6e8e19ddfafd1f37e61e4ca21e73de2be509f3bd
[dragonfly.git] / sys / net / sppp / if_spppsubr.c
1 /*
2  * Synchronous PPP/Cisco link level subroutines.
3  * Keepalive protocol implemented in both Cisco and PPP modes.
4  *
5  * Copyright (C) 1994-1996 Cronyx Engineering Ltd.
6  * Author: Serge Vakulenko, <vak@cronyx.ru>
7  *
8  * Heavily revamped to conform to RFC 1661.
9  * Copyright (C) 1997, 2001 Joerg Wunsch.
10  *
11  * This software is distributed with NO WARRANTIES, not even the implied
12  * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
13  *
14  * Authors grant any other persons or organisations permission to use
15  * or modify this software as long as this message is kept with the software,
16  * all derivative works or modified versions.
17  *
18  * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997
19  *
20  * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $
21  * $DragonFly: src/sys/net/sppp/if_spppsubr.c,v 1.4 2003/08/07 21:54:32 dillon Exp $
22  */
23
24 #include <sys/param.h>
25
26 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
27 #include "opt_inet.h"
28 #include "opt_inet6.h"
29 #include "opt_ipx.h"
30 #endif
31
32 #ifdef NetBSD1_3
33 #  if NetBSD1_3 > 6
34 #      include "opt_inet.h"
35 #      include "opt_inet6.h"
36 #      include "opt_iso.h"
37 #  endif
38 #endif
39
40 #include <sys/systm.h>
41 #include <sys/kernel.h>
42 #include <sys/module.h>
43 #include <sys/sockio.h>
44 #include <sys/socket.h>
45 #include <sys/syslog.h>
46 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
47 #include <sys/random.h>
48 #endif
49 #include <sys/malloc.h>
50 #include <sys/mbuf.h>
51
52 #if defined (__OpenBSD__)
53 #include <sys/md5k.h>
54 #else
55 #include <sys/md5.h>
56 #endif
57
58 #include <net/if.h>
59 #include <net/netisr.h>
60 #include <net/if_types.h>
61 #include <net/route.h>
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <net/slcompress.h>
66
67 #if defined (__NetBSD__) || defined (__OpenBSD__)
68 #include <machine/cpu.h> /* XXX for softnet */
69 #endif
70
71 #include <machine/stdarg.h>
72
73 #include <netinet/in.h>
74 #include <netinet/in_systm.h>
75 #include <netinet/in_var.h>
76
77 #ifdef INET
78 #include <netinet/ip.h>
79 #include <netinet/tcp.h>
80 #endif
81
82 #if defined (__FreeBSD__) || defined (__OpenBSD__)
83 # include <netinet/if_ether.h>
84 #else
85 # include <net/ethertypes.h>
86 #endif
87
88 #ifdef IPX
89 #include <netproto/ipx/ipx.h>
90 #include <netproto/ipx/ipx_if.h>
91 #endif
92
93 #ifdef NS
94 #include <netns/ns.h>
95 #include <netns/ns_if.h>
96 #endif
97
98 #include "if_sppp.h"
99
100 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
101 # define UNTIMEOUT(fun, arg, handle) untimeout(fun, arg, handle)
102 # define TIMEOUT(fun, arg1, arg2, handle) handle = timeout(fun, arg1, arg2)
103 # define IOCTL_CMD_T    u_long
104 #else
105 # define UNTIMEOUT(fun, arg, handle) untimeout(fun, arg)
106 # define TIMEOUT(fun, arg1, arg2, handle) timeout(fun, arg1, arg2)
107 # define IOCTL_CMD_T    int
108 #endif
109
110 #define MAXALIVECNT     3               /* max. alive packets */
111
112 /*
113  * Interface flags that can be set in an ifconfig command.
114  *
115  * Setting link0 will make the link passive, i.e. it will be marked
116  * as being administrative openable, but won't be opened to begin
117  * with.  Incoming calls will be answered, or subsequent calls with
118  * -link1 will cause the administrative open of the LCP layer.
119  *
120  * Setting link1 will cause the link to auto-dial only as packets
121  * arrive to be sent.
122  *
123  * Setting IFF_DEBUG will syslog the option negotiation and state
124  * transitions at level kern.debug.  Note: all logs consistently look
125  * like
126  *
127  *   <if-name><unit>: <proto-name> <additional info...>
128  *
129  * with <if-name><unit> being something like "bppp0", and <proto-name>
130  * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc.
131  */
132
133 #define IFF_PASSIVE     IFF_LINK0       /* wait passively for connection */
134 #define IFF_AUTO        IFF_LINK1       /* auto-dial on output */
135 #define IFF_CISCO       IFF_LINK2       /* auto-dial on output */
136
137 #define PPP_ALLSTATIONS 0xff            /* All-Stations broadcast address */
138 #define PPP_UI          0x03            /* Unnumbered Information */
139 #define PPP_IP          0x0021          /* Internet Protocol */
140 #define PPP_ISO         0x0023          /* ISO OSI Protocol */
141 #define PPP_XNS         0x0025          /* Xerox NS Protocol */
142 #define PPP_IPX         0x002b          /* Novell IPX Protocol */
143 #define PPP_VJ_COMP     0x002d          /* VJ compressed TCP/IP */
144 #define PPP_VJ_UCOMP    0x002f          /* VJ uncompressed TCP/IP */
145 #define PPP_IPV6        0x0057          /* Internet Protocol Version 6 */
146 #define PPP_LCP         0xc021          /* Link Control Protocol */
147 #define PPP_PAP         0xc023          /* Password Authentication Protocol */
148 #define PPP_CHAP        0xc223          /* Challenge-Handshake Auth Protocol */
149 #define PPP_IPCP        0x8021          /* Internet Protocol Control Protocol */
150 #define PPP_IPV6CP      0x8057          /* IPv6 Control Protocol */
151
152 #define CONF_REQ        1               /* PPP configure request */
153 #define CONF_ACK        2               /* PPP configure acknowledge */
154 #define CONF_NAK        3               /* PPP configure negative ack */
155 #define CONF_REJ        4               /* PPP configure reject */
156 #define TERM_REQ        5               /* PPP terminate request */
157 #define TERM_ACK        6               /* PPP terminate acknowledge */
158 #define CODE_REJ        7               /* PPP code reject */
159 #define PROTO_REJ       8               /* PPP protocol reject */
160 #define ECHO_REQ        9               /* PPP echo request */
161 #define ECHO_REPLY      10              /* PPP echo reply */
162 #define DISC_REQ        11              /* PPP discard request */
163
164 #define LCP_OPT_MRU             1       /* maximum receive unit */
165 #define LCP_OPT_ASYNC_MAP       2       /* async control character map */
166 #define LCP_OPT_AUTH_PROTO      3       /* authentication protocol */
167 #define LCP_OPT_QUAL_PROTO      4       /* quality protocol */
168 #define LCP_OPT_MAGIC           5       /* magic number */
169 #define LCP_OPT_RESERVED        6       /* reserved */
170 #define LCP_OPT_PROTO_COMP      7       /* protocol field compression */
171 #define LCP_OPT_ADDR_COMP       8       /* address/control field compression */
172
173 #define IPCP_OPT_ADDRESSES      1       /* both IP addresses; deprecated */
174 #define IPCP_OPT_COMPRESSION    2       /* IP compression protocol (VJ) */
175 #define IPCP_OPT_ADDRESS        3       /* local IP address */
176
177 #define IPV6CP_OPT_IFID 1       /* interface identifier */
178 #define IPV6CP_OPT_COMPRESSION  2       /* IPv6 compression protocol */
179
180 #define IPCP_COMP_VJ            0x2d    /* Code for VJ compression */
181
182 #define PAP_REQ                 1       /* PAP name/password request */
183 #define PAP_ACK                 2       /* PAP acknowledge */
184 #define PAP_NAK                 3       /* PAP fail */
185
186 #define CHAP_CHALLENGE          1       /* CHAP challenge request */
187 #define CHAP_RESPONSE           2       /* CHAP challenge response */
188 #define CHAP_SUCCESS            3       /* CHAP response ok */
189 #define CHAP_FAILURE            4       /* CHAP response failed */
190
191 #define CHAP_MD5                5       /* hash algorithm - MD5 */
192
193 #define CISCO_MULTICAST         0x8f    /* Cisco multicast address */
194 #define CISCO_UNICAST           0x0f    /* Cisco unicast address */
195 #define CISCO_KEEPALIVE         0x8035  /* Cisco keepalive protocol */
196 #define CISCO_ADDR_REQ          0       /* Cisco address request */
197 #define CISCO_ADDR_REPLY        1       /* Cisco address reply */
198 #define CISCO_KEEPALIVE_REQ     2       /* Cisco keepalive request */
199
200 /* states are named and numbered according to RFC 1661 */
201 #define STATE_INITIAL   0
202 #define STATE_STARTING  1
203 #define STATE_CLOSED    2
204 #define STATE_STOPPED   3
205 #define STATE_CLOSING   4
206 #define STATE_STOPPING  5
207 #define STATE_REQ_SENT  6
208 #define STATE_ACK_RCVD  7
209 #define STATE_ACK_SENT  8
210 #define STATE_OPENED    9
211
212 struct ppp_header {
213         u_char address;
214         u_char control;
215         u_short protocol;
216 } __attribute__((__packed__));
217 #define PPP_HEADER_LEN          sizeof (struct ppp_header)
218
219 struct lcp_header {
220         u_char type;
221         u_char ident;
222         u_short len;
223 } __attribute__((__packed__));
224 #define LCP_HEADER_LEN          sizeof (struct lcp_header)
225
226 struct cisco_packet {
227         u_long type;
228         u_long par1;
229         u_long par2;
230         u_short rel;
231         u_short time0;
232         u_short time1;
233 } __attribute__((__packed__));
234 #define CISCO_PACKET_LEN        sizeof (struct cisco_packet)
235
236 /*
237  * We follow the spelling and capitalization of RFC 1661 here, to make
238  * it easier comparing with the standard.  Please refer to this RFC in
239  * case you can't make sense out of these abbreviation; it will also
240  * explain the semantics related to the various events and actions.
241  */
242 struct cp {
243         u_short proto;          /* PPP control protocol number */
244         u_char protoidx;        /* index into state table in struct sppp */
245         u_char flags;
246 #define CP_LCP          0x01    /* this is the LCP */
247 #define CP_AUTH         0x02    /* this is an authentication protocol */
248 #define CP_NCP          0x04    /* this is a NCP */
249 #define CP_QUAL         0x08    /* this is a quality reporting protocol */
250         const char *name;       /* name of this control protocol */
251         /* event handlers */
252         void    (*Up)(struct sppp *sp);
253         void    (*Down)(struct sppp *sp);
254         void    (*Open)(struct sppp *sp);
255         void    (*Close)(struct sppp *sp);
256         void    (*TO)(void *sp);
257         int     (*RCR)(struct sppp *sp, struct lcp_header *h, int len);
258         void    (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len);
259         void    (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len);
260         /* actions */
261         void    (*tlu)(struct sppp *sp);
262         void    (*tld)(struct sppp *sp);
263         void    (*tls)(struct sppp *sp);
264         void    (*tlf)(struct sppp *sp);
265         void    (*scr)(struct sppp *sp);
266 };
267
268 static struct sppp *spppq;
269 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
270 static struct callout_handle keepalive_ch;
271 #endif
272
273 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
274 #define SPP_FMT         "%s%d: "
275 #define SPP_ARGS(ifp)   (ifp)->if_name, (ifp)->if_unit
276 #else
277 #define SPP_FMT         "%s: "
278 #define SPP_ARGS(ifp)   (ifp)->if_xname
279 #endif
280
281 #ifdef INET
282 /*
283  * The following disgusting hack gets around the problem that IP TOS
284  * can't be set yet.  We want to put "interactive" traffic on a high
285  * priority queue.  To decide if traffic is interactive, we check that
286  * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control.
287  *
288  * XXX is this really still necessary?  - joerg -
289  */
290 static u_short interactive_ports[8] = {
291         0,      513,    0,      0,
292         0,      21,     0,      23,
293 };
294 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p))
295 #endif
296
297 /* almost every function needs these */
298 #define STDDCL                                                  \
299         struct ifnet *ifp = &sp->pp_if;                         \
300         int debug = ifp->if_flags & IFF_DEBUG
301
302 static int sppp_output(struct ifnet *ifp, struct mbuf *m,
303                        struct sockaddr *dst, struct rtentry *rt);
304
305 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2);
306 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m);
307
308 static void sppp_cp_input(const struct cp *cp, struct sppp *sp,
309                           struct mbuf *m);
310 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
311                          u_char ident, u_short len, void *data);
312 /* static void sppp_cp_timeout(void *arg); */
313 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp,
314                                  int newstate);
315 static void sppp_auth_send(const struct cp *cp,
316                            struct sppp *sp, unsigned int type, unsigned int id,
317                            ...);
318
319 static void sppp_up_event(const struct cp *cp, struct sppp *sp);
320 static void sppp_down_event(const struct cp *cp, struct sppp *sp);
321 static void sppp_open_event(const struct cp *cp, struct sppp *sp);
322 static void sppp_close_event(const struct cp *cp, struct sppp *sp);
323 static void sppp_to_event(const struct cp *cp, struct sppp *sp);
324
325 static void sppp_null(struct sppp *sp);
326
327 static void sppp_lcp_init(struct sppp *sp);
328 static void sppp_lcp_up(struct sppp *sp);
329 static void sppp_lcp_down(struct sppp *sp);
330 static void sppp_lcp_open(struct sppp *sp);
331 static void sppp_lcp_close(struct sppp *sp);
332 static void sppp_lcp_TO(void *sp);
333 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
334 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
335 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
336 static void sppp_lcp_tlu(struct sppp *sp);
337 static void sppp_lcp_tld(struct sppp *sp);
338 static void sppp_lcp_tls(struct sppp *sp);
339 static void sppp_lcp_tlf(struct sppp *sp);
340 static void sppp_lcp_scr(struct sppp *sp);
341 static void sppp_lcp_check_and_close(struct sppp *sp);
342 static int sppp_ncp_check(struct sppp *sp);
343
344 static void sppp_ipcp_init(struct sppp *sp);
345 static void sppp_ipcp_up(struct sppp *sp);
346 static void sppp_ipcp_down(struct sppp *sp);
347 static void sppp_ipcp_open(struct sppp *sp);
348 static void sppp_ipcp_close(struct sppp *sp);
349 static void sppp_ipcp_TO(void *sp);
350 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
351 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
352 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
353 static void sppp_ipcp_tlu(struct sppp *sp);
354 static void sppp_ipcp_tld(struct sppp *sp);
355 static void sppp_ipcp_tls(struct sppp *sp);
356 static void sppp_ipcp_tlf(struct sppp *sp);
357 static void sppp_ipcp_scr(struct sppp *sp);
358
359 static void sppp_ipv6cp_init(struct sppp *sp);
360 static void sppp_ipv6cp_up(struct sppp *sp);
361 static void sppp_ipv6cp_down(struct sppp *sp);
362 static void sppp_ipv6cp_open(struct sppp *sp);
363 static void sppp_ipv6cp_close(struct sppp *sp);
364 static void sppp_ipv6cp_TO(void *sp);
365 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len);
366 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
367 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
368 static void sppp_ipv6cp_tlu(struct sppp *sp);
369 static void sppp_ipv6cp_tld(struct sppp *sp);
370 static void sppp_ipv6cp_tls(struct sppp *sp);
371 static void sppp_ipv6cp_tlf(struct sppp *sp);
372 static void sppp_ipv6cp_scr(struct sppp *sp);
373
374 static void sppp_pap_input(struct sppp *sp, struct mbuf *m);
375 static void sppp_pap_init(struct sppp *sp);
376 static void sppp_pap_open(struct sppp *sp);
377 static void sppp_pap_close(struct sppp *sp);
378 static void sppp_pap_TO(void *sp);
379 static void sppp_pap_my_TO(void *sp);
380 static void sppp_pap_tlu(struct sppp *sp);
381 static void sppp_pap_tld(struct sppp *sp);
382 static void sppp_pap_scr(struct sppp *sp);
383
384 static void sppp_chap_input(struct sppp *sp, struct mbuf *m);
385 static void sppp_chap_init(struct sppp *sp);
386 static void sppp_chap_open(struct sppp *sp);
387 static void sppp_chap_close(struct sppp *sp);
388 static void sppp_chap_TO(void *sp);
389 static void sppp_chap_tlu(struct sppp *sp);
390 static void sppp_chap_tld(struct sppp *sp);
391 static void sppp_chap_scr(struct sppp *sp);
392
393 static const char *sppp_auth_type_name(u_short proto, u_char type);
394 static const char *sppp_cp_type_name(u_char type);
395 static const char *sppp_dotted_quad(u_long addr);
396 static const char *sppp_ipcp_opt_name(u_char opt);
397 #ifdef INET6
398 static const char *sppp_ipv6cp_opt_name(u_char opt);
399 #endif
400 static const char *sppp_lcp_opt_name(u_char opt);
401 static const char *sppp_phase_name(enum ppp_phase phase);
402 static const char *sppp_proto_name(u_short proto);
403 static const char *sppp_state_name(int state);
404 static int sppp_params(struct sppp *sp, u_long cmd, void *data);
405 static int sppp_strnlen(u_char *p, int max);
406 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst,
407                               u_long *srcmask);
408 static void sppp_keepalive(void *dummy);
409 static void sppp_phase_network(struct sppp *sp);
410 static void sppp_print_bytes(const u_char *p, u_short len);
411 static void sppp_print_string(const char *p, u_short len);
412 static void sppp_qflush(struct ifqueue *ifq);
413 static void sppp_set_ip_addr(struct sppp *sp, u_long src);
414 #ifdef INET6
415 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src,
416                                struct in6_addr *dst, struct in6_addr *srcmask);
417 #ifdef IPV6CP_MYIFID_DYN
418 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src);
419 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src);
420 #endif
421 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src);
422 #endif
423
424 /* our control protocol descriptors */
425 static const struct cp lcp = {
426         PPP_LCP, IDX_LCP, CP_LCP, "lcp",
427         sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close,
428         sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak,
429         sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf,
430         sppp_lcp_scr
431 };
432
433 static const struct cp ipcp = {
434         PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp",
435         sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close,
436         sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak,
437         sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf,
438         sppp_ipcp_scr
439 };
440
441 static const struct cp ipv6cp = {
442         PPP_IPV6CP, IDX_IPV6CP,
443 #ifdef INET6    /*don't run IPv6CP if there's no IPv6 support*/
444         CP_NCP,
445 #else
446         0,
447 #endif
448         "ipv6cp",
449         sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close,
450         sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak,
451         sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf,
452         sppp_ipv6cp_scr
453 };
454
455 static const struct cp pap = {
456         PPP_PAP, IDX_PAP, CP_AUTH, "pap",
457         sppp_null, sppp_null, sppp_pap_open, sppp_pap_close,
458         sppp_pap_TO, 0, 0, 0,
459         sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null,
460         sppp_pap_scr
461 };
462
463 static const struct cp chap = {
464         PPP_CHAP, IDX_CHAP, CP_AUTH, "chap",
465         sppp_null, sppp_null, sppp_chap_open, sppp_chap_close,
466         sppp_chap_TO, 0, 0, 0,
467         sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null,
468         sppp_chap_scr
469 };
470
471 static const struct cp *cps[IDX_COUNT] = {
472         &lcp,                   /* IDX_LCP */
473         &ipcp,                  /* IDX_IPCP */
474         &ipv6cp,                /* IDX_IPV6CP */
475         &pap,                   /* IDX_PAP */
476         &chap,                  /* IDX_CHAP */
477 };
478
479 static int
480 sppp_modevent(module_t mod, int type, void *unused)
481 {
482         switch (type) {
483         case MOD_LOAD:
484                 break;
485         case MOD_UNLOAD:
486                 return EACCES;
487                 break;
488         default:
489                 break;
490         }
491         return 0;
492 }
493 static moduledata_t spppmod = {
494         "sppp",
495         sppp_modevent,
496         0
497 };
498 MODULE_VERSION(sppp, 1);
499 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY);
500
501 /*
502  * Exported functions, comprising our interface to the lower layer.
503  */
504
505 /*
506  * Process the received packet.
507  */
508 void
509 sppp_input(struct ifnet *ifp, struct mbuf *m)
510 {
511         struct ppp_header *h;
512         struct ifqueue *inq = 0;
513         int s;
514         struct sppp *sp = (struct sppp *)ifp;
515         u_char *iphdr;
516         int hlen, vjlen, do_account = 0;
517         int debug = ifp->if_flags & IFF_DEBUG;
518
519         if (ifp->if_flags & IFF_UP)
520                 /* Count received bytes, add FCS and one flag */
521                 ifp->if_ibytes += m->m_pkthdr.len + 3;
522
523         if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
524                 /* Too small packet, drop it. */
525                 if (debug)
526                         log(LOG_DEBUG,
527                             SPP_FMT "input packet is too small, %d bytes\n",
528                             SPP_ARGS(ifp), m->m_pkthdr.len);
529           drop:
530                 m_freem (m);
531           drop2:
532                 ++ifp->if_ierrors;
533                 ++ifp->if_iqdrops;
534                 return;
535         }
536
537         /* Get PPP header. */
538         h = mtod (m, struct ppp_header*);
539         m_adj (m, PPP_HEADER_LEN);
540
541         switch (h->address) {
542         case PPP_ALLSTATIONS:
543                 if (h->control != PPP_UI)
544                         goto invalid;
545                 if (sp->pp_mode == IFF_CISCO) {
546                         if (debug)
547                                 log(LOG_DEBUG,
548                                     SPP_FMT "PPP packet in Cisco mode "
549                                     "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
550                                     SPP_ARGS(ifp),
551                                     h->address, h->control, ntohs(h->protocol));
552                         goto drop;
553                 }
554                 switch (ntohs (h->protocol)) {
555                 default:
556                         if (debug)
557                                 log(LOG_DEBUG,
558                                     SPP_FMT "rejecting protocol "
559                                     "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
560                                     SPP_ARGS(ifp),
561                                     h->address, h->control, ntohs(h->protocol));
562                         if (sp->state[IDX_LCP] == STATE_OPENED)
563                                 sppp_cp_send (sp, PPP_LCP, PROTO_REJ,
564                                         ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2,
565                                         &h->protocol);
566                         ++ifp->if_noproto;
567                         goto drop;
568                 case PPP_LCP:
569                         sppp_cp_input(&lcp, sp, m);
570                         m_freem (m);
571                         return;
572                 case PPP_PAP:
573                         if (sp->pp_phase >= PHASE_AUTHENTICATE)
574                                 sppp_pap_input(sp, m);
575                         m_freem (m);
576                         return;
577                 case PPP_CHAP:
578                         if (sp->pp_phase >= PHASE_AUTHENTICATE)
579                                 sppp_chap_input(sp, m);
580                         m_freem (m);
581                         return;
582 #ifdef INET
583                 case PPP_IPCP:
584                         if (sp->pp_phase == PHASE_NETWORK)
585                                 sppp_cp_input(&ipcp, sp, m);
586                         m_freem (m);
587                         return;
588                 case PPP_IP:
589                         if (sp->state[IDX_IPCP] == STATE_OPENED) {
590                                 schednetisr (NETISR_IP);
591                                 inq = &ipintrq;
592                         }
593                         do_account++;
594                         break;
595                 case PPP_VJ_COMP:
596                         if (sp->state[IDX_IPCP] == STATE_OPENED) {
597                                 if ((vjlen =
598                                      sl_uncompress_tcp_core(mtod(m, u_char *),
599                                                             m->m_len, m->m_len,
600                                                             TYPE_COMPRESSED_TCP,
601                                                             sp->pp_comp,
602                                                             &iphdr, &hlen)) <= 0) {
603                                         if (debug)
604                                                 log(LOG_INFO,
605                             SPP_FMT "VJ uncompress failed on compressed packet\n",
606                                                     SPP_ARGS(ifp));
607                                         goto drop;
608                                 }
609
610                                 /*
611                                  * Trim the VJ header off the packet, and prepend
612                                  * the uncompressed IP header (which will usually
613                                  * end up in two chained mbufs since there's not
614                                  * enough leading space in the existing mbuf).
615                                  */
616                                 m_adj(m, vjlen);
617                                 M_PREPEND(m, hlen, M_DONTWAIT);
618                                 if (m == NULL)
619                                         goto drop2;
620                                 bcopy(iphdr, mtod(m, u_char *), hlen);
621
622                                 schednetisr (NETISR_IP);
623                                 inq = &ipintrq;
624                         }
625                         do_account++;
626                         break;
627                 case PPP_VJ_UCOMP:
628                         if (sp->state[IDX_IPCP] == STATE_OPENED) {
629                                 if (sl_uncompress_tcp_core(mtod(m, u_char *),
630                                                            m->m_len, m->m_len,
631                                                            TYPE_UNCOMPRESSED_TCP,
632                                                            sp->pp_comp,
633                                                            &iphdr, &hlen) != 0) {
634                                         if (debug)
635                                                 log(LOG_INFO,
636                             SPP_FMT "VJ uncompress failed on uncompressed packet\n",
637                                                     SPP_ARGS(ifp));
638                                         goto drop;
639                                 }
640                                 schednetisr (NETISR_IP);
641                                 inq = &ipintrq;
642                         }
643                         do_account++;
644                         break;
645 #endif
646 #ifdef INET6
647                 case PPP_IPV6CP:
648                         if (sp->pp_phase == PHASE_NETWORK)
649                             sppp_cp_input(&ipv6cp, sp, m);
650                         m_freem (m);
651                         return;
652
653                 case PPP_IPV6:
654                         if (sp->state[IDX_IPV6CP] == STATE_OPENED) {
655                                 schednetisr (NETISR_IPV6);
656                                 inq = &ip6intrq;
657                         }
658                         do_account++;
659                         break;
660 #endif
661 #ifdef IPX
662                 case PPP_IPX:
663                         /* IPX IPXCP not implemented yet */
664                         if (sp->pp_phase == PHASE_NETWORK) {
665                                 schednetisr (NETISR_IPX);
666                                 inq = &ipxintrq;
667                         }
668                         do_account++;
669                         break;
670 #endif
671 #ifdef NS
672                 case PPP_XNS:
673                         /* XNS IDPCP not implemented yet */
674                         if (sp->pp_phase == PHASE_NETWORK) {
675                                 schednetisr (NETISR_NS);
676                                 inq = &nsintrq;
677                         }
678                         do_account++;
679                         break;
680 #endif
681                 }
682                 break;
683         case CISCO_MULTICAST:
684         case CISCO_UNICAST:
685                 /* Don't check the control field here (RFC 1547). */
686                 if (sp->pp_mode != IFF_CISCO) {
687                         if (debug)
688                                 log(LOG_DEBUG,
689                                     SPP_FMT "Cisco packet in PPP mode "
690                                     "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
691                                     SPP_ARGS(ifp),
692                                     h->address, h->control, ntohs(h->protocol));
693                         goto drop;
694                 }
695                 switch (ntohs (h->protocol)) {
696                 default:
697                         ++ifp->if_noproto;
698                         goto invalid;
699                 case CISCO_KEEPALIVE:
700                         sppp_cisco_input ((struct sppp*) ifp, m);
701                         m_freem (m);
702                         return;
703 #ifdef INET
704                 case ETHERTYPE_IP:
705                         schednetisr (NETISR_IP);
706                         inq = &ipintrq;
707                         do_account++;
708                         break;
709 #endif
710 #ifdef INET6
711                 case ETHERTYPE_IPV6:
712                         schednetisr (NETISR_IPV6);
713                         inq = &ip6intrq;
714                         do_account++;
715                         break;
716 #endif
717 #ifdef IPX
718                 case ETHERTYPE_IPX:
719                         schednetisr (NETISR_IPX);
720                         inq = &ipxintrq;
721                         do_account++;
722                         break;
723 #endif
724 #ifdef NS
725                 case ETHERTYPE_NS:
726                         schednetisr (NETISR_NS);
727                         inq = &nsintrq;
728                         do_account++;
729                         break;
730 #endif
731                 }
732                 break;
733         default:        /* Invalid PPP packet. */
734           invalid:
735                 if (debug)
736                         log(LOG_DEBUG,
737                             SPP_FMT "invalid input packet "
738                             "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
739                             SPP_ARGS(ifp),
740                             h->address, h->control, ntohs(h->protocol));
741                 goto drop;
742         }
743
744         if (! (ifp->if_flags & IFF_UP) || ! inq)
745                 goto drop;
746
747         /* Check queue. */
748         s = splimp();
749         if (IF_QFULL (inq)) {
750                 /* Queue overflow. */
751                 IF_DROP(inq);
752                 splx(s);
753                 if (debug)
754                         log(LOG_DEBUG, SPP_FMT "protocol queue overflow\n",
755                                 SPP_ARGS(ifp));
756                 goto drop;
757         }
758         IF_ENQUEUE(inq, m);
759         splx(s);
760         if (do_account)
761                 /*
762                  * Do only account for network packets, not for control
763                  * packets.  This is used by some subsystems to detect
764                  * idle lines.
765                  */
766                 sp->pp_last_recv = time_second;
767 }
768
769 /*
770  * Enqueue transmit packet.
771  */
772 static int
773 sppp_output(struct ifnet *ifp, struct mbuf *m,
774             struct sockaddr *dst, struct rtentry *rt)
775 {
776         struct sppp *sp = (struct sppp*) ifp;
777         struct ppp_header *h;
778         struct ifqueue *ifq = NULL;
779         int s, rv = 0;
780         int ipproto = PPP_IP;
781         int debug = ifp->if_flags & IFF_DEBUG;
782
783         s = splimp();
784
785         if ((ifp->if_flags & IFF_UP) == 0 ||
786             (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) {
787 #ifdef INET6
788           drop:
789 #endif
790                 m_freem (m);
791                 splx (s);
792                 return (ENETDOWN);
793         }
794
795         if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) {
796 #ifdef INET6
797                 /*
798                  * XXX
799                  *
800                  * Hack to prevent the initialization-time generated
801                  * IPv6 multicast packet to erroneously cause a
802                  * dialout event in case IPv6 has been
803                  * administratively disabled on that interface.
804                  */
805                 if (dst->sa_family == AF_INET6 &&
806                     !(sp->confflags & CONF_ENABLE_IPV6))
807                         goto drop;
808 #endif
809                 /*
810                  * Interface is not yet running, but auto-dial.  Need
811                  * to start LCP for it.
812                  */
813                 ifp->if_flags |= IFF_RUNNING;
814                 splx(s);
815                 lcp.Open(sp);
816                 s = splimp();
817         }
818
819         ifq = &ifp->if_snd;
820 #ifdef INET
821         if (dst->sa_family == AF_INET) {
822                 /* XXX Check mbuf length here? */
823                 struct ip *ip = mtod (m, struct ip*);
824                 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl);
825
826                 /*
827                  * When using dynamic local IP address assignment by using
828                  * 0.0.0.0 as a local address, the first TCP session will
829                  * not connect because the local TCP checksum is computed
830                  * using 0.0.0.0 which will later become our real IP address
831                  * so the TCP checksum computed at the remote end will
832                  * become invalid. So we
833                  * - don't let packets with src ip addr 0 thru
834                  * - we flag TCP packets with src ip 0 as an error
835                  */
836
837                 if(ip->ip_src.s_addr == INADDR_ANY)     /* -hm */
838                 {
839                         m_freem(m);
840                         splx(s);
841                         if(ip->ip_p == IPPROTO_TCP)
842                                 return(EADDRNOTAVAIL);
843                         else
844                                 return(0);
845                 }
846
847                 /*
848                  * Put low delay, telnet, rlogin and ftp control packets
849                  * in front of the queue.
850                  */
851                 if (IF_QFULL (&sp->pp_fastq))
852                         ;
853                 else if (ip->ip_tos & IPTOS_LOWDELAY)
854                         ifq = &sp->pp_fastq;
855                 else if (m->m_len < sizeof *ip + sizeof *tcp)
856                         ;
857                 else if (ip->ip_p != IPPROTO_TCP)
858                         ;
859                 else if (INTERACTIVE (ntohs (tcp->th_sport)))
860                         ifq = &sp->pp_fastq;
861                 else if (INTERACTIVE (ntohs (tcp->th_dport)))
862                         ifq = &sp->pp_fastq;
863
864                 /*
865                  * Do IP Header compression
866                  */
867                 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) &&
868                     ip->ip_p == IPPROTO_TCP)
869                         switch (sl_compress_tcp(m, ip, sp->pp_comp,
870                                                 sp->ipcp.compress_cid)) {
871                         case TYPE_COMPRESSED_TCP:
872                                 ipproto = PPP_VJ_COMP;
873                                 break;
874                         case TYPE_UNCOMPRESSED_TCP:
875                                 ipproto = PPP_VJ_UCOMP;
876                                 break;
877                         case TYPE_IP:
878                                 ipproto = PPP_IP;
879                                 break;
880                         default:
881                                 m_freem(m);
882                                 splx(s);
883                                 return (EINVAL);
884                         }
885         }
886 #endif
887
888 #ifdef INET6
889         if (dst->sa_family == AF_INET6) {
890                 /* XXX do something tricky here? */
891         }
892 #endif
893
894         /*
895          * Prepend general data packet PPP header. For now, IP only.
