Is it important to fix warnings about martian packets in the kernel ring buffer?
Clash Royale CLAN TAG#URR8PPP
up vote
3
down vote
favorite
These are the outputs I see when I run dmesg
[1373335.656608] device eth0 entered promiscuous mode
[1373364.891962] device eth1 entered promiscuous mode
[1374537.599978] IPv4: martian source 10.5.0.2 from 203.115.192.116, on dev eth0
[1374562.256536] device eth1 left promiscuous mode
[1375229.342282] device eth1 entered promiscuous mode
[1376178.967446] device eth0 left promiscuous mode
[1376182.455498] device eth0 entered promiscuous mode
- Q1) I know that martian packets have source addresses that are using non-routable IPs. This host is a Google compute instance with an ephemeral public IP. What does "martian source 10.5.0.2 from 203.115.192.116" mean ?
- Q2) Should I iptables filter these (for security sake) ?
debian networking google-cloud
asked Sep 7 at 19:03
Bon Ami
3081410
add a comment |Â
up vote
3
down vote
favorite
These are the outputs I see when I run dmesg
[1373335.656608] device eth0 entered promiscuous mode
[1373364.891962] device eth1 entered promiscuous mode
[1374537.599978] IPv4: martian source 10.5.0.2 from 203.115.192.116, on dev eth0
[1374562.256536] device eth1 left promiscuous mode
[1375229.342282] device eth1 entered promiscuous mode
[1376178.967446] device eth0 left promiscuous mode
[1376182.455498] device eth0 entered promiscuous mode
- Q1) I know that martian packets have source addresses that are using non-routable IPs. This host is a Google compute instance with an ephemeral public IP. What does "martian source 10.5.0.2 from 203.115.192.116" mean ?
- Q2) Should I iptables filter these (for security sake) ?
debian networking google-cloud
asked Sep 7 at 19:03
Bon Ami
3081410
add a comment |Â
up vote
3
down vote
favorite
up vote
3
down vote
favorite
These are the outputs I see when I run dmesg
[1373335.656608] device eth0 entered promiscuous mode
[1373364.891962] device eth1 entered promiscuous mode
[1374537.599978] IPv4: martian source 10.5.0.2 from 203.115.192.116, on dev eth0
[1374562.256536] device eth1 left promiscuous mode
[1375229.342282] device eth1 entered promiscuous mode
[1376178.967446] device eth0 left promiscuous mode
[1376182.455498] device eth0 entered promiscuous mode
- Q1) I know that martian packets have source addresses that are using non-routable IPs. This host is a Google compute instance with an ephemeral public IP. What does "martian source 10.5.0.2 from 203.115.192.116" mean ?
- Q2) Should I iptables filter these (for security sake) ?
debian networking google-cloud
asked Sep 7 at 19:03
Bon Ami
3081410
These are the outputs I see when I run dmesg
[1373335.656608] device eth0 entered promiscuous mode
[1373364.891962] device eth1 entered promiscuous mode
[1374537.599978] IPv4: martian source 10.5.0.2 from 203.115.192.116, on dev eth0
[1374562.256536] device eth1 left promiscuous mode
[1375229.342282] device eth1 entered promiscuous mode
[1376178.967446] device eth0 left promiscuous mode
[1376182.455498] device eth0 entered promiscuous mode
- Q1) I know that martian packets have source addresses that are using non-routable IPs. This host is a Google compute instance with an ephemeral public IP. What does "martian source 10.5.0.2 from 203.115.192.116" mean ?
- Q2) Should I iptables filter these (for security sake) ?
debian networking google-cloud
debian networking google-cloud
asked Sep 7 at 19:03
Bon Ami
3081410
asked Sep 7 at 19:03
Bon Ami
3081410
asked Sep 7 at 19:03
Bon Ami
3081410
asked Sep 7 at 19:03
Bon Ami
3081410
asked Sep 7 at 19:03
Bon Ami
3081410
3081410
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
2
down vote
Martian packets are when an expected local address is seen in that interface (e.g. packets local to the network with a different network of that packet).
While it is not an advised network design, it can happen some networks have "martian" packets by design (e.g. VLANs/physical networks with several logical networks).
If you are using iptables in a server, it might not be a bad idea filtering out packets that you should not see.
Note that however, while I would have martian logging in a pre-production setting, I would prefer to not log martian as that usually it generates a lot of logs, and taxes your I/O operations.
