| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170614.153427.2166855120464478061.davem@davemloft.net>
Date: Wed, 14 Jun 2017 15:34:27 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: brouer@...hat.com
Cc: netdev@...r.kernel.org, fweimer@...hat.com, hjl.tools@...il.com
Subject: Re: [PATCH net] net: don't global ICMP rate limit packets
originating from loopback
From: Jesper Dangaard Brouer <brouer@...hat.com>
Date: Wed, 14 Jun 2017 13:27:37 +0200
> Florian Weimer seems to have a glibc test-case which requires that
> loopback interfaces does not get ICMP ratelimited. This was broken by
> commit c0303efeab73 ("net: reduce cycles spend on ICMP replies that
> gets rate limited").
>
> An ICMP response will usually be routed back-out the same incoming
> interface. Thus, take advantage of this and skip global ICMP
> ratelimit when the incoming device is loopback. In the unlikely event
> that the outgoing it not loopback, due to strange routing policy
> rules, ICMP rate limiting still works via peer ratelimiting via
> icmpv4_xrlim_allow(). Thus, we should still comply with RFC1812
> (section 4.3.2.8 "Rate Limiting").
>
> This seems to fix the reproducer given by Florian. While still
> avoiding to perform expensive and unneeded outgoing route lookup for
> rate limited packets (in the non-loopback case).
>
> Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited")
> Reported-by: Florian Weimer <fweimer@...hat.com>
> Reported-by: "H.J. Lu" <hjl.tools@...il.com>
> Signed-off-by: Jesper Dangaard Brouer <brouer@...hat.com>
Applied and queued up for -stable, thanks Jesper.
Powered by blists - more mailing lists