xref: /netbsd-src/sys/netinet6/nd6_nbr.c (revision 8a751b5cf905401b3aae58980b021daf967a4397)
1 /*	$NetBSD: nd6_nbr.c,v 1.185 2024/11/13 09:25:52 roy Exp $	*/
2 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
3 
4 /*
5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the project nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.185 2024/11/13 09:25:52 roy Exp $");
35 
36 #ifdef _KERNEL_OPT
37 #include "opt_inet.h"
38 #include "opt_net_mpsafe.h"
39 #endif
40 
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/kmem.h>
44 #include <sys/mbuf.h>
45 #include <sys/socket.h>
46 #include <sys/socketvar.h>
47 #include <sys/sockio.h>
48 #include <sys/time.h>
49 #include <sys/kernel.h>
50 #include <sys/errno.h>
51 #include <sys/ioctl.h>
52 #include <sys/syslog.h>
53 #include <sys/queue.h>
54 #include <sys/callout.h>
55 #include <sys/cprng.h>
56 
57 #include <net/if.h>
58 #include <net/if_types.h>
59 #include <net/if_dl.h>
60 #include <net/if_llatbl.h>
61 #include <net/nd.h>
62 #include <net/route.h>
63 
64 #include <netinet/in.h>
65 #include <netinet/in_var.h>
66 #include <netinet6/in6_var.h>
67 #include <netinet6/in6_ifattach.h>
68 #include <netinet/ip6.h>
69 #include <netinet6/ip6_var.h>
70 #include <netinet6/scope6_var.h>
71 #include <netinet6/nd6.h>
72 #include <netinet/icmp6.h>
73 #include <netinet6/icmp6_private.h>
74 
75 #include "carp.h"
76 #if NCARP > 0
77 #include <netinet/ip_carp.h>
78 #endif
79 
80 struct dadq;
81 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *, bool *);
82 static bool nd6_dad_ownnonce(struct ifaddr *, struct nd_opt_nonce *nonce);
83 static void nd6_dad_starttimer(struct dadq *, int);
84 static void nd6_dad_destroytimer(struct dadq *);
85 static void nd6_dad_timer(struct dadq *);
86 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *);
87 static void nd6_dad_input(struct ifaddr *, struct nd_opt_nonce *,
88     const struct sockaddr_dl *);
89 static void nd6_dad_duplicated(struct ifaddr *, struct dadq *,
90     const struct sockaddr_dl *);
91 
92 static int dad_maxtry = 15;	/* max # of *tries* to transmit DAD packet */
93 
94 /*
95  * Input a Neighbor Solicitation Message.
96  *
97  * Based on RFC 2461
98  * Based on RFC 2462 (duplicate address detection)
99  */
100 void
101 nd6_ns_input(struct mbuf *m, int off, int icmp6len)
102 {
103 	struct ifnet *ifp, *ifpc;
104 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
105 	struct nd_neighbor_solicit *nd_ns;
106 	struct in6_addr saddr6 = ip6->ip6_src;
107 	struct in6_addr daddr6 = ip6->ip6_dst;
108 	struct in6_addr taddr6;
109 	struct in6_addr myaddr6;
110 	char *lladdr = NULL;
111 	struct ifaddr *ifa = NULL;
112 	int lladdrlen = 0;
113 	int anycast = 0, proxy = 0, tentative = 0;
114 	int router = ip6_forwarding;
115 	int tlladdr;
116 	union nd_opts ndopts;
117 	const struct sockaddr_dl *proxydl = NULL;
118 	struct psref psref;
119 	struct psref psref_c;
120 	struct psref psref_ia;
121 	char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN];
122 
123 	ifp = ifpc = m_get_rcvif_psref(m, &psref);
124 	if (ifp == NULL)
125 		goto freeit;
126 
127 	IP6_EXTHDR_GET(nd_ns, struct nd_neighbor_solicit *, m, off, icmp6len);
128 	if (nd_ns == NULL) {
129 		ICMP6_STATINC(ICMP6_STAT_TOOSHORT);
130 		m_put_rcvif_psref(ifp, &psref);
131 		return;
132 	}
133 	ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */
134 	taddr6 = nd_ns->nd_ns_target;
135 	if (in6_setscope(&taddr6, ifp, NULL) != 0)
136 		goto bad;
137 
138 	if (ip6->ip6_hlim != 255) {
139 		nd6log(LOG_ERR, "invalid hlim (%d) from %s to %s on %s\n",
140 		    ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src),
141 		    IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp));
142 		goto bad;
143 	}
144 
145 	if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
146 		/* dst has to be a solicited node multicast address. */
147 		/* don't check ifindex portion */
148 		if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL &&
149 		    daddr6.s6_addr32[1] == 0 &&
150 		    daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE &&
151 		    daddr6.s6_addr8[12] == 0xff) {
152 			; /* good */
153 		} else {
154 			nd6log(LOG_INFO, "bad DAD packet (wrong ip6 dst)\n");
155 			goto bad;
156 		}
157 	} else {
158 		struct sockaddr_in6 ssin6;
159 
160 		/*
161 		 * Make sure the source address is from a neighbor's address.
162 		 */
163 		sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0);
164 		if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) {
165 			nd6log(LOG_INFO,
166 			    "NS packet from non-neighbor %s on %s\n",
167 			    IN6_PRINT(ip6buf, &saddr6), if_name(ifp));
168 			goto bad;
169 		}
170 	}
171 
172 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
173 		nd6log(LOG_INFO, "bad NS target (multicast)\n");
174 		goto bad;
175 	}
176 
177 	icmp6len -= sizeof(*nd_ns);
178 	nd6_option_init(nd_ns + 1, icmp6len, &ndopts);
179 	if (nd6_options(&ndopts) < 0) {
180 		nd6log(LOG_INFO, "invalid ND option, ignored\n");
181 		/* nd6_options have incremented stats */
182 		goto freeit;
183 	}
184 
185 	if (ndopts.nd_opts_src_lladdr) {
186 		lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1);
187 		lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3;
188 	}
189 
190 	if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) {
191 		nd6log(LOG_INFO,
192 		    "bad DAD packet (link-layer address option)\n");
193 		goto bad;
194 	}
195 
196 	/*
197 	 * Attaching target link-layer address to the NA?
198 	 * (RFC 2461 7.2.4)
199 	 *
200 	 * NS IP dst is multicast			MUST add
201 	 * Otherwise					MAY be omitted
202 	 *
203 	 * In this implementation, we omit the target link-layer address
204 	 * in the "MAY" case.
205 	 */
206 #if 0 /* too much! */
207 	ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &daddr6);
208 	if (ifa && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST))
209 		tlladdr = 0;
210 	else
211 #endif
212 	if (!IN6_IS_ADDR_MULTICAST(&daddr6))
213 		tlladdr = 0;
214 	else
215 		tlladdr = 1;
216 
217 	/*
218 	 * Target address (taddr6) must be either:
219 	 * (1) Valid unicast/anycast address for my receiving interface,
220 	 * (2) Unicast address for which I'm offering proxy service, or
221 	 * (3) "tentative" address on which DAD is being performed.
