xref: /illumos-gate/usr/src/stand/lib/tcp/tcp.c (revision c73799dd86c25c27f5183e83584212d06d1ecebc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  * Copyright (c) 2016 by Delphix. All rights reserved.
26  *
27  * tcp.c, Code implementing the TCP protocol.
28  */
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #include <sys/types.h>
33 #include <socket_impl.h>
34 #include <socket_inet.h>
35 #include <sys/sysmacros.h>
36 #include <sys/promif.h>
37 #include <sys/socket.h>
38 #include <netinet/in_systm.h>
39 #include <netinet/in.h>
40 #include <netinet/ip.h>
41 #include <netinet/tcp.h>
42 #include <net/if_types.h>
43 #include <sys/salib.h>
44 
45 #include "ipv4.h"
46 #include "ipv4_impl.h"
47 #include "mac.h"
48 #include "mac_impl.h"
49 #include "v4_sum_impl.h"
50 #include <sys/bootdebug.h>
51 #include "tcp_inet.h"
52 #include "tcp_sack.h"
53 #include <inet/common.h>
54 #include <inet/mib2.h>
55 
56 /*
57  * We need to redefine BUMP_MIB/UPDATE_MIB to not have DTrace probes.
58  */
59 #undef BUMP_MIB
60 #define	BUMP_MIB(x) (x)++
61 
62 #undef UPDATE_MIB
63 #define	UPDATE_MIB(x, y) x += y
64 
65 /*
66  * MIB-2 stuff for SNMP
67  */
68 mib2_tcp_t	tcp_mib;	/* SNMP fixed size info */
69 
70 /* The TCP mib does not include the following errors. */
71 static uint_t tcp_cksum_errors;
72 static uint_t tcp_drops;
73 
74 /* Macros for timestamp comparisons */
75 #define	TSTMP_GEQ(a, b)	((int32_t)((a)-(b)) >= 0)
76 #define	TSTMP_LT(a, b)	((int32_t)((a)-(b)) < 0)
77 
78 /*
79  * Parameters for TCP Initial Send Sequence number (ISS) generation.
80  * The ISS is calculated by adding three components: a time component
81  * which grows by 1 every 4096 nanoseconds (versus every 4 microseconds
82  * suggested by RFC 793, page 27);
83  * a per-connection component which grows by 125000 for every new connection;
84  * and an "extra" component that grows by a random amount centered
85  * approximately on 64000.  This causes the the ISS generator to cycle every
86  * 4.89 hours if no TCP connections are made, and faster if connections are
87  * made.
88  */
89 #define	ISS_INCR	250000
90 #define	ISS_NSEC_SHT	0
91 
92 static uint32_t tcp_iss_incr_extra;	/* Incremented for each connection */
93 
94 #define	TCP_XMIT_LOWATER	4096
95 #define	TCP_XMIT_HIWATER	49152
96 #define	TCP_RECV_LOWATER	2048
97 #define	TCP_RECV_HIWATER	49152
98 
99 /*
100  *  PAWS needs a timer for 24 days.  This is the number of ms in 24 days
101  */
102 #define	PAWS_TIMEOUT	((uint32_t)(24*24*60*60*1000))
103 
104 /*
105  * TCP options struct returned from tcp_parse_options.
106  */
107 typedef struct tcp_opt_s {
108 	uint32_t	tcp_opt_mss;
109 	uint32_t	tcp_opt_wscale;
110 	uint32_t	tcp_opt_ts_val;
111 	uint32_t	tcp_opt_ts_ecr;
112 	tcp_t		*tcp;
113 } tcp_opt_t;
114 
115 /*
116  * RFC1323-recommended phrasing of TSTAMP option, for easier parsing
117  */
118 
119 #ifdef _BIG_ENDIAN
120 #define	TCPOPT_NOP_NOP_TSTAMP ((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) | \
121 	(TCPOPT_TSTAMP << 8) | 10)
122 #else
123 #define	TCPOPT_NOP_NOP_TSTAMP ((10 << 24) | (TCPOPT_TSTAMP << 16) | \
124 	(TCPOPT_NOP << 8) | TCPOPT_NOP)
125 #endif
126 
127 /*
128  * Flags returned from tcp_parse_options.
