Do not rate limit ICMP Echos by default
ghananigans opened this issue · comments
gVisor rate limits ICMPv4 (but not ICMPv6) echo responses but Linux does not. Linux only rate limits ICMP error responses, as per RFC requirements:
ICMPv4 rate limit errors: RFC 1812 section 4.3.2.8 https://datatracker.ietf.org/doc/html/rfc1812#section-4.3.2.8
ICMPv6 rate limit errors: RFC 4443 section 2.4.f https://datatracker.ietf.org/doc/html/rfc4443#section-2.4
ICMPv4 rate limited in gVisor:
gvisor/pkg/tcpip/network/ipv4/icmp.go
Line 244 in 979d6e7
From https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt, Linux supports rate limiting different ICMP types (configurable at run time).
Linux rate limiting syscall options for ICMPv4:
    icmp_ratelimit - INTEGER
        Limit the maximal rates for sending ICMP packets whose type matches
        icmp_ratemask (see below) to specific targets.
        0 to disable any limiting,
        otherwise the minimal space between responses in milliseconds.
        Note that another sysctl, icmp_msgs_per_sec limits the number
        of ICMP packets sent on all targets.
        Default: 1000

    icmp_ratemask - INTEGER
        Mask made of ICMP types for which rates are being limited.
        Significant bits: IHGFEDCBA9876543210
        Default mask:     0000001100000011000 (6168)

        Bit definitions (see include/linux/icmp.h):
            0 Echo Reply
            3 Destination Unreachable *
            4 Source Quench *
            5 Redirect
            8 Echo Request
            B Time Exceeded *
            C Parameter Problem *
            D Timestamp Request
            E Timestamp Reply
            F Info Request
            G Info Reply
            H Address Mask Request
            I Address Mask Reply

        * These are rate limited by default (see default mask above)
Linux rate limiting syscall options for ICMPv6:
    icmp/*:
    ratelimit - INTEGER
        Limit the maximal rates for sending ICMPv6 messages.
        0 to disable any limiting,
        otherwise the minimal space between responses in milliseconds.
        Default: 1000

    ratemask - list of comma separated ranges
        For ICMPv6 message types matching the ranges in the ratemask, limit
        the sending of the message according to ratelimit parameter.
        The format used for both input and output is a comma separated
        list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and
        129). Writing to the file will clear all previous ranges of ICMPv6
        message types and update the current list with the input.
        Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
        for numerical values of ICMPv6 message types, e.g. echo request is 128
        and echo reply is 129.
        Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)
cc: @brunowonka
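The Linux defaults quoted in the issue can be checked mechanically. The following is an added example, not gVisor or Linux code: it decodes the ICMPv4 `icmp_ratemask` bitmask and the ICMPv6 `ratemask` range list and reports which message types they cover. The names `V4Limited` and `V6Limited` are hypothetical, and only the type selection is modelled, not the rate limiter itself.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Linux defaults as quoted from ip-sysctl.txt in the issue.
const DefaultV4RateMask uint32 = 6168 // icmp_ratemask default
const DefaultV6RateMask = "0-1,3-127" // icmp/ratemask default (ICMPv6)

// V4Limited reports whether ICMPv4 type t has its bit set in icmp_ratemask.
func V4Limited(mask uint32, t uint8) bool {
	return t < 32 && mask&(1<<t) != 0
}

// V6Limited reports whether ICMPv6 type t is inside the comma separated
// range list. The whole list is validated before the answer is returned.
func V6Limited(ranges string, t uint8) (bool, error) {
	limited := false
	for _, r := range strings.Split(ranges, ",") {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(r), "-")
		if !isRange {
			hi = lo // single type such as "129"
		}
		l, errLo := strconv.ParseUint(lo, 10, 8)
		h, errHi := strconv.ParseUint(hi, 10, 8)
		if errLo != nil || errHi != nil || l > h {
			return false, fmt.Errorf("invalid ICMPv6 type range %q", r)
		}
		if uint64(t) >= l && uint64(t) <= h {
			limited = true
		}
	}
	return limited, nil
}

func main() {
	// ICMPv4: echo reply, dest unreachable, echo request, time exceeded.
	for _, t := range []uint8{0, 3, 8, 11} {
		fmt.Printf("ICMPv4 type %2d limited=%v\n", t, V4Limited(DefaultV4RateMask, t))
	}
	// ICMPv6: dest unreachable, packet too big, echo request, echo reply.
	for _, t := range []uint8{1, 2, 128, 129} {
		ok, err := V6Limited(DefaultV6RateMask, t)
		fmt.Printf("ICMPv6 type %3d limited=%v err=%v\n", t, ok, err)
	}
}
```

With the default masks, echo request and echo reply are outside the limited set for both ICMPv4 (types 8 and 0) and ICMPv6 (types 128 and 129), while the error types are inside it.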