Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/icmp6.h3
-rw-r--r--sys/netinet/icmp_var.h1
-rw-r--r--sys/netinet/in_rss.c2
-rw-r--r--sys/netinet/ip_fw.h220
-rw-r--r--sys/netinet/ip_icmp.c2
-rw-r--r--sys/netinet/tcp_input.c59
-rw-r--r--sys/netinet/tcp_output.c2
-rw-r--r--sys/netinet/tcp_sack.c36
-rw-r--r--sys/netinet/tcp_stacks/bbr.c26
-rw-r--r--sys/netinet/tcp_stacks/rack.c26
-rw-r--r--sys/netinet/tcp_stacks/rack_bbr_common.c14
-rw-r--r--sys/netinet/tcp_stacks/rack_bbr_common.h4
-rw-r--r--sys/netinet/tcp_subr.c10
-rw-r--r--sys/netinet/tcp_var.h3
-rw-r--r--sys/netinet/udp_usrreq.c6
15 files changed, 203 insertions, 211 deletions
diff --git a/sys/netinet/icmp6.h b/sys/netinet/icmp6.h
index 7845b682f3e4..2ca5b3433e47 100644
--- a/sys/netinet/icmp6.h
+++ b/sys/netinet/icmp6.h
@@ -713,9 +713,6 @@ void icmp6_redirect_input(struct mbuf *, int);
void icmp6_redirect_output(struct mbuf *, struct nhop_object *);
int icmp6_ratelimit(const struct in6_addr *, const int, const int);
-struct ip6ctlparam;
-void icmp6_mtudisc_update(struct ip6ctlparam *, int);
-
/* XXX: is this the right place for these macros? */
#define icmp6_ifstat_inc(ifp, tag) \
do { \
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h
index d6b75e482e35..b39479565bd6 100644
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@@ -100,7 +100,6 @@ void kmod_icmpstat_inc(int statnum);
SYSCTL_DECL(_net_inet_icmp);
extern int badport_bandlim(int);
-#define BANDLIM_UNLIMITED -1
#define BANDLIM_ICMP_UNREACH 0
#define BANDLIM_ICMP_ECHO 1
#define BANDLIM_ICMP_TSTAMP 2
diff --git a/sys/netinet/in_rss.c b/sys/netinet/in_rss.c
index 698fd86dc7a5..f93a1d2bfd7b 100644
--- a/sys/netinet/in_rss.c
+++ b/sys/netinet/in_rss.c
@@ -285,7 +285,7 @@ rss_mbuf_software_hash_v4(const struct mbuf *m, int dir, uint32_t *hashval,
}
/*
* Only allow 2-tuple for TCP frames if we don't also
- * support 2-tuple for TCP.
+ * support 4-tuple for TCP.
*/
if ((rss_gethashconfig() & RSS_HASHTYPE_RSS_IPV4) &&
((rss_gethashconfig() & RSS_HASHTYPE_RSS_TCP_IPV4) == 0) &&
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index c440223b81f8..51e68c310915 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -167,149 +167,149 @@ typedef struct _ip_fw3_opheader {
*/
enum ipfw_opcodes { /* arguments (4 byte each) */
- O_NOP,
-
- O_IP_SRC, /* u32 = IP */
- O_IP_SRC_MASK, /* ip = IP/mask */
- O_IP_SRC_ME, /* none */
- O_IP_SRC_SET, /* u32=base, arg1=len, bitmap */
-
- O_IP_DST, /* u32 = IP */
- O_IP_DST_MASK, /* ip = IP/mask */
- O_IP_DST_ME, /* none */
- O_IP_DST_SET, /* u32=base, arg1=len, bitmap */
-
- O_IP_SRCPORT, /* (n)port list:mask 4 byte ea */
- O_IP_DSTPORT, /* (n)port list:mask 4 byte ea */
- O_PROTO, /* arg1=protocol */
-
- O_MACADDR2, /* 2 mac addr:mask */
- O_MAC_TYPE, /* same as srcport */
-
- O_LAYER2, /* none */
- O_IN, /* none */
- O_FRAG, /* none */
-
- O_RECV, /* none */
- O_XMIT, /* none */
- O_VIA, /* none */
-
- O_IPOPT, /* arg1 = 2*u8 bitmap */
- O_IPLEN, /* arg1 = len */
- O_IPID, /* arg1 = id */
-
- O_IPTOS, /* arg1 = id */
- O_IPPRECEDENCE, /* arg1 = precedence << 5 */
- O_IPTTL, /* arg1 = TTL */
-
- O_IPVER, /* arg1 = version */
- O_UID, /* u32 = id */
- O_GID, /* u32 = id */
- O_ESTAB, /* none (tcp established) */
- O_TCPFLAGS, /* arg1 = 2*u8 bitmap */
- O_TCPWIN, /* arg1 = desired win */
- O_TCPSEQ, /* u32 = desired seq. */
- O_TCPACK, /* u32 = desired seq. */
- O_ICMPTYPE, /* u32 = icmp bitmap */
- O_TCPOPTS, /* arg1 = 2*u8 bitmap */
-
- O_VERREVPATH, /* none */
- O_VERSRCREACH, /* none */
-
- O_PROBE_STATE, /* v0:arg1=kidx, v1:kidx=kidx */
- O_KEEP_STATE, /* v0:arg1=kidx, v1:kidx=kidx */
- O_LIMIT, /* ipfw_insn_limit */
- O_LIMIT_PARENT, /* dyn_type, not an opcode. */
+ O_NOP = 0,
+
+ O_IP_SRC = 1, /* u32 = IP */
+ O_IP_SRC_MASK = 2, /* ip = IP/mask */
+ O_IP_SRC_ME = 3, /* none */
+ O_IP_SRC_SET = 4, /* u32=base, arg1=len, bitmap */
+
+ O_IP_DST = 5, /* u32 = IP */
+ O_IP_DST_MASK = 6, /* ip = IP/mask */
+ O_IP_DST_ME = 7, /* none */
+ O_IP_DST_SET = 8, /* u32=base, arg1=len, bitmap */
+
+ O_IP_SRCPORT = 9, /* (n)port list:mask 4 byte ea */
+ O_IP_DSTPORT = 10, /* (n)port list:mask 4 byte ea */
+ O_PROTO = 11, /* arg1=protocol */
+
+ O_MACADDR2 = 12, /* 2 mac addr:mask */
+ O_MAC_TYPE = 13, /* same as srcport */
+
+ O_LAYER2 = 14, /* none */
+ O_IN = 15, /* none */
+ O_FRAG = 16, /* none */
+
+ O_RECV = 17, /* none */
+ O_XMIT = 18, /* none */
+ O_VIA = 19, /* none */
+
+ O_IPOPT = 20, /* arg1 = 2*u8 bitmap */
+ O_IPLEN = 21, /* arg1 = len */
+ O_IPID = 22, /* arg1 = id */
+
+ O_IPTOS = 23, /* arg1 = id */
+ O_IPPRECEDENCE = 24, /* arg1 = precedence << 5 */
+ O_IPTTL = 25, /* arg1 = TTL */
+
+ O_IPVER = 26, /* arg1 = version */
+ O_UID = 27, /* u32 = id */
+ O_GID = 28, /* u32 = id */
+ O_ESTAB = 29, /* none (tcp established) */
+ O_TCPFLAGS = 30, /* arg1 = 2*u8 bitmap */
+ O_TCPWIN = 31, /* arg1 = desired win */
+ O_TCPSEQ = 32, /* u32 = desired seq. */
+ O_TCPACK = 33, /* u32 = desired seq. */
+ O_ICMPTYPE = 34, /* u32 = icmp bitmap */
+ O_TCPOPTS = 35, /* arg1 = 2*u8 bitmap */
+
+ O_VERREVPATH = 36, /* none */
+ O_VERSRCREACH = 37, /* none */
+
+ O_PROBE_STATE = 38, /* v0:arg1=kidx, v1:kidx=kidx */
+ O_KEEP_STATE = 39, /* v0:arg1=kidx, v1:kidx=kidx */
+ O_LIMIT = 40, /* ipfw_insn_limit */
+ O_LIMIT_PARENT = 41, /* dyn_type, not an opcode. */
/*
* These are really 'actions'.
*/
- O_LOG, /* ipfw_insn_log */
- O_PROB, /* u32 = match probability */
+ O_LOG = 42, /* ipfw_insn_log */
+ O_PROB = 43, /* u32 = match probability */
- O_CHECK_STATE, /* v0:arg1=kidx, v1:kidx=kidx */
- O_ACCEPT, /* none */
- O_DENY, /* none */
- O_REJECT, /* arg1=icmp arg (same as deny) */
- O_COUNT, /* none */
- O_SKIPTO, /* v0:arg1=next rule number */
+ O_CHECK_STATE = 44, /* v0:arg1=kidx, v1:kidx=kidx */
+ O_ACCEPT = 45, /* none */
+ O_DENY = 46, /* none */
+ O_REJECT = 47, /* arg1=icmp arg (same as deny) */
+ O_COUNT = 48, /* none */
+ O_SKIPTO = 49, /* v0:arg1=next rule number */
/* v1:kidx= next rule number */
- O_PIPE, /* arg1=pipe number */
- O_QUEUE, /* arg1=queue number */
- O_DIVERT, /* arg1=port number */
- O_TEE, /* arg1=port number */
- O_FORWARD_IP, /* fwd sockaddr */
- O_FORWARD_MAC, /* fwd mac */
- O_NAT, /* nope */
- O_REASS, /* none */
+ O_PIPE = 50, /* arg1=pipe number */
+ O_QUEUE = 51, /* arg1=queue number */
+ O_DIVERT = 52, /* arg1=port number */
+ O_TEE = 53, /* arg1=port number */
+ O_FORWARD_IP = 54, /* fwd sockaddr */
+ O_FORWARD_MAC = 55, /* fwd mac */
+ O_NAT = 56, /* nope */
+ O_REASS = 57, /* none */
/*
* More opcodes.
*/
- O_IPSEC, /* has ipsec history */
- O_IP_SRC_LOOKUP, /* v0:arg1=table number, u32=value */
+ O_IPSEC = 58, /* has ipsec history */
+ O_IP_SRC_LOOKUP = 59, /* v0:arg1=table number, u32=value */
/* v1:kidx=name, u32=value, arg1=key */
- O_IP_DST_LOOKUP, /* arg1=table number, u32=value */
+ O_IP_DST_LOOKUP = 60, /* arg1=table number, u32=value */
/* v1:kidx=name, u32=value, arg1=key */
- O_ANTISPOOF, /* none */
- O_JAIL, /* u32 = id */
- O_ALTQ, /* u32 = altq classif. qid */
- O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */
- O_TCPDATALEN, /* arg1 = tcp data len */
- O_IP6_SRC, /* address without mask */
- O_IP6_SRC_ME, /* my addresses */
- O_IP6_SRC_MASK, /* address with the mask */
- O_IP6_DST,
- O_IP6_DST_ME,
- O_IP6_DST_MASK,
- O_FLOW6ID, /* for flow id tag in the ipv6 pkt */
- O_ICMP6TYPE, /* icmp6 packet type filtering */
- O_EXT_HDR, /* filtering for ipv6 extension header */
- O_IP6,
+ O_ANTISPOOF = 61, /* none */
+ O_JAIL = 62, /* u32 = id */
+ O_ALTQ = 63, /* u32 = altq classif. qid */
+ O_DIVERTED = 64, /* arg1=bitmap (1:loop, 2:out) */
+ O_TCPDATALEN = 65, /* arg1 = tcp data len */
+ O_IP6_SRC = 66, /* address without mask */
+ O_IP6_SRC_ME = 67, /* my addresses */
+ O_IP6_SRC_MASK = 68, /* address with the mask */
+ O_IP6_DST = 69,
+ O_IP6_DST_ME = 70,
+ O_IP6_DST_MASK = 71,
+ O_FLOW6ID = 72, /* for flow id tag in the ipv6 pkt */
+ O_ICMP6TYPE = 73, /* icmp6 packet type filtering */
+ O_EXT_HDR = 74, /* filtering for ipv6 extension header */
+ O_IP6 = 75,
/*
* actions for ng_ipfw
*/
- O_NETGRAPH, /* send to ng_ipfw */
- O_NGTEE, /* copy to ng_ipfw */
+ O_NETGRAPH = 76, /* send to ng_ipfw */
+ O_NGTEE = 77, /* copy to ng_ipfw */
- O_IP4,
+ O_IP4 = 78,
- O_UNREACH6, /* arg1=icmpv6 code arg (deny) */
+ O_UNREACH6 = 79, /* arg1=icmpv6 code arg (deny) */
- O_TAG, /* arg1=tag number */
- O_TAGGED, /* arg1=tag number */
+ O_TAG = 80, /* arg1=tag number */
+ O_TAGGED = 81, /* arg1=tag number */
- O_SETFIB, /* arg1=FIB number */
- O_FIB, /* arg1=FIB desired fib number */
+ O_SETFIB = 82, /* arg1=FIB number */
+ O_FIB = 83, /* arg1=FIB desired fib number */
- O_SOCKARG, /* socket argument */
+ O_SOCKARG = 84, /* socket argument */
- O_CALLRETURN, /* v0:arg1=called rule number */
+ O_CALLRETURN = 85, /* v0:arg1=called rule number */
/* v1:kidx=called rule number */
- O_FORWARD_IP6, /* fwd sockaddr_in6 */
+ O_FORWARD_IP6 = 86, /* fwd sockaddr_in6 */
- O_DSCP, /* 2 u32 = DSCP mask */
- O_SETDSCP, /* arg1=DSCP value */
- O_IP_FLOW_LOOKUP, /* v0:arg1=table number, u32=value */
+ O_DSCP = 87, /* 2 u32 = DSCP mask */
+ O_SETDSCP = 88, /* arg1=DSCP value */
+ O_IP_FLOW_LOOKUP = 89, /* v0:arg1=table number, u32=value */
/* v1:kidx=name, u32=value */
- O_EXTERNAL_ACTION, /* v0:arg1=id of external action handler */
+ O_EXTERNAL_ACTION = 90, /* v0:arg1=id of external action handler */
/* v1:kidx=id of external action handler */
- O_EXTERNAL_INSTANCE, /* v0:arg1=id of eaction handler instance */
+ O_EXTERNAL_INSTANCE = 91, /* v0:arg1=id of eaction handler instance */
/* v1:kidx=id of eaction handler instance */
- O_EXTERNAL_DATA, /* variable length data */
+ O_EXTERNAL_DATA = 92, /* variable length data */
- O_SKIP_ACTION, /* none */
- O_TCPMSS, /* arg1=MSS value */
+ O_SKIP_ACTION = 93, /* none */
+ O_TCPMSS = 94, /* arg1=MSS value */
- O_MAC_SRC_LOOKUP, /* kidx=name, u32=value, arg1=key */
- O_MAC_DST_LOOKUP, /* kidx=name, u32=value, arg1=key */
+ O_MAC_SRC_LOOKUP = 95, /* kidx=name, u32=value, arg1=key */
+ O_MAC_DST_LOOKUP = 96, /* kidx=name, u32=value, arg1=key */
- O_SETMARK, /* u32 = value */
- O_MARK, /* 2 u32 = value, bitmask */
+ O_SETMARK = 97, /* u32 = value */
+ O_MARK = 98, /* 2 u32 = value, bitmask */
O_LAST_OPCODE /* not an opcode! */
};
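Review bot: Nothing in this hunk says why every opcode now carries an explicit number, and C accepts duplicate enumerator values without a diagnostic. A later entry added mid-list without an initializer would therefore compile and silently alias the next opcode, so a rule could be evaluated as a different match or action. A comment above `enum ipfw_opcodes` would state the rule, for example `/* Opcode values are fixed (presumably shared with userland - confirm); never renumber, append new opcodes just before O_LAST_OPCODE with the next free value. */`. `O_LAST_OPCODE` is still implicit, which keeps it correct only while the entry before it holds the highest number.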
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 71b75d18efd0..543b846fbba5 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1181,7 +1181,7 @@ badport_bandlim(int which)
{
int64_t pps;
- if (V_icmplim == 0 || which == BANDLIM_UNLIMITED)
+ if (V_icmplim == 0)
return (0);
KASSERT(which >= 0 && which < BANDLIM_MAX,
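Review bot: With the `which == BANDLIM_UNLIMITED` early return removed, the only range check on `which` visible here is the `KASSERT`, which as far as I know is compiled out of kernels built without INVARIANTS. The rest of badport_bandlim() is outside the hunk; if it uses `which` as an index, a stale caller still passing -1 (for example a module built against the old header) would go unchecked on production kernels. A cheap runtime guard before the assertion, `if (which < 0 || which >= BANDLIM_MAX) return (0);`, would keep the old fail-open behaviour for that case. Alternatively, a comment could state that every caller must now pass a valid BANDLIM_* index.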
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index d58cc69b7625..6492495dc583 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -609,7 +609,6 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port)
int tlen = 0, off;
int drop_hdrlen;
int thflags;
- int rstreason = 0; /* For badport_bandlim accounting purposes */
int lookupflag;
uint8_t iptos;
struct m_tag *fwd_tag = NULL;
@@ -905,23 +904,22 @@ findpcb:
* XXX MRT Send RST using which routing table?
*/
if (inp == NULL) {
- if (rstreason != 0) {
+ if ((lookupflag & INPLOOKUP_WILDCARD) == 0) {
/* We came here after second (safety) lookup. */
- MPASS((lookupflag & INPLOOKUP_WILDCARD) == 0);
- goto dropwithreset;
- }
- /*
- * Log communication attempts to ports that are not
- * in use.
- */
- if ((V_tcp_log_in_vain == 1 && (thflags & TH_SYN)) ||
- V_tcp_log_in_vain == 2) {
- if ((s = tcp_log_vain(NULL, th, (void *)ip, ip6)))
+ MPASS(!closed_port);
+ } else {
+ /*
+ * Log communication attempts to ports that are not
+ * in use.
+ */
+ if (((V_tcp_log_in_vain == 1 && (thflags & TH_SYN)) ||
+ V_tcp_log_in_vain == 2) &&
+ (s = tcp_log_vain(NULL, th, (void *)ip, ip6))) {
log(LOG_INFO, "%s; %s: Connection attempt "
"to closed port\n", s, __func__);
+ }
+ closed_port = true;
}
- rstreason = BANDLIM_TCP_RST;
- closed_port = true;
goto dropwithreset;
}
INP_LOCK_ASSERT(inp);
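Review bot: The second-lookup case is now detected only by `INPLOOKUP_WILDCARD` being clear in `lookupflag`, so the branch is correct only if every first pass through `findpcb` has that flag set; the initialisation of `lookupflag` is outside this hunk. The one check on the assumption, `MPASS(!closed_port)`, is (as far as I know) active only on INVARIANTS kernels. I would extend the existing comment to spell the invariant out, e.g. `/* Second (safety) lookup: INPLOOKUP_WILDCARD was cleared before the retry, so closed_port must still be false. */`. As a style point, the assignment `(s = tcp_log_vain(...))` is now buried at the end of a three-term `&&` chain; keeping it in its own `if`, as the old code did, reads more clearly.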
@@ -1012,13 +1010,11 @@ findpcb:
* down or it is in the CLOSED state. Either way we drop the
* segment and send an appropriate response.
*/
- rstreason = BANDLIM_TCP_RST;
closed_port = true;
goto dropwithreset;
}
if ((tp->t_port != port) && (tp->t_state > TCPS_LISTEN)) {
- rstreason = BANDLIM_TCP_RST;
closed_port = true;
goto dropwithreset;
}
@@ -1102,7 +1098,8 @@ findpcb:
* don't want to sent RST for the second ACK,
* so we perform second lookup without wildcard
* match, hoping to find the new socket. If
- * the ACK is stray indeed, rstreason would
+ * the ACK is stray indeed, the missing
+ * INPLOOKUP_WILDCARD flag in lookupflag would
* hint the above code that the lookup was a
* second attempt.
*
@@ -1110,7 +1107,6 @@ findpcb:
* of the failure cause.
*/
INP_WUNLOCK(inp);
- rstreason = BANDLIM_TCP_RST;
lookupflag &= ~INPLOOKUP_WILDCARD;
goto findpcb;
}
@@ -1134,7 +1130,6 @@ tfo_socket_result:
V_tcp_sc_rst_sock_fail ?
"sending RST" : "try again");
if (V_tcp_sc_rst_sock_fail) {
- rstreason = BANDLIM_UNLIMITED;
goto dropwithreset;
} else
goto dropunlock;
@@ -1201,7 +1196,6 @@ tfo_socket_result:
s, __func__);
syncache_badack(&inc, port); /* XXX: Not needed! */
TCPSTAT_INC(tcps_badsyn);
- rstreason = BANDLIM_TCP_RST;
goto dropwithreset;
}
/*
@@ -1277,7 +1271,6 @@ tfo_socket_result:
"Connection attempt to deprecated "
"IPv6 address rejected\n",
s, __func__);
- rstreason = BANDLIM_TCP_RST;
goto dropwithreset;
}
}
@@ -1398,8 +1391,7 @@ dropwithreset:
* When blackholing do not respond with a RST but
* completely ignore the segment and drop it.
*/
- if (rstreason == BANDLIM_TCP_RST &&
- ((!closed_port && V_blackhole == 3) ||
+ if (((!closed_port && V_blackhole == 3) ||
(closed_port &&
((V_blackhole == 1 && (thflags & TH_SYN)) || V_blackhole > 1))) &&
(V_blackhole_local || (
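Review bot: Removing `rstreason == BANDLIM_TCP_RST` from this test widens blackholing to the exit that used to set `BANDLIM_UNLIMITED` in this function, the `V_tcp_sc_rst_sock_fail` branch in the `tfo_socket_result` hunk. With `closed_port` false and `V_blackhole == 3`, that RST is now suppressed where it was previously always sent. If that is intended, the comment above the condition should say so, e.g. `* This applies to every dropwithreset exit, including the syncache socket-creation failure.`. The condition itself continues outside the hunk.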
@@ -1414,7 +1406,7 @@ dropwithreset:
)))
goto dropunlock;
TCP_PROBE5(receive, NULL, tp, m, tp, th);
- tcp_dropwithreset(m, th, tp, tlen, rstreason);
+ tcp_dropwithreset(m, th, tp, tlen);
m = NULL; /* mbuf chain got consumed. */
dropunlock:
@@ -1523,7 +1515,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
uint16_t thflags;
int acked, ourfinisacked, needoutput = 0;
sackstatus_t sack_changed;
- int rstreason, todrop, win, incforsyn = 0;
+ int todrop, win, incforsyn = 0;
uint32_t tiwin;
uint16_t nsegs;
char *s;
@@ -1568,7 +1560,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
*/
if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
(SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
- rstreason = BANDLIM_UNLIMITED;
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
goto dropwithreset;
}
@@ -1984,7 +1975,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
if ((thflags & TH_ACK) &&
(SEQ_LEQ(th->th_ack, tp->snd_una) ||
SEQ_GT(th->th_ack, tp->snd_max))) {
- rstreason = BANDLIM_TCP_RST;
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
goto dropwithreset;
}
@@ -1997,7 +1987,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
* FIN, or a RST.
*/
if ((thflags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {
- rstreason = BANDLIM_TCP_RST;
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
goto dropwithreset;
} else if (thflags & TH_SYN) {
@@ -2218,7 +2207,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
SEQ_LT(th->th_seq, tp->last_ack_sent + tp->rcv_wnd)) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
tp = tcp_drop(tp, ECONNRESET);
- rstreason = BANDLIM_UNLIMITED;
} else {
tcp_ecn_input_syn_sent(tp, thflags, iptos);
tcp_send_challenge_ack(tp, th, m);
@@ -2265,7 +2253,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
* for the "LAND" DoS attack.
*/
if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(th->th_seq, tp->irs)) {
- rstreason = BANDLIM_TCP_RST;
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
goto dropwithreset;
}
@@ -2347,7 +2334,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
tp = tcp_close(tp);
TCPSTAT_INC(tcps_rcvafterclose);
- rstreason = BANDLIM_UNLIMITED;
goto dropwithreset;
}
@@ -3444,7 +3430,6 @@ dropafterack:
if (tp->t_state == TCPS_SYN_RECEIVED && (thflags & TH_ACK) &&
(SEQ_GT(tp->snd_una, th->th_ack) ||
SEQ_GT(th->th_ack, tp->snd_max)) ) {
- rstreason = BANDLIM_TCP_RST;
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
goto dropwithreset;
}
@@ -3456,11 +3441,10 @@ dropafterack:
return;
dropwithreset:
+ tcp_dropwithreset(m, th, NULL, tlen);
if (tp != NULL) {
- tcp_dropwithreset(m, th, tp, tlen, rstreason);
INP_WUNLOCK(inp);
- } else
- tcp_dropwithreset(m, th, NULL, tlen, rstreason);
+ }
return;
drop:
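Review bot: The new call passes `NULL` as the tcpcb unconditionally, whereas the removed code passed `tp` whenever it was non-NULL. So resets generated from tcp_do_segment() for a live connection now reach tcp_dropwithreset() without their connection context, which looks like an unintended behaviour change rather than part of dropping `rstreason`. The other call sites in this commit keep the pointer: `tcp_dropwithreset(m, th, tp, tlen)` in tcp_input_with_port() and in ctf_do_dropwithreset(). Unless the change is deliberate (in which case a comment should say why), the line should read `tcp_dropwithreset(m, th, tp, tlen);`.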
@@ -3480,8 +3464,7 @@ drop:
* tp may be NULL.
*/
void
-tcp_dropwithreset(struct mbuf *m, struct tcphdr *th, struct tcpcb *tp,
- int tlen, int rstreason)
+tcp_dropwithreset(struct mbuf *m, struct tcphdr *th, struct tcpcb *tp, int tlen)
{
#ifdef INET
struct ip *ip;
@@ -3521,7 +3504,7 @@ tcp_dropwithreset(struct mbuf *m, struct tcphdr *th, struct tcpcb *tp,
#endif
/* Perform bandwidth limiting. */
- if (badport_bandlim(rstreason) < 0)
+ if (badport_bandlim(BANDLIM_TCP_RST) < 0)
goto drop;
/* tcp_respond consumes the mbuf chain. */
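Review bot: Hard-coding `badport_bandlim(BANDLIM_TCP_RST)` rate-limits every reset sent through this function, including the call sites that previously passed `BANDLIM_UNLIMITED`. Those are the SYN-SENT bad-ACK and data-after-close paths in tcp_do_segment(), and the matching `ctf_do_dropwithreset` calls in bbr.c and rack.c. That change is not recorded anywhere in the code; the function's header comment only notes that `tp` may be NULL. I would add a line there such as `* Every RST sent from here is subject to the BANDLIM_TCP_RST rate limit.` so operators tuning the ICMP/RST limit know the once-exempt resets now count against it. The function body starts and ends outside this hunk.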
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index bc5b42ee6f2c..2dfb7faf56e3 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1250,7 +1250,7 @@ send:
* fack acks recoverypoint.
*/
if ((tp->t_flags & TF_LRD) && SEQ_GEQ(p->rxmit, p->end))
- p->rxmit = tp->snd_recover;
+ p->rxmit = SEQ_MAX(p->rxmit, tp->snd_recover);
tp->sackhint.sack_bytes_rexmit += len;
}
if (IN_RECOVERY(tp->t_flags)) {
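Review bot: The switch to `SEQ_MAX(p->rxmit, tp->snd_recover)` has no comment explaining why the plain assignment was wrong. The same two-line pattern is changed at two more places in tcp_sack_doack() in tcp_sack.c (`cur->rxmit = SEQ_MAX(cur->rxmit, tp->snd_recover);`). A short why-comment at each site would help, for example `/* Never move rxmit backwards if snd_recover is behind it. */`. That is my reading of the intent, so please confirm the wording. The enclosing block starts outside this hunk.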
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 4405098a8620..b6c55fac50b3 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -283,7 +283,7 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
INP_WLOCK_ASSERT(tptoinpcb(tp));
/* Check arguments. */
- KASSERT(SEQ_LEQ(rcv_start, rcv_end), ("rcv_start <= rcv_end"));
+ KASSERT(SEQ_LEQ(rcv_start, rcv_end), ("SEG_GT(rcv_start, rcv_end)"));
if ((rcv_start == rcv_end) &&
(tp->rcv_numsacks >= 1) &&
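Review bot: The new assertion text spells the macro `SEG_GT`, but the sequence-comparison macros used in this file are `SEQ_*` (the condition itself uses `SEQ_LEQ`), so the message should read `("SEQ_GT(rcv_start, rcv_end)")`. The same misspelling appears in two of the four messages added in the tcp_sack_output() hunk, `SEG_GEQ(hole.start, snd.fack)` and `SEG_GEQ(hole.end, snd.fack)`, while their neighbours use `SEQ_GEQ`. Panic strings are what people search for when triaging a crash report, so they should match the real macro names.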
@@ -498,8 +498,8 @@ tcp_sackhole_free(struct tcpcb *tp, struct sackhole *hole)
tp->snd_numholes--;
atomic_subtract_int(&V_tcp_sack_globalholes, 1);
- KASSERT(tp->snd_numholes >= 0, ("tp->snd_numholes >= 0"));
- KASSERT(V_tcp_sack_globalholes >= 0, ("tcp_sack_globalholes >= 0"));
+ KASSERT(tp->snd_numholes >= 0, ("tp->snd_numholes < 0"));
+ KASSERT(V_tcp_sack_globalholes >= 0, ("tcp_sack_globalholes < 0"));
}
/*
@@ -583,6 +583,7 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
*/
if (SEQ_LT(tp->snd_una, th_ack) && !TAILQ_EMPTY(&tp->snd_holes)) {
left_edge_delta = th_ack - tp->snd_una;
+ delivered_data += left_edge_delta;
sack_blocks[num_sack_blks].start = tp->snd_una;
sack_blocks[num_sack_blks++].end = th_ack;
/*
@@ -590,7 +591,6 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
* due to DSACK blocks
*/
if (SEQ_LT(tp->snd_fack, th_ack)) {
- delivered_data += th_ack - tp->snd_una;
tp->snd_fack = th_ack;
sack_changed = SACK_CHANGE;
}
@@ -684,7 +684,7 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
delivered_data += sblkp->end - sblkp->start;
tp->sackhint.hole_bytes += temp->end - temp->start;
KASSERT(tp->sackhint.hole_bytes >= 0,
- ("sackhint hole bytes >= 0"));
+ ("sackhint hole bytes < 0"));
tp->snd_fack = sblkp->end;
sblkp--;
sack_changed = SACK_NEWLOSS;
@@ -783,7 +783,7 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
tp->sackhint.sack_bytes_rexmit -=
(SEQ_MIN(cur->rxmit, cur->end) - cur->start);
KASSERT(tp->sackhint.sack_bytes_rexmit >= 0,
- ("sackhint bytes rtx >= 0"));
+ ("sackhint bytes rtx < 0"));
sack_changed = SACK_CHANGE;
if (SEQ_LEQ(sblkp->start, cur->start)) {
/* Data acks at least the beginning of hole. */
@@ -816,7 +816,7 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
cur->end = sblkp->start;
cur->rxmit = SEQ_MIN(cur->rxmit, cur->end);
if ((tp->t_flags & TF_LRD) && SEQ_GEQ(cur->rxmit, cur->end))
- cur->rxmit = tp->snd_recover;
+ cur->rxmit = SEQ_MAX(cur->rxmit, tp->snd_recover);
} else {
/*
* ACKs some data in middle of a hole; need
@@ -843,7 +843,7 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
cur->rxmit = SEQ_MIN(cur->rxmit,
cur->end);
if ((tp->t_flags & TF_LRD) && SEQ_GEQ(cur->rxmit, cur->end))
- cur->rxmit = tp->snd_recover;
+ cur->rxmit = SEQ_MAX(cur->rxmit, tp->snd_recover);
delivered_data += (sblkp->end - sblkp->start);
}
}
@@ -874,13 +874,13 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
if (TAILQ_EMPTY(&tp->snd_holes)) {
KASSERT(tp->sackhint.hole_bytes == 0,
- ("SACK scoreboard empty, but accounting non-zero\n"));
+ ("SACK scoreboard empty, but sackhint hole bytes != 0"));
tp->sackhint.sack_bytes_rexmit = 0;
tp->sackhint.sacked_bytes = 0;
tp->sackhint.lost_bytes = 0;
} else {
KASSERT(tp->sackhint.hole_bytes > 0,
- ("SACK scoreboard not empty, but has no bytes\n"));
+ ("SACK scoreboard not empty, but sackhint hole bytes <= 0"));
tp->sackhint.delivered_data = delivered_data;
tp->sackhint.sacked_bytes += delivered_data - left_edge_delta;
KASSERT((tp->sackhint.sacked_bytes >= 0), ("sacked_bytes < 0"));
@@ -918,9 +918,9 @@ tcp_free_sackholes(struct tcpcb *tp)
tp->sackhint.hole_bytes = 0;
tp->sackhint.lost_bytes = 0;
- KASSERT(tp->snd_numholes == 0, ("tp->snd_numholes == 0"));
+ KASSERT(tp->snd_numholes == 0, ("tp->snd_numholes != 0"));
KASSERT(tp->sackhint.nexthole == NULL,
- ("tp->sackhint.nexthole == NULL"));
+ ("tp->sackhint.nexthole != NULL"));
}
/*
@@ -1061,11 +1061,15 @@ tcp_sack_output(struct tcpcb *tp, int *sack_bytes_rexmt)
}
}
}
- KASSERT(SEQ_LT(hole->start, hole->end), ("%s: hole.start >= hole.end", __func__));
+ KASSERT(SEQ_LT(hole->start, hole->end),
+ ("%s: SEQ_GEQ(hole.start, hole.end)", __func__));
if (!(V_tcp_do_newsack)) {
- KASSERT(SEQ_LT(hole->start, tp->snd_fack), ("%s: hole.start >= snd.fack", __func__));
- KASSERT(SEQ_LT(hole->end, tp->snd_fack), ("%s: hole.end >= snd.fack", __func__));
- KASSERT(SEQ_LT(hole->rxmit, tp->snd_fack), ("%s: hole.rxmit >= snd.fack", __func__));
+ KASSERT(SEQ_LT(hole->start, tp->snd_fack),
+ ("%s: SEG_GEQ(hole.start, snd.fack)", __func__));
+ KASSERT(SEQ_LT(hole->end, tp->snd_fack),
+ ("%s: SEG_GEQ(hole.end, snd.fack)", __func__));
+ KASSERT(SEQ_LT(hole->rxmit, tp->snd_fack),
+ ("%s: SEQ_GEQ(hole.rxmit, snd.fack)", __func__));
if (SEQ_GEQ(hole->start, hole->end) ||
SEQ_GEQ(hole->start, tp->snd_fack) ||
SEQ_GEQ(hole->end, tp->snd_fack) ||
diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index ce4e9f30020c..fed259f4d8e1 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -7863,7 +7863,7 @@ nothing_left:
/* tcp_close will kill the inp pre-log the Reset */
tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
tp = tcp_close(tp);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
BBR_STAT_INC(bbr_dropped_af_data);
return (1);
}
@@ -8763,7 +8763,7 @@ bbr_do_syn_sent(struct mbuf *m, struct tcphdr *th, struct socket *so,
(SEQ_LEQ(th->th_ack, tp->iss) ||
SEQ_GT(th->th_ack, tp->snd_max))) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
if ((thflags & (TH_ACK | TH_RST)) == (TH_ACK | TH_RST)) {
@@ -8965,7 +8965,7 @@ bbr_do_syn_recv(struct mbuf *m, struct tcphdr *th, struct socket *so,
(SEQ_LEQ(th->th_ack, tp->snd_una) ||
SEQ_GT(th->th_ack, tp->snd_max))) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
if (tp->t_flags & TF_FASTOPEN) {
@@ -8977,7 +8977,7 @@ bbr_do_syn_recv(struct mbuf *m, struct tcphdr *th, struct socket *so,
*/
if ((thflags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
} else if (thflags & TH_SYN) {
/* non-initial SYN is ignored */
@@ -9010,7 +9010,7 @@ bbr_do_syn_recv(struct mbuf *m, struct tcphdr *th, struct socket *so,
*/
if (SEQ_LT(th->th_seq, tp->irs)) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
if (ctf_drop_checks(to, m, th, tp, &tlen, &thflags, &drop_hdrlen, &ret_val)) {
@@ -9288,7 +9288,7 @@ bbr_do_established(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
bbr_log_progress_event(bbr, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -9385,7 +9385,7 @@ bbr_do_close_wait(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
bbr_log_progress_event(bbr, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -9405,7 +9405,7 @@ close_now:
tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
tp = tcp_close(tp);
KMOD_TCPSTAT_INC(tcps_rcvafterclose);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+ ctf_do_dropwithreset(m, tp, th, *tlen);
return (1);
}
if (sbavail(&so->so_snd) == 0)
@@ -9535,7 +9535,7 @@ bbr_do_fin_wait_1(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
bbr_log_progress_event(bbr, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -9637,7 +9637,7 @@ bbr_do_closing(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
bbr_log_progress_event(bbr, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -9739,7 +9739,7 @@ bbr_do_lastack(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
bbr_log_progress_event(bbr, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -9848,7 +9848,7 @@ bbr_do_fin_wait_2(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
bbr_log_progress_event(bbr, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -11510,7 +11510,7 @@ bbr_do_segment_nounlock(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
(SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
if (tiwin > bbr->r_ctl.rc_high_rwnd)
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index d6bbfeb886d9..71dd4de6baf9 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -12038,7 +12038,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so,
/* tcp_close will kill the inp pre-log the Reset */
tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
tp = tcp_close(tp);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
}
@@ -12876,7 +12876,7 @@ rack_do_syn_sent(struct mbuf *m, struct tcphdr *th, struct socket *so,
(SEQ_LEQ(th->th_ack, tp->iss) ||
SEQ_GT(th->th_ack, tp->snd_max))) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
if ((thflags & (TH_ACK | TH_RST)) == (TH_ACK | TH_RST)) {
@@ -13090,7 +13090,7 @@ rack_do_syn_recv(struct mbuf *m, struct tcphdr *th, struct socket *so,
(SEQ_LEQ(th->th_ack, tp->snd_una) ||
SEQ_GT(th->th_ack, tp->snd_max))) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
if (tp->t_flags & TF_FASTOPEN) {
@@ -13103,7 +13103,7 @@ rack_do_syn_recv(struct mbuf *m, struct tcphdr *th, struct socket *so,
*/
if ((thflags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
} else if (thflags & TH_SYN) {
/* non-initial SYN is ignored */
@@ -13137,7 +13137,7 @@ rack_do_syn_recv(struct mbuf *m, struct tcphdr *th, struct socket *so,
*/
if (SEQ_LT(th->th_seq, tp->irs)) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return (1);
}
if (ctf_drop_checks(to, m, th, tp, &tlen, &thflags, &drop_hdrlen, &ret_val)) {
@@ -13400,7 +13400,7 @@ rack_do_established(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (sbavail(&so->so_snd)) {
if (ctf_progress_timeout_check(tp, true)) {
rack_log_progress_event(rack, tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -13496,7 +13496,7 @@ rack_do_close_wait(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (ctf_progress_timeout_check(tp, true)) {
rack_log_progress_event((struct tcp_rack *)tp->t_fb_ptr,
tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -13518,7 +13518,7 @@ rack_check_data_after_close(struct mbuf *m,
tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
tp = tcp_close(tp);
KMOD_TCPSTAT_INC(tcps_rcvafterclose);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+ ctf_do_dropwithreset(m, tp, th, *tlen);
return (1);
}
if (sbavail(&so->so_snd) == 0)
@@ -13646,7 +13646,7 @@ rack_do_fin_wait_1(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (ctf_progress_timeout_check(tp, true)) {
rack_log_progress_event((struct tcp_rack *)tp->t_fb_ptr,
tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -13747,7 +13747,7 @@ rack_do_closing(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (ctf_progress_timeout_check(tp, true)) {
rack_log_progress_event((struct tcp_rack *)tp->t_fb_ptr,
tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -13849,7 +13849,7 @@ rack_do_lastack(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (ctf_progress_timeout_check(tp, true)) {
rack_log_progress_event((struct tcp_rack *)tp->t_fb_ptr,
tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -13953,7 +13953,7 @@ rack_do_fin_wait_2(struct mbuf *m, struct tcphdr *th, struct socket *so,
if (ctf_progress_timeout_check(tp, true)) {
rack_log_progress_event((struct tcp_rack *)tp->t_fb_ptr,
tp, tick, PROGRESS_DROP, __LINE__);
- ctf_do_dropwithreset_conn(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset_conn(m, tp, th, tlen);
return (1);
}
}
@@ -16653,7 +16653,7 @@ rack_do_segment_nounlock(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
(SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
#ifdef TCP_ACCOUNTING
sched_unpin();
#endif
diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.c b/sys/netinet/tcp_stacks/rack_bbr_common.c
index d1c4ba58bf55..fc12672a45f7 100644
--- a/sys/netinet/tcp_stacks/rack_bbr_common.c
+++ b/sys/netinet/tcp_stacks/rack_bbr_common.c
@@ -507,13 +507,11 @@ ctf_flight_size(struct tcpcb *tp, uint32_t rc_sacked)
void
ctf_do_dropwithreset(struct mbuf *m, struct tcpcb *tp, struct tcphdr *th,
- int32_t rstreason, int32_t tlen)
+ int32_t tlen)
{
- if (tp != NULL) {
- tcp_dropwithreset(m, th, tp, tlen, rstreason);
+ tcp_dropwithreset(m, th, tp, tlen);
+ if (tp != NULL)
INP_WUNLOCK(tptoinpcb(tp));
- } else
- tcp_dropwithreset(m, th, NULL, tlen, rstreason);
}
void
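Review bot: ctf_do_dropwithreset has no comment stating its locking contract, and the rewritten body makes that contract short enough to write down. It calls tcp_dropwithreset for every tp, including NULL, and releases the inpcb write lock only when tp is not NULL, so callers presumably must hold that lock on entry and must not rely on it afterwards. A header comment such as `/* Send a RST via tcp_dropwithreset() and release the inpcb write lock if tp != NULL. */` would cover it. Whether m is always consumed cannot be confirmed from this hunk and should be checked before documenting it.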
@@ -672,7 +670,7 @@ ctf_do_dropafterack(struct mbuf *m, struct tcpcb *tp, struct tcphdr *th, int32_t
(SEQ_GT(tp->snd_una, th->th_ack) ||
SEQ_GT(th->th_ack, tp->snd_max))) {
*ret_val = 1;
- ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
+ ctf_do_dropwithreset(m, tp, th, tlen);
return;
} else
*ret_val = 0;
@@ -866,10 +864,10 @@ ctf_calc_rwin(struct socket *so, struct tcpcb *tp)
void
ctf_do_dropwithreset_conn(struct mbuf *m, struct tcpcb *tp, struct tcphdr *th,
- int32_t rstreason, int32_t tlen)
+ int32_t tlen)
{
- tcp_dropwithreset(m, th, tp, tlen, rstreason);
+ tcp_dropwithreset(m, th, tp, tlen);
tp = tcp_drop(tp, ETIMEDOUT);
if (tp)
INP_WUNLOCK(tptoinpcb(tp));
diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.h b/sys/netinet/tcp_stacks/rack_bbr_common.h
index 6a8a056d89b0..cd33cb8ce50b 100644
--- a/sys/netinet/tcp_stacks/rack_bbr_common.h
+++ b/sys/netinet/tcp_stacks/rack_bbr_common.h
@@ -101,7 +101,7 @@ ctf_do_dropafterack(struct mbuf *m, struct tcpcb *tp,
void
ctf_do_dropwithreset(struct mbuf *m, struct tcpcb *tp,
- struct tcphdr *th, int32_t rstreason, int32_t tlen);
+ struct tcphdr *th, int32_t tlen);
void
ctf_do_drop(struct mbuf *m, struct tcpcb *tp);
@@ -125,7 +125,7 @@ ctf_calc_rwin(struct socket *so, struct tcpcb *tp);
void
ctf_do_dropwithreset_conn(struct mbuf *m, struct tcpcb *tp, struct tcphdr *th,
- int32_t rstreason, int32_t tlen);
+ int32_t tlen);
uint32_t
ctf_fixed_maxseg(struct tcpcb *tp);
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 26e7e53d540c..2e039ebbfdd2 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -82,6 +82,7 @@
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
+#include <netinet/icmp_var.h>
#ifdef INET6
#include <netinet/icmp6.h>
#include <netinet/ip6.h>
@@ -2156,6 +2157,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
sbintime_t now;
bool send_challenge_ack;
+ /*
+ * The sending of a challenge ACK could be triggered by a blind attacker
+ * to detect an existing TCP connection. To mitigate that, increment
+ * also the global counter which would be incremented if the attacker
+ * would have guessed wrongly.
+ */
+ (void)badport_bandlim(BANDLIM_TCP_RST);
if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) {
/* ACK war protection is disabled. */
send_challenge_ack = true;
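Review bot: The added `(void)badport_bandlim(BANDLIM_TCP_RST);` runs before the ACK-war check, so the shared RST counter is charged for every segment reaching tcp_send_challenge_ack, including ones for which no challenge ACK is sent. That looks intentional for the side-channel mitigation the comment describes. It also means these segments draw on the same budget that limits genuine RSTs, and the comment should say so and state that the return value is ignored on purpose. Suggested wording for its last sentence: `To mitigate that, also charge the global RST rate-limit counter, as a wrong guess would; the result is ignored because challenge ACKs are limited separately below.` The function body continues outside the hunk.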
@@ -3197,7 +3205,7 @@ tcp6_next_pmtu(const struct icmp6_hdr *icmp6)
* small, set to the min.
*/
if (mtu < IPV6_MMTU)
- mtu = IPV6_MMTU - 8; /* XXXNP: what is the adjustment for? */
+ mtu = IPV6_MMTU;
return (mtu);
}
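Review bot: The removed line carried an open question (`XXXNP: what is the adjustment for?`), and the new `mtu = IPV6_MMTU;` drops it without recording the answer. The 8 bytes were presumably room for an IPv6 fragment header, which RFC 8200 no longer requires when a reported MTU is below the minimum. A comment on the clamp would keep that reasoning, e.g. `/* Never go below the IPv6 minimum MTU; no fragment-header allowance (RFC 8200). */`. Since the value is taken from an ICMPv6 header supplied by the network, this clamp is also the lower bound a forged message cannot push the path MTU under, which is worth stating. tcp6_next_pmtu starts outside the hunk.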
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index b90f65e83cb1..53856bae9a66 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -1379,8 +1379,7 @@ int tcp_reass(struct tcpcb *, struct tcphdr *, tcp_seq *, int *,
void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
void tcp_dooptions(struct tcpopt *, u_char *, int, int);
-void tcp_dropwithreset(struct mbuf *, struct tcphdr *,
- struct tcpcb *, int, int);
+void tcp_dropwithreset(struct mbuf *, struct tcphdr *, struct tcpcb *, int);
void tcp_pulloutofband(struct socket *,
struct tcphdr *, struct mbuf *, int);
void tcp_xmit_timer(struct tcpcb *, int);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index df8f293f9426..2f2f9abf1c83 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -654,7 +654,11 @@ udp_input(struct mbuf **mp, int *offp, int proto)
else
UDP_PROBE(receive, NULL, NULL, ip, NULL, uh);
UDPSTAT_INC(udps_noport);
- if (m->m_flags & (M_BCAST | M_MCAST)) {
+ if (m->m_flags & M_MCAST) {
+ UDPSTAT_INC(udps_noportmcast);
+ goto badunlocked;
+ }
+ if (m->m_flags & M_BCAST) {
UDPSTAT_INC(udps_noportbcast);
goto badunlocked;
}
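Review bot: The two new branches differ only in the counter, and a packet carrying both `M_MCAST` and `M_BCAST` is counted as multicast only because that test comes first; nothing says the order is deliberate. A one-line comment above the first test, `/* Count multicast before broadcast; a packet with both flags is counted once, as multicast. */`, would make that explicit. The early `goto badunlocked` presumably exists so that no error reply is generated for multicast or broadcast traffic, and that reason deserves a word in the same comment once confirmed against the code after the hunk. udp_input starts and ends outside the hunk.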