Background: While deploying a service, I noticed that the container’s network behavior was consistently problematic. After some research, I discovered that the “local delivery mechanism” was the culprit, so I decided to take some notes.
When a data packet’s destination IP is one of the local machine’s IP addresses (regardless of which interface it arrives on), the operating system will deliver the packet directly to a local application for processing, rather than forwarding it or dropping it. This behavior is called:
- Local delivery
- Or, more descriptively: the IP belongs to the local machine (a local delivery decision)
This is standard behavior in the TCP/IP stack, supported by both Windows and Linux.
🔍 An Example
Imagine you have a Linux host with two network interfaces:
- `eth0`: `192.168.1.4/24`
- `eth1`: `192.168.5.4/24`

You are running a web service on this host, listening on `0.0.0.0:80`.
Now, another machine at `192.168.5.30` sends an HTTP request to `192.168.1.4:80`. However, due to a routing error or an incorrect ARP response, this packet actually arrives at the host’s `eth1` interface (`192.168.5.4`).
The result: Linux can still process this request normally. It inspects the packet’s destination IP, `192.168.1.4`, recognizes it as a local IP address, and therefore delivers the packet directly to the listening web service.
This is a classic example of “local delivery”.
⚙️ How Do Linux and Windows Differ?

| Feature | Windows | Linux |
|---|---|---|
| Local Delivery Enabled by Default | ✅ Yes | ✅ Yes |
| IP Forwarding Enabled by Default | ❌ No | ❌ No (by default) |
| Configuration Method | GUI / Registry / PowerShell | sysctl parameters (e.g., `net.ipv4.ip_forward`) |
| Allows Accessing Local IPs Across Interfaces | ✅ Yes | ✅ Yes |

As you can see, their core behavior regarding “local delivery” is identical.
🛠️ Linux Kernel Parameters Affecting Local Delivery
Although local delivery is the default behavior, you can modify it in specific scenarios by adjusting kernel parameters.
1. `rp_filter` (Reverse Path Filtering)

If strict `rp_filter` is enabled, Linux might drop packets that “arrive on the wrong interface.” This is a security mechanism to prevent IP source spoofing.

```
net.ipv4.conf.all.rp_filter = 1
```

`rp_filter` typically has several modes:
- strict: Requires that the packet’s inbound interface is the best path to its source address according to the system’s routing table. In our example, this could cause the packet to be dropped.
- loose: Only requires that the source address is reachable in the routing table, regardless of which interface it arrives on.
- disabled: Completely disables `rp_filter`.

You can check your current setting with the following command:
```
sysctl net.ipv4.conf.all.rp_filter
```
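
The command above reads only the `all` value, while the kernel decides per interface. The script below is an added example, not part of the original post, that reports the mode actually enforced on each interface. It assumes the rule from the kernel's ip-sysctl documentation that the larger of `conf.all.rp_filter` and `conf.<iface>.rp_filter` applies, with 0 = disabled, 1 = strict, 2 = loose; `CONF_ROOT`, `effective_rp_filter` and `audit` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): report the rp_filter mode that
# is actually enforced on each interface.
# Assumption from the kernel's ip-sysctl documentation: source validation on an
# interface uses max(conf.all.rp_filter, conf.<iface>.rp_filter), and the
# values mean 0 = disabled, 1 = strict, 2 = loose.

# Hypothetical knob: point CONF_ROOT at a copied tree to audit it offline.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# effective_rp_filter IFACE: print the numeric value enforced on IFACE.
effective_rp_filter() {
    rp_all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null) || return 1
    rp_if=$(cat "$CONF_ROOT/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$rp_if" -gt "$rp_all" ]; then echo "$rp_if"; else echo "$rp_all"; fi
}

# audit: print "<iface> <value> <mode>" for every real interface.
audit() {
    for rp_dir in "$CONF_ROOT"/*/; do
        rp_name=$(basename "$rp_dir")
        # "all" is the global setting and "default" the template; skip both.
        case "$rp_name" in all|default) continue ;; esac
        rp_val=$(effective_rp_filter "$rp_name") || continue
        echo "$rp_name $rp_val $(mode_name "$rp_val")"
    done
}

if [ -d "$CONF_ROOT" ]; then audit; fi
```

An interface reported as `disabled` or `loose` will hand a packet that arrived on it to the local service even when the route back to the sender points out of a different interface.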
2. `accept_local`

```
net.ipv4.conf.all.accept_local = 1
```
This parameter explicitly allows an interface to accept packets whose destination IP is local but does not belong to that specific interface. This is enabled by default and is one of the key enablers of the local delivery mechanism.