Re: Enable TCP ECN by default (for inbound)

[David Hill]

On Fri, Oct 07, 2016 at 11:05:28PM -0400, David Hill wrote:
> Hello -
> 
> Many operating systems out there are starting to enable TCP ECN by
> default, most inbound-only.  Linux, FreeBSD, Apple MacOS and iOS.
> 
> This diff mimicks the FreeBSD diff found at
> http://marc.info/?l=freebsd-commits-all&m=146369644516347&w=2
> 
> It modifies the net.inet.tcp.ecn from an off and on switch to a 
> three-way setting: off, on, and inbound-only (0, 1, 2, respectively).
> 
> It also enables TCP ECN by default for inbound connections that request
> it.
> 
> My home router has TCP ECN enabled. With 36 hours of uptime, netstat -s
> shows:
>       16165 ECN connections accepted
>       1 ECE packet received
>       6 ECE packets sent
>       589 CWR packets received
>       109 CWR packets sent
> 
> This diff is just to see if there is interest in such a change.  If
> people seem to like the idea, perhaps I could update the diff to also:
>       - Remove TCP_ECN kernel option and always compile in support?
>       - Only allow 0, 1, or 2 via the sysctl net.inet.tcp.ecn knob.
>       - Update pf.os
> 
> Thoughts?
>  - David
>  

Here is a diff that doesn't change the default.

Index: netinet/tcp_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_output.c,v
retrieving revision 1.119
diff -u -p -r1.119 tcp_output.c
--- netinet/tcp_output.c        9 Feb 2017 15:19:32 -0000       1.119
+++ netinet/tcp_output.c        4 Mar 2017 21:26:02 -0000
@@ -843,10 +843,12 @@ send:
                }
                if (!(tp->t_flags & TF_DISABLE_ECN)) {
                        /*
-                        * if this is a SYN seg, set ECE and CWR.
-                        * set only ECE for SYN-ACK if peer supports ECN.
+                        * If net.inet.tcp.ecn is set to 1 and this is a
+                        * SYN seg, set both ECE and CWR.
+                        * Set only ECE for SYN-ACK if peer supports ECN.
                         */
-                       if ((flags & (TH_SYN|TH_ACK)) == TH_SYN)
+                       if (tcp_do_ecn == 1 &&
+                           (flags & (TH_SYN|TH_ACK)) == TH_SYN)
                                flags |= (TH_ECE|TH_CWR);
                        else if ((tp->t_flags & TF_ECN_PERMIT) &&
                                 (flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK))
Index: netinet/tcp_subr.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.160
diff -u -p -r1.160 tcp_subr.c
--- netinet/tcp_subr.c  9 Feb 2017 15:19:32 -0000       1.160
+++ netinet/tcp_subr.c  4 Mar 2017 21:26:02 -0000
@@ -110,7 +110,7 @@ int tcp_do_sack = 1;        /* RFC 2018 selecti
 #endif
 int    tcp_ack_on_push = 0;    /* set to enable immediate ACK-on-PUSH */
 #ifdef TCP_ECN
-int    tcp_do_ecn = 0;         /* RFC3168 ECN enabled/disabled? */
+int    tcp_do_ecn = 0;         /* RFC3168 TCP ECN 0:off 1:on 2:inbound-only */
 #endif
 int    tcp_do_rfc3390 = 2;     /* Increase TCP's Initial Window to 10*mss */
 
Index: netinet/tcp_var.h
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_var.h,v
retrieving revision 1.122
diff -u -p -r1.122 tcp_var.h
--- netinet/tcp_var.h   9 Feb 2017 15:19:32 -0000       1.122
+++ netinet/tcp_var.h   4 Mar 2017 21:26:02 -0000
@@ -703,7 +703,7 @@ extern      int tcp_do_sack;        /* SACK enabled/
 extern struct pool sackhl_pool;
 extern int tcp_sackhole_limit; /* max entries for tcp sack queues */
 #endif
-extern int tcp_do_ecn;         /* RFC3168 ECN enabled/disabled? */
+extern int tcp_do_ecn;         /* RFC3168 ECN: 0:off 1:on 2:inbound-only */
 extern int tcp_do_rfc3390;     /* RFC3390 Increasing TCP's Initial Window */
 
 extern struct pool tcpqe_pool;