xref: /freebsd/sys/netinet/tcp_syncache.c (revision 4a5216a6dc0c3ce4cf5f2d3ee8af0c3ff3402c4f)
1 /*-
2  * Copyright (c) 2001 McAfee, Inc.
3  * Copyright (c) 2006 Andre Oppermann, Internet Business Solutions AG
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project by Jonathan Lemon
7  * and McAfee Research, the Security Research Division of McAfee, Inc. under
8  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9  * DARPA CHATS research program.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include "opt_inet.h"
37 #include "opt_inet6.h"
38 #include "opt_ipsec.h"
39 #include "opt_mac.h"
40 
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/kernel.h>
44 #include <sys/sysctl.h>
45 #include <sys/limits.h>
46 #include <sys/lock.h>
47 #include <sys/mutex.h>
48 #include <sys/malloc.h>
49 #include <sys/mbuf.h>
50 #include <sys/md5.h>
51 #include <sys/proc.h>		/* for proc0 declaration */
52 #include <sys/random.h>
53 #include <sys/socket.h>
54 #include <sys/socketvar.h>
55 #include <sys/syslog.h>
56 #include <sys/ucred.h>
57 #include <sys/vimage.h>
58 
59 #include <vm/uma.h>
60 
61 #include <net/if.h>
62 #include <net/route.h>
63 
64 #include <netinet/in.h>
65 #include <netinet/in_systm.h>
66 #include <netinet/ip.h>
67 #include <netinet/in_var.h>
68 #include <netinet/in_pcb.h>
69 #include <netinet/ip_var.h>
70 #include <netinet/ip_options.h>
71 #ifdef INET6
72 #include <netinet/ip6.h>
73 #include <netinet/icmp6.h>
74 #include <netinet6/nd6.h>
75 #include <netinet6/ip6_var.h>
76 #include <netinet6/in6_pcb.h>
77 #endif
78 #include <netinet/tcp.h>
79 #include <netinet/tcp_fsm.h>
80 #include <netinet/tcp_seq.h>
81 #include <netinet/tcp_timer.h>
82 #include <netinet/tcp_var.h>
83 #include <netinet/tcp_syncache.h>
84 #include <netinet/tcp_offload.h>
85 #ifdef INET6
86 #include <netinet6/tcp6_var.h>
87 #endif
88 
89 #ifdef IPSEC
90 #include <netipsec/ipsec.h>
91 #ifdef INET6
92 #include <netipsec/ipsec6.h>
93 #endif
94 #include <netipsec/key.h>
95 #endif /*IPSEC*/
96 
97 #include <machine/in_cksum.h>
98 
99 #include <security/mac/mac_framework.h>
100 
101 static int tcp_syncookies = 1;
102 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW,
103     &tcp_syncookies, 0,
104     "Use TCP SYN cookies if the syncache overflows");
105 
106 static int tcp_syncookiesonly = 0;
107 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_RW,
108     &tcp_syncookiesonly, 0,
109     "Use only TCP SYN cookies");
110 
111 #ifdef TCP_OFFLOAD_DISABLE
112 #define TOEPCB_ISSET(sc) (0)
113 #else
114 #define TOEPCB_ISSET(sc) ((sc)->sc_toepcb != NULL)
115 #endif
116 
117 static void	 syncache_drop(struct syncache *, struct syncache_head *);
118 static void	 syncache_free(struct syncache *);
119 static void	 syncache_insert(struct syncache *, struct syncache_head *);
120 struct syncache *syncache_lookup(struct in_conninfo *, struct syncache_head **);
121 static int	 syncache_respond(struct syncache *);
122 static struct	 socket *syncache_socket(struct syncache *, struct socket *,
123 		    struct mbuf *m);
124 static void	 syncache_timeout(struct syncache *sc, struct syncache_head *sch,
125 		    int docallout);
126 static void	 syncache_timer(void *);
127 static void	 syncookie_generate(struct syncache_head *, struct syncache *,
128 		    u_int32_t *);
129 static struct syncache
130 		*syncookie_lookup(struct in_conninfo *, struct syncache_head *,
131 		    struct syncache *, struct tcpopt *, struct tcphdr *,
132 		    struct socket *);
133 
134 /*
135  * Transmit the SYN,ACK fewer times than TCP_MAXRXTSHIFT specifies.
136  * 3 retransmits corresponds to a timeout of 3 * (1 + 2 + 4 + 8) == 45 seconds,
137  * the odds are that the user has given up attempting to connect by then.
138  */
139 #define SYNCACHE_MAXREXMTS		3
140 
141 /* Arbitrary values */
142 #define TCP_SYNCACHE_HASHSIZE		512
143 #define TCP_SYNCACHE_BUCKETLIMIT	30
144 
145 static struct tcp_syncache tcp_syncache;
146 
147 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, syncache, CTLFLAG_RW, 0, "TCP SYN cache");
148 
149 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
150     bucketlimit, CTLFLAG_RDTUN,
151     tcp_syncache.bucket_limit, 0, "Per-bucket hash limit for syncache");
152 
153 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
154     cachelimit, CTLFLAG_RDTUN,
155     tcp_syncache.cache_limit, 0, "Overall entry limit for syncache");
156 
157 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
158     count, CTLFLAG_RD,
159     tcp_syncache.cache_count, 0, "Current number of entries in syncache");
160 
161 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
162     hashsize, CTLFLAG_RDTUN,
163     tcp_syncache.hashsize, 0, "Size of TCP syncache hashtable");
164 
165 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
166     rexmtlimit, CTLFLAG_RW,
167     tcp_syncache.rexmt_limit, 0, "Limit on SYN/ACK retransmissions");
168 
169 int	tcp_sc_rst_sock_fail = 1;
170 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
171      rst_on_sock_fail, CTLFLAG_RW,
172      tcp_sc_rst_sock_fail, 0, "Send reset on socket allocation failure");
173 
174 static MALLOC_DEFINE(M_SYNCACHE, "syncache", "TCP syncache");
175 
176 #define SYNCACHE_HASH(inc, mask)					\
177 	((V_tcp_syncache.hash_secret ^					\
178 	  (inc)->inc_faddr.s_addr ^					\
179 	  ((inc)->inc_faddr.s_addr >> 16) ^				\
180 	  (inc)->inc_fport ^ (inc)->inc_lport) & mask)
181 
182 #define SYNCACHE_HASH6(inc, mask)					\
183 	((V_tcp_syncache.hash_secret ^					\
184 	  (inc)->inc6_faddr.s6_addr32[0] ^				\
185 	  (inc)->inc6_faddr.s6_addr32[3] ^				\
186 	  (inc)->inc_fport ^ (inc)->inc_lport) & mask)
187 
188 #define ENDPTS_EQ(a, b) (						\
189 	(a)->ie_fport == (b)->ie_fport &&				\
190 	(a)->ie_lport == (b)->ie_lport &&				\
191 	(a)->ie_faddr.s_addr == (b)->ie_faddr.s_addr &&			\
192 	(a)->ie_laddr.s_addr == (b)->ie_laddr.s_addr			\
193 )
194 
195 #define ENDPTS6_EQ(a, b) (memcmp(a, b, sizeof(*a)) == 0)
196 
197 #define	SCH_LOCK(sch)		mtx_lock(&(sch)->sch_mtx)
198 #define	SCH_UNLOCK(sch)		mtx_unlock(&(sch)->sch_mtx)
199 #define	SCH_LOCK_ASSERT(sch)	mtx_assert(&(sch)->sch_mtx, MA_OWNED)
200 
201 /*
202  * Requires the syncache entry to be already removed from the bucket list.
203  */
204 static void
205 syncache_free(struct syncache *sc)
206 {
207 	INIT_VNET_INET(curvnet);
208 
209 	if (sc->sc_ipopts)
210 		(void) m_free(sc->sc_ipopts);
211 	if (sc->sc_cred)
212 		crfree(sc->sc_cred);
213 #ifdef MAC
214 	mac_syncache_destroy(&sc->sc_label);
215 #endif
216 
217 	uma_zfree(V_tcp_syncache.zone, sc);
218 }
219 
220 void
221 syncache_init(void)
222 {
223 	INIT_VNET_INET(curvnet);
224 	int i;
225 
226 	V_tcp_syncache.cache_count = 0;
227 	V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
228 	V_tcp_syncache.bucket_limit = TCP_SYNCACHE_BUCKETLIMIT;
229 	V_tcp_syncache.rexmt_limit = SYNCACHE_MAXREXMTS;
230 	V_tcp_syncache.hash_secret = arc4random();
231 
232 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.hashsize",
233 	    &V_tcp_syncache.hashsize);
234 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.bucketlimit",
235 	    &V_tcp_syncache.bucket_limit);
236 	if (!powerof2(V_tcp_syncache.hashsize) ||
237 	    V_tcp_syncache.hashsize == 0) {
238 		printf("WARNING: syncache hash size is not a power of 2.\n");
239 		V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
240 	}
241 	V_tcp_syncache.hashmask = V_tcp_syncache.hashsize - 1;
242 
243 	/* Set limits. */
244 	V_tcp_syncache.cache_limit =
245 	    V_tcp_syncache.hashsize * V_tcp_syncache.bucket_limit;
246 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.cachelimit",
247 	    &V_tcp_syncache.cache_limit);
248 
249 	/* Allocate the hash table. */
250 	MALLOC(V_tcp_syncache.hashbase, struct syncache_head *,
251 	    V_tcp_syncache.hashsize * sizeof(struct syncache_head),
252 	    M_SYNCACHE, M_WAITOK | M_ZERO);
253 
254 	/* Initialize the hash buckets. */
255 	for (i = 0; i < V_tcp_syncache.hashsize; i++) {
256 		TAILQ_INIT(&V_tcp_syncache.hashbase[i].sch_bucket);
257 		mtx_init(&V_tcp_syncache.hashbase[i].sch_mtx, "tcp_sc_head",
258 			 NULL, MTX_DEF);
259 		callout_init_mtx(&V_tcp_syncache.hashbase[i].sch_timer,
260 			 &V_tcp_syncache.hashbase[i].sch_mtx, 0);
261 		V_tcp_syncache.hashbase[i].sch_length = 0;
262 	}
263 
264 	/* Create the syncache entry zone. */
265 	V_tcp_syncache.zone = uma_zcreate("syncache", sizeof(struct syncache),
266 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
267 	uma_zone_set_max(V_tcp_syncache.zone, V_tcp_syncache.cache_limit);
268 }
269 
270 /*
271  * Inserts a syncache entry into the specified bucket row.
