FreeBSD Security Advisory FreeBSD-SA-03:14.arp
Ruslan Ermilov
ru at freebsd.org
Wed Sep 24 10:46:59 PDT 2003
On Wed, Sep 24, 2003 at 06:39:00PM +0100, Bruce M Simpson wrote:
> On Wed, Sep 24, 2003 at 07:21:11PM +0300, Ruslan Ermilov wrote:
> > On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote:
> > > Using static ARP entries and turning off ARP on the interface
> > > should be a workaround. Whether this is remotely feasible
> > > depends on your situation.
> > >
> > I still have not committed the code that supports static ARP
> > on an interface -- there's currently no way to do static ARP
> > only; if you disable ARP on an interface, it is disabled
> > entirely.
>
> I'd like to review and potentially test this patch before it goes in, as it
> sounds interesting and useful to us.
>
Attached.
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru at sunbay.com Sunbay Software Ltd,
ru at FreeBSD.org FreeBSD committer
-------------- next part --------------
Index: sys/net/if.h
===================================================================
RCS file: /home/ncvs/src/sys/net/if.h,v
retrieving revision 1.81
diff -u -p -u -r1.81 if.h
--- sys/net/if.h 14 Nov 2002 23:16:18 -0000 1.81
+++ sys/net/if.h 26 Dec 2002 15:46:31 -0000
@@ -150,6 +150,7 @@ struct if_data {
#define IFF_POLLING 0x10000 /* Interface is in polling mode. */
#define IFF_PPROMISC 0x20000 /* user-requested promisc mode */
#define IFF_MONITOR 0x40000 /* user-requested monitor mode */
+#define IFF_STATICARP 0x80000 /* static ARP */
/* flags set internally only: */
#define IFF_CANTCHANGE \
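Review bot: IFF_STATICARP is meant to be toggled from userland (the ifconfig.c hunk routes it through setifflags), so it must stay out of the IFF_CANTCHANGE mask whose definition begins on the hunk's last line and continues outside it; please confirm that mask was left as is. The one-word comment on the new define undersells a flag that changes ARP input and output behaviour, and I would expand it to `/* static ARP only: use existing entries, never learn from or send ARP requests */` so readers of if.h do not have to find the if_ether.c checks.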
Index: sys/netinet/if_ether.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.105
diff -u -p -u -r1.105 if_ether.c
--- sys/netinet/if_ether.c 23 Sep 2003 16:39:31 -0000 1.105
+++ sys/netinet/if_ether.c 24 Sep 2003 00:10:06 -0000
@@ -454,12 +454,12 @@ arpresolve(ifp, rt, m, dst, desten, rt0)
return 1;
}
/*
- * If ARP is disabled on this interface, stop.
+ * If ARP is disabled or static on this interface, stop.
* XXX
* Probably should not allocate empty llinfo struct if we are
* not going to be sending out an arp request.
*/
- if (ifp->if_flags & IFF_NOARP) {
+ if (ifp->if_flags & (IFF_NOARP | IFF_STATICARP)) {
m_freem(m);
return (0);
}
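Review bot: With IFF_STATICARP set, any destination that did not satisfy the entry check above the hunk now reaches the m_freem() directly after the new condition and is dropped with no diagnostic, exactly like IFF_NOARP. That is presumably the intent for addresses that were never configured, but an entry learned dynamically before the flag was set and expired since then (the expiry test appears to be in the part of arpresolve above the hunk) is dropped the same way, so an operator turning staticarp on for a live interface would see traffic stop silently. I would at least note this in the comment, e.g. `* Static ARP: nothing is resolved on demand, so an expired dynamic entry is dropped here too.`, and consider a counter or rate-limited log for the static case. arpresolve begins and ends outside the hunk.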
@@ -650,6 +650,8 @@ match:
itaddr = myaddr;
goto reply;
}
+ if (ifp->if_flags & IFF_STATICARP)
+ goto reply;
la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
/* the following is not an error when doing bridging */
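Review bot: The new two-line check carries no comment, and its placement is what makes it correct: it follows the duplicate-address test, so a packet claiming our own address is still logged, and it jumps to reply: before arplookup(), so nothing is learned or refreshed from the sender. I would state that in place: `/* Static ARP: never learn or refresh entries from incoming packets; fall through to the reply handling only. */`. If the reply: path still serves published (proxy) entries for targets other than our own address, then the ifconfig.8 wording "will only reply to requests for its addresses" is narrower than the behaviour and one of the two should be adjusted; please confirm. in_arpinput begins and ends outside the hunk.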
Index: sbin/ifconfig/ifconfig.8
===================================================================
RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.71
diff -u -p -u -r1.71 ifconfig.8
--- sbin/ifconfig/ifconfig.8 14 May 2003 16:22:16 -0000 1.71
+++ sbin/ifconfig/ifconfig.8 15 May 2003 00:08:09 -0000
@@ -227,6 +227,18 @@ addresses and
.It Fl arp
Disable the use of the Address Resolution Protocol
.Pq Xr arp 4 .
+.It Cm staticarp
+If the Address Resolution Protocol is enabled,
+the host will only reply to requests for its addresses,
+and will never send any requests.
+.It Fl staticarp
+If the Address Resolution Protocol is enabled,
+the host will perform normally,
+sending out requests,
+listening for replies,
+and allowing gratuitous requests to update the
+.Tn ARP
+table.
.It Cm broadcast
(Inet only.)
Specify the address to use to represent broadcasts to the
Index: sbin/ifconfig/ifconfig.c
===================================================================
RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.90
diff -u -p -u -r1.90 ifconfig.c
--- sbin/ifconfig/ifconfig.c 28 Apr 2003 16:37:38 -0000 1.90
+++ sbin/ifconfig/ifconfig.c 30 Apr 2003 07:02:20 -0000
@@ -234,6 +234,8 @@ struct cmd {
{ "-link2", -IFF_LINK2, setifflags },
{ "monitor", IFF_MONITOR, setifflags },
{ "-monitor", -IFF_MONITOR, setifflags },
+ { "staticarp", IFF_STATICARP, setifflags },
+ { "-staticarp", -IFF_STATICARP, setifflags },
#ifdef USE_IF_MEDIA
{ "media", NEXTARG, setmedia },
{ "mode", NEXTARG, setmediamode },
@@ -1037,7 +1039,7 @@ setifmtu(const char *val, int dummy __un
#define IFFBITS \
"\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6SMART\7RUNNING" \
"\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2" \
-"\20MULTICAST\023MONITOR"
+"\20MULTICAST\023MONITOR\024STATICARP"
#define IFCAPBITS \
"\003\1RXCSUM\2TXCSUM\3NETCONS\4VLAN_MTU\5VLAN_HWTAGGING\6JUMBO_MTU"