]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netinet6/nd6.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-1504.15.3.tar.gz
[apple/xnu.git] / bsd / netinet6 / nd6.c
diff --git a/bsd/netinet6/nd6.c b/bsd/netinet6/nd6.c
index 766b6c6e11356929af47446708c0aa3cf1c41e6c..d7174604287c4904562793e2726f8dbfaa1cee8e 100644 (file)
--- a/bsd/netinet6/nd6.c
+++ b/bsd/netinet6/nd6.c
@@ -1,4 +1,33 @@
-/*     $KAME: nd6.c,v 1.51.2.1 2000/04/13 11:59:29 jinmei Exp $        */
+/*
+ * Copyright (c) 2008-2009 Apple Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ * 
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
+
+/*     $FreeBSD: src/sys/netinet6/nd6.c,v 1.20 2002/08/02 20:49:14 rwatson Exp $       */
+/*     $KAME: nd6.c,v 1.144 2001/05/24 07:44:00 itojun Exp $   */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -45,37 +74,26 @@
 #include <sys/sockio.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 #include <sys/sockio.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
+#include <sys/sysctl.h>
 #include <sys/errno.h>
 #include <sys/errno.h>
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3)
-#include <sys/ioctl.h>
-#endif
 #include <sys/syslog.h>
 #include <sys/protosw.h>
 #include <sys/syslog.h>
 #include <sys/protosw.h>
+#include <sys/proc.h>
 #include <kern/queue.h>
 #include <kern/queue.h>
+#include <kern/zalloc.h>
 
 
+#define DONT_WARN_OBSOLETE
 #include <net/if.h>
 #include <net/if_dl.h>
 #include <net/if_types.h>
 #include <net/if.h>
 #include <net/if_dl.h>
 #include <net/if_types.h>
-#if !(defined(__bsdi__) && _BSDI_VERSION >= 199802) && !defined(__APPLE__)
 #include <net/if_atm.h>
 #include <net/if_atm.h>
-#endif
 #include <net/route.h>
 #include <net/dlil.h>
 
 #include <netinet/in.h>
 #include <net/route.h>
 #include <net/dlil.h>
 
 #include <netinet/in.h>
-#ifndef __NetBSD__
+#include <netinet/in_arp.h>
 #include <netinet/if_ether.h>
 #include <netinet/if_ether.h>
-#if __FreeBSD__
 #include <netinet/if_fddi.h>
 #include <netinet/if_fddi.h>
-#endif
-#ifdef __bsdi__
-#include <net/if_fddi.h>
-#endif
-#else /* __NetBSD__ */
-#include <net/if_ether.h>
-#include <netinet/if_inarp.h>
-#include <net/if_fddi.h>
-#endif /* __NetBSD__ */
 #include <netinet6/in6_var.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/in6_var.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
@@ -83,20 +101,17 @@
 #include <netinet6/in6_prefix.h>
 #include <netinet/icmp6.h>
 
 #include <netinet6/in6_prefix.h>
 #include <netinet/icmp6.h>
 
-#ifndef __bsdi__
 #include "loop.h"
 #include "loop.h"
-#endif
-#if defined(__NetBSD__) || defined(__OpenBSD__)
-extern struct ifnet loif[NLOOP];
-#endif
 
 #include <net/net_osdep.h>
 
 #define ND6_SLOWTIMER_INTERVAL (60 * 60) /* 1 hour */
 #define ND6_RECALC_REACHTM_INTERVAL (60 * 120) /* 2 hours */
 
 
 #include <net/net_osdep.h>
 
 #define ND6_SLOWTIMER_INTERVAL (60 * 60) /* 1 hour */
 #define ND6_RECALC_REACHTM_INTERVAL (60 * 120) /* 2 hours */
 
+#define        SA(p) ((struct sockaddr *)(p))
 #define SIN6(s) ((struct sockaddr_in6 *)s)
 #define SDL(s) ((struct sockaddr_dl *)s)
 #define SIN6(s) ((struct sockaddr_in6 *)s)
 #define SDL(s) ((struct sockaddr_dl *)s)
+#define        equal(a1, a2) (bcmp((caddr_t)(a1), (caddr_t)(a2), (a1)->sa_len) == 0)
 
 /* timer values */
 int    nd6_prune       = 1;    /* walk list every 1 seconds */
 
 /* timer values */
 int    nd6_prune       = 1;    /* walk list every 1 seconds */
@@ -104,27 +119,103 @@ int      nd6_delay       = 5;    /* delay first probe time 5 second */
 int    nd6_umaxtries   = 3;    /* maximum unicast query */
 int    nd6_mmaxtries   = 3;    /* maximum multicast query */
 int    nd6_useloopback = 1;    /* use loopback interface for local traffic */
 int    nd6_umaxtries   = 3;    /* maximum unicast query */
 int    nd6_mmaxtries   = 3;    /* maximum multicast query */
 int    nd6_useloopback = 1;    /* use loopback interface for local traffic */
+int    nd6_gctimer     = (60 * 60 * 24); /* 1 day: garbage collection timer */
 
 /* preventing too many loops in ND option parsing */
 int nd6_maxndopt = 10; /* max # of ND options allowed */
 
 
 /* preventing too many loops in ND option parsing */
 int nd6_maxndopt = 10; /* max # of ND options allowed */
 
+int nd6_maxnudhint = 0;        /* max # of subsequent upper layer hints */
+
+#if ND6_DEBUG
+int nd6_debug = 1;
+#else
+int nd6_debug = 0;
+#endif
+
 /* for debugging? */
 static int nd6_inuse, nd6_allocated;
 
 /* for debugging? */
 static int nd6_inuse, nd6_allocated;
 
-struct llinfo_nd6 llinfo_nd6 = {&llinfo_nd6, &llinfo_nd6};
+/*
+ * Synchronization notes:
+ *
+ * The global list of ND entries are stored in llinfo_nd6; an entry
+ * gets inserted into the list when the route is created and gets
+ * removed from the list when it is deleted; this is done as part
+ * of RTM_ADD/RTM_RESOLVE/RTM_DELETE in nd6_rtrequest().
+ *
+ * Because rnh_lock and rt_lock for the entry are held during those
+ * operations, the same locks (and thus lock ordering) must be used
+ * elsewhere to access the relevant data structure fields:
+ *
+ * ln_next, ln_prev, ln_rt
+ *
+ *     - Routing lock (rnh_lock)
+ *
+ * ln_hold, ln_asked, ln_expire, ln_state, ln_router, ln_byhint, ln_flags
+ *
+ *     - Routing entry lock (rt_lock)
+ *
+ * Due to the dependency on rt_lock, llinfo_nd6 has the same lifetime
+ * as the route entry itself.  When a route is deleted (RTM_DELETE),
+ * it is simply removed from the global list but the memory is not
+ * freed until the route itself is freed.
+ */
+struct llinfo_nd6 llinfo_nd6 = {
+       &llinfo_nd6, &llinfo_nd6, NULL, NULL, 0, 0, 0, 0, 0, 0
+};
+
+/* Protected by nd_if_rwlock */
+size_t nd_ifinfo_indexlim = 32; /* increased for 5589193 */
 struct nd_ifinfo *nd_ifinfo = NULL;
 struct nd_ifinfo *nd_ifinfo = NULL;
+
+static lck_grp_attr_t  *nd_if_rwlock_grp_attr;
+static lck_grp_t       *nd_if_rwlock_grp;
+static lck_attr_t      *nd_if_rwlock_attr;
+lck_rw_t               *nd_if_rwlock;
+
+/* Protected by nd6_mutex */
 struct nd_drhead nd_defrouter;
 struct nd_prhead nd_prefix = { 0 };
 
 int nd6_recalc_reachtm_interval = ND6_RECALC_REACHTM_INTERVAL;
 static struct sockaddr_in6 all1_sa;
 
 struct nd_drhead nd_defrouter;
 struct nd_prhead nd_prefix = { 0 };
 
 int nd6_recalc_reachtm_interval = ND6_RECALC_REACHTM_INTERVAL;
 static struct sockaddr_in6 all1_sa;
 
-static void nd6_slowtimo __P((void *));
-static void nd6_slowtimo_funneled __P((void *));
+static int regen_tmpaddr(struct in6_ifaddr *);
+extern lck_mtx_t *ip6_mutex;
+extern lck_mtx_t *nd6_mutex;
 
 
-#if MIP6
-void (*mip6_expired_defrouter_hook)(struct nd_defrouter *dr) = 0;
-#endif
+static void nd6_slowtimo(void *ignored_arg);
+static struct llinfo_nd6 *nd6_llinfo_alloc(void);
+static void nd6_llinfo_free(void *);
+
+static void nd6_siocgdrlst(void *, int);
+static void nd6_siocgprlst(void *, int);
+
+/*
+ * Insertion and removal from llinfo_nd6 must be done with rnh_lock held.
+ */
+#define LN_DEQUEUE(_ln) do {                                           \
+       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);                 \
+       RT_LOCK_ASSERT_HELD((_ln)->ln_rt);                              \
+       (_ln)->ln_next->ln_prev = (_ln)->ln_prev;                       \
+       (_ln)->ln_prev->ln_next = (_ln)->ln_next;                       \
+       (_ln)->ln_prev = (_ln)->ln_next = NULL;                         \
+       (_ln)->ln_flags &= ~ND6_LNF_IN_USE;                             \
+} while (0)
+
+#define LN_INSERTHEAD(_ln) do {                                                \
+       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);                 \
+       RT_LOCK_ASSERT_HELD((_ln)->ln_rt);                              \
+       (_ln)->ln_next = llinfo_nd6.ln_next;                            \
+       llinfo_nd6.ln_next = (_ln);                                     \
+       (_ln)->ln_prev = &llinfo_nd6;                                   \
+       (_ln)->ln_next->ln_prev = (_ln);                                \
+       (_ln)->ln_flags |= ND6_LNF_IN_USE;                              \
+} while (0)
+
+static struct zone *llinfo_nd6_zone;
+#define        LLINFO_ND6_ZONE_MAX     256             /* maximum elements in zone */
+#define        LLINFO_ND6_ZONE_NAME    "llinfo_nd6"    /* name for zone */
 
 void
 nd6_init()
 
 void
 nd6_init()
@@ -133,7 +224,7 @@ nd6_init()
        int i;
 
        if (nd6_init_done) {
        int i;
 
        if (nd6_init_done) {
-               log(LOG_NOTICE, "nd6_init called more than once(ignored)\n");
+               log(LOG_NOTICE, "nd6_init called more than once (ignored)\n");
                return;
        }
 
                return;
        }
 
@@ -145,50 +236,115 @@ nd6_init()
        /* initialization of the default router list */
        TAILQ_INIT(&nd_defrouter);
 
        /* initialization of the default router list */
        TAILQ_INIT(&nd_defrouter);
 
+       nd_if_rwlock_grp_attr = lck_grp_attr_alloc_init();
+       nd_if_rwlock_grp = lck_grp_alloc_init("nd_if_rwlock",
+           nd_if_rwlock_grp_attr);
+       nd_if_rwlock_attr = lck_attr_alloc_init();
+       nd_if_rwlock = lck_rw_alloc_init(nd_if_rwlock_grp, nd_if_rwlock_attr);
+
+       llinfo_nd6_zone = zinit(sizeof (struct llinfo_nd6),
+           LLINFO_ND6_ZONE_MAX * sizeof (struct llinfo_nd6), 0,
+           LLINFO_ND6_ZONE_NAME);
+       if (llinfo_nd6_zone == NULL)
+               panic("%s: failed allocating llinfo_nd6_zone", __func__);
+
+       zone_change(llinfo_nd6_zone, Z_EXPAND, TRUE);
+
        nd6_init_done = 1;
 
        /* start timer */
        nd6_init_done = 1;
 
        /* start timer */
-       timeout(nd6_slowtimo_funneled, (caddr_t)0, ND6_SLOWTIMER_INTERVAL * hz);
+       timeout(nd6_slowtimo, (caddr_t)0, ND6_SLOWTIMER_INTERVAL * hz);
 }
 
 }
 
-void
-nd6_ifattach(ifp)
-       struct ifnet *ifp;
+static struct llinfo_nd6 *
+nd6_llinfo_alloc(void)
+{
+       return (zalloc(llinfo_nd6_zone));
+}
+
+static void
+nd6_llinfo_free(void *arg)
+{
+       struct llinfo_nd6 *ln = arg;
+
+       if (ln->ln_next != NULL || ln->ln_prev != NULL) {
+               panic("%s: trying to free %p when it is in use", __func__, ln);
+               /* NOTREACHED */
+       }
+
+       /* Just in case there's anything there, free it */
+       if (ln->ln_hold != NULL) {
+               m_freem(ln->ln_hold);
+               ln->ln_hold = NULL;
+       }
+
+       zfree(llinfo_nd6_zone, ln);
+}
+
+int
+nd6_ifattach(struct ifnet *ifp)
 {
 {
-       static size_t if_indexlim = 8;
 
        /*
         * We have some arrays that should be indexed by if_index.
         * since if_index will grow dynamically, they should grow too.
         */
 
        /*
         * We have some arrays that should be indexed by if_index.
         * since if_index will grow dynamically, they should grow too.
         */
-       if (nd_ifinfo == NULL || if_index >= if_indexlim) {
+       lck_rw_lock_exclusive(nd_if_rwlock);
+       if (nd_ifinfo == NULL || if_index >= nd_ifinfo_indexlim) {
                size_t n;
                caddr_t q;
                size_t n;
                caddr_t q;
+               size_t newlim = nd_ifinfo_indexlim;
 
 
-               while (if_index >= if_indexlim)
-                       if_indexlim <<= 1;
+               while (if_index >= newlim)
+                       newlim <<= 1;
 
                /* grow nd_ifinfo */
 
                /* grow nd_ifinfo */
-               n = if_indexlim * sizeof(struct nd_ifinfo);
+               n = newlim * sizeof(struct nd_ifinfo);
                q = (caddr_t)_MALLOC(n, M_IP6NDP, M_WAITOK);
                q = (caddr_t)_MALLOC(n, M_IP6NDP, M_WAITOK);
+               if (q == NULL) {
+                       lck_rw_done(nd_if_rwlock);
+                       return ENOBUFS;
+               }
                bzero(q, n);
                bzero(q, n);
+               nd_ifinfo_indexlim = newlim;
                if (nd_ifinfo) {
                        bcopy((caddr_t)nd_ifinfo, q, n/2);
                if (nd_ifinfo) {
                        bcopy((caddr_t)nd_ifinfo, q, n/2);
-                       _FREE((caddr_t)nd_ifinfo, M_IP6NDP);
+                       /*
+                        * We might want to pattern fill the old
+                        * array to catch use-after-free cases.
+                        */
+                       FREE((caddr_t)nd_ifinfo, M_IP6NDP);
                }
                nd_ifinfo = (struct nd_ifinfo *)q;
        }
                }
                nd_ifinfo = (struct nd_ifinfo *)q;
        }
+       lck_rw_done(nd_if_rwlock);
 
 #define ND nd_ifinfo[ifp->if_index]
 
 #define ND nd_ifinfo[ifp->if_index]
-       ND.linkmtu = ifindex2ifnet[ifp->if_index]->if_mtu;
+
+       /*
+        * Don't initialize if called twice.
+        * XXX: to detect this, we should choose a member that is never set
+        * before initialization of the ND structure itself.  We formaly used
+        * the linkmtu member, which was not suitable because it could be 
+        * initialized via "ifconfig mtu".
+        */
+       lck_rw_lock_shared(nd_if_rwlock);
+       if (ND.basereachable) {
+               lck_rw_done(nd_if_rwlock);
+               return 0;
+       }
+       ND.linkmtu = ifp->if_mtu;
        ND.chlim = IPV6_DEFHLIM;
        ND.basereachable = REACHABLE_TIME;
        ND.reachable = ND_COMPUTE_RTIME(ND.basereachable);
        ND.retrans = RETRANS_TIMER;
        ND.receivedra = 0;
        ND.flags = ND6_IFF_PERFORMNUD;
        ND.chlim = IPV6_DEFHLIM;
        ND.basereachable = REACHABLE_TIME;
        ND.reachable = ND_COMPUTE_RTIME(ND.basereachable);
        ND.retrans = RETRANS_TIMER;
        ND.receivedra = 0;
        ND.flags = ND6_IFF_PERFORMNUD;
+       lck_rw_done(nd_if_rwlock);
        nd6_setmtu(ifp);
 #undef ND
        nd6_setmtu(ifp);
 #undef ND
+       
+       return 0;
 }
 
 /*
 }
 
 /*
@@ -196,67 +352,60 @@ nd6_ifattach(ifp)
  * changes, which means we might have to adjust the ND level MTU.
  */
 void
  * changes, which means we might have to adjust the ND level MTU.
  */
 void
-nd6_setmtu(ifp)
-       struct ifnet *ifp;
+nd6_setmtu(struct ifnet *ifp)
 {
 {
-       struct nd_ifinfo *ndi = &nd_ifinfo[ifp->if_index];
-       u_long oldmaxmtu = ndi->maxmtu;
-       u_long oldlinkmtu = ndi->linkmtu;
-
-       switch(ifp->if_type) {
-        case IFT_ARCNET:       /* XXX MTU handling needs more work */
-                ndi->maxmtu = MIN(60480, ifp->if_mtu);
-                break;
-        case IFT_ETHER:
-                ndi->maxmtu = MIN(ETHERMTU, ifp->if_mtu);
-                break;
-#if defined(__FreeBSD__) || defined(__bsdi__)
-        case IFT_FDDI:
-                ndi->maxmtu = MIN(FDDIIPMTU, ifp->if_mtu);
-                break;
-#endif
-#if !(defined(__bsdi__) && _BSDI_VERSION >= 199802) && !defined (__APPLE__)
-        case IFT_ATM:
-                ndi->maxmtu = MIN(ATMMTU, ifp->if_mtu);
-                break;
-#endif
-        default:
-                ndi->maxmtu = ifp->if_mtu;
-                break;
+       struct nd_ifinfo *ndi;
+       u_int32_t oldmaxmtu, maxmtu;
+
+       /*
+        * Make sure IPv6 is enabled for the interface first, 
+        * because this can be called directly from SIOCSIFMTU for IPv4
+        */
+       lck_rw_lock_shared(nd_if_rwlock);
+       if (ifp->if_index >= nd_ifinfo_indexlim) {
+               lck_rw_done(nd_if_rwlock);
+               return; /* we're  out of bound for nd_ifinfo */
        }
 
        }
 
-       if (oldmaxmtu != ndi->maxmtu) {
-               /*
-                * If the ND level MTU is not set yet, or if the maxmtu
-                * is reset to a smaller value than the ND level MTU,
-                * also reset the ND level MTU.
-                */
-               if (ndi->linkmtu == 0 ||
-                   ndi->maxmtu < ndi->linkmtu) {
-                       ndi->linkmtu = ndi->maxmtu;
-                       /* also adjust in6_maxmtu if necessary. */
-                       if (oldlinkmtu == 0) {
-                               /*
-                                * XXX: the case analysis is grotty, but
-                                * it is not efficient to call in6_setmaxmtu()
-                                * here when we are during the initialization
-                                * procedure.
-                                */
-                               if (in6_maxmtu < ndi->linkmtu)
-                                       in6_maxmtu = ndi->linkmtu;
-                       }
-                       else
-                               in6_setmaxmtu();
-               }
+       ndi = &nd_ifinfo[ifp->if_index];
+       oldmaxmtu = ndi->maxmtu;
+
+       /*
+        * The ND level maxmtu is somewhat redundant to the interface MTU
+        * and is an implementation artifact of KAME.  Instead of hard-
+        * limiting the maxmtu based on the interface type here, we simply
+        * take the if_mtu value since SIOCSIFMTU would have taken care of
+        * the sanity checks related to the maximum MTU allowed for the
+        * interface (a value that is known only by the interface layer),
+        * by sending the request down via ifnet_ioctl().  The use of the
+        * ND level maxmtu and linkmtu (the latter obtained via RA) are done
+        * via IN6_LINKMTU() which does further checking against if_mtu.
+        */
+       maxmtu = ndi->maxmtu = ifp->if_mtu;
+
+       /*
+       * Decreasing the interface MTU under IPV6 minimum MTU may cause
+       * undesirable situation.  We thus notify the operator of the change
+       * explicitly.  The check for oldmaxmtu is necessary to restrict the
+       * log to the case of changing the MTU, not initializing it.
+       */
+       if (oldmaxmtu >= IPV6_MMTU && ndi->maxmtu < IPV6_MMTU) {
+               log(LOG_NOTICE, "nd6_setmtu: "
+                   "new link MTU on %s%d (%u) is too small for IPv6\n",
+                   ifp->if_name, ifp->if_unit, (uint32_t)ndi->maxmtu);
        }
        }
-#undef MIN
+       lck_rw_done(nd_if_rwlock);
+
+       /* also adjust in6_maxmtu if necessary. */
+       if (maxmtu > in6_maxmtu)
+               in6_setmaxmtu();
 }
 
 void
 }
 
 void
-nd6_option_init(opt, icmp6len, ndopts)
-       void *opt;
-       int icmp6len;
-       union nd_opts *ndopts;
+nd6_option_init(
+       void *opt,
+       int icmp6len,
+       union nd_opts *ndopts)
 {
        bzero(ndopts, sizeof(*ndopts));
        ndopts->nd_opts_search = (struct nd_opt_hdr *)opt;
 {
        bzero(ndopts, sizeof(*ndopts));
        ndopts->nd_opts_search = (struct nd_opt_hdr *)opt;
@@ -273,8 +422,8 @@ nd6_option_init(opt, icmp6len, ndopts)
  * Take one ND option.
  */
 struct nd_opt_hdr *
  * Take one ND option.
  */
 struct nd_opt_hdr *
-nd6_option(ndopts)
-       union nd_opts *ndopts;
+nd6_option(
+       union nd_opts *ndopts)
 {
        struct nd_opt_hdr *nd_opt;
        int olen;
 {
        struct nd_opt_hdr *nd_opt;
        int olen;
@@ -290,6 +439,12 @@ nd6_option(ndopts)
 
        nd_opt = ndopts->nd_opts_search;
 
 
        nd_opt = ndopts->nd_opts_search;
 
