Bug 193689 - [PATCH] Add ICMP timestamp sysctl
Summary: [PATCH] Add ICMP timestamp sysctl
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mark Johnston
Reported: 2014-09-16 19:03 UTC by Anthony Cornehl
Modified: 2015-04-16 19:11 UTC
bugmeister: mfc-stable10?
bugmeister: mfc-stable9?
bugmeister: mfc-stable8?


Attachments
ICMP timestamp sysctl patch (2.05 KB, patch)
2014-09-16 19:03 UTC, Anthony Cornehl
Update ICMP timestamp sysctl patch (1.97 KB, patch)
2014-09-23 20:43 UTC, Pedro F. Giffuni
Update ICMP timestamp sysctl patch (1.92 KB, patch)
2014-09-23 20:53 UTC, Pedro F. Giffuni

Description Anthony Cornehl 2014-09-16 19:03:12 UTC
Created attachment 147384
ICMP timestamp sysctl patch

EMC Isilon OneFS has been using this patch for a few years, based on the OpenBSD patch: http://marc.info/?l=openbsd-bugs&m=101994870923315&w=3

Network security scanners check for the presence of ICMP timestamps, so this patch adds a switch to disable ICMP timestamp replies and enable deploying in those environments.
Comment 1 Pedro F. Giffuni freebsd_committer 2014-09-23 20:43:47 UTC
Created attachment 147625
Update ICMP timestamp sysctl patch

icmp_var.h needed a small update as we now also have ICMPCTL_MAXID.
Apply some style(9) issues while here: we use a TAB after #define
Comment 2 Pedro F. Giffuni freebsd_committer 2014-09-23 20:45:27 UTC
Patch has been reported to work by the HardenedBSD guys.
Comment 3 Pedro F. Giffuni freebsd_committer 2014-09-23 20:53:23 UTC
Created attachment 147626
Update ICMP timestamp sysctl patch

Bah ...

ICMPCTL_MAXID is a thing from 10-stable... sorry for that.
The tabs do apply.
Comment 4 commit-hook freebsd_committer 2014-10-01 18:08:26 UTC
A commit references this bug:

Author: markj
Date: Wed Oct  1 18:07:36 UTC 2014
New revision: 272378
URL: https://svnweb.freebsd.org/changeset/base/272378

Log:
  Add a sysctl, net.inet.icmp.tstamprepl, which can be used to disable replies
  to ICMP Timestamp packets.

  PR:		193689
  Submitted by:	Anthony Cornehl <accornehl@gmail.com>
  MFC after:	3 weeks
  Sponsored by:	EMC / Isilon Storage Division

Changes:
  head/share/man/man4/icmp.4
  head/sys/netinet/ip_icmp.c
Comment 5 Mark Johnston freebsd_committer 2014-10-01 18:12:16 UTC
I ended up committing a slightly modified form of the patch. The sysctl (correctly) uses OID_AUTO, so there's no need to #define an oid for it in icmp_var.h. And since it doesn't use a reserved OID, it's not correct to document it in sysctl.3 - icmp.4 is where all the ICMP sysctls are documented.
Comment 6 commit-hook freebsd_committer 2015-04-16 19:10:15 UTC
A commit references this bug:

Author: markj
Date: Thu Apr 16 19:09:26 UTC 2015
New revision: 281609
URL: https://svnweb.freebsd.org/changeset/base/281609

Log:
  MFC r272378:
  Add net.inet.icmp.tstamprepl.

  PR:	193689

Changes:
_U  stable/10/
  stable/10/share/man/man4/icmp.4
  stable/10/sys/netinet/ip_icmp.c
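
An added example, not part of this bug report or of the committed FreeBSD change: a small checker an administrator can run against their own host to confirm that ICMP Timestamp Requests (type 13) no longer draw a Timestamp Reply (type 14) once replies are disabled through net.inet.icmp.tstamprepl. The function names are hypothetical, the message layout follows RFC 792, and the live check assumes an IPv4 raw socket (root required).

```python
import os, socket, struct, sys, time

ICMP_TSTAMP, ICMP_TSTAMPREPLY = 13, 14   # RFC 792 message types

def inet_checksum(data):
    """RFC 1071 checksum; returns 0 when run over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ms_since_midnight_utc(now=None):
    return int(((time.time() if now is None else now) % 86400) * 1000)

def build_message(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """20-byte ICMP timestamp message: type, code, checksum, id, seq, three timestamps."""
    msg = struct.pack("!BBHHHIII", icmp_type, 0, 0, ident, seq, originate, receive, transmit)
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_reply(icmp, ident, seq):
    """Return (originate, receive, transmit) for a valid reply to our request, else None."""
    if len(icmp) != 20 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _, r_id, r_seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp)
    if (icmp_type, code, r_id, r_seq) != (ICMP_TSTAMPREPLY, 0, ident, seq):
        return None
    return orig, recv, xmit

def host_replies(host, timeout=2.0):
    """Live check (raw socket, needs root): True if host sent a Timestamp Reply."""
    ident, seq, target = os.getpid() & 0xFFFF, 1, socket.gethostbyname(host)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.sendto(build_message(ICMP_TSTAMP, ident, seq, ms_since_midnight_utc()), (target, 0))
        deadline = time.monotonic() + timeout
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                pkt, (src, _) = s.recvfrom(1024)
            except socket.timeout:
                break
            ihl = (pkt[0] & 0x0F) * 4            # skip the IPv4 header
            if src == target and parse_reply(pkt[ihl:ihl + 20], ident, seq) is not None:
                return True
    return False

if __name__ == "__main__":
    answered = host_replies(sys.argv[1])
    print("timestamp reply received" if answered else "no timestamp reply")
```

A timeout only shows that no reply arrived; a firewall on the path that drops ICMP type 13 or 14 produces the same result as the sysctl.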