Remove TCP_SAD optional code now that the sack filter performs this function.
With the commit of D44903 we no longer need the SAD option. Instead, all stacks that use the sack filter inherit its protection against SACK attacks.

Reviewed by: tuexen@
Differential Revision: https://reviews.freebsd.org/D45216
@@ -242,7 +242,6 @@ TCP_RACK opt_inet.h
|
||||
# algorithm that uses "normal" behaviour with SACK's to detect
|
||||
# a possible attack. It is strictly experimental at this point.
|
||||
#
|
||||
TCP_SAD_DETECTION opt_inet.h
|
||||
TURNSTILE_PROFILING
|
||||
UMTX_PROFILING
|
||||
UMTX_CHAINS opt_global.h
|
||||
|
||||
+15
-694
File diff suppressed because it is too large
@@ -199,7 +199,6 @@ struct rack_opts_stats {
|
||||
uint64_t tcp_rack_min_pace_seg;
|
||||
uint64_t tcp_rack_pace_rate_ca;
|
||||
uint64_t tcp_rack_rr;
|
||||
uint64_t tcp_rack_do_detection;
|
||||
uint64_t tcp_rack_rrr_no_conf_rate;
|
||||
uint64_t tcp_initial_rate;
|
||||
uint64_t tcp_initial_win;
|
||||
@@ -458,10 +457,6 @@ struct rack_control {
|
||||
uint16_t rack_per_of_gp_rec; /* 100 = 100%, so from 65536 = 655 x bw, 0=off */
|
||||
uint16_t rack_per_of_gp_probertt; /* 100 = 100%, so from 65536 = 655 x bw, 0=off */
|
||||
uint32_t rc_high_rwnd;
|
||||
uint32_t ack_count;
|
||||
uint32_t sack_count;
|
||||
uint32_t sack_noextra_move;
|
||||
uint32_t sack_moved_extra;
|
||||
struct rack_rtt_sample rack_rs;
|
||||
const struct tcp_hwrate_limit_table *crte;
|
||||
uint32_t rc_agg_early;
|
||||
@@ -563,7 +558,6 @@ struct rack_control {
|
||||
uint32_t rc_min_to; /* Socket option value Lock(a) */
|
||||
uint32_t rc_pkt_delay; /* Socket option value Lock(a) */
|
||||
uint32_t persist_lost_ends;
|
||||
uint32_t ack_during_sd;
|
||||
uint32_t input_pkt;
|
||||
uint32_t saved_input_pkt;
|
||||
uint32_t saved_policer_val; /* The encoded value we used to setup policer detection */
|
||||
@@ -790,8 +784,7 @@ struct tcp_rack {
|
||||
set_pacing_done_a_iw : 1,
|
||||
use_rack_rr : 1,
|
||||
alloc_limit_reported : 1,
|
||||
sack_attack_disable : 1,
|
||||
do_detection : 1,
|
||||
rack_avail : 2,
|
||||
rc_force_max_seg : 1;
|
||||
uint8_t r_early : 1,
|
||||
r_late : 1,
|
||||
|
||||
@@ -139,58 +139,6 @@ VNET_DEFINE(int, tcp_mssdflt) = TCP_MSS;
|
||||
VNET_DEFINE(int, tcp_v6mssdflt) = TCP6_MSS;
|
||||
#endif
|
||||
|
||||
#ifdef TCP_SAD_DETECTION
|
||||
/* Sack attack detection thresholds and such */
|
||||
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, sack_attack,
|
||||
CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
|
||||
"Sack Attack detection thresholds");
|
||||
int32_t tcp_force_detection = 0;
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, force_detection,
|
||||
CTLFLAG_RW,
|
||||
&tcp_force_detection, 0,
|
||||
"Do we force detection even if the INP has it off?");
|
||||
int32_t tcp_sad_limit = 10000;
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, limit,
|
||||
CTLFLAG_RW,
|
||||
&tcp_sad_limit, 10000,
|
||||
"If SaD is enabled, what is the limit to sendmap entries (0 = unlimited)?");
|
||||
int32_t tcp_sack_to_ack_thresh = 700; /* 70 % */
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, sack_to_ack_thresh,
|
||||
CTLFLAG_RW,
|
||||
&tcp_sack_to_ack_thresh, 700,
|
||||
"Percentage of sacks to acks we must see above (10.1 percent is 101)?");
|
||||
int32_t tcp_sack_to_move_thresh = 600; /* 60 % */
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, move_thresh,
|
||||
CTLFLAG_RW,
|
||||
&tcp_sack_to_move_thresh, 600,
|
||||
"Percentage of sack moves we must see above (10.1 percent is 101)");
|
||||
int32_t tcp_restoral_thresh = 450; /* 45 % (sack:2:ack -25%) (mv:ratio -15%) **/
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, restore_thresh,
|
||||
CTLFLAG_RW,
|
||||
&tcp_restoral_thresh, 450,
|
||||
"Percentage of sack to ack percentage we must see below to restore(10.1 percent is 101)");
|
||||
int32_t tcp_sad_decay_val = 800;
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, decay_per,
|
||||
CTLFLAG_RW,
|
||||
&tcp_sad_decay_val, 800,
|
||||
"The decay percentage (10.1 percent equals 101 )");
|
||||
int32_t tcp_map_minimum = 500;
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, nummaps,
|
||||
CTLFLAG_RW,
|
||||
&tcp_map_minimum, 500,
|
||||
"Number of Map enteries before we start detection");
|
||||
int32_t tcp_sad_pacing_interval = 2000;
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, sad_pacing_int,
|
||||
CTLFLAG_RW,
|
||||
&tcp_sad_pacing_interval, 2000,
|
||||
"What is the minimum pacing interval for a classified attacker?");
|
||||
|
||||
int32_t tcp_sad_low_pps = 100;
|
||||
SYSCTL_INT(_net_inet_tcp_sack_attack, OID_AUTO, sad_low_pps,
|
||||
CTLFLAG_RW,
|
||||
&tcp_sad_low_pps, 100,
|
||||
"What is the input pps that below which we do not decay?");
|
||||
#endif
|
||||
uint32_t tcp_ack_war_time_window = 1000;
|
||||
SYSCTL_UINT(_net_inet_tcp, OID_AUTO, ack_war_timewindow,
|
||||
CTLFLAG_RW,
|
||||
|
||||
@@ -1421,19 +1421,6 @@ extern counter_u64_t tcp_comp_total;
|
||||
extern counter_u64_t tcp_uncomp_total;
|
||||
extern counter_u64_t tcp_bad_csums;
|
||||
|
||||
#ifdef TCP_SAD_DETECTION
|
||||
/* Various SACK attack thresholds */
|
||||
extern int32_t tcp_force_detection;
|
||||
extern int32_t tcp_sad_limit;
|
||||
extern int32_t tcp_sack_to_ack_thresh;
|
||||
extern int32_t tcp_sack_to_move_thresh;
|
||||
extern int32_t tcp_restoral_thresh;
|
||||
extern int32_t tcp_sad_decay_val;
|
||||
extern int32_t tcp_sad_pacing_interval;
|
||||
extern int32_t tcp_sad_low_pps;
|
||||
extern int32_t tcp_map_minimum;
|
||||
extern int32_t tcp_attack_on_turns_on_logging;
|
||||
#endif
|
||||
extern uint32_t tcp_ack_war_time_window;
|
||||
extern uint32_t tcp_ack_war_cnt;
|
||||
|
||||
|
||||