1 /* 2 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95 30 * $FreeBSD$ 31 */ 32 33 #include "opt_compat.h" 34 #include "opt_inet.h" 35 #include "opt_inet6.h" 36 #include "opt_ipsec.h" 37 #include "opt_mac.h" 38 #include "opt_tcpdebug.h" 39 #include "opt_tcp_sack.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/callout.h> 44 #include <sys/kernel.h> 45 #include <sys/sysctl.h> 46 #include <sys/mac.h> 47 #include <sys/malloc.h> 48 #include <sys/mbuf.h> 49 #ifdef INET6 50 #include <sys/domain.h> 51 #endif 52 #include <sys/proc.h> 53 #include <sys/socket.h> 54 #include <sys/socketvar.h> 55 #include <sys/protosw.h> 56 #include <sys/random.h> 57 58 #include <vm/uma.h> 59 60 #include <net/route.h> 61 #include <net/if.h> 62 63 #include <netinet/in.h> 64 #include <netinet/in_systm.h> 65 #include <netinet/ip.h> 66 #ifdef INET6 67 #include <netinet/ip6.h> 68 #endif 69 #include <netinet/in_pcb.h> 70 #ifdef INET6 71 #include <netinet6/in6_pcb.h> 72 #endif 73 #include <netinet/in_var.h> 74 #include <netinet/ip_var.h> 75 #ifdef INET6 76 #include <netinet6/ip6_var.h> 77 #include <netinet6/nd6.h> 78 #endif 79 #include <netinet/tcp.h> 80 #include <netinet/tcp_fsm.h> 81 #include <netinet/tcp_seq.h> 82 #include <netinet/tcp_timer.h> 83 #include <netinet/tcp_var.h> 84 #ifdef INET6 85 #include <netinet6/tcp6_var.h> 86 #endif 87 #include <netinet/tcpip.h> 88 #ifdef TCPDEBUG 89 #include <netinet/tcp_debug.h> 90 #endif 91 #include <netinet6/ip6protosw.h> 92 93 #ifdef IPSEC 94 #include <netinet6/ipsec.h> 95 #ifdef INET6 96 #include <netinet6/ipsec6.h> 97 #endif 98 #endif /*IPSEC*/ 99 100 #ifdef FAST_IPSEC 101 #include <netipsec/ipsec.h> 102 #include <netipsec/xform.h> 103 #ifdef INET6 104 #include <netipsec/ipsec6.h> 105 #endif 106 #include <netipsec/key.h> 107 #define IPSEC 108 #endif /*FAST_IPSEC*/ 109 110 #include <machine/in_cksum.h> 111 #include <sys/md5.h> 112 113 int tcp_mssdflt = TCP_MSS; 114 SYSCTL_INT(_net_inet_tcp, TCPCTL_MSSDFLT, mssdflt, CTLFLAG_RW, 115 &tcp_mssdflt , 0, "Default TCP Maximum Segment Size"); 116 117 #ifdef INET6 118 int tcp_v6mssdflt = TCP6_MSS; 119 SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt, 120 CTLFLAG_RW, &tcp_v6mssdflt , 0, 121 "Default TCP Maximum Segment Size for IPv6"); 122 #endif 123 124 /* 125 * Minimum MSS we accept and use. This prevents DoS attacks where 126 * we are forced to a ridiculous low MSS like 20 and send hundreds 127 * of packets instead of one. The effect scales with the available 128 * bandwidth and quickly saturates the CPU and network interface 129 * with packet generation and sending. Set to zero to disable MINMSS 130 * checking. This setting prevents us from sending too small packets. 131 */ 132 int tcp_minmss = TCP_MINMSS; 133 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW, 134 &tcp_minmss , 0, "Minmum TCP Maximum Segment Size"); 135 /* 136 * Number of TCP segments per second we accept from remote host 137 * before we start to calculate average segment size. If average 138 * segment size drops below the minimum TCP MSS we assume a DoS 139 * attack and reset+drop the connection. Care has to be taken not to 140 * set this value too small to not kill interactive type connections 141 * (telnet, SSH) which send many small packets. 142 */ 143 int tcp_minmssoverload = TCP_MINMSSOVERLOAD; 144 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW, 145 &tcp_minmssoverload , 0, "Number of TCP Segments per Second allowed to" 146 "be under the MINMSS Size"); 147 148 #if 0 149 static int tcp_rttdflt = TCPTV_SRTTDFLT / PR_SLOWHZ; 150 SYSCTL_INT(_net_inet_tcp, TCPCTL_RTTDFLT, rttdflt, CTLFLAG_RW, 151 &tcp_rttdflt , 0, "Default maximum TCP Round Trip Time"); 152 #endif 153 154 int tcp_do_rfc1323 = 1; 155 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW, 156 &tcp_do_rfc1323 , 0, "Enable rfc1323 (high performance TCP) extensions"); 157 158 static int tcp_tcbhashsize = 0; 159 SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcbhashsize, CTLFLAG_RDTUN, 160 &tcp_tcbhashsize, 0, "Size of TCP control-block hashtable"); 161 162 static int do_tcpdrain = 1; 163 SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0, 164 "Enable tcp_drain routine for extra help when low on mbufs"); 165 166 SYSCTL_INT(_net_inet_tcp, OID_AUTO, pcbcount, CTLFLAG_RD, 167 &tcbinfo.ipi_count, 0, "Number of active PCBs"); 168 169 static int icmp_may_rst = 1; 170 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0, 171 "Certain ICMP unreachable messages may abort connections in SYN_SENT"); 172 173 static int tcp_isn_reseed_interval = 0; 174 SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW, 175 &tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret"); 176 177 /* 178 * TCP bandwidth limiting sysctls. Note that the default lower bound of 179 * 1024 exists only for debugging. A good production default would be 180 * something like 6100. 181 */ 182 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0, 183 "TCP inflight data limiting"); 184 185 static int tcp_inflight_enable = 1; 186 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, enable, CTLFLAG_RW, 187 &tcp_inflight_enable, 0, "Enable automatic TCP inflight data limiting"); 188 189 static int tcp_inflight_debug = 0; 190 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW, 191 &tcp_inflight_debug, 0, "Debug TCP inflight calculations"); 192 193 static int tcp_inflight_min = 6144; 194 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, min, CTLFLAG_RW, 195 &tcp_inflight_min, 0, "Lower-bound for TCP inflight window"); 196 197 static int tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT; 198 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, max, CTLFLAG_RW, 199 &tcp_inflight_max, 0, "Upper-bound for TCP inflight window"); 200 201 static int tcp_inflight_stab = 20; 202 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, stab, CTLFLAG_RW, 203 &tcp_inflight_stab, 0, "Inflight Algorithm Stabilization 20 = 2 packets"); 204 205 uma_zone_t sack_hole_zone; 206 207 static struct inpcb *tcp_notify(struct inpcb *, int); 208 static void tcp_discardcb(struct tcpcb *); 209 static void tcp_isn_tick(void *); 210 211 /* 212 * Target size of TCP PCB hash tables. Must be a power of two. 213 * 214 * Note that this can be overridden by the kernel environment 215 * variable net.inet.tcp.tcbhashsize 216 */ 217 #ifndef TCBHASHSIZE 218 #define TCBHASHSIZE 512 219 #endif 220 221 /* 222 * XXX 223 * Callouts should be moved into struct tcp directly. They are currently 224 * separate because the tcpcb structure is exported to userland for sysctl 225 * parsing purposes, which do not know about callouts. 226 */ 227 struct tcpcb_mem { 228 struct tcpcb tcb; 229 struct callout tcpcb_mem_rexmt, tcpcb_mem_persist, tcpcb_mem_keep; 230 struct callout tcpcb_mem_2msl, tcpcb_mem_delack; 231 }; 232 233 static uma_zone_t tcpcb_zone; 234 static uma_zone_t tcptw_zone; 235 struct callout isn_callout; 236 237 /* 238 * Tcp initialization 239 */ 240 void 241 tcp_init() 242 { 243 int hashsize = TCBHASHSIZE; 244 245 tcp_delacktime = TCPTV_DELACK; 246 tcp_keepinit = TCPTV_KEEP_INIT; 247 tcp_keepidle = TCPTV_KEEP_IDLE; 248 tcp_keepintvl = TCPTV_KEEPINTVL; 249 tcp_maxpersistidle = TCPTV_KEEP_IDLE; 250 tcp_msl = TCPTV_MSL; 251 tcp_rexmit_min = TCPTV_MIN; 252 tcp_rexmit_slop = TCPTV_CPU_VAR; 253 254 INP_INFO_LOCK_INIT(&tcbinfo, "tcp"); 255 LIST_INIT(&tcb); 256 tcbinfo.listhead = &tcb; 257 TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize); 258 if (!powerof2(hashsize)) { 259 printf("WARNING: TCB hash size not a power of 2\n"); 260 hashsize = 512; /* safe default */ 261 } 262 tcp_tcbhashsize = hashsize; 263 tcbinfo.hashbase = hashinit(hashsize, M_PCB, &tcbinfo.hashmask); 264 tcbinfo.porthashbase = hashinit(hashsize, M_PCB, 265 &tcbinfo.porthashmask); 266 tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb), 267 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 268 uma_zone_set_max(tcbinfo.ipi_zone, maxsockets); 269 #ifdef INET6 270 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr)) 271 #else /* INET6 */ 272 #define TCP_MINPROTOHDR (sizeof(struct tcpiphdr)) 273 #endif /* INET6 */ 274 if (max_protohdr < TCP_MINPROTOHDR) 275 max_protohdr = TCP_MINPROTOHDR; 276 if (max_linkhdr + TCP_MINPROTOHDR > MHLEN) 277 panic("tcp_init"); 278 #undef TCP_MINPROTOHDR 279 /* 280 * These have to be type stable for the benefit of the timers. 