vh/NetAlertX
1
0
Fork 0
mirror of https://github.com/jokob-sk/NetAlertX.git synced 2026-04-02 08:12:21 -07:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
93fc126da21c86aa27c7ff044bb9098d759d6d02
NetAlertX/docs/docker-troubleshooting/arp-flux-sysctls.md

2.5 KiB
Raw Blame History

ARP Flux Sysctls Not Set

Issue Description

NetAlertX detected that ARP flux protection sysctls are not set as expected:

  • net.ipv4.conf.all.arp_ignore=1
  • net.ipv4.conf.all.arp_announce=2

Security Ramifications

This is not a direct container breakout risk, but detection quality can degrade:

  • Incorrect IP/MAC associations
  • Device state flapping
  • Unreliable topology or presence data

Why You're Seeing This Issue

The running environment does not provide the expected kernel sysctl values. This is common in Docker setups where sysctls were not explicitly configured.

How to Correct the Issue

Option A: Via Docker (Standard Bridge Networking)

If you are using standard bridged networking (default), set these sysctls at container runtime.

  • In docker-compose.yml (preferred):

    services:
  netalertx:
    sysctls:
      net.ipv4.conf.all.arp_ignore: 1
      net.ipv4.conf.all.arp_announce: 2

  • For docker run:

    docker run \
  --sysctl net.ipv4.conf.all.arp_ignore=1 \
  --sysctl net.ipv4.conf.all.arp_announce=2 \
  ghcr.io/netalertx/netalertx:latest

Note: Setting net.ipv4.conf.all.arp_ignore and net.ipv4.conf.all.arp_announce may fail with "operation not permitted" unless the container is run with elevated privileges. To resolve this, you can:

  • Use --privileged with docker run.
  • Use the more restrictive --cap-add=NET_ADMIN (or cap_add: [NET_ADMIN] in docker-compose service definitions) to allow the sysctls to be applied at runtime.

Option B: Via Host OS (Required for network_mode: host)

If you are running the container with network_mode: host, modern Docker versions (specifically the runc runtime) will not allow you to set net.* sysctls via the container configuration. Attempting to do so will result in an OCI runtime error: sysctl "net.ipv4.conf.all.arp_announce" not allowed in host network namespace.

In this scenario, you must apply the settings directly on your host operating system:

  1. Remove the sysctls section from your docker-compose.yml.
  2. Apply on the host immediately: 
    sudo sysctl -w net.ipv4.conf.all.arp_ignore=1
sudo sysctl -w net.ipv4.conf.all.arp_announce=2
  3. Make persistent by adding the following lines to /etc/sysctl.conf on the host: 
    net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2

Additional Resources

For broader Docker Compose guidance, see: