xref: /freebsd/sys/netinet6/nd6.c (revision 6990ffd8a95caaba6858ad44ff1b3157d1efba8f)
1 /*	$FreeBSD$	*/
2 /*	$KAME: nd6.c,v 1.144 2001/05/24 07:44:00 itojun Exp $	*/
3 
4 /*
5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the project nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 /*
34  * XXX
35  * KAME 970409 note:
36  * BSD/OS version heavily modifies this code, related to llinfo.
37  * Since we don't have BSD/OS version of net/route.c in our hand,
38  * I left the code mostly as it was in 970310.  -- itojun
39  */
40 
41 #include "opt_inet.h"
42 #include "opt_inet6.h"
43 
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/callout.h>
47 #include <sys/malloc.h>
48 #include <sys/mbuf.h>
49 #include <sys/socket.h>
50 #include <sys/sockio.h>
51 #include <sys/time.h>
52 #include <sys/kernel.h>
53 #include <sys/protosw.h>
54 #include <sys/errno.h>
55 #include <sys/syslog.h>
56 #include <sys/queue.h>
57 #include <sys/sysctl.h>
58 
59 #include <net/if.h>
60 #include <net/if_dl.h>
61 #include <net/if_types.h>
62 #include <net/if_atm.h>
63 #include <net/route.h>
64 
65 #include <netinet/in.h>
66 #include <netinet/if_ether.h>
67 #include <netinet/if_fddi.h>
68 #include <netinet6/in6_var.h>
69 #include <netinet/ip6.h>
70 #include <netinet6/ip6_var.h>
71 #include <netinet6/nd6.h>
72 #include <netinet6/in6_prefix.h>
73 #include <netinet/icmp6.h>
74 
75 #include <net/net_osdep.h>
76 
77 #define ND6_SLOWTIMER_INTERVAL (60 * 60) /* 1 hour */
78 #define ND6_RECALC_REACHTM_INTERVAL (60 * 120) /* 2 hours */
79 
80 #define SIN6(s) ((struct sockaddr_in6 *)s)
81 #define SDL(s) ((struct sockaddr_dl *)s)
82 
83 /* timer values */
84 int	nd6_prune	= 1;	/* walk list every 1 seconds */
85 int	nd6_delay	= 5;	/* delay first probe time 5 second */
86 int	nd6_umaxtries	= 3;	/* maximum unicast query */
87 int	nd6_mmaxtries	= 3;	/* maximum multicast query */
88 int	nd6_useloopback = 1;	/* use loopback interface for local traffic */
89 int	nd6_gctimer	= (60 * 60 * 24); /* 1 day: garbage collection timer */
90 
91 /* preventing too many loops in ND option parsing */
92 int nd6_maxndopt = 10;	/* max # of ND options allowed */
93 
94 int nd6_maxnudhint = 0;	/* max # of subsequent upper layer hints */
95 
96 #ifdef ND6_DEBUG
97 int nd6_debug = 1;
98 #else
99 int nd6_debug = 0;
100 #endif
101 
102 /* for debugging? */
103 static int nd6_inuse, nd6_allocated;
104 
105 struct llinfo_nd6 llinfo_nd6 = {&llinfo_nd6, &llinfo_nd6};
106 static size_t nd_ifinfo_indexlim = 8;
107 struct nd_ifinfo *nd_ifinfo = NULL;
108 struct nd_drhead nd_defrouter;
109 struct nd_prhead nd_prefix = { 0 };
110 
111 int nd6_recalc_reachtm_interval = ND6_RECALC_REACHTM_INTERVAL;
112 static struct sockaddr_in6 all1_sa;
113 
114 static void nd6_slowtimo __P((void *));
115 static int regen_tmpaddr __P((struct in6_ifaddr *));
116 
117 struct callout nd6_slowtimo_ch;
118 struct callout nd6_timer_ch;
119 extern struct callout in6_tmpaddrtimer_ch;
120 
121 void
122 nd6_init()
123 {
124 	static int nd6_init_done = 0;
125 	int i;
126 
127 	if (nd6_init_done) {
128 		log(LOG_NOTICE, "nd6_init called more than once(ignored)\n");
129 		return;
130 	}
131 
132 	all1_sa.sin6_family = AF_INET6;
133 	all1_sa.sin6_len = sizeof(struct sockaddr_in6);
134 	for (i = 0; i < sizeof(all1_sa.sin6_addr); i++)
135 		all1_sa.sin6_addr.s6_addr[i] = 0xff;
136 
137 	/* initialization of the default router list */
138 	TAILQ_INIT(&nd_defrouter);
139 
140 	nd6_init_done = 1;
141 
142 	/* start timer */
143 	callout_reset(&nd6_slowtimo_ch, ND6_SLOWTIMER_INTERVAL * hz,
144 	    nd6_slowtimo, NULL);
145 }
146 
147 void
148 nd6_ifattach(ifp)
149 	struct ifnet *ifp;
150 {
151 
152 	/*
153 	 * We have some arrays that should be indexed by if_index.
154 	 * since if_index will grow dynamically, they should grow too.
155 	 */
156 	if (nd_ifinfo == NULL || if_index >= nd_ifinfo_indexlim) {
157 		size_t n;
158 		caddr_t q;
159 
160 		while (if_index >= nd_ifinfo_indexlim)
161 			nd_ifinfo_indexlim <<= 1;
162 
163 		/* grow nd_ifinfo */
164 		n = nd_ifinfo_indexlim * sizeof(struct nd_ifinfo);
165 		q = (caddr_t)malloc(n, M_IP6NDP, M_WAITOK);
166 		bzero(q, n);
167 		if (nd_ifinfo) {
168 			bcopy((caddr_t)nd_ifinfo, q, n/2);
169 			free((caddr_t)nd_ifinfo, M_IP6NDP);
170 		}
171 		nd_ifinfo = (struct nd_ifinfo *)q;
172 	}
173 
174 #define ND nd_ifinfo[ifp->if_index]
175 
176 	/*
177 	 * Don't initialize if called twice.
178 	 * XXX: to detect this, we should choose a member that is never set
179 	 * before initialization of the ND structure itself.  We formaly used
180 	 * the linkmtu member, which was not suitable because it could be
181 	 * initialized via "ifconfig mtu".
182 	 */
183 	if (ND.basereachable)
184 		return;
185 
186 	ND.linkmtu = ifnet_byindex(ifp->if_index)->if_mtu;
187 	ND.chlim = IPV6_DEFHLIM;
188 	ND.basereachable = REACHABLE_TIME;
189 	ND.reachable = ND_COMPUTE_RTIME(ND.basereachable);
190 	ND.retrans = RETRANS_TIMER;
191 	ND.receivedra = 0;
192 	ND.flags = ND6_IFF_PERFORMNUD;
193 	nd6_setmtu(ifp);
194 #undef ND
195 }
196 
197 /*
198  * Reset ND level link MTU. This function is called when the physical MTU
199  * changes, which means we might have to adjust the ND level MTU.
200  */
201 void
202 nd6_setmtu(ifp)
203 	struct ifnet *ifp;
204 {
205 #define MIN(a,b) ((a) < (b) ? (a) : (b))
206 	struct nd_ifinfo *ndi = &nd_ifinfo[ifp->if_index];
207 	u_long oldmaxmtu = ndi->maxmtu;
208 	u_long oldlinkmtu = ndi->linkmtu;
209 
210 	switch (ifp->if_type) {
211 	case IFT_ARCNET:	/* XXX MTU handling needs more work */
212 		ndi->maxmtu = MIN(60480, ifp->if_mtu);
213 		break;
214 	case IFT_ETHER:
215 		ndi->maxmtu = MIN(ETHERMTU, ifp->if_mtu);
216 		break;
217 	case IFT_FDDI:
218 		ndi->maxmtu = MIN(FDDIIPMTU, ifp->if_mtu);
219 		break;
220 	case IFT_ATM:
221 		ndi->maxmtu = MIN(ATMMTU, ifp->if_mtu);
222 		break;
223 	case IFT_IEEE1394:	/* XXX should be IEEE1394MTU(1500) */
224 		ndi->maxmtu = MIN(ETHERMTU, ifp->if_mtu);
225 		break;
226 #ifdef IFT_IEEE80211
227 	case IFT_IEEE80211:	/* XXX should be IEEE80211MTU(1500) */
228 		ndi->maxmtu = MIN(ETHERMTU, ifp->if_mtu);
229 		break;
230 #endif
231 	default:
232 		ndi->maxmtu = ifp->if_mtu;
233 		break;
234 	}
235 
236 	if (oldmaxmtu != ndi->maxmtu) {
237 		/*
238 		 * If the ND level MTU is not set yet, or if the maxmtu
239 		 * is reset to a smaller value than the ND level MTU,
240 		 * also reset the ND level MTU.
241 		 */
242 		if (ndi->linkmtu == 0 ||
243 		    ndi->maxmtu < ndi->linkmtu) {
244 			ndi->linkmtu = ndi->maxmtu;
245 			/* also adjust in6_maxmtu if necessary. */
246 			if (oldlinkmtu == 0) {
247 				/*
248 				 * XXX: the case analysis is grotty, but
249 				 * it is not efficient to call in6_setmaxmtu()
250 				 * here when we are during the initialization
251 				 * procedure.
252 				 */
253 				if (in6_maxmtu < ndi->linkmtu)
254 					in6_maxmtu = ndi->linkmtu;
255 			} else
256 				in6_setmaxmtu();
257 		}
258 	}
259 #undef MIN
260 }
261 
262 void
263 nd6_option_init(opt, icmp6len, ndopts)
264 	void *opt;
265 	int icmp6len;
266 	union nd_opts *ndopts;
267 {
268 	bzero(ndopts, sizeof(*ndopts));
269 	ndopts->nd_opts_search = (struct nd_opt_hdr *)opt;
270 	ndopts->nd_opts_last
271 		= (struct nd_opt_hdr *)(((u_char *)opt) + icmp6len);
272 
273 	if (icmp6len == 0) {
274 		ndopts->nd_opts_done = 1;
275 		ndopts->nd_opts_search = NULL;
276 	}
277 }
278 
279 /*
280  * Take one ND option.
281  */
282 struct nd_opt_hdr *
283 nd6_option(ndopts)
284 	union nd_opts *ndopts;
285 {
286 	struct nd_opt_hdr *nd_opt;
287 	int olen;
288 
289 	if (!ndopts)
290 		panic("ndopts == NULL in nd6_option\n");
291 	if (!ndopts->nd_opts_last)
292 		panic("uninitialized ndopts in nd6_option\n");
293 	if (!ndopts->nd_opts_search)
294 		return NULL;
295 	if (ndopts->nd_opts_done)
296 		return NULL;
297 
298 	nd_opt = ndopts->nd_opts_search;
299 
300 	/* make sure nd_opt_len is inside the buffer */
301 	if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
302 		bzero(ndopts, sizeof(*ndopts));
303 		return NULL;
304 	}
305 
306 	olen = nd_opt->nd_opt_len << 3;
307 	if (olen == 0) {
308 		/*
309 		 * Message validation requires that all included
310 		 * options have a length that is greater than zero.