222 	 */
223 	/* (1) and (3) check. */
224 #if NCARP > 0
225 	if (ifp->if_carp && ifp->if_type != IFT_CARP) {
226 		int s = pserialize_read_enter();
227 		ifa = carp_iamatch6(ifp->if_carp, &taddr6);
228 		if (ifa != NULL) {
229 			ifa_acquire(ifa, &psref_ia);
230 			if (ifa->ifa_ifp && ifa->ifa_ifp != ifp) {
231 				ifpc = ifa->ifa_ifp;
232 				if_acquire(ifpc, &psref_c);
233 			}
234 		}
235 
236 
237 		pserialize_read_exit(s);
238 	} else
239 		ifa = NULL;
240 	if (!ifa)
241 		ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6,
242 		    &psref_ia);
243 #else
244 	ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6,
245 	    &psref_ia);
246 #endif
247 
248 	/* (2) check. */
249 	if (ifa == NULL) {
250 		struct rtentry *rt;
251 		struct sockaddr_in6 tsin6;
252 
253 		sockaddr_in6_init(&tsin6, &taddr6, 0, 0, 0);
254 
255 		rt = rtalloc1(sin6tosa(&tsin6), 0);
256 		if (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
257 		    rt->rt_gateway->sa_family == AF_LINK) {
258 			/*
259 			 * proxy NDP for single entry
260 			 */
261 			ifa = (struct ifaddr *)in6ifa_ifpforlinklocal_psref(ifp,
262 				IN6_IFF_NOTREADY|IN6_IFF_ANYCAST, &psref_ia);
263 			if (ifa) {
264 				proxy = 1;
265 				proxydl = satocsdl(rt->rt_gateway);
266 				router = 0;	/* XXX */
267 			}
268 		}
269 		if (rt)
270 			rt_unref(rt);
271 	}
272 	if (ifa == NULL) {
273 		/*
274 		 * We've got an NS packet, and we don't have that address
275 		 * assigned for us.  We MUST silently ignore it.
276 		 * See RFC2461 7.2.3.
277 		 */
278 		goto freeit;
279 	}
280 	myaddr6 = *IFA_IN6(ifa);
281 	anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST;
282 	tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE;
283 	if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED)
284 		goto freeit;
285 
286 	if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
287 		nd6log(LOG_INFO, "lladdrlen mismatch for %s "
288 		    "(if %d, NS packet %d)\n",
289 		    IN6_PRINT(ip6buf, &taddr6),
290 		    ifp->if_addrlen, lladdrlen - 2);
291 		goto bad;
292 	}
293 
294 	if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) {
295 		nd6log(LOG_INFO, "duplicate IP6 address %s\n",
296 		    IN6_PRINT(ip6buf, &saddr6));
297 		goto freeit;
298 	}
299 
300 	/*
301 	 * We have neighbor solicitation packet, with target address equals to
302 	 * one of my tentative address.
303 	 *
304 	 * src addr	how to process?
305 	 * ---		---
306 	 * multicast	of course, invalid (rejected in ip6_input)
307 	 * unicast	somebody is doing address resolution -> ignore
308 	 * unspec	dup address detection
309 	 *
310 	 * The processing is defined in RFC 2462.
311 	 */
312 	if (tentative) {
313 		/*
314 		 * If source address is unspecified address, it is for
315 		 * duplicate address detection.
316 		 *
317 		 * If not, the packet is for address resolution;
318 		 * silently ignore it.
319 		 */
320 		if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
321 			struct sockaddr_dl sdl, *sdlp;
322 
323 			if (lladdr != NULL)
324 				sdlp = sockaddr_dl_init(&sdl, sizeof(sdl),
325 				    ifp->if_index, ifp->if_type,
326 				    NULL, 0, lladdr, lladdrlen);
327 			else
328 				sdlp = NULL;
329 			nd6_dad_input(ifa, ndopts.nd_opts_nonce, sdlp);
330 		}
331 		goto freeit;
332 	}
333 
334 	/*
335 	 * It looks that sender is performing DAD.
336 	 * Check that the nonce is not being used by the same address
337 	 * on another interface.
338 	 */
339 	if (IN6_IS_ADDR_UNSPECIFIED(&saddr6) && ndopts.nd_opts_nonce != NULL) {
340 		if (nd6_dad_ownnonce(ifa, ndopts.nd_opts_nonce))
341 			goto freeit;
342 	}
343 
344 	ifa_release(ifa, &psref_ia);
345 	ifa = NULL;
346 
347 	/*
348 	 * If the source address is unspecified address, entries must not
349 	 * be created or updated.
350 	 * It looks that sender is performing DAD.  Output NA toward
351 	 * all-node multicast address, to tell the sender that I'm using
352 	 * the address.
353 	 * S bit ("solicited") must be zero.
354 	 */
355 	if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
356 		struct in6_addr in6_all;
357 
358 		in6_all = in6addr_linklocal_allnodes;
359 		if (in6_setscope(&in6_all, ifp, NULL) != 0)
360 			goto bad;
361 		nd6_na_output(ifpc, &in6_all, &taddr6,
362 		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
363 		    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
364 		    tlladdr, (const struct sockaddr *)proxydl);
365 		goto freeit;
366 	}
367 
368 	nd6_cache_lladdr(ifpc, &saddr6, lladdr, lladdrlen, ND_NEIGHBOR_SOLICIT, 0);
369 
370 	nd6_na_output(ifp, &saddr6, &taddr6,
371 	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
372 	    (router ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
373 	    tlladdr, (const struct sockaddr *)proxydl);
374  freeit:
375 	ifa_release(ifa, &psref_ia);
376 	m_put_rcvif_psref(ifp, &psref);
377 	if (ifp != ifpc)
378 		if_put(ifpc, &psref_c);
379 
380 	m_freem(m);
381 	return;
382 
383  bad:
384 	nd6log(LOG_ERR, "src=%s\n", IN6_PRINT(ip6buf, &saddr6));
385 	nd6log(LOG_ERR, "dst=%s\n", IN6_PRINT(ip6buf, &daddr6));
386 	nd6log(LOG_ERR, "tgt=%s\n", IN6_PRINT(ip6buf, &taddr6));
387 	ICMP6_STATINC(ICMP6_STAT_BADNS);
388 	ifa_release(ifa, &psref_ia);
389 	m_put_rcvif_psref(ifp, &psref);
390 	m_freem(m);
391 }
392 
393 /*
394  * Output a Neighbor Solicitation Message. Caller specifies:
395  *	- ICMP6 header source IP6 address
396  *	- ND6 header target IP6 address
397  *	- ND6 header source datalink address
398  *
399  * Based on RFC 2461
400  * Based on RFC 2462 (duplicate address detection)
401  */
402 void
403 nd6_ns_output(struct ifnet *ifp, const struct in6_addr *daddr6,
404     const struct in6_addr *taddr6,
405     const struct in6_addr *hsrc,
406     const uint8_t *nonce	/* duplicate address detection */)
407 {
408 	struct mbuf *m;
409 	struct ip6_hdr *ip6;
410 	struct nd_neighbor_solicit *nd_ns;
411 	const struct in6_addr *src;
412 	struct in6_addr src_in;
413 	struct ip6_moptions im6o;
414 	int icmp6len;
415 	int maxlen;
416 	const void *mac;
417 	struct route ro;
418 
