From e94f2430fb2b086b446da459becc9ea7f44ac5cd Mon Sep 17 00:00:00 2001
From: bmilekic
Date: Fri, 15 Dec 2000 21:45:49 +0000
Subject: Change the following: 1. ICMP ECHO and TSTAMP replies are now rate limited. 2. RSTs generated due to packets sent to open and unopen ports are now limited by seperate counters. 3. Each rate limiting queue now has its own description, as follows: Limiting icmp unreach response from 439 to 200 packets per second Limiting closed port RST response from 283 to 200 packets per second Limiting open port RST response from 18724 to 200 packets per second Limiting icmp ping response from 211 to 200 packets per second Limiting icmp tstamp response from 394 to 200 packets per second
Submitted by: Mike Silbersack
---
sys/netinet/tcp_input.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'sys/netinet/tcp_input.c')
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index cb7e05e..367fc95 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -392,6 +392,7 @@ tcp_input(m, off0, proto)
  struct ip6_hdr *ip6 = NULL;
  int isipv6;
  #endif /* INET6 */
+ int rstreason = 0; /* For badport_bandlim accounting purposes */
  #ifdef INET6
  isipv6 = (mtod(m, struct ip *)->ip_v == 6) ? 1 : 0;
@@ -641,11 +642,14 @@ findpcb:
  goto drop;
  }
  }
+ rstreason = BANDLIM_RST_NOTOPEN;
  goto maybedropwithreset;
  }
  tp = intotcpcb(inp);
- if (tp == 0)
+ if (tp == 0) {
+ rstreason = BANDLIM_RST_NOTOPEN;
  goto maybedropwithreset;
+ }
  if (tp->t_state == TCPS_CLOSED)
  goto drop;
@@ -2259,7 +2263,9 @@ dropafterack:
  * we think we are under attack or not.
  */
  maybedropwithreset:
- if (badport_bandlim(1) < 0)
+ if (rstreason != BANDLIM_RST_NOTOPEN)
+ rstreason = BANDLIM_RST_OPEN;
+ if (badport_bandlim(rstreason) < 0)
  goto drop;
  /* fall through */
  dropwithreset:
-- 
cgit v1.1
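Review bot: The declaration `int rstreason = 0;` uses a bare 0 as the "not yet classified" sentinel, and the label in the last hunk then treats every value other than BANDLIM_RST_NOTOPEN as open-port; that is only correct if BANDLIM_RST_NOTOPEN is not itself 0, which cannot be checked here because the header defining the BANDLIM_* constants is not part of this diff. Initializing with the category the fall-through case actually means, `int rstreason = BANDLIM_RST_OPEN;	/* RST category for badport_bandlim(); findpcb overrides to NOTOPEN when no PCB matches */`, removes the dependency on the constant's numeric value and makes the default readable at the declaration, and the remap at maybedropwithreset then becomes unnecessary. The rest of tcp_input()'s declaration list and body lie outside this hunk.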
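Review bot: The new `if (tp == 0) {` compares a `struct tcpcb *` against an integer literal; `if (tp == NULL) {` states what is being tested and matches the `= NULL` initializer style used a few lines up for `ip6`. Both added `rstreason = BANDLIM_RST_NOTOPEN;` lines would also benefit from a one-line reason, e.g. `/* no PCB / no tcpcb: RST for a closed port, charge the closed-port bucket */`, since the first one follows two closing braces whose opening conditions are outside this hunk and it is not visible from here which lookup failure it covers. The findpcb region continues past both ends of the hunk.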
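Review bot: The two lines added at maybedropwithreset classify by elimination — any jump that did not tag BANDLIM_RST_NOTOPEN at findpcb is charged to the open-port RST bucket — and nothing at the label says so, so a future goto from a new code path silently lands in the open-port counter; add `/* Not tagged NOTOPEN at findpcb: a RST for a socket that exists, charge the open-port bucket. */` above the remap. Worth noting in the same comment, hedged because badport_bandlim() is not in this diff: the commit message quotes a single "open port RST" limit, which suggests one shared bucket, so a flood of bogus segments aimed at one established connection can exhaust it and suppress legitimate RSTs for every other socket on the host. The dropafterack/maybedropwithreset region begins before this hunk and the dropwithreset code follows it.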