272  * Locks and unlocks the syncache_head autonomously.
273  */
274 static void
275 syncache_insert(struct syncache *sc, struct syncache_head *sch)
276 {
277 	INIT_VNET_INET(sch->sch_vnet);
278 	struct syncache *sc2;
279 
280 	SCH_LOCK(sch);
281 
282 	/*
283 	 * Make sure that we don't overflow the per-bucket limit.
284 	 * If the bucket is full, toss the oldest element.
285 	 */
286 	if (sch->sch_length >= V_tcp_syncache.bucket_limit) {
287 		KASSERT(!TAILQ_EMPTY(&sch->sch_bucket),
288 			("sch->sch_length incorrect"));
289 		sc2 = TAILQ_LAST(&sch->sch_bucket, sch_head);
290 		syncache_drop(sc2, sch);
291 		V_tcpstat.tcps_sc_bucketoverflow++;
292 	}
293 
294 	/* Put it into the bucket. */
295 	TAILQ_INSERT_HEAD(&sch->sch_bucket, sc, sc_hash);
296 	sch->sch_length++;
297 
298 	/* Reinitialize the bucket row's timer. */
299 	if (sch->sch_length == 1)
300 		sch->sch_nextc = ticks + INT_MAX;
301 	syncache_timeout(sc, sch, 1);
302 
303 	SCH_UNLOCK(sch);
304 
305 	V_tcp_syncache.cache_count++;
306 	V_tcpstat.tcps_sc_added++;
307 }
308 
309 /*
310  * Remove and free entry from syncache bucket row.
311  * Expects locked syncache head.
312  */
313 static void
314 syncache_drop(struct syncache *sc, struct syncache_head *sch)
315 {
316 	INIT_VNET_INET(sch->sch_vnet);
317 
318 	SCH_LOCK_ASSERT(sch);
319 
320 	TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);
321 	sch->sch_length--;
322 
323 #ifndef TCP_OFFLOAD_DISABLE
324 	if (sc->sc_tu)
325 		sc->sc_tu->tu_syncache_event(TOE_SC_DROP, sc->sc_toepcb);
326 #endif
327 	syncache_free(sc);
328 	V_tcp_syncache.cache_count--;
329 }
330 
331 /*
332  * Engage/reengage time on bucket row.
333  */
334 static void
335 syncache_timeout(struct syncache *sc, struct syncache_head *sch, int docallout)
336 {
337 	sc->sc_rxttime = ticks +
338 		TCPTV_RTOBASE * (tcp_backoff[sc->sc_rxmits]);
339 	sc->sc_rxmits++;
340 	if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc)) {
341 		sch->sch_nextc = sc->sc_rxttime;
342 		if (docallout)
343 			callout_reset(&sch->sch_timer, sch->sch_nextc - ticks,
344 			    syncache_timer, (void *)sch);
345 	}
346 }
347 
348 /*
349  * Walk the timer queues, looking for SYN,ACKs that need to be retransmitted.
350  * If we have retransmitted an entry the maximum number of times, expire it.
351  * One separate timer for each bucket row.
352  */
353 static void
354 syncache_timer(void *xsch)
355 {
356 	struct syncache_head *sch = (struct syncache_head *)xsch;
357 	INIT_VNET_INET(sch->sch_vnet);
358 	struct syncache *sc, *nsc;
359 	int tick = ticks;
360 	char *s;
361 
362 	/* NB: syncache_head has already been locked by the callout. */
363 	SCH_LOCK_ASSERT(sch);
364 
365 	/*
366 	 * In the following cycle we may remove some entries and/or
367 	 * advance some timeouts, so re-initialize the bucket timer.
368 	 */
369 	sch->sch_nextc = tick + INT_MAX;
370 
371 	TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc) {
372 		/*
373 		 * We do not check if the listen socket still exists
374 		 * and accept the case where the listen socket may be
375 		 * gone by the time we resend the SYN/ACK.  We do
376 		 * not expect this to happens often. If it does,
377 		 * then the RST will be sent by the time the remote
378 		 * host does the SYN/ACK->ACK.
379 		 */
380 		if (TSTMP_GT(sc->sc_rxttime, tick)) {
381 			if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc))
382 				sch->sch_nextc = sc->sc_rxttime;
383 			continue;
384 		}
385 		if (sc->sc_rxmits > V_tcp_syncache.rexmt_limit) {
386 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
387 				log(LOG_DEBUG, "%s; %s: Retransmits exhausted, "
388 				    "giving up and removing syncache entry\n",
389 				    s, __func__);
390 				free(s, M_TCPLOG);
391 			}
392 			syncache_drop(sc, sch);
393 			V_tcpstat.tcps_sc_stale++;
394 			continue;
395 		}
396 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
397 			log(LOG_DEBUG, "%s; %s: Response timeout, "
398 			    "retransmitting (%u) SYN|ACK\n",
399 			    s, __func__, sc->sc_rxmits);
400 			free(s, M_TCPLOG);
401 		}
402 
403 		(void) syncache_respond(sc);
404 		V_tcpstat.tcps_sc_retransmitted++;
405 		syncache_timeout(sc, sch, 0);
406 	}
407 	if (!TAILQ_EMPTY(&(sch)->sch_bucket))
408 		callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick,
409 			syncache_timer, (void *)(sch));
410 }
411 
412 /*
413  * Find an entry in the syncache.
414  * Returns always with locked syncache_head plus a matching entry or NULL.
415  */
416 struct syncache *
417 syncache_lookup(struct in_conninfo *inc, struct syncache_head **schp)
418 {
419 	INIT_VNET_INET(curvnet);
420 	struct syncache *sc;
421 	struct syncache_head *sch;
422 
423 #ifdef INET6
424 	if (inc->inc_isipv6) {
425 		sch = &V_tcp_syncache.hashbase[
426 		    SYNCACHE_HASH6(inc, V_tcp_syncache.hashmask)];
427 		*schp = sch;
428 
429 		SCH_LOCK(sch);
430 
431 		/* Circle through bucket row to find matching entry. */
432 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
433 			if (ENDPTS6_EQ(&inc->inc_ie, &sc->sc_inc.inc_ie))
434 				return (sc);
435 		}
436 	} else
437 #endif
438 	{
439 		sch = &V_tcp_syncache.hashbase[
440 		    SYNCACHE_HASH(inc, V_tcp_syncache.hashmask)];
441 		*schp = sch;
442 
443 		SCH_LOCK(sch);
444 
445 		/* Circle through bucket row to find matching entry. */
446 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
447 #ifdef INET6
448 			if (sc->sc_inc.inc_isipv6)
449 				continue;
450 #endif
451 			if (ENDPTS_EQ(&inc->inc_ie, &sc->sc_inc.inc_ie))
452 				return (sc);
453 		}
454 	}
455 	SCH_LOCK_ASSERT(*schp);
456 	return (NULL);			/* always returns with locked sch */
457 }
458 
459 /*
460  * This function is called when we get a RST for a
461  * non-existent connection, so that we can see if the
462  * connection is in the syn cache.  If it is, zap it.
463  */
464 void
465 syncache_chkrst(struct in_conninfo *inc, struct tcphdr *th)
466 {
467 	INIT_VNET_INET(curvnet);
468 	struct syncache *sc;
469 	struct syncache_head *sch;
470 	char *s = NULL;
471 
472 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
473 	SCH_LOCK_ASSERT(sch);
474 
475 	/*
476 	 * Any RST to our SYN|ACK must not carry ACK, SYN or FIN flags.
477 	 * See RFC 793 page 65, section SEGMENT ARRIVES.
478 	 */
479 	if (th->th_flags & (TH_ACK|TH_SYN|TH_FIN)) {
480 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
481 			log(LOG_DEBUG, "%s; %s: Spurious RST with ACK, SYN or "
482 			    "FIN flag set, segment ignored\n", s, __func__);
483 		V_tcpstat.tcps_badrst++;
484 		goto done;
485 	}
486 
487 	/*
488 	 * No corresponding connection was found in syncache.