311 		 */
312 		bzero(ndopts, sizeof(*ndopts));
313 		return NULL;
314 	}
315 
316 	ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
317 	if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
318 		/* option overruns the end of buffer, invalid */
319 		bzero(ndopts, sizeof(*ndopts));
320 		return NULL;
321 	} else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
322 		/* reached the end of options chain */
323 		ndopts->nd_opts_done = 1;
324 		ndopts->nd_opts_search = NULL;
325 	}
326 	return nd_opt;
327 }
328 
329 /*
330  * Parse multiple ND options.
331  * This function is much easier to use, for ND routines that do not need
332  * multiple options of the same type.
333  */
334 int
335 nd6_options(ndopts)
336 	union nd_opts *ndopts;
337 {
338 	struct nd_opt_hdr *nd_opt;
339 	int i = 0;
340 
341 	if (!ndopts)
342 		panic("ndopts == NULL in nd6_options\n");
343 	if (!ndopts->nd_opts_last)
344 		panic("uninitialized ndopts in nd6_options\n");
345 	if (!ndopts->nd_opts_search)
346 		return 0;
347 
348 	while (1) {
349 		nd_opt = nd6_option(ndopts);
350 		if (!nd_opt && !ndopts->nd_opts_last) {
351 			/*
352 			 * Message validation requires that all included
353 			 * options have a length that is greater than zero.
354 			 */
355 			icmp6stat.icp6s_nd_badopt++;
356 			bzero(ndopts, sizeof(*ndopts));
357 			return -1;
358 		}
359 
360 		if (!nd_opt)
361 			goto skip1;
362 
363 		switch (nd_opt->nd_opt_type) {
364 		case ND_OPT_SOURCE_LINKADDR:
365 		case ND_OPT_TARGET_LINKADDR:
366 		case ND_OPT_MTU:
367 		case ND_OPT_REDIRECTED_HEADER:
368 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
369 				nd6log((LOG_INFO,
370 				    "duplicated ND6 option found (type=%d)\n",
371 				    nd_opt->nd_opt_type));
372 				/* XXX bark? */
373 			} else {
374 				ndopts->nd_opt_array[nd_opt->nd_opt_type]
375 					= nd_opt;
376 			}
377 			break;
378 		case ND_OPT_PREFIX_INFORMATION:
379 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type] == 0) {
380 				ndopts->nd_opt_array[nd_opt->nd_opt_type]
381 					= nd_opt;
382 			}
383 			ndopts->nd_opts_pi_end =
384 				(struct nd_opt_prefix_info *)nd_opt;
385 			break;
386 		default:
387 			/*
388 			 * Unknown options must be silently ignored,
389 			 * to accomodate future extension to the protocol.
390 			 */
391 			nd6log((LOG_DEBUG,
392 			    "nd6_options: unsupported option %d - "
393 			    "option ignored\n", nd_opt->nd_opt_type));
394 		}
395 
396 skip1:
397 		i++;
398 		if (i > nd6_maxndopt) {
399 			icmp6stat.icp6s_nd_toomanyopt++;
400 			nd6log((LOG_INFO, "too many loop in nd opt\n"));
401 			break;
402 		}
403 
404 		if (ndopts->nd_opts_done)
405 			break;
406 	}
407 
408 	return 0;
409 }
410 
411 /*
412  * ND6 timer routine to expire default route list and prefix list
413  */
414 void
415 nd6_timer(ignored_arg)
416 	void	*ignored_arg;
417 {
418 	int s;
419 	struct llinfo_nd6 *ln;
420 	struct nd_defrouter *dr;
421 	struct nd_prefix *pr;
422 	struct ifnet *ifp;
423 	struct in6_ifaddr *ia6, *nia6;
424 	struct in6_addrlifetime *lt6;
425 
426 	s = splnet();
427 	callout_reset(&nd6_timer_ch, nd6_prune * hz,
428 		      nd6_timer, NULL);
429 
430 	ln = llinfo_nd6.ln_next;
431 	/* XXX BSD/OS separates this code -- itojun */
432 	while (ln && ln != &llinfo_nd6) {
433 		struct rtentry *rt;
434 		struct sockaddr_in6 *dst;
435 		struct llinfo_nd6 *next = ln->ln_next;
436 		/* XXX: used for the DELAY case only: */
437 		struct nd_ifinfo *ndi = NULL;
438 
439 		if ((rt = ln->ln_rt) == NULL) {
440 			ln = next;
441 			continue;
442 		}
443 		if ((ifp = rt->rt_ifp) == NULL) {
444 			ln = next;
445 			continue;
446 		}
447 		ndi = &nd_ifinfo[ifp->if_index];
448 		dst = (struct sockaddr_in6 *)rt_key(rt);
449 
450 		if (ln->ln_expire > time_second) {
451 			ln = next;
452 			continue;
453 		}
454 
455 		/* sanity check */
456 		if (!rt)
457 			panic("rt=0 in nd6_timer(ln=%p)\n", ln);
458 		if (rt->rt_llinfo && (struct llinfo_nd6 *)rt->rt_llinfo != ln)
459 			panic("rt_llinfo(%p) is not equal to ln(%p)\n",
460 			      rt->rt_llinfo, ln);
461 		if (!dst)
462 			panic("dst=0 in nd6_timer(ln=%p)\n", ln);
463 
464 		switch (ln->ln_state) {
465 		case ND6_LLINFO_INCOMPLETE:
466 			if (ln->ln_asked < nd6_mmaxtries) {
467 				ln->ln_asked++;
468 				ln->ln_expire = time_second +
469 					nd_ifinfo[ifp->if_index].retrans / 1000;
470 				nd6_ns_output(ifp, NULL, &dst->sin6_addr,
471 					ln, 0);
472 			} else {
473 				struct mbuf *m = ln->ln_hold;
474 				if (m) {
475 					if (rt->rt_ifp) {
476 						/*
477 						 * Fake rcvif to make ICMP error
478 						 * more helpful in diagnosing
479 						 * for the receiver.
480 						 * XXX: should we consider
481 						 * older rcvif?
482 						 */
483 						m->m_pkthdr.rcvif = rt->rt_ifp;
484 					}
485 					icmp6_error(m, ICMP6_DST_UNREACH,
486 						    ICMP6_DST_UNREACH_ADDR, 0);
487 					ln->ln_hold = NULL;
488 				}
489 				next = nd6_free(rt);
490 			}
491 			break;
492 		case ND6_LLINFO_REACHABLE:
493 			if (ln->ln_expire) {
494 				ln->ln_state = ND6_LLINFO_STALE;
495 				ln->ln_expire = time_second + nd6_gctimer;
496 			}
497 			break;
498 
499 		case ND6_LLINFO_STALE:
500 			/* Garbage Collection(RFC 2461 5.3) */
501 			if (ln->ln_expire)
502 				next = nd6_free(rt);
503 			break;
504 
505 		case ND6_LLINFO_DELAY:
506 			if (ndi && (ndi->flags & ND6_IFF_PERFORMNUD) != 0) {
507 				/* We need NUD */
508 				ln->ln_asked = 1;
509 				ln->ln_state = ND6_LLINFO_PROBE;
510 				ln->ln_expire = time_second +
511 					ndi->retrans / 1000;
512 				nd6_ns_output(ifp, &dst->sin6_addr,
513 					      &dst->sin6_addr,
514 					      ln, 0);
515 			} else {
516 				ln->ln_state = ND6_LLINFO_STALE; /* XXX */
517 				ln->ln_expire = time_second + nd6_gctimer;
518 			}
519 			break;
520 		case ND6_LLINFO_PROBE:
521 			if (ln->ln_asked < nd6_umaxtries) {
522 				ln->ln_asked++;
523 				ln->ln_expire = time_second +
524 					nd_ifinfo[ifp->if_index].retrans / 1000;
525 				nd6_ns_output(ifp, &dst->sin6_addr,
526 					       &dst->sin6_addr, ln, 0);
527 			} else {
528 				next = nd6_free(rt);
529 			}
530 			break;
531 		}
532 		ln = next;
533 	}
534 
535 	/* expire default router list */
536 	dr = TAILQ_FIRST(&nd_defrouter);
537 	while (dr) {
538 		if (dr->expire && dr->expire < time_second) {
539 			struct nd_defrouter *t;
540 			t = TAILQ_NEXT(dr, dr_entry);
541 			defrtrlist_del(dr);
542 			dr = t;
543 		} else {
544 			dr = TAILQ_NEXT(dr, dr_entry);
545 		}
546 	}
547 
548 	/*
549 	 * expire interface addresses.
550 	 * in the past the loop was inside prefix expiry processing.
551 	 * However, from a stricter speci-confrmance standpoint, we should
552 	 * rather separate address lifetimes and prefix lifetimes.
553 	 */
554   addrloop:
555 	for (ia6 = in6_ifaddr; ia6; ia6 = nia6) {
556 		nia6 = ia6->ia_next;
557 		/* check address lifetime */
558 		lt6 = &ia6->ia6_lifetime;
559 		if (IFA6_IS_INVALID(ia6)) {
560 			int regen = 0;
561 
562 			/*
563 			 * If the expiring address is temporary, try
564 			 * regenerating a new one.  This would be useful when
565 			 * we suspended a laptop PC, then turned on after a
566 			 * period that could invalidate all temporary
567 			 * addresses.  Although we may have to restart the
568 			 * loop (see below), it must be after purging the
569 			 * address.  Otherwise, we'd see an infinite loop of
570 			 * regeneration.
571 			 */
572 			if (ip6_use_tempaddr &&
573 			    (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0) {
574 				if (regen_tmpaddr(ia6) == 0)
575 					regen = 1;
576 			}
577 
578 			in6_purgeaddr(&ia6->ia_ifa);
579 
580 			if (regen)
581 				goto addrloop; /* XXX: see below */
582 		} else if (IFA6_IS_DEPRECATED(ia6)) {
583 			int oldflags = ia6->ia6_flags;
584 
585 			ia6->ia6_flags |= IN6_IFF_DEPRECATED;
586 
587 			/*
588 			 * If a temporary address has just become deprecated,
589 			 * regenerate a new one if possible.
590 			 */
591 			if (ip6_use_tempaddr &&
592 			    (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
593 			    (oldflags & IN6_IFF_DEPRECATED) == 0) {
594 
595 				if (regen_tmpaddr(ia6) == 0) {
596 					/*
597 					 * A new temporary address is
598 					 * generated.
599 					 * XXX: this means the address chain
600 					 * has changed while we are still in
601 					 * the loop.  Although the change
602 					 * would not cause disaster (because
603 					 * it's not an addition, but a
604 					 * deletion,) we'd rather restart the
605 					 * loop just for safety.  Or does this
606 					 * significantly reduce performance??
607 					 */
608 					goto addrloop;
609 				}
610 			}
611 		} else if (IFA6_IS_DEPRECATED(ia6)) {
612 			/*
613 			 * A new RA might have made a deprecated address
614 			 * preferred.
