
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
59 #include <crypto/siphash/siphash.h>
118 #define ADDED_BY_TOE(sc) ((sc)->sc_tod != NULL)
174 "Per-bucket hash limit for syncache");
200 if ((error == 0) && (req->newptr != NULL)) { in sysctl_net_inet_tcp_syncache_rexmtlimit_check()
222 #define SCH_LOCK(sch) mtx_lock(&(sch)->sch_mtx)
223 #define SCH_UNLOCK(sch) mtx_unlock(&(sch)->sch_mtx)
224 #define SCH_LOCK_ASSERT(sch) mtx_assert(&(sch)->sch_mtx, MA_OWNED)
233 if (sc->sc_ipopts) in syncache_free()
234 (void)m_free(sc->sc_ipopts); in syncache_free()
235 if (sc->sc_cred) in syncache_free()
236 crfree(sc->sc_cred); in syncache_free()
238 mac_syncache_destroy(&sc->sc_label); in syncache_free()
263 V_tcp_syncache.hashmask = V_tcp_syncache.hashsize - 1; in syncache_init()
289 -(SYNCOOKIE_LIFETIME + 1); in syncache_init()
309 V_tcp_syncache.pause_until = time_uptime - TCP_SYNCACHE_PAUSE_TIME; in syncache_init()
323 * Stop the re-seed timer before freeing resources. No need to in syncache_destroy()
339 callout_drain(&sch->sch_timer); in syncache_destroy()
342 TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc) in syncache_destroy()
345 KASSERT(TAILQ_EMPTY(&sch->sch_bucket), in syncache_destroy()
346 ("%s: sch->sch_bucket not empty", __func__)); in syncache_destroy()
347 KASSERT(sch->sch_length == 0, ("%s: sch->sch_length %d not 0", in syncache_destroy()
348 __func__, sch->sch_length)); in syncache_destroy()
349 mtx_destroy(&sch->sch_mtx); in syncache_destroy()
374 * Make sure that we don't overflow the per-bucket limit. in syncache_insert()
377 if (sch->sch_length >= V_tcp_syncache.bucket_limit) { in syncache_insert()
378 KASSERT(!TAILQ_EMPTY(&sch->sch_bucket), in syncache_insert()
379 ("sch->sch_length incorrect")); in syncache_insert()
380 syncache_pause(&sc->sc_inc); in syncache_insert()
381 sc2 = TAILQ_LAST(&sch->sch_bucket, sch_head); in syncache_insert()
382 sch->sch_last_overflow = time_uptime; in syncache_insert()
387 TAILQ_INSERT_HEAD(&sch->sch_bucket, sc, sc_hash); in syncache_insert()
388 sch->sch_length++; in syncache_insert()
392 struct toedev *tod = sc->sc_tod; in syncache_insert()
394 tod->tod_syncache_added(tod, sc->sc_todctx); in syncache_insert()
399 if (sch->sch_length == 1) in syncache_insert()
400 sch->sch_nextc = ticks + INT_MAX; in syncache_insert()
420 TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash); in syncache_drop()
421 sch->sch_length--; in syncache_drop()
425 struct toedev *tod = sc->sc_tod; in syncache_drop()
427 tod->tod_syncache_removed(tod, sc->sc_todctx); in syncache_drop()
442 if (sc->sc_rxmits == 0) in syncache_timeout()
446 tcp_rexmit_initial * tcp_backoff[sc->sc_rxmits], in syncache_timeout()
448 sc->sc_rxttime = ticks + rexmt; in syncache_timeout()
449 sc->sc_rxmits++; in syncache_timeout()
450 if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc)) { in syncache_timeout()
451 sch->sch_nextc = sc->sc_rxttime; in syncache_timeout()
453 callout_reset(&sch->sch_timer, sch->sch_nextc - ticks, in syncache_timeout()
473 CURVNET_SET(sch->sch_sc->vnet); in syncache_timer()
480 * advance some timeouts, so re-initialize the bucket timer. in syncache_timer()
482 sch->sch_nextc = tick + INT_MAX; in syncache_timer()
492 TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc) { in syncache_timer()
502 * then the RST will be sent by the time the remote in syncache_timer()
503 * host does the SYN/ACK->ACK. in syncache_timer()
505 if (TSTMP_GT(sc->sc_rxttime, tick)) { in syncache_timer()
506 if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc)) in syncache_timer()
507 sch->sch_nextc = sc->sc_rxttime; in syncache_timer()
510 if (sc->sc_rxmits > V_tcp_ecn_maxretries) { in syncache_timer()
511 sc->sc_flags &= ~SCF_ECN_MASK; in syncache_timer()
513 if (sc->sc_rxmits > V_tcp_syncache.rexmt_limit) { in syncache_timer()
