Message-ID: <2cf5fd66-a5f5-45b0-8e4d-57ab56bf874c@redhat.com>
Date: Fri, 26 Sep 2025 19:25:33 -0400
Subject: Re: [PATCH v9 9/9] arp/ndp: send gratuitous ARP / unsolicitated NA when MAC cache entry added
To: David Gibson
References: <20250924011330.1168921-1-jmaloy@redhat.com> <20250924011330.1168921-10-jmaloy@redhat.com>
From: Jon Maloy <jmaloy@redhat.com>
CC: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
List-Id: Development discussion and patches for passt

On 2025-09-23 23:22, David Gibson wrote:
> On Tue, Sep 23, 2025 at 09:13:30PM -0400, Jon Maloy wrote: >> Gratuitous ARP and unsolicited NA should be handled with caution >> because of the risk of malignant users emitting them to disturb >> network communication. >> [...] >> + req.ah.ar_op = htons(ARPOP_REPLY); >> + req.ah.ar_hrd = htons(ARPHRD_ETHER); >> + req.ah.ar_pro = htons(ETH_P_IP); >> + req.ah.ar_hln = ETH_ALEN; >> + req.ah.ar_pln = 4; >> + >> + /* ARP message */ >> + memcpy(req.am.sha, mac, sizeof(req.am.sha)); >> + memcpy(req.am.sip, &ip, sizeof(req.am.sip)); >> + memcpy(req.am.tha, MAC_BROADCAST, sizeof(req.am.tha)); >> + memcpy(req.am.tip, &ip, sizeof(req.am.tip)); > > So, I was trying to check if it made sense to use the same IP for both > source and target here, and came across > https://www.rfc-editor.org/rfc/rfc5227#section-3 > > Which suggests we should (counter intuitively) be using ARP requests, > not ARP replies for announcements.
I have now read through it, and it seems to come to the conclusion that this is not advisable. In principle it should work, if all implementations stick to the standard, but there might be stacks which are not stateless in this regard, i.e., they only accept ARP replies as a response to a sent request. In short, I think I will stick to my current approach, since it is evidently harmless and is proven to work. ///jon
> >> + inet_ntop(AF_INET, &ip, ip_str, sizeof(ip_str)); >> + debug("Sending gratuitous ARP for %s", ip_str); >> + tap_send_single(c, &req, sizeof(req)); >> +} >> diff --git a/arp.h b/arp.h >> index d5ad0e1..b0dbb56 100644 >> --- a/arp.h >> +++ b/arp.h >> @@ -22,5 +22,7 @@ struct arpmsg { >> >> int arp(const struct ctx *c, struct iov_tail *data); >> void arp_send_init_req(const struct ctx *c); >> +void arp_send_gratuitous(const struct ctx *c, struct in_addr ip, >> + const unsigned char *mac); >> >> #endif /* ARP_H */ >> diff --git a/fwd.c b/fwd.c >> index c6348ab..879a351 100644 >> --- a/fwd.c >> +++ b/fwd.c >> @@ -26,6 +26,8 @@ >> #include "passt.h" >> #include "lineread.h" >> #include "flow_table.h" >> +#include "arp.h" >> +#include "ndp.h" >> >> /* Empheral port range: values from RFC 6335 */ >> static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); >> @@ -129,6 +131,15 @@ void fwd_neigh_mac_cache_alloc(const struct ctx *c, >> >> memcpy(&e->addr, addr, sizeof(*addr)); >> memcpy(e->mac, mac, ETH_ALEN); >> + >> + /* Send gratuitous ARP / unsolicited NA for the new mapping */ > > AFAICT this doesn't actually implement what the commit message > describes - it seems to always send an ARP/NA when the neighbour table > is updated. > >> + if (inany_v4(addr)) { >> + struct in_addr ip4 = *inany_v4(addr); >> + >> + arp_send_gratuitous(c, ip4, e->mac); >> + } else { >> + ndp_send_unsolicited_na(c, &addr->a6); >> + } >> } >> >> /** >> diff --git a/ndp.c b/ndp.c >> index 70b68aa..8914f31 100644 >> --- a/ndp.c >> +++ b/ndp.c
>> @@ -226,6 +226,16 @@ static void ndp_na(const struct ctx *c, const struct in6_addr *dst, >> ndp_send(c, dst, &na, sizeof(na)); >> } >> >> +/** >> + * ndp_send_unsolicited_na() - Send unsolicited NA >> + * @c: Execution context >> + * @addr: IPv6 address to advertise >> + */ >> +void ndp_send_unsolicited_na(const struct ctx *c, const struct in6_addr *addr) >> +{ >> + ndp_na(c, &in6addr_ll_all_nodes, addr); >> +} >> + >> /** >> * ndp_ra() - Send an NDP Router Advertisement (RA) message >> * @c: Execution context >> diff --git a/ndp.h b/ndp.h >> index 781ea86..320009c 100644 >> --- a/ndp.h >> +++ b/ndp.h >> @@ -12,5 +12,6 @@ int ndp(const struct ctx *c, const struct in6_addr *saddr, >> struct iov_tail *data); >> void ndp_timer(const struct ctx *c, const struct timespec *now); >> void ndp_send_init_req(const struct ctx *c); >> +void ndp_send_unsolicited_na(const struct ctx *c, const struct in6_addr *addr); >> >> #endif /* NDP_H */ >> -- >> 2.50.1 >> >
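Review bot: the arp.c hunk sends the announcement as `req.ah.ar_op = htons(ARPOP_REPLY);` with `req.am.tha` set to MAC_BROADCAST, whereas RFC 5227 section 3 (the reference raised in this thread) defines an ARP Announcement as an ARPOP_REQUEST with sender and target IP equal and, per section 2.1.1, the target hardware address set to all zeroes; if the reply form is kept on purpose, put that rationale in a comment above the `ar_op` assignment and in the commit message so the deviation is not later mistaken for an oversight. Note also that a stack which only accepts replies matching a request it sent, the case mentioned in the reply above, would ignore this unsolicited reply as well, so that behaviour does not by itself favour the reply form.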
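Review bot: in the fwd_neigh_mac_cache_alloc() hunk the announcement goes out unconditionally every time an entry is written, so the caution in the commit message about malicious gratuitous ARP / unsolicited NA is not reflected in this code path; either say in the commit message what validates the (addr, mac) pair before it is announced on the tap, or drop that sentence so the message matches what the hunk does. Minor: `inany_v4(addr)` is evaluated twice; storing its result once in a `const struct in_addr *` avoids the second call.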
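Review bot: ndp_send_unsolicited_na() delegates to `ndp_na(c, &in6addr_ll_all_nodes, addr);`, but the NA flag handling is outside this hunk; RFC 4861 section 7.2.6 requires an unsolicited NA to carry the Solicited flag cleared, so confirm that ndp_na() does not set that flag unconditionally on its solicited-reply path, and add a line to the kerneldoc comment stating which flags the message is sent with.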
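The thread compares the request-form ARP Announcement from RFC 5227 with the reply-form gratuitous ARP the patch sends. As an added example (not passt code, and not written by either participant), the C program below builds the RFC 5227 form and classifies received Ethernet/IPv4 ARP packets on the receive side, so a neighbour-cache implementation can tell an unsolicited announcement (sender IP equal to target IP, in either opcode) apart from ordinary request/reply traffic and reject truncated or non-Ethernet/IPv4 packets before reading any field. It assumes Linux headers for the ARPOP_*/ARPHRD_ETHER/ETH_* constants; the names `arp_pkt`, `arp_kind`, `arp_classify` and the `arp_demo_*` helpers, and the sample MAC and IP, are this example's own.

```c
/* Added example, not passt code: build an RFC 5227 ARP Announcement and
 * classify received ARP packets. All names here (arp_pkt, arp_kind,
 * arp_classify, the arp_demo_* helpers) are this example's own; the MAC
 * and IP below are constructed sample values. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>          /* htons(), ntohs() */
#include <net/if_arp.h>         /* ARPOP_REQUEST, ARPOP_REPLY, ARPHRD_ETHER */
#include <netinet/if_ether.h>   /* ETH_ALEN, ETH_P_IP on Linux */

#ifndef ETH_ALEN
#define ETH_ALEN 6
#endif
#ifndef ETH_P_IP
#define ETH_P_IP 0x0800
#endif

/* Ethernet/IPv4 ARP packet: fixed header followed by the four addresses */
struct arp_pkt {
	uint16_t ar_hrd;        /* hardware type, ARPHRD_ETHER */
	uint16_t ar_pro;        /* protocol type, ETH_P_IP */
	uint8_t  ar_hln;        /* hardware address length, ETH_ALEN */
	uint8_t  ar_pln;        /* protocol address length, 4 */
	uint16_t ar_op;         /* ARPOP_REQUEST or ARPOP_REPLY */
	uint8_t  sha[ETH_ALEN]; /* sender hardware address */
	uint8_t  sip[4];        /* sender protocol address */
	uint8_t  tha[ETH_ALEN]; /* target hardware address */
	uint8_t  tip[4];        /* target protocol address */
} __attribute__((packed));

enum arp_kind {
	ARP_MALFORMED,      /* too short, or not Ethernet/IPv4 ARP */
	ARP_REQUEST,        /* ordinary who-has: sip != tip */
	ARP_REPLY,          /* ordinary is-at:   sip != tip */
	ARP_ANNOUNCE_REQ,   /* RFC 5227 announcement: request, sip == tip */
	ARP_ANNOUNCE_REPLY  /* reply-form gratuitous ARP: reply, sip == tip */
};

/* RFC 5227 section 3: an Announcement is an ARP Request whose sender and
 * target IP are both the announced address; section 2.1.1: the target
 * hardware address is ignored and should be all zeroes. */
void arp_build_announcement(struct arp_pkt *p, const uint8_t mac[ETH_ALEN],
			    const uint8_t ip[4])
{
	memset(p, 0, sizeof(*p));       /* also zeroes tha */
	p->ar_hrd = htons(ARPHRD_ETHER);
	p->ar_pro = htons(ETH_P_IP);
	p->ar_hln = ETH_ALEN;
	p->ar_pln = 4;
	p->ar_op  = htons(ARPOP_REQUEST);
	memcpy(p->sha, mac, ETH_ALEN);
	memcpy(p->sip, ip, 4);
	memcpy(p->tip, ip, 4);
}

/* Receive-side classifier: check length and types before the opcode, then
 * report gratuitous packets (sip == tip) separately so the caller can treat
 * an unsolicited mapping with more suspicion than an answer it asked for. */
enum arp_kind arp_classify(const void *buf, size_t len)
{
	struct arp_pkt p;
	int gratuitous;

	if (len < sizeof(p))
		return ARP_MALFORMED;
	memcpy(&p, buf, sizeof(p));     /* copy out: buf may be unaligned */

	if (ntohs(p.ar_hrd) != ARPHRD_ETHER || ntohs(p.ar_pro) != ETH_P_IP ||
	    p.ar_hln != ETH_ALEN || p.ar_pln != 4)
		return ARP_MALFORMED;

	gratuitous = !memcmp(p.sip, p.tip, sizeof(p.sip));

	switch (ntohs(p.ar_op)) {
	case ARPOP_REQUEST:
		return gratuitous ? ARP_ANNOUNCE_REQ : ARP_REQUEST;
	case ARPOP_REPLY:
		return gratuitous ? ARP_ANNOUNCE_REPLY : ARP_REPLY;
	default:
		return ARP_MALFORMED;
	}
}

/* Constructed sample values: a locally administered MAC, a private IPv4 */
static const uint8_t demo_mac[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t demo_ip[4] = { 192, 168, 1, 10 };

/* RFC 5227 request form */
enum arp_kind arp_demo_announcement(void)
{
	struct arp_pkt p;
	arp_build_announcement(&p, demo_mac, demo_ip);
	return arp_classify(&p, sizeof(p));
}

/* Same mapping in the form the patch sends: ARPOP_REPLY, tha = broadcast */
enum arp_kind arp_demo_reply_form(void)
{
	struct arp_pkt p;
	arp_build_announcement(&p, demo_mac, demo_ip);
	p.ar_op = htons(ARPOP_REPLY);
	memset(p.tha, 0xff, ETH_ALEN);
	return arp_classify(&p, sizeof(p));
}

/* A truncated buffer is rejected before any field is interpreted */
enum arp_kind arp_demo_truncated(void)
{
	struct arp_pkt p;
	arp_build_announcement(&p, demo_mac, demo_ip);
	return arp_classify(&p, sizeof(p) - 1);
}
```

Both announcement forms classify as gratuitous because the test is on the addresses, not the opcode; a receiver that wants the caution the commit message talks about can key on `ARP_ANNOUNCE_REQ` / `ARP_ANNOUNCE_REPLY` to rate-limit or cross-check an unsolicited mapping against what is already cached, instead of accepting it on the strength of an unrequested reply.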