615 			 */
616 			ia6->ia6_flags &= ~IN6_IFF_DEPRECATED;
617 		}
618 	}
619 
620 	/* expire prefix list */
621 	pr = nd_prefix.lh_first;
622 	while (pr) {
623 		/*
624 		 * check prefix lifetime.
625 		 * since pltime is just for autoconf, pltime processing for
626 		 * prefix is not necessary.
627 		 *
628 		 * we offset expire time by NDPR_KEEP_EXPIRE, so that we
629 		 * can use the old prefix information to validate the
630 		 * next prefix information to come.  See prelist_update()
631 		 * for actual validation.
632 		 *
633 		 * I don't think such an offset is necessary.
634 		 * (jinmei@kame.net, 20010130).
635 		 */
636 		if (pr->ndpr_expire && pr->ndpr_expire < time_second) {
637 			struct nd_prefix *t;
638 			t = pr->ndpr_next;
639 
640 			/*
641 			 * address expiration and prefix expiration are
642 			 * separate.  NEVER perform in6_purgeaddr here.
643 			 */
644 
645 			prelist_remove(pr);
646 			pr = t;
647 		} else
648 			pr = pr->ndpr_next;
649 	}
650 	splx(s);
651 }
652 
653 static int
654 regen_tmpaddr(ia6)
655 	struct in6_ifaddr *ia6; /* deprecated/invalidated temporary address */
656 {
657 	struct ifaddr *ifa;
658 	struct ifnet *ifp;
659 	struct in6_ifaddr *public_ifa6 = NULL;
660 
661 	ifp = ia6->ia_ifa.ifa_ifp;
662 	for (ifa = ifp->if_addrlist.tqh_first; ifa;
663 	     ifa = ifa->ifa_list.tqe_next)
664 	{
665 		struct in6_ifaddr *it6;
666 
667 		if (ifa->ifa_addr->sa_family != AF_INET6)
668 			continue;
669 
670 		it6 = (struct in6_ifaddr *)ifa;
671 
672 		/* ignore no autoconf addresses. */
673 		if ((it6->ia6_flags & IN6_IFF_AUTOCONF) == 0)
674 			continue;
675 
676 		/* ignore autoconf addresses with different prefixes. */
677 		if (it6->ia6_ndpr == NULL || it6->ia6_ndpr != ia6->ia6_ndpr)
678 			continue;
679 
680 		/*
681 		 * Now we are looking at an autoconf address with the same
682 		 * prefix as ours.  If the address is temporary and is still
683 		 * preferred, do not create another one.  It would be rare, but
684 		 * could happen, for example, when we resume a laptop PC after
685 		 * a long period.
686 		 */
687 		if ((it6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
688 		    !IFA6_IS_DEPRECATED(it6)) {
689 			public_ifa6 = NULL;
690 			break;
691 		}
692 
693 		/*
694 		 * This is a public autoconf address that has the same prefix
695 		 * as ours.  If it is preferred, keep it.  We can't break the
696 		 * loop here, because there may be a still-preferred temporary
697 		 * address with the prefix.
698 		 */
699 		if (!IFA6_IS_DEPRECATED(it6))
700 		    public_ifa6 = it6;
701 	}
702 
703 	if (public_ifa6 != NULL) {
704 		int e;
705 
706 		if ((e = in6_tmpifadd(public_ifa6, 0)) != 0) {
707 			log(LOG_NOTICE, "regen_tmpaddr: failed to create a new"
708 			    " tmp addr,errno=%d\n", e);
709 			return(-1);
710 		}
711 		return(0);
712 	}
713 
714 	return(-1);
715 }
716 
717 /*
718  * Nuke neighbor cache/prefix/default router management table, right before
719  * ifp goes away.
720  */
721 void
722 nd6_purge(ifp)
723 	struct ifnet *ifp;
724 {
725 	struct llinfo_nd6 *ln, *nln;
726 	struct nd_defrouter *dr, *ndr, drany;
727 	struct nd_prefix *pr, *npr;
728 
729 	/* Nuke default router list entries toward ifp */
730 	if ((dr = TAILQ_FIRST(&nd_defrouter)) != NULL) {
731 		/*
732 		 * The first entry of the list may be stored in
733 		 * the routing table, so we'll delete it later.
734 		 */
735 		for (dr = TAILQ_NEXT(dr, dr_entry); dr; dr = ndr) {
736 			ndr = TAILQ_NEXT(dr, dr_entry);
737 			if (dr->ifp == ifp)
738 				defrtrlist_del(dr);
739 		}
740 		dr = TAILQ_FIRST(&nd_defrouter);
741 		if (dr->ifp == ifp)
742 			defrtrlist_del(dr);
743 	}
744 
745 	/* Nuke prefix list entries toward ifp */
746 	for (pr = nd_prefix.lh_first; pr; pr = npr) {
747 		npr = pr->ndpr_next;
748 		if (pr->ndpr_ifp == ifp) {
749 			/*
750 			 * Previously, pr->ndpr_addr is removed as well,
751 			 * but I strongly believe we don't have to do it.
752 			 * nd6_purge() is only called from in6_ifdetach(),
753 			 * which removes all the associated interface addresses
754 			 * by itself.
755 			 * (jinmei@kame.net 20010129)
756 			 */
757 			prelist_remove(pr);
758 		}
759 	}
760 
761 	/* cancel default outgoing interface setting */
762 	if (nd6_defifindex == ifp->if_index)
763 		nd6_setdefaultiface(0);
764 
765 	if (!ip6_forwarding && ip6_accept_rtadv) { /* XXX: too restrictive? */
766 		/* refresh default router list */
767 		bzero(&drany, sizeof(drany));
768 		defrouter_delreq(&drany, 0);
769 		defrouter_select();
770 	}
771 
772 	/*
773 	 * Nuke neighbor cache entries for the ifp.
774 	 * Note that rt->rt_ifp may not be the same as ifp,
775 	 * due to KAME goto ours hack.  See RTM_RESOLVE case in
776 	 * nd6_rtrequest(), and ip6_input().
777 	 */
778 	ln = llinfo_nd6.ln_next;
779 	while (ln && ln != &llinfo_nd6) {
780 		struct rtentry *rt;
781 		struct sockaddr_dl *sdl;
782 
783 		nln = ln->ln_next;
784 		rt = ln->ln_rt;
785 		if (rt && rt->rt_gateway &&
786 		    rt->rt_gateway->sa_family == AF_LINK) {
787 			sdl = (struct sockaddr_dl *)rt->rt_gateway;
788 			if (sdl->sdl_index == ifp->if_index)
789 				nln = nd6_free(rt);
790 		}
791 		ln = nln;
792 	}
793 }
794 
795 struct rtentry *
796 nd6_lookup(addr6, create, ifp)
797 	struct in6_addr *addr6;
798 	int create;
799 	struct ifnet *ifp;
800 {
801 	struct rtentry *rt;
802 	struct sockaddr_in6 sin6;
803 
804 	bzero(&sin6, sizeof(sin6));
805 	sin6.sin6_len = sizeof(struct sockaddr_in6);
806 	sin6.sin6_family = AF_INET6;
807 	sin6.sin6_addr = *addr6;
808 #ifdef SCOPEDROUTING
809 	sin6.sin6_scope_id = in6_addr2scopeid(ifp, addr6);
810 #endif
811 	rt = rtalloc1((struct sockaddr *)&sin6, create, 0UL);
812 	if (rt && (rt->rt_flags & RTF_LLINFO) == 0) {
813 		/*
814 		 * This is the case for the default route.
815 		 * If we want to create a neighbor cache for the address, we
816 		 * should free the route for the destination and allocate an
817 		 * interface route.
818 		 */
819 		if (create) {
820 			RTFREE(rt);
821 			rt = 0;
822 		}
823 	}
824 	if (!rt) {
825 		if (create && ifp) {
826 			int e;
827 
828 			/*
829 			 * If no route is available and create is set,
830 			 * we allocate a host route for the destination
831 			 * and treat it like an interface route.
832 			 * This hack is necessary for a neighbor which can't
833 			 * be covered by our own prefix.
834 			 */
835 			struct ifaddr *ifa =
836 				ifaof_ifpforaddr((struct sockaddr *)&sin6, ifp);
837 			if (ifa == NULL)
838 				return(NULL);
839 
840 			/*
841 			 * Create a new route. RTF_LLINFO is necessary
842 			 * to create a Neighbor Cache entry for the
843 			 * destination in nd6_rtrequest which will be
844 			 * called in rtequest via ifa->ifa_rtrequest.
845 			 */
846 			if ((e = rtrequest(RTM_ADD, (struct sockaddr *)&sin6,
847 					   ifa->ifa_addr,
848 					   (struct sockaddr *)&all1_sa,
849 					   (ifa->ifa_flags |
850 					    RTF_HOST | RTF_LLINFO) &
851 					   ~RTF_CLONING,
852 					   &rt)) != 0)
853 				log(LOG_ERR,
854 				    "nd6_lookup: failed to add route for a "
855 				    "neighbor(%s), errno=%d\n",
856 				    ip6_sprintf(addr6), e);
857 			if (rt == NULL)
858 				return(NULL);
859 			if (rt->rt_llinfo) {
860 				struct llinfo_nd6 *ln =
861 					(struct llinfo_nd6 *)rt->rt_llinfo;
862 				ln->ln_state = ND6_LLINFO_NOSTATE;
863 			}
864 		} else
865 			return(NULL);
866 	}
867 	rt->rt_refcnt--;
868 	/*
869 	 * Validation for the entry.
870 	 * XXX: we can't use rt->rt_ifp to check for the interface, since
871 	 *      it might be the loopback interface if the entry is for our
872 	 *      own address on a non-loopback interface. Instead, we should
873 	 *      use rt->rt_ifa->ifa_ifp, which would specify the REAL interface.
874 	 */
875 	if ((rt->rt_flags & RTF_GATEWAY) || (rt->rt_flags & RTF_LLINFO) == 0 ||
876 	    rt->rt_gateway->sa_family != AF_LINK ||
877 	    (ifp && rt->rt_ifa->ifa_ifp != ifp)) {
878 		if (create) {
879 			log(LOG_DEBUG, "nd6_lookup: failed to lookup %s (if = %s)\n",
880 			    ip6_sprintf(addr6), ifp ? if_name(ifp) : "unspec");
881 			/* xxx more logs... kazu */
882 		}
883 		return(0);
884 	}
885 	return(rt);
886 }
887 
888 /*
889  * Detect if a given IPv6 address identifies a neighbor on a given link.
890  * XXX: should take care of the destination of a p2p link?
891  */
892 int
893 nd6_is_addr_neighbor(addr, ifp)
894 	struct sockaddr_in6 *addr;
895 	struct ifnet *ifp;
896 {
897 	struct ifaddr *ifa;
898 	int i;
899 
900 #define IFADDR6(a) ((((struct in6_ifaddr *)(a))->ia_addr).sin6_addr)
901 #define IFMASK6(a) ((((struct in6_ifaddr *)(a))->ia_prefixmask).sin6_addr)
902 
903 	/*
904 	 * A link-local address is always a neighbor.
905 	 * XXX: we should use the sin6_scope_id field rather than the embedded
906 	 * interface index.
