Bug 23063 - [arp] [patch] for static ARP tables in rc.network
Summary: [arp] [patch] for static ARP tables in rc.network
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 4.2-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-net (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2000-11-24 03:20 UTC by Gerhard Sittig
Modified: 2017-08-09 19:35 UTC
Description Gerhard Sittig 2000-11-24 03:20:01 UTC
The patch below takes two steps which come in handy in
restrictive (as well as most likely small and static) setups:
- it turns off ARP functionality on specified interfaces to not
  have your IP stack accept ARP packets possibly sent to you by
  strangers
- it sets up your ARP table with fixed entries, otherwise one
  couldn't do IP communication with the hosts you know about and
  want to talk to

Fix: Apply the patch and throw the rc.conf switches (turn on the
_enable switch and fill in the _interfaces and _table)!

Of course these fix entries should get applied on *all* the
machines in the network segment in question, so none of them can
be fooled.  And I'm aware of the fact that, say, routers usually
won't do (dynamic) ARP on one interface while they do on another.
That's what the interface list is for.  Deleting some already
known ARP entries (we're talking a few seconds after bootup and
interface configuration here) won't really hurt.  They will be
learned again quickly.  Maybe one should not SHOUT this loud when
there's no interface or table -- but I failed to come up with an
example where this would be of real use to leave one of them
blank.

The most important "problem" I had with this patch is to identify
a spot in rc.network where all the relevant interfaces are up but
almost no traffic could have passed through them yet.  Feel free
to shove the code block to a more appropriate place.

And of course the standard disclaimer applies:  I'm not a native
speaker nor are troff nor mdoc my native languages. :)  Hopefully
the patch will make its way unmangled now that I decided to
shar(1) it.



virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	script.diff
#	config.diff
#	manpage.diff
#
echo x - script.diff
sed 's/^X//' >script.diff << 'END-of-script.diff'
XIndex: etc/rc.network
X===================================================================
XRCS file: /CVSREPO/fbsd/src/etc/rc.network,v
Xretrieving revision 1.88
Xdiff -u -5 -r1.88 rc.network
X--- etc/rc.network	2000/10/12 11:25:57	1.88
X+++ etc/rc.network	2000/11/23 22:54:34
X@@ -233,10 +233,51 @@
X 		echo -n "Starting ppp as \"${ppp_user}\""
X 		su -m ${ppp_user} -c "exec ${ppp_command}"
X 		;;
X 	esac
X 
X+	# hardcode ARP table when asked to do so
X+	#
X+	case ${static_arp_enable} in
X+	[Yy][Ee][Ss])
X+		echo -n ' static arp'
X+
X+		# don't bother if we fall through,
X+		# the loops below just become empty
X+		[ -z "${static_arp_interfaces}" ] && echo -n ' NO INTERFACES'
X+		[ -z "${static_arp_table}"      ] && echo -n ' NO TABLE'
X+
X+		# clear ARP functionality on all the interfaces
X+		for IF in $static_arp_interfaces; do
X+			/sbin/ifconfig $IF -arp
X+		done
X+		unset IF
X+
X+		# delete (previously) "ARP'ed" IPs from the table
X+		ADDRLIST=$( /usr/sbin/arp -an | /usr/bin/sed 's/^[^(]*(//; s/).*$//' )
X+		for ADDR in $ADDRLIST; do
X+			/usr/sbin/arp -d $ADDR
X+		done
X+		unset ADDRLIST ADDR
X+
X+		# fill in the new entries
X+		# (for a starter or as the whole table)
X+		for PAIR in $static_arp_table; do
X+			/usr/sbin/arp -s $( echo $PAIR | tr '=' ' ' )
X+		done
X+		unset PAIR
X+
X+		# maybe: show the current table
X+		case ${static_arp_verbose} in
X+		[Yy][Ee][Ss])
X+			echo ' arp table dump:'
X+			/usr/sbin/arp -an
X+			;;
X+		esac
X+		;;
X+	esac
X+
X 	# Initialize IP filtering using ipfw
X 	#
X 	if /sbin/ipfw -q flush > /dev/null 2>&1; then
X 		firewall_in_kernel=1
X 	else
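Review bot: the delete loop over `ADDRLIST` flushes every entry `arp -an` reports, not only those on the interfaces named in `static_arp_interfaces`, and it still runs when `static_arp_table` is empty, so the `NO TABLE` case leaves the listed interfaces with ARP switched off and nothing in the table to reach a neighbour through them; rather than only printing a warning, skip the whole block unless both variables are set, and consider limiting the flush to entries on the affected interfaces so a router's other interfaces keep their cache. The `/usr/sbin/arp -s $( echo $PAIR | tr '=' ' ' )` call also splits each pair without checking that it contains an `=` and a plausible MAC address, so a typo in rc.conf turns into a cryptic arp(8) error in the middle of boot; a guard such as `case $PAIR in *=*) ;; *) echo " bad entry: $PAIR"; continue ;; esac` before the call makes that failure explicit and keeps the remaining entries loading.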
END-of-script.diff
echo x - config.diff
sed 's/^X//' >config.diff << 'END-of-config.diff'
XIndex: etc/defaults/rc.conf
X===================================================================
XRCS file: /CVSREPO/fbsd/src/etc/defaults/rc.conf,v
Xretrieving revision 1.83
Xdiff -u -5 -r1.83 rc.conf
X--- etc/defaults/rc.conf	2000/10/29 19:59:04	1.83
X+++ etc/defaults/rc.conf	2000/11/23 21:52:55
X@@ -188,10 +188,18 @@
X ipxrouted_enable="NO"		# Set to YES to run the IPX routing daemon.
X ipxrouted_flags=""		# Flags for IPX routing daemon.
X arpproxy_all=""			# replaces obsolete kernel option ARP_PROXYALL.
X forward_sourceroute="NO"	# do source routing (only if gateway_enable is set to "YES")
X accept_sourceroute="NO"		# accept source routed packets to us
X+static_arp_enable="NO"		# hardcode ARP table?
X+static_arp_verbose="NO"		# dump ARP table after setting up?
X+static_arp_interfaces="xl0"	# turn ARP off on these interfaces
X+static_arp_table="\
X+	192.168.21.57=00:60:08:xx:xx:xx \
X+	192.168.21.58=00:01:02:xx:xx:xx \
X+	192.168.21.59=00:50:DA:xx:xx:xx \
X+	"
X 
X ### ATM interface options: ###
X atm_enable="NO"			# Configure ATM interfaces (or NO).
X #atm_netif_hea0="atm 1"		# Network interfaces for physical interface.
X #atm_sigmgr_hea0="uni31"	# Signalling manager for physical interface.
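Review bot: the defaults in /etc/defaults/rc.conf are meant to be inert, but `static_arp_interfaces="xl0"` and the `static_arp_table` block with `00:60:08:xx:xx:xx` style addresses are live example data: a user who flips only `static_arp_enable` to YES gets ARP turned off on xl0 and `arp -s` invoked with an unparsable MAC. Ship both variables as empty strings and keep the example in commented lines, the way `#atm_netif_hea0="atm 1"` just below does it; that also agrees with the manpage hunk, which documents `static_arp_interfaces` as empty by default.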
END-of-config.diff
echo x - manpage.diff
sed 's/^X//' >manpage.diff << 'END-of-manpage.diff'
XIndex: share/man/man5/rc.conf.5
X===================================================================
XRCS file: /CVSREPO/fbsd/src/share/man/man5/rc.conf.5,v
Xretrieving revision 1.84
Xdiff -u -5 -r1.84 rc.conf.5
X--- share/man/man5/rc.conf.5	2000/10/28 13:35:30	1.84
X+++ share/man/man5/rc.conf.5	2000/11/23 22:29:26
X@@ -563,10 +563,50 @@
X .Pa /etc/ppp/ppp.conf .
X .It Ar ppp_user
X (str) The name of the user under which ppp should be started. By
X default, ppp is started as
X .Ar root .
X+.\" ----- static arp table --------------------------------------
X+.It Ar static_arp_enable
X+(bool) Set to
X+.Ar NO
X+by default.
X+Setting this to
X+.Ar YES
X+will turn off ARP for every interface specified in
X+.Ar static_arp_interfaces
X+and will put static ARP entries from the
X+.Ar static_arp_table
X+variable into the ARP table.
X+.It Ar static_arp_verbose
X+(bool) Set to
X+.Ar NO
X+by default.
X+Setting this to
X+.Ar YES
X+will dump the current ARP table
X+after filling it with static entries.
X+This requires the
X+.Ar static_arp_enable
X+setting to be turned on.
X+.It Ar static_arp_interfaces
X+(str) Empty by default.
X+Holds a white space separated list of interfaces
X+on which ARP learning will be turned off.
X+Depends on the
X+.Ar static_arp_enable
X+setting.
X+.It Ar static_arp_table
X+(str) Depends on the
X+.Ar static_arp_enable
X+setting and
X+holds a white space separated list of elements
X+each of the form IP address, equals sign, MAC address.
X+For instance to hardcode two ARP table entries put
X+.Qq Ar "192.168.21.57=00:60:08:01:02:03 192.168.21.58=00:01:02:04:05:06"
X+into this variable.
X+.\" ----- end of static arp -------------------------------------
X .It Ar rc_conf_files
X (str) This option is used to specify a list of files that will override
X the settings in
X .Pa /etc/defaults/rc.conf .
X The files will be read in the order in which they are specified and should
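Review bot: the `static_arp_table` entry never states its default and none of the four entries mentions that enabling the feature first deletes every existing ARP entry (the script hunk does this unconditionally), which is the one side effect an administrator of a multi-homed box needs to know before turning it on; add both, and make the "Empty by default" wording for `static_arp_interfaces` agree with what the defaults/rc.conf hunk actually ships. Placement is also inconsistent: the block sits among the ppp entries after `ppp_user`, whereas rc.conf puts the variables next to `arpproxy_all` and the source-route knobs; documenting them in the same neighbourhood makes the section easier to find.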
END-of-manpage.diff
exit
How-To-Repeat: 
not of relevance, there's no problem here :)
Comment 1 ru freebsd_committer freebsd_triage 2001-12-05 17:35:20 UTC
Responsible Changed
From-To: freebsd-bugs->ru

I'm interested in this feature, and have some kernel side patches.
Comment 2 ru freebsd_committer freebsd_triage 2004-06-11 15:18:13 UTC
Responsible Changed
From-To: ru->freebsd-bugs

The kernel side has been implemented (IFF_STATICARP), but I've
since lost the personal interest in implementing the userland part,
so I pass it back to the community in case anyone wants to revise
the patches in the PR.
Comment 3 Bruce M Simpson freebsd_committer freebsd_triage 2004-06-16 01:15:24 UTC
Responsible Changed
From-To: freebsd-bugs->bms

I'll try to look at this (already worked on the kernel 
support with ru).
Comment 4 Bruce M Simpson freebsd_committer freebsd_triage 2006-08-02 14:30:40 UTC
Responsible Changed
From-To: bms->freebsd-net

ENOTIME. If big ARP changes happen, then this should probably be 
taken on again and looked at after those changes happen. 
Also the rcNG system has been taken since these changes were 
submitted.
Comment 5 Eugene Grosbein freebsd_committer freebsd_triage 2017-08-09 19:35:46 UTC
For now, ifconfig(8) has "staticarp/-arp" options implementing the kernel side of the request, arp(8) has an "-f" option to load a list of MAC addresses into the kernel, and we have the rcNG system to call "arp -f /usr/local/etc/arp.list" at the right moment during boot. That should be enough to do the job. If not, speak up.

Close this after 11 years of inactivity.
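As an added example (not part of this PR, of the patch, or of FreeBSD's rc scripts), the shell functions below take a table written in the patch's `IP=MAC` rc.conf format, validate each pair, and emit it as the two-column `hostname ether_addr` lines that arp(8) `-f` reads, so malformed entries such as the `xx:xx:xx` placeholders are rejected before anything is handed to `arp -s`; the sample table is constructed.

```shell
#!/bin/sh
# Added example, not from the PR: validate a static ARP table written in the
# patch's rc.conf format ("IP=MAC IP=MAC ...") and print it as the
# "hostname ether_addr" lines that arp(8) -f accepts. Bad entries are
# reported and counted instead of being passed on to arp -s.

# Succeed only for a dotted-quad IPv4 address whose octets are all <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for six colon-separated hex pairs ("00:50:DA:xx:xx:xx" fails).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print one "ip mac" line per valid pair; return the number of rejected pairs.
arp_table_to_file() {
    rejected=0
    for pair in $1; do             # whitespace-split, like the rc.network loop
        ip=${pair%%=*}
        mac=${pair#*=}
        if [ "$ip" = "$pair" ] || ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            echo "rejected static_arp_table entry: $pair" >&2
            rejected=$((rejected + 1))
            continue
        fi
        printf '%s %s\n' "$ip" "$mac"
    done
    return $rejected
}

# Constructed sample: the third entry carries the placeholder MAC from the
# patch's defaults/rc.conf hunk and must be rejected.
sample_table="192.168.21.57=00:60:08:01:02:03 192.168.21.58=00:01:02:04:05:06 192.168.21.59=00:50:DA:xx:xx:xx"
arp_table_to_file "$sample_table" || echo "$? entries rejected" >&2
```

Redirect the function's stdout to a file to produce something `arp -f` can load at boot.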