From owner-cvs-all Sun Sep 20 08:38:08 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA09679 for cvs-all-outgoing; Sun, 20 Sep 1998 08:38:08 -0700 (PDT) (envelope-from owner-cvs-all)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA09662 for ; Sun, 20 Sep 1998 08:38:04 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 19514 invoked by uid 1001); 20 Sep 1998 15:37:37 +0000 (GMT)
To: fenner@parc.xerox.com
Cc: jkoshy@FreeBSD.ORG, cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.network rc.conf src/sys/netinet ip_icmp.c src/lib/libc/gen sysctl.3
In-Reply-To: Your message of "Tue, 15 Sep 1998 14:29:22 PDT"
References: <199809152129.OAA08611@mango.parc.xerox.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 20 Sep 1998 17:37:37 +0200
Message-ID: <19512.906305857@verdi.nethelp.no>
Sender: owner-cvs-all@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I think this should be split and bcastecho should default to off and
> mcastecho should default to on. It's generally harder to forge the
> source address with multicast so SMURF-like attacks don't really work,
> and pinging multicast addresses is an extremely useful debugging tool.

OK, patch relative to ip_icmp.c 1.31 included. I also gave the time stamp
reply its own sysctl, with default to off. Thus we now have:

% sysctl net.inet.icmp
net.inet.icmp.maskrepl: 0
net.inet.icmp.bcastecho: 0
net.inet.icmp.mcastecho: 1
net.inet.icmp.tstampreply: 0

I've tested the changes (yes, even the time stamp reply). Seems to work
fine here. Feel free to call it 'tstamprepl' instead of 'tstampreply' in
order to be in the same style as 'maskrepl'.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no ---------------------------------------------------------------------- *** ip_icmp.c.orig Tue Sep 15 12:49:03 1998 --- ip_icmp.c Sun Sep 20 16:57:40 1998 *************** *** 69,76 **** SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); ! static int icmpbmcastecho = 0; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, 0, ""); #ifdef ICMPPRINTFS --- 69,84 ---- SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); ! static int icmpbcastecho = 0; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bcastecho, CTLFLAG_RW, &icmpbcastecho, ! 0, ""); ! ! static int icmpmcastecho = 1; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, mcastecho, CTLFLAG_RW, &icmpmcastecho, ! 0, ""); ! ! static int icmptstampreply = 0; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstampreply, CTLFLAG_RW, &icmptstampreply, 0, ""); #ifdef ICMPPRINTFS *************** *** 374,381 **** break; case ICMP_ECHO: ! if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) { icmpstat.icps_bmcastecho++; break; } --- 382,394 ---- break; case ICMP_ECHO: ! if (!icmpbcastecho ! && (m->m_flags & M_BCAST) != 0) { ! icmpstat.icps_bmcastecho++; ! break; ! } ! if (!icmpmcastecho ! && (m->m_flags & M_MCAST) != 0) { icmpstat.icps_bmcastecho++; break; } *************** *** 383,393 **** goto reflect; case ICMP_TSTAMP: ! if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) { ! icmpstat.icps_bmcasttstamp++; break; - } if (icmplen < ICMP_TSLEN) { icmpstat.icps_badlen++; break; --- 396,403 ---- goto reflect; case ICMP_TSTAMP: ! if (!icmptstampreply) break; if (icmplen < ICMP_TSLEN) { icmpstat.icps_badlen++; break;
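
Review bot: the three SYSCTL_INT entries in the first hunk (69,76 to 69,84) all pass an empty description string "", so nothing in the OID itself says that bcastecho and tstampreply default to 0 and mcastecho defaults to 1, or why the defaults differ. A short description per entry would help. The hunk also drops the bmcastecho OID outright; the commit named in the Subject touched rc.network, rc.conf and sysctl.3 as well, and this patch changes only ip_icmp.c, so anything still setting or documenting net.inet.icmp.bmcastecho needs a matching update.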
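
Review bot: in the ICMP_ECHO case (hunk 374,381 to 382,394) both the M_BCAST branch and the M_MCAST branch increment icmpstat.icps_bmcastecho, so the statistic cannot show which of the two knobs discarded a request. If the shared counter is intentional, a one-line comment saying so would prevent a later reader from treating it as a copy-and-paste slip; otherwise give the multicast branch its own counter.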
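
Review bot: in the ICMP_TSTAMP case (hunk 383,393 to 396,403) the replacement test "if (!icmptstampreply) break;" no longer looks at m->m_flags at all, so once tstampreply is set to 1 a timestamp request sent to a broadcast or multicast address is answered even with bcastecho at 0. That reopens, for timestamp replies, the broadcast amplification path the echo knob closes. Suggest keeping an M_BCAST / M_MCAST check after the new test, gated on icmpbcastecho and icmpmcastecho or on dedicated knobs. The hunk also removes the icmpstat.icps_bmcasttstamp++ line, so discarded timestamp requests are no longer counted here; either count the new drop path or say in the commit message that the counter is being retired.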