419 	if (IN6_IS_ADDR_MULTICAST(taddr6))
420 		return;
421 
422 	memset(&ro, 0, sizeof(ro));
423 
424 	/* estimate the size of message */
425 	maxlen = sizeof(*ip6) + sizeof(*nd_ns);
426 	maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
427 	KASSERTMSG(max_linkhdr + maxlen <= MCLBYTES,
428 	    "max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)",
429 	    max_linkhdr, maxlen, MCLBYTES);
430 
431 	MGETHDR(m, M_DONTWAIT, MT_DATA);
432 	if (m && max_linkhdr + maxlen >= MHLEN) {
433 		MCLGET(m, M_DONTWAIT);
434 		if ((m->m_flags & M_EXT) == 0) {
435 			m_free(m);
436 			m = NULL;
437 		}
438 	}
439 	if (m == NULL)
440 		return;
441 	m_reset_rcvif(m);
442 
443 	if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) {
444 		m->m_flags |= M_MCAST;
445 		im6o.im6o_multicast_if_index = if_get_index(ifp);
446 		im6o.im6o_multicast_hlim = 255;
447 		im6o.im6o_multicast_loop = 0;
448 	}
449 
450 	icmp6len = sizeof(*nd_ns);
451 	m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len;
452 	m->m_data += max_linkhdr;	/* or m_align() equivalent? */
453 
454 	/* fill neighbor solicitation packet */
455 	ip6 = mtod(m, struct ip6_hdr *);
456 	ip6->ip6_flow = 0;
457 	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
458 	ip6->ip6_vfc |= IPV6_VERSION;
459 	/* ip6->ip6_plen will be set later */
460 	ip6->ip6_nxt = IPPROTO_ICMPV6;
461 	ip6->ip6_hlim = 255;
462 	if (daddr6)
463 		ip6->ip6_dst = *daddr6;
464 	else {
465 		ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
466 		ip6->ip6_dst.s6_addr16[1] = 0;
467 		ip6->ip6_dst.s6_addr32[1] = 0;
468 		ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE;
469 		ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3];
470 		ip6->ip6_dst.s6_addr8[12] = 0xff;
471 		if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0)
472 			goto bad;
473 	}
474 	if (nonce == NULL) {
475 		int s;
476 		/*
477 		 * RFC2461 7.2.2:
478 		 * "If the source address of the packet prompting the
479 		 * solicitation is the same as one of the addresses assigned
480 		 * to the outgoing interface, that address SHOULD be placed
481 		 * in the IP Source Address of the outgoing solicitation.
482 		 * Otherwise, any one of the addresses assigned to the
483 		 * interface should be used."
484 		 *
485 		 * We use the source address for the prompting packet
486 		 * (hsrc), if:
487 		 * - hsrc is given from the caller (by giving "ln"), and
488 		 * - hsrc belongs to the outgoing interface.
489 		 * Otherwise, we perform the source address selection as usual.
490 		 */
491 		s = pserialize_read_enter();
492 		if (hsrc && in6ifa_ifpwithaddr(ifp, hsrc)) {
493 			pserialize_read_exit(s);
494 			src = hsrc;
495 		} else {
496 			int error;
497 			struct sockaddr_in6 dst_sa;
498 
499 			pserialize_read_exit(s);
500 
501 			sockaddr_in6_init(&dst_sa, &ip6->ip6_dst, 0, 0, 0);
502 
503 			error = in6_selectsrc(&dst_sa, NULL,
504 			    NULL, &ro, NULL, NULL, NULL, &src_in);
505 			if (error != 0) {
506 				char ip6buf[INET6_ADDRSTRLEN];
507 				nd6log(LOG_DEBUG, "source can't be "
508 				    "determined: dst=%s, error=%d\n",
509 				    IN6_PRINT(ip6buf, &dst_sa.sin6_addr),
510 				    error);
511 				goto bad;
512 			}
513 			src = &src_in;
514 		}
515 	} else {
516 		/*
517 		 * Source address for DAD packet must always be IPv6
518 		 * unspecified address. (0::0)
519 		 * We actually don't have to 0-clear the address (we did it
520 		 * above), but we do so here explicitly to make the intention
521 		 * clearer.
522 		 */
523 		memset(&src_in, 0, sizeof(src_in));
524 		src = &src_in;
525 	}
526 	ip6->ip6_src = *src;
527 	nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1);
528 	nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT;
529 	nd_ns->nd_ns_code = 0;
530 	nd_ns->nd_ns_reserved = 0;
531 	nd_ns->nd_ns_target = *taddr6;
532 	in6_clearscope(&nd_ns->nd_ns_target); /* XXX */
533 
534 	/*
535 	 * Add source link-layer address option.
536 	 *
537 	 *				spec		implementation
538 	 *				---		---
539 	 * DAD packet			MUST NOT	do not add the option
540 	 * there's no link layer address:
541 	 *				impossible	do not add the option
542 	 * there's link layer address:
543 	 *	Multicast NS		MUST add one	add the option
544 	 *	Unicast NS		SHOULD add one	add the option
545 	 */
546 	if (nonce == NULL && (mac = nd6_ifptomac(ifp))) {
547 		int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
548 		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
549 		/* 8 byte alignments... */
550 		optlen = (optlen + 7) & ~7;
551 
552 		m->m_pkthdr.len += optlen;
553 		m->m_len += optlen;
554 		icmp6len += optlen;
555 		memset((void *)nd_opt, 0, optlen);
556 		nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR;
557 		nd_opt->nd_opt_len = optlen >> 3;
558 		memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen);
559 	}
560 
561 	/* Add a nonce option (RFC 3971) to detect looped back NS messages.
562 	 * This behavior is documented in RFC 7527. */
563 	if (nonce != NULL) {
564 		int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN;
565 		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
566 
567 		/* 8-byte alignment is required. */
568 		optlen = (optlen + 7) & ~7;
569 		m->m_pkthdr.len += optlen;
570 		m->m_len += optlen;
571 		icmp6len += optlen;
572 		memset(nd_opt, 0, optlen);
573 		nd_opt->nd_opt_type = ND_OPT_NONCE;
574 		nd_opt->nd_opt_len = optlen >> 3;
575 		memcpy(nd_opt + 1, nonce, ND_OPT_NONCE_LEN);
576 	}
577 
578 	ip6->ip6_plen = htons((u_int16_t)icmp6len);
579 	nd_ns->nd_ns_cksum = 0;
580 	nd_ns->nd_ns_cksum =
581 	    in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
582 
583 	ip6_output(m, NULL, &ro, nonce != NULL ? IPV6_UNSPECSRC : 0,
584 	    &im6o, NULL, NULL);
585 	icmp6_ifstat_inc(ifp, ifs6_out_msg);
586 	icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit);
587 	ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_SOLICIT);
588 
589 	rtcache_free(&ro);
590 	return;
591 
592   bad:
593 	rtcache_free(&ro);
594 	m_freem(m);
595 	return;
596 }
597 
598 /*
599  * Neighbor advertisement input handling.
