2 files changed, 38 insertions, 0 deletions

diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
index 57ad412a1..a51d758d0 100644
--- a/pkg/tcpip/stack/stack.go
+++ b/pkg/tcpip/stack/stack.go
@@ -458,6 +458,18 @@ type Stack struct {
 	// receiveBufferSize holds the min/default/max receive buffer sizes for
 	// endpoints other than TCP.
 	receiveBufferSize ReceiveBufferSizeOption
+
+	// tcpInvalidRateLimit is the maximal rate for sending duplicate
+	// acknowledgements in response to incoming TCP packets that are for an existing
+	// connection but that are invalid due to any of the following reasons:
+	//
+	//   a) out-of-window sequence number.
+	//   b) out-of-window acknowledgement number.
+	//   c) PAWS check failure (when implemented).
+	//
+	// This is required to prevent potential ACK loops.
+	// Setting this to 0 will disable all rate limiting.
+	tcpInvalidRateLimit time.Duration
 }
 
 // UniqueID is an abstract generator of unique identifiers.
@@ -668,6 +680,7 @@ func New(opts Options) *Stack {
 			Default: DefaultBufferSize,
 			Max:     DefaultMaxBufferSize,
 		},
+		tcpInvalidRateLimit: defaultTCPInvalidRateLimit,
 	}
 
 	// Add specified network protocols.
diff --git a/pkg/tcpip/stack/stack_options.go b/pkg/tcpip/stack/stack_options.go
index 8d9b20b7e..3066f4ffd 100644
--- a/pkg/tcpip/stack/stack_options.go
+++ b/pkg/tcpip/stack/stack_options.go
@@ -15,6 +15,8 @@
 package stack
 
 import (
+	"time"
+
 	"gvisor.dev/gvisor/pkg/tcpip"
 )
 
@@ -29,6 +31,10 @@ const (
 	// DefaultMaxBufferSize is the default maximum permitted size of a
 	// send/receive buffer.
 	DefaultMaxBufferSize = 4 << 20 // 4 MiB
+
+	// defaultTCPInvalidRateLimit is the default value for
+	// stack.TCPInvalidRateLimit.
+	defaultTCPInvalidRateLimit = 500 * time.Millisecond
 )
 
 // ReceiveBufferSizeOption is used by stack.(Stack*).Option/SetOption to
@@ -39,6 +45,10 @@ type ReceiveBufferSizeOption struct {
 	Max     int
 }
 
+// TCPInvalidRateLimitOption is used by stack.(Stack*).Option/SetOption to get/set
+// stack.tcpInvalidRateLimit.
+type TCPInvalidRateLimitOption time.Duration
+
 // SetOption allows setting stack wide options.
 func (s *Stack) SetOption(option interface{}) tcpip.Error {
 	switch v := option.(type) {
@@ -74,6 +84,15 @@ func (s *Stack) SetOption(option interface{}) tcpip.Error {
 		s.mu.Unlock()
 		return nil
 
+	case TCPInvalidRateLimitOption:
+		if v < 0 {
+			return &tcpip.ErrInvalidOptionValue{}
+		}
+		s.mu.Lock()
+		s.tcpInvalidRateLimit = time.Duration(v)
+		s.mu.Unlock()
+		return nil
+
 	default:
 		return &tcpip.ErrUnknownProtocolOption{}
 	}
@@ -94,6 +113,12 @@ func (s *Stack) Option(option interface{}) tcpip.Error {
 		s.mu.RUnlock()
 		return nil
 
+	case *TCPInvalidRateLimitOption:
+		s.mu.RLock()
+		*v = TCPInvalidRateLimitOption(s.tcpInvalidRateLimit)
+		s.mu.RUnlock()
+		return nil
+
 	default:
 		return &tcpip.ErrUnknownProtocolOption{}
 	}