From owner-freebsd-net@FreeBSD.ORG Mon Jan 10 09:13:11 2005
Message-Id: <200501100913.j0A9D4ji019676@gw.catspoiler.org>
Date: Mon, 10 Jan 2005 01:13:04 -0800 (PST)
From: Don Lewis
To: silby@silby.com
cc: net@FreeBSD.org
In-Reply-To: <200501100850.j0A8o6FY019623@gw.catspoiler.org>
Subject: Re: Slipping in the window update
List-Id: Networking and TCP/IP with FreeBSD

After a bit more thinking ...

On 10 Jan, Don Lewis wrote:
> and then after the dropafterack label add the code:
>
> +	if (thflags & TH_SYN) {
> +		if (tp->t_state == TCPS_ESTABLISHED &&
> +		    tcp_insecure_syn == 0) {
> +			if (badport_bandlim(BANDLIM_SYN_ESTABLISHED) < 0)
> +				goto drop;
> +			tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
> +			    tp->snd_una, TH_ACK);
> [snip]
>
> I don't think this fix would be complete from the response rate limiting
> point of view because this chunk of code in the block that trims to the
> left window edge tosses the TH_SYN flag.
>
> 	todrop = tp->rcv_nxt - th->th_seq;
> 	if (todrop > 0) {
> 		if (thflags & TH_SYN) {
> 			thflags &= ~TH_SYN;
> 			th->th_seq++;
> 			if (th->th_urp > 1)
> 				th->th_urp--;
> 			else
> 				thflags &= ~TH_URG;
> 			todrop--;
> 		}
>
> and this block of code doesn't jump to dropafterack, even in the case
> where the entire segment is to the left of the window. Something else
> would have to be done to implement rate limiting for this half of the
> sequence space.

I think this problem could be solved by a minor addition to the above
block of code. If the SYN flag is set and the sequence number of the
segment doesn't match the initial received sequence number of the
connection, then we know this is not a duplicate SYN.

	todrop = tp->rcv_nxt - th->th_seq;
	if (todrop > 0) {
		if (thflags & TH_SYN) {
+			if (th->th_seq != tp->irs)
+				goto dropafterack;
			thflags &= ~TH_SYN;
			th->th_seq++;
			if (th->th_urp > 1)
				th->th_urp--;
			else
				thflags &= ~TH_URG;
			todrop--;
		}
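Review bot: in the quoted dropafterack hunk, the new SYN handling is gated on `tp->t_state == TCPS_ESTABLISHED`, so a SYN that arrives on a connection in any other synchronized state (CLOSE_WAIT, FIN_WAIT_1 and so on) bypasses the `badport_bandlim(BANDLIM_SYN_ESTABLISHED)` limit and falls through to whatever dropafterack did before. If the limit is meant to cover every connection that has completed the handshake, the test should be `TCPS_HAVEESTABLISHED(tp->t_state)` (the tcp_fsm.h macro for `>= TCPS_ESTABLISHED`), or a comment should state why ESTABLISHED alone is enough. The hunk also ends at `[snip]`, so the closing braces and what happens when the condition is false are not visible for review.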
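Review bot: in the todrop hunk, `if (th->th_seq != tp->irs) goto dropafterack;` is placed before `thflags &= ~TH_SYN`, so the SYN flag is still set when the dropafterack code inspects it, which is what the rate limiting there depends on. It is, however, not gated on `tcp_insecure_syn` the way the dropafterack hunk is, so with the sysctl enabled the previous behaviour (strip the SYN, keep processing the segment's remaining data) is lost and such segments are now ACKed and dropped; either add `&& tcp_insecure_syn == 0` to the new condition or say explicitly that the left-edge trimming is meant to change regardless of the sysctl. A one-line comment above the check explaining that only `th_seq == irs` can be a retransmission of the original SYN would also help the next reader.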