
NetFlow hardening: RNG, config limit of DATA cached in SYN_RCVD state, configurable listen backlog, corner-case bug fix x 2. / GitHub CI tweaks. / Comment and/or doc changes. #114

Open

ygoldfeld wants to merge 24 commits into main from flow-112-113_rng-and-syn-security

Conversation

@ygoldfeld
Contributor

fixes #112
fixes #113

Context regarding NetFlow

  • NetFlow is a "niche" (per flow/README.md) TCP-like-over-UDP custom protocol/implementation, originally from 2011, residing in flow::net_flow. Unlike the other Flow modules such as flow::async and flow::log, which are of mainstream interest, NetFlow is a demo and test-surface by its nature at this time. It is not, for example, an implementation of QUIC or HTTP/3.
  • We have made several hardening changes, as well as corner-case bug fixes. While there are no API changes per se, we list changes with new socket-options under "API notes."

Summary

  • NetFlow (flow::net_flow):
    • Use a CSPRNG (a-la /dev/urandom) for three classic cryptographically-sensitive RNG call sites in this TCP-like-over-UDP protocol impl: ephemeral ports, initial sequence numbers (ISN), and 3-way-handshake security tokens. Remove outdated clock-based ISN-generation scheme from RFC 793 (1981).
    • Bug fix: Sending RSTs in response to weird behaviors, when a socket could not be established, hits a null pointer dereference assertion trip while trying to charge stats.
    • Bug fix: Typo in an assert() when retransmitting SYN_ACK after not getting SYN_ACK_ACK for some time. With assertions enabled (as in many debug builds and sometimes release builds), then, instead of proceeding the application would abort at that stage.
    • Comment and/or doc changes.
    • Plus: changes as explained under "API notes."

API notes

  • New config + related changes:
    • NetFlow:
      • Add socket-option-configurable backlog limit such that a net_flow::Server_socket will reject (with RST) any SYN, when the number of half-opened plus not-user-accepted connections reaches that limit for that Server_socket. The limit defaults to 64 and is configurable via a new Node-level socket-option. This option can be changed at will and will affect subsequent Server_sockets; but for an already-listening Server_socket the limit cannot be changed.
        • This is a standard TCP-stack feature, useful against SYN-flood attempts, akin to the int backlog parameter to Berkeley socket API listen().
      • Add socket-option (default: 64Ki bytes) limiting the cumulative size of cached data carried in DATA packets received (potentially legitimately due to loss or reordering of SYN_ACK_ACK packet) to a half-opened connection (state SYN_RCVD). These were previously limited by a more general (and much more typically generous) buffer-size limit.
        • Relatedly, upon dropping a DATA packet on reaching the limit, issue TRACE-level log message instead of INFO-level as before.
        • These changes help limit the effect of SYN-flood-like activities.

Impl notes

  • Test suite:
    • Add unit-test cases for the new backlog-limit feature; and the random number generation for ISNs, ephemeral ports, security tokens.
    • Add unit-test case for the now-separately-configurable NetFlow DATA-in-SYN_RCVD-state queue. Uses class Net_env_simulator to simulate losing the SYN_ACK_ACK and receiving a bunch of DATAs and saving them until hitting the limit, then dropping the rest.
  • GitHub CI pipeline:
    • Update the SCS-checkout tool version to avoid a soon-deprecated older such version.
    • Ditto the artifact-upload tool version.
  • Internal comment and/or doc changes.

To code reviewer

  • The changes are all in NetFlow and are reasonably straightforward and short.
  • The bulky/voluminous additions are tests.
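The two limits described under "API notes" (RST on a full listen backlog; a cumulative byte cap on DATA cached while a connection is in SYN_RCVD) plus the use of a non-deterministic RNG for ISNs and handshake tokens, modelled in a small stand-alone listener. This is an added illustration, not Flow's net_flow code: `ToyListener`, `HalfOpen`, `Verdict` and every method name are hypothetical, and `std::random_device` stands in for the "a-la /dev/urandom" CSPRNG the PR describes (on mainstream libstdc++/libc++ builds it is backed by getrandom/getentropy, /dev/urandom or a hardware source, but the C++ standard does not guarantee that).

```cpp
// Added example (hypothetical names): a listener that (1) answers SYN with RST once
// half-open + not-yet-accepted connections reach the backlog limit, (2) caches DATA
// arriving in SYN_RCVD only up to a cumulative byte limit, and (3) draws ISNs and
// handshake tokens from std::random_device rather than a clock.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <random>
#include <string>
#include <vector>

// Outcome of handling one incoming packet on the listener.
enum class Verdict { SynAck, Rst, Cached, Dropped };

// Per-peer state while the connection sits in SYN_RCVD.
struct HalfOpen {
  uint32_t isn = 0;                 // our initial sequence number, random
  uint64_t token = 0;               // token the peer must echo in SYN_ACK_ACK
  std::size_t cached_bytes = 0;     // cumulative DATA payload bytes cached so far
  std::vector<std::string> cached;  // DATA payloads received before SYN_ACK_ACK
};

class ToyListener {
public:
  ToyListener(std::size_t backlog_limit, std::size_t syn_rcvd_cache_limit)
    : m_backlog_limit(backlog_limit), m_cache_limit(syn_rcvd_cache_limit) {}

  // Backlog in use = half-open connections + established ones not yet accept()ed.
  std::size_t backlog_in_use() const { return m_half_open.size() + m_ready.size(); }

  // SYN arrives. Once the backlog is full, answer with RST instead of SYN_ACK.
  Verdict on_syn(const std::string& peer) {
    if (m_half_open.count(peer)) return Verdict::SynAck;  // retransmitted SYN: repeat SYN_ACK
    if (backlog_in_use() >= m_backlog_limit) return Verdict::Rst;
    HalfOpen h{};
    h.isn = random_u32();
    h.token = (uint64_t(random_u32()) << 32) | random_u32();
    m_half_open.emplace(peer, h);
    return Verdict::SynAck;
  }

  // The token our SYN_ACK carried for this peer (the peer learns it from that packet).
  std::optional<uint64_t> syn_ack_token(const std::string& peer) const {
    auto it = m_half_open.find(peer);
    if (it == m_half_open.end()) return std::nullopt;
    return it->second.token;
  }

  // DATA arrives while still in SYN_RCVD (the SYN_ACK_ACK may have been lost or
  // reordered). Cache it only while the cumulative size stays within the limit.
  Verdict on_data_in_syn_rcvd(const std::string& peer, const std::string& payload) {
    auto it = m_half_open.find(peer);
    if (it == m_half_open.end()) return Verdict::Rst;  // no such half-open connection
    HalfOpen& h = it->second;
    if (h.cached_bytes + payload.size() > m_cache_limit) return Verdict::Dropped;
    h.cached_bytes += payload.size();
    h.cached.push_back(payload);
    return Verdict::Cached;
  }

  // SYN_ACK_ACK arrives. A wrong token is ignored (nullopt); otherwise the connection
  // becomes established-but-unaccepted and the cached DATA byte count is handed over.
  std::optional<std::size_t> on_syn_ack_ack(const std::string& peer, uint64_t token) {
    auto it = m_half_open.find(peer);
    if (it == m_half_open.end() || it->second.token != token) return std::nullopt;
    std::size_t delivered = it->second.cached_bytes;
    m_ready.push_back(peer);
    m_half_open.erase(it);
    return delivered;
  }

  // User-level accept(): frees one backlog slot.
  std::optional<std::string> accept_one() {
    if (m_ready.empty()) return std::nullopt;
    std::string peer = m_ready.front();
    m_ready.erase(m_ready.begin());
    return peer;
  }

private:
  uint32_t random_u32() { return static_cast<uint32_t>(m_rng()); }

  std::size_t m_backlog_limit;
  std::size_t m_cache_limit;
  std::map<std::string, HalfOpen> m_half_open;
  std::vector<std::string> m_ready;
  std::random_device m_rng;  // non-deterministic source; typically CSPRNG-backed
};

int main() {
  ToyListener l(2, 16);  // backlog 2, 16-byte SYN_RCVD cache (constructed, tiny values)
  l.on_syn("peer-a");
  l.on_syn("peer-b");
  std::cout << "third SYN gets RST: " << (l.on_syn("peer-c") == Verdict::Rst) << "\n";
  std::cout << "10 bytes cached: " << (l.on_data_in_syn_rcvd("peer-a", "0123456789") == Verdict::Cached) << "\n";
  std::cout << "next 10 dropped: " << (l.on_data_in_syn_rcvd("peer-a", "0123456789") == Verdict::Dropped) << "\n";
  return 0;
}
```

The backlog count deliberately includes connections that completed the handshake but were not yet `accept()`ed, matching the PR's "half-opened plus not-user-accepted" rule; a slot only frees when the application accepts. The cache check is on the running total, so a payload that would push the total past the limit is dropped whole while a smaller one that still fits is kept.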

…ographically-sensitive RNG call sites in this TCP-like-over-UDP protocol impl: Ephemeral ports, initial sequence numbers, and 3-way-handshake security tokens. Removed outdated clock-based ISN scheme from RFC 793 (1981).
…(with RST) any SYN, when the number of half-opened plus not-user-accepted connection reaches that limit for that `Server_socket`. The limit defaults to 64 and is configurable via a new `Node`-level socket-option. This option can be changed at will and will affect subsequent `Server_socket`s; but for an already-listening `Server_socket` the limit cannot be changed.
…or reordering) to a half-opened connection were previously limited by a more general buffer-size limit; it is now a new separate cumulative-size per-socket option that defaults to 64Ki.
… a socket could not be established hits a null pointer dereference assertion trip; it was trying to charge stats; now avoiding that. Apparently the new RST-on-backlog limit behavior uncovered this.
…t ensure ephemeral ports, ISNs, and security tokens are random-looking).
…e NetFlow DATA-in-SYN_RCVD-state queue. Uses `Net_env_simulator` to simulate losing the SYN_ACK_ACK and receiving a bunch of DATAs and saving them until hitting the limit, then dropping the rest.
…ting SYN_ACK after not getting SYN_ACK_ACK for some time. With assertions enabled (as in many debug builds and sometimes release builds), then, instead of proceeding the application would abort at that stage. Exposed when unit-testing the DATA-queue-in-SYN_RCVD limit feature.
@ygoldfeld ygoldfeld self-assigned this Apr 24, 2026