489 	 * If syncookies are enabled and possibly exclusively
490 	 * used, or we are under memory pressure, a valid RST
491 	 * may not find a syncache entry.  In that case we're
492 	 * done and no SYN|ACK retransmissions will happen.
493 	 * Otherwise the the RST was misdirected or spoofed.
494 	 */
495 	if (sc == NULL) {
496 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
497 			log(LOG_DEBUG, "%s; %s: Spurious RST without matching "
498 			    "syncache entry (possibly syncookie only), "
499 			    "segment ignored\n", s, __func__);
500 		V_tcpstat.tcps_badrst++;
501 		goto done;
502 	}
503 
504 	/*
505 	 * If the RST bit is set, check the sequence number to see
506 	 * if this is a valid reset segment.
507 	 * RFC 793 page 37:
508 	 *   In all states except SYN-SENT, all reset (RST) segments
509 	 *   are validated by checking their SEQ-fields.  A reset is
510 	 *   valid if its sequence number is in the window.
511 	 *
512 	 *   The sequence number in the reset segment is normally an
513 	 *   echo of our outgoing acknowlegement numbers, but some hosts
514 	 *   send a reset with the sequence number at the rightmost edge
515 	 *   of our receive window, and we have to handle this case.
516 	 */
517 	if (SEQ_GEQ(th->th_seq, sc->sc_irs) &&
518 	    SEQ_LEQ(th->th_seq, sc->sc_irs + sc->sc_wnd)) {
519 		syncache_drop(sc, sch);
520 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
521 			log(LOG_DEBUG, "%s; %s: Our SYN|ACK was rejected, "
522 			    "connection attempt aborted by remote endpoint\n",
523 			    s, __func__);
524 		V_tcpstat.tcps_sc_reset++;
525 	} else {
526 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
527 			log(LOG_DEBUG, "%s; %s: RST with invalid SEQ %u != "
528 			    "IRS %u (+WND %u), segment ignored\n",
529 			    s, __func__, th->th_seq, sc->sc_irs, sc->sc_wnd);
530 		V_tcpstat.tcps_badrst++;
531 	}
532 
533 done:
534 	if (s != NULL)
535 		free(s, M_TCPLOG);
536 	SCH_UNLOCK(sch);
537 }
538 
539 void
540 syncache_badack(struct in_conninfo *inc)
541 {
542 	INIT_VNET_INET(curvnet);
543 	struct syncache *sc;
544 	struct syncache_head *sch;
545 
546 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
547 	SCH_LOCK_ASSERT(sch);
548 	if (sc != NULL) {
549 		syncache_drop(sc, sch);
550 		V_tcpstat.tcps_sc_badack++;
551 	}
552 	SCH_UNLOCK(sch);
553 }
554 
555 void
556 syncache_unreach(struct in_conninfo *inc, struct tcphdr *th)
557 {
558 	INIT_VNET_INET(curvnet);
559 	struct syncache *sc;
560 	struct syncache_head *sch;
561 
562 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
563 	SCH_LOCK_ASSERT(sch);
564 	if (sc == NULL)
565 		goto done;
566 
567 	/* If the sequence number != sc_iss, then it's a bogus ICMP msg */
568 	if (ntohl(th->th_seq) != sc->sc_iss)
569 		goto done;
570 
571 	/*
572 	 * If we've rertransmitted 3 times and this is our second error,
573 	 * we remove the entry.  Otherwise, we allow it to continue on.
574 	 * This prevents us from incorrectly nuking an entry during a
575 	 * spurious network outage.
576 	 *
577 	 * See tcp_notify().
578 	 */
579 	if ((sc->sc_flags & SCF_UNREACH) == 0 || sc->sc_rxmits < 3 + 1) {
580 		sc->sc_flags |= SCF_UNREACH;
581 		goto done;
582 	}
583 	syncache_drop(sc, sch);
584 	V_tcpstat.tcps_sc_unreach++;
585 done:
586 	SCH_UNLOCK(sch);
587 }
588 
589 /*
590  * Build a new TCP socket structure from a syncache entry.
591  */
592 static struct socket *
593 syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
594 {
595 	INIT_VNET_INET(lso->so_vnet);
596 	struct inpcb *inp = NULL;
597 	struct socket *so;
598 	struct tcpcb *tp;
599 	char *s;
600 
601 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
602 
603 	/*
604 	 * Ok, create the full blown connection, and set things up
605 	 * as they would have been set up if we had created the
606 	 * connection when the SYN arrived.  If we can't create
607 	 * the connection, abort it.
608 	 */
609 	so = sonewconn(lso, SS_ISCONNECTED);
610 	if (so == NULL) {
611 		/*
612 		 * Drop the connection; we will either send a RST or
613 		 * have the peer retransmit its SYN again after its
614 		 * RTO and try again.
615 		 */
616 		V_tcpstat.tcps_listendrop++;
617 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
618 			log(LOG_DEBUG, "%s; %s: Socket create failed "
619 			    "due to limits or memory shortage\n",
620 			    s, __func__);
621 			free(s, M_TCPLOG);
622 		}
623 		goto abort2;
624 	}
625 #ifdef MAC
626 	SOCK_LOCK(so);
627 	mac_socketpeer_set_from_mbuf(m, so);
628 	SOCK_UNLOCK(so);
629 #endif
630 
631 	inp = sotoinpcb(so);
632 	inp->inp_inc.inc_fibnum = sc->sc_inc.inc_fibnum;
633 	so->so_fibnum = sc->sc_inc.inc_fibnum;
634 	INP_WLOCK(inp);
635 
636 	/* Insert new socket into PCB hash list. */
637 	inp->inp_inc.inc_isipv6 = sc->sc_inc.inc_isipv6;
638 #ifdef INET6
639 	if (sc->sc_inc.inc_isipv6) {
640 		inp->in6p_laddr = sc->sc_inc.inc6_laddr;
641 	} else {
642 		inp->inp_vflag &= ~INP_IPV6;
643 		inp->inp_vflag |= INP_IPV4;
644 #endif
645 		inp->inp_laddr = sc->sc_inc.inc_laddr;
646 #ifdef INET6
647 	}
648 #endif
649 	inp->inp_lport = sc->sc_inc.inc_lport;
650 	if (in_pcbinshash(inp) != 0) {
651 		/*
652 		 * Undo the assignments above if we failed to
653 		 * put the PCB on the hash lists.
654 		 */
655 #ifdef INET6
656 		if (sc->sc_inc.inc_isipv6)
657 			inp->in6p_laddr = in6addr_any;
658 		else
659 #endif
660 			inp->inp_laddr.s_addr = INADDR_ANY;
661 		inp->inp_lport = 0;
662 		goto abort;
663 	}
664 #ifdef IPSEC
665 	/* Copy old policy into new socket's. */
666 	if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
667 		printf("syncache_socket: could not copy policy\n");
668 #endif
669 #ifdef INET6
670 	if (sc->sc_inc.inc_isipv6) {
671 		struct inpcb *oinp = sotoinpcb(lso);
672 		struct in6_addr laddr6;
673 		struct sockaddr_in6 sin6;
674 		/*
675 		 * Inherit socket options from the listening socket.
676 		 * Note that in6p_inputopts are not (and should not be)
677 		 * copied, since it stores previously received options and is
678 		 * used to detect if each new option is different than the
679 		 * previous one and hence should be passed to a user.
680 		 * If we copied in6p_inputopts, a user would not be able to
681 		 * receive options just after calling the accept system call.
