
Comparing changes

base repository: moby/moby
base: ee7e401
head repository: corhere/moby
compare: 27fc58b
  • 11 commits
  • 95 files changed
  • 1 contributor

Commits on Apr 10, 2024

  1. libnetwork/osl: change SandboxType to a bitmask

    Testing for whether a sandbox is not of a particular type can be
    performed much more efficiently and ergonomically when encoded as a
    bitmask instead of a slice.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 10, 2024
    164ccfd
  2. libn/osl: send gratuitous ARPs on container ifaces

    Configure the kernel to send unsolicited ARPs (IPv4) and neighbor
    advertisements (IPv6) when a container's interface is brought up. If a
    stale entry for the address is present in neighbors' caches, receiving
    an unsolicited advertisement will trigger an update to the cache entry.
    This greatly shortens the time for the IP address to be reachable upon
    reassignment to a container interface with a different MAC address.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 10, 2024
    9ea5ab4
  3. libn/d/bridge: generate random MAC addresses

    Deriving a stable MAC address from the interface's IP address is a
    clever workaround for the cache-invalidation problem with neighbour
    containers' ARP caches when the IP address is reassigned. But this
    workaround is only viable on single-stack IPv4 container networks.
    Pulling the same trick with IPv6 addresses is not viable as a 128-bit
    IPv6 address is too long to derive a unique 48-bit MAC address from. The
    requirement to keep the IP->MAC mapping stable across reassignments is
    even more impractical on a dual-stack container network as the IPv4 and
    IPv6 addresses would effectively have to be assigned as a matching pair.
    Users have the option to set a static IP or have IPAM allocate one for
    each of a container endpoint's IPv4 and IPv6 addresses, so it would be
    an unacceptable breaking change to constrain IPv6 address assignment
    configuration based on the endpoint's IPv4 address assignment
    configuration or vice versa.
    
    There is a standard mechanism to handle cache invalidation when an IP
    address is reassigned to a link with a different MAC address: gratuitous
    (unsolicited) ARP/ND notifications. Remove the stable MAC address
    workaround from the bridge network driver now that unsolicited ARP/ND
    notifications are enabled by default on container network interfaces.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 10, 2024
    b959ba6

Commits on Apr 11, 2024

  1. libn/osl: drop unused AddNeighbor force parameter

    func (*Namespace) AddNeighbor is only ever called with the force
    parameter set to false. Remove the parameter and eliminate dead code.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 11, 2024
    5dc04e6
  2. libn/osl: refactor func (*Namespace) AddNeighbor

    Scope local variables as narrowly as possible.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 11, 2024
    5ea5dd7
  3. libn/osl: stop tracking neighbor entries

    The Namespace keeps some state for each inserted neighbor-table entry in
    order to delete the entry (and any related entries) given only the IP
    and MAC address of the entry to delete. The per-neighbor state required
    to delete the entry happens to be the options passed into the
    AddNeighbor call and a cached copy of the link name inside the network
    namespace, which can be trivially looked up in O(n) time. Drop
    neighbor-entry tracking by requiring callers to pass the same arguments
    into DeleteNeighbor as they had passed to AddNeighbor.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 11, 2024
    42cc85f
  4. libn/d/overlay: refactor to use netip types

    peerEntry values no longer have to be marshaled or unmarshaled to be
    stored in a SetMatrix.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 11, 2024
    726286e
  5. libn/d/overlay: announce remote neighbors locally

    Broadcast a proxy neighbor announcement for a remote peer to local peers
    when discovered in order to update local ARP/ND caches in case the IP
    address was previously assigned to another container.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 11, 2024
    c02b5c8

Commits on Apr 12, 2024

  1. libn/d/overlay: generate random MAC addresses

    With ARP announcements and proxy ARP announcements in place, the
    MAC-from-IP workaround is no longer necessary. Remove the workaround, as
    it is impeding the implementation of IPv6 and dual-stack overlay
    networks.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 12, 2024
    8927d01
  2. libn/netutils: put more entropy into random MACs

    With randomly-generated MAC addresses going into wider use in the most
    commonly used container network drivers, it is imperative to avoid
    address collisions. Increase the number of random bits in randomly-
    generated MAC addresses from 32 bits to 46 bits.
    
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed Apr 12, 2024
    fe3ddd7
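
An added example, not code from the moby repository: a sketch of generating a MAC address with 46 random bits, plus a birthday-bound estimate of why the commit above moves from 32 to 46 bits. The names `RandomMAC` and `CollisionProbability` are hypothetical, and the bit layout (unicast, locally administered, all other bits random) is an assumption about how 46 bits are obtained from a 48-bit address.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"net"
)

// RandomMAC returns a unicast, locally administered MAC address.
// Two bits of the first octet are fixed (I/G = 0 for unicast, U/L = 1 for
// locally administered); the remaining 46 bits come from the CSPRNG.
// Assumed layout for illustration, not taken from libnetwork.
func RandomMAC() (net.HardwareAddr, error) {
	mac := make(net.HardwareAddr, 6)
	if _, err := rand.Read(mac); err != nil {
		return nil, err
	}
	mac[0] = (mac[0] &^ 0x01) | 0x02
	return mac, nil
}

// CollisionProbability estimates the chance that at least two of n
// uniformly random addresses with the given number of random bits are
// equal, using the birthday approximation 1 - exp(-n(n-1)/2 / 2^bits).
func CollisionProbability(n int, bits uint) float64 {
	pairs := float64(n) * float64(n-1) / 2
	return -math.Expm1(-pairs / math.Exp2(float64(bits)))
}

func main() {
	mac, err := RandomMAC()
	if err != nil {
		panic(err)
	}
	fmt.Println("sample address:", mac)

	// Constructed interface counts on one L2 segment, for comparison only.
	for _, n := range []int{1000, 65536} {
		fmt.Printf("n=%-6d  32 bits: %.3e  46 bits: %.3e\n",
			n, CollisionProbability(n, 32), CollisionProbability(n, 46))
	}
}
```

With 65536 addresses on one segment, 32 random bits give roughly a 39% chance of at least one duplicate, while 46 bits bring it down to about 3 in 100,000.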

Commits on Apr 26, 2024

  1. WIP work around kernel bug

    corhere committed Apr 26, 2024
    27fc58b