xref: /freebsd/sys/net80211/ieee80211_hwmp.c (revision 51015e6d0f570239b0c2088dc6cf2b018928375d)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2009 The FreeBSD Foundation
5  *
6  * This software was developed by Rui Paulo under sponsorship from the
7  * FreeBSD Foundation.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 #include <sys/cdefs.h>
31 #ifdef __FreeBSD__
32 __FBSDID("$FreeBSD$");
33 #endif
34 
35 /*
36  * IEEE 802.11s Hybrid Wireless Mesh Protocol, HWMP.
37  *
38  * Based on March 2009, D3.0 802.11s draft spec.
39  */
40 #include "opt_inet.h"
41 #include "opt_wlan.h"
42 
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/mbuf.h>
46 #include <sys/malloc.h>
47 #include <sys/kernel.h>
48 
49 #include <sys/socket.h>
50 #include <sys/sockio.h>
51 #include <sys/endian.h>
52 #include <sys/errno.h>
53 #include <sys/proc.h>
54 #include <sys/sysctl.h>
55 
56 #include <net/if.h>
57 #include <net/if_media.h>
58 #include <net/if_llc.h>
59 #include <net/ethernet.h>
60 
61 #include <net/bpf.h>
62 
63 #include <net80211/ieee80211_var.h>
64 #include <net80211/ieee80211_action.h>
65 #include <net80211/ieee80211_input.h>
66 #include <net80211/ieee80211_mesh.h>
67 
68 static void	hwmp_vattach(struct ieee80211vap *);
69 static void	hwmp_vdetach(struct ieee80211vap *);
70 static int	hwmp_newstate(struct ieee80211vap *,
71 		    enum ieee80211_state, int);
72 static int	hwmp_send_action(struct ieee80211vap *,
73 		    const uint8_t [IEEE80211_ADDR_LEN],
74 		    uint8_t *, size_t);
75 static uint8_t * hwmp_add_meshpreq(uint8_t *,
76 		    const struct ieee80211_meshpreq_ie *);
77 static uint8_t * hwmp_add_meshprep(uint8_t *,
78 		    const struct ieee80211_meshprep_ie *);
79 static uint8_t * hwmp_add_meshperr(uint8_t *,
80 		    const struct ieee80211_meshperr_ie *);
81 static uint8_t * hwmp_add_meshrann(uint8_t *,
82 		    const struct ieee80211_meshrann_ie *);
83 static void	hwmp_rootmode_setup(struct ieee80211vap *);
84 static void	hwmp_rootmode_cb(void *);
85 static void	hwmp_rootmode_rann_cb(void *);
86 static void	hwmp_recv_preq(struct ieee80211vap *, struct ieee80211_node *,
87 		    const struct ieee80211_frame *,
88 		    const struct ieee80211_meshpreq_ie *);
89 static int	hwmp_send_preq(struct ieee80211vap *,
90 		    const uint8_t [IEEE80211_ADDR_LEN],
91 		    struct ieee80211_meshpreq_ie *,
92 		    struct timeval *, struct timeval *);
93 static void	hwmp_recv_prep(struct ieee80211vap *, struct ieee80211_node *,
94 		    const struct ieee80211_frame *,
95 		    const struct ieee80211_meshprep_ie *);
96 static int	hwmp_send_prep(struct ieee80211vap *,
97 		    const uint8_t [IEEE80211_ADDR_LEN],
98 		    struct ieee80211_meshprep_ie *);
99 static void	hwmp_recv_perr(struct ieee80211vap *, struct ieee80211_node *,
100 		    const struct ieee80211_frame *,
101 		    const struct ieee80211_meshperr_ie *);
102 static int	hwmp_send_perr(struct ieee80211vap *,
103 		    const uint8_t [IEEE80211_ADDR_LEN],
104 		    struct ieee80211_meshperr_ie *);
105 static void	hwmp_senderror(struct ieee80211vap *,
106 		    const uint8_t [IEEE80211_ADDR_LEN],
107 		    struct ieee80211_mesh_route *, int);
108 static void	hwmp_recv_rann(struct ieee80211vap *, struct ieee80211_node *,
109 		   const struct ieee80211_frame *,
110 		   const struct ieee80211_meshrann_ie *);
111 static int	hwmp_send_rann(struct ieee80211vap *,
112 		    const uint8_t [IEEE80211_ADDR_LEN],
113 		    struct ieee80211_meshrann_ie *);
114 static struct ieee80211_node *
115 		hwmp_discover(struct ieee80211vap *,
116 		    const uint8_t [IEEE80211_ADDR_LEN], struct mbuf *);
117 static void	hwmp_peerdown(struct ieee80211_node *);
118 
119 static struct timeval ieee80211_hwmp_preqminint = { 0, 100000 };
120 static struct timeval ieee80211_hwmp_perrminint = { 0, 100000 };
121 
122 /* NB: the Target Address set in a Proactive PREQ is the broadcast address. */
123 static const uint8_t	broadcastaddr[IEEE80211_ADDR_LEN] =
124 	{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
125 
126 typedef uint32_t ieee80211_hwmp_seq;
127 #define	HWMP_SEQ_LT(a, b)	((int32_t)((a)-(b)) < 0)
128 #define	HWMP_SEQ_LEQ(a, b)	((int32_t)((a)-(b)) <= 0)
129 #define	HWMP_SEQ_EQ(a, b)	((int32_t)((a)-(b)) == 0)
130 #define	HWMP_SEQ_GT(a, b)	((int32_t)((a)-(b)) > 0)
131 
132 #define HWMP_SEQ_MAX(a, b)	(a > b ? a : b)
133 
134 /*
135  * Private extension of ieee80211_mesh_route.
136  */
137 struct ieee80211_hwmp_route {
138 	ieee80211_hwmp_seq	hr_seq;		/* last HWMP seq seen from dst*/
139 	ieee80211_hwmp_seq	hr_preqid;	/* last PREQ ID seen from dst */
140 	ieee80211_hwmp_seq	hr_origseq;	/* seq. no. on our latest PREQ*/
141 	struct timeval		hr_lastpreq;	/* last time we sent a PREQ */
142 	struct timeval		hr_lastrootconf; /* last sent PREQ root conf */
143 	int			hr_preqretries;	/* number of discoveries */
144 	int			hr_lastdiscovery; /* last discovery in ticks */
145 };
146 struct ieee80211_hwmp_state {
147 	ieee80211_hwmp_seq	hs_seq;		/* next seq to be used */
148 	ieee80211_hwmp_seq	hs_preqid;	/* next PREQ ID to be used */
149 	int			hs_rootmode;	/* proactive HWMP */
150 	struct timeval		hs_lastperr;	/* last time we sent a PERR */
151 	struct callout		hs_roottimer;
152 	uint8_t			hs_maxhops;	/* max hop count */
153 };
154 
155 static SYSCTL_NODE(_net_wlan, OID_AUTO, hwmp, CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
156     "IEEE 802.11s HWMP parameters");
157 static int	ieee80211_hwmp_targetonly = 0;
158 SYSCTL_INT(_net_wlan_hwmp, OID_AUTO, targetonly, CTLFLAG_RW,
159     &ieee80211_hwmp_targetonly, 0, "Set TO bit on generated PREQs");
160 static int	ieee80211_hwmp_pathtimeout = -1;
161 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, pathlifetime,
162     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
163     &ieee80211_hwmp_pathtimeout, 0, ieee80211_sysctl_msecs_ticks, "I",
164     "path entry lifetime (ms)");
165 static int	ieee80211_hwmp_maxpreq_retries = -1;
166 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, maxpreq_retries,
167     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
168     &ieee80211_hwmp_maxpreq_retries, 0, ieee80211_sysctl_msecs_ticks, "I",
169     "maximum number of preq retries");
170 static int	ieee80211_hwmp_net_diameter_traversaltime = -1;
171 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, net_diameter_traversal_time,
172     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
173     &ieee80211_hwmp_net_diameter_traversaltime, 0,
174     ieee80211_sysctl_msecs_ticks, "I",
175     "estimate traversal time across the MBSS (ms)");
176 static int	ieee80211_hwmp_roottimeout = -1;
177 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, roottimeout,
178     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
179     &ieee80211_hwmp_roottimeout, 0, ieee80211_sysctl_msecs_ticks, "I",
180     "root PREQ timeout (ms)");
181 static int	ieee80211_hwmp_rootint = -1;
182 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, rootint,
183     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
184     &ieee80211_hwmp_rootint, 0, ieee80211_sysctl_msecs_ticks, "I",
185     "root interval (ms)");
186 static int	ieee80211_hwmp_rannint = -1;
187 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, rannint,
188     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
189     &ieee80211_hwmp_rannint, 0, ieee80211_sysctl_msecs_ticks, "I",
190     "root announcement interval (ms)");
191 static struct timeval ieee80211_hwmp_rootconfint = { 0, 0 };
192 static int	ieee80211_hwmp_rootconfint_internal = -1;
193 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, rootconfint,
194     CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
195     &ieee80211_hwmp_rootconfint_internal, 0, ieee80211_sysctl_msecs_ticks, "I",
196     "root confirmation interval (ms) (read-only)");
197 
198 #define	IEEE80211_HWMP_DEFAULT_MAXHOPS	31
199 
200 static	ieee80211_recv_action_func hwmp_recv_action_meshpath;
201 
202 static struct ieee80211_mesh_proto_path mesh_proto_hwmp = {
203 	.mpp_descr	= "HWMP",
204 	.mpp_ie		= IEEE80211_MESHCONF_PATH_HWMP,
205 	.mpp_discover	= hwmp_discover,
206 	.mpp_peerdown	= hwmp_peerdown,
207 	.mpp_senderror	= hwmp_senderror,
208 	.mpp_vattach	= hwmp_vattach,
209 	.mpp_vdetach	= hwmp_vdetach,
210 	.mpp_newstate	= hwmp_newstate,
211 	.mpp_privlen	= sizeof(struct ieee80211_hwmp_route),
212 };
213 SYSCTL_PROC(_net_wlan_hwmp, OID_AUTO, inact,
214     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT,
215     &mesh_proto_hwmp.mpp_inact, 0, ieee80211_sysctl_msecs_ticks, "I",
216     "mesh route inactivity timeout (ms)");
217 
218 static void
219 ieee80211_hwmp_init(void)
220 {
221 	/* Default values as per amendment */
222 	ieee80211_hwmp_pathtimeout = msecs_to_ticks(5*1000);
223 	ieee80211_hwmp_roottimeout = msecs_to_ticks(5*1000);
224 	ieee80211_hwmp_rootint = msecs_to_ticks(2*1000);
225 	ieee80211_hwmp_rannint = msecs_to_ticks(1*1000);
226 	ieee80211_hwmp_rootconfint_internal = msecs_to_ticks(2*1000);
227 	ieee80211_hwmp_maxpreq_retries = 3;
228 	/*
229 	 * (TU): A measurement of time equal to 1024 μs,
230 	 * 500 TU is 512 ms.
231 	 */
232 	ieee80211_hwmp_net_diameter_traversaltime = msecs_to_ticks(512);
233 
234 	/*
235 	 * NB: I dont know how to make SYSCTL_PROC that calls ms to ticks
236 	 * and return a struct timeval...
237 	 */
238 	ieee80211_hwmp_rootconfint.tv_usec =
239 	    ieee80211_hwmp_rootconfint_internal * 1000;
240 
241 	/*
242 	 * Register action frame handler.
243 	 */
244 	ieee80211_recv_action_register(IEEE80211_ACTION_CAT_MESH,
245 	    IEEE80211_ACTION_MESH_HWMP, hwmp_recv_action_meshpath);
246 
247 	/* NB: default is 5 secs per spec */
248 	mesh_proto_hwmp.mpp_inact = msecs_to_ticks(5*1000);
249 
250 	/*
251 	 * Register HWMP.
