PR: 266477
Event: Aberdeen Hackathon 2022
Details
- Reviewers: None
- Group Reviewers: network
- Commits: rGa974702e274c: pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf
Diff Detail
- Repository: rG FreeBSD src repository
- Lint: Not Applicable
- Unit Tests: Not Applicable
Event Timeline
Comment Actions
No. pf_send_icmp() is called for both IPv4 and IPv6. So we would indeed end up adding IPv6 ICMP errors to the IPv4 rate limits.
We should probably use the IPv6 rate limit for v6 errors. That function wants the destination IP address, but happily doesn't actually use it, so we can just pass NULL.
I'll see if I can update the patch.
Comment Actions
That looks simple and good.
Relatedly, BANDLIM_ICMP6_UNREACH is defined (sys/netinet/icmp_var.h) but never used (along with the associated struct icmp_rate entry in sys/netinet/ip_icmp.c).