1
/*-
2
 * SPDX-License-Identifier: BSD-3-Clause
3
 *
4
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. Neither the name of the project nor the names of its contributors
16
 *    may be used to endorse or promote products derived from this software
17
 *    without specific prior written permission.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29
 * SUCH DAMAGE.
30
 *
31
 *	$KAME: nd6_nbr.c,v 1.86 2002/01/21 02:33:04 jinmei Exp $
32
 */
33

34
#include "opt_inet.h"
35
#include "opt_inet6.h"
36
#include "opt_ipsec.h"
37

38
#include <sys/param.h>
39
#include <sys/systm.h>
40
#include <sys/counter.h>
41
#include <sys/eventhandler.h>
42
#include <sys/malloc.h>
43
#include <sys/libkern.h>
44
#include <sys/lock.h>
45
#include <sys/rwlock.h>
46
#include <sys/mbuf.h>
47
#include <sys/socket.h>
48
#include <sys/sockio.h>
49
#include <sys/time.h>
50
#include <sys/kernel.h>
51
#include <sys/errno.h>
52
#include <sys/sysctl.h>
53
#include <sys/syslog.h>
54
#include <sys/queue.h>
55
#include <sys/callout.h>
56
#include <sys/refcount.h>
57

58
#include <net/if.h>
59
#include <net/if_types.h>
60
#include <net/if_dl.h>
61
#include <net/if_var.h>
62
#include <net/if_private.h>
63
#include <net/route.h>
64
#include <net/vnet.h>
65

66
#include <netinet/in.h>
67
#include <netinet/in_var.h>
68
#include <net/if_llatbl.h>
69
#include <netinet6/in6_var.h>
70
#include <netinet6/in6_ifattach.h>
71
#include <netinet/ip6.h>
72
#include <netinet6/ip6_var.h>
73
#include <netinet6/scope6_var.h>
74
#include <netinet6/nd6.h>
75
#include <netinet/icmp6.h>
76
#include <netinet/ip_carp.h>
77
#include <netinet6/send.h>
78

79
#include <machine/atomic.h>
80

81
#define SDL(s) ((struct sockaddr_dl *)s)
82

83
MALLOC_DECLARE(M_IP6NDP);
84

85
struct dadq;
86
static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *);
87
static void nd6_dad_add(struct dadq *dp);
88
static void nd6_dad_del(struct dadq *dp);
89
static void nd6_dad_rele(struct dadq *);
90
static void nd6_dad_starttimer(struct dadq *, int);
91
static void nd6_dad_stoptimer(struct dadq *);
92
static void nd6_dad_timer(void *);
93
static void nd6_dad_duplicated(struct ifaddr *, struct dadq *);
94
static void nd6_dad_ns_output(struct dadq *);
95
static void nd6_dad_ns_input(struct ifaddr *, struct nd_opt_nonce *);
96
static void nd6_dad_na_input(struct ifaddr *);
97
static void nd6_na_output_fib(struct ifnet *, const struct in6_addr *,
98
    const struct in6_addr *, u_long, int, struct sockaddr *, u_int);
99
static void nd6_ns_output_fib(struct ifnet *, const struct in6_addr *,
100
    const struct in6_addr *, const struct in6_addr *, uint8_t *, u_int);
101

102
static struct ifaddr *nd6_proxy_fill_sdl(struct ifnet *,
103
    const struct in6_addr *, struct sockaddr_dl *);
104

105
VNET_DEFINE_STATIC(int, dad_enhanced) = 1;
106
#define	V_dad_enhanced			VNET(dad_enhanced)
107

108
SYSCTL_DECL(_net_inet6_ip6);
109
SYSCTL_INT(_net_inet6_ip6, OID_AUTO, dad_enhanced, CTLFLAG_VNET | CTLFLAG_RW,
110
    &VNET_NAME(dad_enhanced), 0,
111
    "Enable Enhanced DAD, which adds a random nonce to NS messages for DAD.");
112

113
VNET_DEFINE_STATIC(int, dad_maxtry) = 15;	/* max # of *tries* to
114
						   transmit DAD packet */
115
#define	V_dad_maxtry			VNET(dad_maxtry)
116

117
VNET_DEFINE_STATIC(int, nd6_onlink_ns_rfc4861) = 0;
118
#define	V_nd6_onlink_ns_rfc4861		VNET(nd6_onlink_ns_rfc4861)
119
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
120
    nd6_onlink_ns_rfc4861, CTLFLAG_VNET | CTLFLAG_RW,
121
    &VNET_NAME(nd6_onlink_ns_rfc4861), 0,
122
    "Accept 'on-link' ICMPv6 NS messages in compliance with RFC 4861");
123

124
/*
125
 * Input a Neighbor Solicitation Message.
126
 *
127
 * Based on RFC 2461
128
 * Based on RFC 2462 (duplicate address detection)
129
 */
130
void
131
nd6_ns_input(struct mbuf *m, int off, int icmp6len)
132
{
133
	struct ifnet *ifp;
134
	struct ip6_hdr *ip6;
135
	struct nd_neighbor_solicit *nd_ns;
136
	struct in6_addr daddr6, myaddr6, saddr6, taddr6;
137
	struct ifaddr *ifa;
138
	struct sockaddr_dl proxydl;
139
	union nd_opts ndopts;
140
	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
141
	char *lladdr;
142
	int anycast, lladdrlen, proxy, rflag, tentative, tlladdr;
143

144
	ifa = NULL;
145

146
	/* RFC 6980: Nodes MUST silently ignore fragments */
147
	if(m->m_flags & M_FRAGMENTED)
148
		goto freeit;
149

150
	ifp = m->m_pkthdr.rcvif;
151
	ip6 = mtod(m, struct ip6_hdr *);
152
	if (__predict_false(ip6->ip6_hlim != 255)) {
153
		ICMP6STAT_INC(icp6s_invlhlim);
154
		nd6log((LOG_ERR,
155
		    "nd6_ns_input: invalid hlim (%d) from %s to %s on %s\n",
156
		    ip6->ip6_hlim, ip6_sprintf(ip6bufs, &ip6->ip6_src),
157
		    ip6_sprintf(ip6bufd, &ip6->ip6_dst), if_name(ifp)));
158
		goto bads;
159
	}
160

161
	if (m->m_len < off + icmp6len) {
162
		m = m_pullup(m, off + icmp6len);
163
		if (m == NULL) {
164
			IP6STAT_INC(ip6s_exthdrtoolong);
165
			return;
166
		}
167
	}
168
	ip6 = mtod(m, struct ip6_hdr *);
169
	nd_ns = (struct nd_neighbor_solicit *)((caddr_t)ip6 + off);
170

171
	saddr6 = ip6->ip6_src;
172
	daddr6 = ip6->ip6_dst;
173
	taddr6 = nd_ns->nd_ns_target;
174
	if (in6_setscope(&taddr6, ifp, NULL) != 0)
175
		goto bad;
176

177
	rflag = (V_ip6_forwarding) ? ND_NA_FLAG_ROUTER : 0;
178
	if (ifp->if_inet6->nd_flags & ND6_IFF_ACCEPT_RTADV && V_ip6_norbit_raif)
179
		rflag = 0;
180

181
	if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
182
		/* dst has to be a solicited node multicast address. */
183
		if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL &&
184
		    /* don't check ifindex portion */
185
		    daddr6.s6_addr32[1] == 0 &&
186
		    daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE &&
187
		    daddr6.s6_addr8[12] == 0xff) {
188
			; /* good */
189
		} else {
190
			nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
191
			    "(wrong ip6 dst)\n"));
192
			goto bad;
193
		}
194
	} else if (!V_nd6_onlink_ns_rfc4861) {
195
		struct sockaddr_in6 src_sa6;
196

197
		/*
198
		 * According to recent IETF discussions, it is not a good idea
199
		 * to accept a NS from an address which would not be deemed
200
		 * to be a neighbor otherwise.  This point is expected to be
201
		 * clarified in future revisions of the specification.
202
		 */
203
		bzero(&src_sa6, sizeof(src_sa6));
204
		src_sa6.sin6_family = AF_INET6;
205
		src_sa6.sin6_len = sizeof(src_sa6);
206
		src_sa6.sin6_addr = saddr6;
207
		if (nd6_is_addr_neighbor(&src_sa6, ifp) == 0) {
208
			nd6log((LOG_INFO, "nd6_ns_input: "
209
				"NS packet from non-neighbor\n"));
210
			goto bad;
211
		}
212
	}
213

