git: cbf3575aa3c2 - main - tcp: filter small SACK blocks

The branch main has been updated by rscheff:

URL: https://cgit.FreeBSD.org/src/commit/?id=cbf3575aa3c2e3d0d9eb7fafb445c783489ab9d9

commit cbf3575aa3c2e3d0d9eb7fafb445c783489ab9d9
Author:     Richard Scheffenegger <rscheff@FreeBSD.org>
AuthorDate: 2024-05-04 19:47:29 +0000
Commit:     Richard Scheffenegger <rscheff@FreeBSD.org>
CommitDate: 2024-05-08 12:00:10 +0000

    tcp: filter small SACK blocks
    
    While the SACK Scoreboard in the base stack limits
    the number of holes by default to only 128 per connection
    in order to prevent CPU load attacks by splitting SACKs,
    filtering out SACK blocks of unusually small size can
    further improve the actual processing of SACK loss recovery.
    
    Reviewed By:            tuexen, #transport
    Sponsored by:           NetApp, Inc.
    Differential Revision:  https://reviews.freebsd.org/D45075
---
 sys/netinet/tcp_sack.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index f59cc5fe0d0b..a8cc84397d34 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -558,6 +558,7 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
 	int i, j, num_sack_blks;
 	sackstatus_t sack_changed;
 	int delivered_data, left_edge_delta;
+	int maxseg = tp->t_maxseg - MAX_TCPOPTLEN;
 
 	tcp_seq loss_hiack = 0;
 	int loss_thresh = 0;
@@ -604,7 +605,9 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
 			    SEQ_GT(sack.start, th_ack) &&
 			    SEQ_LT(sack.start, tp->snd_max) &&
 			    SEQ_GT(sack.end, tp->snd_una) &&
-			    SEQ_LEQ(sack.end, tp->snd_max)) {
+			    SEQ_LEQ(sack.end, tp->snd_max) &&
+			    ((sack.end - sack.start) >= maxseg ||
+			     SEQ_GEQ(sack.end, tp->snd_max))) {
 				sack_blocks[num_sack_blks++] = sack;
 			} else if (SEQ_LEQ(sack.start, th_ack) &&
 			    SEQ_LEQ(sack.end, th_ack)) {