/** @file
 * @brief IPv6 privacy extension (RFC 8981)
 */

/*
 * Copyright (c) 2018 Intel Corporation
 * Copyright (c) 2024 Nordic Semiconductor
 *
 * SPDX-License-Identifier: Apache-2.0
 */

#include <zephyr/logging/log.h>
LOG_MODULE_REGISTER(net_ipv6_pe, CONFIG_NET_IPV6_PE_LOG_LEVEL);

#include <errno.h>
#include <stdlib.h>

#include <zephyr/kernel.h>
#include <zephyr/random/random.h>

#include <mbedtls/md.h>

#include <zephyr/net/net_core.h>
#include <zephyr/net/net_pkt.h>
#include <zephyr/net/net_if.h>

#include "net_private.h"
#include "ipv6.h"

/* From RFC 5453 */
static const struct in6_addr reserved_anycast_subnet = { { {
			0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80,
			0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
		} } };

/* RFC 8981 ch 3.8 preferred lifetime must be smaller than valid lifetime */
BUILD_ASSERT(CONFIG_NET_IPV6_PE_TEMP_PREFERRED_LIFETIME <
	     CONFIG_NET_IPV6_PE_TEMP_VALID_LIFETIME);

/* IPv6 privacy extension (RFC 8981) constants. Note that the code uses
 * seconds value internally for applicaple options. These are also values
 * that can be changed at runtime if needed as recommended in RFC 8981
 * chapter 3.6.
 */
static uint32_t temp_valid_lifetime =
	CONFIG_NET_IPV6_PE_TEMP_VALID_LIFETIME * SEC_PER_MIN;
#define TEMP_VALID_LIFETIME temp_valid_lifetime

static uint32_t temp_preferred_lifetime =
	CONFIG_NET_IPV6_PE_TEMP_PREFERRED_LIFETIME * SEC_PER_MIN;
#define TEMP_PREFERRED_LIFETIME temp_preferred_lifetime

/* This is the upper bound on DESYNC_FACTOR. The value is in seconds.
 * See RFC 8981 ch 3.8 for details.
 *
 * RFC says the DESYNC_FACTOR should be 0.4 times the preferred lifetime.
 * This is too short for Zephyr as it means that the address is very long
 * time in deprecated state and not being used. Make this 7% of the preferred
 * time to deprecate the addresses later.
 */
#define MAX_DESYNC_FACTOR   ((uint32_t)((uint64_t)TEMP_PREFERRED_LIFETIME * \
				       (uint64_t)7U) / (uint64_t)100U)
#define DESYNC_FACTOR(ipv6) ((ipv6)->desync_factor)

#define TEMP_IDGEN_RETRIES      CONFIG_NET_IPV6_PE_TEMP_IDGEN_RETRIES

/* The REGEN_ADVANCE is in seconds
 * retrans_timer (in ms) is specified in RFC 4861
 * dup_addr_detect_transmits (in ms) is specified in RFC 4862
 */
static inline uint32_t REGEN_ADVANCE(uint32_t retrans_timer,
				     uint32_t dup_addr_detect_transmits)
{
	return (2U + (uint32_t)((uint64_t)TEMP_IDGEN_RETRIES *
				(uint64_t)retrans_timer *
				(uint64_t)dup_addr_detect_transmits /
				(uint64_t)1000U));
}

#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0
/* Is this denylisting filter or not */
static bool ipv6_pe_denylist;
static struct in6_addr ipv6_pe_filter[CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT];

static K_MUTEX_DEFINE(lock);
#endif

/* We need to periodically update the private address. */
static struct k_work_delayable temp_lifetime;

static bool ipv6_pe_use_this_prefix(const struct in6_addr *prefix)
{
#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0
	int filter_found = false;
	bool ret = true;

	k_mutex_lock(&lock, K_FOREVER);

