xref: /freebsd/share/man/man4/tcp.4 (revision cefe58791b0fc5243250b2449107540b03d64689)
1.\" Copyright (c) 1983, 1991, 1993
2.\"	The Regents of the University of California.
3.\" Copyright (c) 2010-2011 The FreeBSD Foundation
4.\" All rights reserved.
5.\"
6.\" Portions of this documentation were written at the Centre for Advanced
7.\" Internet Architectures, Swinburne University of Technology, Melbourne,
8.\" Australia by David Hayes under sponsorship from the FreeBSD Foundation.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\" 3. Neither the name of the University nor the names of its contributors
19.\"    may be used to endorse or promote products derived from this software
20.\"    without specific prior written permission.
21.\"
22.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32.\" SUCH DAMAGE.
33.\"
34.\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
35.\" $FreeBSD$
36.\"
37.Dd July 14, 2022
38.Dt TCP 4
39.Os
40.Sh NAME
41.Nm tcp
42.Nd Internet Transmission Control Protocol
43.Sh SYNOPSIS
44.In sys/types.h
45.In sys/socket.h
46.In netinet/in.h
47.In netinet/tcp.h
48.Ft int
49.Fn socket AF_INET SOCK_STREAM 0
50.Sh DESCRIPTION
51The
52.Tn TCP
53protocol provides reliable, flow-controlled, two-way
54transmission of data.
55It is a byte-stream protocol used to
56support the
57.Dv SOCK_STREAM
58abstraction.
59.Tn TCP
60uses the standard
61Internet address format and, in addition, provides a per-host
62collection of
63.Dq "port addresses" .
64Thus, each address is composed
65of an Internet address specifying the host and network,
66with a specific
67.Tn TCP
68port on the host identifying the peer entity.
69.Pp
70Sockets utilizing the
71.Tn TCP
72protocol are either
73.Dq active
74or
75.Dq passive .
76Active sockets initiate connections to passive
77sockets.
78By default,
79.Tn TCP
80sockets are created active; to create a
81passive socket, the
82.Xr listen 2
83system call must be used
84after binding the socket with the
85.Xr bind 2
86system call.
87Only passive sockets may use the
88.Xr accept 2
89call to accept incoming connections.
90Only active sockets may use the
91.Xr connect 2
92call to initiate connections.
93.Pp
94Passive sockets may
95.Dq underspecify
96their location to match
97incoming connection requests from multiple networks.
98This technique, termed
99.Dq "wildcard addressing" ,
100allows a single
101server to provide service to clients on multiple networks.
102To create a socket which listens on all networks, the Internet
103address
104.Dv INADDR_ANY
105must be bound.
106The
107.Tn TCP
108port may still be specified
109at this time; if the port is not specified, the system will assign one.
110Once a connection has been established, the socket's address is
111fixed by the peer entity's location.
112The address assigned to the
113socket is the address associated with the network interface
114through which packets are being transmitted and received.
115Normally, this address corresponds to the peer entity's network.
116.Pp
117.Tn TCP
118supports a number of socket options which can be set with
119.Xr setsockopt 2
120and tested with
121.Xr getsockopt 2 :
122.Bl -tag -width ".Dv TCP_FUNCTION_BLK"
123.It Dv TCP_INFO
124Information about a socket's underlying TCP session may be retrieved
125by passing the read-only option
126.Dv TCP_INFO
127to
128.Xr getsockopt 2 .
129It accepts a single argument: a pointer to an instance of
130.Vt "struct tcp_info" .
131.Pp
132This API is subject to change; consult the source to determine
133which fields are currently filled out by this option.
134.Fx
135specific additions include
136send window size,
137receive window size,
138and
139bandwidth-controlled window space.
140.It Dv TCP_CCALGOOPT
141Set or query congestion control algorithm specific parameters.
142See
143.Xr mod_cc 4
144for details.
145.It Dv TCP_CONGESTION
146Select or query the congestion control algorithm that TCP will use for the
147connection.
148See
149.Xr mod_cc 4
150for details.
151.It Dv TCP_FASTOPEN
152Enable or disable TCP Fast Open (TFO).
153To use this option, the kernel must be built with the
154.Dv TCP_RFC7413
155option.
156.Pp
157This option can be set on the socket either before or after the
158.Xr listen 2
159is invoked.