+       /* make sure nd_opt_len is inside the buffer */
+       if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
+               bzero(ndopts, sizeof(*ndopts));
+               return NULL;
+       }
+
        olen = nd_opt->nd_opt_len << 3;
        if (olen == 0) {
                /*
        olen = nd_opt->nd_opt_len << 3;
        if (olen == 0) {
                /*
@@ -301,7 +456,12 @@ nd6_option(ndopts)
        }
 
        ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
        }
 
        ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
-       if (!(ndopts->nd_opts_search < ndopts->nd_opts_last)) {
+       if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
+               /* option overruns the end of buffer, invalid */
+               bzero(ndopts, sizeof(*ndopts));
+               return NULL;
+       } else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
+               /* reached the end of options chain */
                ndopts->nd_opts_done = 1;
                ndopts->nd_opts_search = NULL;
        }
                ndopts->nd_opts_done = 1;
                ndopts->nd_opts_search = NULL;
        }
@@ -314,8 +474,8 @@ nd6_option(ndopts)
  * multiple options of the same type.
  */
 int
  * multiple options of the same type.
  */
 int
-nd6_options(ndopts)
-       union nd_opts *ndopts;
+nd6_options(
+       union nd_opts *ndopts)
 {
        struct nd_opt_hdr *nd_opt;
        int i = 0;
 {
        struct nd_opt_hdr *nd_opt;
        int i = 0;
@@ -334,6 +494,7 @@ nd6_options(ndopts)
                         * Message validation requires that all included
                         * options have a length that is greater than zero.
                         */
                         * Message validation requires that all included
                         * options have a length that is greater than zero.
                         */
+                       icmp6stat.icp6s_nd_badopt++;
                        bzero(ndopts, sizeof(*ndopts));
                        return -1;
                }
                        bzero(ndopts, sizeof(*ndopts));
                        return -1;
                }
@@ -346,10 +507,10 @@ nd6_options(ndopts)
                case ND_OPT_TARGET_LINKADDR:
                case ND_OPT_MTU:
                case ND_OPT_REDIRECTED_HEADER:
                case ND_OPT_TARGET_LINKADDR:
                case ND_OPT_MTU:
                case ND_OPT_REDIRECTED_HEADER:
-               case ND_OPT_ADV_INTERVAL:
                        if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
                        if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
-                               printf("duplicated ND6 option found "
-                                       "(type=%d)\n", nd_opt->nd_opt_type);
+                               nd6log((LOG_INFO,
+                                   "duplicated ND6 option found (type=%d)\n",
+                                   nd_opt->nd_opt_type));
                                /* XXX bark? */
                        } else {
                                ndopts->nd_opt_array[nd_opt->nd_opt_type]
                                /* XXX bark? */
                        } else {
                                ndopts->nd_opt_array[nd_opt->nd_opt_type]
@@ -364,23 +525,21 @@ nd6_options(ndopts)
                        ndopts->nd_opts_pi_end =
                                (struct nd_opt_prefix_info *)nd_opt;
                        break;
                        ndopts->nd_opts_pi_end =
                                (struct nd_opt_prefix_info *)nd_opt;
                        break;
-               case ND_OPT_HA_INFORMATION:
-                       break;
                default:
                        /*
                         * Unknown options must be silently ignored,
                         * to accomodate future extension to the protocol.
                         */
                default:
                        /*
                         * Unknown options must be silently ignored,
                         * to accomodate future extension to the protocol.
                         */
-                       log(LOG_DEBUG,
+                       nd6log((LOG_DEBUG,
                            "nd6_options: unsupported option %d - "
                            "nd6_options: unsupported option %d - "
-                           "option ignored\n", nd_opt->nd_opt_type);
+                           "option ignored\n", nd_opt->nd_opt_type));
                }
 
 skip1:
                i++;
                if (i > nd6_maxndopt) {
                        icmp6stat.icp6s_nd_toomanyopt++;
                }
 
 skip1:
                i++;
                if (i > nd6_maxndopt) {
                        icmp6stat.icp6s_nd_toomanyopt++;
-                       printf("too many loop in nd opt\n");
+                       nd6log((LOG_INFO, "too many loop in nd opt\n"));
                        break;
                }
 
                        break;
                }
 
@@ -391,208 +550,432 @@ skip1:
        return 0;
 }
 
        return 0;
 }
 
-/*
- * ND6 timer routine to expire default route list and prefix list
- */
-void
-nd6_timer_funneled(ignored_arg)
-       void    *ignored_arg;
-{
-#ifdef __APPLE__
-        boolean_t   funnel_state;
-       funnel_state = thread_funnel_set(network_flock, TRUE);
-#endif
-       nd6_timer(ignored_arg);
-#ifdef __APPLE__
-        (void) thread_funnel_set(network_flock, FALSE);
-#endif
-}
 void
 void
-nd6_timer(ignored_arg)
-       void    *ignored_arg;
+nd6_drain(__unused void        *ignored_arg)
 {
 {
-       int s;
-       register struct llinfo_nd6 *ln;
-       register struct nd_defrouter *dr;
-       register struct nd_prefix *pr;
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined (__APPLE__)
-       long time_second = time.tv_sec;
-#endif
-       
-#if __NetBSD__
-       s = splsoftnet();
-#else
-       s = splnet();
-#endif
-       timeout(nd6_timer_funneled, (caddr_t)0, nd6_prune * hz);
+       struct llinfo_nd6 *ln;
+       struct nd_defrouter *dr;
+       struct nd_prefix *pr;
+       struct ifnet *ifp = NULL;
+       struct in6_ifaddr *ia6, *nia6;
+       struct in6_addrlifetime *lt6;
+       struct timeval timenow;
 
 
+       getmicrotime(&timenow);
+again:
+       /*
+        * The global list llinfo_nd6 is modified by nd6_request() and is
+        * therefore protected by rnh_lock.  For obvious reasons, we cannot
+        * hold rnh_lock across calls that might lead to code paths which
+        * attempt to acquire rnh_lock, else we deadlock.  Hence for such
+        * cases we drop rt_lock and rnh_lock, make the calls, and repeat the
+        * loop.  To ensure that we don't process the same entry more than
+        * once in a single timeout, we mark the "already-seen" entries with
+        * ND6_LNF_TIMER_SKIP flag.  At the end of the loop, we do a second
+        * pass thru the entries and clear the flag so they can be processed
+        * during the next timeout.
+        */
+       lck_mtx_lock(rnh_lock);
        ln = llinfo_nd6.ln_next;
        ln = llinfo_nd6.ln_next;
-       /* XXX BSD/OS separates this code -- itojun */
-       while (ln && ln != &llinfo_nd6) {
+       while (ln != NULL && ln != &llinfo_nd6) {
                struct rtentry *rt;
                struct rtentry *rt;
-               struct ifnet *ifp;
                struct sockaddr_in6 *dst;
                struct sockaddr_in6 *dst;
-               struct llinfo_nd6 *next = ln->ln_next;
-               /* XXX: used for the DELAY case only: */
-               struct nd_ifinfo *ndi = NULL;
+               struct llinfo_nd6 *next;
+               struct nd_ifinfo ndi;
 
 
-               if ((rt = ln->ln_rt) == NULL) {
+               /* ln_next/prev/rt is protected by rnh_lock */
+               next = ln->ln_next;
+               rt = ln->ln_rt;
+               RT_LOCK(rt);
+
+               /* We've seen this already; skip it */
+               if (ln->ln_flags & ND6_LNF_TIMER_SKIP) {
+                       RT_UNLOCK(rt);
                        ln = next;
                        continue;
                }
                        ln = next;
                        continue;
                }
+
+               /* rt->rt_ifp should never be NULL */
                if ((ifp = rt->rt_ifp) == NULL) {
                if ((ifp = rt->rt_ifp) == NULL) {
+                       panic("%s: ln(%p) rt(%p) rt_ifp == NULL", __func__,
+                           ln, rt);
+                       /* NOTREACHED */
+               }
+
+               /* rt_llinfo must always be equal to ln */
+               if ((struct llinfo_nd6 *)rt->rt_llinfo != ln) {
+                       panic("%s: rt_llinfo(%p) is not equal to ln(%p)",
+                             __func__, rt->rt_llinfo, ln);
+                       /* NOTREACHED */
+               }
+
+               /* rt_key should never be NULL */
+               dst = (struct sockaddr_in6 *)rt_key(rt);
+               if (dst == NULL) {
+                       panic("%s: rt(%p) key is NULL ln(%p)", __func__,
+                           rt, ln);
+                       /* NOTREACHED */
+               }
+
+               /* Set the flag in case we jump to "again" */
+               ln->ln_flags |= ND6_LNF_TIMER_SKIP;
+
+               if (ln->ln_expire > timenow.tv_sec) {
+                       RT_UNLOCK(rt);
                        ln = next;
                        continue;
                }
                        ln = next;
                        continue;
                }
-               ndi = &nd_ifinfo[ifp->if_index];
-               dst = (struct sockaddr_in6 *)rt_key(rt);
 
 
-               if (ln->ln_expire > time_second) {
+               /* Make a copy (we're using it read-only anyway) */
+               lck_rw_lock_shared(nd_if_rwlock);
+               if (ifp->if_index >= nd_ifinfo_indexlim) {
+                       lck_rw_done(nd_if_rwlock);
+                       RT_UNLOCK(rt);
                        ln = next;
                        continue;
                }
                        ln = next;
                        continue;
                }
-               
-               /* sanity check */
-               if (!rt)
-                       panic("rt=0 in nd6_timer(ln=%p)\n", ln);
-               if (rt->rt_llinfo && (struct llinfo_nd6 *)rt->rt_llinfo != ln)
-                       panic("rt_llinfo(%p) is not equal to ln(%p)\n",
-                             rt->rt_llinfo, ln);
-               if (!dst)
-                       panic("dst=0 in nd6_timer(ln=%p)\n", ln);
+               ndi = nd_ifinfo[ifp->if_index];
+               lck_rw_done(nd_if_rwlock);
+
+               RT_LOCK_ASSERT_HELD(rt);
 
                switch (ln->ln_state) {
                case ND6_LLINFO_INCOMPLETE:
                        if (ln->ln_asked < nd6_mmaxtries) {
                                ln->ln_asked++;
 
                switch (ln->ln_state) {
                case ND6_LLINFO_INCOMPLETE:
                        if (ln->ln_asked < nd6_mmaxtries) {
                                ln->ln_asked++;
-                               ln->ln_expire = time_second +
-                                       nd_ifinfo[ifp->if_index].retrans / 1000;
+                               ln->ln_expire = timenow.tv_sec +
+                                   ndi.retrans / 1000;
+                               RT_ADDREF_LOCKED(rt);
+                               RT_UNLOCK(rt);
+                               lck_mtx_unlock(rnh_lock);
                                nd6_ns_output(ifp, NULL, &dst->sin6_addr,
                                nd6_ns_output(ifp, NULL, &dst->sin6_addr,
-                                       ln, 0);
+                                       ln, 0, 0);
+                               RT_REMREF(rt);
                        } else {
                                struct mbuf *m = ln->ln_hold;
                        } else {
                                struct mbuf *m = ln->ln_hold;
-                               if (m) {
-                                       if (rt->rt_ifp) {
-                                               /*
-                                                * Fake rcvif to make ICMP error
-                                                * more helpful in diagnosing
-                                                * for the receiver.
-                                                * XXX: should we consider
-                                                * older rcvif?
-                                                */
-                                               m->m_pkthdr.rcvif = rt->rt_ifp;
-                                       }
+                               ln->ln_hold = NULL;
+                               if (m != NULL) {
+                                       /*
+                                        * Fake rcvif to make ICMP error
+                                        * more helpful in diagnosing
+                                        * for the receiver.
+                                        * XXX: should we consider
+                                        * older rcvif?
+                                        */
+                                       m->m_pkthdr.rcvif = ifp;
+                                       RT_UNLOCK(rt);
+                                       lck_mtx_unlock(rnh_lock);
                                        icmp6_error(m, ICMP6_DST_UNREACH,
                                                    ICMP6_DST_UNREACH_ADDR, 0);
                                        icmp6_error(m, ICMP6_DST_UNREACH,
                                                    ICMP6_DST_UNREACH_ADDR, 0);
-                                       ln->ln_hold = NULL;
+                               } else {
+                                       RT_UNLOCK(rt);
+                                       lck_mtx_unlock(rnh_lock);
                                }
                                nd6_free(rt);
                        }
                                }
                                nd6_free(rt);
                        }
-                       break;
+                       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
+                       goto again;
+
                case ND6_LLINFO_REACHABLE:
                case ND6_LLINFO_REACHABLE:
-                       if (ln->ln_expire)
+                       if (ln->ln_expire) {
                                ln->ln_state = ND6_LLINFO_STALE;
                                ln->ln_state = ND6_LLINFO_STALE;
+                               ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
+                                   nd6_gctimer);
+                       }
+                       RT_UNLOCK(rt);
                        break;
                        break;
-               /*
-                * ND6_LLINFO_STALE state requires nothing for timer
-                * routine.
-                */
+
+               case ND6_LLINFO_STALE:
+               case ND6_LLINFO_PURGE:
+                       /* Garbage Collection(RFC 2461 5.3) */
+                       if (ln->ln_expire) {
+                               RT_UNLOCK(rt);
+                               lck_mtx_unlock(rnh_lock);
+                               nd6_free(rt);
+                               lck_mtx_assert(rnh_lock,
+                                   LCK_MTX_ASSERT_NOTOWNED);
+                               goto again;
+                       } else {
+                               RT_UNLOCK(rt);
+                       }
+                       break;
+
                case ND6_LLINFO_DELAY:
                case ND6_LLINFO_DELAY:
-                       if (ndi && (ndi->flags & ND6_IFF_PERFORMNUD) != 0) {
+                       if ((ndi.flags & ND6_IFF_PERFORMNUD) != 0) {
                                /* We need NUD */
                                ln->ln_asked = 1;
                                ln->ln_state = ND6_LLINFO_PROBE;
                                /* We need NUD */
                                ln->ln_asked = 1;
                                ln->ln_state = ND6_LLINFO_PROBE;
-                               ln->ln_expire = time_second +
-                                       ndi->retrans / 1000;
+                               ln->ln_expire = timenow.tv_sec +
+                                       ndi.retrans / 1000;
+                               RT_ADDREF_LOCKED(rt);
+                               RT_UNLOCK(rt);
+                               lck_mtx_unlock(rnh_lock);
                                nd6_ns_output(ifp, &dst->sin6_addr,
                                nd6_ns_output(ifp, &dst->sin6_addr,
-                                             &dst->sin6_addr,
-                                             ln, 0);
+                                   &dst->sin6_addr, ln, 0, 0);
+                               lck_mtx_assert(rnh_lock,
+                                   LCK_MTX_ASSERT_NOTOWNED);
+                               RT_REMREF(rt);
+                               goto again;
                        }
                        }
-                       else
-                               ln->ln_state = ND6_LLINFO_STALE; /* XXX */
+                       ln->ln_state = ND6_LLINFO_STALE; /* XXX */
+                       ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
+                           nd6_gctimer);
+                       RT_UNLOCK(rt);
                        break;
                        break;
+
                case ND6_LLINFO_PROBE:
                        if (ln->ln_asked < nd6_umaxtries) {
                                ln->ln_asked++;
                case ND6_LLINFO_PROBE:
                        if (ln->ln_asked < nd6_umaxtries) {
                                ln->ln_asked++;
-                               ln->ln_expire = time_second +
-                                       nd_ifinfo[ifp->if_index].retrans / 1000;
+                               ln->ln_expire = timenow.tv_sec +
+                                   ndi.retrans / 1000;
+                               RT_ADDREF_LOCKED(rt);
+                               RT_UNLOCK(rt);
+                               lck_mtx_unlock(rnh_lock);
                                nd6_ns_output(ifp, &dst->sin6_addr,
                                nd6_ns_output(ifp, &dst->sin6_addr,
-                                              &dst->sin6_addr, ln, 0);
+                                   &dst->sin6_addr, ln, 0, 0);
+                               RT_REMREF(rt);
                        } else {
                        } else {
+                               RT_UNLOCK(rt);
+                               lck_mtx_unlock(rnh_lock);
                                nd6_free(rt);
                        }
                                nd6_free(rt);
                        }
-                       break;
-               case ND6_LLINFO_WAITDELETE:
-                       nd6_free(rt);
+                       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
+                       goto again;
+
+               default:
+                       RT_UNLOCK(rt);
                        break;
                }
                ln = next;
        }
                        break;
                }
                ln = next;
        }
-       
-       /* expire */
+       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);
+
+       /* Now clear the flag from all entries */
+       ln = llinfo_nd6.ln_next;
+       while (ln != NULL && ln != &llinfo_nd6) {
+               struct rtentry *rt = ln->ln_rt;
+               struct llinfo_nd6 *next = ln->ln_next;
+
+               RT_LOCK_SPIN(rt);
+               if (ln->ln_flags & ND6_LNF_TIMER_SKIP)
+                       ln->ln_flags &= ~ND6_LNF_TIMER_SKIP;
+               RT_UNLOCK(rt);
+               ln = next;
+       }
+       lck_mtx_unlock(rnh_lock);
+
+       /* expire default router list */
+       lck_mtx_lock(nd6_mutex);
        dr = TAILQ_FIRST(&nd_defrouter);
        while (dr) {
        dr = TAILQ_FIRST(&nd_defrouter);
        while (dr) {
-               if (dr->expire && dr->expire < time_second) {
+               if (dr->expire && dr->expire < timenow.tv_sec) {
                        struct nd_defrouter *t;
                        t = TAILQ_NEXT(dr, dr_entry);
                        struct nd_defrouter *t;
                        t = TAILQ_NEXT(dr, dr_entry);
-                       defrtrlist_del(dr);
+                       defrtrlist_del(dr, 1);
                        dr = t;
                } else {
                        dr = t;
                } else {
-#if MIP6
-                       if (mip6_expired_defrouter_hook)
-                               (*mip6_expired_defrouter_hook)(dr);
-#endif /* MIP6 */
                        dr = TAILQ_NEXT(dr, dr_entry);
                }
        }
                        dr = TAILQ_NEXT(dr, dr_entry);
                }
        }
-       pr = nd_prefix.lh_first;
-       while (pr) {
-               struct in6_ifaddr *ia6;
-               struct in6_addrlifetime *lt6;
 
 
-               if (IN6_IS_ADDR_UNSPECIFIED(&pr->ndpr_addr))
-                       ia6 = NULL;
-               else
-                       ia6 = in6ifa_ifpwithaddr(pr->ndpr_ifp, &pr->ndpr_addr);
-
-               if (ia6) {
-                       /* check address lifetime */
-                       lt6 = &ia6->ia6_lifetime;
-                       if (lt6->ia6t_preferred && lt6->ia6t_preferred < time_second)
-                               ia6->ia6_flags |= IN6_IFF_DEPRECATED;
-                       if (lt6->ia6t_expire && lt6->ia6t_expire < time_second) {
-                               if (!IN6_IS_ADDR_UNSPECIFIED(&pr->ndpr_addr))
-                                       in6_ifdel(pr->ndpr_ifp, &pr->ndpr_addr);
-                               /* xxx ND_OPT_PI_FLAG_ONLINK processing */
+       /*
+        * expire interface addresses.
+        * in the past the loop was inside prefix expiry processing.
+        * However, from a stricter speci-confrmance standpoint, we should
+        * rather separate address lifetimes and prefix lifetimes.
+        */
+  addrloop:
+       for (ia6 = in6_ifaddrs; ia6; ia6 = nia6) {
+               nia6 = ia6->ia_next;
+               /* check address lifetime */
+               lt6 = &ia6->ia6_lifetime;
+               if (IFA6_IS_INVALID(ia6)) {
+                       int regen = 0;
+
+                       /*
+                        * Extra reference for ourselves; it's no-op if
+                        * we don't have to regenerate temporary address,
+                        * otherwise it protects the address from going
+                        * away since we drop nd6_mutex below.
+                        */
+                       ifaref(&ia6->ia_ifa);
+
+                       /*
+                        * If the expiring address is temporary, try
+                        * regenerating a new one.  This would be useful when
+                        * we suspended a laptop PC, then turned it on after a
+                        * period that could invalidate all temporary
+                        * addresses.  Although we may have to restart the
+                        * loop (see below), it must be after purging the
+                        * address.  Otherwise, we'd see an infinite loop of
+                        * regeneration. 
+                        */
+                       if (ip6_use_tempaddr &&
+                           (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0) {
+                               /* NOTE: We have to drop the lock here because 
+                                * regen_tmpaddr() eventually calls in6_update_ifa(),  
+                                * which must take the lock and would otherwise cause a 
+                                * hang. This is safe because the goto addrloop 
+                                * leads to a reevaluation of the in6_ifaddrs list
+                                */
+                               lck_mtx_unlock(nd6_mutex);
+                               if (regen_tmpaddr(ia6) == 0) 
+                                       regen = 1;
+                               lck_mtx_lock(nd6_mutex);
+                       }
+
+                       in6_purgeaddr(&ia6->ia_ifa, 1);
+
+                       /* Release extra reference taken above */
+                       ifafree(&ia6->ia_ifa);
+
+                       if (regen)
+                               goto addrloop; /* XXX: see below */
+               }
+               if (IFA6_IS_DEPRECATED(ia6)) {
+                       int oldflags = ia6->ia6_flags;
+
+                       ia6->ia6_flags |= IN6_IFF_DEPRECATED;
+
+                       /*
+                        * If a temporary address has just become deprecated,
+                        * regenerate a new one if possible.
+                        */
+                       if (ip6_use_tempaddr &&
+                           (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
+                           (oldflags & IN6_IFF_DEPRECATED) == 0) {
+
+                               /* see NOTE above */
+                               lck_mtx_unlock(nd6_mutex);
+                               if (regen_tmpaddr(ia6) == 0) {
+                                       /*
+                                        * A new temporary address is
+                                        * generated.
+                                        * XXX: this means the address chain
+                                        * has changed while we are still in
+                                        * the loop.  Although the change
+                                        * would not cause disaster (because
+                                        * it's not a deletion, but an
+                                        * addition,) we'd rather restart the
+                                        * loop just for safety.  Or does this 
+                                        * significantly reduce performance??
+                                        */
+                                       lck_mtx_lock(nd6_mutex);
+                                       goto addrloop;
+                               }
+                               lck_mtx_lock(nd6_mutex);
                        }
                        }
+               } else {
+                       /*
+                        * A new RA might have made a deprecated address
+                        * preferred.
+                        */
+                       ia6->ia6_flags &= ~IN6_IFF_DEPRECATED;
                }
                }
+       }
 
