1.\" Copyright (c) 1983, 1991, 1993 2.\" The Regents of the University of California. 3.\" Copyright (c) 2010-2011 The FreeBSD Foundation 4.\" All rights reserved. 5.\" 6.\" Portions of this documentation were written at the Centre for Advanced 7.\" Internet Architectures, Swinburne University of Technology, Melbourne, 8.\" Australia by David Hayes under sponsorship from the FreeBSD Foundation. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 3. Neither the name of the University nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 35.\" $FreeBSD$ 36.\" 37.Dd July 14, 2022 38.Dt TCP 4 39.Os 40.Sh NAME 41.Nm tcp 42.Nd Internet Transmission Control Protocol 43.Sh SYNOPSIS 44.In sys/types.h 45.In sys/socket.h 46.In netinet/in.h 47.In netinet/tcp.h 48.Ft int 49.Fn socket AF_INET SOCK_STREAM 0 50.Sh DESCRIPTION 51The 52.Tn TCP 53protocol provides reliable, flow-controlled, two-way 54transmission of data. 55It is a byte-stream protocol used to 56support the 57.Dv SOCK_STREAM 58abstraction. 59.Tn TCP 60uses the standard 61Internet address format and, in addition, provides a per-host 62collection of 63.Dq "port addresses" . 64Thus, each address is composed 65of an Internet address specifying the host and network, 66with a specific 67.Tn TCP 68port on the host identifying the peer entity. 69.Pp 70Sockets utilizing the 71.Tn TCP 72protocol are either 73.Dq active 74or 75.Dq passive . 76Active sockets initiate connections to passive 77sockets. 78By default, 79.Tn TCP 80sockets are created active; to create a 81passive socket, the 82.Xr listen 2 83system call must be used 84after binding the socket with the 85.Xr bind 2 86system call. 87Only passive sockets may use the 88.Xr accept 2 89call to accept incoming connections. 90Only active sockets may use the 91.Xr connect 2 92call to initiate connections. 93.Pp 94Passive sockets may 95.Dq underspecify 96their location to match 97incoming connection requests from multiple networks. 98This technique, termed 99.Dq "wildcard addressing" , 100allows a single 101server to provide service to clients on multiple networks. 102To create a socket which listens on all networks, the Internet 103address 104.Dv INADDR_ANY 105must be bound. 106The 107.Tn TCP 108port may still be specified 109at this time; if the port is not specified, the system will assign one. 110Once a connection has been established, the socket's address is 111fixed by the peer entity's location. 112The address assigned to the 113socket is the address associated with the network interface 114through which packets are being transmitted and received. 115Normally, this address corresponds to the peer entity's network. 116.Pp 117.Tn TCP 118supports a number of socket options which can be set with 119.Xr setsockopt 2 120and tested with 121.Xr getsockopt 2 : 122.Bl -tag -width ".Dv TCP_FUNCTION_BLK" 123.It Dv TCP_INFO 124Information about a socket's underlying TCP session may be retrieved 125by passing the read-only option 126.Dv TCP_INFO 127to 128.Xr getsockopt 2 . 129It accepts a single argument: a pointer to an instance of 130.Vt "struct tcp_info" . 131.Pp 132This API is subject to change; consult the source to determine 133which fields are currently filled out by this option. 134.Fx 135specific additions include 136send window size, 137receive window size, 138and 139bandwidth-controlled window space. 140.It Dv TCP_CCALGOOPT 141Set or query congestion control algorithm specific parameters. 142See 143.Xr mod_cc 4 144for details. 145.It Dv TCP_CONGESTION 146Select or query the congestion control algorithm that TCP will use for the 147connection. 148See 149.Xr mod_cc 4 150for details. 151.It Dv TCP_FASTOPEN 152Enable or disable TCP Fast Open (TFO). 153To use this option, the kernel must be built with the 154.Dv TCP_RFC7413 155option. 156.Pp 157This option can be set on the socket either before or after the 158.Xr listen 2 159is invoked. 160Clearing this option on a listen socket after it has been set has no effect on 161existing TFO connections or TFO connections in progress; it only prevents new 162TFO connections from being established. 