Detect sysctls only, don't modify sysctls; allow user to modify.

Adam Outler
2026-03-02 19:42:00 +00:00
parent b0aa5d0e45
commit 0555105473


@@ -1,92 +1,30 @@
#!/bin/sh
# 37-host-optimization.sh: Apply and validate network optimizations (ARP flux fix)
# 37-host-optimization.sh: Detect ARP flux sysctl configuration.
#
# This script improves detection accuracy by ensuring proper ARP behavior.
# It attempts to apply sysctl settings and warns if not possible.
# This script does not change host/kernel settings.
# --- Color Codes ---
RED=$(printf '\033[1;31m')
YELLOW=$(printf '\033[1;33m')
RESET=$(printf '\033[0m')
# --- Skip flag ---
if [ -n "${SKIP_OPTIMIZATIONS:-}" ]; then
exit 0
fi
# --- Helpers ---
get_sysctl() {
sysctl -n "$1" 2>/dev/null || echo "unknown"
}
set_sysctl_if_needed() {
key="$1"
expected="$2"
current="$(get_sysctl "$key")"
# Already correct
if [ "$current" = "$expected" ]; then
return 0
fi
# Try to apply
if sysctl -w "$key=$expected" >/dev/null 2>&1; then
return 0
fi
# Failed
return 1
}
# --- Apply Settings (best effort) ---
failed=0
set_sysctl_if_needed net.ipv4.conf.all.arp_ignore 1 || failed=1
set_sysctl_if_needed net.ipv4.conf.all.arp_announce 2 || failed=1
set_sysctl_if_needed net.ipv4.conf.default.arp_ignore 1 || failed=1
set_sysctl_if_needed net.ipv4.conf.default.arp_announce 2 || failed=1
[ "$(sysctl -n net.ipv4.conf.all.arp_ignore 2>/dev/null || echo unknown)" = "1" ] || failed=1
[ "$(sysctl -n net.ipv4.conf.all.arp_announce 2>/dev/null || echo unknown)" = "2" ] || failed=1
# --- Validate final state ---
all_ignore="$(get_sysctl net.ipv4.conf.all.arp_ignore)"
all_announce="$(get_sysctl net.ipv4.conf.all.arp_announce)"
# --- Warning Output ---
if [ "$all_ignore" != "1" ] || [ "$all_announce" != "2" ]; then
if [ "$failed" -eq 1 ]; then
>&2 printf "%s" "${YELLOW}"
>&2 cat <<EOF
>&2 cat <<'EOF'
══════════════════════════════════════════════════════════════════════════════
⚠️ ATTENTION: ARP flux protection not enabled.
NetAlertX relies on ARP for device detection. Your system currently allows
ARP replies from incorrect interfaces (ARP flux), which may result in:
• False devices being detected
• IP/MAC mismatches
• Flapping device states
• Incorrect network topology
This is common when running in Docker or multi-interface environments.
──────────────────────────────────────────────────────────────────────────
Recommended fix (Docker Compose):
sysctls:
net.ipv4.conf.all.arp_ignore: 1
net.ipv4.conf.all.arp_announce: 2
──────────────────────────────────────────────────────────────────────────
Alternatively, apply on the host:
⚠️ WARNING: ARP flux sysctls are not set.
Expected values:
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
Detection accuracy may be reduced until this is configured.
Detection accuracy may be reduced until configured.
See: https://docs.netalertx.com/docker-troubleshooting/arp-flux-sysctls/
══════════════════════════════════════════════════════════════════════════════
EOF
>&2 printf "%s" "${RESET}"