PROBLEM: (networking) large static ARP kernel table does not work

From: Roman Zagustin
Date: Wed Jun 23 2004 - 06:17:03 EST


Hello!

1. The kernel does not match the static ip/mac records on a large ARP
table.

2. I have a class B ethernet network segment (mask /22).
I've noticed that the kernel does not check the ip/mac combinations
statically entered by "arp -s ip mac" when the table is >800 entries.
With a small table it works perfectly.

3. I suppose that it is a kernel problem.

4. The kernel version is:
root@stargate:/proc/net# cat /proc/version
Linux version 2.6.7-rc3-bk2 (root@stargate) (gcc version 3.2.3) #1 Thu Jun 10 14:59:21 EEST 2004
(I've tried 2.4.25 and other versions - the same result)

5. I run ping to the server from the 172.16.3.230 computer.
Then I've changed the static mac record on the server:

arp -s 172.16.3.230 00:00:00:00:00:01

The MAC address of 172.16.3.230 is really different!
And after that, the 172.16.3.230 computer is still able to access
the server.


root@stargate:/proc/net# arp -s 172.16.3.230 00:00:00:00:00:01
root@stargate:/proc/net# arp -n|grep 172.16.3.230
172.16.3.230 ether 00:00:00:00:00:01 CM eth3
root@stargate:/proc/net# arp -d 172.16.3.230
root@stargate:/proc/net# arp -s 172.16.3.230 00:00:00:00:00:01
root@stargate:/proc/net# tcpdump -i eth3 host 172.16.3.230
tcpdump: listening on eth3
13:20:54.511204 172.16.3.230 > 172.16.0.4: icmp: echo request
13:20:54.514237 172.16.0.4 > 172.16.3.230: icmp: echo reply
13:20:55.512436 172.16.3.230 > 172.16.0.4: icmp: echo request
13:20:55.512549 172.16.0.4 > 172.16.3.230: icmp: echo reply
13:20:56.513894 172.16.3.230 > 172.16.0.4: icmp: echo request
<skipped>

root@stargate:/proc/net# arp -n|wc -l
823

Almost all records in the arp table are static,
because I need to prevent users from being able to access the server
with changed IP addresses (spoofed ip).


The server is a router with firewall and traffic shaper.
And it has enough resources:

14:02:36 up 12 days, 21:43, 2 users, load average: 0.08, 0.09, 0.08
47 processes: 45 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: 0.0% user 0.6% system 0.0% nice 0.0% iowait 99.3% idle
Mem: 1037116k av, 1025972k used, 11144k free, 0k shrd, 125624k buff
74948k active, 748664k inactive
Swap: 136512k av, 0k used, 136512k free 681800k cached


The problem appears only when the ARP table is very large,
because with a small table (about 200) it works as it should.
It does not depend on server load.

The linux distribution is Slackware 9.1.

There are no errors or warnings in the system logs about the arp table.
The same problem was noticed on a completely different computer.
I know that this problem is common, as I found some people on the INET
with the same trouble.
I do not want to use iptables for checking every packet for
IP/MAC correspondence, because it will raise the load.


Thank you!

--
Best regards,
Roman mailto:zagustin@xxxxxxxxx
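Added example, not part of the mail above: before suspecting the kernel, a practitioner would verify that the static mappings actually loaded into the ARP cache with the permanent flag and the expected MAC. This script parses the /proc/net/arp text format (flag bits from <net/if_arp.h>: ATF_COM=0x02 resolved, ATF_PERM=0x04 static, shown as "M" by arp -n) and audits it against an expected IP-to-MAC map; the sample table and expected map are constructed for the demo.

```python
"""Audit the kernel ARP cache against an expected static IP->MAC map."""
from __future__ import annotations

ATF_COM = 0x02   # entry resolved ("C" in arp -n output)
ATF_PERM = 0x04  # entry permanent/static ("M" in arp -n output)


def parse_proc_net_arp(text: str) -> list[dict]:
    """Parse /proc/net/arp text: IP, HW type, Flags, HW address, Mask, Device."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        entries.append({"ip": ip, "flags": int(flags, 16),
                        "mac": mac.lower(), "dev": dev})
    return entries


def audit_arp(text: str, expected: dict[str, str]) -> list[tuple[str, str]]:
    """Return sorted (ip, problem) pairs; an empty list means the cache
    matches the expected static map exactly."""
    problems = []
    seen = set()
    for e in parse_proc_net_arp(text):
        seen.add(e["ip"])
        want = expected.get(e["ip"])
        if want is None:
            problems.append((e["ip"], "entry not in static map"))
        elif not e["flags"] & ATF_PERM:
            problems.append((e["ip"], "entry is not permanent"))
        elif e["mac"] != want.lower():
            problems.append((e["ip"], f"MAC {e['mac']} != expected {want}"))
    for ip in expected:
        if ip not in seen:
            problems.append((ip, "expected static entry missing"))
    return sorted(problems)


# Constructed sample of /proc/net/arp (hypothetical hosts on eth3).
SAMPLE = """IP address       HW type     Flags       HW address            Mask     Device
172.16.3.230     0x1         0x6         00:00:00:00:00:01     *        eth3
172.16.3.231     0x1         0x2         00:11:22:33:44:55     *        eth3
172.16.3.232     0x1         0x6         00:11:22:33:44:66     *        eth3
"""
# Constructed expected static map (hypothetical values).
EXPECTED = {"172.16.3.230": "00:00:00:00:00:01",
            "172.16.3.231": "00:11:22:33:44:55",
            "172.16.3.233": "aa:bb:cc:dd:ee:ff"}

if __name__ == "__main__":
    for ip, problem in audit_arp(SAMPLE, EXPECTED):  # on a real host: open('/proc/net/arp').read()
        print(f"{ip}: {problem}")
```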