163.Pp 164For passively-created sockets, the 165.Dv TCP_FASTOPEN 166socket option can be queried to determine whether the connection was established 167using TFO. 168Note that connections that are established via a TFO 169.Tn SYN , 170but that fall back to using a non-TFO 171.Tn SYN|ACK 172will have the 173.Dv TCP_FASTOPEN 174socket option set. 175.Pp 176In addition to the facilities defined in RFC7413, this implementation supports a 177pre-shared key (PSK) mode of operation in which the TFO server requires the 178client to be in posession of a shared secret in order for the client to be able 179to successfully open TFO connections with the server. 180This is useful, for example, in environments where TFO servers are exposed to 181both internal and external clients and only wish to allow TFO connections from 182internal clients. 183.Pp 184In the PSK mode of operation, the server generates and sends TFO cookies to 185requesting clients as usual. 186However, when validating cookies received in TFO SYNs from clients, the server 187requires the client-supplied cookie to equal 188.Bd -literal -offset left 189SipHash24(key=\fI16-byte-psk\fP, msg=\fIcookie-sent-to-client\fP) 190.Ed 191.Pp 192Multiple concurrent valid pre-shared keys are supported so that time-based 193rolling PSK invalidation policies can be implemented in the system. 194The default number of concurrent pre-shared keys is 2. 195.Pp 196This can be adjusted with the 197.Dv TCP_RFC7413_MAX_PSKS 198kernel option. 199.It Dv TCP_FUNCTION_BLK 200Select or query the set of functions that TCP will use for this connection. 201This allows a user to select an alternate TCP stack. 202The alternate TCP stack must already be loaded in the kernel. 203To list the available TCP stacks, see 204.Va functions_available 205in the 206.Sx MIB Variables 207section further down. 208To list the default TCP stack, see 209.Va functions_default 210in the 211.Sx MIB Variables 212section. 213.It Dv TCP_KEEPINIT 214This 215.Xr setsockopt 2 216option accepts a per-socket timeout argument of 217.Vt "u_int" 218in seconds, for new, non-established 219.Tn TCP 220connections. 221For the global default in milliseconds see 222.Va keepinit 223in the 224.Sx MIB Variables 225section further down. 226.It Dv TCP_KEEPIDLE 227This 228.Xr setsockopt 2 229option accepts an argument of 230.Vt "u_int" 231for the amount of time, in seconds, that the connection must be idle 232before keepalive probes (if enabled) are sent for the connection of this 233socket. 234If set on a listening socket, the value is inherited by the newly created 235socket upon 236.Xr accept 2 . 237For the global default in milliseconds see 238.Va keepidle 239in the 240.Sx MIB Variables 241section further down. 242.It Dv TCP_KEEPINTVL 243This 244.Xr setsockopt 2 245option accepts an argument of 246.Vt "u_int" 247to set the per-socket interval, in seconds, between keepalive probes sent 248to a peer. 249If set on a listening socket, the value is inherited by the newly created 250socket upon 251.Xr accept 2 . 252For the global default in milliseconds see 253.Va keepintvl 254in the 255.Sx MIB Variables 256section further down. 257.It Dv TCP_KEEPCNT 258This 259.Xr setsockopt 2 260option accepts an argument of 261.Vt "u_int" 262and allows a per-socket tuning of the number of probes sent, with no response, 263before the connection will be dropped. 264If set on a listening socket, the value is inherited by the newly created 265socket upon 266.Xr accept 2 . 267For the global default see the 268.Va keepcnt 269in the 270.Sx MIB Variables 271section further down. 272.It Dv TCP_NODELAY 273Under most circumstances, 274.Tn TCP 275sends data when it is presented; 276when outstanding data has not yet been acknowledged, it gathers 277small amounts of output to be sent in a single packet once 278an acknowledgement is received. 279For a small number of clients, such as window systems 280that send a stream of mouse events which receive no replies, 281this packetization may cause significant delays. 282The boolean option 283.Dv TCP_NODELAY 284defeats this algorithm. 285.It Dv TCP_MAXSEG 286By default, a sender- and 287.No receiver- Ns Tn TCP 288will negotiate among themselves to determine the maximum segment size 289to be used for each connection. 290The 291.Dv TCP_MAXSEG 292option allows the user to determine the result of this negotiation, 293and to reduce it if desired. 