xref: /freebsd/sys/netinet6/nd6_nbr.c (revision 2e3f49888ec8851bafb22011533217487764fdb0)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the project nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  *	$KAME: nd6_nbr.c,v 1.86 2002/01/21 02:33:04 jinmei Exp $
32  */
33 
34 #include <sys/cdefs.h>
35 #include "opt_inet.h"
36 #include "opt_inet6.h"
37 #include "opt_ipsec.h"
38 
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/eventhandler.h>
42 #include <sys/malloc.h>
43 #include <sys/libkern.h>
44 #include <sys/lock.h>
45 #include <sys/rwlock.h>
46 #include <sys/mbuf.h>
47 #include <sys/socket.h>
48 #include <sys/sockio.h>
49 #include <sys/time.h>
50 #include <sys/kernel.h>
51 #include <sys/errno.h>
52 #include <sys/sysctl.h>
53 #include <sys/syslog.h>
54 #include <sys/queue.h>
55 #include <sys/callout.h>
56 #include <sys/refcount.h>
57 
58 #include <net/if.h>
59 #include <net/if_types.h>
60 #include <net/if_dl.h>
61 #include <net/if_var.h>
62 #include <net/if_private.h>
63 #include <net/route.h>
64 #include <net/vnet.h>
65 
66 #include <netinet/in.h>
67 #include <netinet/in_var.h>
68 #include <net/if_llatbl.h>
69 #include <netinet6/in6_var.h>
70 #include <netinet6/in6_ifattach.h>
71 #include <netinet/ip6.h>
72 #include <netinet6/ip6_var.h>
73 #include <netinet6/scope6_var.h>
74 #include <netinet6/nd6.h>
75 #include <netinet/icmp6.h>
76 #include <netinet/ip_carp.h>
77 #include <netinet6/send.h>
78 
79 #define SDL(s) ((struct sockaddr_dl *)s)
80 
81 struct dadq;
82 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *);
83 static void nd6_dad_add(struct dadq *dp);
84 static void nd6_dad_del(struct dadq *dp);
85 static void nd6_dad_rele(struct dadq *);
86 static void nd6_dad_starttimer(struct dadq *, int);
87 static void nd6_dad_stoptimer(struct dadq *);
88 static void nd6_dad_timer(void *);
89 static void nd6_dad_duplicated(struct ifaddr *, struct dadq *);
90 static void nd6_dad_ns_output(struct dadq *);
91 static void nd6_dad_ns_input(struct ifaddr *, struct nd_opt_nonce *);
92 static void nd6_dad_na_input(struct ifaddr *);
93 static void nd6_na_output_fib(struct ifnet *, const struct in6_addr *,
94     const struct in6_addr *, u_long, int, struct sockaddr *, u_int);
95 static void nd6_ns_output_fib(struct ifnet *, const struct in6_addr *,
96     const struct in6_addr *, const struct in6_addr *, uint8_t *, u_int);
97 
98 static struct ifaddr *nd6_proxy_fill_sdl(struct ifnet *,
99     const struct in6_addr *, struct sockaddr_dl *);
100 
101 VNET_DEFINE_STATIC(int, dad_enhanced) = 1;
102 #define	V_dad_enhanced			VNET(dad_enhanced)
103 
104 SYSCTL_DECL(_net_inet6_ip6);
105 SYSCTL_INT(_net_inet6_ip6, OID_AUTO, dad_enhanced, CTLFLAG_VNET | CTLFLAG_RW,
106     &VNET_NAME(dad_enhanced), 0,
107     "Enable Enhanced DAD, which adds a random nonce to NS messages for DAD.");
108 
109 VNET_DEFINE_STATIC(int, dad_maxtry) = 15;	/* max # of *tries* to
110 						   transmit DAD packet */
111 #define	V_dad_maxtry			VNET(dad_maxtry)
112 
113 /*
114  * Input a Neighbor Solicitation Message.
115  *
116  * Based on RFC 2461
117  * Based on RFC 2462 (duplicate address detection)
118  */
119 void
120 nd6_ns_input(struct mbuf *m, int off, int icmp6len)
121 {
122 	struct ifnet *ifp;
123 	struct ip6_hdr *ip6;
124 	struct nd_neighbor_solicit *nd_ns;
125 	struct in6_addr daddr6, myaddr6, saddr6, taddr6;
126 	struct ifaddr *ifa;
127 	struct sockaddr_dl proxydl;
128 	union nd_opts ndopts;
129 	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
130 	char *lladdr;
131 	int anycast, lladdrlen, proxy, rflag, tentative, tlladdr;
132 
133 	ifa = NULL;
134 
135 	/* RFC 6980: Nodes MUST silently ignore fragments */
136 	if(m->m_flags & M_FRAGMENTED)
137 		goto freeit;
138 
139 	ifp = m->m_pkthdr.rcvif;
140 	ip6 = mtod(m, struct ip6_hdr *);
141 	if (__predict_false(ip6->ip6_hlim != 255)) {
142 		ICMP6STAT_INC(icp6s_invlhlim);
143 		nd6log((LOG_ERR,
144 		    "nd6_ns_input: invalid hlim (%d) from %s to %s on %s\n",
145 		    ip6->ip6_hlim, ip6_sprintf(ip6bufs, &ip6->ip6_src),
146 		    ip6_sprintf(ip6bufd, &ip6->ip6_dst), if_name(ifp)));
147 		goto bads;
148 	}
149 
150 	if (m->m_len < off + icmp6len) {
151 		m = m_pullup(m, off + icmp6len);
152 		if (m == NULL) {
153 			IP6STAT_INC(ip6s_exthdrtoolong);
154 			return;
155 		}
156 	}
157 	ip6 = mtod(m, struct ip6_hdr *);
158 	nd_ns = (struct nd_neighbor_solicit *)((caddr_t)ip6 + off);
159 
160 	saddr6 = ip6->ip6_src;
161 	daddr6 = ip6->ip6_dst;
162 	taddr6 = nd_ns->nd_ns_target;
163 	if (in6_setscope(&taddr6, ifp, NULL) != 0)
164 		goto bad;
165 
166 	rflag = (V_ip6_forwarding) ? ND_NA_FLAG_ROUTER : 0;
167 	if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV && V_ip6_norbit_raif)
168 		rflag = 0;
169 
170 	if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
171 		/* dst has to be a solicited node multicast address. */
172 		if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL &&
173 		    /* don't check ifindex portion */
174 		    daddr6.s6_addr32[1] == 0 &&
175 		    daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE &&
176 		    daddr6.s6_addr8[12] == 0xff) {
177 			; /* good */
178 		} else {
179 			nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
180 			    "(wrong ip6 dst)\n"));
181 			goto bad;
182 		}
183 	} else if (!V_nd6_onlink_ns_rfc4861) {
184 		struct sockaddr_in6 src_sa6;
185 
186 		/*
187 		 * According to recent IETF discussions, it is not a good idea
188 		 * to accept a NS from an address which would not be deemed
189 		 * to be a neighbor otherwise.  This point is expected to be
190 		 * clarified in future revisions of the specification.
191 		 */
192 		bzero(&src_sa6, sizeof(src_sa6));
193 		src_sa6.sin6_family = AF_INET6;
194 		src_sa6.sin6_len = sizeof(src_sa6);
195 		src_sa6.sin6_addr = saddr6;
196 		if (nd6_is_addr_neighbor(&src_sa6, ifp) == 0) {
197 			nd6log((LOG_INFO, "nd6_ns_input: "
198 				"NS packet from non-neighbor\n"));
199 			goto bad;
200 		}
201 	}
202 
203 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
204 		nd6log((LOG_INFO, "nd6_ns_input: bad NS target (multicast)\n"));
205 		goto bad;
206 	}
207 
208 	icmp6len -= sizeof(*nd_ns);
209 	nd6_option_init(nd_ns + 1, icmp6len, &ndopts);
210 	if (nd6_options(&ndopts) < 0) {
211 		nd6log((LOG_INFO,
212 		    "nd6_ns_input: invalid ND option, ignored\n"));
213 		/* nd6_options have incremented stats */
214 		goto freeit;
215 	}
216 
217 	lladdr = NULL;
218 	lladdrlen = 0;
219 	if (ndopts.nd_opts_src_lladdr) {
220 		lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1);
221 		lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3;
222 	}
223 
224 	if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) {
225 		nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
226 		    "(link-layer address option)\n"));
227 		goto bad;
228 	}
229 
230 	/*
231 	 * Attaching target link-layer address to the NA?
