diff options
| author |   Neale Ranns <neale@graphiant.com> | 2022-02-17 09:08:47 +0000 |
|---|---|---|
| committer |   Ole Tr�an <otroan@employees.org> | 2022-03-04 16:14:11 +0000 |
| commit | 5c6dd17a373a2c56e57f02426d66a79af7faa19c (patch) | |
| tree | 154930db914285fda1636eb47faef2b1275e0190 /src/vnet/ip/icmp6.c | |
| parent | bc91e86674d446e024a957318d42a3bbd3280bf1 (diff) | |
ip: rate-limit the sending of ICMP error messages
Type: improvement
For error conditions, such as TTL expired, dest unreach, etc, Rate limit the sending of ICMP error messages.
The rate limiting is done based on src,dst IP address of the received packet.
the rate limit has been chosen, somewhat arbitrarily, to be 1e-3. This is the same limit as the ARP throttling.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a0b791cde8c941a9bf37de6aa5da56779d3cef4
Diffstat (limited to 'src/vnet/ip/icmp6.c')
| -rw-r--r-- | src/vnet/ip/icmp6.c | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/src/vnet/ip/icmp6.c b/src/vnet/ip/icmp6.c index 3c8300ff014..f92f31c05cb 100644 --- a/src/vnet/ip/icmp6.c +++ b/src/vnet/ip/icmp6.c @@ -41,6 +41,10 @@ #include <vnet/ip/ip.h> #include <vnet/pg/pg.h> #include <vnet/ip/ip_sas.h> +#include <vnet/util/throttle.h> + +/** ICMP throttling */ +static throttle_t icmp_throttle; static u8 * format_ip6_icmp_type_and_code (u8 * s, va_list * args) @@ -296,11 +300,14 @@ ip6_icmp_error (vlib_main_t * vm, u32 *from, *to_next; uword n_left_from, n_left_to_next; ip6_icmp_error_next_t next_index; + u32 thread_index = vm->thread_index; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; next_index = node->cached_next_index; + u64 seed = throttle_seed (&icmp_throttle, thread_index, vlib_time_now (vm)); + if (node->flags & VLIB_NODE_FLAG_TRACE) vlib_trace_frame_buffers_only (vm, node, from, frame->n_vectors, /* stride */ 1, @@ -330,6 +337,21 @@ ip6_icmp_error (vlib_main_t * vm, int bogus_length; org_p0 = vlib_get_buffer (vm, org_pi0); + ip0 = vlib_buffer_get_current (org_p0); + + /* Rate limit based on the src,dst addresses in the original packet + */ + u64 r0 = (ip6_address_hash_to_u64 (&ip0->dst_address) ^ + ip6_address_hash_to_u64 (&ip0->src_address)); + + if (throttle_check (&icmp_throttle, thread_index, r0, seed)) + { + vlib_error_count (vm, node->node_index, ICMP4_ERROR_DROP, 1); + from += 1; + n_left_from -= 1; + continue; + } + p0 = vlib_buffer_copy_no_chain (vm, org_p0, &pi0); if (!p0 || pi0 == ~0) /* Out of buffers */ continue; @@ -341,9 +363,10 @@ ip6_icmp_error (vlib_main_t * vm, n_left_from -= 1; n_left_to_next -= 1; - ip0 = vlib_buffer_get_current (p0); sw_if_index0 = vnet_buffer (p0)->sw_if_index[VLIB_RX]; + vlib_buffer_copy_trace_flag (vm, p0, pi0); + /* Add IP header and ICMPv6 header including a 4 byte data field */ vlib_buffer_advance (p0, -(sizeof (ip6_header_t) + @@ -624,6 +647,11 @@ icmp6_init (vlib_main_t * vm) cm->min_valid_length_by_type[ICMP6_redirect] = sizeof (icmp6_redirect_header_t); + vlib_thread_main_t *tm = &vlib_thread_main; + u32 n_vlib_mains = tm->n_vlib_mains; + + throttle_init (&icmp_throttle, n_vlib_mains, 1e-3); + return (NULL); } |