281 */ 282 tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem), 283 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 284 uma_zone_set_max(tcpcb_zone, maxsockets); 285 tcptw_zone = uma_zcreate("tcptw", sizeof(struct tcptw), 286 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 287 uma_zone_set_max(tcptw_zone, maxsockets / 5); 288 tcp_timer_init(); 289 syncache_init(); 290 tcp_hc_init(); 291 tcp_reass_init(); 292 callout_init(&isn_callout, CALLOUT_MPSAFE); 293 tcp_isn_tick(NULL); 294 EVENTHANDLER_REGISTER(shutdown_pre_sync, tcp_fini, NULL, 295 SHUTDOWN_PRI_DEFAULT); 296 sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole), 297 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 298 } 299 300 void 301 tcp_fini(xtp) 302 void *xtp; 303 { 304 callout_stop(&isn_callout); 305 306 } 307 308 /* 309 * Fill in the IP and TCP headers for an outgoing packet, given the tcpcb. 310 * tcp_template used to store this data in mbufs, but we now recopy it out 311 * of the tcpcb each time to conserve mbufs. 312 */ 313 void 314 tcpip_fillheaders(inp, ip_ptr, tcp_ptr) 315 struct inpcb *inp; 316 void *ip_ptr; 317 void *tcp_ptr; 318 { 319 struct tcphdr *th = (struct tcphdr *)tcp_ptr; 320 321 #ifdef INET6 322 if ((inp->inp_vflag & INP_IPV6) != 0) { 323 struct ip6_hdr *ip6; 324 325 ip6 = (struct ip6_hdr *)ip_ptr; 326 ip6->ip6_flow = (ip6->ip6_flow & ~IPV6_FLOWINFO_MASK) | 327 (inp->in6p_flowinfo & IPV6_FLOWINFO_MASK); 328 ip6->ip6_vfc = (ip6->ip6_vfc & ~IPV6_VERSION_MASK) | 329 (IPV6_VERSION & IPV6_VERSION_MASK); 330 ip6->ip6_nxt = IPPROTO_TCP; 331 ip6->ip6_plen = sizeof(struct tcphdr); 332 ip6->ip6_src = inp->in6p_laddr; 333 ip6->ip6_dst = inp->in6p_faddr; 334 } else 335 #endif 336 { 337 struct ip *ip; 338 339 ip = (struct ip *)ip_ptr; 340 ip->ip_v = IPVERSION; 341 ip->ip_hl = 5; 342 ip->ip_tos = inp->inp_ip_tos; 343 ip->ip_len = 0; 344 ip->ip_id = 0; 345 ip->ip_off = 0; 346 ip->ip_ttl = inp->inp_ip_ttl; 347 ip->ip_sum = 0; 348 ip->ip_p = IPPROTO_TCP; 349 ip->ip_src = inp->inp_laddr; 350 ip->ip_dst = inp->inp_faddr; 351 } 352 th->th_sport = inp->inp_lport; 353 th->th_dport = inp->inp_fport; 354 th->th_seq = 0; 355 th->th_ack = 0; 356 th->th_x2 = 0; 357 th->th_off = 5; 358 th->th_flags = 0; 359 th->th_win = 0; 360 th->th_urp = 0; 361 th->th_sum = 0; /* in_pseudo() is called later for ipv4 */ 362 } 363 364 /* 365 * Create template to be used to send tcp packets on a connection. 366 * Allocates an mbuf and fills in a skeletal tcp/ip header. The only 367 * use for this function is in keepalives, which use tcp_respond. 368 */ 369 struct tcptemp * 370 tcpip_maketemplate(inp) 371 struct inpcb *inp; 372 { 373 struct mbuf *m; 374 struct tcptemp *n; 375 376 m = m_get(M_DONTWAIT, MT_HEADER); 377 if (m == NULL) 378 return (0); 379 m->m_len = sizeof(struct tcptemp); 380 n = mtod(m, struct tcptemp *); 381 382 tcpip_fillheaders(inp, (void *)&n->tt_ipgen, (void *)&n->tt_t); 383 return (n); 384 } 385 386 /* 387 * Send a single message to the TCP at address specified by 388 * the given TCP/IP header. If m == NULL, then we make a copy 389 * of the tcpiphdr at ti and send directly to the addressed host. 390 * This is used to force keep alive messages out using the TCP 391 * template for a connection. If flags are given then we send 392 * a message back to the TCP which originated the * segment ti, 393 * and discard the mbuf containing it and any other attached mbufs. 394 * 395 * In any case the ack and sequence number of the transmitted 396 * segment are as specified by the parameters. 397 * 398 * NOTE: If m != NULL, then ti must point to *inside* the mbuf. 399 */ 400 void 401 tcp_respond(tp, ipgen, th, m, ack, seq, flags) 402 struct tcpcb *tp; 403 void *ipgen; 404 register struct tcphdr *th; 405 register struct mbuf *m; 406 tcp_seq ack, seq; 407 int flags; 408 { 409 register int tlen; 410 int win = 0; 411 struct ip *ip; 412 struct tcphdr *nth; 413 #ifdef INET6 414 struct ip6_hdr *ip6; 415 int isipv6; 416 #endif /* INET6 */ 417 int ipflags = 0; 418 struct inpcb *inp; 419 420 KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL")); 421 422 #ifdef INET6 423 isipv6 = ((struct ip *)ipgen)->ip_v == 6; 424 ip6 = ipgen; 425 #endif /* INET6 */ 426 ip = ipgen; 427 428 if (tp != NULL) { 429 inp = tp->t_inpcb; 430 KASSERT(inp != NULL, ("tcp control block w/o inpcb")); 431 INP_INFO_WLOCK_ASSERT(&tcbinfo); 432 INP_LOCK_ASSERT(inp); 433 } else 434 inp = NULL; 435 436 if (tp != NULL) { 437 if (!(flags & TH_RST)) { 438 win = sbspace(&inp->inp_socket->so_rcv); 439 if (win > (long)TCP_MAXWIN << tp->rcv_scale) 440 win = (long)TCP_MAXWIN << tp->rcv_scale; 441 } 442 } 443 if (m == NULL) { 444 m = m_gethdr(M_DONTWAIT, MT_HEADER); 445 if (m == NULL) 446 return; 447 tlen = 0; 448 m->m_data += max_linkhdr; 449 #ifdef INET6 450 if (isipv6) { 451 bcopy((caddr_t)ip6, mtod(m, caddr_t), 452 sizeof(struct ip6_hdr)); 453 ip6 = mtod(m, struct ip6_hdr *); 454 nth = (struct tcphdr *)(ip6 + 1); 455 } else 456 #endif /* INET6 */ 457 { 458 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 459 ip = mtod(m, struct ip *); 460 nth = (struct tcphdr *)(ip + 1); 461 } 462 bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr)); 463 flags = TH_ACK; 464 } else { 465 m_freem(m->m_next); 466 m->m_next = NULL; 467 m->m_data = (caddr_t)ipgen; 468 /* m_len is set later */ 469 tlen = 0; 470 #define xchg(a,b,type) { type t; t=a; a=b; b=t; } 471 #ifdef INET6 472 if (isipv6) { 473 xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr); 474 nth = (struct tcphdr *)(ip6 + 1); 475 } else 476 #endif /* INET6 */ 477 { 478 xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, n_long); 479 nth = (struct tcphdr *)(ip + 1); 480 } 481 if (th != nth) { 482 /* 483 * this is usually a case when an extension header 484 * exists between the IPv6 header and the 485 * TCP header. 486 */ 487 nth->th_sport = th->th_sport; 488 nth->th_dport = th->th_dport; 489 } 490 xchg(nth->th_dport, nth->th_sport, n_short); 491 #undef xchg 492 } 493 #ifdef INET6 494 if (isipv6) { 495 ip6->ip6_flow = 0; 496 ip6->ip6_vfc = IPV6_VERSION; 497 ip6->ip6_nxt = IPPROTO_TCP; 498 ip6->ip6_plen = htons((u_short)(sizeof (struct tcphdr) + 499 tlen)); 500 tlen += sizeof (struct ip6_hdr) + sizeof (struct tcphdr); 501 } else 502 #endif 503 { 504 tlen += sizeof (struct tcpiphdr); 505 ip->ip_len = tlen; 506 ip->ip_ttl = ip_defttl; 507 if (path_mtu_discovery) 508 ip->ip_off |= IP_DF; 509 } 510 m->m_len = tlen; 511 m->m_pkthdr.len = tlen; 512 m->m_pkthdr.rcvif = NULL; 513 #ifdef MAC 514 if (inp != NULL) { 515 /* 516 * Packet is associated with a socket, so allow the 517 * label of the response to reflect the socket label. 518 */ 519 INP_LOCK_ASSERT(inp); 520 mac_create_mbuf_from_inpcb(inp, m); 521 } else { 522 /* 523 * Packet is not associated with a socket, so possibly 524 * update the label in place. 