Using the hidden interface to disable ARP

From LVSKB

Introduction

The "hidden" flag on an interface hides that interface from the ARP protocol. When the "hidden" flag is enabled on an interface, any IP address configured on the hidden interface will not participate in ARP.

The "hidden" device flag is available in the Linux 2.2 kernel series starting from 2.2.14. For the "hidden" device flag on the Linux kernel 2.4 and 2.6, you need to apply the hidden patch against the Linux kernel 2.4 and 2.6 respectively. Please go to Julian's Software Patches and Docs to download the hidden patches.

Note that for the Linux kernel 2.4 and 2.6, you may instead use the arp_announce/arp_ignore flags on the interface (see Using arp_announce/arp_ignore to disable ARP); then you will not need to patch and rebuild the kernel.

Disable ARP for VIP

The configuration instructions to hide an interface from ARP for LVS are as follows:

# Start the hiding interface functionality
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# Hide all addresses for this interface
echo 1 > /proc/sys/net/ipv4/conf/<interface_name>/hidden

Note that once an interface is set hidden, all the addresses of the interface are hidden from ARP broadcasts and from being included in the ARP responses for other addresses. So it is not a good idea to configure a VIP on an alias of a real Ethernet interface and hide it, unless you have an unused Ethernet interface.

For LVS/DR clusters, it is good to configure VIPs on the aliases of a dummy or loopback device and hide the corresponding device. Then, you can configure as many VIPs as you want.

For LVS/TUN clusters, first you need to bring the tunl0 device up, then configure VIPs on the aliases of a tunnel/dummy/loopback device and hide that device. A configuration example is as follows:

# Insert the ipip module
insmod ipip
# Make the tunl0 device up
ifconfig tunl0 up
# Start the hiding interface functionality
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# Hide all addresses for this tunnel device
echo 1 > /proc/sys/net/ipv4/conf/tunl0/hidden
# Configure a VIP on an alias of tunnel device
ifconfig tunl0:0 <VIP> up

Note that the tunl0 device is brought up so that the kernel decapsulates the received ipip packets correctly. Now, you can configure as many VIPs as you want for LVS/TUN.
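The following script is an added example, not part of the original LVSKB page or the hidden patch. It sets both "hidden" switches for one interface and reads them back, reporting the cases where the plain echo commands above would fail or leave the VIP answering ARP. The function names, return codes and the overridable CONF_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: set and verify the "hidden" flags for one interface.
# CONF_ROOT is overridable (an assumption of this example, used for dry runs).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# hidden_state IFACE -> prints hidden | exposed | no-interface | unsupported
hidden_state() {
    all_f="$CONF_ROOT/all/hidden"
    if_f="$CONF_ROOT/$1/hidden"
    if [ ! -e "$all_f" ]; then
        echo unsupported        # kernel has no "hidden" flag (unpatched 2.4/2.6)
    elif [ ! -d "$CONF_ROOT/$1" ]; then
        echo no-interface       # e.g. tunl0 before the ipip module is inserted
    elif [ ! -e "$if_f" ]; then
        echo unsupported
    elif [ "$(cat "$all_f")" = "1" ] && [ "$(cat "$if_f")" = "1" ]; then
        echo hidden             # both switches on: addresses stay out of ARP
    else
        echo exposed            # one switch is off, so hiding is not in effect
    fi
}

# hide_iface IFACE -> 0 hidden, 1 write did not stick, 2 unsupported, 3 no interface
hide_iface() {
    case "$(hidden_state "$1")" in
        unsupported)  return 2 ;;
        no-interface) return 3 ;;
    esac
    echo 1 > "$CONF_ROOT/all/hidden"
    echo 1 > "$CONF_ROOT/$1/hidden"
    [ "$(hidden_state "$1")" = "hidden" ]
}

# Apply only when asked:  sh hide-vip.sh --apply lo
if [ "${1:-}" = "--apply" ]; then
    rc=0
    hide_iface "$2" || rc=$?
    echo "$2: $(hidden_state "$2") (rc=$rc)"
    exit "$rc"
fi
```

A result of "unsupported" on a 2.4 or 2.6 kernel means the hidden patch is not applied, in which case the arp_announce/arp_ignore flags mentioned in the introduction are the alternative.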