214
	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
215
		nd6log((LOG_INFO, "nd6_ns_input: bad NS target (multicast)\n"));
216
		goto bad;
217
	}
218

219
	icmp6len -= sizeof(*nd_ns);
220
	nd6_option_init(nd_ns + 1, icmp6len, &ndopts);
221
	if (nd6_options(&ndopts) < 0) {
222
		nd6log((LOG_INFO,
223
		    "nd6_ns_input: invalid ND option, ignored\n"));
224
		/* nd6_options have incremented stats */
225
		goto freeit;
226
	}
227

228
	lladdr = NULL;
229
	lladdrlen = 0;
230
	if (ndopts.nd_opts_src_lladdr) {
231
		lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1);
232
		lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3;
233
	}
234

235
	if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) {
236
		nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
237
		    "(link-layer address option)\n"));
238
		goto bad;
239
	}
240

241
	/*
242
	 * Attaching target link-layer address to the NA?
243
	 * (RFC 2461 7.2.4)
244
	 *
245
	 * NS IP dst is unicast/anycast			MUST NOT add
246
	 * NS IP dst is solicited-node multicast	MUST add
247
	 *
248
	 * In implementation, we add target link-layer address by default.
249
	 * We do not add one in MUST NOT cases.
250
	 */
251
	tlladdr = 0;
252
	if (IN6_IS_ADDR_MULTICAST(&daddr6))
253
		tlladdr |= ND6_NA_OPT_LLA;
254

255
	/*
256
	 * Target address (taddr6) must be either:
257
	 * (1) Valid unicast/anycast address for my receiving interface,
258
	 * (2) Unicast address for which I'm offering proxy service, or
259
	 * (3) "tentative" address on which DAD is being performed.
260
	 */
261
	/* (1) and (3) check. */
262
	if (ifp->if_carp) {
263
		ifa = (*carp_iamatch6_p)(ifp, &taddr6);
264
		if (ifa != NULL)
265
			tlladdr |= ND6_NA_CARP_MASTER;
266
	} else
267
		ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6);
268

269
	/* (2) check. */
270
	proxy = 0;
271
	if (ifa == NULL) {
272
		if ((ifa = nd6_proxy_fill_sdl(ifp, &taddr6, &proxydl)) != NULL)
273
			proxy = 1;
274
	}
275
	if (ifa == NULL) {
276
		/*
277
		 * We've got an NS packet, and we don't have that address
278
		 * assigned for us.  We MUST silently ignore it.
279
		 * See RFC2461 7.2.3.
280
		 */
281
		goto freeit;
282
	}
283
	myaddr6 = *IFA_IN6(ifa);
284
	anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST;
285
	tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE;
286
	if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED)
287
		goto freeit;
288

289
	if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
290
		nd6log((LOG_INFO, "nd6_ns_input: lladdrlen mismatch for %s "
291
		    "(if %d, NS packet %d)\n",
292
		    ip6_sprintf(ip6bufs, &taddr6),
293
		    ifp->if_addrlen, lladdrlen - 2));
294
		goto bad;
295
	}
296

297
	if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) {
298
		nd6log((LOG_INFO, "nd6_ns_input: duplicate IP6 address %s\n",
299
		    ip6_sprintf(ip6bufs, &saddr6)));
300
		goto freeit;
301
	}
302

303
	/*
304
	 * We have neighbor solicitation packet, with target address equals to
305
	 * one of my tentative address.
306
	 *
307
	 * src addr	how to process?
308
	 * ---		---
309
	 * multicast	of course, invalid (rejected in ip6_input)
310
	 * unicast	somebody is doing address resolution -> ignore
311
	 * unspec	dup address detection
312
	 *
313
	 * The processing is defined in RFC 2462.
314
	 */
315
	if (tentative) {
316
		/*
317
		 * If source address is unspecified address, it is for
318
		 * duplicate address detection.
319
		 *
320
		 * If not, the packet is for addess resolution;
321
		 * silently ignore it.
322
		 */
323
		if (IN6_IS_ADDR_UNSPECIFIED(&saddr6))
324
			nd6_dad_ns_input(ifa, ndopts.nd_opts_nonce);
325

326
		goto freeit;
327
	}
328

329
	/*
330
	 * If the Target Address is either an anycast address or a unicast
331
	 * address for which the node is providing proxy service, or the Target
332
	 * Link-Layer Address option is not included, the Override flag SHOULD
333
	 * be set to zero.  Otherwise, the Override flag SHOULD be set to one.
334
	 */
335
	if (anycast == 0 && proxy == 0 && (tlladdr & ND6_NA_OPT_LLA) != 0)
336
		rflag |= ND_NA_FLAG_OVERRIDE;
337
	/*
338
	 * If the source address is unspecified address, entries must not
339
	 * be created or updated.
340
	 * It looks that sender is performing DAD. nd6_na_output() will
341
	 * send NA toward all-node multicast address, to tell the sender
342
	 * that I'm using the address.
343
	 * S bit ("solicited") must be zero.
344
	 */
345
	if (!IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
346
		nd6_cache_lladdr(ifp, &saddr6, lladdr, lladdrlen,
347
		    ND_NEIGHBOR_SOLICIT, 0);
348
		rflag |= ND_NA_FLAG_SOLICITED;
349
	}
350

351
	nd6_na_output_fib(ifp, &saddr6, &taddr6, rflag, tlladdr,
352
	    proxy ? (struct sockaddr *)&proxydl : NULL, M_GETFIB(m));
353
 freeit:
354
	if (ifa != NULL)
355
		ifa_free(ifa);
356
	m_freem(m);
357
	return;
358

359
 bad:
360
	nd6log((LOG_ERR, "nd6_ns_input: src=%s\n",
361
		ip6_sprintf(ip6bufs, &saddr6)));
362
	nd6log((LOG_ERR, "nd6_ns_input: dst=%s\n",
363
		ip6_sprintf(ip6bufs, &daddr6)));
364
	nd6log((LOG_ERR, "nd6_ns_input: tgt=%s\n",
365
		ip6_sprintf(ip6bufs, &taddr6)));
366
 bads:
367
	ICMP6STAT_INC(icp6s_badns);
368
	if (ifa != NULL)
369
		ifa_free(ifa);
370
	m_freem(m);
371
}
372

373
static struct ifaddr *
374
nd6_proxy_fill_sdl(struct ifnet *ifp, const struct in6_addr *taddr6,
375
    struct sockaddr_dl *sdl)
376
{
377
	struct ifaddr *ifa;
378
	struct llentry *ln;
379

380
	ifa = NULL;
381
	ln = nd6_lookup(taddr6, LLE_SF(AF_INET6, 0), ifp);
382
	if (ln == NULL)
383
		return (ifa);
384
	if ((ln->la_flags & (LLE_PUB | LLE_VALID)) == (LLE_PUB | LLE_VALID)) {
385
		link_init_sdl(ifp, (struct sockaddr *)sdl, ifp->if_type);
386
		sdl->sdl_alen = ifp->if_addrlen;
387
		bcopy(ln->ll_addr, &sdl->sdl_data, ifp->if_addrlen);
388
		LLE_RUNLOCK(ln);
389
		ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
390
		    IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
391
	} else
392
		LLE_RUNLOCK(ln);
393

394
	return (ifa);
395
}
396

397
/*
398
 * Output a Neighbor Solicitation Message. Caller specifies:
399
 *	- ICMP6 header source IP6 address
400
 *	- ND6 header target IP6 address
401
 *	- ND6 header source datalink address
402
 *
403
 * Based on RFC 2461
404
 * Based on RFC 2462 (duplicate address detection)
405
 *
406
 *    ln - for source address determination
407
 * nonce - If non-NULL, NS is used for duplicate address detection and
408
 *         the value (length is ND_OPT_NONCE_LEN) is used as a random nonce.
409
 */
410
static void
411
nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6,
412
    const struct in6_addr *daddr6, const struct in6_addr *taddr6,
413
    uint8_t *nonce, u_int fibnum)
414
{
415
	struct mbuf *m;
416
	struct m_tag *mtag;
417
	struct ip6_hdr *ip6;
418
	struct nd_neighbor_solicit *nd_ns;
419
	struct ip6_moptions im6o;
420
	int icmp6len;
421
	int maxlen;
422

