freebsd-dev/sys/netinet/icmp_var.h
Matthew Dillon 51508de112 Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one known issue regarding the
    'tail end' of an attack: the kernel does not emit the final report
    until some unrelated, legitimate ICMP error packet is returned at some
    point after the attack is over.  This is a minor reporting issue only.
1998-12-03 20:23:21 +00:00


/*
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)icmp_var.h 8.1 (Berkeley) 6/10/93
* $Id: icmp_var.h,v 1.9 1997/09/07 05:26:34 bde Exp $
*/
#ifndef _NETINET_ICMP_VAR_H_
#define _NETINET_ICMP_VAR_H_
/*
 * Kernel-config option ICMP_BANDLIM; it selects the icmplim sysctl entry
 * and the badport_bandlim prototype declared further down in this header.
 * NOTE(review): this include is unconditional.  Whether the generated
 * opt_icmp_bandlim.h exists for non-kernel consumers of this header
 * cannot be told from here -- verify, since a missing opt_*.h would
 * break such builds.
 */
#include "opt_icmp_bandlim.h" /* for ICMP_BANDLIM */
/*
 * Variables related to this implementation
 * of the internet control message protocol.
 *
 * Counters maintained by the ICMP code.  The whole struct is exported
 * read-only through the ICMPCTL_STATS sysctl (CTLTYPE_STRUCT in the name
 * table below), so the field order and types are presumably part of the
 * kernel/userland interface -- do not reorder or resize fields without
 * updating every consumer.
 *
 * ICMP_MAXTYPE is not defined here; it is expected to come from
 * <netinet/ip_icmp.h>, which must be included before this header.
 */
struct icmpstat {
/* statistics related to icmp packets generated */
u_long icps_error; /* # of calls to icmp_error */
u_long icps_oldshort; /* no error because the offending ip packet was too short */
u_long icps_oldicmp; /* no error because the offending packet was itself icmp */
/*
 * Per-type histogram of generated messages, one slot per ICMP type
 * 0..ICMP_MAXTYPE.  The code that indexes this (ip_icmp.c, not visible
 * here) must reject type > ICMP_MAXTYPE before using it as an index.
 */
u_long icps_outhist[ICMP_MAXTYPE + 1];
/* statistics related to input messages processed */
u_long icps_badcode; /* icmp_code out of range */
u_long icps_tooshort; /* packet < ICMP_MINLEN */
u_long icps_checksum; /* bad checksum */
u_long icps_badlen; /* calculated bound mismatch */
u_long icps_reflect; /* number of responses */
/* Per-type histogram of received messages; same indexing caveat as above. */
u_long icps_inhist[ICMP_MAXTYPE + 1];
u_long icps_bmcastecho; /* b/mcast echo requests dropped */
u_long icps_bmcasttstamp; /* b/mcast tstamp requests dropped */
/*
 * NOTE(review): there is no counter here for error responses suppressed
 * by the ICMP_BANDLIM rate limiter (badport_bandlim); as of this revision
 * the only visibility into limiter activity is the kernel printf, not
 * these sysctl statistics.
 */
};
/*
 * Names for ICMP sysctl objects
 *
 * Each ICMPCTL_* value is an index into the ICMPCTL_NAMES table, so the
 * table must have exactly ICMPCTL_MAXID entries in ICMPCTL_* order (slot 0
 * is unused).  ICMPCTL_STATS exports struct icmpstat above.
 *
 * NOTE(review): because ICMP_BANDLIM is a kernel-config option, both
 * ICMPCTL_MAXID and the name table differ between kernels built with and
 * without it.  Userland that consumes this header must therefore be built
 * with the same opt_icmp_bandlim.h setting as the running kernel, or it
 * will disagree with the kernel about the sysctl name space.
 */
#define ICMPCTL_MASKREPL 1 /* allow replies to netmask requests */
#define ICMPCTL_STATS 2 /* statistics (read-only) */
#ifdef ICMP_BANDLIM
/*
 * net.inet.icmp.icmplim: limit on ICMP error responses for packets sent
 * to bad tcp/udp ports, in packets per second; 0 disables the limiter.
 */
#define ICMPCTL_ICMPLIM 3
#define ICMPCTL_MAXID 4
/* Trailing comma is deliberate: this expands inside the initializer list below. */
#define ICMP_BANDLIM_INFO { "icmplim", CTLTYPE_INT },
#else
#define ICMPCTL_MAXID 3
/* Expands to nothing: no icmplim entry in the name table. */
#define ICMP_BANDLIM_INFO
#endif
#define ICMPCTL_NAMES { \
{ 0, 0 }, \
{ "maskrepl", CTLTYPE_INT }, \
{ "stats", CTLTYPE_STRUCT }, \
ICMP_BANDLIM_INFO \
}
#ifdef ICMP_BANDLIM
/*
 * Rate limiter for ICMP error responses (the ICMP_BANDLIM feature).
 * Only declared when the kernel option is set, so every call site must
 * sit under the same #ifdef.  __P() is the K&R/ANSI prototype wrapper.
 *
 * NOTE(review): the meaning of the int argument and of the return value
 * is not visible here; presumably the caller passes some per-packet
 * classifier and a nonzero return means "suppress this error response"
 * -- confirm against the definition in ip_icmp.c before relying on it.
 */
extern int badport_bandlim __P((int));
#endif
#endif