On Thu, Oct 06, 2016 at 11:12:18PM +0200, Christian Weisgerber wrote:
> Something is very broken at the intersection of IPv6, NDP, and IPsec
> in -current.

I also see issues with IPv6 and NDP, but no IPsec involved.  There
are several other threads on bugs@ about broken IPv6.

It seems that sending neighbor solicitation retries for expired ND
entries does not work.  The diff below helps in my case, although
it is only a workaround and not MP safe.  It would be interesting
to know whether it also affects your scenario.

The RTF_CACHED code was introduced with this commit:
revision 1.190
date: 2016/08/22 16:01:52;  author: mpi;  state: Exp;  lines: +24 -6;  
commitid: Jx7agqiuXqs8RRGd;
Make the ``rt_gwroute'' pointer of RTF_GATEWAY entries immutable.

This means that no protection is needed to guarantee that the next hop
route won't be modified by CPU1 while CPU0 is dereferencing it in a L2
resolution functions.

While here also fix an ``ifa'' leak resulting in RTF_GATEWAY being always

dlg@ likes it, inputs and ok bluhm@


Index: netinet6/nd6.c
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/nd6.c,v
retrieving revision 1.193
diff -u -p -r1.193 nd6.c
--- netinet6/nd6.c      3 Oct 2016 12:33:21 -0000       1.193
+++ netinet6/nd6.c      13 Oct 2016 21:47:25 -0000
@@ -827,7 +827,7 @@ nd6_free(struct rtentry *rt, int gc)
         * caches, and disable the route entry not to be used in already
         * cached routes.
-       if (!ISSET(rt->rt_flags, RTF_STATIC|RTF_CACHED))
+       if (!ISSET(rt->rt_flags, RTF_STATIC))
                rtdeletemsg(rt, ifp, ifp->if_rdomain);
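
Review bot: the changed ISSET() test in nd6_free() lets RTF_CACHED entries reach rtdeletemsg(), which undoes the protection the flag arrived with. Revision 1.190 introduced it so that the next hop route is not modified by one CPU while another is dereferencing it, and the mail itself calls this diff a workaround that is not MP safe. If it goes in as a stopgap, add a comment at this test saying that RTF_CACHED is skipped on purpose and why, so the check is not mistaken for the final form. The real fix belongs in the neighbor solicitation retry path for expired ND entries, with RTF_STATIC|RTF_CACHED left intact here.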