907 	 */
908 	if (IN6_IS_ADDR_LINKLOCAL(&addr->sin6_addr) &&
909 	    ntohs(*(u_int16_t *)&addr->sin6_addr.s6_addr[2]) == ifp->if_index)
910 		return(1);
911 
912 	/*
913 	 * If the address matches one of our addresses,
914 	 * it should be a neighbor.
915 	 */
916 	for (ifa = ifp->if_addrlist.tqh_first;
917 	     ifa;
918 	     ifa = ifa->ifa_list.tqe_next)
919 	{
920 		if (ifa->ifa_addr->sa_family != AF_INET6)
921 			next: continue;
922 
923 		for (i = 0; i < 4; i++) {
924 			if ((IFADDR6(ifa).s6_addr32[i] ^
925 			     addr->sin6_addr.s6_addr32[i]) &
926 			    IFMASK6(ifa).s6_addr32[i])
927 				goto next;
928 		}
929 		return(1);
930 	}
931 
932 	/*
933 	 * Even if the address matches none of our addresses, it might be
934 	 * in the neighbor cache.
935 	 */
936 	if (nd6_lookup(&addr->sin6_addr, 0, ifp))
937 		return(1);
938 
939 	return(0);
940 #undef IFADDR6
941 #undef IFMASK6
942 }
943 
944 /*
945  * Free an nd6 llinfo entry.
946  */
947 struct llinfo_nd6 *
948 nd6_free(rt)
949 	struct rtentry *rt;
950 {
951 	struct llinfo_nd6 *ln = (struct llinfo_nd6 *)rt->rt_llinfo, *next;
952 	struct in6_addr in6 = ((struct sockaddr_in6 *)rt_key(rt))->sin6_addr;
953 	struct nd_defrouter *dr;
954 
955 	/*
956 	 * we used to have pfctlinput(PRC_HOSTDEAD) here.
957 	 * even though it is not harmful, it was not really necessary.
958 	 */
959 
960 	if (!ip6_forwarding && ip6_accept_rtadv) { /* XXX: too restrictive? */
961 		int s;
962 		s = splnet();
963 		dr = defrouter_lookup(&((struct sockaddr_in6 *)rt_key(rt))->sin6_addr,
964 				      rt->rt_ifp);
965 
966 		if (ln->ln_router || dr) {
967 			/*
968 			 * rt6_flush must be called whether or not the neighbor
969 			 * is in the Default Router List.
970 			 * See a corresponding comment in nd6_na_input().
971 			 */
972 			rt6_flush(&in6, rt->rt_ifp);
973 		}
974 
975 		if (dr) {
976 			/*
977 			 * Unreachablity of a router might affect the default
978 			 * router selection and on-link detection of advertised
979 			 * prefixes.
980 			 */
981 
982 			/*
983 			 * Temporarily fake the state to choose a new default
984 			 * router and to perform on-link determination of
985 			 * prefixes coreectly.
986 			 * Below the state will be set correctly,
987 			 * or the entry itself will be deleted.
988 			 */
989 			ln->ln_state = ND6_LLINFO_INCOMPLETE;
990 
991 			/*
992 			 * Since defrouter_select() does not affect the
993 			 * on-link determination and MIP6 needs the check
994 			 * before the default router selection, we perform
995 			 * the check now.
996 			 */
997 			pfxlist_onlink_check();
998 
999 			if (dr == TAILQ_FIRST(&nd_defrouter)) {
1000 				/*
1001 				 * It is used as the current default router,
1002 				 * so we have to move it to the end of the
1003 				 * list and choose a new one.
1004 				 * XXX: it is not very efficient if this is
1005 				 *      the only router.
1006 				 */
1007 				TAILQ_REMOVE(&nd_defrouter, dr, dr_entry);
1008 				TAILQ_INSERT_TAIL(&nd_defrouter, dr, dr_entry);
1009 
1010 				defrouter_select();
1011 			}
1012 		}
1013 		splx(s);
1014 	}
1015 
1016 	/*
1017 	 * Before deleting the entry, remember the next entry as the
1018 	 * return value.  We need this because pfxlist_onlink_check() above
1019 	 * might have freed other entries (particularly the old next entry) as
1020 	 * a side effect (XXX).
1021 	 */
1022 	next = ln->ln_next;
1023 
1024 	/*
1025 	 * Detach the route from the routing tree and the list of neighbor
1026 	 * caches, and disable the route entry not to be used in already
1027 	 * cached routes.
1028 	 */
1029 	rtrequest(RTM_DELETE, rt_key(rt), (struct sockaddr *)0,
1030 		  rt_mask(rt), 0, (struct rtentry **)0);
1031 
1032 	return(next);
1033 }
1034 
1035 /*
1036  * Upper-layer reachability hint for Neighbor Unreachability Detection.
1037  *
1038  * XXX cost-effective metods?
1039  */
1040 void
1041 nd6_nud_hint(rt, dst6, force)
1042 	struct rtentry *rt;
1043 	struct in6_addr *dst6;
1044 	int force;
1045 {
1046 	struct llinfo_nd6 *ln;
1047 
1048 	/*
1049 	 * If the caller specified "rt", use that.  Otherwise, resolve the
1050 	 * routing table by supplied "dst6".
1051 	 */
1052 	if (!rt) {
1053 		if (!dst6)
1054 			return;
1055 		if (!(rt = nd6_lookup(dst6, 0, NULL)))
1056 			return;
1057 	}
1058 
1059 	if ((rt->rt_flags & RTF_GATEWAY) != 0 ||
1060 	    (rt->rt_flags & RTF_LLINFO) == 0 ||
1061 	    !rt->rt_llinfo || !rt->rt_gateway ||
1062 	    rt->rt_gateway->sa_family != AF_LINK) {
1063 		/* This is not a host route. */
1064 		return;
1065 	}
1066 
1067 	ln = (struct llinfo_nd6 *)rt->rt_llinfo;
1068 	if (ln->ln_state < ND6_LLINFO_REACHABLE)
1069 		return;
1070 
1071 	/*
1072 	 * if we get upper-layer reachability confirmation many times,
1073 	 * it is possible we have false information.
1074 	 */
1075 	if (!force) {
1076 		ln->ln_byhint++;
1077 		if (ln->ln_byhint > nd6_maxnudhint)
1078 			return;
1079 	}
1080 
1081 	ln->ln_state = ND6_LLINFO_REACHABLE;
1082 	if (ln->ln_expire)
1083 		ln->ln_expire = time_second +
1084 			nd_ifinfo[rt->rt_ifp->if_index].reachable;
1085 }
1086 
1087 void
1088 nd6_rtrequest(req, rt, sa)
1089 	int	req;
1090 	struct rtentry *rt;
1091 	struct sockaddr *sa; /* xxx unused */
1092 {
1093 	struct sockaddr *gate = rt->rt_gateway;
1094 	struct llinfo_nd6 *ln = (struct llinfo_nd6 *)rt->rt_llinfo;
1095 	static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK};
1096 	struct ifnet *ifp = rt->rt_ifp;
1097 	struct ifaddr *ifa;
1098 
1099 	if (rt->rt_flags & RTF_GATEWAY)
1100 		return;
1101 
1102 	if (nd6_need_cache(ifp) == 0 && (rt->rt_flags & RTF_HOST) == 0) {
1103 		/*
1104 		 * This is probably an interface direct route for a link
1105 		 * which does not need neighbor caches (e.g. fe80::%lo0/64).
1106 		 * We do not need special treatment below for such a route.
1107 		 * Moreover, the RTF_LLINFO flag which would be set below
1108 		 * would annoy the ndp(8) command.
1109 		 */
1110 		return;
1111 	}
1112 
1113 	switch (req) {
1114 	case RTM_ADD:
1115 		/*
1116 		 * There is no backward compatibility :)
1117 		 *
1118 		 * if ((rt->rt_flags & RTF_HOST) == 0 &&
1119 		 *     SIN(rt_mask(rt))->sin_addr.s_addr != 0xffffffff)
1120 		 *	   rt->rt_flags |= RTF_CLONING;
1121 		 */
1122 		if (rt->rt_flags & (RTF_CLONING | RTF_LLINFO)) {
1123 			/*
1124 			 * Case 1: This route should come from
1125 			 * a route to interface. RTF_LLINFO flag is set
1126 			 * for a host route whose destination should be
1127 			 * treated as on-link.
1128 			 */
1129 			rt_setgate(rt, rt_key(rt),
1130 				   (struct sockaddr *)&null_sdl);
1131 			gate = rt->rt_gateway;
1132 			SDL(gate)->sdl_type = ifp->if_type;
1133 			SDL(gate)->sdl_index = ifp->if_index;
1134 			if (ln)
1135 				ln->ln_expire = time_second;
1136 #if 1
1137 			if (ln && ln->ln_expire == 0) {
1138 				/* kludge for desktops */
1139 #if 0
1140 				printf("nd6_request: time.tv_sec is zero; "
1141 				       "treat it as 1\n");
1142 #endif
1143 				ln->ln_expire = 1;
1144 			}
1145 #endif
1146 			if (rt->rt_flags & RTF_CLONING)
1147 				break;
1148 		}
1149 		/*
1150 		 * In IPv4 code, we try to annonuce new RTF_ANNOUNCE entry here.
1151 		 * We don't do that here since llinfo is not ready yet.
1152 		 *
1153 		 * There are also couple of other things to be discussed:
1154 		 * - unsolicited NA code needs improvement beforehand
1155 		 * - RFC2461 says we MAY send multicast unsolicited NA
1156 		 *   (7.2.6 paragraph 4), however, it also says that we
1157 		 *   SHOULD provide a mechanism to prevent multicast NA storm.
1158 		 *   we don't have anything like it right now.
1159 		 *   note that the mechanism needs a mutual agreement
1160 		 *   between proxies, which means that we need to implement
1161 		 *   a new protocol, or a new kludge.
1162 		 * - from RFC2461 6.2.4, host MUST NOT send an unsolicited NA.
1163 		 *   we need to check ip6forwarding before sending it.
1164 		 *   (or should we allow proxy ND configuration only for
1165 		 *   routers?  there's no mention about proxy ND from hosts)
1166 		 */
1167 #if 0
1168 		/* XXX it does not work */
1169 		if (rt->rt_flags & RTF_ANNOUNCE)
1170 			nd6_na_output(ifp,
1171 			      &SIN6(rt_key(rt))->sin6_addr,
1172 			      &SIN6(rt_key(rt))->sin6_addr,
1173 			      ip6_forwarding ? ND_NA_FLAG_ROUTER : 0,
1174 			      1, NULL);
1175 #endif
1176 		/* FALLTHROUGH */
1177 	case RTM_RESOLVE:
1178 		if ((ifp->if_flags & (IFF_POINTOPOINT | IFF_LOOPBACK)) == 0) {
1179 			/*
1180 			 * Address resolution isn't necessary for a point to
1181 			 * point link, so we can skip this test for a p2p link.
