2 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 4. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include "opt_compat.h"
37 #include "opt_inet6.h"
38 #include "opt_ipsec.h"
40 #include "opt_tcpdebug.h"
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/callout.h>
45 #include <sys/kernel.h>
46 #include <sys/sysctl.h>
47 #include <sys/malloc.h>
50 #include <sys/domain.h>
54 #include <sys/socket.h>
55 #include <sys/socketvar.h>
56 #include <sys/protosw.h>
57 #include <sys/random.h>
61 #include <net/route.h>
64 #include <netinet/in.h>
65 #include <netinet/in_systm.h>
66 #include <netinet/ip.h>
68 #include <netinet/ip6.h>
70 #include <netinet/in_pcb.h>
72 #include <netinet6/in6_pcb.h>
74 #include <netinet/in_var.h>
75 #include <netinet/ip_var.h>
77 #include <netinet6/ip6_var.h>
78 #include <netinet6/scope6_var.h>
79 #include <netinet6/nd6.h>
81 #include <netinet/ip_icmp.h>
82 #include <netinet/tcp.h>
83 #include <netinet/tcp_fsm.h>
84 #include <netinet/tcp_seq.h>
85 #include <netinet/tcp_timer.h>
86 #include <netinet/tcp_var.h>
87 #include <netinet/tcp_syncache.h>
88 #include <netinet/tcp_offload.h>
90 #include <netinet6/tcp6_var.h>
92 #include <netinet/tcpip.h>
94 #include <netinet/tcp_debug.h>
96 #include <netinet6/ip6protosw.h>
99 #include <netipsec/ipsec.h>
100 #include <netipsec/xform.h>
102 #include <netipsec/ipsec6.h>
104 #include <netipsec/key.h>
105 #include <sys/syslog.h>
108 #include <machine/in_cksum.h>
111 #include <security/mac/mac_framework.h>
113 int tcp_mssdflt = TCP_MSS;
114 SYSCTL_INT(_net_inet_tcp, TCPCTL_MSSDFLT, mssdflt, CTLFLAG_RW,
115 &tcp_mssdflt, 0, "Default TCP Maximum Segment Size");
118 int tcp_v6mssdflt = TCP6_MSS;
119 SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
120 CTLFLAG_RW, &tcp_v6mssdflt , 0,
121 "Default TCP Maximum Segment Size for IPv6");
125 * Minimum MSS we accept and use. This prevents DoS attacks where
126 * we are forced to a ridiculous low MSS like 20 and send hundreds
127 * of packets instead of one. The effect scales with the available
128 * bandwidth and quickly saturates the CPU and network interface
129 * with packet generation and sending. Set to zero to disable MINMSS
130 * checking. This setting prevents us from sending too small packets.
132 int tcp_minmss = TCP_MINMSS;
133 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
134 &tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
136 int tcp_do_rfc1323 = 1;
137 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
138 &tcp_do_rfc1323, 0, "Enable rfc1323 (high performance TCP) extensions");
140 static int tcp_log_debug = 0;
141 SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_debug, CTLFLAG_RW,
142 &tcp_log_debug, 0, "Log errors caused by incoming TCP segments");
144 static int tcp_tcbhashsize = 0;
145 SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcbhashsize, CTLFLAG_RDTUN,
146 &tcp_tcbhashsize, 0, "Size of TCP control-block hashtable");
148 static int do_tcpdrain = 1;
149 SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW,
151 "Enable tcp_drain routine for extra help when low on mbufs");
153 SYSCTL_INT(_net_inet_tcp, OID_AUTO, pcbcount, CTLFLAG_RD,
154 &tcbinfo.ipi_count, 0, "Number of active PCBs");
156 static int icmp_may_rst = 1;
157 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW,
159 "Certain ICMP unreachable messages may abort connections in SYN_SENT");
161 static int tcp_isn_reseed_interval = 0;
162 SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
163 &tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
166 * TCP bandwidth limiting sysctls. Note that the default lower bound of
167 * 1024 exists only for debugging. A good production default would be
168 * something like 6100.
170 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0,
171 "TCP inflight data limiting");
173 static int tcp_inflight_enable = 1;
174 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, enable, CTLFLAG_RW,
175 &tcp_inflight_enable, 0, "Enable automatic TCP inflight data limiting");
177 static int tcp_inflight_debug = 0;
178 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
179 &tcp_inflight_debug, 0, "Debug TCP inflight calculations");
181 static int tcp_inflight_rttthresh;
182 SYSCTL_PROC(_net_inet_tcp_inflight, OID_AUTO, rttthresh, CTLTYPE_INT|CTLFLAG_RW,
183 &tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks, "I",
184 "RTT threshold below which inflight will deactivate itself");
186 static int tcp_inflight_min = 6144;
187 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, min, CTLFLAG_RW,
188 &tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
190 static int tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
191 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, max, CTLFLAG_RW,
192 &tcp_inflight_max, 0, "Upper-bound for TCP inflight window");
194 static int tcp_inflight_stab = 20;
195 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, stab, CTLFLAG_RW,
196 &tcp_inflight_stab, 0, "Inflight Algorithm Stabilization 20 = 2 packets");
198 uma_zone_t sack_hole_zone;
200 static struct inpcb *tcp_notify(struct inpcb *, int);
201 static void tcp_isn_tick(void *);
204 * Target size of TCP PCB hash tables. Must be a power of two.
206 * Note that this can be overridden by the kernel environment
207 * variable net.inet.tcp.tcbhashsize
210 #define TCBHASHSIZE 512
215 * Callouts should be moved into struct tcp directly. They are currently
216 * separate because the tcpcb structure is exported to userland for sysctl
217 * parsing purposes, which do not know about callouts.
224 static uma_zone_t tcpcb_zone;
225 MALLOC_DEFINE(M_TCPLOG, "tcplog", "TCP address and flags print buffers");
226 struct callout isn_callout;
227 static struct mtx isn_mtx;
229 #define ISN_LOCK_INIT() mtx_init(&isn_mtx, "isn_mtx", NULL, MTX_DEF)
230 #define ISN_LOCK() mtx_lock(&isn_mtx)
231 #define ISN_UNLOCK() mtx_unlock(&isn_mtx)
234 * TCP initialization.
237 tcp_zone_change(void *tag)
240 uma_zone_set_max(tcbinfo.ipi_zone, maxsockets);
241 uma_zone_set_max(tcpcb_zone, maxsockets);
242 tcp_tw_zone_change();
246 tcp_inpcb_init(void *mem, int size, int flags)
248 struct inpcb *inp = mem;
250 INP_LOCK_INIT(inp, "inp", "tcpinp");
258 int hashsize = TCBHASHSIZE;
259 tcp_delacktime = TCPTV_DELACK;
260 tcp_keepinit = TCPTV_KEEP_INIT;
261 tcp_keepidle = TCPTV_KEEP_IDLE;
262 tcp_keepintvl = TCPTV_KEEPINTVL;
263 tcp_maxpersistidle = TCPTV_KEEP_IDLE;
265 tcp_rexmit_min = TCPTV_MIN;
266 if (tcp_rexmit_min < 1)
268 tcp_rexmit_slop = TCPTV_CPU_VAR;
269 tcp_inflight_rttthresh = TCPTV_INFLIGHT_RTTTHRESH;
270 tcp_finwait2_timeout = TCPTV_FINWAIT2_TIMEOUT;
272 INP_INFO_LOCK_INIT(&tcbinfo, "tcp");
274 tcbinfo.ipi_listhead = &tcb;
275 TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
276 if (!powerof2(hashsize)) {
277 printf("WARNING: TCB hash size not a power of 2\n");
278 hashsize = 512; /* safe default */
280 tcp_tcbhashsize = hashsize;
281 tcbinfo.ipi_hashbase = hashinit(hashsize, M_PCB,
282 &tcbinfo.ipi_hashmask);
283 tcbinfo.ipi_porthashbase = hashinit(hashsize, M_PCB,
284 &tcbinfo.ipi_porthashmask);
285 tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb),
286 NULL, NULL, tcp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
287 uma_zone_set_max(tcbinfo.ipi_zone, maxsockets);
289 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
291 #define TCP_MINPROTOHDR (sizeof(struct tcpiphdr))
293 if (max_protohdr < TCP_MINPROTOHDR)
294 max_protohdr = TCP_MINPROTOHDR;
295 if (max_linkhdr + TCP_MINPROTOHDR > MHLEN)
297 #undef TCP_MINPROTOHDR
299 * These have to be type stable for the benefit of the timers.
