docs/150917: icmp.4, wrong description of icmplim and icmplim_output sysctls

Giorgos Keramidas keramida at ceid.upatras.gr
Tue Feb 15 08:10:15 UTC 2011


The following reply was made to PR docs/150917; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at ceid.upatras.gr>
To: Nikos Vassiliadis <nvass9573 at gmx.com>
Cc: bug-followup at freebsd.org
Subject: Re: docs/150917: icmp.4, wrong description of icmplim and icmplim_output sysctls
Date: Tue, 15 Feb 2011 08:47:18 +0100

 On 2010-09-24 13:42, Nikos Vassiliadis <nvass9573 at gmx.com> wrote:
 > The icmp manual page describes icmplim and icmplim_output wrongly.
 >
 >      icmplim	     (integer) Bandwidth limit for ICMP replies in pack-
 > 		     ets/second.  Used when icmplim_output is non-zero.
 > 		     Defaults to 200.
 >
 >      icmplim_output  (boolean) Enable/disable bandwidth limiting of ICMP
 > 		     replies.  Defaults to true.
 >
 > The correct description [1] is this:
 >
 > If you do not want to see messages about this in your log files, but
 > you still want the kernel to do response limiting, you can use the
 > net.inet.icmp.icmplim_output sysctl variable to disable the output
 > like this:
 >
 > # sysctl -w net.inet.icmp.icmplim_output=0
 >
 > Finally, if you want to disable response limiting, you can set the
 > net.inet.icmp.icmplim sysctl variable (see above for an example) to
 > 0. Disabling response limiting is discouraged for the reasons listed
 > above.
 
 > Index: src/share/man/man4/icmp.4
 > ===================================================================
 > --- src/share/man/man4/icmp.4   (revision 213086)
 > +++ src/share/man/man4/icmp.4   (working copy)
 > @@ -179,15 +179,16 @@
 >  the system replies to an ICMP Address Mask Request packet.
 >  Defaults to 0.
 >  .It Va icmplim
 > -.Pq Vt integer
 > -Bandwidth limit for ICMP replies in packets/second.
 > -Used when
 > -.Va icmplim_output
 > -is non-zero.
 > +.Pq Vt "unsigned integer"
 > +Limit for ICMP or TCP RST responses in packets per second.
 > +Response limiting is disabled by setting
 > +.Va icmplim
 > +to 0.
 
 I am not sure I like the idea of mentioning all the other protocols that
 may send ICMP replies too, so this probably needs a bit of reworking.
 For instance, UDP may send ICMP unreachable errors too.  SCTP also.
 
 Are we going to list *all* the possible protocols by name?
 
 >  Defaults to 200.
 >  .It Va icmplim_output
 >  .Pq Vt boolean
 > -Enable/disable bandwidth limiting of ICMP replies.
 > +Enable/disable logging of
 > +.Va icmplim .
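 
 Review bot: In the icmplim_output entry, "Enable/disable logging of
 .Va icmplim ." does not say that response limiting stays in force when
 the variable is set to 0, which is the misunderstanding this PR sets
 out to correct. State it in the entry, for example "Enable/disable
 logging of rate-limited responses; limiting itself is governed by
 icmplim." The icmplim entry earlier in the same hunk now documents
 that 0 disables limiting; the description quoted in the PR calls that
 setting discouraged, so the entry should carry the same caution.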
 
 "logging of rate-limiting messages from icmplim" ?
 
 >  Index: src/sys/netinet/ip_icmp.c
 >  ===================================================================
 >  --- src/sys/netinet/ip_icmp.c	(revision 213086)
 >  +++ src/sys/netinet/ip_icmp.c	(working copy)
 >  @@ -106,15 +106,15 @@
 >
 >   static VNET_DEFINE(int, icmplim) = 200;
 >   #define	V_icmplim			VNET(icmplim)
 >  -SYSCTL_VNET_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 >  +SYSCTL_VNET_UINT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 >   	&VNET_NAME(icmplim), 0,
 >  -	"Maximum number of ICMP responses per second");
 >  +	"Maximum number of ICMP or TCP RST responses per second");
 >
 >   static VNET_DEFINE(int, icmplim_output) = 1;
 >   #define	V_icmplim_output		VNET(icmplim_output)
 >  -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 >  +SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 >   	&VNET_NAME(icmplim_output), 0,
 >  -	"Enable rate limiting of ICMP responses");
 >  +	"Enable logging of enforced limit on ICMP or TCP RST responses");
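 
 Review bot: Both entries switch to SYSCTL_VNET_UINT, but the unchanged
 context lines still declare the backing variables as
 "static VNET_DEFINE(int, icmplim) = 200;" and
 "static VNET_DEFINE(int, icmplim_output) = 1;", so the sysctl type and
 the storage type no longer agree. Either change the declarations to an
 unsigned type in the same patch, or keep SYSCTL_VNET_INT and handle
 negative values explicitly. icmplim_output is still documented as
 boolean in the icmp.4 hunk, so the move to UINT for it should be
 justified or dropped.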
 
 This also has the problem that it does not mention UDP or SCTP replies
 for port-unreachable, host-unreachable, etc.


