Set TCP_NODELAY on TCP connections

mbuesch · Dec 29, 2024 · f043a2c · f043a2c
1 parent a8e208e
commit f043a2c
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 16 deletions.
diff --git a/letmein-proto/src/socket.rs b/letmein-proto/src/socket.rs
@@ -360,21 +360,28 @@ pub enum NetSocket<const MSG_SIZE: usize, const Q_SIZE: usize> {
 
 impl<const MSG_SIZE: usize, const Q_SIZE: usize> NetSocket<MSG_SIZE, Q_SIZE> {
     /// Create a new [NetSocket] from a [TcpStream] connection.
-    pub fn from_tcp(stream: TcpStream) -> Self {
-        Self::Tcp(NetSocketTcp {
+    pub fn from_tcp(stream: TcpStream) -> ah::Result<Self> {
+        // Disable Nagle's algorithm.
+        // We want to send our small packets as quickly as possible.
+        stream.set_nodelay(true).context("Set TCP_NODELAY")?;
+
+        Ok(Self::Tcp(NetSocketTcp {
             stream,
             closed: AtomicBool::new(false),
-        })
+        }))
     }
 
     /// Create a new [NetSocket] from a [UdpDispatcher]
     /// and the specified connected `peer_addr`.
-    pub fn from_udp(disp: Arc<UdpDispatcher<MSG_SIZE, Q_SIZE>>, peer_addr: SocketAddr) -> Self {
-        Self::Udp(NetSocketUdp {
+    pub fn from_udp(
+        disp: Arc<UdpDispatcher<MSG_SIZE, Q_SIZE>>,
+        peer_addr: SocketAddr,
+    ) -> ah::Result<Self> {
+        Ok(Self::Udp(NetSocketUdp {
             disp,
             peer_addr,
             closed: AtomicBool::new(false),
-        })
+        }))
     }
 
     /// Send a message to the connected peer.

diff --git a/letmein-seccomp/src/lib.rs b/letmein-seccomp/src/lib.rs
@@ -62,7 +62,7 @@ pub enum Allow {
     TcpAccept,
     TcpConnect,
     Netlink,
-    SetSockOpt,
+    SetSockOpt { level_optname: Option<(i32, i32)> },
     Access,
     Open,
     Read,
@@ -225,8 +225,16 @@ impl Filter {
                     add_sys_args_match(&mut map, sys!(SYS_socket), args!(0 == libc::AF_NETLINK));
                     add_sys(&mut map, sys!(SYS_getsockopt));
                 }
-                Allow::SetSockOpt => {
-                    add_sys(&mut map, sys!(SYS_setsockopt));
+                Allow::SetSockOpt { level_optname } => {
+                    if let Some((level, optname)) = level_optname {
+                        add_sys_args_match(
+                            &mut map,
+                            sys!(SYS_setsockopt),
+                            args!(1 == level, 2 == optname),
+                        );
+                    } else {
+                        add_sys(&mut map, sys!(SYS_setsockopt));
+                    }
                 }
                 Allow::Access => {
                     #[cfg(target_arch = "x86_64")]

diff --git a/letmein/src/client.rs b/letmein/src/client.rs
@@ -43,7 +43,7 @@ impl Client {
                 .await
                 .context("Connect to server")?;
 
-            MsgNetSocket::from_tcp(stream)
+            MsgNetSocket::from_tcp(stream)?
         } else {
             assert!(control_port.udp);
 
@@ -62,7 +62,7 @@ impl Client {
                 .context("Connect to server")?;
             let peer_addr = socket.peer_addr().context("Get peer address")?;
 
-            MsgNetSocket::from_udp(Arc::new(MsgUdpDispatcher::new(socket, 1)), peer_addr)
+            MsgNetSocket::from_udp(Arc::new(MsgUdpDispatcher::new(socket, 1)), peer_addr)?
         };
 
         Ok(Self {

diff --git a/letmein/src/seccomp.rs b/letmein/src/seccomp.rs
@@ -13,7 +13,7 @@ use letmein_conf::Seccomp;
 use letmein_seccomp::{seccomp_supported, Action, Allow, Filter};
 
 #[cfg(any(target_os = "linux", target_os = "android"))]
-const ALLOW_LIST: [Allow; 13] = [
+const ALLOW_LIST: [Allow; 14] = [
     Allow::Mmap,
     Allow::Mprotect,
     Allow::Open,
@@ -27,6 +27,9 @@ const ALLOW_LIST: [Allow; 13] = [
     Allow::Send,
     Allow::Listen,
     Allow::TcpConnect,
+    Allow::SetSockOpt {
+        level_optname: Some((libc::IPPROTO_TCP as _, libc::TCP_NODELAY as _)),
+    },
     Allow::Futex,
     Allow::Uname,
 ];

diff --git a/letmeind/src/seccomp.rs b/letmeind/src/seccomp.rs
@@ -10,7 +10,7 @@ use anyhow::{self as ah, Context as _};
 use letmein_conf::Seccomp;
 use letmein_seccomp::{seccomp_supported, Action, Allow, Filter};
 
-const ALLOW_LIST: [Allow; 12] = [
+const ALLOW_LIST: [Allow; 13] = [
     Allow::Mmap,
     Allow::Mprotect,
     Allow::Read,
@@ -23,6 +23,9 @@ const ALLOW_LIST: [Allow; 12] = [
     Allow::Listen,
     Allow::TcpAccept,
     Allow::UnixConnect,
+    Allow::SetSockOpt {
+        level_optname: Some((libc::IPPROTO_TCP as _, libc::TCP_NODELAY as _)),
+    },
     Allow::Signal,
     Allow::Futex,
 ];

diff --git a/letmeind/src/server.rs b/letmeind/src/server.rs
@@ -211,13 +211,13 @@ impl Server {
             result = &mut self.tcp_join => {
                 self.tcp_join = spawn_tcp_accept(Arc::clone(&self.tcp));
                 let (stream, peer_addr) = result??;
-                let ns = MsgNetSocket::from_tcp(stream);
+                let ns = MsgNetSocket::from_tcp(stream)?;
                 Ok(Connection::new(ns, peer_addr, "TCP")?)
             }
             result = &mut self.udp_join => {
                 self.udp_join = spawn_udp_accept(Arc::clone(&self.udp));
                 let (udp_disp, peer_addr) = result??;
-                let ns = MsgNetSocket::from_udp(udp_disp, peer_addr);
+                let ns = MsgNetSocket::from_udp(udp_disp, peer_addr)?;
                 Ok(Connection::new(ns, peer_addr, "UDP")?)
             }
         }

diff --git a/letmeinfwd/src/seccomp.rs b/letmeinfwd/src/seccomp.rs
@@ -29,7 +29,9 @@ const ALLOW_LIST: [Allow; 28] = [
     Allow::Listen,
     Allow::UnixAccept,
     Allow::Netlink,
-    Allow::SetSockOpt,
+    Allow::SetSockOpt {
+        level_optname: None,
+    },
     Allow::Signal,
     Allow::SigAction,
     Allow::Futex,