301 tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem),
302 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
303 uma_zone_set_max(tcpcb_zone, maxsockets);
309 callout_init(&isn_callout, CALLOUT_MPSAFE);
311 EVENTHANDLER_REGISTER(shutdown_pre_sync, tcp_fini, NULL,
312 SHUTDOWN_PRI_DEFAULT);
313 sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
314 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
315 EVENTHANDLER_REGISTER(maxsockets_change, tcp_zone_change, NULL,
316 EVENTHANDLER_PRI_ANY);
323 callout_stop(&isn_callout);
327 * Fill in the IP and TCP headers for an outgoing packet, given the tcpcb.
328 * tcp_template used to store this data in mbufs, but we now recopy it out
329 * of the tcpcb each time to conserve mbufs.
332 tcpip_fillheaders(struct inpcb *inp, void *ip_ptr, void *tcp_ptr)
334 struct tcphdr *th = (struct tcphdr *)tcp_ptr;
336 INP_WLOCK_ASSERT(inp);
339 if ((inp->inp_vflag & INP_IPV6) != 0) {
342 ip6 = (struct ip6_hdr *)ip_ptr;
343 ip6->ip6_flow = (ip6->ip6_flow & ~IPV6_FLOWINFO_MASK) |
344 (inp->inp_flow & IPV6_FLOWINFO_MASK);
345 ip6->ip6_vfc = (ip6->ip6_vfc & ~IPV6_VERSION_MASK) |
346 (IPV6_VERSION & IPV6_VERSION_MASK);
347 ip6->ip6_nxt = IPPROTO_TCP;
348 ip6->ip6_plen = htons(sizeof(struct tcphdr));
349 ip6->ip6_src = inp->in6p_laddr;
350 ip6->ip6_dst = inp->in6p_faddr;
356 ip = (struct ip *)ip_ptr;
357 ip->ip_v = IPVERSION;
359 ip->ip_tos = inp->inp_ip_tos;
363 ip->ip_ttl = inp->inp_ip_ttl;
365 ip->ip_p = IPPROTO_TCP;
366 ip->ip_src = inp->inp_laddr;
367 ip->ip_dst = inp->inp_faddr;
369 th->th_sport = inp->inp_lport;
370 th->th_dport = inp->inp_fport;
378 th->th_sum = 0; /* in_pseudo() is called later for ipv4 */
382 * Create template to be used to send tcp packets on a connection.
383 * Allocates an mbuf and fills in a skeletal tcp/ip header. The only
384 * use for this function is in keepalives, which use tcp_respond.
387 tcpip_maketemplate(struct inpcb *inp)
391 t = malloc(sizeof(*t), M_TEMP, M_NOWAIT);
394 tcpip_fillheaders(inp, (void *)&t->tt_ipgen, (void *)&t->tt_t);
399 * Send a single message to the TCP at address specified by
400 * the given TCP/IP header. If m == NULL, then we make a copy
401 * of the tcpiphdr at ti and send directly to the addressed host.
402 * This is used to force keep alive messages out using the TCP
403 * template for a connection. If flags are given then we send
404 * a message back to the TCP which originated the * segment ti,
405 * and discard the mbuf containing it and any other attached mbufs.
407 * In any case the ack and sequence number of the transmitted
408 * segment are as specified by the parameters.
410 * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
413 tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
414 tcp_seq ack, tcp_seq seq, int flags)
427 KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
430 isipv6 = ((struct ip *)ipgen)->ip_v == 6;
437 KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
438 INP_WLOCK_ASSERT(inp);
443 if (!(flags & TH_RST)) {
444 win = sbspace(&inp->inp_socket->so_rcv);
445 if (win > (long)TCP_MAXWIN << tp->rcv_scale)
446 win = (long)TCP_MAXWIN << tp->rcv_scale;
450 m = m_gethdr(M_DONTWAIT, MT_DATA);
454 m->m_data += max_linkhdr;
457 bcopy((caddr_t)ip6, mtod(m, caddr_t),
458 sizeof(struct ip6_hdr));
459 ip6 = mtod(m, struct ip6_hdr *);
460 nth = (struct tcphdr *)(ip6 + 1);
464 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
465 ip = mtod(m, struct ip *);
466 nth = (struct tcphdr *)(ip + 1);
468 bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr));
473 * XXX MRT We inherrit the FIB, which is lucky.
477 m->m_data = (caddr_t)ipgen;
478 /* m_len is set later */
480 #define xchg(a,b,type) { type t; t=a; a=b; b=t; }
483 xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr);
484 nth = (struct tcphdr *)(ip6 + 1);
488 xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, uint32_t);
489 nth = (struct tcphdr *)(ip + 1);
493 * this is usually a case when an extension header
494 * exists between the IPv6 header and the
497 nth->th_sport = th->th_sport;
498 nth->th_dport = th->th_dport;
500 xchg(nth->th_dport, nth->th_sport, uint16_t);
506 ip6->ip6_vfc = IPV6_VERSION;
507 ip6->ip6_nxt = IPPROTO_TCP;
508 ip6->ip6_plen = htons((u_short)(sizeof (struct tcphdr) +
510 tlen += sizeof (struct ip6_hdr) + sizeof (struct tcphdr);
514 tlen += sizeof (struct tcpiphdr);
516 ip->ip_ttl = ip_defttl;
517 if (path_mtu_discovery)
521 m->m_pkthdr.len = tlen;
522 m->m_pkthdr.rcvif = NULL;
526 * Packet is associated with a socket, so allow the
527 * label of the response to reflect the socket label.
529 INP_WLOCK_ASSERT(inp);
530 mac_create_mbuf_from_inpcb(inp, m);
533 * Packet is not associated with a socket, so possibly
534 * update the label in place.
536 mac_reflect_mbuf_tcp(m);
539 nth->th_seq = htonl(seq);
540 nth->th_ack = htonl(ack);
542 nth->th_off = sizeof (struct tcphdr) >> 2;
543 nth->th_flags = flags;
545 nth->th_win = htons((u_short) (win >> tp->rcv_scale));
547 nth->th_win = htons((u_short)win);
552 nth->th_sum = in6_cksum(m, IPPROTO_TCP,
553 sizeof(struct ip6_hdr),
554 tlen - sizeof(struct ip6_hdr));
555 ip6->ip6_hlim = in6_selecthlim(tp != NULL ? tp->t_inpcb :
560 nth->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
561 htons((u_short)(tlen - sizeof(struct ip) + ip->ip_p)));
562 m->m_pkthdr.csum_flags = CSUM_TCP;
563 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
566 if (tp == NULL || (inp->inp_socket->so_options & SO_DEBUG))
567 tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0);
571 (void) ip6_output(m, NULL, NULL, ipflags, NULL, NULL, inp);
574 (void) ip_output(m, NULL, NULL, ipflags, NULL, inp);
578 * Create a new TCP control block, making an
579 * empty reassembly queue and hooking it to the argument
580 * protocol control block. The `inp' parameter must have
581 * come from the zone allocator set up in tcp_init().
584 tcp_newtcpcb(struct inpcb *inp)
586 struct tcpcb_mem *tm;
589 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
592 tm = uma_zalloc(tcpcb_zone, M_NOWAIT | M_ZERO);
596 tp->t_timers = &tm->tt;
597 /* LIST_INIT(&tp->t_segq); */ /* XXX covered by M_ZERO */
598 tp->t_maxseg = tp->t_maxopd =
600 isipv6 ? tcp_v6mssdflt :
604 /* Set up our timeouts. */
605 callout_init(&tp->t_timers->tt_rexmt, CALLOUT_MPSAFE);
606 callout_init(&tp->t_timers->tt_persist, CALLOUT_MPSAFE);
607 callout_init(&tp->t_timers->tt_keep, CALLOUT_MPSAFE);
608 callout_init(&tp->t_timers->tt_2msl, CALLOUT_MPSAFE);
609 callout_init(&tp->t_timers->tt_delack, CALLOUT_MPSAFE);
612 tp->t_flags = (TF_REQ_SCALE|TF_REQ_TSTMP);
614 tp->t_flags |= TF_SACK_PERMIT;
615 TAILQ_INIT(&tp->snd_holes);
616 tp->t_inpcb = inp; /* XXX */
618 * Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no
619 * rtt estimate. Set rttvar so that srtt + 4 * rttvar gives
620 * reasonable initial retransmit time.
