On Tue, Aug 19, 2003 at 03:34:43PM +0100, Richard Underwood wrote:
> As an example, I have a router/firewall for the office that has two
> interface cards, both with perfectly valid internal addresses - these
> addresses aren't used anywhere else on the network.
> Two of the interfaces are: 172.20.240.2/24 and 172.24.0.1/16. My
> default gateway is 172.20.240.1 and there aren't any other non-interface
> routes. If I do:
> # arp -d 172.24.0.80
> # ping -I 172.20.240.2 172.24.0.80
> I see:
> 16:18:40.856328 arp who-has 172.24.0.80 tell 172.20.240.2
> 16:18:40.856431 arp reply 172.24.0.80 is-at 0:50:da:44:f:37
> Now, since 172.24.0.80 is a Linux box, it's happily adding
> 172.20.240.2 into its ARP table and reply to it, hence the reply.
> But if I was to do this in the other direction (arp -d 172.20.240.1;
> ping -I 172.24.0.1 172.20.240.1) then I'd lose connectivity over my default
> route because 172.20.240.1 won't accept ARP packets from IP numbers not on
> the connected subnet. The <incomplete> ARP entry will block any further ARP
> requests from valid IP numbers.
This is exactly the case I calmly discussed privately with David then Alexey.
Both explained me that in fact, the remote host shouldn't be filtering the ARP
requests based on the source IP they provide, but agreed that it seems to be a
general trend today. Alexey proposed a slight change which can at least solve
this very common case by preventing the system from using the local address as
a source IP if it is not on the interface through which the request is sent.
Obviously it will not solve all very special cases, which people can work
around with arptables, but it will solve this common one.