2 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
37 #include "opt_ipfw.h" /* for ipfw_fwd */
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40 #include "opt_tcpdebug.h"
41 #include "opt_tcp_input.h"
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/kernel.h>
46 #include <sys/sysctl.h>
47 #include <sys/malloc.h>
49 #include <sys/proc.h> /* for proc0 declaration */
50 #include <sys/protosw.h>
51 #include <sys/socket.h>
52 #include <sys/socketvar.h>
53 #include <sys/syslog.h>
55 #include <machine/cpu.h> /* before tcp_seq.h, for tcp_random18() */
58 #include <net/route.h>
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */
64 #include <netinet/in_var.h>
65 #include <netinet/icmp_var.h> /* for ICMP_BANDLIM */
66 #include <netinet/in_pcb.h>
67 #include <netinet/ip_var.h>
69 #include <netinet/ip6.h>
70 #include <netinet/icmp6.h>
71 #include <netinet6/nd6.h>
72 #include <netinet6/ip6_var.h>
73 #include <netinet6/in6_pcb.h>
75 #include <netinet/tcp.h>
76 #include <netinet/tcp_fsm.h>
77 #include <netinet/tcp_seq.h>
78 #include <netinet/tcp_timer.h>
79 #include <netinet/tcp_var.h>
81 #include <netinet6/tcp6_var.h>
83 #include <netinet/tcpip.h>
85 #include <netinet/tcp_debug.h>
87 u_char tcp_saveipgen[40]; /* the size must be of max ip header, now IPv6 */
88 struct tcphdr tcp_savetcp;
92 #include <netinet6/ipsec.h>
94 #include <netinet6/ipsec6.h>
96 #include <netkey/key.h>
99 #include <machine/in_cksum.h>
101 MALLOC_DEFINE(M_TSEGQ, "tseg_qent", "TCP segment queue entry");
103 static int tcprexmtthresh = 3;
107 struct tcpstat tcpstat;
108 SYSCTL_STRUCT(_net_inet_tcp, TCPCTL_STATS, stats, CTLFLAG_RD,
109 &tcpstat , tcpstat, "TCP statistics (struct tcpstat, netinet/tcp_var.h)");
111 static int log_in_vain = 0;
112 SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
113 &log_in_vain, 0, "Log all incoming TCP connections");
115 static int blackhole = 0;
116 SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
117 &blackhole, 0, "Do not send RST when dropping refused connections");
119 int tcp_delack_enabled = 1;
120 SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
121 &tcp_delack_enabled, 0,
122 "Delay ACK to try and piggyback it onto a data packet");
124 #ifdef TCP_DROP_SYNFIN
125 static int drop_synfin = 0;
126 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
127 &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
130 #ifdef TCP_RESTRICT_RST
131 static int restrict_rst = 0;
132 SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW,
133 &restrict_rst, 0, "Restrict RST emission");
136 struct inpcbhead tcb;
137 #define tcb6 tcb /* for KAME src sync over BSD*'s */
138 struct inpcbinfo tcbinfo;
140 static void tcp_dooptions __P((struct tcpcb *,
141 u_char *, int, struct tcphdr *, struct tcpopt *));
142 static void tcp_pulloutofband __P((struct socket *,
143 struct tcphdr *, struct mbuf *, int));
144 static int tcp_reass __P((struct tcpcb *, struct tcphdr *, int *,
146 static void tcp_xmit_timer __P((struct tcpcb *, int));
147 static int tcp_newreno __P((struct tcpcb *, struct tcphdr *));
149 /* Neighbor Discovery, Neighbor Unreachability Detection Upper layer hint. */
151 #define ND6_HINT(tp) \
153 if ((tp) && (tp)->t_inpcb && \
154 ((tp)->t_inpcb->inp_vflag & INP_IPV6) != 0 && \
155 (tp)->t_inpcb->in6p_route.ro_rt) \
156 nd6_nud_hint((tp)->t_inpcb->in6p_route.ro_rt, NULL, 0); \
163 * Insert segment which inludes th into reassembly queue of tcp with
164 * control block tp. Return TH_FIN if reassembly now includes
165 * a segment with FIN. The macro form does the common case inline
166 * (segment is the next to be received on an established connection,
167 * and the queue is empty), avoiding linkage into and removal
168 * from the queue and repetition of various conversions.
169 * Set DELACK for segments received in order, but ack immediately
170 * when segments are out of order (so fast retransmit can work).
172 #define TCP_REASS(tp, th, tlenp, m, so, flags) { \
173 if ((th)->th_seq == (tp)->rcv_nxt && \
174 LIST_EMPTY(&(tp)->t_segq) && \
175 (tp)->t_state == TCPS_ESTABLISHED) { \
176 if (tcp_delack_enabled) \
177 callout_reset(tp->tt_delack, tcp_delacktime, \
178 tcp_timer_delack, tp); \
180 tp->t_flags |= TF_ACKNOW; \
181 (tp)->rcv_nxt += *(tlenp); \
182 flags = (th)->th_flags & TH_FIN; \
183 tcpstat.tcps_rcvpack++;\
184 tcpstat.tcps_rcvbyte += *(tlenp);\
186 sbappend(&(so)->so_rcv, (m)); \
189 (flags) = tcp_reass((tp), (th), (tlenp), (m)); \
190 tp->t_flags |= TF_ACKNOW; \
195 tcp_reass(tp, th, tlenp, m)
196 register struct tcpcb *tp;
197 register struct tcphdr *th;
202 struct tseg_qent *p = NULL;
203 struct tseg_qent *nq;
204 struct tseg_qent *te;
205 struct socket *so = tp->t_inpcb->inp_socket;
209 * Call with th==0 after become established to
210 * force pre-ESTABLISHED data up to user socket.
215 /* Allocate a new queue entry. If we can't, just drop the pkt. XXX */
216 MALLOC(te, struct tseg_qent *, sizeof (struct tseg_qent), M_TSEGQ,
219 tcpstat.tcps_rcvmemdrop++;
225 * Find a segment which begins after this one does.
227 LIST_FOREACH(q, &tp->t_segq, tqe_q) {
228 if (SEQ_GT(q->tqe_th->th_seq, th->th_seq))
234 * If there is a preceding segment, it may provide some of
235 * our data already. If so, drop the data from the incoming
236 * segment. If it provides all of our data, drop us.
240 /* conversion to int (in i) handles seq wraparound */
241 i = p->tqe_th->th_seq + p->tqe_len - th->th_seq;
244 tcpstat.tcps_rcvduppack++;
245 tcpstat.tcps_rcvdupbyte += *tlenp;
249 * Try to present any queued data
250 * at the left window edge to the user.
251 * This is needed after the 3-WHS
254 goto present; /* ??? */
261 tcpstat.tcps_rcvoopack++;
262 tcpstat.tcps_rcvoobyte += *tlenp;
265 * While we overlap succeeding segments trim them or,
266 * if they are completely covered, dequeue them.
269 register int i = (th->th_seq + *tlenp) - q->tqe_th->th_seq;
272 if (i < q->tqe_len) {
273 q->tqe_th->th_seq += i;
279 nq = LIST_NEXT(q, tqe_q);
280 LIST_REMOVE(q, tqe_q);
286 /* Insert the new segment queue entry into place. */
289 te->tqe_len = *tlenp;
292 LIST_INSERT_HEAD(&tp->t_segq, te, tqe_q);
294 LIST_INSERT_AFTER(p, te, tqe_q);
299 * Present data to user, advancing rcv_nxt through
300 * completed sequence space.
302 if (!TCPS_HAVEESTABLISHED(tp->t_state))
304 q = LIST_FIRST(&tp->t_segq);
305 if (!q || q->tqe_th->th_seq != tp->rcv_nxt)
308 tp->rcv_nxt += q->tqe_len;
309 flags = q->tqe_th->th_flags & TH_FIN;
310 nq = LIST_NEXT(q, tqe_q);
311 LIST_REMOVE(q, tqe_q);
312 if (so->so_state & SS_CANTRCVMORE)
315 sbappend(&so->so_rcv, q->tqe_m);
318 } while (q && q->tqe_th->th_seq == tp->rcv_nxt);
325 * TCP input routine, follows pages 65-76 of the
326 * protocol specification dated September, 1981 very closely.
330 tcp6_input(mp, offp, proto)
334 register struct mbuf *m = *mp;
336 IP6_EXTHDR_CHECK(m, *offp, sizeof(struct tcphdr), IPPROTO_DONE);
339 * draft-itojun-ipv6-tcp-to-anycast
340 * better place to put this in?
342 if (m->m_flags & M_ANYCAST6) {
345 ip6 = mtod(m, struct ip6_hdr *);
346 icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR,
347 (caddr_t)&ip6->ip6_dst - (caddr_t)ip6);
351 tcp_input(m, *offp, proto);
357 tcp_input(m, off0, proto)
358 register struct mbuf *m;
361 register struct tcphdr *th;
362 register struct ip *ip = NULL;
363 register struct ipovly *ipov;
364 register struct inpcb *inp;
369 register struct tcpcb *tp = 0;
370 register int thflags;
371 struct socket *so = 0;
372 int todrop, acked, ourfinisacked, needoutput = 0;
373 struct in_addr laddr;
375 struct in6_addr laddr6;
380 struct tcpopt to; /* options in this segment */
381 struct rmxp_tao *taop; /* pointer to our TAO cache entry */
382 struct rmxp_tao tao_noncached; /* in case there's no cached entry */
387 struct ip6_hdr *ip6 = NULL;
392 isipv6 = (mtod(m, struct ip *)->ip_v == 6) ? 1 : 0;
394 bzero((char *)&to, sizeof(to));
396 tcpstat.tcps_rcvtotal++;
400 /* IP6_EXTHDR_CHECK() is already done at tcp6_input() */
401 ip6 = mtod(m, struct ip6_hdr *);
402 tlen = sizeof(*ip6) + ntohs(ip6->ip6_plen) - off0;
403 if (in6_cksum(m, IPPROTO_TCP, off0, tlen)) {
404 tcpstat.tcps_rcvbadsum++;
407 th = (struct tcphdr *)((caddr_t)ip6 + off0);
412 * Get IP and TCP header together in first mbuf.
413 * Note: IP leaves IP header in first mbuf.
