[Bug 266477] PF does not obey ICMP rate limits

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 18 Sep 2022 07:27:49 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266477

            Bug ID: 266477
           Summary: PF does not obey ICMP rate limits
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: darius@dons.net.au
                CC: kp@freebsd.org

PF emits ICMP messages for blocked connections (when return is set) but it does
not call the rate limit code (badport_bandlim) and hence will send them at an
unlimited rate. IMO this is a POLA violation.

Furthermore, the IPv6 stack does not appear to call it either; badport_bandlim
has BANDLIM_ICMP6_UNREACH, but it does not appear to be used.

I think it would make more sense to move the rate limiting code into
icmp_error/icmp6_error and perhaps also add some per-ICMP type stats exposed as
sysctls.

-- 
You are receiving this mail because:
You are the assignee for the bug.
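The following is an added illustration of the fix the report proposes, not code from FreeBSD, pf, or the reporter: a per-class limiter placed at the single point where an ICMP error would be built, so that every caller (including a firewall's "block return" path) is covered, plus per-class suppression counters of the kind that could later be exported as statistics. The class names, the fixed one-second window, the 200-per-second budget, and the function names are all constructed for the example and are not the kernel's BANDLIM_* constants or its badport_bandlim API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed rate-limit classes, one per kind of ICMP error. The names are
 * illustrative only; they are not FreeBSD's BANDLIM_* constants. */
enum icmp_lim_class {
    LIM_ICMP_UNREACH = 0,   /* IPv4 destination unreachable */
    LIM_ICMP6_UNREACH,      /* IPv6 destination unreachable */
    LIM_TCP_RST,            /* TCP RST for closed ports */
    LIM_NCLASSES
};

/* Per-class counters. A sysctl could export dropped_total to show how many
 * errors each class suppressed, which is the kind of stat the report asks for. */
struct icmp_lim_state {
    uint64_t window_start_ms;
    uint64_t sent_in_window;
    uint64_t dropped_in_window;
    uint64_t dropped_total;
};

#define LIM_WINDOW_MS   1000ULL
#define LIM_PER_WINDOW  200ULL   /* constructed budget: 200 errors per second */

static struct icmp_lim_state lim[LIM_NCLASSES];
static uint64_t emitted[LIM_NCLASSES];   /* stands in for packets actually sent */

void icmp_lim_reset(void)
{
    memset(lim, 0, sizeof(lim));
    memset(emitted, 0, sizeof(emitted));
}

/* Decide whether one ICMP error of class cls may be emitted at time now_ms.
 * Fixed one-second windows; when a new window opens and the previous one
 * suppressed anything, a single summary line is logged rather than one per drop. */
bool icmp_lim_allow(enum icmp_lim_class cls, uint64_t now_ms)
{
    struct icmp_lim_state *s = &lim[cls];

    if (now_ms - s->window_start_ms >= LIM_WINDOW_MS) {
        if (s->dropped_in_window != 0)
            printf("Limiting class %d: suppressed %llu of %llu responses/sec\n",
                   (int)cls, (unsigned long long)s->dropped_in_window,
                   (unsigned long long)(s->sent_in_window + s->dropped_in_window));
        s->window_start_ms = now_ms;
        s->sent_in_window = 0;
        s->dropped_in_window = 0;
    }
    if (s->sent_in_window < LIM_PER_WINDOW) {
        s->sent_in_window++;
        return true;
    }
    s->dropped_in_window++;
    s->dropped_total++;
    return false;
}

uint64_t icmp_lim_dropped_total(enum icmp_lim_class cls) { return lim[cls].dropped_total; }
uint64_t icmp_emitted(enum icmp_lim_class cls) { return emitted[cls]; }

/* Hypothetical stand-in for the spot in icmp_error()/icmp6_error() where the
 * reply would be built. Checking the limit here, rather than in each caller,
 * is what closes the gap the report describes for pf's "block return". */
bool icmp_error_ratelimited(enum icmp_lim_class cls, uint64_t now_ms)
{
    if (!icmp_lim_allow(cls, now_ms))
        return false;        /* suppressed: nothing goes on the wire */
    emitted[cls]++;          /* real code would transmit the packet here */
    return true;
}

/* Simulate n blocked packets arriving within one window starting at t0_ms.
 * Returns how many ICMP errors were actually emitted. */
uint64_t simulate_burst(enum icmp_lim_class cls, uint64_t t0_ms, uint64_t n)
{
    uint64_t sent = 0;
    for (uint64_t i = 0; i < n; i++)
        if (icmp_error_ratelimited(cls, t0_ms + (i % LIM_WINDOW_MS)))
            sent++;
    return sent;
}

int main(void)
{
    icmp_lim_reset();
    uint64_t sent = simulate_burst(LIM_ICMP_UNREACH, 0, 1000);
    printf("burst of 1000 blocked packets: emitted %llu, suppressed %llu\n",
           (unsigned long long)sent,
           (unsigned long long)icmp_lim_dropped_total(LIM_ICMP_UNREACH));
    /* next second: the budget renews and the previous window is summarised */
    simulate_burst(LIM_ICMP_UNREACH, 1000, 50);
    return 0;
}
```

With the check inside the error-building routine, a burst of 1000 blocked packets in one second yields 200 unreachables and 800 suppressions, the IPv6 class keeps its own independent budget, and the per-class dropped_total is the number an operator would want to see in a counter.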