423
	NET_EPOCH_ASSERT();
424

425
	if (IN6_IS_ADDR_MULTICAST(taddr6))
426
		return;
427

428
	/* estimate the size of message */
429
	maxlen = sizeof(*ip6) + sizeof(*nd_ns);
430
	maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
431
	KASSERT(max_linkhdr + maxlen <= MCLBYTES, (
432
	    "%s: max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)",
433
	    __func__, max_linkhdr, maxlen, MCLBYTES));
434

435
	if (max_linkhdr + maxlen > MHLEN)
436
		m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
437
	else
438
		m = m_gethdr(M_NOWAIT, MT_DATA);
439
	if (m == NULL)
440
		return;
441
	M_SETFIB(m, fibnum);
442

443
	icmp6len = sizeof(*nd_ns);
444
	m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len;
445
	m->m_data += max_linkhdr;	/* or M_ALIGN() equivalent? */
446

447
	/* fill neighbor solicitation packet */
448
	ip6 = mtod(m, struct ip6_hdr *);
449
	ip6->ip6_flow = 0;
450
	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
451
	ip6->ip6_vfc |= IPV6_VERSION;
452
	/* ip6->ip6_plen will be set later */
453
	ip6->ip6_nxt = IPPROTO_ICMPV6;
454
	ip6->ip6_hlim = 255;
455
	if (daddr6)
456
		ip6->ip6_dst = *daddr6;
457
	else {
458
		ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
459
		ip6->ip6_dst.s6_addr16[1] = 0;
460
		ip6->ip6_dst.s6_addr32[1] = 0;
461
		ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE;
462
		ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3];
463
		ip6->ip6_dst.s6_addr8[12] = 0xff;
464
		if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0)
465
			goto bad;
466
	}
467
	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
468
		m->m_flags |= M_MCAST;
469
		im6o.im6o_multicast_ifp = ifp;
470
		im6o.im6o_multicast_hlim = 255;
471
		im6o.im6o_multicast_loop = 0;
472
	}
473
	if (nonce == NULL) {
474
		char ip6buf[INET6_ADDRSTRLEN];
475
		struct ifaddr *ifa = NULL;
476

477
		/*
478
		 * RFC2461 7.2.2:
479
		 * "If the source address of the packet prompting the
480
		 * solicitation is the same as one of the addresses assigned
481
		 * to the outgoing interface, that address SHOULD be placed
482
		 * in the IP Source Address of the outgoing solicitation.
483
		 * Otherwise, any one of the addresses assigned to the
484
		 * interface should be used."
485
		 *
486
		 * We use the source address for the prompting packet
487
		 * (saddr6), if saddr6 belongs to the outgoing interface.
488
		 * Otherwise, we perform the source address selection as usual.
489
		 */
490
		if (saddr6 != NULL)
491
			ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, saddr6);
492
		if (ifa == NULL) {
493
			int error;
494

495
			error = in6_selectsrc_nbr(fibnum, &ip6->ip6_dst, &im6o,
496
			    ifp, &ip6->ip6_src);
497
			if (error) {
498
				nd6log((LOG_DEBUG, "%s: source can't be "
499
				    "determined: dst=%s, error=%d\n", __func__,
500
				    ip6_sprintf(ip6buf, &ip6->ip6_dst),
501
				    error));
502
				goto bad;
503
			}
504
		} else
505
			ip6->ip6_src = *saddr6;
506

507
		if (ifp->if_carp != NULL) {
508
			/*
509
			 * Check that selected source address belongs to
510
			 * CARP addresses.
511
			 */
512
			if (ifa == NULL)
513
				ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp,
514
				    &ip6->ip6_src);
515
			/*
516
			 * Do not send NS for CARP address if we are not
517
			 * the CARP master.
518
			 */
519
			if (ifa != NULL && ifa->ifa_carp != NULL &&
520
			    !(*carp_master_p)(ifa)) {
521
				nd6log((LOG_DEBUG,
522
				    "nd6_ns_output: NS from BACKUP CARP address %s\n",
523
				    ip6_sprintf(ip6buf, &ip6->ip6_src)));
524
				ifa_free(ifa);
525
				goto bad;
526
			}
527
		}
528
		if (ifa != NULL)
529
			ifa_free(ifa);
530
	} else {
531
		/*
532
		 * Source address for DAD packet must always be IPv6
533
		 * unspecified address. (0::0)
534
		 * We actually don't have to 0-clear the address (we did it
535
		 * above), but we do so here explicitly to make the intention
536
		 * clearer.
537
		 */
538
		bzero(&ip6->ip6_src, sizeof(ip6->ip6_src));
539
	}
540
	nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1);
541
	nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT;
542
	nd_ns->nd_ns_code = 0;
543
	nd_ns->nd_ns_reserved = 0;
544
	nd_ns->nd_ns_target = *taddr6;
545
	in6_clearscope(&nd_ns->nd_ns_target); /* XXX */
546

547
	/*
548
	 * Add source link-layer address option.
549
	 *
550
	 *				spec		implementation
551
	 *				---		---
552
	 * DAD packet			MUST NOT	do not add the option
553
	 * there's no link layer address:
554
	 *				impossible	do not add the option
555
	 * there's link layer address:
556
	 *	Multicast NS		MUST add one	add the option
557
	 *	Unicast NS		SHOULD add one	add the option
558
	 */
559
	if (nonce == NULL) {
560
		struct nd_opt_hdr *nd_opt;
561
		char *mac;
562
		int optlen;
563

564
		mac = NULL;
565
		if (ifp->if_carp)
566
			mac = (*carp_macmatch6_p)(ifp, m, &ip6->ip6_src);
567
		if (mac == NULL)
568
			mac = nd6_ifptomac(ifp);
569

570
		if (mac != NULL) {
571
			nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
572
			optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
573
			/* 8 byte alignments... */
574
			optlen = (optlen + 7) & ~7;
575
			m->m_pkthdr.len += optlen;
576
			m->m_len += optlen;
577
			icmp6len += optlen;
578
			bzero(nd_opt, optlen);
579
			nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR;
580
			nd_opt->nd_opt_len = optlen >> 3;
581
			bcopy(mac, nd_opt + 1, ifp->if_addrlen);
582
		}
583
	}
584
	/*
585
	 * Add a Nonce option (RFC 3971) to detect looped back NS messages.
586
	 * This behavior is documented as Enhanced Duplicate Address
587
	 * Detection in RFC 7527.
588
	 * net.inet6.ip6.dad_enhanced=0 disables this.
589
	 */
590
	if (V_dad_enhanced != 0 && nonce != NULL) {
591
		int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN;
592
		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
593
		/* 8-byte alignment is required. */
594
		optlen = (optlen + 7) & ~7;
595

596
		m->m_pkthdr.len += optlen;
597
		m->m_len += optlen;
598
		icmp6len += optlen;
599
		bzero((caddr_t)nd_opt, optlen);
600
		nd_opt->nd_opt_type = ND_OPT_NONCE;
601
		nd_opt->nd_opt_len = optlen >> 3;
602
		bcopy(nonce, (caddr_t)(nd_opt + 1), ND_OPT_NONCE_LEN);
603
	}
604
	ip6->ip6_plen = htons((u_short)icmp6len);
605
	nd_ns->nd_ns_cksum = 0;
606
	nd_ns->nd_ns_cksum =
607
	    in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
608

609
	if (send_sendso_input_hook != NULL) {
610
		mtag = m_tag_get(PACKET_TAG_ND_OUTGOING,
611
			sizeof(unsigned short), M_NOWAIT);
612
		if (mtag == NULL)
613
			goto bad;
614
		*(unsigned short *)(mtag + 1) = nd_ns->nd_ns_type;
615
		m_tag_prepend(m, mtag);
616
	}
617

618
	ip6_output(m, NULL, NULL, (nonce != NULL) ? IPV6_UNSPECSRC : 0,
619
	    &im6o, NULL, NULL);
620
	icmp6_ifstat_inc(ifp, ifs6_out_msg);
621
	icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit);
622
	ICMP6STAT_INC2(icp6s_outhist, ND_NEIGHBOR_SOLICIT);
623