294.It Dv TCP_NOOPT 295.Tn TCP 296usually sends a number of options in each packet, corresponding to 297various 298.Tn TCP 299extensions which are provided in this implementation. 300The boolean option 301.Dv TCP_NOOPT 302is provided to disable 303.Tn TCP 304option use on a per-connection basis. 305.It Dv TCP_NOPUSH 306By convention, the 307.No sender- Ns Tn TCP 308will set the 309.Dq push 310bit, and begin transmission immediately (if permitted) at the end of 311every user call to 312.Xr write 2 313or 314.Xr writev 2 . 315When this option is set to a non-zero value, 316.Tn TCP 317will delay sending any data at all until either the socket is closed, 318or the internal send buffer is filled. 319.It Dv TCP_MD5SIG 320This option enables the use of MD5 digests (also known as TCP-MD5) 321on writes to the specified socket. 322Outgoing traffic is digested; 323digests on incoming traffic are verified. 324When this option is enabled on a socket, all inbound and outgoing 325TCP segments must be signed with MD5 digests. 326.Pp 327One common use for this in a 328.Fx 329router deployment is to enable 330based routers to interwork with Cisco equipment at peering points. 331Support for this feature conforms to RFC 2385. 332.Pp 333In order for this option to function correctly, it is necessary for the 334administrator to add a tcp-md5 key entry to the system's security 335associations database (SADB) using the 336.Xr setkey 8 337utility. 338This entry can only be specified on a per-host basis at this time. 339.Pp 340If an SADB entry cannot be found for the destination, 341the system does not send any outgoing segments and drops any inbound segments. 342However, during connection negotiation, a non-signed segment will be accepted if 343an SADB entry does not exist between hosts. 344When a non-signed segment is accepted, the established connection is not 345protected with MD5 digests. 346.It Dv TCP_STATS 347Manage collection of connection level statistics using the 348.Xr stats 3 349framework. 350.Pp 351Each dropped segment is taken into account in the TCP protocol statistics. 352.It Dv TCP_TXTLS_ENABLE 353Enable in-kernel Transport Layer Security (TLS) for data written to this 354socket. 355See 356.Xr ktls 4 357for more details. 358.It Dv TCP_TXTLS_MODE 359The integer argument can be used to get or set the current TLS transmit mode 360of a socket. 361See 362.Xr ktls 4 363for more details. 364.It Dv TCP_RXTLS_ENABLE 365Enable in-kernel TLS for data read from this socket. 366See 367.Xr ktls 4 368for more details. 369.It Dv TCP_REUSPORT_LB_NUMA 370Changes NUMA affinity filtering for an established TCP listen 371socket. 372This option takes a single integer argument which specifies 373the NUMA domain to filter on for this listen socket. 374The argument can also have the follwing special values: 375.Bl -tag -width "Dv TCP_REUSPORT_LB_NUMA" 376.It Dv TCP_REUSPORT_LB_NUMA_NODOM 377Remove NUMA filtering for this listen socket. 378.It Dv TCP_REUSPORT_LB_NUMA_CURDOM 379Filter traffic associated with the domain where the calling thread is 380currently executing. 381This is typically used after a process or thread inherits a listen 382socket from its parent, and sets its CPU affinity to a particular core. 383.El 384.It Dv TCP_REMOTE_UDP_ENCAPS_PORT 385Set and get the remote UDP encapsulation port. 386It can only be set on a closed TCP socket. 387.El 388.Pp 389The option level for the 390.Xr setsockopt 2 391call is the protocol number for 392.Tn TCP , 393available from 394.Xr getprotobyname 3 , 395or 396.Dv IPPROTO_TCP . 397All options are declared in 398.In netinet/tcp.h . 399.Pp 400Options at the 401.Tn IP 402transport level may be used with 403.Tn TCP ; 404see 405.Xr ip 4 . 406Incoming connection requests that are source-routed are noted, 407and the reverse source route is used in responding. 408.Pp 409The default congestion control algorithm for 410.Tn TCP 411is 412.Xr cc_newreno 4 . 413Other congestion control algorithms can be made available using the 414.Xr mod_cc 4 415framework. 416.Ss MIB Variables 417The 418.Tn TCP 419protocol implements a number of variables in the 420.Va net.inet.tcp 421branch of the 422.Xr sysctl 3 423MIB. 424.Bl -tag -width ".Va v6pmtud_blackhole_mss" 425.It Va rfc1323 426Implement the window scaling and timestamp options of RFC 1323/RFC 7323 427(default is true). 