authorbmilekic <bmilekic@FreeBSD.org>2000-12-15 21:45:49 +0000
committerbmilekic <bmilekic@FreeBSD.org>2000-12-15 21:45:49 +0000
commite94f2430fb2b086b446da459becc9ea7f44ac5cd (patch)
tree9443c1527c0c9aa78146d857e74f4f7296a15f97 /sys/netinet/ip_icmp.c
parent415f02cbaf57fb59bc31f00b3a78c1421286196e (diff)
Change the following:
1. ICMP ECHO and TSTAMP replies are now rate limited. 2. RSTs generated due to packets sent to open and unopen ports are now limited by separate counters. 3. Each rate limiting queue now has its own description, as follows: Limiting icmp unreach response from 439 to 200 packets per second Limiting closed port RST response from 283 to 200 packets per second Limiting open port RST response from 18724 to 200 packets per second Limiting icmp ping response from 211 to 200 packets per second Limiting icmp tstamp response from 394 to 200 packets per second Submitted by: Mike Silbersack <silby@silby.com>
Diffstat (limited to 'sys/netinet/ip_icmp.c')
-rw-r--r--sys/netinet/ip_icmp.c26
1 files changed, 20 insertions, 6 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index eb68d1d..5a44807 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -449,7 +449,10 @@ icmp_input(m, off, proto)
break;
}
icp->icmp_type = ICMP_ECHOREPLY;
- goto reflect;
+ if (badport_bandlim(BANDLIM_ECHO) < 0)
+ goto freeit;
+ else
+ goto reflect;
case ICMP_TSTAMP:
if (!icmpbmcastecho
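Review bot: The echo limiter added at `if (badport_bandlim(BANDLIM_ECHO) < 0)` draws on one counter per response type rather than per source (badport_bandlim, in the hunk further down, keeps `lpackets[which]` indexed only by type), so a single host pinging above the limit also suppresses replies to every other host for the rest of that interval; the same applies to the `BANDLIM_TSTAMP` check in the next hunk. That trade-off is worth recording at both call sites, for example `/* global per-type limit: one noisy source also suppresses replies to others */`. The `else` after `goto freeit;` is redundant, and a plain `goto reflect;` on the following line reads more directly. icmp_input's body starts and ends outside the hunk.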
@@ -464,7 +467,10 @@ icmp_input(m, off, proto)
icp->icmp_type = ICMP_TSTAMPREPLY;
icp->icmp_rtime = iptime();
icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */
- goto reflect;
+ if (badport_bandlim(BANDLIM_TSTAMP) < 0)
+ goto freeit;
+ else
+ goto reflect;
case ICMP_MASKREQ:
#define satosin(sa) ((struct sockaddr_in *)(sa))
@@ -821,16 +827,23 @@ ip_next_mtu(mtu, dir)
int
badport_bandlim(int which)
{
- static int lticks[2];
- static int lpackets[2];
+ static int lticks[BANDLIM_MAX + 1];
+ static int lpackets[BANDLIM_MAX + 1];
int dticks;
+ const char *bandlimittype[] = {
+ "Limiting icmp unreach response",
+ "Limiting closed port RST response",
+ "Limiting open port RST response",
+ "Limiting icmp ping response",
+ "Limiting icmp tstamp response"
+ };
/*
* Return ok status if feature disabled or argument out of
* ranage.
*/
- if (icmplim <= 0 || which >= 2 || which < 0)
+ if (icmplim <= 0 || which > BANDLIM_MAX || which < 0)
return(0);
dticks = ticks - lticks[which];
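Review bot: The `bandlimittype[]` table has five initializers but nothing ties its length to `BANDLIM_MAX`, which is the bound used by the range check and by the `lticks`/`lpackets` arrays. If a limiter type is added later without a matching string, `bandlimittype[which]` in the printf of the following hunk would read past the end of the table. Declaring it as `static const char * const bandlimittype[BANDLIM_MAX + 1] = {` makes the compiler reject surplus initializers and leaves a missing one as NULL instead of an out-of-bounds read; `static` also avoids rebuilding the array on the stack on every call. `BANDLIM_MAX` is defined outside this file's diff, so the assumption that it currently equals 4 should be confirmed against the header. The function body continues outside the hunk.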
@@ -840,7 +853,8 @@ badport_bandlim(int which)
if ((unsigned int)dticks > hz) {
if (lpackets[which] > icmplim && icmplim_output) {
- printf("icmp-response bandwidth limit %d/%d pps\n",
+ printf("%s from %d to %d packets per second\n",
+ bandlimittype[which],
lpackets[which],
icmplim
);