When using bridge neighbor suppression in EVPN deployments, Duplicate Address Detection (DAD) is currently broken for both IPv4 (ARP probes) and IPv6 (DAD Neighbor Solicitations). This prevents proper address conflict detection across the VXLAN fabric.
The neighbor suppression feature allows the bridge to reply to ARP/NS messages on behalf of remote hosts when FDB and neighbor entries exist, suppressing unnecessary flooding over the VXLAN overlay. However, the current implementation unconditionally suppresses ARP probes and DAD NS, which breaks DAD.

For DAD to work correctly:
- When the bridge doesn't know the answer: flood the probe/DAD packet to allow remote VTEPs to respond.
- When the bridge knows the answer: reply to indicate the address is in use.

This series fixes the issue by adjusting the early suppression checks to exclude ARP probes and DAD NS from unconditional suppression, allowing them to reach the normal FDB lookup path. Gratuitous ARP and IPv6 unsolicited-NA messages are still suppressed unconditionally as before.

Patchset overview:
Patch #1: Fixes the unconditional suppression.
Patch #2: Adds selftests.

Danielle Ratson (2):
  bridge: Do not suppress ARP probes and DAD NS unconditionally
  selftests: net: Add tests for ARP probe and DAD NS handling

 net/bridge/br_arp_nd_proxy.c                  |  16 ++-
 .../net/test_bridge_neigh_suppress.sh         | 126 ++++++++++++++++++
 2 files changed, 137 insertions(+), 5 deletions(-)

--
2.51.0
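The handling described in this cover letter, modelled for IPv4 ARP requests only, as an added example; it is not code from the series or from net/bridge/br_arp_nd_proxy.c. All type and function names, the sample neighbor table, and routing ordinary requests through the same lookup are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
/* Simplified model; NOT the code in net/bridge/br_arp_nd_proxy.c.
 * All names below are hypothetical. */
enum ns_action { NS_SUPPRESS, NS_REPLY, NS_FLOOD };
struct arp_req { uint32_t sip, tip; };   /* sender / target IPv4 address */
struct neigh_tbl { const uint32_t *known; size_t n; }; /* stand-in for FDB + neighbor state */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed sample: the bridge has learned one remote host, 10.0.0.2. */
static const uint32_t sample_known[] = { IP4(10, 0, 0, 2) };
static const struct neigh_tbl sample_tbl = { sample_known, 1 };

static int neigh_known(const struct neigh_tbl *t, uint32_t ip)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->known[i] == ip) return 1;
    return 0;
}

/* ARP probe (RFC 5227): request whose sender IP is 0.0.0.0. */
static int is_arp_probe(const struct arp_req *r) { return r->sip == 0; }
/* Gratuitous ARP: a host announcing its own address (sip == tip, non-zero). */
static int is_garp(const struct arp_req *r) { return r->sip != 0 && r->sip == r->tip; }

/* Behaviour the cover letter describes as broken: probes never reach the lookup. */
enum ns_action decide_before(const struct neigh_tbl *t, const struct arp_req *r)
{
    if (is_arp_probe(r) || is_garp(r))
        return NS_SUPPRESS;
    return neigh_known(t, r->tip) ? NS_REPLY : NS_FLOOD;
}

/* Behaviour the series aims for: only gratuitous ARP is dropped early. */
enum ns_action decide_after(const struct neigh_tbl *t, const struct arp_req *r)
{
    if (is_garp(r))
        return NS_SUPPRESS;
    return neigh_known(t, r->tip) ? NS_REPLY : NS_FLOOD;
}

int main(void)
{
    struct arp_req probe = { 0, IP4(10, 0, 0, 2) };
    printf("before=%d after=%d\n", decide_before(&sample_tbl, &probe), decide_after(&sample_tbl, &probe));
    return 0;
}
```

With the early check in place, a probe for an address already in use is silently dropped and the probing host concludes the address is free; after the change the same probe is answered when the owner is known and flooded when it is not.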

