Fwd [misc@]: Suppressing logging of arp movement messages


Fwd [misc@]: Suppressing logging of arp movement messages

Stuart Henderson
In gmane.os.openbsd.misc, [hidden email] wrote:

> hello all,
>
> I have finally build an internet gateway with OpenBSD 6.2 (AMD64), including pf and IPSec. Great stuff.
> Now I am seeing a lot of arp movement, that I know are caused by Apple's Bonjour Sleep Proxy.
>
> Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>
> These messages are repeating every 15-30 seconds for Apple devices like laptops that are in standby (sleep mode).
>
> On pfSense and FreeBSD you have a sysctl: net.link.ether.inet.log_arp_movements
> when set to zero it will no longer log the messages.
>
> Discussions can be found on internet dating back to 2010, but no solution has been provided for what I could find.
> I have not yet found any sysctl in OpenBSD to do the same. Did I miss something or does OpenBSD have any trick to not log these messages.
> Currently these messages are filling up the logs /var/run/dmesg.boot and /var/log/messages.

Because each log entry is different the usual "last message repeated
X times" squashing doesn't take place, so this provides a fairly easy
way for an on-net attacker to flood logs.

There might be something smarter that I haven't thought of that could be
done, but here's a simple diff to add a sysctl for inet. Not intended
for commit (at least, yet) as there are similar cases in inet6 to handle
too - it would be easy enough to add another sysctl there, but it might
make more sense to use a single af-independent sysctl as .Fx has.

Any thoughts (and suggestions for mib for an af-independent one if
that's the way to go)?

Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvs/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.286
diff -u -p -r1.286 sysctl.3
--- lib/libc/gen/sysctl.3 7 Nov 2017 19:15:09 -0000 1.286
+++ lib/libc/gen/sysctl.3 14 Nov 2017 13:53:38 -0000
@@ -1141,6 +1141,7 @@ The currently defined protocols and name
 .It icmp Ta tstamprepl Ta integer Ta yes
 .It ip Ta arpdown Ta integer Ta yes
 .It ip Ta arptimeout Ta integer Ta yes
+.It ip Ta arplog Ta integer Ta yes
 .It ip Ta directed-broadcast Ta integer Ta yes
 .It ip Ta encdebug Ta integer Ta yes
 .It ip Ta forwarding Ta integer Ta yes
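Review bot: this table is kept in alphabetical order (arpdown, arptimeout, directed-broadcast, encdebug, ...), so `+.It ip Ta arplog Ta integer Ta yes` belongs between the arpdown and arptimeout rows rather than after arptimeout; the same ordering applies to the description list further down in the same file.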
@@ -1305,6 +1306,9 @@ If set to 0, ignore timestamp requests.
 Lifetime of unresolved ARP entries, in seconds.
 .It Li ip.arptimeout Pq Va net.inet.ip.arptimeout
 Lifetime of resolved ARP entries, in seconds.
+.It Li ip.arplog Pq Va net.inet.ip.arplog
+If set to non-zero (default), log when the link-level address in
+an ARP entry is overwritten.
 .It Li ip.directed-broadcast Pq Va net.inet.ip.directed-broadcast
 Returns 1 if directed broadcast behavior is enabled for the host.
 .It Li ip.encdebug Pq Va net.inet.ip.encdebug
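Review bot: the new description should name the message the knob controls, so an operator who greps for the text they are seeing finds the sysctl; for example "If set to non-zero (default), log when the link-level address in an ARP entry is overwritten (the "arp info overwritten" messages)." It should also say this covers IPv4 ARP only, since the cover letter notes the inet6 neighbour-discovery messages are left unchanged by this diff.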
Index: sys/netinet/if_ether.c
===================================================================
RCS file: /cvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.231
diff -u -p -r1.231 if_ether.c
--- sys/netinet/if_ether.c 11 Aug 2017 21:24:19 -0000 1.231
+++ sys/netinet/if_ether.c 14 Nov 2017 13:53:38 -0000
@@ -78,6 +78,8 @@ int arpt_prune = (5 * 60); /* walk list
 int arpt_keep = (20 * 60); /* once resolved, cache for 20 minutes */
 int arpt_down = 20; /* once declared down, don't send for 20 secs */
 
+int arp_log = 1; /* log arp movement messages */
+
 void arpinvalidate(struct rtentry *);
 void arptfree(struct rtentry *);
 void arptimer(void *);
@@ -622,9 +624,10 @@ arpcache(struct ifnet *ifp, struct ether
  return (-1);
  } else {
  inet_ntop(AF_INET, spa, addr, sizeof(addr));
- log(LOG_INFO, "arp info overwritten for %s by "
-    "%s on %s\n", addr,
-    ether_sprintf(ea->arp_sha), ifp->if_xname);
+ if (arp_log)
+ log(LOG_INFO, "arp info overwritten for"
+    " %s by %s on %s\n", addr,
+    ether_sprintf(ea->arp_sha), ifp->if_xname);
  rt->rt_expire = 1;/* no longer static */
  }
  changed = 1;
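Review bot: the continuation line `+    ether_sprintf(ea->arp_sha), ifp->if_xname);` now sits one indentation level deeper under `if (arp_log)` and exceeds 80 columns, which is the point bluhm@ raises below; rebalance the three log() lines, for example keeping `addr,` on the line with the format string so `ether_sprintf(ea->arp_sha), ifp->if_xname);` fits on its own line. Separately, because this is a single global knob, an operator who sets arp_log=0 to quiet a Bonjour sleep proxy on one LAN also loses the overwrite signal on every other interface, including links where an unexpected MAC change is exactly what should be noticed; that trade-off is what makes the per-interface suggestion later in the thread attractive.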
Index: sys/netinet/if_ether.h
===================================================================
RCS file: /cvs/src/sys/netinet/if_ether.h,v
retrieving revision 1.73
diff -u -p -r1.73 if_ether.h
--- sys/netinet/if_ether.h 29 Nov 2016 10:09:57 -0000 1.73
+++ sys/netinet/if_ether.h 14 Nov 2017 13:53:38 -0000
@@ -209,6 +209,7 @@ struct arpcom {
 
 extern int arpt_keep; /* arp resolved cache expire */
 extern int arpt_down; /* arp down cache expire */
+extern int arp_log; /* log arp movement messages */
 
 extern u_int8_t etherbroadcastaddr[ETHER_ADDR_LEN];
 extern u_int8_t etheranyaddr[ETHER_ADDR_LEN];
Index: sys/netinet/in.h
===================================================================
RCS file: /cvs/src/sys/netinet/in.h,v
retrieving revision 1.126
diff -u -p -r1.126 in.h
--- sys/netinet/in.h 14 Nov 2017 09:30:17 -0000 1.126
+++ sys/netinet/in.h 14 Nov 2017 13:53:38 -0000
@@ -687,7 +687,8 @@ struct ip_mreq {
 #define IPCTL_MRTVIF 38
 #define IPCTL_ARPTIMEOUT 39
 #define IPCTL_ARPDOWN 40
-#define IPCTL_MAXID 41
+#define IPCTL_ARPLOG 41
+#define IPCTL_MAXID 42
 
 #define IPCTL_NAMES { \
  { 0, 0 }, \
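Review bot: giving IPCTL_ARPLOG the old IPCTL_MAXID value and bumping IPCTL_MAXID to 42 is the right way to extend the MIB, but in.h is an installed header, so sysctl(8) and anything else compiled against IPCTL_NAMES and IPCTL_MAXID has to be rebuilt before the new name is visible from userland; that is worth a line in the commit message.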
@@ -731,6 +732,7 @@ struct ip_mreq {
  { "mrtvif", CTLTYPE_STRUCT }, \
  { "arptimeout", CTLTYPE_INT }, \
  { "arpdown", CTLTYPE_INT }, \
+ { "arplog", CTLTYPE_INT }, \
 }
 #define IPCTL_VARS { \
  NULL, \
@@ -774,6 +776,7 @@ struct ip_mreq {
  NULL, \
  &arpt_keep, \
  &arpt_down, \
+ &arp_log, \
 }
 
 #endif /* __BSD_VISIBLE */
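Review bot: IPCTL_NAMES, IPCTL_VARS and the IPCTL_* numbering must stay in lockstep; here `+ &arp_log, \` lands at index 41, matching IPCTL_ARPLOG and the "arplog" name entry, so the table-driven sysctl path serves it the same way the existing arptimeout and arpdown knobs are served. arp_log must be declared wherever IPCTL_VARS is expanded; the `extern int arp_log;` added to if_ether.h covers that as long as that header is included alongside in.h, as it already must be for arpt_keep and arpt_down.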


Re: Fwd [misc@]: Suppressing logging of arp movement messages

Alexander Bluhm
On Tue, Nov 14, 2017 at 02:04:27PM +0000, Stuart Henderson wrote:
> Any thoughts (and suggestions for mib for an af-independent one if
> that's the way to go)?

I have the requirement to log all arp overwrites in the local
network.  So I would like to keep the log message, it does no harm
in a controlled server environment.  With different user requirements
a sysctl knob may be justified.

An alternative would be that the user ignores kern.info in syslog.conf.

Although it would be nice to have common IPv4/IPv6 switches, sysctl
net is organized in inet and inet6.  Splitting arp and nd6 seems
the right thing, we have a bunch of these already.

OK bluhm@

> +    ether_sprintf(ea->arp_sha), ifp->if_xname);

This line is too long.
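Added example, not code from this thread or from OpenBSD: a log-side alternative to switching the message off. It keeps every "arp info overwritten" line (the requirement bluhm@ states above) but does the squashing that syslogd's "last message repeated" logic cannot do for these lines, because each one differs. Events are grouped per interface and address, and the two-MAC alternation a Bonjour sleep proxy produces is reported separately from an entry overwritten by three or more distinct addresses, which is the case an operator would want to look at. The sample input is constructed: the first eight lines reproduce the format quoted at the top of the thread, the remaining lines are invented to exercise the other patterns.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input. The first eight lines reproduce the format of the
# messages quoted in the thread; the remaining lines are invented so that the
# "single" and "multi" patterns and an unrelated kernel line are exercised too.
SAMPLE_LOG = """\
Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:05:10 gatekeeper /bsd: arp info overwritten for 192.168.20.50 by 52:54:00:12:34:56 on vmx0
Nov  8 00:05:40 gatekeeper /bsd: arp info overwritten for 192.168.20.1 by de:ad:be:ef:00:01 on vmx0
Nov  8 00:05:41 gatekeeper /bsd: arp info overwritten for 192.168.20.1 by de:ad:be:ef:00:02 on vmx0
Nov  8 00:05:42 gatekeeper /bsd: arp info overwritten for 192.168.20.1 by de:ad:be:ef:00:03 on vmx0
Nov  8 00:05:43 gatekeeper /bsd: some unrelated kernel message
"""

# Matches the exact message format emitted by arpcache() in the thread's diff.
ARP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) /bsd: arp info overwritten for (?P<ip>\S+) "
    r"by (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)$"
)


def parse_arp_events(text):
    """Return (timestamp, ifname, ip, mac) tuples for every matching line."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue  # not an ARP overwrite message; leave it to other tooling
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, m["ifname"], m["ip"], m["mac"]))
    return events


def classify(macs):
    """Describe how one ARP entry was overwritten, given its MACs in order."""
    if len(macs) == 1:
        return "single"  # one overwrite: a device changed NIC, or was replaced
    distinct = set(macs)
    if len(distinct) == 2 and all(a != b for a, b in zip(macs, macs[1:])):
        return "alternating"  # two addresses taking turns: sleep-proxy style
    return "multi"  # three or more addresses, or no regular pattern: investigate


def summarize(text):
    """Collapse the per-line noise into one record per (interface, address)."""
    by_entry = defaultdict(list)
    for ts, ifname, ip, mac in parse_arp_events(text):
        by_entry[(ifname, ip)].append((ts, mac))
    summary = {}
    for key, evs in by_entry.items():
        evs.sort()  # chronological, in case the input was not
        macs = [mac for _, mac in evs]
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        summary[key] = {
            "count": len(evs),
            "macs": sorted(set(macs)),
            "pattern": classify(macs),
            "mean_interval_seconds": span / (len(evs) - 1) if len(evs) > 1 else None,
        }
    return summary


def format_report(summary):
    """One line per entry, ready to be logged or mailed instead of the raw flood."""
    lines = []
    for (ifname, ip), rec in sorted(summary.items()):
        interval = rec["mean_interval_seconds"]
        interval_text = f"every {interval:.0f}s" if interval is not None else "once"
        lines.append(
            f"{ifname} {ip}: {rec['count']} overwrites {interval_text}, "
            f"{rec['pattern']} between {', '.join(rec['macs'])}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize(SAMPLE_LOG))))
```

Run against a real /var/log/messages the script reads a day of flapping as one "alternating" line per sleeping Apple device, while an entry that is rewritten by several different addresses still stands out as "multi"; the kernel message itself stays enabled, so nothing is lost from the record.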


Re: Fwd [misc@]: Suppressing logging of arp movement messages

Theo de Raadt-2
Might this be better per-interface, using ifconfig, then people can
disable logging on a particular subnet in hostname.* files?

> On Tue, Nov 14, 2017 at 02:04:27PM +0000, Stuart Henderson wrote:
> > Any thoughts (and suggestions for mib for an af-independent one if
> > that's the way to go)?
>
> I have the requirement to log all arp overwrites in the local
> network.  So I would like to keep the log message, it does no harm
> in a controlled server environment.  With different user requirements
> a sysctl knob may be justified.
>
> An alternative would be that the user ignores kern.info in syslog.conf.
>
> Although it would be nice to have common IPv4/IPv6 switches, sysctl
> net is organized in inet and inet6.  Splitting arp and nd6 seems
> the right thing, we have a bunch of these already.
>
> OK bluhm@
>
> > +    ether_sprintf(ea->arp_sha), ifp->if_xname);
>
> This line is too long.
>


Re: Fwd [misc@]: Suppressing logging of arp movement messages

Stuart Henderson
On 2017/11/14 09:13, Theo de Raadt wrote:
> Might this be better per-interface, using ifconfig, then people can
> disable logging on a particular subnet in hostname.* files?

Hmm yes, that sounds a much better idea actually. And in that case
keeping v4 and v6 in one setting isn't as awkward as sysctl.
I'll try to figure out what's needed.

> > On Tue, Nov 14, 2017 at 02:04:27PM +0000, Stuart Henderson wrote:
> > > Any thoughts (and suggestions for mib for an af-independent one if
> > > that's the way to go)?
> >
> > I have the requirement to log all arp overwrites in the local
> > network.  So I would like to keep the log message, it does no harm
> > in a controlled server environment.  With different user requirements
> > a sysctl knob may be justified.

I totally agree, and think that keeping it on by default makes sense.

> > An alternative would be that the user ignores kern.info in syslog.conf.
> >
> > Although it would be nice to have common IPv4/IPv6 switches, sysctl
> > net is organized in inet and inet6.  Splitting arp and nd6 seems
> > the right thing, we have a bunch of these already.
> >
> > OK bluhm@
> >
> > > +    ether_sprintf(ea->arp_sha), ifp->if_xname);
> >
> > This line is too long.
> >
>