-rw-r--r--sys/alpha/conf/GENERIC1
-rw-r--r--sys/alpha/conf/NOTES1
-rw-r--r--sys/amd64/conf/GENERIC1
-rw-r--r--sys/conf/NOTES8
-rw-r--r--sys/conf/options2
-rw-r--r--sys/i386/conf/GENERIC1
-rw-r--r--sys/i386/conf/LINT8
-rw-r--r--sys/i386/conf/NOTES8
-rw-r--r--sys/netinet/icmp_var.h5
-rw-r--r--sys/netinet/ip_icmp.c24
-rw-r--r--sys/netinet/tcp_input.c6
-rw-r--r--sys/netinet/tcp_reass.c6
-rw-r--r--sys/netinet/udp_usrreq.c4
13 files changed, 10 insertions, 65 deletions
diff --git a/sys/alpha/conf/GENERIC b/sys/alpha/conf/GENERIC
index 3cb0b3e..1917eb1 100644
--- a/sys/alpha/conf/GENERIC
+++ b/sys/alpha/conf/GENERIC
@@ -64,7 +64,6 @@ options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extentions
options _KPOSIX_PRIORITY_SCHEDULING
-options ICMP_BANDLIM #Rate limit bad replies
# Standard busses
device isa
diff --git a/sys/alpha/conf/NOTES b/sys/alpha/conf/NOTES
index 3cb0b3e..1917eb1 100644
--- a/sys/alpha/conf/NOTES
+++ b/sys/alpha/conf/NOTES
@@ -64,7 +64,6 @@ options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extentions
options _KPOSIX_PRIORITY_SCHEDULING
-options ICMP_BANDLIM #Rate limit bad replies
# Standard busses
device isa
diff --git a/sys/amd64/conf/GENERIC b/sys/amd64/conf/GENERIC
index 766484b..6c344d9 100644
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
@@ -51,7 +51,6 @@ options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
-options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
# To make an SMP kernel, the next two are needed
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index c84085d..5596e93 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -542,14 +542,6 @@ options TCPDEBUG
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
-# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
-# typically want this option as it will help protect the machine from
-# D.O.S. packet attacks. Use ICMP_BANDLIM_SUPPRESS_OUTPUT to prevent
-# bandwidth limit messages from being dumped to console.
-#
-options ICMP_BANDLIM
-options ICMP_BANDLIM_SUPPRESS_OUTPUT
-
# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
diff --git a/sys/conf/options b/sys/conf/options
index 811ed94..c738de0 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -87,8 +87,6 @@ MSGSEG opt_sysvipc.h
MSGSSZ opt_sysvipc.h
MSGTQL opt_sysvipc.h
UCONSOLE
-ICMP_BANDLIM
-ICMP_BANDLIM_SUPPRESS_OUTPUT opt_icmp_bandlim.h
VFS_AIO
# POSIX kernel options
diff --git a/sys/i386/conf/GENERIC b/sys/i386/conf/GENERIC
index 766484b..6c344d9 100644
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
@@ -51,7 +51,6 @@ options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
-options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
# To make an SMP kernel, the next two are needed
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index c84085d..5596e93 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -542,14 +542,6 @@ options TCPDEBUG
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
-# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
-# typically want this option as it will help protect the machine from
-# D.O.S. packet attacks. Use ICMP_BANDLIM_SUPPRESS_OUTPUT to prevent
-# bandwidth limit messages from being dumped to console.
-#
-options ICMP_BANDLIM
-options ICMP_BANDLIM_SUPPRESS_OUTPUT
-
# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES
index c84085d..5596e93 100644
--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@@ -542,14 +542,6 @@ options TCPDEBUG
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
-# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
-# typically want this option as it will help protect the machine from
-# D.O.S. packet attacks. Use ICMP_BANDLIM_SUPPRESS_OUTPUT to prevent
-# bandwidth limit messages from being dumped to console.
-#
-options ICMP_BANDLIM
-options ICMP_BANDLIM_SUPPRESS_OUTPUT
-
# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h
index 62f09b1..2eeef54 100644
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@@ -37,9 +37,6 @@
#ifndef _NETINET_ICMP_VAR_H_
#define _NETINET_ICMP_VAR_H_
-#ifdef _KERNEL
-#include "opt_icmp_bandlim.h" /* for ICMP_BANDLIM */
-#endif
/*
* Variables related to this implementation
@@ -79,9 +76,7 @@ struct icmpstat {
#ifdef _KERNEL
SYSCTL_DECL(_net_inet_icmp);
-#ifdef ICMP_BANDLIM
extern int badport_bandlim __P((int));
#endif
-#endif
#endif
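Review bot: The `badport_bandlim` prototype is now visible in every kernel build but carries no statement of its contract; the call sites on this page show the argument is a small integer selecting a counter class (`0` from udp_input before an ICMP port-unreachable, `1` from tcp_input before a RST) and that a negative return means the caller should drop the packet. A comment on the declaration such as `/* which: response class (0 = ICMP unreach, 1 = TCP RST); returns -1 when the response should be suppressed, 0 otherwise */` would keep that contract next to the header. Those class values are inferred from the callers in this diff; confirm them against the definition in ip_icmp.c.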
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index a18f875..c4ea24c 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -91,23 +91,13 @@ static int log_redirect = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW,
&log_redirect, 0, "");
-#ifdef ICMP_BANDLIM
-
-/*
- * ICMP error-response bandwidth limiting sysctl. If not enabled, sysctl
- * variable content is -1 and read-only.
- */
-
static int icmplim = 200;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
&icmplim, 0, "");
-#else
-static int icmplim = -1;
-SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RD,
- &icmplim, 0, "");
-
-#endif
+static int icmplim_output = 1;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
+ &icmplim_output, 0, "");
/*
* ICMP broadcast echo sysctl
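Review bot: Both `SYSCTL_INT` declarations in this hunk register with an empty description string, and the removed comment block was the only place explaining what `icmplim` means, so with the option gone neither knob is documented anywhere in the tree. Fill in the last argument of each declaration, e.g. `&icmplim, 0, "Maximum number of ICMP responses per second");` and `&icmplim_output, 0, "Enable logging of ICMP response bandwidth limiting");`, and add a short comment above `static int icmplim` stating that the limiter is now always compiled in, that `icmplim` is the per-second threshold, and that `icmplim_output` only gates the console message and not the limiting itself. The old build also exported `icmplim` read-only as -1 to signal "disabled"; that signal is gone, so the comment should also say how (or whether) an administrator can turn limiting off.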
@@ -800,7 +790,6 @@ ip_next_mtu(mtu, dir)
}
#endif
-#ifdef ICMP_BANDLIM
/*
* badport_bandlim() - check for ICMP bandwidth limit
@@ -842,13 +831,11 @@ badport_bandlim(int which)
*/
if ((unsigned int)dticks > hz) {
- if (lpackets[which] > icmplim) {
-#ifndef ICMP_BANDLIM_SUPPRESS_OUTPUT
+ if (lpackets[which] > icmplim && icmplim_output) {
printf("icmp-response bandwidth limit %d/%d pps\n",
lpackets[which],
icmplim
);
-#endif
}
lticks[which] = ticks;
lpackets[which] = 0;
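Review bot: `icmplim` is now a writable sysctl with no range check, and the comparison `lpackets[which] > icmplim` on the added line treats a zero or negative value as "every packet exceeds the limit", so a misconfigured or deliberately cleared value logs a message every second and, depending on the drop decision that lies outside this hunk, may suppress every response. If the intent is that 0 (or a negative value) means "unlimited", as the old read-only `-1` default suggested, that case should short-circuit before the counters are touched, e.g. `if (icmplim <= 0) return (0);` near the top of `badport_bandlim`, with a comment saying so. The log message itself is correctly bounded to at most one line per second per counter class by the enclosing `dticks > hz` test. badport_bandlim starts and ends outside the hunk.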
@@ -864,6 +851,3 @@ badport_bandlim(int which)
return(0);
}
-#endif
-
-
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 49ceba6..28fb89e 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -60,7 +60,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */
+#include <netinet/ip_icmp.h>
#ifdef INET6
#include <netinet/ip6.h>
#include <netinet/in_var.h>
@@ -75,7 +75,7 @@
#ifdef INET6
#include <netinet6/ip6_var.h>
#endif
-#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */
+#include <netinet/icmp_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_fsm.h>
#include <netinet/tcp_seq.h>
@@ -2251,10 +2251,8 @@ dropafterack:
* we think we are under attack or not.
*/
maybedropwithreset:
-#ifdef ICMP_BANDLIM
if (badport_bandlim(1) < 0)
goto drop;
-#endif
/* fall through */
dropwithreset:
#ifdef TCP_RESTRICT_RST
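Review bot: The argument to `badport_bandlim(1)` is a bare counter index into the limiter's per-class arrays (`0` in udp_usrreq.c, `1` here and in the identical tcp_reass.c hunk), and now that the call is compiled into every kernel a named constant would document which response class is being budgeted, e.g. `if (badport_bandlim(BANDLIM_TCP_RST) < 0)` with the constants (names to be chosen) defined next to the prototype in icmp_var.h. The sys/netinet/tcp_reass.c section carries the same index line as this file and appears to be a duplicate, so the same point applies there. The enclosing function starts and ends outside the hunk.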
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 49ceba6..28fb89e 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -60,7 +60,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */
+#include <netinet/ip_icmp.h>
#ifdef INET6
#include <netinet/ip6.h>
#include <netinet/in_var.h>
@@ -75,7 +75,7 @@
#ifdef INET6
#include <netinet6/ip6_var.h>
#endif
-#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */
+#include <netinet/icmp_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_fsm.h>
#include <netinet/tcp_seq.h>
@@ -2251,10 +2251,8 @@ dropafterack:
* we think we are under attack or not.
*/
maybedropwithreset:
-#ifdef ICMP_BANDLIM
if (badport_bandlim(1) < 0)
goto drop;
-#endif
/* fall through */
dropwithreset:
#ifdef TCP_RESTRICT_RST
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index b8700de..2bb10e6 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -350,10 +350,10 @@ udp_input(m, off, proto)
goto bad;
}
*ip = save_ip;
-#ifdef ICMP_BANDLIM
+
if (badport_bandlim(0) < 0)
goto bad;
-#endif
+
if (!blackhole)
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
else
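Review bot: The `badport_bandlim(0)` gate runs before the `blackhole` test, so datagrams that will produce no ICMP reply still consume the unreachable-response budget and can trigger both the `goto bad` drop and the rate-limit log message. If `blackhole` means the packet is discarded silently (the `else` branch is outside the hunk), the limiter only needs to be consulted on the replying path: `if (!blackhole) { if (badport_bandlim(0) < 0) goto bad; icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); } else`. The two added blank lines standing in for the old `#ifdef`/`#endif` also leave a stray gap around the call; dropping one would match the surrounding code. udp_input's body continues outside the hunk.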