From d2e6258258cf2492d36cf1d359e6c87e68180f28 Mon Sep 17 00:00:00 2001
From: Andrew Gallatin
Date: Wed, 11 Sep 2019 18:48:26 +0000
Subject: [PATCH] Avoid unneeded call to arc4random() in syncache_add()

Don't call arc4random() unconditionally to initialize sc_iss, and then when syncookies are enabled, just overwrite it with the return value from from syncookie_generate(). Instead, only call arc4random() to initialize sc_iss when syncookies are not enabled. Note that on a system under a syn flood attack, arc4random() becomes quite expensive, and the chacha_poly crypto that it calls is one of the more expensive things happening on the system. Removing this unneeded arc4random() call reduces CPU from about 40% to about 35% in my test scenario (Broadwell Xeon, 6Mpps syn flood attack).
Reviewed by: rrs, tuxen, bz
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D21591
---
 sys/netinet/tcp_syncache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 7e50c9ded6ac..fd88e69b25a2 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1543,7 +1543,6 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 sc->sc_todctx = todctx;
 #endif
 sc->sc_irs = th->th_seq;
- sc->sc_iss = arc4random();
 sc->sc_flags = 0;
 sc->sc_flowlabel = 0;
@@ -1617,6 +1616,8 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 if (V_tcp_syncookies)
 sc->sc_iss = syncookie_generate(sch, sc);
+ else
+ sc->sc_iss = arc4random();
 #ifdef INET6
 if (autoflowlabel) {
 if (V_tcp_syncookies)
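Review bot: With the unconditional assignment removed in the first hunk (old line 1546), `sc->sc_iss` holds whatever the allocator left in it from the start of `syncache_add()` until the `if (V_tcp_syncookies)` branch in the second hunk, so any read of `sc_iss` on the intervening lines, or inside `syncookie_generate()` itself, would now consume stale memory instead of a fresh random value; neither site is visible here, so please confirm none exists before the new `else` branch is the only remaining initialization. The `autoflowlabel` block that follows presumably derives the flow label from `sc_iss` when syncookies are on, which is fine since it runs after this assignment. Worth pinning the new invariant with a comment above the new lines, e.g. `/* sc_iss is first initialized here; code before this point must not read it. */`. syncache_add() begins and ends outside both hunks.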