682 		 */
683 		inp->inp_flags |= oinp->inp_flags & INP_CONTROLOPTS;
684 		if (oinp->in6p_outputopts)
685 			inp->in6p_outputopts =
686 			    ip6_copypktopts(oinp->in6p_outputopts, M_NOWAIT);
687 
688 		sin6.sin6_family = AF_INET6;
689 		sin6.sin6_len = sizeof(sin6);
690 		sin6.sin6_addr = sc->sc_inc.inc6_faddr;
691 		sin6.sin6_port = sc->sc_inc.inc_fport;
692 		sin6.sin6_flowinfo = sin6.sin6_scope_id = 0;
693 		laddr6 = inp->in6p_laddr;
694 		if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr))
695 			inp->in6p_laddr = sc->sc_inc.inc6_laddr;
696 		if (in6_pcbconnect(inp, (struct sockaddr *)&sin6,
697 		    thread0.td_ucred)) {
698 			inp->in6p_laddr = laddr6;
699 			goto abort;
700 		}
701 		/* Override flowlabel from in6_pcbconnect. */
702 		inp->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
703 		inp->in6p_flowinfo |= sc->sc_flowlabel;
704 	} else
705 #endif
706 	{
707 		struct in_addr laddr;
708 		struct sockaddr_in sin;
709 
710 		inp->inp_options = (m) ? ip_srcroute(m) : NULL;
711 
712 		if (inp->inp_options == NULL) {
713 			inp->inp_options = sc->sc_ipopts;
714 			sc->sc_ipopts = NULL;
715 		}
716 
717 		sin.sin_family = AF_INET;
718 		sin.sin_len = sizeof(sin);
719 		sin.sin_addr = sc->sc_inc.inc_faddr;
720 		sin.sin_port = sc->sc_inc.inc_fport;
721 		bzero((caddr_t)sin.sin_zero, sizeof(sin.sin_zero));
722 		laddr = inp->inp_laddr;
723 		if (inp->inp_laddr.s_addr == INADDR_ANY)
724 			inp->inp_laddr = sc->sc_inc.inc_laddr;
725 		if (in_pcbconnect(inp, (struct sockaddr *)&sin,
726 		    thread0.td_ucred)) {
727 			inp->inp_laddr = laddr;
728 			goto abort;
729 		}
730 	}
731 	tp = intotcpcb(inp);
732 	tp->t_state = TCPS_SYN_RECEIVED;
733 	tp->iss = sc->sc_iss;
734 	tp->irs = sc->sc_irs;
735 	tcp_rcvseqinit(tp);
736 	tcp_sendseqinit(tp);
737 	tp->snd_wl1 = sc->sc_irs;
738 	tp->snd_max = tp->iss + 1;
739 	tp->snd_nxt = tp->iss + 1;
740 	tp->rcv_up = sc->sc_irs + 1;
741 	tp->rcv_wnd = sc->sc_wnd;
742 	tp->rcv_adv += tp->rcv_wnd;
743 	tp->last_ack_sent = tp->rcv_nxt;
744 
745 	tp->t_flags = sototcpcb(lso)->t_flags & (TF_NOPUSH|TF_NODELAY);
746 	if (sc->sc_flags & SCF_NOOPT)
747 		tp->t_flags |= TF_NOOPT;
748 	else {
749 		if (sc->sc_flags & SCF_WINSCALE) {
750 			tp->t_flags |= TF_REQ_SCALE|TF_RCVD_SCALE;
751 			tp->snd_scale = sc->sc_requested_s_scale;
752 			tp->request_r_scale = sc->sc_requested_r_scale;
753 		}
754 		if (sc->sc_flags & SCF_TIMESTAMP) {
755 			tp->t_flags |= TF_REQ_TSTMP|TF_RCVD_TSTMP;
756 			tp->ts_recent = sc->sc_tsreflect;
757 			tp->ts_recent_age = ticks;
758 			tp->ts_offset = sc->sc_tsoff;
759 		}
760 #ifdef TCP_SIGNATURE
761 		if (sc->sc_flags & SCF_SIGNATURE)
762 			tp->t_flags |= TF_SIGNATURE;
763 #endif
764 		if (sc->sc_flags & SCF_SACK)
765 			tp->t_flags |= TF_SACK_PERMIT;
766 	}
767 
768 	if (sc->sc_flags & SCF_ECN)
769 		tp->t_flags |= TF_ECN_PERMIT;
770 
771 	/*
772 	 * Set up MSS and get cached values from tcp_hostcache.
773 	 * This might overwrite some of the defaults we just set.
774 	 */
775 	tcp_mss(tp, sc->sc_peer_mss);
776 
777 	/*
778 	 * If the SYN,ACK was retransmitted, reset cwnd to 1 segment.
779 	 */
780 	if (sc->sc_rxmits)
781 		tp->snd_cwnd = tp->t_maxseg;
782 	tcp_timer_activate(tp, TT_KEEP, tcp_keepinit);
783 
784 	INP_WUNLOCK(inp);
785 
786 	V_tcpstat.tcps_accepts++;
787 	return (so);
788 
789 abort:
790 	INP_WUNLOCK(inp);
791 abort2:
792 	if (so != NULL)
793 		soabort(so);
794 	return (NULL);
795 }
796 
797 /*
798  * This function gets called when we receive an ACK for a
799  * socket in the LISTEN state.  We look up the connection
800  * in the syncache, and if its there, we pull it out of
801  * the cache and turn it into a full-blown connection in
802  * the SYN-RECEIVED state.
803  */
804 int
805 syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
806     struct socket **lsop, struct mbuf *m)
807 {
808 	INIT_VNET_INET(curvnet);
809 	struct syncache *sc;
810 	struct syncache_head *sch;
811 	struct syncache scs;
812 	char *s;
813 
814 	/*
815 	 * Global TCP locks are held because we manipulate the PCB lists
816 	 * and create a new socket.
817 	 */
818 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
819 	KASSERT((th->th_flags & (TH_RST|TH_ACK|TH_SYN)) == TH_ACK,
820 	    ("%s: can handle only ACK", __func__));
821 
822 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
823 	SCH_LOCK_ASSERT(sch);
824 	if (sc == NULL) {
825 		/*
826 		 * There is no syncache entry, so see if this ACK is
827 		 * a returning syncookie.  To do this, first:
828 		 *  A. See if this socket has had a syncache entry dropped in
829 		 *     the past.  We don't want to accept a bogus syncookie
830 		 *     if we've never received a SYN.
831 		 *  B. check that the syncookie is valid.  If it is, then
832 		 *     cobble up a fake syncache entry, and return.
833 		 */
834 		if (!tcp_syncookies) {
835 			SCH_UNLOCK(sch);
836 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
837 				log(LOG_DEBUG, "%s; %s: Spurious ACK, "
838 				    "segment rejected (syncookies disabled)\n",
839 				    s, __func__);
840 			goto failed;
841 		}
842 		bzero(&scs, sizeof(scs));
843 		sc = syncookie_lookup(inc, sch, &scs, to, th, *lsop);
844 		SCH_UNLOCK(sch);
845 		if (sc == NULL) {
846 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
847 				log(LOG_DEBUG, "%s; %s: Segment failed "
848 				    "SYNCOOKIE authentication, segment rejected "
849 				    "(probably spoofed)\n", s, __func__);
850 			goto failed;
851 		}
852 	} else {
853 		/* Pull out the entry to unlock the bucket row. */
854 		TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);
855 		sch->sch_length--;
856 		V_tcp_syncache.cache_count--;
857 		SCH_UNLOCK(sch);
858 	}
859 
860 	/*
861 	 * Segment validation:
862 	 * ACK must match our initial sequence number + 1 (the SYN|ACK).
863 	 */
864 	if (th->th_ack != sc->sc_iss + 1 && !TOEPCB_ISSET(sc)) {
865 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
866 			log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, segment "
867 			    "rejected\n", s, __func__, th->th_ack, sc->sc_iss);
868 		goto failed;
869 	}
870 
871 	/*
872 	 * The SEQ must fall in the window starting at the received
873 	 * initial receive sequence number + 1 (the SYN).
874 	 */
875 	if ((SEQ_LEQ(th->th_seq, sc->sc_irs) ||
876 	    SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) &&
877 	    !TOEPCB_ISSET(sc)) {
878 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
879 			log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, segment "
880 			    "rejected\n", s, __func__, th->th_seq, sc->sc_irs);
881 		goto failed;
882 	}
883 
884 	if (!(sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS)) {
885 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
886 			log(LOG_DEBUG, "%s; %s: Timestamp not expected, "
887 			    "segment rejected\n", s, __func__);
888 		goto failed;
889 	}
890 	/*
891 	 * If timestamps were negotiated the reflected timestamp
892 	 * must be equal to what we actually sent in the SYN|ACK.
893 	 */
894 	if ((to->to_flags & TOF_TS) && to->to_tsecr != sc->sc_ts &&
895 	    !TOEPCB_ISSET(sc)) {
896 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
897 			log(LOG_DEBUG, "%s; %s: TSECR %u != TS %u, "
898 			    "segment rejected\n",
899 			    s, __func__, to->to_tsecr, sc->sc_ts);
900 		goto failed;
901 	}
902 
903 	*lsop = syncache_socket(sc, *lsop, m);
904 
905 	if (*lsop == NULL)
906 		V_tcpstat.tcps_sc_aborted++;
907 	else
908 		V_tcpstat.tcps_sc_completed++;
909 
910 /* how do we find the inp for the new socket? */
911 	if (sc != &scs)
912 		syncache_free(sc);
913 	return (1);
914 failed:
915 	if (sc != NULL && sc != &scs)
916 		syncache_free(sc);
917 	if (s != NULL)
918 		free(s, M_TCPLOG);
919 	*lsop = NULL;
920 	return (0);
921 }
922 
923 int
924 tcp_offload_syncache_expand(struct in_conninfo *inc, struct tcpopt *to,
925     struct tcphdr *th, struct socket **lsop, struct mbuf *m)
926 {
927 	int rc;
928 
929 	INP_INFO_WLOCK(&V_tcbinfo);
930 	rc = syncache_expand(inc, to, th, lsop, m);
931 	INP_INFO_WUNLOCK(&V_tcbinfo);
932 
933 	return (rc);
934 }
935 
936 /*
937  * Given a LISTEN socket and an inbound SYN request, add
938  * this to the syn cache, and send back a segment:
939  *	<SEQ=ISS><ACK=RCV_NXT><CTL=SYN,ACK>
940  * to the source.
941  *
942  * IMPORTANT NOTE: We do _NOT_ ACK data that might accompany the SYN.
943  * Doing so would require that we hold onto the data and deliver it
944  * to the application.  However, if we are the target of a SYN-flood
945  * DoS attack, an attacker could send data which would eventually
946  * consume all available buffer space if it were ACKed.  By not ACKing
947  * the data, we avoid this DoS scenario.