1182 			 */
1183 			if (gate->sa_family != AF_LINK ||
1184 			    gate->sa_len < sizeof(null_sdl)) {
1185 				log(LOG_DEBUG,
1186 				    "nd6_rtrequest: bad gateway value: %s\n",
1187 				    if_name(ifp));
1188 				break;
1189 			}
1190 			SDL(gate)->sdl_type = ifp->if_type;
1191 			SDL(gate)->sdl_index = ifp->if_index;
1192 		}
1193 		if (ln != NULL)
1194 			break;	/* This happens on a route change */
1195 		/*
1196 		 * Case 2: This route may come from cloning, or a manual route
1197 		 * add with a LL address.
1198 		 */
1199 		R_Malloc(ln, struct llinfo_nd6 *, sizeof(*ln));
1200 		rt->rt_llinfo = (caddr_t)ln;
1201 		if (!ln) {
1202 			log(LOG_DEBUG, "nd6_rtrequest: malloc failed\n");
1203 			break;
1204 		}
1205 		nd6_inuse++;
1206 		nd6_allocated++;
1207 		Bzero(ln, sizeof(*ln));
1208 		ln->ln_rt = rt;
1209 		/* this is required for "ndp" command. - shin */
1210 		if (req == RTM_ADD) {
1211 		        /*
1212 			 * gate should have some valid AF_LINK entry,
1213 			 * and ln->ln_expire should have some lifetime
1214 			 * which is specified by ndp command.
1215 			 */
1216 			ln->ln_state = ND6_LLINFO_REACHABLE;
1217 			ln->ln_byhint = 0;
1218 		} else {
1219 		        /*
1220 			 * When req == RTM_RESOLVE, rt is created and
1221 			 * initialized in rtrequest(), so rt_expire is 0.
1222 			 */
1223 			ln->ln_state = ND6_LLINFO_NOSTATE;
1224 			ln->ln_expire = time_second;
1225 		}
1226 		rt->rt_flags |= RTF_LLINFO;
1227 		ln->ln_next = llinfo_nd6.ln_next;
1228 		llinfo_nd6.ln_next = ln;
1229 		ln->ln_prev = &llinfo_nd6;
1230 		ln->ln_next->ln_prev = ln;
1231 
1232 		/*
1233 		 * check if rt_key(rt) is one of my address assigned
1234 		 * to the interface.
1235 		 */
1236 		ifa = (struct ifaddr *)in6ifa_ifpwithaddr(rt->rt_ifp,
1237 					  &SIN6(rt_key(rt))->sin6_addr);
1238 		if (ifa) {
1239 			caddr_t macp = nd6_ifptomac(ifp);
1240 			ln->ln_expire = 0;
1241 			ln->ln_state = ND6_LLINFO_REACHABLE;
1242 			ln->ln_byhint = 0;
1243 			if (macp) {
1244 				Bcopy(macp, LLADDR(SDL(gate)), ifp->if_addrlen);
1245 				SDL(gate)->sdl_alen = ifp->if_addrlen;
1246 			}
1247 			if (nd6_useloopback) {
1248 				rt->rt_ifp = &loif[0];	/*XXX*/
1249 				/*
1250 				 * Make sure rt_ifa be equal to the ifaddr
1251 				 * corresponding to the address.
1252 				 * We need this because when we refer
1253 				 * rt_ifa->ia6_flags in ip6_input, we assume
1254 				 * that the rt_ifa points to the address instead
1255 				 * of the loopback address.
1256 				 */
1257 				if (ifa != rt->rt_ifa) {
1258 					IFAFREE(rt->rt_ifa);
1259 					IFAREF(ifa);
1260 					rt->rt_ifa = ifa;
1261 				}
1262 			}
1263 		} else if (rt->rt_flags & RTF_ANNOUNCE) {
1264 			ln->ln_expire = 0;
1265 			ln->ln_state = ND6_LLINFO_REACHABLE;
1266 			ln->ln_byhint = 0;
1267 
1268 			/* join solicited node multicast for proxy ND */
1269 			if (ifp->if_flags & IFF_MULTICAST) {
1270 				struct in6_addr llsol;
1271 				int error;
1272 
1273 				llsol = SIN6(rt_key(rt))->sin6_addr;
1274 				llsol.s6_addr16[0] = htons(0xff02);
1275 				llsol.s6_addr16[1] = htons(ifp->if_index);
1276 				llsol.s6_addr32[1] = 0;
1277 				llsol.s6_addr32[2] = htonl(1);
1278 				llsol.s6_addr8[12] = 0xff;
1279 
1280 				if (!in6_addmulti(&llsol, ifp, &error)) {
1281 					nd6log((LOG_ERR, "%s: failed to join "
1282 					    "%s (errno=%d)\n", if_name(ifp),
1283 					    ip6_sprintf(&llsol), error));
1284 				}
1285 			}
1286 		}
1287 		break;
1288 
1289 	case RTM_DELETE:
1290 		if (!ln)
1291 			break;
1292 		/* leave from solicited node multicast for proxy ND */
1293 		if ((rt->rt_flags & RTF_ANNOUNCE) != 0 &&
1294 		    (ifp->if_flags & IFF_MULTICAST) != 0) {
1295 			struct in6_addr llsol;
1296 			struct in6_multi *in6m;
1297 
1298 			llsol = SIN6(rt_key(rt))->sin6_addr;
1299 			llsol.s6_addr16[0] = htons(0xff02);
1300 			llsol.s6_addr16[1] = htons(ifp->if_index);
1301 			llsol.s6_addr32[1] = 0;
1302 			llsol.s6_addr32[2] = htonl(1);
1303 			llsol.s6_addr8[12] = 0xff;
1304 
1305 			IN6_LOOKUP_MULTI(llsol, ifp, in6m);
1306 			if (in6m)
1307 				in6_delmulti(in6m);
1308 		}
1309 		nd6_inuse--;
1310 		ln->ln_next->ln_prev = ln->ln_prev;
1311 		ln->ln_prev->ln_next = ln->ln_next;
1312 		ln->ln_prev = NULL;
1313 		rt->rt_llinfo = 0;
1314 		rt->rt_flags &= ~RTF_LLINFO;
1315 		if (ln->ln_hold)
1316 			m_freem(ln->ln_hold);
1317 		Free((caddr_t)ln);
1318 	}
1319 }
1320 
1321 int
1322 nd6_ioctl(cmd, data, ifp)
1323 	u_long cmd;
1324 	caddr_t	data;
1325 	struct ifnet *ifp;
1326 {
1327 	struct in6_drlist *drl = (struct in6_drlist *)data;
1328 	struct in6_prlist *prl = (struct in6_prlist *)data;
1329 	struct in6_ndireq *ndi = (struct in6_ndireq *)data;
1330 	struct in6_nbrinfo *nbi = (struct in6_nbrinfo *)data;
1331 	struct in6_ndifreq *ndif = (struct in6_ndifreq *)data;
1332 	struct nd_defrouter *dr, any;
1333 	struct nd_prefix *pr;
1334 	struct rtentry *rt;
1335 	int i = 0, error = 0;
1336 	int s;
1337 
1338 	switch (cmd) {
1339 	case SIOCGDRLST_IN6:
1340 		/*
1341 		 * obsolete API, use sysctl under net.inet6.icmp6
1342 		 */
1343 		bzero(drl, sizeof(*drl));
1344 		s = splnet();
1345 		dr = TAILQ_FIRST(&nd_defrouter);
1346 		while (dr && i < DRLSTSIZ) {
1347 			drl->defrouter[i].rtaddr = dr->rtaddr;
1348 			if (IN6_IS_ADDR_LINKLOCAL(&drl->defrouter[i].rtaddr)) {
1349 				/* XXX: need to this hack for KAME stack */
1350 				drl->defrouter[i].rtaddr.s6_addr16[1] = 0;
1351 			} else
1352 				log(LOG_ERR,
1353 				    "default router list contains a "
1354 				    "non-linklocal address(%s)\n",
1355 				    ip6_sprintf(&drl->defrouter[i].rtaddr));
1356 
1357 			drl->defrouter[i].flags = dr->flags;
1358 			drl->defrouter[i].rtlifetime = dr->rtlifetime;
1359 			drl->defrouter[i].expire = dr->expire;
1360 			drl->defrouter[i].if_index = dr->ifp->if_index;
1361 			i++;
1362 			dr = TAILQ_NEXT(dr, dr_entry);
1363 		}
1364 		splx(s);
1365 		break;
1366 	case SIOCGPRLST_IN6:
1367 		/*
1368 		 * obsolete API, use sysctl under net.inet6.icmp6
1369 		 */
1370 		/*
1371 		 * XXX meaning of fields, especialy "raflags", is very
1372 		 * differnet between RA prefix list and RR/static prefix list.
1373 		 * how about separating ioctls into two?