622 tp->t_srtt = TCPTV_SRTTBASE;
623 tp->t_rttvar = ((TCPTV_RTOBASE - TCPTV_SRTTBASE) << TCP_RTTVAR_SHIFT) / 4;
624 tp->t_rttmin = tcp_rexmit_min;
625 tp->t_rxtcur = TCPTV_RTOBASE;
626 tp->snd_cwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
627 tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
628 tp->snd_ssthresh = TCP_MAXWIN << TCP_MAX_WINSHIFT;
629 tp->t_rcvtime = ticks;
630 tp->t_bw_rtttime = ticks;
632 * IPv4 TTL initialization is necessary for an IPv6 socket as well,
633 * because the socket may be bound to an IPv6 wildcard address,
634 * which may match an IPv4-mapped IPv6 address.
636 inp->inp_ip_ttl = ip_defttl;
638 return (tp); /* XXX */
642 * Drop a TCP connection, reporting
643 * the specified error. If connection is synchronized,
644 * then send a RST to peer.
647 tcp_drop(struct tcpcb *tp, int errno)
649 struct socket *so = tp->t_inpcb->inp_socket;
651 INP_INFO_WLOCK_ASSERT(&tcbinfo);
652 INP_WLOCK_ASSERT(tp->t_inpcb);
654 if (TCPS_HAVERCVDSYN(tp->t_state)) {
655 tp->t_state = TCPS_CLOSED;
656 (void) tcp_output_reset(tp);
657 tcpstat.tcps_drops++;
659 tcpstat.tcps_conndrops++;
660 if (errno == ETIMEDOUT && tp->t_softerror)
661 errno = tp->t_softerror;
662 so->so_error = errno;
663 return (tcp_close(tp));
667 tcp_discardcb(struct tcpcb *tp)
670 struct inpcb *inp = tp->t_inpcb;
671 struct socket *so = inp->inp_socket;
673 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
676 INP_WLOCK_ASSERT(inp);
679 * Make sure that all of our timers are stopped before we
682 callout_stop(&tp->t_timers->tt_rexmt);
683 callout_stop(&tp->t_timers->tt_persist);
684 callout_stop(&tp->t_timers->tt_keep);
685 callout_stop(&tp->t_timers->tt_2msl);
686 callout_stop(&tp->t_timers->tt_delack);
689 * If we got enough samples through the srtt filter,
690 * save the rtt and rttvar in the routing entry.
691 * 'Enough' is arbitrarily defined as 4 rtt samples.
692 * 4 samples is enough for the srtt filter to converge
693 * to within enough % of the correct value; fewer samples
694 * and we could save a bogus rtt. The danger is not high
695 * as tcp quickly recovers from everything.
696 * XXX: Works very well but needs some more statistics!
698 if (tp->t_rttupdated >= 4) {
699 struct hc_metrics_lite metrics;
702 bzero(&metrics, sizeof(metrics));
704 * Update the ssthresh always when the conditions below
705 * are satisfied. This gives us better new start value
706 * for the congestion avoidance for new connections.
707 * ssthresh is only set if packet loss occured on a session.
709 * XXXRW: 'so' may be NULL here, and/or socket buffer may be
710 * being torn down. Ideally this code would not use 'so'.
712 ssthresh = tp->snd_ssthresh;
713 if (ssthresh != 0 && ssthresh < so->so_snd.sb_hiwat / 2) {
715 * convert the limit from user data bytes to
716 * packets then to packet data bytes.
718 ssthresh = (ssthresh + tp->t_maxseg / 2) / tp->t_maxseg;
721 ssthresh *= (u_long)(tp->t_maxseg +
723 (isipv6 ? sizeof (struct ip6_hdr) +
724 sizeof (struct tcphdr) :
726 sizeof (struct tcpiphdr)
733 metrics.rmx_ssthresh = ssthresh;
735 metrics.rmx_rtt = tp->t_srtt;
736 metrics.rmx_rttvar = tp->t_rttvar;
737 /* XXX: This wraps if the pipe is more than 4 Gbit per second */
738 metrics.rmx_bandwidth = tp->snd_bandwidth;
739 metrics.rmx_cwnd = tp->snd_cwnd;
740 metrics.rmx_sendpipe = 0;
741 metrics.rmx_recvpipe = 0;
743 tcp_hc_update(&inp->inp_inc, &metrics);
746 /* free the reassembly queue, if any */
747 while ((q = LIST_FIRST(&tp->t_segq)) != NULL) {
748 LIST_REMOVE(q, tqe_q);
750 uma_zfree(tcp_reass_zone, q);
754 /* Disconnect offload device, if any. */
755 tcp_offload_detach(tp);
757 tcp_free_sackholes(tp);
758 inp->inp_ppcb = NULL;
760 uma_zfree(tcpcb_zone, tp);
764 * Attempt to close a TCP control block, marking it as dropped, and freeing
765 * the socket if we hold the only reference.
768 tcp_close(struct tcpcb *tp)
770 struct inpcb *inp = tp->t_inpcb;
773 INP_INFO_WLOCK_ASSERT(&tcbinfo);
774 INP_WLOCK_ASSERT(inp);
776 /* Notify any offload devices of listener close */
777 if (tp->t_state == TCPS_LISTEN)
778 tcp_offload_listen_close(tp);
780 tcpstat.tcps_closed++;
781 KASSERT(inp->inp_socket != NULL, ("tcp_close: inp_socket NULL"));
782 so = inp->inp_socket;
783 soisdisconnected(so);
784 if (inp->inp_flags & INP_SOCKREF) {
785 KASSERT(so->so_state & SS_PROTOREF,
786 ("tcp_close: !SS_PROTOREF"));
787 inp->inp_flags &= ~INP_SOCKREF;
791 so->so_state &= ~SS_PROTOREF;
805 struct tseg_qent *te;
808 * Walk the tcpbs, if existing, and flush the reassembly queue,
810 * XXX: The "Net/3" implementation doesn't imply that the TCP
811 * reassembly queue should be flushed, but in a situation
812 * where we're really low on mbufs, this is potentially
815 INP_INFO_RLOCK(&tcbinfo);
816 LIST_FOREACH(inpb, tcbinfo.ipi_listhead, inp_list) {
817 if (inpb->inp_flags & INP_TIMEWAIT)
820 if ((tcpb = intotcpcb(inpb)) != NULL) {
821 while ((te = LIST_FIRST(&tcpb->t_segq))
823 LIST_REMOVE(te, tqe_q);
825 uma_zfree(tcp_reass_zone, te);
829 tcp_clean_sackreport(tcpb);
833 INP_INFO_RUNLOCK(&tcbinfo);
838 * Notify a tcp user of an asynchronous error;
839 * store error as soft error, but wake up user
840 * (for now, won't do anything until can select for soft error).
842 * Do not wake up user since there currently is no mechanism for
843 * reporting soft errors (yet - a kqueue filter may be added).
845 static struct inpcb *
846 tcp_notify(struct inpcb *inp, int error)
850 INP_INFO_WLOCK_ASSERT(&tcbinfo);
851 INP_WLOCK_ASSERT(inp);
853 if ((inp->inp_flags & INP_TIMEWAIT) ||
854 (inp->inp_flags & INP_DROPPED))
858 KASSERT(tp != NULL, ("tcp_notify: tp == NULL"));
861 * Ignore some errors if we are hooked up.
862 * If connection hasn't completed, has retransmitted several times,
863 * and receives a second error, give up now. This is better
864 * than waiting a long time to establish a connection that
865 * can never complete.
867 if (tp->t_state == TCPS_ESTABLISHED &&
868 (error == EHOSTUNREACH || error == ENETUNREACH ||
869 error == EHOSTDOWN)) {
871 } else if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 &&
873 tp = tcp_drop(tp, error);
879 tp->t_softerror = error;
883 wakeup( &so->so_timeo);
890 tcp_pcblist(SYSCTL_HANDLER_ARGS)
892 int error, i, m, n, pcb_count;
893 struct inpcb *inp, **inp_list;
898 * The process of preparing the TCB list is too time-consuming and
899 * resource-intensive to repeat twice on every request.
