Ever had ARP replies coming from the wrong interface? Maybe not; in that case, have a nice day :P.

On most default Linux configurations, the kernel will sometimes reply to ARP requests from “the wrong” interface, on the assumption that even if a packet arrived on that “wrong” interface, it would be routed correctly to the other interface, or would at least reach the final host.

This is the case when you have multiple IPs on different interfaces connected to the same L2 network, for whatever reason you may want that (you usually don’t). And if you are doing any source- or interface-based firewalling, this will give you headaches, since you will receive traffic from where you don’t expect it.

A rather ugly sketch of the problem:

Luckily, you can force the kernel to reply only to ARP requests that are received on the right interface.

By adding the following to your /etc/sysctl.conf

net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2

the kernel will:

  • Reply only if the target IP address is a local address configured on the incoming interface, and both it and the sender’s IP address are part of the same subnet on this interface
  • Try to avoid local addresses that are not in the target’s subnet for this interface.

The full documentation is available here.

P.S. You can also apply it at runtime:

sudo sysctl -w net.ipv4.conf.all.arp_ignore=1
sudo sysctl -w net.ipv4.conf.all.arp_announce=2
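One thing the two commands above do not show is what the kernel actually ends up using: for both arp_ignore and arp_announce it takes the maximum of conf/all/X and conf/<interface>/X, so a value set on "all" raises every interface, while hardening a single interface leaves the others at their own value. The script below is an added example (not from the original post) that audits the effective value per interface; it reads a conf directory passed as argument (defaulting to /proc/sys/net/ipv4/conf) and includes a constructed stand-in directory so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective ARP
# settings per interface. The kernel uses max(conf/all/X, conf/<iface>/X)
# for both arp_ignore and arp_announce.

# Effective value of sysctl key $2 on interface $1, under conf dir $3
# (normally /proc/sys/net/ipv4/conf).
effective_arp() {
    ifc=$1; key=$2; cdir=$3
    all=$(cat "$cdir/all/$key")
    own=$(cat "$cdir/$ifc/$key")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Report interfaces whose effective arp_ignore < 1 or arp_announce < 2,
# skipping the all/default pseudo entries and lo. Returns 0 if all comply.
audit_arp() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for dir in "$conf"/*/; do
        ifc=$(basename "$dir")
        case $ifc in all|default|lo) continue ;; esac
        ign=$(effective_arp "$ifc" arp_ignore "$conf")
        ann=$(effective_arp "$ifc" arp_announce "$conf")
        if [ "$ign" -lt 1 ] || [ "$ann" -lt 2 ]; then
            echo "WARN $ifc: arp_ignore=$ign arp_announce=$ann"
            rc=1
        else
            echo "ok   $ifc: arp_ignore=$ign arp_announce=$ann"
        fi
    done
    return $rc
}

# Constructed fixture standing in for /proc/sys/net/ipv4/conf, so the audit
# can be exercised offline: "all" at kernel defaults (0/0), eth0 hardened
# per interface, eth1 untouched.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$d/$i"
        echo 0 > "$d/$i/arp_ignore"
        echo 0 > "$d/$i/arp_announce"
    done
    echo 1 > "$d/eth0/arp_ignore"
    echo 2 > "$d/eth0/arp_announce"
    echo "$d"
}

audit_arp "$(make_sample_conf)" || echo "non-compliant interfaces found"
```

Run it without arguments on a real host to see which interfaces still answer ARP for addresses they do not own; the fixture run flags eth1 because only eth0 was hardened.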