From b508545ce044dbfdd83da772e73f969a3713d59d Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff
Date: Sun, 24 Mar 2024 09:13:23 -0700
Subject: [PATCH] icmp: when logging ICMP ratelimiting message use correct jitter value

The limiting of the very last second has been done using certain jitter value. We update the jitter for the next second. But the logging should report the jitter before the change.
Reviewed by: kp, tuexen, zlei
Differential Revision: https://reviews.freebsd.org/D44477
---
 sys/netinet/ip_icmp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index fd9342831e4..245e1c8040a 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1145,6 +1145,11 @@ badport_bandlim(int which)
 pps = counter_ratecheck(&V_icmp_rates[which], V_icmplim + V_icmplim_curr_jitter);
 if (pps > 0) {
+ if (V_icmplim_output)
+ log(LOG_NOTICE,
+ "Limiting %s response from %jd to %d packets/sec\n",
+ icmp_rate_descrs[which], (intmax_t )pps,
+ V_icmplim + V_icmplim_curr_jitter);
 /*
 * Adjust limit +/- to jitter the measurement to deny a
 * side-channel port scan as in CVE-2020-25705
@@ -1159,10 +1164,5 @@ badport_bandlim(int which)
 }
 if (pps == -1)
 return (-1);
- if (pps > 0 && V_icmplim_output)
- log(LOG_NOTICE,
- "Limiting %s response from %jd to %d packets/sec\n",
- icmp_rate_descrs[which], (intmax_t )pps, V_icmplim +
- V_icmplim_curr_jitter);
 return (0);
 }
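Review bot: The log call added inside `if (pps > 0)` recomputes `V_icmplim + V_icmplim_curr_jitter` instead of reusing the value passed to `counter_ratecheck()`, so the logged limit matches the enforced one only if neither variable is written in between. Capturing it once before the ratecheck, `const int limit = V_icmplim + V_icmplim_curr_jitter;`, and passing `limit` to both calls would make the two agree by construction. The placement is also security-relevant and should carry a comment such as `/* Log before re-randomizing: report the limit just enforced, never the upcoming one. */`. The jitter exists to keep the next second's limit unpredictable (the CVE-2020-25705 side channel named in the comment below), and a later reordering would write that value to the log. The function starts before the hunk and the jitter update lies between the two hunks, so this is inferred from the visible comment.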