From owner-freebsd-security  Tue Dec  4 21:44:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80])
	by hub.freebsd.org (Postfix) with ESMTP
	id D340C37B419; Tue,  4 Dec 2001 21:44:27 -0800 (PST)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.11.6/8.11.6) id fB55iUE84014;
	Wed, 5 Dec 2001 12:44:30 +0700 (KRAT)
	(envelope-from eugen)
Date: Wed, 5 Dec 2001 12:44:30 +0700
From: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To: security@freebsd.org
Cc: net@freebsd.org
Subject: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011205124430.A83642@svzserv.kemerovo.su>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hi!
Not sure what is correct list, this is about network security.

Flag NOARP did not work for ethernet interface before 4.4-RELEASE.
We needed static ARP table so used local patch for it.
4.4-RELEASE implemented NOARP but in the different way.

Now a router even does not respond to clients asking for its link address,
that is not very wise. We cannot force all our clients to use static
ARP entries for our router (their gateway). So we patched 4.4 sources again.
The needed behavour is static ARP table filled at boot time with arp(8)
and there must be answers for router's own ethernet address. 
Can there be an option to enable this behavour in FreeBSD distribution?

Here is a patch for 4.4. Please review.

--- netinet/if_ether.c.orig	Mon Aug  6 15:26:06 2001
+++ netinet/if_ether.c	Sun Nov 11 21:01:07 2001
@@ -408,8 +408,10 @@
 	 * Probably should not allocate empty llinfo struct if we are
 	 * not going to be sending out an arp request.
 	 */
+/*VK
 	if (ac->ac_if.if_flags & IFF_NOARP)
 		return (0);
+VK*/
 	/*
 	 * There is an arptab entry, but no ethernet address
 	 * response yet.  Replace the held mbuf with this
@@ -580,6 +582,7 @@
 		itaddr = myaddr;
 		goto reply;
 	}
+/*VV*/	if (!(ac->ac_if.if_flags & IFF_NOARP)) {
 	la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
 	if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
 		/* the following is not an error when doing bridging */
@@ -651,6 +654,7 @@
 			la->la_hold = 0;
 		}
 	}
+/*VV*/	}
 reply:
 	if (op != ARPOP_REQUEST) {
 		m_freem(m);
--- net/if_ethersubr.c.orig	Wed Nov  7 22:34:36 2001
+++ net/if_ethersubr.c	Sun Nov 11 21:10:20 2001
@@ -554,11 +554,12 @@
 		break;
 
 	case ETHERTYPE_ARP:
-		if (ifp->if_flags & IFF_NOARP) {
+/*VK		if (ifp->if_flags & IFF_NOARP) { VK*/
 			/* Discard packet if ARP is disabled on interface */
-			m_freem(m);
+/*VK			m_freem(m);
 			return;
 		}
+VK*/
 		schednetisr(NETISR_ARP);
 		inq = &arpintrq;
 		break;

Eugene Grosbein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message