Commit 0bc19985 authored by Stephen Suryaputra's avatar Stephen Suryaputra Committed by David S. Miller
Browse files

ipv6: Add rate limit mask for ICMPv6 messages 



To make ICMPv6 closer to ICMPv4, add ratemask parameter. Since the ICMP
message types use larger numeric values, a simple bitmask doesn't fit.
I use large bitmap. The input and output are the in form of list of
ranges. Set the default to rate limit all error messages but Packet Too
Big. For Packet Too Big, use ratemask instead of hard-coded.

There are functions where icmpv6_xrlim_allow() and icmpv6_global_allow()
aren't called. This patch only adds them to icmpv6_echo_reply().

Rate limiting error messages is mandated by RFC 4443 but RFC 4890 says
that it is also acceptable to rate limit informational messages. Thus,
I removed the current hard-coded behavior of icmpv6_mask_allow() that
doesn't rate limit informational messages.

v2: Add dummy function proc_do_large_bitmap() if CONFIG_PROC_SYSCTL
    isn't defined, expand the description in ip-sysctl.txt and remove
    unnecessary conditional before kfree().
v3: Inline the bitmap instead of dynamically allocated. Still is a
    pointer to it is needed because of the way proc_do_large_bitmap work.

Signed-off-by: default avatarStephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4cf2d206

Documentation/networking/ip-sysctl.txt

+16 −1
Original line number Diff line number Diff line
@@ -1913,11 +1913,26 @@ enhanced_dad - BOOLEAN 


icmp/*:

ratelimit - INTEGER

	Limit the maximal rates for sending ICMPv6 packets.

	Limit the maximal rates for sending ICMPv6 messages.

	0 to disable any limiting,

	otherwise the minimal space between responses in milliseconds.

	Default: 1000



ratemask - list of comma separated ranges

	For ICMPv6 message types matching the ranges in the ratemask, limit

	the sending of the message according to ratelimit parameter.



	The format used for both input and output is a comma separated

	list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and

	129). Writing to the file will clear all previous ranges of ICMPv6

	message types and update the current list with the input.



	Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

	for numerical values of ICMPv6 message types, e.g. echo request is 128

	and echo reply is 129.



	Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)



echo_ignore_all - BOOLEAN

	If set non-zero, then the kernel will ignore all ICMP ECHO

	requests sent to it over the IPv6 protocol.

include/net/netns/ipv6.h

+3 −0
Original line number Diff line number Diff line
@@ -8,6 +8,7 @@ 
#ifndef __NETNS_IPV6_H__

#define __NETNS_IPV6_H__

#include <net/dst_ops.h>

#include <uapi/linux/icmpv6.h>



struct ctl_table_header;
@@ -35,6 +36,8 @@ struct netns_sysctl_ipv6 { 
	int icmpv6_echo_ignore_all;

	int icmpv6_echo_ignore_multicast;

	int icmpv6_echo_ignore_anycast;

	DECLARE_BITMAP(icmpv6_ratemask, ICMPV6_MSG_MAX + 1);

	unsigned long *icmpv6_ratemask_ptr;

	int anycast_src_echo_reply;

	int ip_nonlocal_bind;

	int fwmark_reflect;

include/uapi/linux/icmpv6.h

+4 −0
Original line number Diff line number Diff line
@@ -90,6 +90,8 @@ struct icmp6hdr { 
#define ICMPV6_TIME_EXCEED		3

#define ICMPV6_PARAMPROB		4



#define ICMPV6_ERRMSG_MAX       127



#define ICMPV6_INFOMSG_MASK		0x80



#define ICMPV6_ECHO_REQUEST		128
@@ -110,6 +112,8 @@ struct icmp6hdr { 


#define ICMPV6_MRDISC_ADV		151



#define ICMPV6_MSG_MAX          255



/*

 *	Codes for Destination Unreachable

 */

kernel/sysctl.c

+6 −0
Original line number Diff line number Diff line
@@ -3326,6 +3326,11 @@ int proc_doulongvec_ms_jiffies_minmax(struct ctl_table *table, int write, 
    return -ENOSYS;

}



int proc_do_large_bitmap(struct ctl_table *table, int write,

			 void __user *buffer, size_t *lenp, loff_t *ppos)

{

	return -ENOSYS;

}



#endif /* CONFIG_PROC_SYSCTL */
@@ -3366,3 +3371,4 @@ EXPORT_SYMBOL(proc_dointvec_ms_jiffies); 
EXPORT_SYMBOL(proc_dostring);

EXPORT_SYMBOL(proc_doulongvec_minmax);

EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);

EXPORT_SYMBOL(proc_do_large_bitmap);

net/ipv6/af_inet6.c

+9 −0
Original line number Diff line number Diff line
@@ -850,6 +850,15 @@ static int __net_init inet6_net_init(struct net *net) 
	net->ipv6.sysctl.icmpv6_echo_ignore_all = 0;

	net->ipv6.sysctl.icmpv6_echo_ignore_multicast = 0;

	net->ipv6.sysctl.icmpv6_echo_ignore_anycast = 0;



	/* By default, rate limit error messages.

	 * Except for pmtu discovery, it would break it.

	 * proc_do_large_bitmap needs pointer to the bitmap.

	 */

	bitmap_set(net->ipv6.sysctl.icmpv6_ratemask, 0, ICMPV6_ERRMSG_MAX + 1);

	bitmap_clear(net->ipv6.sysctl.icmpv6_ratemask, ICMPV6_PKT_TOOBIG, 1);

	net->ipv6.sysctl.icmpv6_ratemask_ptr = net->ipv6.sysctl.icmpv6_ratemask;



	net->ipv6.sysctl.flowlabel_consistency = 1;

	net->ipv6.sysctl.auto_flowlabels = IP6_DEFAULT_AUTO_FLOW_LABELS;

	net->ipv6.sysctl.idgen_retries = 3;

CRA Git | Maintained and supported by SUSTech CRA and CCSE