Date:      Wed, 24 Sep 2003 20:46:32 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Bruce M Simpson <bms@spc.org>
Cc:        security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp
Message-ID:  <20030924174632.GB31618@sunbay.com>
In-Reply-To: <20030924173900.GK650@saboteur.dek.spc.org>
References:  <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <20030924173900.GK650@saboteur.dek.spc.org>


--jousvV0MzM2p6OtC
Content-Type: multipart/mixed; boundary="rJwd6BRFiFCcLxzm"
Content-Disposition: inline


--rJwd6BRFiFCcLxzm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Sep 24, 2003 at 06:39:00PM +0100, Bruce M Simpson wrote:
> On Wed, Sep 24, 2003 at 07:21:11PM +0300, Ruslan Ermilov wrote:
> > On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote:
> > > Using static ARP entries and turning off ARP on the interface
> > > should be a workaround.  Whether this is remotely feasible
> > > depends on your situation.
> > >=20
> > I still have not committed the code that supports static ARP
> > on an interface -- there's currently no way to do static ARP
> > only, if you disable ARP on an interface it will be disabled
> > in its whole.
>=20
> I'd like to review and potentially test this patch before it goes in, as it
> sounds interesting and useful to us.
>=20
Attached.


Cheers,
--=20
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer

--rJwd6BRFiFCcLxzm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p
Content-Transfer-Encoding: quoted-printable

Index: sys/net/if.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/net/if.h,v
retrieving revision 1.81
diff -u -p -u -r1.81 if.h
--- sys/net/if.h	14 Nov 2002 23:16:18 -0000	1.81
+++ sys/net/if.h	26 Dec 2002 15:46:31 -0000
@@ -150,6 +150,7 @@ struct if_data {
 #define	IFF_POLLING	0x10000		/* Interface is in polling mode. */
 #define	IFF_PPROMISC	0x20000		/* user-requested promisc mode */
 #define	IFF_MONITOR	0x40000		/* user-requested monitor mode */
+#define	IFF_STATICARP	0x80000		/* static ARP */
=20
 /* flags set internally only: */
 #define	IFF_CANTCHANGE \
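Review bot: The comment on the new flag, `/* static ARP */`, says less than the rest of this patch does: the ifconfig.8 hunk defines the mode as replying to requests for the host's own addresses while never sending requests and never letting received ARP traffic update the table. Since if.h is where the meaning of a flag is looked up, suggest `/* static ARP: reply only, never learn or request */`. It would also help to record that the flag only has an effect while IFF_NOARP is clear, which the ifconfig.8 text ("If the Address Resolution Protocol is enabled") implies but the header does not. The IFF_CANTCHANGE list that starts on the last line continues outside the hunk, so whether the new bit is (correctly) left user-changeable cannot be confirmed from here.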
Index: sys/netinet/if_ether.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.105
diff -u -p -u -r1.105 if_ether.c
--- sys/netinet/if_ether.c	23 Sep 2003 16:39:31 -0000	1.105
+++ sys/netinet/if_ether.c	24 Sep 2003 00:10:06 -0000
@@ -454,12 +454,12 @@ arpresolve(ifp, rt, m, dst, desten, rt0)
 		return 1;
 	}
 	/*
-	 * If ARP is disabled on this interface, stop.
+	 * If ARP is disabled or static on this interface, stop.
 	 * XXX
 	 * Probably should not allocate empty llinfo struct if we are
 	 * not going to be sending out an arp request.
 	 */
-	if (ifp->if_flags & IFF_NOARP) {
+	if (ifp->if_flags & (IFF_NOARP | IFF_STATICARP)) {
 		m_freem(m);
 		return (0);
 	}
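Review bot: The widened test `if (ifp->if_flags & (IFF_NOARP | IFF_STATICARP))` frees the packet and returns 0 for every destination without a resolved entry, which on a static-ARP interface means every host the operator has not configured, and nothing distinguishes that silent drop from the NOARP case it was written for. The XXX above it also gains weight: by this point an llinfo entry has already been looked up with create set (outside the hunk), so in static mode each unconfigured destination still leaves an empty entry behind even though no request will ever fill it. At minimum the comment should say that a static-ARP drop is a configuration gap rather than a transient, e.g. `* If ARP is disabled or static on this interface, stop; with static ARP an unresolved destination means a missing static entry.`, and a rate-limited log in the IFF_STATICARP case would make that gap visible instead of looking like a dead host. arpresolve's body begins and ends outside the hunk.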
@@ -650,6 +650,8 @@ match:
 		itaddr =3D myaddr;
 		goto reply;
 	}
+	if (ifp->if_flags & IFF_STATICARP)
+		goto reply;
 	la =3D arplookup(isaddr.s_addr, itaddr.s_addr =3D=3D myaddr.s_addr, 0);
 	if (la && (rt =3D la->la_rt) && (sdl =3D SDL(rt->rt_gateway))) {
 		/* the following is not an error when doing bridging */
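Review bot: The new `goto reply` placed after the duplicate-address check skips the entire sender-caching block that follows, which is the point of the mode, but it also skips the place where a received mapping that disagrees with the stored hardware address would be noticed (the `la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))` branch, which continues outside the hunk). On a static-ARP interface that disagreement is exactly what an operator wants to see, a host claiming an address pinned to a different MAC, and with this patch it leaves no trace. Suggest looking the sender up without creating an entry and logging the conflict before jumping to reply, as sketched below; the log would want rate-limiting since the traffic is unsolicited. in_arpinput's body begins and ends outside the hunk.
```c
	if (ifp->if_flags & IFF_STATICARP) {
		/*
		 * Static mode: never learn from received ARP, but make a
		 * claim that conflicts with a static entry visible.
		 */
		la = arplookup(isaddr.s_addr, 0, 0);
		if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway)) &&
		    sdl->sdl_alen != 0 &&
		    bcmp(ar_sha(ah), LLADDR(sdl), ah->ar_hln) != 0)
			log(LOG_WARNING,
			    "arp: %s conflicts with static entry\n",
			    inet_ntoa(isaddr));
		goto reply;
	}
	/* … unchanged: arplookup with create and the caching block … */
```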
Index: sbin/ifconfig/ifconfig.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.71
diff -u -p -u -r1.71 ifconfig.8
--- sbin/ifconfig/ifconfig.8	14 May 2003 16:22:16 -0000	1.71
+++ sbin/ifconfig/ifconfig.8	15 May 2003 00:08:09 -0000
@@ -227,6 +227,18 @@ addresses and
 .It Fl arp
 Disable the use of the Address Resolution Protocol
 .Pq Xr arp 4 .
+.It Cm staticarp
+If the Address Resolution Protocol is enabled,
+the host will only reply to requests for its addresses,
+and will never send any requests.
+.It Fl staticarp
+If the Address Resolution Protocol is enabled,
+the host will perform normally,
+sending out requests,
+listening for replies,
+and allowing gratuitous requests to update the
+.Tn ARP
+table.
 .It Cm broadcast
 (Inet only.)
 Specify the address to use to represent broadcasts to the
Index: sbin/ifconfig/ifconfig.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.90
diff -u -p -u -r1.90 ifconfig.c
--- sbin/ifconfig/ifconfig.c	28 Apr 2003 16:37:38 -0000	1.90
+++ sbin/ifconfig/ifconfig.c	30 Apr 2003 07:02:20 -0000
@@ -234,6 +234,8 @@ struct	cmd {
 	{ "-link2",	-IFF_LINK2,	setifflags },
 	{ "monitor",	IFF_MONITOR,	setifflags },
 	{ "-monitor",	-IFF_MONITOR,	setifflags },
+	{ "staticarp",	IFF_STATICARP,	setifflags },
+	{ "-staticarp",	-IFF_STATICARP,	setifflags },
 #ifdef USE_IF_MEDIA
 	{ "media",	NEXTARG,	setmedia },
 	{ "mode",	NEXTARG,	setmediamode },
@@ -1037,7 +1039,7 @@ setifmtu(const char *val, int dummy __un
 #define	IFFBITS \
 "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6SMART\7RUNNING" \
 "\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2=
" \
-"\20MULTICAST\023MONITOR"
+"\20MULTICAST\023MONITOR\024STATICARP"
=20
 #define	IFCAPBITS \
 "\003\1RXCSUM\2TXCSUM\3NETCONS\4VLAN_MTU\5VLAN_HWTAGGING\6JUMBO_MTU"

--rJwd6BRFiFCcLxzm--

--jousvV0MzM2p6OtC
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/cdh4Ukv4P6juNwoRAviOAJ4h8KSEganpveJ8S9O36Ihej+EcOgCeJZki
WvoCBGReN5KsakdZ0oXOBFA=
=CZpH
-----END PGP SIGNATURE-----

--jousvV0MzM2p6OtC--


