FreeBSD/Linux Kernel Cross Reference
sys/netinet6/nd6.c
1 /*-
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $KAME: nd6.c,v 1.144 2001/05/24 07:44:00 itojun Exp $
30 */
31
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD: src/sys/netinet6/nd6.c,v 1.92 2008/10/02 15:37:58 zec Exp $");
34
35 #include "opt_inet.h"
36 #include "opt_inet6.h"
37 #include "opt_mac.h"
38
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/callout.h>
42 #include <sys/malloc.h>
43 #include <sys/mbuf.h>
44 #include <sys/socket.h>
45 #include <sys/sockio.h>
46 #include <sys/time.h>
47 #include <sys/kernel.h>
48 #include <sys/protosw.h>
49 #include <sys/errno.h>
50 #include <sys/syslog.h>
51 #include <sys/queue.h>
52 #include <sys/sysctl.h>
53
54 #include <net/if.h>
55 #include <net/if_arc.h>
56 #include <net/if_dl.h>
57 #include <net/if_types.h>
58 #include <net/iso88025.h>
59 #include <net/fddi.h>
60 #include <net/route.h>
61
62 #include <netinet/in.h>
63 #include <netinet/if_ether.h>
64 #include <netinet6/in6_var.h>
65 #include <netinet/ip6.h>
66 #include <netinet6/ip6_var.h>
67 #include <netinet6/scope6_var.h>
68 #include <netinet6/nd6.h>
69 #include <netinet/icmp6.h>
70
71 #include <sys/limits.h>
72 #include <sys/vimage.h>
73
74 #include <security/mac/mac_framework.h>
75
76 #define ND6_SLOWTIMER_INTERVAL (60 * 60) /* 1 hour */
77 #define ND6_RECALC_REACHTM_INTERVAL (60 * 120) /* 2 hours */
78
79 #define SIN6(s) ((struct sockaddr_in6 *)s)
80 #define SDL(s) ((struct sockaddr_dl *)s)
81
82 /* timer values */
83 int nd6_prune = 1; /* walk list every 1 seconds */
84 int nd6_delay = 5; /* delay first probe time 5 second */
85 int nd6_umaxtries = 3; /* maximum unicast query */
86 int nd6_mmaxtries = 3; /* maximum multicast query */
87 int nd6_useloopback = 1; /* use loopback interface for local traffic */
88 int nd6_gctimer = (60 * 60 * 24); /* 1 day: garbage collection timer */
89
90 /* preventing too many loops in ND option parsing */
91 int nd6_maxndopt = 10; /* max # of ND options allowed */
92
93 int nd6_maxnudhint = 0; /* max # of subsequent upper layer hints */
94 int nd6_maxqueuelen = 1; /* max # of packets cached in unresolved ND entries */
95
96 #ifdef ND6_DEBUG
97 int nd6_debug = 1;
98 #else
99 int nd6_debug = 0;
100 #endif
101
102 /* for debugging? */
103 static int nd6_inuse, nd6_allocated;
104
105 struct llinfo_nd6 llinfo_nd6 = {&llinfo_nd6, &llinfo_nd6};
106 struct nd_drhead nd_defrouter;
107 struct nd_prhead nd_prefix = { 0 };
108
109 int nd6_recalc_reachtm_interval = ND6_RECALC_REACHTM_INTERVAL;
110 static struct sockaddr_in6 all1_sa;
111
112 static int nd6_is_new_addr_neighbor __P((struct sockaddr_in6 *,
113 struct ifnet *));
114 static void nd6_setmtu0(struct ifnet *, struct nd_ifinfo *);
115 static void nd6_slowtimo(void *);
116 static int regen_tmpaddr(struct in6_ifaddr *);
117 static struct llinfo_nd6 *nd6_free(struct rtentry *, int);
118 static void nd6_llinfo_timer(void *);
119 static void clear_llinfo_pqueue(struct llinfo_nd6 *);
120
121 struct callout nd6_slowtimo_ch;
122 struct callout nd6_timer_ch;
123 extern struct callout in6_tmpaddrtimer_ch;
124
125 void
126 nd6_init(void)
127 {
128 INIT_VNET_INET6(curvnet);
129 static int nd6_init_done = 0;
130 int i;
131
132 if (nd6_init_done) {
133 log(LOG_NOTICE, "nd6_init called more than once(ignored)\n");
134 return;
135 }
136
137 all1_sa.sin6_family = AF_INET6;
138 all1_sa.sin6_len = sizeof(struct sockaddr_in6);
139 for (i = 0; i < sizeof(all1_sa.sin6_addr); i++)
140 all1_sa.sin6_addr.s6_addr[i] = 0xff;
141
142 /* initialization of the default router list */
143 TAILQ_INIT(&V_nd_defrouter);
144 /* start timer */
145 callout_init(&V_nd6_slowtimo_ch, 0);
146 callout_reset(&V_nd6_slowtimo_ch, ND6_SLOWTIMER_INTERVAL * hz,
147 nd6_slowtimo, NULL);
148
149 nd6_init_done = 1;
150
151 }
152
153 struct nd_ifinfo *
154 nd6_ifattach(struct ifnet *ifp)
155 {
156 struct nd_ifinfo *nd;
157
158 nd = (struct nd_ifinfo *)malloc(sizeof(*nd), M_IP6NDP, M_WAITOK);
159 bzero(nd, sizeof(*nd));
160
161 nd->initialized = 1;
162
163 nd->chlim = IPV6_DEFHLIM;
164 nd->basereachable = REACHABLE_TIME;
165 nd->reachable = ND_COMPUTE_RTIME(nd->basereachable);
166 nd->retrans = RETRANS_TIMER;
167 /*
168 * Note that the default value of ip6_accept_rtadv is 0, which means
169 * we won't accept RAs by default even if we set ND6_IFF_ACCEPT_RTADV
170 * here.
