remove prototypes with no matching function
ok mpi@

Implement rule 5.5 of RFC 6724 (Default Address Selection for IPv6)

Rule 5.5: Prefer addresses in a prefix advertised by the next-hop.

For this we have to track the (link-local) address of the advertising
router per interface address and compare it with the selected route.

Rule 5.5 is useful in multi-homing setups where we have more than one
prefix and default router. We have to use the source address with the
correct default gateway otherwise traffic is likely going to be
dropped because of BCP 38.

While here refactor in6_update_ifa() a bit to make the code clearer
and consistently use (var & flag) instead of (var & flag) != 0.

Patiently reviewed by & OK bluhm.

Merge struct route and struct route_in6.

Use a common struct route for both inet and inet6. Unfortunately
struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has
to be exposed from net/route.h. Struct route has to be bsd visible
for userland as netstat kvm code inspects inp_route. Internet PCB
and TCP SYN cache can use a plain struct route now. All specific
sockaddr types for inet and inet6 are embeded there.

OK claudio@

Route cache function returns hit or miss.

The route_cache() function can easily return whether it was a cache
hit or miss. Then the logic to perform a route lookup gets a bit
simpler. Some more complicated if (ro->ro_rt == NULL) checks still
exist elsewhere.
Also use route cache in in_pcbselsrc() instead of filling struct
route manually.

OK claudio@

Use the route generation number also for IPv6.

Implement route6_cache() to check whether the cached route is still
valid and otherwise fill caching parameter of struct route_in6.
Also count cache hits and misses in netstat. in_pcbrtentry() uses
route cache now.

OK claudio@

Add route generation number to route cache.

The outgoing route is cached at the inpcb. This cache was only
invalidated when the socket closes or if the route gets invalid.
More specific routes were not detected. Especially with dynamic
routing protocols, sockets must be closed and reopened to use the
correct route. Running ping during a route change shows the problem.

To solve this, add a route generation number that is updated whenever
the routing table changes. The lookup in struct route is put into
the route_cache() function. If the generation number is too old,
the cached route gets discarded.

Implement route_cache() for ip_output() and ip_forward() first.
IPv6 and more places will follow.

OK claudio@

Declare address parameter in TCP SYN cache const.

tcp6_ctlinput() casted a constant sockaddr_sin6 to non-const sockaddr.
sa6_src may be &sa6_any which lives in read-only data section.
Better pass down the const addresses to syn_cache_lookup(). They
are needed for hash lookup and are not modified.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

rtable_match() takes constant destination.

For implementing MP safe route lookup, it helps to know which
function parameters are constant. Add some const declarations, so
that the compiler guarantees that sockaddr dst parameter of
rtable_match() does not change.

OK dlg@

factor out the code that does sanity checks on ipv6 headers and addresses.

this will allow these checks to be reused for ip packet inspection
in bridge, veb, and tpmr.

ok bluhm@ sashan@

spelling

ok gnezdo@ semarie@ mpi@

Convert ip6_sysctl to sysctl_bounded_args

Tighter limits and OK by sashan

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Kernel is missing propper input validation when configuring IPv6
addresses. Implement in6_sa2sin6() to validate inet6 address family
and address length. The SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6,
SIOCGIFAFLAG_IN6, SIOCGIFALIFETIME_IN6, and SIOCDIFADDR_IN6 ioctl(2)
are safe now.
OK visa@

In in_cksum() and in6_cksum() convert types to C99 style and make
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@

Convert inetctlerrmap to u_char like inet6ctlerrmap. That is also
what FreeBSD does. Remove old #if 0 version of inet6ctlerrmap.
OK mpi@

The global zero addresses must not change, mark them constant.
OK tb@ visa@

Implement RFC 7217: "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration."

"An IPv6 address configured using this method is stable within each
subnet, but the corresponding Interface Identifier changes when the
host moves from one network to another. This method is meant to be an
alternative to generating Interface Identifiers based on hardware
addresses."

OK naddy, sthen

Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running
pr_input handlers without KERNEL_LOCK().

ok visa@

Use in6_get_rand_ifid() instead of get_last_resort_ifid() and delete the
get_last_resort_ifid() function because eww.
Also if your system is so constraint that you end up in
in6_get_rand_ifid() you don't deserve a random ifid that stays
stable over reboots.
Simplify code a bit since get_ifid() can no longer fail. It couldn't
fail before either because that code path was #if 0'ed.
While here sprinkle in some in6_ prefixes, pointed out by stsp.
OK stsp

Validate sockaddr from userland in central functions. This results
in common checks for unix, inet, inet6 instead of partial checks
here and there. Some checks are already done at a higher layer,
but better be paranoid with user input.
OK claudio@ millert@

Get rid of ip6.maxifprefixes and ip6.maxifdefrouters, the kernel no
longer tracks prefixes or default routers from router advertisements.
Pointed out by jmc.
ports tree grepping sthen, who only found nsh
OK mpi, sthen

Keep ipv6_input() definition inside _KERNEL.

Unbreak userland, found the hardway by deraadt@

Introduce ipv{4,6}_input(), two wrappers around IP queues.

This will help transitionning to an un-KERNEL_LOCK()ed IP
forwarding path.

Disucssed with bluhm@, ok claudio@

Introduce sstosa() for converting sockaddr_storage with a type safe
inline function instead of casting it to sockaddr. While there,
use inline instead of __inline for all these conversions. Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@

Fix comments about a few ipv6 sockoptions

OK millert@ florian@

Remove PIM support from the multicast stack.

ok mpi@

Convert some of the remaining usages of time_second to time_uptime.

time_second is unix time so it can be affected by clock changes.
time_uptime is monotonic so it isnt affected by clock changes. that
in turn means route expiries wont jump with clock changes if set
against time_uptime.

the expiry is translated into unix time for export to userland though.

Should fix mismatch between route timers that were already converted
and ND default routers that were still using time_second.

Tested by matthieu@ and sthen@

ok sthen@, dlg@

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Kill sysctl net.inet6.ip6.rr_prune

We don't support Router Renumbering and there are no plans to change
that. ok mpi@

Remove sysctl net.inet6.ip6.v6only

This sysctl is a no-op, read-only since it was introduced. There are no
plans to support IPv4-mapped addresses on OpenBSD, thus this sysctl is
meaningless.

