Add support for rate limiting out of window ACKs.

Netstack today will send dupACK's with no rate limit for incoming out of
window segments. This can result in ACK loops for example if a TCP socket
connects to itself (actually permitted by TCP). Where the ACK sent in
response to packets being out of order itself gets considered as an out
of window segment resulting in another ACK being generated.

PiperOrigin-RevId: 355206877

1 files changed, 20 insertions, 0 deletions

diff --git a/pkg/tcpip/transport/tcp/endpoint.go b/pkg/tcpip/transport/tcp/endpoint.go
index e645aa194..4e5a6089f 100644
--- a/pkg/tcpip/transport/tcp/endpoint.go
+++ b/pkg/tcpip/transport/tcp/endpoint.go
@@ -688,6 +688,10 @@ type endpoint struct {
 
 	// ops is used to get socket level options.
 	ops tcpip.SocketOptions
+
+	// lastOutOfWindowAckTime is the time at which the an ACK was sent in response
+	// to an out of window segment being received by this endpoint.
+	lastOutOfWindowAckTime time.Time `state:".(unixTime)"`
 }
 
 // UniqueID implements stack.TransportEndpoint.UniqueID.
@@ -3125,3 +3129,19 @@ func GetTCPSendBufferLimits(s tcpip.StackHandler) tcpip.SendBufferSizeOption {
 		Max:     ss.Max,
 	}
 }
+
+// allowOutOfWindowAck returns true if an out-of-window ACK can be sent now.
+func (e *endpoint) allowOutOfWindowAck() bool {
+	var limit stack.TCPInvalidRateLimitOption
+	if err := e.stack.Option(&limit); err != nil {
+		panic(fmt.Sprintf("e.stack.Option(%+v) failed with error: %s", limit, err))
+	}
+
+	now := time.Now()
+	if now.Sub(e.lastOutOfWindowAckTime) < time.Duration(limit) {
+		return false
+	}
+
+	e.lastOutOfWindowAckTime = now
+	return true
+}