From nobody@FreeBSD.org  Tue Jan 15 07:38:21 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 112D337B41A
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 15 Jan 2002 07:38:21 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0FFcLR51705;
	Tue, 15 Jan 2002 07:38:21 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201151538.g0FFcLR51705@freefall.freebsd.org>
Date: Tue, 15 Jan 2002 07:38:21 -0800 (PST)
From: "idan l." <shadow@tty64.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: black hole ignored ports
X-Send-Pr-Version: www-1.0

>Number:         33923
>Category:       conf
>Synopsis:       black hole ignored ports
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 15 07:40:00 PST 2002
>Closed-Date:    Tue Jan 15 19:56:46 PST 2002
>Last-Modified:  Tue Jan 15 20:08:07 PST 2002
>Originator:     idan l.
>Release:        FreeBSD 4.4 stable
>Organization:
none.ltd
>Environment:
FreeBSD shadow.localhost 4.4-STABLE FreeBSD 4.4-
GMT 2002     root@shadow.localhost:/usr/src/sys
>Description:
A new sysctl that will allow the blackhole option to ignore ports such as
111 (portmap) and 113 (identd). This will allow the user to work faster, due to the fact that some services such as IRC
check if identd (port 113) is running, and with the blackhole option it takes time until the packet times out.
>How-To-Repeat:
sysctl net.inet.tcp.blackhole=1
telnet irc.bitchx.org 6667
		
>Fix:
# The patch contains a new option to sysctl and refers to the file sys/netinet/tcp_input.c.
# I've compiled and tested that option and didn't find any problems, though you should make your own tests before deciding on putting it in your releases.
37c37
< #include "opt_ipfw.h"		
---
> #include "opt_ipfw.h"		/* for ipfw_fwd		*/
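Review bot: this hunk is an unrelated change and also shows the diff is reversed: the `>` side carries the tree's existing `/* for ipfw_fwd */` comment, so the `<` lines are the new code. Regenerate the patch as `diff -u tcp_input.c.orig tcp_input.c` (old on the left, new on the right) so it applies with patch(1) without -R, and leave this comment line as it is.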
101,119d100
< char blackhole_ig_ports[256];
< 
< static int handle_bhole_ig_ports(SYSCTL_HANDLER_ARGS) 
< {
<     int error;
<     
<     error = sysctl_handle_string(oidp,blackhole_ig_ports,sizeof(blackhole_ig_ports),
< 	    req);
< 	    
<     return error;
< }
< 
< SYSCTL_PROC(_net_inet_tcp,OID_AUTO,blackhole_ig_ports,
< 	    CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON,0,0,handle_bhole_ig_ports,
< 	    "A","blackhole ignore ports");
< 
< char *strtok(char *,const char*);
< char *strtok_r(char *,const char *,char **);
< 	    	    
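Review bot: CTLFLAG_PRISON on net.inet.tcp.blackhole_ig_ports lets root inside any jail rewrite one host-global 256-byte buffer that changes SYN handling for every address on the machine; drop that flag unless the list is made per-prison. Two smaller points: handle_bhole_ig_ports does nothing but forward to sysctl_handle_string, so `SYSCTL_STRING(_net_inet_tcp, OID_AUTO, blackhole_ig_ports, CTLFLAG_RW, blackhole_ig_ports, sizeof(blackhole_ig_ports), "blackhole ignore ports");` gives the same knob without the wrapper, and hand-written prototypes for strtok/strtok_r do not belong in tcp_input.c; if they are kept at all they go in a header such as sys/libkern.h.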
359d339
< 	char *ptr = 0,temp_str[sizeof(blackhole_ig_ports)+1];
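Review bot: this adds a 257-byte temp_str to the stack frame of tcp_input(), which runs from the netisr on a small kernel stack and is already the largest function in this file; the +1 is also unnecessary, since sysctl_handle_string NUL-terminates the string within the 256 bytes of blackhole_ig_ports. Better to not copy the string per packet at all: parse it once in the sysctl handler into a fixed array or bitmap of ports and have the fast path test that.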
643,657c623,625
< 
< 			    if (thflags & TH_SYN) { 
< 				
< 				strcpy(temp_str,blackhole_ig_ports);
< 				for(ptr = strtok(temp_str,":")
< 				;ptr;ptr = strtok(NULL,":")) { 
< 				    if(strtol(ptr,(char **)NULL,10) == ntohs(
< 				    th->th_dport)) goto bhole_continue;
< 			
< 				}			
< 		
< 				goto drop;
< 			    }
< 			    
< 			    break;
---
> 				if (thflags & TH_SYN)
> 					goto drop;
> 				break;
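Review bot: the list is re-parsed on every blackholed SYN, so a flood of SYNs to closed ports now costs a strcpy, a tokenizer loop and a strtol per token instead of one branch, which works against the purpose of blackhole; it also calls strtok, whose static `last` pointer is shared by every caller, while the strtok_r declared earlier goes unused. Move the parse to sysctl-set time, or at the very least use strtok_r with a local save pointer. Note too that strtol maps a bad token such as "abc" to 0 rather than rejecting it, that only the branch dropping SYNs is changed (the net.inet.tcp.blackhole=2 mode blackhole(4) documents as dropping every segment is untouched, so the list has no effect there), and that port 111 from the description is not covered for UDP, since this is TCP input only.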
664d631
< bhole_continue:		
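Review bot: a bare `bhole_continue:` label whose only purpose is to jump over `goto drop` makes the control flow harder to follow than the three lines it replaces; set a flag in the loop (`found = 1; break;`) and write `if (!found) goto drop;` so no forward jump out of the switch is needed. The label line also carries trailing whitespace.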
2968,3034d2934
< 
< /* strtok copied from libc (/usr/src/lib/libc/string/strtok.c) */
< char *
< strtok_r(char *s, const char *delim, char **last)
< {
<     char *spanp;
<     int c, sc;
<     char *tok;
<     if (s == NULL && (s = *last) == NULL)
<     {
<         return NULL;
<     }
<     /*
<      * Skip (span) leading delimiters (s += strspn(s, delim), sort of).
<      */
< cont:
<     c = *s++;
<     for (spanp = (char *)delim; (sc = *spanp++) != 0; )
<     {
<         if (c == sc)
<         {
<             goto cont;
<         }
<     }
< 
<     if (c == 0)         /* no non-delimiter characters */
<     {
<         *last = NULL;
<         return NULL;
<     }
<     tok = s - 1;
<     /*
<      * Scan token (scan for delimiters: s += strcspn(s, delim), sort of).
<      * Note that delim must have one NUL; we stop if we see that, too.
<      */
<     for (;;)
<     {
<         c = *s++;
<         spanp = (char *)delim;
<         do
<         {
<             if ((sc = *spanp++) == c)
<             {
<                 if (c == 0)
<                 {
<                     s = NULL;
<                 }
<                 else
<                 {
<                     char *w = s - 1;
<                     *w = '\0';
<                 }
<                 *last = s;
<                 return tok;
<             }
<         }
<         while (sc != 0);
<     }
<     /* NOTREACHED */
< }
< char *
< strtok(char *s, const char *delim)
< {
<     static char *last;
<     return strtok_r(s, delim, &last);
< }
< 
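Review bot: copying strtok()/strtok_r() from libc into tcp_input.c puts a generic string routine in a protocol file and drops the libc copyright header that travels with that code; if the kernel needs them at all they belong in libkern (sys/libkern/ with a prototype in sys/libkern.h), and only strtok_r should go in, because strtok's static `last` is shared across every code path that calls it. The cleaner fix removes the need entirely by parsing the port list when the sysctl is written, so nothing on the packet path tokenizes strings.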

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: cjc 
State-Changed-When: Tue Jan 15 19:56:46 PST 2002 
State-Changed-Why:  
Thanks for the patch, but if you want more complex "blackhole"
behavior, the right way to go is to set up firewalling; note the
"WARNING" section of blackhole(4).

ipfw reset tcp from any to me 113 setup 
<more ports to be reset> 
ipfw drop tcp from any to me setup 

Will pretty much do what you want. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33923 
>Unformatted:
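As an added example (not code from PR 33923 or from the FreeBSD tree), the following user-space C shows the design the review notes above point to: the colon-separated exempt-port list is parsed once, when the sysctl would be written, into a 65536-bit set, and the per-segment decision in the blackhole path becomes a constant-time bit test with no string handling on the packet path. The names exempt_set_list, exempt_port, blackhole_action and portset_t are hypothetical; TH_SYN and TH_ACK are the flag values from <netinet/tcp.h>. Unlike the patch, the exemption is honoured at both blackhole levels, and a malformed list is rejected as a whole instead of strtol() silently turning a bad token into port 0.

```c
/* Added example for PR 33923: not code from the PR or from FreeBSD.
 * Parse the exempt-port list once, test a bit per segment.
 * exempt_set_list, exempt_port, blackhole_action, portset_t are
 * hypothetical names; TH_SYN/TH_ACK match <netinet/tcp.h>. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

enum action { ACT_RESPOND, ACT_DROP };   /* answer with RST as usual, or drop silently */

/* One bit per TCP port, 8 KiB.  In a kernel this would be malloc(9)'d,
 * not placed on the stack as the staging copy below is. */
typedef struct { uint32_t bits[65536 / 32]; } portset_t;

static portset_t exempt_ports;           /* the live set read on the packet path */

/* Parse a "113:111:22"-style list into a staging set and install it only if
 * every token is a valid port.  A bad token rejects the whole write and
 * leaves the live set unchanged.  Returns 0 on success, -1 on a bad list. */
int exempt_set_list(const char *list)
{
    portset_t tmp;
    const char *p = list;

    memset(&tmp, 0, sizeof tmp);
    while (*p != '\0') {
        char *end;
        unsigned long v;

        if (!isdigit((unsigned char)*p))       /* rejects "+", " ", "abc" */
            return -1;
        errno = 0;
        v = strtoul(p, &end, 10);
        if (errno != 0 || v < 1 || v > 65535)  /* overflow, port 0, > 65535 */
            return -1;
        if (*end != ':' && *end != '\0')       /* "113x" */
            return -1;
        tmp.bits[v >> 5] |= 1u << (v & 31);
        if (*end == ':' && end[1] == '\0')     /* trailing ':' */
            return -1;
        p = (*end == ':') ? end + 1 : end;
    }
    exempt_ports = tmp;                      /* a kernel would take a lock here */
    return 0;
}

/* Constant-time membership test used on every blackholed segment. */
int exempt_port(uint16_t port)
{
    return (exempt_ports.bits[port >> 5] >> (port & 31)) & 1u;
}

/* Decision for a segment that reached tcp_input() with no matching socket.
 * Mirrors blackhole(4): level 1 drops SYNs, level 2 drops everything;
 * an exempt port is answered normally (a RST) at any level, so a peer's
 * identd probe fails at once instead of waiting for a timeout. */
enum action blackhole_action(int blackhole, int thflags, uint16_t dport)
{
    if (blackhole == 0 || exempt_port(dport))
        return ACT_RESPOND;
    if (blackhole == 1)
        return (thflags & TH_SYN) ? ACT_DROP : ACT_RESPOND;
    return ACT_DROP;
}

int main(void)
{
    static const char *const names[] = { "respond", "drop" };

    if (exempt_set_list("113:111") != 0)     /* constructed sample list */
        return 1;
    printf("blackhole=1, SYN to 113  -> %s\n", names[blackhole_action(1, TH_SYN, 113)]);
    printf("blackhole=1, SYN to 6667 -> %s\n", names[blackhole_action(1, TH_SYN, 6667)]);
    printf("blackhole=2, ACK to 6667 -> %s\n", names[blackhole_action(2, TH_ACK, 6667)]);
    printf("bad list \"113:abc\" rejected: %d\n", exempt_set_list("113:abc") == -1);
    return 0;
}
```

The staging copy is what makes a rejected write harmless: the live set is replaced only after the whole string has validated, which is the behaviour a sysctl handler should have, since a half-applied list would silently change which ports answer.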
