diff options
| author | Eric Dumazet <[email protected]> | 2024-08-29 14:46:39 +0000 |
|---|---|---|
| committer | Jakub Kicinski <[email protected]> | 2024-08-30 11:14:06 -0700 |
| commit | 8c2bd38b95f75f3d2a08c93e35303e26d480d24e (patch) | |
| tree | 76e4e48e5fe7d64b56eb5cc25f4dac1c03a653e3 /lib/find_bit.c | |
| parent | b26b64493343659cce8bbffa358bf39e4f68bdec (diff) | |
icmp: change the order of rate limits
ICMP messages are ratelimited :
After the blamed commits, the two rate limiters are applied in this order:
1) host wide ratelimit (icmp_global_allow())
2) Per destination ratelimit (inetpeer based)
In order to avoid side-channels attacks, we need to apply
the per destination check first.
This patch makes the following change :
1) icmp_global_allow() checks if the host wide limit is reached.
But credits are not yet consumed. This is deferred to 3)
2) The per destination limit is checked/updated.
This might add a new node in inetpeer tree.
3) icmp_global_consume() consumes tokens if prior operations succeeded.
This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.
As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.
Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited")
Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
Reported-by: Keyu Man <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Reviewed-by: David Ahern <[email protected]>
Cc: Jesper Dangaard Brouer <[email protected]>
Cc: [email protected]
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Diffstat (limited to 'lib/find_bit.c')
0 files changed, 0 insertions, 0 deletions