
Add sysctl to use per end point pair TCP timestamp offsets instead of per connection based offsets
ClosedPublic

Authored by tuexen on Jul 17 2019, 6:16 PM.

Details

Summary

r338053 changed the way the initial TCP timestamp is computed: it is based on the TCP connection (taking both IP addresses and port numbers into account). This is recommended in RFC 7323.

On the freebsd-net mailing list there were reports that this results in problems with some hosts. They can be reproduced by using:

  • curl -v http://88.99.60.171:80
  • curl -v http://163.172.71.252:80
  • curl -v http://5.9.242.150:80
  • curl -v https://vitagramma.com
  • curl -v https://185.134.205.105:443
  • curl -v https://136.243.1.231:443
  • curl -v https://144.76.196.4:443
  • curl -v http://94.127.191.194:80
  • curl -v https://volia.com
  • curl -v https://moemisto.ua
  • curl -v https://fotostrana.ru

By testing it seems:

  • The problem occurs when the server sends a FIN-segment first, which means it ends up in TIMEWAIT.
  • The SYN-segments with smaller TS.val than used before are dropped.
  • The comparison of the TS.val is performed even when the client and server port numbers change. This means that a connection to the ssh server might impact connections to the web server.

Therefore a new sysctl variable ts_offset_per_conn is introduced, which allows changing the computation to a per-host-pair offset (taking only the IP addresses into account).
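
The interaction described in the summary, as an added example that is not part of this revision or of the FreeBSD sources: a client derives its timestamp offset either per connection or per host pair, and a modelled peer compares TS.val per client address regardless of ports. The hash, the secret, the addresses and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in keyed hash (seeded FNV-1a); an assumption, not the kernel's hash. */
static uint32_t keyed_hash(uint32_t secret, const uint32_t *w, int n) {
    uint32_t h = 2166136261u ^ secret;
    for (int i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            h = (h ^ ((w[i] >> (8 * b)) & 0xff)) * 16777619u;
    return h;
}

/* Offset added to the clock to form TS.val; per_conn != 0 mixes in the ports. */
static uint32_t ts_offset(uint32_t secret, uint32_t laddr, uint32_t faddr,
                          uint16_t lport, uint16_t fport, int per_conn) {
    uint32_t w[3] = { laddr, faddr, ((uint32_t)lport << 16) | fport };
    return keyed_hash(secret, w, per_conn ? 3 : 2);
}

/* Modelled peer: keeps the last TS.val per client address, ignoring ports,
 * and drops a SYN whose TS.val is older (serial-number comparison). */
struct peer { int seen; uint32_t last_tsval; };

static int peer_accepts_syn(struct peer *p, uint32_t tsval) {
    if (p->seen && (int32_t)(tsval - p->last_tsval) < 0) return 0;
    p->seen = 1;
    p->last_tsval = tsval;
    return 1;
}

/* Open n connections one clock tick apart, alternating between server ports
 * 22 and 80 from fresh client ports; return how many SYNs the peer drops. */
static int dropped_syns(int per_conn, int n) {
    /* Constructed values: secret, 192.0.2.1 (client), 198.51.100.7 (server). */
    uint32_t secret = 0x5eedf00du, laddr = 0xc0000201u, faddr = 0xc6336407u;
    struct peer p = { 0, 0 };
    int drops = 0;
    for (int i = 0; i < n; i++) {
        uint16_t lport = (uint16_t)(49152 + i), fport = (i & 1) ? 80 : 22;
        uint32_t tsval = 1000u + (uint32_t)i +
            ts_offset(secret, laddr, faddr, lport, fport, per_conn);
        drops += !peer_accepts_syn(&p, tsval);
    }
    return drops;
}

int main(void) {
    printf("per connection: %d of 32 SYNs dropped\n", dropped_syns(1, 32));
    printf("per host pair:  %d of 32 SYNs dropped\n", dropped_syns(0, 32));
    return 0;
}
```

With the per-host-pair offset, TS.val rises with the clock across all connections to the same address, so this peer never sees an older value.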

Diff Detail

Lint
Lint Skipped
Unit
Unit Tests Skipped
Build Status
Buildable 25384

Event Timeline

tuexen created this revision. Jul 17 2019, 6:16 PM
rrs accepted this revision. Jul 18 2019, 11:26 AM
This revision is now accepted and ready to land. Jul 18 2019, 11:26 AM