TCP RACK: don't log an uninitialized value

reduce is uninitialized, if the code path for logging is reached via
goto old_method;.

Reviewed by: rrs, Peter Lei
CID: 1557359
MFC after: 1 week
Spon

TCP RACK: don't log an uninitialized value

reduce is uninitialized, if the code path for logging is reached via
goto old_method;.

Reviewed by: rrs, Peter Lei
CID: 1557359
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48346

show more ...

TCP RACK: fix TCP_RACK_PACING_BETA socket option

Bring back the code, which was accidentally removed. While there,
indent a comment correctly.

Reviewed by: rrs
CID: 1540026
Fixes: e18b97bd63a8

TCP RACK: fix TCP_RACK_PACING_BETA socket option

Bring back the code, which was accidentally removed. While there,
indent a comment correctly.

Reviewed by: rrs
CID: 1540026
Fixes: e18b97bd63a8 ("Update to bring the rack stack with all its fixes in.")
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48340

show more ...

TCP RACK: fix TCP fast open

Do not jump to a place in the code, which requires several variables
to be set (segsize, minseg, idle, len, sb_offset), which is not true.
To avoid using these variables,

TCP RACK: fix TCP fast open

Do not jump to a place in the code, which requires several variables
to be set (segsize, minseg, idle, len, sb_offset), which is not true.
To avoid using these variables, start the HPTS timer explicitly.
This fix only applies to the client side using TCP fast open.

Approved by: rrs
CID: 1523766
CID: 1523770
CID: 1523786
CID: 1523801
CID: 1523809
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48322

show more ...

TCP RACK: remove variable with is only initialized and not changed

minslot is initialized to 0 and never changed. It is not clear to me
under which condition minslot should be set to which value.
Th

TCP RACK: remove variable with is only initialized and not changed

minslot is initialized to 0 and never changed. It is not clear to me
under which condition minslot should be set to which value.
Therefore, remove it and the code checking that it is not zero.
No functional change intended.

Reviewed by: rrs
CID: 1523812
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48321

show more ...

TCP RACK: remove code that cannot be reached

No functional change intended.

Reviewed by: rrs
CID: 1523797
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.f

TCP RACK: remove code that cannot be reached

No functional change intended.

Reviewed by: rrs
CID: 1523797
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48301

show more ...

TCP RACK: remove un-needed assignment

No functional change intended.

Reviewed by: rrs
CID: 1523768
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.

TCP RACK: remove un-needed assignment

No functional change intended.

Reviewed by: rrs
CID: 1523768
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48292

show more ...

TCP RACK: simplify condition

It is already known that rsm != NULL, so no need to check for it.

Reviewed by: rrs
CID: 1523815
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision

TCP RACK: simplify condition

It is already known that rsm != NULL, so no need to check for it.

Reviewed by: rrs
CID: 1523815
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48282

show more ...

TCP RACK: avoid using uninitialized tot_idle variable

Reviewed by: rrs
CID: 1540027
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48277

TCP RACK: add comment

Indicate that the missing of the break is intentionally.

Reviewed by: rrs
CID: 1523782
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://review

TCP RACK: add comment

Indicate that the missing of the break is intentionally.

Reviewed by: rrs
CID: 1523782
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48273

show more ...

TCP RACK: don't use an uninitialized variable

When storing the old beta values in rack_swap_beta_values(),
ensure that the newreno_flags field is initialized appropriately
instead of using an uninit

TCP RACK: don't use an uninitialized variable

When storing the old beta values in rack_swap_beta_values(),
ensure that the newreno_flags field is initialized appropriately
instead of using an uninitialized value.
Since the stored newreno_flags aren't actually used, this fix
should not have any functional change.

Reviewed by: rrs
CID: 1523796
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48260

show more ...

TCP RACK: remove redundant check

No functional change intended.

Reviewed by: rrs
CID: 1523811
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D

TCP RACK: remove redundant check

No functional change intended.

Reviewed by: rrs
CID: 1523811
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48216

show more ...

Change the SOCKBUF_LOCK calls to use the more refined SOCK_XXXBUF_LOCK/UNLOCK.

The socket buffer locking used to be standard on SOCKBUF_LOCK/UNLOCK. But we are now
moving to a more elegant SOCK_SEND

Change the SOCKBUF_LOCK calls to use the more refined SOCK_XXXBUF_LOCK/UNLOCK.

