Enable Linux bridge ProxyArpWifi

djlwilder · djlwilder · commit 1acb0edc70b3 · 2017-05-05T09:12:41.000-07:00
This change enables the Linux bridge's ProxyArpWiFi feature eliminating
the need flood ARP packets. When an endpoint is created the bridge
driver already has the data needed to complete arp and fdb table
entries. Rather than let the kernel discover this information on its own
we populate the arp and fdb tables when the endpoint is configured. All
other broadcast traffic will pass normal allowing the administrator
to manage it using ebtables.

Linux bridge ProxyArpWifi is enabled with:
--opt com.docker.network.bridge.proxyarp=1

Dependencies:
linux kernel v4.1-rc1 or later(commit 842a9ae08a25671db3d4f689eed68b4d64be15)

Updated based on review comments from aboch.

Signed-off-by: David Wilder &lt;wilder@us.ibm.com&gt;
diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go
@@ -60,6 +60,7 @@ type networkConfiguration struct {
 	EnableIPv6           bool
 	EnableIPMasquerade   bool
 	EnableICC            bool
+	EnableProxyArp       bool
 	Mtu                  int
 	DefaultBindingIP     net.IP
 	DefaultBridge        bool
@@ -240,6 +241,10 @@ func (c *networkConfiguration) fromLabels(labels map[string]string) error {
 			if c.DefaultBindingIP = net.ParseIP(value); c.DefaultBindingIP == nil {
 				return parseErr(label, value, "nil ip")
 			}
+		case EnableProxyArp:
+			if c.EnableProxyArp, err = strconv.ParseBool(value); err != nil {
+				return parseErr(label, value, err.Error())
+			}
 		case netlabel.ContainerIfacePrefix:
 			c.ContainerIfacePrefix = value
 		}
@@ -449,6 +454,7 @@ func parseNetworkGenericOptions(data interface{}) (*networkConfiguration, error)
 		config = &networkConfiguration{
 			EnableICC:          true,
 			EnableIPMasquerade: true,
+			EnableProxyArp:     false,
 		}
 		err = config.fromLabels(opt)
 	case options.Generic:
@@ -1043,6 +1049,49 @@ func (d *driver) CreateEndpoint(nid, eid string, ifInfo driverapi.InterfaceInfo,
 		}
 	}
 
+	// The bridge proxy arp feature requires three things to happen:
+	// 1) Set the proxyarpwifi flag on the container side bridge port to disable ARP packet flooding.
+	// 2) Generate an arp entry in the host's ARP table mapping the containers IP address to its MAC.
+	// 3) Generate a static FDB entry for the containers MAC address.
+
+	if config.EnableProxyArp {
+
+		BridgeIF, err := d.nlh.LinkByName(config.BridgeName)
+		if err != nil {
+			return fmt.Errorf("could not find interface with destination name %s: %v", config.BridgeName, err)
+		}
+
+		err = d.nlh.LinkSetBrProxyArpWiFi(host, true)
+		if err != nil {
+			return fmt.Errorf("unable to set BridgeProxyArp mode on %s: %v", hostIfName, err)
+		}
+
+		nlnh := &netlink.Neigh{
+			IP:           endpoint.addr.IP,
+			HardwareAddr: endpoint.macAddress,
+		}
+
+		// Generate the permanent arp entry.
+		nlnh.State = netlink.NUD_PERMANENT
+		nlnh.LinkIndex = BridgeIF.Attrs().Index
+
+		if err := d.nlh.NeighSet(nlnh); err != nil {
+			return fmt.Errorf("Failed to add neighbor entry: %v", err)
+		}
+		logrus.Debugf("An arp entry has been created: Interface=%s Ip=%s MAC=%s", config.BridgeName, nlnh.IP, nlnh.HardwareAddr)
+
+		// Generate the static fdb entry.
+		nlnh.State = netlink.NUD_NOARP
+		nlnh.Flags = netlink.NTF_MASTER
+		nlnh.Family = syscall.AF_BRIDGE
+		nlnh.LinkIndex = host.Attrs().Index
+
+		if err := d.nlh.NeighSet(nlnh); err != nil {
+			return fmt.Errorf("Failed to add fdb entry: %v", err)
+		}
+		logrus.Debugf("An fdb entry has been created: Interface=%s  MAC=%s", hostIfName, nlnh.HardwareAddr)
+	}
+
 	// Up the host interface after finishing all netlink configuration
 	if err = d.nlh.LinkSetUp(host); err != nil {
 		return fmt.Errorf("could not set link up for host interface %s: %v", hostIfName, err)
diff --git a/drivers/bridge/bridge_store.go b/drivers/bridge/bridge_store.go
@@ -137,6 +137,7 @@ func (ncfg *networkConfiguration) MarshalJSON() ([]byte, error) {
 	nMap["EnableIPv6"] = ncfg.EnableIPv6
 	nMap["EnableIPMasquerade"] = ncfg.EnableIPMasquerade
 	nMap["EnableICC"] = ncfg.EnableICC
+	nMap["EnableProxyArp"] = ncfg.EnableProxyArp
 	nMap["Mtu"] = ncfg.Mtu
 	nMap["Internal"] = ncfg.Internal
 	nMap["DefaultBridge"] = ncfg.DefaultBridge
@@ -201,6 +202,10 @@ func (ncfg *networkConfiguration) UnmarshalJSON(b []byte) error {
 		ncfg.BridgeIfaceCreator = ifaceCreator(v.(float64))
 	}
 
