M #-: Change tproxy strategy for handling ARP requests (#3279)

- Prevent ARP requests from reaching other HVs
- Rename incorrectly named "comm" to "cmdline"

(cherry picked from commit 0bd451171fb6551f8dc8f7d5b38ab6ec9f6a9cef)

src/vnm_mad/remotes/lib/tproxy

@@ -326,8 +326,8 @@ module VNMMAD
 
         class Daemon
 
-            def initialize(comm)
-                @comm = comm
+            def initialize(cmdline)
+                @cmdline = cmdline
             end
 
             def run(argv = ARGV.dup, &block)
@@ -346,13 +346,13 @@ module VNMMAD
                 end
                 if pid.nil? && ['start', 'restart'].include?(argv[0])
                     fork do
-                        $0 = @comm
+                        $0 = @cmdline
 
                         Process.setsid
 
                         $stdin.reopen '/dev/null'
 
-                        $stdout.reopen "#{LOG_LOCATION}/#{@comm}.log", 'a'
+                        $stdout.reopen "#{LOG_LOCATION}/#{@cmdline}.log", 'a'
                         $stdout.sync = true
 
                         $stderr.reopen $stdout
@@ -369,7 +369,7 @@ module VNMMAD
                 o, _, s = Open3.capture3 'ps', '--no-headers', '-wwo', 'pid,cmd', '-C', 'ruby'
                 o.lines
                  .map  {|line| line.strip.split(' ', 2) }
-                 .find {|_, cmd| cmd == @comm } if s.success?
+                 .find {|_, cmd| cmd == @cmdline } if s.success?
             end
 
         end

src/vnm_mad/remotes/lib/tproxy.rb

@@ -90,28 +90,23 @@ module VNMMAD
 
             ip_netns_exec(brdev, "ip route replace default dev #{brdev}a")
 
-            veth_mac = ip_netns_exec(brdev,
-                                     "ip -j link show dev #{brdev}a",
-                                     :expect_json => true).dig(0, 0, 'address')
-
-            # This is required to avoid 169.254.16.9 address conflicts in case of VNETs
-            # used on multiple different HV hosts are attached to multiple guest VMs.
-            # Basically, we short-circuit any 169.254.16.9 communication and
-            # forcefully redirect every packet destined to 169.254.16.9 to be handled
-            # locally (regardless of the actual ARP resolution in guest VMs).
+            # Prevent ARP requests from being propagated to other HV machines.
+            # It reduces network traffic and ensures that the closest HV handles
+            # proxied packets.
             nft(ERB.new(<<~NFT).result(binding))
                 table bridge one_tproxy {
                     chain ch_<%= brdev %> {
-                        type filter hook prerouting priority dstnat; policy accept;
+                        type filter hook forward priority filter; policy accept;
                     };
                 };
                 flush chain bridge one_tproxy ch_<%= brdev %>;
                 table bridge one_tproxy {
                     chain ch_<%= brdev %> {
                         meta ibrname "<%= brdev %>" \
-                        ip daddr 169.254.16.9 \
-                        meta pkttype set host ether daddr set <%= veth_mac %> \
-                        accept;
+                        oifname != "<%= brdev %>b" \
+                        arp operation request \
+                        arp daddr ip 169.254.16.9 \
+                        drop;
                     };
                 };
             NFT
@@ -149,7 +144,7 @@ module VNMMAD
             nft(ERB.new(<<~NFT).result(binding))
                 table bridge one_tproxy {
                     chain ch_<%= brdev %> {
-                        type filter hook prerouting priority dstnat; policy accept;
+                        type filter hook forward priority filter; policy accept;
                     };
                 };
                 delete chain bridge one_tproxy ch_<%= brdev %>;