160Clearing this option on a listen socket after it has been set has no effect on
161existing TFO connections or TFO connections in progress; it only prevents new
162TFO connections from being established.
163.Pp
164For passively-created sockets, the
165.Dv TCP_FASTOPEN
166socket option can be queried to determine whether the connection was established
167using TFO.
168Note that connections that are established via a TFO
169.Tn SYN ,
170but that fall back to using a non-TFO
171.Tn SYN|ACK
172will have the
173.Dv TCP_FASTOPEN
174socket option set.
175.Pp
176In addition to the facilities defined in RFC7413, this implementation supports a
177pre-shared key (PSK) mode of operation in which the TFO server requires the
178client to be in posession of a shared secret in order for the client to be able
179to successfully open TFO connections with the server.
180This is useful, for example, in environments where TFO servers are exposed to
181both internal and external clients and only wish to allow TFO connections from
182internal clients.
183.Pp
184In the PSK mode of operation, the server generates and sends TFO cookies to
185requesting clients as usual.
186However, when validating cookies received in TFO SYNs from clients, the server
187requires the client-supplied cookie to equal
188.Bd -literal -offset left
189SipHash24(key=\fI16-byte-psk\fP, msg=\fIcookie-sent-to-client\fP)
190.Ed
191.Pp
192Multiple concurrent valid pre-shared keys are supported so that time-based
193rolling PSK invalidation policies can be implemented in the system.
194The default number of concurrent pre-shared keys is 2.
195.Pp
196This can be adjusted with the
197.Dv TCP_RFC7413_MAX_PSKS
198kernel option.
199.It Dv TCP_FUNCTION_BLK
200Select or query the set of functions that TCP will use for this connection.
201This allows a user to select an alternate TCP stack.
202The alternate TCP stack must already be loaded in the kernel.
203To list the available TCP stacks, see
204.Va functions_available
205in the
206.Sx MIB Variables
207section further down.
208To list the default TCP stack, see
209.Va functions_default
210in the
211.Sx MIB Variables
212section.
213.It Dv TCP_KEEPINIT
214This
215.Xr setsockopt 2
216option accepts a per-socket timeout argument of
217.Vt "u_int"
218in seconds, for new, non-established
219.Tn TCP
220connections.
221For the global default in milliseconds see
222.Va keepinit
223in the
224.Sx MIB Variables
225section further down.
226.It Dv TCP_KEEPIDLE
227This
228.Xr setsockopt 2
229option accepts an argument of
230.Vt "u_int"
231for the amount of time, in seconds, that the connection must be idle
232before keepalive probes (if enabled) are sent for the connection of this
233socket.
234If set on a listening socket, the value is inherited by the newly created
235socket upon
236.Xr accept 2 .
237For the global default in milliseconds see
238.Va keepidle
239in the
240.Sx MIB Variables
241section further down.
242.It Dv TCP_KEEPINTVL
243This
244.Xr setsockopt 2
245option accepts an argument of
246.Vt "u_int"
247to set the per-socket interval, in seconds, between keepalive probes sent
248to a peer.
249If set on a listening socket, the value is inherited by the newly created
250socket upon
251.Xr accept 2 .
252For the global default in milliseconds see
253.Va keepintvl
254in the
255.Sx MIB Variables
256section further down.
257.It Dv TCP_KEEPCNT
258This
259.Xr setsockopt 2
260option accepts an argument of
261.Vt "u_int"
262and allows a per-socket tuning of the number of probes sent, with no response,
263before the connection will be dropped.
264If set on a listening socket, the value is inherited by the newly created
265socket upon
266.Xr accept 2 .
267For the global default see the
268.Va keepcnt
269in the
270.Sx MIB Variables
271section further down.
272.It Dv TCP_NODELAY
273Under most circumstances,
274.Tn TCP
275sends data when it is presented;
276when outstanding data has not yet been acknowledged, it gathers
277small amounts of output to be sent in a single packet once
278an acknowledgement is received.
279For a small number of clients, such as window systems
280that send a stream of mouse events which receive no replies,
281this packetization may cause significant delays.
282The boolean option
283.Dv TCP_NODELAY
284defeats this algorithm.
285.It Dv TCP_MAXSEG
286By default, a sender- and
287.No receiver- Ns Tn TCP
288will negotiate among themselves to determine the maximum segment size
289to be used for each connection.
290The
291.Dv TCP_MAXSEG
292option allows the user to determine the result of this negotiation,
293and to reduce it if desired.
294.It Dv TCP_NOOPT
295.Tn TCP
296usually sends a number of options in each packet, corresponding to
297various
298.Tn TCP
299extensions which are provided in this implementation.
300The boolean option
301.Dv TCP_NOOPT
302is provided to disable
303.Tn TCP
304option use on a per-connection basis.
305.It Dv TCP_NOPUSH
306By convention, the
307.No sender- Ns Tn TCP
308will set the
309.Dq push
310bit, and begin transmission immediately (if permitted) at the end of
311every user call to
312.Xr write 2
313or
314.Xr writev 2 .
315When this option is set to a non-zero value,
316.Tn TCP
317will delay sending any data at all until either the socket is closed,
318or the internal send buffer is filled.
319.It Dv TCP_MD5SIG
320This option enables the use of MD5 digests (also known as TCP-MD5)
321on writes to the specified socket.
322Outgoing traffic is digested;
323digests on incoming traffic are verified.
324When this option is enabled on a socket, all inbound and outgoing
325TCP segments must be signed with MD5 digests.
326.Pp
327One common use for this in a
328.Fx
329router deployment is to enable
330based routers to interwork with Cisco equipment at peering points.
331Support for this feature conforms to RFC 2385.
332.Pp
333In order for this option to function correctly, it is necessary for the
334administrator to add a tcp-md5 key entry to the system's security
335associations database (SADB) using the
336.Xr setkey 8
337utility.
338This entry can only be specified on a per-host basis at this time.
339.Pp
340If an SADB entry cannot be found for the destination,
341the system does not send any outgoing segments and drops any inbound segments.
342However, during connection negotiation, a non-signed segment will be accepted if
343an SADB entry does not exist between hosts.
344When a non-signed segment is accepted, the established connection is not
345protected with MD5 digests.
346.It Dv TCP_STATS
347Manage collection of connection level statistics using the
348.Xr stats 3
349framework.
350.Pp
351Each dropped segment is taken into account in the TCP protocol statistics.
352.It Dv TCP_TXTLS_ENABLE
353Enable in-kernel Transport Layer Security (TLS) for data written to this
354socket.
355See
356.Xr ktls 4
357for more details.
358.It Dv TCP_TXTLS_MODE
359The integer argument can be used to get or set the current TLS transmit mode
360of a socket.
361See
362.Xr ktls 4
363for more details.
364.It Dv TCP_RXTLS_ENABLE
365Enable in-kernel TLS for data read from this socket.
366See
367.Xr ktls 4
368for more details.
369.It Dv TCP_REUSPORT_LB_NUMA
370Changes NUMA affinity filtering for an established TCP listen
371socket.
372This option takes a single integer argument which specifies
373the NUMA domain to filter on for this listen socket.
374The argument can also have the follwing special values:
375.Bl -tag -width "Dv TCP_REUSPORT_LB_NUMA"
376.It Dv TCP_REUSPORT_LB_NUMA_NODOM
377Remove NUMA filtering for this listen socket.
378.It Dv TCP_REUSPORT_LB_NUMA_CURDOM
379Filter traffic associated with the domain where the calling thread is
380currently executing.
381This is typically used after a process or thread inherits a listen
382socket from its parent, and sets its CPU affinity to a particular core.
383.El
384.It Dv TCP_REMOTE_UDP_ENCAPS_PORT
385Set and get the remote UDP encapsulation port.
386It can only be set on a closed TCP socket.
387.El
388.Pp
389The option level for the
390.Xr setsockopt 2
391call is the protocol number for
392.Tn TCP ,
393available from
394.Xr getprotobyname 3 ,
395or
396.Dv IPPROTO_TCP .
397All options are declared in
398.In netinet/tcp.h .
399.Pp
400Options at the
401.Tn IP
402transport level may be used with
403.Tn TCP ;
404see
405.Xr ip 4 .
406Incoming connection requests that are source-routed are noted,
407and the reverse source route is used in responding.
408.Pp
409The default congestion control algorithm for
410.Tn TCP
411is
412.Xr cc_newreno 4 .
413Other congestion control algorithms can be made available using the
414.Xr mod_cc 4
415framework.
416.Ss MIB Variables
417The
418.Tn TCP
419protocol implements a number of variables in the
420.Va net.inet.tcp
421branch of the
422.Xr sysctl 3
423MIB.
424.Bl -tag -width ".Va v6pmtud_blackhole_mss"
425.It Va rfc1323
426Implement the window scaling and timestamp options of RFC 1323/RFC 7323
427(default is true).
428.It Va tolerate_missing_ts
429Tolerate the missing of timestamps (RFC 1323/RFC 7323) for
430.Tn TCP
431segments belonging to
432.Tn TCP
433connections for which support of
434.Tn TCP
435timestamps has been negotiated.
436As of June 2021, several TCP stacks are known to violate RFC 7323, including
437modern widely deployed ones.
438Therefore the default is 1, i.e., the missing of timestamps is tolerated.
439.It Va mssdflt
440The default value used for the maximum segment size
441.Pq Dq MSS
442when no advice to the contrary is received from MSS negotiation.
443.It Va sendspace
444Maximum
445.Tn TCP
446send window.
447.It Va recvspace
448Maximum
449.Tn TCP
450receive window.
451.It Va log_in_vain
452Log any connection attempts to ports where there is not a socket
453accepting connections.
454The value of 1 limits the logging to
455.Tn SYN
456(connection establishment) packets only.
457That of 2 results in any
458.Tn TCP
459packets to closed ports being logged.
460Any value unlisted above disables the logging
461(default is 0, i.e., the logging is disabled).
462.It Va msl
463The Maximum Segment Lifetime, in milliseconds, for a packet.
464.It Va keepinit
465Timeout, in milliseconds, for new, non-established
466.Tn TCP
467connections.
468The default is 75000 msec.
469.It Va keepidle
470Amount of time, in milliseconds, that the connection must be idle
471before keepalive probes (if enabled) are sent.
472The default is 7200000 msec (2 hours).
473.It Va keepintvl
474The interval, in milliseconds, between keepalive probes sent to remote
475machines, when no response is received on a
476.Va keepidle
477probe.
478The default is 75000 msec.
479.It Va keepcnt
480Number of probes sent, with no response, before a connection
481is dropped.
482The default is 8 packets.
483.It Va always_keepalive
484Assume that
485.Dv SO_KEEPALIVE
486is set on all
487.Tn TCP
488connections, the kernel will
489periodically send a packet to the remote host to verify the connection
490is still up.
491.It Va icmp_may_rst
492Certain
493.Tn ICMP
494unreachable messages may abort connections in
495.Tn SYN-SENT
496state.
497.It Va do_tcpdrain
498Flush packets in the
499.Tn TCP
500reassembly queue if the system is low on mbufs.
501.It Va blackhole
502If enabled, disable sending of RST when a connection is attempted
503to a port where there is not a socket accepting connections.
504See
505.Xr blackhole 4 .
506.It Va delayed_ack
507Delay ACK to try and piggyback it onto a data packet.
508.It Va delacktime
509Maximum amount of time, in milliseconds, before a delayed ACK is sent.
510.It Va path_mtu_discovery
511Enable Path MTU Discovery.
512.It Va tcbhashsize
513Size of the
514.Tn TCP
515control-block hash table
516(read-only).
517This may be tuned using the kernel option
518.Dv TCBHASHSIZE
519or by setting
520.Va net.inet.tcp.tcbhashsize
521in the
522.Xr loader 8 .
523.It Va pcbcount
524Number of active process control blocks
525(read-only).
526.It Va syncookies
527Determines whether or not
528.Tn SYN
529cookies should be generated for outbound
530.Tn SYN-ACK
531packets.
532.Tn SYN
533cookies are a great help during
534.Tn SYN
535flood attacks, and are enabled by default.
536(See
537.Xr syncookies 4 . )
538.It Va isn_reseed_interval
539The interval (in seconds) specifying how often the secret data used in
540RFC 1948 initial sequence number calculations should be reseeded.
541By default, this variable is set to zero, indicating that
542no reseeding will occur.
543Reseeding should not be necessary, and will break
544.Dv TIME_WAIT
545recycling for a few minutes.
546.It Va reass.cursegments
547The current total number of segments present in all reassembly queues.
548.It Va reass.maxsegments
549The maximum limit on the total number of segments across all reassembly
550queues.
551The limit can be adjusted as a tunable.
552.It Va reass.maxqueuelen
553The maximum number of segments allowed in each reassembly queue.
554By default, the system chooses a limit based on each TCP connection's
555receive buffer size and maximum segment size (MSS).
