copy PERM ARP entries from namespace on boot

copy and setup PERMANENT (static) ARP entries
from CNI namespace to the sandbox

Fixes #3301

2 files changed, 29 insertions, 0 deletions

diff --git a/runsc/boot/network.go b/runsc/boot/network.go
index 9fb3ebd95..00595a95f 100644
--- a/runsc/boot/network.go
+++ b/runsc/boot/network.go
@@ -78,6 +78,11 @@ type DefaultRoute struct {
 	Name  string
 }
 
+type Neighbor struct {
+	IP net.IP
+	HardwareAddr net.HardwareAddr
+}
+
 // FDBasedLink configures an fd-based link.
 type FDBasedLink struct {
 	Name               string
@@ -90,6 +95,7 @@ type FDBasedLink struct {
 	RXChecksumOffload  bool
 	LinkAddress        net.HardwareAddr
 	QDisc              config.QueueingDiscipline
+	Neighbors          []Neighbor
 
 	// NumChannels controls how many underlying FD's are to be used to
 	// create this endpoint.
@@ -241,6 +247,11 @@ func (n *Network) CreateLinksAndRoutes(args *CreateLinksAndRoutesArgs, _ *struct
 			}
 			routes = append(routes, route)
 		}
+
+		for _, neigh := range link.Neighbors {
+			proto, tcpipAddr := ipToAddressAndProto(neigh.IP)
+			n.Stack.AddStaticNeighbor(nicID, proto, tcpipAddr, tcpip.LinkAddress(neigh.HardwareAddr))
+		}
 	}
 
 	if !args.Defaultv4Gateway.Route.Empty() {
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go
index 3451d1037..26aed6242 100644
--- a/runsc/sandbox/network.go
+++ b/runsc/sandbox/network.go
@@ -173,6 +173,23 @@ func createInterfacesAndRoutesFromNS(conn *urpc.Client, nsPath string, hardwareG
 			continue
 		}
 
+		// Collect data from the ARP table.
+		dump, err := netlink.NeighList(iface.Index, 0)
+		if err != nil {
+			 return fmt.Errorf("fetching ARP table for %q: %w", iface.Name, err)
+		}
+
+		var neighbors []boot.Neighbor
+		for _, n := range dump {
+			// There are only two "good" states NUD_PERMANENT and NUD_REACHABLE,
+			// but NUD_REACHABLE is fully dynamic and will be re-probed anyway.
+			if n.State == netlink.NUD_PERMANENT {
+				log.Debugf("Copying a static ARP entry: %+v %+v", n.IP, n.HardwareAddr)
+				// No flags are copied because Stack.AddStaticNeighbor does not support flags right now.
+				neighbors = append(neighbors, boot.Neighbor{IP: n.IP, HardwareAddr: n.HardwareAddr})
+			}
+		}
+
 		// Scrape the routes before removing the address, since that
 		// will remove the routes as well.
 		routes, defv4, defv6, err := routesForIface(iface)
@@ -203,6 +220,7 @@ func createInterfacesAndRoutesFromNS(conn *urpc.Client, nsPath string, hardwareG
 			RXChecksumOffload: rxChecksumOffload,
 			NumChannels:       numNetworkChannels,
 			QDisc:             qDisc,
+			Neighbors:         neighbors,
 		}
 
 		// Get the link for the interface.