Date: Fri, 24 Sep 2010 13:42:37 GMT
From: Nikos Vassiliadis <nvass9573@gmx.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: icmp.4, wrong description of icmplim and icmplim_output sysctls

>Number:         150917
>Category:       docs
>Synopsis:       [patch] icmp.4, wrong description of icmplim and icmplim_output sysctls
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 24 13:50:01 UTC 2010
>Closed-Date:    
>Last-Modified:  Tue Feb 15 12:30:11 UTC 2011
>Originator:     Nikos Vassiliadis
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD lab.local 9.0-CURRENT FreeBSD 9.0-CURRENT #1 r213086M: Fri Sep 24 15:52:57 EEST 2010     root@lab.local:/usr/obj/usr/src/sys/LAB  i386

>Description:
The icmp manual page describes icmplim and icmplim_output wrongly.

     icmplim	     (integer) Bandwidth limit for ICMP replies in pack-
		     ets/second.  Used when icmplim_output is non-zero.
		     Defaults to 200.

     icmplim_output  (boolean) Enable/disable bandwidth limiting of ICMP
		     replies.  Defaults to true.

The correct description [1] is this:
If you do not want to see messages about this in your log files, but you still want the kernel to do response limiting, you can use the net.inet.icmp.icmplim_output sysctl variable to disable the output like this:
# sysctl -w net.inet.icmp.icmplim_output=0

Finally, if you want to disable response limiting, you can set the net.inet.icmp.icmplim sysctl variable (see above for an example) to 0. Disabling response limiting is discouraged for the reasons listed above.

[1] http://www.freebsd.org/doc/en/books/faq/networking.html#ICMP-RESPONSE-BW-LIMIT
>How-To-Repeat:
n/a
>Fix:
Use the attached patch

Patch attached with submission follows:

Index: src/share/man/man4/icmp.4
===================================================================
--- src/share/man/man4/icmp.4   (revision 213086)
+++ src/share/man/man4/icmp.4   (working copy)
@@ -179,15 +179,16 @@
 the system replies to an ICMP Address Mask Request packet.
 Defaults to 0.
 .It Va icmplim
-.Pq Vt integer
-Bandwidth limit for ICMP replies in packets/second.
-Used when
-.Va icmplim_output
-is non-zero.
+.Pq Vt "unsigned integer"
+Limit for ICMP or TCP RST responses in packets per second.
+Response limiting is disabled by setting
+.Va icmplim
+to 0.
 Defaults to 200.
 .It Va icmplim_output
 .Pq Vt boolean
-Enable/disable bandwidth limiting of ICMP replies.
+Enable/disable logging of
+.Va icmplim .
 Defaults to true.
 .It Va drop_redirect
 .Pq Vt boolean
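
Review bot: in the new icmplim_output entry, "Enable/disable logging of .Va icmplim ." reads as if the variable itself were being logged; what the sysctl controls is the kernel's log output about response limiting, so the text should say that directly, for example "Enable/disable logging of rate-limiting messages." In the icmplim entry, `.Pq Vt "unsigned integer"` documents a type that this diff, which touches only icmp.4, does not change in the kernel, so it should go in only together with the matching declaration change. It would also help to carry over the FAQ's caution that setting icmplim to 0 is discouraged.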

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->gjb 
Responsible-Changed-By: gjb 
Responsible-Changed-When: Fri Sep 24 13:58:14 UTC 2010 
Responsible-Changed-Why:  
I'll take this. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=150917 

From: Nikos Vassiliadis <nvass9573@gmx.com>
To: bug-followup@FreeBSD.org, nvass9573@gmx.com
Cc:  
Subject: Re: docs/150917: [patch] icmp.4, wrong description of icmplim and
 icmplim_output sysctls
Date: Fri, 24 Sep 2010 18:32:18 +0300

 Consider the following patch as well
 
 Index: src/sys/netinet/ip_icmp.c
 ===================================================================
 --- src/sys/netinet/ip_icmp.c	(revision 213086)
 +++ src/sys/netinet/ip_icmp.c	(working copy)
 @@ -106,15 +106,15 @@
  
  static VNET_DEFINE(int, icmplim) = 200;
  #define	V_icmplim			VNET(icmplim)
 -SYSCTL_VNET_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 +SYSCTL_VNET_UINT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
  	&VNET_NAME(icmplim), 0,
 -	"Maximum number of ICMP responses per second");
 +	"Maximum number of ICMP or TCP RST responses per second");
  
  static VNET_DEFINE(int, icmplim_output) = 1;
  #define	V_icmplim_output		VNET(icmplim_output)
 -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 +SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
  	&VNET_NAME(icmplim_output), 0,
 -	"Enable rate limiting of ICMP responses");
 +	"Enable logging of enforced limit on ICMP or TCP RST responses");
  
  static VNET_DEFINE(char, reply_src[IFNAMSIZ]);
  #define	V_reply_src			VNET(reply_src)
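
Review bot: both sysctls are switched to SYSCTL_VNET_UINT while the backing variables in the unchanged context lines are still declared as `static VNET_DEFINE(int, icmplim)` and `static VNET_DEFINE(int, icmplim_output)`, so the type the sysctl advertises and the type of the storage no longer agree. Either change the two declarations to an unsigned type in the same patch or keep SYSCTL_VNET_INT. For icmplim_output, which the man page documents as a boolean, the unsigned conversion gains nothing and only the description string needs to change.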
 
Responsible-Changed-From-To: gjb->freebsd-doc 
Responsible-Changed-By: gjb 
Responsible-Changed-When: Fri Oct 1 11:51:59 UTC 2010 
Responsible-Changed-Why:  
Back to the pool for now due to lack of time. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=150917 

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Nikos Vassiliadis <nvass9573@gmx.com>
Cc: bug-followup@freebsd.org
Subject: Re: docs/150917: icmp.4, wrong description of icmplim and icmplim_output sysctls
Date: Tue, 15 Feb 2011 08:47:18 +0100

 On 2010-09-24 13:42, Nikos Vassiliadis <nvass9573@gmx.com> wrote:
 > The icmp manual page describes icmplim and icmplim_output wrongly.
 >
 >      icmplim	     (integer) Bandwidth limit for ICMP replies in pack-
 > 		     ets/second.  Used when icmplim_output is non-zero.
 > 		     Defaults to 200.
 >
 >      icmplim_output  (boolean) Enable/disable bandwidth limiting of ICMP
 > 		     replies.  Defaults to true.
 >
 > The correct description [1] is this:
 >
 > If you do not want to see messages about this in your log files, but
 > you still want the kernel to do response limiting, you can use the
 > net.inet.icmp.icmplim_output sysctl variable to disable the output
 > like this:
 >
 > # sysctl -w net.inet.icmp.icmplim_output=0
 >
 > Finally, if you want to disable response limiting, you can set the
 > net.inet.icmp.icmplim sysctl variable (see above for an example) to
 > 0. Disabling response limiting is discouraged for the reasons listed
 > above.
 
 > Index: src/share/man/man4/icmp.4
 > ===================================================================
 > --- src/share/man/man4/icmp.4   (revision 213086)
 > +++ src/share/man/man4/icmp.4   (working copy)
 > @@ -179,15 +179,16 @@
 >  the system replies to an ICMP Address Mask Request packet.
 >  Defaults to 0.
 >  .It Va icmplim
 > -.Pq Vt integer
 > -Bandwidth limit for ICMP replies in packets/second.
 > -Used when
 > -.Va icmplim_output
 > -is non-zero.
 > +.Pq Vt "unsigned integer"
 > +Limit for ICMP or TCP RST responses in packets per second.
 > +Response limiting is disabled by setting
 > +.Va icmplim
 > +to 0.
 
 I am not sure I like the idea of mentioning all the other protocols that
 may send ICMP replies too, so this probably needs a bit of reworking.
 For instance, UDP may send ICMP unreachable errors too.  SCTP also.
 
 Are we going to list *all* the possible protocols by name?
 
 >  Defaults to 200.
 >  .It Va icmplim_output
 >  .Pq Vt boolean
 > -Enable/disable bandwidth limiting of ICMP replies.
 > +Enable/disable logging of
 > +.Va icmplim .
 
 "logging of rate-limiting messages from icmplim" ?
 
 >  Index: src/sys/netinet/ip_icmp.c
 >  ===================================================================
 >  --- src/sys/netinet/ip_icmp.c	(revision 213086)
 >  +++ src/sys/netinet/ip_icmp.c	(working copy)
 >  @@ -106,15 +106,15 @@
 >
 >   static VNET_DEFINE(int, icmplim) = 200;
 >   #define	V_icmplim			VNET(icmplim)
 >  -SYSCTL_VNET_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 >  +SYSCTL_VNET_UINT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 >   	&VNET_NAME(icmplim), 0,
 >  -	"Maximum number of ICMP responses per second");
 >  +	"Maximum number of ICMP or TCP RST responses per second");
 >
 >   static VNET_DEFINE(int, icmplim_output) = 1;
 >   #define	V_icmplim_output		VNET(icmplim_output)
 >  -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 >  +SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 >   	&VNET_NAME(icmplim_output), 0,
 >  -	"Enable rate limiting of ICMP responses");
 >  +	"Enable logging of enforced limit on ICMP or TCP RST responses");
 
 This also has the problem that it does not mention UDP or SCTP replies
 for port-unreachable, host-unreachable, etc.

From: Nikos Vassiliadis <nvass@gmx.com>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: bug-followup@freebsd.org
Subject: Re: docs/150917: icmp.4, wrong description of icmplim and icmplim_output
 sysctls
Date: Tue, 15 Feb 2011 14:27:47 +0200

 On 2/15/2011 9:47 AM, Giorgos Keramidas wrote:
 > On 2010-09-24 13:42, Nikos Vassiliadis<nvass9573@gmx.com>  wrote:
 >> The icmp manual page describes icmplim and icmplim_output wrongly.
 >>
 >>       icmplim	     (integer) Bandwidth limit for ICMP replies in pack-
 >> 		     ets/second.  Used when icmplim_output is non-zero.
 >> 		     Defaults to 200.
 >>
 >>       icmplim_output  (boolean) Enable/disable bandwidth limiting of ICMP
 >> 		     replies.  Defaults to true.
 >>
 >> The correct description [1] is this:
 >>
 >> If you do not want to see messages about this in your log files, but
 >> you still want the kernel to do response limiting, you can use the
 >> net.inet.icmp.icmplim_output sysctl variable to disable the output
 >> like this:
 >>
 >> # sysctl -w net.inet.icmp.icmplim_output=0
 >>
 >> Finally, if you want to disable response limiting, you can set the
 >> net.inet.icmp.icmplim sysctl variable (see above for an example) to
 >> 0. Disabling response limiting is discouraged for the reasons listed
 >> above.
 >
 >> Index: src/share/man/man4/icmp.4
 >> ===================================================================
 >> --- src/share/man/man4/icmp.4   (revision 213086)
 >> +++ src/share/man/man4/icmp.4   (working copy)
 >> @@ -179,15 +179,16 @@
 >>   the system replies to an ICMP Address Mask Request packet.
 >>   Defaults to 0.
 >>   .It Va icmplim
 >> -.Pq Vt integer
 >> -Bandwidth limit for ICMP replies in packets/second.
 >> -Used when
 >> -.Va icmplim_output
 >> -is non-zero.
 >> +.Pq Vt "unsigned integer"
 >> +Limit for ICMP or TCP RST responses in packets per second.
 >> +Response limiting is disabled by setting
 >> +.Va icmplim
 >> +to 0.
 >
 > I am not sure I like the idea of mentioning all the other protocols that
 > may send ICMP replies too, so this probably needs a bit of reworking.
 > For instance, UDP may send ICMP unreachable errors too.  SCTP also.
 >
 > Are we going to list *all* the possible protocols by name?
 
 We don't list the protocols that initiated the response.
 As you mentioned, TCP|UDP|SCTP can initiate this rate-limiting function.
 Yet, all possible replies that this code handles are either ICMP or TCP.
 For example the current code does not handle SCTP ABORT, it *does* handle
 the case of an ICMP response generated by SCTP.
 
 The replies are defined here:
 http://fxr.watson.org/fxr/source/netinet/icmp_var.h#L99
 
 >
 >>   Defaults to 200.
 >>   .It Va icmplim_output
 >>   .Pq Vt boolean
 >> -Enable/disable bandwidth limiting of ICMP replies.
 >> +Enable/disable logging of
 >> +.Va icmplim .
 >
 > "logging of rate-limiting messages from icmplim" ?
 
 Yes, that's better.
 
 >
 >>   Index: src/sys/netinet/ip_icmp.c
 >>   ===================================================================
 >>   --- src/sys/netinet/ip_icmp.c	(revision 213086)
 >>   +++ src/sys/netinet/ip_icmp.c	(working copy)
 >>   @@ -106,15 +106,15 @@
 >>
 >>    static VNET_DEFINE(int, icmplim) = 200;
 >>    #define	V_icmplim			VNET(icmplim)
 >>   -SYSCTL_VNET_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 >>   +SYSCTL_VNET_UINT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
 >>    	&VNET_NAME(icmplim), 0,
 >>   -	"Maximum number of ICMP responses per second");
 >>   +	"Maximum number of ICMP or TCP RST responses per second");
 >>
 >>    static VNET_DEFINE(int, icmplim_output) = 1;
 >>    #define	V_icmplim_output		VNET(icmplim_output)
 >>   -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 >>   +SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
 >>    	&VNET_NAME(icmplim_output), 0,
 >>   -	"Enable rate limiting of ICMP responses");
 >>   +	"Enable logging of enforced limit on ICMP or TCP RST responses");
 >
 > This also has the problem that it does not mention UDP or SCTP replies
 > for port-unreachable, host-unreachable, etc.
 
 These are ICMP messages generated by UDP|SCTP. But... the sysctl's
 description doesn't have to be that accurate, if you ask me. I would like
 the manual page to be as accurate as possible. I find particularly
 unattractive the term bandwidth there!
 
 Thanks for handling this, Nikos
>Unformatted:
