Date:      Tue, 25 Jan 2000 09:33:16 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Warner Losh <imp@village.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: Merged patches
Message-ID:  <200001251733.JAA04770@apollo.backplane.com>
References:   <200001251637.JAA04226@harmony.village.org>

:this patch.  I'm thinking seriously of removing the ICMP_BANDLIM
:option as an option (eg compile the code in no matter what), but
:raising the limit from 100 to 1000 or something like that so it won't
:normally impact people, but those desiring to harden their servers can
:drift the number downward.
:
:Comment?
:
:Warner

    I'd increase the default to 200, no higher.  1000 is probably too
    high a rate.

    I found a bug in the patch:

: #endif
:-		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
:-			goto drop;
:+		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
:+		    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
:+		    IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
: #ifdef INET6
: 		if (isipv6) {
: 			MALLOC(sin6, struct sockaddr_in6 *, sizeof *sin6,
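
Review bot: the new three-part condition ending at `IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))` has no body of its own, because the removed `goto drop;` was not added back after it. As written, the `if` takes the next statement as its body, which with INET6 defined is the `if (isipv6) {` block, so multicast or experimental addresses are not dropped here and the code that follows only runs when the condition is true. Put `goto drop;` back on the line right after the condition, before `#ifdef INET6`.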

    In the above section, the 'goto drop' was removed.  Shouldn't that stay
    in?  The body of this 'if' statement is now the conditional that 
    follows it, which is not what I think you meant to do.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>

