git: 4401d7b362b1 - stable/14 - tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt
Date: Sat, 03 Aug 2024 23:21:23 UTC
The branch stable/14 has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=4401d7b362b18d867b50eefe1b6258760c8c9870
commit 4401d7b362b18d867b50eefe1b6258760c8c9870
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-07-28 20:36:34 +0000
Commit: Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-08-03 23:19:29 +0000
tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt
As suggested by glebius@. While there, improve the documentation.
Reviewed by: Peter Lei, cc
Sponsored by: Netflix, Inc
Differential Revision: https://reviews.freebsd.org/D46140
(cherry picked from commit 4036380e029708f5d6ad7aa599ce1bba9d7c067b)
---
share/man/man4/tcp.4 | 20 +++++++++++++++++++-
sys/netinet/tcp_stacks/rack_bbr_common.c | 16 ++++++++--------
sys/netinet/tcp_subr.c | 24 +++++++++++-------------
sys/netinet/tcp_var.h | 4 ++++
4 files changed, 42 insertions(+), 22 deletions(-)
diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
index 1f5cc7734bbf..da88a30bf86a 100644
--- a/share/man/man4/tcp.4
+++ b/share/man/man4/tcp.4
@@ -33,7 +33,7 @@
.\"
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\"
-.Dd July 21, 2024
+.Dd July 28, 2024
.Dt TCP 4
.Os
.Sh NAME
@@ -434,6 +434,17 @@ branch of the
MIB, which can also be read or modified with
.Xr sysctl 8 .
.Bl -tag -width ".Va v6pmtud_blackhole_mss"
+.It Va ack_war_timewindow , ack_war_cnt
+The challenge ACK throttling algorithm defined in RFC 5961 limits
+the number of challenge ACKs sent per TCP connection to
+.Va ack_war_cnt
+during the time interval specified in milliseconds by
+.Va ack_war_timewindow .
+Setting
+.Va ack_war_timewindow
+or
+.Va ack_war_cnt
+to zero disables challenge ACK throttling.
.It Va always_keepalive
Assume that
.Dv SO_KEEPALIVE
@@ -1080,6 +1091,13 @@ when trying to use a TCP function block that is not available;
.%T "The Addition of Explicit Congestion Notification (ECN) to IP"
.%O "RFC 3168"
.Re
+.Rs
+.%A "A. Ramaiah"
+.%A "R. Stewart"
+.%A "M. Dalal"
+.%T "Improving TCP's Robustness to Blind In-Window Attacks"
+.%O "RFC 5961"
+.Re
.Sh HISTORY
The
.Tn TCP
diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.c b/sys/netinet/tcp_stacks/rack_bbr_common.c
index 4a4a8af2bd78..b218f449475f 100644
--- a/sys/netinet/tcp_stacks/rack_bbr_common.c
+++ b/sys/netinet/tcp_stacks/rack_bbr_common.c
@@ -535,8 +535,8 @@ void
ctf_ack_war_checks(struct tcpcb *tp, uint32_t *ts, uint32_t *cnt)
{
if ((ts != NULL) && (cnt != NULL) &&
- (tcp_ack_war_time_window > 0) &&
- (tcp_ack_war_cnt > 0)) {
+ (V_tcp_ack_war_time_window > 0) &&
+ (V_tcp_ack_war_cnt > 0)) {
/* We are possibly doing ack war prevention */
uint32_t cts;
@@ -550,9 +550,9 @@ ctf_ack_war_checks(struct tcpcb *tp, uint32_t *ts, uint32_t *cnt)
if (TSTMP_LT((*ts), cts)) {
/* Timestamp is in the past */
*cnt = 0;
- *ts = (cts + tcp_ack_war_time_window);
+ *ts = (cts + V_tcp_ack_war_time_window);
}
- if (*cnt < tcp_ack_war_cnt) {
+ if (*cnt < V_tcp_ack_war_cnt) {
*cnt = (*cnt + 1);
tp->t_flags |= TF_ACKNOW;
} else
@@ -772,8 +772,8 @@ __ctf_process_rst(struct mbuf *m, struct tcphdr *th, struct socket *so,
KMOD_TCPSTAT_INC(tcps_badrst);
if ((ts != NULL) && (cnt != NULL) &&
- (tcp_ack_war_time_window > 0) &&
- (tcp_ack_war_cnt > 0)) {
+ (V_tcp_ack_war_time_window > 0) &&
+ (V_tcp_ack_war_cnt > 0)) {
/* We are possibly preventing an ack-rst war prevention */
uint32_t cts;
@@ -787,9 +787,9 @@ __ctf_process_rst(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (TSTMP_LT((*ts), cts)) {
/* Timestamp is in the past */
*cnt = 0;
- *ts = (cts + tcp_ack_war_time_window);
+ *ts = (cts + V_tcp_ack_war_time_window);
}
- if (*cnt < tcp_ack_war_cnt) {
+ if (*cnt < V_tcp_ack_war_cnt) {
*cnt = (*cnt + 1);
send_challenge = 1;
} else
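Review bot: The window reset and count check that this hunk converts to V_tcp_ack_war_time_window / V_tcp_ack_war_cnt is the same code as in ctf_ack_war_checks (hunk at @@ -550 above), so the throttling rule and its VNET accesses now live in two places that must be kept in step. A small static helper taking `ts`, `cnt` and `cts` and returning whether a challenge may be sent would let both callers share it, with the caller keeping its own side effect (TF_ACKNOW here versus `send_challenge = 1`). Both __ctf_process_rst and ctf_ack_war_checks start before their hunks and continue past them, so the else branches are not visible here.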
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index e2b120223bc0..a2424f2ab4d6 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -193,16 +193,14 @@ SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, sad_low_pps,
&tcp_sad_low_pps, 100,
"What is the input pps that below which we do not decay?");
#endif
-uint32_t tcp_ack_war_time_window = 1000;
+VNET_DEFINE(uint32_t, tcp_ack_war_time_window) = 1000;
SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_timewindow,
- CTLFLAG_RW,
- &tcp_ack_war_time_window, 1000,
- "If the tcp_stack does ack-war prevention how many milliseconds are in its time window?");
-uint32_t tcp_ack_war_cnt = 5;
-SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_cnt,
- CTLFLAG_RW,
- &tcp_ack_war_cnt, 5,
- "If the tcp_stack does ack-war prevention how many acks can be sent in its time window?");
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_ack_war_time_window), 0,
+ "Time interval in ms used to limit the number (ack_war_cnt) of challenge ACKs sent per TCP connection");
+VNET_DEFINE(uint32_t, tcp_ack_war_cnt) = 5;
+SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_cnt, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(tcp_ack_war_cnt), 0,
+ "Maximum number of challenge ACKs sent per TCP connection during the time interval (ack_war_timewindow)");
struct rwlock tcp_function_lock;
@@ -2224,7 +2222,7 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
/*
* Send a challenge ack (no data, no SACK option), but not more than
- * tcp_ack_war_cnt per tcp_ack_war_time_window (per TCP connection).
+ * V_tcp_ack_war_cnt per V_tcp_ack_war_time_window (per TCP connection).
*/
void
tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
@@ -2232,7 +2230,7 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
sbintime_t now;
bool send_challenge_ack;
- if (tcp_ack_war_time_window == 0 || tcp_ack_war_cnt == 0) {
+ if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) {
/* ACK war protection is disabled. */
send_challenge_ack = true;
} else {
@@ -2241,13 +2239,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
if (tp->t_challenge_ack_end < now) {
tp->t_challenge_ack_cnt = 0;
tp->t_challenge_ack_end = now +
- tcp_ack_war_time_window * SBT_1MS;
+ V_tcp_ack_war_time_window * SBT_1MS;
}
/*
* Send a challenge ACK, if less than tcp_ack_war_cnt have been
* sent in the current epoch.
*/
- if (tp->t_challenge_ack_cnt < tcp_ack_war_cnt) {
+ if (tp->t_challenge_ack_cnt < V_tcp_ack_war_cnt) {
send_challenge_ack = true;
tp->t_challenge_ack_cnt++;
} else {
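Review bot: The comment two lines above the changed compare still names `tcp_ack_war_cnt`, while the header comment in the earlier hunk (@@ -2224) was updated to the V_ names in the same commit; suggest `* Send a challenge ACK, if less than V_tcp_ack_war_cnt have been` so the comment matches the variable the code reads. tcp_send_challenge_ack continues outside the hunk.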
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index f41fdaca13ac..9ba13b779616 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -1278,6 +1278,8 @@ VNET_DECLARE(int, tcp_log_in_vain);
VNET_DECLARE(int, drop_synfin);
VNET_DECLARE(int, path_mtu_discovery);
VNET_DECLARE(int, tcp_abc_l_var);
+VNET_DECLARE(uint32_t, tcp_ack_war_cnt);
+VNET_DECLARE(uint32_t, tcp_ack_war_time_window);
VNET_DECLARE(int, tcp_autorcvbuf_max);
VNET_DECLARE(int, tcp_autosndbuf_inc);
VNET_DECLARE(int, tcp_autosndbuf_max);
@@ -1328,6 +1330,8 @@ VNET_DECLARE(struct inpcbinfo, tcbinfo);
#define V_path_mtu_discovery VNET(path_mtu_discovery)
#define V_tcbinfo VNET(tcbinfo)
#define V_tcp_abc_l_var VNET(tcp_abc_l_var)
+#define V_tcp_ack_war_cnt VNET(tcp_ack_war_cnt)
+#define V_tcp_ack_war_time_window VNET(tcp_ack_war_time_window)
#define V_tcp_autorcvbuf_max VNET(tcp_autorcvbuf_max)
#define V_tcp_autosndbuf_inc VNET(tcp_autosndbuf_inc)
#define V_tcp_autosndbuf_max VNET(tcp_autosndbuf_max)