Proposal to Change Default Value of net.ipv4.conf.all.arp_announce from 0 to 2

filippocarletti · October 23, 2024, 12:35pm

Hi all,

I’d like to propose an improvement to the default configuration of the net.ipv4.conf.all.arp_announce setting.

Current Scenario

The default value of 0 for arp_announce implies that ARP requests are sent with the first primary IP address assigned to the outgoing interface, regardless of whether this address is the best source address to reach the target IP. The rationale for keeping it as 0 is understandable — the IP address is considered to belong to the system rather than the interface.

In my current setup, I have two IPs configured on the same wan interface:

x.y.z.207/31
a.b.c.169/29

When sending an ARP request, the system is using the wrong source IP, which in my case is a.b.c.169. This causes incorrect ARP traffic as shown below:

19:33:34.624390 ARP, Request who-has x.y.z.206 tell a.b.c.169, length 28  # wrong
14:41:43.189659 ARP, Request who-has x.y.z.206 tell x.y.z.207, length 28  # right

The ISP router at x.y.z.206 doesn't respond to ARP request from an IP outside of his known network (x.y.z.206/31), it has net.ipv4.conf.all.arp_ignore set to 1 (as even OpenWrt does, see /etc/sysctl.d/10-default.conf).
The correct behavior would be to use an IP from the appropriate subnet (x.y.z.207), but due to the default arp_announce=0 setting, the system sends ARP requests using a.b.c.169 instead.

I've modified /etc/sysctl.conf to solve the problem:

net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

P.S. Is this forum the best place for these kind of discussion? Should I move to a github issue or a thread in the openwrt-devel mailing list?

Hostle · October 23, 2024, 1:00pm

can this not be achieved via a simple uci_defaults script ? Generally, in these cases, the needs of many, out weigh the needs of one. When you're the one, you need to handle these issues yourself, usually by building from the sdk, the image builder, or a full build system.

Boilerplate4U · October 23, 2024, 3:22pm

@filippocarletti - The Linux network stack is extremely versatile (some would argue it's even too versatile) to meet all sorts of requirements. That's why there is /etc/sysctl.conf, where you can adjust your system's defaults or configure options for a single interface.

For example, check out to this example on adjusting ARP behavior in Linux servers: Adjusting ARP Behavior on Linux Servers

Link to the official Linux IPv4 documentation for arp_announce and arp_ignore: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

filippocarletti · October 24, 2024, 10:53am

As I said, I have changed the arp_announce settings for my system.
I'm trying to understand if a new default setting could benefit the OpenWrt community.

Boilerplate4U · October 24, 2024, 10:59am

Well, you already did by opening this thread!

But if you mean setting these as the default in the OpenWRT kernel, I doubt it. You could at least try by submitting a PR on GitHub.

lleachii · October 24, 2024, 11:20am

ARP on a point-to-point link (i.e. /31)?

You lost me.

What's the use case of the /29 if your ISP's gateway is on the /31 subnet?

filippocarletti · October 24, 2024, 12:01pm

It's an additional network the ISP route to us. That's probably why their router doesn't know it.
We use that a.b.c.d/29 for our systems.

brada4 · October 24, 2024, 12:19pm

Nothing prevents you from making a PR on subject. There is no damage in common use cases, and probably yours covers 2/3 of remaining corners.
Maybe the process will become a bit lengthier that some realistic seetup needs checkbox to undo hardening.

lleachii · October 24, 2024, 1:59pm

OpenWrt has the ability to configure another "interface" @wan, or on the same PHY/interface...or if this subnet is routed to you - there's other options. This is in addition to listing it together. This would probably be the best use case to configure the other network/subnet.

I would try the documented options first.

Make an entirely new interface on your router and address it as:

a.b.c.169/29

Network: a.b.c.168/29
Usable Host IP Range: a.b.c.169 - a.b.c.174
Broadcast Address: a.b.c.175

The router will know to route traffic to it. This is Standard Practice.

Firewall zone wan: exclude these IPs, do not masquerade, as the ISP routes these IPs to you.

does not equal a.b.c.168/29

lleachii · October 24, 2024, 2:35pm

Is this on Ethernet WAN or via Wireguard?

I ask because...

Are these 2 threads related?