bridge: Do not suppress ARP probes and DAD NS unconditionally

When neighbor suppression is enabled on a VXLAN port, the bridge is
expected to reply to ARP/NS messages on behalf of remote hosts when both
FDB and neighbor entries exist. This allows the bridge to suppress
flooding of these messages to the VXLAN overlay.

According to RFC 9161 ("Operational Aspects of Proxy ARP/ND in Ethernet
Virtual Private Networks"):
"A PE SHOULD reply to broadcast/multicast address resolution messages,
i.e., ARP Requests, ARP probes, NS messages, as well as DAD NS messages.
An ARP probe is an ARP Request constructed with an all-zero sender IP
address that may be used by hosts for IPv4 Address Conflict Detection as
specified in [RFC5227]".

However, the current implementation unconditionally suppresses ARP probes
and DAD Neighbor Solicitations, which breaks Duplicate Address Detection
(DAD) over EVPN.

For DAD to work correctly over the VXLAN fabric:
- When the bridge does not know the answer:
  flood the probe/DAD packet to allow remote VTEPs to respond.
- When the bridge knows the answer:
  reply to indicate the address is in use.

Fix by adjusting the early suppression checks to exclude ARP probes and
DAD NS from unconditional suppression.

When replying to a DAD NS, br_nd_send() is adjusted to set the NA
destination to the all-nodes multicast address (ff02::1) and clear the
Solicited flag, in accordance with RFC 4861 section 7.2.4.

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260429062405.1386417-2-danieller@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
index deb1ab1f24b05921417502bfb9508e6de4e78c2e..3205346f298cad161c4d334eed1ad21a86b3821f 100644 (file)
--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -164,7 +164,7 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
                        return;
                if (parp->ar_op != htons(ARPOP_RREQUEST) &&
                    parp->ar_op != htons(ARPOP_RREPLY) &&
-                   (ipv4_is_zeronet(sip) || sip == tip)) {
+                   sip == tip) {
                        /* prevent flooding to neigh suppress ports */
                        BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                        return;
@@ -262,6 +262,7 @@ static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p,
        int ns_olen;
        int i, len;
        u8 *daddr;
+       bool dad;
        u16 pvid;
 
        if (!dev || skb_linearize(request))
@@ -300,8 +301,13 @@ static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p,
                }
        }
 
+       dad = ipv6_addr_any(&ipv6_hdr(request)->saddr);
+
        /* Ethernet header */
-       ether_addr_copy(eth_hdr(reply)->h_dest, daddr);
+       if (dad)
+               ipv6_eth_mc_map(&in6addr_linklocal_allnodes, eth_hdr(reply)->h_dest);
+       else
+               ether_addr_copy(eth_hdr(reply)->h_dest, daddr);
        ether_addr_copy(eth_hdr(reply)->h_source, n->ha);
        eth_hdr(reply)->h_proto = htons(ETH_P_IPV6);
        reply->protocol = htons(ETH_P_IPV6);
@@ -317,7 +323,7 @@ static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p,
        pip6->priority = ipv6_hdr(request)->priority;
        pip6->nexthdr = IPPROTO_ICMPV6;
        pip6->hop_limit = 255;
-       pip6->daddr = ipv6_hdr(request)->saddr;
+       pip6->daddr = dad ? in6addr_linklocal_allnodes : ipv6_hdr(request)->saddr;
        pip6->saddr = *(struct in6_addr *)n->primary_key;
 
        skb_pull(reply, sizeof(struct ipv6hdr));
@@ -330,7 +336,7 @@ static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p,
        na->icmph.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT;
        na->icmph.icmp6_router = (n->flags & NTF_ROUTER) ? 1 : 0;
        na->icmph.icmp6_override = 1;
-       na->icmph.icmp6_solicited = 1;
+       na->icmph.icmp6_solicited = dad ? 0 : 1;
        na->target = ns->target;
        ether_addr_copy(&na->opt[2], n->ha);
        na->opt[0] = ND_OPT_TARGET_LL_ADDR;
@@ -435,7 +441,7 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
        saddr = &iphdr->saddr;
        daddr = &iphdr->daddr;
 
-       if (ipv6_addr_any(saddr) || !ipv6_addr_cmp(saddr, daddr)) {
+       if (!ipv6_addr_cmp(saddr, daddr)) {
                /* prevent flooding to neigh suppress ports */
                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                return;