514 if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) { in syncache_timer()
524 if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) { in syncache_timer()
527 s, __func__, sc->sc_rxmits); in syncache_timer()
547 if (!TAILQ_EMPTY(&(sch)->sch_bucket)) in syncache_timer()
548 callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick, in syncache_timer()
578 * 32-bit words of the address always are zeroes. in syncache_hashbucket()
580 hash = jenkins_hash32((uint32_t *)&inc->inc_ie, 5, in syncache_hashbucket()
600 TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) in syncache_lookup()
601 if (bcmp(&inc->inc_ie, &sc->sc_inc.inc_ie, in syncache_lookup()
609 * This function is called when we get a RST for a
610 * non-existent connection, so that we can see if the
630 * used, or we are under memory pressure, a valid RST in syncache_chkrst()
633 * Otherwise the RST was misdirected or spoofed. in syncache_chkrst()
637 log(LOG_DEBUG, "%s; %s: Spurious RST without matching " in syncache_chkrst()
645 if (sc->sc_port != port) { in syncache_chkrst()
647 log(LOG_DEBUG, "%s; %s: Spurious RST with matching " in syncache_chkrst()
648 "syncache entry but non-matching UDP encaps port, " in syncache_chkrst()
655 * If the RST bit is set, check the sequence number to see in syncache_chkrst()
659 * In all states except SYN-SENT, all reset (RST) segments in syncache_chkrst()
660 * are validated by checking their SEQ-fields. A reset is in syncache_chkrst()
669 * ------- ------- ------------------------------------------- in syncache_chkrst()
674 * or RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND in syncache_chkrst()
680 if ((SEQ_GEQ(th->th_seq, sc->sc_irs + 1) && in syncache_chkrst()
681 SEQ_LT(th->th_seq, sc->sc_irs + 1 + sc->sc_wnd)) || in syncache_chkrst()
682 (sc->sc_wnd == 0 && th->th_seq == sc->sc_irs + 1)) { in syncache_chkrst()
684 th->th_seq == sc->sc_irs + 1) { in syncache_chkrst()
697 log(LOG_DEBUG, "%s; %s: RST with invalid " in syncache_chkrst()
701 th->th_seq, sc->sc_irs + 1, sc->sc_wnd); in syncache_chkrst()
706 log(LOG_DEBUG, "%s; %s: RST with invalid SEQ %u != " in syncache_chkrst()
709 th->th_seq, sc->sc_irs + 1, sc->sc_wnd); in syncache_chkrst()
733 if (port != sc->sc_port) in syncache_unreach()
737 if (ntohl(th_seq) != sc->sc_iss) in syncache_unreach()
748 if ((sc->sc_flags & SCF_UNREACH) == 0 || sc->sc_rxmits < 3 + 1) { in syncache_unreach()
749 sc->sc_flags |= SCF_UNREACH; in syncache_unreach()
795 inp->inp_inc.inc_flags = sc->sc_inc.inc_flags; in syncache_socket()
797 if (sc->sc_inc.inc_flags & INC_ISIPV6) { in syncache_socket()
798 inp->inp_vflag &= ~INP_IPV4; in syncache_socket()
799 inp->inp_vflag |= INP_IPV6; in syncache_socket()
800 inp->in6p_laddr = sc->sc_inc.inc6_laddr; in syncache_socket()
802 inp->inp_vflag &= ~INP_IPV6; in syncache_socket()
803 inp->inp_vflag |= INP_IPV4; in syncache_socket()
805 inp->inp_ip_ttl = sc->sc_ip_ttl; in syncache_socket()
806 inp->inp_ip_tos = sc->sc_ip_tos; in syncache_socket()
807 inp->inp_laddr = sc->sc_inc.inc_laddr; in syncache_socket()
817 inp->inp_flowid = m->m_pkthdr.flowid; in syncache_socket()
818 inp->inp_flowtype = M_HASHTYPE_GET(m); in syncache_socket()
820 inp->inp_numa_domain = m->m_pkthdr.numa_domain; in syncache_socket()
824 inp->inp_lport = sc->sc_inc.inc_lport; in syncache_socket()
826 if (inp->inp_vflag & INP_IPV6PROTO) { in syncache_socket()
838 inp->inp_flags |= oinp->inp_flags & INP_CONTROLOPTS; in syncache_socket()
839 if (oinp->in6p_outputopts) in syncache_socket()
840 inp->in6p_outputopts = in syncache_socket()
841 ip6_copypktopts(oinp->in6p_outputopts, M_NOWAIT); in syncache_socket()
842 inp->in6p_hops = oinp->in6p_hops; in syncache_socket()
845 if (sc->sc_inc.inc_flags & INC_ISIPV6) { in syncache_socket()
850 sin6.sin6_addr = sc->sc_inc.inc6_faddr; in syncache_socket()
851 sin6.sin6_port = sc->sc_inc.inc_fport; in syncache_socket()
