From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202510 header.b=McrGASKe;
	dkim-atps=neutral
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id 3760C5A026F
	for <passt-dev@passt.top>; Thu, 16 Oct 2025 00:58:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202510; t=1760569098;
	bh=sKn2koxwrI0kSI/QGpuXDsTagWYQNTHow7SIIcJPwPs=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=McrGASKe2jVCJxlPA/417Yv/Vt+pMszozTeuiqETtA4WbrMEYl+UKzA5hugKoQHsY
	 P+sBMhsHqKGntlpbVAvezocK3S9PNchsP4IKeYkxLcsQ+MkLRQKPsr/eME7pg5tDbE
	 jG+J8BRuaj1WgHWdeCuSgdVLtUH0kcjih4pe+FnVoGsWPHncLvmoqX02FqVJSNSmIT
	 TXxeaRN6/xTxOicRuYiTgKA+IPzH+YfovKzonZJ9pu/LU2nzKiLje6ih5vRZNt7t1J
	 s2Dt8ZhgU/eZq54/jd8bI7sx6wD9AADHKXH3NQV8tmzQC3XaNux3loKH1PXxkEpleD
	 mJTQUN9rWGvEg==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4cn6226TLqz4wB4; Thu, 16 Oct 2025 09:58:18 +1100 (AEDT)
Date: Thu, 16 Oct 2025 09:54:25 +1100
From: David Gibson <david@gibson.dropbear.id.au>
To: Yumei Huang <yuhuang@redhat.com>
Subject: Re: [PATCH v3 4/4] tcp: Update data retransmission timeout
Message-ID: <aPAmIX_ZqEPjuH7A@zatzit>
References: <20251014073836.18150-1-yuhuang@redhat.com>
 <20251014073836.18150-5-yuhuang@redhat.com>
 <aO7lMXUs9jWzBMO9@zatzit>
 <CANsz47kXgwXvbBR_=VTt2kjEy-ZZGDrqHDriP5LGv+-jM6VppQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="BCbZ1p8FKgM9fUsC"
Content-Disposition: inline
In-Reply-To: <CANsz47kXgwXvbBR_=VTt2kjEy-ZZGDrqHDriP5LGv+-jM6VppQ@mail.gmail.com>
Message-ID-Hash: 3ADSY6CIE6CQLUGHRDUVUJMCENHFJPQM
X-Message-ID-Hash: 3ADSY6CIE6CQLUGHRDUVUJMCENHFJPQM
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, sbrivio@redhat.com
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/aPAmIX_ZqEPjuH7A@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/3ADSY6CIE6CQLUGHRDUVUJMCENHFJPQM/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--BCbZ1p8FKgM9fUsC
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Oct 15, 2025 at 02:31:27PM +0800, Yumei Huang wrote:
> On Wed, Oct 15, 2025 at 8:05=E2=80=AFAM David Gibson
> <david@gibson.dropbear.id.au> wrote:
> >
> > On Tue, Oct 14, 2025 at 03:38:36PM +0800, Yumei Huang wrote:
> > > According to RFC 2988 and RFC 6298, we should use an exponential
> > > backoff timeout for data retransmission starting from one second
> > > (see Appendix A in RFC 6298), and limit it to about 60 seconds
> > > as allowed by the same RFC:
> > >
> > >    (2.5) A maximum value MAY be placed on RTO provided it is at
> > >          least 60 seconds.
> >
> > The interpretation of this isn't entirely clear to me.  Does it mean
> > if the total retransmit delay exceeds 60s we give up and RST (what
> > this patch implements)?  Or does it mean that if the retransmit delay
> > reaches 60s we keep retransmitting, but don't increase the delay any
> > further?
> >
> > Looking at tcp_bound_rto() and related code in the kernel suggests the
> > second interpretation.
> >
> > > Combine the macros defining the initial timeout for both SYN and ACK.
> > > And add a macro ACK_RETRIES to limit the total timeout to about 60s.
> > >
> > > Signed-off-by: Yumei Huang <yuhuang@redhat.com>
> > > ---
> > >  tcp.c | 32 ++++++++++++++++----------------
> > >  1 file changed, 16 insertions(+), 16 deletions(-)
> > >
> > > diff --git a/tcp.c b/tcp.c
> > > index 3ce3991..84da069 100644
> > > --- a/tcp.c
> > > +++ b/tcp.c
> > > @@ -179,16 +179,12 @@
> > >   *
> > >   * Timeouts are implemented by means of timerfd timers, set based on=
 flags:
> > >   *
> > > - * - SYN_TIMEOUT_INIT: if no ACK is received from tap/guest during h=
andshake
> > > - *   (flag ACK_FROM_TAP_DUE without ESTABLISHED event) within this t=
ime, resend
> > > - *   SYN. It's the starting timeout for the first SYN retry. If this=
 persists
> > > - *   for more than TCP_MAX_RETRIES or (tcp_syn_retries +
> > > - *   tcp_syn_linear_timeouts) times in a row, reset the connection
> > > - *
> > > - * - ACK_TIMEOUT: if no ACK segment was received from tap/guest, aft=
er sending
> > > - *   data (flag ACK_FROM_TAP_DUE with ESTABLISHED event), re-send da=
ta from the
> > > - *   socket and reset sequence to what was acknowledged. If this per=
sists for
> > > - *   more than TCP_MAX_RETRIES times in a row, reset the connection
> > > + * - ACK_TIMEOUT_INIT: if no ACK segment was received from tap/guest=
, eiher
> > > + *   during handshake(flag ACK_FROM_TAP_DUE without ESTABLISHED even=
t) or after
> > > + *   sending data (flag ACK_FROM_TAP_DUE with ESTABLISHED event), re=
-send data
> > > + *   from the socket and reset sequence to what was acknowledged. It=
's the
> > > + *   starting timeout for the first retry. If this persists for more=
 than
> > > + *   allowed times in a row, reset the connection
> > >   *
> > >   * - FIN_TIMEOUT: if a FIN segment was sent to tap/guest (flag ACK_F=
ROM_TAP_DUE
> > >   *   with TAP_FIN_SENT event), and no ACK is received within this ti=
me, reset
> > > @@ -342,8 +338,7 @@ enum {
> > >  #define WINDOW_DEFAULT                       14600           /* RFC =
6928 */
> > >
> > >  #define ACK_INTERVAL                 10              /* ms */
> > > -#define SYN_TIMEOUT_INIT             1               /* s */
> > > -#define ACK_TIMEOUT                  2
> > > +#define ACK_TIMEOUT_INIT             1               /* s, RFC 6298 =
*/
> >
> > I'd suggest calling this RTO_INIT to match the terminology used in the
> > RFCs.
>=20
> Sure.
> >
> > >  #define FIN_TIMEOUT                  60
> > >  #define ACT_TIMEOUT                  7200
> > >
> > > @@ -352,6 +347,11 @@ enum {
> > >
> > >  #define ACK_IF_NEEDED        0               /* See tcp_send_flag() =
*/
> > >
> > > +/* Number of retries calculated from the exponential backoff formula=
, limited
> > > + * by a total timeout of about 60 seconds.
> > > + */
> > > +#define ACK_RETRIES          5
> > > +
> >
> > As noted above, I think this is based on a misunderstanding of what
> > the RFC is saying.  TCP_MAX_RETRIES should be fine as it is, I think.
> > We could implement the clamping of the RTO, but it's a "MAY" in the
> > RFC, so we don't have to, and I don't really see a strong reason to do
> > so.
>=20
> If we use TCP_MAX_RETRIES and not clamping RTO, the total timeout
> could be 255 seconds.
>=20
> Stefano mentioned "Retransmitting data after 256 seconds doesn't make
> a lot of sense to me" in the previous comment.

