
pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf
ClosedPublic

Authored by kp on Oct 7 2022, 2:29 PM.
Tags
None
Referenced Files
F105535870: D36903.diff
Tue, Dec 17, 9:35 AM

Details

Summary

PR: 266477
Event: Aberdeen Hackathon 2022

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 47737
Build 44624: arc lint + arc unit

Event Timeline

kp requested review of this revision. Oct 7 2022, 2:29 PM

Is this for IPv4 ICMP only?

In D36903#838094, @zlei.huang_gmail.com wrote:

> Is this for IPv4 ICMP only?

No. pf_send_icmp() is called for both IPv4 and IPv6. So we would indeed end up adding IPv6 ICMP errors to the IPv4 rate limits.
We should probably use the IPv6 rate limit for v6 errors. That function wants the destination IP address, but happily doesn't actually use it, so we can just pass NULL.

I'll see if I can update the patch.
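The point above is that an ICMP error generated by pf must be charged to the rate limit bucket of the address family it belongs to, otherwise IPv6 errors eat into the IPv4 budget. The following is an added userland model of that per-family limiting, written for this page; it is not pf's or the FreeBSD kernel's code. The bucket layout, the limits (200 and 100 per second, constructed for the example), the `simulate_burst()` helper and the log line are all assumptions made for illustration; the real kernel limits are sysctl-tunable and the real check runs inside the network stack.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Address family values as used by FreeBSD's <sys/socket.h>. */
#ifndef AF_INET
#define AF_INET  2
#endif
#ifndef AF_INET6
#define AF_INET6 28
#endif

/* Constructed per-family bucket; models, but does not copy, a kernel rate entry. */
struct icmp_bucket {
	const char *name;
	int64_t limit;     /* maximum errors allowed per one-second window */
	int64_t count;     /* errors sent in the current window */
	int64_t dropped;   /* errors suppressed in the current window */
	uint64_t window;   /* second the current window belongs to */
};

/* Limits are constructed for the example; FreeBSD tunes them via sysctl. */
static struct icmp_bucket icmp4_bucket = { "icmp4", 200, 0, 0, 0 };
static struct icmp_bucket icmp6_bucket = { "icmp6", 100, 0, 0, 0 };

static struct icmp_bucket *
bucket_for(int af)
{
	switch (af) {
	case AF_INET:  return &icmp4_bucket;
	case AF_INET6: return &icmp6_bucket;
	default:       return NULL;
	}
}

/* Reset both buckets so a simulation starts from an empty window. */
void
icmp_ratelimit_reset(void)
{
	icmp4_bucket.count = icmp4_bucket.dropped = 0;
	icmp4_bucket.window = 0;
	icmp6_bucket.count = icmp6_bucket.dropped = 0;
	icmp6_bucket.window = 0;
}

/*
 * Decide whether an ICMP error for family `af` may be sent at `now_sec`.
 * Returns true to send, false to suppress. Unknown families are suppressed
 * rather than charged to the wrong bucket.
 */
bool
icmp_ratelimit_allow(int af, uint64_t now_sec)
{
	struct icmp_bucket *b = bucket_for(af);

	if (b == NULL)
		return false;

	if (b->window != now_sec) {
		/* New window: report what the previous one suppressed, then reset. */
		if (b->dropped > 0)
			printf("Limiting %s error responses from %lld to %lld packets/sec\n",
			    b->name, (long long)(b->count + b->dropped),
			    (long long)b->limit);
		b->window = now_sec;
		b->count = 0;
		b->dropped = 0;
	}

	if (b->count >= b->limit) {
		b->dropped++;
		return false;
	}
	b->count++;
	return true;
}

/*
 * Simulate `n` triggering packets of family `af` arriving in the same second
 * and return how many ICMP errors would actually be generated.
 */
int
simulate_burst(int af, int n, uint64_t now_sec)
{
	int sent = 0;

	for (int i = 0; i < n; i++)
		if (icmp_ratelimit_allow(af, now_sec))
			sent++;
	return sent;
}

int
main(void)
{
	icmp_ratelimit_reset();
	printf("IPv4 burst of 300 at t=0: %d sent\n", simulate_burst(AF_INET, 300, 0));
	printf("IPv6 burst of 150 at t=0: %d sent\n", simulate_burst(AF_INET6, 150, 0));
	printf("IPv4 burst of 10 at t=1:  %d sent\n", simulate_burst(AF_INET, 10, 1));
	return 0;
}
```

The IPv6 burst is admitted in full up to its own limit even after the IPv4 bucket is exhausted, which is the separation the revision preserves by selecting the IPv6 check for IPv6 errors instead of folding them into the IPv4 count.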

Use the IPv6 rate limit check for IPv6 icmp errors

That looks simple and good.

Relatedly, BANDLIM_ICMP6_UNREACH is defined (sys/netinet/icmp_var.h) but never used (along with the associated struct icmp_rate entry in sys/netinet/ip_icmp.c).

This revision was not accepted when it landed; it landed in state Needs Review. Oct 14 2022, 9:26 AM
This revision was automatically updated to reflect the committed changes.