Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 26 Jun 2024 04:50:21 GMT
From:      Zhenlei Huang <zlei@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 09a05224b04f - stable/14 - icmp: when logging ICMP ratelimiting message use correct jitter value
Message-ID:  <202406260450.45Q4oLov063672@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/14 has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=09a05224b04f4c67e1ebd8367788dc0068a47fc6

commit 09a05224b04f4c67e1ebd8367788dc0068a47fc6
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2024-03-24 16:13:23 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2024-06-26 04:48:43 +0000

    icmp: when logging ICMP ratelimiting message use correct jitter value
    
    The limiting of the very last second has been done using certain jitter
    value.  We update the jitter for the next second.  But the logging should
    report the jitter before the change.
    
    Reviewed by:            kp, tuexen, zlei
    Differential Revision:  https://reviews.freebsd.org/D44477
    
    (cherry picked from commit b508545ce044dbfdd83da772e73f969a3713d59d)
---
 sys/netinet/ip_icmp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 39eb46fd2d90..83034f9d9dd4 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1147,6 +1147,11 @@ badport_bandlim(int which)
 	pps = counter_ratecheck(&V_icmp_rates[which], V_icmplim +
 	    V_icmplim_curr_jitter);
 	if (pps > 0) {
+		if (V_icmplim_output)
+			log(LOG_NOTICE,
+			    "Limiting %s response from %jd to %d packets/sec\n",
+			    icmp_rate_descrs[which], (intmax_t )pps,
+			    V_icmplim + V_icmplim_curr_jitter);
 		/*
 		 * Adjust limit +/- to jitter the measurement to deny a
 		 * side-channel port scan as in CVE-2020-25705
@@ -1161,10 +1166,5 @@ badport_bandlim(int which)
 	}
 	if (pps == -1)
 		return (-1);
-	if (pps > 0 && V_icmplim_output)
-		log(LOG_NOTICE,
-		    "Limiting %s response from %jd to %d packets/sec\n",
-		    icmp_rate_descrs[which], (intmax_t )pps, V_icmplim +
-		    V_icmplim_curr_jitter);
 	return (0);
 }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202406260450.45Q4oLov063672>