git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Dumazet <edumazet@google.com>
	Fri, 19 Sep 2014 14:38:40 +0000 (07:38 -0700)
committer	David S. Miller <davem@davemloft.net>
	Tue, 23 Sep 2014 16:47:38 +0000 (12:47 -0400)
commit	0fcdcc7c3da1bbcb9a1fe0730660bc584dfbdb1f
tree	3ea6c335251ee0b0bdb404df727ca307d55a9de9	tree \| snapshot
parent	9a86fe708eda92b18e4409ba59b70ef7f4a2f12e	commit \| diff

icmp: add a global rate limitation

Current ICMP rate limiting uses inetpeer cache, which is an RBL tree
protected by a lock, meaning that hosts can be stuck hard if all cpus
want to check ICMP limits.

When say a DNS or NTP server process is restarted, inetpeer tree grows
quick and machine comes to its knees.

iptables can not help because the bottleneck happens before ICMP
messages are even cooked and sent.

This patch adds a new global limitation, using a token bucket filter,
controlled by two new sysctl :

icmp_msgs_per_sec - INTEGER
    Limit maximal number of ICMP packets sent per second from this host.
    Only messages whose type matches icmp_ratemask are
    controlled by this limit.
    Default: 1000

icmp_msgs_burst - INTEGER
    icmp_msgs_per_sec controls number of ICMP packets sent per second,
    while icmp_msgs_burst controls the burst size of these packets.
    Default: 50

Note that if we really want to send millions of ICMP messages per
second, we might extend idea and infra added in commit 387cacb14201b
("ip: make IP identifiers less predictable") :
add a token bucket in the ip_idents hash and no longer rely on inetpeer.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Documentation/networking/ip-sysctl.txt		diff \| blob \| history
include/net/ip.h		diff \| blob \| history
net/ipv4/icmp.c		diff \| blob \| history
net/ipv4/sysctl_net_ipv4.c		diff \| blob \| history
net/ipv6/icmp.c		diff \| blob \| history