Date:      Thu, 13 Feb 2025 16:46:12 GMT
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: b6dc6601559b - releng/13.5 - icmp: when logging ICMP ratelimiting message use correct jitter value
Message-ID:  <202502131646.51DGkC9R041544@gitrepo.freebsd.org>

The branch releng/13.5 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=b6dc6601559b44348507df9dd8cce7e438bec4c9

commit b6dc6601559b44348507df9dd8cce7e438bec4c9
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2024-03-24 16:13:23 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2025-02-13 13:59:09 +0000

    icmp: when logging ICMP ratelimiting message use correct jitter value
    
    The limiting of the very last second has been done using a certain jitter
    value.  We update the jitter for the next second.  But the logging should
    report the jitter before the change.
    
    Reviewed by:            kp, tuexen, zlei
    Differential Revision:  https://reviews.freebsd.org/D44477
    Approved by:            re (cperciva)
    
    (cherry picked from commit b508545ce044dbfdd83da772e73f969a3713d59d)
    (cherry picked from commit a71eee300ba7d94a1621c7b31eaaa79243db84ec)
---
 sys/netinet/ip_icmp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 5c8c17cba049..199b76aa9ad6 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1139,6 +1139,11 @@ badport_bandlim(int which)
 	pps = counter_ratecheck(&V_icmp_rates[which], V_icmplim +
 	    V_icmplim_curr_jitter);
 	if (pps > 0) {
+		if (V_icmplim_output)
+			log(LOG_NOTICE,
+			    "Limiting %s response from %jd to %d packets/sec\n",
+			    icmp_rate_descrs[which], (intmax_t )pps,
+			    V_icmplim + V_icmplim_curr_jitter);
 		/*
 		 * Adjust limit +/- to jitter the measurement to deny a
 		 * side-channel port scan as in CVE-2020-25705
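
Review bot: The added log() call recomputes the limit as `V_icmplim + V_icmplim_curr_jitter`, the same expression passed to counter_ratecheck() just above it, so the logged value is only correct as long as the call stays ahead of the jitter adjustment that follows. Computing the limit once into a local and using it for both the rate check and the log would make the reported value the enforced one by construction, and a one-line comment stating that the log must precede the jitter update would protect against a later reorder. Minor style point in the same call: the cast `(intmax_t )pps` has a stray space before the closing parenthesis, carried over from the removed lines.
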
@@ -1153,10 +1158,5 @@ badport_bandlim(int which)
 	}
 	if (pps == -1)
 		return (-1);
-	if (pps > 0 && V_icmplim_output)
-		log(LOG_NOTICE,
-		    "Limiting %s response from %jd to %d packets/sec\n",
-		    icmp_rate_descrs[which], (intmax_t )pps, V_icmplim +
-		    V_icmplim_curr_jitter);
 	return (0);
 }
