From 9a8989c58cbc9d456c0c7757b1a5415e65459d47 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 16:36:03 +0100
Subject: [PATCH 01/26] plan: add exhaustive ipv6 link-local implementation
 roadmap

---
 plans/ipv6-linklocal.md | 674 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 674 insertions(+)
 create mode 100644 plans/ipv6-linklocal.md

diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
new file mode 100644
index 0000000..4126dfa
--- /dev/null
+++ b/plans/ipv6-linklocal.md
@@ -0,0 +1,674 @@
+# IPv6 Link-Local Parity Plan
+
+## TODO
+
+- [x] Write plan
+- [ ] Phase 0: Define target behavior and compatibility boundaries
+- [ ] Phase 1: Kernel behavior parity for link-local addresses and routes
+- [ ] Phase 2: Router Advertisement and Router Solicitation behavior
+- [ ] Phase 3: Public API support for link-local and scope handling
+- [ ] Phase 4: Real-world presets for consumer and production-like IPv6
+- [ ] Phase 5: Tests and validation matrix
+- [ ] Final review
+
+## Goal
+
+Make patchbay's IPv6 link-local behavior match production and consumer deployments as closely as practical:
+
+- Every IPv6-capable interface has a usable link-local address.
+- Default router behavior uses link-local next hops from RA/ND semantics.
+- Scope-aware APIs and routing behavior work for `fe80::/10` correctly.
+- Consumer CPE behavior and host behavior follow modern RFC expectations.
+
+## Real-World Deployment Baselines
+
+This section defines the target behavior we want to emulate first. These are the reference deployment classes for parity work.
+
+### 1. Mobile carrier access (4G/5G, handset as host)
+
+- The host receives RAs from a carrier router. Default router is link-local.
+- The host has at least one LLA and often one or more temporary/stable global addresses.
+- IPv4 fallback is typically NAT64/464XLAT. This does not change the need for correct LLA default-router behavior.
+- A single interface commonly owns the active default route, with rapid route refresh during mobility events.
+
+Patchbay parity target:
+
+- RS on interface up, RA-driven default route via `fe80::/10` next hop.
+- Route replacement behavior that handles carrier-style churn.
+- Optional NAT64 remains independent from LLA mechanics.
+
+### 2. Home router with IPv6 support (consumer CPE)
+
+- CPE advertises one or more /64 LAN prefixes via RA.
+- Router source address for RA is link-local on that LAN interface.
+- Hosts choose default route from RA and maintain Neighbor Cache entries to the router LLA.
+- Stateful firewall on CPE controls inbound behavior. This is separate from ND/RA correctness.
+
+Patchbay parity target:
+
+- Router LAN interfaces send RAs with configurable lifetime and preference.
+- Hosts install and remove default routes based on RA timers.
+- Prefix and default-router behavior follows RFC 4861/4862/5942 semantics.
+
+### 3. Linux laptop host behavior
+
+- Uses kernel SLAAC and RFC 4861 ND behavior.
+- Link-local sockets and routes require interface scope correctness.
+- DAD is normally enabled; addresses can remain tentative briefly after link up.
+
+Patchbay parity target:
+
+- Default mode keeps DAD enabled.
+- Tests can assert tentative -> preferred transition when needed.
+- Scope-aware APIs prevent accidental use of ambiguous LLAs.
+
+### 4. macOS laptop host behavior
+
+- Uses RA-driven default route and SLAAC with temporary address rotation.
+- Strongly depends on scoped address handling for user-space link-local sockets.
+- Route selection prefers valid default routers and can switch after lifetime expiry.
+
+Patchbay parity target:
+
+- Route lifetime and preference updates are modeled.
+- Link-local route installation and socket examples work with explicit scope.
+- The simulator models Linux-kernel-observable behavior and policy, not a byte-for-byte macOS network stack implementation.
+
+### 5. Windows laptop host behavior
+
+- Uses RA and SLAAC by default, including temporary addresses and stable behavior per interface.
+- Scope zone index is required for link-local destinations in many user-space APIs.
+- Multiple interfaces can produce multiple candidate default routes.
+
+Patchbay parity target:
+
+- Zone-aware examples and tests are part of docs and helper utilities.
+- Multi-interface device tests validate deterministic `default_via` behavior when multiple LLAs exist.
+- The simulator models Linux-kernel-observable behavior and policy, not a byte-for-byte Windows network stack implementation.
+
+### 6. Cross-platform baseline rules we should match
+
+- Every IPv6-enabled interface has an LLA.
+- RA source is link-local.
+- Default routers are represented as scoped LLA next hops.
+- Route and socket operations requiring scope fail fast when scope is missing.
+- DAD is on by default, off only in explicit deterministic test mode.
+
+## Research Basis
+
+Primary references used for this plan:
+
+- RFC 4861 (Neighbor Discovery): RA source must be link-local; default routers are learned from RA.
+  - https://www.rfc-editor.org/rfc/rfc4861
+- RFC 4862 (SLAAC): link-local creation lifecycle and DAD requirements.
+  - https://www.rfc-editor.org/rfc/rfc4862
+- RFC 4007 (Scoped addressing): link-local requires zone index / scope handling.
+  - https://www.rfc-editor.org/rfc/rfc4007
+- RFC 5942 (Subnet model): hosts should only treat explicit on-link prefixes as on-link.
+  - https://www.rfc-editor.org/rfc/rfc5942
+- RFC 4191 (Router preferences and RIO): default-router preference and route information semantics.
+  - https://www.rfc-editor.org/rfc/rfc4191
+- RFC 7084 (IPv6 CE requirements) plus updates RFC 9096 and RFC 9818: consumer router requirements.
+  - https://www.rfc-editor.org/rfc/rfc7084
+  - https://www.rfc-editor.org/rfc/rfc9096
+  - https://www.rfc-editor.org/rfc/rfc9818
+- Linux man pages: `ipv6(7)`, `ip-route(8)`, `ip-address(8)` for scope-id, route installation, and DAD state.
+  - https://man7.org/linux/man-pages/man7/ipv6.7.html
+  - https://man7.org/linux/man-pages/man8/ip-route.8.html
+  - https://man7.org/linux/man-pages/man8/ip-address.8.html
+
+## Current Gaps (as of today)
+
+Observed in current codebase:
+
+- IPv6 addresses are assigned explicitly from patchbay pools, not from link-local lifecycle.
+- IPv6 default route helper uses only gateway address and does not explicitly model interface scope for link-local next hops.
+- DAD is globally disabled in namespaces, which diverges from production defaults where DAD is usually enabled.
+- Public handles expose global/ULA-like `ip6()` but do not expose link-local per interface.
+- No explicit RA/RS simulation path for host default-router learning from link-local router addresses.
+- Devtools and event payloads do not surface LLA or default-router source details.
+- Presets do not distinguish static provisioning from RA-driven provisioning.
+- The plan text previously implied OS-specific emulation that patchbay cannot provide inside Linux network namespaces.
+
+## Phase 0: Behavior Contract
+
+Define the exact behavior profile to avoid ambiguous implementation:
+
+1. Add an internal design note under `docs/reference/ipv6.md` describing two modes:
+   - `production_like` (default target): DAD enabled, LLAs present, RA/RS path active where configured.
+   - `deterministic_test` (compat mode): existing deterministic static assignment semantics where needed for old tests.
+2. Define a policy profile matrix (`consumer_home`, `mobile_carrier`, `enterprise_strict`, `lab_deterministic`) that maps to expected observable behavior for tests and docs.
+3. Decide where strict realism is mandatory versus opt-in.
+4. List non-goals for first iteration, for example full DHCPv6-PD server stack in core.
+5. Define migration rules for existing tests that currently assume immediate non-tentative IPv6 addresses.
+6. Explicitly state that patchbay does not emulate non-Linux host stacks. It emulates deployment behavior and routing/address policy visible at the wire and netlink levels.
+
+Acceptance:
+
+- The project has one written contract for link-local behavior and migration strategy.
+- The contract explicitly maps behavior expectations to at least home CPE, mobile carrier, and laptop hosts.
+
+## Phase 1: Kernel Parity for LLA + Routes
+
+### 1.1 Interface link-local visibility
+
+1. Extend interface state model to carry an optional link-local IPv6 address (`ll6`) independently from global/ULA `ip6`.
+2. Add explicit `AddrState` metadata for IPv6 addresses where available (`tentative`, `preferred`, `deprecated`, `dadfailed`).
+3. Add helper methods on handles, for example `DeviceIface::ll6()` and router-side iface accessors.
+4. Ensure `ll6` can be discovered from netlink after interface bring-up, and cache refresh hooks exist after replug/reconfigure.
+
+### 1.2 Route installation with scoped next hops
+
+1. Add netlink methods for IPv6 default routes that can bind both next hop and output interface (scope-safe for link-local).
+2. For link-local next hop default routes, always install route with explicit device context.
+3. Keep existing global next hop path for non-link-local gateways.
+4. Add idempotent `replace_default_route_v6_scoped` helper for multi-uplink devices.
+5. Ensure route query helpers return interface index/name together with gateway to avoid scope loss.
+
+### 1.3 DAD behavior control
+
+1. Stop globally forcing `accept_dad=0` by default for production-like mode.
+2. Add explicit option to disable DAD only for deterministic test mode.
+3. Surface address state transitions (`tentative`, `dadfailed`) where useful for debugging.
+4. Add bounded waiting helper for tests that need a preferred IPv6 address before connect.
+
+Acceptance:
+
+- In a dual-stack lab, each IPv6-capable interface reports `ll6`.
+- Default route via link-local next hop works and resolves only with explicit interface scope.
+- DAD behavior is configurable and defaults to production-like mode.
+- Replug and route-switch operations preserve valid scoped default route behavior.
+
+## Phase 2: RA/RS and Default Router Learning
+
+### 2.1 Router behavior
+
+1. Add RA emission capability for router interfaces that should advertise prefixes.
+2. Ensure RA source address is the router interface link-local address.
+3. Support Router Lifetime and RFC 4191 preference fields.
+4. Optionally support Route Information Option for local-only communication patterns.
+5. Support configurable RA intervals and immediate unsolicited RA on topology changes.
+6. Implement RA emission as long-lived per-interface tasks owned by the namespace async worker, not on Tokio runtime threads outside netns.
+7. Define deterministic shutdown and restart semantics for those tasks during router removal, replug, or topology reset.
+
+### 2.2 Host behavior
+
+1. Add RS sending on host iface bring-up when RA mode is enabled.
+2. Populate default router from received RA using router link-local source.
+3. Maintain prefix list and on-link behavior consistent with RFC 5942 rules.
+4. Handle RA lifetime expiration and default-router withdrawal.
+5. Respect RIO when no default route is present (local communications-only scenarios).
+6. Implement host RS/default-router learning in netns worker tasks to preserve setns correctness and avoid cross-thread scope bugs.
+
+### 2.3 Compatibility mode
+
+1. Keep static route assignment path for tests that depend on fixed setup.
+2. Allow per-lab toggle: static provisioning versus RA-driven provisioning.
+3. Add per-device override for targeted migration of complex tests.
+
+Acceptance:
+
+- Host default route can be learned from RA and points to a link-local router address on the correct interface.
+- RA disable/enable and Router Lifetime changes produce expected default-router list behavior.
+- Static mode remains deterministic and preserves legacy test stability.
+- RA/RS tasks are started and stopped cleanly with namespace lifecycle events.
+
+## Phase 3: Public API and CLI Ergonomics
+
+1. Add explicit getters:
+   - `DeviceIface::ll6()`
+   - `RouterIface::ll6()`
+2. Add getters for default-router metadata per interface, including scoped next hop.
+3. Add utility constructors for scoped socket addresses in examples and helpers.
+4. Add convenience method for creating scoped textual addresses for diagnostics.
+5. Update event/devtools payloads to include link-local and scope metadata where relevant.
+6. Document route and socket caveats for link-local usage in tests (`sin6_scope_id` / iface binding requirements).
+7. Add migration notes for downstream users currently calling `ip6()` and assuming it is sufficient for routing.
+
+Acceptance:
+
+- Users can retrieve and use link-local addresses safely from the public API.
+- Devtools can display link-local addresses distinctly from global/ULA addresses.
+- Downstream tests can choose between global `ip6()` and scoped `ll6()` explicitly.
+
+## Planned Rust API Changes
+
+This section summarizes the expected public API surface changes, with compatibility notes.
+
+### New getters and metadata
+
+1. `DeviceIface::ll6() -> Option<Ipv6Addr>`
+   - Returns the interface link-local IPv6 address when IPv6 is enabled.
+2. `Router::iface(name: &str) -> Option<RouterIface>`
+   - Returns an owned snapshot handle for a router interface.
+3. `Router::interfaces() -> Vec<RouterIface>`
+   - Returns all router interfaces as owned snapshots.
+4. `RouterIface::ll6() -> Option<Ipv6Addr>`
+   - Exposes router-side LLAs for diagnostics and RA/default-router assertions.
+5. `DeviceIface::default_router_v6() -> Option<ScopedIpv6NextHop>`
+   - Returns current default-router next hop including interface scope metadata.
+6. Optional address state accessors, for example:
+   - `DeviceIface::ip6_state() -> Option<AddrState>`
+   - `DeviceIface::ll6_state() -> Option<AddrState>`
+   - `RouterIface::ll6_state() -> Option<AddrState>`
+
+### New supporting types
+
+1. `ScopedIpv6NextHop`
+   - Proposed fields: `{ addr: Ipv6Addr, ifname: Arc<str>, ifindex: u32 }`
+   - Purpose: represent link-local next hops safely without losing scope.
+2. `AddrState`
+   - Proposed variants: `Tentative`, `Preferred`, `Deprecated`, `DadFailed`, `Unknown`
+   - Purpose: expose kernel IPv6 address lifecycle where available.
+3. Optional provisioning mode enum, for example `Ipv6ProvisioningMode`
+   - `Static`, `RaDriven`
+   - Purpose: make behavior explicit at lab or profile level.
+
+### Builder and configuration changes
+
+1. Add RA/provisioning knobs on router and possibly lab builders, for example:
+   - `RouterBuilder::ra_enabled(bool)`
+   - `RouterBuilder::ra_lifetime(Duration)`
+   - `RouterBuilder::ra_preference(RouterPreference)`
+2. Add compatibility and determinism controls:
+   - `LabOpts::ipv6_dad_mode(...)` or equivalent
+   - `LabOpts::ipv6_provisioning_mode(...)` or equivalent
+3. Keep existing APIs functional:
+   - `Device::ip6()` remains available for global/ULA address use cases.
+   - Existing static provisioning paths remain valid in deterministic mode.
+4. Keep `LabOpts` as the entry point for global defaults. This matches existing builder style and remains feasible with additive fields.
+
+### Netlink/internal API additions
+
+1. Scoped default-route helpers for link-local gateways.
+2. Route query helpers that return interface metadata with gateway.
+3. Interface refresh helpers to update cached `ll6` and address states after replug/reconfigure.
+4. RA/RS task registration APIs on netns workers for lifecycle-safe startup and teardown.
+
+### Events and devtools schema impact
+
+1. Extend interface-related event payloads with optional link-local fields.
+2. Include default-router source/scope info where relevant.
+3. Keep fields additive to preserve backward compatibility for consumers that ignore new keys.
+
+### Compatibility policy
+
+1. Existing callers using `ip6()` continue to work.
+2. New APIs are additive in first rollout.
+3. Behavior changes that can affect timing or routing default to explicit opt-in until migration is complete.
+
+## Phase 4: Real-world Presets and Defaults
+
+Align presets with consumer behavior expectations from RFC 7084 family:
+
+1. Home/consumer preset:
+   - RA enabled on LAN
+   - link-local router identity stable
+   - realistic default firewall posture remains intact
+   - default-route learning is RA-driven for hosts
+2. Datacenter/internal preset:
+   - support optional link-local-only infrastructure links where appropriate
+   - keep loopback/global addresses for management scenarios
+3. Mobile-like preset:
+   - preserve existing NAT64 and v6-only semantics while ensuring link-local correctness on access links
+4. Policy profile toggles:
+   - `consumer_home`, `mobile_carrier`, `enterprise_strict`, `lab_deterministic` knobs for timing and address-selection policy where practical.
+
+Acceptance:
+
+- Presets express explicit link-local policy and behavior.
+- Example topologies in docs cover at least one mobile, one home, and one laptop profile scenario.
+- Docs explicitly state profiles are deployment-policy emulation, not OS-kernel emulation.
+
+## Phase 5: Test Matrix
+
+Add focused tests, separate from existing IPv6 tests.
+
+Test module location:
+
+- New module file: `patchbay/src/tests/ipv6_ll.rs`
+- Register in `patchbay/src/tests/mod.rs` as `mod ipv6_ll;`
+- Keep existing `ipv6.rs` intact for broader IPv6 behavior, and use `ipv6_ll.rs` for link-local and RA/RS semantics.
+
+Core tests:
+
+1. `link_local_presence_on_all_ipv6_ifaces`
+   - Verifies every IPv6-capable interface gets a non-empty `fe80::/10` address and that API getters return it.
+2. `default_route_via_link_local_requires_dev_scope`
+   - Verifies a default route using link-local next hop is only installed/usable with explicit interface scope.
+3. `ra_source_is_link_local`
+   - Verifies outbound RA packets use the router interface LLA as source, never a global/ULA source.
+4. `host_learns_default_router_from_ra_link_local`
+   - Verifies host installs default route from received RA and next hop is scoped LLA of advertising router.
+5. `dad_enabled_production_mode`
+   - Verifies production-like mode enables DAD and observed address state transitions from tentative to preferred.
+6. `dad_disabled_deterministic_mode`
+   - Verifies deterministic mode disables DAD and addresses become usable immediately for stable tests.
+7. `link_local_socket_scope_required` (expected failure without scope, success with scope)
+   - Verifies application-level connect/send to LLA fails without scope id and succeeds with correct scope.
+8. `router_lifetime_zero_withdraws_default_router`
+   - Verifies RA with lifetime 0 removes default-router entry and default route from host routing table.
+9. `rio_local_routes_without_default_router`
+   - Verifies RIO routes can exist and be used when no default route is advertised.
+10. `multi_uplink_prefers_router_preference_and_metric`
+   - Verifies host/router selection across multiple candidate defaults follows preference/metric policy.
+11. `replug_iface_preserves_or_relearns_scoped_default_route`
+   - Verifies replugging an interface preserves valid scoped route or re-learns it cleanly through RA/RS.
+12. `devtools_shows_ll6_and_router_scope`
+   - Verifies event stream and devtools payloads include LLA and scope metadata and UI renders them.
+13. `home_profile_ra_refresh_after_router_restart`
+   - Verifies consumer-home profile recovers default-router and prefix state after router restart.
+14. `mobile_profile_fast_default_router_reselection`
+   - Verifies mobile-like profile handles default-router churn quickly and converges to a usable route.
+15. `ra_task_lifecycle_matches_namespace_lifecycle`
+   - Verifies RA worker tasks are created, restarted, and terminated correctly with namespace/router lifecycle transitions.
+16. `router_iface_api_exposes_ll6_consistently`
+   - Verifies new `RouterIface` snapshots and getters stay consistent with netlink-observed interface state.
+
+Additional exhaustiveness tests:
+
+17. `static_mode_does_not_run_ra_rs_tasks`
+   - Verifies static provisioning mode does not start RA/RS workers and still provides deterministic routing.
+18. `ra_disabled_router_emits_no_ra`
+   - Verifies per-router RA disable truly suppresses advertisements even when global profile enables RA.
+19. `multiple_prefixes_from_ra_install_expected_addresses`
+   - Verifies host behavior when router advertises multiple prefixes, including address and route selection expectations.
+20. `default_router_preference_changes_reorder_selection`
+   - Verifies RFC 4191 preference updates change default-router choice without requiring interface bounce.
+21. `iface_remove_cleans_scoped_default_route`
+   - Verifies removing an interface removes stale scoped link-local default routes and cached router metadata.
+22. `iface_add_relearns_ll6_and_default_router`
+   - Verifies hot-added interfaces discover LLA and default router correctly via RS/RA path.
+23. `rebooted_router_new_ll6_replaces_old_neighbor_and_route`
+   - Verifies host recovers cleanly when router LLA changes across restart and old next hop becomes invalid.
+24. `dual_uplink_failover_preserves_connectivity_with_ll_next_hop`
+   - Verifies failover when primary uplink/router disappears and secondary scoped default route takes over.
+25. `nonscoped_ll_connect_fails_with_clear_error`
+   - Verifies downstream-facing helper APIs surface a clear error for link-local socket usage without scope.
+26. `devtools_payload_backward_compatible_when_ll6_missing`
+   - Verifies additive schema behavior when older runs or v4-only interfaces lack LLA fields.
+
+Validation commands before completion:
+
+- `cargo make format`
+- `cargo clippy -p patchbay --tests --fix --allow-dirty`
+- `cargo check -p patchbay --tests`
+- `cargo nextest run -p patchbay`
+- `cd ui && npm run build` (if devtools payload/UI changes are included)
+
+## Rollout Strategy
+
+1. Land data model + route primitives first, behind compatibility guards.
+2. Land RA/RS path as opt-in.
+3. Land `RouterIface` and scoped-next-hop APIs as additive public changes.
+4. Ship API/docs/devtools visibility updates so users can debug new behavior.
+5. Switch presets to production-like defaults after test parity is proven.
+6. Remove old behavior only after migration window and test updates are complete.
+
+## Risks and Mitigations
+
+- Test flakiness from DAD timing:
+  - Mitigation: deterministic mode, bounded retries, explicit waiting for non-tentative state.
+- Behavior drift across kernels:
+  - Mitigation: netlink-level assertions in tests, avoid shell-only checks.
+- Backward compatibility breaks in existing tests:
+  - Mitigation: per-lab toggle and staged migration.
+- Scope-handling regressions in downstream apps:
+  - Mitigation: helper APIs, docs, and compile-time type hints where possible.
+- RA timing sensitivity in CI:
+  - Mitigation: controlled RA timers in tests and explicit timeouts.
+- Background-task lifecycle bugs for RA/RS workers:
+  - Mitigation: explicit ownership model in netns workers, teardown tests, and tracing instrumentation for task state.
+
+## Deliverables
+
+- Updated IPv6/link-local core behavior with scope-safe routing.
+- RA/RS-capable provisioning path.
+- Router interface public API (`RouterIface`) with LLA observability.
+- Public API and devtools support for link-local observability.
+- New docs and a dedicated link-local test suite.
+- Production-like example scenarios for home, mobile, Linux, macOS, and Windows host behavior.
+
+## Implementation Notes for Patchbay Architecture
+
+This section maps planned work to current patchbay modules so implementation can start directly.
+
+1. `patchbay/src/core.rs`
+   - Extend interface and router state with `ll6` and optional address-state fields.
+   - Replace unconditional DAD disable with mode-driven behavior.
+   - Integrate scoped default-route installation paths.
+   - Add RA/RS task lifecycle hooks at router/device setup and teardown points.
+2. `patchbay/src/netlink.rs`
+   - Add scoped IPv6 route helpers that bind gateway and output interface.
+   - Add query helpers that return default route plus interface metadata.
+   - Add address query helpers to read interface LLAs and flags.
+3. `patchbay/src/handles.rs`
+   - Add `RouterIface` value type analogous to `DeviceIface`.
+   - Add `Router::iface` and `Router::interfaces` methods.
+   - Add LLA/state/default-router getters to device and router iface snapshots.
+4. `patchbay/src/lab.rs`
+   - Extend `LabOpts` with IPv6 provisioning and DAD mode defaults.
+   - Add builder options for RA behavior and profile selection.
+5. `patchbay/src/event.rs` and `patchbay-server`
+   - Add optional LLA and scoped-router fields in serialized events/state for devtools.
+6. `ui/`
+   - Display per-interface LLAs and scoped default-router details in node views.
+
+## Feasibility Notes from Additional Research
+
+1. Scoped route installation is feasible with Linux route semantics and current rtnetlink primitives.
+   - Linux route model supports explicit `via + dev` behavior for scoped next hops.
+   - Current patchbay already has device-route helpers and can be extended with scoped default-route helpers.
+2. RA source constraints are straightforward to enforce.
+   - RFC 4861 requires router advertisements to use link-local source addresses.
+   - This requirement fits patchbay's per-interface router model once LLAs are observable.
+3. DAD realism is feasible but requires controlled timing in tests.
+   - Linux default behavior includes tentative states; deterministic test mode must remain available.
+4. Full non-Linux host emulation is not feasible in-scope.
+   - Patchbay runs Linux netns, so policy-profile emulation is the practical and correct target.
+
+## Execution Checklist (PR-by-PR)
+
+This is the concrete implementation order to reduce risk and keep each change reviewable.
+
+### PR 1: Data model and scoped route primitives
+
+Scope:
+
+- Add core/interface fields for link-local visibility and route scope metadata.
+- Add netlink helpers needed for scoped IPv6 default routes.
+- Keep behavior unchanged by default, no RA/RS yet.
+
+Files:
+
+1. `patchbay/src/core.rs`
+   - Add `ll6` and optional address-state fields in interface structs.
+   - Add default-router scoped metadata fields (internal only for now).
+2. `patchbay/src/netlink.rs`
+   - Add scoped IPv6 default route add/replace helpers.
+   - Add route query helper that returns gateway + device info.
+   - Add helper(s) to query interface link-local IPv6 addresses.
+3. `patchbay/src/handles.rs`
+   - Add `DeviceIface::ll6()` and placeholder state getters if data exists.
+
+Checks:
+
+- `cargo check -p patchbay --tests`
+- Add/adjust unit tests for netlink helper behavior where feasible.
+
+Exit criteria:
+
+- Link-local can be discovered from netlink and exposed on device iface snapshots.
+- Scoped default-route helper compiles and is callable from core.
+
+### PR 2: RouterIface public API and snapshot plumbing
+
+Scope:
+
+- Introduce `RouterIface` as a value-type snapshot API.
+- Wire `Router::iface` and `Router::interfaces`.
+
+Files:
+
+1. `patchbay/src/handles.rs`
+   - Add `RouterIface` struct and getters (`name`, `ip`, `ip6`, `ll6`, optional state).
+   - Add `Router::iface(name)` and `Router::interfaces()`.
+2. `patchbay/src/core.rs`
+   - Ensure router interface snapshots can include new fields.
+3. `patchbay/src/lib.rs`
+   - Re-export `RouterIface` if needed.
+
+Checks:
+
+- `cargo check -p patchbay --tests`
+- Add API-level tests for snapshot consistency.
+
+Exit criteria:
+
+- Downstream code can fetch router-side LLAs through stable public APIs.
+
+### PR 3: LabOpts and builder knobs for provisioning and DAD modes
+
+Scope:
+
+- Extend `LabOpts` and router builder knobs without changing defaults yet.
+- Add explicit policy profile config structs/enums.
+
+Files:
+
+1. `patchbay/src/lab.rs`
+   - Extend `LabOpts` with IPv6 provisioning/DAD defaults.
+   - Add profile and RA config options on builders.
+2. `patchbay/src/config.rs`
+   - Add TOML mapping for new knobs where relevant.
+3. `patchbay/src/lib.rs`
+   - Re-export new public enums/types.
+
+Checks:
+
+- `cargo check -p patchbay --tests`
+- Add config parsing tests for new options.
+
+Exit criteria:
+
+- New knobs are accepted and serialized/loaded, with old behavior preserved by default.
+
+### PR 4: DAD mode implementation and scoped default-route usage in core wiring
+
+Scope:
+
+- Replace unconditional DAD disable with mode-driven behavior.
+- Switch IPv6 default-route install paths to scoped helpers for link-local gateways.
+
+Files:
+
+1. `patchbay/src/core.rs`
+   - Gate DAD sysctl handling on mode.
+   - Update iface/router setup paths to call scoped route helpers where needed.
+2. `patchbay/src/netlink.rs`
+   - Finalize any missing error handling and idempotency behavior.
+
+Checks:
+
+- `cargo check -p patchbay --tests`
+- Add tests:
+  - `dad_enabled_production_mode`
+  - `dad_disabled_deterministic_mode`
+  - `default_route_via_link_local_requires_dev_scope`
+
+Exit criteria:
+
+- DAD behavior is mode-dependent.
+- Link-local default routes are scope-safe.
+
+### PR 5: RA/RS engine on netns workers
+
+Scope:
+
+- Implement RA sender tasks on router interfaces and RS/default-router learning on hosts.
+- Add lifecycle management hooks for start/stop/restart.
+
+Files:
+
+1. `patchbay/src/core.rs`
+   - Add RA/RS task registration and teardown integration points.
+2. `patchbay/src/netns.rs`
+   - Add APIs needed to own long-lived namespace tasks safely.
+3. `patchbay/src/lab.rs`
+   - Trigger RA/RS initialization from topology/build lifecycle.
+
+Checks:
+
+- `cargo check -p patchbay --tests`
+- Add initial RA/RS tests in `patchbay/src/tests/ipv6_ll.rs`:
+  - `ra_source_is_link_local`
+  - `host_learns_default_router_from_ra_link_local`
+  - `router_lifetime_zero_withdraws_default_router`
+  - `ra_task_lifecycle_matches_namespace_lifecycle`
+
+Exit criteria:
+
+- RA/RS works in opt-in mode and survives lifecycle churn.
+
+### PR 6: Events/devtools observability and UI support
+
+Scope:
+
+- Surface `ll6` and scoped default-router metadata in events/state.
+- Render metadata in devtools UI.
+- Add schema/back-compat tests in `patchbay/src/tests/ipv6_ll.rs` and UI assertions as needed.
+
+Files:
+
+1. `patchbay/src/event.rs`
+   - Add optional fields for LLA/scope metadata.
+2. `patchbay-server/src/lib.rs`
+   - Ensure serialization path includes new fields.
+3. `ui/src/` (details + topology panes)
+   - Display per-interface LLAs and scoped router info.
+
+Checks:
+
+- `cargo check -p patchbay-server`
+- `cd ui && npm run build`
+- Add/adjust UI tests if applicable.
+
+Exit criteria:
+
+- Devtools shows LLA and scope metadata without breaking existing views.
+- Additive payload behavior is verified when LLA data is absent.
+
+### PR 7: Presets, policy profiles, docs, and migration finalization
+
+Scope:
+
+- Wire policy profiles to presets.
+- Update docs and examples.
+- Decide default switch timing.
+
+Files:
+
+1. `patchbay/src/lab.rs` / preset definitions
+   - Map presets to profile behavior.
+2. `docs/reference/ipv6.md`
+   - Add behavior contract and migration notes.
+3. `docs/guide/*` as needed
+   - Update examples to use `ll6`/scoped routes where relevant.
+4. `plans/PLAN.md`
+   - Move this plan through Partial -> Completed when done.
+
+Checks:
+
+- Full mandatory workflow from AGENTS.md:
+  - `cargo make format`
+  - `cargo clippy -p patchbay --tests --fix --allow-dirty`
+  - `cargo check -p patchbay --tests`
+  - `cargo nextest run -p patchbay`
+  - `cargo check` (workspace)
+  - `cd ui && npm run test:e2e` if UI changed
+- All tests from Phase 5 matrix are implemented in `patchbay/src/tests/ipv6_ll.rs` and passing.
+
+Exit criteria:
+
+- Profiles and presets are documented, test-backed, and ready for default rollout decision.
+- `ipv6_ll.rs` is the canonical link-local test module, and coverage is exhaustive for planned behavior.

From be820f1cbc3b26de1ddca2e0c5a8c823f233abc7 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 16:53:11 +0100
Subject: [PATCH 02/26] feat: add ipv6 link-local plumbing and router iface API

---
 patchbay/src/core.rs          | 120 ++++++++++++++++++++++++++++----
 patchbay/src/event.rs         |  15 ++++
 patchbay/src/handles.rs       |  74 ++++++++++++++++++++
 patchbay/src/lab.rs           |  58 +++++++++++++++-
 patchbay/src/lib.rs           |   6 +-
 patchbay/src/netlink.rs       |  20 ++++++
 patchbay/src/tests/ipv6_ll.rs | 127 ++++++++++++++++++++++++++++++++++
 patchbay/src/tests/mod.rs     |   1 +
 plans/ipv6-linklocal.md       |   4 +-
 9 files changed, 404 insertions(+), 21 deletions(-)
 create mode 100644 patchbay/src/tests/ipv6_ll.rs

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index fdc76ea..ccfcb6c 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -11,8 +11,8 @@ use tokio_util::sync::CancellationToken;
 use tracing::{debug, instrument, Instrument as _};
 
 use crate::{
-    netlink::Netlink, netns, qdisc, ConntrackTimeouts, Firewall, IpSupport, LinkCondition, Nat,
-    NatConfig, NatFiltering, NatMapping, NatV6Mode,
+    netlink::Netlink, netns, qdisc, ConntrackTimeouts, Firewall, IpSupport, Ipv6DadMode,
+    Ipv6ProvisioningMode, LinkCondition, Nat, NatConfig, NatFiltering, NatMapping, NatV6Mode,
 };
 
 /// Defines static addressing and naming for one lab instance.
@@ -135,6 +135,8 @@ pub(crate) struct DeviceIfaceData {
     pub ip: Option<Ipv4Addr>,
     /// Assigned IPv6 address.
     pub ip_v6: Option<Ipv6Addr>,
+    /// Assigned IPv6 link-local address.
+    pub ll_v6: Option<Ipv6Addr>,
     /// Optional link impairment applied via `tc netem`.
     pub impair: Option<LinkCondition>,
     /// Unique index used to name the root-namespace veth ends.
@@ -203,6 +205,8 @@ pub(crate) struct RouterData {
     pub upstream_ip: Option<Ipv4Addr>,
     /// Router uplink IPv6 address.
     pub upstream_ip_v6: Option<Ipv6Addr>,
+    /// Router uplink IPv6 link-local address.
+    pub upstream_ll_v6: Option<Ipv6Addr>,
     /// Downstream switch identifier.
     pub downlink: Option<NodeId>,
     /// Downstream subnet CIDR.
@@ -213,6 +217,8 @@ pub(crate) struct RouterData {
     pub downstream_cidr_v6: Option<Ipv6Net>,
     /// Downstream IPv6 gateway address.
     pub downstream_gw_v6: Option<Ipv6Addr>,
+    /// Downstream bridge IPv6 link-local address.
+    pub downstream_ll_v6: Option<Ipv6Addr>,
     /// Per-router operation lock — serializes multi-step mutations.
     pub op: Arc<tokio::sync::Mutex<()>>,
 }
@@ -260,6 +266,8 @@ pub(crate) struct IfaceBuild {
     pub(crate) prefix_len: u8,
     pub(crate) gw_ip_v6: Option<Ipv6Addr>,
     pub(crate) dev_ip_v6: Option<Ipv6Addr>,
+    pub(crate) gw_ll_v6: Option<Ipv6Addr>,
+    pub(crate) dev_ll_v6: Option<Ipv6Addr>,
     pub(crate) prefix_len_v6: u8,
     pub(crate) impair: Option<LinkCondition>,
     pub(crate) ifname: Arc<str>,
@@ -460,6 +468,10 @@ pub(crate) struct LabInner {
     pub ns_to_name: std::sync::Mutex<HashMap<String, String>>,
     /// Resolved run output directory (e.g. `{base}/{ts}-{label}/`), if outdir was configured.
     pub run_dir: Option<PathBuf>,
+    /// IPv6 duplicate address detection behavior.
+    pub ipv6_dad_mode: Ipv6DadMode,
+    /// IPv6 provisioning behavior.
+    pub ipv6_provisioning_mode: Ipv6ProvisioningMode,
 }
 
 impl Drop for LabInner {
@@ -739,11 +751,13 @@ impl NetworkCore {
                 uplink: None,
                 upstream_ip: None,
                 upstream_ip_v6: None,
+                upstream_ll_v6: None,
                 downlink: None,
                 downstream_cidr: None,
                 downstream_gw: None,
                 downstream_cidr_v6: None,
                 downstream_gw_v6: None,
+                downstream_ll_v6: None,
                 op: Arc::new(tokio::sync::Mutex::new(())),
             },
         );
@@ -824,6 +838,7 @@ impl NetworkCore {
             uplink: downlink,
             ip: assigned,
             ip_v6: assigned_v6,
+            ll_v6: assigned_v6.map(|_| link_local_from_seed(idx)),
             impair,
             idx,
         });
@@ -875,6 +890,8 @@ impl NetworkCore {
             prefix_len: sw.cidr.map(|c| c.prefix_len()).unwrap_or(24),
             gw_ip_v6: sw.gw_v6,
             dev_ip_v6: iface.ip_v6,
+            gw_ll_v6: self.router(gw_router).and_then(|r| r.downstream_ll_v6),
+            dev_ll_v6: iface.ll_v6,
             prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
             impair,
             ifname: ifname.into(),
@@ -948,6 +965,8 @@ impl NetworkCore {
             prefix_len,
             gw_ip_v6: sw.gw_v6,
             dev_ip_v6: new_ip_v6,
+            gw_ll_v6: target_router.downstream_ll_v6,
+            dev_ll_v6: new_ip_v6.map(|_| link_local_from_seed(old_idx)),
             prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
             impair,
             ifname: ifname.into(),
@@ -982,6 +1001,7 @@ impl NetworkCore {
             iface.uplink = new_uplink;
             iface.ip = new_ip;
             iface.ip_v6 = new_ip_v6;
+            iface.ll_v6 = new_ip_v6.map(|_| link_local_from_seed(iface.idx));
         }
         Ok(())
     }
@@ -1052,6 +1072,7 @@ impl NetworkCore {
         router_entry.uplink = Some(sw);
         router_entry.upstream_ip = ip;
         router_entry.upstream_ip_v6 = ip_v6;
+        router_entry.upstream_ll_v6 = ip_v6.map(|_| link_local_from_seed(router.0 ^ sw.0));
         Ok(())
     }
 
@@ -1151,6 +1172,8 @@ impl NetworkCore {
         router_entry.downstream_gw = gw;
         router_entry.downstream_cidr_v6 = cidr_v6;
         router_entry.downstream_gw_v6 = gw_v6;
+        router_entry.downstream_ll_v6 =
+            cidr_v6.map(|_| link_local_from_seed(router.0 ^ sw.0 ^ 0xA5A5));
         Ok((cidr, gw))
     }
 
@@ -1752,7 +1775,7 @@ pub(crate) async fn setup_root_ns_async(
     netns: &Arc<netns::NetnsManager>,
 ) -> Result<()> {
     let root_ns = cfg.root_ns.clone();
-    create_named_netns(netns, &root_ns, None, None)?;
+    create_named_netns(netns, &root_ns, None, None, Ipv6DadMode::Disabled)?;
 
     netns.run_closure_in(&root_ns, || {
         set_sysctl_root("net/ipv4/ip_forward", "1")?;
@@ -1811,6 +1834,10 @@ pub(crate) struct RouterSetupData {
     pub parent_route_v4: Option<(Arc<str>, Ipv4Addr, u8, Ipv4Addr)>, // (parent_ns, net, prefix, via)
     /// Cancellation token for long-running background tasks (NAT64 translator).
     pub cancel: CancellationToken,
+    /// IPv6 DAD behavior for created namespaces.
+    pub dad_mode: Ipv6DadMode,
+    /// IPv6 provisioning behavior.
+    pub provisioning_mode: Ipv6ProvisioningMode,
 }
 
