From: Felix Fietkau <nbd@nbd.name>
To: Nikolay Aleksandrov <razor@blackwall.org>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH net-next] net: bridge: do not send arp replies if src and target hw addr is the same
Date: Tue, 9 Jan 2024 13:41:47 +0100 [thread overview]
Message-ID: <bdb86076-d4ce-49b3-8ceb-742f61f05559@nbd.name> (raw)
In-Reply-To: <2b3bbe3a-6796-458c-88f9-1458a449d79c@blackwall.org>
On 09.01.24 13:02, Nikolay Aleksandrov wrote:
> On 09/01/2024 13:58, Felix Fietkau wrote:
>> On 09.01.24 12:36, Paolo Abeni wrote:
>>> On Thu, 2024-01-04 at 15:25 +0100, Felix Fietkau wrote:
>>>> There are broken devices in the wild that handle duplicate IP address
>>>> detection by sending out ARP requests for the IP that they received from a
>>>> DHCP server and refuse the address if they get a reply.
>>>> When proxyarp is enabled, they would go into a loop of requesting an address
>>>> and then NAKing it again.
>>>
>>> Can you instead provide the same functionality with some nft/tc
>>> ingress/ebpf filter?
>>>
>>> I feel uneasy to hard code this kind of policy, even if it looks
>>> sensible. I suspect it could break some other currently working weird
>>> device behavior.
>>>
>>> Otherwise it could be nice provide some arpfilter flag to
>>> enable/disable this kind filtering.
>>
>> I don't see how it could break anything, because it wouldn't suppress non-proxied responses. nft/arpfilter is just too expensive, and I don't think it makes sense to force the use of tc filters to suppress nonsensical responses generated by the bridge layer.
>>
>> - Felix
>>
>
> I also share Paolo's concerns, and I don't think such specific policy
> should be hardcoded in the bridge. It can already be achieved via tc/nft/ebpf
> as mentioned. Also please CC bridge maintainers for bridge patches, I saw this
> one because of Paolo's earlier reply.
Why is this 'specific policy'? I'm not changing the bridge to filter
quirky ARP responses generated elsewhere. I'm simply changing the bridge
code to avoid generating nonsensical ARP responses by itself.
Also, I can't replicate the exact behavior with a nft/tc filter, because
a filter can't differentiate between forwarded ARP responses and bogus
fake responses generated by the bridge code itself.
The concern regarding breaking existing devices also makes no sense to
me at all. From my perspective, proxyarp is an optimization that you
should be able to turn on without breaking breaking existing devices.
The fact that the current code violates that expectation is something
I'm trying to fix.
- Felix
next prev parent reply other threads:[~2024-01-09 12:41 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-04 14:25 [PATCH net-next] net: bridge: do not send arp replies if src and target hw addr is the same Felix Fietkau
2024-01-09 11:36 ` Paolo Abeni
2024-01-09 11:58 ` Felix Fietkau
2024-01-09 12:02 ` Nikolay Aleksandrov
2024-01-09 12:41 ` Felix Fietkau [this message]
2024-01-09 12:14 ` Paolo Abeni
2024-01-09 12:18 ` Nikolay Aleksandrov
2024-01-09 12:49 ` Dave Taht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bdb86076-d4ce-49b3-8ceb-742f61f05559@nbd.name \
--to=nbd@nbd.name \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox