From: Jon Maloy <jmaloy@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v3 2/8] arp/ndp: respond with true MAC address of LAN local remote hosts
Date: Tue, 5 Aug 2025 16:00:53 -0400 [thread overview]
Message-ID: <df71a297-cbae-4103-8d57-87853060f7b2@redhat.com> (raw)
In-Reply-To: <aH7vrcjbuClSBAtz@zatzit>
On 2025-07-21 21:55, David Gibson wrote:
> On Sun, Jun 29, 2025 at 01:13:41PM -0400, Jon Maloy wrote:
>> When we receive an ARP request or NDP neigbor solicitation over
>> the tap interface for a host on the local network segment attached
>> to the template interface, we respond with that host's real MAC
>> address.
>>
>> The local host, which is acting as a proxy for the default gateway,
>> is still exempted from this rule.
>>
>> Signed-off-by: Jon Maloy <jmaloy@redhat.com>
>>
>> ---
>> v3: - Added helper function to find out if a remote ip address is subject
>> to NAT. This filters out local host addresses which should be
>> presented with the passt/pasta local MAC address 9a:55:9a:55:9a:55 even
>> though it is on the local segment.
>> - Adapted to the change in nl_mac_get() function, so that we now consider
>> only the template interface when checking the ARP/NDP table.
>> ---
>> arp.c | 9 +++++++++
>> fwd.c | 2 +-
>> fwd.h | 3 ++-
>> inany.c | 15 +++++++++++++++
>> inany.h | 1 +
>> ndp.c | 9 +++++++++
>> 6 files changed, 37 insertions(+), 2 deletions(-)
>>
>> diff --git a/arp.c b/arp.c
>> index fc482bb..1952a63 100644
>> --- a/arp.c
>> +++ b/arp.c
>> @@ -29,6 +29,7 @@
>> #include "dhcp.h"
>> #include "passt.h"
>> #include "tap.h"
>> +#include "netlink.h"
>>
>> /**
>> * arp() - Check if this is a supported ARP message, reply as needed
>> @@ -40,6 +41,7 @@
>> int arp(const struct ctx *c, const struct pool *p)
>> {
>> unsigned char swap[4];
>> + union inany_addr tgt;
>> struct ethhdr *eh;
>> struct arphdr *ah;
>> struct arpmsg *am;
>> @@ -72,6 +74,13 @@ int arp(const struct ctx *c, const struct pool *p)
>> memcpy(am->tha, am->sha, sizeof(am->tha));
>> memcpy(am->sha, c->our_tap_mac, sizeof(am->sha));
>>
>> + /* Respond with true MAC address if remote host is on
>> + * the template interface's network segment
>> + */
>> + inany_from_af(&tgt, AF_INET, am->tip);
>> + if (!inany_nat(c, &tgt))
>> + nl_mac_get(nl_sock, &tgt, c->ifi4, am->sha);
>> +
>
> Hmm. Here's one concern about the overall concept here. If neither
> the guest nor the host has contacted this neighbour before, it
> probably won't be in the host's arp/neighbour table so this lookup
> will fail, and we'll use our_tap_mac. The guest then contacts it, so
> the host ARPs it. When the guest's ARP times out, it re-ARPs and this
> time gets the actual MAC address. i.e. it seems to me this approach
> may substantially increase the odds of the guest seeing a peer change
> MAC. Not sure if that's a problem.
I notice this recurring concern from you, but I see no suggestion for
how to handle it. Could I try to trigger a host ARP call, e.g., by
sending a preceding ping when certain conditions are fulfilled, or are
you saying the series is meaningless?
/jon
next prev parent reply other threads:[~2025-08-05 20:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-29 17:13 [PATCH v3 0/8] use true MAC address of LAN local remote hosts Jon Maloy
2025-06-29 17:13 ` [PATCH v3 1/8] netlink: add function to extract MAC addresses from NDP/ARP table Jon Maloy
2025-07-22 0:53 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 2/8] arp/ndp: respond with true MAC address of LAN local remote hosts Jon Maloy
2025-07-22 1:55 ` David Gibson
2025-08-05 20:00 ` Jon Maloy [this message]
2025-08-05 21:39 ` Stefano Brivio
2025-08-06 6:46 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 3/8] flow: add MAC address of LAN local remote hosts to flow Jon Maloy
2025-07-22 2:12 ` David Gibson
2025-07-22 2:33 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 4/8] udp: forward external source MAC address through tap interface Jon Maloy
2025-07-22 2:19 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 5/8] tcp: " Jon Maloy
2025-07-22 2:29 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 6/8] tap: change signature of function tap_push_l2h() Jon Maloy
2025-07-22 2:36 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 7/8] tcp: make tcp_rst_no_conn() respond with correct MAC address Jon Maloy
2025-07-22 2:39 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 8/8] icmp: let icmp use mac address from flowside structure Jon Maloy
2025-07-22 2:44 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df71a297-cbae-4103-8d57-87853060f7b2@redhat.com \
--to=jmaloy@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=dgibson@redhat.com \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).