git: 003f1ebcbce1 - stable/14 - tcp: improve consistency of syncache_respond() failure handling

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Thu, 31 Oct 2024 13:39:35 UTC
The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=003f1ebcbce10775ae7d4dd631946f9bfec983ab

commit 003f1ebcbce10775ae7d4dd631946f9bfec983ab
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-09-05 01:33:13 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-10-31 11:17:53 +0000

    tcp: improve consistency of syncache_respond() failure handling
    
    When the initial sending of the SYN ACK segment using
    syncache_respond() fails, it is handled as a permanent error.
    To improve consistency, apply this policy in all cases, where
    syncache_respond() is called. These include
    * timer based retransmissions of the SYN ACK
    * retransmitting a SYN ACK in response to a SYN retransmission
    * sending of challenge ACKs in response to received RST segments
    In these cases, fall back to SYN cookies, if enabled.
    While there, also improve consistency of the TCP stats counters.
    
    Reviewed by:            cc, glebius (earlier version)
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D46428
    
    (cherry picked from commit ef438f7706be48f1cf7fd4c8a60329e1619cfe30)
---
 sys/netinet/tcp_syncache.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 6e71d14196f5..b6318ec23556 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -535,10 +535,16 @@ syncache_timer(void *xsch)
 		}
 
 		NET_EPOCH_ENTER(et);
-		syncache_respond(sc, NULL, TH_SYN|TH_ACK);
+		if (syncache_respond(sc, NULL, TH_SYN|TH_ACK) == 0) {
+			syncache_timeout(sc, sch, 0);
+			TCPSTAT_INC(tcps_sndacks);
+			TCPSTAT_INC(tcps_sndtotal);
+			TCPSTAT_INC(tcps_sc_retransmitted);
+		} else {
+			syncache_drop(sc, sch);
+			TCPSTAT_INC(tcps_sc_dropped);
+		}
 		NET_EPOCH_EXIT(et);
-		TCPSTAT_INC(tcps_sc_retransmitted);
-		syncache_timeout(sc, sch, 0);
 	}
 	if (!TAILQ_EMPTY(&(sch)->sch_bucket))
 		callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick,
@@ -696,7 +702,13 @@ syncache_chkrst(struct in_conninfo *inc, struct tcphdr *th, struct mbuf *m,
 				    "sending challenge ACK\n",
 				    s, __func__,
 				    th->th_seq, sc->sc_irs + 1, sc->sc_wnd);
-			syncache_respond(sc, m, TH_ACK);
+			if (syncache_respond(sc, m, TH_ACK) == 0) {
+				TCPSTAT_INC(tcps_sndacks);
+				TCPSTAT_INC(tcps_sndtotal);
+			} else {
+				syncache_drop(sc, sch);
+				TCPSTAT_INC(tcps_sc_dropped);
+			}
 		}
 	} else {
 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
@@ -1559,6 +1571,9 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 			syncache_timeout(sc, sch, 1);
 			TCPSTAT_INC(tcps_sndacks);
 			TCPSTAT_INC(tcps_sndtotal);
+		} else {
+			syncache_drop(sc, sch);
+			TCPSTAT_INC(tcps_sc_dropped);
 		}
 		SCH_UNLOCK(sch);
 		goto donenoprobe;