diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2022-10-07 14:22:57 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-10-14 08:36:16 +0000 |
| commit | a974702e274cbed52ae9ad9ecef8501e267b822d (patch) | |
| tree | 41b3fe6977778863761b9690a8eca026e886ea75 /sys/netpfil/pf | |
| parent | 12b92f3ed82aa71c0eba246ce3053ef225724570 (diff) | |
| download | src-a974702e274cbed52ae9ad9ecef8501e267b822d.tar.gz src-a974702e274cbed52ae9ad9ecef8501e267b822d.zip | |
pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf
PR: 266477
Event: Aberdeen Hackathon 2022
Differential Revision: https://reviews.freebsd.org/D36903
Diffstat (limited to 'sys/netpfil/pf')
| -rw-r--r-- | sys/netpfil/pf/pf.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2a6efbfe6e7d..d0139dc6bd15 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -3048,6 +3048,22 @@ pf_match_ieee8021q_pcp(u_int8_t prio, struct mbuf *m) return (mpcp == prio); } +static int +pf_icmp_to_bandlim(uint8_t type) +{ + switch (type) { + case ICMP_ECHO: + case ICMP_ECHOREPLY: + return (BANDLIM_ICMP_ECHO); + case ICMP_TSTAMP: + case ICMP_TSTAMPREPLY: + return (BANDLIM_ICMP_TSTAMP); + case ICMP_UNREACH: + default: + return (BANDLIM_ICMP_UNREACH); + } +} + static void pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, struct pf_krule *r) @@ -3056,6 +3072,16 @@ pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, struct mbuf *m0; struct pf_mtag *pf_mtag; + /* ICMP packet rate limitation. */ + if (af == AF_INET6) { + if (icmp6_ratelimit(NULL, type, code)) + return; + } else { + MPASS(af == AF_INET); + if (badport_bandlim(pf_icmp_to_bandlim(type)) != 0) + return; + } + /* Allocate outgoing queue entry, mbuf and mbuf tag. */ pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT); if (pfse == NULL) |