859 inp->inp_flow &= ~IPV6_FLOWLABEL_MASK; in syncache_socket()
860 inp->inp_flow |= sc->sc_flowlabel; in syncache_socket()
870 inp->inp_options = (m) ? ip_srcroute(m) : NULL; in syncache_socket()
872 if (inp->inp_options == NULL) { in syncache_socket()
873 inp->inp_options = sc->sc_ipopts; in syncache_socket()
874 sc->sc_ipopts = NULL; in syncache_socket()
879 sin.sin_addr = sc->sc_inc.inc_faddr; in syncache_socket()
880 sin.sin_port = sc->sc_inc.inc_fport; in syncache_socket()
894 tp->t_state = TCPS_SYN_RECEIVED; in syncache_socket()
895 tp->iss = sc->sc_iss; in syncache_socket()
896 tp->irs = sc->sc_irs; in syncache_socket()
897 tp->t_port = sc->sc_port; in syncache_socket()
900 tp->snd_wl1 = sc->sc_irs; in syncache_socket()
901 tp->snd_max = tp->iss + 1; in syncache_socket()
902 tp->snd_nxt = tp->iss + 1; in syncache_socket()
903 tp->rcv_up = sc->sc_irs + 1; in syncache_socket()
904 tp->rcv_wnd = sc->sc_wnd; in syncache_socket()
905 tp->rcv_adv += tp->rcv_wnd; in syncache_socket()
906 tp->last_ack_sent = tp->rcv_nxt; in syncache_socket()
908 tp->t_flags = sototcpcb(lso)->t_flags & in syncache_socket()
910 if (sc->sc_flags & SCF_NOOPT) in syncache_socket()
911 tp->t_flags |= TF_NOOPT; in syncache_socket()
913 if (sc->sc_flags & SCF_WINSCALE) { in syncache_socket()
914 tp->t_flags |= TF_REQ_SCALE|TF_RCVD_SCALE; in syncache_socket()
915 tp->snd_scale = sc->sc_requested_s_scale; in syncache_socket()
916 tp->request_r_scale = sc->sc_requested_r_scale; in syncache_socket()
918 if (sc->sc_flags & SCF_TIMESTAMP) { in syncache_socket()
919 tp->t_flags |= TF_REQ_TSTMP|TF_RCVD_TSTMP; in syncache_socket()
920 tp->ts_recent = sc->sc_tsreflect; in syncache_socket()
921 tp->ts_recent_age = tcp_ts_getticks(); in syncache_socket()
922 tp->ts_offset = sc->sc_tsoff; in syncache_socket()
925 if (sc->sc_flags & SCF_SIGNATURE) in syncache_socket()
926 tp->t_flags |= TF_SIGNATURE; in syncache_socket()
928 if (sc->sc_flags & SCF_SACK) in syncache_socket()
929 tp->t_flags |= TF_SACK_PERMIT; in syncache_socket()
938 tcp_mss(tp, sc->sc_peer_mss); in syncache_socket()
945 if (sc->sc_rxmits > 1) in syncache_socket()
946 tp->snd_cwnd = 1; in syncache_socket()
949 tp->t_challenge_ack_end = sc->sc_challenge_ack_end; in syncache_socket()
950 tp->t_challenge_ack_cnt = sc->sc_challenge_ack_cnt; in syncache_socket()
959 struct toedev *tod = sc->sc_tod; in syncache_socket()
961 tod->tod_offload_socket(tod, sc->sc_todctx, so); in syncache_socket()
967 * - the log state of the listening socket is not off and in syncache_socket()
968 * - the listening socket was not auto selected from all sessions and in syncache_socket()
969 * - a log id is not set on the listening socket. in syncache_socket()
973 ((sototcpcb(lso)->t_flags2 & TF2_LOG_AUTO) == 0) && in syncache_socket()
974 (sototcpcb(lso)->t_lib == NULL)) { in syncache_socket()
981 tp->t_maxunacktime = sototcpcb(lso)->t_maxunacktime; in syncache_socket()
982 tp->t_keepinit = sototcpcb(lso)->t_keepinit; in syncache_socket()
983 tp->t_keepidle = sototcpcb(lso)->t_keepidle; in syncache_socket()
984 tp->t_keepintvl = sototcpcb(lso)->t_keepintvl; in syncache_socket()
985 tp->t_keepcnt = sototcpcb(lso)->t_keepcnt; in syncache_socket()
992 tp->t_flags |= TF_SONOTCONN; in syncache_socket()
994 if (tp->t_fb->tfb_inherit != NULL) { in syncache_socket()
995 (*tp->t_fb->tfb_inherit)(tp, sotoinpcb(lso)); in syncache_socket()
1001 * Drop the connection; we will either send a RST or have the peer in syncache_socket()
1004 if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) { in syncache_socket()
1017 if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) { in syncache_socket()
1019 s, __func__, (sc->sc_inc.inc_flags & INC_ISIPV6) ? "6" : "", in syncache_socket()
1031 * the cache and turn it into a full-blown connection in
1032 * the SYN-RECEIVED state.
