From owner-freebsd-net@FreeBSD.ORG Tue Nov 8 22:40:17 2011 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA200106564A for ; Tue, 8 Nov 2011 22:40:17 +0000 (UTC) (envelope-from wittigal@msu.edu) Received: from sys01.mail.msu.edu (sys01.mail.msu.edu [35.9.75.101]) by mx1.freebsd.org (Postfix) with ESMTP id 9C9F88FC0A for ; Tue, 8 Nov 2011 22:40:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=msu.edu; s=mail; h=Mime-Version:To:Message-Id:Date:Subject:Content-Transfer-Encoding:Content-Type:From; bh=yRB9ioENag9mf3ZkYOrKX9avDEtV9JlmdFQNOcC5d3s=; b=cPhv8Cn2lJgaeF4sK7adwRyu0CWpYe1WTIG7EMSprowSr9xoU9uaX8qtOJKKulBh8Qr6DwqxCFQUF2MbByazrNByIvFjkiRHRWF0FtJQE9qWc/KqSvpyTOHsDzJdvpfvWViVoqxOW+wAvhpRM5WH8y55ZHn55G/xRrIi6JLPmHE=; Received: from prokofiev.bt.pa.msu.edu ([35.9.70.209] helo=[192.168.0.154]) Authenticated ID: wittigal by sys01.mail.msu.edu with esmtpsa (Exim 4.75 #3) (TLSv1:AES128-SHA:128) id 1RNtwM-000283-HT for freebsd-net@freebsd.org; Tue, 08 Nov 2011 17:14:46 -0500 From: Alexander Wittig Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Tue, 8 Nov 2011 17:14:45 -0500 Message-Id: <96A5211A-398B-4773-8C6A-2D772D241CF0@msu.edu> To: freebsd-net@freebsd.org Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) X-Virus: None found by Clam AV Subject: FreeBSD 9 and ARP multicast source address error messages X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Nov 2011 22:40:17 -0000 Hello I upgraded one of my machines from FreeBSD 8 to 9.0-RC1 (FreeBSD = bt.pa.msu.edu 9.0-RC1 FreeBSD 9.0-RC1 #3: Fri Oct 28 16:45:28 EDT 2011 = root@bt.pa.msu.edu:/usr/obj/usr/src/sys/ALEX i386), and ever since = that upgrade the kernel keeps flooding my log files with messages like = these: Nov 7 16:40:01 bt kernel: in_arp: source hardware address is = multicast.in_arp: source hardware address is multicast. Nov 7 16:42:02 bt kernel: in_arp: source hardware address is = multicast.in_arp: source hardware address is multicast. A Google search for these didn't reveal any useful results as to why = this happens or how to fix it. So I did a tcpdump and matched the time = stamps with packets, and I found the ones causing problems (the only = ones with a multicast bit set) to be like this: 16:40:01.099823 02:02:23:09:44:3c > 03:bf:23:09:44:87, ethertype ARP = (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 35.9.68.228 = is-at 03:bf:23:09:44:e4, length 46 0x0000: 03bf 2309 4487 0202 2309 443c 0806 0001 0x0010: 0800 0604 0002 03bf 2309 44e4 2309 44e4 0x0020: 02bf 2309 443c 2309 4487 0000 0000 0000 0x0030: 0000 0000 0000 0000 0000 0000 It appears the broadcast MAC 03:bf:23:09:44:87 is part of Microsoft's = network load balancing mechanism, with the 03:bf indicating that much = and the 23:09:44:87 containing the IP address of the load balance = cluster (35.9.68.228). These types of MACs seem to be commonly used in = their load balancing implementation. To prevent these messages from producing thousands of lines of logs each = day, I added the following two IPFW rules and enabled ethernet package = filtering (sysctl net.link.ether.ipfw=3D1): deny ip from any to any MAC 03:bf:00:00:00:00/16 any layer2 allow ip from any to any layer2 This effectively blocks those packages and the resulting error messages. = But I'm wondering if the newly added(?) ARP code in FBSD 9 is a bit too = fussy about these, or if MS is abusing the ARP protocol here. Either = way, this was never a problem with FBSD 7 or 8. Cheers, Alexander Please CC me on replies as I'm not subscribed to the freebsd-net list.=