From nobody Sun Jul 28 20:40:22 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WXCzp3Jmcz5Rcs4; Sun, 28 Jul 2024 20:40:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WXCzp2lNdz4FsB; Sun, 28 Jul 2024 20:40:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722199222; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kCN5tybBpgQfLkM4/2PYHYFCM9F4pzgkNAdRJOTiXDM=; b=Oz57f/yQw4fn3GtOkZ0hMtc5x5KPhUa8Wbf+ih72+JM+WzMj2Y7dsPuMJUYEghnQ5QeUxj QlEBnoL1GXiuOqMUT5cL3CddpcLmlHD1KsFF8XFBBadzU16mcfdLi9HvIi/GMVD5Xft/bU PDzZaVYXFNpkjVuJCLGkYG0CsYSYaqbgdpXv0uZcDtb+c4pz6oNMersYIrF57okllFTFtr Rx+WUxykFQP3mhocd5obyDGAD/KadshPOjQ553uNR96iOYycEt12j+ZxAGVGUNqTojvGju tmzcxYVwXVNxWAi4AUHwjZ5SWCq+mYBvd5muyQfAZpguSScfjhDZ0L+4mKPG/Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1722199222; a=rsa-sha256; cv=none; b=M54VpKuu2QaWFYPS+VzvhxKk3gQA+Q8LAw5YQjy3BPUz3BUKB+xwYgsmTEIGKmcpJwd5DC ixb671h0nalag5zRCDUyX6GowwxyWLCukJQUYW7Ro7HctmvU54jkiGs37QN8K5AvKNDMBZ ZY6KzLbgf9kyvYyce1aReNko2gyehXb7mC4WI4xHXsKLMhBQptQ1j2A9k2MsVmoPh9XtVC DpEPtsqNy1Yn1Ju/yKPv8aicYiK5TY/1UPVTg3KedHhadlv/U+F04xLu82SDDqCUwJwZ1m tB/hmm5KibAvsQjQZaND8rLkPYcWG6urwX+ayN+EJZG0kcpsTPyFkqAkIs0LVQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722199222; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kCN5tybBpgQfLkM4/2PYHYFCM9F4pzgkNAdRJOTiXDM=; b=Yrw4NtrAeq9MTEHXi7OuZhIllbRXQuJt9ndJnenkRVzAAFCNt+UGJlKMVwPQbD3jx3fP1c f7SOiUh0PuCysaaGZht6TCv9596ppnU2tXfMsvRs6G3VpTizT6D5KeBWxTSZBLyk1lCPkX eJGq+8Y693RkDiAqGbjAxlocEhvp034d0XhrAm+ub2QlEQueF6Gdu/k6fkzldDNACvJfDS HrCOEqMIVKj/q19g6vaEoM7keezuoFgfxltYfa+wwbIauVgkXMfendALnlSJLPzAQE3L/9 dEuluH1ycwexUI0C4r8AZxnPzr4NiBqkp/cEREXoYluKy46RScpFbE3Tpjrgyg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4WXCzp2LnVz14g8; Sun, 28 Jul 2024 20:40:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 46SKeMTB076288; Sun, 28 Jul 2024 20:40:22 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 46SKeM4G076285; Sun, 28 Jul 2024 20:40:22 GMT (envelope-from git) Date: Sun, 28 Jul 2024 20:40:22 GMT Message-Id: <202407282040.46SKeM4G076285@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Michael Tuexen Subject: git: 4036380e0297 - main - tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tuexen X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 4036380e029708f5d6ad7aa599ce1bba9d7c067b Auto-Submitted: auto-generated The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=4036380e029708f5d6ad7aa599ce1bba9d7c067b commit 4036380e029708f5d6ad7aa599ce1bba9d7c067b Author: Michael Tuexen AuthorDate: 2024-07-28 20:36:34 +0000 Commit: Michael Tuexen CommitDate: 2024-07-28 20:36:34 +0000 tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt As suggested by glebius@. While there, improve the documentation. Reviewed by: Peter Lei, cc MFC after: 1 week Sponsored by: Netflix, Inc Differential Revision: https://reviews.freebsd.org/D46140 --- share/man/man4/tcp.4 | 20 +++++++++++++++++++- sys/netinet/tcp_stacks/rack.c | 2 +- sys/netinet/tcp_stacks/rack_bbr_common.c | 16 ++++++++-------- sys/netinet/tcp_subr.c | 24 +++++++++++------------- sys/netinet/tcp_var.h | 4 ++++ 5 files changed, 43 insertions(+), 23 deletions(-) diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4 index 3f5d87da0ffb..70356baa2145 100644 --- a/share/man/man4/tcp.4 +++ b/share/man/man4/tcp.4 @@ -31,7 +31,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 21, 2024 +.Dd July 28, 2024 .Dt TCP 4 .Os .Sh NAME @@ -432,6 +432,17 @@ branch of the MIB, which can also be read or modified with .Xr sysctl 8 . .Bl -tag -width ".Va v6pmtud_blackhole_mss" +.It Va ack_war_timewindow , ack_war_cnt +The challenge ACK throttling algorithm defined in RFC 5961 limits +the number of challenge ACKs sent per TCP connection to +.Va ack_war_cnt +during the time interval specified in milliseconds by +.Va ack_war_timewindow . +Setting +.Va ack_war_timewindow +or +.Va ack_war_cnt +to zero disables challenge ACK throttling. .It Va always_keepalive Assume that .Dv SO_KEEPALIVE @@ -1078,6 +1089,13 @@ when trying to use a TCP function block that is not available; .%T "The Addition of Explicit Congestion Notification (ECN) to IP" .%O "RFC 3168" .Re +.Rs +.%A "A. Ramaiah" +.%A "R. Stewart" +.%A "M. Dalal" +.%T "Improving TCP's Robustness to Blind In-Window Attacks" +.%O "RFC 5961" +.Re .Sh HISTORY The .Tn TCP diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c index 44ddfac2a6ca..ec0c6f500946 100644 --- a/sys/netinet/tcp_stacks/rack.c +++ b/sys/netinet/tcp_stacks/rack.c @@ -15547,7 +15547,7 @@ rack_init(struct tcpcb *tp, void **ptr) rack->r_ctl.rc_lower_rtt_us_cts = us_cts; rack->r_ctl.rc_time_of_last_probertt = us_cts; rack->r_ctl.rc_went_idle_time = us_cts; - rack->r_ctl.challenge_ack_ts = tcp_ts_getticks() - (tcp_ack_war_time_window + 1); + rack->r_ctl.challenge_ack_ts = tcp_ts_getticks() - (V_tcp_ack_war_time_window + 1); rack->r_ctl.rc_time_probertt_starts = 0; rack->r_ctl.gp_rnd_thresh = rack_rnd_cnt_req & 0xff; diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.c b/sys/netinet/tcp_stacks/rack_bbr_common.c index 4a4a8af2bd78..b218f449475f 100644 --- a/sys/netinet/tcp_stacks/rack_bbr_common.c +++ b/sys/netinet/tcp_stacks/rack_bbr_common.c @@ -535,8 +535,8 @@ void ctf_ack_war_checks(struct tcpcb *tp, uint32_t *ts, uint32_t *cnt) { if ((ts != NULL) && (cnt != NULL) && - (tcp_ack_war_time_window > 0) && - (tcp_ack_war_cnt > 0)) { + (V_tcp_ack_war_time_window > 0) && + (V_tcp_ack_war_cnt > 0)) { /* We are possibly doing ack war prevention */ uint32_t cts; @@ -550,9 +550,9 @@ ctf_ack_war_checks(struct tcpcb *tp, uint32_t *ts, uint32_t *cnt) if (TSTMP_LT((*ts), cts)) { /* Timestamp is in the past */ *cnt = 0; - *ts = (cts + tcp_ack_war_time_window); + *ts = (cts + V_tcp_ack_war_time_window); } - if (*cnt < tcp_ack_war_cnt) { + if (*cnt < V_tcp_ack_war_cnt) { *cnt = (*cnt + 1); tp->t_flags |= TF_ACKNOW; } else @@ -772,8 +772,8 @@ __ctf_process_rst(struct mbuf *m, struct tcphdr *th, struct socket *so, KMOD_TCPSTAT_INC(tcps_badrst); if ((ts != NULL) && (cnt != NULL) && - (tcp_ack_war_time_window > 0) && - (tcp_ack_war_cnt > 0)) { + (V_tcp_ack_war_time_window > 0) && + (V_tcp_ack_war_cnt > 0)) { /* We are possibly preventing an ack-rst war prevention */ uint32_t cts; @@ -787,9 +787,9 @@ __ctf_process_rst(struct mbuf *m, struct tcphdr *th, struct socket *so, if (TSTMP_LT((*ts), cts)) { /* Timestamp is in the past */ *cnt = 0; - *ts = (cts + tcp_ack_war_time_window); + *ts = (cts + V_tcp_ack_war_time_window); } - if (*cnt < tcp_ack_war_cnt) { + if (*cnt < V_tcp_ack_war_cnt) { *cnt = (*cnt + 1); send_challenge = 1; } else diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index cc9020f89a3a..145496afa098 