From: Jaehee Park
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, linux-kernel@vger.kernel.org, aajith@arista.com, roopa@nvidia.com, aroulin@nvidia.com, sbrivio@redhat.com, jhpark1013@gmail.com
Subject: [PATCH net-next 1/3] net: ipv4: new arp_accept option to accept garp only if in-network
Date: Mon, 11 Jul 2022 13:51:16 -0400
Message-Id: <3d46841cb86de597157121c6c1f2dc6a8a8bf981.1657556229.git.jhpark1013@gmail.com>

In many deployments, we want the option to not learn a neighbor from
garp if the src ip is not in the subnet of addresses configured on the
interface. net.ipv4.arp_accept sysctl is currently used to control
creation of a neigh from a received garp packet. This patch adds a new
option '2' to net.ipv4.arp_accept which extends option '1' by including
the subnet check.

Signed-off-by: Jaehee Park
Suggested-by: Roopa Prabhu
---
 Documentation/networking/ip-sysctl.rst |  4 +++-
 include/linux/inetdevice.h             |  2 +-
 net/ipv4/arp.c                         | 24 ++++++++++++++++++++++--
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 4c8bbf5acfd1..599373601a2b 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1633,12 +1633,14 @@ arp_notify - BOOLEAN or hardware address changes. =3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 -arp_accept - BOOLEAN +arp_accept - INTEGER Define behavior for gratuitous ARP frames who's IP is not already present in the ARP table: =20 - 0 - don't create new entries in the ARP table - 1 - create new entries in the ARP table + - 2 - create new entries only if src ip is in the same subnet as + the configured address on the received interface =20 Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on. diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h index ead323243e7b..ddb27fc0ee8c 100644 --- a/include/linux/inetdevice.h +++ b/include/linux/inetdevice.h @@ -131,7 +131,7 @@ static inline void ipv4_devconf_setall(struct in_device= *in_dev) IN_DEV_ORCONF((in_dev), IGNORE_ROUTES_WITH_LINKDOWN) =20 #define IN_DEV_ARPFILTER(in_dev) IN_DEV_ORCONF((in_dev), ARPFILTER) -#define IN_DEV_ARP_ACCEPT(in_dev) IN_DEV_ORCONF((in_dev), ARP_ACCEPT) +#define IN_DEV_ARP_ACCEPT(in_dev) IN_DEV_MAXCONF((in_dev), ARP_ACCEPT) #define IN_DEV_ARP_ANNOUNCE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE) #define IN_DEV_ARP_IGNORE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_IGNORE) #define IN_DEV_ARP_NOTIFY(in_dev) IN_DEV_MAXCONF((in_dev), ARP_NOTIFY) diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c index af2f12ffc9ca..5eedb042c50b 100644 --- a/net/ipv4/arp.c +++ b/net/ipv4/arp.c 
@@ -429,6 +429,26 @@ static int arp_ignore(struct in_device *in_dev, __be32= sip, __be32 tip) return !inet_confirm_addr(net, in_dev, sip, tip, scope); } =20 +static int arp_accept(struct in_device *in_dev, __be32 sip) +{ + struct net *net =3D dev_net(in_dev->dev); + int scope =3D RT_SCOPE_LINK; + + switch (IN_DEV_ARP_ACCEPT(in_dev)) { + case 0: /* don't create new entries from garp */ + return 0; + case 1: /* create new entries from garp */ + return 1; + case 2: /* + * create garp only if sip is in the same subnet + * as an address configured on the incoming interface + */ + return inet_confirm_addr(net, in_dev, sip, 0, scope) ? 1 : 0; + default: + return 0; + } +} + static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev) { struct rtable *rt; 
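Review bot: the `default: return 0;` arm of the new arp_accept() switch silently turns any value outside 0..2 into "ignore all garp", and nothing in this patch bounds the sysctl write; if the devinet handler for arp_accept is plain proc_dointvec, a typo such as `arp_accept=3` quietly disables learning, so either range-check the knob or state the fallback in the ip-sysctl.rst text that now calls it an INTEGER. Two style points in the same hunk: `case 2: /*` with the comment body starting on the next line is not the netdev comment layout (open with `/* text` on the first comment line, close `*/` on its own line), and `return !!inet_confirm_addr(net, in_dev, sip, 0, scope);` reads better than the `? 1 : 0`. The changelog should also spell out why the inetdevice.h hunk moves IN_DEV_ARP_ACCEPT from IN_DEV_ORCONF to IN_DEV_MAXCONF: with OR, all=1 plus per-interface=2 would produce 3 and land in that default arm, while with max() the subnet-restricted mode 2 wins whenever either level sets it, so a per-interface 1 cannot relax a global 2. That is a reasonable choice, but it is a semantic change to how the existing 0/1 values combine and deserves a sentence.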
@@ -868,12 +888,12 @@ static int arp_process(struct net *net, struct sock *= sk, struct sk_buff *skb) n =3D __neigh_lookup(&arp_tbl, &sip, dev, 0); =20 addr_type =3D -1; - if (n || IN_DEV_ARP_ACCEPT(in_dev)) { + if (n || arp_accept(in_dev, sip)) { is_garp =3D arp_is_garp(net, dev, &addr_type, arp->ar_op, sip, tip, sha, tha); } =20 - if (IN_DEV_ARP_ACCEPT(in_dev)) { + if (arp_accept(in_dev, sip)) { /* Unsolicited ARP is not accepted by default. It is possible, that this option should be enabled for some devices (strip is candidate) --=20 2.30.2
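Review bot: in the arp_process() hunk, arp_accept(in_dev, sip) is evaluated twice for the same packet, once in the `if (n || arp_accept(in_dev, sip))` guard and again in the `if (arp_accept(in_dev, sip))` block a few lines later; in mode 2 that is two walks over the interface address list per gratuitous ARP, on a receive path that any unauthenticated host on the segment can drive at line rate. Compute it once into a local (`bool accept = arp_accept(in_dev, sip);`) and test that in both places, as was effectively the case when the macro was a plain field read. Note also that because arp_is_garp() now only runs when `n` exists or arp_accept() passes, is_garp stays unset for an off-subnet source with no existing entry; that looks intended, but say so in the changelog since it is not obvious from the diff.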
From: Jaehee Park
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, linux-kernel@vger.kernel.org, aajith@arista.com, roopa@nvidia.com, aroulin@nvidia.com, sbrivio@redhat.com, jhpark1013@gmail.com
Subject: [PATCH net-next 2/3] net: ipv6: new accept_untracked_na option to accept na only if in-network
Date: Mon, 11 Jul 2022 13:51:17 -0400

This patch adds a third knob, '2', which extends the accept_untracked_na
option to learn a neighbor only if the src ip is in the same subnet of
addresses configured on the interfaces. This is similar to the
arp_accept configuration for ipv4.

Signed-off-by: Jaehee Park
Suggested-by: Roopa Prabhu
---
 Documentation/networking/ip-sysctl.rst | 50 +++++++++++++++-----------
 net/ipv6/addrconf.c                    |  2 +-
 net/ipv6/ndisc.c                       | 29 ++++++++++++---
 3 files changed, 55 insertions(+), 26 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 599373601a2b..2ee32224cae8 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -2482,27 +2482,36 @@ drop_unsolicited_na - BOOLEAN =20 By default this is turned off. =20 -accept_untracked_na - BOOLEAN - Add a new neighbour cache entry in STALE state for routers on receiving a - neighbour advertisement (either solicited or unsolicited) with target - link-layer address option specified if no neighbour entry is already - present for the advertised IPv6 address. Without this knob, NAs received - for untracked addresses (absent in neighbour cache) are silently ignored. - - This is as per router-side behaviour documented in RFC9131. - - This has lower precedence than drop_unsolicited_na. - - This will optimize the return path for the initial off-link communication - that is initiated by a directly connected host, by ensuring that - the first-hop router which turns on this setting doesn't have to - buffer the initial return packets to do neighbour-solicitation. - The prerequisite is that the host is configured to send - unsolicited neighbour advertisements on interface bringup. - This setting should be used in conjunction with the ndisc_notify setting - on the host to satisfy this prerequisite. +accept_untracked_na - INTEGER + Define behavior for accepting neighbor advertisements from devices that + are absent in the neighbor cache: =20 - By default this is turned off. + - 0 - (default) Do not accept unsolicited and untracked neighbor + advertisements. + + - 1 - Add a new neighbor cache entry in STALE state for routers on + receiving a neighbor advertisement (either solicited or unsolicited) + with target link-layer address option specified if no neighbor entry + is already present for the advertised IPv6 address. Without this knob, + NAs received for untracked addresses (absent in neighbor cache) are + silently ignored. + + This is as per router-side behavior documented in RFC9131. + + This has lower precedence than drop_unsolicited_na. 
+ + This will optimize the return path for the initial off-link + communication that is initiated by a directly connected host, by + ensuring that the first-hop router which turns on this setting doesn't + have to buffer the initial return packets to do neighbor-solicitation. + The prerequisite is that the host is configured to send unsolicited + neighbor advertisements on interface bringup. This setting should be + used in conjunction with the ndisc_notify setting on the host to + satisfy this prerequisite. + + - 2 - Extend option (1) to add a new neighbor cache entry only if the + source IP is in the same subnet as the configured address on the + received interface. =20 enhanced_dad - BOOLEAN Include a nonce option in the IPv6 neighbor solicitation messages used for @@ -2984,4 +2993,3 @@ max_dgram_qlen - INTEGER The maximum length of dgram socket receive queue =20 Default: 10 - diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 88becb037eb6..6ed807b6c647 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -7042,7 +7042,7 @@ static const struct ctl_table addrconf_sysctl[] =3D { .data =3D &ipv6_devconf.accept_untracked_na, .maxlen =3D sizeof(int), .mode =3D 0644, - .proc_handler =3D proc_dointvec_minmax, + .proc_handler =3D proc_dointvec, .extra1 =3D (void *)SYSCTL_ZERO, .extra2 =3D (void *)SYSCTL_ONE, }, diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index cd84cbdac0a2..57b0b1c9123a 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c 
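Review bot: the addrconf.c hunk swaps proc_dointvec_minmax for plain proc_dointvec but leaves `.extra1 = (void *)SYSCTL_ZERO` and `.extra2 = (void *)SYSCTL_ONE` in place; proc_dointvec ignores extra1/extra2, so accept_untracked_na now accepts any int (negative values included) while the table still looks bounded to a reader. Keep proc_dointvec_minmax and raise the ceiling instead: `.extra2 = (void *)SYSCTL_TWO,`. Two smaller points in the same patch: the `@@ -2984,4 +2993,3 @@` hunk that deletes the blank line after `Default: 10` under max_dgram_qlen is an unrelated whitespace change and should be dropped or split out; and in the new option 2 text, "the configured address on the received interface" should read "an address configured on the receiving interface", since an interface carries several addresses and it is the interface that receives the packet.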
@@ -967,6 +967,26 @@ static void ndisc_recv_ns(struct sk_buff *skb) in6_dev_put(idev); } =20 +static int accept_untracked_na(struct net_device *dev, struct in6_addr *sa= ddr) +{ + struct inet6_dev *idev =3D __in6_dev_get(dev); + + switch (idev->cnf.accept_untracked_na) { + case 0: /* don't accept untracked (absent in neighbor cache) */ + return 0; + case 1: /* create new entries if entry currently untracked */ + return 1; + case 2: /* + * create new entries from untracked only if saddr is in the + * same subnet as an address configured on the incoming + * interface + */ + return ipv6_chk_prefix(saddr, dev) ? 1 : 0; + default: + return 0; + } +} + static void ndisc_recv_na(struct sk_buff *skb) { struct nd_msg *msg =3D (struct nd_msg *)skb_transport_header(skb); 
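Review bot: accept_untracked_na() dereferences the result of `__in6_dev_get(dev)` with no NULL check, while its only caller (the ndisc_recv_na() hunk that follows) has already verified `idev`; pass `idev` in rather than looking it up a second time, which removes both the redundant lookup and the unchecked dereference. More importantly, the subnet test is applied to `saddr`, the IPv6 source of the advertisement, but the cache entry is created for `msg->target`. For the unsolicited NAs that ndisc_notify emits the two coincide, but nothing in a crafted NA forces that, and ipv6_chk_prefix() will match a link-local source against the fe80::/64 address an interface normally carries, so an on-link attacker can still plant an arbitrary off-subnet target under mode 2. Checking `&msg->target` (or both addresses) is what the commit message actually describes. Minor: ipv6_chk_prefix() already returns bool, so `return ipv6_chk_prefix(saddr, dev);` suffices, and the `case 2: /*` comment layout should follow the style used elsewhere in ndisc.c.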
@@ -1062,10 +1082,11 @@ static void ndisc_recv_na(struct sk_buff *skb) */ new_state =3D msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE; if (!neigh && lladdr && - idev && idev->cnf.forwarding && - idev->cnf.accept_untracked_na) { - neigh =3D neigh_create(&nd_tbl, &msg->target, dev); - new_state =3D NUD_STALE; + idev && idev->cnf.forwarding) { + if (accept_untracked_na(dev, saddr)) { + neigh =3D neigh_create(&nd_tbl, &msg->target, dev); + new_state =3D NUD_STALE; + } } =20 if (neigh && !IS_ERR(neigh)) { --=20 2.30.2
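Review bot: the ndisc_recv_na() hunk turns one `&&` term into a nested `if (accept_untracked_na(dev, saddr))` block and re-indents the existing `neigh_create()` and `new_state = NUD_STALE;` lines. Keep the condition flat instead, `idev && idev->cnf.forwarding && accept_untracked_na(idev, saddr)`, which preserves the original structure, shrinks the diff to two lines, and, since `idev` is known non-NULL at that point, is the natural place to hand it to the helper rather than having the helper call `__in6_dev_get(dev)` again.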
From: Jaehee Park
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, linux-kernel@vger.kernel.org, aajith@arista.com, roopa@nvidia.com, aroulin@nvidia.com, sbrivio@redhat.com, jhpark1013@gmail.com
Subject: [PATCH net-next 3/3] selftests: net: arp_ndisc_untracked_subnets: test for arp_accept and accept_untracked_na
Date: Mon, 11 Jul 2022 13:51:18 -0400

ipv4 arp_accept has a new option '2' to create new neighbor entries only
if the src ip is in the subnet of configured address on the interface.
This selftest tests all options in arp_accept.

ipv6 has a sysctl endpoint, accept_untracked_na, that defines the
behavior for accepting untracked neighbor advertisements. A new option
similar to that of arp_accept for learning only from the same subnet is
added to accept_untracked_na. This selftest tests this new feature.

Signed-off-by: Jaehee Park
Suggested-by: Roopa Prabhu
---
 tools/testing/selftests/net/Makefile                  |   1 +
 .../net/arp_ndisc_untracked_subnets.sh                | 281 ++++++++++++++++++
 2 files changed, 282 insertions(+)
 create mode 100755 tools/testing/selftests/net/arp_ndisc_untracked_subnets.sh

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile
index ddad703ace34..9c2e9e303c37 100644
--- a/tools/testing/selftests/net/Makefile
+++ b/tools/testing/selftests/net/Makefile
@@ -38,6 +38,7 @@ TEST_PROGS +=3D srv6_end_dt6_l3vpn_test.sh TEST_PROGS +=3D vrf_strict_mode_test.sh TEST_PROGS +=3D arp_ndisc_evict_nocarrier.sh TEST_PROGS +=3D ndisc_unsolicited_na_test.sh +TEST_PROGS +=3D arp_ndisc_untracked_subnets.sh TEST_PROGS +=3D stress_reuseport_listen.sh TEST_PROGS_EXTENDED :=3D in_netns.sh setup_loopback.sh setup_veth.sh TEST_PROGS_EXTENDED +=3D toeplitz_client.sh toeplitz.sh diff --git a/tools/testing/selftests/net/arp_ndisc_untracked_subnets.sh b/t= ools/testing/selftests/net/arp_ndisc_untracked_subnets.sh new file mode 100755 index 000000000000..57a14b4e26f2 --- /dev/null +++ b/tools/testing/selftests/net/arp_ndisc_untracked_subnets.sh 
@@ -0,0 +1,281 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# 2 namespaces: one host and one router. Use arping from the host to send a +# garp to the router. Router accepts or ignores based on its arp_accept +# configuration. + +TESTS=3D"arp ndisc" + +ROUTER_NS=3D"ns-router" +ROUTER_NS_V6=3D"ns-router-v6" +ROUTER_INTF=3D"veth-router" +ROUTER_ADDR=3D"10.0.10.1" +ROUTER_ADDR_V6=3D"2001:db8:abcd:0012::1" + +HOST_NS=3D"ns-host" +HOST_NS_V6=3D"ns-host-v6" +HOST_INTF=3D"veth-host" +HOST_ADDR=3D"10.0.10.2" +HOST_ADDR_V6=3D"2001:db8:abcd:0012::2" + +SUBNET_WIDTH=3D24 +SUBNET_WIDTH_V6=3D64 + +cleanup() { + ip netns del ${HOST_NS} + ip netns del ${ROUTER_NS} +} + +cleanup_v6() { + ip netns del ${HOST_NS_V6} + ip netns del ${ROUTER_NS_V6} +} + +setup() { + local arp_accept=3D$1 + + # setup two namespaces + ip netns add ${ROUTER_NS} + ip netns add ${HOST_NS} + + # setup interfaces veth0 and veth1, which are pairs in separate + # namespaces. veth0 is veth-router, veth1 is veth-host. + # first, setup the inteface's link to the namespace + # then, set the interface "up" + ip netns exec ${ROUTER_NS} ip link add name ${ROUTER_INTF} \ + type veth peer name ${HOST_INTF} + + ip netns exec ${ROUTER_NS} ip link set dev ${ROUTER_INTF} up + ip netns exec ${ROUTER_NS} ip link set dev ${HOST_INTF} netns ${HO= ST_NS} + + ip netns exec ${HOST_NS} ip link set dev ${HOST_INTF} up + ip netns exec ${ROUTER_NS} ip addr add ${ROUTER_ADDR}/${SUBNET_WID= TH} \ + dev ${ROUTER_INTF} + + ip netns exec ${HOST_NS} ip addr add ${HOST_ADDR}/${SUBNET_WIDTH} \ + dev ${HOST_INTF} + ip netns exec ${HOST_NS} ip route add default via ${HOST_ADDR} \ + dev ${HOST_INTF} + ip netns exec ${ROUTER_NS} ip route add default via ${ROUTER_ADDR}= \ + dev ${ROUTER_INTF} + + ROUTER_CONF=3Dnet.ipv4.conf.${ROUTER_INTF} + ip netns exec ${ROUTER_NS} sysctl -w \ + ${ROUTER_CONF}.arp_accept=3D${arp_accept} >/dev/null 2>&1 +} + +setup_v6() { + local accept_untracked_na=3D$1 + + # setup two namespaces + ip netns add 
${ROUTER_NS_V6} + ip netns add ${HOST_NS_V6} + + # setup interfaces veth0 and veth1, which are pairs in separate + # namespaces. veth0 is veth-router, veth1 is veth-host. + # first, setup the inteface's link to the namespace + # then, set the interface "up" + ip -6 -netns ${ROUTER_NS_V6} link add name ${ROUTER_INTF} \ + type veth peer name ${HOST_INTF} + + ip -6 -netns ${ROUTER_NS_V6} link set dev ${ROUTER_INTF} up + ip -6 -netns ${ROUTER_NS_V6} link set dev ${HOST_INTF} netns \ + ${HOST_NS_V6} + + ip -6 -netns ${HOST_NS_V6} link set dev ${HOST_INTF} up + ip -6 -netns ${ROUTER_NS_V6} addr add \ + ${ROUTER_ADDR_V6}/${SUBNET_WIDTH_V6} dev ${ROUTER_INTF} no= dad + + HOST_CONF=3Dnet.ipv6.conf.${HOST_INTF} + ip netns exec ${HOST_NS_V6} sysctl -qw ${HOST_CONF}.ndisc_notify= =3D1 + ip netns exec ${HOST_NS_V6} sysctl -qw ${HOST_CONF}.disable_ipv6= =3D0 + ip -6 -netns ${HOST_NS_V6} addr add ${HOST_ADDR_V6}/${SUBNET_WIDTH= _V6} \ + dev ${HOST_INTF} + + ROUTER_CONF=3Dnet.ipv6.conf.${ROUTER_INTF} + + ip netns exec ${ROUTER_NS_V6} sysctl -w \ + ${ROUTER_CONF}.forwarding=3D1 >/dev/null 2>&1 + ip netns exec ${ROUTER_NS_V6} sysctl -w \ + ${ROUTER_CONF}.drop_unsolicited_na=3D0 >/dev/null 2>&1 + ip netns exec ${ROUTER_NS_V6} sysctl -w \ + ${ROUTER_CONF}.accept_untracked_na=3D${accept_untracked_na= } \ + >/dev/null 2>&1 +} + +verify_arp() { + local arp_accept=3D$1 + local same_subnet=3D$2 + + # If no entries, there's an error, so stderr would not be 0. + neigh_show_output=3D$(ip netns exec ${ROUTER_NS} ip neigh get \ + ${HOST_ADDR} dev ${ROUTER_INTF} 2>/dev/null) + + if [ ${arp_accept} -eq 1 ]; then + # Neighbor entries expected. + [[ ${neigh_show_output} ]] + elif [ ${arp_accept} -eq 2 ]; then + if [ ${same_subnet} -eq 1 ]; then + # Neighbor entries expected. 
+ [[ ${neigh_show_output} ]] + else + [[ -z ${neigh_show_output} ]] + fi + else + [[ -z ${neigh_show_output} ]] + fi + } + +arp_test_gratuitous() { + local arp_accept=3D$1 + local same_subnet=3D$2 + + if [ ${arp_accept} -eq 2 ]; then + test_msg=3D("test_arp: " + "accept_arp=3D$1 " + "same_subnet=3D$2") + if [ ${same_subnet} -eq 0 ]; then + HOST_ADDR=3D10.0.11.3 + else + HOST_ADDR=3D10.0.10.3 + fi + else + test_msg=3D("test_arp: " + "accept_arp=3D$1") + fi + # supply arp_accept option to setup which sets it in sysctl + setup ${arp_accept} + ip netns exec ${HOST_NS} arping -A -U ${HOST_ADDR} -c1 2>&1 >/dev/= null + verify_arp $1 $2 + + if [ $? -eq 0 ]; then + printf " TEST: %-60s [ OK ]\n" "${test_msg[*]}" + else + printf " TEST: %-60s [FAIL]\n" "${test_msg[*]}" + fi + cleanup +} + +arp_test_gratuitous_combinations() { + arp_test_gratuitous 0 + arp_test_gratuitous 1 + arp_test_gratuitous 2 0 # second entry indicates subnet or not + arp_test_gratuitous 2 1 +} + +cleanup_tcpdump() { + set -e + [[ ! -z ${tcpdump_stdout} ]] && rm -f ${tcpdump_stdout} + [[ ! 
-z ${tcpdump_stderr} ]] && rm -f ${tcpdump_stderr} + tcpdump_stdout=3D + tcpdump_stderr=3D + set +e +} + +start_tcpdump() { + set -e + tcpdump_stdout=3D`mktemp` + tcpdump_stderr=3D`mktemp` + ip netns exec ${ROUTER_NS_V6} timeout 15s \ + tcpdump --immediate-mode -tpni ${ROUTER_INTF} -c 1 \ + "icmp6 && icmp6[0] =3D=3D 136 && src ${HOST_ADDR_V6}" \ + > ${tcpdump_stdout} 2> /dev/null + set +e +} + +verify_ndisc() { + local accept_untracked_na=3D$1 + local same_subnet=3D$2 + + neigh_show_output=3D$(ip -6 -netns ${ROUTER_NS_V6} neigh show \ + to ${HOST_ADDR_V6} dev ${ROUTER_INTF} nud stale) + + if [ ${accept_untracked_na} -eq 1 ]; then + # Neighbour entry expected to be present for 011 case + [[ ${neigh_show_output} ]] + elif [ ${accept_untracked_na} -eq 2 ]; then + if [ ${same_subnet} -eq 1 ]; then + [[ ${neigh_show_output} ]] + else + [[ -z ${neigh_show_output} ]] + fi + else + # Neighbour entry expected to be absent for all other cases + [[ -z ${neigh_show_output} ]] + fi +} + +ndisc_test_untracked_advertisements() { + # HOST_ADDR_V6=3D"2001:db8:91::3" + # ROUTER_ADDR_V6=3D"2001:db8:91::1" + test_msg=3D("test_ndisc: " + "accept_untracked_na=3D$1") + + local accept_untracked_na=3D$1 + local same_subnet=3D$2 + if [ ${accept_untracked_na} -eq 2 ]; then + test_msg=3D("test_ndisc: " + "accept_untracked_na=3D$1 " + "same_subnet=3D$2") + if [ ${same_subnet} -eq 0 ]; then + # not same subnet + HOST_ADDR_V6=3D2000:db8:abcd:0013::4 + else + HOST_ADDR_V6=3D2001:db8:abcd:0012::3 + fi + fi + setup_v6 $1 $2 + start_tcpdump + verify_ndisc $1 $2 + + if [ $? 
-eq 0 ]; then + printf " TEST: %-60s [ OK ]\n" "${test_msg[*]}" + else + printf " TEST: %-60s [FAIL]\n" "${test_msg[*]}" + fi + + cleanup_tcpdump + cleanup_v6 +} + +ndisc_test_untracked_combinations() { + ndisc_test_untracked_advertisements 0 + ndisc_test_untracked_advertisements 1 + ndisc_test_untracked_advertisements 2 0 + ndisc_test_untracked_advertisements 2 1 +} + +##########################################################################= ###### +# usage + +usage() +{ + cat < Test(s) to run (default: all) + (options: $TESTS) +EOF +} + +##########################################################################= ###### +# main + +while getopts ":t:h" opt; do + case $opt in + t) TESTS=3D$OPTARG;; + h) usage; exit 0;; + *) usage; exit 1;; + esac +done + +for t in $TESTS +do + case $t in + arp_test_gratuitous_combinations|arp) arp_test_gratuitous_combinat= ions;; + ndisc_test_untracked_combinations|ndisc) \ + ndisc_test_untracked_combinations;; + help) echo "Test names: $TESTS"; exit 0;; +esac +done --=20 2.30.2
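Review bot: start_tcpdump() enables `set -e` and then runs `timeout 15s tcpdump ... -c 1` in the foreground, but setup_v6 has already added the host address (which is what triggers the ndisc_notify advertisement) before tcpdump starts; if the NA has gone by, timeout exits 124 and, under `set -e`, the whole script aborts instead of printing FAIL for that case. Its output file is never read either, so tcpdump is only acting as a wait; start it in the background before the address is added, or replace it with a short poll on `ip -6 neigh show`. Other points in the script: there is no `trap cleanup EXIT`, so any early exit leaves ns-host/ns-router behind and the next `ip netns add` fails; `ip route add default via ${HOST_ADDR} dev ${HOST_INTF}` (and the router equivalent) points a namespace's default route at its own address, which the on-link garp/NA exchange under test does not need and which should go; and the arp test labels print `accept_arp=` while the sysctl is `arp_accept`, which makes the OK/FAIL lines harder to grep.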