896          */
897         M_PREPEND (m, PPP_HEADER_LEN, M_DONTWAIT);
898         if (! m) {
899                 if (debug)
900                         log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n",
901                                 SPP_ARGS(ifp));
902                 ++ifp->if_oerrors;
903                 splx (s);
904                 return (ENOBUFS);
905         }
906         /*
907          * May want to check size of packet
908          * (albeit due to the implementation it's always enough)
909          */
910         h = mtod (m, struct ppp_header*);
911         if (sp->pp_mode == IFF_CISCO) {
912                 h->address = CISCO_UNICAST;        /* unicast address */
913                 h->control = 0;
914         } else {
915                 h->address = PPP_ALLSTATIONS;        /* broadcast address */
916                 h->control = PPP_UI;                 /* Unnumbered Info */
917         }
918
919         switch (dst->sa_family) {
920 #ifdef INET
921         case AF_INET:   /* Internet Protocol */
922                 if (sp->pp_mode == IFF_CISCO)
923                         h->protocol = htons (ETHERTYPE_IP);
924                 else {
925                         /*
926                          * Don't choke with an ENETDOWN early.  It's
927                          * possible that we just started dialing out,
928                          * so don't drop the packet immediately.  If
929                          * we notice that we run out of buffer space
930                          * below, we will however remember that we are
931                          * not ready to carry IP packets, and return
932                          * ENETDOWN, as opposed to ENOBUFS.
933                          */
934                         h->protocol = htons(ipproto);
935                         if (sp->state[IDX_IPCP] != STATE_OPENED)
936                                 rv = ENETDOWN;
937                 }
938                 break;
939 #endif
940 #ifdef INET6
941         case AF_INET6:   /* Internet Protocol */
942                 if (sp->pp_mode == IFF_CISCO)
943                         h->protocol = htons (ETHERTYPE_IPV6);
944                 else {
945                         /*
946                          * Don't choke with an ENETDOWN early.  It's
947                          * possible that we just started dialing out,
948                          * so don't drop the packet immediately.  If
949                          * we notice that we run out of buffer space
950                          * below, we will however remember that we are
951                          * not ready to carry IP packets, and return
952                          * ENETDOWN, as opposed to ENOBUFS.
953                          */
954                         h->protocol = htons(PPP_IPV6);
955                         if (sp->state[IDX_IPV6CP] != STATE_OPENED)
956                                 rv = ENETDOWN;
957                 }
958                 break;
959 #endif
960 #ifdef NS
961         case AF_NS:     /* Xerox NS Protocol */
962                 h->protocol = htons (sp->pp_mode == IFF_CISCO ?
963                         ETHERTYPE_NS : PPP_XNS);
964                 break;
965 #endif
966 #ifdef IPX
967         case AF_IPX:     /* Novell IPX Protocol */
968                 h->protocol = htons (sp->pp_mode == IFF_CISCO ?
969                         ETHERTYPE_IPX : PPP_IPX);
970                 break;
971 #endif
972         default:
973                 m_freem (m);
974                 ++ifp->if_oerrors;
975                 splx (s);
976                 return (EAFNOSUPPORT);
977         }
978
979         /*
980          * Queue message on interface, and start output if interface
981          * not yet active.
982          */
983         if (IF_QFULL (ifq)) {
984                 IF_DROP (&ifp->if_snd);
985                 m_freem (m);
986                 ++ifp->if_oerrors;
987                 splx (s);
988                 return (rv? rv: ENOBUFS);
989         }
990         IF_ENQUEUE (ifq, m);
991         if (! (ifp->if_flags & IFF_OACTIVE))
992                 (*ifp->if_start) (ifp);
993
994         /*
995          * Count output packets and bytes.
996          * The packet length includes header, FCS and 1 flag,
997          * according to RFC 1333.
998          */
999         ifp->if_obytes += m->m_pkthdr.len + 3;
1000         splx (s);
1001         /*
1002          * Unlike in sppp_input(), we can always bump the timestamp
1003          * here since sppp_output() is only called on behalf of
1004          * network-layer traffic; control-layer traffic is handled
1005          * by sppp_cp_send().
1006          */
1007         sp->pp_last_sent = time_second;
1008         return (0);
1009 }
1010
1011 void
1012 sppp_attach(struct ifnet *ifp)
1013 {
1014         struct sppp *sp = (struct sppp*) ifp;
1015
1016         /* Initialize keepalive handler. */
1017         if (! spppq)
1018                 TIMEOUT(sppp_keepalive, 0, hz * 10, keepalive_ch);
1019
1020         /* Insert new entry into the keepalive list. */
1021         sp->pp_next = spppq;
1022         spppq = sp;
1023
1024         sp->pp_if.if_mtu = PP_MTU;
1025         sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
1026         sp->pp_if.if_type = IFT_PPP;
1027         sp->pp_if.if_output = sppp_output;
1028 #if 0
1029         sp->pp_flags = PP_KEEPALIVE;
1030 #endif
1031         sp->pp_if.if_snd.ifq_maxlen = 32;
1032         sp->pp_fastq.ifq_maxlen = 32;
1033         sp->pp_cpq.ifq_maxlen = 20;
1034         sp->pp_loopcnt = 0;
1035         sp->pp_alivecnt = 0;
1036         bzero(&sp->pp_seq[0], sizeof(sp->pp_seq));
1037         bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq));
1038         sp->pp_phase = PHASE_DEAD;
1039         sp->pp_up = lcp.Up;
1040         sp->pp_down = lcp.Down;
1041         sp->pp_last_recv = sp->pp_last_sent = time_second;
1042         sp->confflags = 0;
1043 #ifdef INET
1044         sp->confflags |= CONF_ENABLE_VJ;
1045 #endif
1046 #ifdef INET6
1047         sp->confflags |= CONF_ENABLE_IPV6;
1048 #endif
1049         sp->pp_comp = malloc(sizeof(struct slcompress), M_TEMP, M_WAIT);
1050         sl_compress_init(sp->pp_comp, -1);
1051         sppp_lcp_init(sp);
1052         sppp_ipcp_init(sp);
1053         sppp_ipv6cp_init(sp);
1054         sppp_pap_init(sp);
1055         sppp_chap_init(sp);
1056 }
1057
1058 void
1059 sppp_detach(struct ifnet *ifp)
1060 {
1061         struct sppp **q, *p, *sp = (struct sppp*) ifp;
1062         int i;
1063
1064         /* Remove the entry from the keepalive list. */
1065         for (q = &spppq; (p = *q); q = &p->pp_next)
1066                 if (p == sp) {
1067                         *q = p->pp_next;
1068                         break;
1069                 }
1070
1071         /* Stop keepalive handler. */
1072         if (! spppq)
1073                 UNTIMEOUT(sppp_keepalive, 0, keepalive_ch);
1074
1075         for (i = 0; i < IDX_COUNT; i++)
1076                 UNTIMEOUT((cps[i])->TO, (void *)sp, sp->ch[i]);
1077         UNTIMEOUT(sppp_pap_my_TO, (void *)sp, sp->pap_my_to_ch);
1078 }
1079
1080 /*
1081  * Flush the interface output queue.
1082  */
1083 void
1084 sppp_flush(struct ifnet *ifp)
1085 {
1086         struct sppp *sp = (struct sppp*) ifp;
1087
1088         sppp_qflush (&sp->pp_if.if_snd);
1089         sppp_qflush (&sp->pp_fastq);
1090         sppp_qflush (&sp->pp_cpq);
1091 }
1092
1093 /*
1094  * Check if the output queue is empty.
1095  */
1096 int
1097 sppp_isempty(struct ifnet *ifp)
1098 {
1099         struct sppp *sp = (struct sppp*) ifp;
1100         int empty, s;
1101
1102         s = splimp();
1103         empty = !sp->pp_fastq.ifq_head && !sp->pp_cpq.ifq_head &&
1104                 !sp->pp_if.if_snd.ifq_head;
1105         splx(s);
1106         return (empty);
1107 }
1108
1109 /*
1110  * Get next packet to send.
1111  */
1112 struct mbuf *
1113 sppp_dequeue(struct ifnet *ifp)
1114 {
1115         struct sppp *sp = (struct sppp*) ifp;
1116         struct mbuf *m;
1117         int s;
1118
1119         s = splimp();
1120         /*
1121          * Process only the control protocol queue until we have at
1122          * least one NCP open.
1123          *
1124          * Do always serve all three queues in Cisco mode.
1125          */
1126         IF_DEQUEUE(&sp->pp_cpq, m);
1127         if (m == NULL &&
1128             (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) {
1129                 IF_DEQUEUE(&sp->pp_fastq, m);
1130                 if (m == NULL)
1131                         IF_DEQUEUE (&sp->pp_if.if_snd, m);
1132         }
1133         splx(s);
1134         return m;
1135 }
1136
1137 /*
1138  * Pick the next packet, do not remove it from the queue.
1139  */
1140 struct mbuf *
1141 sppp_pick(struct ifnet *ifp)
1142 {
1143         struct sppp *sp = (struct sppp*)ifp;
1144         struct mbuf *m;
1145         int s;
1146
1147         s= splimp ();
1148
1149         m = sp->pp_cpq.ifq_head;
1150         if (m == NULL &&
1151             (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO))
1152                 if ((m = sp->pp_fastq.ifq_head) == NULL)
1153                         m = sp->pp_if.if_snd.ifq_head;
1154         splx (s);
1155         return (m);
1156 }
1157
1158 /*
1159  * Process an ioctl request.  Called on low priority level.
1160  */
1161 int
1162 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data)
1163 {
1164         struct ifreq *ifr = (struct ifreq*) data;
1165         struct sppp *sp = (struct sppp*) ifp;
1166         int s, rv, going_up, going_down, newmode;
1167
1168         s = splimp();
1169         rv = 0;
1170         switch (cmd) {
1171         case SIOCAIFADDR:
1172         case SIOCSIFDSTADDR:
1173                 break;
1174
1175         case SIOCSIFADDR:
1176                 /* set the interface "up" when assigning an IP address */
1177                 ifp->if_flags |= IFF_UP;
1178                 /* fall through... */
1179
1180         case SIOCSIFFLAGS:
1181                 going_up = ifp->if_flags & IFF_UP &&
1182                         (ifp->if_flags & IFF_RUNNING) == 0;
1183                 going_down = (ifp->if_flags & IFF_UP) == 0 &&
1184                         ifp->if_flags & IFF_RUNNING;
1185
1186                 newmode = ifp->if_flags & IFF_PASSIVE;
1187                 if (!newmode)
1188                         newmode = ifp->if_flags & IFF_AUTO;
1189                 if (!newmode)
1190                         newmode = ifp->if_flags & IFF_CISCO;
1191                 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO);
1192                 ifp->if_flags |= newmode;
1193
1194                 if (newmode != sp->pp_mode) {
1195                         going_down = 1;
1196                         if (!going_up)
1197                                 going_up = ifp->if_flags & IFF_RUNNING;
1198                 }
1199
1200                 if (going_down) {
1201                         if (sp->pp_mode != IFF_CISCO)
1202                                 lcp.Close(sp);
1203                         else if (sp->pp_tlf)
1204                                 (sp->pp_tlf)(sp);
1205                         sppp_flush(ifp);
1206                         ifp->if_flags &= ~IFF_RUNNING;
1207                         sp->pp_mode = newmode;
1208                 }
1209
1210                 if (going_up) {
1211                         if (sp->pp_mode != IFF_CISCO)
1212                                 lcp.Close(sp);
1213                         sp->pp_mode = newmode;
1214                         if (sp->pp_mode == 0) {
1215                                 ifp->if_flags |= IFF_RUNNING;
1216                                 lcp.Open(sp);
1217                         }
1218                         if (sp->pp_mode == IFF_CISCO) {
1219                                 if (sp->pp_tls)
1220                                         (sp->pp_tls)(sp);
1221                                 ifp->if_flags |= IFF_RUNNING;
1222                         }
1223                 }
1224
1225                 break;
1226
1227 #ifdef SIOCSIFMTU
1228 #ifndef ifr_mtu
1229 #define ifr_mtu ifr_metric
1230 #endif
1231         case SIOCSIFMTU:
1232                 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru)
1233                         return (EINVAL);
1234                 ifp->if_mtu = ifr->ifr_mtu;
1235                 break;
1236 #endif
1237 #ifdef SLIOCSETMTU
1238         case SLIOCSETMTU:
1239                 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru)
1240                         return (EINVAL);
1241                 ifp->if_mtu = *(short*)data;
1242                 break;
1243 #endif
1244 #ifdef SIOCGIFMTU
1245         case SIOCGIFMTU:
1246                 ifr->ifr_mtu = ifp->if_mtu;
1247                 break;
1248 #endif
1249 #ifdef SLIOCGETMTU
1250         case SLIOCGETMTU:
1251                 *(short*)data = ifp->if_mtu;
1252                 break;
1253 #endif
1254         case SIOCADDMULTI:
1255         case SIOCDELMULTI:
1256                 break;
1257
1258         case SIOCGIFGENERIC:
1259         case SIOCSIFGENERIC:
1260                 rv = sppp_params(sp, cmd, data);
1261                 break;
1262
1263         default:
1264                 rv = ENOTTY;
1265         }
1266         splx(s);
1267         return rv;
1268 }
1269
1270 /*
1271  * Cisco framing implementation.
1272  */
1273
1274 /*
1275  * Handle incoming Cisco keepalive protocol packets.
1276  */
1277 static void
1278 sppp_cisco_input(struct sppp *sp, struct mbuf *m)
1279 {
1280         STDDCL;
1281         struct cisco_packet *h;
1282         u_long me, mymask;
1283
1284         if (m->m_pkthdr.len < CISCO_PACKET_LEN) {
1285                 if (debug)
1286                         log(LOG_DEBUG,
1287                             SPP_FMT "cisco invalid packet length: %d bytes\n",
1288                             SPP_ARGS(ifp), m->m_pkthdr.len);
1289                 return;
1290         }
1291         h = mtod (m, struct cisco_packet*);
1292         if (debug)
1293                 log(LOG_DEBUG,
1294                     SPP_FMT "cisco input: %d bytes "
1295                     "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n",
1296                     SPP_ARGS(ifp), m->m_pkthdr.len,
1297                     (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel,
1298                     (u_int)h->time0, (u_int)h->time1);
1299         switch (ntohl (h->type)) {
1300         default:
1301                 if (debug)
1302                         addlog(SPP_FMT "cisco unknown packet type: 0x%lx\n",
1303                                SPP_ARGS(ifp), (u_long)ntohl (h->type));
1304                 break;
1305         case CISCO_ADDR_REPLY:
1306                 /* Reply on address request, ignore */
1307                 break;
1308         case CISCO_KEEPALIVE_REQ:
1309                 sp->pp_alivecnt = 0;
1310                 sp->pp_rseq[IDX_LCP] = ntohl (h->par1);
1311                 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) {
1312                         /* Local and remote sequence numbers are equal.
1313                          * Probably, the line is in loopback mode. */
1314                         if (sp->pp_loopcnt >= MAXALIVECNT) {
1315                                 printf (SPP_FMT "loopback\n",
1316                                         SPP_ARGS(ifp));
1317                                 sp->pp_loopcnt = 0;
1318                                 if (ifp->if_flags & IFF_UP) {
1319                                         if_down (ifp);
1320                                         sppp_qflush (&sp->pp_cpq);
1321                                 }
1322                         }
1323                         ++sp->pp_loopcnt;
1324
1325                         /* Generate new local sequence number */
1326 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
1327                         sp->pp_seq[IDX_LCP] = random();
1328 #else
1329                         sp->pp_seq[IDX_LCP] ^= time.tv_sec ^ time.tv_usec;
1330 #endif
1331                         break;
1332                 }
1333                 sp->pp_loopcnt = 0;
1334                 if (! (ifp->if_flags & IFF_UP) &&
1335                     (ifp->if_flags & IFF_RUNNING)) {
1336                         if_up(ifp);
1337                         printf (SPP_FMT "up\n", SPP_ARGS(ifp));
1338                 }
1339                 break;
1340         case CISCO_ADDR_REQ:
1341                 sppp_get_ip_addrs(sp, &me, 0, &mymask);
1342                 if (me != 0L)
1343                         sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask);
1344                 break;
1345         }
1346 }
1347
1348 /*
1349  * Send Cisco keepalive packet.
