1 /*- 2 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95 30 * $FreeBSD$ 31 */ 32 33 #include "opt_compat.h" 34 #include "opt_inet.h" 35 #include "opt_inet6.h" 36 #include "opt_ipsec.h" 37 #include "opt_mac.h" 38 #include "opt_tcpdebug.h" 39 #include "opt_tcp_sack.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/callout.h> 44 #include <sys/kernel.h> 45 #include <sys/sysctl.h> 46 #include <sys/mac.h> 47 #include <sys/malloc.h> 48 #include <sys/mbuf.h> 49 #ifdef INET6 50 #include <sys/domain.h> 51 #endif 52 #include <sys/proc.h> 53 #include <sys/socket.h> 54 #include <sys/socketvar.h> 55 #include <sys/protosw.h> 56 #include <sys/random.h> 57 58 #include <vm/uma.h> 59 60 #include <net/route.h> 61 #include <net/if.h> 62 63 #include <netinet/in.h> 64 #include <netinet/in_systm.h> 65 #include <netinet/ip.h> 66 #ifdef INET6 67 #include <netinet/ip6.h> 68 #endif 69 #include <netinet/in_pcb.h> 70 #ifdef INET6 71 #include <netinet6/in6_pcb.h> 72 #endif 73 #include <netinet/in_var.h> 74 #include <netinet/ip_var.h> 75 #ifdef INET6 76 #include <netinet6/ip6_var.h> 77 #include <netinet6/nd6.h> 78 #endif 79 #include <netinet/tcp.h> 80 #include <netinet/tcp_fsm.h> 81 #include <netinet/tcp_seq.h> 82 #include <netinet/tcp_timer.h> 83 #include <netinet/tcp_var.h> 84 #ifdef INET6 85 #include <netinet6/tcp6_var.h> 86 #endif 87 #include <netinet/tcpip.h> 88 #ifdef TCPDEBUG 89 #include <netinet/tcp_debug.h> 90 #endif 91 #include <netinet6/ip6protosw.h> 92 93 #ifdef IPSEC 94 #include <netinet6/ipsec.h> 95 #ifdef INET6 96 #include <netinet6/ipsec6.h> 97 #endif 98 #include <netkey/key.h> 99 #endif /*IPSEC*/ 100 101 #ifdef FAST_IPSEC 102 #include <netipsec/ipsec.h> 103 #include <netipsec/xform.h> 104 #ifdef INET6 105 #include <netipsec/ipsec6.h> 106 #endif 107 #include <netipsec/key.h> 108 #define IPSEC 109 #endif /*FAST_IPSEC*/ 110 111 #include <machine/in_cksum.h> 112 #include <sys/md5.h> 113 114 int tcp_mssdflt = TCP_MSS; 115 SYSCTL_INT(_net_inet_tcp, TCPCTL_MSSDFLT, mssdflt, CTLFLAG_RW, 116 &tcp_mssdflt , 0, "Default TCP Maximum Segment Size"); 117 118 #ifdef INET6 119 int tcp_v6mssdflt = TCP6_MSS; 120 SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt, 121 CTLFLAG_RW, &tcp_v6mssdflt , 0, 122 "Default TCP Maximum Segment Size for IPv6"); 123 #endif 124 125 /* 126 * Minimum MSS we accept and use. This prevents DoS attacks where 127 * we are forced to a ridiculous low MSS like 20 and send hundreds 128 * of packets instead of one. The effect scales with the available 129 * bandwidth and quickly saturates the CPU and network interface 130 * with packet generation and sending. Set to zero to disable MINMSS 131 * checking. This setting prevents us from sending too small packets. 132 */ 133 int tcp_minmss = TCP_MINMSS; 134 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW, 135 &tcp_minmss , 0, "Minmum TCP Maximum Segment Size"); 136 /* 137 * Number of TCP segments per second we accept from remote host 138 * before we start to calculate average segment size. If average 139 * segment size drops below the minimum TCP MSS we assume a DoS 140 * attack and reset+drop the connection. Care has to be taken not to 141 * set this value too small to not kill interactive type connections 142 * (telnet, SSH) which send many small packets. 143 */ 144 int tcp_minmssoverload = TCP_MINMSSOVERLOAD; 145 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW, 146 &tcp_minmssoverload , 0, "Number of TCP Segments per Second allowed to" 147 "be under the MINMSS Size"); 148 149 #if 0 150 static int tcp_rttdflt = TCPTV_SRTTDFLT / PR_SLOWHZ; 151 SYSCTL_INT(_net_inet_tcp, TCPCTL_RTTDFLT, rttdflt, CTLFLAG_RW, 152 &tcp_rttdflt , 0, "Default maximum TCP Round Trip Time"); 153 #endif 154 155 int tcp_do_rfc1323 = 1; 156 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW, 157 &tcp_do_rfc1323 , 0, "Enable rfc1323 (high performance TCP) extensions"); 158 159 static int tcp_tcbhashsize = 0; 160 SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcbhashsize, CTLFLAG_RDTUN, 161 &tcp_tcbhashsize, 0, "Size of TCP control-block hashtable"); 162 163 static int do_tcpdrain = 1; 164 SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0, 165 "Enable tcp_drain routine for extra help when low on mbufs"); 166 167 SYSCTL_INT(_net_inet_tcp, OID_AUTO, pcbcount, CTLFLAG_RD, 168 &tcbinfo.ipi_count, 0, "Number of active PCBs"); 169 170 static int icmp_may_rst = 1; 171 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0, 172 "Certain ICMP unreachable messages may abort connections in SYN_SENT"); 173 174 static int tcp_isn_reseed_interval = 0; 175 SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW, 176 &tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret"); 177 178 /* 179 * TCP bandwidth limiting sysctls. Note that the default lower bound of 180 * 1024 exists only for debugging. A good production default would be 181 * something like 6100. 182 */ 183 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0, 184 "TCP inflight data limiting"); 185 186 static int tcp_inflight_enable = 1; 187 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, enable, CTLFLAG_RW, 188 &tcp_inflight_enable, 0, "Enable automatic TCP inflight data limiting"); 189 190 static int tcp_inflight_debug = 0; 191 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW, 192 &tcp_inflight_debug, 0, "Debug TCP inflight calculations"); 193 194 static int tcp_inflight_min = 6144; 195 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, min, CTLFLAG_RW, 196 &tcp_inflight_min, 0, "Lower-bound for TCP inflight window"); 197 198 static int tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT; 199 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, max, CTLFLAG_RW, 200 &tcp_inflight_max, 0, "Upper-bound for TCP inflight window"); 201 202 static int tcp_inflight_stab = 20; 203 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, stab, CTLFLAG_RW, 204 &tcp_inflight_stab, 0, "Inflight Algorithm Stabilization 20 = 2 packets"); 205 206 uma_zone_t sack_hole_zone; 207 208 static struct inpcb *tcp_notify(struct inpcb *, int); 209 static void tcp_discardcb(struct tcpcb *); 210 static void tcp_isn_tick(void *); 211 212 /* 213 * Target size of TCP PCB hash tables. Must be a power of two. 214 * 215 * Note that this can be overridden by the kernel environment 216 * variable net.inet.tcp.tcbhashsize 217 */ 218 #ifndef TCBHASHSIZE 219 #define TCBHASHSIZE 512 220 #endif 221 222 /* 223 * XXX 224 * Callouts should be moved into struct tcp directly. They are currently 225 * separate because the tcpcb structure is exported to userland for sysctl 226 * parsing purposes, which do not know about callouts. 227 */ 228 struct tcpcb_mem { 229 struct tcpcb tcb; 230 struct callout tcpcb_mem_rexmt, tcpcb_mem_persist, tcpcb_mem_keep; 231 struct callout tcpcb_mem_2msl, tcpcb_mem_delack; 232 }; 233 234 static uma_zone_t tcpcb_zone; 235 static uma_zone_t tcptw_zone; 236 struct callout isn_callout; 237 238 /* 239 * Tcp initialization 240 */ 241 void 242 tcp_init() 243 { 244 int hashsize = TCBHASHSIZE; 245 246 tcp_delacktime = TCPTV_DELACK; 247 tcp_keepinit = TCPTV_KEEP_INIT; 248 tcp_keepidle = TCPTV_KEEP_IDLE; 249 tcp_keepintvl = TCPTV_KEEPINTVL; 250 tcp_maxpersistidle = TCPTV_KEEP_IDLE; 251 tcp_msl = TCPTV_MSL; 252 tcp_rexmit_min = TCPTV_MIN; 253 tcp_rexmit_slop = TCPTV_CPU_VAR; 254 255 INP_INFO_LOCK_INIT(&tcbinfo, "tcp"); 256 LIST_INIT(&tcb); 257 tcbinfo.listhead = &tcb; 258 TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize); 259 if (!powerof2(hashsize)) { 260 printf("WARNING: TCB hash size not a power of 2\n"); 261 hashsize = 512; /* safe default */ 262 } 263 tcp_tcbhashsize = hashsize; 264 tcbinfo.hashbase = hashinit(hashsize, M_PCB, &tcbinfo.hashmask); 265 tcbinfo.porthashbase = hashinit(hashsize, M_PCB, 266 &tcbinfo.porthashmask); 267 tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb), 268 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 269 uma_zone_set_max(tcbinfo.ipi_zone, maxsockets); 270 #ifdef INET6 271 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr)) 272 #else /* INET6 */ 273 #define TCP_MINPROTOHDR (sizeof(struct tcpiphdr)) 274 #endif /* INET6 */ 275 if (max_protohdr < TCP_MINPROTOHDR) 276 max_protohdr = TCP_MINPROTOHDR; 277 if (max_linkhdr + TCP_MINPROTOHDR > MHLEN) 278 panic("tcp_init"); 279 #undef TCP_MINPROTOHDR 280 /* 281 * These have to be type stable for the benefit of the timers. 