1374 		 */
1375 		bzero(prl, sizeof(*prl));
1376 		s = splnet();
1377 		pr = nd_prefix.lh_first;
1378 		while (pr && i < PRLSTSIZ) {
1379 			struct nd_pfxrouter *pfr;
1380 			int j;
1381 
1382 			(void)in6_embedscope(&prl->prefix[i].prefix,
1383 			    &pr->ndpr_prefix, NULL, NULL);
1384 			prl->prefix[i].raflags = pr->ndpr_raf;
1385 			prl->prefix[i].prefixlen = pr->ndpr_plen;
1386 			prl->prefix[i].vltime = pr->ndpr_vltime;
1387 			prl->prefix[i].pltime = pr->ndpr_pltime;
1388 			prl->prefix[i].if_index = pr->ndpr_ifp->if_index;
1389 			prl->prefix[i].expire = pr->ndpr_expire;
1390 
1391 			pfr = pr->ndpr_advrtrs.lh_first;
1392 			j = 0;
1393 			while (pfr) {
1394 				if (j < DRLSTSIZ) {
1395 #define RTRADDR prl->prefix[i].advrtr[j]
1396 					RTRADDR = pfr->router->rtaddr;
1397 					if (IN6_IS_ADDR_LINKLOCAL(&RTRADDR)) {
1398 						/* XXX: hack for KAME */
1399 						RTRADDR.s6_addr16[1] = 0;
1400 					} else
1401 						log(LOG_ERR,
1402 						    "a router(%s) advertises "
1403 						    "a prefix with "
1404 						    "non-link local address\n",
1405 						    ip6_sprintf(&RTRADDR));
1406 #undef RTRADDR
1407 				}
1408 				j++;
1409 				pfr = pfr->pfr_next;
1410 			}
1411 			prl->prefix[i].advrtrs = j;
1412 			prl->prefix[i].origin = PR_ORIG_RA;
1413 
1414 			i++;
1415 			pr = pr->ndpr_next;
1416 		}
1417 	      {
1418 		struct rr_prefix *rpp;
1419 
1420 		for (rpp = LIST_FIRST(&rr_prefix); rpp;
1421 		     rpp = LIST_NEXT(rpp, rp_entry)) {
1422 			if (i >= PRLSTSIZ)
1423 				break;
1424 			(void)in6_embedscope(&prl->prefix[i].prefix,
1425 			    &pr->ndpr_prefix, NULL, NULL);
1426 			prl->prefix[i].raflags = rpp->rp_raf;
1427 			prl->prefix[i].prefixlen = rpp->rp_plen;
1428 			prl->prefix[i].vltime = rpp->rp_vltime;
1429 			prl->prefix[i].pltime = rpp->rp_pltime;
1430 			prl->prefix[i].if_index = rpp->rp_ifp->if_index;
1431 			prl->prefix[i].expire = rpp->rp_expire;
1432 			prl->prefix[i].advrtrs = 0;
1433 			prl->prefix[i].origin = rpp->rp_origin;
1434 			i++;
1435 		}
1436 	      }
1437 		splx(s);
1438 
1439 		break;
1440 	case OSIOCGIFINFO_IN6:
1441 		if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
1442 			error = EINVAL;
1443 			break;
1444 		}
1445 		ndi->ndi.linkmtu = nd_ifinfo[ifp->if_index].linkmtu;
1446 		ndi->ndi.maxmtu = nd_ifinfo[ifp->if_index].maxmtu;
1447 		ndi->ndi.basereachable =
1448 		    nd_ifinfo[ifp->if_index].basereachable;
1449 		ndi->ndi.reachable = nd_ifinfo[ifp->if_index].reachable;
1450 		ndi->ndi.retrans = nd_ifinfo[ifp->if_index].retrans;
1451 		ndi->ndi.flags = nd_ifinfo[ifp->if_index].flags;
1452 		ndi->ndi.recalctm = nd_ifinfo[ifp->if_index].recalctm;
1453 		ndi->ndi.chlim = nd_ifinfo[ifp->if_index].chlim;
1454 		ndi->ndi.receivedra = nd_ifinfo[ifp->if_index].receivedra;
1455 		break;
1456 	case SIOCGIFINFO_IN6:
1457 		if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
1458 			error = EINVAL;
1459 			break;
1460 		}
1461 		ndi->ndi = nd_ifinfo[ifp->if_index];
1462 		break;
1463 	case SIOCSIFINFO_FLAGS:
1464 		/* XXX: almost all other fields of ndi->ndi is unused */
1465 		if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
1466 			error = EINVAL;
1467 			break;
1468 		}
1469 		nd_ifinfo[ifp->if_index].flags = ndi->ndi.flags;
1470 		break;
1471 	case SIOCSNDFLUSH_IN6:	/* XXX: the ioctl name is confusing... */
1472 		/* flush default router list */
1473 		/*
1474 		 * xxx sumikawa: should not delete route if default
1475 		 * route equals to the top of default router list
1476 		 */
1477 		bzero(&any, sizeof(any));
1478 		defrouter_delreq(&any, 0);
1479 		defrouter_select();
1480 		/* xxx sumikawa: flush prefix list */
1481 		break;
1482 	case SIOCSPFXFLUSH_IN6:
1483 	    {
1484 		/* flush all the prefix advertised by routers */
1485 		struct nd_prefix *pr, *next;
1486 
1487 		s = splnet();
1488 		for (pr = nd_prefix.lh_first; pr; pr = next) {
1489 			struct in6_ifaddr *ia, *ia_next;
1490 
1491 			next = pr->ndpr_next;
1492 
1493 			if (IN6_IS_ADDR_LINKLOCAL(&pr->ndpr_prefix.sin6_addr))
1494 				continue; /* XXX */
1495 
1496 			/* do we really have to remove addresses as well? */
1497 			for (ia = in6_ifaddr; ia; ia = ia_next) {
1498 				/* ia might be removed. keep the next ptr. */
1499 				ia_next = ia->ia_next;
1500 
1501 				if ((ia->ia6_flags & IN6_IFF_AUTOCONF) == 0)
1502 					continue;
1503 
1504 				if (ia->ia6_ndpr == pr)
1505 					in6_purgeaddr(&ia->ia_ifa);
1506 			}
1507 			prelist_remove(pr);
1508 		}
1509 		splx(s);
1510 		break;
1511 	    }
1512 	case SIOCSRTRFLUSH_IN6:
1513 	    {
1514 		/* flush all the default routers */
1515 		struct nd_defrouter *dr, *next;
1516 
1517 		s = splnet();
1518 		if ((dr = TAILQ_FIRST(&nd_defrouter)) != NULL) {
1519 			/*
1520 			 * The first entry of the list may be stored in
1521 			 * the routing table, so we'll delete it later.
1522 			 */
1523 			for (dr = TAILQ_NEXT(dr, dr_entry); dr; dr = next) {
1524 				next = TAILQ_NEXT(dr, dr_entry);
1525 				defrtrlist_del(dr);
1526 			}
1527 			defrtrlist_del(TAILQ_FIRST(&nd_defrouter));
1528 		}
1529 		splx(s);
1530 		break;
1531 	    }
1532 	case SIOCGNBRINFO_IN6:
1533 	    {
1534 		struct llinfo_nd6 *ln;
1535 		struct in6_addr nb_addr = nbi->addr; /* make local for safety */
1536 
1537 		/*
1538 		 * XXX: KAME specific hack for scoped addresses
1539 		 *      XXXX: for other scopes than link-local?
1540 		 */
1541 		if (IN6_IS_ADDR_LINKLOCAL(&nbi->addr) ||
1542 		    IN6_IS_ADDR_MC_LINKLOCAL(&nbi->addr)) {
1543 			u_int16_t *idp = (u_int16_t *)&nb_addr.s6_addr[2];
1544 
1545 			if (*idp == 0)
1546 				*idp = htons(ifp->if_index);
1547 		}
1548 
1549 		s = splnet();
1550 		if ((rt = nd6_lookup(&nb_addr, 0, ifp)) == NULL) {
1551 			error = EINVAL;
1552 			splx(s);
1553 			break;
1554 		}
1555 		ln = (struct llinfo_nd6 *)rt->rt_llinfo;
1556 		nbi->state = ln->ln_state;
1557 		nbi->asked = ln->ln_asked;
1558 		nbi->isrouter = ln->ln_router;
1559 		nbi->expire = ln->ln_expire;
1560 		splx(s);
1561 
1562 		break;
1563 	    }
1564 	case SIOCGDEFIFACE_IN6:	/* XXX: should be implemented as a sysctl? */
1565 		ndif->ifindex = nd6_defifindex;
1566 		break;
1567 	case SIOCSDEFIFACE_IN6:	/* XXX: should be implemented as a sysctl? */
1568 		return(nd6_setdefaultiface(ndif->ifindex));
1569 		break;
1570 	}
1571 	return(error);
1572 }
1573 
1574 /*
1575  * Create neighbor cache entry and cache link-layer address,
1576  * on reception of inbound ND6 packets. (RS/RA/NS/redirect)
1577  */
1578 struct rtentry *
1579 nd6_cache_lladdr(ifp, from, lladdr, lladdrlen, type, code)
1580 	struct ifnet *ifp;
1581 	struct in6_addr *from;
1582 	char *lladdr;
1583 	int lladdrlen;
1584 	int type;	/* ICMP6 type */
1585 	int code;	/* type dependent information */
1586 {
1587 	struct rtentry *rt = NULL;
1588 	struct llinfo_nd6 *ln = NULL;
1589 	int is_newentry;
1590 	struct sockaddr_dl *sdl = NULL;
1591 	int do_update;
1592 	int olladdr;
1593 	int llchange;
1594 	int newstate = 0;
1595 
1596 	if (!ifp)
1597 		panic("ifp == NULL in nd6_cache_lladdr");
1598 	if (!from)
1599 		panic("from == NULL in nd6_cache_lladdr");
1600 
1601 	/* nothing must be updated for unspecified address */
1602 	if (IN6_IS_ADDR_UNSPECIFIED(from))
1603 		return NULL;
1604 
1605 	/*
1606 	 * Validation about ifp->if_addrlen and lladdrlen must be done in
1607 	 * the caller.
1608 	 *
1609 	 * XXX If the link does not have link-layer adderss, what should
1610 	 * we do? (ifp->if_addrlen == 0)
1611 	 * Spec says nothing in sections for RA, RS and NA.  There's small
1612 	 * description on it in NS section (RFC 2461 7.2.3).
1613 	 */
1614 
1615 	rt = nd6_lookup(from, 0, ifp);
1616 	if (!rt) {
1617 #if 0
1618 		/* nothing must be done if there's no lladdr */
1619 		if (!lladdr || !lladdrlen)
1620 			return NULL;
1621 #endif
1622 
1623 		rt = nd6_lookup(from, 1, ifp);
1624 		is_newentry = 1;
1625 	} else {
1626 		/* do nothing if static ndp is set */
1627 		if (rt->rt_flags & RTF_STATIC)
1628 			return NULL;
1629 		is_newentry = 0;
1630 	}
1631 
1632 	if (!rt)
1633 		return NULL;
1634 	if ((rt->rt_flags & (RTF_GATEWAY | RTF_LLINFO)) != RTF_LLINFO) {
1635 fail:
1636 		(void)nd6_free(rt);
1637 		return NULL;
1638 	}
1639 	ln = (struct llinfo_nd6 *)rt->rt_llinfo;
1640 	if (!ln)
1641 		goto fail;
1642 	if (!rt->rt_gateway)
1643 		goto fail;
1644 	if (rt->rt_gateway->sa_family != AF_LINK)
1645 		goto fail;
1646 	sdl = SDL(rt->rt_gateway);
1647 
1648 	olladdr = (sdl->sdl_alen) ? 1 : 0;
1649 	if (olladdr && lladdr) {
1650 		if (bcmp(lladdr, LLADDR(sdl), ifp->if_addrlen))
1651 			llchange = 1;
1652 		else
1653 			llchange = 0;
1654 	} else
1655 		llchange = 0;
1656 
1657 	/*
1658 	 * newentry olladdr  lladdr  llchange	(*=record)
1659 	 *	0	n	n	--	(1)
1660 	 *	0	y	n	--	(2)
1661 	 *	0	n	y	--	(3) * STALE
1662 	 *	0	y	y	n	(4) *
1663 	 *	0	y	y	y	(5) * STALE
1664 	 *	1	--	n	--	(6)   NOSTATE(= PASSIVE)
1665 	 *	1	--	y	--	(7) * STALE
1666 	 */
1667 
1668 	if (lladdr) {		/*(3-5) and (7)*/
1669 		/*
1670 		 * Record source link-layer address
1671 		 * XXX is it dependent to ifp->if_type?
1672 		 */
1673 		sdl->sdl_alen = ifp->if_addrlen;
1674 		bcopy(lladdr, LLADDR(sdl), ifp->if_addrlen);
1675 	}
1676 
1677 	if (!is_newentry) {
1678 		if ((!olladdr && lladdr)		/*(3)*/
1679 		 || (olladdr && lladdr && llchange)) {	/*(5)*/
1680 			do_update = 1;
1681 			newstate = ND6_LLINFO_STALE;
1682 		} else					/*(1-2,4)*/
1683 			do_update = 0;
1684 	} else {
1685 		do_update = 1;
1686 		if (!lladdr)				/*(6)*/
1687 			newstate = ND6_LLINFO_NOSTATE;
1688 		else					/*(7)*/
1689 			newstate = ND6_LLINFO_STALE;
1690 	}
1691 
1692 	if (do_update) {
1693 		/*
1694 		 * Update the state of the neighbor cache.
