upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-08 16:22:46 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

icmp: when logging ICMP ratelimiting message use correct jitter value

Browse source 
The limiting of the very last second has been done using certain jitter
value.  We update the jitter for the next second.  But the logging should
report the jitter before the change.

Reviewed by:		kp, tuexen, zlei
Differential Revision:	https://reviews.freebsd.org/D44477
This commit is contained in:
Gleb Smirnoff 2024-03-24 09:13:23 -07:00
parent 9d7f17d746
commit b508545ce0
1 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
sys/netinet/ip_icmp.c
View file

@ -1145,6 +1145,11 @@ badport_bandlim(int which)
pps = counter_ratecheck(&V_icmp_rates[which], V_icmplim +
V_icmplim_curr_jitter);
if (pps > 0) {
if (V_icmplim_output)
log(LOG_NOTICE,
"Limiting %s response from %jd to %d packets/sec\n",
icmp_rate_descrs[which], (intmax_t )pps,
V_icmplim + V_icmplim_curr_jitter);
/*
* Adjust limit +/- to jitter the measurement to deny a
* side-channel port scan as in CVE-2020-25705
@ -1159,10 +1164,5 @@ badport_bandlim(int which)
}
if (pps == -1)
return (-1);
if (pps > 0 && V_icmplim_output)
log(LOG_NOTICE,
"Limiting %s response from %jd to %d packets/sec\n",
icmp_rate_descrs[which], (intmax_t )pps, V_icmplim +
V_icmplim_curr_jitter);
return (0);
}