That's a fine plan if you can guarantee it. However, if someone _does_ get root
access to a box on a sensitive subnet, then it's nice to know they can't start
a packet sniffer without recompiling the kernel and rebooting.
Our University Computing Service has already suffered this kind of attack once
on their main server backbone, when a Solaris box was hacked. If promiscuous
mode isn't required, then it's entirely sensible to make it completely
impossible.
I'd like to see a CONFIG_DISABLE_PROMISC option, and will probably hack one
together next week.
For now, look through net/core/dev.c and muck about with dev_set_promiscuity()
---- ---- ----
David Woodhouse, Robinson College, CB3 9AN, England. (+44) 0976 658355
Dave@imladris.demon.co.uk http://www.imladris.demon.co.uk
finger pgp@dwmw2.robinson.cam.ac.uk for PGP key.
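Added example, not part of the original post and not kernel code: the post is about making promiscuous mode impossible at compile time; the complementary defender's check is knowing whether any interface has already been put into promiscuous mode. The program below reads the interface flags Linux exports under /sys/class/net/<iface>/flags (an assumption: a modern Linux with sysfs, which the original post predates) and tests the IFF_PROMISC bit (0x100 in <linux/if.h>). The sysfs root is a parameter so the parsing and flag logic can be exercised on constructed input.

```c
/* Audit which network interfaces have promiscuous mode enabled, by reading
 * /sys/class/net/<iface>/flags. Assumes a modern Linux with sysfs mounted. */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROMISC_FLAG 0x100ul   /* IFF_PROMISC from <linux/if.h> */

/* Parse the contents of a sysfs "flags" file (e.g. "0x1103\n") into a number.
 * Returns 0 on success and fills *flags; returns -1 on malformed input. */
int parse_iface_flags(const char *text, unsigned long *flags)
{
    char *end;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    *flags = strtoul(text, &end, 0);   /* base 0 accepts the 0x prefix */
    if (errno != 0 || end == text)
        return -1;
    /* Only trailing whitespace may follow the number. */
    while (*end == '\n' || *end == '\r' || *end == ' ' || *end == '\t')
        end++;
    return *end == '\0' ? 0 : -1;
}

/* 1 if the flag word has IFF_PROMISC set, else 0. */
int flags_have_promisc(unsigned long flags)
{
    return (flags & PROMISC_FLAG) ? 1 : 0;
}

/* Read <sysfs_root>/<iface>/flags.
 * Returns 1 (promiscuous), 0 (not), or -1 if the file is unreadable/malformed. */
int iface_is_promisc(const char *sysfs_root, const char *iface)
{
    char path[512], buf[64];
    unsigned long flags;
    FILE *f;

    snprintf(path, sizeof path, "%s/%s/flags", sysfs_root, iface);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    if (parse_iface_flags(buf, &flags) != 0)
        return -1;
    return flags_have_promisc(flags);
}

/* Walk every interface under sysfs_root, print its state, and return how many
 * are promiscuous; returns -1 if the directory cannot be opened. */
int audit_promisc(const char *sysfs_root)
{
    DIR *d = opendir(sysfs_root);
    struct dirent *e;
    int count = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        int r;

        if (e->d_name[0] == '.')
            continue;
        r = iface_is_promisc(sysfs_root, e->d_name);
        if (r < 0)
            printf("%-12s flags unreadable\n", e->d_name);
        else
            printf("%-12s %s\n", e->d_name, r ? "PROMISC" : "normal");
        if (r == 1)
            count++;
    }
    closedir(d);
    return count;
}

int main(void)
{
    int n = audit_promisc("/sys/class/net");

    if (n < 0) {
        perror("/sys/class/net");
        return 1;
    }
    printf("%d interface(s) in promiscuous mode\n", n);
    return n > 0 ? 2 : 0;   /* non-zero exit so a cron job or monitor can alert */
}
```

The exit status is 2 when any interface is promiscuous, so the check can be dropped into a periodic job; bear in mind it only reports what the kernel's flag word says, which is exactly the field a compile-time option like the CONFIG_DISABLE_PROMISC proposed above would stop dev_set_promiscuity() from ever setting.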