 /// Sets up a single router's namespaces, links, and NAT. No lock held.
@@ -1819,12 +1846,15 @@ pub(crate) async fn setup_router_async(
     netns: &Arc<netns::NetnsManager>,
     data: &RouterSetupData,
 ) -> Result<()> {
+    match data.provisioning_mode {
+        Ipv6ProvisioningMode::Static | Ipv6ProvisioningMode::RaDriven => {}
+    }
     let router = &data.router;
     let id = router.id;
     debug!(name = %router.name, ns = %router.ns, "router: setup");
 
     let log_prefix = format!("{}.{}", crate::consts::KIND_ROUTER, router.name);
-    create_named_netns(netns, &router.ns, None, Some(log_prefix))?;
+    create_named_netns(netns, &router.ns, None, Some(log_prefix), data.dad_mode)?;
 
     let uplink = router
         .uplink
@@ -1878,6 +1908,9 @@ pub(crate) async fn setup_router_async(
                     (d.router.upstream_ip_v6, d.ix_cidr_v6_prefix, d.ix_gw_v6)
                 {
                     h.add_addr6(&ns_if, ip6, prefix6).await?;
+                    if let Some(ll6) = d.router.upstream_ll_v6 {
+                        h.add_addr6(&ns_if, ll6, 64).await?;
+                    }
                     h.add_default_route_v6(gw6).await?;
                 }
                 Ok(())
@@ -1998,7 +2031,14 @@ pub(crate) async fn setup_router_async(
                     d.upstream_gw_v6,
                 ) {
                     h.add_addr6(&wan_if, ip6, prefix6).await?;
-                    h.add_default_route_v6(g6).await?;
+                    if let Some(ll6) = d.router.upstream_ll_v6 {
+                        h.add_addr6(&wan_if, ll6, 64).await?;
+                    }
+                    if g6.is_unicast_link_local() {
+                        h.add_default_route_v6_scoped(&wan_if, g6).await?;
+                    } else {
+                        h.add_default_route_v6(g6).await?;
+                    }
                 }
                 Ok(())
             }
@@ -2035,6 +2075,7 @@ pub(crate) async fn setup_router_async(
     // Create downlink bridge.
     if let Some((br, v4_addr)) = &data.downlink_bridge {
         let downlink_v6 = data.downlink_bridge_v6;
+        let downlink_ll_v6 = data.router.downstream_ll_v6;
         let v4_addr = *v4_addr;
         nl_run(netns, &router.ns, {
             let br = br.clone();
@@ -2049,6 +2090,9 @@ pub(crate) async fn setup_router_async(
                 if let Some((gw_v6, prefix_v6)) = downlink_v6 {
                     h.add_addr6(&br, gw_v6, prefix_v6).await?;
                 }
+                if let Some(ll6) = downlink_ll_v6 {
+                    h.add_addr6(&br, ll6, 64).await?;
+                }
                 Ok(())
             }
         })
@@ -2128,6 +2172,33 @@ pub(crate) async fn setup_router_async(
         setup_nat64(netns, &router.ns, fw_wan, &data.cancel).await?;
     }
 
+    // RA worker scaffold for RA-driven mode.
+    if data.provisioning_mode == Ipv6ProvisioningMode::RaDriven && router.cfg.ip_support.has_v6() {
+        spawn_ra_worker(netns, &router.ns, data.cancel.clone())?;
+    }
+
+    Ok(())
+}
+
+fn spawn_ra_worker(
+    netns: &Arc<netns::NetnsManager>,
+    ns: &str,
+    cancel: CancellationToken,
+) -> Result<()> {
+    let rt = netns.rt_handle_for(ns)?;
+    let ns = ns.to_string();
+    rt.spawn(async move {
+        let interval = tokio::time::Duration::from_secs(30);
+        loop {
+            tokio::select! {
+                _ = cancel.cancelled() => break,
+                _ = tokio::time::sleep(interval) => {
+                    tracing::trace!(ns = %ns, "ra-worker: tick");
+                }
+            }
+        }
+        tracing::trace!(ns = %ns, "ra-worker: stopped");
+    });
     Ok(())
 }
 
@@ -2316,10 +2387,15 @@ pub(crate) async fn setup_device_async(
     dev: &DeviceData,
     ifaces: Vec<IfaceBuild>,
     dns_overlay: Option<netns::DnsOverlay>,
+    dad_mode: Ipv6DadMode,
+    provisioning_mode: Ipv6ProvisioningMode,
 ) -> Result<()> {
+    match provisioning_mode {
+        Ipv6ProvisioningMode::Static | Ipv6ProvisioningMode::RaDriven => {}
+    }
     debug!(name = %dev.name, ns = %dev.ns, "device: setup");
     let log_prefix = format!("{}.{}", crate::consts::KIND_DEVICE, dev.name);
-    create_named_netns(netns, &dev.ns, dns_overlay, Some(log_prefix))?;
+    create_named_netns(netns, &dev.ns, dns_overlay, Some(log_prefix), dad_mode)?;
 
     for iface in ifaces {
         wire_iface_async(netns, prefix, root_ns, iface).await?;
@@ -2387,9 +2463,14 @@ pub(crate) async fn wire_iface_async(
             }
             if let Some(ip6) = d.dev_ip_v6 {
                 h.add_addr6(&d.ifname, ip6, d.prefix_len_v6).await?;
+                if let Some(ll6) = d.dev_ll_v6 {
+                    h.add_addr6(&d.ifname, ll6, 64).await?;
+                }
                 if d.is_default {
                     if let Some(gw6) = d.gw_ip_v6 {
                         h.add_default_route_v6(gw6).await?;
+                    } else if let Some(gw_ll6) = d.gw_ll_v6 {
+                        h.add_default_route_v6_scoped(&d.ifname, gw_ll6).await?;
                     }
                 }
             }
@@ -2425,6 +2506,14 @@ fn add_host(cidr: Ipv4Net, host: u8) -> Result<Ipv4Addr> {
     Ok(Ipv4Addr::new(octets[0], octets[1], octets[2], host))
 }
 
+fn link_local_from_seed(seed: u64) -> Ipv6Addr {
+    let a = ((seed >> 48) & 0xffff) as u16;
+    let b = ((seed >> 32) & 0xffff) as u16;
+    let c = ((seed >> 16) & 0xffff) as u16;
+    let d = (seed & 0xffff) as u16;
+    Ipv6Addr::new(0xfe80, 0, 0, 0, a, b, c, d)
+}
+
 // ─────────────────────────────────────────────
 // Netns + process helpers
 // ─────────────────────────────────────────────
@@ -2438,16 +2527,19 @@ pub(crate) fn create_named_netns(
     name: &str,
     dns_overlay: Option<netns::DnsOverlay>,
     log_prefix: Option<String>,
+    dad_mode: Ipv6DadMode,
 ) -> Result<()> {
     netns.create_netns(name, dns_overlay, log_prefix)?;
-    // Disable DAD before any interfaces are created or moved in.
-    netns.run_closure_in(name, || {
-        set_sysctl_root("net/ipv6/conf/all/accept_dad", "0").ok();
-        set_sysctl_root("net/ipv6/conf/default/accept_dad", "0").ok();
-        set_sysctl_root("net/ipv6/conf/all/dad_transmits", "0").ok();
-        set_sysctl_root("net/ipv6/conf/default/dad_transmits", "0").ok();
-        Ok(())
-    })?;
+    if dad_mode == Ipv6DadMode::Disabled {
+        // Disable DAD before any interfaces are created or moved in.
+        netns.run_closure_in(name, || {
+            set_sysctl_root("net/ipv6/conf/all/accept_dad", "0").ok();
+            set_sysctl_root("net/ipv6/conf/default/accept_dad", "0").ok();
+            set_sysctl_root("net/ipv6/conf/all/dad_transmits", "0").ok();
+            set_sysctl_root("net/ipv6/conf/default/dad_transmits", "0").ok();
+            Ok(())
+        })?;
+    }
     Ok(())
 }
 
diff --git a/patchbay/src/event.rs b/patchbay/src/event.rs
index 1adf1a0..44a3124 100644
--- a/patchbay/src/event.rs
+++ b/patchbay/src/event.rs
@@ -266,6 +266,8 @@ pub struct IfaceSnapshot {
     pub ip: Option<Ipv4Addr>,
     /// IPv6 address.
     pub ip_v6: Option<Ipv6Addr>,
+    /// IPv6 link-local address.
+    pub ll_v6: Option<Ipv6Addr>,
     /// Link condition.
     pub link_condition: Option<LinkCondition>,
 }
@@ -352,6 +354,8 @@ pub struct RouterState {
     pub uplink_ip: Option<Ipv4Addr>,
     /// WAN IPv6 address.
     pub uplink_ip_v6: Option<Ipv6Addr>,
+    /// WAN IPv6 link-local address.
+    pub uplink_ll_v6: Option<Ipv6Addr>,
     /// LAN IPv4 CIDR.
     pub downstream_cidr: Option<Ipv4Net>,
     /// LAN IPv4 gateway.
@@ -360,6 +364,8 @@ pub struct RouterState {
     pub downstream_cidr_v6: Option<Ipv6Net>,
     /// LAN IPv6 gateway.
     pub downstream_gw_v6: Option<Ipv6Addr>,
+    /// LAN IPv6 link-local address.
+    pub downstream_ll_v6: Option<Ipv6Addr>,
     /// Downstream bridge name.
     pub downstream_bridge: String,
     /// Downlink condition (applies to all downstream traffic).
@@ -423,10 +429,12 @@ impl RouterState {
             upstream: upstream_name,
             uplink_ip: r.upstream_ip,
             uplink_ip_v6: r.upstream_ip_v6,
+            uplink_ll_v6: r.upstream_ll_v6,
             downstream_cidr: r.downstream_cidr,
             downstream_gw: r.downstream_gw,
             downstream_cidr_v6: r.downstream_cidr_v6,
             downstream_gw_v6: r.downstream_gw_v6,
+            downstream_ll_v6: r.downstream_ll_v6,
             downstream_bridge,
             downlink_condition: None,
             devices: Vec::new(),
@@ -456,6 +464,7 @@ impl DeviceState {
                     router: router_name,
                     ip: iface.ip,
                     ip_v6: iface.ip_v6,
+                    ll_v6: iface.ll_v6,
                     link_condition: iface.impair,
                 }
             })
@@ -782,10 +791,12 @@ mod tests {
                     upstream: None,
                     uplink_ip: Some(Ipv4Addr::new(198, 18, 0, 2)),
                     uplink_ip_v6: None,
+                    uplink_ll_v6: None,
                     downstream_cidr: Some("10.0.1.0/24".parse().unwrap()),
                     downstream_gw: Some(Ipv4Addr::new(10, 0, 1, 1)),
                     downstream_cidr_v6: None,
                     downstream_gw_v6: None,
+                    downstream_ll_v6: None,
                     downstream_bridge: "br-1".into(),
                     downlink_condition: None,
                     devices: Vec::new(),
@@ -803,6 +814,7 @@ mod tests {
                         router: "r1".into(),
                         ip: Some(Ipv4Addr::new(10, 0, 1, 2)),
                         ip_v6: None,
+                        ll_v6: None,
                         link_condition: None,
                     }],
                     counters: BTreeMap::new(),
@@ -868,10 +880,12 @@ mod tests {
                         upstream: None,
                         uplink_ip: Some(Ipv4Addr::new(198, 18, 0, 2)),
                         uplink_ip_v6: None,
+                        uplink_ll_v6: None,
                         downstream_cidr: Some("10.0.1.0/24".parse().unwrap()),
                         downstream_gw: Some(Ipv4Addr::new(10, 0, 1, 1)),
                         downstream_cidr_v6: None,
                         downstream_gw_v6: None,
+                        downstream_ll_v6: None,
                         downstream_bridge: "br-2".into(),
                         downlink_condition: None,
                         devices: Vec::new(),
@@ -893,6 +907,7 @@ mod tests {
                             router: "r1".into(),
                             ip: Some(Ipv4Addr::new(10, 0, 1, 2)),
                             ip_v6: None,
+                            ll_v6: None,
                             link_condition: None,
                         }],
                         counters: BTreeMap::new(),
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index a5eb14c..12778a7 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -51,6 +51,7 @@ pub struct DeviceIface {
     ifname: String,
     ip: Option<Ipv4Addr>,
     ip_v6: Option<Ipv6Addr>,
+    ll_v6: Option<Ipv6Addr>,
     impair: Option<LinkCondition>,
 }
 
@@ -70,6 +71,11 @@ impl DeviceIface {
         self.ip_v6
     }
 
+    /// Returns the assigned IPv6 link-local address, if any.
+    pub fn ll6(&self) -> Option<Ipv6Addr> {
+        self.ll_v6
+    }
+
     /// Returns the impairment profile, if any.
     pub fn impair(&self) -> Option<LinkCondition> {
         self.impair
@@ -92,6 +98,37 @@ pub struct Device {
     lab: Arc<LabInner>,
 }
 
+/// Owned snapshot of a single router network interface.
+#[derive(Clone, Debug)]
+pub struct RouterIface {
+    ifname: String,
+    ip: Option<Ipv4Addr>,
+    ip_v6: Option<Ipv6Addr>,
+    ll_v6: Option<Ipv6Addr>,
+}
+
+impl RouterIface {
+    /// Returns the interface name.
+    pub fn name(&self) -> &str {
+        &self.ifname
+    }
+
+    /// Returns the assigned IPv4 address, if any.
+    pub fn ip(&self) -> Option<Ipv4Addr> {
+        self.ip
+    }
+
+    /// Returns the assigned IPv6 address, if any.
+    pub fn ip6(&self) -> Option<Ipv6Addr> {
+        self.ip_v6
+    }
+
+    /// Returns the assigned IPv6 link-local address, if any.
+    pub fn ll6(&self) -> Option<Ipv6Addr> {
+        self.ll_v6
+    }
+}
+
 impl Clone for Device {
     fn clone(&self) -> Self {
         Self {
@@ -187,6 +224,7 @@ impl Device {
             ifname: iface.ifname.to_string(),
             ip: iface.ip,
             ip_v6: iface.ip_v6,
+            ll_v6: iface.ll_v6,
             impair: iface.impair,
         })
     }
@@ -200,6 +238,7 @@ impl Device {
                 ifname: iface.ifname.to_string(),
                 ip: iface.ip,
                 ip_v6: iface.ip_v6,
+                ll_v6: iface.ll_v6,
                 impair: iface.impair,
             }
         })
@@ -220,6 +259,7 @@ impl Device {
                 ifname: iface.ifname.to_string(),
                 ip: iface.ip,
                 ip_v6: iface.ip_v6,
+                ll_v6: iface.ll_v6,
                 impair: iface.impair,
             })
             .collect()
@@ -563,6 +603,7 @@ impl Device {
             let dev = inner.device(self.id);
             let iface_ip = dev.and_then(|d| d.iface(ifname)).and_then(|i| i.ip);
             let iface_ip_v6 = dev.and_then(|d| d.iface(ifname)).and_then(|i| i.ip_v6);
+            let iface_ll_v6 = dev.and_then(|d| d.iface(ifname)).and_then(|i| i.ll_v6);
             drop(inner);
             self.lab.emit(LabEventKind::InterfaceAdded {
                 device: self.name.to_string(),
@@ -571,6 +612,7 @@ impl Device {
                     router: router_name,
                     ip: iface_ip,
                     ip_v6: iface_ip_v6,
+                    ll_v6: iface_ll_v6,
                     link_condition: impair,
                 },
             });
@@ -847,6 +889,38 @@ impl Router {
         Some(run_dir.join(filename))
     }
 
+    /// Returns a snapshot of the named router interface, if it exists.
+    pub fn iface(&self, name: &str) -> Option<RouterIface> {
+        self.interfaces()
+            .into_iter()
+            .find(|iface| iface.name() == name)
+    }
+
+    /// Returns snapshots of all router-facing interfaces.
+    ///
+    /// Currently includes WAN (`ix` or `wan`) and downstream bridge interface.
+    pub fn interfaces(&self) -> Vec<RouterIface> {
+        let core = self.lab.core.lock().unwrap();
+        let Some(router) = core.router(self.id) else {
+            return vec![];
+        };
+        let mut out = Vec::new();
+        let wan_if = router.wan_ifname(core.ix_sw());
+        out.push(RouterIface {
+            ifname: wan_if.to_string(),
+            ip: router.upstream_ip,
+            ip_v6: router.upstream_ip_v6,
+            ll_v6: router.upstream_ll_v6,
+        });
+        out.push(RouterIface {
+            ifname: router.downlink_bridge.to_string(),
+            ip: router.downstream_gw,
+            ip_v6: router.downstream_gw_v6,
+            ll_v6: router.downstream_ll_v6,
+        });
+        out
+    }
+
     /// Returns the region label, if set.
     ///
     /// Returns `None` if the router has been removed or no region is assigned.
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index d186c7b..983830e 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -51,7 +51,7 @@ fn region_base(idx: u8) -> Ipv4Addr {
 
 pub use crate::{
     firewall::{Firewall, FirewallConfig, FirewallConfigBuilder},
-    handles::{Device, DeviceIface, Ix, Router},
+    handles::{Device, DeviceIface, Ix, Router, RouterIface},
     nat::{
         ConntrackTimeouts, IpSupport, Nat, NatConfig, NatConfigBuilder, NatFiltering, NatMapping,
         NatV6Mode,
@@ -290,6 +290,30 @@ pub struct Lab {
 pub struct LabOpts {
     outdir: Option<PathBuf>,
     label: Option<String>,
+    ipv6_dad_mode: Ipv6DadMode,
+    ipv6_provisioning_mode: Ipv6ProvisioningMode,
+}
+
+/// Controls IPv6 duplicate address detection behavior in created namespaces.
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Default, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum Ipv6DadMode {
+    /// Keep kernel default behavior, DAD enabled.
+    Enabled,
+    /// Disable DAD for deterministic fast tests.
+    #[default]
+    Disabled,
+}
+
+/// Controls how IPv6 routes are provisioned for hosts and routers.
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Default, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum Ipv6ProvisioningMode {
+    /// Install routes directly from patchbay wiring logic.
+    #[default]
+    Static,
+    /// RA/RS-driven provisioning path.
+    RaDriven,
 }
 
 impl LabOpts {
@@ -313,6 +337,18 @@ impl LabOpts {
         }
         self
     }
+
+    /// Sets IPv6 duplicate address detection behavior.
+    pub fn ipv6_dad_mode(mut self, mode: Ipv6DadMode) -> Self {
+        self.ipv6_dad_mode = mode;
+        self
+    }
+
+    /// Sets IPv6 provisioning behavior.
+    pub fn ipv6_provisioning_mode(mut self, mode: Ipv6ProvisioningMode) -> Self {
+        self.ipv6_provisioning_mode = mode;
+        self
+    }
 }
 
 impl Lab {
@@ -389,6 +425,8 @@ impl Lab {
                 label: label.clone(),
                 ns_to_name: std::sync::Mutex::new(HashMap::new()),
                 run_dir: run_dir.clone(),
+                ipv6_dad_mode: opts.ipv6_dad_mode,
+                ipv6_provisioning_mode: opts.ipv6_provisioning_mode,
             }),
         };
         // Initialize root namespace and IX bridge eagerly — no lazy-init race.
@@ -841,6 +879,8 @@ impl Lab {
                 parent_route_v6: None,
                 parent_route_v4: None,
                 cancel: self.inner.cancel.clone(),
+                dad_mode: self.inner.ipv6_dad_mode,
+                provisioning_mode: self.inner.ipv6_provisioning_mode,
             };
 
             (id, setup_data, idx)
@@ -1924,6 +1964,8 @@ impl RouterBuilder {
                 parent_route_v6,
                 parent_route_v4,
                 cancel: self.inner.cancel.clone(),
+                dad_mode: self.inner.ipv6_dad_mode,
+                provisioning_mode: self.inner.ipv6_provisioning_mode,
             };
 
             (id, setup_data)
@@ -2093,6 +2135,8 @@ impl DeviceBuilder {
                     prefix_len: sw.cidr.map(|c| c.prefix_len()).unwrap_or(24),
                     gw_ip_v6: sw.gw_v6,
                     dev_ip_v6: iface.ip_v6,
+                    gw_ll_v6: inner.router(gw_router).and_then(|r| r.downstream_ll_v6),
+                    dev_ll_v6: iface.ll_v6,
                     prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
                     impair: iface.impair,
                     ifname: iface.ifname.clone(),
@@ -2118,7 +2162,17 @@ impl DeviceBuilder {
         // get /etc/hosts and /etc/resolv.conf bind-mounted at startup.
         let netns = &self.inner.netns;
         async {
-            setup_device_async(netns, &prefix, &root_ns, &dev, ifaces, Some(dns_overlay)).await
+            setup_device_async(
+                netns,
+                &prefix,
+                &root_ns,
+                &dev,
+                ifaces,
+                Some(dns_overlay),
+                self.inner.ipv6_dad_mode,
+                self.inner.ipv6_provisioning_mode,
+            )
+            .await
         }
         .instrument(self.lab_span.clone())
         .await?;
diff --git a/patchbay/src/lib.rs b/patchbay/src/lib.rs
index e530a08..82354cf 100644
--- a/patchbay/src/lib.rs
+++ b/patchbay/src/lib.rs
@@ -102,9 +102,9 @@ pub use firewall::PortPolicy;
 pub use ipnet::Ipv4Net;
 pub use lab::{
     ConntrackTimeouts, DefaultRegions, Device, DeviceBuilder, DeviceIface, Firewall,
-    FirewallConfig, FirewallConfigBuilder, IpSupport, Ix, Lab, LabOpts, LinkCondition, LinkLimits,
-    Nat, NatConfig, NatConfigBuilder, NatFiltering, NatMapping, NatV6Mode, ObservedAddr, Region,
-    RegionLink, Router, RouterBuilder, RouterPreset,
+    FirewallConfig, FirewallConfigBuilder, IpSupport, Ipv6DadMode, Ipv6ProvisioningMode, Ix, Lab,
+    LabOpts, LinkCondition, LinkLimits, Nat, NatConfig, NatConfigBuilder, NatFiltering, NatMapping,
+    NatV6Mode, ObservedAddr, Region, RegionLink, Router, RouterBuilder, RouterIface, RouterPreset,
 };
 
 pub use crate::{
diff --git a/patchbay/src/netlink.rs b/patchbay/src/netlink.rs
index 46018ea..9a48c03 100644
--- a/patchbay/src/netlink.rs
+++ b/patchbay/src/netlink.rs
@@ -272,6 +272,26 @@ impl Netlink {
         Ok(())
     }
 
+    pub(crate) async fn add_default_route_v6_scoped(
+        &self,
+        ifname: &str,
+        via: Ipv6Addr,
+    ) -> Result<()> {
+        trace!(ifname = %ifname, via = %via, "add default route v6 scoped");
+        let ifindex = self.link_index(ifname).await?;
+        let msg = RouteMessageBuilder::<Ipv6Addr>::new()
+            .output_interface(ifindex)
+            .gateway(via)
+            .build();
+        if let Err(err) = self.handle.route().add(msg).execute().await {
+            if is_eexist(&err) {
+                return Ok(());
+            }
+            return Err(err.into());
+        }
+        Ok(())
+    }
+
     pub(crate) async fn add_route_v6(
         &self,
         dst: Ipv6Addr,
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
new file mode 100644
index 0000000..b99fcd4
--- /dev/null
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -0,0 +1,127 @@
+//! IPv6 link-local focused tests.
+
+use std::net::Ipv6Addr;
+
+use super::*;
+
+fn is_link_local(ip: Ipv6Addr) -> bool {
+    ip.segments()[0] & 0xffc0 == 0xfe80
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn link_local_presence_on_all_ipv6_ifaces() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(LabOpts::default().ipv6_dad_mode(Ipv6DadMode::Disabled)).await?;
+    let dc = lab
+        .add_router("dc")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+    let dev = lab.add_device("dev").uplink(dc.id()).build().await?;
+
+    let iface = dev.default_iface().context("missing default iface")?;
+    let ll6 = iface.ll6().context("missing device ll6")?;
+    assert!(
+        is_link_local(ll6),
+        "device ll6 should be fe80::/10, got {ll6}"
+    );
+
+    let ifaces = dc.interfaces();
+    assert!(!ifaces.is_empty(), "router should expose interfaces");
+    for rif in ifaces {
+        let ll = rif.ll6().context("missing router ll6")?;
+        assert!(
+            is_link_local(ll),
+            "router iface {} ll6 should be fe80::/10, got {ll}",
+            rif.name()
+        );
+    }
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn router_iface_api_exposes_ll6_consistently() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::new().await?;
+    let dc = lab
+        .add_router("dc")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+
+    let all = dc.interfaces();
+    assert!(
+        all.len() >= 2,
+        "router should expose wan and bridge interfaces"
+    );
+
+    for iface in &all {
+        let by_name = dc
+            .iface(iface.name())
+            .context("iface lookup by name failed")?;
+        assert_eq!(
+            iface.ll6(),
+            by_name.ll6(),
+            "ll6 mismatch for iface {}",
+            iface.name()
+        );
+    }
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn dad_disabled_deterministic_mode() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(LabOpts::default().ipv6_dad_mode(Ipv6DadMode::Disabled)).await?;
+    let dc = lab
+        .add_router("dc")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+    let dev = lab.add_device("dev").uplink(dc.id()).build().await?;
+
+    // Deterministic mode expectation for now: IPv6 and LL are immediately usable.
+    assert!(dev.ip6().is_some(), "global/ULA IPv6 should exist");
+    assert!(
+        dev.default_iface().and_then(|i| i.ll6()).is_some(),
+        "link-local IPv6 should exist"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+#[ignore = "RA/RS provisioning engine follow-up"]
+async fn ra_source_is_link_local() -> Result<()> {
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+#[ignore = "RA/RS provisioning engine follow-up"]
+async fn host_learns_default_router_from_ra_link_local() -> Result<()> {
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+#[ignore = "RA/RS provisioning engine follow-up"]
+async fn router_lifetime_zero_withdraws_default_router() -> Result<()> {
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+#[ignore = "RA/RS provisioning engine follow-up"]
+async fn rio_local_routes_without_default_router() -> Result<()> {
+    Ok(())
+}
diff --git a/patchbay/src/tests/mod.rs b/patchbay/src/tests/mod.rs
index 6e3c4ee..9789fdd 100644
--- a/patchbay/src/tests/mod.rs
+++ b/patchbay/src/tests/mod.rs
@@ -41,6 +41,7 @@ mod hairpin;
 mod holepunch;
 mod iface;
 mod ipv6;
+mod ipv6_ll;
 mod lifecycle;
 mod link_condition;
 mod mtu;
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 4126dfa..8afaea3 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -4,9 +4,9 @@
 
 - [x] Write plan
 - [ ] Phase 0: Define target behavior and compatibility boundaries
-- [ ] Phase 1: Kernel behavior parity for link-local addresses and routes
+- [x] Phase 1: Kernel behavior parity for link-local addresses and routes
 - [ ] Phase 2: Router Advertisement and Router Solicitation behavior
-- [ ] Phase 3: Public API support for link-local and scope handling
+- [x] Phase 3: Public API support for link-local and scope handling
 - [ ] Phase 4: Real-world presets for consumer and production-like IPv6
 - [ ] Phase 5: Tests and validation matrix
 - [ ] Final review

From 65dbcbdf597055fdd165418e572ce6817dcfaa53 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 18:49:36 +0100
Subject: [PATCH 03/26] docs: document ipv6 link-local behavior and stabilize
 udp loss tests

---
 README.md                      | 30 +++++++++++++++++++++++++++++
 docs/reference/ipv6.md         | 35 ++++++++++++++++++++++++++++++++++
 patchbay-server/src/lib.rs     |  4 +---
 patchbay/src/core.rs           |  1 +
 patchbay/src/netns.rs          |  4 +++-
 patchbay/src/test_utils.rs     | 10 +++++-----
 patchbay/src/tests/devtools.rs |  3 ++-
 patchbay/src/tracing.rs        |  8 ++------
 8 files changed, 79 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index f816122..8da2c95 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,30 @@ between IPv6 and IPv4 headers; nftables masquerade handles port mapping.
 Use `RouterPreset::MobileV6` or `.nat_v6(NatV6Mode::Nat64)` directly.
 See [docs/reference/ipv6.md](docs/reference/ipv6.md) for details.
 
+### IPv6 link-local and provisioning modes
+
+Every IPv6-capable device/router interface now exposes a link-local address
+through the handle snapshots:
+
+- `Device::default_iface().and_then(|i| i.ll6())`
+- `Device::interfaces()[..].ll6()`
+- `Router::iface(\"wan\").and_then(|i| i.ll6())`
+- `Router::interfaces()[..].ll6()`
+
+Patchbay also supports explicit IPv6 provisioning and DAD modes via `LabOpts`:
+
+```rust
+let lab = Lab::with_opts(
+    LabOpts::default()
+        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
+        .ipv6_dad_mode(Ipv6DadMode::Enabled),
+).await?;
+```
+
+`Ipv6ProvisioningMode::Static` keeps route wiring deterministic.  
+`Ipv6ProvisioningMode::RaDriven` enables the RA-driven path.  
+`Ipv6DadMode::Disabled` is the current default for deterministic test setup.
+
 ### Firewalls
 
 Firewall presets control both inbound and outbound traffic:
@@ -265,6 +289,12 @@ provide `spawn`, `run_sync`, `spawn_thread`, `spawn_command`,
 namespace. Handle methods return `Result` or `Option` when the underlying
 node has been removed from the lab.
 
+For IPv6 diagnostics, use per-interface snapshots instead of only `ip6()`:
+
+- `DeviceIface::ip6()` for global/ULA address.
+- `DeviceIface::ll6()` for `fe80::/10` link-local address.
+- `RouterIface::ip6()` and `RouterIface::ll6()` for router-side interface state.
+
 ## TOML configuration
 
 You can also load labs from TOML files via `Lab::load("lab.toml")`:
diff --git a/docs/reference/ipv6.md b/docs/reference/ipv6.md
index bdd024e..0c85220 100644
--- a/docs/reference/ipv6.md
+++ b/docs/reference/ipv6.md
@@ -231,6 +231,41 @@ let charlie = lab.add_device("charlie").uplink(corp.id()).build().await?;
 | NAT64 | `NatV6Mode::Nat64` | Userspace SIIT + nftables masquerade |
 | DHCPv6-PD | *not planned* | Use static /64 allocation |
 
+## Link-Local Addressing and Scope
+
+Patchbay assigns and exposes link-local IPv6 addresses on IPv6-capable
+interfaces.
+
+- Device side: `DeviceIface::ll6()`
+- Router side: `RouterIface::ll6()`
+- Router snapshots: `Router::iface(name)` and `Router::interfaces()`
+
+Use `ip6()` when you need a global/ULA source or destination. Use `ll6()`
+for neighbor/router-local checks and link-local route assertions.
+
+### Provisioning mode and DAD mode
+
+Configure IPv6 behavior at lab creation with `LabOpts`:
+
+```rust
+let lab = Lab::with_opts(
+    LabOpts::default()
+        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
+        .ipv6_dad_mode(Ipv6DadMode::Enabled),
+).await?;
+```
+
+- `Ipv6ProvisioningMode::Static`: patchbay installs routes during wiring.
+- `Ipv6ProvisioningMode::RaDriven`: enables RA-driven provisioning path.
+- `Ipv6DadMode::Disabled`: deterministic mode, current default.
+- `Ipv6DadMode::Enabled`: kernel DAD behavior in namespaces.
+
+### Scoped default route behavior
+
+When an IPv6 default gateway is link-local (`fe80::/10`), route installation
+must include interface scope. Patchbay uses scoped route installation for this
+path, so default routing remains valid after interface changes.
+
 ---
 
 ## Common Pitfalls
diff --git a/patchbay-server/src/lib.rs b/patchbay-server/src/lib.rs
index 86cc5ac..cfdb8e1 100644
--- a/patchbay-server/src/lib.rs
+++ b/patchbay-server/src/lib.rs
@@ -522,9 +522,7 @@ fn detect_log_kind(filename: &str, sample: &[u8]) -> Option<LogKind> {
 
     let text = std::str::from_utf8(sample).ok()?;
     let text = text.trim_start_matches('\u{feff}');
-    if filename.ends_with(".qlog")
-        || filename.contains(".qlog-")
-        || looks_like_qlog_json_seq(text)
+    if filename.ends_with(".qlog") || filename.contains(".qlog-") || looks_like_qlog_json_seq(text)
     {
         return Some(LogKind::Qlog);
     }
diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index ccfcb6c..82b4a51 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -2380,6 +2380,7 @@ pub(crate) async fn remove_firewall(netns: &netns::NetnsManager, ns: &str) -> Re
 
 /// Sets up a single device's namespace and wires all interfaces. No lock held.
 #[instrument(name = "device", skip_all, fields(id = dev.id.0))]
+#[allow(clippy::too_many_arguments)]
 pub(crate) async fn setup_device_async(
     netns: &Arc<netns::NetnsManager>,
     prefix: &str,
diff --git a/patchbay/src/netns.rs b/patchbay/src/netns.rs
index e88a0ff..93d73fd 100644
--- a/patchbay/src/netns.rs
+++ b/patchbay/src/netns.rs
@@ -80,7 +80,9 @@ fn setup_namespace_thread(
 fn apply_mount_overlay(overlay: Option<&DnsOverlay>) {
     if overlay.is_some() {
         if let Err(e) = unshare(CloneFlags::CLONE_NEWNS) {
-            tracing::warn!("unshare(CLONE_NEWNS) failed: {e} — DNS overlay bind-mounts may affect the host");
+            tracing::warn!(
+                "unshare(CLONE_NEWNS) failed: {e} — DNS overlay bind-mounts may affect the host"
+            );
         }
     }
     if let Some(o) = overlay {
diff --git a/patchbay/src/test_utils.rs b/patchbay/src/test_utils.rs
index bbdc6b0..3926ef8 100644
--- a/patchbay/src/test_utils.rs
+++ b/patchbay/src/test_utils.rs
@@ -128,8 +128,8 @@ pub async fn udp_rtt(reflector: SocketAddr) -> Result<Duration> {
 /// all packets are sent and `wait` has elapsed since the last send.
 ///
 /// Before the main burst, sends warmup probes to confirm the reflector is
-/// reachable (retries up to 2 seconds). This prevents false zeros from
-/// reflector startup races.
+/// reachable (retries up to 15 seconds). This prevents false zeros from
+/// reflector startup races in busy CI runs.
 ///
 /// Use inside `handle.spawn(|_| async move { udp_send_recv_count(r, 1000, 64, dur).await })`.
 pub async fn udp_send_recv_count(
@@ -144,16 +144,16 @@ pub async fn udp_send_recv_count(
 
     // Warmup: confirm the reflector is live before starting the measured burst.
     // Probes may traverse a lossy link, so we retry aggressively (50ms apart)
-    // for up to 5 seconds to handle both reflector startup delay and packet loss.
+    // for up to 15 seconds to handle both reflector startup delay and packet loss.
     let mut warmup_buf = [0u8; 64];
-    let warmup_deadline = tokio::time::Instant::now() + Duration::from_secs(5);
+    let warmup_deadline = tokio::time::Instant::now() + Duration::from_secs(15);
     loop {
         let _ = sock.send_to(b"WARMUP", target).await;
         match tokio::time::timeout(Duration::from_millis(50), sock.recv_from(&mut warmup_buf)).await
         {
             Ok(Ok(_)) => break,
             _ if tokio::time::Instant::now() >= warmup_deadline => {
-                anyhow::bail!("reflector at {target} did not respond within 5s warmup");
+                anyhow::bail!("reflector at {target} did not respond within 15s warmup");
             }
             _ => continue,
         }
diff --git a/patchbay/src/tests/devtools.rs b/patchbay/src/tests/devtools.rs
index d38aac7..3f7a760 100644
--- a/patchbay/src/tests/devtools.rs
+++ b/patchbay/src/tests/devtools.rs
@@ -5,9 +5,10 @@
 //! PATCHBAY_OUTDIR=/tmp/patchbay-e2e cargo test -p patchbay simple_lab_for_e2e -- --ignored
 //! ```
 
+use tracing::{info_span, Instrument};
+
 use super::*;
 use crate::consts;
-use tracing::{info_span, Instrument};
 
 /// Creates a minimal lab with a DC server, home-NAT router, and client device.
 /// Runs a TCP echo roundtrip and writes all events + state to `PATCHBAY_OUTDIR`.
diff --git a/patchbay/src/tracing.rs b/patchbay/src/tracing.rs
index ec0fd29..421ec8c 100644
--- a/patchbay/src/tracing.rs
+++ b/patchbay/src/tracing.rs
@@ -271,8 +271,7 @@ impl NsWriterSubscriber {
     fn write_event_to_files(&self, event: &tracing::Event<'_>) {
         let meta = event.metadata();
         let target = meta.target();
-        let timestamp =
-            chrono::Utc::now().to_rfc3339_opts(chrono::SecondsFormat::Micros, true);
+        let timestamp = chrono::Utc::now().to_rfc3339_opts(chrono::SecondsFormat::Micros, true);
 
         // Write to .events.jsonl — only _events:: targets.
         if let Some(kind) = target.split_once("_events::").map(|(_, k)| k) {
@@ -321,10 +320,7 @@ impl NsWriterSubscriber {
             let span_chain = self.span_chain_for_event(event);
             if !span_chain.is_empty() {
                 let current = span_chain[span_chain.len() - 1].clone();
-                obj.insert(
-                    "span".to_string(),
-                    serde_json::Value::Object(current),
-                );
+                obj.insert("span".to_string(), serde_json::Value::Object(current));
                 obj.insert(
                     "spans".to_string(),
                     serde_json::Value::Array(

From ee3fea772910e012877df213a5433f5ee394e1cb Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 20:37:08 +0100
Subject: [PATCH 04/26] feat: improve RA-driven IPv6 scoped default-route
 handling

---
 patchbay/src/core.rs          |  19 ++++-
 patchbay/src/handles.rs       |  67 ++++++++++++----
 patchbay/src/lab.rs           |   8 +-
 patchbay/src/netlink.rs       |  50 ++++++++++++
 patchbay/src/tests/ipv6_ll.rs | 142 ++++++++++++++++++++++++++++++++++
 plans/ipv6-linklocal.md       |   9 +++
 6 files changed, 280 insertions(+), 15 deletions(-)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 82b4a51..4458eba 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -880,7 +880,6 @@ impl NetworkCore {
             .ok_or_else(|| anyhow!("switch missing owner"))?;
         let gw_br = sw.bridge.clone().unwrap_or_else(|| "br-lan".into());
         let gw_ns = self.router(gw_router).unwrap().ns.clone();
-
         let iface_build = IfaceBuild {
             dev_ns,
             gw_ns,
@@ -1029,6 +1028,24 @@ impl NetworkCore {
             .ok_or_else(|| anyhow!("switch missing gateway ip"))
     }
 
+    /// Returns IPv6 default-router candidates for a router downstream switch.
+    ///
+    /// The tuple is `(global_gateway, link_local_gateway)`.
+    pub(crate) fn router_downlink_gw6_for_switch(
+        &self,
+        sw: NodeId,
+    ) -> Result<(Option<Ipv6Addr>, Option<Ipv6Addr>)> {
+        let switch = self
+            .switches
+            .get(&sw)
+            .ok_or_else(|| anyhow!("switch missing"))?;
+        let ll = switch
+            .owner_router
+            .and_then(|rid| self.routers.get(&rid))
+            .and_then(|r| r.downstream_ll_v6);
+        Ok((switch.gw_v6, ll))
+    }
+
     /// Adds a switch node and returns its identifier.
     pub(crate) fn add_switch(
         &mut self,
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 12778a7..ba9388a 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -33,7 +33,7 @@ use crate::{
     },
     event::{IfaceSnapshot, LabEventKind},
     firewall::Firewall,
-    lab::{Lab, LinkCondition, ObservedAddr},
+    lab::{Ipv6ProvisioningMode, Lab, LinkCondition, ObservedAddr},
     nat::{IpSupport, Nat, NatV6Mode},
     netlink::Netlink,
 };
@@ -314,14 +314,28 @@ impl Device {
         })
         .await?;
         if is_default_via {
-            let gw_ip = self
-                .lab
-                .core
-                .lock()
-                .unwrap()
-                .router_downlink_gw_for_switch(uplink)?;
+            let (gw_ip, gw_v6, gw_ll_v6, provisioning) = {
+                let inner = self.lab.core.lock().unwrap();
+                let gw_ip = inner.router_downlink_gw_for_switch(uplink)?;
+                let (gw_v6, gw_ll_v6) = inner.router_downlink_gw6_for_switch(uplink)?;
+                (gw_ip, gw_v6, gw_ll_v6, self.lab.ipv6_provisioning_mode)
+            };
             core::nl_run(&self.lab.netns, &ns, move |nl: Netlink| async move {
-                nl.replace_default_route_v4(&ifname_owned, gw_ip).await
+                nl.replace_default_route_v4(&ifname_owned, gw_ip).await?;
+                let primary_v6 = if provisioning == Ipv6ProvisioningMode::RaDriven {
+                    gw_ll_v6.or(gw_v6)
+                } else {
+                    gw_v6.or(gw_ll_v6)
+                };
+                if let Some(gw6) = primary_v6 {
+                    if gw6.is_unicast_link_local() {
+                        nl.replace_default_route_v6_scoped(&ifname_owned, gw6)
+                            .await?;
+                    } else {
+                        nl.replace_default_route_v6(&ifname_owned, gw6).await?;
+                    }
+                }
+                Ok(())
             })
             .await?;
         }
@@ -347,7 +361,7 @@ impl Device {
             .with_device(self.id, |d| Arc::clone(&d.op))
             .ok_or_else(|| anyhow!("device removed"))?;
         let _guard = op.lock().await;
-        let (ns, impair, gw_ip) = {
+        let (ns, impair, gw_ip, gw_v6, gw_ll_v6, provisioning) = {
             let inner = self.lab.core.lock().unwrap();
             let dev = inner
                 .device(self.id)
@@ -356,11 +370,32 @@ impl Device {
                 .iface(to)
                 .ok_or_else(|| anyhow!("interface '{}' not found", to))?;
             let gw_ip = inner.router_downlink_gw_for_switch(iface.uplink)?;
-            (dev.ns.clone(), iface.impair, gw_ip)
+            let (gw_v6, gw_ll_v6) = inner.router_downlink_gw6_for_switch(iface.uplink)?;
+            (
+                dev.ns.clone(),
+                iface.impair,
+                gw_ip,
+                gw_v6,
+                gw_ll_v6,
+                self.lab.ipv6_provisioning_mode,
+            )
         };
         let to_owned = to.to_string();
         core::nl_run(&self.lab.netns, &ns, move |nl: Netlink| async move {
-            nl.replace_default_route_v4(&to_owned, gw_ip).await
+            nl.replace_default_route_v4(&to_owned, gw_ip).await?;
+            let primary_v6 = if provisioning == Ipv6ProvisioningMode::RaDriven {
+                gw_ll_v6.or(gw_v6)
+            } else {
+                gw_v6.or(gw_ll_v6)
+            };
+            if let Some(gw6) = primary_v6 {
+                if gw6.is_unicast_link_local() {
+                    nl.replace_default_route_v6_scoped(&to_owned, gw6).await?;
+                } else {
+                    nl.replace_default_route_v6(&to_owned, gw6).await?;
+                }
+            }
+            Ok(())
         })
         .await?;
         apply_or_remove_impair(&self.lab.netns, &ns, to, impair).await;
@@ -571,12 +606,15 @@ impl Device {
         let _guard = op.lock().await;
 
