Oops, what a mistake. I missed the fact that icmp_send() isn't actually used for replying to ICMP_ECHO_REQUEST's etc., so no matter how you change the table in question, none of the replies are going to be limited... so what you need to do is add a call to the check in question to icmp_reply() as well, which is something that can already be called real kernel hacking.

Here's how I'm doing it; however...

1) I haven't yet rebooted with this code... wish me luck ;)
2) Am I missing something? ping -f and ping -l get mostly ignored

Here's the bit of code, in icmp_reply() right at the beginning (after local variable definitions):

    #ifndef CONFIG_NO_ICMP_LIMIT
        /* Drop the request before building a reply if this type/source is over its limit */
        if (!xrlim_allow(icmp_param->icmph.type, skb->nh.iph->saddr))
            return;
    #endif

I'll let you know how my tests with the thing proceed ;)

(Sorry for bad formatting, I managed to break my PPP thingy playing around with file descriptors, it seems, and this remote lynx doesn't quite handle text-fields properly, it seems... :P)
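Added example, not part of the post above and not kernel code: a user-space model of why the check has to sit at the top of the reply path, comparing an echo-request flood answered without the gate and with it. model_rlim_allow() is a hypothetical stand-in for the post's xrlim_allow(); the token-bucket scheme, BURST, REFILL_MS and the table size are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS     64
#define BURST     5     /* replies a source may draw at once (assumed value) */
#define REFILL_MS 200   /* one reply earned back per 200 ms (assumed value) */
#define ECHO_REQ  8     /* ICMP type of an echo request */

struct bucket { int used; uint32_t saddr; uint8_t type; uint32_t tokens; uint64_t last_ms; };
static struct bucket table[SLOTS];

/* Hypothetical stand-in for the per-type, per-source check named in the post. */
int model_rlim_allow(uint8_t type, uint32_t saddr, uint64_t now_ms)
{
    struct bucket *b = &table[(saddr ^ type) % SLOTS];
    uint64_t earned;
    if (!b->used || b->saddr != saddr || b->type != type) {
        /* Unseen flow (or hash collision): take over the slot with a full bucket. */
        b->used = 1; b->saddr = saddr; b->type = type;
        b->tokens = BURST; b->last_ms = now_ms;
    }
    earned = (now_ms - b->last_ms) / REFILL_MS;
    if (earned) {
        b->tokens = (b->tokens + earned > BURST) ? BURST : (uint32_t)(b->tokens + earned);
        b->last_ms += earned * REFILL_MS;
    }
    if (b->tokens == 0)
        return 0;               /* over the limit: caller returns without replying */
    b->tokens--;
    return 1;
}

/* Replies produced for n echo requests from one source, gap_ms apart.
 * gated == 0 models a reply path with no check at its top. */
int flood_replies(int gated, uint32_t saddr, int n, uint64_t gap_ms)
{
    int i, sent = 0;
    memset(table, 0, sizeof(table));
    for (i = 0; i < n; i++)
        if (!gated || model_rlim_allow(ECHO_REQ, saddr, (uint64_t)i * gap_ms))
            sent++;
    return sent;
}

int main(void)
{
    printf("ungated: %d\n", flood_replies(0, 0x0a000001, 1000, 1));
    printf("gated:   %d\n", flood_replies(1, 0x0a000001, 1000, 1));
    return 0;
}
```

In this model a colliding source evicts the slot and starts with a full bucket, so the table size bounds how well the limit holds when many sources are involved.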