git: 2eb786d96e97 - main - tcp: rate limit the sending of all RST segments

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Sat, 09 Aug 2025 12:11:37 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=2eb786d96e97a953d0256d1d622c4853964be2dc

commit 2eb786d96e97a953d0256d1d622c4853964be2dc
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2025-08-07 20:23:54 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2025-08-07 20:23:54 +0000

    tcp: rate limit the sending of all RST segments
    
    Also rate limit the sending of RST segments in the following cases:
    * when receiving data on a closed socket.
    * when a socket can not be created at the end of the handshake and
      the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1.
    * when an ACK segment is received in SYN SENT state and it does not
      acknowledge the SYN segment.
    After this change, there is no longer any need to provide a rstreason
    to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST.
    Removing it will be a follow-up commit, since it touches the code in a
    couple of places but does not change the functionality.
    
    Reviewed by:            rrs, Nick Banks, Peter Lei
    MFC after:              1 week
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51815
---
 sys/netinet/tcp_input.c       | 6 +++---
 sys/netinet/tcp_stacks/bbr.c  | 4 ++--
 sys/netinet/tcp_stacks/rack.c | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index fa0a1661e37d..d392cbe09950 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1134,7 +1134,7 @@ tfo_socket_result:
 					    V_tcp_sc_rst_sock_fail ?
 					    "sending RST" : "try again");
 				if (V_tcp_sc_rst_sock_fail) {
-					rstreason = BANDLIM_UNLIMITED;
+					rstreason = BANDLIM_TCP_RST;
 					goto dropwithreset;
 				} else
 					goto dropunlock;
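Review bot: The diagnostic built on L43–L44 still reports "sending RST" unconditionally, but with BANDLIM_TCP_RST the reset issued at the dropwithreset label is subject to the limiter and can be silently suppressed, so the log may claim a RST that was never put on the wire. Rather than changing the message (which consumers may parse), a comment on the new line keeps the reader honest: `rstreason = BANDLIM_TCP_RST; /* rate limited: the RST may be dropped */`. The enclosing function and the dropwithreset label are outside the hunk, so I cannot see whether the label already notes this.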
@@ -1568,7 +1568,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 	 */
 	if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
 	    (SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
-		rstreason = BANDLIM_UNLIMITED;
+		rstreason = BANDLIM_TCP_RST;
 		tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
 		goto dropwithreset;
 	}
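Review bot: The reset for an ACK in SYN-SENT that does not cover our SYN (the check on L53–L54) is now rate limited, which changes the recovery path that RFC 9293 §3.10.7.3 relies on: a peer holding a stale half-open connection is cleared only when one of its retransmissions happens to fall under the limit, because a limited segment is dropped without any response. The comment block ending at L52 is outside the hunk; if it does not already say so, add beside the new line `/* Rate limited: a stale peer may need several retries before it sees the RST. */`. Since the BANDLIM_TCP_RST bucket is presumably shared with every other path using that reason, heavy traffic on any of them delays this one as well — an acceptable reflection defence, but worth stating where the behaviour was previously unconditional.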
@@ -2346,7 +2346,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 		tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 		tp = tcp_close(tp);
 		TCPSTAT_INC(tcps_rcvafterclose);
-		rstreason = BANDLIM_UNLIMITED;
+		rstreason = BANDLIM_TCP_RST;
 		goto dropwithreset;
 	}
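Review bot: The data-after-close sites that this hunk and the bbr.c (L78, L87) and rack.c (L100, L109) hunks change are now indistinguishable from any other RST in the limiter, yet their accounting differs: L63, L85 and L107 increment tcps_rcvafterclose before resetting, while the parallel sequences at L77–L79 and L98–L100 do not (bbr bumps only its stack-private bbr_dropped_af_data, rack nothing). The conditions that reach these blocks are outside the hunks, so this may be deliberate; if they are the same event, the counter under-reports in the rack/bbr ACK-processing path, and once the RST itself can be suppressed that counter is the only host-side signal an operator has that post-close data is arriving. Worth confirming, or adding `KMOD_TCPSTAT_INC(tcps_rcvafterclose);` before the ctf_do_dropwithreset() call at L100 and L78 in the follow-up that drops the rstreason parameter. tcp_do_segment and the dropwithreset label continue outside the hunk.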
 
diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index ce4e9f30020c..f2960ab9c636 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -7863,7 +7863,7 @@ nothing_left:
 			/* tcp_close will kill the inp pre-log the Reset */
 			tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 			tp = tcp_close(tp);
-			ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+			ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 			BBR_STAT_INC(bbr_dropped_af_data);
 			return (1);
 		}
@@ -9405,7 +9405,7 @@ close_now:
 		tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 		tp = tcp_close(tp);
 		KMOD_TCPSTAT_INC(tcps_rcvafterclose);
-		ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+		ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 		return (1);
 	}
 	if (sbavail(&so->so_snd) == 0)
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index d6bbfeb886d9..2dfcad84ad99 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -12038,7 +12038,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so,
 			/* tcp_close will kill the inp pre-log the Reset */
 			tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 			tp = tcp_close(tp);
-			ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+			ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 			return (1);
 		}
 	}
@@ -13518,7 +13518,7 @@ rack_check_data_after_close(struct mbuf *m,
 		tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 		tp = tcp_close(tp);
 		KMOD_TCPSTAT_INC(tcps_rcvafterclose);
-		ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+		ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 		return (1);
 	}
 	if (sbavail(&so->so_snd) == 0)