232 	 * (RFC 2461 7.2.4)
233 	 *
234 	 * NS IP dst is unicast/anycast			MUST NOT add
235 	 * NS IP dst is solicited-node multicast	MUST add
236 	 *
237 	 * In implementation, we add target link-layer address by default.
238 	 * We do not add one in MUST NOT cases.
239 	 */
240 	if (!IN6_IS_ADDR_MULTICAST(&daddr6))
241 		tlladdr = 0;
242 	else
243 		tlladdr = 1;
244 
245 	/*
246 	 * Target address (taddr6) must be either:
247 	 * (1) Valid unicast/anycast address for my receiving interface,
248 	 * (2) Unicast address for which I'm offering proxy service, or
249 	 * (3) "tentative" address on which DAD is being performed.
250 	 */
251 	/* (1) and (3) check. */
252 	if (ifp->if_carp)
253 		ifa = (*carp_iamatch6_p)(ifp, &taddr6);
254 	else
255 		ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6);
256 
257 	/* (2) check. */
258 	proxy = 0;
259 	if (ifa == NULL) {
260 		if ((ifa = nd6_proxy_fill_sdl(ifp, &taddr6, &proxydl)) != NULL)
261 			proxy = 1;
262 	}
263 	if (ifa == NULL) {
264 		/*
265 		 * We've got an NS packet, and we don't have that address
266 		 * assigned for us.  We MUST silently ignore it.
267 		 * See RFC2461 7.2.3.
268 		 */
269 		goto freeit;
270 	}
271 	myaddr6 = *IFA_IN6(ifa);
272 	anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST;
273 	tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE;
274 	if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED)
275 		goto freeit;
276 
277 	if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
278 		nd6log((LOG_INFO, "nd6_ns_input: lladdrlen mismatch for %s "
279 		    "(if %d, NS packet %d)\n",
280 		    ip6_sprintf(ip6bufs, &taddr6),
281 		    ifp->if_addrlen, lladdrlen - 2));
282 		goto bad;
283 	}
284 
285 	if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) {
286 		nd6log((LOG_INFO, "nd6_ns_input: duplicate IP6 address %s\n",
287 		    ip6_sprintf(ip6bufs, &saddr6)));
288 		goto freeit;
289 	}
290 
291 	/*
292 	 * We have neighbor solicitation packet, with target address equals to
293 	 * one of my tentative address.
294 	 *
295 	 * src addr	how to process?
296 	 * ---		---
297 	 * multicast	of course, invalid (rejected in ip6_input)
298 	 * unicast	somebody is doing address resolution -> ignore
299 	 * unspec	dup address detection
300 	 *
301 	 * The processing is defined in RFC 2462.
302 	 */
303 	if (tentative) {
304 		/*
305 		 * If source address is unspecified address, it is for
306 		 * duplicate address detection.
307 		 *
308 		 * If not, the packet is for addess resolution;
309 		 * silently ignore it.
310 		 */
311 		if (IN6_IS_ADDR_UNSPECIFIED(&saddr6))
312 			nd6_dad_ns_input(ifa, ndopts.nd_opts_nonce);
313 
314 		goto freeit;
315 	}
316 
317 	/*
318 	 * If the source address is unspecified address, entries must not
319 	 * be created or updated.
320 	 * It looks that sender is performing DAD.  Output NA toward
321 	 * all-node multicast address, to tell the sender that I'm using
322 	 * the address.
323 	 * S bit ("solicited") must be zero.
324 	 */
325 	if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
326 		struct in6_addr in6_all;
327 
328 		in6_all = in6addr_linklocal_allnodes;
329 		if (in6_setscope(&in6_all, ifp, NULL) != 0)
330 			goto bad;
331 		nd6_na_output_fib(ifp, &in6_all, &taddr6,
332 		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
333 		    rflag, tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL,
334 		    M_GETFIB(m));
335 		goto freeit;
336 	}
337 
338 	nd6_cache_lladdr(ifp, &saddr6, lladdr, lladdrlen,
339 	    ND_NEIGHBOR_SOLICIT, 0);
340 
341 	nd6_na_output_fib(ifp, &saddr6, &taddr6,
342 	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
343 	    rflag | ND_NA_FLAG_SOLICITED, tlladdr,
344 	    proxy ? (struct sockaddr *)&proxydl : NULL, M_GETFIB(m));
345  freeit:
346 	if (ifa != NULL)
347 		ifa_free(ifa);
348 	m_freem(m);
349 	return;
350 
351  bad:
352 	nd6log((LOG_ERR, "nd6_ns_input: src=%s\n",
353 		ip6_sprintf(ip6bufs, &saddr6)));
354 	nd6log((LOG_ERR, "nd6_ns_input: dst=%s\n",
355 		ip6_sprintf(ip6bufs, &daddr6)));
356 	nd6log((LOG_ERR, "nd6_ns_input: tgt=%s\n",
357 		ip6_sprintf(ip6bufs, &taddr6)));
358  bads:
359 	ICMP6STAT_INC(icp6s_badns);
360 	if (ifa != NULL)
361 		ifa_free(ifa);
362 	m_freem(m);
363 }
364 
365 static struct ifaddr *
366 nd6_proxy_fill_sdl(struct ifnet *ifp, const struct in6_addr *taddr6,
367     struct sockaddr_dl *sdl)
368 {
369 	struct ifaddr *ifa;
370 	struct llentry *ln;
371 
372 	ifa = NULL;
373 	ln = nd6_lookup(taddr6, LLE_SF(AF_INET6, 0), ifp);
374 	if (ln == NULL)
375 		return (ifa);
376 	if ((ln->la_flags & (LLE_PUB | LLE_VALID)) == (LLE_PUB | LLE_VALID)) {
377 		link_init_sdl(ifp, (struct sockaddr *)sdl, ifp->if_type);
378 		sdl->sdl_alen = ifp->if_addrlen;
379 		bcopy(ln->ll_addr, &sdl->sdl_data, ifp->if_addrlen);
380 		LLE_RUNLOCK(ln);
381 		ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
382 		    IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
383 	} else
384 		LLE_RUNLOCK(ln);
385 
386 	return (ifa);
387 }
388 
389 /*
390  * Output a Neighbor Solicitation Message. Caller specifies:
391  *	- ICMP6 header source IP6 address
392  *	- ND6 header target IP6 address
393  *	- ND6 header source datalink address
394  *
395  * Based on RFC 2461
396  * Based on RFC 2462 (duplicate address detection)
397  *
398  *    ln - for source address determination
399  * nonce - If non-NULL, NS is used for duplicate address detection and
400  *         the value (length is ND_OPT_NONCE_LEN) is used as a random nonce.