428.It Va tolerate_missing_ts 429Tolerate the missing of timestamps (RFC 1323/RFC 7323) for 430.Tn TCP 431segments belonging to 432.Tn TCP 433connections for which support of 434.Tn TCP 435timestamps has been negotiated. 436As of June 2021, several TCP stacks are known to violate RFC 7323, including 437modern widely deployed ones. 438Therefore the default is 1, i.e., the missing of timestamps is tolerated. 439.It Va mssdflt 440The default value used for the maximum segment size 441.Pq Dq MSS 442when no advice to the contrary is received from MSS negotiation. 443.It Va sendspace 444Maximum 445.Tn TCP 446send window. 447.It Va recvspace 448Maximum 449.Tn TCP 450receive window. 451.It Va log_in_vain 452Log any connection attempts to ports where there is not a socket 453accepting connections. 454The value of 1 limits the logging to 455.Tn SYN 456(connection establishment) packets only. 457That of 2 results in any 458.Tn TCP 459packets to closed ports being logged. 460Any value unlisted above disables the logging 461(default is 0, i.e., the logging is disabled). 462.It Va msl 463The Maximum Segment Lifetime, in milliseconds, for a packet. 464.It Va keepinit 465Timeout, in milliseconds, for new, non-established 466.Tn TCP 467connections. 468The default is 75000 msec. 469.It Va keepidle 470Amount of time, in milliseconds, that the connection must be idle 471before keepalive probes (if enabled) are sent. 472The default is 7200000 msec (2 hours). 473.It Va keepintvl 474The interval, in milliseconds, between keepalive probes sent to remote 475machines, when no response is received on a 476.Va keepidle 477probe. 478The default is 75000 msec. 479.It Va keepcnt 480Number of probes sent, with no response, before a connection 481is dropped. 482The default is 8 packets. 483.It Va always_keepalive 484Assume that 485.Dv SO_KEEPALIVE 486is set on all 487.Tn TCP 488connections, the kernel will 489periodically send a packet to the remote host to verify the connection 490is still up. 491.It Va icmp_may_rst 492Certain 493.Tn ICMP 494unreachable messages may abort connections in 495.Tn SYN-SENT 496state. 497.It Va do_tcpdrain 498Flush packets in the 499.Tn TCP 500reassembly queue if the system is low on mbufs. 501.It Va blackhole 502If enabled, disable sending of RST when a connection is attempted 503to a port where there is not a socket accepting connections. 504See 505.Xr blackhole 4 . 506.It Va delayed_ack 507Delay ACK to try and piggyback it onto a data packet. 508.It Va delacktime 509Maximum amount of time, in milliseconds, before a delayed ACK is sent. 510.It Va path_mtu_discovery 511Enable Path MTU Discovery. 512.It Va tcbhashsize 513Size of the 514.Tn TCP 515control-block hash table 516(read-only). 517This may be tuned using the kernel option 518.Dv TCBHASHSIZE 519or by setting 520.Va net.inet.tcp.tcbhashsize 521in the 522.Xr loader 8 . 523.It Va pcbcount 524Number of active process control blocks 525(read-only). 526.It Va syncookies 527Determines whether or not 528.Tn SYN 529cookies should be generated for outbound 530.Tn SYN-ACK 531packets. 532.Tn SYN 533cookies are a great help during 534.Tn SYN 535flood attacks, and are enabled by default. 536(See 537.Xr syncookies 4 . ) 538.It Va isn_reseed_interval 539The interval (in seconds) specifying how often the secret data used in 540RFC 1948 initial sequence number calculations should be reseeded. 541By default, this variable is set to zero, indicating that 542no reseeding will occur. 543Reseeding should not be necessary, and will break 544.Dv TIME_WAIT 545recycling for a few minutes. 546.It Va reass.cursegments 547The current total number of segments present in all reassembly queues. 548.It Va reass.maxsegments 549The maximum limit on the total number of segments across all reassembly 550queues. 551The limit can be adjusted as a tunable. 552.It Va reass.maxqueuelen 553The maximum number of segments allowed in each reassembly queue. 554By default, the system chooses a limit based on each TCP connection's 555receive buffer size and maximum segment size (MSS). 556The actual limit applied to a session's reassembly queue will be the lower of 557the system-calculated automatic limit and the user-specified 558.Va reass.maxqueuelen 559limit. 