	ARRAY_FOR_EACH(ipv6_pe_filter, i) {
		if (net_ipv6_is_addr_unspecified(&ipv6_pe_filter[i])) {
			continue;
		}

		filter_found = true;

		if (net_ipv6_addr_cmp(prefix, &ipv6_pe_filter[i])) {
			if (ipv6_pe_denylist) {
				ret = false;
			}

			goto out;
		}
	}

	if (filter_found) {
		/* There was no match so if we are deny listing, then this
		 * address must be acceptable.
		 */
		if (!ipv6_pe_denylist) {
			ret = false;
			goto out;
		}
	}

out:
	k_mutex_unlock(&lock);

	return ret;
#else
	ARG_UNUSED(prefix);

	return true;
#endif
}

static bool ipv6_pe_prefix_already_exists(struct net_if_ipv6 *ipv6,
					  const struct in6_addr *prefix)
{
	ARRAY_FOR_EACH(ipv6->unicast, i) {
		if (!ipv6->unicast[i].is_used ||
		    ipv6->unicast[i].address.family != AF_INET6 ||
		    !ipv6->unicast[i].is_temporary ||
		    ipv6->unicast[i].addr_state == NET_ADDR_DEPRECATED) {
			continue;
		}

		if (net_ipv6_is_prefix(
			    (uint8_t *)&ipv6->unicast[i].address.in6_addr,
			    (uint8_t *)prefix, 64)) {
			return true;
		}
	}

	return false;
}

static int ipv6_pe_prefix_remove(struct net_if *iface,
				 struct net_if_ipv6 *ipv6,
				 const struct in6_addr *prefix)
{
	int count = 0;

	ARRAY_FOR_EACH(ipv6->unicast, i) {
		if (ipv6->unicast[i].is_used &&
		    ipv6->unicast[i].address.family == AF_INET6 &&
		    ipv6->unicast[i].is_temporary &&
		    net_ipv6_is_prefix(
			    (uint8_t *)&ipv6->unicast[i].address.in6_addr,
			    (uint8_t *)prefix, 64)) {
			net_if_ipv6_addr_rm(iface,
					    &ipv6->unicast[i].address.in6_addr);
			count++;
		}
	}

	return count;
}

static bool ipv6_pe_prefix_update_lifetimes(struct net_if_ipv6 *ipv6,
					    const struct in6_addr *prefix,
					    uint32_t vlifetime)
{
	int32_t addr_age, new_age;

	ARRAY_FOR_EACH(ipv6->unicast, i) {
		if (!(ipv6->unicast[i].is_used &&
		      ipv6->unicast[i].address.family == AF_INET6 &&
		      ipv6->unicast[i].is_temporary &&
		      ipv6->unicast[i].addr_state == NET_ADDR_PREFERRED &&
		      net_ipv6_is_prefix(
			      (uint8_t *)&ipv6->unicast[i].address.in6_addr,
			      (uint8_t *)prefix, 64))) {
			continue;
		}

		addr_age = (uint32_t)(k_uptime_get() / 1000UL) -
			ipv6->unicast[i].addr_create_time;
		new_age = abs(addr_age) + vlifetime;

		if ((new_age >= TEMP_VALID_LIFETIME) ||
		    (new_age >= (TEMP_PREFERRED_LIFETIME -
				 DESYNC_FACTOR(ipv6)))) {
			break;
		}

		net_if_ipv6_addr_update_lifetime(&ipv6->unicast[i], vlifetime);

		/* RFC 8981 ch 3.5, "... at most one temporary address per
		 * prefix should be in a non-deprecated state at any given
		 * time on a given interface."
		 * Because of this there is no need to continue the loop.
		 */
		return true;
	}

	return false;
}

/* RFC 8981 ch 3.3.2 */
static void gen_temporary_iid(struct net_if *iface,
			      const struct in6_addr *prefix,
			      uint8_t *network_id, size_t network_id_len,
			      uint8_t dad_counter,
			      uint8_t *temporary_iid,
			      size_t temporary_iid_len)
{
	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
	mbedtls_md_context_t ctx;
	uint8_t digest[32];
	static bool once;
	static uint8_t secret_key[16]; /* Min 128 bits, RFC 8981 ch 3.3.2 */
	struct {
		struct in6_addr prefix;
		uint32_t current_time;
		uint8_t network_id[16];
		uint8_t mac[6];
		uint8_t dad_counter;
	} buf = {
		.current_time = k_uptime_get_32(),
		.dad_counter = dad_counter,
	};

	memcpy(&buf.prefix, prefix, sizeof(struct in6_addr));

	if (network_id != NULL && network_id_len > 0) {
		memcpy(buf.network_id, network_id,
		       MIN(network_id_len, sizeof(buf.network_id)));
	}

	memcpy(buf.mac, net_if_get_link_addr(iface)->addr,
	       MIN(sizeof(buf.mac), net_if_get_link_addr(iface)->len));

	if (!once) {
		sys_rand_get(&secret_key, sizeof(secret_key));
		once = true;
	}

	mbedtls_md_init(&ctx);
	mbedtls_md_setup(&ctx, md_info, true);
	mbedtls_md_hmac_starts(&ctx, secret_key, sizeof(secret_key));
	mbedtls_md_hmac_update(&ctx, (uint8_t *)&buf, sizeof(buf));
	mbedtls_md_hmac_finish(&ctx, digest);
	mbedtls_md_free(&ctx);

	memcpy(temporary_iid, digest, MIN(sizeof(digest), temporary_iid_len));
}

void net_ipv6_pe_start(struct net_if *iface, const struct in6_addr *prefix,
		       uint32_t vlifetime, uint32_t preferred_lifetime)
{
	struct net_if_addr *ifaddr;
	struct net_if_ipv6 *ipv6;
	struct in6_addr addr;
	k_ticks_t remaining;
	k_timeout_t vlifetimeout;
	int i, dad_count = 1;
	int32_t lifetime;
	bool valid = false;

	net_if_lock(iface);

	if (net_if_config_ipv6_get(iface, &ipv6) < 0) {
		NET_WARN("Cannot do DAD IPv6 config is not valid.");
		goto out;
	}

	if (!ipv6) {
		goto out;
	}

	/* Check if user agrees to use this prefix */
	if (!ipv6_pe_use_this_prefix(prefix)) {
		NET_DBG("Prefix %s/64 is not to be used",
			net_sprint_ipv6_addr(prefix));
		goto out;
	}

	/* If the prefix is already added and it is still valid and is not
	 * deprecated, then we do not try to add it again.
	 */
	if (ipv6_pe_prefix_already_exists(ipv6, prefix)) {
		if (vlifetime == 0) {
			i = ipv6_pe_prefix_remove(iface, ipv6, prefix);

			NET_DBG("Removed %d addresses using prefix %s/64",
				i, net_sprint_ipv6_addr(prefix));
		} else {
			ipv6_pe_prefix_update_lifetimes(ipv6, prefix, vlifetime);
		}

		goto out;
	}

	preferred_lifetime = MIN(preferred_lifetime,
				 TEMP_PREFERRED_LIFETIME -
				 DESYNC_FACTOR(ipv6));
	if (preferred_lifetime == 0 ||
	    preferred_lifetime <= REGEN_ADVANCE(ipv6->retrans_timer, 1U)) {
		NET_DBG("Too short preferred lifetime (%u <= %u), temp address not "
			"created for prefix %s/64", preferred_lifetime,
			REGEN_ADVANCE(ipv6->retrans_timer, 1U),
			net_sprint_ipv6_addr(prefix));
		goto out;
	}

	NET_DBG("Starting PE process for prefix %s/64",
		net_sprint_ipv6_addr(prefix));

	net_ipaddr_copy(&addr, prefix);

	do {
		gen_temporary_iid(iface, prefix,
				  COND_CODE_1(CONFIG_NET_INTERFACE_NAME,
					      (iface->config.name,
					       sizeof(iface->config.name)),
					      (net_if_get_device(iface)->name,
					       strlen(net_if_get_device(iface)->name))),
				  dad_count,
				  &addr.s6_addr[8], 8U);

		ifaddr = net_if_ipv6_addr_lookup(&addr, NULL);
		if (ifaddr == NULL && !net_ipv6_is_addr_unspecified(&addr) &&
		    memcmp(&addr, &reserved_anycast_subnet,
			   sizeof(struct in6_addr)) != 0) {
			valid = true;
			break;
		}

	} while (dad_count++ < TEMP_IDGEN_RETRIES);

	if (valid == false) {
		NET_WARN("Could not create a valid iid for prefix %s/64 for interface %d",
			 net_sprint_ipv6_addr(prefix),
			 net_if_get_by_iface(iface));
		NET_WARN("Disabling IPv6 PE for interface %d",
			 net_if_get_by_iface(iface));
		net_mgmt_event_notify(NET_EVENT_IPV6_PE_DISABLED, iface);
		iface->pe_enabled = false;
		goto out;
	}

	vlifetime = MIN(TEMP_VALID_LIFETIME, vlifetime);

	ifaddr = net_if_ipv6_addr_add(iface, &addr, NET_ADDR_AUTOCONF, vlifetime);
	if (!ifaddr) {
		NET_ERR("Cannot add %s address to interface %d",
			net_sprint_ipv6_addr(&addr),
			net_if_get_by_iface(iface));
		goto out;
	}

	lifetime = TEMP_VALID_LIFETIME -
		REGEN_ADVANCE(net_if_ipv6_get_retrans_timer(iface), 1U);

