Using the "hidden" device feature in Linux 2.2 and 2.4

Julian Anastasov

The "hidden" device flag is included in the Linux 2.2 kernel series starting from 2.2.14. For Linux 2.4 you still need to apply the patch, as it is not present in the mainstream kernel.

New: kernels 2.4.26 and 2.6.4 come with the "arp_ignore" and "arp_announce" interface flags, which can be used instead of the hidden flag.

Why such a feature exists: Linux 2.2+ sends ARP replies through any device where an ARP probe is received, no matter on which device the requested IP address is configured. Many Linux users believe the NOARP device flag covers this, but starting from Linux 2.2 that is no longer true.

The semantics of the "hidden" device flag can be explained in this way: it changes the ARP behavior for addresses attached to a specific interface:

(1) don't reply to broadcast probes
(2) don't announce the addresses in ARP probes
(3) the addresses are not selected by the source address autoselection mechanism

The feature is used in this way:

    # Enable the functionality
    echo 1 > /proc/sys/net/ipv4/conf/all/hidden

    # Hide all addresses on this interface
    echo 1 > /proc/sys/net/ipv4/conf/<dev>/hidden

At this point we can add IPv4 addresses on this device that will not be ARP replied to when both of the following hold:

- the ARP probe comes from another device and requests an IP address from the device marked as "hidden", and
- the ARP probe is a broadcast one

In all other cases, i.e. when the ARP probe comes from the same device where the IP address is configured or when the probe is a unicast one, the "hidden" feature does not prevent the ARP reply.

IPv4 addresses configured on a marked device will not be used by the source address selection mechanism. This is an essential requirement: it prevents the entry for this IP address in the ARP tables of other hosts from being updated as a result of them seeing our ARP probes with such a source IP.
Of course, such random autoselections can also be avoided by specifying preferred source addresses in all routes.

The hidden flag allows two or more interfaces to be connected to the same hub, with the ARP replies going only through the interface used to receive the ARP probe. This is achieved by marking these ARP devices as hidden. Such usage is not recommended, though. There are other flags that control the ARP behavior and that should be preferred in such setups: rp_filter and arp_filter.

The most common setup among LVS users is when the Virtual IP addresses are configured on device "lo" after it is marked as "hidden":

    echo 1 > /proc/sys/net/ipv4/conf/all/hidden
    echo 1 > /proc/sys/net/ipv4/conf/lo/hidden

    # Now it is safe to add Virtual IP addresses. We are sure that
    # the device is already marked as hidden:
    ip addr add 10.0.0.1 dev lo

The key in such usage is that device "lo" is selected because it is a NOARP one. Of course, any NOARP device can be marked hidden and used in the same way, for example the dummy devices. The only difference is that device "lo" can be used to define networks from local addresses, which is not possible for the other devices. Of course, don't try to configure the same IP address on many devices, because the result could be unexpected.

Note that device "lo" can be used to set up networks from local addresses. The following two commands are quite different:

    ip addr add 10.0.0.1 dev lo
    ip addr add 10.0.0.1/24 dev lo

The first one configures 1 local IP address while the second configures 256 local addresses.
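As an added example (not part of Anastasov's text), a POSIX shell audit of the flag state described above: it reports, per device, whether the legacy "hidden" flag or its arp_ignore replacement will stop replies to broadcast probes arriving on other interfaces. It assumes the "both all/hidden and <dev>/hidden must be 1" usage shown in the text, and the rule that the kernel takes the larger of the "all" and per-device arp_ignore values from the kernel's ip-sysctl documentation; the function names and the constructed test tree are my own, and on a real box the root argument would be /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example, not from Julian Anastasov's text: audit which devices will
# answer broadcast ARP probes received on *other* interfaces. It reads the
# legacy "hidden" flag (in effect only when both all/hidden and <dev>/hidden
# are 1, as the text's usage shows) and the arp_ignore flag that replaced it
# (the kernel applies the larger of the "all" and per-device values).
# Pass /proc/sys/net/ipv4/conf, or a constructed tree, as the root.

# read_flag <root> <dev> <name>: flag value, or 0 when the file does not exist
# (for instance "hidden" on a kernel without the patch).
read_flag() {
    if [ -r "$1/$2/$3" ]; then cat "$1/$2/$3"; else echo 0; fi
}

max2() { if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi; }

# arp_state <root> <dev> prints one of:
#   hidden      legacy flag in effect: no reply to broadcast probes from other devices
#   arp_ignore  arp_ignore>=1: reply only when the target is on the receiving device
#   exposed     the addresses are answered for on any interface (the 2.2+ default)
arp_state() {
    if [ "$(read_flag "$1" all hidden)" = 1 ] && [ "$(read_flag "$1" "$2" hidden)" = 1 ]; then
        echo hidden
    elif [ "$(max2 "$(read_flag "$1" all arp_ignore)" "$(read_flag "$1" "$2" arp_ignore)")" -ge 1 ]; then
        echo arp_ignore
    else
        echo exposed
    fi
}

# make_demo_tree <dir>: constructed sysctl tree mimicking a patched box with
# the VIPs on a hidden "lo", eth0 untouched and eth1 using arp_ignore instead.
make_demo_tree() {
    for d in all lo eth0 eth1; do mkdir -p "$1/$d"; done
    echo 1 > "$1/all/hidden";  echo 1 > "$1/lo/hidden"
    echo 0 > "$1/eth0/hidden"; echo 0 > "$1/eth0/arp_ignore"
    echo 0 > "$1/eth1/hidden"; echo 1 > "$1/eth1/arp_ignore"
}

# audit <root>: one line per device directory (skipping the all/default templates)
audit() {
    for p in "$1"/*/; do
        d=$(basename "$p")
        case "$d" in all|default) continue ;; esac
        printf '%-8s %s\n' "$d" "$(arp_state "$1" "$d")"
    done
}

demo=$(mktemp -d); make_demo_tree "$demo"; audit "$demo"; rm -r "$demo"
```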