624
	return;
625

626
  bad:
627
	m_freem(m);
628
}
629

630
#ifndef BURN_BRIDGES
631
void
632
nd6_ns_output(struct ifnet *ifp, const struct in6_addr *saddr6,
633
    const struct in6_addr *daddr6, const struct in6_addr *taddr6,uint8_t *nonce)
634
{
635

636
	nd6_ns_output_fib(ifp, saddr6, daddr6, taddr6, nonce, RT_DEFAULT_FIB);
637
}
638
#endif
639
/*
640
 * Neighbor advertisement input handling.
641
 *
642
 * Based on RFC 2461
643
 * Based on RFC 2462 (duplicate address detection)
644
 *
645
 * the following items are not implemented yet:
646
 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
647
 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
648
 */
649
void
650
nd6_na_input(struct mbuf *m, int off, int icmp6len)
651
{
652
	struct ifnet *ifp;
653
	struct ip6_hdr *ip6;
654
	struct ifaddr *ifa;
655
	struct llentry *ln;
656
	struct mbuf *chain;
657
	struct nd_neighbor_advert *nd_na;
658
	struct in6_addr daddr6, taddr6;
659
	union nd_opts ndopts;
660
	u_char linkhdr[LLE_MAX_LINKHDR];
661
	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
662
	char *lladdr;
663
	size_t linkhdrsize;
664
	int flags, is_override, is_router, is_solicited;
665
	int lladdr_off, lladdrlen, checklink;
666
	bool flush_holdchain = false;
667

668
	NET_EPOCH_ASSERT();
669

670
	chain = NULL;
671
	ln = NULL;
672
	checklink = 0;
673

674
	/* RFC 6980: Nodes MUST silently ignore fragments */
675
	if(m->m_flags & M_FRAGMENTED)
676
		goto freeit;
677

678
	ifp = m->m_pkthdr.rcvif;
679
	ip6 = mtod(m, struct ip6_hdr *);
680
	if (__predict_false(ip6->ip6_hlim != 255)) {
681
		ICMP6STAT_INC(icp6s_invlhlim);
682
		nd6log((LOG_ERR,
683
		    "nd6_na_input: invalid hlim (%d) from %s to %s on %s\n",
684
		    ip6->ip6_hlim, ip6_sprintf(ip6bufs, &ip6->ip6_src),
685
		    ip6_sprintf(ip6bufd, &ip6->ip6_dst), if_name(ifp)));
686
		goto bad;
687
	}
688

689
	if (m->m_len < off + icmp6len) {
690
		m = m_pullup(m, off + icmp6len);
691
		if (m == NULL) {
692
			IP6STAT_INC(ip6s_exthdrtoolong);
693
			return;
694
		}
695
	}
696
	ip6 = mtod(m, struct ip6_hdr *);
697
	nd_na = (struct nd_neighbor_advert *)((caddr_t)ip6 + off);
698

699
	flags = nd_na->nd_na_flags_reserved;
700
	is_router = ((flags & ND_NA_FLAG_ROUTER) != 0);
701
	is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0);
702
	is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0);
703

704
	taddr6 = nd_na->nd_na_target;
705
	if (in6_setscope(&taddr6, ifp, NULL))
706
		goto bad;	/* XXX: impossible */
707

708
	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
709
		nd6log((LOG_ERR,
710
		    "nd6_na_input: invalid target address %s\n",
711
		    ip6_sprintf(ip6bufs, &taddr6)));
712
		goto bad;
713
	}
714

715
	daddr6 = ip6->ip6_dst;
716
	if (IN6_IS_ADDR_MULTICAST(&daddr6))
717
		if (is_solicited) {
718
			nd6log((LOG_ERR,
719
			    "nd6_na_input: a solicited adv is multicasted\n"));
720
			goto bad;
721
		}
722

723
	icmp6len -= sizeof(*nd_na);
724
	nd6_option_init(nd_na + 1, icmp6len, &ndopts);
725
	if (nd6_options(&ndopts) < 0) {
726
		nd6log((LOG_INFO,
727
		    "nd6_na_input: invalid ND option, ignored\n"));
728
		/* nd6_options have incremented stats */
729
		goto freeit;
730
	}
731

732
	lladdr = NULL;
733
	lladdrlen = 0;
734
	if (ndopts.nd_opts_tgt_lladdr) {
735
		lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
736
		lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
737
	}
738

739
	ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6);
740
	if (ifa != NULL && ifa->ifa_carp != NULL) {
741
		/*
742
		 * Silently ignore NAs for CARP addresses if we are not
743
		 * the CARP master.
744
		 */
745
		if (!(*carp_master_p)(ifa)) {
746
			nd6log((LOG_DEBUG,
747
			    "nd6_na_input: NA for BACKUP CARP address %s\n",
748
			    ip6_sprintf(ip6bufs, &taddr6)));
749
			ifa_free(ifa);
750
			goto freeit;
751
		}
752
	}
753
	/*
754
	 * Target address matches one of my interface address.
755
	 *
756
	 * If my address is tentative, this means that there's somebody
757
	 * already using the same address as mine.  This indicates DAD failure.
758
	 * This is defined in RFC 2462.
759
	 *
760
	 * Otherwise, process as defined in RFC 2461.
761
	 */
762
	if (ifa
763
	 && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) {
764
		nd6_dad_na_input(ifa);
765
		ifa_free(ifa);
766
		goto freeit;
767
	}
768

769
	/* Just for safety, maybe unnecessary. */
770
	if (ifa) {
771
		ifa_free(ifa);
772
		log(LOG_ERR,
773
		    "nd6_na_input: duplicate IP6 address %s\n",
774
		    ip6_sprintf(ip6bufs, &taddr6));
775
		goto freeit;
776
	}
777

778
	if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
779
		nd6log((LOG_INFO, "nd6_na_input: lladdrlen mismatch for %s "
780
		    "(if %d, NA packet %d)\n", ip6_sprintf(ip6bufs, &taddr6),
781
		    ifp->if_addrlen, lladdrlen - 2));
782
		goto bad;
783
	}
784

785
	/*
786
	 * If no neighbor cache entry is found, NA SHOULD silently be
787
	 * discarded.
788
	 */
789
	ln = nd6_lookup(&taddr6, LLE_SF(AF_INET6, LLE_EXCLUSIVE), ifp);
790
	if (ln == NULL) {
791
		goto freeit;
792
	}
793

794
	/*
795
	 * Do not try to override static entry.
796
	 */
797
	if (ln->la_flags & LLE_STATIC)
798
		goto freeit;
799

800
	if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
801
		/*
802
		 * If the link-layer has address, and no lladdr option came,
803
		 * discard the packet.
804
		 */
805
		if (ifp->if_addrlen && lladdr == NULL) {
806
			goto freeit;
807
		}
808

809
		/*
810
		 * Record link-layer address, and update the state.
811
		 */
812
		if (!nd6_try_set_entry_addr(ifp, ln, lladdr))
813
			goto freeit;
814

815
		flush_holdchain = true;
816
		if (is_solicited)
817
			nd6_llinfo_setstate(ln, ND6_LLINFO_REACHABLE);
818
		else
819
			nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
820
		EVENTHANDLER_INVOKE(lle_event, ln, LLENTRY_RESOLVED);
821
		if ((ln->ln_router = is_router) != 0) {
822
			/*
823
			 * This means a router's state has changed from
824
			 * non-reachable to probably reachable, and might
825
			 * affect the status of associated prefixes..
826
			 */
827
			checklink = 1;
828
		}
829
	} else {
830
		int llchange;
831

832
		/*
833
		 * Check if the link-layer address has changed or not.
834
		 */
835
		if (lladdr == NULL)
836
			llchange = 0;
837
		else {
838
			if (ln->la_flags & LLE_VALID) {
839
				if (bcmp(lladdr, ln->ll_addr, ifp->if_addrlen))
840
					llchange = 1;
841
				else
842
					llchange = 0;
843
			} else
844
				llchange = 1;
845
		}
846

