Date: Fri, 5 Sep 2025 18:57:31 GMT From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: e7331da314b5 - stable/14 - tcp: rate limit the sending of all RST segments Message-ID: <202509051857.585IvVeV018038@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/14 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=e7331da314b57c39cf5c3fb5f20a2963b2485ce6 commit e7331da314b57c39cf5c3fb5f20a2963b2485ce6 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2025-08-07 20:23:54 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2025-09-05 18:57:10 +0000 tcp: rate limit the sending of all RST segments Also rate limit the sending of RST segments in the following cases: * when receiving data on a closed socket. * when a socket can not be created at the end of the handshake and the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1. * when an ACK segment is received in SYN SENT state and it does not acknowledge the SYN segment. After this change, there is no need anymore to provide a rstreason to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST. This will be a follow-up commit, since it will change the code in a couple of places, but will not change the functionality. Reviewed by: rrs, Nick Banks, Peter Lei Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51815 (cherry picked from commit 2eb786d96e97a953d0256d1d622c4853964be2dc) --- sys/netinet/tcp_input.c | 6 +++--- sys/netinet/tcp_stacks/bbr.c | 4 ++-- sys/netinet/tcp_stacks/rack.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 18b489f2e605..93d2e94bcff0 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1151,7 +1151,7 @@ tfo_socket_result: V_tcp_sc_rst_sock_fail ? "sending RST" : "try again"); if (V_tcp_sc_rst_sock_fail) { - rstreason = BANDLIM_UNLIMITED; + rstreason = BANDLIM_TCP_RST; goto dropwithreset; } else goto dropunlock; @@ -1598,7 +1598,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th, */ if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) && (SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) { - rstreason = BANDLIM_UNLIMITED; + rstreason = BANDLIM_TCP_RST; tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT); goto dropwithreset; } @@ -2359,7 +2359,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th, tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST); tp = tcp_close(tp); TCPSTAT_INC(tcps_rcvafterclose); - rstreason = BANDLIM_UNLIMITED; + rstreason = BANDLIM_TCP_RST; goto dropwithreset; } diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c index 65230bbd953f..c1053e90d6da 100644 --- a/sys/netinet/tcp_stacks/bbr.c +++ b/sys/netinet/tcp_stacks/bbr.c @@ -7852,7 +7852,7 @@ nothing_left: /* tcp_close will kill the inp pre-log the Reset */ tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST); tp = tcp_close(tp); - ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen); + ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen); BBR_STAT_INC(bbr_dropped_af_data); return (1); } @@ -9394,7 +9394,7 @@ close_now: tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST); tp = tcp_close(tp); KMOD_TCPSTAT_INC(tcps_rcvafterclose); - ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen)); + ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen)); return (1); } if (sbavail(&so->so_snd) == 0) diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c index 10fc55bb2088..9a4ec0546b95 100644 --- a/sys/netinet/tcp_stacks/rack.c +++ b/sys/netinet/tcp_stacks/rack.c @@ -12428,7 +12428,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so, /* tcp_close will kill the inp pre-log the Reset */ tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST); tp = tcp_close(tp); - ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen); + ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen); return (1); } } @@ -13899,7 +13899,7 @@ rack_check_data_after_close(struct mbuf *m, tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST); tp = tcp_close(tp); KMOD_TCPSTAT_INC(tcps_rcvafterclose); - ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen)); + ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen)); return (1); } if (sbavail(&so->so_snd) == 0)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202509051857.585IvVeV018038>