901 if (req->oldptr == NULL) {
902 m = syncache_pcbcount();
903 n = tcbinfo.ipi_count;
904 req->oldidx = 2 * (sizeof xig)
905 + ((m + n) + n/8) * sizeof(struct xtcpcb);
909 if (req->newptr != NULL)
913 * OK, now we're committed to doing something.
915 INP_INFO_RLOCK(&tcbinfo);
916 gencnt = tcbinfo.ipi_gencnt;
917 n = tcbinfo.ipi_count;
918 INP_INFO_RUNLOCK(&tcbinfo);
920 m = syncache_pcbcount();
922 error = sysctl_wire_old_buffer(req, 2 * (sizeof xig)
923 + (n + m) * sizeof(struct xtcpcb));
927 xig.xig_len = sizeof xig;
928 xig.xig_count = n + m;
929 xig.xig_gen = gencnt;
930 xig.xig_sogen = so_gencnt;
931 error = SYSCTL_OUT(req, &xig, sizeof xig);
935 error = syncache_pcblist(req, m, &pcb_count);
939 inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
940 if (inp_list == NULL)
943 INP_INFO_RLOCK(&tcbinfo);
944 for (inp = LIST_FIRST(tcbinfo.ipi_listhead), i = 0; inp != NULL && i
945 < n; inp = LIST_NEXT(inp, inp_list)) {
947 if (inp->inp_gencnt <= gencnt) {
949 * XXX: This use of cr_cansee(), introduced with
950 * TCP state changes, is not quite right, but for
951 * now, better than nothing.
953 if (inp->inp_flags & INP_TIMEWAIT) {
954 if (intotw(inp) != NULL)
955 error = cr_cansee(req->td->td_ucred,
956 intotw(inp)->tw_cred);
958 error = EINVAL; /* Skip this inp. */
960 error = cr_canseeinpcb(req->td->td_ucred, inp);
966 INP_INFO_RUNLOCK(&tcbinfo);
970 for (i = 0; i < n; i++) {
973 if (inp->inp_gencnt <= gencnt) {
977 bzero(&xt, sizeof(xt));
978 xt.xt_len = sizeof xt;
979 /* XXX should avoid extra copy */
980 bcopy(inp, &xt.xt_inp, sizeof *inp);
981 inp_ppcb = inp->inp_ppcb;
982 if (inp_ppcb == NULL)
983 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
984 else if (inp->inp_flags & INP_TIMEWAIT) {
985 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
986 xt.xt_tp.t_state = TCPS_TIME_WAIT;
988 bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
989 if (inp->inp_socket != NULL)
990 sotoxsocket(inp->inp_socket, &xt.xt_socket);
992 bzero(&xt.xt_socket, sizeof xt.xt_socket);
993 xt.xt_socket.xso_protocol = IPPROTO_TCP;
995 xt.xt_inp.inp_gencnt = inp->inp_gencnt;
997 error = SYSCTL_OUT(req, &xt, sizeof xt);
1004 * Give the user an updated idea of our state.
1005 * If the generation differs from what we told
1006 * her before, she knows that something happened
1007 * while we were processing this request, and it
1008 * might be necessary to retry.
1010 INP_INFO_RLOCK(&tcbinfo);
1011 xig.xig_gen = tcbinfo.ipi_gencnt;
1012 xig.xig_sogen = so_gencnt;
1013 xig.xig_count = tcbinfo.ipi_count + pcb_count;
1014 INP_INFO_RUNLOCK(&tcbinfo);
1015 error = SYSCTL_OUT(req, &xig, sizeof xig);
1017 free(inp_list, M_TEMP);
1021 SYSCTL_PROC(_net_inet_tcp, TCPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0,
1022 tcp_pcblist, "S,xtcpcb", "List of active TCP connections");
1025 tcp_getcred(SYSCTL_HANDLER_ARGS)
1028 struct sockaddr_in addrs[2];
1032 error = priv_check(req->td, PRIV_NETINET_GETCRED);
1035 error = SYSCTL_IN(req, addrs, sizeof(addrs));
1038 INP_INFO_RLOCK(&tcbinfo);
1039 inp = in_pcblookup_hash(&tcbinfo, addrs[1].sin_addr, addrs[1].sin_port,
1040 addrs[0].sin_addr, addrs[0].sin_port, 0, NULL);
1043 INP_INFO_RUNLOCK(&tcbinfo);
1044 if (inp->inp_socket == NULL)
1047 error = cr_canseeinpcb(req->td->td_ucred, inp);
1049 cru2x(inp->inp_cred, &xuc);
1052 INP_INFO_RUNLOCK(&tcbinfo);
1056 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
1060 SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
1061 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
1062 tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
1066 tcp6_getcred(SYSCTL_HANDLER_ARGS)
1069 struct sockaddr_in6 addrs[2];
1071 int error, mapped = 0;
1073 error = priv_check(req->td, PRIV_NETINET_GETCRED);
1076 error = SYSCTL_IN(req, addrs, sizeof(addrs));
1079 if ((error = sa6_embedscope(&addrs[0], ip6_use_defzone)) != 0 ||
1080 (error = sa6_embedscope(&addrs[1], ip6_use_defzone)) != 0) {
1083 if (IN6_IS_ADDR_V4MAPPED(&addrs[0].sin6_addr)) {
1084 if (IN6_IS_ADDR_V4MAPPED(&addrs[1].sin6_addr))
1090 INP_INFO_RLOCK(&tcbinfo);
1092 inp = in_pcblookup_hash(&tcbinfo,
1093 *(struct in_addr *)&addrs[1].sin6_addr.s6_addr[12],
1095 *(struct in_addr *)&addrs[0].sin6_addr.s6_addr[12],
1099 inp = in6_pcblookup_hash(&tcbinfo,
1100 &addrs[1].sin6_addr, addrs[1].sin6_port,
1101 &addrs[0].sin6_addr, addrs[0].sin6_port, 0, NULL);
1104 INP_INFO_RUNLOCK(&tcbinfo);
1105 if (inp->inp_socket == NULL)
1108 error = cr_canseeinpcb(req->td->td_ucred, inp);
1110 cru2x(inp->inp_cred, &xuc);
1113 INP_INFO_RUNLOCK(&tcbinfo);
1117 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
1121 SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
1122 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
1123 tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
1128 tcp_ctlinput(int cmd, struct sockaddr *sa, void *vip)
1130 struct ip *ip = vip;
1132 struct in_addr faddr;
1135 struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify;
1137 struct in_conninfo inc;
1138 tcp_seq icmp_tcp_seq;
1141 faddr = ((struct sockaddr_in *)sa)->sin_addr;
1142 if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY)
1145 if (cmd == PRC_MSGSIZE)
1146 notify = tcp_mtudisc;
1147 else if (icmp_may_rst && (cmd == PRC_UNREACH_ADMIN_PROHIB ||
1148 cmd == PRC_UNREACH_PORT || cmd == PRC_TIMXCEED_INTRANS) && ip)
1149 notify = tcp_drop_syn_sent;
1151 * Redirects don't need to be handled up here.
1153 else if (PRC_IS_REDIRECT(cmd))
1156 * Source quench is depreciated.
1158 else if (cmd == PRC_QUENCH)
1161 * Hostdead is ugly because it goes linearly through all PCBs.
1162 * XXX: We never get this from ICMP, otherwise it makes an
1163 * excellent DoS attack on machines with many connections.
