diff options
| author | Eric Dumazet <edumazet@google.com> | 2026-02-23 19:17:42 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-02-25 04:50:12 +0300 |
| commit | 64db5933c7adcdc4dd8f5ef6506cc998ecbe63ac (patch) | |
| tree | b73a1f2e25d449658de0e3814b7cb8795b387827 /net | |
| parent | 539a6cf0844da56c32513b86305a7327760f9932 (diff) | |
| download | linux-64db5933c7adcdc4dd8f5ef6506cc998ecbe63ac.tar.xz | |
icmp: increase net.ipv4.icmp_msgs_{per_sec,burst}
These sysctls were added in 4cdf507d5452 ("icmp: add a global rate
limitation") and their default values might be too small.
Some network tools send probes to closed UDP ports from many hosts
to estimate proportion of packet drops on a particular target.
This patch sets both sysctls to 10000.
Note the per-peer rate-limit (as described in RFC 4443 2.4 (f))
intent is still enforced.
This also increases security, see b38e7819cae9
("icmp: randomize the global rate limiter") for reference.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260223161742.929830-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/icmp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index a62b4c4033cc..1cf9e391aa0c 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -1727,8 +1727,8 @@ static int __net_init icmp_sk_init(struct net *net) net->ipv4.sysctl_icmp_ratemask = 0x1818; net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr = 0; net->ipv4.sysctl_icmp_errors_extension_mask = 0; - net->ipv4.sysctl_icmp_msgs_per_sec = 1000; - net->ipv4.sysctl_icmp_msgs_burst = 50; + net->ipv4.sysctl_icmp_msgs_per_sec = 10000; + net->ipv4.sysctl_icmp_msgs_burst = 10000; return 0; } |