authorTheo de Raadt <deraadt@cvs.openbsd.org>1998-01-06 01:38:37 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1998-01-06 01:38:37 +0000
commitf44e028a400b34117134467ba6702a22e65044f8 (patch)
tree1fbd5c0a60c2acace4bd9962b9bbebbb949030da
parent8af452ff04a0c662c97daaf6723e326fb8551371 (diff)
net.inet.icmp.bmcastecho: do not smurf to smurfing broadcast packets
-rw-r--r--sys/netinet/icmp_var.h7
-rw-r--r--sys/netinet/ip_icmp.c17
2 files changed, 21 insertions, 3 deletions
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h
index 42e34bac175..b955a464d28 100644
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp_var.h,v 1.3 1997/08/26 20:02:30 deraadt Exp $ */
+/* $OpenBSD: icmp_var.h,v 1.4 1998/01/06 01:38:35 deraadt Exp $ */
/* $NetBSD: icmp_var.h,v 1.8 1995/03/26 20:32:19 jtc Exp $ */
/*
@@ -52,6 +52,7 @@ struct icmpstat {
u_long icps_checksum; /* bad checksum */
u_long icps_badlen; /* calculated bound mismatch */
u_long icps_reflect; /* number of responses */
+ u_long icps_bmcastecho; /* rejected broadcast icmps */
u_long icps_inhist[ICMP_MAXTYPE + 1];
};
@@ -59,11 +60,13 @@ struct icmpstat {
* Names for ICMP sysctl objects
*/
#define ICMPCTL_MASKREPL 1 /* allow replies to netmask requests */
-#define ICMPCTL_MAXID 2
+#define ICMPCTL_BMCASTECHO 2 /* reply to icmps to broadcast/mcast */
+#define ICMPCTL_MAXID 3
#define ICMPCTL_NAMES { \
{ 0, 0 }, \
{ "maskrepl", CTLTYPE_INT }, \
+ { "bmcastecho", CTLTYPE_INT }, \
}
#ifdef _KERNEL
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 511c364e810..8571efe8258 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.7 1997/06/05 15:05:41 deraadt Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.8 1998/01/06 01:38:36 deraadt Exp $ */
/* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
/*
@@ -69,6 +69,7 @@
*/
int icmpmaskrepl = 0;
+int icmpbmcastecho = 0;
#ifdef ICMPPRINTFS
int icmpprintfs = 0;
#endif
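Review bot: `icmpbmcastecho` is added without a comment, and its name suggests it governs echo requests only, while the ICMP_TSTAMP case in icmp_input tests it as well. A one-line comment would record both the default and the scope: `int icmpbmcastecho = 0; /* 0: do not answer echo/timestamp requests received as broadcast or multicast */`. Operators who set the sysctl from its name alone would otherwise not expect it to change timestamp handling.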
@@ -328,10 +329,22 @@ icmp_input(m, va_alist)
break;
case ICMP_ECHO:
+ if (!icmpbmcastecho &&
+ (m->m_flags & (M_MCAST | M_BCAST)) != 0 &&
+ IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ icmpstat.icps_bmcastecho++;
+ break;
+ }
icp->icmp_type = ICMP_ECHOREPLY;
goto reflect;
case ICMP_TSTAMP:
+ if (!icmpbmcastecho &&
+ (m->m_flags & (M_MCAST | M_BCAST)) != 0 &&
+ IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ icmpstat.icps_bmcastecho++;
+ break;
+ }
if (icmplen < ICMP_TSLEN) {
icmpstat.icps_badlen++;
break;
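Review bot: The third conjunct of the new ICMP_ECHO guard, `IN_MULTICAST(ntohl(ip->ip_dst.s_addr))`, limits the drop to class D destinations, so an echo request addressed to a directed or limited broadcast address (received with M_BCAST set, destination not in 224.0.0.0/4) still reaches `goto reflect`. That is the amplification case the commit title describes, so the guard should rely on the link-level flags alone: `if (!icmpbmcastecho && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {`. The identical condition under ICMP_TSTAMP needs the same change, and because `icps_bmcastecho` is only incremented inside these guards, the counter will currently under-report broadcast probes. If ICMP_MASKREQ is handled further down this switch it may deserve the same test; icmp_input starts and ends outside the hunk, so that cannot be confirmed here.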
@@ -615,6 +628,8 @@ icmp_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
switch (name[0]) {
case ICMPCTL_MASKREPL:
return (sysctl_int(oldp, oldlenp, newp, newlen, &icmpmaskrepl));
+ case ICMPCTL_BMCASTECHO:
+ return (sysctl_int(oldp, oldlenp, newp, newlen, &icmpbmcastecho));
default:
return (ENOPROTOOPT);
}