sysctl'ize ICMP_BANDLIM and ICMP_BANDLIM_SUPPRESS_OUTPUT.

Suggested by: des/nbm

sys/alpha/conf/GENERIC

@@ -64,7 +64,6 @@ options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options		P1003_1B		#Posix P1003_1B real-time extentions
 options 	_KPOSIX_PRIORITY_SCHEDULING
-options		ICMP_BANDLIM		#Rate limit bad replies
 
 # Standard busses
 device		isa

sys/alpha/conf/NOTES

@@ -64,7 +64,6 @@ options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options		P1003_1B		#Posix P1003_1B real-time extentions
 options 	_KPOSIX_PRIORITY_SCHEDULING
-options		ICMP_BANDLIM		#Rate limit bad replies
 
 # Standard busses
 device		isa

sys/amd64/conf/GENERIC

@@ -51,7 +51,6 @@ options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options 	P1003_1B		#Posix P1003_1B real-time extensions
 options 	_KPOSIX_PRIORITY_SCHEDULING
-options		ICMP_BANDLIM		#Rate limit bad replies
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 
 # To make an SMP kernel, the next two are needed

sys/conf/NOTES

@@ -542,14 +542,6 @@ options 	TCPDEBUG
 options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
 options 	TCP_RESTRICT_RST	#restrict emission of TCP RST
 
-# ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
-# typically want this option as it will help protect the machine from
-# D.O.S. packet attacks.  Use ICMP_BANDLIM_SUPPRESS_OUTPUT to prevent
-# bandwidth limit messages from being dumped to console.
-#
-options 	ICMP_BANDLIM
-options		ICMP_BANDLIM_SUPPRESS_OUTPUT
-
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need
 # IPFIREWALL as well. See the dummynet(4) manpage for more info.
 # BRIDGE enables bridging between ethernet cards -- see bridge(4).

sys/conf/options

@@ -87,8 +87,6 @@ MSGSEG		opt_sysvipc.h
 MSGSSZ		opt_sysvipc.h
 MSGTQL		opt_sysvipc.h
 UCONSOLE
-ICMP_BANDLIM
-ICMP_BANDLIM_SUPPRESS_OUTPUT	opt_icmp_bandlim.h
 VFS_AIO
 
 # POSIX kernel options

sys/i386/conf/GENERIC

@@ -51,7 +51,6 @@ options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options 	P1003_1B		#Posix P1003_1B real-time extensions
 options 	_KPOSIX_PRIORITY_SCHEDULING
-options		ICMP_BANDLIM		#Rate limit bad replies
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 
 # To make an SMP kernel, the next two are needed

sys/i386/conf/LINT

@@ -542,14 +542,6 @@ options 	TCPDEBUG
 options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
 options 	TCP_RESTRICT_RST	#restrict emission of TCP RST
 
-# ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
-# typically want this option as it will help protect the machine from
-# D.O.S. packet attacks.  Use ICMP_BANDLIM_SUPPRESS_OUTPUT to prevent
-# bandwidth limit messages from being dumped to console.
-#
-options 	ICMP_BANDLIM
-options		ICMP_BANDLIM_SUPPRESS_OUTPUT
-
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need
 # IPFIREWALL as well. See the dummynet(4) manpage for more info.
 # BRIDGE enables bridging between ethernet cards -- see bridge(4).

sys/i386/conf/NOTES

@@ -542,14 +542,6 @@ options 	TCPDEBUG
 options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
 options 	TCP_RESTRICT_RST	#restrict emission of TCP RST
 
-# ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
-# typically want this option as it will help protect the machine from
-# D.O.S. packet attacks.  Use ICMP_BANDLIM_SUPPRESS_OUTPUT to prevent
-# bandwidth limit messages from being dumped to console.
-#
-options 	ICMP_BANDLIM
-options		ICMP_BANDLIM_SUPPRESS_OUTPUT
-
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need
 # IPFIREWALL as well. See the dummynet(4) manpage for more info.
 # BRIDGE enables bridging between ethernet cards -- see bridge(4).

sys/netinet/icmp_var.h

@@ -37,9 +37,6 @@
 #ifndef _NETINET_ICMP_VAR_H_
 #define _NETINET_ICMP_VAR_H_
 
-#ifdef _KERNEL
-#include "opt_icmp_bandlim.h"		/* for ICMP_BANDLIM     */
-#endif
 