1165 else if (cmd == PRC_HOSTDEAD)
1167 else if ((unsigned)cmd >= PRC_NCMDS || inetctlerrmap[cmd] == 0)
1170 icp = (struct icmp *)((caddr_t)ip
1171 - offsetof(struct icmp, icmp_ip));
1172 th = (struct tcphdr *)((caddr_t)ip
1173 + (ip->ip_hl << 2));
1174 INP_INFO_WLOCK(&tcbinfo);
1175 inp = in_pcblookup_hash(&tcbinfo, faddr, th->th_dport,
1176 ip->ip_src, th->th_sport, 0, NULL);
1179 if (!(inp->inp_flags & INP_TIMEWAIT) &&
1180 !(inp->inp_flags & INP_DROPPED) &&
1181 !(inp->inp_socket == NULL)) {
1182 icmp_tcp_seq = htonl(th->th_seq);
1183 tp = intotcpcb(inp);
1184 if (SEQ_GEQ(icmp_tcp_seq, tp->snd_una) &&
1185 SEQ_LT(icmp_tcp_seq, tp->snd_max)) {
1186 if (cmd == PRC_MSGSIZE) {
1189 * If we got a needfrag set the MTU
1190 * in the route to the suggested new
1191 * value (if given) and then notify.
1193 bzero(&inc, sizeof(inc));
1194 inc.inc_faddr = faddr;
1196 inp->inp_inc.inc_fibnum;
1198 mtu = ntohs(icp->icmp_nextmtu);
1200 * If no alternative MTU was
1201 * proposed, try the next smaller
1202 * one. ip->ip_len has already
1203 * been swapped in icmp_input().
1206 mtu = ip_next_mtu(ip->ip_len,
1208 if (mtu < max(296, (tcp_minmss)
1209 + sizeof(struct tcpiphdr)))
1213 + sizeof(struct tcpiphdr);
1215 * Only cache the the MTU if it
1216 * is smaller than the interface
1217 * or route MTU. tcp_mtudisc()
1218 * will do right thing by itself.
1220 if (mtu <= tcp_maxmtu(&inc, NULL))
1221 tcp_hc_updatemtu(&inc, mtu);
1224 inp = (*notify)(inp, inetctlerrmap[cmd]);
1230 bzero(&inc, sizeof(inc));
1231 inc.inc_fport = th->th_dport;
1232 inc.inc_lport = th->th_sport;
1233 inc.inc_faddr = faddr;
1234 inc.inc_laddr = ip->ip_src;
1235 syncache_unreach(&inc, th);
1237 INP_INFO_WUNLOCK(&tcbinfo);
1239 in_pcbnotifyall(&tcbinfo, faddr, inetctlerrmap[cmd], notify);
1244 tcp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
1247 struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify;
1248 struct ip6_hdr *ip6;
1250 struct ip6ctlparam *ip6cp = NULL;
1251 const struct sockaddr_in6 *sa6_src = NULL;
1253 struct tcp_portonly {
1258 if (sa->sa_family != AF_INET6 ||
1259 sa->sa_len != sizeof(struct sockaddr_in6))
1262 if (cmd == PRC_MSGSIZE)
1263 notify = tcp_mtudisc;
1264 else if (!PRC_IS_REDIRECT(cmd) &&
1265 ((unsigned)cmd >= PRC_NCMDS || inet6ctlerrmap[cmd] == 0))
1267 /* Source quench is depreciated. */
1268 else if (cmd == PRC_QUENCH)
1271 /* if the parameter is from icmp6, decode it. */
1273 ip6cp = (struct ip6ctlparam *)d;
1275 ip6 = ip6cp->ip6c_ip6;
1276 off = ip6cp->ip6c_off;
1277 sa6_src = ip6cp->ip6c_src;
1281 off = 0; /* fool gcc */
1286 struct in_conninfo inc;
1288 * XXX: We assume that when IPV6 is non NULL,
1289 * M and OFF are valid.
1292 /* check if we can safely examine src and dst ports */
1293 if (m->m_pkthdr.len < off + sizeof(*thp))
1296 bzero(&th, sizeof(th));
1297 m_copydata(m, off, sizeof(*thp), (caddr_t)&th);
1299 in6_pcbnotify(&tcbinfo, sa, th.th_dport,
1300 (struct sockaddr *)ip6cp->ip6c_src,
1301 th.th_sport, cmd, NULL, notify);
1303 bzero(&inc, sizeof(inc));
1304 inc.inc_fport = th.th_dport;
1305 inc.inc_lport = th.th_sport;
1306 inc.inc6_faddr = ((struct sockaddr_in6 *)sa)->sin6_addr;
1307 inc.inc6_laddr = ip6cp->ip6c_src->sin6_addr;
1308 inc.inc_flags |= INC_ISIPV6;
1309 INP_INFO_WLOCK(&tcbinfo);
1310 syncache_unreach(&inc, &th);
1311 INP_INFO_WUNLOCK(&tcbinfo);
1313 in6_pcbnotify(&tcbinfo, sa, 0, (const struct sockaddr *)sa6_src,
1314 0, cmd, NULL, notify);
1320 * Following is where TCP initial sequence number generation occurs.
1322 * There are two places where we must use initial sequence numbers:
1323 * 1. In SYN-ACK packets.
1324 * 2. In SYN packets.
1326 * All ISNs for SYN-ACK packets are generated by the syncache. See
1327 * tcp_syncache.c for details.
1329 * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
1330 * depends on this property. In addition, these ISNs should be
1331 * unguessable so as to prevent connection hijacking. To satisfy
1332 * the requirements of this situation, the algorithm outlined in
1333 * RFC 1948 is used, with only small modifications.
1335 * Implementation details:
1337 * Time is based off the system timer, and is corrected so that it
1338 * increases by one megabyte per second. This allows for proper
1339 * recycling on high speed LANs while still leaving over an hour
1342 * As reading the *exact* system time is too expensive to be done
1343 * whenever setting up a TCP connection, we increment the time
1344 * offset in two ways. First, a small random positive increment
1345 * is added to isn_offset for each connection that is set up.
1346 * Second, the function tcp_isn_tick fires once per clock tick
1347 * and increments isn_offset as necessary so that sequence numbers
1348 * are incremented at approximately ISN_BYTES_PER_SECOND. The
1349 * random positive increments serve only to ensure that the same
1350 * exact sequence number is never sent out twice (as could otherwise
1351 * happen when a port is recycled in less than the system tick
1354 * net.inet.tcp.isn_reseed_interval controls the number of seconds
1355 * between seeding of isn_secret. This is normally set to zero,
1356 * as reseeding should not be necessary.
1358 * Locking of the global variables isn_secret, isn_last_reseed, isn_offset,
1359 * isn_offset_old, and isn_ctx is performed using the TCP pcbinfo lock. In
1360 * general, this means holding an exclusive (write) lock.
1363 #define ISN_BYTES_PER_SECOND 1048576
1364 #define ISN_STATIC_INCREMENT 4096
1365 #define ISN_RANDOM_INCREMENT (4096 - 1)
1367 static u_char isn_secret[32];
1368 static int isn_last_reseed;
1369 static u_int32_t isn_offset, isn_offset_old;
1370 static MD5_CTX isn_ctx;
1373 tcp_new_isn(struct tcpcb *tp)
1375 u_int32_t md5_buffer[4];
1378 INP_WLOCK_ASSERT(tp->t_inpcb);
1381 /* Seed if this is the first use, reseed if requested. */
1382 if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
1383 (((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
1385 read_random(&isn_secret, sizeof(isn_secret));
1386 isn_last_reseed = ticks;
1389 /* Compute the md5 hash and return the ISN. */
1391 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short));
1392 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short));
1394 if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) {
1395 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr,
1396 sizeof(struct in6_addr));
1397 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr,
1398 sizeof(struct in6_addr));
1402 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr,
1403 sizeof(struct in_addr));
1404 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr,
1405 sizeof(struct in_addr));
1407 MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret));
1408 MD5Final((u_char *) &md5_buffer, &isn_ctx);
1409 new_isn = (tcp_seq) md5_buffer[0];
1410 isn_offset += ISN_STATIC_INCREMENT +
1411 (arc4random() & ISN_RANDOM_INCREMENT);
1412 new_isn += isn_offset;
1418 * Increment the offset to the next ISN_BYTES_PER_SECOND / 100 boundary
1419 * to keep time flowing at a relatively constant rate. If the random
1420 * increments have already pushed us past the projected offset, do nothing.
1423 tcp_isn_tick(void *xtp)
1425 u_int32_t projected_offset;
1428 projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
1430 if (SEQ_GT(projected_offset, isn_offset))
1431 isn_offset = projected_offset;
1433 isn_offset_old = isn_offset;
1434 callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
1439 * When a specific ICMP unreachable message is received and the
1440 * connection state is SYN-SENT, drop the connection. This behavior
1441 * is controlled by the icmp_may_rst sysctl.
