Date: Sat, 29 Apr 2000 21:20:11 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: net@freebsd.org
Subject: Additional rate limiting for icmp
Message-ID: <Pine.BSF.4.21.0004292052400.753-200000@achilles.silby.com>
I've thrown together a patch that extends icmp_bandlim to limit the rate of icmp echo and tstamp responses. I've tested it on my 3.4 box, though the patch appears to apply to 4 and current equally well; there haven't been any significant changes to the codepath. I haven't tested its operation on a 4 or current box yet.

At the same time, I've enhanced the logging so that you can see which type of response it is rate limiting (icmp unreach / rst / echo / tstamp).

Note that since each type of response is limited by a separate bucket, this patch won't affect the operation of the existing icmp unreach / rst rate limiting at all. An echo flood won't cause rst to be suppressed.

While the patch doesn't totally negate the effect of being flooded with icmp echo or tstamp requests, it does ensure that you don't waste your outgoing bandwidth responding to a bogus flood, and should help boxes handle such floods better.

I'd appreciate it if someone could review this patch and see if it's ready to be committed to current/4/3.

Thanks,
Mike "Silby" Silbersack

[Attachment: ip_icmp.c.patch]
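The separate-bucket behaviour described in the message, as an added example; it is not the attached patch and not FreeBSD code. The names `resp_ratelimit` and `flood`, the `HZ` value and the limit of 200 responses per second are assumptions chosen for illustration.

```c
#include <stdio.h>

/* All names and values here are assumptions for illustration, not FreeBSD code. */
enum { RESP_UNREACH, RESP_RST, RESP_ECHO, RESP_TSTAMP, RESP_NTYPES };
#define HZ 100                      /* assumed clock ticks per second */

static const char *resp_name[RESP_NTYPES] =
    { "icmp unreach", "rst", "icmp echo", "icmp tstamp" };

static struct bucket {
    int window_start;               /* tick at which the current window opened */
    int packets;                    /* requests counted in the current window */
} buckets[RESP_NTYPES];             /* one independent bucket per response type */

/* Return 0 if a response of type `which` may be sent at tick `now`, -1 to drop it. */
int resp_ratelimit(int which, int now, int limit)
{
    struct bucket *b;

    if (limit <= 0 || which < 0 || which >= RESP_NTYPES)
        return 0;                   /* limiting disabled or unknown type: allow */
    b = &buckets[which];
    if ((unsigned int)(now - b->window_start) >= HZ) {
        if (b->packets > limit)     /* report the window that just closed, by type */
            printf("%s response limit %d/%d pps\n",
                   resp_name[which], b->packets, limit);
        b->window_start = now;
        b->packets = 0;
    }
    return (++b->packets > limit) ? -1 : 0;
}

/* Feed n requests of one type at tick `now`; return how many get a response. */
int flood(int which, int n, int now, int limit)
{
    int sent = 0;
    while (n-- > 0)
        if (resp_ratelimit(which, now, limit) == 0)
            sent++;
    return sent;
}

int main(void)
{
    /* Constructed scenario: 1000 echo requests and 50 RST-worthy segments in one second. */
    printf("echo answered: %d\n", flood(RESP_ECHO, 1000, 0, 200));
    printf("rst sent:      %d\n", flood(RESP_RST, 50, 0, 200));
    printf("echo, next s:  %d\n", flood(RESP_ECHO, 10, HZ, 200));
    return 0;
}
```

The echo flood exhausts only its own bucket, so the RST responses in the same second are all sent, and the log line names the type that was limited.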