Re: Linux 2.2 - BSD/OS 4.1 ARP incompatibility

Mon, 04 Sep 2000 03:01:42 -0700 

On Mon, Sep 04, 2000 at 10:57:44AM +0100, Matthew Kirkwood wrote:
> > > With both interfaces up, it's impossible to apply anti-martian
> > > rules to the interfaces, since it's hard to predict which card
> > > will answer an ARP request.
> >
> > /proc/sys/net/ipv4/.../hidden
> 
> So when lightning fries the primary ethcard in the machine,
> I have to know the hw address of the second card to get in?
> 
> Also, it can be used to scan through a dual-homed host to
> determine the address range in use on the other side, which
> I'd rather wasn't possible.
> 
> /proc/sys/net/ipv4/\"correct\"_arp_reply_interface_selection
> maybe?

It is called arpfilter. Here is the old 2.2.16 version (applies to 2.4 with
minor changes)

It is useful for various things, one of them being automatic load balancing
for incoming connections using multipath routes.

-Andi


--- linux/include/linux/inetdevice.h.ARPFILTER  Tue Jan  4 19:12:24 2000
+++ linux/include/linux/inetdevice.h    Sat Jun 24 14:02:07 2000
@@ -17,6 +17,7 @@
        int     forwarding;
        int     mc_forwarding;
        int     hidden;
+       int     arp_filter; 
        void    *sysctl;
 };
 
@@ -51,6 +52,9 @@
          (ipv4_devconf.accept_redirects && (in_dev)->cnf.accept_redirects)) \
         || (!IN_DEV_FORWARD(in_dev) && \
          (ipv4_devconf.accept_redirects || (in_dev)->cnf.accept_redirects)))
+
+#define IN_DEV_ARPFILTER(in_dev)       (ipv4_devconf.arp_filter || \
+                                        (in_dev)->cnf.arp_filter)
 
 struct in_ifaddr
 {
--- linux/include/linux/sysctl.h.ARPFILTER      Fri Jun 23 17:47:22 2000
+++ linux/include/linux/sysctl.h        Sat Jun 24 14:02:07 2000
@@ -272,7 +272,8 @@
        NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE=9,
        NET_IPV4_CONF_BOOTP_RELAY=10,
        NET_IPV4_CONF_LOG_MARTIANS=11,
-       NET_IPV4_CONF_HIDDEN=12
+       NET_IPV4_CONF_HIDDEN=12,
+       NET_IPV4_CONF_ARPFILTER=13
 };
 
 /* /proc/sys/net/ipv6 */
--- linux/include/net/snmp.h.ARPFILTER  Fri Jun 23 17:47:05 2000
+++ linux/include/net/snmp.h    Sat Jun 24 14:04:19 2000
@@ -179,6 +179,7 @@
        unsigned long   OutOfWindowIcmps; 
        unsigned long   LockDroppedIcmps; 
        unsigned long   SockMallocOOM; 
+       unsigned long   ArpFilter;
 };
        
 #endif
--- linux/net/ipv4/proc.c.ARPFILTER     Fri Jun 23 17:47:06 2000
+++ linux/net/ipv4/proc.c       Sat Jun 24 14:03:48 2000
@@ -371,6 +371,10 @@
                      net_statistics.OutOfWindowIcmps,
                      net_statistics.LockDroppedIcmps,
                      net_statistics.SockMallocOOM);
+       len += sprintf(buffer + len, 
+                               "IpExt: ArpFilter\n"
+                               "IpExt: %lu\n",
+                         net_statistics.ArpFilter);            
 
        if (offset >= len)
        {
--- linux/net/ipv4/arp.c.ARPFILTER      Fri Jun 23 12:19:11 2000
+++ linux/net/ipv4/arp.c        Sat Jun 24 14:02:07 2000
@@ -339,6 +339,22 @@
                 dst_ha, dev->dev_addr, NULL);
 }
 
+static int arp_filter(__u32 sip, __u32 tip, struct device *dev)
+{
+       struct rtable *rt;
+       int flag = 0; 
+       //unsigned long now; 
+
+       if (ip_route_output(&rt, sip, tip, 0, 0) < 0) 
+               return 1;
+       if (rt->u.dst.dev != dev) { 
+               net_statistics.ArpFilter++; 
+               flag = 1; 
+       } 
+       ip_rt_put(rt); 
+       return flag; 
+} 
+
 /* OBSOLETE FUNCTIONS */
 
 /*
@@ -689,6 +705,7 @@
                if (addr_type == RTN_LOCAL) {
                        n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
                        if (n) {
+                               int dont_send = 0; 
                                if (ipv4_devconf.hidden &&
                                    skb->pkt_type != PACKET_HOST) {
                                        struct device *dev2;
@@ -698,12 +715,14 @@
                                            dev2 != dev &&
                                            (in_dev2 = dev2->ip_ptr) != NULL &&
                                            IN_DEV_HIDDEN(in_dev2)) {
-                                               neigh_release(n);
-                                               goto out;
-                                       }
+                                               dont_send = 1; 
+                                       }       
                                }
+                               if (IN_DEV_ARPFILTER(in_dev))
+                                       dont_send |= arp_filter(sip,tip,dev); 
 
-                               
arp_send(ARPOP_REPLY,ETH_P_ARP,sip,dev,tip,sha,dev->dev_addr,sha);
+                               if (!dont_send) 
+                                       
+arp_send(ARPOP_REPLY,ETH_P_ARP,sip,dev,tip,sha,dev->dev_addr,sha);
                                neigh_release(n);
                        }
                        goto out;
--- linux/net/ipv4/devinet.c.ARPFILTER  Fri Jun 23 17:47:31 2000
+++ linux/net/ipv4/devinet.c    Sat Jun 24 14:02:07 2000
@@ -932,7 +932,7 @@
 static struct devinet_sysctl_table
 {
        struct ctl_table_header *sysctl_header;
-       ctl_table devinet_vars[13];
+       ctl_table devinet_vars[14];
        ctl_table devinet_dev[2];
        ctl_table devinet_conf_dir[2];
        ctl_table devinet_proto_dir[2];
@@ -974,6 +974,9 @@
          &proc_dointvec},
        {NET_IPV4_CONF_HIDDEN, "hidden",
          &ipv4_devconf.hidden, sizeof(int), 0644, NULL,
+         &proc_dointvec},
+       {NET_IPV4_CONF_ARPFILTER, "arp_filter",
+         &ipv4_devconf.arp_filter, sizeof(int), 0644, NULL,
          &proc_dointvec},
         {0}},
 



> 
> Matthew.
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [EMAIL PROTECTED]
> Please read the FAQ at http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/

Reply via email to