282 */ 283 tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem), 284 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 285 uma_zone_set_max(tcpcb_zone, maxsockets); 286 tcptw_zone = uma_zcreate("tcptw", sizeof(struct tcptw), 287 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 288 uma_zone_set_max(tcptw_zone, maxsockets / 5); 289 tcp_timer_init(); 290 syncache_init(); 291 tcp_hc_init(); 292 tcp_reass_init(); 293 callout_init(&isn_callout, CALLOUT_MPSAFE); 294 tcp_isn_tick(NULL); 295 EVENTHANDLER_REGISTER(shutdown_pre_sync, tcp_fini, NULL, 296 SHUTDOWN_PRI_DEFAULT); 297 sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole), 298 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 299 } 300 301 void 302 tcp_fini(xtp) 303 void *xtp; 304 { 305 callout_stop(&isn_callout); 306 307 } 308 309 /* 310 * Fill in the IP and TCP headers for an outgoing packet, given the tcpcb. 311 * tcp_template used to store this data in mbufs, but we now recopy it out 312 * of the tcpcb each time to conserve mbufs. 313 */ 314 void 315 tcpip_fillheaders(inp, ip_ptr, tcp_ptr) 316 struct inpcb *inp; 317 void *ip_ptr; 318 void *tcp_ptr; 319 { 320 struct tcphdr *th = (struct tcphdr *)tcp_ptr; 321 322 INP_LOCK_ASSERT(inp); 323 324 #ifdef INET6 325 if ((inp->inp_vflag & INP_IPV6) != 0) { 326 struct ip6_hdr *ip6; 327 328 ip6 = (struct ip6_hdr *)ip_ptr; 329 ip6->ip6_flow = (ip6->ip6_flow & ~IPV6_FLOWINFO_MASK) | 330 (inp->in6p_flowinfo & IPV6_FLOWINFO_MASK); 331 ip6->ip6_vfc = (ip6->ip6_vfc & ~IPV6_VERSION_MASK) | 332 (IPV6_VERSION & IPV6_VERSION_MASK); 333 ip6->ip6_nxt = IPPROTO_TCP; 334 ip6->ip6_plen = sizeof(struct tcphdr); 335 ip6->ip6_src = inp->in6p_laddr; 336 ip6->ip6_dst = inp->in6p_faddr; 337 } else 338 #endif 339 { 340 struct ip *ip; 341 342 ip = (struct ip *)ip_ptr; 343 ip->ip_v = IPVERSION; 344 ip->ip_hl = 5; 345 ip->ip_tos = inp->inp_ip_tos; 346 ip->ip_len = 0; 347 ip->ip_id = 0; 348 ip->ip_off = 0; 349 ip->ip_ttl = inp->inp_ip_ttl; 350 ip->ip_sum = 0; 351 ip->ip_p = IPPROTO_TCP; 352 ip->ip_src = inp->inp_laddr; 353 ip->ip_dst = inp->inp_faddr; 354 } 355 th->th_sport = inp->inp_lport; 356 th->th_dport = inp->inp_fport; 357 th->th_seq = 0; 358 th->th_ack = 0; 359 th->th_x2 = 0; 360 th->th_off = 5; 361 th->th_flags = 0; 362 th->th_win = 0; 363 th->th_urp = 0; 364 th->th_sum = 0; /* in_pseudo() is called later for ipv4 */ 365 } 366 367 /* 368 * Create template to be used to send tcp packets on a connection. 369 * Allocates an mbuf and fills in a skeletal tcp/ip header. The only 370 * use for this function is in keepalives, which use tcp_respond. 371 */ 372 struct tcptemp * 373 tcpip_maketemplate(inp) 374 struct inpcb *inp; 375 { 376 struct mbuf *m; 377 struct tcptemp *n; 378 379 m = m_get(M_DONTWAIT, MT_HEADER); 380 if (m == NULL) 381 return (0); 382 m->m_len = sizeof(struct tcptemp); 383 n = mtod(m, struct tcptemp *); 384 385 tcpip_fillheaders(inp, (void *)&n->tt_ipgen, (void *)&n->tt_t); 386 return (n); 387 } 388 389 /* 390 * Send a single message to the TCP at address specified by 391 * the given TCP/IP header. If m == NULL, then we make a copy 392 * of the tcpiphdr at ti and send directly to the addressed host. 393 * This is used to force keep alive messages out using the TCP 394 * template for a connection. If flags are given then we send 395 * a message back to the TCP which originated the * segment ti, 396 * and discard the mbuf containing it and any other attached mbufs. 397 * 398 * In any case the ack and sequence number of the transmitted 399 * segment are as specified by the parameters. 400 * 401 * NOTE: If m != NULL, then ti must point to *inside* the mbuf. 402 */ 403 void 404 tcp_respond(tp, ipgen, th, m, ack, seq, flags) 405 struct tcpcb *tp; 406 void *ipgen; 407 register struct tcphdr *th; 408 register struct mbuf *m; 409 tcp_seq ack, seq; 410 int flags; 411 { 412 register int tlen; 413 int win = 0; 414 struct ip *ip; 415 struct tcphdr *nth; 416 #ifdef INET6 417 struct ip6_hdr *ip6; 418 int isipv6; 419 #endif /* INET6 */ 420 int ipflags = 0; 421 struct inpcb *inp; 422 423 KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL")); 424 425 #ifdef INET6 426 isipv6 = ((struct ip *)ipgen)->ip_v == 6; 427 ip6 = ipgen; 428 #endif /* INET6 */ 429 ip = ipgen; 430 431 if (tp != NULL) { 432 inp = tp->t_inpcb; 433 KASSERT(inp != NULL, ("tcp control block w/o inpcb")); 434 INP_INFO_WLOCK_ASSERT(&tcbinfo); 435 INP_LOCK_ASSERT(inp); 436 } else 437 inp = NULL; 438 439 if (tp != NULL) { 440 if (!(flags & TH_RST)) { 441 win = sbspace(&inp->inp_socket->so_rcv); 442 if (win > (long)TCP_MAXWIN << tp->rcv_scale) 443 win = (long)TCP_MAXWIN << tp->rcv_scale; 444 } 445 } 446 if (m == NULL) { 447 m = m_gethdr(M_DONTWAIT, MT_HEADER); 448 if (m == NULL) 449 return; 450 tlen = 0; 451 m->m_data += max_linkhdr; 452 #ifdef INET6 453 if (isipv6) { 454 bcopy((caddr_t)ip6, mtod(m, caddr_t), 455 sizeof(struct ip6_hdr)); 456 ip6 = mtod(m, struct ip6_hdr *); 457 nth = (struct tcphdr *)(ip6 + 1); 458 } else 459 #endif /* INET6 */ 460 { 461 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 462 ip = mtod(m, struct ip *); 463 nth = (struct tcphdr *)(ip + 1); 464 } 465 bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr)); 466 flags = TH_ACK; 467 } else { 468 m_freem(m->m_next); 469 m->m_next = NULL; 470 m->m_data = (caddr_t)ipgen; 471 /* m_len is set later */ 472 tlen = 0; 473 #define xchg(a,b,type) { type t; t=a; a=b; b=t; } 474 #ifdef INET6 475 if (isipv6) { 476 xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr); 477 nth = (struct tcphdr *)(ip6 + 1); 478 } else 479 #endif /* INET6 */ 480 { 481 xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, n_long); 482 nth = (struct tcphdr *)(ip + 1); 483 } 484 if (th != nth) { 485 /* 486 * this is usually a case when an extension header 487 * exists between the IPv6 header and the 488 * TCP header. 489 */ 490 nth->th_sport = th->th_sport; 491 nth->th_dport = th->th_dport; 492 } 493 xchg(nth->th_dport, nth->th_sport, n_short); 494 #undef xchg 495 } 496 #ifdef INET6 497 if (isipv6) { 498 ip6->ip6_flow = 0; 499 ip6->ip6_vfc = IPV6_VERSION; 500 ip6->ip6_nxt = IPPROTO_TCP; 501 ip6->ip6_plen = htons((u_short)(sizeof (struct tcphdr) + 502 tlen)); 503 tlen += sizeof (struct ip6_hdr) + sizeof (struct tcphdr); 504 } else 505 #endif 506 { 507 tlen += sizeof (struct tcpiphdr); 508 ip->ip_len = tlen; 509 ip->ip_ttl = ip_defttl; 510 if (path_mtu_discovery) 511 ip->ip_off |= IP_DF; 512 } 513 m->m_len = tlen; 514 m->m_pkthdr.len = tlen; 515 m->m_pkthdr.rcvif = NULL; 516 #ifdef MAC 517 if (inp != NULL) { 518 /* 519 * Packet is associated with a socket, so allow the 520 * label of the response to reflect the socket label. 521 */ 522 INP_LOCK_ASSERT(inp); 523 mac_create_mbuf_from_inpcb(inp, m); 524 } else { 525 /* 526 * Packet is not associated with a socket, so possibly 527 * update the label in place. 528 */ 529 mac_reflect_mbuf_tcp(m); 530 } 531 #endif 532 nth->th_seq = htonl(seq); 533 nth->th_ack = htonl(ack); 534 nth->th_x2 = 0; 535 nth->th_off = sizeof (struct tcphdr) >> 2; 536 nth->th_flags = flags; 537 if (tp != NULL) 538 nth->th_win = htons((u_short) (win >> tp->rcv_scale)); 539 else 540 nth->th_win = htons((u_short)win); 541 nth->th_urp = 0; 542 #ifdef INET6 543 if (isipv6) { 544 nth->th_sum = 0; 545 nth->th_sum = in6_cksum(m, IPPROTO_TCP, 546 sizeof(struct ip6_hdr), 547 tlen - sizeof(struct ip6_hdr)); 548 ip6->ip6_hlim = in6_selecthlim(tp != NULL ? tp->t_inpcb : 549 NULL, NULL); 550 } else 551 #endif /* INET6 */ 552 { 553 nth->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, 554 htons((u_short)(tlen - sizeof(struct ip) + ip->ip_p))); 555 m->m_pkthdr.csum_flags = CSUM_TCP; 556 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); 557 } 558 #ifdef TCPDEBUG 559 if (tp == NULL || (inp->inp_socket->so_options & SO_DEBUG)) 560 tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0); 561 #endif 562 #ifdef INET6 563 if (isipv6) 564 (void) ip6_output(m, NULL, NULL, ipflags, NULL, NULL, inp); 565 else 566 #endif /* INET6 */ 567 (void) ip_output(m, NULL, NULL, ipflags, NULL, inp); 568 } 569 570 /* 571 * Create a new TCP control block, making an 572 * empty reassembly queue and hooking it to the argument 573 * protocol control block. The `inp' parameter must have 574 * come from the zone allocator set up in tcp_init(). 