tls: fix connection failures/interrupts at scale (VPP-1464)

[vpp.git] / src / vnet / tcp / tcp_input.c

diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c
index 10f50fe..d03388e 100644 (file)
--- a/src/vnet/tcp/tcp_input.c
+++ b/src/vnet/tcp/tcp_input.c
@@ -135,7 +135,8 @@ tcp_options_parse (tcp_header_t * th, tcp_options_t * to)
   data = (const u8 *) (th + 1);
 
   /* Zero out all flags but those set in SYN */
-  to->flags &= (TCP_OPTS_FLAG_SACK_PERMITTED | TCP_OPTS_FLAG_WSCALE);
+  to->flags &= (TCP_OPTS_FLAG_SACK_PERMITTED | TCP_OPTS_FLAG_WSCALE
+               | TCP_OPTS_FLAG_SACK);
 
   for (; opts_len > 0; opts_len -= opt_len, data += opt_len)
     {
@@ -2674,9 +2675,12 @@ tcp46_rcv_process_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 
              tc0->state = TCP_STATE_CLOSED;
              TCP_EVT_DBG (TCP_EVT_STATE_CHANGE, tc0);
-             /* Delete the connection/session since the pipes should be
-              * clear by now */
-             tcp_connection_del (tc0);
+
+             /* Don't free the connection from the data path since
+              * we can't ensure that we have no packets already enqueued
+              * to output. Rely instead on the waitclose timer */
+             tcp_connection_timers_reset (tc0);
+             tcp_timer_update (tc0, TCP_TIMER_WAITCLOSE, 1);
 
              goto drop;
 
@@ -3488,6 +3492,7 @@ do {                                                              \
   _(LAST_ACK, TCP_FLAG_FIN | TCP_FLAG_ACK, TCP_INPUT_NEXT_RCV_PROCESS,
     TCP_ERROR_NONE);
   _(LAST_ACK, TCP_FLAG_RST, TCP_INPUT_NEXT_RCV_PROCESS, TCP_ERROR_NONE);
+  _(LAST_ACK, TCP_FLAG_SYN, TCP_INPUT_NEXT_RCV_PROCESS, TCP_ERROR_NONE);
   _(TIME_WAIT, TCP_FLAG_FIN, TCP_INPUT_NEXT_RCV_PROCESS, TCP_ERROR_NONE);
   _(TIME_WAIT, TCP_FLAG_FIN | TCP_FLAG_ACK, TCP_INPUT_NEXT_RCV_PROCESS,
     TCP_ERROR_NONE);