 
+       /* expire prefix list */
+       pr = nd_prefix.lh_first;
+       while (pr) {
                /*
                 * check prefix lifetime.
                 * since pltime is just for autoconf, pltime processing for
                 * prefix is not necessary.
                /*
                 * check prefix lifetime.
                 * since pltime is just for autoconf, pltime processing for
                 * prefix is not necessary.
-                *
-                * we offset expire time by NDPR_KEEP_EXPIRE, so that we
-                * can use the old prefix information to validate the
-                * next prefix information to come.  See prelist_update()
-                * for actual validation.
                 */
                 */
-               if (pr->ndpr_expire
-                && pr->ndpr_expire + NDPR_KEEP_EXPIRED < time_second) {
+               if (pr->ndpr_expire && pr->ndpr_expire < timenow.tv_sec) {
                        struct nd_prefix *t;
                        t = pr->ndpr_next;
 
                        /*
                         * address expiration and prefix expiration are
                        struct nd_prefix *t;
                        t = pr->ndpr_next;
 
                        /*
                         * address expiration and prefix expiration are
-                        * separate.  NEVER perform in6_ifdel here.
+                        * separate.  NEVER perform in6_purgeaddr here.
                         */
 
                         */
 
-                       prelist_remove(pr);
+                       prelist_remove(pr, 1);
                        pr = t;
                } else
                        pr = pr->ndpr_next;
        }
                        pr = t;
                } else
                        pr = pr->ndpr_next;
        }
-       splx(s);
+       lck_mtx_unlock(nd6_mutex);
+}
+
+/*
+ * ND6 timer routine to expire default route list and prefix list
+ */
+void
+nd6_timer(__unused void        *ignored_arg)
+{
+       nd6_drain(NULL);
+       timeout(nd6_timer, (caddr_t)0, nd6_prune * hz);
+}
+
+static int
+regen_tmpaddr(
+       struct in6_ifaddr *ia6) /* deprecated/invalidated temporary address */
+{
+       struct ifaddr *ifa;
+       struct ifnet *ifp;
+       struct in6_ifaddr *public_ifa6 = NULL;
+       struct timeval timenow;
+
+       getmicrotime(&timenow);
+
+       ifp = ia6->ia_ifa.ifa_ifp;
+       ifnet_lock_exclusive(ifp);
+       for (ifa = ifp->if_addrlist.tqh_first; ifa;
+            ifa = ifa->ifa_list.tqe_next)
+       {
+               struct in6_ifaddr *it6;
+
+               if (ifa->ifa_addr->sa_family != AF_INET6)
+                       continue;
+
+               it6 = (struct in6_ifaddr *)ifa;
+
+               /* ignore no autoconf addresses. */
+               if ((it6->ia6_flags & IN6_IFF_AUTOCONF) == 0)
+                       continue;
+
+               /* ignore autoconf addresses with different prefixes. */
+               if (it6->ia6_ndpr == NULL || it6->ia6_ndpr != ia6->ia6_ndpr)
+                       continue;
+
+               /*
+                * Now we are looking at an autoconf address with the same
+                * prefix as ours.  If the address is temporary and is still
+                * preferred, do not create another one.  It would be rare, but
+                * could happen, for example, when we resume a laptop PC after
+                * a long period.
+                */
+               if ((it6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
+                   !IFA6_IS_DEPRECATED(it6)) {
+                       public_ifa6 = NULL;
+                       break;
+               }
+
+               /*
+                * This is a public autoconf address that has the same prefix
+                * as ours.  If it is preferred, keep it.  We can't break the
+                * loop here, because there may be a still-preferred temporary
+                * address with the prefix.
+                */
+               if (!IFA6_IS_DEPRECATED(it6))
+                   public_ifa6 = it6;
+       }
+       ifnet_lock_done(ifp);
+
+       if (public_ifa6 != NULL) {
+               int e;
+
+               if ((e = in6_tmpifadd(public_ifa6, 0, M_WAITOK)) != 0) {
+                       log(LOG_NOTICE, "regen_tmpaddr: failed to create a new"
+                           " tmp addr,errno=%d\n", e);
+                       return(-1);
+               }
+               return(0);
+       }
+
+       return(-1);
 }
 
 /*
 }
 
 /*
@@ -600,14 +983,15 @@ nd6_timer(ignored_arg)
  * ifp goes away.
  */
 void
  * ifp goes away.
  */
 void
-nd6_purge(ifp)
-       struct ifnet *ifp;
+nd6_purge(
+       struct ifnet *ifp)
 {
 {
-       struct llinfo_nd6 *ln, *nln;
+       struct llinfo_nd6 *ln;
        struct nd_defrouter *dr, *ndr, drany;
        struct nd_prefix *pr, *npr;
 
        /* Nuke default router list entries toward ifp */
        struct nd_defrouter *dr, *ndr, drany;
        struct nd_prefix *pr, *npr;
 
        /* Nuke default router list entries toward ifp */
+       lck_mtx_lock(nd6_mutex);
        if ((dr = TAILQ_FIRST(&nd_defrouter)) != NULL) {
                /*
                 * The first entry of the list may be stored in
        if ((dr = TAILQ_FIRST(&nd_defrouter)) != NULL) {
                /*
                 * The first entry of the list may be stored in
@@ -616,31 +1000,46 @@ nd6_purge(ifp)
                for (dr = TAILQ_NEXT(dr, dr_entry); dr; dr = ndr) {
                        ndr = TAILQ_NEXT(dr, dr_entry);
                        if (dr->ifp == ifp)
                for (dr = TAILQ_NEXT(dr, dr_entry); dr; dr = ndr) {
                        ndr = TAILQ_NEXT(dr, dr_entry);
                        if (dr->ifp == ifp)
-                               defrtrlist_del(dr);
+                               defrtrlist_del(dr, 1);
                }
                dr = TAILQ_FIRST(&nd_defrouter);
                if (dr->ifp == ifp)
                }
                dr = TAILQ_FIRST(&nd_defrouter);
                if (dr->ifp == ifp)
-                       defrtrlist_del(dr);
+                       defrtrlist_del(dr, 1);
        }
 
        /* Nuke prefix list entries toward ifp */
        for (pr = nd_prefix.lh_first; pr; pr = npr) {
                npr = pr->ndpr_next;
                if (pr->ndpr_ifp == ifp) {
        }
 
        /* Nuke prefix list entries toward ifp */
        for (pr = nd_prefix.lh_first; pr; pr = npr) {
                npr = pr->ndpr_next;
                if (pr->ndpr_ifp == ifp) {
-                       if (!IN6_IS_ADDR_UNSPECIFIED(&pr->ndpr_addr))
-                               in6_ifdel(pr->ndpr_ifp, &pr->ndpr_addr);
-                       prelist_remove(pr);
+                       /*
+                        * Previously, pr->ndpr_addr is removed as well,
+                        * but I strongly believe we don't have to do it.
+                        * nd6_purge() is only called from in6_ifdetach(),
+                        * which removes all the associated interface addresses
+                        * by itself.
+                        * (jinmei@kame.net 20010129)
+                        */
+                       prelist_remove(pr, 1);
                }
        }
 
        /* cancel default outgoing interface setting */
                }
        }
 
        /* cancel default outgoing interface setting */
-       if (nd6_defifindex == ifp->if_index)
+       if (nd6_defifindex == ifp->if_index) {
+               /* Release nd6_mutex as it will be acquired 
+                * during nd6_setdefaultiface again
+                */ 
+               lck_mtx_unlock(nd6_mutex);
                nd6_setdefaultiface(0);
                nd6_setdefaultiface(0);
+               lck_mtx_lock(nd6_mutex);
+       }
 
 
-       /* refresh default router list */
-       bzero(&drany, sizeof(drany));
-       defrouter_delreq(&drany, 0);
-       defrouter_select();
+       if (!ip6_forwarding && (ip6_accept_rtadv || (ifp->if_eflags & IFEF_ACCEPT_RTADVD))) { 
+               /* refresh default router list */
+               bzero(&drany, sizeof(drany));
+               defrouter_delreq(&drany, 0);
+               defrouter_select();
+       }
+       lck_mtx_unlock(nd6_mutex);
 
        /*
         * Nuke neighbor cache entries for the ifp.
 
        /*
         * Nuke neighbor cache entries for the ifp.
@@ -648,51 +1047,54 @@ nd6_purge(ifp)
         * due to KAME goto ours hack.  See RTM_RESOLVE case in
         * nd6_rtrequest(), and ip6_input().
         */
         * due to KAME goto ours hack.  See RTM_RESOLVE case in
         * nd6_rtrequest(), and ip6_input().
         */
+again:
+       lck_mtx_lock(rnh_lock);
        ln = llinfo_nd6.ln_next;
        ln = llinfo_nd6.ln_next;
-       while (ln && ln != &llinfo_nd6) {
-               struct rtentry *rt;
-               struct sockaddr_dl *sdl;
-
-               nln = ln->ln_next;
-               rt = ln->ln_rt;
-               if (rt && rt->rt_gateway &&
-                   rt->rt_gateway->sa_family == AF_LINK) {
-                       sdl = (struct sockaddr_dl *)rt->rt_gateway;
-                       if (sdl->sdl_index == ifp->if_index)
-                               nd6_free(rt);
-               }
-               ln = nln;
-       }
-
-       /*
-        * Neighbor cache entry for interface route will be retained
-        * with ND6_LLINFO_WAITDELETE state, by nd6_free().  Nuke it.
-        */
-       ln = llinfo_nd6.ln_next;
-       while (ln && ln != &llinfo_nd6) {
+       while (ln != NULL && ln != &llinfo_nd6) {
                struct rtentry *rt;
                struct rtentry *rt;
-               struct sockaddr_dl *sdl;
+               struct llinfo_nd6 *nln;
 
                nln = ln->ln_next;
                rt = ln->ln_rt;
 
                nln = ln->ln_next;
                rt = ln->ln_rt;
-               if (rt && rt->rt_gateway &&
-                   rt->rt_gateway->sa_family == AF_LINK) {
-                       sdl = (struct sockaddr_dl *)rt->rt_gateway;
-                       if (sdl->sdl_index == ifp->if_index) {
-                               rtrequest(RTM_DELETE, rt_key(rt),
-                                   (struct sockaddr *)0, rt_mask(rt), 0,
-                                   (struct rtentry **)0);
-                       }
+               RT_LOCK(rt);
+               if (rt->rt_gateway != NULL &&
+                   rt->rt_gateway->sa_family == AF_LINK &&
+                   SDL(rt->rt_gateway)->sdl_index == ifp->if_index) {
+                       RT_UNLOCK(rt);
+                       lck_mtx_unlock(rnh_lock);
+                       /*
+                        * See comments on nd6_timer() for reasons why
+                        * this loop is repeated; we bite the costs of
+                        * going thru the same llinfo_nd6 more than once
+                        * here, since this purge happens during detach,
+                        * and that unlike the timer case, it's possible
+                        * there's more than one purges happening at the
+                        * same time (thus a flag wouldn't buy anything).
+                        */
+                       nd6_free(rt);
+                       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
+                       goto again;
+               } else {
+                       RT_UNLOCK(rt);
                }
                ln = nln;
        }
                }
                ln = nln;
        }
+       lck_mtx_unlock(rnh_lock);
 }
 
 }
 
+/*
+ * Upon success, the returned route will be locked and the caller is
+ * responsible for releasing the reference and doing RT_UNLOCK(rt).
+ * This routine does not require rnh_lock to be held by the caller,
+ * although it needs to be indicated of such a case in order to call
+ * the correct variant of the relevant routing routines.
+ */
 struct rtentry *
 struct rtentry *
-nd6_lookup(addr6, create, ifp)
-       struct in6_addr *addr6;
-       int create;
-       struct ifnet *ifp;
+nd6_lookup(
+       struct in6_addr *addr6,
+       int create,
+       struct ifnet *ifp,
+       int rt_locked)
 {
        struct rtentry *rt;
        struct sockaddr_in6 sin6;
 {
        struct rtentry *rt;
        struct sockaddr_in6 sin6;
@@ -701,25 +1103,37 @@ nd6_lookup(addr6, create, ifp)
        sin6.sin6_len = sizeof(struct sockaddr_in6);
        sin6.sin6_family = AF_INET6;
        sin6.sin6_addr = *addr6;
        sin6.sin6_len = sizeof(struct sockaddr_in6);
        sin6.sin6_family = AF_INET6;
        sin6.sin6_addr = *addr6;
-       rt = rtalloc1((struct sockaddr *)&sin6, create
-#if __FreeBSD__ || defined (__APPLE__)
-                     , 0UL
-#endif /*__FreeBSD__*/
-                     );
-       if (rt && (rt->rt_flags & RTF_LLINFO) == 0) {
-               /*
-                * This is the case for the default route.
-                * If we want to create a neighbor cache for the address, we
-                * should free the route for the destination and allocate an
-                * interface route.
-                */
-               if (create) {
-                       RTFREE(rt);
-                       rt = 0;
+#if SCOPEDROUTING
+       sin6.sin6_scope_id = in6_addr2scopeid(ifp, addr6);
+#endif
+       if (rt_locked)
+               lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);
+
+       rt = rt_locked ? rtalloc1_locked((struct sockaddr *)&sin6, create, 0) :
+           rtalloc1((struct sockaddr *)&sin6, create, 0);
+
+       if (rt != NULL) {
+               RT_LOCK(rt);
+               if ((rt->rt_flags & RTF_LLINFO) == 0) {
+                       /*
+                        * This is the case for the default route.  If we
+                        * want to create a neighbor cache for the address,
+                        * we should free the route for the destination and
+                        * allocate an interface route.
+                        */
+                       if (create) {
+                               RT_UNLOCK(rt);
+                               if (rt_locked)
+                                       rtfree_locked(rt);
+                               else
+                                       rtfree(rt);
+                               rt = NULL;
+                       }
                }
        }
                }
        }
-       if (!rt) {
+       if (rt == NULL) {
                if (create && ifp) {
                if (create && ifp) {
+                       struct ifaddr *ifa;
                        int e;
 
                        /*
                        int e;
 
                        /*
@@ -729,57 +1143,74 @@ nd6_lookup(addr6, create, ifp)
                         * This hack is necessary for a neighbor which can't
                         * be covered by our own prefix.
                         */
                         * This hack is necessary for a neighbor which can't
                         * be covered by our own prefix.
                         */
-                       struct ifaddr *ifa =
-                               ifaof_ifpforaddr((struct sockaddr *)&sin6, ifp);
+                       ifa = ifaof_ifpforaddr((struct sockaddr *)&sin6, ifp);
                        if (ifa == NULL)
                                return(NULL);
 
                        /*
                        if (ifa == NULL)
                                return(NULL);
 
                        /*
-                        * Create a new route. RTF_LLINFO is necessary
+                        * Create a new route.  RTF_LLINFO is necessary
                         * to create a Neighbor Cache entry for the
                         * destination in nd6_rtrequest which will be
                         * to create a Neighbor Cache entry for the
                         * destination in nd6_rtrequest which will be
-                        * called in rtequest via ifa->ifa_rtrequest.
+                        * called in rtrequest via ifa->ifa_rtrequest.
                         */
                         */
-                       if ((e = rtrequest(RTM_ADD, (struct sockaddr *)&sin6,
-                                          ifa->ifa_addr,
-                                          (struct sockaddr *)&all1_sa,
-                                          (ifa->ifa_flags |
-                                           RTF_HOST | RTF_LLINFO) &
-                                          ~RTF_CLONING,
-                                          &rt)) != 0)
-                               log(LOG_ERR,
-                                   "nd6_lookup: failed to add route for a "
-                                   "neighbor(%s), errno=%d\n",
-                                   ip6_sprintf(addr6), e);
+                       if (!rt_locked)
+                               lck_mtx_lock(rnh_lock);
+                       if ((e = rtrequest_locked(RTM_ADD,
+                           (struct sockaddr *)&sin6, ifa->ifa_addr,
+                           (struct sockaddr *)&all1_sa,
+                           (ifa->ifa_flags | RTF_HOST | RTF_LLINFO) &
+                           ~RTF_CLONING, &rt)) != 0) {
+                               if (e != EEXIST)
+                                       log(LOG_ERR, "%s: failed to add route "
+                                           "for a neighbor(%s), errno=%d\n",
+                                           __func__, ip6_sprintf(addr6), e);
+                       }
+                       if (!rt_locked)
+                               lck_mtx_unlock(rnh_lock);
+                       ifafree(ifa);
                        if (rt == NULL)
                                return(NULL);
                        if (rt == NULL)
                                return(NULL);
+
+                       RT_LOCK(rt);
                        if (rt->rt_llinfo) {
                        if (rt->rt_llinfo) {
-                               struct llinfo_nd6 *ln =
-                                       (struct llinfo_nd6 *)rt->rt_llinfo;
+                               struct llinfo_nd6 *ln = rt->rt_llinfo;
                                ln->ln_state = ND6_LLINFO_NOSTATE;
                        }
                                ln->ln_state = ND6_LLINFO_NOSTATE;
                        }
-               }
-               else
+               } else {
                        return(NULL);
                        return(NULL);
+               }
        }
        }
-       rt->rt_refcnt--;
+       RT_LOCK_ASSERT_HELD(rt);
        /*
         * Validation for the entry.
        /*
         * Validation for the entry.
+        * Note that the check for rt_llinfo is necessary because a cloned
+        * route from a parent route that has the L flag (e.g. the default
+        * route to a p2p interface) may have the flag, too, while the
+        * destination is not actually a neighbor.
         * XXX: we can't use rt->rt_ifp to check for the interface, since
         *      it might be the loopback interface if the entry is for our
         *      own address on a non-loopback interface. Instead, we should
         * XXX: we can't use rt->rt_ifp to check for the interface, since
         *      it might be the loopback interface if the entry is for our
         *      own address on a non-loopback interface. Instead, we should
-        *      use rt->rt_ifa->ifa_ifp, which would specify the REAL interface.
+        *      use rt->rt_ifa->ifa_ifp, which would specify the REAL
+        *      interface.
         */
         */
-       if ((rt->rt_flags & RTF_GATEWAY) || (rt->rt_flags & RTF_LLINFO) == 0 ||
-           rt->rt_gateway->sa_family != AF_LINK ||
+       if (ifp == NULL || (ifp->if_type == IFT_PPP) ||
+           (ifp->if_eflags & IFEF_NOAUTOIPV6LL) ||
+           (rt->rt_flags & RTF_GATEWAY) || (rt->rt_flags & RTF_LLINFO) == 0 ||
+           rt->rt_gateway->sa_family != AF_LINK ||  rt->rt_llinfo == NULL ||
            (ifp && rt->rt_ifa->ifa_ifp != ifp)) {
            (ifp && rt->rt_ifa->ifa_ifp != ifp)) {
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
                if (create) {
                if (create) {
-                       log(LOG_DEBUG, "nd6_lookup: failed to lookup %s (if = %s)\n",
-                           ip6_sprintf(addr6), ifp ? if_name(ifp) : "unspec");
+                       log(LOG_DEBUG, "%s: failed to lookup %s "
+                           "(if = %s)\n", __func__, ip6_sprintf(addr6),
+                           ifp ? if_name(ifp) : "unspec");
                        /* xxx more logs... kazu */
                }
                        /* xxx more logs... kazu */
                }
-               return(0);
+               return(NULL);
        }
        }
+       /*
+        * Caller needs to release reference and call RT_UNLOCK(rt).
+        */
        return(rt);
 }
 
        return(rt);
 }
 
@@ -788,49 +1219,61 @@ nd6_lookup(addr6, create, ifp)
  * XXX: should take care of the destination of a p2p link?
  */
 int
  * XXX: should take care of the destination of a p2p link?
  */
 int
-nd6_is_addr_neighbor(addr, ifp)
-       struct in6_addr *addr;
-       struct ifnet *ifp;
+nd6_is_addr_neighbor(
+       struct sockaddr_in6 *addr,
+       struct ifnet *ifp,
+       int    rt_locked)
 {
 {
-       register struct ifaddr *ifa;
+       struct ifaddr *ifa;
+       struct rtentry *rt;
        int i;
 
 #define IFADDR6(a) ((((struct in6_ifaddr *)(a))->ia_addr).sin6_addr)
 #define IFMASK6(a) ((((struct in6_ifaddr *)(a))->ia_prefixmask).sin6_addr)
 
        int i;
 
 #define IFADDR6(a) ((((struct in6_ifaddr *)(a))->ia_addr).sin6_addr)
 #define IFMASK6(a) ((((struct in6_ifaddr *)(a))->ia_prefixmask).sin6_addr)
 
-       /* A link-local address is always a neighbor. */
-       if (IN6_IS_ADDR_LINKLOCAL(addr))
+       /*
+        * A link-local address is always a neighbor.
+        * XXX: we should use the sin6_scope_id field rather than the embedded
+        * interface index.
+        */
+       if (IN6_IS_ADDR_LINKLOCAL(&addr->sin6_addr) &&
+           ntohs(*(u_int16_t *)&addr->sin6_addr.s6_addr[2]) == ifp->if_index)
                return(1);
 
        /*
         * If the address matches one of our addresses,
         * it should be a neighbor.
         */
                return(1);
 
        /*
         * If the address matches one of our addresses,
         * it should be a neighbor.
         */
-#if defined(__bsdi__) || (defined(__FreeBSD__) && __FreeBSD__ < 3)
-       for (ifa = ifp->if_addrlist; ifa; ifa = ifa->ifa_next)
-#else
+       ifnet_lock_shared(ifp);
        for (ifa = ifp->if_addrlist.tqh_first;
             ifa;
             ifa = ifa->ifa_list.tqe_next)
        for (ifa = ifp->if_addrlist.tqh_first;
             ifa;
             ifa = ifa->ifa_list.tqe_next)
-#endif
        {
                if (ifa->ifa_addr->sa_family != AF_INET6)
        {
                if (ifa->ifa_addr->sa_family != AF_INET6)
-                       next: continue;
+                       continue;
 
                for (i = 0; i < 4; i++) {
 
                for (i = 0; i < 4; i++) {
-                       if ((IFADDR6(ifa).s6_addr32[i] ^ addr->s6_addr32[i]) &
-                           IFMASK6(ifa).s6_addr32[i])
-                               goto next;
+                       if ((IFADDR6(ifa).s6_addr32[i] ^
+                            addr->sin6_addr.s6_addr32[i]) &
+                               IFMASK6(ifa).s6_addr32[i])
+                               continue;
                }
                }
+               ifnet_lock_done(ifp);
                return(1);
        }
                return(1);
        }
+       ifnet_lock_done(ifp);
 