401  */
402 static void
403 nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6,
404     const struct in6_addr *daddr6, const struct in6_addr *taddr6,
405     uint8_t *nonce, u_int fibnum)
406 {
407 	struct mbuf *m;
408 	struct m_tag *mtag;
409 	struct ip6_hdr *ip6;
410 	struct nd_neighbor_solicit *nd_ns;
411 	struct ip6_moptions im6o;
412 	int icmp6len;
413 	int maxlen;
414 
415 	NET_EPOCH_ASSERT();
416 
417 	if (IN6_IS_ADDR_MULTICAST(taddr6))
418 		return;
419 
420 	/* estimate the size of message */
421 	maxlen = sizeof(*ip6) + sizeof(*nd_ns);
422 	maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
423 	KASSERT(max_linkhdr + maxlen <= MCLBYTES, (
424 	    "%s: max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)",
425 	    __func__, max_linkhdr, maxlen, MCLBYTES));
426 
427 	if (max_linkhdr + maxlen > MHLEN)
428 		m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
429 	else
430 		m = m_gethdr(M_NOWAIT, MT_DATA);
431 	if (m == NULL)
432 		return;
433 	M_SETFIB(m, fibnum);
434 
435 	if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) {
436 		m->m_flags |= M_MCAST;
437 		im6o.im6o_multicast_ifp = ifp;
438 		im6o.im6o_multicast_hlim = 255;
439 		im6o.im6o_multicast_loop = 0;
440 	}
441 
442 	icmp6len = sizeof(*nd_ns);
443 	m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len;
444 	m->m_data += max_linkhdr;	/* or M_ALIGN() equivalent? */
445 
446 	/* fill neighbor solicitation packet */
447 	ip6 = mtod(m, struct ip6_hdr *);
448 	ip6->ip6_flow = 0;
449 	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
450 	ip6->ip6_vfc |= IPV6_VERSION;
451 	/* ip6->ip6_plen will be set later */
452 	ip6->ip6_nxt = IPPROTO_ICMPV6;
453 	ip6->ip6_hlim = 255;
454 	if (daddr6)
455 		ip6->ip6_dst = *daddr6;
456 	else {
457 		ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
458 		ip6->ip6_dst.s6_addr16[1] = 0;
459 		ip6->ip6_dst.s6_addr32[1] = 0;
460 		ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE;
461 		ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3];
462 		ip6->ip6_dst.s6_addr8[12] = 0xff;
463 		if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0)
464 			goto bad;
465 	}
466 	if (nonce == NULL) {
467 		char ip6buf[INET6_ADDRSTRLEN];
468 		struct ifaddr *ifa = NULL;
469 
470 		/*
471 		 * RFC2461 7.2.2:
472 		 * "If the source address of the packet prompting the
473 		 * solicitation is the same as one of the addresses assigned
474 		 * to the outgoing interface, that address SHOULD be placed
475 		 * in the IP Source Address of the outgoing solicitation.
476 		 * Otherwise, any one of the addresses assigned to the
477 		 * interface should be used."
478 		 *
479 		 * We use the source address for the prompting packet
480 		 * (saddr6), if saddr6 belongs to the outgoing interface.
481 		 * Otherwise, we perform the source address selection as usual.
482 		 */
483 		if (saddr6 != NULL)
484 			ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, saddr6);
485 		if (ifa == NULL) {
486 			int error;
487 			struct in6_addr dst6, src6;
488 			uint32_t scopeid;
489 
490 			in6_splitscope(&ip6->ip6_dst, &dst6, &scopeid);
491 			error = in6_selectsrc_addr(fibnum, &dst6,
492 			    scopeid, ifp, &src6, NULL);
493 			if (error) {
494 				nd6log((LOG_DEBUG, "%s: source can't be "
495 				    "determined: dst=%s, error=%d\n", __func__,
496 				    ip6_sprintf(ip6buf, &dst6),
497 				    error));
498 				goto bad;
499 			}
500 			ip6->ip6_src = src6;
501 		} else
502 			ip6->ip6_src = *saddr6;
503 
504 		if (ifp->if_carp != NULL) {
505 			/*
506 			 * Check that selected source address belongs to
507 			 * CARP addresses.
508 			 */
509 			if (ifa == NULL)
510 				ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp,
511 				    &ip6->ip6_src);
512 			/*
513 			 * Do not send NS for CARP address if we are not
514 			 * the CARP master.
515 			 */
516 			if (ifa != NULL && ifa->ifa_carp != NULL &&
517 			    !(*carp_master_p)(ifa)) {
518 				nd6log((LOG_DEBUG,
519 				    "nd6_ns_output: NS from BACKUP CARP address %s\n",
520 				    ip6_sprintf(ip6buf, &ip6->ip6_src)));
521 				ifa_free(ifa);
522 				goto bad;
523 			}
524 		}
525 		if (ifa != NULL)
526 			ifa_free(ifa);
527 	} else {
528 		/*
529 		 * Source address for DAD packet must always be IPv6
530 		 * unspecified address. (0::0)
531 		 * We actually don't have to 0-clear the address (we did it
532 		 * above), but we do so here explicitly to make the intention
533 		 * clearer.
534 		 */
535 		bzero(&ip6->ip6_src, sizeof(ip6->ip6_src));
536 	}
537 	nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1);
538 	nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT;
539 	nd_ns->nd_ns_code = 0;
540 	nd_ns->nd_ns_reserved = 0;
541 	nd_ns->nd_ns_target = *taddr6;
542 	in6_clearscope(&nd_ns->nd_ns_target); /* XXX */
543 
544 	/*
545 	 * Add source link-layer address option.
546 	 *
547 	 *				spec		implementation
548 	 *				---		---
549 	 * DAD packet			MUST NOT	do not add the option
550 	 * there's no link layer address:
551 	 *				impossible	do not add the option
552 	 * there's link layer address:
553 	 *	Multicast NS		MUST add one	add the option
554 	 *	Unicast NS		SHOULD add one	add the option
555 	 */
556 	if (nonce == NULL) {
557 		struct nd_opt_hdr *nd_opt;
558 		char *mac;
559 		int optlen;
560 
561 		mac = NULL;
562 		if (ifp->if_carp)
563 			mac = (*carp_macmatch6_p)(ifp, m, &ip6->ip6_src);
564 		if (mac == NULL)
565 			mac = nd6_ifptomac(ifp);
566 
567 		if (mac != NULL) {
568 			nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
569 			optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
570 			/* 8 byte alignments... */
571 			optlen = (optlen + 7) & ~7;
572 			m->m_pkthdr.len += optlen;
573 			m->m_len += optlen;
574 			icmp6len += optlen;
575 			bzero(nd_opt, optlen);
576 			nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR;
577 			nd_opt->nd_opt_len = optlen >> 3;
578 			bcopy(mac, nd_opt + 1, ifp->if_addrlen);
579 		}
580 	}
581 	/*
582 	 * Add a Nonce option (RFC 3971) to detect looped back NS messages.
583 	 * This behavior is documented as Enhanced Duplicate Address
584 	 * Detection in RFC 7527.
585 	 * net.inet6.ip6.dad_enhanced=0 disables this.
586 	 */
587 	if (V_dad_enhanced != 0 && nonce != NULL) {
588 		int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN;
589 		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
590 		/* 8-byte alignment is required. */
591 		optlen = (optlen + 7) & ~7;
592 
593 		m->m_pkthdr.len += optlen;
594 		m->m_len += optlen;
595 		icmp6len += optlen;
596 		bzero((caddr_t)nd_opt, optlen);
597 		nd_opt->nd_opt_type = ND_OPT_NONCE;
598 		nd_opt->nd_opt_len = optlen >> 3;
599 		bcopy(nonce, (caddr_t)(nd_opt + 1), ND_OPT_NONCE_LEN);
600 	}
601 	ip6->ip6_plen = htons((u_short)icmp6len);
602 	nd_ns->nd_ns_cksum = 0;
603 	nd_ns->nd_ns_cksum =
604 	    in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
605 
606 	if (send_sendso_input_hook != NULL) {
607 		mtag = m_tag_get(PACKET_TAG_ND_OUTGOING,
608 			sizeof(unsigned short), M_NOWAIT);
609 		if (mtag == NULL)
610 			goto bad;
611 		*(unsigned short *)(mtag + 1) = nd_ns->nd_ns_type;
612 		m_tag_prepend(m, mtag);
613 	}
614 
615 	ip6_output(m, NULL, NULL, (nonce != NULL) ? IPV6_UNSPECSRC : 0,
616 	    &im6o, NULL, NULL);
617 	icmp6_ifstat_inc(ifp, ifs6_out_msg);
618 	icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit);
619 	ICMP6STAT_INC(icp6s_outhist[ND_NEIGHBOR_SOLICIT]);
620 
621 	return;
622 
623   bad:
624 	m_freem(m);
625 }
626 
627 #ifndef BURN_BRIDGES
628 void
629 nd6_ns_output(struct ifnet *ifp, const struct in6_addr *saddr6,
630     const struct in6_addr *daddr6, const struct in6_addr *taddr6,uint8_t *nonce)
631 {
632 
633 	nd6_ns_output_fib(ifp, saddr6, daddr6, taddr6, nonce, RT_DEFAULT_FIB);
634 }
635 #endif
636 /*
637  * Neighbor advertisement input handling.