415 if (off0 > sizeof (struct ip)) {
416 ip_stripoptions(m, (struct mbuf *)0);
417 off0 = sizeof(struct ip);
419 if (m->m_len < sizeof (struct tcpiphdr)) {
420 if ((m = m_pullup(m, sizeof (struct tcpiphdr))) == 0) {
421 tcpstat.tcps_rcvshort++;
425 ip = mtod(m, struct ip *);
426 ipov = (struct ipovly *)ip;
427 th = (struct tcphdr *)((caddr_t)ip + off0);
430 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
431 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
432 th->th_sum = m->m_pkthdr.csum_data;
434 th->th_sum = in_pseudo(ip->ip_src.s_addr,
435 ip->ip_dst.s_addr, htonl(m->m_pkthdr.csum_data +
436 ip->ip_len + IPPROTO_TCP));
437 th->th_sum ^= 0xffff;
440 * Checksum extended TCP header and data.
442 len = sizeof (struct ip) + tlen;
443 bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
444 ipov->ih_len = (u_short)tlen;
446 th->th_sum = in_cksum(m, len);
449 tcpstat.tcps_rcvbadsum++;
453 /* Re-initialization for later version check */
454 ip->ip_v = IPVERSION;
459 * Check that TCP offset makes sense,
460 * pull out TCP options and adjust length. XXX
462 off = th->th_off << 2;
463 if (off < sizeof (struct tcphdr) || off > tlen) {
464 tcpstat.tcps_rcvbadoff++;
467 tlen -= off; /* tlen is used instead of ti->ti_len */
468 if (off > sizeof (struct tcphdr)) {
471 IP6_EXTHDR_CHECK(m, off0, off, );
472 ip6 = mtod(m, struct ip6_hdr *);
473 th = (struct tcphdr *)((caddr_t)ip6 + off0);
477 if (m->m_len < sizeof(struct ip) + off) {
478 if ((m = m_pullup(m, sizeof (struct ip) + off)) == 0) {
479 tcpstat.tcps_rcvshort++;
482 ip = mtod(m, struct ip *);
483 ipov = (struct ipovly *)ip;
484 th = (struct tcphdr *)((caddr_t)ip + off0);
487 optlen = off - sizeof (struct tcphdr);
488 optp = (u_char *)(th + 1);
490 thflags = th->th_flags;
492 #ifdef TCP_DROP_SYNFIN
494 * If the drop_synfin option is enabled, drop all packets with
495 * both the SYN and FIN bits set. This prevents e.g. nmap from
496 * identifying the TCP/IP stack.
498 * This is incompatible with RFC1644 extensions (T/TCP).
500 if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
505 * Convert TCP protocol specific fields to host format.
513 * Delay droping TCP, IP headers, IPv6 ext headers, and TCP options,
514 * until after ip6_savecontrol() is called and before other functions
515 * which don't want those proto headers.
516 * Because ip6_savecontrol() is going to parse the mbuf to
517 * search for data to be passed up to user-land, it wants mbuf
518 * parameters to be unchanged.
520 drop_hdrlen = off0 + off;
523 * Locate pcb for segment.
526 #ifdef IPFIREWALL_FORWARD
527 if (ip_fw_fwd_addr != NULL
529 && isipv6 == NULL /* IPv6 support is not yet */
533 * Diverted. Pretend to be the destination.
534 * already got one like this?
536 inp = in_pcblookup_hash(&tcbinfo, ip->ip_src, th->th_sport,
537 ip->ip_dst, th->th_dport, 0, m->m_pkthdr.rcvif);
540 * No, then it's new. Try find the ambushing socket
542 if (!ip_fw_fwd_addr->sin_port) {
543 inp = in_pcblookup_hash(&tcbinfo, ip->ip_src,
544 th->th_sport, ip_fw_fwd_addr->sin_addr,
545 th->th_dport, 1, m->m_pkthdr.rcvif);
547 inp = in_pcblookup_hash(&tcbinfo,
548 ip->ip_src, th->th_sport,
549 ip_fw_fwd_addr->sin_addr,
550 ntohs(ip_fw_fwd_addr->sin_port), 1,
554 ip_fw_fwd_addr = NULL;
556 #endif /* IPFIREWALL_FORWARD */
560 inp = in6_pcblookup_hash(&tcbinfo, &ip6->ip6_src, th->th_sport,
561 &ip6->ip6_dst, th->th_dport, 1,
565 inp = in_pcblookup_hash(&tcbinfo, ip->ip_src, th->th_sport,
566 ip->ip_dst, th->th_dport, 1, m->m_pkthdr.rcvif);
572 if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) {
573 ipsec6stat.in_polvio++;
578 if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) {
579 ipsecstat.in_polvio++;
585 * If the state is CLOSED (i.e., TCB does not exist) then
586 * all data in the incoming segment is discarded.
587 * If the TCB exists but is in CLOSED state, it is embryonic,
588 * but should either do a listen or a connect soon.
593 char dbuf[INET6_ADDRSTRLEN], sbuf[INET6_ADDRSTRLEN];
595 char dbuf[4*sizeof "123"], sbuf[4*sizeof "123"];
600 strcpy(dbuf, ip6_sprintf(&ip6->ip6_dst));
601 strcpy(sbuf, ip6_sprintf(&ip6->ip6_src));
605 strcpy(dbuf, inet_ntoa(ip->ip_dst));
606 strcpy(sbuf, inet_ntoa(ip->ip_src));
608 switch (log_in_vain) {
612 "Connection attempt to TCP %s:%d from %s:%d\n",
613 dbuf, ntohs(th->th_dport),
615 ntohs(th->th_sport));
619 "Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n",
620 dbuf, ntohs(th->th_dport), sbuf,
621 ntohs(th->th_sport), thflags);
630 if (thflags & TH_SYN)
639 goto maybedropwithreset;
643 goto maybedropwithreset;
644 if (tp->t_state == TCPS_CLOSED)
647 /* Unscale the window into a 32-bit value. */
648 if ((thflags & TH_SYN) == 0)
649 tiwin = th->th_win << tp->snd_scale;
654 /* save packet options if user wanted */
655 if (isipv6 && inp->in6p_flags & INP_CONTROLOPTS) {
656 if (inp->in6p_options) {
657 m_freem(inp->in6p_options);
658 inp->in6p_options = 0;
660 ip6_savecontrol(inp, &inp->in6p_options, ip6, m);
662 /* else, should also do ip_srcroute() here? */
665 so = inp->inp_socket;
666 if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
668 if (so->so_options & SO_DEBUG) {
669 ostate = tp->t_state;
672 bcopy((char *)ip6, (char *)tcp_saveipgen,
676 bcopy((char *)ip, (char *)tcp_saveipgen, sizeof(*ip));
680 if (so->so_options & SO_ACCEPTCONN) {
681 register struct tcpcb *tp0 = tp;
687 struct inpcb *oinp = sotoinpcb(so);
692 * Current IPsec implementation makes incorrect IPsec
693 * cache if this check is done here.
694 * So delay this until duplicated socket is created.
696 if ((thflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) {
698 * Note: dropwithreset makes sure we don't
699 * send a RST in response to a RST.
701 if (thflags & TH_ACK) {
702 tcpstat.tcps_badsyn++;
703 goto maybedropwithreset;
708 so2 = sonewconn(so, 0);
710 tcpstat.tcps_listendrop++;
711 so2 = sodropablereq(so);
713 tcp_drop(sototcpcb(so2), ETIMEDOUT);
714 so2 = sonewconn(so, 0);
724 * This is ugly, but ....
726 * Mark socket as temporary until we're
727 * committed to keeping it. The code at
728 * ``drop'' and ``dropwithreset'' check the
729 * flag dropsocket to see if the temporary
730 * socket created here should be discarded.
731 * We mark the socket as discardable until
732 * we're committed to it below in TCPS_LISTEN.
735 inp = (struct inpcb *)so->so_pcb;
738 inp->in6p_laddr = ip6->ip6_dst;
740 if ((inp->inp_flags & IN6P_BINDV6ONLY) == 0) {
741 inp->inp_vflag &= ~INP_IPV6;
742 inp->inp_vflag |= INP_IPV4;
745 inp->inp_laddr = ip->ip_dst;
749 inp->inp_lport = th->th_dport;
750 if (in_pcbinshash(inp) != 0) {
752 * Undo the assignments above if we failed to
753 * put the PCB on the hash lists.
757 inp->in6p_laddr = in6addr_any;
760 inp->inp_laddr.s_addr = INADDR_ANY;
766 * To avoid creating incorrectly cached IPsec
767 * association, this is need to be done here.
769 * Subject: (KAME-snap 748)
770 * From: Wayne Knowles <w.knowles@niwa.cri.nz>
771 * ftp://ftp.kame.net/pub/mail-list/snap-users/748
773 if ((thflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) {
775 * Note: dropwithreset makes sure we don't
776 * send a RST in response to a RST.
778 if (thflags & TH_ACK) {
779 tcpstat.tcps_badsyn++;
780 goto maybedropwithreset;
788 * inherit socket options from the listening
792 oinp->inp_flags & INP_CONTROLOPTS;
793 if (inp->inp_flags & INP_CONTROLOPTS) {
794 if (inp->in6p_options) {
795 m_freem(inp->in6p_options);
796 inp->in6p_options = 0;
804 inp->inp_options = ip_srcroute();
806 /* copy old policy into new socket's */
807 if (ipsec_copy_policy(sotoinpcb(oso)->inp_sp,
809 printf("tcp_input: could not copy policy\n");
812 tp->t_state = TCPS_LISTEN;
813 tp->t_flags |= tp0->t_flags & (TF_NOPUSH|TF_NOOPT);
815 /* Compute proper scaling value from buffer space */
816 while (tp->request_r_scale < TCP_MAX_WINSHIFT &&
817 TCP_MAXWIN << tp->request_r_scale <
819 tp->request_r_scale++;
824 * Segment received on connection.
825 * Reset idle time and keep-alive timer.
827 tp->t_rcvtime = ticks;
828 if (TCPS_HAVEESTABLISHED(tp->t_state))
829 callout_reset(tp->tt_keep, tcp_keepidle, tcp_timer_keep, tp);
832 * Process options if not in LISTEN state,
833 * else do it below (after getting remote address).
835 if (tp->t_state != TCPS_LISTEN)
836 tcp_dooptions(tp, optp, optlen, th, &to);
839 * Header prediction: check for the two common cases
840 * of a uni-directional data xfer. If the packet has
841 * no control flags, is in-sequence, the window didn't
842 * change and we're not retransmitting, it's a
843 * candidate. If the length is zero and the ack moved
844 * forward, we're the sender side of the xfer. Just
845 * free the data acked & wake any higher level process
846 * that was blocked waiting for space. If the length
847 * is non-zero and the ack didn't move, we're the
848 * receiver side. If we're getting packets in-order
849 * (the reassembly queue is empty), add the data to
850 * the socket buffer and note that we need a delayed ack.
851 * Make sure that the hidden state-flags are also off.
852 * Since we check for TCPS_ESTABLISHED above, it can only
855 if (tp->t_state == TCPS_ESTABLISHED &&
856 (thflags & (TH_SYN|TH_FIN|TH_RST|TH_URG|TH_ACK)) == TH_ACK &&
857 ((tp->t_flags & (TF_NEEDSYN|TF_NEEDFIN)) == 0) &&
858 ((to.to_flag & TOF_TS) == 0 ||
859 TSTMP_GEQ(to.to_tsval, tp->ts_recent)) &&
861 * Using the CC option is compulsory if once started:
862 * the segment is OK if no T/TCP was negotiated or
863 * if the segment has a CC option equal to CCrecv
865 ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) != (TF_REQ_CC|TF_RCVD_CC) ||
866 ((to.to_flag & TOF_CC) != 0 && to.to_cc == tp->cc_recv)) &&
867 th->th_seq == tp->rcv_nxt &&
868 tiwin && tiwin == tp->snd_wnd &&
869 tp->snd_nxt == tp->snd_max) {
872 * If last ACK falls within this segment's sequence numbers,
873 * record the timestamp.
874 * NOTE that the test is modified according to the latest
875 * proposal of the tcplw@cray.com list (Braden 1993/04/26).
877 if ((to.to_flag & TOF_TS) != 0 &&
878 SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
879 tp->ts_recent_age = ticks;
880 tp->ts_recent = to.to_tsval;
884 if (SEQ_GT(th->th_ack, tp->snd_una) &&
885 SEQ_LEQ(th->th_ack, tp->snd_max) &&
886 tp->snd_cwnd >= tp->snd_wnd &&
887 tp->t_dupacks < tcprexmtthresh) {
889 * this is a pure ack for outstanding data.
891 ++tcpstat.tcps_predack;
893 * "bad retransmit" recovery
895 if (tp->t_rxtshift == 1 &&
896 ticks < tp->t_badrxtwin) {
897 tp->snd_cwnd = tp->snd_cwnd_prev;
899 tp->snd_ssthresh_prev;
900 tp->snd_nxt = tp->snd_max;
903 if ((to.to_flag & TOF_TS) != 0)
905 ticks - to.to_tsecr + 1);
906 else if (tp->t_rtttime &&
907 SEQ_GT(th->th_ack, tp->t_rtseq))
908 tcp_xmit_timer(tp, ticks - tp->t_rtttime);
909 acked = th->th_ack - tp->snd_una;
910 tcpstat.tcps_rcvackpack++;
911 tcpstat.tcps_rcvackbyte += acked;
912 sbdrop(&so->so_snd, acked);
913 tp->snd_una = th->th_ack;
915 ND6_HINT(tp); /* some progress has been done */
918 * If all outstanding data are acked, stop
919 * retransmit timer, otherwise restart timer
920 * using current (possibly backed-off) value.
921 * If process is waiting for space,
922 * wakeup/selwakeup/signal. If data
923 * are ready to send, let tcp_output
924 * decide between more output or persist.
926 if (tp->snd_una == tp->snd_max)
927 callout_stop(tp->tt_rexmt);
928 else if (!callout_active(tp->tt_persist))
929 callout_reset(tp->tt_rexmt,
931 tcp_timer_rexmt, tp);
934 if (so->so_snd.sb_cc)
935 (void) tcp_output(tp);
938 } else if (th->th_ack == tp->snd_una &&
939 LIST_EMPTY(&tp->t_segq) &&
940 tlen <= sbspace(&so->so_rcv)) {
942 * this is a pure, in-sequence data packet
943 * with nothing on the reassembly queue and
944 * we have enough buffer space to take it.
946 ++tcpstat.tcps_preddat;
948 tcpstat.tcps_rcvpack++;
949 tcpstat.tcps_rcvbyte += tlen;
950 ND6_HINT(tp); /* some progress has been done */
952 * Add data to socket buffer.
954 m_adj(m, drop_hdrlen); /* delayed header drop */
955 sbappend(&so->so_rcv, m);
957 if (tcp_delack_enabled) {
958 callout_reset(tp->tt_delack, tcp_delacktime,
959 tcp_timer_delack, tp);
961 tp->t_flags |= TF_ACKNOW;
969 * Calculate amount of space in receive window,
970 * and then do TCP input processing.
971 * Receive window is amount of space in rcv queue,
972 * but not less than advertised window.
976 win = sbspace(&so->so_rcv);
979 tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
982 switch (tp->t_state) {
985 * If the state is LISTEN then ignore segment if it contains an RST.
986 * If the segment contains an ACK then it is bad and send a RST.
987 * If it does not contain a SYN then it is not interesting; drop it.
988 * If it is from this socket, drop it, it must be forged.
989 * Don't bother responding if the destination was a broadcast.
990 * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
991 * tp->iss, and send a segment:
992 * <SEQ=ISS><ACK=RCV_NXT><CTL=SYN,ACK>
993 * Also initialize tp->snd_nxt to tp->iss+1 and tp->snd_una to tp->iss.
994 * Fill in remote peer address fields if not previously specified.
995 * Enter SYN_RECEIVED state, and process any other fields of this
996 * segment in this state.
999 register struct sockaddr_in *sin;
1001 register struct sockaddr_in6 *sin6;
1004 if (thflags & TH_RST)
1006 if (thflags & TH_ACK)
1007 goto maybedropwithreset;
1008 if ((thflags & TH_SYN) == 0)
1010 if (th->th_dport == th->th_sport) {
1013 if (IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
1018 if (ip->ip_dst.s_addr == ip->ip_src.s_addr)
1022 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
1023 * in_broadcast() should never return true on a received
1024 * packet with M_BCAST not set.
1026 * Packets with a multicast source address should also
1029 if (m->m_flags & (M_BCAST|M_MCAST))
1033 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
1034 IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
1038 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
1039 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
1040 ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
1044 MALLOC(sin6, struct sockaddr_in6 *, sizeof *sin6,
1045 M_SONAME, M_NOWAIT);
1048 bzero(sin6, sizeof(*sin6));
1049 sin6->sin6_family = AF_INET6;
1050 sin6->sin6_len = sizeof(*sin6);
1051 sin6->sin6_addr = ip6->ip6_src;
1052 sin6->sin6_port = th->th_sport;
1053 laddr6 = inp->in6p_laddr;
1054 if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr))
1055 inp->in6p_laddr = ip6->ip6_dst;
1056 if (in6_pcbconnect(inp, (struct sockaddr *)sin6,
1058 inp->in6p_laddr = laddr6;
1059 FREE(sin6, M_SONAME);
1062 FREE(sin6, M_SONAME);
1066 MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME,
1070 sin->sin_family = AF_INET;
1071 sin->sin_len = sizeof(*sin);
1072 sin->sin_addr = ip->ip_src;
1073 sin->sin_port = th->th_sport;
1074 bzero((caddr_t)sin->sin_zero, sizeof(sin->sin_zero));
1075 laddr = inp->inp_laddr;
1076 if (inp->inp_laddr.s_addr == INADDR_ANY)
1077 inp->inp_laddr = ip->ip_dst;
1078 if (in_pcbconnect(inp, (struct sockaddr *)sin, &proc0)) {
1079 inp->inp_laddr = laddr;
1080 FREE(sin, M_SONAME);
1083 FREE(sin, M_SONAME);
1085 tp->t_template = tcp_template(tp);
1086 if (tp->t_template == 0) {
1087 tp = tcp_drop(tp, ENOBUFS);
1088 dropsocket = 0; /* socket is already gone */
1091 if ((taop = tcp_gettaocache(inp)) == NULL) {
1092 taop = &tao_noncached;
1093 bzero(taop, sizeof(*taop));
1095 tcp_dooptions(tp, optp, optlen, th, &to);
1100 tcp_iss += TCP_ISSINCR/4;
1101 tp->irs = th->th_seq;
1102 tcp_sendseqinit(tp);
1104 tp->snd_recover = tp->snd_una;
1106 * Initialization of the tcpcb for transaction;
1107 * set SND.WND = SEG.WND,
1108 * initialize CCsend and CCrecv.
1110 tp->snd_wnd = tiwin; /* initial send-window */
1111 tp->cc_send = CC_INC(tcp_ccgen);
1112 tp->cc_recv = to.to_cc;
1114 * Perform TAO test on incoming CC (SEG.CC) option, if any.
1115 * - compare SEG.CC against cached CC from the same host,
1117 * - if SEG.CC > chached value, SYN must be new and is accepted
1118 * immediately: save new CC in the cache, mark the socket
1119 * connected, enter ESTABLISHED state, turn on flag to
1120 * send a SYN in the next segment.
1121 * A virtual advertised window is set in rcv_adv to
1122 * initialize SWS prevention. Then enter normal segment
1123 * processing: drop SYN, process data and FIN.
1124 * - otherwise do a normal 3-way handshake.
1126 if ((to.to_flag & TOF_CC) != 0) {
1127 if (((tp->t_flags & TF_NOPUSH) != 0) &&
1128 taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) {
1130 taop->tao_cc = to.to_cc;
1131 tp->t_starttime = ticks;
1132 tp->t_state = TCPS_ESTABLISHED;
1135 * If there is a FIN, or if there is data and the
1136 * connection is local, then delay SYN,ACK(SYN) in
1137 * the hope of piggy-backing it on a response
1138 * segment. Otherwise must send ACK now in case
1139 * the other side is slow starting.
1141 if (tcp_delack_enabled && ((thflags & TH_FIN) ||
1144 ((isipv6 && in6_localaddr(&inp->in6p_faddr))
1148 in_localaddr(inp->inp_faddr)
1153 callout_reset(tp->tt_delack, tcp_delacktime,
1154 tcp_timer_delack, tp);
1155 tp->t_flags |= TF_NEEDSYN;
1157 tp->t_flags |= (TF_ACKNOW | TF_NEEDSYN);
1160 * Limit the `virtual advertised window' to TCP_MAXWIN
1161 * here. Even if we requested window scaling, it will
1162 * become effective only later when our SYN is acked.
1164 tp->rcv_adv += min(tp->rcv_wnd, TCP_MAXWIN);
1165 tcpstat.tcps_connects++;
1167 callout_reset(tp->tt_keep, tcp_keepinit,
1168 tcp_timer_keep, tp);
1169 dropsocket = 0; /* committed to socket */
1170 tcpstat.tcps_accepts++;
1173 /* else do standard 3-way handshake */
1176 * No CC option, but maybe CC.NEW:
1177 * invalidate cached value.