129  */
130 #define	TCP_OPT_MSS_PRESENT	1
131 #define	TCP_OPT_WSCALE_PRESENT	2
132 #define	TCP_OPT_TSTAMP_PRESENT	4
133 #define	TCP_OPT_SACK_OK_PRESENT	8
134 #define	TCP_OPT_SACK_PRESENT	16
135 
136 /* TCP option length */
137 #define	TCPOPT_NOP_LEN		1
138 #define	TCPOPT_MAXSEG_LEN	4
139 #define	TCPOPT_WS_LEN		3
140 #define	TCPOPT_REAL_WS_LEN	(TCPOPT_WS_LEN+1)
141 #define	TCPOPT_TSTAMP_LEN	10
142 #define	TCPOPT_REAL_TS_LEN	(TCPOPT_TSTAMP_LEN+2)
143 #define	TCPOPT_SACK_OK_LEN	2
144 #define	TCPOPT_REAL_SACK_OK_LEN	(TCPOPT_SACK_OK_LEN+2)
145 #define	TCPOPT_REAL_SACK_LEN	4
146 #define	TCPOPT_MAX_SACK_LEN	36
147 #define	TCPOPT_HEADER_LEN	2
148 
149 /* TCP cwnd burst factor. */
150 #define	TCP_CWND_INFINITE	65535
151 #define	TCP_CWND_SS		3
152 #define	TCP_CWND_NORMAL		5
153 
154 /* Named Dispatch Parameter Management Structure */
155 typedef struct tcpparam_s {
156 	uint32_t	tcp_param_min;
157 	uint32_t	tcp_param_max;
158 	uint32_t	tcp_param_val;
159 	char		*tcp_param_name;
160 } tcpparam_t;
161 
162 /* Max size IP datagram is 64k - 1 */
163 #define	TCP_MSS_MAX_IPV4 (IP_MAXPACKET - (sizeof (struct ip) + \
164 	sizeof (tcph_t)))
165 
166 /* Max of the above */
167 #define	TCP_MSS_MAX	TCP_MSS_MAX_IPV4
168 
169 /* Largest TCP port number */
170 #define	TCP_MAX_PORT	(64 * 1024 - 1)
171 
172 /* Round up the value to the nearest mss. */
173 #define	MSS_ROUNDUP(value, mss)		((((value) - 1) / (mss) + 1) * (mss))
174 
175 #define	MS	1L
176 #define	SECONDS	(1000 * MS)
177 #define	MINUTES	(60 * SECONDS)
178 #define	HOURS	(60 * MINUTES)
179 #define	DAYS	(24 * HOURS)
180 
181 /* All NDD params in the core TCP became static variables. */
182 static int	tcp_time_wait_interval = 1 * MINUTES;
183 static int	tcp_conn_req_max_q = 128;
184 static int	tcp_conn_req_max_q0 = 1024;
185 static int	tcp_conn_req_min = 1;
186 static int	tcp_conn_grace_period = 0 * SECONDS;
187 static int	tcp_cwnd_max_ = 1024 * 1024;
188 static int	tcp_smallest_nonpriv_port = 1024;
189 static int	tcp_ip_abort_cinterval = 3 * MINUTES;
190 static int	tcp_ip_abort_linterval = 3 * MINUTES;
191 static int	tcp_ip_abort_interval = 8 * MINUTES;
192 static int	tcp_ip_notify_cinterval = 10 * SECONDS;
193 static int	tcp_ip_notify_interval = 10 * SECONDS;
194 static int	tcp_ipv4_ttl = 64;
195 static int	tcp_mss_def_ipv4 = 536;
196 static int	tcp_mss_max_ipv4 = TCP_MSS_MAX_IPV4;
197 static int	tcp_mss_min = 108;
198 static int	tcp_naglim_def = (4*1024)-1;
199 static int	tcp_rexmit_interval_initial = 3 * SECONDS;
200 static int	tcp_rexmit_interval_max = 60 * SECONDS;
201 static int	tcp_rexmit_interval_min = 400 * MS;
202 static int	tcp_dupack_fast_retransmit = 3;
203 static int	tcp_smallest_anon_port = 32 * 1024;
204 static int	tcp_largest_anon_port = TCP_MAX_PORT;
205 static int	tcp_xmit_lowat = TCP_XMIT_LOWATER;
206 static int	tcp_recv_hiwat_minmss = 4;
207 static int	tcp_fin_wait_2_flush_interval = 1 * MINUTES;
208 static int	tcp_max_buf = 1024 * 1024;
209 static int	tcp_wscale_always = 1;
210 static int	tcp_tstamp_always = 1;
211 static int	tcp_tstamp_if_wscale = 1;
212 static int	tcp_rexmit_interval_extra = 0;
213 static int	tcp_slow_start_after_idle = 2;
214 static int	tcp_slow_start_initial = 2;
215 static int	tcp_sack_permitted = 2;
216 static int	tcp_ecn_permitted = 2;
217 
218 /* Extra room to fit in headers. */
219 static uint_t	tcp_wroff_xtra;
220 
221 /* Hint for next port to try. */
222 static in_port_t	tcp_next_port_to_try = 32*1024;
223 
224 /*
225  * Figure out the value of window scale opton.  Note that the rwnd is
226  * ASSUMED to be rounded up to the nearest MSS before the calculation.
