https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266477
Bug ID: 266477
Summary: PF does not obey ICMP rate limits
Product: Base System
Version: 13.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
PF emits ICMP messages for blocked connections (when return is set) but it does
not call the rate limit code (badport_bandlim) and hence will send them at an
unlimited rate. IMO this is a POLA violation.
Furthermore, the IPv6 stack does not appear to call it either; badport_bandlim
has BANDLIM_ICMP6_UNREACH but it does not appear to be used.
I think it would make more sense to move the rate limiting code into
icmp_error/icmp6_error and perhaps also add some per-ICMP type stats exposed as
sysctls.
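As an added illustration, not part of the bug report and not FreeBSD's own kernel code, the C model below shows the kind of per-class ICMP error rate limiting with per-class counters that the report asks to have applied consistently in icmp_error/icmp6_error. The enum, struct and function names are constructed for this example, and the bucket classes only loosely mirror the badport_bandlim classes named in the report; the limit value 200 is a sample parameter (the real limit is a sysctl, net.inet.icmp.icmplim). A limit of 0 disables limiting, which reproduces the unbounded behaviour the report describes for pf's `return` responses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ICMP error classes for this example; not the kernel's enum. */
enum icmp_limit_class {
    LIMIT_UNREACH = 0,    /* ICMP destination unreachable (what pf 'return' emits) */
    LIMIT_ECHO,           /* ICMP echo reply */
    LIMIT_ICMP6_UNREACH,  /* ICMPv6 destination unreachable */
    LIMIT_MAX
};

/* One bucket per class: a fixed one-second window plus cumulative stats,
 * the per-type counters the report suggests exposing via sysctl. */
struct icmp_limit_bucket {
    uint64_t window_start;  /* wall-clock second the current window began */
    uint32_t sent;          /* errors sent within the current window */
    uint64_t total_sent;    /* cumulative errors sent */
    uint64_t total_dropped; /* cumulative errors suppressed by the limit */
};

struct icmp_limiter {
    uint32_t limit_per_sec; /* 0 means unlimited (the behaviour the report complains about) */
    struct icmp_limit_bucket b[LIMIT_MAX];
};

void icmp_limiter_init(struct icmp_limiter *l, uint32_t limit_per_sec)
{
    memset(l, 0, sizeof(*l));
    l->limit_per_sec = limit_per_sec;
}

/* Decide whether one ICMP error of class 'c' may be sent at time 'now_sec'.
 * Returns true if it may be sent; either way the class statistics are updated. */
bool icmp_ratelimit_check(struct icmp_limiter *l, enum icmp_limit_class c, uint64_t now_sec)
{
    struct icmp_limit_bucket *b = &l->b[c];

    if (l->limit_per_sec == 0) {     /* limiting disabled: every error goes out */
        b->total_sent++;
        return true;
    }
    if (b->window_start != now_sec) { /* new second: reset the window counter */
        b->window_start = now_sec;
        b->sent = 0;
    }
    if (b->sent >= l->limit_per_sec) {
        b->total_dropped++;
        return false;
    }
    b->sent++;
    b->total_sent++;
    return true;
}

/* Simulate a burst of 'n' blocked packets arriving in second 'now_sec' that would
 * each trigger a 'return' response; returns how many responses the limiter allowed. */
uint32_t simulate_burst(struct icmp_limiter *l, enum icmp_limit_class c, uint64_t now_sec, uint32_t n)
{
    uint32_t allowed = 0;
    for (uint32_t i = 0; i < n; i++)
        if (icmp_ratelimit_check(l, c, now_sec))
            allowed++;
    return allowed;
}

int main(void)
{
    struct icmp_limiter limited, unlimited;

    icmp_limiter_init(&limited, 200);   /* sample limit, constructed for the demo */
    icmp_limiter_init(&unlimited, 0);   /* models the unlimited case from the report */

    /* Constructed scenario: 1000 blocked packets in one second, each wanting an ICMP error. */
    printf("limited:   sent %u of 1000 (dropped %llu)\n",
           simulate_burst(&limited, LIMIT_UNREACH, 1000, 1000),
           (unsigned long long)limited.b[LIMIT_UNREACH].total_dropped);
    printf("unlimited: sent %u of 1000 (dropped %llu)\n",
           simulate_burst(&unlimited, LIMIT_UNREACH, 1000, 1000),
           (unsigned long long)unlimited.b[LIMIT_UNREACH].total_dropped);
    return 0;
}
```

Keeping one bucket per class is what lets a flood of one error type (for example, unreachables generated by blocked connection attempts) be capped without starving a different class, and the cumulative counters are the cheap place to hang the per-type statistics the report proposes.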