1182 * TAO test failed or there was no CC option,
1183 * do a standard 3-way handshake.
1185 tp->t_flags |= TF_ACKNOW;
1186 tp->t_state = TCPS_SYN_RECEIVED;
1187 callout_reset(tp->tt_keep, tcp_keepinit, tcp_timer_keep, tp);
1188 dropsocket = 0; /* committed to socket */
1189 tcpstat.tcps_accepts++;
1194 * If the state is SYN_RECEIVED:
1195 * if seg contains an ACK, but not for our SYN/ACK, send a RST.
1197 case TCPS_SYN_RECEIVED:
1198 if ((thflags & TH_ACK) &&
1199 (SEQ_LEQ(th->th_ack, tp->snd_una) ||
1200 SEQ_GT(th->th_ack, tp->snd_max)))
1201 goto maybedropwithreset;
1205 * If the state is SYN_SENT:
1206 * if seg contains an ACK, but not for our SYN, drop the input.
1207 * if seg contains a RST, then drop the connection.
1208 * if seg does not contain SYN, then drop it.
1209 * Otherwise this is an acceptable SYN segment
1210 * initialize tp->rcv_nxt and tp->irs
1211 * if seg contains ack then advance tp->snd_una
1212 * if SYN has been acked change to ESTABLISHED else SYN_RCVD state
1213 * arrange for segment to be acked (eventually)
1214 * continue processing rest of data/controls, beginning with URG
1217 if ((taop = tcp_gettaocache(inp)) == NULL) {
1218 taop = &tao_noncached;
1219 bzero(taop, sizeof(*taop));
1222 if ((thflags & TH_ACK) &&
1223 (SEQ_LEQ(th->th_ack, tp->iss) ||
1224 SEQ_GT(th->th_ack, tp->snd_max))) {
1226 * If we have a cached CCsent for the remote host,
1227 * hence we haven't just crashed and restarted,
1228 * do not send a RST. This may be a retransmission
1229 * from the other side after our earlier ACK was lost.
1230 * Our new SYN, when it arrives, will serve as the
1233 if (taop->tao_ccsent != 0)
1238 if (thflags & TH_RST) {
1239 if (thflags & TH_ACK)
1240 tp = tcp_drop(tp, ECONNREFUSED);
1243 if ((thflags & TH_SYN) == 0)
1245 tp->snd_wnd = th->th_win; /* initial send window */
1246 tp->cc_recv = to.to_cc; /* foreign CC */
1248 tp->irs = th->th_seq;
1250 if (thflags & TH_ACK) {
1252 * Our SYN was acked. If segment contains CC.ECHO
1253 * option, check it to make sure this segment really
1254 * matches our SYN. If not, just drop it as old
1255 * duplicate, but send an RST if we're still playing
1256 * by the old rules. If no CC.ECHO option, make sure
1257 * we don't get fooled into using T/TCP.
1259 if (to.to_flag & TOF_CCECHO) {
1260 if (tp->cc_send != to.to_ccecho) {
1261 if (taop->tao_ccsent != 0)
1267 tp->t_flags &= ~TF_RCVD_CC;
1268 tcpstat.tcps_connects++;
1270 /* Do window scaling on this connection? */
1271 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
1272 (TF_RCVD_SCALE|TF_REQ_SCALE)) {
1273 tp->snd_scale = tp->requested_s_scale;
1274 tp->rcv_scale = tp->request_r_scale;
1276 /* Segment is acceptable, update cache if undefined. */
1277 if (taop->tao_ccsent == 0)
1278 taop->tao_ccsent = to.to_ccecho;
1280 tp->rcv_adv += tp->rcv_wnd;
1281 tp->snd_una++; /* SYN is acked */
1283 * If there's data, delay ACK; if there's also a FIN
1284 * ACKNOW will be turned on later.
1286 if (tcp_delack_enabled && tlen != 0)
1287 callout_reset(tp->tt_delack, tcp_delacktime,
1288 tcp_timer_delack, tp);
1290 tp->t_flags |= TF_ACKNOW;
1292 * Received <SYN,ACK> in SYN_SENT[*] state.
1294 * SYN_SENT --> ESTABLISHED
1295 * SYN_SENT* --> FIN_WAIT_1
1297 tp->t_starttime = ticks;
1298 if (tp->t_flags & TF_NEEDFIN) {
1299 tp->t_state = TCPS_FIN_WAIT_1;
1300 tp->t_flags &= ~TF_NEEDFIN;
1303 tp->t_state = TCPS_ESTABLISHED;
1304 callout_reset(tp->tt_keep, tcp_keepidle,
1305 tcp_timer_keep, tp);
1309 * Received initial SYN in SYN-SENT[*] state => simul-
1310 * taneous open. If segment contains CC option and there is
1311 * a cached CC, apply TAO test; if it succeeds, connection is
1312 * half-synchronized. Otherwise, do 3-way handshake:
1313 * SYN-SENT -> SYN-RECEIVED
1314 * SYN-SENT* -> SYN-RECEIVED*
1315 * If there was no CC option, clear cached CC value.
1317 tp->t_flags |= TF_ACKNOW;
1318 callout_stop(tp->tt_rexmt);
1319 if (to.to_flag & TOF_CC) {
1320 if (taop->tao_cc != 0 &&
1321 CC_GT(to.to_cc, taop->tao_cc)) {
1323 * update cache and make transition:
1324 * SYN-SENT -> ESTABLISHED*
1325 * SYN-SENT* -> FIN-WAIT-1*
1327 taop->tao_cc = to.to_cc;
1328 tp->t_starttime = ticks;
1329 if (tp->t_flags & TF_NEEDFIN) {
1330 tp->t_state = TCPS_FIN_WAIT_1;
1331 tp->t_flags &= ~TF_NEEDFIN;
1333 tp->t_state = TCPS_ESTABLISHED;
1334 callout_reset(tp->tt_keep,
1339 tp->t_flags |= TF_NEEDSYN;
1341 tp->t_state = TCPS_SYN_RECEIVED;
1343 /* CC.NEW or no option => invalidate cache */
1345 tp->t_state = TCPS_SYN_RECEIVED;
1351 * Advance th->th_seq to correspond to first data byte.
1352 * If data, trim to stay within window,
1353 * dropping FIN if necessary.
1356 if (tlen > tp->rcv_wnd) {
1357 todrop = tlen - tp->rcv_wnd;
1361 tcpstat.tcps_rcvpackafterwin++;
1362 tcpstat.tcps_rcvbyteafterwin += todrop;
1364 tp->snd_wl1 = th->th_seq - 1;
1365 tp->rcv_up = th->th_seq;
1367 * Client side of transaction: already sent SYN and data.
1368 * If the remote host used T/TCP to validate the SYN,
1369 * our data will be ACK'd; if so, enter normal data segment
1370 * processing in the middle of step 5, ack processing.
1371 * Otherwise, goto step 6.
1373 if (thflags & TH_ACK)
1377 * If the state is LAST_ACK or CLOSING or TIME_WAIT:
1378 * if segment contains a SYN and CC [not CC.NEW] option:
1379 * if state == TIME_WAIT and connection duration > MSL,
1380 * drop packet and send RST;
1382 * if SEG.CC > CCrecv then is new SYN, and can implicitly
1383 * ack the FIN (and data) in retransmission queue.
1384 * Complete close and delete TCPCB. Then reprocess
1385 * segment, hoping to find new TCPCB in LISTEN state;
1387 * else must be old SYN; drop it.
1388 * else do normal processing.
1392 case TCPS_TIME_WAIT:
1393 if ((thflags & TH_SYN) &&
1394 (to.to_flag & TOF_CC) && tp->cc_recv != 0) {
1395 if (tp->t_state == TCPS_TIME_WAIT &&
1396 (ticks - tp->t_starttime) > tcp_msl)
1398 if (CC_GT(to.to_cc, tp->cc_recv)) {
1405 break; /* continue normal processing */
1409 * States other than LISTEN or SYN_SENT.
1410 * First check the RST flag and sequence number since reset segments
1411 * are exempt from the timestamp and connection count tests. This
1412 * fixes a bug introduced by the Stevens, vol. 2, p. 960 bugfix
1413 * below which allowed reset segments in half the sequence space
1414 * to fall though and be processed (which gives forged reset
1415 * segments with a random sequence number a 50 percent chance of
1416 * killing a connection).
1417 * Then check timestamp, if present.
1418 * Then check the connection count, if present.
1419 * Then check that at least some bytes of segment are within
1420 * receive window. If segment begins before rcv_nxt,
1421 * drop leading data (and SYN); if nothing left, just ack.
1424 * If the RST bit is set, check the sequence number to see
1425 * if this is a valid reset segment.
1427 * In all states except SYN-SENT, all reset (RST) segments
1428 * are validated by checking their SEQ-fields. A reset is
1429 * valid if its sequence number is in the window.
1430 * Note: this does not take into account delayed ACKs, so
1431 * we should test against last_ack_sent instead of rcv_nxt.
1432 * The sequence number in the reset segment is normally an
1433 * echo of our outgoing acknowlegement numbers, but some hosts
1434 * send a reset with the sequence number at the rightmost edge
1435 * of our receive window, and we have to handle this case.
1436 * If we have multiple segments in flight, the intial reset
1437 * segment sequence numbers will be to the left of last_ack_sent,
1438 * but they will eventually catch up.
1439 * In any case, it never made sense to trim reset segments to
1440 * fit the receive window since RFC 1122 says:
1441 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
1443 * A TCP SHOULD allow a received RST segment to include data.
1446 * It has been suggested that a RST segment could contain
1447 * ASCII text that encoded and explained the cause of the
1448 * RST. No standard has yet been established for such
1451 * If the reset segment passes the sequence number test examine
1453 * SYN_RECEIVED STATE:
1454 * If passive open, return to LISTEN state.
1455 * If active open, inform user that connection was refused.
1456 * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES:
1457 * Inform user that connection was reset, and close tcb.
1458 * CLOSING, LAST_ACK STATES:
1461 * Drop the segment - see Stevens, vol. 2, p. 964 and
1464 if (thflags & TH_RST) {
1465 if (SEQ_GEQ(th->th_seq, tp->last_ack_sent) &&
1466 SEQ_LT(th->th_seq, tp->last_ack_sent + tp->rcv_wnd)) {
1467 switch (tp->t_state) {
1469 case TCPS_SYN_RECEIVED:
1470 so->so_error = ECONNREFUSED;
1473 case TCPS_ESTABLISHED:
1474 case TCPS_FIN_WAIT_1:
1475 case TCPS_FIN_WAIT_2:
1476 case TCPS_CLOSE_WAIT:
1477 so->so_error = ECONNRESET;
1479 tp->t_state = TCPS_CLOSED;
1480 tcpstat.tcps_drops++;
1489 case TCPS_TIME_WAIT:
1497 * RFC 1323 PAWS: If we have a timestamp reply on this segment
1498 * and it's less than ts_recent, drop it.
