2000-12-14 05:14:28

by Chris Dunlop

Subject: Source address selection

Hi,

In 2.2.x and/or 2.4.x, is there any way of preventing IP address[es]
attached to interface aliases being selected as a source address when
userland code creates a socket without binding to a particular address ?

From Documentation/proc.txt:

/proc/sys/net/ipv4/conf/hidden

Hide addresses attached to this device from another devices. Such
addresses will never be selected by source address autoselection
mechanism, host does not answer broadcast ARP requests for them, does
not announce it as source address of ARP requests, but they are still
reachable via IP. This flag is activated only if it is enabled both in
specific device section and in "all" section.

The part about "Such addresses will never be selected by source address
autoselection" seems to be exactly what I want. I'm not so sure
about the "does not answer broadcast ARP requests" part. Does this mean
that an interface marked as 'hidden' can't accept incoming connections ?

However the proc entry applies per real interface and there doesn't seem
to be a way of applying it per alias interface.

The situation is...

I have a host ("gw") currently running 2.2.16, connected via a single
physical interface to a switch. Also on the switch are several upstream
providers, and a bunch of other devices: hosts, access servers etc. The
switch is VLANed so that there is no direct traffic between the
upstreams and the other devices, it's all routed by gw. Gw is running
BGP (Zebra) to the upstreams. To establish the BGP sessions, gw has
several interface aliases with IP addresses as assigned by the
upstreams.

With the interface aliases configured, "gw" is sending packets into our
network with source addresses of the interface aliases. This causes
issues with firewalling etc., but also causes problems for protocols
that require forward and reverse name lookups to match (e.g. kerberos),
as we are not in control of these IPs. I'd like to prevent the box from
using the IPs on the aliases as source addresses, except of course when
an application binds to that address.

Is there a way to do this ?

Or is there a better way of dealing with the problem ?


Cheers,

Chris.


2000-12-14 07:59:30

by Julian Anastasov

Subject: Re: Source address selection


Hello,

Chris Dunlop wrote:

> using the IPs on the aliases as source addresses, except of course when
> an application binds to that address.
>
> Is there a way to do this ?

    ip addr add 192.168.0.1/24 brd + dev eth0 scope host
                                              ^^^^^^^^^^
default is "scope global" (achieved with ifconfig too). There
is a "scope link" too.

Such address (scope host):

- will not be autoselected for the ARP probes (only scope link and global)
- will be answered/used in ARP replies (hidden=1 stops this)
- will not be autoselected in IP talks with neighbours on the links
and with talks to external hosts
- the programs can bind to it and to talk with everyone

The rule is to set the proper scope for the addresses and to add
preferred source addresses in your routes using the "ip" command,
especially for the default gateway:

ip route add ... src SRC_IP

hidden=1 is the next step to hide an IP address but it is not needed
for your setup. It is needed when many hosts share same IP address
or for other ARP filtering purposes.


Regards

--
Julian Anastasov <[email protected]>
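
A way to check the result of the scope and route changes discussed in this thread, as an added example that is not part of either message: it asks the kernel which source address it autoselects for an unbound socket and flags any address that should only appear when a program binds to it. The function names, the destination list and the status strings are assumptions made for this sketch; 192.168.0.1 is the address from the command above and 192.0.2.10 is a documentation address used as a stand-in destination.

```python
import ipaddress
import socket


def autoselected_source(dest, port=9):
    """Return the source IP the kernel picks for an unbound socket to dest.

    connect() on a UDP socket only performs the route and source address
    lookup; no packet is sent.
    """
    version = ipaddress.ip_address(dest).version
    family = socket.AF_INET6 if version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect((dest, port))
        return s.getsockname()[0]


def audit_sources(destinations, bind_only):
    """Map each destination to (source, status).

    status is "ok", "leak" (an address reserved for explicit bind() was
    autoselected) or "unroutable" (the kernel had no route to dest).
    """
    reserved = {ipaddress.ip_address(a) for a in bind_only}
    report = {}
    for dest in destinations:
        try:
            src = autoselected_source(dest)
        except OSError:
            report[dest] = (None, "unroutable")
            continue
        leaked = ipaddress.ip_address(src) in reserved
        report[dest] = (src, "leak" if leaked else "ok")
    return report


if __name__ == "__main__":
    # Constructed sample input: one internal and one external destination,
    # and the alias address that must not be autoselected.
    result = audit_sources(["127.0.0.1", "192.0.2.10"], ["192.168.0.1"])
    for dest, (src, status) in result.items():
        print(f"{dest:<15} src={src} {status}")
```

Run it on the gateway before and after changing the address scope or adding `src` to the routes; a "leak" line means the alias is still being autoselected for that destination.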