Noticed by djm@, ok claudio@ mpi@ sthen@ henning@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

RFC 2292 API support was removed 9 years ago, but left in a binary compat
ABI form for the sake of existing programs. no programs from that era have
been able to run for quite some time. Kill it all.
ok deraadt florian millert mpi
(I believe this is my first IPv6 diff. Future, here I come!)

in6_embedscope() needs to lose some weight. Remove the last argument.
In all but two calls NULL is passed and in the other 2 cases the ifp
is only used to maybe feed it to in6_selecthlim() to select the hoplimit
for the link. Since in6_embedscope() only works on link-local addresses
it does not matter what hop limit we select since the destination is
directly reachable.
OK florian@ mpi@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

More damned eye searing whitespace. No change to .o files.

ip6_sprintf is long gone; noticed by blambert

replace the use of ifqueues for most input queues serviced by netisr
with niqueues.

this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues id have to add sepearate code paths, one
for ifqueues and one for niqueues in each of these places

by flipping all these input queues at once i can keep the currently
common code common.

testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@

Implement 2 sysctl to retrieve the multicast forwarding cache (mf6c) and the
multicast interface table (mif6). Will be used by netstat soon.
Looked over by guenther@

provide a net.inet6.ip6.ifq sysctl so people can see and fiddle
with the ip6intrq.

ok claudio@

Correct some comments and merge in6_if_up() into in6_ifattach() to
reflect that IPv6 link-local addresses are no longer automagically
configured the first time an interface is brought up.

ok henning@, stsp@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

What have no need for a variable that holds the maximum MTU size of
interfaces with an IPv6 address.

ok henning@, mikeb@, deraadt@

Make the in6addr constant declarations and definitions consistent
in kernel and user land.
OK florian@ mpi@

Do not hand-roll all routers link local address.
pointed out & OK bluhm@

introduce the IFXF_AUTOCONF6 interface flag which controls wether we
accept rtadvs on that interface. the global net.inet6.ip6.accept_rtadv
sysctl just doesn't cut it, even tho the spec wants that - but in their
little absurd world, a host just has one interface by definition anyway...
the sysctlgoes away.
lots of head scratching, brain cell elemination etc from bluhm benno stsp
florian, excitement from simon and todd, ok bluhm stsp benno florian

Remove deprecated RFC2292 ancillary data convenience functions.
They are obsoleted by the RFC3542 api.

ok mpi@

move in6_cksum_phdr from in6.h to ip6_output.c to mirror in_cksum_phdr
ok henning@

Split the checksum calculation for IPv6 like for IPv4:
Always calculate the pseudo-header checksum.
Complete the checksum if hardware offload is not available.

Parts originally from NetBSD; ok henning@

kill kame version symbols and sysctl
ports tree grep run by sthen

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Significant namespace cleanup of netinet6 symbols.

One worrying bit is in icmp6.h where some htols() and htonl() are
added, which may affect compatibility down the line. This component
can be reverted if issues show up. Ports tree greps indicate no issue.

ok claudio mpi etc

There are gasps of shock! Add a pmtu delay sysctl BUTTON for netinet6,
making the code the same as netinet4 along the way.
ok bluhm phessler

put the cksum diff back, of course with the bug fixed where we could
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.

Convert the satosin, sintosa, ifatoia, satosin6, sin6tosa, ifatoia6
defines into static inline functions. This allows the compiler to
check the source type before casting.
liked by many; OK mpi@ haesbaert@

My lack of faith... These lines should stay, reported by ajacoutot@.

ok sthen@

tedu faith(4), suggested by todd@ some weeks ago after a submission by
dhill.

ok krw@, mikeb@, tedu@ (implicit)

backout csum diff for the moment, requested by theo

redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!

add IPV6_RECVDSTPORT socket option, which enables us to get original
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.

from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm

Improve POSIX/SUS compliance of <netdb.h>, <sys/socket.h>, and <sys/un.h>.

Much ports testing of various versions by naddy@ and jasper@
ok matthew@, miller@

Instead of <arpa/inet.h> pulling in <netinet/in.h>, just copy in the
three things that it needed from there: INET_ADDRSTRLEN, INET6_ADDRSTRLEN,
and struct in_addr. Add protecting #ifndefs to netinet6?/in6?.h for those.

ok deraadt@

Improve compliance for <arpa/inet.h> and <netinet/in.h> to define/declare
all the symbols that POSIX says they must and fewer that they can't and,
most importantly, to not require a specific ordering of headers.

ports testing by naddy@
ok millert@ deraadt@

rdomain support for IPv6
ok mikeb

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

recognize SO_RTABLE socket option at the SOL_SOCKET level;
discussed with and ok claudio

add a new IP level socket option IP_PIPEX. This option is used for L2TP
support by pipex.
OK henning@, "Carry on" blambert@

remove some unused netinet6 code
ok stsp@ henning@ claudio@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Simple implementation of RFC4941, "Privacy Extensions for Stateless
Address Autoconfiguration in IPv6". For those among us who are paranoid
about broadcasting their MAC address to the IPv6 internet.

Man page help from jmc, testing by weerd, arc4random API hints from djm.

ok deraadt, claudio

IPv6 support for divert sockets.

tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@

delay /etc/netstart until IPv6-DAD (dup-address-detection) is completed.
ok fries, hshoexer, claudio

From KAME, allow adjustable limits on NDP entries and discovered routes.

ok mpf naddy

use the right capitalization for platform names

ok jsing@

Fix KAME cvsweb urls

switch IPv6 advanced API from RFC2292 to RFC3542 (2292 is superseded by 3542).
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.

bump libc shlib minor for function additions.

tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.

introduce sysctl net.inet6.ip6.multicast_mtudisc (for multicast routers).
deraadt ok. manpage nit by jmc.

move comment to a line where it makes more sense

change semantics of ff01::/16 to interface local multicast
(to sync up with more recent IPv6 spec)

ok from: deraadt mcbride

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

Do the same thing as for IPv4. Use a sysctl to enable/disable mfrowarding
and additionaly make the code part of the MROUTING option. Put it in deraadt@

First step in include files overhaul. Use __FOO_VISIBLE (as defined
in sys/cdefs.h) instead of _FOO_SOURCE. Also fix several namespace
pollution issues, including the byte order defines. OK deraadt@

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

support IPV6_USE_MIN_MTU, to make BIND9 better.
(sorry about the mess yesterday)

back out tree breakage. Like, come on

support IPV6_USE_MIN_MTU, which is needed to run BIND9 well. from kame
markus ok

switch to sysctl_int_arr(); ok itojun, henning, miod, deraadt

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

sync with latest KAME in6_ifaddr/prefix/default router manipulation.
behavior changes:
- two iocts used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.

mistake in sysctl table

just for consistency/compatibility, have net.inet6.ip6.v6only sysctl MIB,
as well as set/getsockopt(IPV6_V6ONLY).

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

First round of __P removal in sys

branches: 1.25.2;
whitespace/comment sync with kame

comment; sockopt # 57-59 are also reserved

Add IPCOMP setsockopt policy controls. While here fix the other policies too

fix constness of IN6_{IS,ARE}_xx macros to conform to RFC2553.
sync with kame.

remove date string from KAME version identification, it is getting meaningless
as we merge random items daily. have comment that refers to kame COVERAGE
document. sync with kame

get rid of #ifdef IPV6FIREWALL (never used, will never be used)

pull in new pcb notification code from kame. better handling of scope address.

use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>

move IPv6 IPsec sysctl # downward, to avoid number conflict in *BSD.
angelos ok

don't pull sys/queue.h in. sync better with kame.

