icmp: add a global rate limitation (4cdf507d) · Commits · 戴 / test

Documentation/networking/ip-sysctl.txt

+13 −0

Original line number	Diff line number	Diff line
		@@ -769,8 +769,21 @@ icmp_ratelimit - INTEGER
		icmp_ratemask (see below) to specific targets.
		0 to disable any limiting,
		otherwise the minimal space between responses in milliseconds.
		Note that another sysctl, icmp_msgs_per_sec limits the number
		of ICMP packets sent on all targets.
		Default: 1000

		icmp_msgs_per_sec - INTEGER
		Limit maximal number of ICMP packets sent per second from this host.
		Only messages whose type matches icmp_ratemask (see below) are
		controlled by this limit.
		Default: 1000

		icmp_msgs_burst - INTEGER
		icmp_msgs_per_sec controls number of ICMP packets sent per second,
		while icmp_msgs_burst controls the burst size of these packets.
		Default: 50

		icmp_ratemask - INTEGER
		Mask made of ICMP types for which rates are being limited.
		Significant bits: IHGFEDCBA9876543210

include/net/ip.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -548,6 +548,10 @@ void ip_icmp_error(struct sock sk, struct sk_buff skb, int err, __be16 port,
		void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport,
		u32 info);

		bool icmp_global_allow(void);
		extern int sysctl_icmp_msgs_per_sec;
		extern int sysctl_icmp_msgs_burst;

		#ifdef CONFIG_PROC_FS
		int ip_misc_proc_init(void);
		#endif

net/ipv4/icmp.c

+60 −4

Original line number	Diff line number	Diff line
		@@ -231,11 +231,61 @@ static inline void icmp_xmit_unlock(struct sock *sk)
		spin_unlock_bh(&sk->sk_lock.slock);
		}

		int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
		int sysctl_icmp_msgs_burst __read_mostly = 50;

		static struct {
		spinlock_t lock;
		u32 credit;
		u32 stamp;
		} icmp_global = {
		.lock = __SPIN_LOCK_UNLOCKED(icmp_global.lock),
		};

		/**
		* icmp_global_allow - Are we allowed to send one more ICMP message ?
		*
		* Uses a token bucket to limit our ICMP messages to sysctl_icmp_msgs_per_sec.
		* Returns false if we reached the limit and can not send another packet.
		* Note: called with BH disabled
		*/
		bool icmp_global_allow(void)
		{
		u32 credit, delta, incr = 0, now = (u32)jiffies;
		bool rc = false;

		/* Check if token bucket is empty and cannot be refilled
		* without taking the spinlock.
		*/
		if (!icmp_global.credit) {
		delta = min_t(u32, now - icmp_global.stamp, HZ);
		if (delta < HZ / 50)
		return false;
		}

		spin_lock(&icmp_global.lock);
		delta = min_t(u32, now - icmp_global.stamp, HZ);
		if (delta >= HZ / 50) {
		incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
		if (incr)
		icmp_global.stamp = now;
		}
		credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
		if (credit) {
		credit--;
		rc = true;
		}
		icmp_global.credit = credit;
		spin_unlock(&icmp_global.lock);
		return rc;
		}
		EXPORT_SYMBOL(icmp_global_allow);

		/*
		* Send an ICMP frame.
		*/

		static inline bool icmpv4_xrlim_allow(struct net net, struct rtable rt,
		static bool icmpv4_xrlim_allow(struct net net, struct rtable rt,
		struct flowi4 *fl4, int type, int code)
		{
		struct dst_entry *dst = &rt->dst;
		@@ -253,8 +303,14 @@ static inline bool icmpv4_xrlim_allow(struct net net, struct rtable rt,
		goto out;

		/* Limit if icmp type is enabled in ratemask. */
		if ((1 << type) & net->ipv4.sysctl_icmp_ratemask) {
		struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
		if (!((1 << type) & net->ipv4.sysctl_icmp_ratemask))
		goto out;

		rc = false;
		if (icmp_global_allow()) {
		struct inet_peer *peer;

		peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
		rc = inet_peer_xrlim_allow(peer,
		net->ipv4.sysctl_icmp_ratelimit);
		if (peer)

net/ipv4/sysctl_net_ipv4.c

+16 −0

Original line number	Diff line number	Diff line
		@@ -730,6 +730,22 @@ static struct ctl_table ipv4_table[] = {
		.extra1 = &zero,
		.extra2 = &one,
		},
		{
		.procname = "icmp_msgs_per_sec",
		.data = &sysctl_icmp_msgs_per_sec,
		.maxlen = sizeof(int),
		.mode = 0644,
		.proc_handler = proc_dointvec_minmax,
		.extra1 = &zero,
		},
		{
		.procname = "icmp_msgs_burst",
		.data = &sysctl_icmp_msgs_burst,
		.maxlen = sizeof(int),
		.mode = 0644,
		.proc_handler = proc_dointvec_minmax,
		.extra1 = &zero,
		},
		{
		.procname = "udp_mem",
		.data = &sysctl_udp_mem,

net/ipv6/icmp.c

+12 −8

Original line number	Diff line number	Diff line
		@@ -170,11 +170,11 @@ static bool is_ineligible(const struct sk_buff *skb)
		/*
		* Check the ICMP output rate limit
		*/
		static inline bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
		static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
		struct flowi6 *fl6)
		{
		struct dst_entry *dst;
		struct net *net = sock_net(sk);
		struct dst_entry *dst;
		bool res = false;

		/* Informational messages are not limited. */
		@@ -199,17 +199,21 @@ static inline bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
		} else {
		struct rt6_info rt = (struct rt6_info )dst;
		int tmo = net->ipv6.sysctl.icmpv6_time;
		struct inet_peer *peer;

		/* Give more bandwidth to wider prefixes. */
		if (rt->rt6i_dst.plen < 128)
		tmo >>= ((128 - rt->rt6i_dst.plen)>>5);

		peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1);
		if (icmp_global_allow()) {
		struct inet_peer *peer;

		peer = inet_getpeer_v6(net->ipv6.peers,
		&rt->rt6i_dst.addr, 1);
		res = inet_peer_xrlim_allow(peer, tmo);
		if (peer)
		inet_putpeer(peer);
		}
		}
		dst_release(dst);
		return res;
		}

Admin message