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
add a comment |Â
up vote
1
down vote
A packet arriving on an interface is considered "martian" if a hypothetical reply packet would be routed through a different interface. In your case 203.115.192.116 sent a packet to 10.5.0.2, which arrived on your eth0 interface. If 10.5.0.2 is your address, ip route get 203.115.192.116 correctly reports an interface different from eth0, and you actually intend to do such asymmetric routing, then these martian logs should be disabled like
echo 0 > /proc/sys/net/ipv4/conf/eth0/log_martians
and rp_filter must be disabled as well. Otherwise (and this seems much more probable) there is a routing problem somewhere which should be fixed. If it can't be fixed (quite possible in a hosted cloud environment), you can disable logging altogether like above or drop more selectively by iptables (the filter chain may be too late for that, though).
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
$ ip route get 203.115.192.116returns eth0 (not asymmetric).
– Bon Ami
Sep 10 at 0:45
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include thell headerline following the martian report and the output of theip a,ping -c3 203.115.192.116,ip route get 203.115.192.116andip neigh show to 203.115.192.116commands (in this order) into your question.
– Ferenc Wágner
Sep 10 at 11:00
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
Martian packets are when an expected local address is seen in that interface (e.g. packets local to the network with a different network of that packet).
While it is not an advised network design, it can happen some networks have "martian" packets by design (e.g. VLANs/physical networks with several logical networks).
If you are using iptables in a server, it might not be a bad idea filtering out packets that you should not see.
Note that however, while I would have martian logging in a pre-production setting, I would prefer to not log martian as that usually it generates a lot of logs, and taxes your I/O operations.
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
add a comment |Â
up vote
2
down vote
Martian packets are when an expected local address is seen in that interface (e.g. packets local to the network with a different network of that packet).
While it is not an advised network design, it can happen some networks have "martian" packets by design (e.g. VLANs/physical networks with several logical networks).
If you are using iptables in a server, it might not be a bad idea filtering out packets that you should not see.
Note that however, while I would have martian logging in a pre-production setting, I would prefer to not log martian as that usually it generates a lot of logs, and taxes your I/O operations.
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
add a comment |Â
up vote
2
down vote
up vote
2
down vote
Martian packets are when an expected local address is seen in that interface (e.g. packets local to the network with a different network of that packet).
While it is not an advised network design, it can happen some networks have "martian" packets by design (e.g. VLANs/physical networks with several logical networks).
If you are using iptables in a server, it might not be a bad idea filtering out packets that you should not see.
Note that however, while I would have martian logging in a pre-production setting, I would prefer to not log martian as that usually it generates a lot of logs, and taxes your I/O operations.
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
Martian packets are when an expected local address is seen in that interface (e.g. packets local to the network with a different network of that packet).
While it is not an advised network design, it can happen some networks have "martian" packets by design (e.g. VLANs/physical networks with several logical networks).
If you are using iptables in a server, it might not be a bad idea filtering out packets that you should not see.
Note that however, while I would have martian logging in a pre-production setting, I would prefer to not log martian as that usually it generates a lot of logs, and taxes your I/O operations.
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
answered Sep 7 at 19:24
Rui F Ribeiro
36.8k1273117
36.8k1273117
add a comment |Â
add a comment |Â
up vote
1
down vote
A packet arriving on an interface is considered "martian" if a hypothetical reply packet would be routed through a different interface. In your case 203.115.192.116 sent a packet to 10.5.0.2, which arrived on your eth0 interface. If 10.5.0.2 is your address, ip route get 203.115.192.116 correctly reports an interface different from eth0, and you actually intend to do such asymmetric routing, then these martian logs should be disabled like
echo 0 > /proc/sys/net/ipv4/conf/eth0/log_martians
and rp_filter must be disabled as well. Otherwise (and this seems much more probable) there is a routing problem somewhere which should be fixed. If it can't be fixed (quite possible in a hosted cloud environment), you can disable logging altogether like above or drop more selectively by iptables (the filter chain may be too late for that, though).
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
$ ip route get 203.115.192.116returns eth0 (not asymmetric).
– Bon Ami
Sep 10 at 0:45
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include thell headerline following the martian report and the output of theip a,ping -c3 203.115.192.116,ip route get 203.115.192.116andip neigh show to 203.115.192.116commands (in this order) into your question.