1350  */
1351 static void
1352 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2)
1353 {
1354         STDDCL;
1355         struct ppp_header *h;
1356         struct cisco_packet *ch;
1357         struct mbuf *m;
1358 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
1359         struct timeval tv;
1360 #else
1361         u_long t = (time.tv_sec - boottime.tv_sec) * 1000;
1362 #endif
1363
1364 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
1365         getmicrouptime(&tv);
1366 #endif
1367
1368         MGETHDR (m, M_DONTWAIT, MT_DATA);
1369         if (! m)
1370                 return;
1371         m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN;
1372         m->m_pkthdr.rcvif = 0;
1373
1374         h = mtod (m, struct ppp_header*);
1375         h->address = CISCO_MULTICAST;
1376         h->control = 0;
1377         h->protocol = htons (CISCO_KEEPALIVE);
1378
1379         ch = (struct cisco_packet*) (h + 1);
1380         ch->type = htonl (type);
1381         ch->par1 = htonl (par1);
1382         ch->par2 = htonl (par2);
1383         ch->rel = -1;
1384
1385 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
1386         ch->time0 = htons ((u_short) (tv.tv_sec >> 16));
1387         ch->time1 = htons ((u_short) tv.tv_sec);
1388 #else
1389         ch->time0 = htons ((u_short) (t >> 16));
1390         ch->time1 = htons ((u_short) t);
1391 #endif
1392
1393         if (debug)
1394                 log(LOG_DEBUG,
1395                     SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n",
1396                         SPP_ARGS(ifp), (u_long)ntohl (ch->type), (u_long)ch->par1,
1397                         (u_long)ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1);
1398
1399         if (IF_QFULL (&sp->pp_cpq)) {
1400                 IF_DROP (&sp->pp_fastq);
1401                 IF_DROP (&ifp->if_snd);
1402                 m_freem (m);
1403         } else
1404                 IF_ENQUEUE (&sp->pp_cpq, m);
1405         if (! (ifp->if_flags & IFF_OACTIVE))
1406                 (*ifp->if_start) (ifp);
1407         ifp->if_obytes += m->m_pkthdr.len + 3;
1408 }
1409
1410 /*
1411  * PPP protocol implementation.
1412  */
1413
1414 /*
1415  * Send PPP control protocol packet.
1416  */
1417 static void
1418 sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
1419              u_char ident, u_short len, void *data)
1420 {
1421         STDDCL;
1422         struct ppp_header *h;
1423         struct lcp_header *lh;
1424         struct mbuf *m;
1425
1426         if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN)
1427                 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN;
1428         MGETHDR (m, M_DONTWAIT, MT_DATA);
1429         if (! m)
1430                 return;
1431         m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len;
1432         m->m_pkthdr.rcvif = 0;
1433
1434         h = mtod (m, struct ppp_header*);
1435         h->address = PPP_ALLSTATIONS;        /* broadcast address */
1436         h->control = PPP_UI;                 /* Unnumbered Info */
1437         h->protocol = htons (proto);         /* Link Control Protocol */
1438
1439         lh = (struct lcp_header*) (h + 1);
1440         lh->type = type;
1441         lh->ident = ident;
1442         lh->len = htons (LCP_HEADER_LEN + len);
1443         if (len)
1444                 bcopy (data, lh+1, len);
1445
1446         if (debug) {
1447                 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d",
1448                     SPP_ARGS(ifp),
1449                     sppp_proto_name(proto),
1450                     sppp_cp_type_name (lh->type), lh->ident,
1451                     ntohs (lh->len));
1452                 sppp_print_bytes ((u_char*) (lh+1), len);
1453                 addlog(">\n");
1454         }
1455         if (IF_QFULL (&sp->pp_cpq)) {
1456                 IF_DROP (&sp->pp_fastq);
1457                 IF_DROP (&ifp->if_snd);
1458                 m_freem (m);
1459                 ++ifp->if_oerrors;
1460         } else
1461                 IF_ENQUEUE (&sp->pp_cpq, m);
1462         if (! (ifp->if_flags & IFF_OACTIVE))
1463                 (*ifp->if_start) (ifp);
1464         ifp->if_obytes += m->m_pkthdr.len + 3;
1465 }
1466
1467 /*
1468  * Handle incoming PPP control protocol packets.
1469  */
1470 static void
1471 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m)
1472 {
1473         STDDCL;
1474         struct lcp_header *h;
1475         int len = m->m_pkthdr.len;
1476         int rv;
1477         u_char *p;
1478
1479         if (len < 4) {
1480                 if (debug)
1481                         log(LOG_DEBUG,
1482                             SPP_FMT "%s invalid packet length: %d bytes\n",
1483                             SPP_ARGS(ifp), cp->name, len);
1484                 return;
1485         }
1486         h = mtod (m, struct lcp_header*);
1487         if (debug) {
1488                 log(LOG_DEBUG,
1489                     SPP_FMT "%s input(%s): <%s id=0x%x len=%d",
1490                     SPP_ARGS(ifp), cp->name,
1491                     sppp_state_name(sp->state[cp->protoidx]),
1492                     sppp_cp_type_name (h->type), h->ident, ntohs (h->len));
1493                 sppp_print_bytes ((u_char*) (h+1), len-4);
1494                 addlog(">\n");
1495         }
1496         if (len > ntohs (h->len))
1497                 len = ntohs (h->len);
1498         p = (u_char *)(h + 1);
1499         switch (h->type) {
1500         case CONF_REQ:
1501                 if (len < 4) {
1502                         if (debug)
1503                                 addlog(SPP_FMT "%s invalid conf-req length %d\n",
1504                                        SPP_ARGS(ifp), cp->name,
1505                                        len);
1506                         ++ifp->if_ierrors;
1507                         break;
1508                 }
1509                 /* handle states where RCR doesn't get a SCA/SCN */
1510                 switch (sp->state[cp->protoidx]) {
1511                 case STATE_CLOSING:
1512                 case STATE_STOPPING:
1513                         return;
1514                 case STATE_CLOSED:
1515                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident,
1516                                      0, 0);
1517                         return;
1518                 }
1519                 rv = (cp->RCR)(sp, h, len);
1520                 switch (sp->state[cp->protoidx]) {
1521                 case STATE_OPENED:
1522                         (cp->tld)(sp);
1523                         (cp->scr)(sp);
1524                         /* fall through... */
1525                 case STATE_ACK_SENT:
1526                 case STATE_REQ_SENT:
1527                         /*
1528                          * sppp_cp_change_state() have the side effect of
1529                          * restarting the timeouts. We want to avoid that
1530                          * if the state don't change, otherwise we won't
1531                          * ever timeout and resend a configuration request
1532                          * that got lost.
1533                          */
1534                         if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT:
1535                             STATE_REQ_SENT))
1536                                 break;
1537                         sppp_cp_change_state(cp, sp, rv?
1538                                              STATE_ACK_SENT: STATE_REQ_SENT);
1539                         break;
1540                 case STATE_STOPPED:
1541                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1542                         (cp->scr)(sp);
1543                         sppp_cp_change_state(cp, sp, rv?
1544                                              STATE_ACK_SENT: STATE_REQ_SENT);
1545                         break;
1546                 case STATE_ACK_RCVD:
1547                         if (rv) {
1548                                 sppp_cp_change_state(cp, sp, STATE_OPENED);
1549                                 if (debug)
1550                                         log(LOG_DEBUG, SPP_FMT "%s tlu\n",
1551                                             SPP_ARGS(ifp),
1552                                             cp->name);
1553                                 (cp->tlu)(sp);
1554                         } else
1555                                 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1556                         break;
1557                 default:
1558                         printf(SPP_FMT "%s illegal %s in state %s\n",
1559                                SPP_ARGS(ifp), cp->name,
1560                                sppp_cp_type_name(h->type),
1561                                sppp_state_name(sp->state[cp->protoidx]));
1562                         ++ifp->if_ierrors;
1563                 }
1564                 break;
1565         case CONF_ACK:
1566                 if (h->ident != sp->confid[cp->protoidx]) {
1567                         if (debug)
1568                                 addlog(SPP_FMT "%s id mismatch 0x%x != 0x%x\n",
1569                                        SPP_ARGS(ifp), cp->name,
1570                                        h->ident, sp->confid[cp->protoidx]);
1571                         ++ifp->if_ierrors;
1572                         break;
1573                 }
1574                 switch (sp->state[cp->protoidx]) {
1575                 case STATE_CLOSED:
1576                 case STATE_STOPPED:
1577                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1578                         break;
1579                 case STATE_CLOSING:
1580                 case STATE_STOPPING:
1581                         break;
1582                 case STATE_REQ_SENT:
1583                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1584                         sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1585                         break;
1586                 case STATE_OPENED:
1587                         (cp->tld)(sp);
1588                         /* fall through */
1589                 case STATE_ACK_RCVD:
1590                         (cp->scr)(sp);
1591                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1592                         break;
1593                 case STATE_ACK_SENT:
1594                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1595                         sppp_cp_change_state(cp, sp, STATE_OPENED);
1596                         if (debug)
1597                                 log(LOG_DEBUG, SPP_FMT "%s tlu\n",
1598                                        SPP_ARGS(ifp), cp->name);
1599                         (cp->tlu)(sp);
1600                         break;
1601                 default:
1602                         printf(SPP_FMT "%s illegal %s in state %s\n",
1603                                SPP_ARGS(ifp), cp->name,
1604                                sppp_cp_type_name(h->type),
1605                                sppp_state_name(sp->state[cp->protoidx]));
1606                         ++ifp->if_ierrors;
1607                 }
1608                 break;
1609         case CONF_NAK:
1610         case CONF_REJ:
1611                 if (h->ident != sp->confid[cp->protoidx]) {
1612                         if (debug)
1613                                 addlog(SPP_FMT "%s id mismatch 0x%x != 0x%x\n",
1614                                        SPP_ARGS(ifp), cp->name,
1615                                        h->ident, sp->confid[cp->protoidx]);
1616                         ++ifp->if_ierrors;
1617                         break;
1618                 }
1619                 if (h->type == CONF_NAK)
1620                         (cp->RCN_nak)(sp, h, len);
1621                 else /* CONF_REJ */
1622                         (cp->RCN_rej)(sp, h, len);
1623
1624                 switch (sp->state[cp->protoidx]) {
1625                 case STATE_CLOSED:
1626                 case STATE_STOPPED:
1627                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1628                         break;
1629                 case STATE_REQ_SENT:
1630                 case STATE_ACK_SENT:
1631                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1632                         /*
1633                          * Slow things down a bit if we think we might be
1634                          * in loopback. Depend on the timeout to send the
1635                          * next configuration request.
1636                          */
1637                         if (sp->pp_loopcnt)
1638                                 break;
1639                         (cp->scr)(sp);
1640                         break;
1641                 case STATE_OPENED:
1642                         (cp->tld)(sp);
1643                         /* fall through */
1644                 case STATE_ACK_RCVD:
1645                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1646                         (cp->scr)(sp);
1647                         break;
1648                 case STATE_CLOSING:
1649                 case STATE_STOPPING:
1650                         break;
1651                 default:
1652                         printf(SPP_FMT "%s illegal %s in state %s\n",
1653                                SPP_ARGS(ifp), cp->name,
1654                                sppp_cp_type_name(h->type),
1655                                sppp_state_name(sp->state[cp->protoidx]));
1656                         ++ifp->if_ierrors;
1657                 }
1658                 break;
1659
1660         case TERM_REQ:
1661                 switch (sp->state[cp->protoidx]) {
1662                 case STATE_ACK_RCVD:
1663                 case STATE_ACK_SENT:
1664                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1665                         /* fall through */
1666                 case STATE_CLOSED:
1667                 case STATE_STOPPED:
1668                 case STATE_CLOSING:
1669                 case STATE_STOPPING:
1670                 case STATE_REQ_SENT:
1671                   sta:
1672                         /* Send Terminate-Ack packet. */
1673                         if (debug)
1674                                 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n",
1675                                     SPP_ARGS(ifp), cp->name);
1676                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1677                         break;
1678                 case STATE_OPENED:
1679                         (cp->tld)(sp);
1680                         sp->rst_counter[cp->protoidx] = 0;
1681                         sppp_cp_change_state(cp, sp, STATE_STOPPING);
1682                         goto sta;
1683                         break;
1684                 default:
1685                         printf(SPP_FMT "%s illegal %s in state %s\n",
1686                                SPP_ARGS(ifp), cp->name,
1687                                sppp_cp_type_name(h->type),
1688                                sppp_state_name(sp->state[cp->protoidx]));
1689                         ++ifp->if_ierrors;
1690                 }
1691                 break;
1692         case TERM_ACK:
1693                 switch (sp->state[cp->protoidx]) {
1694                 case STATE_CLOSED:
1695                 case STATE_STOPPED:
1696                 case STATE_REQ_SENT:
1697                 case STATE_ACK_SENT:
1698                         break;
1699                 case STATE_CLOSING:
1700                         sppp_cp_change_state(cp, sp, STATE_CLOSED);
1701                         (cp->tlf)(sp);
1702                         break;
1703                 case STATE_STOPPING:
1704                         sppp_cp_change_state(cp, sp, STATE_STOPPED);
1705                         (cp->tlf)(sp);
1706                         break;
1707                 case STATE_ACK_RCVD:
1708                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1709                         break;
1710                 case STATE_OPENED:
1711                         (cp->tld)(sp);
1712                         (cp->scr)(sp);
1713                         sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1714                         break;
1715                 default:
1716                         printf(SPP_FMT "%s illegal %s in state %s\n",
1717                                SPP_ARGS(ifp), cp->name,
1718                                sppp_cp_type_name(h->type),
1719                                sppp_state_name(sp->state[cp->protoidx]));
1720                         ++ifp->if_ierrors;
1721                 }
1722                 break;
1723         case CODE_REJ:
1724                 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
1725                 log(LOG_INFO,
1726                     SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, "
1727                     "danger will robinson\n",
1728                     SPP_ARGS(ifp), cp->name,
1729                     sppp_cp_type_name(h->type), ntohs(*((u_short *)p)));
1730                 switch (sp->state[cp->protoidx]) {
1731                 case STATE_CLOSED:
1732                 case STATE_STOPPED:
1733                 case STATE_REQ_SENT:
1734                 case STATE_ACK_SENT:
1735                 case STATE_CLOSING:
1736                 case STATE_STOPPING:
1737                 case STATE_OPENED:
1738                         break;
1739                 case STATE_ACK_RCVD:
1740                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1741                         break;
1742                 default:
1743                         printf(SPP_FMT "%s illegal %s in state %s\n",
1744                                SPP_ARGS(ifp), cp->name,
1745                                sppp_cp_type_name(h->type),
1746                                sppp_state_name(sp->state[cp->protoidx]));
1747                         ++ifp->if_ierrors;
1748                 }
1749                 break;
1750         case PROTO_REJ:
1751             {
1752                 int catastrophic;
1753                 const struct cp *upper;
1754                 int i;
1755                 u_int16_t proto;
1756
1757                 catastrophic = 0;
1758                 upper = NULL;
1759                 proto = ntohs(*((u_int16_t *)p));
1760                 for (i = 0; i < IDX_COUNT; i++) {
1761                         if (cps[i]->proto == proto) {
1762                                 upper = cps[i];
1763                                 break;
1764                         }
1765                 }
1766                 if (upper == NULL)
1767                         catastrophic++;
1768
1769                 if (catastrophic || debug)
1770                         log(catastrophic? LOG_INFO: LOG_DEBUG,
1771                             SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n",
1772                             SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+',
1773                             sppp_cp_type_name(h->type), proto,
1774                             upper ? upper->name : "unknown",
1775                             upper ? sppp_state_name(sp->state[upper->protoidx]) : "?");
1776
1777                 /*
1778                  * if we got RXJ+ against conf-req, the peer does not implement
1779                  * this particular protocol type.  terminate the protocol.
