client: use NDP neighbor table for IPv6 client identification

Currently, persistent clients configured with a MAC address can only be
identified when they query over IPv4 (via DHCP lease lookup).  When the
same device queries over IPv6, AGH cannot resolve the source IPv6
address back to a MAC address, so the client appears unidentified and
per-client filtering rules don't apply.

Add an NDP (Neighbor Discovery Protocol) cache to Storage that
periodically reads the kernel's IPv6 neighbor table (`ip -6 neigh`) and
maps IPv6 addresses to MAC addresses.  The cache is refreshed alongside
ARP updates and on-demand when an address is not found and the cache is
stale (>30s).

The NDP lookup is used as a fallback in findByIP, FindLoose, and
ApplyClientFiltering when the DHCP lease lookup returns no result.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: AndyHazz

internal/client/storage.go

@@ -1,12 +1,16 @@
 package client
 
 import (
+	"bufio"
+	"bytes"
 	"context"
 	"fmt"
 	"log/slog"
 	"net"
 	"net/netip"
+	"os/exec"
 	"slices"
+	"strings"
 	"sync"
 	"time"
 
@@ -150,6 +154,12 @@ type Storage struct {
 	// arpDB is used to update [SourceARP] runtime client information.
 	arpDB arpdb.Interface
 
+	// ndpCache maps IPv6 addresses to MAC addresses from the kernel NDP
+	// neighbor table.  Used to identify persistent clients querying over IPv6.
+	ndpCache   map[netip.Addr]net.HardwareAddr
+	ndpCacheMu sync.RWMutex
+	ndpCacheAt time.Time
+
 	// done is the shutdown signaling channel.
 	done chan struct{}
 
@@ -182,6 +192,7 @@ func NewStorage(ctx context.Context, conf *StorageConfig) (s *Storage, err error
 		dhcp:                   conf.DHCP,
 		etcHosts:               conf.EtcHosts,
 		arpDB:                  conf.ARPDB,
+		ndpCache:               make(map[netip.Addr]net.HardwareAddr),
 		done:                   make(chan struct{}),
 		allowedTags:            tags,
 		arpClientsUpdatePeriod: conf.ARPClientsUpdatePeriod,
@@ -241,6 +252,75 @@ func (s *Storage) ReloadARP(ctx context.Context) {
 	if s.arpDB != nil {
 		s.addFromSystemARP(ctx)
 	}
+
+	s.refreshNDP()
+}
+
+// refreshNDP reads the IPv6 neighbor table from the kernel and caches the
+// IPv6 address to MAC address mappings.
+func (s *Storage) refreshNDP() {
+	out, err := exec.Command("ip", "-6", "neigh").Output()
+	if err != nil {
+		return
+	}
+
+	cache := make(map[netip.Addr]net.HardwareAddr)
+	sc := bufio.NewScanner(bytes.NewReader(out))
+	for sc.Scan() {
+		fields := strings.Fields(sc.Text())
+		if len(fields) < 5 {
+			continue
+		}
+
+		ip, parseErr := netip.ParseAddr(fields[0])
+		if parseErr != nil {
+			continue
+		}
+
+		for i, f := range fields {
+			if f == "lladdr" && i+1 < len(fields) {
+				mac, macErr := net.ParseMAC(fields[i+1])
+				if macErr == nil {
+					cache[ip] = mac
+				}
+
+				break
+			}
+		}
+	}
+
+	s.ndpCacheMu.Lock()
+	s.ndpCache = cache
+	s.ndpCacheAt = time.Now()
+	s.ndpCacheMu.Unlock()
+}
+
+// macFromNDP returns the MAC address for the given IPv6 address from the NDP
+// neighbor cache.  If the cache is stale (>30s) and the address is not found,
+// it refreshes the cache and retries once.
+func (s *Storage) macFromNDP(ip netip.Addr) net.HardwareAddr {
+	if !ip.Is6() {
+		return nil
+	}
+
+	s.ndpCacheMu.RLock()
+	mac := s.ndpCache[ip]
+	stale := time.Since(s.ndpCacheAt) > 30*time.Second
+	s.ndpCacheMu.RUnlock()
+
+	if mac != nil {
+		return mac
+	}
+
+	if stale {
+		s.refreshNDP()
+
+		s.ndpCacheMu.RLock()
+		mac = s.ndpCache[ip]
+		s.ndpCacheMu.RUnlock()
+	}
+
+	return mac
 }
 
 // addFromSystemARP adds the IP-hostname pairings from the output of the arp -a
@@ -568,6 +648,12 @@ func (s *Storage) findByIP(addr netip.Addr) (p *Persistent, ok bool) {
 	}
 
 	foundMAC := s.dhcp.MACByIP(addr)
+	if foundMAC == nil {
+		// Fall back to the NDP neighbor table for IPv6 addresses that
+		// don't have a corresponding DHCPv4 lease.
+		foundMAC = s.macFromNDP(addr)
+	}
+
 	if foundMAC != nil {
 		return s.index.findByMAC(foundMAC)
 	}
@@ -594,6 +680,10 @@ func (s *Storage) FindLoose(ip netip.Addr, id string) (p *Persistent, ok bool) {
 	}
 
 	foundMAC := s.dhcp.MACByIP(ip)
+	if foundMAC == nil {
+		foundMAC = s.macFromNDP(ip)
+	}
+
 	if foundMAC != nil {
 		return s.index.findByMAC(foundMAC)
 	}
@@ -775,6 +865,10 @@ func (s *Storage) ApplyClientFiltering(id string, addr netip.Addr, setts *filter
 
 	if !ok {
 		foundMAC := s.dhcp.MACByIP(addr)
+		if foundMAC == nil {
+			foundMAC = s.macFromNDP(addr)
+		}
+
 		if foundMAC != nil {
 			c, ok = s.index.findByMAC(foundMAC)
 		}