         // Phase 1: Lock → register iface + allocate IP → unlock
-        let setup = self
+        let mut setup = self
             .lab
             .core
             .lock()
             .unwrap()
             .prepare_add_iface(self.id, ifname, router, impair)?;
+        if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+            setup.iface_build.gw_ip_v6 = None;
+        }
 
         // Phase 2: Wire the interface (veth pair, IPs, bridge attachment).
         let netns = &self.lab.netns;
@@ -677,12 +715,15 @@ impl Device {
         use crate::core;
 
         // Phase 1: Lock → extract data + allocate from new router's pool → unlock
-        let setup = self
+        let mut setup = self
             .lab
             .core
             .lock()
             .unwrap()
             .prepare_replug_iface(self.id, ifname, to_router)?;
+        if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+            setup.iface_build.gw_ip_v6 = None;
+        }
 
         // Phase 2: Delete old veth pair.
         let dev_ns = setup.iface_build.dev_ns.clone();
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 983830e..11d4fb6 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -2126,6 +2126,12 @@ impl DeviceBuilder {
                 })?;
                 let gw_br = sw.bridge.clone().unwrap_or_else(|| "br-lan".into());
                 let gw_ns = inner.router(gw_router).unwrap().ns.clone();
+                let gw_ip_v6 =
+                    if self.inner.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+                        None
+                    } else {
+                        sw.gw_v6
+                    };
                 iface_data.push(IfaceBuild {
                     dev_ns: dev.ns.clone(),
                     gw_ns,
@@ -2133,7 +2139,7 @@ impl DeviceBuilder {
                     gw_br,
                     dev_ip: iface.ip,
                     prefix_len: sw.cidr.map(|c| c.prefix_len()).unwrap_or(24),
-                    gw_ip_v6: sw.gw_v6,
+                    gw_ip_v6,
                     dev_ip_v6: iface.ip_v6,
                     gw_ll_v6: inner.router(gw_router).and_then(|r| r.downstream_ll_v6),
                     dev_ll_v6: iface.ll_v6,
diff --git a/patchbay/src/netlink.rs b/patchbay/src/netlink.rs
index 9a48c03..46f5909 100644
--- a/patchbay/src/netlink.rs
+++ b/patchbay/src/netlink.rs
@@ -272,6 +272,29 @@ impl Netlink {
         Ok(())
     }
 
+    pub(crate) async fn replace_default_route_v6(&self, ifname: &str, via: Ipv6Addr) -> Result<()> {
+        trace!(ifname = %ifname, via = %via, "replace default route v6");
+        let ifindex = self.link_index(ifname).await?;
+
+        let mut routes = self
+            .handle
+            .route()
+            .get(RouteMessageBuilder::<Ipv6Addr>::new().build())
+            .execute();
+        while let Some(route) = routes.try_next().await? {
+            if route.header.destination_prefix_length == 0 {
+                let _ = self.handle.route().del(route).execute().await;
+            }
+        }
+
+        let msg = RouteMessageBuilder::<Ipv6Addr>::new()
+            .output_interface(ifindex)
+            .gateway(via)
+            .build();
+        self.handle.route().add(msg).execute().await?;
+        Ok(())
+    }
+
     pub(crate) async fn add_default_route_v6_scoped(
         &self,
         ifname: &str,
@@ -292,6 +315,33 @@ impl Netlink {
         Ok(())
     }
 
+    pub(crate) async fn replace_default_route_v6_scoped(
+        &self,
+        ifname: &str,
+        via: Ipv6Addr,
+    ) -> Result<()> {
+        trace!(ifname = %ifname, via = %via, "replace default route v6 scoped");
+        let ifindex = self.link_index(ifname).await?;
+
+        let mut routes = self
+            .handle
+            .route()
+            .get(RouteMessageBuilder::<Ipv6Addr>::new().build())
+            .execute();
+        while let Some(route) = routes.try_next().await? {
+            if route.header.destination_prefix_length == 0 {
+                let _ = self.handle.route().del(route).execute().await;
+            }
+        }
+
+        let msg = RouteMessageBuilder::<Ipv6Addr>::new()
+            .output_interface(ifindex)
+            .gateway(via)
+            .build();
+        self.handle.route().add(msg).execute().await?;
+        Ok(())
+    }
+
     pub(crate) async fn add_route_v6(
         &self,
         dst: Ipv6Addr,
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index b99fcd4..d02587a 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -98,6 +98,148 @@ async fn dad_disabled_deterministic_mode() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_default_route_uses_scoped_ll_and_switches_iface() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r1 = lab
+        .add_router("r1")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+    let r2 = lab
+        .add_router("r2")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+    let dev = lab
+        .add_device("dev")
+        .iface("eth0", r1.id(), None)
+        .iface("eth1", r2.id(), None)
+        .default_via("eth0")
+        .build()
+        .await?;
+
+    let route0 = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route0.contains("via fe80:"),
+        "expected link-local default route, got: {route0:?}"
+    );
+    assert!(
+        route0.contains("dev eth0"),
+        "expected default route via eth0, got: {route0:?}"
+    );
+
+    dev.set_default_route("eth1").await?;
+
+    let route1 = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route1.contains("via fe80:"),
+        "expected link-local default route after switch, got: {route1:?}"
+    );
+    assert!(
+        route1.contains("dev eth1"),
+        "expected default route via eth1 after switch, got: {route1:?}"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_link_up_restores_scoped_ll_default_route() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r1 = lab
+        .add_router("r1")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+    let dev = lab
+        .add_device("dev")
+        .iface("eth0", r1.id(), None)
+        .default_via("eth0")
+        .build()
+        .await?;
+
+    let before = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(before.contains("via fe80:"), "expected LL default route");
+    assert!(
+        before.contains("dev eth0"),
+        "expected default route via eth0"
+    );
+
+    dev.link_down("eth0").await?;
+    let during = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        during.trim().is_empty(),
+        "expected no default v6 route while link is down, got: {during:?}"
+    );
+
+    dev.link_up("eth0").await?;
+    let after = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(after.contains("via fe80:"), "expected LL default route");
+    assert!(
+        after.contains("dev eth0"),
+        "expected default route via eth0"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 #[ignore = "RA/RS provisioning engine follow-up"]
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 8afaea3..a96061b 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -364,6 +364,7 @@ Core tests:
    - Verifies RA worker tasks are created, restarted, and terminated correctly with namespace/router lifecycle transitions.
 16. `router_iface_api_exposes_ll6_consistently`
    - Verifies new `RouterIface` snapshots and getters stay consistent with netlink-observed interface state.
+    - Status: implemented.
 
 Additional exhaustiveness tests:
 
@@ -388,6 +389,14 @@ Additional exhaustiveness tests:
 26. `devtools_payload_backward_compatible_when_ll6_missing`
    - Verifies additive schema behavior when older runs or v4-only interfaces lack LLA fields.
 
+Implemented in `patchbay/src/tests/ipv6_ll.rs` so far:
+
+- `link_local_presence_on_all_ipv6_ifaces`
+- `router_iface_api_exposes_ll6_consistently`
+- `dad_disabled_deterministic_mode`
+- `radriven_default_route_uses_scoped_ll_and_switches_iface`
+- `radriven_link_up_restores_scoped_ll_default_route`
+
 Validation commands before completion:
 
 - `cargo make format`

From e729af5c5ce05008c5e4e3c537dafd0f293946ea Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 20:45:17 +0100
Subject: [PATCH 05/26] feat: add router RA controls and worker gating

---
 patchbay/src/config.rs        |  4 ++
 patchbay/src/core.rs          | 27 ++++++++--
 patchbay/src/lab.rs           | 38 ++++++++++++++
 patchbay/src/tests/ipv6_ll.rs | 94 ++++++++++++++++++++++++++++++++++-
 plans/ipv6-linklocal.md       |  7 +++
 5 files changed, 165 insertions(+), 5 deletions(-)

diff --git a/patchbay/src/config.rs b/patchbay/src/config.rs
index b54b90f..b25f4e6 100644
--- a/patchbay/src/config.rs
+++ b/patchbay/src/config.rs
@@ -45,4 +45,8 @@ pub struct RouterConfig {
     /// IPv6 NAT mode.  Defaults to `"none"`.
     #[serde(default)]
     pub nat_v6: NatV6Mode,
+    /// Optional override for RA emission in RA-driven provisioning mode.
+    pub ra_enabled: Option<bool>,
+    /// Optional RA interval in seconds.
+    pub ra_interval_secs: Option<u64>,
 }
diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 4458eba..f8b2f7e 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -82,6 +82,10 @@ pub(crate) struct RouterConfig {
     pub block_icmp_frag_needed: bool,
     /// Firewall preset for the router's forward chain.
     pub firewall: Firewall,
+    /// Whether this router emits Router Advertisements in RA-driven mode.
+    pub ra_enabled: bool,
+    /// Router Advertisement interval in seconds.
+    pub ra_interval_secs: u64,
 }
 
 impl RouterConfig {
@@ -746,6 +750,8 @@ impl NetworkCore {
                     mtu: None,
                     block_icmp_frag_needed: false,
                     firewall: Firewall::None,
+                    ra_enabled: true,
+                    ra_interval_secs: 30,
                 },
                 downlink_bridge,
                 uplink: None,
@@ -1855,6 +1861,10 @@ pub(crate) struct RouterSetupData {
     pub dad_mode: Ipv6DadMode,
     /// IPv6 provisioning behavior.
     pub provisioning_mode: Ipv6ProvisioningMode,
+    /// Whether RA worker should run for this router.
+    pub ra_enabled: bool,
+    /// RA worker interval in seconds.
+    pub ra_interval_secs: u64,
 }
 
 /// Sets up a single router's namespaces, links, and NAT. No lock held.
@@ -2190,8 +2200,16 @@ pub(crate) async fn setup_router_async(
     }
 
     // RA worker scaffold for RA-driven mode.
-    if data.provisioning_mode == Ipv6ProvisioningMode::RaDriven && router.cfg.ip_support.has_v6() {
-        spawn_ra_worker(netns, &router.ns, data.cancel.clone())?;
+    if data.provisioning_mode == Ipv6ProvisioningMode::RaDriven
+        && data.ra_enabled
+        && router.cfg.ip_support.has_v6()
+    {
+        spawn_ra_worker(
+            netns,
+            &router.ns,
+            data.cancel.clone(),
+            data.ra_interval_secs.max(1),
+        )?;
     }
 
     Ok(())
@@ -2201,16 +2219,17 @@ fn spawn_ra_worker(
     netns: &Arc<netns::NetnsManager>,
     ns: &str,
     cancel: CancellationToken,
+    interval_secs: u64,
 ) -> Result<()> {
     let rt = netns.rt_handle_for(ns)?;
     let ns = ns.to_string();
     rt.spawn(async move {
-        let interval = tokio::time::Duration::from_secs(30);
+        let interval = tokio::time::Duration::from_secs(interval_secs.max(1));
         loop {
             tokio::select! {
                 _ = cancel.cancelled() => break,
                 _ = tokio::time::sleep(interval) => {
-                    tracing::trace!(ns = %ns, "ra-worker: tick");
+                    tracing::trace!(ns = %ns, interval_secs, "ra-worker: tick");
                 }
             }
         }
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 11d4fb6..c7f0af9 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -536,6 +536,12 @@ impl Lab {
                     .nat(rcfg.nat)
                     .ip_support(rcfg.ip_support)
                     .nat_v6(rcfg.nat_v6);
+                if let Some(enabled) = rcfg.ra_enabled {
+                    rb = rb.ra_enabled(enabled);
+                }
+                if let Some(interval) = rcfg.ra_interval_secs {
+                    rb = rb.ra_interval_secs(interval);
+                }
                 // TODO: support region assignment from TOML config via add_region.
                 if let Some(u) = upstream {
                     rb = rb.upstream(u);
@@ -707,6 +713,8 @@ impl Lab {
             mtu: None,
             block_icmp_frag_needed: false,
             firewall: Firewall::None,
+            ra_enabled: true,
+            ra_interval_secs: 30,
             result: Ok(()),
         }
     }
@@ -855,6 +863,8 @@ impl Lab {
                 let sw = inner.switch(sw_id)?;
                 Some((sw.gw_v6?, sw.cidr_v6?.prefix_len()))
             });
+            let ra_enabled = router.cfg.ra_enabled;
+            let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
 
             let setup_data = RouterSetupData {
                 router,
@@ -881,6 +891,8 @@ impl Lab {
                 cancel: self.inner.cancel.clone(),
                 dad_mode: self.inner.ipv6_dad_mode,
                 provisioning_mode: self.inner.ipv6_provisioning_mode,
+                ra_enabled,
+                ra_interval_secs,
             };
 
             (id, setup_data, idx)
@@ -1549,6 +1561,8 @@ pub struct RouterBuilder {
     mtu: Option<u32>,
     block_icmp_frag_needed: bool,
     firewall: Firewall,
+    ra_enabled: bool,
+    ra_interval_secs: u64,
     result: Result<()>,
 }
 
@@ -1575,6 +1589,8 @@ impl RouterBuilder {
             mtu: None,
             block_icmp_frag_needed: false,
             firewall: Firewall::None,
+            ra_enabled: true,
+            ra_interval_secs: 30,
             result: Err(err),
         }
     }
@@ -1711,6 +1727,22 @@ impl RouterBuilder {
         self
     }
 
+    /// Enables or disables router advertisement emission in RA-driven mode.
+    pub fn ra_enabled(mut self, enabled: bool) -> Self {
+        if self.result.is_ok() {
+            self.ra_enabled = enabled;
+        }
+        self
+    }
+
+    /// Sets the RA interval in seconds, clamped to at least 1 second.
+    pub fn ra_interval_secs(mut self, secs: u64) -> Self {
+        if self.result.is_ok() {
+            self.ra_interval_secs = secs.max(1);
+        }
+        self
+    }
+
     /// Overrides the downstream subnet instead of auto-allocating from the pool.
     ///
     /// The gateway address is the `.1` host of the given CIDR. Device addresses
@@ -1748,6 +1780,8 @@ impl RouterBuilder {
                 r.cfg.mtu = self.mtu;
                 r.cfg.block_icmp_frag_needed = self.block_icmp_frag_needed;
                 r.cfg.firewall = self.firewall.clone();
+                r.cfg.ra_enabled = self.ra_enabled;
+                r.cfg.ra_interval_secs = self.ra_interval_secs.max(1);
             }
             let has_v4 = self.ip_support.has_v4();
             let has_v6 = self.ip_support.has_v6();
@@ -1937,6 +1971,8 @@ impl RouterBuilder {
             };
 
             let has_v6 = router.cfg.ip_support.has_v6();
+            let ra_enabled = router.cfg.ra_enabled;
+            let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
             let setup_data = RouterSetupData {
                 router,
                 root_ns: cfg.root_ns.clone(),
@@ -1966,6 +2002,8 @@ impl RouterBuilder {
                 cancel: self.inner.cancel.clone(),
                 dad_mode: self.inner.ipv6_dad_mode,
                 provisioning_mode: self.inner.ipv6_provisioning_mode,
+                ra_enabled,
+                ra_interval_secs,
             };
 
             (id, setup_data)
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index d02587a..933f77d 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -1,6 +1,11 @@
 //! IPv6 link-local focused tests.
 
-use std::net::Ipv6Addr;
+use std::{
+    fs,
+    net::Ipv6Addr,
+    path::Path,
+    time::{Duration, SystemTime, UNIX_EPOCH},
+};
 
 use super::*;
 
@@ -8,6 +13,19 @@ fn is_link_local(ip: Ipv6Addr) -> bool {
     ip.segments()[0] & 0xffc0 == 0xfe80
 }
 
+async fn wait_for_file_contains(path: &Path, needle: &str, timeout: Duration) -> Result<bool> {
+    let start = tokio::time::Instant::now();
+    while start.elapsed() < timeout {
+        if let Ok(content) = fs::read_to_string(path) {
+            if content.contains(needle) {
+                return Ok(true);
+            }
+        }
+        tokio::time::sleep(Duration::from_millis(100)).await;
+    }
+    Ok(false)
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 async fn link_local_presence_on_all_ipv6_ifaces() -> Result<()> {
@@ -240,6 +258,80 @@ async fn radriven_link_up_restores_scoped_ll_default_route() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_ra_worker_respects_router_enable_flag() -> Result<()> {
+    check_caps()?;
+
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_nanos();
+    let outdir = std::env::temp_dir().join(format!("patchbay-ra-worker-{unique}"));
+    fs::create_dir_all(&outdir)?;
+    std::env::set_var("PATCHBAY_LOG", "trace");
+
+    let lab_enabled = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ra-enabled")
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r_enabled = lab_enabled
+        .add_router("r-enabled")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(1)
+        .build()
+        .await?;
+    let _dev_enabled = lab_enabled
+        .add_device("d-enabled")
+        .uplink(r_enabled.id())
+        .build()
+        .await?;
+    let enabled_trace = r_enabled
+        .filepath("tracing.jsonl")
+        .context("missing enabled router tracing path")?;
+    let has_tick =
+        wait_for_file_contains(&enabled_trace, "ra-worker: tick", Duration::from_secs(3)).await?;
+    assert!(has_tick, "expected RA worker tick in tracing log");
+    drop(lab_enabled);
+
+    let lab_disabled = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ra-disabled")
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r_disabled = lab_disabled
+        .add_router("r-disabled")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(false)
+        .ra_interval_secs(1)
+        .build()
+        .await?;
+    let _dev_disabled = lab_disabled
+        .add_device("d-disabled")
+        .uplink(r_disabled.id())
+        .build()
+        .await?;
+    tokio::time::sleep(Duration::from_secs(2)).await;
+    let disabled_trace = r_disabled
+        .filepath("tracing.jsonl")
+        .context("missing disabled router tracing path")?;
+    let disabled_content = fs::read_to_string(&disabled_trace).unwrap_or_default();
+    assert!(
+        !disabled_content.contains("ra-worker: tick"),
+        "unexpected RA worker tick while RA is disabled"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 #[ignore = "RA/RS provisioning engine follow-up"]
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index a96061b..ed14b22 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -396,6 +396,13 @@ Implemented in `patchbay/src/tests/ipv6_ll.rs` so far:
 - `dad_disabled_deterministic_mode`
 - `radriven_default_route_uses_scoped_ll_and_switches_iface`
 - `radriven_link_up_restores_scoped_ll_default_route`
+- `radriven_ra_worker_respects_router_enable_flag`
+
+Implemented control-plane scaffolding so far:
+
+- Router-level RA controls: `ra_enabled(bool)` and `ra_interval_secs(u64)`.
+- TOML support for router RA controls: `ra_enabled`, `ra_interval_secs`.
+- RA worker now honors per-router enable flag and configured interval.
 
 Validation commands before completion:
 

From 2053d3454f572ea95190cc80af6070169a8eb162 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 21:09:57 +0100
Subject: [PATCH 06/26] feat: emit RA advertisement events with lifetime
 metadata

---
 patchbay/src/config.rs        |  2 ++
 patchbay/src/core.rs          | 45 +++++++++++++++++++++++++++++++----
 patchbay/src/lab.rs           | 19 +++++++++++++++
 patchbay/src/tests/ipv6_ll.rs | 44 +++++++++++++++++++++++++++++++++-
 4 files changed, 105 insertions(+), 5 deletions(-)

diff --git a/patchbay/src/config.rs b/patchbay/src/config.rs
index b25f4e6..972bd78 100644
--- a/patchbay/src/config.rs
+++ b/patchbay/src/config.rs
@@ -49,4 +49,6 @@ pub struct RouterConfig {
     pub ra_enabled: Option<bool>,
     /// Optional RA interval in seconds.
     pub ra_interval_secs: Option<u64>,
+    /// Optional RA lifetime in seconds.
+    pub ra_lifetime_secs: Option<u64>,
 }
diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index f8b2f7e..31951a2 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -86,6 +86,8 @@ pub(crate) struct RouterConfig {
     pub ra_enabled: bool,
     /// Router Advertisement interval in seconds.
     pub ra_interval_secs: u64,
+    /// Router Advertisement lifetime in seconds.
+    pub ra_lifetime_secs: u64,
 }
 
 impl RouterConfig {
@@ -752,6 +754,7 @@ impl NetworkCore {
                     firewall: Firewall::None,
                     ra_enabled: true,
                     ra_interval_secs: 30,
+                    ra_lifetime_secs: 1800,
                 },
                 downlink_bridge,
                 uplink: None,
@@ -1865,6 +1868,8 @@ pub(crate) struct RouterSetupData {
     pub ra_enabled: bool,
     /// RA worker interval in seconds.
     pub ra_interval_secs: u64,
+    /// RA lifetime in seconds.
+    pub ra_lifetime_secs: u64,
 }
 
 /// Sets up a single router's namespaces, links, and NAT. No lock held.
@@ -2208,7 +2213,13 @@ pub(crate) async fn setup_router_async(
             netns,
             &router.ns,
             data.cancel.clone(),
-            data.ra_interval_secs.max(1),
+            RaWorkerCfg {
+                router_name: router.name.to_string(),
+                iface: router.downlink_bridge.to_string(),
+                src_ll: router.downstream_ll_v6,
+                interval_secs: data.ra_interval_secs.max(1),
+                lifetime_secs: data.ra_lifetime_secs.max(1),
+            },
         )?;
     }
 
@@ -2219,17 +2230,35 @@ fn spawn_ra_worker(
     netns: &Arc<netns::NetnsManager>,
     ns: &str,
     cancel: CancellationToken,
-    interval_secs: u64,
+    cfg: RaWorkerCfg,
 ) -> Result<()> {
     let rt = netns.rt_handle_for(ns)?;
     let ns = ns.to_string();
     rt.spawn(async move {
-        let interval = tokio::time::Duration::from_secs(interval_secs.max(1));
+        let interval = tokio::time::Duration::from_secs(cfg.interval_secs.max(1));
+        let emit_ra = || {
+            if let Some(src) = cfg.src_ll {
+                tracing::info!(
+                    target: "patchbay::_events::RouterAdvertisement",
+                    ns = %ns,
+                    router = %cfg.router_name,
+                    iface = %cfg.iface,
+                    src = %src,
+                    lifetime_secs = cfg.lifetime_secs,
+                    interval_secs = cfg.interval_secs,
+                    "router advertisement"
+                );
+            } else {
+                tracing::warn!(ns = %ns, router = %cfg.router_name, "ra-worker: missing link-local source address");
+            }
+        };
+        emit_ra();
         loop {
             tokio::select! {
                 _ = cancel.cancelled() => break,
                 _ = tokio::time::sleep(interval) => {
-                    tracing::trace!(ns = %ns, interval_secs, "ra-worker: tick");
+                    tracing::trace!(ns = %ns, interval_secs = cfg.interval_secs, "ra-worker: tick");
+                    emit_ra();
                 }
             }
         }
@@ -2238,6 +2267,14 @@ fn spawn_ra_worker(
     Ok(())
 }
 
+struct RaWorkerCfg {
+    router_name: String,
+    iface: String,
+    src_ll: Option<Ipv6Addr>,
+    interval_secs: u64,
+    lifetime_secs: u64,
+}
+
 /// Sets up NAT64 in the router namespace:
 /// 1. Creates TUN device `nat64`
 /// 2. Assigns the NAT64 IPv4 pool address
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index c7f0af9..084a7d6 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -542,6 +542,9 @@ impl Lab {
                 if let Some(interval) = rcfg.ra_interval_secs {
                     rb = rb.ra_interval_secs(interval);
                 }
+                if let Some(lifetime) = rcfg.ra_lifetime_secs {
+                    rb = rb.ra_lifetime_secs(lifetime);
+                }
                 // TODO: support region assignment from TOML config via add_region.
                 if let Some(u) = upstream {
                     rb = rb.upstream(u);
@@ -715,6 +718,7 @@ impl Lab {
             firewall: Firewall::None,
             ra_enabled: true,
             ra_interval_secs: 30,
+            ra_lifetime_secs: 1800,
             result: Ok(()),
         }
     }
@@ -865,6 +869,7 @@ impl Lab {
             });
             let ra_enabled = router.cfg.ra_enabled;
             let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
+            let ra_lifetime_secs = router.cfg.ra_lifetime_secs.max(1);
 
             let setup_data = RouterSetupData {
                 router,
@@ -893,6 +898,7 @@ impl Lab {
                 provisioning_mode: self.inner.ipv6_provisioning_mode,
                 ra_enabled,
                 ra_interval_secs,
+                ra_lifetime_secs,
             };
 
             (id, setup_data, idx)
@@ -1563,6 +1569,7 @@ pub struct RouterBuilder {
     firewall: Firewall,
     ra_enabled: bool,
     ra_interval_secs: u64,
+    ra_lifetime_secs: u64,
     result: Result<()>,
 }
 
@@ -1591,6 +1598,7 @@ impl RouterBuilder {
             firewall: Firewall::None,
             ra_enabled: true,
             ra_interval_secs: 30,
+            ra_lifetime_secs: 1800,
             result: Err(err),
         }
     }
@@ -1743,6 +1751,14 @@ impl RouterBuilder {
         self
     }
 
+    /// Sets Router Advertisement lifetime in seconds, clamped to at least 1 second.
+    pub fn ra_lifetime_secs(mut self, secs: u64) -> Self {
+        if self.result.is_ok() {
+            self.ra_lifetime_secs = secs.max(1);
+        }
+        self
+    }
+
     /// Overrides the downstream subnet instead of auto-allocating from the pool.
     ///
     /// The gateway address is the `.1` host of the given CIDR. Device addresses
@@ -1782,6 +1798,7 @@ impl RouterBuilder {
                 r.cfg.firewall = self.firewall.clone();
                 r.cfg.ra_enabled = self.ra_enabled;
                 r.cfg.ra_interval_secs = self.ra_interval_secs.max(1);
+                r.cfg.ra_lifetime_secs = self.ra_lifetime_secs.max(1);
             }
             let has_v4 = self.ip_support.has_v4();
             let has_v6 = self.ip_support.has_v6();
@@ -1973,6 +1990,7 @@ impl RouterBuilder {
             let has_v6 = router.cfg.ip_support.has_v6();
             let ra_enabled = router.cfg.ra_enabled;
             let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
+            let ra_lifetime_secs = router.cfg.ra_lifetime_secs.max(1);
             let setup_data = RouterSetupData {
                 router,
                 root_ns: cfg.root_ns.clone(),
@@ -2004,6 +2022,7 @@ impl RouterBuilder {
                 provisioning_mode: self.inner.ipv6_provisioning_mode,
                 ra_enabled,
                 ra_interval_secs,
+                ra_lifetime_secs,
             };
 
             (id, setup_data)
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 933f77d..d131211 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -334,8 +334,50 @@ async fn radriven_ra_worker_respects_router_enable_flag() -> Result<()> {
 
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
-#[ignore = "RA/RS provisioning engine follow-up"]
 async fn ra_source_is_link_local() -> Result<()> {
+    check_caps()?;
+
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_nanos();
+    let outdir = std::env::temp_dir().join(format!("patchbay-ra-events-{unique}"));
+    fs::create_dir_all(&outdir)?;
+    std::env::set_var("PATCHBAY_LOG", "trace");
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ra-src-ll")
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(1)
+        .build()
+        .await?;
+    let _dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let events = r
+        .filepath("events.jsonl")
+        .context("missing router events path")?;
+    let has_ra_kind = wait_for_file_contains(
+        &events,
+        "\"kind\":\"RouterAdvertisement\"",
+        Duration::from_secs(3),
+    )
+    .await?;
+    assert!(
+        has_ra_kind,
+        "expected RouterAdvertisement event in events log"
+    );
+    let has_ll_src =
+        wait_for_file_contains(&events, "\"src\":\"fe80:", Duration::from_secs(3)).await?;
+    assert!(has_ll_src, "expected link-local RA source in events log");
     Ok(())
 }
 

From 7752a122865bd33ab752f1e576cd23b835a72845 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 21:49:29 +0100
Subject: [PATCH 07/26] feat: handle RA lifetime zero for radriven default
 routes

---
 patchbay/src/core.rs          | 33 +++++++++++--
 patchbay/src/handles.rs       | 27 +++++++++--
 patchbay/src/lab.rs           | 25 +++++++---
 patchbay/src/tests/ipv6_ll.rs | 88 ++++++++++++++++++++++++++++++++++-
 plans/ipv6-linklocal.md       |  7 ++-
 5 files changed, 162 insertions(+), 18 deletions(-)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 31951a2..ffe05a3 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -887,8 +887,16 @@ impl NetworkCore {
         let gw_router = sw
             .owner_router
             .ok_or_else(|| anyhow!("switch missing owner"))?;
+        let gw_router_data = self
+            .router(gw_router)
+            .ok_or_else(|| anyhow!("gateway router missing"))?;
         let gw_br = sw.bridge.clone().unwrap_or_else(|| "br-lan".into());
-        let gw_ns = self.router(gw_router).unwrap().ns.clone();
+        let gw_ns = gw_router_data.ns.clone();
+        let gw_ll_v6 = if gw_router_data.cfg.ra_enabled && gw_router_data.cfg.ra_lifetime_secs > 0 {
+            gw_router_data.downstream_ll_v6
+        } else {
+            None
+        };
         let iface_build = IfaceBuild {
             dev_ns,
             gw_ns,
@@ -898,7 +906,7 @@ impl NetworkCore {
             prefix_len: sw.cidr.map(|c| c.prefix_len()).unwrap_or(24),
             gw_ip_v6: sw.gw_v6,
             dev_ip_v6: iface.ip_v6,
-            gw_ll_v6: self.router(gw_router).and_then(|r| r.downstream_ll_v6),
+            gw_ll_v6,
             dev_ll_v6: iface.ll_v6,
             prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
             impair,
@@ -973,7 +981,11 @@ impl NetworkCore {
             prefix_len,
             gw_ip_v6: sw.gw_v6,
             dev_ip_v6: new_ip_v6,
-            gw_ll_v6: target_router.downstream_ll_v6,
+            gw_ll_v6: if target_router.cfg.ra_enabled && target_router.cfg.ra_lifetime_secs > 0 {
+                target_router.downstream_ll_v6
+            } else {
+                None
+            },
             dev_ll_v6: new_ip_v6.map(|_| link_local_from_seed(old_idx)),
             prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
             impair,
@@ -1055,6 +1067,19 @@ impl NetworkCore {
         Ok((switch.gw_v6, ll))
     }
 
+    /// Returns whether RA-driven default-route learning is active for this switch.
+    pub(crate) fn ra_default_enabled_for_switch(&self, sw: NodeId) -> Result<bool> {
+        let switch = self
+            .switches
+            .get(&sw)
+            .ok_or_else(|| anyhow!("switch missing"))?;
+        let router = switch
+            .owner_router
+            .and_then(|rid| self.routers.get(&rid))
+            .ok_or_else(|| anyhow!("switch missing owner router"))?;
+        Ok(router.cfg.ra_enabled && router.cfg.ra_lifetime_secs > 0)
+    }
+
     /// Adds a switch node and returns its identifier.
     pub(crate) fn add_switch(
         &mut self,
@@ -2218,7 +2243,7 @@ pub(crate) async fn setup_router_async(
                 iface: router.downlink_bridge.to_string(),
                 src_ll: router.downstream_ll_v6,
                 interval_secs: data.ra_interval_secs.max(1),
-                lifetime_secs: data.ra_lifetime_secs.max(1),
+                lifetime_secs: data.ra_lifetime_secs,
             },
         )?;
     }
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index ba9388a..406b6ed 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -314,16 +314,27 @@ impl Device {
         })
         .await?;
         if is_default_via {
-            let (gw_ip, gw_v6, gw_ll_v6, provisioning) = {
+            let (gw_ip, gw_v6, gw_ll_v6, provisioning, ra_default_enabled) = {
                 let inner = self.lab.core.lock().unwrap();
                 let gw_ip = inner.router_downlink_gw_for_switch(uplink)?;
                 let (gw_v6, gw_ll_v6) = inner.router_downlink_gw6_for_switch(uplink)?;
-                (gw_ip, gw_v6, gw_ll_v6, self.lab.ipv6_provisioning_mode)
+                let ra_default_enabled = inner.ra_default_enabled_for_switch(uplink)?;
+                (
+                    gw_ip,
+                    gw_v6,
+                    gw_ll_v6,
+                    self.lab.ipv6_provisioning_mode,
+                    ra_default_enabled,
+                )
             };
             core::nl_run(&self.lab.netns, &ns, move |nl: Netlink| async move {
                 nl.replace_default_route_v4(&ifname_owned, gw_ip).await?;
                 let primary_v6 = if provisioning == Ipv6ProvisioningMode::RaDriven {
-                    gw_ll_v6.or(gw_v6)
+                    if ra_default_enabled {
+                        gw_ll_v6.or(gw_v6)
+                    } else {
+                        None
+                    }
                 } else {
                     gw_v6.or(gw_ll_v6)
                 };
@@ -361,7 +372,7 @@ impl Device {
             .with_device(self.id, |d| Arc::clone(&d.op))
             .ok_or_else(|| anyhow!("device removed"))?;
         let _guard = op.lock().await;
-        let (ns, impair, gw_ip, gw_v6, gw_ll_v6, provisioning) = {
+        let (ns, impair, gw_ip, gw_v6, gw_ll_v6, provisioning, ra_default_enabled) = {
             let inner = self.lab.core.lock().unwrap();
             let dev = inner
                 .device(self.id)
@@ -371,6 +382,7 @@ impl Device {
                 .ok_or_else(|| anyhow!("interface '{}' not found", to))?;
             let gw_ip = inner.router_downlink_gw_for_switch(iface.uplink)?;
             let (gw_v6, gw_ll_v6) = inner.router_downlink_gw6_for_switch(iface.uplink)?;
+            let ra_default_enabled = inner.ra_default_enabled_for_switch(iface.uplink)?;
             (
                 dev.ns.clone(),
                 iface.impair,
@@ -378,13 +390,18 @@ impl Device {
                 gw_v6,
                 gw_ll_v6,
                 self.lab.ipv6_provisioning_mode,
+                ra_default_enabled,
             )
         };
         let to_owned = to.to_string();
         core::nl_run(&self.lab.netns, &ns, move |nl: Netlink| async move {
             nl.replace_default_route_v4(&to_owned, gw_ip).await?;
             let primary_v6 = if provisioning == Ipv6ProvisioningMode::RaDriven {
-                gw_ll_v6.or(gw_v6)
+                if ra_default_enabled {
+                    gw_ll_v6.or(gw_v6)
+                } else {
+                    None
+                }
             } else {
                 gw_v6.or(gw_ll_v6)
             };
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 084a7d6..78b94b5 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -869,7 +869,7 @@ impl Lab {
             });
             let ra_enabled = router.cfg.ra_enabled;
             let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
-            let ra_lifetime_secs = router.cfg.ra_lifetime_secs.max(1);
+            let ra_lifetime_secs = router.cfg.ra_lifetime_secs;
 
             let setup_data = RouterSetupData {
                 router,
@@ -1751,10 +1751,12 @@ impl RouterBuilder {
         self
     }
 
-    /// Sets Router Advertisement lifetime in seconds, clamped to at least 1 second.
+    /// Sets Router Advertisement lifetime in seconds.
+    ///
+    /// A value of `0` advertises default-router withdrawal semantics.
     pub fn ra_lifetime_secs(mut self, secs: u64) -> Self {
         if self.result.is_ok() {
-            self.ra_lifetime_secs = secs.max(1);
+            self.ra_lifetime_secs = secs;
         }
         self
     }
@@ -1798,7 +1800,7 @@ impl RouterBuilder {
                 r.cfg.firewall = self.firewall.clone();
                 r.cfg.ra_enabled = self.ra_enabled;
                 r.cfg.ra_interval_secs = self.ra_interval_secs.max(1);
-                r.cfg.ra_lifetime_secs = self.ra_lifetime_secs.max(1);
+                r.cfg.ra_lifetime_secs = self.ra_lifetime_secs;
             }
             let has_v4 = self.ip_support.has_v4();
             let has_v6 = self.ip_support.has_v6();
@@ -1990,7 +1992,7 @@ impl RouterBuilder {
             let has_v6 = router.cfg.ip_support.has_v6();
             let ra_enabled = router.cfg.ra_enabled;
             let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
-            let ra_lifetime_secs = router.cfg.ra_lifetime_secs.max(1);
+            let ra_lifetime_secs = router.cfg.ra_lifetime_secs;
             let setup_data = RouterSetupData {
                 router,
                 root_ns: cfg.root_ns.clone(),
@@ -2189,6 +2191,17 @@ impl DeviceBuilder {
                     } else {
                         sw.gw_v6
                     };
+                let gw_ll_v6 = inner.router(gw_router).and_then(|r| {
+                    if self.inner.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+                        if r.cfg.ra_enabled && r.cfg.ra_lifetime_secs > 0 {
+                            r.downstream_ll_v6
+                        } else {
+                            None
+                        }
+                    } else {
+                        r.downstream_ll_v6
+                    }
+                });
                 iface_data.push(IfaceBuild {
                     dev_ns: dev.ns.clone(),
                     gw_ns,
@@ -2198,7 +2211,7 @@ impl DeviceBuilder {
                     prefix_len: sw.cidr.map(|c| c.prefix_len()).unwrap_or(24),
                     gw_ip_v6,
                     dev_ip_v6: iface.ip_v6,
-                    gw_ll_v6: inner.router(gw_router).and_then(|r| r.downstream_ll_v6),
+                    gw_ll_v6,
                     dev_ll_v6: iface.ll_v6,
                     prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
                     impair: iface.impair,
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index d131211..91be901 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -383,15 +383,99 @@ async fn ra_source_is_link_local() -> Result<()> {
 
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
-#[ignore = "RA/RS provisioning engine follow-up"]
 async fn host_learns_default_router_from_ra_link_local() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(1)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let route = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route.contains("via fe80:"),
+        "expected RA-driven default via LL router, got: {route:?}"
+    );
+    assert!(
+        route.contains("dev eth0"),
+        "expected RA-driven default on eth0, got: {route:?}"
+    );
     Ok(())
 }
 
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
-#[ignore = "RA/RS provisioning engine follow-up"]
 async fn router_lifetime_zero_withdraws_default_router() -> Result<()> {
+    check_caps()?;
+
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_nanos();
+    let outdir = std::env::temp_dir().join(format!("patchbay-ra-lifetime-zero-{unique}"));
+    fs::create_dir_all(&outdir)?;
+    std::env::set_var("PATCHBAY_LOG", "trace");
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ra-lifetime-zero")
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(1)
+        .ra_lifetime_secs(0)
+        .build()
+        .await?;
+    let dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let route = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route.trim().is_empty(),
+        "expected no default v6 route when RA lifetime is zero, got: {route:?}"
+    );
+
+    let events = r
+        .filepath("events.jsonl")
+        .context("missing router events path")?;
+    let has_lifetime_zero =
+        wait_for_file_contains(&events, "\"lifetime_secs\":0", Duration::from_secs(3)).await?;
+    assert!(
+        has_lifetime_zero,
+        "expected RouterAdvertisement event with zero lifetime"
+    );
     Ok(())
 }
 
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index ed14b22..226d6a7 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -397,12 +397,17 @@ Implemented in `patchbay/src/tests/ipv6_ll.rs` so far:
 - `radriven_default_route_uses_scoped_ll_and_switches_iface`
 - `radriven_link_up_restores_scoped_ll_default_route`
 - `radriven_ra_worker_respects_router_enable_flag`
+- `ra_source_is_link_local`
+- `host_learns_default_router_from_ra_link_local`
+- `router_lifetime_zero_withdraws_default_router`
 
 Implemented control-plane scaffolding so far:
 
 - Router-level RA controls: `ra_enabled(bool)` and `ra_interval_secs(u64)`.
-- TOML support for router RA controls: `ra_enabled`, `ra_interval_secs`.
+- Router-level RA lifetime control: `ra_lifetime_secs(u64)`, including zero-lifetime withdrawal semantics for RA-driven default routing.
+- TOML support for router RA controls: `ra_enabled`, `ra_interval_secs`, `ra_lifetime_secs`.
 - RA worker now honors per-router enable flag and configured interval.
+- RA worker emits `RouterAdvertisement` events with `src`, `interval_secs`, and `lifetime_secs`.
 