638  *
639  * Based on RFC 2461
640  * Based on RFC 2462 (duplicate address detection)
641  *
642  * the following items are not implemented yet:
643  * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
644  * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
645  */
646 void
647 nd6_na_input(struct mbuf *m, int off, int icmp6len)
648 {
649 	struct ifnet *ifp;
650 	struct ip6_hdr *ip6;
651 	struct ifaddr *ifa;
652 	struct llentry *ln;
653 	struct mbuf *chain;
654 	struct nd_neighbor_advert *nd_na;
655 	struct in6_addr daddr6, taddr6;
656 	union nd_opts ndopts;
657 	u_char linkhdr[LLE_MAX_LINKHDR];
658 	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
659 	char *lladdr;
660 	size_t linkhdrsize;
661 	int flags, is_override, is_router, is_solicited;
662 	int lladdr_off, lladdrlen, checklink;
663 	bool flush_holdchain = false;
664 
665 	NET_EPOCH_ASSERT();
666 
667 	chain = NULL;
668 	ln = NULL;
669 	checklink = 0;
670 
671 	/* RFC 6980: Nodes MUST silently ignore fragments */
672 	if(m->m_flags & M_FRAGMENTED)
673 		goto freeit;
674 
675 	ifp = m->m_pkthdr.rcvif;
676 	ip6 = mtod(m, struct ip6_hdr *);
677 	if (__predict_false(ip6->ip6_hlim != 255)) {
678 		ICMP6STAT_INC(icp6s_invlhlim);
679 		nd6log((LOG_ERR,
680 		    "nd6_na_input: invalid hlim (%d) from %s to %s on %s\n",
681 		    ip6->ip6_hlim, ip6_sprintf(ip6bufs, &ip6->ip6_src),
682 		    ip6_sprintf(ip6bufd, &ip6->ip6_dst), if_name(ifp)));
683 		goto bad;
684 	}
685 
686 	if (m->m_len < off + icmp6len) {
687 		m = m_pullup(m, off + icmp6len);
688 		if (m == NULL) {
689 			IP6STAT_INC(ip6s_exthdrtoolong);
690 			return;
691 		}
692 	}
693 	ip6 = mtod(m, struct ip6_hdr *);
694 	nd_na = (struct nd_neighbor_advert *)((caddr_t)ip6 + off);
695 
696 	flags = nd_na->nd_na_flags_reserved;
697 	is_router = ((flags & ND_NA_FLAG_ROUTER) != 0);
698 	is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0);
699 	is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0);
700 
701 	taddr6 = nd_na->nd_na_target;
702 	if (in6_setscope(&taddr6, ifp, NULL))
703 		goto bad;	/* XXX: impossible */
704 
705 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
706 		nd6log((LOG_ERR,
707 		    "nd6_na_input: invalid target address %s\n",
708 		    ip6_sprintf(ip6bufs, &taddr6)));
709 		goto bad;
710 	}
711 
712 	daddr6 = ip6->ip6_dst;
713 	if (IN6_IS_ADDR_MULTICAST(&daddr6))
714 		if (is_solicited) {
715 			nd6log((LOG_ERR,
716 			    "nd6_na_input: a solicited adv is multicasted\n"));
717 			goto bad;
718 		}
719 
720 	icmp6len -= sizeof(*nd_na);
721 	nd6_option_init(nd_na + 1, icmp6len, &ndopts);
722 	if (nd6_options(&ndopts) < 0) {
723 		nd6log((LOG_INFO,
724 		    "nd6_na_input: invalid ND option, ignored\n"));
725 		/* nd6_options have incremented stats */
726 		goto freeit;
727 	}
728 
729 	lladdr = NULL;
730 	lladdrlen = 0;
731 	if (ndopts.nd_opts_tgt_lladdr) {
732 		lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
733 		lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
734 	}
735 
736 	ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6);
737 	if (ifa != NULL && ifa->ifa_carp != NULL) {
738 		/*
739 		 * Silently ignore NAs for CARP addresses if we are not
740 		 * the CARP master.
741 		 */
742 		if (!(*carp_master_p)(ifa)) {
743 			nd6log((LOG_DEBUG,
744 			    "nd6_na_input: NA for BACKUP CARP address %s\n",
745 			    ip6_sprintf(ip6bufs, &taddr6)));
746 			ifa_free(ifa);
747 			goto freeit;
748 		}
749 	}
750 	/*
751 	 * Target address matches one of my interface address.
752 	 *
753 	 * If my address is tentative, this means that there's somebody
754 	 * already using the same address as mine.  This indicates DAD failure.
755 	 * This is defined in RFC 2462.
756 	 *
757 	 * Otherwise, process as defined in RFC 2461.
758 	 */
759 	if (ifa
760 	 && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) {
761 		nd6_dad_na_input(ifa);
762 		ifa_free(ifa);
763 		goto freeit;
764 	}
765 
766 	/* Just for safety, maybe unnecessary. */
767 	if (ifa) {
768 		ifa_free(ifa);
769 		log(LOG_ERR,
770 		    "nd6_na_input: duplicate IP6 address %s\n",
771 		    ip6_sprintf(ip6bufs, &taddr6));
772 		goto freeit;
773 	}
774 
775 	if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
776 		nd6log((LOG_INFO, "nd6_na_input: lladdrlen mismatch for %s "
777 		    "(if %d, NA packet %d)\n", ip6_sprintf(ip6bufs, &taddr6),
778 		    ifp->if_addrlen, lladdrlen - 2));
779 		goto bad;
780 	}
781 
782 	/*
783 	 * If no neighbor cache entry is found, NA SHOULD silently be
784 	 * discarded.
785 	 */
786 	ln = nd6_lookup(&taddr6, LLE_SF(AF_INET6, LLE_EXCLUSIVE), ifp);
787 	if (ln == NULL) {
788 		goto freeit;
789 	}
790 
791 	/*
792 	 * Do not try to override static entry.
793 	 */
794 	if (ln->la_flags & LLE_STATIC)
795 		goto freeit;
796 
797 	if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
798 		/*
799 		 * If the link-layer has address, and no lladdr option came,
800 		 * discard the packet.
801 		 */
802 		if (ifp->if_addrlen && lladdr == NULL) {
803 			goto freeit;
804 		}
805 
806 		/*
807 		 * Record link-layer address, and update the state.
808 		 */
809 		if (!nd6_try_set_entry_addr(ifp, ln, lladdr))
810 			goto freeit;
811 
812 		flush_holdchain = true;
813 		if (is_solicited)
814 			nd6_llinfo_setstate(ln, ND6_LLINFO_REACHABLE);
815 		else
816 			nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
817 		EVENTHANDLER_INVOKE(lle_event, ln, LLENTRY_RESOLVED);
818 		if ((ln->ln_router = is_router) != 0) {
819 			/*
820 			 * This means a router's state has changed from
821 			 * non-reachable to probably reachable, and might
822 			 * affect the status of associated prefixes..
823 			 */
824 			checklink = 1;
825 		}
826 	} else {
827 		int llchange;
828 
829 		/*
830 		 * Check if the link-layer address has changed or not.
831 		 */
832 		if (lladdr == NULL)
833 			llchange = 0;
834 		else {
835 			if (ln->la_flags & LLE_VALID) {
836 				if (bcmp(lladdr, ln->ll_addr, ifp->if_addrlen))
837 					llchange = 1;
838 				else
839 					llchange = 0;
840 			} else
841 				llchange = 1;
842 		}
843 
844 		/*
845 		 * This is VERY complex.  Look at it with care.
