New Networking Project...

Michal Mertl mime at traveller.cz
Fri Dec 3 06:39:27 PST 2004


I looked at the project page and noticed one thing I found code for.

Task: Rework code in FreeBSD's ip_icmp.c such that ICMP responses for 
forwarding can be throttled also. Call badport_bandlim() before icmp_error()?

Andre Oppermann wrote a simple patch for it and posted it on net@ in January 
2004.

His (updated) patch is attached.

Sorry Andre for speaking on your behalf but I was afraid your work might get 
lost.

-- 
Michal Mertl

-------------- next part --------------
Index: icmp_var.h
===================================================================
RCS file: /home/fcvs/cvs/src/sys/netinet/icmp_var.h,v
retrieving revision 1.24
diff -u -r1.24 icmp_var.h
--- icmp_var.h	16 Aug 2004 18:32:07 -0000	1.24
+++ icmp_var.h	3 Dec 2004 14:31:08 -0000
@@ -78,11 +78,12 @@
 extern int badport_bandlim(int);
 #define BANDLIM_UNLIMITED -1
 #define BANDLIM_ICMP_UNREACH 0
-#define BANDLIM_ICMP_ECHO 1
-#define BANDLIM_ICMP_TSTAMP 2
-#define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */
-#define BANDLIM_RST_OPENPORT 4   /* No connection, listener */
-#define BANDLIM_MAX 4
+#define BANDLIM_ICMP_UNREACH_HOST 1
+#define BANDLIM_ICMP_ECHO 2
+#define BANDLIM_ICMP_TSTAMP 3
+#define BANDLIM_RST_CLOSEDPORT 4	/* No connection, and no listeners */
+#define BANDLIM_RST_OPENPORT 5		/* No connection, listener */
+#define BANDLIM_MAX 5
 #endif
 
 #endif
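Review bot: renumbering the existing BANDLIM_ICMP_ECHO, BANDLIM_ICMP_TSTAMP, BANDLIM_RST_CLOSEDPORT and BANDLIM_RST_OPENPORT values (1..4 become 2..5) changes the index every caller passes into badport_bandlim(), so any module or out-of-tree code still compiled against the old header would silently be accounted in the wrong rate bucket after this change. Appending the new class instead, e.g. `#define BANDLIM_ICMP_UNREACH_HOST 5` together with `#define BANDLIM_MAX 5`, keeps the existing values stable; if the renumbering is intentional so that the two unreach classes sit next to each other, the commit message should say so. Minor style point: the new lines align the trailing comments with tabs where the removed lines used spaces.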
Index: ip_icmp.c
===================================================================
RCS file: /home/fcvs/cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.97
diff -u -r1.97 ip_icmp.c
--- ip_icmp.c	15 Sep 2004 20:13:26 -0000	1.97
+++ ip_icmp.c	3 Dec 2004 14:31:08 -0000
@@ -172,6 +172,18 @@
 	if (n->m_flags & (M_BCAST|M_MCAST))
 		goto freeit;
 	/*
+	 * Limit sending of ICMP host unreachable messages.
+	 * If we are acting as a router and someone is doing a sweep
+	 * scan (eg. nmap and/or numerous windows worms) for destinations
+	 * we are the gateway for but are not reachable (ie. a /24 on a
+	 * interface and only a couple of hosts on the ethernet) we would
+	 * generate a storm of ICMP host unreachable messages.
+	 */
+	if (type == ICMP_UNREACH && code == ICMP_UNREACH_HOST) {
+		if (badport_bandlim(BANDLIM_ICMP_UNREACH_HOST) < 0)
+			goto freeit;
+	}
+	/*
 	 * First, formulate icmp message
 	 */
 	m = m_gethdr(M_DONTWAIT, MT_HEADER);
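Review bot: the new throttle applies only to ICMP_UNREACH with code ICMP_UNREACH_HOST, whereas the task quoted in the mail asks for ICMP responses generated while forwarding to be throttled in general; net unreachable, time exceeded and the other error types a sweep against a forwarded prefix can provoke are still sent unlimited from this function. Either state in the comment that host unreachable is the only class this patch addresses, or consider covering the other forwarding-generated types as well (in this bucket or one of their own). Placing the check before m_gethdr() is the right spot, since a throttled response then costs no mbuf allocation, and the `goto freeit` frees the original packet n just as the broadcast/multicast path above it does. Typo in the comment: "a /24 on a interface" should be "on an interface".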
@@ -893,7 +905,8 @@
 		struct timeval	lasttime;
 		int		curpps;
 	} rates[BANDLIM_MAX+1] = {
-		{ "icmp unreach response" },
+		{ "icmp unreach port response" },
+		{ "icmp unreach host response" },
 		{ "icmp ping response" },
 		{ "icmp tstamp response" },
 		{ "closed port RST response" },
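Review bot: the rates[] table is initialised positionally, so its correctness now depends on the new `{ "icmp unreach host response" },` entry sitting at exactly index BANDLIM_ICMP_UNREACH_HOST (1) and on every later entry having shifted by one in step with the renumbered icmp_var.h; a designated initialiser such as `[BANDLIM_ICMP_UNREACH_HOST] = { "icmp unreach host response" },` would make that binding explicit and survive any future renumbering. Also, renaming the first entry from "icmp unreach response" to "icmp unreach port response" changes the label badport_bandlim() reports when the limit is hit, which operators and log monitors may already match on; that deserves a mention in the commit message.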