tcp: restrict flowtype copying to specific RSS TCP types

Reviewed by: gallatin, tuexen
Differential Revision: https://reviews.freebsd.org/D55196

sockets: let protocols be responsible for socket buffer mutexes

Sockets that implement their own socket buffers (marked with PR_SOCKBUF)
are now also responsible for initialization of socket buffer

sockets: let protocols be responsible for socket buffer mutexes

Sockets that implement their own socket buffers (marked with PR_SOCKBUF)
are now also responsible for initialization of socket buffer mutexes in
pr_attach and for destruction in pr_detach (or pr_close).

This removes a big bunch of reported LORs, as now WITNESS is able to see
that tcp(4) socket buffer mutex and netlink(4) socket buffer mutex are two
different things. Distinct names also improve diagnostics for blocked
threads.

This also removes a hack from unix(4), where we used to mtx_destroy().
Also removes an innocent bug from unix(4) where for accept(2)-ed socket
soreserve() was called twice. This one was innocent since first call to
soreserve() was asking for 0 bytes of space.

This slightly increased amount of pasted code in TCP's syncache_socket().
The problem is that while for sockets created with socket(2) it is
pr_attach responsible for call to soreserve() (including !PR_SOCKBUF
protocols), but for the sockets created with accept(2) it was
solisten_clone() doing soreserve(), combined with the fact that for
accept(2) TCP completely bypasses pr_attach. This all should improve once
TCP has its own socket buffers.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D54984

show more ...

tcp: Unifidef use of rss software hash in syncache

Ever since "d9c55b2e8cd6 rss: Enable portions of RSS globally.."
exposed the RSS software hashing functions, it has been possible
to use them witho

tcp: Unifidef use of rss software hash in syncache

Ever since "d9c55b2e8cd6 rss: Enable portions of RSS globally.."
exposed the RSS software hashing functions, it has been possible
to use them without "ifdef RSS". Do so now in the syncache
so as to get flowids recorded.

Note that the use of the rss hash functions is conditional on IP versions,
so we must ifdef INET to ensure rss_proto_software_hash_v4() is available.

Fixes 73fe85e486d2
Sponsored by: Netflix
Reviewed by: glebius, p.mousavizadeh_protonmail.com, nickbanks_netflix.com, tuexen
Differential Revision: https://reviews.freebsd.org/D54534

show more ...

tcp: fix build with RSS

PR: 291439
Fixes: 73fe85e486d297c9c976095854c1c84007e543f0

tcp: store flowid info in syncache

Now retransmissions by syncache would use correct flowid, same as
synchronous responds.

Reviewed by: tuexen, gallatin
Differential Revision: https://reviews.free

tcp: store flowid info in syncache

Now retransmissions by syncache would use correct flowid, same as
synchronous responds.

Reviewed by: tuexen, gallatin
Differential Revision: https://reviews.freebsd.org/D51792

show more ...

netinet: Remove left-over sys/cdefs.h

These were for $FreeBSD$ that was removed a while ago, but these
includes didn't get swept up in that. Remove them all now.

Sponsored by: Netflix
MFC After:

netinet: Remove left-over sys/cdefs.h

These were for $FreeBSD$ that was removed a while ago, but these
includes didn't get swept up in that. Remove them all now.

Sponsored by: Netflix
MFC After: 2 weeks

show more ...

tcp: improve comments in the syncache code

Add a comment explaining why syncache entries are dropped and fix a
typo in a comment.

Reviewed by: rrs, glebius
MFC after: 3 days
Sponsored by: Netfli

tcp: improve comments in the syncache code

Add a comment explaining why syncache entries are dropped and fix a
typo in a comment.

Reviewed by: rrs, glebius
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D53564

show more ...

tcp: drop SYN ACK segment for listening sockets

When a SYN ACK is received for a listening socket, just drop it
instead of killing the SYN-cache entry and send a RST.
This closes the possibility to

tcp: drop SYN ACK segment for listening sockets

When a SYN ACK is received for a listening socket, just drop it
instead of killing the SYN-cache entry and send a RST.
This closes the possibility to kill a TCP connection during its
handling in the SYN-cache.

Reviewed by: Nick Banks, Peter Lei
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D53540

show more ...

tcp: improve credential handling in syncache

When adding a syncache entry, take a reference count of the
credentials while the inp is still locked.
Thanks to markj@ for providing a hint regarding th

tcp: improve credential handling in syncache

When adding a syncache entry, take a reference count of the
credentials while the inp is still locked.
Thanks to markj@ for providing a hint regarding the root cause.

Reported by: David Marker
Reviewed by: glebius
Tested by: David Marker
Fixes: cbc9438f0505 ("tcp: improve ref count handling when processing SYN")
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D53380

show more ...

tcp: fix typo in comment

Reviewed by: tuexen
MFC after: 3 days
Sponsored by: Netflix, Inc.

tcp: cleanup of syncache_expand()

* Consistently free the string after unlocking the sch, if possible.
* Remove the failure handling in case of sc != NULL, since this is
not possible anymore.
* Re

tcp: cleanup of syncache_expand()

* Consistently free the string after unlocking the sch, if possible.
* Remove the failure handling in case of sc != NULL, since this is
not possible anymore.
* Remove the use of goto and instead return 0 in the three cases.
The only change in behavior is that in three out of the four cases,
where 0 is returned, *lsop is not set to NULL anymore. So the behavior
is now consistent and also documented in a comment. The current in
tree callers only look at *lsop, if and only if syncache_expand()
returns 1.