1095 if (sch->sch_last_overflow < in syncache_expand()
1096 time_uptime - SYNCOOKIE_LIFETIME) { in syncache_expand()
1134 if ((to->to_flags & TOF_SIGNATURE) != 0 && in syncache_expand()
1136 TCPMD5_INPUT(m, th, to->to_signature) != 0)) { in syncache_expand()
1145 return (-1); /* Do not send RST */ in syncache_expand()
1150 if (sc->sc_port != port) { in syncache_expand()
1161 if (sc->sc_flags & SCF_SIGNATURE) { in syncache_expand()
1162 if ((to->to_flags & TOF_SIGNATURE) == 0) { in syncache_expand()
1172 return (-1); /* Do not send RST */ in syncache_expand()
1175 TCPMD5_INPUT(m, th, to->to_signature) != 0) { in syncache_expand()
1184 return (-1); /* Do not send RST */ in syncache_expand()
1197 if (sc->sc_flags & SCF_TIMESTAMP && to->to_flags & TOF_TS && in syncache_expand()
1198 TSTMP_LT(to->to_tsval, sc->sc_tsreflect)) { in syncache_expand()
1203 to->to_tsval, sc->sc_tsreflect); in syncache_expand()
1207 return (-1); /* Do not send RST */ in syncache_expand()
1216 if (!(sc->sc_flags & SCF_TIMESTAMP) && in syncache_expand()
1217 (to->to_flags & TOF_TS)) { in syncache_expand()
1232 if ((sc->sc_flags & SCF_TIMESTAMP) && in syncache_expand()
1233 !(to->to_flags & TOF_TS)) { in syncache_expand()
1251 return (-1); /* Do not send RST */ in syncache_expand()
1260 if (SEQ_LEQ(th->th_seq, sc->sc_irs) || in syncache_expand()
1261 SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) { in syncache_expand()
1265 s, __func__, th->th_seq, sc->sc_irs + 1); in syncache_expand()
1269 return (-1); /* Do not send RST */ in syncache_expand()
1276 if (th->th_ack != sc->sc_iss + 1) { in syncache_expand()
1280 s, __func__, th->th_ack, sc->sc_iss + 1); in syncache_expand()
1283 return (0); /* Do send RST, do not free sc. */ in syncache_expand()
1286 TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash); in syncache_expand()
1287 sch->sch_length--; in syncache_expand()
1290 struct toedev *tod = sc->sc_tod; in syncache_expand()
1292 tod->tod_syncache_removed(tod, sc->sc_todctx); in syncache_expand()
1322 pending_counter = intotcpcb(sotoinpcb(lso))->t_tfo_pending; in syncache_tfo_expand()
1331 tp->t_flags |= TF_FASTOPEN; in syncache_tfo_expand()
1332 tp->t_tfo_cookie.server = response_cookie; in syncache_tfo_expand()
1333 tp->snd_max = tp->iss; in syncache_tfo_expand()
1334 tp->snd_nxt = tp->iss; in syncache_tfo_expand()
1335 tp->t_tfo_pending = pending_counter; in syncache_tfo_expand()
1351 * to the application. However, if we are the target of a SYN-flood
1399 cred = V_tcp_syncache.see_other ? NULL : crhold(so->so_cred); in syncache_add()
1402 if (inc->inc_flags & INC_ISIPV6) { in syncache_add()
1403 if (inp->inp_flags & IN6P_AUTOFLOWLABEL) { in syncache_add()
1407 if ((inp->in6p_outputopts == NULL) || in syncache_add()
1408 (inp->in6p_outputopts->ip6po_tclass == -1)) { in syncache_add()
1411 ip_tos = inp->in6p_outputopts->ip6po_tclass; in syncache_add()
1420 ip_ttl = inp->inp_ip_ttl; in syncache_add()
1421 ip_tos = inp->inp_ip_tos; in syncache_add()
1424 win = so->sol_sbrcv_hiwat; in syncache_add()
1425 ltflags = (tp->t_flags & (TF_NOOPT | TF_SIGNATURE)); in syncache_add()
1427 if (V_tcp_fastopen_server_enable && (tp->t_flags & TF_FASTOPEN) && in syncache_add()
1428 (tp->t_tfo_pending != NULL) && in syncache_add()
1429 (to->to_flags & TOF_FASTOPEN)) { in syncache_add()
1436 if (atomic_fetchadd_int(tp->t_tfo_pending, 1) <= in syncache_add()
1437 (so->sol_qlimit / 2)) { in syncache_add()
1441 to->to_tfo_cookie, to->to_tfo_len, in syncache_add()
1451 tfo_pending = tp->t_tfo_pending; in syncache_add()
1468 if (!(inc->inc_flags & INC_ISIPV6)) in syncache_add()
1478 * When the socket is TCP-MD5 enabled check that, in syncache_add()
1479 * - a signed packet is valid in syncache_add()
1480 * - a non-signed packet does not have a security association in syncache_add()
1482 * If a signed packet fails validation or a non-signed packet has a in syncache_add()