847
		/*
848
		 * This is VERY complex.  Look at it with care.
849
		 *
850
		 * override solicit lladdr llchange	action
851
		 *					(L: record lladdr)
852
		 *
853
		 *	0	0	n	--	(2c)
854
		 *	0	0	y	n	(2b) L
855
		 *	0	0	y	y	(1)    REACHABLE->STALE
856
		 *	0	1	n	--	(2c)   *->REACHABLE
857
		 *	0	1	y	n	(2b) L *->REACHABLE
858
		 *	0	1	y	y	(1)    REACHABLE->STALE
859
		 *	1	0	n	--	(2a)
860
		 *	1	0	y	n	(2a) L
861
		 *	1	0	y	y	(2a) L *->STALE
862
		 *	1	1	n	--	(2a)   *->REACHABLE
863
		 *	1	1	y	n	(2a) L *->REACHABLE
864
		 *	1	1	y	y	(2a) L *->REACHABLE
865
		 */
866
		if (!is_override && (lladdr != NULL && llchange)) {  /* (1) */
867
			/*
868
			 * If state is REACHABLE, make it STALE.
869
			 * no other updates should be done.
870
			 */
871
			if (ln->ln_state == ND6_LLINFO_REACHABLE)
872
				nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
873
			goto freeit;
874
		} else if (is_override				   /* (2a) */
875
			|| (!is_override && (lladdr != NULL && !llchange)) /* (2b) */
876
			|| lladdr == NULL) {			   /* (2c) */
877
			/*
878
			 * Update link-local address, if any.
879
			 */
880
			if (lladdr != NULL) {
881
				linkhdrsize = sizeof(linkhdr);
882
				if (lltable_calc_llheader(ifp, AF_INET6, lladdr,
883
				    linkhdr, &linkhdrsize, &lladdr_off) != 0)
884
					goto freeit;
885
				if (lltable_try_set_entry_addr(ifp, ln, linkhdr,
886
				    linkhdrsize, lladdr_off) == 0)
887
					goto freeit;
888
				EVENTHANDLER_INVOKE(lle_event, ln,
889
				    LLENTRY_RESOLVED);
890
			}
891

892
			/*
893
			 * If solicited, make the state REACHABLE.
894
			 * If not solicited and the link-layer address was
895
			 * changed, make it STALE.
896
			 */
897
			if (is_solicited)
898
				nd6_llinfo_setstate(ln, ND6_LLINFO_REACHABLE);
899
			else {
900
				if (lladdr != NULL && llchange)
901
					nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
902
			}
903
		}
904

905
		if (ln->ln_router && !is_router) {
906
			/*
907
			 * The peer dropped the router flag.
908
			 * Remove the sender from the Default Router List and
909
			 * update the Destination Cache entries.
910
			 */
911
			struct ifnet *nd6_ifp;
912

913
			nd6_ifp = lltable_get_ifp(ln->lle_tbl);
914
			if (!defrouter_remove(&ln->r_l3addr.addr6, nd6_ifp) &&
915
			    (nd6_ifp->if_inet6->nd_flags &
916
			     ND6_IFF_ACCEPT_RTADV) != 0)
917
				/*
918
				 * Even if the neighbor is not in the default
919
				 * router list, the neighbor may be used as a
920
				 * next hop for some destinations (e.g. redirect
921
				 * case). So we must call rt6_flush explicitly.
922
				 */
923
				rt6_flush(&ip6->ip6_src, ifp);
924
		}
925
		ln->ln_router = is_router;
926
	}
927
        /* XXX - QL
928
	 *  Does this matter?
929
	 *  rt->rt_flags &= ~RTF_REJECT;
930
	 */
931
	ln->la_asked = 0;
932
	if (ln->la_hold != NULL)
933
		chain = nd6_grab_holdchain(ln);
934
 freeit:
935
	if (ln != NULL)
936
		LLE_WUNLOCK(ln);
937

938
	if (chain != NULL)
939
		nd6_flush_holdchain(ifp, ln, chain);
940
	if (flush_holdchain)
941
		nd6_flush_children_holdchain(ifp, ln);
942

943
	if (checklink)
944
		pfxlist_onlink_check();
945

946
	m_freem(m);
947
	return;
948

949
 bad:
950
	if (ln != NULL)
951
		LLE_WUNLOCK(ln);
952

953
	ICMP6STAT_INC(icp6s_badna);
954
	m_freem(m);
955
}
956

957
/*
958
 * Neighbor advertisement output handling.
959
 *
960
 * Based on RFC 2461
961
 *
962
 * the following items are not implemented yet:
963
 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
964
 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
965
 *
966
 * tlladdr:
967
 * - 0x01 if include target link-layer address
968
 * - 0x02 if target address is CARP MASTER
969
 * sdl0 - sockaddr_dl (= proxy NA) or NULL
970
 */
971
static void
972
nd6_na_output_fib(struct ifnet *ifp, const struct in6_addr *daddr6_0,
973
    const struct in6_addr *taddr6, u_long flags, int tlladdr,
974
    struct sockaddr *sdl0, u_int fibnum)
975
{
976
	struct mbuf *m;
977
	struct m_tag *mtag;
978
	struct ip6_hdr *ip6;
979
	struct nd_neighbor_advert *nd_na;
980
	struct ip6_moptions im6o;
981
	struct in6_addr daddr6;
982

983
	NET_EPOCH_ASSERT();
984

985
	int icmp6len, maxlen, error;
986
	caddr_t mac = NULL;
987

988
	daddr6 = *daddr6_0;	/* make a local copy for modification */
989

990
	/* estimate the size of message */
991
	maxlen = sizeof(*ip6) + sizeof(*nd_na);
992
	maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
993
	KASSERT(max_linkhdr + maxlen <= MCLBYTES, (
994
	    "%s: max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)",
995
	    __func__, max_linkhdr, maxlen, MCLBYTES));
996

997
	if (max_linkhdr + maxlen > MHLEN)
998
		m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
999
	else
1000
		m = m_gethdr(M_NOWAIT, MT_DATA);
1001
	if (m == NULL)
1002
		return;
1003
	M_SETFIB(m, fibnum);
1004

1005
	icmp6len = sizeof(*nd_na);
1006
	m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len;
1007
	m->m_data += max_linkhdr;	/* or M_ALIGN() equivalent? */
1008

1009
	/* fill neighbor advertisement packet */
1010
	ip6 = mtod(m, struct ip6_hdr *);
1011
	ip6->ip6_flow = 0;
1012
	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
1013
	ip6->ip6_vfc |= IPV6_VERSION;
1014
	ip6->ip6_nxt = IPPROTO_ICMPV6;
1015
	ip6->ip6_hlim = 255;
1016

1017
	if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) {
1018
		/* reply to DAD */
1019
		daddr6 = in6addr_linklocal_allnodes;
1020
		if (in6_setscope(&daddr6, ifp, NULL))
1021
			goto bad;
1022

1023
		flags &= ~ND_NA_FLAG_SOLICITED;
1024
	}
1025
	if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
1026
		m->m_flags |= M_MCAST;
1027
		im6o.im6o_multicast_ifp = ifp;
1028
		im6o.im6o_multicast_hlim = 255;
1029
		im6o.im6o_multicast_loop = 0;
1030
	}
1031

1032
	ip6->ip6_dst = daddr6;
1033
	error = in6_selectsrc_nbr(fibnum, &daddr6, &im6o, ifp, &ip6->ip6_src);
1034
	if (error) {
1035
		char ip6buf[INET6_ADDRSTRLEN];
1036
		nd6log((LOG_DEBUG, "nd6_na_output: source can't be "
1037
		    "determined: dst=%s, error=%d\n",
1038
		    ip6_sprintf(ip6buf, &daddr6), error));
1039
		goto bad;
1040
	}
1041
	nd_na = (struct nd_neighbor_advert *)(ip6 + 1);
1042
	nd_na->nd_na_type = ND_NEIGHBOR_ADVERT;
1043
	nd_na->nd_na_code = 0;
1044
	nd_na->nd_na_target = *taddr6;
1045
	in6_clearscope(&nd_na->nd_na_target); /* XXX */
1046