556The actual limit applied to a session's reassembly queue will be the lower of
557the system-calculated automatic limit and the user-specified
558.Va reass.maxqueuelen
559limit.
560.It Va rexmit_initial , rexmit_min , rexmit_slop
561Adjust the retransmit timer calculation for
562.Tn TCP .
563The slop is
564typically added to the raw calculation to take into account
565occasional variances that the
566.Tn SRTT
567(smoothed round-trip time)
568is unable to accommodate, while the minimum specifies an
569absolute minimum.
570While a number of
571.Tn TCP
572RFCs suggest a 1
573second minimum, these RFCs tend to focus on streaming behavior,
574and fail to deal with the fact that a 1 second minimum has severe
575detrimental effects over lossy interactive connections, such
576as a 802.11b wireless link, and over very fast but lossy
577connections for those cases not covered by the fast retransmit
578code.
579For this reason, we use 200ms of slop and a near-0
580minimum, which gives us an effective minimum of 200ms (similar to
581.Tn Linux ) .
582The initial value is used before an RTT measurement has been performed.
583.It Va initcwnd_segments
584Enable the ability to specify initial congestion window in number of segments.
585The default value is 10 as suggested by RFC 6928.
586Changing the value on fly would not affect connections using congestion window
587from the hostcache.
588Caution:
589This regulates the burst of packets allowed to be sent in the first RTT.
590The value should be relative to the link capacity.
591Start with small values for lower-capacity links.
592Large bursts can cause buffer overruns and packet drops if routers have small
593buffers or the link is experiencing congestion.
594.It Va newcwd
595Enable the New Congestion Window Validation mechanism as described in RFC 7661.
596This gently reduces the congestion window during periods, where TCP is
597application limited and the network bandwidth is not utilized completely.
598That prevents self-inflicted packet losses once the application starts to
599transmit data at a higher speed.
600.It Va do_lrd
601Enable Lost Retransmission Detection for SACK-enabled sessions, disabled by
602default.
603Under severe congestion, a retransmission can be lost which then leads to a
604mandatory Retransmission Timeout (RTO), followed by slow-start.
605LRD will try to resend the repeatedly lost packet, preventing the time-consuming
606RTO and performance reducing slow-start.
607.It Va do_prr
608Perform SACK loss recovery using the Proportional Rate Reduction (PRR) algorithm
609described in RFC6937.
610This improves the effectiveness of retransmissions particular in environments
611with ACK thinning or burst loss events, as chances to run out of the ACK clock
612are reduced, preventing lengthy and performance reducing RTO based loss recovery
613(default is true).
614.It Va do_prr_conservative
615While doing Proportional Rate Reduction, remain strictly in a packet conserving
616mode, sending only one new packet for each ACK received.
617Helpful when a misconfigured token bucket traffic policer causes persistent
618high losses leading to RTO, but reduces PRR effectiveness in more common settings
619(default is false).
620.It Va rfc6675_pipe
621Deprecated and superseded by
622.Va sack.revised
623.It Va rfc3042
624Enable the Limited Transmit algorithm as described in RFC 3042.
625It helps avoid timeouts on lossy links and also when the congestion window
626is small, as happens on short transfers.
627.It Va rfc3390
628Enable support for RFC 3390, which allows for a variable-sized
629starting congestion window on new connections, depending on the
630maximum segment size.
631This helps throughput in general, but
632particularly affects short transfers and high-bandwidth large
633propagation-delay connections.
634.It Va sack.enable
635Enable support for RFC 2018, TCP Selective Acknowledgment option,
636which allows the receiver to inform the sender about all successfully
637arrived segments, allowing the sender to retransmit the missing segments
638only.
639.It Va sack.revised
640Enables three updated mechanisms from RFC6675 (default is true).
641Calculate the bytes in flight using the algorithm described in RFC 6675, and
642is also an improvement when Proportional Rate Reduction is enabled.
643Next, Rescue Retransmission helps timely loss recovery, when the trailing segments
644of a transmission are lost, while no additional data is ready to be sent.
645In case a partial ACK without a SACK block is received during SACK loss
646recovery, the trailing segment is immediately resent, rather than waiting
647for a Retransmission timeout.
648Finally, SACK loss recovery is also engaged, once two segments plus one byte are
649SACKed - even if no traditional duplicate ACKs were observed.
650.It Va sack.maxholes
651Maximum number of SACK holes per connection.