1444 tcp_drop_syn_sent(struct inpcb *inp, int errno)
1448 INP_INFO_WLOCK_ASSERT(&tcbinfo);
1449 INP_WLOCK_ASSERT(inp);
1451 if ((inp->inp_flags & INP_TIMEWAIT) ||
1452 (inp->inp_flags & INP_DROPPED))
1455 tp = intotcpcb(inp);
1456 if (tp->t_state != TCPS_SYN_SENT)
1459 tp = tcp_drop(tp, errno);
1467 * When `need fragmentation' ICMP is received, update our idea of the MSS
1468 * based on the new value in the route. Also nudge TCP to send something,
1469 * since we know the packet we just sent was dropped.
1470 * This duplicates some code in the tcp_mss() function in tcp_input.c.
1473 tcp_mtudisc(struct inpcb *inp, int errno)
1476 struct socket *so = inp->inp_socket;
1484 INP_WLOCK_ASSERT(inp);
1485 if ((inp->inp_flags & INP_TIMEWAIT) ||
1486 (inp->inp_flags & INP_DROPPED))
1489 tp = intotcpcb(inp);
1490 KASSERT(tp != NULL, ("tcp_mtudisc: tp == NULL"));
1493 isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0;
1495 maxmtu = tcp_hc_getmtu(&inp->inp_inc); /* IPv4 and IPv6 */
1498 isipv6 ? tcp_maxmtu6(&inp->inp_inc, NULL) :
1500 tcp_maxmtu(&inp->inp_inc, NULL);
1504 maxmtu = min(maxmtu, romtu);
1506 tp->t_maxopd = tp->t_maxseg =
1508 isipv6 ? tcp_v6mssdflt :
1515 (isipv6 ? sizeof(struct ip6_hdr) + sizeof(struct tcphdr) :
1517 sizeof(struct tcpiphdr)
1524 * XXX - The above conditional probably violates the TCP
1525 * spec. The problem is that, since we don't know the
1526 * other end's MSS, we are supposed to use a conservative
1527 * default. But, if we do that, then MTU discovery will
1528 * never actually take place, because the conservative
1529 * default is much less than the MTUs typically seen
1530 * on the Internet today. For the moment, we'll sweep
1531 * this under the carpet.
1533 * The conservative default might not actually be a problem
1534 * if the only case this occurs is when sending an initial
1535 * SYN with options and data to a host we've never talked
1536 * to before. Then, they will reply with an MSS value which
1537 * will get recorded and the new parameters should get
1538 * recomputed. For Further Study.
1540 if (tp->t_maxopd <= mss)
1544 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP &&
1545 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP)
1546 mss -= TCPOLEN_TSTAMP_APPA;
1547 #if (MCLBYTES & (MCLBYTES - 1)) == 0
1549 mss &= ~(MCLBYTES-1);
1552 mss = mss / MCLBYTES * MCLBYTES;
1554 if (so->so_snd.sb_hiwat < mss)
1555 mss = so->so_snd.sb_hiwat;
1559 tcpstat.tcps_mturesent++;
1561 tp->snd_nxt = tp->snd_una;
1562 tcp_free_sackholes(tp);
1563 tp->snd_recover = tp->snd_max;
1564 if (tp->t_flags & TF_SACK_PERMIT)
1565 EXIT_FASTRECOVERY(tp);
1566 tcp_output_send(tp);
1571 * Look-up the routing entry to the peer of this inpcb. If no route
1572 * is found and it cannot be allocated, then return NULL. This routine
1573 * is called by TCP routines that access the rmx structure and by tcp_mss
1574 * to get the interface MTU.
1577 tcp_maxmtu(struct in_conninfo *inc, int *flags)
1580 struct sockaddr_in *dst;
1584 KASSERT(inc != NULL, ("tcp_maxmtu with NULL in_conninfo pointer"));
1586 bzero(&sro, sizeof(sro));
1587 if (inc->inc_faddr.s_addr != INADDR_ANY) {
1588 dst = (struct sockaddr_in *)&sro.ro_dst;
1589 dst->sin_family = AF_INET;
1590 dst->sin_len = sizeof(*dst);
1591 dst->sin_addr = inc->inc_faddr;
1592 in_rtalloc_ign(&sro, RTF_CLONING, inc->inc_fibnum);
1594 if (sro.ro_rt != NULL) {
1595 ifp = sro.ro_rt->rt_ifp;
1596 if (sro.ro_rt->rt_rmx.rmx_mtu == 0)
1597 maxmtu = ifp->if_mtu;
1599 maxmtu = min(sro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu);
1601 /* Report additional interface capabilities. */
1602 if (flags != NULL) {
1603 if (ifp->if_capenable & IFCAP_TSO4 &&
1604 ifp->if_hwassist & CSUM_TSO)
1614 tcp_maxmtu6(struct in_conninfo *inc, int *flags)
1616 struct route_in6 sro6;
1620 KASSERT(inc != NULL, ("tcp_maxmtu6 with NULL in_conninfo pointer"));
1622 bzero(&sro6, sizeof(sro6));
1623 if (!IN6_IS_ADDR_UNSPECIFIED(&inc->inc6_faddr)) {
1624 sro6.ro_dst.sin6_family = AF_INET6;
1625 sro6.ro_dst.sin6_len = sizeof(struct sockaddr_in6);
1626 sro6.ro_dst.sin6_addr = inc->inc6_faddr;
1627 rtalloc_ign((struct route *)&sro6, RTF_CLONING);
1629 if (sro6.ro_rt != NULL) {
1630 ifp = sro6.ro_rt->rt_ifp;
1631 if (sro6.ro_rt->rt_rmx.rmx_mtu == 0)
1632 maxmtu = IN6_LINKMTU(sro6.ro_rt->rt_ifp);
1634 maxmtu = min(sro6.ro_rt->rt_rmx.rmx_mtu,
1635 IN6_LINKMTU(sro6.ro_rt->rt_ifp));
1637 /* Report additional interface capabilities. */
1638 if (flags != NULL) {
1639 if (ifp->if_capenable & IFCAP_TSO6 &&
1640 ifp->if_hwassist & CSUM_TSO)
1651 /* compute ESP/AH header size for TCP, including outer IP header. */
1653 ipsec_hdrsiz_tcp(struct tcpcb *tp)
1660 struct ip6_hdr *ip6;
1664 if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
1666 MGETHDR(m, M_DONTWAIT, MT_DATA);
1671 if ((inp->inp_vflag & INP_IPV6) != 0) {
1672 ip6 = mtod(m, struct ip6_hdr *);
1673 th = (struct tcphdr *)(ip6 + 1);
1674 m->m_pkthdr.len = m->m_len =
1675 sizeof(struct ip6_hdr) + sizeof(struct tcphdr);
1676 tcpip_fillheaders(inp, ip6, th);
1677 hdrsiz = ipsec6_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
1681 ip = mtod(m, struct ip *);
1682 th = (struct tcphdr *)(ip + 1);
1683 m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr);
1684 tcpip_fillheaders(inp, ip, th);
1685 hdrsiz = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
1694 * TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING
1696 * This code attempts to calculate the bandwidth-delay product as a
1697 * means of determining the optimal window size to maximize bandwidth,
1698 * minimize RTT, and avoid the over-allocation of buffers on interfaces and
1699 * routers. This code also does a fairly good job keeping RTTs in check
1700 * across slow links like modems. We implement an algorithm which is very
1701 * similar (but not meant to be) TCP/Vegas. The code operates on the
1702 * transmitter side of a TCP connection and so only effects the transmit
1703 * side of the connection.
