armbian/linux-rockchip
0
0
Fork 0
mirror of https://github.com/armbian/linux-rockchip.git synced 2026-01-06 11:08:10 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6fddf325fa41cd4b2cbab6174ef293e867d54a57
linux-rockchip/include/net
History
Eric Dumazet 997ba88896 icmp: change the order of rate limits 
commit 8c2bd38b95f75f3d2a08c93e35303e26d480d24e upstream.

ICMP messages are ratelimited :

After the blamed commits, the two rate limiters are applied in this order:

1) host wide ratelimit (icmp_global_allow())

2) Per destination ratelimit (inetpeer based)

In order to avoid side-channels attacks, we need to apply
the per destination check first.

This patch makes the following change :

1) icmp_global_allow() checks if the host wide limit is reached.
   But credits are not yet consumed. This is deferred to 3)

2) The per destination limit is checked/updated.
   This might add a new node in inetpeer tree.

3) icmp_global_consume() consumes tokens if prior operations succeeded.

This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.

As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.

Fixes: c0303efeab ("net: reduce cycles spend on ICMP replies that gets rate limited")
Fixes: 4cdf507d54 ("icmp: add a global rate limitation")
Reported-by: Keyu Man <keyu.man@email.ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Cc: Jesper Dangaard Brouer <hawk@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20240829144641.3880376-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:21:27 +02:00
..
9p
bluetooth
caif
iucv
netfilter
netns
nfc
phonet
sctp
tc_act
6lowpan.h
act_api.h
addrconf.h
af_ieee802154.h
af_rxrpc.h
af_unix.h
af_vsock.h
ah.h
amt.h
arp.h
atmclip.h
ax25.h
ax88796.h
bareudp.h
bond_3ad.h
bond_alb.h
bond_options.h
bonding.h
bpf_sk_storage.h
busy_poll.h
calipso.h
cfg80211-wext.h
cfg80211.h
cfg802154.h
checksum.h
cipso_ipv4.h
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h
dropreason.h
dsa.h
dsfield.h
dst_cache.h
dst_metadata.h
dst_ops.h
dst.h
erspan.h
esp.h
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h
firewire.h
flow_dissector.h
flow_offload.h
flow.h
fou.h
fq_impl.h
fq.h
garp.h
gen_stats.h
genetlink.h
geneve.h
gre.h
gro_cells.h
gro.h
gtp.h
gue.h
hwbm.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h
inet_dscp.h
inet_ecn.h
inet_frag.h
inet_hashtables.h
inet_sock.h
inet_timewait_sock.h
inetpeer.h
ioam6.h
ip6_checksum.h
ip6_fib.h
ip6_route.h
ip6_tunnel.h
ip_fib.h
ip_tunnels.h
ip_vs.h
ip.h
ipcomp.h
ipconfig.h
ipv6_frag.h
ipv6_stubs.h
ipv6.h
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
lwtunnel.h
mac80211.h
mac802154.h
macsec.h
mctp.h
mctpdevice.h
mip6.h
mld.h
mpls_iptunnel.h
mpls.h
mptcp.h
mrp.h
ncsi.h
ndisc.h
neighbour.h
net_debug.h
net_failover.h
net_namespace.h
net_ratelimit.h
net_trackers.h
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h
nsh.h
p8022.h
page_pool.h
pie.h
ping.h
pkt_cls.h
pkt_sched.h
pptp.h
protocol.h
psample.h
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h
rose.h
route.h
rpl.h
rsi_91x.h
rtnetlink.h
rtnh.h
sch_generic.h
scm.h
secure_seq.h
seg6_hmac.h
seg6_local.h
seg6.h
selftests.h
slhc_vj.h
smc.h
snmp.h
sock_reuseport.h
sock.h
Space.h
stp.h
strparser.h
switchdev.h
tcp_states.h
tcp.h
timewait_sock.h
tipc.h
tls_toe.h
tls.h
transp_v6.h
tso.h
tun_proto.h
udp_tunnel.h
udp.h
udplite.h
vsock_addr.h
vxlan.h
wext.h
x25.h
x25device.h
xdp_priv.h
xdp_sock_drv.h
xdp_sock.h
xdp.h
xfrm.h
xsk_buff_pool.h