-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Here is an rc.d script that I use on my own server, which provides two
functionalities:

 - Bind ARP pairs specified in rc.conf (*);
 - Set ARP logging options (+).

* Similar to routing settings, one needs to set up some sort of "ARP
pairs" like this:

static_arp_pairs="gw"
arp_gw="172.16.1.1 00:1c:58:6a:7b:49"

+ By setting one or more of the following options to "NO" it would set
the appropriate sysctl for arp logging settings to zero to disable logging:

log_arp_permanent_modify
log_arp_movements
log_arp_wrong_iface

This script could be useful for those who use FreeBSD in an uncontrolled
network (i.e. your network administrator does not care about viruses
that attack the network with fake ARP broadcasts).

I wonder whether this script would be useful for general consumption?
Other comments are also welcome :-)

Cheers,
- --
Xin LI <delphij_at_delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFHe+WCi+vbBBjt66ARAvA/AJ9zv5Wtif9DPgDPT89ZOOoueu+w9gCeK3gY
4GEETsKg53j19QLFd3IZKkc=
=rLKv
-----END PGP SIGNATURE-----

#!/bin/sh
#
# Copyright (c) 2008 Xin LI <delphij_at_FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.
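# IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Configure static ARP table and logging options
#
# rc.conf(5) variables read by this script:
#   static_arp_pairs="name ..."
#       Space-separated list of pair names to bind at start / unbind at stop.
#   arp_<name>="<host> <ether_addr>[ arp(8) -S flags]"
#       Arguments handed to "arp -S" for that pair name; at stop the
#       <ether_addr> word is dropped and the rest is handed to "arp -d".
#   log_arp_permanent_modify, log_arp_movements, log_arp_wrong_iface
#       "NO" (any case) clears the net.link.ether.inet.* sysctl of the same
#       name, any other non-empty value sets it to 1, unset/empty leaves the
#       running sysctl untouched.
#
# $FreeBSD$
#

# PROVIDE: arp
# REQUIRE: netif
# KEYWORD: nojail

. /etc/rc.subr

name="arp"
start_cmd="arp_start"
stop_cmd="arp_stop"
extra_commands="options static"
static_cmd="static_start"
options_cmd="options_start"

# Print "$1" with every word that looks like an ether address
# (xx:xx:xx:xx:xx:xx) removed, words separated by single spaces.
# Used to turn an arp_<name> value into "arp -d" arguments.
arp_pair_strip_ether()
{
	local _w _out
	_out=
	for _w in $1; do
		case "${_w}" in
		??:??:??:??:??:??)
			;;
		*)
			_out="${_out}${_out:+ }${_w}"
			;;
		esac
	done
	printf '%s' "${_out}"
}

# Apply one log_arp_* rc.conf knob to the sysctl of the same name.
#   $1 - rc.conf variable name (log_arp_permanent_modify, ...)
#   $2 - description appended to the status line
# NO clears the sysctl, any other non-empty value sets it, an unset or
# empty variable is left alone so a value from sysctl.conf survives.
arp_log_option()
{
	local _var _desc _val
	_var=$1
	_desc=$2
	# _var only ever comes from the literal names below, so eval is safe
	eval "_val=\${${_var}}"
	[ -n "${_val}" ] || return 0
	case "${_val}" in
	[Nn][Oo])
		printf ' do not'
		sysctl "net.link.ether.inet.${_var}=0" >/dev/null
		;;
	*)
		sysctl "net.link.ether.inet.${_var}=1" >/dev/null
		;;
	esac
	printf ' %s;' "${_desc}"
}

arp_start()
{
	options_start
	static_start
}

arp_stop()
{
	static_stop
}

# Set the ARP logging sysctls according to rc.conf.
options_start()
{
	printf 'Additional ARP logging options:'
	arp_log_option log_arp_permanent_modify \
	    'log arp replies from MACs different than the one in the permanent arp entry'
	arp_log_option log_arp_movements \
	    'log arp replies from MACs different than the one in the cache'
	arp_log_option log_arp_wrong_iface \
	    'log arp packets arriving on the wrong interface'
	echo '.'
}

# Bind every pair listed in static_arp_pairs with "arp -S".
# A pair whose arp_<name> variable is empty or whose "arp -S" fails is
# reported on the status line instead of being silently skipped.
static_start()
{
	local _e _args
	[ -n "${static_arp_pairs}" ] || return 0
	printf 'Binding static ARP pair:'
	for _e in ${static_arp_pairs}; do
		printf ' %s' "${_e}"
		case "${_e}" in
		*[!A-Za-z0-9_]*)
			# not a shell identifier; would break the eval below
			printf '(skipped: invalid name)'
			continue
			;;
		esac
		eval "_args=\${arp_${_e}}"
		if [ -z "${_args}" ]; then
			printf '(arp_%s not set)' "${_e}"
			continue
		fi
		# ${_args} is intentionally unquoted: "<host> <ether_addr> [flags]"
		if ! arp -S ${_args} >/dev/null 2>&1; then
			printf '(failed)'
		fi
	done
	echo '.'
}

# Delete every pair listed in static_arp_pairs with "arp -d".
# Only the ether address is stripped from arp_<name>, so any trailing
# arp(8) keywords are still passed through.
static_stop()
{
	local _e _args
	[ -n "${static_arp_pairs}" ] || return 0
	printf 'Unbinding static ARP pair:'
	for _e in ${static_arp_pairs}; do
		printf ' %s' "${_e}"
		case "${_e}" in
		*[!A-Za-z0-9_]*)
			printf '(skipped: invalid name)'
			continue
			;;
		esac
		eval "_args=\${arp_${_e}}"
		_args=$(arp_pair_strip_ether "${_args}")
		if [ -z "${_args}" ]; then
			printf '(arp_%s not set)' "${_e}"
			continue
		fi
		# ${_args} is intentionally unquoted: "<host> [flags]"
		if ! arp -d ${_args} >/dev/null 2>&1; then
			printf '(failed)'
		fi
	done
	echo '.'
}

load_rc_config $name
run_rc_command "$1"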