On 13/04/2023 12:58, Ido Schimmel wrote:
> Background
> ==========
>
> In order to minimize the flooding of ARP and ND messages in the VXLAN
> network, EVPN includes provisions [1] that allow participating VTEPs to
> suppress such messages in case they know the MAC-IP binding and can
> reply on behalf of the remote host. In Linux, the above is implemented
> in the bridge driver using a per-port option called "neigh_suppress"
> that was added in kernel version 4.15 [2].
>
> Motivation
> ==========
>
> Some applications use ARP messages as keepalives between the application
> nodes in the network. This works perfectly well when two nodes are
> connected to the same VTEP. When a node goes down it will stop
> responding to ARP requests and the other node will notice it
> immediately.
>
> However, when the two nodes are connected to different VTEPs and
> neighbor suppression is enabled, the local VTEP will reply to ARP
> requests even after the remote node went down, until certain timers
> expire and the EVPN control plane decides to withdraw the MAC/IP
> Advertisement route for the address. Therefore, some users would like to
> be able to disable neighbor suppression on VLANs where such applications
> reside and keep it enabled on the rest.
>
> Implementation
> ==============
>
> The proposed solution is to allow user space to control neighbor
> suppression on a per-{Port, VLAN} basis, in a similar fashion to other
> per-port options that gained per-{Port, VLAN} counterparts such as
> "mcast_router". This allows users to benefit from the operational
> simplicity and scalability associated with shared VXLAN devices (i.e.,
> external / collect-metadata mode), while still allowing for per-VLAN/VNI
> neighbor suppression control.
>
> The user interface is extended with a new "neigh_vlan_suppress" bridge
> port option that allows user space to enable per-{Port, VLAN} neighbor
> suppression on the bridge port. When enabled, the existing
> "neigh_suppress" option has no effect and neighbor suppression is
> controlled using a new "neigh_suppress" VLAN option. Example usage:
>
> # bridge link set dev vxlan0 neigh_vlan_suppress on
> # bridge vlan add vid 10 dev vxlan0
> # bridge vlan set vid 10 dev vxlan0 neigh_suppress on
>
> Testing
> =======
>
> Tested using existing bridge selftests. Added a dedicated selftest in
> the last patch.
>
> Patchset overview
> =================
>
> Patches #1-#5 are preparations.
>
> Patch #6 adds per-{Port, VLAN} neighbor suppression support to the
> bridge's data path.
>
> Patches #7-#8 add the required netlink attributes to enable the feature.
>
> Patch #9 adds a selftest.
>
> iproute2 patches can be found here [3].
>
> [1] https://www.rfc-editor.org/rfc/rfc7432#section-10
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a42317785c898c0ed46db45a33b0cc71b671bf29
> [3] https://github.com/idosch/iproute2/tree/submit/neigh_suppress_v1
>
> Ido Schimmel (9):
> bridge: Reorder neighbor suppression check when flooding
> bridge: Pass VLAN ID to br_flood()
> bridge: Add internal flags for per-{Port, VLAN} neighbor suppression
> bridge: Take per-{Port, VLAN} neighbor suppression into account
> bridge: Encapsulate data path neighbor suppression logic
> bridge: Add per-{Port, VLAN} neighbor suppression data path support
> bridge: vlan: Allow setting VLAN neighbor suppression state
> bridge: Allow setting per-{Port, VLAN} neighbor suppression state
> selftests: net: Add bridge neighbor suppression test
>
> include/linux/if_bridge.h | 1 +
> include/uapi/linux/if_bridge.h | 1 +
> include/uapi/linux/if_link.h | 1 +
> net/bridge/br_arp_nd_proxy.c | 33 +-
> net/bridge/br_device.c | 8 +-
> net/bridge/br_forward.c | 8 +-
> net/bridge/br_if.c | 2 +-
> net/bridge/br_input.c | 2 +-
> net/bridge/br_netlink.c | 8 +-
> net/bridge/br_private.h | 5 +-
> net/bridge/br_vlan.c | 1 +
> net/bridge/br_vlan_options.c | 20 +-
> net/core/rtnetlink.c | 2 +-
> tools/testing/selftests/net/Makefile | 1 +
> .../net/test_bridge_neigh_suppress.sh | 862 ++++++++++++++++++
> 15 files changed, 936 insertions(+), 19 deletions(-)
> create mode 100755 tools/testing/selftests/net/test_bridge_neigh_suppress.sh
>
The set looks good to me, nicely split and pretty straight-forward.
For the set:
Acked-by: Nikolay Aleksandrov <razor@xxxxxxxxxxxxx>
