From owner-freebsd-current@FreeBSD.ORG Mon Feb 21 20:48:57 2005
Date: Mon, 21 Feb 2005 23:48:55 +0300 (MSK)
From: Maxim Konovalov <maxim@macomnet.ru>
To: gnn@freebsd.org
cc: current@freebsd.org
Subject: Re: OpenBSD's tcpdrop(8)
Message-ID: <20050221233338.B70997@mp2.macomnet.net>
References: <20050123193559.V91742@mp2.macomnet.net>
List-Id: Discussions about the use of FreeBSD-current

George,

On Tue, 22 Feb 2005, 00:34+0900, gnn@freebsd.org wrote:
> At Sun, 23 Jan 2005 20:05:26 +0300 (MSK),
> Maxim Konovalov wrote:
> >
> > Hello,
> >
> > I've ported OpenBSD's tcpdrop(8) and a relevant kernel part.
> > From the man page, http://tinyurl.com/4lvo9
> >
> > The tcpdrop command drops the TCP connection specified by the local
> > address laddr, port lport and the foreign address faddr, port fport.
> >
> > There are patches for HEAD and RELENG_4:
> >
> > http://people.freebsd.org/~maxim/diff/tcpdrop.diff
> > http://people.freebsd.org/~maxim/diff/tcpdrop.diff-4
> >
> > Two questions: do we want to have it in the base system? Does the
> > diff look OK (I didn't test the IPv6 part)?
>
> Hi Maxim,
>
> I finally got around to testing this on IPv6. It was not an
> exhaustive test, but I used NetPIPE to run a client and server over
> localhost (::1) for IPv6 and then forced a drop. The machine is a
> PIII SMP box (elephant, if you know the test lab stuff). No problems
> encountered, and I can only do the drop as root, which is what I would
> hope and expect.

Thank you very much for testing! A version with the correct locking
(rwatson@) and improved IPv6 (ume@) is already in the tree.

> A very cool feature. I vote for it being in the base system. Are
> there jail issues? I haven't thought that aspect of the security of
> this feature through yet.

We do not allow sysctls to be modified in a jail by default (the
!CTLFLAG_PRISON case), so I think net.inet.tcp.drop is jail-safe. And
it does not allow a jail to discover an existing (or non-existent) TCP
connection in the host system.

--
Maxim Konovalov
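The interface the thread describes, a local endpoint and a foreign endpoint handed to the kernel through the write-only net.inet.tcp.drop sysctl, which only root may use and which is not reachable from inside a jail, can be driven from a small program. The following is an added example written for this page; it is not Maxim's tcpdrop(8) port or the in-tree FreeBSD code, and the td_* names and the tcpdrop_req struct are invented here. It assumes that the sysctl's new-value buffer is an array of two struct sockaddr_storage with the foreign endpoint first and the local endpoint second, which is how the committed tcpdrop(8) is understood to lay it out; check that order against the tcpdrop(8) source on your system before relying on it. Everything except the final sysctlbyname call is portable and works offline (numeric addresses only), so the request building and the same-family check can be exercised on any host.

```c
#if !defined(__FreeBSD__) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo visibility under strict -std on glibc */
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif

/* Assumed payload of net.inet.tcp.drop: two sockaddr_storage, foreign
 * endpoint first, local endpoint second. Verify against tcpdrop(8). */
enum { TD_FOREIGN = 0, TD_LOCAL = 1 };

struct tcpdrop_req {
    struct sockaddr_storage addrs[2];
};

/* Turn a numeric host/port pair into a sockaddr without consulting the
 * resolver (AI_NUMERICHOST|AI_NUMERICSERV), so this runs offline.
 * Returns 0 on success or the getaddrinfo error code. */
static int td_parse_endpoint(const char *host, const char *port,
                             struct sockaddr_storage *out)
{
    struct addrinfo hints, *res;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family   = AF_UNSPEC;           /* IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    hints.ai_flags    = AI_NUMERICHOST | AI_NUMERICSERV;
    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0)
        return rc;
    memset(out, 0, sizeof *out);
    memcpy(out, res->ai_addr, res->ai_addrlen);
    freeaddrinfo(res);
    return 0;
}

/* Build the request from laddr/lport/faddr/fport as tcpdrop(8) takes them.
 * Both endpoints must share one address family, since the kernel looks the
 * tuple up under a single family. Returns 0, EINVAL (unparseable endpoint)
 * or EAFNOSUPPORT (mixed or unsupported families). */
int td_build_request(const char *laddr, const char *lport,
                     const char *faddr, const char *fport,
                     struct tcpdrop_req *req)
{
    memset(req, 0, sizeof *req);
    if (td_parse_endpoint(laddr, lport, &req->addrs[TD_LOCAL]) != 0)
        return EINVAL;
    if (td_parse_endpoint(faddr, fport, &req->addrs[TD_FOREIGN]) != 0)
        return EINVAL;
    if (req->addrs[TD_LOCAL].ss_family != req->addrs[TD_FOREIGN].ss_family)
        return EAFNOSUPPORT;
    if (req->addrs[TD_LOCAL].ss_family != AF_INET &&
        req->addrs[TD_LOCAL].ss_family != AF_INET6)
        return EAFNOSUPPORT;
    return 0;
}

/* Port of one stored endpoint in host byte order (0 if unset). */
unsigned td_port(const struct tcpdrop_req *req, int which)
{
    const struct sockaddr_storage *ss = &req->addrs[which];
    if (ss->ss_family == AF_INET)
        return ntohs(((const struct sockaddr_in *)ss)->sin_port);
    if (ss->ss_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    return 0;
}

/* Hand the tuple to the kernel. The sysctl is write-only, so nothing is
 * read back and an unprivileged caller cannot use it to probe for live
 * connections. Needs root; inside a jail the write is refused. Returns 0
 * or errno; ENOSYS on non-FreeBSD hosts, where the sysctl does not exist. */
int td_drop(const struct tcpdrop_req *req)
{
#ifdef __FreeBSD__
    if (sysctlbyname("net.inet.tcp.drop", NULL, NULL,
                     req->addrs, sizeof req->addrs) == -1)
        return errno;
    return 0;
#else
    (void)req;
    return ENOSYS;
#endif
}

int main(int argc, char **argv)
{
    struct tcpdrop_req req;
    int rc;

    if (argc != 5) {
        fprintf(stderr, "usage: %s laddr lport faddr fport\n", argv[0]);
        return 2;
    }
    rc = td_build_request(argv[1], argv[2], argv[3], argv[4], &req);
    if (rc == 0)
        rc = td_drop(&req);
    if (rc != 0)
        fprintf(stderr, "tcpdrop: %s\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

On FreeBSD, run it as root against an established connection's local and foreign tuple (the same four arguments tcpdrop(8) takes); as an unprivileged user, or from inside a jail, sysctlbyname fails and td_drop returns the errno (typically EPERM), which is the root-only behaviour George observed and the jail safety Maxim describes. Because the sysctl cannot be read, a failed write reveals nothing about whether the tuple exists.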