1705 * BACKGROUND: TCP makes no provision for the management of buffer space
1706 * at the end points or at the intermediate routers and switches. A TCP
1707 * stream, whether using NewReno or not, will eventually buffer as
1708 * many packets as it is able and the only reason this typically works is
1709 * due to the fairly small default buffers made available for a connection
1710 * (typicaly 16K or 32K). As machines use larger windows and/or window
1711 * scaling it is now fairly easy for even a single TCP connection to blow-out
1712 * all available buffer space not only on the local interface, but on
1713 * intermediate routers and switches as well. NewReno makes a misguided
1714 * attempt to 'solve' this problem by waiting for an actual failure to occur,
1715 * then backing off, then steadily increasing the window again until another
1716 * failure occurs, ad-infinitum. This results in terrible oscillation that
1717 * is only made worse as network loads increase and the idea of intentionally
1718 * blowing out network buffers is, frankly, a terrible way to manage network
1721 * It is far better to limit the transmit window prior to the failure
1722 * condition being achieved. There are two general ways to do this: First
1723 * you can 'scan' through different transmit window sizes and locate the
1724 * point where the RTT stops increasing, indicating that you have filled the
1725 * pipe, then scan backwards until you note that RTT stops decreasing, then
1726 * repeat ad-infinitum. This method works in principle but has severe
1727 * implementation issues due to RTT variances, timer granularity, and
1728 * instability in the algorithm which can lead to many false positives and
1729 * create oscillations as well as interact badly with other TCP streams
1730 * implementing the same algorithm.
1732 * The second method is to limit the window to the bandwidth delay product
1733 * of the link. This is the method we implement. RTT variances and our
1734 * own manipulation of the congestion window, bwnd, can potentially
1735 * destabilize the algorithm. For this reason we have to stabilize the
1736 * elements used to calculate the window. We do this by using the minimum
1737 * observed RTT, the long term average of the observed bandwidth, and
1738 * by adding two segments worth of slop. It isn't perfect but it is able
1739 * to react to changing conditions and gives us a very stable basis on
1740 * which to extend the algorithm.
1743 tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
1749 INP_WLOCK_ASSERT(tp->t_inpcb);
1752 * If inflight_enable is disabled in the middle of a tcp connection,
1753 * make sure snd_bwnd is effectively disabled.
1755 if (tcp_inflight_enable == 0 || tp->t_rttlow < tcp_inflight_rttthresh) {
1756 tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
1757 tp->snd_bandwidth = 0;
1762 * Figure out the bandwidth. Due to the tick granularity this
1763 * is a very rough number and it MUST be averaged over a fairly
1764 * long period of time. XXX we need to take into account a link
1765 * that is not using all available bandwidth, but for now our
1766 * slop will ramp us up if this case occurs and the bandwidth later
1769 * Note: if ticks rollover 'bw' may wind up negative. We must
1770 * effectively reset t_bw_rtttime for this case.
1773 if ((u_int)(save_ticks - tp->t_bw_rtttime) < 1)
1776 bw = (int64_t)(ack_seq - tp->t_bw_rtseq) * hz /
1777 (save_ticks - tp->t_bw_rtttime);
1778 tp->t_bw_rtttime = save_ticks;
1779 tp->t_bw_rtseq = ack_seq;
1780 if (tp->t_bw_rtttime == 0 || (int)bw < 0)
1782 bw = ((int64_t)tp->snd_bandwidth * 15 + bw) >> 4;
1784 tp->snd_bandwidth = bw;
1787 * Calculate the semi-static bandwidth delay product, plus two maximal
1788 * segments. The additional slop puts us squarely in the sweet
1789 * spot and also handles the bandwidth run-up case and stabilization.
1790 * Without the slop we could be locking ourselves into a lower
1793 * Situations Handled:
1794 * (1) Prevents over-queueing of packets on LANs, especially on
1795 * high speed LANs, allowing larger TCP buffers to be
1796 * specified, and also does a good job preventing
1797 * over-queueing of packets over choke points like modems
1798 * (at least for the transmit side).
1800 * (2) Is able to handle changing network loads (bandwidth
1801 * drops so bwnd drops, bandwidth increases so bwnd
1804 * (3) Theoretically should stabilize in the face of multiple
1805 * connections implementing the same algorithm (this may need
1808 * (4) Stability value (defaults to 20 = 2 maximal packets) can
1809 * be adjusted with a sysctl but typically only needs to be
1810 * on very slow connections. A value no smaller then 5
1811 * should be used, but only reduce this default if you have
1814 #define USERTT ((tp->t_srtt + tp->t_rttbest) / 2)
1815 bwnd = (int64_t)bw * USERTT / (hz << TCP_RTT_SHIFT) + tcp_inflight_stab * tp->t_maxseg / 10;
1818 if (tcp_inflight_debug > 0) {
1820 if ((u_int)(ticks - ltime) >= hz / tcp_inflight_debug) {
1822 printf("%p bw %ld rttbest %d srtt %d bwnd %ld\n",
1831 if ((long)bwnd < tcp_inflight_min)
1832 bwnd = tcp_inflight_min;
1833 if (bwnd > tcp_inflight_max)
1834 bwnd = tcp_inflight_max;
1835 if ((long)bwnd < tp->t_maxseg * 2)
1836 bwnd = tp->t_maxseg * 2;
1837 tp->snd_bwnd = bwnd;
1840 #ifdef TCP_SIGNATURE
1842 * Callback function invoked by m_apply() to digest TCP segment data
1843 * contained within an mbuf chain.
1846 tcp_signature_apply(void *fstate, void *data, u_int len)
1849 MD5Update(fstate, (u_char *)data, len);
1854 * Compute TCP-MD5 hash of a TCP segment. (RFC2385)
1857 * m pointer to head of mbuf chain
1859 * len length of TCP segment data, excluding options
1860 * optlen length of TCP segment options
1861 * buf pointer to storage for computed MD5 digest
1862 * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
1864 * We do this over ip, tcphdr, segment data, and the key in the SADB.
1865 * When called from tcp_input(), we can be sure that th_sum has been
1866 * zeroed out and verified already.
1868 * Return 0 if successful, otherwise return -1.
1870 * XXX The key is retrieved from the system's PF_KEY SADB, by keying a
1871 * search with the destination IP address, and a 'magic SPI' to be
1872 * determined by the application. This is hardcoded elsewhere to 1179
1873 * right now. Another branch of this code exists which uses the SPD to
1874 * specify per-application flows but it is unstable.
1877 tcp_signature_compute(struct mbuf *m, int _unused, int len, int optlen,
1878 u_char *buf, u_int direction)
1880 union sockaddr_union dst;
1881 struct ippseudo ippseudo;
1885 struct ipovly *ipovly;
1886 struct secasvar *sav;
1889 struct ip6_hdr *ip6;
1890 struct in6_addr in6;
1891 char ip6buf[INET6_ADDRSTRLEN];
1897 KASSERT(m != NULL, ("NULL mbuf chain"));
1898 KASSERT(buf != NULL, ("NULL signature pointer"));
1900 /* Extract the destination from the IP header in the mbuf. */
1901 bzero(&dst, sizeof(union sockaddr_union));
1902 ip = mtod(m, struct ip *);
1904 ip6 = NULL; /* Make the compiler happy. */
1908 dst.sa.sa_len = sizeof(struct sockaddr_in);
1909 dst.sa.sa_family = AF_INET;
1910 dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
1911 ip->ip_src : ip->ip_dst;
1914 case (IPV6_VERSION >> 4):
1915 ip6 = mtod(m, struct ip6_hdr *);
1916 dst.sa.sa_len = sizeof(struct sockaddr_in6);
1917 dst.sa.sa_family = AF_INET6;
1918 dst.sin6.sin6_addr = (direction == IPSEC_DIR_INBOUND) ?
1919 ip6->ip6_src : ip6->ip6_dst;
1928 /* Look up an SADB entry which matches the address of the peer. */
1929 sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
1931 ipseclog((LOG_ERR, "%s: SADB lookup failed for %s\n", __func__,
1932 (ip->ip_v == IPVERSION) ? inet_ntoa(dst.sin.sin_addr) :
1934 (ip->ip_v == (IPV6_VERSION >> 4)) ?
1935 ip6_sprintf(ip6buf, &dst.sin6.sin6_addr) :
1943 * Step 1: Update MD5 hash with IP(v6) pseudo-header.
1945 * XXX The ippseudo header MUST be digested in network byte order,
1946 * or else we'll fail the regression test. Assume all fields we've
1947 * been doing arithmetic on have been in host byte order.
1948 * XXX One cannot depend on ipovly->ih_len here. When called from
1949 * tcp_output(), the underlying ip_len member has not yet been set.
