rc.conf: tcp_drop_synfin option

banshee root at vault13.org
Mon Mar 19 18:24:13 UTC 2007


        No, in that case the sysctl will turn on SYN+FIN drop, but if we use cut -d ' ' -f 2, it will return 0 (by default at start-up time this sysctl var=0) and print an error msg. If you use -f 4, then it will check that the SYN+FIN function is turned on, no matter how.

On Mon, Mar 19, 2007 at 02:51:10PM +0300, pluknet wrote:
> On 19/03/07, banshee <root at vault13.org> wrote:
> >On Mon, Mar 19, 2007 at 12:48:01PM +0300, pluknet wrote:
> >> Hi.
> >>
> >> On 18/03/07, banshee <root at vault13.org> wrote:
> >> >
> >> >        Hello everyone!
> >> >
> >> >        I have an tcp_drop_synfin="yes" option in my rc.conf, but it
> >> >        doesn't work correct. Here is the dmesg -a part:
> >> >
> >> >        [...]
> >> >        Additional routing options:
> >> >         ignore ICMP redirect=YES
> >> >         log ICMP redirect=YES
> >> >         drop SYN+FIN packets=YES
> >> >        sysctl:
> >> >        unknown oid 'net.inet.tcp.drop_synfin'
> >> >        [...]
> >> >
> >> >        I've been thinking about making a patch for it (/etc/rc.d/routing,
> >> >        lines 22-127), but I just didn't find something in the `sysctl -a`
> >> >        list that can be used. If this option is removed, then maybe the
> >> >        lines 124-125 in /etc/rc.d/routing should be changed (something as
> >> >        in attach)? I'm interested in making a patch for it :-)
> >>
> >> Didn't you forget to add the TCP_DROP_SYNFIN option in your kernel config?
> >>
> >> >        Best regards, banshee, vault13.org...
> >>
> >> pluknet
> >
> >        Ups... No, I didn't forget to include it, I've just compiled the
> >        wrong kernel :-)
> >        Anyway, I've made some changes to the routing file, just to see whether
> >        this sysctl var is set correctly (I know, the code is ugly).
> 
> >From attach:
> -		echo -n ' drop SYN+FIN packets=YES'
> -		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
> +		if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`" 
> \
> +						= "1" ]; then
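Review bot: the `+` lines test field 4 of the assignment's own `old -> new` output while the oid is still looked up with stderr attached, so on a kernel built without TCP_DROP_SYNFIN the `unknown oid` message is printed exactly as before and the substitution just comes back empty. Suggest reading the value back with `sysctl -n net.inet.tcp.drop_synfin 2>/dev/null` and comparing that to `1`, which avoids depending on field positions and silences the error; the hunk also opens `if ... then` without showing the `then`/`else` bodies that should print the `=YES` or `=NO` status and the matching `fi`.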
> 
> Perhaps it would be more careful to make a so-called "const" check:
> -		echo -n ' drop SYN+FIN packets=YES'
> 		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
> +		if [ "`sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2`" \
> +						= "1" ]; then
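Review bot: reading the value back in a second call after the assignment is the right idea, but the read-back still has stderr attached, so a kernel without TCP_DROP_SYNFIN prints `unknown oid` twice (once for the `=1` line, once here) while the test merely fails; add `2>/dev/null` to both calls. `cut -d ' ' -f 2` on `net.inet.tcp.drop_synfin: 1` can be replaced by `sysctl -n net.inet.tcp.drop_synfin`, which prints only the value, and the removed `echo -n ' drop SYN+FIN packets=YES'` needs to return inside the `then` branch with a `NO` counterpart in the `else`, since the `+` lines show only the condition.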
> 
> >
> pluknet
> 
> ps
> sorry for my English
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"

-- 

        Contra vim mortis, non est medicaments...
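As an added example, not code from the thread or from /etc/rc.d/routing, here is a POSIX sh helper that applies the approach the thread converges on: set the sysctl, read the value back separately, and report failure when the oid is unknown. The SYSCTL hook, the FAKE_SYNFIN_IN_KERNEL switch and the fake_sysctl stand-in are assumptions made here so the check can be exercised without a FreeBSD kernel.

```shell
#!/bin/sh
# Added example, not code from the thread or from /etc/rc.d/routing.
# SYSCTL is a hook so the check can be exercised with the stand-in
# below; on a real system leave it at the default "sysctl".
: "${SYSCTL:=sysctl}"

# set_and_verify_sysctl OID VALUE
# Returns 0 and prints "OID=VALUE" when the kernel reads back the value;
# returns 1 with a diagnostic when the oid is unknown (e.g. a kernel
# built without "options TCP_DROP_SYNFIN") or the value did not take.
set_and_verify_sysctl() {
    oid=$1; want=$2
    # Discard the assignment's "oid: old -> new" output and any
    # "unknown oid" error; what counts is the separate read-back.
    "$SYSCTL" "$oid=$want" >/dev/null 2>&1 || :
    # -n prints the bare value, so no cut -d ' ' -f N on "oid: value".
    got=$("$SYSCTL" -n "$oid" 2>/dev/null) || got=""
    if [ "$got" = "$want" ]; then
        echo "$oid=$got"
        return 0
    fi
    echo "$oid: unavailable (read back '${got:-nothing}', wanted '$want')"
    return 1
}

# Constructed stand-in for FreeBSD sysctl(8), for the demo only. It models
# one oid, net.inet.tcp.drop_synfin, present only when
# FAKE_SYNFIN_IN_KERNEL=yes, and mimics sysctl's output formats:
#   sysctl oid=1 -> "oid: 0 -> 1"; sysctl oid -> "oid: 1"; sysctl -n oid -> "1"
#   unknown oid  -> "sysctl: unknown oid 'oid'" on stderr, exit status 1
fake_synfin=0
fake_sysctl() {
    name=$1; bare=""
    if [ "$name" = "-n" ]; then bare=yes; name=$2; fi
    case "${name%%=*}" in
    net.inet.tcp.drop_synfin)
        [ "$FAKE_SYNFIN_IN_KERNEL" = "yes" ] ||
            { echo "sysctl: unknown oid '${name%%=*}'" >&2; return 1; }
        case "$name" in
        *=*) old=$fake_synfin; fake_synfin=${name#*=}
             echo "net.inet.tcp.drop_synfin: $old -> $fake_synfin" ;;
        *)   if [ -n "$bare" ]; then echo "$fake_synfin"
             else echo "net.inet.tcp.drop_synfin: $fake_synfin"; fi ;;
        esac ;;
    *)  echo "sysctl: unknown oid '${name%%=*}'" >&2; return 1 ;;
    esac
}
```

To see both outcomes with the stand-in, source the file and run `SYSCTL=fake_sysctl FAKE_SYNFIN_IN_KERNEL=no set_and_verify_sysctl net.inet.tcp.drop_synfin 1`, then the same with `FAKE_SYNFIN_IN_KERNEL=yes`.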