1695 		 */
1696 		ln->ln_state = newstate;
1697 
1698 		if (ln->ln_state == ND6_LLINFO_STALE) {
1699 			/*
1700 			 * XXX: since nd6_output() below will cause
1701 			 * state tansition to DELAY and reset the timer,
1702 			 * we must set the timer now, although it is actually
1703 			 * meaningless.
1704 			 */
1705 			ln->ln_expire = time_second + nd6_gctimer;
1706 
1707 			if (ln->ln_hold) {
1708 				/*
1709 				 * we assume ifp is not a p2p here, so just
1710 				 * set the 2nd argument as the 1st one.
1711 				 */
1712 				nd6_output(ifp, ifp, ln->ln_hold,
1713 					   (struct sockaddr_in6 *)rt_key(rt),
1714 					   rt);
1715 				ln->ln_hold = NULL;
1716 			}
1717 		} else if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
1718 			/* probe right away */
1719 			ln->ln_expire = time_second;
1720 		}
1721 	}
1722 
1723 	/*
1724 	 * ICMP6 type dependent behavior.
1725 	 *
1726 	 * NS: clear IsRouter if new entry
1727 	 * RS: clear IsRouter
1728 	 * RA: set IsRouter if there's lladdr
1729 	 * redir: clear IsRouter if new entry
1730 	 *
1731 	 * RA case, (1):
1732 	 * The spec says that we must set IsRouter in the following cases:
1733 	 * - If lladdr exist, set IsRouter.  This means (1-5).
1734 	 * - If it is old entry (!newentry), set IsRouter.  This means (7).
1735 	 * So, based on the spec, in (1-5) and (7) cases we must set IsRouter.
1736 	 * A quetion arises for (1) case.  (1) case has no lladdr in the
1737 	 * neighbor cache, this is similar to (6).
1738 	 * This case is rare but we figured that we MUST NOT set IsRouter.
1739 	 *
1740 	 * newentry olladdr  lladdr  llchange	    NS  RS  RA	redir
1741 	 *							D R
1742 	 *	0	n	n	--	(1)	c   ?     s
1743 	 *	0	y	n	--	(2)	c   s     s
1744 	 *	0	n	y	--	(3)	c   s     s
1745 	 *	0	y	y	n	(4)	c   s     s
1746 	 *	0	y	y	y	(5)	c   s     s
1747 	 *	1	--	n	--	(6) c	c 	c s
1748 	 *	1	--	y	--	(7) c	c   s	c s
1749 	 *
1750 	 *					(c=clear s=set)
1751 	 */
1752 	switch (type & 0xff) {
1753 	case ND_NEIGHBOR_SOLICIT:
1754 		/*
1755 		 * New entry must have is_router flag cleared.
1756 		 */
1757 		if (is_newentry)	/*(6-7)*/
1758 			ln->ln_router = 0;
1759 		break;
1760 	case ND_REDIRECT:
1761 		/*
1762 		 * If the icmp is a redirect to a better router, always set the
1763 		 * is_router flag. Otherwise, if the entry is newly created,
1764 		 * clear the flag. [RFC 2461, sec 8.3]
1765 		 */
1766 		if (code == ND_REDIRECT_ROUTER)
1767 			ln->ln_router = 1;
1768 		else if (is_newentry) /*(6-7)*/
1769 			ln->ln_router = 0;
1770 		break;
1771 	case ND_ROUTER_SOLICIT:
1772 		/*
1773 		 * is_router flag must always be cleared.
1774 		 */
1775 		ln->ln_router = 0;
1776 		break;
1777 	case ND_ROUTER_ADVERT:
1778 		/*
1779 		 * Mark an entry with lladdr as a router.
1780 		 */
1781 		if ((!is_newentry && (olladdr || lladdr))	/*(2-5)*/
1782 		 || (is_newentry && lladdr)) {			/*(7)*/
1783 			ln->ln_router = 1;
1784 		}
1785 		break;
1786 	}
1787 
1788 	/*
1789 	 * When the link-layer address of a router changes, select the
1790 	 * best router again.  In particular, when the neighbor entry is newly
1791 	 * created, it might affect the selection policy.
1792 	 * Question: can we restrict the first condition to the "is_newentry"
1793 	 * case?
1794 	 * XXX: when we hear an RA from a new router with the link-layer
1795 	 * address option, defrouter_select() is called twice, since
1796 	 * defrtrlist_update called the function as well.  However, I believe
1797 	 * we can compromise the overhead, since it only happens the first
1798 	 * time.
1799 	 * XXX: although defrouter_select() should not have a bad effect
1800 	 * for those are not autoconfigured hosts, we explicitly avoid such
1801 	 * cases for safety.
1802 	 */
1803 	if (do_update && ln->ln_router && !ip6_forwarding && ip6_accept_rtadv)
1804 		defrouter_select();
1805 
1806 	return rt;
1807 }
1808 
1809 static void
1810 nd6_slowtimo(ignored_arg)
1811     void *ignored_arg;
1812 {
1813 	int s = splnet();
1814 	int i;
1815 	struct nd_ifinfo *nd6if;
1816 
1817 	callout_reset(&nd6_slowtimo_ch, ND6_SLOWTIMER_INTERVAL * hz,
1818 	    nd6_slowtimo, NULL);
1819 	for (i = 1; i < if_index + 1; i++) {
1820 		if (!nd_ifinfo || i >= nd_ifinfo_indexlim)
1821 			continue;
1822 		nd6if = &nd_ifinfo[i];
1823 		if (nd6if->basereachable && /* already initialized */
1824 		    (nd6if->recalctm -= ND6_SLOWTIMER_INTERVAL) <= 0) {
1825 			/*
1826 			 * Since reachable time rarely changes by router
1827 			 * advertisements, we SHOULD insure that a new random
1828 			 * value gets recomputed at least once every few hours.
1829 			 * (RFC 2461, 6.3.4)
1830 			 */
1831 			nd6if->recalctm = nd6_recalc_reachtm_interval;
1832 			nd6if->reachable = ND_COMPUTE_RTIME(nd6if->basereachable);
1833 		}
1834 	}
1835 	splx(s);
1836 }
1837 
1838 #define senderr(e) { error = (e); goto bad;}
1839 int
1840 nd6_output(ifp, origifp, m0, dst, rt0)
1841 	struct ifnet *ifp;
1842 	struct ifnet *origifp;
1843 	struct mbuf *m0;
1844 	struct sockaddr_in6 *dst;
1845 	struct rtentry *rt0;
1846 {
1847 	struct mbuf *m = m0;
1848 	struct rtentry *rt = rt0;
1849 	struct sockaddr_in6 *gw6 = NULL;
1850 	struct llinfo_nd6 *ln = NULL;
1851 	int error = 0;
1852 
1853 	if (IN6_IS_ADDR_MULTICAST(&dst->sin6_addr))
1854 		goto sendpkt;
1855 
1856 	if (nd6_need_cache(ifp) == 0)
1857 		goto sendpkt;
1858 
1859 	/*
1860 	 * next hop determination. This routine is derived from ether_outpout.
1861 	 */
1862 	if (rt) {
1863 		if ((rt->rt_flags & RTF_UP) == 0) {
1864 			if ((rt0 = rt = rtalloc1((struct sockaddr *)dst, 1, 0UL)) !=
1865 				NULL)
1866 			{
1867 				rt->rt_refcnt--;
1868 				if (rt->rt_ifp != ifp) {
1869 					/* XXX: loop care? */
1870 					return nd6_output(ifp, origifp, m0,
1871 							  dst, rt);
1872 				}
1873 			} else
1874 				senderr(EHOSTUNREACH);
1875 		}
1876 
1877 		if (rt->rt_flags & RTF_GATEWAY) {
1878 			gw6 = (struct sockaddr_in6 *)rt->rt_gateway;
1879 
1880 			/*
1881 			 * We skip link-layer address resolution and NUD
1882 			 * if the gateway is not a neighbor from ND point
1883 			 * of view, regardless the value of the
1884 			 * nd_ifinfo.flags.
1885 			 * The second condition is a bit tricky: we skip
1886 			 * if the gateway is our own address, which is
1887 			 * sometimes used to install a route to a p2p link.
1888 			 */
1889 			if (!nd6_is_addr_neighbor(gw6, ifp) ||
1890 			    in6ifa_ifpwithaddr(ifp, &gw6->sin6_addr)) {
1891 				/*
1892 				 * We allow this kind of tricky route only
1893 				 * when the outgoing interface is p2p.
1894 				 * XXX: we may need a more generic rule here.
1895 				 */
1896 				if ((ifp->if_flags & IFF_POINTOPOINT) == 0)
1897 					senderr(EHOSTUNREACH);
1898 
1899 				goto sendpkt;
1900 			}
1901 
1902 			if (rt->rt_gwroute == 0)
1903 				goto lookup;
1904 			if (((rt = rt->rt_gwroute)->rt_flags & RTF_UP) == 0) {
1905 				rtfree(rt); rt = rt0;
1906 			lookup: rt->rt_gwroute = rtalloc1(rt->rt_gateway, 1, 0UL);
1907 				if ((rt = rt->rt_gwroute) == 0)
1908 					senderr(EHOSTUNREACH);
1909 			}
1910 		}
1911 	}
1912 
1913 	/*
1914 	 * Address resolution or Neighbor Unreachability Detection
1915 	 * for the next hop.
1916 	 * At this point, the destination of the packet must be a unicast
1917 	 * or an anycast address(i.e. not a multicast).
1918 	 */
1919 
1920 	/* Look up the neighbor cache for the nexthop */
1921 	if (rt && (rt->rt_flags & RTF_LLINFO) != 0)
1922 		ln = (struct llinfo_nd6 *)rt->rt_llinfo;
1923 	else {
1924 		/*
1925 		 * Since nd6_is_addr_neighbor() internally calls nd6_lookup(),
1926 		 * the condition below is not very efficient. But we believe
1927 		 * it is tolerable, because this should be a rare case.
1928 		 */
1929 		if (nd6_is_addr_neighbor(dst, ifp) &&
1930 		    (rt = nd6_lookup(&dst->sin6_addr, 1, ifp)) != NULL)
1931 			ln = (struct llinfo_nd6 *)rt->rt_llinfo;
1932 	}
1933 	if (!ln || !rt) {
1934 		if ((ifp->if_flags & IFF_POINTOPOINT) == 0 &&
1935 		    !(nd_ifinfo[ifp->if_index].flags & ND6_IFF_PERFORMNUD)) {
1936 			log(LOG_DEBUG,
1937 			    "nd6_output: can't allocate llinfo for %s "
1938 			    "(ln=%p, rt=%p)\n",
1939 			    ip6_sprintf(&dst->sin6_addr), ln, rt);
1940 			senderr(EIO);	/* XXX: good error? */
1941 		}
1942 
1943 		goto sendpkt;	/* send anyway */
1944 	}
1945 
1946 	/* We don't have to do link-layer address resolution on a p2p link. */
1947 	if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
1948 	    ln->ln_state < ND6_LLINFO_REACHABLE) {
1949 		ln->ln_state = ND6_LLINFO_STALE;
1950 		ln->ln_expire = time_second + nd6_gctimer;
1951 	}
1952 
1953 	/*
1954 	 * The first time we send a packet to a neighbor whose entry is
1955 	 * STALE, we have to change the state to DELAY and a sets a timer to
1956 	 * expire in DELAY_FIRST_PROBE_TIME seconds to ensure do
1957 	 * neighbor unreachability detection on expiration.