Fix typo; ds@ds.primasoft.bg

allow IPsec-related get/setsockopt on IPv6 socket. due to number conflict
they must be IPV6_xx instead of IP_xx.

actually, since in_ctloutput() does not check address family of inpcb,
getsockopt(IPPROTO_IP, IP_xx) may work - never tested this.

net.inet.ip.gif_ttl (and IPv6 counterpart) is never used.
enforce type checking on IN6_ARE_ADDR_EQUAL.

bring in recent KAME changes (only important and stable ones, as usual).
- remove net.inet6.ip6.nd6_proxyall. introduce proxy NDP code works
just like "arp -s".
- revise source address selection.
be more careful about use of yet-to-be-valid addresses as source.
- as router, transmit ICMP6_DST_UNREACH_BEYONDSCOPE against out-of-scope
packet forwarding attempt.
- path MTU discovery takes care of routing header properly.
- be more strict about mbuf chain parsing.
- nuke xxCTL_VARS #define, they are for BSDI.
- disable SIOCSIFDSTADDR_IN6/SIOCSIFNETMASK_IN6 ioctl, they do not fit
IPv6 model where multiple address on interface is normal.
(kernel side supports them for a while for backward compat,
the support will be nuked shortly)
- introduce "default outgoing interface" (for spec conformance in very
rare case)

use more modern types

branches: 1.10.2;
improve RFC2553/2292 conformance. netinet6/{ip6,icmp6,in6}.h should not
be included.
neitnet6/{ip6,icmp6}.h includes #error statements only - i'll remove them
couple of days later.

Add RCS tags, remove unused header files and code, remove a few
unnecessary ifdefs...

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

Replace 'in6a_words' (old NRL convention) with 's6_addr32' (new BSDI et al.
convention that is more common and more specific as to the access size)

Demangled the INET6 stuff so as not to require any extra options and not to
be mutually exclusive with the IPSEC option.

Synchronized changes needed to integrate into OpenBSD with the NRL source
tree so we can have a unified netinet6 directory.

_KERNEL, and other cleanup

merge INPROTO_* tables

use _KERNEL, add ipv6intrq decl

missed file

Implement rule 5.5 of RFC 6724 (Default Address Selection for IPv6)

Rule 5.5: Prefer addresses in a prefix advertised by the next-hop.

For this we have to track the (link-local) address of the advertising
router per interface address and compare it with the selected route.

Rule 5.5 is useful in multi-homing setups where we have more than one
prefix and default router. We have to use the source address with the
correct default gateway otherwise traffic is likely going to be
dropped because of BCP 38.

While here refactor in6_update_ifa() a bit to make the code clearer
and consistently use (var & flag) instead of (var & flag) != 0.

Patiently reviewed by & OK bluhm.

Merge struct route and struct route_in6.

Use a common struct route for both inet and inet6. Unfortunately
struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has
to be exposed from net/route.h. Struct route has to be bsd visible
for userland as netstat kvm code inspects inp_route. Internet PCB
and TCP SYN cache can use a plain struct route now. All specific
sockaddr types for inet and inet6 are embeded there.

OK claudio@

Route cache function returns hit or miss.

The route_cache() function can easily return whether it was a cache
hit or miss. Then the logic to perform a route lookup gets a bit
simpler. Some more complicated if (ro->ro_rt == NULL) checks still
exist elsewhere.
Also use route cache in in_pcbselsrc() instead of filling struct
route manually.

OK claudio@

Use the route generation number also for IPv6.

Implement route6_cache() to check whether the cached route is still
valid and otherwise fill caching parameter of struct route_in6.
Also count cache hits and misses in netstat. in_pcbrtentry() uses
route cache now.

OK claudio@

Add route generation number to route cache.

The outgoing route is cached at the inpcb. This cache was only
invalidated when the socket closes or if the route gets invalid.
More specific routes were not detected. Especially with dynamic
routing protocols, sockets must be closed and reopened to use the
correct route. Running ping during a route change shows the problem.

To solve this, add a route generation number that is updated whenever
the routing table changes. The lookup in struct route is put into
the route_cache() function. If the generation number is too old,
the cached route gets discarded.

Implement route_cache() for ip_output() and ip_forward() first.
IPv6 and more places will follow.

OK claudio@

Declare address parameter in TCP SYN cache const.

tcp6_ctlinput() casted a constant sockaddr_sin6 to non-const sockaddr.
sa6_src may be &sa6_any which lives in read-only data section.
Better pass down the const addresses to syn_cache_lookup(). They
are needed for hash lookup and are not modified.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

rtable_match() takes constant destination.

For implementing MP safe route lookup, it helps to know which
function parameters are constant. Add some const declarations, so
that the compiler guarantees that sockaddr dst parameter of
rtable_match() does not change.

OK dlg@

factor out the code that does sanity checks on ipv6 headers and addresses.

this will allow these checks to be reused for ip packet inspection
in bridge, veb, and tpmr.

ok bluhm@ sashan@

spelling

ok gnezdo@ semarie@ mpi@

Convert ip6_sysctl to sysctl_bounded_args

Tighter limits and OK by sashan

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Kernel is missing propper input validation when configuring IPv6
addresses. Implement in6_sa2sin6() to validate inet6 address family
and address length. The SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6,
SIOCGIFAFLAG_IN6, SIOCGIFALIFETIME_IN6, and SIOCDIFADDR_IN6 ioctl(2)
are safe now.
OK visa@

In in_cksum() and in6_cksum() convert types to C99 style and make
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@

Convert inetctlerrmap to u_char like inet6ctlerrmap. That is also
what FreeBSD does. Remove old #if 0 version of inet6ctlerrmap.
OK mpi@

The global zero addresses must not change, mark them constant.
OK tb@ visa@

Implement RFC 7217: "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration."

"An IPv6 address configured using this method is stable within each
subnet, but the corresponding Interface Identifier changes when the
host moves from one network to another. This method is meant to be an
alternative to generating Interface Identifiers based on hardware
addresses."

OK naddy, sthen

Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running
pr_input handlers without KERNEL_LOCK().

ok visa@

Use in6_get_rand_ifid() instead of get_last_resort_ifid() and delete the
get_last_resort_ifid() function because eww.
Also if your system is so constraint that you end up in
in6_get_rand_ifid() you don't deserve a random ifid that stays
stable over reboots.
Simplify code a bit since get_ifid() can no longer fail. It couldn't
fail before either because that code path was #if 0'ed.
While here sprinkle in some in6_ prefixes, pointed out by stsp.
OK stsp

Validate sockaddr from userland in central functions. This results
in common checks for unix, inet, inet6 instead of partial checks
here and there. Some checks are already done at a higher layer,
but better be paranoid with user input.
OK claudio@ millert@

Get rid of ip6.maxifprefixes and ip6.maxifdefrouters, the kernel no
longer tracks prefixes or default routers from router advertisements.
Pointed out by jmc.
ports tree grepping sthen, who only found nsh
OK mpi, sthen

Keep ipv6_input() definition inside _KERNEL.

