netdev

Re: missing icmp errors for udp packets

To: <kuznet@xxxxxxxxxxxxx>
Subject: Re: missing icmp errors for udp packets
From: Pekka Savola <pekkas@xxxxxxxxxx>
Date: Thu, 2 Aug 2001 22:31:00 +0300 (EEST)
Cc: <netdev@xxxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>, Dave Miller <davem@xxxxxxxxxx>
In-reply-to: <Pine.LNX.4.33.0107301552230.10196-100000@netcore.fi>
Sender: owner-netdev@xxxxxxxxxxx

On Mon, 30 Jul 2001, Pekka Savola wrote:

> On Sun, 29 Jul 2001 kuznet@xxxxxxxxxxxxx wrote:
>
> > Hello!
> >
> > > So in conclusion:
> > >
> > > with net.ipv4.icmp_echoreply_rate=0:
> >
> > Congratulations! That's why I do not see this, forgot to ping before. :-)
> >
> > The patch is enclosed.
>
> Alexey, there is a tiny problem with your patch.
>
> If you reboot the computer, the _first_ ping/scan attempt will not return
> icmp dest unreachable.  All of the rest do.  If the network was quiet
> enough, I guess there might be some circumstances where this could be
> applicable again..

As this happening is rather rare, would there be resistance to adding
this as an intermediate fix, to be replaced later with a bigger overhaul
if that is to be decided?

For 99.9% of cases, this works rather well and the 0.1% is the same as
before (== acceptable).  Returning ICMP unreachables after being pinged is
IMO rather important.


> > --- ../dust/vger3-010728/linux/net/ipv4/icmp.c      Thu Jun 14 22:49:44 2001
> > +++ linux/net/ipv4/icmp.c   Sun Jul 29 19:52:55 2001
> > @@ -240,12 +240,15 @@
> >  int xrlim_allow(struct dst_entry *dst, int timeout)
> >  {
> >     unsigned long now;
> > +   static int burst;
> >
> >     now = jiffies;
> >     dst->rate_tokens += now - dst->rate_last;
> >     dst->rate_last = now;
> > -   if (dst->rate_tokens > XRLIM_BURST_FACTOR*timeout)
> > -           dst->rate_tokens = XRLIM_BURST_FACTOR*timeout;
> > +   if (burst < XRLIM_BURST_FACTOR*timeout)
> > +           burst = XRLIM_BURST_FACTOR*timeout;
> > +   if (dst->rate_tokens > burst)
> > +           dst->rate_tokens = burst;
> >     if (dst->rate_tokens >= timeout) {
> >             dst->rate_tokens -= timeout;
> >             return 1;
> >
>
>
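
Review bot: `static int burst` in xrlim_allow() is a single variable shared by every dst_entry and every caller, and the `if (burst < XRLIM_BURST_FACTOR*timeout)` test only ever raises it, so after one call with a large timeout every later call, including those with a much smaller timeout, is capped at that largest value instead of at XRLIM_BURST_FACTOR times its own timeout. A destination with a short timeout can then bank many more tokens than the removed per-call cap allowed and emit a correspondingly longer burst of ICMP errors, which weakens the rate limit this function exists to enforce. If the cap is meant to be the maximum over all limits in use, say so in a comment next to the declaration; otherwise keep the cap computed per call from the caller's own timeout. The static is also read and written with no locking visible in this hunk, so the comment should state why concurrent callers are safe.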

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

