Attachment 'icmp-fwd-ratelimit.diff'


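Index: icmp_var.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/icmp_var.h,v
retrieving revision 1.25
diff -u -p -r1.25 icmp_var.h
--- icmp_var.h	7 Jan 2005 01:45:44 -0000	1.25
+++ icmp_var.h	24 Feb 2007 23:58:08 -0000
@@ -82,7 +82,11 @@ extern int badport_bandlim(int);
 #define BANDLIM_ICMP_TSTAMP 2
 #define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */
 #define BANDLIM_RST_OPENPORT 4   /* No connection, listener */
-#define BANDLIM_MAX 4
+#define	BANDLIM_ICMP_FWD_UNREACH	5 /* forwarding: limit unreachable */
+#define	BANDLIM_ICMP_FWD_TIMXCEED	6 /* forwarding: limit time-exceeded */
+#define	BANDLIM_ICMP_FWD_NEEDFRAG	7 /* forwarding: limit need-frag */
+#define	BANDLIM_ICMP_FWD_FILTER		8 /* forwarding: limit admin-prohib */
+#define BANDLIM_MAX 8
 #endif
 
 #endif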
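Review bot: `BANDLIM_MAX 8` on the last added line is a hand-maintained mirror of both the highest BANDLIM_* value and the label table inside badport_bandlim(), and nothing in this header ties the three together, so the next category added here can silently index past the table. A compile-time check beside the table in ip_icmp.c (FreeBSD's CTASSERT() on its element count against BANDLIM_MAX + 1, or designated initializers keyed by the BANDLIM_* names) would catch that drift. The four new lines use tabs between `#define`, the name and the value where the neighbouring BANDLIM_* lines use single spaces; match the surrounding style. The trailing comments could also name the ICMP code each limit covers, e.g. `/* forwarding: ICMP_UNREACH_HOST */`, since that is what the call sites in this diff pair them with.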
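Index: ip_fastfwd.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fastfwd.c,v
retrieving revision 1.39
diff -u -p -r1.39 ip_fastfwd.c
--- ip_fastfwd.c	5 Feb 2007 00:15:40 -0000	1.39
+++ ip_fastfwd.c	24 Feb 2007 23:58:08 -0000
@@ -100,6 +100,7 @@
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
 #include <netinet/ip_options.h>
 
 #include <machine/in_cksum.h>
@@ -138,7 +139,11 @@ ip_findroute(struct route *ro, struct in
 		ipstat.ips_cantforward++;
 		if (rt)
 			RTFREE(rt);
-		icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
+		if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
+			m_freem(m);
+		} else {
+			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
+		}
 		return NULL;
 	}
 	return dst;
@@ -295,8 +300,12 @@ ip_fastforward(struct mbuf *m)
 		if (ip_doopts == 1)
 			return m;
 		else if (ip_doopts == 2) {
-			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
-				0, 0);
+			if (badport_bandlim(BANDLIM_ICMP_FWD_FILTER) < 0) {
+				m_freem(m);
+			} else {
+				icmp_error(m, ICMP_UNREACH,
+				    ICMP_UNREACH_FILTER_PROHIB, 0, 0);
+			}
 			return NULL;	/* mbuf already free'd */
 		}
 		/* else ignore IP options and continue */
@@ -394,7 +403,12 @@ passin:
 	if (!ipstealth) {
 #endif
 	if (ip->ip_ttl <= IPTTLDEC) {
-		icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
+		if (badport_bandlim(BANDLIM_ICMP_FWD_TIMXCEED) < 0) {
+			m_freem(m);
+		} else {
+			icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
+			    0, 0);
+		}
 		return NULL;	/* mbuf already free'd */
 	}
 
@@ -501,8 +515,12 @@ passout:
 	 */
 	if ((ro.ro_rt->rt_flags & RTF_REJECT) &&
 	    ro.ro_rt->rt_rmx.rmx_expire >= time_uptime) {
-		icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
-		goto consumed;
+		if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
+			goto drop;
+		} else {
+			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
+			goto consumed;
+		}
 	}
 
 #ifndef ALTQ
@@ -521,8 +539,12 @@ passout:
 	 * Check if media link state of interface is not down
 	 */
 	if (ifp->if_link_state == LINK_STATE_DOWN) {
-		icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
-		goto consumed;
+		if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
+			goto drop;
+		} else {
+			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
+			goto consumed;
+		}
 	}
 
 	/*
@@ -551,8 +573,10 @@ passout:
 		 */
 		if (ip->ip_off & IP_DF) {
 			ipstat.ips_cantfrag++;
-			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
-				0, mtu);
+			if (badport_bandlim(BANDLIM_ICMP_FWD_NEEDFRAG) < 0)
+				goto drop;
+			icmp_error(m, ICMP_UNREACH,
+				   ICMP_UNREACH_NEEDFRAG, 0, mtu);
 			goto consumed;
 		} else {
 			/*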
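Review bot: The last hunk (the IP_DF / need-frag case) gives that message the same bucket policy as the unreachable cases, but suppressing a need-frag has a different failure mode: the sender never learns the path MTU, so once the bucket is exhausted every large DF flow through that link stalls for the rest of the interval instead of merely losing a diagnostic, and a burst from any one source is enough to exhaust it for all of them. Record that tradeoff at the site, e.g. `/* Rate-limited: drop without PMTU feedback; sender must time out */`, and consider whether this class deserves a less aggressive limit than unreachable/time-exceeded (if badport_bandlim() applies one global icmplim to every class, as appears likely, that means its own knob). The three passout hunks replace the old `goto consumed` with `goto drop` on the limited path; both labels are outside the hunks, so it is assumed rather than verified here that `drop` also releases the `ro.ro_rt` reference held at that point, otherwise the limited path leaks a route reference. Stylistically the last hunk uses an unbraced `if (...) goto drop;` while the five other hunks in this file use the braced if/else form; pick one.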
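Index: ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.113
diff -u -p -r1.113 ip_icmp.c
--- ip_icmp.c	22 Oct 2006 11:52:16 -0000	1.113
+++ ip_icmp.c	24 Feb 2007 23:58:09 -0000
@@ -905,7 +905,12 @@ badport_bandlim(int which)
 		{ "icmp ping response" },
 		{ "icmp tstamp response" },
 		{ "closed port RST response" },
-		{ "open port RST response" },
+		{ "open port RST response" },
+		/* Messages generated by forwarding path */
+		{ "icmp forward unreach response" },
+		{ "icmp forward ttl exceeded response" },
+		{ "icmp forward need fragment response" },
+		{ "icmp forward admin prohibited response" }
 	};
 
 	/*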
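Review bot: The table now has to carry exactly BANDLIM_MAX + 1 entries in BANDLIM_* order and nothing in this hunk enforces it; the array's declaration is above the hunk, and if it is sized by BANDLIM_MAX + 1 an omitted or misordered entry still compiles, leaving a zero-filled element whose type string is NULL (or the wrong label) for any code path that prints it. Tying each entry to its index removes the ordering dependency, e.g. `[BANDLIM_ICMP_FWD_UNREACH] = { "icmp forward unreach response" },` for each of the four new rows, plus a comment `/* Indexed by BANDLIM_* from icmp_var.h; keep in sync. */` above the table. The "response" wording in the new labels is slightly misleading, since these are errors emitted for transit traffic rather than replies to packets addressed to this host, and the label is what operators will see in the rate-limit log; "icmp forward unreach" reads more accurately. badport_bandlim() begins above this hunk and continues below it.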
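Index: ip_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.324
diff -u -p -r1.324 ip_input.c
--- ip_input.c	3 Feb 2007 06:45:51 -0000	1.324
+++ ip_input.c	24 Feb 2007 23:58:10 -0000
@@ -65,6 +65,7 @@
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
 #include <netinet/ip_options.h>
 #include <machine/in_cksum.h>
 #ifdef DEV_CARP
@@ -1260,8 +1261,10 @@ ip_forward(struct mbuf *m, int srcrt)
 	if (!ipstealth) {
 #endif
 		if (ip->ip_ttl <= IPTTLDEC) {
-			icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
-			    0, 0);
+			if (badport_bandlim(BANDLIM_ICMP_FWD_TIMXCEED) >= 0) {
+				icmp_error(m, ICMP_TIMXCEED,
+				    ICMP_TIMXCEED_INTRANS, 0, 0);
+			}
 			return;
 		}
 #ifdef IPSTEALTH
@@ -1269,7 +1272,8 @@ ip_forward(struct mbuf *m, int srcrt)
 #endif
 
 	if (!srcrt && (ia = ip_rtaddr(ip->ip_dst)) == NULL) {
-		icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
+		if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) >= 0)
+			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
 		return;
 	}
 
@@ -1386,6 +1390,10 @@ ip_forward(struct mbuf *m, int srcrt)
 	default:
 		type = ICMP_UNREACH;
 		code = ICMP_UNREACH_HOST;
+		if (badport_bandlim(BANDLIM_ICMP_FWD_UNREACH) < 0) {
+			m_freem(mcopy);
+			return;
+		}
 		break;
 
 	case EMSGSIZE:
@@ -1407,6 +1415,10 @@ ip_forward(struct mbuf *m, int srcrt)
 				mtu = ip_next_mtu(ip->ip_len, 0);
 		}
 		ipstat.ips_cantfrag++;
+		if (badport_bandlim(BANDLIM_ICMP_FWD_NEEDFRAG) < 0) {
+			m_freem(mcopy);
+			return;
+		}
 		break;
 
 	case ENOBUFS:
@@ -1431,6 +1443,7 @@ ip_forward(struct mbuf *m, int srcrt)
 		m_freem(mcopy);
 		return;
 	}
+
 	icmp_error(mcopy, type, code, dest.s_addr, mtu);
 }
 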
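Review bot: The TTL-exceeded and ip_rtaddr() hunks in ip_forward() leak the packet when the limiter refuses: icmp_error() consumes its mbuf (the ip_fastfwd.c hunks in this same diff call m_freem(m) on the limited branch and comment "mbuf already free'd" after the call), but these two sites simply skip icmp_error() and `return` with `m` still allocated, while the later `default:` and EMSGSIZE hunks do free `mcopy` on the same condition. Under exactly the load the limiter exists for, every limited packet then leaks an mbuf, so the change trades ICMP amplification for mbuf exhaustion. Use the free-or-send shape at both sites, `if (badport_bandlim(BANDLIM_ICMP_FWD_TIMXCEED) < 0) m_freem(m); else icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);` and the same with BANDLIM_ICMP_FWD_UNREACH and ICMP_UNREACH_HOST after the ip_rtaddr() check. ip_forward() starts before and runs between these hunks, so that `m` is the callee's to consume at those points is inferred from the original unconditional icmp_error(m, ...) call, which could only have been correct on that basis.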