Unbreak userland, found the hardway by deraadt@

Introduce ipv{4,6}_input(), two wrappers around IP queues.

This will help transitionning to an un-KERNEL_LOCK()ed IP
forwarding path.

Disucssed with bluhm@, ok claudio@

Introduce sstosa() for converting sockaddr_storage with a type safe
inline function instead of casting it to sockaddr. While there,
use inline instead of __inline for all these conversions. Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@

Fix comments about a few ipv6 sockoptions

OK millert@ florian@

Remove PIM support from the multicast stack.

ok mpi@

Convert some of the remaining usages of time_second to time_uptime.

time_second is unix time so it can be affected by clock changes.
time_uptime is monotonic so it isnt affected by clock changes. that
in turn means route expiries wont jump with clock changes if set
against time_uptime.

the expiry is translated into unix time for export to userland though.

Should fix mismatch between route timers that were already converted
and ND default routers that were still using time_second.

Tested by matthieu@ and sthen@

ok sthen@, dlg@

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Kill sysctl net.inet6.ip6.rr_prune

We don't support Router Renumbering and there are no plans to change
that. ok mpi@

Remove sysctl net.inet6.ip6.v6only

This sysctl is a no-op, read-only since it was introduced. There are no
plans to support IPv4-mapped addresses on OpenBSD, thus this sysctl is
meaningless.

Noticed by djm@, ok claudio@ mpi@ sthen@ henning@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

RFC 2292 API support was removed 9 years ago, but left in a binary compat
ABI form for the sake of existing programs. no programs from that era have
been able to run for quite some time. Kill it all.
ok deraadt florian millert mpi
(I believe this is my first IPv6 diff. Future, here I come!)

in6_embedscope() needs to lose some weight. Remove the last argument.
In all but two calls NULL is passed and in the other 2 cases the ifp
is only used to maybe feed it to in6_selecthlim() to select the hoplimit
for the link. Since in6_embedscope() only works on link-local addresses
it does not matter what hop limit we select since the destination is
directly reachable.
OK florian@ mpi@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

More damned eye searing whitespace. No change to .o files.

ip6_sprintf is long gone; noticed by blambert

replace the use of ifqueues for most input queues serviced by netisr
with niqueues.

this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues id have to add sepearate code paths, one
for ifqueues and one for niqueues in each of these places

by flipping all these input queues at once i can keep the currently
common code common.

testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@

Implement 2 sysctl to retrieve the multicast forwarding cache (mf6c) and the
multicast interface table (mif6). Will be used by netstat soon.
Looked over by guenther@

provide a net.inet6.ip6.ifq sysctl so people can see and fiddle
with the ip6intrq.

ok claudio@

Correct some comments and merge in6_if_up() into in6_ifattach() to
reflect that IPv6 link-local addresses are no longer automagically
configured the first time an interface is brought up.

ok henning@, stsp@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

What have no need for a variable that holds the maximum MTU size of
interfaces with an IPv6 address.

ok henning@, mikeb@, deraadt@

Make the in6addr constant declarations and definitions consistent
in kernel and user land.
OK florian@ mpi@

Do not hand-roll all routers link local address.
pointed out & OK bluhm@

introduce the IFXF_AUTOCONF6 interface flag which controls wether we
accept rtadvs on that interface. the global net.inet6.ip6.accept_rtadv
sysctl just doesn't cut it, even tho the spec wants that - but in their
little absurd world, a host just has one interface by definition anyway...
the sysctlgoes away.
lots of head scratching, brain cell elemination etc from bluhm benno stsp
florian, excitement from simon and todd, ok bluhm stsp benno florian

Remove deprecated RFC2292 ancillary data convenience functions.
They are obsoleted by the RFC3542 api.

ok mpi@

move in6_cksum_phdr from in6.h to ip6_output.c to mirror in_cksum_phdr
ok henning@

Split the checksum calculation for IPv6 like for IPv4:
Always calculate the pseudo-header checksum.
Complete the checksum if hardware offload is not available.

Parts originally from NetBSD; ok henning@

kill kame version symbols and sysctl
ports tree grep run by sthen

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Significant namespace cleanup of netinet6 symbols.

One worrying bit is in icmp6.h where some htols() and htonl() are
added, which may affect compatibility down the line. This component
can be reverted if issues show up. Ports tree greps indicate no issue.

ok claudio mpi etc

There are gasps of shock! Add a pmtu delay sysctl BUTTON for netinet6,
making the code the same as netinet4 along the way.
ok bluhm phessler

put the cksum diff back, of course with the bug fixed where we could
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.

Convert the satosin, sintosa, ifatoia, satosin6, sin6tosa, ifatoia6
defines into static inline functions. This allows the compiler to
check the source type before casting.
liked by many; OK mpi@ haesbaert@

My lack of faith... These lines should stay, reported by ajacoutot@.

ok sthen@

tedu faith(4), suggested by todd@ some weeks ago after a submission by
dhill.

ok krw@, mikeb@, tedu@ (implicit)

backout csum diff for the moment, requested by theo

redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!

add IPV6_RECVDSTPORT socket option, which enables us to get original
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.

from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm

Improve POSIX/SUS compliance of <netdb.h>, <sys/socket.h>, and <sys/un.h>.

Much ports testing of various versions by naddy@ and jasper@
ok matthew@, miller@

Instead of <arpa/inet.h> pulling in <netinet/in.h>, just copy in the
three things that it needed from there: INET_ADDRSTRLEN, INET6_ADDRSTRLEN,
and struct in_addr. Add protecting #ifndefs to netinet6?/in6?.h for those.

ok deraadt@

Improve compliance for <arpa/inet.h> and <netinet/in.h> to define/declare
all the symbols that POSIX says they must and fewer that they can't and,
most importantly, to not require a specific ordering of headers.

ports testing by naddy@
ok millert@ deraadt@

rdomain support for IPv6
ok mikeb

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

recognize SO_RTABLE socket option at the SOL_SOCKET level;
discussed with and ok claudio

add a new IP level socket option IP_PIPEX. This option is used for L2TP
support by pipex.
OK henning@, "Carry on" blambert@

remove some unused netinet6 code
ok stsp@ henning@ claudio@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Simple implementation of RFC4941, "Privacy Extensions for Stateless
Address Autoconfiguration in IPv6". For those among us who are paranoid
about broadcasting their MAC address to the IPv6 internet.

