linux_dsm_epyc7002/Documentation
Wei Wang cf1ef3f071 net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X     S
		[retry and timeout]

https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C?  X <- data ------ S
		[retry and timeout]

This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.

The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST

We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO socket not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().

The rationale behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.

Also, add a debug sysctl:
  tcp_fastopen_blackhole_detect_timeout_sec:
    the initial timeout to use when firewall blackhole issue happens.
    This can be set and read.
    When setting it to 0, it means to disable the active disable logic.

Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 14:27:17 -04:00
..
ABI Documentation: ABI: testing: sysfs-class-net-qmi: add new qmap mux files description 2017-03-25 20:03:35 -07:00
accounting
acpi
admin-guide kasan: report only the first error by default 2017-03-31 17:13:30 -07:00
aoe
arm
arm64
auxdisplay
backlight
blackfin
block
blockdev
bus-devices
cdrom
cgroup-v1
cma
connector
console
core-api
cpu-freq
cpuidle
cris
crypto
dev-tools
device-mapper
devicetree mdio_bus: Issue GPIO RESET to PHYs. 2017-04-24 12:40:24 -04:00
dmaengine
doc-guide
DocBook
driver-api cfg80211: add intro to documentation 2017-03-31 09:15:46 +02:00
driver-model
early-userspace
EDID
extcon
fault-injection
fb
features
filesystems Documentation/filesystems: fix documentation for ->getattr() 2017-04-03 01:05:56 -04:00
firmware_class
fmc
fpga
frv
gpio
gpu
hid
hwmon
i2c
ia64
ide
iio
infiniband
input
ioctl
isdn
kbuild
kdump
laptops
leds
livepatch
locking
m68k
md
media
memory-devices
metag
mic
mips
misc-devices
mmc
mn10300
mtd
namespaces
netlabel
networking net/tcp_fastopen: Disable active side TFO in certain scenarios 2017-04-24 14:27:17 -04:00
nfc
nios2
nvdimm
nvmem
parisc
PCI
pcmcia
perf
phy
platform
power
powerpc
pps
prctl
process Documentation: stable-kernel-rules: fix stable-tag format 2017-04-08 17:33:31 +02:00
pti
ptp
rapidio
RCU
s390
scheduler
scsi
security
serial
sh
sound
sparc
sphinx
sphinx-static
spi
sysctl Replace 2 jiffies with sysctl netdev_budget_usecs to enable softirq tuning 2017-04-21 13:22:34 -04:00
target
thermal
timers
trace
translations
usb
virtual KVM/ARM Fixes for v4.11-rc6 2017-04-05 16:27:47 +02:00
vm
w1
watchdog
wimax
x86
xtensa
.gitignore
00-INDEX
bcache.txt
bt8xxgpio.txt
btmrvl.txt
bus-virt-phys-mapping.txt
cachetlb.txt
cgroup-v2.txt
Changes
circular-buffers.txt
clk.txt
CodingStyle
conf.py
cpu-load.txt
cputopology.txt
crc32.txt
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
digsig.txt
DMA-API-HOWTO.txt
DMA-API.txt
DMA-attributes.txt
DMA-ISA-LPC.txt
docutils.conf
dontdiff
efi-stub.txt
eisa.txt
flexible-arrays.txt
futex-requeue-pi.txt
gcc-plugins.txt
highuid.txt
hw_random.txt
hwspinlock.txt
index.rst
intel_txt.txt
Intel-IOMMU.txt
io_ordering.txt
io-mapping.txt
iostats.txt
IPMI.txt
IRQ-affinity.txt
IRQ-domain.txt
IRQ.txt
irqflags-tracing.txt
isa.txt
isapnp.txt
kernel-doc-nano-HOWTO.txt
kernel-per-CPU-kthreads.txt
kobject.txt
kprobes.txt
kref.txt
kselftest.txt
ldm.txt
lockup-watchdogs.txt
logo.gif
logo.txt
lzo.txt
mailbox.txt
Makefile
Makefile.sphinx
memory-barriers.txt
memory-hotplug.txt
men-chameleon-bus.txt
nommu-mmap.txt
ntb.txt
numastat.txt
padata.txt
parport-lowlevel.txt
percpu-rw-semaphore.txt
phy.txt
pi-futex.txt
pinctrl.txt pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable() 2017-04-07 01:08:08 +02:00
pnp.txt
preempt-locking.txt
printk-formats.txt
pwm.txt
rbtree.txt
remoteproc.txt
rfkill.txt
robust-futex-ABI.txt
robust-futexes.txt
rpmsg.txt
rtc.txt
SAK.txt
sgi-ioc4.txt
siphash.txt
SM501.txt
smsc_ece1099.txt
static-keys.txt
SubmittingPatches
svga.txt
sync_file.txt
this_cpu_ops.txt
unaligned-memory-access.txt
unshare.txt
vfio-mediated-device.txt
vfio.txt
video-output.txt
xillybus.txt
xz.txt
zorro.txt