Message-ID: <e5d1e7da-0b90-45d7-b7ab-75ce2ef79208@nbd.name>
Date: Tue, 9 Jan 2024 12:58:13 +0100
From: Felix Fietkau <nbd@....name>
To: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] net: bridge: do not send arp replies if src and
target hw addr is the same
On 09.01.24 12:36, Paolo Abeni wrote:
> On Thu, 2024-01-04 at 15:25 +0100, Felix Fietkau wrote:
>> There are broken devices in the wild that handle duplicate IP address
>> detection by sending out ARP requests for the IP that they received from a
>> DHCP server and refuse the address if they get a reply.
>> When proxyarp is enabled, they would go into a loop of requesting an address
>> and then NAKing it again.
>
> Can you instead provide the same functionality with some nft/tc
> ingress/ebpf filter?
>
> I feel uneasy to hard code this kind of policy, even if it looks
> sensible. I suspect it could break some other currently working weird
> device behavior.
>
> Otherwise it could be nice to provide some arpfilter flag to
> enable/disable this kind of filtering.

I don't see how it could break anything, because it wouldn't suppress
non-proxied responses. nft/arpfilter is just too expensive, and I don't
think it makes sense to force the use of tc filters to suppress
nonsensical responses generated by the bridge layer.
- Felix