aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/networking
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2014-09-19 10:38:40 -0400
committerDavid S. Miller <davem@davemloft.net>2014-09-23 12:47:38 -0400
commit4cdf507d54525842dfd9f6313fdafba039084046 (patch)
tree3ea6c335251ee0b0bdb404df727ca307d55a9de9 /Documentation/networking
parente8b56d55a30afe588d905913d011678235dda437 (diff)
icmp: add a global rate limitation
Current ICMP rate limiting uses inetpeer cache, which is an RBL tree protected by a lock, meaning that hosts can be stuck hard if all cpus want to check ICMP limits. When say a DNS or NTP server process is restarted, inetpeer tree grows quick and machine comes to its knees. iptables can not help because the bottleneck happens before ICMP messages are even cooked and sent. This patch adds a new global limitation, using a token bucket filter, controlled by two new sysctl : icmp_msgs_per_sec - INTEGER Limit maximal number of ICMP packets sent per second from this host. Only messages whose type matches icmp_ratemask are controlled by this limit. Default: 1000 icmp_msgs_burst - INTEGER icmp_msgs_per_sec controls number of ICMP packets sent per second, while icmp_msgs_burst controls the burst size of these packets. Default: 50 Note that if we really want to send millions of ICMP messages per second, we might extend idea and infra added in commit 04ca6973f7c1a ("ip: make IP identifiers less predictable") : add a token bucket in the ip_idents hash and no longer rely on inetpeer. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation/networking')
-rw-r--r--Documentation/networking/ip-sysctl.txt13
1 files changed, 13 insertions, 0 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 1b5581a30d77..c7a81ace35d0 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -769,8 +769,21 @@ icmp_ratelimit - INTEGER
769 icmp_ratemask (see below) to specific targets. 769 icmp_ratemask (see below) to specific targets.
770 0 to disable any limiting, 770 0 to disable any limiting,
771 otherwise the minimal space between responses in milliseconds. 771 otherwise the minimal space between responses in milliseconds.
772 Note that another sysctl, icmp_msgs_per_sec limits the number
773 of ICMP packets sent on all targets.
772 Default: 1000 774 Default: 1000
773 775
776icmp_msgs_per_sec - INTEGER
777 Limit maximal number of ICMP packets sent per second from this host.
778 Only messages whose type matches icmp_ratemask (see below) are
779 controlled by this limit.
780 Default: 1000
781
782icmp_msgs_burst - INTEGER
783 icmp_msgs_per_sec controls number of ICMP packets sent per second,
784 while icmp_msgs_burst controls the burst size of these packets.
785 Default: 50
786
774icmp_ratemask - INTEGER 787icmp_ratemask - INTEGER
775 Mask made of ICMP types for which rates are being limited. 788 Mask made of ICMP types for which rates are being limited.
776 Significant bits: IHGFEDCBA9876543210 789 Significant bits: IHGFEDCBA9876543210