RE: using sysctl.conf to set hidden interfaces

To: Ryan Hulsker <rhulsker@xxxxxxxxxxxxxxxxx>
Subject: RE: using sysctl.conf to set hidden interfaces
Cc: "'tc lewis'" <tcl@xxxxxxxxx>, "'Horms'" <horms@xxxxxxxxxxxx>, lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 21 Jun 2000 07:36:18 +0300 (EEST)

On Tue, 20 Jun 2000, Ryan Hulsker wrote:

> >> net.ipv4.conf.all.hidden = 1
> >> net.ipv4.conf.default.hidden = 1

        This is the Linux 2.0 behavior. In most cases it is working
in 2.2. There are some exotic things you can't do with this setup
but this is not a big problem. The result is that the hosts on one
ARP media can see only your addresses configured on the same
interface (even if it is hidden). I have to warn you that the old
version of this patch (arp_invisible flag) hides everything. But
this is before 2.2.14.

        Some info from Documentation/proc.txt:

   Hide addresses attached to this device from another devices.

> >> 
> >>      These seem to do it for me.  The default for any new interfaces
> >> coming up is to make them hidden, which means all your interfaces are
> >> always hidden including lo.  This is not ideal, but I have yet to see it
> >> cause a problem in my configuration.  Can anyone think of any reason why
> >> this is not a good idea?

        This is not a bad idea if you understand what are the

> >
> > even your normal eth0 and lo?  doesn't that cause problems?  eth0 would
> > need to respond to arps to get any traffic, no?
>       You know, this did cross my mind when I did it, I was actually quite
> surprised that it worked.  But upon further reflection I think I know the
> reason that it works.  I rebuilt all of my real servers and configured them
> as above. I also reconfigured the LVS machine, but never had to reboot it.
> I see that it has entries for all of the web servers in its arp table, but I
> fear that if I were to reboot the LVS machine, or clear its arp cache, the
> system would no longer work.
>       I am going to clear the arp cache on this machine tonight, after the
> developers and QA leave, and see what happens. 

        You can safely clear your dynamic ARP entries.

>       The other thing that I came across (or rather remembered) is that
> you can give ifconfig a "-arp" arg, this turns on "NO ARP" on the interface.
> This appears to work on the loopback interface.  Does this have the same
> effect as making it a hidden device?

        No! This is not the same thing. There is only one host on
the lo interface (yours). If an interface is not hidden, its addresses
can be reported from any other interface which can talk ARP. The ARP
flag is not used for lo at all. And the 127/8 and 224/4 are not
reported from ARP (even if lo has the ARP flag set). This is the reason
you don't need to hide lo if the only configured address is 127/8.
You can hide with lo only addresses with netmask
Maybe you can hide some subnets too, but they are treated as local
addresses. In this case the remote hosts can't use an address from this
subnet. At least, you can't talk with them.

> Ryan Hulsker
> Unix System Administrator
> Service


Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
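The difference between a hidden interface and an interface with ARP switched off (`ifconfig -arp`) is the crux of the reply above. The following model is an added example, not code from the thread, the hidden patch or the LVS project: it reconstructs the ARP-reply decision from Julian's description (a hidden interface's addresses are only reported on that interface itself; a non-hidden interface's addresses are reported from any interface that talks ARP; 127/8 and 224/4 are never reported; a NOARP interface does not process ARP at all) and runs it over a constructed real-server layout with a VIP on lo and a RIP on eth0. The per-interface `hidden` flag is assumed to be already resolved from the `all`/`default`/per-device sysctls; the addresses and interface names are constructed for the example.

```python
"""Model of how an LVS-DR real server answers ARP under 'hidden' vs '-arp'.

Reconstructed from Julian Anastasov's explanation in the thread; this is an
educational model, not the kernel's or the hidden patch's actual code.
"""
import ipaddress

# Julian: 127/8 and 224/4 are never reported via ARP, whatever lo's flags are.
NEVER_REPORTED = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/4"),
)


def should_reply_arp(ingress, target, interfaces):
    """Return True if the host answers an ARP request for `target` that
    arrived on interface `ingress`.

    interfaces: {name: {"addrs": [ip, ...], "hidden": bool, "noarp": bool}}
    Rules (assumed, reconstructed from the thread):
      1. an interface with NOARP set ("ifconfig -arp") ignores ARP entirely;
      2. 127/8 and 224/4 targets are never reported;
      3. otherwise reply if the target is configured on an interface that is
         either the ingress interface itself or is not hidden.
    """
    target = ipaddress.ip_address(target)
    if interfaces[ingress].get("noarp", False):
        return False
    if any(target in net for net in NEVER_REPORTED):
        return False
    for name, cfg in interfaces.items():
        if target in (ipaddress.ip_address(a) for a in cfg["addrs"]):
            if name == ingress or not cfg.get("hidden", False):
                return True
    return False


# Constructed layout: RIP 10.0.0.11 on eth0, VIP 10.0.0.100 on a lo alias.
RIP = "10.0.0.11"
VIP = "10.0.0.100"


def real_server(lo_hidden=False, eth0_hidden=False, lo_noarp=False):
    """Build one constructed real-server configuration."""
    return {
        "eth0": {"addrs": [RIP], "hidden": eth0_hidden, "noarp": False},
        "lo": {"addrs": ["127.0.0.1", VIP], "hidden": lo_hidden, "noarp": lo_noarp},
    }


# The three setups discussed in the thread.
SETUPS = {
    # Ryan's second idea: "-arp" on lo, nothing hidden.
    "noarp_lo": real_server(lo_noarp=True),
    # all.hidden=1 + lo.hidden=1: only the VIP-carrying interface is hidden.
    "hidden_lo": real_server(lo_hidden=True),
    # all.hidden=1 + default.hidden=1: every interface hidden, eth0 included.
    "hidden_all": real_server(lo_hidden=True, eth0_hidden=True),
}


def arp_behaviour(setup_name):
    """For a setup, report whether the server answers ARP on eth0 for the
    VIP (it must NOT, or it competes with the director) and for its own RIP
    (it must, or it becomes unreachable)."""
    ifs = SETUPS[setup_name]
    return {
        "answers_vip": should_reply_arp("eth0", VIP, ifs),
        "answers_rip": should_reply_arp("eth0", RIP, ifs),
        "answers_loopback": should_reply_arp("eth0", "127.0.0.1", ifs),
    }


if __name__ == "__main__":
    for name in SETUPS:
        print(name, arp_behaviour(name))
```

Running it shows why "-arp" on lo is not a substitute for hiding it: with `noarp_lo` the VIP is still answered from eth0, so the real server fights the director for it; with `hidden_lo` the VIP is silent and the RIP still answers; with `hidden_all` the RIP on eth0 still answers because the request arrives on the same interface, which is why the "hide everything" configuration from the thread keeps working.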
