feat(gateway): refresh remote MAC learning

The LAN switch has to keep learning that remote client MAC addresses live on
the gateway port. Once the gateway injects a remote client's traffic, that
learning can age out if the client is quiet, breaking the Layer 2 illusion.

Track valid remote-client source MACs observed in relay traffic and inject a
small padded CAM refresh frame for each known MAC every 60 seconds. The refresh
frame uses the remote MAC as the Ethernet source and the gateway NIC MAC as the
destination, with a local experimental EtherType so hosts should ignore it.

PacketSocket now reads the wired interface hardware address with SIOCGIFHWADDR
when opening the AF_PACKET socket. Non-Ethernet or invalid source interfaces
fail early instead of starting a gateway that cannot emit refresh traffic.

Test Plan:
- cargo fmt --check
- cargo test --workspace
- cargo clippy --workspace --all-targets -- -D warnings
- git diff --check

Refs: PLAN.md Linux gateway CAM-table refresh

crates/lanparty-gateway/src/lib.rs

@@ -1,12 +1,13 @@
 //! Linux LAN gateway control-plane connection.
 //!
-//! This crate owns the gateway binary's relay connection and, in later slices,
-//! will add the AF_PACKET capture/injection loop that feeds Ethernet frames into
-//! this established QUIC session.
+//! This crate owns the gateway binary's relay connection and Linux AF_PACKET
+//! bridge loop that moves Ethernet frames between the relay and wired LAN.
 
 #[cfg(target_os = "linux")]
 mod packet;
 
+#[cfg(target_os = "linux")]
+use std::{collections::BTreeSet, time::Duration};
 use std::{
     fs,
     net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
@@ -22,7 +23,8 @@ use lanparty_ctrl::{
     RoomCode, ServerWelcome, decode_control_frame, encode_control_message,
 };
 use lanparty_proto::{
-    EthernetFrame, FrameType, MAX_STANDARD_ETHERNET_FRAME_LEN, decode_datagram, encode_datagram,
+    EthernetFrame, FrameType, MAX_STANDARD_ETHERNET_FRAME_LEN, MacAddr, decode_datagram,
+    encode_datagram,
 };
 use quinn::{ClientConfig, Endpoint, crypto::rustls::QuicClientConfig};
 use rustls::pki_types::CertificateDer;
@@ -33,6 +35,15 @@ use tokio::io::unix::AsyncFd;
 pub use packet::PacketSocket;
 
 const MAX_CONTROL_FRAME_LEN: usize = CONTROL_LENGTH_PREFIX_LEN + MAX_CONTROL_MESSAGE_LEN;
+#[cfg(target_os = "linux")]
+const CAM_REFRESH_INTERVAL: Duration = Duration::from_secs(60);
+#[cfg(target_os = "linux")]
+// Local experimental EtherType for frames whose only job is switch MAC learning.
+const CAM_REFRESH_ETHERTYPE: u16 = 0x88b5;
+#[cfg(target_os = "linux")]
+const CAM_REFRESH_PAYLOAD: &[u8] = b"lanparty-cam-refresh";
+#[cfg(target_os = "linux")]
+const MIN_ETHERNET_FRAME_WITHOUT_FCS: usize = 60;
 
 #[derive(Debug, Parser)]
 #[command(
@@ -209,6 +220,12 @@ impl GatewayConnection {
 
     #[cfg(target_os = "linux")]
     pub async fn bridge_until_shutdown(self, packet_socket: PacketSocket) -> Result<()> {
+        let mut cam_refresh = CamRefresh::new(packet_socket.interface_mac());
+        let mut cam_refresh_tick = tokio::time::interval_at(
+            tokio::time::Instant::now() + CAM_REFRESH_INTERVAL,
+            CAM_REFRESH_INTERVAL,
+        );
+        cam_refresh_tick.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Delay);
         let packet_socket = AsyncFd::new(packet_socket)
             .context("failed to register AF_PACKET socket with Tokio")?;
         let Self {
@@ -230,7 +247,14 @@ impl GatewayConnection {
                     send_gateway_ethernet(&connection, &welcome, &lan_frame?)?;
                 }
                 relay_frame = recv_gateway_ethernet(&connection, &welcome) => {
-                    write_lan_ethernet(&packet_socket, relay_frame?.payload()).await?;
+                    let relay_frame = relay_frame?;
+                    cam_refresh.observe_remote_frame(relay_frame.payload())?;
+                    write_lan_ethernet(&packet_socket, relay_frame.payload()).await?;
+                }
+                _ = cam_refresh_tick.tick() => {
+                    for frame in cam_refresh.refresh_frames() {
+                        write_lan_ethernet(&packet_socket, &frame).await?;
+                    }
                 }
             }
         }
@@ -329,6 +353,56 @@ async fn write_lan_ethernet(packet_socket: &AsyncFd<PacketSocket>, frame: &[u8])
     }
 }
 