171 */
172 nd->flags = (ND6_IFF_PERFORMNUD | ND6_IFF_ACCEPT_RTADV);
173
174 /* XXX: we cannot call nd6_setmtu since ifp is not fully initialized */
175 nd6_setmtu0(ifp, nd);
176
177 return nd;
178 }
179
180 void
181 nd6_ifdetach(struct nd_ifinfo *nd)
182 {
183
184 free(nd, M_IP6NDP);
185 }
186
187 /*
188 * Reset ND level link MTU. This function is called when the physical MTU
189 * changes, which means we might have to adjust the ND level MTU.
190 */
191 void
192 nd6_setmtu(struct ifnet *ifp)
193 {
194
195 nd6_setmtu0(ifp, ND_IFINFO(ifp));
196 }
197
198 /* XXX todo: do not maintain copy of ifp->if_mtu in ndi->maxmtu */
199 void
200 nd6_setmtu0(struct ifnet *ifp, struct nd_ifinfo *ndi)
201 {
202 INIT_VNET_INET6(ifp->if_vnet);
203 u_int32_t omaxmtu;
204
205 omaxmtu = ndi->maxmtu;
206
207 switch (ifp->if_type) {
208 case IFT_ARCNET:
209 ndi->maxmtu = MIN(ARC_PHDS_MAXMTU, ifp->if_mtu); /* RFC2497 */
210 break;
211 case IFT_FDDI:
212 ndi->maxmtu = MIN(FDDIIPMTU, ifp->if_mtu); /* RFC2467 */
213 break;
214 case IFT_ISO88025:
215 ndi->maxmtu = MIN(ISO88025_MAX_MTU, ifp->if_mtu);
216 break;
217 default:
218 ndi->maxmtu = ifp->if_mtu;
219 break;
220 }
221
222 /*
223 * Decreasing the interface MTU under IPV6 minimum MTU may cause
224 * undesirable situation. We thus notify the operator of the change
225 * explicitly. The check for omaxmtu is necessary to restrict the
226 * log to the case of changing the MTU, not initializing it.
227 */
228 if (omaxmtu >= IPV6_MMTU && ndi->maxmtu < IPV6_MMTU) {
229 log(LOG_NOTICE, "nd6_setmtu0: "
230 "new link MTU on %s (%lu) is too small for IPv6\n",
231 if_name(ifp), (unsigned long)ndi->maxmtu);
232 }
233
234 if (ndi->maxmtu > V_in6_maxmtu)
235 in6_setmaxmtu(); /* check all interfaces just in case */
236
237 #undef MIN
238 }
239
240 void
241 nd6_option_init(void *opt, int icmp6len, union nd_opts *ndopts)
242 {
243
244 bzero(ndopts, sizeof(*ndopts));
245 ndopts->nd_opts_search = (struct nd_opt_hdr *)opt;
246 ndopts->nd_opts_last
247 = (struct nd_opt_hdr *)(((u_char *)opt) + icmp6len);
248
249 if (icmp6len == 0) {
250 ndopts->nd_opts_done = 1;
251 ndopts->nd_opts_search = NULL;
252 }
253 }
254
255 /*
256 * Take one ND option.
257 */
258 struct nd_opt_hdr *
259 nd6_option(union nd_opts *ndopts)
260 {
261 struct nd_opt_hdr *nd_opt;
262 int olen;
263
264 if (ndopts == NULL)
265 panic("ndopts == NULL in nd6_option");
266 if (ndopts->nd_opts_last == NULL)
267 panic("uninitialized ndopts in nd6_option");
268 if (ndopts->nd_opts_search == NULL)
269 return NULL;
270 if (ndopts->nd_opts_done)
271 return NULL;
272
273 nd_opt = ndopts->nd_opts_search;
274
275 /* make sure nd_opt_len is inside the buffer */
276 if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
277 bzero(ndopts, sizeof(*ndopts));
278 return NULL;
279 }
280
281 olen = nd_opt->nd_opt_len << 3;
282 if (olen == 0) {
283 /*
284 * Message validation requires that all included
285 * options have a length that is greater than zero.
