| From foo@baz Fri Aug 12 09:33:59 CEST 2016 |
| From: Jason Baron <jbaron@akamai.com> |
| Date: Thu, 14 Jul 2016 11:38:40 -0400 |
| Subject: tcp: enable per-socket rate limiting of all 'challenge acks' |
| |
| From: Jason Baron <jbaron@akamai.com> |
| |
| [ Upstream commit 083ae308280d13d187512b9babe3454342a7987e ] |
| |
| The per-socket rate limit for 'challenge acks' was introduced in the |
| context of limiting ack loops: |
| |
| commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock") |
| |
| And I think it can be extended to rate limit all 'challenge acks' on a |
| per-socket basis. |
| |
| Since we have the global tcp_challenge_ack_limit, this patch allows for |
| tcp_challenge_ack_limit to be set to a large value and effectively rely on |
| the per-socket limit, or set tcp_challenge_ack_limit to a lower value and |
| still prevents a single connections from consuming the entire challenge ack |
| quota. |
| |
| It further moves in the direction of eliminating the global limit at some |
| point, as Eric Dumazet has suggested. This a follow-up to: |
| Subject: tcp: make challenge acks less predictable |
| |
| Cc: Eric Dumazet <edumazet@google.com> |
| Cc: David S. Miller <davem@davemloft.net> |
| Cc: Neal Cardwell <ncardwell@google.com> |
| Cc: Yuchung Cheng <ycheng@google.com> |
| Cc: Yue Cao <ycao009@ucr.edu> |
| Signed-off-by: Jason Baron <jbaron@akamai.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++----------------- |
| 1 file changed, 22 insertions(+), 17 deletions(-) |
| |
| --- a/net/ipv4/tcp_input.c |
| +++ b/net/ipv4/tcp_input.c |
| @@ -3390,6 +3390,23 @@ static int tcp_ack_update_window(struct |
| return flag; |
| } |
| |
| +static bool __tcp_oow_rate_limited(struct net *net, int mib_idx, |
| + u32 *last_oow_ack_time) |
| +{ |
| + if (*last_oow_ack_time) { |
| + s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time); |
| + |
| + if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) { |
| + NET_INC_STATS_BH(net, mib_idx); |
| + return true; /* rate-limited: don't send yet! */ |
| + } |
| + } |
| + |
| + *last_oow_ack_time = tcp_time_stamp; |
| + |
| + return false; /* not rate-limited: go ahead, send dupack now! */ |
| +} |
| + |
| /* Return true if we're currently rate-limiting out-of-window ACKs and |
| * thus shouldn't send a dupack right now. We rate-limit dupacks in |
| * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS |
| @@ -3403,21 +3420,9 @@ bool tcp_oow_rate_limited(struct net *ne |
| /* Data packets without SYNs are not likely part of an ACK loop. */ |
| if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) && |
| !tcp_hdr(skb)->syn) |
| - goto not_rate_limited; |
| - |
| - if (*last_oow_ack_time) { |
| - s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time); |
| + return false; |
| |
| - if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) { |
| - NET_INC_STATS_BH(net, mib_idx); |
| - return true; /* rate-limited: don't send yet! */ |
| - } |
| - } |
| - |
| - *last_oow_ack_time = tcp_time_stamp; |
| - |
| -not_rate_limited: |
| - return false; /* not rate-limited: go ahead, send dupack now! */ |
| + return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time); |
| } |
| |
| /* RFC 5961 7 [ACK Throttling] */ |
| @@ -3430,9 +3435,9 @@ static void tcp_send_challenge_ack(struc |
| u32 count, now; |
| |
| /* First check our per-socket dupack rate limit. */ |
| - if (tcp_oow_rate_limited(sock_net(sk), skb, |
| - LINUX_MIB_TCPACKSKIPPEDCHALLENGE, |
| - &tp->last_oow_ack_time)) |
| + if (__tcp_oow_rate_limited(sock_net(sk), |
| + LINUX_MIB_TCPACKSKIPPEDCHALLENGE, |
| + &tp->last_oow_ack_time)) |
| return; |
| |
| /* Then check host-wide RFC 5961 rate limit. */ |