+#[cfg(target_os = "linux")]
+#[derive(Debug, Clone)]
+struct CamRefresh {
+    gateway_mac: MacAddr,
+    remote_macs: BTreeSet<MacAddr>,
+}
+
+#[cfg(target_os = "linux")]
+impl CamRefresh {
+    fn new(gateway_mac: MacAddr) -> Self {
+        Self {
+            gateway_mac,
+            remote_macs: BTreeSet::new(),
+        }
+    }
+
+    fn observe_remote_frame(&mut self, frame: &[u8]) -> Result<()> {
+        let frame = EthernetFrame::parse(frame).context("relay Ethernet frame is malformed")?;
+        let source = frame.source();
+        if source.is_valid_client_identity() {
+            self.remote_macs.insert(source);
+        }
+
+        Ok(())
+    }
+
+    fn refresh_frames(&self) -> Vec<Vec<u8>> {
+        self.remote_macs
+            .iter()
+            .map(|source| cam_refresh_frame(*source, self.gateway_mac))
+            .collect()
+    }
+
+    #[cfg(test)]
+    fn remote_mac_count(&self) -> usize {
+        self.remote_macs.len()
+    }
+}
+
+#[cfg(target_os = "linux")]
+fn cam_refresh_frame(source: MacAddr, destination: MacAddr) -> Vec<u8> {
+    let mut frame = Vec::with_capacity(MIN_ETHERNET_FRAME_WITHOUT_FCS);
+    frame.extend_from_slice(&destination.octets());
+    frame.extend_from_slice(&source.octets());
+    frame.extend_from_slice(&CAM_REFRESH_ETHERTYPE.to_be_bytes());
+    frame.extend_from_slice(CAM_REFRESH_PAYLOAD);
+    frame.resize(MIN_ETHERNET_FRAME_WITHOUT_FCS, 0);
+    frame
+}
+
 pub async fn connect_gateway(config: GatewayConfig) -> Result<GatewayConnection> {
     let client_config = relay_client_config(config.relay_ca_cert_der())?;
     let mut endpoint = Endpoint::client(client_bind_addr(config.relay_addr()))
@@ -542,6 +616,46 @@ mod tests {
             .unwrap();
     }
 
+    #[cfg(target_os = "linux")]
+    #[test]
+    fn builds_padded_cam_refresh_frame() {
+        let gateway_mac = MacAddr::new([0x0a, 0, 0, 0, 0, 1]);
+        let remote_mac = MacAddr::new([0x02, 0, 0, 0, 0, 2]);
+
+        let frame = cam_refresh_frame(remote_mac, gateway_mac);
+        let parsed = EthernetFrame::parse(&frame).unwrap();
+
+        assert_eq!(frame.len(), MIN_ETHERNET_FRAME_WITHOUT_FCS);
+        assert_eq!(parsed.destination(), gateway_mac);
+        assert_eq!(parsed.source(), remote_mac);
+        assert_eq!(parsed.ethertype_or_len(), CAM_REFRESH_ETHERTYPE);
+        assert!(frame[14..].starts_with(CAM_REFRESH_PAYLOAD));
+    }
+
+    #[cfg(target_os = "linux")]
+    #[test]
+    fn tracks_valid_remote_macs_for_cam_refresh() {
+        let gateway_mac = MacAddr::new([0x0a, 0, 0, 0, 0, 1]);
+        let remote_mac = MacAddr::new([0x02, 0, 0, 0, 0, 2]);
+        let invalid_remote_mac = MacAddr::BROADCAST;
+        let mut refresh = CamRefresh::new(gateway_mac);
+
+        refresh
+            .observe_remote_frame(&ethernet_frame_from(remote_mac, b"remote"))
+            .unwrap();
+        refresh
+            .observe_remote_frame(&ethernet_frame_from(invalid_remote_mac, b"ignored"))
+            .unwrap();
+
+        let frames = refresh.refresh_frames();
+        let refresh_frame = EthernetFrame::parse(&frames[0]).unwrap();
+
+        assert_eq!(refresh.remote_mac_count(), 1);
+        assert_eq!(frames.len(), 1);
+        assert_eq!(refresh_frame.source(), remote_mac);
+        assert_eq!(refresh_frame.destination(), gateway_mac);
+    }
+
     fn test_server_config() -> (ServerConfig, CertificateDer<'static>) {
         let certified_key =
             rcgen::generate_simple_self_signed(vec!["lanparty-relay.local".into()]).unwrap();
@@ -567,9 +681,13 @@ mod tests {
     }
 
     fn ethernet_frame(payload: &[u8]) -> Vec<u8> {
+        ethernet_frame_from(MacAddr::new([0x02, 0, 0, 0, 0, 1]), payload)
+    }
+
+    fn ethernet_frame_from(source: MacAddr, payload: &[u8]) -> Vec<u8> {
         let mut frame = Vec::new();
         frame.extend_from_slice(&[0x02, 0, 0, 0, 0, 2]);
-        frame.extend_from_slice(&[0x02, 0, 0, 0, 0, 1]);
+        frame.extend_from_slice(&source.octets());
         frame.extend_from_slice(&0x0800_u16.to_be_bytes());
         frame.extend_from_slice(payload);
         frame