652Defaults to 128.
653.It Va sack.globalmaxholes
654Maximum number of SACK holes per system, across all connections.
655Defaults to 65536.
656.It Va maxtcptw
657When a TCP connection enters the
658.Dv TIME_WAIT
659state, its associated socket structure is freed, since it is of
660negligible size and use, and a new structure is allocated to contain a
661minimal amount of information necessary for sustaining a connection in
662this state, called the compressed TCP TIME_WAIT state.
663Since this structure is smaller than a socket structure, it can save
664a significant amount of system memory.
665The
666.Va net.inet.tcp.maxtcptw
667MIB variable controls the maximum number of these structures allocated.
668By default, it is initialized to
669.Va kern.ipc.maxsockets
670/ 5.
671.It Va nolocaltimewait
672Suppress creating of compressed TCP TIME_WAIT states for connections in
673which both endpoints are local.
674.It Va fast_finwait2_recycle
675Recycle
676.Tn TCP
677.Dv FIN_WAIT_2
678connections faster when the socket is marked as
679.Dv SBS_CANTRCVMORE
680(no user process has the socket open, data received on
681the socket cannot be read).
682The timeout used here is
683.Va finwait2_timeout .
684.It Va finwait2_timeout
685Timeout to use for fast recycling of
686.Tn TCP
687.Dv FIN_WAIT_2
688connections.
689Defaults to 60 seconds.
690.It Va ecn.enable
691Enable support for TCP Explicit Congestion Notification (ECN).
692ECN allows a TCP sender to reduce the transmission rate in order to
693avoid packet drops.
694.Bl -tag -compact
695.It 0
696Disable ECN.
697.It 1
698Allow incoming connections to request ECN.
699Outgoing connections will request ECN.
700.It 2
701Allow incoming connections to request ECN.
702Outgoing connections will not request ECN.
703(default)
704.El
705.It Va ecn.maxretries
706Number of retries (SYN or SYN/ACK retransmits) before disabling ECN on a
707specific connection.
708This is needed to help with connection establishment
709when a broken firewall is in the network path.
710.It Va pmtud_blackhole_detection
711Enable automatic path MTU blackhole detection.
712In case of retransmits of MSS sized segments,
713the OS will lower the MSS to check if it's an MTU problem.
714If the current MSS is greater than the configured value to try
715.Po Va net.inet.tcp.pmtud_blackhole_mss
716and
717.Va net.inet.tcp.v6pmtud_blackhole_mss
718.Pc ,
719it will be set to this value, otherwise,
720the MSS will be set to the default values
721.Po Va net.inet.tcp.mssdflt
722and
723.Va net.inet.tcp.v6mssdflt
724.Pc .
725Settings:
726.Bl -tag -compact
727.It 0
728Disable path MTU blackhole detection.
729.It 1
730Enable path MTU blackhole detection for IPv4 and IPv6.
731.It 2
732Enable path MTU blackhole detection only for IPv4.
733.It 3
734Enable path MTU blackhole detection only for IPv6.
735.El
736.It Va pmtud_blackhole_mss
737MSS to try for IPv4 if PMTU blackhole detection is turned on.
738.It Va v6pmtud_blackhole_mss
739MSS to try for IPv6 if PMTU blackhole detection is turned on.
740.It Va fastopen.acceptany
741When non-zero, all client-supplied TFO cookies will be considered to be valid.
742The default is 0.
743.It Va fastopen.autokey
744When this and
745.Va net.inet.tcp.fastopen.server_enable
746are non-zero, a new key will be automatically generated after this specified
747seconds.
748The default is 120.
749.It Va fastopen.ccache_bucket_limit
750The maximum number of entries in a client cookie cache bucket.
751The default value can be tuned with the
752.Dv TCP_FASTOPEN_CCACHE_BUCKET_LIMIT_DEFAULT
753kernel option or by setting
754.Va net.inet.tcp.fastopen_ccache_bucket_limit
755in the
756.Xr loader 8 .
757.It Va fastopen.ccache_buckets
758The number of client cookie cache buckets.
759Read-only.
760The value can be tuned with the
761.Dv TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT
762kernel option or by setting
763.Va fastopen.ccache_buckets
764in the
765.Xr loader 8 .
766.It Va fastopen.ccache_list
767Print the client cookie cache.
768Read-only.
769.It Va fastopen.client_enable
770When zero, no new active (i.e., client) TFO connections can be created.