Man page help from jmc, testing by weerd, arc4random API hints from djm.

ok deraadt, claudio

IPv6 support for divert sockets.

tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@

delay /etc/netstart until IPv6-DAD (dup-address-detection) is completed.
ok fries, hshoexer, claudio

From KAME, allow adjustable limits on NDP entries and discovered routes.

ok mpf naddy

use the right capitalization for platform names

ok jsing@

Fix KAME cvsweb urls

switch IPv6 advanced API from RFC2292 to RFC3542 (2292 is superseded by 3542).
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.

bump libc shlib minor for function additions.

tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.

introduce sysctl net.inet6.ip6.multicast_mtudisc (for multicast routers).
deraadt ok. manpage nit by jmc.

move comment to a line where it makes more sense

change semantics of ff01::/16 to interface local multicast
(to sync up with more recent IPv6 spec)

ok from: deraadt mcbride

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

Do the same thing as for IPv4. Use a sysctl to enable/disable mfrowarding
and additionaly make the code part of the MROUTING option. Put it in deraadt@

First step in include files overhaul. Use __FOO_VISIBLE (as defined
in sys/cdefs.h) instead of _FOO_SOURCE. Also fix several namespace
pollution issues, including the byte order defines. OK deraadt@

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

support IPV6_USE_MIN_MTU, to make BIND9 better.
(sorry about the mess yesterday)

back out tree breakage. Like, come on

support IPV6_USE_MIN_MTU, which is needed to run BIND9 well. from kame
markus ok

switch to sysctl_int_arr(); ok itojun, henning, miod, deraadt

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

sync with latest KAME in6_ifaddr/prefix/default router manipulation.
behavior changes:
- two iocts used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.

mistake in sysctl table

just for consistency/compatibility, have net.inet6.ip6.v6only sysctl MIB,
as well as set/getsockopt(IPV6_V6ONLY).

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

First round of __P removal in sys

branches: 1.25.2;
whitespace/comment sync with kame

comment; sockopt # 57-59 are also reserved

Add IPCOMP setsockopt policy controls. While here fix the other policies too

fix constness of IN6_{IS,ARE}_xx macros to conform to RFC2553.
sync with kame.

remove date string from KAME version identification, it is getting meaningless
as we merge random items daily. have comment that refers to kame COVERAGE
document. sync with kame

get rid of #ifdef IPV6FIREWALL (never used, will never be used)

pull in new pcb notification code from kame. better handling of scope address.

use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>

move IPv6 IPsec sysctl # downward, to avoid number conflict in *BSD.
angelos ok

don't pull sys/queue.h in. sync better with kame.

Fix typo; ds@ds.primasoft.bg

allow IPsec-related get/setsockopt on IPv6 socket. due to number conflict
they must be IPV6_xx instead of IP_xx.

actually, since in_ctloutput() does not check address family of inpcb,
getsockopt(IPPROTO_IP, IP_xx) may work - never tested this.

net.inet.ip.gif_ttl (and IPv6 counterpart) is never used.
enforce type checking on IN6_ARE_ADDR_EQUAL.

bring in recent KAME changes (only important and stable ones, as usual).
- remove net.inet6.ip6.nd6_proxyall. introduce proxy NDP code works
just like "arp -s".
- revise source address selection.
be more careful about use of yet-to-be-valid addresses as source.
- as router, transmit ICMP6_DST_UNREACH_BEYONDSCOPE against out-of-scope
packet forwarding attempt.
- path MTU discovery takes care of routing header properly.
- be more strict about mbuf chain parsing.
- nuke xxCTL_VARS #define, they are for BSDI.
- disable SIOCSIFDSTADDR_IN6/SIOCSIFNETMASK_IN6 ioctl, they do not fit
IPv6 model where multiple address on interface is normal.
(kernel side supports them for a while for backward compat,
the support will be nuked shortly)
- introduce "default outgoing interface" (for spec conformance in very
rare case)

use more modern types

branches: 1.10.2;
improve RFC2553/2292 conformance. netinet6/{ip6,icmp6,in6}.h should not
be included.
neitnet6/{ip6,icmp6}.h includes #error statements only - i'll remove them
couple of days later.

Add RCS tags, remove unused header files and code, remove a few
unnecessary ifdefs...

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

Replace 'in6a_words' (old NRL convention) with 's6_addr32' (new BSDI et al.
convention that is more common and more specific as to the access size)

Demangled the INET6 stuff so as not to require any extra options and not to
be mutually exclusive with the IPSEC option.

Synchronized changes needed to integrate into OpenBSD with the NRL source
tree so we can have a unified netinet6 directory.

_KERNEL, and other cleanup

merge INPROTO_* tables

use _KERNEL, add ipv6intrq decl

missed file

Merge struct route and struct route_in6.

Use a common struct route for both inet and inet6. Unfortunately
struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has
to be exposed from net/route.h. Struct route has to be bsd visible
for userland as netstat kvm code inspects inp_route. Internet PCB
and TCP SYN cache can use a plain struct route now. All specific
sockaddr types for inet and inet6 are embeded there.

OK claudio@

Route cache function returns hit or miss.

The route_cache() function can easily return whether it was a cache
hit or miss. Then the logic to perform a route lookup gets a bit
simpler. Some more complicated if (ro->ro_rt == NULL) checks still
exist elsewhere.
Also use route cache in in_pcbselsrc() instead of filling struct
route manually.

OK claudio@

Use the route generation number also for IPv6.

Implement route6_cache() to check whether the cached route is still
valid and otherwise fill caching parameter of struct route_in6.
Also count cache hits and misses in netstat. in_pcbrtentry() uses
route cache now.

OK claudio@

Add route generation number to route cache.

The outgoing route is cached at the inpcb. This cache was only
invalidated when the socket closes or if the route gets invalid.
More specific routes were not detected. Especially with dynamic
routing protocols, sockets must be closed and reopened to use the
correct route. Running ping during a route change shows the problem.

To solve this, add a route generation number that is updated whenever
the routing table changes. The lookup in struct route is put into
the route_cache() function. If the generation number is too old,
the cached route gets discarded.

Implement route_cache() for ip_output() and ip_forward() first.
IPv6 and more places will follow.

OK claudio@

Declare address parameter in TCP SYN cache const.

tcp6_ctlinput() casted a constant sockaddr_sin6 to non-const sockaddr.
sa6_src may be &sa6_any which lives in read-only data section.
Better pass down the const addresses to syn_cache_lookup(). They
are needed for hash lookup and are not modified.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

rtable_match() takes constant destination.

For implementing MP safe route lookup, it helps to know which
function parameters are constant. Add some const declarations, so
that the compiler guarantees that sockaddr dst parameter of
rtable_match() does not change.