846 		 *
847 		 * override solicit lladdr llchange	action
848 		 *					(L: record lladdr)
849 		 *
850 		 *	0	0	n	--	(2c)
851 		 *	0	0	y	n	(2b) L
852 		 *	0	0	y	y	(1)    REACHABLE->STALE
853 		 *	0	1	n	--	(2c)   *->REACHABLE
854 		 *	0	1	y	n	(2b) L *->REACHABLE
855 		 *	0	1	y	y	(1)    REACHABLE->STALE
856 		 *	1	0	n	--	(2a)
857 		 *	1	0	y	n	(2a) L
858 		 *	1	0	y	y	(2a) L *->STALE
859 		 *	1	1	n	--	(2a)   *->REACHABLE
860 		 *	1	1	y	n	(2a) L *->REACHABLE
861 		 *	1	1	y	y	(2a) L *->REACHABLE
862 		 */
863 		if (!is_override && (lladdr != NULL && llchange)) {  /* (1) */
864 			/*
865 			 * If state is REACHABLE, make it STALE.
866 			 * no other updates should be done.
867 			 */
868 			if (ln->ln_state == ND6_LLINFO_REACHABLE)
869 				nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
870 			goto freeit;
871 		} else if (is_override				   /* (2a) */
872 			|| (!is_override && (lladdr != NULL && !llchange)) /* (2b) */
873 			|| lladdr == NULL) {			   /* (2c) */
874 			/*
875 			 * Update link-local address, if any.
876 			 */
877 			if (lladdr != NULL) {
878 				linkhdrsize = sizeof(linkhdr);
879 				if (lltable_calc_llheader(ifp, AF_INET6, lladdr,
880 				    linkhdr, &linkhdrsize, &lladdr_off) != 0)
881 					goto freeit;
882 				if (lltable_try_set_entry_addr(ifp, ln, linkhdr,
883 				    linkhdrsize, lladdr_off) == 0)
884 					goto freeit;
885 				EVENTHANDLER_INVOKE(lle_event, ln,
886 				    LLENTRY_RESOLVED);
887 			}
888 
889 			/*
890 			 * If solicited, make the state REACHABLE.
891 			 * If not solicited and the link-layer address was
892 			 * changed, make it STALE.
893 			 */
894 			if (is_solicited)
895 				nd6_llinfo_setstate(ln, ND6_LLINFO_REACHABLE);
896 			else {
897 				if (lladdr != NULL && llchange)
898 					nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
899 			}
900 		}
901 
902 		if (ln->ln_router && !is_router) {
903 			/*
904 			 * The peer dropped the router flag.
905 			 * Remove the sender from the Default Router List and
906 			 * update the Destination Cache entries.
907 			 */
908 			struct ifnet *nd6_ifp;
909 
910 			nd6_ifp = lltable_get_ifp(ln->lle_tbl);
911 			if (!defrouter_remove(&ln->r_l3addr.addr6, nd6_ifp) &&
912 			    (ND_IFINFO(nd6_ifp)->flags &
913 			     ND6_IFF_ACCEPT_RTADV) != 0)
914 				/*
915 				 * Even if the neighbor is not in the default
916 				 * router list, the neighbor may be used as a
917 				 * next hop for some destinations (e.g. redirect
918 				 * case). So we must call rt6_flush explicitly.
919 				 */
920 				rt6_flush(&ip6->ip6_src, ifp);
921 		}
922 		ln->ln_router = is_router;
923 	}
924         /* XXX - QL
925 	 *  Does this matter?
926 	 *  rt->rt_flags &= ~RTF_REJECT;
927 	 */
928 	ln->la_asked = 0;
929 	if (ln->la_hold != NULL)
930 		chain = nd6_grab_holdchain(ln);
931  freeit:
932 	if (ln != NULL)
933 		LLE_WUNLOCK(ln);
934 
935 	if (chain != NULL)
936 		nd6_flush_holdchain(ifp, ln, chain);
937 	if (flush_holdchain)
938 		nd6_flush_children_holdchain(ifp, ln);
939 
940 	if (checklink)
941 		pfxlist_onlink_check();
942 
943 	m_freem(m);
944 	return;
945 
946  bad:
947 	if (ln != NULL)
948 		LLE_WUNLOCK(ln);
949 
950 	ICMP6STAT_INC(icp6s_badna);
951 	m_freem(m);
952 }
953 
954 /*
955  * Neighbor advertisement output handling.
956  *
957  * Based on RFC 2461
958  *
959  * the following items are not implemented yet:
960  * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
961  * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
962  *
963  * tlladdr - 1 if include target link-layer address
964  * sdl0 - sockaddr_dl (= proxy NA) or NULL
965  */
966 static void
967 nd6_na_output_fib(struct ifnet *ifp, const struct in6_addr *daddr6_0,
968     const struct in6_addr *taddr6, u_long flags, int tlladdr,
969     struct sockaddr *sdl0, u_int fibnum)
970 {
971 	struct mbuf *m;
972 	struct m_tag *mtag;
973 	struct ip6_hdr *ip6;
974 	struct nd_neighbor_advert *nd_na;
975 	struct ip6_moptions im6o;
976 	struct in6_addr daddr6, dst6, src6;
977 	uint32_t scopeid;
978 
979 	NET_EPOCH_ASSERT();
980 
981 	int icmp6len, maxlen, error;
982 	caddr_t mac = NULL;
983 
984 	daddr6 = *daddr6_0;	/* make a local copy for modification */
985 
986 	/* estimate the size of message */
987 	maxlen = sizeof(*ip6) + sizeof(*nd_na);
988 	maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
989 	KASSERT(max_linkhdr + maxlen <= MCLBYTES, (
990 	    "%s: max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)",
991 	    __func__, max_linkhdr, maxlen, MCLBYTES));
992 
993 	if (max_linkhdr + maxlen > MHLEN)
994 		m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
995 	else
996 		m = m_gethdr(M_NOWAIT, MT_DATA);
997 	if (m == NULL)
998 		return;
999 	M_SETFIB(m, fibnum);
1000 
1001 	if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
1002 		m->m_flags |= M_MCAST;
1003 		im6o.im6o_multicast_ifp = ifp;
1004 		im6o.im6o_multicast_hlim = 255;
1005 		im6o.im6o_multicast_loop = 0;
1006 	}
1007 
1008 	icmp6len = sizeof(*nd_na);
1009 	m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len;
1010 	m->m_data += max_linkhdr;	/* or M_ALIGN() equivalent? */
1011 
1012 	/* fill neighbor advertisement packet */
1013 	ip6 = mtod(m, struct ip6_hdr *);
1014 	ip6->ip6_flow = 0;
1015 	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
1016 	ip6->ip6_vfc |= IPV6_VERSION;
1017 	ip6->ip6_nxt = IPPROTO_ICMPV6;
1018 	ip6->ip6_hlim = 255;
1019 	if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) {
1020 		/* reply to DAD */
1021 		daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
1022 		daddr6.s6_addr16[1] = 0;
1023 		daddr6.s6_addr32[1] = 0;
1024 		daddr6.s6_addr32[2] = 0;
1025 		daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE;
1026 		if (in6_setscope(&daddr6, ifp, NULL))
1027 			goto bad;
1028 
1029 		flags &= ~ND_NA_FLAG_SOLICITED;
1030 	}
1031 	ip6->ip6_dst = daddr6;
1032 
1033 	/*
1034 	 * Select a source whose scope is the same as that of the dest.