227  * We cannot find the scale value and then do a round up of tcp_rwnd
228  * because the scale value may not be correct after that.
229  */
230 #define	SET_WS_VALUE(tcp) \
231 { \
232 	int i; \
233 	uint32_t rwnd = (tcp)->tcp_rwnd; \
234 	for (i = 0; rwnd > TCP_MAXWIN && i < TCP_MAX_WINSHIFT; \
235 	    i++, rwnd >>= 1) \
236 		; \
237 	(tcp)->tcp_rcv_ws = i; \
238 }
239 
240 /*
241  * Set ECN capable transport (ECT) code point in IP header.
242  *
243  * Note that there are 2 ECT code points '01' and '10', which are called
244  * ECT(1) and ECT(0) respectively.  Here we follow the original ECT code
245  * point ECT(0) for TCP as described in RFC 2481.
246  */
247 #define	SET_ECT(tcp, iph) \
248 	if ((tcp)->tcp_ipversion == IPV4_VERSION) { \
249 		/* We need to clear the code point first. */ \
250 		((struct ip *)(iph))->ip_tos &= 0xFC; \
251 		((struct ip *)(iph))->ip_tos |= IPH_ECN_ECT0; \
252 	}
253 
254 /*
255  * The format argument to pass to tcp_display().
256  * DISP_PORT_ONLY means that the returned string has only port info.
257  * DISP_ADDR_AND_PORT means that the returned string also contains the
258  * remote and local IP address.
259  */
260 #define	DISP_PORT_ONLY		1
261 #define	DISP_ADDR_AND_PORT	2
262 
263 /*
264  * TCP reassembly macros.  We hide starting and ending sequence numbers in
265  * b_next and b_prev of messages on the reassembly queue.  The messages are
266  * chained using b_cont.  These macros are used in tcp_reass() so we don't
267  * have to see the ugly casts and assignments.
268  * Note. use uintptr_t to suppress the gcc warning.