575 */ 576 struct tcpcb * 577 tcp_newtcpcb(inp) 578 struct inpcb *inp; 579 { 580 struct tcpcb_mem *tm; 581 struct tcpcb *tp; 582 #ifdef INET6 583 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0; 584 #endif /* INET6 */ 585 int callout_flag; 586 587 tm = uma_zalloc(tcpcb_zone, M_NOWAIT | M_ZERO); 588 if (tm == NULL) 589 return (NULL); 590 tp = &tm->tcb; 591 /* LIST_INIT(&tp->t_segq); */ /* XXX covered by M_ZERO */ 592 tp->t_maxseg = tp->t_maxopd = 593 #ifdef INET6 594 isipv6 ? tcp_v6mssdflt : 595 #endif /* INET6 */ 596 tcp_mssdflt; 597 598 /* Set up our timeouts. */ 599 callout_flag = debug_mpsafenet ? CALLOUT_MPSAFE : 0; 600 callout_init(tp->tt_rexmt = &tm->tcpcb_mem_rexmt, callout_flag); 601 callout_init(tp->tt_persist = &tm->tcpcb_mem_persist, callout_flag); 602 callout_init(tp->tt_keep = &tm->tcpcb_mem_keep, callout_flag); 603 callout_init(tp->tt_2msl = &tm->tcpcb_mem_2msl, callout_flag); 604 callout_init(tp->tt_delack = &tm->tcpcb_mem_delack, callout_flag); 605 606 if (tcp_do_rfc1323) 607 tp->t_flags = (TF_REQ_SCALE|TF_REQ_TSTMP); 608 tp->sack_enable = tcp_do_sack; 609 tp->t_inpcb = inp; /* XXX */ 610 /* 611 * Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no 612 * rtt estimate. Set rttvar so that srtt + 4 * rttvar gives 613 * reasonable initial retransmit time. 614 */ 615 tp->t_srtt = TCPTV_SRTTBASE; 616 tp->t_rttvar = ((TCPTV_RTOBASE - TCPTV_SRTTBASE) << TCP_RTTVAR_SHIFT) / 4; 617 tp->t_rttmin = tcp_rexmit_min; 618 tp->t_rxtcur = TCPTV_RTOBASE; 619 tp->snd_cwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT; 620 tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT; 621 tp->snd_ssthresh = TCP_MAXWIN << TCP_MAX_WINSHIFT; 622 tp->t_rcvtime = ticks; 623 tp->t_bw_rtttime = ticks; 624 /* 625 * IPv4 TTL initialization is necessary for an IPv6 socket as well, 626 * because the socket may be bound to an IPv6 wildcard address, 627 * which may match an IPv4-mapped IPv6 address. 628 */ 629 inp->inp_ip_ttl = ip_defttl; 630 inp->inp_ppcb = (caddr_t)tp; 631 return (tp); /* XXX */ 632 } 633 634 /* 635 * Drop a TCP connection, reporting 636 * the specified error. If connection is synchronized, 637 * then send a RST to peer. 638 */ 639 struct tcpcb * 640 tcp_drop(tp, errno) 641 register struct tcpcb *tp; 642 int errno; 643 { 644 struct socket *so = tp->t_inpcb->inp_socket; 645 646 INP_LOCK_ASSERT(tp->t_inpcb); 647 if (TCPS_HAVERCVDSYN(tp->t_state)) { 648 tp->t_state = TCPS_CLOSED; 649 (void) tcp_output(tp); 650 tcpstat.tcps_drops++; 651 } else 652 tcpstat.tcps_conndrops++; 653 if (errno == ETIMEDOUT && tp->t_softerror) 654 errno = tp->t_softerror; 655 so->so_error = errno; 656 return (tcp_close(tp)); 657 } 658 659 static void 660 tcp_discardcb(tp) 661 struct tcpcb *tp; 662 { 663 struct tseg_qent *q; 664 struct inpcb *inp = tp->t_inpcb; 665 struct socket *so = inp->inp_socket; 666 #ifdef INET6 667 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0; 668 #endif /* INET6 */ 669 670 INP_LOCK_ASSERT(inp); 671 672 /* 673 * Make sure that all of our timers are stopped before we 674 * delete the PCB. 675 */ 676 callout_stop(tp->tt_rexmt); 677 callout_stop(tp->tt_persist); 678 callout_stop(tp->tt_keep); 679 callout_stop(tp->tt_2msl); 680 callout_stop(tp->tt_delack); 681 682 /* 683 * If we got enough samples through the srtt filter, 684 * save the rtt and rttvar in the routing entry. 685 * 'Enough' is arbitrarily defined as 4 rtt samples. 686 * 4 samples is enough for the srtt filter to converge 687 * to within enough % of the correct value; fewer samples 688 * and we could save a bogus rtt. The danger is not high 689 * as tcp quickly recovers from everything. 690 * XXX: Works very well but needs some more statistics! 691 */ 692 if (tp->t_rttupdated >= 4) { 693 struct hc_metrics_lite metrics; 694 u_long ssthresh; 695 696 bzero(&metrics, sizeof(metrics)); 697 /* 698 * Update the ssthresh always when the conditions below 699 * are satisfied. This gives us better new start value 700 * for the congestion avoidance for new connections. 701 * ssthresh is only set if packet loss occured on a session. 702 */ 703 ssthresh = tp->snd_ssthresh; 704 if (ssthresh != 0 && ssthresh < so->so_snd.sb_hiwat / 2) { 705 /* 706 * convert the limit from user data bytes to 707 * packets then to packet data bytes. 708 */ 709 ssthresh = (ssthresh + tp->t_maxseg / 2) / tp->t_maxseg; 710 if (ssthresh < 2) 711 ssthresh = 2; 712 ssthresh *= (u_long)(tp->t_maxseg + 713 #ifdef INET6 714 (isipv6 ? sizeof (struct ip6_hdr) + 715 sizeof (struct tcphdr) : 716 #endif 717 sizeof (struct tcpiphdr) 718 #ifdef INET6 719 ) 720 #endif 721 ); 722 } else 723 ssthresh = 0; 724 metrics.rmx_ssthresh = ssthresh; 725 726 metrics.rmx_rtt = tp->t_srtt; 727 metrics.rmx_rttvar = tp->t_rttvar; 728 /* XXX: This wraps if the pipe is more than 4 Gbit per second */ 729 metrics.rmx_bandwidth = tp->snd_bandwidth; 730 metrics.rmx_cwnd = tp->snd_cwnd; 731 metrics.rmx_sendpipe = 0; 732 metrics.rmx_recvpipe = 0; 733 734 tcp_hc_update(&inp->inp_inc, &metrics); 735 } 736 737 /* free the reassembly queue, if any */ 738 while ((q = LIST_FIRST(&tp->t_segq)) != NULL) { 739 LIST_REMOVE(q, tqe_q); 740 m_freem(q->tqe_m); 741 uma_zfree(tcp_reass_zone, q); 742 tp->t_segqlen--; 743 tcp_reass_qsize--; 744 } 745 tcp_free_sackholes(tp); 746 inp->inp_ppcb = NULL; 747 tp->t_inpcb = NULL; 748 uma_zfree(tcpcb_zone, tp); 749 soisdisconnected(so); 750 } 751 752 /* 753 * Close a TCP control block: 754 * discard all space held by the tcp 755 * discard internet protocol block 756 * wake up any sleepers 757 */ 758 struct tcpcb * 759 tcp_close(tp) 760 struct tcpcb *tp; 761 { 762 struct inpcb *inp = tp->t_inpcb; 763 #ifdef INET6 764 struct socket *so = inp->inp_socket; 765 #endif 766 767 INP_LOCK_ASSERT(inp); 768 769 tcp_discardcb(tp); 770 #ifdef INET6 771 if (INP_CHECK_SOCKAF(so, AF_INET6)) 772 in6_pcbdetach(inp); 773 else 774 #endif 775 in_pcbdetach(inp); 776 tcpstat.tcps_closed++; 777 return (NULL); 778 } 779 780 void 781 tcp_drain() 782 { 783 if (do_tcpdrain) 784 { 785 struct inpcb *inpb; 786 struct tcpcb *tcpb; 787 struct tseg_qent *te; 788 789 /* 790 * Walk the tcpbs, if existing, and flush the reassembly queue, 791 * if there is one... 792 * XXX: The "Net/3" implementation doesn't imply that the TCP 793 * reassembly queue should be flushed, but in a situation 794 * where we're really low on mbufs, this is potentially 795 * usefull. 796 */ 797 INP_INFO_RLOCK(&tcbinfo); 798 LIST_FOREACH(inpb, tcbinfo.listhead, inp_list) { 799 if (inpb->inp_vflag & INP_TIMEWAIT) 800 continue; 801 INP_LOCK(inpb); 802 if ((tcpb = intotcpcb(inpb)) != NULL) { 803 while ((te = LIST_FIRST(&tcpb->t_segq)) 804 != NULL) { 805 LIST_REMOVE(te, tqe_q); 806 m_freem(te->tqe_m); 807 uma_zfree(tcp_reass_zone, te); 808 tcpb->t_segqlen--; 809 tcp_reass_qsize--; 810 } 811 } 812 INP_UNLOCK(inpb); 813 } 814 INP_INFO_RUNLOCK(&tcbinfo); 815 } 816 } 817 818 /* 819 * Notify a tcp user of an asynchronous error; 820 * store error as soft error, but wake up user 821 * (for now, won't do anything until can select for soft error). 822 * 823 * Do not wake up user since there currently is no mechanism for 824 * reporting soft errors (yet - a kqueue filter may be added). 825 */ 826 static struct inpcb * 827 tcp_notify(inp, error) 828 struct inpcb *inp; 829 int error; 830 { 831 struct tcpcb *tp = (struct tcpcb *)inp->inp_ppcb; 832 833 INP_LOCK_ASSERT(inp); 834 835 /* 836 * Ignore some errors if we are hooked up. 837 * If connection hasn't completed, has retransmitted several times, 838 * and receives a second error, give up now. This is better 839 * than waiting a long time to establish a connection that 840 * can never complete. 