        /*
         * Even if the address matches none of our addresses, it might be
 
        /*
         * Even if the address matches none of our addresses, it might be
-        * in the neighbor cache.
+        * in the neighbor cache.  Callee returns a locked route upon
+        * success.
         */
         */
-       if (nd6_lookup(addr, 0, ifp))
+       if ((rt = nd6_lookup(&addr->sin6_addr, 0, ifp, rt_locked)) != NULL) {
+               RT_LOCK_ASSERT_HELD(rt);
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
                return(1);
                return(1);
+       }
 
        return(0);
 #undef IFADDR6
 
        return(0);
 #undef IFADDR6
@@ -841,36 +1284,49 @@ nd6_is_addr_neighbor(addr, ifp)
  * Free an nd6 llinfo entry.
  */
 void
  * Free an nd6 llinfo entry.
  */
 void
-nd6_free(rt)
-       struct rtentry *rt;
+nd6_free(
+       struct rtentry *rt)
 {
 {
-       struct llinfo_nd6 *ln = (struct llinfo_nd6 *)rt->rt_llinfo;
-       struct sockaddr_dl *sdl;
-       struct in6_addr in6 = ((struct sockaddr_in6 *)rt_key(rt))->sin6_addr;
+       struct llinfo_nd6 *ln;
+       struct in6_addr in6;
        struct nd_defrouter *dr;
 
        struct nd_defrouter *dr;
 
+       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
+       RT_LOCK_ASSERT_NOTHELD(rt);
+       lck_mtx_lock(nd6_mutex);
+
+       RT_LOCK(rt);
+       RT_ADDREF_LOCKED(rt);   /* Extra ref */
+       ln = rt->rt_llinfo;
+       in6 = ((struct sockaddr_in6 *)rt_key(rt))->sin6_addr;
+
        /*
        /*
-        * Clear all destination cache entries for the neighbor.
-        * XXX: is it better to restrict this to hosts?
+        * Prevent another thread from modifying rt_key, rt_gateway
+        * via rt_setgate() after the rt_lock is dropped by marking
+        * the route as defunct.
         */
         */
-       pfctlinput(PRC_HOSTDEAD, rt_key(rt));
+       rt->rt_flags |= RTF_CONDEMNED;
 
 
-       if (!ip6_forwarding && ip6_accept_rtadv) { /* XXX: too restrictive? */
-               int s;
-#ifdef __NetBSD__
-               s = splsoftnet();
-#else
-               s = splnet();
-#endif
-               dr = defrouter_lookup(&((struct sockaddr_in6 *)rt_key(rt))->sin6_addr,
-                                     rt->rt_ifp);
-               if (ln->ln_router || dr) {
+       /*
+        * we used to have pfctlinput(PRC_HOSTDEAD) here. 
+        * even though it is not harmful, it was not really necessary.
+        */
+
+       if (!ip6_forwarding && (ip6_accept_rtadv ||
+           (rt->rt_ifp->if_eflags & IFEF_ACCEPT_RTADVD))) {
+               dr = defrouter_lookup(&((struct sockaddr_in6 *)rt_key(rt))->
+                   sin6_addr, rt->rt_ifp);
+
+               if ((ln && ln->ln_router) || dr) {
                        /*
                         * rt6_flush must be called whether or not the neighbor
                         * is in the Default Router List.
                         * See a corresponding comment in nd6_na_input().
                         */
                        /*
                         * rt6_flush must be called whether or not the neighbor
                         * is in the Default Router List.
                         * See a corresponding comment in nd6_na_input().
                         */
+                       RT_UNLOCK(rt);
                        rt6_flush(&in6, rt->rt_ifp);
                        rt6_flush(&in6, rt->rt_ifp);
+               } else {
+                       RT_UNLOCK(rt);
                }
 
                if (dr) {
                }
 
                if (dr) {
@@ -883,12 +1339,22 @@ nd6_free(rt)
                        /*
                         * Temporarily fake the state to choose a new default
                         * router and to perform on-link determination of
                        /*
                         * Temporarily fake the state to choose a new default
                         * router and to perform on-link determination of
-                        * prefixes coreectly.
+                        * prefixes correctly.
                         * Below the state will be set correctly,
                         * or the entry itself will be deleted.
                         */
                         * Below the state will be set correctly,
                         * or the entry itself will be deleted.
                         */
+                       RT_LOCK_SPIN(rt);
                        ln->ln_state = ND6_LLINFO_INCOMPLETE;
 
                        ln->ln_state = ND6_LLINFO_INCOMPLETE;
 
+                       /*
+                        * Since defrouter_select() does not affect the
+                        * on-link determination and MIP6 needs the check
+                        * before the default router selection, we perform
+                        * the check now.
+                        */
+                       RT_UNLOCK(rt);
+                       pfxlist_onlink_check(1);
+
                        if (dr == TAILQ_FIRST(&nd_defrouter)) {
                                /*
                                 * It is used as the current default router,
                        if (dr == TAILQ_FIRST(&nd_defrouter)) {
                                /*
                                 * It is used as the current default router,
@@ -902,22 +1368,23 @@ nd6_free(rt)
 
                                defrouter_select();
                        }
 
                                defrouter_select();
                        }
-                       pfxlist_onlink_check();
                }
                }
-               splx(s);
-       }
-
-       if (rt->rt_refcnt > 0 && (sdl = SDL(rt->rt_gateway)) &&
-           sdl->sdl_family == AF_LINK) {
-               sdl->sdl_alen = 0;
-               ln->ln_state = ND6_LLINFO_WAITDELETE;
-               ln->ln_asked = 0;
-               rt->rt_flags &= ~RTF_REJECT;
-               return;
+               RT_LOCK_ASSERT_NOTHELD(rt);
+       } else {
+               RT_UNLOCK(rt);
        }
 
        }
 
-       rtrequest(RTM_DELETE, rt_key(rt), (struct sockaddr *)0,
+       lck_mtx_unlock(nd6_mutex);
+       /*
+        * Detach the route from the routing tree and the list of neighbor
+        * caches, and disable the route entry not to be used in already
+        * cached routes.
+        */
+       (void) rtrequest(RTM_DELETE, rt_key(rt), (struct sockaddr *)0,
                  rt_mask(rt), 0, (struct rtentry **)0);
                  rt_mask(rt), 0, (struct rtentry **)0);
+
+       /* Extra ref held above; now free it */
+       rtfree(rt);
 }
 
 /*
 }
 
 /*
@@ -926,14 +1393,15 @@ nd6_free(rt)
  * XXX cost-effective metods?
  */
 void
  * XXX cost-effective metods?
  */
 void
-nd6_nud_hint(rt, dst6)
-       struct rtentry *rt;
-       struct in6_addr *dst6;
+nd6_nud_hint(
+       struct rtentry *rt,
+       struct in6_addr *dst6,
+       int force)
 {
        struct llinfo_nd6 *ln;
 {
        struct llinfo_nd6 *ln;
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined (__APPLE__)
-       long time_second = time.tv_sec;
-#endif
+       struct timeval timenow;
+
+       getmicrotime(&timenow);
 
        /*
         * If the caller specified "rt", use that.  Otherwise, resolve the
 
        /*
         * If the caller specified "rt", use that.  Otherwise, resolve the
@@ -942,152 +1410,122 @@ nd6_nud_hint(rt, dst6)
        if (!rt) {
                if (!dst6)
                        return;
        if (!rt) {
                if (!dst6)
                        return;
-               if (!(rt = nd6_lookup(dst6, 0, NULL)))
+               /* Callee returns a locked route upon success */
+               if ((rt = nd6_lookup(dst6, 0, NULL, 0)) == NULL)
                        return;
                        return;
+               RT_LOCK_ASSERT_HELD(rt);
+       } else {
+               RT_LOCK(rt);
+               RT_ADDREF_LOCKED(rt);
        }
 
        }
 
-       if ((rt->rt_flags & RTF_GATEWAY)
-        || (rt->rt_flags & RTF_LLINFO) == 0
-        || !rt->rt_llinfo
-        || !rt->rt_gateway
-        || rt->rt_gateway->sa_family != AF_LINK) {
+       if ((rt->rt_flags & RTF_GATEWAY) != 0 ||
+           (rt->rt_flags & RTF_LLINFO) == 0 ||
+           !rt->rt_llinfo || !rt->rt_gateway ||
+           rt->rt_gateway->sa_family != AF_LINK) {
                /* This is not a host route. */
                /* This is not a host route. */
-               return;
+               goto done;
        }
 
        }
 
-       ln = (struct llinfo_nd6 *)rt->rt_llinfo;
+       ln = rt->rt_llinfo;
        if (ln->ln_state < ND6_LLINFO_REACHABLE)
        if (ln->ln_state < ND6_LLINFO_REACHABLE)
-               return;
-
-       ln->ln_state = ND6_LLINFO_REACHABLE;
-       if (ln->ln_expire && nd_ifinfo)
-               ln->ln_expire = time_second +
-                       (rt->rt_ifp ? nd_ifinfo[rt->rt_ifp->if_index].reachable : 0) ;
-}
-
-#if OLDIP6OUTPUT
-/*
- * Resolve an IP6 address into an ethernet address. If success,
- * desten is filled in. If there is no entry in ndptab,
- * set one up and multicast a solicitation for the IP6 address.
- * Hold onto this mbuf and resend it once the address
- * is finally resolved. A return value of 1 indicates
- * that desten has been filled in and the packet should be sent
- * normally; a 0 return indicates that the packet has been
- * taken over here, either now or for later transmission.
- */
-int
-nd6_resolve(ifp, rt, m, dst, desten)
-       struct ifnet *ifp;
-       struct rtentry *rt;
-       struct mbuf *m;
-       struct sockaddr *dst;
-       u_char *desten;
-{
-       struct llinfo_nd6 *ln = (struct llinfo_nd6 *)NULL;
-       struct sockaddr_dl *sdl;
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined (__APPLE__)
-       long time_second = time.tv_sec;
-#endif
+               goto done;
 
 
-       if (m->m_flags & M_MCAST) {
-               switch (ifp->if_type) {
-               case IFT_ETHER:
-               case IFT_FDDI:                  
-                       ETHER_MAP_IPV6_MULTICAST(&SIN6(dst)->sin6_addr,
-                                                desten);
-                       return(1);
-                       break;
-               case IFT_ARCNET:
-                       *desten = 0;
-                       return(1);
-                       break;
-               default:
-                       return(0);
-               }
-       }
-       if (rt && (rt->rt_flags & RTF_LLINFO) != 0)
-               ln = (struct llinfo_nd6 *)rt->rt_llinfo;
-       else {
-               if ((rt = nd6_lookup(&(SIN6(dst)->sin6_addr), 1, ifp)) != NULL)
-                       ln = (struct llinfo_nd6 *)rt->rt_llinfo;
-       }
-       if (!ln || !rt) {
-               log(LOG_DEBUG, "nd6_resolve: can't allocate llinfo for %s\n",
-                       ip6_sprintf(&(SIN6(dst)->sin6_addr)));
-               m_freem(m);
-               return(0);
-       }
-       sdl = SDL(rt->rt_gateway);
        /*
        /*
-        * Ckeck the address family and length is valid, the address
-        * is resolved; otherwise, try to resolve.
+        * if we get upper-layer reachability confirmation many times,
+        * it is possible we have false information.
         */
         */
-       if (ln->ln_state >= ND6_LLINFO_REACHABLE
-          && sdl->sdl_family == AF_LINK
-          && sdl->sdl_alen != 0) {
-               bcopy(LLADDR(sdl), desten, sdl->sdl_alen);
-               if (ln->ln_state == ND6_LLINFO_STALE) {
-                       ln->ln_asked = 0;
-                       ln->ln_state = ND6_LLINFO_DELAY;
-                       ln->ln_expire = time_second + nd6_delay;
-               }
-               return(1);
+       if (!force) {
+               ln->ln_byhint++;
+               if (ln->ln_byhint > nd6_maxnudhint)
+                       goto done;
        }
        }
-       /*
-        * There is an ndp entry, but no ethernet address
-        * response yet. Replace the held mbuf with this
-        * latest one.
-        *
-        * XXX Does the code conform to rate-limiting rule?
-        * (RFC 2461 7.2.2)
-        */
-       if (ln->ln_state == ND6_LLINFO_WAITDELETE ||
-           ln->ln_state == ND6_LLINFO_NOSTATE)
-               ln->ln_state = ND6_LLINFO_INCOMPLETE;
-       if (ln->ln_hold)
-               m_freem(ln->ln_hold);
-       ln->ln_hold = m;
+
+       ln->ln_state = ND6_LLINFO_REACHABLE;
        if (ln->ln_expire) {
        if (ln->ln_expire) {
-               rt->rt_flags &= ~RTF_REJECT;
-               if (ln->ln_asked < nd6_mmaxtries &&
-                   ln->ln_expire < time_second) {
-                       ln->ln_asked++;
-                       ln->ln_expire = time_second +
-                               nd_ifinfo[ifp->if_index].retrans / 1000;
-                       nd6_ns_output(ifp, NULL, &(SIN6(dst)->sin6_addr),
-                               ln, 0);
-               }
+               lck_rw_lock_shared(nd_if_rwlock);
+               ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
+                       nd_ifinfo[rt->rt_ifp->if_index].reachable);
+               lck_rw_done(nd_if_rwlock);
        }
        }
-       return(0);
+done:
+       RT_REMREF_LOCKED(rt);
+       RT_UNLOCK(rt);
 }
 }
-#endif /* OLDIP6OUTPUT */
 
 void
 
 void
-#if defined(__bsdi__) && _BSDI_VERSION >= 199802
-nd6_rtrequest(req, rt, info)
-       int     req;
-       struct rtentry *rt;
-       struct rt_addrinfo *info; /* xxx unused */
-#else
-nd6_rtrequest(req, rt, sa)
-       int     req;
-       struct rtentry *rt;
-       struct sockaddr *sa; /* xxx unused */
-#endif
+nd6_rtrequest(
+       int     req,
+       struct rtentry *rt,
+       __unused struct sockaddr *sa)
 {
        struct sockaddr *gate = rt->rt_gateway;
 {
        struct sockaddr *gate = rt->rt_gateway;
-       struct llinfo_nd6 *ln = (struct llinfo_nd6 *)rt->rt_llinfo;
-       static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK};
+       struct llinfo_nd6 *ln = rt->rt_llinfo;
+       static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK, 0, 0, 0, 0, 0, 
+                                                                                       {0,0,0,0,0,0,0,0,0,0,0,0,} };
        struct ifnet *ifp = rt->rt_ifp;
        struct ifaddr *ifa;
        struct ifnet *ifp = rt->rt_ifp;
        struct ifaddr *ifa;
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined (__APPLE__)
-       long time_second = time.tv_sec;
-#endif
+       struct timeval timenow;
+
+       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);
+       RT_LOCK_ASSERT_HELD(rt);
+
+       if ((rt->rt_flags & RTF_GATEWAY))
+               return;
 
 
-       if (rt->rt_flags & RTF_GATEWAY)
+       if (nd6_need_cache(ifp) == 0 && (rt->rt_flags & RTF_HOST) == 0) {
+               /*
+                * This is probably an interface direct route for a link
+                * which does not need neighbor caches (e.g. fe80::%lo0/64).
+                * We do not need special treatment below for such a route.
+                * Moreover, the RTF_LLINFO flag which would be set below
+                * would annoy the ndp(8) command.
+                */
                return;
                return;
+       }
+
+       if (req == RTM_RESOLVE) {
+               int no_nd_cache;
+
+               if (!nd6_need_cache(ifp)) {     /* stf case */
+                       no_nd_cache = 1;
+               } else {
+                       /*
+                        * nd6_is_addr_neighbor() may call nd6_lookup(),
+                        * therefore we drop rt_lock to avoid deadlock
+                        * during the lookup.  Using rt_key(rt) is still
+                        * safe because it won't change while rnh_lock
+                        * is held.
+                        */
+                       RT_ADDREF_LOCKED(rt);
+                       RT_UNLOCK(rt);
+                       no_nd_cache = !nd6_is_addr_neighbor(
+                           (struct sockaddr_in6 *)rt_key(rt), ifp, 1);
+                       RT_LOCK(rt);
+                       RT_REMREF_LOCKED(rt);
+               }
+
+               /*
+                * FreeBSD and BSD/OS often make a cloned host route based
+                * on a less-specific route (e.g. the default route).
+                * If the less specific route does not have a "gateway"
+                * (this is the case when the route just goes to a p2p or an
+                * stf interface), we'll mistakenly make a neighbor cache for
+                * the host route, and will see strange neighbor solicitation
+                * for the corresponding destination.  In order to avoid the
+                * confusion, we check if the destination of the route is
+                * a neighbor in terms of neighbor discovery, and stop the
+                * process if not.  Additionally, we remove the LLINFO flag
+                * so that ndp(8) will not try to get the neighbor information
+                * of the destination.
+                */
+               if (no_nd_cache) {
+                       rt->rt_flags &= ~RTF_LLINFO;
+                       return;
+               }
+       }
 
 
+       getmicrotime(&timenow);
        switch (req) {
        case RTM_ADD:
                /*
        switch (req) {
        case RTM_ADD:
                /*
@@ -1100,28 +1538,23 @@ nd6_rtrequest(req, rt, sa)
                if (rt->rt_flags & (RTF_CLONING | RTF_LLINFO)) {
                        /*
                         * Case 1: This route should come from
                if (rt->rt_flags & (RTF_CLONING | RTF_LLINFO)) {
                        /*
                         * Case 1: This route should come from
-                        * a route to interface. RTF_LLINFO flag is set
+                        * a route to interface.  RTF_LLINFO flag is set
                         * for a host route whose destination should be
                         * treated as on-link.
                         */
                         * for a host route whose destination should be
                         * treated as on-link.
                         */
-                       rt_setgate(rt, rt_key(rt),
-                                  (struct sockaddr *)&null_sdl);
-                       gate = rt->rt_gateway;
-                       SDL(gate)->sdl_type = ifp->if_type;
-                       SDL(gate)->sdl_index = ifp->if_index;
-                       if (ln)
-                               ln->ln_expire = time_second;
-#if 1
-                       if (ln && ln->ln_expire == 0) {
-                               /* cludge for desktops */
-#if 0
-                               printf("nd6_request: time.tv_sec is zero; "
-                                      "treat it as 1\n");
-#endif
-                               ln->ln_expire = 1;
+                       if (rt_setgate(rt, rt_key(rt),
+                           (struct sockaddr *)&null_sdl) == 0) {
+                               gate = rt->rt_gateway;
+                               SDL(gate)->sdl_type = ifp->if_type;
+                               SDL(gate)->sdl_index = ifp->if_index;
+                               /*
+                                * In case we're called before 1.0 sec.
+                                * has elapsed.
+                                */
+                               if (ln != NULL)
+                                       ln->ln_expire = MAX(timenow.tv_sec, 1);
                        }
                        }
-#endif
-                       if (rt->rt_flags & RTF_CLONING)
+                       if ((rt->rt_flags & RTF_CLONING))
                                break;
                }
                /*
                                break;
                }
                /*
@@ -1134,10 +1567,10 @@ nd6_rtrequest(req, rt, sa)
                 *   (7.2.6 paragraph 4), however, it also says that we
                 *   SHOULD provide a mechanism to prevent multicast NA storm.
                 *   we don't have anything like it right now.
                 *   (7.2.6 paragraph 4), however, it also says that we
                 *   SHOULD provide a mechanism to prevent multicast NA storm.
                 *   we don't have anything like it right now.
-                *   note that the mechanism need a mutual agreement
+                *   note that the mechanism needs a mutual agreement
                 *   between proxies, which means that we need to implement
                 *   between proxies, which means that we need to implement
-                *   a new protocol, or new kludge.
-                * - from RFC2461 6.2.4, host MUST NOT send unsolicited NA.
+                *   a new protocol, or new kludge.
+                * - from RFC2461 6.2.4, host MUST NOT send an unsolicited NA.
                 *   we need to check ip6forwarding before sending it.
                 *   (or should we allow proxy ND configuration only for
                 *   routers?  there's no mention about proxy ND from hosts)
                 *   we need to check ip6forwarding before sending it.
                 *   (or should we allow proxy ND configuration only for
                 *   routers?  there's no mention about proxy ND from hosts)
@@ -1153,7 +1586,7 @@ nd6_rtrequest(req, rt, sa)
 #endif
                /* FALLTHROUGH */
        case RTM_RESOLVE:
 #endif
                /* FALLTHROUGH */
        case RTM_RESOLVE:
-               if ((ifp->if_flags & IFF_POINTOPOINT) == 0) {
+               if ((ifp->if_flags & (IFF_POINTOPOINT | IFF_LOOPBACK)) == 0) {
                        /*
                         * Address resolution isn't necessary for a point to
                         * point link, so we can skip this test for a p2p link.
                        /*
                         * Address resolution isn't necessary for a point to
                         * point link, so we can skip this test for a p2p link.
@@ -1161,7 +1594,8 @@ nd6_rtrequest(req, rt, sa)
                        if (gate->sa_family != AF_LINK ||
                            gate->sa_len < sizeof(null_sdl)) {
                                log(LOG_DEBUG,
                        if (gate->sa_family != AF_LINK ||
                            gate->sa_len < sizeof(null_sdl)) {
                                log(LOG_DEBUG,
-                                   "nd6_rtrequest: bad gateway value\n");
+                                   "nd6_rtrequest: bad gateway value: %s\n",
+                                   if_name(ifp));
                                break;
                        }
                        SDL(gate)->sdl_type = ifp->if_type;
                                break;
                        }
                        SDL(gate)->sdl_type = ifp->if_type;
@@ -1173,12 +1607,13 @@ nd6_rtrequest(req, rt, sa)
                 * Case 2: This route may come from cloning, or a manual route
                 * add with a LL address.
                 */
                 * Case 2: This route may come from cloning, or a manual route
                 * add with a LL address.
                 */
-               R_Malloc(ln, struct llinfo_nd6 *, sizeof(*ln));
-               rt->rt_llinfo = (caddr_t)ln;
-               if (!ln) {
+               rt->rt_llinfo = ln = nd6_llinfo_alloc();
+               if (ln == NULL) {
                        log(LOG_DEBUG, "nd6_rtrequest: malloc failed\n");
                        break;
                }
                        log(LOG_DEBUG, "nd6_rtrequest: malloc failed\n");
                        break;
                }
+               rt->rt_llinfo_free = nd6_llinfo_free;
+
                nd6_inuse++;
                nd6_allocated++;
                Bzero(ln, sizeof(*ln));
                nd6_inuse++;
                nd6_allocated++;
                Bzero(ln, sizeof(*ln));
@@ -1191,19 +1626,51 @@ nd6_rtrequest(req, rt, sa)
                         * which is specified by ndp command.
                         */
                        ln->ln_state = ND6_LLINFO_REACHABLE;
                         * which is specified by ndp command.
                         */
                        ln->ln_state = ND6_LLINFO_REACHABLE;
+                       ln->ln_byhint = 0;
                } else {
                        /*
                         * When req == RTM_RESOLVE, rt is created and
                         * initialized in rtrequest(), so rt_expire is 0.
                         */
                        ln->ln_state = ND6_LLINFO_NOSTATE;
                } else {
                        /*
                         * When req == RTM_RESOLVE, rt is created and
                         * initialized in rtrequest(), so rt_expire is 0.
                         */
                        ln->ln_state = ND6_LLINFO_NOSTATE;
-                       ln->ln_expire = time_second;
+                       /* In case we're called before 1.0 sec. has elapsed */
+                       ln->ln_expire = MAX(timenow.tv_sec, 1);
                }
                rt->rt_flags |= RTF_LLINFO;
                }
                rt->rt_flags |= RTF_LLINFO;
-               ln->ln_next = llinfo_nd6.ln_next;
-               llinfo_nd6.ln_next = ln;
-               ln->ln_prev = &llinfo_nd6;
-               ln->ln_next->ln_prev = ln;
+               LN_INSERTHEAD(ln);
+
+               /*
+                * If we have too many cache entries, initiate immediate
+                * purging for some "less recently used" entries.  Note that
+                * we cannot directly call nd6_free() here because it would
+                * cause re-entering rtable related routines triggering an LOR
+                * problem.
+                */
+               if (ip6_neighborgcthresh >= 0 &&
+                   nd6_inuse >= ip6_neighborgcthresh) {
+                       int i;
+
+                       for (i = 0; i < 10 && llinfo_nd6.ln_prev != ln; i++) {
+                               struct llinfo_nd6 *ln_end = llinfo_nd6.ln_prev;
+                               struct rtentry *rt_end = ln_end->ln_rt;
+
+                               /* Move this entry to the head */
+                               RT_LOCK(rt_end);
+                               LN_DEQUEUE(ln_end);
+                               LN_INSERTHEAD(ln_end);
+
+                               if (ln_end->ln_expire == 0) {
+                                       RT_UNLOCK(rt_end);
+                                       continue;
+                               }
+                               if (ln_end->ln_state > ND6_LLINFO_INCOMPLETE)
+                                       ln_end->ln_state = ND6_LLINFO_STALE;
+                               else
+                                       ln_end->ln_state = ND6_LLINFO_PURGE;
+                               ln_end->ln_expire = timenow.tv_sec;
+                               RT_UNLOCK(rt_end);
+                       }
+               }
 
