Date:      Mon, 21 Feb 2005 23:48:55 +0300 (MSK)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        gnn@freebsd.org
Cc:        current@freebsd.org
Subject:   Re: OpenBSD's tcpdrop(8)
Message-ID:  <20050221233338.B70997@mp2.macomnet.net>
In-Reply-To: <m2vf8mj59c.wl%gnn@neville-neil.com>
References:  <20050123193559.V91742@mp2.macomnet.net> <m2vf8mj59c.wl%gnn@neville-neil.com>

George,

On Tue, 22 Feb 2005, 00:34+0900, gnn@freebsd.org wrote:

> At Sun, 23 Jan 2005 20:05:26 +0300 (MSK),
> Maxim Konovalov wrote:
> >
> > Hello,
> >
> > I've ported OpenBSD's tcpdrop(8) and a relevant kernel part.
> > From the man page, http://tinyurl.com/4lvo9
> >
> >      The tcpdrop command drops the TCP connection specified by the local
> >      address laddr, port lport and the foreign address faddr, port fport.
> >
> > There are patches for HEAD and RELENG_4:
> >
> > http://people.freebsd.org/~maxim/diff/tcpdrop.diff
> > http://people.freebsd.org/~maxim/diff/tcpdrop.diff-4
> >
> > Two questions: do we want to have it in the base system?  Does the
> > diff look OK (I didn't test IPv6 part)?
>
> Hi Maxim,
>
> I finally got around to testing this on IPv6.  It was not an
> exhaustive test but I used NetPIPE to run a client and server over
> localhost (::1) for IPv6 and then forced a drop.  The machine is a
> PIII SMP box (elephant if you know the test lab stuff).  No problems
> encountered, and I can only do the drop as root, which is what I would
> hope and expect.

Thank you very much for testing!  A version with the correct locking
(rwatson@) and improved IPv6 (ume@) is already in the tree.

> A very cool feature.  I vote for it being in the base system.  Are
> there jail issues?  I haven't thought that aspect of the security of
> this feature through yet.

We do not allow modifying sysctls in a jail by default (the
!CTLFLAG_PRISON case), so I think net.inet.tcp.drop is jail-safe.  And
it does not allow discovering an existent (or non-existent) tcp
connection in the host system from the jail.

-- 
Maxim Konovalov
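An added example, not part of the thread and not FreeBSD's own tcpdrop(8) source: it builds the two sockaddr structures that the net.inet.tcp.drop sysctl consumes (the local and foreign 4-tuple from the man page excerpt above, IPv4 or IPv6) and, on FreeBSD only, writes them with sysctlbyname(3). The packing is portable and can be checked on any host. Assumptions not stated on the page: the sysctl takes a pair of struct sockaddr_storage (128 bytes each), foreign address first and local address second, and the kernel checks ss_len/ss_family, returning EINVAL otherwise; verify that order against your kernel's tcp_subr.c before relying on it. The module is hypothetical and the sample addresses are constructed.

```python
"""Build and submit a net.inet.tcp.drop request (FreeBSD).

Added example, not from the original thread or from FreeBSD's tcpdrop(8).
Assumption: the sysctl reads struct sockaddr_storage addrs[2] with the
foreign endpoint in addrs[0] and the local endpoint in addrs[1].
"""
import ctypes
import errno
import ipaddress
import platform
import struct

# FreeBSD values; BSD sockaddr layouts carry an explicit length byte first.
AF_INET = 2
AF_INET6 = 28
SOCKADDR_STORAGE_LEN = 128
SOCKADDR_IN_LEN = 16   # sin_len, sin_family, sin_port, sin_addr, sin_zero[8]
SOCKADDR_IN6_LEN = 28  # sin6_len, sin6_family, sin6_port, sin6_flowinfo, sin6_addr, sin6_scope_id


def pack_sockaddr(host: str, port: int) -> bytes:
    """Return a sockaddr_in or sockaddr_in6 padded out to sockaddr_storage."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    addr = ipaddress.ip_address(host)
    if addr.version == 4:
        # "!" packs sin_port in network byte order; single-byte fields are unaffected.
        sa = struct.pack("!BBH4s8x", SOCKADDR_IN_LEN, AF_INET, port, addr.packed)
    else:
        # flowinfo and scope_id left at 0; link-local peers need the interface index.
        sa = struct.pack("!BBHI16sI", SOCKADDR_IN6_LEN, AF_INET6, port, 0, addr.packed, 0)
    return sa.ljust(SOCKADDR_STORAGE_LEN, b"\0")


def build_drop_request(laddr: str, lport: int, faddr: str, fport: int) -> bytes:
    """Concatenate the two entries in the (assumed) order the sysctl expects."""
    foreign = pack_sockaddr(faddr, fport)
    local = pack_sockaddr(laddr, lport)
    if foreign[1] != local[1]:
        # The kernel rejects mixed families; fail early with a clear message.
        raise ValueError("local and foreign addresses must share an address family")
    return foreign + local


def tcpdrop(laddr: str, lport: int, faddr: str, fport: int) -> int:
    """Write the request to net.inet.tcp.drop; return 0 on success, else errno."""
    if platform.system() != "FreeBSD":
        raise OSError("net.inet.tcp.drop exists only on FreeBSD")
    req = build_drop_request(laddr, lport, faddr, fport)
    libc = ctypes.CDLL(None, use_errno=True)
    libc.sysctlbyname.argtypes = [ctypes.c_char_p, ctypes.c_void_p, ctypes.c_void_p,
                                  ctypes.c_char_p, ctypes.c_size_t]
    libc.sysctlbyname.restype = ctypes.c_int
    if libc.sysctlbyname(b"net.inet.tcp.drop", None, None, req, len(req)) == 0:
        return 0
    # EPERM: caller is not root, or is in a jail (the sysctl is not CTLFLAG_PRISON).
    return ctypes.get_errno()


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: tcpdrop.py laddr lport faddr fport")
    rc = tcpdrop(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]))
    print("dropped" if rc == 0 else "failed: " + errno.errorcode.get(rc, str(rc)))
```

Because the sysctl framework applies the root and jail checks before the handler runs, an unprivileged or jailed caller gets EPERM whether or not the connection exists, which is the property Maxim describes: the write cannot be used from a jail as an oracle for host connections.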