841 */ 842 if (tp->t_state == TCPS_ESTABLISHED && 843 (error == EHOSTUNREACH || error == ENETUNREACH || 844 error == EHOSTDOWN)) { 845 return (inp); 846 } else if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 && 847 tp->t_softerror) { 848 tcp_drop(tp, error); 849 return (struct inpcb *)0; 850 } else { 851 tp->t_softerror = error; 852 return (inp); 853 } 854 #if 0 855 wakeup( &so->so_timeo); 856 sorwakeup(so); 857 sowwakeup(so); 858 #endif 859 } 860 861 static int 862 tcp_pcblist(SYSCTL_HANDLER_ARGS) 863 { 864 int error, i, n, s; 865 struct inpcb *inp, **inp_list; 866 inp_gen_t gencnt; 867 struct xinpgen xig; 868 869 /* 870 * The process of preparing the TCB list is too time-consuming and 871 * resource-intensive to repeat twice on every request. 872 */ 873 if (req->oldptr == NULL) { 874 n = tcbinfo.ipi_count; 875 req->oldidx = 2 * (sizeof xig) 876 + (n + n/8) * sizeof(struct xtcpcb); 877 return (0); 878 } 879 880 if (req->newptr != NULL) 881 return (EPERM); 882 883 /* 884 * OK, now we're committed to doing something. 885 */ 886 s = splnet(); 887 INP_INFO_RLOCK(&tcbinfo); 888 gencnt = tcbinfo.ipi_gencnt; 889 n = tcbinfo.ipi_count; 890 INP_INFO_RUNLOCK(&tcbinfo); 891 splx(s); 892 893 error = sysctl_wire_old_buffer(req, 2 * (sizeof xig) 894 + n * sizeof(struct xtcpcb)); 895 if (error != 0) 896 return (error); 897 898 xig.xig_len = sizeof xig; 899 xig.xig_count = n; 900 xig.xig_gen = gencnt; 901 xig.xig_sogen = so_gencnt; 902 error = SYSCTL_OUT(req, &xig, sizeof xig); 903 if (error) 904 return (error); 905 906 inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK); 907 if (inp_list == NULL) 908 return (ENOMEM); 909 910 s = splnet(); 911 INP_INFO_RLOCK(&tcbinfo); 912 for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp != NULL && i < n; 913 inp = LIST_NEXT(inp, inp_list)) { 914 INP_LOCK(inp); 915 if (inp->inp_gencnt <= gencnt) { 916 /* 917 * XXX: This use of cr_cansee(), introduced with 918 * TCP state changes, is not quite right, but for 919 * now, better than nothing. 920 */ 921 if (inp->inp_vflag & INP_TIMEWAIT) 922 error = cr_cansee(req->td->td_ucred, 923 intotw(inp)->tw_cred); 924 else 925 error = cr_canseesocket(req->td->td_ucred, 926 inp->inp_socket); 927 if (error == 0) 928 inp_list[i++] = inp; 929 } 930 INP_UNLOCK(inp); 931 } 932 INP_INFO_RUNLOCK(&tcbinfo); 933 splx(s); 934 n = i; 935 936 error = 0; 937 for (i = 0; i < n; i++) { 938 inp = inp_list[i]; 939 if (inp->inp_gencnt <= gencnt) { 940 struct xtcpcb xt; 941 caddr_t inp_ppcb; 942 xt.xt_len = sizeof xt; 943 /* XXX should avoid extra copy */ 944 bcopy(inp, &xt.xt_inp, sizeof *inp); 945 inp_ppcb = inp->inp_ppcb; 946 if (inp_ppcb == NULL) 947 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp); 948 else if (inp->inp_vflag & INP_TIMEWAIT) { 949 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp); 950 xt.xt_tp.t_state = TCPS_TIME_WAIT; 951 } else 952 bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp); 953 if (inp->inp_socket != NULL) 954 sotoxsocket(inp->inp_socket, &xt.xt_socket); 955 else { 956 bzero(&xt.xt_socket, sizeof xt.xt_socket); 957 xt.xt_socket.xso_protocol = IPPROTO_TCP; 958 } 959 xt.xt_inp.inp_gencnt = inp->inp_gencnt; 960 error = SYSCTL_OUT(req, &xt, sizeof xt); 961 } 962 } 963 if (!error) { 964 /* 965 * Give the user an updated idea of our state. 966 * If the generation differs from what we told 967 * her before, she knows that something happened 968 * while we were processing this request, and it 969 * might be necessary to retry. 970 */ 971 s = splnet(); 972 INP_INFO_RLOCK(&tcbinfo); 973 xig.xig_gen = tcbinfo.ipi_gencnt; 974 xig.xig_sogen = so_gencnt; 975 xig.xig_count = tcbinfo.ipi_count; 976 INP_INFO_RUNLOCK(&tcbinfo); 977 splx(s); 978 error = SYSCTL_OUT(req, &xig, sizeof xig); 979 } 980 free(inp_list, M_TEMP); 981 return (error); 982 } 983 984 SYSCTL_PROC(_net_inet_tcp, TCPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0, 985 tcp_pcblist, "S,xtcpcb", "List of active TCP connections"); 986 987 static int 988 tcp_getcred(SYSCTL_HANDLER_ARGS) 989 { 990 struct xucred xuc; 991 struct sockaddr_in addrs[2]; 992 struct inpcb *inp; 993 int error, s; 994 995 error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); 996 if (error) 997 return (error); 998 error = SYSCTL_IN(req, addrs, sizeof(addrs)); 999 if (error) 1000 return (error); 1001 s = splnet(); 1002 INP_INFO_RLOCK(&tcbinfo); 1003 inp = in_pcblookup_hash(&tcbinfo, addrs[1].sin_addr, addrs[1].sin_port, 1004 addrs[0].sin_addr, addrs[0].sin_port, 0, NULL); 1005 if (inp == NULL) { 1006 error = ENOENT; 1007 goto outunlocked; 1008 } 1009 INP_LOCK(inp); 1010 if (inp->inp_socket == NULL) { 1011 error = ENOENT; 1012 goto out; 1013 } 1014 error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); 1015 if (error) 1016 goto out; 1017 cru2x(inp->inp_socket->so_cred, &xuc); 1018 out: 1019 INP_UNLOCK(inp); 1020 outunlocked: 1021 INP_INFO_RUNLOCK(&tcbinfo); 1022 splx(s); 1023 if (error == 0) 1024 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred)); 1025 return (error); 1026 } 1027 1028 SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, 1029 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, 1030 tcp_getcred, "S,xucred", "Get the xucred of a TCP connection"); 1031 1032 #ifdef INET6 1033 static int 1034 tcp6_getcred(SYSCTL_HANDLER_ARGS) 1035 { 1036 struct xucred xuc; 1037 struct sockaddr_in6 addrs[2]; 1038 struct in6_addr a6[2]; 1039 struct inpcb *inp; 1040 int error, s, mapped = 0; 1041 1042 error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); 1043 if (error) 1044 return (error); 1045 error = SYSCTL_IN(req, addrs, sizeof(addrs)); 1046 if (error) 1047 return (error); 1048 if (IN6_IS_ADDR_V4MAPPED(&addrs[0].sin6_addr)) { 1049 if (IN6_IS_ADDR_V4MAPPED(&addrs[1].sin6_addr)) 1050 mapped = 1; 1051 else 1052 return (EINVAL); 1053 } else { 1054 error = in6_embedscope(&a6[0], &addrs[0], NULL, NULL); 1055 if (error) 1056 return (EINVAL); 1057 error = in6_embedscope(&a6[1], &addrs[1], NULL, NULL); 1058 if (error) 1059 return (EINVAL); 1060 } 1061 s = splnet(); 1062 INP_INFO_RLOCK(&tcbinfo); 1063 if (mapped == 1) 1064 inp = in_pcblookup_hash(&tcbinfo, 1065 *(struct in_addr *)&addrs[1].sin6_addr.s6_addr[12], 1066 addrs[1].sin6_port, 1067 *(struct in_addr *)&addrs[0].sin6_addr.s6_addr[12], 1068 addrs[0].sin6_port, 1069 0, NULL); 1070 else 1071 inp = in6_pcblookup_hash(&tcbinfo, &a6[1], addrs[1].sin6_port, 1072 &a6[0], addrs[0].sin6_port, 0, NULL); 1073 if (inp == NULL) { 1074 error = ENOENT; 1075 goto outunlocked; 1076 } 1077 INP_LOCK(inp); 1078 if (inp->inp_socket == NULL) { 1079 error = ENOENT; 1080 goto out; 1081 } 1082 error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); 1083 if (error) 1084 goto out; 1085 cru2x(inp->inp_socket->so_cred, &xuc); 1086 out: 1087 INP_UNLOCK(inp); 1088 outunlocked: 1089 INP_INFO_RUNLOCK(&tcbinfo); 1090 splx(s); 1091 if (error == 0) 1092 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred)); 1093 return (error); 1094 } 1095 1096 SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, 1097 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, 1098 tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection"); 1099 #endif 1100 1101 1102 void 1103 tcp_ctlinput(cmd, sa, vip) 1104 int cmd; 1105 struct sockaddr *sa; 1106 void *vip; 1107 { 1108 struct ip *ip = vip; 1109 struct tcphdr *th; 1110 struct in_addr faddr; 1111 struct inpcb *inp; 1112 struct tcpcb *tp; 1113 struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify; 1114 tcp_seq icmp_seq; 1115 int s; 1116 1117 faddr = ((struct sockaddr_in *)sa)->sin_addr; 1118 if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY) 1119 return; 1120 1121 if (cmd == PRC_QUENCH) 1122 notify = tcp_quench; 1123 else if (icmp_may_rst && (cmd == PRC_UNREACH_ADMIN_PROHIB || 1124 cmd == PRC_UNREACH_PORT || cmd == PRC_TIMXCEED_INTRANS) && ip) 1125 notify = tcp_drop_syn_sent; 1126 else if (cmd == PRC_MSGSIZE) 1127 notify = tcp_mtudisc; 1128 /* 1129 * Redirects don't need to be handled up here. 1130 */ 1131 else if (PRC_IS_REDIRECT(cmd)) 1132 return; 1133 /* 1134 * Hostdead is ugly because it goes linearly through all PCBs. 1135 * XXX: We never get this from ICMP, otherwise it makes an 1136 * excellent DoS attack on machines with many connections. 