From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:46:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 925FA16A4B3 for ; Wed, 24 Sep 2003 10:46:59 -0700 (PDT) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6C2E43FBD for ; Wed, 24 Sep 2003 10:46:46 -0700 (PDT) (envelope-from ru@sunbay.com) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) h8OHkfrX036777 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Sep 2003 20:46:41 +0300 (EEST) (envelope-from ru@sunbay.com) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.9/8.12.8/Submit) id h8OHkWNt036771; Wed, 24 Sep 2003 20:46:32 +0300 (EEST) (envelope-from ru) Date: Wed, 24 Sep 2003 20:46:32 +0300 From: Ruslan Ermilov To: Bruce M Simpson Message-ID: <20030924174632.GB31618@sunbay.com> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <20030924173900.GK650@saboteur.dek.spc.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="jousvV0MzM2p6OtC" Content-Disposition: inline In-Reply-To: <20030924173900.GK650@saboteur.dek.spc.org> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:46:59 -0000 --jousvV0MzM2p6OtC Content-Type: multipart/mixed; boundary="rJwd6BRFiFCcLxzm" Content-Disposition: inline --rJwd6BRFiFCcLxzm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 24, 2003 at 06:39:00PM +0100, Bruce M Simpson wrote: > On Wed, Sep 24, 2003 at 07:21:11PM +0300, Ruslan Ermilov wrote: > > On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote: > > > Using static ARP entries and turning off ARP on the interface > > > should be a workaround. Whether this is remotely feasible > > > depends on your situation. > > >=20 > > I still have not committed the code that supports static ARP > > on an interface -- there's currently no way to do static ARP > > only, if you disable ARP on an interface it will be disabled > > in its whole. >=20 > I'd like to review and potentially test this patch before it goes in, as = it > sounds interesting and useful to us. >=20 Attached. Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer --rJwd6BRFiFCcLxzm Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Content-Transfer-Encoding: quoted-printable Index: sys/net/if.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/net/if.h,v retrieving revision 1.81 diff -u -p -u -r1.81 if.h --- sys/net/if.h 14 Nov 2002 23:16:18 -0000 1.81 +++ sys/net/if.h 26 Dec 2002 15:46:31 -0000 @@ -150,6 +150,7 @@ struct if_data { #define IFF_POLLING 0x10000 /* Interface is in polling mode. */ #define IFF_PPROMISC 0x20000 /* user-requested promisc mode */ #define IFF_MONITOR 0x40000 /* user-requested monitor mode */ +#define IFF_STATICARP 0x80000 /* static ARP */ =20 /* flags set internally only: */ #define IFF_CANTCHANGE \ Index: sys/netinet/if_ether.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v retrieving revision 1.105 diff -u -p -u -r1.105 if_ether.c --- sys/netinet/if_ether.c 23 Sep 2003 16:39:31 -0000 1.105 +++ sys/netinet/if_ether.c 24 Sep 2003 00:10:06 -0000 @@ -454,12 +454,12 @@ arpresolve(ifp, rt, m, dst, desten, rt0) return 1; } /* - * If ARP is disabled on this interface, stop. + * If ARP is disabled or static on this interface, stop. * XXX * Probably should not allocate empty llinfo struct if we are * not going to be sending out an arp request. */ - if (ifp->if_flags & IFF_NOARP) { + if (ifp->if_flags & (IFF_NOARP | IFF_STATICARP)) { m_freem(m); return (0); } @@ -650,6 +650,8 @@ match: itaddr =3D myaddr; goto reply; } + if (ifp->if_flags & IFF_STATICARP) + goto reply; la =3D arplookup(isaddr.s_addr, itaddr.s_addr =3D=3D myaddr.s_addr, 0); if (la && (rt =3D la->la_rt) && (sdl =3D SDL(rt->rt_gateway))) { /* the following is not an error when doing bridging */ Index: sbin/ifconfig/ifconfig.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.71 diff -u -p -u -r1.71 ifconfig.8 --- sbin/ifconfig/ifconfig.8 14 May 2003 16:22:16 -0000 1.71 +++ sbin/ifconfig/ifconfig.8 15 May 2003 00:08:09 -0000 @@ -227,6 +227,18 @@ addresses and .It Fl arp Disable the use of the Address Resolution Protocol .Pq Xr arp 4 . +.It Cm staticarp +If the Address Resolution Protocol is enabled, +the host will only reply to requests for its addresses, +and will never send any requests. +.It Fl staticarp +If the Address Resolution Protocol is enabled, +the host will perform normally, +sending out requests, +listening for replies, +and allowing gratuitous requests to update the +.Tn ARP +table. .It Cm broadcast (Inet only.) Specify the address to use to represent broadcasts to the Index: sbin/ifconfig/ifconfig.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.c,v retrieving revision 1.90 diff -u -p -u -r1.90 ifconfig.c --- sbin/ifconfig/ifconfig.c 28 Apr 2003 16:37:38 -0000 1.90 +++ sbin/ifconfig/ifconfig.c 30 Apr 2003 07:02:20 -0000 @@ -234,6 +234,8 @@ struct cmd { { "-link2", -IFF_LINK2, setifflags }, { "monitor", IFF_MONITOR, setifflags }, { "-monitor", -IFF_MONITOR, setifflags }, + { "staticarp", IFF_STATICARP, setifflags }, + { "-staticarp", -IFF_STATICARP, setifflags }, #ifdef USE_IF_MEDIA { "media", NEXTARG, setmedia }, { "mode", NEXTARG, setmediamode }, @@ -1037,7 +1039,7 @@ setifmtu(const char *val, int dummy __un #define IFFBITS \ "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6SMART\7RUNNING" \ "\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2= " \ -"\20MULTICAST\023MONITOR" +"\20MULTICAST\023MONITOR\024STATICARP" =20 #define IFCAPBITS \ "\003\1RXCSUM\2TXCSUM\3NETCONS\4VLAN_MTU\5VLAN_HWTAGGING\6JUMBO_MTU" --rJwd6BRFiFCcLxzm-- --jousvV0MzM2p6OtC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/cdh4Ukv4P6juNwoRAviOAJ4h8KSEganpveJ8S9O36Ihej+EcOgCeJZki WvoCBGReN5KsakdZ0oXOBFA= =CZpH -----END PGP SIGNATURE----- --jousvV0MzM2p6OtC--