Proxy arp
0 likes1,187 views
The document discusses using proxy ARP to allow multiple containers and VMs to share a single network interface on the host machine. It notes some limitations of alternative approaches like Linux bridges, Open vSwitch, and MACVLAN. It also describes some issues with proxy ARP like stealing MAC addresses and requiring static routing. The proposed solution is to use arptables to selectively allow ARP requests from specific IP addresses to prevent MAC address conflicts while enabling network access for containers and VMs.
Proxy arp
- 1. PROXY_ARP Marian HackMan Marinov <mm@1h.com>
- 3. Add a router to the bunch
- 5. With Containers/VM Host MachineHost Machine
- 10. Why not use OpenVswitch, brctl or even MACVLAN ● Linux bridge is limited to around 200Mbit/s ● OpenVswitch eats a lot of RAM and CPU. When you receive DDoS your whole system goes down ● both OpenVswitch and MACVLAN do not allow you to use iptables/ebtables and leak broadcasts
- 11. proxy_arp issues ● stealing MACs of neighboring machines – arptables helps with that – static ARP entries speedup the responses and also help with the security ● requires static routing for each container/VM – but you can solve that with BIRD ● gratuitous and unsolicited ARP requests simply don't work – that is why I wrote arpsniff: https://github.com/Kyup-com/arpsniff
- 12. # arping -I eth0 -U 192.168.0.10 does not work :( # arping -I eth0 -A 192.168.0.10 does not work :(
- 13. Solution - arp stealing # arptables -P OUT DROP # arptables -I OUT -j ACCEPT -o eth0 -z XX:XX:XX.. -s 192.168.0.100 # arptables -I OUT -j ACCEPT -o eth0 -z XX:XX:XX.. -s 192.168.0.10 # arptables -I OUT -j ACCEPT -o veth0
- 14. THANK YOUUUUTHANK YOUUUU Marian HackMan Marinov <mm@1h.com>