286 */
287 bzero(ndopts, sizeof(*ndopts));
288 return NULL;
289 }
290
291 ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
292 if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
293 /* option overruns the end of buffer, invalid */
294 bzero(ndopts, sizeof(*ndopts));
295 return NULL;
296 } else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
297 /* reached the end of options chain */
298 ndopts->nd_opts_done = 1;
299 ndopts->nd_opts_search = NULL;
300 }
301 return nd_opt;
302 }
303
304 /*
305 * Parse multiple ND options.
306 * This function is much easier to use, for ND routines that do not need
307 * multiple options of the same type.
308 */
309 int
310 nd6_options(union nd_opts *ndopts)
311 {
312 INIT_VNET_INET6(curvnet);
313 struct nd_opt_hdr *nd_opt;
314 int i = 0;
315
316 if (ndopts == NULL)
317 panic("ndopts == NULL in nd6_options");
318 if (ndopts->nd_opts_last == NULL)
319 panic("uninitialized ndopts in nd6_options");
320 if (ndopts->nd_opts_search == NULL)
321 return 0;
322
323 while (1) {
324 nd_opt = nd6_option(ndopts);
325 if (nd_opt == NULL && ndopts->nd_opts_last == NULL) {
326 /*
327 * Message validation requires that all included
328 * options have a length that is greater than zero.
329 */
330 V_icmp6stat.icp6s_nd_badopt++;
331 bzero(ndopts, sizeof(*ndopts));
332 return -1;
333 }
334
335 if (nd_opt == NULL)
336 goto skip1;
337
338 switch (nd_opt->nd_opt_type) {
339 case ND_OPT_SOURCE_LINKADDR:
340 case ND_OPT_TARGET_LINKADDR:
341 case ND_OPT_MTU:
342 case ND_OPT_REDIRECTED_HEADER:
343 if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
344 nd6log((LOG_INFO,
345 "duplicated ND6 option found (type=%d)\n",
346 nd_opt->nd_opt_type));
347 /* XXX bark? */
348 } else {
349 ndopts->nd_opt_array[nd_opt->nd_opt_type]
350 = nd_opt;
351 }
352 break;
353 case ND_OPT_PREFIX_INFORMATION:
354 if (ndopts->nd_opt_array[nd_opt->nd_opt_type] == 0) {
355 ndopts->nd_opt_array[nd_opt->nd_opt_type]
356 = nd_opt;
357 }
358 ndopts->nd_opts_pi_end =
359 (struct nd_opt_prefix_info *)nd_opt;
360 break;
361 default:
362 /*
363 * Unknown options must be silently ignored,
364 * to accomodate future extension to the protocol.
365 */
366 nd6log((LOG_DEBUG,
367 "nd6_options: unsupported option %d - "
368 "option ignored\n", nd_opt->nd_opt_type));
369 }
370
371 skip1:
372 i++;
373 if (i > V_nd6_maxndopt) {
374 V_icmp6stat.icp6s_nd_toomanyopt++;
375 nd6log((LOG_INFO, "too many loop in nd opt\n"));
376 break;
377 }
378
379 if (ndopts->nd_opts_done)
380 break;
381 }
382
383 return 0;
384 }
385
386 /*
387 * ND6 timer routine to handle ND6 entries
388 */
389 void
390 nd6_llinfo_settimer(struct llinfo_nd6 *ln, long tick)
391 {
392 if (tick < 0) {
393 ln->ln_expire = 0;
394 ln->ln_ntick = 0;
395 callout_stop(&ln->ln_timer_ch);
396 } else {
397 ln->ln_expire = time_second + tick / hz;
398 if (tick > INT_MAX) {
399 ln->ln_ntick = tick - INT_MAX;
400 callout_reset(&ln->ln_timer_ch, INT_MAX,
401 nd6_llinfo_timer, ln);
402 } else {
403 ln->ln_ntick = 0;
404 callout_reset(&ln->ln_timer_ch, tick,
405 nd6_llinfo_timer, ln);
406 }
407 }
408 }