1137 */ 1138 else if (cmd == PRC_HOSTDEAD) 1139 ip = NULL; 1140 else if ((unsigned)cmd >= PRC_NCMDS || inetctlerrmap[cmd] == 0) 1141 return; 1142 if (ip != NULL) { 1143 s = splnet(); 1144 th = (struct tcphdr *)((caddr_t)ip 1145 + (ip->ip_hl << 2)); 1146 INP_INFO_WLOCK(&tcbinfo); 1147 inp = in_pcblookup_hash(&tcbinfo, faddr, th->th_dport, 1148 ip->ip_src, th->th_sport, 0, NULL); 1149 if (inp != NULL) { 1150 INP_LOCK(inp); 1151 if (inp->inp_socket != NULL) { 1152 icmp_seq = htonl(th->th_seq); 1153 tp = intotcpcb(inp); 1154 if (SEQ_GEQ(icmp_seq, tp->snd_una) && 1155 SEQ_LT(icmp_seq, tp->snd_max)) 1156 inp = (*notify)(inp, inetctlerrmap[cmd]); 1157 } 1158 if (inp != NULL) 1159 INP_UNLOCK(inp); 1160 } else { 1161 struct in_conninfo inc; 1162 1163 inc.inc_fport = th->th_dport; 1164 inc.inc_lport = th->th_sport; 1165 inc.inc_faddr = faddr; 1166 inc.inc_laddr = ip->ip_src; 1167 #ifdef INET6 1168 inc.inc_isipv6 = 0; 1169 #endif 1170 syncache_unreach(&inc, th); 1171 } 1172 INP_INFO_WUNLOCK(&tcbinfo); 1173 splx(s); 1174 } else 1175 in_pcbnotifyall(&tcbinfo, faddr, inetctlerrmap[cmd], notify); 1176 } 1177 1178 #ifdef INET6 1179 void 1180 tcp6_ctlinput(cmd, sa, d) 1181 int cmd; 1182 struct sockaddr *sa; 1183 void *d; 1184 { 1185 struct tcphdr th; 1186 struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify; 1187 struct ip6_hdr *ip6; 1188 struct mbuf *m; 1189 struct ip6ctlparam *ip6cp = NULL; 1190 const struct sockaddr_in6 *sa6_src = NULL; 1191 int off; 1192 struct tcp_portonly { 1193 u_int16_t th_sport; 1194 u_int16_t th_dport; 1195 } *thp; 1196 1197 if (sa->sa_family != AF_INET6 || 1198 sa->sa_len != sizeof(struct sockaddr_in6)) 1199 return; 1200 1201 if (cmd == PRC_QUENCH) 1202 notify = tcp_quench; 1203 else if (cmd == PRC_MSGSIZE) 1204 notify = tcp_mtudisc; 1205 else if (!PRC_IS_REDIRECT(cmd) && 1206 ((unsigned)cmd >= PRC_NCMDS || inet6ctlerrmap[cmd] == 0)) 1207 return; 1208 1209 /* if the parameter is from icmp6, decode it. */ 1210 if (d != NULL) { 1211 ip6cp = (struct ip6ctlparam *)d; 1212 m = ip6cp->ip6c_m; 1213 ip6 = ip6cp->ip6c_ip6; 1214 off = ip6cp->ip6c_off; 1215 sa6_src = ip6cp->ip6c_src; 1216 } else { 1217 m = NULL; 1218 ip6 = NULL; 1219 off = 0; /* fool gcc */ 1220 sa6_src = &sa6_any; 1221 } 1222 1223 if (ip6 != NULL) { 1224 struct in_conninfo inc; 1225 /* 1226 * XXX: We assume that when IPV6 is non NULL, 1227 * M and OFF are valid. 1228 */ 1229 1230 /* check if we can safely examine src and dst ports */ 1231 if (m->m_pkthdr.len < off + sizeof(*thp)) 1232 return; 1233 1234 bzero(&th, sizeof(th)); 1235 m_copydata(m, off, sizeof(*thp), (caddr_t)&th); 1236 1237 in6_pcbnotify(&tcbinfo, sa, th.th_dport, 1238 (struct sockaddr *)ip6cp->ip6c_src, 1239 th.th_sport, cmd, NULL, notify); 1240 1241 inc.inc_fport = th.th_dport; 1242 inc.inc_lport = th.th_sport; 1243 inc.inc6_faddr = ((struct sockaddr_in6 *)sa)->sin6_addr; 1244 inc.inc6_laddr = ip6cp->ip6c_src->sin6_addr; 1245 inc.inc_isipv6 = 1; 1246 INP_INFO_WLOCK(&tcbinfo); 1247 syncache_unreach(&inc, &th); 1248 INP_INFO_WUNLOCK(&tcbinfo); 1249 } else 1250 in6_pcbnotify(&tcbinfo, sa, 0, (const struct sockaddr *)sa6_src, 1251 0, cmd, NULL, notify); 1252 } 1253 #endif /* INET6 */ 1254 1255 1256 /* 1257 * Following is where TCP initial sequence number generation occurs. 1258 * 1259 * There are two places where we must use initial sequence numbers: 1260 * 1. In SYN-ACK packets. 1261 * 2. In SYN packets. 1262 * 1263 * All ISNs for SYN-ACK packets are generated by the syncache. See 1264 * tcp_syncache.c for details. 1265 * 1266 * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling 1267 * depends on this property. In addition, these ISNs should be 1268 * unguessable so as to prevent connection hijacking. To satisfy 1269 * the requirements of this situation, the algorithm outlined in 1270 * RFC 1948 is used, with only small modifications. 1271 * 1272 * Implementation details: 1273 * 1274 * Time is based off the system timer, and is corrected so that it 1275 * increases by one megabyte per second. This allows for proper 1276 * recycling on high speed LANs while still leaving over an hour 1277 * before rollover. 1278 * 1279 * As reading the *exact* system time is too expensive to be done 1280 * whenever setting up a TCP connection, we increment the time 1281 * offset in two ways. First, a small random positive increment 1282 * is added to isn_offset for each connection that is set up. 1283 * Second, the function tcp_isn_tick fires once per clock tick 1284 * and increments isn_offset as necessary so that sequence numbers 1285 * are incremented at approximately ISN_BYTES_PER_SECOND. The 1286 * random positive increments serve only to ensure that the same 1287 * exact sequence number is never sent out twice (as could otherwise 1288 * happen when a port is recycled in less than the system tick 1289 * interval.) 1290 * 1291 * net.inet.tcp.isn_reseed_interval controls the number of seconds 1292 * between seeding of isn_secret. This is normally set to zero, 1293 * as reseeding should not be necessary. 1294 * 1295 * Locking of the global variables isn_secret, isn_last_reseed, isn_offset, 1296 * isn_offset_old, and isn_ctx is performed using the TCP pcbinfo lock. In 1297 * general, this means holding an exclusive (write) lock. 1298 */ 1299 1300 #define ISN_BYTES_PER_SECOND 1048576 1301 #define ISN_STATIC_INCREMENT 4096 1302 #define ISN_RANDOM_INCREMENT (4096 - 1) 1303 1304 static u_char isn_secret[32]; 1305 static int isn_last_reseed; 1306 static u_int32_t isn_offset, isn_offset_old; 1307 static MD5_CTX isn_ctx; 1308 1309 tcp_seq 1310 tcp_new_isn(tp) 1311 struct tcpcb *tp; 1312 { 1313 u_int32_t md5_buffer[4]; 1314 tcp_seq new_isn; 1315 1316 INP_INFO_WLOCK_ASSERT(&tcbinfo); 1317 INP_LOCK_ASSERT(tp->t_inpcb); 1318 1319 /* Seed if this is the first use, reseed if requested. */ 1320 if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) && 1321 (((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz) 1322 < (u_int)ticks))) { 1323 read_random(&isn_secret, sizeof(isn_secret)); 1324 isn_last_reseed = ticks; 1325 } 1326 1327 /* Compute the md5 hash and return the ISN. */ 1328 MD5Init(&isn_ctx); 1329 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short)); 1330 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short)); 1331 #ifdef INET6 1332 if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) { 1333 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr, 1334 sizeof(struct in6_addr)); 1335 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr, 1336 sizeof(struct in6_addr)); 1337 } else 1338 #endif 1339 { 1340 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr, 1341 sizeof(struct in_addr)); 1342 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr, 1343 sizeof(struct in_addr)); 1344 } 1345 MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret)); 1346 MD5Final((u_char *) &md5_buffer, &isn_ctx); 1347 new_isn = (tcp_seq) md5_buffer[0]; 1348 isn_offset += ISN_STATIC_INCREMENT + 1349 (arc4random() & ISN_RANDOM_INCREMENT); 1350 new_isn += isn_offset; 1351 return (new_isn); 1352 } 1353 1354 /* 1355 * Increment the offset to the next ISN_BYTES_PER_SECOND / hz boundary 1356 * to keep time flowing at a relatively constant rate. If the random 1357 * increments have already pushed us past the projected offset, do nothing. 1358 */ 1359 static void 1360 tcp_isn_tick(xtp) 1361 void *xtp; 1362 { 1363 u_int32_t projected_offset; 1364 1365 INP_INFO_WLOCK(&tcbinfo); 1366 projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100; 1367 1368 if (projected_offset > isn_offset) 1369 isn_offset = projected_offset; 1370 1371 isn_offset_old = isn_offset; 1372 callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL); 1373 INP_INFO_WUNLOCK(&tcbinfo); 1374 } 1375 1376 /* 1377 * When a source quench is received, close congestion window 1378 * to one segment. We will gradually open it again as we proceed. 