Enable ARP filtering #289

Merged
adrelanos merged 2 commits into Kicksecure:master from raja-grewal:arp_filter
Jan 10, 2025

@raja-grewal
Contributor

As per #279 (comment).

Changes

Set sysctl net.ipv4.conf.*.arp_filter=1

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@ArrayBolt3
Contributor

I may just be getting confused by the legitimately difficult-to-understand documentation for arp_ignore in Linux, but I don't see anything this option does that arp_ignore=2 doesn't already do. Personally, though, I'm fine with enabling it as a form of defense-in-depth (if a bug in Linux causes one option to just not work, the other one may be able to keep the system from becoming vulnerable anyway).

I do worry about how this and arp_ignore=2 may affect bridged networking under VirtualBox and libvirt. Won't these options prevent the VM from being able to find the IP addresses of any other device on the local network? If so, it may still be worth it to break that, but only if we document how to unbreak it and support doing so.

@raja-grewal
Contributor Author

Thanks for the review!

I agree that the kernel documentation is far from clear and that this setting is mainly enabled as a form of defence-in-depth on top of arp_ignore=2.

I also have concerns regarding its impact across the myriad of VM configurations.

Do you think the current documentation is sufficiently clear for a user?

@ArrayBolt3
Contributor

I guess the current documentation is clear for a user who knows how ARP works in Linux. It's a bit cryptic, but the Wiki can help with that, and like in the other places, I'll want to add some bits to the Wiki for these things anyway.

@adrelanos Looks good to me, should be ready for merge.

@adrelanos adrelanos merged commit 17ff249 into Kicksecure:master Jan 10, 2025
@raja-grewal raja-grewal deleted the arp_filter branch January 11, 2025 01:56
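
A way to check which interfaces actually end up with the two settings discussed in this thread (arp_filter=1 and arp_ignore=2), as an added example that is not part of the pull request or the project's code. It relies on the kernel's documented combination rules (arp_filter is on if either conf/all or the interface sets it; arp_ignore uses the larger of the two); the function names, the CONF_ROOT argument and the MATCH/DIFFERS labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the effective arp_filter / arp_ignore per interface.
# Kernel rules (ip-sysctl documentation):
#   arp_filter: enabled if conf/all OR conf/<if> is non-zero
#   arp_ignore: max(conf/all, conf/<if>) is used
# Usage: arp_audit            (reads the live /proc tree)
#        arp_audit CONF_ROOT  (hypothetical parameter, for a test tree)

read_val() {  # print the value stored in file $1, or 0 if it is unreadable
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Prints "<if> arp_filter=<n> arp_ignore=<n> MATCH|DIFFERS" for each
# interface and returns 1 if any interface differs from filter=1, ignore=2.
arp_audit() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all_f=$(read_val "$root/all/arp_filter")
    all_i=$(read_val "$root/all/arp_ignore")
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces
        case $ifname in all|default) continue ;; esac
        f=$(read_val "${dir}arp_filter")
        i=$(read_val "${dir}arp_ignore")
        [ "$f" -ne 0 ] && f=1                  # normalise the boolean
        [ "$all_f" -ne 0 ] && f=1              # OR with conf/all
        [ "$all_i" -gt "$i" ] && i=$all_i      # max with conf/all
        if [ "$f" -eq 1 ] && [ "$i" -eq 2 ]; then
            status=MATCH
        else
            status=DIFFERS
            rc=1
        fi
        echo "$ifname arp_filter=$f arp_ignore=$i $status"
    done
    return $rc
}
```

A DIFFERS line for a bridge or VM-facing interface is the place to start when investigating the bridged-networking concern raised above.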