Do not rate limit ICMP Echos by default

As per https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
linux does not limit ICMP Echos by default.

icmp_ratemask - INTEGER
	Mask made of ICMP types for which rates are being limited.
	Significant bits: IHGFEDCBA9876543210
	Default mask:     0000001100000011000 (6168)

	Bit definitions (see include/linux/icmp.h):
		0 Echo Reply
		3 Destination Unreachable *
		4 Source Quench *
		5 Redirect
		8 Echo Request
		B Time Exceeded *
		C Parameter Problem *
		D Timestamp Request
		E Timestamp Reply
		F Info Request
		G Info Reply
		H Address Mask Request
		I Address Mask Reply

	* These are rate limited by default (see default mask above)

Equivalently for ICMPv6.

Lay out foundation for ICMP rate masks, exposing that configuration will be
addressed later when the need arises (#6521).

Fixes #6519

PiperOrigin-RevId: 398337963

1 files changed, 38 insertions, 51 deletions

diff --git a/pkg/tcpip/network/ipv4/icmp.go b/pkg/tcpip/network/ipv4/icmp.go
index 2aa38eb98..d51c36f19 100644
--- a/pkg/tcpip/network/ipv4/icmp.go
+++ b/pkg/tcpip/network/ipv4/icmp.go
@@ -240,12 +240,6 @@ func (e *endpoint) handleICMP(pkt *stack.PacketBuffer) {
 	case header.ICMPv4Echo:
 		received.echoRequest.Increment()
 
-		sent := e.stats.icmp.packetsSent
-		if !e.protocol.stack.AllowICMPMessage() {
-			sent.rateLimited.Increment()
-			return
-		}
-
 		// DeliverTransportPacket will take ownership of pkt so don't use it beyond
 		// this point. Make a deep copy of the data before pkt gets sent as we will
 		// be modifying fields.
@@ -281,6 +275,12 @@ func (e *endpoint) handleICMP(pkt *stack.PacketBuffer) {
 		}
 		defer r.Release()
 
+		sent := e.stats.icmp.packetsSent
+		if !e.protocol.allowICMPReply(header.ICMPv4EchoReply, header.ICMPv4UnusedCode) {
+			sent.rateLimited.Increment()
+			return
+		}
+
 		// TODO(gvisor.dev/issue/3810:) When adding protocol numbers into the
 		// header information, we may have to change this code to handle the
 		// ICMP header no longer being in the data buffer.
@@ -562,13 +562,6 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 		return &tcpip.ErrNotConnected{}
 	}
 
-	sent := netEP.stats.icmp.packetsSent
-
-	if !p.stack.AllowICMPMessage() {
-		sent.rateLimited.Increment()
-		return nil
-	}
-
 	transportHeader := pkt.TransportHeader().View()
 
 	// Don't respond to icmp error packets.
@@ -606,6 +599,35 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 		}
 	}
 
+	sent := netEP.stats.icmp.packetsSent
+	icmpType, icmpCode, counter, pointer := func() (header.ICMPv4Type, header.ICMPv4Code, tcpip.MultiCounterStat, byte) {
+		switch reason := reason.(type) {
+		case *icmpReasonPortUnreachable:
+			return header.ICMPv4DstUnreachable, header.ICMPv4PortUnreachable, sent.dstUnreachable, 0
+		case *icmpReasonProtoUnreachable:
+			return header.ICMPv4DstUnreachable, header.ICMPv4ProtoUnreachable, sent.dstUnreachable, 0
+		case *icmpReasonNetworkUnreachable:
+			return header.ICMPv4DstUnreachable, header.ICMPv4NetUnreachable, sent.dstUnreachable, 0
+		case *icmpReasonHostUnreachable:
+			return header.ICMPv4DstUnreachable, header.ICMPv4HostUnreachable, sent.dstUnreachable, 0
+		case *icmpReasonFragmentationNeeded:
+			return header.ICMPv4DstUnreachable, header.ICMPv4FragmentationNeeded, sent.dstUnreachable, 0
+		case *icmpReasonTTLExceeded:
+			return header.ICMPv4TimeExceeded, header.ICMPv4TTLExceeded, sent.timeExceeded, 0
+		case *icmpReasonReassemblyTimeout:
+			return header.ICMPv4TimeExceeded, header.ICMPv4ReassemblyTimeout, sent.timeExceeded, 0
+		case *icmpReasonParamProblem:
+			return header.ICMPv4ParamProblem, header.ICMPv4UnusedCode, sent.paramProblem, reason.pointer
+		default:
+			panic(fmt.Sprintf("unsupported ICMP type %T", reason))
+		}
+	}()
+
+	if !p.allowICMPReply(icmpType, icmpCode) {
+		sent.rateLimited.Increment()
+		return nil
+	}
+
 	// Now work out how much of the triggering packet we should return.
 	// As per RFC 1812 Section 4.3.2.3
 	//
@@ -658,44 +680,9 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 	icmpPkt.TransportProtocolNumber = header.ICMPv4ProtocolNumber
 
 	icmpHdr := header.ICMPv4(icmpPkt.TransportHeader().Push(header.ICMPv4MinimumSize))
-	var counter tcpip.MultiCounterStat
-	switch reason := reason.(type) {
-	case *icmpReasonPortUnreachable:
-		icmpHdr.SetType(header.ICMPv4DstUnreachable)
-		icmpHdr.SetCode(header.ICMPv4PortUnreachable)
-		counter = sent.dstUnreachable
-	case *icmpReasonProtoUnreachable:
-		icmpHdr.SetType(header.ICMPv4DstUnreachable)
-		icmpHdr.SetCode(header.ICMPv4ProtoUnreachable)
-		counter = sent.dstUnreachable
-	case *icmpReasonNetworkUnreachable:
-		icmpHdr.SetType(header.ICMPv4DstUnreachable)
-		icmpHdr.SetCode(header.ICMPv4NetUnreachable)
-		counter = sent.dstUnreachable
-	case *icmpReasonHostUnreachable:
-		icmpHdr.SetType(header.ICMPv4DstUnreachable)
-		icmpHdr.SetCode(header.ICMPv4HostUnreachable)
-		counter = sent.dstUnreachable
-	case *icmpReasonFragmentationNeeded:
-		icmpHdr.SetType(header.ICMPv4DstUnreachable)
-		icmpHdr.SetCode(header.ICMPv4FragmentationNeeded)
-		counter = sent.dstUnreachable
-	case *icmpReasonTTLExceeded:
-		icmpHdr.SetType(header.ICMPv4TimeExceeded)
-		icmpHdr.SetCode(header.ICMPv4TTLExceeded)
-		counter = sent.timeExceeded
-	case *icmpReasonReassemblyTimeout:
-		icmpHdr.SetType(header.ICMPv4TimeExceeded)
-		icmpHdr.SetCode(header.ICMPv4ReassemblyTimeout)
-		counter = sent.timeExceeded
-	case *icmpReasonParamProblem:
-		icmpHdr.SetType(header.ICMPv4ParamProblem)
-		icmpHdr.SetCode(header.ICMPv4UnusedCode)
-		icmpHdr.SetPointer(reason.pointer)
-		counter = sent.paramProblem
-	default:
-		panic(fmt.Sprintf("unsupported ICMP type %T", reason))
-	}
+	icmpHdr.SetCode(icmpCode)
+	icmpHdr.SetType(icmpType)
+	icmpHdr.SetPointer(pointer)
 	icmpHdr.SetChecksum(header.ICMPv4Checksum(icmpHdr, icmpPkt.Data().AsRange().Checksum()))
 
 	if err := route.WritePacket(