From owner-freebsd-net Mon Nov 5 19:19:25 2001
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 11DBD37B416; Mon, 5 Nov 2001 19:19:23 -0800 (PST)
Received: (qmail 31866 invoked by uid 1000); 6 Nov 2001 03:19:22 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 6 Nov 2001 03:19:22 -0000
Date: Mon, 5 Nov 2001 21:19:22 -0600 (CST)
From: Mike Silbersack
To: Luigi Rizzo
Cc:
Subject: Re: limiting outgoing ICMP's
In-Reply-To: <20011105184856.B79198@iguana.aciri.org>
Message-ID: <20011105211012.V31861-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk

On Mon, 5 Nov 2001, Luigi Rizzo wrote:

> Am I wrong, or does all of the ICMP_BANDLIM stuff only deal with
> _incoming_ ICMP messages and udp badport?

The current setup is that badport_bandlim is called whenever a packet with an abusable response is received; if more than X per second have been responded to, no more replies will be issued that second. However, it could just as easily be used if hooked in at the output stage.

> I see no way to intercept calls to icmp_error(), which is
> invoked both by ip_input and ip_fw.
>
> BTW, why is the check to badport_bandlim not moved inside
> icmp_error itself?

You could add a new limiting type inside icmp_error if you wish; there's no such call at present because nobody thought of it yet.

> For the record, the problem came out when sending packets to
> a FreeBSD router box which did not have a default route nor a route
> for the intended destination of the packet. Pretty easy to test.
>
> cheers
> luigi

Ah, that issue hadn't come up on my little LAN. :) Sounds like a good place to rate limit replies, though.
Just add your new types into icmp_var.h, add the new string into ip_icmp.c, add calls to badport_bandlim at appropriate locations, and you should be done. I'd be glad to give a quick glance over the finished patch.

Mike "Silby" Silbersack
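The per-second limiter the reply describes (a counter per reply type that is reset each second, with further replies of that type suppressed once the counter reaches the limit) is easy to see in isolation. The block below is an added example written for this page; it is not FreeBSD's ip_icmp.c and does not reproduce its code. The limit-type names, the `icmplim` default of 200, the `simulate_burst` helper and the explicit `now_sec` clock argument are all assumptions made to keep it self-contained; the third limit class stands in for the "no route to destination" case Luigi describes, which is exactly the kind of new type one would add next to the port-unreachable and echo ones.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit classes. FreeBSD keeps its real ones in icmp_var.h;
 * these names and the third class are assumptions for this example. */
enum bandlim_type {
    BANDLIM_UNREACH_PORT = 0, /* UDP/TCP port unreachable replies */
    BANDLIM_ECHO,             /* ICMP echo replies */
    BANDLIM_UNREACH_NET,      /* "no route" replies from a router (assumed new type) */
    BANDLIM_MAX
};

/* One log string per type, the way the reply says ip_icmp.c needs one. */
static const char *bandlim_name[BANDLIM_MAX] = {
    "icmp unreach port response",
    "icmp echo response",
    "icmp unreach net response"
};

/* Per-type state: which second the counter belongs to, how many replies
 * were sent in that second, and how many were suppressed (for the log line). */
struct bandlim_state {
    long last_sec;
    int  sent;
    int  dropped;
};

static struct bandlim_state bl_state[BANDLIM_MAX];

/* Replies per second allowed per type. 200 is an assumed default for the
 * example (the kernel exposes its own value as a sysctl). */
static int icmplim = 200;

/* Return 1 if the reply must be suppressed, 0 if it may be sent.
 * now_sec is the current time in whole seconds; it is passed in rather than
 * read from a clock so the behaviour is deterministic and testable. */
int badport_bandlim(enum bandlim_type type, long now_sec)
{
    struct bandlim_state *s;

    if (icmplim <= 0 || (int)type < 0 || type >= BANDLIM_MAX)
        return 0;               /* limiting disabled or unknown type: let it through */

    s = &bl_state[type];
    if (s->last_sec != now_sec) {
        /* New second: report what happened in the old one, then reset. */
        if (s->dropped > 0)
            fprintf(stderr, "Limiting %s from %d to %d packets per second\n",
                    bandlim_name[type], s->sent + s->dropped, icmplim);
        s->last_sec = now_sec;
        s->sent = 0;
        s->dropped = 0;
    }

    if (s->sent >= icmplim) {
        s->dropped++;
        return 1;               /* over the limit for this second */
    }
    s->sent++;
    return 0;
}

/* Drive n reply attempts of one type within the same second and return how
 * many would actually be sent. */
int simulate_burst(enum bandlim_type type, long now_sec, int n)
{
    int sent = 0;
    int i;
    for (i = 0; i < n; i++)
        if (!badport_bandlim(type, now_sec))
            sent++;
    return sent;
}

void bandlim_reset(void)
{
    memset(bl_state, 0, sizeof bl_state);
}

int main(void)
{
    bandlim_reset();
    /* A flood of 500 packets to a router with no route: only 200 unreachables go out. */
    printf("unreach net sent: %d of 500\n", simulate_burst(BANDLIM_UNREACH_NET, 100, 500));
    /* Echo replies in the same second are counted separately. */
    printf("echo sent: %d of 10\n", simulate_burst(BANDLIM_ECHO, 100, 10));
    /* The next second starts fresh and emits the log line for the previous one. */
    printf("unreach net sent next second: %d of 50\n", simulate_burst(BANDLIM_UNREACH_NET, 101, 50));
    return 0;
}
```

Hooking such a check into icmp_error() rather than at each caller is what the thread suggests: every generated ICMP error, including the no-route case from ip_input and the ones raised by ip_fw, would then pass through one counter per type, and the caller-side checks in udp_input and elsewhere could be removed.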