1500 if ((to.to_flag & TOF_TS) != 0 && tp->ts_recent &&
1501 TSTMP_LT(to.to_tsval, tp->ts_recent)) {
1503 /* Check to see if ts_recent is over 24 days old. */
1504 if ((int)(ticks - tp->ts_recent_age) > TCP_PAWS_IDLE) {
1506 * Invalidate ts_recent. If this segment updates
1507 * ts_recent, the age will be reset later and ts_recent
1508 * will get a valid value. If it does not, setting
1509 * ts_recent to zero will at least satisfy the
1510 * requirement that zero be placed in the timestamp
1511 * echo reply when ts_recent isn't valid. The
1512 * age isn't reset until we get a valid ts_recent
1513 * because we don't want out-of-order segments to be
1514 * dropped when ts_recent is old.
1518 tcpstat.tcps_rcvduppack++;
1519 tcpstat.tcps_rcvdupbyte += tlen;
1520 tcpstat.tcps_pawsdrop++;
1527 * If T/TCP was negotiated and the segment doesn't have CC,
1528 * or if its CC is wrong then drop the segment.
1529 * RST segments do not have to comply with this.
1531 if ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) == (TF_REQ_CC|TF_RCVD_CC) &&
1532 ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc))
1536 * In the SYN-RECEIVED state, validate that the packet belongs to
1537 * this connection before trimming the data to fit the receive
1538 * window. Check the sequence number versus IRS since we know
1539 * the sequence numbers haven't wrapped. This is a partial fix
1540 * for the "LAND" DoS attack.
1542 if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(th->th_seq, tp->irs))
1543 goto maybedropwithreset;
1545 todrop = tp->rcv_nxt - th->th_seq;
1547 if (thflags & TH_SYN) {
1557 * Following if statement from Stevens, vol. 2, p. 960.
1560 || (todrop == tlen && (thflags & TH_FIN) == 0)) {
1562 * Any valid FIN must be to the left of the window.
1563 * At this point the FIN must be a duplicate or out
1564 * of sequence; drop it.
1569 * Send an ACK to resynchronize and drop any data.
1570 * But keep on processing for RST or ACK.
1572 tp->t_flags |= TF_ACKNOW;
1574 tcpstat.tcps_rcvduppack++;
1575 tcpstat.tcps_rcvdupbyte += todrop;
1577 tcpstat.tcps_rcvpartduppack++;
1578 tcpstat.tcps_rcvpartdupbyte += todrop;
1580 drop_hdrlen += todrop; /* drop from the top afterwards */
1581 th->th_seq += todrop;
1583 if (th->th_urp > todrop)
1584 th->th_urp -= todrop;
1592 * If new data are received on a connection after the
1593 * user processes are gone, then RST the other end.
1595 if ((so->so_state & SS_NOFDREF) &&
1596 tp->t_state > TCPS_CLOSE_WAIT && tlen) {
1598 tcpstat.tcps_rcvafterclose++;
1603 * If segment ends after window, drop trailing data
1604 * (and PUSH and FIN); if nothing left, just ACK.
1606 todrop = (th->th_seq+tlen) - (tp->rcv_nxt+tp->rcv_wnd);
1608 tcpstat.tcps_rcvpackafterwin++;
1609 if (todrop >= tlen) {
1610 tcpstat.tcps_rcvbyteafterwin += tlen;
1612 * If a new connection request is received
1613 * while in TIME_WAIT, drop the old connection
1614 * and start over if the sequence numbers
1615 * are above the previous ones.
1617 if (thflags & TH_SYN &&
1618 tp->t_state == TCPS_TIME_WAIT &&
1619 SEQ_GT(th->th_seq, tp->rcv_nxt)) {
1620 iss = tp->snd_nxt + TCP_ISSINCR;
1625 * If window is closed can only take segments at
1626 * window edge, and have to drop data and PUSH from
1627 * incoming segments. Continue processing, but
1628 * remember to ack. Otherwise, drop segment
1631 if (tp->rcv_wnd == 0 && th->th_seq == tp->rcv_nxt) {
1632 tp->t_flags |= TF_ACKNOW;
1633 tcpstat.tcps_rcvwinprobe++;
1637 tcpstat.tcps_rcvbyteafterwin += todrop;
1640 thflags &= ~(TH_PUSH|TH_FIN);
1644 * If last ACK falls within this segment's sequence numbers,
1645 * record its timestamp.
1646 * NOTE that the test is modified according to the latest
1647 * proposal of the tcplw@cray.com list (Braden 1993/04/26).
1649 if ((to.to_flag & TOF_TS) != 0 &&
1650 SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
1651 tp->ts_recent_age = ticks;
1652 tp->ts_recent = to.to_tsval;
1656 * If a SYN is in the window, then this is an
1657 * error and we send an RST and drop the connection.
1659 if (thflags & TH_SYN) {
1660 tp = tcp_drop(tp, ECONNRESET);
1665 * If the ACK bit is off: if in SYN-RECEIVED state or SENDSYN
1666 * flag is on (half-synchronized state), then queue data for
1667 * later processing; else drop segment and return.
1669 if ((thflags & TH_ACK) == 0) {
1670 if (tp->t_state == TCPS_SYN_RECEIVED ||
1671 (tp->t_flags & TF_NEEDSYN))
1680 switch (tp->t_state) {
1683 * In SYN_RECEIVED state, the ack ACKs our SYN, so enter
1684 * ESTABLISHED state and continue processing.
1685 * The ACK was checked above.
1687 case TCPS_SYN_RECEIVED:
1689 tcpstat.tcps_connects++;
1691 /* Do window scaling? */
1692 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
1693 (TF_RCVD_SCALE|TF_REQ_SCALE)) {
1694 tp->snd_scale = tp->requested_s_scale;
1695 tp->rcv_scale = tp->request_r_scale;
1698 * Upon successful completion of 3-way handshake,
1699 * update cache.CC if it was undefined, pass any queued
1700 * data to the user, and advance state appropriately.
1702 if ((taop = tcp_gettaocache(inp)) != NULL &&
1704 taop->tao_cc = tp->cc_recv;
1708 * SYN-RECEIVED -> ESTABLISHED
1709 * SYN-RECEIVED* -> FIN-WAIT-1
1711 tp->t_starttime = ticks;
1712 if (tp->t_flags & TF_NEEDFIN) {
1713 tp->t_state = TCPS_FIN_WAIT_1;
1714 tp->t_flags &= ~TF_NEEDFIN;
1716 tp->t_state = TCPS_ESTABLISHED;
1717 callout_reset(tp->tt_keep, tcp_keepidle,
1718 tcp_timer_keep, tp);
1721 * If segment contains data or ACK, will call tcp_reass()
1722 * later; if not, do so now to pass queued data to user.
1724 if (tlen == 0 && (thflags & TH_FIN) == 0)
1725 (void) tcp_reass(tp, (struct tcphdr *)0, 0,
1727 tp->snd_wl1 = th->th_seq - 1;
1731 * In ESTABLISHED state: drop duplicate ACKs; ACK out of range
1732 * ACKs. If the ack is in the range
1733 * tp->snd_una < th->th_ack <= tp->snd_max
1734 * then advance tp->snd_una to th->th_ack and drop
1735 * data from the retransmission queue. If this ACK reflects
1736 * more up to date window information we update our window information.
1738 case TCPS_ESTABLISHED:
1739 case TCPS_FIN_WAIT_1:
1740 case TCPS_FIN_WAIT_2:
1741 case TCPS_CLOSE_WAIT:
1744 case TCPS_TIME_WAIT:
1746 if (SEQ_LEQ(th->th_ack, tp->snd_una)) {
1747 if (tlen == 0 && tiwin == tp->snd_wnd) {
1748 tcpstat.tcps_rcvdupack++;
1750 * If we have outstanding data (other than
1751 * a window probe), this is a completely
1752 * duplicate ack (ie, window info didn't
1753 * change), the ack is the biggest we've
1754 * seen and we've seen exactly our rexmt
1755 * threshhold of them, assume a packet
1756 * has been dropped and retransmit it.
1757 * Kludge snd_nxt & the congestion
1758 * window so we send only this one
1761 * We know we're losing at the current
1762 * window size so do congestion avoidance
1763 * (set ssthresh to half the current window
1764 * and pull our congestion window back to
1765 * the new ssthresh).
1767 * Dup acks mean that packets have left the
1768 * network (they're now cached at the receiver)
1769 * so bump cwnd by the amount in the receiver
1770 * to keep a constant cwnd packets in the
1773 if (!callout_active(tp->tt_rexmt) ||
1774 th->th_ack != tp->snd_una)
1776 else if (++tp->t_dupacks == tcprexmtthresh) {
1777 tcp_seq onxt = tp->snd_nxt;
1779 min(tp->snd_wnd, tp->snd_cwnd) / 2 /
1781 if (tcp_do_newreno && SEQ_LT(th->th_ack,
1783 /* False retransmit, should not
1786 tp->snd_cwnd += tp->t_maxseg;
1788 (void) tcp_output(tp);
1793 tp->snd_ssthresh = win * tp->t_maxseg;
1794 tp->snd_recover = tp->snd_max;
1795 callout_stop(tp->tt_rexmt);
1797 tp->snd_nxt = th->th_ack;
1798 tp->snd_cwnd = tp->t_maxseg;
1799 (void) tcp_output(tp);
1800 tp->snd_cwnd = tp->snd_ssthresh +
1801 tp->t_maxseg * tp->t_dupacks;
1802 if (SEQ_GT(onxt, tp->snd_nxt))
1805 } else if (tp->t_dupacks > tcprexmtthresh) {
1806 tp->snd_cwnd += tp->t_maxseg;
1807 (void) tcp_output(tp);
1815 * If the congestion window was inflated to account
1816 * for the other side's cached packets, retract it.
1818 if (tcp_do_newreno == 0) {
1819 if (tp->t_dupacks >= tcprexmtthresh &&
1820 tp->snd_cwnd > tp->snd_ssthresh)
1821 tp->snd_cwnd = tp->snd_ssthresh;
1823 } else if (tp->t_dupacks >= tcprexmtthresh &&
1824 !tcp_newreno(tp, th)) {
1826 * Window inflation should have left us with approx.