948  */
949 static void
950 _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
951     struct inpcb *inp, struct socket **lsop, struct mbuf *m,
952     struct toe_usrreqs *tu, void *toepcb)
953 {
954 	INIT_VNET_INET(inp->inp_vnet);
955 	struct tcpcb *tp;
956 	struct socket *so;
957 	struct syncache *sc = NULL;
958 	struct syncache_head *sch;
959 	struct mbuf *ipopts = NULL;
960 	u_int32_t flowtmp;
961 	int win, sb_hiwat, ip_ttl, ip_tos, noopt;
962 	char *s;
963 #ifdef INET6
964 	int autoflowlabel = 0;
965 #endif
966 #ifdef MAC
967 	struct label *maclabel;
968 #endif
969 	struct syncache scs;
970 	struct ucred *cred;
971 
972 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
973 	INP_WLOCK_ASSERT(inp);			/* listen socket */
974 	KASSERT((th->th_flags & (TH_RST|TH_ACK|TH_SYN)) == TH_SYN,
975 	    ("%s: unexpected tcp flags", __func__));
976 
977 	/*
978 	 * Combine all so/tp operations very early to drop the INP lock as
979 	 * soon as possible.
980 	 */
981 	so = *lsop;
982 	tp = sototcpcb(so);
983 	cred = crhold(so->so_cred);
984 
985 #ifdef INET6
986 	if (inc->inc_isipv6 &&
987 	    (inp->in6p_flags & IN6P_AUTOFLOWLABEL))
988 		autoflowlabel = 1;
989 #endif
990 	ip_ttl = inp->inp_ip_ttl;
991 	ip_tos = inp->inp_ip_tos;
992 	win = sbspace(&so->so_rcv);
993 	sb_hiwat = so->so_rcv.sb_hiwat;
994 	noopt = (tp->t_flags & TF_NOOPT);
995 
996 	/* By the time we drop the lock these should no longer be used. */
997 	so = NULL;
998 	tp = NULL;
999 
1000 #ifdef MAC
1001 	if (mac_syncache_init(&maclabel) != 0) {
1002 		INP_WUNLOCK(inp);
1003 		INP_INFO_WUNLOCK(&V_tcbinfo);
1004 		goto done;
1005 	} else
1006 		mac_syncache_create(maclabel, inp);
1007 #endif
1008 	INP_WUNLOCK(inp);
1009 	INP_INFO_WUNLOCK(&V_tcbinfo);
1010 
1011 	/*
1012 	 * Remember the IP options, if any.
1013 	 */
1014 #ifdef INET6
1015 	if (!inc->inc_isipv6)
1016 #endif
1017 		ipopts = (m) ? ip_srcroute(m) : NULL;
1018 
1019 	/*
1020 	 * See if we already have an entry for this connection.
1021 	 * If we do, resend the SYN,ACK, and reset the retransmit timer.
1022 	 *
1023 	 * XXX: should the syncache be re-initialized with the contents
1024 	 * of the new SYN here (which may have different options?)
1025 	 *
1026 	 * XXX: We do not check the sequence number to see if this is a
1027 	 * real retransmit or a new connection attempt.  The question is
1028 	 * how to handle such a case; either ignore it as spoofed, or
1029 	 * drop the current entry and create a new one?
1030 	 */
1031 	sc = syncache_lookup(inc, &sch);	/* returns locked entry */
1032 	SCH_LOCK_ASSERT(sch);
1033 	if (sc != NULL) {
1034 #ifndef TCP_OFFLOAD_DISABLE
1035 		if (sc->sc_tu)
1036 			sc->sc_tu->tu_syncache_event(TOE_SC_ENTRY_PRESENT,
1037 			    sc->sc_toepcb);
1038 #endif
1039 		V_tcpstat.tcps_sc_dupsyn++;
1040 		if (ipopts) {
1041 			/*
1042 			 * If we were remembering a previous source route,
1043 			 * forget it and use the new one we've been given.
1044 			 */
1045 			if (sc->sc_ipopts)
1046 				(void) m_free(sc->sc_ipopts);
1047 			sc->sc_ipopts = ipopts;
1048 		}
1049 		/*
1050 		 * Update timestamp if present.
1051 		 */
1052 		if ((sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS))
1053 			sc->sc_tsreflect = to->to_tsval;
1054 		else
1055 			sc->sc_flags &= ~SCF_TIMESTAMP;
1056 #ifdef MAC
1057 		/*
1058 		 * Since we have already unconditionally allocated label
1059 		 * storage, free it up.  The syncache entry will already
1060 		 * have an initialized label we can use.
1061 		 */
1062 		mac_syncache_destroy(&maclabel);
1063 		KASSERT(sc->sc_label != NULL,
1064 		    ("%s: label not initialized", __func__));
1065 #endif
1066 		/* Retransmit SYN|ACK and reset retransmit count. */
1067 		if ((s = tcp_log_addrs(&sc->sc_inc, th, NULL, NULL))) {
1068 			log(LOG_DEBUG, "%s; %s: Received duplicate SYN, "
1069 			    "resetting timer and retransmitting SYN|ACK\n",
1070 			    s, __func__);
1071 			free(s, M_TCPLOG);
1072 		}
1073 		if (!TOEPCB_ISSET(sc) && syncache_respond(sc) == 0) {
1074 			sc->sc_rxmits = 0;
1075 			syncache_timeout(sc, sch, 1);
1076 			V_tcpstat.tcps_sndacks++;
1077 			V_tcpstat.tcps_sndtotal++;
1078 		}
1079 		SCH_UNLOCK(sch);
1080 		goto done;
1081 	}
1082 
1083 	sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
1084 	if (sc == NULL) {
1085 		/*
1086 		 * The zone allocator couldn't provide more entries.
1087 		 * Treat this as if the cache was full; drop the oldest
1088 		 * entry and insert the new one.
1089 		 */
1090 		V_tcpstat.tcps_sc_zonefail++;
1091 		if ((sc = TAILQ_LAST(&sch->sch_bucket, sch_head)) != NULL)
1092 			syncache_drop(sc, sch);
1093 		sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
1094 		if (sc == NULL) {
1095 			if (tcp_syncookies) {
1096 				bzero(&scs, sizeof(scs));
1097 				sc = &scs;
1098 			} else {
1099 				SCH_UNLOCK(sch);
1100 				if (ipopts)
1101 					(void) m_free(ipopts);
1102 				goto done;
1103 			}
1104 		}
1105 	}
1106 
1107 	/*
1108 	 * Fill in the syncache values.
1109 	 */
1110 #ifdef MAC
1111 	sc->sc_label = maclabel;
1112 #endif
1113 	sc->sc_cred = cred;
1114 	cred = NULL;
1115 	sc->sc_ipopts = ipopts;
1116 	sc->sc_inc.inc_fibnum = inp->inp_inc.inc_fibnum;
1117 	bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
1118 #ifdef INET6
1119 	if (!inc->inc_isipv6)
1120 #endif
1121 	{
1122 		sc->sc_ip_tos = ip_tos;
1123 		sc->sc_ip_ttl = ip_ttl;
1124 	}
1125 #ifndef TCP_OFFLOAD_DISABLE
1126 	sc->sc_tu = tu;
1127 	sc->sc_toepcb = toepcb;
1128 #endif
1129 	sc->sc_irs = th->th_seq;
1130 	sc->sc_iss = arc4random();
1131 	sc->sc_flags = 0;
1132 	sc->sc_flowlabel = 0;
1133 
1134 	/*
1135 	 * Initial receive window: clip sbspace to [0 .. TCP_MAXWIN].
1136 	 * win was derived from socket earlier in the function.
1137 	 */
1138 	win = imax(win, 0);
1139 	win = imin(win, TCP_MAXWIN);
1140 	sc->sc_wnd = win;
1141 
1142 	if (V_tcp_do_rfc1323) {
1143 		/*
1144 		 * A timestamp received in a SYN makes
1145 		 * it ok to send timestamp requests and replies.
1146 		 */
1147 		if (to->to_flags & TOF_TS) {
1148 			sc->sc_tsreflect = to->to_tsval;
1149 			sc->sc_ts = ticks;
1150 			sc->sc_flags |= SCF_TIMESTAMP;
1151 		}
1152 		if (to->to_flags & TOF_SCALE) {
1153 			int wscale = 0;
1154 
1155 			/*
1156 			 * Pick the smallest possible scaling factor that
1157 			 * will still allow us to scale up to sb_max, aka
1158 			 * kern.ipc.maxsockbuf.
1159 			 *
1160 			 * We do this because there are broken firewalls that
1161 			 * will corrupt the window scale option, leading to
1162 			 * the other endpoint believing that our advertised
1163 			 * window is unscaled.  At scale factors larger than
1164 			 * 5 the unscaled window will drop below 1500 bytes,
1165 			 * leading to serious problems when traversing these
1166 			 * broken firewalls.
1167 			 *
1168 			 * With the default maxsockbuf of 256K, a scale factor
1169 			 * of 3 will be chosen by this algorithm.  Those who
1170 			 * choose a larger maxsockbuf should watch out
1171 			 * for the compatiblity problems mentioned above.