600  *
601  * Based on RFC 2461
602  * Based on RFC 2462 (duplicate address detection)
603  *
604  * the following items are not implemented yet:
605  * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
606  * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
607  */
608 void
609 nd6_na_input(struct mbuf *m, int off, int icmp6len)
610 {
611 	struct ifnet *ifp;
612 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
613 	struct nd_neighbor_advert *nd_na;
614 	struct in6_addr saddr6 = ip6->ip6_src;
615 	struct in6_addr daddr6 = ip6->ip6_dst;
616 	struct in6_addr taddr6;
617 	int flags;
618 	int is_router;
619 	int is_solicited;
620 	int is_override;
621 	int rt_cmd;
622 	char *lladdr = NULL;
623 	int lladdrlen = 0;
624 	struct ifaddr *ifa;
625 	struct llentry *ln = NULL;
626 	union nd_opts ndopts;
627 	struct sockaddr_in6 ssin6;
628 	struct psref psref;
629 	struct psref psref_ia;
630 	char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN];
631 
632 	ifp = m_get_rcvif_psref(m, &psref);
633 	if (ifp == NULL)
634 		goto freeit;
635 
636 	if (ip6->ip6_hlim != 255) {
637 		nd6log(LOG_ERR,
638 		    "invalid hlim (%d) from %s to %s on %s\n",
639 		    ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src),
640 		    IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp));
641 		goto bad;
642 	}
643 
644 	IP6_EXTHDR_GET(nd_na, struct nd_neighbor_advert *, m, off, icmp6len);
645 	if (nd_na == NULL) {
646 		m_put_rcvif_psref(ifp, &psref);
647 		ICMP6_STATINC(ICMP6_STAT_TOOSHORT);
648 		return;
649 	}
650 
651 	flags = nd_na->nd_na_flags_reserved;
652 	is_router = ((flags & ND_NA_FLAG_ROUTER) != 0);
653 	is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0);
654 	is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0);
655 
656 	taddr6 = nd_na->nd_na_target;
657 	if (in6_setscope(&taddr6, ifp, NULL)) {
658 		goto bad;
659 	}
660 
661 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
662 		nd6log(LOG_ERR, "invalid target address %s\n",
663 		    IN6_PRINT(ip6buf, &taddr6));
664 		goto bad;
665 	}
666 	if (is_solicited && IN6_IS_ADDR_MULTICAST(&daddr6)) {
667 		nd6log(LOG_ERR, "a solicited adv is multicasted\n");
668 		goto bad;
669 	}
670 
671 	icmp6len -= sizeof(*nd_na);
672 	nd6_option_init(nd_na + 1, icmp6len, &ndopts);
673 	if (nd6_options(&ndopts) < 0) {
674 		nd6log(LOG_INFO, "invalid ND option, ignored\n");
675 		/* nd6_options have incremented stats */
676 		goto freeit;
677 	}
678 
679 	if (ndopts.nd_opts_tgt_lladdr != NULL) {
680 		struct ifnet *ifp_ll;
681 		struct psref psref_ll;
682 
683 		lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
684 		lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
685 
686 		if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
687 			nd6log(LOG_INFO, "lladdrlen mismatch for %s "
688 			    "(if %d, NA packet %d)\n",
689 			    IN6_PRINT(ip6buf, &taddr6),
690 			    ifp->if_addrlen, lladdrlen - 2);
691 			goto bad;
692 		}
693 
694 		ifp_ll = if_get_bylla(lladdr, ifp->if_addrlen, &psref_ll);
695 		if (ifp_ll != NULL) {
696 			/* it's from me, ignore it. */
697 			if_put(ifp_ll, &psref_ll);
698 			goto freeit;
699 		}
700 	}
701 
702 	ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, &psref_ia);
703 
704 	/*
705 	 * Target address matches one of my interface address.
706 	 *
707 	 * If my address is tentative, this means that there's somebody
708 	 * already using the same address as mine.  This indicates DAD failure.
709 	 * This is defined in RFC 2462.
710 	 *
711 	 * Otherwise, process as defined in RFC 2461.
712 	 */
713 	if (ifa) {
714 		if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE) {
715 			struct sockaddr_dl sdl, *sdlp;
716 
717 			if (lladdr != NULL)
718 				sdlp = sockaddr_dl_init(&sdl, sizeof(sdl),
719 				    ifp->if_index, ifp->if_type,
720 				    NULL, 0, lladdr, lladdrlen);
721 			else
722 				sdlp = NULL;
723 			nd6_dad_input(ifa, NULL, sdlp);
724 		} else
725 			log(LOG_ERR,
726 			    "nd6_na_input: duplicate IP6 address %s\n",
727 			    IN6_PRINT(ip6buf, &taddr6));
728 		ifa_release(ifa, &psref_ia);
729 		ifa = NULL;
730 		goto freeit;
731 	}
732 
733 	/*
734 	 * Make sure the source address is from a neighbor's address.
735 	 */
736 	sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0);
737 	if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) {
738 		nd6log(LOG_INFO, "ND packet from non-neighbor %s on %s\n",
739 		    IN6_PRINT(ip6buf, &saddr6), if_name(ifp));
740 		goto bad;
741 	}
742 
743 	/*
744 	 * If no neighbor cache entry is found, NA SHOULD silently be
745 	 * discarded.
746 	 */
747 	ln = nd6_lookup(&taddr6, ifp, true);
748 	if (ln == NULL)
749 		goto freeit;
750 
751 	rt_cmd = 0;
752 	if (ln->ln_state <= ND_LLINFO_INCOMPLETE) {
753 		/*
754 		 * If the link-layer has address, and no lladdr option came,
755 		 * discard the packet.
756 		 */
757 		if (ifp->if_addrlen && !lladdr)
758 			goto freeit;
759 
760 		/*
761 		 * Record link-layer address, and update the state.
762 		 */
763 		memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen);
764 		ln->la_flags |= LLE_VALID;
765 		rt_cmd = RTM_ADD;
766 		if (is_solicited) {
767 			ln->ln_state = ND_LLINFO_REACHABLE;
768 			ln->ln_byhint = 0;
769 			if (!ND_IS_LLINFO_PERMANENT(ln))
770 				nd_set_timer(ln, ND_TIMER_REACHABLE);
771 		} else {
772 			ln->ln_state = ND_LLINFO_STALE;
773 			nd_set_timer(ln, ND_TIMER_GC);
774 		}
775 	} else {
776 		bool llchange;
777 
778 		/*
779 		 * Check if the link-layer address has changed or not.