771On the transition from enabled to disabled, the client cookie cache is cleared
772and disabled.
773The transition from enabled to disabled does not affect any active TFO
774connections in progress; it only prevents new ones from being established.
775The default is 0.
776.It Va fastopen.keylen
777The key length in bytes.
778Read-only.
779.It Va fastopen.maxkeys
780The maximum number of keys supported.
781Read-only,
782.It Va fastopen.maxpsks
783The maximum number of pre-shared keys supported.
784Read-only.
785.It Va fastopen.numkeys
786The current number of keys installed.
787Read-only.
788.It Va fastopen.numpsks
789The current number of pre-shared keys installed.
790Read-only.
791.It Va fastopen.path_disable_time
792When a failure occurs while trying to create a new active (i.e., client) TFO
793connection, new active connections on the same path, as determined by the tuple
794.Brq client_ip, server_ip, server_port ,
795will be forced to be non-TFO for this many seconds.
796Note that the path disable mechanism relies on state stored in client cookie
797cache entries, so it is possible for the disable time for a given path to be
798reduced if the corresponding client cookie cache entry is reused due to resource
799pressure before the disable period has elapsed.
800The default is
801.Dv TCP_FASTOPEN_PATH_DISABLE_TIME_DEFAULT .
802.It Va fastopen.psk_enable
803When non-zero, pre-shared key (PSK) mode is enabled for all TFO servers.
804On the transition from enabled to disabled, all installed pre-shared keys are
805removed.
806The default is 0.
807.It Va fastopen.server_enable
808When zero, no new passive (i.e., server) TFO connections can be created.
809On the transition from enabled to disabled, all installed keys and pre-shared
810keys are removed.
811On the transition from disabled to enabled, if
812.Va fastopen.autokey
813is non-zero and there are no keys installed, a new key will be generated
814immediately.
815The transition from enabled to disabled does not affect any passive TFO
816connections in progress; it only prevents new ones from being established.
817The default is 0.
818.It Va fastopen.setkey
819Install a new key by writing
820.Va net.inet.tcp.fastopen.keylen
821bytes to this sysctl.
822.It Va fastopen.setpsk
823Install a new pre-shared key by writing
824.Va net.inet.tcp.fastopen.keylen
825bytes to this sysctl.
826.It Va hostcache.enable
827The TCP host cache is used to cache connection details and metrics to
828improve future performance of connections between the same hosts.
829At the completion of a TCP connection, a host will cache information
830for the connection for some defined period of time.
831.Bl -tag -compact
832.It 0
833Disable the host cache.
834.It 1
835Enable the host cache. (default)
836.El
837.It Va hostcache.purgenow
838Immediately purge all entries once set to any value.
839Setting this to 2 will also reseed the hash salt.
840.It Va hostcache.purge
841Expire all entires on next pruning of host cache entries.
842Any non-zero setting will be reset to zero, once the pruge
843is running.
844.Bl -tag -compact
845.It 0
846Do not purge all entries when pruning the host cache. (default)
847.It 1
848Purge all entries when doing the next pruning.
849.It 2
850Purge all entries, and also reseed the hash salt.
851.El
852.It Va hostcache.prune
853Time in seconds between pruning expired host cache entries.
854Defaults to 300 (5 minutes).
855.It Va hostcache.expire
856Time in seconds, how long a entry should be kept in the
857host cache since last accessed.
858Defaults to 3600 (1 hour).
859.It Va hostcache.count
860The current number of entries in the host cache.
861.It Va hostcache.bucketlimit
862The maximum number of entries for the same hash.
863Defaults to 30.
864.It Va hostcache.hashsize
865Size of TCP hostcache hashtable.
866This number has to be a power of two, or will be rejected.
867Defaults to 512.
868.It Va hostcache.cachelimit
869Overall entry limit for hostcache.
870Defaults to hashsize * bucketlimit.
871.It Va hostcache.histo
872Provide a Histogram of the hostcache hash utilization.
873.It Va hostcache.list
874Provide a complete list of all current entries in the host
875cache.
876.It Va functions_available
877List of available TCP function blocks (TCP stacks).
878.It Va functions_default
879The default TCP function block (TCP stack).
880.It Va functions_inherit_listen_socket_stack
881Determines whether to inherit listen socket's tcp stack or use the current
882system default tcp stack, as defined by
883.Va functions_default .
