linux/Documentation
Wei Wang cf1ef3f071 net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X     S
		[retry and timeout]

https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C?  X <- data ------ S
		[retry and timeout]

This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.

The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST

We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().

The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.

Also, add a debug sysctl:
  tcp_fastopen_blackhole_detect_timeout_sec:
    the initial timeout to use when firewall blackhole issue happens.
    This can be set and read.
    When setting it to 0, it means to disable the active disable logic.

Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 14:27:17 -04:00
..
ABI Documentation: ABI: testing: sysfs-class-net-qmi: add new qmap mux files description 2017-03-25 20:03:35 -07:00
accounting tools: move accounting tool from Documentation 2016-09-23 13:07:15 -06:00
acpi scripts/spelling.txt: add "followings" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
admin-guide kasan: report only the first error by default 2017-03-31 17:13:30 -07:00
aoe
arm arm: sunxi: add support for V3s SoC 2017-01-20 21:31:34 +01:00
arm64 irqchip/gicv3-its: Add workaround for QDF2400 ITS erratum 0065 2017-03-07 14:34:27 +00:00
auxdisplay samples: move auxdisplay example code from Documentation 2016-09-23 11:52:32 -06:00
backlight
blackfin samples: move blackfin gptimers-example from Documentation 2016-10-10 07:12:02 -06:00
block A slightly quieter cycle for documentation this time around. 2017-02-22 18:51:29 -08:00
blockdev scripts/spelling.txt: add "followings" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
bus-devices
cdrom cdrom: Make device operations read-only 2017-02-14 08:29:56 -07:00
cgroup-v1 Merge branch 'for-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup 2017-02-27 21:41:08 -08:00
cma
connector
console
core-api Documentation: Update CPU hotplug and move it to core-api 2017-01-13 10:32:32 -07:00
cpu-freq A slightly quieter cycle for documentation this time around. 2017-02-22 18:51:29 -08:00
cpuidle
cris
crypto crypto: doc - fix typo 2017-02-15 13:23:49 +08:00
dev-tools scripts/spelling.txt: add "disble(d)" pattern and fix typo instances 2017-03-09 17:01:09 -08:00
device-mapper scripts/spelling.txt: add "explictely" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
devicetree mdio_bus: Issue GPIO RESET to PHYs. 2017-04-24 12:40:24 -04:00
dmaengine dmaengine: Documentation: Fix typo in pxa_dma.txt 2016-11-14 08:14:24 +05:30
doc-guide docs-rst: parse-headers.pl: cleanup the documentation 2016-11-30 17:08:09 -07:00
DocBook A few fixes for the docs tree, including one for a 4.11 build regression. 2017-03-04 11:32:18 -08:00
driver-api cfg80211: add intro to documentation 2017-03-31 09:15:46 +02:00
driver-model irqdesc: Add a resource managed version of irq_alloc_descs() 2017-02-10 14:39:20 +01:00
early-userspace
EDID
extcon extcon: int3496: Add GPIO ACPI mapping table 2017-03-22 18:29:46 +09:00
fault-injection
fb
features 2nd round of ARC udpates for 4.10rc1 2016-12-23 10:22:47 -08:00
filesystems Documentation/filesystems: fix documentation for ->getattr() 2017-04-03 01:05:56 -04:00
firmware_class firmware: revamp firmware documentation 2017-01-11 09:42:59 +01:00
fmc
fpga fpga: Add scatterlist based programming 2017-02-10 15:20:44 +01:00
frv docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
gpio gpio: random documentation update 2017-01-31 15:43:05 +01:00
gpu Less anger inducing pull request for 4.11 2017-02-23 18:58:18 -08:00
hid
hwmon A slightly quieter cycle for documentation this time around. 2017-02-22 18:51:29 -08:00
i2c i2c: i801: Add support for Intel Gemini Lake 2017-02-09 17:39:16 +01:00
ia64 selftests: move ia64 tests from Documentation/ia64 2016-09-20 09:58:12 -06:00
ide
iio iio: Documentation: Correct the path used to create triggers. 2016-10-01 00:49:58 -06:00
infiniband IB/hfi1: Document new sysfs entries for hfi1 driver 2016-10-02 08:42:19 -04:00
