New Networking Project...
Michal Mertl
mime at traveller.cz
Fri Dec 3 06:39:27 PST 2004
I looked at the project page and noticed one thing I found code for.
Task: Rework code in FreeBSD's ip_icmp.c such that ICMP responses for
forwarding can be throttled also. Call badport_bandlim() before icmp_error()?
Andres Oppermann wrote simple patch for it and posted it on net@ on January
2004.
His (updated) patch attached.
Sorry Andre for speaking on your behalf but I was afraid your work might get
lost.
--
Michal Mertl
-------------- next part --------------
Index: icmp_var.h
===================================================================
RCS file: /home/fcvs/cvs/src/sys/netinet/icmp_var.h,v
retrieving revision 1.24
diff -u -r1.24 icmp_var.h
--- icmp_var.h 16 Aug 2004 18:32:07 -0000 1.24
+++ icmp_var.h 3 Dec 2004 14:31:08 -0000
@@ -78,11 +78,12 @@
extern int badport_bandlim(int);
#define BANDLIM_UNLIMITED -1
#define BANDLIM_ICMP_UNREACH 0
-#define BANDLIM_ICMP_ECHO 1
-#define BANDLIM_ICMP_TSTAMP 2
-#define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */
-#define BANDLIM_RST_OPENPORT 4 /* No connection, listener */
-#define BANDLIM_MAX 4
+#define BANDLIM_ICMP_UNREACH_HOST 1
+#define BANDLIM_ICMP_ECHO 2
+#define BANDLIM_ICMP_TSTAMP 3
+#define BANDLIM_RST_CLOSEDPORT 4 /* No connection, and no listeners */
+#define BANDLIM_RST_OPENPORT 5 /* No connection, listener */
+#define BANDLIM_MAX 5
#endif
#endif
Index: ip_icmp.c
===================================================================
RCS file: /home/fcvs/cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.97
diff -u -r1.97 ip_icmp.c
--- ip_icmp.c 15 Sep 2004 20:13:26 -0000 1.97
+++ ip_icmp.c 3 Dec 2004 14:31:08 -0000
@@ -172,6 +172,18 @@
if (n->m_flags & (M_BCAST|M_MCAST))
goto freeit;
/*
+ * Limit sending of ICMP host unreachable messages.
+ * If we are acting as a router and someone is doing a sweep
+ * scan (eg. nmap and/or numerous windows worms) for destinations
+ * we are the gateway for but are not reachable (ie. a /24 on a
+ * interface and only a couple of hosts on the ethernet) we would
+ * generate a storm of ICMP host unreachable messages.
+ */
+ if (type == ICMP_UNREACH && code == ICMP_UNREACH_HOST) {
+ if (badport_bandlim(BANDLIM_ICMP_UNREACH_HOST) < 0)
+ goto freeit;
+ }
+ /*
* First, formulate icmp message
*/
m = m_gethdr(M_DONTWAIT, MT_HEADER);
@@ -893,7 +905,8 @@
struct timeval lasttime;
int curpps;
} rates[BANDLIM_MAX+1] = {
- { "icmp unreach response" },
+ { "icmp unreach port response" },
+ { "icmp unreach host response" },
{ "icmp ping response" },
{ "icmp tstamp response" },
{ "closed port RST response" },
More information about the freebsd-net
mailing list