network: preseed default-gateway neighbor

This change mirrors host networking into the guest as before, but now also
includes the default gateway neighbor entry for each interface.

Pods using overlay/synthetic gateways (e.g., 169.254.1.1) can hit a
first-connect race while the guest performs the initial ARP. Preseeding the
gateway neighbor removes that latency and makes early connections (e.g.,
to the API Service) deterministic.

Signed-off-by: Saul Paredes <[email protected]>

Author: Redent0r

src/runtime/virtcontainers/network.go

@@ -315,13 +315,16 @@ func generateVCNetworkStructures(ctx context.Context, endpoints []Endpoint) ([]*
 			routes = append(routes, &r)
 		}
 
+		gatewaySet := gatewaySetFromRoutes(endpoint.Properties().Routes)
+
 		for _, neigh := range endpoint.Properties().Neighbors {
-			var n pbTypes.ARPNeighbor
 
-			if !validGuestNeighbor(neigh) {
+			if !validGuestNeighbor(neigh, gatewaySet) {
 				continue
 			}
 
+			var n pbTypes.ARPNeighbor
+
 			n.Device = endpoint.Name()
 			n.State = int32(neigh.State)
 			n.Flags = int32(neigh.Flags)

src/runtime/virtcontainers/network_linux.go

@@ -1614,7 +1614,39 @@ func validGuestRoute(route netlink.Route) bool {
 	return route.Protocol != unix.RTPROT_KERNEL
 }
 
-func validGuestNeighbor(neigh netlink.Neigh) bool {
-	// We add only static ARP entries
-	return neigh.State == netlink.NUD_PERMANENT
+// neighbor is valid if it is static or a default-gateway
+func validGuestNeighbor(neigh netlink.Neigh, gatewaySet map[string]struct{}) bool {
+	// need a MAC for the guest
+	if neigh.HardwareAddr == nil {
+		return false
+	}
+	// Keep all static entries
+	if neigh.State == netlink.NUD_PERMANENT {
+		return true
+	}
+	// Gateway-only exception: allow the default-gateway IP:
+	// On some setups, the pod subnet gateway does not appear in the host ARP cache as a static entry.
+	// On these setups an ARP request storm happens when many Kata PODs are started at the same time and they all look for the gateway MAC address.
+	// This forces the gateway to churn a lot of ARP requests and render the ARP request full, hence dropping some ARP requests.
+	// Manually pre-populating the ARP entry in the UVM guest ARP cache for that gateway solves that problem.
+	_, isGw := gatewaySet[neigh.IP.String()]
+	return isGw
+}
+
+// helper: default routes => set of gateway IP strings
+func gatewaySetFromRoutes(routes []netlink.Route) map[string]struct{} {
+	gatewaySet := make(map[string]struct{})
+	for _, route := range routes {
+		if route.Gw == nil {
+			continue
+		}
+		if route.Dst == nil {
+			gatewaySet[route.Gw.String()] = struct{}{}
+			continue
+		}
+		if ones, _ := route.Dst.Mask.Size(); ones == 0 { // 0.0.0.0/0 or ::/0
+			gatewaySet[route.Gw.String()] = struct{}{}
+		}
+	}
+	return gatewaySet
 }