tech-kern archive


Re: [patch] sysctl to not log arp "host is not on local network"

On 11/13/14 14:27, Christos Zoulas wrote:
> While I would be inclined to add such a patch, why don't you use a packet
> filter and kill the offending packet before it reaches the network stack.
> This is a safer solution for me, since it handles the "known" case, and
> it will warn if other broken machines appear in your network in the future.

On our specific network, such packets are "legit", and need to be
replied to, even by the NetBSD servers.

Our load-balancers need to do ARP queries directly on that network (they
use direct-routing, so they need the ARP of the real server), but do not
have any IP in the network themselves.

I'm guessing the "offending" packets are something like:

ARP, Request who has 10.y.y.y, tell 10.x.x.x

Where 10.y.y.y is a "Real-Server" on the network, and 10.x.x.x is the
load-balancer IP (on another network).

Yeah, the reply would be routed through the gateway, which is not ideal, but
it currently works on our infrastructure (1000+ Linux hosts, a few
NetBSD, and introducing more NetBSD alternatives :).

The alternative I see to only hide the "known" case would be to handle a list of
IPs/networks to "hide", but that would mean much more work within the
kernel, and I doubt doing such "heavy" work - to decide whether it should log
it or not - would be a good idea.

Adrien URBAN, Systems - Networks - Security Expert - Head of R&D
NBS System (Paris - London) | twitter : @nbs_system
Std: +33 158 566 080 / Fax: +33 158 566 081
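As an added example, not part of this thread or of NetBSD's code: a small userland triage that reads tcpdump-style ARP lines and separates on-link requests from off-link ones, flagging only the off-link senders not covered by an allowlist of known load-balancer networks. It is the "list of IPs/networks to hide" idea from the message above, done on the logs rather than in the kernel; the subnets 10.20.0.0/24 and 10.99.1.0/24 and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches tcpdump-style ARP request summaries. "who has" (as quoted in the
# thread) is accepted alongside tcpdump's actual "who-has".
ARP_REQUEST = re.compile(
    r"ARP, Request who[- ]has (?P<target>\d+\.\d+\.\d+\.\d+),? "
    r"tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)

def classify_arp(line, local_net, known_offlink=()):
    """Classify one ARP request by where its sender address lives.

    'on-link'            sender inside local_net (nothing to report)
    'known-offlink'      sender inside an allowlisted network (the LBs)
    'unexpected-offlink' sender elsewhere: the case still worth logging
    None                 line is not an ARP request
    """
    m = ARP_REQUEST.search(line)
    if m is None:
        return None
    sender = ipaddress.ip_address(m.group("sender"))
    if sender in local_net:
        return "on-link"
    if any(sender in net for net in known_offlink):
        return "known-offlink"
    return "unexpected-offlink"

def triage(lines, local_net, known_offlink=()):
    """Count classifications over a batch of lines, skipping non-ARP lines."""
    counts = Counter()
    for line in lines:
        kind = classify_arp(line, local_net, known_offlink)
        if kind is not None:
            counts[kind] += 1
    return dict(counts)

# Constructed sample: real servers live in 10.20.0.0/24, the direct-routing
# load balancers (hypothetical addresses) in 10.99.1.0/24.
LOCAL_NET = ipaddress.ip_network("10.20.0.0/24")
KNOWN_LB_NETS = (ipaddress.ip_network("10.99.1.0/24"),)
SAMPLE_LINES = [
    "ARP, Request who-has 10.20.0.10 tell 10.20.0.1, length 28",
    "ARP, Request who-has 10.20.0.10 tell 10.99.1.5, length 28",
    "ARP, Request who-has 10.20.0.11 tell 192.168.7.3, length 28",
    "IP 10.20.0.1.22 > 10.20.0.10.51000: Flags [S], length 0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_arp(line, LOCAL_NET, KNOWN_LB_NETS), "|", line)
    print(triage(SAMPLE_LINES, LOCAL_NET, KNOWN_LB_NETS))
```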
