Re: [BUG?] unwanted proxy arp in 2.4.19-pre10

• Next message: Tomas Szepe: "Re: IDE/ATAPI in 2.5"
• Previous message: Bart Verwilst: "sa2opl3 driver b0rkage?"
• Next in thread: David S. Miller: "Re: [BUG?] unwanted proxy arp in 2.4.19-pre10"
• Reply: David S. Miller: "Re: [BUG?] unwanted proxy arp in 2.4.19-pre10"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

dean gaudet <dean-list-linux-kernel@arctic.org> writes:

> On Sat, 13 Jul 2002, David S. Miller wrote:
>
> >
> > You have to use specific source-routing settings in conjuntion with
> > enabling arp_filter in order for arp_filter to have any effect.
> >
> > This is a FAQ.
>
> a couple google queries yielded no answer to this faq... is there a posted
> example somewhere?

arpfilter normally needs no special routing entries, unless you want
to do weird things (like filtering ARP based on source). The main use
of arp filter is to prevent multiple arp answers on multiple devices
when the host has more than one interface to the same network. The other
use is to allow load balancing for incoming connections together
with multi path routing.

It can be abused for more complex filtering scenaries:

The arpfilter routing decision takes the reversed address tuple in account.
When the routing decision yields the device that the ARP arrived on
then the ARP is answered otherwise not.
You can construct policy routing rules that match the ARP requests you
want to prevent with some tricks, but do not match outgoing packets.
Easy? It's not easy, but nobody said it was.

The main use of this seem to be certain HA failover setups.
Some people use a patch that allows to disable ARP per interface for it
("hidden") but for some reasons it was not integrated.

>
> is the default behaviour of use to anyone? this question comes up like
> every other month.

It would be likely easier/more straightforward if there was a special
ARP routing table that is only consulted by ARP filter (as an extension
to the current multi table routing). Then you could just put reject routes
there to filter ARP Unfortunately nobody has stepped forward to implement it
yet, so it remained a dream so far.

Another thing that was implemented is a netfilter chain for ARP, but
afaik there are no filtering modules for it yet, so Joe User cannot
use it. It likely just exists somewhere as a proprietary module in
someone's firewall appliance and all they did was to contribute the
hook. It probably would not be hard to rewrite a filter module for it,
but again nobody did it yet.

Hope this helps,

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Tomas Szepe: "Re: IDE/ATAPI in 2.5"
• Previous message: Bart Verwilst: "sa2opl3 driver b0rkage?"
• Next in thread: David S. Miller: "Re: [BUG?] unwanted proxy arp in 2.4.19-pre10"
• Reply: David S. Miller: "Re: [BUG?] unwanted proxy arp in 2.4.19-pre10"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Jul 15 2002 - 22:00:28 EST