From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202412 header.b=njx6jiF3; dkim-atps=neutral Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 619035A061C for ; Wed, 22 Jan 2025 04:23:27 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202412; t=1737516194; bh=fYpg0D0GZgU22bOpRcTtU4jUEat5+tkfygaGBEnK/xA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=njx6jiF3rRXxX/1beJkO5mJoMzhuzvBVMby1iUUev/t2tdy4BMSg7NM1bJ5BC9WyI Vn+0kDp5DY0UX59FHRfuXRGjwXPQkq803iG2mLBckmG9YM4eH5ZkKTfyJehFnxU5pX C19nPNu26WfM3vsoS1FAC8u+mo5DXZ4/7VTPFjTZmdUHRvlaDQryHe3jdli45NIvPJ CGuGddCBVTsjuSfn+YSLfhHcdjnu2INdObf6tnu5jAyQvSYDtfSjSjQO7uweV9qIqN 5KHx8iezqHvP4A17LfgSaM2FdgkFx5ItnCtqQ+Cq6TeiNK4TrDHlpNiVrUJGmpemzi 3xl0D9LtR16EQ== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4Yd8Xy5JVYz4x8w; Wed, 22 Jan 2025 14:23:14 +1100 (AEDT) Date: Wed, 22 Jan 2025 13:51:37 +1030 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH] tcp: Set ACK flag on *all* RST segments, even for client in SYN-SENT state Message-ID: References: <20250120181520.2122873-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="oGnWvGqbjUQqxtBs" Content-Disposition: inline In-Reply-To: <20250120181520.2122873-1-sbrivio@redhat.com> Message-ID-Hash: SAHSGX3VOCNQISBGR4TGWOZBUDZ3D6OT X-Message-ID-Hash: SAHSGX3VOCNQISBGR4TGWOZBUDZ3D6OT X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --oGnWvGqbjUQqxtBs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jan 20, 2025 at 07:15:20PM +0100, Stefano Brivio wrote: > Somewhat curiously, RFC 9293, section 3.10.7.3, states: >=20 > If the state is SYN-SENT, then > [...] >=20 > Second, check the RST bit: > - If the RST bit is set, > [...] >=20 > o If the ACK was acceptable, then signal to the user "error: > connection reset", drop the segment, enter CLOSED state, > delete TCB, and return. Otherwise (no ACK), drop the > segment and return. >=20 > which matches verbatim RFC 793, pages 66-67, and is implemented as-is > by tcp_rcv_synsent_state_process() in the Linux kernel, that is: >=20 > /* No ACK in the segment */ >=20 > if (th->rst) { > /* rfc793: > * "If the RST bit is set > * > * Otherwise (no ACK) drop the segment and return." > */ >=20 > goto discard_and_undo; > } >=20 > meaning that if a client is in SYN-SENT state, and we send a RST > segment once we realise that we can't establish the outbound > connection, the client will ignore our segment and will need to > pointlessly wait until the connection times out instead of aborting > it right away. >=20 > The ACK flag on a RST, in this case, doesn't really seem to have any > function, but we must set it nevertheless. The ACK sequence number is > already correct because we always set it before calling > tcp_prepare_flags(), whenever relevant. >=20 > This leaves us with no cases where we should *not* set the ACK flag > on non-SYN segments, so always set the ACK flag for RST segments. >=20 > Note that non-SYN, non-RST segments were already covered by commit > 4988e2b40631 ("tcp: Unconditionally force ACK for all !SYN, !RST > packets"). >=20 > Reported-by: Dirk Janssen > Reported-by: Roeland van de Pol > Reported-by: Robert Floor > Signed-off-by: Stefano Brivio Reviewed-by: David Gibson > --- > tcp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git a/tcp.c b/tcp.c > index 4d6a6b3..c89f323 100644 > --- a/tcp.c > +++ b/tcp.c > @@ -1147,7 +1147,7 @@ int tcp_prepare_flags(const struct ctx *c, struct t= cp_tap_conn *conn, > =20 > *opts =3D TCP_SYN_OPTS(mss, conn->ws_to_tap); > *optlen =3D sizeof(*opts); > - } else if (!(flags & RST)) { > + } else { > flags |=3D ACK; > } > =20 --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --oGnWvGqbjUQqxtBs Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmeQZCkACgkQzQJF27ox 2Ge9bQ//QFSaxfhvWLFfbwzF7NisjW4JIbDAdQqxA7l4zXn5mWJaUha72crixqkU lLv1ql3fl3LKaHNxiPe1b4lxPaQdGxpwtbrjJaQEwnf6tx7UgTaNAOYI1XlQ97tF ThxK9ROhRjiAZBhE/rnpVXe8mZSgul3VdbUALwkbZfGXTc8Qo9UMtooWgveQ/olM +BB0gnmjIUgK852gi085lNbf/t+cG7e5l4aGDLpfCzGwf5Ay5ECh8TiaEd5VS/I8 CyRHbv3KFeujKTYtU5/olT0b09o5/rpuoUUPVEYfbABo59sOEx46H+BBQeSw0saJ T5vjoEigWQ5Cmc+Bl6dQCEqmS3hGKK6dZoDI7YnRfPCGEHBn5fDa6Igr8a002clP LXBpUyM8sv1CHiH7QFgAArU3B3Vz8xEPShHovCsqMtPsg/hSWq8mEuKdPp6C+FtO ZIc+KAEkj6rQMEaVip6wk2J6G8mZciHIJhHPjCQ/1CiZCIFrpQqBDSHIckC3rTiv X2UQwZVQzekkwy3Dk+NReN7SJpRB2YWzl+riJnl9vJZ5Egi7qO5b3uSH77ggUKX8 QeIEeyAJRRSI9wZ3lo5S2zrEqX6P1peG6p0qvO2DsQ3Z1lO5AQ92mJMpBX63Ct++ M9nAeY5rSAcbExJLsh/+Ln4Htg0ODNqnliV6zq2wFsWfU92gEJ4= =iz7C -----END PGP SIGNATURE----- --oGnWvGqbjUQqxtBs--