On Wed, 13 Nov 2002 [EMAIL PROTECTED] wrote:

> > Mike Silbersack <[EMAIL PROTECTED]> wrote:
> > >
> > >I can see how these source quench messages would cause problems if a DoS
> > >is being routed through a FreeBSD router, and I think that your patch
> > >makes sense.  Are there any objections to me committing this in a few
> > >days?
> >
> > Doesn't FreeBSD rate-limit ICMP as required by the RFC? If there is a
> > but it's that the rate-limiting isn't happening, not that source-quench
> > packets are being generated. If it's important that FreeBSD routers not
> > generate them then it should be a sysctl option.
> I am second for a sysctl option.
> One of requirements when licensing networks
> in Russia is source-quench support.

Ok, here's the patch I intend to commit; please give it a quick look over
to see if I made any mistakes.  This should provide the sysctl
functionality requested.

Thanks,

Mike "Silby" Silbersack
diff -u -r /usr/src/sys.old/netinet/ip_input.c /usr/src/sys/netinet/ip_input.c
--- /usr/src/sys.old/netinet/ip_input.c Thu Nov 14 12:37:43 2002
+++ /usr/src/sys/netinet/ip_input.c     Thu Nov 14 12:45:21 2002
@@ -125,6 +125,11 @@
        &ip_maxfragpackets, 0,
        "Maximum number of IPv4 fragment reassembly queue entries");
 
+static int     ip_sendsourcequench = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW,
+       &ip_sendsourcequench, 0,
+       "Enable the transmission of source quench packets");
+
 /*
  * XXX - Setting ip_checkinterface mostly implements the receive side of
  * the Strong ES model described in RFC 1122, but since the routing table
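Review bot: the new net.inet.ip.sendsourcequench knob is not documented anywhere outside the SYSCTL_INT description string; since this flips the default behaviour of ip_forward() for every FreeBSD router, the commit should also touch the ip(4) manual page (or wherever the other net.inet.ip sysctls are listed) and mention the default of 0 and the RFC 1812 rationale, so administrators who rely on source quench (as raised earlier in this thread) can find the switch. The declaration itself looks fine: static, defaults to 0, CTLFLAG_RW, and matches the style of the surrounding ip_maxfragpackets entry.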
@@ -1970,8 +1975,21 @@
                break;
 
        case ENOBUFS:
-               type = ICMP_SOURCEQUENCH;
-               code = 0;
+               /*
+                * A router should not generate ICMP_SOURCEQUENCH as
+                * required in RFC1812 Requirements for IP Version 4 Routers.
+                * Source quench could be a big problem under DoS attacks,
+                * or if the underlying interface is rate-limited.
+                * Those who need source quench packets may re-enable them
+                * via the net.inet.ip.sendsourcequench sysctl.
+                */
+               if (ip_sendsourcequench == 0) {
+                       m_freem(mcopy);
+                       return;
+               } else {
+                       type = ICMP_SOURCEQUENCH;
+                       code = 0;
+               }
                break;
 
        case EACCES:                    /* ipfw denied packet */
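Review bot: the `else` branch is redundant because the `if` body ends in an unconditional `return`; style(9) would prefer dropping the `else` and leaving `type = ICMP_SOURCEQUENCH; code = 0;` at the same indentation as the `break`, which also keeps the diff against the old two lines minimal. The early `m_freem(mcopy); return;` path is correct in that it frees the copy that would otherwise be consumed by icmp_error() and skips the ICMP generation entirely, but it is worth double-checking that every caller of this switch reaches it with mcopy non-NULL (or relying on m_freem() tolerating NULL), and the comment could cite the exact RFC 1812 section so the next reader does not have to search for it.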
