Respond to ARP requests only if the target IP address is on-link

[raja-grewal]

As per #279 (comment).

Changes

Set sysctl net.ipv4.conf.*.arp_ignore=2

Mandatory Checklist

• Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

• I have tested it locally
• I have reviewed and updated any documentation if relevant
• I am providing new code and test(s) for it

[ArrayBolt3]

Seems very useful. I mentioned some concerns here: #289 (comment) This should still be usable though as long as we document how to undo it.

Minor nitpick, but there seems to be some extra whitespace (two spaces in a row) in the comments above the actual sysctl option.

[raja-grewal]

Thanks for the review!

The double spaces in the README.md are there to limit line length.

As per the documentation (see also the recent Mullvad VPN audit), I think enabling this setting is currently a high-priority concern.

[ArrayBolt3]

kk, that's fine. I can document this in the Wiki for us, and I agree this is important.

@adrelanos I consider this ready to merge.

[adrelanos]

This caused some issues:

• After recent update, Windows HVM can no longer network through Whonix gateway QubesOS/qubes-issues#9990
• https://forums.whonix.org/t/recent-whonix-gateway-17-update-breaks-vpn-and-other-passthrough-functionality/21826

[ArrayBolt3]

Not a surprise, as mentioned in other comments this change was going to probably break things, thus why it's important to document how to undo it. We may be able to improve our documentation so that people running into these problems know what to change though.

[ArrayBolt3]

The current wiki documentation on this is at https://www.kicksecure.com/wiki/Networking#ARP_sysctl_settings