Date: Wed, 5 Dec 2001 19:38:59 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: "Crist J . Clark" <cjc@FreeBSD.ORG>, net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011205193859.B79705@sunbay.com>
In-Reply-To: <20011205231735.A1361@grosbein.pp.ru>
References: <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru>
On Wed, Dec 05, 2001 at 11:17:35PM +0700, Eugene Grosbein wrote:
> On Wed, Dec 05, 2001 at 04:03:16AM -0800, Crist J . Clark wrote:
>
> > > Not sure what the correct list is; this is about network security.
> > > The NOARP flag did not work for ethernet interfaces before 4.4-RELEASE.
> > > We needed a static ARP table, so we used a local patch for it.
> > > 4.4-RELEASE implemented NOARP, but in a different way.
> > See PR 31873.
>
> I have read this PR and other discussions.
> And I want to say that this 'intended' behaviour is useless for some
> configurations. A machine acting as a public gateway must respond
> to ARP requests for its IP. And it often must not allow modifying
> its ARP table. So I'm asking to have another behaviour as an option.
> Perhaps tunable as a sysctl.
>
> We have used this scheme for several years in production, keeping our local patches.
> It seems this scheme is used widely; I've seen several different patches
> implementing this since 2.2.x. We use one of them.
>
Eugene,
The patch below implements this facility, activated by setting the
net.link.ether.inet.static_arp sysctl to a non-zero value. It also
fixes an mbuf leak in arpresolve() when the IFF_NOARP flag is set on an
interface and address resolution is attempted over it.
I am also going to add support for a static ARP table to rc.conf(5),
which should address PR conf/23063.
Let me know what you think about the patch.
Index: if_ether.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.64.2.11
diff -u -p -r1.64.2.11 if_ether.c
--- if_ether.c 2001/07/25 17:27:56 1.64.2.11
+++ if_ether.c 2001/12/05 17:29:02
@@ -106,6 +106,7 @@ static int arp_inuse, arp_allocated;
static int arp_maxtries = 5;
static int useloopback = 1; /* use loopback interface for local traffic */
static int arp_proxyall = 0;
+static int static_arp = 0;
SYSCTL_INT(_net_link_ether_inet, OID_AUTO, maxtries, CTLFLAG_RW,
&arp_maxtries, 0, "");
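Review bot: the new `static_arp` variable is the only tunable in this group without a comment saying what it controls (`useloopback` two lines up has one), and a `static` variable named `static_arp` is easy to misread; add a trailing comment such as `/* 1 = never send ARP requests or learn from ARP packets */`, which is what the two later hunks make it do.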
@@ -113,6 +114,8 @@ SYSCTL_INT(_net_link_ether_inet, OID_AUT
&useloopback, 0, "");
SYSCTL_INT(_net_link_ether_inet, OID_AUTO, proxyall, CTLFLAG_RW,
&arp_proxyall, 0, "");
+SYSCTL_INT(_net_link_ether_inet, OID_AUTO, static_arp, CTLFLAG_RW,
+ &static_arp, 0, "");
static void arp_rtrequest __P((int, struct rtentry *, struct sockaddr *));
static void arprequest __P((struct arpcom *,
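Review bot: the description string for the new sysctl is empty (`&static_arp, 0, ""`); that matches the existing knobs, but this one changes security behaviour at runtime (`CTLFLAG_RW`) and deserves a one-line description visible in `sysctl -d`, plus an arp(4)/sysctl(8) manual page update since the diff touches only if_ether.c. The description should also say that the knob is global: unlike the per-interface IFF_NOARP flag it freezes the table for every interface at once.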
@@ -408,8 +411,10 @@ arpresolve(ac, rt, m, dst, desten, rt0)
* Probably should not allocate empty llinfo struct if we are
* not going to be sending out an arp request.
*/
- if (ac->ac_if.if_flags & IFF_NOARP)
+ if (ac->ac_if.if_flags & IFF_NOARP || static_arp) {
+ m_freem(m);
return (0);
+ }
/*
* There is an arptab entry, but no ethernet address
* response yet. Replace the held mbuf with this
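Review bot: the new condition `ac->ac_if.if_flags & IFF_NOARP || static_arp` relies on `&` binding tighter than `||`, which is correct C but easy to misread; write it as `if ((ac->ac_if.if_flags & IFF_NOARP) || static_arp) {`. The added `m_freem(m)` is the right fix for the leak the mail describes, since `return (0)` tells the caller the mbuf has been taken over, but this path now silently discards every packet for a destination that has no entry in the frozen table, with no counter or log; consider bumping an error counter such as if_oerrors or adding a rate-limited log so that a missing static entry shows up as a diagnosable failure rather than a silent blackhole.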
@@ -580,6 +585,8 @@ in_arpinput(m)
itaddr = myaddr;
goto reply;
}
+ if (static_arp)
+ goto reply;
la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
/* the following is not an error when doing bridging */
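Review bot: `if (static_arp) goto reply;` jumps over `arplookup()` and the block that follows it (the one whose comment says a mismatch is "not an error when doing bridging"), so with the knob set the kernel not only stops learning entries but also never compares the sender's hardware address against the entry it already holds; for a gateway that deliberately freezes its table, a sender contradicting a permanent entry is exactly the event an operator wants noticed and logged, so consider keeping the lookup and comparison and suppressing only the table update. The placement after the `itaddr = myaddr; goto reply;` block is right, since that check for our own address still runs first, and deserves a comment saying so.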
Cheers,
--
Ruslan Ermilov Oracle Developer/DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
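The procedure the mail implies for an operator (load the permanent entries, then set the sysctl, then verify nothing dynamic is left) as an added shell example; this is not code from the mail or from the FreeBSD patch. The sysctl name is the one the patch introduces; the file /etc/arp.static, its "IP MAC" line format, and the sample `arp -an` output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original mail or patch: a defender's
# checklist for a gateway that is meant to run with a frozen ARP table.
#
# Assumed procedure on the gateway (names marked as assumptions above):
#   1. arp -f /etc/arp.static                        # load the permanent entries
#   2. sysctl net.link.ether.inet.static_arp=1        # then freeze the table
#   3. arp -an | count_dynamic_arp_entries            # verify nothing dynamic remains
# Order matters: once static_arp is set, the patched arpresolve() drops packets
# to any destination that has no entry yet, so the table must be complete first.

# Constructed sample of `arp -an` output (not captured from a real host).
SAMPLE_ARP_OUTPUT='? (192.0.2.1) at 00:00:5e:00:53:01 on em0 permanent [ethernet]
? (192.0.2.2) at 00:00:5e:00:53:02 on em0 expires in 1185 seconds [ethernet]
? (192.0.2.3) at (incomplete) on em0 expired [ethernet]
? (192.0.2.4) at 00:00:5e:00:53:04 on em0 permanent [ethernet]'

# Constructed sample of the assumed /etc/arp.static format: one "IP MAC"
# pair per line; blank lines and "#" comments are ignored.
SAMPLE_STATIC_PAIRS='# gateway peers
192.0.2.1 00:00:5e:00:53:01

192.0.2.4 00:00:5e:00:53:04'

# Print every arp -an line that is not a permanent entry. Expiring and
# incomplete entries both count: either one means the kernel is still
# learning, i.e. the table is not actually frozen.
list_dynamic_arp_entries() {
    awk 'NF && !/ permanent/ { print }'
}

# Print the number of non-permanent entries (0 means the table is static).
count_dynamic_arp_entries() {
    awk 'NF && !/ permanent/ { n++ } END { print n + 0 }'
}

# Turn "IP MAC" pairs into the arp(8) commands that make them permanent.
# The commands are printed rather than executed so the example is harmless
# offline; pipe the output into sh on the gateway once the list is reviewed.
static_arp_commands() {
    awk 'NF == 2 && $1 !~ /^#/ { printf "arp -s %s %s\n", $1, $2 }'
}

# Demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_STATIC_PAIRS" | static_arp_commands
printf '%s\n' "$SAMPLE_ARP_OUTPUT" | list_dynamic_arp_entries
printf 'dynamic entries: %s\n' "$(printf '%s\n' "$SAMPLE_ARP_OUTPUT" | count_dynamic_arp_entries)"
```

On a real gateway, replace the sample variables with `arp -an` and the static pairs file; a non-zero count after step 2 means either the pairs file is incomplete or an entry was still learned before the sysctl took effect, and both are worth alarming on since the patched kernel will never fill those entries in on its own.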
