[PATCH iproute2-next 0/2] Add support for neigh_forward_grat

[PATCH iproute2-next 0/2] Add support for neigh_forward_grat

[Danielle Ratson]

The existing neighbor suppression unconditionally suppresses gratuitous
ARP and unsolicited Neighbor Advertisements, which breaks legitimate use
cases like Multi-Homing and EVPN where these announcements need to
propagate across the VXLAN fabric.

This series adds a new neigh_forward_grat option that provides
independent control of gratuitous ARP and unsolicited NA forwarding.
When neigh_suppress is enabled and neigh_forward_grat is also enabled,
regular neighbor discovery is suppressed while gratuitous announcements
are forwarded.

Both port-level control (via IFLA_BRPORT_NEIGH_FORWARD_GRAT) and
per-VLAN control (via BRIDGE_VLANDB_ENTRY_NEIGH_FORWARD_GRAT) are
provided. The default value of OFF preserves existing behavior.

The new attributes use NLA_U8, although the kernel netlink guideline
recommends NLA_U32 as the minimum integer type on the grounds that
alignment makes smaller types equivalent on the wire. For a simple
on/off attribute there is no technical advantage to u32 over u8, and
keeping u8 preserves consistency with all surrounding bridge port
attributes and avoids introducing new helpers alongside the existing
infrastructure.

Patch #1: adds port-level support via ip link and bridge link commands.
Patch #2: adds per-VLAN support via bridge vlan command.

Danielle Ratson (2):
  iplink: bridge_slave: Add support for neigh_forward_grat
  bridge: vlan: Add support for neigh_forward_grat

 bridge/link.c            | 14 ++++++++++++++
 bridge/vlan.c            | 18 ++++++++++++++++++
 ip/iplink_bridge_slave.c | 10 ++++++++++
 man/man8/bridge.8        | 25 ++++++++++++++++++++++++-
 man/man8/ip-link.8.in    | 10 ++++++++++
 5 files changed, 76 insertions(+), 1 deletion(-)

-- 
2.51.0

[PATCH iproute2-next 1/2] iplink: bridge_slave: Add support for neigh_forward_grat

[Danielle Ratson]

Add support for controlling gratuitous ARP and unsolicited NA
forwarding at the port level via the neigh_forward_grat option.

This allows configuring the option via:
$ ip link set dev <port> type bridge_slave neigh_forward_grat {on|off}

Or via the bridge command:
$ bridge link set dev <port> neigh_forward_grat {on|off}

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Danielle Ratson <danieller@nvidia.com>
---
 bridge/link.c            | 14 ++++++++++++++
 ip/iplink_bridge_slave.c | 10 ++++++++++
 man/man8/bridge.8        | 10 ++++++++++
 man/man8/ip-link.8.in    | 10 ++++++++++
 4 files changed, 44 insertions(+)