780 		 */
781 		if (lladdr == NULL)
782 			llchange = false;
783 		else {
784 			if (ln->la_flags & LLE_VALID) {
785 				if (memcmp(lladdr, &ln->ll_addr, ifp->if_addrlen))
786 					llchange = true;
787 				else
788 					llchange = false;
789 			} else
790 				llchange = true;
791 		}
792 		if (llchange)
793 			rt_cmd = RTM_CHANGE;
794 
795 		/*
796 		 * This is VERY complex.  Look at it with care.
797 		 *
798 		 * override solicit lladdr llchange	action
799 		 *					(L: record lladdr)
800 		 *
801 		 *	0	0	n	--	(2c)
802 		 *	0	0	y	n	(2b) L
803 		 *	0	0	y	y	(1)    REACHABLE->STALE
804 		 *	0	1	n	--	(2c)   *->REACHABLE
805 		 *	0	1	y	n	(2b) L *->REACHABLE
806 		 *	0	1	y	y	(1)    REACHABLE->STALE
807 		 *	1	0	n	--	(2a)
808 		 *	1	0	y	n	(2a) L
809 		 *	1	0	y	y	(2a) L *->STALE
810 		 *	1	1	n	--	(2a)   *->REACHABLE
811 		 *	1	1	y	n	(2a) L *->REACHABLE
812 		 *	1	1	y	y	(2a) L *->REACHABLE
813 		 */
814 		if (!is_override && lladdr != NULL && llchange) { /* (1) */
815 			/*
816 			 * If state is REACHABLE, make it STALE.
817 			 * no other updates should be done.
818 			 */
819 			if (ln->ln_state == ND_LLINFO_REACHABLE) {
820 				ln->ln_state = ND_LLINFO_STALE;
821 				nd_set_timer(ln, ND_TIMER_GC);
822 			}
823 			goto freeit;
824 		} else if (is_override				   /* (2a) */
825 		    || (!is_override && lladdr != NULL && !llchange) /* (2b) */
826 		    || lladdr == NULL) {			   /* (2c) */
827 			/*
828 			 * Update link-local address, if any.
829 			 */
830 			if (lladdr != NULL) {
831 				memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen);
832 				ln->la_flags |= LLE_VALID;
833 			}
834 
835 			/*
836 			 * If solicited, make the state REACHABLE.
837 			 * If not solicited and the link-layer address was
838 			 * changed, make it STALE.
839 			 */
840 			if (is_solicited) {
841 				ln->ln_state = ND_LLINFO_REACHABLE;
842 				ln->ln_byhint = 0;
843 				if (!ND_IS_LLINFO_PERMANENT(ln))
844 					nd_set_timer(ln, ND_TIMER_REACHABLE);
845 			} else {
846 				if (lladdr && llchange) {
847 					ln->ln_state = ND_LLINFO_STALE;
848 					nd_set_timer(ln, ND_TIMER_GC);
849 				}
850 			}
851 		}
852 		ln->ln_router = is_router;
853 	}
854         /*
855 	 * XXX: does this matter?
856 	 * rt->rt_flags &= ~RTF_REJECT;
857 	 */
858 	ln->ln_asked = 0;
859 	nd6_llinfo_release_pkts(ln, ifp);
860 
861 	if (rt_cmd != 0) {
862 		struct sockaddr_in6 sin6;
863 
864 		sockaddr_in6_init(&sin6, &ln->r_l3addr.addr6, 0, 0, 0);
865 		rt_clonedmsg(rt_cmd, sin6tosa(&ssin6), sin6tosa(&sin6),
866 		    (char *)&ln->ll_addr, ln->lle_tbl->llt_ifp);
867 	}
868 
869  freeit:
870 	if (ln != NULL)
871 		LLE_WUNLOCK(ln);
872 
873 	m_put_rcvif_psref(ifp, &psref);
874 	m_freem(m);
875 	return;
876 
877  bad:
878 	if (ln != NULL)
879 		LLE_WUNLOCK(ln);
880 
881 	ICMP6_STATINC(ICMP6_STAT_BADNA);
882 	m_put_rcvif_psref(ifp, &psref);
883 	m_freem(m);
884 }
885 
886 /*
887  * Neighbor advertisement output handling.
888  *
889  * Based on RFC 2461
890  *
891  * the following items are not implemented yet:
892  * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
893  * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
894  */
895 void
896 nd6_na_output(
897 	struct ifnet *ifp,
898 	const struct in6_addr *daddr6_0,
899 	const struct in6_addr *taddr6,
900 	u_long flags,
901 	int tlladdr,		/* 1 if include target link-layer address */
902 	const struct sockaddr *sdl0)	/* sockaddr_dl (= proxy NA) or NULL */
903 {
904 	struct mbuf *m;
905 	struct ip6_hdr *ip6;
906 	struct nd_neighbor_advert *nd_na;
907 	struct ip6_moptions im6o;
908 	struct sockaddr *dst;
909 	union {
910 		struct sockaddr		dst;
911 		struct sockaddr_in6	dst6;
912 	} u;
913 	struct in6_addr daddr6;
914 	int icmp6len, maxlen, error;
915 	const void *mac;
916 	struct route ro;
917 
918 	mac = NULL;
919 	memset(&ro, 0, sizeof(ro));
920 
921 	daddr6 = *daddr6_0;	/* make a local copy for modification */
922 
923 	/* estimate the size of message */
924 	maxlen = sizeof(*ip6) + sizeof(*nd_na);
925 	maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
926 	KASSERTMSG(max_linkhdr + maxlen <= MCLBYTES,
927 	    "max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)",
928 	    max_linkhdr, maxlen, MCLBYTES);
929 
930 	MGETHDR(m, M_DONTWAIT, MT_DATA);
931 	if (m && max_linkhdr + maxlen >= MHLEN) {
932 		MCLGET(m, M_DONTWAIT);
933 		if ((m->m_flags & M_EXT) == 0) {
934 			m_free(m);
935 			m = NULL;
936 		}
937 	}
938 	if (m == NULL)
939 		return;
940 	m_reset_rcvif(m);
941 
942 	if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
943 		m->m_flags |= M_MCAST;
944 		im6o.im6o_multicast_if_index = if_get_index(ifp);
945 		im6o.im6o_multicast_hlim = 255;
946 		im6o.im6o_multicast_loop = 0;
947 	}
948 
949 	icmp6len = sizeof(*nd_na);
950 	m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len;
951 	m->m_data += max_linkhdr;	/* or m_align() equivalent? */
952 
953 	/* fill neighbor advertisement packet */
954 	ip6 = mtod(m, struct ip6_hdr *);
955 	ip6->ip6_flow = 0;
956 	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
957 	ip6->ip6_vfc |= IPV6_VERSION;
958 	ip6->ip6_nxt = IPPROTO_ICMPV6;
959 	ip6->ip6_hlim = 255;
960 	if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) {
961 		/* reply to DAD */
962 		daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
963 		daddr6.s6_addr16[1] = 0;
964 		daddr6.s6_addr32[1] = 0;
965 		daddr6.s6_addr32[2] = 0;
966 		daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE;
967 		if (in6_setscope(&daddr6, ifp, NULL))
968 			goto bad;
969 
970 		flags &= ~ND_NA_FLAG_SOLICITED;
971 	}
972 	ip6->ip6_dst = daddr6;
973 	sockaddr_in6_init(&u.dst6, &daddr6, 0, 0, 0);
974 	dst = &u.dst;
975 	if (rtcache_setdst(&ro, dst) != 0)
976 		goto bad;
977 
978 	/*
979 	 * Select a source whose scope is the same as that of the dest.
