From drbrain@magnesium.net  Sun Feb  3 12:23:36 2002
Return-Path: <drbrain@magnesium.net>
Received: from magnesium.net (toxic.magnesium.net [207.154.84.15])
	by hub.freebsd.org (Postfix) with SMTP id 99B8D37B416
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  3 Feb 2002 12:23:35 -0800 (PST)
Received: (qmail 23717 invoked by uid 1100); 3 Feb 2002 20:23:35 -0000
Message-Id: <20020203202335.GA23544@segment7.net>
Date: Sun, 3 Feb 2002 12:23:35 -0800
From: Eric Hodel <drbrain@segment7.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ICMP bandwidth limiting does not indicate interface
X-Send-Pr-Version: 3.113

>Number:         34591
>Category:       kern
>Synopsis:       ICMP bandwidth limiting does not indicate interface
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    andre
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 03 12:30:01 PST 2002
>Closed-Date:    Wed Sep 14 16:41:32 GMT 2005
>Last-Modified:  Wed Sep 14 16:41:32 GMT 2005
>Originator:     Eric Hodel
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD PII350.home.segment7.net 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Sat
 Feb 2 17:14:25 PST 2002 root@PII350.home.segment7.net:/disks/current/obj/disks/
current/src/sys/PII350 i386

>Description:
When limiting the ICMP responses, the interface upon which the
bandwidth is being limited is not displayed. For a machine with
multiple interfaces, the administrator will have to employ other
tools to determine which interface is affected.

>How-To-Repeat:
nmap localhost

Will display the following message on the console:
Limiting closed port RST response from 470 to 200 packets per second

nmap can be installed from /usr/ports/security/nmap

>Fix:
Send the interface name and number to badport_bandlim and display
them in the message like this:

Limiting closed port RST response from 470 to 200 packets per second on lo0

The attached patch adds this functionality.

--- patch begins here ---
Index: icmp_var.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/icmp_var.h,v
retrieving revision 1.20
diff -c -r1.20 icmp_var.h
*** icmp_var.h	2001/12/14 19:30:42	1.20
--- icmp_var.h	2002/02/03 20:01:59
***************
*** 78,84 ****
  
  #ifdef _KERNEL
  SYSCTL_DECL(_net_inet_icmp);
! extern int badport_bandlim __P((int));
  #define BANDLIM_UNLIMITED -1
  #define BANDLIM_ICMP_UNREACH 0
  #define BANDLIM_ICMP_ECHO 1
--- 78,84 ----
  
  #ifdef _KERNEL
  SYSCTL_DECL(_net_inet_icmp);
! extern int badport_bandlim __P((int, const char *, short));
  #define BANDLIM_UNLIMITED -1
  #define BANDLIM_ICMP_UNREACH 0
  #define BANDLIM_ICMP_ECHO 1
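Review bot: the new prototype takes the interface as a split `const char *` name plus a `short` unit, which forces every caller to dig both out of `m->m_pkthdr.rcvif` itself; passing a `struct ifnet *` (or the mbuf) would keep each call site to one extra argument and let badport_bandlim() format the name and handle a missing interface in one place.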
Index: ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.66
diff -c -r1.66 ip_icmp.c
*** ip_icmp.c	2002/01/11 12:13:57	1.66
--- ip_icmp.c	2002/02/03 20:02:00
***************
*** 437,443 ****
  			break;
  		}
  		icp->icmp_type = ICMP_ECHOREPLY;
! 		if (badport_bandlim(BANDLIM_ICMP_ECHO) < 0)
  			goto freeit;
  		else
  			goto reflect;
--- 437,445 ----
  			break;
  		}
  		icp->icmp_type = ICMP_ECHOREPLY;
! 		if (badport_bandlim(BANDLIM_ICMP_ECHO,
! 				m->m_pkthdr.rcvif->if_name,
! 				m->m_pkthdr.rcvif->if_unit) < 0)
  			goto freeit;
  		else
  			goto reflect;
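Review bot: `m->m_pkthdr.rcvif` is dereferenced twice with no check that it is non-NULL; the original code on this path never touched rcvif, so the hunk introduces a new dependency on the receive interface being set for every mbuf reaching the ICMP_ECHO case. Either guard with `if (m->m_pkthdr.rcvif != NULL)` and fall back to a placeholder name, or pass the ifnet pointer and let badport_bandlim() deal with NULL.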
***************
*** 455,461 ****
  		icp->icmp_type = ICMP_TSTAMPREPLY;
  		icp->icmp_rtime = iptime();
  		icp->icmp_ttime = icp->icmp_rtime;	/* bogus, do later! */
! 		if (badport_bandlim(BANDLIM_ICMP_TSTAMP) < 0)
  			goto freeit;
  		else
  			goto reflect;
--- 457,465 ----
  		icp->icmp_type = ICMP_TSTAMPREPLY;
  		icp->icmp_rtime = iptime();
  		icp->icmp_ttime = icp->icmp_rtime;	/* bogus, do later! */
! 		if (badport_bandlim(BANDLIM_ICMP_TSTAMP,
! 				m->m_pkthdr.rcvif->if_name,
! 				m->m_pkthdr.rcvif->if_unit) < 1)
  			goto freeit;
  		else
  			goto reflect;
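Review bot: the comparison on the timestamp path was changed from `< 0` to `< 1`; since badport_bandlim() returns 0 when the reply is allowed, every ICMP timestamp request would `goto freeit` and never be answered. The other three call sites in the patch keep `< 0`, and this one should too: `m->m_pkthdr.rcvif->if_unit) < 0)`.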
***************
*** 821,827 ****
   */
  
  int
! badport_bandlim(int which)
  {
  	static int lticks[BANDLIM_MAX + 1];
  	static int lpackets[BANDLIM_MAX + 1];
--- 825,831 ----
   */
  
  int
! badport_bandlim(int which, const char *if_name, short if_unit)
  {
  	static int lticks[BANDLIM_MAX + 1];
  	static int lpackets[BANDLIM_MAX + 1];
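Review bot: the comment block that closes just above the function (the `*/` at the top of the hunk) is left as context, so it still describes a one-argument badport_bandlim(); add a line stating that `if_name`/`if_unit` identify the receiving interface of the packet being counted and are used only for the console message.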
***************
*** 849,858 ****
  
  	if ((unsigned int)dticks > hz) {
  		if (lpackets[which] > icmplim && icmplim_output) {
! 			printf("%s from %d to %d packets per second\n",
  				bandlimittype[which],
  				lpackets[which],
! 				icmplim
  			);
  		}
  		lticks[which] = ticks;
--- 853,864 ----
  
  	if ((unsigned int)dticks > hz) {
  		if (lpackets[which] > icmplim && icmplim_output) {
! 			printf("%s from %d to %d packets per second on %s%d\n",
  				bandlimittype[which],
  				lpackets[which],
! 				icmplim,
! 				if_name,
! 				if_unit
  			);
  		}
  		lticks[which] = ticks;
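Review bot: the interface printed here is not the one that carried the limited traffic. `lpackets[which]` is a single global counter per message class, and this printf sits inside the `dticks > hz` reset branch, i.e. it runs on the first call after the one-second window has expired, so `if_name`/`if_unit` belong to whichever packet happened to arrive next, possibly on an idle interface, and not to any packet that was counted or dropped. Attributing the limit to an interface would require per-interface counters; without them the message should not name one.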
Index: tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.146
diff -c -r1.146 tcp_input.c
*** tcp_input.c	2002/01/04 17:21:27	1.146
--- tcp_input.c	2002/02/03 20:02:05
***************
*** 2178,2184 ****
  	/*
  	 * Perform bandwidth limiting.
  	 */
! 	if (badport_bandlim(rstreason) < 0)
  		goto drop;
   
  #ifdef TCPDEBUG
--- 2178,2186 ----
  	/*
  	 * Perform bandwidth limiting.
  	 */
! 	if (badport_bandlim(rstreason,
! 			m->m_pkthdr.rcvif->if_name,
! 			m->m_pkthdr.rcvif->if_unit) < 0)
  		goto drop;
   
  #ifdef TCPDEBUG
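Review bot: this is the fourth copy of the same `m->m_pkthdr.rcvif->if_name, m->m_pkthdr.rcvif->if_unit` expansion, again without a NULL check on rcvif; if the split-argument signature is kept, a small helper macro taking the mbuf would avoid repeating the dereference at every call site and give one place to guard it.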
Index: udp_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.100
diff -c -r1.100 udp_usrreq.c
*** udp_usrreq.c	2001/11/08 02:13:17	1.100
--- udp_usrreq.c	2002/02/03 20:02:07
***************
*** 358,364 ****
  			udpstat.udps_noportbcast++;
  			goto bad;
  		}
! 		if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0)
  			goto bad;
  		if (blackhole)
  			goto bad;
--- 358,366 ----
  			udpstat.udps_noportbcast++;
  			goto bad;
  		}
! 		if (badport_bandlim(BANDLIM_ICMP_UNREACH,
! 				m->m_pkthdr.rcvif->if_name,
! 				m->m_pkthdr.rcvif->if_unit) < 0)
  			goto bad;
  		if (blackhole)
  			goto bad;
--- patch ends here ---


>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Eric Hodel <drbrain@segment7.net>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/34591: ICMP bandwidth limiting does not indicate interface
Date: Wed, 6 Feb 2002 17:46:30 -0800

 On Sun, Feb 03, 2002 at 12:23:35PM -0800, Eric Hodel wrote:
 [snip]
 
 > >Description:
 > When limiting the ICMP responses, the interface upon which the
 > bandwidth is being limited is not displayed. For a machine with
 > multiple interfaces, the administrator will have to employ other
 > tools to determine which interface is affected
 
 The patch is somewhat bogus since right now, the limiting has nothing
 to do with interfaces. That is, if you have a 200 limit and there are
 75 packets on if0, 75 packets on if1, and 75 packets on if2, you'll
 hit the limit. But which one should be displayed in the message? There
 is also the situation where there is a storm on if0, but an ICMP
 message from if1, where there is a low bandwidth, happens to trip the
 alarm.
 
 Now how often do situations like that happen? I really couldn't
 say. The patches provide a first approximation of the interface with
 the trouble, but can actually provide false information which I think
 may be more trouble than it's worth.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
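The scenario described above, as an added user-space model (not part of the PR or of FreeBSD's code): it mirrors the counting and message logic of the patched badport_bandlim() and feeds it constructed traffic. SIM_HZ, SIM_WHICH, the fxp/lo interface names and every sim_ identifier are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

#define SIM_HZ 100u           /* kernel ticks per second (assumed) */
#define BANDLIM_MAX 4
#define SIM_WHICH 3           /* one BANDLIM_* class; only the index matters */
static int sim_icmplim = 200; /* net.inet.icmp.icmplim default */
static int sim_lticks[BANDLIM_MAX + 1], sim_lpackets[BANDLIM_MAX + 1];
static char sim_last_msg[128];

/* Same control flow as the patched badport_bandlim(): one global counter per
 * class, the message is emitted on the first call after the one-second window
 * has expired, and -1 means "suppress this reply". */
static int sim_badport_bandlim(int which, const char *if_name, int if_unit,
                               int ticks)
{
    int dticks = ticks - sim_lticks[which];
    if ((unsigned int)dticks > SIM_HZ) {
        if (sim_lpackets[which] > sim_icmplim)
            snprintf(sim_last_msg, sizeof(sim_last_msg),
                     "Limiting from %d to %d packets per second on %s%d",
                     sim_lpackets[which], sim_icmplim, if_name, if_unit);
        sim_lticks[which] = ticks;
        sim_lpackets[which] = 0;
    }
    return (++sim_lpackets[which] > sim_icmplim) ? -1 : 0;
}

/* Crist's scenario with constructed traffic: 225 closed-port probes in one
 * second spread round-robin over fxp0..fxp2 (none exceeds 200 alone), then one
 * packet on the idle loopback after the window rolls over. Returns the number
 * of suppressed replies; the console message is left in sim_last_msg. */
int sim_run_scenario(void)
{
    int suppressed = 0, i;
    memset(sim_lticks, 0, sizeof(sim_lticks));
    memset(sim_lpackets, 0, sizeof(sim_lpackets));
    sim_last_msg[0] = '\0';
    for (i = 0; i < 225; i++)
        if (sim_badport_bandlim(SIM_WHICH, "fxp", i % 3, 1 + i * 100 / 225) < 0)
            suppressed++;
    sim_badport_bandlim(SIM_WHICH, "lo", 0, 150); /* emits the message: "on lo0" */
    return suppressed;
}

const char *sim_last_message(void) { return sim_last_msg; }
```

Calling sim_run_scenario() suppresses 25 replies, yet sim_last_message() reports the limit "on lo0", the idle interface that merely delivered the first packet of the next window.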
State-Changed-From-To: open->analyzed 
State-Changed-By: andre 
State-Changed-When: Sat Dec 27 08:38:34 PST 2003 
State-Changed-Why:  
Take over. 


Responsible-Changed-From-To: freebsd-bugs->andre 
Responsible-Changed-By: andre 
Responsible-Changed-When: Sat Dec 27 08:38:34 PST 2003 
Responsible-Changed-Why:  
Take over. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34591 
State-Changed-From-To: analyzed->closed 
State-Changed-By: andre 
State-Changed-When: Wed Sep 14 16:39:46 GMT 2005 
State-Changed-Why:  
ICMP bandwidth limiting is a global function, not per interface. 
Thus it doesn't make sense to print the ifp of the packet tripping 
into the limiter.  We don't have any plans to change limiting to 
be per interface. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34591 
>Unformatted:
