swtIrene 2014-03-03
About arp_ignore (from the kernel documentation):
arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
    0 - (default): reply for any local target IP address, configured
    on any interface
    1 - reply only if the target IP address is local address
    configured on the incoming interface
    2 - reply only if the target IP address is local address
    configured on the incoming interface and both with the
    sender's IP address are part from same subnet on this interface
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved
    8 - do not reply for all local addresses

    The max value from conf/{all,interface}/arp_ignore is used
    when ARP request is received on the {interface}
arp_ignore: defines the reply mode for ARP requests whose target address is a local IP
0 - (default): answer ARP queries for any local IP address on any network interface
1 - answer only if the target IP is a local address of the interface the request arrived on
2 - answer only if the target IP is a local address of the interface the request arrived on, and the sender IP is within that interface's subnet
3 - do not answer for local addresses configured with host scope; only global and link addresses are answered
4-7 - reserved, unused
8 - do not answer ARP queries for any (local) address
About arp_announce (from the kernel documentation):
arp_announce - INTEGER
    Define different restriction levels for announcing the local
    source IP address from IP packets in ARP requests sent on
    interface:
    0 - (default) Use any local address, configured on any interface
    1 - Try to avoid local addresses that are not in the target's
    subnet for this interface. This mode is useful when target
    hosts reachable via this interface require the source IP
    address in ARP requests to be part of their logical network
    configured on the receiving interface. When we generate the
    request we will check all our subnets that include the
    target IP and will preserve the source address if it is from
    such subnet. If there is no such subnet we select source
    address according to the rules for level 2.
    2 - Always use the best local address for this target.
    In this mode we ignore the source address in the IP packet
    and try to select local address that we prefer for talks with
    the target host. Such local address is selected by looking
    for primary IP addresses on all our subnets on the outgoing
    interface that include the target IP address. If no suitable
    local address is found we select the first local address
    we have on the outgoing interface or on all other interfaces,
    with the hope we will receive reply for our request and
    even sometimes no matter the source IP address we announce.

    The max value from conf/{all,interface}/arp_announce is used.

    Increasing the restriction level gives more chance for
    receiving answer from the resolved target while decreasing
    the level announces more valid sender's information.
arp_announce: restricts, at the configured level, which local source IP address is announced in ARP requests sent from a network interface
0 - (default) any local address on any network interface (eth0, eth1, lo)
1 - try to avoid announcing a local address that is outside this interface's subnet. Useful when the hosts reached through this interface expect the ARP sender IP to belong to their own subnet. The packet's source IP is checked against the subnets configured on the interface; if it falls in none of them, level 2 rules are applied instead.
2 - use the most suitable local address for the query target. In this mode the IP packet's source address is ignored and a local address able to talk to the target is chosen: first, among the subnets of the outgoing interface, a local address whose subnet contains the target IP; if none is found, the first address of the sending interface, or of another interface that might receive the ARP reply, is used.
A further note on understanding arp_announce
Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2. Unfortunately, the target node's mac address is not resolved. The linux box X will send the ARP request to know the mac address of the target (or the gateway). In this case what is the IP source address of the "ARP request message"? The IP0 - the IP source address of the transmitting IP or IP2 - the outgoing interface? Until now (actually just 3 hours before) ARP request uses the IP address assigned to the outgoing interface (IP2 in the above example). However the linux's behavior is a little bit different. Actually the selection of source address in ARP request is totally configurable by the proc variable "arp_announce".
If we want to use the IP2 not the IP0 in the ARP request, we should change the value to 1 or 2.
The default value is 0 - allow IP0 to be used for ARP request.
In fact this is a router problem. Routers generally learn ARP entries dynamically (typically when addresses are assigned by DHCP). When a machine on the internal network wants to send an IP packet to the outside, it needs the router's MAC address, so it sends an ARP request, and that ARP request carries the sender's own IP address and MAC address. By default Linux uses the IP packet's source IP as the sender IP in the ARP request, not the address of the sending device. Under an architecture like LVS, all outgoing packets use the same VIP as source, so the ARP request carries the VIP together with the device's MAC; when the router receives this ARP request it updates its ARP cache, which amounts to IP spoofing: the VIP is hijacked by the real server, and problems follow.
Why and when does the ARP cache get updated? To reduce the number of ARP requests, when a host receives an ARP request asking for its own address, it stores the sender IP and sender MAC in its ARP table for the subsequent communication. If it receives a request that is not asking for itself (ARP is broadcast, so everyone receives it), it discards it, so that the ARP table does not fill with useless entries that would push out useful ones.
Setting arp_ignore to 1 means that when someone else's ARP request arrives, the host does not respond if the receiving device does not own that IP. The default is 0: as long as any device on this machine owns the IP, the host responds to the ARP request and sends its MAC address.
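As an added example (not code from the original post), the Python model below implements the arp_ignore reply rule and the arp_announce sender-selection rule quoted above and runs them against a constructed LVS-DR real server: the RIP on eth0, the VIP on lo with host scope, and a router asking for the VIP. The names Iface, arp_reply and arp_source, the addresses, and the rule that the first address listed on an interface is its primary one are assumptions; level 0 and 1 of arp_announce are modelled as falling back to the level-2 selection when the packet's source address is not a local one, which is what the documentation describes for level 1.

```python
"""Model of the Linux arp_ignore / arp_announce rules quoted above.
Added example, not code from the original post: interfaces, addresses and
ARP exchanges are constructed to mimic an LVS-DR real server."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Iface:
    name: str
    # list of (address/prefix, scope); scope is "global", "link" or "host".
    # Assumption: the first address listed is the interface's primary address.
    addrs: list = field(default_factory=list)

    def owns(self, ip):
        return any(ipaddress.ip_interface(a).ip == ip for a, _ in self.addrs)

    def subnets_containing(self, ip):
        nets = [ipaddress.ip_interface(a).network for a, _ in self.addrs]
        return [n for n in nets if ip in n]


def arp_reply(ifaces, incoming, sender, target, arp_ignore):
    """Does the host answer an ARP request for `target`, sent by `sender`,
    that arrived on interface `incoming`? Levels 0-3 and 8 as documented."""
    sender, target = ipaddress.ip_address(sender), ipaddress.ip_address(target)
    inc = next(i for i in ifaces if i.name == incoming)
    if arp_ignore == 0:   # any local address on any interface
        return any(i.owns(target) for i in ifaces)
    if arp_ignore == 1:   # only addresses configured on the incoming interface
        return inc.owns(target)
    if arp_ignore == 2:   # ...and sender and target must share a subnet there
        return inc.owns(target) and any(
            sender in n for n in inc.subnets_containing(target))
    if arp_ignore == 3:   # host-scope addresses (e.g. a VIP on lo) are never answered
        return any(ipaddress.ip_interface(a).ip == target and scope != "host"
                   for i in ifaces for a, scope in i.addrs)
    if arp_ignore == 8:   # never answer
        return False
    raise ValueError("arp_ignore levels 4-7 are reserved")


def arp_source(ifaces, outgoing, pkt_src, target, arp_announce):
    """Which IP does the host put in the sender field of an ARP request for
    `target` sent on `outgoing`, when the IP packet that triggered the
    request was sourced from `pkt_src`?"""
    pkt_src, target = ipaddress.ip_address(pkt_src), ipaddress.ip_address(target)
    out = next(i for i in ifaces if i.name == outgoing)
    is_local = any(i.owns(pkt_src) for i in ifaces)
    if arp_announce == 0 and is_local:       # announce the packet's own source
        return pkt_src
    if arp_announce == 1 and is_local and any(
            pkt_src in n for n in out.subnets_containing(target)):
        return pkt_src                       # source shares a subnet with target
    # level 2 (and the fallback for 0/1): best local address for this target,
    # i.e. the primary address on `outgoing` whose subnet contains the target
    for a, _ in out.addrs:
        ifc = ipaddress.ip_interface(a)
        if target in ifc.network:
            return ifc.ip
    # no matching subnet: first address on `outgoing`, then on any other interface
    for i in [out] + [x for x in ifaces if x is not out]:
        if i.addrs:
            return ipaddress.ip_interface(i.addrs[0][0]).ip
    return None


# Constructed LVS-DR real server: RIP on eth0, VIP on lo with host scope.
REAL_SERVER = [
    Iface("eth0", [("192.168.1.10/24", "global")]),
    Iface("lo", [("127.0.0.1/8", "host"), ("192.168.1.100/32", "host")]),
]
VIP, RIP, GATEWAY = "192.168.1.100", "192.168.1.10", "192.168.1.1"


def vip_replies():
    """The router broadcasts 'who has the VIP?' and it arrives on eth0.
    Only level 0 answers, i.e. the real server steals the VIP from the director."""
    return {lvl: arp_reply(REAL_SERVER, "eth0", GATEWAY, VIP, lvl)
            for lvl in (0, 1, 2, 3, 8)}


def announced_sender():
    """A reply packet sourced from the VIP leaves via eth0 and needs the router's
    MAC. Levels 0 and 1 both advertise the VIP (it lies inside eth0's subnet),
    which poisons the router's ARP cache; level 2 advertises the RIP."""
    return {lvl: str(arp_source(REAL_SERVER, "eth0", VIP, GATEWAY, lvl))
            for lvl in (0, 1, 2)}


if __name__ == "__main__":
    print("arp_ignore   ->", vip_replies())
    print("arp_announce ->", announced_sender())
```

The model shows why LVS real servers need arp_announce=2 rather than 1: when the VIP and the RIP sit in the same subnet, level 1 still finds the VIP "on link" for the gateway and keeps it as the announced sender.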