1035 	 */
1036 	in6_splitscope(&daddr6, &dst6, &scopeid);
1037 	error = in6_selectsrc_addr(fibnum, &dst6,
1038 	    scopeid, ifp, &src6, NULL);
1039 	if (error) {
1040 		char ip6buf[INET6_ADDRSTRLEN];
1041 		nd6log((LOG_DEBUG, "nd6_na_output: source can't be "
1042 		    "determined: dst=%s, error=%d\n",
1043 		    ip6_sprintf(ip6buf, &daddr6), error));
1044 		goto bad;
1045 	}
1046 	ip6->ip6_src = src6;
1047 	nd_na = (struct nd_neighbor_advert *)(ip6 + 1);
1048 	nd_na->nd_na_type = ND_NEIGHBOR_ADVERT;
1049 	nd_na->nd_na_code = 0;
1050 	nd_na->nd_na_target = *taddr6;
1051 	in6_clearscope(&nd_na->nd_na_target); /* XXX */
1052 
1053 	/*
1054 	 * "tlladdr" indicates NS's condition for adding tlladdr or not.
1055 	 * see nd6_ns_input() for details.
1056 	 * Basically, if NS packet is sent to unicast/anycast addr,
1057 	 * target lladdr option SHOULD NOT be included.
1058 	 */
1059 	if (tlladdr) {
1060 		/*
1061 		 * sdl0 != NULL indicates proxy NA.  If we do proxy, use
1062 		 * lladdr in sdl0.  If we are not proxying (sending NA for
1063 		 * my address) use lladdr configured for the interface.
1064 		 */
1065 		if (sdl0 == NULL) {
1066 			if (ifp->if_carp)
1067 				mac = (*carp_macmatch6_p)(ifp, m, taddr6);
1068 			if (mac == NULL)
1069 				mac = nd6_ifptomac(ifp);
1070 		} else if (sdl0->sa_family == AF_LINK) {
1071 			struct sockaddr_dl *sdl;
1072 			sdl = (struct sockaddr_dl *)sdl0;
1073 			if (sdl->sdl_alen == ifp->if_addrlen)
1074 				mac = LLADDR(sdl);
1075 		}
1076 	}
1077 	if (tlladdr && mac) {
1078 		int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
1079 		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1);
1080 
1081 		/* roundup to 8 bytes alignment! */
1082 		optlen = (optlen + 7) & ~7;
1083 
1084 		m->m_pkthdr.len += optlen;
1085 		m->m_len += optlen;
1086 		icmp6len += optlen;
1087 		bzero((caddr_t)nd_opt, optlen);
1088 		nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
1089 		nd_opt->nd_opt_len = optlen >> 3;
1090 		bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
1091 	} else
1092 		flags &= ~ND_NA_FLAG_OVERRIDE;
1093 
1094 	ip6->ip6_plen = htons((u_short)icmp6len);
1095 	nd_na->nd_na_flags_reserved = flags;
1096 	nd_na->nd_na_cksum = 0;
1097 	nd_na->nd_na_cksum =
1098 	    in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
1099 
1100 	if (send_sendso_input_hook != NULL) {
1101 		mtag = m_tag_get(PACKET_TAG_ND_OUTGOING,
1102 		    sizeof(unsigned short), M_NOWAIT);
1103 		if (mtag == NULL)
1104 			goto bad;
1105 		*(unsigned short *)(mtag + 1) = nd_na->nd_na_type;
1106 		m_tag_prepend(m, mtag);
1107 	}
1108 
1109 	ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL);
1110 	icmp6_ifstat_inc(ifp, ifs6_out_msg);
1111 	icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert);
1112 	ICMP6STAT_INC(icp6s_outhist[ND_NEIGHBOR_ADVERT]);
1113 
1114 	return;
1115 
1116   bad:
1117 	m_freem(m);
1118 }
1119 
1120 #ifndef BURN_BRIDGES
1121 void
1122 nd6_na_output(struct ifnet *ifp, const struct in6_addr *daddr6_0,
1123     const struct in6_addr *taddr6, u_long flags, int tlladdr,
1124     struct sockaddr *sdl0)
1125 {
1126 
1127 	nd6_na_output_fib(ifp, daddr6_0, taddr6, flags, tlladdr, sdl0,
1128 	    RT_DEFAULT_FIB);
1129 }
1130 #endif
1131 
1132 caddr_t
1133 nd6_ifptomac(struct ifnet *ifp)
1134 {
1135 	switch (ifp->if_type) {
1136 	case IFT_ETHER:
1137 	case IFT_IEEE1394:
1138 	case IFT_L2VLAN:
1139 	case IFT_INFINIBAND:
1140 	case IFT_BRIDGE:
1141 		return IF_LLADDR(ifp);
1142 	default:
1143 		return NULL;
1144 	}
1145 }
1146 
1147 struct dadq {
1148 	TAILQ_ENTRY(dadq) dad_list;
1149 	struct ifaddr *dad_ifa;
1150 	int dad_count;		/* max NS to send */
1151 	int dad_ns_tcount;	/* # of trials to send NS */
1152 	int dad_ns_ocount;	/* NS sent so far */
1153 	int dad_ns_icount;
1154 	int dad_na_icount;
1155 	int dad_ns_lcount;	/* looped back NS */
1156 	int dad_loopbackprobe;	/* probing state for loopback detection */
1157 	struct callout dad_timer_ch;
1158 	struct vnet *dad_vnet;
1159 	u_int dad_refcnt;
1160 #define	ND_OPT_NONCE_LEN32 \
1161 		((ND_OPT_NONCE_LEN + sizeof(uint32_t) - 1)/sizeof(uint32_t))
1162 	uint32_t dad_nonce[ND_OPT_NONCE_LEN32];
1163 	bool dad_ondadq;	/* on dadq? Protected by DADQ_WLOCK. */
1164 };
1165 
1166 VNET_DEFINE_STATIC(TAILQ_HEAD(, dadq), dadq);
1167 VNET_DEFINE_STATIC(struct rwlock, dad_rwlock);
1168 #define	V_dadq			VNET(dadq)
1169 #define	V_dad_rwlock		VNET(dad_rwlock)
1170 
1171 #define	DADQ_LOCKPTR()		(&V_dad_rwlock)
1172 #define	DADQ_LOCK_INIT()	rw_init(DADQ_LOCKPTR(), "nd6 DAD queue")
1173 #define	DADQ_RLOCK()		rw_rlock(DADQ_LOCKPTR())
1174 #define	DADQ_RUNLOCK()		rw_runlock(DADQ_LOCKPTR())
1175 #define	DADQ_WLOCK()		rw_wlock(DADQ_LOCKPTR())
1176 #define	DADQ_WUNLOCK()		rw_wunlock(DADQ_LOCKPTR())
1177 
1178 #define	DADQ_LOCK_ASSERT()	rw_assert(DADQ_LOCKPTR(), RA_LOCKED);
1179 #define	DADQ_RLOCK_ASSERT()	rw_assert(DADQ_LOCKPTR(), RA_RLOCKED);
1180 #define	DADQ_WLOCK_ASSERT()	rw_assert(DADQ_LOCKPTR(), RA_WLOCKED);
1181 
1182 static void
1183 nd6_dad_add(struct dadq *dp)
1184 {
1185 	DADQ_WLOCK_ASSERT();
1186 
1187 	TAILQ_INSERT_TAIL(&V_dadq, dp, dad_list);
1188 	dp->dad_ondadq = true;
1189 }
1190 
1191 static void
1192 nd6_dad_del(struct dadq *dp)
1193 {
1194 	DADQ_WLOCK_ASSERT();
1195 
1196 	if (dp->dad_ondadq) {
1197 		/*
1198 		 * Remove dp from the dadq and release the dadq's
1199 		 * reference.
1200 		 */
1201 		TAILQ_REMOVE(&V_dadq, dp, dad_list);
1202 		dp->dad_ondadq = false;
1203 		nd6_dad_rele(dp);
1204 	}
1205 }
1206 
1207 static struct dadq *
1208 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *n)
1209 {
1210 	struct dadq *dp;
1211 
1212 	DADQ_LOCK_ASSERT();
1213 
1214 	TAILQ_FOREACH(dp, &V_dadq, dad_list) {
1215 		if (dp->dad_ifa != ifa)
1216 			continue;
1217 
1218 		/*
1219 		 * Skip if the nonce matches the received one.