252 	 */
253 	ieee80211_mesh_register_proto_path(&mesh_proto_hwmp);
254 }
255 SYSINIT(wlan_hwmp, SI_SUB_DRIVERS, SI_ORDER_SECOND, ieee80211_hwmp_init, NULL);
256 
257 static void
258 hwmp_vattach(struct ieee80211vap *vap)
259 {
260 	struct ieee80211_hwmp_state *hs;
261 
262 	KASSERT(vap->iv_opmode == IEEE80211_M_MBSS,
263 	    ("not a mesh vap, opmode %d", vap->iv_opmode));
264 
265 	hs = IEEE80211_MALLOC(sizeof(struct ieee80211_hwmp_state), M_80211_VAP,
266 	    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
267 	if (hs == NULL) {
268 		printf("%s: couldn't alloc HWMP state\n", __func__);
269 		return;
270 	}
271 	hs->hs_maxhops = IEEE80211_HWMP_DEFAULT_MAXHOPS;
272 	callout_init(&hs->hs_roottimer, 1);
273 	vap->iv_hwmp = hs;
274 }
275 
276 static void
277 hwmp_vdetach(struct ieee80211vap *vap)
278 {
279 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
280 
281 	callout_drain(&hs->hs_roottimer);
282 	IEEE80211_FREE(vap->iv_hwmp, M_80211_VAP);
283 	vap->iv_hwmp = NULL;
284 }
285 
286 static int
287 hwmp_newstate(struct ieee80211vap *vap, enum ieee80211_state ostate, int arg)
288 {
289 	enum ieee80211_state nstate = vap->iv_state;
290 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
291 
292 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
293 	    __func__, ieee80211_state_name[ostate],
294 	    ieee80211_state_name[nstate], arg);
295 
296 	if (nstate != IEEE80211_S_RUN && ostate == IEEE80211_S_RUN)
297 		callout_drain(&hs->hs_roottimer);
298 	if (nstate == IEEE80211_S_RUN)
299 		hwmp_rootmode_setup(vap);
300 	return 0;
301 }
302 
303 /*
304  * Verify the length of an HWMP PREQ and return the number
305  * of destinations >= 1, if verification fails -1 is returned.
306  */
307 static int
308 verify_mesh_preq_len(struct ieee80211vap *vap,
309     const struct ieee80211_frame *wh, const uint8_t *iefrm)
310 {
311 	int alloc_sz = -1;
312 	int ndest = -1;
313 	if (iefrm[2] & IEEE80211_MESHPREQ_FLAGS_AE) {
314 		/* Originator External Address  present */
315 		alloc_sz =  IEEE80211_MESHPREQ_BASE_SZ_AE;
316 		ndest = iefrm[IEEE80211_MESHPREQ_TCNT_OFFSET_AE];
317 	} else {
318 		/* w/o Originator External Address */
319 		alloc_sz =  IEEE80211_MESHPREQ_BASE_SZ;
320 		ndest = iefrm[IEEE80211_MESHPREQ_TCNT_OFFSET];
321 	}
322 	alloc_sz += ndest * IEEE80211_MESHPREQ_TRGT_SZ;
323 
324 	if(iefrm[1] != (alloc_sz)) {
325 		IEEE80211_DISCARD(vap,
326 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
327 		    wh, NULL, "PREQ (AE=%s) with wrong len",
328 		    iefrm[2] & IEEE80211_MESHPREQ_FLAGS_AE ? "1" : "0");
329 		return (-1);
330 	}
331 	return ndest;
332 }
333 
334 /*
335  * Verify the length of an HWMP PREP and returns 1 on success,
336  * otherwise -1.
337  */
338 static int
339 verify_mesh_prep_len(struct ieee80211vap *vap,
340     const struct ieee80211_frame *wh, const uint8_t *iefrm)
341 {
342 	int alloc_sz = -1;
343 	if (iefrm[2] & IEEE80211_MESHPREP_FLAGS_AE) {
344 		if (iefrm[1] == IEEE80211_MESHPREP_BASE_SZ_AE)
345 			alloc_sz = IEEE80211_MESHPREP_BASE_SZ_AE;
346 	} else if (iefrm[1] == IEEE80211_MESHPREP_BASE_SZ)
347 		alloc_sz = IEEE80211_MESHPREP_BASE_SZ;
348 	if(alloc_sz < 0) {
349 		IEEE80211_DISCARD(vap,
350 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
351 		    wh, NULL, "PREP (AE=%s) with wrong len",
352 		    iefrm[2] & IEEE80211_MESHPREP_FLAGS_AE ? "1" : "0");
353 		return (-1);
354 	}
355 	return (1);
356 }
357 
358 /*
359  * Verify the length of an HWMP PERR and return the number
360  * of destinations >= 1, if verification fails -1 is returned.
361  */
362 static int
363 verify_mesh_perr_len(struct ieee80211vap *vap,
364     const struct ieee80211_frame *wh, const uint8_t *iefrm)
365 {
366 	int alloc_sz = -1;
367 	const uint8_t *iefrm_t = iefrm;
368 	uint8_t ndest = iefrm_t[IEEE80211_MESHPERR_NDEST_OFFSET];
369 	int i;
370 
371 	if(ndest > IEEE80211_MESHPERR_MAXDEST) {
372 		IEEE80211_DISCARD(vap,
373 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
374 		    wh, NULL, "PERR with wrong number of destionat (>19), %u",
375 		    ndest);
376 		return (-1);
377 	}
378 
379 	iefrm_t += IEEE80211_MESHPERR_NDEST_OFFSET + 1; /* flag is next field */
380 	/* We need to check each destination flag to know size */
381 	for(i = 0; i<ndest; i++) {
382 		if ((*iefrm_t) & IEEE80211_MESHPERR_FLAGS_AE)
383 			iefrm_t += IEEE80211_MESHPERR_DEST_SZ_AE;
384 		else
385 			iefrm_t += IEEE80211_MESHPERR_DEST_SZ;
386 	}
387 
388 	alloc_sz = (iefrm_t - iefrm) - 2; /* action + code */
389 	if(alloc_sz !=  iefrm[1]) {
390 		IEEE80211_DISCARD(vap,
391 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
392 		    wh, NULL, "%s", "PERR with wrong len");
393 		return (-1);
394 	}
395 	return ndest;
396 }
397 
398 static int
399 hwmp_recv_action_meshpath(struct ieee80211_node *ni,
400 	const struct ieee80211_frame *wh,
401 	const uint8_t *frm, const uint8_t *efrm)
402 {
403 	struct ieee80211vap *vap = ni->ni_vap;
404 	struct ieee80211_meshpreq_ie *preq;
405 	struct ieee80211_meshprep_ie *prep;
406 	struct ieee80211_meshperr_ie *perr;
407 	struct ieee80211_meshrann_ie rann;
408 	const uint8_t *iefrm = frm + 2; /* action + code */
409 	const uint8_t *iefrm_t = iefrm; /* temporary pointer */
410 	int ndest = -1;
411 	int found = 0;
412 
413 	while (efrm - iefrm > 1) {
414 		IEEE80211_VERIFY_LENGTH(efrm - iefrm, iefrm[1] + 2, return 0);
415 		switch (*iefrm) {
416 		case IEEE80211_ELEMID_MESHPREQ:
417 		{
418 			int i = 0;
419 
420 			iefrm_t = iefrm;
421 			ndest = verify_mesh_preq_len(vap, wh, iefrm_t);
422 			if (ndest < 0) {
423 				vap->iv_stats.is_rx_mgtdiscard++;
424 				break;
425 			}
426 			preq = IEEE80211_MALLOC(sizeof(*preq) +
427 			    (ndest - 1) * sizeof(*preq->preq_targets),
428 			    M_80211_MESH_PREQ,
429 			    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
430 			KASSERT(preq != NULL, ("preq == NULL"));
431 
432 			preq->preq_ie = *iefrm_t++;
433 			preq->preq_len = *iefrm_t++;
434 			preq->preq_flags = *iefrm_t++;
435 			preq->preq_hopcount = *iefrm_t++;
436 			preq->preq_ttl = *iefrm_t++;
437 			preq->preq_id = le32dec(iefrm_t); iefrm_t += 4;
438 			IEEE80211_ADDR_COPY(preq->preq_origaddr, iefrm_t);
439 			iefrm_t += 6;
440 			preq->preq_origseq = le32dec(iefrm_t); iefrm_t += 4;
441 			/* NB: may have Originator Proxied Address */
442 			if (preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_AE)  {
443 				IEEE80211_ADDR_COPY(
444 				    preq->preq_orig_ext_addr, iefrm_t);
445 				iefrm_t += 6;
446 			}
447 			preq->preq_lifetime = le32dec(iefrm_t); iefrm_t += 4;
448 			preq->preq_metric = le32dec(iefrm_t); iefrm_t += 4;
449 			preq->preq_tcount = *iefrm_t++;
450 
451 			for (i = 0; i < preq->preq_tcount; i++) {
452 				preq->preq_targets[i].target_flags = *iefrm_t++;
453 				IEEE80211_ADDR_COPY(
454 				    preq->preq_targets[i].target_addr, iefrm_t);
455 				iefrm_t += 6;
456 				preq->preq_targets[i].target_seq =
457 				    le32dec(iefrm_t);
458 				iefrm_t += 4;
459 			}
460 
461 			hwmp_recv_preq(vap, ni, wh, preq);
462 			IEEE80211_FREE(preq, M_80211_MESH_PREQ);
463 			found++;
464 			break;
465 		}
466 		case IEEE80211_ELEMID_MESHPREP:
467 		{
468 			iefrm_t = iefrm;
469 			ndest = verify_mesh_prep_len(vap, wh, iefrm_t);
470 			if (ndest < 0) {
471 				vap->iv_stats.is_rx_mgtdiscard++;
472 				break;
473 			}
474 			prep = IEEE80211_MALLOC(sizeof(*prep),
475 			    M_80211_MESH_PREP,
476 			    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
477 			KASSERT(prep != NULL, ("prep == NULL"));
478 
479 			prep->prep_ie = *iefrm_t++;
480 			prep->prep_len = *iefrm_t++;
481 			prep->prep_flags = *iefrm_t++;
482 			prep->prep_hopcount = *iefrm_t++;
483 			prep->prep_ttl = *iefrm_t++;
484 			IEEE80211_ADDR_COPY(prep->prep_targetaddr, iefrm_t);
485 			iefrm_t += 6;
486 			prep->prep_targetseq = le32dec(iefrm_t); iefrm_t += 4;
487 			/* NB: May have Target Proxied Address */
488 			if (prep->prep_flags & IEEE80211_MESHPREP_FLAGS_AE)  {
489 				IEEE80211_ADDR_COPY(
490 				    prep->prep_target_ext_addr, iefrm_t);
491 				iefrm_t += 6;
492 			}
493 			prep->prep_lifetime = le32dec(iefrm_t); iefrm_t += 4;
494 			prep->prep_metric = le32dec(iefrm_t); iefrm_t += 4;
495 			IEEE80211_ADDR_COPY(prep->prep_origaddr, iefrm_t);
496 			iefrm_t += 6;
497 			prep->prep_origseq = le32dec(iefrm_t); iefrm_t += 4;
498 
499 			hwmp_recv_prep(vap, ni, wh, prep);
500 			IEEE80211_FREE(prep, M_80211_MESH_PREP);
501 			found++;
502 			break;
503 		}
504 		case IEEE80211_ELEMID_MESHPERR:
505 		{
506 			int i = 0;
507 
508 			iefrm_t = iefrm;
509 			ndest = verify_mesh_perr_len(vap, wh, iefrm_t);
510 			if (ndest < 0) {
511 				vap->iv_stats.is_rx_mgtdiscard++;
512 				break;
513 			}
514 			perr = IEEE80211_MALLOC(sizeof(*perr) +
515 			    (ndest - 1) * sizeof(*perr->perr_dests),
516 			    M_80211_MESH_PERR,
517 			    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
518 			KASSERT(perr != NULL, ("perr == NULL"));
519 
520 			perr->perr_ie = *iefrm_t++;
521 			perr->perr_len = *iefrm_t++;
522 			perr->perr_ttl = *iefrm_t++;
523 			perr->perr_ndests = *iefrm_t++;
524 
525 			for (i = 0; i<perr->perr_ndests; i++) {
526 				perr->perr_dests[i].dest_flags = *iefrm_t++;
527 				IEEE80211_ADDR_COPY(
528 				    perr->perr_dests[i].dest_addr, iefrm_t);
529 				iefrm_t += 6;
530 				perr->perr_dests[i].dest_seq = le32dec(iefrm_t);
531 				iefrm_t += 4;
