[PATCH iproute2-next 0/2] ip neigh: Add support for "extern_valid" flag

[PATCH iproute2-next 0/2] ip neigh: Add support for "extern_valid" flag

[Ido Schimmel]

Add support for the new "extern_valid" neighbor flag [1].

Patch #1 updates the uAPI headers.

Patch #2 adds support for the new flag. See the commit message for
example usage and output.

[1] https://lore.kernel.org/all/20250626073111.244534-1-idosch@nvidia.com/

Ido Schimmel (2):
  Sync uAPI headers
  ip neigh: Add support for "extern_valid" flag

 include/uapi/linux/neighbour.h |  5 +++++
 ip/ipneigh.c                   |  6 +++++-
 man/man8/ip-neighbour.8        | 10 +++++++++-
 3 files changed, 19 insertions(+), 2 deletions(-)

-- 
2.50.0

[PATCH iproute2-next 1/2] Sync uAPI headers

[Ido Schimmel]

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 include/uapi/linux/neighbour.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 5e67a7eaf4a7..1401f5730a00 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -54,6 +54,7 @@ enum {
 /* Extended flags under NDA_FLAGS_EXT: */
 #define NTF_EXT_MANAGED		(1 << 0)
 #define NTF_EXT_LOCKED		(1 << 1)
+#define NTF_EXT_EXT_VALIDATED	(1 << 2)
 
 /*
  *	Neighbor Cache Entry States.
@@ -92,6 +93,10 @@ enum {
  * bridge in response to a host trying to communicate via a locked bridge port
  * with MAB enabled. Their purpose is to notify user space that a host requires
  * authentication.
+ *
+ * NTF_EXT_EXT_VALIDATED flagged neighbor entries were externally validated by
+ * a user space control plane. The kernel will not remove or invalidate them,
+ * but it can probe them and notify user space when they become reachable.
  */
 
 struct nda_cacheinfo {
-- 
2.50.0

[PATCH iproute2-next 2/2] ip neigh: Add support for "extern_valid" flag

[Ido Schimmel]

Add support for the recently added "extern_valid" flag that can be used
to indicate to the kernel that a neighbor entry was learned and
determined to be valid externally. The kernel will not remove or
invalidate the entry, but it can probe the entry and notify user space
when the entry becomes reachable. The kernel will return the entry to
stale state if it did not receive a confirmation after probing the
entry.

Example usage and output:

 # ip neigh add 192.0.2.1 nud none dev br0.10 extern_valid
 Error: Cannot create externally validated neighbor with an invalid state.
 # ip neigh add 192.0.2.1 lladdr 00:11:22:33:44:55 nud stale dev br0.10 extern_valid
 $ ip neigh show dev br0.10
 192.0.2.1 lladdr 00:11:22:33:44:55 extern_valid STALE
 $ ip -j -p neigh show dev br0.10
 [ {
         "dst": "192.0.2.1",
         "lladdr": "00:11:22:33:44:55",
         "extern_valid": null,
         "state": [ "STALE" ]
     } ]

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 ip/ipneigh.c            |  6 +++++-
 man/man8/ip-neighbour.8 | 10 +++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ip/ipneigh.c b/ip/ipneigh.c
index bd7f44e10426..e678545ad535 100644
--- a/ip/ipneigh.c
+++ b/ip/ipneigh.c
@@ -47,7 +47,7 @@ static void usage(void)
 		"Usage: ip neigh { add | del | change | replace }\n"
 		"                { ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n"
 		"                [ dev DEV ] [ router ] [ use ] [ managed ] [ extern_learn ]\n"
-		"                [ protocol PROTO ]\n"
+		"                [ extern_valid ] [ protocol PROTO ]\n"
 		"\n"
 		"	ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]\n"
 		"				  [ vrf NAME ] [ nomaster ]\n"
@@ -152,6 +152,8 @@ static int ipneigh_modify(int cmd, int flags, int argc, char **argv)
 			req.ndm.ndm_state = NUD_NONE;
 		} else if (matches(*argv, "extern_learn") == 0) {
 			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
+		} else if (strcmp(*argv, "extern_valid") == 0) {
+			ext_flags |= NTF_EXT_EXT_VALIDATED;
 		} else if (strcmp(*argv, "dev") == 0) {
 			NEXT_ARG();
 			dev = *argv;
@@ -446,6 +448,8 @@ int print_neigh(struct nlmsghdr *n, void *arg)
 		print_null(PRINT_ANY, "extern_learn", "%s ", "extern_learn");
 	if (r->ndm_flags & NTF_OFFLOADED)
 		print_null(PRINT_ANY, "offload", "%s ", "offload");
+	if (ext_flags & NTF_EXT_EXT_VALIDATED)
+		print_null(PRINT_ANY, "extern_valid", "%s ", "extern_valid");
 
 	if (show_stats) {
 		if (tb[NDA_CACHEINFO])
diff --git a/man/man8/ip-neighbour.8 b/man/man8/ip-neighbour.8
index 6fed47ced857..1f890c0d0c7c 100644
--- a/man/man8/ip-neighbour.8
+++ b/man/man8/ip-neighbour.8
@@ -27,7 +27,8 @@ ip-neighbour \- neighbour/arp tables management.
 .BR router " ] [ "
 .BR use " ] [ "
 .BR managed " ] [ "
-.BR extern_learn " ]"
+.BR extern_learn " ] [ "
+.BR extern_valid " ]"
 
 .ti -8
 .BR "ip neigh" " { " show " | " flush " } [ " proxy " ] [ " to
@@ -115,6 +116,13 @@ this neigh entry was learned externally. This option can be used to
 indicate to the kernel that this is a controller learnt dynamic entry.
 Kernel will not gc such an entry.
 
+.TP
+.BI extern_valid
+this neigh entry was learned and determined to be valid externally. The kernel
+will not remove or invalidate the entry, but it can probe the entry and notify
+user space when the entry becomes reachable. The kernel will return the entry
+to stale state if it did not receive a confirmation after probing the entry.
+
 .TP
 .BI lladdr " LLADDRESS"
 the link layer address of the neighbour.
-- 
2.50.0

Re: [PATCH iproute2-next 0/2] ip neigh: Add support for "extern_valid" flag

[patchwork-bot+netdevbpf]

Hello:

This series was applied to iproute2/iproute2-next.git (main)
by David Ahern <dsahern@kernel.org>:

On Tue, 1 Jul 2025 17:42:14 +0300 you wrote:
> Add support for the new "extern_valid" neighbor flag [1].
> 
> Patch #1 updates the uAPI headers.
> 
> Patch #2 adds support for the new flag. See the commit message for
> example usage and output.
> 
> [...]

Here is the summary with links:
  - [iproute2-next,1/2] Sync uAPI headers
    (no matching commit)
  - [iproute2-next,2/2] ip neigh: Add support for "extern_valid" flag
    https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=1ac42adcb600

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html