1220 		 * +2 in the length is required because of type and
1221 		 * length fields are included in a header.
1222 		 */
1223 		if (n != NULL &&
1224 		    n->nd_opt_nonce_len == (ND_OPT_NONCE_LEN + 2) / 8 &&
1225 		    memcmp(&n->nd_opt_nonce[0], &dp->dad_nonce[0],
1226 		    ND_OPT_NONCE_LEN) == 0) {
1227 			dp->dad_ns_lcount++;
1228 			continue;
1229 		}
1230 		break;
1231 	}
1232 
1233 	return (dp);
1234 }
1235 
1236 static void
1237 nd6_dad_starttimer(struct dadq *dp, int ticks)
1238 {
1239 	DADQ_WLOCK_ASSERT();
1240 
1241 	callout_reset(&dp->dad_timer_ch, ticks, nd6_dad_timer, dp);
1242 }
1243 
1244 static void
1245 nd6_dad_stoptimer(struct dadq *dp)
1246 {
1247 	callout_drain(&dp->dad_timer_ch);
1248 }
1249 
1250 static void
1251 nd6_dad_rele(struct dadq *dp)
1252 {
1253 	if (refcount_release(&dp->dad_refcnt)) {
1254 		KASSERT(!dp->dad_ondadq, ("dp %p still on DAD queue", dp));
1255 		ifa_free(dp->dad_ifa);
1256 		free(dp, M_IP6NDP);
1257 	}
1258 }
1259 
1260 void
1261 nd6_dad_init(void)
1262 {
1263 	DADQ_LOCK_INIT();
1264 	TAILQ_INIT(&V_dadq);
1265 }
1266 
1267 /*
1268  * Start Duplicate Address Detection (DAD) for specified interface address.
1269  */
1270 void
1271 nd6_dad_start(struct ifaddr *ifa, int delay)
1272 {
1273 	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1274 	struct dadq *dp;
1275 	char ip6buf[INET6_ADDRSTRLEN];
1276 
1277 	KASSERT((ia->ia6_flags & IN6_IFF_TENTATIVE) != 0,
1278 	    ("starting DAD on non-tentative address %p", ifa));
1279 
1280 	/*
1281 	 * If we don't need DAD, don't do it.
1282 	 * There are several cases:
1283 	 * - DAD is disabled globally or on the interface
1284 	 * - the interface address is anycast
1285 	 */
1286 	if ((ia->ia6_flags & IN6_IFF_ANYCAST) != 0 ||
1287 	    V_ip6_dad_count == 0 ||
1288 	    (ND_IFINFO(ifa->ifa_ifp)->flags & ND6_IFF_NO_DAD) != 0) {
1289 		ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1290 		return;
1291 	}
1292 	if ((ifa->ifa_ifp->if_flags & IFF_UP) == 0 ||
1293 	    (ifa->ifa_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
1294 	    (ND_IFINFO(ifa->ifa_ifp)->flags & ND6_IFF_IFDISABLED) != 0)
1295 		return;
1296 
1297 	DADQ_WLOCK();
1298 	if ((dp = nd6_dad_find(ifa, NULL)) != NULL) {
1299 		/*
1300 		 * DAD is already in progress.  Let the existing entry
1301 		 * finish it.
1302 		 */
1303 		DADQ_WUNLOCK();
1304 		return;
1305 	}
1306 
1307 	dp = malloc(sizeof(*dp), M_IP6NDP, M_NOWAIT | M_ZERO);
1308 	if (dp == NULL) {
1309 		log(LOG_ERR, "nd6_dad_start: memory allocation failed for "
1310 			"%s(%s)\n",
1311 			ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1312 			ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1313 		return;
1314 	}
1315 	callout_init_rw(&dp->dad_timer_ch, DADQ_LOCKPTR(),
1316 	    CALLOUT_RETURNUNLOCKED);
1317 #ifdef VIMAGE
1318 	dp->dad_vnet = curvnet;
1319 #endif
1320 	nd6log((LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp),
1321 	    ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr)));
1322 
1323 	/*
1324 	 * Send NS packet for DAD, ip6_dad_count times.
1325 	 * Note that we must delay the first transmission, if this is the
1326 	 * first packet to be sent from the interface after interface
1327 	 * (re)initialization.
1328 	 */
1329 	dp->dad_ifa = ifa;
1330 	ifa_ref(dp->dad_ifa);
1331 	dp->dad_count = V_ip6_dad_count;
1332 	dp->dad_ns_icount = dp->dad_na_icount = 0;
1333 	dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
1334 	dp->dad_ns_lcount = dp->dad_loopbackprobe = 0;
1335 
1336 	/* Add this to the dadq and add a reference for the dadq. */
1337 	refcount_init(&dp->dad_refcnt, 1);
1338 	nd6_dad_add(dp);
1339 	nd6_dad_starttimer(dp, delay);
1340 	DADQ_WUNLOCK();
1341 }
1342 
1343 /*
1344  * terminate DAD unconditionally.  used for address removals.
1345  */
1346 void
1347 nd6_dad_stop(struct ifaddr *ifa)
1348 {
1349 	struct dadq *dp;
1350 
1351 	DADQ_WLOCK();
1352 	dp = nd6_dad_find(ifa, NULL);
1353 	if (dp == NULL) {
1354 		DADQ_WUNLOCK();
1355 		/* DAD wasn't started yet */
1356 		return;
1357 	}
1358 
1359 	/*
1360 	 * Acquire a temporary reference so that we can safely stop the callout.
1361 	 */
1362 	(void)refcount_acquire(&dp->dad_refcnt);
1363 	nd6_dad_del(dp);
1364 	DADQ_WUNLOCK();
1365 
1366 	nd6_dad_stoptimer(dp);
1367 	nd6_dad_rele(dp);
1368 }
1369 
1370 static void
1371 nd6_dad_timer(void *arg)
1372 {
1373 	struct dadq *dp = arg;
1374 	struct ifaddr *ifa = dp->dad_ifa;
1375 	struct ifnet *ifp = dp->dad_ifa->ifa_ifp;
1376 	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1377 	char ip6buf[INET6_ADDRSTRLEN];
1378 	struct epoch_tracker et;
1379 
1380 	CURVNET_SET(dp->dad_vnet);
1381 	KASSERT(ia != NULL, ("DAD entry %p with no address", dp));
1382 
1383 	NET_EPOCH_ENTER(et);
1384 	if (ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) {
1385 		/* Do not need DAD for ifdisabled interface. */
1386 		log(LOG_ERR, "nd6_dad_timer: cancel DAD on %s because of "
1387 		    "ND6_IFF_IFDISABLED.\n", ifp->if_xname);
1388 		goto err;
1389 	}
1390 	if (ia->ia6_flags & IN6_IFF_DUPLICATED) {
1391 		log(LOG_ERR, "nd6_dad_timer: called with duplicated address "
1392 			"%s(%s)\n",
1393 			ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1394 			ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1395 		goto err;
1396 	}
1397 	if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) {
1398 		log(LOG_ERR, "nd6_dad_timer: called with non-tentative address "
1399 			"%s(%s)\n",
1400 			ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1401 			ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1402 		goto err;
1403 	}
1404 
1405 	/* Stop DAD if the interface is down even after dad_maxtry attempts. */
1406 	if ((dp->dad_ns_tcount > V_dad_maxtry) &&
1407 	    (((ifp->if_flags & IFF_UP) == 0) ||
1408 	     ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0))) {
1409 		nd6log((LOG_INFO, "%s: could not run DAD "
1410 		    "because the interface was down or not running.\n",
1411 		    if_name(ifa->ifa_ifp)));
1412 		goto err;
1413 	}
1414 
1415 	/* Need more checks? */
1416 	if (dp->dad_ns_ocount < dp->dad_count) {
1417 		/*
1418 		 * We have more NS to go.  Send NS packet for DAD.