1047
	/*
1048
	 * If we respond from CARP address, we need to prepare mac address
1049
	 * for carp_output().
1050
	 */
1051
	if (ifp->if_carp && (tlladdr & ND6_NA_CARP_MASTER))
1052
		mac = (*carp_macmatch6_p)(ifp, m, taddr6);
1053
	/*
1054
	 * "tlladdr" indicates NS's condition for adding tlladdr or not.
1055
	 * see nd6_ns_input() for details.
1056
	 * Basically, if NS packet is sent to unicast/anycast addr,
1057
	 * target lladdr option SHOULD NOT be included.
1058
	 */
1059
	if (tlladdr & ND6_NA_OPT_LLA) {
1060
		/*
1061
		 * sdl0 != NULL indicates proxy NA.  If we do proxy, use
1062
		 * lladdr in sdl0.  If we are not proxying (sending NA for
1063
		 * my address) use lladdr configured for the interface.
1064
		 */
1065
		if (sdl0 == NULL) {
1066
			if (mac == NULL)
1067
				mac = nd6_ifptomac(ifp);
1068
		} else if (sdl0->sa_family == AF_LINK) {
1069
			struct sockaddr_dl *sdl;
1070
			sdl = (struct sockaddr_dl *)sdl0;
1071
			if (sdl->sdl_alen == ifp->if_addrlen)
1072
				mac = LLADDR(sdl);
1073
		}
1074
	}
1075
	if ((tlladdr & ND6_NA_OPT_LLA) && mac != NULL) {
1076
		int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
1077
		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1);
1078

1079
		/* roundup to 8 bytes alignment! */
1080
		optlen = (optlen + 7) & ~7;
1081

1082
		m->m_pkthdr.len += optlen;
1083
		m->m_len += optlen;
1084
		icmp6len += optlen;
1085
		bzero((caddr_t)nd_opt, optlen);
1086
		nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
1087
		nd_opt->nd_opt_len = optlen >> 3;
1088
		bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
1089
	} else
1090
		flags &= ~ND_NA_FLAG_OVERRIDE;
1091

1092
	ip6->ip6_plen = htons((u_short)icmp6len);
1093
	nd_na->nd_na_flags_reserved = flags;
1094
	nd_na->nd_na_cksum = 0;
1095
	nd_na->nd_na_cksum =
1096
	    in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
1097

1098
	if (send_sendso_input_hook != NULL) {
1099
		mtag = m_tag_get(PACKET_TAG_ND_OUTGOING,
1100
		    sizeof(unsigned short), M_NOWAIT);
1101
		if (mtag == NULL)
1102
			goto bad;
1103
		*(unsigned short *)(mtag + 1) = nd_na->nd_na_type;
1104
		m_tag_prepend(m, mtag);
1105
	}
1106

1107
	ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL);
1108
	icmp6_ifstat_inc(ifp, ifs6_out_msg);
1109
	icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert);
1110
	ICMP6STAT_INC2(icp6s_outhist, ND_NEIGHBOR_ADVERT);
1111

1112
	return;
1113

1114
  bad:
1115
	m_freem(m);
1116
}
1117

1118
#ifndef BURN_BRIDGES
1119
void
1120
nd6_na_output(struct ifnet *ifp, const struct in6_addr *daddr6_0,
1121
    const struct in6_addr *taddr6, u_long flags, int tlladdr,
1122
    struct sockaddr *sdl0)
1123
{
1124

1125
	nd6_na_output_fib(ifp, daddr6_0, taddr6, flags, tlladdr, sdl0,
1126
	    RT_DEFAULT_FIB);
1127
}
1128
#endif
1129

1130
caddr_t
1131
nd6_ifptomac(struct ifnet *ifp)
1132
{
1133
	switch (ifp->if_type) {
1134
	case IFT_ETHER:
1135
	case IFT_IEEE1394:
1136
	case IFT_L2VLAN:
1137
	case IFT_INFINIBAND:
1138
	case IFT_BRIDGE:
1139
		return IF_LLADDR(ifp);
1140
	default:
1141
		return NULL;
1142
	}
1143
}
1144

1145
struct dadq {
1146
	TAILQ_ENTRY(dadq) dad_list;
1147
	struct ifaddr *dad_ifa;
1148
	int dad_count;		/* max NS to send */
1149
	int dad_ns_tcount;	/* # of trials to send NS */
1150
	int dad_ns_ocount;	/* NS sent so far */
1151
	int dad_ns_icount;
1152
	int dad_na_icount;
1153
	int dad_ns_lcount;	/* looped back NS */
1154
	int dad_loopbackprobe;	/* probing state for loopback detection */
1155
	struct callout dad_timer_ch;
1156
	struct vnet *dad_vnet;
1157
	u_int dad_refcnt;
1158
#define	ND_OPT_NONCE_LEN32 \
1159
		((ND_OPT_NONCE_LEN + sizeof(uint32_t) - 1)/sizeof(uint32_t))
1160
	uint32_t dad_nonce[ND_OPT_NONCE_LEN32];
1161
	bool dad_ondadq;	/* on dadq? Protected by DADQ_WLOCK. */
1162
};
1163

1164
VNET_DEFINE_STATIC(TAILQ_HEAD(, dadq), dadq);
1165
VNET_DEFINE_STATIC(struct rwlock, dad_rwlock);
1166
#define	V_dadq			VNET(dadq)
1167
#define	V_dad_rwlock		VNET(dad_rwlock)
1168

1169
#define	DADQ_LOCKPTR()		(&V_dad_rwlock)
1170
#define	DADQ_LOCK_INIT()	rw_init(DADQ_LOCKPTR(), "nd6 DAD queue")
1171
#define	DADQ_RLOCK()		rw_rlock(DADQ_LOCKPTR())
1172
#define	DADQ_RUNLOCK()		rw_runlock(DADQ_LOCKPTR())
1173
#define	DADQ_WLOCK()		rw_wlock(DADQ_LOCKPTR())
1174
#define	DADQ_WUNLOCK()		rw_wunlock(DADQ_LOCKPTR())
1175

1176
#define	DADQ_LOCK_ASSERT()	rw_assert(DADQ_LOCKPTR(), RA_LOCKED);
1177
#define	DADQ_RLOCK_ASSERT()	rw_assert(DADQ_LOCKPTR(), RA_RLOCKED);
1178
#define	DADQ_WLOCK_ASSERT()	rw_assert(DADQ_LOCKPTR(), RA_WLOCKED);
1179

1180
static void
1181
nd6_dad_add(struct dadq *dp)
1182
{
1183
	DADQ_WLOCK_ASSERT();
1184

1185
	TAILQ_INSERT_TAIL(&V_dadq, dp, dad_list);
1186
	dp->dad_ondadq = true;
1187
}
1188

1189
static void
1190
nd6_dad_del(struct dadq *dp)
1191
{
1192
	DADQ_WLOCK_ASSERT();
1193

1194
	if (dp->dad_ondadq) {
1195
		/*
1196
		 * Remove dp from the dadq and release the dadq's
1197
		 * reference.
1198
		 */
1199
		TAILQ_REMOVE(&V_dadq, dp, dad_list);
1200
		dp->dad_ondadq = false;
1201
		nd6_dad_rele(dp);
1202
	}
1203
}
1204

1205
static struct dadq *
1206
nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *n)
1207
{
1208
	struct dadq *dp;
1209

1210
	DADQ_LOCK_ASSERT();
1211

1212
	TAILQ_FOREACH(dp, &V_dadq, dad_list) {
1213
		if (dp->dad_ifa != ifa)
1214
			continue;
1215

1216
		/*
1217
		 * Skip if the nonce matches the received one.
1218
		 * +2 in the length is required because of type and
1219
		 * length fields are included in a header.
1220
		 */
1221
		if (n != NULL &&
1222
		    n->nd_opt_nonce_len == (ND_OPT_NONCE_LEN + 2) / 8 &&
1223
		    memcmp(&n->nd_opt_nonce[0], &dp->dad_nonce[0],
1224
		    ND_OPT_NONCE_LEN) == 0) {
1225
			dp->dad_ns_lcount++;
1226
			continue;
1227
		}
1228
		break;
1229
	}
1230

1231
	return (dp);
1232
}
1233

1234
static void
1235
nd6_dad_starttimer(struct dadq *dp, int ticks)
1236
{
1237
	DADQ_WLOCK_ASSERT();
1238