560.It Va rexmit_initial , rexmit_min , rexmit_slop 561Adjust the retransmit timer calculation for 562.Tn TCP . 563The slop is 564typically added to the raw calculation to take into account 565occasional variances that the 566.Tn SRTT 567(smoothed round-trip time) 568is unable to accommodate, while the minimum specifies an 569absolute minimum. 570While a number of 571.Tn TCP 572RFCs suggest a 1 573second minimum, these RFCs tend to focus on streaming behavior, 574and fail to deal with the fact that a 1 second minimum has severe 575detrimental effects over lossy interactive connections, such 576as a 802.11b wireless link, and over very fast but lossy 577connections for those cases not covered by the fast retransmit 578code. 579For this reason, we use 200ms of slop and a near-0 580minimum, which gives us an effective minimum of 200ms (similar to 581.Tn Linux ) . 582The initial value is used before an RTT measurement has been performed. 583.It Va initcwnd_segments 584Enable the ability to specify initial congestion window in number of segments. 585The default value is 10 as suggested by RFC 6928. 586Changing the value on fly would not affect connections using congestion window 587from the hostcache. 588Caution: 589This regulates the burst of packets allowed to be sent in the first RTT. 590The value should be relative to the link capacity. 591Start with small values for lower-capacity links. 592Large bursts can cause buffer overruns and packet drops if routers have small 593buffers or the link is experiencing congestion. 594.It Va newcwd 595Enable the New Congestion Window Validation mechanism as described in RFC 7661. 596This gently reduces the congestion window during periods, where TCP is 597application limited and the network bandwidth is not utilized completely. 598That prevents self-inflicted packet losses once the application starts to 599transmit data at a higher speed. 600.It Va do_lrd 601Enable Lost Retransmission Detection for SACK-enabled sessions, disabled by 602default. 603Under severe congestion, a retransmission can be lost which then leads to a 604mandatory Retransmission Timeout (RTO), followed by slow-start. 605LRD will try to resend the repeatedly lost packet, preventing the time-consuming 606RTO and performance reducing slow-start. 607.It Va do_prr 608Perform SACK loss recovery using the Proportional Rate Reduction (PRR) algorithm 609described in RFC6937. 610This improves the effectiveness of retransmissions particular in environments 611with ACK thinning or burst loss events, as chances to run out of the ACK clock 612are reduced, preventing lengthy and performance reducing RTO based loss recovery 613(default is true). 614.It Va do_prr_conservative 615While doing Proportional Rate Reduction, remain strictly in a packet conserving 616mode, sending only one new packet for each ACK received. 617Helpful when a misconfigured token bucket traffic policer causes persistent 618high losses leading to RTO, but reduces PRR effectiveness in more common settings 619(default is false). 620.It Va rfc6675_pipe 621Deprecated and superseded by 622.Va sack.revised 623.It Va rfc3042 624Enable the Limited Transmit algorithm as described in RFC 3042. 625It helps avoid timeouts on lossy links and also when the congestion window 626is small, as happens on short transfers. 627.It Va rfc3390 628Enable support for RFC 3390, which allows for a variable-sized 629starting congestion window on new connections, depending on the 630maximum segment size. 631This helps throughput in general, but 632particularly affects short transfers and high-bandwidth large 633propagation-delay connections. 634.It Va sack.enable 635Enable support for RFC 2018, TCP Selective Acknowledgment option, 636which allows the receiver to inform the sender about all successfully 637arrived segments, allowing the sender to retransmit the missing segments 638only. 639.It Va sack.revised 640Enables three updated mechanisms from RFC6675 (default is true). 641Calculate the bytes in flight using the algorithm described in RFC 6675, and 642is also an improvement when Proportional Rate Reduction is enabled. 643Next, Rescue Retransmission helps timely loss recovery, when the trailing segments 644of a transmission are lost, while no additional data is ready to be sent. 645In case a partial ACK without a SACK block is received during SACK loss 646recovery, the trailing segment is immediately resent, rather than waiting 647for a Retransmission timeout. 