Date:      Wed, 5 Dec 2001 20:31:00 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Eugene Grosbein <eugen@grosbein.pp.ru>
Cc:        "Crist J . Clark" <cjc@FreeBSD.ORG>, net@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: NOARP - gateway must answer and have frozen ARP table
Message-ID:  <20011205203100.A89520@sunbay.com>
In-Reply-To: <20011205193859.B79705@sunbay.com>
References:  <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com>

On Wed, Dec 05, 2001 at 07:38:59PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 05, 2001 at 11:17:35PM +0700, Eugene Grosbein wrote:
> > On Wed, Dec 05, 2001 at 04:03:16AM -0800, Crist J . Clark wrote:
> > 
> > > > Not sure what the correct list is; this is about network security.
> > > > The NOARP flag did not work for Ethernet interfaces before 4.4-RELEASE.
> > > > We needed a static ARP table, so we used a local patch for it.
> > > > 4.4-RELEASE implemented NOARP, but in a different way.
> > > See PR 31873.
> > 
> > I have read this PR and other discussions.
> > And I want to say that this 'intended' behaviour is useless for some
> > configurations. A machine acting as a public gateway must respond
> > to ARP requests for its IP. And it often must not allow modifying
> > its ARP table. So I'm asking to have another behaviour as an option,
> > perhaps tunable as a sysctl.
> > 
> > We have used this scheme for several years in production, keeping our local patches.
> > It seems this scheme is widely used; I've seen several different patches
> > implementing it since 2.2.x. We use one of them.
> > 
> Eugene,
> 
> The below patch implements this facility, activated by setting the
> net.link.ether.inet.static_arp sysctl to a non-zero value.  It also
> fixes an mbuf leak in arpresolve() if IFF_NOARP flag is set on an
> interface, and an address resolution is attempted over it.
> 
> I am also going to add support for static ARP table to rc.conf(5),
> which should address PR conf/23063.
> 
> Let me know what you think about the patch.
> 
Here's the version for -CURRENT:

Index: if_ether.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.88
diff -u -p -r1.88 if_ether.c
--- if_ether.c	5 Dec 2001 18:13:34 -0000	1.88
+++ if_ether.c	5 Dec 2001 18:26:00 -0000
@@ -107,6 +107,7 @@ static int	arp_inuse, arp_allocated;
 static int	arp_maxtries = 5;
 static int	useloopback = 1; /* use loopback interface for local traffic */
 static int	arp_proxyall = 0;
+static int	static_arp = 0;
 
 SYSCTL_INT(_net_link_ether_inet, OID_AUTO, maxtries, CTLFLAG_RW,
 	   &arp_maxtries, 0, "");
@@ -114,6 +115,8 @@ SYSCTL_INT(_net_link_ether_inet, OID_AUT
 	   &useloopback, 0, "");
 SYSCTL_INT(_net_link_ether_inet, OID_AUTO, proxyall, CTLFLAG_RW,
 	   &arp_proxyall, 0, "");
+SYSCTL_INT(_net_link_ether_inet, OID_AUTO, static_arp, CTLFLAG_RW,
+	   &static_arp, 0, "");
 
 static void	arp_init __P((void));
 static void	arp_rtrequest __P((int, struct rtentry *, struct rt_addrinfo *));
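Review bot: the new `SYSCTL_INT` for `static_arp` passes an empty description string, as its neighbours do, but a knob that changes how the host learns link-layer addresses deserves one; something like `"Never create or update ARP entries from received packets"` tells an administrator running `sysctl -d` what they are switching on. The `static_arp` variable added in the previous hunk could carry a matching one-line comment, as `useloopback` does.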
@@ -436,7 +439,7 @@ arpresolve(ifp, rt, m, dst, desten, rt0)
 	 * Probably should not allocate empty llinfo struct if we are
 	 * not going to be sending out an arp request.
 	 */
-	if (ifp->if_flags & IFF_NOARP) {
+	if (ifp->if_flags & IFF_NOARP || static_arp) {
 		m_freem(m);
 		return (0);
 	}
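Review bot: `ifp->if_flags & IFF_NOARP || static_arp` is correct under C precedence (`&` binds tighter than `||`) but mixes a bitwise test with a logical one without parentheses; write `(ifp->if_flags & IFF_NOARP) || static_arp` so the intent does not have to be re-derived by every reader. The comment above this test still only describes ARP being disabled on the interface; extend it to say that with `static_arp` set a destination without an entry is dropped here instead of triggering a request, since that silent drop is what an administrator will first notice when a static entry is missing.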
@@ -632,6 +635,8 @@ match:
 		itaddr = myaddr;
 		goto reply;
 	}
+	if (static_arp)
+		goto reply;
 	la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
 	if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
 		/* the following is not an error when doing bridging */
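Review bot: the `if (static_arp) goto reply;` jump skips the `arplookup()` block that creates or refreshes a cache entry from the incoming packet, and it does so without a comment; add one stating that under static ARP incoming packets never modify the table and only the reply path is taken. Placing the jump after the `isaddr.s_addr == myaddr.s_addr` check is the right order, because the "is using my IP address" warning for a duplicate of our own address still fires; keep that ordering when this is committed.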


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
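As an added illustration, not part of Ruslan's patch or of any FreeBSD rc script, this is the operator side of the scheme Eugene asks for: seed the ARP table from a file of permanent entries, then enable the sysctl the patch introduces. The file format, the function names and the dry-run output are assumptions of this example; the script prints the arp(8) and sysctl(8) commands rather than executing them so the table can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: generate the commands that load a static ARP table and then
# enable the net.link.ether.inet.static_arp sysctl from the patch.
# Assumed input format (one entry per line): "<IPv4> <MAC> [comment]".

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a colon-separated 48-bit MAC address (six hex pairs).
valid_mac() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    for pair; do
        case "$pair" in [0-9A-Fa-f][0-9A-Fa-f]) ;; *) return 1 ;; esac
    done
    return 0
}

# Print one "arp -s" command per valid entry in the file named by $1, then the
# sysctl that stops the kernel from learning further entries.  Returns 1 if any
# line is malformed, so a broken table is noticed before anything is applied.
gen_static_arp() {
    table=$1
    status=0
    while read -r ip mac comment; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            printf 'arp -s %s %s\n' "$ip" "$mac"
        else
            printf 'bad static ARP entry: %s %s\n' "$ip" "$mac" >&2
            status=1
        fi
    done < "$table"
    # Entries are seeded first so no destination is left unresolvable during
    # the switch; the sysctl name is the one added by the patch above.
    printf 'sysctl net.link.ether.inet.static_arp=1\n'
    return $status
}
```

Pipe the output into `sh` once it looks right; a non-zero exit means at least one line of the table was rejected and nothing should be applied.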