269  */
270 #define	TCP_REASS_SEQ(mp)		((uint32_t)(uintptr_t)((mp)->b_next))
271 #define	TCP_REASS_SET_SEQ(mp, u)	((mp)->b_next = \
272 					    (mblk_t *)((uintptr_t)(u)))
273 #define	TCP_REASS_END(mp)		((uint32_t)(uintptr_t)((mp)->b_prev))
274 #define	TCP_REASS_SET_END(mp, u)	((mp)->b_prev = \
275 					    (mblk_t *)((uintptr_t)(u)))
276 
277 #define	TCP_TIMER_RESTART(tcp, intvl) \
278 	(tcp)->tcp_rto_timeout = prom_gettime() + intvl; \
279 	(tcp)->tcp_timer_running = B_TRUE;
280 
281 static int tcp_accept_comm(tcp_t *, tcp_t *, mblk_t *, uint_t);
282 static mblk_t *tcp_ack_mp(tcp_t *);
283 static in_port_t tcp_bindi(in_port_t, in_addr_t *, boolean_t, boolean_t);
284 static uint16_t tcp_cksum(uint16_t *, uint32_t);
285 static void tcp_clean_death(int, tcp_t *, int err);
286 static tcp_t *tcp_conn_request(tcp_t *, mblk_t *mp, uint_t, uint_t);
287 static char *tcp_display(tcp_t *, char *, char);
288 static int tcp_drain_input(tcp_t *, int, int);
289 static void tcp_drain_needed(int, tcp_t *);
290 static boolean_t tcp_drop_q0(tcp_t *);
291 static mblk_t *tcp_get_seg_mp(tcp_t *, uint32_t, int32_t *);
292 static int tcp_header_len(struct inetgram *);
293 static in_port_t tcp_report_ports(uint16_t *, enum Ports);
294 static int tcp_input(int);
295 static void tcp_iss_init(tcp_t *);
296 static tcp_t *tcp_lookup_ipv4(struct ip *, tcpha_t *, int, int *);
297 static tcp_t *tcp_lookup_listener_ipv4(in_addr_t, in_port_t, int *);
298 static int tcp_conn_check(tcp_t *);
299 static int tcp_close(int);
300 static void tcp_close_detached(tcp_t *);
301 static void tcp_eager_cleanup(tcp_t *, boolean_t, int);
302 static void tcp_eager_unlink(tcp_t *);
303 static void tcp_free(tcp_t *);
304 static int tcp_header_init_ipv4(tcp_t *);
305 static void tcp_mss_set(tcp_t *, uint32_t);
306 static int tcp_parse_options(tcph_t *, tcp_opt_t *);
307 static boolean_t tcp_paws_check(tcp_t *, tcph_t *, tcp_opt_t *);
308 static void tcp_process_options(tcp_t *, tcph_t *);
309 static int tcp_random(void);
310 static void tcp_random_init(void);
311 static mblk_t *tcp_reass(tcp_t *, mblk_t *, uint32_t);
312 static void tcp_reass_elim_overlap(tcp_t *, mblk_t *);
313 static void tcp_rcv_drain(int sock_id, tcp_t *);
314 static void tcp_rcv_enqueue(tcp_t *, mblk_t *, uint_t);
315 static void tcp_rput_data(tcp_t *, mblk_t *, int);
316 static int tcp_rwnd_set(tcp_t *, uint32_t);
317 static int32_t tcp_sack_rxmit(tcp_t *, int);
318 static void tcp_set_cksum(mblk_t *);
319 static void tcp_set_rto(tcp_t *, int32_t);
320 static void tcp_ss_rexmit(tcp_t *, int);
321 static int tcp_state_wait(int, tcp_t *, int);
322 static void tcp_timer(tcp_t *, int);
323 static void tcp_time_wait_append(tcp_t *);
324 static void tcp_time_wait_collector(void);
325 static void tcp_time_wait_processing(tcp_t *, mblk_t *, uint32_t,
326     uint32_t, int, tcph_t *, int sock_id);
327 static void tcp_time_wait_remove(tcp_t *);
328 static in_port_t tcp_update_next_port(in_port_t);
329 static int tcp_verify_cksum(mblk_t *);
330 static void tcp_wput_data(tcp_t *, mblk_t *, int);
331 static void tcp_xmit_ctl(char *, tcp_t *, mblk_t *, uint32_t, uint32_t,
332     int, uint_t, int);
333 static void tcp_xmit_early_reset(char *, int, mblk_t *, uint32_t, uint32_t,
334     int, uint_t);
335 static int tcp_xmit_end(tcp_t *, int);
336 static void tcp_xmit_listeners_reset(int, mblk_t *, uint_t);