input Documentation: input: fix path to input code definitions 2017-02-12 15:19:00 -07:00
ioctl rpmsg updates for v4.11 2017-02-23 09:41:03 -08:00
isdn docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
kbuild Kconfig: Introduce the "imply" keyword 2016-11-16 09:26:33 +01:00
kdump Documentation: kdump: Add description of enable multi-cpus support 2016-09-20 18:02:54 -06:00
laptops platform/x86: thinkpad_acpi: Add support for X1 Yoga (2016) Tablet Mode 2016-12-13 09:29:06 -08:00
leds leds: class: Add new optional brightness_hw_changed attribute 2017-01-29 19:59:42 +01:00
livepatch A slightly quieter cycle for documentation this time around. 2017-02-22 18:51:29 -08:00
locking locking/ww_mutex/Documentation: Update the design document 2017-01-14 11:14:55 +01:00
m68k docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
md MD: add doc for raid5-cache 2017-02-13 09:17:54 -08:00
media A few fixes for the docs tree, including one for a 4.11 build regression. 2017-03-04 11:32:18 -08:00
memory-devices
metag
mic samples: move mic/mpssd example code from Documentation 2016-09-20 12:38:48 -06:00
mips
misc-devices samples: move misc-devices/mei example code from Documentation 2016-09-23 11:51:43 -06:00
mmc
mn10300
mtd spi-nor: Add support for Intel SPI serial flash controller 2017-01-03 17:33:36 +00:00
namespaces
netlabel
networking net/tcp_fastopen: Disable active side TFO in certain scenarios 2017-04-24 14:27:17 -04:00
nfc
nios2
nvdimm
nvmem
parisc
PCI A few fixes for the docs tree, including one for a 4.11 build regression. 2017-03-04 11:32:18 -08:00
pcmcia tools: move pcmcia crc32hash tool from Documentation 2016-09-23 13:07:27 -06:00
perf perf: add qcom l2 cache perf events driver 2017-02-08 19:32:24 +00:00
phy
platform
power More power management updates for v4.11-rc1 2017-03-02 17:33:52 -08:00
powerpc powerpc updates for 4.9 2016-10-07 20:19:31 -07:00
pps Doc: clarify source of jitter in USB1.1, and USB2.0 2017-01-04 14:40:52 -07:00
prctl selftests: move prctl tests from Documentation/prctl 2016-09-20 09:09:09 -06:00
process Documentation: stable-kernel-rules: fix stable-tag format 2017-04-08 17:33:31 +02:00
pti
ptp selftests: move ptp tests from Documentation/ptp 2016-09-20 09:54:38 -06:00
rapidio rapidio/documentation/mport_cdev: add missing parameter description 2016-09-01 17:52:02 -07:00
RCU Merge branches 'doc.2017.01.15b', 'dyntick.2017.01.23a', 'fixes.2017.01.23a', 'srcu.2017.01.25a' and 'torture.2017.01.15b' into HEAD 2017-01-25 12:56:05 -08:00
s390 Documentation: Update path to sysrq.txt 2017-03-03 15:48:38 -07:00
scheduler sched/Documentation/sched-rt-group: Fix incorrect example 2017-01-22 10:34:17 +01:00
scsi scripts/spelling.txt: add "varible" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
security KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00
serial
sh
sound scripts/spelling.txt: add "followings" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
sparc Documentation/sparc: Steps for sending break on sunhv console 2017-02-23 08:27:25 -08:00
sphinx docs: sphinx-extensions: make rstFlatTable work with docutils 0.13 2016-12-18 13:30:29 -07:00
sphinx-static This is the documentation update pull for the 4.9 merge window. 2016-10-04 13:54:07 -07:00
spi spi: spi-ep93xx: simplify GPIO chip selects 2017-02-16 20:10:26 +00:00
sysctl Replace 2 jiffies with sysctl netdev_budget_usecs to enable softirq tuning 2017-04-21 13:22:34 -04:00
target
thermal Documentation: fix spelling mistakes of "Celcius" -- > "Celsius" 2017-01-04 14:36:17 -07:00
timers time: Remove CONFIG_TIMER_STATS 2017-02-10 11:15:08 +01:00
trace perf/core: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS 2017-03-01 10:26:39 +01:00
translations doc/ko_KR/memory-barriers: Update control-dependencies section 2017-03-03 15:54:55 -07:00
usb A slightly quieter cycle for documentation this time around. 2017-02-22 18:51:29 -08:00
virtual KVM/ARM Fixes for v4.11-rc6 2017-04-05 16:27:47 +02:00
vm userfaultfd: non-cooperative: rollback userfaultfd_exit 2017-03-09 17:01:09 -08:00
