|
Hi
> I had gone through the documentation for preventing the arp problem, it had
> mentioned about the 2.2 kernels and the 2.0 kernels but there was no
> information about the 2.4 kernels. What is the easiest way to prevent the arp
> problem in a 2.4 kernel?
Apply the patch attached.
> 1)Is there a kernel patch like http://www.linux-vs.org/sdw_fullarpfix.patch
> there is for the 2.2.x kernels? Is there anything like Julian's
> arp_invisible sysctl in 2.4?
Yep, he and/or Alexey wrote it.
regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'` --- v2.3.41/linux/include/linux/inetdevice.h.orig Sat Sep 11 07:06:19 1999
+++ linux/include/linux/inetdevice.h Sat Jan 29 14:51:12 2000
@@ -17,6 +17,7 @@
int forwarding;
int mc_forwarding;
int tag;
+ int hidden;
void *sysctl;
};
@@ -43,6 +44,7 @@
#define IN_DEV_LOG_MARTIANS(in_dev) (ipv4_devconf.log_martians ||
(in_dev)->cnf.log_martians)
#define IN_DEV_PROXY_ARP(in_dev) (ipv4_devconf.proxy_arp ||
(in_dev)->cnf.proxy_arp)
+#define IN_DEV_HIDDEN(in_dev) ((in_dev)->cnf.hidden &&
ipv4_devconf.hidden)
#define IN_DEV_SHARED_MEDIA(in_dev) (ipv4_devconf.shared_media ||
(in_dev)->cnf.shared_media)
#define IN_DEV_TX_REDIRECTS(in_dev) (ipv4_devconf.send_redirects ||
(in_dev)->cnf.send_redirects)
#define IN_DEV_SEC_REDIRECTS(in_dev) (ipv4_devconf.secure_redirects ||
(in_dev)->cnf.secure_redirects)
--- v2.3.41/linux/include/linux/sysctl.h.orig Sat Jan 29 09:02:10 2000
+++ linux/include/linux/sysctl.h Sat Jan 29 14:54:32 2000
@@ -300,7 +300,8 @@
NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE=9,
NET_IPV4_CONF_BOOTP_RELAY=10,
NET_IPV4_CONF_LOG_MARTIANS=11,
- NET_IPV4_CONF_TAG=12
+ NET_IPV4_CONF_TAG=12,
+ NET_IPV4_CONF_HIDDEN=13,
};
/* /proc/sys/net/ipv6 */
--- v2.3.41/linux/net/ipv4/arp.c.orig Sat Jan 29 09:02:14 2000
+++ linux/net/ipv4/arp.c Sun Jan 30 20:51:44 2000
@@ -65,6 +65,8 @@
* clean up the APFDDI & gen. FDDI bits.
* Alexey Kuznetsov: new arp state machine;
* now it is in net/core/neighbour.c.
+ * Julian Anastasov: "hidden" flag: hide the
+ * interface and don't reply for it
*/
/* RFC1122 Status:
@@ -328,12 +330,23 @@
static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
{
u32 saddr;
+ int from_skb;
+ struct in_device *in_dev2 = NULL;
+ struct net_device *dev2 = NULL;
u8 *dst_ha = NULL;
struct net_device *dev = neigh->dev;
u32 target = *(u32*)neigh->primary_key;
int probes = atomic_read(&neigh->probes);
- if (skb && inet_addr_type(skb->nh.iph->saddr) == RTN_LOCAL)
+ from_skb = (skb &&
+ (dev2 = ip_dev_find(skb->nh.iph->saddr)) != NULL &&
+ (in_dev2 = in_dev_get(dev2)) != NULL &&
+ !IN_DEV_HIDDEN(in_dev2));
+ if (dev2) {
+ if (in_dev2) in_dev_put(in_dev2);
+ dev_put(dev2);
+ }
+ if (from_skb)
saddr = skb->nh.iph->saddr;
else
saddr = inet_select_addr(dev, target, RT_SCOPE_LINK);
@@ -706,9 +719,22 @@
/* Special case: IPv4 duplicate address detection packet (RFC2131) */
if (sip == 0) {
- if (arp->ar_op == __constant_htons(ARPOP_REQUEST) &&
- inet_addr_type(tip) == RTN_LOCAL)
+ int reply;
+ struct net_device *dev2 = NULL;
+ struct in_device *in_dev2 = NULL;
+
+ reply =
+ (arp->ar_op == __constant_htons(ARPOP_REQUEST) &&
+ (dev2 = ip_dev_find(tip)) != NULL &&
