From: Xin LI <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Wed, 02 Jan 2008 11:26:59 -0800
To: freebsd-rc@FreeBSD.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject: [RFC] rc.d script for binding static arp pairs and logging options
Message-ID: <477BE583.6080202@delphij.net>

Hi,

Here is a rc.d script that I use on my own server, which provides two
functionalities:

 - Bind ARP pairs specified in rc.conf (*);
 - Set ARP logging options (+).

* Similar to routing settings, one needs to set up some sort of "ARP
  pairs" like this:

	static_arp_pairs="gw"
	arp_gw="172.16.1.1 00:1c:58:6a:7b:49"

+ By setting one or more of the following options to "NO" it would set
  the appropriate sysctl for ARP logging settings to zero to disable
  logging:

	log_arp_permanent_modify
	log_arp_movements
	log_arp_wrong_iface

This script could be useful for those who use FreeBSD in an
uncontrollable network (i.e. your network administrator does not care
about viruses that attack the network with fake ARP broadcasts).

I wonder whether this script would be useful for general consumption?
Other comments are also welcome :-)

Cheers,
-- 
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
Attachment: arp (rc.d script)

#!/bin/sh
#
# Copyright (c) 2008 Xin LI
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Configure static ARP table and logging options
#
# $FreeBSD$
#
# PROVIDE: arp
# REQUIRE: netif
# KEYWORD: nojail

. /etc/rc.subr

name="arp"
start_cmd="arp_start"
stop_cmd="arp_stop"
extra_commands="options static"
static_cmd="static_start"
options_cmd="options_start"

arp_start()
{
	options_start
	static_start
}

arp_stop()
{
	static_stop
}

# Apply the log_arp_* knobs from rc.conf.  A knob that is not set leaves
# the corresponding sysctl untouched, which is why the expansions in the
# tests are quoted: an unquoted empty expansion turns "[ -n ${knob} ]"
# into "[ -n ]", which is always true.
options_start()
{
	echo -n 'Additional ARP logging options:'
	if [ -n "${log_arp_permanent_modify}" ]; then
		case ${log_arp_permanent_modify} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_permanent_modify=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_permanent_modify=1 >/dev/null
			;;
		esac
		echo -n ' log arp replies from MACs different than the one in the permanent arp entry;'
	fi
	if [ -n "${log_arp_movements}" ]; then
		case ${log_arp_movements} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_movements=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_movements=1 >/dev/null
			;;
		esac
		echo -n ' log arp replies from MACs different than the one in the cache;'
	fi
	if [ -n "${log_arp_wrong_iface}" ]; then
		case ${log_arp_wrong_iface} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_wrong_iface=1 >/dev/null
			;;
		esac
		echo -n ' log arp packets arriving on the wrong interface'
	fi
	echo '.'
}

# Bind every pair named in static_arp_pairs; each name NAME needs a
# matching arp_NAME="<ip> <mac>" entry in rc.conf.
static_start()
{
	if [ -n "${static_arp_pairs}" ]; then
		echo -n 'Binding static ARP pair:'
		for e in ${static_arp_pairs}; do
			echo -n " ${e}"
			eval arp_args=\$arp_${e}
			arp -S ${arp_args} >/dev/null 2>&1
		done
		echo '.'
	fi
}

# Remove the bound pairs again.  arp -d takes only the address, so the
# MAC is stripped from the rc.conf value first.
static_stop()
{
	if [ -n "${static_arp_pairs}" ]; then
		echo -n 'Unbinding static ARP pair:'
		for e in ${static_arp_pairs}; do
			echo -n " ${e}"
			eval arp_args=\$arp_${e}
			arp_args=`echo ${arp_args} | sed -e 's,..:..:..:..:..:..,,g'`
			arp -d ${arp_args} >/dev/null 2>&1
		done
		echo '.'
	fi
}

load_rc_config $name
run_rc_command "$1"
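The rc.conf convention the script relies on (static_arp_pairs naming arp_NAME entries, and the three log_arp_* knobs) as an added example, not part of Xin LI's post or his script: a dry-run helper that validates each pair before it would reach arp(8), rejects names that are unsafe to hand to eval, and maps the knobs to sysctl values while leaving an unset knob alone. All function names and the sample rc.conf values, including the deliberately malformed "bogus" entry, are constructed for this example.

```shell
#!/bin/sh
# Added example, not Xin LI's rc.d script: dry-run validation of rc.conf-style
# static ARP pairs and log_arp_* knobs. Function names and the sample values
# below are constructed for this example.

# --- constructed rc.conf fragment (sample values) ---------------------------
static_arp_pairs="gw fileserver bogus"
arp_gw="172.16.1.1 00:1c:58:6a:7b:49"
arp_fileserver="172.16.1.20 00:0c:29:aa:bb:cc"
arp_bogus="172.16.1.999 00:0c:29:aa:bb"     # bad octet and only five MAC groups
log_arp_permanent_modify="NO"
log_arp_movements="yes"
# log_arp_wrong_iface is deliberately left unset

# is_ipv4 ADDR: succeed iff ADDR is exactly four decimal octets in 0..255.
# Runs in a subshell so the IFS change and disabled globbing do not leak.
is_ipv4() (
	set -f
	IFS=.
	set -- $1
	[ $# -eq 4 ] || return 1
	for _o; do
		case "$_o" in ''|*[!0-9]*) return 1 ;; esac
		[ "$_o" -le 255 ] || return 1
	done
	return 0
)

# is_mac ADDR: succeed iff ADDR is six colon-separated pairs of hex digits.
is_mac() {
	_h='[0-9a-fA-F][0-9a-fA-F]'
	case "$1" in
	$_h:$_h:$_h:$_h:$_h:$_h) return 0 ;;
	esac
	return 1
}

# arp_pair_args NAME: print the validated "IP MAC" value of $arp_NAME.
# NAME is fed to eval exactly as the rc.d script does, so only identifier
# characters are accepted; fails on a missing or malformed pair.
arp_pair_args() (
	set -f
	case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
	eval _pair=\"\$arp_$1\"
	set -- $_pair
	[ $# -eq 2 ] && is_ipv4 "$1" && is_mac "$2" || return 1
	printf '%s %s\n' "$1" "$2"
)

# static_arp_commands: print one "arp -S IP MAC" line per valid pair in
# $static_arp_pairs, report rejected entries on stderr, fail if any were.
static_arp_commands() {
	_rc=0
	for _e in $static_arp_pairs; do
		if _args=$(arp_pair_args "$_e"); then
			echo "arp -S $_args"
		else
			echo "static ARP pair '$_e': missing or malformed, skipped" >&2
			_rc=1
		fi
	done
	return $_rc
}

# arp_log_value KNOB: map a yes/no style rc.conf knob to its sysctl value.
# Prints 1 or 0. Returns 2 when the knob is unset or empty (leave the sysctl
# alone) and 1 for any other value. The quoted expansion matters: an unquoted
# "[ -n ${knob} ]" collapses to "[ -n ]" for an empty knob, which is true.
arp_log_value() {
	eval _v=\"\$$1\"
	case "$_v" in
	'') return 2 ;;
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo 1 ;;
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) echo 0 ;;
	*) return 1 ;;
	esac
}

# arp_log_commands: print the sysctl(8) line for each knob that is set.
arp_log_commands() {
	for _k in log_arp_permanent_modify log_arp_movements log_arp_wrong_iface; do
		if _v=$(arp_log_value "$_k"); then
			echo "sysctl net.link.ether.inet.$_k=$_v"
		fi
	done
}

# Dry run: show what would be executed instead of touching the ARP table.
static_arp_commands || echo "one or more static ARP pairs were rejected" >&2
arp_log_commands
```

Run as-is it prints the two arp -S lines and the two sysctl lines for the knobs that are set, rejects the "bogus" pair on stderr, and emits nothing for the unset log_arp_wrong_iface. The validation is worth having because an rc.conf value that does not parse as "ip mac" makes arp -S fail silently behind the script's 2>&1 redirect, leaving the host without the static entry it was supposed to have.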