diff -u /usr/src/sys/netinet.old/icmp_var.h /usr/src/sys/netinet/icmp_var.h --- /usr/src/sys/netinet.old/icmp_var.h Thu Nov 2 01:26:58 2000 +++ /usr/src/sys/netinet/icmp_var.h Sun Nov 19 20:32:49 2000 @@ -77,6 +77,12 @@ #ifdef _KERNEL SYSCTL_DECL(_net_inet_icmp); extern int badport_bandlim __P((int)); +#define BANDLIM_UNREACH 0 +#define BANDLIM_RST_NOTOPEN 1 +#define BANDLIM_RST_OPEN 2 +#define BANDLIM_ECHO 3 +#define BANDLIM_TSTAMP 4 +#define BANDLIM_MAX 4 #endif #endif diff -u /usr/src/sys/netinet.old/ip_icmp.c /usr/src/sys/netinet/ip_icmp.c --- /usr/src/sys/netinet.old/ip_icmp.c Thu Nov 2 01:26:58 2000 +++ /usr/src/sys/netinet/ip_icmp.c Sun Nov 19 20:37:45 2000 @@ -449,7 +449,10 @@ break; } icp->icmp_type = ICMP_ECHOREPLY; - goto reflect; + if (badport_bandlim(BANDLIM_ECHO) < 0) + goto freeit; + else + goto reflect; case ICMP_TSTAMP: if (!icmpbmcastecho @@ -464,7 +467,10 @@ icp->icmp_type = ICMP_TSTAMPREPLY; icp->icmp_rtime = iptime(); icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */ - goto reflect; + if (badport_bandlim(BANDLIM_TSTAMP) < 0) + goto freeit; + else + goto reflect; case ICMP_MASKREQ: #define satosin(sa) ((struct sockaddr_in *)(sa)) @@ -821,16 +827,23 @@ int badport_bandlim(int which) { - static int lticks[2]; - static int lpackets[2]; + static int lticks[BANDLIM_MAX + 1]; + static int lpackets[BANDLIM_MAX + 1]; int dticks; + const char *bandlimittype[] = { + "Limiting icmp unreach response", + "Limiting closed port RST response", + "Limiting open port RST response", + "Limiting icmp ping response", + "Limiting icmp tstamp response" + }; /* * Return ok status if feature disabled or argument out of * ranage. */ - if (icmplim <= 0 || which >= 2 || which < 0) + if (icmplim <= 0 || which > BANDLIM_MAX || which < 0) return(0); dticks = ticks - lticks[which]; @@ -840,7 +853,8 @@ if ((unsigned int)dticks > hz) { if (lpackets[which] > icmplim && icmplim_output) { - printf("icmp-response bandwidth limit %d/%d pps\n", + printf("%s from %d to %d packets per second\n", + bandlimittype[which], lpackets[which], icmplim ); diff -u /usr/src/sys/netinet.old/tcp_input.c /usr/src/sys/netinet/tcp_input.c --- /usr/src/sys/netinet.old/tcp_input.c Thu Nov 2 01:26:58 2000 +++ /usr/src/sys/netinet/tcp_input.c Sun Nov 19 20:38:33 2000 @@ -392,6 +392,7 @@ struct ip6_hdr *ip6 = NULL; int isipv6; #endif /* INET6 */ + int rstreason = 0; /* For badport_bandlim accounting purposes */ #ifdef INET6 isipv6 = (mtod(m, struct ip *)->ip_v == 6) ? 1 : 0; @@ -641,11 +642,14 @@ goto drop; } } + rstreason = BANDLIM_RST_NOTOPEN; goto maybedropwithreset; } tp = intotcpcb(inp); - if (tp == 0) + if (tp == 0) { + rstreason = BANDLIM_RST_NOTOPEN; goto maybedropwithreset; + } if (tp->t_state == TCPS_CLOSED) goto drop; @@ -2255,7 +2259,9 @@ * we think we are under attack or not. */ maybedropwithreset: - if (badport_bandlim(1) < 0) + if (rstreason != BANDLIM_RST_NOTOPEN) + rstreason = BANDLIM_RST_OPEN; + if (badport_bandlim(rstreason) < 0) goto drop; /* fall through */ dropwithreset: diff -u /usr/src/sys/netinet.old/udp_usrreq.c /usr/src/sys/netinet/udp_usrreq.c --- /usr/src/sys/netinet.old/udp_usrreq.c Thu Nov 2 01:26:58 2000 +++ /usr/src/sys/netinet/udp_usrreq.c Thu Nov 2 02:54:10 2000 @@ -352,7 +352,7 @@ udpstat.udps_noportbcast++; goto bad; } - if (badport_bandlim(0) < 0) + if (badport_bandlim(BANDLIM_UNREACH) < 0) goto bad; if (blackhole) goto bad;