From owner-freebsd-security Thu Dec 26 12: 0:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3774537B405 for ; Thu, 26 Dec 2002 12:00:28 -0800 (PST) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id B52A743EDC for ; Thu, 26 Dec 2002 12:00:22 -0800 (PST) (envelope-from ru@whale.sunbay.crimea.ua) Received: from whale.sunbay.crimea.ua (root@localhost) by whale.sunbay.crimea.ua (8.12.6/8.12.6/Sunbay) with SMTP id gBQK0GxV074726 for ; Thu, 26 Dec 2002 22:00:16 +0200 (EET) (envelope-from ru@whale.sunbay.crimea.ua) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) by whale.sunbay.crimea.ua (8.12.6/8.12.6/Sunbay) with ESMTP id gBQK0AeY074695 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Thu, 26 Dec 2002 22:00:14 +0200 (EET) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.6/8.12.6/Submit) id gBQK09fu074688; Thu, 26 Dec 2002 22:00:09 +0200 (EET) Date: Thu, 26 Dec 2002 22:00:08 +0200 
From: Ruslan Ermilov To: Eugene Grosbein Cc: net@freebsd.org, security@freebsd.org Subject: Static ARP (was: Re: NOARP - gateway must answer and have frozen ARP table) Message-ID: <20021226200008.GA70966@sunbay.com> References: <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com> <200112051835.fB5IZqH95521@whizzo.transsys.com> <20011205204526.B89520@sunbay.com> <200112051852.fB5IqmH95809@whizzo.transsys.com> <20011205121928.A3061@blossom.cjclark.org> <200112062059.MAA02282@windsor.research.att.com> <20011207110542.J13705@sunbay.com> <3C11C24B.A980A646@svzserv.kemerovo.su> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="6zdv2QT/q3FMhpsV" Content-Disposition: inline In-Reply-To: <3C11C24B.A980A646@svzserv.kemerovo.su> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --6zdv2QT/q3FMhpsV Content-Type: multipart/mixed; boundary="CUfgB8w4ZwR/yMy5" Content-Disposition: inline --CUfgB8w4ZwR/yMy5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Dec 08, 2001 at 02:33:31PM +0700, Eugene Grosbein wrote: > > OK, I have a proposal that should fit both opinions. I'll keep the > > net.link.ether.inet.static_arp to mean what it means now (keep ARP > > table static, no updates except from local process through a routing > > socket writes), and will add another sysctl that will switch the > > meaning of IFF_NOARP from "no arp" to "static arp on this interface". > > How about this? >=20 > This would be the best souliution at least for us :-) >=20 OK, enough of cooling off. :-) The attached patch (for 5.0-CURRENT) adds the IFF_STATICARP per-interface flag, which does the obvious thing. 
Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age
--CUfgB8w4ZwR/yMy5
Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Content-Transfer-Encoding: quoted-printable
Index: sys/net/if.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/net/if.h,v
retrieving revision 1.81
diff -u -p -r1.81 if.h
--- sys/net/if.h 14 Nov 2002 23:16:18 -0000 1.81
+++ sys/net/if.h 26 Dec 2002 19:57:41 -0000
@@ -150,6 +150,7 @@ struct if_data {
 #define IFF_POLLING 0x10000 /* Interface is in polling mode. */
 #define IFF_PPROMISC 0x20000 /* user-requested promisc mode */
 #define IFF_MONITOR 0x40000 /* user-requested monitor mode */
+#define IFF_STATICARP 0x80000 /* static ARP */
=20
 /* flags set internally only: */
 #define IFF_CANTCHANGE \
Index: sys/netinet/if_ether.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.96
diff -u -p -r1.96 if_ether.c
--- sys/netinet/if_ether.c 31 Jul 2002 16:45:16 -0000 1.96
+++ sys/netinet/if_ether.c 26 Dec 2002 19:57:41 -0000
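Review bot: The comment on the new `IFF_STATICARP` define is terser than its neighbours, which each say what the flag does and who sets it (`user-requested promisc mode`, `user-requested monitor mode`), so a reader of if.h alone cannot tell that this bit is user-settable or what "static" means. I would write `#define IFF_STATICARP 0x80000 /* user-requested static ARP: never learn entries from received ARP */`, which is what the if_ether.c hunk in the same patch appears to implement. Keeping the define above the `flags set internally only` block, and so presumably out of `IFF_CANTCHANGE` (whose body is outside the hunk), looks right for a flag that ifconfig toggles.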
@@ -448,12 +448,12 @@ arpresolve(ifp, rt, m, dst, desten, rt0)
 return 1;
 }
 /*
- * If ARP is disabled on this interface, stop.
+ * If ARP is disabled or static on this interface, stop.
 * XXX
 * Probably should not allocate empty llinfo struct if we are
 * not going to be sending out an arp request.
 */
- if (ifp->if_flags & IFF_NOARP) {
+ if (ifp->if_flags & (IFF_NOARP | IFF_STATICARP)) {
 m_freem(m);
 return (0);
 }
@@ -654,6 +654,8 @@ match:
 itaddr =3D myaddr;
 goto reply;
 }
+ if (ifp->if_flags & IFF_STATICARP)
+ goto reply;
 la =3D arplookup(isaddr.s_addr, itaddr.s_addr =3D=3D myaddr.s_addr, 0);
 if (la && (rt =3D la->la_rt) && (sdl =3D SDL(rt->rt_gateway))) {
 /* the following is not an error when doing bridging */
Index: sbin/ifconfig/ifconfig.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.66
diff -u -p -r1.66 ifconfig.8
--- sbin/ifconfig/ifconfig.8 25 Nov 2002 16:01:28 -0000 1.66
+++ sbin/ifconfig/ifconfig.8 26 Dec 2002 19:57:41 -0000
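Review bot: The new `goto reply` in the second hunk (the header shows only the `match:` label, so presumably in_arpinput) has no comment, yet it is the line that gives the flag its security meaning: it jumps over the `arplookup` and the update code that follows, so an interface marked IFF_STATICARP never creates or refreshes an ARP entry from anything received on the wire and only entries installed through the routing socket are ever used, which is what stops a spoofed reply or gratuitous request from rewriting the table. I would put `/* Static ARP: never learn or refresh entries from received packets; still answer requests for our own addresses at reply. */` above the check. In the arpresolve hunk the combined `IFF_NOARP | IFF_STATICARP` test sits just below what looks like the resolved-entry fast path (the `return 1; }` at the top of the hunk), so statically configured entries should still resolve, while a destination without one is dropped silently with `return (0)` exactly as IFF_NOARP does, and that silent drop deserves a sentence in the comment or the man page so a missing static entry is not debugged as a link fault. The existing `XXX` about allocating an empty llinfo before this check now applies to the static case as well. Both functions start and end outside the hunks.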
@@ -227,6 +227,18 @@ addresses and
 .It Fl arp
 Disable the use of the Address Resolution Protocol
 .Pq Xr arp 4 .
+.It Cm staticarp
+If the Address Resolution Protocol is enabled,
+the host will only reply to requests for its addresses,
+and will never send any requests.
+.It Fl staticarp
+If the Address Resolution Protocol is enabled,
+the host will perform normally,
+sending out requests,
+listening for replies,
+and allowing gratuitous requests to update the
+.Tn ARP
+table.
 .It Cm broadcast
 (Inet only.)
 Specify the address to use to represent broadcasts to the
Index: sbin/ifconfig/ifconfig.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.85
diff -u -p -r1.85 ifconfig.c
--- sbin/ifconfig/ifconfig.c 15 Nov 2002 00:02:21 -0000 1.85
+++ sbin/ifconfig/ifconfig.c 26 Dec 2002 19:57:41 -0000
@@ -243,6 +243,8 @@ struct cmd {
 { "-link2", -IFF_LINK2, setifflags },
 { "monitor", IFF_MONITOR, setifflags },
 { "-monitor", -IFF_MONITOR, setifflags },
+ { "staticarp", IFF_STATICARP, setifflags },
+ { "-staticarp", -IFF_STATICARP, setifflags },
 #ifdef USE_IF_MEDIA
 { "media", NEXTARG, setmedia },
 { "mediaopt", NEXTARG, setmediaopt },
@@ -1065,7 +1067,7 @@ setifmtu(const char *val, int dummy __un
 #define IFFBITS \
 "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6SMART\7RUNNING" \
 "\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2= " \
-"\20MULTICAST\023MONITOR"
+"\20MULTICAST\023MONITOR\024STATICARP"
=20
 #define IFCAPBITS \
 "\003\1RXCSUM\2TXCSUM\3NETCONS\4VLAN_MTU\5VLAN_HWTAGGING\6JUMBO_MTU"
--CUfgB8w4ZwR/yMy5--
--6zdv2QT/q3FMhpsV
Content-Type: application/pgp-signature Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+C1/IUkv4P6juNwoRAn9FAJ9X1HFqxXl//v/dEMvEy1bW0Cgu6QCfXm3L sA/tpDjtJkSEG+4D0XDIXdU= =XcqZ
-----END PGP SIGNATURE-----
--6zdv2QT/q3FMhpsV--
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message