 Validation commands before completion:
 

From 6d96fa2e65fc89d81eef812782584e1a8e93315e Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 23:50:41 +0100
Subject: [PATCH 08/26] feat: emit rs tracing events in radriven control path

---
 patchbay/src/core.rs          | 36 +++++++++++++++++++++++++++++++++++
 patchbay/src/handles.rs       | 34 +++++++++++++++++++++++++++++++++
 patchbay/src/tests/ipv6_ll.rs | 11 +++++++++++
 plans/ipv6-linklocal.md       |  1 +
 4 files changed, 82 insertions(+)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index ffe05a3..28f4427 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -2492,6 +2492,16 @@ pub(crate) async fn setup_device_async(
     match provisioning_mode {
         Ipv6ProvisioningMode::Static | Ipv6ProvisioningMode::RaDriven => {}
     }
+    let rs_ifaces: Vec<(Arc<str>, Option<Ipv6Addr>)> =
+        if provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+            ifaces
+                .iter()
+                .filter(|iface| iface.is_default && iface.dev_ip_v6.is_some())
+                .map(|iface| (iface.ifname.clone(), iface.gw_ll_v6))
+                .collect()
+        } else {
+            Vec::new()
+        };
     debug!(name = %dev.name, ns = %dev.ns, "device: setup");
     let log_prefix = format!("{}.{}", crate::consts::KIND_DEVICE, dev.name);
     create_named_netns(netns, &dev.ns, dns_overlay, Some(log_prefix), dad_mode)?;
@@ -2500,6 +2510,32 @@ pub(crate) async fn setup_device_async(
         wire_iface_async(netns, prefix, root_ns, iface).await?;
     }
 
+    for (ifname, router_ll) in rs_ifaces {
+        match router_ll {
+            Some(router_ll) => {
+                tracing::info!(
+                    target: "patchbay::_events::RouterSolicitation",
+                    ns = %dev.ns,
+                    device = %dev.name,
+                    iface = %ifname,
+                    dst = "ff02::2",
+                    router_ll = %router_ll,
+                    "router solicitation"
+                );
+            }
+            None => {
+                tracing::info!(
+                    target: "patchbay::_events::RouterSolicitation",
+                    ns = %dev.ns,
+                    device = %dev.name,
+                    iface = %ifname,
+                    dst = "ff02::2",
+                    "router solicitation"
+                );
+            }
+        }
+    }
+
     // Apply MTU on all device interfaces if configured.
     if let Some(mtu) = dev.mtu {
         let dev_ns = dev.ns.clone();
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 406b6ed..fe10904 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -38,6 +38,32 @@ use crate::{
     netlink::Netlink,
 };
 
+fn emit_router_solicitation(ns: &str, device: &str, iface: &str, router_ll: Option<Ipv6Addr>) {
+    match router_ll {
+        Some(router_ll) => {
+            tracing::info!(
+                target: "patchbay::_events::RouterSolicitation",
+                ns = %ns,
+                device = %device,
+                iface = %iface,
+                dst = "ff02::2",
+                router_ll = %router_ll,
+                "router solicitation"
+            );
+        }
+        None => {
+            tracing::info!(
+                target: "patchbay::_events::RouterSolicitation",
+                ns = %ns,
+                device = %device,
+                iface = %iface,
+                dst = "ff02::2",
+                "router solicitation"
+            );
+        }
+    }
+}
+
 // ─────────────────────────────────────────────
 // Device / Router / DeviceIface handles
 // ─────────────────────────────────────────────
@@ -349,6 +375,10 @@ impl Device {
                 Ok(())
             })
             .await?;
+            if provisioning == Ipv6ProvisioningMode::RaDriven {
+                let rs_router_ll = if ra_default_enabled { gw_ll_v6 } else { None };
+                emit_router_solicitation(&ns, &self.name, ifname, rs_router_ll);
+            }
         }
         self.lab.emit(LabEventKind::LinkUp {
             device: self.name.to_string(),
@@ -415,6 +445,10 @@ impl Device {
             Ok(())
         })
         .await?;
+        if provisioning == Ipv6ProvisioningMode::RaDriven {
+            let rs_router_ll = if ra_default_enabled { gw_ll_v6 } else { None };
+            emit_router_solicitation(&ns, &self.name, to, rs_router_ll);
+        }
         apply_or_remove_impair(&self.lab.netns, &ns, to, impair).await;
         self.lab
             .core
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 91be901..1a0b76e 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -386,8 +386,18 @@ async fn ra_source_is_link_local() -> Result<()> {
 async fn host_learns_default_router_from_ra_link_local() -> Result<()> {
     check_caps()?;
 
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_nanos();
+    let outdir = std::env::temp_dir().join(format!("patchbay-rs-learn-{unique}"));
+    fs::create_dir_all(&outdir)?;
+    std::env::set_var("PATCHBAY_LOG", "trace");
+
     let lab = Lab::with_opts(
         LabOpts::default()
+            .outdir(&outdir)
+            .label("rs-learn")
             .ipv6_dad_mode(Ipv6DadMode::Disabled)
             .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
     )
@@ -419,6 +429,7 @@ async fn host_learns_default_router_from_ra_link_local() -> Result<()> {
         route.contains("dev eth0"),
         "expected RA-driven default on eth0, got: {route:?}"
     );
+
     Ok(())
 }
 
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 226d6a7..70cf177 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -408,6 +408,7 @@ Implemented control-plane scaffolding so far:
 - TOML support for router RA controls: `ra_enabled`, `ra_interval_secs`, `ra_lifetime_secs`.
 - RA worker now honors per-router enable flag and configured interval.
 - RA worker emits `RouterAdvertisement` events with `src`, `interval_secs`, and `lifetime_secs`.
+- RA-driven host control path emits `RouterSolicitation` tracing events on initial default-iface setup, link-up restore, and explicit default-route switches.
 
 Validation commands before completion:
 

From 1af73cd813d130f742312427fb593c6ae6c098c1 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Tue, 3 Mar 2026 23:59:42 +0100
Subject: [PATCH 09/26] feat: persist radriven router solicitation events to
 node logs

---
 patchbay/src/core.rs          | 52 ++++++++++++++----------
 patchbay/src/handles.rs       | 75 +++++++++++++++++++++++------------
 patchbay/src/tests/ipv6_ll.rs | 14 +++++++
 3 files changed, 94 insertions(+), 47 deletions(-)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 28f4427..ca24e95 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -2511,29 +2511,37 @@ pub(crate) async fn setup_device_async(
     }
 
     for (ifname, router_ll) in rs_ifaces {
-        match router_ll {
-            Some(router_ll) => {
-                tracing::info!(
-                    target: "patchbay::_events::RouterSolicitation",
-                    ns = %dev.ns,
-                    device = %dev.name,
-                    iface = %ifname,
-                    dst = "ff02::2",
-                    router_ll = %router_ll,
-                    "router solicitation"
-                );
-            }
-            None => {
-                tracing::info!(
-                    target: "patchbay::_events::RouterSolicitation",
-                    ns = %dev.ns,
-                    device = %dev.name,
-                    iface = %ifname,
-                    dst = "ff02::2",
-                    "router solicitation"
-                );
+        let ns = dev.ns.clone();
+        let ns_for_log = ns.clone();
+        let dev_name = dev.name.to_string();
+        let iface = ifname.to_string();
+        nl_run(netns, &ns, move |_h: Netlink| async move {
+            match router_ll {
+                Some(router_ll) => {
+                    tracing::info!(
+                        target: "patchbay::_events::RouterSolicitation",
+                        ns = %ns_for_log,
+                        device = %dev_name,
+                        iface = %iface,
+                        dst = "ff02::2",
+                        router_ll = %router_ll,
+                        "router solicitation"
+                    );
+                }
+                None => {
+                    tracing::info!(
+                        target: "patchbay::_events::RouterSolicitation",
+                        ns = %ns_for_log,
+                        device = %dev_name,
+                        iface = %iface,
+                        dst = "ff02::2",
+                        "router solicitation"
+                    );
+                }
             }
-        }
+            Ok(())
+        })
+        .await?;
     }
 
     // Apply MTU on all device interfaces if configured.
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index fe10904..1a18fba 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -38,30 +38,41 @@ use crate::{
     netlink::Netlink,
 };
 
-fn emit_router_solicitation(ns: &str, device: &str, iface: &str, router_ll: Option<Ipv6Addr>) {
-    match router_ll {
-        Some(router_ll) => {
-            tracing::info!(
-                target: "patchbay::_events::RouterSolicitation",
-                ns = %ns,
-                device = %device,
-                iface = %iface,
-                dst = "ff02::2",
-                router_ll = %router_ll,
-                "router solicitation"
-            );
-        }
-        None => {
-            tracing::info!(
-                target: "patchbay::_events::RouterSolicitation",
-                ns = %ns,
-                device = %device,
-                iface = %iface,
-                dst = "ff02::2",
-                "router solicitation"
-            );
+async fn emit_router_solicitation(
+    netns: &Arc<crate::netns::NetnsManager>,
+    ns: String,
+    device: String,
+    iface: String,
+    router_ll: Option<Ipv6Addr>,
+) -> Result<()> {
+    let ns_for_log = ns.clone();
+    core::nl_run(netns, &ns, move |_h: Netlink| async move {
+        match router_ll {
+            Some(router_ll) => {
+                tracing::info!(
+                    target: "patchbay::_events::RouterSolicitation",
+                    ns = %ns_for_log,
+                    device = %device,
+                    iface = %iface,
+                    dst = "ff02::2",
+                    router_ll = %router_ll,
+                    "router solicitation"
+                );
+            }
+            None => {
+                tracing::info!(
+                    target: "patchbay::_events::RouterSolicitation",
+                    ns = %ns_for_log,
+                    device = %device,
+                    iface = %iface,
+                    dst = "ff02::2",
+                    "router solicitation"
+                );
+            }
         }
-    }
+        Ok(())
+    })
+    .await
 }
 
 // ─────────────────────────────────────────────
@@ -377,7 +388,14 @@ impl Device {
             .await?;
             if provisioning == Ipv6ProvisioningMode::RaDriven {
                 let rs_router_ll = if ra_default_enabled { gw_ll_v6 } else { None };
-                emit_router_solicitation(&ns, &self.name, ifname, rs_router_ll);
+                emit_router_solicitation(
+                    &self.lab.netns,
+                    ns.to_string(),
+                    self.name.to_string(),
+                    ifname.to_string(),
+                    rs_router_ll,
+                )
+                .await?;
             }
         }
         self.lab.emit(LabEventKind::LinkUp {
@@ -447,7 +465,14 @@ impl Device {
         .await?;
         if provisioning == Ipv6ProvisioningMode::RaDriven {
             let rs_router_ll = if ra_default_enabled { gw_ll_v6 } else { None };
-            emit_router_solicitation(&ns, &self.name, to, rs_router_ll);
+            emit_router_solicitation(
+                &self.lab.netns,
+                ns.to_string(),
+                self.name.to_string(),
+                to.to_string(),
+                rs_router_ll,
+            )
+            .await?;
         }
         apply_or_remove_impair(&self.lab.netns, &ns, to, impair).await;
         self.lab
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 1a0b76e..d1f679b 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -430,6 +430,20 @@ async fn host_learns_default_router_from_ra_link_local() -> Result<()> {
         "expected RA-driven default on eth0, got: {route:?}"
     );
 
+    let dev_events = dev
+        .filepath("events.jsonl")
+        .context("missing device events path")?;
+    let has_rs = wait_for_file_contains(
+        &dev_events,
+        "\"kind\":\"RouterSolicitation\"",
+        Duration::from_secs(3),
+    )
+    .await?;
+    assert!(
+        has_rs,
+        "expected RouterSolicitation event in device events log"
+    );
+
     Ok(())
 }
 

From 48ae37c48441e0763459671684de35f2b80048fb Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 09:16:52 +0100
Subject: [PATCH 10/26] test: cover local v6 routing without default router in
 radriven mode

---
 patchbay/src/tests/ipv6_ll.rs | 70 ++++++++++++++++++++++++++++++++++-
 1 file changed, 69 insertions(+), 1 deletion(-)

diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index d1f679b..1623ae9 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -506,7 +506,75 @@ async fn router_lifetime_zero_withdraws_default_router() -> Result<()> {
 
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
-#[ignore = "RA/RS provisioning engine follow-up"]
 async fn rio_local_routes_without_default_router() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_lifetime_secs(0)
+        .build()
+        .await?;
+    let d1 = lab.add_device("d1").uplink(r.id()).build().await?;
+    let d2 = lab.add_device("d2").uplink(r.id()).build().await?;
+
+    let route_default = d1.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route_default.trim().is_empty(),
+        "expected no default v6 route when lifetime is zero, got: {route_default:?}"
+    );
+
+    let pfx = d1.ip6().context("missing d1 v6 address")?.segments();
+    let subnet = format!("{:x}:{:x}:{:x}:{:x}::/64", pfx[0], pfx[1], pfx[2], pfx[3]);
+    let local_route = d1.run_sync({
+        let subnet = subnet.clone();
+        move || {
+            let out = std::process::Command::new("ip")
+                .args(["-6", "route", "show", &subnet])
+                .output()?;
+            if !out.status.success() {
+                anyhow::bail!(
+                    "ip -6 route show {} failed with status {}",
+                    subnet,
+                    out.status
+                );
+            }
+            Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+        }
+    })?;
+    assert!(
+        local_route.contains("dev eth0"),
+        "expected local /64 route on eth0, got: {local_route:?}"
+    );
+
+    let d2_v6 = d2.ip6().context("missing d2 v6 address")?;
+    let route_get = d1.run_sync(move || {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "get", &d2_v6.to_string()])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route get failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route_get.contains("dev eth0"),
+        "expected local route lookup on eth0, got: {route_get:?}"
+    );
     Ok(())
 }

From 22e8b4cb1ded18df280dbda9d65ed0d2e3b98e74 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 11:31:03 +0100
Subject: [PATCH 11/26] feat: add runtime router RA controls for radriven route
 refresh

---
 patchbay/src/handles.rs       |  69 +++++++++++++++++++++
 patchbay/src/tests/ipv6_ll.rs | 110 ++++++++++++++++++++++++++++++++++
 2 files changed, 179 insertions(+)

diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 1a18fba..a7d169f 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -1120,8 +1120,77 @@ impl Router {
         self.lab.with_router(self.id, |r| r.cfg.nat_v6)
     }
 
+    /// Returns whether RA emission is enabled for this router, if present.
+    pub fn ra_enabled(&self) -> Option<bool> {
+        self.lab.with_router(self.id, |r| r.cfg.ra_enabled)
+    }
+
+    /// Returns RA emission interval in seconds for this router, if present.
+    pub fn ra_interval_secs(&self) -> Option<u64> {
+        self.lab.with_router(self.id, |r| r.cfg.ra_interval_secs)
+    }
+
+    /// Returns RA lifetime in seconds for this router, if present.
+    pub fn ra_lifetime_secs(&self) -> Option<u64> {
+        self.lab.with_router(self.id, |r| r.cfg.ra_lifetime_secs)
+    }
+
     // ── Dynamic operations ──────────────────────────────────────────────
 
+    /// Updates the RA enabled flag at runtime.
+    ///
+    /// This affects subsequent RA-driven route refresh operations and any
+    /// future device wiring. Existing RA worker task lifecycle is not changed.
+    pub async fn set_ra_enabled(&self, enabled: bool) -> Result<()> {
+        let op = self
+            .lab
+            .with_router(self.id, |r| Arc::clone(&r.op))
+            .ok_or_else(|| anyhow!("router removed"))?;
+        let _guard = op.lock().await;
+        let mut inner = self.lab.core.lock().unwrap();
+        let router = inner
+            .router_mut(self.id)
+            .ok_or_else(|| anyhow!("router removed"))?;
+        router.cfg.ra_enabled = enabled;
+        Ok(())
+    }
+
+    /// Updates RA interval in seconds at runtime.
+    ///
+    /// Value is clamped to at least one second.
+    /// Existing RA worker task lifecycle is not changed.
+    pub async fn set_ra_interval_secs(&self, secs: u64) -> Result<()> {
+        let op = self
+            .lab
+            .with_router(self.id, |r| Arc::clone(&r.op))
+            .ok_or_else(|| anyhow!("router removed"))?;
+        let _guard = op.lock().await;
+        let mut inner = self.lab.core.lock().unwrap();
+        let router = inner
+            .router_mut(self.id)
+            .ok_or_else(|| anyhow!("router removed"))?;
+        router.cfg.ra_interval_secs = secs.max(1);
+        Ok(())
+    }
+
+    /// Updates RA lifetime in seconds at runtime.
+    ///
+    /// A value of `0` represents default-router withdrawal semantics.
+    /// Existing RA worker task lifecycle is not changed.
+    pub async fn set_ra_lifetime_secs(&self, secs: u64) -> Result<()> {
+        let op = self
+            .lab
+            .with_router(self.id, |r| Arc::clone(&r.op))
+            .ok_or_else(|| anyhow!("router removed"))?;
+        let _guard = op.lock().await;
+        let mut inner = self.lab.core.lock().unwrap();
+        let router = inner
+            .router_mut(self.id)
+            .ok_or_else(|| anyhow!("router removed"))?;
+        router.cfg.ra_lifetime_secs = secs;
+        Ok(())
+    }
+
     /// Replaces NAT rules on this router at runtime.
     ///
     /// Flushes the `ip nat` and `ip filter` nftables tables, then re-applies
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 1623ae9..c3a31de 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -578,3 +578,113 @@ async fn rio_local_routes_without_default_router() -> Result<()> {
     );
     Ok(())
 }
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_runtime_ra_disable_removes_default_route_on_refresh() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let before = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        before.contains("via fe80:"),
+        "expected initial LL default route"
+    );
+
+    r.set_ra_enabled(false).await?;
+    assert_eq!(r.ra_enabled(), Some(false));
+    dev.link_down("eth0").await?;
+    dev.link_up("eth0").await?;
+
+    let after = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        after.trim().is_empty(),
+        "expected no v6 default route after runtime RA disable, got: {after:?}"
+    );
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_runtime_ra_lifetime_zero_removes_default_route_on_refresh() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let before = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        before.contains("via fe80:"),
+        "expected initial LL default route"
+    );
+
+    r.set_ra_lifetime_secs(0).await?;
+    assert_eq!(r.ra_lifetime_secs(), Some(0));
+    dev.link_down("eth0").await?;
+    dev.link_up("eth0").await?;
+
+    let after = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        after.trim().is_empty(),
+        "expected no v6 default route after runtime lifetime=0, got: {after:?}"
+    );
+    Ok(())
+}

From 988d3d016b5f983d12e3e39b241f829ddfc1beb7 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 11:45:49 +0100
Subject: [PATCH 12/26] feat: reconcile radriven v6 default routes on runtime
 RA changes

---
 patchbay/src/core.rs          |  30 ++++++++
 patchbay/src/handles.rs       |  72 +++++++++++++++---
 patchbay/src/netlink.rs       |  15 ++++
 patchbay/src/tests/ipv6_ll.rs | 135 ++++++++++++++++++++++++++++++++++
 4 files changed, 242 insertions(+), 10 deletions(-)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index ca24e95..9c0587a 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -130,6 +130,11 @@ pub(crate) struct ReplugIfaceSetup {
     pub root_ns: Arc<str>,
 }
 
+pub(crate) struct DeviceDefaultV6RouteTarget {
+    pub ns: Arc<str>,
+    pub ifname: Arc<str>,
+}
+
 /// One network interface on a device, connected to a router's downstream switch.
 #[derive(Clone, Debug)]
 pub(crate) struct DeviceIfaceData {
@@ -1067,6 +1072,31 @@ impl NetworkCore {
         Ok((switch.gw_v6, ll))
     }
 
+    pub(crate) fn router_default_v6_targets(
+        &self,
+        router: NodeId,
+    ) -> Result<Vec<DeviceDefaultV6RouteTarget>> {
+        let downlink = self
+            .router(router)
+            .ok_or_else(|| anyhow!("router removed"))?
+            .downlink
+            .ok_or_else(|| anyhow!("router has no downlink"))?;
+
+        let mut out = Vec::new();
+        for dev in self.devices.values() {
+            let Some(iface) = dev.iface(&dev.default_via) else {
+                continue;
+            };
+            if iface.uplink == downlink && iface.ip_v6.is_some() {
+                out.push(DeviceDefaultV6RouteTarget {
+                    ns: dev.ns.clone(),
+                    ifname: iface.ifname.clone(),
+                });
+            }
+        }
+        Ok(out)
+    }
+
     /// Returns whether RA-driven default-route learning is active for this switch.
     pub(crate) fn ra_default_enabled_for_switch(&self, sw: NodeId) -> Result<bool> {
         let switch = self
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index a7d169f..15edb31 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -75,6 +75,30 @@ async fn emit_router_solicitation(
     .await
 }
 
+async fn reconcile_radriven_default_v6_routes(
+    lab: &Arc<LabInner>,
+    router: NodeId,
+    install_ll: Option<Ipv6Addr>,
+) -> Result<()> {
+    let targets = {
+        let inner = lab.core.lock().unwrap();
+        inner.router_default_v6_targets(router)?
+    };
+    for t in targets {
+        let ifname = t.ifname.to_string();
+        core::nl_run(&lab.netns, &t.ns, move |nl: Netlink| async move {
+            if let Some(ll) = install_ll {
+                nl.replace_default_route_v6_scoped(&ifname, ll).await?;
+            } else {
+                nl.clear_default_route_v6().await?;
+            }
+            Ok(())
+        })
+        .await?;
+    }
+    Ok(())
+}
+
 // ─────────────────────────────────────────────
 // Device / Router / DeviceIface handles
 // ─────────────────────────────────────────────
@@ -1147,11 +1171,25 @@ impl Router {
             .with_router(self.id, |r| Arc::clone(&r.op))
             .ok_or_else(|| anyhow!("router removed"))?;
         let _guard = op.lock().await;
-        let mut inner = self.lab.core.lock().unwrap();
-        let router = inner
-            .router_mut(self.id)
-            .ok_or_else(|| anyhow!("router removed"))?;
-        router.cfg.ra_enabled = enabled;
+        let install_ll = {
+            let mut inner = self.lab.core.lock().unwrap();
+            let router = inner
+                .router_mut(self.id)
+                .ok_or_else(|| anyhow!("router removed"))?;
+            router.cfg.ra_enabled = enabled;
+            let ll = router.downstream_ll_v6;
+            if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven
+                && router.cfg.ra_enabled
+                && router.cfg.ra_lifetime_secs > 0
+            {
+                ll
+            } else {
+                None
+            }
+        };
+        if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+            reconcile_radriven_default_v6_routes(&self.lab, self.id, install_ll).await?;
+        }
         Ok(())
     }
 
@@ -1183,11 +1221,25 @@ impl Router {
             .with_router(self.id, |r| Arc::clone(&r.op))
             .ok_or_else(|| anyhow!("router removed"))?;
         let _guard = op.lock().await;
-        let mut inner = self.lab.core.lock().unwrap();
-        let router = inner
-            .router_mut(self.id)
-            .ok_or_else(|| anyhow!("router removed"))?;
-        router.cfg.ra_lifetime_secs = secs;
+        let install_ll = {
+            let mut inner = self.lab.core.lock().unwrap();
+            let router = inner
+                .router_mut(self.id)
+                .ok_or_else(|| anyhow!("router removed"))?;
+            router.cfg.ra_lifetime_secs = secs;
+            let ll = router.downstream_ll_v6;
+            if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven
+                && router.cfg.ra_enabled
+                && router.cfg.ra_lifetime_secs > 0
+            {
+                ll
+            } else {
+                None
+            }
+        };
+        if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+            reconcile_radriven_default_v6_routes(&self.lab, self.id, install_ll).await?;
+        }
         Ok(())
     }
 
diff --git a/patchbay/src/netlink.rs b/patchbay/src/netlink.rs
index 46f5909..038f477 100644
--- a/patchbay/src/netlink.rs
+++ b/patchbay/src/netlink.rs
@@ -342,6 +342,21 @@ impl Netlink {
         Ok(())
     }
 
+    pub(crate) async fn clear_default_route_v6(&self) -> Result<()> {
+        trace!("clear default route v6");
+        let mut routes = self
+            .handle
+            .route()
+            .get(RouteMessageBuilder::<Ipv6Addr>::new().build())
+            .execute();
+        while let Some(route) = routes.try_next().await? {
+            if route.header.destination_prefix_length == 0 {
+                let _ = self.handle.route().del(route).execute().await;
+            }
+        }
+        Ok(())
+    }
+
     pub(crate) async fn add_route_v6(
         &self,
         dst: Ipv6Addr,
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index c3a31de..9dcc999 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -688,3 +688,138 @@ async fn radriven_runtime_ra_lifetime_zero_removes_default_route_on_refresh() ->
     );
     Ok(())
 }
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_runtime_ra_disable_updates_default_route_immediately() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let before = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        before.contains("via fe80:"),
+        "expected initial LL default route"
+    );
+
+    r.set_ra_enabled(false).await?;
+
+    let after_disable = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        after_disable.trim().is_empty(),
+        "expected no v6 default route after runtime RA disable, got: {after_disable:?}"
+    );
+
+    r.set_ra_enabled(true).await?;
+    let after_enable = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        after_enable.contains("via fe80:"),
+        "expected LL default route restored after runtime RA enable, got: {after_enable:?}"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_runtime_ra_lifetime_updates_default_route_immediately() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let before = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        before.contains("via fe80:"),
+        "expected initial LL default route"
+    );
+
+    r.set_ra_lifetime_secs(0).await?;
+    let after_zero = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        after_zero.trim().is_empty(),
+        "expected no v6 default route after runtime lifetime=0, got: {after_zero:?}"
+    );
+
+    r.set_ra_lifetime_secs(120).await?;
+    let after_restore = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        after_restore.contains("via fe80:"),
+        "expected LL default route restored after runtime lifetime>0, got: {after_restore:?}"
+    );
+
+    Ok(())
+}

From 878350bfc658d2b9d433f8e0288f66368c9d2ed4 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 11:54:30 +0100
Subject: [PATCH 13/26] feat: make ra worker react to runtime config updates

---
 patchbay/src/core.rs          | 107 +++++++++++++++++++++++++++++-----
 patchbay/src/handles.rs       |   3 +
 patchbay/src/lab.rs           |   3 +
 patchbay/src/tests/ipv6_ll.rs |  53 +++++++++++++++++
 4 files changed, 152 insertions(+), 14 deletions(-)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 9c0587a..ae12b81 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -2,7 +2,10 @@ use std::{
     collections::HashMap,
     net::{IpAddr, Ipv4Addr, Ipv6Addr},
     path::PathBuf,
-    sync::{atomic::AtomicU64, Arc},
+    sync::{
+        atomic::{AtomicBool, AtomicU64, Ordering},
+        Arc,
+    },
 };
 
 use anyhow::{anyhow, bail, Context, Result};
@@ -230,10 +233,58 @@ pub(crate) struct RouterData {
     pub downstream_gw_v6: Option<Ipv6Addr>,
     /// Downstream bridge IPv6 link-local address.
     pub downstream_ll_v6: Option<Ipv6Addr>,
+    /// Runtime RA settings consumed by the RA worker.
+    pub ra_runtime: Arc<RaRuntimeCfg>,
     /// Per-router operation lock — serializes multi-step mutations.
     pub op: Arc<tokio::sync::Mutex<()>>,
 }
 
+#[derive(Debug)]
+pub(crate) struct RaRuntimeCfg {
+    enabled: AtomicBool,
+    interval_secs: AtomicU64,
+    lifetime_secs: AtomicU64,
+    changed: tokio::sync::Notify,
+}
+
+impl RaRuntimeCfg {
+    pub(crate) fn new(enabled: bool, interval_secs: u64, lifetime_secs: u64) -> Self {
+        Self {
+            enabled: AtomicBool::new(enabled),
+            interval_secs: AtomicU64::new(interval_secs.max(1)),
+            lifetime_secs: AtomicU64::new(lifetime_secs),
+            changed: tokio::sync::Notify::new(),
+        }
+    }
+
+    pub(crate) fn load(&self) -> (bool, u64, u64) {
+        (
+            self.enabled.load(Ordering::Relaxed),
+            self.interval_secs.load(Ordering::Relaxed).max(1),
+            self.lifetime_secs.load(Ordering::Relaxed),
+        )
+    }
+
+    pub(crate) fn set_enabled(&self, enabled: bool) {
+        self.enabled.store(enabled, Ordering::Relaxed);
+        self.changed.notify_waiters();
+    }
+
+    pub(crate) fn set_interval_secs(&self, secs: u64) {
+        self.interval_secs.store(secs.max(1), Ordering::Relaxed);
+        self.changed.notify_waiters();
+    }
+
+    pub(crate) fn set_lifetime_secs(&self, secs: u64) {
+        self.lifetime_secs.store(secs, Ordering::Relaxed);
+        self.changed.notify_waiters();
+    }
+
+    pub(crate) fn notified(&self) -> tokio::sync::futures::Notified<'_> {
+        self.changed.notified()
+    }
+}
+
 impl RouterData {
     /// Returns the WAN interface name: `"ix"` for IX-connected routers, `"wan"` for sub-routers.
     pub(crate) fn wan_ifname(&self, ix_sw: NodeId) -> &'static str {
@@ -772,6 +823,7 @@ impl NetworkCore {
                 downstream_cidr_v6: None,
                 downstream_gw_v6: None,
                 downstream_ll_v6: None,
+                ra_runtime: Arc::new(RaRuntimeCfg::new(true, 30, 1800)),
                 op: Arc::new(tokio::sync::Mutex::new(())),
             },
         );
@@ -2269,11 +2321,12 @@ pub(crate) async fn setup_router_async(
             &router.ns,
             data.cancel.clone(),
             RaWorkerCfg {
+                ra_runtime: Arc::clone(&router.ra_runtime),
                 router_name: router.name.to_string(),
                 iface: router.downlink_bridge.to_string(),
                 src_ll: router.downstream_ll_v6,
-                interval_secs: data.ra_interval_secs.max(1),
-                lifetime_secs: data.ra_lifetime_secs,
+                initial_interval_secs: data.ra_interval_secs.max(1),
+                initial_lifetime_secs: data.ra_lifetime_secs,
             },
         )?;
     }
@@ -2290,8 +2343,9 @@ fn spawn_ra_worker(
     let rt = netns.rt_handle_for(ns)?;
     let ns = ns.to_string();
     rt.spawn(async move {
-        let interval = tokio::time::Duration::from_secs(cfg.interval_secs.max(1));
-        let emit_ra = || {
+        let load_runtime = || cfg.ra_runtime.load();
+
+        let emit_ra = |interval_secs: u64, lifetime_secs: u64| {
             if let Some(src) = cfg.src_ll {
                 tracing::info!(
                     target: "patchbay::_events::RouterAdvertisement",
@@ -2299,21 +2353,45 @@ fn spawn_ra_worker(
                     router = %cfg.router_name,
                     iface = %cfg.iface,
                     src = %src,
-                    lifetime_secs = cfg.lifetime_secs,
-                    interval_secs = cfg.interval_secs,
+                    lifetime_secs,
+                    interval_secs,
                     "router advertisement"
                 );
             } else {
-                tracing::warn!(ns = %ns, router = %cfg.router_name, "ra-worker: missing link-local source address");
+                tracing::warn!(
+                    ns = %ns,
+                    router = %cfg.router_name,
+                    "ra-worker: missing link-local source address"
+                );
             }
         };
-        emit_ra();
+
+        let (enabled, interval_secs, lifetime_secs) = load_runtime();
+        if enabled {
+            emit_ra(interval_secs, lifetime_secs);
+        } else {
+            emit_ra(cfg.initial_interval_secs, cfg.initial_lifetime_secs);
+        }
+
         loop {
+            let (_, interval_secs, _) = load_runtime();
+            let changed = cfg.ra_runtime.notified();
+            tokio::pin!(changed);
             tokio::select! {
                 _ = cancel.cancelled() => break,
-                _ = tokio::time::sleep(interval) => {
-                    tracing::trace!(ns = %ns, interval_secs = cfg.interval_secs, "ra-worker: tick");
-                    emit_ra();
+                _ = &mut changed => {
+                    tracing::trace!(ns = %ns, "ra-worker: runtime config changed");
+                    let (enabled, interval_secs, lifetime_secs) = load_runtime();
+                    if enabled {
+                        emit_ra(interval_secs, lifetime_secs);
+                    }
+                }
+                _ = tokio::time::sleep(tokio::time::Duration::from_secs(interval_secs.max(1))) => {
+                    tracing::trace!(ns = %ns, interval_secs, "ra-worker: tick");
+                    let (enabled, interval_secs, lifetime_secs) = load_runtime();
+                    if enabled {
+                        emit_ra(interval_secs, lifetime_secs);
+                    }
                 }
             }
         }
@@ -2323,11 +2401,12 @@ fn spawn_ra_worker(
 }
 
 struct RaWorkerCfg {
+    ra_runtime: Arc<RaRuntimeCfg>,
     router_name: String,
     iface: String,
     src_ll: Option<Ipv6Addr>,
-    interval_secs: u64,
-    lifetime_secs: u64,
+    initial_interval_secs: u64,
+    initial_lifetime_secs: u64,
 }
 
 /// Sets up NAT64 in the router namespace:
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 15edb31..2b1e1b8 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -1177,6 +1177,7 @@ impl Router {
                 .router_mut(self.id)
                 .ok_or_else(|| anyhow!("router removed"))?;
             router.cfg.ra_enabled = enabled;
+            router.ra_runtime.set_enabled(enabled);
             let ll = router.downstream_ll_v6;
             if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven
                 && router.cfg.ra_enabled
@@ -1208,6 +1209,7 @@ impl Router {
             .router_mut(self.id)
             .ok_or_else(|| anyhow!("router removed"))?;
         router.cfg.ra_interval_secs = secs.max(1);
+        router.ra_runtime.set_interval_secs(secs);
         Ok(())
     }
 
@@ -1227,6 +1229,7 @@ impl Router {
                 .router_mut(self.id)
                 .ok_or_else(|| anyhow!("router removed"))?;
             router.cfg.ra_lifetime_secs = secs;
+            router.ra_runtime.set_lifetime_secs(secs);
             let ll = router.downstream_ll_v6;
             if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven
                 && router.cfg.ra_enabled
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 78b94b5..5f0a5b9 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -1801,6 +1801,9 @@ impl RouterBuilder {
                 r.cfg.ra_enabled = self.ra_enabled;
                 r.cfg.ra_interval_secs = self.ra_interval_secs.max(1);
                 r.cfg.ra_lifetime_secs = self.ra_lifetime_secs;
+                r.ra_runtime.set_enabled(self.ra_enabled);
+                r.ra_runtime.set_interval_secs(self.ra_interval_secs);
+                r.ra_runtime.set_lifetime_secs(self.ra_lifetime_secs);
             }
             let has_v4 = self.ip_support.has_v4();
             let has_v6 = self.ip_support.has_v6();
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 9dcc999..981113a 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -823,3 +823,56 @@ async fn radriven_runtime_ra_lifetime_updates_default_route_immediately() -> Res
 
     Ok(())
 }
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_ra_worker_reflects_runtime_interval_and_lifetime() -> Result<()> {
+    check_caps()?;
+
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_nanos();
+    let outdir = std::env::temp_dir().join(format!("patchbay-ra-runtime-{unique}"));
+    fs::create_dir_all(&outdir)?;
+    std::env::set_var("PATCHBAY_LOG", "trace");
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ra-runtime-cfg")
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(5)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let _d = lab.add_device("d").uplink(r.id()).build().await?;
+
+    r.set_ra_interval_secs(1).await?;
+    r.set_ra_lifetime_secs(33).await?;
+
+    let events = r
+        .filepath("events.jsonl")
+        .context("missing router events path")?;
+    let has_interval =
+        wait_for_file_contains(&events, "\"interval_secs\":1", Duration::from_secs(4)).await?;
+    assert!(
+        has_interval,
+        "expected RouterAdvertisement with interval_secs=1"
+    );
+    let has_lifetime =
+        wait_for_file_contains(&events, "\"lifetime_secs\":33", Duration::from_secs(4)).await?;
+    assert!(
+        has_lifetime,
+        "expected RouterAdvertisement with lifetime_secs=33"
+    );
+
+    Ok(())
+}

From ae33db3593f7fa31a31c13651a8366961f6adbe7 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 11:58:21 +0100
Subject: [PATCH 14/26] test: cover ra worker shutdown on router removal

---
 patchbay/src/tests/ipv6_ll.rs | 64 +++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 981113a..2646d97 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -876,3 +876,67 @@ async fn radriven_ra_worker_reflects_runtime_interval_and_lifetime() -> Result<(
 
     Ok(())
 }
+
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn radriven_ra_worker_stops_when_router_namespace_is_removed() -> Result<()> {
+    check_caps()?;
+
+    let unique = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_nanos();
+    let outdir = std::env::temp_dir().join(format!("patchbay-ra-lifecycle-{unique}"));
+    fs::create_dir_all(&outdir)?;
+    std::env::set_var("PATCHBAY_LOG", "trace");
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ra-lifecycle")
+            .ipv6_dad_mode(Ipv6DadMode::Disabled)
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(1)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+    let d = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let events_path = r
+        .filepath("events.jsonl")
+        .context("missing router events path")?;
+    let saw_ra = wait_for_file_contains(
+        &events_path,
+        "\"kind\":\"RouterAdvertisement\"",
+        Duration::from_secs(3),
+    )
+    .await?;
+    assert!(
+        saw_ra,
+        "expected RouterAdvertisement log before router removal"
+    );
+    tokio::time::sleep(Duration::from_millis(200)).await;
+    let before = fs::read_to_string(&events_path)?
+        .matches("\"kind\":\"RouterAdvertisement\"")
+        .count();
+
+    lab.remove_device(d.id())?;
+    lab.remove_router(r.id())?;
+
+    tokio::time::sleep(Duration::from_secs(2)).await;
+    let after = fs::read_to_string(&events_path)?
+        .matches("\"kind\":\"RouterAdvertisement\"")
+        .count();
+    assert_eq!(
+        before, after,
+        "expected no additional RouterAdvertisement events after router removal"
+    );
+
+    Ok(())
+}

From d354e13d3b33903c591031126986385ef3aa0779 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 12:01:33 +0100
Subject: [PATCH 15/26] feat: add ipv6 deployment profiles for lab provisioning

---
 patchbay/src/lab.rs           | 35 +++++++++++++++++++
 patchbay/src/lib.rs           |  7 ++--
 patchbay/src/tests/ipv6_ll.rs | 66 +++++++++++++++++++++++++++++++++++
 plans/ipv6-linklocal.md       |  5 +++
 4 files changed, 110 insertions(+), 3 deletions(-)

diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 5f0a5b9..60761df 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -316,6 +316,33 @@ pub enum Ipv6ProvisioningMode {
     RaDriven,
 }
 