409
410 static void
411 nd6_llinfo_timer(void *arg)
412 {
413 struct llinfo_nd6 *ln;
414 struct rtentry *rt;
415 struct in6_addr *dst;
416 struct ifnet *ifp;
417 struct nd_ifinfo *ndi = NULL;
418
419 ln = (struct llinfo_nd6 *)arg;
420
421 if (ln->ln_ntick > 0) {
422 if (ln->ln_ntick > INT_MAX) {
423 ln->ln_ntick -= INT_MAX;
424 nd6_llinfo_settimer(ln, INT_MAX);
425 } else {
426 ln->ln_ntick = 0;
427 nd6_llinfo_settimer(ln, ln->ln_ntick);
428 }
429 return;
430 }
431
432 if ((rt = ln->ln_rt) == NULL)
433 panic("ln->ln_rt == NULL");
434 if ((ifp = rt->rt_ifp) == NULL)
435 panic("ln->ln_rt->rt_ifp == NULL");
436 ndi = ND_IFINFO(ifp);
437
438 CURVNET_SET(ifp->if_vnet);
439 INIT_VNET_INET6(curvnet);
440
441 /* sanity check */
442 if (rt->rt_llinfo && (struct llinfo_nd6 *)rt->rt_llinfo != ln)
443 panic("rt_llinfo(%p) is not equal to ln(%p)",
444 rt->rt_llinfo, ln);
445 if (rt_key(rt) == NULL)
446 panic("rt key is NULL in nd6_timer(ln=%p)", ln);
447
448 dst = &((struct sockaddr_in6 *)rt_key(rt))->sin6_addr;
449
450 switch (ln->ln_state) {
451 case ND6_LLINFO_INCOMPLETE:
452 if (ln->ln_asked < V_nd6_mmaxtries) {
453 ln->ln_asked++;
454 nd6_llinfo_settimer(ln, (long)ndi->retrans * hz / 1000);
455 nd6_ns_output(ifp, NULL, dst, ln, 0);
456 } else {
457 struct mbuf *m = ln->ln_hold;
458 if (m) {
459 struct mbuf *m0;
460
461 /*
462 * assuming every packet in ln_hold has the
463 * same IP header
464 */
465 m0 = m->m_nextpkt;
466 m->m_nextpkt = NULL;
467 icmp6_error2(m, ICMP6_DST_UNREACH,
468 ICMP6_DST_UNREACH_ADDR, 0, rt->rt_ifp);
469
470 ln->ln_hold = m0;
471 clear_llinfo_pqueue(ln);
472 }
473 if (rt && rt->rt_llinfo)
474 (void)nd6_free(rt, 0);
475 ln = NULL;
476 }
477 break;
478 case ND6_LLINFO_REACHABLE:
479 if (!ND6_LLINFO_PERMANENT(ln)) {
480 ln->ln_state = ND6_LLINFO_STALE;
481 nd6_llinfo_settimer(ln, (long)V_nd6_gctimer * hz);
482 }
483 break;
484
485 case ND6_LLINFO_STALE:
486 /* Garbage Collection(RFC 2461 5.3) */
487 if (!ND6_LLINFO_PERMANENT(ln)) {
488 if (rt && rt->rt_llinfo)
489 (void)nd6_free(rt, 1);
490 ln = NULL;
491 }
492 break;
493
494 case ND6_LLINFO_DELAY:
495 if (ndi && (ndi->flags & ND6_IFF_PERFORMNUD) != 0) {
496 /* We need NUD */
497 ln->ln_asked = 1;
498 ln->ln_state = ND6_LLINFO_PROBE;
499 nd6_llinfo_settimer(ln, (long)ndi->retrans * hz / 1000);
500 nd6_ns_output(ifp, dst, dst, ln, 0);
501 } else {
502 ln->ln_state = ND6_LLINFO_STALE; /* XXX */
503 nd6_llinfo_settimer(ln, (long)V_nd6_gctimer * hz);
504 }
505 break;
506 case ND6_LLINFO_PROBE:
507 if (ln->ln_asked < V_nd6_umaxtries) {
508 ln->ln_asked++;
509 nd6_llinfo_settimer(ln, (long)ndi->retrans * hz / 1000);
510 nd6_ns_output(ifp, dst, dst, ln, 0);
511 } else if (rt->rt_ifa != NULL &&
512 rt->rt_ifa->ifa_addr->sa_family == AF_INET6 &&
513 (((struct in6_ifaddr *)rt->rt_ifa)->ia_flags & IFA_ROUTE)) {
514 /*
515 * This is an unreachable neighbor whose address is
516 * specified as the destination of a p2p interface
517 * (see in6_ifinit()). We should not free the entry
518 * since this is sort of a "static" entry generated
519 * via interface address configuration.