diff --git a/bridge/link.c b/bridge/link.c
index 7638797d..370d7de4 100644
--- a/bridge/link.c
+++ b/bridge/link.c
@@ -174,6 +174,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
 				     "neigh_vlan_suppress %s ",
 				     rta_getattr_u8(at));
 		}
+		if (prtb[IFLA_BRPORT_NEIGH_FORWARD_GRAT])
+			print_on_off(PRINT_ANY, "neigh_forward_grat", "neigh_forward_grat %s ",
+				     rta_getattr_u8(prtb[IFLA_BRPORT_NEIGH_FORWARD_GRAT]));
 		if (prtb[IFLA_BRPORT_VLAN_TUNNEL])
 			print_on_off(PRINT_ANY, "vlan_tunnel", "vlan_tunnel %s ",
 				     rta_getattr_u8(prtb[IFLA_BRPORT_VLAN_TUNNEL]));
@@ -313,6 +316,7 @@ static void usage(void)
 		"                               [ mcast_max_groups MAX_GROUPS ]\n"
 		"                               [ neigh_suppress {on | off} ]\n"
 		"                               [ neigh_vlan_suppress {on | off} ]\n"
+		"                               [ neigh_forward_grat {on | off} ]\n"
 		"                               [ vlan_tunnel {on | off} ]\n"
 		"                               [ isolated {on | off} ]\n"
 		"                               [ locked {on | off} ]\n"
@@ -343,6 +347,7 @@ static int brlink_modify(int argc, char **argv)
 	int backup_port_idx = -1;
 	__s8 neigh_suppress = -1;
 	__s8 neigh_vlan_suppress = -1;
+	__s8 neigh_forward_grat = -1;
 	__s8 learning = -1;
 	__s8 learning_sync = -1;
 	__s8 flood = -1;
@@ -474,6 +479,12 @@ static int brlink_modify(int argc, char **argv)
 							   *argv, &ret);
 			if (ret)
 				return ret;
+		} else if (strcmp(*argv, "neigh_forward_grat") == 0) {
+			NEXT_ARG();
+			neigh_forward_grat = parse_on_off("neigh_forward_grat",
+							  *argv, &ret);
+			if (ret)
+				return ret;
 		} else if (strcmp(*argv, "vlan_tunnel") == 0) {
 			NEXT_ARG();
 			vlan_tunnel = parse_on_off("vlan_tunnel", *argv, &ret);
@@ -579,6 +590,9 @@ static int brlink_modify(int argc, char **argv)
 	if (neigh_vlan_suppress != -1)
 		addattr8(&req.n, sizeof(req), IFLA_BRPORT_NEIGH_VLAN_SUPPRESS,
 			 neigh_vlan_suppress);
+	if (neigh_forward_grat != -1)
+		addattr8(&req.n, sizeof(req), IFLA_BRPORT_NEIGH_FORWARD_GRAT,
+			 neigh_forward_grat);
 	if (vlan_tunnel != -1)
 		addattr8(&req.n, sizeof(req), IFLA_BRPORT_VLAN_TUNNEL,
 			 vlan_tunnel);
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 3821923b..1be02041 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -38,6 +38,7 @@ static void print_explain(FILE *f)
 		"			[ group_fwd_mask MASK ]\n"
 		"			[ neigh_suppress {on | off} ]\n"
 		"			[ neigh_vlan_suppress {on | off} ]\n"
+		"			[ neigh_forward_grat {on | off} ]\n"
 		"			[ vlan_tunnel {on | off} ]\n"
 		"			[ isolated {on | off} ]\n"
 		"			[ locked {on | off} ]\n"
@@ -275,6 +276,11 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
 			     "neigh_vlan_suppress %s ",
 			     rta_getattr_u8(tb[IFLA_BRPORT_NEIGH_VLAN_SUPPRESS]));
 
+	if (tb[IFLA_BRPORT_NEIGH_FORWARD_GRAT])
+		print_on_off(PRINT_ANY, "neigh_forward_grat",
+			     "neigh_forward_grat %s ",
+			     rta_getattr_u8(tb[IFLA_BRPORT_NEIGH_FORWARD_GRAT]));
+
 	if (tb[IFLA_BRPORT_GROUP_FWD_MASK]) {
 		char convbuf[256];
 		__u16 fwd_mask;
@@ -415,6 +421,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
 			NEXT_ARG();
 			bridge_slave_parse_on_off("neigh_vlan_suppress", *argv,
 						  n, IFLA_BRPORT_NEIGH_VLAN_SUPPRESS);
+		} else if (strcmp(*argv, "neigh_forward_grat") == 0) {
+			NEXT_ARG();
+			bridge_slave_parse_on_off("neigh_forward_grat", *argv,
+						  n, IFLA_BRPORT_NEIGH_FORWARD_GRAT);
 		} else if (matches(*argv, "group_fwd_mask") == 0) {
 			__u16 mask;
 
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index fe800d3f..aae6c75a 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -55,6 +55,7 @@ bridge \- show / manipulate bridge addresses and devices
 .BR mcast_to_unicast " { " on " | " off " } ] [ "
 .BR neigh_suppress " { " on " | " off " } ] [ "
 .BR neigh_vlan_suppress " { " on " | " off " } ] [ "
+.BR neigh_forward_grat " { " on " | " off " } ] [ "
 .BR vlan_tunnel " { " on " | " off " } ] [ "
 .BR isolated " { " on " | " off " } ] [ "
 .BR locked " { " on " | " off " } ] [ "
@@ -659,6 +660,15 @@ enabled on the port. When on, the \fBbridge link\fR option \fBneigh_suppress\fR
 has no effect and the per-VLAN state is set using the \fBbridge vlan\fR option
 \fBneigh_suppress\fR. By default this flag is off.
 