1486 if (to->to_flags & TOF_SIGNATURE) { in syncache_add()
1488 TCPMD5_INPUT(m, th, to->to_signature) != 0) in syncache_add()
1495 } else if (to->to_flags & TOF_SIGNATURE) in syncache_add()
1502 * XXX: should the syncache be re-initialized with the contents in syncache_add()
1528 if (sc->sc_ipopts) in syncache_add()
1529 (void)m_free(sc->sc_ipopts); in syncache_add()
1530 sc->sc_ipopts = ipopts; in syncache_add()
1535 if ((sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS)) in syncache_add()
1536 sc->sc_tsreflect = to->to_tsval; in syncache_add()
1538 sc->sc_flags &= ~SCF_TIMESTAMP; in syncache_add()
1543 if (sc->sc_flags & SCF_ECN_MASK) { in syncache_add()
1544 sc->sc_flags &= ~SCF_ECN_MASK; in syncache_add()
1545 sc->sc_flags |= tcp_ecn_syncache_add(tcp_get_flags(th), iptos); in syncache_add()
1557 if ((s = tcp_log_addrs(&sc->sc_inc, th, NULL, NULL))) { in syncache_add()
1564 sc->sc_rxmits = 0; in syncache_add()
1597 sc = TAILQ_LAST(&sch->sch_bucket, sch_head); in syncache_add()
1599 sch->sch_last_overflow = time_uptime; in syncache_add()
1621 sc->sc_tfo_cookie = &tfo_response_cookie; in syncache_add()
1627 sc->sc_label = maclabel; in syncache_add()
1633 * - sc is allocated from the zone and not using the on stack instance. in syncache_add()
1634 * - the sysctl variable net.inet.tcp.syncache.see_other is false. in syncache_add()
1639 sc->sc_cred = cred; in syncache_add()
1642 sc->sc_cred = NULL; in syncache_add()
1643 sc->sc_port = port; in syncache_add()
1644 sc->sc_ipopts = ipopts; in syncache_add()
1645 bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo)); in syncache_add()
1646 sc->sc_ip_tos = ip_tos; in syncache_add()
1647 sc->sc_ip_ttl = ip_ttl; in syncache_add()
1649 sc->sc_tod = tod; in syncache_add()
1650 sc->sc_todctx = todctx; in syncache_add()
1652 sc->sc_irs = th->th_seq; in syncache_add()
1653 sc->sc_flags = 0; in syncache_add()
1654 sc->sc_flowlabel = 0; in syncache_add()
1662 sc->sc_wnd = win; in syncache_add()
1670 if ((to->to_flags & TOF_TS) && (V_tcp_do_rfc1323 != 2)) { in syncache_add()
1671 sc->sc_tsreflect = to->to_tsval; in syncache_add()
1672 sc->sc_flags |= SCF_TIMESTAMP; in syncache_add()
1673 sc->sc_tsoff = tcp_new_ts_offset(inc); in syncache_add()
1675 if ((to->to_flags & TOF_SCALE) && (V_tcp_do_rfc1323 != 3)) { in syncache_add()
1702 sc->sc_requested_r_scale = wscale; in syncache_add()
1703 sc->sc_requested_s_scale = to->to_wscale; in syncache_add()
1704 sc->sc_flags |= SCF_WINSCALE; in syncache_add()
1713 if (to->to_flags & TOF_SIGNATURE) in syncache_add()
1714 sc->sc_flags |= SCF_SIGNATURE; in syncache_add()
1716 if (to->to_flags & TOF_SACKPERM) in syncache_add()
1717 sc->sc_flags |= SCF_SACK; in syncache_add()
1718 if (to->to_flags & TOF_MSS) in syncache_add()
1719 sc->sc_peer_mss = to->to_mss; /* peer mss may be zero */ in syncache_add()
1721 sc->sc_flags |= SCF_NOOPT; in syncache_add()
1723 if (V_tcp_do_ecn && (tp->t_flags2 & TF2_CANNOT_DO_ECN) == 0) in syncache_add()
1724 sc->sc_flags |= tcp_ecn_syncache_add(tcp_get_flags(th), iptos); in syncache_add()
1727 sc->sc_iss = syncookie_generate(sch, sc); in syncache_add()
1729 sc->sc_iss = arc4random(); in syncache_add()
1733 sc->sc_flowlabel = sc->sc_iss; in syncache_add()
1735 sc->sc_flowlabel = ip6_randomflowlabel(); in syncache_add()
1736 sc->sc_flowlabel = htonl(sc->sc_flowlabel) & IPV6_FLOWLABEL_MASK; in syncache_add()
1750 * Do a standard 3-way handshake. in syncache_add()
1816 (sc->sc_inc.inc_flags & INC_ISIPV6) ? sizeof(struct ip6_hdr) : in syncache_respond()
1820 if (sc->sc_port) { in syncache_respond()
1824 mssopt = tcp_mssopt(&sc->sc_inc); in syncache_respond()
1825 if (sc->sc_port) in syncache_respond()
1826 mssopt -= V_tcp_udp_tunneling_overhead; in syncache_respond()
1832 "tlen %d + TCP_MAXOLEN %ju <= MHLEN %d", hlen, sc->sc_port, in syncache_respond()
