On 4/2/26 06:38, Laine Stump wrote:
(One hopefully useful comment about GARP embedded down there. Not
enough brain cells still firing to actually look at the code :-))
On 4/1/26 3:34 AM, Dion Bosschieter wrote:
+/*
+ * nftablesCreateSameIPSet creates libvirts same-ip-set,
+ * this nft set is used in nftablesHandleGarp
+ * in order to see if 'arp saddr ip == arp daddr ip'
+ *
+ * In nftables 'nft' we can't match 2 fields to eachother.
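Review bot: the comment states "we can't match 2 fields to eachother" as a fixed nftables limitation, but the thread shows that `arp saddr ip ^ arp daddr ip == 0.0.0.0` expresses the same match once the nft patch linked below is in the toolchain, so the comment should say that the same-ip-set is a workaround for nft/kernel versions that lack that support (ideally as a TODO naming the condition under which it can be dropped). Minor: "eachother" should be "each other" and "libvirts" needs an apostrophe.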
I asked Phil Sutter about this and he suggested that
'arp saddr ip ^ arp daddr == 0.0.0.0'
could work? Again, haven't tried it myself since it's after midnight,
but I wanted to relay what I'd heard :-)
Thank you for reaching out to Phil.
It will work with the patch that Phil submitted yesterday:
https://lore.kernel.org/netfilter-devel/[email protected]/T/#t
I wonder what the best course of action for GARP is:
- check version of nft / kernel, to see if we can "arp saddr ip ^ arp daddr ip == 0.0.0.0"
- otherwise fall back to current ugly solution
- or otherwise throw a warning and skip defining the GARP rule
- keep ugly workaround with a TODO for now until newer versions of kernel and nft tooling are widespread
- try "arp saddr ip ^ arp daddr ip == 0.0.0.0" and ignore the error and throw a warning
Any other suggestions are also welcome of course :)
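One way to decide between these options without parsing nft or kernel version strings is to probe the running nft/kernel pair directly: add the xor rule into a scratch arp table whose chain has no hook, so no traffic is affected, and fall back if it is rejected. This is an added example, not code from the patch or from libvirt; it assumes nft runs with enough privilege (as the daemon does), and the table and chain names are made up here.

```shell
#!/bin/sh
# Scratch table name is invented for this probe; prefixed to avoid clashes.
PROBE_TABLE="libvirt_garp_probe"
# The single-rule GARP match discussed in the thread: saddr == daddr
# is equivalent to (saddr XOR daddr) == 0.
GARP_XOR_EXPR="arp saddr ip ^ arp daddr ip == 0.0.0.0"

# Returns 0 if nft and the kernel accept the xor comparison, 1 if the rule
# is rejected (old nft or kernel), 2 if nft is not installed at all.
nft_supports_arp_xor() {
    command -v nft >/dev/null 2>&1 || return 2
    # Remove any leftover from an earlier interrupted probe; ignore failure.
    nft delete table arp "$PROBE_TABLE" >/dev/null 2>&1 || true
    # Chain has no hook, so the rule is never evaluated against packets.
    if nft add table arp "$PROBE_TABLE" >/dev/null 2>&1 \
        && nft add chain arp "$PROBE_TABLE" probe >/dev/null 2>&1 \
        && nft add rule arp "$PROBE_TABLE" probe $GARP_XOR_EXPR drop >/dev/null 2>&1
    then
        rc=0
    else
        rc=1
    fi
    nft delete table arp "$PROBE_TABLE" >/dev/null 2>&1 || true
    return $rc
}

# Picks the GARP strategy and prints one word:
#   xor  - use the single xor rule
#   set  - keep the same-ip-set workaround for older nft/kernel
#   skip - nft missing: warn and define no GARP rule
garp_strategy() {
    rc=0
    nft_supports_arp_xor || rc=$?
    case $rc in
        0) echo xor ;;
        1) echo set ;;
        *) echo "warning: nft not found, GARP rule not defined" >&2
           echo skip ;;
    esac
}
```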