ipv6: icmp: icmpv6_xrlim_allow() optimization if net.ipv6.icmp.ratelimit is zero

If net.ipv6.icmp.ratelimit is zero we do not have to call
inet_getpeer_v6() and inet_peer_xrlim_allow().

Both can be very expensive under DDOS.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260216142832.3834174-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 0f41ca6f3d83e86ce97ce5a30613f58f4dc22dad..813d2e9edb8bed7c1649e279cea9229806af4132 100644 (file)
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -220,8 +220,12 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
                int tmo = READ_ONCE(net->ipv6.sysctl.icmpv6_time);
                struct inet_peer *peer;
 
-               peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr);
-               res = inet_peer_xrlim_allow(peer, tmo);
+               if (!tmo) {
+                       res = true;
+               } else {
+                       peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr);
+                       res = inet_peer_xrlim_allow(peer, tmo);
+               }
        }
        rcu_read_unlock();
        if (!res)