New Networking Project...

Andre Oppermann andre at freebsd.org
Sat Dec 4 13:57:38 PST 2004


Michal Mertl wrote:
> 
> I looked at the project page and noticed one thing I found code for.
> 
> Task: Rework code in FreeBSD's ip_icmp.c such that ICMP responses for
> forwarding can be throttled also. Call badport_bandlim() before icmp_error()?
> 
> Andre Oppermann wrote a simple patch for it and posted it on net@ in January
> 2004.
> 
> His (updated) patch attached.
> 
> Sorry Andre for speaking on your behalf but I was afraid your work might get
> lost.

It already got lost from my brain's memory. :(  Maybe I would have found it
again when pruning my work trees.  I'm going to commit it in the next few
days.  Thanks for posting it and reminding me!

-- 
Andre


> --
> Michal Mertl
> 
>   --------------------------------------------------------------------------------
> Index: icmp_var.h
> ===================================================================
> RCS file: /home/fcvs/cvs/src/sys/netinet/icmp_var.h,v
> retrieving revision 1.24
> diff -u -r1.24 icmp_var.h
> --- icmp_var.h  16 Aug 2004 18:32:07 -0000      1.24
> +++ icmp_var.h  3 Dec 2004 14:31:08 -0000
> @@ -78,11 +78,12 @@
>  extern int badport_bandlim(int);
>  #define BANDLIM_UNLIMITED -1
>  #define BANDLIM_ICMP_UNREACH 0
> -#define BANDLIM_ICMP_ECHO 1
> -#define BANDLIM_ICMP_TSTAMP 2
> -#define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */
> -#define BANDLIM_RST_OPENPORT 4   /* No connection, listener */
> -#define BANDLIM_MAX 4
> +#define BANDLIM_ICMP_UNREACH_HOST 1
> +#define BANDLIM_ICMP_ECHO 2
> +#define BANDLIM_ICMP_TSTAMP 3
> +#define BANDLIM_RST_CLOSEDPORT 4       /* No connection, and no listeners */
> +#define BANDLIM_RST_OPENPORT 5         /* No connection, listener */
> +#define BANDLIM_MAX 5
>  #endif
> 
>  #endif
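Review bot: inserting BANDLIM_ICMP_UNREACH_HOST as value 1 renumbers every existing constant from BANDLIM_ICMP_ECHO through BANDLIM_MAX, and because these values index the rates[] table in ip_icmp.c, anything still compiled against revision 1.24 of this header will select the wrong bucket. Appending the new class as 5 (with BANDLIM_MAX 5) would leave the existing values untouched; if the renumbering is deliberate, to keep the two unreach classes adjacent, the commit message should say so. Minor: the trailing comments on the two RST defines are no longer aligned with the surrounding lines.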
> Index: ip_icmp.c
> ===================================================================
> RCS file: /home/fcvs/cvs/src/sys/netinet/ip_icmp.c,v
> retrieving revision 1.97
> diff -u -r1.97 ip_icmp.c
> --- ip_icmp.c   15 Sep 2004 20:13:26 -0000      1.97
> +++ ip_icmp.c   3 Dec 2004 14:31:08 -0000
> @@ -172,6 +172,18 @@
>         if (n->m_flags & (M_BCAST|M_MCAST))
>                 goto freeit;
>         /*
> +        * Limit sending of ICMP host unreachable messages.
> +        * If we are acting as a router and someone is doing a sweep
> +        * scan (eg. nmap and/or numerous windows worms) for destinations
> +        * we are the gateway for but are not reachable (ie. a /24 on a
> +        * interface and only a couple of hosts on the ethernet) we would
> +        * generate a storm of ICMP host unreachable messages.
> +        */
> +       if (type == ICMP_UNREACH && code == ICMP_UNREACH_HOST) {
> +               if (badport_bandlim(BANDLIM_ICMP_UNREACH_HOST) < 0)
> +                       goto freeit;
> +       }
> +       /*
>          * First, formulate icmp message
>          */
>         m = m_gethdr(M_DONTWAIT, MT_HEADER);
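Review bot: the new check at the top of the hunk limits every ICMP_UNREACH_HOST reply regardless of whether the packet was being forwarded, while the comment above it describes only the router/sweep-scan case; the comment should state that locally originated host-unreachables are limited too, or the commit message should note that the broader scope is intended. The quoted task also talks about throttling ICMP responses generated for forwarding in general, so it is worth saying that this patch covers the host-unreachable code only. The nested if can be collapsed into one condition:
	if (type == ICMP_UNREACH && code == ICMP_UNREACH_HOST &&
	    badport_bandlim(BANDLIM_ICMP_UNREACH_HOST) < 0)
		goto freeit;
Minor: "a interface" should read "an interface".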
> @@ -893,7 +905,8 @@
>                 struct timeval  lasttime;
>                 int             curpps;
>         } rates[BANDLIM_MAX+1] = {
> -               { "icmp unreach response" },
> +               { "icmp unreach port response" },
> +               { "icmp unreach host response" },
>                 { "icmp ping response" },
>                 { "icmp tstamp response" },
>                 { "closed port RST response" },
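Review bot: the new "icmp unreach host response" entry is bound to BANDLIM_ICMP_UNREACH_HOST purely by its position in rates[], so the table is only correct as long as its order stays in step with the renumbered defines in icmp_var.h. A designated initializer, for example
		[BANDLIM_ICMP_UNREACH_HOST] = { "icmp unreach host response" },
would tie each string to its index and make the next insertion safe. Renaming the existing entry from "icmp unreach response" to "icmp unreach port response" also changes a user-visible string, which deserves a mention in the commit message.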


More information about the freebsd-net mailing list