| #
4e28874a
|
| 25-Feb-2026 |
Randall Stewart <rrs@FreeBSD.org> |
When TCP ECN decides it wants to assure an ACK is sent it needs to do it correctly and with some limits.
So in testing I have found two interesting cases where ECN is going to make it so that an ack will be sent right away. These cases need to be limited to being in the ESTABLISHED state. You don't want ECN sending ACK's when we are transitioning in front or end states. Also we don't start a delayed ack timer <and> at the same time set the ACKNOW flag, that's just plain wrong.
Reviewed by: tuexen, rscheff Differential Revision: https://reviews.freebsd.org/D55460
|
| #
9155d4b2
|
| 05-Dec-2025 |
Richard Scheffenegger <rscheff@FreeBSD.org> |
tcp: retire do_newsack - always adhere to RFC6675 SACK
Deprecation notice for net.inet.tcp.newsack is in 15.0. Remove this tunable for HEAD, streamlining the code slightly.
Reviewed by: tuexen, cc, nickbanks_netflix.com, #transport Sponsored by: NetApp, Inc. Differential Revision: https://reviews.freebsd.org/D54072
|
| #
ee18f8be
|
| 03-Dec-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
tcp: don't set flowid in tcp_input()
With dd0e6bb996dc setting it always on connect(2) and syncache always picking up the flowid from the incoming packet, any ESTABLISHED connection shall have the flowid already set.
Reviewed by: tuexen, gallatin Differential Revision: https://reviews.freebsd.org/D53886
|
| #
73fe85e4
|
| 03-Dec-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
tcp: store flowid info in syncache
Now retransmissions by syncache would use correct flowid, same as synchronous responses.
Reviewed by: tuexen, gallatin Differential Revision: https://reviews.freebsd.org/D51792
|
| #
7b71f57f
|
| 03-Dec-2025 |
Warner Losh <imp@FreeBSD.org> |
netinet: Remove left-over sys/cdefs.h
These were for $FreeBSD$ that was removed a while ago, but these includes didn't get swept up in that. Remove them all now.
Sponsored by: Netflix MFC After: 2 weeks
|
| #
239464e9
|
| 03-Nov-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: drop SYN ACK segment for listening sockets
When a SYN ACK is received for a listening socket, just drop it instead of killing the SYN-cache entry and sending a RST. This closes the possibility to kill a TCP connection during its handling in the SYN-cache.
Reviewed by: Nick Banks, Peter Lei MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D53540
|
| #
baeff751
|
| 15-Oct-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: bump max rcv buffer size for autoscaling
This allows higher throughput values with default settings. In the review I was proposing using 16 MB, but in the transport call today we settled on a more conservative value of 8. Bumping it further will be done in combination with mitigations for mbuf exhaustion attacks.
Reviewed by: rscheff, Peter Lei, jtl, thj MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D52871
|
| #
ab17974c
|
| 23-Sep-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: fix sending of RST segments
Take endpoint parameters into account when available.
Fixes: 463b5aed0d62 ("tcp: retire rstreason") MFC after: 3 days Sponsored by: Netflix, Inc.
|
| #
6c45a5da
|
| 25-Aug-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: improve inflating cwnd in limited transmit
Don't subtract tcp_sack_adjust() sometimes twice, just once in all cases.
Reviewed by: rscheff Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D52140
|
| #
2b5de433
|
| 24-Aug-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: improve the condition for detecting dup ACKs
Take the condition of RFC 6675 into account. While there, remove stale comments.
PR: 282605 Reviewed by: cc (earlier version) MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51426
|
| #
463b5aed
|
| 12-Aug-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: retire rstreason
With the latest changes, this variable and parameter for tcp_dropwithreset() is not needed anymore. It also makes it harder to introduce the usage of multiple counters for TCP again, which might open side channel attacks. No functional changes intended.
Reviewed by: rrs MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51872
|
| #
6e072316
|
| 12-Aug-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: minor cleanup
Don't use the rstreason variable as a hint that a second lookup is performed, since the rstreason variable will be removed. Use the INPLOOKUP_WILDCARD flag in the lookupflag variable instead. No functional change intended.
Reviewed by: rrs MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51847
|
| #
2eb786d9
|
| 07-Aug-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: rate limit the sending of all RST segments
Also rate limit the sending of RST segments in the following cases:
* when receiving data on a closed socket.
* when a socket can not be created at the end of the handshake and the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1.
* when an ACK segment is received in SYN SENT state and it does not acknowledge the SYN segment.
After this change, there is no need anymore to provide a rstreason to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST. This will be a follow-up commit, since it will change the code in a couple of places, but will not change the functionality.
Reviewed by: rrs, Nick Banks, Peter Lei MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51815
|
| #
b6521cea
|
| 07-Aug-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: remove assignment without effect
rstreason is only relevant in the code paths with the label 'dropwithreset', but not in the one with the label 'drop'. No functional change intended.
