From 32aeee8ce7e72738fff236ccd5629d55035458f8 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Sun, 24 Mar 2024 09:13:23 -0700
Subject: [PATCH] icmp6: rate limit our echo replies

The generation of ICMP6_ECHO_REPLY bypasses icmp6_error(), thus rate
limit was not applied.

Reviewed by:		tuexen, zlei
Differential Revision:	https://reviews.freebsd.org/D44480
---
 sys/netinet6/icmp6.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 260f5c7e246..321622bcf7e 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -546,6 +546,8 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
 		icmp6_ifstat_inc(ifp, ifs6_in_echo);
 		if (code != 0)
 			goto badcode;
+		if (icmp6_ratelimit(&ip6->ip6_src, ICMP6_ECHO_REPLY, 0))
+			break;
 		if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) == NULL) {
 			/* Give up remote */
 			break;