1780                  */
1781                 if (upper && !catastrophic) {
1782                         if (sp->state[upper->protoidx] == STATE_REQ_SENT) {
1783                                 upper->Close(sp);
1784                                 break;
1785                         }
1786                 }
1787
1788                 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
1789                 switch (sp->state[cp->protoidx]) {
1790                 case STATE_CLOSED:
1791                 case STATE_STOPPED:
1792                 case STATE_REQ_SENT:
1793                 case STATE_ACK_SENT:
1794                 case STATE_CLOSING:
1795                 case STATE_STOPPING:
1796                 case STATE_OPENED:
1797                         break;
1798                 case STATE_ACK_RCVD:
1799                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1800                         break;
1801                 default:
1802                         printf(SPP_FMT "%s illegal %s in state %s\n",
1803                                SPP_ARGS(ifp), cp->name,
1804                                sppp_cp_type_name(h->type),
1805                                sppp_state_name(sp->state[cp->protoidx]));
1806                         ++ifp->if_ierrors;
1807                 }
1808                 break;
1809             }
1810         case DISC_REQ:
1811                 if (cp->proto != PPP_LCP)
1812                         goto illegal;
1813                 /* Discard the packet. */
1814                 break;
1815         case ECHO_REQ:
1816                 if (cp->proto != PPP_LCP)
1817                         goto illegal;
1818                 if (sp->state[cp->protoidx] != STATE_OPENED) {
1819                         if (debug)
1820                                 addlog(SPP_FMT "lcp echo req but lcp closed\n",
1821                                        SPP_ARGS(ifp));
1822                         ++ifp->if_ierrors;
1823                         break;
1824                 }
1825                 if (len < 8) {
1826                         if (debug)
1827                                 addlog(SPP_FMT "invalid lcp echo request "
1828                                        "packet length: %d bytes\n",
1829                                        SPP_ARGS(ifp), len);
1830                         break;
1831                 }
1832                 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
1833                     ntohl (*(long*)(h+1)) == sp->lcp.magic) {
1834                         /* Line loopback mode detected. */
1835                         printf(SPP_FMT "loopback\n", SPP_ARGS(ifp));
1836                         sp->pp_loopcnt = MAXALIVECNT * 5;
1837                         if_down (ifp);
1838                         sppp_qflush (&sp->pp_cpq);
1839
1840                         /* Shut down the PPP link. */
1841                         /* XXX */
1842                         lcp.Down(sp);
1843                         lcp.Up(sp);
1844                         break;
1845                 }
1846                 *(long*)(h+1) = htonl (sp->lcp.magic);
1847                 if (debug)
1848                         addlog(SPP_FMT "got lcp echo req, sending echo rep\n",
1849                                SPP_ARGS(ifp));
1850                 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1);
1851                 break;
1852         case ECHO_REPLY:
1853                 if (cp->proto != PPP_LCP)
1854                         goto illegal;
1855                 if (h->ident != sp->lcp.echoid) {
1856                         ++ifp->if_ierrors;
1857                         break;
1858                 }
1859                 if (len < 8) {
1860                         if (debug)
1861                                 addlog(SPP_FMT "lcp invalid echo reply "
1862                                        "packet length: %d bytes\n",
1863                                        SPP_ARGS(ifp), len);
1864                         break;
1865                 }
1866                 if (debug)
1867                         addlog(SPP_FMT "lcp got echo rep\n",
1868                                SPP_ARGS(ifp));
1869                 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) ||
1870                     ntohl (*(long*)(h+1)) != sp->lcp.magic)
1871                         sp->pp_alivecnt = 0;
1872                 break;
1873         default:
1874                 /* Unknown packet type -- send Code-Reject packet. */
1875           illegal:
1876                 if (debug)
1877                         addlog(SPP_FMT "%s send code-rej for 0x%x\n",
1878                                SPP_ARGS(ifp), cp->name, h->type);
1879                 sppp_cp_send(sp, cp->proto, CODE_REJ,
1880                              ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h);
1881                 ++ifp->if_ierrors;
1882         }
1883 }
1884
1885
1886 /*
1887  * The generic part of all Up/Down/Open/Close/TO event handlers.
1888  * Basically, the state transition handling in the automaton.
1889  */
1890 static void
1891 sppp_up_event(const struct cp *cp, struct sppp *sp)
1892 {
1893         STDDCL;
1894
1895         if (debug)
1896                 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n",
1897                     SPP_ARGS(ifp), cp->name,
1898                     sppp_state_name(sp->state[cp->protoidx]));
1899
1900         switch (sp->state[cp->protoidx]) {
1901         case STATE_INITIAL:
1902                 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1903                 break;
1904         case STATE_STARTING:
1905                 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1906                 (cp->scr)(sp);
1907                 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1908                 break;
1909         default:
1910                 printf(SPP_FMT "%s illegal up in state %s\n",
1911                        SPP_ARGS(ifp), cp->name,
1912                        sppp_state_name(sp->state[cp->protoidx]));
1913         }
1914 }
1915
1916 static void
1917 sppp_down_event(const struct cp *cp, struct sppp *sp)
1918 {
1919         STDDCL;
1920
1921         if (debug)
1922                 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n",
1923                     SPP_ARGS(ifp), cp->name,
1924                     sppp_state_name(sp->state[cp->protoidx]));
1925
1926         switch (sp->state[cp->protoidx]) {
1927         case STATE_CLOSED:
1928         case STATE_CLOSING:
1929                 sppp_cp_change_state(cp, sp, STATE_INITIAL);
1930                 break;
1931         case STATE_STOPPED:
1932                 sppp_cp_change_state(cp, sp, STATE_STARTING);
1933                 (cp->tls)(sp);
1934                 break;
1935         case STATE_STOPPING:
1936         case STATE_REQ_SENT:
1937         case STATE_ACK_RCVD:
1938         case STATE_ACK_SENT:
1939                 sppp_cp_change_state(cp, sp, STATE_STARTING);
1940                 break;
1941         case STATE_OPENED:
1942                 (cp->tld)(sp);
1943                 sppp_cp_change_state(cp, sp, STATE_STARTING);
1944                 break;
1945         default:
1946                 printf(SPP_FMT "%s illegal down in state %s\n",
1947                        SPP_ARGS(ifp), cp->name,
1948                        sppp_state_name(sp->state[cp->protoidx]));
1949         }
1950 }
1951
1952
1953 static void
1954 sppp_open_event(const struct cp *cp, struct sppp *sp)
1955 {
1956         STDDCL;
1957
1958         if (debug)
1959                 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n",
1960                     SPP_ARGS(ifp), cp->name,
1961                     sppp_state_name(sp->state[cp->protoidx]));
1962
1963         switch (sp->state[cp->protoidx]) {
1964         case STATE_INITIAL:
1965                 sppp_cp_change_state(cp, sp, STATE_STARTING);
1966                 (cp->tls)(sp);
1967                 break;
1968         case STATE_STARTING:
1969                 break;
1970         case STATE_CLOSED:
1971                 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1972                 (cp->scr)(sp);
1973                 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1974                 break;
1975         case STATE_STOPPED:
1976                 /*
1977                  * Try escaping stopped state.  This seems to bite
1978                  * people occasionally, in particular for IPCP,
1979                  * presumably following previous IPCP negotiation
1980                  * aborts.  Somehow, we must have missed a Down event
1981                  * which would have caused a transition into starting
1982                  * state, so as a bandaid we force the Down event now.
1983                  * This effectively implements (something like the)
1984                  * `restart' option mentioned in the state transition
1985                  * table of RFC 1661.
1986                  */
1987                 sppp_cp_change_state(cp, sp, STATE_STARTING);
1988                 (cp->tls)(sp);
1989                 break;
1990         case STATE_STOPPING:
1991         case STATE_REQ_SENT:
1992         case STATE_ACK_RCVD:
1993         case STATE_ACK_SENT:
1994         case STATE_OPENED:
1995                 break;
1996         case STATE_CLOSING:
1997                 sppp_cp_change_state(cp, sp, STATE_STOPPING);
1998                 break;
1999         }
2000 }
2001
2002
2003 static void
2004 sppp_close_event(const struct cp *cp, struct sppp *sp)
2005 {
2006         STDDCL;
2007
2008         if (debug)
2009                 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n",
2010                     SPP_ARGS(ifp), cp->name,
2011                     sppp_state_name(sp->state[cp->protoidx]));
2012
2013         switch (sp->state[cp->protoidx]) {
2014         case STATE_INITIAL:
2015         case STATE_CLOSED:
2016         case STATE_CLOSING:
2017                 break;
2018         case STATE_STARTING:
2019                 sppp_cp_change_state(cp, sp, STATE_INITIAL);
2020                 (cp->tlf)(sp);
2021                 break;
2022         case STATE_STOPPED:
2023                 sppp_cp_change_state(cp, sp, STATE_CLOSED);
2024                 break;
2025         case STATE_STOPPING:
2026                 sppp_cp_change_state(cp, sp, STATE_CLOSING);
2027                 break;
2028         case STATE_OPENED:
2029                 (cp->tld)(sp);
2030                 /* fall through */
2031         case STATE_REQ_SENT:
2032         case STATE_ACK_RCVD:
2033         case STATE_ACK_SENT:
2034                 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate;
2035                 sppp_cp_send(sp, cp->proto, TERM_REQ,
2036                              ++sp->pp_seq[cp->protoidx], 0, 0);
2037                 sppp_cp_change_state(cp, sp, STATE_CLOSING);
2038                 break;
2039         }
2040 }
2041
2042 static void
2043 sppp_to_event(const struct cp *cp, struct sppp *sp)
2044 {
2045         STDDCL;
2046         int s;
2047
2048         s = splimp();
2049         if (debug)
2050                 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n",
2051                     SPP_ARGS(ifp), cp->name,
2052                     sppp_state_name(sp->state[cp->protoidx]),
2053                     sp->rst_counter[cp->protoidx]);
2054
2055         if (--sp->rst_counter[cp->protoidx] < 0)
2056                 /* TO- event */
2057                 switch (sp->state[cp->protoidx]) {
2058                 case STATE_CLOSING:
2059                         sppp_cp_change_state(cp, sp, STATE_CLOSED);
2060                         (cp->tlf)(sp);
2061                         break;
2062                 case STATE_STOPPING:
2063                         sppp_cp_change_state(cp, sp, STATE_STOPPED);
2064                         (cp->tlf)(sp);
2065                         break;
2066                 case STATE_REQ_SENT:
2067                 case STATE_ACK_RCVD:
2068                 case STATE_ACK_SENT:
2069                         sppp_cp_change_state(cp, sp, STATE_STOPPED);
2070                         (cp->tlf)(sp);
2071                         break;
2072                 }
2073         else
2074                 /* TO+ event */
2075                 switch (sp->state[cp->protoidx]) {
2076                 case STATE_CLOSING:
2077                 case STATE_STOPPING:
2078                         sppp_cp_send(sp, cp->proto, TERM_REQ,
2079                                      ++sp->pp_seq[cp->protoidx], 0, 0);
2080                         TIMEOUT(cp->TO, (void *)sp, sp->lcp.timeout,
2081                             sp->ch[cp->protoidx]);
2082                         break;
2083                 case STATE_REQ_SENT:
2084                 case STATE_ACK_RCVD:
2085                         (cp->scr)(sp);
2086                         /* sppp_cp_change_state() will restart the timer */
2087                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
2088                         break;
2089                 case STATE_ACK_SENT:
2090                         (cp->scr)(sp);
2091                         TIMEOUT(cp->TO, (void *)sp, sp->lcp.timeout,
2092                             sp->ch[cp->protoidx]);
2093                         break;
2094                 }
2095
2096         splx(s);
2097 }
2098
2099 /*
2100  * Change the state of a control protocol in the state automaton.
2101  * Takes care of starting/stopping the restart timer.
2102  */
2103 void
2104 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate)
2105 {
2106         sp->state[cp->protoidx] = newstate;
2107
2108         UNTIMEOUT(cp->TO, (void *)sp, sp->ch[cp->protoidx]);
2109         switch (newstate) {
2110         case STATE_INITIAL:
2111         case STATE_STARTING:
2112         case STATE_CLOSED:
2113         case STATE_STOPPED:
2114         case STATE_OPENED:
2115                 break;
2116         case STATE_CLOSING:
2117         case STATE_STOPPING:
2118         case STATE_REQ_SENT:
2119         case STATE_ACK_RCVD:
2120         case STATE_ACK_SENT:
2121                 TIMEOUT(cp->TO, (void *)sp, sp->lcp.timeout,
2122                     sp->ch[cp->protoidx]);
2123                 break;
2124         }
2125 }
2126
2127 /*
2128  *--------------------------------------------------------------------------*
2129  *                                                                          *
2130  *                         The LCP implementation.                          *
2131  *                                                                          *
2132  *--------------------------------------------------------------------------*
2133  */
2134 static void
2135 sppp_lcp_init(struct sppp *sp)
2136 {
2137         sp->lcp.opts = (1 << LCP_OPT_MAGIC);
2138         sp->lcp.magic = 0;
2139         sp->state[IDX_LCP] = STATE_INITIAL;
2140         sp->fail_counter[IDX_LCP] = 0;
2141         sp->pp_seq[IDX_LCP] = 0;
2142         sp->pp_rseq[IDX_LCP] = 0;
2143         sp->lcp.protos = 0;
2144         sp->lcp.mru = sp->lcp.their_mru = PP_MTU;
2145
2146         /* Note that these values are  relevant for all control protocols */
2147         sp->lcp.timeout = 3 * hz;
2148         sp->lcp.max_terminate = 2;
2149         sp->lcp.max_configure = 10;
2150         sp->lcp.max_failure = 10;
2151 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
2152         callout_handle_init(&sp->ch[IDX_LCP]);
2153 #endif
2154 }
2155
2156 static void
2157 sppp_lcp_up(struct sppp *sp)
2158 {
2159         STDDCL;
2160
2161         sp->pp_alivecnt = 0;
2162         sp->lcp.opts = (1 << LCP_OPT_MAGIC);
2163         sp->lcp.magic = 0;
2164         sp->lcp.protos = 0;
2165         sp->lcp.mru = sp->lcp.their_mru = PP_MTU;
2166         /*
2167          * If this interface is passive or dial-on-demand, and we are
2168          * still in Initial state, it means we've got an incoming
2169          * call.  Activate the interface.
2170          */
2171         if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) {
2172                 if (debug)
2173                         log(LOG_DEBUG,
2174                             SPP_FMT "Up event", SPP_ARGS(ifp));
2175                 ifp->if_flags |= IFF_RUNNING;
2176                 if (sp->state[IDX_LCP] == STATE_INITIAL) {
2177                         if (debug)
2178                                 addlog("(incoming call)\n");
2179                         sp->pp_flags |= PP_CALLIN;
2180                         lcp.Open(sp);
2181                 } else if (debug)
2182                         addlog("\n");
2183         } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 &&
2184                    (sp->state[IDX_LCP] == STATE_INITIAL)) {
2185                 ifp->if_flags |= IFF_RUNNING;
2186                 lcp.Open(sp);
2187         }
2188
2189         sppp_up_event(&lcp, sp);
2190 }
2191
2192 static void
2193 sppp_lcp_down(struct sppp *sp)
2194 {
2195         STDDCL;
2196
2197         sppp_down_event(&lcp, sp);
2198
2199         /*
2200          * If this is neither a dial-on-demand nor a passive
2201          * interface, simulate an ``ifconfig down'' action, so the
2202          * administrator can force a redial by another ``ifconfig
2203          * up''.  XXX For leased line operation, should we immediately
2204          * try to reopen the connection here?
2205          */
2206         if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) {
2207                 log(LOG_INFO,
2208                     SPP_FMT "Down event, taking interface down.\n",
2209                     SPP_ARGS(ifp));
2210                 if_down(ifp);
2211         } else {
2212                 if (debug)
2213                         log(LOG_DEBUG,
2214                             SPP_FMT "Down event (carrier loss)\n",
2215                             SPP_ARGS(ifp));
2216                 sp->pp_flags &= ~PP_CALLIN;
2217                 if (sp->state[IDX_LCP] != STATE_INITIAL)
2218                         lcp.Close(sp);
2219                 ifp->if_flags &= ~IFF_RUNNING;
2220         }
2221 }
2222
2223 static void
2224 sppp_lcp_open(struct sppp *sp)
2225 {
2226         /*
2227          * If we are authenticator, negotiate LCP_AUTH
2228          */
2229         if (sp->hisauth.proto != 0)
2230                 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
2231         else
2232                 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
2233         sp->pp_flags &= ~PP_NEEDAUTH;
2234         sppp_open_event(&lcp, sp);
2235 }
2236
2237 static void
2238 sppp_lcp_close(struct sppp *sp)
2239 {
2240         sppp_close_event(&lcp, sp);
2241 }
2242
2243 static void
2244 sppp_lcp_TO(void *cookie)
2245 {
2246         sppp_to_event(&lcp, (struct sppp *)cookie);
2247 }
2248
2249 /*
2250  * Analyze a configure request.  Return true if it was agreeable, and
2251  * caused action sca, false if it has been rejected or nak'ed, and
2252  * caused action scn.  (The return value is used to make the state
2253  * transition decision in the state automaton.)