980 	 */
981 	error = in6_selectsrc(satosin6(dst), NULL, NULL, &ro, NULL, NULL, NULL,
982 	    &ip6->ip6_src);
983 	if (error != 0) {
984 		char ip6buf[INET6_ADDRSTRLEN];
985 		nd6log(LOG_DEBUG, "source can't be "
986 		    "determined: dst=%s, error=%d\n",
987 		    IN6_PRINT(ip6buf, &satocsin6(dst)->sin6_addr), error);
988 		goto bad;
989 	}
990 	nd_na = (struct nd_neighbor_advert *)(ip6 + 1);
991 	nd_na->nd_na_type = ND_NEIGHBOR_ADVERT;
992 	nd_na->nd_na_code = 0;
993 	nd_na->nd_na_target = *taddr6;
994 	in6_clearscope(&nd_na->nd_na_target); /* XXX */
995 
996 	/*
997 	 * "tlladdr" indicates NS's condition for adding tlladdr or not.
998 	 * see nd6_ns_input() for details.
999 	 * Basically, if NS packet is sent to unicast/anycast addr,
1000 	 * target lladdr option SHOULD NOT be included.
1001 	 */
1002 	if (tlladdr) {
1003 		/*
1004 		 * sdl0 != NULL indicates proxy NA.  If we do proxy, use
1005 		 * lladdr in sdl0.  If we are not proxying (sending NA for
1006 		 * my address) use lladdr configured for the interface.
1007 		 */
1008 		if (sdl0 == NULL)
1009 			mac = nd6_ifptomac(ifp);
1010 		else if (sdl0->sa_family == AF_LINK) {
1011 			const struct sockaddr_dl *sdl;
1012 			sdl = satocsdl(sdl0);
1013 			if (sdl->sdl_alen == ifp->if_addrlen)
1014 				mac = CLLADDR(sdl);
1015 		}
1016 	}
1017 	if (tlladdr && mac) {
1018 		int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
1019 		struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1);
1020 
1021 		/* roundup to 8 bytes alignment! */
1022 		optlen = (optlen + 7) & ~7;
1023 
1024 		m->m_pkthdr.len += optlen;
1025 		m->m_len += optlen;
1026 		icmp6len += optlen;
1027 		memset((void *)nd_opt, 0, optlen);
1028 		nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
1029 		nd_opt->nd_opt_len = optlen >> 3;
1030 		memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen);
1031 	} else
1032 		flags &= ~ND_NA_FLAG_OVERRIDE;
1033 
1034 	ip6->ip6_plen = htons((u_int16_t)icmp6len);
1035 	nd_na->nd_na_flags_reserved = flags;
1036 	nd_na->nd_na_cksum = 0;
1037 	nd_na->nd_na_cksum =
1038 	    in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
1039 
1040 	ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL);
1041 
1042 	icmp6_ifstat_inc(ifp, ifs6_out_msg);
1043 	icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert);
1044 	ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_ADVERT);
1045 
1046 	rtcache_free(&ro);
1047 	return;
1048 
1049   bad:
1050 	rtcache_free(&ro);
1051 	m_freem(m);
1052 	return;
1053 }
1054 
1055 const void *
1056 nd6_ifptomac(const struct ifnet *ifp)
1057 {
1058 	switch (ifp->if_type) {
1059 	case IFT_ARCNET:
1060 	case IFT_ETHER:
1061 	case IFT_IEEE1394:
1062 	case IFT_PROPVIRTUAL:
1063 	case IFT_CARP:
1064 	case IFT_L2VLAN:
1065 	case IFT_IEEE80211:
1066 		return CLLADDR(ifp->if_sadl);
1067 	default:
1068 		return NULL;
1069 	}
1070 }
1071 
1072 TAILQ_HEAD(dadq_head, dadq);
1073 struct dadq {
1074 	TAILQ_ENTRY(dadq) dad_list;
1075 	struct ifaddr *dad_ifa;
1076 	int dad_count;			/* max NS to send */
1077 	int dad_ns_tcount;		/* # of trials to send NS */
1078 	int dad_ns_ocount;		/* NS sent so far */
1079 	int dad_ns_lcount;		/* looped back NS */
1080 	struct callout dad_timer_ch;
1081 #define	ND_OPT_NONCE_STORE	3	/* dad_count should not exceed this */
1082 	/*
1083 	 * The default ip6_dad_count is 1 as specified by RFC 4862 and
1084 	 * practically must users won't exceed this.
1085 	 * A storage of 3 is defaulted to here, in-case the administrator wants
1086 	 * to match the equivalent behaviour in our ARP implementation.
1087 	 * This constraint could be removed by sending the on wire nonce as
1088 	 * hmac(key, dad_ns_ocount), but that would increase the nonce size
1089 	 * sent on the wire.