Reviewed by: Nick Banks, rrs, Peter Lei, imp MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51814
|
| #
bcb298fa
|
| 01-Aug-2025 |
Timo Völker <timo.voelker@fh-muenster.de> |
sctp, tcp, udp: improve deferred computation of checksums
When the SCTP, TCP, or UDP implementation sends a packet, it does not compute the corresponding checksum but defers that. The network layer will determine whether the network interface selected for the packet has the requested capability and computes the checksum in software, if the selected network interface doesn't have the requested capability. Do this not only for packets being sent by the local SCTP, TCP, and UDP stack, but also when forwarding packets. Furthermore, when such packets are delivered to a local SCTP, TCP, or UDP stack, do not compute or validate the checksum, since such packets never have been on the wire. This allows to support checksum offloading also in the case of local virtual machines or jails. Support for epair, vtnet, and tap interfaces will be added in separate commits.
Reviewed by: kp, rgrimes, tuexen, manpages MFC after: 4 weeks Differential Revision: https://reviews.freebsd.org/D51475
|
| #
d31bdbc3
|
| 21-Jul-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: use a single counter for limiting the RST rate
Using two counters does not provide any benefit, but it provides an externally observable signal whether there is a listening port.
Reviewed by: Nick Banks, Peter Lei MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51440
|
| #
7dc73fa6
|
| 20-Jul-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: cleanup
Don't use the variable rstreason temporarily with a different semantic. No functional change intended.
Reviewed by: Nick Banks MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51438
|
| #
e46c15a0
|
| 19-Jul-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: fix the test that a duplicate ACK has no data
When processing a TCP segment, data is removed from the head or the tail. The test whether a segment has no data on it should depend on the TCP segment before the removal. Without this, received segments might trigger a fast retransmit even when they should not.
Reported by: syzbot+fc97a2b5a0f7ea161161@syzkaller.appspotmail.com Reviewed by: Peter Lei MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51425
|
| #
552d1780
|
| 17-Jun-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
tcp: provide sysctl for the maximum retransmission timeout
Reviewed by: tuexen Differential Revision: https://reviews.freebsd.org/D50891
|
| #
de8fb1b3
|
| 13-Jun-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: fix local blackholing
The sysctl-variable net.inet.tcp.blackhole_local should affect TCP segments from an IPv6 address of the local host, not of a host on the local area network. Thanks to cc@ for pointing me to the issue.
Reviewed by: cc MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D50828
|
| #
29a06210
|
| 19-May-2025 |
Lexi Winter <ivy@FreeBSD.org> |
tcp: allow connections to IPv6 anycast address
currently, we reject incoming TCP connections to an IPv6 anycast address based on IETF I-D "draft-itojun-ipv6-tcp-to-anycast-01"[0]. the rationale is that since RFC2373 prohibits sending IPv6 packets with an anycast address as the source address, it would be impossible to establish a TCP connection to such an address since the destination host could not send any replies.
however, this restriction was lifted in RFC4291 and it is no longer forbidden to send packets from an anycast address; therefore, it's both possible and permitted to establish a TCP connection using an anycast address as src or dst address (or both).
based on the above, delete this restriction and allow people to do this.
while there are certain operational reasons to avoid TCP anycast (such as the risk of the route changing while the connection is open), these also apply to IPv4 anycast and are specific to the local environment; for example, it's perfectly valid to have an anycast address which is only ever assigned to one node.
[0] https://www.ietf.org/archive/id/draft-itojun-ipv6-tcp-to-anycast-01.txt
Reviewed by: tuexen, kevans, adrian Approved by: kevans (mentor), des (mentor) Differential Revision: https://reviews.freebsd.org/D50019
|
| #
934caaec
|
| 01-May-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: improve KASSERT in limited retransmit
When doing a limited retransmit, allow up to 2 * MSS - 1 if the Nagle algorithm has been disabled.
PR: 282605 Reviewed by: cc, Peter Lei MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D49922
|
| #
2a0d26d7
|
| 04-Apr-2025 |
Peter Lei <peterlei@netflix.com> |
tcp: fix typos in comment
Reviewed by: tuexen MFC after: 3 days Sponsored by: Netflix, Inc.
|
| #
6e764890
|
| 31-Mar-2025 |
Michael Tuexen <tuexen@FreeBSD.org> |
tcp: remove support for TCPPCAP
This feature could be used to store the last sent and received TCP packets for a TCP endpoint. There was no utility to get these packets from a live system or core. This functionality is now provided by TCP Black Box Logging, which also stores additional events. There are tools to get these traces from a live system or a core. Therefore remove TCPPCAP to avoid maintaining it, when it is not used anymore.
Reviewed by: rrs, rscheff, Peter Lei, glebiu Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D49589
|
| #
6f6c0781
|
| 21-Mar-2025 |
Richard Scheffenegger <rscheff@FreeBSD.org> |
tcp: fix reverting of spurious timeouts (RTO)
One variable that became critical to correctly calculate the cwnd during limited transmit was not properly reverted on detection of spurious timeouts.
PR: 282605 Reviewed By: cc, tuexen, #transport MFC after: 3 days Sponsored by: NetApp, Inc. Differential Revision: https://reviews.freebsd.org/D48652
|