532 				/* NB: May have Target Proxied Address */
533 				if (perr->perr_dests[i].dest_flags &
534 				    IEEE80211_MESHPERR_FLAGS_AE) {
535 					IEEE80211_ADDR_COPY(
536 					    perr->perr_dests[i].dest_ext_addr,
537 					    iefrm_t);
538 					iefrm_t += 6;
539 				}
540 				perr->perr_dests[i].dest_rcode =
541 				    le16dec(iefrm_t);
542 				iefrm_t += 2;
543 			}
544 
545 			hwmp_recv_perr(vap, ni, wh, perr);
546 			IEEE80211_FREE(perr, M_80211_MESH_PERR);
547 			found++;
548 			break;
549 		}
550 		case IEEE80211_ELEMID_MESHRANN:
551 		{
552 			const struct ieee80211_meshrann_ie *mrann =
553 			    (const struct ieee80211_meshrann_ie *) iefrm;
554 			if (mrann->rann_len !=
555 			    sizeof(struct ieee80211_meshrann_ie) - 2) {
556 				IEEE80211_DISCARD(vap,
557 				    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
558 				    wh, NULL, "%s", "RAN with wrong len");
559 				    vap->iv_stats.is_rx_mgtdiscard++;
560 				return 1;
561 			}
562 			memcpy(&rann, mrann, sizeof(rann));
563 			rann.rann_seq = le32dec(&mrann->rann_seq);
564 			rann.rann_interval = le32dec(&mrann->rann_interval);
565 			rann.rann_metric = le32dec(&mrann->rann_metric);
566 			hwmp_recv_rann(vap, ni, wh, &rann);
567 			found++;
568 			break;
569 		}
570 		}
571 		iefrm += iefrm[1] + 2;
572 	}
573 	if (!found) {
574 		IEEE80211_DISCARD(vap,
575 		    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
576 		    wh, NULL, "%s", "PATH SEL action without IE");
577 		vap->iv_stats.is_rx_mgtdiscard++;
578 	}
579 	return 0;
580 }
581 
582 static int
583 hwmp_send_action(struct ieee80211vap *vap,
584     const uint8_t da[IEEE80211_ADDR_LEN],
585     uint8_t *ie, size_t len)
586 {
587 	struct ieee80211_node *ni;
588 	struct ieee80211com *ic;
589 	struct ieee80211_bpf_params params;
590 	struct mbuf *m;
591 	uint8_t *frm;
592 	int ret;
593 
594 	if (IEEE80211_IS_MULTICAST(da)) {
595 		ni = ieee80211_ref_node(vap->iv_bss);
596 #ifdef IEEE80211_DEBUG_REFCNT
597 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
598 		"ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
599 		__func__, __LINE__,
600 		ni, ether_sprintf(ni->ni_macaddr),
601 		ieee80211_node_refcnt(ni)+1);
602 #endif
603 		ieee80211_ref_node(ni);
604 	}
605 	else
606 		ni = ieee80211_mesh_find_txnode(vap, da);
607 
608 	if (vap->iv_state == IEEE80211_S_CAC) {
609 		IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni,
610 		    "block %s frame in CAC state", "HWMP action");
611 		vap->iv_stats.is_tx_badstate++;
612 		return EIO;	/* XXX */
613 	}
614 
615 	KASSERT(ni != NULL, ("null node"));
616 	ic = ni->ni_ic;
617 
618 	m = ieee80211_getmgtframe(&frm,
619 	    ic->ic_headroom + sizeof(struct ieee80211_frame),
620 	    sizeof(struct ieee80211_action) + len
621 	);
622 	if (m == NULL) {
623 		ieee80211_free_node(ni);
624 		vap->iv_stats.is_tx_nobuf++;
625 		return ENOMEM;
626 	}
627 	*frm++ = IEEE80211_ACTION_CAT_MESH;
628 	*frm++ = IEEE80211_ACTION_MESH_HWMP;
629 	switch (*ie) {
630 	case IEEE80211_ELEMID_MESHPREQ:
631 		frm = hwmp_add_meshpreq(frm,
632 		    (struct ieee80211_meshpreq_ie *)ie);
633 		break;
634 	case IEEE80211_ELEMID_MESHPREP:
635 		frm = hwmp_add_meshprep(frm,
636 		    (struct ieee80211_meshprep_ie *)ie);
637 		break;
638 	case IEEE80211_ELEMID_MESHPERR:
639 		frm = hwmp_add_meshperr(frm,
640 		    (struct ieee80211_meshperr_ie *)ie);
641 		break;
642 	case IEEE80211_ELEMID_MESHRANN:
643 		frm = hwmp_add_meshrann(frm,
644 		    (struct ieee80211_meshrann_ie *)ie);
645 		break;
646 	}
647 
648 	m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
649 	M_PREPEND(m, sizeof(struct ieee80211_frame), IEEE80211_M_NOWAIT);
650 	if (m == NULL) {
651 		ieee80211_free_node(ni);
652 		vap->iv_stats.is_tx_nobuf++;
653 		return ENOMEM;
654 	}
655 
656 	IEEE80211_TX_LOCK(ic);
657 
658 	ieee80211_send_setup(ni, m,
659 	    IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_ACTION,
660 	    IEEE80211_NONQOS_TID, vap->iv_myaddr, da, vap->iv_myaddr);
661 
662 	m->m_flags |= M_ENCAP;		/* mark encapsulated */
663 	IEEE80211_NODE_STAT(ni, tx_mgmt);
664 
665 	memset(&params, 0, sizeof(params));
666 	params.ibp_pri = WME_AC_VO;
667 	params.ibp_rate0 = ni->ni_txparms->mgmtrate;
668 	if (IEEE80211_IS_MULTICAST(da))
669 		params.ibp_try0 = 1;
670 	else
671 		params.ibp_try0 = ni->ni_txparms->maxretry;
672 	params.ibp_power = ni->ni_txpower;
673 	ret = ieee80211_raw_output(vap, ni, m, &params);
674 	IEEE80211_TX_UNLOCK(ic);
675 	return (ret);
676 }
677 
678 #define ADDSHORT(frm, v) do {		\
679 	le16enc(frm, v);		\
680 	frm += 2;			\
681 } while (0)
682 #define ADDWORD(frm, v) do {		\
683 	le32enc(frm, v);		\
684 	frm += 4;			\
685 } while (0)
686 /*
687  * Add a Mesh Path Request IE to a frame.
688  */
689 #define	PREQ_TFLAGS(n)	preq->preq_targets[n].target_flags
690 #define	PREQ_TADDR(n)	preq->preq_targets[n].target_addr
691 #define	PREQ_TSEQ(n)	preq->preq_targets[n].target_seq
692 static uint8_t *
693 hwmp_add_meshpreq(uint8_t *frm, const struct ieee80211_meshpreq_ie *preq)
694 {
695 	int i;
696 
697 	*frm++ = IEEE80211_ELEMID_MESHPREQ;
698 	*frm++ = preq->preq_len;	/* len already calculated */
699 	*frm++ = preq->preq_flags;
700 	*frm++ = preq->preq_hopcount;
701 	*frm++ = preq->preq_ttl;
702 	ADDWORD(frm, preq->preq_id);
703 	IEEE80211_ADDR_COPY(frm, preq->preq_origaddr); frm += 6;
704 	ADDWORD(frm, preq->preq_origseq);
705 	if (preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_AE) {
706 		IEEE80211_ADDR_COPY(frm, preq->preq_orig_ext_addr);
707 		frm += 6;
708 	}
709 	ADDWORD(frm, preq->preq_lifetime);
710 	ADDWORD(frm, preq->preq_metric);
711 	*frm++ = preq->preq_tcount;
712 	for (i = 0; i < preq->preq_tcount; i++) {
713 		*frm++ = PREQ_TFLAGS(i);
714 		IEEE80211_ADDR_COPY(frm, PREQ_TADDR(i));
715 		frm += 6;
716 		ADDWORD(frm, PREQ_TSEQ(i));
717 	}
718 	return frm;
719 }
720 #undef	PREQ_TFLAGS
721 #undef	PREQ_TADDR
722 #undef	PREQ_TSEQ
723 
724 /*
725  * Add a Mesh Path Reply IE to a frame.
726  */
727 static uint8_t *
728 hwmp_add_meshprep(uint8_t *frm, const struct ieee80211_meshprep_ie *prep)
729 {
730 	*frm++ = IEEE80211_ELEMID_MESHPREP;
731 	*frm++ = prep->prep_len;	/* len already calculated */
732 	*frm++ = prep->prep_flags;
733 	*frm++ = prep->prep_hopcount;
734 	*frm++ = prep->prep_ttl;
735 	IEEE80211_ADDR_COPY(frm, prep->prep_targetaddr); frm += 6;
736 	ADDWORD(frm, prep->prep_targetseq);
737 	if (prep->prep_flags & IEEE80211_MESHPREP_FLAGS_AE) {
738 		IEEE80211_ADDR_COPY(frm, prep->prep_target_ext_addr);
739 		frm += 6;
740 	}
741 	ADDWORD(frm, prep->prep_lifetime);
742 	ADDWORD(frm, prep->prep_metric);
743 	IEEE80211_ADDR_COPY(frm, prep->prep_origaddr); frm += 6;
744 	ADDWORD(frm, prep->prep_origseq);
745 	return frm;
746 }
747 
748 /*
749  * Add a Mesh Path Error IE to a frame.
750  */
751 #define	PERR_DFLAGS(n)	perr->perr_dests[n].dest_flags
752 #define	PERR_DADDR(n)	perr->perr_dests[n].dest_addr
753 #define	PERR_DSEQ(n)	perr->perr_dests[n].dest_seq
754 #define	PERR_EXTADDR(n)	perr->perr_dests[n].dest_ext_addr
755 #define	PERR_DRCODE(n)	perr->perr_dests[n].dest_rcode
756 static uint8_t *
757 hwmp_add_meshperr(uint8_t *frm, const struct ieee80211_meshperr_ie *perr)
758 {
759 	int i;
760 
761 	*frm++ = IEEE80211_ELEMID_MESHPERR;
762 	*frm++ = perr->perr_len;	/* len already calculated */
763 	*frm++ = perr->perr_ttl;
764 	*frm++ = perr->perr_ndests;
765 	for (i = 0; i < perr->perr_ndests; i++) {
766 		*frm++ = PERR_DFLAGS(i);
767 		IEEE80211_ADDR_COPY(frm, PERR_DADDR(i));
768 		frm += 6;
769 		ADDWORD(frm, PERR_DSEQ(i));
770 		if (PERR_DFLAGS(i) & IEEE80211_MESHPERR_FLAGS_AE) {
771 			IEEE80211_ADDR_COPY(frm, PERR_EXTADDR(i));
772 			frm += 6;
773 		}
774 		ADDSHORT(frm, PERR_DRCODE(i));
775 	}
776 	return frm;
777 }
778 #undef	PERR_DFLAGS
779 #undef	PERR_DADDR
780 #undef	PERR_DSEQ
781 #undef	PERR_EXTADDR
782 #undef	PERR_DRCODE
783 
784 /*
785  * Add a Root Annoucement IE to a frame.
786  */
787 static uint8_t *
788 hwmp_add_meshrann(uint8_t *frm, const struct ieee80211_meshrann_ie *rann)
789 {
790 	*frm++ = IEEE80211_ELEMID_MESHRANN;
791 	*frm++ = rann->rann_len;
792 	*frm++ = rann->rann_flags;
793 	*frm++ = rann->rann_hopcount;
794 	*frm++ = rann->rann_ttl;
795 	IEEE80211_ADDR_COPY(frm, rann->rann_addr); frm += 6;
796 	ADDWORD(frm, rann->rann_seq);
797 	ADDWORD(frm, rann->rann_interval);
798 	ADDWORD(frm, rann->rann_metric);
799 	return frm;
800 }
801 
802 static void
803 hwmp_rootmode_setup(struct ieee80211vap *vap)
804 {
805 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
806 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
807 
808 	switch (hs->hs_rootmode) {
809 	case IEEE80211_HWMP_ROOTMODE_DISABLED:
810 		callout_drain(&hs->hs_roottimer);
811 		ms->ms_flags &= ~IEEE80211_MESHFLAGS_ROOT;
812 		break;
813 	case IEEE80211_HWMP_ROOTMODE_NORMAL:
814 	case IEEE80211_HWMP_ROOTMODE_PROACTIVE:
815 		callout_reset(&hs->hs_roottimer, ieee80211_hwmp_rootint,
816 		    hwmp_rootmode_cb, vap);
817 		ms->ms_flags |= IEEE80211_MESHFLAGS_ROOT;
818 		break;
819 	case IEEE80211_HWMP_ROOTMODE_RANN:
820 		callout_reset(&hs->hs_roottimer, ieee80211_hwmp_rannint,
821 		    hwmp_rootmode_rann_cb, vap);
822 		ms->ms_flags |= IEEE80211_MESHFLAGS_ROOT;
823 		break;
824 	}
825 }
826 
827 /*
828  * Send a broadcast Path Request to find all nodes on the mesh. We are
829  * called when the vap is configured as a HWMP root node.
