BE: Better arpo-scan accuracy w/ system optimization

Signed-off-by: jokob-sk <jokob.sk@gmail.com>
2026-03-31 07:12:23 -07:00 · 2026-02-24 07:07:55 +11:00
parent 1a364e2fe2
commit 8fc78f02e9
2 changed files with 94 additions and 1 deletions
--- a/install/production-filesystem/entrypoint.d/36-override-individual-settings.sh
+++ b/install/production-filesystem/entrypoint.d/36-override-individual-settings.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# 36-override-loaded-plugins.sh - Applies environment variable overrides to app.conf
+# 36-override-individual-settings.sh - Applies environment variable overrides to app.conf

 set -eu

--- a/install/production-filesystem/entrypoint.d/37-host-optimization.sh
+++ b/install/production-filesystem/entrypoint.d/37-host-optimization.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+# 37-host-optimization.sh: Apply and validate network optimizations (ARP flux fix)
+#
+# This script improves detection accuracy by ensuring proper ARP behavior.
+# It attempts to apply sysctl settings and warns if not possible.
+
+# --- Color Codes ---
+RED=$(printf '\033[1;31m')
+YELLOW=$(printf '\033[1;33m')
+RESET=$(printf '\033[0m')
+
+# --- Skip flag ---
+if [ -n "${SKIP_OPTIMIZATIONS:-}" ]; then
+    exit 0
+fi
+
+# --- Helpers ---
+
+get_sysctl() {
+    sysctl -n "$1" 2>/dev/null || echo "unknown"
+}
+
+set_sysctl_if_needed() {
+    key="$1"
+    expected="$2"
+
+    current="$(get_sysctl "$key")"
+
+    # Already correct
+    if [ "$current" = "$expected" ]; then
+        return 0
+    fi
+
+    # Try to apply
+    if sysctl -w "$key=$expected" >/dev/null 2>&1; then
+        return 0
+    fi
+
+    # Failed
+    return 1
+}
+
+# --- Apply Settings (best effort) ---
+
+failed=0
+
+set_sysctl_if_needed net.ipv4.conf.all.arp_ignore 1 || failed=1
+set_sysctl_if_needed net.ipv4.conf.all.arp_announce 2 || failed=1
+set_sysctl_if_needed net.ipv4.conf.default.arp_ignore 1 || failed=1
+set_sysctl_if_needed net.ipv4.conf.default.arp_announce 2 || failed=1
+
+# --- Validate final state ---
+
+all_ignore="$(get_sysctl net.ipv4.conf.all.arp_ignore)"
+all_announce="$(get_sysctl net.ipv4.conf.all.arp_announce)"
+
+# --- Warning Output ---
+
+if [ "$all_ignore" != "1" ] || [ "$all_announce" != "2" ]; then
+    >&2 printf "%s" "${YELLOW}"
+    >&2 cat <<EOF
+══════════════════════════════════════════════════════════════════════════════
+⚠️  ATTENTION: ARP flux protection not enabled.
+
+    NetAlertX relies on ARP for device detection. Your system currently allows
+    ARP replies from incorrect interfaces (ARP flux), which may result in:
+
+      • False devices being detected
+      • IP/MAC mismatches
+      • Flapping device states
+      • Incorrect network topology
+
+    This is common when running in Docker or multi-interface environments.
+
+    ──────────────────────────────────────────────────────────────────────────
+    Recommended fix (Docker Compose):
+
+    sysctls:
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2
+
+    ──────────────────────────────────────────────────────────────────────────
+    Alternatively, apply on the host:
+
+      net.ipv4.conf.all.arp_ignore=1
+      net.ipv4.conf.all.arp_announce=2
+
+    Detection accuracy may be reduced until this is configured.
+══════════════════════════════════════════════════════════════════════════════
+EOF
+    >&2 printf "%s" "${RESET}"
+fi