Reviewed by: Peter Lei
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52948

show more ...

tcp: remove stray ;

MFC after: 3 days
Sponsored by: Netflix, Inc.

tcp: improve SEG.ACK validation in SYN-RECEIVED

According to the fifth step in SEGMENT ARRIVES, send a RST segment in
response to an ACK segment which fails the SEG.ACK check, but leave
the endpoint

tcp: improve SEG.ACK validation in SYN-RECEIVED

According to the fifth step in SEGMENT ARRIVES, send a RST segment in
response to an ACK segment which fails the SEG.ACK check, but leave
the endpoint state unchanged.
FreeBSD handles this correctly when entering the SYN-RECEIVED state via
the SYN-SENT state, but not in the SYN-cache code, which handles the
SYN-RECEIVED state via the LISTEN state.

This also fixes a panic reported by Alexander Leidinger.

Reviewed by: jtl, glebius
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52934

show more ...

tcp: remove stray ;

No functional change intended.

MFC after: 3 days
Sponsored by: Netflix, Inc.

tcp: close two minor races with debug messages

The syncache entry is locked by the hash bucket lock. After running
SCH_UNLOCK(), we have no guarantee that the syncache entry still
exists.

Resolve t

tcp: close two minor races with debug messages

The syncache entry is locked by the hash bucket lock. After running
SCH_UNLOCK(), we have no guarantee that the syncache entry still
exists.

Resolve the race by moving SCH_UNLOCK() after the log() call which
reads variables from the syncache entry.

Reviewed by: rrs, tuexen, Nick Banks
Sponsored by: Netflix
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D52868

show more ...

tcp: improve segment validation in SYN-RECEIVED

The validation of SEG.SEQ (first step in SEGMENT ARRIVES of RFC 9293)
should be done before the validation of SEG.ACK (fifth step in
SEGMENT ARRIVES i

tcp: improve segment validation in SYN-RECEIVED

The validation of SEG.SEQ (first step in SEGMENT ARRIVES of RFC 9293)
should be done before the validation of SEG.ACK (fifth step in
SEGMENT ARRIVES in RFC 9293).
Furthermore, when the SEG.SEQ validation fails, a challenge ACK
should be sent instead of sending a RST-segment and moving the
endpoint to CLOSED.

Reported by: Tilnel on freebsd-net
Reviewed by: Nick Banks
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52849

show more ...

tcp: keep SYN-cache entry when sending of challenge ACK fails

Don't drop a SYN-cache entry just because a challenge ACK couldn't
be sent. This might only be a temporary failure.

Reviewed by: Nick

tcp: keep SYN-cache entry when sending of challenge ACK fails

Don't drop a SYN-cache entry just because a challenge ACK couldn't
be sent. This might only be a temporary failure.

Reviewed by: Nick Banks, glebius, jtl
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52840

show more ...

tcp: cleanup syncache_expand()

Only validate SEG.SEQ and SEG.ACK when processing a real SYN-cache
entry. In the SYN-cookie case, these conditions are always true, since
the SYN-cache entry on the st

tcp: cleanup syncache_expand()

Only validate SEG.SEQ and SEG.ACK when processing a real SYN-cache
entry. In the SYN-cookie case, these conditions are always true, since
the SYN-cache entry on the stack is constructed from the incoming
TCP segment.
While there, fix the logging messages.

Reviewed by: Nick Banks
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52816

show more ...

tcp: apply rate limits to challenge ACKs

When sending challenge ACKs from the SYN-cache, apply the same rate
limiting as in other states.

Reviewed by: cc, rrs
MFC after: 3 days
Sponsored by: Net

tcp: apply rate limits to challenge ACKs

When sending challenge ACKs from the SYN-cache, apply the same rate
limiting as in other states.

Reviewed by: cc, rrs
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52754

show more ...

tcp: micro-optimize SYN-cookie expansion

Only compute wscale when it is actually used. While there, change the
type of wscale to u_int as suggested by glebius.
No functional change intended.

Review

tcp: micro-optimize SYN-cookie expansion

Only compute wscale when it is actually used. While there, change the
type of wscale to u_int as suggested by glebius.
No functional change intended.

Reviewed by: glebius, rscheff (older version)
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52296

show more ...

tcp: improve sending of SYN-cookies

Ensure that when the sysctl-variable net.inet.tcp.syncookies_only is
non zero, SYN-cookies are sent and no SYN-cache entry is added to the
SYN-cache. In particula

tcp: improve sending of SYN-cookies

Ensure that when the sysctl-variable net.inet.tcp.syncookies_only is
non zero, SYN-cookies are sent and no SYN-cache entry is added to the
SYN-cache. In particular, this behavior should not depend on the value
of the sysctl-variable net.inet.tcp.syncookies, which controls whether
SYN cookies are used in combination with the SYN-cache to deal with
bucket overflows.
Also ensure that tcps_sc_completed does not include TCP connections
established via a SYN-cookie.
While there, make V_tcp_syncookies and V_tcp_syncookiesonly bool
instead of int, since they are used as boolean variables.

Reviewed by: rscheff, cc, Peter Lei, Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52225

show more ...

tcp: remove stale comment

MFC after: 3 days
Sponsored by: Netflix, Inc.

tcp: provide sysctl for the maximum retransmission timeout

Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D50891

tcp: count two previously ignored kinds of syncookie failures

Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D50899

tcp: unlock before syncookie_expand()

The function doesn't need a lock on sch. It uses the pointer as value for
the SipHash calculation.

Reviewed by: tuexen
Differential Revision: https://reviews

tcp: unlock before syncookie_expand()

The function doesn't need a lock on sch. It uses the pointer as value for
the SipHash calculation.

Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D50898

show more ...