tcp: rate limit the sending of all RST segments

Also rate limit the sending of RST segments in the following cases:
* when receiving data on a closed socket.
* when a socket can not be created at the end of the handshake and
  the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1.
* when an ACK segment is received in SYN SENT state and it does not
  acknowledge the SYN segment.
After this change, there is no need anymore to provide a rstreason
to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST.
This will be a follow-up commit, since it will change the code in a
couple of places, but will not change the functionality.

Reviewed by:		rrs, Nick Banks, Peter Lei
MFC after:		1 week
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D51815

Author: tuexen

sys/netinet/tcp_input.c

@@ -1134,7 +1134,7 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port)
 					    V_tcp_sc_rst_sock_fail ?
 					    "sending RST" : "try again");
 				if (V_tcp_sc_rst_sock_fail) {
-					rstreason = BANDLIM_UNLIMITED;
+					rstreason = BANDLIM_TCP_RST;
 					goto dropwithreset;
 				} else
 					goto dropunlock;
@@ -1568,7 +1568,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 	 */
 	if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
 	    (SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
-		rstreason = BANDLIM_UNLIMITED;
+		rstreason = BANDLIM_TCP_RST;
 		tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
 		goto dropwithreset;
 	}
@@ -2346,7 +2346,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 		tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 		tp = tcp_close(tp);
 		TCPSTAT_INC(tcps_rcvafterclose);
-		rstreason = BANDLIM_UNLIMITED;
+		rstreason = BANDLIM_TCP_RST;
 		goto dropwithreset;
 	}
 

sys/netinet/tcp_stacks/bbr.c

@@ -7863,7 +7863,7 @@ bbr_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so,
 			/* tcp_close will kill the inp pre-log the Reset */
 			tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 			tp = tcp_close(tp);
-			ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+			ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 			BBR_STAT_INC(bbr_dropped_af_data);
 			return (1);
 		}
@@ -9405,7 +9405,7 @@ bbr_check_data_after_close(struct mbuf *m, struct tcp_bbr *bbr,
 		tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 		tp = tcp_close(tp);
 		KMOD_TCPSTAT_INC(tcps_rcvafterclose);
-		ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+		ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 		return (1);
 	}
 	if (sbavail(&so->so_snd) == 0)

sys/netinet/tcp_stacks/rack.c

@@ -12038,7 +12038,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so,
 			/* tcp_close will kill the inp pre-log the Reset */
 			tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 			tp = tcp_close(tp);
-			ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+			ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 			return (1);
 		}
 	}
@@ -13518,7 +13518,7 @@ rack_check_data_after_close(struct mbuf *m,
 		tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 		tp = tcp_close(tp);
 		KMOD_TCPSTAT_INC(tcps_rcvafterclose);
-		ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+		ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 		return (1);
 	}
 	if (sbavail(&so->so_snd) == 0)