1840 mac_syncache_create_mbuf(sc->sc_label, m); in syncache_respond()
1842 m->m_data += max_linkhdr; in syncache_respond()
1843 m->m_len = tlen; in syncache_respond()
1844 m->m_pkthdr.len = tlen; in syncache_respond()
1845 m->m_pkthdr.rcvif = NULL; in syncache_respond()
1848 if (sc->sc_inc.inc_flags & INC_ISIPV6) { in syncache_respond()
1850 ip6->ip6_vfc = IPV6_VERSION; in syncache_respond()
1851 ip6->ip6_src = sc->sc_inc.inc6_laddr; in syncache_respond()
1852 ip6->ip6_dst = sc->sc_inc.inc6_faddr; in syncache_respond()
1853 ip6->ip6_plen = htons(tlen - hlen); in syncache_respond()
1856 ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK; in syncache_respond()
1857 ip6->ip6_flow |= sc->sc_flowlabel; in syncache_respond()
1858 if (sc->sc_port != 0) { in syncache_respond()
1859 ip6->ip6_nxt = IPPROTO_UDP; in syncache_respond()
1861 udp->uh_sport = htons(V_tcp_udp_tunneling_port); in syncache_respond()
1862 udp->uh_dport = sc->sc_port; in syncache_respond()
1863 ulen = (tlen - sizeof(struct ip6_hdr)); in syncache_respond()
1866 ip6->ip6_nxt = IPPROTO_TCP; in syncache_respond()
1869 ip6->ip6_flow |= htonl(sc->sc_ip_tos << IPV6_FLOWLABEL_LEN); in syncache_respond()
1878 ip->ip_v = IPVERSION; in syncache_respond()
1879 ip->ip_hl = sizeof(struct ip) >> 2; in syncache_respond()
1880 ip->ip_len = htons(tlen); in syncache_respond()
1881 ip->ip_id = 0; in syncache_respond()
1882 ip->ip_off = 0; in syncache_respond()
1883 ip->ip_sum = 0; in syncache_respond()
1884 ip->ip_src = sc->sc_inc.inc_laddr; in syncache_respond()
1885 ip->ip_dst = sc->sc_inc.inc_faddr; in syncache_respond()
1886 ip->ip_ttl = sc->sc_ip_ttl; in syncache_respond()
1887 ip->ip_tos = sc->sc_ip_tos; in syncache_respond()
1896 if (V_path_mtu_discovery && ((sc->sc_flags & SCF_UNREACH) == 0)) in syncache_respond()
1897 ip->ip_off |= htons(IP_DF); in syncache_respond()
1898 if (sc->sc_port == 0) { in syncache_respond()
1899 ip->ip_p = IPPROTO_TCP; in syncache_respond()
1902 ip->ip_p = IPPROTO_UDP; in syncache_respond()
1904 udp->uh_sport = htons(V_tcp_udp_tunneling_port); in syncache_respond()
1905 udp->uh_dport = sc->sc_port; in syncache_respond()
1906 ulen = (tlen - sizeof(struct ip)); in syncache_respond()
1911 th->th_sport = sc->sc_inc.inc_lport; in syncache_respond()
1912 th->th_dport = sc->sc_inc.inc_fport; in syncache_respond()
1915 th->th_seq = htonl(sc->sc_iss); in syncache_respond()
1917 th->th_seq = htonl(sc->sc_iss + 1); in syncache_respond()
1918 th->th_ack = htonl(sc->sc_irs + 1); in syncache_respond()
1919 th->th_off = sizeof(struct tcphdr) >> 2; in syncache_respond()
1920 th->th_win = htons(sc->sc_wnd); in syncache_respond()
1921 th->th_urp = 0; in syncache_respond()
1927 if ((sc->sc_flags & SCF_NOOPT) == 0) { in syncache_respond()
1933 if (sc->sc_flags & SCF_WINSCALE) { in syncache_respond()
1934 to.to_wscale = sc->sc_requested_r_scale; in syncache_respond()
1937 if (sc->sc_flags & SCF_SACK) in syncache_respond()
1940 if (sc->sc_flags & SCF_SIGNATURE) in syncache_respond()
1943 if (sc->sc_tfo_cookie) { in syncache_respond()
1946 to.to_tfo_cookie = sc->sc_tfo_cookie; in syncache_respond()
1948 sc->sc_tfo_cookie = NULL; in syncache_respond()
1951 if (sc->sc_flags & SCF_TIMESTAMP) { in syncache_respond()
1952 to.to_tsval = sc->sc_tsoff + tcp_ts_getticks(); in syncache_respond()
1953 to.to_tsecr = sc->sc_tsreflect; in syncache_respond()
1959 th->th_off = (sizeof(struct tcphdr) + optlen) >> 2; in syncache_respond()
1960 m->m_len += optlen; in syncache_respond()
1961 m->m_pkthdr.len += optlen; in syncache_respond()
1963 if (sc->sc_inc.inc_flags & INC_ISIPV6) in syncache_respond()
1964 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) + optlen); in syncache_respond()
1967 ip->ip_len = htons(ntohs(ip->ip_len) + optlen); in syncache_respond()
1969 if (sc->sc_flags & SCF_SIGNATURE) { in syncache_respond()
1986 udp->uh_ulen = htons(ulen); in syncache_respond()
