
D48804.id150387.diff


diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -88,7 +88,7 @@
&sysctl_icmplim_and_jitter, "IU",
"Maximum number of ICMP responses per second");
-VNET_DEFINE_STATIC(int, icmplim_curr_jitter) = 0;
+VNET_DEFINE_STATIC(int, icmplim_curr_jitter[BANDLIM_MAX]) = {0};
#define V_icmplim_curr_jitter VNET(icmplim_curr_jitter)
VNET_DEFINE_STATIC(u_int, icmplim_jitter) = 16;
#define V_icmplim_jitter VNET(icmplim_jitter)
@@ -1108,14 +1108,14 @@
};
static void
-icmplim_new_jitter(void)
+icmplim_new_jitter(int which)
{
/*
* Adjust limit +/- to jitter the measurement to deny a side-channel
* port scan as in https://dl.acm.org/doi/10.1145/3372297.3417280
*/
if (V_icmplim_jitter > 0)
- V_icmplim_curr_jitter =
+ V_icmplim_curr_jitter[which] =
arc4random_uniform(V_icmplim_jitter * 2 + 1) -
V_icmplim_jitter;
}
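Review bot: When V_icmplim_jitter is 0, icmplim_new_jitter leaves whatever offset was previously drawn in V_icmplim_curr_jitter[which] untouched, so setting the icmplim_jitter sysctl back to 0 (if the handler accepts 0 — its range check is outside this hunk) keeps applying a stale ±offset to the limit instead of returning to exactly V_icmplim; an `else V_icmplim_curr_jitter[which] = 0;` after the `if` makes the zero case explicit. The callers visible in this diff either iterate 0..BANDLIM_MAX-1 or pass the `which` that badport_bandlim already KASSERTs, but now that the function writes through an index, a `KASSERT(which >= 0 && which < BANDLIM_MAX, ("%s: which %d", __func__, which));` at the top would state the bound at the point of the array write as well. The same two points apply to icmp6lim_new_jitter in sys/netinet6/icmp6.c, with RATELIM_MAX.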
@@ -1144,7 +1144,9 @@
error = EINVAL;
else {
V_icmplim_jitter = new;
- icmplim_new_jitter();
+ for (int i = 0; i < BANDLIM_MAX; i++) {
+ icmplim_new_jitter(i);
+ }
}
}
}
@@ -1160,8 +1162,8 @@
for (int i = 0; i < BANDLIM_MAX; i++) {
V_icmp_rates[i].cr_rate = counter_u64_alloc(M_WAITOK);
V_icmp_rates[i].cr_ticks = ticks;
+ icmplim_new_jitter(i);
}
- icmplim_new_jitter();
}
VNET_SYSINIT(icmp_bandlimit, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY,
icmp_bandlimit_init, NULL);
@@ -1190,14 +1192,14 @@
("%s: which %d", __func__, which));
pps = counter_ratecheck(&V_icmp_rates[which], V_icmplim +
- V_icmplim_curr_jitter);
+ V_icmplim_curr_jitter[which]);
if (pps > 0) {
if (V_icmplim_output)
log(LOG_NOTICE,
"Limiting %s response from %jd to %d packets/sec\n",
icmp_rate_descrs[which], (intmax_t )pps,
- V_icmplim + V_icmplim_curr_jitter);
- icmplim_new_jitter();
+ V_icmplim + V_icmplim_curr_jitter[which]);
+ icmplim_new_jitter(which);
}
if (pps == -1)
return (-1);
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -2739,22 +2739,6 @@
&sysctl_icmp6lim_and_jitter, "IU",
"Maximum number of ICMPv6 error/reply messages per second");
-VNET_DEFINE_STATIC(int, icmp6lim_curr_jitter) = 0;
-#define V_icmp6lim_curr_jitter VNET(icmp6lim_curr_jitter)
-
-VNET_DEFINE_STATIC(u_int, icmp6lim_jitter) = 8;
-#define V_icmp6lim_jitter VNET(icmp6lim_jitter)
-SYSCTL_PROC(_net_inet6_icmp6, OID_AUTO, icmp6lim_jitter, CTLTYPE_UINT |
- CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmp6lim_jitter), 0,
- &sysctl_icmp6lim_and_jitter, "IU",
- "Random errppslimit jitter adjustment limit");
-
-VNET_DEFINE_STATIC(int, icmp6lim_output) = 1;
-#define V_icmp6lim_output VNET(icmp6lim_output)
-SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, icmp6lim_output,
- CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmp6lim_output), 0,
- "Enable logging of ICMPv6 response rate limiting");
-
typedef enum {
RATELIM_PARAM_PROB = 0,
RATELIM_TOO_BIG,
@@ -2776,15 +2760,31 @@
[RATELIM_OTHER] = "(other)",
};
+VNET_DEFINE_STATIC(int, icmp6lim_curr_jitter[RATELIM_MAX]) = {0};
+#define V_icmp6lim_curr_jitter VNET(icmp6lim_curr_jitter)
+
+VNET_DEFINE_STATIC(u_int, icmp6lim_jitter) = 8;
+#define V_icmp6lim_jitter VNET(icmp6lim_jitter)
+SYSCTL_PROC(_net_inet6_icmp6, OID_AUTO, icmp6lim_jitter, CTLTYPE_UINT |
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmp6lim_jitter), 0,
+ &sysctl_icmp6lim_and_jitter, "IU",
+ "Random errppslimit jitter adjustment limit");
+
+VNET_DEFINE_STATIC(int, icmp6lim_output) = 1;
+#define V_icmp6lim_output VNET(icmp6lim_output)
+SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, icmp6lim_output,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmp6lim_output), 0,
+ "Enable logging of ICMPv6 response rate limiting");
+
static void
-icmp6lim_new_jitter(void)
+icmp6lim_new_jitter(int which)
{
/*
* Adjust limit +/- to jitter the measurement to deny a side-channel
* port scan as in https://dl.acm.org/doi/10.1145/3372297.3417280
*/
if (V_icmp6lim_jitter > 0)
- V_icmp6lim_curr_jitter =
+ V_icmp6lim_curr_jitter[which] =
arc4random_uniform(V_icmp6lim_jitter * 2 + 1) -
V_icmp6lim_jitter;
}
@@ -2813,7 +2813,9 @@
error = EINVAL;
else {
V_icmp6lim_jitter = new;
- icmp6lim_new_jitter();
+ for (int i = 0; i < RATELIM_MAX; i++) {
+ icmp6lim_new_jitter(i);
+ }
}
}
}
@@ -2833,8 +2835,8 @@
for (int i = 0; i < RATELIM_MAX; i++) {
V_icmp6_rates[i].cr_rate = counter_u64_alloc(M_WAITOK);
V_icmp6_rates[i].cr_ticks = ticks;
+ icmp6lim_new_jitter(i);
}
- icmp6lim_new_jitter();
}
VNET_SYSINIT(icmp6_ratelimit, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY,
icmp6_ratelimit_init, NULL);
@@ -2896,14 +2898,14 @@
};
pps = counter_ratecheck(&V_icmp6_rates[which], V_icmp6errppslim +
- V_icmp6lim_curr_jitter);
+ V_icmp6lim_curr_jitter[which]);
if (pps > 0) {
if (V_icmp6lim_output)
log(LOG_NOTICE, "Limiting ICMPv6 %s output from %jd "
"to %d packets/sec\n", icmp6_rate_descrs[which],
(intmax_t )pps, V_icmp6errppslim +
- V_icmp6lim_curr_jitter);
- icmp6lim_new_jitter();
+ V_icmp6lim_curr_jitter[which]);
+ icmp6lim_new_jitter(which);
}
if (pps == -1) {
ICMP6STAT_INC(icp6s_toofreq);