830  */
831 #define	PREQ_TFLAGS(n)	preq.preq_targets[n].target_flags
832 #define	PREQ_TADDR(n)	preq.preq_targets[n].target_addr
833 #define	PREQ_TSEQ(n)	preq.preq_targets[n].target_seq
834 static void
835 hwmp_rootmode_cb(void *arg)
836 {
837 	struct ieee80211vap *vap = (struct ieee80211vap *)arg;
838 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
839 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
840 	struct ieee80211_meshpreq_ie preq;
841 
842 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, vap->iv_bss,
843 	    "%s", "send broadcast PREQ");
844 
845 	preq.preq_flags = 0;
846 	if (ms->ms_flags & IEEE80211_MESHFLAGS_GATE)
847 		preq.preq_flags |= IEEE80211_MESHPREQ_FLAGS_GATE;
848 	if (hs->hs_rootmode == IEEE80211_HWMP_ROOTMODE_PROACTIVE)
849 		preq.preq_flags |= IEEE80211_MESHPREQ_FLAGS_PP;
850 	preq.preq_hopcount = 0;
851 	preq.preq_ttl = ms->ms_ttl;
852 	preq.preq_id = ++hs->hs_preqid;
853 	IEEE80211_ADDR_COPY(preq.preq_origaddr, vap->iv_myaddr);
854 	preq.preq_origseq = ++hs->hs_seq;
855 	preq.preq_lifetime = ticks_to_msecs(ieee80211_hwmp_roottimeout);
856 	preq.preq_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
857 	preq.preq_tcount = 1;
858 	IEEE80211_ADDR_COPY(PREQ_TADDR(0), broadcastaddr);
859 	PREQ_TFLAGS(0) = IEEE80211_MESHPREQ_TFLAGS_TO |
860 	    IEEE80211_MESHPREQ_TFLAGS_USN;
861 	PREQ_TSEQ(0) = 0;
862 	vap->iv_stats.is_hwmp_rootreqs++;
863 	/* NB: we enforce rate check ourself */
864 	hwmp_send_preq(vap, broadcastaddr, &preq, NULL, NULL);
865 	hwmp_rootmode_setup(vap);
866 }
867 #undef	PREQ_TFLAGS
868 #undef	PREQ_TADDR
869 #undef	PREQ_TSEQ
870 
871 /*
872  * Send a Root Annoucement (RANN) to find all the nodes on the mesh. We are
873  * called when the vap is configured as a HWMP RANN root node.
874  */
875 static void
876 hwmp_rootmode_rann_cb(void *arg)
877 {
878 	struct ieee80211vap *vap = (struct ieee80211vap *)arg;
879 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
880 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
881 	struct ieee80211_meshrann_ie rann;
882 
883 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, vap->iv_bss,
884 	    "%s", "send broadcast RANN");
885 
886 	rann.rann_flags = 0;
887 	if (ms->ms_flags & IEEE80211_MESHFLAGS_GATE)
888 		rann.rann_flags |= IEEE80211_MESHFLAGS_GATE;
889 	rann.rann_hopcount = 0;
890 	rann.rann_ttl = ms->ms_ttl;
891 	IEEE80211_ADDR_COPY(rann.rann_addr, vap->iv_myaddr);
892 	rann.rann_seq = ++hs->hs_seq;
893 	rann.rann_interval = ieee80211_hwmp_rannint;
894 	rann.rann_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
895 
896 	vap->iv_stats.is_hwmp_rootrann++;
897 	hwmp_send_rann(vap, broadcastaddr, &rann);
898 	hwmp_rootmode_setup(vap);
899 }
900 
901 /*
902  * Update forwarding information to TA if metric improves.
903  */
904 static void
905 hwmp_update_transmitter(struct ieee80211vap *vap, struct ieee80211_node *ni,
906     const char *hwmp_frame)
907 {
908 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
909 	struct ieee80211_mesh_route *rttran = NULL;	/* Transmitter */
910 	int metric = 0;
911 
912 	rttran = ieee80211_mesh_rt_find(vap, ni->ni_macaddr);
913 	if (rttran == NULL) {
914 		rttran = ieee80211_mesh_rt_add(vap, ni->ni_macaddr);
915 		if (rttran == NULL) {
916 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
917 			    "unable to add path to transmitter %6D of %s",
918 			    ni->ni_macaddr, ":", hwmp_frame);
919 			vap->iv_stats.is_mesh_rtaddfailed++;
920 			return;
921 		}
922 	}
923 	metric = ms->ms_pmetric->mpm_metric(ni);
924 	if (!(rttran->rt_flags & IEEE80211_MESHRT_FLAGS_VALID) ||
925 	    rttran->rt_metric > metric)
926 	{
927 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
928 		    "%s path to transmitter %6D of %s, metric %d:%d",
929 		    rttran->rt_flags & IEEE80211_MESHRT_FLAGS_VALID ?
930 		    "prefer" : "update", ni->ni_macaddr, ":", hwmp_frame,
931 		    rttran->rt_metric, metric);
932 		IEEE80211_ADDR_COPY(rttran->rt_nexthop, ni->ni_macaddr);
933 		rttran->rt_metric = metric;
934 		rttran->rt_nhops  = 1;
935 		ieee80211_mesh_rt_update(rttran, ms->ms_ppath->mpp_inact);
936 		rttran->rt_flags = IEEE80211_MESHRT_FLAGS_VALID;
937 	}
938 }
939 
940 #define	PREQ_TFLAGS(n)	preq->preq_targets[n].target_flags
941 #define	PREQ_TADDR(n)	preq->preq_targets[n].target_addr
942 #define	PREQ_TSEQ(n)	preq->preq_targets[n].target_seq
943 static void
944 hwmp_recv_preq(struct ieee80211vap *vap, struct ieee80211_node *ni,
945     const struct ieee80211_frame *wh, const struct ieee80211_meshpreq_ie *preq)
946 {
947 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
948 	struct ieee80211_mesh_route *rtorig = NULL;
949 	struct ieee80211_mesh_route *rtorig_ext = NULL;
950 	struct ieee80211_mesh_route *rttarg = NULL;
951 	struct ieee80211_hwmp_route *hrorig = NULL;
952 	struct ieee80211_hwmp_route *hrtarg = NULL;
953 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
954 	ieee80211_hwmp_seq preqid;	/* last seen preqid for orig */
955 	uint32_t metric = 0;
956 
957 	/*
958 	 * Ignore PREQs from us. Could happen because someone forward it
959 	 * back to us.
960 	 */
961 	if (IEEE80211_ADDR_EQ(vap->iv_myaddr, preq->preq_origaddr))
962 		return;
963 
964 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
965 	    "received PREQ, orig %6D, targ(0) %6D", preq->preq_origaddr, ":",
966 	    PREQ_TADDR(0), ":");
967 
968 	/*
969 	 * Acceptance criteria: (if the PREQ is not for us or not broadcast,
970 	 * or an external mac address not proxied by us),
971 	 * AND forwarding is disabled, discard this PREQ.
972 	 */
973 	rttarg = ieee80211_mesh_rt_find(vap, PREQ_TADDR(0));
974 	if (!(ms->ms_flags & IEEE80211_MESHFLAGS_FWD) &&
975 	    (!IEEE80211_ADDR_EQ(vap->iv_myaddr, PREQ_TADDR(0)) ||
976 	    !IEEE80211_IS_MULTICAST(PREQ_TADDR(0)) ||
977 	    (rttarg != NULL &&
978 	    rttarg->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY &&
979 	    IEEE80211_ADDR_EQ(vap->iv_myaddr, rttarg->rt_mesh_gate)))) {
980 		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_HWMP,
981 		    preq->preq_origaddr, NULL, "%s", "not accepting PREQ");
982 		return;
983 	}
984 	/*
985 	 * Acceptance criteria: if unicast addressed
986 	 * AND no valid forwarding for Target of PREQ, discard this PREQ.
987 	 */
988 	if(rttarg != NULL)
989 		hrtarg = IEEE80211_MESH_ROUTE_PRIV(rttarg,
990 		    struct ieee80211_hwmp_route);
991 	/* Address mode: ucast */
992 	if(preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_AM &&
993 	    rttarg == NULL &&
994 	    !IEEE80211_ADDR_EQ(vap->iv_myaddr, PREQ_TADDR(0))) {
995 		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_HWMP,
996 		    preq->preq_origaddr, NULL,
997 		    "unicast addressed PREQ of unknown target %6D",
998 		    PREQ_TADDR(0), ":");
999 		return;
1000 	}
1001 
1002 	/* PREQ ACCEPTED */
1003 
1004 	rtorig = ieee80211_mesh_rt_find(vap, preq->preq_origaddr);
1005 	if (rtorig == NULL) {
1006 		rtorig = ieee80211_mesh_rt_add(vap, preq->preq_origaddr);
1007 		if (rtorig == NULL) {
1008 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1009 			    "unable to add orig path to %6D",
1010 			    preq->preq_origaddr, ":");
1011 			vap->iv_stats.is_mesh_rtaddfailed++;
1012 			return;
1013 		}
1014 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1015 		    "adding originator %6D", preq->preq_origaddr, ":");
1016 	}
1017 	hrorig = IEEE80211_MESH_ROUTE_PRIV(rtorig, struct ieee80211_hwmp_route);
1018 
1019 	/* record last seen preqid */
1020 	preqid = hrorig->hr_preqid;
1021 	hrorig->hr_preqid = HWMP_SEQ_MAX(hrorig->hr_preqid, preq->preq_id);
1022 
1023 	/* Data creation and update of forwarding information
1024 	 * according to Table 11C-8 for originator mesh STA.
1025 	 */
1026 	metric = preq->preq_metric + ms->ms_pmetric->mpm_metric(ni);
1027 	if (HWMP_SEQ_GT(preq->preq_origseq, hrorig->hr_seq) ||
1028 	    (HWMP_SEQ_EQ(preq->preq_origseq, hrorig->hr_seq) &&
1029 	    metric < rtorig->rt_metric)) {
1030 		hrorig->hr_seq = preq->preq_origseq;
1031 		IEEE80211_ADDR_COPY(rtorig->rt_nexthop, wh->i_addr2);
1032 		rtorig->rt_metric = metric;
1033 		rtorig->rt_nhops  = preq->preq_hopcount + 1;
1034 		ieee80211_mesh_rt_update(rtorig, preq->preq_lifetime);
1035 		/* Path to orig is valid now.
1036 		 * NB: we know it can't be Proxy, and if it is GATE
1037 		 * it will be marked below.
1038 		 */
1039 		rtorig->rt_flags = IEEE80211_MESHRT_FLAGS_VALID;
1040 	} else if ((hrtarg != NULL &&
1041 	    !HWMP_SEQ_EQ(hrtarg->hr_seq, PREQ_TSEQ(0))) ||
1042 	    (rtorig->rt_flags & IEEE80211_MESHRT_FLAGS_VALID &&
1043 	    preqid >= preq->preq_id)) {
1044 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1045 		    "discard PREQ from %6D, old seqno %u <= %u,"
1046 		    " or old preqid %u < %u",
1047 		    preq->preq_origaddr, ":",
1048 		    preq->preq_origseq, hrorig->hr_seq,
1049 		    preq->preq_id, preqid);
1050 		return;
1051 	}
1052 
1053 	/* Update forwarding information to TA if metric improves. */
1054 	hwmp_update_transmitter(vap, ni, "PREQ");
1055 
1056 	/*
1057 	 * Check if the PREQ is addressed to us.
1058 	 * or a Proxy currently gated by us.
1059 	 */
1060 	if (IEEE80211_ADDR_EQ(vap->iv_myaddr, PREQ_TADDR(0)) ||
1061 	    (ms->ms_flags & IEEE80211_MESHFLAGS_GATE &&
1062 	    rttarg != NULL &&
1063 	    IEEE80211_ADDR_EQ(vap->iv_myaddr, rttarg->rt_mesh_gate) &&
1064 	    rttarg->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY &&
1065 	    rttarg->rt_flags & IEEE80211_MESHRT_FLAGS_VALID)) {
1066 		struct ieee80211_meshprep_ie prep;
1067 
1068 		/*
1069 		 * When we are the target we shall update our own HWMP seq
1070 		 * number with max of (current and preq->seq) + 1
1071 		 */
1072 		hs->hs_seq = HWMP_SEQ_MAX(hs->hs_seq, PREQ_TSEQ(0)) + 1;
1073 
1074 		prep.prep_flags = 0;
1075 		prep.prep_hopcount = 0;
1076 		prep.prep_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
1077 		IEEE80211_ADDR_COPY(prep.prep_targetaddr, vap->iv_myaddr);
1078 		if (rttarg != NULL && /* if NULL it means we are the target */
1079 		    rttarg->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY) {
1080 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1081 			    "reply for proxy %6D", rttarg->rt_dest, ":");
1082 			prep.prep_flags |= IEEE80211_MESHPREP_FLAGS_AE;
1083 			IEEE80211_ADDR_COPY(prep.prep_target_ext_addr,
1084 			    rttarg->rt_dest);
1085 			/* update proxy seqno to HWMP seqno */
1086 			rttarg->rt_ext_seq = hs->hs_seq;
1087 			prep.prep_hopcount = rttarg->rt_nhops;
1088 			prep.prep_metric = rttarg->rt_metric;
1089 			IEEE80211_ADDR_COPY(prep.prep_targetaddr, rttarg->rt_mesh_gate);
1090 		}
1091 		/*
1092 		 * Build and send a PREP frame.
