This thread is more than a year old, but I have additional information that may be helpful for anyone finding this thread in a search and needing control over packets on a hardware-interface basis.
Summary:
Make sure the kernel parameter rp_filter is set to 0 when configuring to eliminate ARP Flux. [ /proc/sys/net/ipv4/conf/*/rp_filter = 0 (default) ]
----------
On Slackware64-14.2 the ARP Flux issue came up for me on a new server build this week. I found my solution from years ago no longer worked and that one setting was critical to the solution.
This week I solved the problem (eliminated ARP flux) by using the following four kernel settings:
Quote:
/proc/sys/net/ipv4/conf/*/arp_ignore = 2
/proc/sys/net/ipv4/conf/*/arp_announce = 1
/proc/sys/net/ipv4/conf/*/arp_filter = 0 (default)
/proc/sys/net/ipv4/conf/*/rp_filter = 0 (default)
* represents any of default, all, eth0, eth1, etc., or a shell wildcard in a script
In researching my problem I found the information on these settings in this 2014 article.
The key for me was to have rp_filter=0. In the past, part of my firewall rules always had this feature turned on (1). Apparently the ARP flux "fix" I used long ago no longer works with rp_filter enabled.
The author of the article linked above writes ...
Quote:
Now, on older kernels (2.4 and earlier), that was enough. But on newer kernels, an additional change is necessary due to the changes in how rp_filter is handled. So this would apply to kernels starting at 2.6 and onward through the current 3.x versions. So to make this work on 2.6+ kernels, we set the additional rp_filter value:
Code:
$ sysctl -w net.ipv4.conf.all.rp_filter=0
Other settings for the other features (arp_ignore, arp_announce, arp_filter) may also work as long as rp_filter is disabled (0). For example others have suggested arp_ignore=1 and arp_announce=2. Simply having rp_filter=0 and arp_filter=1 may also work. I have not yet experimented with the characteristics of these other combinations as I had a server to put online right away and my firewall rules were then working correctly. The settings you need will depend upon your networking goals.
Short descriptions of these settings can be found on your Slackware machine at /usr/src/linux/Documentation/networking/ip-sysctl.txt.
I originally started enabling the rp_filter feature years ago on simple Linux-based routers that I set up which involved packet forwarding. This rp_filter feature to prevent spoofed packets (route/source verification) is probably not needed on a non-forwarding host, so most people would probably have it disabled and not encounter the obstacle to the ARP flux solution that I did this week. But I'm posting this information in case it may be useful to someone.
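The following is an added example, not code from the post or the thread: a POSIX shell function that audits the four settings above on every interface directory and prints the sysctl command that would correct each mismatch, flagging rp_filter specifically since that is the value that blocked the fix. The function name and the optional directory argument (used so a constructed copy of the tree can be checked offline) are my own choices.

```sh
#!/bin/sh
# Audit the four ARP flux sysctl values from the post, one interface directory
# at a time, and print the sysctl command that would correct each mismatch.
# The optional first argument (an assumed convention) defaults to the live tree
# /proc/sys/net/ipv4/conf; a constructed copy can be passed for offline checks.
# Returns 0 when every interface matches, 1 otherwise.
check_arp_flux_settings() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    status=0
    for iface_dir in "$conf_dir"/*/; do
        [ -d "$iface_dir" ] || continue
        iface=$(basename "$iface_dir")
        # Expected values exactly as the post lists them.
        for pair in arp_ignore=2 arp_announce=1 arp_filter=0 rp_filter=0; do
            key="${pair%%=*}"
            want="${pair#*=}"
            file="$iface_dir$key"
            if [ ! -r "$file" ]; then
                echo "$iface: $key is missing"
                status=1
                continue
            fi
            have=$(cat "$file")
            if [ "$have" != "$want" ]; then
                echo "$iface: $key=$have (want $want)" \
                     "fix: sysctl -w net.ipv4.conf.$iface.$key=$want"
                # rp_filter is the setting the post found defeats the fix.
                if [ "$key" = rp_filter ]; then
                    echo "$iface: rp_filter is enabled; arp_ignore/arp_announce" \
                         "will not eliminate ARP flux until it is 0"
                fi
                status=1
            fi
        done
    done
    return "$status"
}

# Audit the live system when run directly; skipped where the tree is absent.
if [ -d /proc/sys/net/ipv4/conf ]; then
    if check_arp_flux_settings; then
        echo "all interfaces carry the ARP flux settings from the post"
    fi
fi
```

Run it as root after applying the settings; a clean run prints nothing but the final confirmation line.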