520 */
521 ln->ln_asked = 0;
522 ln->ln_expire = 0; /* make it permanent */
523 ln->ln_state = ND6_LLINFO_STALE;
524 } else {
525 if (rt && rt->rt_llinfo)
526 (void)nd6_free(rt, 0);
527 ln = NULL;
528 }
529 break;
530 }
531 CURVNET_RESTORE();
532 }
533
534
535 /*
536 * ND6 timer routine to expire default route list and prefix list
537 */
538 void
539 nd6_timer(void *arg)
540 {
541 CURVNET_SET_QUIET((struct vnet *) arg);
542 INIT_VNET_INET6((struct vnet *) arg);
543 int s;
544 struct nd_defrouter *dr;
545 struct nd_prefix *pr;
546 struct in6_ifaddr *ia6, *nia6;
547 struct in6_addrlifetime *lt6;
548
549 callout_reset(&V_nd6_timer_ch, V_nd6_prune * hz,
550 nd6_timer, NULL);
551
552 /* expire default router list */
553 s = splnet();
554 dr = TAILQ_FIRST(&V_nd_defrouter);
555 while (dr) {
556 if (dr->expire && dr->expire < time_second) {
557 struct nd_defrouter *t;
558 t = TAILQ_NEXT(dr, dr_entry);
559 defrtrlist_del(dr);
560 dr = t;
561 } else {
562 dr = TAILQ_NEXT(dr, dr_entry);
563 }
564 }
565
566 /*
567 * expire interface addresses.
568 * in the past the loop was inside prefix expiry processing.
569 * However, from a stricter speci-confrmance standpoint, we should
570 * rather separate address lifetimes and prefix lifetimes.
571 */
572 addrloop:
573 for (ia6 = V_in6_ifaddr; ia6; ia6 = nia6) {
574 nia6 = ia6->ia_next;
575 /* check address lifetime */
576 lt6 = &ia6->ia6_lifetime;
577 if (IFA6_IS_INVALID(ia6)) {
578 int regen = 0;
579
580 /*
581 * If the expiring address is temporary, try
582 * regenerating a new one. This would be useful when
583 * we suspended a laptop PC, then turned it on after a
584 * period that could invalidate all temporary
585 * addresses. Although we may have to restart the
586 * loop (see below), it must be after purging the
587 * address. Otherwise, we'd see an infinite loop of
588 * regeneration.
589 */
590 if (V_ip6_use_tempaddr &&
591 (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0) {
592 if (regen_tmpaddr(ia6) == 0)
593 regen = 1;
594 }
595
596 in6_purgeaddr(&ia6->ia_ifa);
597
598 if (regen)
599 goto addrloop; /* XXX: see below */
600 } else if (IFA6_IS_DEPRECATED(ia6)) {
601 int oldflags = ia6->ia6_flags;
602
603 ia6->ia6_flags |= IN6_IFF_DEPRECATED;
604
605 /*
606 * If a temporary address has just become deprecated,
607 * regenerate a new one if possible.
608 */
609 if (V_ip6_use_tempaddr &&
610 (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
611 (oldflags & IN6_IFF_DEPRECATED) == 0) {
612
613 if (regen_tmpaddr(ia6) == 0) {
614 /*
615 * A new temporary address is
616 * generated.
617 * XXX: this means the address chain
618 * has changed while we are still in
619 * the loop. Although the change
620 * would not cause disaster (because
621 * it's not a deletion, but an
622 * addition,) we'd rather restart the
623 * loop just for safety. Or does this
624 * significantly reduce performance??
625 */
626 goto addrloop;
627 }
628 }
629 } else {
630 /*
631 * A new RA might have made a deprecated address
632 * preferred.
633 */
634 ia6->ia6_flags &= ~IN6_IFF_DEPRECATED;
635 }
636 }
637
638 /* expire prefix list */
639 pr = V_nd_prefix.lh_first;
640 while (pr) {
641 /*
642 * check prefix lifetime.
643 * since pltime is just for autoconf, pltime processing for
644 * prefix is not necessary.
645 */
646 if (pr->ndpr_vltime != ND6_INFINITE_LIFETIME &&
647 time_second - pr->ndpr_lastupdate > pr->ndpr_vltime) {
648 struct nd_prefix *t;
649 t = pr->ndpr_next;
650
651 /*
652 * address expiration and prefix expiration are
653 * separate. NEVER perform in6_purgeaddr here.
654 */
655
656 prelist_remove(pr);
657 pr = t;
658 } else
659 pr = pr->ndpr_next;
660 }
661 splx(s);
662 CURVNET_RESTORE();
663 }
664
665 /*
666 * ia6 - deprecated/invalidated temporary address
667 */
668 static int
669 regen_tmpaddr(struct in6_ifaddr *ia6)
670 {
671 struct ifaddr *ifa;
672 struct ifnet *ifp;
673 struct in6_ifaddr *public_ifa6 = NULL;
674
675 ifp = ia6->ia_ifa.ifa_ifp;
676 for (ifa = ifp->if_addrlist.tqh_first; ifa;
677 ifa = ifa->ifa_list.tqe_next) {
678 struct in6_ifaddr *it6;
679
680 if (ifa->ifa_addr->sa_family != AF_INET6)
681 continue;
682
683 it6 = (struct in6_ifaddr *)ifa;
684
685 /* ignore no autoconf addresses. */
686 if ((it6->ia6_flags & IN6_IFF_AUTOCONF) == 0)
687 continue;
688
689 /* ignore autoconf addresses with different prefixes. */
690 if (it6->ia6_ndpr == NULL || it6->ia6_ndpr != ia6->ia6_ndpr)
691 continue;
692
693 /*
694 * Now we are looking at an autoconf address with the same
695 * prefix as ours. If the address is temporary and is still
696 * preferred, do not create another one. It would be rare, but
697 * could happen, for example, when we resume a laptop PC after
698 * a long period.
