freebsd-skq/sys/security
Gleb Smirnoff 08d9c92027 tcp_input/syncache: acquire only read lock on PCB for SYN,!ACK packets
When a packet is a SYN packet, we don't need to modify any existing PCB.
Normally SYN arrives on a listening socket, we either create a syncache
entry or generate syncookie, but we don't modify anything with the
listening socket or associated PCB. Thus create a new PCB lookup
mode - rlock if listening. This removes the primary contention point
under SYN flood - the listening socket PCB.

Sidenote: when SYN arrives on a synchronized connection, we still
don't need write access to PCB to send a challenge ACK or just to
drop. There is only one exclusion - tcptw recycling. However,
existing entanglement of tcp_input + stacks doesn't allow making
this change small. Consider this patch as a first approach to the problem.

Reviewed by:	rrs
Differential revision:	https://reviews.freebsd.org/D29576
2021-04-12 08:25:31 -07:00
audit                 close_range: add audit support  2021-02-23 17:47:07 +00:00
mac                   tcp_input/syncache: acquire only read lock on PCB for SYN,!ACK packets  2021-04-12 08:25:31 -07:00
mac_biba              security: clean up empty lines in .c and .h files  2020-09-01 21:26:00 +00:00
mac_bsdextended       Deduplicate fsid comparisons  2020-05-21 01:55:35 +00:00
mac_ifoff             Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)  2020-02-26 14:26:36 +00:00
mac_lomac             security: clean up empty lines in .c and .h files  2020-09-01 21:26:00 +00:00
mac_mls               security: clean up empty lines in .c and .h files  2020-09-01 21:26:00 +00:00
mac_none
mac_ntpd              Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)  2020-02-26 14:26:36 +00:00
mac_partition         Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)  2020-02-26 14:26:36 +00:00
mac_portacl           Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)  2020-02-26 14:26:36 +00:00
mac_seeotheruids      Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)  2020-02-26 14:26:36 +00:00
mac_stub              security: clean up empty lines in .c and .h files  2020-09-01 21:26:00 +00:00
mac_test              Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)  2020-02-26 14:26:36 +00:00
mac_veriexec          Convert remaining cap_rights_init users to cap_rights_init_one  2021-01-12 13:16:10 +00:00
mac_veriexec_parser   security: clean up empty lines in .c and .h files  2020-09-01 21:26:00 +00:00