648Finally, SACK loss recovery is also engaged, once two segments plus one byte are 649SACKed - even if no traditional duplicate ACKs were observed. 650.It Va sack.maxholes 651Maximum number of SACK holes per connection. 652Defaults to 128. 653.It Va sack.globalmaxholes 654Maximum number of SACK holes per system, across all connections. 655Defaults to 65536. 656.It Va maxtcptw 657When a TCP connection enters the 658.Dv TIME_WAIT 659state, its associated socket structure is freed, since it is of 660negligible size and use, and a new structure is allocated to contain a 661minimal amount of information necessary for sustaining a connection in 662this state, called the compressed TCP TIME_WAIT state. 663Since this structure is smaller than a socket structure, it can save 664a significant amount of system memory. 665The 666.Va net.inet.tcp.maxtcptw 667MIB variable controls the maximum number of these structures allocated. 668By default, it is initialized to 669.Va kern.ipc.maxsockets 670/ 5. 671.It Va nolocaltimewait 672Suppress creating of compressed TCP TIME_WAIT states for connections in 673which both endpoints are local. 674.It Va fast_finwait2_recycle 675Recycle 676.Tn TCP 677.Dv FIN_WAIT_2 678connections faster when the socket is marked as 679.Dv SBS_CANTRCVMORE 680(no user process has the socket open, data received on 681the socket cannot be read). 682The timeout used here is 683.Va finwait2_timeout . 684.It Va finwait2_timeout 685Timeout to use for fast recycling of 686.Tn TCP 687.Dv FIN_WAIT_2 688connections. 689Defaults to 60 seconds. 690.It Va ecn.enable 691Enable support for TCP Explicit Congestion Notification (ECN). 692ECN allows a TCP sender to reduce the transmission rate in order to 693avoid packet drops. 694.Bl -tag -compact 695.It 0 696Disable ECN. 697.It 1 698Allow incoming connections to request ECN. 699Outgoing connections will request ECN. 700.It 2 701Allow incoming connections to request ECN. 702Outgoing connections will not request ECN. 703(default) 704.El 705.It Va ecn.maxretries 706Number of retries (SYN or SYN/ACK retransmits) before disabling ECN on a 707specific connection. 708This is needed to help with connection establishment 709when a broken firewall is in the network path. 710.It Va pmtud_blackhole_detection 711Enable automatic path MTU blackhole detection. 712In case of retransmits of MSS sized segments, 713the OS will lower the MSS to check if it's an MTU problem. 714If the current MSS is greater than the configured value to try 715.Po Va net.inet.tcp.pmtud_blackhole_mss 716and 717.Va net.inet.tcp.v6pmtud_blackhole_mss 718.Pc , 719it will be set to this value, otherwise, 720the MSS will be set to the default values 721.Po Va net.inet.tcp.mssdflt 722and 723.Va net.inet.tcp.v6mssdflt 724.Pc . 725Settings: 726.Bl -tag -compact 727.It 0 728Disable path MTU blackhole detection. 729.It 1 730Enable path MTU blackhole detection for IPv4 and IPv6. 731.It 2 732Enable path MTU blackhole detection only for IPv4. 733.It 3 734Enable path MTU blackhole detection only for IPv6. 735.El 736.It Va pmtud_blackhole_mss 737MSS to try for IPv4 if PMTU blackhole detection is turned on. 738.It Va v6pmtud_blackhole_mss 739MSS to try for IPv6 if PMTU blackhole detection is turned on. 740.It Va fastopen.acceptany 741When non-zero, all client-supplied TFO cookies will be considered to be valid. 742The default is 0. 743.It Va fastopen.autokey 744When this and 745.Va net.inet.tcp.fastopen.server_enable 746are non-zero, a new key will be automatically generated after this specified 747seconds. 748The default is 120. 749.It Va fastopen.ccache_bucket_limit 750The maximum number of entries in a client cookie cache bucket. 751The default value can be tuned with the 752.Dv TCP_FASTOPEN_CCACHE_BUCKET_LIMIT_DEFAULT 753kernel option or by setting 754.Va net.inet.tcp.fastopen_ccache_bucket_limit 755in the 756.Xr loader 8 . 757.It Va fastopen.ccache_buckets 758The number of client cookie cache buckets. 759Read-only. 760The value can be tuned with the 761.Dv TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT 762kernel option or by setting 763.Va fastopen.ccache_buckets 764in the 765.Xr loader 8 . 