More ARP things and a semi-required patch

Dagmar d'Surreal dagmar.wants at nospam.com
Thu Feb 19 09:12:11 PST 2004


On Wed, 2004-02-18 at 12:39, Tarek W. wrote:
> On Tue, 2004-02-17 at 20:00, Dagmar d'Surreal wrote: [snipped]
> > For those of you who are now looking into the magic that is ARP, there's
> > a patch you may very well want to apply to your kernel to reduce some of
> > your pain and frustration with the inobviously strange way Linux handles
> > ARP.  Not that this behaviour is explicitly _wrong_, but that on an
> > incorrectly run network, it can break when otherwise it might be useful
> > (there are uses for its behaviour, although at the moment I can't
> > remember any good ones).  Enabling this patch breaks nothing you
> > wouldn't expect it to (if you're doing an HA or
> > multi-homed/multi-interface configuration, you probably already know
> > about this anyway).
> > 
> > The issue is that, by default, Linux will reply to ARP queries on _any_
> > interface for all IP addresses its interfaces are bound to.  This can
> > cause both you and the administrators of networks you are connected to
> > some headaches, particularly if there are clueless losers on your external
> > network allowing private network traffic to leak out.
> 
> arp_filter prohibits this
> 
> the issue of several interfaces on the same subnet will be covered in
> linux-ip very soon

From linux/Documentation/ip-sysctl.txt:

arp_filter - BOOLEAN
       1 - Allows you to have multiple network interfaces on the same
       subnet, and have the ARPs for each interface be answered
       based on whether or not the kernel would route a packet from
       the ARP'd IP out that interface (therefore you must use source
       based routing for this to work). In other words it allows control
       of which cards (usually 1) will respond to an arp request.

...

The hidden patch doesn't need any special routing, and I don't see how
this would prevent it from ARPing for internal private interfaces.  (It
could be that the documentation is a bit too terse for clarity.)
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
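As an added illustration (not part of this thread and not kernel code), here is a small Python model of the arp_filter decision quoted above, using constructed interface names, addresses and route tables. It shows the point made in the reply: with arp_filter=1 but only the main routing table, a request on the external interface for the private address is still answered, and it stops only once a source-based rule sends the private address to its own table.

```python
import ipaddress as ipa

# Constructed model (not kernel code): route tables are [(prefix, dev)] lists,
# dev=None stands for an "unreachable" route; rules are [(src_prefix, table)].
def _lookup(table, dst):
    """Longest-prefix match; returns (network, dev) or None if no route."""
    best = None
    for prefix, dev in table:
        net = ipa.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best

def would_answer_arp(host, in_dev, target_ip, sender_ip, arp_filter):
    """True if host replies to an ARP request for target_ip received on in_dev."""
    target, sender = ipa.ip_address(target_ip), ipa.ip_address(sender_ip)
    owned = {ipa.ip_address(a) for addrs in host["addrs"].values() for a in addrs}
    if target not in owned:
        return False                 # not one of our addresses (no proxy ARP here)
    if not arp_filter:
        return True                  # default: any interface answers for any address
    # arp_filter=1: route a packet *from* the ARP'd address *to* the requester and
    # reply only if it would leave through the interface the request came in on.
    # Rules are tried in order; a table with no matching route falls through.
    for src_prefix, name in host["rules"] + [("0.0.0.0/0", "main")]:
        if target in ipa.ip_network(src_prefix):
            hit = _lookup(host["tables"][name], sender)
            if hit is not None:
                return hit[1] == in_dev   # unreachable (dev None) never matches
    return False

# Constructed host: external eth0, private internal eth1, ordinary main table.
HOST = {
    "addrs": {"eth0": ["198.51.100.10"], "eth1": ["10.0.0.10"]},
    "rules": [],
    "tables": {"main": [("198.51.100.0/24", "eth0"), ("10.0.0.0/24", "eth1"),
                        ("0.0.0.0/0", "eth0")]},
}

def external_arp_for_private(arp_filter):
    """Request on eth0 for the private 10.0.0.10, plain main-table routing."""
    return would_answer_arp(HOST, "eth0", "10.0.0.10", "198.51.100.5", arp_filter)

def external_arp_for_private_with_source_rule():
    """Same request after 'ip rule add from 10.0.0.0/24 table internal', with an
    internal table holding only the eth1 link route and an unreachable default."""
    host = dict(HOST, rules=[("10.0.0.0/24", "internal")],
                tables={**HOST["tables"],
                        "internal": [("10.0.0.0/24", "eth1"), ("0.0.0.0/0", None)]})
    return would_answer_arp(host, "eth0", "10.0.0.10", "198.51.100.5", True)
```

The same function also models the documented multi-interface, same-subnet case: give each address its own rule and table and the request is answered only on the interface that table routes through.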
More information about the hlfs-dev mailing list