While adding that #define CONFIG_IP_IGNORE_ECHO_REQUESTS into
linux/net/ipv4/icmp.c will work fine for now, I'd suggest
putting it into the configuration headers so it doesn't tangle
up with further patches, or, should that define later move
into different file(s), lose its efficiency. This is also
the easiest way to make sure all future versions of the
kernel you compile get that setting defined.
Unfortunately, I'm not quite sure where you can stick it
without messing up the kernel autoconfig ;) If anybody has any
input on this, it would be most welcome.

Meanwhile, if you're worried that ignoring _all_ echo-requests
may be a bit too rough a move, there's a way to make the kernel
ignore them selectively. This is available at least in the
2.1.X series; unfortunately I don't know if it's elsewhere.
While browsing the net earlier I came upon a site with
cross-referenced kernel sources for all major Linux
distributions, so I thought I'd check it out from there, but
naturally I didn't save the URL anywhere, typical, so if
somebody knows that site I'd appreciate knowing it too ;)

But back on track... so how do you make that selective ignore?
Simple: first make sure CONFIG_NO_ICMP_LIMIT _isn't_ defined -
don't worry how, it won't be ;) Next, in linux/net/ipv4/icmp.c
go to the end of the file where there is a table of ICMP
definitions - the first entry is after /* ECHO REPLY (0) */.
This is, incidentally, what you need to change. Change the NULL
on that line to &xrl_generic.

So what does that do? I suggest you look at the source and try
to figure that out yourself - it's not that hard, and allows
you to better diddle with it. (However, the limit-code seems
pretty inefficient to me, and is no use against spoofed
ICMP-floods, so I suggest relying on it with caution.)
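The table edit described above (a NULL entry meaning "never limited", &xrl_generic meaning "limited by the shared generic policy") is illustrated by this stand-alone model; it is an added example, not code from the post or from the 2.1.x kernel. The struct layout, the field names, the 100-tick interval and the burst of 5 are all constructed assumptions chosen to show the mechanism, and only the echo-reply entry of the table is limited here.

```c
#include <stdio.h>
#include <string.h>

#define ICMP_TYPES 19

/* Constructed model of a per-type limiter: one credit is refilled every
 * 'interval' ticks, and at most 'burst' credits may accumulate. */
struct icmp_xrlim {
    long interval;
    int  burst;
};

/* Mutable per-type state, kept apart so the control table can stay const. */
struct xrlim_state {
    long last;    /* tick at which credits were last refilled */
    int  credit;  /* credits currently available */
    int  init;    /* non-zero once the entry has been used */
};

/* One policy shared by every limited type (values are constructed). */
static const struct icmp_xrlim xrl_generic = { 100, 5 };

/* Control table indexed by ICMP type: NULL = unlimited. Only the
 * ECHO REPLY (0) entry carries the limiter, mirroring the post's edit. */
static const struct icmp_xrlim *icmp_control[ICMP_TYPES] = {
    &xrl_generic,                      /* ECHO REPLY (0) */
    NULL, NULL, NULL, NULL, NULL, NULL, NULL,
    NULL,                              /* ECHO REQUEST (8): unlimited here */
    NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};

static struct xrlim_state state[ICMP_TYPES];

void xrlim_reset(void) { memset(state, 0, sizeof state); }

/* Returns 1 if a message of 'type' may be sent at tick 'now', else 0. */
int icmp_xrlim_allow(int type, long now)
{
    const struct icmp_xrlim *lim;
    struct xrlim_state *st;
    long elapsed, refill;

    if (type < 0 || type >= ICMP_TYPES) return 0;
    lim = icmp_control[type];
    if (lim == NULL) return 1;                 /* NULL entry: never limited */
    st = &state[type];
    if (!st->init) { st->init = 1; st->last = now; st->credit = lim->burst; }
    elapsed = now - st->last;
    if (elapsed >= lim->interval) {            /* refill, capped at burst */
        refill = elapsed / lim->interval;
        st->credit += (refill > lim->burst) ? lim->burst : (int)refill;
        if (st->credit > lim->burst) st->credit = lim->burst;
        st->last += refill * lim->interval;
    }
    if (st->credit > 0) { st->credit--; return 1; }
    return 0;
}

/* Offers 'n' messages of 'type' at one tick; returns how many got through. */
int count_allowed_burst(int type, long now, int n)
{
    int i, ok = 0;
    for (i = 0; i < n; i++) ok += icmp_xrlim_allow(type, now);
    return ok;
}
```

Running a burst of twenty type-0 messages at one tick lets only the burst size through, while the same burst of type-8 messages is untouched because its table entry is NULL.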