766.It Va fastopen.ccache_list 767Print the client cookie cache. 768Read-only. 769.It Va fastopen.client_enable 770When zero, no new active (i.e., client) TFO connections can be created. 771On the transition from enabled to disabled, the client cookie cache is cleared 772and disabled. 773The transition from enabled to disabled does not affect any active TFO 774connections in progress; it only prevents new ones from being established. 775The default is 0. 776.It Va fastopen.keylen 777The key length in bytes. 778Read-only. 779.It Va fastopen.maxkeys 780The maximum number of keys supported. 781Read-only, 782.It Va fastopen.maxpsks 783The maximum number of pre-shared keys supported. 784Read-only. 785.It Va fastopen.numkeys 786The current number of keys installed. 787Read-only. 788.It Va fastopen.numpsks 789The current number of pre-shared keys installed. 790Read-only. 791.It Va fastopen.path_disable_time 792When a failure occurs while trying to create a new active (i.e., client) TFO 793connection, new active connections on the same path, as determined by the tuple 794.Brq client_ip, server_ip, server_port , 795will be forced to be non-TFO for this many seconds. 796Note that the path disable mechanism relies on state stored in client cookie 797cache entries, so it is possible for the disable time for a given path to be 798reduced if the corresponding client cookie cache entry is reused due to resource 799pressure before the disable period has elapsed. 800The default is 801.Dv TCP_FASTOPEN_PATH_DISABLE_TIME_DEFAULT . 802.It Va fastopen.psk_enable 803When non-zero, pre-shared key (PSK) mode is enabled for all TFO servers. 804On the transition from enabled to disabled, all installed pre-shared keys are 805removed. 806The default is 0. 807.It Va fastopen.server_enable 808When zero, no new passive (i.e., server) TFO connections can be created. 809On the transition from enabled to disabled, all installed keys and pre-shared 810keys are removed. 811On the transition from disabled to enabled, if 812.Va fastopen.autokey 813is non-zero and there are no keys installed, a new key will be generated 814immediately. 815The transition from enabled to disabled does not affect any passive TFO 816connections in progress; it only prevents new ones from being established. 817The default is 0. 818.It Va fastopen.setkey 819Install a new key by writing 820.Va net.inet.tcp.fastopen.keylen 821bytes to this sysctl. 822.It Va fastopen.setpsk 823Install a new pre-shared key by writing 824.Va net.inet.tcp.fastopen.keylen 825bytes to this sysctl. 826.It Va hostcache.enable 827The TCP host cache is used to cache connection details and metrics to 828improve future performance of connections between the same hosts. 829At the completion of a TCP connection, a host will cache information 830for the connection for some defined period of time. 831.Bl -tag -compact 832.It 0 833Disable the host cache. 834.It 1 835Enable the host cache. (default) 836.El 837.It Va hostcache.purgenow 838Immediately purge all entries once set to any value. 839Setting this to 2 will also reseed the hash salt. 840.It Va hostcache.purge 841Expire all entires on next pruning of host cache entries. 842Any non-zero setting will be reset to zero, once the pruge 843is running. 844.Bl -tag -compact 845.It 0 846Do not purge all entries when pruning the host cache. (default) 847.It 1 848Purge all entries when doing the next pruning. 849.It 2 850Purge all entries, and also reseed the hash salt. 851.El 852.It Va hostcache.prune 853Time in seconds between pruning expired host cache entries. 854Defaults to 300 (5 minutes). 855.It Va hostcache.expire 856Time in seconds, how long a entry should be kept in the 857host cache since last accessed. 858Defaults to 3600 (1 hour). 859.It Va hostcache.count 860The current number of entries in the host cache. 861.It Va hostcache.bucketlimit 862The maximum number of entries for the same hash. 863Defaults to 30. 864.It Va hostcache.hashsize 865Size of TCP hostcache hashtable. 866This number has to be a power of two, or will be rejected. 867Defaults to 512. 868.It Va hostcache.cachelimit 869Overall entry limit for hostcache. 870Defaults to hashsize * bucketlimit. 