+.TP
+.BR "neigh_forward_grat on " or " neigh_forward_grat off "
+Controls whether gratuitous ARP packets and unsolicited Neighbor Advertisement
+packets are forwarded when neighbor suppression is enabled on the port.
+By default this flag is off, meaning gratuitous ARP and unsolicited NA packets
+will be suppressed when neighbor suppression is enabled. Setting this flag to
+on allows these packets to be forwarded even when neighbor suppression is
+enabled.
+
 .TP
 .BR "vlan_tunnel on " or " vlan_tunnel off "
 Controls whether vlan to tunnel mapping is enabled on the port. By
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index ef45fe08..e89b2db3 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2677,6 +2677,8 @@ the following additional arguments are supported:
 ] [
 .BR neigh_vlan_suppress " { " on " | " off " }"
 ] [
+.BR neigh_forward_grat " { " on " | " off " }"
+] [
 .BR vlan_tunnel " { " on " | " off " }"
 ] [
 .BR isolated " { " on " | " off " }"
@@ -2791,6 +2793,14 @@ is enabled on the port. When on, the \fBbridge link\fR option
 \fBneigh_suppress\fR has no effect and the per-VLAN state is set using the
 \fBbridge vlan\fR option \fBneigh_suppress\fR. By default this flag is off.
 
+.BR neigh_forward_grat " { " on " | " off " }"
+- controls whether gratuitous ARP packets and unsolicited Neighbor
+Advertisement packets are forwarded when neighbor suppression is enabled
+on the port. By default this flag is off, meaning gratuitous ARP and
+unsolicited NA packets will be suppressed when neighbor suppression is
+enabled. Setting this flag to on allows these packets to be forwarded even
+when neighbor suppression is enabled.
+
 .BR vlan_tunnel " { " on " | " off " }"
 - controls whether vlan to tunnel mapping is enabled on the port. By
 default this flag is off.
-- 
2.51.0

[PATCH iproute2-next 2/2] bridge: vlan: Add support for neigh_forward_grat

[Danielle Ratson]

Add support for controlling gratuitous ARP and unsolicited NA
forwarding at the per-VLAN level via the neigh_forward_grat option.

This allows configuring the option via:
$ bridge vlan set dev <port> vid <vlan> neigh_forward_grat {on|off}

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Danielle Ratson <danieller@nvidia.com>
---
 bridge/vlan.c     | 18 ++++++++++++++++++
 man/man8/bridge.8 | 15 ++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/bridge/vlan.c b/bridge/vlan.c
index 27d31ba8..ff03ac86 100644
--- a/bridge/vlan.c
+++ b/bridge/vlan.c
@@ -39,6 +39,7 @@ static void usage(void)
 		"                                               [ mcast_router MULTICAST_ROUTER ]\n"
 		"                                               [ mcast_max_groups MAX_GROUPS ]\n"
 		"                                               [ neigh_suppress {on | off} ]\n"
+		"                                               [ neigh_forward_grat {on | off} ]\n"
 		"       bridge vlan { show } [ dev DEV ] [ vid VLAN_ID ]\n"
 		"       bridge vlan { tunnelshow } [ dev DEV ] [ vid VLAN_ID ]\n"
 		"       bridge vlan global { set } vid VLAN_ID dev DEV\n"
@@ -368,6 +369,18 @@ static int vlan_option_set(int argc, char **argv)
 			addattr8(&req.n, sizeof(req),
 				 BRIDGE_VLANDB_ENTRY_NEIGH_SUPPRESS,
 				 neigh_suppress);
+		} else if (strcmp(*argv, "neigh_forward_grat") == 0) {
+			bool neigh_forward_grat;
+			int ret;
+
+			NEXT_ARG();
+			neigh_forward_grat = parse_on_off("neigh_forward_grat",
+							  *argv, &ret);
+			if (ret)
+				return ret;
+			addattr8(&req.n, sizeof(req),
+				 BRIDGE_VLANDB_ENTRY_NEIGH_FORWARD_GRAT,
+				 neigh_forward_grat);
 		} else {
 			if (matches(*argv, "help") == 0)
 				NEXT_ARG();
@@ -1012,6 +1025,11 @@ static void print_vlan_opts(struct rtattr *a, int ifindex)
 		print_on_off(PRINT_ANY, "neigh_suppress", "neigh_suppress %s ",
 			     rta_getattr_u8(vattr));
 	}
+	if (vtb[BRIDGE_VLANDB_ENTRY_NEIGH_FORWARD_GRAT]) {
+		vattr = vtb[BRIDGE_VLANDB_ENTRY_NEIGH_FORWARD_GRAT];
+		print_on_off(PRINT_ANY, "neigh_forward_grat",
+			     "neigh_forward_grat %s ", rta_getattr_u8(vattr));
+	}
 	print_nl();
 	if (show_stats)
 		bridge_print_vlan_stats_only(&vstats);
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index aae6c75a..d2323521 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -241,7 +241,8 @@ bridge \- show / manipulate bridge addresses and devices
 .IR MAX_GROUPS " ] [ "
 .B mcast_router
 .IR MULTICAST_ROUTER " ] [ "
-.BR neigh_suppress " { " on " | " off " } ]"
+.BR neigh_suppress " { " on " | " off " } ] [ "
+.BR neigh_forward_grat " { " on " | " off " } ]"
 
