The branch releng/13.5 has been updated by tuexen:
URL:
https://cgit.FreeBSD.org/src/commit/?id=a7ad6437193a563c60a52af3845649671f59a16b
commit a7ad6437193a563c60a52af3845649671f59a16b
Author: Gleb Smirnoff <gleb...@freebsd.org>
AuthorDate: 2024-03-24 16:13:23 +0000
Commit: Michael Tuexen <tue...@freebsd.org>
CommitDate: 2025-02-13 14:00:57 +0000
icmp6: rate limit our echo replies
The generation of ICMP6_ECHO_REPLY bypasses icmp6_error(), thus rate
limit was not applied.
Reviewed by: tuexen, zlei
Differential Revision: https://reviews.freebsd.org/D44480
Approved by: re (cperciva)
(cherry picked from commit 32aeee8ce7e72738fff236ccd5629d55035458f8)
(cherry picked from commit 90ecc3fc679d1df50772327d80e0d28f59e584af)
---
sys/netinet6/icmp6.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 258f4bed794e..09cb893b57fe 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -536,6 +536,8 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
icmp6_ifstat_inc(ifp, ifs6_in_echo);
if (code != 0)
goto badcode;
+ if (icmp6_ratelimit(&ip6->ip6_src, ICMP6_ECHO_REPLY, 0))
+ break;
if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) == NULL) {
/* Give up remote */
break;