1827 * snd_ssthresh outstanding data. But in case we
1828 * would be inclined to send a burst, better to do
1829 * it via the slow start mechanism.
1831 if (SEQ_GT(th->th_ack + tp->snd_ssthresh, tp->snd_max))
1833 tp->snd_max - th->th_ack + tp->t_maxseg;
1835 tp->snd_cwnd = tp->snd_ssthresh;
1838 if (SEQ_GT(th->th_ack, tp->snd_max)) {
1839 tcpstat.tcps_rcvacktoomuch++;
1843 * If we reach this point, ACK is not a duplicate,
1844 * i.e., it ACKs something we sent.
1846 if (tp->t_flags & TF_NEEDSYN) {
1848 * T/TCP: Connection was half-synchronized, and our
1849 * SYN has been ACK'd (so connection is now fully
1850 * synchronized). Go to non-starred state,
1851 * increment snd_una for ACK of SYN, and check if
1852 * we can do window scaling.
1854 tp->t_flags &= ~TF_NEEDSYN;
1856 /* Do window scaling? */
1857 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
1858 (TF_RCVD_SCALE|TF_REQ_SCALE)) {
1859 tp->snd_scale = tp->requested_s_scale;
1860 tp->rcv_scale = tp->request_r_scale;
1865 acked = th->th_ack - tp->snd_una;
1866 tcpstat.tcps_rcvackpack++;
1867 tcpstat.tcps_rcvackbyte += acked;
1870 * If we just performed our first retransmit, and the ACK
1871 * arrives within our recovery window, then it was a mistake
1872 * to do the retransmit in the first place. Recover our
1873 * original cwnd and ssthresh, and proceed to transmit where
1876 if (tp->t_rxtshift == 1 && ticks < tp->t_badrxtwin) {
1877 tp->snd_cwnd = tp->snd_cwnd_prev;
1878 tp->snd_ssthresh = tp->snd_ssthresh_prev;
1879 tp->snd_nxt = tp->snd_max;
1880 tp->t_badrxtwin = 0; /* XXX probably not required */
1884 * If we have a timestamp reply, update smoothed
1885 * round trip time. If no timestamp is present but
1886 * transmit timer is running and timed sequence
1887 * number was acked, update smoothed round trip time.
1888 * Since we now have an rtt measurement, cancel the
1889 * timer backoff (cf., Phil Karn's retransmit alg.).
1890 * Recompute the initial retransmit timer.
1892 if (to.to_flag & TOF_TS)
1893 tcp_xmit_timer(tp, ticks - to.to_tsecr + 1);
1894 else if (tp->t_rtttime && SEQ_GT(th->th_ack, tp->t_rtseq))
1895 tcp_xmit_timer(tp, ticks - tp->t_rtttime);
1898 * If all outstanding data is acked, stop retransmit
1899 * timer and remember to restart (more output or persist).
1900 * If there is more data to be acked, restart retransmit
1901 * timer, using current (possibly backed-off) value.
1903 if (th->th_ack == tp->snd_max) {
1904 callout_stop(tp->tt_rexmt);
1906 } else if (!callout_active(tp->tt_persist))
1907 callout_reset(tp->tt_rexmt, tp->t_rxtcur,
1908 tcp_timer_rexmt, tp);
1911 * If no data (only SYN) was ACK'd,
1912 * skip rest of ACK processing.
1918 * When new data is acked, open the congestion window.
1919 * If the window gives us less than ssthresh packets
1920 * in flight, open exponentially (maxseg per packet).
1921 * Otherwise open linearly: maxseg per window
1922 * (maxseg^2 / cwnd per packet).
1925 register u_int cw = tp->snd_cwnd;
1926 register u_int incr = tp->t_maxseg;
1928 if (cw > tp->snd_ssthresh)
1929 incr = incr * incr / cw;
1930 if (tcp_do_newreno == 0 || SEQ_GEQ(th->th_ack, tp->snd_recover))
1931 tp->snd_cwnd = min(cw + incr,TCP_MAXWIN<<tp->snd_scale);
1933 if (acked > so->so_snd.sb_cc) {
1934 tp->snd_wnd -= so->so_snd.sb_cc;
1935 sbdrop(&so->so_snd, (int)so->so_snd.sb_cc);
1938 sbdrop(&so->so_snd, acked);
1939 tp->snd_wnd -= acked;
1943 tp->snd_una = th->th_ack;
1944 if (SEQ_LT(tp->snd_nxt, tp->snd_una))
1945 tp->snd_nxt = tp->snd_una;
1947 switch (tp->t_state) {
1950 * In FIN_WAIT_1 STATE in addition to the processing
1951 * for the ESTABLISHED state if our FIN is now acknowledged
1952 * then enter FIN_WAIT_2.
1954 case TCPS_FIN_WAIT_1:
1955 if (ourfinisacked) {
1957 * If we can't receive any more
1958 * data, then closing user can proceed.
1959 * Starting the timer is contrary to the
1960 * specification, but if we don't get a FIN
1961 * we'll hang forever.
1963 if (so->so_state & SS_CANTRCVMORE) {
1964 soisdisconnected(so);
1965 callout_reset(tp->tt_2msl, tcp_maxidle,
1966 tcp_timer_2msl, tp);
1968 tp->t_state = TCPS_FIN_WAIT_2;
1973 * In CLOSING STATE in addition to the processing for
1974 * the ESTABLISHED state if the ACK acknowledges our FIN
1975 * then enter the TIME-WAIT state, otherwise ignore
1979 if (ourfinisacked) {
1980 tp->t_state = TCPS_TIME_WAIT;
1981 tcp_canceltimers(tp);
1982 /* Shorten TIME_WAIT [RFC-1644, p.28] */
1983 if (tp->cc_recv != 0 &&
1984 (ticks - tp->t_starttime) < tcp_msl)
1985 callout_reset(tp->tt_2msl,
1988 tcp_timer_2msl, tp);
1990 callout_reset(tp->tt_2msl, 2 * tcp_msl,
1991 tcp_timer_2msl, tp);
1992 soisdisconnected(so);
1997 * In LAST_ACK, we may still be waiting for data to drain
1998 * and/or to be acked, as well as for the ack of our FIN.
1999 * If our FIN is now acknowledged, delete the TCB,
2000 * enter the closed state and return.
2003 if (ourfinisacked) {
2010 * In TIME_WAIT state the only thing that should arrive
2011 * is a retransmission of the remote FIN. Acknowledge
2012 * it and restart the finack timer.
2014 case TCPS_TIME_WAIT:
2015 callout_reset(tp->tt_2msl, 2 * tcp_msl,
2016 tcp_timer_2msl, tp);
2023 * Update window information.
2024 * Don't look at window if no ACK: TAC's send garbage on first SYN.
2026 if ((thflags & TH_ACK) &&
2027 (SEQ_LT(tp->snd_wl1, th->th_seq) ||
2028 (tp->snd_wl1 == th->th_seq && (SEQ_LT(tp->snd_wl2, th->th_ack) ||
2029 (tp->snd_wl2 == th->th_ack && tiwin > tp->snd_wnd))))) {
2030 /* keep track of pure window updates */
2032 tp->snd_wl2 == th->th_ack && tiwin > tp->snd_wnd)
2033 tcpstat.tcps_rcvwinupd++;
2034 tp->snd_wnd = tiwin;
2035 tp->snd_wl1 = th->th_seq;
2036 tp->snd_wl2 = th->th_ack;
2037 if (tp->snd_wnd > tp->max_sndwnd)
2038 tp->max_sndwnd = tp->snd_wnd;
2043 * Process segments with URG.
2045 if ((thflags & TH_URG) && th->th_urp &&
2046 TCPS_HAVERCVDFIN(tp->t_state) == 0) {
2048 * This is a kludge, but if we receive and accept
2049 * random urgent pointers, we'll crash in
2050 * soreceive. It's hard to imagine someone
2051 * actually wanting to send this much urgent data.
2053 if (th->th_urp + so->so_rcv.sb_cc > sb_max) {
2054 th->th_urp = 0; /* XXX */
2055 thflags &= ~TH_URG; /* XXX */
2056 goto dodata; /* XXX */
2059 * If this segment advances the known urgent pointer,
2060 * then mark the data stream. This should not happen
2061 * in CLOSE_WAIT, CLOSING, LAST_ACK or TIME_WAIT STATES since
2062 * a FIN has been received from the remote side.
2063 * In these states we ignore the URG.
2065 * According to RFC961 (Assigned Protocols),
2066 * the urgent pointer points to the last octet
2067 * of urgent data. We continue, however,
2068 * to consider it to indicate the first octet
2069 * of data past the urgent section as the original
2070 * spec states (in one of two places).
2072 if (SEQ_GT(th->th_seq+th->th_urp, tp->rcv_up)) {
2073 tp->rcv_up = th->th_seq + th->th_urp;
2074 so->so_oobmark = so->so_rcv.sb_cc +
2075 (tp->rcv_up - tp->rcv_nxt) - 1;
2076 if (so->so_oobmark == 0)
2077 so->so_state |= SS_RCVATMARK;
2079 tp->t_oobflags &= ~(TCPOOB_HAVEDATA | TCPOOB_HADDATA);
2082 * Remove out of band data so doesn't get presented to user.
2083 * This can happen independent of advancing the URG pointer,
2084 * but if two URG's are pending at once, some out-of-band
2085 * data may creep in... ick.
2087 if (th->th_urp <= (u_long)tlen
2089 && (so->so_options & SO_OOBINLINE) == 0
2092 tcp_pulloutofband(so, th, m,
2093 drop_hdrlen); /* hdr drop is delayed */
2096 * If no out of band data is expected,
2097 * pull receive urgent pointer along
2098 * with the receive window.
2100 if (SEQ_GT(tp->rcv_nxt, tp->rcv_up))
2101 tp->rcv_up = tp->rcv_nxt;
2105 * Process the segment text, merging it into the TCP sequencing queue,
2106 * and arranging for acknowledgment of receipt if necessary.
2107 * This process logically involves adjusting tp->rcv_wnd as data
2108 * is presented to the user (this happens in tcp_usrreq.c,
2109 * case PRU_RCVD). If a FIN has already been received on this
2110 * connection then we just ignore the text.
