rc.conf: tcp_drop_synfin option
pluknet
pluknet at gmail.com
Mon Mar 19 11:51:14 UTC 2007
On 19/03/07, banshee <root at vault13.org> wrote:
> On Mon, Mar 19, 2007 at 12:48:01PM +0300, pluknet wrote:
> > Hi.
> >
> > On 18/03/07, banshee <root at vault13.org> wrote:
> > >
> > > Hello everyone!
> > >
> > > I have a tcp_drop_synfin="yes" option in my rc.conf, but it
> > > doesn't work correctly. Here is the dmesg -a part:
> > >
> > > [...]
> > > Additional routing options:
> > > ignore ICMP redirect=YES
> > > log ICMP redirect=YES
> > > drop SYN+FIN packets=YES
> > > sysctl:
> > > unknown oid 'net.inet.tcp.drop_synfin'
> > > [...]
> > >
> > > I've been thinking about making a patch for it (/etc/rc.d/routing,
> > > lines 22-127), but I just didn't find anything in the `sysctl -a`
> > > list that can be used. If this option was removed, then maybe
> > > lines 124-125 in /etc/rc.d/routing should be changed (something like
> > > in the attachment)? I'm interested in making a patch for it :-)
> >
> > Didn't you forget to add the TCP_DROP_SYNFIN option in your kernel config?
> >
> > > Best regards, banshee, vault13.org...
> >
> > pluknet
>
> Oops... No, I didn't forget to include it, I've just compiled the wrong kernel :-)
> Anyway, I've made some changes to the routing file, just to see whether this sysctl var is set correctly (I know, the code is ugly).
From the attachment:
- echo -n ' drop SYN+FIN packets=YES'
- sysctl net.inet.tcp.drop_synfin=1 >/dev/null
+ if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`" \
+ = "1" ]; then
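Review bot: the added `if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`" = "1" ]` test decides success by cutting the fourth space-separated field out of the text sysctl prints, which ties the check to that output layout. It also leaves stderr unredirected, so on a kernel built without the option the `unknown oid` message from the original report would still reach the console. Testing the exit status directly, for example `if sysctl net.inet.tcp.drop_synfin=1 >/dev/null 2>&1; then`, avoids both. The hunk as shown removes the `echo -n ' drop SYN+FIN packets=YES'` line and stops at `then`, so the branch bodies are not visible; the `=YES` message should be printed only inside the success branch, with the failure case reported explicitly, so the boot log does not announce a filter that is not in effect.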
Perhaps it would be more careful to make a so-called "const" check:
- echo -n ' drop SYN+FIN packets=YES'
sysctl net.inet.tcp.drop_synfin=1 >/dev/null
+ if [ "`sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2`" \
+ = "1" ]; then
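Review bot: the read-back in `sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2` still parses the `name: value` text; `sysctl -n net.inet.tcp.drop_synfin` prints only the value and removes the need for `cut`. The unchanged set line redirects only stdout (`>/dev/null`) and the read-back redirects nothing, so with an unknown OID the error text is emitted by both commands; adding `2>/dev/null` to each keeps the boot output clean while the test still fails as intended. Reading the value back after the set confirms the state the kernel reports rather than what the set command printed, so this variant is the better base for the patch, provided the removed `=YES` message is re-emitted only when the comparison succeeds.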
>
pluknet
ps
sorry for my English
More information about the freebsd-current
mailing list