tcp_ratelimit: Handle some edge cases with TLS + RL send tags.

- After a connection has fallen back from NIC TLS to SW TLS, any pacing rate changes should modify the inpcb send tag even though SB_TLS_IFNET is set. - If a connection tries to modify the pacing rate before the send tag has been converted from plain TLS to TLS + RL, don't fail the rate request set but let it fall through to setting the rate on the non-TLS inpcb RL tag. Reviewed by: gallatin, rrs, hselasky Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D34085
2022-01-31 16:40:04 -08:00 · 2022-01-31 16:40:04 -08:00 · d782385e9b
commit d782385e9b
parent d958bc7963
1 changed files with 21 additions and 9 deletions
--- a/sys/netinet/tcp_ratelimit.c
+++ b/sys/netinet/tcp_ratelimit.c
@ -1403,18 +1403,30 @@ tcp_chg_pacing_rate(const struct tcp_hwrate_limit_table *crte,
 #ifdef KERN_TLS
 	if (tp->t_inpcb->inp_socket->so_snd.sb_flags & SB_TLS_IFNET) {
 		tls = tp->t_inpcb->inp_socket->so_snd.sb_tls_info;
-		MPASS(tls->mode == TCP_TLS_MODE_IFNET);
-		if (tls->snd_tag != NULL &&
+		if (tls->mode != TCP_TLS_MODE_IFNET)
+			tls = NULL;
+		else if (tls->snd_tag != NULL &&
 		    tls->snd_tag->sw->type != IF_SND_TAG_TYPE_TLS_RATE_LIMIT) {
+			if (!tls->reset_pending) {
+				/*
+				 * NIC probably doesn't support
+				 * ratelimit TLS tags if it didn't
+				 * allocate one when an existing rate
+				 * was present, so ignore.
+				 */
+				tcp_rel_pacing_rate(crte, tp);
+				if (error)
+					*error = EOPNOTSUPP;
+				return (NULL);
+			}
+
 			/*
-			 * NIC probably doesn't support ratelimit TLS
-			 * tags if it didn't allocate one when an
-			 * existing rate was present, so ignore.
+			 * The send tag is being converted, so set the
+			 * rate limit on the inpcb tag.  There is a
+			 * race that the new NIC send tag might use
+			 * the current rate instead of this one.
 			 */
-			tcp_rel_pacing_rate(crte, tp);
-			if (error)
-				*error = EOPNOTSUPP;
-			return (NULL);
+			tls = NULL;
 		}
 	}
 #endif