ip arp - ARP filtering via netlink

Julian Anastasov, March 2002

This document explains the iproute2 extension for ARP filtering - iparp.

CONTENTS:

1. Introduction
2. The different ARP tables
3. ARP rule parameters and keys
4. iparp commands
5. iparp examples
   5.1 Example for clusters
   5.2 Example for proxy ARP
   5.3 Example for VRRP
   5.4 Other examples

1. Introduction

iparp controls the ARP protocol by using rules ordered in ARP tables: input,
output and forward. Each rule is identified by its preference value, which is
unique within each table.

Currently, iparp is not a universal filter for the ARP protocol. The iparp
decisions depend mostly on other parts of the IP stack, such as routing and
neighbour address resolution. Don't use iparp only for security purposes.

2. The different ARP tables

The ARP protocol code can match received and locally generated ARP requests
against ARP rules in different tables and can alter the locally generated ARP
requests and replies. The different tables are used in three different cases:

input
    a remote host requests link layer information for an IP address that is
    locally configured in our host

output
    our host prepares an ARP request datagram for resolving another host
    (target)

forward
    a remote host requests link layer information for an IP address that is
    not configured in our host, but the ARP code is willing to reply to it
    according to the routes (proxy ARP)

When an ARP rule matches an ARP request, the rule's action is applied: the
request is dropped or passed. The rules are listed in ascending order
according to their preference value (priority); the lowest value is the most
preferred.

The ARP filtering rules are considered only when the ARP code is ready to
reply to a remote ARP request or to send an ARP request. As a result, the
default action for tables "input" and "forward" depends on other things such
as device flags (rp_filter, arp_filter, medium_id, proxy_arp) and the routing
rules.
If the default action is to ignore the remote ARP request, the ARP rules are
not analyzed. For table "output" the default action is always allow.

3. ARP rule parameters and keys

Each ARP rule includes a list of parameters. Some of them are keys uniquely
identifying the rule (the preference value), other parameters are used only
for lookup (packet matching), and finally there are parameters that describe
the action performed if the matching succeeds.

table TABLE_NAME
    Specifies the table name: input/output/forward

preference N
    Synonyms: rule, order, priority
    Priority, uniquely identifying the rule

Packet matching parameters:

from PREFIX
    Specifies the IP prefix value (IP/Netmask) for the sender. If used for
    the commands "list" and "flush", the parameter can additionally be
    specified in the following forms, which allow selection of multiple
    rules:

    from root ROOT_PREFIX
        match all rules whose "from PREFIX" value is a subset of the
        ROOT_PREFIX

    from match PREFIX
        match all rules with a "from ROOT_PREFIX" value of which PREFIX is
        a subset

to PREFIX
    Specifies the IP prefix value (IP/Netmask) for the target. If used for
    the commands "list" and "flush", the parameter can additionally be
    specified in the following forms, which allow selection of multiple
    rules:

    to root ROOT_PREFIX
        match all rules whose "to PREFIX" value is a subset of the
        ROOT_PREFIX

    to match PREFIX
        match all rules with a "to ROOT_PREFIX" value of which PREFIX is a
        subset

llfrom LLPREFIX
    Specifies the link layer address prefix value for the sender. If the
    value is shorter than the actual device hardware address, this parameter
    matches many senders.

llto LLPREFIX
    Specifies the link layer address prefix value for the target. If the
    value is shorter than the actual device hardware address, this parameter
    matches many targets.

broadcasts
    Specifies that the rule matches only packets not destined directly to
    our link layer address.
unicasts
    Specifies that the rule matches only packets destined directly to our
    link layer address.

iif IFACE_PREFIX
    Specifies the input interface name or prefix. The '+' symbol can be used
    as a wildcard value matching all following characters in the interface
    name. Can be used only for tables input and forward, and matches the
    interface where the request is received.
    Examples:
        iif eth0 - match only eth0
        iif eth+ - match all eth interfaces

oif IFACE_PREFIX
    Specifies the output interface name or prefix. The '+' symbol can be used
    as a wildcard value matching all following characters in the interface
    name. Can be used only for tables forward and output. For table output,
    oif matches the interface where our request is sent; for table forward,
    oif matches the interface where the resolved route points to.
    Examples:
        oif eth0 - match only eth0
        oif eth+ - match all eth interfaces

Action:

action POLICY
    Specifies the action to be applied if the rule is matched. Any action
    stops the lookup for a matching rule. Action "deny" ignores the ARP
    packet (it is dropped). When a rule with action "allow" is matched, the
    ARP packet is altered according to the following parameters.

Parameters for altering our ARP requests and replies:

src IP
    Specifies the IP address to be announced as sender in our ARP requests
    resolving a target host. It can be used only for rules in table
    "output". The special value 0.0.0.0 allows the ARP code to select the
    preferred IP address to the target. If used for the commands "list" and
    "flush", the parameter can additionally be specified in the following
    form, which allows selection of multiple rules:

    src root ROOT_PREFIX
        match all rules whose "src IP" value is a subset of the ROOT_PREFIX

llsrc LLADDR
    Specifies the link layer address value to use as the sender's address
    instead of the default interface value.
lldst LLADDR
    Specifies the link layer address value to use as the target's address
    instead of the default value (the old target's link layer address or a
    broadcast value).

Parameters for statistics:

packets N
    Specifies the rule counter. If used for the "list" or "flush" commands,
    the parameter defines the minimum value used to select the rules. When
    specified in commands that create or change a rule, this is the new
    value for the rule's packet counter. By default, the packet counter is
    increased each time a packet is matched.

4. iparp commands

The following is the list of the iparp commands (they can be abbreviated):

list, lst, show
    Show one or many ARP rules. These commands accept any of the existing
    rule parameters.

append
    Create a new ARP rule. If there is already a rule with the specified
    preference, or if the preference is not specified and there is another
    rule with the same packet matching keys, the first free upper preference
    value is selected for the newly created rule.

prepend, insert
    Create a new ARP rule. If there is already a rule with the specified
    preference, or if the preference is not specified and there is another
    rule with the same packet matching keys, the first free lower preference
    value is selected for the newly created rule.

add, create
    Create a new ARP rule. If there is already a rule with the specified
    preference, or if the preference is not specified and there is another
    rule with the same packet matching keys, the command aborts with an
    error.

delete, remove
    Delete one ARP rule. If there is a rule with the specified preference,
    or if the preference is not specified and there is a rule with the same
    keys (all of them, not only the keys for packet matching), the rule is
    deleted.

change, chg, update
    Change the ARP rule parameters. The rule is selected with the specified
    preference value or with the packet matching keys. If the preference
    value is specified, the packet matching keys can be changed because they
    are not used to find the rule.
    In any case, the command is intended to change all parameters for one
    rule (except the preference value).

replace, set
    Create a new ARP rule. These commands are a combination of prepend and
    change. If there is no rule with the specified preference value or
    packet matching keys, the new rule is created. Otherwise, the new rule
    is prepended before the first matched rule.

flush
    Remove one or many ARP rules. The command accepts any of the existing
    rule parameters, just like the command "list".

test
    Search for a rule with the specified preference value or with the packet
    matching keys. Return an error if such a rule exists.

5. iparp examples

5.1 Example for clusters

For clusters where one IP address is shared among many servers, we prefer
only one of them to reply to ARP requests for this IP address. On all other
servers we take the following actions:

# drop all requests for the virtual IP
ip arp add drop to 1.2.3.4

# do not announce the virtual IP in our requests, use another one
ip arp add table output from 1.2.3.4 src 0

5.2 Example for proxy ARP

# we assume that proxy ARP is enabled

# do not allow proxy ARP for subnet
ip arp add table forward drop to 192.168.0.0/24

# deny proxy ARP for routes via shapers
ip arp add deny table forward oif shaper+

5.3 Example for VRRP

# to all requests for VRIP reply with Virtual MAC
ip arp add to 1.2.3.4 llsrc 00:00:5E:00:01:10

# send all our requests from VRIP with VMAC
ip arp add table output from 1.2.3.4 llsrc 00:00:5E:00:01:10

5.4 Other examples

# deny requests for local addresses 192.168.0.4 and 192.168.0.5
root@Linux:~# ip arp add deny to 192.168.0.4
root@Linux:~# ip arp add deny to 192.168.0.5

# instead of 10.1.1.XXX announce 10.1.1.YYY when resolving
# hosts from 10.2.0.0/24
root@Linux:~# ip arp append output 200 from 10.1.1.101 to 10.2.0.0/24 src 10.1.1.1
root@Linux:~# ip arp append output 200 from 10.1.1.102 src 10.1.1.2
root@Linux:~# ip arp append output 200 from 10.1.1.103 src 10.1.1.3

# instead of 10.1.1.103 announce 10.1.1.4 with different llsrc
root@Linux:~# ip arp append output 200 from 10.1.1.103 src 10.1.1.4 llsrc 1:2:3:4:5:6

root@Linux:~# ip arp show
input rule 98 deny from all to 192.168.0.5
input rule 99 deny from all to 192.168.0.4
output rule 200 allow from 10.1.1.101 to 10.2.0.0/24 src 10.1.1.1
output rule 201 allow from 10.1.1.102 to all src 10.1.1.2
output rule 202 allow from 10.1.1.103 to all src 10.1.1.3
output rule 203 allow from 10.1.1.103 to all llsrc 01:02:03:04:05:06 src 10.1.1.4

# prepend/append rules starting from preference 200
# announce the preferred source IP address instead of 10.1.1.104
root@Linux:~# ip arp prepend output 200 from 10.1.1.104 src 0.0.0.0
root@Linux:~# ip arp append output 200 from 10.1.1.0/24 src 10.1.1.1

root@Linux:~# ip arp show
input rule 98 deny from all to 192.168.0.5
input rule 99 deny from all to 192.168.0.4
output rule 199 allow from 10.1.1.104 to all src 0.0.0.0
output rule 200 allow from 10.1.1.101 to 10.2.0.0/24 src 10.1.1.1
output rule 201 allow from 10.1.1.102 to all src 10.1.1.2
output rule 202 allow from 10.1.1.103 to all src 10.1.1.3
output rule 203 allow from 10.1.1.103 to all llsrc 01:02:03:04:05:06 src 10.1.1.4
output rule 204 allow from 10.1.1.0/24 to all src 10.1.1.1

# ignore broadcast requests for 192.168.2.0/24 when coming from
# all eth devices
root@Linux:~# ip arp append 300 deny broadcasts to 192.168.2.0/24 iif eth+

# match by source link layer address prefix
root@Linux:~# ip arp append 300 deny to 192.168.3.0/24 llfrom 00:00:21 iif eth1

root@Linux:~# ip arp show
input rule 98 deny from all to 192.168.0.5
input rule 99 deny from all to 192.168.0.4
input rule 300 deny from all to 192.168.2.0/24 iif eth+ broadcasts
input rule 301 deny from all to 192.168.3.0/24 llfrom 00:00:21 iif eth1
output rule 199 allow from 10.1.1.104 to all src 0.0.0.0
output rule 200 allow from 10.1.1.101 to 10.2.0.0/24 src 10.1.1.1
output rule 201 allow from 10.1.1.102 to all src 10.1.1.2
output rule 202 allow from 10.1.1.103 to all src 10.1.1.3
output rule 203 allow from 10.1.1.103 to all llsrc 01:02:03:04:05:06 src 10.1.1.4
output rule 204 allow from 10.1.1.0/24 to all src 10.1.1.1

# deny proxy ARP for routes via shaper1
root@Linux:~# ip arp add deny forward oif shaper1

root@Linux:~# ip arp show table forward
forward rule 99 deny from all to all oif shaper1
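As an added illustration, not part of this document or of the iparp code itself, the following Python models the table semantics described in sections 2 to 4 and replays the section 5.4 listings: unique preferences consulted in ascending order with first match winning, "append" and "prepend" walking to the first free upper or lower preference on a clash, the '+' interface wildcard, link layer prefix matching and the "broadcasts" key. The ArpTable class, the rule dictionaries and the replayed requests are constructed for this example; "add" without a preference is modelled as prepend from 99 because the listing shows 99 and then 98.

```python
import ipaddress

def _in_prefix(ip, prefix):
    # absent prefix means "all"; otherwise IP/netmask membership
    return prefix is None or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def _iface_match(pattern, name):
    # '+' is a wildcard for the rest of the interface name, e.g. "eth+"
    return (pattern is None or name == pattern
            or (pattern.endswith("+") and name.startswith(pattern[:-1])))

class ArpTable:
    """One iparp table: rules keyed by unique preference, lowest value consulted first."""
    def __init__(self):
        self.rules = {}

    def _insert(self, pref, rule, step):
        # on a clash walk to the first free preference: up for append, down for prepend
        while pref in self.rules:
            pref += step
        self.rules[pref] = rule
        return pref

    def append(self, pref, rule):
        return self._insert(pref, rule, +1)

    def prepend(self, pref, rule):
        return self._insert(pref, rule, -1)

    def lookup(self, sender, target, iif="eth0", llfrom="00:00:00:00:00:00", broadcast=True):
        """(preference, action) of the first match; None when no rule matches."""
        for pref in sorted(self.rules):
            r = self.rules[pref]
            # a link layer prefix shorter than the full address matches many senders
            if (_in_prefix(sender, r.get("from")) and _in_prefix(target, r.get("to"))
                    and _iface_match(r.get("iif"), iif)
                    and llfrom.lower().startswith((r.get("llfrom") or "").lower())
                    and (broadcast or not r.get("broadcasts"))
                    and (not broadcast or not r.get("unicasts"))):
                return pref, r.get("action", "allow")
        return None

def input_table_5_4():
    # constructed replay of the section 5.4 "input" table; 'add' without a
    # preference is modelled as prepend(99) since the listing shows 99, then 98
    t = ArpTable()
    t.prepend(99, {"action": "deny", "to": "192.168.0.4"})
    t.prepend(99, {"action": "deny", "to": "192.168.0.5"})
    t.append(300, {"action": "deny", "broadcasts": True, "to": "192.168.2.0/24", "iif": "eth+"})
    t.append(300, {"action": "deny", "to": "192.168.3.0/24", "llfrom": "00:00:21", "iif": "eth1"})
    return t
```

A lookup that returns None is the case the document describes in section 2: no rule matched, so the default action comes from the device flags and the routing rules, not from iparp.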