2254  */
2255 static int
2256 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
2257 {
2258         STDDCL;
2259         u_char *buf, *r, *p;
2260         int origlen, rlen;
2261         u_long nmagic;
2262         u_short authproto;
2263
2264         len -= 4;
2265         origlen = len;
2266         buf = r = malloc (len, M_TEMP, M_NOWAIT);
2267         if (! buf)
2268                 return (0);
2269
2270         if (debug)
2271                 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ",
2272                     SPP_ARGS(ifp));
2273
2274         /* pass 1: check for things that need to be rejected */
2275         p = (void*) (h+1);
2276         for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2277                 if (debug)
2278                         addlog(" %s ", sppp_lcp_opt_name(*p));
2279                 switch (*p) {
2280                 case LCP_OPT_MAGIC:
2281                         /* Magic number. */
2282                         if (len >= 6 && p[1] == 6)
2283                                 continue;
2284                         if (debug)
2285                                 addlog("[invalid] ");
2286                         break;
2287                 case LCP_OPT_ASYNC_MAP:
2288                         /* Async control character map. */
2289                         if (len >= 6 && p[1] == 6)
2290                                 continue;
2291                         if (debug)
2292                                 addlog("[invalid] ");
2293                         break;
2294                 case LCP_OPT_MRU:
2295                         /* Maximum receive unit. */
2296                         if (len >= 4 && p[1] == 4)
2297                                 continue;
2298                         if (debug)
2299                                 addlog("[invalid] ");
2300                         break;
2301                 case LCP_OPT_AUTH_PROTO:
2302                         if (len < 4) {
2303                                 if (debug)
2304                                         addlog("[invalid] ");
2305                                 break;
2306                         }
2307                         authproto = (p[2] << 8) + p[3];
2308                         if (authproto == PPP_CHAP && p[1] != 5) {
2309                                 if (debug)
2310                                         addlog("[invalid chap len] ");
2311                                 break;
2312                         }
2313                         if (sp->myauth.proto == 0) {
2314                                 /* we are not configured to do auth */
2315                                 if (debug)
2316                                         addlog("[not configured] ");
2317                                 break;
2318                         }
2319                         /*
2320                          * Remote want us to authenticate, remember this,
2321                          * so we stay in PHASE_AUTHENTICATE after LCP got
2322                          * up.
2323                          */
2324                         sp->pp_flags |= PP_NEEDAUTH;
2325                         continue;
2326                 default:
2327                         /* Others not supported. */
2328                         if (debug)
2329                                 addlog("[rej] ");
2330                         break;
2331                 }
2332                 /* Add the option to rejected list. */
2333                 bcopy (p, r, p[1]);
2334                 r += p[1];
2335                 rlen += p[1];
2336         }
2337         if (rlen) {
2338                 if (debug)
2339                         addlog(" send conf-rej\n");
2340                 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
2341                 return 0;
2342         } else if (debug)
2343                 addlog("\n");
2344
2345         /*
2346          * pass 2: check for option values that are unacceptable and
2347          * thus require to be nak'ed.
2348          */
2349         if (debug)
2350                 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ",
2351                     SPP_ARGS(ifp));
2352
2353         p = (void*) (h+1);
2354         len = origlen;
2355         for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2356                 if (debug)
2357                         addlog(" %s ", sppp_lcp_opt_name(*p));
2358                 switch (*p) {
2359                 case LCP_OPT_MAGIC:
2360                         /* Magic number -- extract. */
2361                         nmagic = (u_long)p[2] << 24 |
2362                                 (u_long)p[3] << 16 | p[4] << 8 | p[5];
2363                         if (nmagic != sp->lcp.magic) {
2364                                 sp->pp_loopcnt = 0;
2365                                 if (debug)
2366                                         addlog("0x%lx ", nmagic);
2367                                 continue;
2368                         }
2369                         if (debug && sp->pp_loopcnt < MAXALIVECNT*5)
2370                                 addlog("[glitch] ");
2371                         ++sp->pp_loopcnt;
2372                         /*
2373                          * We negate our magic here, and NAK it.  If
2374                          * we see it later in an NAK packet, we
2375                          * suggest a new one.
2376                          */
2377                         nmagic = ~sp->lcp.magic;
2378                         /* Gonna NAK it. */
2379                         p[2] = nmagic >> 24;
2380                         p[3] = nmagic >> 16;
2381                         p[4] = nmagic >> 8;
2382                         p[5] = nmagic;
2383                         break;
2384
2385                 case LCP_OPT_ASYNC_MAP:
2386                         /*
2387                          * Async control character map -- just ignore it.
2388                          *
2389                          * Quote from RFC 1662, chapter 6:
2390                          * To enable this functionality, synchronous PPP
2391                          * implementations MUST always respond to the
2392                          * Async-Control-Character-Map Configuration
2393                          * Option with the LCP Configure-Ack.  However,
2394                          * acceptance of the Configuration Option does
2395                          * not imply that the synchronous implementation
2396                          * will do any ACCM mapping.  Instead, all such
2397                          * octet mapping will be performed by the
2398                          * asynchronous-to-synchronous converter.
2399                          */
2400                         continue;
2401
2402                 case LCP_OPT_MRU:
2403                         /*
2404                          * Maximum receive unit.  Always agreeable,
2405                          * but ignored by now.
2406                          */
2407                         sp->lcp.their_mru = p[2] * 256 + p[3];
2408                         if (debug)
2409                                 addlog("%lu ", sp->lcp.their_mru);
2410                         continue;
2411
2412                 case LCP_OPT_AUTH_PROTO:
2413                         authproto = (p[2] << 8) + p[3];
2414                         if (sp->myauth.proto != authproto) {
2415                                 /* not agreed, nak */
2416                                 if (debug)
2417                                         addlog("[mine %s != his %s] ",
2418                                                sppp_proto_name(sp->hisauth.proto),
2419                                                sppp_proto_name(authproto));
2420                                 p[2] = sp->myauth.proto >> 8;
2421                                 p[3] = sp->myauth.proto;
2422                                 break;
2423                         }
2424                         if (authproto == PPP_CHAP && p[4] != CHAP_MD5) {
2425                                 if (debug)
2426                                         addlog("[chap not MD5] ");
2427                                 p[4] = CHAP_MD5;
2428                                 break;
2429                         }
2430                         continue;
2431                 }
2432                 /* Add the option to nak'ed list. */
2433                 bcopy (p, r, p[1]);
2434                 r += p[1];
2435                 rlen += p[1];
2436         }
2437         if (rlen) {
2438                 /*
2439                  * Local and remote magics equal -- loopback?
2440                  */
2441                 if (sp->pp_loopcnt >= MAXALIVECNT*5) {
2442                         if (sp->pp_loopcnt == MAXALIVECNT*5)
2443                                 printf (SPP_FMT "loopback\n",
2444                                         SPP_ARGS(ifp));
2445                         if (ifp->if_flags & IFF_UP) {
2446                                 if_down(ifp);
2447                                 sppp_qflush(&sp->pp_cpq);
2448                                 /* XXX ? */
2449                                 lcp.Down(sp);
2450                                 lcp.Up(sp);
2451                         }
2452                 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
2453                         if (debug)
2454                                 addlog(" max_failure (%d) exceeded, "
2455                                        "send conf-rej\n",
2456                                        sp->lcp.max_failure);
2457                         sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
2458                 } else {
2459                         if (debug)
2460                                 addlog(" send conf-nak\n");
2461                         sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf);
2462                 }
2463         } else {
2464                 if (debug)
2465                         addlog(" send conf-ack\n");
2466                 sp->fail_counter[IDX_LCP] = 0;
2467                 sp->pp_loopcnt = 0;
2468                 sppp_cp_send (sp, PPP_LCP, CONF_ACK,
2469                               h->ident, origlen, h+1);
2470         }
2471
2472         free (buf, M_TEMP);
2473         return (rlen == 0);
2474 }
2475
2476 /*
2477  * Analyze the LCP Configure-Reject option list, and adjust our
2478  * negotiation.
2479  */
2480 static void
2481 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
2482 {
2483         STDDCL;
2484         u_char *buf, *p;
2485
2486         len -= 4;
2487         buf = malloc (len, M_TEMP, M_NOWAIT);
2488         if (!buf)
2489                 return;
2490
2491         if (debug)
2492                 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ",
2493                     SPP_ARGS(ifp));
2494
2495         p = (void*) (h+1);
2496         for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
2497                 if (debug)
2498                         addlog(" %s ", sppp_lcp_opt_name(*p));
2499                 switch (*p) {
2500                 case LCP_OPT_MAGIC:
2501                         /* Magic number -- can't use it, use 0 */
2502                         sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC);
2503                         sp->lcp.magic = 0;
2504                         break;
2505                 case LCP_OPT_MRU:
2506                         /*
2507                          * Should not be rejected anyway, since we only
2508                          * negotiate a MRU if explicitly requested by
2509                          * peer.
2510                          */
2511                         sp->lcp.opts &= ~(1 << LCP_OPT_MRU);
2512                         break;
2513                 case LCP_OPT_AUTH_PROTO:
2514                         /*
2515                          * Peer doesn't want to authenticate himself,
2516                          * deny unless this is a dialout call, and
2517                          * AUTHFLAG_NOCALLOUT is set.
2518                          */
2519                         if ((sp->pp_flags & PP_CALLIN) == 0 &&
2520                             (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) {
2521                                 if (debug)
2522                                         addlog("[don't insist on auth "
2523                                                "for callout]");
2524                                 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
2525                                 break;
2526                         }
2527                         if (debug)
2528                                 addlog("[access denied]\n");
2529                         lcp.Close(sp);
2530                         break;
2531                 }
2532         }
2533         if (debug)
2534                 addlog("\n");
2535         free (buf, M_TEMP);
2536         return;
2537 }
2538
2539 /*
2540  * Analyze the LCP Configure-NAK option list, and adjust our
2541  * negotiation.
2542  */
2543 static void
2544 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
2545 {
2546         STDDCL;
2547         u_char *buf, *p;
2548         u_long magic;
2549
2550         len -= 4;
2551         buf = malloc (len, M_TEMP, M_NOWAIT);
2552         if (!buf)
2553                 return;
2554
2555         if (debug)
2556                 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ",
2557                     SPP_ARGS(ifp));
2558
2559         p = (void*) (h+1);
2560         for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
2561                 if (debug)
2562                         addlog(" %s ", sppp_lcp_opt_name(*p));
2563                 switch (*p) {
2564                 case LCP_OPT_MAGIC:
2565                         /* Magic number -- renegotiate */
2566                         if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
2567                             len >= 6 && p[1] == 6) {
2568                                 magic = (u_long)p[2] << 24 |
2569                                         (u_long)p[3] << 16 | p[4] << 8 | p[5];
2570                                 /*
2571                                  * If the remote magic is our negated one,
2572                                  * this looks like a loopback problem.
2573                                  * Suggest a new magic to make sure.
2574                                  */
2575                                 if (magic == ~sp->lcp.magic) {
2576                                         if (debug)
2577                                                 addlog("magic glitch ");
2578 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
2579                                         sp->lcp.magic = random();
2580 #else
2581                                         sp->lcp.magic = time.tv_sec + time.tv_usec;
2582 #endif
2583                                 } else {
2584                                         sp->lcp.magic = magic;
2585                                         if (debug)
2586                                                 addlog("%lu ", magic);
2587                                 }
2588                         }
2589                         break;
2590                 case LCP_OPT_MRU:
2591                         /*
2592                          * Peer wants to advise us to negotiate an MRU.
2593                          * Agree on it if it's reasonable, or use
2594                          * default otherwise.
2595                          */
2596                         if (len >= 4 && p[1] == 4) {
2597                                 u_int mru = p[2] * 256 + p[3];
2598                                 if (debug)
2599                                         addlog("%d ", mru);
2600                                 if (mru < PP_MTU || mru > PP_MAX_MRU)
2601                                         mru = PP_MTU;
2602                                 sp->lcp.mru = mru;
2603                                 sp->lcp.opts |= (1 << LCP_OPT_MRU);
2604                         }
2605                         break;
2606                 case LCP_OPT_AUTH_PROTO:
2607                         /*
2608                          * Peer doesn't like our authentication method,
2609                          * deny.
2610                          */
2611                         if (debug)
2612                                 addlog("[access denied]\n");
2613                         lcp.Close(sp);
2614                         break;
2615                 }
2616         }
2617         if (debug)
2618                 addlog("\n");
2619         free (buf, M_TEMP);
2620         return;
2621 }
2622
2623 static void
2624 sppp_lcp_tlu(struct sppp *sp)
2625 {
2626         STDDCL;
2627         int i;
2628         u_long mask;
2629
2630         /* XXX ? */
2631         if (! (ifp->if_flags & IFF_UP) &&
2632             (ifp->if_flags & IFF_RUNNING)) {
2633                 /* Coming out of loopback mode. */
2634                 if_up(ifp);
2635                 printf (SPP_FMT "up\n", SPP_ARGS(ifp));
2636         }
2637
2638         for (i = 0; i < IDX_COUNT; i++)
2639                 if ((cps[i])->flags & CP_QUAL)
2640                         (cps[i])->Open(sp);
2641
2642         if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 ||
2643             (sp->pp_flags & PP_NEEDAUTH) != 0)
2644                 sp->pp_phase = PHASE_AUTHENTICATE;
2645         else
2646                 sp->pp_phase = PHASE_NETWORK;
2647
2648         if (debug)
2649                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
2650                     sppp_phase_name(sp->pp_phase));
2651
2652         /*
2653          * Open all authentication protocols.  This is even required
2654          * if we already proceeded to network phase, since it might be
2655          * that remote wants us to authenticate, so we might have to
2656          * send a PAP request.  Undesired authentication protocols
2657          * don't do anything when they get an Open event.
2658          */
2659         for (i = 0; i < IDX_COUNT; i++)
2660                 if ((cps[i])->flags & CP_AUTH)
2661                         (cps[i])->Open(sp);
2662
2663         if (sp->pp_phase == PHASE_NETWORK) {
2664                 /* Notify all NCPs. */
2665                 for (i = 0; i < IDX_COUNT; i++)
2666                         if (((cps[i])->flags & CP_NCP) &&
2667                             /*
2668                              * XXX
2669                              * Hack to administratively disable IPv6 if
2670                              * not desired.  Perhaps we should have another
2671                              * flag for this, but right now, we can make
2672                              * all struct cp's read/only.
2673                              */
2674                             (cps[i] != &ipv6cp ||
2675                              (sp->confflags & CONF_ENABLE_IPV6)))
2676                                 (cps[i])->Open(sp);
2677         }
2678
2679         /* Send Up events to all started protos. */
2680         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2681                 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0)
2682                         (cps[i])->Up(sp);
2683
2684         /* notify low-level driver of state change */
2685         if (sp->pp_chg)
2686                 sp->pp_chg(sp, (int)sp->pp_phase);
2687         
2688         if (sp->pp_phase == PHASE_NETWORK)
2689                 /* if no NCP is starting, close down */
2690                 sppp_lcp_check_and_close(sp);
2691 }
2692
2693 static void
2694 sppp_lcp_tld(struct sppp *sp)
2695 {
2696         STDDCL;
2697         int i;
2698         u_long mask;
2699
2700         sp->pp_phase = PHASE_TERMINATE;
2701
2702         if (debug)
2703                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
2704                     sppp_phase_name(sp->pp_phase));
2705
2706         /*
2707          * Take upper layers down.  We send the Down event first and
2708          * the Close second to prevent the upper layers from sending
2709          * ``a flurry of terminate-request packets'', as the RFC
2710          * describes it.