1090 	 */
1091 	uint8_t dad_nonce[ND_OPT_NONCE_STORE][ND_OPT_NONCE_LEN];
1092 };
1093 
1094 static struct dadq_head dadq;
1095 static kmutex_t nd6_dad_lock;
1096 
1097 void
1098 nd6_nbr_init(void)
1099 {
1100 
1101 	TAILQ_INIT(&dadq);
1102 	mutex_init(&nd6_dad_lock, MUTEX_DEFAULT, IPL_NONE);
1103 }
1104 
1105 static struct dadq *
1106 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *nonce, bool *found_nonce)
1107 {
1108 	struct in6_addr *myaddr6, *dadaddr6;
1109 	bool match_ifa;
1110 	struct dadq *dp;
1111 	int i, nonce_max;
1112 
1113 	KASSERT(mutex_owned(&nd6_dad_lock));
1114 	KASSERT(ifa != NULL);
1115 
1116 	myaddr6 = IFA_IN6(ifa);
1117 	if (nonce != NULL &&
1118 	    nonce->nd_opt_nonce_len != (ND_OPT_NONCE_LEN + 2) / 8)
1119 		nonce = NULL;
1120 	match_ifa = nonce == NULL || found_nonce == NULL || *found_nonce == false;
1121 	if (found_nonce != NULL)
1122 		*found_nonce = false;
1123 
1124 	TAILQ_FOREACH(dp, &dadq, dad_list) {
1125 		if (match_ifa) {
1126 			if (dp->dad_ifa != ifa)
1127 				continue;
1128 		} else {
1129 			dadaddr6 = IFA_IN6(dp->dad_ifa);
1130 			if (!IN6_ARE_ADDR_EQUAL(myaddr6, dadaddr6))
1131 				continue;
1132 		}
1133 
1134 		if (nonce == NULL)
1135 			break;
1136 
1137 		nonce_max = MIN(dp->dad_ns_ocount, ND_OPT_NONCE_STORE);
1138 		for (i = 0; i < nonce_max; i++) {
1139 			if (memcmp(nonce->nd_opt_nonce,
1140 			    dp->dad_nonce[i],
1141 			    ND_OPT_NONCE_LEN) == 0)
1142 				break;
1143 		}
1144 		if (i < nonce_max) {
1145 			char ip6buf[INET6_ADDRSTRLEN];
1146 
1147 			*found_nonce = true;
1148 			log(LOG_DEBUG,
1149 			    "%s: detected a looped back NS message for %s\n",
1150 			    if_name(ifa->ifa_ifp), IN6_PRINT(ip6buf, myaddr6));
1151 			dp->dad_ns_lcount++;
1152 			continue;
1153 		}
1154 
1155 		break;
1156 	}
1157 	return dp;
1158 }
1159 
1160 static bool
1161 nd6_dad_ownnonce(struct ifaddr *ifa, struct nd_opt_nonce *nonce)
1162 {
1163 	bool found_nonce = true;
1164 
1165 	mutex_enter(&nd6_dad_lock);
1166 	nd6_dad_find(ifa, nonce, &found_nonce);
1167 	mutex_exit(&nd6_dad_lock);
1168 
1169 	return found_nonce;
1170 }
1171 
1172 static void
1173 nd6_dad_starttimer(struct dadq *dp, int ticks)
1174 {
1175 
1176 	callout_reset(&dp->dad_timer_ch, ticks,
1177 	    (void (*)(void *))nd6_dad_timer, dp);
1178 }
1179 
1180 static void
1181 nd6_dad_stoptimer(struct dadq *dp)
1182 {
1183 
1184 	KASSERT(mutex_owned(&nd6_dad_lock));
1185 
1186 	TAILQ_REMOVE(&dadq, dp, dad_list);
1187 	/* Tell the timer that dp is being destroyed. */
1188 	dp->dad_ifa = NULL;
1189 	callout_halt(&dp->dad_timer_ch, &nd6_dad_lock);
1190 }
1191 
1192 static void
1193 nd6_dad_destroytimer(struct dadq *dp)
1194 {
1195 
1196 	KASSERT(dp->dad_ifa == NULL);
1197 	callout_destroy(&dp->dad_timer_ch);
1198 	kmem_intr_free(dp, sizeof(*dp));
1199 }
1200 
1201 /*
1202  * Start Duplicate Address Detection (DAD) for specified interface address.
1203  *
1204  * Note that callout is used when xtick > 0 and not when xtick == 0.
1205  *
1206  * xtick: minimum delay ticks for IFF_UP event
1207  */
1208 void
1209 nd6_dad_start(struct ifaddr *ifa, int xtick)
1210 {
1211 	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1212 	struct dadq *dp;
1213 	char ip6buf[INET6_ADDRSTRLEN];
1214 
1215 	/*
1216 	 * If we don't need DAD, don't do it.
1217 	 * There are several cases:
1218 	 * - DAD is disabled
1219 	 * - the interface address is anycast
1220 	 */
1221 	if (!(ia->ia6_flags & IN6_IFF_TENTATIVE)) {
1222 		log(LOG_DEBUG,
1223 			"nd6_dad_start: called with non-tentative address "
1224 			"%s(%s)\n",
1225 			IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr),
1226 			if_name(ifa->ifa_ifp));
1227 		return;
1228 	}
1229 	if (ia->ia6_flags & IN6_IFF_ANYCAST || !ip6_dad_enabled()) {
1230 		ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1231 		rt_addrmsg(RTM_NEWADDR, ifa);
1232 		return;
1233 	}
1234 	if (!(ifa->ifa_ifp->if_flags & IFF_UP))
1235 		return;
1236 
1237 	dp = kmem_intr_alloc(sizeof(*dp), KM_NOSLEEP);
1238 
1239 	mutex_enter(&nd6_dad_lock);
1240 	if (nd6_dad_find(ifa, NULL, NULL) != NULL) {
1241 		mutex_exit(&nd6_dad_lock);
1242 		/* DAD already in progress */
1243 		if (dp != NULL)
1244 			kmem_intr_free(dp, sizeof(*dp));
1245 		return;
1246 	}
1247 
1248 	if (dp == NULL) {
1249 		mutex_exit(&nd6_dad_lock);
1250 		log(LOG_ERR, "nd6_dad_start: memory allocation failed for "
1251 			"%s(%s)\n",
1252 			IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr),
1253 			if_name(ifa->ifa_ifp));
1254 		return;
1255 	}
1256 
1257 	/*
1258 	 * Send NS packet for DAD, ip6_dad_count times.
1259 	 * Note that we must delay the first transmission, if this is the
1260 	 * first packet to be sent from the interface after interface
1261 	 * (re)initialization.
1262 	 */
1263 	callout_init(&dp->dad_timer_ch, CALLOUT_MPSAFE);
1264 	dp->dad_ifa = ifa;
1265 	ifaref(ifa);	/* just for safety */
1266 	dp->dad_count = ip6_dad_count;
1267 	dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
1268 	dp->dad_ns_lcount = 0;
1269 	TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list);
1270 
1271 	nd6log(LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp),
1272 	    IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr));
1273 
1274 	if (xtick == 0) {
1275 		nd6_dad_ns_output(dp, ifa);
1276 		nd6_dad_starttimer(dp,
1277 		    (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000);
1278 	} else
1279 		nd6_dad_starttimer(dp, xtick);
1280 	mutex_exit(&nd6_dad_lock);
1281 }
1282 
1283 /*
1284  * terminate DAD unconditionally.  used for address removals.
