From owner-freebsd-net@FreeBSD.ORG Sat Dec 4 21:57:38 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08BC116A4CE for ; Sat, 4 Dec 2004 21:57:38 +0000 (GMT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D0C243D1D for ; Sat, 4 Dec 2004 21:57:37 +0000 (GMT) (envelope-from andre@freebsd.org)
Received: (qmail 47670 invoked from network); 4 Dec 2004 21:48:13 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 4 Dec 2004 21:48:13 -0000
Message-ID: <41B232D0.65561143@freebsd.org>
Date: Sat, 04 Dec 2004 22:57:36 +0100
From: Andre Oppermann
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Michal Mertl
References: <41B07A9C.6070803@traveller.cz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: gnn@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: New Networking Project...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 04 Dec 2004 21:57:38 -0000

Michal Mertl wrote:
> 
> I looked at the project page and noticed one thing I found code for.
> 
> Task: Rework code in FreeBSD's ip_icmp.c such that ICMP responses for
> forwarding can be throttled also. Call badport_bandlim() before icmp_error()?
> 
> Andre Oppermann wrote a simple patch for it and posted it on net@ in January
> 2004.
> 
> His (updated) patch attached.
> 
> Sorry, Andre, for speaking on your behalf, but I was afraid your work might get
> lost.

It already got lost from my brain's memory. :(  Maybe I would have found it
again when pruning my work trees.

I'm going to commit it in the next few days.  Thanks for posting it and
reminding me!

-- 
Andre

> -- 
> Michal Mertl
> 
> -------------------------------------------------------------------------------- > Index: icmp_var.h > =================================================================== > RCS file: /home/fcvs/cvs/src/sys/netinet/icmp_var.h,v > retrieving revision 1.24 > diff -u -r1.24 icmp_var.h > --- icmp_var.h 16 Aug 2004 18:32:07 -0000 1.24 > +++ icmp_var.h 3 Dec 2004 14:31:08 -0000
> @@ -78,11 +78,12 @@ > extern int badport_bandlim(int); > #define BANDLIM_UNLIMITED -1 > #define BANDLIM_ICMP_UNREACH 0 > -#define BANDLIM_ICMP_ECHO 1 > -#define BANDLIM_ICMP_TSTAMP 2 > -#define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */ > -#define BANDLIM_RST_OPENPORT 4 /* No connection, listener */ > -#define BANDLIM_MAX 4 > +#define BANDLIM_ICMP_UNREACH_HOST 1 > +#define BANDLIM_ICMP_ECHO 2 > +#define BANDLIM_ICMP_TSTAMP 3 > +#define BANDLIM_RST_CLOSEDPORT 4 /* No connection, and no listeners */ > +#define BANDLIM_RST_OPENPORT 5 /* No connection, listener */ > +#define BANDLIM_MAX 5 > #endif > > #endif > Index: ip_icmp.c > =================================================================== > RCS file: /home/fcvs/cvs/src/sys/netinet/ip_icmp.c,v > retrieving revision 1.97 > diff -u -r1.97 ip_icmp.c > --- ip_icmp.c 15 Sep 2004 20:13:26 -0000 1.97 > +++ ip_icmp.c 3 Dec 2004 14:31:08 -0000 > @@ -172,6 +172,18 @@ > if (n->m_flags & (M_BCAST|M_MCAST)) > goto freeit; > /* > + * Limit sending of ICMP host unreachable messages. > + * If we are acting as a router and someone is doing a sweep > + * scan (eg. nmap and/or numerous windows worms) for destinations > + * we are the gateway for but are not reachable (ie. a /24 on a > + * interface and only a couple of hosts on the ethernet) we would > + * generate a storm of ICMP host unreachable messages. > + */ > + if (type == ICMP_UNREACH && code == ICMP_UNREACH_HOST) { > + if (badport_bandlim(BANDLIM_ICMP_UNREACH_HOST) < 0) > + goto freeit; > + } > + /* > * First, formulate icmp message > */ > m = m_gethdr(M_DONTWAIT, MT_HEADER); > @@ -893,7 +905,8 @@ > struct timeval lasttime; > int curpps; > } rates[BANDLIM_MAX+1] = { > - { "icmp unreach response" }, > + { "icmp unreach port response" }, > + { "icmp unreach host response" }, > { "icmp ping response" }, > { "icmp tstamp response" }, > { "closed port RST response" },
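Review bot: renumbering the existing BANDLIM_* values in the icmp_var.h hunk (ECHO 1 to 2, TSTAMP 2 to 3, RST_CLOSEDPORT 3 to 4, RST_OPENPORT 4 to 5) changes the meaning of every argument to the exported `badport_bandlim(int)`, so a kernel module or out-of-tree caller built against the old header would silently account against the wrong bucket after this goes in. Appending the new constant instead (`#define BANDLIM_ICMP_UNREACH_HOST 5` together with `#define BANDLIM_MAX 5`, and the matching string appended at the end of rates[]) keeps all existing values stable. Since bucket 0 is being relabelled as the port-unreachable limiter, it is also worth renaming BANDLIM_ICMP_UNREACH to BANDLIM_ICMP_UNREACH_PORT so the macro name and the rates[] label say the same thing.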
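Review bot: the new check in the icmp_error() hunk only matches `type == ICMP_UNREACH && code == ICMP_UNREACH_HOST`, while the task quoted in the mail asks for ICMP responses generated while forwarding to be throttled in general; other errors produced on the forwarding path (time exceeded when TTL runs out, fragmentation needed) still leave unlimited, so a traceroute or TTL-expiry flood through the box is not covered by this change. Either widen the condition to the other forwarding-generated types with a bucket per class, or say in the comment that only the directly attached /24 sweep case is addressed. Also note that badport_bandlim() holds a single `lasttime`/`curpps` pair per bucket (visible in the rates[] declaration below), so the limit is global rather than per source: once a scanner saturates the host-unreachable bucket, legitimate host-unreachable notifications to every other sender are dropped for the rest of that interval; that is the usual trade-off for this kind of limiter but deserves a sentence in the comment. Two nits in the comment text: `a interface` should read `an interface`, and `eg.`/`ie.` are normally written `e.g.`/`i.e.`.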
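Review bot: the rates[] initializer in the last hunk is positional, so after this patch its correctness depends on the entry order matching the renumbered BANDLIM_* values in icmp_var.h exactly (0 unreach port, 1 unreach host, 2 ping, 3 tstamp, 4 closed-port RST, 5 open-port RST); adding a constant in one file without the corresponding entry in the other would silently shift every label onto the wrong bucket. Designated initializers, for example `[BANDLIM_ICMP_UNREACH_HOST] = { "icmp unreach host response" },`, tie each label to its constant and remove that failure mode. The relabel of entry 0 from `icmp unreach response` to `icmp unreach port response` also changes the text of existing rate-limit log messages and assumes that every remaining caller passing BANDLIM_ICMP_UNREACH is a port unreachable; if any other unreach code still goes through bucket 0 the new label misleads, and anyone filtering logs on the old string needs to be told.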