Commit 9395b1bb authored Feb 16, 2026 by Eric Dumazet Committed by Jakub Kicinski Feb 18, 2026

ipv6: icmp: icmpv6_xrlim_allow() optimization if net.ipv6.icmp.ratelimit is zero



If net.ipv6.icmp.ratelimit is zero we do not have to call
inet_getpeer_v6() and inet_peer_xrlim_allow().

Both can be very expensive under DDOS.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260216142832.3834174-6-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent d8d9ef29

net/ipv6/icmp.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -220,9 +220,13 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
		int tmo = READ_ONCE(net->ipv6.sysctl.icmpv6_time);
		struct inet_peer *peer;

		if (!tmo) {
		res = true;
		} else {
		peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr);
		res = inet_peer_xrlim_allow(peer, tmo);
		}
		}
		rcu_read_unlock();
		if (!res)
		__ICMP6_INC_STATS(net, NULL, ICMP6_MIB_RATELIMITHOST);