– Ferenc Wágner
Sep 10 at 11:00
add a comment |Â
up vote
1
down vote
A packet arriving on an interface is considered "martian" if a hypothetical reply packet would be routed through a different interface. In your case 203.115.192.116 sent a packet to 10.5.0.2, which arrived on your eth0 interface. If 10.5.0.2 is your address, ip route get 203.115.192.116 correctly reports an interface different from eth0, and you actually intend to do such asymmetric routing, then these martian logs should be disabled like
echo 0 > /proc/sys/net/ipv4/conf/eth0/log_martians
and rp_filter must be disabled as well. Otherwise (and this seems much more probable) there is a routing problem somewhere which should be fixed. If it can't be fixed (quite possible in a hosted cloud environment), you can disable logging altogether like above or drop more selectively by iptables (the filter chain may be too late for that, though).
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
$ ip route get 203.115.192.116returns eth0 (not asymmetric).
– Bon Ami
Sep 10 at 0:45
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include thell headerline following the martian report and the output of theip a,ping -c3 203.115.192.116,ip route get 203.115.192.116andip neigh show to 203.115.192.116commands (in this order) into your question.
– Ferenc Wágner
Sep 10 at 11:00
add a comment |Â
up vote
1
down vote
up vote
1
down vote
A packet arriving on an interface is considered "martian" if a hypothetical reply packet would be routed through a different interface. In your case 203.115.192.116 sent a packet to 10.5.0.2, which arrived on your eth0 interface. If 10.5.0.2 is your address, ip route get 203.115.192.116 correctly reports an interface different from eth0, and you actually intend to do such asymmetric routing, then these martian logs should be disabled like
echo 0 > /proc/sys/net/ipv4/conf/eth0/log_martians
and rp_filter must be disabled as well. Otherwise (and this seems much more probable) there is a routing problem somewhere which should be fixed. If it can't be fixed (quite possible in a hosted cloud environment), you can disable logging altogether like above or drop more selectively by iptables (the filter chain may be too late for that, though).
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
A packet arriving on an interface is considered "martian" if a hypothetical reply packet would be routed through a different interface. In your case 203.115.192.116 sent a packet to 10.5.0.2, which arrived on your eth0 interface. If 10.5.0.2 is your address, ip route get 203.115.192.116 correctly reports an interface different from eth0, and you actually intend to do such asymmetric routing, then these martian logs should be disabled like
echo 0 > /proc/sys/net/ipv4/conf/eth0/log_martians
and rp_filter must be disabled as well. Otherwise (and this seems much more probable) there is a routing problem somewhere which should be fixed. If it can't be fixed (quite possible in a hosted cloud environment), you can disable logging altogether like above or drop more selectively by iptables (the filter chain may be too late for that, though).
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
answered Sep 9 at 7:27
Ferenc Wágner
2,799920
2,799920
$ ip route get 203.115.192.116returns eth0 (not asymmetric).
– Bon Ami
Sep 10 at 0:45
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include thell headerline following the martian report and the output of theip a,ping -c3 203.115.192.116,ip route get 203.115.192.116andip neigh show to 203.115.192.116commands (in this order) into your question.
– Ferenc Wágner
Sep 10 at 11:00
add a comment |Â
$ ip route get 203.115.192.116returns eth0 (not asymmetric).
– Bon Ami
Sep 10 at 0:45
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include thell headerline following the martian report and the output of theip a,ping -c3 203.115.192.116,ip route get 203.115.192.116andip neigh show to 203.115.192.116commands (in this order) into your question.
– Ferenc Wágner
Sep 10 at 11:00
$ ip route get 203.115.192.116 returns eth0 (not asymmetric).– Bon Ami
Sep 10 at 0:45
$ ip route get 203.115.192.116 returns eth0 (not asymmetric).– Bon Ami
Sep 10 at 0:45
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include the
ll header line following the martian report and the output of the ip a, ping -c3 203.115.192.116, ip route get 203.115.192.116 and ip neigh show to 203.115.192.116 commands (in this order) into your question.– Ferenc Wágner
Sep 10 at 11:00
And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include the
ll header line following the martian report and the output of the ip a, ping -c3 203.115.192.116, ip route get 203.115.192.116 and ip neigh show to 203.115.192.116 commands (in this order) into your question.– Ferenc Wágner
Sep 10 at 11:00
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f467608%2fis-it-important-to-fix-warnings-about-martian-packets-in-the-kernel-ring-buffer%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
