Page MenuHomeFreeBSD
Differential D46066

tcp: implement throttling of challenge ACKs
ClosedPublic
Actions

Authored by tuexen on Jul 22 2024, 7:02 PM.
Tags
None
Referenced Files
F137290706: D46066.id.diff
Sat, Nov 22, 2:57 AM
F137290519: D46066.id141401.diff
Sat, Nov 22, 2:54 AM
F137290126: D46066.id141236.diff
Sat, Nov 22, 2:48 AM
F137290012: D46066.id141290.diff
Sat, Nov 22, 2:47 AM
F137289964: D46066.diff
Sat, Nov 22, 2:46 AM
Unknown Object (File)
Fri, Nov 21, 9:06 AM
Unknown Object (File)
Wed, Nov 19, 4:47 AM
Unknown Object (File)
Tue, Nov 18, 8:44 AM
View All 95 Files
Subscribers
cc
glebius
imp
melifaro

Details

Reviewers
rrs
peter.lei_ieee.org
lstewart
rscheff
cc
Group Reviewers
transport
Commits
rG25d9ade9aa50: tcp: implement challenge ACK throttling for the base stack
rG40299c55a05f: tcp: implement challenge ACK throttling for the base stack
Summary

Implement ACK throttling of challenge ACKs as described in RFC 5961.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

tuexen created this revision.Jul 22 2024, 7:02 PM
Herald added a reviewer: transport. · View Herald TranscriptJul 22 2024, 7:02 PM
Herald added subscribers: glebius, melifaro, imp. · View Herald Transcript
tuexen requested review of this revision.Jul 22 2024, 7:02 PM
peter.lei_ieee.org accepted this revision.Jul 23 2024, 2:55 PM
cc requested changes to this revision.Jul 23 2024, 6:18 PM
cc added a subscriber: cc.
cc added inline comments.
sys/netinet/tcp_subr.c
2186

typo: per TCP connections ==> per TCP connection

2194–2196

If ACK war protection is disabled, are we going to send challenge ACK or not?

I thought if ACK war protection is disabled, we should send unlimited challenge ACKs.

reference:
ctf_ack_war_checks()

This revision now requires changes to proceed.Jul 23 2024, 6:18 PM
tuexen updated this revision to Diff 141290.Jul 23 2024, 7:39 PM
tuexen marked 2 inline comments as done.

Address issues raised by cc@.

sys/netinet/tcp_subr.c
2186

Fixed.

2194–2196

Fixed.

cc added inline comments.Jul 23 2024, 7:58 PM
sys/netinet/tcp_subr.c
2194

A little bit less than perfect, I think. For example, tcp_ack_war_time_window requires a zero check within the epoch check. It can be like this:

	if (tcp_ack_war_time_window > 0 && tcp_ack_war_cnt > 0) {
		// check rate limit
		// if under limit, pass through; else, just return
	} 
	// send challenge ACK
tuexen added inline comments.Jul 23 2024, 10:09 PM
sys/netinet/tcp_subr.c
2194

I am using the negation of your condition. So were is the difference?

tuexen marked an inline comment as done.Jul 23 2024, 11:19 PM
cc accepted this revision.Jul 24 2024, 1:24 PM
cc added inline comments.
sys/netinet/tcp_subr.c
2194

I am using the negation of your condition. So were is the difference?

On a second thought, you are right.

This revision is now accepted and ready to land.Jul 24 2024, 1:24 PM
cc added inline comments.Jul 24 2024, 1:53 PM
sys/netinet/tcp_subr.c
2194

Still, I recommend the cleaner approach, which saves the local variable send_challenge_ack and the else branch.

peter.lei_ieee.org accepted this revision.Jul 24 2024, 2:01 PM
cc added a comment.EditedJul 24 2024, 6:43 PM

Just saw https://reviews.freebsd.org/D46068. If this patch has not been committed, we can still further revise it, so that D46068 can be cleaner on function re-use.

I think the logic here can be split into two functions, such that the refined logic 1 on checking if we should send ACK can be re-used across multiple places.

logic 1:

bool
is_ack_unlimited(struct tcpcb *tp)
{
    /* focus on checking the epoch and
     * if should send ACK, return true; else return false
     */ 
}

logic 2:

void
tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
{
    if (is_ack_unlimited(tp)) {.
       tcp_respond();
    ....
    }
}
tuexen added a comment.Jul 25 2024, 12:56 AM
In D46066#1050919, @cc wrote:

Just saw https://reviews.freebsd.org/D46068. If this patch has not been committed, we can still further revise it, so that D46068 can be cleaner on function re-use.

I think the logic here can be split into two functions, such that the refined logic 1 on checking if we should send ACK can be re-used across multiple places.

logic 1:

bool
is_ack_unlimited(struct tcpcb *tp)
{
    /* focus on checking the epoch and
     * if should send ACK, return true; else return false
     */ 
}

logic 2:

void
tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
{
    if (is_ack_unlimited(tp)) {.
       tcp_respond();
    ....
    }
}

I don't get the point. Eventually, all places should use tcp_send_challenge_ack(), I think. But that is multiple commits away.

cc added a comment.Jul 25 2024, 2:03 PM
In D46066#1051183, @tuexen wrote:
In D46066#1050919, @cc wrote:

Just saw https://reviews.freebsd.org/D46068. If this patch has not been committed, we can still further revise it, so that D46068 can be cleaner on function re-use.

I think the logic here can be split into two functions, such that the refined logic 1 on checking if we should send ACK can be re-used across multiple places.

logic 1:

bool
is_ack_unlimited(struct tcpcb *tp)
{
    /* focus on checking the epoch and
     * if should send ACK, return true; else return false
     */ 
}

logic 2:

void
tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
{
    if (is_ack_unlimited(tp)) {.
       tcp_respond();
    ....
    }
}

I don't get the point. Eventually, all places should use tcp_send_challenge_ack(), I think. But that is multiple commits away.

For example, ctf_ack_war_checks() can be simply refined as this:

ctf_ack_war_checks()
{
    if (is_ack_unlimited(tp)) {
        tp->t_flags |= TF_ACKNOW;
    } else {
        tp->t_flags &= ~TF_ACKNOW;
    }
}
rscheff accepted this revision.Jul 25 2024, 3:36 PM
tuexen marked 2 inline comments as done.Jul 25 2024, 8:48 PM
Closed by commit rG40299c55a05f: tcp: implement challenge ACK throttling for the base stack (authored by tuexen). · Explain WhyJul 25 2024, 8:57 PM
This revision was automatically updated to reflect the committed changes.
tuexen added a commit: rG40299c55a05f: tcp: implement challenge ACK throttling for the base stack.
tuexen added a commit: rG25d9ade9aa50: tcp: implement challenge ACK throttling for the base stack.Aug 3 2024, 11:13 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
15 lines
39 lines
6 lines

Diff 141401

View Options

sys/netinet/tcp_input.c

Loading...
View Options

sys/netinet/tcp_subr.c

Loading...
View Options

sys/netinet/tcp_var.h

Loading...