* [PATCH iproute2 -next 0/4] ip, neigh: Add managed neighbor support
@ 2021-10-15 22:53 Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 1/4] Update kernel headers Daniel Borkmann
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Daniel Borkmann @ 2021-10-15 22:53 UTC (permalink / raw)
  To: dsahern; +Cc: netdev, Daniel Borkmann

iproute2 patches to add support for managed neighbor entries as per recent
net-next commits:

  2ed08b5ead3c ("Merge branch 'Managed-Neighbor-Entries'")
  c47fedba94bc ("Merge branch 'minor-managed-neighbor-follow-ups'")

Thanks!

Daniel Borkmann (4):
  Update kernel headers
  ip, neigh: Fix up spacing in netlink dump
  ip, neigh: Add missing NTF_USE support
  ip, neigh: Add NTF_EXT_MANAGED support

 include/uapi/linux/neighbour.h | 35 +++++++++++++++++++++----------
 ip/ipneigh.c                   | 38 ++++++++++++++++++++++------------
 man/man8/ip-neighbour.8        | 17 +++++++++++++++
 3 files changed, 66 insertions(+), 24 deletions(-)

-- 
2.27.0



* [PATCH iproute2 -next 1/4] Update kernel headers
  2021-10-15 22:53 [PATCH iproute2 -next 0/4] ip, neigh: Add managed neighbor support Daniel Borkmann
@ 2021-10-15 22:53 ` Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 2/4] ip, neigh: Fix up spacing in netlink dump Daniel Borkmann
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2021-10-15 22:53 UTC (permalink / raw)
  To: dsahern; +Cc: netdev, Daniel Borkmann

Update kernel headers to commits:

    2c611ad97a82 ("net, neigh: Extend neigh->flags to 32 bit to allow for extensions")
    7482e3841d52 ("net, neigh: Add NTF_MANAGED flag for managed neighbor entries")

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 include/uapi/linux/neighbour.h | 35 +++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 00a60695..db05fb55 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -31,6 +31,7 @@ enum {
 	NDA_PROTOCOL,  /* Originator of entry */
 	NDA_NH_ID,
 	NDA_FDB_EXT_ATTRS,
+	NDA_FLAGS_EXT,
 	__NDA_MAX
 };
 
@@ -40,14 +41,16 @@ enum {
  *	Neighbor Cache Entry Flags
  */
 
-#define NTF_USE		0x01
-#define NTF_SELF	0x02
-#define NTF_MASTER	0x04
-#define NTF_PROXY	0x08	/* == ATF_PUBL */
-#define NTF_EXT_LEARNED	0x10
-#define NTF_OFFLOADED   0x20
-#define NTF_STICKY	0x40
-#define NTF_ROUTER	0x80
+#define NTF_USE		(1 << 0)
+#define NTF_SELF	(1 << 1)
+#define NTF_MASTER	(1 << 2)
+#define NTF_PROXY	(1 << 3)	/* == ATF_PUBL */
+#define NTF_EXT_LEARNED	(1 << 4)
+#define NTF_OFFLOADED   (1 << 5)
+#define NTF_STICKY	(1 << 6)
+#define NTF_ROUTER	(1 << 7)
+/* Extended flags under NDA_FLAGS_EXT: */
+#define NTF_EXT_MANAGED	(1 << 0)
 
 /*
  *	Neighbor Cache Entry States.
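Review bot: NTF_EXT_MANAGED is defined as (1 << 0), the same value as NTF_USE, and its NTF_EXT_ prefix matches NTF_EXT_LEARNED, which is an ndm_flags bit rather than an NDA_FLAGS_EXT bit. The one-line comment above it is the only thing telling a reader the bit belongs to a different field, so a test of NTF_EXT_MANAGED against ndm_flags would compile and silently act on NTF_USE. Since this file is a copy of the kernel header the name cannot change here, but users of the header in ip/ipneigh.c should keep the two flag words in separately named variables and never mix the masks.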
@@ -65,12 +68,22 @@ enum {
 #define NUD_PERMANENT	0x80
 #define NUD_NONE	0x00
 
-/* NUD_NOARP & NUD_PERMANENT are pseudostates, they never change
- * and make no address resolution or NUD.
- * NUD_PERMANENT also cannot be deleted by garbage collectors.
+/* NUD_NOARP & NUD_PERMANENT are pseudostates, they never change and make no
+ * address resolution or NUD.
+ *
+ * NUD_PERMANENT also cannot be deleted by garbage collectors. This holds true
+ * for dynamic entries with NTF_EXT_LEARNED flag as well. However, upon carrier
+ * down event, NUD_PERMANENT entries are not flushed whereas NTF_EXT_LEARNED
+ * flagged entries explicitly are (which is also consistent with the routing
+ * subsystem).
+ *
  * When NTF_EXT_LEARNED is set for a bridge fdb entry the different cache entry
  * states don't make sense and thus are ignored. Such entries don't age and
  * can roam.
+ *
+ * NTF_EXT_MANAGED flagged neigbor entries are managed by the kernel on behalf
+ * of a user space control plane, and automatically refreshed so that (if
+ * possible) they remain in NUD_REACHABLE state.
  */
 
 struct nda_cacheinfo {
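Review bot: the added comment paragraph misspells "neighbor" as "neigbor" in "NTF_EXT_MANAGED flagged neigbor entries". Because this header is synced from the kernel commits named in the commit message, the spelling fix belongs in the kernel tree and should arrive here with the next header update rather than as a local edit.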
-- 
2.27.0



* [PATCH iproute2 -next 2/4] ip, neigh: Fix up spacing in netlink dump
  2021-10-15 22:53 [PATCH iproute2 -next 0/4] ip, neigh: Add managed neighbor support Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 1/4] Update kernel headers Daniel Borkmann
@ 2021-10-15 22:53 ` Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 3/4] ip, neigh: Add missing NTF_USE support Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 4/4] ip, neigh: Add NTF_EXT_MANAGED support Daniel Borkmann
  3 siblings, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2021-10-15 22:53 UTC (permalink / raw)
  To: dsahern; +Cc: netdev, Daniel Borkmann

Fix up spacing to consistently add a single ' ' after an attribute has
been printed. Currently, it is a bit of a mix of before and after which
can lead to double spacing to be printed.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 ip/ipneigh.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/ip/ipneigh.c b/ip/ipneigh.c
index b778de00..564e787c 100644
--- a/ip/ipneigh.c
+++ b/ip/ipneigh.c
@@ -235,7 +235,7 @@ static void print_neigh_state(unsigned int nud)
 #define PRINT_FLAG(f)						\
 	if (nud & NUD_##f) {					\
 		nud &= ~NUD_##f;				\
-		print_string(PRINT_ANY, NULL, " %s", #f);	\
+		print_string(PRINT_ANY, NULL, "%s ", #f);	\
 	}
 
 	PRINT_FLAG(INCOMPLETE);
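Review bot: with PRINT_FLAG now emitting "%s ", each state name carries a trailing space, and the usage output in 3/4 shows the state as the last field on the line, so text-mode lines would end in a space before the newline. If nothing after print_neigh_state() trims it, consider printing the final field without the separator, since scripts that compare or split "ip neigh" output can be sensitive to trailing whitespace.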
@@ -423,27 +423,27 @@ int print_neigh(struct nlmsghdr *n, void *arg)
 			fprintf(fp, "lladdr ");
 
 		print_color_string(PRINT_ANY, COLOR_MAC,
-				   "lladdr", "%s", lladdr);
+				   "lladdr", "%s ", lladdr);
 	}
 
 	if (r->ndm_flags & NTF_ROUTER)
-		print_null(PRINT_ANY, "router", " %s", "router");
+		print_null(PRINT_ANY, "router", "%s ", "router");
 
 	if (r->ndm_flags & NTF_PROXY)
-		print_null(PRINT_ANY, "proxy", " %s", "proxy");
+		print_null(PRINT_ANY, "proxy", "%s ", "proxy");
 
 	if (r->ndm_flags & NTF_EXT_LEARNED)
-		print_null(PRINT_ANY, "extern_learn", " %s ", "extern_learn");
+		print_null(PRINT_ANY, "extern_learn", "%s ", "extern_learn");
 
 	if (r->ndm_flags & NTF_OFFLOADED)
-		print_null(PRINT_ANY, "offload", " %s", "offload");
+		print_null(PRINT_ANY, "offload", "%s ", "offload");
 
 	if (show_stats) {
 		if (tb[NDA_CACHEINFO])
 			print_cacheinfo(RTA_DATA(tb[NDA_CACHEINFO]));
 
 		if (tb[NDA_PROBES])
-			print_uint(PRINT_ANY, "probes", " probes %u",
+			print_uint(PRINT_ANY, "probes", "probes %u ",
 				   rta_getattr_u32(tb[NDA_PROBES]));
 	}
 
@@ -453,7 +453,7 @@ int print_neigh(struct nlmsghdr *n, void *arg)
 	if (protocol) {
 		SPRINT_BUF(b1);
 
-		print_string(PRINT_ANY, "protocol", " proto %s ",
+		print_string(PRINT_ANY, "protocol", "proto %s ",
 			     rtnl_rtprot_n2a(protocol, b1, sizeof(b1)));
 	}
 
-- 
2.27.0



* [PATCH iproute2 -next 3/4] ip, neigh: Add missing NTF_USE support
  2021-10-15 22:53 [PATCH iproute2 -next 0/4] ip, neigh: Add managed neighbor support Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 1/4] Update kernel headers Daniel Borkmann
  2021-10-15 22:53 ` [PATCH iproute2 -next 2/4] ip, neigh: Fix up spacing in netlink dump Daniel Borkmann
@ 2021-10-15 22:53 ` Daniel Borkmann
  2021-10-16  0:18   ` David Ahern
  2021-10-15 22:53 ` [PATCH iproute2 -next 4/4] ip, neigh: Add NTF_EXT_MANAGED support Daniel Borkmann
  3 siblings, 1 reply; 7+ messages in thread
From: Daniel Borkmann @ 2021-10-15 22:53 UTC (permalink / raw)
  To: dsahern; +Cc: netdev, Daniel Borkmann

Currently, ip neigh does not support the NTF_USE flag. Similar to other flags
such as extern_learn, add cmdline support. The flag dump support is explicitly
missing here, since the kernel does not propagate the flag back to user space.

Usage example:

  # ./ip/ip n replace 192.168.178.30 dev enp5s0 use extern_learn
  # ./ip/ip n
  192.168.178.30 dev enp5s0 lladdr f4:8c:50:5e:71:9a extern_learn REACHABLE
  [...]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 ip/ipneigh.c            | 4 +++-
 man/man8/ip-neighbour.8 | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ip/ipneigh.c b/ip/ipneigh.c
index 564e787c..9510e03e 100644
--- a/ip/ipneigh.c
+++ b/ip/ipneigh.c
@@ -51,7 +51,7 @@ static void usage(void)
 	fprintf(stderr,
 		"Usage: ip neigh { add | del | change | replace }\n"
 		"		{ ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n"
-		"		[ dev DEV ] [ router ] [ extern_learn ] [ protocol PROTO ]\n"
+		"		[ dev DEV ] [ router ] [ use ] [ extern_learn ] [ protocol PROTO ]\n"
 		"\n"
 		"	ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]\n"
 		"				  [ vrf NAME ]\n"
@@ -148,6 +148,8 @@ static int ipneigh_modify(int cmd, int flags, int argc, char **argv)
 			req.ndm.ndm_flags |= NTF_PROXY;
 		} else if (strcmp(*argv, "router") == 0) {
 			req.ndm.ndm_flags |= NTF_ROUTER;
+		} else if (strcmp(*argv, "use") == 0) {
+			req.ndm.ndm_flags |= NTF_USE;
 		} else if (matches(*argv, "extern_learn") == 0) {
 			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
 		} else if (strcmp(*argv, "dev") == 0) {
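Review bot: the new "use" branch in ipneigh_modify() sets NTF_USE without looking at cmd, so "ip neigh del ... use" is accepted even though the man page text added in this patch only describes resolve and refresh behaviour. Consider rejecting the keyword for delete, or stating in the man page that it applies to add, change and replace only.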
diff --git a/man/man8/ip-neighbour.8 b/man/man8/ip-neighbour.8
index a27f9ef8..ed2dcd5a 100644
--- a/man/man8/ip-neighbour.8
+++ b/man/man8/ip-neighbour.8
@@ -25,6 +25,7 @@ ip-neighbour \- neighbour/arp tables management.
 .B  dev
 .IR DEV " ] [ "
 .BR router " ] [ "
+.BR use " ] [ "
 .BR extern_learn " ]"
 
 .ti -8
@@ -91,6 +92,13 @@ indicates whether we are proxying for this neighbour entry
 .BI router
 indicates whether neighbour is a router
 
+.TP
+.BI use
+this neigh entry is in "use". This option can be used to indicate to
+the kernel that a controller is using this dynamic entry. If the entry
+does not exist, the kernel will resolve it. If it exists, an attempt
+to refresh the neighbor entry will be triggered.
+
 .TP
 .BI extern_learn
 this neigh entry was learned externally. This option can be used to
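Review bot: the new "use" paragraph does not say that the flag never appears in "ip neigh show" output, which the commit message states explicitly ("the kernel does not propagate the flag back to user space"). A sentence to that effect in the man page would save users from concluding that the option was ignored when they cannot see it in the dump.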
-- 
2.27.0



* [PATCH iproute2 -next 4/4] ip, neigh: Add NTF_EXT_MANAGED support
  2021-10-15 22:53 [PATCH iproute2 -next 0/4] ip, neigh: Add managed neighbor support Daniel Borkmann
                   ` (2 preceding siblings ...)
  2021-10-15 22:53 ` [PATCH iproute2 -next 3/4] ip, neigh: Add missing NTF_USE support Daniel Borkmann
@ 2021-10-15 22:53 ` Daniel Borkmann
  3 siblings, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2021-10-15 22:53 UTC (permalink / raw)
  To: dsahern; +Cc: netdev, Daniel Borkmann

Currently, ip neigh does not support the NTF_EXT_MANAGED flag. Add cmdline
support.

Usage example:

  # ./ip/ip n replace 192.168.178.30 dev enp5s0 managed extern_learn
  # ./ip/ip n
  192.168.178.30 dev enp5s0 lladdr f4:8c:50:5e:71:9a managed extern_learn REACHABLE
  [...]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 ip/ipneigh.c            | 20 +++++++++++++++-----
 man/man8/ip-neighbour.8 |  9 +++++++++
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/ip/ipneigh.c b/ip/ipneigh.c
index 9510e03e..9a56b4a5 100644
--- a/ip/ipneigh.c
+++ b/ip/ipneigh.c
@@ -51,7 +51,8 @@ static void usage(void)
 	fprintf(stderr,
 		"Usage: ip neigh { add | del | change | replace }\n"
 		"		{ ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n"
-		"		[ dev DEV ] [ router ] [ use ] [ extern_learn ] [ protocol PROTO ]\n"
+		"		[ dev DEV ] [ router ] [ use ] [ managed ] [ extern_learn ]\n"
+		"		[ protocol PROTO ]\n"
 		"\n"
 		"	ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]\n"
 		"				  [ vrf NAME ]\n"
@@ -115,6 +116,7 @@ static int ipneigh_modify(int cmd, int flags, int argc, char **argv)
 		.ndm.ndm_family = preferred_family,
 		.ndm.ndm_state = NUD_PERMANENT,
 	};
+	__u32 ext_flags = 0;
 	char  *dev = NULL;
 	int dst_ok = 0;
 	int dev_ok = 0;
@@ -150,6 +152,9 @@ static int ipneigh_modify(int cmd, int flags, int argc, char **argv)
 			req.ndm.ndm_flags |= NTF_ROUTER;
 		} else if (strcmp(*argv, "use") == 0) {
 			req.ndm.ndm_flags |= NTF_USE;
+		} else if (strcmp(*argv, "managed") == 0) {
+			ext_flags |= NTF_EXT_MANAGED;
+			req.ndm.ndm_state = NUD_NONE;
 		} else if (matches(*argv, "extern_learn") == 0) {
 			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
 		} else if (strcmp(*argv, "dev") == 0) {
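Review bot: "req.ndm.ndm_state = NUD_NONE" in the "managed" branch is assigned inside the argument loop, so the resulting state depends on argument order. An explicit "nud STATE" given before "managed" is silently overwritten, while one given after it presumably wins over NUD_NONE. Consider recording that "managed" was seen and resolving the state once after the loop, either by rejecting the combination with an error or by documenting which of the two takes precedence.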
@@ -185,7 +190,10 @@ static int ipneigh_modify(int cmd, int flags, int argc, char **argv)
 	req.ndm.ndm_family = dst.family;
 	if (addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen) < 0)
 		return -1;
-
+	if (ext_flags &&
+	    addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
+		      sizeof(ext_flags)) < 0)
+		return -1;
 	if (lla && strcmp(lla, "null")) {
 		char llabuf[20];
 		int l;
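Review bot: the NDA_FLAGS_EXT attribute is written with addattr_l() and sizeof(ext_flags), while the read side in print_neigh() uses rta_getattr_u32(). Using addattr32(&req.n, sizeof(req), NDA_FLAGS_EXT, ext_flags) would make the u32 width explicit on both sides and shorten the condition. The hunk also drops the blank line that separated the NDA_DST block from the lladdr handling, which makes the three steps harder to tell apart; keeping a blank line before and after the new block would read better.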
@@ -305,6 +313,7 @@ int print_neigh(struct nlmsghdr *n, void *arg)
 	int len = n->nlmsg_len;
 	struct rtattr *tb[NDA_MAX+1];
 	static int logit = 1;
+	__u32 ext_flags = 0;
 	__u8 protocol = 0;
 
 	if (n->nlmsg_type != RTM_NEWNEIGH && n->nlmsg_type != RTM_DELNEIGH &&
@@ -348,6 +357,8 @@ int print_neigh(struct nlmsghdr *n, void *arg)
 
 	if (tb[NDA_PROTOCOL])
 		protocol = rta_getattr_u8(tb[NDA_PROTOCOL]);
+	if (tb[NDA_FLAGS_EXT])
+		ext_flags = rta_getattr_u32(tb[NDA_FLAGS_EXT]);
 
 	if (filter.protocol && filter.protocol != protocol)
 		return 0;
@@ -430,13 +441,12 @@ int print_neigh(struct nlmsghdr *n, void *arg)
 
 	if (r->ndm_flags & NTF_ROUTER)
 		print_null(PRINT_ANY, "router", "%s ", "router");
-
 	if (r->ndm_flags & NTF_PROXY)
 		print_null(PRINT_ANY, "proxy", "%s ", "proxy");
-
+	if (ext_flags & NTF_EXT_MANAGED)
+		print_null(PRINT_ANY, "managed", "%s ", "managed");
 	if (r->ndm_flags & NTF_EXT_LEARNED)
 		print_null(PRINT_ANY, "extern_learn", "%s ", "extern_learn");
-
 	if (r->ndm_flags & NTF_OFFLOADED)
 		print_null(PRINT_ANY, "offload", "%s ", "offload");
 
diff --git a/man/man8/ip-neighbour.8 b/man/man8/ip-neighbour.8
index ed2dcd5a..1331d7cb 100644
--- a/man/man8/ip-neighbour.8
+++ b/man/man8/ip-neighbour.8
@@ -26,6 +26,7 @@ ip-neighbour \- neighbour/arp tables management.
 .IR DEV " ] [ "
 .BR router " ] [ "
 .BR use " ] [ "
+.BR managed " ] [ "
 .BR extern_learn " ]"
 
 .ti -8
@@ -99,6 +100,14 @@ the kernel that a controller is using this dynamic entry. If the entry
 does not exist, the kernel will resolve it. If it exists, an attempt
 to refresh the neighbor entry will be triggered.
 
+.TP
+.BI managed
+this neigh entry is "managed". This option can be used to indicate to
+the kernel that a controller is using this dynamic entry. In contrast
+to "use", if the entry does not exist, the kernel will resolve it and
+periodically attempt to auto-refresh the neighbor entry such that it
+remains in resolved state when possible.
+
 .TP
 .BI extern_learn
 this neigh entry was learned externally. This option can be used to
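Review bot: in the new "managed" paragraph, "In contrast to "use", if the entry does not exist, the kernel will resolve it" reads as though "use" does not resolve a missing entry, yet the "use" text from 3/4 says "If the entry does not exist, the kernel will resolve it". The actual difference is the periodic auto-refresh, so the sentence should be reworded to put the contrast there. It would also help to mention that "managed" sets the entry state to NUD_NONE in the request, as the ipneigh.c change does.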
-- 
2.27.0



* Re: [PATCH iproute2 -next 3/4] ip, neigh: Add missing NTF_USE support
  2021-10-15 22:53 ` [PATCH iproute2 -next 3/4] ip, neigh: Add missing NTF_USE support Daniel Borkmann
@ 2021-10-16  0:18   ` David Ahern
  2021-10-25 11:43     ` Daniel Borkmann
  0 siblings, 1 reply; 7+ messages in thread
From: David Ahern @ 2021-10-16  0:18 UTC (permalink / raw)
  To: Daniel Borkmann, dsahern; +Cc: netdev

On 10/15/21 4:53 PM, Daniel Borkmann wrote:
> diff --git a/ip/ipneigh.c b/ip/ipneigh.c
> index 564e787c..9510e03e 100644
> --- a/ip/ipneigh.c
> +++ b/ip/ipneigh.c
> @@ -51,7 +51,7 @@ static void usage(void)
>  	fprintf(stderr,
>  		"Usage: ip neigh { add | del | change | replace }\n"
>  		"		{ ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n"
> -		"		[ dev DEV ] [ router ] [ extern_learn ] [ protocol PROTO ]\n"
> +		"		[ dev DEV ] [ router ] [ use ] [ extern_learn ] [ protocol PROTO ]\n"
>  		"\n"
>  		"	ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]\n"
>  		"				  [ vrf NAME ]\n"


does not apply to iproute2-next; looks like you made the change against
main branch.



* Re: [PATCH iproute2 -next 3/4] ip, neigh: Add missing NTF_USE support
  2021-10-16  0:18   ` David Ahern
@ 2021-10-25 11:43     ` Daniel Borkmann
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2021-10-25 11:43 UTC (permalink / raw)
  To: David Ahern, dsahern; +Cc: netdev

On 10/16/21 2:18 AM, David Ahern wrote:
> On 10/15/21 4:53 PM, Daniel Borkmann wrote:
>> diff --git a/ip/ipneigh.c b/ip/ipneigh.c
>> index 564e787c..9510e03e 100644
>> --- a/ip/ipneigh.c
>> +++ b/ip/ipneigh.c
>> @@ -51,7 +51,7 @@ static void usage(void)
>>   	fprintf(stderr,
>>   		"Usage: ip neigh { add | del | change | replace }\n"
>>   		"		{ ADDR [ lladdr LLADDR ] [ nud STATE ] proxy ADDR }\n"
>> -		"		[ dev DEV ] [ router ] [ extern_learn ] [ protocol PROTO ]\n"
>> +		"		[ dev DEV ] [ router ] [ use ] [ extern_learn ] [ protocol PROTO ]\n"
>>   		"\n"
>>   		"	ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]\n"
>>   		"				  [ vrf NAME ]\n"
> 
> 
> does not apply to iproute2-next; looks like you made the change against
> main branch.

Sorry for the delay, was on PTO whole last week. Looks like it, will rebase and send a v2.

Thanks!
Daniel
