Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

net: don't global ICMP rate limit packets originating from loopback

Florian Weimer seems to have a glibc test-case which requires that
loopback interfaces does not get ICMP ratelimited.  This was broken by
commit c0303efeab73 ("net: reduce cycles spend on ICMP replies that
gets rate limited").

An ICMP response will usually be routed back-out the same incoming
interface.  Thus, take advantage of this and skip global ICMP
ratelimit when the incoming device is loopback.  In the unlikely event
that the outgoing it not loopback, due to strange routing policy
rules, ICMP rate limiting still works via peer ratelimiting via
icmpv4_xrlim_allow().  Thus, we should still comply with RFC1812
(section 4.3.2.8 "Rate Limiting").

This seems to fix the reproducer given by Florian.  While still
avoiding to perform expensive and unneeded outgoing route lookup for
rate limited packets (in the non-loopback case).

Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited")
Reported-by: Florian Weimer <fweimer@redhat.com>
Reported-by: "H.J. Lu" <hjl.tools@gmail.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Dangaard Brouer 8 years ago
parent
c4f65b09b4
commit
849a44de91
2 changed files with 7 additions and 3 deletions
Split View Show Diff Stats
  1. 6 2
      net/ipv4/icmp.c
  2. 1 1
      net/ipv6/icmp.c

+ 6 - 2
net/ipv4/icmp.c
View File 

@@ -657,8 +657,12 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
 
 	/* Needed by both icmp_global_allow and icmp_xmit_lock */
 
 	local_bh_disable();
 
 
-	/* Check global sysctl_icmp_msgs_per_sec ratelimit */
 
-	if (!icmpv4_global_allow(net, type, code))
 
+	/* Check global sysctl_icmp_msgs_per_sec ratelimit, unless
 
+	 * incoming dev is loopback.  If outgoing dev change to not be
 
+	 * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow)
 
+	 */
 
+	if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) &&
 
+	      !icmpv4_global_allow(net, type, code))
 
 		goto out_bh_enable;
 
 
 	sk = icmp_xmit_lock(net);

+ 1 - 1
net/ipv6/icmp.c
View File 

@@ -491,7 +491,7 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
 
 	local_bh_disable();
 
 
 	/* Check global sysctl_icmp_msgs_per_sec ratelimit */
 
-	if (!icmpv6_global_allow(type))
 
+	if (!(skb->dev->flags&IFF_LOOPBACK) && !icmpv6_global_allow(type))
 
 		goto out_bh_enable;
 
 
 	mip6_addr_swap(skb);