1093 		 */
1094 		prep.prep_ttl = ms->ms_ttl;
1095 		prep.prep_targetseq = hs->hs_seq;
1096 		prep.prep_lifetime = preq->preq_lifetime;
1097 		IEEE80211_ADDR_COPY(prep.prep_origaddr, preq->preq_origaddr);
1098 		prep.prep_origseq = preq->preq_origseq;
1099 
1100 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1101 		    "reply to %6D", preq->preq_origaddr, ":");
1102 		hwmp_send_prep(vap, wh->i_addr2, &prep);
1103 		return;
1104 	}
1105 	/* we may update our proxy information for the orig external */
1106 	else if (preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_AE) {
1107 		rtorig_ext =
1108 		    ieee80211_mesh_rt_find(vap, preq->preq_orig_ext_addr);
1109 		if (rtorig_ext == NULL) {
1110 			rtorig_ext = ieee80211_mesh_rt_add(vap,
1111 			    preq->preq_orig_ext_addr);
1112 			if (rtorig_ext == NULL) {
1113 				IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1114 				    "unable to add orig ext proxy to %6D",
1115 				    preq->preq_orig_ext_addr, ":");
1116 				vap->iv_stats.is_mesh_rtaddfailed++;
1117 				return;
1118 			}
1119 			IEEE80211_ADDR_COPY(rtorig_ext->rt_mesh_gate,
1120 			    preq->preq_origaddr);
1121 		}
1122 		rtorig_ext->rt_ext_seq = preq->preq_origseq;
1123 		ieee80211_mesh_rt_update(rtorig_ext, preq->preq_lifetime);
1124 	}
1125 	/*
1126 	 * Proactive PREQ: reply with a proactive PREP to the
1127 	 * root STA if requested.
1128 	 */
1129 	if (IEEE80211_ADDR_EQ(PREQ_TADDR(0), broadcastaddr) &&
1130 	    (PREQ_TFLAGS(0) & IEEE80211_MESHPREQ_TFLAGS_TO)) {
1131 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1132 		    "root mesh station @ %6D", preq->preq_origaddr, ":");
1133 
1134 		/* Check if root is a mesh gate, mark it */
1135 		if (preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_GATE) {
1136 			struct ieee80211_mesh_gate_route *gr;
1137 
1138 			rtorig->rt_flags |= IEEE80211_MESHRT_FLAGS_GATE;
1139 			gr = ieee80211_mesh_mark_gate(vap, preq->preq_origaddr,
1140 			    rtorig);
1141 			gr->gr_lastseq = 0; /* NOT GANN */
1142 		}
1143 
1144 		/*
1145 		 * Reply with a PREP if we don't have a path to the root
1146 		 * or if the root sent us a proactive PREQ.
1147 		 */
1148 		if ((rtorig->rt_flags & IEEE80211_MESHRT_FLAGS_VALID) == 0 ||
1149 		    (preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_PP)) {
1150 			struct ieee80211_meshprep_ie prep;
1151 
1152 			prep.prep_flags = 0;
1153 			prep.prep_hopcount = 0;
1154 			prep.prep_ttl = ms->ms_ttl;
1155 			IEEE80211_ADDR_COPY(prep.prep_origaddr,
1156 			    preq->preq_origaddr);
1157 			prep.prep_origseq = preq->preq_origseq;
1158 			prep.prep_lifetime = preq->preq_lifetime;
1159 			prep.prep_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
1160 			IEEE80211_ADDR_COPY(prep.prep_targetaddr,
1161 			    vap->iv_myaddr);
1162 			prep.prep_targetseq = ++hs->hs_seq;
1163 			hwmp_send_prep(vap, rtorig->rt_nexthop, &prep);
1164 		}
1165 	}
1166 
1167 	/*
1168 	 * Forwarding and Intermediate reply for PREQs with 1 target.
1169 	 */
1170 	if ((preq->preq_tcount == 1) && (preq->preq_ttl > 1) &&
1171 	    (ms->ms_flags & IEEE80211_MESHFLAGS_FWD)) {
1172 		struct ieee80211_meshpreq_ie ppreq; /* propagated PREQ */
1173 
1174 		memcpy(&ppreq, preq, sizeof(ppreq));
1175 
1176 		/*
1177 		 * We have a valid route to this node.
1178 		 * NB: if target is proxy dont reply.
1179 		 */
1180 		if (rttarg != NULL &&
1181 		    rttarg->rt_flags & IEEE80211_MESHRT_FLAGS_VALID &&
1182 		    !(rttarg->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY)) {
1183 			/*
1184 			 * Check if we can send an intermediate Path Reply,
1185 			 * i.e., Target Only bit is not set and target is not
1186 			 * the MAC broadcast address.
1187 			 */
1188 			if (!(PREQ_TFLAGS(0) & IEEE80211_MESHPREQ_TFLAGS_TO) &&
1189 			    !IEEE80211_ADDR_EQ(PREQ_TADDR(0), broadcastaddr)) {
1190 				struct ieee80211_meshprep_ie prep;
1191 
1192 				IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1193 				    "intermediate reply for PREQ from %6D",
1194 				    preq->preq_origaddr, ":");
1195 				prep.prep_flags = 0;
1196 				prep.prep_hopcount = rttarg->rt_nhops;
1197 				prep.prep_ttl = ms->ms_ttl;
1198 				IEEE80211_ADDR_COPY(&prep.prep_targetaddr,
1199 				    PREQ_TADDR(0));
1200 				prep.prep_targetseq = hrtarg->hr_seq;
1201 				prep.prep_lifetime = preq->preq_lifetime;
1202 				prep.prep_metric =rttarg->rt_metric;
1203 				IEEE80211_ADDR_COPY(&prep.prep_origaddr,
1204 				    preq->preq_origaddr);
1205 				prep.prep_origseq = hrorig->hr_seq;
1206 				hwmp_send_prep(vap, rtorig->rt_nexthop, &prep);
1207 
1208 				/*
1209 				 * Set TO and unset RF bits because we have
1210 				 * sent a PREP.
1211 				 */
1212 				ppreq.preq_targets[0].target_flags |=
1213 				    IEEE80211_MESHPREQ_TFLAGS_TO;
1214 			}
1215 		}
1216 
1217 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1218 		    "forward PREQ from %6D",
1219 		    preq->preq_origaddr, ":");
1220 		ppreq.preq_hopcount += 1;
1221 		ppreq.preq_ttl -= 1;
1222 		ppreq.preq_metric += ms->ms_pmetric->mpm_metric(ni);
1223 
1224 		/* don't do PREQ ratecheck when we propagate */
1225 		hwmp_send_preq(vap, broadcastaddr, &ppreq, NULL, NULL);
1226 	}
1227 }
1228 #undef	PREQ_TFLAGS
1229 #undef	PREQ_TADDR
1230 #undef	PREQ_TSEQ
1231 
1232 static int
1233 hwmp_send_preq(struct ieee80211vap *vap,
1234     const uint8_t da[IEEE80211_ADDR_LEN],
1235     struct ieee80211_meshpreq_ie *preq,
1236     struct timeval *last, struct timeval *minint)
1237 {
1238 
1239 	/*
1240 	 * Enforce PREQ interval.
1241 	 * NB: Proactive ROOT PREQs rate is handled by cb task.
1242 	 */
1243 	if (last != NULL && minint != NULL) {
1244 		if (ratecheck(last, minint) == 0)
1245 			return EALREADY; /* XXX: we should postpone */
1246 		getmicrouptime(last);
1247 	}
1248 
1249 	/*
1250 	 * mesh preq action frame format
1251 	 *     [6] da
1252 	 *     [6] sa
1253 	 *     [6] addr3 = sa
1254 	 *     [1] action
1255 	 *     [1] category
1256 	 *     [tlv] mesh path request
1257 	 */
1258 	preq->preq_ie = IEEE80211_ELEMID_MESHPREQ;
1259 	preq->preq_len = (preq->preq_flags & IEEE80211_MESHPREQ_FLAGS_AE ?
1260 	    IEEE80211_MESHPREQ_BASE_SZ_AE : IEEE80211_MESHPREQ_BASE_SZ) +
1261 	    preq->preq_tcount * IEEE80211_MESHPREQ_TRGT_SZ;
1262 	return hwmp_send_action(vap, da, (uint8_t *)preq, preq->preq_len+2);
1263 }
1264 
1265 static void
1266 hwmp_recv_prep(struct ieee80211vap *vap, struct ieee80211_node *ni,
1267     const struct ieee80211_frame *wh, const struct ieee80211_meshprep_ie *prep)
1268 {
1269 #define	IS_PROXY(rt)	(rt->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY)
1270 #define	PROXIED_BY_US(rt)		\
1271     (IEEE80211_ADDR_EQ(vap->iv_myaddr, rt->rt_mesh_gate))
1272 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1273 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
1274 	struct ieee80211_mesh_route *rt = NULL;
1275 	struct ieee80211_mesh_route *rtorig = NULL;
1276 	struct ieee80211_mesh_route *rtext = NULL;
1277 	struct ieee80211_hwmp_route *hr;
1278 	struct ieee80211com *ic = vap->iv_ic;
1279 	struct mbuf *m, *next;
1280 	uint32_t metric = 0;
1281 	const uint8_t *addr;
1282 
1283 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1284 	    "received PREP, orig %6D, targ %6D", prep->prep_origaddr, ":",
1285 	    prep->prep_targetaddr, ":");
1286 
1287 	/*
1288 	 * Acceptance criteria: (If the corresponding PREP was not generated
1289 	 * by us OR not generated by an external mac that is not proxied by us)
1290 	 * AND forwarding is disabled, discard this PREP.
1291 	 */
1292 	rtorig = ieee80211_mesh_rt_find(vap, prep->prep_origaddr);
1293 	if ((!IEEE80211_ADDR_EQ(vap->iv_myaddr, prep->prep_origaddr) ||
1294 	    (rtorig != NULL && IS_PROXY(rtorig) && !PROXIED_BY_US(rtorig))) &&
1295 	    !(ms->ms_flags & IEEE80211_MESHFLAGS_FWD)){
1296 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1297 		    "discard PREP, orig(%6D) not proxied or generated by us",
1298 		    prep->prep_origaddr, ":");
1299 		return;
1300 	}
1301 
1302 	/* PREP ACCEPTED */
1303 
1304 	/*
1305 	 * If accepted shall create or update the active forwarding information
1306 	 * it maintains for the target mesh STA of the PREP (according to the
1307 	 * rules defined in 13.10.8.4). If the conditions for creating or
1308 	 * updating the forwarding information have not been met in those
1309 	 * rules, no further steps are applied to the PREP.
1310 	 */
1311 	rt = ieee80211_mesh_rt_find(vap, prep->prep_targetaddr);
1312 	if (rt == NULL) {
1313 		rt = ieee80211_mesh_rt_add(vap, prep->prep_targetaddr);
1314 		if (rt == NULL) {
1315 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1316 			    "unable to add PREP path to %6D",
1317 			    prep->prep_targetaddr, ":");
1318 			vap->iv_stats.is_mesh_rtaddfailed++;
1319 			return;
1320 		}
1321 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1322 		    "adding target %6D", prep->prep_targetaddr, ":");
1323 	}
1324 	hr = IEEE80211_MESH_ROUTE_PRIV(rt, struct ieee80211_hwmp_route);
1325 	/* update path metric */
1326 	metric = prep->prep_metric + ms->ms_pmetric->mpm_metric(ni);
1327 	if ((rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID)) {
1328 		if (HWMP_SEQ_LT(prep->prep_targetseq, hr->hr_seq)) {
1329 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1330 			    "discard PREP from %6D, old seq no %u < %u",
1331 			    prep->prep_targetaddr, ":",
1332 			    prep->prep_targetseq, hr->hr_seq);
1333 			return;
1334 		} else if (HWMP_SEQ_LEQ(prep->prep_targetseq, hr->hr_seq) &&
1335 		    metric > rt->rt_metric) {
1336 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1337 			    "discard PREP from %6D, new metric %u > %u",
1338 			    prep->prep_targetaddr, ":",
1339 			    metric, rt->rt_metric);
1340 			return;
1341 		}
1342 	}
1343 
1344 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1345 	    "%s path to %6D, hopcount %d:%d metric %d:%d",
1346 	    rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID ?