1285  */
1286 void
1287 nd6_dad_stop(struct ifaddr *ifa)
1288 {
1289 	struct dadq *dp;
1290 
1291 	mutex_enter(&nd6_dad_lock);
1292 	dp = nd6_dad_find(ifa, NULL, NULL);
1293 	if (dp == NULL) {
1294 		mutex_exit(&nd6_dad_lock);
1295 		/* DAD wasn't started yet */
1296 		return;
1297 	}
1298 
1299 	/* Prevent the timer from running anymore. */
1300 	nd6_dad_stoptimer(dp);
1301 
1302 	mutex_exit(&nd6_dad_lock);
1303 
1304 	nd6_dad_destroytimer(dp);
1305 	ifafree(ifa);
1306 }
1307 
1308 static void
1309 nd6_dad_timer(struct dadq *dp)
1310 {
1311 	struct ifaddr *ifa;
1312 	struct in6_ifaddr *ia;
1313 	char ip6buf[INET6_ADDRSTRLEN];
1314 	bool need_free = false;
1315 
1316 	KERNEL_LOCK_UNLESS_NET_MPSAFE();
1317 	mutex_enter(&nd6_dad_lock);
1318 
1319 	ifa = dp->dad_ifa;
1320 	if (ifa == NULL) {
1321 		/* dp is being destroyed by someone.  Do nothing. */
1322 		goto done;
1323 	}
1324 
1325 	ia = (struct in6_ifaddr *)ifa;
1326 	if (ia->ia6_flags & IN6_IFF_DUPLICATED) {
1327 		log(LOG_ERR, "nd6_dad_timer: called with duplicate address "
1328 			"%s(%s)\n",
1329 			IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr),
1330 			if_name(ifa->ifa_ifp));
1331 		goto done;
1332 	}
1333 	if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) {
1334 		log(LOG_ERR, "nd6_dad_timer: called with non-tentative address "
1335 			"%s(%s)\n",
1336 			IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr),
1337 			if_name(ifa->ifa_ifp));
1338 		goto done;
1339 	}
1340 
1341 	/* timeouted with IFF_{RUNNING,UP} check */
1342 	if (dp->dad_ns_tcount > dad_maxtry) {
1343 		nd6log(LOG_INFO, "%s: could not run DAD, driver problem?\n",
1344 			if_name(ifa->ifa_ifp));
1345 
1346 		nd6_dad_stoptimer(dp);
1347 		need_free = true;
1348 		goto done;
1349 	}
1350 
1351 	/* Need more checks? */
1352 	if (dp->dad_ns_ocount < dp->dad_count) {
1353 		/*
1354 		 * We have more NS to go.  Send NS packet for DAD.
1355 		 */
1356 		nd6_dad_ns_output(dp, ifa);
1357 		nd6_dad_starttimer(dp,
1358 		    (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000);
1359 	} else {
1360 		/*
1361 		 * We are done with DAD.  No NA came, no NS came.
1362 		 * No duplicate address found.
1363 		 */
1364 		ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1365 		rt_addrmsg(RTM_NEWADDR, ifa);
1366 
1367 		nd6log(LOG_DEBUG,
1368 		    "%s: DAD complete for %s - no duplicates found\n",
1369 		    if_name(ifa->ifa_ifp),
1370 		    IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr));
1371 
1372 		nd6_dad_stoptimer(dp);
1373 		need_free = true;
1374 	}
1375 done:
1376 	mutex_exit(&nd6_dad_lock);
1377 
1378 	if (need_free) {
1379 		nd6_dad_destroytimer(dp);
1380 		KASSERT(ifa != NULL);
1381 		ifafree(ifa);
1382 	}
1383 
1384 	KERNEL_UNLOCK_UNLESS_NET_MPSAFE();
1385 }
1386 
1387 static void
1388 nd6_dad_duplicated(struct ifaddr *ifa, struct dadq *dp,
1389     const struct sockaddr_dl *from)
1390 {
1391 	struct in6_ifaddr *ia;
1392 	struct ifnet *ifp;
1393 	char ip6buf[INET6_ADDRSTRLEN], llabuf[LLA_ADDRSTRLEN], *llastr;
1394 
1395 	KASSERT(mutex_owned(&nd6_dad_lock));
1396 	KASSERT(ifa != NULL);
1397 
1398 	ifp = ifa->ifa_ifp;
1399 	ia = (struct in6_ifaddr *)ifa;
1400 
1401 	ia->ia6_flags &= ~IN6_IFF_TENTATIVE;
1402 	ia->ia6_flags |= IN6_IFF_DUPLICATED;
1403 
1404 	if (__predict_false(from == NULL))
1405 		llastr = NULL;
1406 	else
1407 		llastr = lla_snprintf(llabuf, sizeof(llabuf),
1408 		    CLLADDR(from), from->sdl_alen);
1409 
1410 	log(LOG_ERR, "%s: DAD duplicate address %s from %s\n",
1411 	    if_name(ifp), IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), llastr);
1412 
1413 	/* Inform the routing socket that DAD has completed */
1414 	rt_addrmsg_src(RTM_NEWADDR, ifa, (const struct sockaddr *)from);
1415 
1416 	/*
1417 	 * If the address is a link-local address formed from an interface
1418 	 * identifier based on the hardware address which is supposed to be
1419 	 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP
1420 	 * operation on the interface SHOULD be disabled.
1421 	 * [rfc2462bis-03 Section 5.4.5]
1422 	 */
1423 	if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) {
1424 		struct in6_addr in6;
1425 
1426 		/*
1427 		 * To avoid over-reaction, we only apply this logic when we are
1428 		 * very sure that hardware addresses are supposed to be unique.
1429 		 */
1430 		switch (ifp->if_type) {
1431 		case IFT_ETHER:
1432 		case IFT_ATM:
1433 		case IFT_IEEE1394:
1434 		case IFT_IEEE80211:
1435 			in6 = ia->ia_addr.sin6_addr;
1436 			if (in6_get_hw_ifid(ifp, &in6) == 0 &&
1437 			    IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
1438 				ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED;
1439 				log(LOG_ERR, "%s: possible hardware address "
1440 				    "duplication detected, disable IPv6\n",
1441 				    if_name(ifp));
1442 			}
1443 			break;
1444 		}
1445 	}
1446 }
1447 
1448 static void
1449 nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa)
1450 {
1451 	struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1452 	struct ifnet *ifp = ifa->ifa_ifp;
1453 	uint8_t *nonce;
1454 
1455 	dp->dad_ns_tcount++;
1456 	if ((ifp->if_flags & IFF_UP) == 0) {
1457 #if 0
1458 		printf("%s: interface down?\n", if_name(ifp));
1459 #endif
1460 		return;
1461 	}
1462 	if ((ifp->if_flags & IFF_RUNNING) == 0) {
1463 #if 0
1464 		printf("%s: interface not running?\n", if_name(ifp));
1465 #endif
1466 		return;
1467 	}
1468 
1469 	dp->dad_ns_tcount = 0;
1470 	nonce = dp->dad_nonce[dp->dad_ns_ocount % ND_OPT_NONCE_STORE];
1471 	cprng_fast(nonce, ND_OPT_NONCE_LEN);
1472 	dp->dad_ns_ocount++;
1473 
1474 	nd6_ns_output(ifp, NULL, &ia->ia_addr.sin6_addr, NULL, nonce);
1475 }
1476 
1477 static void
1478 nd6_dad_input(struct ifaddr *ifa, struct nd_opt_nonce *nonce,
1479     const struct sockaddr_dl *from)
1480 {
1481 	struct dadq *dp;
1482 	bool found_nonce = false;
1483 
1484 	KASSERT(ifa != NULL);
1485 
1486 	mutex_enter(&nd6_dad_lock);
1487 	dp = nd6_dad_find(ifa, nonce, &found_nonce);
1488 	if (!found_nonce) {
1489 		nd6_dad_duplicated(ifa, dp, from);
1490 		if (dp != NULL)
1491 			nd6_dad_stoptimer(dp);
1492 	}
1493 	mutex_exit(&nd6_dad_lock);
1494 	if (dp != NULL) {
1495 		nd6_dad_destroytimer(dp);
1496 		ifafree(ifa);
1497 	}
1498 }
1499