[SCM] Samba Shared Repository - branch master updated

Anoop C S anoopcs at samba.org
Thu Oct 17 18:54:01 UTC 2024


The branch, master has been updated
       via  919510d86ba ctdb-scripts: Don't set arp_filter=1 by default in 10.interface
      from  ce10b28566e third_party/heimdal: Import lorikeet-heimdal-202410161454 (commit 0d61538a16b5051c820702f0711102112cd01a83)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 919510d86ba18bdda2011512632e059f1088a6a1
Author: Martin Schwenke <mschwenke at ddn.com>
Date:   Tue Oct 15 14:11:15 2024 +1100

    ctdb-scripts: Don't set arp_filter=1 by default in 10.interface
    
    That is, no longer set sysctl net.ipv4.conf.all.arp_filter=1 in
    10.interface.  Only do this in 13.per_ip_routing.
    
    This effectively reverts commit
    0ebd7beb4bcae324acf8e733500a983d22b47e9b by Ronnie Sahlberg from 2007.
    I have discussed this with Ronnie.  This setting was originally added
    to force incoming traffic to the interface hosting each IP.  This
    would spread the load across multiple interfaces hosting the same
    subnet.  Without the setting, incoming traffic would go to the first
    interface to answer an ARP request, so could be unbalanced if one
    interface tended to answer more quickly.
    
    However, networks are now faster and interface bonding/teaming works
    well in Linux, so it is less likely that multiple interfaces will be
    used in this way.
    
    Also, problems are occurring in exactly the case this is meant to
    help: when multiple interfaces host the same subnet.
    
    The Linux kernel documentation for this option says:
    
      arp_filter - BOOLEAN
            - 1 - Allows you to have multiple network interfaces on the same
              subnet, and have the ARPs for each interface be answered
              based on whether or not the kernel would route a packet from
              the ARP'd IP out that interface (therefore you must use source
              based routing for this to work). In other words it allows control
              of which cards (usually 1) will respond to an arp request.
    
            - 0 - (default) The kernel can respond to arp requests with addresses
              from other interfaces. This may seem wrong but it usually makes
              sense, because it increases the chance of successful communication.
              IP addresses are owned by the complete host on Linux, not by
              particular interfaces. Only for more complex setups like load-
              balancing, does this behaviour cause problems.
    
            arp_filter for the interface will be enabled if at least one of
            conf/{all,interface}/arp_filter is set to TRUE,
            it will be disabled otherwise
    
    Note the part for arp_filter=1 that says "you must use source based
    routing for this to work".  The problems are probably due to a lack of
    source-based routing when this is only used with 10.interface.  In
    this case, outbound packets can come from a different
    interface (corresponding to the first matching route), with a
    different MAC address.  There is clearly some infrastructure or packet
    filtering out there that objects to such asymmetric packet flows.
    
    So, drop this setting from 10.interface because it isn't working as
    intended.  Continue to enable it in 13.per_ip_routing, which exists to
    set up the required source-based routing.
    
    This change may affect balancing of packet flows when public IP
    addresses can be hosted by multiple interfaces, but does not stop that
    feature from working.
    
    Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
    Reviewed-by: Anoop C S <anoopcs at samba.org>
    
    Autobuild-User(master): Anoop C S <anoopcs at samba.org>
    Autobuild-Date(master): Thu Oct 17 18:53:32 UTC 2024 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 ctdb/config/events/legacy/10.interface.script | 6 ------
 1 file changed, 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script
index fdc559ee1c8..9aa067b4a61 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -121,12 +121,6 @@ ctdb_check_args "$@"
 
 case "$1" in
 init)
-	# make sure that we only respond to ARP messages from the NIC where
-	# a particular ip address is associated.
-	get_proc sys/net/ipv4/conf/all/arp_filter >/dev/null 2>&1 && {
-	    set_proc sys/net/ipv4/conf/all/arp_filter 1
-	}
-
 	_promote="sys/net/ipv4/conf/all/promote_secondaries"
 	get_proc "$_promote" >/dev/null 2>&1 || \
 	    die "Public IPs only supported if promote_secondaries is available"
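Review bot: The block removed from the init case has no counterpart that restores net.ipv4.conf.all.arp_filter to 0, so a node that already ran the old 10.interface keeps the value 1 until it reboots or an administrator resets it. The asymmetric-flow problem described in the commit message can therefore persist after an upgrade. Consider saying so in the commit message or release notes. The same note could tell sites that relied on the old behaviour to set the sysctl themselves or to enable 13.per_ip_routing.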


-- 
Samba Shared Repository
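
Added example, not part of the commit or of CTDB's own scripts: a shell check for the mismatch the commit message describes, arp_filter enabled with no source-based policy rules in place. The function names, the eth0 interface and the sample `ip rule show` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag arp_filter enabled without source-based policy rules.

# has_source_rules RULES: succeed if the "ip rule show" text in $1 has a
# rule that selects on a source address other than "all".
has_source_rules() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "from" && $(i + 1) != "all") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# arp_filter_effective ALL IFACE: per the kernel text quoted in the commit
# message, the filter is on if either conf/all or conf/<iface> is set.
arp_filter_effective() {
    [ "$1" = "1" ] || [ "$2" = "1" ]
}

# check_arp_filter ALL IFACE RULES: print a verdict; return 1 on mismatch.
check_arp_filter() {
    if ! arp_filter_effective "$1" "$2"; then
        echo "ok: arp_filter off"
        return 0
    fi
    if has_source_rules "$3"; then
        echo "ok: arp_filter on with source-based rules"
        return 0
    fi
    echo "warn: arp_filter on without source-based rules"
    return 1
}

# Constructed sample "ip rule show" outputs (not captured from a real host).
RULES_DEFAULT='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'
RULES_PER_IP='0: from all lookup local
100: from 10.0.0.0/24 lookup 100
32766: from all lookup main'

# On a live node, pass real values instead of the samples (eth0 assumed):
#   check_arp_filter "$(cat /proc/sys/net/ipv4/conf/all/arp_filter)" \
#       "$(cat /proc/sys/net/ipv4/conf/eth0/arp_filter)" "$(ip rule show)"
check_arp_filter 1 0 "$RULES_DEFAULT" || true
```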