1239
	callout_reset(&dp->dad_timer_ch, ticks, nd6_dad_timer, dp);
1240
}
1241

1242
static void
1243
nd6_dad_stoptimer(struct dadq *dp)
1244
{
1245
	callout_drain(&dp->dad_timer_ch);
1246
}
1247

1248
static void
1249
nd6_dad_rele(struct dadq *dp)
1250
{
1251
	if (refcount_release(&dp->dad_refcnt)) {
1252
		KASSERT(!dp->dad_ondadq, ("dp %p still on DAD queue", dp));
1253
		ifa_free(dp->dad_ifa);
1254
		free(dp, M_IP6NDP);
1255
	}
1256
}
1257

1258
void
1259
nd6_dad_init(void)
1260
{
1261
	DADQ_LOCK_INIT();
1262
	TAILQ_INIT(&V_dadq);
1263
}
1264

1265
/*
1266
 * Start Duplicate Address Detection (DAD) for specified interface address.
1267
 */
1268
void
1269
nd6_dad_start(struct ifaddr *ifa, int delay)
1270
{
1271
	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1272
	struct dadq *dp;
1273
	char ip6buf[INET6_ADDRSTRLEN];
1274

1275
	KASSERT((ia->ia6_flags & IN6_IFF_TENTATIVE) != 0,
1276
	    ("starting DAD on non-tentative address %p", ifa));
1277

1278
	/*
1279
	 * If we don't need DAD, don't do it.
1280
	 * There are several cases:
1281
	 * - DAD is disabled globally or on the interface
1282
	 * - the interface address is anycast
1283
	 */
1284
	if ((ia->ia6_flags & IN6_IFF_ANYCAST) != 0 ||
1285
	    V_ip6_dad_count == 0 ||
1286
	    (ifa->ifa_ifp->if_inet6->nd_flags & ND6_IFF_NO_DAD) != 0) {
1287
		ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1288
		return;
1289
	}
1290
	if ((ifa->ifa_ifp->if_flags & IFF_UP) == 0 ||
1291
	    (ifa->ifa_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
1292
	    (ifa->ifa_ifp->if_inet6->nd_flags & ND6_IFF_IFDISABLED) != 0)
1293
		return;
1294

1295
	DADQ_WLOCK();
1296
	if ((dp = nd6_dad_find(ifa, NULL)) != NULL) {
1297
		/*
1298
		 * DAD is already in progress.  Let the existing entry
1299
		 * finish it.
1300
		 */
1301
		DADQ_WUNLOCK();
1302
		return;
1303
	}
1304

1305
	dp = malloc(sizeof(*dp), M_IP6NDP, M_NOWAIT | M_ZERO);
1306
	if (dp == NULL) {
1307
		log(LOG_ERR, "nd6_dad_start: memory allocation failed for "
1308
			"%s(%s)\n",
1309
			ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1310
			ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1311
		return;
1312
	}
1313
	callout_init_rw(&dp->dad_timer_ch, DADQ_LOCKPTR(),
1314
	    CALLOUT_RETURNUNLOCKED);
1315
#ifdef VIMAGE
1316
	dp->dad_vnet = curvnet;
1317
#endif
1318
	nd6log((LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp),
1319
	    ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr)));
1320

1321
	/*
1322
	 * Send NS packet for DAD, ip6_dad_count times.
1323
	 * Note that we must delay the first transmission, if this is the
1324
	 * first packet to be sent from the interface after interface
1325
	 * (re)initialization.
1326
	 */
1327
	dp->dad_ifa = ifa;
1328
	ifa_ref(dp->dad_ifa);
1329
	dp->dad_count = V_ip6_dad_count;
1330
	dp->dad_ns_icount = dp->dad_na_icount = 0;
1331
	dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
1332
	dp->dad_ns_lcount = dp->dad_loopbackprobe = 0;
1333

1334
	/* Add this to the dadq and add a reference for the dadq. */
1335
	refcount_init(&dp->dad_refcnt, 1);
1336
	nd6_dad_add(dp);
1337
	nd6_dad_starttimer(dp, delay);
1338
	DADQ_WUNLOCK();
1339
}
1340

1341
/*
1342
 * terminate DAD unconditionally.  used for address removals.
1343
 */
1344
void
1345
nd6_dad_stop(struct ifaddr *ifa)
1346
{
1347
	struct dadq *dp;
1348

1349
	DADQ_WLOCK();
1350
	dp = nd6_dad_find(ifa, NULL);
1351
	if (dp == NULL) {
1352
		DADQ_WUNLOCK();
1353
		/* DAD wasn't started yet */
1354
		return;
1355
	}
1356

1357
	/*
1358
	 * Acquire a temporary reference so that we can safely stop the callout.
1359
	 */
1360
	(void)refcount_acquire(&dp->dad_refcnt);
1361
	nd6_dad_del(dp);
1362
	DADQ_WUNLOCK();
1363

1364
	nd6_dad_stoptimer(dp);
1365
	nd6_dad_rele(dp);
1366
}
1367

1368
static void
1369
nd6_dad_timer(void *arg)
1370
{
1371
	struct dadq *dp = arg;
1372
	struct ifaddr *ifa = dp->dad_ifa;
1373
	struct ifnet *ifp = dp->dad_ifa->ifa_ifp;
1374
	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1375
	char ip6buf[INET6_ADDRSTRLEN];
1376
	struct epoch_tracker et;
1377

1378
	CURVNET_SET(dp->dad_vnet);
1379
	KASSERT(ia != NULL, ("DAD entry %p with no address", dp));
1380

1381
	NET_EPOCH_ENTER(et);
1382
	if (ifp->if_inet6->nd_flags & ND6_IFF_IFDISABLED) {
1383
		/* Do not need DAD for ifdisabled interface. */
1384
		log(LOG_ERR, "nd6_dad_timer: cancel DAD on %s because of "
1385
		    "ND6_IFF_IFDISABLED.\n", ifp->if_xname);
1386
		goto err;
1387
	}
1388
	if (ia->ia6_flags & IN6_IFF_DUPLICATED) {
1389
		log(LOG_ERR, "nd6_dad_timer: called with duplicated address "
1390
			"%s(%s)\n",
1391
			ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1392
			ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1393
		goto err;
1394
	}
1395
	if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) {
1396
		log(LOG_ERR, "nd6_dad_timer: called with non-tentative address "
1397
			"%s(%s)\n",
1398
			ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1399
			ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1400
		goto err;
1401
	}
1402

1403
	/* Stop DAD if the interface is down even after dad_maxtry attempts. */
1404
	if ((dp->dad_ns_tcount > V_dad_maxtry) &&
1405
	    (((ifp->if_flags & IFF_UP) == 0) ||
1406
	     ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0))) {
1407
		nd6log((LOG_INFO, "%s: could not run DAD "
1408
		    "because the interface was down or not running.\n",
1409
		    if_name(ifa->ifa_ifp)));
1410
		goto err;
1411
	}
1412

1413
	/* Need more checks? */
1414
	if (dp->dad_ns_ocount < dp->dad_count) {
1415
		/*
1416
		 * We have more NS to go.  Send NS packet for DAD.
1417
		 */
1418
		nd6_dad_starttimer(dp,
1419
		    (long)ifa->ifa_ifp->if_inet6->nd_retrans * hz / 1000);
1420
		nd6_dad_ns_output(dp);
1421
		goto done;
1422
	} else {
1423
		/*
1424
		 * We have transmitted sufficient number of DAD packets.
1425
		 * See what we've got.
1426
		 */
1427
		if (dp->dad_ns_icount > 0 || dp->dad_na_icount > 0) {
1428
			/* We've seen NS or NA, means DAD has failed. */
1429
			nd6_dad_duplicated(ifa, dp);
1430
		} else if (V_dad_enhanced != 0 &&
1431
		    dp->dad_ns_lcount > 0 &&
1432
		    dp->dad_ns_lcount > dp->dad_loopbackprobe) {
1433
			/*
1434
			 * Sec. 4.1 in RFC 7527 requires transmission of
1435
			 * additional probes until the loopback condition
1436
			 * becomes clear when a looped back probe is detected.
1437
			 */
1438
			log(LOG_ERR, "%s: a looped back NS message is "
1439
			    "detected during DAD for %s.  "
1440
			    "Another DAD probes are being sent.\n",
1441
			    if_name(ifa->ifa_ifp),
1442
			    ip6_sprintf(ip6buf, IFA_IN6(ifa)));
1443
			dp->dad_loopbackprobe = dp->dad_ns_lcount;
1444
			/*
1445
			 * Send an NS immediately and increase dad_count by
1446
			 * V_nd6_mmaxtries - 1.
1447
			 */
1448
			dp->dad_count =
1449
			    dp->dad_ns_ocount + V_nd6_mmaxtries - 1;
1450
			nd6_dad_starttimer(dp,
1451
			    (long)ifa->ifa_ifp->if_inet6->nd_retrans * hz / 1000);
1452
			nd6_dad_ns_output(dp);
1453
			goto done;
1454
		} else {
1455
			/*
1456
			 * We are done with DAD.  No NA came, no NS came.
1457
			 * No duplicate address found.  Check IFDISABLED flag
1458
			 * again in case that it is changed between the
1459
			 * beginning of this function and here.
1460
			 *
1461
			 * Reset DAD failures counter if using stable addresses.
1462
			 */
1463
			if ((ifp->if_inet6->nd_flags & ND6_IFF_IFDISABLED) == 0) {
1464
				ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1465
				if ((ifp->if_inet6->nd_flags & ND6_IFF_STABLEADDR) && !(ia->ia6_flags & IN6_IFF_TEMPORARY))
1466
					atomic_store_int(&DAD_FAILURES(ifp), 0);
1467
			}
1468

