From owner-freebsd-security Mon Nov 27 3:19: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from samson.ff.phys.spbu.ru (gw.ff.phys.spbu.ru [195.19.232.5]) by hub.freebsd.org (Postfix) with ESMTP id 1996C37B4C5 for ; Mon, 27 Nov 2000 03:18:56 -0800 (PST)
Received: (from uucp@localhost) by samson.ff.phys.spbu.ru (8.9.3/8.9.3) with UUCP id OAA26127; Mon, 27 Nov 2000 14:24:10 +0300 (MSK)
Received: from perl.dkn (perl.dkn [192.168.1.7]) by whisky.dkn (8.8.8/8.8.7) with SMTP id OAA06846; Mon, 27 Nov 2000 14:19:25 +0300 (MSK) (envelope-from prof@infosite.ru)
Message-ID: <007201c05863$e65f8480$0701a8c0@dkn>
From: "Oleg A. Paraschenko"
To: , "Dominick LaTrappe"
Cc:
References: <200011252212.PAA26585@faith.cs.utah.edu> <20001126123153.D70192@149.211.6.64.reflexcom.com>
Subject: Re: static ARP tables
Date: Mon, 27 Nov 2000 14:19:25 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

> > What I'd really like to see is a 'static' flag that can be added to
> > individual ARP table entries. I have several networks with servers and
> > routers whose MAC/IP/switchport associations should never change, but also
> > workstations that change all the time.

>      -s hostname ether_addr
>              Create an ARP entry for the host called hostname with the Ether-
>              net address ether_addr. The Ethernet address is given as six hex
>              bytes separated by colons. The entry will be permanent unless
>                                                           ^^^^^^^^^
>              the word temp is given in the command.

In FreeBSD 2.2.7 the term 'permanent' means that the kernel will not delete the ARP entry after a period of inactivity of the workstation. Any host on the network can change its IP, and the kernel will say 'arp: %s moved from %6D to %6D', even if the IP/MAC is set to 'permanent'.
> > I'm going to try to work on a patch for this, though maybe someone already
> > knows a hack?

I changed '/sys/netinet/if_ether.c' in order to disable IP/MAC changes.

---- Old file
        ...
        la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
        if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
                /* resolved entry whose address differs: log, then overwrite */
                if (sdl->sdl_alen &&
                    bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen))
                        log(LOG_INFO, "arp: %s moved from %6D to %6D\n",
                            inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
                            ea->arp_sha, ":");
                (void)memcpy(LLADDR(sdl), ea->arp_sha, sizeof(ea->arp_sha));
                sdl->sdl_alen = sizeof(ea->arp_sha);
        ...
----- New file
        ...
        if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
#ifndef DONT_MOVE_ARP
                /* stock behaviour: log the change and take the new address */
                if (sdl->sdl_alen &&
                    bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen))
                        log(LOG_INFO, "arp: %s moved from %6D to %6D\n",
                            inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
                            ea->arp_sha, ":");
                (void)memcpy(LLADDR(sdl), ea->arp_sha, sizeof(ea->arp_sha));
#else /* DONT_MOVE_ARP */
                /* keep the address already in the entry; only log the attempt.
                 * An unresolved entry (sdl_alen == 0) is still filled in. */
                if (sdl->sdl_alen &&
                    bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen)) {
                        log(LOG_INFO, "arp: %s will not be moved from %6D to %6D\n",
                            inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
                            ea->arp_sha, ":");
                } else {
                        (void)memcpy(LLADDR(sdl), ea->arp_sha, sizeof(ea->arp_sha));
                }
#endif /* DONT_MOVE_ARP */
                sdl->sdl_alen = sizeof(ea->arp_sha);
        ...
--------

Probably it is not what you want, but you can start with it.

Bye!
----
Oleg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
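The decision the patched block makes, modelled in user-space C as an added example (this is not Oleg's patch or FreeBSD kernel code; `struct arp_entry`, `arp_update` and the sample addresses are invented stand-ins for the kernel's sockaddr_dl and the in_arpinput() path): an unresolved entry is filled in, a matching sender address is a no-op, and a conflicting one is either overwritten with a "moved" log line (stock kernel) or kept with a "will not be moved" line (DONT_MOVE_ARP).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the sockaddr_dl the kernel keeps per ARP entry:
 * link-layer address plus its length (alen == 0 means unresolved). */
struct arp_entry {
    uint8_t addr[6];
    size_t  alen;
};

enum arp_result { ARP_FILLED, ARP_UNCHANGED, ARP_MOVED, ARP_REFUSED };

/* Render a MAC the way the kernel's %6D with a ":" separator does. */
static void fmt_mac(const uint8_t *m, char *out, size_t n)
{
    snprintf(out, n, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Apply an ARP packet from `ip` with sender hardware address `sha` to `e`.
 * refuse_moves == 0 models the stock 2.2.7 kernel (overwrite and log);
 * nonzero models the DONT_MOVE_ARP build (keep the old address and log).
 * The log line the kernel would emit is written to `msg` (empty if none). */
enum arp_result arp_update(struct arp_entry *e, const char *ip,
                           const uint8_t *sha, int refuse_moves,
                           char *msg, size_t n)
{
    char oldmac[18], newmac[18];
    enum arp_result r;

    msg[0] = '\0';
    if (e->alen == 0) {                      /* unresolved: always fill in */
        r = ARP_FILLED;
    } else if (memcmp(sha, e->addr, e->alen) == 0) {
        r = ARP_UNCHANGED;                   /* same address: nothing to do */
    } else {                                 /* conflicting sender address */
        fmt_mac(e->addr, oldmac, sizeof oldmac);
        fmt_mac(sha, newmac, sizeof newmac);
        r = refuse_moves ? ARP_REFUSED : ARP_MOVED;
        snprintf(msg, n, "arp: %s %s from %s to %s", ip,
                 r == ARP_MOVED ? "moved" : "will not be moved",
                 oldmac, newmac);
    }
    if (r != ARP_REFUSED)
        memcpy(e->addr, sha, sizeof e->addr);
    e->alen = sizeof e->addr;                /* both kernel variants set this */
    return r;
}
```

The model also makes the trade-off visible: with refuse_moves set, a host whose NIC legitimately changes stays unreachable until its entry is removed by hand (arp -d), so the "will not be moved" log line is worth alerting on in both cases.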