2112 if ((tlen || (thflags&TH_FIN)) &&
2113 TCPS_HAVERCVDFIN(tp->t_state) == 0) {
2114 m_adj(m, drop_hdrlen); /* delayed header drop */
2115 TCP_REASS(tp, th, &tlen, m, so, thflags);
2117 * Note the amount of data that peer has sent into
2118 * our window, in order to estimate the sender's
2121 len = so->so_rcv.sb_hiwat - (tp->rcv_adv - tp->rcv_nxt);
2128 * If FIN is received ACK the FIN and let the user know
2129 * that the connection is closing.
2131 if (thflags & TH_FIN) {
2132 if (TCPS_HAVERCVDFIN(tp->t_state) == 0) {
2135 * If connection is half-synchronized
2136 * (ie NEEDSYN flag on) then delay ACK,
2137 * so it may be piggybacked when SYN is sent.
2138 * Otherwise, since we received a FIN then no
2139 * more input can be expected, send ACK now.
2141 if (tcp_delack_enabled && (tp->t_flags & TF_NEEDSYN))
2142 callout_reset(tp->tt_delack, tcp_delacktime,
2143 tcp_timer_delack, tp);
2145 tp->t_flags |= TF_ACKNOW;
2148 switch (tp->t_state) {
2151 * In SYN_RECEIVED and ESTABLISHED STATES
2152 * enter the CLOSE_WAIT state.
2154 case TCPS_SYN_RECEIVED:
2155 tp->t_starttime = ticks;
2157 case TCPS_ESTABLISHED:
2158 tp->t_state = TCPS_CLOSE_WAIT;
2162 * If still in FIN_WAIT_1 STATE FIN has not been acked so
2163 * enter the CLOSING state.
2165 case TCPS_FIN_WAIT_1:
2166 tp->t_state = TCPS_CLOSING;
2170 * In FIN_WAIT_2 state enter the TIME_WAIT state,
2171 * starting the time-wait timer, turning off the other
2174 case TCPS_FIN_WAIT_2:
2175 tp->t_state = TCPS_TIME_WAIT;
2176 tcp_canceltimers(tp);
2177 /* Shorten TIME_WAIT [RFC-1644, p.28] */
2178 if (tp->cc_recv != 0 &&
2179 (ticks - tp->t_starttime) < tcp_msl) {
2180 callout_reset(tp->tt_2msl,
2181 tp->t_rxtcur * TCPTV_TWTRUNC,
2182 tcp_timer_2msl, tp);
2183 /* For transaction client, force ACK now. */
2184 tp->t_flags |= TF_ACKNOW;
2187 callout_reset(tp->tt_2msl, 2 * tcp_msl,
2188 tcp_timer_2msl, tp);
2189 soisdisconnected(so);
2193 * In TIME_WAIT state restart the 2 MSL time_wait timer.
2195 case TCPS_TIME_WAIT:
2196 callout_reset(tp->tt_2msl, 2 * tcp_msl,
2197 tcp_timer_2msl, tp);
2202 if (so->so_options & SO_DEBUG)
2203 tcp_trace(TA_INPUT, ostate, tp, (void *)tcp_saveipgen,
2208 * Return any desired output.
2210 if (needoutput || (tp->t_flags & TF_ACKNOW))
2211 (void) tcp_output(tp);
2216 * Generate an ACK dropping incoming segment if it occupies
2217 * sequence space, where the ACK reflects our state.
2219 * We can now skip the test for the RST flag since all
2220 * paths to this code happen after packets containing
2221 * RST have been dropped.
2223 * In the SYN-RECEIVED state, don't send an ACK unless the
2224 * segment we received passes the SYN-RECEIVED ACK test.
2225 * If it fails send a RST. This breaks the loop in the
2226 * "LAND" DoS attack, and also prevents an ACK storm
2227 * between two listening ports that have been sent forged
2228 * SYN segments, each with the source address of the other.
2230 if (tp->t_state == TCPS_SYN_RECEIVED && (thflags & TH_ACK) &&
2231 (SEQ_GT(tp->snd_una, th->th_ack) ||
2232 SEQ_GT(th->th_ack, tp->snd_max)) )
2233 goto maybedropwithreset;
2235 if (so->so_options & SO_DEBUG)
2236 tcp_trace(TA_DROP, ostate, tp, (void *)tcp_saveipgen,
2240 tp->t_flags |= TF_ACKNOW;
2241 (void) tcp_output(tp);
2246 * Conditionally drop with reset or just drop depending on whether
2247 * we think we are under attack or not.
2250 if (badport_bandlim(1) < 0)
2254 #ifdef TCP_RESTRICT_RST
2259 * Generate a RST, dropping incoming segment.
2260 * Make ACK acceptable to originator of segment.
2261 * Don't bother to respond if destination was broadcast/multicast.
2263 if ((thflags & TH_RST) || m->m_flags & (M_BCAST|M_MCAST))
2267 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
2268 IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
2272 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
2273 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
2274 ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
2276 /* IPv6 anycast check is done at tcp6_input() */
2278 if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
2279 tcp_trace(TA_DROP, ostate, tp, (void *)tcp_saveipgen,
2282 if (thflags & TH_ACK)
2283 /* mtod() below is safe as long as hdr dropping is delayed */
2284 tcp_respond(tp, mtod(m, void *), th, m, (tcp_seq)0, th->th_ack,
2287 if (thflags & TH_SYN)
2289 /* mtod() below is safe as long as hdr dropping is delayed */
2290 tcp_respond(tp, mtod(m, void *), th, m, th->th_seq+tlen,
2291 (tcp_seq)0, TH_RST|TH_ACK);
2293 /* destroy temporarily created socket */
2300 * Drop space held by incoming segment and return.
2303 if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
2304 tcp_trace(TA_DROP, ostate, tp, (void *)tcp_saveipgen,
2308 /* destroy temporarily created socket */
2315 tcp_dooptions(tp, cp, cnt, th, to)
2325 for (; cnt > 0; cnt -= optlen, cp += optlen) {
2327 if (opt == TCPOPT_EOL)
2329 if (opt == TCPOPT_NOP)
2335 if (optlen < 2 || optlen > cnt)
2344 if (optlen != TCPOLEN_MAXSEG)
2346 if (!(th->th_flags & TH_SYN))
2348 bcopy((char *) cp + 2, (char *) &mss, sizeof(mss));
2353 if (optlen != TCPOLEN_WINDOW)
2355 if (!(th->th_flags & TH_SYN))
2357 tp->t_flags |= TF_RCVD_SCALE;
2358 tp->requested_s_scale = min(cp[2], TCP_MAX_WINSHIFT);
2361 case TCPOPT_TIMESTAMP:
2362 if (optlen != TCPOLEN_TIMESTAMP)
2364 to->to_flag |= TOF_TS;
2365 bcopy((char *)cp + 2,
2366 (char *)&to->to_tsval, sizeof(to->to_tsval));
2367 NTOHL(to->to_tsval);
2368 bcopy((char *)cp + 6,
2369 (char *)&to->to_tsecr, sizeof(to->to_tsecr));
2370 NTOHL(to->to_tsecr);
2373 * A timestamp received in a SYN makes
2374 * it ok to send timestamp requests and replies.
2376 if (th->th_flags & TH_SYN) {
2377 tp->t_flags |= TF_RCVD_TSTMP;
2378 tp->ts_recent = to->to_tsval;
2379 tp->ts_recent_age = ticks;
2383 if (optlen != TCPOLEN_CC)
2385 to->to_flag |= TOF_CC;
2386 bcopy((char *)cp + 2,
2387 (char *)&to->to_cc, sizeof(to->to_cc));
2390 * A CC or CC.new option received in a SYN makes
2391 * it ok to send CC in subsequent segments.
2393 if (th->th_flags & TH_SYN)
2394 tp->t_flags |= TF_RCVD_CC;
2397 if (optlen != TCPOLEN_CC)
2399 if (!(th->th_flags & TH_SYN))
2401 to->to_flag |= TOF_CCNEW;
2402 bcopy((char *)cp + 2,
2403 (char *)&to->to_cc, sizeof(to->to_cc));
2406 * A CC or CC.new option received in a SYN makes
2407 * it ok to send CC in subsequent segments.
2409 tp->t_flags |= TF_RCVD_CC;
2412 if (optlen != TCPOLEN_CC)
2414 if (!(th->th_flags & TH_SYN))
2416 to->to_flag |= TOF_CCECHO;
2417 bcopy((char *)cp + 2,
2418 (char *)&to->to_ccecho, sizeof(to->to_ccecho));
2419 NTOHL(to->to_ccecho);
2423 if (th->th_flags & TH_SYN)
2424 tcp_mss(tp, mss); /* sets t_maxseg */
2428 * Pull out of band byte out of a segment so
2429 * it doesn't appear in the user's data queue.
2430 * It is still reflected in the segment length for
2431 * sequencing purposes.
2434 tcp_pulloutofband(so, th, m, off)
2437 register struct mbuf *m;
2438 int off; /* delayed to be droped hdrlen */
2440 int cnt = off + th->th_urp - 1;
2443 if (m->m_len > cnt) {
2444 char *cp = mtod(m, caddr_t) + cnt;
2445 struct tcpcb *tp = sototcpcb(so);
2448 tp->t_oobflags |= TCPOOB_HAVEDATA;
2449 bcopy(cp+1, cp, (unsigned)(m->m_len - cnt - 1));
2451 if (m->m_flags & M_PKTHDR)
2460 panic("tcp_pulloutofband");
2464 * Collect new round-trip time estimate
2465 * and update averages and current timeout.
2468 tcp_xmit_timer(tp, rtt)
2469 register struct tcpcb *tp;
2474 tcpstat.tcps_rttupdated++;
2476 if (tp->t_srtt != 0) {
2478 * srtt is stored as fixed point with 5 bits after the
2479 * binary point (i.e., scaled by 8). The following magic
2480 * is equivalent to the smoothing algorithm in rfc793 with
2481 * an alpha of .875 (srtt = rtt/8 + srtt*7/8 in fixed
2482 * point). Adjust rtt to origin 0.
2484 delta = ((rtt - 1) << TCP_DELTA_SHIFT)
2485 - (tp->t_srtt >> (TCP_RTT_SHIFT - TCP_DELTA_SHIFT));
2487 if ((tp->t_srtt += delta) <= 0)
2491 * We accumulate a smoothed rtt variance (actually, a
2492 * smoothed mean difference), then set the retransmit
2493 * timer to smoothed rtt + 4 times the smoothed variance.
2494 * rttvar is stored as fixed point with 4 bits after the
2495 * binary point (scaled by 16). The following is
2496 * equivalent to rfc793 smoothing with an alpha of .75
2497 * (rttvar = rttvar*3/4 + |delta| / 4). This replaces
2498 * rfc793's wired-in beta.