699 */
700 if ((it6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
701 !IFA6_IS_DEPRECATED(it6)) {
702 public_ifa6 = NULL;
703 break;
704 }
705
706 /*
707 * This is a public autoconf address that has the same prefix
708 * as ours. If it is preferred, keep it. We can't break the
709 * loop here, because there may be a still-preferred temporary
710 * address with the prefix.
711 */
712 if (!IFA6_IS_DEPRECATED(it6))
713 public_ifa6 = it6;
714 }
715
716 if (public_ifa6 != NULL) {
717 int e;
718
719 if ((e = in6_tmpifadd(public_ifa6, 0, 0)) != 0) {
720 log(LOG_NOTICE, "regen_tmpaddr: failed to create a new"
721 " tmp addr,errno=%d\n", e);
722 return (-1);
723 }
724 return (0);
725 }
726
727 return (-1);
728 }
729
730 /*
731 * Nuke neighbor cache/prefix/default router management table, right before
732 * ifp goes away.
733 */
734 void
735 nd6_purge(struct ifnet *ifp)
736 {
737 INIT_VNET_INET6(ifp->if_vnet);
738 struct llinfo_nd6 *ln, *nln;
739 struct nd_defrouter *dr, *ndr;
740 struct nd_prefix *pr, *npr;
741
742 /*
743 * Nuke default router list entries toward ifp.
744 * We defer removal of default router list entries that is installed
745 * in the routing table, in order to keep additional side effects as
746 * small as possible.
747 */
748 for (dr = TAILQ_FIRST(&V_nd_defrouter); dr; dr = ndr) {
749 ndr = TAILQ_NEXT(dr, dr_entry);
750 if (dr->installed)
751 continue;
752
753 if (dr->ifp == ifp)
754 defrtrlist_del(dr);
755 }
756
757 for (dr = TAILQ_FIRST(&V_nd_defrouter); dr; dr = ndr) {
758 ndr = TAILQ_NEXT(dr, dr_entry);
759 if (!dr->installed)
760 continue;
761
762 if (dr->ifp == ifp)
763 defrtrlist_del(dr);
764 }
765
766 /* Nuke prefix list entries toward ifp */
767 for (pr = V_nd_prefix.lh_first; pr; pr = npr) {
768 npr = pr->ndpr_next;
769 if (pr->ndpr_ifp == ifp) {
770 /*
771 * Because if_detach() does *not* release prefixes
772 * while purging addresses the reference count will
773 * still be above zero. We therefore reset it to
774 * make sure that the prefix really gets purged.
775 */
776 pr->ndpr_refcnt = 0;
777
778 /*
779 * Previously, pr->ndpr_addr is removed as well,
780 * but I strongly believe we don't have to do it.
781 * nd6_purge() is only called from in6_ifdetach(),
782 * which removes all the associated interface addresses
783 * by itself.
784 * (jinmei@kame.net 20010129)
785 */
786 prelist_remove(pr);
787 }
788 }
789
790 /* cancel default outgoing interface setting */
791 if (V_nd6_defifindex == ifp->if_index)
792 nd6_setdefaultiface(0);
793
794 if (!V_ip6_forwarding && V_ip6_accept_rtadv) { /* XXX: too restrictive? */
795 /* refresh default router list */
796 defrouter_select();
797 }
798
799 /*
800 * Nuke neighbor cache entries for the ifp.
801 * Note that rt->rt_ifp may not be the same as ifp,
802 * due to KAME goto ours hack. See RTM_RESOLVE case in
803 * nd6_rtrequest(), and ip6_input().
