
icmp: improve ICMP limit jitter

Description

icmp: improve ICMP limit jitter

Instead of fixing up invalid values set by a user in badport_bandlim()
which is a fast path function, provide a sysctl handler
sysctl_icmplim_and_jitter(), that will check that jitter is less than the
limit.

Provide jitter initialization function icmplim_new_jitter() used at boot,
in the sysctl handler and when we actually hit the limit. This also fixes
the lack of jitter on a freshly booted system until the first limit hit.

Instead of a CVE number provide a link to the actual paper that explains what
and why we are doing here. The CVE number isn't very informative, it will
just tell you what RedHat version you need to upgrade to.

Reviewed by: kp, tuexen, zlei
Differential Revision: https://reviews.freebsd.org/D44478

(cherry picked from commit ac44739fd834f51cacb26485a4140fd482e20150)
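As an added illustration (model code written for this page, not the FreeBSD commit's own source), the shape of the change the message describes: the jitter-below-limit check lives in a sysctl-style handler instead of the fast path, and a fresh jitter is drawn at boot, on every accepted write and on a limit hit. The variable names, the symmetric jitter range and the caller-supplied random value `r` are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
/* Model of the ICMP rate-limit tunables (hypothetical names, not FreeBSD's). */
static int icmplim = 200;         /* max ICMP replies per second */
static int icmplim_jitter = 16;   /* largest magnitude of the random jitter */
static int icmplim_curr_jitter;   /* jitter currently applied to icmplim */

/*
 * Draw a new jitter in [-icmplim_jitter, icmplim_jitter] (symmetric range is this
 * model's assumption). Called at boot, from the sysctl handler and on a limit hit.
 * `r` is a raw random value passed in by the caller so the function is deterministic
 * under test; a kernel would draw it itself.
 */
static int icmplim_new_jitter(uint32_t r)
{
	if (icmplim_jitter > 0)
		icmplim_curr_jitter = (int)(r % (2u * icmplim_jitter + 1)) - icmplim_jitter;
	else
		icmplim_curr_jitter = 0;
	return (icmplim_curr_jitter);
}

enum icmplim_oid { ICMPLIM_LIMIT, ICMPLIM_JITTER };
/*
 * The check belongs in the sysctl handler, not in the fast path: a write is
 * accepted only if jitter stays strictly below the limit, so the effective limit
 * (icmplim + icmplim_curr_jitter) stays positive. A new jitter takes effect at
 * once rather than at the first limit hit. Returns 0 or EINVAL.
 */
static int sysctl_icmplim_and_jitter(enum icmplim_oid which, int newval, uint32_t r)
{
	if (newval < 0)
		return (EINVAL);
	if (which == ICMPLIM_LIMIT) {
		if (newval <= icmplim_jitter)
			return (EINVAL);
		icmplim = newval;
	} else {
		if (newval >= icmplim)
			return (EINVAL);
		icmplim_jitter = newval;
		icmplim_new_jitter(r);
	}
	return (0);
}

/* Fast-path check: no value fix-ups here, the handler already validated them. */
static int icmplim_exceeded(int count_this_second)
{
	return (count_this_second > icmplim + icmplim_curr_jitter);
}
```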

Details

Provenance
glebius, authored on Mar 24 2024, 4:13 PM
zlei, committed on Wed, Jun 26, 4:48 AM
Reviewer
kp
Differential Revision
D44478: icmp: improve ICMP limit jitter
Parents
rG09a05224b04f: icmp: when logging ICMP ratelimiting message use correct jitter value
Branches
Unknown
Tags
Unknown