These sysctls were added in
4cdf507d5452 ("icmp: add a global rate
limitation") and their default values might be too small.
Some network tools send probes to closed UDP ports from many hosts
to estimate proportion of packet drops on a particular target.
This patch sets both sysctls to 10000.
Note the per-peer rate-limit (as described in RFC 4443 2.4 (f))
intent is still enforced.
This also increases security, see
b38e7819cae9
("icmp: randomize the global rate limiter") for reference.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260223161742.929830-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
controlled by this limit. For security reasons, the precise count
of messages per second is randomized.
- Default: 1000
+ Default: 10000
icmp_msgs_burst - INTEGER
icmp_msgs_per_sec controls number of ICMP packets sent per second,
- while icmp_msgs_burst controls the burst size of these packets.
+ while icmp_msgs_burst controls the token bucket size.
For security reasons, the precise burst size is randomized.
- Default: 50
+ Default: 10000
icmp_ratemask - INTEGER
Mask made of ICMP types for which rates are being limited.
net->ipv4.sysctl_icmp_ratemask = 0x1818;
net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr = 0;
net->ipv4.sysctl_icmp_errors_extension_mask = 0;
- net->ipv4.sysctl_icmp_msgs_per_sec = 1000;
- net->ipv4.sysctl_icmp_msgs_burst = 50;
+ net->ipv4.sysctl_icmp_msgs_per_sec = 10000;
+ net->ipv4.sysctl_icmp_msgs_burst = 10000;
return 0;
}
projects / thirdparty / linux.git / commitdiff