804 */
805 ln = V_llinfo_nd6.ln_next;
806 while (ln && ln != &V_llinfo_nd6) {
807 struct rtentry *rt;
808 struct sockaddr_dl *sdl;
809
810 nln = ln->ln_next;
811 rt = ln->ln_rt;
812 if (rt && rt->rt_gateway &&
813 rt->rt_gateway->sa_family == AF_LINK) {
814 sdl = (struct sockaddr_dl *)rt->rt_gateway;
815 if (sdl->sdl_index == ifp->if_index)
816 nln = nd6_free(rt, 0);
817 }
818 ln = nln;
819 }
820 }
821
822 struct rtentry *
823 nd6_lookup(struct in6_addr *addr6, int create, struct ifnet *ifp)
824 {
825 INIT_VNET_INET6(curvnet);
826 struct rtentry *rt;
827 struct sockaddr_in6 sin6;
828 char ip6buf[INET6_ADDRSTRLEN];
829
830 bzero(&sin6, sizeof(sin6));
831 sin6.sin6_len = sizeof(struct sockaddr_in6);
832 sin6.sin6_family = AF_INET6;
833 sin6.sin6_addr = *addr6;
834 rt = rtalloc1((struct sockaddr *)&sin6, create, 0UL);
835 if (rt) {
836 if ((rt->rt_flags & RTF_LLINFO) == 0 && create) {
837 /*
838 * This is the case for the default route.
839 * If we want to create a neighbor cache for the
840 * address, we should free the route for the
841 * destination and allocate an interface route.
842 */
843 RTFREE_LOCKED(rt);
844 rt = NULL;
845 }
846 }
847 if (rt == NULL) {
848 if (create && ifp) {
849 int e;
850
851 /*
852 * If no route is available and create is set,
853 * we allocate a host route for the destination
854 * and treat it like an interface route.
855 * This hack is necessary for a neighbor which can't
856 * be covered by our own prefix.
857 */
858 struct ifaddr *ifa =
859 ifaof_ifpforaddr((struct sockaddr *)&sin6, ifp);
860 if (ifa == NULL)
861 return (NULL);
862
863 /*
864 * Create a new route. RTF_LLINFO is necessary
865 * to create a Neighbor Cache entry for the
866 * destination in nd6_rtrequest which will be
867 * called in rtrequest via ifa->ifa_rtrequest.
868 */
869 if ((e = rtrequest(RTM_ADD, (struct sockaddr *)&sin6,
870 ifa->ifa_addr, (struct sockaddr *)&all1_sa,
871 (ifa->ifa_flags | RTF_HOST | RTF_LLINFO) &
872 ~RTF_CLONING, &rt)) != 0) {
873 log(LOG_ERR,
874 "nd6_lookup: failed to add route for a "
875 "neighbor(%s), errno=%d\n",
876 ip6_sprintf(ip6buf, addr6), e);
877 }
878 if (rt == NULL)
879 return (NULL);
880 RT_LOCK(rt);
881 if (rt->rt_llinfo) {
882 struct llinfo_nd6 *ln =
883 (struct llinfo_nd6 *)rt->rt_llinfo;
884 ln->ln_state = ND6_LLINFO_NOSTATE;
885 }
886 } else
887 return (NULL);
888 }
889 RT_LOCK_ASSERT(rt);
890 RT_REMREF(rt);
891 /*
892 * Validation for the entry.
893 * Note that the check for rt_llinfo is necessary because a cloned
894 * route from a parent route that has the L flag (e.g. the default
895 * route to a p2p interface) may have the flag, too, while the
896 * destination is not actually a neighbor.
897 * XXX: we can't use rt->rt_ifp to check for the interface, since
898 * it might be the loopback interface if the entry is for our
899 * own address on a non-loopback interface. Instead, we should
900 * use rt->rt_ifa->ifa_ifp, which would specify the REAL
901 * interface.
902 * Note also that ifa_ifp and ifp may differ when we connect two
903 * interfaces to a same link, install a link prefix to an interface,
904 * and try to install a neighbor cache on an interface that does not
905 * have a route to the prefix.
906 */
907 if ((rt->rt_flags & RTF_GATEWAY) || (rt->rt_flags & RTF_LLINFO) == 0 ||
908 rt->rt_gateway->sa_family != AF_LINK || rt->rt_llinfo == NULL ||
909 (ifp && rt->rt_ifa->ifa_ifp != ifp)) {
910 if (create) {
911 nd6log((LOG_DEBUG,
912 "nd6_lookup: failed to lookup %s (if = %s)\n",
913 ip6_sprintf(ip6buf, addr6),
914 ifp ? if_name(ifp) : "unspec"));
915 }
916 RT_UNLOCK(rt);
917 return (NULL);
918 }
919 RT_UNLOCK(rt); /* XXX not ready to return rt locked */
920 return (rt);
921 }
922
923 /*
924 * Test whether a given IPv6 address is a neighbor or not, ignoring
925 * the actual neighbor cache. The neighbor cache is ignored in order
926 * to not reenter the routing code from within itself.
927 */
928 static int
929 nd6_is_new_addr_neighbor(struct sockaddr_in6 *addr, struct ifnet *ifp)
930 {
931 INIT_VNET_INET6(ifp->if_vnet);
932 struct nd_prefix *pr;
933 struct ifaddr *dstaddr;
934
935 /*
936 * A link-local address is always a neighbor.
