git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jesper Dangaard Brouer <brouer@redhat.com>
	Wed, 14 Jun 2017 11:27:37 +0000 (13:27 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 5 Jul 2017 12:41:36 +0000 (14:41 +0200)
commit	bdfae324ba1552520f711f9db8ee9c7e81061541
tree	cef339192635b9db9bbbfd01c1d5481d8755474f	tree
parent	487dd0ab72ed0fb8a0a1347b4bd140313aa858cc	commit \| diff

net: don't global ICMP rate limit packets originating from loopback

[ Upstream commit 849a44de91636c24cea799cb8ad8c36433feb913 ]

Florian Weimer seems to have a glibc test-case which requires that
loopback interfaces does not get ICMP ratelimited.  This was broken by
commit c0303efeab73 ("net: reduce cycles spend on ICMP replies that
gets rate limited").

An ICMP response will usually be routed back-out the same incoming
interface.  Thus, take advantage of this and skip global ICMP
ratelimit when the incoming device is loopback.  In the unlikely event
that the outgoing it not loopback, due to strange routing policy
rules, ICMP rate limiting still works via peer ratelimiting via
icmpv4_xrlim_allow().  Thus, we should still comply with RFC1812
(section 4.3.2.8 "Rate Limiting").

This seems to fix the reproducer given by Florian.  While still
avoiding to perform expensive and unneeded outgoing route lookup for
rate limited packets (in the non-loopback case).

Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited")
Reported-by: Florian Weimer <fweimer@redhat.com>
Reported-by: "H.J. Lu" <hjl.tools@gmail.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net/ipv4/icmp.c		diff \| blob \| blame \| history
net/ipv6/icmp.c		diff \| blob \| blame \| history