From owner-dev-commits-src-all@freebsd.org Thu Apr 15 22:27:57 2021
Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org
Date: Thu, 15 Apr 2021 22:27:57 GMT
Message-Id: <202104152227.13FMRv8L084772@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Gleb Smirnoff Subject: git: cb8d7c44d6ac - main - tcp_syncache: add net.inet.tcp.syncache.see_other sysctl MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: glebius X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: cb8d7c44d6acd4f7f6be7f8b762315260f70d896 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Apr 2021 22:27:57 -0000 The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=cb8d7c44d6acd4f7f6be7f8b762315260f70d896 commit cb8d7c44d6acd4f7f6be7f8b762315260f70d896 Author: Gleb Smirnoff AuthorDate: 2021-03-19 07:22:36 +0000 Commit: Gleb Smirnoff CommitDate: 2021-04-15 22:26:48 +0000 tcp_syncache: add net.inet.tcp.syncache.see_other sysctl A security feature from c06f087ccb12 appeared to be a huge bottleneck under SYN flood. To mitigate that add a sysctl that would make syncache(4) globally visible, ignoring UID/GID, jail(2) and mac(4) checks. When turned on, we won't need to call crhold() on the listening socket credential for every incoming SYN packet. Reviewed by: bz --- share/man/man4/syncache.4 | 29 +++++++++++++++++++++++++++-- sys/netinet/tcp_syncache.c | 10 ++++++++-- sys/netinet/tcp_syncache.h | 1 + 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/share/man/man4/syncache.4 b/share/man/man4/syncache.4 index b212b12cde95..26ed225bcce8 100644 --- a/share/man/man4/syncache.4 +++ b/share/man/man4/syncache.4 @@ -12,7 +12,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 22, 2008 +.Dd April 12, 2021 .Dt SYNCACHE 4 .Os .Sh NAME 
@@ -39,6 +39,8 @@ MIBs for controlling TCP SYN caching .Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit .It .Nm sysctl Cm net.inet.tcp.syncache.count +.It +.Nm sysctl Cm net.inet.tcp.syncache.see_other .El .Sh DESCRIPTION The @@ -150,6 +152,25 @@ Tunable via Number of entries present in the .Nm (read-only). +.It Va see_other +If set to true value, all +.Nm +entries will be visible via +.Va net.inet.tcp.pcblist +sysctl, or via +.Xr netstat 1 , +ignoring all of +.Xr security 7 +UID/GID, +.Xr jail 2 +and +.Xr mac 4 +checks. +If turned off, the visibility checks are enforced. +However, extra +.Xr ucred 9 +referencing is required on every incoming SYN packet processed. +The default is off. .El .Pp Statistics on the performance of the @@ -192,9 +213,13 @@ Connections created from segment containing ACK. .El .Sh SEE ALSO .Xr netstat 1 , +.Xr jail 2 , +.Xr mac , .Xr tcp 4 , +.Xr security 7, .Xr loader 8 , -.Xr sysctl 8 +.Xr sysctl 8 , +.Xr ucred 9 .Sh HISTORY The existing .Nm diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 7c6bad415d7d..4cd8411af8d5 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -191,6 +191,11 @@ SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, hashsize, CTLFLAG_VNET | CTLFLAG_R &VNET_NAME(tcp_syncache.hashsize), 0, "Size of TCP syncache hashtable"); +SYSCTL_BOOL(_net_inet_tcp_syncache, OID_AUTO, see_other, CTLFLAG_VNET | + CTLFLAG_RW, &VNET_NAME(tcp_syncache.see_other), 0, + "All syncache(4) entries are visible, ignoring UID/GID, jail(2) " + "and mac(4) checks"); + static int sysctl_net_inet_tcp_syncache_rexmtlimit_check(SYSCTL_HANDLER_ARGS) { @@ -1409,7 +1414,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, */ KASSERT(SOLISTENING(so), ("%s: %p not listening", __func__, so)); tp = sototcpcb(so); - cred = crhold(so->so_cred); + cred = V_tcp_syncache.see_other ? NULL : crhold(so->so_cred); #ifdef INET6 if (inc->inc_flags & INC_ISIPV6) { 
@@ -2498,7 +2503,8 @@ syncache_pcblist(struct sysctl_req *req) sch = &V_tcp_syncache.hashbase[i]; SCH_LOCK(sch); TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) { - if (cr_cansee(req->td->td_ucred, sc->sc_cred) != 0) + if (sc->sc_cred != NULL && + cr_cansee(req->td->td_ucred, sc->sc_cred) != 0) continue; if (sc->sc_inc.inc_flags & INC_ISIPV6) xt.xt_inp.inp_vflag = INP_IPV6; diff --git a/sys/netinet/tcp_syncache.h b/sys/netinet/tcp_syncache.h index c56dce55f1c1..03e34a89c112 100644 --- a/sys/netinet/tcp_syncache.h +++ b/sys/netinet/tcp_syncache.h @@ -134,6 +134,7 @@ struct tcp_syncache { time_t pause_until; uint8_t pause_backoff; volatile bool paused; + bool see_other; }; /* Internal use for the syncookie functions. */
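Review bot: in the syncache.4 DESCRIPTION hunk (@@ -150,6 +152,25 @@), "If set to true value, all" should read "If set to a true value, all", and "ignoring all of .Xr security 7 UID/GID, .Xr jail 2 and .Xr mac 4 checks" reads awkwardly; suggest "bypassing the UID/GID, .Xr jail 2 and .Xr mac 4 visibility checks described in .Xr security 7". The sysctl is declared with CTLFLAG_VNET in the tcp_syncache.c hunk, so this paragraph should also state that the setting is per vnet rather than global.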
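Review bot: in the syncache.4 SEE ALSO hunk (@@ -192,9 +213,13 @@), ".Xr mac ," lacks its section number and should be ".Xr mac 4 ," to match the ".Xr mac 4" used in the DESCRIPTION, and ".Xr security 7," needs a space before the comma (".Xr security 7 ,") so the comma is rendered as trailing punctuation instead of being taken as part of the section argument, consistent with the neighbouring ".Xr jail 2 ," and ".Xr sysctl 8 ," lines.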
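Review bot: the syncache_add hunk (@@ -1409,7 +1414,7 @@) stores a NULL sc_cred whenever see_other is set, but the diff only adapts one consumer, syncache_pcblist; please confirm that the syncache entry teardown path calls crfree() only when sc_cred is non-NULL, otherwise the first freed entry after enabling the sysctl dereferences NULL. It would also help the commit message to say that see_other is evaluated per incoming SYN, so changing it at runtime leaves the cache holding a mix of credential-bearing and credential-less entries.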
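Review bot: in the syncache_pcblist hunk (@@ -2498,7 +2503,8 @@), visibility is keyed on sc_cred == NULL rather than on the current value of see_other, so entries created while the sysctl was on stay visible to every unprivileged caller and every jail after it is turned back off, until they expire or complete the handshake, and entries created while it was off stay filtered after it is turned on. If that is intended, the man page sentence "If turned off, the visibility checks are enforced" should say it applies to entries created after the change; otherwise the NULL case should also consult the sysctl, e.g. skip the entry when sc->sc_cred == NULL && !V_tcp_syncache.see_other, so that turning the knob off restores isolation immediately.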