Add a sysctl to control the generation of source quench packets,

and set it to 0 by default. Partially obtained from: NetBSD Suggested by: David Gilbert MFC after: 5 days
2002-11-19 17:06:06 +00:00 · 2002-11-19 17:06:06 +00:00 · df285b3d1d
commit df285b3d1d
parent e5562bee60
1 changed files with 20 additions and 2 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -125,6 +125,11 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfragpackets, CTLFLAG_RW,
 	&ip_maxfragpackets, 0,
 	"Maximum number of IPv4 fragment reassembly queue entries");

+static int	ip_sendsourcequench = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW,
+	&ip_sendsourcequench, 0,
+	"Enable the transmission of source quench packets");
+
 /*
 * XXX - Setting ip_checkinterface mostly implements the receive side of
 * the Strong ES model described in RFC 1122, but since the routing table
@ -1971,8 +1976,21 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
 		break;

 	case ENOBUFS:
-		type = ICMP_SOURCEQUENCH;
-		code = 0;
+		/*
+		 * A router should not generate ICMP_SOURCEQUENCH as
+		 * required in RFC1812 Requirements for IP Version 4 Routers.
+		 * Source quench could be a big problem under DoS attacks,
+		 * or if the underlying interface is rate-limited.
+		 * Those who need source quench packets may re-enable them
+		 * via the net.inet.ip.sendsourcequench sysctl.
+		 */
+		if (ip_sendsourcequench == 0) {
+			m_freem(mcopy);
+			return;
+		} else {
+			type = ICMP_SOURCEQUENCH;
+			code = 0;
+		}
 		break;

 	case EACCES:			/* ipfw denied packet */