The HyperNews Linux KHG Discussion Pages

Feedback: ICMP send rate limit / ignoring

Forum: The Linux Kernel Hackers' Guide
Re: Question Can you block or ignore ICMP packets?
Keywords: ICMP ping Internet echo flood
Date: Thu, 15 May 1997 14:30:48 GMT
From: Jukka Santala <[email protected]>

While adding that #define CONFIG_IP_IGNORE_ECHO_REQUESTS into linux/net/ipv4/icmp.c will work fine for now, I'd suggest putting it into the configuration-headers so it doesn't tangle up with further patches, or, should that define later move into different file(s), lose its efficiency. This is also the easiest way to make sure all future versions of the kernel you compile get that setting defined.

Unfortunately, I'm not quite sure where you can stick it without messing up the kernel autoconfig ;) If anybody has any input on this, it would be most welcome.

Meanwhile, if you're worried that ignoring _all_ echo-requests may be a bit too rough a move, there's a way to make the kernel ignore them selectively. This is available at least in the 2.1.X series; unfortunately I don't know if it's elsewhere.

While browsing the net earlier I came upon a site with cross-referenced kernel sources for all major Linux distributions, so I thought I'd check it out from there, but naturally I didn't save the URL anywhere, typical, so if somebody knows that site I'd appreciate knowing too ;)

But back on track... so how do you make that selective ignore? Simple: first make sure CONFIG_NO_ICMP_LIMIT _isn't_ defined - don't worry how, it won't be ;) Next, in linux/net/ipv4/icmp.c go to the end of the file where there is a table of ICMP definitions - the first entry is after /* ECHO REPLY (0) */. This is, incidentally, what you need to change. Change the NULL on that line to &xrl_generic. So what does that do? I suggest you look at the source and try to figure that out yourself - it's not that hard, and allows you to better diddle with it. (However, the limit-code seems pretty inefficient to me, and is no use against spoofed ICMP-floods, so I suggest relying on it with caution.)


1. More: Omission in earlier rate-limit... by Jukka Santala
-> News: Patch worked... by Jukka Santala
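
Added example, not part of the original post and not the kernel's xrl_generic code: a simplified per-source reply limiter in C, showing why a limit keyed on the source address holds for one sender but not when every request carries a different (spoofed) source, and how a global reply budget bounds the load either way. The table size, limits, function names and 10.0.0.x addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sketch; all names and values below are hypothetical. */
#define SLOTS         64   /* size of the per-source table */
#define PER_SRC_LIMIT 5    /* replies allowed per source per window */

struct src_entry { uint32_t addr; unsigned count; int used; };
static struct src_entry table[SLOTS];

/* Returns 1 if an echo request from addr may be answered in this window. */
static int per_source_allow(uint32_t addr)
{
    struct src_entry *e = &table[(addr ^ (addr >> 16)) % SLOTS];

    if (!e->used || e->addr != addr) {   /* unseen source or collision: evict */
        e->addr = addr;
        e->count = 0;
        e->used = 1;
    }
    if (e->count >= PER_SRC_LIMIT)
        return 0;
    e->count++;
    return 1;
}

/* Replies sent for n echo requests arriving in one window.
 * vary_source != 0: each request has a different source address.
 * global_cap  != 0: additionally stop replying after global_cap replies. */
unsigned replies_sent(unsigned n, int vary_source, unsigned global_cap)
{
    unsigned i, sent = 0;

    memset(table, 0, sizeof table);      /* start of a new window */
    for (i = 0; i < n; i++) {
        uint32_t src = 0x0A000001u + (vary_source ? i : 0); /* constructed */
        if (global_cap && sent >= global_cap)
            break;                       /* global budget exhausted */
        sent += per_source_allow(src);
    }
    return sent;
}

int main(void)
{
    printf("one source, per-source limit only:    %u\n", replies_sent(1000, 0, 0));
    printf("varying source, per-source limit only: %u\n", replies_sent(1000, 1, 0));
    printf("varying source, global cap of 50:      %u\n", replies_sent(1000, 1, 50));
    return 0;
}
```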