Date: Sun, 18 Sep 2022 07:27:49 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 266477] PF does not obey ICMP rate limits
Message-ID: <bug-266477-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266477

Bug ID: 266477
Summary: PF does not obey ICMP rate limits
Product: Base System
Version: 13.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: darius@dons.net.au
CC: kp@freebsd.org

PF emits ICMP messages for blocked connections (when return is set) but it does not call the rate limit code (badport_bandlim) and hence will send them at an unlimited rate. IMO this is a POLA violation.

Furthermore the IPv6 stack does not appear to call it either; badport_bandlim has BANDLIM_ICMP6_UNREACH but it does not appear to be used.

I think it would make more sense to move the rate limiting code into icmp_error/icmp6_error and perhaps also add some per-ICMP type stats exposed as sysctls.

-- 
You are receiving this mail because:
You are the assignee for the bug.
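To make the reported gap concrete, here is an added user-space model (not FreeBSD code, and not the reporter's) of the per-class ICMP error rate limiter the report wants consulted from pf's `block return` path, with the per-type suppression counter the report suggests exposing as a sysctl. The fixed one-second window, the `BL_*` class names and the `pf_block_return_burst()` driver are assumptions for illustration; the real badport_bandlim() is built on the kernel's counter_ratecheck() and the 200/s budget only mirrors the default of net.inet.icmp.icmplim.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD code: a fixed-window, per-class limiter in
 * the spirit of badport_bandlim(). Class names are hypothetical, modelled
 * on the BANDLIM_* indices mentioned in the report.
 */
enum bandlim_type {
    BL_ICMP_UNREACH = 0,
    BL_ICMP6_UNREACH,
    BL_RST_CLOSEDPORT,
    BL_MAX
};

struct ratectr {
    uint64_t window_start; /* second in which the current window began */
    uint64_t count;        /* errors emitted in the current window */
    uint64_t dropped;      /* errors suppressed: the per-type stat a sysctl could expose */
};

static struct ratectr rates[BL_MAX];
/* Per-second budget per class; 200 mirrors net.inet.icmp.icmplim's default (assumption). */
static uint64_t icmplim = 200;

void bandlim_reset(void)
{
    memset(rates, 0, sizeof(rates));
}

/* Returns true if the caller may emit an ICMP error of class t during second now_sec. */
bool bandlim_allow(enum bandlim_type t, uint64_t now_sec)
{
    struct ratectr *r = &rates[t];

    if (r->window_start != now_sec) { /* new window: refill the budget */
        r->window_start = now_sec;
        r->count = 0;
    }
    if (r->count < icmplim) {
        r->count++;
        return true;
    }
    r->dropped++;                     /* budget exhausted: suppress and count it */
    return false;
}

uint64_t bandlim_dropped(enum bandlim_type t)
{
    return rates[t].dropped;
}

/*
 * Model of pf handling n blocked packets within one second with 'return' set.
 * limited == false is the behaviour the report describes (every blocked packet
 * yields an ICMP error); limited == true consults the limiter first, as the
 * report proposes. Returns the number of errors that would be sent.
 */
size_t pf_block_return_burst(enum bandlim_type t, size_t n, uint64_t now_sec, bool limited)
{
    size_t sent = 0;

    for (size_t i = 0; i < n; i++) {
        if (!limited || bandlim_allow(t, now_sec))
            sent++;                   /* icmp_error()/icmp6_error() would be called here */
    }
    return sent;
}

int main(void)
{
    size_t sent;

    bandlim_reset();
    sent = pf_block_return_burst(BL_ICMP_UNREACH, 1000, 1, false);
    printf("unlimited: %zu of 1000 errors sent\n", sent);
    sent = pf_block_return_burst(BL_ICMP_UNREACH, 1000, 1, true);
    printf("limited:   %zu of 1000 errors sent, %llu suppressed\n",
           sent, (unsigned long long)bandlim_dropped(BL_ICMP_UNREACH));
    return 0;
}
```

The point of the split into `bandlim_allow()` and the per-class `dropped` counter is that the same check can sit inside icmp_error()/icmp6_error(), where every producer (the TCP/UDP stacks, pf, and the v6 stack that currently never reaches BANDLIM_ICMP6_UNREACH) passes through it, rather than relying on each caller to remember the limiter.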