From owner-freebsd-security Wed Dec 5 10:32:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP id A924837B405;
	Wed, 5 Dec 2001 10:31:34 -0800 (PST)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fB5IV0C90013;
	Wed, 5 Dec 2001 20:31:00 +0200 (EET)
	(envelope-from ru)
Date: Wed, 5 Dec 2001 20:31:00 +0200
From: Ruslan Ermilov
To: Eugene Grosbein
Cc: "Crist J . Clark" , net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011205203100.A89520@sunbay.com>
References: <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011205193859.B79705@sunbay.com>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Dec 05, 2001 at 07:38:59PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 05, 2001 at 11:17:35PM +0700, Eugene Grosbein wrote:
> > On Wed, Dec 05, 2001 at 04:03:16AM -0800, Crist J . Clark wrote:
> >
> > > > Not sure what is correct list, this is about network security.
> > > > Flag NOARP did not work for ethernet interface before 4.4-RELEASE.
> > > > We needed static ARP table so used local patch for it.
> > > > 4.4-RELEASE implemented NOARP but in the different way.
> > > See PR 31873.
> >
> > I have read this PR and other discussions.
> > And I want to say that this 'intended' behaviour is useless for some
> > configurations. A machine acting as public gateway must respond
> > to ARP requests for its IP. And it often must not allow modifying
> > its ARP table. So I'm asking to have another behaviour as an option.
> > Perhaps, tunable as sysctl.
> >
> > We use this scheme several years in production, keeping our local patches.
> > It seems this scheme is used widely, I've seen several different patches
> > implementing this since 2.2.x. We use one of them.
> >
> Eugene,
>
> The below patch implements this facility, activated by setting the
> net.link.ether.inet.static_arp sysctl to a non-zero value.
> It also
> fixes an mbuf leak in arpresolve() if IFF_NOARP flag is set on an
> interface, and an address resolution is attempted over it.
>
> I am also going to add support for static ARP table to rc.conf(5),
> which should address PR conf/23063.
>
> Let me know what you think about the patch.
>
Here's the version for -CURRENT:

Index: if_ether.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v retrieving revision 1.88 diff -u -p -r1.88 if_ether.c --- if_ether.c 5 Dec 2001 18:13:34 -0000 1.88 +++ if_ether.c 5 Dec 2001 18:26:00 -0000 @@ -107,6 +107,7 @@ static int arp_inuse, arp_allocated; static int arp_maxtries = 5; static int useloopback = 1; /* use loopback interface for local traffic */ static int arp_proxyall = 0; +static int static_arp = 0; SYSCTL_INT(_net_link_ether_inet, OID_AUTO, maxtries, CTLFLAG_RW, &arp_maxtries, 0, ""); @@ -114,6 +115,8 @@ SYSCTL_INT(_net_link_ether_inet, OID_AUT &useloopback, 0, ""); SYSCTL_INT(_net_link_ether_inet, OID_AUTO, proxyall, CTLFLAG_RW, &arp_proxyall, 0, ""); +SYSCTL_INT(_net_link_ether_inet, OID_AUTO, static_arp, CTLFLAG_RW, + &static_arp, 0, ""); static void arp_init __P((void)); static void arp_rtrequest __P((int, struct rtentry *, struct rt_addrinfo *)); @@ -436,7 +439,7 @@ arpresolve(ifp, rt, m, dst, desten, rt0) * Probably should not allocate empty llinfo struct if we are * not going to be sending out an arp request. */ - if (ifp->if_flags & IFF_NOARP) { + if (ifp->if_flags & IFF_NOARP || static_arp) { m_freem(m); return (0); }
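Review bot: the SYSCTL_INT for static_arp in the second hunk (@@ -114,6 +115,8 @@) is registered with an empty description string, and nothing in the patch documents the new net.link.ether.inet.static_arp OID. The neighbouring maxtries/useloopback/proxyall entries are equally bare, but this knob changes security-relevant behaviour for every interface at once (no ARP requests are sent for unknown hosts, and received ARP traffic no longer updates the table), so give it a real description, e.g. `&static_arp, 0, "Never send ARP requests or update the ARP table from received ARP packets");`, and document it together with the rc.conf(5) work mentioned in the mail, including the consequence that enabling it without a complete `arp -s` table cuts off every host that has no entry.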
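Review bot: in the third hunk (@@ -436,7 +439,7 @@) the condition `ifp->if_flags & IFF_NOARP || static_arp` relies on `&` binding tighter than `||`; it is correct, but parenthesise the bitwise test, `(ifp->if_flags & IFF_NOARP) || static_arp`, per style(9) so a reader does not have to stop and check precedence. Two further points on the same line: static_arp is a single global, so unlike IFF_NOARP it cannot be applied to one interface of a multi-homed gateway, and the drop is silent (m_freem() and return 0, no counter, no log), so a host missing from the static table simply vanishes; on a frozen table a rate-limited log line here is the first thing an operator will look for. Also worth confirming, since the surrounding comment says this branch is the "not going to be sending out an arp request" case reached only when no llinfo exists: an entry learned dynamically before the sysctl was set still goes through the normal expiry and re-request path later in arpresolve(), so if the intent is "never send ARP requests", that path needs the same test.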
@@ -632,6 +635,8 @@ match: itaddr = myaddr; goto reply; } + if (static_arp) + goto reply; la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0); if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) { /* the following is not an error when doing bridging */

Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
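Review bot: `if (static_arp) goto reply;` in the last hunk (@@ -632,6 +635,8 @@) jumps over the whole arplookup() block that follows, including the comparison of the sender's hardware address with the stored entry that begins at `if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway)))` (the "not an error when doing bridging" comment refers to that comparison). For a frozen table that comparison is the useful part: a request or reply whose sender address disagrees with the static entry is exactly the spoofing attempt the operator froze the table to resist, and with this patch it passes unnoticed. Suggest keeping the lookup and the mismatch log and skipping only the write to the entry, i.e. jump to reply after the comparison rather than before the lookup. Separately, nothing in the patch expires or removes entries learned before static_arp was set to 1, so the documentation should say to set it before the interface comes up, or to flush with `arp -d -a` and reload the static entries afterwards.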
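As an added illustration, not part of Ruslan's mail and not code from the FreeBSD tree: a small audit an operator of a gateway using this facility could run to confirm the table really is frozen. It assumes the sysctl name from the posted patch, net.link.ether.inet.static_arp, and the classic `arp -an` line format shown in the comments; the sample dump is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mail or from FreeBSD: check that a
# gateway's ARP table is really frozen.  Assumes (1) the sysctl name from the
# posted patch, net.link.ether.inet.static_arp, and (2) the classic "arp -an"
# output format, one entry per line, e.g.
#   ? (10.0.0.1) at 00:11:22:33:44:55 on fxp0 permanent [ethernet]
#   ? (10.0.0.2) at 00:11:22:33:44:66 on fxp0 [ethernet]
#   ? (10.0.0.3) at (incomplete) on fxp0 [ethernet]
# Anything without the word "permanent" is treated as dynamic, including
# incomplete entries, because both were created by traffic, not by arp -s.

# Print every entry line from an "arp -an" dump on stdin that is not permanent.
nonpermanent_entries() {
    awk '/ at / && !/ permanent / { print }'
}

# Print the number of non-permanent entries in the dump on stdin (0 if none).
count_nonpermanent() {
    nonpermanent_entries | awk 'END { print NR }'
}

# Overall verdict.  $1 is the value of net.link.ether.inet.static_arp, the
# "arp -an" dump comes on stdin.  Returns 0 only when the sysctl is 1 and
# every entry is permanent; prints one line explaining the result.
arp_table_frozen() {
    n=$(count_nonpermanent)
    if [ "$1" != 1 ]; then
        echo "NOT FROZEN: net.link.ether.inet.static_arp=$1, kernel still learns from ARP traffic"
        return 1
    fi
    if [ "$n" -ne 0 ]; then
        echo "NOT FROZEN: $n non-permanent entries (learned before the sysctl was set, or incomplete)"
        return 1
    fi
    echo "FROZEN: static_arp=1 and all entries permanent"
    return 0
}

# Constructed sample dump, used unless the script is invoked with "live".
SAMPLE='? (10.0.0.1) at 00:11:22:33:44:55 on fxp0 permanent [ethernet]
? (10.0.0.2) at 00:11:22:33:44:66 on fxp0 [ethernet]
? (10.0.0.3) at (incomplete) on fxp0 [ethernet]'

if [ "${1:-}" = live ]; then
    # Real run: needs a kernel with the patch, otherwise sysctl prints nothing
    # and the verdict is NOT FROZEN.
    arp -an | arp_table_frozen "$(sysctl -n net.link.ether.inet.static_arp 2>/dev/null)"
else
    printf '%s\n' "$SAMPLE" | nonpermanent_entries
    printf '%s\n' "$SAMPLE" | arp_table_frozen 1 || :   # the sample is meant to fail
fi
```

The script complements the kernel knob rather than trusting it: the posted hunks stop the kernel from learning new entries but do not discard entries learned earlier, so the expected procedure is `arp -d -a`, reload the static entries, set the sysctl, and only then expect a FROZEN verdict.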