docs/150917: icmp.4, wrong description of icmplim and icmplim_output sysctls
Nikos Vassiliadis
nvass at gmx.com
Tue Feb 15 12:30:15 UTC 2011
The following reply was made to PR docs/150917; it has been noted by GNATS.
From: Nikos Vassiliadis <nvass at gmx.com>
To: Giorgos Keramidas <keramida at ceid.upatras.gr>
Cc: bug-followup at freebsd.org
Subject: Re: docs/150917: icmp.4, wrong description of icmplim and icmplim_output sysctls
Date: Tue, 15 Feb 2011 14:27:47 +0200
On 2/15/2011 9:47 AM, Giorgos Keramidas wrote:
> On 2010-09-24 13:42, Nikos Vassiliadis <nvass9573 at gmx.com> wrote:
>> The icmp manual page describes icmplim and icmplim_output wrongly.
>>
>> icmplim (integer) Bandwidth limit for ICMP replies in packets/second.
>> Used when icmplim_output is non-zero.
>> Defaults to 200.
>>
>> icmplim_output (boolean) Enable/disable bandwidth limiting of ICMP
>> replies. Defaults to true.
>>
>> The correct description [1] is this:
>>
>> If you do not want to see messages about this in your log files, but
>> you still want the kernel to do response limiting, you can use the
>> net.inet.icmp.icmplim_output sysctl variable to disable the output
>> like this:
>>
>> # sysctl -w net.inet.icmp.icmplim_output=0
>>
>> Finally, if you want to disable response limiting, you can set the
>> net.inet.icmp.icmplim sysctl variable (see above for an example) to
>> 0. Disabling response limiting is discouraged for the reasons listed
>> above.
>
>> Index: src/share/man/man4/icmp.4
>> ===================================================================
>> --- src/share/man/man4/icmp.4 (revision 213086)
>> +++ src/share/man/man4/icmp.4 (working copy)
>> @@ -179,15 +179,16 @@
>> the system replies to an ICMP Address Mask Request packet.
>> Defaults to 0.
>> .It Va icmplim
>> -.Pq Vt integer
>> -Bandwidth limit for ICMP replies in packets/second.
>> -Used when
>> -.Va icmplim_output
>> -is non-zero.
>> +.Pq Vt "unsigned integer"
>> +Limit for ICMP or TCP RST responses in packets per second.
>> +Response limiting is disabled by setting
>> +.Va icmplim
>> +to 0.
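Review bot: the replacement text drops the cross-reference to .Va icmplim_output without saying what that knob now does, so a reader of the icmplim entry gets no pointer to the logging switch; consider keeping one sentence after "to 0.", e.g. "Logging of enforced limits is controlled by .Va icmplim_output ." The quoted source for the new wording also says that disabling response limiting is discouraged; the manual page entry would be more useful if it carried that caveat next to the "to 0" instruction rather than presenting it as a neutral option.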
>
> I am not sure I like the idea of mentioning all the other protocols that
> may send ICMP replies too, so this probably needs a bit of reworking.
> For instance, UDP may send ICMP unreachable errors too. SCTP also.
>
> Are we going to list *all* the possible protocols by name?
We don't list the protocols that initiated the response.
As you mentioned, TCP|UDP|SCTP can initiate this rate-limiting function.
Yet, all possible replies that this code handles are either ICMP or TCP.
For example, the current code does not handle SCTP ABORT, but it *does* handle
the case of an ICMP response generated by SCTP.
The replies are defined here:
http://fxr.watson.org/fxr/source/netinet/icmp_var.h#L99
>
>> Defaults to 200.
>> .It Va icmplim_output
>> .Pq Vt boolean
>> -Enable/disable bandwidth limiting of ICMP replies.
>> +Enable/disable logging of
>> +.Va icmplim .
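Review bot: "Enable/disable logging of .Va icmplim ." does not say what is logged; the corresponding sysctl description in the ip_icmp.c hunk reads "Enable logging of enforced limit on ICMP or TCP RST responses", and the manual page entry should use the same wording so that sysctl -d and icmp.4 agree. The hunk header announces 15 original lines but the quote stops after the "Enable/disable" change, so the trailing context of this entry cannot be checked here.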
>
> "logging of rate-limiting messages from icmplim" ?
Yes, that's better.
>
>> Index: src/sys/netinet/ip_icmp.c
>> ===================================================================
>> --- src/sys/netinet/ip_icmp.c (revision 213086)
>> +++ src/sys/netinet/ip_icmp.c (working copy)
>> @@ -106,15 +106,15 @@
>>
>> static VNET_DEFINE(int, icmplim) = 200;
>> #define V_icmplim VNET(icmplim)
>> -SYSCTL_VNET_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
>> +SYSCTL_VNET_UINT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
>> &VNET_NAME(icmplim), 0,
>> - "Maximum number of ICMP responses per second");
>> + "Maximum number of ICMP or TCP RST responses per second");
>>
>> static VNET_DEFINE(int, icmplim_output) = 1;
>> #define V_icmplim_output VNET(icmplim_output)
>> -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
>> +SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
>> &VNET_NAME(icmplim_output), 0,
>> - "Enable rate limiting of ICMP responses");
>> + "Enable logging of enforced limit on ICMP or TCP RST responses");
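Review bot: the SYSCTL macros change from SYSCTL_VNET_INT to SYSCTL_VNET_UINT, but both backing variables are still declared as `VNET_DEFINE(int, icmplim)` and `VNET_DEFINE(int, icmplim_output)`; the storage type should match the exported type, so either declare them unsigned or keep the _INT macros, and the `.Pq Vt "unsigned integer"` in the icmp.4 hunk should follow whichever is chosen. icmplim_output is documented as boolean in icmp.4 yet exported here as an unsigned integer; if it stays a flag, keeping the INT export with `int` storage is the simpler consistent choice.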
>
> This also has the problem that it does not mention UDP or SCTP replies
> for port-unreachable, host-unreachable, etc.
These are ICMP messages generated by UDP|SCTP. But... the sysctl's description
doesn't have to be that accurate, if you ask me. I would like the manual page
to be as accurate as possible. I find particularly unattractive the term
bandwidth there!
Thanks for handling this, Nikos
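The semantics the two knobs end up with in this thread (icmplim caps responses per second, setting it to 0 disables the limiter entirely, and icmplim_output only toggles the log line, never whether a response is dropped) can be seen in a small model. This is an added example, not code from FreeBSD's ip_icmp.c or from this PR: the struct and function names, the fixed one-second window, the caller-supplied clock and the log text are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model of the response limiter the thread documents.  Not
 * FreeBSD's implementation; names and the one-second window are assumptions. */
struct bandlim {
    unsigned icmplim;        /* max responses per second; 0 disables limiting */
    int      icmplim_output; /* boolean: emit a log line when the limit is hit */
    long     window_start;   /* wall-clock second of the current window */
    unsigned count;          /* responses seen in the current window */
    unsigned logged;         /* "Limiting ..." log lines emitted so far */
    unsigned dropped;        /* responses suppressed by the limiter */
};

static void bandlim_init(struct bandlim *b, unsigned icmplim, int icmplim_output)
{
    b->icmplim = icmplim;
    b->icmplim_output = icmplim_output;
    b->window_start = -1;
    b->count = b->logged = b->dropped = 0;
}

/* Decide whether one ICMP/TCP RST response may go out at time `now` (seconds).
 * Returns 1 if it is sent, 0 if suppressed by the limiter. */
static int bandlim_check(struct bandlim *b, long now)
{
    if (b->icmplim == 0)
        return 1;                       /* icmplim=0: no response limiting at all */

    if (now != b->window_start) {       /* new one-second window: reset the counter */
        b->window_start = now;
        b->count = 0;
    }

    if (b->count < b->icmplim) {        /* still under the per-second limit */
        b->count++;
        return 1;
    }

    /* Limit reached.  Log once per window, and only if icmplim_output is set.
     * The log switch has no influence on the drop decision below. */
    if (b->count == b->icmplim) {
        if (b->icmplim_output) {
            printf("Limiting responses to %u packets/sec\n", b->icmplim);
            b->logged++;
        }
        b->count++;                     /* marks that this window already logged */
    }
    b->dropped++;
    return 0;
}

/* Drive `bursts` consecutive one-second windows of `n` attempts each. */
static void run_scenario(struct bandlim *b, unsigned icmplim, int output,
                         unsigned bursts, unsigned n)
{
    bandlim_init(b, icmplim, output);
    for (unsigned w = 0; w < bursts; w++)
        for (unsigned i = 0; i < n; i++)
            (void)bandlim_check(b, (long)w);
}

/* Totals for a scenario, exposed as plain return values. */
static unsigned total_sent(unsigned icmplim, int output, unsigned bursts, unsigned n)
{
    struct bandlim b;
    run_scenario(&b, icmplim, output, bursts, n);
    return bursts * n - b.dropped;
}

static unsigned total_dropped(unsigned icmplim, int output, unsigned bursts, unsigned n)
{
    struct bandlim b;
    run_scenario(&b, icmplim, output, bursts, n);
    return b.dropped;
}

static unsigned total_logged(unsigned icmplim, int output, unsigned bursts, unsigned n)
{
    struct bandlim b;
    run_scenario(&b, icmplim, output, bursts, n);
    return b.logged;
}

int main(void)
{
    /* 500 attempts in each of two seconds against the default limit of 200. */
    printf("icmplim=200 output=1: sent %u dropped %u logged %u\n",
           total_sent(200, 1, 2, 500), total_dropped(200, 1, 2, 500), total_logged(200, 1, 2, 500));
    printf("icmplim=200 output=0: sent %u dropped %u logged %u\n",
           total_sent(200, 0, 2, 500), total_dropped(200, 0, 2, 500), total_logged(200, 0, 2, 500));
    printf("icmplim=0   output=1: sent %u dropped %u logged %u\n",
           total_sent(0, 1, 2, 500), total_dropped(0, 1, 2, 500), total_logged(0, 1, 2, 500));
    return 0;
}
```

The second and third scenarios are the point of the PR: turning icmplim_output off leaves the drop counts unchanged and only silences the log line, while icmplim=0 lets every response through, which is why the manual page should describe one knob as the limit and the other as the logging switch.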