
Monitoring tool notes (Hobbit Monitor)


Linux Kernel 2.6 ARP

■ Setup

[host]x---------a[host]b----------y[host]
#ping b
#arp a

■ ARP

+--------+
|Hardware| 2 bytes
|MAC     |
|Address |
|Type    |
+--------+
|Protocol| 2 bytes
|Address |
|Type    |
+--------+
|Hardware| 1 byte
|MAC     |
|Address |
|Size    |
+--------+
|Protocol| 1 byte
|Address |
|Size    |
+--------+
|Op      | 2 bytes
+--------+
|Sender  | 6 bytes (depends on the above size field)
|MAC     |
|Address |
+--------+
|Sender  | 4 bytes (depends on the above size field)
|IP      |
|Address |
+--------+
|Target  | 6 bytes (depends on the above size field)
|MAC     |
|Address |
+--------+
|Target  | 4 bytes (depends on the above size field)
|IP      |
|Address |
+--------+
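A small parser for the header laid out above, added here as an example (not from the original post). It takes the sender/target field widths from the two size fields instead of assuming 6 and 4, and rejects a packet that is shorter than those fields require; the sample frame is constructed and uses the documentation range 192.0.2.0/24.

```python
import struct
from dataclasses import dataclass

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_NAMES = {1: "request", 2: "reply"}

@dataclass
class ArpPacket:
    htype: int
    ptype: int
    op: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes

def parse_arp(payload: bytes) -> ArpPacket:
    """Parse an ARP packet (the Ethernet payload, without the 14-byte Ethernet header).

    The four address fields are sliced using the hlen/plen size fields from the
    fixed 8-byte header, as the layout above requires."""
    if len(payload) < 8:
        raise ValueError("ARP packet shorter than the fixed 8-byte header")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    need = 8 + 2 * (hlen + plen)
    if len(payload) < need:
        raise ValueError(f"ARP packet truncated: need {need} bytes, got {len(payload)}")
    body = payload[8:need]
    offs = [0, hlen, hlen + plen, 2 * hlen + plen, 2 * (hlen + plen)]
    fields = [body[offs[i]:offs[i + 1]] for i in range(4)]
    return ArpPacket(htype, ptype, op, *fields)

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

# Constructed sample: "who-has 192.0.2.2 tell 192.0.2.1" sent from 02:00:00:00:00:01.
# The target MAC is all zeros, as it is in a request.
SAMPLE_REQUEST = (
    struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, 1)
    + bytes.fromhex("020000000001") + bytes([192, 0, 2, 1])
    + bytes(6) + bytes([192, 0, 2, 2])
)

if __name__ == "__main__":
    p = parse_arp(SAMPLE_REQUEST)
    print(OP_NAMES.get(p.op, p.op), mac_str(p.sender_mac), ip_str(p.sender_ip), "->", ip_str(p.target_ip))
```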


■ arp_announce - INTEGER

Which IP to put in the Sender IP Address field when building an ARP request
sent out from an interface.

□ Level 0 (default)

Use the source IP address in the IP packet as it is.
Any local IP address is acceptable.

□ Level 1

Try to avoid putting a local IP that belongs to a different subnet from the
ARP target (Target IP Address) into the Sender IP Address.
If nothing matches, fall back to the level 2 rules.

□ Level 2

Ignore the source IP address in the IP packet.
Always try to use the best local IP address: pick a local IP address that
belongs to the same IP subnet as the ARP target.
If there is no best match, use the first local IP address on the outgoing
interface, or on any interface.



■ arp_ignore - INTEGER

How to reply to ARP requests whose target is a local IP address.

□ Level 0 (default)

Reply for any locally configured IP address.

□ Level 1

Reply only for IP addresses configured on the interface that received
the ARP request.

□ Level 2

Reply only for IP addresses configured on the interface that received
the ARP request, and only if the Sender IP Address also belongs to the
same subnet as that IP address.

□ Level 3

Do not reply for local IP addresses configured with scope host.
Reply only for global and link addresses.

□ Level 4-7

Reserved

□ Level 8

Do not reply to ARP requests for any local address.

■ arp_filter - BOOLEAN

□ Level 1

Lets you attach several network interfaces to the same subnet.
You can decide which card answers the ARP request.

□ Level 0 (default)

Can reply to ARP requests received on other network cards.
As long as it is a local IP address, a reply is returned no matter which
interface received the ARP request.


■ rp_filter - INTEGER
0 - no validation of the source IP
1 - strict mode (RFC3704)
    Every received packet is checked against the forwarding DB.
    The check fails when the receiving interface is not the best reverse
    path for the source address.
    By default those packets are dropped.
2 - loose mode (RFC3704)
    Every received packet is checked against the forwarding DB.
    The check fails when the source address is not reachable at all
    from the receiving interface.

Default is 0, but some distributions overwrite it at boot.

======================================================
2.6.9-55.EL

# pwd
/proc/sys/net/ipv4/conf
# ls -F
all/ default/ eth0/ eth1/ lo/
#
# ls all
accept_redirects arp_ignore force_igmp_version medium_id send_redirects
accept_source_route bootp_relay forwarding proxy_arp shared_media
arp_announce disable_policy log_martians rp_filter tag
arp_filter disable_xfrm mc_forwarding secure_redirects
# cat */rp_filter
0
1
1
1
1
# cat */arp_announce
0
0
0
0
0
# cat */arp_ignore
0
0
0
0
0
# cat */arp_filter
0
0
0
0
0
#

======================================================


http://www-didc.lbl.gov/TCP-tuning/ip-sysctl-2.6.txt
http://www.ssi.bg/~ja/

http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

/proc/sys/net/ipv4/* Variables:

IP Variables:

ip_local_port_range - 2 INTEGERS
Defines the local port range that is used by TCP and UDP to
choose the local port. The first number is the first, the
second the last local port number. Default value depends on
amount of memory available on the system:
> 128Mb 32768-61000
< 128Mb 1024-4999 or even less.
This number defines number of active connections, which this
system can issue simultaneously to systems not supporting
TCP extensions (timestamps). With tcp_tw_recycle enabled
(i.e. by default) range 1024-4999 is enough to issue up to
2000 connections per second to systems supporting timestamps.

ip_local_reserved_ports - list of comma separated ranges
Specify the ports which are reserved for known third-party
applications. These ports will not be used by automatic port
assignments (e.g. when calling connect() or bind() with port
number 0). Explicit port allocation behavior is unchanged.

The format used for both input and output is a comma separated
list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
10). Writing to the file will clear all previously reserved
ports and update the current list with the one given in the
input.

Note that ip_local_port_range and ip_local_reserved_ports
settings are independent and both are considered by the kernel
when determining which ports are available for automatic port
assignments.

You can reserve ports which are not in the current
ip_local_port_range, e.g.:

$ cat /proc/sys/net/ipv4/ip_local_port_range
32000 61000
$ cat /proc/sys/net/ipv4/ip_local_reserved_ports
8080,9148

although this is redundant. However such a setting is useful
if later the port range is changed to a value that will
include the reserved ports.

Default: Empty

ip_nonlocal_bind - BOOLEAN
If set, allows processes to bind() to non-local IP addresses,
which can be quite useful - but may break some applications.
Default: 0

ip_dynaddr - BOOLEAN
If set non-zero, enables support for dynamic addresses.
If set to a non-zero value larger than 1, a kernel log
message will be printed when dynamic address rewriting
occurs.
Default: 0

icmp_echo_ignore_all - BOOLEAN
If set non-zero, then the kernel will ignore all ICMP ECHO
requests sent to it.
Default: 0

icmp_echo_ignore_broadcasts - BOOLEAN
If set non-zero, then the kernel will ignore all ICMP ECHO and
TIMESTAMP requests sent to it via broadcast/multicast.
Default: 1

icmp_ratelimit - INTEGER
Limit the maximal rates for sending ICMP packets whose type matches
icmp_ratemask (see below) to specific targets.
0 to disable any limiting,
otherwise the minimal space between responses in milliseconds.
Default: 1000

icmp_ratemask - INTEGER
Mask made of ICMP types for which rates are being limited.
Significant bits: IHGFEDCBA9876543210
Default mask: 0000001100000011000 (6168)

Bit definitions (see include/linux/icmp.h):
0 Echo Reply
3 Destination Unreachable *
4 Source Quench *
5 Redirect
8 Echo Request
B Time Exceeded *
C Parameter Problem *
D Timestamp Request
E Timestamp Reply
F Info Request
G Info Reply
H Address Mask Request
I Address Mask Reply

* These are rate limited by default (see default mask above)

icmp_ignore_bogus_error_responses - BOOLEAN
Some routers violate RFC1122 by sending bogus responses to broadcast
frames. Such violations are normally logged via a kernel warning.
If this is set to TRUE, the kernel will not give such warnings, which
will avoid log file clutter.
Default: FALSE

icmp_errors_use_inbound_ifaddr - BOOLEAN

If zero, icmp error messages are sent with the primary address of
the exiting interface.

If non-zero, the message will be sent with the primary address of
the interface that received the packet that caused the icmp error.
This is the behaviour many network administrators will expect from
a router. And it can make debugging complicated network layouts
much easier.

Note that if no primary address exists for the interface selected,
then the primary address of the first non-loopback interface that
has one will be used regardless of this setting.

Default: 0

igmp_max_memberships - INTEGER
Change the maximum number of multicast groups we can subscribe to.
Default: 20

conf/interface/* changes special settings per interface (where "interface" is
the name of your network interface)
conf/all/* is special, changes the settings for all interfaces


log_martians - BOOLEAN
Log packets with impossible addresses to kernel log.
log_martians for the interface will be enabled if at least one of
conf/{all,interface}/log_martians is set to TRUE,
it will be disabled otherwise

accept_redirects - BOOLEAN
Accept ICMP redirect messages.
accept_redirects for the interface will be enabled if:
- both conf/{all,interface}/accept_redirects are TRUE in the case
forwarding for the interface is enabled
or
- at least one of conf/{all,interface}/accept_redirects is TRUE in the
case forwarding for the interface is disabled
accept_redirects for the interface will be disabled otherwise
default TRUE (host)
FALSE (router)

forwarding - BOOLEAN
Enable IP forwarding on this interface.

mc_forwarding - BOOLEAN
Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
and a multicast routing daemon is required.
conf/all/mc_forwarding must also be set to TRUE to enable multicast
routing for the interface

medium_id - INTEGER
Integer value used to differentiate the devices by the medium they
are attached to. Two devices can have different id values when
the broadcast packets are received only on one of them.
The default value 0 means that the device is the only interface
to its medium, value of -1 means that medium is not known.

Currently, it is used to change the proxy_arp behavior:
the proxy_arp feature is enabled for packets forwarded between
two devices attached to different media.

proxy_arp - BOOLEAN
Do proxy arp.
proxy_arp for the interface will be enabled if at least one of
conf/{all,interface}/proxy_arp is set to TRUE,
it will be disabled otherwise

proxy_arp_pvlan - BOOLEAN
Private VLAN proxy arp.
Basically allow proxy arp replies back to the same interface
(from which the ARP request/solicitation was received).

This is done to support (ethernet) switch features, like RFC
3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to
the upstream router. As described in RFC 3069, it is possible
to allow these hosts to communicate through the upstream
router by proxy_arp'ing. Don't need to be used together with
proxy_arp.

This technology is known by different names:
In RFC 3069 it is called VLAN Aggregation.
Cisco and Allied Telesyn call it Private VLAN.
Hewlett-Packard call it Source-Port filtering or port-isolation.
Ericsson call it MAC-Forced Forwarding (RFC Draft).

shared_media - BOOLEAN
Send(router) or accept(host) RFC1620 shared media redirects.
Overrides ip_secure_redirects.
shared_media for the interface will be enabled if at least one of
conf/{all,interface}/shared_media is set to TRUE,
it will be disabled otherwise
default TRUE

secure_redirects - BOOLEAN
Accept ICMP redirect messages only for gateways,
listed in default gateway list.
secure_redirects for the interface will be enabled if at least one of
conf/{all,interface}/secure_redirects is set to TRUE,
it will be disabled otherwise
default TRUE

send_redirects - BOOLEAN
Send redirects, if router.
send_redirects for the interface will be enabled if at least one of
conf/{all,interface}/send_redirects is set to TRUE,
it will be disabled otherwise
Default: TRUE

bootp_relay - BOOLEAN
Accept packets with source address 0.b.c.d destined
not to this host as local ones. It is supposed, that
BOOTP relay daemon will catch and forward such packets.
conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
for the interface
default FALSE
Not Implemented Yet.

accept_source_route - BOOLEAN
Accept packets with SRR option.
conf/all/accept_source_route must also be set to TRUE to accept packets
with SRR option on the interface
default TRUE (router)
FALSE (host)

accept_local - BOOLEAN
Accept packets with local source addresses. In combination with
suitable routing, this can be used to direct packets between two
local interfaces over the wire and have them accepted properly.
default FALSE

rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.

Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDoS attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.

The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.

Default value is 0. Note that some distributions enable it
in startup scripts.

arp_filter - BOOLEAN
1 - Allows you to have multiple network interfaces on the same
subnet, and have the ARPs for each interface be answered
based on whether or not the kernel would route a packet from
the ARP'd IP out that interface (therefore you must use source
based routing for this to work). In other words it allows control
of which cards (usually 1) will respond to an arp request.

0 - (default) The kernel can respond to arp requests with addresses
from other interfaces. This may seem wrong but it usually makes
sense, because it increases the chance of successful communication.
IP addresses are owned by the complete host on Linux, not by
particular interfaces. Only for more complex setups like load-
balancing, does this behaviour cause problems.

arp_filter for the interface will be enabled if at least one of
conf/{all,interface}/arp_filter is set to TRUE,
it will be disabled otherwise

arp_announce - INTEGER
Define different restriction levels for announcing the local
source IP address from IP packets in ARP requests sent on
interface:
0 - (default) Use any local address, configured on any interface
1 - Try to avoid local addresses that are not in the target's
subnet for this interface. This mode is useful when target
hosts reachable via this interface require the source IP
address in ARP requests to be part of their logical network
configured on the receiving interface. When we generate the
request we will check all our subnets that include the
target IP and will preserve the source address if it is from
such subnet. If there is no such subnet we select source
address according to the rules for level 2.
2 - Always use the best local address for this target.
In this mode we ignore the source address in the IP packet
and try to select local address that we prefer for talks with
the target host. Such local address is selected by looking
for primary IP addresses on all our subnets on the outgoing
interface that include the target IP address. If no suitable
local address is found we select the first local address
we have on the outgoing interface or on all other interfaces,
with the hope we will receive reply for our request and
even sometimes no matter the source IP address we announce.

The max value from conf/{all,interface}/arp_announce is used.

Increasing the restriction level gives more chance for
receiving answer from the resolved target while decreasing
the level announces more valid sender's information.

arp_ignore - INTEGER
Define different modes for sending replies in response to
received ARP requests that resolve local target IP addresses:
0 - (default): reply for any local target IP address, configured
on any interface
1 - reply only if the target IP address is local address
configured on the incoming interface
2 - reply only if the target IP address is local address
configured on the incoming interface and both with the
sender's IP address are part from same subnet on this interface
3 - do not reply for local addresses configured with scope host,
only resolutions for global and link addresses are replied
4-7 - reserved
8 - do not reply for all local addresses

The max value from conf/{all,interface}/arp_ignore is used
when ARP request is received on the {interface}

arp_notify - BOOLEAN
Define mode for notification of address and device changes.
0 - (default): do nothing
1 - Generate gratuitous arp replies when device is brought up
or hardware address changes.

arp_accept - BOOLEAN
Define behavior for gratuitous ARP frames whose IP is not
already present in the ARP table:
0 - don't create new entries in the ARP table
1 - create new entries in the ARP table

Both replies and requests type gratuitous arp will trigger the
ARP table to be updated, if this setting is on.

If the ARP table already contains the IP address of the
gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.


app_solicit - INTEGER
The maximum number of probes to send to the user space ARP daemon
via netlink before dropping back to multicast probes (see
mcast_solicit). Defaults to 0.

disable_policy - BOOLEAN
Disable IPSEC policy (SPD) for this interface

disable_xfrm - BOOLEAN
Disable IPSEC encryption on this interface, whatever the policy



tag - INTEGER
Allows you to write a number, which can be used as required.
Default value is 0.

Alexey Kuznetsov.
kuznet@ms2.inr.ac.ru

Updated by:
Andi Kleen
ak@muc.de
Nicolas Delon
delon.nicolas@wanadoo.fr
by 2hot | 2008-05-05 22:40 | ARP

