Index: sys/netinet/icmp_var.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/icmp_var.h,v
retrieving revision 1.16
diff -u -r1.16 icmp_var.h
--- sys/netinet/icmp_var.h 2000/05/22 16:12:28 1.16
+++ sys/netinet/icmp_var.h 2000/12/15 21:29:18
@@ -77,6 +77,12 @@
 #ifdef _KERNEL
 SYSCTL_DECL(_net_inet_icmp);
 extern int badport_bandlim __P((int));
+#define BANDLIM_UNREACH 0
+#define BANDLIM_RST_NOTOPEN 1
+#define BANDLIM_RST_OPEN 2
+#define BANDLIM_ECHO 3
+#define BANDLIM_TSTAMP 4
+#define BANDLIM_MAX 4
 #endif
 #endif
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.46
diff -u -r1.46 ip_icmp.c
--- sys/netinet/ip_icmp.c 2000/11/02 09:46:23 1.46
+++ sys/netinet/ip_icmp.c 2000/12/15 21:29:27
@@ -449,7 +449,10 @@
 break;
 }
 icp->icmp_type = ICMP_ECHOREPLY;
- goto reflect;
+ if (badport_bandlim(BANDLIM_ECHO) < 0)
+ goto freeit;
+ else
+ goto reflect;
 case ICMP_TSTAMP:
 if (!icmpbmcastecho
@@ -464,7 +467,10 @@
 icp->icmp_type = ICMP_TSTAMPREPLY;
 icp->icmp_rtime = iptime();
 icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */
- goto reflect;
+ if (badport_bandlim(BANDLIM_TSTAMP) < 0)
+ goto freeit;
+ else
+ goto reflect;
 case ICMP_MASKREQ:
 #define satosin(sa) ((struct sockaddr_in *)(sa)) 
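Review bot: BANDLIM_MAX is defined as a second literal 4 rather than in terms of BANDLIM_TSTAMP, and nothing in the header ties it to the five-entry bandlimittype[] table that ip_icmp.c indexes with the same bound, so adding a category means updating three places by hand. A comment on the new defines would make the coupling visible, e.g. `/* Categories passed to badport_bandlim(); BANDLIM_MAX must be the highest one and bandlimittype[] in ip_icmp.c must have BANDLIM_MAX + 1 entries. */`. Writing `#define BANDLIM_MAX BANDLIM_TSTAMP` keeps the two values from drifting apart when the next category is appended.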
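Review bot: The `else` after `goto freeit;` is redundant, since control never falls through a goto, and the same shape is repeated in the ICMP_TSTAMP hunk at @@ -464. Writing `if (badport_bandlim(BANDLIM_ECHO) < 0) goto freeit;` followed by a plain `goto reflect;` matches the single-statement style of the surrounding cases. In the ICMP_TSTAMP case the limiter is consulted only after icp has been rewritten and iptime() has been called, so a rate-limited reply still pays for the timestamp work; consulting the limiter first would avoid that, though the cost is small. The switch these hunks belong to starts and ends outside the hunks.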
@@ -821,16 +827,23 @@
 int
 badport_bandlim(int which)
 {
- static int lticks[2];
- static int lpackets[2];
+ static int lticks[BANDLIM_MAX + 1];
+ static int lpackets[BANDLIM_MAX + 1];
 int dticks;
+ const char *bandlimittype[] = {
+ "Limiting icmp unreach response",
+ "Limiting closed port RST response",
+ "Limiting open port RST response",
+ "Limiting icmp ping response",
+ "Limiting icmp tstamp response"
+ };
 /*
 * Return ok status if feature disabled or argument out of
 * ranage.
 */
- if (icmplim <= 0 || which >= 2 || which < 0)
+ if (icmplim <= 0 || which > BANDLIM_MAX || which < 0)
 return(0);
 dticks = ticks - lticks[which];
@@ -840,7 +853,8 @@
 if ((unsigned int)dticks > hz) {
 if (lpackets[which] > icmplim && icmplim_output) {
- printf("icmp-response bandwidth limit %d/%d pps\n",
+ printf("%s from %d to %d packets per second\n",
+ bandlimittype[which],
 lpackets[which],
 icmplim
 );
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.120
diff -u -r1.120 tcp_input.c
--- sys/netinet/tcp_input.c 2000/12/08 21:50:47 1.120
+++ sys/netinet/tcp_input.c 2000/12/15 21:29:32
@@ -392,6 +392,7 @@
 struct ip6_hdr *ip6 = NULL;
 int isipv6;
 #endif /* INET6 */
+ int rstreason = 0; /* For badport_bandlim accounting purposes */
 #ifdef INET6
 isipv6 = (mtod(m, struct ip *)->ip_v == 6) ? 1 : 0;
@@ -641,11 +642,14 @@
 goto drop;
 }
 }
+ rstreason = BANDLIM_RST_NOTOPEN;
 goto maybedropwithreset;
 }
 tp = intotcpcb(inp);
- if (tp == 0)
+ if (tp == 0) {
+ rstreason = BANDLIM_RST_NOTOPEN;
 goto maybedropwithreset;
+ }
 if (tp->t_state == TCPS_CLOSED)
 goto drop;
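Review bot: `bandlimittype[]` is declared as a non-static automatic array, so its five pointers are rebuilt on the stack on every call, and badport_bandlim() now sits on the input path for every RST, port-unreachable, echo and timestamp response; declare it `static const char *const bandlimittype[BANDLIM_MAX + 1] = { ... };`. Giving it the explicit size BANDLIM_MAX + 1 also ties the table to the range check `which > BANDLIM_MAX` in the same hunk: both happen to be 5 today, but a category added to icmp_var.h without a matching string would otherwise turn `bandlimittype[which]` in the @@ -840 hunk into an out-of-bounds read, whereas with an explicit size a surplus initializer is a compile error and a missing one is a NULL entry that the printf there would still need to guard against. The table is only read under `icmplim_output`, so the rest of the function is unaffected by the change.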
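Review bot: `int rstreason = 0;` initialises the variable to a value that icmp_var.h defines as BANDLIM_UNREACH, which is not a reason a TCP reset can have, and the @@ -2259 hunk then has to rewrite anything other than BANDLIM_RST_NOTOPEN to BANDLIM_RST_OPEN before calling badport_bandlim(). Initialising with `int rstreason = BANDLIM_RST_OPEN; /* For badport_bandlim accounting purposes */` states the default directly and makes the normalising `if` at maybedropwithreset unnecessary, since the only assignments visible, both in the @@ -641 hunk, set BANDLIM_RST_NOTOPEN. That holds only if no other assignment to rstreason exists outside these hunks, which cannot be confirmed from here; if one does, the normalising `if` should stay. tcp_input() itself starts and ends outside the hunks.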
@@ -2259,7 +2263,9 @@
 * we think we are under attack or not.
 */
 maybedropwithreset:
- if (badport_bandlim(1) < 0)
+ if (rstreason != BANDLIM_RST_NOTOPEN)
+ rstreason = BANDLIM_RST_OPEN;
+ if (badport_bandlim(rstreason) < 0)
 goto drop;
 /* fall through */
 dropwithreset:
Index: sys/netinet/udp_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.78
diff -u -r1.78 udp_usrreq.c
--- sys/netinet/udp_usrreq.c 2000/11/01 16:56:33 1.78
+++ sys/netinet/udp_usrreq.c 2000/12/15 21:29:40
@@ -353,7 +353,7 @@
 udpstat.udps_noportbcast++;
 goto bad;
 }
- if (badport_bandlim(0) < 0)
+ if (badport_bandlim(BANDLIM_UNREACH) < 0)
 goto bad;
 if (blackhole)
 goto bad;