1988 M_SETFIB(m, sc->sc_inc.inc_fibnum); in syncache_respond()
1995 m->m_pkthdr.flowid = m0->m_pkthdr.flowid; in syncache_respond()
1999 if (sc->sc_inc.inc_flags & INC_ISIPV6) { in syncache_respond()
2000 if (sc->sc_port) { in syncache_respond()
2001 m->m_pkthdr.csum_flags = CSUM_UDP_IPV6; in syncache_respond()
2002 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); in syncache_respond()
2003 udp->uh_sum = in6_cksum_pseudo(ip6, ulen, in syncache_respond()
2005 th->th_sum = htons(0); in syncache_respond()
2007 m->m_pkthdr.csum_flags = CSUM_TCP_IPV6; in syncache_respond()
2008 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); in syncache_respond()
2009 th->th_sum = in6_cksum_pseudo(ip6, tlen + optlen - hlen, in syncache_respond()
2012 ip6->ip6_hlim = sc->sc_ip_ttl; in syncache_respond()
2015 struct toedev *tod = sc->sc_tod; in syncache_respond()
2017 error = tod->tod_syncache_respond(tod, sc->sc_todctx, m); in syncache_respond()
2031 if (sc->sc_port) { in syncache_respond()
2032 m->m_pkthdr.csum_flags = CSUM_UDP; in syncache_respond()
2033 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); in syncache_respond()
2034 udp->uh_sum = in_pseudo(ip->ip_src.s_addr, in syncache_respond()
2035 ip->ip_dst.s_addr, htons(ulen + IPPROTO_UDP)); in syncache_respond()
2036 th->th_sum = htons(0); in syncache_respond()
2038 m->m_pkthdr.csum_flags = CSUM_TCP; in syncache_respond()
2039 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); in syncache_respond()
2040 th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, in syncache_respond()
2041 htons(tlen + optlen - hlen + IPPROTO_TCP)); in syncache_respond()
2045 struct toedev *tod = sc->sc_tod; in syncache_respond()
2047 error = tod->tod_syncache_respond(tod, sc->sc_todctx, m); in syncache_respond()
2053 error = ip_output(m, sc->sc_ipopts, NULL, 0, NULL, NULL); in syncache_respond()
2062 if (tcp_challenge_ack_check(&sc->sc_challenge_ack_end, in syncache_send_challenge_ack()
2063 &sc->sc_challenge_ack_cnt)) { in syncache_send_challenge_ack()
2097 * in a 3-bit table. Uncommon values are captured by the next lower value
2099 * WSCALE: is necessary to allow large windows to be used for high delay-
2104 * time. The common WSCALE values can be encoded in a 3-bit table.
2106 * making us under-estimate the available window size halving our
2122 * new random value every 15 seconds. The life-time of a syncookie is thus
2123 * 15-30 seconds.
2176 * (send) window scale (shift) option with a range of 0-14 from 4 bits into 3
2178 * match for are rounded down to the next lower one letting us under-estimate
2190 * Compute the MAC for the SYN cookie. SIPHASH-2-4 is chosen for its speed
2202 switch (inc->inc_flags & INC_ISIPV6) { in syncookie_mac()
2205 SipHash_Update(&ctx, &inc->inc_faddr, sizeof(inc->inc_faddr)); in syncookie_mac()
2206 SipHash_Update(&ctx, &inc->inc_laddr, sizeof(inc->inc_laddr)); in syncookie_mac()
2211 SipHash_Update(&ctx, &inc->inc6_faddr, sizeof(inc->inc6_faddr)); in syncookie_mac()
2212 SipHash_Update(&ctx, &inc->inc6_laddr, sizeof(inc->inc6_laddr)); in syncookie_mac()
2216 SipHash_Update(&ctx, &inc->inc_fport, sizeof(inc->inc_fport)); in syncookie_mac()
2217 SipHash_Update(&ctx, &inc->inc_lport, sizeof(inc->inc_lport)); in syncookie_mac()
2236 /* Map our computed MSS into the 3-bit index. */ in syncookie_generate()
2237 for (i = nitems(tcp_sc_msstab) - 1; in syncookie_generate()
2238 tcp_sc_msstab[i] > sc->sc_peer_mss && i > 0; in syncookie_generate()
2239 i--) in syncookie_generate()
2244 * Map the send window scale into the 3-bit index but only if in syncookie_generate()
2247 if (sc->sc_flags & SCF_WINSCALE) { in syncookie_generate()
2248 wscale = sc->sc_requested_s_scale; in syncookie_generate()
2249 for (i = nitems(tcp_sc_wstab) - 1; in syncookie_generate()
2251 i--) in syncookie_generate()
2257 if (sc->sc_flags & SCF_SACK) in syncookie_generate()
