fix: don't set broadcast for /31 and /32 addresses

RFC 3021 defines /31 as point-to-point links without broadcast.
/32 addresses are host routes that don't need broadcast addresses.

Setting broadcast=IP for these prefixes confuses kernel routing
decisions, causing packets to be incorrectly broadcast instead
of routed through the gateway.

This particularly affected single-node clusters with VIP addresses
where the VIP's broadcast address could interfere with normal
routing to the gateway.

Signed-off-by: Chris Sanders <sanders.chris@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: chris-sanders

internal/app/machined/pkg/controllers/network/address_spec.go

@@ -20,9 +20,9 @@ import (
 	"github.com/mdlayher/arp"
 	"github.com/siderolabs/go-pointer"
 	"go.uber.org/zap"
-	"go4.org/netipx"
 	"golang.org/x/sys/unix"
 
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network/internal/addressutil"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network/watch"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@@ -240,7 +240,7 @@ func (ctrl *AddressSpecController) syncAddress(ctx context.Context, r controller
 			Attributes: &rtnetlink.AddressAttributes{
 				Address:   address.TypedSpec().Address.Addr().AsSlice(),
 				Local:     address.TypedSpec().Address.Addr().AsSlice(),
-				Broadcast: broadcastAddr(address.TypedSpec().Address),
+				Broadcast: addressutil.BroadcastAddr(address.TypedSpec().Address),
 				Flags:     uint32(address.TypedSpec().Flags),
 				Priority:  address.TypedSpec().Priority,
 			},
@@ -300,31 +300,3 @@ func (ctrl *AddressSpecController) gratuitousARP(logger *zap.Logger, linkIndex u
 
 	return nil
 }
-
-func broadcastAddr(addr netip.Prefix) net.IP {
-	if !addr.Addr().Is4() {
-		return nil
-	}
-
-	ipnet := netipx.PrefixIPNet(addr)
-
-	ip := ipnet.IP.To4()
-	if ip == nil {
-		return nil
-	}
-
-	mask := net.IP(ipnet.Mask).To4()
-
-	n := len(ip)
-	if n != len(mask) {
-		return nil
-	}
-
-	out := make(net.IP, n)
-
-	for i := range n {
-		out[i] = ip[i] | ^mask[i]
-	}
-
-	return out
-}

internal/app/machined/pkg/controllers/network/internal/addressutil/broadcast.go

@@ -0,0 +1,47 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package addressutil
+
+import (
+	"net"
+	"net/netip"
+
+	"go4.org/netipx"
+)
+
+// BroadcastAddr calculates the broadcast address for the given IPv4 prefix.
+//
+// If the address is not IPv4 or the prefix length is 31 or 32, nil is returned.
+func BroadcastAddr(addr netip.Prefix) net.IP {
+	if !addr.Addr().Is4() {
+		return nil
+	}
+
+	if addr.Bits() >= 31 {
+		return nil
+	}
+
+	ipnet := netipx.PrefixIPNet(addr)
+
+	ip := ipnet.IP.To4()
+	if ip == nil {
+		return nil
+	}
+
+	mask := net.IP(ipnet.Mask).To4()
+
+	n := len(ip)
+	if n != len(mask) {
+		return nil
+	}
+
+	out := make(net.IP, n)
+
+	for i := range n {
+		out[i] = ip[i] | ^mask[i]
+	}
+
+	return out
+}

internal/app/machined/pkg/controllers/network/internal/addressutil/broadcast_test.go

@@ -0,0 +1,88 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package addressutil_test
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network/internal/addressutil"
+)
+
+func TestBroadcastAddr(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		prefix  string
+		want    string
+		wantNil bool
+	}{
+		{
+			name:   "IPv4 /24 network",
+			prefix: "10.255.255.231/24",
+			want:   "10.255.255.255",
+		},
+		{
+			name:   "IPv4 /16 network",
+			prefix: "192.168.0.1/16",
+			want:   "192.168.255.255",
+		},
+		{
+			name:    "IPv4 /32 host route (VIP case)",
+			prefix:  "10.255.255.230/32",
+			wantNil: true, // Should return nil, not set broadcast
+		},
+		{
+			name:    "Another /32 host route",
+			prefix:  "192.168.1.100/32",
+			wantNil: true, // Should return nil, not set broadcast
+		},
+		{
+			name:    "IPv4 /31 point-to-point",
+			prefix:  "10.0.0.1/31",
+			wantNil: true, // RFC 3021 - /31 is point-to-point, no broadcast
+		},
+		{
+			name:   "IPv4 /8 network",
+			prefix: "10.0.0.1/8",
+			want:   "10.255.255.255",
+		},
+		{
+			name:    "IPv6 address (no broadcast)",
+			prefix:  "2001:db8::1/64",
+			wantNil: true, // IPv6 doesn't have broadcast
+		},
+		{
+			name:    "IPv6 /128 address",
+			prefix:  "2001:db8::1/128",
+			wantNil: true, // IPv6 doesn't have broadcast
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			prefix, err := netip.ParsePrefix(tt.prefix)
+			require.NoError(t, err)
+
+			got := addressutil.BroadcastAddr(prefix)
+
+			if tt.wantNil {
+				assert.Nil(t, got, "expected nil broadcast for %s", tt.prefix)
+			} else {
+				assert.NotNil(t, got, "expected broadcast address for %s", tt.prefix)
+
+				want := net.ParseIP(tt.want)
+				assert.True(t, got.Equal(want), "expected %v, got %v for %s", want, got, tt.prefix)
+			}
+		})
+	}
+}