Author: tuexen
Date: Wed Apr 12 20:27:15 2017
New Revision: 316743
URL: https://svnweb.freebsd.org/changeset/base/316743

Log:
  The sysctl variable net.inet.tcp.drop_synfin is not honored in all states,
  for example not in SYN-SENT.
  This patch adds code to check the sysctl variable in other states than
  LISTEN.
  Thanks to ae and gnn for providing comments.
  Reviewed by:          gnn
  MFC after:            1 week
  Sponsored by:         Netflix, Inc.
  Differential Revision:        https://reviews.freebsd.org/D9894

Modified:
  head/sys/netinet/tcp_input.c
  head/sys/netinet/tcp_stacks/fastpath.c

Modified: head/sys/netinet/tcp_input.c
==============================================================================
--- head/sys/netinet/tcp_input.c        Wed Apr 12 20:20:04 2017        
(r316742)
+++ head/sys/netinet/tcp_input.c        Wed Apr 12 20:27:15 2017        
(r316743)
@@ -1613,6 +1613,16 @@ tcp_do_segment(struct mbuf *m, struct tc
        tcp_pcap_add(th, m, &(tp->t_inpkts));
 #endif
 
+       if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
+               if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+                       log(LOG_DEBUG, "%s; %s: "
+                           "SYN|FIN segment ignored (based on "
+                           "sysctl setting)\n", s, __func__);
+                       free(s, M_TCPLOG);
+               }
+               goto drop;
+       }
+
        /*
         * Segment received on connection.
         * Reset idle time and keep-alive timer.
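Review bot: The drop on the new lines is not counted in any TCP statistic, so unless tcp_log_addrs() returns a string (which, if it is still gated by net.inet.tcp.log_debug, it will not on a default system) an operator has no way to see that SYN|FIN segments are being discarded on SYN-SENT or established connections; the LISTEN-state check elsewhere in this file does, as far as I recall, `TCPSTAT_INC(tcps_badsyn);` before dropping, and adding that line before `goto drop;` would keep the two paths consistent and make the drop visible in `netstat -s`. The block also relies on `s` being declared earlier in tcp_do_segment and on the `drop` label releasing the pcb and tcbinfo locks, both outside this hunk. tcp_do_segment continues past the end of the hunk.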

Modified: head/sys/netinet/tcp_stacks/fastpath.c
==============================================================================
--- head/sys/netinet/tcp_stacks/fastpath.c      Wed Apr 12 20:20:04 2017        
(r316742)
+++ head/sys/netinet/tcp_stacks/fastpath.c      Wed Apr 12 20:27:15 2017        
(r316743)
@@ -132,6 +132,8 @@ VNET_DECLARE(int, tcp_insecure_rst);
 #define        V_tcp_insecure_rst      VNET(tcp_insecure_rst)
 VNET_DECLARE(int, tcp_insecure_syn);
 #define        V_tcp_insecure_syn      VNET(tcp_insecure_syn)
+VNET_DECLARE(int, drop_synfin);
+#define        V_drop_synfin   VNET(drop_synfin)
 
 static void     tcp_do_segment_fastslow(struct mbuf *, struct tcphdr *,
                        struct socket *, struct tcpcb *, int, int, uint8_t,
@@ -1729,7 +1731,6 @@ tcp_do_segment_fastslow(struct mbuf *m, 
        struct tcpopt to;
 
        thflags = th->th_flags;
-       tp->sackhint.last_sack_ack = 0;
        inc = &tp->t_inpcb->inp_inc;
        nsegs = max(1, m->m_pkthdr.lro_nsegs);
        /*
@@ -1760,6 +1761,23 @@ tcp_do_segment_fastslow(struct mbuf *m, 
        KASSERT(tp->t_state != TCPS_TIME_WAIT, ("%s: TCPS_TIME_WAIT",
                                                __func__));
 
+       if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
+               if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+                       log(LOG_DEBUG, "%s; %s: "
+                           "SYN|FIN segment ignored (based on "
+                           "sysctl setting)\n", s, __func__);
+                       free(s, M_TCPLOG);
+               }
+               if (ti_locked == TI_RLOCKED) {
+                       INP_INFO_RUNLOCK(&V_tcbinfo);
+               }
+               INP_WUNLOCK(tp->t_inpcb);
+               m_freem(m);
+               return;
+       }
+
+       tp->sackhint.last_sack_ack = 0;
+
        /*
         * Segment received on connection.
         * Reset idle time and keep-alive timer.
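Review bot: The fourteen-line drop block added here is repeated verbatim in tcp_do_segment_fastack (the hunk at @@ -2205,6 +2222,23 @@), with a third near-copy in tcp_do_segment in tcp_input.c, so any later change to the unlock sequence or the log text has to be made in three places; a small static helper in this file that does the test, the logging and the unlock/free, returning whether the segment was consumed, would leave each caller with `if (tcp_drop_synfin(tp, th, m, ti_locked)) return;` (the log line would then carry the helper's __func__ instead of the caller's, so pass the caller's name in if that distinction matters). Moving `tp->sackhint.last_sack_ack = 0;` below the check so a dropped segment leaves the pcb untouched is sensible, but if tcp_do_segment in tcp_input.c still clears it before its new check (not visible here) the two stacks now differ on that point. As in the tcp_input.c hunk, no statistics counter is bumped on this path, so with debug logging off the drop is invisible; `TCPSTAT_INC(tcps_badsyn);` would mirror the LISTEN-state handling as far as I recall it. Both functions begin and end outside the hunks.
```c
/*
 * Silently discard a SYN|FIN segment when net.inet.tcp.drop_synfin is set.
 * On a drop this releases the tcbinfo lock (if the caller holds it) and the
 * pcb lock, frees the mbuf and returns true; the caller must then return.
 */
static bool
tcp_drop_synfin(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m,
    int ti_locked)
{
	char *s;

	if (!(th->th_flags & TH_SYN) || !(th->th_flags & TH_FIN) ||
	    !V_drop_synfin)
		return (false);
	if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) {
		log(LOG_DEBUG, "%s; %s: "
		    "SYN|FIN segment ignored (based on "
		    "sysctl setting)\n", s, __func__);
		free(s, M_TCPLOG);
	}
	/* Counter name as used by the LISTEN-state check; confirm before use. */
	TCPSTAT_INC(tcps_badsyn);
	if (ti_locked == TI_RLOCKED)
		INP_INFO_RUNLOCK(&V_tcbinfo);
	INP_WUNLOCK(tp->t_inpcb);
	m_freem(m);
	return (true);
}

	/* … unchanged: tcp_do_segment_fastslow up to the TIME_WAIT KASSERT … */
	if (tcp_drop_synfin(tp, th, m, ti_locked))
		return;

	tp->sackhint.last_sack_ack = 0;
	/* … unchanged: rest of tcp_do_segment_fastslow … */
```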
@@ -2175,7 +2193,6 @@ tcp_do_segment_fastack(struct mbuf *m, s
        struct tcpopt to;
 
        thflags = th->th_flags;
-       tp->sackhint.last_sack_ack = 0;
        inc = &tp->t_inpcb->inp_inc;
        /*
         * If this is either a state-changing packet or current state isn't
@@ -2205,6 +2222,23 @@ tcp_do_segment_fastack(struct mbuf *m, s
        KASSERT(tp->t_state != TCPS_TIME_WAIT, ("%s: TCPS_TIME_WAIT",
                                                __func__));
 
+       if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
+               if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+                       log(LOG_DEBUG, "%s; %s: "
+                           "SYN|FIN segment ignored (based on "
+                           "sysctl setting)\n", s, __func__);
+                       free(s, M_TCPLOG);
+               }
+               if (ti_locked == TI_RLOCKED) {
+                       INP_INFO_RUNLOCK(&V_tcbinfo);
+               }
+               INP_WUNLOCK(tp->t_inpcb);
+               m_freem(m);
+               return;
+       }
+
+       tp->sackhint.last_sack_ack = 0;
+
        /*
         * Segment received on connection.
         * Reset idle time and keep-alive timer.