884Default is true.
885.It Va insecure_rst
886Use criteria defined in RFC793 instead of RFC5961 for accepting RST segments.
887Default is false.
888.It Va insecure_syn
889Use criteria defined in RFC793 instead of RFC5961 for accepting SYN segments.
890Default is false.
891.It Va ts_offset_per_conn
892When initializing the TCP timestamps, use a per connection offset instead of a
893per host pair offset.
894Default is to use per connection offsets as recommended in RFC 7323.
895.It Va perconn_stats_enable
896Controls the default collection of statistics for all connections using the
897.Xr stats 3
898framework.
8990 disables, 1 enables, 2 enables random sampling across log id connection
900groups with all connections in a group receiving the same setting.
901.It Va perconn_stats_sample_rates
902A CSV list of template_spec=percent key-value pairs which controls the per
903template sampling rates when
904.Xr stats 3
905sampling is enabled.
906.It Va udp_tunneling_port
907The local UDP encapsulation port.
908A value of 0 indicates that UDP encapsulation is disabled.
909The default is 0.
910.It Va udp_tunneling_overhead
911The overhead taken into account when using UDP encapsulation.
912Since MSS clamping by middleboxes will most likely not work, values larger than
9138 (the size of the UDP header) are also supported.
914Supported values are between 8 and 1024.
915The default is 8.
916.El
917.Sh ERRORS
918A socket operation may fail with one of the following errors returned:
919.Bl -tag -width Er
920.It Bq Er EISCONN
921when trying to establish a connection on a socket which
922already has one;
923.It Bo Er ENOBUFS Bc or Bo Er ENOMEM Bc
924when the system runs out of memory for
925an internal data structure;
926.It Bq Er ETIMEDOUT
927when a connection was dropped
928due to excessive retransmissions;
929.It Bq Er ECONNRESET
930when the remote peer
931forces the connection to be closed;
932.It Bq Er ECONNREFUSED
933when the remote
934peer actively refuses connection establishment (usually because
935no process is listening to the port);
936.It Bq Er EADDRINUSE
937when an attempt
938is made to create a socket with a port which has already been
939allocated;
940.It Bq Er EADDRNOTAVAIL
941when an attempt is made to create a
942socket with a network address for which no network interface
943exists;
944.It Bq Er EAFNOSUPPORT
945when an attempt is made to bind or connect a socket to a multicast
946address.
947.It Bq Er EINVAL
948when trying to change TCP function blocks at an invalid point in the session;
949.It Bq Er ENOENT
950when trying to use a TCP function block that is not available;
951.El
952.Sh SEE ALSO
953.Xr getsockopt 2 ,
954.Xr socket 2 ,
955.Xr stats 3 ,
956.Xr sysctl 3 ,
957.Xr blackhole 4 ,
958.Xr inet 4 ,
959.Xr intro 4 ,
960.Xr ip 4 ,
961.Xr ktls 4 ,
962.Xr mod_cc 4 ,
963.Xr siftr 4 ,
964.Xr syncache 4 ,
965.Xr tcp_bbr 4 ,
966.Xr setkey 8 ,
967.Xr tcp_functions 9
968.Rs
969.%A "V. Jacobson"
970.%A "B. Braden"
971.%A "D. Borman"
972.%T "TCP Extensions for High Performance"
973.%O "RFC 1323"
974.Re
975.Rs
976.%A "D. Borman"
977.%A "B. Braden"
978.%A "V. Jacobson"
979.%A "R. Scheffenegger"
980.%T "TCP Extensions for High Performance"
981.%O "RFC 7323"
982.Re
983.Rs
984.%A "A. Heffernan"
985.%T "Protection of BGP Sessions via the TCP MD5 Signature Option"
986.%O "RFC 2385"
987.Re
988.Rs
989.%A "K. Ramakrishnan"
990.%A "S. Floyd"
991.%A "D. Black"
992.%T "The Addition of Explicit Congestion Notification (ECN) to IP"
993.%O "RFC 3168"
994.Re
995.Sh HISTORY
996The
997.Tn TCP
998protocol appeared in
999.Bx 4.2 .
1000The RFC 1323 extensions for window scaling and timestamps were added
1001in
1002.Bx 4.4 .
1003The
1004.Dv TCP_INFO
1005option was introduced in
1006.Tn Linux 2.6
1007and is
1008.Em subject to change .
1009