TWSD-1571 ICMP packets restricted by the system tune icmp replylimit command
Review Request #1464 — Created March 25, 2026 and submitted
| Information | |
|---|---|
| williamkuan | |
| APV10 | |
| rel_apv_10_7_4 | |
| TWSD-1571 | |
| Reviewers | |
| kevin.poh, mingji, weikai | |
Root Cause:
VIMAGE is enabled (#define VIMAGE 1), making V_icmplim per-VNET. When the user runs system tune icmp replylimit 1:sysctlbyname sets icmplim=1 only in uinet_instance_default()'s VNET
ICMP packets are dispatched to ATCP threads that run in different VNETs
badport_bandlim() reads V_icmplim=1000 (default, never updated) from the ATCP thread's VNET
Rate limiting is effectively disabled — allows 1000/sec instead of 1/secSolution:
Introduced icmplim_global — a plain (non-VNET) global variable with its own sysctl net.inet.icmp.icmplim_global, bypassing the VNET isolation entirely.
Fast path: inline rate limiter using icmplim_global/ticks/hz before ATCP dispatch.
Slow path: badport_bandlim() check before KNI, send to KNI only (skip BSD to prevent double reply)
login as array // port0 IP address : 192.168.97.191
system tune icmp replylimit 1
write mem
use another host to ping
ping -i 0.001 192.168.97.191 // expect only one packet received per one second
