From: Andi Kleen <ak@suse.de>
To: dean gaudet <dean-list-linux-kernel@arctic.org>
Cc: linux-kernel@vger.kernel.org, davem@redhat.com
Subject: Re: [BUG?] unwanted proxy arp in 2.4.19-pre10
Date: 14 Jul 2002 20:40:23 +0200	[thread overview]
Message-ID: <p73lm8eup9k.fsf@oldwotan.suse.de> (raw)
In-Reply-To: dean gaudet's message of "14 Jul 2002 19:33:04 +0200"

dean gaudet <dean-list-linux-kernel@arctic.org> writes:

> On Sat, 13 Jul 2002, David S. Miller wrote:
> 
> >
> > You have to use specific source-routing settings in conjunction with
> > enabling arp_filter in order for arp_filter to have any effect.
> >
> > This is a FAQ.
> 
> a couple google queries yielded no answer to this faq... is there a posted
> example somewhere?

arpfilter normally needs no special routing entries, unless you want
to do weird things (like filtering ARP based on source). The main use
of arp filter is to prevent multiple arp answers on multiple devices
when the host has more than one interface to the same network. The other
use is to allow load balancing for incoming connections together 
with multi path routing.

It can be abused for more complex filtering scenarios:

The arpfilter routing decision takes the reversed address tuple into account.
When the routing decision yields the device that the ARP arrived on
then the ARP is answered otherwise not.
You can construct policy routing rules that match the ARP requests you
want to prevent with some tricks, but do not match outgoing packets.
Easy? It's not easy, but nobody said it was.

The main use of this seems to be certain HA failover setups.
Some people use a patch that allows disabling ARP per interface for it
("hidden"), but for some reason it was not integrated.

> 
> is the default behaviour of use to anyone?  this question comes up like
> every other month.

It would likely be easier/more straightforward if there was a special
ARP routing table that is only consulted by ARP filter (as an extension
to the current multi table routing). Then you could just put reject routes
there to filter ARP. Unfortunately nobody has stepped forward to implement it
yet, so it has remained a dream so far.

Another thing that was implemented is a netfilter chain for ARP, but
afaik there are no filtering modules for it yet, so Joe User cannot
use it. It likely just exists somewhere as a proprietary module in
someone's firewall appliance and all they did was to contribute the
hook. It probably would not be hard to rewrite a filter module for it,
but again nobody did it yet.

Hope this helps,

-Andi
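The reversed-tuple check Andi describes (route with source = requested target IP, destination = requester IP, answer only if the lookup leaves through the arrival interface) is easy to misread, so here is an added toy model of it in Python. It is not code from the mail or from the kernel; the two-interface host, the routing tables and the policy rule (`from 10.0.0.2 lookup t_eth1`) are constructed for illustration, equal-length routes are ordered by list position in place of metrics, and proxy_arp/arp_ignore are not modelled. It shows the three cases the thread argues about: no arp_filter (both NICs answer for both addresses), arp_filter with only the main table (one NIC ends up answering for both addresses, the other never), and arp_filter plus a source-based rule (each NIC answers exactly for its own address).

```python
"""Toy model of Linux arp_filter: answer an ARP request only when a route
lookup on the reversed address tuple (saddr = requested target IP,
daddr = requester IP) would leave through the interface the request
arrived on. All addresses, tables and rules below are constructed for
illustration and are not taken from the original mail or the kernel."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]           # (prefix, output device)
Table = List[Route]
Rule = Tuple[Optional[str], str]  # (source prefix or None for "all", table)


def lookup_table(table: Table, daddr: str) -> Optional[str]:
    """Longest-prefix match; among equal-length prefixes the first listed
    wins, standing in for the kernel's metric ordering."""
    dst = ipaddress.ip_address(daddr)
    best: Optional[Tuple[int, str]] = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def route_output(saddr: str, daddr: str, rules: List[Rule],
                 tables: Dict[str, Table]) -> Optional[str]:
    """Policy routing: walk the rules in order and use the first table
    that holds a matching route (a table without a match falls through)."""
    src = ipaddress.ip_address(saddr)
    for src_prefix, table_name in rules:
        if src_prefix is not None and src not in ipaddress.ip_network(src_prefix):
            continue
        dev = lookup_table(tables[table_name], daddr)
        if dev is not None:
            return dev
    return None


def arp_filter_drops(sip: str, tip: str, in_dev: str,
                     rules: List[Rule], tables: Dict[str, Table]) -> bool:
    """The arp_filter check: route the reversed tuple (saddr=tip, daddr=sip)
    and drop unless the output device is the arrival device. An unroutable
    tuple is dropped as well."""
    return route_output(tip, sip, rules, tables) != in_dev


def arp_should_reply(sip: str, tip: str, in_dev: str, local_addrs: Dict[str, str],
                     arp_filter: bool, rules: List[Rule],
                     tables: Dict[str, Table]) -> bool:
    """Linux answers for any local address on any interface (weak host model)
    unless arp_filter is on and the reversed-route check rejects it."""
    if tip not in local_addrs.values():
        return False
    if not arp_filter:
        return True
    return not arp_filter_drops(sip, tip, in_dev, rules, tables)


# Constructed host: two NICs on one shared /24 segment.
LOCAL = {"eth0": "10.0.0.1", "eth1": "10.0.0.2"}
MAIN = [("10.0.0.0/24", "eth0"), ("10.0.0.0/24", "eth1"), ("0.0.0.0/0", "eth0")]
T_ETH1 = [("10.0.0.0/24", "eth1")]
TABLES = {"main": MAIN, "t_eth1": T_ETH1}
RULES_PLAIN = [(None, "main")]                      # "ip rule" defaults only
RULES_SRC = [("10.0.0.2/32", "t_eth1"), (None, "main")]  # from 10.0.0.2 lookup t_eth1


def answers_for(tip: str, arp_filter: bool, rules: List[Rule]) -> List[str]:
    """Interfaces that would answer a request for `tip` from 10.0.0.99,
    assuming the broadcast is seen on every interface of the segment."""
    return [dev for dev in LOCAL
            if arp_should_reply("10.0.0.99", tip, dev, LOCAL, arp_filter, rules, TABLES)]


if __name__ == "__main__":
    for label, af, rules in [("arp_filter=0", False, RULES_PLAIN),
                             ("arp_filter=1, main table only", True, RULES_PLAIN),
                             ("arp_filter=1 + source rule", True, RULES_SRC)]:
        print(label, {tip: answers_for(tip, af, rules) for tip in LOCAL.values()})
```

With only the main table, the lookup for saddr=10.0.0.2 still picks eth0 (the first /24 route), so eth1 is silent even for its own address while eth0 answers for both; that is the effect the "source-routing settings" remark in the quoted text refers to, and the `from 10.0.0.2` rule is what restores one answer per interface.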

