Attachment 'icmp-fwd-ratelimit.diff'
Download 1 Index: icmp_var.h
2 ===================================================================
3 RCS file: /home/ncvs/src/sys/netinet/icmp_var.h,v
4 retrieving revision 1.25
5 diff -u -p -r1.25 icmp_var.h
6 --- icmp_var.h 7 Jan 2005 01:45:44 -0000 1.25
7 +++ icmp_var.h 24 Feb 2007 23:58:08 -0000
8 @@ -82,7 +82,11 @@ extern int badport_bandlim(int);
9 #define BANDLIM_ICMP_TSTAMP 2
10 #define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */
11 #define BANDLIM_RST_OPENPORT 4 /* No connection, listener */
12 -#define BANDLIM_MAX 4
13 +#define BANDLIM_ICMP_FWD_UNREACH 5 /* forwarding: limit unreachable */
14 +#define BANDLIM_ICMP_FWD_TIMXCEED 6 /* forwarding: limit time-exceeded */
15 +#define BANDLIM_ICMP_FWD_NEEDFRAG 7 /* forwarding: limit need-frag */
16 +#define BANDLIM_ICMP_FWD_FILTER 8 /* forwarding: limit admin-prohib */
17 +#define BANDLIM_MAX 8
18 #endif
19
20 #endif
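Review bot: BANDLIM_MAX is raised to 8 without a comment saying it must equal the highest BANDLIM_* value and that the name table in badport_bandlim() (the ip_icmp.c hunk of this patch) must gain the same four entries in the same order, which is the only thing keeping a lookup indexed by `which` inside that table. A comment on the `#define BANDLIM_MAX 8` line such as `/* highest BANDLIM_* value; badport_bandlim()'s name table must have BANDLIM_MAX + 1 entries in this order */` would make the coupling visible to whoever adds the next class. If a compile-time assertion facility is available to the ip_icmp.c side, checking the table's element count against BANDLIM_MAX + 1 would be stronger than the comment.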
21 Index: ip_fastfwd.c
22 ===================================================================
23 RCS file: /home/ncvs/src/sys/netinet/ip_fastfwd.c,v
24 retrieving revision 1.39
25 diff -u -p -r1.39 ip_fastfwd.c
26 --- ip_fastfwd.c 5 Feb 2007 00:15:40 -0000 1.39
27 +++ ip_fastfwd.c 24 Feb 2007 23:58:08 -0000
28 @@ -100,6 +100,7 @@
29 #include <netinet/ip.h>
30 #include <netinet/ip_var.h>
31 #include <netinet/ip_icmp.h>
32 +#include <netinet/icmp_var.h>
33 #include <netinet/ip_options.h>
34
35 #include <machine/in_cksum.h>
36 @@ -138,7 +139,11 @@ ip_findroute(struct route *ro, struct in
37 ipstat.ips_cantforward++;
38 if (rt)
39 RTFREE(rt);
40 - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
41 + if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
42 + m_freem(m);
43 + } else {
44 + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
45 + }
46 return NULL;
47 }
48 return dst;
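Review bot: The limited-path idiom `if (badport_bandlim(...) < 0) { m_freem(m); } else { icmp_error(...); }` is hand-expanded here and again at the ip_doopts == 2, TTL, RTF_REJECT and link-down sites in this file, while the IP_DF site writes it as an unbraced `goto drop` and ip_input.c writes the inverse `>= 0` test; five copies of a five-line idiom in three shapes is where the next edit goes wrong. A small static helper in ip_fastfwd.c taking the bandlim class plus the ICMP type, code and mtu, freeing the mbuf when limited and calling icmp_error() otherwise, would make every site a one-liner and keep the "mbuf is always consumed" contract in one place. Note also that when the limiter fires the packet is dropped with no ipstat counter bumped (ips_cantforward was already incremented here, but the TTL and options sites count nothing), so rate-limited drops are visible only through whatever logging badport_bandlim() itself does. ip_findroute() begins before this hunk.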
49 @@ -295,8 +300,12 @@ ip_fastforward(struct mbuf *m)
50 if (ip_doopts == 1)
51 return m;
52 else if (ip_doopts == 2) {
53 - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
54 - 0, 0);
55 + if (badport_bandlim(BANDLIM_ICMP_FWD_FILTER) < 0) {
56 + m_freem(m);
57 + } else {
58 + icmp_error(m, ICMP_UNREACH,
59 + ICMP_UNREACH_FILTER_PROHIB, 0, 0);
60 + }
61 return NULL; /* mbuf already free'd */
62 }
63 /* else ignore IP options and continue */
64 @@ -394,7 +403,12 @@ passin:
65 if (!ipstealth) {
66 #endif
67 if (ip->ip_ttl <= IPTTLDEC) {
68 - icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
69 + if (badport_bandlim(BANDLIM_ICMP_FWD_TIMXCEED) < 0) {
70 + m_freem(m);
71 + } else {
72 + icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
73 + 0, 0);
74 + }
75 return NULL; /* mbuf already free'd */
76 }
77
78 @@ -501,8 +515,12 @@ passout:
79 */
80 if ((ro.ro_rt->rt_flags & RTF_REJECT) &&
81 ro.ro_rt->rt_rmx.rmx_expire >= time_uptime) {
82 - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
83 - goto consumed;
84 + if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
85 + goto drop;
86 + } else {
87 + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
88 + goto consumed;
89 + }
90 }
91
92 #ifndef ALTQ
93 @@ -521,8 +539,12 @@ passout:
94 * Check if media link state of interface is not down
95 */
96 if (ifp->if_link_state == LINK_STATE_DOWN) {
97 - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
98 - goto consumed;
99 + if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
100 + goto drop;
101 + } else {
102 + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
103 + goto consumed;
104 + }
105 }
106
107 /*
108 @@ -551,8 +573,10 @@ passout:
109 */
110 if (ip->ip_off & IP_DF) {
111 ipstat.ips_cantfrag++;
112 - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
113 - 0, mtu);
114 + if (badport_bandlim(BANDLIM_ICMP_FWD_NEEDFRAG) < 0)
115 + goto drop;
116 + icmp_error(m, ICMP_UNREACH,
117 + ICMP_UNREACH_NEEDFRAG, 0, mtu);
118 goto consumed;
119 } else {
120 /*
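Review bot: Rate limiting ICMP_UNREACH_NEEDFRAG here (and in the EMSGSIZE case of ip_forward()) trades a flood defence for a Path-MTU-discovery hazard: once the per-type bucket is exhausted, legitimate DF-set senders stop receiving need-frag and their connections stall until the window passes, so a burst of oversize DF traffic through the router, hostile or not, suppresses the signal for everyone. If BANDLIM_ICMP_FWD_NEEDFRAG is governed by the same `icmplim` tunable as the existing classes (the limiter body is outside this diff), a separate or higher ceiling, or at least a comment at this site recording that the message is load-bearing for PMTUD, seems warranted. Stylistically this site also drops the braces and the else that the four other sites in this file use; pick one form for all of them.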
121 Index: ip_icmp.c
122 ===================================================================
123 RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
124 retrieving revision 1.113
125 diff -u -p -r1.113 ip_icmp.c
126 --- ip_icmp.c 22 Oct 2006 11:52:16 -0000 1.113
127 +++ ip_icmp.c 24 Feb 2007 23:58:09 -0000
128 @@ -905,7 +905,12 @@ badport_bandlim(int which)
129 { "icmp ping response" },
130 { "icmp tstamp response" },
131 { "closed port RST response" },
132 - { "open port RST response" }
133 + { "open port RST response" },
134 + /* Messages generated by forwarding path */
135 + { "icmp forward unreach response" },
136 + { "icmp forward ttl exceeded response" },
137 + { "icmp forward need fragment response" },
138 + { "icmp forward admin prohibited response" }
139 };
140
141 /*
142 Index: ip_input.c
143 ===================================================================
144 RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
145 retrieving revision 1.324
146 diff -u -p -r1.324 ip_input.c
147 --- ip_input.c 3 Feb 2007 06:45:51 -0000 1.324
148 +++ ip_input.c 24 Feb 2007 23:58:10 -0000
149 @@ -65,6 +65,7 @@
150 #include <netinet/in_pcb.h>
151 #include <netinet/ip_var.h>
152 #include <netinet/ip_icmp.h>
153 +#include <netinet/icmp_var.h>
154 #include <netinet/ip_options.h>
155 #include <machine/in_cksum.h>
156 #ifdef DEV_CARP
157 @@ -1260,8 +1261,10 @@ ip_forward(struct mbuf *m, int srcrt)
158 if (!ipstealth) {
159 #endif
160 if (ip->ip_ttl <= IPTTLDEC) {
161 - icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
162 - 0, 0);
163 + if (badport_bandlim(BANDLIM_ICMP_FWD_TIMXCEED) >= 0) {
164 + icmp_error(m, ICMP_TIMXCEED,
165 + ICMP_TIMXCEED_INTRANS, 0, 0);
166 + }
167 return;
168 }
169 #ifdef IPSTEALTH
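Review bot: When badport_bandlim() returns < 0 the new code falls through to `return;` without freeing m, leaking the mbuf: the replaced icmp_error() call consumed m (the ip_fastfwd.c hunks annotate the same call with `/* mbuf already free'd */`), and the ip_fastfwd.c sites call m_freem(m) in the limited branch while this hunk and the ip_rtaddr() hunk just below it do not. Since the limiter only fires under a flood of expiring-TTL or unroutable packets, this turns the rate limiter into an mbuf-exhaustion path exactly when it is meant to be protecting the host. Rewrite as `if (badport_bandlim(BANDLIM_ICMP_FWD_TIMXCEED) < 0) m_freem(m); else icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);` and likewise at the ICMP_UNREACH_HOST site. The EMSGSIZE and default-case hunks later in ip_forward() already free mcopy on the limited path and need no change.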
170 @@ -1269,7 +1272,8 @@ ip_forward(struct mbuf *m, int srcrt)
171 #endif
172
173 if (!srcrt && (ia = ip_rtaddr(ip->ip_dst)) == NULL) {
174 - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
175 + if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) >= 0)
176 + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
177 return;
178 }
179
180 @@ -1386,6 +1390,10 @@ ip_forward(struct mbuf *m, int srcrt)
181 default:
182 type = ICMP_UNREACH;
183 code = ICMP_UNREACH_HOST;
184 + if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
185 + m_freem(mcopy);
186 + return;
187 + }
188 break;
189
190 case EMSGSIZE:
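Review bot: ICMP_REDIRECT, the one other message the forwarding path generates, is left outside the new limiter: this hunk and the EMSGSIZE one below cover the unreachable and need-frag cases of the error switch, but if the `case 0` redirect branch of the same switch (outside the hunk) still reaches the final icmp_error() unconditionally, it is the only forwarding-generated response with no rate limit after this patch. If that is deliberate, for instance because redirects are already gated by the ipsendredirects tunable, a one-line comment at the top of the switch should say so; otherwise a fifth class named like the four added here should cover it. The limited branches in these two hunks correctly free only mcopy, since m has already been passed to ip_output() by this point.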
191 @@ -1407,6 +1415,10 @@ ip_forward(struct mbuf *m, int srcrt)
192 mtu = ip_next_mtu(ip->ip_len, 0);
193 }
194 ipstat.ips_cantfrag++;
195 + if (badport_bandlim(BANDLIM_ICMP_FWD_NEEDFRAG) < 0) {
196 + m_freem(mcopy);
197 + return;
198 + }
199 break;
200
201 case ENOBUFS:
202 @@ -1431,6 +1443,7 @@ ip_forward(struct mbuf *m, int srcrt)
203 m_freem(mcopy);
204 return;
205 }
206 +
207 icmp_error(mcopy, type, code, dest.s_addr, mtu);
208 }
209