The socket buffer locking used to be standard on SOCKBUF_LOCK/UNLOCK. But we are now
moving to a more elegant SOCK_SENDBUF_LOCK/UNLOCK and SOCK_RECVBUF_LOCK/UNLOCK.
Lets get BBR and Rack to use these updated macros.

Reviewed by:glebius, tuexen, rscheff
Differential Revision:https://reviews.freebsd.org/D47542

show more ...

tcp: allow TSO even while RX path is unordered

Over IP networks, forward and return path largely
act independently from each other. Do not disable LRO
on the TX side, when reordering/loss is happeni

tcp: allow TSO even while RX path is unordered

Over IP networks, forward and return path largely
act independently from each other. Do not disable LRO
on the TX side, when reordering/loss is happening
on the RX half-connection.

Reviewed By: rrs, #transport, peter.lei_ieee.org
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D47056

show more ...

tcp rack, bbr: improve handling of soft errors

Do not report an error, if it is stored as a soft error. This avoids,
for example, the dropping of TCP connections using an interface,
while enabling o

tcp rack, bbr: improve handling of soft errors

Do not report an error, if it is stored as a soft error. This avoids,
for example, the dropping of TCP connections using an interface,
while enabling or disabling LRO on that interface.

Reviewed by: cc
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D46427

show more ...

Non-tested experimental code removal.

There is a new feature that came in with the last sync to the rack stack that should not have
been released. It is untested and may not well work. It currently

Non-tested experimental code removal.

There is a new feature that came in with the last sync to the rack stack that should not have
been released. It is untested and may not well work. It currently is off by default, which is good
but it is best to remove it until such time that it can be vetted and tuned to actually work :)

This change removes just the experimental feature for now. It can make a appearance in the future
when it is proofed out.

Reviewed by: tuexen
Differential Revision:https://reviews.freebsd.org/D45410

show more ...

rack, bbr: cleanup ack throttling

Use the variable in the TCPCB, not the one in the stack specific
data structure. This simplifies the code and brings the functionality
to BBR without any change.

R

rack, bbr: cleanup ack throttling

Use the variable in the TCPCB, not the one in the stack specific
data structure. This simplifies the code and brings the functionality
to BBR without any change.

Reviewed by: Peter Lei, cc
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D46068

show more ...

tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt

As suggested by glebius@. While there, improve the documentation.

Reviewed by: Peter Lei, cc
MFC after: 1 week
Sponsored by: Netf

tcp: vnetify sysctl variables ack_war_timewindow and ack_war_cnt

As suggested by glebius@. While there, improve the documentation.

Reviewed by: Peter Lei, cc
MFC after: 1 week
Sponsored by: Netflix, Inc
Differential Revision: https://reviews.freebsd.org/D46140

show more ...

tcp: mark TCP stacks which can serve as a default stack

Allow a TCP function block (tfb) to become the default stack only if
tfb->tfb_flags has the TCP_FUNC_DEFAULT_OK flags set. This allows a
TCP f

tcp: mark TCP stacks which can serve as a default stack

Allow a TCP function block (tfb) to become the default stack only if
tfb->tfb_flags has the TCP_FUNC_DEFAULT_OK flags set. This allows a
TCP function block, that is not suitable as a default function block
to ensure that it is not set as the default via sysctl. In this case
sysctl would return EINVAL.

Reviewed by: gallatin, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D45419

show more ...

tcp: improve SEG.ACK validation

Implement the improved SEG.ACK validation described in RFC 5961.
In addition to that, also detect ghost ACKs, which are ACKs for data
that has never been sent.
The ad

tcp: improve SEG.ACK validation

Implement the improved SEG.ACK validation described in RFC 5961.
In addition to that, also detect ghost ACKs, which are ACKs for data
that has never been sent.
The additional checks are enabled by default, but can be disabled
by setting the sysctl-variable net.inet.tcp.insecure_ack to a
non-zero value.

PR: 250357
Reviewed by: Peter Lei, rscheff (older version)
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D45894

show more ...

tcp_rack: avoid gcc -Werror=pointer-to-int-cast on 32-bit arch

Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D45752

Remove TCP_SAD optional code now that the sack filter performs this function.

With the commit of D44903 we no longer need the SAD option. Instead all stacks that
use the sack filter inherit its prot

Remove TCP_SAD optional code now that the sack filter performs this function.

With the commit of D44903 we no longer need the SAD option. Instead all stacks that
use the sack filter inherit its protection against sack-attack.

Reviewed by: tuexen@
Differential Revision:https://reviews.freebsd.org/D45216

show more ...

tcp rack: improve handling of front states

When the RACK stack wants to send a FIN, but still has outstanding
or unsent data, it sends a challenge ack. Don't do this when the
TCP endpoint is still i

tcp rack: improve handling of front states

When the RACK stack wants to send a FIN, but still has outstanding
or unsent data, it sends a challenge ack. Don't do this when the
TCP endpoint is still in the front states, since it does not
make sense.
Reviewed by: rrs
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D45122

show more ...

TCP can be subject to Sack Attacks lets fix this issue.

There is a type of attack that a TCP peer can launch on a connection. This is for sure in Rack or BBR and probably even the default stack if i

TCP can be subject to Sack Attacks lets fix this issue.

There is a type of attack that a TCP peer can launch on a connection. This is for sure in Rack or BBR and probably even the default stack if it uses lists in sack processing. The idea of the attack is that the attacker is driving you to look at 100's of sack blocks that only update 1 byte. So for example if you have 1 - 10,000 bytes outstanding the attacker sends in something like:

ACK 0 SACK(1-512) SACK(1024 - 1536), SACK(2048-2536), SACK(4096 - 4608), SACK(8192-8704)
This first sack looks fine but then the attacker sends

ACK 0 SACK(1-512) SACK(1025 - 1537), SACK(2049-2537), SACK(4097 - 4609), SACK(8193-8705)
ACK 0 SACK(1-512) SACK(1027 - 1539), SACK(2051-2539), SACK(4099 - 4611), SACK(8195-8707)
...
These blocks are making you hunt across your linked list and split things up so that you have an entry for every other byte. Has your list grows you spend more and more CPU running through the lists. The idea here is the attacker chooses entries as far apart as possible that make you run through the list. This example is small but in theory if the window is open to say 1Meg you could end up with 100's of thousands link list entries.

To combat this we introduce three things.

when the peer requests a very small MSS we stop processing SACK's from them. This prevents a malicious peer from just using a small MSS to do the same thing.
Any time we get a sack block, we use the sack-filter to remove sacks that are smaller than the smallest v4 mss (minus 40 for max TCP options) unless it ties up to snd_max (since that is legal). All other sacks in theory should be at least an MSS. If we get such an attacker that means we basically start skipping all but MSS sized Sacked blocks.
The sack filter used to throw away data when its bounds were exceeded, instead now we increase its size to 15 and then throw away sack's if the filter gets over-run to prevent the malicious attacker from over-running the sack filter and thus we start to process things anyway.
The default stack will need to start using the sack-filter which we have talked about in past conference calls to take full advantage of the protections offered by it (and reduce cpu consumption when processing sacks).

After this set of changes is in rack can drop its SAD detection completely

Reviewed by:tuexen@, rscheff@
Differential Revision: <https://reviews.freebsd.org/D44903>

show more ...

tcp rack: improve BBR_LOG_CWND event

Fix a typo, which resulted in missing r_ctl.gate_to_fs in the BBLog
event.

Reported by: Coverity Scan
CID: 1540024
Reviewed by: rrs, rscheff
Sponsored by:

tcp rack: improve BBR_LOG_CWND event

Fix a typo, which resulted in missing r_ctl.gate_to_fs in the BBLog
event.

Reported by: Coverity Scan
CID: 1540024
Reviewed by: rrs, rscheff
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D44648

show more ...

tcp: drop data received after a FIN has been processed

RFC 9293 describes the handling of data in the CLOSE-WAIT, CLOSING,
LAST-ACK, and TIME-WAIT states:
This should not occur since a FIN has been

tcp: drop data received after a FIN has been processed

RFC 9293 describes the handling of data in the CLOSE-WAIT, CLOSING,
LAST-ACK, and TIME-WAIT states:
This should not occur since a FIN has been received from the remote
side. Ignore the segment text.
Therefore, implement this handling.

Reviewed by: rrs, rscheff
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D44746

show more ...