2001-07-23 19:47:17

by Sourav Sen

Subject: Arp problem


Hi,
I have a machine with multiple network cards with different IP
addresses assigned. All are in the same network (I need this for
whatever reason). But when an arp request
appears on the wire for any of these IP addresses, all the interfaces go
ahead and give their respective ethernet addresses against that IP
address (I have seen this with tcpdump). This causes the other machines to
pick up wrong ethernet address against the IP address.

Does anybody have any idea why such a thing might happen? All cards
are with DEC 21140 chip. I am using RH6.2 with kernel version 2.2.14-5.0.

I am ready to give more info on the configuration etc (ifconfig
dump, routing table etc.).

TIA
sourav
--------------------------------------------------------------------------------



2001-07-23 20:13:57

by Chris Friesen

Subject: Re: Arp problem

Sourav Sen wrote:
>
> Hi,
> I have a machine with multiple network cards with different IP
> addresses assigned. All are in the same network (I need this for
> whatever reason). But when an arp request
> appears on the wire for any of these IP addresses, all the interfaces go
> ahead and give their respective ethernet addresses against that IP
> address (I have seen this with tcpdump). This causes the other machines to
> pick up wrong ethernet address against the IP address.

Yep, this is the default behaviour since multiple links on one subnet is
an unusual situation (I ran into the same problem). The solution is to apply
the arpfilter patch to the kernel, recompile, and then write a 1 to
/proc/sys/net/ipv4/conf/all/arp_filter to enable it for all interfaces.
This patch enforces that NICs will only respond to arps for IP addresses
that they own.

--
Chris Friesen | MailStop: 043/33/F10
Nortel Networks | work: (613) 765-0557
3500 Carling Avenue | fax: (613) 765-2986
Nepean, ON K2H 8E9 Canada | email: [email protected]

2001-07-24 01:03:39

by Ben Greear

Subject: Re: Arp problem

Chris Friesen wrote:
>
> Sourav Sen wrote:
> >
> > Hi,
> > I have a machine with multiple network cards with different IP
> > addresses assigned. All are in the same network (I need this for
> > whatever reason). But when an arp request
> > appears on the wire for any of these IP addresses, all the interfaces go
> > ahead and give their respective ethernet addresses against that IP
> > address (I have seen this with tcpdump). This causes the other machines to
> > pick up wrong ethernet address against the IP address.
>
> Yep, this is the default behaviour since multiple links on one subnet is
> an unusual situation (I ran into the same problem). The solution is to apply
> the arpfilter patch to the kernel, recompile, and then write a 1 to
> /proc/sys/net/ipv4/conf/all/arp_filter to enable it for all interfaces.
> This patch enforces that NICs will only respond to arps for IP addresses
> that they own.

The arp-filter patch is in the kernel since about 2.4.4, so you just need
to turn it on...

Ben

>
> --
> Chris Friesen | MailStop: 043/33/F10
> Nortel Networks | work: (613) 765-0557
> 3500 Carling Avenue | fax: (613) 765-2986
> Nepean, ON K2H 8E9 Canada | email: [email protected]
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/

--
Ben Greear <[email protected]> <[email protected]>
President of Candela Technologies Inc http://www.candelatech.com
ScryMUD: http://scry.wanfear.com http://scry.wanfear.com/~greear

2001-07-24 01:11:00

by Paul Jakma

Subject: Re: Arp problem

On Mon, 23 Jul 2001, Ben Greear wrote:

> The arp-filter patch is in the kernel since about 2.4.4, so you just need
> to turn it on...

on a related note:

if i have 2 logical subnets on the wire, linux listening on both, is
there any way to get linux to fully route packets between the 2
subnets?

at the moment it just issues an icmp_redirect, which isn't good enough
for certain hosts (eg win9x at least).

> Ben

regards,
--
Paul Jakma [email protected] [email protected]
PGP5 key: http://www.clubi.ie/jakma/publickey.txt
-------------------------------------------
Fortune:
How come everyone's going so slow if it's called rush hour?

2001-07-24 01:14:41

by Chris Friesen

Subject: Re: Arp problem

Ben Greear wrote:

> The arp-filter patch is in the kernel since about 2.4.4, so you just need
> to turn it on...

The original poster stated he was using 2.2.14.

Chris

--
Chris Friesen | MailStop: 043/33/F10
Nortel Networks | work: (613) 765-0557
3500 Carling Avenue | fax: (613) 765-2986
Nepean, ON K2H 8E9 Canada | email: [email protected]

2001-07-24 01:20:01

by Ben Greear

Subject: Re: Arp problem

Paul Jakma wrote:
>
> On Mon, 23 Jul 2001, Ben Greear wrote:
>
> > The arp-filter patch is in the kernel since about 2.4.4, so you just need
> > to turn it on...
>
> on a related note:
>
> if i have 2 logical subnets on the wire, linux listening on both, is
> there any way to get linux to fully route packets between the 2
> subnets?

You'll have to draw a diagram or do a better job of describing
your network: I have no idea what you're trying to do!

I think you could use VLANs for what you want to do, but if your
windows boxes can't handle ICMP-redirects, they probably can't
handle VLANs either...

Ben

--
Ben Greear <[email protected]> <[email protected]>
President of Candela Technologies Inc http://www.candelatech.com
ScryMUD: http://scry.wanfear.com http://scry.wanfear.com/~greear

2001-07-24 01:25:42

by Matthew Dharm

Subject: Re: Arp problem

I've done this before... I used ethernet aliases to put an alias on one
subnet and the master (non-alias) on the other. Then it was just a matter
of some ipchains rules and turning on forwarding.

Matt

On Tue, Jul 24, 2001 at 02:10:33AM +0100, Paul Jakma wrote:
> On Mon, 23 Jul 2001, Ben Greear wrote:
>
> > The arp-filter patch is in the kernel since about 2.4.4, so you just need
> > to turn it on...
>
> on a related note:
>
> if i have 2 logical subnets on the wire, linux listening on both, is
> there any way to get linux to fully route packets between the 2
> subnets?
>
> at the moment it just issues an icmp_redirect, which isn't good enough
> for certain hosts (eg win9x at least).
>
> > Ben
>
> regards,
> --
> Paul Jakma [email protected] [email protected]
> PGP5 key: http://www.clubi.ie/jakma/publickey.txt
> -------------------------------------------
> Fortune:
> How come everyone's going so slow if it's called rush hour?
>

--
Matthew Dharm Home: [email protected]
Maintainer, Linux USB Mass Storage Driver

It's not that hard. No matter what the problem is, tell the customer
to reinstall Windows.
-- Nurse
User Friendly, 3/22/1998



2001-07-24 01:29:32

by Paul Jakma

Subject: Re: Arp problem

On Mon, 23 Jul 2001, Ben Greear wrote:

> You'll have to draw a diagram or do a better job of describing
> your network: I have no idea what you're trying to do!

same wire, 2 logical nets, linux box has one card listening on both
nets. i want it to fully route between them (because the windows
boxes can't).



linux:eth0     192.168.x    windows / linux
      eth0:1   192.168.y    windows / linux


i can not for the life of me get linux to fully route packets between
eth0 and eth0:1. in the end i had to add a second NIC, eth1.

note that linux clients have absolutely no problem with redirects and
192.168.x subnet boxes have no problem talking to 192.168.y boxes.
windows however apparently needs someone to route the packets.

> I think you could use VLANs for what you want to do, but if your
> windows boxes can't handle ICMP-redirects, they probably can't
> handle VLANs either...

nope.. (plus my switch seems to get flaky just with plain adaptive
partitioning within the switch, so i wouldn't trust it with anything
fancy like VLAN)

ultimately i want to make the subnets be physically distinct. but
that'll take time. in the meantime i need linux to route packets
between logical subnets - not send redirects.

> Ben

regards,
--
Paul Jakma [email protected] [email protected]
PGP5 key: http://www.clubi.ie/jakma/publickey.txt
-------------------------------------------
Fortune:
Human beings were created by water to transport it uphill.

2001-07-24 12:17:35

by Michael Poole

Subject: Re: Arp problem

Dominik Kubla <[email protected]> writes:

> On Tue, Jul 24, 2001 at 02:10:33AM +0100, Paul Jakma wrote:
>
> > if i have 2 logical subnets on the wire, linux listening on both, is
> > there any way to get linux to fully route packets between the 2
> > subnets?
> >
> > at the moment it just issues an icmp_redirect, which isn't good enough
> > for certain hosts (eg win9x at least).
>
> Solaris 8 ditto.
>
> IMHO this is definitely a linux bug, since the kernel cannot know about
> the true network topology: Cable sharing might just be used for this one
> system doing the routing/filtering/whatever between the two networks,
> while all the other hosts are in separated switch segments. Not a common
> setup but you will see this often enough: head count is already 2... ;-)

This may be a stupid question, but does
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
help the problem any (for the proper value of "eth0")? A college
roommate of mine once had the same problem, and clearing
send_redirects for the interface fixed it for him.

-- Michael Poole

2001-07-24 12:09:35

by Dominik Kubla

Subject: Re: Arp problem

On Tue, Jul 24, 2001 at 02:10:33AM +0100, Paul Jakma wrote:

> if i have 2 logical subnets on the wire, linux listening on both, is
> there any way to get linux to fully route packets between the 2
> subnets?
>
> at the moment it just issues an icmp_redirect, which isn't good enough
> for certain hosts (eg win9x at least).

Solaris 8 ditto.

IMHO this is definitely a linux bug, since the kernel cannot know about
the true network topology: Cable sharing might just be used for this one
system doing the routing/filtering/whatever between the two networks,
while all the other hosts are in separated switch segments. Not a common
setup but you will see this often enough: head count is already 2... ;-)

Dominik
--
A lovely thing to see: Kobayashi Issa
through the paper window's holes (1763-1828)
the galaxy. [taken from: David Brin - Sundiver]

2001-07-24 14:03:54

by Dominik Kubla

Subject: Re: Arp problem

On Tue, Jul 24, 2001 at 08:17:16AM -0400, Michael Poole wrote:
>
> This may be a stupid question, but does
> echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
> help the problem any (for the proper value of "eth0")? A college
> roommate of mine once had the same problem, and clearing
> send_redirects for the interface fixed it for him.
>
> -- Michael Poole

It may be a work-around, but it does not solve the problem.
There are legitimate uses of redirects and simply disabling them
might cause different problems. The correct solution is to have
the kernel treat aliased interfaces the same as interfaces on
different networking cards.

Dominik
--
ScioByte GmbH, Zum Schiersteiner Grund 2, 55127 Mainz (Germany)
Phone: +49 6131 550 117 Fax: +49 6131 610 99 16

GnuPG: 717F16BB / A384 F5F1 F566 5716 5485 27EF 3B00 C007 717F 16BB

2001-07-24 14:23:50

by Paul Jakma

Subject: Re: Arp problem

On Tue, 24 Jul 2001, Dominik Kubla wrote:

> IMHO this is definitely a linux bug, since the kernel cannot know about
> the true network topology:

but it does.. (see my other longer mail).

> Cable sharing might just be used for this one system doing the
> routing/filtering/whatever between the two networks, while all the
> other hosts are in separated switch segments. Not a common setup
> but you will see this often enough: head count is already 2... ;-)

it should at least be possible..

eg, the linux router in question also runs an IDS to monitor traffic.
so even if windows /could/ follow redirects to other subnets i still
would want the linux box to route the traffic.. (rather than going
direct through the switch and never being seen by the linux IDS).

anyway..

(and yeah, i know it is not secure, just presume i have the switch
configured to lock certain ports to certain subnets).

> Dominik

--paulj

2001-07-24 14:18:38

by Paul Jakma

Subject: Re: Arp problem

On 24 Jul 2001, Michael Poole wrote:

>
> This may be a stupid question, but does
> echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
> help the problem any (for the proper value of "eth0")? A college
> roommate of mine once had the same problem, and clearing
> send_redirects for the interface fixed it for him.
>

i'll have to try this sometime... but i'm a bit doubtful.

when i originally was looking at this (long time ago), i did consider
disabling redirects, but decided against because:

- i presumed that this would not affect network behaviour in any way
bar suppressing redirects

- i actually do need redirects :)

you see.....

i actually have /multiple/ linux boxes, each acting with a physically
independent subnet behind them, each box acting as router for that
subnet. one linux box is the internet router/firewall/proxy/etc.. it
is also the default gateway for the windows machines and the other
linux routers.


eg, something like:

                        (internet)
                            |
                          linux1
                         |      |
             (192.168.0/24)    (192.168.3)
-----------------------------------------------------------------
   |         |          |  |  |  |  |  |  |  |  |  |  |  |
     (192.168.0/24)
 linux2    linux3       (windows hosts: 192.168.3/24)
   |         |
192.168.x/y  192.168.a/b

so i need redirects in order for the linux boxes to properly route
between themselves (they are all on the same logical subnet). however,
i need the linux box to fully route between 192.168.0/24 and
192.168.3/24 because the windows boxen are incapable of following
redirects to hosts where dst net != own net. (not an unreasonable
thing to do actually).

eventually i had to put an extra NIC into linux1 to get it to route
between 192.168.8.3.

(ironically though... linux1 knows fine well that the 2 separate
NICs are on the same wire - it will send replies to both nets from
either NIC! so why could it not have done routing between the subnets
when they were on the same NIC? it knew then too that it was the same
wire!)

eventually of course i'll throw the windows machines onto a
/physically/ distinct network. however, still a PITA that linux will
not route between subnets that are bound to the same link - and i'd
love to know if it is possible to make linux do it. (i would have
thought that would be the default behaviour).

also: suggestions were made to try ipchains... however ipchains was
already setup on the 'linux1' box with -j ACCEPT set for forwarding
where src/dst == 192.168/16. (what more can be done??).

so that isn't the answer, AFAICT.

> -- Michael Poole

regards,

--paulj

2001-07-24 17:01:32

by Alan

Subject: Re: Arp problem

> IMHO this is definitely a linux bug, since the kernel cannot know about
> the true network topology: Cable sharing might just be used for this one
> system doing the routing/filtering/whatever between the two networks,
> while all the other hosts are in separated switch segments. Not a common
> setup but you will see this often enough: head count is already 2... ;-)

The default Linux, Solaris setup is the standard. Take it up with the IETF
if you don't like it.

2001-07-24 20:31:40

by Paul Jakma

Subject: Re: Arp problem

On Tue, 24 Jul 2001, Alan Cox wrote:

> The default Linux, Solaris setup is the standard. Take it up with the IETF
> if you don't like it.

fair enough..

however, in the interests of flexibility and kindness to admins who
have to deal with legacy setups, is or would it be possible to make
linux be able to fully route packets between interfaces bound to the
same device?

thanks,
--
Paul Jakma [email protected] [email protected]
PGP5 key: http://www.clubi.ie/jakma/publickey.txt
-------------------------------------------
Fortune:
I've finally learned what "upward compatible" means. It means we get to
keep all our old mistakes.
-- Dennie van Tassel

2001-07-24 23:11:02

by Alan

Subject: Re: Arp problem

> however, in the interests of flexibility and kindness to admins who
> have to deal with legacy setups, is or would it be possible to make
> linux be able to fully route packets between interfaces bound to the
> same device?

Turn on ip forwarding, turn off ip redirect sending. It can all be done
via /proc.

2001-07-25 10:41:19

by Dominik Kubla

Subject: Re: Arp problem

On Wed, Jul 25, 2001 at 12:11:52AM +0100, Alan Cox wrote:
> > however, in the interests of flexibility and kindness to admins who
> > have to deal with legacy setups, is or would it be possible to make
> > linux be able to fully route packets between interfaces bound to the
> > same device?
>
> Turn on ip forwarding, turn off ip redirect sending. It can all be done
> via /proc.

But that turns off all ip redirect sending, which may pose different
problems. Kind of sledgehammer approach wouldn't you agree? If somebody
were to produce a patch that allowed full routing between aliased interfaces
without turning off ip redirect sending, would you accept this?

Dominik
--
ScioByte GmbH, Zum Schiersteiner Grund 2, 55127 Mainz (Germany)
Phone: +49 6131 550 117 Fax: +49 6131 610 99 16

GnuPG: 717F16BB / A384 F5F1 F566 5716 5485 27EF 3B00 C007 717F 16BB

2001-07-26 17:03:50

by Alexey Kuznetsov

Subject: Re: Arp problem

Hello!

> But that turns off all ip redirect sending, which may pose different
> problems. Kind of sledgehammer approach wouldn't you agree? If somebody
> were to produce a patch that allowed full routing between aliased interfaces
> without turning off ip redirect sending, would you accept this?

It is difficult to guess what you mean exactly, but I could advise
you to look through ip-sysctl.txt about options controlling redirects.
If some case is missed here, shame on me...

Alexey
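
Added example, not part of the thread or of the kernel sources: a POSIX shell audit of the /proc settings discussed above (arp_filter from Chris Friesen's reply, ip_forward and send_redirects from Alan Cox's). It assumes the rule documented in current ip-sysctl.txt that arp_filter and send_redirects are in effect when either conf/all or conf/<iface> is set, so clearing only conf/eth0/send_redirects leaves redirects on while conf/all is 1; ROOT and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the /proc settings the
# thread recommends. ROOT is an assumption of this example: it defaults
# to the live tree and can point at a copy for offline testing.
ROOT="${ROOT:-/proc/sys/net/ipv4}"

# read_flag FILE: print the file's value, or 0 when the file is absent
# (e.g. arp_filter on a kernel that lacks the arpfilter patch).
read_flag() {
    if [ -r "$1" ]; then
        tr -d ' \n' < "$1"
    else
        printf 0
    fi
}

# effective_flag IFACE NAME: print 1 if conf/all/NAME or conf/IFACE/NAME
# is nonzero. Assumption taken from ip-sysctl.txt: arp_filter and
# send_redirects are OR-ed across "all" and the interface.
effective_flag() {
    all=$(read_flag "$ROOT/conf/all/$2")
    own=$(read_flag "$ROOT/conf/$1/$2")
    if [ "$all" != 0 ] || [ "$own" != 0 ]; then printf 1; else printf 0; fi
}

# audit_iface IFACE: print one line per setting that differs from the
# state the thread aims for; print nothing when all three match.
audit_iface() {
    [ "$(effective_flag "$1" arp_filter)" = 1 ] ||
        echo "$1: arp_filter off, may answer ARP for addresses on other NICs"
    [ "$(effective_flag "$1" send_redirects)" = 0 ] ||
        echo "$1: send_redirects still on (check conf/all as well as conf/$1)"
    [ "$(read_flag "$ROOT/ip_forward")" = 1 ] ||
        echo "$1: ip_forward off, packets will not be routed"
    return 0
}

# Usage on a live system:  audit_iface eth0
```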