upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

tcp: improve consistency of syncache_respond() failure handling

Browse source 
When the initial sending of the SYN ACK segment using
syncache_respond() fails, it is handled as a permanent error.
To improve consistency, apply this policy in all cases, where
syncache_respond() is called. These include
* timer based retransmissions of the SYN ACK
* retransmitting a SYN ACK in response to a SYN retransmission
* sending of challenge ACKs in response to received RST segments
In these cases, fall back to SYN cookies, if enabled.
While there, also improve consistency of the TCP stats counters.

Reviewed by:		cc, glebius (earlier version)
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D46428

(cherry picked from commit ef438f7706be48f1cf7fd4c8a60329e1619cfe30)
This commit is contained in:
Michael Tuexen 2024-09-05 03:33:13 +02:00
parent 2e45166856
commit 003f1ebcbc
1 changed files with 19 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
sys/netinet/tcp_syncache.c
View file

@ -535,10 +535,16 @@ syncache_timer(void *xsch)
}
NET_EPOCH_ENTER(et);
syncache_respond(sc, NULL, TH_SYN|TH_ACK);
if (syncache_respond(sc, NULL, TH_SYN|TH_ACK) == 0) {
syncache_timeout(sc, sch, 0);
TCPSTAT_INC(tcps_sndacks);
TCPSTAT_INC(tcps_sndtotal);
TCPSTAT_INC(tcps_sc_retransmitted);
} else {
syncache_drop(sc, sch);
TCPSTAT_INC(tcps_sc_dropped);
}
NET_EPOCH_EXIT(et);
TCPSTAT_INC(tcps_sc_retransmitted);
syncache_timeout(sc, sch, 0);
}
if (!TAILQ_EMPTY(&(sch)->sch_bucket))
callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick,
@ -696,7 +702,13 @@ syncache_chkrst(struct in_conninfo *inc, struct tcphdr *th, struct mbuf *m,
"sending challenge ACK\n",
s, __func__,
th->th_seq, sc->sc_irs + 1, sc->sc_wnd);
syncache_respond(sc, m, TH_ACK);
if (syncache_respond(sc, m, TH_ACK) == 0) {
TCPSTAT_INC(tcps_sndacks);
TCPSTAT_INC(tcps_sndtotal);
} else {
syncache_drop(sc, sch);
TCPSTAT_INC(tcps_sc_dropped);
}
}
} else {
if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
@ -1559,6 +1571,9 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
syncache_timeout(sc, sch, 1);
TCPSTAT_INC(tcps_sndacks);
TCPSTAT_INC(tcps_sndtotal);
} else {
syncache_drop(sc, sch);
TCPSTAT_INC(tcps_sc_dropped);
}
SCH_UNLOCK(sch);
goto donenoprobe;