From owner-freebsd-security Tue Jan 25 9:33:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 5237314DFA for ; Tue, 25 Jan 2000 09:33:19 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id JAA04770; Tue, 25 Jan 2000 09:33:16 -0800 (PST) (envelope-from dillon)
Date: Tue, 25 Jan 2000 09:33:16 -0800 (PST)
From: Matthew Dillon
Message-Id: <200001251733.JAA04770@apollo.backplane.com>
To: Warner Losh
Cc: security@FreeBSD.ORG
Subject: Re: Merged patches
References: <200001251637.JAA04226@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:this patch.  I'm thinking seriously of removing the ICMP_BANDLIM
:option as an option (eg compile the code in no matter what), but
:raising the limit from 100 to 1000 or something like that so it won't
:normally impact people, but those desiring to harden their servers can
:drift the number downward.
:
:Comment?
:
:Warner

    I'd increase the default to 200, no higher.  1000 is probably too
    high a rate.

    I found a bug in the patch:

: #endif
:-	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
:-		goto drop;
:+	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
:+	    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
:+	    IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
: #ifdef INET6
: 	if (isipv6) {
: 		MALLOC(sin6, struct sockaddr_in6 *, sizeof *sin6,

    In the above section, the 'goto drop' was removed.  Shouldn't that
    stay in?  The body of this 'if' statement is now the conditional
    that follows it, which is not what I think you meant to do.

					-Matt
					Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
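Review bot: The rewritten `if` in the quoted hunk has no statement of its own: the `-` lines delete both the old condition and its `goto drop;`, but the three `+` lines add back only the widened condition, so the body of the new `if` is whatever statement follows the `#endif` (under `#ifdef INET6` that is the `if (isipv6) {` block, and in a build without INET6 it is the next statement after it). The multicast-destination drop that existed before the patch is therefore lost, and the new multicast-source and experimental-source checks do not drop anything either; the fix is to restore the drop directly after the condition, i.e. `+	    IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))` followed by `+		goto drop;`, so that the `#ifdef INET6` block is again reached only for packets that passed the check.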