networkd: support proxy_arp_pvlan sysctl

The proxy ARP private VLAN sysctl is useful for VLAN aggregation, see
https://sysctl-explorer.net/net/ipv4/proxy_arp_pvlan/ for details.

NEWS

@@ -10,6 +10,12 @@ CHANGES WITH 256 in spe:
           section, then all assigned VLAN IDs on the interface that are not
           configured in the .network file are removed.
 
+        Network Management:
+
+        * systemd-networkd's proxy support gained a new option to configure
+          a private VLAN variant of the proxy ARP supported by the kernel
+          under the name IPv4ProxyARPPrivateVLAN=.
+
 CHANGES WITH 255:
 
         Announcements of Future Feature Removals and Incompatible Changes:

man/systemd.network.xml

@@ -928,6 +928,21 @@ Table=1234</programlisting></para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>IPv4ProxyARPPrivateVLAN=</varname></term>
+        <listitem>
+          <para>Takes a boolean. Configures proxy ARP private VLAN for IPv4, also known as VLAN aggregation,
+          private VLAN, source-port filtering, port-isolation, or MAC-forced forwarding.</para>
+
+          <para>This variant of the ARP proxy technique will allow the ARP proxy to reply back to the same
+          interface.</para>
+
+          <para>See <ulink url="https://tools.ietf.org/html/rfc3069">RFC 3069</ulink>. When unset,
+          the kernel's default will be used.</para>
+          <xi:include href="version-info.xml" xpointer="v256"/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>IPv6ProxyNDP=</varname></term>
         <listitem>

src/network/networkd-network-gperf.gperf

@@ -138,6 +138,7 @@ Network.IPv4RouteLocalnet,                   config_parse_tristate,
 Network.ActiveSlave,                         config_parse_bool,                                        0,                             offsetof(Network, active_slave)
 Network.PrimarySlave,                        config_parse_bool,                                        0,                             offsetof(Network, primary_slave)
 Network.IPv4ProxyARP,                        config_parse_tristate,                                    0,                             offsetof(Network, proxy_arp)
+Network.IPv4ProxyARPPrivateVLAN,             config_parse_tristate,                                    0,                             offsetof(Network, proxy_arp_pvlan)
 Network.ProxyARP,                            config_parse_tristate,                                    0,                             offsetof(Network, proxy_arp)
 Network.IPv6ProxyNDPAddress,                 config_parse_ipv6_proxy_ndp_address,                      0,                             0
 Network.IPv4ReversePathFilter,               config_parse_ip_reverse_path_filter,                      0,                             offsetof(Network, ipv4_rp_filter)

src/network/networkd-network.c

@@ -473,6 +473,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
                 .ipv6_dad_transmits = -1,
                 .ipv6_proxy_ndp = -1,
                 .proxy_arp = -1,
+                .proxy_arp_pvlan = -1,
                 .ipv4_rp_filter = _IP_REVERSE_PATH_FILTER_INVALID,
 
                 .ipv6_accept_ra = -1,

src/network/networkd-network.h

@@ -325,6 +325,7 @@ struct Network {
         int ipv6_dad_transmits;
         uint8_t ipv6_hop_limit;
         int proxy_arp;
+        int proxy_arp_pvlan;
         uint32_t ipv6_mtu;
         IPv6PrivacyExtensions ipv6_privacy_extensions;
         IPReversePathFilter ipv4_rp_filter;

src/network/networkd-sysctl.c

@@ -58,6 +58,18 @@ static int link_set_proxy_arp(Link *link) {
         return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp", link->network->proxy_arp > 0);
 }
 
+static int link_set_proxy_arp_pvlan(Link *link) {
+        assert(link);
+
+        if (!link_is_configured_for_family(link, AF_INET))
+                return 0;
+
+        if (link->network->proxy_arp_pvlan < 0)
+                return 0;
+
+        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp_pvlan", link->network->proxy_arp_pvlan > 0);
+}
+
 static bool link_ip_forward_enabled(Link *link, int family) {
         assert(link);
         assert(IN_SET(family, AF_INET, AF_INET6));
@@ -257,6 +269,10 @@ int link_set_sysctl(Link *link) {
         if (r < 0)
                log_link_warning_errno(link, r, "Cannot configure proxy ARP for interface, ignoring: %m");
 
+        r = link_set_proxy_arp_pvlan(link);
+        if (r < 0)
+                log_link_warning_errno(link, r, "Cannot configure proxy ARP private VLAN for interface, ignoring: %m");
+
         r = link_set_ipv4_forward(link);
         if (r < 0)
                 log_link_warning_errno(link, r, "Cannot turn on IPv4 packet forwarding, ignoring: %m");

test/fuzz/fuzz-network-parser/sysctl

@@ -7,4 +7,5 @@ IPv6PrivacyExtensions=true
 IPv6DuplicateAddressDetection=3
 IPv6HopLimit=5
 IPv4ProxyARP=true
+IPv4ProxyARPPrivateVLAN=true
 IPv6ProxyNDP=true

test/fuzz/fuzz-unit-file/directives-all.service

@@ -472,6 +472,7 @@ IPForward=
 IPMasquerade=
 IPv4LLRoute=
 IPv4ProxyARP=
+IPv4ProxyARPPrivateVLAN=
 IPv6AcceptRA=
 IPv6DuplicateAddressDetection=
 IPv6FlowLabel=

test/test-network/conf/25-sysctl.network

@@ -7,6 +7,7 @@ IPForward=yes
 IPv6DuplicateAddressDetection=3
 IPv6HopLimit=5
 IPv4ProxyARP=yes
+IPv4ProxyARPPrivateVLAN=yes
 IPv6ProxyNDP=yes
 IPv6AcceptRA=no
 IPv4AcceptLocal=yes

test/test-network/systemd-networkd-tests.py

@@ -3592,6 +3592,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
         self.check_ipv6_sysctl_attr('dummy98', 'proxy_ndp', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'forwarding', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'proxy_arp', '1')
+        self.check_ipv4_sysctl_attr('dummy98', 'proxy_arp_pvlan', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'accept_local', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'rp_filter', '0')