+ (dev2 == dev ||
+ ((in_dev2 = in_dev_get(dev2)) != NULL &&
+ !IN_DEV_HIDDEN(in_dev2))));
+ if (dev2) {
+ if (in_dev2) in_dev_put(in_dev2);
+ dev_put(dev2);
+ if (reply)
arp_send(ARPOP_REPLY,ETH_P_ARP,tip,dev,tip,sha,dev->dev_addr,dev->dev_addr);
+ }
goto out;
}
@@ -721,6 +747,26 @@
if (addr_type == RTN_LOCAL) {
n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
if (n) {
+ if (ipv4_devconf.hidden &&
+ skb->pkt_type != PACKET_HOST) {
+ int skip;
+ struct net_device *dev2 = NULL;
+ struct in_device *in_dev2 = NULL;
+
+ skip =
+ ((dev2 = ip_dev_find(tip)) != NULL &&
+ dev2 != dev &&
+ (in_dev2=in_dev_get(dev2)) != NULL &&
+ IN_DEV_HIDDEN(in_dev2));
+ if (dev2) {
+ if (in_dev2) in_dev_put(in_dev2);
+ dev_put(dev2);
+ if (skip) {
+ neigh_release(n);
+ goto out;
+ }
+ }
+ }
arp_send(ARPOP_REPLY,ETH_P_ARP,sip,dev,tip,sha,dev->dev_addr,sha);
neigh_release(n);
}
--- v2.3.41/linux/net/ipv4/devinet.c.orig Wed Jan 12 08:46:50 2000
+++ linux/net/ipv4/devinet.c Sat Jan 29 15:13:34 2000
@@ -745,7 +745,8 @@
read_lock(&in_dev->lock);
for_primary_ifa(in_dev) {
- if (ifa->ifa_scope != RT_SCOPE_LINK &&
+ if (!IN_DEV_HIDDEN(in_dev) &&
+ ifa->ifa_scope != RT_SCOPE_LINK &&
ifa->ifa_scope <= scope) {
read_unlock(&in_dev->lock);
read_unlock(&inetdev_lock);
@@ -1027,7 +1028,7 @@
static struct devinet_sysctl_table
{
struct ctl_table_header *sysctl_header;
- ctl_table devinet_vars[13];
+ ctl_table devinet_vars[14];
ctl_table devinet_dev[2];
ctl_table devinet_conf_dir[2];
ctl_table devinet_proto_dir[2];
@@ -1069,6 +1070,9 @@
&proc_dointvec},
{NET_IPV4_CONF_TAG, "tag",
&ipv4_devconf.tag, sizeof(int), 0644, NULL,
+ &proc_dointvec},
+ {NET_IPV4_CONF_HIDDEN, "hidden",
+ &ipv4_devconf.hidden, sizeof(int), 0644, NULL,
&proc_dointvec},
{0}},
--- v2.3.41/linux/Documentation/networking/ip-sysctl.txt.orig Sat Jan 29
09:01:43 2000
+++ linux/Documentation/networking/ip-sysctl.txt Sat Jan 29 14:57:27 2000
@@ -299,6 +299,14 @@
Default value is 0. Note that some distributions enable it
in startip scripts.
+hidden - BOOLEAN
+ Hide addresses attached to this device from another devices.
+ Such addresses will never be selected by source address autoselection
+ mechanism, host does not answer broadcast ARP requests for them,
+ does not announce it as source address of ARP requests, but they
+ are still reachable via IP. This flag is activated only if it is
+ enabled both in specific device section and in "all" section.
+
Alexey Kuznetsov.
kuznet@xxxxxxxxxxxxx
--- v2.3.41/linux/Documentation/filesystems/proc.txt.orig Sat Nov 13
08:04:14 1999
+++ linux/Documentation/filesystems/proc.txt Sat Jan 29 15:01:54 2000
@@ -1490,6 +1490,16 @@
Determines whether to send ICMP redirects to other hosts.
+hidden
+------
+
+Hide addresses attached to this device from another devices.
+Such addresses will never be selected by source address autoselection
+mechanism, host does not answer broadcast ARP requests for them,
+does not announce it as source address of ARP requests, but they
+are still reachable via IP. This flag is activated only if it is
+enabled both in specific device section and in "all" section.
+
Routing settings
----------------
|
