In gmane.os.openbsd.misc, [email protected] wrote:
> hello all,
>
> I have finally built an internet gateway with OpenBSD 6.2 (AMD64), including 
> pf and IPSec. Great stuff. 
> Now I am seeing a lot of arp movement that I know is caused by Apple's 
> Bonjour Sleep Proxy.
>
> Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>
> These messages are repeating every 15-30 seconds for Apple devices like 
> laptops that are in standby (sleep mode).
>
> On pfSense and FreeBSD you have a sysctl: 
> net.link.ether.inet.log_arp_movements
> when set to zero it will no longer log the messages.
>
> Discussions can be found on the internet dating back to 2010, but no solution has 
> been provided for what I could find.
> I have not yet found any sysctl in OpenBSD to do the same. Did I miss 
> something, or does OpenBSD have any trick to not log these messages?
> Currently these messages are filling up the logs /var/run/dmesg.boot and 
> /var/log/messages.

Because each log entry is different the usual "last message repeated
X times" squashing doesn't take place, so this provides a fairly easy
way for an on-net attacker to flood logs. 

There might be something smarter that I haven't thought of that could be
done, but here's a simple diff to add a sysctl for inet. Not intended
for commit (at least, yet) as there are similar cases in inet6 to handle
too - it would be easy enough to add another sysctl there, but it might
make more sense to use a single af-independent sysctl as .Fx has.

Any thoughts (and suggestions for mib for an af-independent one if
that's the way to go)?

Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvs/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.286
diff -u -p -r1.286 sysctl.3
--- lib/libc/gen/sysctl.3       7 Nov 2017 19:15:09 -0000       1.286
+++ lib/libc/gen/sysctl.3       14 Nov 2017 13:53:38 -0000
@@ -1141,6 +1141,7 @@ The currently defined protocols and name
 .It icmp Ta tstamprepl Ta integer Ta yes
 .It ip Ta arpdown Ta integer Ta yes
 .It ip Ta arptimeout Ta integer Ta yes
+.It ip Ta arplog Ta integer Ta yes
 .It ip Ta directed-broadcast Ta integer Ta yes
 .It ip Ta encdebug Ta integer Ta yes
 .It ip Ta forwarding Ta integer Ta yes
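Review bot: the rows of this table are kept alphabetical (arpdown, arptimeout, directed-broadcast, encdebug, forwarding), so the new ".It ip Ta arplog Ta integer Ta yes" row belongs between the arpdown and arptimeout rows rather than after arptimeout; the description entry in the following hunk should be moved the same way so both lists stay in the same order.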
@@ -1305,6 +1306,9 @@ If set to 0, ignore timestamp requests.
 Lifetime of unresolved ARP entries, in seconds.
 .It Li ip.arptimeout Pq Va net.inet.ip.arptimeout
 Lifetime of resolved ARP entries, in seconds.
+.It Li ip.arplog Pq Va net.inet.ip.arplog
+If set to non-zero (default), log when the link-level address in
+an ARP entry is overwritten.
 .It Li ip.directed-broadcast Pq Va net.inet.ip.directed-broadcast
 Returns 1 if directed broadcast behavior is enabled for the host.
 .It Li ip.encdebug Pq Va net.inet.ip.encdebug
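Review bot: the ip.arplog description should name the message it controls, so an operator reading sysctl(3) can connect the knob to what fills /var/log/messages, for example "If set to non-zero (default), log an 'arp info overwritten' message when the link-level address in an ARP entry changes." As with the table above, place the entry between ip.arpdown and ip.arptimeout to keep the alphabetical order.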
Index: sys/netinet/if_ether.c
===================================================================
RCS file: /cvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.231
diff -u -p -r1.231 if_ether.c
--- sys/netinet/if_ether.c      11 Aug 2017 21:24:19 -0000      1.231
+++ sys/netinet/if_ether.c      14 Nov 2017 13:53:38 -0000
@@ -78,6 +78,8 @@ int   arpt_prune = (5 * 60);  /* walk list 
 int    arpt_keep = (20 * 60);  /* once resolved, cache for 20 minutes */
 int    arpt_down = 20;         /* once declared down, don't send for 20 secs */
 
+int    arp_log = 1;            /* log arp movement messages */
+
 void arpinvalidate(struct rtentry *);
 void arptfree(struct rtentry *);
 void arptimer(void *);
@@ -622,9 +624,10 @@ arpcache(struct ifnet *ifp, struct ether
                                return (-1);
                        } else {
                                inet_ntop(AF_INET, spa, addr, sizeof(addr));
-                               log(LOG_INFO, "arp info overwritten for %s by "
-                                   "%s on %s\n", addr,
-                                   ether_sprintf(ea->arp_sha), ifp->if_xname);
+                               if (arp_log)
+                                       log(LOG_INFO, "arp info overwritten for"
+                                           " %s by %s on %s\n", addr,
+                                           ether_sprintf(ea->arp_sha), 
ifp->if_xname);
                                rt->rt_expire = 1;/* no longer static */
                        }
                        changed = 1;
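Review bot: the final "ifp->if_xname);" of the new log() call has been wrapped by the mailer onto a line of its own with no leading "+", and the line before it ends in a trailing space, so the hunk as it appears here will not apply with patch(1); anyone trying this needs an unwrapped copy of the diff. The gate itself is placed correctly: only the log() call sits under "if (arp_log)", while "rt->rt_expire = 1;" and "changed = 1;" still run, so cache behaviour is unchanged when logging is off. The branch above that ends in "return (-1);" is outside the shown context; if it logs as well, that message is still unconditional and would need the same check.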
Index: sys/netinet/if_ether.h
===================================================================
RCS file: /cvs/src/sys/netinet/if_ether.h,v
retrieving revision 1.73
diff -u -p -r1.73 if_ether.h
--- sys/netinet/if_ether.h      29 Nov 2016 10:09:57 -0000      1.73
+++ sys/netinet/if_ether.h      14 Nov 2017 13:53:38 -0000
@@ -209,6 +209,7 @@ struct      arpcom {
 
 extern int arpt_keep;                          /* arp resolved cache expire */
 extern int arpt_down;                          /* arp down cache expire */
+extern int arp_log;                            /* log arp movement messages */
 
 extern u_int8_t etherbroadcastaddr[ETHER_ADDR_LEN];
 extern u_int8_t etheranyaddr[ETHER_ADDR_LEN];
Index: sys/netinet/in.h
===================================================================
RCS file: /cvs/src/sys/netinet/in.h,v
retrieving revision 1.126
diff -u -p -r1.126 in.h
--- sys/netinet/in.h    14 Nov 2017 09:30:17 -0000      1.126
+++ sys/netinet/in.h    14 Nov 2017 13:53:38 -0000
@@ -687,7 +687,8 @@ struct ip_mreq {
 #define        IPCTL_MRTVIF            38
 #define        IPCTL_ARPTIMEOUT        39
 #define        IPCTL_ARPDOWN           40
-#define        IPCTL_MAXID             41
+#define        IPCTL_ARPLOG            41
+#define        IPCTL_MAXID             42
 
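Review bot: IPCTL_ARPLOG takes over the old IPCTL_MAXID value 41 and IPCTL_MAXID moves to 42, which is only consistent because the IPCTL_NAMES and IPCTL_VARS hunks below append "arplog" and &arp_log in the same last position; the three hunks have to be committed together, and any sysctl added to this block later must be appended to all three lists in the same order.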
 #define        IPCTL_NAMES { \
        { 0, 0 }, \
@@ -731,6 +732,7 @@ struct ip_mreq {
        { "mrtvif", CTLTYPE_STRUCT }, \
        { "arptimeout", CTLTYPE_INT }, \
        { "arpdown", CTLTYPE_INT }, \
+       { "arplog", CTLTYPE_INT }, \
 }
 #define        IPCTL_VARS { \
        NULL, \
@@ -774,6 +776,7 @@ struct ip_mreq {
        NULL, \
        &arpt_keep, \
        &arpt_down, \
+       &arp_log, \
 }
 
 #endif /* __BSD_VISIBLE */

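As an added example that is not part of this thread or of the OpenBSD tree: the messages the poster wants to silence are also the one place where an ARP spoof of a listed host (the gateway, say) would show up, so instead of dropping them globally a small triage script can let the known sleep-proxy pair through and alert on anything else, and can flag the per-IP burst rate that, as the reply notes, defeats syslog's "last message repeated" squashing. The log lines below are constructed (the 192.168.20.99 lines follow the post, the 192.168.20.1 and 192.168.20.50 lines are invented); the year, the EXPECTED allowlist, the gateway MAC in it and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not a real capture). The 192.168.20.99 lines and the
# two Apple MACs mirror the Bonjour Sleep Proxy flapping from the post; the
# 192.168.20.1 line and the 192.168.20.50 burst are added, hypothetical events.
SAMPLE_LOG = """\
Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.1 by de:ad:be:ef:00:01 on vmx0
Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:05:00 gatekeeper /bsd: arp info overwritten for 192.168.20.50 by 00:11:22:33:44:55 on vmx0
Nov  8 00:05:01 gatekeeper /bsd: arp info overwritten for 192.168.20.50 by 66:77:88:99:aa:bb on vmx0
Nov  8 00:05:02 gatekeeper /bsd: arp info overwritten for 192.168.20.50 by 00:11:22:33:44:55 on vmx0
Nov  8 00:05:03 gatekeeper /bsd: arp info overwritten for 192.168.20.50 by 66:77:88:99:aa:bb on vmx0
Nov  8 00:05:04 gatekeeper /bsd: arp info overwritten for 192.168.20.50 by 00:11:22:33:44:55 on vmx0
"""

# Assumed site policy (hypothetical): which MACs may legitimately answer for
# each IP. The sleep-proxy pair for .99 comes from the post; the gateway MAC
# listed for .1 is invented.
EXPECTED = {
    "192.168.20.99": {"00:46:ab:ba:19:87", "9c:ab:3b:ca:fe:99"},
    "192.168.20.1": {"aa:bb:cc:00:00:01"},
}

# Message text as printed by the log() call in arpcache() shown in the patch,
# behind the usual /var/log/messages syslog prefix.
ARP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ /bsd: "
    r"arp info overwritten for (?P<ip>\S+) by (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)$"
)


def parse_events(text, year=2017):
    """Return (timestamp, ip, mac, ifname) for every matching line.
    syslog lines carry no year, so one is assumed (the post is from Nov 2017)."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["mac"].lower(), m["ifname"]))
    return events


def max_events_in_window(times, window_s=60):
    """Largest number of events that fall inside any window_s-second span."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, i - start + 1)
    return best


def analyze(events, expected, flood_threshold=4, window_s=60):
    """Classify ARP overwrite events per IP.

    kinds: 'unexpected_mac' - a MAC outside the allowlist claimed a listed IP
                              (on the gateway this is the classic spoofing sign)
           'unlisted'       - an IP with no policy entry is flapping at all
           'flood'          - at least flood_threshold overwrites in one window,
                              the log-filling case the reply warns about
    A listed IP whose flapping stays inside its allowlist produces nothing.
    """
    allow = {ip: {m.lower() for m in macs} for ip, macs in expected.items()}
    by_ip = defaultdict(list)
    for ts, ip, mac, ifname in events:
        by_ip[ip].append((ts, mac, ifname))

    findings = []
    for ip in sorted(by_ip):
        evs = by_ip[ip]
        macs = {mac for _, mac, _ in evs}
        if ip not in allow:
            findings.append({"ip": ip, "kind": "unlisted", "macs": sorted(macs)})
        elif macs - allow[ip]:
            findings.append({"ip": ip, "kind": "unexpected_mac",
                             "macs": sorted(macs - allow[ip])})
        peak = max_events_in_window([ts for ts, _, _ in evs], window_s)
        if peak >= flood_threshold:
            findings.append({"ip": ip, "kind": "flood", "peak": peak})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG), EXPECTED):
        print(finding)
```

On a real gateway this would be fed with the contents of /var/log/messages (parse_events(open("/var/log/messages").read())) and the allowlist would come from the site's own inventory. It only makes the retained messages useful; it does nothing against an attacker filling the log in the first place, which is what the sysctl in the patch addresses.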