From: banshee
To: freebsd-current@freebsd.org
Date: Mon, 19 Mar 2007 21:16:35 +0300
Subject: Re: rc.conf: tcp_drop_synfin option
Message-ID: <20070319181635.GE1057@vault.net.vault13.org>
References: <20070318152101.GA70619@vault13.org> <20070319112333.GA832@vault.net.vault13.org>
List-Id: Discussions about the use of FreeBSD-current

No, in that case sysctl will turn on SYN+FIN drop, but if we use
cut -d ' ' -f 2, it will return 0 (by default at startup time this
sysctl var=0) and print an error msg. If you use -f 4, then it will check
that the SYN+FIN function is turned on, no matter how.

On Mon, Mar 19, 2007 at 02:51:10PM +0300, pluknet wrote:
> On 19/03/07, banshee wrote:
> >On Mon, Mar 19, 2007 at 12:48:01PM +0300, pluknet wrote:
> >> Hi.
> >>
> >> On 18/03/07, banshee wrote:
> >> >
> >> > Hello everyone!
> >> >
> >> > I have a tcp_drop_synfin="yes" option in my rc.conf, but it
> >> > doesn't work correctly. Here is the dmesg -a part:
> >> >
> >> > [...]
> >> > Additional routing options:
> >> > ignore ICMP redirect=YES
> >> > log ICMP redirect=YES
> >> > drop SYN+FIN packets=YES
> >> > sysctl:
> >> > unknown oid 'net.inet.tcp.drop_synfin'
> >> > [...]
> >> >
> >> > I've been thinking about making a patch for it (/etc/rc.d/routing,
> >> > lines 22-127), but I just didn't find something in `sysctl -a`
> >> > list that can be used. If this option is removed, then maybe the
> >> > lines 124-125 in /etc/rc.d/routing should be changed (something as
> >> > in attach)? I'm interested in making a patch for it :-)
> >>
> >> Didn't you forget to add the TCP_DROP_SYNFIN option in your kernel config?
> >>
> >> > Best regards, banshee, vault13.org...
> >>
> >> pluknet
> >
> > Ups... No, I didn't forget to include it, I've just compiled the
> > wrong kernel :-)
> > Anyway, I've made some changes to the routing file, just to see whether
> > this sysctl var is set correctly (I know, the code is ugly).
>
> From attach:
> - echo -n ' drop SYN+FIN packets=YES'
> - sysctl net.inet.tcp.drop_synfin=1 >/dev/null
> + if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`"
> \
> + = "1" ]; then
>
> Perhaps it would be more careful to make a so-called "const" check:
> - echo -n ' drop SYN+FIN packets=YES'
> sysctl net.inet.tcp.drop_synfin=1 >/dev/null
> + if [ "`sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2`" \
> + = "1" ]; then
>
> pluknet
>
> ps
> sorry for my English

-- 
Contra vim mortis, non est medicaments...
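
Review bot: in the first hunk (the lines quoted from banshee's attachment), the `if` condition compares field 4 of what `sysctl net.inet.tcp.drop_synfin=1` prints, so the result depends on the layout of that printed line rather than on whether the set succeeded. Testing the exit status of the set would remove the `cut` parsing. The two removed lines also took `echo -n ' drop SYN+FIN packets=YES'` with them, so the `then` branch, which is not visible here, has to print it, and an `else` branch should report the failure instead of staying silent.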
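
Review bot: in the second hunk (pluknet's variant), the read-back `sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2` is a second sysctl call with stderr left alone, so on a kernel without the oid the "unknown oid" message shown in the dmesg excerpt would be printed once by the set and again by the read. `sysctl -n` prints the bare value and makes the `cut` unnecessary, and `2>/dev/null` on the read keeps the boot output to one error. As in the first hunk, the removed `echo -n` line needs a replacement inside the `then` branch.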
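
The difference between the two `cut` fields described in the reply, next to a check that does not depend on them, as an added example that is not code from the thread or from FreeBSD's rc scripts. The `sysctl` shell function is a constructed stand-in that imitates the `name: old -> new` line printed on a set, and `set_output_field` and `enable_drop_synfin` are hypothetical names.

```shell
#!/bin/sh
# Constructed stand-in for FreeBSD sysctl(8) so the example runs on any host.
# KERNEL_HAS_OID=0 models a kernel built without "options TCP_DROP_SYNFIN".
KERNEL_HAS_OID=1
OID_VALUE=0
OID=net.inet.tcp.drop_synfin

sysctl() {
    value_only=0
    if [ "$1" = "-n" ]; then value_only=1; shift; fi
    name=${1%%=*}
    if [ "$KERNEL_HAS_OID" -ne 1 ] || [ "$name" != "$OID" ]; then
        echo "sysctl: unknown oid '$name'" >&2
        return 1
    fi
    case $1 in
    *=*)                                  # set: prints "name: old -> new"
        old=$OID_VALUE
        OID_VALUE=${1#*=}
        echo "$name: $old -> $OID_VALUE" ;;
    *)                                    # read: "name: value", or value with -n
        if [ "$value_only" -eq 1 ]; then echo "$OID_VALUE"
        else echo "$name: $OID_VALUE"; fi ;;
    esac
}

# Field N of the line printed by a set, as the thread's cut(1) pipelines see it.
set_output_field() {
    sysctl "$OID=1" 2>/dev/null | cut -d ' ' -f "$1"
}

# Set the knob, then confirm by exit status and a value-only read-back
# instead of parsing the human-readable set output.
enable_drop_synfin() {
    if ! sysctl "$OID=1" >/dev/null 2>&1; then
        echo "drop SYN+FIN packets=NO (oid missing; kernel lacks TCP_DROP_SYNFIN?)"
        return 1
    fi
    if [ "$(sysctl -n "$OID" 2>/dev/null)" = "1" ]; then
        echo "drop SYN+FIN packets=YES"
    else
        echo "drop SYN+FIN packets=NO (value did not stick)"
        return 1
    fi
}

enable_drop_synfin
```

With the stand-in's default of 0, field 2 of the set output is the old value and field 4 the new one, which is why the two pipelines in the thread give different answers on a freshly booted system.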