1958 	 * (RFC 2461 7.3.3)
1959 	 */
1960 	if (ln->ln_state == ND6_LLINFO_STALE) {
1961 		ln->ln_asked = 0;
1962 		ln->ln_state = ND6_LLINFO_DELAY;
1963 		ln->ln_expire = time_second + nd6_delay;
1964 	}
1965 
1966 	/*
1967 	 * If the neighbor cache entry has a state other than INCOMPLETE
1968 	 * (i.e. its link-layer address is already reloved), just
1969 	 * send the packet.
1970 	 */
1971 	if (ln->ln_state > ND6_LLINFO_INCOMPLETE)
1972 		goto sendpkt;
1973 
1974 	/*
1975 	 * There is a neighbor cache entry, but no ethernet address
1976 	 * response yet. Replace the held mbuf (if any) with this
1977 	 * latest one.
1978 	 *
1979 	 * XXX Does the code conform to rate-limiting rule?
1980 	 * (RFC 2461 7.2.2)
1981 	 */
1982 	if (ln->ln_state == ND6_LLINFO_NOSTATE)
1983 		ln->ln_state = ND6_LLINFO_INCOMPLETE;
1984 	if (ln->ln_hold)
1985 		m_freem(ln->ln_hold);
1986 	ln->ln_hold = m;
1987 	if (ln->ln_expire) {
1988 		if (ln->ln_asked < nd6_mmaxtries &&
1989 		    ln->ln_expire < time_second) {
1990 			ln->ln_asked++;
1991 			ln->ln_expire = time_second +
1992 				nd_ifinfo[ifp->if_index].retrans / 1000;
1993 			nd6_ns_output(ifp, NULL, &dst->sin6_addr, ln, 0);
1994 		}
1995 	}
1996 	return(0);
1997 
1998   sendpkt:
1999 
2000 	if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
2001 		return((*ifp->if_output)(origifp, m, (struct sockaddr *)dst,
2002 					 rt));
2003 	}
2004 	return((*ifp->if_output)(ifp, m, (struct sockaddr *)dst, rt));
2005 
2006   bad:
2007 	if (m)
2008 		m_freem(m);
2009 	return (error);
2010 }
2011 #undef senderr
2012 
2013 int
2014 nd6_need_cache(ifp)
2015 	struct ifnet *ifp;
2016 {
2017 	/*
2018 	 * XXX: we currently do not make neighbor cache on any interface
2019 	 * other than ARCnet, Ethernet, FDDI and GIF.
2020 	 *
2021 	 * RFC2893 says:
2022 	 * - unidirectional tunnels needs no ND
2023 	 */
2024 	switch (ifp->if_type) {
2025 	case IFT_ARCNET:
2026 	case IFT_ETHER:
2027 	case IFT_FDDI:
2028 	case IFT_IEEE1394:
2029 #ifdef IFT_L2VLAN
2030 	case IFT_L2VLAN:
2031 #endif
2032 #ifdef IFT_IEEE80211
2033 	case IFT_IEEE80211:
2034 #endif
2035 	case IFT_GIF:		/* XXX need more cases? */
2036 		return(1);
2037 	default:
2038 		return(0);
2039 	}
2040 }
2041 
2042 int
2043 nd6_storelladdr(ifp, rt, m, dst, desten)
2044 	struct ifnet *ifp;
2045 	struct rtentry *rt;
2046 	struct mbuf *m;
2047 	struct sockaddr *dst;
2048 	u_char *desten;
2049 {
2050 	int i;
2051 	struct sockaddr_dl *sdl;
2052 
2053 	if (m->m_flags & M_MCAST) {
2054 		switch (ifp->if_type) {
2055 		case IFT_ETHER:
2056 		case IFT_FDDI:
2057 #ifdef IFT_L2VLAN
2058 	case IFT_L2VLAN:
2059 #endif
2060 #ifdef IFT_IEEE80211
2061 		case IFT_IEEE80211:
2062 #endif
2063 			ETHER_MAP_IPV6_MULTICAST(&SIN6(dst)->sin6_addr,
2064 						 desten);
2065 			return(1);
2066 		case IFT_IEEE1394:
2067 			for (i = 0; i < ifp->if_addrlen; i++)
2068 				desten[i] = ~0;
2069 			return(1);
2070 		case IFT_ARCNET:
2071 			*desten = 0;
2072 			return(1);
2073 		default:
2074 			m_freem(m);
2075 			return(0);
2076 		}
2077 	}
2078 
2079 	if (rt == NULL) {
2080 		/* this could happen, if we could not allocate memory */
2081 		m_freem(m);
2082 		return(0);
2083 	}
2084 	if (rt->rt_gateway->sa_family != AF_LINK) {
2085 		printf("nd6_storelladdr: something odd happens\n");
2086 		m_freem(m);
2087 		return(0);
2088 	}
2089 	sdl = SDL(rt->rt_gateway);
2090 	if (sdl->sdl_alen == 0) {
2091 		/* this should be impossible, but we bark here for debugging */
2092 		printf("nd6_storelladdr: sdl_alen == 0\n");
2093 		m_freem(m);
2094 		return(0);
2095 	}
2096 
2097 	bcopy(LLADDR(sdl), desten, sdl->sdl_alen);
2098 	return(1);
2099 }
2100 
2101 static int nd6_sysctl_drlist(SYSCTL_HANDLER_ARGS);
2102 static int nd6_sysctl_prlist(SYSCTL_HANDLER_ARGS);
2103 #ifdef SYSCTL_DECL
2104 SYSCTL_DECL(_net_inet6_icmp6);
2105 #endif
2106 SYSCTL_NODE(_net_inet6_icmp6, ICMPV6CTL_ND6_DRLIST, nd6_drlist,
2107 	CTLFLAG_RD, nd6_sysctl_drlist, "");
2108 SYSCTL_NODE(_net_inet6_icmp6, ICMPV6CTL_ND6_PRLIST, nd6_prlist,
2109 	CTLFLAG_RD, nd6_sysctl_prlist, "");
2110 
2111 static int
2112 nd6_sysctl_drlist(SYSCTL_HANDLER_ARGS)
2113 {
2114 	int error;
2115 	char buf[1024];
2116 	struct in6_defrouter *d, *de;
2117 	struct nd_defrouter *dr;
2118 
2119 	if (req->newptr)
2120 		return EPERM;
2121 	error = 0;
2122 
2123 	for (dr = TAILQ_FIRST(&nd_defrouter);
2124 	     dr;
2125 	     dr = TAILQ_NEXT(dr, dr_entry)) {
2126 		d = (struct in6_defrouter *)buf;
2127 		de = (struct in6_defrouter *)(buf + sizeof(buf));
2128 
2129 		if (d + 1 <= de) {
2130 			bzero(d, sizeof(*d));
2131 			d->rtaddr.sin6_family = AF_INET6;
2132 			d->rtaddr.sin6_len = sizeof(d->rtaddr);
2133 			if (in6_recoverscope(&d->rtaddr, &dr->rtaddr,
2134 			    dr->ifp) != 0)
2135 				log(LOG_ERR,
2136 				    "scope error in "
2137 				    "default router list (%s)\n",
2138 				    ip6_sprintf(&dr->rtaddr));
2139 			d->flags = dr->flags;
2140 			d->rtlifetime = dr->rtlifetime;
2141 			d->expire = dr->expire;
2142 			d->if_index = dr->ifp->if_index;
2143 		} else
2144 			panic("buffer too short");
2145 
2146 		error = SYSCTL_OUT(req, buf, sizeof(*d));
2147 		if (error)
2148 			break;
2149 	}
2150 	return error;
2151 }
2152 
2153 static int
2154 nd6_sysctl_prlist(SYSCTL_HANDLER_ARGS)
2155 {
2156 	int error;
2157 	char buf[1024];
2158 	struct in6_prefix *p, *pe;
2159 	struct nd_prefix *pr;
2160 
2161 	if (req->newptr)
2162 		return EPERM;
2163 	error = 0;
2164 
2165 	for (pr = nd_prefix.lh_first; pr; pr = pr->ndpr_next) {
2166 		u_short advrtrs;
2167 		size_t advance;
2168 		struct sockaddr_in6 *sin6, *s6;
2169 		struct nd_pfxrouter *pfr;
2170 
2171 		p = (struct in6_prefix *)buf;
2172 		pe = (struct in6_prefix *)(buf + sizeof(buf));
2173 
2174 		if (p + 1 <= pe) {
2175 			bzero(p, sizeof(*p));
2176 			sin6 = (struct sockaddr_in6 *)(p + 1);
2177 
2178 			p->prefix = pr->ndpr_prefix;
2179 			if (in6_recoverscope(&p->prefix,
2180 			    &p->prefix.sin6_addr, pr->ndpr_ifp) != 0)
2181 				log(LOG_ERR,
2182 				    "scope error in prefix list (%s)\n",
2183 				    ip6_sprintf(&p->prefix.sin6_addr));
2184 			p->raflags = pr->ndpr_raf;
2185 			p->prefixlen = pr->ndpr_plen;
2186 			p->vltime = pr->ndpr_vltime;
2187 			p->pltime = pr->ndpr_pltime;
2188 			p->if_index = pr->ndpr_ifp->if_index;
2189 			p->expire = pr->ndpr_expire;
2190 			p->refcnt = pr->ndpr_refcnt;
2191 			p->flags = pr->ndpr_stateflags;
2192 			p->origin = PR_ORIG_RA;
2193 			advrtrs = 0;
2194 			for (pfr = pr->ndpr_advrtrs.lh_first;
2195 			     pfr;
2196 			     pfr = pfr->pfr_next) {
2197 				if ((void *)&sin6[advrtrs + 1] >
2198 				    (void *)pe) {
2199 					advrtrs++;
2200 					continue;
2201 				}
2202 				s6 = &sin6[advrtrs];
2203 				bzero(s6, sizeof(*s6));
2204 				s6->sin6_family = AF_INET6;
2205 				s6->sin6_len = sizeof(*sin6);
2206 				if (in6_recoverscope(s6,
2207 				    &pfr->router->rtaddr,
2208 				    pfr->router->ifp) != 0)
2209 					log(LOG_ERR,
2210 					    "scope error in "
2211 					    "prefix list (%s)\n",
2212 					    ip6_sprintf(&pfr->router->rtaddr));
2213 				advrtrs++;
2214 			}
2215 			p->advrtrs = advrtrs;
2216 		} else
2217 			panic("buffer too short");
2218 
2219 		advance = sizeof(*p) + sizeof(*sin6) * advrtrs;
2220 		error = SYSCTL_OUT(req, buf, advance);
2221 		if (error)
2222 			break;
2223 	}
2224 	return error;
2225 }
2226