martian source false positive

AlpsView

I get the following log line every minute on the PVE host:

Code:
Jul 18 00:49:58 proxmox kernel: IPv4: martian source 192.168.6.255 from 192.168.6.30, on dev fwbr1007i0

Now, on 192.168.6.30 a DLNA server is running configured to send out a broadcast every 60 seconds. So what PVE sees is valid and wanted traffic.
Any way to teach PVE so, to make it stop reporting and polluting the log file?
 
Hi,

this is controlled by the net.ipv4.conf.<interface>.log_martians sysctl - by default this is turned off, so you might need to first check where it gets enabled (typically somewhere in /etc/sysctl.d/).

See also the kernel documentation: https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html#:~:text=log_martians

You can check the current status across all interfaces using grep . /proc/sys/net/ipv4/conf/*/log_martians, and toggle it at runtime using sysctl net.ipv4.conf.<interface>.log_martians=0|1.

As it's on a firewall bridge, either you can turn it off globally (by using the all entry) or e.g. after the guest starts using a hook script.
 
Hi Christoph
thanks a lot for your reply.
I was looking not to generally turn the martians logging on or off but rather similar to a firewall rule to only turn off the reporting of that specific communication. I guess that's not possible? I was hoping there could be a list of rules what is classified as martians where I could override or deactivate the related rule only.
 
I was hoping there could be a list of rules what is classified as martians where I could override or deactivate the related rule only.
Martian packets (addresses) are defined per RFC 1812 section 5.3.7, so there is by definition nothing to configure w.r.t. classification.

I was looking not to generally turn the martians logging on or off
You can turn it off per-interface as written above, i.e. turning it only off for the specific fwbr, leaving it enabled for all other interfaces.

You can also (try) using the nftables-based firewall, which does not need separate fwbr anymore - although not sure if that just means it will get logged somewhere else.
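The per-interface switch plus hook script that both replies above describe, as an added example that is not from the thread or from Proxmox's own code. It assumes PVE calls the hook as "<script> <vmid> <phase>" and that the firewall bridge for net0 is named fwbr<vmid>i0 (as in the log line, fwbr1007i0); SYSCTL_ROOT is an assumed override so the functions can be exercised against a constructed directory instead of /proc/sys. Per the kernel documentation linked above, logging is active when either conf/all or conf/<iface> has log_martians=1, so the effective-state check consults both and the per-interface switch only helps while "all" stays 0.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox). SYSCTL_ROOT is an assumed
# knob: it defaults to /proc/sys and can point at a constructed tree for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print the effective log_martians state (1/0) for one interface. The kernel
# logs martians when conf/all OR conf/<iface> is 1, so both files are read;
# a missing file counts as 0.
effective_log_martians() {
    d="$SYSCTL_ROOT/net/ipv4/conf"
    a=$(cat "$d/all/log_martians" 2>/dev/null || echo 0)
    i=$(cat "$d/$1/log_martians" 2>/dev/null || echo 0)
    if [ "$a" = 1 ] || [ "$i" = 1 ]; then echo 1; else echo 0; fi
}

# Turn logging off for exactly one interface (e.g. fwbr1007i0), leaving every
# other interface untouched. Fails if the interface has no sysctl entry.
disable_log_martians() {
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/log_martians"
    [ -w "$f" ] || { echo "no sysctl entry for interface $1" >&2; return 1; }
    printf '0\n' > "$f"
}

# Hook entry point: PVE passes "<vmid> <phase>"; the optional third argument
# (assumed, defaults to 0) selects which netN's firewall bridge to adjust.
# Only post-start matters, because fwbr<vmid>i<netid> exists only while the
# guest runs with the firewall enabled on that NIC.
hook_main() {
    vmid="$1"; phase="$2"; netid="${3:-0}"
    case "$phase" in
        post-start) disable_log_martians "fwbr${vmid}i${netid}" ;;
        *) : ;;   # nothing to do for pre-start, pre-stop, post-stop
    esac
}

# Act as a hook script only when invoked with arguments (not when sourced).
if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

Install it with `qm set <vmid> --hookscript local:snippets/<name>.sh` and check the result afterwards with `grep . /proc/sys/net/ipv4/conf/*/log_martians`, as suggested above.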