The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=2eb786d96e97a953d0256d1d622c4853964be2dc
commit 2eb786d96e97a953d0256d1d622c4853964be2dc Author: Michael Tuexen <tue...@freebsd.org> AuthorDate: 2025-08-07 20:23:54 +0000 Commit: Michael Tuexen <tue...@freebsd.org> CommitDate: 2025-08-07 20:23:54 +0000 tcp: rate limit the sending of all RST segments Also rate limit the sending of RST segments in the following cases: * when receiving data on a closed socket. * when a socket can not be created at the end of the handshake and the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1. * when an ACK segment is received in SYN SENT state and it does not acknowledge the SYN segment. After this change, there is no need anymore to provide a rstreason to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST. This will be a follow-up commit, since it will change the code in a couple of places, but will not change the functionality. Reviewed by: rrs, Nick Banks, Peter Lei MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51815 --- sys/netinet/tcp_input.c | 6 +++--- sys/netinet/tcp_stacks/bbr.c | 4 ++-- sys/netinet/tcp_stacks/rack.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index fa0a1661e37d..d392cbe09950 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1134,7 +1134,7 @@ tfo_socket_result:
 V_tcp_sc_rst_sock_fail ? "sending RST" : "try again");
 if (V_tcp_sc_rst_sock_fail) {
- rstreason = BANDLIM_UNLIMITED;
+ rstreason = BANDLIM_TCP_RST;
 goto dropwithreset;
 } else
 goto dropunlock;
@@ -1568,7 +1568,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 */
 if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
 (SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
- rstreason = BANDLIM_UNLIMITED;
+ rstreason = BANDLIM_TCP_RST;
 tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
 goto dropwithreset;
 }
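Review bot: The log(9) text in the first context line of the -1134 hunk still announces "sending RST", but with rstreason now set to BANDLIM_TCP_RST the reset can be suppressed by the RST response limiter before it is ever transmitted, so the diagnostic over-promises. Either reword the string to `"sending RST (rate limited)"` or add a comment on the new assignment: `/* subject to the TCP RST bandwidth limiter; the RST may be silently dropped */`. A peer whose handshake failed then relies on its own retransmit and timeout instead of an immediate reset, which is the intended trade-off when the host would otherwise emit an unbounded stream of RSTs in response to unsolicited segments. The enclosing syncache-failure block begins and ends outside the hunk.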
@@ -2346,7 +2346,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
 TCPSTAT_INC(tcps_rcvafterclose);
- rstreason = BANDLIM_UNLIMITED;
+ rstreason = BANDLIM_TCP_RST;
 goto dropwithreset;
 }
diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index ce4e9f30020c..f2960ab9c636 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -7863,7 +7863,7 @@ nothing_left:
 /* tcp_close will kill the inp pre-log the Reset */
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 BBR_STAT_INC(bbr_dropped_af_data);
 return (1);
 }
@@ -9405,7 +9405,7 @@ close_now:
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
 KMOD_TCPSTAT_INC(tcps_rcvafterclose);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 return (1);
 }
 if (sbavail(&so->so_snd) == 0)
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index d6bbfeb886d9..2dfcad84ad99 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -12038,7 +12038,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so,
 /* tcp_close will kill the inp pre-log the Reset */
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 return (1);
 }
 }
@@ -13518,7 +13518,7 @@ rack_check_data_after_close(struct mbuf *m,
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
 KMOD_TCPSTAT_INC(tcps_rcvafterclose);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 return (1);
 }
 if (sbavail(&so->so_snd) == 0)
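Review bot: In the -2346 hunk of tcp_input.c, and likewise at bbr.c -7863/-9405 and rack.c -12038/-13518, the value returned by `tp = tcp_close(tp);` is passed straight into the reset path; if tcp_close() can hand back NULL here (the "tcp_close will kill the inp" comment in the bbr/rack hunks suggests the inp may already be gone), the code is relying on ctf_do_dropwithreset() and the dropwithreset label to tolerate a NULL tp, and that contract is undocumented at every site. A one-line comment after the tcp_close() call would make it explicit: `/* tp may be NULL after tcp_close(); the reset helper must cope with that */`. Note also that TCPSTAT_INC(tcps_rcvafterclose) / KMOD_TCPSTAT_INC(tcps_rcvafterclose) is bumped before the rate-limited send, so with BANDLIM_TCP_RST that counter now only records the event and no longer implies a RST left the host; anyone monitoring for RST-flood mitigation should read the limiter's own counters instead. The enclosing functions begin and end outside these hunks.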