 .ti -8
 .BR "bridge vlan" " [ " show " | " tunnelshow " ] [ "
@@ -1486,6 +1487,18 @@ for a given VLAN on a given port. By default this flag is off.
 Note that this option only takes effect when \fBbridge link\fR option
 \fBneigh_vlan_suppress\fR is enabled for a given port.
 
+.TP
+.BR "neigh_forward_grat on " or " neigh_forward_grat off "
+Controls whether gratuitous ARP packets and unsolicited Neighbor Advertisement
+packets are forwarded when neighbor suppression is enabled for a given VLAN
+on a given port. By default this flag is off, meaning gratuitous ARP and
+unsolicited NA packets will be suppressed when neighbor suppression is enabled.
+Setting this flag to on allows these packets to be forwarded even when
+neighbor suppression is enabled.
+
+Note that this option only takes effect when \fBbridge link\fR option
+\fBneigh_vlan_suppress\fR is enabled for a given port.
+
 .SS bridge vlan show - list vlan configuration.
 
 This command displays the current VLAN filter table.
-- 
2.51.0

Re: [PATCH iproute2-next 1/2] iplink: bridge_slave: Add support for neigh_forward_grat

[Nikolay Aleksandrov]

On Sun, May 17, 2026 at 11:25:00AM +0300, Danielle Ratson wrote:
> Add support for controlling gratuitous ARP and unsolicited NA
> forwarding at the port level via the neigh_forward_grat option.
> 
> This allows configuring the option via:
> $ ip link set dev <port> type bridge_slave neigh_forward_grat {on|off}
> 
> Or via the bridge command:
> $ bridge link set dev <port> neigh_forward_grat {on|off}
> 
> Reviewed-by: Ido Schimmel <idosch@nvidia.com>
> Reviewed-by: Petr Machata <petrm@nvidia.com>
> Signed-off-by: Danielle Ratson <danieller@nvidia.com>
> ---
>  bridge/link.c            | 14 ++++++++++++++
>  ip/iplink_bridge_slave.c | 10 ++++++++++
>  man/man8/bridge.8        | 10 ++++++++++
>  man/man8/ip-link.8.in    | 10 ++++++++++
>  4 files changed, 44 insertions(+)
> 
 
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>

Re: [PATCH iproute2-next 2/2] bridge: vlan: Add support for neigh_forward_grat

[Nikolay Aleksandrov]

On Sun, May 17, 2026 at 11:25:01AM +0300, Danielle Ratson wrote:
> Add support for controlling gratuitous ARP and unsolicited NA
> forwarding at the per-VLAN level via the neigh_forward_grat option.
> 
> This allows configuring the option via:
> $ bridge vlan set dev <port> vid <vlan> neigh_forward_grat {on|off}
> 
> Reviewed-by: Ido Schimmel <idosch@nvidia.com>
> Reviewed-by: Petr Machata <petrm@nvidia.com>
> Signed-off-by: Danielle Ratson <danieller@nvidia.com>
> ---
>  bridge/vlan.c     | 18 ++++++++++++++++++
>  man/man8/bridge.8 | 15 ++++++++++++++-
>  2 files changed, 32 insertions(+), 1 deletion(-)
> 
 
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>