authorsam <sam@FreeBSD.org>2008-03-18 21:45:27 +0000
committersam <sam@FreeBSD.org>2008-03-18 21:45:27 +0000
commitf5c289e7a87eda5b4525ebf960bf279bbd6d6246 (patch)
treebd231b4417c3e00dd4b65f241475220ef8243a94
parentf46620ae374ea61cbb68746c3da2ad4c05cf2258 (diff)
downloadFreeBSD-src-f5c289e7a87eda5b4525ebf960bf279bbd6d6246.zip
FreeBSD-src-f5c289e7a87eda5b4525ebf960bf279bbd6d6246.tar.gz
add reject+blackhole keywords to install entries with RTF_BLACKHOLE
and RTF_REJECT, respectively PR: bin/79228 Submitted by: Dan Lukes <dan@obluda.cz> MFC after: 2 weeks
-rw-r--r--usr.sbin/arp/arp.816
-rw-r--r--usr.sbin/arp/arp.c11
2 files changed, 23 insertions, 4 deletions
diff --git a/usr.sbin/arp/arp.8 b/usr.sbin/arp/arp.8
index 17b55fd..32b46fd 100644
--- a/usr.sbin/arp/arp.8
+++ b/usr.sbin/arp/arp.8
@@ -53,10 +53,14 @@
.Nm
.Fl s Ar hostname ether_addr
.Op Cm temp
+.Op Cm reject
+.Op Cm backhole
.Op Cm pub Op Cm only
.Nm
.Fl S Ar hostname ether_addr
.Op Cm temp
+.Op Cm reject
+.Op Cm backhole
.Op Cm pub Op Cm only
.Nm
.Fl f Ar filename
@@ -148,6 +152,18 @@ This type of entry is created automatically if
detects that a routing table entry for
.Ar hostname
already exists.
+.Pp
+If the
+.Cm reject
+keyword is specified the entry will be marked so that traffic to
+the host will be discarded and the sender will be notified the
+host is unreachable.
+The
+.Cm blackhole
+keyword is similar in that traffic discarded but the sender is
+not notified.
+These can be used to block external traffic to a host without
+using a firewall.
.It Fl S Ar hostname ether_addr
Is just like
.Fl s
diff --git a/usr.sbin/arp/arp.c b/usr.sbin/arp/arp.c
index 65b55ad..c8ef3e9 100644
--- a/usr.sbin/arp/arp.c
+++ b/usr.sbin/arp/arp.c
@@ -321,8 +321,7 @@ set(int argc, char **argv)
struct timeval tv;
gettimeofday(&tv, 0);
expire_time = tv.tv_sec + 20 * 60;
- }
- else if (strncmp(argv[0], "pub", 3) == 0) {
+ } else if (strncmp(argv[0], "pub", 3) == 0) {
flags |= RTF_ANNOUNCE;
doing_proxy = 1;
if (argc && strncmp(argv[1], "only", 3) == 0) {
@@ -330,6 +329,10 @@ set(int argc, char **argv)
dst->sin_other = SIN_PROXY;
argc--; argv++;
}
+ } else if (strncmp(argv[0], "blackhole", 9) == 0) {
+ flags |= RTF_BLACKHOLE;
+ } else if (strncmp(argv[0], "reject", 6) == 0) {
+ flags |= RTF_REJECT;
} else if (strncmp(argv[0], "trail", 5) == 0) {
/* XXX deprecated and undocumented feature */
printf("%s: Sending trailers is no longer supported\n",
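Review bot: The two new branches in set() accept `blackhole` and `reject` on the same command line, so `flags` can end up with both RTF_BLACKHOLE and RTF_REJECT set, although arp.8 describes them as alternatives (sender notified or not). Which one takes effect then depends on code not visible here. Consider refusing the combination where the keyword is parsed, for example `if (flags & RTF_REJECT) usage();` before `flags |= RTF_BLACKHOLE;`, with the mirror check in the `reject` branch. Separately, `strncmp(argv[0], "reject", 6)` is a prefix match, so an argument such as `rejected` is taken as the keyword; `strcmp(argv[0], "reject") == 0` would require the exact word, though it would differ from the neighbouring `pub`/`trail` checks. set() starts and ends outside this hunk.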
@@ -627,8 +630,8 @@ usage(void)
" arp [-n] [-i interface] -a",
" arp -d hostname [pub]",
" arp -d [-i interface] -a",
- " arp -s hostname ether_addr [temp] [pub [only]]",
- " arp -S hostname ether_addr [temp] [pub [only]]",
+ " arp -s hostname ether_addr [temp] [reject] [blackhole] [pub [only]]",
+ " arp -S hostname ether_addr [temp] [reject] [blackhole] [pub [only]]",
" arp -f filename");
exit(1);
}
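Review bot: The usage lines spell the keyword `blackhole`, matching what set() compares against, but the arp.8 synopsis lines added in the same commit read `.Op Cm backhole`, so the manual page advertises a word the parser's `strncmp(argv[0], "blackhole", 9)` does not match. The synopsis should read `.Op Cm blackhole` in both the `-s` and `-S` forms. Since the manual text describes the two keywords as alternative behaviours, the usage string could also show them as a choice, `[reject | blackhole]`, rather than as independent options.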