Per-route ARP control for Linux 2.4 in two parts:           Julian Anastasov

  a) filtering ARP probes
  b) selection of the source IP in the ARP probes

1. Part one: filtering ARP probes

- semantic: "don't reply for input routes marked noarp"

- we add a "noarp" flag for the "ip route" command

- we add a "hidden" flag for the "ip addr add" command, and it is
  propagated to the created local route, i.e.

    ip addr add IP[/mask] ... hidden

  is converted to

    ip route add table local local IP[/mask] ... noarp

- we don't distinguish broadcast/unicast probes (skb->pkt_type); maybe
  this would be useful in cases where we must block only the unicast
  probes.

- only local and unicast routes are filtered, for example:

  a) local routes

    ip route add table local local 192.168.0.100 dev lo noarp

  b) unicast routes

    ip rule add prio 100 from 192.168.0.100 table 100
    ip route add table 100 default via 192.168.0.1 dev eth0 src 192.168.0.2 noarp

2. Part two: source address selection for our probes

- semantic: "in our probes announce the preferred source address for the
  target if the original route in the skb is marked noarp"

  Sometimes we don't want to announce particular addresses, for example
  if they are marked hidden/noarp in the local routes (the symmetric case
  of part one). In this case we add a noarp route and then fall back to
  the preferred source address (the "src" of the route), even if the
  address itself is marked hidden. The RTCF_NOARP flag in the output
  routes is checked in this case (arp_solicit):

    ip rule from ...
    ip route add ... noarp

Example installation:

- iproute2:

    tar xfz iproute2-2.4.7-now-ss010824.tar.gz
  or
    tar xfz iproute2-2.2.4-now-ss001007.tar.gz
    cd iproute2
    patch -p1 < iproute2-noarp-1.diff

- kernel:

    cd /usr/src/linux
    patch -p1 < noarp-2.4.5-1.diff

Notes for the LVS users:

Until the second part of the ARP problem is fixed permanently in the
kernel, it remains the most difficult part of this method to deal with.
Currently, the right way to hide an IP address (VIP) using this method is:

  VIP=192.168.0.100
  DIP=192.168.0.2
  GATEWAY=192.168.0.1

1. Hide the VIP from all remote ARP probes (use either form)

  1.1 With "ip addr"

    ip addr add 192.168.0.100 dev lo hidden

  1.2 With "ip route"

    ip route add table local local 192.168.0.100 dev lo noarp

2. Don't announce the VIP in our probes

    # For all VIPs:
    ip rule add prio 100 from 192.168.0.100 table 100
    # Announce another address when talking with local clients
    ip route add table 100 192.168.0.0/24 dev eth0 src 192.168.0.2 noarp
    # Announce another address when talking to the world
    ip route add table 100 default via 192.168.0.1 dev eth0 src 192.168.0.2 noarp

For already defined addresses/routes, "ip route change ... noarp" can be
used to switch the route into "noarp" mode. Of course, "ip route flush
cache" is the final thing to do, otherwise cached routing entries keep
the old flags.

In the near future (hey, this is not a promise) it may become possible to
hide the IP addresses by solving part 1 alone, i.e. with just
"ip addr add ... hidden".
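The complete LVS real-server procedure (part 1, hiding the VIP from remote probes, and part 2, not announcing it in our own probes) as one shell script. This is an added example, not code from Julian Anastasov's patch or this README. It assumes a kernel and iproute2 already carrying the noarp patches described above (an unpatched "ip" rejects the "noarp" keyword); the variable names VIP, DIP, GATEWAY, DEV, NET, TABLE and IP_BIN, the function names and the plan/apply modes are this script's own, and the default addresses are the README's example values.

```shell
#!/bin/sh
# Added example, not part of the noarp patch or its README: hide one VIP on an
# LVS real server using the two steps described in the text.
# Assumes a kernel patched with noarp-2.4.x and an iproute2 patched with
# iproute2-noarp-1.diff; otherwise "ip" rejects the "noarp" keyword.
# VIP, DIP, GATEWAY, DEV, NET, TABLE, IP_BIN and the function names are this
# script's own choices; the defaults are the README's example addresses.

VIP=${VIP:-192.168.0.100}        # address to hide (the LVS VIP)
DIP=${DIP:-192.168.0.2}          # address we are allowed to announce
GATEWAY=${GATEWAY:-192.168.0.1}
DEV=${DEV:-eth0}
NET=${NET:-192.168.0.0/24}       # local clients reached directly on DEV
TABLE=${TABLE:-100}
IP_BIN=${IP_BIN:-ip}             # set IP_BIN=echo to print instead of execute

# Step 1: never answer ARP probes for the VIP. The "noarp" flag on the local
# route is exactly what "ip addr add $VIP dev lo hidden" would create.
hide_vip() {
    $IP_BIN route add table local local "$VIP" dev lo noarp
}

# Step 2: never use the VIP as the sender address in our own ARP probes.
# Packets sourced from the VIP are routed through TABLE, whose routes carry
# "src DIP" and "noarp", so arp_solicit (RTCF_NOARP) announces DIP instead.
no_announce_vip() {
    $IP_BIN rule add prio 100 from "$VIP" table "$TABLE"
    $IP_BIN route add table "$TABLE" "$NET" dev "$DEV" src "$DIP" noarp
    $IP_BIN route add table "$TABLE" default via "$GATEWAY" dev "$DEV" src "$DIP" noarp
    $IP_BIN route flush cache    # cached entries keep the old flags until flushed
}

# Dry run: the exact command lines that "apply" would execute, one per line.
noarp_plan() {
    ( IP_BIN=echo; hide_vip; no_announce_vip )
}

# Self-check helper: how many of the planned routes carry "noarp". The local
# route plus the two TABLE routes must; the rule and the flush do not.
noarp_route_count() {
    noarp_plan | grep -c '^route .* noarp$'
}

case "${1:-plan}" in
    apply) hide_vip && no_announce_vip ;;
    plan)  noarp_plan ;;
    *)     echo "usage: $0 [plan|apply]" >&2 ;;
esac
```

Run it without arguments (or with "plan") to review the five commands before touching the box, then with "apply" as root on the real server. Note that the "noarp" flag appears on every route that a VIP-sourced packet can match, including the directly connected network, since a probe for a local client would otherwise still go out with the VIP as sender.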