Date:      Sun, 20 Sep 1998 17:37:37 +0200
From:      sthaug@nethelp.no
To:        fenner@parc.xerox.com
Cc:        jkoshy@FreeBSD.ORG, cvs-committers@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc rc.network rc.conf src/sys/netinet ip_icmp.c src/lib/libc/gen sysctl.3 
Message-ID:  <19512.906305857@verdi.nethelp.no>
In-Reply-To: Your message of "Tue, 15 Sep 1998 14:29:22 PDT"
References:  <199809152129.OAA08611@mango.parc.xerox.com>

> I think this should be split and bcastecho should default to off and
> mcastecho should default to on.  It's generally harder to forge the
> source address with multicast so SMURF-like attacks don't really work,
> and pinging multicast addresses is an extremely useful debugging tool.

OK, patch relative to ip_icmp.c 1.31 included. I also gave the time
stamp reply its own sysctl, with default to off. Thus we now have:

% sysctl net.inet.icmp
net.inet.icmp.maskrepl: 0
net.inet.icmp.bcastecho: 0
net.inet.icmp.mcastecho: 1
net.inet.icmp.tstampreply: 0

I've tested the changes (yes, even the time stamp reply). Seems to work
fine here.

Feel free to call it 'tstamprepl' instead of 'tstampreply' in order to
be in the same style as 'maskrepl'.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
*** ip_icmp.c.orig	Tue Sep 15 12:49:03 1998
--- ip_icmp.c	Sun Sep 20 16:57:40 1998
***************
*** 69,76 ****
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
  
! static int	icmpbmcastecho = 0;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
  	   0, "");
  
  #ifdef ICMPPRINTFS
--- 69,84 ----
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
  
! static int	icmpbcastecho = 0;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bcastecho, CTLFLAG_RW, &icmpbcastecho,
! 	   0, "");
! 
! static int	icmpmcastecho = 1;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, mcastecho, CTLFLAG_RW, &icmpmcastecho,
! 	   0, "");
! 
! static int	icmptstampreply = 0;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstampreply, CTLFLAG_RW, &icmptstampreply,
  	   0, "");
  
  #ifdef ICMPPRINTFS
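Review bot: all three new SYSCTL_INT entries (bcastecho, mcastecho, tstampreply) pass "" as the description string, so nothing in the code records what each knob gates or why the defaults differ (0, 1, 0). Please add a one-line description or a comment above each declaration. Separately, the bmcastecho OID is removed outright with no compatibility entry, so anything that still sets net.inet.icmp.bmcastecho will silently stop having an effect. The subject line of the original commit lists rc.network, rc.conf and sysctl.3, and this patch touches only ip_icmp.c, so if those files reference bmcastecho they need the same rename in the same change.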
***************
*** 374,381 ****
  		break;
  
  	case ICMP_ECHO:
! 		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
--- 382,394 ----
  		break;
  
  	case ICMP_ECHO:
! 		if (!icmpbcastecho
! 		    && (m->m_flags & M_BCAST) != 0) {
! 			icmpstat.icps_bmcastecho++;
! 			break;
! 		}
! 		if (!icmpmcastecho
! 		    && (m->m_flags & M_MCAST) != 0) {
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
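Review bot: in the ICMP_ECHO case both the M_BCAST drop and the M_MCAST drop increment the same counter, icmpstat.icps_bmcastecho, so once the knobs are split the statistics can no longer show which policy discarded a request. Either add separate broadcast and multicast counters or add a comment saying the shared counter is intentional. The two tests could also be written as one condition, (!icmpbcastecho && (m->m_flags & M_BCAST)) || (!icmpmcastecho && (m->m_flags & M_MCAST)), to keep a single drop path.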
***************
*** 383,393 ****
  		goto reflect;
  
  	case ICMP_TSTAMP:
! 		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
! 			icmpstat.icps_bmcasttstamp++;
  			break;
- 		}
  		if (icmplen < ICMP_TSLEN) {
  			icmpstat.icps_badlen++;
  			break;
--- 396,403 ----
  		goto reflect;
  
  	case ICMP_TSTAMP:
! 		if (!icmptstampreply)
  			break;
  		if (icmplen < ICMP_TSLEN) {
  			icmpstat.icps_badlen++;
  			break;
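Review bot: the ICMP_TSTAMP case loses its (m->m_flags & (M_MCAST | M_BCAST)) test entirely, so with tstampreply set to 1 the host will answer timestamp requests sent to broadcast and multicast addresses, which the old code refused whenever bmcastecho was off. That reopens for timestamps the same amplification path that bcastecho=0 closes for echo. Suggest keeping the broadcast/multicast check in addition to the new knob, for example gated on icmpbcastecho and icmpmcastecho as in the ICMP_ECHO case. Also, the new "if (!icmptstampreply) break;" drops the packet without incrementing any counter, and icps_bmcasttstamp is no longer incremented here, so disabled timestamp requests become invisible in the ICMP statistics.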


