Date:      Thu, 1 Jun 2017 08:29:08 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r319399 - in stable/11/sys/netinet: . tcp_stacks
Message-ID:  <201706010829.v518T8Ze022964@repo.freebsd.org>

Author: tuexen
Date: Thu Jun  1 08:29:08 2017
New Revision: 319399
URL: https://svnweb.freebsd.org/changeset/base/319399

Log:
  MFC r316743:
  
  The sysctl variable net.inet.tcp.drop_synfin is not honored in all states,
  for example not in SYN-SENT.
  This patch adds code to check the sysctl variable in other states than
  LISTEN.
  Thanks to ae and gnn for providing comments.
  
  Reviewed by:		gnn
  Differential Revision:	https://reviews.freebsd.org/D9894

Modified:
  stable/11/sys/netinet/tcp_input.c
  stable/11/sys/netinet/tcp_stacks/fastpath.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/tcp_input.c
==============================================================================
--- stable/11/sys/netinet/tcp_input.c	Thu Jun  1 08:25:45 2017	(r319398)
+++ stable/11/sys/netinet/tcp_input.c	Thu Jun  1 08:29:08 2017	(r319399)
@@ -1596,6 +1596,16 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, stru
 	tcp_pcap_add(th, m, &(tp->t_inpkts));
 #endif
 
+	if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
+		if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+			log(LOG_DEBUG, "%s; %s: "
+			    "SYN|FIN segment ignored (based on "
+			    "sysctl setting)\n", s, __func__);
+			free(s, M_TCPLOG);
+		}
+		goto drop;
+	}
+
 	/*
 	 * Segment received on connection.
 	 * Reset idle time and keep-alive timer.
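Review bot: The SYN|FIN block added to tcp_do_segment() records the drop only through `log(LOG_DEBUG, ...)` and bumps no statistic, so with debug logging off the policy drop is invisible, and with it on the message rate is set by whoever sends the segments. Whether tcp_log_addrs() is itself gated by a logging sysctl cannot be seen from this hunk; if it is not, the message should be rate limited, and a statistics counter incremented just before `goto drop;` would give operators a cheap signal either way. The block also has no comment; something like `/* Drop SYN|FIN in any state when net.inet.tcp.drop_synfin is set. */` above the `if` would state the intent. The same remarks apply to the identical blocks added to tcp_do_segment_fastslow() and tcp_do_segment_fastack() in fastpath.c. The body of tcp_do_segment() starts and ends outside the hunk.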

Modified: stable/11/sys/netinet/tcp_stacks/fastpath.c
==============================================================================
--- stable/11/sys/netinet/tcp_stacks/fastpath.c	Thu Jun  1 08:25:45 2017	(r319398)
+++ stable/11/sys/netinet/tcp_stacks/fastpath.c	Thu Jun  1 08:29:08 2017	(r319399)
@@ -128,6 +128,8 @@ VNET_DECLARE(int, tcp_insecure_rst);
 #define	V_tcp_insecure_rst	VNET(tcp_insecure_rst)
 VNET_DECLARE(int, tcp_insecure_syn);
 #define	V_tcp_insecure_syn	VNET(tcp_insecure_syn)
+VNET_DECLARE(int, drop_synfin);
+#define	V_drop_synfin	VNET(drop_synfin)
 
 static void	 tcp_do_segment_fastslow(struct mbuf *, struct tcphdr *,
 			struct socket *, struct tcpcb *, int, int, uint8_t,
@@ -1699,7 +1701,6 @@ tcp_do_segment_fastslow(struct mbuf *m, struct tcphdr 
 	struct tcpopt to;
 
 	thflags = th->th_flags;
-	tp->sackhint.last_sack_ack = 0;
 	inc = &tp->t_inpcb->inp_inc;
 	/*
 	 * If this is either a state-changing packet or current state isn't
@@ -1729,6 +1730,23 @@ tcp_do_segment_fastslow(struct mbuf *m, struct tcphdr 
 	KASSERT(tp->t_state != TCPS_TIME_WAIT, ("%s: TCPS_TIME_WAIT",
 						__func__));
 
+	if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
+		if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+			log(LOG_DEBUG, "%s; %s: "
+			    "SYN|FIN segment ignored (based on "
+			    "sysctl setting)\n", s, __func__);
+			free(s, M_TCPLOG);
+		}
+		if (ti_locked == TI_RLOCKED) {
+			INP_INFO_RUNLOCK(&V_tcbinfo);
+		}
+		INP_WUNLOCK(tp->t_inpcb);
+		m_freem(m);
+		return;
+	}
+
+	tp->sackhint.last_sack_ack = 0;
+
 	/*
 	 * Segment received on connection.
 	 * Reset idle time and keep-alive timer.
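Review bot: The drop path added to tcp_do_segment_fastslow() open-codes the release sequence (`INP_INFO_RUNLOCK(&V_tcbinfo);`, `INP_WUNLOCK(tp->t_inpcb);`, `m_freem(m);`, `return;`) where tcp_input.c uses `goto drop;`, and the tcp_do_segment_fastack() hunk repeats the same lines verbatim. Hand-copied lock-release sequences tend to drift apart when the locking changes, so one static helper in fastpath.c that logs, unlocks and frees the mbuf, called from both functions, would keep the early exits consistent. The move of `tp->sackhint.last_sack_ack = 0;` below the check is not explained; a comment such as `/* Reset only for segments that are actually processed. */` would record why, if that is the intent. Both function bodies start and end outside their hunks.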
@@ -2141,7 +2159,6 @@ tcp_do_segment_fastack(struct mbuf *m, struct tcphdr *
 	struct tcpopt to;
 
 	thflags = th->th_flags;
-	tp->sackhint.last_sack_ack = 0;
 	inc = &tp->t_inpcb->inp_inc;
 	/*
 	 * If this is either a state-changing packet or current state isn't
@@ -2170,6 +2187,23 @@ tcp_do_segment_fastack(struct mbuf *m, struct tcphdr *
 					    __func__));
 	KASSERT(tp->t_state != TCPS_TIME_WAIT, ("%s: TCPS_TIME_WAIT",
 						__func__));
+
+	if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
+		if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+			log(LOG_DEBUG, "%s; %s: "
+			    "SYN|FIN segment ignored (based on "
+			    "sysctl setting)\n", s, __func__);
+			free(s, M_TCPLOG);
+		}
+		if (ti_locked == TI_RLOCKED) {
+			INP_INFO_RUNLOCK(&V_tcbinfo);
+		}
+		INP_WUNLOCK(tp->t_inpcb);
+		m_freem(m);
+		return;
+	}
+
+	tp->sackhint.last_sack_ack = 0;
 
 	/*
 	 * Segment received on connection.


