-rw-r--r--include/net/icmp.h7
-rw-r--r--include/net/netns/ipv4.h7
-rw-r--r--net/ipv4/icmp.c60
-rw-r--r--net/ipv4/sysctl_net_ipv4.c12
4 files changed, 44 insertions, 42 deletions
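--- a/include/net/icmp.h
+++ b/include/net/icmp.h
@@ -65,11 +65,4 @@ static inline struct raw_sock *raw_sk(const struct sock *sk)
 	return (struct raw_sock *)sk;
 }
 
-extern int sysctl_icmp_echo_ignore_all;
-extern int sysctl_icmp_echo_ignore_broadcasts;
-extern int sysctl_icmp_ignore_bogus_error_responses;
-extern int sysctl_icmp_errors_use_inbound_ifaddr;
-extern int sysctl_icmp_ratelimit;
-extern int sysctl_icmp_ratemask;
-
 #endif /* _ICMP_H */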
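--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -35,5 +35,12 @@ struct netns_ipv4 {
 	struct xt_table *iptable_raw;
 	struct xt_table *arptable_filter;
 #endif
+
+	int sysctl_icmp_echo_ignore_all;
+	int sysctl_icmp_echo_ignore_broadcasts;
+	int sysctl_icmp_ignore_bogus_error_responses;
+	int sysctl_icmp_ratelimit;
+	int sysctl_icmp_ratemask;
+	int sysctl_icmp_errors_use_inbound_ifaddr;
 };
 #endif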
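Review bot: The six new `struct netns_ipv4` fields carry no comment on their units or meaning; the only hint is in the icmp.c initialiser (`1 * HZ` for ratelimit, `0x1818` for ratemask). A short comment above the group would spare readers a trip to icmp_sk_init, e.g. `/* ICMP sysctls: ratelimit is presumably in jiffies (default 1 * HZ), ratemask a bitmask of rate-limited ICMP types (default 0x1818) */`. The declaration order here also differs from the order the externs had in include/net/icmp.h and from the initialisation order in icmp_sk_init; aligning the three lists would make them easier to cross-check. struct netns_ipv4 begins outside the hunk.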
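--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -188,29 +188,6 @@ struct icmp_err icmp_err_convert[] = {
 	},
 };
 
-/* Control parameters for ECHO replies. */
-int sysctl_icmp_echo_ignore_all __read_mostly;
-int sysctl_icmp_echo_ignore_broadcasts __read_mostly = 1;
-
-/* Control parameter - ignore bogus broadcast responses? */
-int sysctl_icmp_ignore_bogus_error_responses __read_mostly = 1;
-
-/*
- * Configurable global rate limit.
- *
- * ratelimit defines tokens/packet consumed for dst->rate_token bucket
- * ratemask defines which icmp types are ratelimited by setting
- * it's bit position.
- *
- * default:
- * dest unreachable (3), source quench (4),
- * time exceeded (11), parameter problem (12)
- */
-
-int sysctl_icmp_ratelimit __read_mostly = 1 * HZ;
-int sysctl_icmp_ratemask __read_mostly = 0x1818;
-int sysctl_icmp_errors_use_inbound_ifaddr __read_mostly;
-
 /*
  * ICMP control array. This specifies what to do with each ICMP.
  */
@@ -310,8 +287,8 @@ static inline int icmpv4_xrlim_allow(struct rtable *rt, int type, int code)
 		goto out;
 
 	/* Limit if icmp type is enabled in ratemask. */
-	if ((1 << type) & sysctl_icmp_ratemask)
-		rc = xrlim_allow(dst, sysctl_icmp_ratelimit);
+	if ((1 << type) & init_net.ipv4.sysctl_icmp_ratemask)
+		rc = xrlim_allow(dst, init_net.ipv4.sysctl_icmp_ratelimit);
 out:
 	return rc;
 }
@@ -523,7 +500,8 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
 	if (!(rt->rt_flags & RTCF_LOCAL)) {
 		struct net_device *dev = NULL;
 
-		if (rt->fl.iif && sysctl_icmp_errors_use_inbound_ifaddr)
+		if (rt->fl.iif &&
+		    init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr)
 			dev = dev_get_by_index(net, rt->fl.iif);
 
 		if (dev) {
@@ -745,7 +723,7 @@ static void icmp_unreach(struct sk_buff *skb)
 	 * get the other vendor to fix their kit.
 	 */
 
-	if (!sysctl_icmp_ignore_bogus_error_responses &&
+	if (!init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses &&
 	    inet_addr_type(net, iph->daddr) == RTN_BROADCAST) {
 		if (net_ratelimit())
 			printk(KERN_WARNING "%u.%u.%u.%u sent an invalid ICMP "
@@ -840,7 +818,7 @@ out_err:
 
 static void icmp_echo(struct sk_buff *skb)
 {
-	if (!sysctl_icmp_echo_ignore_all) {
+	if (!init_net.ipv4.sysctl_icmp_echo_ignore_all) {
 		struct icmp_bxm icmp_param;
 
 		icmp_param.data.icmph = *icmp_hdr(skb);
@@ -1051,7 +1029,7 @@ int icmp_rcv(struct sk_buff *skb)
 	 */
 	if ((icmph->type == ICMP_ECHO ||
 	     icmph->type == ICMP_TIMESTAMP) &&
-	    sysctl_icmp_echo_ignore_broadcasts) {
+	    init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts) {
 		goto error;
 	}
 	if (icmph->type != ICMP_ECHO &&
@@ -1195,6 +1173,30 @@ int __net_init icmp_sk_init(struct net *net)
 		 */
 		sk->sk_prot->unhash(sk);
 	}
+
+	/* Control parameters for ECHO replies. */
+	net->ipv4.sysctl_icmp_echo_ignore_all = 0;
+	net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
+
+	/* Control parameter - ignore bogus broadcast responses? */
+	net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;
+
+	/*
+	 * Configurable global rate limit.
+	 *
+	 * ratelimit defines tokens/packet consumed for dst->rate_token
+	 * bucket ratemask defines which icmp types are ratelimited by
+	 * setting it's bit position.
+	 *
+	 * default:
+	 * dest unreachable (3), source quench (4),
+	 * time exceeded (11), parameter problem (12)
+	 */
+
+	net->ipv4.sysctl_icmp_ratelimit = 1 * HZ;
+	net->ipv4.sysctl_icmp_ratemask = 0x1818;
+	net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr = 0;
+
 	return 0;
 
 fail: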
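Review bot: Every reader still consults `init_net` even though icmp_sk_init now initialises the fields on each `net`, so the per-namespace copies written at the end of icmp_sk_init are never read back; in icmp_unreach (`inet_addr_type(net, iph->daddr)`) and icmp_send (`dev_get_by_index(net, rt->fl.iif)`) a local `net` is already in scope, so `if (!net->ipv4.sysctl_icmp_ignore_bogus_error_responses &&` and `if (rt->fl.iif && net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr)` would honour it. For icmpv4_xrlim_allow, icmp_echo and icmp_rcv no `net` is visible in their hunks, so those presumably need one derived from the skb or dst before they can follow. If init_net is meant as a transitional step, a comment at the new icmp_sk_init block saying the values are not yet honoured per namespace — together with the global ipv4_table entries in net/ipv4/sysctl_net_ipv4.c, which likewise point at init_net — would stop a reader from assuming a child namespace can tune its own ICMP rate limit or echo-ignore behaviour. All of the functions touched here start and end outside their hunks.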
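--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -406,7 +406,7 @@ static struct ctl_table ipv4_table[] = {
 	{
 		.ctl_name = NET_IPV4_ICMP_ECHO_IGNORE_ALL,
 		.procname = "icmp_echo_ignore_all",
-		.data = &sysctl_icmp_echo_ignore_all,
+		.data = &init_net.ipv4.sysctl_icmp_echo_ignore_all,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = &proc_dointvec
@@ -414,7 +414,7 @@ static struct ctl_table ipv4_table[] = {
 	{
 		.ctl_name = NET_IPV4_ICMP_ECHO_IGNORE_BROADCASTS,
 		.procname = "icmp_echo_ignore_broadcasts",
-		.data = &sysctl_icmp_echo_ignore_broadcasts,
+		.data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = &proc_dointvec
@@ -422,7 +422,7 @@ static struct ctl_table ipv4_table[] = {
 	{
 		.ctl_name = NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES,
 		.procname = "icmp_ignore_bogus_error_responses",
-		.data = &sysctl_icmp_ignore_bogus_error_responses,
+		.data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = &proc_dointvec
@@ -430,7 +430,7 @@ static struct ctl_table ipv4_table[] = {
 	{
 		.ctl_name = NET_IPV4_ICMP_ERRORS_USE_INBOUND_IFADDR,
 		.procname = "icmp_errors_use_inbound_ifaddr",
-		.data = &sysctl_icmp_errors_use_inbound_ifaddr,
+		.data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = &proc_dointvec
@@ -588,7 +588,7 @@ static struct ctl_table ipv4_table[] = {
 	{
 		.ctl_name = NET_IPV4_ICMP_RATELIMIT,
 		.procname = "icmp_ratelimit",
-		.data = &sysctl_icmp_ratelimit,
+		.data = &init_net.ipv4.sysctl_icmp_ratelimit,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = &proc_dointvec
@@ -596,7 +596,7 @@ static struct ctl_table ipv4_table[] = {
 	{
 		.ctl_name = NET_IPV4_ICMP_RATEMASK,
 		.procname = "icmp_ratemask",
-		.data = &sysctl_icmp_ratemask,
+		.data = &init_net.ipv4.sysctl_icmp_ratemask,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = &proc_dointvec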