Comments on: Linux ARP code

By: rdoetjes

rdoetjes — Fri, 29 Dec 2006 17:00:09 +0000

I agree the IP stack in Linux is generaly very dodgy. Specially since the 2.6 rewrite.
When looking through Linux code in comparison with BSD and Solaris you will be amazed about the inconsitencies in coding style, the “assumptions” that pointers will be created without proper checks. Really scary stuff!
Specially in kernel space my idea is: there are too many Linux kernel contributers and too little auditors which doesn’t help the stability and future of the Linux kernel.

By: nhruby

nhruby — Fri, 08 Dec 2006 16:31:08 +0000

Heh. I could never get any of the arp sysctl tunables to do the right thing (at least on RHEL) when doing DSR.

I got fed up and did it the ham fisted way with arptables (package name arptables_vj) and just discard all outbound ARPs for the VIP on the Real Servers.

By: mark

mark — Mon, 04 Dec 2006 22:40:03 +0000

I should note that based on the docs, you’d think that setting arp_ignore=1 (via sysctl) would “correct” the behavior and you’d only get ARP replies on the interface you desire, but until I read the code it was unclear to me why I was still seeing ARPs coming from hosts with the source address set to an IP on one of the loopbacks. Now I know that you need arp_ignore=1 *and* arp_announce=2 to make a Linux host “do the right thing”.

(where “right”, as zdzichu pointed out, is open to interpretation)

By: mark

mark — Mon, 04 Dec 2006 22:33:57 +0000

You hit the problem with DSR (Direct Server Response) configs behind load balancers too, where the “Virtual” IP on the load balancer is configured on the loopback interface of each host in the pool.

Understanding how Linux will behave in such an environment is a little tricky, since there are two tunables (IN_DEV_ARP_ANNOUNCE and IN_DEV_ARP_IGNORE) with somewhat overlapping agendas that dictate how ARP requests are handled.

By: adb

adb — Mon, 04 Dec 2006 13:45:31 +0000

The other host shouldn’t be ARPing for an address it didn’t expect to find on the mutually-attached subnet, so normally you don’t run into this behavior. Cable into wrong interface at one end could certainly do it for you. And a few years ago this was part of an issue with Linux hosts sharing multiple VLANs, especially when there were iptables rules prohibiting traffic arriving on the wrong one.

By: zdzichu

zdzichu — Sat, 02 Dec 2006 13:14:30 +0000

Because Linux treats IP addresses as host addresses, not interface addresses. It will answer for ARP question for any of host IP address on all interfaces, giving proper MAC.
That’s why downed interface retain IP address and communication with this IP is still possible through other ifaces.
It’s one of two valid interpretation of some RFC.