Enforce the limit on ICMP messages before doing work to formulate the

response.

Delete an unneeded rate limit for UDP under IPv6. Because ICMP6
messages have their own rate limit, it is unnecessary to apply a
second rate limit to UDP messages.

Reviewed by:	glebius
MFC after:	2 weeks
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D10387

sys/netinet/ip_icmp.c

@@ -540,11 +540,10 @@ icmp_input(struct mbuf **mp, int *offp, int proto)
 			ICMPSTAT_INC(icps_bmcastecho);
 			break;
 		}
-		icp->icmp_type = ICMP_ECHOREPLY;
 		if (badport_bandlim(BANDLIM_ICMP_ECHO) < 0)
 			goto freeit;
-		else
-			goto reflect;
+		icp->icmp_type = ICMP_ECHOREPLY;
+		goto reflect;
 
 	case ICMP_TSTAMP:
 		if (V_icmptstamprepl == 0)
@@ -558,13 +557,12 @@ icmp_input(struct mbuf **mp, int *offp, int proto)
 			ICMPSTAT_INC(icps_badlen);
 			break;
 		}
+		if (badport_bandlim(BANDLIM_ICMP_TSTAMP) < 0)
+			goto freeit;
 		icp->icmp_type = ICMP_TSTAMPREPLY;
 		icp->icmp_rtime = iptime();
 		icp->icmp_ttime = icp->icmp_rtime;	/* bogus, do later! */
-		if (badport_bandlim(BANDLIM_ICMP_TSTAMP) < 0)
-			goto freeit;
-		else
-			goto reflect;
+		goto reflect;
 
 	case ICMP_MASKREQ:
 		if (V_icmpmaskrepl == 0)

sys/netinet6/udp6_usrreq.c

@@ -104,9 +104,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
 #include <netinet/ip6.h>
-#include <netinet/icmp_var.h>
 #include <netinet/icmp6.h>
 #include <netinet/ip_var.h>
 #include <netinet/udp.h>
@@ -481,8 +479,6 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
 		}
 		if (V_udp_blackhole)
 			goto badunlocked;
-		if (badport_bandlim(BANDLIM_ICMP6_UNREACH) < 0)
-			goto badunlocked;
 		icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0);
 		return (IPPROTO_DONE);
 	}