                /*
                 * check if rt_key(rt) is one of my address assigned
 
                /*
                 * check if rt_key(rt) is one of my address assigned
@@ -1215,22 +1682,21 @@ nd6_rtrequest(req, rt, sa)
                        caddr_t macp = nd6_ifptomac(ifp);
                        ln->ln_expire = 0;
                        ln->ln_state = ND6_LLINFO_REACHABLE;
                        caddr_t macp = nd6_ifptomac(ifp);
                        ln->ln_expire = 0;
                        ln->ln_state = ND6_LLINFO_REACHABLE;
+                       ln->ln_byhint = 0;
                        if (macp) {
                                Bcopy(macp, LLADDR(SDL(gate)), ifp->if_addrlen);
                                SDL(gate)->sdl_alen = ifp->if_addrlen;
                        }
                        if (nd6_useloopback) {
                        if (macp) {
                                Bcopy(macp, LLADDR(SDL(gate)), ifp->if_addrlen);
                                SDL(gate)->sdl_alen = ifp->if_addrlen;
                        }
                        if (nd6_useloopback) {
-#ifdef __bsdi__
-#if _BSDI_VERSION >= 199802
-                               extern struct ifnet *loifp;
-                               rt->rt_ifp = loifp;     /*XXX*/
-#else
-                               extern struct ifnet loif;
-                               rt->rt_ifp = &loif;     /*XXX*/
-#endif
-#else /* non-bsdi */
-                               rt->rt_ifp = &loif[0];  /*XXX*/
-#endif
+#if IFNET_ROUTE_REFCNT
+                               /* Adjust route ref count for the interfaces */
+                               if (rt->rt_if_ref_fn != NULL &&
+                                   rt->rt_ifp != lo_ifp) {
+                                       rt->rt_if_ref_fn(lo_ifp, 1);
+                                       rt->rt_if_ref_fn(rt->rt_ifp, -1);
+                               }
+#endif /* IFNET_ROUTE_REFCNT */
+                               rt->rt_ifp = lo_ifp;    /* XXX */
                                /*
                                 * Make sure rt_ifa be equal to the ifaddr
                                 * corresponding to the address.
                                /*
                                 * Make sure rt_ifa be equal to the ifaddr
                                 * corresponding to the address.
@@ -1240,14 +1706,14 @@ nd6_rtrequest(req, rt, sa)
                                 * of the loopback address.
                                 */
                                if (ifa != rt->rt_ifa) {
                                 * of the loopback address.
                                 */
                                if (ifa != rt->rt_ifa) {
-                                       rt->rt_ifa->ifa_refcnt--;
-                                       ifa->ifa_refcnt++;
-                                       rt->rt_ifa = ifa;
+                                       rtsetifa(rt, ifa);
                                }
                        }
                                }
                        }
+                       ifafree(ifa);
                } else if (rt->rt_flags & RTF_ANNOUNCE) {
                        ln->ln_expire = 0;
                        ln->ln_state = ND6_LLINFO_REACHABLE;
                } else if (rt->rt_flags & RTF_ANNOUNCE) {
                        ln->ln_expire = 0;
                        ln->ln_state = ND6_LLINFO_REACHABLE;
+                       ln->ln_byhint = 0;
 
                        /* join solicited node multicast for proxy ND */
                        if (ifp->if_flags & IFF_MULTICAST) {
 
                        /* join solicited node multicast for proxy ND */
                        if (ifp->if_flags & IFF_MULTICAST) {
@@ -1261,10 +1727,11 @@ nd6_rtrequest(req, rt, sa)
                                llsol.s6_addr32[2] = htonl(1);
                                llsol.s6_addr8[12] = 0xff;
 
                                llsol.s6_addr32[2] = htonl(1);
                                llsol.s6_addr8[12] = 0xff;
 
-                               (void)in6_addmulti(&llsol, ifp, &error);
-                               if (error)
-                                       printf(
-"nd6_rtrequest: could not join solicited node multicast (errno=%d)\n", error);
+                               if (!in6_addmulti(&llsol, ifp, &error, 0)) {
+                                       nd6log((LOG_ERR, "%s: failed to join "
+                                           "%s (errno=%d)\n", if_name(ifp),
+                                           ip6_sprintf(&llsol), error));
+                               }
                        }
                }
                break;
                        }
                }
                break;
@@ -1285,226 +1752,288 @@ nd6_rtrequest(req, rt, sa)
                        llsol.s6_addr32[2] = htonl(1);
                        llsol.s6_addr8[12] = 0xff;
 
                        llsol.s6_addr32[2] = htonl(1);
                        llsol.s6_addr8[12] = 0xff;
 
+                       ifnet_lock_shared(ifp);
                        IN6_LOOKUP_MULTI(llsol, ifp, in6m);
                        IN6_LOOKUP_MULTI(llsol, ifp, in6m);
+                       ifnet_lock_done(ifp);
                        if (in6m)
                        if (in6m)
-                               in6_delmulti(in6m);
+                               in6_delmulti(in6m, 0);
                }
                nd6_inuse--;
                }
                nd6_inuse--;
-               ln->ln_next->ln_prev = ln->ln_prev;
-               ln->ln_prev->ln_next = ln->ln_next;
-               ln->ln_prev = NULL;
-               rt->rt_llinfo = 0;
+               /*
+                * Unchain it but defer the actual freeing until the route
+                * itself is to be freed.  rt->rt_llinfo still points to
+                * llinfo_nd6, and likewise, ln->ln_rt stil points to this
+                * route entry, except that RTF_LLINFO is now cleared.
+                */
+               if (ln->ln_flags & ND6_LNF_IN_USE)
+                       LN_DEQUEUE(ln);
                rt->rt_flags &= ~RTF_LLINFO;
                rt->rt_flags &= ~RTF_LLINFO;
-               if (ln->ln_hold)
+               if (ln->ln_hold != NULL)
                        m_freem(ln->ln_hold);
                        m_freem(ln->ln_hold);
-               Free((caddr_t)ln);
+               ln->ln_hold = NULL;
        }
 }
 
        }
 }
 
-void
-#if defined(__bsdi__) && _BSDI_VERSION >= 199802
-nd6_p2p_rtrequest(req, rt, info)
-       int     req;
-       struct rtentry *rt;
-       struct rt_addrinfo *info; /* xxx unused */
-#else
-nd6_p2p_rtrequest(req, rt, sa)
-       int     req;
-       struct rtentry *rt;
-       struct sockaddr *sa; /* xxx unused */
-#endif
+static void
+nd6_siocgdrlst(void *data, int data_is_64)
 {
 {
-       struct sockaddr *gate = rt->rt_gateway;
-       static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK};
-       struct ifnet *ifp = rt->rt_ifp;
-       struct ifaddr *ifa;
-
-       if (rt->rt_flags & RTF_GATEWAY)
-               return;
-
-       switch (req) {
-       case RTM_ADD:
-               /*
-                * There is no backward compatibility :)
-                *
-                * if ((rt->rt_flags & RTF_HOST) == 0 &&
-                *     SIN(rt_mask(rt))->sin_addr.s_addr != 0xffffffff)
-                *         rt->rt_flags |= RTF_CLONING;
-                */
-               if (rt->rt_flags & RTF_CLONING) {
-                       /*
-                        * Case 1: This route should come from
-                        * a route to interface.
-                        */
-                       rt_setgate(rt, rt_key(rt),
-                                  (struct sockaddr *)&null_sdl);
-                       gate = rt->rt_gateway;
-                       SDL(gate)->sdl_type = ifp->if_type;
-                       SDL(gate)->sdl_index = ifp->if_index;
-                       break;
-               }
-               /* Announce a new entry if requested. */
-               if (rt->rt_flags & RTF_ANNOUNCE)
-                       nd6_na_output(ifp,
-                                     &SIN6(rt_key(rt))->sin6_addr,
-                                     &SIN6(rt_key(rt))->sin6_addr,
-                                     ip6_forwarding ? ND_NA_FLAG_ROUTER : 0,
-                                     1, NULL);
-               /* FALLTHROUGH */
-       case RTM_RESOLVE:
-               /*
-                * check if rt_key(rt) is one of my address assigned
-                * to the interface.
-                */
-               ifa = (struct ifaddr *)in6ifa_ifpwithaddr(rt->rt_ifp,
-                                         &SIN6(rt_key(rt))->sin6_addr);
-               if (ifa) {
-                       if (nd6_useloopback) {
-#ifdef __bsdi__
-#if _BSDI_VERSION >= 199802
-                               extern struct ifnet *loifp;
-                               rt->rt_ifp = loifp;     /*XXX*/
-#else
-                               extern struct ifnet loif;
-                               rt->rt_ifp = &loif;     /*XXX*/
-#endif
-#else
-                               rt->rt_ifp = &loif[0];  /*XXX*/
-#endif /*__bsdi__*/
-                       }
-               }
-               break;
-       }
-}
+       struct in6_drlist_64 *drl_64 = (struct in6_drlist_64 *)data;
+       struct in6_drlist_32 *drl_32 = (struct in6_drlist_32 *)data;
+       struct nd_defrouter *dr;
+       int i = 0;
 
 
-int
-nd6_ioctl(cmd, data, ifp)
-       u_long cmd;
-       caddr_t data;
-       struct ifnet *ifp;
-{
-       struct in6_drlist *drl = (struct in6_drlist *)data;
-       struct in6_prlist *prl = (struct in6_prlist *)data;
-       struct in6_ndireq *ndi = (struct in6_ndireq *)data;
-       struct in6_nbrinfo *nbi = (struct in6_nbrinfo *)data;
-       struct in6_ndifreq *ndif = (struct in6_ndifreq *)data;
-       struct nd_defrouter *dr, any;
-       struct nd_prefix *pr;
-       struct rtentry *rt;
-       int i = 0, error = 0;
-       int s;
+       lck_mtx_assert(nd6_mutex, LCK_MTX_ASSERT_OWNED);
 
 
-       switch (cmd) {
-       case SIOCGDRLST_IN6:
-               bzero(drl, sizeof(*drl));
-#ifdef __NetBSD__
-               s = splsoftnet();
-#else
-               s = splnet();
-#endif
-               dr = TAILQ_FIRST(&nd_defrouter);
+       bzero(data, data_is_64 ? sizeof (*drl_64) : sizeof (*drl_32));
+       dr = TAILQ_FIRST(&nd_defrouter);
+       if (data_is_64) {
+               /* For 64-bit process */
                while (dr && i < DRLSTSIZ) {
                while (dr && i < DRLSTSIZ) {
-                       drl->defrouter[i].rtaddr = dr->rtaddr;
-                       if (IN6_IS_ADDR_LINKLOCAL(&drl->defrouter[i].rtaddr)) {
+                       drl_64->defrouter[i].rtaddr = dr->rtaddr;
+                       if (IN6_IS_ADDR_LINKLOCAL(&drl_64->defrouter[i].rtaddr)) {
                                /* XXX: need to this hack for KAME stack */
                                /* XXX: need to this hack for KAME stack */
-                               drl->defrouter[i].rtaddr.s6_addr16[1] = 0;
-                       }
-                       else
+                               drl_64->defrouter[i].rtaddr.s6_addr16[1] = 0;
+                       } else {
                                log(LOG_ERR,
                                    "default router list contains a "
                                    "non-linklocal address(%s)\n",
                                log(LOG_ERR,
                                    "default router list contains a "
                                    "non-linklocal address(%s)\n",
-                                   ip6_sprintf(&drl->defrouter[i].rtaddr));
-
-                       drl->defrouter[i].flags = dr->flags;
-                       drl->defrouter[i].rtlifetime = dr->rtlifetime;
-                       drl->defrouter[i].expire = dr->expire;
-                       drl->defrouter[i].if_index = dr->ifp->if_index;
+                                   ip6_sprintf(&drl_64->defrouter[i].rtaddr));
+                       }
+                       drl_64->defrouter[i].flags = dr->flags;
+                       drl_64->defrouter[i].rtlifetime = dr->rtlifetime;
+                       drl_64->defrouter[i].expire = dr->expire;
+                       drl_64->defrouter[i].if_index = dr->ifp->if_index;
                        i++;
                        dr = TAILQ_NEXT(dr, dr_entry);
                }
                        i++;
                        dr = TAILQ_NEXT(dr, dr_entry);
                }
-               splx(s);
-               break;
-       case SIOCGPRLST_IN6:
-               /*
-                * XXX meaning of fields, especialy "raflags", is very
-                * differnet between RA prefix list and RR/static prefix list.
-                * how about separating ioctls into two?
-                */
-               bzero(prl, sizeof(*prl));
-#ifdef __NetBSD__
-               s = splsoftnet();
-#else
-               s = splnet();
-#endif
-               pr = nd_prefix.lh_first;
+               return;
+       }
+       /* For 32-bit process */
+       while (dr && i < DRLSTSIZ) {
+               drl_32->defrouter[i].rtaddr = dr->rtaddr;
+               if (IN6_IS_ADDR_LINKLOCAL(&drl_32->defrouter[i].rtaddr)) {
+                       /* XXX: need to this hack for KAME stack */
+                       drl_32->defrouter[i].rtaddr.s6_addr16[1] = 0;
+               } else {
+                       log(LOG_ERR,
+                           "default router list contains a "
+                           "non-linklocal address(%s)\n",
+                           ip6_sprintf(&drl_32->defrouter[i].rtaddr));
+               }
+               drl_32->defrouter[i].flags = dr->flags;
+               drl_32->defrouter[i].rtlifetime = dr->rtlifetime;
+               drl_32->defrouter[i].expire = dr->expire;
+               drl_32->defrouter[i].if_index = dr->ifp->if_index;
+               i++;
+               dr = TAILQ_NEXT(dr, dr_entry);
+       }
+}
+
+static void
+nd6_siocgprlst(void *data, int data_is_64)
+{
+       struct in6_prlist_64 *prl_64 = (struct in6_prlist_64 *)data;
+       struct in6_prlist_32 *prl_32 = (struct in6_prlist_32 *)data;
+       struct nd_prefix *pr;
+       struct rr_prefix *rpp;
+       int i = 0;
+
+       lck_mtx_assert(nd6_mutex, LCK_MTX_ASSERT_OWNED);
+       /*
+        * XXX meaning of fields, especialy "raflags", is very
+        * differnet between RA prefix list and RR/static prefix list.
+        * how about separating ioctls into two?
+        */
+       bzero(data, data_is_64 ? sizeof (*prl_64) : sizeof (*prl_32));
+       pr = nd_prefix.lh_first;
+       if (data_is_64) {
+               /* For 64-bit process */
                while (pr && i < PRLSTSIZ) {
                        struct nd_pfxrouter *pfr;
                        int j;
 
                while (pr && i < PRLSTSIZ) {
                        struct nd_pfxrouter *pfr;
                        int j;
 
-                       prl->prefix[i].prefix = pr->ndpr_prefix.sin6_addr;
-                       prl->prefix[i].raflags = pr->ndpr_raf;
-                       prl->prefix[i].prefixlen = pr->ndpr_plen;
-                       prl->prefix[i].vltime = pr->ndpr_vltime;
-                       prl->prefix[i].pltime = pr->ndpr_pltime;
-                       prl->prefix[i].if_index = pr->ndpr_ifp->if_index;
-                       prl->prefix[i].expire = pr->ndpr_expire;
+                       (void) in6_embedscope(&prl_64->prefix[i].prefix,
+                           &pr->ndpr_prefix, NULL, NULL);
+                       prl_64->prefix[i].raflags = pr->ndpr_raf;
+                       prl_64->prefix[i].prefixlen = pr->ndpr_plen;
+                       prl_64->prefix[i].vltime = pr->ndpr_vltime;
+                       prl_64->prefix[i].pltime = pr->ndpr_pltime;
+                       prl_64->prefix[i].if_index = pr->ndpr_ifp->if_index;
+                       prl_64->prefix[i].expire = pr->ndpr_expire;
 
                        pfr = pr->ndpr_advrtrs.lh_first;
                        j = 0;
 
                        pfr = pr->ndpr_advrtrs.lh_first;
                        j = 0;
-                       while(pfr) {
+                       while (pfr) {
                                if (j < DRLSTSIZ) {
                                if (j < DRLSTSIZ) {
-#define RTRADDR prl->prefix[i].advrtr[j]
+#define RTRADDR prl_64->prefix[i].advrtr[j]
                                        RTRADDR = pfr->router->rtaddr;
                                        if (IN6_IS_ADDR_LINKLOCAL(&RTRADDR)) {
                                                /* XXX: hack for KAME */
                                                RTRADDR.s6_addr16[1] = 0;
                                        RTRADDR = pfr->router->rtaddr;
                                        if (IN6_IS_ADDR_LINKLOCAL(&RTRADDR)) {
                                                /* XXX: hack for KAME */
                                                RTRADDR.s6_addr16[1] = 0;
-                                       }
-                                       else
+                                       } else {
                                                log(LOG_ERR,
                                                    "a router(%s) advertises "
                                                    "a prefix with "
                                                    "non-link local address\n",
                                                    ip6_sprintf(&RTRADDR));
                                                log(LOG_ERR,
                                                    "a router(%s) advertises "
                                                    "a prefix with "
                                                    "non-link local address\n",
                                                    ip6_sprintf(&RTRADDR));
+                                       }
 #undef RTRADDR
                                }
                                j++;
                                pfr = pfr->pfr_next;
                        }
 #undef RTRADDR
                                }
                                j++;
                                pfr = pfr->pfr_next;
                        }
-                       prl->prefix[i].advrtrs = j;
-                       prl->prefix[i].origin = PR_ORIG_RA;
+                       prl_64->prefix[i].advrtrs = j;
+                       prl_64->prefix[i].origin = PR_ORIG_RA;
 