	DESYNC_FACTOR(ipv6) = sys_rand32_get() % MAX_DESYNC_FACTOR;

	/* Make sure that the address timeout happens at least two seconds
	 * after the deprecation.
	 */
	DESYNC_FACTOR(ipv6) = MIN(DESYNC_FACTOR(ipv6) + 2U, lifetime);

	ifaddr->is_temporary = true;
	ifaddr->addr_preferred_lifetime = preferred_lifetime;
	ifaddr->addr_timeout = ifaddr->addr_preferred_lifetime - DESYNC_FACTOR(ipv6);
	ifaddr->addr_create_time = (uint32_t)(k_uptime_get() / 1000UL);

	NET_DBG("Lifetime %d desync %d timeout %d preferred %d valid %d",
		lifetime, DESYNC_FACTOR(ipv6), ifaddr->addr_timeout,
		ifaddr->addr_preferred_lifetime, vlifetime);

	NET_DBG("Starting DAD for %s iface %d", net_sprint_ipv6_addr(&addr),
		net_if_get_by_iface(iface));

	net_if_ipv6_start_dad(iface, ifaddr);

	vlifetimeout = K_SECONDS(ifaddr->addr_timeout);

	remaining = k_work_delayable_remaining_get(&temp_lifetime);
	if (remaining == 0 || remaining > vlifetimeout.ticks) {
		NET_DBG("Next check for temp addresses in %d seconds",
			ifaddr->addr_timeout);
		k_work_schedule(&temp_lifetime, vlifetimeout);
	}

out:
	net_if_unlock(iface);
}

#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0

static void iface_cb(struct net_if *iface, void *user_data)
{
	bool is_new_filter_denylist = !ipv6_pe_denylist;
	struct in6_addr *prefix = user_data;
	struct net_if_ipv6 *ipv6;
	int ret;

	net_if_lock(iface);

	if (net_if_config_ipv6_get(iface, &ipv6) < 0) {
		goto out;
	}

	if (!ipv6) {
		goto out;
	}

	ARRAY_FOR_EACH(ipv6->unicast, i) {
		if (!ipv6->unicast[i].is_used ||
		    ipv6->unicast[i].address.family != AF_INET6 ||
		    !ipv6->unicast[i].is_temporary) {
			continue;
		}

		ret = net_ipv6_is_prefix(
				(uint8_t *)&ipv6->unicast[i].address.in6_addr,
				(uint8_t *)prefix, 64);

		/* TODO: Do this removal gracefully so that applications
		 * have time to cope with this change.
		 */
		if (is_new_filter_denylist) {
			if (ret) {
				net_if_ipv6_addr_rm(iface,
					    &ipv6->unicast[i].address.in6_addr);
			}
		} else {
			if (!ret) {
				net_if_ipv6_addr_rm(iface,
					    &ipv6->unicast[i].address.in6_addr);
			}
		}
	}

out:
	net_if_unlock(iface);
}

/* If we change filter value, then check if existing IPv6 prefixes will
 * conflict with the new filter.
 */
static void ipv6_pe_recheck_filters(bool is_denylist)
{
	k_mutex_lock(&lock, K_FOREVER);

	ARRAY_FOR_EACH(ipv6_pe_filter, i) {
		if (net_ipv6_is_addr_unspecified(&ipv6_pe_filter[i])) {
			continue;
		}

		net_if_foreach(iface_cb, &ipv6_pe_filter[i]);
	}

	k_mutex_unlock(&lock);
}
#endif /* CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0 */

