src/sys/netinet/ip_icmp.c, branch release/3.5.0_cvs FreeBSD source tree This commit was manufactured by cvs2svn to create tag 2000-06-25T00:20:49+00:00 cvs2svn cvs2svn@FreeBSD.org 2000-06-25T00:20:49+00:00 8e878a0310eae754021dbd73ca928eaf7cf6a65c 'RELENG_3_5_0_RELEASE'. This commit was manufactured to restore the state of the 3.5-RELEASE image. Releases prior to 5.3-RELEASE are omitting the secure/ and crypto/ subdirs. 
'RELENG_3_5_0_RELEASE'.

This commit was manufactured to restore the state of the 3.5-RELEASE image.
Releases prior to 5.3-RELEASE are omitting the secure/ and crypto/ subdirs.
MFC: correct boundary checks against IP options 2000-06-08T15:11:50+00:00 Jonathan Lemon jlemon@FreeBSD.org 2000-06-08T15:11:50+00:00 4a2a2458ce06cf19c3f630feff2959045ebc2504 






MFC: Add the net.inet.icmp.drop_redirect, net.inet.icmp.log_redirect,
1999-10-14T11:49:38+00:00

Dag-Erling Smørgrav
des@FreeBSD.org

1999-10-14T11:49:38+00:00

2cff5ec308c720ff6ce71ca875b2f412c350525f

net.inet.tcp.drop_synfin and net.inet.tcp.restrict_rst sysctls.





net.inet.tcp.drop_synfin and net.inet.tcp.restrict_rst sysctls.







$Id$ -> $FreeBSD$
1999-08-29T16:33:42+00:00

Peter Wemm
peter@FreeBSD.org

1999-08-29T16:33:42+00:00

c4f617ca01b475bdf034553dfe123deeb1589899












MFC: When an incoming packet is reflected back as an ICMP reply, make sure we
1999-03-06T23:12:32+00:00

Archie Cobbs
archie@FreeBSD.org

1999-03-06T23:12:32+00:00

787a3af8ea279e6de4188e2b6b1eb47cc8b0732b

zero "m->m_pkthdr.rcvif", otherwise ipfw may wrongly match the outgoing packet.





zero "m->m_pkthdr.rcvif", otherwise ipfw may wrongly match the outgoing packet.







    Cleanup icmp_var.h, make icmp bandlim sysctl permanent but if ICMP_BANDLIM
1998-12-04T04:21:25+00:00

Matthew Dillon
dillon@FreeBSD.org

1998-12-04T04:21:25+00:00

5fce7fc47f06028dd000712d8df55ff54de36c09

    option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.





    option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.







Reviewed by:	freebsd-current
1998-12-03T20:23:21+00:00

Matthew Dillon
dillon@FreeBSD.org

1998-12-03T20:23:21+00:00

51508de112f6fd562148cad74dde057d9e9e7305

    Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.





    Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.







Turn off replies to ICMP echo requests for broadcast and multicast
1998-09-15T10:49:03+00:00

Joseph Koshy
jkoshy@FreeBSD.org

1998-09-15T10:49:03+00:00

61a4defd549e94b2bc43b5e964ceca6a12241540

addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>





addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>







Fixed logic in the test to drop ICMP echo and timestamp packets when
1998-05-26T11:34:30+00:00

David Greenman
dg@FreeBSD.org

1998-05-26T11:34:30+00:00

d311884fb6ec6734054955dce59fb7247c032969

net.inet.ip.icmp.bmcastecho = 0 by removing the extra check for the
address being a multicast address. The test now relies on the link
layer flags that indicate it was received via multicast. The previous
logic was broken and replied to ICMP echo/timestamp broadcasts even
when the sysctl option disallowed them.
Reviewed by:	wollman





net.inet.ip.icmp.bmcastecho = 0 by removing the extra check for the
address being a multicast address. The test now relies on the link
layer flags that indicate it was received via multicast. The previous
logic was broken and replied to ICMP echo/timestamp broadcasts even
when the sysctl option disallowed them.
Reviewed by:	wollman







ICMP Timestamp Request messages could have harbored the same sort of
1997-08-25T16:29:27+00:00

Garrett Wollman
wollman@FreeBSD.org

1997-08-25T16:29:27+00:00

fe0fb8abd09d4adf59261226e67e8dd58ecfd281

problem as Echo Requests when broad/multicast.  When multicast echo responses
are disabled, also do the same for timestamp responses.





problem as Echo Requests when broad/multicast.  When multicast echo responses
are disabled, also do the same for timestamp responses.