tcp: filter small SACK blocks
ClosedPublic
Actions

Authored by rscheff on Fri, May 3, 10:48 AM.

Details

Reviewers

tuexen
rrs
cc
glebius
thj

Group Reviewers

transport

Commits

rGcbf3575aa3c2: tcp: filter small SACK blocks

Summary

While the SACK Scoreboard in the base stack limits
the number of holes by default to only 128 per connection
in order to prevent CPU load attacks by splitting SACKs,
filtering out SACK blocks of unusually small size can
further improve the actual processing of SACK loss recovery.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

rscheff created this revision.Fri, May 3, 10:48 AM

Herald added a reviewer: transport. · View Herald TranscriptFri, May 3, 10:48 AM

Herald added subscribers: melifaro, imp. · View Herald Transcript

Harbormaster completed remote builds in B57563: Diff 138095.Fri, May 3, 10:48 AM

rscheff requested review of this revision.Fri, May 3, 10:48 AM

I'm wondering if it would be better to require that the sack block covers at least mss - 40 bytes. We don't know if we sent a SACK or AccECN option and it doesn't make sense to ignore the SACK blocks corresponding to such packets we sent not performing an attack.