From nobody Sat Aug 03 23:21:23 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WbzGq5VVzz5RXSn; Sat, 03 Aug 2024 23:21:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WbzGq4n5Bz4R7l; Sat, 3 Aug 2024 23:21:23 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722727283; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aUK3K5t8g1wnc/cE8rj9KXrHsvzKcASjhdtlwYTy95E=; b=JWqpwPN7WLaFwbSYDlmIFuHAhdWz9cQJguDTfTpyPjJ0aOVt/3Wnphk76wX/sDRDrpoCJj un+GU4a5LRGx5jEzN41nGNq6HTNCV3TO41+iXQBl0NIsAh7IF98Qkg9yAeMJCTk80P5y14 90NijU+6ffX4wavzHjppZffJYnkLORRZWFGGpO5JuvoPhgHm7iBppDnTyNUwqqntKb2Y/n bivRGWHicLCAF42BWwHNlhn3HJhEe/5JNd32KNqS/8dq7Q/tZnJU4UeXhj62MPYew8bNRc Uem68a9WTMlXHl5vkRIrU75Zi6x7vmojFAU8cx8/LeNTZaCwJF91bXdnPSGlxw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1722727283; a=rsa-sha256; cv=none; b=kroI3426vxHR2h0u3XZt1HOiNOyBxe1TXwJzeIq2dwMxlM8epkhbU3c0uxzfTgiGkPw3HV IMezFIDzlSvZEnp7pNIPZdgTecYfC+U9//kcEB0RU9wisfQoLrVJjesHu/+w+tKNSn3FPB /k8wcVV2WnzQFdrGDDAgJkx6K5oY4Qso7BR8CV4Vb52VTWVNg6im4MP4hUd2FZxkv6/YH1 DopGljWW1h2szjKG6SfLDF6czBgsh2FFoBNjjAXhVc0nUEMHKYwWRTAJ0HKnrQIIRPpm/W Vq3X0u25YaVcfNGe5x1kMI7yD1WdFjg2EdxCTPy2yDRah68qMgODqyvMoj8RTg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722727283; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aUK3K5t8g1wnc/cE8rj9KXrHsvzKcASjhdtlwYTy95E=; b=R39oNke+8tj7+axZUlJNXkNrnF2WEylQ96zNm/G9PHxaPUTNil3leEnYMbKCAKaHxgCCfl oKlZ0kxmVFrbqRIAHSfSK2TTxuezEWYVWp3MK6b+PBNr1DyXzBoudrFnsp7p2kT3bVAU9X xJj4y0VmNivGXtJjru0Jp3y59ndVLtbpPLyWjGfZI5QunaVXuUbizGJb84LnTAUoKVCrdu BvRvk92QY4k1wCIF/dIakBfK3/07aBDSmocxI78mrkuSxePpaMBmSRQ3X3WoMRkxGSMi8A RBzQ0wxc4pgCjX63o3JU3X+9r0koAzXKs7sn0mb83iGu1Ot5zY++UgJr9bt95Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4WbzGq4LyqzXZP; Sat, 3 Aug 2024 23:21:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 473NLNkM024406; Sat, 3 Aug 2024 23:21:23 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 473NLNbp024403; Sat, 3 Aug 2024 23:21:23 GMT (envelope-from git) Date: Sat, 3 Aug 2024 23:21:23 GMT Message-Id: <202408032321.473NLNbp024403@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Michael Tuexen Subject: git: 4401d7b362b1 - stable/14 - tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tuexen X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 4401d7b362b18d867b50eefe1b6258760c8c9870 Auto-Submitted: auto-generated The branch stable/14 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=4401d7b362b18d867b50eefe1b6258760c8c9870 commit 4401d7b362b18d867b50eefe1b6258760c8c9870 Author: Michael Tuexen AuthorDate: 2024-07-28 20:36:34 +0000 Commit: Michael Tuexen CommitDate: 2024-08-03 23:19:29 +0000 tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt As suggested by glebius@. While there, improve the documentation. Reviewed by: Peter Lei, cc Sponsored by: Netflix, Inc Differential Revision: https://reviews.freebsd.org/D46140 (cherry picked from commit 4036380e029708f5d6ad7aa599ce1bba9d7c067b) --- share/man/man4/tcp.4 | 20 +++++++++++++++++++- sys/netinet/tcp_stacks/rack_bbr_common.c | 16 ++++++++-------- sys/netinet/tcp_subr.c | 24 +++++++++++------------- sys/netinet/tcp_var.h | 4 ++++ 4 files changed, 42 insertions(+), 22 deletions(-) diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4 index 1f5cc7734bbf..da88a30bf86a 100644 --- a/share/man/man4/tcp.4 +++ b/share/man/man4/tcp.4 @@ -33,7 +33,7 @@ .