author | silby <silby@FreeBSD.org> | 2002-11-19 17:06:06 +0000 |
---|---|---|
committer | silby <silby@FreeBSD.org> | 2002-11-19 17:06:06 +0000 |
commit | bf4c000ea1651664b336df898193d998d923173b (patch) | |
tree | 2c100903f67776f2b4d31e979dc31d7aed6f7c0e /sys/netinet | |
parent | b34e17ef8c461d6c9523d3d5564dfa71bb4f0ca1 (diff) | |
Add a sysctl to control the generation of source quench packets,
and set it to 0 by default.
Partially obtained from: NetBSD
Suggested by: David Gilbert
MFC after: 5 days
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_input.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index f928744..1c2863b 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfragpackets, CTLFLAG_RW,
 &ip_maxfragpackets, 0,
 "Maximum number of IPv4 fragment reassembly queue entries");
+static int ip_sendsourcequench = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW,
+ &ip_sendsourcequench, 0,
+ "Enable the transmission of source quench packets");
+
 /*
 * XXX - Setting ip_checkinterface mostly implements the receive side of
 * the Strong ES model described in RFC 1122, but since the routing table
@@ -1971,8 +1976,21 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
 break;
 case ENOBUFS:
- type = ICMP_SOURCEQUENCH;
- code = 0;
+ /*
+ * A router should not generate ICMP_SOURCEQUENCH as
+ * required in RFC1812 Requirements for IP Version 4 Routers.
+ * Source quench could be a big problem under DoS attacks,
+ * or if the underlying interface is rate-limited.
+ * Those who need source quench packets may re-enable them
+ * via the net.inet.ip.sendsourcequench sysctl.
+ */
+ if (ip_sendsourcequench == 0) {
+ m_freem(mcopy);
+ return;
+ } else {
+ type = ICMP_SOURCEQUENCH;
+ code = 0;
+ }
 break;
 case EACCES: /* ipfw denied packet */ |
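Review bot: The block comment added in the ENOBUFS case of the second hunk can be read as saying RFC 1812 requires source quench, when the RFC says the opposite; I would reword its opening to `RFC 1812 (Requirements for IP Version 4 Routers) says a router SHOULD NOT originate ICMP Source Quench.` The comment could also state the DoS concern directly: each forwarding failure would otherwise produce an ICMP message to the packet's source address, which the sender controls. With the sysctl set to 1 the packet copy is presumably handed to the ICMP error path after the switch, and whether that path rate-limits these messages is not visible here, so that is worth confirming and noting next to the sysctl. As a style point, the `else` after `return;` is redundant and the two assignments can sit at the case's own indentation. ip_forward's body starts and ends outside the hunk.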