2502 delta -= tp->t_rttvar >> (TCP_RTTVAR_SHIFT - TCP_DELTA_SHIFT);
2503 if ((tp->t_rttvar += delta) <= 0)
2507 * No rtt measurement yet - use the unsmoothed rtt.
2508 * Set the variance to half the rtt (so our first
2509 * retransmit happens at 3*rtt).
2511 tp->t_srtt = rtt << TCP_RTT_SHIFT;
2512 tp->t_rttvar = rtt << (TCP_RTTVAR_SHIFT - 1);
2518 * the retransmit should happen at rtt + 4 * rttvar.
2519 * Because of the way we do the smoothing, srtt and rttvar
2520 * will each average +1/2 tick of bias. When we compute
2521 * the retransmit timer, we want 1/2 tick of rounding and
2522 * 1 extra tick because of +-1/2 tick uncertainty in the
2523 * firing of the timer. The bias will give us exactly the
2524 * 1.5 tick we need. But, because the bias is
2525 * statistical, we have to test that we don't drop below
2526 * the minimum feasible timer (which is 2 ticks).
2528 TCPT_RANGESET(tp->t_rxtcur, TCP_REXMTVAL(tp),
2529 max(tp->t_rttmin, rtt + 2), TCPTV_REXMTMAX);
2532 * We received an ack for a packet that wasn't retransmitted;
2533 * it is probably safe to discard any error indications we've
2534 * received recently. This isn't quite right, but close enough
2535 * for now (a route might have failed after we sent a segment,
2536 * and the return path might not be symmetrical).
2538 tp->t_softerror = 0;
2542 * Determine a reasonable value for maxseg size.
2543 * If the route is known, check route for mtu.
2544 * If none, use an mss that can be handled on the outgoing
2545 * interface without forcing IP to fragment; if bigger than
2546 * an mbuf cluster (MCLBYTES), round down to nearest multiple of MCLBYTES
2547 * to utilize large mbufs. If no route is found, route has no mtu,
2548 * or the destination isn't local, use a default, hopefully conservative
2549 * size (usually 512 or the default IP max size, but no more than the mtu
2550 * of the interface), as we can't discover anything about intervening
2551 * gateways or networks. We also initialize the congestion/slow start
2552 * window to be a single segment if the destination isn't local.
2553 * While looking at the routing entry, we also initialize other path-dependent
2554 * parameters from pre-set or cached values in the routing entry.
2556 * Also take into account the space needed for options that we
2557 * send regularly. Make maxseg shorter by that amount to assure
2558 * that we can send maxseg amount of data even when the options
2559 * are present. Store the upper limit of the length of options plus
2562 * NOTE that this routine is only called when we process an incoming
2563 * segment, for outgoing segments only tcp_mssopt is called.
2565 * In case of T/TCP, we call this routine during implicit connection
2566 * setup as well (offer = -1), to initialize maxseg from the cached
2574 register struct rtentry *rt;
2576 register int rtt, mss;
2580 struct rmxp_tao *taop;
2581 int origoffer = offer;
2589 isipv6 = ((inp->inp_vflag & INP_IPV6) != 0) ? 1 : 0;
2590 min_protoh = isipv6 ? sizeof (struct ip6_hdr) + sizeof (struct tcphdr)
2591 : sizeof (struct tcpiphdr);
2593 #define min_protoh (sizeof (struct tcpiphdr))
2597 rt = tcp_rtlookup6(inp);
2600 rt = tcp_rtlookup(inp);
2602 tp->t_maxopd = tp->t_maxseg =
2604 isipv6 ? tcp_v6mssdflt :
2610 so = inp->inp_socket;
2612 taop = rmx_taop(rt->rt_rmx);
2614 * Offer == -1 means that we didn't receive SYN yet,
2615 * use cached value in that case;
2618 offer = taop->tao_mssopt;
2620 * Offer == 0 means that there was no MSS on the SYN segment,
2621 * in this case we use tcp_mssdflt.
2626 isipv6 ? tcp_v6mssdflt :
2631 * Sanity check: make sure that maxopd will be large
2632 * enough to allow some data on segments even is the
2633 * all the option space is used (40bytes). Otherwise
2634 * funny things may happen in tcp_output.
2636 offer = max(offer, 64);
2637 taop->tao_mssopt = offer;
2640 * While we're here, check if there's an initial rtt
2641 * or rttvar. Convert from the route-table units
2642 * to scaled multiples of the slow timeout timer.
2644 if (tp->t_srtt == 0 && (rtt = rt->rt_rmx.rmx_rtt)) {
2646 * XXX the lock bit for RTT indicates that the value
2647 * is also a minimum value; this is subject to time.
2649 if (rt->rt_rmx.rmx_locks & RTV_RTT)
2650 tp->t_rttmin = rtt / (RTM_RTTUNIT / hz);
2651 tp->t_srtt = rtt / (RTM_RTTUNIT / (hz * TCP_RTT_SCALE));
2652 tcpstat.tcps_usedrtt++;
2653 if (rt->rt_rmx.rmx_rttvar) {
2654 tp->t_rttvar = rt->rt_rmx.rmx_rttvar /
2655 (RTM_RTTUNIT / (hz * TCP_RTTVAR_SCALE));
2656 tcpstat.tcps_usedrttvar++;
2658 /* default variation is +- 1 rtt */
2660 tp->t_srtt * TCP_RTTVAR_SCALE / TCP_RTT_SCALE;
2662 TCPT_RANGESET(tp->t_rxtcur,
2663 ((tp->t_srtt >> 2) + tp->t_rttvar) >> 1,
2664 tp->t_rttmin, TCPTV_REXMTMAX);
2667 * if there's an mtu associated with the route, use it
2668 * else, use the link mtu.
2670 if (rt->rt_rmx.rmx_mtu)
2671 mss = rt->rt_rmx.rmx_mtu - min_protoh;
2676 (isipv6 ? nd_ifinfo[rt->rt_ifp->if_index].linkmtu :
2685 if (!in6_localaddr(&inp->in6p_faddr))
2686 mss = min(mss, tcp_v6mssdflt);
2689 if (!in_localaddr(inp->inp_faddr))
2690 mss = min(mss, tcp_mssdflt);
2692 mss = min(mss, offer);
2694 * maxopd stores the maximum length of data AND options
2695 * in a segment; maxseg is the amount of data in a normal
2696 * segment. We need to store this value (maxopd) apart
2697 * from maxseg, because now every segment carries options
2698 * and thus we normally have somewhat less data in segments.
2703 * In case of T/TCP, origoffer==-1 indicates, that no segments
2704 * were received yet. In this case we just guess, otherwise
2705 * we do the same as before T/TCP.
2707 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP &&
2709 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP))
2710 mss -= TCPOLEN_TSTAMP_APPA;
2711 if ((tp->t_flags & (TF_REQ_CC|TF_NOOPT)) == TF_REQ_CC &&
2713 (tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC))
2714 mss -= TCPOLEN_CC_APPA;
2716 #if (MCLBYTES & (MCLBYTES - 1)) == 0
2718 mss &= ~(MCLBYTES-1);
2721 mss = mss / MCLBYTES * MCLBYTES;
2724 * If there's a pipesize, change the socket buffer
2725 * to that size. Make the socket buffers an integral
2726 * number of mss units; if the mss is larger than
2727 * the socket buffer, decrease the mss.
2730 if ((bufsize = rt->rt_rmx.rmx_sendpipe) == 0)
2732 bufsize = so->so_snd.sb_hiwat;
2736 bufsize = roundup(bufsize, mss);
2737 if (bufsize > sb_max)
2739 (void)sbreserve(&so->so_snd, bufsize, so, NULL);
2744 if ((bufsize = rt->rt_rmx.rmx_recvpipe) == 0)
2746 bufsize = so->so_rcv.sb_hiwat;
2747 if (bufsize > mss) {
2748 bufsize = roundup(bufsize, mss);
2749 if (bufsize > sb_max)
2751 (void)sbreserve(&so->so_rcv, bufsize, so, NULL);
2755 * Set the slow-start flight size depending on whether this
2756 * is a local network or not.
2760 (isipv6 && in6_localaddr(&inp->in6p_faddr)) ||
2763 in_localaddr(inp->inp_faddr)
2768 tp->snd_cwnd = mss * ss_fltsz_local;
2770 tp->snd_cwnd = mss * ss_fltsz;
2772 if (rt->rt_rmx.rmx_ssthresh) {
2774 * There's some sort of gateway or interface
2775 * buffer limit on the path. Use this to set
2776 * the slow start threshhold, but set the
2777 * threshold to no less than 2*mss.
2779 tp->snd_ssthresh = max(2 * mss, rt->rt_rmx.rmx_ssthresh);
2780 tcpstat.tcps_usedssthresh++;
2785 * Determine the MSS option to send on an outgoing SYN.
2798 isipv6 = ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) ? 1 : 0;
2799 min_protoh = isipv6 ? sizeof (struct ip6_hdr) + sizeof (struct tcphdr)
2800 : sizeof (struct tcpiphdr);
2802 #define min_protoh (sizeof (struct tcpiphdr))
2806 rt = tcp_rtlookup6(tp->t_inpcb);
2809 rt = tcp_rtlookup(tp->t_inpcb);
2813 isipv6 ? tcp_v6mssdflt :
2817 return rt->rt_ifp->if_mtu - min_protoh;
2822 * Checks for partial ack. If partial ack arrives, force the retransmission
2823 * of the next unacknowledged segment, do not clear tp->t_dupacks, and return
2824 * 1. By setting snd_nxt to ti_ack, this forces retransmission timer to
2825 * be started again. If the ack advances at least to tp->snd_recover, return 0.
2832 if (SEQ_LT(th->th_ack, tp->snd_recover)) {
2833 tcp_seq onxt = tp->snd_nxt;
2834 u_long ocwnd = tp->snd_cwnd;
2836 callout_stop(tp->tt_rexmt);
2838 tp->snd_nxt = th->th_ack;
2840 * Set snd_cwnd to one segment beyond acknowledged offset
2841 * (tp->snd_una has not yet been updated when this function
2844 tp->snd_cwnd = tp->t_maxseg + (th->th_ack - tp->snd_una);
2845 (void) tcp_output(tp);
2846 tp->snd_cwnd = ocwnd;
2847 if (SEQ_GT(onxt, tp->snd_nxt))
2850 * Partial window deflation. Relies on fact that tp->snd_una
2853 tp->snd_cwnd -= (th->th_ack - tp->snd_una - tp->t_maxseg);