\" .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 .\" -.Dd July 21, 2024 +.Dd July 28, 2024 .Dt TCP 4 .Os .Sh NAME @@ -434,6 +434,17 @@ branch of the MIB, which can also be read or modified with .Xr sysctl 8 . .Bl -tag -width ".Va v6pmtud_blackhole_mss" +.It Va ack_war_timewindow , ack_war_cnt +The challenge ACK throttling algorithm defined in RFC 5961 limits +the number of challenge ACKs sent per TCP connection to +.Va ack_war_cnt +during the time interval specified in milliseconds by +.Va ack_war_timewindow . +Setting +.Va ack_war_timewindow +or +.Va ack_war_cnt +to zero disables challenge ACK throttling. .It Va always_keepalive Assume that .Dv SO_KEEPALIVE @@ -1080,6 +1091,13 @@ when trying to use a TCP function block that is not available; .%T "The Addition of Explicit Congestion Notification (ECN) to IP" .%O "RFC 3168" .Re +.Rs +.%A "A. Ramaiah" +.%A "R. Stewart" +.%A "M. Dalal" +.%T "Improving TCP's Robustness to Blind In-Window Attacks" +.%O "RFC 5961" +.Re .Sh HISTORY The .Tn TCP diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.c b/sys/netinet/tcp_stacks/rack_bbr_common.c index 4a4a8af2bd78..b218f449475f 100644 --- a/sys/netinet/tcp_stacks/rack_bbr_common.c +++ b/sys/netinet/tcp_stacks/rack_bbr_common.c @@ -535,8 +535,8 @@ void ctf_ack_war_checks(struct tcpcb *tp, uint32_t *ts, uint32_t *cnt) { if ((ts != NULL) && (cnt != NULL) && - (tcp_ack_war_time_window > 0) && - (tcp_ack_war_cnt > 0)) { + (V_tcp_ack_war_time_window > 0) && + (V_tcp_ack_war_cnt > 0)) { /* We are possibly doing ack war prevention */ uint32_t cts; @@ -550,9 +550,9 @@ ctf_ack_war_checks(struct tcpcb *tp, uint32_t *ts, uint32_t *cnt) if (TSTMP_LT((*ts), cts)) { /* Timestamp is in the past */ *cnt = 0; - *ts = (cts + tcp_ack_war_time_window); + *ts = (cts + V_tcp_ack_war_time_window); } - if (*cnt < tcp_ack_war_cnt) { + if (*cnt < V_tcp_ack_war_cnt) { *cnt = (*cnt + 1); tp->t_flags |= TF_ACKNOW; } else @@ -772,8 +772,8 @@ __ctf_process_rst(struct mbuf *m, struct tcphdr *th, struct socket *so, KMOD_TCPSTAT_INC(tcps_badrst); if ((ts != NULL) && (cnt != NULL) && - (tcp_ack_war_time_window > 0) && - (tcp_ack_war_cnt > 0)) { + (V_tcp_ack_war_time_window > 0) && + (V_tcp_ack_war_cnt > 0)) { /* We are possibly preventing an ack-rst war prevention */ uint32_t cts; @@ -787,9 +787,9 @@ __ctf_process_rst(struct mbuf *m, struct tcphdr *th, struct socket *so, if (TSTMP_LT((*ts), cts)) { /* Timestamp is in the past */ *cnt = 0; - *ts = (cts + tcp_ack_war_time_window); + *ts = (cts + V_tcp_ack_war_time_window); } - if (*cnt < tcp_ack_war_cnt) { + if (*cnt < V_tcp_ack_war_cnt) { *cnt = (*cnt + 1); send_challenge = 1; } else diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index e2b120223bc0..a2424f2ab4d6 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -193,16 +193,14 @@ SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, sad_low_pps, &tcp_sad_low_pps, 100, "What is the input pps that below which we do not decay?"); #endif -uint32_t tcp_ack_war_time_window = 1000; +VNET_DEFINE(uint32_t, tcp_ack_war_time_window) = 1000; SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_timewindow, - CTLFLAG_RW, - &tcp_ack_war_time_window, 1000, - "If the tcp_stack does ack-war prevention how many milliseconds are in its time window?"); -uint32_t tcp_ack_war_cnt = 5; -SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_cnt, - CTLFLAG_RW, - &tcp_ack_war_cnt, 5, - "If the tcp_stack does ack-war prevention how many acks can be sent in its time window?"); + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_ack_war_time_window), 0, + "Time interval in ms used to limit the number (ack_war_cnt) of challenge ACKs sent per TCP connection"); +VNET_DEFINE(uint32_t, tcp_ack_war_cnt) = 5; +SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_cnt, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(tcp_ack_war_cnt), 0, + "Maximum number of challenge ACKs sent per TCP connection during the time interval (ack_war_timewindow)"); struct rwlock tcp_function_lock; @@ -2224,7 +2222,7 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m, /* * Send a challenge ack (no data, no SACK option), but not more than - * tcp_ack_war_cnt per tcp_ack_war_time_window (per TCP connection). + * V_tcp_ack_war_cnt per V_tcp_ack_war_time_window (per TCP connection). */ void tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) @@ -2232,7 +2230,7 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) sbintime_t now; bool send_challenge_ack; - if (tcp_ack_war_time_window == 0 || tcp_ack_war_cnt == 0) { + if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) { /* ACK war protection is disabled. */ send_challenge_ack = true; } else { @@ -2241,13 +2239,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) if (tp->t_challenge_ack_end < now) { tp->t_challenge_ack_cnt = 0; tp->t_challenge_ack_end = now + - tcp_ack_war_time_window * SBT_1MS; + V_tcp_ack_war_time_window * SBT_1MS; } /* * Send a challenge ACK, if less than tcp_ack_war_cnt have been * sent in the current epoch. */ - if (tp->t_challenge_ack_cnt < tcp_ack_war_cnt) { + if (tp->t_challenge_ack_cnt < V_tcp_ack_war_cnt) { send_challenge_ack = true; tp->t_challenge_ack_cnt++; } else { diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h index f41fdaca13ac..9ba13b779616 100644 --- a/sys/netinet/tcp_var.h +++ b/sys/netinet/tcp_var.h @@ -1278,6 +1278,8 @@ VNET_DECLARE(int, tcp_log_in_vain); VNET_DECLARE(int, drop_synfin); VNET_DECLARE(int, path_mtu_discovery); VNET_DECLARE(int, tcp_abc_l_var); +VNET_DECLARE(uint32_t, tcp_ack_war_cnt); +VNET_DECLARE(uint32_t, tcp_ack_war_time_window); VNET_DECLARE(int, tcp_autorcvbuf_max); VNET_DECLARE(int, tcp_autosndbuf_inc); VNET_DECLARE(int, tcp_autosndbuf_max); @@ -1328,6 +1330,8 @@ VNET_DECLARE(struct inpcbinfo, tcbinfo); #define V_path_mtu_discovery VNET(path_mtu_discovery) #define V_tcbinfo VNET(tcbinfo) #define V_tcp_abc_l_var VNET(tcp_abc_l_var) +#define V_tcp_ack_war_cnt VNET(tcp_ack_war_cnt) +#define V_tcp_ack_war_time_window VNET(tcp_ack_war_time_window) #define V_tcp_autorcvbuf_max VNET(tcp_autorcvbuf_max) #define V_tcp_autosndbuf_inc VNET(tcp_autosndbuf_inc) #define V_tcp_autosndbuf_max VNET(tcp_autosndbuf_max)