arp_ignore=2 not working as expected

I am using arp_ignore=2 on all network interfaces to prevent interfaces from answering requests for IP addresses of the other network interfaces.

Unfortunately this does not seem to work correctly.

This is my IP configuration:


# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 9000 qdisc mq portid 248a0703006bfdc1 state DOWN group default qlen 1000
    link/ether 24:8a:07:6b:fd:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.2/24 brd 192.168.2.255 scope global eth2
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:d8:69:42 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.175/16 brd 192.168.255.255 scope global eth0
       valid_lft forever preferred_lft forever
4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 6000 qdisc mq state DOWN group default qlen 1000
    link/ether 0c:c4:7a:d8:69:43 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever

However, the IP address 192.168.1.2 (eth1) can still be reached over eth0.
I guess one of the problems might be that eth1 uses an IP address (192.168.1.2) that also lies within the network of eth0 (192.168.x.x).
But I am using arp_ignore=2, and the documentation says:


arp_ignore - INTEGER
2 - reply only if the target IP address is local address
    **configured on the incoming interface** and both with the
    sender's IP address are part from same subnet on this interface

So the target address 192.168.1.2 is not configured on the incoming interface eth0, and therefore I think the ARP request should not be answered.
Additionally, this setting worked fine at least up to SUSE 12.3.

Here is my arp_ignore config:


# sysctl -a | grep arp_ignore
net.ipv4.conf.all.arp_ignore = 2
net.ipv4.conf.default.arp_ignore = 2
net.ipv4.conf.eth0.arp_ignore = 2
net.ipv4.conf.eth1.arp_ignore = 2
net.ipv4.conf.eth2.arp_ignore = 2
net.ipv4.conf.lo.arp_ignore = 0

I would be grateful for any hints on how to configure the system so that requests for 192.168.1.2 (eth1) are answered only by eth1.

Some information about the system configuration:


# uname -a
Linux swe5-sp 4.4.72-18.12-default #1 SMP Mon Jun 19 14:11:41 UTC 2017 (9c03296) x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep wicked
libwicked-0-6-0.6.40-6.3.1.x86_64
wicked-service-0.6.40-6.3.1.x86_64
wicked-0.6.40-6.3.1.x86_64

# cat /etc/sysconfig/network/ifcfg-eth0
BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
NAME='Intel Ethernet controller'
NETWORK=''
MTU=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
LINK_REQUIRED='no'
IPADDR='192.168.50.175'
NETMASK='255.255.0.0'

# cat /etc/sysconfig/network/ifcfg-eth1
BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS='-G eth1 rx 4096'
MTU='6000'
NAME='Intel Ethernet controller'
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
LINK_REQUIRED='no'
IPADDR='192.168.1.2'
NETMASK='255.255.255.0'

# sysctl -a | grep arp
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.arp_ignore = 2
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.default.arp_ignore = 2
net.ipv4.conf.default.arp_notify = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.conf.eth0.arp_ignore = 2
net.ipv4.conf.eth0.arp_notify = 1
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.eth1.arp_accept = 0
net.ipv4.conf.eth1.arp_announce = 2
net.ipv4.conf.eth1.arp_filter = 1
net.ipv4.conf.eth1.arp_ignore = 2
net.ipv4.conf.eth1.arp_notify = 1
net.ipv4.conf.eth1.proxy_arp = 0
net.ipv4.conf.eth1.proxy_arp_pvlan = 0
net.ipv4.conf.eth2.arp_accept = 0
net.ipv4.conf.eth2.arp_announce = 2
net.ipv4.conf.eth2.arp_filter = 1
net.ipv4.conf.eth2.arp_ignore = 2
net.ipv4.conf.eth2.arp_notify = 1
net.ipv4.conf.eth2.proxy_arp = 0
net.ipv4.conf.eth2.proxy_arp_pvlan = 0
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0


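Added example, not part of the original post: a small Python model of the arp_ignore semantics as documented in the ip-sysctl text quoted above (modes 0, 1 and 2), applied to the interface addresses from the `ip address` output in the post. It also lists which interface addresses fall inside another interface's subnet, which is the overlap the poster suspects (192.168.1.2/24 on eth1 lies inside 192.168.0.0/16 on eth0). The request parameters (sender IPs such as 192.168.50.1 and 192.168.1.1) are constructed for the illustration; the code models the documented rules, not the kernel's actual ARP code path.

```python
"""Model of the documented arp_ignore modes for the interfaces in the post.

Added example (not from the original post). It encodes the ip-sysctl
documentation for arp_ignore modes 0, 1 and 2 and checks a constructed ARP
request against it. It is a model of the documented rules, not the kernel's
ARP implementation.
"""
import ipaddress
from typing import Dict, List, Tuple

# Interface addresses copied from the `ip address` output in the post
# (one primary address per interface is assumed).
IFACES: Dict[str, str] = {
    "eth0": "192.168.50.175/16",
    "eth1": "192.168.1.2/24",
    "eth2": "192.168.2.2/24",
}


def overlapping_addresses(ifaces: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (iface, address, other_iface) for every interface address that
    lies inside another interface's subnet. Hosts on the other interface's
    segment consider that address on-link and will ARP for it there."""
    found = []
    for name, cidr in ifaces.items():
        addr = ipaddress.ip_interface(cidr).ip
        for other, other_cidr in ifaces.items():
            if other == name:
                continue
            if addr in ipaddress.ip_interface(other_cidr).network:
                found.append((name, str(addr), other))
    return found


def arp_reply_expected(ifaces: Dict[str, str], in_iface: str,
                       sip: str, tip: str, arp_ignore: int) -> bool:
    """Decide whether an ARP request for `tip` from `sip`, received on
    `in_iface`, is answered under the documented arp_ignore modes:
      0 - reply for any local address configured on any interface
      1 - reply only if tip is configured on the incoming interface
      2 - as 1, and sip must be in the same subnet as tip on that interface
    Other modes (3 and 8) are not modelled here."""
    sender = ipaddress.ip_address(sip)
    target = ipaddress.ip_address(tip)

    local_on_any = any(ipaddress.ip_interface(c).ip == target
                       for c in ifaces.values())
    if not local_on_any:
        return False  # not one of our addresses: never answered
    if arp_ignore == 0:
        return True

    in_cidr = ipaddress.ip_interface(ifaces[in_iface])
    if in_cidr.ip != target:
        return False  # target not configured on the incoming interface
    if arp_ignore == 1:
        return True
    if arp_ignore == 2:
        return sender in in_cidr.network
    raise ValueError(f"arp_ignore mode {arp_ignore} is not modelled")


if __name__ == "__main__":
    for name, addr, other in overlapping_addresses(IFACES):
        print(f"{name} address {addr} lies inside the subnet of {other}")
    # Constructed request: a host on the eth0 segment asks for eth1's address.
    for mode in (0, 1, 2):
        answered = arp_reply_expected(IFACES, "eth0", "192.168.50.1",
                                      "192.168.1.2", mode)
        print(f"arp_ignore={mode}: request on eth0 for 192.168.1.2 "
              f"{'answered' if answered else 'ignored'}")
```

Under the documented rules, mode 1 and mode 2 both ignore a request on eth0 for 192.168.1.2, so the behaviour described in the post is not what the documentation predicts. Two things worth checking on the real box: the kernel uses the larger of conf/all/arp_ignore and conf/eth0/arp_ignore, so both must be 2, and a capture with `tcpdump -ni eth0 -e arp` shows the source MAC of the reply, which tells you whether this host or some other device on the segment is answering for 192.168.1.2.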

Older versions of MS Windows were very "chatty", but modern MS Windows does a lot less ARPing.
By default, all Linux systems are configured to ARP only when necessary.

Why are you trying to ignore ARPing? Especially on bootup, and as needed afterwards, it can be important to your networking health.

IMO a better solution is probably that, if you find one of your machines ARPing excessively, you inspect that machine and make sure it is not configured to ARP more than necessary (there is a setting that changes the default to ARP excessively).

If your intent is to hide your machine on your network, that is a special use case.
Maybe there is something in Kali (I haven't looked) or a similar pentesting suite.
Based on a Google search, I turned up a very old but likely still relevant article suggesting that you don't configure this in an interface file; you configure the kernel through sysctl (recommended) or the /proc tree directly:
http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
There are also numerous articles on restricting ARP on routers to ensure ARPs don't traverse, but hardly anything I've found for individual host machines.

But keep in mind that, unless you have a special objective, no one should want to ignore ARP requests on any machine, because it would make it difficult for other machines to find and communicate with you.

TSU