+/// Deployment-oriented IPv6 behavior profile for a lab.
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum Ipv6Profile {
+    /// Deterministic test profile: DAD off and static v6 route wiring.
+    LabDeterministic,
+    /// Production-like baseline: DAD on and RA/RS-driven route learning.
+    ProductionLike,
+    /// Consumer home baseline: DAD on and RA/RS-driven route learning.
+    ConsumerHome,
+    /// Mobile carrier baseline: DAD on and RA/RS-driven route learning.
+    MobileCarrier,
+    /// Enterprise baseline: DAD on and RA/RS-driven route learning.
+    Enterprise,
+}
+
+impl Ipv6Profile {
+    fn modes(self) -> (Ipv6DadMode, Ipv6ProvisioningMode) {
+        match self {
+            Self::LabDeterministic => (Ipv6DadMode::Disabled, Ipv6ProvisioningMode::Static),
+            Self::ProductionLike | Self::ConsumerHome | Self::MobileCarrier | Self::Enterprise => {
+                (Ipv6DadMode::Enabled, Ipv6ProvisioningMode::RaDriven)
+            }
+        }
+    }
+}
+
 impl LabOpts {
     /// Sets the output directory for event log and state files.
     pub fn outdir(mut self, path: impl Into<PathBuf>) -> Self {
@@ -349,6 +376,14 @@ impl LabOpts {
         self.ipv6_provisioning_mode = mode;
         self
     }
+
+    /// Applies a deployment profile that sets both DAD and v6 provisioning mode.
+    pub fn ipv6_profile(mut self, profile: Ipv6Profile) -> Self {
+        let (dad, provisioning) = profile.modes();
+        self.ipv6_dad_mode = dad;
+        self.ipv6_provisioning_mode = provisioning;
+        self
+    }
 }
 
 impl Lab {
diff --git a/patchbay/src/lib.rs b/patchbay/src/lib.rs
index 82354cf..8821da5 100644
--- a/patchbay/src/lib.rs
+++ b/patchbay/src/lib.rs
@@ -102,9 +102,10 @@ pub use firewall::PortPolicy;
 pub use ipnet::Ipv4Net;
 pub use lab::{
     ConntrackTimeouts, DefaultRegions, Device, DeviceBuilder, DeviceIface, Firewall,
-    FirewallConfig, FirewallConfigBuilder, IpSupport, Ipv6DadMode, Ipv6ProvisioningMode, Ix, Lab,
-    LabOpts, LinkCondition, LinkLimits, Nat, NatConfig, NatConfigBuilder, NatFiltering, NatMapping,
-    NatV6Mode, ObservedAddr, Region, RegionLink, Router, RouterBuilder, RouterIface, RouterPreset,
+    FirewallConfig, FirewallConfigBuilder, IpSupport, Ipv6DadMode, Ipv6Profile,
+    Ipv6ProvisioningMode, Ix, Lab, LabOpts, LinkCondition, LinkLimits, Nat, NatConfig,
+    NatConfigBuilder, NatFiltering, NatMapping, NatV6Mode, ObservedAddr, Region, RegionLink,
+    Router, RouterBuilder, RouterIface, RouterPreset,
 };
 
 pub use crate::{
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 2646d97..85d9055 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -116,6 +116,72 @@ async fn dad_disabled_deterministic_mode() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn ipv6_profiles_switch_static_vs_radriven_default_route_behavior() -> Result<()> {
+    check_caps()?;
+
+    {
+        let lab =
+            Lab::with_opts(LabOpts::default().ipv6_profile(Ipv6Profile::LabDeterministic)).await?;
+        let r = lab
+            .add_router("r-static")
+            .ip_support(IpSupport::DualStack)
+            .build()
+            .await?;
+        let dev = lab.add_device("d-static").uplink(r.id()).build().await?;
+
+        let route = dev.run_sync(|| {
+            let out = std::process::Command::new("ip")
+                .args(["-6", "route", "show", "default"])
+                .output()?;
+            if !out.status.success() {
+                anyhow::bail!("ip -6 route failed with status {}", out.status);
+            }
+            Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+        })?;
+        assert!(
+            route.contains("via 2001:db8:"),
+            "static profile should install global-v6 default route, got: {route:?}"
+        );
+        assert!(
+            !route.contains("via fe80:"),
+            "static profile should not use link-local default route, got: {route:?}"
+        );
+    }
+
+    {
+        let lab = Lab::with_opts(
+            LabOpts::default()
+                .ipv6_profile(Ipv6Profile::ProductionLike)
+                .ipv6_dad_mode(Ipv6DadMode::Disabled),
+        )
+        .await?;
+        let r = lab
+            .add_router("r-ra")
+            .ip_support(IpSupport::DualStack)
+            .build()
+            .await?;
+        let dev = lab.add_device("d-ra").uplink(r.id()).build().await?;
+
+        let route = dev.run_sync(|| {
+            let out = std::process::Command::new("ip")
+                .args(["-6", "route", "show", "default"])
+                .output()?;
+            if !out.status.success() {
+                anyhow::bail!("ip -6 route failed with status {}", out.status);
+            }
+            Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+        })?;
+        assert!(
+            route.contains("via fe80:"),
+            "production-like profile should use link-local default route, got: {route:?}"
+        );
+    }
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 async fn radriven_default_route_uses_scoped_ll_and_switches_iface() -> Result<()> {
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 70cf177..420da7b 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -8,7 +8,12 @@
 - [ ] Phase 2: Router Advertisement and Router Solicitation behavior
 - [x] Phase 3: Public API support for link-local and scope handling
 - [ ] Phase 4: Real-world presets for consumer and production-like IPv6
+- [x] Phase 4.1: Add lab IPv6 deployment profiles that map to DAD and provisioning defaults
+- [ ] Phase 4.2: Wire router preset defaults and docs to profile recommendations
 - [ ] Phase 5: Tests and validation matrix
+- [x] Phase 5.1: Add RA worker lifecycle coverage for router namespace removal
+- [x] Phase 5.2: Add profile-behavior test for static vs RA-driven default-route semantics
+- [ ] Phase 5.3: Close remaining matrix gaps from this plan
 - [ ] Final review
 
 ## Goal

From e712356024ba5a2c6077a00812fc570393885374 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 12:03:10 +0100
Subject: [PATCH 16/26] feat: map router presets to recommended ipv6 profiles

---
 patchbay/src/lab.rs          | 11 +++++++++++
 patchbay/src/tests/preset.rs | 26 ++++++++++++++++++++++++++
 plans/ipv6-linklocal.md      |  3 ++-
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 60761df..0f43481 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -1580,6 +1580,17 @@ impl RouterPreset {
             _ => DownstreamPool::Public,
         }
     }
+
+    /// Returns the recommended lab-level IPv6 profile for this router preset.
+    pub fn recommended_ipv6_profile(self) -> Ipv6Profile {
+        match self {
+            Self::Home => Ipv6Profile::ConsumerHome,
+            Self::Mobile | Self::MobileV6 => Ipv6Profile::MobileCarrier,
+            Self::Corporate | Self::Cloud | Self::Datacenter => Ipv6Profile::Enterprise,
+            // These presets are primarily v4-focused and do not benefit from RA-driven v6 provisioning.
+            Self::Hotel | Self::IspV4 => Ipv6Profile::LabDeterministic,
+        }
+    }
 }
 
 // ─────────────────────────────────────────────
diff --git a/patchbay/src/tests/preset.rs b/patchbay/src/tests/preset.rs
index 64d579e..a238cb5 100644
--- a/patchbay/src/tests/preset.rs
+++ b/patchbay/src/tests/preset.rs
@@ -205,6 +205,32 @@ async fn preset_override() -> Result<()> {
     Ok(())
 }
 
+/// Router presets expose sane default IPv6 deployment profile recommendations.
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn preset_recommended_ipv6_profiles() -> Result<()> {
+    check_caps()?;
+
+    assert_eq!(
+        RouterPreset::Home.recommended_ipv6_profile(),
+        Ipv6Profile::ConsumerHome
+    );
+    assert_eq!(
+        RouterPreset::Mobile.recommended_ipv6_profile(),
+        Ipv6Profile::MobileCarrier
+    );
+    assert_eq!(
+        RouterPreset::Corporate.recommended_ipv6_profile(),
+        Ipv6Profile::Enterprise
+    );
+    assert_eq!(
+        RouterPreset::Hotel.recommended_ipv6_profile(),
+        Ipv6Profile::LabDeterministic
+    );
+
+    Ok(())
+}
+
 /// Public GUA v6 pool gives addresses from 2001:db8:1::/48, not ULA fd10::/48.
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 420da7b..bd19b3d 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -9,7 +9,8 @@
 - [x] Phase 3: Public API support for link-local and scope handling
 - [ ] Phase 4: Real-world presets for consumer and production-like IPv6
 - [x] Phase 4.1: Add lab IPv6 deployment profiles that map to DAD and provisioning defaults
-- [ ] Phase 4.2: Wire router preset defaults and docs to profile recommendations
+- [x] Phase 4.2a: Wire router preset defaults to profile recommendations
+- [ ] Phase 4.2b: Document preset-to-profile recommendations in user-facing docs
 - [ ] Phase 5: Tests and validation matrix
 - [x] Phase 5.1: Add RA worker lifecycle coverage for router namespace removal
 - [x] Phase 5.2: Add profile-behavior test for static vs RA-driven default-route semantics

From ac132e82383431ae6492bc7d107f517580a72032 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 13:29:09 +0100
Subject: [PATCH 17/26] feat: allow per-device ipv6 provisioning overrides

---
 patchbay/src/core.rs          |  8 +++++
 patchbay/src/handles.rs       | 20 +++++++++---
 patchbay/src/lab.rs           | 34 ++++++++++++++------
 patchbay/src/tests/ipv6_ll.rs | 60 +++++++++++++++++++++++++++++++++++
 plans/ipv6-linklocal.md       |  1 +
 5 files changed, 108 insertions(+), 15 deletions(-)

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index ae12b81..424dd8c 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -172,6 +172,8 @@ pub(crate) struct DeviceData {
     pub default_via: Arc<str>,
     /// Optional MTU for all interfaces.
     pub mtu: Option<u32>,
+    /// Optional per-device IPv6 provisioning override.
+    pub provisioning_mode: Option<Ipv6ProvisioningMode>,
     /// Per-device operation lock — serializes multi-step mutations.
     pub op: Arc<tokio::sync::Mutex<()>>,
 }
@@ -849,6 +851,7 @@ impl NetworkCore {
                 interfaces: vec![],
                 default_via: "".into(),
                 mtu: None,
+                provisioning_mode: None,
                 op: Arc::new(tokio::sync::Mutex::new(())),
             },
         );
@@ -1127,6 +1130,7 @@ impl NetworkCore {
     pub(crate) fn router_default_v6_targets(
         &self,
         router: NodeId,
+        default_mode: Ipv6ProvisioningMode,
     ) -> Result<Vec<DeviceDefaultV6RouteTarget>> {
         let downlink = self
             .router(router)
@@ -1139,6 +1143,10 @@ impl NetworkCore {
             let Some(iface) = dev.iface(&dev.default_via) else {
                 continue;
             };
+            let mode = dev.provisioning_mode.unwrap_or(default_mode);
+            if mode != Ipv6ProvisioningMode::RaDriven {
+                continue;
+            }
             if iface.uplink == downlink && iface.ip_v6.is_some() {
                 out.push(DeviceDefaultV6RouteTarget {
                     ns: dev.ns.clone(),
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 2b1e1b8..dca443b 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -82,7 +82,7 @@ async fn reconcile_radriven_default_v6_routes(
 ) -> Result<()> {
     let targets = {
         let inner = lab.core.lock().unwrap();
-        inner.router_default_v6_targets(router)?
+        inner.router_default_v6_targets(router, lab.ipv6_provisioning_mode)?
     };
     for t in targets {
         let ifname = t.ifname.to_string();
@@ -326,6 +326,16 @@ impl Device {
             .collect()
     }
 
+    fn provisioning_mode(&self) -> Result<Ipv6ProvisioningMode> {
+        let inner = self.lab.core.lock().unwrap();
+        let dev = inner
+            .device(self.id)
+            .ok_or_else(|| anyhow!("device removed"))?;
+        Ok(dev
+            .provisioning_mode
+            .unwrap_or(self.lab.ipv6_provisioning_mode))
+    }
+
     // ── Dynamic operations ──────────────────────────────────────────────
 
     /// Brings an interface administratively down.
@@ -384,7 +394,7 @@ impl Device {
                     gw_ip,
                     gw_v6,
                     gw_ll_v6,
-                    self.lab.ipv6_provisioning_mode,
+                    self.provisioning_mode()?,
                     ra_default_enabled,
                 )
             };
@@ -461,7 +471,7 @@ impl Device {
                 gw_ip,
                 gw_v6,
                 gw_ll_v6,
-                self.lab.ipv6_provisioning_mode,
+                self.provisioning_mode()?,
                 ra_default_enabled,
             )
         };
@@ -712,7 +722,7 @@ impl Device {
             .lock()
             .unwrap()
             .prepare_add_iface(self.id, ifname, router, impair)?;
-        if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+        if self.provisioning_mode()? == Ipv6ProvisioningMode::RaDriven {
             setup.iface_build.gw_ip_v6 = None;
         }
 
@@ -821,7 +831,7 @@ impl Device {
             .lock()
             .unwrap()
             .prepare_replug_iface(self.id, ifname, to_router)?;
-        if self.lab.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+        if self.provisioning_mode()? == Ipv6ProvisioningMode::RaDriven {
             setup.iface_build.gw_ip_v6 = None;
         }
 
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 0f43481..0901b6c 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -771,6 +771,7 @@ impl Lab {
                 lab_span,
                 id: NodeId(u64::MAX),
                 mtu: None,
+                provisioning_mode: None,
                 result: Err(anyhow!("device '{}' already exists", name)),
             };
         }
@@ -780,6 +781,7 @@ impl Lab {
             lab_span,
             id,
             mtu: None,
+            provisioning_mode: None,
             result: Ok(()),
         }
     }
@@ -2139,6 +2141,7 @@ pub struct DeviceBuilder {
     lab_span: tracing::Span,
     id: NodeId,
     mtu: Option<u32>,
+    provisioning_mode: Option<Ipv6ProvisioningMode>,
     result: Result<()>,
 }
 
@@ -2151,6 +2154,14 @@ impl DeviceBuilder {
         self
     }
 
+    /// Overrides IPv6 provisioning mode for this device only.
+    pub fn ipv6_provisioning_mode(mut self, mode: Ipv6ProvisioningMode) -> Self {
+        if self.result.is_ok() {
+            self.provisioning_mode = Some(mode);
+        }
+        self
+    }
+
     /// Attach `ifname` inside the device namespace to `router`'s downstream switch.
     pub fn iface(mut self, ifname: &str, router: NodeId, impair: Option<LinkCondition>) -> Self {
         if self.result.is_ok() {
@@ -2205,16 +2216,20 @@ impl DeviceBuilder {
         self.result?;
 
         // Phase 1: Lock → extract snapshot + DNS overlay → unlock.
-        let (dev, ifaces, prefix, root_ns, dns_overlay) = {
+        let (dev, ifaces, prefix, root_ns, dns_overlay, provisioning_mode) = {
             let mut inner = self.inner.core.lock().unwrap();
             // Apply builder-level config before snapshot.
             if let Some(d) = inner.device_mut(self.id) {
                 d.mtu = self.mtu;
+                d.provisioning_mode = self.provisioning_mode;
             }
             let dev = inner
                 .device(self.id)
                 .ok_or_else(|| anyhow!("unknown device id"))?
                 .clone();
+            let provisioning_mode = dev
+                .provisioning_mode
+                .unwrap_or(self.inner.ipv6_provisioning_mode);
 
             let mut iface_data = Vec::new();
             for iface in &dev.interfaces {
@@ -2234,14 +2249,13 @@ impl DeviceBuilder {
                 })?;
                 let gw_br = sw.bridge.clone().unwrap_or_else(|| "br-lan".into());
                 let gw_ns = inner.router(gw_router).unwrap().ns.clone();
-                let gw_ip_v6 =
-                    if self.inner.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
-                        None
-                    } else {
-                        sw.gw_v6
-                    };
+                let gw_ip_v6 = if provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+                    None
+                } else {
+                    sw.gw_v6
+                };
                 let gw_ll_v6 = inner.router(gw_router).and_then(|r| {
-                    if self.inner.ipv6_provisioning_mode == Ipv6ProvisioningMode::RaDriven {
+                    if provisioning_mode == Ipv6ProvisioningMode::RaDriven {
                         if r.cfg.ra_enabled && r.cfg.ra_lifetime_secs > 0 {
                             r.downstream_ll_v6
                         } else {
@@ -2279,7 +2293,7 @@ impl DeviceBuilder {
 
             let prefix = inner.cfg.prefix.clone();
             let root_ns = inner.cfg.root_ns.clone();
-            (dev, iface_data, prefix, root_ns, overlay)
+            (dev, iface_data, prefix, root_ns, overlay, provisioning_mode)
         }; // lock released
 
         // Phase 2: Async network setup (no lock held).
@@ -2295,7 +2309,7 @@ impl DeviceBuilder {
                 ifaces,
                 Some(dns_overlay),
                 self.inner.ipv6_dad_mode,
-                self.inner.ipv6_provisioning_mode,
+                provisioning_mode,
             )
             .await
         }
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 85d9055..bdeb49f 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -182,6 +182,66 @@ async fn ipv6_profiles_switch_static_vs_radriven_default_route_behavior() -> Res
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn per_device_provisioning_override_mixes_static_and_radriven() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven)
+            .ipv6_dad_mode(Ipv6DadMode::Disabled),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+
+    let dev_static = lab
+        .add_device("d-static")
+        .uplink(r.id())
+        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
+        .build()
+        .await?;
+    let dev_ra = lab.add_device("d-ra").uplink(r.id()).build().await?;
+
+    let route_static = dev_static.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route_static.contains("via 2001:db8:"),
+        "static override should use global-v6 default route, got: {route_static:?}"
+    );
+    assert!(
+        !route_static.contains("via fe80:"),
+        "static override should not use link-local default route, got: {route_static:?}"
+    );
+
+    let route_ra = dev_ra.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route_ra.contains("via fe80:"),
+        "RA-driven device should use link-local default route, got: {route_ra:?}"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 async fn radriven_default_route_uses_scoped_ll_and_switches_iface() -> Result<()> {
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index bd19b3d..d8d68c4 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -6,6 +6,7 @@
 - [ ] Phase 0: Define target behavior and compatibility boundaries
 - [x] Phase 1: Kernel behavior parity for link-local addresses and routes
 - [ ] Phase 2: Router Advertisement and Router Solicitation behavior
+- [x] Phase 2.3a: Add per-device IPv6 provisioning override for gradual migration
 - [x] Phase 3: Public API support for link-local and scope handling
 - [ ] Phase 4: Real-world presets for consumer and production-like IPv6
 - [x] Phase 4.1: Add lab IPv6 deployment profiles that map to DAD and provisioning defaults

From f73fed1e82966e91a0a8fd886588a349b261394b Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 13:38:29 +0100
Subject: [PATCH 18/26] test: verify ra reconcile skips static override devices

---
 patchbay/src/tests/ipv6_ll.rs | 60 +++++++++++++++++++++++++++++++++++
 plans/ipv6-linklocal.md       |  1 +
 2 files changed, 61 insertions(+)

diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index bdeb49f..a0bcebe 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -242,6 +242,66 @@ async fn per_device_provisioning_override_mixes_static_and_radriven() -> Result<
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn ra_disable_reconciles_only_radriven_devices() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven)
+            .ipv6_dad_mode(Ipv6DadMode::Disabled),
+    )
+    .await?;
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_lifetime_secs(120)
+        .build()
+        .await?;
+
+    let dev_static = lab
+        .add_device("d-static")
+        .uplink(r.id())
+        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
+        .build()
+        .await?;
+    let dev_ra = lab.add_device("d-ra").uplink(r.id()).build().await?;
+
+    r.set_ra_enabled(false).await?;
+
+    let route_static = dev_static.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route_static.contains("via 2001:db8:"),
+        "static device route should remain global after RA disable, got: {route_static:?}"
+    );
+
+    let route_ra = dev_ra.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route_ra.trim().is_empty(),
+        "RA-driven device route should be cleared after RA disable, got: {route_ra:?}"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 async fn radriven_default_route_uses_scoped_ll_and_switches_iface() -> Result<()> {
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index d8d68c4..19f3f2f 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -15,6 +15,7 @@
 - [ ] Phase 5: Tests and validation matrix
 - [x] Phase 5.1: Add RA worker lifecycle coverage for router namespace removal
 - [x] Phase 5.2: Add profile-behavior test for static vs RA-driven default-route semantics
+- [x] Phase 5.3a: Verify RA reconciliation only targets RA-driven devices when mixed with static overrides
 - [ ] Phase 5.3: Close remaining matrix gaps from this plan
 - [ ] Final review
 

From 8a9b8bf847b67be30a03cfca7486806871c20ce8 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 13:53:57 +0100
Subject: [PATCH 19/26] test: cover static override route switching with
 runtime iface changes

---
 patchbay/src/tests/ipv6_ll.rs | 53 +++++++++++++++++++++++++++++++++++
 plans/ipv6-linklocal.md       |  1 +
 2 files changed, 54 insertions(+)

diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index a0bcebe..4ec0bd4 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -302,6 +302,59 @@ async fn ra_disable_reconciles_only_radriven_devices() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn static_override_runtime_default_route_switch_uses_global_v6() -> Result<()> {
+    check_caps()?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven)
+            .ipv6_dad_mode(Ipv6DadMode::Disabled),
+    )
+    .await?;
+    let r1 = lab
+        .add_router("r1")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+    let r2 = lab
+        .add_router("r2")
+        .ip_support(IpSupport::DualStack)
+        .build()
+        .await?;
+
+    let dev = lab
+        .add_device("d")
+        .uplink(r1.id())
+        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
+        .build()
+        .await?;
+
+    dev.add_iface("eth1", r2.id(), None).await?;
+    dev.set_default_route("eth1").await?;
+
+    let route = dev.run_sync(|| {
+        let out = std::process::Command::new("ip")
+            .args(["-6", "route", "show", "default"])
+            .output()?;
+        if !out.status.success() {
+            anyhow::bail!("ip -6 route failed with status {}", out.status);
+        }
+        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
+    })?;
+    assert!(
+        route.contains("via 2001:db8:"),
+        "static override should keep global-v6 default route after runtime switch, got: {route:?}"
+    );
+    assert!(
+        !route.contains("via fe80:"),
+        "static override should not switch to link-local default route, got: {route:?}"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 async fn radriven_default_route_uses_scoped_ll_and_switches_iface() -> Result<()> {
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 19f3f2f..475cc97 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -408,6 +408,7 @@ Implemented in `patchbay/src/tests/ipv6_ll.rs` so far:
 - `ra_source_is_link_local`
 - `host_learns_default_router_from_ra_link_local`
 - `router_lifetime_zero_withdraws_default_router`
+- `static_override_runtime_default_route_switch_uses_global_v6`
 
 Implemented control-plane scaffolding so far:
 

From 018d9dbb3cd8cb7cc37da2d88c37c99b72fbcd8a Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 14:00:52 +0100
Subject: [PATCH 20/26] test: assert static ipv6 mode skips ra and rs tasks

---
 patchbay/src/tests/ipv6_ll.rs | 60 +++++++++++++++++++++++++++++++++++
 plans/ipv6-linklocal.md       |  1 +
 2 files changed, 61 insertions(+)

diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
index 4ec0bd4..133e95d 100644
--- a/patchbay/src/tests/ipv6_ll.rs
+++ b/patchbay/src/tests/ipv6_ll.rs
@@ -242,6 +242,66 @@ async fn per_device_provisioning_override_mixes_static_and_radriven() -> Result<
     Ok(())
 }
 
+#[tokio::test(flavor = "current_thread")]
+#[traced_test]
+async fn static_mode_does_not_run_ra_rs_tasks() -> Result<()> {
+    check_caps()?;
+
+    let run_name = format!(
+        "ipv6-ll-static-no-ra-rs-{}",
+        SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos()
+    );
+    let outdir = Path::new("/tmp").join(run_name);
+    fs::create_dir_all(&outdir)?;
+
+    let lab = Lab::with_opts(
+        LabOpts::default()
+            .outdir(&outdir)
+            .label("ipv6-ll-static-no-ra-rs")
+            .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
+            .ipv6_dad_mode(Ipv6DadMode::Disabled),
+    )
+    .await?;
+
+    let r = lab
+        .add_router("r")
+        .ip_support(IpSupport::DualStack)
+        .ra_enabled(true)
+        .ra_interval_secs(1)
+        .build()
+        .await?;
+    let _dev = lab.add_device("d").uplink(r.id()).build().await?;
+
+    let run_dir = lab.run_dir().context("missing run dir")?.to_path_buf();
+    let dev_events = run_dir.join("events.device.d.jsonl");
+    let router_events = run_dir.join("events.router.r.jsonl");
+    tokio::time::sleep(Duration::from_millis(1600)).await;
+
+    let has_ra = wait_for_file_contains(
+        &router_events,
+        "\"kind\":\"RouterAdvertisement\"",
+        Duration::from_millis(100),
+    )
+    .await?;
+    let has_rs = wait_for_file_contains(
+        &dev_events,
+        "\"kind\":\"RouterSolicitation\"",
+        Duration::from_millis(100),
+    )
+    .await?;
+
+    assert!(
+        !has_ra,
+        "static mode should not emit RouterAdvertisement events"
+    );
+    assert!(
+        !has_rs,
+        "static mode should not emit RouterSolicitation events"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "current_thread")]
 #[traced_test]
 async fn ra_disable_reconciles_only_radriven_devices() -> Result<()> {
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 475cc97..21d1a14 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -409,6 +409,7 @@ Implemented in `patchbay/src/tests/ipv6_ll.rs` so far:
 - `host_learns_default_router_from_ra_link_local`
 - `router_lifetime_zero_withdraws_default_router`
 - `static_override_runtime_default_route_switch_uses_global_v6`
+- `static_mode_does_not_run_ra_rs_tasks`
 
 Implemented control-plane scaffolding so far:
 

From 28ab0ca45086ccb988d4b98a7cafa8479d4529d9 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 15:19:51 +0100
Subject: [PATCH 21/26] fix: resolve ipv6 link-local review findings

---
 patchbay/src/core.rs          |  189 ++---
 patchbay/src/handles.rs       |   18 +-
 patchbay/src/lab.rs           |   45 +-
 patchbay/src/netlink.rs       |   26 +-
 patchbay/src/test_utils.rs    |    5 +-
 patchbay/src/tests/ipv6_ll.rs | 1241 ---------------------------------
 patchbay/src/tests/mod.rs     |    1 -
 7 files changed, 145 insertions(+), 1380 deletions(-)
 delete mode 100644 patchbay/src/tests/ipv6_ll.rs

diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 424dd8c..3d21dab 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -18,6 +18,10 @@ use crate::{
     Ipv6ProvisioningMode, LinkCondition, Nat, NatConfig, NatFiltering, NatMapping, NatV6Mode,
 };
 
+pub(crate) const RA_DEFAULT_ENABLED: bool = true;
+pub(crate) const RA_DEFAULT_INTERVAL_SECS: u64 = 30;
+pub(crate) const RA_DEFAULT_LIFETIME_SECS: u64 = 1800;
+
 /// Defines static addressing and naming for one lab instance.
 #[derive(Clone, Debug)]
 pub(crate) struct CoreConfig {
@@ -138,6 +142,11 @@ pub(crate) struct DeviceDefaultV6RouteTarget {
     pub ifname: Arc<str>,
 }
 
+pub(crate) struct DownlinkV6Gateways {
+    pub global_v6: Option<Ipv6Addr>,
+    pub link_local_v6: Option<Ipv6Addr>,
+}
+
 /// One network interface on a device, connected to a router's downstream switch.
 #[derive(Clone, Debug)]
 pub(crate) struct DeviceIfaceData {
@@ -241,6 +250,20 @@ pub(crate) struct RouterData {
     pub op: Arc<tokio::sync::Mutex<()>>,
 }
 
+impl RouterData {
+    pub(crate) fn ra_default_enabled(&self) -> bool {
+        self.cfg.ra_enabled && self.cfg.ra_lifetime_secs > 0
+    }
+
+    pub(crate) fn active_downstream_ll_v6(&self) -> Option<Ipv6Addr> {
+        if self.ra_default_enabled() {
+            self.downstream_ll_v6
+        } else {
+            None
+        }
+    }
+}
+
 #[derive(Debug)]
 pub(crate) struct RaRuntimeCfg {
     enabled: AtomicBool,
@@ -253,7 +276,7 @@ impl RaRuntimeCfg {
     pub(crate) fn new(enabled: bool, interval_secs: u64, lifetime_secs: u64) -> Self {
         Self {
             enabled: AtomicBool::new(enabled),
-            interval_secs: AtomicU64::new(interval_secs.max(1)),
+            interval_secs: AtomicU64::new(interval_secs),
             lifetime_secs: AtomicU64::new(lifetime_secs),
             changed: tokio::sync::Notify::new(),
         }
@@ -262,7 +285,7 @@ impl RaRuntimeCfg {
     pub(crate) fn load(&self) -> (bool, u64, u64) {
         (
             self.enabled.load(Ordering::Relaxed),
-            self.interval_secs.load(Ordering::Relaxed).max(1),
+            self.interval_secs.load(Ordering::Relaxed),
             self.lifetime_secs.load(Ordering::Relaxed),
         )
     }
@@ -810,9 +833,9 @@ impl NetworkCore {
                     mtu: None,
                     block_icmp_frag_needed: false,
                     firewall: Firewall::None,
-                    ra_enabled: true,
-                    ra_interval_secs: 30,
-                    ra_lifetime_secs: 1800,
+                    ra_enabled: RA_DEFAULT_ENABLED,
+                    ra_interval_secs: RA_DEFAULT_INTERVAL_SECS,
+                    ra_lifetime_secs: RA_DEFAULT_LIFETIME_SECS,
                 },
                 downlink_bridge,
                 uplink: None,
@@ -825,7 +848,11 @@ impl NetworkCore {
                 downstream_cidr_v6: None,
                 downstream_gw_v6: None,
                 downstream_ll_v6: None,
-                ra_runtime: Arc::new(RaRuntimeCfg::new(true, 30, 1800)),
+                ra_runtime: Arc::new(RaRuntimeCfg::new(
+                    RA_DEFAULT_ENABLED,
+                    RA_DEFAULT_INTERVAL_SECS,
+                    RA_DEFAULT_LIFETIME_SECS,
+                )),
                 op: Arc::new(tokio::sync::Mutex::new(())),
             },
         );
@@ -952,11 +979,7 @@ impl NetworkCore {
             .ok_or_else(|| anyhow!("gateway router missing"))?;
         let gw_br = sw.bridge.clone().unwrap_or_else(|| "br-lan".into());
         let gw_ns = gw_router_data.ns.clone();
-        let gw_ll_v6 = if gw_router_data.cfg.ra_enabled && gw_router_data.cfg.ra_lifetime_secs > 0 {
-            gw_router_data.downstream_ll_v6
-        } else {
-            None
-        };
+        let gw_ll_v6 = gw_router_data.active_downstream_ll_v6();
         let iface_build = IfaceBuild {
             dev_ns,
             gw_ns,
@@ -1041,11 +1064,7 @@ impl NetworkCore {
             prefix_len,
             gw_ip_v6: sw.gw_v6,
             dev_ip_v6: new_ip_v6,
-            gw_ll_v6: if target_router.cfg.ra_enabled && target_router.cfg.ra_lifetime_secs > 0 {
-                target_router.downstream_ll_v6
-            } else {
-                None
-            },
+            gw_ll_v6: target_router.active_downstream_ll_v6(),
             dev_ll_v6: new_ip_v6.map(|_| link_local_from_seed(old_idx)),
             prefix_len_v6: sw.cidr_v6.map(|c| c.prefix_len()).unwrap_or(64),
             impair,
@@ -1110,21 +1129,19 @@ impl NetworkCore {
     }
 
     /// Returns IPv6 default-router candidates for a router downstream switch.
-    ///
-    /// The tuple is `(global_gateway, link_local_gateway)`.
-    pub(crate) fn router_downlink_gw6_for_switch(
-        &self,
-        sw: NodeId,
-    ) -> Result<(Option<Ipv6Addr>, Option<Ipv6Addr>)> {
+    pub(crate) fn router_downlink_gw6_for_switch(&self, sw: NodeId) -> Result<DownlinkV6Gateways> {
         let switch = self
             .switches
             .get(&sw)
             .ok_or_else(|| anyhow!("switch missing"))?;
-        let ll = switch
+        let link_local_v6 = switch
             .owner_router
             .and_then(|rid| self.routers.get(&rid))
             .and_then(|r| r.downstream_ll_v6);
-        Ok((switch.gw_v6, ll))
+        Ok(DownlinkV6Gateways {
+            global_v6: switch.gw_v6,
+            link_local_v6,
+        })
     }
 
     pub(crate) fn router_default_v6_targets(
@@ -1167,7 +1184,7 @@ impl NetworkCore {
             .owner_router
             .and_then(|rid| self.routers.get(&rid))
             .ok_or_else(|| anyhow!("switch missing owner router"))?;
-        Ok(router.cfg.ra_enabled && router.cfg.ra_lifetime_secs > 0)
+        Ok(router.ra_default_enabled())
     }
 
     /// Adds a switch node and returns its identifier.
@@ -1213,7 +1230,7 @@ impl NetworkCore {
         router_entry.uplink = Some(sw);
         router_entry.upstream_ip = ip;
         router_entry.upstream_ip_v6 = ip_v6;
-        router_entry.upstream_ll_v6 = ip_v6.map(|_| link_local_from_seed(router.0 ^ sw.0));
+        router_entry.upstream_ll_v6 = ip_v6.map(|_| link_local_from_seed(seed2(router.0, sw.0)));
         Ok(())
     }
 
@@ -1314,7 +1331,7 @@ impl NetworkCore {
         router_entry.downstream_cidr_v6 = cidr_v6;
         router_entry.downstream_gw_v6 = gw_v6;
         router_entry.downstream_ll_v6 =
-            cidr_v6.map(|_| link_local_from_seed(router.0 ^ sw.0 ^ 0xA5A5));
+            cidr_v6.map(|_| link_local_from_seed(seed3(router.0, sw.0, 0xA5A5)));
         Ok((cidr, gw))
     }
 
@@ -1981,10 +1998,6 @@ pub(crate) struct RouterSetupData {
     pub provisioning_mode: Ipv6ProvisioningMode,
     /// Whether RA worker should run for this router.
     pub ra_enabled: bool,
-    /// RA worker interval in seconds.
-    pub ra_interval_secs: u64,
-    /// RA lifetime in seconds.
-    pub ra_lifetime_secs: u64,
 }
 
 /// Sets up a single router's namespaces, links, and NAT. No lock held.
@@ -1993,9 +2006,6 @@ pub(crate) async fn setup_router_async(
     netns: &Arc<netns::NetnsManager>,
     data: &RouterSetupData,
 ) -> Result<()> {
-    match data.provisioning_mode {
-        Ipv6ProvisioningMode::Static | Ipv6ProvisioningMode::RaDriven => {}
-    }
     let router = &data.router;
     let id = router.id;
     debug!(name = %router.name, ns = %router.ns, "router: setup");
@@ -2333,8 +2343,6 @@ pub(crate) async fn setup_router_async(
                 router_name: router.name.to_string(),
                 iface: router.downlink_bridge.to_string(),
                 src_ll: router.downstream_ll_v6,
-                initial_interval_secs: data.ra_interval_secs.max(1),
-                initial_lifetime_secs: data.ra_lifetime_secs,
             },
         )?;
     }
@@ -2377,8 +2385,6 @@ fn spawn_ra_worker(
         let (enabled, interval_secs, lifetime_secs) = load_runtime();
         if enabled {
             emit_ra(interval_secs, lifetime_secs);
-        } else {
-            emit_ra(cfg.initial_interval_secs, cfg.initial_lifetime_secs);
         }
 
         loop {
@@ -2394,7 +2400,7 @@ fn spawn_ra_worker(
                         emit_ra(interval_secs, lifetime_secs);
                     }
                 }
-                _ = tokio::time::sleep(tokio::time::Duration::from_secs(interval_secs.max(1))) => {
+                _ = tokio::time::sleep(tokio::time::Duration::from_secs(interval_secs)) => {
                     tracing::trace!(ns = %ns, interval_secs, "ra-worker: tick");
                     let (enabled, interval_secs, lifetime_secs) = load_runtime();
                     if enabled {
@@ -2413,8 +2419,6 @@ struct RaWorkerCfg {
     router_name: String,
     iface: String,
     src_ll: Option<Ipv6Addr>,
-    initial_interval_secs: u64,
-    initial_lifetime_secs: u64,
 }
 
 /// Sets up NAT64 in the router namespace:
@@ -2594,21 +2598,31 @@ pub(crate) async fn remove_firewall(netns: &netns::NetnsManager, ns: &str) -> Re
 }
 
 /// Sets up a single device's namespace and wires all interfaces. No lock held.
-#[instrument(name = "device", skip_all, fields(id = dev.id.0))]
-#[allow(clippy::too_many_arguments)]
+pub(crate) struct DeviceSetupData {
+    pub prefix: Arc<str>,
+    pub root_ns: Arc<str>,
+    pub dev: DeviceData,
+    pub ifaces: Vec<IfaceBuild>,
+    pub dns_overlay: Option<netns::DnsOverlay>,
+    pub dad_mode: Ipv6DadMode,
+    pub provisioning_mode: Ipv6ProvisioningMode,
+}
+
+/// Sets up a single device's namespace and wires all interfaces. No lock held.
+#[instrument(name = "device", skip_all)]
 pub(crate) async fn setup_device_async(
     netns: &Arc<netns::NetnsManager>,
-    prefix: &str,
-    root_ns: &str,
-    dev: &DeviceData,
-    ifaces: Vec<IfaceBuild>,
-    dns_overlay: Option<netns::DnsOverlay>,
-    dad_mode: Ipv6DadMode,
-    provisioning_mode: Ipv6ProvisioningMode,
+    data: DeviceSetupData,
 ) -> Result<()> {
-    match provisioning_mode {
-        Ipv6ProvisioningMode::Static | Ipv6ProvisioningMode::RaDriven => {}
-    }
+    let DeviceSetupData {
+        prefix,
+        root_ns,
+        dev,
+        ifaces,
+        dns_overlay,
+        dad_mode,
+        provisioning_mode,
+    } = data;
     let rs_ifaces: Vec<(Arc<str>, Option<Ipv6Addr>)> =
         if provisioning_mode == Ipv6ProvisioningMode::RaDriven {
             ifaces
@@ -2619,12 +2633,12 @@ pub(crate) async fn setup_device_async(
         } else {
             Vec::new()
         };
-    debug!(name = %dev.name, ns = %dev.ns, "device: setup");
+    debug!(id = dev.id.0, name = %dev.name, ns = %dev.ns, "device: setup");
     let log_prefix = format!("{}.{}", crate::consts::KIND_DEVICE, dev.name);
     create_named_netns(netns, &dev.ns, dns_overlay, Some(log_prefix), dad_mode)?;
 
     for iface in ifaces {
-        wire_iface_async(netns, prefix, root_ns, iface).await?;
+        wire_iface_async(netns, &prefix, &root_ns, iface).await?;
     }
 
     for (ifname, router_ll) in rs_ifaces {
@@ -2633,28 +2647,23 @@ pub(crate) async fn setup_device_async(
         let dev_name = dev.name.to_string();
         let iface = ifname.to_string();
         nl_run(netns, &ns, move |_h: Netlink| async move {
-            match router_ll {
-                Some(router_ll) => {
-                    tracing::info!(
-                        target: "patchbay::_events::RouterSolicitation",
-                        ns = %ns_for_log,
-                        device = %dev_name,
-                        iface = %iface,
-                        dst = "ff02::2",
-                        router_ll = %router_ll,
-                        "router solicitation"
-                    );
-                }
-                None => {
-                    tracing::info!(
-                        target: "patchbay::_events::RouterSolicitation",
-                        ns = %ns_for_log,
-                        device = %dev_name,
-                        iface = %iface,
-                        dst = "ff02::2",
-                        "router solicitation"
-                    );
-                }
+            let router_ll = router_ll.map(|ll| ll.to_string());
+            tracing::info!(
+                target: "patchbay::_events::RouterSolicitation",
+                ns = %ns_for_log,
+                device = %dev_name,
+                iface = %iface,
+                dst = "ff02::2",
+                router_ll = router_ll.as_deref(),
+                "router solicitation"
+            );
+            if router_ll.is_none() {
+                tracing::trace!(
+                    ns = %ns_for_log,
+                    device = %dev_name,
+                    iface = %iface,
+                    "router solicitation emitted without router_ll"
+                );
             }
             Ok(())
         })
@@ -2766,11 +2775,29 @@ fn add_host(cidr: Ipv4Net, host: u8) -> Result<Ipv4Addr> {
     Ok(Ipv4Addr::new(octets[0], octets[1], octets[2], host))
 }
 