#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0
static void send_filter_event(struct in6_addr *addr, bool is_denylist,
			      int event_type)
{
	if (IS_ENABLED(CONFIG_NET_MGMT_EVENT_INFO)) {
		struct net_event_ipv6_pe_filter info;

		net_ipaddr_copy(&info.prefix, addr);
		info.is_deny_list = is_denylist;

		net_mgmt_event_notify_with_info(event_type,
						NULL,
						(const void *)&info,
						sizeof(info));
	} else {
		net_mgmt_event_notify(event_type, NULL);
	}
}
#endif

int net_ipv6_pe_add_filter(struct in6_addr *addr, bool is_denylist)
{
#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0
	bool found = false;
	int free_slot = -1;
	int ret = 0;

	k_mutex_lock(&lock, K_FOREVER);

	ARRAY_FOR_EACH(ipv6_pe_filter, i) {
		if (free_slot < 0 &&
		    net_ipv6_is_addr_unspecified(&ipv6_pe_filter[i])) {
			free_slot = i;
			continue;
		}

		if (net_ipv6_is_prefix((uint8_t *)addr,
				       (uint8_t *)&ipv6_pe_filter[i],
				       64)) {
			found = true;
			break;
		}
	}

	if (found) {
		NET_DBG("Filter %s already in the list",
			net_sprint_ipv6_addr(addr));
		ret = -EALREADY;
		goto out;
	}

	if (free_slot < 0) {
		NET_DBG("All filters in use");
		ret = -ENOMEM;
		goto out;
	}

	net_ipaddr_copy(&ipv6_pe_filter[free_slot], addr);

	if (ipv6_pe_denylist != is_denylist) {
		ipv6_pe_recheck_filters(is_denylist);
	}

	ipv6_pe_denylist = is_denylist ? true : false;

	NET_DBG("Adding %s list filter %s",
		ipv6_pe_denylist ? "deny" : "allow",
		net_sprint_ipv6_addr(&ipv6_pe_filter[free_slot]));

	send_filter_event(&ipv6_pe_filter[free_slot],
			  is_denylist,
			  NET_EVENT_IPV6_PE_FILTER_ADD);
out:
	k_mutex_unlock(&lock);

	return ret;
#else
	ARG_UNUSED(addr);
	ARG_UNUSED(is_denylist);

	return -ENOTSUP;
#endif
}

int net_ipv6_pe_del_filter(struct in6_addr *addr)
{
#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0
	int ret = -ENOENT;

	k_mutex_lock(&lock, K_FOREVER);

	ARRAY_FOR_EACH(ipv6_pe_filter, i) {
		if (net_ipv6_addr_cmp(&ipv6_pe_filter[i], addr)) {
			NET_DBG("Removing %s list filter %s",
				ipv6_pe_denylist ? "deny" : "allow",
				net_sprint_ipv6_addr(&ipv6_pe_filter[i]));

			send_filter_event(&ipv6_pe_filter[i],
					  ipv6_pe_denylist,
					  NET_EVENT_IPV6_PE_FILTER_DEL);

			net_ipaddr_copy(&ipv6_pe_filter[i],
					net_ipv6_unspecified_address());

			ret = 0;
			goto out;
		}
	}

out:
	k_mutex_unlock(&lock);

	return ret;
#else
	ARG_UNUSED(addr);

	return -ENOTSUP;
#endif
}

bool net_ipv6_pe_check_dad(int count)
{
	return count <= TEMP_IDGEN_RETRIES;
}

int net_ipv6_pe_filter_foreach(net_ipv6_pe_filter_cb_t cb, void *user_data)
{
#if CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT > 0
	int i, count = 0;

	k_mutex_lock(&lock, K_FOREVER);

	for (i = 0; i < CONFIG_NET_IPV6_PE_FILTER_PREFIX_COUNT; i++) {
		if (net_ipv6_is_addr_unspecified(&ipv6_pe_filter[i])) {
			continue;
		}

		cb(&ipv6_pe_filter[i], ipv6_pe_denylist, user_data);

		count++;
	}

	k_mutex_unlock(&lock);

	return count;
#else
	ARG_UNUSED(cb);
	ARG_UNUSED(user_data);

	return 0;
#endif
}

struct deprecated_work {
	struct k_work_delayable work;
	struct net_if *iface;
	struct in6_addr addr;
};

static struct deprecated_work trigger_deprecated_event;

static void send_deprecated_event(struct k_work *work)
{
	struct k_work_delayable *dwork = k_work_delayable_from_work(work);
	struct deprecated_work *dw = CONTAINER_OF(dwork,
						  struct deprecated_work,
						  work);

	net_mgmt_event_notify_with_info(NET_EVENT_IPV6_ADDR_DEPRECATED,
					dw->iface, &dw->addr,
					sizeof(struct in6_addr));
}

static void renewal_cb(struct net_if *iface, void *user_data)
{
	struct net_if_ipv6 *ipv6;
	struct in6_addr prefix;

	if (net_if_config_ipv6_get(iface, &ipv6) < 0) {
		return;
	}

	if (!ipv6) {
		return;
	}

	ARRAY_FOR_EACH(ipv6->unicast, i) {
		int32_t diff;

		if (!ipv6->unicast[i].is_used ||
		    ipv6->unicast[i].address.family != AF_INET6 ||
		    !ipv6->unicast[i].is_temporary ||
		    ipv6->unicast[i].addr_state == NET_ADDR_DEPRECATED) {
			continue;
		}

		/* If the address is too old, then generate a new one
		 * and remove the old address.
		 */
		diff = (int32_t)(ipv6->unicast[i].addr_create_time -
			       ((uint32_t)(k_uptime_get() / 1000UL)));
		diff = abs(diff);

		if (diff < (ipv6->unicast[i].addr_preferred_lifetime -
			    REGEN_ADVANCE(ipv6->retrans_timer, 1U) -
			    DESYNC_FACTOR(ipv6))) {
			continue;
		}

		net_ipaddr_copy(&prefix, &ipv6->unicast[i].address.in6_addr);
		memset(prefix.s6_addr + 8, 0, sizeof(prefix) - 8);

		NET_DBG("IPv6 address %s is deprecated",
			net_sprint_ipv6_addr(&ipv6->unicast[i].address.in6_addr));

		ipv6->unicast[i].addr_state = NET_ADDR_DEPRECATED;

		/* Create a new temporary address and then notify users
		 * that the old address is deprecated so that they can
		 * re-connect to use the new address. We cannot send deprecated
		 * event immediately because the new IPv6 will need to do DAD
		 * and that takes a bit time.
		 */
		net_ipv6_pe_start(iface, &prefix,
				  TEMP_VALID_LIFETIME,
				  TEMP_PREFERRED_LIFETIME);

		/* It is very unlikely but still a small possibility that there
		 * could be another work already pending.
		 * Fixing this would require allocating space for the work
		 * somewhere. Currently this does not look like worth fixing.
		 * Print a warning if there is a work already pending.
		 */
		if (k_work_delayable_is_pending(&trigger_deprecated_event.work)) {
			NET_WARN("Work already pending for deprecated event sending.");
		}

		trigger_deprecated_event.iface = iface;
		memcpy(&trigger_deprecated_event.addr,
		       &ipv6->unicast[i].address.in6_addr,
		       sizeof(struct in6_addr));

		/* 500ms should be enough for DAD to pass */
		k_work_schedule(&trigger_deprecated_event.work, K_MSEC(500));
	}
}

static void ipv6_pe_renew(struct k_work *work)
{
	ARG_UNUSED(work);

	net_if_foreach(renewal_cb, NULL);
}

int net_ipv6_pe_init(struct net_if *iface)
{
	int32_t lifetime;
	int ret = 0;

	net_mgmt_event_notify(NET_EVENT_IPV6_PE_ENABLED, iface);

	lifetime = TEMP_VALID_LIFETIME -
		REGEN_ADVANCE(net_if_ipv6_get_retrans_timer(iface), 1U);

	if (lifetime <= 0) {
		iface->pe_enabled = false;
		net_mgmt_event_notify(NET_EVENT_IPV6_PE_DISABLED, iface);
		ret = -EINVAL;
		goto out;
	}

	iface->pe_enabled = true;
	iface->pe_prefer_public =
		IS_ENABLED(CONFIG_NET_IPV6_PE_PREFER_PUBLIC_ADDRESSES) ?
		true : false;

	k_work_init_delayable(&temp_lifetime, ipv6_pe_renew);
	k_work_init_delayable(&trigger_deprecated_event.work,
			      send_deprecated_event);

out:
	NET_DBG("pe %s prefer %s lifetime %d sec",
		iface->pe_enabled ? "enabled" : "disabled",
		iface->pe_prefer_public ? "public" : "temporary",
		lifetime);

	return ret;
}