 /*
  * Variables related to this implementation
@@ -79,9 +76,7 @@ struct	icmpstat {
 
 #ifdef _KERNEL
 SYSCTL_DECL(_net_inet_icmp);
-#ifdef ICMP_BANDLIM
 extern int badport_bandlim __P((int));
 #endif
-#endif
 
 #endif

sys/netinet/ip_icmp.c

@@ -91,23 +91,13 @@ static int	log_redirect = 0;
 SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW, 
 	&log_redirect, 0, "");
 
-#ifdef ICMP_BANDLIM 
- 
-/*    
- * ICMP error-response bandwidth limiting sysctl.  If not enabled, sysctl
- *      variable content is -1 and read-only.
- */     
-    
 static int      icmplim = 200;
 SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 	&icmplim, 0, "");
-#else
 
-static int      icmplim = -1;
-SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RD,
-	&icmplim, 0, "");
-	
-#endif 
+static int	icmplim_output = 1;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
+	&icmplim_output, 0, "");
 
 /*
  * ICMP broadcast echo sysctl
@@ -800,7 +790,6 @@ ip_next_mtu(mtu, dir)
 }
 #endif
 
-#ifdef ICMP_BANDLIM
 
 /*
  * badport_bandlim() - check for ICMP bandwidth limit
@@ -842,13 +831,11 @@ badport_bandlim(int which)
 	 */
 
 	if ((unsigned int)dticks > hz) {
-		if (lpackets[which] > icmplim) {
-#ifndef ICMP_BANDLIM_SUPPRESS_OUTPUT
+		if (lpackets[which] > icmplim && icmplim_output) {
 			printf("icmp-response bandwidth limit %d/%d pps\n",
 				lpackets[which],
 				icmplim
 			);
-#endif
 		}
 		lticks[which] = ticks;
 		lpackets[which] = 0;
@@ -864,6 +851,3 @@ badport_bandlim(int which)
 	return(0);
 }
 
-#endif
-
-

sys/netinet/tcp_input.c

@@ -60,7 +60,7 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
-#include <netinet/ip_icmp.h>	/* for ICMP_BANDLIM		*/
+#include <netinet/ip_icmp.h>	
 #ifdef INET6
 #include <netinet/ip6.h>
 #include <netinet/in_var.h>
@@ -75,7 +75,7 @@
 #ifdef INET6
 #include <netinet6/ip6_var.h>
 #endif
-#include <netinet/icmp_var.h>	/* for ICMP_BANDLIM		*/
+#include <netinet/icmp_var.h>	
 #include <netinet/tcp.h>
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>
@@ -2251,10 +2251,8 @@ tcp_input(m, off0, proto)
 	 * we think we are under attack or not.
 	 */
 maybedropwithreset:
-#ifdef ICMP_BANDLIM
 	if (badport_bandlim(1) < 0)
 		goto drop;
-#endif
 	/* fall through */
 dropwithreset:
 #ifdef TCP_RESTRICT_RST

sys/netinet/tcp_reass.c

@@ -60,7 +60,7 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
-#include <netinet/ip_icmp.h>	/* for ICMP_BANDLIM		*/
+#include <netinet/ip_icmp.h>	
 #ifdef INET6
 #include <netinet/ip6.h>
 #include <netinet/in_var.h>
@@ -75,7 +75,7 @@
 #ifdef INET6
 #include <netinet6/ip6_var.h>
 #endif
-#include <netinet/icmp_var.h>	/* for ICMP_BANDLIM		*/
+#include <netinet/icmp_var.h>	
 #include <netinet/tcp.h>
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>
@@ -2251,10 +2251,8 @@ tcp_input(m, off0, proto)
 	 * we think we are under attack or not.
 	 */
 maybedropwithreset:
-#ifdef ICMP_BANDLIM
 	if (badport_bandlim(1) < 0)
 		goto drop;
-#endif
 	/* fall through */
 dropwithreset:
 #ifdef TCP_RESTRICT_RST

sys/netinet/udp_usrreq.c

@@ -350,10 +350,10 @@ udp_input(m, off, proto)
 			goto bad;
 		}
 		*ip = save_ip;
-#ifdef ICMP_BANDLIM
+
 		if (badport_bandlim(0) < 0)
 			goto bad;
-#endif
+
 		if (!blackhole)
 			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
 		else