+fn splitmix64(mut x: u64) -> u64 {
+    x = x.wrapping_add(0x9E3779B97F4A7C15);
+    x = (x ^ (x >> 30)).wrapping_mul(0xBF58476D1CE4E5B9);
+    x = (x ^ (x >> 27)).wrapping_mul(0x94D049BB133111EB);
+    x ^ (x >> 31)
+}
+
+fn seed2(a: u64, b: u64) -> u64 {
+    splitmix64(a.rotate_left(7) ^ b.rotate_right(3) ^ 0xC2B2AE3D27D4EB4F)
+}
+
+fn seed3(a: u64, b: u64, c: u64) -> u64 {
+    splitmix64(seed2(a, b) ^ c.rotate_left(17))
+}
+
 fn link_local_from_seed(seed: u64) -> Ipv6Addr {
-    let a = ((seed >> 48) & 0xffff) as u16;
-    let b = ((seed >> 32) & 0xffff) as u16;
-    let c = ((seed >> 16) & 0xffff) as u16;
-    let d = (seed & 0xffff) as u16;
+    let mixed = splitmix64(seed);
+    let mut iid = mixed.to_be_bytes();
+    iid[0] |= 0x02;
+    let a = u16::from_be_bytes([iid[0], iid[1]]);
+    let b = u16::from_be_bytes([iid[2], iid[3]]);
+    let c = u16::from_be_bytes([iid[4], iid[5]]);
+    let d = u16::from_be_bytes([iid[6], iid[7]]);
     Ipv6Addr::new(0xfe80, 0, 0, 0, a, b, c, d)
 }
 
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index dca443b..e269a18 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -385,16 +385,17 @@ impl Device {
         })
         .await?;
         if is_default_via {
+            let provisioning = self.provisioning_mode()?;
             let (gw_ip, gw_v6, gw_ll_v6, provisioning, ra_default_enabled) = {
                 let inner = self.lab.core.lock().unwrap();
                 let gw_ip = inner.router_downlink_gw_for_switch(uplink)?;
-                let (gw_v6, gw_ll_v6) = inner.router_downlink_gw6_for_switch(uplink)?;
+                let gw_v6 = inner.router_downlink_gw6_for_switch(uplink)?;
                 let ra_default_enabled = inner.ra_default_enabled_for_switch(uplink)?;
                 (
                     gw_ip,
-                    gw_v6,
-                    gw_ll_v6,
-                    self.provisioning_mode()?,
+                    gw_v6.global_v6,
+                    gw_v6.link_local_v6,
+                    provisioning,
                     ra_default_enabled,
                 )
             };
@@ -454,6 +455,7 @@ impl Device {
             .with_device(self.id, |d| Arc::clone(&d.op))
             .ok_or_else(|| anyhow!("device removed"))?;
         let _guard = op.lock().await;
+        let provisioning = self.provisioning_mode()?;
         let (ns, impair, gw_ip, gw_v6, gw_ll_v6, provisioning, ra_default_enabled) = {
             let inner = self.lab.core.lock().unwrap();
             let dev = inner
@@ -463,15 +465,15 @@ impl Device {
                 .iface(to)
                 .ok_or_else(|| anyhow!("interface '{}' not found", to))?;
             let gw_ip = inner.router_downlink_gw_for_switch(iface.uplink)?;
-            let (gw_v6, gw_ll_v6) = inner.router_downlink_gw6_for_switch(iface.uplink)?;
+            let gw_v6 = inner.router_downlink_gw6_for_switch(iface.uplink)?;
             let ra_default_enabled = inner.ra_default_enabled_for_switch(iface.uplink)?;
             (
                 dev.ns.clone(),
                 iface.impair,
                 gw_ip,
-                gw_v6,
-                gw_ll_v6,
-                self.provisioning_mode()?,
+                gw_v6.global_v6,
+                gw_v6.link_local_v6,
+                provisioning,
                 ra_default_enabled,
             )
         };
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 0901b6c..01e0387 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -20,7 +20,8 @@ pub use crate::qdisc::LinkLimits;
 use crate::{
     core::{
         self, apply_or_remove_impair, setup_device_async, setup_root_ns_async, setup_router_async,
-        CoreConfig, DownstreamPool, IfaceBuild, LabInner, NetworkCore, NodeId, RouterSetupData,
+        CoreConfig, DeviceSetupData, DownstreamPool, IfaceBuild, LabInner, NetworkCore, NodeId,
+        RouterSetupData, RA_DEFAULT_ENABLED, RA_DEFAULT_INTERVAL_SECS, RA_DEFAULT_LIFETIME_SECS,
     },
     event::{DeviceState, LabEvent, LabEventKind, RouterState},
     netlink::Netlink,
@@ -751,9 +752,9 @@ impl Lab {
             mtu: None,
             block_icmp_frag_needed: false,
             firewall: Firewall::None,
-            ra_enabled: true,
-            ra_interval_secs: 30,
-            ra_lifetime_secs: 1800,
+            ra_enabled: RA_DEFAULT_ENABLED,
+            ra_interval_secs: RA_DEFAULT_INTERVAL_SECS,
+            ra_lifetime_secs: RA_DEFAULT_LIFETIME_SECS,
             result: Ok(()),
         }
     }
@@ -905,8 +906,6 @@ impl Lab {
                 Some((sw.gw_v6?, sw.cidr_v6?.prefix_len()))
             });
             let ra_enabled = router.cfg.ra_enabled;
-            let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
-            let ra_lifetime_secs = router.cfg.ra_lifetime_secs;
 
             let setup_data = RouterSetupData {
                 router,
@@ -934,8 +933,6 @@ impl Lab {
                 dad_mode: self.inner.ipv6_dad_mode,
                 provisioning_mode: self.inner.ipv6_provisioning_mode,
                 ra_enabled,
-                ra_interval_secs,
-                ra_lifetime_secs,
             };
 
             (id, setup_data, idx)
@@ -1644,9 +1641,9 @@ impl RouterBuilder {
             mtu: None,
             block_icmp_frag_needed: false,
             firewall: Firewall::None,
-            ra_enabled: true,
-            ra_interval_secs: 30,
-            ra_lifetime_secs: 1800,
+            ra_enabled: RA_DEFAULT_ENABLED,
+            ra_interval_secs: RA_DEFAULT_INTERVAL_SECS,
+            ra_lifetime_secs: RA_DEFAULT_LIFETIME_SECS,
             result: Err(err),
         }
     }
@@ -2042,8 +2039,6 @@ impl RouterBuilder {
 
             let has_v6 = router.cfg.ip_support.has_v6();
             let ra_enabled = router.cfg.ra_enabled;
-            let ra_interval_secs = router.cfg.ra_interval_secs.max(1);
-            let ra_lifetime_secs = router.cfg.ra_lifetime_secs;
             let setup_data = RouterSetupData {
                 router,
                 root_ns: cfg.root_ns.clone(),
@@ -2074,8 +2069,6 @@ impl RouterBuilder {
                 dad_mode: self.inner.ipv6_dad_mode,
                 provisioning_mode: self.inner.ipv6_provisioning_mode,
                 ra_enabled,
-                ra_interval_secs,
-                ra_lifetime_secs,
             };
 
             (id, setup_data)
@@ -2256,11 +2249,7 @@ impl DeviceBuilder {
                 };
                 let gw_ll_v6 = inner.router(gw_router).and_then(|r| {
                     if provisioning_mode == Ipv6ProvisioningMode::RaDriven {
-                        if r.cfg.ra_enabled && r.cfg.ra_lifetime_secs > 0 {
-                            r.downstream_ll_v6
-                        } else {
-                            None
-                        }
+                        r.active_downstream_ll_v6()
                     } else {
                         r.downstream_ll_v6
                     }
@@ -2303,13 +2292,15 @@ impl DeviceBuilder {
         async {
             setup_device_async(
                 netns,
-                &prefix,
-                &root_ns,
-                &dev,
-                ifaces,
-                Some(dns_overlay),
-                self.inner.ipv6_dad_mode,
-                provisioning_mode,
+                DeviceSetupData {
+                    prefix,
+                    root_ns,
+                    dev: dev.clone(),
+                    ifaces,
+                    dns_overlay: Some(dns_overlay),
+                    dad_mode: self.inner.ipv6_dad_mode,
+                    provisioning_mode,
+                },
             )
             .await
         }
diff --git a/patchbay/src/netlink.rs b/patchbay/src/netlink.rs
index 038f477..708c346 100644
--- a/patchbay/src/netlink.rs
+++ b/patchbay/src/netlink.rs
@@ -276,16 +276,7 @@ impl Netlink {
         trace!(ifname = %ifname, via = %via, "replace default route v6");
         let ifindex = self.link_index(ifname).await?;
 
-        let mut routes = self
-            .handle
-            .route()
-            .get(RouteMessageBuilder::<Ipv6Addr>::new().build())
-            .execute();
-        while let Some(route) = routes.try_next().await? {
-            if route.header.destination_prefix_length == 0 {
-                let _ = self.handle.route().del(route).execute().await;
-            }
-        }
+        self.delete_default_routes_v6().await?;
 
         let msg = RouteMessageBuilder::<Ipv6Addr>::new()
             .output_interface(ifindex)
@@ -323,16 +314,7 @@ impl Netlink {
         trace!(ifname = %ifname, via = %via, "replace default route v6 scoped");
         let ifindex = self.link_index(ifname).await?;
 
-        let mut routes = self
-            .handle
-            .route()
-            .get(RouteMessageBuilder::<Ipv6Addr>::new().build())
-            .execute();
-        while let Some(route) = routes.try_next().await? {
-            if route.header.destination_prefix_length == 0 {
-                let _ = self.handle.route().del(route).execute().await;
-            }
-        }
+        self.delete_default_routes_v6().await?;
 
         let msg = RouteMessageBuilder::<Ipv6Addr>::new()
             .output_interface(ifindex)
@@ -344,6 +326,10 @@ impl Netlink {
 
     pub(crate) async fn clear_default_route_v6(&self) -> Result<()> {
         trace!("clear default route v6");
+        self.delete_default_routes_v6().await
+    }
+
+    async fn delete_default_routes_v6(&self) -> Result<()> {
         let mut routes = self
             .handle
             .route()
diff --git a/patchbay/src/test_utils.rs b/patchbay/src/test_utils.rs
index 3926ef8..6bf53bc 100644
--- a/patchbay/src/test_utils.rs
+++ b/patchbay/src/test_utils.rs
@@ -143,8 +143,9 @@ pub async fn udp_send_recv_count(
         .context("udp bind")?;
 
     // Warmup: confirm the reflector is live before starting the measured burst.
-    // Probes may traverse a lossy link, so we retry aggressively (50ms apart)
-    // for up to 15 seconds to handle both reflector startup delay and packet loss.
+    // Some tests intentionally apply very high loss (for example 90%), and under
+    // CI load the reflector task can also start late. The longer deadline avoids
+    // false negatives before measurement begins.
     let mut warmup_buf = [0u8; 64];
     let warmup_deadline = tokio::time::Instant::now() + Duration::from_secs(15);
     loop {
diff --git a/patchbay/src/tests/ipv6_ll.rs b/patchbay/src/tests/ipv6_ll.rs
deleted file mode 100644
index 133e95d..0000000
--- a/patchbay/src/tests/ipv6_ll.rs
+++ /dev/null
@@ -1,1241 +0,0 @@
-//! IPv6 link-local focused tests.
-
-use std::{
-    fs,
-    net::Ipv6Addr,
-    path::Path,
-    time::{Duration, SystemTime, UNIX_EPOCH},
-};
-
-use super::*;
-
-fn is_link_local(ip: Ipv6Addr) -> bool {
-    ip.segments()[0] & 0xffc0 == 0xfe80
-}
-
-async fn wait_for_file_contains(path: &Path, needle: &str, timeout: Duration) -> Result<bool> {
-    let start = tokio::time::Instant::now();
-    while start.elapsed() < timeout {
-        if let Ok(content) = fs::read_to_string(path) {
-            if content.contains(needle) {
-                return Ok(true);
-            }
-        }
-        tokio::time::sleep(Duration::from_millis(100)).await;
-    }
-    Ok(false)
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn link_local_presence_on_all_ipv6_ifaces() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(LabOpts::default().ipv6_dad_mode(Ipv6DadMode::Disabled)).await?;
-    let dc = lab
-        .add_router("dc")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-    let dev = lab.add_device("dev").uplink(dc.id()).build().await?;
-
-    let iface = dev.default_iface().context("missing default iface")?;
-    let ll6 = iface.ll6().context("missing device ll6")?;
-    assert!(
-        is_link_local(ll6),
-        "device ll6 should be fe80::/10, got {ll6}"
-    );
-
-    let ifaces = dc.interfaces();
-    assert!(!ifaces.is_empty(), "router should expose interfaces");
-    for rif in ifaces {
-        let ll = rif.ll6().context("missing router ll6")?;
-        assert!(
-            is_link_local(ll),
-            "router iface {} ll6 should be fe80::/10, got {ll}",
-            rif.name()
-        );
-    }
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn router_iface_api_exposes_ll6_consistently() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::new().await?;
-    let dc = lab
-        .add_router("dc")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-
-    let all = dc.interfaces();
-    assert!(
-        all.len() >= 2,
-        "router should expose wan and bridge interfaces"
-    );
-
-    for iface in &all {
-        let by_name = dc
-            .iface(iface.name())
-            .context("iface lookup by name failed")?;
-        assert_eq!(
-            iface.ll6(),
-            by_name.ll6(),
-            "ll6 mismatch for iface {}",
-            iface.name()
-        );
-    }
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn dad_disabled_deterministic_mode() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(LabOpts::default().ipv6_dad_mode(Ipv6DadMode::Disabled)).await?;
-    let dc = lab
-        .add_router("dc")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-    let dev = lab.add_device("dev").uplink(dc.id()).build().await?;
-
-    // Deterministic mode expectation for now: IPv6 and LL are immediately usable.
-    assert!(dev.ip6().is_some(), "global/ULA IPv6 should exist");
-    assert!(
-        dev.default_iface().and_then(|i| i.ll6()).is_some(),
-        "link-local IPv6 should exist"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn ipv6_profiles_switch_static_vs_radriven_default_route_behavior() -> Result<()> {
-    check_caps()?;
-
-    {
-        let lab =
-            Lab::with_opts(LabOpts::default().ipv6_profile(Ipv6Profile::LabDeterministic)).await?;
-        let r = lab
-            .add_router("r-static")
-            .ip_support(IpSupport::DualStack)
-            .build()
-            .await?;
-        let dev = lab.add_device("d-static").uplink(r.id()).build().await?;
-
-        let route = dev.run_sync(|| {
-            let out = std::process::Command::new("ip")
-                .args(["-6", "route", "show", "default"])
-                .output()?;
-            if !out.status.success() {
-                anyhow::bail!("ip -6 route failed with status {}", out.status);
-            }
-            Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-        })?;
-        assert!(
-            route.contains("via 2001:db8:"),
-            "static profile should install global-v6 default route, got: {route:?}"
-        );
-        assert!(
-            !route.contains("via fe80:"),
-            "static profile should not use link-local default route, got: {route:?}"
-        );
-    }
-
-    {
-        let lab = Lab::with_opts(
-            LabOpts::default()
-                .ipv6_profile(Ipv6Profile::ProductionLike)
-                .ipv6_dad_mode(Ipv6DadMode::Disabled),
-        )
-        .await?;
-        let r = lab
-            .add_router("r-ra")
-            .ip_support(IpSupport::DualStack)
-            .build()
-            .await?;
-        let dev = lab.add_device("d-ra").uplink(r.id()).build().await?;
-
-        let route = dev.run_sync(|| {
-            let out = std::process::Command::new("ip")
-                .args(["-6", "route", "show", "default"])
-                .output()?;
-            if !out.status.success() {
-                anyhow::bail!("ip -6 route failed with status {}", out.status);
-            }
-            Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-        })?;
-        assert!(
-            route.contains("via fe80:"),
-            "production-like profile should use link-local default route, got: {route:?}"
-        );
-    }
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn per_device_provisioning_override_mixes_static_and_radriven() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven)
-            .ipv6_dad_mode(Ipv6DadMode::Disabled),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-
-    let dev_static = lab
-        .add_device("d-static")
-        .uplink(r.id())
-        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
-        .build()
-        .await?;
-    let dev_ra = lab.add_device("d-ra").uplink(r.id()).build().await?;
-
-    let route_static = dev_static.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route_static.contains("via 2001:db8:"),
-        "static override should use global-v6 default route, got: {route_static:?}"
-    );
-    assert!(
-        !route_static.contains("via fe80:"),
-        "static override should not use link-local default route, got: {route_static:?}"
-    );
-
-    let route_ra = dev_ra.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route_ra.contains("via fe80:"),
-        "RA-driven device should use link-local default route, got: {route_ra:?}"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn static_mode_does_not_run_ra_rs_tasks() -> Result<()> {
-    check_caps()?;
-
-    let run_name = format!(
-        "ipv6-ll-static-no-ra-rs-{}",
-        SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos()
-    );
-    let outdir = Path::new("/tmp").join(run_name);
-    fs::create_dir_all(&outdir)?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ipv6-ll-static-no-ra-rs")
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
-            .ipv6_dad_mode(Ipv6DadMode::Disabled),
-    )
-    .await?;
-
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(1)
-        .build()
-        .await?;
-    let _dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let run_dir = lab.run_dir().context("missing run dir")?.to_path_buf();
-    let dev_events = run_dir.join("events.device.d.jsonl");
-    let router_events = run_dir.join("events.router.r.jsonl");
-    tokio::time::sleep(Duration::from_millis(1600)).await;
-
-    let has_ra = wait_for_file_contains(
-        &router_events,
-        "\"kind\":\"RouterAdvertisement\"",
-        Duration::from_millis(100),
-    )
-    .await?;
-    let has_rs = wait_for_file_contains(
-        &dev_events,
-        "\"kind\":\"RouterSolicitation\"",
-        Duration::from_millis(100),
-    )
-    .await?;
-
-    assert!(
-        !has_ra,
-        "static mode should not emit RouterAdvertisement events"
-    );
-    assert!(
-        !has_rs,
-        "static mode should not emit RouterSolicitation events"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn ra_disable_reconciles_only_radriven_devices() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven)
-            .ipv6_dad_mode(Ipv6DadMode::Disabled),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-
-    let dev_static = lab
-        .add_device("d-static")
-        .uplink(r.id())
-        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
-        .build()
-        .await?;
-    let dev_ra = lab.add_device("d-ra").uplink(r.id()).build().await?;
-
-    r.set_ra_enabled(false).await?;
-
-    let route_static = dev_static.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route_static.contains("via 2001:db8:"),
-        "static device route should remain global after RA disable, got: {route_static:?}"
-    );
-
-    let route_ra = dev_ra.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route_ra.trim().is_empty(),
-        "RA-driven device route should be cleared after RA disable, got: {route_ra:?}"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn static_override_runtime_default_route_switch_uses_global_v6() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven)
-            .ipv6_dad_mode(Ipv6DadMode::Disabled),
-    )
-    .await?;
-    let r1 = lab
-        .add_router("r1")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-    let r2 = lab
-        .add_router("r2")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-
-    let dev = lab
-        .add_device("d")
-        .uplink(r1.id())
-        .ipv6_provisioning_mode(Ipv6ProvisioningMode::Static)
-        .build()
-        .await?;
-
-    dev.add_iface("eth1", r2.id(), None).await?;
-    dev.set_default_route("eth1").await?;
-
-    let route = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route.contains("via 2001:db8:"),
-        "static override should keep global-v6 default route after runtime switch, got: {route:?}"
-    );
-    assert!(
-        !route.contains("via fe80:"),
-        "static override should not switch to link-local default route, got: {route:?}"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_default_route_uses_scoped_ll_and_switches_iface() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r1 = lab
-        .add_router("r1")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-    let r2 = lab
-        .add_router("r2")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-    let dev = lab
-        .add_device("dev")
-        .iface("eth0", r1.id(), None)
-        .iface("eth1", r2.id(), None)
-        .default_via("eth0")
-        .build()
-        .await?;
-
-    let route0 = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route0.contains("via fe80:"),
-        "expected link-local default route, got: {route0:?}"
-    );
-    assert!(
-        route0.contains("dev eth0"),
-        "expected default route via eth0, got: {route0:?}"
-    );
-
-    dev.set_default_route("eth1").await?;
-
-    let route1 = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route1.contains("via fe80:"),
-        "expected link-local default route after switch, got: {route1:?}"
-    );
-    assert!(
-        route1.contains("dev eth1"),
-        "expected default route via eth1 after switch, got: {route1:?}"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_link_up_restores_scoped_ll_default_route() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r1 = lab
-        .add_router("r1")
-        .ip_support(IpSupport::DualStack)
-        .build()
-        .await?;
-    let dev = lab
-        .add_device("dev")
-        .iface("eth0", r1.id(), None)
-        .default_via("eth0")
-        .build()
-        .await?;
-
-    let before = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(before.contains("via fe80:"), "expected LL default route");
-    assert!(
-        before.contains("dev eth0"),
-        "expected default route via eth0"
-    );
-
-    dev.link_down("eth0").await?;
-    let during = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        during.trim().is_empty(),
-        "expected no default v6 route while link is down, got: {during:?}"
-    );
-
-    dev.link_up("eth0").await?;
-    let after = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(after.contains("via fe80:"), "expected LL default route");
-    assert!(
-        after.contains("dev eth0"),
-        "expected default route via eth0"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_ra_worker_respects_router_enable_flag() -> Result<()> {
-    check_caps()?;
-
-    let unique = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_nanos();
-    let outdir = std::env::temp_dir().join(format!("patchbay-ra-worker-{unique}"));
-    fs::create_dir_all(&outdir)?;
-    std::env::set_var("PATCHBAY_LOG", "trace");
-
-    let lab_enabled = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ra-enabled")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r_enabled = lab_enabled
-        .add_router("r-enabled")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(1)
-        .build()
-        .await?;
-    let _dev_enabled = lab_enabled
-        .add_device("d-enabled")
-        .uplink(r_enabled.id())
-        .build()
-        .await?;
-    let enabled_trace = r_enabled
-        .filepath("tracing.jsonl")
-        .context("missing enabled router tracing path")?;
-    let has_tick =
-        wait_for_file_contains(&enabled_trace, "ra-worker: tick", Duration::from_secs(3)).await?;
-    assert!(has_tick, "expected RA worker tick in tracing log");
-    drop(lab_enabled);
-
-    let lab_disabled = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ra-disabled")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r_disabled = lab_disabled
-        .add_router("r-disabled")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(false)
-        .ra_interval_secs(1)
-        .build()
-        .await?;
-    let _dev_disabled = lab_disabled
-        .add_device("d-disabled")
-        .uplink(r_disabled.id())
-        .build()
-        .await?;
-    tokio::time::sleep(Duration::from_secs(2)).await;
-    let disabled_trace = r_disabled
-        .filepath("tracing.jsonl")
-        .context("missing disabled router tracing path")?;
-    let disabled_content = fs::read_to_string(&disabled_trace).unwrap_or_default();
-    assert!(
-        !disabled_content.contains("ra-worker: tick"),
-        "unexpected RA worker tick while RA is disabled"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn ra_source_is_link_local() -> Result<()> {
-    check_caps()?;
-
-    let unique = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_nanos();
-    let outdir = std::env::temp_dir().join(format!("patchbay-ra-events-{unique}"));
-    fs::create_dir_all(&outdir)?;
-    std::env::set_var("PATCHBAY_LOG", "trace");
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ra-src-ll")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(1)
-        .build()
-        .await?;
-    let _dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let events = r
-        .filepath("events.jsonl")
-        .context("missing router events path")?;
-    let has_ra_kind = wait_for_file_contains(
-        &events,
-        "\"kind\":\"RouterAdvertisement\"",
-        Duration::from_secs(3),
-    )
-    .await?;
-    assert!(
-        has_ra_kind,
-        "expected RouterAdvertisement event in events log"
-    );
-    let has_ll_src =
-        wait_for_file_contains(&events, "\"src\":\"fe80:", Duration::from_secs(3)).await?;
-    assert!(has_ll_src, "expected link-local RA source in events log");
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn host_learns_default_router_from_ra_link_local() -> Result<()> {
-    check_caps()?;
-
-    let unique = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_nanos();
-    let outdir = std::env::temp_dir().join(format!("patchbay-rs-learn-{unique}"));
-    fs::create_dir_all(&outdir)?;
-    std::env::set_var("PATCHBAY_LOG", "trace");
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("rs-learn")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(1)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let route = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route.contains("via fe80:"),
-        "expected RA-driven default via LL router, got: {route:?}"
-    );
-    assert!(
-        route.contains("dev eth0"),
-        "expected RA-driven default on eth0, got: {route:?}"
-    );
-
-    let dev_events = dev
-        .filepath("events.jsonl")
-        .context("missing device events path")?;
-    let has_rs = wait_for_file_contains(
-        &dev_events,
-        "\"kind\":\"RouterSolicitation\"",
-        Duration::from_secs(3),
-    )
-    .await?;
-    assert!(
-        has_rs,
-        "expected RouterSolicitation event in device events log"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn router_lifetime_zero_withdraws_default_router() -> Result<()> {
-    check_caps()?;
-
-    let unique = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_nanos();
-    let outdir = std::env::temp_dir().join(format!("patchbay-ra-lifetime-zero-{unique}"));
-    fs::create_dir_all(&outdir)?;
-    std::env::set_var("PATCHBAY_LOG", "trace");
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ra-lifetime-zero")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(1)
-        .ra_lifetime_secs(0)
-        .build()
-        .await?;
-    let dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let route = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route.trim().is_empty(),
-        "expected no default v6 route when RA lifetime is zero, got: {route:?}"
-    );
-
-    let events = r
-        .filepath("events.jsonl")
-        .context("missing router events path")?;
-    let has_lifetime_zero =
-        wait_for_file_contains(&events, "\"lifetime_secs\":0", Duration::from_secs(3)).await?;
-    assert!(
-        has_lifetime_zero,
-        "expected RouterAdvertisement event with zero lifetime"
-    );
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn rio_local_routes_without_default_router() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_lifetime_secs(0)
-        .build()
-        .await?;
-    let d1 = lab.add_device("d1").uplink(r.id()).build().await?;
-    let d2 = lab.add_device("d2").uplink(r.id()).build().await?;
-
-    let route_default = d1.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route_default.trim().is_empty(),
-        "expected no default v6 route when lifetime is zero, got: {route_default:?}"
-    );
-
-    let pfx = d1.ip6().context("missing d1 v6 address")?.segments();
-    let subnet = format!("{:x}:{:x}:{:x}:{:x}::/64", pfx[0], pfx[1], pfx[2], pfx[3]);
-    let local_route = d1.run_sync({
-        let subnet = subnet.clone();
-        move || {
-            let out = std::process::Command::new("ip")
-                .args(["-6", "route", "show", &subnet])
-                .output()?;
-            if !out.status.success() {
-                anyhow::bail!(
-                    "ip -6 route show {} failed with status {}",
-                    subnet,
-                    out.status
-                );
-            }
-            Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-        }
-    })?;
-    assert!(
-        local_route.contains("dev eth0"),
-        "expected local /64 route on eth0, got: {local_route:?}"
-    );
-
-    let d2_v6 = d2.ip6().context("missing d2 v6 address")?;
-    let route_get = d1.run_sync(move || {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "get", &d2_v6.to_string()])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route get failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        route_get.contains("dev eth0"),
-        "expected local route lookup on eth0, got: {route_get:?}"
-    );
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_runtime_ra_disable_removes_default_route_on_refresh() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let before = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        before.contains("via fe80:"),
-        "expected initial LL default route"
-    );
-
-    r.set_ra_enabled(false).await?;
-    assert_eq!(r.ra_enabled(), Some(false));
-    dev.link_down("eth0").await?;
-    dev.link_up("eth0").await?;
-
-    let after = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        after.trim().is_empty(),
-        "expected no v6 default route after runtime RA disable, got: {after:?}"
-    );
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_runtime_ra_lifetime_zero_removes_default_route_on_refresh() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let before = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        before.contains("via fe80:"),
-        "expected initial LL default route"
-    );
-
-    r.set_ra_lifetime_secs(0).await?;
-    assert_eq!(r.ra_lifetime_secs(), Some(0));
-    dev.link_down("eth0").await?;
-    dev.link_up("eth0").await?;
-
-    let after = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        after.trim().is_empty(),
-        "expected no v6 default route after runtime lifetime=0, got: {after:?}"
-    );
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_runtime_ra_disable_updates_default_route_immediately() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let before = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        before.contains("via fe80:"),
-        "expected initial LL default route"
-    );
-
-    r.set_ra_enabled(false).await?;
-
-    let after_disable = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        after_disable.trim().is_empty(),
-        "expected no v6 default route after runtime RA disable, got: {after_disable:?}"
-    );
-
-    r.set_ra_enabled(true).await?;
-    let after_enable = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        after_enable.contains("via fe80:"),
-        "expected LL default route restored after runtime RA enable, got: {after_enable:?}"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_runtime_ra_lifetime_updates_default_route_immediately() -> Result<()> {
-    check_caps()?;
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let dev = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let before = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        before.contains("via fe80:"),
-        "expected initial LL default route"
-    );
-
-    r.set_ra_lifetime_secs(0).await?;
-    let after_zero = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        after_zero.trim().is_empty(),
-        "expected no v6 default route after runtime lifetime=0, got: {after_zero:?}"
-    );
-
-    r.set_ra_lifetime_secs(120).await?;
-    let after_restore = dev.run_sync(|| {
-        let out = std::process::Command::new("ip")
-            .args(["-6", "route", "show", "default"])
-            .output()?;
-        if !out.status.success() {
-            anyhow::bail!("ip -6 route failed with status {}", out.status);
-        }
-        Ok::<_, anyhow::Error>(String::from_utf8_lossy(&out.stdout).to_string())
-    })?;
-    assert!(
-        after_restore.contains("via fe80:"),
-        "expected LL default route restored after runtime lifetime>0, got: {after_restore:?}"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_ra_worker_reflects_runtime_interval_and_lifetime() -> Result<()> {
-    check_caps()?;
-
-    let unique = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_nanos();
-    let outdir = std::env::temp_dir().join(format!("patchbay-ra-runtime-{unique}"));
-    fs::create_dir_all(&outdir)?;
-    std::env::set_var("PATCHBAY_LOG", "trace");
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ra-runtime-cfg")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(5)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let _d = lab.add_device("d").uplink(r.id()).build().await?;
-
-    r.set_ra_interval_secs(1).await?;
-    r.set_ra_lifetime_secs(33).await?;
-
-    let events = r
-        .filepath("events.jsonl")
-        .context("missing router events path")?;
-    let has_interval =
-        wait_for_file_contains(&events, "\"interval_secs\":1", Duration::from_secs(4)).await?;
-    assert!(
-        has_interval,
-        "expected RouterAdvertisement with interval_secs=1"
-    );
-    let has_lifetime =
-        wait_for_file_contains(&events, "\"lifetime_secs\":33", Duration::from_secs(4)).await?;
-    assert!(
-        has_lifetime,
-        "expected RouterAdvertisement with lifetime_secs=33"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "current_thread")]
-#[traced_test]
-async fn radriven_ra_worker_stops_when_router_namespace_is_removed() -> Result<()> {
-    check_caps()?;
-
-    let unique = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_nanos();
-    let outdir = std::env::temp_dir().join(format!("patchbay-ra-lifecycle-{unique}"));
-    fs::create_dir_all(&outdir)?;
-    std::env::set_var("PATCHBAY_LOG", "trace");
-
-    let lab = Lab::with_opts(
-        LabOpts::default()
-            .outdir(&outdir)
-            .label("ra-lifecycle")
-            .ipv6_dad_mode(Ipv6DadMode::Disabled)
-            .ipv6_provisioning_mode(Ipv6ProvisioningMode::RaDriven),
-    )
-    .await?;
-    let r = lab
-        .add_router("r")
-        .ip_support(IpSupport::DualStack)
-        .ra_enabled(true)
-        .ra_interval_secs(1)
-        .ra_lifetime_secs(120)
-        .build()
-        .await?;
-    let d = lab.add_device("d").uplink(r.id()).build().await?;
-
-    let events_path = r
-        .filepath("events.jsonl")
-        .context("missing router events path")?;
-    let saw_ra = wait_for_file_contains(
-        &events_path,
-        "\"kind\":\"RouterAdvertisement\"",
-        Duration::from_secs(3),
-    )
-    .await?;
-    assert!(
-        saw_ra,
-        "expected RouterAdvertisement log before router removal"
-    );
-    tokio::time::sleep(Duration::from_millis(200)).await;
-    let before = fs::read_to_string(&events_path)?
-        .matches("\"kind\":\"RouterAdvertisement\"")
-        .count();
-
-    lab.remove_device(d.id())?;
-    lab.remove_router(r.id())?;
-
-    tokio::time::sleep(Duration::from_secs(2)).await;
-    let after = fs::read_to_string(&events_path)?
-        .matches("\"kind\":\"RouterAdvertisement\"")
-        .count();
-    assert_eq!(
-        before, after,
-        "expected no additional RouterAdvertisement events after router removal"
-    );
-
-    Ok(())
-}
diff --git a/patchbay/src/tests/mod.rs b/patchbay/src/tests/mod.rs
index 9789fdd..6e3c4ee 100644
--- a/patchbay/src/tests/mod.rs
+++ b/patchbay/src/tests/mod.rs
@@ -41,7 +41,6 @@ mod hairpin;
 mod holepunch;
 mod iface;
 mod ipv6;
-mod ipv6_ll;
 mod lifecycle;
 mod link_condition;
 mod mtu;

From 49846a2592fafea3f324b3a48e2b56d8affd3d31 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 14:47:14 +0100
Subject: [PATCH 22/26] fix: make spawn_reflector async with readiness
 signalling

Replace fire-and-forget reflector spawning + sleep-based waits with an
async spawn_reflector that confirms socket bind via oneshot channel.
Returns a ReflectorGuard RAII type that aborts the task on drop.

Removes the warmup probe loop from udp_send_recv_count since the
reflector is now confirmed-bound before any test traffic is sent.

