tcp: Rack ack war with a mis-behaving firewall or nat with resets.

Description

tcp: Rack ack war with a mis-behaving firewall or nat with resets.

Previously we added ack-war prevention for misbehaving firewalls. This is
where the f/w or nat messes up its sequence numbers and causes an ack-war.
There is yet another type of ack war that we have found in the wild that is
like unto this. Basically the f/w or nat gets an ack (keep-alive probe or such)
and instead of turning the ack/seq around and adding a TH_RST it does something
real stupid and sends a new packet with seq=0. This of course triggers the challenge
ack in the reset processing which then sends in a challenge ack (if the seq=0 is within
the range of possible sequence numbers allowed by the challenge) and then we rinse-repeat.

This will add the needed tweaks (similar to the last ack-war prevention using the same sysctls and counters)
to prevent it and allow say 5 per second by default.

Reviewed by: Michael Tuexen
Sponsored by: Netflix Inc.
Differential Revision: https://reviews.freebsd.org/D32938
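The exchange the commit message describes, as an added example that is not FreeBSD's RACK code and not part of this commit: a toy model of RST handling in the RFC 5961 style, where an in-window RST whose sequence number is not exactly RCV.NXT draws a challenge ACK, and a middlebox that answers every ACK with a RST carrying seq=0. Without a budget the two sides ping-pong until the round cap; with a per-second budget the endpoint stops answering after the allowed count. The struct and function names, the fixed one-second window, and the default budget of 5 are assumptions of this model, not the sysctls or counters the commit adds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP sequence-space comparison, modulo 2^32. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

struct seg {
    uint32_t seq;
    uint32_t ack;
    bool     rst;
};

/* Toy endpoint state (assumed names; not FreeBSD's struct tcpcb). */
struct endpoint {
    uint32_t rcv_nxt;        /* next sequence number we expect */
    uint32_t rcv_wnd;        /* receive window */
    uint32_t snd_nxt;        /* next sequence number we send */
    bool     connected;
    unsigned ack_war_limit;  /* challenge ACKs allowed per second, 0 = unlimited */
    unsigned ack_war_sent;   /* challenge ACKs sent in the current second */
    uint64_t ack_war_sec;    /* second the counter refers to */
    unsigned challenge_acks; /* total challenge ACKs emitted */
    unsigned rst_dropped;    /* RSTs ignored (out of window or over budget) */
};

enum verdict { V_DROP, V_CHALLENGE, V_RESET };

/* Classify an incoming RST by its sequence number (RFC 5961 section 3.2). */
enum verdict rst_verdict(const struct endpoint *ep, uint32_t seq)
{
    if (SEQ_LT(seq, ep->rcv_nxt) || SEQ_GEQ(seq, ep->rcv_nxt + ep->rcv_wnd))
        return V_DROP;       /* outside the receive window */
    if (seq == ep->rcv_nxt)
        return V_RESET;      /* exact match: genuine reset */
    return V_CHALLENGE;      /* in window but not exact: challenge ACK */
}

/* Fixed one-second budget for challenge ACKs (assumed policy). */
static bool challenge_allowed(struct endpoint *ep, uint64_t now_sec)
{
    if (ep->ack_war_limit == 0)
        return true;
    if (ep->ack_war_sec != now_sec) {
        ep->ack_war_sec = now_sec;
        ep->ack_war_sent = 0;
    }
    if (ep->ack_war_sent >= ep->ack_war_limit)
        return false;
    ep->ack_war_sent++;
    return true;
}

/* Process one inbound segment; returns true and fills *out if we reply. */
static bool endpoint_input(struct endpoint *ep, const struct seg *in,
                           uint64_t now_sec, struct seg *out)
{
    if (!ep->connected || !in->rst)
        return false;
    switch (rst_verdict(ep, in->seq)) {
    case V_RESET:
        ep->connected = false;
        return false;
    case V_DROP:
        ep->rst_dropped++;
        return false;
    case V_CHALLENGE:
        if (!challenge_allowed(ep, now_sec)) {
            ep->rst_dropped++;
            return false;
        }
        ep->challenge_acks++;
        out->seq = ep->snd_nxt;
        out->ack = ep->rcv_nxt;
        out->rst = false;
        return true;
    }
    return false;
}

/* The misbehaving middlebox: answers any ACK with a fresh RST, seq=0. */
static void middlebox_reply(const struct seg *in, struct seg *out)
{
    (void)in;
    out->seq = 0;
    out->ack = 0;
    out->rst = true;
}

/*
 * Run the exchange within one simulated second, starting from a keep-alive
 * probe, for at most max_rounds middlebox replies. Returns the number of
 * challenge ACKs the endpoint emitted.
 */
unsigned simulate_ack_war(unsigned limit, unsigned max_rounds)
{
    struct endpoint ep = {
        .rcv_nxt = 0xFFFFFF00u,  /* chosen so that seq=0 falls inside the window */
        .rcv_wnd = 65535,
        .snd_nxt = 1000,
        .connected = true,
        .ack_war_limit = limit,
    };
    struct seg to_mb = { .seq = ep.snd_nxt - 1, .ack = ep.rcv_nxt, .rst = false };
    struct seg from_mb;

    for (unsigned i = 0; i < max_rounds; i++) {
        middlebox_reply(&to_mb, &from_mb);
        if (!endpoint_input(&ep, &from_mb, 0, &to_mb))
            break;               /* no reply sent: the war stops here */
    }
    return ep.challenge_acks;
}

int main(void)
{
    printf("unlimited: %u challenge ACKs\n", simulate_ack_war(0, 1000));
    printf("budget 5:  %u challenge ACKs\n", simulate_ack_war(5, 1000));
    return 0;
}
```

The window base is placed just below the 2^32 wrap so that a sequence number of 0 lands inside it, which is the case the commit describes: the RST is not a valid reset, but it is close enough to provoke a challenge ACK, and the middlebox answers that challenge with another seq=0 RST.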

Details

Provenance: rrs, authored on Nov 17 2021, 2:45 PM
Reviewer: tuexen
Differential Revision: D32938: tcp: Rack ack war with a mis-behaving firewall or nat with resets.
Parents: rG09cd63416051: zfs: fix commit dae1713419a6 merge openzfs/zfs@269b5dadc into main
Branches: Unknown
Tags: Unknown