git: a974702e274c - main - pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 14 Oct 2022 09:25:19 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a974702e274cbed52ae9ad9ecef8501e267b822d commit a974702e274cbed52ae9ad9ecef8501e267b822d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-10-07 14:22:57 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-10-14 08:36:16 +0000 pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf PR: 266477 Event: Aberdeen Hackathon 2022 Differential Revision: https://reviews.freebsd.org/D36903 --- sys/netinet/icmp6.h | 1 + sys/netinet6/icmp6.c | 3 +-- sys/netpfil/pf/pf.c | 26 ++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/sys/netinet/icmp6.h b/sys/netinet/icmp6.h index 7429b8173b6a..45a8b8ec0ce8 100644 --- a/sys/netinet/icmp6.h +++ b/sys/netinet/icmp6.h @@ -708,6 +708,7 @@ int icmp6_input(struct mbuf **, int *, int); void icmp6_prepare(struct mbuf *); void icmp6_redirect_input(struct mbuf *, int); void icmp6_redirect_output(struct mbuf *, struct nhop_object *); +int icmp6_ratelimit(const struct in6_addr *, const int, const int); struct ip6ctlparam; void icmp6_mtudisc_update(struct ip6ctlparam *, int); diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 4497041f0330..2cd54abbb76e 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -137,7 +137,6 @@ VNET_DECLARE(int, icmp6_nodeinfo); static void icmp6_errcount(int, int); static int icmp6_rip6_input(struct mbuf **, int); static void icmp6_reflect(struct mbuf *, size_t); -static int icmp6_ratelimit(const struct in6_addr *, const int, const int); static const char *icmp6_redirect_diag(struct in6_addr *, struct in6_addr *, struct in6_addr *); static struct mbuf *ni6_input(struct mbuf *, int, struct prison *); @@ -2727,7 +2726,7 @@ icmp6_ctloutput(struct socket *so, struct sockopt *sopt) * type - not used at this moment * code - not used at this moment */ -static int +int icmp6_ratelimit(const struct in6_addr *dst, const int type, const int code) { diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2a6efbfe6e7d..d0139dc6bd15 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -3048,6 +3048,22 @@ pf_match_ieee8021q_pcp(u_int8_t prio, struct mbuf *m) return (mpcp == prio); } +static int +pf_icmp_to_bandlim(uint8_t type) +{ + switch (type) { + case ICMP_ECHO: + case ICMP_ECHOREPLY: + return (BANDLIM_ICMP_ECHO); + case ICMP_TSTAMP: + case ICMP_TSTAMPREPLY: + return (BANDLIM_ICMP_TSTAMP); + case ICMP_UNREACH: + default: + return (BANDLIM_ICMP_UNREACH); + } +} + static void pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, struct pf_krule *r) @@ -3056,6 +3072,16 @@ pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, struct mbuf *m0; struct pf_mtag *pf_mtag; + /* ICMP packet rate limitation. */ + if (af == AF_INET6) { + if (icmp6_ratelimit(NULL, type, code)) + return; + } else { + MPASS(af == AF_INET); + if (badport_bandlim(pf_icmp_to_bandlim(type)) != 0) + return; + } + /* Allocate outgoing queue entry, mbuf and mbuf tag. */ pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT); if (pfse == NULL)