                        i++;
                        pr = pr->ndpr_next;
                }
 
                        i++;
                        pr = pr->ndpr_next;
                }
-             {
-               struct rr_prefix *rpp;
 
                for (rpp = LIST_FIRST(&rr_prefix); rpp;
                     rpp = LIST_NEXT(rpp, rp_entry)) {
                        if (i >= PRLSTSIZ)
                                break;
 
                for (rpp = LIST_FIRST(&rr_prefix); rpp;
                     rpp = LIST_NEXT(rpp, rp_entry)) {
                        if (i >= PRLSTSIZ)
                                break;
-                       prl->prefix[i].prefix = rpp->rp_prefix.sin6_addr;
-                       prl->prefix[i].raflags = rpp->rp_raf;
-                       prl->prefix[i].prefixlen = rpp->rp_plen;
-                       prl->prefix[i].vltime = rpp->rp_vltime;
-                       prl->prefix[i].pltime = rpp->rp_pltime;
-                       prl->prefix[i].if_index = rpp->rp_ifp->if_index;
-                       prl->prefix[i].expire = rpp->rp_expire;
-                       prl->prefix[i].advrtrs = 0;
-                       prl->prefix[i].origin = rpp->rp_origin;
+                       (void) in6_embedscope(&prl_64->prefix[i].prefix,
+                           &pr->ndpr_prefix, NULL, NULL);
+                       prl_64->prefix[i].raflags = rpp->rp_raf;
+                       prl_64->prefix[i].prefixlen = rpp->rp_plen;
+                       prl_64->prefix[i].vltime = rpp->rp_vltime;
+                       prl_64->prefix[i].pltime = rpp->rp_pltime;
+                       prl_64->prefix[i].if_index = rpp->rp_ifp->if_index;
+                       prl_64->prefix[i].expire = rpp->rp_expire;
+                       prl_64->prefix[i].advrtrs = 0;
+                       prl_64->prefix[i].origin = rpp->rp_origin;
                        i++;
                }
                        i++;
                }
-             }
-               splx(s);
+               return;
+       }
+       /* For 32-bit process */
+       while (pr && i < PRLSTSIZ) {
+               struct nd_pfxrouter *pfr;
+               int j;
+
+               (void) in6_embedscope(&prl_32->prefix[i].prefix,
+                   &pr->ndpr_prefix, NULL, NULL);
+               prl_32->prefix[i].raflags = pr->ndpr_raf;
+               prl_32->prefix[i].prefixlen = pr->ndpr_plen;
+               prl_32->prefix[i].vltime = pr->ndpr_vltime;
+               prl_32->prefix[i].pltime = pr->ndpr_pltime;
+               prl_32->prefix[i].if_index = pr->ndpr_ifp->if_index;
+               prl_32->prefix[i].expire = pr->ndpr_expire;
+
+               pfr = pr->ndpr_advrtrs.lh_first;
+               j = 0;
+               while (pfr) {
+                       if (j < DRLSTSIZ) {
+#define RTRADDR prl_32->prefix[i].advrtr[j]
+                               RTRADDR = pfr->router->rtaddr;
+                               if (IN6_IS_ADDR_LINKLOCAL(&RTRADDR)) {
+                                       /* XXX: hack for KAME */
+                                       RTRADDR.s6_addr16[1] = 0;
+                               } else {
+                                       log(LOG_ERR,
+                                           "a router(%s) advertises "
+                                           "a prefix with "
+                                           "non-link local address\n",
+                                           ip6_sprintf(&RTRADDR));
+                               }
+#undef RTRADDR
+                       }
+                       j++;
+                       pfr = pfr->pfr_next;
+               }
+               prl_32->prefix[i].advrtrs = j;
+               prl_32->prefix[i].origin = PR_ORIG_RA;
+
+               i++;
+               pr = pr->ndpr_next;
+       }
+
+       for (rpp = LIST_FIRST(&rr_prefix); rpp;
+            rpp = LIST_NEXT(rpp, rp_entry)) {
+               if (i >= PRLSTSIZ)
+                       break;
+               (void) in6_embedscope(&prl_32->prefix[i].prefix,
+                   &pr->ndpr_prefix, NULL, NULL);
+               prl_32->prefix[i].raflags = rpp->rp_raf;
+               prl_32->prefix[i].prefixlen = rpp->rp_plen;
+               prl_32->prefix[i].vltime = rpp->rp_vltime;
+               prl_32->prefix[i].pltime = rpp->rp_pltime;
+               prl_32->prefix[i].if_index = rpp->rp_ifp->if_index;
+               prl_32->prefix[i].expire = rpp->rp_expire;
+               prl_32->prefix[i].advrtrs = 0;
+               prl_32->prefix[i].origin = rpp->rp_origin;
+               i++;
+       }
+}
+
+int
+nd6_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp)
+{
+       struct in6_ndireq *ndi = (struct in6_ndireq *)data;
+       struct in6_ondireq *ondi = (struct in6_ondireq *)data;
+       struct nd_defrouter *dr, any;
+       struct nd_prefix *pr;
+       struct rtentry *rt;
+       int i = ifp->if_index, error = 0;
+
+       switch (cmd) {
+       case SIOCGDRLST_IN6_32:
+       case SIOCGDRLST_IN6_64:
+               /*
+                * obsolete API, use sysctl under net.inet6.icmp6
+                */
+               lck_mtx_lock(nd6_mutex);
+               nd6_siocgdrlst(data, cmd == SIOCGDRLST_IN6_64);
+               lck_mtx_unlock(nd6_mutex);
+               break;
 
 
+       case SIOCGPRLST_IN6_32:
+       case SIOCGPRLST_IN6_64:
+               /*
+                * obsolete API, use sysctl under net.inet6.icmp6
+                */
+               lck_mtx_lock(nd6_mutex);
+               nd6_siocgprlst(data, cmd == SIOCGPRLST_IN6_64);
+               lck_mtx_unlock(nd6_mutex);
                break;
                break;
+
+       case OSIOCGIFINFO_IN6:
        case SIOCGIFINFO_IN6:
        case SIOCGIFINFO_IN6:
-               ndi->ndi = nd_ifinfo[ifp->if_index];
+               /*
+                * SIOCGIFINFO_IN6 ioctl is encoded with in6_ondireq
+                * instead of in6_ndireq, so we treat it as such.
+                */
+               lck_rw_lock_shared(nd_if_rwlock);
+               if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
+                       lck_rw_done(nd_if_rwlock);
+                       error = EINVAL;
+                       break;
+               }
+               ondi->ndi.linkmtu = IN6_LINKMTU(ifp);
+               ondi->ndi.maxmtu = nd_ifinfo[i].maxmtu;
+               ondi->ndi.basereachable = nd_ifinfo[i].basereachable;
+               ondi->ndi.reachable = nd_ifinfo[i].reachable;
+               ondi->ndi.retrans = nd_ifinfo[i].retrans;
+               ondi->ndi.flags = nd_ifinfo[i].flags;
+               ondi->ndi.recalctm = nd_ifinfo[i].recalctm;
+               ondi->ndi.chlim = nd_ifinfo[i].chlim;
+               ondi->ndi.receivedra = nd_ifinfo[i].receivedra;
+               lck_rw_done(nd_if_rwlock);
                break;
                break;
+
        case SIOCSIFINFO_FLAGS:
                /* XXX: almost all other fields of ndi->ndi is unused */
        case SIOCSIFINFO_FLAGS:
                /* XXX: almost all other fields of ndi->ndi is unused */
-               nd_ifinfo[ifp->if_index].flags = ndi->ndi.flags;
-               break;
+               lck_rw_lock_shared(nd_if_rwlock);
+               if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
+                       lck_rw_done(nd_if_rwlock);
+                       error = EINVAL;
+                       break;
+               }
+               nd_ifinfo[i].flags = ndi->ndi.flags;
+               lck_rw_done(nd_if_rwlock);
+               break;
+
        case SIOCSNDFLUSH_IN6:  /* XXX: the ioctl name is confusing... */
                /* flush default router list */
                /*
        case SIOCSNDFLUSH_IN6:  /* XXX: the ioctl name is confusing... */
                /* flush default router list */
                /*
@@ -1512,39 +2041,48 @@ nd6_ioctl(cmd, data, ifp)
                 * route equals to the top of default router list
                 */
                bzero(&any, sizeof(any));
                 * route equals to the top of default router list
                 */
                bzero(&any, sizeof(any));
-               defrouter_delreq(&any, 0);
+               lck_mtx_lock(nd6_mutex);
+               defrouter_delreq(&any, 1);
                defrouter_select();
                defrouter_select();
+               lck_mtx_unlock(nd6_mutex);
                /* xxx sumikawa: flush prefix list */
                break;
                /* xxx sumikawa: flush prefix list */
                break;
-       case SIOCSPFXFLUSH_IN6:
-           {
+
+       case SIOCSPFXFLUSH_IN6: {
                /* flush all the prefix advertised by routers */
                /* flush all the prefix advertised by routers */
-               struct nd_prefix *pr, *next;
+               struct nd_prefix *next;
+               lck_mtx_lock(nd6_mutex);
 
 
-#ifdef __NetBSD__
-               s = splsoftnet();
-#else
-               s = splnet();
-#endif
                for (pr = nd_prefix.lh_first; pr; pr = next) {
                for (pr = nd_prefix.lh_first; pr; pr = next) {
+                       struct in6_ifaddr *ia, *ia_next;
+
                        next = pr->ndpr_next;
                        next = pr->ndpr_next;
-                       if (!IN6_IS_ADDR_UNSPECIFIED(&pr->ndpr_addr))
-                               in6_ifdel(pr->ndpr_ifp, &pr->ndpr_addr);
-                       prelist_remove(pr);
+
+                       if (IN6_IS_ADDR_LINKLOCAL(&pr->ndpr_prefix.sin6_addr))
+                               continue; /* XXX */
+
+                       /* do we really have to remove addresses as well? */
+                       for (ia = in6_ifaddrs; ia; ia = ia_next) {
+                               /* ia might be removed.  keep the next ptr. */
+                               ia_next = ia->ia_next;
+
+                               if ((ia->ia6_flags & IN6_IFF_AUTOCONF) == 0)
+                                       continue;
+
+                               if (ia->ia6_ndpr == pr)
+                                       in6_purgeaddr(&ia->ia_ifa, 1);
+                       }
+                       prelist_remove(pr, 1);
                }
                }
-               splx(s);
+               lck_mtx_unlock(nd6_mutex);
                break;
                break;
-           }
-       case SIOCSRTRFLUSH_IN6:
-           {
+       }
+
+       case SIOCSRTRFLUSH_IN6: {
                /* flush all the default routers */
                /* flush all the default routers */
-               struct nd_defrouter *dr, *next;
+               struct nd_defrouter *next;
 
 
-#ifdef __NetBSD__
-               s = splsoftnet();
-#else
-               s = splnet();
-#endif
+               lck_mtx_lock(nd6_mutex);
                if ((dr = TAILQ_FIRST(&nd_defrouter)) != NULL) {
                        /*
                         * The first entry of the list may be stored in
                if ((dr = TAILQ_FIRST(&nd_defrouter)) != NULL) {
                        /*
                         * The first entry of the list may be stored in
@@ -1552,71 +2090,119 @@ nd6_ioctl(cmd, data, ifp)
                         */
                        for (dr = TAILQ_NEXT(dr, dr_entry); dr; dr = next) {
                                next = TAILQ_NEXT(dr, dr_entry);
                         */
                        for (dr = TAILQ_NEXT(dr, dr_entry); dr; dr = next) {
                                next = TAILQ_NEXT(dr, dr_entry);
-                               defrtrlist_del(dr);
+                               defrtrlist_del(dr, 1);
                        }
                        }
-                       defrtrlist_del(TAILQ_FIRST(&nd_defrouter));
+                       defrtrlist_del(TAILQ_FIRST(&nd_defrouter), 1);
                }
                }
-               splx(s);
+               lck_mtx_unlock(nd6_mutex);
                break;
                break;
-           }
-       case SIOCGNBRINFO_IN6:
-           {
+       }
+
+       case SIOCGNBRINFO_IN6_32: {
                struct llinfo_nd6 *ln;
                struct llinfo_nd6 *ln;
-               struct in6_addr nb_addr = nbi->addr; /* make local for safety */
+               struct in6_nbrinfo_32 *nbi_32 = (struct in6_nbrinfo_32 *)data;
+               /* make local for safety */
+               struct in6_addr nb_addr = nbi_32->addr;
 
                /*
                 * XXX: KAME specific hack for scoped addresses
                 *      XXXX: for other scopes than link-local?
                 */
 
                /*
                 * XXX: KAME specific hack for scoped addresses
                 *      XXXX: for other scopes than link-local?
                 */
-               if (IN6_IS_ADDR_LINKLOCAL(&nbi->addr) ||
-                   IN6_IS_ADDR_MC_LINKLOCAL(&nbi->addr)) {
+               if (IN6_IS_ADDR_LINKLOCAL(&nbi_32->addr) ||
+                   IN6_IS_ADDR_MC_LINKLOCAL(&nbi_32->addr)) {
                        u_int16_t *idp = (u_int16_t *)&nb_addr.s6_addr[2];
 
                        if (*idp == 0)
                                *idp = htons(ifp->if_index);
                }
 
                        u_int16_t *idp = (u_int16_t *)&nb_addr.s6_addr[2];
 
                        if (*idp == 0)
                                *idp = htons(ifp->if_index);
                }
 
-#ifdef __NetBSD__
-               s = splsoftnet();
-#else
-               s = splnet();
-#endif
-               if ((rt = nd6_lookup(&nb_addr, 0, ifp)) == NULL) {
+               /* Callee returns a locked route upon success */
+               if ((rt = nd6_lookup(&nb_addr, 0, ifp, 0)) == NULL) {
                        error = EINVAL;
                        error = EINVAL;
-                       splx(s);
                        break;
                }
                        break;
                }
-               ln = (struct llinfo_nd6 *)rt->rt_llinfo;
-               nbi->state = ln->ln_state;
-               nbi->asked = ln->ln_asked;
-               nbi->isrouter = ln->ln_router;
-               nbi->expire = ln->ln_expire;
-               splx(s);
-               
+               RT_LOCK_ASSERT_HELD(rt);
+               ln = rt->rt_llinfo;
+               nbi_32->state = ln->ln_state;
+               nbi_32->asked = ln->ln_asked;
+               nbi_32->isrouter = ln->ln_router;
+               nbi_32->expire = ln->ln_expire;
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
                break;
                break;
-           }
-       case SIOCGDEFIFACE_IN6: /* XXX: should be implemented as a sysctl? */
-               ndif->ifindex = nd6_defifindex;
+       }
+
+       case SIOCGNBRINFO_IN6_64: {
+               struct llinfo_nd6 *ln;
+               struct in6_nbrinfo_64 *nbi_64 = (struct in6_nbrinfo_64 *)data;
+               /* make local for safety */
+               struct in6_addr nb_addr = nbi_64->addr;
+
+               /*
+                * XXX: KAME specific hack for scoped addresses
+                *      XXXX: for other scopes than link-local?
+                */
+               if (IN6_IS_ADDR_LINKLOCAL(&nbi_64->addr) ||
+                   IN6_IS_ADDR_MC_LINKLOCAL(&nbi_64->addr)) {
+                       u_int16_t *idp = (u_int16_t *)&nb_addr.s6_addr[2];
+
+                       if (*idp == 0)
+                               *idp = htons(ifp->if_index);
+               }
+
+               /* Callee returns a locked route upon success */
+               if ((rt = nd6_lookup(&nb_addr, 0, ifp, 0)) == NULL) {
+                       error = EINVAL;
+                       break;
+               }
+               RT_LOCK_ASSERT_HELD(rt);
+               ln = rt->rt_llinfo;
+               nbi_64->state = ln->ln_state;
+               nbi_64->asked = ln->ln_asked;
+               nbi_64->isrouter = ln->ln_router;
+               nbi_64->expire = ln->ln_expire;
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
                break;
                break;
-       case SIOCSDEFIFACE_IN6: /* XXX: should be implemented as a sysctl? */
-               return(nd6_setdefaultiface(ndif->ifindex));
+       }
+
+       case SIOCGDEFIFACE_IN6_32: /* XXX: should be implemented as a sysctl? */
+       case SIOCGDEFIFACE_IN6_64: {
+               struct in6_ndifreq_64 *ndif_64 = (struct in6_ndifreq_64 *)data;
+               struct in6_ndifreq_32 *ndif_32 = (struct in6_ndifreq_32 *)data;
+
+               if (cmd == SIOCGDEFIFACE_IN6_64)
+                       ndif_64->ifindex = nd6_defifindex;
+               else
+                       ndif_32->ifindex = nd6_defifindex;
                break;
        }
                break;
        }
-       return(error);
+
+       case SIOCSDEFIFACE_IN6_32: /* XXX: should be implemented as a sysctl? */
+       case SIOCSDEFIFACE_IN6_64: {
+               struct in6_ndifreq_64 *ndif_64 = (struct in6_ndifreq_64 *)data;
+               struct in6_ndifreq_32 *ndif_32 = (struct in6_ndifreq_32 *)data;
+
+               return (nd6_setdefaultiface(cmd == SIOCSDEFIFACE_IN6_64 ?
+                   ndif_64->ifindex : ndif_32->ifindex));
+               /* NOTREACHED */
+       }
+       }
+       return (error);
 }
 
 /*
  * Create neighbor cache entry and cache link-layer address,
  * on reception of inbound ND6 packets. (RS/RA/NS/redirect)
  */
 }
 
 /*
  * Create neighbor cache entry and cache link-layer address,
  * on reception of inbound ND6 packets. (RS/RA/NS/redirect)
  */
-struct rtentry *
-nd6_cache_lladdr(ifp, from, lladdr, lladdrlen, type, code)
-       struct ifnet *ifp;
-       struct in6_addr *from;
-       char *lladdr;
-       int lladdrlen;
-       int type;       /* ICMP6 type */
-       int code;       /* type dependent information */
+void
+nd6_cache_lladdr(
+       struct ifnet *ifp,
+       struct in6_addr *from,
+       char *lladdr,
+       __unused int lladdrlen,
+       int type,       /* ICMP6 type */
+       int code)       /* type dependent information */
 {
        struct rtentry *rt = NULL;
        struct llinfo_nd6 *ln = NULL;
 {
        struct rtentry *rt = NULL;
        struct llinfo_nd6 *ln = NULL;
@@ -1626,9 +2212,7 @@ nd6_cache_lladdr(ifp, from, lladdr, lladdrlen, type, code)
        int olladdr;
        int llchange;
        int newstate = 0;
        int olladdr;
        int llchange;
        int newstate = 0;
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined (__APPLE__)
-       long time_second = time.tv_sec;
-#endif
+       struct timeval timenow;
 
        if (!ifp)
                panic("ifp == NULL in nd6_cache_lladdr");
 
        if (!ifp)
                panic("ifp == NULL in nd6_cache_lladdr");
@@ -1637,7 +2221,7 @@ nd6_cache_lladdr(ifp, from, lladdr, lladdrlen, type, code)
 
        /* nothing must be updated for unspecified address */
        if (IN6_IS_ADDR_UNSPECIFIED(from))
 
        /* nothing must be updated for unspecified address */
        if (IN6_IS_ADDR_UNSPECIFIED(from))
-               return NULL;
+               return;
 
        /*
         * Validation about ifp->if_addrlen and lladdrlen must be done in
 
        /*
         * Validation about ifp->if_addrlen and lladdrlen must be done in
@@ -1648,28 +2232,39 @@ nd6_cache_lladdr(ifp, from, lladdr, lladdrlen, type, code)
         * Spec says nothing in sections for RA, RS and NA.  There's small
         * description on it in NS section (RFC 2461 7.2.3).
         */
         * Spec says nothing in sections for RA, RS and NA.  There's small
         * description on it in NS section (RFC 2461 7.2.3).
         */
+       getmicrotime(&timenow);
 
 
-       rt = nd6_lookup(from, 0, ifp);
-       if (!rt) {
+       rt = nd6_lookup(from, 0, ifp, 0);
+       if (rt == NULL) {
 #if 0
                /* nothing must be done if there's no lladdr */
                if (!lladdr || !lladdrlen)
 #if 0
                /* nothing must be done if there's no lladdr */
                if (!lladdr || !lladdrlen)
-                       return NULL;
+                       return;
 #endif
 
 #endif
 
-               rt = nd6_lookup(from, 1, ifp);
+               if ((rt = nd6_lookup(from, 1, ifp, 0)) == NULL)
+                       return;
+               RT_LOCK_ASSERT_HELD(rt);
                is_newentry = 1;
                is_newentry = 1;
-       } else
+       } else {
+               RT_LOCK_ASSERT_HELD(rt);
+               /* do nothing if static ndp is set */
+               if (rt->rt_flags & RTF_STATIC) {
+                       RT_REMREF_LOCKED(rt);
+                       RT_UNLOCK(rt);
+                       return;
+               }
                is_newentry = 0;
                is_newentry = 0;
+       }
 
 
-       if (!rt)
-               return NULL;
        if ((rt->rt_flags & (RTF_GATEWAY | RTF_LLINFO)) != RTF_LLINFO) {
 fail:
        if ((rt->rt_flags & (RTF_GATEWAY | RTF_LLINFO)) != RTF_LLINFO) {
 fail:
+               RT_UNLOCK(rt);
                nd6_free(rt);
                nd6_free(rt);
-               return NULL;
+               rtfree(rt);
+               return;
        }
        }
-       ln = (struct llinfo_nd6 *)rt->rt_llinfo;
+       ln = rt->rt_llinfo;
        if (!ln)
                goto fail;
        if (!rt->rt_gateway)
        if (!ln)
                goto fail;
        if (!rt->rt_gateway)
@@ -1698,7 +2293,7 @@ fail:
         *      1       --      y       --      (7) * STALE
         */
 
         *      1       --      y       --      (7) * STALE
         */
 
-       if (lladdr) {           /*(3-5) and (7)*/
+       if (lladdr) {           /* (3-5) and (7) */
                /*
                 * Record source link-layer address
                 * XXX is it dependent to ifp->if_type?
                /*
                 * Record source link-layer address
                 * XXX is it dependent to ifp->if_type?
@@ -1708,17 +2303,17 @@ fail:
        }
 
        if (!is_newentry) {
        }
 
        if (!is_newentry) {
-               if ((!olladdr && lladdr)                /*(3)*/
-                || (olladdr && lladdr && llchange)) {  /*(5)*/
+               if ((!olladdr && lladdr)                /* (3) */
+                || (olladdr && lladdr && llchange)) {  /* (5) */
                        do_update = 1;
                        newstate = ND6_LLINFO_STALE;
                        do_update = 1;
                        newstate = ND6_LLINFO_STALE;
-               } else                                  /*(1-2,4)*/
+               } else                                  /* (1-2,4) */
                        do_update = 0;
        } else {
                do_update = 1;
                        do_update = 0;
        } else {
                do_update = 1;
-               if (!lladdr)                            /*(6)*/
+               if (!lladdr)                            /* (6) */
                        newstate = ND6_LLINFO_NOSTATE;
                        newstate = ND6_LLINFO_NOSTATE;
-               else                                    /*(7)*/
+               else                                    /* (7) */
                        newstate = ND6_LLINFO_STALE;
        }
 