1172 			 *
1173 			 * RFC1323: The Window field in a SYN (i.e., a <SYN>
1174 			 * or <SYN,ACK>) segment itself is never scaled.
1175 			 */
1176 			while (wscale < TCP_MAX_WINSHIFT &&
1177 			    (TCP_MAXWIN << wscale) < sb_max)
1178 				wscale++;
1179 			sc->sc_requested_r_scale = wscale;
1180 			sc->sc_requested_s_scale = to->to_wscale;
1181 			sc->sc_flags |= SCF_WINSCALE;
1182 		}
1183 	}
1184 #ifdef TCP_SIGNATURE
1185 	/*
1186 	 * If listening socket requested TCP digests, and received SYN
1187 	 * contains the option, flag this in the syncache so that
1188 	 * syncache_respond() will do the right thing with the SYN+ACK.
1189 	 * XXX: Currently we always record the option by default and will
1190 	 * attempt to use it in syncache_respond().
1191 	 */
1192 	if (to->to_flags & TOF_SIGNATURE)
1193 		sc->sc_flags |= SCF_SIGNATURE;
1194 #endif
1195 	if (to->to_flags & TOF_SACKPERM)
1196 		sc->sc_flags |= SCF_SACK;
1197 	if (to->to_flags & TOF_MSS)
1198 		sc->sc_peer_mss = to->to_mss;	/* peer mss may be zero */
1199 	if (noopt)
1200 		sc->sc_flags |= SCF_NOOPT;
1201 	if ((th->th_flags & (TH_ECE|TH_CWR)) && V_tcp_do_ecn)
1202 		sc->sc_flags |= SCF_ECN;
1203 
1204 	if (tcp_syncookies) {
1205 		syncookie_generate(sch, sc, &flowtmp);
1206 #ifdef INET6
1207 		if (autoflowlabel)
1208 			sc->sc_flowlabel = flowtmp;
1209 #endif
1210 	} else {
1211 #ifdef INET6
1212 		if (autoflowlabel)
1213 			sc->sc_flowlabel =
1214 			    (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
1215 #endif
1216 	}
1217 	SCH_UNLOCK(sch);
1218 
1219 	/*
1220 	 * Do a standard 3-way handshake.
1221 	 */
1222 	if (TOEPCB_ISSET(sc) || syncache_respond(sc) == 0) {
1223 		if (tcp_syncookies && tcp_syncookiesonly && sc != &scs)
1224 			syncache_free(sc);
1225 		else if (sc != &scs)
1226 			syncache_insert(sc, sch);   /* locks and unlocks sch */
1227 		V_tcpstat.tcps_sndacks++;
1228 		V_tcpstat.tcps_sndtotal++;
1229 	} else {
1230 		if (sc != &scs)
1231 			syncache_free(sc);
1232 		V_tcpstat.tcps_sc_dropped++;
1233 	}
1234 
1235 done:
1236 	if (cred != NULL)
1237 		crfree(cred);
1238 #ifdef MAC
1239 	if (sc == &scs)
1240 		mac_syncache_destroy(&maclabel);
1241 #endif
1242 	if (m) {
1243 
1244 		*lsop = NULL;
1245 		m_freem(m);
1246 	}
1247 	return;
1248 }
1249 
1250 static int
1251 syncache_respond(struct syncache *sc)
1252 {
1253 	INIT_VNET_INET(curvnet);
1254 	struct ip *ip = NULL;
1255 	struct mbuf *m;
1256 	struct tcphdr *th;
1257 	int optlen, error;
1258 	u_int16_t hlen, tlen, mssopt;
1259 	struct tcpopt to;
1260 #ifdef INET6
1261 	struct ip6_hdr *ip6 = NULL;
1262 #endif
1263 
1264 	hlen =
1265 #ifdef INET6
1266 	       (sc->sc_inc.inc_isipv6) ? sizeof(struct ip6_hdr) :
1267 #endif
1268 		sizeof(struct ip);
1269 	tlen = hlen + sizeof(struct tcphdr);
1270 
1271 	/* Determine MSS we advertize to other end of connection. */
1272 	mssopt = tcp_mssopt(&sc->sc_inc);
1273 	if (sc->sc_peer_mss)
1274 		mssopt = max( min(sc->sc_peer_mss, mssopt), V_tcp_minmss);
1275 
1276 	/* XXX: Assume that the entire packet will fit in a header mbuf. */
1277 	KASSERT(max_linkhdr + tlen + TCP_MAXOLEN <= MHLEN,
1278 	    ("syncache: mbuf too small"));
1279 
1280 	/* Create the IP+TCP header from scratch. */
1281 	m = m_gethdr(M_DONTWAIT, MT_DATA);
1282 	if (m == NULL)
1283 		return (ENOBUFS);
1284 #ifdef MAC
1285 	mac_syncache_create_mbuf(sc->sc_label, m);
1286 #endif
1287 	m->m_data += max_linkhdr;
1288 	m->m_len = tlen;
1289 	m->m_pkthdr.len = tlen;
1290 	m->m_pkthdr.rcvif = NULL;
1291 
1292 #ifdef INET6
1293 	if (sc->sc_inc.inc_isipv6) {
1294 		ip6 = mtod(m, struct ip6_hdr *);
1295 		ip6->ip6_vfc = IPV6_VERSION;
1296 		ip6->ip6_nxt = IPPROTO_TCP;
1297 		ip6->ip6_src = sc->sc_inc.inc6_laddr;
1298 		ip6->ip6_dst = sc->sc_inc.inc6_faddr;
1299 		ip6->ip6_plen = htons(tlen - hlen);
1300 		/* ip6_hlim is set after checksum */
1301 		ip6->ip6_flow &= ~IPV6_FLOWLABEL_MASK;
1302 		ip6->ip6_flow |= sc->sc_flowlabel;
1303 
1304 		th = (struct tcphdr *)(ip6 + 1);
1305 	} else
1306 #endif
1307 	{
1308 		ip = mtod(m, struct ip *);
1309 		ip->ip_v = IPVERSION;
1310 		ip->ip_hl = sizeof(struct ip) >> 2;
1311 		ip->ip_len = tlen;
1312 		ip->ip_id = 0;
1313 		ip->ip_off = 0;
1314 		ip->ip_sum = 0;
1315 		ip->ip_p = IPPROTO_TCP;
1316 		ip->ip_src = sc->sc_inc.inc_laddr;
1317 		ip->ip_dst = sc->sc_inc.inc_faddr;
1318 		ip->ip_ttl = sc->sc_ip_ttl;
1319 		ip->ip_tos = sc->sc_ip_tos;
1320 
1321 		/*
1322 		 * See if we should do MTU discovery.  Route lookups are
1323 		 * expensive, so we will only unset the DF bit if:
1324 		 *
1325 		 *	1) path_mtu_discovery is disabled
1326 		 *	2) the SCF_UNREACH flag has been set
1327 		 */
1328 		if (V_path_mtu_discovery && ((sc->sc_flags & SCF_UNREACH) == 0))
1329 		       ip->ip_off |= IP_DF;
1330 
1331 		th = (struct tcphdr *)(ip + 1);
1332 	}
1333 	th->th_sport = sc->sc_inc.inc_lport;
1334 	th->th_dport = sc->sc_inc.inc_fport;
1335 
1336 	th->th_seq = htonl(sc->sc_iss);
1337 	th->th_ack = htonl(sc->sc_irs + 1);
1338 	th->th_off = sizeof(struct tcphdr) >> 2;
1339 	th->th_x2 = 0;
1340 	th->th_flags = TH_SYN|TH_ACK;
1341 	th->th_win = htons(sc->sc_wnd);
1342 	th->th_urp = 0;
1343 
1344 	if (sc->sc_flags & SCF_ECN) {
1345 		th->th_flags |= TH_ECE;
1346 		V_tcpstat.tcps_ecn_shs++;
1347 	}
1348 
1349 	/* Tack on the TCP options. */
1350 	if ((sc->sc_flags & SCF_NOOPT) == 0) {
1351 		to.to_flags = 0;
1352 
1353 		to.to_mss = mssopt;
1354 		to.to_flags = TOF_MSS;
1355 		if (sc->sc_flags & SCF_WINSCALE) {
1356 			to.to_wscale = sc->sc_requested_r_scale;
1357 			to.to_flags |= TOF_SCALE;
1358 		}
1359 		if (sc->sc_flags & SCF_TIMESTAMP) {
1360 			/* Virgin timestamp or TCP cookie enhanced one. */
1361 			to.to_tsval = sc->sc_ts;
1362 			to.to_tsecr = sc->sc_tsreflect;
1363 			to.to_flags |= TOF_TS;
1364 		}
1365 		if (sc->sc_flags & SCF_SACK)
1366 			to.to_flags |= TOF_SACKPERM;
1367 #ifdef TCP_SIGNATURE
1368 		if (sc->sc_flags & SCF_SIGNATURE)
1369 			to.to_flags |= TOF_SIGNATURE;
1370 #endif
1371 		optlen = tcp_addoptions(&to, (u_char *)(th + 1));
1372 
1373 		/* Adjust headers by option size. */
1374 		th->th_off = (sizeof(struct tcphdr) + optlen) >> 2;
1375 		m->m_len += optlen;
1376 		m->m_pkthdr.len += optlen;
1377 
1378 #ifdef TCP_SIGNATURE
1379 		if (sc->sc_flags & SCF_SIGNATURE)
1380 			tcp_signature_compute(m, 0, 0, optlen,
1381 			    to.to_signature, IPSEC_DIR_OUTBOUND);
1382 #endif
1383 #ifdef INET6
1384 		if (sc->sc_inc.inc_isipv6)
1385 			ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) + optlen);
1386 		else
1387 #endif
1388 			ip->ip_len += optlen;
1389 	} else
1390 		optlen = 0;
1391 
1392 #ifdef INET6
1393 	if (sc->sc_inc.inc_isipv6) {
1394 		th->th_sum = 0;
1395 		th->th_sum = in6_cksum(m, IPPROTO_TCP, hlen,
1396 				       tlen + optlen - hlen);
1397 		ip6->ip6_hlim = in6_selecthlim(NULL, NULL);
1398 		error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1399 	} else
1400 #endif
1401 	{
1402 		th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1403 		    htons(tlen + optlen - hlen + IPPROTO_TCP));
1404 		m->m_pkthdr.csum_flags = CSUM_TCP;
1405 		m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
1406 		error = ip_output(m, sc->sc_ipopts, NULL, 0, NULL, NULL);
1407 	}
1408 	return (error);
1409 }
1410 
1411 void
1412 syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
1413     struct inpcb *inp, struct socket **lsop, struct mbuf *m)
1414 {
1415 	_syncache_add(inc, to, th, inp, lsop, m, NULL, NULL);
1416 }
1417 
1418 void
1419 tcp_offload_syncache_add(struct in_conninfo *inc, struct tcpopt *to,
1420     struct tcphdr *th, struct inpcb *inp, struct socket **lsop,
1421     struct toe_usrreqs *tu, void *toepcb)
1422 {
1423 	INIT_VNET_INET(curvnet);
1424 
1425 	INP_INFO_WLOCK(&V_tcbinfo);
1426 	INP_WLOCK(inp);
1427 	_syncache_add(inc, to, th, inp, lsop, NULL, tu, toepcb);
1428 }
1429 
1430 /*
1431  * The purpose of SYN cookies is to avoid keeping track of all SYN's we
1432  * receive and to be able to handle SYN floods from bogus source addresses
1433  * (where we will never receive any reply).  SYN floods try to exhaust all
1434  * our memory and available slots in the SYN cache table to cause a denial
1435  * of service to legitimate users of the local host.