OK dlg@

factor out the code that does sanity checks on ipv6 headers and addresses.

this will allow these checks to be reused for ip packet inspection
in bridge, veb, and tpmr.

ok bluhm@ sashan@

spelling

ok gnezdo@ semarie@ mpi@

Convert ip6_sysctl to sysctl_bounded_args

Tighter limits and OK by sashan

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Kernel is missing propper input validation when configuring IPv6
addresses. Implement in6_sa2sin6() to validate inet6 address family
and address length. The SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6,
SIOCGIFAFLAG_IN6, SIOCGIFALIFETIME_IN6, and SIOCDIFADDR_IN6 ioctl(2)
are safe now.
OK visa@

In in_cksum() and in6_cksum() convert types to C99 style and make
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@

Convert inetctlerrmap to u_char like inet6ctlerrmap. That is also
what FreeBSD does. Remove old #if 0 version of inet6ctlerrmap.
OK mpi@

The global zero addresses must not change, mark them constant.
OK tb@ visa@

Implement RFC 7217: "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration."

"An IPv6 address configured using this method is stable within each
subnet, but the corresponding Interface Identifier changes when the
host moves from one network to another. This method is meant to be an
alternative to generating Interface Identifiers based on hardware
addresses."

OK naddy, sthen

Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running
pr_input handlers without KERNEL_LOCK().

ok visa@

Use in6_get_rand_ifid() instead of get_last_resort_ifid() and delete the
get_last_resort_ifid() function because eww.
Also if your system is so constraint that you end up in
in6_get_rand_ifid() you don't deserve a random ifid that stays
stable over reboots.
Simplify code a bit since get_ifid() can no longer fail. It couldn't
fail before either because that code path was #if 0'ed.
While here sprinkle in some in6_ prefixes, pointed out by stsp.
OK stsp

Validate sockaddr from userland in central functions. This results
in common checks for unix, inet, inet6 instead of partial checks
here and there. Some checks are already done at a higher layer,
but better be paranoid with user input.
OK claudio@ millert@

Get rid of ip6.maxifprefixes and ip6.maxifdefrouters, the kernel no
longer tracks prefixes or default routers from router advertisements.
Pointed out by jmc.
ports tree grepping sthen, who only found nsh
OK mpi, sthen

Keep ipv6_input() definition inside _KERNEL.

Unbreak userland, found the hardway by deraadt@

Introduce ipv{4,6}_input(), two wrappers around IP queues.

This will help transitionning to an un-KERNEL_LOCK()ed IP
forwarding path.

Disucssed with bluhm@, ok claudio@

Introduce sstosa() for converting sockaddr_storage with a type safe
inline function instead of casting it to sockaddr. While there,
use inline instead of __inline for all these conversions. Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@

Fix comments about a few ipv6 sockoptions

OK millert@ florian@

Remove PIM support from the multicast stack.

ok mpi@

Convert some of the remaining usages of time_second to time_uptime.

time_second is unix time so it can be affected by clock changes.
time_uptime is monotonic so it isnt affected by clock changes. that
in turn means route expiries wont jump with clock changes if set
against time_uptime.

the expiry is translated into unix time for export to userland though.

Should fix mismatch between route timers that were already converted
and ND default routers that were still using time_second.

Tested by matthieu@ and sthen@

ok sthen@, dlg@

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Kill sysctl net.inet6.ip6.rr_prune

We don't support Router Renumbering and there are no plans to change
that. ok mpi@

Remove sysctl net.inet6.ip6.v6only

This sysctl is a no-op, read-only since it was introduced. There are no
plans to support IPv4-mapped addresses on OpenBSD, thus this sysctl is
meaningless.

Noticed by djm@, ok claudio@ mpi@ sthen@ henning@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

RFC 2292 API support was removed 9 years ago, but left in a binary compat
ABI form for the sake of existing programs. no programs from that era have
been able to run for quite some time. Kill it all.
ok deraadt florian millert mpi
(I believe this is my first IPv6 diff. Future, here I come!)

in6_embedscope() needs to lose some weight. Remove the last argument.
In all but two calls NULL is passed and in the other 2 cases the ifp
is only used to maybe feed it to in6_selecthlim() to select the hoplimit
for the link. Since in6_embedscope() only works on link-local addresses
it does not matter what hop limit we select since the destination is
directly reachable.
OK florian@ mpi@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

More damned eye searing whitespace. No change to .o files.

ip6_sprintf is long gone; noticed by blambert

replace the use of ifqueues for most input queues serviced by netisr
with niqueues.

this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues id have to add sepearate code paths, one
for ifqueues and one for niqueues in each of these places

by flipping all these input queues at once i can keep the currently
common code common.

testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@

Implement 2 sysctl to retrieve the multicast forwarding cache (mf6c) and the
multicast interface table (mif6). Will be used by netstat soon.
Looked over by guenther@

provide a net.inet6.ip6.ifq sysctl so people can see and fiddle
with the ip6intrq.

ok claudio@

Correct some comments and merge in6_if_up() into in6_ifattach() to
reflect that IPv6 link-local addresses are no longer automagically
configured the first time an interface is brought up.

ok henning@, stsp@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

What have no need for a variable that holds the maximum MTU size of
interfaces with an IPv6 address.

ok henning@, mikeb@, deraadt@

Make the in6addr constant declarations and definitions consistent
in kernel and user land.
OK florian@ mpi@

Do not hand-roll all routers link local address.
pointed out & OK bluhm@

introduce the IFXF_AUTOCONF6 interface flag which controls wether we
accept rtadvs on that interface. the global net.inet6.ip6.accept_rtadv
sysctl just doesn't cut it, even tho the spec wants that - but in their
little absurd world, a host just has one interface by definition anyway...
the sysctlgoes away.
lots of head scratching, brain cell elemination etc from bluhm benno stsp
florian, excitement from simon and todd, ok bluhm stsp benno florian

Remove deprecated RFC2292 ancillary data convenience functions.
They are obsoleted by the RFC3542 api.

ok mpi@

move in6_cksum_phdr from in6.h to ip6_output.c to mirror in_cksum_phdr
ok henning@

Split the checksum calculation for IPv6 like for IPv4:
Always calculate the pseudo-header checksum.
Complete the checksum if hardware offload is not available.

Parts originally from NetBSD; ok henning@

kill kame version symbols and sysctl
ports tree grep run by sthen

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Significant namespace cleanup of netinet6 symbols.

One worrying bit is in icmp6.h where some htols() and htonl() are
added, which may affect compatibility down the line. This component
can be reverted if issues show up. Ports tree greps indicate no issue.

ok claudio mpi etc

There are gasps of shock! Add a pmtu delay sysctl BUTTON for netinet6,
making the code the same as netinet4 along the way.
ok bluhm phessler

put the cksum diff back, of course with the bug fixed where we could
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.