                        newstate = ND6_LLINFO_STALE;
        }
 
@@ -1729,21 +2324,30 @@ fail:
                ln->ln_state = newstate;
 
                if (ln->ln_state == ND6_LLINFO_STALE) {
                ln->ln_state = newstate;
 
                if (ln->ln_state == ND6_LLINFO_STALE) {
-                       rt->rt_flags &= ~RTF_REJECT;
-                       if (ln->ln_hold) {
-#if OLDIP6OUTPUT
-                               (*ifp->if_output)(ifp, ln->ln_hold,
-                                                 rt_key(rt), rt);
-#else
-                               nd6_output(ifp, ln->ln_hold,
-                                          (struct sockaddr_in6 *)rt_key(rt),
-                                          rt);
-#endif
-                               ln->ln_hold = 0;
+                       struct mbuf *m = ln->ln_hold;
+                       /*
+                        * XXX: since nd6_output() below will cause
+                        * state tansition to DELAY and reset the timer,
+                        * we must set the timer now, although it is actually
+                        * meaningless.
+                        */
+                       ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
+                           nd6_gctimer);
+                       ln->ln_hold = NULL;
+
+                       if (m != NULL) {
+                               /*
+                                * we assume ifp is not a p2p here, so just
+                                * set the 2nd argument as the 1st one.
+                                */
+                               RT_UNLOCK(rt);
+                               nd6_output(ifp, ifp, m,
+                                   (struct sockaddr_in6 *)rt_key(rt), rt, 0);
+                               RT_LOCK(rt);
                        }
                } else if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
                        /* probe right away */
                        }
                } else if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
                        /* probe right away */
-                       ln->ln_expire = time_second;
+                       ln->ln_expire = timenow.tv_sec;
                }
        }
 
                }
        }
 
@@ -1781,7 +2385,7 @@ fail:
                /*
                 * New entry must have is_router flag cleared.
                 */
                /*
                 * New entry must have is_router flag cleared.
                 */
-               if (is_newentry)        /*(6-7)*/
+               if (is_newentry)        /* (6-7) */
                        ln->ln_router = 0;
                break;
        case ND_REDIRECT:
                        ln->ln_router = 0;
                break;
        case ND_REDIRECT:
@@ -1789,11 +2393,10 @@ fail:
                 * If the icmp is a redirect to a better router, always set the
                 * is_router flag. Otherwise, if the entry is newly created,
                 * clear the flag. [RFC 2461, sec 8.3]
                 * If the icmp is a redirect to a better router, always set the
                 * is_router flag. Otherwise, if the entry is newly created,
                 * clear the flag. [RFC 2461, sec 8.3]
-                *
                 */
                if (code == ND_REDIRECT_ROUTER)
                        ln->ln_router = 1;
                 */
                if (code == ND_REDIRECT_ROUTER)
                        ln->ln_router = 1;
-               else if (is_newentry) /*(6-7)*/
+               else if (is_newentry) /* (6-7) */
                        ln->ln_router = 0;
                break;
        case ND_ROUTER_SOLICIT:
                        ln->ln_router = 0;
                break;
        case ND_ROUTER_SOLICIT:
@@ -1806,46 +2409,52 @@ fail:
                /*
                 * Mark an entry with lladdr as a router.
                 */
                /*
                 * Mark an entry with lladdr as a router.
                 */
-               if ((!is_newentry && (olladdr || lladdr))       /*(2-5)*/
-                || (is_newentry && lladdr)) {                  /*(7)*/
+               if ((!is_newentry && (olladdr || lladdr))       /* (2-5) */
+                || (is_newentry && lladdr)) {                  /* (7) */
                        ln->ln_router = 1;
                }
                break;
        }
 
                        ln->ln_router = 1;
                }
                break;
        }
 
-       return rt;
-}
-
-static void
-nd6_slowtimo_funneled(ignored_arg)
-       void    *ignored_arg;
-{
-#ifdef __APPLE__
-        boolean_t   funnel_state;
-       funnel_state = thread_funnel_set(network_flock, TRUE);
-#endif
-       nd6_slowtimo(ignored_arg);
-#ifdef __APPLE__
-        (void) thread_funnel_set(network_flock, FALSE);
-#endif
+       /*
+        * When the link-layer address of a router changes, select the
+        * best router again.  In particular, when the neighbor entry is newly
+        * created, it might affect the selection policy.
+        * Question: can we restrict the first condition to the "is_newentry"
+        * case?
+        * XXX: when we hear an RA from a new router with the link-layer
+        * address option, defrouter_select() is called twice, since
+        * defrtrlist_update called the function as well.  However, I believe
+        * we can compromise the overhead, since it only happens the first
+        * time.
+        * XXX: although defrouter_select() should not have a bad effect
+        * for those are not autoconfigured hosts, we explicitly avoid such
+        * cases for safety.
+        */
+       if (do_update && ln->ln_router && !ip6_forwarding &&
+           (ip6_accept_rtadv || (ifp->if_eflags & IFEF_ACCEPT_RTADVD))) {
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
+               lck_mtx_lock(nd6_mutex);
+               defrouter_select();
+               lck_mtx_unlock(nd6_mutex);
+       } else {
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
+       }
 }
 
 static void
 }
 
 static void
-nd6_slowtimo(ignored_arg)
-    void *ignored_arg;
+nd6_slowtimo(
+    __unused void *ignored_arg)
 {
 {
-       int s;
-       register int i;
-       register struct nd_ifinfo *nd6if;
-
-#ifdef __NetBSD__
-       s = splsoftnet();
-#else
-       s = splnet();
-#endif
+       int i;
+       struct nd_ifinfo *nd6if;
 
 
-       timeout(nd6_slowtimo_funneled, (caddr_t)0, ND6_SLOWTIMER_INTERVAL * hz);
+       lck_rw_lock_shared(nd_if_rwlock);
        for (i = 1; i < if_index + 1; i++) {
        for (i = 1; i < if_index + 1; i++) {
+               if (!nd_ifinfo || i >= nd_ifinfo_indexlim)
+                       break;
                nd6if = &nd_ifinfo[i];
                if (nd6if->basereachable && /* already initialized */
                    (nd6if->recalctm -= ND6_SLOWTIMER_INTERVAL) <= 0) {
                nd6if = &nd_ifinfo[i];
                if (nd6if->basereachable && /* already initialized */
                    (nd6if->recalctm -= ND6_SLOWTIMER_INTERVAL) <= 0) {
@@ -1859,96 +2468,207 @@ nd6_slowtimo(ignored_arg)
                        nd6if->reachable = ND_COMPUTE_RTIME(nd6if->basereachable);
                }
        }
                        nd6if->reachable = ND_COMPUTE_RTIME(nd6if->basereachable);
                }
        }
-       splx(s);
-
+       lck_rw_done(nd_if_rwlock);
+       timeout(nd6_slowtimo, (caddr_t)0, ND6_SLOWTIMER_INTERVAL * hz);
 }
 
 #define senderr(e) { error = (e); goto bad;}
 int
 }
 
 #define senderr(e) { error = (e); goto bad;}
 int
-nd6_output(ifp, m0, dst, rt0)
-       register struct ifnet *ifp;
-       struct mbuf *m0;
-       struct sockaddr_in6 *dst;
-       struct rtentry *rt0;
+nd6_output(struct ifnet *ifp, struct ifnet *origifp, struct mbuf *m0,
+    struct sockaddr_in6 *dst, struct rtentry *hint0, int locked)
 {
 {
-       register struct mbuf *m = m0;
-       register struct rtentry *rt = rt0;
+       struct mbuf *m = m0;
+       struct rtentry *rt = hint0, *hint = hint0;
        struct llinfo_nd6 *ln = NULL;
        int error = 0;
        struct llinfo_nd6 *ln = NULL;
        int error = 0;
-#if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined (__APPLE__)
-       long time_second = time.tv_sec;
-#endif
-
-       if (IN6_IS_ADDR_MULTICAST(&dst->sin6_addr))
-               goto sendpkt;
+       struct timeval timenow;
+       struct rtentry *rtrele = NULL;
 
 
-       /*
-        * XXX: we currently do not make neighbor cache on any interface
-        * other than ARCnet, Ethernet, FDDI and GIF.
-        *
-        * draft-ietf-ngtrans-mech-04.txt says:
-        * - unidirectional tunnels needs no ND
-        */
-       switch (ifp->if_type) {
-       case IFT_ARCNET:
-       case IFT_ETHER:
-       case IFT_FDDI:
-       case IFT_GIF:           /* XXX need more cases? */
-               break;
-       default:
-               goto sendpkt;
+       if (rt != NULL) {
+               RT_LOCK_SPIN(rt);
+               RT_ADDREF_LOCKED(rt);
        }
 
        }
 
-       if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
-           (nd_ifinfo[ifp->if_index].flags & ND6_IFF_PERFORMNUD) == 0)
+       if (IN6_IS_ADDR_MULTICAST(&dst->sin6_addr) || !nd6_need_cache(ifp)) {
+               if (rt != NULL)
+                       RT_UNLOCK(rt);
                goto sendpkt;
                goto sendpkt;
+       }
 
        /*
 
        /*
-        * next hop determination. This routine is derived from ether_outpout.
+        * Next hop determination.  Because we may involve the gateway route
+        * in addition to the original route, locking is rather complicated.
+        * The general concept is that regardless of whether the route points
+        * to the original route or to the gateway route, this routine takes
+        * an extra reference on such a route.  This extra reference will be
+        * released at the end.
+        *
+        * Care must be taken to ensure that the "hint0" route never gets freed
+        * via rtfree(), since the caller may have stored it inside a struct
+        * route with a reference held for that placeholder.
+        *
+        * This logic is similar to, though not exactly the same as the one
+        * used by arp_route_to_gateway_route().
         */
         */
-       if (rt) {
-               if ((rt->rt_flags & RTF_UP) == 0) {
-#if __FreeBSD__ || defined (__APPLE__)
-                       if ((rt0 = rt = rtalloc1((struct sockaddr *)dst, 1, 0UL)) !=
-                               NULL)
-#else
-                       if ((rt0 = rt = rtalloc1((struct sockaddr *)dst, 1)) !=
-                               NULL)
-#endif
-                       {
-                               rt->rt_refcnt--;
-                               if (rt->rt_ifp != ifp)
-                                       return nd6_output(ifp, m0, dst, rt); /* XXX: loop care? */
-                       } else
+       if (rt != NULL) {
+               /*
+                * We have a reference to "rt" by now (or below via rtalloc1),
+                * which will either be released or freed at the end of this
+                * routine.
+                */
+               RT_LOCK_ASSERT_HELD(rt);
+               if (!(rt->rt_flags & RTF_UP)) {
+                       RT_REMREF_LOCKED(rt);
+                       RT_UNLOCK(rt);
+                       if ((hint = rt = rtalloc1((struct sockaddr *)dst,
+                           1, 0)) != NULL) {
+                               RT_LOCK_SPIN(rt);
+                               if (rt->rt_ifp != ifp) {
+                                       /* XXX: loop care? */
+                                       RT_UNLOCK(rt);
+                                       error = nd6_output(ifp, origifp, m0,
+                                           dst, rt, locked);
+                                       rtfree(rt);
+                                       return (error);
+                               }
+                       } else {
                                senderr(EHOSTUNREACH);
                                senderr(EHOSTUNREACH);
+                       }
                }
                }
+
                if (rt->rt_flags & RTF_GATEWAY) {
                if (rt->rt_flags & RTF_GATEWAY) {
-                       if (rt->rt_gwroute == 0)
+                       struct rtentry *gwrt;
+                       struct in6_ifaddr *ia6 = NULL;
+                       struct sockaddr_in6 gw6;
+
+                       gw6 = *((struct sockaddr_in6 *)rt->rt_gateway);
+                       /*
+                        * Must drop rt_lock since nd6_is_addr_neighbor()
+                        * calls nd6_lookup() and acquires rnh_lock.
+                        */
+                       RT_UNLOCK(rt);
+
+                       /*
+                        * We skip link-layer address resolution and NUD
+                        * if the gateway is not a neighbor from ND point
+                        * of view, regardless of the value of nd_ifinfo.flags.
+                        * The second condition is a bit tricky; we skip
+                        * if the gateway is our own address, which is
+                        * sometimes used to install a route to a p2p link.
+                        */
+                       if (!nd6_is_addr_neighbor(&gw6, ifp, 0) ||
+                           (ia6 = in6ifa_ifpwithaddr(ifp, &gw6.sin6_addr))) {
+                               /*
+                                * We allow this kind of tricky route only
+                                * when the outgoing interface is p2p.
+                                * XXX: we may need a more generic rule here.
+                                */
+                               if (ia6 != NULL)
+                                       ifafree(&ia6->ia_ifa);
+                               if ((ifp->if_flags & IFF_POINTOPOINT) == 0)
+                                       senderr(EHOSTUNREACH);
+                               goto sendpkt;
+                       }
+
+                       RT_LOCK_SPIN(rt);
+                       gw6 = *((struct sockaddr_in6 *)rt->rt_gateway);
+
+                       /* If hint is now down, give up */
+                       if (!(rt->rt_flags & RTF_UP)) {
+                               RT_UNLOCK(rt);
+                               senderr(EHOSTUNREACH);
+                       }
+
+                       /* If there's no gateway route, look it up */
+                       if ((gwrt = rt->rt_gwroute) == NULL) {
+                               RT_UNLOCK(rt);
                                goto lookup;
                                goto lookup;
-                       if (((rt = rt->rt_gwroute)->rt_flags & RTF_UP) == 0) {
-                               rtfree(rt); rt = rt0;
-#if __FreeBSD__ || defined (__APPLE__)
-                       lookup: rt->rt_gwroute = rtalloc1(rt->rt_gateway, 1, 0UL);
-#else
-                       lookup: rt->rt_gwroute = rtalloc1(rt->rt_gateway, 1);
-#endif
-                               if ((rt = rt->rt_gwroute) == 0)
+                       }
+                       /* Become a regular mutex */
+                       RT_CONVERT_LOCK(rt);
+
+                       /*
+                        * Take gwrt's lock while holding route's lock;
+                        * this is okay since gwrt never points back
+                        * to rt, so no lock ordering issues.
+                        */
+                       RT_LOCK_SPIN(gwrt);
+                       if (!(gwrt->rt_flags & RTF_UP)) {
+                               struct rtentry *ogwrt;
+
+                               rt->rt_gwroute = NULL;
+                               RT_UNLOCK(gwrt);
+                               RT_UNLOCK(rt);
+                               rtfree(gwrt);
+lookup:
+                               gwrt = rtalloc1((struct sockaddr *)&gw6, 1, 0);
+
+                               RT_LOCK(rt);
+                               /*
+                                * Bail out if the route is down, no route
+                                * to gateway, circular route, or if the
+                                * gateway portion of "rt" has changed.
+                                */
+                               if (!(rt->rt_flags & RTF_UP) ||
+                                   gwrt == NULL || gwrt == rt ||
+                                   !equal(SA(&gw6), rt->rt_gateway)) {
+                                       if (gwrt == rt) {
+                                               RT_REMREF_LOCKED(gwrt);
+                                               gwrt = NULL;
+                                       }
+                                       RT_UNLOCK(rt);
+                                       if (gwrt != NULL)
+                                               rtfree(gwrt);
                                        senderr(EHOSTUNREACH);
                                        senderr(EHOSTUNREACH);
-#ifdef __bsdi__
-                               /* the "G" test below also prevents rt == rt0 */
-                               if ((rt->rt_flags & RTF_GATEWAY) ||
-                                   (rt->rt_ifp != ifp)) {
-                                       rt->rt_refcnt--;
-                                       rt0->rt_gwroute = 0;
+                               }
+
+                               /* Remove any existing gwrt */
+                               ogwrt = rt->rt_gwroute;
+                               if ((rt->rt_gwroute = gwrt) != NULL)
+                                       RT_ADDREF(gwrt);
+
+                               RT_UNLOCK(rt);
+                               /* Now free the replaced gwrt */
+                               if (ogwrt != NULL)
+                                       rtfree(ogwrt);
+                               /* If still no route to gateway, bail out */
+                               if (gwrt == NULL)
+                                       senderr(EHOSTUNREACH);
+                               /* Remember to release/free "rt" at the end */
+                               rtrele = rt;
+                               rt = gwrt;
+                               RT_LOCK_SPIN(rt);
+                               /* If gwrt is now down, give up */
+                               if (!(rt->rt_flags & RTF_UP)) {
+                                       RT_UNLOCK(rt);
+                                       rtfree(rt);
+                                       rt = NULL;
+                                       /* "rtrele" == original "rt" */
                                        senderr(EHOSTUNREACH);
                                }
                                        senderr(EHOSTUNREACH);
                                }
-#endif
+                       } else {
+                               RT_ADDREF_LOCKED(gwrt);
+                               RT_UNLOCK(gwrt);
+                               RT_UNLOCK(rt);
+                               RT_LOCK_SPIN(gwrt);
+                               /* If gwrt is now down, give up */
+                               if (!(gwrt->rt_flags & RTF_UP)) {
+                                       RT_UNLOCK(gwrt);
+                                       rtfree(gwrt);
+                                       senderr(EHOSTUNREACH);
+                               }
+                               /* Remember to release/free "rt" at the end */
+                               rtrele = rt;
+                               rt = gwrt;
                        }
                }
                        }
                }
-               if (rt->rt_flags & RTF_REJECT)
-                       senderr(rt == rt0 ? EHOSTDOWN : EHOSTUNREACH);
+               /* Become a regular mutex */
+               RT_CONVERT_LOCK(rt);
        }
 
        }
 
+       if (rt != NULL)
+               RT_LOCK_ASSERT_HELD(rt);
+
        /*
         * Address resolution or Neighbor Unreachability Detection
         * for the next hop.
        /*
         * Address resolution or Neighbor Unreachability Detection
         * for the next hop.
@@ -1957,23 +2677,64 @@ nd6_output(ifp, m0, dst, rt0)
         */
 
        /* Look up the neighbor cache for the nexthop */
         */
 
        /* Look up the neighbor cache for the nexthop */
-       if (rt && (rt->rt_flags & RTF_LLINFO) != 0)
-               ln = (struct llinfo_nd6 *)rt->rt_llinfo;
-       else {
-               if ((rt = nd6_lookup(&dst->sin6_addr, 1, ifp)) != NULL)
-                       ln = (struct llinfo_nd6 *)rt->rt_llinfo;
+       if (rt && (rt->rt_flags & RTF_LLINFO) != 0) {
+               ln = rt->rt_llinfo;
+       } else {
+               /*
+                * Since nd6_is_addr_neighbor() internally calls nd6_lookup(),
+                * the condition below is not very efficient.  But we believe
+                * it is tolerable, because this should be a rare case.
+                * Must drop rt_lock since nd6_is_addr_neighbor() calls
+                * nd6_lookup() and acquires rnh_lock.
+                */
+               if (rt != NULL)
+                       RT_UNLOCK(rt);
+               if (nd6_is_addr_neighbor(dst, ifp, 0)) {
+                       /* "rtrele" may have been used, so clean up "rt" now */
+                       if (rt != NULL) {
+                               /* Don't free "hint0" */
+                               if (rt == hint0)
+                                       RT_REMREF(rt);
+                               else
+                                       rtfree(rt);
+                       }
+                       /* Callee returns a locked route upon success */
+                       rt = nd6_lookup(&dst->sin6_addr, 1, ifp, 0);
+                       if (rt != NULL) {
+                               RT_LOCK_ASSERT_HELD(rt);
+                               ln = rt->rt_llinfo;
+                       }
+               } else if (rt != NULL) {
+                       RT_LOCK(rt);
+               }
        }
        }
+
        if (!ln || !rt) {
        if (!ln || !rt) {
-               log(LOG_DEBUG, "nd6_output: can't allocate llinfo for %s "
-                   "(ln=%p, rt=%p)\n",
-                   ip6_sprintf(&dst->sin6_addr), ln, rt);
-               senderr(EIO);   /* XXX: good error? */
+               if (rt != NULL)
+                       RT_UNLOCK(rt);
+               lck_rw_lock_shared(nd_if_rwlock);
+               if ((ifp->if_flags & IFF_POINTOPOINT) == 0 &&
+                   !(nd_ifinfo[ifp->if_index].flags & ND6_IFF_PERFORMNUD)) {
+                       lck_rw_done(nd_if_rwlock);
+                       log(LOG_DEBUG,
+                           "nd6_output: can't allocate llinfo for %s "
+                           "(ln=%p, rt=%p)\n",
+                           ip6_sprintf(&dst->sin6_addr), ln, rt);
+                       senderr(EIO);   /* XXX: good error? */
+               }
+               lck_rw_done(nd_if_rwlock);
+
+               goto sendpkt;   /* send anyway */
        }
 
        }
 
+       getmicrotime(&timenow);
+
        /* We don't have to do link-layer address resolution on a p2p link. */
        if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
        /* We don't have to do link-layer address resolution on a p2p link. */
        if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
-           ln->ln_state < ND6_LLINFO_REACHABLE)
+           ln->ln_state < ND6_LLINFO_REACHABLE) {
                ln->ln_state = ND6_LLINFO_STALE;
                ln->ln_state = ND6_LLINFO_STALE;
+               ln->ln_expire = rt_expiry(rt, timenow.tv_sec, nd6_gctimer);
+       }
 
        /*
         * The first time we send a packet to a neighbor whose entry is
 
        /*
         * The first time we send a packet to a neighbor whose entry is
@@ -1985,95 +2746,558 @@ nd6_output(ifp, m0, dst, rt0)
        if (ln->ln_state == ND6_LLINFO_STALE) {
                ln->ln_asked = 0;
                ln->ln_state = ND6_LLINFO_DELAY;
        if (ln->ln_state == ND6_LLINFO_STALE) {
                ln->ln_asked = 0;
                ln->ln_state = ND6_LLINFO_DELAY;
-               ln->ln_expire = time_second + nd6_delay;
+               ln->ln_expire = rt_expiry(rt, timenow.tv_sec, nd6_delay);
        }
 
        /*
         * If the neighbor cache entry has a state other than INCOMPLETE
        }
 
        /*
         * If the neighbor cache entry has a state other than INCOMPLETE
-        * (i.e. its link-layer address is already reloved), just
+        * (i.e. its link-layer address is already resolved), just
         * send the packet.
         */
         * send the packet.
         */
-       if (ln->ln_state > ND6_LLINFO_INCOMPLETE)
+       if (ln->ln_state > ND6_LLINFO_INCOMPLETE) {
+               RT_UNLOCK(rt);
+               /*
+                * Move this entry to the head of the queue so that it is
+                * less likely for this entry to be a target of forced
+                * garbage collection (see nd6_rtrequest()).
+                */
+               lck_mtx_lock(rnh_lock);
+               RT_LOCK_SPIN(rt);
+               if (ln->ln_flags & ND6_LNF_IN_USE) {
+                       LN_DEQUEUE(ln);
+                       LN_INSERTHEAD(ln);
+               }
+               RT_UNLOCK(rt);
+               lck_mtx_unlock(rnh_lock);
                goto sendpkt;
                goto sendpkt;
+       }
 
