PR/42243: Yasuoka Masahiko: Add "net.inet.icmp.bmcastecho" sysctl support,

to disable icmp replies to the broadcast address.
2009-12-07 18:47:24 +00:00 · 2009-12-07 18:47:24 +00:00 · adf7e47145
commit adf7e47145
parent 04489f616a
3 changed files with 34 additions and 6 deletions
--- a/share/man/man7/sysctl.7
+++ b/share/man/man7/sysctl.7
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.7,v 1.27 2009/10/05 10:47:52 wiz Exp $
+.\"	$NetBSD: sysctl.7,v 1.28 2009/12/07 18:47:24 christos Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -983,6 +983,7 @@ The currently defined protocols and names are:
 .It icmp	maskrepl	integer	yes
 .It icmp	rediraccept	integer	yes
 .It icmp	redirtimeout	integer	yes
+.It icmp	bmcastecho	integer	yes
 .It ip	allowsrcrt	integer	yes
 .It ip	anonportmax	integer	yes
 .It ip	anonportmin	integer	yes
@ -1192,6 +1193,9 @@ ICMP redirect.
 This defaults to 600 seconds.
 .It Li icmp.returndatabytes
 Number of bytes to return in an ICMP error message.
+.It Li icmp.bmcastecho
+If set to 1, enables responding to ICMP echo or timestamp request to the
+broadcast address.
 .It Li tcp.ack_on_push
 If set to 1, TCP is to immediately transmit an ACK upon reception of
 a packet with PUSH set.
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@ -1,4 +1,4 @@
-/*	$NetBSD: icmp_var.h,v 1.27 2008/04/12 05:58:22 thorpej Exp $	*/
+/*	$NetBSD: icmp_var.h,v 1.28 2009/12/07 18:47:24 christos Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1993
@ -57,7 +57,10 @@
 		/* space for ICMP_MAXTYPE + 1 (19) counters */
 #define	ICMP_STAT_PMTUCHG	46	/* path MTU changes */

-#define	ICMP_NSTATS		47
+#define	ICMP_STAT_BMCASTECHO	47	/* b/mcast echo requests dropped */
+#define	ICMP_STAT_BMCASTTSTAMP	48	/* b/mcast tstamp requests dropped */
+
+#define	ICMP_NSTATS		49

 #if ICMP_MAXTYPE != 18
 #error ICMP_MAXTYPE too large for ICMP statistics
@ -75,7 +78,8 @@
 #define ICMPCTL_REDIRACCEPT	5	/* Accept redirects from routers */
 #define ICMPCTL_REDIRTIMEOUT	6	/* Remove routes added via redirects */
 #define	ICMPCTL_STATS		7	/* ICMP statistics */
-#define ICMPCTL_MAXID		8
+#define ICMPCTL_BMCASTECHO	8	/* allow broad/mult-cast echo */
+#define ICMPCTL_MAXID		9

 #define ICMPCTL_NAMES { \
 	{ 0, 0 }, \
@ -86,6 +90,7 @@
 	{ "rediraccept", CTLTYPE_INT }, \
 	{ "redirtimeout", CTLTYPE_INT }, \
 	{ "stats", CTLTYPE_STRUCT }, \
+	{ "bmcastecho", CTLTYPE_INT }, \
 }

 #ifdef _KERNEL
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_icmp.c,v 1.121 2009/09/16 15:23:05 pooka Exp $	*/
+/*	$NetBSD: ip_icmp.c,v 1.122 2009/12/07 18:47:24 christos Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -94,7 +94,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.121 2009/09/16 15:23:05 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.122 2009/12/07 18:47:24 christos Exp $");

 #include "opt_ipsec.h"

@ -142,6 +142,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.121 2009/09/16 15:23:05 pooka Exp $");
 */

 int	icmpmaskrepl = 0;
+int	icmpbmcastecho = 0;
 #ifdef ICMPPRINTFS
 int	icmpprintfs = 0;
 #endif
@ -542,6 +543,11 @@ icmp_input(struct mbuf *m, ...)
 		break;

 	case ICMP_ECHO:
+		if (!icmpbmcastecho &&
+		    (m->m_flags & (M_MCAST | M_BCAST)) != 0)  {
+			ICMP_STATINC(ICMP_STAT_BMCASTECHO);
+			break;
+		}
 		icp->icmp_type = ICMP_ECHOREPLY;
 		goto reflect;

@ -550,6 +556,11 @@ icmp_input(struct mbuf *m, ...)
 			ICMP_STATINC(ICMP_STAT_BADLEN);
 			break;
 		}
+		if (!icmpbmcastecho &&
+		    (m->m_flags & (M_MCAST | M_BCAST)) != 0)  {
+			ICMP_STATINC(ICMP_STAT_BMCASTTSTAMP);
+			break;
+		}
 		icp->icmp_type = ICMP_TSTAMPREPLY;
 		icp->icmp_rtime = iptime();
 		icp->icmp_ttime = icp->icmp_rtime;	/* bogus, do later! */
@ -1055,6 +1066,14 @@ sysctl_netinet_icmp_setup(struct sysctllog **clog)
 		       sysctl_net_inet_icmp_stats, 0, NULL, 0,
 		       CTL_NET, PF_INET, IPPROTO_ICMP, ICMPCTL_STATS,
 		       CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "bmcastecho",
+		       SYSCTL_DESCR("Respond to ICMP_ECHO or ICMP_TIMESTAMP "
+				    "message to the broadcast or multicast"),
+		       NULL, 0, &icmpbmcastecho, 0,
+		       CTL_NET, PF_INET, IPPROTO_ICMP, ICMPCTL_BMCASTECHO,
+		       CTL_EOL);
 }

 void