Bug 80934
Summary: Incorrectly responding to ARP requests

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Dave Johnson <johnsond> |
| Component: | kernel | Assignee: | Larry Woodman <lwoodman> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.1 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | arptables_jf-0.0.7-0.3E | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-05-17 21:29:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dave Johnson
2003-01-02 16:00:53 UTC
The hidden patch is absolutely wrong; and recompiled kernels aren't supported. Use the netfilter arpfilter feature instead.

Are the userspace tools capable of setting up such an ARP filter? I am having trouble finding any documentation or userspace code. Thanks,

That's a question for the server os folks.

arpfilter will not solve this problem (why?: arp requests). Use an iptables transparent proxy instead. *Don't* assign the vip to any interface or alias, instead use a rule like the following on the real servers:

    iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport <vport> -j REDIRECT

You can vary the incantation to be more or less picky about which packets are redirected to the host. Basically the machine masquerades the packets to itself. Since the vip is never raised on an interface, there is no arp problem.

The latest arpfilter_jf (RHEA-2004:055-06) resolves this problem. You will need to use it to set up two rules: one to block incoming arp requests for the hidden ip, and a second to mangle outgoing arp requests that might use the hidden ip. Example arptables rules:

    % arptables -A IN -d $HIDDEN_IP -j DROP
    % arptables -A OUT -s $HIDDEN_IP -j mangle --mangle-ip-s $PUBLIC_IP
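The two-rule arptables policy from the last comment, as an added Python simulation (not code from the bug report or from arptables itself): it decodes constructed ARP payloads, applies the IN drop and the OUT sender-IP mangle, and models a neighbour that records the sender pair of a request addressed to it (RFC 826), which is why the OUT rule is needed alongside the IN rule. The addresses and MAC are constructed sample values.

```python
import ipaddress
import struct

# Constructed sample values; the bug thread uses the placeholders $HIDDEN_IP / $PUBLIC_IP.
HIDDEN_IP = "192.0.2.100"      # the VIP that must never be tied to this host's MAC
PUBLIC_IP = "192.0.2.11"       # the real server's own interface address
REAL_MAC = bytes.fromhex("020000000011")
ARP_REQUEST, ARP_REPLY = 1, 2
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen op sha spa tha tpa

def build_arp(op, sha, spa, tha, tpa):
    """Encode a 28-byte Ethernet/IPv4 ARP payload."""
    return ARP.pack(1, 0x0800, 6, 4, op, sha, ipaddress.IPv4Address(spa).packed,
                    tha, ipaddress.IPv4Address(tpa).packed)

def parse_arp(pkt):
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack(pkt[:ARP.size])
    return {"op": op, "sha": sha, "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha, "tpa": str(ipaddress.IPv4Address(tpa))}

def arp_in(pkt):
    """Rule 1, 'arptables -A IN -d $HIDDEN_IP -j DROP': never answer for the hidden IP."""
    return None if parse_arp(pkt)["tpa"] == HIDDEN_IP else pkt

def arp_out(pkt):
    """Rule 2, 'arptables -A OUT -s $HIDDEN_IP -j mangle --mangle-ip-s $PUBLIC_IP':
    rewrite the sender IP of our own ARP traffic so no neighbour learns HIDDEN_IP -> REAL_MAC."""
    a = parse_arp(pkt)
    if a["spa"] == HIDDEN_IP:
        return build_arp(a["op"], a["sha"], PUBLIC_IP, a["tha"], a["tpa"])
    return pkt

def neighbour_cache_after(own_ip, pkt):
    """Per RFC 826 the host a request is addressed to records the sender pair; this is the
    leak the OUT rule closes when the kernel picks the hidden IP as a request's source."""
    a = parse_arp(pkt)
    return {a["spa"]: a["sha"]} if a["tpa"] == own_ip else {}

if __name__ == "__main__":
    probe = build_arp(ARP_REQUEST, bytes(6), "192.0.2.1", bytes(6), HIDDEN_IP)
    print("IN: request for hidden IP dropped:", arp_in(probe) is None)
    ours = build_arp(ARP_REQUEST, REAL_MAC, HIDDEN_IP, bytes(6), "192.0.2.1")
    print("neighbour learns without OUT rule:", neighbour_cache_after("192.0.2.1", ours))
    print("neighbour learns with OUT rule:   ", neighbour_cache_after("192.0.2.1", arp_out(ours)))
```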