Convert the satosin, sintosa, ifatoia, satosin6, sin6tosa, ifatoia6
defines into static inline functions. This allows the compiler to
check the source type before casting.
liked by many; OK mpi@ haesbaert@

My lack of faith... These lines should stay, reported by ajacoutot@.

ok sthen@

tedu faith(4), suggested by todd@ some weeks ago after a submission by
dhill.

ok krw@, mikeb@, tedu@ (implicit)

backout csum diff for the moment, requested by theo

redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!

add IPV6_RECVDSTPORT socket option, which enables us to get original
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.

from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm

Improve POSIX/SUS compliance of <netdb.h>, <sys/socket.h>, and <sys/un.h>.

Much ports testing of various versions by naddy@ and jasper@
ok matthew@, miller@

Instead of <arpa/inet.h> pulling in <netinet/in.h>, just copy in the
three things that it needed from there: INET_ADDRSTRLEN, INET6_ADDRSTRLEN,
and struct in_addr. Add protecting #ifndefs to netinet6?/in6?.h for those.

ok deraadt@

Improve compliance for <arpa/inet.h> and <netinet/in.h> to define/declare
all the symbols that POSIX says they must and fewer that they can't and,
most importantly, to not require a specific ordering of headers.

ports testing by naddy@
ok millert@ deraadt@

rdomain support for IPv6
ok mikeb

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

recognize SO_RTABLE socket option at the SOL_SOCKET level;
discussed with and ok claudio

add a new IP level socket option IP_PIPEX. This option is used for L2TP
support by pipex.
OK henning@, "Carry on" blambert@

remove some unused netinet6 code
ok stsp@ henning@ claudio@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Simple implementation of RFC4941, "Privacy Extensions for Stateless
Address Autoconfiguration in IPv6". For those among us who are paranoid
about broadcasting their MAC address to the IPv6 internet.

Man page help from jmc, testing by weerd, arc4random API hints from djm.

ok deraadt, claudio

IPv6 support for divert sockets.

tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@

delay /etc/netstart until IPv6-DAD (dup-address-detection) is completed.
ok fries, hshoexer, claudio

From KAME, allow adjustable limits on NDP entries and discovered routes.

ok mpf naddy

use the right capitalization for platform names

ok jsing@

Fix KAME cvsweb urls

switch IPv6 advanced API from RFC2292 to RFC3542 (2292 is superseded by 3542).
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.

bump libc shlib minor for function additions.

tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.

introduce sysctl net.inet6.ip6.multicast_mtudisc (for multicast routers).
deraadt ok. manpage nit by jmc.

move comment to a line where it makes more sense

change semantics of ff01::/16 to interface local multicast
(to sync up with more recent IPv6 spec)

ok from: deraadt mcbride

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

Do the same thing as for IPv4. Use a sysctl to enable/disable mfrowarding
and additionaly make the code part of the MROUTING option. Put it in deraadt@

First step in include files overhaul. Use __FOO_VISIBLE (as defined
in sys/cdefs.h) instead of _FOO_SOURCE. Also fix several namespace
pollution issues, including the byte order defines. OK deraadt@

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

support IPV6_USE_MIN_MTU, to make BIND9 better.
(sorry about the mess yesterday)

back out tree breakage. Like, come on

support IPV6_USE_MIN_MTU, which is needed to run BIND9 well. from kame
markus ok

switch to sysctl_int_arr(); ok itojun, henning, miod, deraadt

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

sync with latest KAME in6_ifaddr/prefix/default router manipulation.
behavior changes:
- two iocts used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.

mistake in sysctl table

just for consistency/compatibility, have net.inet6.ip6.v6only sysctl MIB,
as well as set/getsockopt(IPV6_V6ONLY).

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

First round of __P removal in sys

branches: 1.25.2;
whitespace/comment sync with kame

comment; sockopt # 57-59 are also reserved

Add IPCOMP setsockopt policy controls. While here fix the other policies too

fix constness of IN6_{IS,ARE}_xx macros to conform to RFC2553.
sync with kame.

remove date string from KAME version identification, it is getting meaningless
as we merge random items daily. have comment that refers to kame COVERAGE
document. sync with kame

get rid of #ifdef IPV6FIREWALL (never used, will never be used)

pull in new pcb notification code from kame. better handling of scope address.

use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>

move IPv6 IPsec sysctl # downward, to avoid number conflict in *BSD.
angelos ok

don't pull sys/queue.h in. sync better with kame.

Fix typo; ds@ds.primasoft.bg

allow IPsec-related get/setsockopt on IPv6 socket. due to number conflict
they must be IPV6_xx instead of IP_xx.

actually, since in_ctloutput() does not check address family of inpcb,
getsockopt(IPPROTO_IP, IP_xx) may work - never tested this.

net.inet.ip.gif_ttl (and IPv6 counterpart) is never used.
enforce type checking on IN6_ARE_ADDR_EQUAL.

bring in recent KAME changes (only important and stable ones, as usual).
- remove net.inet6.ip6.nd6_proxyall. introduce proxy NDP code works
just like "arp -s".
- revise source address selection.
be more careful about use of yet-to-be-valid addresses as source.
- as router, transmit ICMP6_DST_UNREACH_BEYONDSCOPE against out-of-scope
packet forwarding attempt.
- path MTU discovery takes care of routing header properly.
- be more strict about mbuf chain parsing.
- nuke xxCTL_VARS #define, they are for BSDI.
- disable SIOCSIFDSTADDR_IN6/SIOCSIFNETMASK_IN6 ioctl, they do not fit
IPv6 model where multiple address on interface is normal.
(kernel side supports them for a while for backward compat,
the support will be nuked shortly)
- introduce "default outgoing interface" (for spec conformance in very
rare case)

use more modern types

branches: 1.10.2;
improve RFC2553/2292 conformance. netinet6/{ip6,icmp6,in6}.h should not
be included.
neitnet6/{ip6,icmp6}.h includes #error statements only - i'll remove them
couple of days later.

Add RCS tags, remove unused header files and code, remove a few
unnecessary ifdefs...

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

Replace 'in6a_words' (old NRL convention) with 's6_addr32' (new BSDI et al.
convention that is more common and more specific as to the access size)

Demangled the INET6 stuff so as not to require any extra options and not to
be mutually exclusive with the IPSEC option.

Synchronized changes needed to integrate into OpenBSD with the NRL source
tree so we can have a unified netinet6 directory.

_KERNEL, and other cleanup

merge INPROTO_* tables

use _KERNEL, add ipv6intrq decl

missed file

Route cache function returns hit or miss.

The route_cache() function can easily return whether it was a cache
hit or miss. Then the logic to perform a route lookup gets a bit
simpler. Some more complicated if (ro->ro_rt == NULL) checks still
exist elsewhere.
Also use route cache in in_pcbselsrc() instead of filling struct
route manually.

