New hack: MULTI-NIC-ARP-LOCK

2010-09-25 00:29:17 +00:00 · 2010-09-25 00:29:17 +00:00 · a2fd85688c
commit a2fd85688c
parent e5d681caf1
2 changed files with 17 additions and 2 deletions
--- a/include/functions
+++ b/include/functions
@ -138,7 +138,17 @@ function apply_ipv4_hack {
 			else
 				display_c RED "\nError: could not load $MOD_U32 module into the kernel.  Not using fix."
 			fi
-		;;	
+		;;
+		MULTI-NIC-ARP-LOCK)
+			# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
+			#						do not actually have the IP in question.  In some (alot in my case),
+			#						I have things going through specific wires for a reason.  This fixes
+			#						that and makes it behave as expected.
+			for i in default all; do
+				echo "1" > /proc/sys/net/ipv4/conf/$i/arp_ignore
+				echo "2" > /proc/sys/net/ipv4/conf/$i/arp_announce
+			done
+		;;
 		esac
 		shift
 	done
--- a/options.default
+++ b/options.default
@ -62,8 +62,13 @@ IPv4_MARK=$BASEDIR/ipv4-marks

 # Hacks to either block specific kinds of attacks or fix problems
 #
-# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
+# NS-IN-DDOS - 			Block DNS DDoS using NS/IN spoof, see:
 # http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
+# 
+# MULTI-NIC-ARP-LOCK -	By default, in Linux, arp requests may be answered by interfaces that
+#						do not actually have the IP in question.  In some (alot in my case),
+#						I have things going through specific wires for a reason.  This fixes
+#						that and makes it behave as expected.
 #
 HACK_IPV4="NS-IN-DDOS"