Re: Howto disable ARP response from lo
From: Michal Soltys
Date: Thu May 29 2008 - 07:00:24 EST
Nico Schottelius wrote:
> I currently set lo to not send arp replies for virtual ipn
> (realserver of linux virtual server pool) this way:
> ip link set lo arp off

arp off is ignored in case of lo interface (no link level address at all).
What you're experiencing is that by default, Linux treats IP addresses
as assigned to the host instead of interface. And you can "change" that
When you set arp_ignore=1, you pretty much told your system to limit arp
reply to the address configured on incoming interface, not anywhere on
your host. arp_ignore=2 limits it further to the same subnet as well.
Another way is to add your address with scope host (on any interface),
and set arp_filter=3. This will keep "address belongs to host"
behaviour, but will ignore requests for host scoped addresses.
arp_filter is used for something else - actually it's roughly analogous
to rp_filter. Considering that reverse path check was successful,
arp_filter accepted it.
Btw, it's probably better to leave lo alone, and use dummy driver, if
you need another interface.
There's always heavier artillery like e.g. arptables, should your config
become complex enough to require it.

> Is there some document available that summarises the problems with
> arp on Linux including those when using an ip-address on lo for load balancing?

Well - Documentation/networking/ip-sysctl.txt is tight, but pretty
detailed. Googling for 'virtual server arp' variations will get some
results as well.
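
Added example (not part of the original message and not kernel code): a simplified Python model of arp_ignore values 0 to 2 as described in the message above, together with the rule from Documentation/networking/ip-sysctl.txt that the kernel uses the higher of conf/all and conf/<incoming interface>. The interface names and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for illustration.

```python
import ipaddress

def effective_arp_ignore(sysctl, iface):
    """ip-sysctl.txt: the max of conf/all and conf/<iface> is used."""
    return max(sysctl.get("all", 0), sysctl.get(iface, 0))

def answers_arp(addrs, sysctl, in_iface, sender_ip, target_ip):
    """Simplified model (not kernel code): is an ARP request for target_ip,
    received on in_iface, answered?  addrs maps iface -> ['ip/prefix', ...]."""
    target = ipaddress.ip_address(target_ip)
    sender = ipaddress.ip_address(sender_ip)
    local = [(name, ipaddress.ip_interface(a))
             for name, alist in addrs.items() for a in alist]
    if not any(a.ip == target for _, a in local):
        return False                  # target is not a local address
    mode = effective_arp_ignore(sysctl, in_iface)
    if mode == 0:                     # default: address belongs to the host
        return True
    on_in = [a for name, a in local if name == in_iface and a.ip == target]
    if mode == 1:                     # must be configured on the incoming iface
        return bool(on_in)
    if mode == 2:                     # ... and sender must share that subnet
        return any(sender in a.network for a in on_in)
    raise ValueError("only arp_ignore 0-2 are modelled here")

# Constructed real-server layout: VIP on lo, real IP on eth0.
ADDRS = {"lo": ["127.0.0.1/8", "192.0.2.100/32"], "eth0": ["192.0.2.10/24"]}
VIP, RIP = "192.0.2.100", "192.0.2.10"
NEIGHBOUR, OFFNET = "192.0.2.1", "198.51.100.5"

def demo():
    """Requests always arrive on eth0; only the sysctl settings change."""
    def ask(sysctl, sender, target):
        return answers_arp(ADDRS, sysctl, "eth0", sender, target)
    return {
        "default, VIP": ask({}, NEIGHBOUR, VIP),
        "arp_ignore=1 on lo only, VIP": ask({"lo": 1}, NEIGHBOUR, VIP),
        "arp_ignore=1 on eth0, VIP": ask({"eth0": 1}, NEIGHBOUR, VIP),
        "arp_ignore=1 on all, VIP": ask({"all": 1}, NEIGHBOUR, VIP),
        "arp_ignore=1 on eth0, RIP": ask({"eth0": 1}, NEIGHBOUR, RIP),
        "arp_ignore=2 on eth0, RIP, off-subnet sender": ask({"eth0": 2}, OFFNET, RIP),
        "arp_ignore=2 on eth0, RIP, on-subnet sender": ask({"eth0": 2}, NEIGHBOUR, RIP),
    }

if __name__ == "__main__":
    for case, replied in demo().items():
        print(f"{case}: {'reply' if replied else 'no reply'}")
```

In this model, setting arp_ignore only under conf/lo changes nothing for the VIP, because the request arrives on eth0 and that interface's value (or conf/all) is the one consulted.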