From: Jakub Kicinski
Date: Fri, 1 May 2026 00:35:20 +0000 (-0700)
Subject: Merge branch 'bridge-do-not-suppress-arp-probes-and-dad-ns-unconditionally'
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4eb407d9da30681923c084dd4ce4af390ce76079;p=thirdparty%2Flinux.git

Merge branch 'bridge-do-not-suppress-arp-probes-and-dad-ns-unconditionally'

Danielle Ratson says:

====================
bridge: Do not suppress ARP probes and DAD NS unconditionally

When using bridge neighbor suppression in EVPN deployments, Duplicate
Address Detection (DAD) is currently broken for both IPv4 (ARP probes)
and IPv6 (DAD Neighbor Solicitations). This prevents proper address
conflict detection across the VXLAN fabric.

The neighbor suppression feature allows the bridge to reply to ARP/NS
messages on behalf of remote hosts when FDB and neighbor entries exist,
suppressing unnecessary flooding over the VXLAN overlay. However, the
current implementation unconditionally suppresses ARP probes and DAD NS,
which breaks DAD.

For DAD to work correctly:
- When the bridge doesn't know the answer: flood the probe/DAD packet to
  allow remote VTEPs to respond.
- When the bridge knows the answer: reply to indicate the address is in
  use.

This series fixes the issue by adjusting the early suppression checks to
exclude ARP probes and DAD NS from unconditional suppression, allowing
them to reach the normal FDB lookup path. Gratuitous ARP and IPv6
unsolicited-NA messages are still suppressed unconditionally as before.

Patchset overview:
Patch #1: Fixes the unconditional suppression.
Patch #2: Adds selftests.
====================

Link: https://patch.msgid.link/20260429062405.1386417-1-danieller@nvidia.com
Signed-off-by: Jakub Kicinski
---
4eb407d9da30681923c084dd4ce4af390ce76079
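
The decision the cover letter describes, as an added user-space model; it is not code from the series or from the kernel, and every type, field and function name in it is hypothetical. It assumes the standard definitions of an ARP probe (all-zero sender IP, RFC 5227) and a DAD NS (unspecified source address, RFC 4862), and uses a `fixed` flag to contrast the old unconditional suppression with the behaviour after the series.

```c
/* Added illustration: a simplified model, not the kernel's implementation.
 * All names below are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { FLOOD, PROXY_REPLY, SUPPRESS };

struct arp_req { uint32_t sip, tip; };              /* sender / target IPv4 */
struct nd_msg  { uint8_t src[16]; bool unsol_na; }; /* IPv6 source; unsolicited NA? */

/* RFC 5227: an ARP probe carries an all-zero sender IP. */
static bool arp_is_probe(const struct arp_req *a) { return a->sip == 0; }

/* Gratuitous ARP: the sender announces its own address (sip == tip). */
static bool arp_is_gratuitous(const struct arp_req *a) { return a->sip != 0 && a->sip == a->tip; }

/* RFC 4862: a DAD NS is sent from the unspecified address (::). */
static bool nd_is_dad_ns(const struct nd_msg *m)
{
    static const uint8_t unspec[16];
    return !m->unsol_na && memcmp(m->src, unspec, sizeof(unspec)) == 0;
}

/* known: the bridge holds FDB and neighbor entries for the target.
 * fixed: false models the old early check, true the behaviour after the series. */
static enum verdict arp_verdict(const struct arp_req *a, bool known, bool fixed)
{
    if (arp_is_gratuitous(a) || (!fixed && arp_is_probe(a)))
        return SUPPRESS;                 /* never reaches the lookup path */
    return known ? PROXY_REPLY : FLOOD;  /* normal FDB lookup path */
}

static enum verdict nd_verdict(const struct nd_msg *m, bool known, bool fixed)
{
    if (m->unsol_na || (!fixed && nd_is_dad_ns(m)))
        return SUPPRESS;
    return known ? PROXY_REPLY : FLOOD;
}

int main(void)
{
    struct arp_req probe = { 0, 0xC0000205 }; /* constructed: probe for 192.0.2.5 */
    struct nd_msg dad = { {0}, false };       /* constructed: NS sourced from :: */
    printf("ARP probe, target unknown: old=%d new=%d\n",
           arp_verdict(&probe, false, false), arp_verdict(&probe, false, true));
    printf("DAD NS, target known: old=%d new=%d\n",
           nd_verdict(&dad, true, false), nd_verdict(&dad, true, true));
    return 0;
}
```

In the old model a duplicate address on a remote VTEP is never reported, because the probe is dropped before either the flood or the proxy reply can happen.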