871.It Va hostcache.histo 872Provide a Histogram of the hostcache hash utilization. 873.It Va hostcache.list 874Provide a complete list of all current entries in the host 875cache. 876.It Va functions_available 877List of available TCP function blocks (TCP stacks). 878.It Va functions_default 879The default TCP function block (TCP stack). 880.It Va functions_inherit_listen_socket_stack 881Determines whether to inherit listen socket's tcp stack or use the current 882system default tcp stack, as defined by 883.Va functions_default . 884Default is true. 885.It Va insecure_rst 886Use criteria defined in RFC793 instead of RFC5961 for accepting RST segments. 887Default is false. 888.It Va insecure_syn 889Use criteria defined in RFC793 instead of RFC5961 for accepting SYN segments. 890Default is false. 891.It Va ts_offset_per_conn 892When initializing the TCP timestamps, use a per connection offset instead of a 893per host pair offset. 894Default is to use per connection offsets as recommended in RFC 7323. 895.It Va perconn_stats_enable 896Controls the default collection of statistics for all connections using the 897.Xr stats 3 898framework. 8990 disables, 1 enables, 2 enables random sampling across log id connection 900groups with all connections in a group receiving the same setting. 901.It Va perconn_stats_sample_rates 902A CSV list of template_spec=percent key-value pairs which controls the per 903template sampling rates when 904.Xr stats 3 905sampling is enabled. 906.It Va udp_tunneling_port 907The local UDP encapsulation port. 908A value of 0 indicates that UDP encapsulation is disabled. 909The default is 0. 910.It Va udp_tunneling_overhead 911The overhead taken into account when using UDP encapsulation. 912Since MSS clamping by middleboxes will most likely not work, values larger than 9138 (the size of the UDP header) are also supported. 914Supported values are between 8 and 1024. 915The default is 8. 916.El 917.Sh ERRORS 918A socket operation may fail with one of the following errors returned: 919.Bl -tag -width Er 920.It Bq Er EISCONN 921when trying to establish a connection on a socket which 922already has one; 923.It Bo Er ENOBUFS Bc or Bo Er ENOMEM Bc 924when the system runs out of memory for 925an internal data structure; 926.It Bq Er ETIMEDOUT 927when a connection was dropped 928due to excessive retransmissions; 929.It Bq Er ECONNRESET 930when the remote peer 931forces the connection to be closed; 932.It Bq Er ECONNREFUSED 933when the remote 934peer actively refuses connection establishment (usually because 935no process is listening to the port); 936.It Bq Er EADDRINUSE 937when an attempt 938is made to create a socket with a port which has already been 939allocated; 940.It Bq Er EADDRNOTAVAIL 941when an attempt is made to create a 942socket with a network address for which no network interface 943exists; 944.It Bq Er EAFNOSUPPORT 945when an attempt is made to bind or connect a socket to a multicast 946address. 947.It Bq Er EINVAL 948when trying to change TCP function blocks at an invalid point in the session; 949.It Bq Er ENOENT 950when trying to use a TCP function block that is not available; 951.El 952.Sh SEE ALSO 953.Xr getsockopt 2 , 954.Xr socket 2 , 955.Xr stats 3 , 956.Xr sysctl 3 , 957.Xr blackhole 4 , 958.Xr inet 4 , 959.Xr intro 4 , 960.Xr ip 4 , 961.Xr ktls 4 , 962.Xr mod_cc 4 , 963.Xr siftr 4 , 964.Xr syncache 4 , 965.Xr tcp_bbr 4 , 966.Xr setkey 8 , 967.Xr tcp_functions 9 968.Rs 969.%A "V. Jacobson" 970.%A "B. Braden" 971.%A "D. Borman" 972.%T "TCP Extensions for High Performance" 973.%O "RFC 1323" 974.Re 975.Rs 976.%A "D. Borman" 977.%A "B. Braden" 978.%A "V. Jacobson" 979.%A "R. Scheffenegger" 980.%T "TCP Extensions for High Performance" 981.%O "RFC 7323" 982.Re 983.Rs 984.%A "A. Heffernan" 985.%T "Protection of BGP Sessions via the TCP MD5 Signature Option" 986.%O "RFC 2385" 987.Re 988.Rs 989.%A "K. Ramakrishnan" 990.%A "S. Floyd" 991.%A "D. Black" 992.%T "The Addition of Explicit Congestion Notification (ECN) to IP" 993.%O "RFC 3168" 994.Re 995.Sh HISTORY 996The 997.Tn TCP 998protocol appeared in 999.Bx 4.2 . 1000The RFC 1323 extensions for window scaling and timestamps were added 1001in 1002.Bx 4.4 . 1003The 1004.Dv TCP_INFO 1005option was introduced in 1006.Tn Linux 2.6 1007and is 1008.Em subject to change . 1009