1379 */ 1380 struct inpcb * 1381 tcp_quench(inp, errno) 1382 struct inpcb *inp; 1383 int errno; 1384 { 1385 struct tcpcb *tp = intotcpcb(inp); 1386 1387 INP_LOCK_ASSERT(inp); 1388 if (tp != NULL) 1389 tp->snd_cwnd = tp->t_maxseg; 1390 return (inp); 1391 } 1392 1393 /* 1394 * When a specific ICMP unreachable message is received and the 1395 * connection state is SYN-SENT, drop the connection. This behavior 1396 * is controlled by the icmp_may_rst sysctl. 1397 */ 1398 struct inpcb * 1399 tcp_drop_syn_sent(inp, errno) 1400 struct inpcb *inp; 1401 int errno; 1402 { 1403 struct tcpcb *tp = intotcpcb(inp); 1404 1405 INP_LOCK_ASSERT(inp); 1406 if (tp != NULL && tp->t_state == TCPS_SYN_SENT) { 1407 tcp_drop(tp, errno); 1408 return (NULL); 1409 } 1410 return (inp); 1411 } 1412 1413 /* 1414 * When `need fragmentation' ICMP is received, update our idea of the MSS 1415 * based on the new value in the route. Also nudge TCP to send something, 1416 * since we know the packet we just sent was dropped. 1417 * This duplicates some code in the tcp_mss() function in tcp_input.c. 1418 */ 1419 struct inpcb * 1420 tcp_mtudisc(inp, errno) 1421 struct inpcb *inp; 1422 int errno; 1423 { 1424 struct tcpcb *tp = intotcpcb(inp); 1425 struct socket *so = inp->inp_socket; 1426 u_int maxmtu; 1427 u_int romtu; 1428 int mss; 1429 #ifdef INET6 1430 int isipv6; 1431 #endif /* INET6 */ 1432 1433 INP_LOCK_ASSERT(inp); 1434 if (tp != NULL) { 1435 #ifdef INET6 1436 isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0; 1437 #endif 1438 maxmtu = tcp_hc_getmtu(&inp->inp_inc); /* IPv4 and IPv6 */ 1439 romtu = 1440 #ifdef INET6 1441 isipv6 ? tcp_maxmtu6(&inp->inp_inc) : 1442 #endif /* INET6 */ 1443 tcp_maxmtu(&inp->inp_inc); 1444 if (!maxmtu) 1445 maxmtu = romtu; 1446 else 1447 maxmtu = min(maxmtu, romtu); 1448 if (!maxmtu) { 1449 tp->t_maxopd = tp->t_maxseg = 1450 #ifdef INET6 1451 isipv6 ? tcp_v6mssdflt : 1452 #endif /* INET6 */ 1453 tcp_mssdflt; 1454 return (inp); 1455 } 1456 mss = maxmtu - 1457 #ifdef INET6 1458 (isipv6 ? 1459 sizeof(struct ip6_hdr) + sizeof(struct tcphdr) : 1460 #endif /* INET6 */ 1461 sizeof(struct tcpiphdr) 1462 #ifdef INET6 1463 ) 1464 #endif /* INET6 */ 1465 ; 1466 1467 /* 1468 * XXX - The above conditional probably violates the TCP 1469 * spec. The problem is that, since we don't know the 1470 * other end's MSS, we are supposed to use a conservative 1471 * default. But, if we do that, then MTU discovery will 1472 * never actually take place, because the conservative 1473 * default is much less than the MTUs typically seen 1474 * on the Internet today. For the moment, we'll sweep 1475 * this under the carpet. 1476 * 1477 * The conservative default might not actually be a problem 1478 * if the only case this occurs is when sending an initial 1479 * SYN with options and data to a host we've never talked 1480 * to before. Then, they will reply with an MSS value which 1481 * will get recorded and the new parameters should get 1482 * recomputed. For Further Study. 1483 */ 1484 if (tp->t_maxopd <= mss) 1485 return (inp); 1486 tp->t_maxopd = mss; 1487 1488 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP && 1489 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP) 1490 mss -= TCPOLEN_TSTAMP_APPA; 1491 #if (MCLBYTES & (MCLBYTES - 1)) == 0 1492 if (mss > MCLBYTES) 1493 mss &= ~(MCLBYTES-1); 1494 #else 1495 if (mss > MCLBYTES) 1496 mss = mss / MCLBYTES * MCLBYTES; 1497 #endif 1498 if (so->so_snd.sb_hiwat < mss) 1499 mss = so->so_snd.sb_hiwat; 1500 1501 tp->t_maxseg = mss; 1502 1503 tcpstat.tcps_mturesent++; 1504 tp->t_rtttime = 0; 1505 tp->snd_nxt = tp->snd_una; 1506 tcp_output(tp); 1507 } 1508 return (inp); 1509 } 1510 1511 /* 1512 * Look-up the routing entry to the peer of this inpcb. If no route 1513 * is found and it cannot be allocated, then return NULL. This routine 1514 * is called by TCP routines that access the rmx structure and by tcp_mss 1515 * to get the interface MTU. 1516 */ 1517 u_long 1518 tcp_maxmtu(inc) 1519 struct in_conninfo *inc; 1520 { 1521 struct route sro; 1522 struct sockaddr_in *dst; 1523 struct ifnet *ifp; 1524 u_long maxmtu = 0; 1525 1526 KASSERT(inc != NULL, ("tcp_maxmtu with NULL in_conninfo pointer")); 1527 1528 bzero(&sro, sizeof(sro)); 1529 if (inc->inc_faddr.s_addr != INADDR_ANY) { 1530 dst = (struct sockaddr_in *)&sro.ro_dst; 1531 dst->sin_family = AF_INET; 1532 dst->sin_len = sizeof(*dst); 1533 dst->sin_addr = inc->inc_faddr; 1534 rtalloc_ign(&sro, RTF_CLONING); 1535 } 1536 if (sro.ro_rt != NULL) { 1537 ifp = sro.ro_rt->rt_ifp; 1538 if (sro.ro_rt->rt_rmx.rmx_mtu == 0) 1539 maxmtu = ifp->if_mtu; 1540 else 1541 maxmtu = min(sro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu); 1542 RTFREE(sro.ro_rt); 1543 } 1544 return (maxmtu); 1545 } 1546 1547 #ifdef INET6 1548 u_long 1549 tcp_maxmtu6(inc) 1550 struct in_conninfo *inc; 1551 { 1552 struct route_in6 sro6; 1553 struct ifnet *ifp; 1554 u_long maxmtu = 0; 1555 1556 KASSERT(inc != NULL, ("tcp_maxmtu6 with NULL in_conninfo pointer")); 1557 1558 bzero(&sro6, sizeof(sro6)); 1559 if (!IN6_IS_ADDR_UNSPECIFIED(&inc->inc6_faddr)) { 1560 sro6.ro_dst.sin6_family = AF_INET6; 1561 sro6.ro_dst.sin6_len = sizeof(struct sockaddr_in6); 1562 sro6.ro_dst.sin6_addr = inc->inc6_faddr; 1563 rtalloc_ign((struct route *)&sro6, RTF_CLONING); 1564 } 1565 if (sro6.ro_rt != NULL) { 1566 ifp = sro6.ro_rt->rt_ifp; 1567 if (sro6.ro_rt->rt_rmx.rmx_mtu == 0) 1568 maxmtu = IN6_LINKMTU(sro6.ro_rt->rt_ifp); 1569 else 1570 maxmtu = min(sro6.ro_rt->rt_rmx.rmx_mtu, 1571 IN6_LINKMTU(sro6.ro_rt->rt_ifp)); 1572 RTFREE(sro6.ro_rt); 1573 } 1574 1575 return (maxmtu); 1576 } 1577 #endif /* INET6 */ 1578 1579 #ifdef IPSEC 1580 /* compute ESP/AH header size for TCP, including outer IP header. */ 1581 size_t 1582 ipsec_hdrsiz_tcp(tp) 1583 struct tcpcb *tp; 1584 { 1585 struct inpcb *inp; 1586 struct mbuf *m; 1587 size_t hdrsiz; 1588 struct ip *ip; 1589 #ifdef INET6 1590 struct ip6_hdr *ip6; 1591 #endif 1592 struct tcphdr *th; 1593 1594 if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL)) 1595 return (0); 1596 MGETHDR(m, M_DONTWAIT, MT_DATA); 1597 if (!m) 1598 return (0); 1599 1600 #ifdef INET6 1601 if ((inp->inp_vflag & INP_IPV6) != 0) { 1602 ip6 = mtod(m, struct ip6_hdr *); 1603 th = (struct tcphdr *)(ip6 + 1); 1604 m->m_pkthdr.len = m->m_len = 1605 sizeof(struct ip6_hdr) + sizeof(struct tcphdr); 1606 tcpip_fillheaders(inp, ip6, th); 1607 hdrsiz = ipsec6_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp); 1608 } else 1609 #endif /* INET6 */ 1610 { 1611 ip = mtod(m, struct ip *); 1612 th = (struct tcphdr *)(ip + 1); 1613 m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr); 1614 tcpip_fillheaders(inp, ip, th); 1615 hdrsiz = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp); 1616 } 1617 1618 m_free(m); 1619 return (hdrsiz); 1620 } 1621 #endif /*IPSEC*/ 1622 1623 /* 1624 * Move a TCP connection into TIME_WAIT state. 1625 * tcbinfo is locked. 1626 * inp is locked, and is unlocked before returning. 1627 */ 1628 void 1629 tcp_twstart(tp) 1630 struct tcpcb *tp; 1631 { 1632 struct tcptw *tw; 1633 struct inpcb *inp; 1634 int tw_time, acknow; 1635 struct socket *so; 1636 1637 INP_INFO_WLOCK_ASSERT(&tcbinfo); /* tcp_timer_2msl_reset(). */ 1638 INP_LOCK_ASSERT(tp->t_inpcb); 1639 1640 tw = uma_zalloc(tcptw_zone, M_NOWAIT); 1641 if (tw == NULL) { 1642 tw = tcp_timer_2msl_tw(1); 1643 if (tw == NULL) { 1644 tcp_close(tp); 1645 return; 1646 } 1647 } 1648 inp = tp->t_inpcb; 1649 tw->tw_inpcb = inp; 1650 1651 /* 1652 * Recover last window size sent. 1653 */ 1654 tw->last_win = (tp->rcv_adv - tp->rcv_nxt) >> tp->rcv_scale; 1655 1656 /* 1657 * Set t_recent if timestamps are used on the connection. 