1953 ipovly = (struct ipovly *)ip;
1954 ippseudo.ippseudo_src = ipovly->ih_src;
1955 ippseudo.ippseudo_dst = ipovly->ih_dst;
1956 ippseudo.ippseudo_pad = 0;
1957 ippseudo.ippseudo_p = IPPROTO_TCP;
1958 ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) +
1960 MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
1962 th = (struct tcphdr *)((u_char *)ip + sizeof(struct ip));
1963 doff = sizeof(struct ip) + sizeof(struct tcphdr) + optlen;
1967 * RFC 2385, 2.0 Proposal
1968 * For IPv6, the pseudo-header is as described in RFC 2460, namely the
1969 * 128-bit source IPv6 address, 128-bit destination IPv6 address, zero-
1970 * extended next header value (to form 32 bits), and 32-bit segment
1972 * Note: Upper-Layer Packet Length comes before Next Header.
1974 case (IPV6_VERSION >> 4):
1976 in6_clearscope(&in6);
1977 MD5Update(&ctx, (char *)&in6, sizeof(struct in6_addr));
1979 in6_clearscope(&in6);
1980 MD5Update(&ctx, (char *)&in6, sizeof(struct in6_addr));
1981 plen = htonl(len + sizeof(struct tcphdr) + optlen);
1982 MD5Update(&ctx, (char *)&plen, sizeof(uint32_t));
1984 MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
1985 MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
1986 MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
1988 MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
1990 th = (struct tcphdr *)((u_char *)ip6 + sizeof(struct ip6_hdr));
1991 doff = sizeof(struct ip6_hdr) + sizeof(struct tcphdr) + optlen;
2002 * Step 2: Update MD5 hash with TCP header, excluding options.
2003 * The TCP checksum must be set to zero.
2005 savecsum = th->th_sum;
2007 MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
2008 th->th_sum = savecsum;
2011 * Step 3: Update MD5 hash with TCP segment data.
2012 * Use m_apply() to avoid an early m_pullup().
2015 m_apply(m, doff, len, tcp_signature_apply, &ctx);
2018 * Step 4: Update MD5 hash with shared secret.
2020 MD5Update(&ctx, sav->key_auth->key_data, _KEYLEN(sav->key_auth));
2021 MD5Final(buf, &ctx);
2023 key_sa_recordxfer(sav, m);
2027 #endif /* TCP_SIGNATURE */
2030 sysctl_drop(SYSCTL_HANDLER_ARGS)
2032 /* addrs[0] is a foreign socket, addrs[1] is a local one. */
2033 struct sockaddr_storage addrs[2];
2037 struct sockaddr_in *fin, *lin;
2039 struct sockaddr_in6 *fin6, *lin6;
2040 struct in6_addr f6, l6;
2051 if (req->oldptr != NULL || req->oldlen != 0)
2053 if (req->newptr == NULL)
2055 if (req->newlen < sizeof(addrs))
2057 error = SYSCTL_IN(req, &addrs, sizeof(addrs));
2061 switch (addrs[0].ss_family) {
2064 fin6 = (struct sockaddr_in6 *)&addrs[0];
2065 lin6 = (struct sockaddr_in6 *)&addrs[1];
2066 if (fin6->sin6_len != sizeof(struct sockaddr_in6) ||
2067 lin6->sin6_len != sizeof(struct sockaddr_in6))
2069 if (IN6_IS_ADDR_V4MAPPED(&fin6->sin6_addr)) {
2070 if (!IN6_IS_ADDR_V4MAPPED(&lin6->sin6_addr))
2072 in6_sin6_2_sin_in_sock((struct sockaddr *)&addrs[0]);
2073 in6_sin6_2_sin_in_sock((struct sockaddr *)&addrs[1]);
2074 fin = (struct sockaddr_in *)&addrs[0];
2075 lin = (struct sockaddr_in *)&addrs[1];
2078 error = sa6_embedscope(fin6, ip6_use_defzone);
2081 error = sa6_embedscope(lin6, ip6_use_defzone);
2087 fin = (struct sockaddr_in *)&addrs[0];
2088 lin = (struct sockaddr_in *)&addrs[1];
2089 if (fin->sin_len != sizeof(struct sockaddr_in) ||
2090 lin->sin_len != sizeof(struct sockaddr_in))
2096 INP_INFO_WLOCK(&tcbinfo);
2097 switch (addrs[0].ss_family) {
2100 inp = in6_pcblookup_hash(&tcbinfo, &f6, fin6->sin6_port,
2101 &l6, lin6->sin6_port, 0, NULL);
2105 inp = in_pcblookup_hash(&tcbinfo, fin->sin_addr, fin->sin_port,
2106 lin->sin_addr, lin->sin_port, 0, NULL);
2111 if (inp->inp_flags & INP_TIMEWAIT) {
2113 * XXXRW: There currently exists a state where an
2114 * inpcb is present, but its timewait state has been
2115 * discarded. For now, don't allow dropping of this
2123 } else if (!(inp->inp_flags & INP_DROPPED) &&
2124 !(inp->inp_socket->so_options & SO_ACCEPTCONN)) {
2125 tp = intotcpcb(inp);
2126 tp = tcp_drop(tp, ECONNABORTED);
2133 INP_INFO_WUNLOCK(&tcbinfo);
2137 SYSCTL_PROC(_net_inet_tcp, TCPCTL_DROP, drop,
2138 CTLTYPE_STRUCT|CTLFLAG_WR|CTLFLAG_SKIP, NULL,
2139 0, sysctl_drop, "", "Drop TCP connection");
2142 * Generate a standardized TCP log line for use throughout the
2143 * tcp subsystem. Memory allocation is done with M_NOWAIT to
2144 * allow use in the interrupt context.
2146 * NB: The caller MUST free(s, M_TCPLOG) the returned string.
2147 * NB: The function may return NULL if memory allocation failed.
2149 * Due to header inclusion and ordering limitations the struct ip
2150 * and ip6_hdr pointers have to be passed as void pointers.
2153 tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
2160 const struct ip6_hdr *ip6;
2162 ip6 = (const struct ip6_hdr *)ip6hdr;
2164 ip = (struct ip *)ip4hdr;
2167 * The log line looks like this:
2168 * "TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags 0x2<SYN>"
2170 size = sizeof("TCP: []:12345 to []:12345 tcpflags 0x2<>") +
2171 sizeof(PRINT_TH_FLAGS) + 1 +
2173 2 * INET6_ADDRSTRLEN;
2175 2 * INET_ADDRSTRLEN;
2178 /* Is logging enabled? */
2179 if (tcp_log_debug == 0 && tcp_log_in_vain == 0)
2182 s = malloc(size, M_TCPLOG, M_ZERO|M_NOWAIT);
2186 strcat(s, "TCP: [");
2189 if (inc && ((inc->inc_flags & INC_ISIPV6) == 0)) {
2190 inet_ntoa_r(inc->inc_faddr, sp);
2192 sprintf(sp, "]:%i to [", ntohs(inc->inc_fport));
2194 inet_ntoa_r(inc->inc_laddr, sp);
2196 sprintf(sp, "]:%i", ntohs(inc->inc_lport));
2199 ip6_sprintf(sp, &inc->inc6_faddr);
2201 sprintf(sp, "]:%i to [", ntohs(inc->inc_fport));
2203 ip6_sprintf(sp, &inc->inc6_laddr);
2205 sprintf(sp, "]:%i", ntohs(inc->inc_lport));
2206 } else if (ip6 && th) {
2207 ip6_sprintf(sp, &ip6->ip6_src);
2209 sprintf(sp, "]:%i to [", ntohs(th->th_sport));
2211 ip6_sprintf(sp, &ip6->ip6_dst);
2213 sprintf(sp, "]:%i", ntohs(th->th_dport));
2215 } else if (ip && th) {
2216 inet_ntoa_r(ip->ip_src, sp);
2218 sprintf(sp, "]:%i to [", ntohs(th->th_sport));
2220 inet_ntoa_r(ip->ip_dst, sp);
2222 sprintf(sp, "]:%i", ntohs(th->th_dport));
2229 sprintf(sp, " tcpflags 0x%b", th->th_flags, PRINT_TH_FLAGS);
2230 if (*(s + size - 1) != '\0')
2231 panic("%s: string too long", __func__);