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -139,16 +139,14 @@ VNET_DEFINE(int, tcp_mssdflt) = TCP_MSS; VNET_DEFINE(int, tcp_v6mssdflt) = TCP6_MSS; #endif -uint32_t tcp_ack_war_time_window = 1000; +VNET_DEFINE(uint32_t, tcp_ack_war_time_window) = 1000; SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_timewindow, - CTLFLAG_RW, - &tcp_ack_war_time_window, 1000, - "If the tcp_stack does ack-war prevention how many milliseconds are in its time window?"); -uint32_t tcp_ack_war_cnt = 5; -SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_cnt, - CTLFLAG_RW, - &tcp_ack_war_cnt, 5, - "If the tcp_stack does ack-war prevention how many acks can be sent in its time window?"); + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_ack_war_time_window), 0, + "Time interval in ms used to limit the number (ack_war_cnt) of challenge ACKs sent per TCP connection"); +VNET_DEFINE(uint32_t, tcp_ack_war_cnt) = 5; +SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_cnt, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(tcp_ack_war_cnt), 0, + "Maximum number of challenge ACKs sent per TCP connection during the time interval (ack_war_timewindow)"); struct rwlock tcp_function_lock; @@ -2183,7 +2181,7 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m, /* * Send a challenge ack (no data, no SACK option), but not more than - * tcp_ack_war_cnt per tcp_ack_war_time_window (per TCP connection). + * V_tcp_ack_war_cnt per V_tcp_ack_war_time_window (per TCP connection). */ void tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) @@ -2191,7 +2189,7 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) sbintime_t now; bool send_challenge_ack; - if (tcp_ack_war_time_window == 0 || tcp_ack_war_cnt == 0) { + if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) { /* ACK war protection is disabled. */ send_challenge_ack = true; } else { @@ -2200,13 +2198,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) if (tp->t_challenge_ack_end < now) { tp->t_challenge_ack_cnt = 0; tp->t_challenge_ack_end = now + - tcp_ack_war_time_window * SBT_1MS; + V_tcp_ack_war_time_window * SBT_1MS; } /* * Send a challenge ACK, if less than tcp_ack_war_cnt have been * sent in the current epoch. */ - if (tp->t_challenge_ack_cnt < tcp_ack_war_cnt) { + if (tp->t_challenge_ack_cnt < V_tcp_ack_war_cnt) { send_challenge_ack = true; tp->t_challenge_ack_cnt++; } else { diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h index af82d0bfeaaa..cc982e321709 100644 --- a/sys/netinet/tcp_var.h +++ b/sys/netinet/tcp_var.h @@ -1268,6 +1268,8 @@ VNET_DECLARE(int, tcp_log_in_vain); VNET_DECLARE(int, drop_synfin); VNET_DECLARE(int, path_mtu_discovery); VNET_DECLARE(int, tcp_abc_l_var); +VNET_DECLARE(uint32_t, tcp_ack_war_cnt); +VNET_DECLARE(uint32_t, tcp_ack_war_time_window); VNET_DECLARE(int, tcp_autorcvbuf_max); VNET_DECLARE(int, tcp_autosndbuf_inc); VNET_DECLARE(int, tcp_autosndbuf_max); @@ -1319,6 +1321,8 @@ VNET_DECLARE(struct inpcbinfo, tcbinfo); #define V_path_mtu_discovery VNET(path_mtu_discovery) #define V_tcbinfo VNET(tcbinfo) #define V_tcp_abc_l_var VNET(tcp_abc_l_var) +#define V_tcp_ack_war_cnt VNET(tcp_ack_war_cnt) +#define V_tcp_ack_war_time_window VNET(tcp_ack_war_time_window) #define V_tcp_autorcvbuf_max VNET(tcp_autorcvbuf_max) #define V_tcp_autosndbuf_inc VNET(tcp_autosndbuf_inc) #define V_tcp_autosndbuf_max VNET(tcp_autosndbuf_max)