525 */ 526 mac_reflect_mbuf_tcp(m); 527 } 528 #endif 529 nth->th_seq = htonl(seq); 530 nth->th_ack = htonl(ack); 531 nth->th_x2 = 0; 532 nth->th_off = sizeof (struct tcphdr) >> 2; 533 nth->th_flags = flags; 534 if (tp != NULL) 535 nth->th_win = htons((u_short) (win >> tp->rcv_scale)); 536 else 537 nth->th_win = htons((u_short)win); 538 nth->th_urp = 0; 539 #ifdef INET6 540 if (isipv6) { 541 nth->th_sum = 0; 542 nth->th_sum = in6_cksum(m, IPPROTO_TCP, 543 sizeof(struct ip6_hdr), 544 tlen - sizeof(struct ip6_hdr)); 545 ip6->ip6_hlim = in6_selecthlim(tp != NULL ? tp->t_inpcb : 546 NULL, NULL); 547 } else 548 #endif /* INET6 */ 549 { 550 nth->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, 551 htons((u_short)(tlen - sizeof(struct ip) + ip->ip_p))); 552 m->m_pkthdr.csum_flags = CSUM_TCP; 553 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); 554 } 555 #ifdef TCPDEBUG 556 if (tp == NULL || (inp->inp_socket->so_options & SO_DEBUG)) 557 tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0); 558 #endif 559 #ifdef INET6 560 if (isipv6) 561 (void) ip6_output(m, NULL, NULL, ipflags, NULL, NULL, inp); 562 else 563 #endif /* INET6 */ 564 (void) ip_output(m, NULL, NULL, ipflags, NULL, inp); 565 } 566 567 /* 568 * Create a new TCP control block, making an 569 * empty reassembly queue and hooking it to the argument 570 * protocol control block. The `inp' parameter must have 571 * come from the zone allocator set up in tcp_init(). 572 */ 573 struct tcpcb * 574 tcp_newtcpcb(inp) 575 struct inpcb *inp; 576 { 577 struct tcpcb_mem *tm; 578 struct tcpcb *tp; 579 #ifdef INET6 580 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0; 581 #endif /* INET6 */ 582 int callout_flag; 583 584 tm = uma_zalloc(tcpcb_zone, M_NOWAIT | M_ZERO); 585 if (tm == NULL) 586 return (NULL); 587 tp = &tm->tcb; 588 /* LIST_INIT(&tp->t_segq); */ /* XXX covered by M_ZERO */ 589 tp->t_maxseg = tp->t_maxopd = 590 #ifdef INET6 591 isipv6 ? tcp_v6mssdflt : 592 #endif /* INET6 */ 593 tcp_mssdflt; 594 595 /* Set up our timeouts. */ 596 /* 597 * XXXRW: Are these actually MPSAFE? I think so, but need to 598 * review the timed wait code, as it has some list variables, 599 * etc, that are global. 600 */ 601 callout_flag = debug_mpsafenet ? CALLOUT_MPSAFE : 0; 602 callout_init(tp->tt_rexmt = &tm->tcpcb_mem_rexmt, callout_flag); 603 callout_init(tp->tt_persist = &tm->tcpcb_mem_persist, callout_flag); 604 callout_init(tp->tt_keep = &tm->tcpcb_mem_keep, callout_flag); 605 callout_init(tp->tt_2msl = &tm->tcpcb_mem_2msl, callout_flag); 606 callout_init(tp->tt_delack = &tm->tcpcb_mem_delack, callout_flag); 607 608 if (tcp_do_rfc1323) 609 tp->t_flags = (TF_REQ_SCALE|TF_REQ_TSTMP); 610 tp->sack_enable = tcp_do_sack; 611 tp->t_inpcb = inp; /* XXX */ 612 /* 613 * Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no 614 * rtt estimate. Set rttvar so that srtt + 4 * rttvar gives 615 * reasonable initial retransmit time. 616 */ 617 tp->t_srtt = TCPTV_SRTTBASE; 618 tp->t_rttvar = ((TCPTV_RTOBASE - TCPTV_SRTTBASE) << TCP_RTTVAR_SHIFT) / 4; 619 tp->t_rttmin = tcp_rexmit_min; 620 tp->t_rxtcur = TCPTV_RTOBASE; 621 tp->snd_cwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT; 622 tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT; 623 tp->snd_ssthresh = TCP_MAXWIN << TCP_MAX_WINSHIFT; 624 tp->t_rcvtime = ticks; 625 tp->t_bw_rtttime = ticks; 626 /* 627 * IPv4 TTL initialization is necessary for an IPv6 socket as well, 628 * because the socket may be bound to an IPv6 wildcard address, 629 * which may match an IPv4-mapped IPv6 address. 630 */ 631 inp->inp_ip_ttl = ip_defttl; 632 inp->inp_ppcb = (caddr_t)tp; 633 return (tp); /* XXX */ 634 } 635 636 /* 637 * Drop a TCP connection, reporting 638 * the specified error. If connection is synchronized, 639 * then send a RST to peer. 640 */ 641 struct tcpcb * 642 tcp_drop(tp, errno) 643 register struct tcpcb *tp; 644 int errno; 645 { 646 struct socket *so = tp->t_inpcb->inp_socket; 647 648 if (TCPS_HAVERCVDSYN(tp->t_state)) { 649 tp->t_state = TCPS_CLOSED; 650 (void) tcp_output(tp); 651 tcpstat.tcps_drops++; 652 } else 653 tcpstat.tcps_conndrops++; 654 if (errno == ETIMEDOUT && tp->t_softerror) 655 errno = tp->t_softerror; 656 so->so_error = errno; 657 return (tcp_close(tp)); 658 } 659 660 static void 661 tcp_discardcb(tp) 662 struct tcpcb *tp; 663 { 664 struct tseg_qent *q; 665 struct inpcb *inp = tp->t_inpcb; 666 struct socket *so = inp->inp_socket; 667 #ifdef INET6 668 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0; 669 #endif /* INET6 */ 670 671 /* 672 * Make sure that all of our timers are stopped before we 673 * delete the PCB. 674 */ 675 callout_stop(tp->tt_rexmt); 676 callout_stop(tp->tt_persist); 677 callout_stop(tp->tt_keep); 678 callout_stop(tp->tt_2msl); 679 callout_stop(tp->tt_delack); 680 681 /* 682 * If we got enough samples through the srtt filter, 683 * save the rtt and rttvar in the routing entry. 684 * 'Enough' is arbitrarily defined as 4 rtt samples. 685 * 4 samples is enough for the srtt filter to converge 686 * to within enough % of the correct value; fewer samples 687 * and we could save a bogus rtt. The danger is not high 688 * as tcp quickly recovers from everything. 689 * XXX: Works very well but needs some more statistics! 690 */ 691 if (tp->t_rttupdated >= 4) { 692 struct hc_metrics_lite metrics; 693 u_long ssthresh; 694 695 bzero(&metrics, sizeof(metrics)); 696 /* 697 * Update the ssthresh always when the conditions below 698 * are satisfied. This gives us better new start value 699 * for the congestion avoidance for new connections. 700 * ssthresh is only set if packet loss occured on a session. 701 */ 702 ssthresh = tp->snd_ssthresh; 703 if (ssthresh != 0 && ssthresh < so->so_snd.sb_hiwat / 2) { 704 /* 705 * convert the limit from user data bytes to 706 * packets then to packet data bytes. 707 */ 708 ssthresh = (ssthresh + tp->t_maxseg / 2) / tp->t_maxseg; 709 if (ssthresh < 2) 710 ssthresh = 2; 711 ssthresh *= (u_long)(tp->t_maxseg + 712 #ifdef INET6 713 (isipv6 ? sizeof (struct ip6_hdr) + 714 sizeof (struct tcphdr) : 715 #endif 716 sizeof (struct tcpiphdr) 717 #ifdef INET6 718 ) 719 #endif 720 ); 721 } else 722 ssthresh = 0; 723 metrics.rmx_ssthresh = ssthresh; 724 725 metrics.rmx_rtt = tp->t_srtt; 726 metrics.rmx_rttvar = tp->t_rttvar; 727 /* XXX: This wraps if the pipe is more than 4 Gbit per second */ 728 metrics.rmx_bandwidth = tp->snd_bandwidth; 729 metrics.rmx_cwnd = tp->snd_cwnd; 730 metrics.rmx_sendpipe = 0; 731 metrics.rmx_recvpipe = 0; 732 733 tcp_hc_update(&inp->inp_inc, &metrics); 734 } 735 736 /* free the reassembly queue, if any */ 737 while ((q = LIST_FIRST(&tp->t_segq)) != NULL) { 738 LIST_REMOVE(q, tqe_q); 739 m_freem(q->tqe_m); 740 uma_zfree(tcp_reass_zone, q); 741 tp->t_segqlen--; 742 tcp_reass_qsize--; 743 } 744 tcp_free_sackholes(tp); 745 inp->inp_ppcb = NULL; 746 tp->t_inpcb = NULL; 747 uma_zfree(tcpcb_zone, tp); 748 soisdisconnected(so); 749 } 750 751 /* 752 * Close a TCP control block: 753 * discard all space held by the tcp 754 * discard internet protocol block 755 * wake up any sleepers 756 */ 757 struct tcpcb * 758 tcp_close(tp) 759 struct tcpcb *tp; 760 { 761 struct inpcb *inp = tp->t_inpcb; 762 #ifdef INET6 763 struct socket *so = inp->inp_socket; 764 #endif 765 766 tcp_discardcb(tp); 767 #ifdef INET6 768 if (INP_CHECK_SOCKAF(so, AF_INET6)) 769 in6_pcbdetach(inp); 770 else 771 #endif 772 in_pcbdetach(inp); 773 tcpstat.tcps_closed++; 774 return (NULL); 775 } 776 777 void 778 tcp_drain() 779 { 780 if (do_tcpdrain) 781 { 782 struct inpcb *inpb; 783 struct tcpcb *tcpb; 784 struct tseg_qent *te; 785 786 /* 787 * Walk the tcpbs, if existing, and flush the reassembly queue, 788 * if there is one... 789 * XXX: The "Net/3" implementation doesn't imply that the TCP 790 * reassembly queue should be flushed, but in a situation 791 * where we're really low on mbufs, this is potentially 792 * usefull. 793 */ 794 INP_INFO_RLOCK(&tcbinfo); 795 LIST_FOREACH(inpb, tcbinfo.listhead, inp_list) { 796 if (inpb->inp_vflag & INP_TIMEWAIT) 797 continue; 798 INP_LOCK(inpb); 799 if ((tcpb = intotcpcb(inpb)) != NULL) { 800 while ((te = LIST_FIRST(&tcpb->t_segq)) 801 != NULL) { 802 LIST_REMOVE(te, tqe_q); 803 m_freem(te->tqe_m); 804 uma_zfree(tcp_reass_zone, te); 805 tcpb->t_segqlen--; 806 tcp_reass_qsize--; 807 } 808 } 809 INP_UNLOCK(inpb); 810 } 811 INP_INFO_RUNLOCK(&tcbinfo); 812 } 813 } 814 815 /* 816 * Notify a tcp user of an asynchronous error; 817 * store error as soft error, but wake up user 818 * (for now, won't do anything until can select for soft error). 819 * 820 * Do not wake up user since there currently is no mechanism for 821 * reporting soft errors (yet - a kqueue filter may be added). 822 */ 823 static struct inpcb * 824 tcp_notify(inp, error) 825 struct inpcb *inp; 826 int error; 827 { 828 struct tcpcb *tp = (struct tcpcb *)inp->inp_ppcb; 829 830 /* 831 * Ignore some errors if we are hooked up. 832 * If connection hasn't completed, has retransmitted several times, 833 * and receives a second error, give up now. This is better 834 * than waiting a long time to establish a connection that 835 * can never complete. 836 */ 837 if (tp->t_state == TCPS_ESTABLISHED && 838 (error == EHOSTUNREACH || error == ENETUNREACH || 839 error == EHOSTDOWN)) { 840 return inp; 841 } else if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 && 842 tp->t_softerror) { 843 tcp_drop(tp, error); 844 return (struct inpcb *)0; 845 } else { 846 tp->t_softerror = error; 847 return inp; 848 } 849 #if 0 850 wakeup( &so->so_timeo); 851 sorwakeup(so); 852 sowwakeup(so); 853 #endif 854 } 855 856 static int 857 tcp_pcblist(SYSCTL_HANDLER_ARGS) 858 { 859 int error, i, n, s; 860 struct inpcb *inp, **inp_list; 861 inp_gen_t gencnt; 862 struct xinpgen xig; 863 864 /* 865 * The process of preparing the TCB list is too time-consuming and 866 * resource-intensive to repeat twice on every request. 867 */ 868 if (req->oldptr == NULL) { 869 n = tcbinfo.ipi_count; 870 req->oldidx = 2 * (sizeof xig) 871 + (n + n/8) * sizeof(struct xtcpcb); 872 return 0; 873 } 874 875 if (req->newptr != NULL) 876 return EPERM; 877 878 /* 879 * OK, now we're committed to doing something. 880 */ 881 s = splnet(); 882 INP_INFO_RLOCK(&tcbinfo); 883 gencnt = tcbinfo.ipi_gencnt; 884 n = tcbinfo.ipi_count; 885 INP_INFO_RUNLOCK(&tcbinfo); 886 splx(s); 887 888 error = sysctl_wire_old_buffer(req, 2 * (sizeof xig) 889 + n * sizeof(struct xtcpcb)); 890 if (error != 0) 891 return (error); 892 893 xig.xig_len = sizeof xig; 894 xig.xig_count = n; 895 xig.xig_gen = gencnt; 896 xig.xig_sogen = so_gencnt; 897 error = SYSCTL_OUT(req, &xig, sizeof xig); 898 if (error) 899 return error; 900 901 inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK); 902 if (inp_list == NULL) 903 return ENOMEM; 904 905 s = splnet(); 906 INP_INFO_RLOCK(&tcbinfo); 907 for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp != NULL && i < n; 908 inp = LIST_NEXT(inp, inp_list)) { 909 INP_LOCK(inp); 910 if (inp->inp_gencnt <= gencnt) { 911 /* 912 * XXX: This use of cr_cansee(), introduced with 913 * TCP state changes, is not quite right, but for 914 * now, better than nothing. 915 */ 916 if (inp->inp_vflag & INP_TIMEWAIT) 917 error = cr_cansee(req->td->td_ucred, 918 intotw(inp)->tw_cred); 919 else 920 error = cr_canseesocket(req->td->td_ucred, 921 inp->inp_socket); 922 if (error == 0) 923 inp_list[i++] = inp; 924 } 925 INP_UNLOCK(inp); 926 } 927 INP_INFO_RUNLOCK(&tcbinfo); 928 splx(s); 929 n = i; 930 931 error = 0; 932 for (i = 0; i < n; i++) { 933 inp = inp_list[i]; 934 if (inp->inp_gencnt <= gencnt) { 935 struct xtcpcb xt; 936 caddr_t inp_ppcb; 937 xt.xt_len = sizeof xt; 938 /* XXX should avoid extra copy */ 939 bcopy(inp, &xt.xt_inp, sizeof *inp); 940 inp_ppcb = inp->inp_ppcb; 941 if (inp_ppcb == NULL) 942 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp); 943 else if (inp->inp_vflag & INP_TIMEWAIT) { 944 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp); 945 xt.xt_tp.t_state = TCPS_TIME_WAIT; 946 } else 947 bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp); 948 if (inp->inp_socket != NULL) 949 sotoxsocket(inp->inp_socket, &xt.xt_socket); 950 else { 951 bzero(&xt.xt_socket, sizeof xt.xt_socket); 952 xt.xt_socket.xso_protocol = IPPROTO_TCP; 953 } 954 xt.xt_inp.inp_gencnt = inp->inp_gencnt; 955 error = SYSCTL_OUT(req, &xt, sizeof xt); 956 } 957 } 958 if (!error) { 959 /* 960 * Give the user an updated idea of our state. 961 * If the generation differs from what we told 962 * her before, she knows that something happened 963 * while we were processing this request, and it 964 * might be necessary to retry. 965 */ 966 s = splnet(); 967 INP_INFO_RLOCK(&tcbinfo); 968 xig.xig_gen = tcbinfo.ipi_gencnt; 969 xig.xig_sogen = so_gencnt; 970 xig.xig_count = tcbinfo.ipi_count; 971 INP_INFO_RUNLOCK(&tcbinfo); 972 splx(s); 973 error = SYSCTL_OUT(req, &xig, sizeof xig); 974 } 975 free(inp_list, M_TEMP); 976 return error; 977 } 978 979 SYSCTL_PROC(_net_inet_tcp, TCPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0, 980 tcp_pcblist, "S,xtcpcb", "List of active TCP connections"); 981 982 static int 983 tcp_getcred(SYSCTL_HANDLER_ARGS) 984 { 985 struct xucred xuc; 986 struct sockaddr_in addrs[2]; 987 struct inpcb *inp; 988 int error, s; 989 990 error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); 991 if (error) 992 return (error); 993 error = SYSCTL_IN(req, addrs, sizeof(addrs)); 994 if (error) 995 return (error); 996 s = splnet(); 997 INP_INFO_RLOCK(&tcbinfo); 998 inp = in_pcblookup_hash(&tcbinfo, addrs[1].sin_addr, addrs[1].sin_port, 999 addrs[0].sin_addr, addrs[0].sin_port, 0, NULL); 1000 if (inp == NULL) { 1001 error = ENOENT; 1002 goto outunlocked; 1003 } 1004 INP_LOCK(inp); 1005 if (inp->inp_socket == NULL) { 1006 error = ENOENT; 1007 goto out; 1008 } 1009 error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); 1010 if (error) 1011 goto out; 1012 cru2x(inp->inp_socket->so_cred, &xuc); 1013 out: 1014 INP_UNLOCK(inp); 1015 outunlocked: 1016 INP_INFO_RUNLOCK(&tcbinfo); 1017 splx(s); 1018 if (error == 0) 1019 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred)); 1020 return (error); 1021 } 1022 1023 SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, 1024 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, 1025 tcp_getcred, "S,xucred", "Get the xucred of a TCP connection"); 1026 1027 #ifdef INET6 1028 static int 1029 tcp6_getcred(SYSCTL_HANDLER_ARGS) 1030 { 1031 struct xucred xuc; 1032 struct sockaddr_in6 addrs[2]; 1033 struct inpcb *inp; 1034 int error, s, mapped = 0; 1035 1036 error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); 1037 if (error) 1038 return (error); 1039 error = SYSCTL_IN(req, addrs, sizeof(addrs)); 1040 if (error) 1041 return (error); 1042 if (IN6_IS_ADDR_V4MAPPED(&addrs[0].sin6_addr)) { 1043 if (IN6_IS_ADDR_V4MAPPED(&addrs[1].sin6_addr)) 1044 mapped = 1; 1045 else 1046 return (EINVAL); 1047 } 1048 s = splnet(); 1049 INP_INFO_RLOCK(&tcbinfo); 1050 if (mapped == 1) 1051 inp = in_pcblookup_hash(&tcbinfo, 1052 *(struct in_addr *)&addrs[1].sin6_addr.s6_addr[12], 1053 addrs[1].sin6_port, 1054 *(struct in_addr *)&addrs[0].sin6_addr.s6_addr[12], 1055 addrs[0].sin6_port, 1056 0, NULL); 1057 else 1058 inp = in6_pcblookup_hash(&tcbinfo, &addrs[1].sin6_addr, 1059 addrs[1].sin6_port, 1060 &addrs[0].sin6_addr, addrs[0].sin6_port, 1061 0, NULL); 1062 if (inp == NULL) { 1063 error = ENOENT; 1064 goto outunlocked; 1065 } 1066 INP_LOCK(inp); 1067 if (inp->inp_socket == NULL) { 1068 error = ENOENT; 1069 goto out; 1070 } 1071 error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); 1072 if (error) 1073 goto out; 1074 cru2x(inp->inp_socket->so_cred, &xuc); 1075 out: 1076 INP_UNLOCK(inp); 1077 outunlocked: 1078 INP_INFO_RUNLOCK(&tcbinfo); 1079 splx(s); 1080 if (error == 0) 1081 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred)); 1082 return (error); 1083 } 1084 1085 SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, 1086 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, 1087 tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection"); 1088 #endif 1089 1090 1091 void 1092 tcp_ctlinput(cmd, sa, vip) 1093 int cmd; 1094 struct sockaddr *sa; 1095 void *vip; 1096 { 1097 struct ip *ip = vip; 1098 struct tcphdr *th; 1099 struct in_addr faddr; 1100 struct inpcb *inp; 1101 struct tcpcb *tp; 1102 struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify; 1103 tcp_seq icmp_seq; 1104 int s; 1105 1106 faddr = ((struct sockaddr_in *)sa)->sin_addr; 1107 if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY) 1108 return; 1109 1110 if (cmd == PRC_QUENCH) 1111 notify = tcp_quench; 1112 else if (icmp_may_rst && (cmd == PRC_UNREACH_ADMIN_PROHIB || 1113 cmd == PRC_UNREACH_PORT || cmd == PRC_TIMXCEED_INTRANS) && ip) 1114 notify = tcp_drop_syn_sent; 1115 else if (cmd == PRC_MSGSIZE) 1116 notify = tcp_mtudisc; 1117 /* 1118 * Redirects don't need to be handled up here. 1119 */ 1120 else if (PRC_IS_REDIRECT(cmd)) 1121 return; 1122 /* 1123 * Hostdead is ugly because it goes linearly through all PCBs. 1124 * XXX: We never get this from ICMP, otherwise it makes an 1125 * excellent DoS attack on machines with many connections. 