+	if v, ok := nMap["EnableProxyArp"]; ok {
+		ncfg.EnableProxyArp = v.(bool)
+	}
+
 	return nil
 }
 
diff --git a/drivers/bridge/bridge_test.go b/drivers/bridge/bridge_test.go
@@ -276,6 +276,7 @@ func TestCreateFullOptionsLabels(t *testing.T) {
 		DefaultBridge:      "true",
 		EnableICC:          "true",
 		EnableIPMasquerade: "true",
+		EnableProxyArp:     "true",
 		DefaultBindingIP:   bndIPs,
 	}
 
@@ -319,6 +320,10 @@ func TestCreateFullOptionsLabels(t *testing.T) {
 		t.Fatal("incongruent EnableIPMasquerade in bridge network")
 	}
 
+	if !nw.config.EnableProxyArp {
+		t.Fatal("incongruent EnableProxyArp in bridge network")
+	}
+
 	bndIP := net.ParseIP(bndIPs)
 	if !bndIP.Equal(nw.config.DefaultBindingIP) {
 		t.Fatalf("Unexpected: %v", nw.config.DefaultBindingIP)
@@ -1071,3 +1076,54 @@ func TestCreateWithExistingBridge(t *testing.T) {
 		t.Fatal("Deleting bridge network that using existing bridge interface unexpectedly deleted the bridge interface")
 	}
 }
+
+func TestProxyArp(t *testing.T) {
+	if !testutils.IsRunningInContainer() {
+		defer testutils.SetupTestOSContext(t)()
+	}
+	d := newDriver()
+
+	err := d.configure(nil)
+	if err != nil {
+		t.Fatalf("Failed to setup driver config: %v", err)
+	}
+
+	netconfig := &networkConfiguration{BridgeName: DefaultBridgeName, EnableProxyArp: true, DefaultBridge: true}
+	genericOption := make(map[string]interface{})
+	genericOption[netlabel.GenericData] = netconfig
+
+	ipdList := getIPv4Data(t, "")
+
+	err = d.CreateNetwork("ProxyArpTest", genericOption, nil, ipdList, nil)
+	if err != nil {
+		t.Fatalf("Bridge creation failed: %v", err)
+	}
+
+	te := newTestEndpoint(ipdList[0].Pool, 10)
+	err = d.CreateEndpoint("ProxyArpTest", "ep", te.Interface(), nil)
+	if err != nil {
+		t.Fatalf("Failed to create endpoint: %v", err)
+	}
+
+	BridgeIF, err := netlink.LinkByName(DefaultBridgeName)
+	if err != nil {
+		t.Fatalf("Failed to lookup bridge interface: %v", err)
+	}
+
+	dump, err := netlink.NeighList(BridgeIF.Attrs().Index, 0)
+	if err != nil {
+		t.Errorf("Failed to NeighList: %v", err)
+	}
+
+	FoundNeigh := 0
+	for _, v := range dump {
+		if v.State&netlink.NUD_PERMANENT != 0 &&
+			bytes.Equal(te.iface.mac, v.HardwareAddr) &&
+			te.iface.addr.IP.Equal(v.IP) {
+			FoundNeigh++
+		}
+	}
+	if FoundNeigh != 1 {
+		t.Errorf("Expected a single match in the neighbor table got %d matches", FoundNeigh)
+	}
+}
diff --git a/drivers/bridge/labels.go b/drivers/bridge/labels.go
@@ -15,4 +15,7 @@ const (
 
 	// DefaultBridge label
 	DefaultBridge = "com.docker.network.bridge.default_bridge"
+
+	// EnableProxyArp label
+	EnableProxyArp = "com.docker.network.bridge.proxyarp"
 )

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,7 @@ const (`
`15`	`15`
`16`	`16`	`// DefaultBridge label`
`17`	`17`	`DefaultBridge = "com.docker.network.bridge.default_bridge"`
	`18`	`+`
	`19`	`+ // EnableProxyArp label`
	`20`	`+ EnableProxyArp = "com.docker.network.bridge.proxyarp"`
`18`	`21`	`)`