OK claudio@

Use the route generation number also for IPv6.

Implement route6_cache() to check whether the cached route is still
valid and otherwise fill caching parameter of struct route_in6.
Also count cache hits and misses in netstat. in_pcbrtentry() uses
route cache now.

OK claudio@

Add route generation number to route cache.

The outgoing route is cached at the inpcb. This cache was only
invalidated when the socket closes or if the route gets invalid.
More specific routes were not detected. Especially with dynamic
routing protocols, sockets must be closed and reopened to use the
correct route. Running ping during a route change shows the problem.

To solve this, add a route generation number that is updated whenever
the routing table changes. The lookup in struct route is put into
the route_cache() function. If the generation number is too old,
the cached route gets discarded.

Implement route_cache() for ip_output() and ip_forward() first.
IPv6 and more places will follow.

OK claudio@

Declare address parameter in TCP SYN cache const.

tcp6_ctlinput() casted a constant sockaddr_sin6 to non-const sockaddr.
sa6_src may be &sa6_any which lives in read-only data section.
Better pass down the const addresses to syn_cache_lookup(). They
are needed for hash lookup and are not modified.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

rtable_match() takes constant destination.

For implementing MP safe route lookup, it helps to know which
function parameters are constant. Add some const declarations, so
that the compiler guarantees that sockaddr dst parameter of
rtable_match() does not change.

OK dlg@

factor out the code that does sanity checks on ipv6 headers and addresses.

this will allow these checks to be reused for ip packet inspection
in bridge, veb, and tpmr.

ok bluhm@ sashan@

spelling

ok gnezdo@ semarie@ mpi@

Convert ip6_sysctl to sysctl_bounded_args

Tighter limits and OK by sashan

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Kernel is missing propper input validation when configuring IPv6
addresses. Implement in6_sa2sin6() to validate inet6 address family
and address length. The SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6,
SIOCGIFAFLAG_IN6, SIOCGIFALIFETIME_IN6, and SIOCDIFADDR_IN6 ioctl(2)
are safe now.
OK visa@

In in_cksum() and in6_cksum() convert types to C99 style and make
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@

Convert inetctlerrmap to u_char like inet6ctlerrmap. That is also
what FreeBSD does. Remove old #if 0 version of inet6ctlerrmap.
OK mpi@

The global zero addresses must not change, mark them constant.
OK tb@ visa@

Implement RFC 7217: "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration."

"An IPv6 address configured using this method is stable within each
subnet, but the corresponding Interface Identifier changes when the
host moves from one network to another. This method is meant to be an
alternative to generating Interface Identifiers based on hardware
addresses."

OK naddy, sthen

Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running
pr_input handlers without KERNEL_LOCK().

ok visa@

Use in6_get_rand_ifid() instead of get_last_resort_ifid() and delete the
get_last_resort_ifid() function because eww.
Also if your system is so constraint that you end up in
in6_get_rand_ifid() you don't deserve a random ifid that stays
stable over reboots.
Simplify code a bit since get_ifid() can no longer fail. It couldn't
fail before either because that code path was #if 0'ed.
While here sprinkle in some in6_ prefixes, pointed out by stsp.
OK stsp

Validate sockaddr from userland in central functions. This results
in common checks for unix, inet, inet6 instead of partial checks
here and there. Some checks are already done at a higher layer,
but better be paranoid with user input.
OK claudio@ millert@

Get rid of ip6.maxifprefixes and ip6.maxifdefrouters, the kernel no
longer tracks prefixes or default routers from router advertisements.
Pointed out by jmc.
ports tree grepping sthen, who only found nsh
OK mpi, sthen

Keep ipv6_input() definition inside _KERNEL.

Unbreak userland, found the hardway by deraadt@

Introduce ipv{4,6}_input(), two wrappers around IP queues.

This will help transitionning to an un-KERNEL_LOCK()ed IP
forwarding path.

Disucssed with bluhm@, ok claudio@

Introduce sstosa() for converting sockaddr_storage with a type safe
inline function instead of casting it to sockaddr. While there,
use inline instead of __inline for all these conversions. Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@

Fix comments about a few ipv6 sockoptions

OK millert@ florian@

Remove PIM support from the multicast stack.

ok mpi@

Convert some of the remaining usages of time_second to time_uptime.

time_second is unix time so it can be affected by clock changes.
time_uptime is monotonic so it isnt affected by clock changes. that
in turn means route expiries wont jump with clock changes if set
against time_uptime.

the expiry is translated into unix time for export to userland though.

Should fix mismatch between route timers that were already converted
and ND default routers that were still using time_second.

Tested by matthieu@ and sthen@

ok sthen@, dlg@

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Kill sysctl net.inet6.ip6.rr_prune

We don't support Router Renumbering and there are no plans to change
that. ok mpi@

Remove sysctl net.inet6.ip6.v6only

This sysctl is a no-op, read-only since it was introduced. There are no
plans to support IPv4-mapped addresses on OpenBSD, thus this sysctl is
meaningless.

Noticed by djm@, ok claudio@ mpi@ sthen@ henning@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

RFC 2292 API support was removed 9 years ago, but left in a binary compat
ABI form for the sake of existing programs. no programs from that era have
been able to run for quite some time. Kill it all.
ok deraadt florian millert mpi
(I believe this is my first IPv6 diff. Future, here I come!)

in6_embedscope() needs to lose some weight. Remove the last argument.
In all but two calls NULL is passed and in the other 2 cases the ifp
is only used to maybe feed it to in6_selecthlim() to select the hoplimit
for the link. Since in6_embedscope() only works on link-local addresses
it does not matter what hop limit we select since the destination is
directly reachable.
OK florian@ mpi@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

More damned eye searing whitespace. No change to .o files.

ip6_sprintf is long gone; noticed by blambert

replace the use of ifqueues for most input queues serviced by netisr
with niqueues.

this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues id have to add sepearate code paths, one
for ifqueues and one for niqueues in each of these places

by flipping all these input queues at once i can keep the currently
common code common.

testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@

Implement 2 sysctl to retrieve the multicast forwarding cache (mf6c) and the
multicast interface table (mif6). Will be used by netstat soon.
Looked over by guenther@

provide a net.inet6.ip6.ifq sysctl so people can see and fiddle
with the ip6intrq.

ok claudio@

Correct some comments and merge in6_if_up() into in6_ifattach() to
reflect that IPv6 link-local addresses are no longer automagically
configured the first time an interface is brought up.

ok henning@, stsp@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

What have no need for a variable that holds the maximum MTU size of
interfaces with an IPv6 address.

ok henning@, mikeb@, deraadt@

Make the in6addr constant declarations and definitions consistent
in kernel and user land.
OK florian@ mpi@

Do not hand-roll all routers link local address.
pointed out & OK bluhm@