-rw-r--r--sys/netinet/icmp_var.h18
-rw-r--r--sys/netinet/ip_icmp.c81
-rw-r--r--sys/netinet/tcp_input.c10
-rw-r--r--sys/netinet/tcp_reass.c10
-rw-r--r--sys/netinet/udp_usrreq.c8
5 files changed, 120 insertions, 7 deletions
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h
index 13b778e..8c3a500 100644
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@@ -31,12 +31,14 @@
* SUCH DAMAGE.
*
* @(#)icmp_var.h 8.1 (Berkeley) 6/10/93
- * $Id: icmp_var.h,v 1.8 1997/08/25 16:29:25 wollman Exp $
+ * $Id: icmp_var.h,v 1.9 1997/09/07 05:26:34 bde Exp $
*/
#ifndef _NETINET_ICMP_VAR_H_
#define _NETINET_ICMP_VAR_H_
+#include "opt_icmp_bandlim.h" /* for ICMP_BANDLIM */
+
/*
* Variables related to this implementation
* of the internet control message protocol.
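Review bot: The added `#include "opt_icmp_bandlim.h"` sits directly under the include guard with no kernel-only conditional around it. Option headers of this kind are normally generated in the kernel build directory, so any consumer of icmp_var.h built elsewhere (for example a tool that uses ICMPCTL_NAMES) would presumably fail to find it; that is inferred, since the rest of the header is not visible here. I would wrap it in whatever kernel-only guard the tree uses for such headers, e.g. `#ifdef KERNEL` / `#include "opt_icmp_bandlim.h"` / `#endif`.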
@@ -63,12 +65,26 @@ struct icmpstat {
*/
#define ICMPCTL_MASKREPL 1 /* allow replies to netmask requests */
#define ICMPCTL_STATS 2 /* statistics (read-only) */
+
+#ifdef ICMP_BANDLIM
+#define ICMPCTL_ICMPLIM 3
+#define ICMPCTL_MAXID 4
+#define ICMP_BANDLIM_INFO { "icmplim", CTLTYPE_INT },
+#else
#define ICMPCTL_MAXID 3
+#define ICMP_BANDLIM_INFO
+#endif
+
#define ICMPCTL_NAMES { \
{ 0, 0 }, \
{ "maskrepl", CTLTYPE_INT }, \
{ "stats", CTLTYPE_STRUCT }, \
+ ICMP_BANDLIM_INFO \
}
+#ifdef ICMP_BANDLIM
+extern int badport_bandlim __P((int));
+#endif
+
#endif
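Review bot: `ICMPCTL_ICMPLIM` is the only identifier in this list without a trailing description, although the two entries above it each carry one. I would add `/* ICMP error-response rate limit (packets/sec) */` after `#define ICMPCTL_ICMPLIM 3`. It is also worth a one-line comment above the `#ifdef` stating that `ICMPCTL_MAXID` and the name table now differ by kernel option, so readers of the header see why there are two definitions of the same macro.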
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 186b8e6..5541363 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_icmp.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_icmp.c,v 1.30 1998/05/26 11:34:30 dg Exp $
+ * $Id: ip_icmp.c,v 1.31 1998/09/15 10:49:03 jkoshy Exp $
*/
#include <sys/param.h>
@@ -69,10 +69,23 @@ static int icmpmaskrepl = 0;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
&icmpmaskrepl, 0, "");
+#ifdef ICMP_BANDLIM
+
+ /*
+ * ICMP error-response bandwidth limiting
+ */
+
+static int icmplim = 100;
+SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
+ &icmplim, 0, "");
+
+#endif
+
static int icmpbmcastecho = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
0, "");
+
#ifdef ICMPPRINTFS
int icmpprintfs = 0;
#endif
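Review bot: The new `icmplim` tunable has no statement of its unit or of what a non-positive value means, and its sysctl description string is empty, so an administrator changing it at runtime has to read badport_bandlim() to learn either. The block comment says only "ICMP error-response bandwidth limiting". I would put `/* max responses per second, counted separately per class; <= 0 disables limiting */` above `static int icmplim = 100;` and fill the last SYSCTL_INT argument with a short description of the same content.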
@@ -704,3 +717,69 @@ ip_next_mtu(mtu, dir)
}
}
#endif
+
+#ifdef ICMP_BANDLIM
+
+/*
+ * badport_bandlim() - check for ICMP bandwidth limit
+ *
+ * Return 0 if it is ok to send an ICMP error response, -1 if we have
+ * hit our bandwidth limit and it is not ok.
+ *
+ * If icmplim is <= 0, the feature is disabled and 0 is returned.
+ *
+ * For now we separate the TCP and UDP subsystems w/ different 'which'
+ * values. We may eventually remove this separation (and simplify the
+ * code further).
+ *
+ * Note that the printing of the error message is delayed so we can
+ * properly print the icmp error rate that the system was trying to do
+ * (i.e. 22000/100 pps, etc...). This can cause long delays in printing
+ * the 'final' error, but it doesn't make sense to solve the printing
+ * delay with more complex code.
+ */
+
+int
+badport_bandlim(int which)
+{
+ static int lticks[2];
+ static int lpackets[2];
+ int dticks;
+
+ /*
+ * Return ok status if feature disabled or argument out of
+ * ranage.
+ */
+
+ if (icmplim <= 0 || which >= 2 || which < 0)
+ return(0);
+ dticks = ticks - lticks[which];
+
+ /*
+ * reset stats when cumulative dt exceeds one second.
+ */
+
+ if ((unsigned int)dticks > hz) {
+ if (lpackets[which] > icmplim) {
+ printf("icmp-response bandwidth limit %d/%d pps\n",
+ lpackets[which],
+ icmplim
+ );
+ }
+ lticks[which] = ticks;
+ lpackets[which] = 0;
+ }
+
+ /*
+ * bump packet count
+ */
+
+ if (++lpackets[which] > icmplim) {
+ return(-1);
+ }
+ return(0);
+}
+
+#endif
+
+
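Review bot: The message printed by badport_bandlim() omits `which`, so an operator who sees "icmp-response bandwidth limit" in the log cannot tell whether the UDP counter (0) or the TCP counter (1) tripped. For the TCP caller the suppressed response appears to be a reset rather than an ICMP error, which makes the wording misleading there. I would change the call to `printf("icmp-response bandwidth limit %d/%d pps (class %d)\n", lpackets[which], icmplim, which);`. The header comment should also say that both counters are global rather than per source address, so one flooding host uses up the response budget for every peer during that second. The comment inside the function has a typo, "ranage" for "range".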
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index bb88d1639..97d1983 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -31,10 +31,10 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.80 1998/08/24 07:47:39 dfr Exp $
+ * $Id: tcp_input.c,v 1.81 1998/09/11 16:04:03 wollman Exp $
*/
-#include "opt_ipfw.h" /* for ipfw_fwd */
+#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -57,8 +57,10 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */
#include <netinet/tcp.h>
#include <netinet/tcp_fsm.h>
#include <netinet/tcp_seq.h>
@@ -397,6 +399,10 @@ findpcb:
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
}
+#ifdef ICMP_BANDLIM
+ if (badport_bandlim(1) < 0)
+ goto drop;
+#endif
goto dropwithreset;
}
tp = intotcpcb(inp);
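Review bot: The call `badport_bandlim(1)` passes a bare literal, and nothing at the call site says that 1 selects the TCP counter or that `goto drop` suppresses the reset that `goto dropwithreset` would have sent. The same applies to the identical hunk in tcp_reass.c and to `badport_bandlim(0)` in the udp_input hunk of udp_usrreq.c. I would define named constants next to the prototype in icmp_var.h and use them at all three sites, or at minimum add `/* 1 = TCP counter; over the limit, drop silently instead of sending a reset */` above the test. The enclosing function starts and ends outside this hunk, so whether the `drop` path records the discarded segment in any statistic cannot be checked from here.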
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index bb88d1639..97d1983 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -31,10 +31,10 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.80 1998/08/24 07:47:39 dfr Exp $
+ * $Id: tcp_input.c,v 1.81 1998/09/11 16:04:03 wollman Exp $
*/
-#include "opt_ipfw.h" /* for ipfw_fwd */
+#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -57,8 +57,10 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */
#include <netinet/tcp.h>
#include <netinet/tcp_fsm.h>
#include <netinet/tcp_seq.h>
@@ -397,6 +399,10 @@ findpcb:
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
}
+#ifdef ICMP_BANDLIM
+ if (badport_bandlim(1) < 0)
+ goto drop;
+#endif
goto dropwithreset;
}
tp = intotcpcb(inp);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index d5eae08..3462c70 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
- * $Id: udp_usrreq.c,v 1.47 1998/05/15 20:11:35 wollman Exp $
+ * $Id: udp_usrreq.c,v 1.48 1998/08/24 07:47:39 dfr Exp $
*/
#include <sys/param.h>
@@ -57,6 +57,7 @@
#include <netinet/in_var.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
@@ -296,6 +297,10 @@ udp_input(m, iphlen)
goto bad;
}
*ip = save_ip;
+#ifdef ICMP_BANDLIM
+ if (badport_bandlim(0) < 0)
+ goto bad;
+#endif
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
return;
}
@@ -691,3 +696,4 @@ struct pr_usrreqs udp_usrreqs = {
pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown,
in_setsockaddr, sosend, soreceive, sopoll
};
+