Update ip_ecn to RFC 6040
Needs ReviewPublic
Actions

Authored by p.mousavizadeh_protonmail.com on Nov 1 2025, 3:58 PM.

Details

Reviewers

kp
glebius
tuexen
peter.lei_ieee.org
rscheff

Group Reviewers

transport
network

Summary

Update ecn tunneling functions to follow RFC 6040.
Add ECN_COMPLETE to support dangerous packet reporting
without causing extra cost to existing caller functions.

Update ECN_ALLOWED updated to follow the MUST requirements of RFC 6040.

Consumers can choose between ECN_COMPLETE and ECN_ALLOWED
based on their requirements.

Update IPv6 wrappers to use IPV6_FLOWLABEL_LEN to guide other developers.

Finally, return values are specified as macro to reduce
confusion, considering extra return values for ECN_WARN
and ECN_ALARM were added.

Note: these changes are necessary for the geneve (RFC 8926)
implementation.

Test Plan

I used scapy to verify expected results.
Below is a sample Scapy packet creation for ECN_DROP:

"IPv6(src='SRC_TUNNEL', dst='DST_TUNNEL', tc=3)/UDP(dport=6081,
    sport=54123)/GENEVE(proto=2048, vni=23)/IP(src='SRC_HOST',
    dst='DST_HOST', tos=0)/ICMP(type=8)"

You can test it with existing tunnel drivers that support ECN
such as gif(4) by applying IFF_LINK1 to make it ECN friendly.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 68774
Build 65657: arc lint + arc unit

Event Timeline

p.mousavizadeh_protonmail.com created this revision.Nov 1 2025, 3:58 PM

Herald added subscribers: melifaro, ae, imp. · View Herald TranscriptNov 1 2025, 3:59 PM

p.mousavizadeh_protonmail.com requested review of this revision.Nov 1 2025, 3:59 PM

Harbormaster completed remote builds in B68327: Diff 165637.Nov 1 2025, 3:59 PM

p.mousavizadeh_protonmail.com edited the summary of this revision. (Show Details)Nov 1 2025, 4:06 PM

p.mousavizadeh_protonmail.com edited the test plan for this revision. (Show Details)

p.mousavizadeh_protonmail.com added a child revision: D53517: Add ecn(9) manual.Nov 1 2025, 4:14 PM

glebius added inline comments.Nov 13 2025, 3:44 PM

sys/netinet/ip_ecn.h
47–51	Since these are return values for kernel function should be under _KERNEL. Also, I would suggest to make it a enum and function return type to also be this enum.

Update ip_ecn to RFC6040

Harbormaster completed remote builds in B68604: Diff 166369.Nov 13 2025, 4:14 PM

p.mousavizadeh_protonmail.com marked an inline comment as done.Nov 13 2025, 4:15 PM

p.mousavizadeh_protonmail.com added inline comments.Nov 13 2025, 4:18 PM

sys/netinet/ip_ecn.h
47–51	I would suggest to make it a enum and function return type to also be this enum. I prefer to do this in another revision since it may require changes to its consumers.

p.mousavizadeh_protonmail.com mentioned this in D53739: Update ip_ecn to use C standard types.Nov 13 2025, 4:31 PM

rscheff added inline comments.Nov 13 2025, 5:05 PM

sys/netinet/ip_ecn.c
201	While I like the removal of these magic numbers, and this only being tangential to the goal - I wonder if it is or ever was a good idea to move the flow label from inner to outer header, and expose this... If not in this Diff, IMHO only the ECN bits should be exposed, not the full flow label as a subsequent Diff.

Replace panic with KASSERT

Harbormaster completed remote builds in B68611: Diff 166379.Nov 13 2025, 5:27 PM

p.mousavizadeh_protonmail.com mentioned this in D53742: ip_ecn: don't touch the DSCP bits and flow_id.Nov 13 2025, 5:54 PM

p.mousavizadeh_protonmail.com added a child revision: D53742: ip_ecn: don't touch the DSCP bits and flow_id.Nov 13 2025, 5:55 PM

p.mousavizadeh_protonmail.com marked an inline comment as done.Nov 13 2025, 5:59 PM

p.mousavizadeh_protonmail.com added inline comments.

sys/netinet/ip_ecn.c
201	I wonder if it is or ever was a good idea to move the flow label from inner to outer header, and expose this... If not in this Diff, IMHO only the ECN bits should be exposed, not the full flow label as a subsequent Diff. Agree, I created a separate revision at D53742 for this because it affects if_stf, if_gif, and ipsec.