Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/icmp_var.h | 5 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.c | 24 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 6 | ||||
-rw-r--r-- | sys/netinet/tcp_reass.c | 6 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 4 |
5 files changed, 10 insertions, 35 deletions
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h index 62f09b1..2eeef54 100644 --- a/sys/netinet/icmp_var.h +++ b/sys/netinet/icmp_var.h @@ -37,9 +37,6 @@ #ifndef _NETINET_ICMP_VAR_H_ #define _NETINET_ICMP_VAR_H_ -#ifdef _KERNEL -#include "opt_icmp_bandlim.h" /* for ICMP_BANDLIM */ -#endif /* * Variables related to this implementation @@ -79,9 +76,7 @@ struct icmpstat { #ifdef _KERNEL SYSCTL_DECL(_net_inet_icmp); -#ifdef ICMP_BANDLIM extern int badport_bandlim __P((int)); #endif -#endif #endif diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index a18f875..c4ea24c 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -91,23 +91,13 @@ static int log_redirect = 0; SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW, &log_redirect, 0, ""); -#ifdef ICMP_BANDLIM - -/* - * ICMP error-response bandwidth limiting sysctl. If not enabled, sysctl - * variable content is -1 and read-only. - */ - static int icmplim = 200; SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW, &icmplim, 0, ""); -#else -static int icmplim = -1; -SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RD, - &icmplim, 0, ""); - -#endif +static int icmplim_output = 1; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW, + &icmplim_output, 0, ""); /* * ICMP broadcast echo sysctl @@ -800,7 +790,6 @@ ip_next_mtu(mtu, dir) } #endif -#ifdef ICMP_BANDLIM /* * badport_bandlim() - check for ICMP bandwidth limit @@ -842,13 +831,11 @@ badport_bandlim(int which) */ if ((unsigned int)dticks > hz) { - if (lpackets[which] > icmplim) { -#ifndef ICMP_BANDLIM_SUPPRESS_OUTPUT + if (lpackets[which] > icmplim && icmplim_output) { printf("icmp-response bandwidth limit %d/%d pps\n", lpackets[which], icmplim ); -#endif } lticks[which] = ticks; lpackets[which] = 0; @@ -864,6 +851,3 @@ badport_bandlim(int which) return(0); } -#endif - - diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 49ceba6..28fb89e 100644 
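Review bot: In sys/netinet/ip_icmp.c the hunk at -91,23 removes the only comment describing `icmplim` and adds `icmplim_output` with no comment and an empty description string, so nothing tells an operator what either knob does. I would put a comment above the two declarations, for example `/* ICMP error-response rate limit: icmplim is the packets-per-second cap, icmplim_output enables the console message printed when the cap is exceeded. */`. Because `icmplim` is now always `CTLFLAG_RW`, the comment should also say what zero or a negative value means. The part of badport_bandlim() that would decide this is outside the visible hunks.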
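Review bot: In the badport_bandlim() hunk at -842,13, setting `icmplim_output` to 0 removes the only visible signal that the limit was exceeded, because the `printf` is the sole statement inside `if (lpackets[which] > icmplim && icmplim_output)`. An operator who silences the console then cannot tell that responses are being suppressed during a flood. Counting the event regardless of the flag, for instance in a new `struct icmpstat` field, would keep it observable. The function starts and ends outside the hunk, so a counter elsewhere in it cannot be ruled out.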
--- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -60,7 +60,7 @@ #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> -#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */ +#include <netinet/ip_icmp.h> #ifdef INET6 #include <netinet/ip6.h> #include <netinet/in_var.h> @@ -75,7 +75,7 @@ #ifdef INET6 #include <netinet6/ip6_var.h> #endif -#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */ +#include <netinet/icmp_var.h> #include <netinet/tcp.h> #include <netinet/tcp_fsm.h> #include <netinet/tcp_seq.h> @@ -2251,10 +2251,8 @@ dropafterack: * we think we are under attack or not. */ maybedropwithreset: -#ifdef ICMP_BANDLIM if (badport_bandlim(1) < 0) goto drop; -#endif /* fall through */ dropwithreset: #ifdef TCP_RESTRICT_RST diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 49ceba6..28fb89e 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -60,7 +60,7 @@ #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> -#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */ +#include <netinet/ip_icmp.h> #ifdef INET6 #include <netinet/ip6.h> #include <netinet/in_var.h> @@ -75,7 +75,7 @@ #ifdef INET6 #include <netinet6/ip6_var.h> #endif -#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */ +#include <netinet/icmp_var.h> #include <netinet/tcp.h> #include <netinet/tcp_fsm.h> #include <netinet/tcp_seq.h> @@ -2251,10 +2251,8 @@ dropafterack: * we think we are under attack or not. */ maybedropwithreset: -#ifdef ICMP_BANDLIM if (badport_bandlim(1) < 0) goto drop; -#endif /* fall through */ dropwithreset: #ifdef TCP_RESTRICT_RST diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index b8700de..2bb10e6 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c 
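Review bot: At `maybedropwithreset:` in tcp_input.c (and in the identical hunk in tcp_reass.c) the now-unconditional `badport_bandlim(1)` call has no comment saying that TCP resets are throttled by the `icmplim` sysctl under `_net_inet_icmp`, which is not where an administrator investigating missing RSTs would look. A one-line comment such as `/* RSTs sent from here share the icmplim rate limit; 1 selects the TCP counter */` would document that. The bare `1` here and the `0` passed in udp_usrreq.c would also read better as named constants declared next to the `badport_bandlim` prototype in icmp_var.h. The enclosing function starts and ends outside the hunk.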
@@ -350,10 +350,10 @@ udp_input(m, off, proto) goto bad; } *ip = save_ip; -#ifdef ICMP_BANDLIM + if (badport_bandlim(0) < 0) goto bad; -#endif + if (!blackhole) icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); else |
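Review bot: `badport_bandlim(0)` is called before the `if (!blackhole)` test, so when `blackhole` is set, packets that would never produce an ICMP unreachable are still passed to the limiter. Assuming badport_bandlim() counts every call (its counting code is outside the visible hunks), the host can then print the "icmp-response bandwidth limit" message for responses it was never going to send. Consulting the limiter only on the reply path avoids this: `if (!blackhole && badport_bandlim(0) < 0) goto bad;`. The `else` branch and the rest of udp_input() are outside the hunk, so confirm that the blackhole path still discards the packet.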