On 8/28/24 1:39 PM, Eric Dumazet wrote:
ICMP messages are ratelimited :
After the blamed commits, the two rate limiters are applied in this order:
host wide ratelimit (icmp_global_allow())
Per destination ratelimit (inetpeer based)
In order to avoid side-channels attacks, we need to apply the per destination check first.
This patch makes the following change :
icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3)
The per destination limit is checked/updated. This might add a new node in inetpeer tree.
icmp_global_consume() consumes tokens if prior operations succeeded.
This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS.
As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation.
Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited") Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Reported-by: Keyu Man keyu.man@email.ucr.edu Signed-off-by: Eric Dumazet edumazet@google.com Cc: Jesper Dangaard Brouer hawk@kernel.org Cc: stable@vger.kernel.org
include/net/ip.h | 2 + net/ipv4/icmp.c | 103 ++++++++++++++++++++++++++--------------------- net/ipv6/icmp.c | 28 ++++++++----- 3 files changed, 76 insertions(+), 57 deletions(-)
Reviewed-by: David Ahern dsahern@kernel.org