1419 		 */
1420 		nd6_dad_starttimer(dp,
1421 		    (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000);
1422 		nd6_dad_ns_output(dp);
1423 		goto done;
1424 	} else {
1425 		/*
1426 		 * We have transmitted sufficient number of DAD packets.
1427 		 * See what we've got.
1428 		 */
1429 		if (dp->dad_ns_icount > 0 || dp->dad_na_icount > 0) {
1430 			/* We've seen NS or NA, means DAD has failed. */
1431 			nd6_dad_duplicated(ifa, dp);
1432 		} else if (V_dad_enhanced != 0 &&
1433 		    dp->dad_ns_lcount > 0 &&
1434 		    dp->dad_ns_lcount > dp->dad_loopbackprobe) {
1435 			/*
1436 			 * Sec. 4.1 in RFC 7527 requires transmission of
1437 			 * additional probes until the loopback condition
1438 			 * becomes clear when a looped back probe is detected.
1439 			 */
1440 			log(LOG_ERR, "%s: a looped back NS message is "
1441 			    "detected during DAD for %s.  "
1442 			    "Another DAD probes are being sent.\n",
1443 			    if_name(ifa->ifa_ifp),
1444 			    ip6_sprintf(ip6buf, IFA_IN6(ifa)));
1445 			dp->dad_loopbackprobe = dp->dad_ns_lcount;
1446 			/*
1447 			 * Send an NS immediately and increase dad_count by
1448 			 * V_nd6_mmaxtries - 1.
1449 			 */
1450 			dp->dad_count =
1451 			    dp->dad_ns_ocount + V_nd6_mmaxtries - 1;
1452 			nd6_dad_starttimer(dp,
1453 			    (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000);
1454 			nd6_dad_ns_output(dp);
1455 			goto done;
1456 		} else {
1457 			/*
1458 			 * We are done with DAD.  No NA came, no NS came.
1459 			 * No duplicate address found.  Check IFDISABLED flag
1460 			 * again in case that it is changed between the
1461 			 * beginning of this function and here.
1462 			 */
1463 			if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) == 0)
1464 				ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1465 
1466 			nd6log((LOG_DEBUG,
1467 			    "%s: DAD complete for %s - no duplicates found\n",
1468 			    if_name(ifa->ifa_ifp),
1469 			    ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr)));
1470 			if (dp->dad_ns_lcount > 0)
1471 				log(LOG_ERR, "%s: DAD completed while "
1472 				    "a looped back NS message is detected "
1473 				    "during DAD for %s.\n",
1474 				    if_name(ifa->ifa_ifp),
1475 				    ip6_sprintf(ip6buf, IFA_IN6(ifa)));
1476 		}
1477 	}
1478 err:
1479 	nd6_dad_del(dp);
1480 	DADQ_WUNLOCK();
1481 done:
1482 	NET_EPOCH_EXIT(et);
1483 	CURVNET_RESTORE();
1484 }
1485 
1486 static void
1487 nd6_dad_duplicated(struct ifaddr *ifa, struct dadq *dp)
1488 {
1489 	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1490 	struct ifnet *ifp;
1491 	char ip6buf[INET6_ADDRSTRLEN];
1492 
1493 	log(LOG_ERR, "%s: DAD detected duplicate IPv6 address %s: "
1494 	    "NS in/out/loopback=%d/%d/%d, NA in=%d\n",
1495 	    if_name(ifa->ifa_ifp), ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr),
1496 	    dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount,
1497 	    dp->dad_na_icount);
1498 
1499 	ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1500 	ia->ia6_flags |= IN6_IFF_DUPLICATED;
1501 
1502 	ifp = ifa->ifa_ifp;
1503 	log(LOG_ERR, "%s: DAD complete for %s - duplicate found\n",
1504 	    if_name(ifp), ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr));
1505 	log(LOG_ERR, "%s: manual intervention required\n",
1506 	    if_name(ifp));
1507 
1508 	/*
1509 	 * If the address is a link-local address formed from an interface
1510 	 * identifier based on the hardware address which is supposed to be
1511 	 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP
1512 	 * operation on the interface SHOULD be disabled.
1513 	 * [RFC 4862, Section 5.4.5]
1514 	 */
1515 	if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) {
1516 		struct in6_addr in6;
1517 
1518 		/*
1519 		 * To avoid over-reaction, we only apply this logic when we are
1520 		 * very sure that hardware addresses are supposed to be unique.
1521 		 */
1522 		switch (ifp->if_type) {
1523 		case IFT_ETHER:
1524 		case IFT_ATM:
1525 		case IFT_IEEE1394:
1526 		case IFT_INFINIBAND:
1527 			in6 = ia->ia_addr.sin6_addr;
1528 			if (in6_get_hw_ifid(ifp, &in6) == 0 &&
1529 			    IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
1530 				ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED;
1531 				log(LOG_ERR, "%s: possible hardware address "
1532 				    "duplication detected, disable IPv6\n",
1533 				    if_name(ifp));
1534 			}
1535 			break;
1536 		}
1537 	}
1538 }
1539 
1540 /*
1541  * Transmit a neighbour solicitation for the purpose of DAD.  Returns with the
1542  * DAD queue unlocked.
1543  */
1544 static void
1545 nd6_dad_ns_output(struct dadq *dp)
1546 {
1547 	struct in6_ifaddr *ia = (struct in6_ifaddr *)dp->dad_ifa;
1548 	struct ifnet *ifp = dp->dad_ifa->ifa_ifp;
1549 	int i;
1550 
1551 	DADQ_WLOCK_ASSERT();
1552 
1553 	dp->dad_ns_tcount++;
1554 	if ((ifp->if_flags & IFF_UP) == 0) {
1555 		DADQ_WUNLOCK();
1556 		return;
1557 	}
1558 	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
1559 		DADQ_WUNLOCK();
1560 		return;
1561 	}
1562 
1563 	dp->dad_ns_ocount++;
1564 	if (V_dad_enhanced != 0) {
1565 		for (i = 0; i < ND_OPT_NONCE_LEN32; i++)
1566 			dp->dad_nonce[i] = arc4random();
1567 		/*
1568 		 * XXXHRS: Note that in the case that
1569 		 * DupAddrDetectTransmits > 1, multiple NS messages with
1570 		 * different nonces can be looped back in an unexpected
1571 		 * order.  The current implementation recognizes only
1572 		 * the latest nonce on the sender side.  Practically it
1573 		 * should work well in almost all cases.
1574 		 */
1575 	}
1576 	DADQ_WUNLOCK();
1577 	nd6_ns_output(ifp, NULL, NULL, &ia->ia_addr.sin6_addr,
1578 	    (uint8_t *)&dp->dad_nonce[0]);
1579 }
1580 
1581 static void
1582 nd6_dad_ns_input(struct ifaddr *ifa, struct nd_opt_nonce *ndopt_nonce)
1583 {
1584 	struct dadq *dp;
1585 
1586 	if (ifa == NULL)
1587 		panic("ifa == NULL in nd6_dad_ns_input");
1588 
1589 	/* Ignore Nonce option when Enhanced DAD is disabled. */
1590 	if (V_dad_enhanced == 0)
1591 		ndopt_nonce = NULL;
1592 	DADQ_RLOCK();
1593 	dp = nd6_dad_find(ifa, ndopt_nonce);
1594 	if (dp != NULL)
1595 		dp->dad_ns_icount++;
1596 	DADQ_RUNLOCK();
1597 }
1598 
1599 static void
1600 nd6_dad_na_input(struct ifaddr *ifa)
1601 {
1602 	struct dadq *dp;
1603 
1604 	if (ifa == NULL)
1605 		panic("ifa == NULL in nd6_dad_na_input");
1606 
1607 	DADQ_RLOCK();
1608 	dp = nd6_dad_find(ifa, NULL);
1609 	if (dp != NULL)
1610 		dp->dad_na_icount++;
1611 	DADQ_RUNLOCK();
1612 }
1613