xref: /freebsd/sys/netinet/tcp_output.c (revision 49b49cda41feabe3439f7318e8bf40e3896c7bf4)
1 /*-
2  * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 4. Neither the name of the University nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  *	@(#)tcp_output.c	8.4 (Berkeley) 5/24/95
30  */
31 
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
34 
35 #include "opt_inet.h"
36 #include "opt_inet6.h"
37 #include "opt_ipsec.h"
38 #include "opt_tcpdebug.h"
39 
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/domain.h>
43 #include <sys/hhook.h>
44 #include <sys/kernel.h>
45 #include <sys/lock.h>
46 #include <sys/mbuf.h>
47 #include <sys/mutex.h>
48 #include <sys/protosw.h>
49 #include <sys/sdt.h>
50 #include <sys/socket.h>
51 #include <sys/socketvar.h>
52 #include <sys/sysctl.h>
53 
54 #include <net/if.h>
55 #include <net/route.h>
56 #include <net/vnet.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/in_kdtrace.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/in_pcb.h>
63 #include <netinet/ip_var.h>
64 #include <netinet/ip_options.h>
65 #ifdef INET6
66 #include <netinet6/in6_pcb.h>
67 #include <netinet/ip6.h>
68 #include <netinet6/ip6_var.h>
69 #endif
70 #ifdef TCP_RFC7413
71 #include <netinet/tcp_fastopen.h>
72 #endif
73 #include <netinet/tcp.h>
74 #define	TCPOUTFLAGS
75 #include <netinet/tcp_fsm.h>
76 #include <netinet/tcp_seq.h>
77 #include <netinet/tcp_timer.h>
78 #include <netinet/tcp_var.h>
79 #include <netinet/tcpip.h>
80 #include <netinet/tcp_cc.h>
81 #ifdef TCPPCAP
82 #include <netinet/tcp_pcap.h>
83 #endif
84 #ifdef TCPDEBUG
85 #include <netinet/tcp_debug.h>
86 #endif
87 #ifdef TCP_OFFLOAD
88 #include <netinet/tcp_offload.h>
89 #endif
90 
91 #ifdef IPSEC
92 #include <netipsec/ipsec.h>
93 #endif /*IPSEC*/
94 
95 #include <machine/in_cksum.h>
96 
97 #include <security/mac/mac_framework.h>
98 
99 VNET_DEFINE(int, path_mtu_discovery) = 1;
100 SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_VNET | CTLFLAG_RW,
101 	&VNET_NAME(path_mtu_discovery), 1,
102 	"Enable Path MTU Discovery");
103 
104 VNET_DEFINE(int, tcp_do_tso) = 1;
105 #define	V_tcp_do_tso		VNET(tcp_do_tso)
106 SYSCTL_INT(_net_inet_tcp, OID_AUTO, tso, CTLFLAG_VNET | CTLFLAG_RW,
107 	&VNET_NAME(tcp_do_tso), 0,
108 	"Enable TCP Segmentation Offload");
109 
110 VNET_DEFINE(int, tcp_sendspace) = 1024*32;
111 #define	V_tcp_sendspace	VNET(tcp_sendspace)
112 SYSCTL_INT(_net_inet_tcp, TCPCTL_SENDSPACE, sendspace, CTLFLAG_VNET | CTLFLAG_RW,
113 	&VNET_NAME(tcp_sendspace), 0, "Initial send socket buffer size");
114 
115 VNET_DEFINE(int, tcp_do_autosndbuf) = 1;
116 #define	V_tcp_do_autosndbuf	VNET(tcp_do_autosndbuf)
117 SYSCTL_INT(_net_inet_tcp, OID_AUTO, sendbuf_auto, CTLFLAG_VNET | CTLFLAG_RW,
118 	&VNET_NAME(tcp_do_autosndbuf), 0,
119 	"Enable automatic send buffer sizing");
120 
121 VNET_DEFINE(int, tcp_autosndbuf_inc) = 8*1024;
122 #define	V_tcp_autosndbuf_inc	VNET(tcp_autosndbuf_inc)
123 SYSCTL_INT(_net_inet_tcp, OID_AUTO, sendbuf_inc, CTLFLAG_VNET | CTLFLAG_RW,
124 	&VNET_NAME(tcp_autosndbuf_inc), 0,
125 	"Incrementor step size of automatic send buffer");
126 
127 VNET_DEFINE(int, tcp_autosndbuf_max) = 2*1024*1024;
128 #define	V_tcp_autosndbuf_max	VNET(tcp_autosndbuf_max)
129 SYSCTL_INT(_net_inet_tcp, OID_AUTO, sendbuf_max, CTLFLAG_VNET | CTLFLAG_RW,
130 	&VNET_NAME(tcp_autosndbuf_max), 0,
131 	"Max size of automatic send buffer");
132 
133 static void inline	hhook_run_tcp_est_out(struct tcpcb *tp,
134 			    struct tcphdr *th, struct tcpopt *to,
135 			    long len, int tso);
136 static void inline	cc_after_idle(struct tcpcb *tp);
137 
138 /*
139  * Wrapper for the TCP established output helper hook.
140  */
141 static void inline
142 hhook_run_tcp_est_out(struct tcpcb *tp, struct tcphdr *th,
143     struct tcpopt *to, long len, int tso)
144 {
145 	struct tcp_hhook_data hhook_data;
146 
147 	if (V_tcp_hhh[HHOOK_TCP_EST_OUT]->hhh_nhooks > 0) {
148 		hhook_data.tp = tp;
149 		hhook_data.th = th;
150 		hhook_data.to = to;
151 		hhook_data.len = len;
152 		hhook_data.tso = tso;
153 
154 		hhook_run_hooks(V_tcp_hhh[HHOOK_TCP_EST_OUT], &hhook_data,
155 		    tp->osd);
156 	}
157 }
158 
159 /*
160  * CC wrapper hook functions
161  */
162 static void inline
163 cc_after_idle(struct tcpcb *tp)
164 {
165 	INP_WLOCK_ASSERT(tp->t_inpcb);
166 
167 	if (CC_ALGO(tp)->after_idle != NULL)
168 		CC_ALGO(tp)->after_idle(tp->ccv);
169 }
170 
171 /*
172  * Tcp output routine: figure out what should be sent and send it.
173  */
174 int
175 tcp_output(struct tcpcb *tp)
176 {
177 	struct socket *so = tp->t_inpcb->inp_socket;
178 	long len, recwin, sendwin;
179 	int off, flags, error = 0;	/* Keep compiler happy */
180 	struct mbuf *m;
181 	struct ip *ip = NULL;
182 	struct ipovly *ipov = NULL;
183 	struct tcphdr *th;
184 	u_char opt[TCP_MAXOLEN];
185 	unsigned ipoptlen, optlen, hdrlen;
186 #ifdef IPSEC
187 	unsigned ipsec_optlen = 0;
188 #endif
189 	int idle, sendalot;
190 	int sack_rxmit, sack_bytes_rxmt;
191 	struct sackhole *p;
192 	int tso, mtu;
193 	struct tcpopt to;
194 #if 0
195 	int maxburst = TCP_MAXBURST;
196 #endif
197 #ifdef INET6
198 	struct ip6_hdr *ip6 = NULL;
199 	int isipv6;
200 
201 	isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0;
202 #endif
203 
204 	INP_WLOCK_ASSERT(tp->t_inpcb);
205 
206 #ifdef TCP_OFFLOAD
207 	if (tp->t_flags & TF_TOE)
208 		return (tcp_offload_output(tp));
209 #endif
210 
211 #ifdef TCP_RFC7413
212 	/*
213 	 * For TFO connections in SYN_RECEIVED, only allow the initial
214 	 * SYN|ACK and those sent by the retransmit timer.
215 	 */
216 	if ((tp->t_flags & TF_FASTOPEN) &&
217 	    (tp->t_state == TCPS_SYN_RECEIVED) &&
218 	    SEQ_GT(tp->snd_max, tp->snd_una) &&    /* inital SYN|ACK sent */
219 	    (tp->snd_nxt != tp->snd_una))          /* not a retransmit */
220 		return (0);
221 #endif
222 	/*
223 	 * Determine length of data that should be transmitted,
224 	 * and flags that will be used.
225 	 * If there is some data or critical controls (SYN, RST)
226 	 * to send, then transmit; otherwise, investigate further.
227 	 */
228 	idle = (tp->t_flags & TF_LASTIDLE) || (tp->snd_max == tp->snd_una);
229 	if (idle && ticks - tp->t_rcvtime >= tp->t_rxtcur)
230 		cc_after_idle(tp);
231 	tp->t_flags &= ~TF_LASTIDLE;
232 	if (idle) {
233 		if (tp->t_flags & TF_MORETOCOME) {
234 			tp->t_flags |= TF_LASTIDLE;
235 			idle = 0;
236 		}
237 	}
238 again:
239 	/*
240 	 * If we've recently taken a timeout, snd_max will be greater than
241 	 * snd_nxt.  There may be SACK information that allows us to avoid
242 	 * resending already delivered data.  Adjust snd_nxt accordingly.
243 	 */
244 	if ((tp->t_flags & TF_SACK_PERMIT) &&
245 	    SEQ_LT(tp->snd_nxt, tp->snd_max))
246 		tcp_sack_adjust(tp);
247 	sendalot = 0;
248 	tso = 0;
249 	mtu = 0;
250 	off = tp->snd_nxt - tp->snd_una;
251 	sendwin = min(tp->snd_wnd, tp->snd_cwnd);
252 
253 	flags = tcp_outflags[tp->t_state];
254 	/*
255 	 * Send any SACK-generated retransmissions.  If we're explicitly trying
256 	 * to send out new data (when sendalot is 1), bypass this function.
257 	 * If we retransmit in fast recovery mode, decrement snd_cwnd, since
258 	 * we're replacing a (future) new transmission with a retransmission
259 	 * now, and we previously incremented snd_cwnd in tcp_input().
260 	 */
261 	/*
262 	 * Still in sack recovery , reset rxmit flag to zero.
263 	 */
264 	sack_rxmit = 0;
265 	sack_bytes_rxmt = 0;
266 	len = 0;
267 	p = NULL;
268 	if ((tp->t_flags & TF_SACK_PERMIT) && IN_FASTRECOVERY(tp->t_flags) &&
269 	    (p = tcp_sack_output(tp, &sack_bytes_rxmt))) {
270 		long cwin;
271 
272 		cwin = min(tp->snd_wnd, tp->snd_cwnd) - sack_bytes_rxmt;
273 		if (cwin < 0)
274 			cwin = 0;
275 		/* Do not retransmit SACK segments beyond snd_recover */
276 		if (SEQ_GT(p->end, tp->snd_recover)) {
277 			/*
278 			 * (At least) part of sack hole extends beyond
279 			 * snd_recover. Check to see if we can rexmit data
280 			 * for this hole.
281 			 */
282 			if (SEQ_GEQ(p->rxmit, tp->snd_recover)) {
283 				/*
284 				 * Can't rexmit any more data for this hole.
285 				 * That data will be rexmitted in the next
286 				 * sack recovery episode, when snd_recover
287 				 * moves past p->rxmit.
288 				 */
289 				p = NULL;
290 				goto after_sack_rexmit;
291 			} else
292 				/* Can rexmit part of the current hole */
293 				len = ((long)ulmin(cwin,
294 						   tp->snd_recover - p->rxmit));
295 		} else
296 			len = ((long)ulmin(cwin, p->end - p->rxmit));
297 		off = p->rxmit - tp->snd_una;
298 		KASSERT(off >= 0,("%s: sack block to the left of una : %d",
299 		    __func__, off));
300 		if (len > 0) {
301 			sack_rxmit = 1;
302 			sendalot = 1;
303 			TCPSTAT_INC(tcps_sack_rexmits);
304 			TCPSTAT_ADD(tcps_sack_rexmit_bytes,
305 			    min(len, tp->t_maxseg));
306 		}
307 	}
308 after_sack_rexmit:
309 	/*
310 	 * Get standard flags, and add SYN or FIN if requested by 'hidden'
311 	 * state flags.
312 	 */
313 	if (tp->t_flags & TF_NEEDFIN)
314 		flags |= TH_FIN;
315 	if (tp->t_flags & TF_NEEDSYN)
316 		flags |= TH_SYN;
317 
318 	SOCKBUF_LOCK(&so->so_snd);
319 	/*
320 	 * If in persist timeout with window of 0, send 1 byte.
321 	 * Otherwise, if window is small but nonzero
322 	 * and timer expired, we will send what we can
323 	 * and go to transmit state.
324 	 */
325 	if (tp->t_flags & TF_FORCEDATA) {
326 		if (sendwin == 0) {
327 			/*
328 			 * If we still have some data to send, then
329 			 * clear the FIN bit.  Usually this would
330 			 * happen below when it realizes that we
331 			 * aren't sending all the data.  However,
332 			 * if we have exactly 1 byte of unsent data,
333 			 * then it won't clear the FIN bit below,
334 			 * and if we are in persist state, we wind
335 			 * up sending the packet without recording
336 			 * that we sent the FIN bit.
337 			 *
338 			 * We can't just blindly clear the FIN bit,
339 			 * because if we don't have any more data
340 			 * to send then the probe will be the FIN
341 			 * itself.
342 			 */
343 			if (off < sbused(&so->so_snd))
344 				flags &= ~TH_FIN;
345 			sendwin = 1;
346 		} else {
347 			tcp_timer_activate(tp, TT_PERSIST, 0);
348 			tp->t_rxtshift = 0;
349 		}
350 	}
351 
352 	/*
353 	 * If snd_nxt == snd_max and we have transmitted a FIN, the
354 	 * offset will be > 0 even if so_snd.sb_cc is 0, resulting in
355 	 * a negative length.  This can also occur when TCP opens up
356 	 * its congestion window while receiving additional duplicate
357 	 * acks after fast-retransmit because TCP will reset snd_nxt
358 	 * to snd_max after the fast-retransmit.
359 	 *
360 	 * In the normal retransmit-FIN-only case, however, snd_nxt will
361 	 * be set to snd_una, the offset will be 0, and the length may
362 	 * wind up 0.
363 	 *
364 	 * If sack_rxmit is true we are retransmitting from the scoreboard
365 	 * in which case len is already set.
366 	 */
367 	if (sack_rxmit == 0) {
368 		if (sack_bytes_rxmt == 0)
369 			len = ((long)ulmin(sbavail(&so->so_snd), sendwin) -
370 			    off);
371 		else {
372 			long cwin;
373 
374                         /*
375 			 * We are inside of a SACK recovery episode and are
376 			 * sending new data, having retransmitted all the
377 			 * data possible in the scoreboard.
378 			 */
379 			len = ((long)ulmin(sbavail(&so->so_snd), tp->snd_wnd) -
380 			    off);
381 			/*
382 			 * Don't remove this (len > 0) check !
383 			 * We explicitly check for len > 0 here (although it
384 			 * isn't really necessary), to work around a gcc
385 			 * optimization issue - to force gcc to compute
386 			 * len above. Without this check, the computation
387 			 * of len is bungled by the optimizer.
388 			 */
389 			if (len > 0) {
390 				cwin = tp->snd_cwnd -
391 					(tp->snd_nxt - tp->sack_newdata) -
392 					sack_bytes_rxmt;
393 				if (cwin < 0)
394 					cwin = 0;
395 				len = lmin(len, cwin);
396 			}
397 		}
398 	}
399 
400 	/*
401 	 * Lop off SYN bit if it has already been sent.  However, if this
402 	 * is SYN-SENT state and if segment contains data and if we don't
403 	 * know that foreign host supports TAO, suppress sending segment.
404 	 */
405 	if ((flags & TH_SYN) && SEQ_GT(tp->snd_nxt, tp->snd_una)) {
406 		if (tp->t_state != TCPS_SYN_RECEIVED)
407 			flags &= ~TH_SYN;
408 #ifdef TCP_RFC7413
409 		/*
410 		 * When sending additional segments following a TFO SYN|ACK,
411 		 * do not include the SYN bit.
412 		 */
413 		if ((tp->t_flags & TF_FASTOPEN) &&
414 		    (tp->t_state == TCPS_SYN_RECEIVED))
415 			flags &= ~TH_SYN;
416 #endif
417 		off--, len++;
418 	}
419 
420 	/*
421 	 * Be careful not to send data and/or FIN on SYN segments.
422 	 * This measure is needed to prevent interoperability problems
423 	 * with not fully conformant TCP implementations.
424 	 */
425 	if ((flags & TH_SYN) && (tp->t_flags & TF_NOOPT)) {
426 		len = 0;
427 		flags &= ~TH_FIN;
428 	}
429 
430 #ifdef TCP_RFC7413
431 	/*
432 	 * When retransmitting SYN|ACK on a passively-created TFO socket,
433 	 * don't include data, as the presence of data may have caused the
434 	 * original SYN|ACK to have been dropped by a middlebox.
435 	 */
436 	if ((tp->t_flags & TF_FASTOPEN) &&
437 	    (((tp->t_state == TCPS_SYN_RECEIVED) && (tp->t_rxtshift > 0)) ||
438 	     (flags & TH_RST)))
439 		len = 0;
440 #endif
441 	if (len <= 0) {
442 		/*
443 		 * If FIN has been sent but not acked,
444 		 * but we haven't been called to retransmit,
445 		 * len will be < 0.  Otherwise, window shrank
446 		 * after we sent into it.  If window shrank to 0,
447 		 * cancel pending retransmit, pull snd_nxt back
448 		 * to (closed) window, and set the persist timer
449 		 * if it isn't already going.  If the window didn't
450 		 * close completely, just wait for an ACK.
451 		 *
452 		 * We also do a general check here to ensure that
453 		 * we will set the persist timer when we have data
454 		 * to send, but a 0-byte window. This makes sure
455 		 * the persist timer is set even if the packet
456 		 * hits one of the "goto send" lines below.
457 		 */
458 		len = 0;
459 		if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
460 			(off < (int) sbavail(&so->so_snd))) {
461 			tcp_timer_activate(tp, TT_REXMT, 0);
462 			tp->t_rxtshift = 0;
463 			tp->snd_nxt = tp->snd_una;
464 			if (!tcp_timer_active(tp, TT_PERSIST))
465 				tcp_setpersist(tp);
466 		}
467 	}
468 
469 	/* len will be >= 0 after this point. */
470 	KASSERT(len >= 0, ("[%s:%d]: len < 0", __func__, __LINE__));
471 
472 	/*
473 	 * Automatic sizing of send socket buffer.  Often the send buffer
474 	 * size is not optimally adjusted to the actual network conditions
475 	 * at hand (delay bandwidth product).  Setting the buffer size too
476 	 * small limits throughput on links with high bandwidth and high
477 	 * delay (eg. trans-continental/oceanic links).  Setting the
478 	 * buffer size too big consumes too much real kernel memory,
479 	 * especially with many connections on busy servers.
480 	 *
481 	 * The criteria to step up the send buffer one notch are:
482 	 *  1. receive window of remote host is larger than send buffer
483 	 *     (with a fudge factor of 5/4th);
484 	 *  2. send buffer is filled to 7/8th with data (so we actually
485 	 *     have data to make use of it);
486 	 *  3. send buffer fill has not hit maximal automatic size;
487 	 *  4. our send window (slow start and cogestion controlled) is
488 	 *     larger than sent but unacknowledged data in send buffer.
489 	 *
490 	 * The remote host receive window scaling factor may limit the
491 	 * growing of the send buffer before it reaches its allowed
492 	 * maximum.
493 	 *
494 	 * It scales directly with slow start or congestion window
495 	 * and does at most one step per received ACK.  This fast
496 	 * scaling has the drawback of growing the send buffer beyond
497 	 * what is strictly necessary to make full use of a given
498 	 * delay*bandwith product.  However testing has shown this not
499 	 * to be much of an problem.  At worst we are trading wasting
500 	 * of available bandwith (the non-use of it) for wasting some
501 	 * socket buffer memory.
502 	 *
503 	 * TODO: Shrink send buffer during idle periods together
504 	 * with congestion window.  Requires another timer.  Has to
505 	 * wait for upcoming tcp timer rewrite.
506 	 *
507 	 * XXXGL: should there be used sbused() or sbavail()?
508 	 */
509 	if (V_tcp_do_autosndbuf && so->so_snd.sb_flags & SB_AUTOSIZE) {
510 		if ((tp->snd_wnd / 4 * 5) >= so->so_snd.sb_hiwat &&
511 		    sbused(&so->so_snd) >= (so->so_snd.sb_hiwat / 8 * 7) &&
512 		    sbused(&so->so_snd) < V_tcp_autosndbuf_max &&
513 		    sendwin >= (sbused(&so->so_snd) -
514 		    (tp->snd_nxt - tp->snd_una))) {
515 			if (!sbreserve_locked(&so->so_snd,
516 			    min(so->so_snd.sb_hiwat + V_tcp_autosndbuf_inc,
517 			     V_tcp_autosndbuf_max), so, curthread))
518 				so->so_snd.sb_flags &= ~SB_AUTOSIZE;
519 		}
520 	}
521 
522 	/*
523 	 * Decide if we can use TCP Segmentation Offloading (if supported by
524 	 * hardware).
525 	 *
526 	 * TSO may only be used if we are in a pure bulk sending state.  The
527 	 * presence of TCP-MD5, SACK retransmits, SACK advertizements and
528 	 * IP options prevent using TSO.  With TSO the TCP header is the same
529 	 * (except for the sequence number) for all generated packets.  This
530 	 * makes it impossible to transmit any options which vary per generated
531 	 * segment or packet.
532 	 */
533 #ifdef IPSEC
534 	/*
535 	 * Pre-calculate here as we save another lookup into the darknesses
536 	 * of IPsec that way and can actually decide if TSO is ok.
537 	 */
538 	ipsec_optlen = ipsec_hdrsiz_tcp(tp);
539 #endif
540 	if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg &&
541 	    ((tp->t_flags & TF_SIGNATURE) == 0) &&
542 	    tp->rcv_numsacks == 0 && sack_rxmit == 0 &&
543 #ifdef IPSEC
544 	    ipsec_optlen == 0 &&
545 #endif
546 	    tp->t_inpcb->inp_options == NULL &&
547 	    tp->t_inpcb->in6p_options == NULL)
548 		tso = 1;
549 
550 	if (sack_rxmit) {
551 		if (SEQ_LT(p->rxmit + len, tp->snd_una + sbused(&so->so_snd)))
552 			flags &= ~TH_FIN;
553 	} else {
554 		if (SEQ_LT(tp->snd_nxt + len, tp->snd_una +
555 		    sbused(&so->so_snd)))
556 			flags &= ~TH_FIN;
557 	}
558 
559 	recwin = sbspace(&so->so_rcv);
560 
561 	/*
562 	 * Sender silly window avoidance.   We transmit under the following
563 	 * conditions when len is non-zero:
564 	 *
565 	 *	- We have a full segment (or more with TSO)
566 	 *	- This is the last buffer in a write()/send() and we are
567 	 *	  either idle or running NODELAY
568 	 *	- we've timed out (e.g. persist timer)
569 	 *	- we have more then 1/2 the maximum send window's worth of
570 	 *	  data (receiver may be limited the window size)
571 	 *	- we need to retransmit
572 	 */
573 	if (len) {
574 		if (len >= tp->t_maxseg)
575 			goto send;
576 		/*
577 		 * NOTE! on localhost connections an 'ack' from the remote
578 		 * end may occur synchronously with the output and cause
579 		 * us to flush a buffer queued with moretocome.  XXX
580 		 *
581 		 * note: the len + off check is almost certainly unnecessary.
582 		 */
583 		if (!(tp->t_flags & TF_MORETOCOME) &&	/* normal case */
584 		    (idle || (tp->t_flags & TF_NODELAY)) &&
585 		    len + off >= sbavail(&so->so_snd) &&
586 		    (tp->t_flags & TF_NOPUSH) == 0) {
587 			goto send;
588 		}
589 		if (tp->t_flags & TF_FORCEDATA)		/* typ. timeout case */
590 			goto send;
591 		if (len >= tp->max_sndwnd / 2 && tp->max_sndwnd > 0)
592 			goto send;
593 		if (SEQ_LT(tp->snd_nxt, tp->snd_max))	/* retransmit case */
594 			goto send;
595 		if (sack_rxmit)
596 			goto send;
597 	}
598 
599 	/*
600 	 * Sending of standalone window updates.
601 	 *
602 	 * Window updates are important when we close our window due to a
603 	 * full socket buffer and are opening it again after the application
604 	 * reads data from it.  Once the window has opened again and the
605 	 * remote end starts to send again the ACK clock takes over and
606 	 * provides the most current window information.
607 	 *
608 	 * We must avoid the silly window syndrome whereas every read
609 	 * from the receive buffer, no matter how small, causes a window
610 	 * update to be sent.  We also should avoid sending a flurry of
611 	 * window updates when the socket buffer had queued a lot of data
612 	 * and the application is doing small reads.
613 	 *
614 	 * Prevent a flurry of pointless window updates by only sending
615 	 * an update when we can increase the advertized window by more
616 	 * than 1/4th of the socket buffer capacity.  When the buffer is
617 	 * getting full or is very small be more aggressive and send an
618 	 * update whenever we can increase by two mss sized segments.
619 	 * In all other situations the ACK's to new incoming data will
620 	 * carry further window increases.
621 	 *
622 	 * Don't send an independent window update if a delayed
623 	 * ACK is pending (it will get piggy-backed on it) or the
624 	 * remote side already has done a half-close and won't send
625 	 * more data.  Skip this if the connection is in T/TCP
626 	 * half-open state.
627 	 */
628 	if (recwin > 0 && !(tp->t_flags & TF_NEEDSYN) &&
629 	    !(tp->t_flags & TF_DELACK) &&
630 	    !TCPS_HAVERCVDFIN(tp->t_state)) {
631 		/*
632 		 * "adv" is the amount we could increase the window,
633 		 * taking into account that we are limited by
634 		 * TCP_MAXWIN << tp->rcv_scale.
635 		 */
636 		long adv;
637 		int oldwin;
638 
639 		adv = min(recwin, (long)TCP_MAXWIN << tp->rcv_scale);
640 		if (SEQ_GT(tp->rcv_adv, tp->rcv_nxt)) {
641 			oldwin = (tp->rcv_adv - tp->rcv_nxt);
642 			adv -= oldwin;
643 		} else
644 			oldwin = 0;
645 
646 		/*
647 		 * If the new window size ends up being the same as the old
648 		 * size when it is scaled, then don't force a window update.
649 		 */
650 		if (oldwin >> tp->rcv_scale == (adv + oldwin) >> tp->rcv_scale)
651 			goto dontupdate;
652 
653 		if (adv >= (long)(2 * tp->t_maxseg) &&
654 		    (adv >= (long)(so->so_rcv.sb_hiwat / 4) ||
655 		     recwin <= (long)(so->so_rcv.sb_hiwat / 8) ||
656 		     so->so_rcv.sb_hiwat <= 8 * tp->t_maxseg))
657 			goto send;
658 	}
659 dontupdate:
660 
661 	/*
662 	 * Send if we owe the peer an ACK, RST, SYN, or urgent data.  ACKNOW
663 	 * is also a catch-all for the retransmit timer timeout case.
664 	 */
665 	if (tp->t_flags & TF_ACKNOW)
666 		goto send;
667 	if ((flags & TH_RST) ||
668 	    ((flags & TH_SYN) && (tp->t_flags & TF_NEEDSYN) == 0))
669 		goto send;
670 	if (SEQ_GT(tp->snd_up, tp->snd_una))
671 		goto send;
672 	/*
673 	 * If our state indicates that FIN should be sent
674 	 * and we have not yet done so, then we need to send.
675 	 */
676 	if (flags & TH_FIN &&
677 	    ((tp->t_flags & TF_SENTFIN) == 0 || tp->snd_nxt == tp->snd_una))
678 		goto send;
679 	/*
680 	 * In SACK, it is possible for tcp_output to fail to send a segment
681 	 * after the retransmission timer has been turned off.  Make sure
682 	 * that the retransmission timer is set.
683 	 */
684 	if ((tp->t_flags & TF_SACK_PERMIT) &&
685 	    SEQ_GT(tp->snd_max, tp->snd_una) &&
686 	    !tcp_timer_active(tp, TT_REXMT) &&
687 	    !tcp_timer_active(tp, TT_PERSIST)) {
688 		tcp_timer_activate(tp, TT_REXMT, tp->t_rxtcur);
689 		goto just_return;
690 	}
691 	/*
692 	 * TCP window updates are not reliable, rather a polling protocol
693 	 * using ``persist'' packets is used to insure receipt of window
694 	 * updates.  The three ``states'' for the output side are:
695 	 *	idle			not doing retransmits or persists
696 	 *	persisting		to move a small or zero window
697 	 *	(re)transmitting	and thereby not persisting
698 	 *
699 	 * tcp_timer_active(tp, TT_PERSIST)
700 	 *	is true when we are in persist state.
701 	 * (tp->t_flags & TF_FORCEDATA)
702 	 *	is set when we are called to send a persist packet.
703 	 * tcp_timer_active(tp, TT_REXMT)
704 	 *	is set when we are retransmitting
705 	 * The output side is idle when both timers are zero.
706 	 *
707 	 * If send window is too small, there is data to transmit, and no
708 	 * retransmit or persist is pending, then go to persist state.
709 	 * If nothing happens soon, send when timer expires:
710 	 * if window is nonzero, transmit what we can,
711 	 * otherwise force out a byte.
712 	 */
713 	if (sbavail(&so->so_snd) && !tcp_timer_active(tp, TT_REXMT) &&
714 	    !tcp_timer_active(tp, TT_PERSIST)) {
715 		tp->t_rxtshift = 0;
716 		tcp_setpersist(tp);
717 	}
718 
719 	/*
720 	 * No reason to send a segment, just return.
721 	 */
722 just_return:
723 	SOCKBUF_UNLOCK(&so->so_snd);
724 	return (0);
725 
726 send:
727 	SOCKBUF_LOCK_ASSERT(&so->so_snd);
728 	if (len > 0) {
729 		if (len >= tp->t_maxseg)
730 			tp->t_flags2 |= TF2_PLPMTU_MAXSEGSNT;
731 		else
732 			tp->t_flags2 &= ~TF2_PLPMTU_MAXSEGSNT;
733 	}
734 	/*
735 	 * Before ESTABLISHED, force sending of initial options
736 	 * unless TCP set not to do any options.
737 	 * NOTE: we assume that the IP/TCP header plus TCP options
738 	 * always fit in a single mbuf, leaving room for a maximum
739 	 * link header, i.e.
740 	 *	max_linkhdr + sizeof (struct tcpiphdr) + optlen <= MCLBYTES
741 	 */
742 	optlen = 0;
743 #ifdef INET6
744 	if (isipv6)
745 		hdrlen = sizeof (struct ip6_hdr) + sizeof (struct tcphdr);
746 	else
747 #endif
748 		hdrlen = sizeof (struct tcpiphdr);
749 
750 	/*
751 	 * Compute options for segment.
752 	 * We only have to care about SYN and established connection
753 	 * segments.  Options for SYN-ACK segments are handled in TCP
754 	 * syncache.
755 	 */
756 	to.to_flags = 0;
757 	if ((tp->t_flags & TF_NOOPT) == 0) {
758 		/* Maximum segment size. */
759 		if (flags & TH_SYN) {
760 			tp->snd_nxt = tp->iss;
761 			to.to_mss = tcp_mssopt(&tp->t_inpcb->inp_inc);
762 			to.to_flags |= TOF_MSS;
763 #ifdef TCP_RFC7413
764 			/*
765 			 * Only include the TFO option on the first
766 			 * transmission of the SYN|ACK on a
767 			 * passively-created TFO socket, as the presence of
768 			 * the TFO option may have caused the original
769 			 * SYN|ACK to have been dropped by a middlebox.
770 			 */
771 			if ((tp->t_flags & TF_FASTOPEN) &&
772 			    (tp->t_state == TCPS_SYN_RECEIVED) &&
773 			    (tp->t_rxtshift == 0)) {
774 				to.to_tfo_len = TCP_FASTOPEN_COOKIE_LEN;
775 				to.to_tfo_cookie = (u_char *)&tp->t_tfo_cookie;
776 				to.to_flags |= TOF_FASTOPEN;
777 			}
778 #endif
779 		}
780 		/* Window scaling. */
781 		if ((flags & TH_SYN) && (tp->t_flags & TF_REQ_SCALE)) {
782 			to.to_wscale = tp->request_r_scale;
783 			to.to_flags |= TOF_SCALE;
784 		}
785 		/* Timestamps. */
786 		if ((tp->t_flags & TF_RCVD_TSTMP) ||
787 		    ((flags & TH_SYN) && (tp->t_flags & TF_REQ_TSTMP))) {
788 			to.to_tsval = tcp_ts_getticks() + tp->ts_offset;
789 			to.to_tsecr = tp->ts_recent;
790 			to.to_flags |= TOF_TS;
791 			/* Set receive buffer autosizing timestamp. */
792 			if (tp->rfbuf_ts == 0 &&
793 			    (so->so_rcv.sb_flags & SB_AUTOSIZE))
794 				tp->rfbuf_ts = tcp_ts_getticks();
795 		}
796 		/* Selective ACK's. */
797 		if (tp->t_flags & TF_SACK_PERMIT) {
798 			if (flags & TH_SYN)
799 				to.to_flags |= TOF_SACKPERM;
800 			else if (TCPS_HAVEESTABLISHED(tp->t_state) &&
801 			    (tp->t_flags & TF_SACK_PERMIT) &&
802 			    tp->rcv_numsacks > 0) {
803 				to.to_flags |= TOF_SACK;
804 				to.to_nsacks = tp->rcv_numsacks;
805 				to.to_sacks = (u_char *)tp->sackblks;
806 			}
807 		}
808 #ifdef TCP_SIGNATURE
809 		/* TCP-MD5 (RFC2385). */
810 		if (tp->t_flags & TF_SIGNATURE)
811 			to.to_flags |= TOF_SIGNATURE;
812 #endif /* TCP_SIGNATURE */
813 
814 		/* Processing the options. */
815 		hdrlen += optlen = tcp_addoptions(&to, opt);
816 	}
817 
818 #ifdef INET6
819 	if (isipv6)
820 		ipoptlen = ip6_optlen(tp->t_inpcb);
821 	else
822 #endif
823 	if (tp->t_inpcb->inp_options)
824 		ipoptlen = tp->t_inpcb->inp_options->m_len -
825 				offsetof(struct ipoption, ipopt_list);
826 	else
827 		ipoptlen = 0;
828 #ifdef IPSEC
829 	ipoptlen += ipsec_optlen;
830 #endif
831 
832 	/*
833 	 * Adjust data length if insertion of options will
834 	 * bump the packet length beyond the t_maxseg length.
835 	 * Clear the FIN bit because we cut off the tail of
836 	 * the segment.
837 	 */
838 	if (len + optlen + ipoptlen > tp->t_maxseg) {
839 		flags &= ~TH_FIN;
840 
841 		if (tso) {
842 			u_int if_hw_tsomax;
843 			u_int if_hw_tsomaxsegcount;
844 			u_int if_hw_tsomaxsegsize;
845 			struct mbuf *mb;
846 			u_int moff;
847 			int max_len;
848 
849 			/* extract TSO information */
850 			if_hw_tsomax = tp->t_tsomax;
851 			if_hw_tsomaxsegcount = tp->t_tsomaxsegcount;
852 			if_hw_tsomaxsegsize = tp->t_tsomaxsegsize;
853 
854 			/*
855 			 * Limit a TSO burst to prevent it from
856 			 * overflowing or exceeding the maximum length
857 			 * allowed by the network interface:
858 			 */
859 			KASSERT(ipoptlen == 0,
860 			    ("%s: TSO can't do IP options", __func__));
861 
862 			/*
863 			 * Check if we should limit by maximum payload
864 			 * length:
865 			 */
866 			if (if_hw_tsomax != 0) {
867 				/* compute maximum TSO length */
868 				max_len = (if_hw_tsomax - hdrlen -
869 				    max_linkhdr);
870 				if (max_len <= 0) {
871 					len = 0;
872 				} else if (len > max_len) {
873 					sendalot = 1;
874 					len = max_len;
875 				}
876 			}
877 
878 			/*
879 			 * Check if we should limit by maximum segment
880 			 * size and count:
881 			 */
882 			if (if_hw_tsomaxsegcount != 0 &&
883 			    if_hw_tsomaxsegsize != 0) {
884 				/*
885 				 * Subtract one segment for the LINK
886 				 * and TCP/IP headers mbuf that will
887 				 * be prepended to this mbuf chain
888 				 * after the code in this section
889 				 * limits the number of mbufs in the
890 				 * chain to if_hw_tsomaxsegcount.
891 				 */
892 				if_hw_tsomaxsegcount -= 1;
893 				max_len = 0;
894 				mb = sbsndmbuf(&so->so_snd, off, &moff);
895 
896 				while (mb != NULL && max_len < len) {
897 					u_int mlen;
898 					u_int frags;
899 
900 					/*
901 					 * Get length of mbuf fragment
902 					 * and how many hardware frags,
903 					 * rounded up, it would use:
904 					 */
905 					mlen = (mb->m_len - moff);
906 					frags = howmany(mlen,
907 					    if_hw_tsomaxsegsize);
908 
909 					/* Handle special case: Zero Length Mbuf */
910 					if (frags == 0)
911 						frags = 1;
912 
913 					/*
914 					 * Check if the fragment limit
915 					 * will be reached or exceeded:
916 					 */
917 					if (frags >= if_hw_tsomaxsegcount) {
918 						max_len += min(mlen,
919 						    if_hw_tsomaxsegcount *
920 						    if_hw_tsomaxsegsize);
921 						break;
922 					}
923 					max_len += mlen;
924 					if_hw_tsomaxsegcount -= frags;
925 					moff = 0;
926 					mb = mb->m_next;
927 				}
928 				if (max_len <= 0) {
929 					len = 0;
930 				} else if (len > max_len) {
931 					sendalot = 1;
932 					len = max_len;
933 				}
934 			}
935 
936 			/*
937 			 * Prevent the last segment from being
938 			 * fractional unless the send sockbuf can be
939 			 * emptied:
940 			 */
941 			max_len = (tp->t_maxseg - optlen);
942 			if ((off + len) < sbavail(&so->so_snd)) {
943 				moff = len % max_len;
944 				if (moff != 0) {
945 					len -= moff;
946 					sendalot = 1;
947 				}
948 			}
949 
950 			/*
951 			 * In case there are too many small fragments
952 			 * don't use TSO:
953 			 */
954 			if (len <= max_len) {
955 				len = max_len;
956 				sendalot = 1;
957 				tso = 0;
958 			}
959 
960 			/*
961 			 * Send the FIN in a separate segment
962 			 * after the bulk sending is done.
963 			 * We don't trust the TSO implementations
964 			 * to clear the FIN flag on all but the
965 			 * last segment.
966 			 */
967 			if (tp->t_flags & TF_NEEDFIN)
968 				sendalot = 1;
969 
970 		} else {
971 			len = tp->t_maxseg - optlen - ipoptlen;
972 			sendalot = 1;
973 		}
974 	} else
975 		tso = 0;
976 
977 	KASSERT(len + hdrlen + ipoptlen <= IP_MAXPACKET,
978 	    ("%s: len > IP_MAXPACKET", __func__));
979 
980 /*#ifdef DIAGNOSTIC*/
981 #ifdef INET6
982 	if (max_linkhdr + hdrlen > MCLBYTES)
983 #else
984 	if (max_linkhdr + hdrlen > MHLEN)
985 #endif
986 		panic("tcphdr too big");
987 /*#endif*/
988 
989 	/*
990 	 * This KASSERT is here to catch edge cases at a well defined place.
991 	 * Before, those had triggered (random) panic conditions further down.
992 	 */
993 	KASSERT(len >= 0, ("[%s:%d]: len < 0", __func__, __LINE__));
994 
995 	/*
996 	 * Grab a header mbuf, attaching a copy of data to
997 	 * be transmitted, and initialize the header from
998 	 * the template for sends on this connection.
999 	 */
1000 	if (len) {
1001 		struct mbuf *mb;
1002 		u_int moff;
1003 
1004 		if ((tp->t_flags & TF_FORCEDATA) && len == 1)
1005 			TCPSTAT_INC(tcps_sndprobe);
1006 		else if (SEQ_LT(tp->snd_nxt, tp->snd_max) || sack_rxmit) {
1007 			tp->t_sndrexmitpack++;
1008 			TCPSTAT_INC(tcps_sndrexmitpack);
1009 			TCPSTAT_ADD(tcps_sndrexmitbyte, len);
1010 		} else {
1011 			TCPSTAT_INC(tcps_sndpack);
1012 			TCPSTAT_ADD(tcps_sndbyte, len);
1013 		}
1014 #ifdef INET6
1015 		if (MHLEN < hdrlen + max_linkhdr)
1016 			m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
1017 		else
1018 #endif
1019 			m = m_gethdr(M_NOWAIT, MT_DATA);
1020 
1021 		if (m == NULL) {
1022 			SOCKBUF_UNLOCK(&so->so_snd);
1023 			error = ENOBUFS;
1024 			sack_rxmit = 0;
1025 			goto out;
1026 		}
1027 
1028 		m->m_data += max_linkhdr;
1029 		m->m_len = hdrlen;
1030 
1031 		/*
1032 		 * Start the m_copy functions from the closest mbuf
1033 		 * to the offset in the socket buffer chain.
1034 		 */
1035 		mb = sbsndptr(&so->so_snd, off, len, &moff);
1036 
1037 		if (len <= MHLEN - hdrlen - max_linkhdr) {
1038 			m_copydata(mb, moff, (int)len,
1039 			    mtod(m, caddr_t) + hdrlen);
1040 			m->m_len += len;
1041 		} else {
1042 			m->m_next = m_copy(mb, moff, (int)len);
1043 			if (m->m_next == NULL) {
1044 				SOCKBUF_UNLOCK(&so->so_snd);
1045 				(void) m_free(m);
1046 				error = ENOBUFS;
1047 				sack_rxmit = 0;
1048 				goto out;
1049 			}
1050 		}
1051 
1052 		/*
1053 		 * If we're sending everything we've got, set PUSH.
1054 		 * (This will keep happy those implementations which only
1055 		 * give data to the user when a buffer fills or
1056 		 * a PUSH comes in.)
1057 		 */
1058 		if ((off + len == sbused(&so->so_snd)) && !(flags & TH_SYN))
1059 			flags |= TH_PUSH;
1060 		SOCKBUF_UNLOCK(&so->so_snd);
1061 	} else {
1062 		SOCKBUF_UNLOCK(&so->so_snd);
1063 		if (tp->t_flags & TF_ACKNOW)
1064 			TCPSTAT_INC(tcps_sndacks);
1065 		else if (flags & (TH_SYN|TH_FIN|TH_RST))
1066 			TCPSTAT_INC(tcps_sndctrl);
1067 		else if (SEQ_GT(tp->snd_up, tp->snd_una))
1068 			TCPSTAT_INC(tcps_sndurg);
1069 		else
1070 			TCPSTAT_INC(tcps_sndwinup);
1071 
1072 		m = m_gethdr(M_NOWAIT, MT_DATA);
1073 		if (m == NULL) {
1074 			error = ENOBUFS;
1075 			sack_rxmit = 0;
1076 			goto out;
1077 		}
1078 #ifdef INET6
1079 		if (isipv6 && (MHLEN < hdrlen + max_linkhdr) &&
1080 		    MHLEN >= hdrlen) {
1081 			M_ALIGN(m, hdrlen);
1082 		} else
1083 #endif
1084 		m->m_data += max_linkhdr;
1085 		m->m_len = hdrlen;
1086 	}
1087 	SOCKBUF_UNLOCK_ASSERT(&so->so_snd);
1088 	m->m_pkthdr.rcvif = (struct ifnet *)0;
1089 #ifdef MAC
1090 	mac_inpcb_create_mbuf(tp->t_inpcb, m);
1091 #endif
1092 #ifdef INET6
1093 	if (isipv6) {
1094 		ip6 = mtod(m, struct ip6_hdr *);
1095 		th = (struct tcphdr *)(ip6 + 1);
1096 		tcpip_fillheaders(tp->t_inpcb, ip6, th);
1097 	} else
1098 #endif /* INET6 */
1099 	{
1100 		ip = mtod(m, struct ip *);
1101 		ipov = (struct ipovly *)ip;
1102 		th = (struct tcphdr *)(ip + 1);
1103 		tcpip_fillheaders(tp->t_inpcb, ip, th);
1104 	}
1105 
1106 	/*
1107 	 * Fill in fields, remembering maximum advertised
1108 	 * window for use in delaying messages about window sizes.
1109 	 * If resending a FIN, be sure not to use a new sequence number.
1110 	 */
1111 	if (flags & TH_FIN && tp->t_flags & TF_SENTFIN &&
1112 	    tp->snd_nxt == tp->snd_max)
1113 		tp->snd_nxt--;
1114 	/*
1115 	 * If we are starting a connection, send ECN setup
1116 	 * SYN packet. If we are on a retransmit, we may
1117 	 * resend those bits a number of times as per
1118 	 * RFC 3168.
1119 	 */
1120 	if (tp->t_state == TCPS_SYN_SENT && V_tcp_do_ecn) {
1121 		if (tp->t_rxtshift >= 1) {
1122 			if (tp->t_rxtshift <= V_tcp_ecn_maxretries)
1123 				flags |= TH_ECE|TH_CWR;
1124 		} else
1125 			flags |= TH_ECE|TH_CWR;
1126 	}
1127 
1128 	if (tp->t_state == TCPS_ESTABLISHED &&
1129 	    (tp->t_flags & TF_ECN_PERMIT)) {
1130 		/*
1131 		 * If the peer has ECN, mark data packets with
1132 		 * ECN capable transmission (ECT).
1133 		 * Ignore pure ack packets, retransmissions and window probes.
1134 		 */
1135 		if (len > 0 && SEQ_GEQ(tp->snd_nxt, tp->snd_max) &&
1136 		    !((tp->t_flags & TF_FORCEDATA) && len == 1)) {
1137 #ifdef INET6
1138 			if (isipv6)
1139 				ip6->ip6_flow |= htonl(IPTOS_ECN_ECT0 << 20);
1140 			else
1141 #endif
1142 				ip->ip_tos |= IPTOS_ECN_ECT0;
1143 			TCPSTAT_INC(tcps_ecn_ect0);
1144 		}
1145 
1146 		/*
1147 		 * Reply with proper ECN notifications.
1148 		 */
1149 		if (tp->t_flags & TF_ECN_SND_CWR) {
1150 			flags |= TH_CWR;
1151 			tp->t_flags &= ~TF_ECN_SND_CWR;
1152 		}
1153 		if (tp->t_flags & TF_ECN_SND_ECE)
1154 			flags |= TH_ECE;
1155 	}
1156 
1157 	/*
1158 	 * If we are doing retransmissions, then snd_nxt will
1159 	 * not reflect the first unsent octet.  For ACK only
1160 	 * packets, we do not want the sequence number of the
1161 	 * retransmitted packet, we want the sequence number
1162 	 * of the next unsent octet.  So, if there is no data
1163 	 * (and no SYN or FIN), use snd_max instead of snd_nxt
1164 	 * when filling in ti_seq.  But if we are in persist
1165 	 * state, snd_max might reflect one byte beyond the
1166 	 * right edge of the window, so use snd_nxt in that
1167 	 * case, since we know we aren't doing a retransmission.
1168 	 * (retransmit and persist are mutually exclusive...)
1169 	 */
1170 	if (sack_rxmit == 0) {
1171 		if (len || (flags & (TH_SYN|TH_FIN)) ||
1172 		    tcp_timer_active(tp, TT_PERSIST))
1173 			th->th_seq = htonl(tp->snd_nxt);
1174 		else
1175 			th->th_seq = htonl(tp->snd_max);
1176 	} else {
1177 		th->th_seq = htonl(p->rxmit);
1178 		p->rxmit += len;
1179 		tp->sackhint.sack_bytes_rexmit += len;
1180 	}
1181 	th->th_ack = htonl(tp->rcv_nxt);
1182 	if (optlen) {
1183 		bcopy(opt, th + 1, optlen);
1184 		th->th_off = (sizeof (struct tcphdr) + optlen) >> 2;
1185 	}
1186 	th->th_flags = flags;
1187 	/*
1188 	 * Calculate receive window.  Don't shrink window,
1189 	 * but avoid silly window syndrome.
1190 	 */
1191 	if (recwin < (long)(so->so_rcv.sb_hiwat / 4) &&
1192 	    recwin < (long)tp->t_maxseg)
1193 		recwin = 0;
1194 	if (SEQ_GT(tp->rcv_adv, tp->rcv_nxt) &&
1195 	    recwin < (long)(tp->rcv_adv - tp->rcv_nxt))
1196 		recwin = (long)(tp->rcv_adv - tp->rcv_nxt);
1197 	if (recwin > (long)TCP_MAXWIN << tp->rcv_scale)
1198 		recwin = (long)TCP_MAXWIN << tp->rcv_scale;
1199 
1200 	/*
1201 	 * According to RFC1323 the window field in a SYN (i.e., a <SYN>
1202 	 * or <SYN,ACK>) segment itself is never scaled.  The <SYN,ACK>
1203 	 * case is handled in syncache.
1204 	 */
1205 	if (flags & TH_SYN)
1206 		th->th_win = htons((u_short)
1207 				(min(sbspace(&so->so_rcv), TCP_MAXWIN)));
1208 	else
1209 		th->th_win = htons((u_short)(recwin >> tp->rcv_scale));
1210 
1211 	/*
1212 	 * Adjust the RXWIN0SENT flag - indicate that we have advertised
1213 	 * a 0 window.  This may cause the remote transmitter to stall.  This
1214 	 * flag tells soreceive() to disable delayed acknowledgements when
1215 	 * draining the buffer.  This can occur if the receiver is attempting
1216 	 * to read more data than can be buffered prior to transmitting on
1217 	 * the connection.
1218 	 */
1219 	if (th->th_win == 0) {
1220 		tp->t_sndzerowin++;
1221 		tp->t_flags |= TF_RXWIN0SENT;
1222 	} else
1223 		tp->t_flags &= ~TF_RXWIN0SENT;
1224 	if (SEQ_GT(tp->snd_up, tp->snd_nxt)) {
1225 		th->th_urp = htons((u_short)(tp->snd_up - tp->snd_nxt));
1226 		th->th_flags |= TH_URG;
1227 	} else
1228 		/*
1229 		 * If no urgent pointer to send, then we pull
1230 		 * the urgent pointer to the left edge of the send window
1231 		 * so that it doesn't drift into the send window on sequence
1232 		 * number wraparound.
1233 		 */
1234 		tp->snd_up = tp->snd_una;		/* drag it along */
1235 
1236 #ifdef TCP_SIGNATURE
1237 	if (to.to_flags & TOF_SIGNATURE) {
1238 		int sigoff = to.to_signature - opt;
1239 		tcp_signature_compute(m, 0, len, optlen,
1240 		    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
1241 	}
1242 #endif
1243 
1244 	/*
1245 	 * Put TCP length in extended header, and then
1246 	 * checksum extended header and data.
1247 	 */
1248 	m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */
1249 	m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
1250 #ifdef INET6
1251 	if (isipv6) {
1252 		/*
1253 		 * ip6_plen is not need to be filled now, and will be filled
1254 		 * in ip6_output.
1255 		 */
1256 		m->m_pkthdr.csum_flags = CSUM_TCP_IPV6;
1257 		th->th_sum = in6_cksum_pseudo(ip6, sizeof(struct tcphdr) +
1258 		    optlen + len, IPPROTO_TCP, 0);
1259 	}
1260 #endif
1261 #if defined(INET6) && defined(INET)
1262 	else
1263 #endif
1264 #ifdef INET
1265 	{
1266 		m->m_pkthdr.csum_flags = CSUM_TCP;
1267 		th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1268 		    htons(sizeof(struct tcphdr) + IPPROTO_TCP + len + optlen));
1269 
1270 		/* IP version must be set here for ipv4/ipv6 checking later */
1271 		KASSERT(ip->ip_v == IPVERSION,
1272 		    ("%s: IP version incorrect: %d", __func__, ip->ip_v));
1273 	}
1274 #endif
1275 
1276 	/*
1277 	 * Enable TSO and specify the size of the segments.
1278 	 * The TCP pseudo header checksum is always provided.
1279 	 */
1280 	if (tso) {
1281 		KASSERT(len > tp->t_maxseg - optlen,
1282 		    ("%s: len <= tso_segsz", __func__));
1283 		m->m_pkthdr.csum_flags |= CSUM_TSO;
1284 		m->m_pkthdr.tso_segsz = tp->t_maxseg - optlen;
1285 	}
1286 
1287 #ifdef IPSEC
1288 	KASSERT(len + hdrlen + ipoptlen - ipsec_optlen == m_length(m, NULL),
1289 	    ("%s: mbuf chain shorter than expected: %ld + %u + %u - %u != %u",
1290 	    __func__, len, hdrlen, ipoptlen, ipsec_optlen, m_length(m, NULL)));
1291 #else
1292 	KASSERT(len + hdrlen + ipoptlen == m_length(m, NULL),
1293 	    ("%s: mbuf chain shorter than expected: %ld + %u + %u != %u",
1294 	    __func__, len, hdrlen, ipoptlen, m_length(m, NULL)));
1295 #endif
1296 
1297 	/* Run HHOOK_TCP_ESTABLISHED_OUT helper hooks. */
1298 	hhook_run_tcp_est_out(tp, th, &to, len, tso);
1299 
1300 #ifdef TCPDEBUG
1301 	/*
1302 	 * Trace.
1303 	 */
1304 	if (so->so_options & SO_DEBUG) {
1305 		u_short save = 0;
1306 #ifdef INET6
1307 		if (!isipv6)
1308 #endif
1309 		{
1310 			save = ipov->ih_len;
1311 			ipov->ih_len = htons(m->m_pkthdr.len /* - hdrlen + (th->th_off << 2) */);
1312 		}
1313 		tcp_trace(TA_OUTPUT, tp->t_state, tp, mtod(m, void *), th, 0);
1314 #ifdef INET6
1315 		if (!isipv6)
1316 #endif
1317 		ipov->ih_len = save;
1318 	}
1319 #endif /* TCPDEBUG */
1320 	TCP_PROBE3(debug__input, tp, th, mtod(m, const char *));
1321 
1322 	/*
1323 	 * Fill in IP length and desired time to live and
1324 	 * send to IP level.  There should be a better way
1325 	 * to handle ttl and tos; we could keep them in
1326 	 * the template, but need a way to checksum without them.
1327 	 */
1328 	/*
1329 	 * m->m_pkthdr.len should have been set before checksum calculation,
1330 	 * because in6_cksum() need it.
1331 	 */
1332 #ifdef INET6
1333 	if (isipv6) {
1334 		struct route_in6 ro;
1335 
1336 		bzero(&ro, sizeof(ro));
1337 		/*
1338 		 * we separately set hoplimit for every segment, since the
1339 		 * user might want to change the value via setsockopt.
1340 		 * Also, desired default hop limit might be changed via
1341 		 * Neighbor Discovery.
1342 		 */
1343 		ip6->ip6_hlim = in6_selecthlim(tp->t_inpcb, NULL);
1344 
1345 		/*
1346 		 * Set the packet size here for the benefit of DTrace probes.
1347 		 * ip6_output() will set it properly; it's supposed to include
1348 		 * the option header lengths as well.
1349 		 */
1350 		ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
1351 
1352 		if (V_path_mtu_discovery && tp->t_maxseg > V_tcp_minmss)
1353 			tp->t_flags2 |= TF2_PLPMTU_PMTUD;
1354 		else
1355 			tp->t_flags2 &= ~TF2_PLPMTU_PMTUD;
1356 
1357 		if (tp->t_state == TCPS_SYN_SENT)
1358 			TCP_PROBE5(connect__request, NULL, tp, ip6, tp, th);
1359 
1360 		TCP_PROBE5(send, NULL, tp, ip6, tp, th);
1361 
1362 #ifdef TCPPCAP
1363 		/* Save packet, if requested. */
1364 		tcp_pcap_add(th, m, &(tp->t_outpkts));
1365 #endif
1366 
1367 		/* TODO: IPv6 IP6TOS_ECT bit on */
1368 		error = ip6_output(m, tp->t_inpcb->in6p_outputopts, &ro,
1369 		    ((so->so_options & SO_DONTROUTE) ?  IP_ROUTETOIF : 0),
1370 		    NULL, NULL, tp->t_inpcb);
1371 
1372 		if (error == EMSGSIZE && ro.ro_rt != NULL)
1373 			mtu = ro.ro_rt->rt_mtu;
1374 		RO_RTFREE(&ro);
1375 	}
1376 #endif /* INET6 */
1377 #if defined(INET) && defined(INET6)
1378 	else
1379 #endif
1380 #ifdef INET
1381     {
1382 	struct route ro;
1383 
1384 	bzero(&ro, sizeof(ro));
1385 	ip->ip_len = htons(m->m_pkthdr.len);
1386 #ifdef INET6
1387 	if (tp->t_inpcb->inp_vflag & INP_IPV6PROTO)
1388 		ip->ip_ttl = in6_selecthlim(tp->t_inpcb, NULL);
1389 #endif /* INET6 */
1390 	/*
1391 	 * If we do path MTU discovery, then we set DF on every packet.
1392 	 * This might not be the best thing to do according to RFC3390
1393 	 * Section 2. However the tcp hostcache migitates the problem
1394 	 * so it affects only the first tcp connection with a host.
1395 	 *
1396 	 * NB: Don't set DF on small MTU/MSS to have a safe fallback.
1397 	 */
1398 	if (V_path_mtu_discovery && tp->t_maxseg > V_tcp_minmss) {
1399 		ip->ip_off |= htons(IP_DF);
1400 		tp->t_flags2 |= TF2_PLPMTU_PMTUD;
1401 	} else {
1402 		tp->t_flags2 &= ~TF2_PLPMTU_PMTUD;
1403 	}
1404 
1405 	if (tp->t_state == TCPS_SYN_SENT)
1406 		TCP_PROBE5(connect__request, NULL, tp, ip, tp, th);
1407 
1408 	TCP_PROBE5(send, NULL, tp, ip, tp, th);
1409 
1410 #ifdef TCPPCAP
1411 	/* Save packet, if requested. */
1412 	tcp_pcap_add(th, m, &(tp->t_outpkts));
1413 #endif
1414 
1415 	error = ip_output(m, tp->t_inpcb->inp_options, &ro,
1416 	    ((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0), 0,
1417 	    tp->t_inpcb);
1418 
1419 	if (error == EMSGSIZE && ro.ro_rt != NULL)
1420 		mtu = ro.ro_rt->rt_mtu;
1421 	RO_RTFREE(&ro);
1422     }
1423 #endif /* INET */
1424 
1425 out:
1426 	/*
1427 	 * In transmit state, time the transmission and arrange for
1428 	 * the retransmit.  In persist state, just set snd_max.
1429 	 */
1430 	if ((tp->t_flags & TF_FORCEDATA) == 0 ||
1431 	    !tcp_timer_active(tp, TT_PERSIST)) {
1432 		tcp_seq startseq = tp->snd_nxt;
1433 
1434 		/*
1435 		 * Advance snd_nxt over sequence space of this segment.
1436 		 */
1437 		if (flags & (TH_SYN|TH_FIN)) {
1438 			if (flags & TH_SYN)
1439 				tp->snd_nxt++;
1440 			if (flags & TH_FIN) {
1441 				tp->snd_nxt++;
1442 				tp->t_flags |= TF_SENTFIN;
1443 			}
1444 		}
1445 		if (sack_rxmit)
1446 			goto timer;
1447 		tp->snd_nxt += len;
1448 		if (SEQ_GT(tp->snd_nxt, tp->snd_max)) {
1449 			tp->snd_max = tp->snd_nxt;
1450 			/*
1451 			 * Time this transmission if not a retransmission and
1452 			 * not currently timing anything.
1453 			 */
1454 			if (tp->t_rtttime == 0) {
1455 				tp->t_rtttime = ticks;
1456 				tp->t_rtseq = startseq;
1457 				TCPSTAT_INC(tcps_segstimed);
1458 			}
1459 		}
1460 
1461 		/*
1462 		 * Set retransmit timer if not currently set,
1463 		 * and not doing a pure ack or a keep-alive probe.
1464 		 * Initial value for retransmit timer is smoothed
1465 		 * round-trip time + 2 * round-trip time variance.
1466 		 * Initialize shift counter which is used for backoff
1467 		 * of retransmit time.
1468 		 */
1469 timer:
1470 		if (!tcp_timer_active(tp, TT_REXMT) &&
1471 		    ((sack_rxmit && tp->snd_nxt != tp->snd_max) ||
1472 		     (tp->snd_nxt != tp->snd_una))) {
1473 			if (tcp_timer_active(tp, TT_PERSIST)) {
1474 				tcp_timer_activate(tp, TT_PERSIST, 0);
1475 				tp->t_rxtshift = 0;
1476 			}
1477 			tcp_timer_activate(tp, TT_REXMT, tp->t_rxtcur);
1478 		} else if (len == 0 && sbavail(&so->so_snd) &&
1479 		    !tcp_timer_active(tp, TT_REXMT) &&
1480 		    !tcp_timer_active(tp, TT_PERSIST)) {
1481 			/*
1482 			 * Avoid a situation where we do not set persist timer
1483 			 * after a zero window condition. For example:
1484 			 * 1) A -> B: packet with enough data to fill the window
1485 			 * 2) B -> A: ACK for #1 + new data (0 window
1486 			 *    advertisement)
1487 			 * 3) A -> B: ACK for #2, 0 len packet
1488 			 *
1489 			 * In this case, A will not activate the persist timer,
1490 			 * because it chose to send a packet. Unless tcp_output
1491 			 * is called for some other reason (delayed ack timer,
1492 			 * another input packet from B, socket syscall), A will
1493 			 * not send zero window probes.
1494 			 *
1495 			 * So, if you send a 0-length packet, but there is data
1496 			 * in the socket buffer, and neither the rexmt or
1497 			 * persist timer is already set, then activate the
1498 			 * persist timer.
1499 			 */
1500 			tp->t_rxtshift = 0;
1501 			tcp_setpersist(tp);
1502 		}
1503 	} else {
1504 		/*
1505 		 * Persist case, update snd_max but since we are in
1506 		 * persist mode (no window) we do not update snd_nxt.
1507 		 */
1508 		int xlen = len;
1509 		if (flags & TH_SYN)
1510 			++xlen;
1511 		if (flags & TH_FIN) {
1512 			++xlen;
1513 			tp->t_flags |= TF_SENTFIN;
1514 		}
1515 		if (SEQ_GT(tp->snd_nxt + xlen, tp->snd_max))
1516 			tp->snd_max = tp->snd_nxt + len;
1517 	}
1518 
1519 	if (error) {
1520 
1521 		/*
1522 		 * We know that the packet was lost, so back out the
1523 		 * sequence number advance, if any.
1524 		 *
1525 		 * If the error is EPERM the packet got blocked by the
1526 		 * local firewall.  Normally we should terminate the
1527 		 * connection but the blocking may have been spurious
1528 		 * due to a firewall reconfiguration cycle.  So we treat
1529 		 * it like a packet loss and let the retransmit timer and
1530 		 * timeouts do their work over time.
1531 		 * XXX: It is a POLA question whether calling tcp_drop right
1532 		 * away would be the really correct behavior instead.
1533 		 */
1534 		if (((tp->t_flags & TF_FORCEDATA) == 0 ||
1535 		    !tcp_timer_active(tp, TT_PERSIST)) &&
1536 		    ((flags & TH_SYN) == 0) &&
1537 		    (error != EPERM)) {
1538 			if (sack_rxmit) {
1539 				p->rxmit -= len;
1540 				tp->sackhint.sack_bytes_rexmit -= len;
1541 				KASSERT(tp->sackhint.sack_bytes_rexmit >= 0,
1542 				    ("sackhint bytes rtx >= 0"));
1543 			} else
1544 				tp->snd_nxt -= len;
1545 		}
1546 		SOCKBUF_UNLOCK_ASSERT(&so->so_snd);	/* Check gotos. */
1547 		switch (error) {
1548 		case EPERM:
1549 			tp->t_softerror = error;
1550 			return (error);
1551 		case ENOBUFS:
1552 	                if (!tcp_timer_active(tp, TT_REXMT) &&
1553 			    !tcp_timer_active(tp, TT_PERSIST))
1554 	                        tcp_timer_activate(tp, TT_REXMT, tp->t_rxtcur);
1555 			tp->snd_cwnd = tp->t_maxseg;
1556 			return (0);
1557 		case EMSGSIZE:
1558 			/*
1559 			 * For some reason the interface we used initially
1560 			 * to send segments changed to another or lowered
1561 			 * its MTU.
1562 			 * If TSO was active we either got an interface
1563 			 * without TSO capabilits or TSO was turned off.
1564 			 * If we obtained mtu from ip_output() then update
1565 			 * it and try again.
1566 			 */
1567 			if (tso)
1568 				tp->t_flags &= ~TF_TSO;
1569 			if (mtu != 0) {
1570 				tcp_mss_update(tp, -1, mtu, NULL, NULL);
1571 				goto again;
1572 			}
1573 			return (error);
1574 		case EHOSTDOWN:
1575 		case EHOSTUNREACH:
1576 		case ENETDOWN:
1577 		case ENETUNREACH:
1578 			if (TCPS_HAVERCVDSYN(tp->t_state)) {
1579 				tp->t_softerror = error;
1580 				return (0);
1581 			}
1582 			/* FALLTHROUGH */
1583 		default:
1584 			return (error);
1585 		}
1586 	}
1587 	TCPSTAT_INC(tcps_sndtotal);
1588 
1589 	/*
1590 	 * Data sent (as far as we can tell).
1591 	 * If this advertises a larger window than any other segment,
1592 	 * then remember the size of the advertised window.
1593 	 * Any pending ACK has now been sent.
