
Linux rp_filter和arp_filter参数浅析

在默认配置下,只要ARP请求中的目标IP配置在本机,无论该IP是否配置在收到ARP请求数据包的接口上,Linux的收包接口都会以自身MAC地址发送ARP响应。若不希望接口响应所有本机IP,可以通过修改arp_ignore参数来调整。本文实验的arp_filter与rp_filter则是另一类约束:前者决定ARP请求是否只由路由表选中的出接口来响应,后者(常用于防范源地址伪造)决定收到的数据包其源地址的反向路径是否必须落在收包接口上,下面通过实验观察二者开关前后的差异。

测试环境

网卡 IP
机器1-ens33 192.168.1.11
机器1-ens36 192.168.1.12
机器2-ens160 192.168.1.15
vmare1 192.168.1.1

实验

# 查看网络信息
[root@node1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:ec:1c:2d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.11/24 brd 192.168.1.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::624c:c1db:e3b4:9165/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:ec:1c:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.12/24 brd 192.168.1.255 scope global noprefixroute ens36
       valid_lft forever preferred_lft forever
    inet6 fe80::5dab:f84:95b8:1f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# 查看此时路由信息
[root@node1 ~]# ip route
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.11 metric 100
192.168.1.0/24 dev ens36 proto kernel scope link src 192.168.1.12 metric 101
# arp_filter和rp_filter全开(rp_filter=1 为严格模式)
    sysctl -w net.ipv4.conf.all.arp_filter=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
    sysctl -w net.ipv4.conf.ens36.arp_filter=1
    sysctl -w net.ipv4.conf.ens36.rp_filter=1
    sysctl -w net.ipv4.conf.default.arp_filter=1
    sysctl -w net.ipv4.conf.default.rp_filter=1
    sysctl -w net.ipv4.conf.ens33.arp_filter=1
    sysctl -w net.ipv4.conf.ens33.rp_filter=1
    sysctl -w net.ipv4.conf.lo.arp_filter=1
    sysctl -w net.ipv4.conf.lo.rp_filter=1
# 机器2 ping 192.168.1.12
[root@localhost ~]# ping 192.168.1.12
PING 192.168.1.12 (192.168.1.12) 56(84) bytes of data.
64 bytes from 192.168.1.12: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.12: icmp_seq=2 ttl=64 time=0.393 ms
64 bytes from 192.168.1.12: icmp_seq=3 ttl=64 time=1.15 ms
64 bytes from 192.168.1.12: icmp_seq=4 ttl=64 time=0.583
# 机器2查看arp,可以发现机器1对外只回复了ens33的MAC地址(因为ens36收到ARP请求后,查询路由表发现需要把包从ens33发出,收发不是同一个接口,于是直接把数据包丢了)
[root@localhost ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.12             ether   00:0c:29:ec:1c:2d   C                     ens160
192.168.1.1              ether   00:50:56:c0:00:01   C                     ens160
192.168.1.11             ether   00:0c:29:ec:1c:2d   C                     ens160
# 机器1升级ens36优先级
[root@node1 ~]# ip route
192.168.1.0/24 dev ens36 scope link
192.168.1.0/24 dev ens33 scope link metric 100
# 机器2 查看MAC,发现此时对外MAC地址变为ens36的了
[root@localhost ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.12             ether   00:0c:29:ec:1c:37   C                     ens160
192.168.1.1              ether   00:50:56:c0:00:01   C                     ens160
192.168.1.11             ether   00:0c:29:ec:1c:37   C                     ens160
# arp_filter和rp_filter全关
    sysctl -w net.ipv4.conf.all.arp_filter=0
    sysctl -w net.ipv4.conf.all.rp_filter=0
    sysctl -w net.ipv4.conf.ens36.arp_filter=0
    sysctl -w net.ipv4.conf.ens36.rp_filter=0
    sysctl -w net.ipv4.conf.default.arp_filter=0
    sysctl -w net.ipv4.conf.default.rp_filter=0
    sysctl -w net.ipv4.conf.ens33.arp_filter=0
    sysctl -w net.ipv4.conf.ens33.rp_filter=0
    sysctl -w net.ipv4.conf.lo.arp_filter=0
    sysctl -w net.ipv4.conf.lo.rp_filter=0
# 查看机器1 路由
[root@node1 ~]# ip route
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.11 metric 100
192.168.1.0/24 dev ens36 proto kernel scope link src 192.168.1.12 metric 101
# 机器2 ping 机器1
[root@localhost ~]# ping -c 1 192.168.1.11
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
64 bytes from 192.168.1.11: icmp_seq=1 ttl=64 time=0.849 ms

--- 192.168.1.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.849/0.849/0.849/0.000 ms
[root@localhost ~]# ping -c 1 192.168.1.12
PING 192.168.1.12 (192.168.1.12) 56(84) bytes of data.
64 bytes from 192.168.1.12: icmp_seq=1 ttl=64 time=0.572 ms

--- 192.168.1.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.572/0.572/0.572/0.000 ms
# 查看机器1的tcpdump抓包,发现现在两张网卡开始同时对外响应各自的MAC地址了,而在之前两张网卡只会对外响应一个MAC地址(但在这种情况下,先到的响应包可能会被后到的响应覆盖,导致对端ARP缓存中的MAC来回变化)
[root@node1 ~]# tcpdump -i any arp -Nnv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:06:09.155324 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.11 tell 192.168.1.15, length 46
09:06:09.155351 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.11 is-at 00:0c:29:ec:1c:2d, length 28
09:06:09.155632 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.11 tell 192.168.1.15, length 46
09:06:09.155641 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.11 is-at 00:0c:29:ec:1c:37, length 28
09:06:10.834215 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.12 tell 192.168.1.15, length 46
09:06:10.834238 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.12 is-at 00:0c:29:ec:1c:2d, length 28
09:06:10.834330 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.12 tell 192.168.1.15, length 46
09:06:10.834336 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.12 is-at 00:0c:29:ec:1c:37, length 28