Merge: icmp: Add counters for rate limits

Herton R. Krzesinski · Herton R. Krzesinski · commit 9c262d7bd903 · 2023-02-22T15:13:10.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2044 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2155801 Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git commit d094113 Author: Jamie Bainbridge <jamie.bainbridge@gmail.com> Date: Wed Jan 25 11:16:52 2023 +1100 icmp: Add counters for rate limits There are multiple ICMP rate limiting mechanisms: * Global limits: net.ipv4.icmp_msgs_burst/icmp_msgs_per_sec * v4 per-host limits: net.ipv4.icmp_ratelimit/ratemask * v6 per-host limits: net.ipv6.icmp_ratelimit/ratemask However, when ICMP output is limited, there is no way to tell which limit has been hit or even if the limits are responsible for the lack of ICMP output. Add counters for each of the cases above. As we are within local_bh_disable(), use the __INC stats variant. Example output: IcmpOutRateLimitGlobal 134 0.0 IcmpOutRateLimitHost 770 0.0 Icmp6OutRateLimitHost 84 0.0 Signed-off-by: Jamie Bainbridge <jamie.bainbridge@gmail.com> Suggested-by: Abhishek Rawal <rawal.abhishek92@gmail.com> Link: https://lore.kernel.org/r/273b32241e6b7fdc5c609e6f5ebc68caf3994342.1674605770.git.jamie.bainbridge@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Jamie Bainbridge <jbainbri@redhat.com> Approved-by: Paolo Abeni <pabeni@redhat.com> Approved-by: Hangbin Liu <haliu@redhat.com> Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
@@ -95,6 +95,8 @@ enum
 	ICMP_MIB_OUTADDRMASKS,			/* OutAddrMasks */
 	ICMP_MIB_OUTADDRMASKREPS,		/* OutAddrMaskReps */
 	ICMP_MIB_CSUMERRORS,			/* InCsumErrors */
+	ICMP_MIB_RATELIMITGLOBAL,		/* OutRateLimitGlobal */
+	ICMP_MIB_RATELIMITHOST,			/* OutRateLimitHost */
 	__ICMP_MIB_MAX
 };
 
@@ -112,6 +114,7 @@ enum
 	ICMP6_MIB_OUTMSGS,			/* OutMsgs */
 	ICMP6_MIB_OUTERRORS,			/* OutErrors */
 	ICMP6_MIB_CSUMERRORS,			/* InCsumErrors */
+	ICMP6_MIB_RATELIMITHOST,		/* OutRateLimitHost */
 	__ICMP6_MIB_MAX
 };
 
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
@@ -296,6 +296,7 @@ static bool icmpv4_global_allow(struct net *net, int type, int code)
 	if (icmp_global_allow())
 		return true;
 
+	__ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);
 	return false;
 }
 
@@ -325,6 +326,8 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
 	if (peer)
 		inet_putpeer(peer);
 out:
+	if (!rc)
+		__ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);
 	return rc;
 }
 
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
@@ -352,7 +352,7 @@ static void icmp_put(struct seq_file *seq)
 	seq_puts(seq, "\nIcmp: InMsgs InErrors InCsumErrors");
 	for (i = 0; icmpmibmap[i].name; i++)
 		seq_printf(seq, " In%s", icmpmibmap[i].name);
-	seq_puts(seq, " OutMsgs OutErrors");
+	seq_puts(seq, " OutMsgs OutErrors OutRateLimitGlobal OutRateLimitHost");
 	for (i = 0; icmpmibmap[i].name; i++)
 		seq_printf(seq, " Out%s", icmpmibmap[i].name);
 	seq_printf(seq, "\nIcmp: %lu %lu %lu",
@@ -362,9 +362,11 @@ static void icmp_put(struct seq_file *seq)
 	for (i = 0; icmpmibmap[i].name; i++)
 		seq_printf(seq, " %lu",
 			   atomic_long_read(ptr + icmpmibmap[i].index));
-	seq_printf(seq, " %lu %lu",
+	seq_printf(seq, " %lu %lu %lu %lu",
 		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTMSGS),
-		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTERRORS));
+		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTERRORS),
+		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_RATELIMITGLOBAL),
+		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_RATELIMITHOST));
 	for (i = 0; icmpmibmap[i].name; i++)
 		seq_printf(seq, " %lu",
 			   atomic_long_read(ptr + (icmpmibmap[i].index | 0x100)));
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
@@ -190,6 +190,7 @@ static bool icmpv6_global_allow(struct net *net, int type)
 	if (icmp_global_allow())
 		return true;
 
+	__ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);
 	return false;
 }
 
@@ -231,6 +232,9 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
 		if (peer)
 			inet_putpeer(peer);
 	}
+	if (!res)
+		__ICMP6_INC_STATS(net, ip6_dst_idev(dst),
+				  ICMP6_MIB_RATELIMITHOST);
 	dst_release(dst);
 	return res;
 }
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
@@ -94,6 +94,7 @@ static const struct snmp_mib snmp6_icmp6_list[] = {
 	SNMP_MIB_ITEM("Icmp6OutMsgs", ICMP6_MIB_OUTMSGS),
 	SNMP_MIB_ITEM("Icmp6OutErrors", ICMP6_MIB_OUTERRORS),
 	SNMP_MIB_ITEM("Icmp6InCsumErrors", ICMP6_MIB_CSUMERRORS),
+	SNMP_MIB_ITEM("Icmp6OutRateLimitHost", ICMP6_MIB_RATELIMITHOST),
 	SNMP_MIB_SENTINEL
 };
 

Original file line number	Diff line number	Diff line change
`@@ -296,6 +296,7 @@ static bool icmpv4_global_allow(struct net *net, int type, int code)`
`296`	`296`	`if (icmp_global_allow())`
`297`	`297`	`return true;`
`298`	`298`
	`299`	`+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);`
`299`	`300`	`return false;`
`300`	`301`	`}`
`301`	`302`
`@@ -325,6 +326,8 @@ static bool icmpv4_xrlim_allow(struct net net, struct rtable rt,`
`325`	`326`	`if (peer)`
`326`	`327`	`inet_putpeer(peer);`
`327`	`328`	`out:`
	`329`	`+ if (!rc)`
	`330`	`+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);`
`328`	`331`	`return rc;`
`329`	`332`	`}`
`330`	`333`
Original file line number	Diff line number	Diff line change
`@@ -190,6 +190,7 @@ static bool icmpv6_global_allow(struct net *net, int type)`
`190`	`190`	`if (icmp_global_allow())`
`191`	`191`	`return true;`
`192`	`192`
	`193`	`+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);`
`193`	`194`	`return false;`
`194`	`195`	`}`
`195`	`196`
`@@ -231,6 +232,9 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,`
`231`	`232`	`if (peer)`
`232`	`233`	`inet_putpeer(peer);`
`233`	`234`	`}`
	`235`	`+ if (!res)`
	`236`	`+ __ICMP6_INC_STATS(net, ip6_dst_idev(dst),`
	`237`	`+ ICMP6_MIB_RATELIMITHOST);`
`234`	`238`	`dst_release(dst);`
`235`	`239`	`return res;`
`236`	`240`	`}`