Date:      Thu, 14 Nov 2002 12:51:25 -0600 (CST)
From:      Mike Silbersack <silby@silby.com>
To:        "."@babolo.ru
Cc:        Tony Finch <dot@dotat.at>, <freebsd-net@FreeBSD.ORG>
Subject:   Re: forwarded message on Source Quench Packets.
Message-ID:  <20021114124957.D521-200000@patrocles.silby.com>
In-Reply-To: <200211122103.gACL36X3054512@aaz.links.ru>




On Wed, 13 Nov 2002 .@babolo.ru wrote:

> > Mike Silbersack <silby@silby.com> wrote:
> > >
> > >I can see how these source quench messages would cause problems if a DoS
> > >is being routed through a FreeBSD router, and I think that your patch
> > >makes sense.  Are there any objections to me committing this in a few
> > >days?
> >
> > Doesn't FreeBSD rate-limit ICMP as required by the RFC? If there is a
> > but it's that the rate-limiting isn't happening, not that source-quench
> > packets are being generated. If it's important that FreeBSD routers not
> > generate them then it should be a sysctl option.
> I am second for a sysctl option.
> One of requirements when licensing networks
> in Russia is source-quench support.

Ok, here's the patch I intend to commit; please give it a quick look over
to see if I made any mistakes.  This should provide the sysctl
functionality requested.

Thanks,

Mike "Silby" Silbersack

diff -u -r /usr/src/sys.old/netinet/ip_input.c /usr/src/sys/netinet/ip_input.c
--- /usr/src/sys.old/netinet/ip_input.c	Thu Nov 14 12:37:43 2002
+++ /usr/src/sys/netinet/ip_input.c	Thu Nov 14 12:45:21 2002
@@ -125,6 +125,11 @@
 	&ip_maxfragpackets, 0,
 	"Maximum number of IPv4 fragment reassembly queue entries");
 
+static int	ip_sendsourcequench = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW,
+	&ip_sendsourcequench, 0,
+	"Enable the transmission of source quench packets");
+
 /*
  * XXX - Setting ip_checkinterface mostly implements the receive side of
  * the Strong ES model described in RFC 1122, but since the routing table
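Review bot: the default in `static int ip_sendsourcequench = 0;` silently changes forwarding behaviour for every router that picks up this commit, so the new knob needs a documentation line beyond the one-sentence SYSCTL_INT description: state that it is off by default because RFC 1812 says a router SHOULD NOT originate Source Quench, and that operators who are required to emit them (the licensing case raised up-thread) set net.inet.ip.sendsourcequench=1. The description string itself could carry that hint, e.g. "Enable transmission of ICMP source quench (off by default per RFC 1812)". `CTLFLAG_RW` is the right flag here since the setting has to be flippable at runtime.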
@@ -1970,8 +1975,21 @@
 		break;
 
 	case ENOBUFS:
-		type = ICMP_SOURCEQUENCH;
-		code = 0;
+		/*
+		 * A router should not generate ICMP_SOURCEQUENCH as
+		 * required in RFC1812 Requirements for IP Version 4 Routers.
+		 * Source quench could be a big problem under DoS attacks,
+		 * or if the underlying interface is rate-limited.
+		 * Those who need source quench packets may re-enable them
+		 * via the net.inet.ip.sendsourcequench sysctl.
+		 */
+		if (ip_sendsourcequench == 0) {
+			m_freem(mcopy);
+			return;
+		} else {
+			type = ICMP_SOURCEQUENCH;
+			code = 0;
+		}
 		break;
 
 	case EACCES:			/* ipfw denied packet */
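Review bot: the `else` following `return;` inside the `if (ip_sendsourcequench == 0)` block is redundant; style(9) would drop it and leave `type = ICMP_SOURCEQUENCH;` and `code = 0;` at case level, as the removed lines had them. The comment should cite the section rather than the whole document: the "SHOULD NOT originate Source Quench" requirement is RFC 1812 section 4.3.3.3. One thing to confirm before committing: the new `m_freem(mcopy); return;` leaves the function before whatever follows the switch, so check that nothing after the switch still expects to consume `mcopy` or to account for the dropped packet; the hunk context shows only the switch body, not the code after it.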
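As an added example that is not part of this thread and not FreeBSD kernel code: a small C program that recognises ICMP source quench messages (type 4, code 0) in raw IPv4 datagrams, which is the defender-side check for whether a router on the path is still originating them once the sysctl above is left at its default. The packet bytes are constructed inline (addresses from the RFC 5737 documentation ranges), the function names are my own, and the IP header checksum is deliberately not verified since the point is the ICMP layer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_SOURCEQUENCH 4   /* ICMP type 4, same value as <netinet/ip_icmp.h> */

/* RFC 1071 one's-complement checksum over a byte buffer; 0 when it verifies. */
static uint16_t in_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)buf[0] << 8 | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)buf[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

struct sq_result {
    int is_source_quench;   /* 1 if a well-formed ICMP source quench */
    int bad_checksum;       /* 1 if the ICMP checksum did not verify */
    uint32_t quenched_dst;  /* destination of the embedded original datagram */
};

/* Inspect one IPv4 datagram (no link-layer header). Returns 0 when the packet
 * was parseable as IPv4/ICMP (see *out for the verdict), -1 otherwise. */
int inspect_source_quench(const uint8_t *pkt, size_t len, struct sq_result *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    size_t total = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || total < ihl || total > len || pkt[9] != 1 /* IPPROTO_ICMP */)
        return -1;
    const uint8_t *icmp = pkt + ihl;
    size_t icmplen = total - ihl;
    if (icmplen < 8)
        return -1;
    if (in_cksum(icmp, icmplen) != 0)
        out->bad_checksum = 1;
    if (icmp[0] != ICMP_SOURCEQUENCH || icmp[1] != 0)
        return 0;
    /* RFC 792: the quench carries the offending IP header plus 8 payload bytes. */
    if (icmplen < 8 + 20)
        return 0;   /* truncated quench; not counted as well-formed */
    const uint8_t *inner = icmp + 8;
    out->is_source_quench = 1;
    out->quenched_dst = (uint32_t)inner[16] << 24 | (uint32_t)inner[17] << 16
                      | (uint32_t)inner[18] << 8 | inner[19];
    return 0;
}

/* Constructed sample: a source quench from router 192.0.2.1 to 198.51.100.7
 * about a UDP datagram that was on its way to 203.0.113.9. Returns length. */
size_t build_sample_quench(uint8_t *buf)
{
    static const uint8_t outer[20] = { 0x45, 0x00, 0x00, 0x38, 0, 0, 0, 0, 0x40, 0x01,
                                       0, 0, 192, 0, 2, 1, 198, 51, 100, 7 };
    static const uint8_t inner[28] = { 0x45, 0x00, 0x00, 0x54, 0x12, 0x34, 0x40, 0x00,
                                       0x3f, 0x11, 0, 0, 198, 51, 100, 7, 203, 0, 113, 9,
                                       0xc3, 0x50, 0x00, 0x35, 0x00, 0x40, 0x00, 0x00 };
    memcpy(buf, outer, 20);
    buf[20] = ICMP_SOURCEQUENCH; buf[21] = 0; buf[22] = 0; buf[23] = 0;
    memset(buf + 24, 0, 4);            /* unused field per RFC 792 */
    memcpy(buf + 28, inner, 28);
    uint16_t ck = in_cksum(buf + 20, 36);
    buf[22] = ck >> 8; buf[23] = ck & 0xff;
    return 56;
}

/* Constructed sample: a plain echo request, which must not be flagged. */
size_t build_sample_echo(uint8_t *buf)
{
    static const uint8_t outer[20] = { 0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 0x40, 0x01,
                                       0, 0, 198, 51, 100, 7, 192, 0, 2, 1 };
    memcpy(buf, outer, 20);
    buf[20] = 8; buf[21] = 0; buf[22] = 0; buf[23] = 0;
    buf[24] = 0; buf[25] = 1; buf[26] = 0; buf[27] = 1;
    uint16_t ck = in_cksum(buf + 20, 8);
    buf[22] = ck >> 8; buf[23] = ck & 0xff;
    return 28;
}

/* Number of well-formed quenches among the two constructed samples. */
int count_sample_quenches(void)
{
    uint8_t p[2][64]; size_t l[2]; struct sq_result r; int n = 0;
    l[0] = build_sample_quench(p[0]);
    l[1] = build_sample_echo(p[1]);
    for (int i = 0; i < 2; i++)
        if (inspect_source_quench(p[i], l[i], &r) == 0 && r.is_source_quench && !r.bad_checksum)
            n++;
    return n;
}

/* Destination the sample quench complains about, as a host-order IPv4 word. */
uint32_t sample_quench_dst(void)
{
    uint8_t b[64]; struct sq_result r;
    inspect_source_quench(b, build_sample_quench(b), &r);
    return r.quenched_dst;
}

/* Flip one checksum bit in the sample and report whether that is detected. */
int corrupted_sample_flags_checksum(void)
{
    uint8_t b[64]; struct sq_result r;
    size_t n = build_sample_quench(b);
    b[23] ^= 0x01;
    inspect_source_quench(b, n, &r);
    return r.bad_checksum;
}

int main(void)
{
    printf("quenches in sample capture: %d\n", count_sample_quenches());
    printf("quenched destination: 0x%08x\n", (unsigned)sample_quench_dst());
    return 0;
}
```

In a real capture the inspector is fed each IPv4 payload from the link-layer frame; a non-zero count from a router that is supposed to have the sysctl off is the signal to look at that box.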