Martian source / Martian packets
In Linux, by default, packets are considered individually for routing purposes. Thus, all the routing algorithm determines where to send a packet based on that packet itself, without taking into consideration that the packet may be a response packet of sorts.
In a typical setup, this means that all outgoing traffic is going out over one interface, say, eth0 even if the incoming packet was sent to interface eth1.
One typical side effect of this algorithm is creation of so called "martian packets". A martian packet is an IP packet which specifies a source or destination address that is either reserved for special-use by Internet Assigned Numbers Authority (IANA) or does not belong to the subnet on which this interface exists, and that makes no sense. [RFC 1812]. For example, if two interfaces are connected to two subnets of 10 network, and default router is configured for eth0, then without expisit routing statement you can‘t respond to the packet send to eth1, which is not on the local segment for this network.
In other words, a martian packet header source IP address is usually a IP address that iether:
- should not be routable
- came from a wrong subnet.
For example, a 127.0.0.0/8 IP address coming through a router, would be labeled as being martian, as such packets should be local only and should not travel via the network.
RFC 1812 defines the term a martian source the following way:
"An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address.
"An IP destination address is invalid if it is among those defined as illegal destinations in 4.2.3.1, or is a Class E address (except 255.255.255.255).
"A router SHOULD NOT forward any packet that has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a source address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.
"A router SHOULD NOT forward any packet that has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loop-back interface, any packet that has a destination address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.
"If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the link Layer address of the hostor router from which the packet was received."
Martian source is network traffic from the wrong subnet appearing on an interface. For example if:
eth0 has IP 192.168.0.1 on subnet 255.255.255.0 eth1 has IP 192.168.1.1 on subnet 255.255.255.0
This means that eth0 should only see IP traffic from IP addresses from its subnet (192.168.0.x) and eth1 should only see traffic from its subnet (192.168.1.x)
If an IP on the network is still configured with a previous network address (202.167.2.34) and is seen on eth1 it will be seen as martian source.
If one of the machines on the network 192.168.0.x is plugged into the wrong switch and is effectively on the same network segment (physical) as eth1, then you will see martian source from that IP address (or you have multiple networks that the Linux box is not aware of)
Martian source is not a major thing, but such messages help making you aware of the fact that something in your network setup is either setup incorrectly, or not configured optimally.
This behavior is controlled by setting in /etc/sysctl.conf
# Controls source route verification net.ipv4.conf.default.rp_filter = 1
There is a other situation you can see the martian source.
Server 1 | Server 2 |
eth0: 10.249.111.10 netmask 255.255.255.0 eth2: 192.168.111.10 netmask 255.255.255.0 eth2:1: 10.249.111.161 netmask 255.255.255.0 |
eth0: 10.249.111.11 netmask 255.255.255.0 eth2: 192.168.111.11 netmask 255.255.255.0 eth2:1: 10.249.111.162 netmask 255.255.255.0 |
Generally connect from Server 1 eth0 to server 2 eth2:1 should be ok vice versa. But the kernel on server 2 will report :
IPv4: martian source 10.249.111.162 from 10.249.111.10, on dev eth2
ll header: 00000000: ff ff ff ff ff ff 02 13 02 00 28 7f 08 06 ..........(...
It looks like the kernel will compare with the source address with the eth2 address (192.168.111.xx) then it will find this is a martian source address.
Kernel just printk the source address and the actually destion address "martian source 10.249.111.162 from 10.249.111.10", is this a bug ? I think It should printk the eth2‘s address, that we know what happen.