1594 	 */
1595 	if (recwin >= 0 && SEQ_GT(tp->rcv_nxt + recwin, tp->rcv_adv))
1596 		tp->rcv_adv = tp->rcv_nxt + recwin;
1597 	tp->last_ack_sent = tp->rcv_nxt;
1598 	tp->t_flags &= ~(TF_ACKNOW | TF_DELACK);
1599 	if (tcp_timer_active(tp, TT_DELACK))
1600 		tcp_timer_activate(tp, TT_DELACK, 0);
1601 #if 0
1602 	/*
1603 	 * This completely breaks TCP if newreno is turned on.  What happens
1604 	 * is that if delayed-acks are turned on on the receiver, this code
1605 	 * on the transmitter effectively destroys the TCP window, forcing
1606 	 * it to four packets (1.5Kx4 = 6K window).
1607 	 */
1608 	if (sendalot && --maxburst)
1609 		goto again;
1610 #endif
1611 	if (sendalot)
1612 		goto again;
1613 	return (0);
1614 }
1615 
1616 void
1617 tcp_setpersist(struct tcpcb *tp)
1618 {
1619 	int t = ((tp->t_srtt >> 2) + tp->t_rttvar) >> 1;
1620 	int tt;
1621 
1622 	tp->t_flags &= ~TF_PREVVALID;
1623 	if (tcp_timer_active(tp, TT_REXMT))
1624 		panic("tcp_setpersist: retransmit pending");
1625 	/*
1626 	 * Start/restart persistance timer.
1627 	 */
1628 	TCPT_RANGESET(tt, t * tcp_backoff[tp->t_rxtshift],
1629 		      TCPTV_PERSMIN, TCPTV_PERSMAX);
1630 	tcp_timer_activate(tp, TT_PERSIST, tt);
1631 	if (tp->t_rxtshift < TCP_MAXRXTSHIFT)
1632 		tp->t_rxtshift++;
1633 }
1634 
1635 /*
1636  * Insert TCP options according to the supplied parameters to the place
1637  * optp in a consistent way.  Can handle unaligned destinations.
1638  *
1639  * The order of the option processing is crucial for optimal packing and
1640  * alignment for the scarce option space.
1641  *
1642  * The optimal order for a SYN/SYN-ACK segment is:
1643  *   MSS (4) + NOP (1) + Window scale (3) + SACK permitted (2) +
1644  *   Timestamp (10) + Signature (18) = 38 bytes out of a maximum of 40.
1645  *
1646  * The SACK options should be last.  SACK blocks consume 8*n+2 bytes.
1647  * So a full size SACK blocks option is 34 bytes (with 4 SACK blocks).
1648  * At minimum we need 10 bytes (to generate 1 SACK block).  If both
1649  * TCP Timestamps (12 bytes) and TCP Signatures (18 bytes) are present,
1650  * we only have 10 bytes for SACK options (40 - (12 + 18)).
1651  */
1652 int
1653 tcp_addoptions(struct tcpopt *to, u_char *optp)
1654 {
1655 	u_int mask, optlen = 0;
1656 
1657 	for (mask = 1; mask < TOF_MAXOPT; mask <<= 1) {
1658 		if ((to->to_flags & mask) != mask)
1659 			continue;
1660 		if (optlen == TCP_MAXOLEN)
1661 			break;
1662 		switch (to->to_flags & mask) {
1663 		case TOF_MSS:
1664 			while (optlen % 4) {
1665 				optlen += TCPOLEN_NOP;
1666 				*optp++ = TCPOPT_NOP;
1667 			}
1668 			if (TCP_MAXOLEN - optlen < TCPOLEN_MAXSEG)
1669 				continue;
1670 			optlen += TCPOLEN_MAXSEG;
1671 			*optp++ = TCPOPT_MAXSEG;
1672 			*optp++ = TCPOLEN_MAXSEG;
1673 			to->to_mss = htons(to->to_mss);
1674 			bcopy((u_char *)&to->to_mss, optp, sizeof(to->to_mss));
1675 			optp += sizeof(to->to_mss);
1676 			break;
1677 		case TOF_SCALE:
1678 			while (!optlen || optlen % 2 != 1) {
1679 				optlen += TCPOLEN_NOP;
1680 				*optp++ = TCPOPT_NOP;
1681 			}
1682 			if (TCP_MAXOLEN - optlen < TCPOLEN_WINDOW)
1683 				continue;
1684 			optlen += TCPOLEN_WINDOW;
1685 			*optp++ = TCPOPT_WINDOW;
1686 			*optp++ = TCPOLEN_WINDOW;
1687 			*optp++ = to->to_wscale;
1688 			break;
1689 		case TOF_SACKPERM:
1690 			while (optlen % 2) {
1691 				optlen += TCPOLEN_NOP;
1692 				*optp++ = TCPOPT_NOP;
1693 			}
1694 			if (TCP_MAXOLEN - optlen < TCPOLEN_SACK_PERMITTED)
1695 				continue;
1696 			optlen += TCPOLEN_SACK_PERMITTED;
1697 			*optp++ = TCPOPT_SACK_PERMITTED;
1698 			*optp++ = TCPOLEN_SACK_PERMITTED;
1699 			break;
1700 		case TOF_TS:
1701 			while (!optlen || optlen % 4 != 2) {
1702 				optlen += TCPOLEN_NOP;
1703 				*optp++ = TCPOPT_NOP;
1704 			}
1705 			if (TCP_MAXOLEN - optlen < TCPOLEN_TIMESTAMP)
1706 				continue;
1707 			optlen += TCPOLEN_TIMESTAMP;
1708 			*optp++ = TCPOPT_TIMESTAMP;
1709 			*optp++ = TCPOLEN_TIMESTAMP;
1710 			to->to_tsval = htonl(to->to_tsval);
1711 			to->to_tsecr = htonl(to->to_tsecr);
1712 			bcopy((u_char *)&to->to_tsval, optp, sizeof(to->to_tsval));
1713 			optp += sizeof(to->to_tsval);
1714 			bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
1715 			optp += sizeof(to->to_tsecr);
1716 			break;
1717 #ifdef TCP_SIGNATURE
1718 		case TOF_SIGNATURE:
1719 			{
1720 			int siglen = TCPOLEN_SIGNATURE - 2;
1721 
1722 			while (!optlen || optlen % 4 != 2) {
1723 				optlen += TCPOLEN_NOP;
1724 				*optp++ = TCPOPT_NOP;
1725 			}
1726 			if (TCP_MAXOLEN - optlen < TCPOLEN_SIGNATURE)
1727 				continue;
1728 			optlen += TCPOLEN_SIGNATURE;
1729 			*optp++ = TCPOPT_SIGNATURE;
1730 			*optp++ = TCPOLEN_SIGNATURE;
1731 			to->to_signature = optp;
1732 			while (siglen--)
1733 				 *optp++ = 0;
1734 			break;
1735 			}
1736 #endif
1737 		case TOF_SACK:
1738 			{
1739 			int sackblks = 0;
1740 			struct sackblk *sack = (struct sackblk *)to->to_sacks;
1741 			tcp_seq sack_seq;
1742 
1743 			while (!optlen || optlen % 4 != 2) {
1744 				optlen += TCPOLEN_NOP;
1745 				*optp++ = TCPOPT_NOP;
1746 			}
1747 			if (TCP_MAXOLEN - optlen < TCPOLEN_SACKHDR + TCPOLEN_SACK)
1748 				continue;
1749 			optlen += TCPOLEN_SACKHDR;
1750 			*optp++ = TCPOPT_SACK;
1751 			sackblks = min(to->to_nsacks,
1752 					(TCP_MAXOLEN - optlen) / TCPOLEN_SACK);
1753 			*optp++ = TCPOLEN_SACKHDR + sackblks * TCPOLEN_SACK;
1754 			while (sackblks--) {
1755 				sack_seq = htonl(sack->start);
1756 				bcopy((u_char *)&sack_seq, optp, sizeof(sack_seq));
1757 				optp += sizeof(sack_seq);
1758 				sack_seq = htonl(sack->end);
1759 				bcopy((u_char *)&sack_seq, optp, sizeof(sack_seq));
1760 				optp += sizeof(sack_seq);
1761 				optlen += TCPOLEN_SACK;
1762 				sack++;
1763 			}
1764 			TCPSTAT_INC(tcps_sack_send_blocks);
1765 			break;
1766 			}
1767 #ifdef TCP_RFC7413
1768 		case TOF_FASTOPEN:
1769 			{
1770 			int total_len;
1771 
1772 			/* XXX is there any point to aligning this option? */
1773 			total_len = TCPOLEN_FAST_OPEN_EMPTY + to->to_tfo_len;
1774 			if (TCP_MAXOLEN - optlen < total_len)
1775 				continue;
1776 			*optp++ = TCPOPT_FAST_OPEN;
1777 			*optp++ = total_len;
1778 			if (to->to_tfo_len > 0) {
1779 				bcopy(to->to_tfo_cookie, optp, to->to_tfo_len);
1780 				optp += to->to_tfo_len;
1781 			}
1782 			optlen += total_len;
1783 			break;
1784 			}
1785 #endif
1786 		default:
1787 			panic("%s: unknown TCP option type", __func__);
1788 			break;
1789 		}
1790 	}
1791 
1792 	/* Terminate and pad TCP options to a 4 byte boundary. */
1793 	if (optlen % 4) {
1794 		optlen += TCPOLEN_EOL;
1795 		*optp++ = TCPOPT_EOL;
1796 	}
1797 	/*
1798 	 * According to RFC 793 (STD0007):
1799 	 *   "The content of the header beyond the End-of-Option option
1800 	 *    must be header padding (i.e., zero)."
1801 	 *   and later: "The padding is composed of zeros."
1802 	 */
1803 	while (optlen % 4) {
1804 		optlen += TCPOLEN_PAD;
1805 		*optp++ = TCPOPT_PAD;
1806 	}
1807 
1808 	KASSERT(optlen <= TCP_MAXOLEN, ("%s: TCP options too long", __func__));
1809 	return (optlen);
1810 }
1811