That's true, but it's pretty much true for 60s as well.  For the local
link we usually have between passt and guest, even 1s is an eternity.

Basically I see no harm, but also no advantage to clamping or limiting
the RTO, so I'm suggesting going with the simplest code.

Note that there are (rare) situations where we could get a response
after minutes.
 - The interface on the guest was disabled for a while
 - An error in guest firewall configuration blocked packets for a while
 - A bug on the guest cause the kernel to wedge for a while
 - The user manually suspended the guest for a while (VM/passt only)

These generally indicate something has gone fairly badly wrong, but a
long RTO gives the user a bit more time to realise their mistake and
fix things.  These are niche cases, but given the cost of implementing
it is "do nothing"...

> Not sure what the reasonable timeout should be.
>=20
> BTW, clamping the RTO to limit the delay to 60s should be easy to
> implement, and it leads to 183s for the total timeout.
>=20
> I'm okay with either approach. Please let me know your thoughts. Thanks.
>=20
> >
> > >  #define CONN_IS_CLOSING(conn)                                       =
         \
> > >       (((conn)->events & ESTABLISHED) &&                             =
 \
> > >        ((conn)->events & (SOCK_FIN_RCVD | TAP_FIN_RCVD)))
> > > @@ -589,13 +589,13 @@ static void tcp_timer_ctl(const struct ctx *c, =
struct tcp_tap_conn *conn)
> > >       } else if (conn->flags & ACK_FROM_TAP_DUE) {
> > >               if (!(conn->events & ESTABLISHED)) {
> > >                       if (conn->retries < c->tcp.syn_linear_timeouts)
> > > -                             it.it_value.tv_sec =3D SYN_TIMEOUT_INIT;
> > > +                             it.it_value.tv_sec =3D ACK_TIMEOUT_INIT;
> > >                       else
> > > -                             it.it_value.tv_sec =3D SYN_TIMEOUT_INIT=
 <<
> > > +                             it.it_value.tv_sec =3D ACK_TIMEOUT_INIT=
 <<
> > >                                       (conn->retries - c->tcp.syn_lin=
ear_timeouts);
> > >               }
> > >               else
> > > -                     it.it_value.tv_sec =3D ACK_TIMEOUT;
> > > +                     it.it_value.tv_sec =3D ACK_TIMEOUT_INIT << conn=
->retries;
> > >       } else if (CONN_HAS(conn, SOCK_FIN_SENT | TAP_FIN_ACKED)) {
> > >               it.it_value.tv_sec =3D FIN_TIMEOUT;
> > >       } else {
> > > @@ -2433,7 +2433,7 @@ void tcp_timer_handler(const struct ctx *c, uni=
on epoll_ref ref)
> > >               } else if (CONN_HAS(conn, SOCK_FIN_SENT | TAP_FIN_ACKED=
)) {
> > >                       flow_dbg(conn, "FIN timeout");
> > >                       tcp_rst(c, conn);
> > > -             } else if (conn->retries =3D=3D TCP_MAX_RETRIES) {
> > > +             } else if (conn->retries >=3D ACK_RETRIES) {
> > >                       flow_dbg(conn, "retransmissions count exceeded"=
);
> > >                       tcp_rst(c, conn);
> > >               } else {
> > > --
> > > 2.47.0
> > >
> >
> > --
> > David Gibson (he or they)       | I'll have my music baroque, and my co=
de
> > david AT gibson.dropbear.id.au  | minimalist, thank you, not the other =
way
> >                                 | around.
> > http://www.ozlabs.org/~dgibson
>=20
>=20
>=20
> --=20
> Thanks,
>=20
> Yumei Huang
>=20

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--BCbZ1p8FKgM9fUsC
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmjwJhEACgkQzQJF27ox
2Gc4mRAArOpE5KO6yuzNBH7wK+MBIp/1CSxIyHnn0ylKg0GGKZlShFiCuARNdFkK
41bfDr9aos/ZpDfqxAJmD2rwCjRS2WvSODGwwPHaxXrOVlgNEVQwLx33MxNcECF+
2XS/v0ih3i16Z0I+uu8UbBkeylrtupamq397HLX8paN+2w+efoCzrawbSmXhZ9CS
rouE+6qbakgdd8nw/xbp8ZxhcRS/6VTxslKQk8QS1r1XrHaZ+lJ/JVAl4uCSSIG+
n9VJvHDmlwk5w0BlLXVcevzO7t0kah0SpS9LfwjDOrIgEzmeW9wXNEseL5OjO3ZD
/pG2tWK5JNb+wLP7CP1uJ/6j0f+5iYNxGZweXoMNG/F36Wcuea9HaN9HNzhPQkoQ
ZYEc5MfXVlFQXLw9vtHev5LrJ9RT5FA8Oi//iOyx7lkd5KmSKZku2lXRZkmeXkbH
RtOSRfZCi7Kd/VXlIqbaLJDD9GgPjgEDYC3FwqMnzH/sv0jhMMblnfe3jHd9VR/L
3J0G88eqpeCNg9wW9at5Lj1l+RL+q83yHQsMwTZMeHPhApjY+rBgCXabEJF1klSN
A+/UIXCwT7asTG3OiW264f0yqK/VdphnVgZEBjR5xDCfVV5NBi6Mia5pcIEqDMcd
yAh3i+8rtXrU9pqnj3b0UM6wBBI24xHTd1ACLOaixmoWinjEBfk=
=eP/x
-----END PGP SIGNATURE-----

--BCbZ1p8FKgM9fUsC--