1658 */ 1659 if ((tp->t_flags & (TF_REQ_TSTMP|TF_RCVD_TSTMP|TF_NOOPT)) == 1660 (TF_REQ_TSTMP|TF_RCVD_TSTMP)) 1661 tw->t_recent = tp->ts_recent; 1662 else 1663 tw->t_recent = 0; 1664 1665 tw->snd_nxt = tp->snd_nxt; 1666 tw->rcv_nxt = tp->rcv_nxt; 1667 tw->iss = tp->iss; 1668 tw->irs = tp->irs; 1669 tw->t_starttime = tp->t_starttime; 1670 tw->tw_time = 0; 1671 1672 /* XXX 1673 * If this code will 1674 * be used for fin-wait-2 state also, then we may need 1675 * a ts_recent from the last segment. 1676 */ 1677 tw_time = 2 * tcp_msl; 1678 acknow = tp->t_flags & TF_ACKNOW; 1679 tcp_discardcb(tp); 1680 so = inp->inp_socket; 1681 ACCEPT_LOCK(); 1682 SOCK_LOCK(so); 1683 so->so_pcb = NULL; 1684 tw->tw_cred = crhold(so->so_cred); 1685 tw->tw_so_options = so->so_options; 1686 sotryfree(so); 1687 inp->inp_socket = NULL; 1688 if (acknow) 1689 tcp_twrespond(tw, TH_ACK); 1690 inp->inp_ppcb = (caddr_t)tw; 1691 inp->inp_vflag |= INP_TIMEWAIT; 1692 tcp_timer_2msl_reset(tw, tw_time); 1693 INP_UNLOCK(inp); 1694 } 1695 1696 /* 1697 * The appromixate rate of ISN increase of Microsoft TCP stacks; 1698 * the actual rate is slightly higher due to the addition of 1699 * random positive increments. 1700 * 1701 * Most other new OSes use semi-randomized ISN values, so we 1702 * do not need to worry about them. 1703 */ 1704 #define MS_ISN_BYTES_PER_SECOND 250000 1705 1706 /* 1707 * Determine if the ISN we will generate has advanced beyond the last 1708 * sequence number used by the previous connection. If so, indicate 1709 * that it is safe to recycle this tw socket by returning 1. 1710 * 1711 * XXXRW: This function should assert the inpcb lock as it does multiple 1712 * non-atomic reads from the tcptw, but is currently called without it from 1713 * in_pcb.c:in_pcblookup_local(). 1714 */ 1715 int 1716 tcp_twrecycleable(struct tcptw *tw) 1717 { 1718 tcp_seq new_iss = tw->iss; 1719 tcp_seq new_irs = tw->irs; 1720 1721 new_iss += (ticks - tw->t_starttime) * (ISN_BYTES_PER_SECOND / hz); 1722 new_irs += (ticks - tw->t_starttime) * (MS_ISN_BYTES_PER_SECOND / hz); 1723 1724 if (SEQ_GT(new_iss, tw->snd_nxt) && SEQ_GT(new_irs, tw->rcv_nxt)) 1725 return (1); 1726 else 1727 return (0); 1728 } 1729 1730 struct tcptw * 1731 tcp_twclose(struct tcptw *tw, int reuse) 1732 { 1733 struct inpcb *inp; 1734 1735 inp = tw->tw_inpcb; 1736 INP_INFO_WLOCK_ASSERT(&tcbinfo); /* tcp_timer_2msl_stop(). */ 1737 INP_LOCK_ASSERT(inp); 1738 1739 tw->tw_inpcb = NULL; 1740 tcp_timer_2msl_stop(tw); 1741 inp->inp_ppcb = NULL; 1742 #ifdef INET6 1743 if (inp->inp_vflag & INP_IPV6PROTO) 1744 in6_pcbdetach(inp); 1745 else 1746 #endif 1747 in_pcbdetach(inp); 1748 tcpstat.tcps_closed++; 1749 crfree(tw->tw_cred); 1750 tw->tw_cred = NULL; 1751 if (reuse) 1752 return (tw); 1753 uma_zfree(tcptw_zone, tw); 1754 return (NULL); 1755 } 1756 1757 int 1758 tcp_twrespond(struct tcptw *tw, int flags) 1759 { 1760 struct inpcb *inp = tw->tw_inpcb; 1761 struct tcphdr *th; 1762 struct mbuf *m; 1763 struct ip *ip = NULL; 1764 u_int8_t *optp; 1765 u_int hdrlen, optlen; 1766 int error; 1767 #ifdef INET6 1768 struct ip6_hdr *ip6 = NULL; 1769 int isipv6 = inp->inp_inc.inc_isipv6; 1770 #endif 1771 1772 INP_LOCK_ASSERT(inp); 1773 1774 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1775 if (m == NULL) 1776 return (ENOBUFS); 1777 m->m_data += max_linkhdr; 1778 1779 #ifdef MAC 1780 mac_create_mbuf_from_inpcb(inp, m); 1781 #endif 1782 1783 #ifdef INET6 1784 if (isipv6) { 1785 hdrlen = sizeof(struct ip6_hdr) + sizeof(struct tcphdr); 1786 ip6 = mtod(m, struct ip6_hdr *); 1787 th = (struct tcphdr *)(ip6 + 1); 1788 tcpip_fillheaders(inp, ip6, th); 1789 } else 1790 #endif 1791 { 1792 hdrlen = sizeof(struct tcpiphdr); 1793 ip = mtod(m, struct ip *); 1794 th = (struct tcphdr *)(ip + 1); 1795 tcpip_fillheaders(inp, ip, th); 1796 } 1797 optp = (u_int8_t *)(th + 1); 1798 1799 /* 1800 * Send a timestamp and echo-reply if both our side and our peer 1801 * have sent timestamps in our SYN's and this is not a RST. 1802 */ 1803 if (tw->t_recent && flags == TH_ACK) { 1804 u_int32_t *lp = (u_int32_t *)optp; 1805 1806 /* Form timestamp option as shown in appendix A of RFC 1323. */ 1807 *lp++ = htonl(TCPOPT_TSTAMP_HDR); 1808 *lp++ = htonl(ticks); 1809 *lp = htonl(tw->t_recent); 1810 optp += TCPOLEN_TSTAMP_APPA; 1811 } 1812 1813 optlen = optp - (u_int8_t *)(th + 1); 1814 1815 m->m_len = hdrlen + optlen; 1816 m->m_pkthdr.len = m->m_len; 1817 1818 KASSERT(max_linkhdr + m->m_len <= MHLEN, ("tcptw: mbuf too small")); 1819 1820 th->th_seq = htonl(tw->snd_nxt); 1821 th->th_ack = htonl(tw->rcv_nxt); 1822 th->th_off = (sizeof(struct tcphdr) + optlen) >> 2; 1823 th->th_flags = flags; 1824 th->th_win = htons(tw->last_win); 1825 1826 #ifdef INET6 1827 if (isipv6) { 1828 th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr), 1829 sizeof(struct tcphdr) + optlen); 1830 ip6->ip6_hlim = in6_selecthlim(inp, NULL); 1831 error = ip6_output(m, inp->in6p_outputopts, NULL, 1832 (tw->tw_so_options & SO_DONTROUTE), NULL, NULL, inp); 1833 } else 1834 #endif 1835 { 1836 th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, 1837 htons(sizeof(struct tcphdr) + optlen + IPPROTO_TCP)); 1838 m->m_pkthdr.csum_flags = CSUM_TCP; 1839 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); 1840 ip->ip_len = m->m_pkthdr.len; 1841 if (path_mtu_discovery) 1842 ip->ip_off |= IP_DF; 1843 error = ip_output(m, inp->inp_options, NULL, 1844 ((tw->tw_so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0), 1845 NULL, inp); 1846 } 1847 if (flags & TH_ACK) 1848 tcpstat.tcps_sndacks++; 1849 else 1850 tcpstat.tcps_sndctrl++; 1851 tcpstat.tcps_sndtotal++; 1852 return (error); 1853 } 1854 1855 /* 1856 * TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING 1857 * 1858 * This code attempts to calculate the bandwidth-delay product as a 1859 * means of determining the optimal window size to maximize bandwidth, 1860 * minimize RTT, and avoid the over-allocation of buffers on interfaces and 1861 * routers. This code also does a fairly good job keeping RTTs in check 1862 * across slow links like modems. We implement an algorithm which is very 1863 * similar (but not meant to be) TCP/Vegas. The code operates on the 1864 * transmitter side of a TCP connection and so only effects the transmit 1865 * side of the connection. 1866 * 1867 * BACKGROUND: TCP makes no provision for the management of buffer space 1868 * at the end points or at the intermediate routers and switches. A TCP 1869 * stream, whether using NewReno or not, will eventually buffer as 1870 * many packets as it is able and the only reason this typically works is 1871 * due to the fairly small default buffers made available for a connection 1872 * (typicaly 16K or 32K). As machines use larger windows and/or window 1873 * scaling it is now fairly easy for even a single TCP connection to blow-out 1874 * all available buffer space not only on the local interface, but on 1875 * intermediate routers and switches as well. NewReno makes a misguided 1876 * attempt to 'solve' this problem by waiting for an actual failure to occur, 1877 * then backing off, then steadily increasing the window again until another 1878 * failure occurs, ad-infinitum. This results in terrible oscillation that 1879 * is only made worse as network loads increase and the idea of intentionally 1880 * blowing out network buffers is, frankly, a terrible way to manage network 1881 * resources. 1882 * 1883 * It is far better to limit the transmit window prior to the failure 1884 * condition being achieved. There are two general ways to do this: First 1885 * you can 'scan' through different transmit window sizes and locate the 1886 * point where the RTT stops increasing, indicating that you have filled the 1887 * pipe, then scan backwards until you note that RTT stops decreasing, then 1888 * repeat ad-infinitum. This method works in principle but has severe 1889 * implementation issues due to RTT variances, timer granularity, and 1890 * instability in the algorithm which can lead to many false positives and 1891 * create oscillations as well as interact badly with other TCP streams 1892 * implementing the same algorithm. 