PF emits ICMP messages for blocked connections (when return is set) but it does not call the rate limit code (badport_bandlim) and hence will send them at an unlimited rate. IMO this is a POLA violation. Furthermore, the IPv6 stack does not appear to call it either; badport_bandlim has BANDLIM_ICMP6_UNREACH but it does not appear to be used. I think it would make more sense to move the rate limiting code into icmp_error/icmp6_error and perhaps also add some per-ICMP type stats exposed as sysctls.
Also, there is net.inet6.icmp6.errppslimit, however it does not appear to be connected to anything.
Proposed patch: https://reviews.freebsd.org/D36903
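To illustrate the behaviour the report is asking for, here is an added userland example (not code from the bug, the patch, or the FreeBSD tree) of a per-second, per-class ICMP error budget in the spirit of badport_bandlim: every blocked connection that a "return" rule would answer with an ICMP error consults the limiter first, and once the budget for the current second is spent the error is dropped instead of sent. The class names, the icmplim default and the millisecond clock are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical error classes, modelled on the BANDLIM_* indices that the
 * kernel's badport_bandlim() takes (names are assumptions for this example). */
enum bandlim_class { BL_ICMP_UNREACH, BL_ICMP6_UNREACH, BL_NCLASSES };

/* One-second window per class: when it started and how many errors it has sent. */
struct icmp_rate {
    uint64_t window_start_ms;
    unsigned packets;
};

static struct icmp_rate rates[BL_NCLASSES];
static unsigned icmplim = 200;   /* assumed analogue of a packets-per-second sysctl limit */

/* Forget all windows, e.g. before a fresh simulation. */
void icmp_bandlim_reset(void)
{
    for (int i = 0; i < BL_NCLASSES; i++)
        rates[i].window_start_ms = rates[i].packets = 0;
}

/* Return true if an ICMP error of class cls may be sent at time now_ms,
 * false if this second's budget is exhausted and the error must be dropped. */
bool icmp_error_allowed(enum bandlim_class cls, uint64_t now_ms)
{
    if ((int)cls < 0 || cls >= BL_NCLASSES)
        return false;
    struct icmp_rate *r = &rates[cls];
    if (now_ms - r->window_start_ms >= 1000) {   /* new second: open a fresh window */
        r->window_start_ms = now_ms;
        r->packets = 0;
    }
    if (r->packets >= icmplim)
        return false;
    r->packets++;
    return true;
}

/* Simulate n blocked connections arriving at once (all at now_ms), each of which
 * a "return" rule would answer with an ICMP error; report how many are sent. */
unsigned simulate_burst(enum bandlim_class cls, unsigned n, uint64_t now_ms)
{
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        if (icmp_error_allowed(cls, now_ms))
            sent++;
    return sent;
}
```

Without the limiter the burst of 1000 blocked connections would produce 1000 ICMP errors; with it, only icmplim per second leave the box, and the IPv6 class is budgeted independently.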
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a974702e274cbed52ae9ad9ecef8501e267b822d

commit a974702e274cbed52ae9ad9ecef8501e267b822d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-10-07 14:22:57 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-10-14 08:36:16 +0000

    pf: apply the network stack's ICMP rate limiting to ICMP errors sent by pf

    PR:                     266477
    Event:                  Aberdeen Hackathon 2022
    Differential Revision:  https://reviews.freebsd.org/D36903

 sys/netinet/icmp6.h  |  1 +
 sys/netinet6/icmp6.c |  3 +--
 sys/netpfil/pf/pf.c  | 26 ++++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
^Triage: committed back in 2022.