2711          */
2712         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2713                 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) {
2714                         (cps[i])->Down(sp);
2715                         (cps[i])->Close(sp);
2716                 }
2717 }
2718
2719 static void
2720 sppp_lcp_tls(struct sppp *sp)
2721 {
2722         STDDCL;
2723
2724         sp->pp_phase = PHASE_ESTABLISH;
2725
2726         if (debug)
2727                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
2728                     sppp_phase_name(sp->pp_phase));
2729
2730         /* Notify lower layer if desired. */
2731         if (sp->pp_tls)
2732                 (sp->pp_tls)(sp);
2733         else
2734                 (sp->pp_up)(sp);
2735 }
2736
2737 static void
2738 sppp_lcp_tlf(struct sppp *sp)
2739 {
2740         STDDCL;
2741
2742         sp->pp_phase = PHASE_DEAD;
2743         if (debug)
2744                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
2745                     sppp_phase_name(sp->pp_phase));
2746
2747         /* Notify lower layer if desired. */
2748         if (sp->pp_tlf)
2749                 (sp->pp_tlf)(sp);
2750         else
2751                 (sp->pp_down)(sp);
2752 }
2753
2754 static void
2755 sppp_lcp_scr(struct sppp *sp)
2756 {
2757         char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */];
2758         int i = 0;
2759         u_short authproto;
2760
2761         if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) {
2762                 if (! sp->lcp.magic)
2763 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
2764                         sp->lcp.magic = random();
2765 #else
2766                         sp->lcp.magic = time.tv_sec + time.tv_usec;
2767 #endif
2768                 opt[i++] = LCP_OPT_MAGIC;
2769                 opt[i++] = 6;
2770                 opt[i++] = sp->lcp.magic >> 24;
2771                 opt[i++] = sp->lcp.magic >> 16;
2772                 opt[i++] = sp->lcp.magic >> 8;
2773                 opt[i++] = sp->lcp.magic;
2774         }
2775
2776         if (sp->lcp.opts & (1 << LCP_OPT_MRU)) {
2777                 opt[i++] = LCP_OPT_MRU;
2778                 opt[i++] = 4;
2779                 opt[i++] = sp->lcp.mru >> 8;
2780                 opt[i++] = sp->lcp.mru;
2781         }
2782
2783         if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) {
2784                 authproto = sp->hisauth.proto;
2785                 opt[i++] = LCP_OPT_AUTH_PROTO;
2786                 opt[i++] = authproto == PPP_CHAP? 5: 4;
2787                 opt[i++] = authproto >> 8;
2788                 opt[i++] = authproto;
2789                 if (authproto == PPP_CHAP)
2790                         opt[i++] = CHAP_MD5;
2791         }
2792
2793         sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP];
2794         sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt);
2795 }
2796
2797 /*
2798  * Check the open NCPs, return true if at least one NCP is open.
2799  */
2800 static int
2801 sppp_ncp_check(struct sppp *sp)
2802 {
2803         int i, mask;
2804
2805         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2806                 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP)
2807                         return 1;
2808         return 0;
2809 }
2810
2811 /*
2812  * Re-check the open NCPs and see if we should terminate the link.
2813  * Called by the NCPs during their tlf action handling.
2814  */
2815 static void
2816 sppp_lcp_check_and_close(struct sppp *sp)
2817 {
2818
2819         if (sp->pp_phase < PHASE_NETWORK)
2820                 /* don't bother, we are already going down */
2821                 return;
2822
2823         if (sppp_ncp_check(sp))
2824                 return;
2825
2826         lcp.Close(sp);
2827 }
2828
2829 /*
2830  *--------------------------------------------------------------------------*
2831  *                                                                          *
2832  *                        The IPCP implementation.                          *
2833  *                                                                          *
2834  *--------------------------------------------------------------------------*
2835  */
2836
2837 static void
2838 sppp_ipcp_init(struct sppp *sp)
2839 {
2840         sp->ipcp.opts = 0;
2841         sp->ipcp.flags = 0;
2842         sp->state[IDX_IPCP] = STATE_INITIAL;
2843         sp->fail_counter[IDX_IPCP] = 0;
2844         sp->pp_seq[IDX_IPCP] = 0;
2845         sp->pp_rseq[IDX_IPCP] = 0;
2846 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
2847         callout_handle_init(&sp->ch[IDX_IPCP]);
2848 #endif
2849 }
2850
2851 static void
2852 sppp_ipcp_up(struct sppp *sp)
2853 {
2854         sppp_up_event(&ipcp, sp);
2855 }
2856
2857 static void
2858 sppp_ipcp_down(struct sppp *sp)
2859 {
2860         sppp_down_event(&ipcp, sp);
2861 }
2862
2863 static void
2864 sppp_ipcp_open(struct sppp *sp)
2865 {
2866         STDDCL;
2867         u_long myaddr, hisaddr;
2868
2869         sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN |
2870                             IPCP_MYADDR_DYN | IPCP_VJ);
2871         sp->ipcp.opts = 0;
2872
2873         sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
2874         /*
2875          * If we don't have his address, this probably means our
2876          * interface doesn't want to talk IP at all.  (This could
2877          * be the case if somebody wants to speak only IPX, for
2878          * example.)  Don't open IPCP in this case.
2879          */
2880         if (hisaddr == 0L) {
2881                 /* XXX this message should go away */
2882                 if (debug)
2883                         log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n",
2884                             SPP_ARGS(ifp));
2885                 return;
2886         }
2887         if (myaddr == 0L) {
2888                 /*
2889                  * I don't have an assigned address, so i need to
2890                  * negotiate my address.
2891                  */
2892                 sp->ipcp.flags |= IPCP_MYADDR_DYN;
2893                 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
2894         } else
2895                 sp->ipcp.flags |= IPCP_MYADDR_SEEN;
2896         if (sp->confflags & CONF_ENABLE_VJ) {
2897                 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION);
2898                 sp->ipcp.max_state = MAX_STATES - 1;
2899                 sp->ipcp.compress_cid = 1;
2900         }
2901         sppp_open_event(&ipcp, sp);
2902 }
2903
2904 static void
2905 sppp_ipcp_close(struct sppp *sp)
2906 {
2907         sppp_close_event(&ipcp, sp);
2908         if (sp->ipcp.flags & IPCP_MYADDR_DYN)
2909                 /*
2910                  * My address was dynamic, clear it again.
2911                  */
2912                 sppp_set_ip_addr(sp, 0L);
2913 }
2914
2915 static void
2916 sppp_ipcp_TO(void *cookie)
2917 {
2918         sppp_to_event(&ipcp, (struct sppp *)cookie);
2919 }
2920
2921 /*
2922  * Analyze a configure request.  Return true if it was agreeable, and
2923  * caused action sca, false if it has been rejected or nak'ed, and
2924  * caused action scn.  (The return value is used to make the state
2925  * transition decision in the state automaton.)
2926  */
2927 static int
2928 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
2929 {
2930         u_char *buf, *r, *p;
2931         struct ifnet *ifp = &sp->pp_if;
2932         int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
2933         u_long hisaddr, desiredaddr;
2934         int gotmyaddr = 0;
2935         int desiredcomp;
2936
2937         len -= 4;
2938         origlen = len;
2939         /*
2940          * Make sure to allocate a buf that can at least hold a
2941          * conf-nak with an `address' option.  We might need it below.
2942          */
2943         buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
2944         if (! buf)
2945                 return (0);
2946
2947         /* pass 1: see if we can recognize them */
2948         if (debug)
2949                 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
2950                     SPP_ARGS(ifp));
2951         p = (void*) (h+1);
2952         for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2953                 if (debug)
2954                         addlog(" %s ", sppp_ipcp_opt_name(*p));
2955                 switch (*p) {
2956                 case IPCP_OPT_COMPRESSION:
2957                         if (!(sp->confflags & CONF_ENABLE_VJ)) {
2958                                 /* VJ compression administratively disabled */
2959                                 if (debug)
2960                                         addlog("[locally disabled] ");
2961                                 break;
2962                         }
2963                         /*
2964                          * In theory, we should only conf-rej an
2965                          * option that is shorter than RFC 1618
2966                          * requires (i.e. < 4), and should conf-nak
2967                          * anything else that is not VJ.  However,
2968                          * since our algorithm always uses the
2969                          * original option to NAK it with new values,
2970                          * things would become more complicated.  In
2971                          * pratice, the only commonly implemented IP
2972                          * compression option is VJ anyway, so the
2973                          * difference is negligible.
2974                          */
2975                         if (len >= 6 && p[1] == 6) {
2976                                 /*
2977                                  * correctly formed compression option
2978                                  * that could be VJ compression
2979                                  */
2980                                 continue;
2981                         }
2982                         if (debug)
2983                                 addlog("optlen %d [invalid/unsupported] ",
2984                                     p[1]);
2985                         break;
2986                 case IPCP_OPT_ADDRESS:
2987                         if (len >= 6 && p[1] == 6) {
2988                                 /* correctly formed address option */
2989                                 continue;
2990                         }
2991                         if (debug)
2992                                 addlog("[invalid] ");
2993                         break;
2994                 default:
2995                         /* Others not supported. */
2996                         if (debug)
2997                                 addlog("[rej] ");
2998                         break;
2999                 }
3000                 /* Add the option to rejected list. */
3001                 bcopy (p, r, p[1]);
3002                 r += p[1];
3003                 rlen += p[1];
3004         }
3005         if (rlen) {
3006                 if (debug)
3007                         addlog(" send conf-rej\n");
3008                 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf);
3009                 return 0;
3010         } else if (debug)
3011                 addlog("\n");
3012
3013         /* pass 2: parse option values */
3014         sppp_get_ip_addrs(sp, 0, &hisaddr, 0);
3015         if (debug)
3016                 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ",
3017                        SPP_ARGS(ifp));
3018         p = (void*) (h+1);
3019         len = origlen;
3020         for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
3021                 if (debug)
3022                         addlog(" %s ", sppp_ipcp_opt_name(*p));
3023                 switch (*p) {
3024                 case IPCP_OPT_COMPRESSION:
3025                         desiredcomp = p[2] << 8 | p[3];
3026                         /* We only support VJ */
3027                         if (desiredcomp == IPCP_COMP_VJ) {
3028                                 if (debug)
3029                                         addlog("VJ [ack] ");
3030                                 sp->ipcp.flags |= IPCP_VJ;
3031                                 sl_compress_init(sp->pp_comp, p[4]);
3032                                 sp->ipcp.max_state = p[4];
3033                                 sp->ipcp.compress_cid = p[5];
3034                                 continue;
3035                         }
3036                         if (debug)
3037                                 addlog("compproto %#04x [not supported] ",
3038                                     desiredcomp);
3039                         p[2] = IPCP_COMP_VJ >> 8;
3040                         p[3] = IPCP_COMP_VJ;
3041                         p[4] = sp->ipcp.max_state;
3042                         p[5] = sp->ipcp.compress_cid;
3043                         break;
3044                 case IPCP_OPT_ADDRESS:
3045                         /* This is the address he wants in his end */
3046                         desiredaddr = p[2] << 24 | p[3] << 16 |
3047                                 p[4] << 8 | p[5];
3048                         if (desiredaddr == hisaddr ||
3049                             (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) {
3050                                 /*
3051                                  * Peer's address is same as our value,
3052                                  * or we have set it to 0.0.0.* to
3053                                  * indicate that we do not really care,
3054                                  * this is agreeable.  Gonna conf-ack
3055                                  * it.
3056                                  */
3057                                 if (debug)
3058                                         addlog("%s [ack] ",
3059                                                 sppp_dotted_quad(hisaddr));
3060                                 /* record that we've seen it already */
3061                                 sp->ipcp.flags |= IPCP_HISADDR_SEEN;
3062                                 continue;
3063                         }
3064                         /*
3065                          * The address wasn't agreeable.  This is either
3066                          * he sent us 0.0.0.0, asking to assign him an
3067                          * address, or he send us another address not
3068                          * matching our value.  Either case, we gonna
3069                          * conf-nak it with our value.
3070                          * XXX: we should "rej" if hisaddr == 0
3071                          */
3072                         if (debug) {
3073                                 if (desiredaddr == 0)
3074                                         addlog("[addr requested] ");
3075                                 else
3076                                         addlog("%s [not agreed] ",
3077                                                 sppp_dotted_quad(desiredaddr));
3078
3079                         }
3080                         p[2] = hisaddr >> 24;
3081                         p[3] = hisaddr >> 16;
3082                         p[4] = hisaddr >> 8;
3083                         p[5] = hisaddr;
3084                         break;
3085                 }
3086                 /* Add the option to nak'ed list. */
3087                 bcopy (p, r, p[1]);
3088                 r += p[1];
3089                 rlen += p[1];
3090         }
3091
3092         /*
3093          * If we are about to conf-ack the request, but haven't seen
3094          * his address so far, gonna conf-nak it instead, with the
3095          * `address' option present and our idea of his address being
3096          * filled in there, to request negotiation of both addresses.
3097          *
3098          * XXX This can result in an endless req - nak loop if peer
3099          * doesn't want to send us his address.  Q: What should we do
3100          * about it?  XXX  A: implement the max-failure counter.
3101          */
3102         if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) {
3103                 buf[0] = IPCP_OPT_ADDRESS;
3104                 buf[1] = 6;
3105                 buf[2] = hisaddr >> 24;
3106                 buf[3] = hisaddr >> 16;
3107                 buf[4] = hisaddr >> 8;
3108                 buf[5] = hisaddr;
3109                 rlen = 6;
3110                 if (debug)
3111                         addlog("still need hisaddr ");
3112         }
3113
3114         if (rlen) {
3115                 if (debug)
3116                         addlog(" send conf-nak\n");
3117                 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf);
3118         } else {
3119                 if (debug)
3120                         addlog(" send conf-ack\n");
3121                 sppp_cp_send (sp, PPP_IPCP, CONF_ACK,
3122                               h->ident, origlen, h+1);
3123         }
3124
3125         free (buf, M_TEMP);
3126         return (rlen == 0);
3127 }
3128
3129 /*
3130  * Analyze the IPCP Configure-Reject option list, and adjust our
3131  * negotiation.
3132  */
3133 static void
3134 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
3135 {
3136         u_char *buf, *p;
3137         struct ifnet *ifp = &sp->pp_if;
3138         int debug = ifp->if_flags & IFF_DEBUG;
3139
3140         len -= 4;
3141         buf = malloc (len, M_TEMP, M_NOWAIT);
3142         if (!buf)
3143                 return;
3144
3145         if (debug)
3146                 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ",
3147                     SPP_ARGS(ifp));
3148
3149         p = (void*) (h+1);
3150         for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3151                 if (debug)
3152                         addlog(" %s ", sppp_ipcp_opt_name(*p));
3153                 switch (*p) {
3154                 case IPCP_OPT_COMPRESSION:
3155                         sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION);
3156                         break;
3157                 case IPCP_OPT_ADDRESS:
3158                         /*
3159                          * Peer doesn't grok address option.  This is
3160                          * bad.  XXX  Should we better give up here?
3161                          * XXX We could try old "addresses" option...
3162                          */
3163                         sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS);
3164                         break;
3165                 }
3166         }
3167         if (debug)
3168                 addlog("\n");
3169         free (buf, M_TEMP);
3170         return;
3171 }
3172
3173 /*
3174  * Analyze the IPCP Configure-NAK option list, and adjust our
3175  * negotiation.
3176  */
3177 static void
3178 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
3179 {
3180         u_char *buf, *p;
3181         struct ifnet *ifp = &sp->pp_if;
3182         int debug = ifp->if_flags & IFF_DEBUG;
3183         int desiredcomp;
3184         u_long wantaddr;
3185
3186         len -= 4;
3187         buf = malloc (len, M_TEMP, M_NOWAIT);
3188         if (!buf)
3189                 return;
3190
3191         if (debug)
3192                 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ",
3193                     SPP_ARGS(ifp));
3194
3195         p = (void*) (h+1);
3196         for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3197                 if (debug)
3198                         addlog(" %s ", sppp_ipcp_opt_name(*p));
3199                 switch (*p) {
3200                 case IPCP_OPT_COMPRESSION:
3201                         if (len >= 6 && p[1] == 6) {
3202                                 desiredcomp = p[2] << 8 | p[3];
3203                                 if (debug)
3204                                         addlog("[wantcomp %#04x] ",
3205                                                 desiredcomp);
3206                                 if (desiredcomp == IPCP_COMP_VJ) {
3207                                         sl_compress_init(sp->pp_comp, p[4]);
3208                                         sp->ipcp.max_state = p[4];
3209                                         sp->ipcp.compress_cid = p[5];
3210                                         if (debug)
3211                                                 addlog("[agree] ");
3212                                 } else
3213                                         sp->ipcp.opts &=
3214                                                 ~(1 << IPCP_OPT_COMPRESSION);
3215                         }
3216                         break;
3217                 case IPCP_OPT_ADDRESS:
3218                         /*
3219                          * Peer doesn't like our local IP address.  See
3220                          * if we can do something for him.  We'll drop
3221                          * him our address then.
