Page MenuHomeFreeBSD
Differential D36903

pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf
ClosedPublic
Actions

Authored by kp on Oct 7 2022, 2:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Feb 18, 11:10 AM
Unknown Object (File)
Tue, Feb 17, 3:53 PM
Unknown Object (File)
Wed, Jan 28, 2:21 PM
Unknown Object (File)
Tue, Jan 27, 6:05 AM
Unknown Object (File)
Mon, Jan 26, 11:06 AM
Unknown Object (File)
Sun, Jan 25, 10:39 PM
Unknown Object (File)
Dec 12 2025, 1:23 PM
Unknown Object (File)
Dec 10 2025, 8:18 PM
View All Files
Subscribers
ae
darius-dons.net.au
farrokhi
glebius
imp
melifaro
zlei

Details

Reviewers
None
Group Reviewers
network
Commits
rGa974702e274c: pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf
Summary

PR: 266477
Event: Aberdeen Hackathon 2022

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Oct 7 2022, 2:29 PM
Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptOct 7 2022, 2:29 PM
kp requested review of this revision.Oct 7 2022, 2:29 PM
Harbormaster completed remote builds in B47734: Diff 111552.Oct 7 2022, 2:29 PM
zlei added a subscriber: zlei.Oct 7 2022, 3:38 PM

Is this for IPv4 ICMP only ?

kp added a comment.Oct 7 2022, 3:45 PM
In D36903#838094, @zlei.huang_gmail.com wrote:

Is this for IPv4 ICMP only ?

No. pf_send_icmp() is called for both IPv4 and IPv6. So we would indeed end up adding IPv6 ICMP errors to the IPv4 rate limits.
We should probably use the IPv6 rate limit for v6 errors. That function wants the destination IP address, but happily doesn't actually use it, so we can just pass NULL.

I'll see if I can update the patch.

kp updated this revision to Diff 111561.Oct 7 2022, 5:06 PM

Use the IPv6 rate limit check for IPv6 icmp errors

Herald added a subscriber: ae. · View Herald TranscriptOct 7 2022, 5:06 PM
Harbormaster completed remote builds in B47737: Diff 111561.Oct 7 2022, 5:06 PM
darius-dons.net.au added a subscriber: darius-dons.net.au.Oct 7 2022, 11:14 PM

That looks simple and good.

Relatedly BANDLIM_ICMP6_UNREACH is defined (sys/netinet/icmp_var.h) but never used (along with the associated struct icmp_rate entry in sys/netinet/ip_icmp.c)

zlei added a comment.Oct 8 2022, 1:00 AM

Looks good to me.

This revision was not accepted when it landed; it landed in state Needs Review.Oct 14 2022, 9:26 AM
Closed by commit rGa974702e274c: pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rGa974702e274c: pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf.

Revision Contents
Changeset List

PathSize
sys/
netinet/
1 line
netinet6/
3 lines
netpfil/
pf/
26 lines

Diff 111797

View Options

sys/netinet/icmp6.h

Loading...
View Options

sys/netinet6/icmp6.c

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...