1126 */ 1127 else if (cmd == PRC_HOSTDEAD) 1128 ip = NULL; 1129 else if ((unsigned)cmd >= PRC_NCMDS || inetctlerrmap[cmd] == 0) 1130 return; 1131 if (ip != NULL) { 1132 s = splnet(); 1133 th = (struct tcphdr *)((caddr_t)ip 1134 + (ip->ip_hl << 2)); 1135 INP_INFO_WLOCK(&tcbinfo); 1136 inp = in_pcblookup_hash(&tcbinfo, faddr, th->th_dport, 1137 ip->ip_src, th->th_sport, 0, NULL); 1138 if (inp != NULL) { 1139 INP_LOCK(inp); 1140 if (inp->inp_socket != NULL) { 1141 icmp_seq = htonl(th->th_seq); 1142 tp = intotcpcb(inp); 1143 if (SEQ_GEQ(icmp_seq, tp->snd_una) && 1144 SEQ_LT(icmp_seq, tp->snd_max)) 1145 inp = (*notify)(inp, inetctlerrmap[cmd]); 1146 } 1147 if (inp != NULL) 1148 INP_UNLOCK(inp); 1149 } else { 1150 struct in_conninfo inc; 1151 1152 inc.inc_fport = th->th_dport; 1153 inc.inc_lport = th->th_sport; 1154 inc.inc_faddr = faddr; 1155 inc.inc_laddr = ip->ip_src; 1156 #ifdef INET6 1157 inc.inc_isipv6 = 0; 1158 #endif 1159 syncache_unreach(&inc, th); 1160 } 1161 INP_INFO_WUNLOCK(&tcbinfo); 1162 splx(s); 1163 } else 1164 in_pcbnotifyall(&tcbinfo, faddr, inetctlerrmap[cmd], notify); 1165 } 1166 1167 #ifdef INET6 1168 void 1169 tcp6_ctlinput(cmd, sa, d) 1170 int cmd; 1171 struct sockaddr *sa; 1172 void *d; 1173 { 1174 struct tcphdr th; 1175 struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify; 1176 struct ip6_hdr *ip6; 1177 struct mbuf *m; 1178 struct ip6ctlparam *ip6cp = NULL; 1179 const struct sockaddr_in6 *sa6_src = NULL; 1180 int off; 1181 struct tcp_portonly { 1182 u_int16_t th_sport; 1183 u_int16_t th_dport; 1184 } *thp; 1185 1186 if (sa->sa_family != AF_INET6 || 1187 sa->sa_len != sizeof(struct sockaddr_in6)) 1188 return; 1189 1190 if (cmd == PRC_QUENCH) 1191 notify = tcp_quench; 1192 else if (cmd == PRC_MSGSIZE) 1193 notify = tcp_mtudisc; 1194 else if (!PRC_IS_REDIRECT(cmd) && 1195 ((unsigned)cmd >= PRC_NCMDS || inet6ctlerrmap[cmd] == 0)) 1196 return; 1197 1198 /* if the parameter is from icmp6, decode it. */ 1199 if (d != NULL) { 1200 ip6cp = (struct ip6ctlparam *)d; 1201 m = ip6cp->ip6c_m; 1202 ip6 = ip6cp->ip6c_ip6; 1203 off = ip6cp->ip6c_off; 1204 sa6_src = ip6cp->ip6c_src; 1205 } else { 1206 m = NULL; 1207 ip6 = NULL; 1208 off = 0; /* fool gcc */ 1209 sa6_src = &sa6_any; 1210 } 1211 1212 if (ip6 != NULL) { 1213 struct in_conninfo inc; 1214 /* 1215 * XXX: We assume that when IPV6 is non NULL, 1216 * M and OFF are valid. 1217 */ 1218 1219 /* check if we can safely examine src and dst ports */ 1220 if (m->m_pkthdr.len < off + sizeof(*thp)) 1221 return; 1222 1223 bzero(&th, sizeof(th)); 1224 m_copydata(m, off, sizeof(*thp), (caddr_t)&th); 1225 1226 in6_pcbnotify(&tcbinfo, sa, th.th_dport, 1227 (struct sockaddr *)ip6cp->ip6c_src, 1228 th.th_sport, cmd, NULL, notify); 1229 1230 inc.inc_fport = th.th_dport; 1231 inc.inc_lport = th.th_sport; 1232 inc.inc6_faddr = ((struct sockaddr_in6 *)sa)->sin6_addr; 1233 inc.inc6_laddr = ip6cp->ip6c_src->sin6_addr; 1234 inc.inc_isipv6 = 1; 1235 INP_INFO_WLOCK(&tcbinfo); 1236 syncache_unreach(&inc, &th); 1237 INP_INFO_WUNLOCK(&tcbinfo); 1238 } else 1239 in6_pcbnotify(&tcbinfo, sa, 0, (const struct sockaddr *)sa6_src, 1240 0, cmd, NULL, notify); 1241 } 1242 #endif /* INET6 */ 1243 1244 1245 /* 1246 * Following is where TCP initial sequence number generation occurs. 1247 * 1248 * There are two places where we must use initial sequence numbers: 1249 * 1. In SYN-ACK packets. 1250 * 2. In SYN packets. 1251 * 1252 * All ISNs for SYN-ACK packets are generated by the syncache. See 1253 * tcp_syncache.c for details. 1254 * 1255 * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling 1256 * depends on this property. In addition, these ISNs should be 1257 * unguessable so as to prevent connection hijacking. To satisfy 1258 * the requirements of this situation, the algorithm outlined in 1259 * RFC 1948 is used, with only small modifications. 1260 * 1261 * Implementation details: 1262 * 1263 * Time is based off the system timer, and is corrected so that it 1264 * increases by one megabyte per second. This allows for proper 1265 * recycling on high speed LANs while still leaving over an hour 1266 * before rollover. 1267 * 1268 * As reading the *exact* system time is too expensive to be done 1269 * whenever setting up a TCP connection, we increment the time 1270 * offset in two ways. First, a small random positive increment 1271 * is added to isn_offset for each connection that is set up. 1272 * Second, the function tcp_isn_tick fires once per clock tick 1273 * and increments isn_offset as necessary so that sequence numbers 1274 * are incremented at approximately ISN_BYTES_PER_SECOND. The 1275 * random positive increments serve only to ensure that the same 1276 * exact sequence number is never sent out twice (as could otherwise 1277 * happen when a port is recycled in less than the system tick 1278 * interval.) 1279 * 1280 * net.inet.tcp.isn_reseed_interval controls the number of seconds 1281 * between seeding of isn_secret. This is normally set to zero, 1282 * as reseeding should not be necessary. 1283 * 1284 */ 1285 1286 #define ISN_BYTES_PER_SECOND 1048576 1287 #define ISN_STATIC_INCREMENT 4096 1288 #define ISN_RANDOM_INCREMENT (4096 - 1) 1289 1290 u_char isn_secret[32]; 1291 int isn_last_reseed; 1292 u_int32_t isn_offset, isn_offset_old; 1293 MD5_CTX isn_ctx; 1294 1295 tcp_seq 1296 tcp_new_isn(tp) 1297 struct tcpcb *tp; 1298 { 1299 u_int32_t md5_buffer[4]; 1300 tcp_seq new_isn; 1301 1302 /* Seed if this is the first use, reseed if requested. */ 1303 if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) && 1304 (((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz) 1305 < (u_int)ticks))) { 1306 read_random(&isn_secret, sizeof(isn_secret)); 1307 isn_last_reseed = ticks; 1308 } 1309 1310 /* Compute the md5 hash and return the ISN. */ 1311 MD5Init(&isn_ctx); 1312 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short)); 1313 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short)); 1314 #ifdef INET6 1315 if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) { 1316 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr, 1317 sizeof(struct in6_addr)); 1318 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr, 1319 sizeof(struct in6_addr)); 1320 } else 1321 #endif 1322 { 1323 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr, 1324 sizeof(struct in_addr)); 1325 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr, 1326 sizeof(struct in_addr)); 1327 } 1328 MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret)); 1329 MD5Final((u_char *) &md5_buffer, &isn_ctx); 1330 new_isn = (tcp_seq) md5_buffer[0]; 1331 isn_offset += ISN_STATIC_INCREMENT + 1332 (arc4random() & ISN_RANDOM_INCREMENT); 1333 new_isn += isn_offset; 1334 return new_isn; 1335 } 1336 1337 /* 1338 * Increment the offset to the next ISN_BYTES_PER_SECOND / hz boundary 1339 * to keep time flowing at a relatively constant rate. If the random 1340 * increments have already pushed us past the projected offset, do nothing. 1341 */ 1342 static void 1343 tcp_isn_tick(xtp) 1344 void *xtp; 1345 { 1346 u_int32_t projected_offset; 1347 1348 projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / hz; 1349 1350 if (projected_offset > isn_offset) 1351 isn_offset = projected_offset; 1352 1353 isn_offset_old = isn_offset; 1354 callout_reset(&isn_callout, 1, tcp_isn_tick, NULL); 1355 } 1356 1357 /* 1358 * When a source quench is received, close congestion window 1359 * to one segment. We will gradually open it again as we proceed. 1360 */ 1361 struct inpcb * 1362 tcp_quench(inp, errno) 1363 struct inpcb *inp; 1364 int errno; 1365 { 1366 struct tcpcb *tp = intotcpcb(inp); 1367 1368 if (tp != NULL) 1369 tp->snd_cwnd = tp->t_maxseg; 1370 return (inp); 1371 } 1372 1373 /* 1374 * When a specific ICMP unreachable message is received and the 1375 * connection state is SYN-SENT, drop the connection. This behavior 1376 * is controlled by the icmp_may_rst sysctl. 1377 */ 1378 struct inpcb * 1379 tcp_drop_syn_sent(inp, errno) 1380 struct inpcb *inp; 1381 int errno; 1382 { 1383 struct tcpcb *tp = intotcpcb(inp); 1384 1385 if (tp != NULL && tp->t_state == TCPS_SYN_SENT) { 1386 tcp_drop(tp, errno); 1387 return (struct inpcb *)0; 1388 } 1389 return inp; 1390 } 1391 1392 /* 1393 * When `need fragmentation' ICMP is received, update our idea of the MSS 1394 * based on the new value in the route. Also nudge TCP to send something, 1395 * since we know the packet we just sent was dropped. 1396 * This duplicates some code in the tcp_mss() function in tcp_input.c. 1397 */ 1398 struct inpcb * 1399 tcp_mtudisc(inp, errno) 1400 struct inpcb *inp; 1401 int errno; 1402 { 1403 struct tcpcb *tp = intotcpcb(inp); 1404 struct socket *so = inp->inp_socket; 1405 u_int maxmtu; 1406 u_int romtu; 1407 int mss; 1408 #ifdef INET6 1409 int isipv6; 1410 #endif /* INET6 */ 1411 1412 if (tp != NULL) { 1413 #ifdef INET6 1414 isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0; 1415 #endif 1416 maxmtu = tcp_hc_getmtu(&inp->inp_inc); /* IPv4 and IPv6 */ 1417 romtu = 1418 #ifdef INET6 1419 isipv6 ? tcp_maxmtu6(&inp->inp_inc) : 1420 #endif /* INET6 */ 1421 tcp_maxmtu(&inp->inp_inc); 1422 if (!maxmtu) 1423 maxmtu = romtu; 1424 else 1425 maxmtu = min(maxmtu, romtu); 1426 if (!maxmtu) { 1427 tp->t_maxopd = tp->t_maxseg = 1428 #ifdef INET6 1429 isipv6 ? tcp_v6mssdflt : 1430 #endif /* INET6 */ 1431 tcp_mssdflt; 1432 return inp; 1433 } 1434 mss = maxmtu - 1435 #ifdef INET6 1436 (isipv6 ? 1437 sizeof(struct ip6_hdr) + sizeof(struct tcphdr) : 1438 #endif /* INET6 */ 1439 sizeof(struct tcpiphdr) 1440 #ifdef INET6 1441 ) 1442 #endif /* INET6 */ 1443 ; 1444 1445 /* 1446 * XXX - The above conditional probably violates the TCP 1447 * spec. The problem is that, since we don't know the 1448 * other end's MSS, we are supposed to use a conservative 1449 * default. But, if we do that, then MTU discovery will 1450 * never actually take place, because the conservative 1451 * default is much less than the MTUs typically seen 1452 * on the Internet today. For the moment, we'll sweep 1453 * this under the carpet. 1454 * 1455 * The conservative default might not actually be a problem 1456 * if the only case this occurs is when sending an initial 1457 * SYN with options and data to a host we've never talked 1458 * to before. Then, they will reply with an MSS value which 1459 * will get recorded and the new parameters should get 1460 * recomputed. For Further Study. 1461 */ 1462 if (tp->t_maxopd <= mss) 1463 return inp; 1464 tp->t_maxopd = mss; 1465 1466 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP && 1467 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP) 1468 mss -= TCPOLEN_TSTAMP_APPA; 1469 #if (MCLBYTES & (MCLBYTES - 1)) == 0 1470 if (mss > MCLBYTES) 1471 mss &= ~(MCLBYTES-1); 1472 #else 1473 if (mss > MCLBYTES) 1474 mss = mss / MCLBYTES * MCLBYTES; 1475 #endif 1476 if (so->so_snd.sb_hiwat < mss) 1477 mss = so->so_snd.sb_hiwat; 1478 1479 tp->t_maxseg = mss; 1480 1481 tcpstat.tcps_mturesent++; 1482 tp->t_rtttime = 0; 1483 tp->snd_nxt = tp->snd_una; 1484 tcp_output(tp); 1485 } 1486 return inp; 1487 } 1488 1489 /* 1490 * Look-up the routing entry to the peer of this inpcb. If no route 1491 * is found and it cannot be allocated, then return NULL. This routine 1492 * is called by TCP routines that access the rmx structure and by tcp_mss 1493 * to get the interface MTU. 1494 */ 1495 u_long 1496 tcp_maxmtu(inc) 1497 struct in_conninfo *inc; 1498 { 1499 struct route sro; 1500 struct sockaddr_in *dst; 1501 struct ifnet *ifp; 1502 u_long maxmtu = 0; 1503 1504 KASSERT(inc != NULL, ("tcp_maxmtu with NULL in_conninfo pointer")); 1505 1506 bzero(&sro, sizeof(sro)); 1507 if (inc->inc_faddr.s_addr != INADDR_ANY) { 1508 dst = (struct sockaddr_in *)&sro.ro_dst; 1509 dst->sin_family = AF_INET; 1510 dst->sin_len = sizeof(*dst); 1511 dst->sin_addr = inc->inc_faddr; 1512 rtalloc_ign(&sro, RTF_CLONING); 1513 } 1514 if (sro.ro_rt != NULL) { 1515 ifp = sro.ro_rt->rt_ifp; 1516 if (sro.ro_rt->rt_rmx.rmx_mtu == 0) 1517 maxmtu = ifp->if_mtu; 1518 else 1519 maxmtu = min(sro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu); 1520 RTFREE(sro.ro_rt); 1521 } 1522 return (maxmtu); 1523 } 1524 1525 #ifdef INET6 1526 u_long 1527 tcp_maxmtu6(inc) 1528 struct in_conninfo *inc; 1529 { 1530 struct route_in6 sro6; 1531 struct ifnet *ifp; 1532 u_long maxmtu = 0; 1533 1534 KASSERT(inc != NULL, ("tcp_maxmtu6 with NULL in_conninfo pointer")); 1535 1536 bzero(&sro6, sizeof(sro6)); 1537 if (!IN6_IS_ADDR_UNSPECIFIED(&inc->inc6_faddr)) { 1538 sro6.ro_dst.sin6_family = AF_INET6; 1539 sro6.ro_dst.sin6_len = sizeof(struct sockaddr_in6); 1540 sro6.ro_dst.sin6_addr = inc->inc6_faddr; 1541 rtalloc_ign((struct route *)&sro6, RTF_CLONING); 1542 } 1543 if (sro6.ro_rt != NULL) { 1544 ifp = sro6.ro_rt->rt_ifp; 1545 if (sro6.ro_rt->rt_rmx.rmx_mtu == 0) 1546 maxmtu = IN6_LINKMTU(sro6.ro_rt->rt_ifp); 1547 else 1548 maxmtu = min(sro6.ro_rt->rt_rmx.rmx_mtu, 1549 IN6_LINKMTU(sro6.ro_rt->rt_ifp)); 1550 RTFREE(sro6.ro_rt); 1551 } 1552 1553 return (maxmtu); 1554 } 1555 #endif /* INET6 */ 1556 1557 #ifdef IPSEC 1558 /* compute ESP/AH header size for TCP, including outer IP header. */ 1559 size_t 1560 ipsec_hdrsiz_tcp(tp) 1561 struct tcpcb *tp; 1562 { 1563 struct inpcb *inp; 1564 struct mbuf *m; 1565 size_t hdrsiz; 1566 struct ip *ip; 1567 #ifdef INET6 1568 struct ip6_hdr *ip6; 1569 #endif 1570 struct tcphdr *th; 1571 1572 if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL)) 1573 return 0; 1574 MGETHDR(m, M_DONTWAIT, MT_DATA); 1575 if (!m) 1576 return 0; 1577 1578 #ifdef INET6 1579 if ((inp->inp_vflag & INP_IPV6) != 0) { 1580 ip6 = mtod(m, struct ip6_hdr *); 1581 th = (struct tcphdr *)(ip6 + 1); 1582 m->m_pkthdr.len = m->m_len = 1583 sizeof(struct ip6_hdr) + sizeof(struct tcphdr); 1584 tcpip_fillheaders(inp, ip6, th); 1585 hdrsiz = ipsec6_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp); 1586 } else 1587 #endif /* INET6 */ 1588 { 1589 ip = mtod(m, struct ip *); 1590 th = (struct tcphdr *)(ip + 1); 1591 m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr); 1592 tcpip_fillheaders(inp, ip, th); 1593 hdrsiz = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp); 1594 } 1595 1596 m_free(m); 1597 return hdrsiz; 1598 } 1599 #endif /*IPSEC*/ 1600 1601 /* 1602 * Move a TCP connection into TIME_WAIT state. 1603 * tcbinfo is unlocked. 1604 * inp is locked, and is unlocked before returning. 1605 */ 1606 void 1607 tcp_twstart(tp) 1608 struct tcpcb *tp; 1609 { 1610 struct tcptw *tw; 1611 struct inpcb *inp; 1612 int tw_time, acknow; 1613 struct socket *so; 1614 1615 tw = uma_zalloc(tcptw_zone, M_NOWAIT); 1616 if (tw == NULL) { 1617 tw = tcp_timer_2msl_tw(1); 1618 if (tw == NULL) { 1619 tcp_close(tp); 1620 return; 1621 } 1622 } 1623 inp = tp->t_inpcb; 1624 tw->tw_inpcb = inp; 1625 1626 /* 1627 * Recover last window size sent. 1628 */ 1629 tw->last_win = (tp->rcv_adv - tp->rcv_nxt) >> tp->rcv_scale; 1630 1631 /* 1632 * Set t_recent if timestamps are used on the connection. 1633 */ 1634 if ((tp->t_flags & (TF_REQ_TSTMP|TF_RCVD_TSTMP|TF_NOOPT)) == 1635 (TF_REQ_TSTMP|TF_RCVD_TSTMP)) 1636 tw->t_recent = tp->ts_recent; 1637 else 1638 tw->t_recent = 0; 1639 1640 tw->snd_nxt = tp->snd_nxt; 1641 tw->rcv_nxt = tp->rcv_nxt; 1642 tw->iss = tp->iss; 1643 tw->irs = tp->irs; 1644 tw->t_starttime = tp->t_starttime; 1645 tw->tw_time = 0; 1646 1647 /* XXX 1648 * If this code will 1649 * be used for fin-wait-2 state also, then we may need 1650 * a ts_recent from the last segment. 1651 */ 1652 tw_time = 2 * tcp_msl; 1653 acknow = tp->t_flags & TF_ACKNOW; 1654 tcp_discardcb(tp); 1655 so = inp->inp_socket; 1656 ACCEPT_LOCK(); 1657 SOCK_LOCK(so); 1658 so->so_pcb = NULL; 1659 tw->tw_cred = crhold(so->so_cred); 1660 tw->tw_so_options = so->so_options; 1661 sotryfree(so); 1662 inp->inp_socket = NULL; 1663 if (acknow) 1664 tcp_twrespond(tw, TH_ACK); 1665 inp->inp_ppcb = (caddr_t)tw; 1666 inp->inp_vflag |= INP_TIMEWAIT; 1667 tcp_timer_2msl_reset(tw, tw_time); 1668 INP_UNLOCK(inp); 1669 } 1670 1671 /* 1672 * The appromixate rate of ISN increase of Microsoft TCP stacks; 1673 * the actual rate is slightly higher due to the addition of 1674 * random positive increments. 1675 * 1676 * Most other new OSes use semi-randomized ISN values, so we 1677 * do not need to worry about them. 1678 */ 1679 #define MS_ISN_BYTES_PER_SECOND 250000 1680 1681 /* 1682 * Determine if the ISN we will generate has advanced beyond the last 1683 * sequence number used by the previous connection. If so, indicate 1684 * that it is safe to recycle this tw socket by returning 1. 1685 */ 1686 int 1687 tcp_twrecycleable(struct tcptw *tw) 1688 { 1689 tcp_seq new_iss = tw->iss; 1690 tcp_seq new_irs = tw->irs; 1691 1692 new_iss += (ticks - tw->t_starttime) * (ISN_BYTES_PER_SECOND / hz); 1693 new_irs += (ticks - tw->t_starttime) * (MS_ISN_BYTES_PER_SECOND / hz); 1694 1695 if (SEQ_GT(new_iss, tw->snd_nxt) && SEQ_GT(new_irs, tw->rcv_nxt)) 1696 return 1; 1697 else 1698 return 0; 1699 } 1700 1701 struct tcptw * 1702 tcp_twclose(struct tcptw *tw, int reuse) 1703 { 1704 struct inpcb *inp; 1705 1706 inp = tw->tw_inpcb; 1707 tw->tw_inpcb = NULL; 1708 tcp_timer_2msl_stop(tw); 1709 inp->inp_ppcb = NULL; 1710 #ifdef INET6 1711 if (inp->inp_vflag & INP_IPV6PROTO) 1712 in6_pcbdetach(inp); 1713 else 1714 #endif 1715 in_pcbdetach(inp); 1716 tcpstat.tcps_closed++; 1717 crfree(tw->tw_cred); 1718 tw->tw_cred = NULL; 1719 if (reuse) 1720 return (tw); 1721 uma_zfree(tcptw_zone, tw); 1722 return (NULL); 1723 } 1724 1725 int 1726 tcp_twrespond(struct tcptw *tw, int flags) 1727 { 1728 struct inpcb *inp = tw->tw_inpcb; 1729 struct tcphdr *th; 1730 struct mbuf *m; 1731 struct ip *ip = NULL; 1732 u_int8_t *optp; 1733 u_int hdrlen, optlen; 1734 int error; 1735 #ifdef INET6 1736 struct ip6_hdr *ip6 = NULL; 1737 int isipv6 = inp->inp_inc.inc_isipv6; 1738 #endif 1739 1740 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1741 if (m == NULL) 1742 return (ENOBUFS); 1743 m->m_data += max_linkhdr; 1744 1745 #ifdef MAC 1746 mac_create_mbuf_from_inpcb(inp, m); 1747 #endif 1748 1749 #ifdef INET6 1750 if (isipv6) { 1751 hdrlen = sizeof(struct ip6_hdr) + sizeof(struct tcphdr); 1752 ip6 = mtod(m, struct ip6_hdr *); 1753 th = (struct tcphdr *)(ip6 + 1); 1754 tcpip_fillheaders(inp, ip6, th); 1755 } else 1756 #endif 1757 { 1758 hdrlen = sizeof(struct tcpiphdr); 1759 ip = mtod(m, struct ip *); 1760 th = (struct tcphdr *)(ip + 1); 1761 tcpip_fillheaders(inp, ip, th); 1762 } 1763 optp = (u_int8_t *)(th + 1); 1764 1765 /* 1766 * Send a timestamp and echo-reply if both our side and our peer 1767 * have sent timestamps in our SYN's and this is not a RST. 1768 */ 1769 if (tw->t_recent && flags == TH_ACK) { 1770 u_int32_t *lp = (u_int32_t *)optp; 1771 1772 /* Form timestamp option as shown in appendix A of RFC 1323. */ 1773 *lp++ = htonl(TCPOPT_TSTAMP_HDR); 1774 *lp++ = htonl(ticks); 1775 *lp = htonl(tw->t_recent); 1776 optp += TCPOLEN_TSTAMP_APPA; 1777 } 1778 1779 optlen = optp - (u_int8_t *)(th + 1); 1780 1781 m->m_len = hdrlen + optlen; 1782 m->m_pkthdr.len = m->m_len; 1783 1784 KASSERT(max_linkhdr + m->m_len <= MHLEN, ("tcptw: mbuf too small")); 1785 1786 th->th_seq = htonl(tw->snd_nxt); 1787 th->th_ack = htonl(tw->rcv_nxt); 1788 th->th_off = (sizeof(struct tcphdr) + optlen) >> 2; 1789 th->th_flags = flags; 1790 th->th_win = htons(tw->last_win); 1791 1792 #ifdef INET6 1793 if (isipv6) { 1794 th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), 1795 sizeof(struct tcphdr) + optlen); 1796 ip6->ip6_hlim = in6_selecthlim(inp, NULL); 1797 error = ip6_output(m, inp->in6p_outputopts, NULL, 1798 (tw->tw_so_options & SO_DONTROUTE), NULL, NULL, inp); 1799 } else 1800 #endif 1801 { 1802 th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, 1803 htons(sizeof(struct tcphdr) + optlen + IPPROTO_TCP)); 1804 m->m_pkthdr.csum_flags = CSUM_TCP; 1805 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); 1806 ip->ip_len = m->m_pkthdr.len; 1807 if (path_mtu_discovery) 1808 ip->ip_off |= IP_DF; 1809 error = ip_output(m, inp->inp_options, NULL, 1810 ((tw->tw_so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0), 1811 NULL, inp); 1812 } 1813 if (flags & TH_ACK) 1814 tcpstat.tcps_sndacks++; 1815 else 1816 tcpstat.tcps_sndctrl++; 1817 tcpstat.tcps_sndtotal++; 1818 return (error); 1819 } 1820 1821 /* 1822 * TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING 1823 * 1824 * This code attempts to calculate the bandwidth-delay product as a 1825 * means of determining the optimal window size to maximize bandwidth, 1826 * minimize RTT, and avoid the over-allocation of buffers on interfaces and 1827 * routers. This code also does a fairly good job keeping RTTs in check 1828 * across slow links like modems. We implement an algorithm which is very 1829 * similar (but not meant to be) TCP/Vegas. The code operates on the 1830 * transmitter side of a TCP connection and so only effects the transmit 1831 * side of the connection. 1832 * 1833 * BACKGROUND: TCP makes no provision for the management of buffer space 1834 * at the end points or at the intermediate routers and switches. A TCP 1835 * stream, whether using NewReno or not, will eventually buffer as 1836 * many packets as it is able and the only reason this typically works is 1837 * due to the fairly small default buffers made available for a connection 1838 * (typicaly 16K or 32K). As machines use larger windows and/or window 1839 * scaling it is now fairly easy for even a single TCP connection to blow-out 1840 * all available buffer space not only on the local interface, but on 1841 * intermediate routers and switches as well. NewReno makes a misguided 1842 * attempt to 'solve' this problem by waiting for an actual failure to occur, 1843 * then backing off, then steadily increasing the window again until another 1844 * failure occurs, ad-infinitum. This results in terrible oscillation that 1845 * is only made worse as network loads increase and the idea of intentionally 1846 * blowing out network buffers is, frankly, a terrible way to manage network 1847 * resources. 1848 * 1849 * It is far better to limit the transmit window prior to the failure 1850 * condition being achieved. There are two general ways to do this: First 1851 * you can 'scan' through different transmit window sizes and locate the 1852 * point where the RTT stops increasing, indicating that you have filled the 1853 * pipe, then scan backwards until you note that RTT stops decreasing, then 1854 * repeat ad-infinitum. This method works in principle but has severe 1855 * implementation issues due to RTT variances, timer granularity, and 1856 * instability in the algorithm which can lead to many false positives and 1857 * create oscillations as well as interact badly with other TCP streams 1858 * implementing the same algorithm. 