3222                          */
3223                         if (len >= 6 && p[1] == 6) {
3224                                 wantaddr = p[2] << 24 | p[3] << 16 |
3225                                         p[4] << 8 | p[5];
3226                                 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
3227                                 if (debug)
3228                                         addlog("[wantaddr %s] ",
3229                                                sppp_dotted_quad(wantaddr));
3230                                 /*
3231                                  * When doing dynamic address assignment,
3232                                  * we accept his offer.  Otherwise, we
3233                                  * ignore it and thus continue to negotiate
3234                                  * our already existing value.
3235                                  * XXX: Bogus, if he said no once, he'll
3236                                  * just say no again, might as well die.
3237                                  */
3238                                 if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
3239                                         sppp_set_ip_addr(sp, wantaddr);
3240                                         if (debug)
3241                                                 addlog("[agree] ");
3242                                         sp->ipcp.flags |= IPCP_MYADDR_SEEN;
3243                                 }
3244                         }
3245                         break;
3246                 }
3247         }
3248         if (debug)
3249                 addlog("\n");
3250         free (buf, M_TEMP);
3251         return;
3252 }
3253
3254 static void
3255 sppp_ipcp_tlu(struct sppp *sp)
3256 {
3257         /* we are up - notify isdn daemon */
3258         if (sp->pp_con)
3259                 sp->pp_con(sp);
3260 }
3261
3262 static void
3263 sppp_ipcp_tld(struct sppp *sp)
3264 {
3265 }
3266
3267 static void
3268 sppp_ipcp_tls(struct sppp *sp)
3269 {
3270         /* indicate to LCP that it must stay alive */
3271         sp->lcp.protos |= (1 << IDX_IPCP);
3272 }
3273
3274 static void
3275 sppp_ipcp_tlf(struct sppp *sp)
3276 {
3277         /* we no longer need LCP */
3278         sp->lcp.protos &= ~(1 << IDX_IPCP);
3279         sppp_lcp_check_and_close(sp);
3280 }
3281
3282 static void
3283 sppp_ipcp_scr(struct sppp *sp)
3284 {
3285         char opt[6 /* compression */ + 6 /* address */];
3286         u_long ouraddr;
3287         int i = 0;
3288
3289         if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) {
3290                 opt[i++] = IPCP_OPT_COMPRESSION;
3291                 opt[i++] = 6;
3292                 opt[i++] = IPCP_COMP_VJ >> 8;
3293                 opt[i++] = IPCP_COMP_VJ;
3294                 opt[i++] = sp->ipcp.max_state;
3295                 opt[i++] = sp->ipcp.compress_cid;
3296         }
3297         if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) {
3298                 sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
3299                 opt[i++] = IPCP_OPT_ADDRESS;
3300                 opt[i++] = 6;
3301                 opt[i++] = ouraddr >> 24;
3302                 opt[i++] = ouraddr >> 16;
3303                 opt[i++] = ouraddr >> 8;
3304                 opt[i++] = ouraddr;
3305         }
3306
3307         sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP];
3308         sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt);
3309 }
3310
3311 /*
3312  *--------------------------------------------------------------------------*
3313  *                                                                          *
3314  *                      The IPv6CP implementation.                          *
3315  *                                                                          *
3316  *--------------------------------------------------------------------------*
3317  */
3318
3319 #ifdef INET6
3320 static void
3321 sppp_ipv6cp_init(struct sppp *sp)
3322 {
3323         sp->ipv6cp.opts = 0;
3324         sp->ipv6cp.flags = 0;
3325         sp->state[IDX_IPV6CP] = STATE_INITIAL;
3326         sp->fail_counter[IDX_IPV6CP] = 0;
3327         sp->pp_seq[IDX_IPV6CP] = 0;
3328         sp->pp_rseq[IDX_IPV6CP] = 0;
3329 #if defined(__NetBSD__)
3330         callout_init(&sp->ch[IDX_IPV6CP]);
3331 #endif
3332 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
3333         callout_handle_init(&sp->ch[IDX_IPV6CP]);
3334 #endif
3335 }
3336
3337 static void
3338 sppp_ipv6cp_up(struct sppp *sp)
3339 {
3340         sppp_up_event(&ipv6cp, sp);
3341 }
3342
3343 static void
3344 sppp_ipv6cp_down(struct sppp *sp)
3345 {
3346         sppp_down_event(&ipv6cp, sp);
3347 }
3348
3349 static void
3350 sppp_ipv6cp_open(struct sppp *sp)
3351 {
3352         STDDCL;
3353         struct in6_addr myaddr, hisaddr;
3354
3355 #ifdef IPV6CP_MYIFID_DYN
3356         sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN);
3357 #else
3358         sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN;
3359 #endif
3360
3361         sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
3362         /*
3363          * If we don't have our address, this probably means our
3364          * interface doesn't want to talk IPv6 at all.  (This could
3365          * be the case if somebody wants to speak only IPX, for
3366          * example.)  Don't open IPv6CP in this case.
3367          */
3368         if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
3369                 /* XXX this message should go away */
3370                 if (debug)
3371                         log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n",
3372                             SPP_ARGS(ifp));
3373                 return;
3374         }
3375
3376         sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
3377         sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
3378         sppp_open_event(&ipv6cp, sp);
3379 }
3380
3381 static void
3382 sppp_ipv6cp_close(struct sppp *sp)
3383 {
3384         sppp_close_event(&ipv6cp, sp);
3385 }
3386
3387 static void
3388 sppp_ipv6cp_TO(void *cookie)
3389 {
3390         sppp_to_event(&ipv6cp, (struct sppp *)cookie);
3391 }
3392
3393 /*
3394  * Analyze a configure request.  Return true if it was agreeable, and
3395  * caused action sca, false if it has been rejected or nak'ed, and
3396  * caused action scn.  (The return value is used to make the state
3397  * transition decision in the state automaton.)
3398  */
3399 static int
3400 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
3401 {
3402         u_char *buf, *r, *p;
3403         struct ifnet *ifp = &sp->pp_if;
3404         int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
3405         struct in6_addr myaddr, desiredaddr, suggestaddr;
3406         int ifidcount;
3407         int type;
3408         int collision, nohisaddr;
3409
3410         len -= 4;
3411         origlen = len;
3412         /*
3413          * Make sure to allocate a buf that can at least hold a
3414          * conf-nak with an `address' option.  We might need it below.
3415          */
3416         buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
3417         if (! buf)
3418                 return (0);
3419
3420         /* pass 1: see if we can recognize them */
3421         if (debug)
3422                 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:",
3423                     SPP_ARGS(ifp));
3424         p = (void*) (h+1);
3425         ifidcount = 0;
3426         for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
3427                 if (debug)
3428                         addlog(" %s", sppp_ipv6cp_opt_name(*p));
3429                 switch (*p) {
3430                 case IPV6CP_OPT_IFID:
3431                         if (len >= 10 && p[1] == 10 && ifidcount == 0) {
3432                                 /* correctly formed address option */
3433                                 ifidcount++;
3434                                 continue;
3435                         }
3436                         if (debug)
3437                                 addlog(" [invalid]");
3438                         break;
3439 #ifdef notyet
3440                 case IPV6CP_OPT_COMPRESSION:
3441                         if (len >= 4 && p[1] >= 4) {
3442                                 /* correctly formed compress option */
3443                                 continue;
3444                         }
3445                         if (debug)
3446                                 addlog(" [invalid]");
3447                         break;
3448 #endif
3449                 default:
3450                         /* Others not supported. */
3451                         if (debug)
3452                                 addlog(" [rej]");
3453                         break;
3454                 }
3455                 /* Add the option to rejected list. */
3456                 bcopy (p, r, p[1]);
3457                 r += p[1];
3458                 rlen += p[1];
3459         }
3460         if (rlen) {
3461                 if (debug)
3462                         addlog(" send conf-rej\n");
3463                 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf);
3464                 goto end;
3465         } else if (debug)
3466                 addlog("\n");
3467
3468         /* pass 2: parse option values */
3469         sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
3470         if (debug)
3471                 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ",
3472                     SPP_ARGS(ifp));
3473         p = (void*) (h+1);
3474         len = origlen;
3475         type = CONF_ACK;
3476         for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
3477                 if (debug)
3478                         addlog(" %s", sppp_ipv6cp_opt_name(*p));
3479                 switch (*p) {
3480 #ifdef notyet
3481                 case IPV6CP_OPT_COMPRESSION:
3482                         continue;
3483 #endif
3484                 case IPV6CP_OPT_IFID:
3485                         bzero(&desiredaddr, sizeof(desiredaddr));
3486                         bcopy(&p[2], &desiredaddr.s6_addr[8], 8);
3487                         collision = (bcmp(&desiredaddr.s6_addr[8],
3488                                           &myaddr.s6_addr[8], 8) == 0);
3489                         nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);
3490
3491                         desiredaddr.s6_addr16[0] = htons(0xfe80);
3492                         desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index);
3493
3494                         if (!collision && !nohisaddr) {
3495                                 /* no collision, hisaddr known - Conf-Ack */
3496                                 type = CONF_ACK;
3497
3498                                 if (debug) {
3499                                         addlog(" %s [%s]",
3500                                                ip6_sprintf(&desiredaddr),
3501                                                sppp_cp_type_name(type));
3502                                 }
3503                                 continue;
3504                         }
3505
3506                         bzero(&suggestaddr, sizeof(&suggestaddr));
3507                         if (collision && nohisaddr) {
3508                                 /* collision, hisaddr unknown - Conf-Rej */
3509                                 type = CONF_REJ;
3510                                 bzero(&p[2], 8);
3511                         } else {
3512                                 /*
3513                                  * - no collision, hisaddr unknown, or
3514                                  * - collision, hisaddr known
3515                                  * Conf-Nak, suggest hisaddr
3516                                  */
3517                                 type = CONF_NAK;
3518                                 sppp_suggest_ip6_addr(sp, &suggestaddr);
3519                                 bcopy(&suggestaddr.s6_addr[8], &p[2], 8);
3520                         }
3521                         if (debug)
3522                                 addlog(" %s [%s]", ip6_sprintf(&desiredaddr),
3523                                        sppp_cp_type_name(type));
3524                         break;
3525                 }
3526                 /* Add the option to nak'ed list. */
3527                 bcopy (p, r, p[1]);
3528                 r += p[1];
3529                 rlen += p[1];
3530         }
3531
3532         if (rlen == 0 && type == CONF_ACK) {
3533                 if (debug)
3534                         addlog(" send %s\n", sppp_cp_type_name(type));
3535                 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1);
3536         } else {
3537 #ifdef DIAGNOSTIC
3538                 if (type == CONF_ACK)
3539                         panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
3540 #endif
3541
3542                 if (debug) {
3543                         addlog(" send %s suggest %s\n",
3544                                sppp_cp_type_name(type), ip6_sprintf(&suggestaddr));
3545                 }
3546                 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf);
3547         }
3548
3549  end:
3550         free (buf, M_TEMP);
3551         return (rlen == 0);
3552 }
3553
3554 /*
3555  * Analyze the IPv6CP Configure-Reject option list, and adjust our
3556  * negotiation.
3557  */
3558 static void
3559 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
3560 {
3561         u_char *buf, *p;
3562         struct ifnet *ifp = &sp->pp_if;
3563         int debug = ifp->if_flags & IFF_DEBUG;
3564
3565         len -= 4;
3566         buf = malloc (len, M_TEMP, M_NOWAIT);
3567         if (!buf)
3568                 return;
3569
3570         if (debug)
3571                 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:",
3572                     SPP_ARGS(ifp));
3573
3574         p = (void*) (h+1);
3575         for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3576                 if (debug)
3577                         addlog(" %s", sppp_ipv6cp_opt_name(*p));
3578                 switch (*p) {
3579                 case IPV6CP_OPT_IFID:
3580                         /*
3581                          * Peer doesn't grok address option.  This is
3582                          * bad.  XXX  Should we better give up here?
3583                          */
3584                         sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID);
3585                         break;
3586 #ifdef notyet
3587                 case IPV6CP_OPT_COMPRESS:
3588                         sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS);
3589                         break;
3590 #endif
3591                 }
3592         }
3593         if (debug)
3594                 addlog("\n");
3595         free (buf, M_TEMP);
3596         return;
3597 }
3598
3599 /*
3600  * Analyze the IPv6CP Configure-NAK option list, and adjust our
3601  * negotiation.
3602  */
3603 static void
3604 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
3605 {
3606         u_char *buf, *p;
3607         struct ifnet *ifp = &sp->pp_if;
3608         int debug = ifp->if_flags & IFF_DEBUG;
3609         struct in6_addr suggestaddr;
3610
3611         len -= 4;
3612         buf = malloc (len, M_TEMP, M_NOWAIT);
3613         if (!buf)
3614                 return;
3615
3616         if (debug)
3617                 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:",
3618                     SPP_ARGS(ifp));
3619
3620         p = (void*) (h+1);
3621         for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3622                 if (debug)
3623                         addlog(" %s", sppp_ipv6cp_opt_name(*p));
3624                 switch (*p) {
3625                 case IPV6CP_OPT_IFID:
3626                         /*
3627                          * Peer doesn't like our local ifid.  See
3628                          * if we can do something for him.  We'll drop
3629                          * him our address then.
3630                          */
3631                         if (len < 10 || p[1] != 10)
3632                                 break;
3633                         bzero(&suggestaddr, sizeof(suggestaddr));
3634                         suggestaddr.s6_addr16[0] = htons(0xfe80);
3635                         suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index);
3636                         bcopy(&p[2], &suggestaddr.s6_addr[8], 8);
3637
3638                         sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
3639                         if (debug)
3640                                 addlog(" [suggestaddr %s]",
3641                                        ip6_sprintf(&suggestaddr));
3642 #ifdef IPV6CP_MYIFID_DYN
3643                         /*
3644                          * When doing dynamic address assignment,
3645                          * we accept his offer.
3646                          */
3647                         if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
3648                                 struct in6_addr lastsuggest;
3649                                 /*
3650                                  * If <suggested myaddr from peer> equals to
3651                                  * <hisaddr we have suggested last time>,
3652                                  * we have a collision.  generate new random
3653                                  * ifid.
3654                                  */
3655                                 sppp_suggest_ip6_addr(&lastsuggest);
3656                                 if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
3657                                                        lastsuggest)) {
3658                                         if (debug)
3659                                                 addlog(" [random]");
3660                                         sppp_gen_ip6_addr(sp, &suggestaddr);
3661                                 }
3662                                 sppp_set_ip6_addr(sp, &suggestaddr, 0);
3663                                 if (debug)
3664                                         addlog(" [agree]");
3665                                 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
3666                         }
3667 #else
3668                         /*
3669                          * Since we do not do dynamic address assignment,
3670                          * we ignore it and thus continue to negotiate
3671                          * our already existing value.  This can possibly
3672                          * go into infinite request-reject loop.
3673                          *
3674                          * This is not likely because we normally use
3675                          * ifid based on MAC-address.
3676                          * If you have no ethernet card on the node, too bad.
3677                          * XXX should we use fail_counter?
3678                          */
3679 #endif
3680                         break;
3681 #ifdef notyet
3682                 case IPV6CP_OPT_COMPRESS:
3683                         /*
3684                          * Peer wants different compression parameters.
3685                          */
3686                         break;
3687 #endif
3688                 }
3689         }
3690         if (debug)
3691                 addlog("\n");
3692         free (buf, M_TEMP);
3693         return;
3694 }
3695 static void
3696 sppp_ipv6cp_tlu(struct sppp *sp)
3697 {
3698         /* we are up - notify isdn daemon */
3699         if (sp->pp_con)
3700                 sp->pp_con(sp);
3701 }
3702
3703 static void
3704 sppp_ipv6cp_tld(struct sppp *sp)
3705 {
3706 }
3707
3708 static void
3709 sppp_ipv6cp_tls(struct sppp *sp)
3710 {
3711         /* indicate to LCP that it must stay alive */
3712         sp->lcp.protos |= (1 << IDX_IPV6CP);