From 8ede7eed8701fc7814efcdc12413cb9de011f0ac Mon Sep 17 00:00:00 2001
From: Michael Zappa
Date: Tue, 25 Jan 2022 09:06:49 -0700
Subject: [PATCH 1/3] Disable DAD for container side veth
Signed-off-by: Michael Zappa
---
 plugins/main/bridge/bridge.go | 28 +---------------------------
 1 file changed, 1 insertion(+), 27 deletions(-)
diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
index aecf22dec..dbccce795 100644
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
@@ -18,7 +18,6 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "io/ioutil"
 "net"
 "os"
 "runtime"
@@ -402,20 +401,6 @@ func setupBridge(n *NetConf) (*netlink.Bridge, *current.Interface, error) {
 }, nil
 }
-// disableIPV6DAD disables IPv6 Duplicate Address Detection (DAD)
-// for an interface, if the interface does not support enhanced_dad.
-// We do this because interfaces with hairpin mode will see their own DAD packets
-func disableIPV6DAD(ifName string) error {
- // ehanced_dad sends a nonce with the DAD packets, so that we can safely
- // ignore ourselves
- enh, err := ioutil.ReadFile(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/enhanced_dad", ifName))
- if err == nil && string(enh) == "1\n" {
- return nil
- }
- f := fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_dad", ifName)
- return ioutil.WriteFile(f, []byte("0"), 0644)
-}
-
 func enableIPForward(family int) error {
 if family == netlink.FAMILY_V4 {
 return ip.EnableIP4Forward()
@@ -516,18 +501,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 // Configure the container hardware address and IP address(es)
 if err := netns.Do(func(_ ns.NetNS) error {
- // Disable IPv6 DAD just in case hairpin mode is enabled on the
- // bridge. Hairpin mode causes echos of neighbor solicitation
- // packets, which causes DAD failures.
- for _, ipc := range result.IPs {
- if ipc.Address.IP.To4() == nil && (n.HairpinMode || n.PromiscMode) {
- if err := disableIPV6DAD(args.IfName); err != nil {
- return err
- }
- break
- }
- }
-
+ _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_dad", args.IfName), "0")
 _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv4/conf/%s/arp_notify", args.IfName), "1")
 // Add the IP to the interface
From 2be29608975a635c137fa423c8a540f17580ceb6 Mon Sep 17 00:00:00 2001
From: Michael Zappa
Date: Wed, 9 Feb 2022 10:16:04 -0700
Subject: [PATCH 2/3] Add boolean to enable/disable dad
Signed-off-by: Michael Zappa
---
 plugins/main/bridge/bridge.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
index dbccce795..fa4cedec3 100644
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
@@ -56,6 +56,7 @@ type NetConf struct {
 PromiscMode bool `json:"promiscMode"`
 Vlan int `json:"vlan"`
 MacSpoofChk bool `json:"macspoofchk,omitempty"`
+ EnableDad bool `json:"enabledad,omitempty"`
 Args struct {
 Cni BridgeArgs `json:"cni,omitempty"`
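Review bot: In the cmdAdd hunk of PATCH 1/3, the added `accept_dad` write discards its error with `_, _ =`, where the removed loop returned the error from `disableIPV6DAD`, so a failed write now leaves DAD at the kernel default with no signal to the caller. The same discard recurs in the cmdAdd hunks of PATCH 2/3 and PATCH 3/3. The write also no longer depends on an IPv6 address being present or on `HairpinMode`/`PromiscMode`, so in this patch DAD is switched off for every container interface. If best-effort is intended, say so in a comment such as `// best-effort: on failure accept_dad keeps the kernel default`; otherwise return the error when `result.IPs` contains an IPv6 address, as the removed code did. The closure passed to `netns.Do` continues past the end of the hunk.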
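Review bot: The new `EnableDad` field in the NetConf hunk of PATCH 2/3 has no comment, and its zero value is the case that matters: a config that omits `enabledad` gets `accept_dad` set to 0 in cmdAdd, so a duplicate IPv6 address on that interface is not detected. A field comment would make the default visible, for example `// EnableDad enables IPv6 Duplicate Address Detection on the container interface; false (the default) sets accept_dad to 0.` The struct declaration starts and ends outside the hunk.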
@@ -501,7 +502,11 @@ func cmdAdd(args *skel.CmdArgs) error {
 // Configure the container hardware address and IP address(es)
 if err := netns.Do(func(_ ns.NetNS) error {
- _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_dad", args.IfName), "0")
+ if n.EnableDad {
+ _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_dad", args.IfName), "1")
+ } else {
+ _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_dad", args.IfName), "0")
+ }
 _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv4/conf/%s/arp_notify", args.IfName), "1")
 // Add the IP to the interface
From ba47b49609c17c1c02b09a2481836839b05e701e Mon Sep 17 00:00:00 2001
From: Michael Zappa
Date: Wed, 9 Feb 2022 10:29:13 -0700
Subject: [PATCH 3/3] Enhanced dad set to 1
Signed-off-by: Michael Zappa
---
 plugins/main/bridge/bridge.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
index fa4cedec3..379cd1ba0 100644
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
@@ -503,6 +503,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 // Configure the container hardware address and IP address(es)
 if err := netns.Do(func(_ ns.NetNS) error {
 if n.EnableDad {
+ _, _ = sysctl.Sysctl(fmt.Sprintf("/net/ipv6/conf/%s/enhanced_dad", args.IfName), "1")
 _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_dad", args.IfName), "1")
 } else {
 _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_dad", args.IfName), "0")
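Review bot: The added `enhanced_dad` write in PATCH 3/3 passes the name `"/net/ipv6/conf/%s/enhanced_dad"` with a leading slash, while every other `sysctl.Sysctl` call in this hunk passes `net/...` without one. Whether the slash is harmless depends on how `sysctl.Sysctl` builds the path, which is not visible here. Because the result is discarded, a wrong path or a kernel without this sysctl would fail silently and leave DAD enabled without the nonce protection that the comment removed in PATCH 1/3 relied on for hairpin mode. Use the same form as the neighbouring calls: `_, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/enhanced_dad", args.IfName), "1")`. The `netns.Do` closure continues outside the hunk.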