1436  *
1437  * The idea of SYN cookies is to encode and include all necessary information
1438  * about the connection setup state within the SYN-ACK we send back and thus
1439  * to get along without keeping any local state until the ACK to the SYN-ACK
1440  * arrives (if ever).  Everything we need to know should be available from
1441  * the information we encoded in the SYN-ACK.
1442  *
1443  * More information about the theory behind SYN cookies and its first
1444  * discussion and specification can be found at:
1445  *  http://cr.yp.to/syncookies.html    (overview)
1446  *  http://cr.yp.to/syncookies/archive (gory details)
1447  *
1448  * This implementation extends the orginal idea and first implementation
1449  * of FreeBSD by using not only the initial sequence number field to store
1450  * information but also the timestamp field if present.  This way we can
1451  * keep track of the entire state we need to know to recreate the session in
1452  * its original form.  Almost all TCP speakers implement RFC1323 timestamps
1453  * these days.  For those that do not we still have to live with the known
1454  * shortcomings of the ISN only SYN cookies.
1455  *
1456  * Cookie layers:
1457  *
1458  * Initial sequence number we send:
1459  * 31|................................|0
1460  *    DDDDDDDDDDDDDDDDDDDDDDDDDMMMRRRP
1461  *    D = MD5 Digest (first dword)
1462  *    M = MSS index
1463  *    R = Rotation of secret
1464  *    P = Odd or Even secret
1465  *
1466  * The MD5 Digest is computed with over following parameters:
1467  *  a) randomly rotated secret
1468  *  b) struct in_conninfo containing the remote/local ip/port (IPv4&IPv6)
1469  *  c) the received initial sequence number from remote host
1470  *  d) the rotation offset and odd/even bit
1471  *
1472  * Timestamp we send:
1473  * 31|................................|0
1474  *    DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
1475  *    D = MD5 Digest (third dword) (only as filler)
1476  *    S = Requested send window scale
1477  *    R = Requested receive window scale
1478  *    A = SACK allowed
1479  *    5 = TCP-MD5 enabled (not implemented yet)
1480  *    XORed with MD5 Digest (forth dword)
1481  *
1482  * The timestamp isn't cryptographically secure and doesn't need to be.
1483  * The double use of the MD5 digest dwords ties it to a specific remote/
1484  * local host/port, remote initial sequence number and our local time
1485  * limited secret.  A received timestamp is reverted (XORed) and then
1486  * the contained MD5 dword is compared to the computed one to ensure the
1487  * timestamp belongs to the SYN-ACK we sent.  The other parameters may
1488  * have been tampered with but this isn't different from supplying bogus
1489  * values in the SYN in the first place.
1490  *
1491  * Some problems with SYN cookies remain however:
1492  * Consider the problem of a recreated (and retransmitted) cookie.  If the
1493  * original SYN was accepted, the connection is established.  The second
1494  * SYN is inflight, and if it arrives with an ISN that falls within the
1495  * receive window, the connection is killed.
1496  *
1497  * Notes:
1498  * A heuristic to determine when to accept syn cookies is not necessary.
1499  * An ACK flood would cause the syncookie verification to be attempted,
1500  * but a SYN flood causes syncookies to be generated.  Both are of equal
1501  * cost, so there's no point in trying to optimize the ACK flood case.
1502  * Also, if you don't process certain ACKs for some reason, then all someone
1503  * would have to do is launch a SYN and ACK flood at the same time, which
1504  * would stop cookie verification and defeat the entire purpose of syncookies.
1505  */
1506 static int tcp_sc_msstab[] = { 0, 256, 468, 536, 996, 1452, 1460, 8960 };
1507 
1508 static void
1509 syncookie_generate(struct syncache_head *sch, struct syncache *sc,
1510     u_int32_t *flowlabel)
1511 {
1512 	INIT_VNET_INET(curvnet);
1513 	MD5_CTX ctx;
1514 	u_int32_t md5_buffer[MD5_DIGEST_LENGTH / sizeof(u_int32_t)];
1515 	u_int32_t data;
1516 	u_int32_t *secbits;
1517 	u_int off, pmss, mss;
1518 	int i;
1519 
1520 	SCH_LOCK_ASSERT(sch);
1521 
1522 	/* Which of the two secrets to use. */
1523 	secbits = sch->sch_oddeven ?
1524 			sch->sch_secbits_odd : sch->sch_secbits_even;
1525 
1526 	/* Reseed secret if too old. */
1527 	if (sch->sch_reseed < time_uptime) {
1528 		sch->sch_oddeven = sch->sch_oddeven ? 0 : 1;	/* toggle */
1529 		secbits = sch->sch_oddeven ?
1530 				sch->sch_secbits_odd : sch->sch_secbits_even;
1531 		for (i = 0; i < SYNCOOKIE_SECRET_SIZE; i++)
1532 			secbits[i] = arc4random();
1533 		sch->sch_reseed = time_uptime + SYNCOOKIE_LIFETIME;
1534 	}
1535 
1536 	/* Secret rotation offset. */
1537 	off = sc->sc_iss & 0x7;			/* iss was randomized before */
1538 
1539 	/* Maximum segment size calculation. */
1540 	pmss =
1541 	    max( min(sc->sc_peer_mss, tcp_mssopt(&sc->sc_inc)),	V_tcp_minmss);
1542 	for (mss = sizeof(tcp_sc_msstab) / sizeof(int) - 1; mss > 0; mss--)
1543 		if (tcp_sc_msstab[mss] <= pmss)
1544 			break;
1545 
1546 	/* Fold parameters and MD5 digest into the ISN we will send. */
1547 	data = sch->sch_oddeven;/* odd or even secret, 1 bit */
1548 	data |= off << 1;	/* secret offset, derived from iss, 3 bits */
1549 	data |= mss << 4;	/* mss, 3 bits */
1550 
1551 	MD5Init(&ctx);
1552 	MD5Update(&ctx, ((u_int8_t *)secbits) + off,
1553 	    SYNCOOKIE_SECRET_SIZE * sizeof(*secbits) - off);
1554 	MD5Update(&ctx, secbits, off);
1555 	MD5Update(&ctx, &sc->sc_inc, sizeof(sc->sc_inc));
1556 	MD5Update(&ctx, &sc->sc_irs, sizeof(sc->sc_irs));
1557 	MD5Update(&ctx, &data, sizeof(data));
1558 	MD5Final((u_int8_t *)&md5_buffer, &ctx);
1559 
1560 	data |= (md5_buffer[0] << 7);
1561 	sc->sc_iss = data;
1562 
1563 #ifdef INET6
1564 	*flowlabel = md5_buffer[1] & IPV6_FLOWLABEL_MASK;
1565 #endif
1566 
1567 	/* Additional parameters are stored in the timestamp if present. */
1568 	if (sc->sc_flags & SCF_TIMESTAMP) {
1569 		data =  ((sc->sc_flags & SCF_SIGNATURE) ? 1 : 0); /* TCP-MD5, 1 bit */
1570 		data |= ((sc->sc_flags & SCF_SACK) ? 1 : 0) << 1; /* SACK, 1 bit */
1571 		data |= sc->sc_requested_s_scale << 2;  /* SWIN scale, 4 bits */
1572 		data |= sc->sc_requested_r_scale << 6;  /* RWIN scale, 4 bits */
1573 		data |= md5_buffer[2] << 10;		/* more digest bits */
1574 		data ^= md5_buffer[3];
1575 		sc->sc_ts = data;
1576 		sc->sc_tsoff = data - ticks;		/* after XOR */
1577 	}
1578 
1579 	V_tcpstat.tcps_sc_sendcookie++;
1580 	return;
1581 }
1582 
1583 static struct syncache *
1584 syncookie_lookup(struct in_conninfo *inc, struct syncache_head *sch,
1585     struct syncache *sc, struct tcpopt *to, struct tcphdr *th,
1586     struct socket *so)
1587 {
1588 	INIT_VNET_INET(curvnet);
1589 	MD5_CTX ctx;
1590 	u_int32_t md5_buffer[MD5_DIGEST_LENGTH / sizeof(u_int32_t)];
1591 	u_int32_t data = 0;
1592 	u_int32_t *secbits;
1593 	tcp_seq ack, seq;
1594 	int off, mss, wnd, flags;
1595 
1596 	SCH_LOCK_ASSERT(sch);
1597 
1598 	/*
1599 	 * Pull information out of SYN-ACK/ACK and
1600 	 * revert sequence number advances.
