google / gvisor

Application Kernel for Containers

Home Page:https://gvisor.dev

Do not rate limit ICMP Echos by default

ghananigans opened this issue

gVisor rate limits ICMPv4 (but not ICMPv6) echo responses, but Linux does not. Linux only rate limits ICMP error responses, as per RFC requirements:

ICMPv4 rate limit errors: RFC 1812 section 4.3.2.8 https://datatracker.ietf.org/doc/html/rfc1812#section-4.3.2.8
ICMPv6 rate limit errors: RFC 4443 section 2.4.f https://datatracker.ietf.org/doc/html/rfc4443#section-2.4

ICMPv4 rate limited in gVisor:

if !e.protocol.stack.AllowICMPMessage() {

From https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt, Linux supports rate limiting different ICMP types (configurable at run time).

Linux rate limiting sysctl options for ICMPv4:

icmp_ratelimit - INTEGER
	Limit the maximal rates for sending ICMP packets whose type matches
	icmp_ratemask (see below) to specific targets.
	0 to disable any limiting,
	otherwise the minimal space between responses in milliseconds.
	Note that another sysctl, icmp_msgs_per_sec limits the number
	of ICMP packets sent on all targets.
	Default: 1000

icmp_ratemask - INTEGER
	Mask made of ICMP types for which rates are being limited.
	Significant bits: IHGFEDCBA9876543210
	Default mask:     0000001100000011000 (6168)

	Bit definitions (see include/linux/icmp.h):
		0 Echo Reply
		3 Destination Unreachable *
		4 Source Quench *
		5 Redirect
		8 Echo Request
		B Time Exceeded *
		C Parameter Problem *
		D Timestamp Request
		E Timestamp Reply
		F Info Request
		G Info Reply
		H Address Mask Request
		I Address Mask Reply

	* These are rate limited by default (see default mask above)

Linux rate limiting sysctl options for ICMPv6:

icmp/*:
ratelimit - INTEGER
	Limit the maximal rates for sending ICMPv6 messages.
	0 to disable any limiting,
	otherwise the minimal space between responses in milliseconds.
	Default: 1000

ratemask - list of comma separated ranges
	For ICMPv6 message types matching the ranges in the ratemask, limit
	the sending of the message according to ratelimit parameter.

	The format used for both input and output is a comma separated
	list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and
	129). Writing to the file will clear all previous ranges of ICMPv6
	message types and update the current list with the input.

	Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
	for numerical values of ICMPv6 message types, e.g. echo request is 128
	and echo reply is 129.

	Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)
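To check the quoted defaults mechanically, here is an added Go example (not gvisor code and not part of the original issue) that decodes the icmp_ratemask bit mask and parses the IPv6 icmp/ratemask range list, then asks which types Linux would actually rate limit; the ICMP type numbers it assumes are the ones listed in the documentation above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ICMPv4RateLimited reports whether icmp_ratemask marks icmpType as rate
// limited: bit N of the mask stands for ICMPv4 type N (see the bit list
// quoted above). Shifts of 32 or more yield 0 in Go, so types beyond the
// mask width are reported as not limited.
func ICMPv4RateLimited(ratemask uint32, icmpType uint8) bool {
	return ratemask&(1<<icmpType) != 0
}

// ParseICMPv6Ratemask parses the range list used by the IPv6 icmp/ratemask
// sysctl, e.g. "0-1,3-127", into a table indexed by ICMPv6 type.
func ParseICMPv6Ratemask(s string) ([256]bool, error) {
	var limited [256]bool
	for _, item := range strings.Split(strings.TrimSpace(s), ",") {
		if item == "" {
			continue
		}
		bounds := strings.SplitN(item, "-", 2)
		lo, err := strconv.Atoi(bounds[0])
		hi := lo
		if err == nil && len(bounds) == 2 {
			hi, err = strconv.Atoi(bounds[1])
		}
		if err != nil || lo < 0 || hi > 255 || lo > hi {
			return limited, fmt.Errorf("bad ICMPv6 ratemask range %q", item)
		}
		for t := lo; t <= hi; t++ {
			limited[t] = true
		}
	}
	return limited, nil
}

func main() {
	// Defaults quoted above: icmp_ratemask 6168 and ipv6 ratemask "0-1,3-127".
	v6, err := ParseICMPv6Ratemask("0-1,3-127")
	if err != nil {
		panic(err)
	}
	fmt.Println("ICMPv4 echo request limited:", ICMPv4RateLimited(6168, 8))  // false
	fmt.Println("ICMPv6 echo request limited:", v6[128], "packet too big:", v6[2]) // false false
}
```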