git.baikalelectronics.ru Git - kernel.git/commit

author	Jesper Dangaard Brouer <brouer@redhat.com>
	Wed, 14 Jun 2017 11:27:37 +0000 (13:27 +0200)
committer	David S. Miller <davem@davemloft.net>
	Wed, 14 Jun 2017 19:33:58 +0000 (15:33 -0400)
commit	1084f1fc80e35cf3e5adb6f4d09b7006c6c6c685
tree	401229e174fa94ffe0234295777b5c4df181fafd	tree \| snapshot
parent	955909de34df269ffcaff7c1249cd6b417c2c7ef	commit \| diff

net: don't global ICMP rate limit packets originating from loopback

Florian Weimer seems to have a glibc test-case which requires that
loopback interfaces does not get ICMP ratelimited.  This was broken by
commit 59808e60b6f1 ("net: reduce cycles spend on ICMP replies that
gets rate limited").

An ICMP response will usually be routed back-out the same incoming
interface.  Thus, take advantage of this and skip global ICMP
ratelimit when the incoming device is loopback.  In the unlikely event
that the outgoing it not loopback, due to strange routing policy
rules, ICMP rate limiting still works via peer ratelimiting via
icmpv4_xrlim_allow().  Thus, we should still comply with RFC1812
(section 4.3.2.8 "Rate Limiting").

This seems to fix the reproducer given by Florian.  While still
avoiding to perform expensive and unneeded outgoing route lookup for
rate limited packets (in the non-loopback case).

Fixes: 59808e60b6f1 ("net: reduce cycles spend on ICMP replies that gets rate limited")
Reported-by: Florian Weimer <fweimer@redhat.com>
Reported-by: "H.J. Lu" <hjl.tools@gmail.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/icmp.c		diff \| blob \| history
net/ipv6/icmp.c		diff \| blob \| history