1347 	    "prefer" : "update",
1348 	    prep->prep_targetaddr, ":",
1349 	    rt->rt_nhops, prep->prep_hopcount + 1,
1350 	    rt->rt_metric, metric);
1351 
1352 	hr->hr_seq = prep->prep_targetseq;
1353 	hr->hr_preqretries = 0;
1354 	IEEE80211_ADDR_COPY(rt->rt_nexthop, ni->ni_macaddr);
1355 	rt->rt_metric = metric;
1356 	rt->rt_nhops = prep->prep_hopcount + 1;
1357 	ieee80211_mesh_rt_update(rt, prep->prep_lifetime);
1358 	if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_DISCOVER) {
1359 		/* discovery complete */
1360 		rt->rt_flags &= ~IEEE80211_MESHRT_FLAGS_DISCOVER;
1361 	}
1362 	rt->rt_flags |= IEEE80211_MESHRT_FLAGS_VALID; /* mark valid */
1363 
1364 	/* Update forwarding information to TA if metric improves */
1365 	hwmp_update_transmitter(vap, ni, "PREP");
1366 
1367 	/*
1368 	 * If it's NOT for us, propagate the PREP
1369 	 */
1370 	if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, prep->prep_origaddr) &&
1371 	    prep->prep_ttl > 1 &&
1372 	    prep->prep_hopcount < hs->hs_maxhops) {
1373 		struct ieee80211_meshprep_ie pprep; /* propagated PREP */
1374 		/*
1375 		 * NB: We should already have setup the path to orig
1376 		 * mesh STA when we propagated PREQ to target mesh STA,
1377 		 * no PREP is generated without a corresponding PREQ.
1378 		 * XXX: for now just ignore.
1379 		 */
1380 		if (rtorig == NULL) {
1381 			IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1382 			    "received PREP for an unknown orig(%6D)",
1383 			    prep->prep_origaddr, ":");
1384 			return;
1385 		}
1386 
1387 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1388 		    "propagate PREP from %6D",
1389 		    prep->prep_targetaddr, ":");
1390 
1391 		memcpy(&pprep, prep, sizeof(pprep));
1392 		pprep.prep_hopcount += 1;
1393 		pprep.prep_ttl -= 1;
1394 		pprep.prep_metric += ms->ms_pmetric->mpm_metric(ni);
1395 		hwmp_send_prep(vap, rtorig->rt_nexthop, &pprep);
1396 
1397 		/* precursor list for the Target Mesh STA Address is updated */
1398 	}
1399 
1400 	/*
1401 	 * Check if we received a PREP w/ AE and store target external address.
1402 	 * We may store target external address if recevied PREP w/ AE
1403 	 * and we are not final destination
1404 	 */
1405 	if (prep->prep_flags & IEEE80211_MESHPREP_FLAGS_AE) {
1406 		rtext = ieee80211_mesh_rt_find(vap,
1407 			prep->prep_target_ext_addr);
1408 		if (rtext == NULL) {
1409 			rtext = ieee80211_mesh_rt_add(vap,
1410 				prep->prep_target_ext_addr);
1411 			if (rtext == NULL) {
1412 				IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1413 				    "unable to add PREP path to proxy %6D",
1414 				    prep->prep_targetaddr, ":");
1415 				vap->iv_stats.is_mesh_rtaddfailed++;
1416 				return;
1417 			}
1418 		}
1419 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1420 		    "%s path to %6D, hopcount %d:%d metric %d:%d",
1421 		    rtext->rt_flags & IEEE80211_MESHRT_FLAGS_VALID ?
1422 		    "prefer" : "update",
1423 		    prep->prep_target_ext_addr, ":",
1424 		    rtext->rt_nhops, prep->prep_hopcount + 1,
1425 		    rtext->rt_metric, metric);
1426 
1427 		rtext->rt_flags = IEEE80211_MESHRT_FLAGS_PROXY |
1428 			IEEE80211_MESHRT_FLAGS_VALID;
1429 		IEEE80211_ADDR_COPY(rtext->rt_dest,
1430 		    prep->prep_target_ext_addr);
1431 		IEEE80211_ADDR_COPY(rtext->rt_mesh_gate,
1432 		    prep->prep_targetaddr);
1433 		IEEE80211_ADDR_COPY(rtext->rt_nexthop, wh->i_addr2);
1434 		rtext->rt_metric = metric;
1435 		rtext->rt_lifetime = prep->prep_lifetime;
1436 		rtext->rt_nhops = prep->prep_hopcount + 1;
1437 		rtext->rt_ext_seq = prep->prep_origseq; /* new proxy seq */
1438 		/*
1439 		 * XXX: proxy entries have no HWMP priv data,
1440 		 * nullify them to be sure?
1441 		 */
1442 	}
1443 	/*
1444 	 * Check for frames queued awaiting path discovery.
1445 	 * XXX probably can tell exactly and avoid remove call
1446 	 * NB: hash may have false matches, if so they will get
1447 	 *     stuck back on the stageq because there won't be
1448 	 *     a path.
1449 	 */
1450 	addr = prep->prep_flags & IEEE80211_MESHPREP_FLAGS_AE ?
1451 	    prep->prep_target_ext_addr : prep->prep_targetaddr;
1452 	m = ieee80211_ageq_remove(&ic->ic_stageq,
1453 	    (struct ieee80211_node *)(uintptr_t)
1454 	    ieee80211_mac_hash(ic, addr)); /* either dest or ext_dest */
1455 
1456 	/*
1457 	 * All frames in the stageq here should be non-M_ENCAP; or things
1458 	 * will get very unhappy.
1459 	 */
1460 	for (; m != NULL; m = next) {
1461 		next = m->m_nextpkt;
1462 		m->m_nextpkt = NULL;
1463 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1464 		    "flush queued frame %p len %d", m, m->m_pkthdr.len);
1465 		/*
1466 		 * If the mbuf has M_ENCAP set, ensure we free it.
1467 		 * Note that after if_transmit() is called, m is invalid.
1468 		 */
1469 		(void) ieee80211_vap_xmitpkt(vap, m);
1470 	}
1471 #undef	IS_PROXY
1472 #undef	PROXIED_BY_US
1473 }
1474 
1475 static int
1476 hwmp_send_prep(struct ieee80211vap *vap,
1477     const uint8_t da[IEEE80211_ADDR_LEN],
1478     struct ieee80211_meshprep_ie *prep)
1479 {
1480 	/* NB: there's no PREP minimum interval. */
1481 
1482 	/*
1483 	 * mesh prep action frame format
1484 	 *     [6] da
1485 	 *     [6] sa
1486 	 *     [6] addr3 = sa
1487 	 *     [1] action
1488 	 *     [1] category
1489 	 *     [tlv] mesh path reply
1490 	 */
1491 	prep->prep_ie = IEEE80211_ELEMID_MESHPREP;
1492 	prep->prep_len = prep->prep_flags & IEEE80211_MESHPREP_FLAGS_AE ?
1493 	    IEEE80211_MESHPREP_BASE_SZ_AE : IEEE80211_MESHPREP_BASE_SZ;
1494 	return hwmp_send_action(vap, da, (uint8_t *)prep, prep->prep_len + 2);
1495 }
1496 
1497 #define	PERR_DFLAGS(n)	perr.perr_dests[n].dest_flags
1498 #define	PERR_DADDR(n)	perr.perr_dests[n].dest_addr
1499 #define	PERR_DSEQ(n)	perr.perr_dests[n].dest_seq
1500 #define	PERR_DRCODE(n)	perr.perr_dests[n].dest_rcode
1501 static void
1502 hwmp_peerdown(struct ieee80211_node *ni)
1503 {
1504 	struct ieee80211vap *vap = ni->ni_vap;
1505 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1506 	struct ieee80211_meshperr_ie perr;
1507 	struct ieee80211_mesh_route *rt;
1508 	struct ieee80211_hwmp_route *hr;
1509 
1510 	rt = ieee80211_mesh_rt_find(vap, ni->ni_macaddr);
1511 	if (rt == NULL)
1512 		return;
1513 	hr = IEEE80211_MESH_ROUTE_PRIV(rt, struct ieee80211_hwmp_route);
1514 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1515 	    "%s", "delete route entry");
1516 	perr.perr_ttl = ms->ms_ttl;
1517 	perr.perr_ndests = 1;
1518 	PERR_DFLAGS(0) = 0;
1519 	if (hr->hr_seq == 0)
1520 		PERR_DFLAGS(0) |= IEEE80211_MESHPERR_DFLAGS_USN;
1521 	PERR_DFLAGS(0) |= IEEE80211_MESHPERR_DFLAGS_RC;
1522 	IEEE80211_ADDR_COPY(PERR_DADDR(0), rt->rt_dest);
1523 	PERR_DSEQ(0) = ++hr->hr_seq;
1524 	PERR_DRCODE(0) = IEEE80211_REASON_MESH_PERR_DEST_UNREACH;
1525 	/* NB: flush everything passing through peer */
1526 	ieee80211_mesh_rt_flush_peer(vap, ni->ni_macaddr);
1527 	hwmp_send_perr(vap, broadcastaddr, &perr);
1528 }
1529 #undef	PERR_DFLAGS
1530 #undef	PERR_DADDR
1531 #undef	PERR_DSEQ
1532 #undef	PERR_DRCODE
1533 
1534 #define	PERR_DFLAGS(n)		perr->perr_dests[n].dest_flags
1535 #define	PERR_DADDR(n)		perr->perr_dests[n].dest_addr
1536 #define	PERR_DSEQ(n)		perr->perr_dests[n].dest_seq
1537 #define	PERR_DEXTADDR(n)	perr->perr_dests[n].dest_ext_addr
1538 static void
1539 hwmp_recv_perr(struct ieee80211vap *vap, struct ieee80211_node *ni,
1540     const struct ieee80211_frame *wh, const struct ieee80211_meshperr_ie *perr)
1541 {
1542 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1543 	struct ieee80211_mesh_route *rt = NULL;
1544 	struct ieee80211_mesh_route *rt_ext = NULL;
1545 	struct ieee80211_hwmp_route *hr;
1546 	struct ieee80211_meshperr_ie *pperr = NULL;
1547 	int i, j = 0, forward = 0;
1548 
1549 	IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1550 	    "received PERR from %6D", wh->i_addr2, ":");
1551 
1552 	/*
1553 	 * if forwarding is true, prepare pperr
1554 	 */
1555 	if (ms->ms_flags & IEEE80211_MESHFLAGS_FWD) {
1556 		forward = 1;
1557 		pperr = IEEE80211_MALLOC(sizeof(*perr) + 31*sizeof(*perr->perr_dests),
1558 		    M_80211_MESH_PERR, IEEE80211_M_NOWAIT); /* XXX: magic number, 32 err dests */
1559 	}
1560 
1561 	/*
1562 	 * Acceptance criteria: check if we have forwarding information
1563 	 * stored about destination, and that nexthop == TA of this PERR.
1564 	 * NB: we also build a new PERR to propagate in case we should forward.