1469
			nd6log((LOG_DEBUG,
1470
			    "%s: DAD complete for %s - no duplicates found\n",
1471
			    if_name(ifa->ifa_ifp),
1472
			    ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr)));
1473
			if (dp->dad_ns_lcount > 0)
1474
				log(LOG_ERR, "%s: DAD completed while "
1475
				    "a looped back NS message is detected "
1476
				    "during DAD for %s.\n",
1477
				    if_name(ifa->ifa_ifp),
1478
				    ip6_sprintf(ip6buf, IFA_IN6(ifa)));
1479
		}
1480
	}
1481
err:
1482
	nd6_dad_del(dp);
1483
	DADQ_WUNLOCK();
1484
done:
1485
	NET_EPOCH_EXIT(et);
1486
	CURVNET_RESTORE();
1487
}
1488

1489
static void
1490
nd6_dad_duplicated(struct ifaddr *ifa, struct dadq *dp)
1491
{
1492
	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1493
	struct ifnet *ifp;
1494
	char ip6buf[INET6_ADDRSTRLEN];
1495

1496
	ifp = ifa->ifa_ifp;
1497

1498
	log(LOG_ERR, "%s: DAD detected duplicate IPv6 address %s: "
1499
	    "NS in/out/loopback=%d/%d/%d, NA in=%d\n",
1500
	    if_name(ifp), ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1501
	    dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount,
1502
	    dp->dad_na_icount);
1503

1504
	ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1505
	ia->ia6_flags |= IN6_IFF_DUPLICATED;
1506

1507
	log(LOG_ERR, "%s: DAD complete for %s - duplicate found\n",
1508
	    if_name(ifp), ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr));
1509

1510
	/*
1511
	 * For RFC 7217 stable addresses, increment failure counter here if we still have retries.
1512
	 * More addresses will be generated as long as retries are not exhausted.
1513
	 */
1514
	if ((ifp->if_inet6->nd_flags & ND6_IFF_STABLEADDR) && !(ia->ia6_flags & IN6_IFF_TEMPORARY)) {
1515
		u_int dad_failures = atomic_load_int(&DAD_FAILURES(ifp));
1516

1517
		if (dad_failures <= V_ip6_stableaddr_maxretries) {
1518
			atomic_add_int(&DAD_FAILURES(ifp), 1);
1519
			/* if retries exhausted, output an informative error message */
1520
			if (dad_failures == V_ip6_stableaddr_maxretries)
1521
				log(LOG_ERR, "%s: manual intervention required, consider disabling \"stableaddr\" on the interface"
1522
				    " or checking hostuuid for uniqueness\n",
1523
				    if_name(ifp));
1524
		}
1525
	} else {
1526
		log(LOG_ERR, "%s: manual intervention required\n",
1527
		    if_name(ifp));
1528
	}
1529

1530
	/*
1531
	 * If the address is a link-local address formed from an interface
1532
	 * identifier based on the hardware address which is supposed to be
1533
	 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP
1534
	 * operation on the interface SHOULD be disabled.
1535
	 * [RFC 4862, Section 5.4.5]
1536
	 */
1537
	if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) {
1538
		struct in6_addr in6;
1539

1540
		/*
1541
		 * To avoid over-reaction, we only apply this logic when we are
1542
		 * very sure that hardware addresses are supposed to be unique.
1543
		 */
1544
		switch (ifp->if_type) {
1545
		case IFT_ETHER:
1546
		case IFT_ATM:
1547
		case IFT_IEEE1394:
1548
		case IFT_INFINIBAND:
1549
			in6 = ia->ia_addr.sin6_addr;
1550
			if (in6_get_hw_ifid(ifp, &in6) == 0 &&
1551
			    IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
1552
				ifp->if_inet6->nd_flags |= ND6_IFF_IFDISABLED;
1553
				log(LOG_ERR, "%s: possible hardware address "
1554
				    "duplication detected, disable IPv6\n",
1555
				    if_name(ifp));
1556
			}
1557
			break;
1558
		}
1559
	}
1560
}
1561

1562
/*
1563
 * Transmit a neighbour solicitation for the purpose of DAD.  Returns with the
1564
 * DAD queue unlocked.
1565
 */
1566
static void
1567
nd6_dad_ns_output(struct dadq *dp)
1568
{
1569
	struct in6_ifaddr *ia = (struct in6_ifaddr *)dp->dad_ifa;
1570
	struct ifnet *ifp = dp->dad_ifa->ifa_ifp;
1571
	int i;
1572

1573
	DADQ_WLOCK_ASSERT();
1574

1575
	dp->dad_ns_tcount++;
1576
	if ((ifp->if_flags & IFF_UP) == 0) {
1577
		DADQ_WUNLOCK();
1578
		return;
1579
	}
1580
	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
1581
		DADQ_WUNLOCK();
1582
		return;
1583
	}
1584

1585
	dp->dad_ns_ocount++;
1586
	if (V_dad_enhanced != 0) {
1587
		for (i = 0; i < ND_OPT_NONCE_LEN32; i++)
1588
			dp->dad_nonce[i] = arc4random();
1589
		/*
1590
		 * XXXHRS: Note that in the case that
1591
		 * DupAddrDetectTransmits > 1, multiple NS messages with
1592
		 * different nonces can be looped back in an unexpected
1593
		 * order.  The current implementation recognizes only
1594
		 * the latest nonce on the sender side.  Practically it
1595
		 * should work well in almost all cases.
1596
		 */
1597
	}
1598
	DADQ_WUNLOCK();
1599
	nd6_ns_output(ifp, NULL, NULL, &ia->ia_addr.sin6_addr,
1600
	    (uint8_t *)&dp->dad_nonce[0]);
1601
}
1602

1603
static void
1604
nd6_dad_ns_input(struct ifaddr *ifa, struct nd_opt_nonce *ndopt_nonce)
1605
{
1606
	struct dadq *dp;
1607

1608
	if (ifa == NULL)
1609
		panic("ifa == NULL in nd6_dad_ns_input");
1610

1611
	/* Ignore Nonce option when Enhanced DAD is disabled. */
1612
	if (V_dad_enhanced == 0)
1613
		ndopt_nonce = NULL;
1614
	DADQ_RLOCK();
1615
	dp = nd6_dad_find(ifa, ndopt_nonce);
1616
	if (dp != NULL)
1617
		dp->dad_ns_icount++;
1618
	DADQ_RUNLOCK();
1619
}
1620

1621
static void
1622
nd6_dad_na_input(struct ifaddr *ifa)
1623
{
1624
	struct dadq *dp;
1625

1626
	if (ifa == NULL)
1627
		panic("ifa == NULL in nd6_dad_na_input");
1628

1629
	DADQ_RLOCK();
1630
	dp = nd6_dad_find(ifa, NULL);
1631
	if (dp != NULL)
1632
		dp->dad_na_icount++;
1633
	DADQ_RUNLOCK();
1634
}
1635

1636