Date: Wed, 02 Jan 2008 11:26:59 -0800
From: Xin LI <delphij@delphij.net>
To: freebsd-rc@FreeBSD.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject: [RFC] rc.d script for binding static arp pairs and logging options
Message-ID: <477BE583.6080202@delphij.net>
Hi,

Here is an rc.d script that I use on my own server, which provides two functionalities:

 - Bind ARP pairs specified in rc.conf (*);
 - Set ARP logging options (+).

* Similar to routing settings, one needs to set up some sort of "ARP pairs" like this:

	static_arp_pairs="gw"
	arp_gw="172.16.1.1 00:1c:58:6a:7b:49"

+ By setting one or more of the following options to "NO" it would set the appropriate sysctl for arp logging settings to zero to disable logging:

	log_arp_permanent_modify
	log_arp_movements
	log_arp_wrong_iface

This script could be useful for those who use FreeBSD in an uncontrollable network (i.e. your network administrator does not care about viruses that attack the network with fake ARP broadcasts).

I wonder whether this script would be useful for general consumption? Other comments are also welcome :-)

Cheers,
--
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!

Content-Type: text/plain; name="arp"
Content-Disposition: inline; filename="arp"

#!/bin/sh
#
# Copyright (c) 2008 Xin LI <delphij@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Configure static ARP table and logging options
#
# $FreeBSD$
#
# PROVIDE: arp
# REQUIRE: netif
# KEYWORD: nojail

. /etc/rc.subr

name="arp"
start_cmd="arp_start"
stop_cmd="arp_stop"
extra_commands="options static"
static_cmd="static_start"
options_cmd="options_start"

arp_start()
{
	options_start
	static_start
}

arp_stop()
{
	static_stop
}

# Apply the three net.link.ether.inet.log_arp_* sysctls according to
# rc.conf.  A variable that is unset or empty leaves the kernel default
# untouched; "NO" disables that log message, anything else enables it.
options_start()
{
	echo -n 'Additional ARP logging options:'
	if [ -n "${log_arp_permanent_modify}" ]; then
		case ${log_arp_permanent_modify} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_permanent_modify=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_permanent_modify=1 >/dev/null
			;;
		esac
		echo -n ' log arp replies from MACs different than the one in the permanent arp entry;'
	fi
	if [ -n "${log_arp_movements}" ]; then
		case ${log_arp_movements} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_movements=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_movements=1 >/dev/null
			;;
		esac
		echo -n ' log arp replies from MACs different than the one in the cache;'
	fi
	if [ -n "${log_arp_wrong_iface}" ]; then
		case ${log_arp_wrong_iface} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_wrong_iface=1 >/dev/null
			;;
		esac
		echo -n ' log arp packets arriving on the wrong interface'
	fi
	echo '.'
}

# Install a permanent ARP entry for every name listed in static_arp_pairs;
# arp_<name> holds "IP MAC", which is passed to arp -S as-is.
static_start()
{
	if [ -n "${static_arp_pairs}" ]; then
		echo -n 'Binding static ARP pair:'
		for e in ${static_arp_pairs}; do
			echo -n " ${e}"
			eval arp_args=\$arp_${e}
			arp -S ${arp_args} >/dev/null 2>&1
		done
		echo '.'
	fi
}

# Remove the entries again; arp -d only wants the IP, so the MAC is
# stripped from the "IP MAC" pair first.
static_stop()
{
	if [ -n "${static_arp_pairs}" ]; then
		echo -n 'Unbinding static ARP pair:'
		for e in ${static_arp_pairs}; do
			echo -n " ${e}"
			eval arp_args=\$arp_${e}
			arp_args=`echo ${arp_args} | sed -e s,..:..:..:..:..:..,,g`
			arp -d ${arp_args} >/dev/null 2>&1
		done
		echo '.'
	fi
}

load_rc_config $name
run_rc_command "$1"
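The script above hands each arp_<name> value to arp -S with stderr discarded, so a mistyped rc.conf entry fails silently. The following is an added example, not part of Xin LI's script, that validates the "IP MAC" pairs in the same rc.conf layout before they reach arp(8); the sample configuration and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Xin LI's script: validate rc.conf-style
# ARP pairs before they reach arp(8), so a malformed entry is reported
# instead of being hidden by the script's ">/dev/null 2>&1".
# is_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
	case "$1" in
	*[!0-9.]*|.*|*.|*..*) return 1 ;;
	esac
	_ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
	[ $# -eq 4 ] || return 1
	for _o in "$@"; do
		[ "$_o" -le 255 ] || return 1
	done
}

# is_mac ADDR: 0 if ADDR is six colon-separated hex octets.
is_mac() {
	case "$1" in
	[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) return 0 ;;
	esac
	return 1
}

# check_arp_pair "IP MAC": 0 only if the pair is exactly what arp -S expects.
check_arp_pair() {
	set -- $1
	[ $# -eq 2 ] && is_ipv4 "$1" && is_mac "$2"
}

# Constructed sample configuration in the rc.conf style the script reads.
static_arp_pairs="gw bogus"
arp_gw="172.16.1.1 00:1c:58:6a:7b:49"
arp_bogus="172.16.1.300 00:11:22:33:44"   # octet out of range, MAC too short

# check_all_pairs: validate every configured pair; returns the number of bad ones.
check_all_pairs() {
	_bad=0
	for _e in ${static_arp_pairs}; do
		eval _args=\$arp_${_e}
		if check_arp_pair "$_args"; then
			echo "ok: ${_e} (${_args})"
		else
			echo "bad entry: arp_${_e}=\"${_args}\"" >&2
			_bad=$((_bad + 1))
		fi
	done
	return $_bad
}
check_all_pairs || echo "fix the entries above before enabling the service" >&2
```

Running the checker from the rc.d script's static_start before the arp -S loop would turn a silent failure into a visible one at boot.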
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?477BE583.6080202>