icmp echo disable (or dont answer pings)

Joel Sherrill joel.sherrill at oarcorp.com
Tue May 30 14:15:26 UTC 2006


Comments please.  This does seem like a reasonable application feature.

--joel

Steven Johnson wrote:

>Hi,
>
>I've posted this before, but it seems to have been missed, because it
>was in a message with other info.
>
>We need to be able to prevent all pings from being echoed in my application;
>it's an end-user security requirement.
>
>I've added a feature to the network stack to allow this to be toggled by
>the application (using a sysctl).  Patch is attached for comments.
>
>This patch is against 4.6.99.3
>
>Steven J
>  
>
>------------------------------------------------------------------------
>
>diff -Naur rtems-4.6.99.3-static-mbuf/cpukit/libnetworking/netinet/icmp_var.h rtems-4.6.99.3-icmpecho-alldisable/cpukit/libnetworking/netinet/icmp_var.h
>--- rtems-4.6.99.3-static-mbuf/cpukit/libnetworking/netinet/icmp_var.h	2006-04-27 10:48:53.000000000 +1100
>+++ rtems-4.6.99.3-icmpecho-alldisable/cpukit/libnetworking/netinet/icmp_var.h	2006-04-27 10:58:57.000000000 +1100
>@@ -54,6 +54,7 @@
> 	u_long	icps_badlen;		/* calculated bound mismatch */
> 	u_long	icps_reflect;		/* number of responses */
> 	u_long	icps_inhist[ICMP_MAXTYPE + 1];
>+        u_long  icps_allecho;           /* all echo requests dropped */
> 	u_long	icps_bmcastecho; 	/* b/mcast echo requests dropped */
> 	u_long	icps_bmcasttstamp; 	/* b/mcast tstamp requests dropped */
> };
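Review bot: `icps_allecho` is inserted in the middle of `struct icmpstat` and is indented with spaces where the neighbouring members use tabs. Placing it after `icps_bmcasttstamp` would leave the offsets of the existing counters unchanged, which matters if anything reads the structure by layout (not visible here, so worth checking). With tab indentation the member would read `u_long	icps_allecho;		/* all echo requests dropped */`. The struct definition starts outside the hunk.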
>diff -Naur rtems-4.6.99.3-static-mbuf/cpukit/libnetworking/netinet/ip_icmp.c rtems-4.6.99.3-icmpecho-alldisable/cpukit/libnetworking/netinet/ip_icmp.c
>--- rtems-4.6.99.3-static-mbuf/cpukit/libnetworking/netinet/ip_icmp.c	2006-04-27 10:48:53.000000000 +1100
>+++ rtems-4.6.99.3-icmpecho-alldisable/cpukit/libnetworking/netinet/ip_icmp.c	2006-04-27 11:05:31.000000000 +1100
>@@ -88,6 +88,10 @@
> SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
> 	   0, "");
> 
>+static int  icmpallecho = 1;
>+SYSCTL_INT(_net_inet_icmp, OID_AUTO, allecho, CTLFLAG_RW, &icmpallecho,
>+	   0, "");
>+
> /* #define ICMPPRINTFS 1 */
> #ifdef ICMPPRINTFS
> int	icmpprintfs = 0;
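Review bot: The new `icmpallecho` sysctl has an empty description and no comment, and its polarity is easy to misread: judging by the later `!icmpallecho` test, 1 (the default) means echo requests are answered and 0 means they are all dropped. I would add `/* 1 = answer ICMP echo requests (default), 0 = silently drop all of them */` above the declaration and replace `""` with a short description. The comment should also state that only ICMP_ECHO is affected; the separate timestamp counter in icmp_var.h suggests other ICMP queries are handled elsewhere, so a host with this set to 0 may still answer them. Because the node is `CTLFLAG_RW`, an application relying on it for a security requirement should set it at start-up and treat any later write as a configuration change worth auditing.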
>@@ -399,9 +403,10 @@
> 		break;
> 
> 	case ICMP_ECHO:
>-		if (!icmpbmcastecho
>-		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0
>-		    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
>+		if (!icmpallecho 
>+		    || (!icmpbmcastecho
>+			&& (m->m_flags & (M_MCAST | M_BCAST)) != 0
>+			&& IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))) {
> 			icmpstat.icps_bmcastecho++;
> 			break;
> 		}
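Review bot: The combined condition sends every drop, including the new `!icmpallecho` case, through `icmpstat.icps_bmcastecho++`, and nothing in the patch ever increments `icps_allecho`. As written, the "all echo requests dropped" line added to rtems_showicmpstat.c will stay at zero while the b/mcast counter is inflated by unicast pings, which makes the statistics misleading for anyone monitoring ping traffic. Testing `icmpallecho` in its own branch ahead of the broadcast/multicast check, with its own counter, fixes both, and the multicast test can then keep its pre-patch form. The `case ICMP_ECHO` body and the enclosing function continue outside the hunk.

```c
	case ICMP_ECHO:
		if (!icmpallecho) {
			icmpstat.icps_allecho++;
			break;
		}
		/* … unchanged: !icmpbmcastecho broadcast/multicast test and icps_bmcastecho++ … */
```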
>diff -Naur rtems-4.6.99.3-static-mbuf/cpukit/libnetworking/rtems/rtems_showicmpstat.c rtems-4.6.99.3-icmpecho-alldisable/cpukit/libnetworking/rtems/rtems_showicmpstat.c
>--- rtems-4.6.99.3-static-mbuf/cpukit/libnetworking/rtems/rtems_showicmpstat.c	2006-04-27 10:48:53.000000000 +1100
>+++ rtems-4.6.99.3-icmpecho-alldisable/cpukit/libnetworking/rtems/rtems_showicmpstat.c	2006-04-27 11:07:06.000000000 +1100
>@@ -52,6 +52,7 @@
> 	showicmpstat ("bad checksum", icmpstat.icps_checksum);
> 	showicmpstat ("calculated bound mismatch", icmpstat.icps_badlen);
> 	showicmpstat ("number of responses", icmpstat.icps_reflect);
>+        showicmpstat ("all echo requests dropped", icmpstat.icps_allecho);
> 	showicmpstat ("b/mcast echo requests dropped", icmpstat.icps_bmcastecho);
> 	showicmpstat ("b/mcast tstamp requests dropped", icmpstat.icps_bmcasttstamp);
> 	for (i = 0 ; i <= ICMP_MAXTYPE ; i++) {
>
>  
>



