Page MenuHomeFreeBSD
Differential D45075

tcp: filter small SACK blocks
ClosedPublic
Actions

Authored by rscheff on May 3 2024, 10:48 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 18, 10:16 AM
Unknown Object (File)
Mon, Nov 18, 10:10 AM
Unknown Object (File)
Oct 19 2024, 3:38 PM
Unknown Object (File)
Oct 1 2024, 4:01 PM
Unknown Object (File)
Oct 1 2024, 3:42 AM
Unknown Object (File)
Sep 30 2024, 3:17 AM
Unknown Object (File)
Sep 27 2024, 4:48 PM
Unknown Object (File)
Sep 22 2024, 7:34 PM
View All 34 Files
Subscribers
imp
melifaro

Details

Reviewers
tuexen
rrs
cc
glebius
thj
Group Reviewers
transport
Commits
rGcbf3575aa3c2: tcp: filter small SACK blocks
Summary

While the SACK Scoreboard in the base stack limits
the number of holes by default to only 128 per connection
in order to prevent CPU load attacks by splitting SACKs,
filtering out SACK blocks of unusually small size can
further improve the actual processing of SACK loss recovery.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

rscheff created this revision.May 3 2024, 10:48 AM
Herald added a reviewer: transport. · View Herald TranscriptMay 3 2024, 10:48 AM
Herald added subscribers: melifaro, imp. · View Herald Transcript
Harbormaster completed remote builds in B57563: Diff 138095.May 3 2024, 10:48 AM
rscheff requested review of this revision.May 3 2024, 10:48 AM
tuexen added a comment.EditedMay 3 2024, 1:19 PM

I'm wondering if it would be better to require that the sack block covers at least mss - 40 bytes. We don't know if we sent a SACK or AccECN option and it doesn't make sense to ignore the SACK blocks corresponding to such packets we sent not performing an attack.

rscheff updated this revision to Diff 138118.May 3 2024, 4:47 PM
  • filter out any segments smaller than the current maxseg size minus maximum tcp header options
Harbormaster completed remote builds in B57577: Diff 138118.May 3 2024, 4:47 PM
tuexen accepted this revision.May 7 2024, 5:55 PM
This revision is now accepted and ready to land.May 7 2024, 5:55 PM
Closed by commit rGcbf3575aa3c2: tcp: filter small SACK blocks (authored by rscheff). · Explain WhyMay 8 2024, 12:31 PM
This revision was automatically updated to reflect the committed changes.
rscheff added a commit: rGcbf3575aa3c2: tcp: filter small SACK blocks.

Revision Contents
Changeset List

PathSize
sys/
netinet/
5 lines

Diff 138239

View Options

sys/netinet/tcp_sack.c

Loading...