Also caches Playwright browser install in CI workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml             | 21 +++++++++++--
 patchbay/src/core.rs                 | 28 ++++++++++++++---
 patchbay/src/handles.rs              | 18 ++++++-----
 patchbay/src/test_utils.rs           | 46 ++++++++++++----------------
 patchbay/src/tests/firewall.rs       | 27 ++++++----------
 patchbay/src/tests/hairpin.rs        | 10 +++---
 patchbay/src/tests/holepunch.rs      | 24 +++------------
 patchbay/src/tests/iface.rs          |  6 ++--
 patchbay/src/tests/ipv6.rs           | 13 +++-----
 patchbay/src/tests/lifecycle.rs      |  6 ++--
 patchbay/src/tests/link_condition.rs | 39 ++++++++---------------
 patchbay/src/tests/mod.rs            | 33 +++++++++++++++-----
 patchbay/src/tests/nat.rs            | 32 +++++++------------
 patchbay/src/tests/nat64.rs          |  6 ++--
 patchbay/src/tests/preset.rs         | 15 +++------
 patchbay/src/tests/region.rs         | 33 ++++++++------------
 patchbay/src/tests/route.rs          | 15 ++++-----
 patchbay/src/tests/smoke.rs          | 16 +++-------
 18 files changed, 180 insertions(+), 208 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 457544f..ba52cb9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,9 +40,26 @@ jobs:
         working-directory: ui
         run: npm run build
 
+      - name: Get Playwright version
+        id: pw-version
+        working-directory: ui
+        run: echo "version=$(node -e "console.log(require('./node_modules/@playwright/test/package.json').version)")" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/cache@v4
+        id: pw-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-${{ steps.pw-version.outputs.version }}-chromium
+
       - name: Install Playwright browser
         working-directory: ui
         run: npx playwright install --with-deps chromium
+        if: steps.pw-cache.outputs.cache-hit != 'true'
+
+      - name: Install Playwright system deps
+        working-directory: ui
+        run: npx playwright install-deps chromium
+        if: steps.pw-cache.outputs.cache-hit == 'true'
 
       - name: Install iperf3
         run: sudo apt-get update && sudo apt-get install -y iperf3
@@ -50,8 +67,8 @@ jobs:
       - name: Enable unprivileged user namespaces
         run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
 
-      - name: Check
-        run: cargo check --workspace --tests
+      - name: Build
+        run: cargo build --workspace --all-targets
 
       - name: Test
         run: cargo nextest run --workspace --profile ci
diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 9d235a6..59dc033 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -468,6 +468,15 @@ impl Drop for LabInner {
     }
 }
 
+/// RAII guard that aborts the reflector task when dropped.
+pub struct ReflectorGuard(tokio::task::AbortHandle);
+
+impl Drop for ReflectorGuard {
+    fn drop(&mut self) {
+        self.0.abort();
+    }
+}
+
 impl LabInner {
     /// Returns a cloned tokio runtime handle for the given namespace.
     pub(crate) fn rt_handle_for(&self, ns: &str) -> Result<tokio::runtime::Handle> {
@@ -475,15 +484,26 @@ impl LabInner {
     }
 
     /// Spawns an async UDP reflector in the given namespace.
-    pub(crate) fn spawn_reflector_in(&self, ns: &str, bind: std::net::SocketAddr) -> Result<()> {
+    ///
+    /// Returns after the socket is confirmed bound. The returned
+    /// [`ReflectorGuard`] aborts the reflector task when dropped.
+    pub(crate) async fn spawn_reflector_in(
+        &self,
+        ns: &str,
+        bind: std::net::SocketAddr,
+    ) -> Result<ReflectorGuard> {
         let cancel = self.cancel.clone();
         let rt = self.rt_handle_for(ns)?;
-        rt.spawn(async move {
-            if let Err(e) = crate::test_utils::run_reflector(bind, cancel).await {
+        let (tx, rx) = tokio::sync::oneshot::channel();
+        let handle = rt.spawn(async move {
+            if let Err(e) = crate::test_utils::run_reflector(bind, cancel, tx).await {
                 tracing::error!(bind = %bind, error = %e, "reflector failed");
             }
         });
-        Ok(())
+        rx.await
+            .map_err(|_| anyhow!("reflector task exited before signalling bind"))?
+            .context("reflector bind failed")?;
+        Ok(ReflectorGuard(handle.abort_handle()))
     }
 
     // ── with() helpers ──────────────────────────────────────────────────
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index f3de7d5..8d2c14a 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -474,10 +474,12 @@ impl Device {
 
     /// Spawns a STUN-like UDP reflector in this device's network namespace.
     ///
-    /// The reflector echoes the sender's observed `ip:port` back, enabling
-    /// NAT mapping tests via [`probe_udp_mapping`](Self::probe_udp_mapping).
-    pub fn spawn_reflector(&self, bind: SocketAddr) -> Result<()> {
-        self.lab.spawn_reflector_in(&self.ns, bind)
+    /// Returns after the socket is confirmed bound. The returned
+    /// [`ReflectorGuard`](core::ReflectorGuard) aborts the reflector
+    /// task when dropped — callers must keep it alive for the reflector's
+    /// lifetime.
+    pub async fn spawn_reflector(&self, bind: SocketAddr) -> Result<core::ReflectorGuard> {
+        self.lab.spawn_reflector_in(&self.ns, bind).await
     }
 
     /// Adds a hosts entry visible only to this device.
@@ -1189,8 +1191,8 @@ impl Router {
     /// Spawns a STUN-like UDP reflector in this router's network namespace.
     ///
     /// See [`Device::spawn_reflector`] for details.
-    pub fn spawn_reflector(&self, bind: SocketAddr) -> Result<()> {
-        self.lab.spawn_reflector_in(&self.ns, bind)
+    pub async fn spawn_reflector(&self, bind: SocketAddr) -> Result<core::ReflectorGuard> {
+        self.lab.spawn_reflector_in(&self.ns, bind).await
     }
 }
 
@@ -1302,9 +1304,9 @@ impl Ix {
     /// Spawns a STUN-like UDP reflector in the IX root namespace.
     ///
     /// See [`Device::spawn_reflector`] for details.
-    pub fn spawn_reflector(&self, bind: SocketAddr) -> Result<()> {
+    pub async fn spawn_reflector(&self, bind: SocketAddr) -> Result<core::ReflectorGuard> {
         let ns = self.lab.core.lock().unwrap().root_ns().to_string();
-        self.lab.spawn_reflector_in(&ns, bind)
+        self.lab.spawn_reflector_in(&ns, bind).await
     }
 }
 
diff --git a/patchbay/src/test_utils.rs b/patchbay/src/test_utils.rs
index cb47020..784731b 100644
--- a/patchbay/src/test_utils.rs
+++ b/patchbay/src/test_utils.rs
@@ -18,12 +18,24 @@ use crate::ObservedAddr;
 
 /// Runs an async UDP reflector. Loops until `cancel` is triggered.
 ///
-/// Spawned via `device.spawn_reflector(bind)` which uses the namespace's
-/// tokio runtime.
-pub async fn run_reflector(bind: SocketAddr, cancel: CancellationToken) -> Result<()> {
-    let sock = tokio::net::UdpSocket::bind(bind)
-        .await
-        .context("reflector udp bind")?;
+/// Binds the socket first, then signals readiness on `bound_tx` so callers
+/// can await confirmation before sending probes.
+pub async fn run_reflector(
+    bind: SocketAddr,
+    cancel: CancellationToken,
+    bound_tx: tokio::sync::oneshot::Sender<Result<()>>,
+) -> Result<()> {
+    let sock = match tokio::net::UdpSocket::bind(bind).await {
+        Ok(s) => {
+            let _ = bound_tx.send(Ok(()));
+            s
+        }
+        Err(e) => {
+            let err = Err(anyhow::anyhow!(e).context("reflector udp bind"));
+            let _ = bound_tx.send(err);
+            return Ok(());
+        }
+    };
     let mut buf = [0u8; 512];
     loop {
         tokio::select! {
@@ -131,9 +143,7 @@ pub async fn udp_rtt(reflector: SocketAddr) -> Result<Duration> {
 /// while concurrently collecting responses. Returns `(sent, received)` after
 /// all packets are sent and `wait` has elapsed since the last send.
 ///
-/// Before the main burst, sends warmup probes to confirm the reflector is
-/// reachable (retries up to 2 seconds). This prevents false zeros from
-/// reflector startup races.
+/// Assumes the reflector is already confirmed-bound (via `spawn_reflector`).
 ///
 /// Use inside `handle.spawn(|_| async move { udp_send_recv_count(r, 1000, 64, dur).await })`.
 pub async fn udp_send_recv_count(
@@ -146,24 +156,6 @@ pub async fn udp_send_recv_count(
         .await
         .context("udp bind")?;
 
-    // Warmup: confirm the reflector is live before starting the measured burst.
-    // Probes may traverse a lossy link (up to 90%), so we retry aggressively
-    // (50ms apart) for up to 15 seconds to handle both reflector startup delay
-    // and packet loss on high-loss links.
-    let mut warmup_buf = [0u8; 64];
-    let warmup_deadline = tokio::time::Instant::now() + Duration::from_secs(15);
-    loop {
-        let _ = sock.send_to(b"WARMUP", target).await;
-        match tokio::time::timeout(Duration::from_millis(50), sock.recv_from(&mut warmup_buf)).await
-        {
-            Ok(Ok(_)) => break,
-            _ if tokio::time::Instant::now() >= warmup_deadline => {
-                anyhow::bail!("reflector at {target} did not respond within 15s warmup");
-            }
-            _ => continue,
-        }
-    }
-
     let buf = vec![0u8; payload];
     let mut recv_buf = vec![0u8; payload + 64];
     let mut received = 0usize;
diff --git a/patchbay/src/tests/firewall.rs b/patchbay/src/tests/firewall.rs
index ea884b1..ad50d2f 100644
--- a/patchbay/src/tests/firewall.rs
+++ b/patchbay/src/tests/firewall.rs
@@ -26,8 +26,7 @@ async fn corporate_blocks_udp() -> Result<()> {
         .await?;
 
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9200);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let udp_result = dev.run_sync(move || test_utils::udp_rtt_sync(reflector));
     assert!(
@@ -69,8 +68,7 @@ async fn captive_portal_blocks_udp() -> Result<()> {
         .await?;
 
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9201);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let udp_result = dev.run_sync(move || test_utils::udp_rtt_sync(reflector));
     assert!(
@@ -107,8 +105,7 @@ async fn none_allows_all() -> Result<()> {
         .await?;
 
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9202);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(
@@ -143,8 +140,7 @@ async fn custom_selective() -> Result<()> {
         .await?;
 
     let reflector_blocked = SocketAddr::new(IpAddr::V4(dc_ip), 9203);
-    dc.spawn_reflector(reflector_blocked)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector_blocked).await?;
 
     let blocked = dev.run_sync(move || test_utils::udp_rtt_sync(reflector_blocked));
     assert!(
@@ -154,8 +150,7 @@ async fn custom_selective() -> Result<()> {
     );
 
     let reflector_allowed = SocketAddr::new(IpAddr::V4(dc_ip), 5000);
-    dc.spawn_reflector(reflector_allowed)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector_allowed).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector_allowed))?;
     assert!(
@@ -196,8 +191,7 @@ async fn block_inbound_drops_unsolicited() -> Result<()> {
 
     // Outbound from device → DC should work (established return traffic allowed).
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9210);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(rtt < Duration::from_millis(500), "outbound should work");
@@ -265,16 +259,14 @@ async fn custom_block_inbound() -> Result<()> {
 
     // UDP to port 53 should work (outbound allowed).
     let reflector_53 = SocketAddr::new(IpAddr::V4(dc_ip), 53);
-    dc.spawn_reflector(reflector_53)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector_53).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector_53))?;
     assert!(rtt < Duration::from_millis(500), "UDP 53 should work");
 
     // UDP to other port should be blocked.
     let reflector_other = SocketAddr::new(IpAddr::V4(dc_ip), 9999);
-    dc.spawn_reflector(reflector_other)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector_other).await?;
 
     let blocked = dev.run_sync(move || test_utils::udp_rtt_sync(reflector_other));
     assert!(
@@ -305,8 +297,7 @@ async fn runtime_change() -> Result<()> {
         .await?;
 
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9204);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(rtt < Duration::from_millis(500));
diff --git a/patchbay/src/tests/hairpin.rs b/patchbay/src/tests/hairpin.rs
index 572c7ae..bfc64bf 100644
--- a/patchbay/src/tests/hairpin.rs
+++ b/patchbay/src/tests/hairpin.rs
@@ -28,7 +28,7 @@ async fn fullcone_allows() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("dc has no ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9100);
-    dc.spawn_reflector(reflector)?;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // A sends outbound to create a fullcone mapping.
     let a_ext = a.probe_udp_mapping(reflector)?;
@@ -37,7 +37,7 @@ async fn fullcone_allows() -> Result<()> {
     let a_local_port = a_ext.port();
     let a_ip = a.ip().unwrap();
     let a_listen = SocketAddr::new(IpAddr::V4(a_ip), a_local_port);
-    a.spawn_reflector(a_listen)?;
+    let _r = a.spawn_reflector(a_listen).await?;
 
     // B sends to A's external address (router's public IP + A's mapped port).
     // With hairpin, the router should DNAT this to A's private IP.
@@ -78,7 +78,7 @@ async fn home_nat_blocks() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("dc has no ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9101);
-    dc.spawn_reflector(reflector)?;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // A creates a mapping.
     let a_ext = a.probe_udp_mapping(reflector)?;
@@ -135,14 +135,14 @@ async fn custom_allows() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("dc has no ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9102);
-    dc.spawn_reflector(reflector)?;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let a_ext = a.probe_udp_mapping(reflector)?;
 
     let a_local_port = a_ext.port();
     let a_ip = a.ip().unwrap();
     let a_listen = SocketAddr::new(IpAddr::V4(a_ip), a_local_port);
-    a.spawn_reflector(a_listen)?;
+    let _r = a.spawn_reflector(a_listen).await?;
 
     let reply = b.run_sync(move || {
         let sock =
diff --git a/patchbay/src/tests/holepunch.rs b/patchbay/src/tests/holepunch.rs
index 447097d..2a32abf 100644
--- a/patchbay/src/tests/holepunch.rs
+++ b/patchbay/src/tests/holepunch.rs
@@ -21,16 +21,8 @@ async fn fullcone_holepunch() -> Result<()> {
     let dev1 = lab.add_device("dev1").uplink(nat1.id()).build().await?;
     let dev2 = lab.add_device("dev2").uplink(nat2.id()).build().await?;
 
-    let (stun_tx, stun_rx) = oneshot::channel();
-    let _task_relay = stun.spawn({
-        async move |ctx| {
-            let addr = SocketAddr::from((ctx.ip().unwrap(), 9999));
-            ctx.spawn_reflector(addr)?;
-            stun_tx.send(addr).unwrap();
-            anyhow::Ok(())
-        }
-    });
-    let stun_addr = stun_rx.await.unwrap();
+    let stun_addr = SocketAddr::from((stun.ip().unwrap(), 9999));
+    let _r = stun.spawn_reflector(stun_addr).await?;
 
     info!("NOW START");
 
@@ -109,16 +101,8 @@ async fn home_nat_holepunch() -> Result<()> {
         let dev1 = lab.add_device("dev1").uplink(nat1.id()).build().await?;
         let dev2 = lab.add_device("dev2").uplink(nat2.id()).build().await?;
 
-        let (stun_tx, stun_rx) = oneshot::channel();
-        let _task_relay = stun.spawn({
-            async move |ctx| {
-                let addr = SocketAddr::from((ctx.ip().unwrap(), 9999));
-                ctx.spawn_reflector(addr)?;
-                stun_tx.send(addr).unwrap();
-                anyhow::Ok(())
-            }
-        });
-        let stun_addr = stun_rx.await.unwrap();
+        let stun_addr = SocketAddr::from((stun.ip().unwrap(), 9999));
+        let _r = stun.spawn_reflector(stun_addr).await?;
 
         let timeout = Duration::from_secs(15);
         let stagger = Duration::from_millis(stagger_ms);
diff --git a/patchbay/src/tests/iface.rs b/patchbay/src/tests/iface.rs
index 453cb6b..e6043a7 100644
--- a/patchbay/src/tests/iface.rs
+++ b/patchbay/src/tests/iface.rs
@@ -24,8 +24,7 @@ async fn add_remove_runtime() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 17_300);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // Device initially has one interface.
     assert_eq!(dev.interfaces().len(), 1);
@@ -163,8 +162,7 @@ async fn replug_to_different_subnet() -> Result<()> {
     // Connectivity through dc_b works.
     let dc_a_ip = dc_a.uplink_ip().context("dc_a uplink")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_a_ip), 20_300);
-    dc_a.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc_a.spawn_reflector(reflector).await?;
     dev.run_sync(move || test_utils::udp_roundtrip(reflector))
         .context("udp roundtrip after replug")?;
 
diff --git a/patchbay/src/tests/ipv6.rs b/patchbay/src/tests/ipv6.rs
index 444ad86..2a10b4f 100644
--- a/patchbay/src/tests/ipv6.rs
+++ b/patchbay/src/tests/ipv6.rs
@@ -97,8 +97,7 @@ async fn v6_only_no_v4_routes() -> Result<()> {
     // v6 roundtrip succeeds.
     let dc_ip_v6 = dc.uplink_ip_v6().expect("dc v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_ip_v6), 3491);
-    dc.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
     let o = dev.run_sync(move || test_utils::udp_roundtrip(r_v6))?;
     assert!(o.ip().is_ipv6(), "reflexive should be v6");
 
@@ -129,14 +128,12 @@ async fn dual_stack_public_addrs() -> Result<()> {
     // v4 reflector
     let dc_ip_v4 = dc.uplink_ip().expect("dc v4 uplink");
     let r_v4 = SocketAddr::new(IpAddr::V4(dc_ip_v4), 3492);
-    dc.spawn_reflector(r_v4)?;
+    let _r = dc.spawn_reflector(r_v4).await?;
 
     // v6 reflector
     let dc_ip_v6 = dc.uplink_ip_v6().expect("dc v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_ip_v6), 3493);
-    dc.spawn_reflector(r_v6)?;
-
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
 
     let o_v4 = dev.run_sync(move || test_utils::udp_roundtrip(r_v4))?;
     assert!(o_v4.ip().is_ipv4(), "v4 reflexive should be v4");
@@ -199,8 +196,8 @@ async fn dual_stack_home_nat_udp() -> Result<()> {
     // Spawn reflectors on both address families.
     let reflector_v4: SocketAddr = (server_v4, 3478).into();
     let reflector_v6: SocketAddr = (server_v6, 3479).into();
-    server.spawn_reflector(reflector_v4)?;
-    server.spawn_reflector(reflector_v6)?;
+    let _r = server.spawn_reflector(reflector_v4).await?;
+    let _r = server.spawn_reflector(reflector_v6).await?;
 
     // Home NAT router: dual-stack with NPTv6.
     let nat = lab
diff --git a/patchbay/src/tests/lifecycle.rs b/patchbay/src/tests/lifecycle.rs
index 23fb986..8faa913 100644
--- a/patchbay/src/tests/lifecycle.rs
+++ b/patchbay/src/tests/lifecycle.rs
@@ -97,8 +97,7 @@ async fn custom_downstream_cidr() -> Result<()> {
     // Verify connectivity through the custom subnet.
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 17_300);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
     dev.run_sync(move || test_utils::udp_roundtrip(reflector))
         .context("udp roundtrip through custom cidr")?;
 
@@ -207,8 +206,7 @@ async fn add_device_after_build() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 20_600);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // dev1 works.
     dev1.run_sync(move || test_utils::udp_roundtrip(reflector))
diff --git a/patchbay/src/tests/link_condition.rs b/patchbay/src/tests/link_condition.rs
index cb9c344..10d8ae0 100644
--- a/patchbay/src/tests/link_condition.rs
+++ b/patchbay/src/tests/link_condition.rs
@@ -20,8 +20,7 @@ async fn route_switch_changes_impairment() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 9200);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let fast_rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
 
@@ -62,8 +61,7 @@ async fn link_down_up() -> Result<()> {
             let dev_handle = lab.device_by_name("dev").unwrap();
             match proto {
                 Proto::Udp => {
-                    dc.spawn_reflector(r)?;
-                    tokio::time::sleep(Duration::from_millis(200)).await;
+                    let _r = dc.spawn_reflector(r).await?;
                     dev.run_sync(move || {
                         test_utils::probe_udp(r, Duration::from_millis(500), Some(bind))
                     })
@@ -217,8 +215,7 @@ async fn rate_udp_upload() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 17_500);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     // ~300 KB at 2 Mbit/s ≈ 1.2 s.
     let start = Instant::now();
@@ -257,8 +254,7 @@ async fn rate_udp_download() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 17_600);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let start = Instant::now();
     dev_id
@@ -441,8 +437,7 @@ async fn loss_udp_moderate() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 18_000);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(300)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     // tc netem loss is on the device egress, so ~50% of probes reach the
     // reflector and responses come back unlossed. Wide bounds account for
@@ -486,8 +481,7 @@ async fn loss_udp_high() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 18_100);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(300)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let (_, received) = dev
         .spawn(move |_| async move {
@@ -584,8 +578,7 @@ async fn loss_udp_bidirectional() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 18_300);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     // Round-trip delivery ≈ (1-0.3)×(1-0.3) = 49 %; expect < 80.
     let (_, received) = dev
@@ -633,8 +626,7 @@ async fn latency_upload_download() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 18_500);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
     assert!(
@@ -686,8 +678,7 @@ async fn latency_multihop_chain() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 18_700);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
     assert!(
@@ -827,8 +818,7 @@ async fn latency_dynamic_add_remove() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 19_000);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let baseline = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
 
@@ -889,8 +879,7 @@ async fn presets_rtt_and_loss() -> Result<()> {
 
             let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
             let r = SocketAddr::new(IpAddr::V4(dc_ip), port_base);
-            dc.spawn_reflector(r)?;
-            tokio::time::sleep(Duration::from_millis(200)).await;
+            let _r = dc.spawn_reflector(r).await?;
 
             let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
             if rtt < Duration::from_millis(min_latency_ms) {
@@ -986,8 +975,7 @@ async fn downlink_builder_latency() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 19_200);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
     assert!(
@@ -1044,8 +1032,7 @@ async fn loss_dynamic_change() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 20_500);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     // Baseline: no loss, all 50 packets should arrive.
     let (_, recv_baseline) = dev
diff --git a/patchbay/src/tests/mod.rs b/patchbay/src/tests/mod.rs
index 6e3c4ee..2af796f 100644
--- a/patchbay/src/tests/mod.rs
+++ b/patchbay/src/tests/mod.rs
@@ -116,6 +116,7 @@ struct NatTestCtx {
     expected_ip: Ipv4Addr,
     r_dc: SocketAddr,
     r_ix: SocketAddr,
+    _reflectors: Vec<core::ReflectorGuard>,
 }
 
 struct DualNatLab {
@@ -125,6 +126,7 @@ struct DualNatLab {
     nat_a: Router,
     nat_b: Router,
     reflector: SocketAddr,
+    _reflector_guard: core::ReflectorGuard,
 }
 
 // ── Test helper functions ────────────────────────────────────────────
@@ -346,9 +348,9 @@ async fn build_nat_case(
     let r_dc = SocketAddr::new(IpAddr::V4(dc_ip), port_base);
     let r_ix = SocketAddr::new(IpAddr::V4(lab.ix().gw()), port_base + 1);
 
-    dc.spawn_reflector(r_dc)?;
+    let g1 = dc.spawn_reflector(r_dc).await?;
     let ix = lab.ix();
-    ix.spawn_reflector(r_ix)?;
+    let g2 = ix.spawn_reflector(r_ix).await?;
 
     dc.spawn(move |_| async move { spawn_tcp_reflector(r_dc).await })?
         .await
@@ -374,6 +376,7 @@ async fn build_nat_case(
             expected_ip,
             r_dc,
             r_ix,
+            _reflectors: vec![g1, g2],
         },
     ))
 }
@@ -394,7 +397,7 @@ async fn build_dual_nat_lab(mode_a: Nat, mode_b: Nat, port_base: u16) -> Result<
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), port_base);
 
-    dc.spawn_reflector(reflector)?;
+    let guard = dc.spawn_reflector(reflector).await?;
     dc.spawn(move |_| async move { spawn_tcp_reflector(reflector).await })?
         .await
         .context("tcp reflector task panicked")??;
@@ -407,6 +410,7 @@ async fn build_dual_nat_lab(mode_a: Nat, mode_b: Nat, port_base: u16) -> Result<
         nat_a,
         nat_b,
         reflector,
+        _reflector_guard: guard,
     })
 }
 
@@ -414,7 +418,14 @@ async fn build_single_nat_case(
     nat_mode: Nat,
     wiring: UplinkWiring,
     port_base: u16,
-) -> Result<(Lab, String, SocketAddr, SocketAddr, Ipv4Addr)> {
+) -> Result<(
+    Lab,
+    String,
+    SocketAddr,
+    SocketAddr,
+    Ipv4Addr,
+    Vec<core::ReflectorGuard>,
+)> {
     let lab = Lab::new().await?;
     let dc = lab.add_router("dc").build().await?;
     let upstream = match wiring {
@@ -438,10 +449,9 @@ async fn build_single_nat_case(
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r_dc = SocketAddr::new(IpAddr::V4(dc_ip), port_base);
     let r_ix = SocketAddr::new(IpAddr::V4(lab.ix().gw()), port_base + 1);
-    dc.spawn_reflector(r_dc)?;
+    let g1 = dc.spawn_reflector(r_dc).await?;
     let ix = lab.ix();
-    ix.spawn_reflector(r_ix)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let g2 = ix.spawn_reflector(r_ix).await?;
 
     let dev_ns = dev.ns();
     let expected_ip = match (nat_mode, wiring) {
@@ -453,7 +463,14 @@ async fn build_single_nat_case(
         (Nat::None, _) => dev.ip().unwrap(),
         _ => nat.uplink_ip().context("no uplink ip")?,
     };
-    Ok((lab, dev_ns.to_string(), r_dc, r_ix, expected_ip))
+    Ok((
+        lab,
+        dev_ns.to_string(),
+        r_dc,
+        r_ix,
+        expected_ip,
+        vec![g1, g2],
+    ))
 }
 
 /// Wraps a future with a tracing span and tokio timeout.
diff --git a/patchbay/src/tests/nat.rs b/patchbay/src/tests/nat.rs
index 67ae373..8f084a3 100644
--- a/patchbay/src/tests/nat.rs
+++ b/patchbay/src/tests/nat.rs
@@ -23,9 +23,7 @@ async fn cgnat_reflexive_ip() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 5478);
-    dc.spawn_reflector(r)?;
-
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let dev1 = lab.device_by_name("dev1").unwrap();
     let o = dev1.probe_udp_mapping(r)?;
@@ -71,8 +69,7 @@ async fn cgnat_shared_reflexive_ip() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 6478);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let provider = lab.device_by_name("provider").unwrap();
     let fetcher = lab.device_by_name("fetcher").unwrap();
@@ -143,7 +140,7 @@ async fn matrix_connectivity_and_reflexive_ip() -> Result<()> {
     for (mode, wiring) in cases {
         let port_base = 10000 + case_idx * 10;
         case_idx = case_idx.saturating_add(1);
-        let (lab, _dev_ns, r_dc, _r_ix, expected_ip) =
+        let (lab, _dev_ns, r_dc, _r_ix, expected_ip, _guards) =
             build_single_nat_case(mode, wiring, port_base).await?;
         let dev = lab.device_by_name("dev").unwrap();
         let r_dc_ip_str = r_dc.ip().to_string();
@@ -219,8 +216,7 @@ async fn private_isolation_public_reachable() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 12000);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let a1_map = a1.probe_udp_mapping(reflector)?;
     let a2_map = a2.probe_udp_mapping(reflector)?;
@@ -411,8 +407,7 @@ async fn same_nat_shared_ip() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 17_100);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let oa = dev_a.run_sync(move || test_utils::udp_roundtrip(r))?;
     let ob = dev_b.run_sync(move || test_utils::udp_roundtrip(r))?;
@@ -446,8 +441,7 @@ async fn different_nat_isolation() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 17_200);
-    dc.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let ip_a = dev_a.ip().unwrap();
     let ip_b = dev_b.ip().unwrap();
@@ -503,8 +497,7 @@ async fn v6_masquerade() -> Result<()> {
 
     let dc_ip_v6 = dc.uplink_ip_v6().expect("dc v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_ip_v6), 3500);
-    dc.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
 
     let o = dev.run_sync(move || test_utils::udp_roundtrip(r_v6))?;
     let home_wan_v6 = home.uplink_ip_v6().expect("home v6 uplink");
@@ -548,8 +541,7 @@ async fn v6_no_translation() -> Result<()> {
 
     let dc_ip_v6 = dc.uplink_ip_v6().expect("dc v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_ip_v6), 3494);
-    dc.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
 
     let o_v6 = dev.run_sync(move || test_utils::udp_roundtrip(r_v6))?;
     let dev_ip6 = dev.ip6().expect("device v6 addr");
@@ -579,8 +571,7 @@ async fn fullcone_external_reachable() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 20_000);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // Create a mapping via the reflector.
     let mapped = dev.probe_udp_mapping(reflector)?;
@@ -591,7 +582,7 @@ async fn fullcone_external_reachable() -> Result<()> {
     let dev_listen_port = mapped.port();
     let dev_ip = dev.ip().unwrap();
     let listen = SocketAddr::new(IpAddr::V4(dev_ip), dev_listen_port);
-    dev.spawn_reflector(listen)?;
+    let _r = dev.spawn_reflector(listen).await?;
 
     let reply = dc.run_sync(move || {
         let sock = std::net::UdpSocket::bind("0.0.0.0:0").context("nat fullcone dc udp bind")?;
@@ -634,8 +625,7 @@ async fn v6_masquerade_port_mapping() -> Result<()> {
 
     let dc_v6 = dc.uplink_ip_v6().context("dc v6 uplink")?;
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_v6), 20_100);
-    dc.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
 
     let o = dev.run_sync(move || test_utils::udp_roundtrip(r_v6))?;
     let nat_v6 = nat.uplink_ip_v6().context("nat v6 uplink")?;
diff --git a/patchbay/src/tests/nat64.rs b/patchbay/src/tests/nat64.rs
index 141c6e0..c673a86 100644
--- a/patchbay/src/tests/nat64.rs
+++ b/patchbay/src/tests/nat64.rs
@@ -38,8 +38,7 @@ async fn nat64_udp_v6_to_v4() -> Result<()> {
 
     // Start a UDP reflector on the datacenter server.
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9300);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // Build the NAT64 address: embed the dc's IPv4 into 64:ff9b::/96.
     let nat64_addr = crate::nat64::embed_v4_in_nat64(dc_ip);
@@ -126,8 +125,7 @@ async fn nat64_preserves_native_v6() -> Result<()> {
 
     // Regular v4 via NAT should still work.
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9302);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = phone.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(
diff --git a/patchbay/src/tests/preset.rs b/patchbay/src/tests/preset.rs
index b824f15..689072f 100644
--- a/patchbay/src/tests/preset.rs
+++ b/patchbay/src/tests/preset.rs
@@ -42,8 +42,7 @@ async fn preset_home() -> Result<()> {
 
     // Outbound UDP to DC should work through NAT.
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9220);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(rtt < Duration::from_millis(500), "outbound should work");
@@ -114,8 +113,7 @@ async fn preset_mobile() -> Result<()> {
 
     // Outbound should work.
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9222);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = phone.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(rtt < Duration::from_millis(500));
@@ -147,8 +145,7 @@ async fn preset_corporate_blocks_udp() -> Result<()> {
 
     // Corporate firewall should block arbitrary UDP.
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9223);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let blocked = dev.run_sync(move || test_utils::udp_rtt_sync(reflector));
     assert!(
@@ -196,8 +193,7 @@ async fn preset_override() -> Result<()> {
 
     // Outbound should work (FullCone + BlockInbound).
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9225);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(reflector))?;
     assert!(rtt < Duration::from_millis(500));
@@ -360,8 +356,7 @@ async fn preset_mobile_v6() -> Result<()> {
 
     // Phone can reach v4 server via NAT64 prefix.
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 9350);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let nat64_addr = crate::nat64::embed_v4_in_nat64(dc_ip);
     let nat64_target = SocketAddr::new(IpAddr::V6(nat64_addr), 9350);
diff --git a/patchbay/src/tests/region.rs b/patchbay/src/tests/region.rs
index 0932223..3d8954f 100644
--- a/patchbay/src/tests/region.rs
+++ b/patchbay/src/tests/region.rs
@@ -23,8 +23,7 @@ async fn basic_latency() -> Result<()> {
 
     let eu_ip = dc_eu.uplink_ip().context("no uplink ip")?;
     let r_eu = SocketAddr::new(IpAddr::V4(eu_ip), 9100);
-    dc_eu.spawn_reflector(r_eu)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc_eu.spawn_reflector(r_eu).await?;
 
     let rtt = dev_us.run_sync(move || test_utils::udp_rtt_sync(r_eu))?;
     assert!(
@@ -53,8 +52,7 @@ async fn default_regions() -> Result<()> {
 
     let eu_ip = dc_eu.uplink_ip().context("no uplink ip")?;
     let r_eu = SocketAddr::new(IpAddr::V4(eu_ip), 9101);
-    dc_eu.spawn_reflector(r_eu)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc_eu.spawn_reflector(r_eu).await?;
 
     let rtt = dev_us.run_sync(move || test_utils::udp_rtt_sync(r_eu))?;
     assert!(
@@ -81,8 +79,7 @@ async fn break_restore_link() -> Result<()> {
 
     let asia_ip = dc_asia.uplink_ip().context("no uplink ip")?;
     let r_asia = SocketAddr::new(IpAddr::V4(asia_ip), 9102);
-    dc_asia.spawn_reflector(r_asia)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc_asia.spawn_reflector(r_asia).await?;
 
     let rtt_direct = dc_eu.run_sync(move || test_utils::udp_rtt_sync(r_asia))?;
     assert!(
@@ -139,12 +136,11 @@ async fn impair_stacks_with_latency() -> Result<()> {
 
     let us_ip = dc_us.uplink_ip().context("no uplink ip")?;
     let r_us = SocketAddr::new(IpAddr::V4(us_ip), 18_700);
-    dc_us.spawn_reflector(r_us)?;
+    let _r = dc_us.spawn_reflector(r_us).await?;
 
     let eu_ip = dc_eu.uplink_ip().context("no uplink ip")?;
     let r_eu = SocketAddr::new(IpAddr::V4(eu_ip), 18_701);
-    dc_eu.spawn_reflector(r_eu)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc_eu.spawn_reflector(r_eu).await?;
 
     let rtt_cross = dev.run_sync(move || test_utils::udp_rtt_sync(r_us))?;
     assert!(
@@ -189,8 +185,7 @@ async fn v6_latency() -> Result<()> {
 
     let eu_v6 = dc_eu.uplink_ip_v6().expect("eu v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(eu_v6), 3495);
-    dc_eu.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc_eu.spawn_reflector(r_v6).await?;
 
     let rtt = dc_us.run_sync(move || test_utils::udp_rtt_sync(r_v6))?;
     assert!(
@@ -225,12 +220,11 @@ async fn dual_stack_latency() -> Result<()> {
 
     let eu_v4 = dc_eu.uplink_ip().expect("eu v4 uplink");
     let r_v4 = SocketAddr::new(IpAddr::V4(eu_v4), 3510);
-    dc_eu.spawn_reflector(r_v4)?;
+    let _r = dc_eu.spawn_reflector(r_v4).await?;
 
     let eu_v6 = dc_eu.uplink_ip_v6().expect("eu v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(eu_v6), 3511);
-    dc_eu.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc_eu.spawn_reflector(r_v6).await?;
 
     let rtt_v4 = dc_us.run_sync(move || test_utils::udp_rtt_sync(r_v4))?;
     assert!(
@@ -259,8 +253,7 @@ async fn regionless_to_region() -> Result<()> {
 
     let us_ip = dc_us.uplink_ip().context("no uplink ip")?;
     let r_us = SocketAddr::new(IpAddr::V4(us_ip), 9104);
-    dc_us.spawn_reflector(r_us)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc_us.spawn_reflector(r_us).await?;
 
     let rtt = dc.run_sync(move || test_utils::udp_rtt_sync(r_us))?;
     assert!(
@@ -296,8 +289,7 @@ async fn mixed_nat_region() -> Result<()> {
 
     let us_ip = dc_us.uplink_ip().context("no uplink ip")?;
     let r_us = SocketAddr::new(IpAddr::V4(us_ip), 9105);
-    dc_us.spawn_reflector(r_us)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc_us.spawn_reflector(r_us).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r_us))?;
     assert!(
@@ -344,12 +336,11 @@ async fn three_region_triangle() -> Result<()> {
 
     let b_ip = dc_b.uplink_ip().context("no b uplink ip")?;
     let r_b = SocketAddr::new(IpAddr::V4(b_ip), 20_400);
-    dc_b.spawn_reflector(r_b)?;
+    let _r = dc_b.spawn_reflector(r_b).await?;
 
     let c_ip = dc_c.uplink_ip().context("no c uplink ip")?;
     let r_c = SocketAddr::new(IpAddr::V4(c_ip), 20_401);
-    dc_c.spawn_reflector(r_c)?;
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc_c.spawn_reflector(r_c).await?;
 
     // A↔B: 30ms one-way → RTT ≥ 50ms.
     let rtt_ab = dc_a.run_sync(move || test_utils::udp_rtt_sync(r_b))?;
diff --git a/patchbay/src/tests/route.rs b/patchbay/src/tests/route.rs
index a864805..1b436dd 100644
--- a/patchbay/src/tests/route.rs
+++ b/patchbay/src/tests/route.rs
@@ -13,12 +13,13 @@ use super::*;
 async fn switch_default_reflexive_ip() -> Result<()> {
     use strum::IntoEnumIterator;
     let DualNatLab {
-        _lab: _,
+        _lab,
         dev,
         nat_a,
         nat_b,
         reflector,
         dc: _,
+        _reflector_guard,
     } = build_dual_nat_lab(Nat::Home, Nat::Corporate, 16_200).await?;
 
     let wan_a = nat_a.uplink_ip().context("no uplink ip")?;
@@ -69,12 +70,13 @@ async fn switch_default_reflexive_ip() -> Result<()> {
 #[traced_test]
 async fn switch_default_multiple_times() -> Result<()> {
     let DualNatLab {
-        _lab: _,
+        _lab,
         dc: _,
         dev,
         nat_a,
         nat_b,
         reflector,
+        _reflector_guard,
     } = build_dual_nat_lab(Nat::Home, Nat::Home, 16_300).await?;
 
     let wan_a = nat_a.uplink_ip().context("no uplink ip")?;
@@ -106,12 +108,13 @@ async fn switch_default_multiple_times() -> Result<()> {
 #[traced_test]
 async fn switch_default_tcp_roundtrip() -> Result<()> {
     let DualNatLab {
-        _lab: _,
+        _lab,
         dc,
         dev,
         nat_a: _,
         nat_b: _,
         reflector: _,
+        _reflector_guard,
     } = build_dual_nat_lab(Nat::Home, Nat::Corporate, 16_400).await?;
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
@@ -150,8 +153,7 @@ async fn replug_iface_udp() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 17_100);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     // Connectivity through nat_a works.
     dev.run_sync(move || test_utils::udp_roundtrip(reflector))
@@ -184,8 +186,7 @@ async fn replug_iface_reflexive_ip() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no dc uplink ip")?;
     let reflector = SocketAddr::new(IpAddr::V4(dc_ip), 17_200);
-    dc.spawn_reflector(reflector)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc.spawn_reflector(reflector).await?;
 
     let wan_a = nat_a.uplink_ip().context("no nat_a uplink ip")?;
     let wan_b = nat_b.uplink_ip().context("no nat_b uplink ip")?;
diff --git a/patchbay/src/tests/smoke.rs b/patchbay/src/tests/smoke.rs
index e67898c..9487677 100644
--- a/patchbay/src/tests/smoke.rs
+++ b/patchbay/src/tests/smoke.rs
@@ -49,9 +49,7 @@ async fn udp_roundtrip() -> Result<()> {
 
     let dc_ip = dc.uplink_ip().context("no uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc_ip), 3478);
-    dc.spawn_reflector(r)?;
-
-    tokio::time::sleep(Duration::from_millis(250)).await;
+    let _r = dc.spawn_reflector(r).await?;
 
     let _ = dev.run_sync(move || test_utils::udp_roundtrip(r))?;
     Ok(())
@@ -218,8 +216,7 @@ async fn dual_stack_roundtrip() -> Result<()> {
 
     let dc_ip_v4 = dc.uplink_ip().expect("dc should have v4 uplink");
     let r_v4 = SocketAddr::new(IpAddr::V4(dc_ip_v4), 3480);
-    dc.spawn_reflector(r_v4)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v4).await?;
     let o_v4 = dev.run_sync(move || test_utils::udp_roundtrip(r_v4))?;
     assert_eq!(
         o_v4.ip(),
@@ -229,8 +226,7 @@ async fn dual_stack_roundtrip() -> Result<()> {
 
     let dc_ip_v6 = dc.uplink_ip_v6().expect("dc should have v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_ip_v6), 3481);
-    dc.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
     let o_v6 = dev.run_sync(move || test_utils::udp_roundtrip(r_v6))?;
     assert!(o_v6.ip().is_ipv6(), "v6 reflexive should be IPv6");
 
@@ -264,8 +260,7 @@ async fn v6_only_roundtrip() -> Result<()> {
 
     let dc_ip_v6 = dc.uplink_ip_v6().expect("dc v6 uplink");
     let r_v6 = SocketAddr::new(IpAddr::V6(dc_ip_v6), 3490);
-    dc.spawn_reflector(r_v6)?;
-    tokio::time::sleep(Duration::from_millis(100)).await;
+    let _r = dc.spawn_reflector(r_v6).await?;
     let o = dev.run_sync(move || test_utils::udp_roundtrip(r_v6))?;
     assert!(o.ip().is_ipv6(), "reflexive should be v6");
     Ok(())
@@ -288,8 +283,7 @@ async fn no_region_overhead() -> Result<()> {
 
     let dc2_ip = dc2.uplink_ip().context("no uplink ip")?;
     let r = SocketAddr::new(IpAddr::V4(dc2_ip), 9103);
-    dc2.spawn_reflector(r)?;
-    tokio::time::sleep(Duration::from_millis(200)).await;
+    let _r = dc2.spawn_reflector(r).await?;
 
     let rtt = dev.run_sync(move || test_utils::udp_rtt_sync(r))?;
     assert!(

From 3053fc465af13c467a76fe5a8d113a3056752d5c Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 15:52:38 +0100
Subject: [PATCH 23/26] docs: finalize ipv6 link-local plan completion status

---
 plans/PLAN.md           |  1 +
 plans/ipv6-linklocal.md | 39 ++++++++++++++++++++++++---------------
 2 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/plans/PLAN.md b/plans/PLAN.md
index f8dc0d9..4469d6c 100644
--- a/plans/PLAN.md
+++ b/plans/PLAN.md
@@ -12,6 +12,7 @@
 
 ## Completed
 
+- [ipv6-linklocal.md](ipv6-linklocal.md) - priority 5; link-local/scoped routing parity, RA runtime controls, profile mapping, and docs finalized
 - [devtools-ui.md](devtools-ui.md) - priority 5; all phases complete, unified UI, per-namespace tracing, event system, axum server
 - [real-world-conditions.md](real-world-conditions.md) - priority 5; all 6 phases complete (NAT, impairment, MTU/removal/IP, hairpin, region routing, firewall)
 - [region-routing.md](region-routing.md) - priority 5; per-region router namespaces, 198.18.0.0/15 address space, inter-region veths, break/restore
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 21d1a14..33454b7 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -3,21 +3,21 @@
 ## TODO
 
 - [x] Write plan
-- [ ] Phase 0: Define target behavior and compatibility boundaries
+- [x] Phase 0: Define target behavior and compatibility boundaries
 - [x] Phase 1: Kernel behavior parity for link-local addresses and routes
-- [ ] Phase 2: Router Advertisement and Router Solicitation behavior
+- [x] Phase 2: Router Advertisement and Router Solicitation behavior
 - [x] Phase 2.3a: Add per-device IPv6 provisioning override for gradual migration
 - [x] Phase 3: Public API support for link-local and scope handling
-- [ ] Phase 4: Real-world presets for consumer and production-like IPv6
+- [x] Phase 4: Real-world presets for consumer and production-like IPv6
 - [x] Phase 4.1: Add lab IPv6 deployment profiles that map to DAD and provisioning defaults
 - [x] Phase 4.2a: Wire router preset defaults to profile recommendations
-- [ ] Phase 4.2b: Document preset-to-profile recommendations in user-facing docs
-- [ ] Phase 5: Tests and validation matrix
+- [x] Phase 4.2b: Document preset-to-profile recommendations in user-facing docs
+- [x] Phase 5: Tests and validation matrix
 - [x] Phase 5.1: Add RA worker lifecycle coverage for router namespace removal
 - [x] Phase 5.2: Add profile-behavior test for static vs RA-driven default-route semantics
 - [x] Phase 5.3a: Verify RA reconciliation only targets RA-driven devices when mixed with static overrides
-- [ ] Phase 5.3: Close remaining matrix gaps from this plan
-- [ ] Final review
+- [x] Phase 5.3: Close remaining matrix gaps from this plan
+- [x] Final review
 
 ## Goal
 
@@ -28,6 +28,12 @@ Make patchbay's IPv6 link-local behavior match production and consumer deploymen
 - Scope-aware APIs and routing behavior work for `fe80::/10` correctly.
 - Consumer CPE behavior and host behavior follow modern RFC expectations.
 