937 * XXX: a link does not necessarily specify a single interface.
938 */
939 if (IN6_IS_ADDR_LINKLOCAL(&addr->sin6_addr)) {
940 struct sockaddr_in6 sin6_copy;
941 u_int32_t zone;
942
943 /*
944 * We need sin6_copy since sa6_recoverscope() may modify the
945 * content (XXX).
946 */
947 sin6_copy = *addr;
948 if (sa6_recoverscope(&sin6_copy))
949 return (0); /* XXX: should be impossible */
950 if (in6_setscope(&sin6_copy.sin6_addr, ifp, &zone))
951 return (0);
952 if (sin6_copy.sin6_scope_id == zone)
953 return (1);
954 else
955 return (0);
956 }
957
958 /*
959 * If the address matches one of our addresses,
960 * it should be a neighbor.
961 * If the address matches one of our on-link prefixes, it should be a
962 * neighbor.
963 */
964 for (pr = V_nd_prefix.lh_first; pr; pr = pr->ndpr_next) {
965 if (pr->ndpr_ifp != ifp)
966 continue;
967
968 if (!(pr->ndpr_stateflags & NDPRF_ONLINK))
969 continue;
970
971 if (IN6_ARE_MASKED_ADDR_EQUAL(&pr->ndpr_prefix.sin6_addr,
972 &addr->sin6_addr, &pr->ndpr_mask))
973 return (1);
974 }
975
976 /*
977 * If the address is assigned on the node of the other side of
978 * a p2p interface, the address should be a neighbor.
979 */
980 dstaddr = ifa_ifwithdstaddr((struct sockaddr *)addr);
981 if ((dstaddr != NULL) && (dstaddr->ifa_ifp == ifp))
982 return (1);
983
984 /*
985 * If the default router list is empty, all addresses are regarded
986 * as on-link, and thus, as a neighbor.
987 * XXX: we restrict the condition to hosts, because routers usually do
988 * not have the "default router list".
989 */
990 if (!V_ip6_forwarding && TAILQ_FIRST(&V_nd_defrouter) == NULL &&
991 V_nd6_defifindex == ifp->if_index) {
992 return (1);
993 }
994
995 return (0);
996 }
997
998
999 /*
1000 * Detect if a given IPv6 address identifies a neighbor on a given link.
1001 * XXX: should take care of the destination of a p2p link?
1002 */
1003 int
1004 nd6_is_addr_neighbor(struct sockaddr_in6 *addr, struct ifnet *ifp)
1005 {
1006
1007 if (nd6_is_new_addr_neighbor(addr, ifp))
1008 return (1);
1009
1010 /*
1011 * Even if the address matches none of our addresses, it might be
1012 * in the neighbor cache.
1013 */
1014 if (nd6_lookup(&addr->sin6_addr, 0, ifp) != NULL)
1015 return (1);
1016
1017 return (0);
1018 }
1019
1020 /*
1021 * Free an nd6 llinfo entry.
1022 * Since the function would cause significant changes in the kernel, DO NOT
1023 * make it global, unless you have a strong reason for the change, and are sure
1024 * that the change is safe.
1025 */
1026 static struct llinfo_nd6 *
1027 nd6_free(struct rtentry *rt, int gc)
1028 {
1029 INIT_VNET_INET6(curvnet);
1030 struct llinfo_nd6 *ln = (struct llinfo_nd6 *)rt->rt_llinfo, *next;
1031 struct in6_addr in6 = ((struct sockaddr_in6 *)rt_key(rt))->sin6_addr;
1032 struct nd_defrouter *dr;
1033
1034 /*
1035 * we used to have pfctlinput(PRC_HOSTDEAD) here.
1036 * even though it is not harmful, it was not really necessary.
1037 */
1038
1039 /* cancel timer */
1040 nd6_llinfo_settimer(ln, -1);
1041
1042 if (!V_ip6_forwarding) {
1043 int s;
1044 s = splnet();
1045 dr = defrouter_lookup(&((struct sockaddr_in6 *)rt_key(rt))->sin6_addr,
1046 rt->rt_ifp);
1047
1048 if (dr != NULL && dr->expire &&
1049 ln->ln_state == ND6_LLINFO_STALE && gc) {
1050 /*
1051 * If the reason for the deletion is just garbage
1052 * collection, and the neighbor is an active default
1053 * router, do not delete it. Instead, reset the GC
1054 * timer using the router's lifetime.
1055 * Simply deleting the entry would affect default
1056 * router selection, which is not necessarily a good
1057 * thing, especially when we're using router preference
1058 * values.
1059 * XXX: the check for ln_state would be redundant,
1060 * but we intentionally keep it just in case.
1061 */
1062 if (dr->expire > time_secon |