1565 	 */
1566 	for (i = 0; i < perr->perr_ndests; i++) {
1567 		rt = ieee80211_mesh_rt_find(vap, PERR_DADDR(i));
1568 		if (rt == NULL)
1569 			continue;
1570 		if (!IEEE80211_ADDR_EQ(rt->rt_nexthop, wh->i_addr2))
1571 			continue;
1572 
1573 		/* found and accepted a PERR ndest element, process it... */
1574 		if (forward)
1575 			memcpy(&pperr->perr_dests[j], &perr->perr_dests[i],
1576 			    sizeof(*perr->perr_dests));
1577 		hr = IEEE80211_MESH_ROUTE_PRIV(rt, struct ieee80211_hwmp_route);
1578 		switch(PERR_DFLAGS(i)) {
1579 		case (IEEE80211_REASON_MESH_PERR_NO_FI):
1580 			if (PERR_DSEQ(i) == 0) {
1581 				hr->hr_seq++;
1582 				if (forward) {
1583 					pperr->perr_dests[j].dest_seq =
1584 					    hr->hr_seq;
1585 				}
1586 			} else {
1587 				hr->hr_seq = PERR_DSEQ(i);
1588 			}
1589 			rt->rt_flags &= ~IEEE80211_MESHRT_FLAGS_VALID;
1590 			j++;
1591 			break;
1592 		case (IEEE80211_REASON_MESH_PERR_DEST_UNREACH):
1593 			if(HWMP_SEQ_GT(PERR_DSEQ(i), hr->hr_seq)) {
1594 				hr->hr_seq = PERR_DSEQ(i);
1595 				rt->rt_flags &= ~IEEE80211_MESHRT_FLAGS_VALID;
1596 				j++;
1597 			}
1598 			break;
1599 		case (IEEE80211_REASON_MESH_PERR_NO_PROXY):
1600 			rt_ext = ieee80211_mesh_rt_find(vap, PERR_DEXTADDR(i));
1601 			if (rt_ext != NULL) {
1602 				rt_ext->rt_flags &=
1603 				    ~IEEE80211_MESHRT_FLAGS_VALID;
1604 				j++;
1605 			}
1606 			break;
1607 		default:
1608 			IEEE80211_DISCARD(vap, IEEE80211_MSG_HWMP, wh, NULL,
1609 			    "PERR, unknown reason code %u\n", PERR_DFLAGS(i));
1610 			goto done; /* XXX: stats?? */
1611 		}
1612 		ieee80211_mesh_rt_flush_peer(vap, PERR_DADDR(i));
1613 		KASSERT(j < 32, ("PERR, error ndest >= 32 (%u)", j));
1614 	}
1615 	if (j == 0) {
1616 		IEEE80211_DISCARD(vap, IEEE80211_MSG_HWMP, wh, NULL, "%s",
1617 		    "PERR not accepted");
1618 		goto done; /* XXX: stats?? */
1619 	}
1620 
1621 	/*
1622 	 * Propagate the PERR if we previously found it on our routing table.
1623 	 */
1624 	if (forward && perr->perr_ttl > 1) {
1625 		IEEE80211_NOTE(vap, IEEE80211_MSG_HWMP, ni,
1626 		    "propagate PERR from %6D", wh->i_addr2, ":");
1627 		pperr->perr_ndests = j;
1628 		pperr->perr_ttl--;
1629 		hwmp_send_perr(vap, broadcastaddr, pperr);
1630 	}
1631 done:
1632 	if (pperr != NULL)
1633 		IEEE80211_FREE(pperr, M_80211_MESH_PERR);
1634 }
1635 #undef	PERR_DFLAGS
1636 #undef	PERR_DADDR
1637 #undef	PERR_DSEQ
1638 #undef	PERR_DEXTADDR
1639 
1640 static int
1641 hwmp_send_perr(struct ieee80211vap *vap,
1642     const uint8_t da[IEEE80211_ADDR_LEN],
1643     struct ieee80211_meshperr_ie *perr)
1644 {
1645 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
1646 	int i;
1647 	uint8_t length = 0;
1648 
1649 	/*
1650 	 * Enforce PERR interval.
1651 	 */
1652 	if (ratecheck(&hs->hs_lastperr, &ieee80211_hwmp_perrminint) == 0)
1653 		return EALREADY;
1654 	getmicrouptime(&hs->hs_lastperr);
1655 
1656 	/*
1657 	 * mesh perr action frame format
1658 	 *     [6] da
1659 	 *     [6] sa
1660 	 *     [6] addr3 = sa
1661 	 *     [1] action
1662 	 *     [1] category
1663 	 *     [tlv] mesh path error
1664 	 */
1665 	perr->perr_ie = IEEE80211_ELEMID_MESHPERR;
1666 	length = IEEE80211_MESHPERR_BASE_SZ;
1667 	for (i = 0; i<perr->perr_ndests; i++) {
1668 		if (perr->perr_dests[i].dest_flags &
1669 		    IEEE80211_MESHPERR_FLAGS_AE) {
1670 			length += IEEE80211_MESHPERR_DEST_SZ_AE;
1671 			continue ;
1672 		}
1673 		length += IEEE80211_MESHPERR_DEST_SZ;
1674 	}
1675 	perr->perr_len =length;
1676 	return hwmp_send_action(vap, da, (uint8_t *)perr, perr->perr_len+2);
1677 }
1678 
1679 /*
1680  * Called from the rest of the net80211 code (mesh code for example).
1681  * NB: IEEE80211_REASON_MESH_PERR_DEST_UNREACH can be trigger by the fact that
1682  * a mesh STA is unable to forward an MSDU/MMPDU to a next-hop mesh STA.
1683  */
1684 #define	PERR_DFLAGS(n)		perr.perr_dests[n].dest_flags
1685 #define	PERR_DADDR(n)		perr.perr_dests[n].dest_addr
1686 #define	PERR_DSEQ(n)		perr.perr_dests[n].dest_seq
1687 #define	PERR_DEXTADDR(n)	perr.perr_dests[n].dest_ext_addr
1688 #define	PERR_DRCODE(n)		perr.perr_dests[n].dest_rcode
1689 static void
1690 hwmp_senderror(struct ieee80211vap *vap,
1691     const uint8_t addr[IEEE80211_ADDR_LEN],
1692     struct ieee80211_mesh_route *rt, int rcode)
1693 {
1694 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1695 	struct ieee80211_hwmp_route *hr = NULL;
1696 	struct ieee80211_meshperr_ie perr;
1697 
1698 	if (rt != NULL)
1699 		hr = IEEE80211_MESH_ROUTE_PRIV(rt,
1700 		    struct ieee80211_hwmp_route);
1701 
1702 	perr.perr_ndests = 1;
1703 	perr.perr_ttl = ms->ms_ttl;
1704 	PERR_DFLAGS(0) = 0;
1705 	PERR_DRCODE(0) = rcode;
1706 
1707 	switch (rcode) {
1708 	case IEEE80211_REASON_MESH_PERR_NO_FI:
1709 		IEEE80211_ADDR_COPY(PERR_DADDR(0), addr);
1710 		PERR_DSEQ(0) = 0; /* reserved */
1711 		break;
1712 	case IEEE80211_REASON_MESH_PERR_NO_PROXY:
1713 		KASSERT(rt != NULL, ("no proxy info for sending PERR"));
1714 		KASSERT(rt->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY,
1715 		    ("route is not marked proxy"));
1716 		PERR_DFLAGS(0) |= IEEE80211_MESHPERR_FLAGS_AE;
1717 		IEEE80211_ADDR_COPY(PERR_DADDR(0), vap->iv_myaddr);
1718 		PERR_DSEQ(0) = rt->rt_ext_seq;
1719 		IEEE80211_ADDR_COPY(PERR_DEXTADDR(0), addr);
1720 		break;
1721 	case IEEE80211_REASON_MESH_PERR_DEST_UNREACH:
1722 		KASSERT(rt != NULL, ("no route info for sending PERR"));
1723 		IEEE80211_ADDR_COPY(PERR_DADDR(0), addr);
1724 		PERR_DSEQ(0) = hr->hr_seq;
1725 		break;
1726 	default:
1727 		KASSERT(0, ("unknown reason code for HWMP PERR (%u)", rcode));
1728 	}
1729 	hwmp_send_perr(vap, broadcastaddr, &perr);
1730 }
1731 #undef	PERR_DFLAGS
1732 #undef	PEER_DADDR
1733 #undef	PERR_DSEQ
1734 #undef	PERR_DEXTADDR
1735 #undef	PERR_DRCODE
1736 
1737 static void
1738 hwmp_recv_rann(struct ieee80211vap *vap, struct ieee80211_node *ni,
1739     const struct ieee80211_frame *wh, const struct ieee80211_meshrann_ie *rann)
1740 {
1741 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1742 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
1743 	struct ieee80211_mesh_route *rt = NULL;
1744 	struct ieee80211_hwmp_route *hr;
1745 	struct ieee80211_meshpreq_ie preq;
1746 	struct ieee80211_meshrann_ie prann;
1747 
1748 	if (IEEE80211_ADDR_EQ(rann->rann_addr, vap->iv_myaddr))
1749 		return;
1750 
1751 	rt = ieee80211_mesh_rt_find(vap, rann->rann_addr);
1752 	if (rt != NULL && rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID) {
1753 		hr = IEEE80211_MESH_ROUTE_PRIV(rt, struct ieee80211_hwmp_route);
1754 
1755 		/* Acceptance criteria: if RANN.seq < stored seq, discard RANN */
1756 		if (HWMP_SEQ_LT(rann->rann_seq, hr->hr_seq)) {
1757 			IEEE80211_DISCARD(vap, IEEE80211_MSG_HWMP, wh, NULL,
1758 			"RANN seq %u < %u", rann->rann_seq, hr->hr_seq);
1759 			return;
1760 		}
1761 
1762 		/* Acceptance criteria: if RANN.seq == stored seq AND
1763 		* RANN.metric > stored metric, discard RANN */
1764 		if (HWMP_SEQ_EQ(rann->rann_seq, hr->hr_seq) &&
1765 		rann->rann_metric > rt->rt_metric) {
1766 			IEEE80211_DISCARD(vap, IEEE80211_MSG_HWMP, wh, NULL,
1767 			"RANN metric %u > %u", rann->rann_metric, rt->rt_metric);
1768 			return;
1769 		}
1770 	}
1771 
1772 	/* RANN ACCEPTED */
1773 
1774 	ieee80211_hwmp_rannint = rann->rann_interval; /* XXX: mtx lock? */
1775 
1776 	if (rt == NULL) {
1777 		rt = ieee80211_mesh_rt_add(vap, rann->rann_addr);
1778 		if (rt == NULL) {
1779 			IEEE80211_DISCARD(vap, IEEE80211_MSG_HWMP, wh, NULL,
1780 			    "unable to add mac for RANN root %6D",
1781 			    rann->rann_addr, ":");
1782 			    vap->iv_stats.is_mesh_rtaddfailed++;
1783 			return;
1784 		}
1785 	}
1786 	hr = IEEE80211_MESH_ROUTE_PRIV(rt, struct ieee80211_hwmp_route);
1787 	/* Check if root is a mesh gate, mark it */
1788 	if (rann->rann_flags & IEEE80211_MESHRANN_FLAGS_GATE) {
1789 		struct ieee80211_mesh_gate_route *gr;
1790 
1791 		rt->rt_flags |= IEEE80211_MESHRT_FLAGS_GATE;
1792 		gr = ieee80211_mesh_mark_gate(vap, rann->rann_addr,
1793 			rt);
1794 		gr->gr_lastseq = 0; /* NOT GANN */
1795 	}
1796 	/* discovery timeout */
1797 	ieee80211_mesh_rt_update(rt,
1798 	    ticks_to_msecs(ieee80211_hwmp_roottimeout));
1799 
1800 	preq.preq_flags = IEEE80211_MESHPREQ_FLAGS_AM;
1801 	preq.preq_hopcount = 0;
1802 	preq.preq_ttl = ms->ms_ttl;
1803 	preq.preq_id = 0; /* reserved */
1804 	IEEE80211_ADDR_COPY(preq.preq_origaddr, vap->iv_myaddr);
1805 	preq.preq_origseq = ++hs->hs_seq;
1806 	preq.preq_lifetime = ieee80211_hwmp_roottimeout;
1807 	preq.preq_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
1808 	preq.preq_tcount = 1;
1809 	preq.preq_targets[0].target_flags = IEEE80211_MESHPREQ_TFLAGS_TO;
1810 	/* NB: IEEE80211_MESHPREQ_TFLAGS_USN = 0 implicitly implied */
1811 	IEEE80211_ADDR_COPY(preq.preq_targets[0].target_addr, rann->rann_addr);
1812 	preq.preq_targets[0].target_seq = rann->rann_seq;
1813 	/* XXX: if rootconfint have not passed, we built this preq in vain */
1814 	hwmp_send_preq(vap, wh->i_addr2, &preq, &hr->hr_lastrootconf,
1815 	    &ieee80211_hwmp_rootconfint);
1816 
1817 	/* propagate a RANN */
1818 	if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID &&
1819 	    rann->rann_ttl > 1 &&
1820 	    ms->ms_flags & IEEE80211_MESHFLAGS_FWD) {
1821 		hr->hr_seq = rann->rann_seq;
1822 		memcpy(&prann, rann, sizeof(prann));
1823 		prann.rann_hopcount += 1;
1824 		prann.rann_ttl -= 1;
1825 		prann.rann_metric += ms->ms_pmetric->mpm_metric(ni);
1826 		hwmp_send_rann(vap, broadcastaddr, &prann);
1827 	}
1828 }
1829 
1830 static int
1831 hwmp_send_rann(struct ieee80211vap *vap,
1832     const uint8_t da[IEEE80211_ADDR_LEN],
1833     struct ieee80211_meshrann_ie *rann)
1834 {
1835 	/*
1836 	 * mesh rann action frame format
1837 	 *     [6] da
1838 	 *     [6] sa
1839 	 *     [6] addr3 = sa
1840 	 *     [1] action
1841 	 *     [1] category
1842 	 *     [tlv] root announcement
1843 	 */
1844 	rann->rann_ie = IEEE80211_ELEMID_MESHRANN;
1845 	rann->rann_len = IEEE80211_MESHRANN_BASE_SZ;
1846 	return hwmp_send_action(vap, da, (uint8_t *)rann, rann->rann_len + 2);
1847 }
1848 
1849 #define	PREQ_TFLAGS(n)	preq.preq_targets[n].target_flags
1850 #define	PREQ_TADDR(n)	preq.preq_targets[n].target_addr
1851 #define	PREQ_TSEQ(n)	preq.preq_targets[n].target_seq
1852 static void
1853 hwmp_rediscover_cb(void *arg)
1854 {
1855 	struct ieee80211_mesh_route *rt = arg;
1856 	struct ieee80211vap *vap = rt->rt_vap;
1857 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
1858 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1859 	struct ieee80211_hwmp_route *hr;
1860 	struct ieee80211_meshpreq_ie preq; /* Optimize: storing first preq? */
1861 
1862 	if ((rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID))
1863 		return ; /* nothing to do */
1864 
1865 	hr = IEEE80211_MESH_ROUTE_PRIV(rt, struct ieee80211_hwmp_route);
1866 	if (hr->hr_preqretries >=
1867 		ieee80211_hwmp_maxpreq_retries) {
1868 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY,
1869 			rt->rt_dest, "%s",
1870 			"max number of discovery, send queued frames to GATE");
1871 		ieee80211_mesh_forward_to_gates(vap, rt);
1872 		vap->iv_stats.is_mesh_fwd_nopath++;
1873 		return ; /* XXX: flush queue? */
1874 	}
1875 
1876 	hr->hr_preqretries++;
1877 
1878 	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_HWMP, rt->rt_dest,
1879 	    "start path rediscovery , target seq %u", hr->hr_seq);
1880 	/*
1881 	 * Try to discover the path for this node.