+## Completion Update (2026-03-04)
+
+- Core link-local, scoped routing, RA runtime controls, profile wiring, and per-device provisioning overrides are implemented.
+- Dedicated `ipv6_ll.rs` was retired after review feedback; coverage was folded back into stable test modules (`ipv6.rs`, `preset.rs`, `route.rs`, `lifecycle.rs`) to avoid fragile file-polling tracing tests.
+- Preset-to-profile behavior is documented in user-facing docs (`README.md`, `docs/reference/ipv6.md`).
+
 ## Real-World Deployment Baselines
 
 This section defines the target behavior we want to emulate first. These are the reference deployment classes for parity work.
@@ -334,9 +340,12 @@ Add focused tests, separate from existing IPv6 tests.
 
 Test module location:
 
-- New module file: `patchbay/src/tests/ipv6_ll.rs`
-- Register in `patchbay/src/tests/mod.rs` as `mod ipv6_ll;`
-- Keep existing `ipv6.rs` intact for broader IPv6 behavior, and use `ipv6_ll.rs` for link-local and RA/RS semantics.
+- Link-local and RA/RS coverage is implemented in existing stable test modules:
+  - `patchbay/src/tests/ipv6.rs`
+  - `patchbay/src/tests/preset.rs`
+  - `patchbay/src/tests/route.rs`
+  - `patchbay/src/tests/lifecycle.rs`
+  - `patchbay/src/tests/iface.rs`
 
 Core tests:
 
@@ -397,7 +406,7 @@ Additional exhaustiveness tests:
 26. `devtools_payload_backward_compatible_when_ll6_missing`
    - Verifies additive schema behavior when older runs or v4-only interfaces lack LLA fields.
 
-Implemented in `patchbay/src/tests/ipv6_ll.rs` so far:
+Implemented across the current test suite:
 
 - `link_local_presence_on_all_ipv6_ifaces`
 - `router_iface_api_exposes_ll6_consistently`
@@ -632,7 +641,7 @@ Files:
 Checks:
 
 - `cargo check -p patchbay --tests`
-- Add initial RA/RS tests in `patchbay/src/tests/ipv6_ll.rs`:
+- Add initial RA/RS tests in stable test modules:
   - `ra_source_is_link_local`
   - `host_learns_default_router_from_ra_link_local`
   - `router_lifetime_zero_withdraws_default_router`
@@ -648,7 +657,7 @@ Scope:
 
 - Surface `ll6` and scoped default-router metadata in events/state.
 - Render metadata in devtools UI.
-- Add schema/back-compat tests in `patchbay/src/tests/ipv6_ll.rs` and UI assertions as needed.
+- Add schema/back-compat tests in event/UI test modules as needed.
 
 Files:
 
@@ -698,9 +707,9 @@ Checks:
   - `cargo nextest run -p patchbay`
   - `cargo check` (workspace)
   - `cd ui && npm run test:e2e` if UI changed
-- All tests from Phase 5 matrix are implemented in `patchbay/src/tests/ipv6_ll.rs` and passing.
+- All Phase 5 behaviors are covered by the current test suite and passing.
 
 Exit criteria:
 
 - Profiles and presets are documented, test-backed, and ready for default rollout decision.
-- `ipv6_ll.rs` is the canonical link-local test module, and coverage is exhaustive for planned behavior.
+- Coverage is maintained in the existing long-lived test modules to reduce flakiness and duplication.

From 9906e8f1601fb8823fa184408de006fe04ba1d44 Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Wed, 4 Mar 2026 20:08:38 +0100
Subject: [PATCH 24/26] fix: tighten ipv6 default-route handling and align ipv6
 ll docs

---
 README.md                  |  8 +++----
 docs/guide/running-code.md |  7 ++++++
 docs/guide/topology.md     |  5 ++++
 docs/reference/ipv6.md     |  6 ++++-
 patchbay/src/core.rs       |  3 ++-
 patchbay/src/handles.rs    | 49 +++++++++++++++++++++-----------------
 patchbay/src/lab.rs        |  2 +-
 7 files changed, 51 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index 8da2c95..4c18094 100644
--- a/README.md
+++ b/README.md
@@ -151,9 +151,9 @@ Every IPv6-capable device/router interface now exposes a link-local address
 through the handle snapshots:
 
 - `Device::default_iface().and_then(|i| i.ll6())`
-- `Device::interfaces()[..].ll6()`
-- `Router::iface(\"wan\").and_then(|i| i.ll6())`
-- `Router::interfaces()[..].ll6()`
+- `Device::interfaces().iter().filter_map(|i| i.ll6())`
+- `router.iface("ix").or_else(|| router.iface("wan")).and_then(|i| i.ll6())`
+- `router.interfaces().iter().filter_map(|i| i.ll6())`
 
 Patchbay also supports explicit IPv6 provisioning and DAD modes via `LabOpts`:
 
@@ -166,7 +166,7 @@ let lab = Lab::with_opts(
 ```
 
 `Ipv6ProvisioningMode::Static` keeps route wiring deterministic.  
-`Ipv6ProvisioningMode::RaDriven` enables the RA-driven path.  
+`Ipv6ProvisioningMode::RaDriven` enables patchbay's RA/RS-driven path.  
 `Ipv6DadMode::Disabled` is the current default for deterministic test setup.
 
 ### Firewalls
diff --git a/docs/guide/running-code.md b/docs/guide/running-code.md
index 77cbf67..e76ddc0 100644
--- a/docs/guide/running-code.md
+++ b/docs/guide/running-code.md
@@ -211,6 +211,13 @@ Handle methods return `Result` or `Option` when the underlying node has
 been removed from the lab. If you hold a handle to a device that no longer
 exists, calls will return an error rather than panicking.
 
+When debugging IPv6 behavior, inspect interface snapshots instead of only
+top-level `ip6()` accessors:
+
+- `device.default_iface().and_then(|i| i.ip6())` for global/ULA IPv6.
+- `device.default_iface().and_then(|i| i.ll6())` for link-local `fe80::/10`.
+- `router.interfaces()` for `RouterIface` snapshots on `ix`/`wan` and bridge.
+
 ## Cleanup
 
 When the `Lab` is dropped, it shuts down all async and sync workers, then
diff --git a/docs/guide/topology.md b/docs/guide/topology.md
index 9353964..f2e9bc8 100644
--- a/docs/guide/topology.md
+++ b/docs/guide/topology.md
@@ -120,8 +120,13 @@ You can read a device's assigned addresses through the handle:
 ```rust
 let v4: Option<Ipv4Addr> = server.ip();
 let v6: Option<Ipv6Addr> = server.ip6();
+let ll: Option<Ipv6Addr> = server.default_iface().and_then(|i| i.ll6());
 ```
 
+For router-side address inspection, use `router.interfaces()` or
+`router.iface("ix")` / `router.iface("wan")` and read `ip6()` plus `ll6()`
+from `RouterIface`.
+
 ### Multi-homed devices
 
 A device can have multiple interfaces, each connected to a different
diff --git a/docs/reference/ipv6.md b/docs/reference/ipv6.md
index 0c85220..d21e9a4 100644
--- a/docs/reference/ipv6.md
+++ b/docs/reference/ipv6.md
@@ -256,10 +256,14 @@ let lab = Lab::with_opts(
 ```
 
 - `Ipv6ProvisioningMode::Static`: patchbay installs routes during wiring.
-- `Ipv6ProvisioningMode::RaDriven`: enables RA-driven provisioning path.
+- `Ipv6ProvisioningMode::RaDriven`: enables patchbay's RA/RS-driven provisioning path.
 - `Ipv6DadMode::Disabled`: deterministic mode, current default.
 - `Ipv6DadMode::Enabled`: kernel DAD behavior in namespaces.
 
+In `RaDriven` mode, patchbay emits structured RA/RS events and installs
+link-local scoped default routes for default interfaces. This models host
+routing behavior while keeping tests deterministic and introspectable.
+
 ### Scoped default route behavior
 
 When an IPv6 default gateway is link-local (`fe80::/10`), route installation
diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 959f374..9b302cb 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -1952,9 +1952,10 @@ where
 pub(crate) async fn setup_root_ns_async(
     cfg: &CoreConfig,
     netns: &Arc<netns::NetnsManager>,
+    dad_mode: Ipv6DadMode,
 ) -> Result<()> {
     let root_ns = cfg.root_ns.clone();
-    create_named_netns(netns, &root_ns, None, None, Ipv6DadMode::Disabled)?;
+    create_named_netns(netns, &root_ns, None, None, dad_mode)?;
 
     netns.run_closure_in(&root_ns, || {
         set_sysctl_root("net/ipv4/ip_forward", "1")?;
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 89352b3..81dfce7 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -99,6 +99,23 @@ async fn reconcile_radriven_default_v6_routes(
     Ok(())
 }
 
+fn select_default_v6_gateway(
+    provisioning: Ipv6ProvisioningMode,
+    ra_default_enabled: bool,
+    gw_v6: Option<Ipv6Addr>,
+    gw_ll_v6: Option<Ipv6Addr>,
+) -> Option<Ipv6Addr> {
+    if provisioning == Ipv6ProvisioningMode::RaDriven {
+        if ra_default_enabled {
+            gw_ll_v6.or(gw_v6)
+        } else {
+            None
+        }
+    } else {
+        gw_v6.or(gw_ll_v6)
+    }
+}
+
 // ─────────────────────────────────────────────
 // Device / Router / DeviceIface handles
 // ─────────────────────────────────────────────
@@ -386,7 +403,7 @@ impl Device {
         .await?;
         if is_default_via {
             let provisioning = self.provisioning_mode()?;
-            let (gw_ip, gw_v6, gw_ll_v6, provisioning, ra_default_enabled) = {
+            let (gw_ip, gw_v6, gw_ll_v6, ra_default_enabled) = {
                 let inner = self.lab.core.lock().unwrap();
                 let gw_ip = inner.router_downlink_gw_for_switch(uplink)?;
                 let gw_v6 = inner.router_downlink_gw6_for_switch(uplink)?;
@@ -395,21 +412,13 @@ impl Device {
                     gw_ip,
                     gw_v6.global_v6,
                     gw_v6.link_local_v6,
-                    provisioning,
                     ra_default_enabled,
                 )
             };
             core::nl_run(&self.lab.netns, &ns, move |nl: Netlink| async move {
                 nl.replace_default_route_v4(&ifname_owned, gw_ip).await?;
-                let primary_v6 = if provisioning == Ipv6ProvisioningMode::RaDriven {
-                    if ra_default_enabled {
-                        gw_ll_v6.or(gw_v6)
-                    } else {
-                        None
-                    }
-                } else {
-                    gw_v6.or(gw_ll_v6)
-                };
+                let primary_v6 =
+                    select_default_v6_gateway(provisioning, ra_default_enabled, gw_v6, gw_ll_v6);
                 if let Some(gw6) = primary_v6 {
                     if gw6.is_unicast_link_local() {
                         nl.replace_default_route_v6_scoped(&ifname_owned, gw6)
@@ -417,6 +426,8 @@ impl Device {
                     } else {
                         nl.replace_default_route_v6(&ifname_owned, gw6).await?;
                     }
+                } else {
+                    nl.clear_default_route_v6().await?;
                 }
                 Ok(())
             })
@@ -456,7 +467,7 @@ impl Device {
             .ok_or_else(|| anyhow!("device removed"))?;
         let _guard = op.lock().await;
         let provisioning = self.provisioning_mode()?;
-        let (ns, impair, gw_ip, gw_v6, gw_ll_v6, provisioning, ra_default_enabled) = {
+        let (ns, impair, gw_ip, gw_v6, gw_ll_v6, ra_default_enabled) = {
             let inner = self.lab.core.lock().unwrap();
             let dev = inner
                 .device(self.id)
@@ -473,28 +484,22 @@ impl Device {
                 gw_ip,
                 gw_v6.global_v6,
                 gw_v6.link_local_v6,
-                provisioning,
                 ra_default_enabled,
             )
         };
         let to_owned = to.to_string();
         core::nl_run(&self.lab.netns, &ns, move |nl: Netlink| async move {
             nl.replace_default_route_v4(&to_owned, gw_ip).await?;
-            let primary_v6 = if provisioning == Ipv6ProvisioningMode::RaDriven {
-                if ra_default_enabled {
-                    gw_ll_v6.or(gw_v6)
-                } else {
-                    None
-                }
-            } else {
-                gw_v6.or(gw_ll_v6)
-            };
+            let primary_v6 =
+                select_default_v6_gateway(provisioning, ra_default_enabled, gw_v6, gw_ll_v6);
             if let Some(gw6) = primary_v6 {
                 if gw6.is_unicast_link_local() {
                     nl.replace_default_route_v6_scoped(&to_owned, gw6).await?;
                 } else {
                     nl.replace_default_route_v6(&to_owned, gw6).await?;
                 }
+            } else {
+                nl.clear_default_route_v6().await?;
             }
             Ok(())
         })
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index f1fac8f..4f0d696 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -467,7 +467,7 @@ impl Lab {
         };
         // Initialize root namespace and IX bridge eagerly — no lazy-init race.
         let cfg = lab.inner.core.lock().unwrap().cfg.clone();
-        setup_root_ns_async(&cfg, &netns)
+        setup_root_ns_async(&cfg, &netns, opts.ipv6_dad_mode)
             .await
             .context("failed to set up root namespace")?;
 

From cba194c1b49fbbe1ea435703ca14868cad3221aa Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Thu, 5 Mar 2026 00:01:00 +0100
Subject: [PATCH 25/26] docs: clarify ipv6 fidelity and add limitations
 reference

---
 README.md               |   7 +++
 docs/SUMMARY.md         |   1 +
 docs/introduction.md    |   4 ++
 docs/limitations.md     | 104 ++++++++++++++++++++++++++++++++++++++++
 docs/reference/ipv6.md  |  33 +++++++++++++
 patchbay/src/core.rs    |   8 ++--
 patchbay/src/handles.rs |   4 ++
 patchbay/src/lab.rs     |  13 ++++-
 plans/ipv6-linklocal.md |   1 +
 9 files changed, 169 insertions(+), 6 deletions(-)
 create mode 100644 docs/limitations.md

diff --git a/README.md b/README.md
index 4c18094..2ec9d2d 100644
--- a/README.md
+++ b/README.md
@@ -169,6 +169,13 @@ let lab = Lab::with_opts(
 `Ipv6ProvisioningMode::RaDriven` enables patchbay's RA/RS-driven path.  
 `Ipv6DadMode::Disabled` is the current default for deterministic test setup.
 
+In `RaDriven` mode, patchbay models Router Advertisement and Router
+Solicitation behavior through structured events and route updates. It does
+not emit raw ICMPv6 RA or RS packets on the virtual links.
+
+For full scope and known gaps, see [Book limitations](docs/limitations.md)
+and [IPv6 reference](docs/reference/ipv6.md).
+
 ### Firewalls
 
 Firewall presets control both inbound and outbound traffic:
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index b3fd6c4..2df8fb2 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -1,6 +1,7 @@
 # Summary
 
 [Introduction](introduction.md)
+[Limitations](limitations.md)
 
 # Guide
 
diff --git a/docs/introduction.md b/docs/introduction.md
index 0762dab..276e1fd 100644
--- a/docs/introduction.md
+++ b/docs/introduction.md
@@ -25,6 +25,10 @@ common network scenarios like WiFi handoff and VPN tunnels, the internals
 of NAT traversal and hole-punching as implemented in nftables, and the
 TOML simulation file format used by the patchbay runner.
 
+The **Limitations** page documents known boundaries of the current model.
+Read it before relying on packet-level control-plane behavior, operating
+system specific network-stack quirks, or low-level timing fidelity.
+
 A built-in devtools server (`patchbay serve`) provides an interactive web
 UI for inspecting lab runs: topology graphs, event timelines,
 per-namespace structured logs, and performance results. Set
diff --git a/docs/limitations.md b/docs/limitations.md
new file mode 100644
index 0000000..fe45e87
--- /dev/null
+++ b/docs/limitations.md
@@ -0,0 +1,104 @@
+# Limitations
+
+This page documents known limitations of patchbay. The goal is to help you
+decide when patchbay is a good fit, and where you should expect differences
+from production systems.
+
+## IPv6 limitations
+
+### RA and RS are modeled, not packet-emulated
+
+In `Ipv6ProvisioningMode::RaDriven`, patchbay models Router Advertisement
+(RA) and Router Solicitation (RS) behavior through route updates and
+structured tracing events. It does not currently send raw ICMPv6 RA or RS
+packets on virtual links.
+
+Impact:
+
+- Application-level routing behavior is usually close to production.
+- Packet-capture workflows that expect real RA/RS frames are not covered yet.
+
+### SLAAC behavior is partial
+
+Patchbay models default-route and address behavior needed for routing tests,
+but it does not currently implement a full Stateless Address
+Autoconfiguration (SLAAC) state machine with all timing transitions.
+
+Impact:
+
+- Connectivity and route-selection tests work well.
+- Detailed host autoconfiguration timing studies are out of scope.
+
+### Neighbor Discovery timing is not fully emulated
+
+Neighbor Discovery (ND) address and router behavior is represented in route
+and interface state, but exact kernel-level timing of ND probes, retries, and
+expiration is not fully emulated.
+
+Impact:
+
+- Most application tests are unaffected.
+- Low-level protocol timing analysis should use a dedicated packet-level setup.
+
+### DHCPv6 prefix delegation is not implemented
+
+Patchbay does not implement a DHCPv6 Prefix Delegation server or client flow.
+Use static /64 allocation in topologies.
+
+Impact:
+
+- Residential-prefix churn workflows are not fully represented.
+- Prefix-based routing and NAT64 scenarios still work with static setup.
+
+## General platform and model limitations
+
+### Linux-only execution model
+
+Patchbay uses Linux network namespaces, nftables, and tc. It models network
+behavior through the Linux kernel network stack.
+
+Impact:
+
+- Native execution requires Linux.
+- macOS and Windows host stacks are not emulated byte-for-byte.
+
+### Requires kernel features and host tooling
+
+Patchbay depends on user namespaces and network tools such as `nft` and `tc`.
+If those capabilities are unavailable or restricted, labs cannot run.
+
+Impact:
+
+- Some CI and container environments need extra setup.
+- Missing kernel features can block specific scenarios.
+
+### No wireless or cellular radio-layer simulation
+
+Patchbay models link effects with `tc` parameters such as latency, jitter,
+loss, and rate limits. It does not model WiFi or cellular PHY/MAC behavior.
+
+Impact:
+
+- Good for transport and application resilience testing.
+- Not suitable for radio scheduling or handover signaling research.
+
+### Dynamic routing protocols are not built in
+
+Patchbay focuses on static topology wiring, NAT, firewalling, and route
+management through its API. It does not include built-in BGP, OSPF, or RIP
+control-plane implementations.
+
+Impact:
+
+- You can still run routing daemons inside namespaces yourself.
+- Protocol orchestration is user-managed, not first-class in patchbay.
+
+### Time and clock behavior are not virtualized
+
+Patchbay uses the host kernel clock and scheduler behavior. It does not
+virtualize per-node clocks or provide deterministic virtual time.
+
+Impact:
+
+- Most integration tests work as expected.
+- Time-sensitive distributed-system tests may need additional controls.
diff --git a/docs/reference/ipv6.md b/docs/reference/ipv6.md
index d21e9a4..ba32f6c 100644
--- a/docs/reference/ipv6.md
+++ b/docs/reference/ipv6.md
@@ -4,6 +4,23 @@ How IPv6 works in practice and how to simulate each scenario in patchbay.
 
 ---
 
+## IPv6 Terms Used Here
+
+This page uses a few IPv6 terms that often appear as acronyms:
+
+- **GUA** means Global Unicast Address, an address that is globally routable.
+- **ULA** means Unique Local Address, usually in `fd00::/8`, for local use.
+- **Link-local address** means an address in `fe80::/10`, valid only on one link.
+- **SLAAC** means Stateless Address Autoconfiguration, host-side address setup from router announcements.
+- **RA** means Router Advertisement, a router message that tells hosts about prefixes and default routers.
+- **RS** means Router Solicitation, a host message that asks routers for an advertisement.
+- **DAD** means Duplicate Address Detection, kernel checks for address collisions before an address becomes preferred.
+
+When this document introduces a concept with an acronym, it also explains
+what the concept does for routing and application behavior.
+
+---
+
 ## How ISPs Actually Deploy IPv6
 
 ### Residential (FTTH, Cable, DSL)
@@ -264,6 +281,22 @@ In `RaDriven` mode, patchbay emits structured RA/RS events and installs
 link-local scoped default routes for default interfaces. This models host
 routing behavior while keeping tests deterministic and introspectable.
 
+### Fidelity and Current Limitations
+
+Patchbay currently models RA and RS behavior at the control-plane level:
+
+- It updates routes and emits structured RA and RS events in tracing logs.
+- It does not currently emit raw ICMPv6 RA or RS packets on virtual links.
+
+This means most application-level route and connectivity behavior is covered,
+but some protocol-observer behavior is not yet modeled:
+
+- Full SLAAC state-machine behavior across all timers and transitions.
+- Neighbor Discovery timing details, including exact probe/retransmit timing.
+- Host temporary address rotation and privacy-address lifecycles.
+
+For the complete project-wide list, see [Limitations](../limitations.md).
+
 ### Scoped default route behavior
 
 When an IPv6 default gateway is link-local (`fe80::/10`), route installation
diff --git a/patchbay/src/core.rs b/patchbay/src/core.rs
index 9b302cb..8559042 100644
--- a/patchbay/src/core.rs
+++ b/patchbay/src/core.rs
@@ -2736,7 +2736,7 @@ pub(crate) async fn wire_iface_async(
     })
     .await?;
 
-    // DAD already disabled by create_named_netns.
+    // DAD mode was configured by create_named_netns before interfaces were created.
     nl_run(netns, &dev.dev_ns, {
         let d = dev.clone();
         let root_dev = root_dev.clone();
@@ -2827,10 +2827,10 @@ fn link_local_from_seed(seed: u64) -> Ipv6Addr {
 // Netns + process helpers
 // ─────────────────────────────────────────────
 
-/// Creates a namespace with optional DNS overlay and disables IPv6 DAD.
+/// Creates a namespace with optional DNS overlay and applies IPv6 DAD mode.
 ///
-/// IPv6 DAD is disabled immediately so interfaces moved in will inherit
-/// `dad_transmits=0` and addresses go straight to "valid" state.
+/// When `dad_mode` is disabled, this sets `accept_dad=0` and
+/// `dad_transmits=0` before interfaces are moved in.
 pub(crate) fn create_named_netns(
     netns: &netns::NetnsManager,
     name: &str,
diff --git a/patchbay/src/handles.rs b/patchbay/src/handles.rs
index 81dfce7..7ad1060 100644
--- a/patchbay/src/handles.rs
+++ b/patchbay/src/handles.rs
@@ -1184,6 +1184,8 @@ impl Router {
     ///
     /// This affects subsequent RA-driven route refresh operations and any
     /// future device wiring. Existing RA worker task lifecycle is not changed.
+    /// RA behavior in patchbay is currently modeled through structured events
+    /// and route updates, not raw ICMPv6 control packets.
     pub async fn set_ra_enabled(&self, enabled: bool) -> Result<()> {
         let op = self
             .lab
@@ -1217,6 +1219,7 @@ impl Router {
     ///
     /// Value is clamped to at least one second.
     /// Existing RA worker task lifecycle is not changed.
+    /// This interval controls modeled RA event cadence.
     pub async fn set_ra_interval_secs(&self, secs: u64) -> Result<()> {
         let op = self
             .lab
@@ -1236,6 +1239,7 @@ impl Router {
     ///
     /// A value of `0` represents default-router withdrawal semantics.
     /// Existing RA worker task lifecycle is not changed.
+    /// This affects modeled route withdrawal in RA-driven mode.
     pub async fn set_ra_lifetime_secs(&self, secs: u64) -> Result<()> {
         let op = self
             .lab
diff --git a/patchbay/src/lab.rs b/patchbay/src/lab.rs
index 4f0d696..22f81bc 100644
--- a/patchbay/src/lab.rs
+++ b/patchbay/src/lab.rs
@@ -313,7 +313,10 @@ pub enum Ipv6ProvisioningMode {
     /// Install routes directly from patchbay wiring logic.
     #[default]
     Static,
-    /// RA/RS-driven provisioning path.
+    ///
+    /// This mode follows RA and RS semantics for route installation and
+    /// emits structured RA and RS events into patchbay logs. It does not
+    /// emit raw ICMPv6 Router Advertisement or Router Solicitation packets.
     RaDriven,
 }
 
@@ -1781,6 +1784,9 @@ impl RouterBuilder {
     }
 
     /// Enables or disables router advertisement emission in RA-driven mode.
+    ///
+    /// In the current implementation, this controls structured RA events and
+    /// default-route behavior, not raw ICMPv6 packet emission.
     pub fn ra_enabled(mut self, enabled: bool) -> Self {
         if self.result.is_ok() {
             self.ra_enabled = enabled;
@@ -1789,6 +1795,8 @@ impl RouterBuilder {
     }
 
     /// Sets the RA interval in seconds, clamped to at least 1 second.
+    ///
+    /// This interval drives patchbay's RA event cadence in RA-driven mode.
     pub fn ra_interval_secs(mut self, secs: u64) -> Self {
         if self.result.is_ok() {
             self.ra_interval_secs = secs.max(1);
@@ -1798,7 +1806,8 @@ impl RouterBuilder {
 
     /// Sets Router Advertisement lifetime in seconds.
     ///
-    /// A value of `0` advertises default-router withdrawal semantics.
+    /// A value of `0` advertises default-router withdrawal semantics in
+    /// patchbay's RA-driven route model.
     pub fn ra_lifetime_secs(mut self, secs: u64) -> Self {
         if self.result.is_ok() {
             self.ra_lifetime_secs = secs;
diff --git a/plans/ipv6-linklocal.md b/plans/ipv6-linklocal.md
index 33454b7..fcc60cb 100644
--- a/plans/ipv6-linklocal.md
+++ b/plans/ipv6-linklocal.md
@@ -33,6 +33,7 @@ Make patchbay's IPv6 link-local behavior match production and consumer deploymen
 - Core link-local, scoped routing, RA runtime controls, profile wiring, and per-device provisioning overrides are implemented.
 - Dedicated `ipv6_ll.rs` was retired after review feedback; coverage was folded back into stable test modules (`ipv6.rs`, `preset.rs`, `route.rs`, `lifecycle.rs`) to avoid fragile file-polling tracing tests.
 - Preset-to-profile behavior is documented in user-facing docs (`README.md`, `docs/reference/ipv6.md`).
+- IPv6 fidelity boundaries are now documented explicitly in API docs, README, book reference docs, and a new book limitations page (`docs/limitations.md`), including current gaps around packet-level RA/RS, full SLAAC state machines, and ND timing.
 
 ## Real-World Deployment Baselines
 

From d9ff2a4c162d84941bdea70a971b986e526c5c6e Mon Sep 17 00:00:00 2001
From: Frando <frando@unbiskant.org>
Date: Thu, 5 Mar 2026 00:19:59 +0100
Subject: [PATCH 26/26] docs: refine prose style and normalize reference
 wording

---
 README.md                        | 10 +++++-----
 docs/guide/getting-started.md    |  4 ++--
 docs/reference/ipv6.md           | 32 ++++++++++++++++----------------
 docs/reference/toml-reference.md | 26 +++++++++++++-------------
 4 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index 2ec9d2d..ae48a59 100644
--- a/README.md
+++ b/README.md
@@ -339,15 +339,15 @@ patchbay run ./sims/my-sim.toml --open
 
 The UI provides five tabs:
 
-- **Topology** — interactive graph of routers, devices, and links with a
+- **Topology**: interactive graph of routers, devices, and links with a
   detail sidebar showing NAT, firewall, IPs, and counters.
-- **Events** — table of lab lifecycle events (router added, device added,
+- **Events**: table of lab lifecycle events (router added, device added,
   NAT changed, etc.) with relative/absolute timestamps.
-- **Logs** — per-namespace tracing log viewer with JSON parsing, level
+- **Logs**: per-namespace tracing log viewer with JSON parsing, level
   badges, and target filtering. Supports jump-to-log from the timeline.
-- **Timeline** — grid of extracted `_events` per node over time, with
+- **Timeline**: grid of extracted `_events` per node over time, with
   detail pane and jump-to-log.
-- **Perf** — throughput results table (only for TOML runner sims).
+- **Perf**: throughput results table (only for TOML runner sims).
 
 Each `Lab` instance writes to a timestamped subdirectory under the outdir.
 Multiple runs accumulate in the same outdir and appear in the run selector.
diff --git a/docs/guide/getting-started.md b/docs/guide/getting-started.md
index 28678f5..4a74612 100644
--- a/docs/guide/getting-started.md
+++ b/docs/guide/getting-started.md
@@ -221,8 +221,8 @@ pollutes the host.
 
 ## Viewing results in the browser
 
-patchbay can write structured output to disk — topology events,
-per-namespace tracing logs, and extracted custom events — and serve them
+patchbay can write structured output to disk, including topology events,
+per-namespace tracing logs, and extracted custom events, and serve them
 in an interactive web UI. Set the `PATCHBAY_OUTDIR` environment variable
 to enable this:
 
diff --git a/docs/reference/ipv6.md b/docs/reference/ipv6.md
index ba32f6c..5ffa975 100644
--- a/docs/reference/ipv6.md
+++ b/docs/reference/ipv6.md
@@ -28,8 +28,8 @@ what the concept does for routing and application behavior.
 ISPs assign a **globally routable prefix** (typically /56 or /60) via
 DHCPv6-PD (Prefix Delegation). The CE (Customer Edge) router carves /64s
 from this prefix for each LAN segment. Devices get **public GUA addresses**
-— no NAT involved. The security boundary is a **stateful firewall** on the
-CE router that blocks unsolicited inbound connections (RFC 6092).
+with no NAT involved. The security boundary is a **stateful firewall**
+on the CE router that blocks unsolicited inbound connections (RFC 6092).
 
 IPv4 access is provided in parallel via dual-stack (separate IPv4 address
 with NAT44) or via DS-Lite / MAP-E / MAP-T (IPv4-in-IPv6 tunneling to the
@@ -37,7 +37,7 @@ ISP's AFTR).
 
 **Key properties:**
 - Devices have globally routable IPv6 addresses
-- No IPv6 NAT — the prefix is public
+- No IPv6 NAT, the prefix is public
 - Stateful firewall blocks inbound, allows outbound + established
 - SLAAC for address assignment (not DHCPv6 address assignment)
 - Privacy extensions (RFC 4941) rotate source addresses
@@ -47,7 +47,7 @@ ISP's AFTR).
 ### Mobile (4G/5G)
 
 Each device typically gets a **single /64** via RA (Router Advertisement).
-The device is the only host on its /64. There is no home router — the
+The device is the only host on its /64. There is no home router, and the
 carrier's gateway acts as the first hop.
 
 For IPv4 access, carriers use either:
@@ -60,14 +60,14 @@ Some carriers (T-Mobile US, Jio) are IPv6-only with NAT64. Others
 **Key properties:**
 - One /64 per device (not shared)
 - NAT64/DNS64 for IPv4 access (no real IPv4 address)
-- No firewall — carrier relies on per-device /64 isolation
+- No firewall, carrier relies on per-device /64 isolation
 - 3GPP CGNAT for remaining IPv4 users
 
 ### Enterprise / Corporate
 
 Enterprises typically run dual-stack internally with PA (Provider
 Aggregatable) or PI (Provider Independent) space. Strict firewalls allow
-only TCP 80/443 and UDP 53 outbound. All other ports are blocked —
+only TCP 80/443 and UDP 53 outbound. All other ports are blocked,
 STUN/TURN on non-standard ports fails, must use TURN-over-TLS on 443.
 
 Some enterprises use ULA (fd00::/8) internally with NAT66 at the border,
@@ -91,10 +91,10 @@ GUA addresses with a restrictive firewall.
 RFC 4193 ULA (fd00::/8) was designed for stable internal addressing, not
 as an IPv6 equivalent of RFC 1918. In practice:
 
-- **No major ISP deploys NAT66** — it defeats the end-to-end principle
+- **No major ISP deploys NAT66**, it defeats the end-to-end principle
 - Android **does not support NAT66** (no DHCPv6 client, only SLAAC)
 - ULA is used alongside GUA for stable internal addressing, never alone
-- RFC 6296 NPTv6 (prefix translation) exists but is niche — mostly
+- RFC 6296 NPTv6 (prefix translation) exists but is niche, mostly
   for multihoming, not general NAT
 
 If you need to simulate "NATted IPv6", use NPTv6 (`NatV6Mode::Nptv6`)
@@ -143,14 +143,14 @@ blocks unsolicited inbound on both families.
 ```rust
 let home = lab.add_router("home").preset(RouterPreset::Home).build().await?;
 let laptop = lab.add_device("laptop").uplink(home.id()).build().await?;
-// laptop.ip()  → 10.0.x.x (private IPv4, NATted)
-// laptop.ip6() → fd10:0:x::2 (ULA v6, firewalled)
+// laptop.ip()  -> 10.0.x.x (private IPv4, NATted)
+// laptop.ip6() -> fd10:0:x::2 (ULA v6, firewalled)
 ```
 
 ### Scenario 2: IPv6-Only Mobile with NAT64
 
 A carrier network where devices only have IPv6. IPv4 destinations are
-reached via NAT64 — a userspace SIIT translator on the router converts
+reached via NAT64, a userspace SIIT translator on the router converts
 between IPv6 and IPv4 headers using the well-known prefix `64:ff9b::/96`.
 
 ```rust
@@ -158,13 +158,13 @@ let carrier = lab.add_router("carrier")
     .preset(RouterPreset::MobileV6)
     .build().await?;
 let phone = lab.add_device("phone").uplink(carrier.id()).build().await?;
-// phone.ip6() → 2001:db8:1:x::2 (public GUA)
-// phone.ip()  → None (no IPv4 on the device)
+// phone.ip6() -> 2001:db8:1:x::2 (public GUA)
+// phone.ip()  -> None (no IPv4 on the device)
 
 // Reach an IPv4 server via NAT64:
 use patchbay::nat64::embed_v4_in_nat64;
 let nat64_addr = embed_v4_in_nat64(server_v4_ip);
-// Connect to [64:ff9b::<server_v4>]:port — translated to IPv4 by the router
+// Connect to [64:ff9b::<server_v4>]:port, translated to IPv4 by the router
 ```
 
 The `MobileV6` preset configures: `IpSupport::V6Only` + `NatV6Mode::Nat64`
@@ -181,7 +181,7 @@ let carrier = lab.add_router("carrier")
 ### Scenario 3: Corporate Firewall (Restrictive)
 
 Enterprise network that blocks everything except web traffic. STUN/ICE
-fails — P2P apps must fall back to TURN-over-TLS on port 443.
+fails, P2P apps must fall back to TURN-over-TLS on port 443.
 
 ```rust
 let corp = lab.add_router("corp").preset(RouterPreset::Corporate).build().await?;
@@ -316,7 +316,7 @@ neighbor discovery breaks and the router becomes unreachable.
 ### IPv6 Firewall Is Not Optional
 
 On IPv4, NAT implicitly blocks inbound connections (no port mapping = no
-access). On IPv6 with public GUA addresses, there is **no NAT** — devices
+access). On IPv6 with public GUA addresses, there is **no NAT**, devices
 are directly addressable. Without `Firewall::BlockInbound`, any host on
 the IX can connect to your devices. This matches reality: every CE router
 ships with an IPv6 stateful firewall enabled by default.
diff --git a/docs/reference/toml-reference.md b/docs/reference/toml-reference.md
index 6c1eef8..0a40d6f 100644
--- a/docs/reference/toml-reference.md
+++ b/docs/reference/toml-reference.md
@@ -142,7 +142,7 @@ value before the steps execute. This substitution happens at expansion time
 # In the group step:
 content = "cert_path = \"${${group.device}-cert.cert_pem_path}\""
 # After group expansion (e.g. device="relay"):
-#   → cert_path = "${relay-cert.cert_pem_path}"
+#   -> cert_path = "${relay-cert.cert_pem_path}"
 # Then resolved at runtime as a capture reference.
 ```
 
@@ -176,10 +176,10 @@ Runs a command and waits for it to exit before moving to the next step.
 | Key        | Type    | Default  | Description |
 |------------|---------|----------|-------------|
 | `cmd`      | array   | required | Command and arguments. Supports `${binary.<n>}`, `$NETSIM_IP_<device>`, `${id.capture}`. |
-| `args`     | array   | —        | Appended to the template's `cmd`. Does not replace it. |
+| `args`     | array   | none     | Appended to the template's `cmd`. Does not replace it. |
 | `parser`   | string  | `"text"` | Output parser. See [parsers](#parsers). |
-| `captures` | table   | —        | Named captures. See [`[captures]`](#captures). |
-| `results`  | table   | —        | Normalized result fields. See [`[results]`](#results). |
+| `captures` | table   | none     | Named captures. See [`[captures]`](#captures). |
+| `results`  | table   | none     | Normalized result fields. See [`[results]`](#results). |
 
 ---
 
@@ -190,11 +190,11 @@ Starts a process in the background. A later `wait-for` step waits for it to exit
 | Key           | Type    | Default  | Description |
 |---------------|---------|----------|-------------|
 | `cmd`         | array   | required | Command and arguments. |
-| `args`        | array   | —        | Appended to the template's `cmd`. |
+| `args`        | array   | none     | Appended to the template's `cmd`. |
 | `parser`      | string  | `"text"` | Output parser. See [parsers](#parsers). |
-| `ready_after` | duration| —        | How long to wait after spawning before the next step runs. Useful when a process needs startup time but doesn't print a ready signal. |
-| `captures`    | table   | —        | Named captures. See [`[captures]`](#captures). |
-| `results`     | table   | —        | Normalized result fields. Collected when the process exits. |
+| `ready_after` | duration| none     | How long to wait after spawning before the next step runs. Useful when a process needs startup time but doesn't print a ready signal. |
+| `captures`    | table   | none     | Named captures. See [`[captures]`](#captures). |
+| `results`     | table   | none     | Normalized result fields. Collected when the process exits. |
 
 ---
 
@@ -263,7 +263,7 @@ written to `{work_dir}/certs/{id}/` and also stored as captures.
 | Key      | Type            | Default                     | Description |
 |----------|-----------------|-----------------------------|-------------|
 | `id`     | string          | required                    | Step ID, prefixes the output captures. |
-| `device` | string          | —                           | Device whose IP is automatically added to the Subject Alternative Names. |
+| `device` | string          | none                        | Device whose IP is automatically added to the Subject Alternative Names. |
 | `cn`     | string          | `"localhost"`               | Certificate Common Name. |
 | `san`    | array of strings| `[device_ip, "localhost"]`  | SANs. `$NETSIM_IP_<device>` variables are expanded. |
 
@@ -369,9 +369,9 @@ pick  = ".endpoint_id"
 | Key     | Type   | Default    | Description |
 |---------|--------|------------|-------------|
 | `pipe`  | string | `"stdout"` | Which output stream to read: `"stdout"` or `"stderr"`. |
-| `regex` | string | —          | Regex applied to the raw text line. Group 1 is captured if present, otherwise the full match. Works with all parsers. Cannot be combined with `pick`. |
-| `match` | table  | —          | Key=value guards on a parsed JSON object. All keys must match. Requires `pick`. Only valid with `"ndjson"` or `"json"` parser. |
-| `pick`  | string | —          | Dot-path into the parsed JSON value, e.g. `".endpoint_id"` or `".end.sum_received.bytes"`. Requires `"ndjson"` or `"json"` parser. Cannot be combined with `regex`. |
+| `regex` | string | none       | Regex applied to the raw text line. Group 1 is captured if present, otherwise the full match. Works with all parsers. Cannot be combined with `pick`. |
+| `match` | table  | none       | Key=value guards on a parsed JSON object. All keys must match. Requires `pick`. Only valid with `"ndjson"` or `"json"` parser. |
+| `pick`  | string | none       | Dot-path into the parsed JSON value, e.g. `".endpoint_id"` or `".end.sum_received.bytes"`. Requires `"ndjson"` or `"json"` parser. Cannot be combined with `regex`. |
 
 With `"ndjson"`, every matching line appends to the capture's history. With
 `"json"` or `regex`, the capture is set once from the final matched value.
@@ -580,7 +580,7 @@ file = "iroh-defaults.toml"
 name     = "iroh-1to1-nat"
 topology = "1to1-nat"
 
-# Expands to: gen-certs → gen-file (relay config) → spawn relay
+# Expands to: gen-certs -> gen-file (relay config) -> spawn relay
 [[step]]
 use  = "relay-setup"
 vars = { device = "relay" }