1893 * 1894 * The second method is to limit the window to the bandwidth delay product 1895 * of the link. This is the method we implement. RTT variances and our 1896 * own manipulation of the congestion window, bwnd, can potentially 1897 * destabilize the algorithm. For this reason we have to stabilize the 1898 * elements used to calculate the window. We do this by using the minimum 1899 * observed RTT, the long term average of the observed bandwidth, and 1900 * by adding two segments worth of slop. It isn't perfect but it is able 1901 * to react to changing conditions and gives us a very stable basis on 1902 * which to extend the algorithm. 1903 */ 1904 void 1905 tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq) 1906 { 1907 u_long bw; 1908 u_long bwnd; 1909 int save_ticks; 1910 1911 INP_LOCK_ASSERT(tp->t_inpcb); 1912 1913 /* 1914 * If inflight_enable is disabled in the middle of a tcp connection, 1915 * make sure snd_bwnd is effectively disabled. 1916 */ 1917 if (tcp_inflight_enable == 0) { 1918 tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT; 1919 tp->snd_bandwidth = 0; 1920 return; 1921 } 1922 1923 /* 1924 * Figure out the bandwidth. Due to the tick granularity this 1925 * is a very rough number and it MUST be averaged over a fairly 1926 * long period of time. XXX we need to take into account a link 1927 * that is not using all available bandwidth, but for now our 1928 * slop will ramp us up if this case occurs and the bandwidth later 1929 * increases. 1930 * 1931 * Note: if ticks rollover 'bw' may wind up negative. We must 1932 * effectively reset t_bw_rtttime for this case. 1933 */ 1934 save_ticks = ticks; 1935 if ((u_int)(save_ticks - tp->t_bw_rtttime) < 1) 1936 return; 1937 1938 bw = (int64_t)(ack_seq - tp->t_bw_rtseq) * hz / 1939 (save_ticks - tp->t_bw_rtttime); 1940 tp->t_bw_rtttime = save_ticks; 1941 tp->t_bw_rtseq = ack_seq; 1942 if (tp->t_bw_rtttime == 0 || (int)bw < 0) 1943 return; 1944 bw = ((int64_t)tp->snd_bandwidth * 15 + bw) >> 4; 1945 1946 tp->snd_bandwidth = bw; 1947 1948 /* 1949 * Calculate the semi-static bandwidth delay product, plus two maximal 1950 * segments. The additional slop puts us squarely in the sweet 1951 * spot and also handles the bandwidth run-up case and stabilization. 1952 * Without the slop we could be locking ourselves into a lower 1953 * bandwidth. 1954 * 1955 * Situations Handled: 1956 * (1) Prevents over-queueing of packets on LANs, especially on 1957 * high speed LANs, allowing larger TCP buffers to be 1958 * specified, and also does a good job preventing 1959 * over-queueing of packets over choke points like modems 1960 * (at least for the transmit side). 1961 * 1962 * (2) Is able to handle changing network loads (bandwidth 1963 * drops so bwnd drops, bandwidth increases so bwnd 1964 * increases). 1965 * 1966 * (3) Theoretically should stabilize in the face of multiple 1967 * connections implementing the same algorithm (this may need 1968 * a little work). 1969 * 1970 * (4) Stability value (defaults to 20 = 2 maximal packets) can 1971 * be adjusted with a sysctl but typically only needs to be 1972 * on very slow connections. A value no smaller then 5 1973 * should be used, but only reduce this default if you have 1974 * no other choice. 1975 */ 1976 #define USERTT ((tp->t_srtt + tp->t_rttbest) / 2) 1977 bwnd = (int64_t)bw * USERTT / (hz << TCP_RTT_SHIFT) + tcp_inflight_stab * tp->t_maxseg / 10; 1978 #undef USERTT 1979 1980 if (tcp_inflight_debug > 0) { 1981 static int ltime; 1982 if ((u_int)(ticks - ltime) >= hz / tcp_inflight_debug) { 1983 ltime = ticks; 1984 printf("%p bw %ld rttbest %d srtt %d bwnd %ld\n", 1985 tp, 1986 bw, 1987 tp->t_rttbest, 1988 tp->t_srtt, 1989 bwnd 1990 ); 1991 } 1992 } 1993 if ((long)bwnd < tcp_inflight_min) 1994 bwnd = tcp_inflight_min; 1995 if (bwnd > tcp_inflight_max) 1996 bwnd = tcp_inflight_max; 1997 if ((long)bwnd < tp->t_maxseg * 2) 1998 bwnd = tp->t_maxseg * 2; 1999 tp->snd_bwnd = bwnd; 2000 } 2001 2002 #ifdef TCP_SIGNATURE 2003 /* 2004 * Callback function invoked by m_apply() to digest TCP segment data 2005 * contained within an mbuf chain. 2006 */ 2007 static int 2008 tcp_signature_apply(void *fstate, void *data, u_int len) 2009 { 2010 2011 MD5Update(fstate, (u_char *)data, len); 2012 return (0); 2013 } 2014 2015 /* 2016 * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385) 2017 * 2018 * Parameters: 2019 * m pointer to head of mbuf chain 2020 * off0 offset to TCP header within the mbuf chain 2021 * len length of TCP segment data, excluding options 2022 * optlen length of TCP segment options 2023 * buf pointer to storage for computed MD5 digest 2024 * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND) 2025 * 2026 * We do this over ip, tcphdr, segment data, and the key in the SADB. 2027 * When called from tcp_input(), we can be sure that th_sum has been 2028 * zeroed out and verified already. 2029 * 2030 * This function is for IPv4 use only. Calling this function with an 2031 * IPv6 packet in the mbuf chain will yield undefined results. 2032 * 2033 * Return 0 if successful, otherwise return -1. 2034 * 2035 * XXX The key is retrieved from the system's PF_KEY SADB, by keying a 2036 * search with the destination IP address, and a 'magic SPI' to be 2037 * determined by the application. This is hardcoded elsewhere to 1179 2038 * right now. Another branch of this code exists which uses the SPD to 2039 * specify per-application flows but it is unstable. 2040 */ 2041 int 2042 tcp_signature_compute(struct mbuf *m, int off0, int len, int optlen, 2043 u_char *buf, u_int direction) 2044 { 2045 union sockaddr_union dst; 2046 struct ippseudo ippseudo; 2047 MD5_CTX ctx; 2048 int doff; 2049 struct ip *ip; 2050 struct ipovly *ipovly; 2051 struct secasvar *sav; 2052 struct tcphdr *th; 2053 u_short savecsum; 2054 2055 KASSERT(m != NULL, ("NULL mbuf chain")); 2056 KASSERT(buf != NULL, ("NULL signature pointer")); 2057 2058 /* Extract the destination from the IP header in the mbuf. */ 2059 ip = mtod(m, struct ip *); 2060 bzero(&dst, sizeof(union sockaddr_union)); 2061 dst.sa.sa_len = sizeof(struct sockaddr_in); 2062 dst.sa.sa_family = AF_INET; 2063 dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ? 2064 ip->ip_src : ip->ip_dst; 2065 2066 /* Look up an SADB entry which matches the address of the peer. */ 2067 sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); 2068 if (sav == NULL) { 2069 printf("%s: SADB lookup failed for %s\n", __func__, 2070 inet_ntoa(dst.sin.sin_addr)); 2071 return (EINVAL); 2072 } 2073 2074 MD5Init(&ctx); 2075 ipovly = (struct ipovly *)ip; 2076 th = (struct tcphdr *)((u_char *)ip + off0); 2077 doff = off0 + sizeof(struct tcphdr) + optlen; 2078 2079 /* 2080 * Step 1: Update MD5 hash with IP pseudo-header. 2081 * 2082 * XXX The ippseudo header MUST be digested in network byte order, 2083 * or else we'll fail the regression test. Assume all fields we've 2084 * been doing arithmetic on have been in host byte order. 2085 * XXX One cannot depend on ipovly->ih_len here. When called from 2086 * tcp_output(), the underlying ip_len member has not yet been set. 2087 */ 2088 ippseudo.ippseudo_src = ipovly->ih_src; 2089 ippseudo.ippseudo_dst = ipovly->ih_dst; 2090 ippseudo.ippseudo_pad = 0; 2091 ippseudo.ippseudo_p = IPPROTO_TCP; 2092 ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen); 2093 MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo)); 2094 2095 /* 2096 * Step 2: Update MD5 hash with TCP header, excluding options. 2097 * The TCP checksum must be set to zero. 2098 */ 2099 savecsum = th->th_sum; 2100 th->th_sum = 0; 2101 MD5Update(&ctx, (char *)th, sizeof(struct tcphdr)); 2102 th->th_sum = savecsum; 2103 2104 /* 2105 * Step 3: Update MD5 hash with TCP segment data. 2106 * Use m_apply() to avoid an early m_pullup(). 2107 */ 2108 if (len > 0) 2109 m_apply(m, doff, len, tcp_signature_apply, &ctx); 2110 2111 /* 2112 * Step 4: Update MD5 hash with shared secret. 2113 */ 2114 MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); 2115 MD5Final(buf, &ctx); 2116 2117 key_sa_recordxfer(sav, m); 2118 KEY_FREESAV(&sav); 2119 return (0); 2120 } 2121 #endif /* TCP_SIGNATURE */ 2122