The branch stable/14 has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e7331da314b57c39cf5c3fb5f20a2963b2485ce6

commit e7331da314b57c39cf5c3fb5f20a2963b2485ce6
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2025-08-07 20:23:54 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2025-09-05 18:57:10 +0000

    tcp: rate limit the sending of all RST segments
    
    Also rate limit the sending of RST segments in the following cases:
    * when receiving data on a closed socket.
    * when a socket can not be created at the end of the handshake and
      the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1.
    * when an ACK segment is received in SYN SENT state and it does not
      acknowledge the SYN segment.
    After this change, there is no need anymore to provide a rstreason
    to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST.
    This will be a follow-up commit, since it will change the code in a
    couple of places, but will not change the functionality.
    
    Reviewed by:            rrs, Nick Banks, Peter Lei
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51815
    
    (cherry picked from commit 2eb786d96e97a953d0256d1d622c4853964be2dc)
---
 sys/netinet/tcp_input.c       | 6 +++---
 sys/netinet/tcp_stacks/bbr.c  | 4 ++--
 sys/netinet/tcp_stacks/rack.c | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 18b489f2e605..93d2e94bcff0 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1151,7 +1151,7 @@ tfo_socket_result:
                                            V_tcp_sc_rst_sock_fail ?
                                            "sending RST" : "try again");
                                if (V_tcp_sc_rst_sock_fail) {
-                                       rstreason = BANDLIM_UNLIMITED;
+                                       rstreason = BANDLIM_TCP_RST;
                                        goto dropwithreset;
                                } else
                                        goto dropunlock;
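Review bot: The log text just above this assignment still says `"sending RST"` whenever V_tcp_sc_rst_sock_fail is set, but with `rstreason = BANDLIM_TCP_RST` the reset can now be withheld by the rate limiter. The message can therefore report a RST that never left the host, which would mislead anyone correlating this log with a packet capture while investigating a SYN flood or resource exhaustion. I would reword the string to `"sending RST (subject to rate limit)"`, or at least add `/* RST may be suppressed by the BANDLIM_TCP_RST limit */` above the `goto dropwithreset`. The log call and the enclosing function both start outside this hunk, and how the dropwithreset path applies the limit is not visible here.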
@@ -1598,7 +1598,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct 
tcphdr *th,
         */
        if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
            (SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
-               rstreason = BANDLIM_UNLIMITED;
+               rstreason = BANDLIM_TCP_RST;
                tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
                goto dropwithreset;
        }
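Review bot: `tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT)` runs before the jump to dropwithreset, so the end status, which by its name records a reset, is now written even when the BANDLIM_TCP_RST limiter later drops the segment. The same applies to the `TCP_EI_STATUS_SERVER_RST` calls in the data-after-close hunks of tcp_input.c, bbr.c and rack.c. If the limiter's verdict cannot be fed back to the logging call, a comment such as `/* RST may be suppressed by the BANDLIM_TCP_RST limit; end status is logged regardless */` would keep the log's meaning clear to someone reading it during incident analysis. tcp_do_segment starts and ends outside this hunk, so the limiter path itself is not shown.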
@@ -2359,7 +2359,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct 
tcphdr *th,
                tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
                tp = tcp_close(tp);
                TCPSTAT_INC(tcps_rcvafterclose);
-               rstreason = BANDLIM_UNLIMITED;
+               rstreason = BANDLIM_TCP_RST;
                goto dropwithreset;
        }
 
diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index 65230bbd953f..c1053e90d6da 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -7852,7 +7852,7 @@ nothing_left:
                        /* tcp_close will kill the inp pre-log the Reset */
                        tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
                        tp = tcp_close(tp);
-                       ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, 
tlen);
+                       ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
                        BBR_STAT_INC(bbr_dropped_af_data);
                        return (1);
                }
@@ -9394,7 +9394,7 @@ close_now:
                tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
                tp = tcp_close(tp);
                KMOD_TCPSTAT_INC(tcps_rcvafterclose);
-               ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+               ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
                return (1);
        }
        if (sbavail(&so->so_snd) == 0)
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index 10fc55bb2088..9a4ec0546b95 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -12428,7 +12428,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, 
struct socket *so,
                        /* tcp_close will kill the inp pre-log the Reset */
                        tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
                        tp = tcp_close(tp);
-                       ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, 
tlen);
+                       ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
                        return (1);
                }
        }
@@ -13899,7 +13899,7 @@ rack_check_data_after_close(struct mbuf *m,
                tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
                tp = tcp_close(tp);
                KMOD_TCPSTAT_INC(tcps_rcvafterclose);
-               ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+               ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
                return (1);
        }
        if (sbavail(&so->so_snd) == 0)
