Linux ARP parameter notes – arp_filter

arp_filter

    • Controls how the system answers ARP requests received on its different network interfaces
    • Values:
      • 1 – Allows you to have multiple network interfaces on the same subnet, and decides whether to answer an ARP request for an interface based on whether the kernel would route a packet from the requested IP address out through that interface (so source-based routing is required to make this work). In other words, it lets you control which NIC (usually just one) answers an ARP request.
      • 0 – (default) The kernel may answer an ARP request with the address of another interface. This looks wrong, but it usually makes sense because it increases the chance of successful communication. On Linux an IP address is owned by the host as a whole, not by a particular interface. Only in more complex setups, such as load balancing, does this behaviour cause problems. arp_filter is enabled for an interface if at least one of conf/{all,interface}/arp_filter is set to TRUE; otherwise it is disabled.
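The last rule (an interface is filtered when either conf/all/arp_filter or conf/<interface>/arp_filter is 1) is easy to get wrong when auditing a host, because reading only the per-interface file can report 0 while the "all" setting has already turned filtering on. The following shell functions are an added example and not part of the original post; they compute the effective arp_filter state per interface. The sysctl root directory is a parameter so the logic can be run against a constructed copy of the tree; make_sample_tree builds such a copy whose interface names mirror the rs1 namespace and whose values are made up for the demonstration.

```shell
# Added example: effective arp_filter per interface, following the kernel rule
# effective = conf/all/arp_filter OR conf/<iface>/arp_filter.
# The sysctl root is a parameter (assumption for this example); it defaults
# to the live /proc tree.

# Print 1 if arp_filter is effectively on for interface $2 under root $1, else 0.
# A missing file is treated as 0 so the check also works on a partial copy.
effective_arp_filter() {
    ef_root="$1"
    ef_iface="$2"
    all_val=$(cat "$ef_root/all/arp_filter" 2>/dev/null || echo 0)
    if_val=$(cat "$ef_root/$ef_iface/arp_filter" 2>/dev/null || echo 0)
    if [ "$all_val" = 1 ] || [ "$if_val" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# List every real interface (skipping the all/default pseudo-entries) with its
# effective arp_filter state, one "<iface> <0|1>" pair per line.
arp_filter_report() {
    rp_root="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$rp_root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case "$iface" in
            all|default) continue ;;
        esac
        printf '%s %s\n' "$iface" "$(effective_arp_filter "$rp_root" "$iface")"
    done
}

# Build a constructed sysctl tree under $1 that mirrors the rs1 namespace
# (interface names from the post, all values initially 0; values are made up).
make_sample_tree() {
    st_root="$1"
    for d in all default lo veth-rs1 veth-rs1-extra; do
        mkdir -p "$st_root/$d"
        echo 0 > "$st_root/$d/arp_filter"
    done
}

# Usage:
#   arp_filter_report                 # live system
#   T=$(mktemp -d); make_sample_tree "$T"; echo 1 > "$T/all/arp_filter"
#   arp_filter_report "$T"            # every interface now reports 1
```

Running the report inside the namespace (for example `ip netns exec rs1 sh -c '. ./arp_filter.sh; arp_filter_report'`) shows the state the kernel will actually apply, which is what matters when deciding whether setting conf.all.arp_filter=1 or a single interface's value is the smaller change.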

Verification

Again using the load-balancing environment; the addresses of rs1:

# ip netns exec rs1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 10.1.1.10/32 scope global lo
       valid_lft forever preferred_lft forever
264: veth-rs1@if263: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:11:22:33:44:99 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.1.13/24 scope global veth-rs1
       valid_lft forever preferred_lft forever
    inet 10.1.1.11/24 scope global secondary veth-rs1
       valid_lft forever preferred_lft forever
271: veth-rs1-extra@if270: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 66:82:27:71:76:15 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.168.1.3/24 scope global veth-rs1-extra
       valid_lft forever preferred_lft forever

Set arp_ignore and arp_filter to their default value, 0:

# ip netns exec rs1 sysctl -w net.ipv4.conf.all.arp_ignore=0
net.ipv4.conf.all.arp_ignore = 0
# ip netns exec rs1 sysctl net.ipv4.conf.default.arp_filter
net.ipv4.conf.default.arp_filter = 0
# ip netns exec client arping 10.1.1.13 -c 3
ARPING 10.1.1.13 from 10.1.1.20 veth-client
Unicast reply from 10.1.1.13 [66:82:27:71:76:15]  0.768ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.838ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.697ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.671ms
Sent 3 probes (1 broadcast(s))
Received 4 response(s)


This part is described at http://linux-ip.net/html/ether-arp.html#ether-arp-flux and https://robertlathanh.com/2009/08/two-subnetworks-on-one-lan-and-linux-arp_filter/comment-page-1/


Set arp_filter=1 and the behaviour returns to normal:

# ip netns exec rs1 sysctl -w net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_filter = 1

# ip netns exec client arping 10.1.1.13 -c 3
ARPING 10.1.1.13 from 10.1.1.20 veth-client
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.786ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.666ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.673ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)

Here, setting arp_ignore=1 on its own also gives the normal result.
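The two arping runs above differ in exactly the symptom worth checking for on a load-balanced LAN: in the first run the probed IP is answered by two different MAC addresses and more replies come back than probes were sent, in the second run one MAC answers once per probe. The shell functions below are an added example (not part of the original post) that read arping output and report that difference, so the check can be repeated after every sysctl change. The sample output is constructed from the lines shown above.

```shell
# Added example: detect the ARP flux symptom in arping output.
# Functions read arping's text on stdin; sample inputs are constructed from
# the post's output and embedded below.

# Print each distinct MAC that sent a "Unicast reply", one per line.
# Field 5 of such a line is the bracketed MAC, e.g. "[00:11:22:33:44:99]".
arping_reply_macs() {
    awk '/^Unicast reply from/ {
             mac = substr($5, 2, length($5) - 2)
             if (!(mac in seen)) { seen[mac] = 1; print mac }
         }'
}

# Print replies-received minus probes-sent from the arping summary lines.
# A positive number means some probe was answered more than once.
arping_extra_replies() {
    awk '/^Sent [0-9]+ probes/        { sent = $2 }
         /^Received [0-9]+ response/  { recv = $2 }
         END { print recv - sent }'
}

# Print one word: "flux" when more than one MAC answered, "single" when
# exactly one did, "none" when no reply was seen at all.
arp_flux_verdict() {
    input=$(cat)
    macs=$(printf '%s\n' "$input" | arping_reply_macs)
    if [ -z "$macs" ]; then
        echo none
    elif [ "$(printf '%s\n' "$macs" | wc -l | tr -d ' ')" -gt 1 ]; then
        echo flux
    else
        echo single
    fi
}

# Constructed sample: the arp_filter=0 run from the post (two MACs, 4 replies to 3 probes).
SAMPLE_FLUX='ARPING 10.1.1.13 from 10.1.1.20 veth-client
Unicast reply from 10.1.1.13 [66:82:27:71:76:15]  0.768ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.838ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.697ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.671ms
Sent 3 probes (1 broadcast(s))
Received 4 response(s)'

# Constructed sample: the arp_filter=1 run from the post (one MAC, 3 replies to 3 probes).
SAMPLE_CLEAN='ARPING 10.1.1.13 from 10.1.1.20 veth-client
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.786ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.666ms
Unicast reply from 10.1.1.13 [00:11:22:33:44:99]  0.673ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)'

# Usage on a live namespace (assumed names from the post):
#   ip netns exec client arping 10.1.1.13 -c 3 2>&1 | arp_flux_verdict
#   ip netns exec client arping 10.1.1.13 -c 3 2>&1 | arping_extra_replies
```

A "flux" verdict on a host with several interfaces on one LAN points at arp_filter=0 (or arp_ignore=0) on the answering host, which is the case shown above; the same verdict on a host with a single interface is not explained by this sysctl and deserves a look at what else on the LAN is claiming the address.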

References

Image from 林佳興
