Is there any possibility for ndq_vnet != ndq_ifa->ifa_ifp->if_vnet?

Do we expect any substantial contention on this lock? I'd suggest not to virtualize it.

I also prefer not to virtualize it.
However, I plan to implement all delayed NDP related RFCs that are currently unaddressed.
For instance:

• Anycast advertisement delay rule (RFC 4861, 7.2.7)
• Proxy advertisement delay rule (RFC 4861, 7.2.8)

There are additional RFC/rules that require delaying as well.
I'm worried that we might end up facing contention on this lock.
Why?
IPv6 can and will have multiple addresses per interface.
In production, I saw many cases with more than 50+ jails, and each having two or more IPv6 addesses.
Consider this scenario:

1. sysrc jail_parallel_start="YES" (which is common)
2. boot or service jail restart
3. Attempting to assign more than 100 IPv6 addresses simultaneously.

I don't know how to measure lock contention, AFAIK, witness(4) only helps with order violations.
I would appreciate if you could introduce me to any facility that records contention.
I can use rw_try_lock and counting it for measurement, I think it would affect how it behaves.

Anyway, I will remove queue virtualization for now and will rollback when you think it's needed.

About in6_addr, I don't think we can attach the queue to the in6_addr.
At least, this is what I was trying to do first and failed to do it without introducing too much complexity.

About in6_addr, I don't think we can attach the queue to the in6_addr.
At least, this is what I was trying to do first and failed to do it without introducing too much complexity.

Oh, missed this comment. Can you please elaborate on what the complexity is? Seems to be straightforward at the first glance.

Let's confirm we both are talking about in6_ifaddr, not about in6_addr.

Can you please elaborate on what the complexity is? Seems to be straightforward at the first glance.

On the GRAND, llifaddr event, and other delaying rules that I'm aware of,
we want to enumerate per interface to find out how many delayed ND packets exist,
which is usually one per unique address, since delaying rules apply to network, not address.
This demands it to be on ifnet itself, which is not what we want.
Since we don't want to add this queue to ifnet for obvious reasons, the next candidate is in6_ifaddr,
which is associated with each unique address and that's not what we want.
because we don't have many entry per address.
we have many entries per interface.
IMHO, enumerating each queue for every address per interface is longer and more cumbersome,
especially considering we have to filter these addresses to determine their anycast/proxy flags or DAD status.

If I understood you correct, we don't need a queue at all. The entry is to become a part of in6_ifaddr and in case we need overall counter of delayed packets per interface, depending on how often we need that count, we can either iterate the address list or we can store the counter in in6_ifextra.

If I still don't understand that correct, let's talk about that online right after tomorrow's transport meeting.

This assert is too late. If ifa was null, we would panic at struct ifnet *ifp = ifa->ifa_ifp;. I don't think asserting here has a value, since if used incorrectly it will panic anyway.

You can avoid goto here easily.

I thought this way is cleaner.
These are alternatives I can think of.

feels weird since nobody before me done it (fgrep -A2 -r in6_setscope sys)

if (in6_setscope(&taddr6, ifp, NULL) == 0)
    nd6_na_output_fib(ifp, &taddr6, IFA_IN6(ifa), flags, tlladdr, NULL, ifp->if_fib);

NET_EPOCH_EXIT(et);
CURVNET_RESTORE();

feels long

if (in6_setscope(&taddr6, ifp, NULL) != 0) {
    NET_EPOCH_EXIT(et);
    CURVNET_RESTORE();
    return;
}
    
nd6_na_output_fib(ifp, &taddr6, IFA_IN6(ifa), flags, tlladdr, NULL, ifp->if_fib);

NET_EPOCH_EXIT(et);
CURVNET_RESTORE();

feels over protective

error = in6_setscope(&taddr6, ifp, NULL);

if (error == 0)
    nd6_na_output_fib(ifp, &taddr6, IFA_IN6(ifa), flags, tlladdr, NULL, ifp->if_fib);

NET_EPOCH_EXIT(et);
CURVNET_RESTORE();

which one is better to replace or is there any other way that I didn't think of?

What do we achieve separating this function into a separate not inlined function? It is used only once. I always prefer not to separate a function that is used only once. This doesn't improve readability. There can be exclusions somtimes, of course.

This is used only once, I'd suggest to just do TAILQ_INIT() right here. Easier to understand for a new reader of code.

Unfortunately callout_drain() can't be called in non-sleepable context :( And we are in epoch here. Unfortunately, WITNESS didn't warn you about that. I'll take a look if WITNESS can be improved here.

Shouldn't this be an assertion? How can we happen to have an ndq entry with ifaddr that belongs to a different interface?

What do we achieve separating this function into a separate not inlined function? It is used only once. I always prefer not to separate a function that is used only once. This doesn't improve readability. There can be exclusions somtimes, of course.

I tried to follow the implementation of same event in IPv4. (arp_handle_ifllchange() in sys/netinet/if_ether.c).
However, I agree, the same event in ARP implementation has too many nested function too (arp_announce_ifaddr, arp_request, ...).
I'll merge it into a single function.

It was useful when I had a per-VNET lock to initialize. now it's useless. I'll fix that.

Note to myself. This line in the callout(9) manual means it could sleep:

This function MUST NOT be called while holding any locks on which the
callout might block

Let me see what can I do about it.

Shouldn't this be an assertion? How can we happen to have an ndq entry with ifaddr that belongs to a different interface?

It doesn't need to be an assertion either. You're right.
I was a little excited that I managed to make that panic go away and didn't double check. sorry :"(

We have same problem on ipv6 dad too.

1. nd6_ifdetach (enters epoch)
2. nd6_dad_stop()
3. nd6_dad_stoptimer()
4. callout_drain()

It is ok for nd6_dad_stoptimer() to call callout_drain(), the problem arises when it happens in a epoch read section.

Can we instead acquire the if_addr write lock and use callout_stop()? I don't think we should be using the net_epoch to synchronize DAD-related data structures: DAD operations are rare and do not really benefit from the concurrency enabled by epoch(9). It is much easier to reason about the correctness of code if it just uses regular locks. Really, net_epoch should mainly be used in data paths.

It is ok for nd6_dad_stoptimer() to call callout_drain(), the problem arises when it happens in a epoch read section.

So you mean it's ok to add an indirect function to call callout_drain() in the middle of NET_EPOCH_ENTER?
because, AFAICU, this is exactly what happens for dad_stop.

GRAND is somehow different from DAD. but i'm working on removing epoch.

I like the very first:

if (in6_setscope(&taddr6, ifp, NULL) == 0)
    nd6_na_output_fib(ifp, &taddr6, IFA_IN6(ifa), flags, tlladdr, NULL, ifp->if_fib);

You may also augment with __predict_true().

This callout_stop() may not succeed and in that case nd6_queue_rel() will free the memory. But the callout thread is already blocked in softclock_call_cc(0 at line 1544. Blocked on the lock that nd6_queue_rel() just destroyed. Yep, unfortunately our callout(9) is a minefield.

There is an undocumented flag to callout that you may find useful. See efcb2ec8cb81ea44c58e41082c6d965f9493099f.