        /*
         * There is a neighbor cache entry, but no ethernet address
 
        /*
         * There is a neighbor cache entry, but no ethernet address
-        * response yet. Replace the held mbuf (if any) with this
+        * response yet.  Replace the held mbuf (if any) with this
         * latest one.
         *
         * latest one.
         *
-        * XXX Does the code conform to rate-limiting rule?
-        * (RFC 2461 7.2.2)
+        * This code conforms to the rate-limiting rule described in Section
+        * 7.2.2 of RFC 2461, because the timer is set correctly after sending
+        * an NS below.
         */
         */
-       if (ln->ln_state == ND6_LLINFO_WAITDELETE ||
-           ln->ln_state == ND6_LLINFO_NOSTATE)
+       if (ln->ln_state == ND6_LLINFO_NOSTATE)
                ln->ln_state = ND6_LLINFO_INCOMPLETE;
        if (ln->ln_hold)
                m_freem(ln->ln_hold);
        ln->ln_hold = m;
                ln->ln_state = ND6_LLINFO_INCOMPLETE;
        if (ln->ln_hold)
                m_freem(ln->ln_hold);
        ln->ln_hold = m;
-       if (ln->ln_expire) {
-               rt->rt_flags &= ~RTF_REJECT;
-               if (ln->ln_asked < nd6_mmaxtries &&
-                   ln->ln_expire < time_second) {
-                       ln->ln_asked++;
-                       ln->ln_expire = time_second +
-                               nd_ifinfo[ifp->if_index].retrans / 1000;
-                       nd6_ns_output(ifp, NULL, &dst->sin6_addr, ln, 0);
+       if (ln->ln_expire && ln->ln_asked < nd6_mmaxtries &&
+           ln->ln_expire < timenow.tv_sec) {
+               ln->ln_asked++;
+               lck_rw_lock_shared(nd_if_rwlock);
+               ln->ln_expire = timenow.tv_sec +
+                       nd_ifinfo[ifp->if_index].retrans / 1000;
+               lck_rw_done(nd_if_rwlock);
+               RT_UNLOCK(rt);
+               /* We still have a reference on rt (for ln) */
+               nd6_ns_output(ifp, NULL, &dst->sin6_addr, ln, 0, locked);
+       } else {
+               RT_UNLOCK(rt);
+       }
+       /*
+        * Move this entry to the head of the queue so that it is
+        * less likely for this entry to be a target of forced
+        * garbage collection (see nd6_rtrequest()).
+        */
+       lck_mtx_lock(rnh_lock);
+       RT_LOCK_SPIN(rt);
+       if (ln->ln_flags & ND6_LNF_IN_USE) {
+               LN_DEQUEUE(ln);
+               LN_INSERTHEAD(ln);
+       }
+       /* Clean up "rt" now while we can */
+       if (rt == hint0) {
+               RT_REMREF_LOCKED(rt);
+               RT_UNLOCK(rt);
+       } else {
+               RT_UNLOCK(rt);
+               rtfree_locked(rt);
+       }
+       rt = NULL;      /* "rt" has been taken care of */
+       lck_mtx_unlock(rnh_lock);
+
+       error = 0;
+       goto release;
+
+sendpkt:
+       if (rt != NULL)
+               RT_LOCK_ASSERT_NOTHELD(rt);
+
+       /* Clean up HW checksum flags before sending the packet */
+       m->m_pkthdr.csum_data = 0;
+       m->m_pkthdr.csum_flags = 0;
+
+       if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
+               /* forwarding rules require the original scope_id */
+               m->m_pkthdr.rcvif = origifp;
+               if (locked)
+                       lck_mtx_unlock(ip6_mutex);
+               error = dlil_output(origifp, PF_INET6, m, (caddr_t)rt,
+                   (struct sockaddr *)dst, 0);
+               if (locked)
+                       lck_mtx_lock(ip6_mutex);
+               goto release;
+       } else {
+               /* Do not allow loopback address to wind up on a wire */
+               struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
+
+               if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
+                       IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst))) {
+                       ip6stat.ip6s_badscope++;
+                       /*
+                        * Do not simply drop the packet just like a
+                        * firewall -- we want the the application to feel
+                        * the pain.  Return ENETUNREACH like ip6_output
+                        * does in some similar cases.  This can startle
+                        * the otherwise clueless process that specifies
+                        * loopback as the source address.
+                        */
+                       error = ENETUNREACH;
+                       goto bad;
                }
        }
                }
        }
-       return(0);
-       
-  sendpkt:
-#ifdef __APPLE__
-       return (dlil_output(ifptodlt(ifp, PF_INET6), m, rt, (struct sockaddr *)dst, 0));
-#else
-       return((*ifp->if_output)(ifp, m, (struct sockaddr *)dst, rt));
-#endif
-       
-  bad:
-       if (m)
+
+       m->m_pkthdr.rcvif = NULL;
+       if (locked)
+               lck_mtx_unlock(ip6_mutex);
+       error = dlil_output(ifp, PF_INET6, m, (caddr_t)rt,
+           (struct sockaddr *)dst, 0);
+       if (locked)
+               lck_mtx_lock(ip6_mutex);
+       goto release;
+
+bad:
+       if (m != NULL)
                m_freem(m);
                m_freem(m);
+
+release:
+       /* Clean up "rt" unless it's already been done */
+       if (rt != NULL) {
+               RT_LOCK_SPIN(rt);
+               if (rt == hint0) {
+                       RT_REMREF_LOCKED(rt);
+                       RT_UNLOCK(rt);
+               } else {
+                       RT_UNLOCK(rt);
+                       rtfree(rt);
+               }
+       }
+       /* And now clean up "rtrele" if there is any */
+       if (rtrele != NULL) {
+               RT_LOCK_SPIN(rtrele);
+               if (rtrele == hint0) {
+                       RT_REMREF_LOCKED(rtrele);
+                       RT_UNLOCK(rtrele);
+               } else {
+                       RT_UNLOCK(rtrele);
+                       rtfree(rtrele);
+               }
+       }
        return (error);
        return (error);
-}      
+}
 #undef senderr
 
 int
 #undef senderr
 
 int
-nd6_storelladdr(ifp, rt, m, dst, desten)
-       struct ifnet *ifp;
-       struct rtentry *rt;
-       struct mbuf *m;
-       struct sockaddr *dst;
-       u_char *desten;
+nd6_need_cache(
+       struct ifnet *ifp)
 {
 {
+       /*
+        * XXX: we currently do not make neighbor cache on any interface
+        * other than ARCnet, Ethernet, FDDI and GIF.
+        *
+        * RFC2893 says:
+        * - unidirectional tunnels needs no ND
+        */
+       switch (ifp->if_type) {
+       case IFT_ARCNET:
+       case IFT_ETHER:
+       case IFT_FDDI:
+       case IFT_IEEE1394:
+       case IFT_L2VLAN:
+       case IFT_IEEE8023ADLAG:
+#if IFT_IEEE80211
+       case IFT_IEEE80211:
+#endif
+       case IFT_BRIDGE:
+       case IFT_GIF:           /* XXX need more cases? */
+               return(1);
+       default:
+               return(0);
+       }
+}
+
+int
+nd6_storelladdr(
+       struct ifnet *ifp,
+       struct rtentry *rt,
+       struct mbuf *m,
+       struct sockaddr *dst,
+       u_char *desten)
+{
+       int i;
        struct sockaddr_dl *sdl;
 
        if (m->m_flags & M_MCAST) {
                switch (ifp->if_type) {
                case IFT_ETHER:
        struct sockaddr_dl *sdl;
 
        if (m->m_flags & M_MCAST) {
                switch (ifp->if_type) {
                case IFT_ETHER:
-               case IFT_FDDI:                  
+               case IFT_FDDI:
+               case IFT_L2VLAN:
+               case IFT_IEEE8023ADLAG:
+#if IFT_IEEE80211
+               case IFT_IEEE80211:
+#endif
+               case IFT_BRIDGE:
                        ETHER_MAP_IPV6_MULTICAST(&SIN6(dst)->sin6_addr,
                                                 desten);
                        return(1);
                        ETHER_MAP_IPV6_MULTICAST(&SIN6(dst)->sin6_addr,
                                                 desten);
                        return(1);
-                       break;
+               case IFT_IEEE1394:
+                       for (i = 0; i < ifp->if_addrlen; i++)
+                               desten[i] = ~0;
+                       return(1);
                case IFT_ARCNET:
                        *desten = 0;
                        return(1);
                default:
                case IFT_ARCNET:
                        *desten = 0;
                        return(1);
                default:
-                       return(0);
+                       return(0); /* caller will free mbuf */
                }
        }
 
                }
        }
 
-       if (rt == NULL ||
-           rt->rt_gateway->sa_family != AF_LINK) {
+       if (rt == NULL) {
+               /* this could happen, if we could not allocate memory */
+               return(0); /* caller will free mbuf */
+       }
+       RT_LOCK(rt);
+       if (rt->rt_gateway->sa_family != AF_LINK) {
                printf("nd6_storelladdr: something odd happens\n");
                printf("nd6_storelladdr: something odd happens\n");
-               return(0);
+               RT_UNLOCK(rt);
+               return(0); /* caller will free mbuf */
        }
        sdl = SDL(rt->rt_gateway);
        if (sdl->sdl_alen == 0) {
                /* this should be impossible, but we bark here for debugging */
                printf("nd6_storelladdr: sdl_alen == 0\n");
        }
        sdl = SDL(rt->rt_gateway);
        if (sdl->sdl_alen == 0) {
                /* this should be impossible, but we bark here for debugging */
                printf("nd6_storelladdr: sdl_alen == 0\n");
-               return(0);
+               RT_UNLOCK(rt);
+               return(0); /* caller will free mbuf */
        }
 
        bcopy(LLADDR(sdl), desten, sdl->sdl_alen);
        }
 
        bcopy(LLADDR(sdl), desten, sdl->sdl_alen);
+       RT_UNLOCK(rt);
        return(1);
 }
        return(1);
 }
+
+/*
+ * This is the ND pre-output routine; care must be taken to ensure that
+ * the "hint" route never gets freed via rtfree(), since the caller may
+ * have stored it inside a struct route with a reference held for that
+ * placeholder.
+ */
+errno_t
+nd6_lookup_ipv6(ifnet_t         ifp, const struct sockaddr_in6 *ip6_dest,
+    struct sockaddr_dl *ll_dest, size_t        ll_dest_len, route_t hint,
+    mbuf_t packet)
+{
+       route_t route = hint;
+       errno_t result = 0;
+       struct sockaddr_dl *sdl = NULL;
+       size_t  copy_len;
+
+       if (ip6_dest->sin6_family != AF_INET6)
+               return (EAFNOSUPPORT);
+
+       if ((ifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
+               return (ENETDOWN);
+
+       if (hint != NULL) {
+               /*
+                * Callee holds a reference on the route and returns
+                * with the route entry locked, upon success.
+                */
+               result = arp_route_to_gateway_route(
+                   (const struct sockaddr*)ip6_dest, hint, &route);
+               if (result != 0)
+                       return (result);
+               if (route != NULL)
+                       RT_LOCK_ASSERT_HELD(route);
+       }
+
+       if ((packet->m_flags & M_MCAST) != 0) {
+               if (route != NULL)
+                       RT_UNLOCK(route);
+               result = dlil_resolve_multi(ifp,
+                   (const struct sockaddr*)ip6_dest,
+                   (struct sockaddr *)ll_dest, ll_dest_len);
+               if (route != NULL)
+                       RT_LOCK(route);
+               goto release;
+       }
+
+       if (route == NULL) {
+               /*
+                * This could happen, if we could not allocate memory or
+                * if arp_route_to_gateway_route() didn't return a route.
+                */
+               result = ENOBUFS;
+               goto release;
+       }
+
+       if (route->rt_gateway->sa_family != AF_LINK) {
+               printf("nd6_lookup_ipv6: gateway address not AF_LINK\n");
+               result = EADDRNOTAVAIL;
+               goto release;
+       }
+
+       sdl = SDL(route->rt_gateway);
+       if (sdl->sdl_alen == 0) {
+               /* this should be impossible, but we bark here for debugging */
+               printf("nd6_lookup_ipv6: sdl_alen == 0\n");
+               result = EHOSTUNREACH;
+               goto release;
+       }
+
+       copy_len = sdl->sdl_len <= ll_dest_len ? sdl->sdl_len : ll_dest_len;
+       bcopy(sdl, ll_dest, copy_len);
+
+release:
+       if (route != NULL) {
+               if (route == hint) {
+                       RT_REMREF_LOCKED(route);
+                       RT_UNLOCK(route);
+               } else {
+                       RT_UNLOCK(route);
+                       rtfree(route);
+               }
+       }
+       return (result);
+}
+
+SYSCTL_DECL(_net_inet6_icmp6);
+
+static int
+nd6_sysctl_drlist SYSCTL_HANDLER_ARGS
+{
+#pragma unused(oidp, arg1, arg2)
+       int error = 0;
+       char buf[1024];
+       struct nd_defrouter *dr;
+       int p64 = proc_is64bit(req->p);
+
+       if (req->newptr)
+               return (EPERM);
+
+       lck_mtx_lock(nd6_mutex);
+       if (p64) {
+               struct in6_defrouter_64 *d, *de;
+
+               for (dr = TAILQ_FIRST(&nd_defrouter);
+                    dr;
+                    dr = TAILQ_NEXT(dr, dr_entry)) {
+                       d = (struct in6_defrouter_64 *)buf;
+                       de = (struct in6_defrouter_64 *)(buf + sizeof (buf));
+
+                       if (d + 1 <= de) {
+                               bzero(d, sizeof (*d));
+                               d->rtaddr.sin6_family = AF_INET6;
+                               d->rtaddr.sin6_len = sizeof (d->rtaddr);
+                               if (in6_recoverscope(&d->rtaddr, &dr->rtaddr,
+                                   dr->ifp) != 0)
+                                       log(LOG_ERR,
+                                           "scope error in "
+                                           "default router list (%s)\n",
+                                           ip6_sprintf(&dr->rtaddr));
+                               d->flags = dr->flags;
+                               d->rtlifetime = dr->rtlifetime;
+                               d->expire = dr->expire;
+                               d->if_index = dr->ifp->if_index;
+                       } else {
+                               panic("buffer too short");
+                       }
+                       error = SYSCTL_OUT(req, buf, sizeof (*d));
+                       if (error)
+                               break;
+               }
+       } else {
+               struct in6_defrouter_32 *d_32, *de_32;
+
+               for (dr = TAILQ_FIRST(&nd_defrouter);
+                    dr;
+                    dr = TAILQ_NEXT(dr, dr_entry)) {
+                       d_32 = (struct in6_defrouter_32 *)buf;
+                       de_32 = (struct in6_defrouter_32 *)(buf + sizeof (buf));
+
+                       if (d_32 + 1 <= de_32) {
+                               bzero(d_32, sizeof (*d_32));
+                               d_32->rtaddr.sin6_family = AF_INET6;
+                               d_32->rtaddr.sin6_len = sizeof (d_32->rtaddr);
+                               if (in6_recoverscope(&d_32->rtaddr, &dr->rtaddr,
+                                   dr->ifp) != 0)
+                                       log(LOG_ERR,
+                                           "scope error in "
+                                           "default router list (%s)\n",
+                                           ip6_sprintf(&dr->rtaddr));
+                               d_32->flags = dr->flags;
+                               d_32->rtlifetime = dr->rtlifetime;
+                               d_32->expire = dr->expire;
+                               d_32->if_index = dr->ifp->if_index;
+                       } else {
+                               panic("buffer too short");
+                       }
+                       error = SYSCTL_OUT(req, buf, sizeof (*d_32));
+                       if (error)
+                               break;
+               }
+       }
+       lck_mtx_unlock(nd6_mutex);
+       return (error);
+}
+
+static int
+nd6_sysctl_prlist SYSCTL_HANDLER_ARGS
+{
+#pragma unused(oidp, arg1, arg2)
+       int error = 0;
+       char buf[1024];
+       struct nd_prefix *pr;
+       int p64 = proc_is64bit(req->p);
+
+       if (req->newptr)
+               return (EPERM);
+
+       lck_mtx_lock(nd6_mutex);
+       if (p64) {
+               struct in6_prefix_64 *p, *pe;
+
+               for (pr = nd_prefix.lh_first; pr; pr = pr->ndpr_next) {
+                       u_short advrtrs = 0;
+                       size_t advance;
+                       struct sockaddr_in6 *sin6, *s6;
+                       struct nd_pfxrouter *pfr;
+
+                       p = (struct in6_prefix_64 *)buf;
+                       pe = (struct in6_prefix_64 *)(buf + sizeof (buf));
+
+                       if (p + 1 <= pe) {
+                               bzero(p, sizeof (*p));
+                               sin6 = (struct sockaddr_in6 *)(p + 1);
+
+                               p->prefix = pr->ndpr_prefix;
+                               if (in6_recoverscope(&p->prefix,
+                                   &p->prefix.sin6_addr, pr->ndpr_ifp) != 0)
+                                       log(LOG_ERR,
+                                           "scope error in prefix list (%s)\n",
+                                           ip6_sprintf(&p->prefix.sin6_addr));
+                               p->raflags = pr->ndpr_raf;
+                               p->prefixlen = pr->ndpr_plen;
+                               p->vltime = pr->ndpr_vltime;
+                               p->pltime = pr->ndpr_pltime;
+                               p->if_index = pr->ndpr_ifp->if_index;
+                               p->expire = pr->ndpr_expire;
+                               p->refcnt = pr->ndpr_refcnt;
+                               p->flags = pr->ndpr_stateflags;
+                               p->origin = PR_ORIG_RA;
+                               advrtrs = 0;
+                               for (pfr = pr->ndpr_advrtrs.lh_first;
+                                    pfr;
+                                    pfr = pfr->pfr_next) {
+                                       if ((void *)&sin6[advrtrs + 1] >
+                                           (void *)pe) {
+                                               advrtrs++;
+                                               continue;
+                                       }
+                                       s6 = &sin6[advrtrs];
+                                       bzero(s6, sizeof (*s6));
+                                       s6->sin6_family = AF_INET6;
+                                       s6->sin6_len = sizeof (*sin6);
+                                       if (in6_recoverscope(s6,
+                                           &pfr->router->rtaddr,
+                                           pfr->router->ifp) != 0)
+                                               log(LOG_ERR, "scope error in "
+                                                   "prefix list (%s)\n",
+                                                   ip6_sprintf(&pfr->router->
+                                                   rtaddr));
+                                       advrtrs++;
+                               }
+                               p->advrtrs = advrtrs;
+                       } else {
+                               panic("buffer too short");
+                       }
+                       advance = sizeof (*p) + sizeof (*sin6) * advrtrs;
+                       error = SYSCTL_OUT(req, buf, advance);
+                       if (error)
+                               break;
+               }
+       } else {
+               struct in6_prefix_32 *p_32, *pe_32;
+
+               for (pr = nd_prefix.lh_first; pr; pr = pr->ndpr_next) {
+                       u_short advrtrs = 0;
+                       size_t advance;
+                       struct sockaddr_in6 *sin6, *s6;
+                       struct nd_pfxrouter *pfr;
+
+                       p_32 = (struct in6_prefix_32 *)buf;
+                       pe_32 = (struct in6_prefix_32 *)(buf + sizeof (buf));
+
+                       if (p_32 + 1 <= pe_32) {
+                               bzero(p_32, sizeof (*p_32));
+                               sin6 = (struct sockaddr_in6 *)(p_32 + 1);
+
+                               p_32->prefix = pr->ndpr_prefix;
+                               if (in6_recoverscope(&p_32->prefix,
+                                   &p_32->prefix.sin6_addr, pr->ndpr_ifp) != 0)
+                                       log(LOG_ERR, "scope error in prefix "
+                                           "list (%s)\n", ip6_sprintf(&p_32->
+                                           prefix.sin6_addr));
+                               p_32->raflags = pr->ndpr_raf;
+                               p_32->prefixlen = pr->ndpr_plen;
+                               p_32->vltime = pr->ndpr_vltime;
+                               p_32->pltime = pr->ndpr_pltime;
+                               p_32->if_index = pr->ndpr_ifp->if_index;
+                               p_32->expire = pr->ndpr_expire;
+                               p_32->refcnt = pr->ndpr_refcnt;
+                               p_32->flags = pr->ndpr_stateflags;
+                               p_32->origin = PR_ORIG_RA;
+                               advrtrs = 0;
+                               for (pfr = pr->ndpr_advrtrs.lh_first;
+                                    pfr;
+                                    pfr = pfr->pfr_next) {
+                                       if ((void *)&sin6[advrtrs + 1] >
+                                           (void *)pe_32) {
+                                               advrtrs++;
+                                               continue;
+                                       }
+                                       s6 = &sin6[advrtrs];
+                                       bzero(s6, sizeof (*s6));
+                                       s6->sin6_family = AF_INET6;
+                                       s6->sin6_len = sizeof (*sin6);
+                                       if (in6_recoverscope(s6,
+                                           &pfr->router->rtaddr,
+                                           pfr->router->ifp) != 0)
+                                               log(LOG_ERR, "scope error in "
+                                                   "prefix list (%s)\n",
+                                                   ip6_sprintf(&pfr->router->
+                                                   rtaddr));
+                                       advrtrs++;
+                               }
+                               p_32->advrtrs = advrtrs;
+                       } else {
+                               panic("buffer too short");
+                       }
+                       advance = sizeof (*p_32) + sizeof (*sin6) * advrtrs;
+                       error = SYSCTL_OUT(req, buf, advance);
+                       if (error)
+                               break;
+               }
+       }
+       lck_mtx_unlock(nd6_mutex);
+       return (error);
+}
+SYSCTL_PROC(_net_inet6_icmp6, ICMPV6CTL_ND6_DRLIST, nd6_drlist,
+       CTLFLAG_RD, 0, 0, nd6_sysctl_drlist, "S,in6_defrouter","");
+SYSCTL_PROC(_net_inet6_icmp6, ICMPV6CTL_ND6_PRLIST, nd6_prlist,
+       CTLFLAG_RD, 0, 0, nd6_sysctl_prlist, "S,in6_defrouter","");
+
mirror of XNU