Description of problem: When using AS 2.1 to serve HTTP requests load balanced by IBM's WebSphere Edge product, this patch was necessary: http://www.ssi.bg/~ja/hidden-2.4.5-1.diff

What we saw was this behavior: the Linux box was responding to an ARP request for an IP address that was configured as a virtual interface (lo:1). The router would broadcast an ARP for the IP, which physically belonged to the edge server, and the Linux box would reply, saying that it belonged to itself. Broadcast ARPs were no longer responded to incorrectly after we applied the patch as described here: http://www-3.ibm.com/software/webservers/edgeserver/doc/v20/nd5mst.htm#HDRLINPATCH

However, the Linux boxes were still replying to directed ARPs with the incorrect information, just as before. So we modified the patch so that it would not try to determine whether the incoming packet was a broadcast ARP or a directed ARP. This succeeded in stopping the Linux boxes from replying to ARP requests for any IP that they did not own a physical interface for.
The hidden patch is absolutely wrong, and recompiled kernels aren't supported. Use the netfilter arpfilter feature instead.
Are the userspace tools capable of setting up such an ARP filter? I am having trouble finding any documentation or userspace code. Thanks,
That's a question for the server OS folks.
arpfilter will not solve this problem (why? ARP requests). Use an iptables transparent proxy instead. *Don't* assign the VIP to any interface or alias; instead use a rule like the following on the real servers:

    iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport <vport> -j REDIRECT

You can vary the incantation to be more or less picky about which packets are redirected to the host. Basically the machine masquerades the packets to itself. Since the VIP is never raised on an interface, there is no ARP problem.
The latest arpfilter_jf (RHEA-2004:055-06) resolves this problem. You will need to use it to set up two rules: one to block incoming ARP requests for the hidden IP, and a second to mangle outgoing ARP requests that might use the hidden IP. Example arptables rules:

    % arptables -A IN -d $HIDDEN_IP -j DROP
    % arptables -A OUT -s $HIDDEN_IP -j mangle --mangle-ip-s $PUBLIC_IP
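The following is an added illustration, not code from this thread or from the arpfilter package: it builds raw ARP frames and models a real server that holds the VIP on lo:1, first with stock Linux behaviour (answering for any local address, broadcast or unicast) and then with the two arptables rules above applied. The MACs and addresses (10.0.0.11 public, 10.0.0.100 hidden VIP) are constructed sample values, and the model covers requests only.

```python
import ipaddress
import struct

# Constructed model of the ARP-hiding policy; not the kernel's or arptables' code.
ETH_FMT = "!6s6sH"           # dst MAC, src MAC, ethertype
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BCAST = b"\xff" * 6

def ip4(s):
    return ipaddress.IPv4Address(s).packed

def build_arp(dst_mac, src_mac, oper, sha, spa, tha, tpa):
    """Ethernet frame carrying an ARP packet; IPs given as dotted strings."""
    return struct.pack(ETH_FMT, dst_mac, src_mac, ETH_ARP) + struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper, sha, ip4(spa), tha, ip4(tpa))

def parse_arp(frame):
    dst, src, etype = struct.unpack(ETH_FMT, frame[:14])
    assert etype == ETH_ARP
    f = struct.unpack(ARP_FMT, frame[14:42])
    return {"dst_mac": dst, "oper": f[4], "sha": f[5], "tha": f[7],
            "spa": str(ipaddress.IPv4Address(f[6])), "tpa": str(ipaddress.IPv4Address(f[8]))}

class RealServer:
    """Real server with a public IP on eth0 and the VIP on lo:1 (the hidden IP)."""
    def __init__(self, mac, public_ip, hidden_ip, arptables=False):
        self.mac, self.public_ip, self.hidden_ip = mac, public_ip, hidden_ip
        self.local_ips = {public_ip, hidden_ip}
        self.arptables = arptables   # True once the two rules from the thread are loaded

    def handle_request(self, frame):
        """Return the reply frame or None. Stock Linux answers for any local IP (the
        behaviour reported above). The IN rule keys on the ARP target IP, so it drops
        requests for the hidden IP whether they arrived as broadcast or unicast."""
        a = parse_arp(frame)
        if a["oper"] != ARP_REQUEST or a["tpa"] not in self.local_ips:
            return None
        if self.arptables and a["tpa"] == self.hidden_ip:   # arptables -A IN -d $HIDDEN_IP -j DROP
            return None
        return build_arp(a["sha"], self.mac, ARP_REPLY, self.mac, a["tpa"], a["sha"], a["spa"])

    def send_request(self, target_ip, src_ip):
        """Outgoing ARP request; the OUT rule rewrites a hidden-IP sender to the public IP."""
        if self.arptables and src_ip == self.hidden_ip:    # arptables -A OUT -s $HIDDEN_IP -j mangle --mangle-ip-s $PUBLIC_IP
            src_ip = self.public_ip
        return build_arp(BCAST, self.mac, ARP_REQUEST, self.mac, src_ip, b"\x00" * 6, target_ip)
```

Without the rules, both the broadcast and the unicast request for 10.0.0.100 get a reply claiming the server's MAC; with them, only requests for 10.0.0.11 are answered and the server's own ARP requests never advertise the VIP.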