1859 * 1860 * The second method is to limit the window to the bandwidth delay product 1861 * of the link. This is the method we implement. RTT variances and our 1862 * own manipulation of the congestion window, bwnd, can potentially 1863 * destabilize the algorithm. For this reason we have to stabilize the 1864 * elements used to calculate the window. We do this by using the minimum 1865 * observed RTT, the long term average of the observed bandwidth, and 1866 * by adding two segments worth of slop. It isn't perfect but it is able 1867 * to react to changing conditions and gives us a very stable basis on 1868 * which to extend the algorithm. 1869 */ 1870 void 1871 tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq) 1872 { 1873 u_long bw; 1874 u_long bwnd; 1875 int save_ticks; 1876 1877 /* 1878 * If inflight_enable is disabled in the middle of a tcp connection, 1879 * make sure snd_bwnd is effectively disabled. 1880 */ 1881 if (tcp_inflight_enable == 0) { 1882 tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT; 1883 tp->snd_bandwidth = 0; 1884 return; 1885 } 1886 1887 /* 1888 * Figure out the bandwidth. Due to the tick granularity this 1889 * is a very rough number and it MUST be averaged over a fairly 1890 * long period of time. XXX we need to take into account a link 1891 * that is not using all available bandwidth, but for now our 1892 * slop will ramp us up if this case occurs and the bandwidth later 1893 * increases. 1894 * 1895 * Note: if ticks rollover 'bw' may wind up negative. We must 1896 * effectively reset t_bw_rtttime for this case. 1897 */ 1898 save_ticks = ticks; 1899 if ((u_int)(save_ticks - tp->t_bw_rtttime) < 1) 1900 return; 1901 1902 bw = (int64_t)(ack_seq - tp->t_bw_rtseq) * hz / 1903 (save_ticks - tp->t_bw_rtttime); 1904 tp->t_bw_rtttime = save_ticks; 1905 tp->t_bw_rtseq = ack_seq; 1906 if (tp->t_bw_rtttime == 0 || (int)bw < 0) 1907 return; 1908 bw = ((int64_t)tp->snd_bandwidth * 15 + bw) >> 4; 1909 1910 tp->snd_bandwidth = bw; 1911 1912 /* 1913 * Calculate the semi-static bandwidth delay product, plus two maximal 1914 * segments. The additional slop puts us squarely in the sweet 1915 * spot and also handles the bandwidth run-up case and stabilization. 1916 * Without the slop we could be locking ourselves into a lower 1917 * bandwidth. 1918 * 1919 * Situations Handled: 1920 * (1) Prevents over-queueing of packets on LANs, especially on 1921 * high speed LANs, allowing larger TCP buffers to be 1922 * specified, and also does a good job preventing 1923 * over-queueing of packets over choke points like modems 1924 * (at least for the transmit side). 1925 * 1926 * (2) Is able to handle changing network loads (bandwidth 1927 * drops so bwnd drops, bandwidth increases so bwnd 1928 * increases). 1929 * 1930 * (3) Theoretically should stabilize in the face of multiple 1931 * connections implementing the same algorithm (this may need 1932 * a little work). 1933 * 1934 * (4) Stability value (defaults to 20 = 2 maximal packets) can 1935 * be adjusted with a sysctl but typically only needs to be 1936 * on very slow connections. A value no smaller then 5 1937 * should be used, but only reduce this default if you have 1938 * no other choice. 1939 */ 1940 #define USERTT ((tp->t_srtt + tp->t_rttbest) / 2) 1941 bwnd = (int64_t)bw * USERTT / (hz << TCP_RTT_SHIFT) + tcp_inflight_stab * tp->t_maxseg / 10; 1942 #undef USERTT 1943 1944 if (tcp_inflight_debug > 0) { 1945 static int ltime; 1946 if ((u_int)(ticks - ltime) >= hz / tcp_inflight_debug) { 1947 ltime = ticks; 1948 printf("%p bw %ld rttbest %d srtt %d bwnd %ld\n", 1949 tp, 1950 bw, 1951 tp->t_rttbest, 1952 tp->t_srtt, 1953 bwnd 1954 ); 1955 } 1956 } 1957 if ((long)bwnd < tcp_inflight_min) 1958 bwnd = tcp_inflight_min; 1959 if (bwnd > tcp_inflight_max) 1960 bwnd = tcp_inflight_max; 1961 if ((long)bwnd < tp->t_maxseg * 2) 1962 bwnd = tp->t_maxseg * 2; 1963 tp->snd_bwnd = bwnd; 1964 } 1965 1966 #ifdef TCP_SIGNATURE 1967 /* 1968 * Callback function invoked by m_apply() to digest TCP segment data 1969 * contained within an mbuf chain. 1970 */ 1971 static int 1972 tcp_signature_apply(void *fstate, void *data, u_int len) 1973 { 1974 1975 MD5Update(fstate, (u_char *)data, len); 1976 return (0); 1977 } 1978 1979 /* 1980 * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385) 1981 * 1982 * Parameters: 1983 * m pointer to head of mbuf chain 1984 * off0 offset to TCP header within the mbuf chain 1985 * len length of TCP segment data, excluding options 1986 * optlen length of TCP segment options 1987 * buf pointer to storage for computed MD5 digest 1988 * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND) 1989 * 1990 * We do this over ip, tcphdr, segment data, and the key in the SADB. 1991 * When called from tcp_input(), we can be sure that th_sum has been 1992 * zeroed out and verified already. 1993 * 1994 * This function is for IPv4 use only. Calling this function with an 1995 * IPv6 packet in the mbuf chain will yield undefined results. 1996 * 1997 * Return 0 if successful, otherwise return -1. 1998 * 1999 * XXX The key is retrieved from the system's PF_KEY SADB, by keying a 2000 * search with the destination IP address, and a 'magic SPI' to be 2001 * determined by the application. This is hardcoded elsewhere to 1179 2002 * right now. Another branch of this code exists which uses the SPD to 2003 * specify per-application flows but it is unstable. 2004 */ 2005 int 2006 tcp_signature_compute(struct mbuf *m, int off0, int len, int optlen, 2007 u_char *buf, u_int direction) 2008 { 2009 union sockaddr_union dst; 2010 struct ippseudo ippseudo; 2011 MD5_CTX ctx; 2012 int doff; 2013 struct ip *ip; 2014 struct ipovly *ipovly; 2015 struct secasvar *sav; 2016 struct tcphdr *th; 2017 u_short savecsum; 2018 2019 KASSERT(m != NULL, ("NULL mbuf chain")); 2020 KASSERT(buf != NULL, ("NULL signature pointer")); 2021 2022 /* Extract the destination from the IP header in the mbuf. */ 2023 ip = mtod(m, struct ip *); 2024 bzero(&dst, sizeof(union sockaddr_union)); 2025 dst.sa.sa_len = sizeof(struct sockaddr_in); 2026 dst.sa.sa_family = AF_INET; 2027 dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ? 2028 ip->ip_src : ip->ip_dst; 2029 2030 /* Look up an SADB entry which matches the address of the peer. */ 2031 sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); 2032 if (sav == NULL) { 2033 printf("%s: SADB lookup failed for %s\n", __func__, 2034 inet_ntoa(dst.sin.sin_addr)); 2035 return (EINVAL); 2036 } 2037 2038 MD5Init(&ctx); 2039 ipovly = (struct ipovly *)ip; 2040 th = (struct tcphdr *)((u_char *)ip + off0); 2041 doff = off0 + sizeof(struct tcphdr) + optlen; 2042 2043 /* 2044 * Step 1: Update MD5 hash with IP pseudo-header. 2045 * 2046 * XXX The ippseudo header MUST be digested in network byte order, 2047 * or else we'll fail the regression test. Assume all fields we've 2048 * been doing arithmetic on have been in host byte order. 2049 * XXX One cannot depend on ipovly->ih_len here. When called from 2050 * tcp_output(), the underlying ip_len member has not yet been set. 2051 */ 2052 ippseudo.ippseudo_src = ipovly->ih_src; 2053 ippseudo.ippseudo_dst = ipovly->ih_dst; 2054 ippseudo.ippseudo_pad = 0; 2055 ippseudo.ippseudo_p = IPPROTO_TCP; 2056 ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen); 2057 MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo)); 2058 2059 /* 2060 * Step 2: Update MD5 hash with TCP header, excluding options. 2061 * The TCP checksum must be set to zero. 2062 */ 2063 savecsum = th->th_sum; 2064 th->th_sum = 0; 2065 MD5Update(&ctx, (char *)th, sizeof(struct tcphdr)); 2066 th->th_sum = savecsum; 2067 2068 /* 2069 * Step 3: Update MD5 hash with TCP segment data. 2070 * Use m_apply() to avoid an early m_pullup(). 2071 */ 2072 if (len > 0) 2073 m_apply(m, doff, len, tcp_signature_apply, &ctx); 2074 2075 /* 2076 * Step 4: Update MD5 hash with shared secret. 2077 */ 2078 MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); 2079 MD5Final(buf, &ctx); 2080 2081 key_sa_recordxfer(sav, m); 2082 KEY_FREESAV(&sav); 2083 return (0); 2084 } 2085 #endif /* TCP_SIGNATURE */ 2086