Date:      Mon, 19 Mar 2007 14:51:10 +0300
From:      pluknet <pluknet@gmail.com>
To:        banshee <root@vault13.org>, pluknet <pluknet@gmail.com>,  freebsd-current@freebsd.org
Subject:   Re: rc.conf: tcp_drop_synfin option
Message-ID:  <a31046fc0703190451i70442035q90e0a2eb0c98e6c3@mail.gmail.com>
In-Reply-To: <20070319112333.GA832@vault.net.vault13.org>
References:  <20070318152101.GA70619@vault13.org> <a31046fc0703190248g7b8ba445g7ef5fb282823883c@mail.gmail.com> <20070319112333.GA832@vault.net.vault13.org>

On 19/03/07, banshee <root@vault13.org> wrote:
> On Mon, Mar 19, 2007 at 12:48:01PM +0300, pluknet wrote:
> > Hi.
> >
> > On 18/03/07, banshee <root@vault13.org> wrote:
> > >
> > >        Hello everyone!
> > >
> > >        I have a tcp_drop_synfin="yes" option in my rc.conf, but it
> > >        doesn't work correctly. Here is the dmesg -a part:
> > >
> > >        [...]
> > >        Additional routing options:
> > >         ignore ICMP redirect=YES
> > >         log ICMP redirect=YES
> > >         drop SYN+FIN packets=YES
> > >        sysctl:
> > >        unknown oid 'net.inet.tcp.drop_synfin'
> > >        [...]
> > >
> > >        I've been thinking about making a patch for it (/etc/rc.d/routing,
> > >        lines 22-127), but I just didn't find something in the `sysctl -a`
> > >        list that can be used. If this option is removed, then maybe the
> > >        lines 124-125 in /etc/rc.d/routing should be changed (something as
> > >        in the attachment)? I'm interested in making a patch for it :-)
> >
> > Didn't you forget to add the TCP_DROP_SYNFIN option in your kernel config?
> >
> > >        Best regards, banshee, vault13.org...
> >
> > pluknet
>
>         Oops... No, I didn't forget to include it, I've just compiled the wrong kernel :-)
>         Anyway, I've made some changes to the routing file, just to see if this sysctl var is set correctly (I know, the code is ugly).

From the attachment:
-		echo -n ' drop SYN+FIN packets=YES'
-		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
+		if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`" \
+						= "1" ]; then
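Review bot: the new test `if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`" = "1" ]` keys on the fourth field of sysctl's set output (the new value in a `name: old -> new` line), which is fragile and only confirms what sysctl echoed, not what the kernel holds; reading back with `sysctl -n net.inet.tcp.drop_synfin 2>/dev/null` gives the bare value, needs no `cut`, and keeps the `unknown oid` error quoted earlier in the thread out of the console output. The removed `echo -n ' drop SYN+FIN packets=YES'` has no visible replacement in this excerpt, so the then-branch that prints YES/NO is still to be checked.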

Perhaps it would be more careful to make a so-called "const" check:
-		echo -n ' drop SYN+FIN packets=YES'
		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
+		if [ "`sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2`" \
+						= "1" ]; then
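Review bot: reading the value back (`sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2`) is the safer check, but the retained `sysctl net.inet.tcp.drop_synfin=1 >/dev/null` still sends the `unknown oid` error to stderr, and the `cut` still depends on sysctl's `name: value` layout; `sysctl -n net.inet.tcp.drop_synfin 2>/dev/null` prints just the value (or nothing when the OID is absent) and lets the comparison drop the `cut`. As in the first hunk, the branch that prints the `=YES`/`=NO` report is cut off here and should be confirmed in the full patch.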

>
pluknet

PS: sorry for my English
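A defensive version of the check discussed above, added here as an example; it is neither the thread's attachment nor FreeBSD's own /etc/rc.d/routing. It sets the OID, reads it back with `sysctl -n` so no `cut` over sysctl's output layout is needed, silences the `unknown oid` error, and reports YES only when the kernel confirms the value. The function names and the DROP_SYNFIN_OID variable are this example's own choices; only the OID string comes from the thread.

```shell
#!/bin/sh
# Added example, not the thread's attachment and not FreeBSD's rc.d/routing:
# set a sysctl and report YES only after the kernel confirms the new value.
# `sysctl -n` prints the bare value, so no `cut` over sysctl's output layout
# is needed; stderr is silenced so an "unknown oid" error (kernel built
# without options TCP_DROP_SYNFIN) shows up as a clean NO instead of noise.

# OID from the thread; the variable name itself is this example's choice.
DROP_SYNFIN_OID="net.inet.tcp.drop_synfin"

# sysctl_get OID: prints the current value, or nothing if the OID is absent.
# `|| :` keeps a missing OID from tripping `set -e` in callers; the empty
# output is the signal.
sysctl_get() {
    sysctl -n "$1" 2>/dev/null || :
}

# sysctl_set OID VALUE: attempts the assignment quietly. Its exit status is
# deliberately not trusted; set_and_verify reads the value back instead.
sysctl_set() {
    sysctl "$1=$2" >/dev/null 2>&1 || true
}

# set_and_verify OID VALUE: prints YES and returns 0 when the kernel now
# reports VALUE, otherwise prints NO and returns 1 so rc scripts can branch.
set_and_verify() {
    sv_oid=$1
    sv_want=$2
    sysctl_set "$sv_oid" "$sv_want"
    sv_got=$(sysctl_get "$sv_oid")
    if [ "$sv_got" = "$sv_want" ]; then
        echo YES
        return 0
    fi
    echo NO
    return 1
}

# report_drop_synfin: the line rc.d/routing prints, but with a verified answer.
report_drop_synfin() {
    printf ' drop SYN+FIN packets=%s\n' "$(set_and_verify "$DROP_SYNFIN_OID" 1)"
}

report_drop_synfin
```

On a kernel without TCP_DROP_SYNFIN the line reads `drop SYN+FIN packets=NO` and nothing else is printed, which is the behaviour the original report was missing.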



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a31046fc0703190451i70442035q90e0a2eb0c98e6c3>