From: Eric Dumazet <edumazet@google.com>
To: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
Willem de Bruijn <willemb@google.com>,
David Ahern <dsahern@kernel.org>,
netdev@vger.kernel.org, eric.dumazet@gmail.com,
Eric Dumazet <edumazet@google.com>
Subject: [PATCH v2 net 4/5] ipv4: icmp: icmpv4_xrlim_allow() optimization if net.ipv4.icmp_ratelimit is zero
Date: Mon, 16 Feb 2026 14:28:31 +0000 [thread overview]
Message-ID: <20260216142832.3834174-5-edumazet@google.com> (raw)
In-Reply-To: <20260216142832.3834174-1-edumazet@google.com>
If net.ipv4.icmp_ratelimit is zero, we do not have to call
inet_getpeer_v4() and inet_peer_xrlim_allow().
Both can be very expensive under DDOS.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
---
net/ipv4/icmp.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index eff8487c0aba8df0d1e515b9ac6ff7f9ac1de436..a62b4c4033ccbaa5f6de1345ab33f89b4096b691 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -316,23 +316,29 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
struct dst_entry *dst = &rt->dst;
struct inet_peer *peer;
struct net_device *dev;
+ int peer_timeout;
bool rc = true;
if (!apply_ratelimit)
return true;
+ peer_timeout = READ_ONCE(net->ipv4.sysctl_icmp_ratelimit);
+ if (!peer_timeout)
+ goto out;
+
/* No rate limit on loopback */
rcu_read_lock();
dev = dst_dev_rcu(dst);
if (dev && (dev->flags & IFF_LOOPBACK))
- goto out;
+ goto out_unlock;
peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr,
l3mdev_master_ifindex_rcu(dev));
- rc = inet_peer_xrlim_allow(peer,
- READ_ONCE(net->ipv4.sysctl_icmp_ratelimit));
-out:
+ rc = inet_peer_xrlim_allow(peer, peer_timeout);
+
+out_unlock:
rcu_read_unlock();
+out:
if (!rc)
__ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);
else
--
2.53.0.310.g728cabbaf7-goog
next prev parent reply other threads:[~2026-02-16 14:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-16 14:28 [PATCH v2 net 0/5] icmp: better deal with DDOS Eric Dumazet
2026-02-16 14:28 ` [PATCH v2 net 1/5] icmp: prevent possible overflow in icmp_global_allow() Eric Dumazet
2026-02-16 14:28 ` [PATCH v2 net 2/5] inet: move icmp_global_{credit,stamp} to a separate cache line Eric Dumazet
2026-02-16 14:28 ` [PATCH v2 net 3/5] ipv6: icmp: remove obsolete code in icmpv6_xrlim_allow() Eric Dumazet
2026-02-16 14:28 ` Eric Dumazet [this message]
2026-02-16 14:28 ` [PATCH v2 net 5/5] ipv6: icmp: icmpv6_xrlim_allow() optimization if net.ipv6.icmp.ratelimit is zero Eric Dumazet
2026-02-19 1:10 ` [PATCH v2 net 0/5] icmp: better deal with DDOS patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260216142832.3834174-5-edumazet@google.com \
--to=edumazet@google.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=eric.dumazet@gmail.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox