From 664640fdd4b71003915056886e32ed09f0d7bd43 Mon Sep 17 00:00:00 2001
From: djm <>
Date: Wed, 9 Jul 2008 20:23:47 +0000
Subject: [PATCH] automatically populate net.inet.(tcp|udp).baddynamic with the contents of /etc/services so as to avoid randomly allocating source ports that correspond to well-known services. Auto-filling of the baddynamic tables is performed before reading sysctl.conf, so it is still possible to add or subtract ports, or override the autofilling entirely there. Note that this requires a new kernel and /sbin/sysctl. feedback markus@ ok markus@ deraadt@ millert@
---
 src/etc/rc | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/etc/rc b/src/etc/rc
index 68bac01b..350a19a0 100644
--- a/src/etc/rc
+++ b/src/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.317 2008/06/15 04:49:34 sturm Exp $
+# $OpenBSD: rc,v 1.318 2008/07/09 20:23:47 djm Exp $
 # System startup script run by init on autoboot
 # or after single-user.
@@ -116,6 +116,34 @@ random_seed()
 fi
 }
+fill_baddynamic()
+{
+ local _service="$1"
+ local _sysctl="net.inet.${_service}.baddynamic"
+ local _name _port _srv _junk _ban
+ local _i=0
+ grep "/${_service}" /etc/services | {
+ IFS=" /"
+ while read _name _port _srv _junk; do
+ [ "x${_srv}" = "x${_service}" ] || continue;
+ if [ "x${_ban}" = "x" ]; then
+ _ban="+${_port}"
+ else
+ _ban="${_ban},+${_port}"
+ fi
+ # Flush before argv gets too long
+ if [ $((++_i)) -gt 128 ]; then
+ sysctl ${_sysctl}=${_ban} >/dev/null
+ _ban=""
+ _i=0
+ fi
+ done;
+ if [ "x${_ban}" != "x" ]; then
+ sysctl ${_sysctl}=${_ban} >/dev/null
+ fi
+ }
+}
+
 # End subroutines
 stty status '^T'
@@ -253,6 +281,10 @@ if [ X"${pf}" != X"NO" ]; then
 pfctl -e
 fi
+# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services
+fill_baddynamic udp
+fill_baddynamic tcp
+
 sysctl_conf
 # set hostname, turn on network
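Review bot: The `IFS=" /"` assignment at the top of the grep block decides whether `read _name _port _srv _junk` ever splits a line, and /etc/services on OpenBSD separates the service name from the port field with tabs; as rendered here only a space and a slash are visible, so confirm the assignment also carries a literal tab, otherwise `_name` absorbs the whole `name<tab>port` prefix and the `_srv` test never matches. Separately, `_port` reaches `sysctl ${_sysctl}=${_ban}` unvalidated: a line such as `# 1234/tcp` or a malformed entry passes the `_srv` check and is folded into `_ban`, and if sysctl rejects the whole assignment the other ports batched with it (up to 128) are dropped along with it. A guard such as `case "${_port}" in ''|*[!0-9]*) continue ;; esac` before `_ban` is extended keeps every batch to plain port numbers. The two `sysctl` calls discard only stdout, so on a kernel without the new MIB each batch prints an error rather than failing quietly; a one-line comment stating that this is intended would save the next reader a question, since the commit message but not the script records the kernel dependency.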
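Review bot: The comment above the two `fill_baddynamic` calls says what is filled but not why the calls sit before `sysctl_conf`, which is the property the commit message relies on (sysctl.conf can still add, remove or replace the auto-filled ports); a reader of rc alone cannot tell that the order is deliberate. Suggest `# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services.` followed by `# Done before sysctl_conf so that sysctl.conf can still add, remove or replace ports.`. The `if [ X"${pf}" != X"NO" ]` block that precedes the insertion point starts outside the hunk.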