Date: Tue, 30 Sep 2025 10:56:39 +1000
From: David Gibson
To: Stefano Brivio
Cc: Jon Maloy, dgibson@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v11 3/9] arp/ndp: send gratuitous ARP / unsolicitated NA when MAC cache entry added
In-Reply-To: <20250930015856.720ffe09@elisabeth>
References: <20250927192522.3024554-1-jmaloy@redhat.com> <20250927192522.3024554-4-jmaloy@redhat.com> <20250930015856.720ffe09@elisabeth>

On Tue, Sep 30, 2025 at 01:58:56AM +0200, Stefano Brivio wrote:
> On Sat, 27 Sep 2025 15:25:16 -0400
> Jon Maloy wrote:
> 
> > Gratuitous ARP and unsolicited NA should be handled with caution
> > because of the risk of malignant users emitting them to disturb
> > network communication.
> > 
> > There is however one case where we know it is legitimate
> > and safe for us to send out such messages: The one time we switch
> > from using ctx->own_tap_mac to a MAC address received via the
> > recently added neighbour subscription function. Later changes to
> > the MAC address of a host in an existing entry cannot be fully
> > trusted, so we abstain from doing it in such cases.
> > 
> > When sending this type of message, we notice that the guest accepts
> > the update, but also asks for a confirmation in the form of a regular
> > ARP/NS request. This is responded to with the new value, and we have
> > exactly the effect we wanted.
> > 
> > This commit adds this functionality.
> > 
> > Signed-off-by: Jon Maloy
> > 
> > ---
> > v10: -Made small changes based on feedback from David G.
> > v11: -Moved from 'Gratuitous ARP reply' model to 'ARP Announcement'
> >       model.
> > ---
> >  arp.c | 41 +++++++++++++++++++++++++++++++++++++++++
> >  arp.h |  2 ++
> >  fwd.c |  8 ++++++++
> >  ndp.c | 10 ++++++++++
> >  ndp.h |  1 +
> >  5 files changed, 62 insertions(+)
> > 
> > diff --git a/arp.c b/arp.c
> > index ad088b1..57e7b59 100644
> > --- a/arp.c
> > +++ b/arp.c
> > @@ -146,3 +146,44 @@ void arp_send_init_req(const struct ctx *c)
> >  	debug("Sending initial ARP request for guest MAC address");
> >  	tap_send_single(c, &req, sizeof(req));
> >  }
> > +
> > +/**
> > + * arp_send_gratuitous() - Send a gratuitous ARP announcement for an IPv4 host
> > + * @c:		Execution context
> > + * @ip:	IPv4 address we announce as owned by @mac
> > + * @mac:	MAC address to advertise for @ip
> > + */
> > +void arp_send_gratuitous(const struct ctx *c, struct in_addr *ip,
> > +			 const unsigned char *mac)
> > +{
> > +	char ip_str[INET_ADDRSTRLEN];
> > +	struct {
> > +		struct ethhdr eh;
> > +		struct arphdr ah;
> > +		struct arpmsg am;
> > +	} __attribute__((__packed__)) annc;
> > +
> > +	/* Ethernet header */
> > +	annc.eh.h_proto = htons(ETH_P_ARP);
> > +	memcpy(annc.eh.h_dest, MAC_BROADCAST, sizeof(annc.eh.h_dest));
> > +	memcpy(annc.eh.h_source, mac, sizeof(annc.eh.h_source));
> > +
> > +	/* ARP header */
> > +	annc.ah.ar_op = htons(ARPOP_REQUEST);
> > +	annc.ah.ar_hrd = htons(ARPHRD_ETHER);
> > +	annc.ah.ar_pro = htons(ETH_P_IP);
> > +	annc.ah.ar_hln = ETH_ALEN;
> > +	annc.ah.ar_pln = 4;
> > +
> > +	/* ARP message */
> > +	memcpy(annc.am.sha, mac, sizeof(annc.am.sha));
> > +	memcpy(annc.am.sip, ip, sizeof(annc.am.sip));
> > +	memcpy(annc.am.tha, MAC_BROADCAST, sizeof(annc.am.tha));
> > +	memcpy(annc.am.tip, ip, sizeof(annc.am.tip));
> > +
> > +	inet_ntop(AF_INET, ip, ip_str, sizeof(ip_str));
> > +	debug("Sending ARP announcement for %s", ip_str);
> > +
> > +	tap_send_single(c, &annc, sizeof(annc));
> > +}
> > +
> 
> Nit: git show / log highlights this excess newline in red, and I merely
> relay the pedantry.
> 
> > diff --git a/arp.h b/arp.h
> > index d5ad0e1..2cf1326 100644
> > --- a/arp.h
> > +++ b/arp.h
> > @@ -22,5 +22,7 @@ struct arpmsg {
> >  
> >  int arp(const struct ctx *c, struct iov_tail *data);
> >  void arp_send_init_req(const struct ctx *c);
> > +void arp_send_gratuitous(const struct ctx *c, struct in_addr *ip,
> > +			 const unsigned char *mac);
> >  
> >  #endif /* ARP_H */
> > diff --git a/fwd.c b/fwd.c
> > index 2fd6cee..7f38b40 100644
> > --- a/fwd.c
> > +++ b/fwd.c
> > @@ -26,6 +26,8 @@
> >  #include "passt.h"
> >  #include "lineread.h"
> >  #include "flow_table.h"
> > +#include "arp.h"
> > +#include "ndp.h"
> >  
> >  /* Empheral port range: values from RFC 6335 */
> >  static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14);
> > @@ -131,6 +133,12 @@ void fwd_neigh_table_update(const struct ctx *c,
> >  
> >  	memcpy(&e->addr, addr, sizeof(*addr));
> >  	memcpy(e->mac, mac, ETH_ALEN);
> > +
> > +	/* Send gratuitous ARP / unsolicited NA for the new mapping */
> > +	if (inany_v4(addr))
> > +		arp_send_gratuitous(c, inany_v4(addr), e->mac);
> > +	else
> > +		ndp_send_unsolicited_na(c, &addr->a6);
> >  }
> >  
> >  /**
> > diff --git a/ndp.c b/ndp.c
> > index 588b48f..d7f64a3 100644
> > --- a/ndp.c
> > +++ b/ndp.c
> > @@ -218,6 +218,16 @@ static void ndp_na(const struct ctx *c, const struct in6_addr *dst,
> >  	ndp_send(c, dst, &na, sizeof(na));
> >  }
> >  
> > +/**
> > + * ndp_send_unsolicited_na() - Send unsolicited NA
> 
> This comment, strictly speaking, should be related to the notification
> mechanism, but the usage here makes me wonder: do we want to announce
> link-layer addresses for link-local (IPv6) addresses as well?
> 
> Those are not reachable from the guest. I'm not sure if we want to
> filter IPv6 addresses a bit, in general. I didn't really think it
> through.

I think (host) link-local addresses are actually reachable from the guest.
I think the semantics of that are kind of confusing (at least with
multiple host links), and I've talked about disallowing that when we
don't have an explicitly selected host interface we're dealing with.
But I haven't done that yet.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
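Review bot: in the arp.c hunk, arp_send_gratuitous() fills the target hardware address with the broadcast MAC (`memcpy(annc.am.tha, MAC_BROADCAST, sizeof(annc.am.tha));`), but for the ARP Announcement form this version switched to (ar$op = request, ar$spa == ar$tpa) RFC 5227 section 2.1.1 says ar$tha is ignored and SHOULD be all zeroes; broadcast in that field is a habit of older gratuitous-request senders, so zeroing it would match the RFC the changelog points at. The same hunk puts the learned MAC into both the Ethernet source and ar$sha, which is what the design intends but is exactly the kind of frame the commit message warns about, so the kerneldoc comment should say that the caller is responsible for only passing a MAC it has just learned through the neighbour subscription. The trailing empty `+` line after the closing brace is the one already flagged in review.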
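Review bot: in the arp.h hunk the new prototype takes `struct in_addr *ip` although the function only reads through it (as a memcpy() source and an inet_ntop() input); declare it `const struct in_addr *ip` here and in arp.c so it matches `const unsigned char *mac` and so the fwd.c caller can pass whatever inany_v4() returns without a cast.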
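Review bot: in the second fwd.c hunk the announcement goes out unconditionally after the two memcpy() calls; nothing in the hunk restricts it to the first switch away from ctx->own_tap_mac, which the commit message describes as the only case that is safe to announce. If fwd_neigh_table_update() is also reached when an existing entry's MAC changes, the announcement would also be sent in the case the commit message says is untrusted, so either the guard belongs here (compare the old e->mac before it is overwritten, and only announce when it still held the placeholder) or the commit message should say where that check lives. Separately, the IPv6 branch passes only `&addr->a6` while the IPv4 branch passes `e->mac`; the ndp_send_unsolicited_na() kerneldoc should state where the link-layer address it advertises comes from, since the asymmetry is not obvious at the call site.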
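An added example in C, not passt code and not part of the patch above, showing what the "ARP Announcement" model in the v11 changelog produces on the wire when built to RFC 5227, next to a classifier that separates gratuitous ARP (announcements, probes and gratuitous replies) from ordinary requests and replies, which is what a receiver needs in order to treat such frames "with caution" as the commit message asks, and the announce-only-on-first-switch rule from the commit message written as a small policy function. All names in it (arp_frame, arp_classify, neigh_update, the sample addresses) are this example's own; nothing here is passt's API.

```c
/*
 * Added example, not passt code: build an RFC 5227 ARP Announcement for a
 * learned (IPv4, MAC) pair, classify incoming ARP frames so gratuitous ones
 * can be policed separately from ordinary requests/replies, and apply the
 * "announce only on the first switch away from the placeholder MAC" rule.
 * Names (arp_frame, arp_classify, neigh_entry, ...) are this example's own.
 */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <net/if_arp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct arp_body {			/* ar$sha, ar$spa, ar$tha, ar$tpa */
	uint8_t sha[ETH_ALEN];
	uint8_t sip[4];
	uint8_t tha[ETH_ALEN];
	uint8_t tip[4];
} __attribute__((__packed__));

struct arp_frame {
	struct ethhdr eh;
	struct arphdr ah;
	struct arp_body am;
} __attribute__((__packed__));

enum arp_kind {
	ARP_BAD,		/* malformed, or Ethernet source != ar$sha */
	ARP_PROBE,		/* request, ar$spa == 0.0.0.0 (RFC 5227 2.1.1) */
	ARP_ANNOUNCE,		/* request, ar$spa == ar$tpa (RFC 5227 2.3) */
	ARP_GRATUITOUS_REPLY,	/* reply,   ar$spa == ar$tpa, nobody asked */
	ARP_REQUEST,
	ARP_REPLY,
};

static const uint8_t mac_bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const uint8_t ip_zero[4];

/* Fill @f with an ARP Announcement saying @ip is owned by @mac; returns the
 * frame length. Sender and target protocol addresses are both @ip; the
 * target hardware address stays zero, as RFC 5227 says it is ignored. */
size_t arp_build_announcement(struct arp_frame *f, const struct in_addr *ip,
			      const uint8_t *mac)
{
	memset(f, 0, sizeof(*f));

	memcpy(f->eh.h_dest, mac_bcast, ETH_ALEN);
	memcpy(f->eh.h_source, mac, ETH_ALEN);
	f->eh.h_proto = htons(ETH_P_ARP);

	f->ah.ar_hrd = htons(ARPHRD_ETHER);
	f->ah.ar_pro = htons(ETH_P_IP);
	f->ah.ar_hln = ETH_ALEN;
	f->ah.ar_pln = 4;
	f->ah.ar_op = htons(ARPOP_REQUEST);

	memcpy(f->am.sha, mac, ETH_ALEN);
	memcpy(f->am.sip, ip, 4);
	memcpy(f->am.tip, ip, 4);	/* ar$tha left all-zero by the memset */

	return sizeof(*f);
}

/* Classify a received Ethernet frame of @len bytes at @buf. */
enum arp_kind arp_classify(const void *buf, size_t len)
{
	const struct arp_frame *f = buf;
	int same_ip;

	if (len < sizeof(*f) || ntohs(f->eh.h_proto) != ETH_P_ARP)
		return ARP_BAD;
	if (ntohs(f->ah.ar_hrd) != ARPHRD_ETHER || ntohs(f->ah.ar_pro) != ETH_P_IP ||
	    f->ah.ar_hln != ETH_ALEN || f->ah.ar_pln != 4)
		return ARP_BAD;
	/* ar$sha differing from the Ethernet source is the usual sign of a
	 * crafted (poisoning) frame: never learn a mapping from such a frame. */
	if (memcmp(f->eh.h_source, f->am.sha, ETH_ALEN))
		return ARP_BAD;

	same_ip = !memcmp(f->am.sip, f->am.tip, 4);
	switch (ntohs(f->ah.ar_op)) {
	case ARPOP_REQUEST:
		if (!memcmp(f->am.sip, ip_zero, 4))
			return ARP_PROBE;
		return same_ip ? ARP_ANNOUNCE : ARP_REQUEST;
	case ARPOP_REPLY:
		return same_ip ? ARP_GRATUITOUS_REPLY : ARP_REPLY;
	default:
		return ARP_BAD;
	}
}

struct neigh_entry {
	struct in_addr ip;
	uint8_t mac[ETH_ALEN];
	int learned;		/* 0 while the entry still holds the placeholder MAC */
};

/* Record @mac in @e and return 1 if an announcement should be sent, i.e. only
 * on the first change away from the placeholder; later changes are stored
 * but, following the commit message's reasoning, never announced. */
int neigh_update(struct neigh_entry *e, const uint8_t *mac)
{
	int first = !e->learned;

	memcpy(e->mac, mac, ETH_ALEN);
	e->learned = 1;
	return first;
}
```

The classifier checks the length before touching any field and refuses frames whose ar$sha does not match the Ethernet source; a receiving stack that wants to be careful with gratuitous ARP can then rate-limit or ignore ARP_ANNOUNCE and ARP_GRATUITOUS_REPLY while still answering ordinary requests.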