w1
watchdog watchdog: Introduce watchdog_stop_on_unregister helper 2017-02-24 14:00:23 -08:00
wimax
x86 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-02-28 11:46:00 -08:00
xtensa
.gitignore
00-INDEX Documentation: move MD related doc into a separate dir 2017-02-13 09:17:53 -08:00
bcache.txt
bt8xxgpio.txt
btmrvl.txt
bus-virt-phys-mapping.txt
cachetlb.txt
cgroup-v2.txt cgroup: Fix indenting in PID controller documentation 2017-03-06 14:46:27 -05:00
Changes docs: add back 'Documentation/Changes' file (as symlink) 2016-12-14 16:30:12 -08:00
circular-buffers.txt Documentation: circular-buffers: use READ_ONCE() 2016-11-16 16:17:45 -07:00
clk.txt
CodingStyle doc: re-add CodingStyle and SubmittingPatches 2016-10-24 08:12:35 -02:00
conf.py Documentation/sphinx: fix primary_domain configuration 2017-03-03 16:12:30 -07:00
cpu-load.txt
cputopology.txt
crc32.txt
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
digsig.txt
DMA-API-HOWTO.txt Documentation: DMA-API-HOWTO: Fix a typo 2016-09-20 17:58:46 -06:00
DMA-API.txt dma-mapping: add dma_{map,unmap}_resource 2016-09-26 22:16:41 +05:30
DMA-attributes.txt common: DMA-mapping: add DMA_ATTR_PRIVILEGED attribute 2017-01-19 15:56:19 +00:00
DMA-ISA-LPC.txt Documentation: DMA-ISA-LPC.txt 2017-02-12 15:20:07 -07:00
docutils.conf
dontdiff Documentation: dontdiff: Update with additional entries 2017-01-26 15:08:06 -07:00
efi-stub.txt
eisa.txt
flexible-arrays.txt
futex-requeue-pi.txt
gcc-plugins.txt gcc-plugins: update architecture list in documentation 2017-03-21 22:20:05 +11:00
highuid.txt
hw_random.txt
hwspinlock.txt
index.rst docs/zh_CN: Add coding-style into docs build system 2017-01-26 15:30:34 -07:00
intel_txt.txt
Intel-IOMMU.txt
io_ordering.txt
io-mapping.txt
iostats.txt
IPMI.txt Documentation: Fix a typo in IPMI.txt. 2017-01-05 15:01:54 -06:00
IRQ-affinity.txt
IRQ-domain.txt
IRQ.txt
irqflags-tracing.txt
isa.txt
isapnp.txt
kernel-doc-nano-HOWTO.txt docs-rst: doc-guide: split the kernel-documentation.rst contents 2016-11-19 10:22:04 -07:00
kernel-per-CPU-kthreads.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
kobject.txt
kprobes.txt
kref.txt
kselftest.txt scripts/spelling.txt: add "an user" pattern and fix typo instances 2017-02-27 18:43:46 -08:00
ldm.txt
lockup-watchdogs.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
logo.gif
logo.txt
lzo.txt
mailbox.txt
Makefile samples: move blackfin gptimers-example from Documentation 2016-10-10 07:12:02 -06:00
Makefile.sphinx Add a target to check broken external links in the Documentation 2017-02-15 15:22:47 -07:00
memory-barriers.txt doc: Update control-dependencies section of memory-barriers.txt 2017-01-14 21:29:15 -08:00
memory-hotplug.txt scripts/spelling.txt: add "followings" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
men-chameleon-bus.txt
nommu-mmap.txt
ntb.txt
numastat.txt
padata.txt
parport-lowlevel.txt
percpu-rw-semaphore.txt
phy.txt
pi-futex.txt
pinctrl.txt pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable() 2017-04-07 01:08:08 +02:00
pnp.txt
preempt-locking.txt
printk-formats.txt
pwm.txt
rbtree.txt
remoteproc.txt remoteproc: Split driver and consumer dereferencing 2016-10-02 22:50:21 -07:00
rfkill.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
robust-futex-ABI.txt
robust-futexes.txt
rpmsg.txt
rtc.txt
SAK.txt
sgi-ioc4.txt
siphash.txt siphash: implement HalfSipHash1-3 for hash tables 2017-01-09 13:58:57 -05:00
SM501.txt
smsc_ece1099.txt
static-keys.txt jump_label: Reduce the size of struct static_key 2017-02-15 09:02:26 -05:00
SubmittingPatches doc: re-add CodingStyle and SubmittingPatches 2016-10-24 08:12:35 -02:00
svga.txt
sync_file.txt dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
this_cpu_ops.txt
unaligned-memory-access.txt Documentation/unaligned-memory-access.txt: fix incorrect comparison operator 2016-12-27 13:08:42 -07:00
unshare.txt
vfio-mediated-device.txt vfio-mdev: Make mdev_parent private 2016-12-30 08:13:41 -07:00
vfio.txt
video-output.txt
xillybus.txt
xz.txt
zorro.txt