From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513

Description of problem:
Additional IP addresses bound to the loopback interface for load balancing will respond to broadcast ARP requests on the network. When you have network load balancing equipment you do not want the loopback device to ARP for addresses on the loopback. In the 2.2 kernel you included in your default patches the "hidden" patch that added the proc entry that allowed you to hide an interface like "loopback" or "all" from broadcast ARP requests. In the 2.4 kernel it seems to have either been decided not to include it or it was forgotten about, causing anyone in an HA or load balanced environment using loopback addresses to create custom kernels each time. You can get a copy of the patch at the following address: http://www.linux-vs.org/~julian/hidden-2.4.5-1.diff

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Add a valid IP to the loopback address.
2. Ping the IP attached to the loopback address from a remote box.
3. Type "arp" on the remote box and you will see the MAC address of the physical NIC on the remote box assigned to that IP address.

Actual Results:
The box responds to broadcast ARP requests without the option or proc entry to hide an interface so it does not respond.

Expected Results:
With the "hidden" patch it adds the "hidden" proc value to the net interfaces and allows you to hide an interface such as "lo" and "all" from broadcast ARP requests. With the "hidden" value set in HA or load balanced solutions the server will not respond to broadcast ARP requests, allowing the traffic to be handled by the network load balancing equipment. The patch was included in the 2.2 kernel and needs to be added as well to the 2.4 kernel.

Additional info:
The following is a patch that was successfully applied and tested on the 2.4.9-37 kernel rpm.
http://www.linux-vs.org/~julian/hidden-2.4.5-1.diff
The hidden diff is vetoed by the TCP/IP people. There is also a better method available in the AS and 7.3 kernels by means of netfilter-for-arp.
netfilter as well as using "ARP=no" in the ifcfg-lo:0 seem to not be effective in this type of case. The loopback addresses seem to still respond to broadcast ARP requests. The hidden patch was the only thing found that resolved the problem.
2.4.18 (and the Advanced Server kernel) add a special netfilter-for-arp-packets mode. THAT is what I meant.
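The netfilter-for-arp mode referred to in the comment above is driven from userspace with arptables, and the report's reproduction step 3 (inspect the remote box's ARP table) is the check that tells you whether a real server is still answering for the VIP. The script below is an added example, not code from the bug thread or from Red Hat: it prints the two arptables rules that silence a VIP bound to lo on an LVS-style real server, and parses `arp -n` style output to flag a VIP that resolved to a MAC other than the balancer's. The VIP, real-server IP and MAC values are constructed placeholders, and it assumes an arptables build with the standard INPUT/OUTPUT chains and the mangle target.

```shell
#!/bin/sh
# Added example (not from the Bugzilla thread). Assumes arptables userspace
# for the netfilter-for-arp kernel module; all addresses below are constructed.

# arp_hide_rules VIP RIP
# Print the arptables commands that keep a real server from answering ARP
# for a VIP that is bound to lo. Printed rather than executed so the rules
# can be reviewed before being applied with root privileges.
arp_hide_rules() {
  vip="$1"; rip="$2"
  # Drop incoming ARP requests (who-has) for the VIP: this box stays silent
  # and the load balancer is the only host that answers for it.
  echo "arptables -A INPUT -d $vip -j DROP"
  # Rewrite the sender IP of ARP packets this box emits from the VIP to its
  # real IP so the VIP never leaks into neighbours' ARP caches.
  echo "arptables -A OUTPUT -s $vip -j mangle --mangle-ip-s $rip"
}

# arp_flux_check VIP EXPECTED_MAC < arp_table
# Reads `arp -n` style output (fields: Address HWtype HWaddress Flags Iface)
# on stdin and prints "ok" if the VIP maps to the balancer's MAC,
# "flux:<mac>" if some other host (a real server) answered for it, or
# "missing" if the VIP is not in the table at all.
arp_flux_check() {
  vip="$1"; want="$2"
  awk -v vip="$vip" -v want="$want" '
    $1 == vip { found = 1; mac = $3 }
    END {
      if (!found) print "missing";
      else if (tolower(mac) == tolower(want)) print "ok";
      else print "flux:" mac
    }'
}

# Constructed sample of `arp -n` on the remote box from the report's step 3:
# the VIP 192.0.2.50 resolved to the real server's NIC (192.0.2.10), which
# is exactly the symptom the report describes.
SAMPLE_ARP='Address HWtype HWaddress Flags Mask Iface
192.0.2.10 ether 00:11:22:33:44:55 C eth0
192.0.2.50 ether 00:11:22:33:44:55 C eth0'

# Show the rules for the constructed VIP/RIP pair.
arp_hide_rules 192.0.2.50 192.0.2.10
```

Run the check from a host on the same segment after applying the rules and clearing its ARP cache; "ok" means only the balancer (expected MAC) answered for the VIP.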
Our production environment runs on Red Hat Linux 7.2, currently running the 2.4.9-37 kernel. I can't seem to be able to find any feature that has been able to successfully hide the loopback address from broadcast ARP requests. Disabling proxy_ARP does not solve the problem either. It seems all the newsgroups mention your suggestion, but then that gets shot down as it does not solve the problem.
If you are able to successfully hide the loopback addresses from answering a broadcast ARP request in your testing on the Red Hat provided 2.4.9-37 kernel for Red Hat 7.2 without the hidden patch, please let the world know, as anyone in an HA/load balanced solution is being forced to create custom kernels right now.
Thanks for the bug report. However, Red Hat no longer maintains this version of the product. Please upgrade to the latest version and open a new bug if the problem persists. The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, and if you believe this bug is interesting to them, please report the problem in the bug tracker at: http://bugzilla.fedora.us/