1882 	 * Group addressed PREQ Case A
1883 	 */
1884 	preq.preq_flags = 0;
1885 	preq.preq_hopcount = 0;
1886 	preq.preq_ttl = ms->ms_ttl;
1887 	preq.preq_id = ++hs->hs_preqid;
1888 	IEEE80211_ADDR_COPY(preq.preq_origaddr, vap->iv_myaddr);
1889 	preq.preq_origseq = hr->hr_origseq;
1890 	preq.preq_lifetime = ticks_to_msecs(ieee80211_hwmp_pathtimeout);
1891 	preq.preq_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
1892 	preq.preq_tcount = 1;
1893 	IEEE80211_ADDR_COPY(PREQ_TADDR(0), rt->rt_dest);
1894 	PREQ_TFLAGS(0) = 0;
1895 	if (ieee80211_hwmp_targetonly)
1896 		PREQ_TFLAGS(0) |= IEEE80211_MESHPREQ_TFLAGS_TO;
1897 	PREQ_TFLAGS(0) |= IEEE80211_MESHPREQ_TFLAGS_USN;
1898 	PREQ_TSEQ(0) = 0; /* RESERVED when USN flag is set */
1899 	/* XXX check return value */
1900 	hwmp_send_preq(vap, broadcastaddr, &preq, &hr->hr_lastpreq,
1901 	    &ieee80211_hwmp_preqminint);
1902 	callout_reset(&rt->rt_discovery,
1903 		ieee80211_hwmp_net_diameter_traversaltime * 2,
1904 		hwmp_rediscover_cb, rt);
1905 }
1906 
1907 static struct ieee80211_node *
1908 hwmp_discover(struct ieee80211vap *vap,
1909     const uint8_t dest[IEEE80211_ADDR_LEN], struct mbuf *m)
1910 {
1911 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
1912 	struct ieee80211_mesh_state *ms = vap->iv_mesh;
1913 	struct ieee80211_mesh_route *rt = NULL;
1914 	struct ieee80211_hwmp_route *hr;
1915 	struct ieee80211_meshpreq_ie preq;
1916 	struct ieee80211_node *ni;
1917 	int sendpreq = 0;
1918 
1919 	KASSERT(vap->iv_opmode == IEEE80211_M_MBSS,
1920 	    ("not a mesh vap, opmode %d", vap->iv_opmode));
1921 
1922 	KASSERT(!IEEE80211_ADDR_EQ(vap->iv_myaddr, dest),
1923 	    ("%s: discovering self!", __func__));
1924 
1925 	ni = NULL;
1926 	if (!IEEE80211_IS_MULTICAST(dest)) {
1927 		rt = ieee80211_mesh_rt_find(vap, dest);
1928 		if (rt == NULL) {
1929 			rt = ieee80211_mesh_rt_add(vap, dest);
1930 			if (rt == NULL) {
1931 				IEEE80211_DPRINTF(vap, IEEE80211_MSG_HWMP,
1932 				    "unable to add discovery path to %6D",
1933 				    dest, ":");
1934 				vap->iv_stats.is_mesh_rtaddfailed++;
1935 				goto done;
1936 			}
1937 		}
1938 		hr = IEEE80211_MESH_ROUTE_PRIV(rt,
1939 		    struct ieee80211_hwmp_route);
1940 		if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_DISCOVER) {
1941 			IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_HWMP, dest,
1942 			    "%s", "already discovering queue frame until path found");
1943 			sendpreq = 1;
1944 			goto done;
1945 		}
1946 		if ((rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID) == 0) {
1947 			if (hr->hr_lastdiscovery != 0 &&
1948 			    (ticks - hr->hr_lastdiscovery <
1949 			    (ieee80211_hwmp_net_diameter_traversaltime * 2))) {
1950 				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
1951 			            dest, NULL, "%s",
1952 				    "too frequent discovery requeust");
1953 				sendpreq = 1;
1954 				goto done;
1955 			}
1956 			hr->hr_lastdiscovery = ticks;
1957 			if (hr->hr_preqretries >=
1958 			    ieee80211_hwmp_maxpreq_retries) {
1959 				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
1960 			            dest, NULL, "%s",
1961 				    "no valid path , max number of discovery");
1962 				vap->iv_stats.is_mesh_fwd_nopath++;
1963 				goto done;
1964 			}
1965 			rt->rt_flags = IEEE80211_MESHRT_FLAGS_DISCOVER;
1966 			hr->hr_preqretries++;
1967 			if (hr->hr_origseq == 0)
1968 				hr->hr_origseq = ++hs->hs_seq;
1969 			rt->rt_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
1970 			sendpreq = 1;
1971 			IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_HWMP, dest,
1972 			    "start path discovery (src %s), target seq %u",
1973 			    m == NULL ? "<none>" : ether_sprintf(
1974 			    mtod(m, struct ether_header *)->ether_shost),
1975 			    hr->hr_seq);
1976 			/*
1977 			 * Try to discover the path for this node.
1978 			 * Group addressed PREQ Case A
1979 			 */
1980 			preq.preq_flags = 0;
1981 			preq.preq_hopcount = 0;
1982 			preq.preq_ttl = ms->ms_ttl;
1983 			preq.preq_id = ++hs->hs_preqid;
1984 			IEEE80211_ADDR_COPY(preq.preq_origaddr, vap->iv_myaddr);
1985 			preq.preq_origseq = hr->hr_origseq;
1986 			preq.preq_lifetime =
1987 			    ticks_to_msecs(ieee80211_hwmp_pathtimeout);
1988 			preq.preq_metric = IEEE80211_MESHLMETRIC_INITIALVAL;
1989 			preq.preq_tcount = 1;
1990 			IEEE80211_ADDR_COPY(PREQ_TADDR(0), dest);
1991 			PREQ_TFLAGS(0) = 0;
1992 			if (ieee80211_hwmp_targetonly)
1993 				PREQ_TFLAGS(0) |= IEEE80211_MESHPREQ_TFLAGS_TO;
1994 			PREQ_TFLAGS(0) |= IEEE80211_MESHPREQ_TFLAGS_USN;
1995 			PREQ_TSEQ(0) = 0; /* RESERVED when USN flag is set */
1996 			/* XXX check return value */
1997 			hwmp_send_preq(vap, broadcastaddr, &preq,
1998 			    &hr->hr_lastpreq, &ieee80211_hwmp_preqminint);
1999 			callout_reset(&rt->rt_discovery,
2000 			    ieee80211_hwmp_net_diameter_traversaltime * 2,
2001 			    hwmp_rediscover_cb, rt);
2002 		}
2003 		if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_VALID)
2004 			ni = ieee80211_find_txnode(vap, rt->rt_nexthop);
2005 	} else {
2006 		ni = ieee80211_find_txnode(vap, dest);
2007 		/* NB: if null then we leak mbuf */
2008 		KASSERT(ni != NULL, ("leak mcast frame"));
2009 		return ni;
2010 	}
2011 done:
2012 	if (ni == NULL && m != NULL) {
2013 		if (sendpreq) {
2014 			struct ieee80211com *ic = vap->iv_ic;
2015 			/*
2016 			 * Queue packet for transmit when path discovery
2017 			 * completes.  If discovery never completes the
2018 			 * frame will be flushed by way of the aging timer.
2019 			 */
2020 			IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_HWMP, dest,
2021 			    "%s", "queue frame until path found");
2022 			MPASS((m->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0);
2023 			m->m_pkthdr.rcvif = (void *)(uintptr_t)
2024 			    ieee80211_mac_hash(ic, dest);
2025 			/* XXX age chosen randomly */
2026 			ieee80211_ageq_append(&ic->ic_stageq, m,
2027 			    IEEE80211_INACT_WAIT);
2028 		} else {
2029 			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_HWMP,
2030 			    dest, NULL, "%s", "no valid path to this node");
2031 			m_freem(m);
2032 		}
2033 	}
2034 	return ni;
2035 }
2036 #undef	PREQ_TFLAGS
2037 #undef	PREQ_TADDR
2038 #undef	PREQ_TSEQ
2039 
2040 static int
2041 hwmp_ioctl_get80211(struct ieee80211vap *vap, struct ieee80211req *ireq)
2042 {
2043 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
2044 	int error;
2045 
2046 	if (vap->iv_opmode != IEEE80211_M_MBSS)
2047 		return ENOSYS;
2048 	error = 0;
2049 	switch (ireq->i_type) {
2050 	case IEEE80211_IOC_HWMP_ROOTMODE:
2051 		ireq->i_val = hs->hs_rootmode;
2052 		break;
2053 	case IEEE80211_IOC_HWMP_MAXHOPS:
2054 		ireq->i_val = hs->hs_maxhops;
2055 		break;
2056 	default:
2057 		return ENOSYS;
2058 	}
2059 	return error;
2060 }
2061 IEEE80211_IOCTL_GET(hwmp, hwmp_ioctl_get80211);
2062 
2063 static int
2064 hwmp_ioctl_set80211(struct ieee80211vap *vap, struct ieee80211req *ireq)
2065 {
2066 	struct ieee80211_hwmp_state *hs = vap->iv_hwmp;
2067 	int error;
2068 
2069 	if (vap->iv_opmode != IEEE80211_M_MBSS)
2070 		return ENOSYS;
2071 	error = 0;
2072 	switch (ireq->i_type) {
2073 	case IEEE80211_IOC_HWMP_ROOTMODE:
2074 		if (ireq->i_val < 0 || ireq->i_val > 3)
2075 			return EINVAL;
2076 		hs->hs_rootmode = ireq->i_val;
2077 		hwmp_rootmode_setup(vap);
2078 		break;
2079 	case IEEE80211_IOC_HWMP_MAXHOPS:
2080 		if (ireq->i_val <= 0 || ireq->i_val > 255)
2081 			return EINVAL;
2082 		hs->hs_maxhops = ireq->i_val;
2083 		break;
2084 	default:
2085 		return ENOSYS;
2086 	}
2087 	return error;
2088 }
2089 IEEE80211_IOCTL_SET(hwmp, hwmp_ioctl_set80211);
2090