author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1998-01-06 01:38:37 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1998-01-06 01:38:37 +0000 |
commit | f44e028a400b34117134467ba6702a22e65044f8 (patch) | |
tree | 1fbd5c0a60c2acace4bd9962b9bbebbb949030da | |
parent | 8af452ff04a0c662c97daaf6723e326fb8551371 (diff) |
net.inet.icmp.bmcastecho: do not smurf to smurfing broadcast packets
-rw-r--r-- | sys/netinet/icmp_var.h | 7 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.c | 17 |
2 files changed, 21 insertions, 3 deletions
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h
index 42e34bac175..b955a464d28 100644
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp_var.h,v 1.3 1997/08/26 20:02:30 deraadt Exp $ */
+/* $OpenBSD: icmp_var.h,v 1.4 1998/01/06 01:38:35 deraadt Exp $ */
 /* $NetBSD: icmp_var.h,v 1.8 1995/03/26 20:32:19 jtc Exp $ */
 /*
@@ -52,6 +52,7 @@ struct icmpstat {
 u_long icps_checksum; /* bad checksum */
 u_long icps_badlen; /* calculated bound mismatch */
 u_long icps_reflect; /* number of responses */
+ u_long icps_bmcastecho; /* rejected broadcast icmps */
 u_long icps_inhist[ICMP_MAXTYPE + 1];
 };
@@ -59,11 +60,13 @@ struct icmpstat {
 * Names for ICMP sysctl objects
 */
 #define ICMPCTL_MASKREPL 1 /* allow replies to netmask requests */
-#define ICMPCTL_MAXID 2
+#define ICMPCTL_BMCASTECHO 2 /* reply to icmps to broadcast/mcast */
+#define ICMPCTL_MAXID 3
 #define ICMPCTL_NAMES { \
 { 0, 0 }, \
 { "maskrepl", CTLTYPE_INT }, \
+ { "bmcastecho", CTLTYPE_INT }, \
 }
 #ifdef _KERNEL
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 511c364e810..8571efe8258 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.7 1997/06/05 15:05:41 deraadt Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.8 1998/01/06 01:38:36 deraadt Exp $ */
 /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
 /*
@@ -69,6 +69,7 @@
 */
 int icmpmaskrepl = 0;
+int icmpbmcastecho = 0;
 #ifdef ICMPPRINTFS
 int icmpprintfs = 0;
 #endif
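Review bot: `icps_bmcastecho` is inserted ahead of `icps_inhist[]` in `struct icmpstat` rather than after the existing members, which moves the offset of the histogram array. Any consumer built against the previous header that reads this structure out of the kernel (none is visible on this page, so this is an assumption to check) would attribute counts to the wrong ICMP types until it is rebuilt. The field comment could also say what is actually counted, for example `/* bcast/mcast echo and timestamp requests dropped */`. The struct definition begins above the hunk.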
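Review bot: `icmpbmcastecho` is declared in ip_icmp.c without a comment, although it is the switch that decides whether the host answers ICMP requests delivered by broadcast or multicast. A one-line comment stating what the default means would help whoever audits the sysctl later, for example `/* 0: ignore ICMP echo/timestamp requests received via broadcast or multicast */`. The description next to `ICMPCTL_BMCASTECHO` in icmp_var.h (`reply to icmps to broadcast/mcast`) could use the same wording so the variable and the sysctl name read alike.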
@@ -328,10 +329,22 @@ icmp_input(m, va_alist)
 break;
 case ICMP_ECHO:
+ if (!icmpbmcastecho &&
+ (m->m_flags & (M_MCAST | M_BCAST)) != 0 &&
+ IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ icmpstat.icps_bmcastecho++;
+ break;
+ }
 icp->icmp_type = ICMP_ECHOREPLY;
 goto reflect;
 case ICMP_TSTAMP:
+ if (!icmpbmcastecho &&
+ (m->m_flags & (M_MCAST | M_BCAST)) != 0 &&
+ IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ icmpstat.icps_bmcastecho++;
+ break;
+ }
 if (icmplen < ICMP_TSLEN) {
 icmpstat.icps_badlen++;
 break;
@@ -615,6 +628,8 @@ icmp_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 switch (name[0]) {
 case ICMPCTL_MASKREPL:
 return (sysctl_int(oldp, oldlenp, newp, newlen, &icmpmaskrepl));
+ case ICMPCTL_BMCASTECHO:
+ return (sysctl_int(oldp, oldlenp, newp, newlen, &icmpbmcastecho));
 default:
 return (ENOPROTOOPT);
 }
|
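Review bot: The guard added under `case ICMP_ECHO:` drops the request only when the mbuf carries `M_MCAST`/`M_BCAST` and `IN_MULTICAST(...)` is also true for `ip->ip_dst`, so a request delivered as a link-level broadcast to a non-class-D destination (a subnet broadcast address) still reaches `goto reflect` and is answered. That is the broadcast case named in the commit title and in the `icps_bmcastecho` comment, so the multicast test looks like it should not be and-ed in; the mbuf flags alone already cover both delivery types: `if (!icmpbmcastecho && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {`. The identical condition under `case ICMP_TSTAMP:` needs the same change. It is also worth confirming which byte order `IN_MULTICAST` expects in this tree before keeping the `ntohl()`. The body of `icmp_input` starts and ends outside the hunk.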