Linux kernel Parameters Arp_ignore & arp_announce Detailed

Source: Internet
Author: User



arp_ignore defines how the host responds to ARP queries whose target address is one of its own (local) IP addresses.
arp_announce controls which source IP address is placed in ARP request packets sent from a network interface (NIC): depending on the value of this parameter, the host uses either the source IP of the IP packet being sent or the IP address of the sending interface as the source IP of the ARP request.


net.ipv4.conf.all.arp_announce
net.ipv4.conf.default.arp_announce
net.ipv4.conf.lo.arp_announce
net.ipv4.conf.eth0.arp_announce
net.ipv4.conf.eth1.arp_announce
net.ipv4.conf.eth2.arp_announce
……

If arp_announce is not configured on a specific network interface, the value configured under default is applied to that interface when it is created. The value that actually takes effect on an interface is the larger of the value configured under all and the value configured on the interface itself.



The possible values of the arp_announce parameter and their meanings are as follows:


    • 0 (default): use any local address, on any network interface (eth0, eth1, lo), as the source of ARP requests. In other words, if the source IP of the IP packet differs from the IP address of the interface that is sending the ARP request, but is still an IP address configured on another interface of this host, the ARP request uses that address (the same as the IP packet's source IP) as its source IP rather than the IP address of the interface sending the ARP request.
    • 1: try to avoid using an IP address outside the subnet of the sending interface as the source IP of the ARP request. This mode is useful when the host receiving the ARP request requires the request's source IP to be in the same subnet as its own IP. The source IP of the IP packet is checked against the subnets configured on the network interfaces; if an interface is found whose subnet contains that source IP, it is used as the source address of the ARP request. If the source IP of the IP packet does not fall within the subnet of any interface, the processing of level 2 is used instead.
    • 2: always use the best local IP address for the destination IP as the source IP of the ARP request. In this mode the source IP of the IP packet is ignored, and the host tries to select a local address that can communicate with the destination IP. First, the local address whose subnet contains the destination IP is chosen from among all network interfaces. If there is no suitable address, the ARP request is sent from the current interface, or from another interface that is likely to receive the ARP reply, and the IP address of the interface that sends the ARP request is used as the request's source IP.
A more detailed description of the arp_announce parameter


Suppose a Linux server X has three network interfaces, eth0, eth1 and eth2, with IP addresses IP0, IP1 and IP2 respectively. A local application tries to send an IP packet with source address IP0 through eth2. If the MAC address of the target node has not yet been resolved, server X sends an ARP request to obtain the MAC address of the target (or of the gateway). What is the source IP address of that ARP request: IP0 (the source IP of the IP packet) or IP2 (the IP address of eth2, the interface that sends the ARP request)? For most routers, the source IP of the ARP request is the IP address configured on the interface that sends it (IP2 in this example). A Linux server behaves differently: through the kernel parameter arp_announce, the choice of the source address in ARP requests is fully configurable. If we want IP2 rather than IP0 to be used in the ARP request, arp_announce should be changed to 1 or 2. The default value, 0, allows IP0 to be used as the source IP of the ARP request.



In fact, arp_announce exists to solve the ARP problem of a Linux server acting as a router, because routers generally learn ARP entries dynamically (and addresses are generally assigned dynamically by DHCP). When a Linux machine on the intranet sends an IP packet outward, it requests the router's MAC address by sending an ARP request that carries its own IP address and MAC address. With the default arp_announce value of 0, Linux uses the source IP address of the IP packet as the source IP of the ARP request, instead of the IP address of the interface that sends it. Under an LVS architecture, the source address of all such ARP requests is then the same VIP address, so each ARP request carries the VIP together with the MAC of the sending device. The router that receives this ARP request updates its own ARP cache, which amounts to IP spoofing: the VIP is hijacked, and problems follow.
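The following is an added example, not part of the original article, that models the three arp_announce modes described above on the server X scenario (eth0/IP0, eth1/IP1, eth2/IP2) and on the LVS case of a VIP configured on lo. The selection logic follows the kernel's arp_solicit() in net/ipv4/arp.c (mode 0: announce the packet's source IP if it is any local address; mode 1: announce it only if it shares a prefix with the target on the outgoing interface; otherwise fall back to choosing the best address on that interface). The addresses are constructed values, and select_addr() is a simplified stand-in for the kernel's inet_select_addr(). One point the simulation makes visible: when the VIP lies inside the subnet of the real server's interface, mode 1 still announces the VIP, which is why arp_announce=2 is the usual choice for LVS real servers.

```python
import ipaddress

# Constructed topology for the article's scenario: server X with eth0/IP0,
# eth1/IP1, eth2/IP2, plus an LVS-style VIP configured on lo. All addresses
# are example values chosen here, not taken from the article.
INTERFACES = {
    "lo":   ["127.0.0.1/8", "10.0.0.100/32"],      # 10.0.0.100 plays the VIP
    "eth0": ["10.0.0.10/24"],                       # IP0
    "eth1": ["10.0.1.10/24"],                       # IP1
    "eth2": ["10.0.2.10/24", "192.168.2.10/24"],    # IP2 plus a secondary subnet
}
IFACES = {dev: [ipaddress.ip_interface(a) for a in addrs]
          for dev, addrs in INTERFACES.items()}


def is_local(addr):
    """True if addr is configured on any interface of this host."""
    return any(addr == i.ip for addrs in IFACES.values() for i in addrs)


def onlink(dev, target, addr):
    """Mirror of inet_addr_onlink(): addr and target must fall inside the
    same prefix configured on dev (the outgoing interface)."""
    return any(target in i.network and addr in i.network for i in IFACES[dev])


def select_addr(dev, target):
    """Simplified inet_select_addr(dev, target, RT_SCOPE_LINK): prefer an
    address on dev whose prefix contains the target, else dev's first address."""
    for i in IFACES[dev]:
        if target in i.network:
            return i.ip
    return IFACES[dev][0].ip


def arp_source(mode, dev, pkt_src, target):
    """Source IP the kernel puts in an ARP request sent on dev while resolving
    target for an IP packet whose source is pkt_src, for arp_announce=mode."""
    pkt_src, target = ipaddress.ip_address(pkt_src), ipaddress.ip_address(target)
    saddr = None
    if mode == 0:
        # announce any local address: the packet's source IP, if it is local
        if is_local(pkt_src):
            saddr = pkt_src
    elif mode == 1:
        # announce the packet's source only if the target can see it on-link
        if is_local(pkt_src) and onlink(dev, target, pkt_src):
            saddr = pkt_src
    elif mode != 2:
        raise ValueError("arp_announce must be 0, 1 or 2")
    # mode 2, or the fallback for modes 0 and 1: best address on the sending dev
    if saddr is None:
        saddr = select_addr(dev, target)
    return str(saddr)


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print("server X, source IP0 via eth2, arp_announce=%d -> %s"
              % (mode, arp_source(mode, "eth2", "10.0.0.10", "10.0.2.1")))
        print("LVS real server, source VIP via eth0, arp_announce=%d -> %s"
              % (mode, arp_source(mode, "eth0", "10.0.0.100", "10.0.0.1")))
```

Run it to see that mode 0 announces IP0 (and the VIP), mode 2 always announces the sending interface's own address, and mode 1 sits in between: it stops the IP0-through-eth2 case but not the VIP case, because 10.0.0.100 is inside eth0's 10.0.0.0/24.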



Why and when is the ARP cache updated? To reduce the number of ARP requests, when a host receives an ARP request for its own address it stores the request's source IP and source MAC in its own ARP table, ready for the next communication. If it receives a request that is not asking for its own address (ARP is broadcast, so everyone receives it), the request is discarded; otherwise the ARP table would fill with useless entries and useful records would be evicted.


How to configure


There are several ways to configure the arp_ignore and arp_announce parameters of the Linux kernel, described below.


Configuration that takes effect temporarily


A temporary configuration is lost after the system restarts, or after the system's network service is restarted. This method is suitable for ad hoc testing or experimentation.


Configuring with the sysctl command


The -w option of the sysctl command modifies Linux kernel parameters in real time, and the change takes effect immediately. Use the following commands to modify arp_ignore and arp_announce in the kernel parameters:

sysctl -w net.ipv4.conf.default.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.lo.arp_ignore=1
sysctl -w net.ipv4.conf.eth0.arp_ignore=1
sysctl -w net.ipv4.conf.eth1.arp_ignore=1
……

sysctl -w net.ipv4.conf.default.arp_announce=1
sysctl -w net.ipv4.conf.all.arp_announce=1
sysctl -w net.ipv4.conf.lo.arp_announce=1
sysctl -w net.ipv4.conf.eth0.arp_announce=1
sysctl -w net.ipv4.conf.eth1.arp_announce=1
……


For a more detailed description of the sysctl command, see the Linux man page (man sysctl) or other articles about sysctl.


Modifying the kernel parameter files under /proc


The values of the per-interface ARP request and reply parameters arp_ignore and arp_announce are exposed by the Linux kernel as files under /proc/sys. You can edit the contents of these files with an editor such as vi, or use the following commands to modify them:





echo 1 > /proc/sys/net/ipv4/conf/default/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_ignore
……

echo 1 > /proc/sys/net/ipv4/conf/default/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_announce
……


Configuration that takes effect permanently


A permanent configuration remains in effect even after the system restarts or the system's network service is restarted. This method is suitable for deployment in production environments.



Modifying the /etc/sysctl.conf configuration file makes the settings permanent.



Add the configuration items in the following snippet to the sysctl.conf configuration file to configure the arp_ignore and arp_announce parameters for each network interface in the Linux kernel:








net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.eth0.arp_ignore=1
net.ipv4.conf.eth1.arp_ignore=1
……

net.ipv4.conf.default.arp_announce=1
net.ipv4.conf.all.arp_announce=1
net.ipv4.conf.lo.arp_announce=1
net.ipv4.conf.eth0.arp_announce=1
net.ipv4.conf.eth1.arp_announce=1
……


Note that after you modify the sysctl.conf file, the new configuration takes effect only after you run the command sysctl -p.



For a more detailed description of the sysctl command and the sysctl.conf configuration file, see the Linux man pages (man sysctl and man sysctl.conf), or other articles about the sysctl command and the sysctl.conf file.
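Because the kernel applies the larger of the all and per-interface values, a setting that looks correct in sysctl.conf can still be overridden, or an interface added after boot can inherit a weaker default. The following is an added audit script, not part of the original article, that parses sysctl -a style output (or sysctl.conf lines), computes the effective arp_announce and arp_ignore value per interface with the max rule described above, flags interfaces below a wanted level, and emits the sysctl.conf lines that would fix them. The sample output is constructed, and the wanted values (arp_announce=2, arp_ignore=1, the usual LVS real-server setting; the article's own snippets use 1 for both) are an assumption passed as parameters.

```python
import re
import sys

# Constructed sample in the format printed by `sysctl -a`; sysctl.conf lines
# without spaces around '=' parse the same way. All values are made up.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth1.arp_announce=0
net.ipv4.conf.eth1.arp_ignore=0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.eth0.rp_filter = 1
"""

# net.ipv4.conf.<interface>.<arp_announce|arp_ignore> = <value>
KEY = re.compile(
    r"^net\.ipv4\.conf\.([^.\s]+)\.(arp_announce|arp_ignore)\s*=\s*(\d+)\s*$")


def parse_arp_params(text):
    """Return {interface: {param: value}} for the arp_* keys found in text."""
    conf = {}
    for line in text.splitlines():
        m = KEY.match(line.strip())
        if m:
            conf.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return conf


def effective(conf, iface, param):
    """The kernel uses max(conf.all.<param>, conf.<iface>.<param>); an
    unset value counts as 0."""
    return max(conf.get("all", {}).get(param, 0),
               conf.get(iface, {}).get(param, 0))


def audit(text, want_announce=2, want_ignore=1):
    """Interfaces whose effective values are below the wanted ones, as
    {iface: (effective_arp_announce, effective_arp_ignore)}."""
    conf = parse_arp_params(text)
    findings = {}
    for iface in conf:
        if iface in ("all", "default"):     # templates, not real interfaces
            continue
        eff = (effective(conf, iface, "arp_announce"),
               effective(conf, iface, "arp_ignore"))
        if eff[0] < want_announce or eff[1] < want_ignore:
            findings[iface] = eff
    return findings


def remediation(findings, want_announce=2, want_ignore=1):
    """sysctl.conf lines that raise each flagged interface to the wanted values."""
    lines = []
    for iface in sorted(findings):
        lines.append("net.ipv4.conf.%s.arp_announce = %d" % (iface, want_announce))
        lines.append("net.ipv4.conf.%s.arp_ignore = %d" % (iface, want_ignore))
    return lines


if __name__ == "__main__":
    # Pipe `sysctl -a 2>/dev/null` into this script on a live host; with no
    # piped input it audits the constructed sample instead.
    text = SAMPLE_SYSCTL if sys.stdin.isatty() else sys.stdin.read()
    found = audit(text)
    for iface, (ann, ign) in sorted(found.items()):
        print("%s: effective arp_announce=%d arp_ignore=%d" % (iface, ann, ign))
    if found:
        print("\n".join(remediation(found)))
```

On the sample, eth0 passes (its own values are 2 and 1), while eth1 and lo are flagged because neither they nor all set anything; raising the all entries to 2 and 1 would clear every finding at once, since the max rule makes all a floor for every interface.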


Description


This article is the author's own summary, based on his understanding, of many articles about arp_ignore and arp_announce read on the Internet. Owing to the author's limited level, mistakes are inevitable. If you find errors while reading, please point them out so that we can make progress together.




Json_null
Links: https://www.jianshu.com/p/a682ecae9693
Source: Jianshu
Copyright belongs to the author. Commercial reprint please contact the author for authorization, non-commercial reprint please specify the source.

