Re: [PATCH] arp, kernel 2.2.15 and 2.3.99-pre6

From: Andi Kleen (ak@suse.de)
Date: Thu May 04 2000 - 03:55:03 EST


On Thu, May 04, 2000 at 11:42:52AM +0300, Ville Nummela wrote:
> Andi Kleen wrote:
>
> > > This is a patch I've written in order to allow me to dynamically
> > > enable/disable sending replies to arp requests on a device. It adds a
> > 2.2 already has this option, it is called conf/*/hidden
> > 2.3 will get it too hopefully.
>
> From the kernel documentation:
>
> hidden
> Hide addresses attached to this device from another devices.
> Such addresses will never be selected by source address autoselection
> mechanism, host does not answer broadcast ARP requests for them,
>
> That kind of behavior is not what we want when implementing Mobile IP. We do
> not want to disable source address autoselection, just ARP.

That sounds broken. Assuming you select the source address and start
communicating from it on the local net, and the other host tries to do
ARP probing on you later -- you're dead.

If you changed the routing tables correctly (you only don't want to
answer ARP when you have a more specific routing table entry), then
I have a better patch: It controls ARP behaviour via the routing
table, which has a few other interesting advantages too. And unlike
yours it is error tolerant (when the mobile link goes away things work
again)

It also can do other things, e.g. load balancing for incoming ARP
using multipath routes and separation of nets on firewalls.

-Andi

--- ../lold/linux/include/net/snmp.h Wed Feb 9 20:06:11 2000
+++ linux/include/net/snmp.h Sat Apr 29 04:42:40 2000
@@ -178,6 +178,7 @@
         unsigned long OfoPruned;
         unsigned long OutOfWindowIcmps;
         unsigned long LockDroppedIcmps;
+ unsigned long ArpFilter;
 };
          
 #endif
--- ../lold/linux/net/ipv4/proc.c Wed Feb 9 20:06:17 2000
+++ linux/net/ipv4/proc.c Tue Apr 25 23:27:40 2000
@@ -360,8 +360,8 @@
         len = sprintf(buffer,
                       "TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed"
                       " EmbryonicRsts PruneCalled RcvPruned OfoPruned"
- " OutOfWindowIcmps LockDroppedIcmps\n"
- "TcpExt: %lu %lu %lu %lu %lu %lu %lu %lu %lu\n",
+ " OutOfWindowIcmps LockDroppedIcmps ArpFilter\n"
+ "TcpExt: %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu\n",
                       net_statistics.SyncookiesSent,
                       net_statistics.SyncookiesRecv,
                       net_statistics.SyncookiesFailed,
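Review bot: The new column is emitted under the `TcpExt:` prefix although ArpFilter counts suppressed ARP replies, so the label misdescribes the counter, and any reader that parses this line by a fixed field count sees an extra field. The same applies to the argument added in the following hunk. A comment above the format string such as `/* ArpFilter counts filtered ARP requests, not TCP events, despite the TcpExt prefix */` would record that. The `sprintf()` is unbounded and the size of `buffer` is not visible here, so the longer header and value lines should be checked against it. The enclosing function starts and ends outside both hunks.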
@@ -370,7 +370,8 @@
                       net_statistics.RcvPruned,
                       net_statistics.OfoPruned,
                       net_statistics.OutOfWindowIcmps,
- net_statistics.LockDroppedIcmps);
+ net_statistics.LockDroppedIcmps,
+ net_statistics.ArpFilter);
 
         if (offset >= len)
         {
--- ../lold/linux/net/ipv4/arp.c Wed Feb 9 20:06:16 2000
+++ linux/net/ipv4/arp.c Sat Apr 29 16:14:22 2000
@@ -338,6 +338,22 @@
                  dst_ha, dev->dev_addr, NULL);
 }
 
+static int arp_filter(__u32 sip, __u32 tip, struct device *dev)
+{
+ struct rtable *rt;
+ int flag = 0;
+ //unsigned long now;
+
+ if (ip_route_output(&rt, sip, tip, 0, 0) < 0)
+ return 1;
+ if (rt->u.dst.dev != dev) {
+ net_statistics.ArpFilter++;
+ flag = 1;
+ }
+ ip_rt_put(rt);
+ return flag;
+}
+
 /* OBSOLETE FUNCTIONS */
 
 /*
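Review bot: arp_filter() has no comment stating its return contract, which the reply path depends on. It returns nonzero (suppress the reply) when `ip_route_output(&rt, sip, tip, 0, 0)` fails or when the returned route's device differs from `dev`, and zero otherwise. A short header comment should say so and note that a failed lookup deliberately fails closed, since `sip` and `tip` appear to come straight from the received request. The leftover `//unsigned long now;` should be deleted. `net_statistics.ArpFilter++` is a plain increment on a global, so counts may be lost if this path runs on several CPUs at once; confirm whether the tree provides a statistics macro for this.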
@@ -681,6 +697,7 @@
                 if (addr_type == RTN_LOCAL) {
                         n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
                         if (n) {
+ int dont_send = 0;
                                 if (ipv4_devconf.hidden &&
                                     skb->pkt_type != PACKET_HOST) {
                                         struct device *dev2;
@@ -690,12 +707,14 @@
                                             dev2 != dev &&
                                             (in_dev2 = dev2->ip_ptr) != NULL &&
                                             IN_DEV_HIDDEN(in_dev2)) {
- neigh_release(n);
- goto out;
- }
+ dont_send = 1;
+ }
                                 }
+ if (IN_DEV_ARPFILTER(in_dev))
+ dont_send |= arp_filter(sip,tip,dev);
 
- arp_send(ARPOP_REPLY,ETH_P_ARP,sip,dev,tip,sha,dev->dev_addr,sha);
+ if (!dont_send)
+ arp_send(ARPOP_REPLY,ETH_P_ARP,sip,dev,tip,sha,dev->dev_addr,sha);
                                 neigh_release(n);
                         }
                         goto out;
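Review bot: The filter verdict is computed after `neigh_event_ns()` has already run, so a request whose reply is suppressed still creates or refreshes a neighbour entry for the sender on this device. If filtered requests are meant to be ignored entirely, the decision belongs before the neighbour update. Separately, `arp_filter()` is called even when the hidden check has already set `dont_send`, which costs a route lookup and bumps ArpFilter for a request dropped for another reason; `if (!dont_send && IN_DEV_ARPFILTER(in_dev))` followed by `dont_send = arp_filter(sip, tip, dev);` avoids that. `in_dev` is not declared in the visible lines, so its non-NULL guarantee has to come from the enclosing function, which starts and ends outside the hunk.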
--- ../lold/linux/include/linux/inetdevice.h Wed Feb 9 20:06:08 2000
+++ linux/include/linux/inetdevice.h Tue Apr 25 23:27:30 2000
@@ -17,6 +17,7 @@
         int forwarding;
         int mc_forwarding;
         int hidden;
+ int arp_filter;
         void *sysctl;
 };
 
@@ -51,6 +52,9 @@
           (ipv4_devconf.accept_redirects && (in_dev)->cnf.accept_redirects)) \
          || (!IN_DEV_FORWARD(in_dev) && \
           (ipv4_devconf.accept_redirects || (in_dev)->cnf.accept_redirects)))
+
+#define IN_DEV_ARPFILTER(in_dev) (ipv4_devconf.arp_filter || \
+ (in_dev)->cnf.arp_filter)
 
 struct in_ifaddr
 {
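Review bot: IN_DEV_ARPFILTER ORs the global `ipv4_devconf.arp_filter` with the per-device value, while the sibling hidden check in arp.c requires `ipv4_devconf.hidden` and the device flag together. The two knobs therefore combine differently, and nothing documents it. With OR semantics a device cannot opt out once the global is set, which an administrator separating networks on a firewall would want to know. A comment above the macro such as `/* ARP filtering applies if either the global or the per-device arp_filter is nonzero */` would make that explicit. No documentation entry for the new sysctl is visible in this patch.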
--- ../lold/linux/net/ipv4/devinet.c Wed Feb 9 20:06:16 2000
+++ linux/net/ipv4/devinet.c Sat Apr 29 16:15:59 2000
@@ -932,7 +932,7 @@
 static struct devinet_sysctl_table
 {
         struct ctl_table_header *sysctl_header;
- ctl_table devinet_vars[13];
+ ctl_table devinet_vars[14];
         ctl_table devinet_dev[2];
         ctl_table devinet_conf_dir[2];
         ctl_table devinet_proto_dir[2];
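Review bot: The bound in `devinet_vars[14]` is a hand-counted value that has to equal the number of initializer entries plus the `{0}` terminator, and the entry added in the next hunk is what forces the bump. If a later addition forgets the bump, the table may be left without its terminator, depending on how the compiler treats excess initializers. A comment on the member such as `/* one slot per NET_IPV4_CONF_* entry in the initializer, plus the {0} terminator */` would make the dependency visible. The new entry uses `proc_dointvec` with no range limit, so any nonzero value enables the filter. The struct definition continues outside the hunk.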
@@ -974,6 +974,9 @@
          &proc_dointvec},
         {NET_IPV4_CONF_HIDDEN, "hidden",
          &ipv4_devconf.hidden, sizeof(int), 0644, NULL,
+ &proc_dointvec},
+ {NET_IPV4_CONF_ARPFILTER, "arp_filter",
+ &ipv4_devconf.arp_filter, sizeof(int), 0644, NULL,
          &proc_dointvec},
          {0}},
 
--- ../lold/linux/include/linux/sysctl.h Wed Feb 9 20:06:10 2000
+++ linux/include/linux/sysctl.h Tue Apr 25 23:27:33 2000
@@ -269,7 +269,8 @@
         NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE=9,
         NET_IPV4_CONF_BOOTP_RELAY=10,
         NET_IPV4_CONF_LOG_MARTIANS=11,
- NET_IPV4_CONF_HIDDEN=12
+ NET_IPV4_CONF_HIDDEN=12,
+ NET_IPV4_CONF_ARPFILTER=13
 };
 
 /* /proc/sys/net/ipv6 */

-Andi
