ARP Snooping for Switch NI to learn Interface IP #3203
Conversation
naiming-zededa
requested review from
milan-zededa,
eriknordmark and
rvs
as code owners
naiming-zededa
force-pushed
the
naiming-arp-snoop
branch
from
2308a5a to
e7bb7d0
Compare
| if arp == nil { | ||
| return nil, false | ||
| } | ||
|
|
There was a problem hiding this comment.
Below this point you can return isARP as true - however, currently it is irrelevant since there is no other packet processing after this function
There was a problem hiding this comment.
yes, but the 'real' meaning is we got an 'arp IP address'. We'll see later when there is more items
There was a problem hiding this comment.
In that case you can drop isARP and just do len(addrUpdates) != 0 instead.
In processDHCPPacket the boolean is used to decide if after processDHCPPacket we should try to run processDADProbe. Because even if processDHCPPacket learned nothing about IP assignments but confirmed that the packet is DHCP, there is no point trying to run processDADProbe.
docs/CONFIG-PROPERTIES.md
Outdated
| @@ -51,6 +51,7 @@ | |||
| | netdump.topic.postonboard.interval | integer in seconds | 1 day | how frequently (in seconds) can be netdumps of the same topic published after device has been onboarded | | |||
| | netdump.topic.maxcount | integer | 10 | maximum number of netdumps that can be published for each topic. The oldest netdump is unpublished should a new netdump exceed the limit. | |||
| | netdump.downloader.with.pcap | boolean | false | include packet captures inside netdumps for download requests. However, even if enabled, TCP segments carrying non-empty payload (i.e. content which is being downloaded) are excluded and the overall PCAP size is limited to 64MB. | | |||
| | disable.switch.ni.arpsnoop | boolean | false | disable ARP Snooping on switch Network Instance, may need device reboot to take effect | | |||
There was a problem hiding this comment.
I noticed that most boolean config options vaguely follow template: <topic>.<item>.enable.<feature>
I would therefore propose something like network.switch.enable.arpsnoop
WDYT?
There was a problem hiding this comment.
Sure @milan-zededa
There was a problem hiding this comment.
And if you do it as an enable.X.Y knob you can set the default value to enabled.
|
Right that was my concern. I think it will be a very corner case someone wants to disable it, and to handle dynamically seems quite complex to me. |
pkg/pillar/types/global.go
Outdated
| @@ -849,6 +851,7 @@ func NewConfigItemSpecMap() ConfigItemSpecMap { | |||
| configItemSpecMap.AddBoolItem(DisableDHCPAllOnesNetMask, false) | |||
| configItemSpecMap.AddBoolItem(ProcessCloudInitMultiPart, false) | |||
| configItemSpecMap.AddBoolItem(ConsoleAccess, true) // Controller likely default to false | |||
| configItemSpecMap.AddBoolItem(DisableARPSnoop, false) | |||
There was a problem hiding this comment.
You need to update global_test.go and run make test;
The unittest fails with
=== FAIL: types TestNewConfigItemSpecMap (0.00s)
time="2023-05-11T16:58:25Z" level=error msg="getEveMemoryLimitInBytes failed: open /hostfs/sys/fs/cgroup/memory/eve/memory.soft_limit_in_bytes: no such file or directory"
global_test.go:206: GlobalSettings has more (53) than expected keys (52)
There was a problem hiding this comment.
Missed that. will add and run test.
naiming-zededa
force-pushed
the
naiming-arp-snoop
branch
from
e7bb7d0 to
77e27aa
Compare
|
ran 'make test', seems to be fine: === SKIP: cmd/zedrouter TestRunDnsmasq (0.00s) === SKIP: hypervisor TestGetDomsCPUMem (10.00s) DONE 215 tests, 3 skipped in 767.007s but above unit tests still failed in this PR. |
Try cd pkg/pillar/types; go test I know from experience that adding a configItem requires touching global_test.go |
naiming-zededa
force-pushed
the
naiming-arp-snoop
branch
from
77e27aa to
7d6eec3
Compare
|
@naiming-zededa @milan-zededa @uncleDecart do we have any current tests in Eden which cover DHCP snooping which we can extend to cover ARP snooping? |
I'm not aware of that. |
|
I think i found a bug in this code, let me add a fix to this. |
Yes we do: https://raw.githubusercontent.com/lf-edge/eden/master/tests/eclient/testdata/app_dhcp.txt |
naiming-zededa
force-pushed
the
naiming-arp-snoop
branch
from
7d6eec3 to
2ced26f
Compare
|
Updated for the fix. The App's side can be either the sender or receiver side since we allow both request and reply. |
Signed-off-by: Naiming Shen <naiming@zededa.com>
naiming-zededa
force-pushed
the
naiming-arp-snoop
branch
from
2ced26f to
63ea9f1
Compare
@naiming-zededa can you add an item to jira to add an ARP snooping test along the lines of the current/future dhcp snooping test? |
|
@eriknordmark will do. thanks. |
This patch fixes an issue of EdgeView treats EVE App on switch-NI with static Intf IP
configuration inside the App as 'External' IP address which can be disallowed by EdgeView policy.
The patch extends the EVE switch-NI snooping operation currently of DNS and DHCP,
to now including the ARP request and reply. This gives us the capability of learning the
App IP addresses on switch-NI in all the conditions. In rare cases, if a user does
not want this ARP snooping, it can be disabled by a configitem knob, but it may require
a device reboot if the App is already running.