2265 hash = syncookie_mac(&sc->sc_inc, sc->sc_irs, cookie.cookie, secbits, in syncookie_generate()
2293 * Pull information out of SYN-ACK/ACK and revert sequence number in syncookie_expand()
2296 ack = th->th_ack - 1; in syncookie_expand()
2297 seq = th->th_seq - 1; in syncookie_expand()
2315 sc->sc_flags = 0; in syncookie_expand()
2316 bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo)); in syncookie_expand()
2317 sc->sc_ipopts = NULL; in syncookie_expand()
2319 sc->sc_irs = seq; in syncookie_expand()
2320 sc->sc_iss = ack; in syncookie_expand()
2322 switch (inc->inc_flags & INC_ISIPV6) { in syncookie_expand()
2325 sc->sc_ip_ttl = sotoinpcb(lso)->inp_ip_ttl; in syncookie_expand()
2326 sc->sc_ip_tos = sotoinpcb(lso)->inp_ip_tos; in syncookie_expand()
2331 if (sotoinpcb(lso)->inp_flags & IN6P_AUTOFLOWLABEL) in syncookie_expand()
2332 sc->sc_flowlabel = in syncookie_expand()
2333 htonl(sc->sc_iss) & IPV6_FLOWLABEL_MASK; in syncookie_expand()
2338 sc->sc_peer_mss = tcp_sc_msstab[cookie.flags.mss_idx]; in syncookie_expand()
2348 sc->sc_requested_r_scale = wscale; in syncookie_expand()
2349 sc->sc_requested_s_scale = tcp_sc_wstab[cookie.flags.wscale_idx]; in syncookie_expand()
2350 sc->sc_flags |= SCF_WINSCALE; in syncookie_expand()
2353 wnd = lso->sol_sbrcv_hiwat; in syncookie_expand()
2356 sc->sc_wnd = wnd; in syncookie_expand()
2359 sc->sc_flags |= SCF_SACK; in syncookie_expand()
2361 if (to->to_flags & TOF_TS) { in syncookie_expand()
2362 sc->sc_flags |= SCF_TIMESTAMP; in syncookie_expand()
2363 sc->sc_tsreflect = to->to_tsval; in syncookie_expand()
2364 sc->sc_tsoff = tcp_new_ts_offset(inc); in syncookie_expand()
2367 if (to->to_flags & TOF_SIGNATURE) in syncookie_expand()
2368 sc->sc_flags |= SCF_SIGNATURE; in syncookie_expand()
2370 sc->sc_rxmits = 0; in syncookie_expand()
2372 sc->sc_port = port; in syncookie_expand()
2388 (sc->sc_peer_mss != scs.sc_peer_mss || in syncookie_cmp()
2389 sc->sc_requested_r_scale != scs.sc_requested_r_scale || in syncookie_cmp()
2390 sc->sc_requested_s_scale != scs.sc_requested_s_scale || in syncookie_cmp()
2391 (sc->sc_flags & SCF_SACK) != (scs.sc_flags & SCF_SACK))) { in syncookie_cmp()
2396 if (sc->sc_peer_mss != scs.sc_peer_mss) in syncookie_cmp()
2398 s, __func__, sc->sc_peer_mss, scs.sc_peer_mss); in syncookie_cmp()
2400 if (sc->sc_requested_r_scale != scs.sc_requested_r_scale) in syncookie_cmp()
2402 s, __func__, sc->sc_requested_r_scale, in syncookie_cmp()
2405 if (sc->sc_requested_s_scale != scs.sc_requested_s_scale) in syncookie_cmp()
2407 s, __func__, sc->sc_requested_s_scale, in syncookie_cmp()
2410 if ((sc->sc_flags & SCF_SACK) != (scs.sc_flags & SCF_SACK)) in syncookie_cmp()
2431 secbit = (sc->secret.oddeven & 0x1) ? 0 : 1; in syncookie_reseed()
2432 secbits = sc->secret.key[secbit]; in syncookie_reseed()
2434 atomic_add_rel_int(&sc->secret.oddeven, 1); in syncookie_reseed()
2437 callout_schedule(&sc->secret.reseed, SYNCOOKIE_LIFETIME * hz); in syncookie_reseed()
2484 * Determine the last backoff time. If we are seeing a re-newed in syncache_pause()
2489 if (V_tcp_syncache.pause_until + delta - time_uptime > 0) { in syncache_pause()
2525 mtx_assert(&sc->pause_mtx, MA_OWNED | MA_NOTRECURSED); in syncache_unpause()
2526 callout_deactivate(&sc->pause_co); in syncache_unpause()
2532 if ((delta = sc->pause_until - time_uptime) > 0) in syncache_unpause()
2533 callout_schedule(&sc->pause_co, delta * hz); in syncache_unpause()
2535 sc->paused = false; in syncache_unpause()
2566 TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) { in syncache_pcblist()
2567 if (sc->sc_cred != NULL && in syncache_pcblist()
2568 cr_cansee(req->td->td_ucred, sc->sc_cred) != 0) in syncache_pcblist()
2570 if (sc->sc_inc.inc_flags & INC_ISIPV6) in syncache_pcblist()
2574 xt.xt_encaps_port = sc->sc_port; in syncache_pcblist()
2575 bcopy(&sc->sc_inc, &xt.xt_inp.inp_inc, in syncache_pcblist()