1601 	 */
1602 	ack = th->th_ack - 1;
1603 	seq = th->th_seq - 1;
1604 	off = (ack >> 1) & 0x7;
1605 	mss = (ack >> 4) & 0x7;
1606 	flags = ack & 0x7f;
1607 
1608 	/* Which of the two secrets to use. */
1609 	secbits = (flags & 0x1) ? sch->sch_secbits_odd : sch->sch_secbits_even;
1610 
1611 	/*
1612 	 * The secret wasn't updated for the lifetime of a syncookie,
1613 	 * so this SYN-ACK/ACK is either too old (replay) or totally bogus.
1614 	 */
1615 	if (sch->sch_reseed + SYNCOOKIE_LIFETIME < time_uptime) {
1616 		return (NULL);
1617 	}
1618 
1619 	/* Recompute the digest so we can compare it. */
1620 	MD5Init(&ctx);
1621 	MD5Update(&ctx, ((u_int8_t *)secbits) + off,
1622 	    SYNCOOKIE_SECRET_SIZE * sizeof(*secbits) - off);
1623 	MD5Update(&ctx, secbits, off);
1624 	MD5Update(&ctx, inc, sizeof(*inc));
1625 	MD5Update(&ctx, &seq, sizeof(seq));
1626 	MD5Update(&ctx, &flags, sizeof(flags));
1627 	MD5Final((u_int8_t *)&md5_buffer, &ctx);
1628 
1629 	/* Does the digest part of or ACK'ed ISS match? */
1630 	if ((ack & (~0x7f)) != (md5_buffer[0] << 7))
1631 		return (NULL);
1632 
1633 	/* Does the digest part of our reflected timestamp match? */
1634 	if (to->to_flags & TOF_TS) {
1635 		data = md5_buffer[3] ^ to->to_tsecr;
1636 		if ((data & (~0x3ff)) != (md5_buffer[2] << 10))
1637 			return (NULL);
1638 	}
1639 
1640 	/* Fill in the syncache values. */
1641 	bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
1642 	sc->sc_ipopts = NULL;
1643 
1644 	sc->sc_irs = seq;
1645 	sc->sc_iss = ack;
1646 
1647 #ifdef INET6
1648 	if (inc->inc_isipv6) {
1649 		if (sotoinpcb(so)->in6p_flags & IN6P_AUTOFLOWLABEL)
1650 			sc->sc_flowlabel = md5_buffer[1] & IPV6_FLOWLABEL_MASK;
1651 	} else
1652 #endif
1653 	{
1654 		sc->sc_ip_ttl = sotoinpcb(so)->inp_ip_ttl;
1655 		sc->sc_ip_tos = sotoinpcb(so)->inp_ip_tos;
1656 	}
1657 
1658 	/* Additional parameters that were encoded in the timestamp. */
1659 	if (data) {
1660 		sc->sc_flags |= SCF_TIMESTAMP;
1661 		sc->sc_tsreflect = to->to_tsval;
1662 		sc->sc_ts = to->to_tsecr;
1663 		sc->sc_tsoff = to->to_tsecr - ticks;
1664 		sc->sc_flags |= (data & 0x1) ? SCF_SIGNATURE : 0;
1665 		sc->sc_flags |= ((data >> 1) & 0x1) ? SCF_SACK : 0;
1666 		sc->sc_requested_s_scale = min((data >> 2) & 0xf,
1667 		    TCP_MAX_WINSHIFT);
1668 		sc->sc_requested_r_scale = min((data >> 6) & 0xf,
1669 		    TCP_MAX_WINSHIFT);
1670 		if (sc->sc_requested_s_scale || sc->sc_requested_r_scale)
1671 			sc->sc_flags |= SCF_WINSCALE;
1672 	} else
1673 		sc->sc_flags |= SCF_NOOPT;
1674 
1675 	wnd = sbspace(&so->so_rcv);
1676 	wnd = imax(wnd, 0);
1677 	wnd = imin(wnd, TCP_MAXWIN);
1678 	sc->sc_wnd = wnd;
1679 
1680 	sc->sc_rxmits = 0;
1681 	sc->sc_peer_mss = tcp_sc_msstab[mss];
1682 
1683 	V_tcpstat.tcps_sc_recvcookie++;
1684 	return (sc);
1685 }
1686 
1687 /*
1688  * Returns the current number of syncache entries.  This number
1689  * will probably change before you get around to calling
1690  * syncache_pcblist.
1691  */
1692 
1693 int
1694 syncache_pcbcount(void)
1695 {
1696 	INIT_VNET_INET(curvnet);
1697 	struct syncache_head *sch;
1698 	int count, i;
1699 
1700 	for (count = 0, i = 0; i < V_tcp_syncache.hashsize; i++) {
1701 		/* No need to lock for a read. */
1702 		sch = &V_tcp_syncache.hashbase[i];
1703 		count += sch->sch_length;
1704 	}
1705 	return count;
1706 }
1707 
1708 /*
1709  * Exports the syncache entries to userland so that netstat can display
1710  * them alongside the other sockets.  This function is intended to be
1711  * called only from tcp_pcblist.
1712  *
1713  * Due to concurrency on an active system, the number of pcbs exported
1714  * may have no relation to max_pcbs.  max_pcbs merely indicates the
1715  * amount of space the caller allocated for this function to use.
1716  */
1717 int
1718 syncache_pcblist(struct sysctl_req *req, int max_pcbs, int *pcbs_exported)
1719 {
1720 	INIT_VNET_INET(curvnet);
1721 	struct xtcpcb xt;
1722 	struct syncache *sc;
1723 	struct syncache_head *sch;
1724 	int count, error, i;
1725 
1726 	for (count = 0, error = 0, i = 0; i < V_tcp_syncache.hashsize; i++) {
1727 		sch = &V_tcp_syncache.hashbase[i];
1728 		SCH_LOCK(sch);
1729 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
1730 			if (count >= max_pcbs) {
1731 				SCH_UNLOCK(sch);
1732 				goto exit;
1733 			}
1734 			if (cr_cansee(req->td->td_ucred, sc->sc_cred) != 0)
1735 				continue;
1736 			bzero(&xt, sizeof(xt));
1737 			xt.xt_len = sizeof(xt);
1738 			if (sc->sc_inc.inc_isipv6)
1739 				xt.xt_inp.inp_vflag = INP_IPV6;
1740 			else
1741 				xt.xt_inp.inp_vflag = INP_IPV4;
1742 			bcopy(&sc->sc_inc, &xt.xt_inp.inp_inc, sizeof (struct in_conninfo));
1743 			xt.xt_tp.t_inpcb = &xt.xt_inp;
1744 			xt.xt_tp.t_state = TCPS_SYN_RECEIVED;
1745 			xt.xt_socket.xso_protocol = IPPROTO_TCP;
1746 			xt.xt_socket.xso_len = sizeof (struct xsocket);
1747 			xt.xt_socket.so_type = SOCK_STREAM;
1748 			xt.xt_socket.so_state = SS_ISCONNECTING;
1749 			error = SYSCTL_OUT(req, &xt, sizeof xt);
1750 			if (error) {
1751 				SCH_UNLOCK(sch);
1752 				goto exit;
1753 			}
1754 			count++;
1755 		}
1756 		SCH_UNLOCK(sch);
1757 	}
1758 exit:
1759 	*pcbs_exported = count;
1760 	return error;
1761 }
1762