337 static mblk_t *tcp_xmit_mp(tcp_t *, mblk_t *, int32_t, int32_t *,
338     mblk_t **, uint32_t, boolean_t, uint32_t *, boolean_t);
339 static int tcp_init_values(tcp_t *, struct inetboot_socket *);
340 
341 #if DEBUG > 1
342 #define	TCP_DUMP_PACKET(str, mp) \
343 { \
344 	int len = (mp)->b_wptr - (mp)->b_rptr; \
345 \
346 	printf("%s: dump TCP(%d): \n", (str), len); \
347 	hexdump((char *)(mp)->b_rptr, len); \
348 }
349 #else
350 #define	TCP_DUMP_PACKET(str, mp)
351 #endif
352 
353 #ifdef DEBUG
354 #define	DEBUG_1(str, arg)		printf(str, (arg))
355 #define	DEBUG_2(str, arg1, arg2)	printf(str, (arg1), (arg2))
356 #define	DEBUG_3(str, arg1, arg2, arg3)	printf(str, (arg1), (arg2), (arg3))
357 #else
358 #define	DEBUG_1(str, arg)
359 #define	DEBUG_2(str, arg1, arg2)
360 #define	DEBUG_3(str, arg1, arg2, arg3)
361 #endif
362 
363 /* Whether it is the first time TCP is used. */
364 static boolean_t tcp_initialized = B_FALSE;
365 
366 /* TCP time wait list. */
367 static tcp_t *tcp_time_wait_head;
368 static tcp_t *tcp_time_wait_tail;
369 static uint32_t tcp_cum_timewait;
370 /* When the tcp_time_wait_collector is run. */
371 static uint32_t tcp_time_wait_runtime;
372 
373 #define	TCP_RUN_TIME_WAIT_COLLECTOR() \
374 	if (prom_gettime() > tcp_time_wait_runtime) \
375 		tcp_time_wait_collector();
376 
377 /*
378  * Accept will return with an error if there is no connection coming in
379  * after this (in ms).
380  */
381 static int tcp_accept_timeout = 60000;
382 
383 /*
384  * Initialize the TCP-specific parts of a socket.
385  */
386 void
387 tcp_socket_init(struct inetboot_socket *isp)
388 {
389 	/* Do some initializations. */
390 	if (!tcp_initialized) {
391 		tcp_random_init();
392 		/* Extra head room for the MAC layer address. */
393 		if ((tcp_wroff_xtra = mac_get_hdr_len()) & 0x3) {
394 			tcp_wroff_xtra = (tcp_wroff_xtra & ~0x3) + 0x4;
395 		}
396 		/* Schedule the first time wait cleanup time */
397 		tcp_time_wait_runtime = prom_gettime() + tcp_time_wait_interval;
398 		tcp_initialized = B_TRUE;
399 	}
400 	TCP_RUN_TIME_WAIT_COLLECTOR();
401 
402 	isp->proto = IPPROTO_TCP;
403 	isp->input[TRANSPORT_LVL] = tcp_input;
404 	/* Socket layer should call tcp_send() directly. */
405 	isp->output[TRANSPORT_LVL] = NULL;
406 	isp->close[TRANSPORT_LVL] = tcp_close;
407 	isp->headerlen[TRANSPORT_LVL] = tcp_header_len;
408 	isp->ports = tcp_report_ports;
409 	if ((isp->pcb = bkmem_alloc(sizeof (tcp_t))) == NULL) {
410 		errno = ENOBUFS;
411 		return;
412 	}
413 	if ((errno = tcp_init_values((tcp_t *)isp->pcb, isp)) != 0) {
414 		bkmem_free(isp->pcb, sizeof (tcp_t));
415 		return;
416 	}
417 	/*
418 	 * This is set last because this field is used to determine if
419 	 * a socket is in use or not.
420 	 */
421 	isp->type = INETBOOT_STREAM;
422 }
423 
424 /*
425  * Return the size of a TCP header including TCP option.
426  */
427 static int
428 tcp_header_len(struct inetgram *igm)
429 {
430 	mblk_t *pkt;
431 	int ipvers;
432 
433 	/* Just returns the standard TCP header without option */
434 	if (igm == NULL)
435 		return (sizeof (tcph_t));
436 
437 	if ((pkt = igm->igm_mp) == NULL)
438 		return (0);
439 
440 	ipvers = ((struct ip *)pkt->b_rptr)->ip_v;
441 	if (ipvers == IPV4_VERSION) {
442 		return (TCP_HDR_LENGTH((tcph_t *)(pkt + IPH_HDR_LENGTH(pkt))));
443 	} else {
444 		dprintf("tcp_header_len: non-IPv4 packet.\n");
445 		return (0);
446 	}
447 }
448 
449 /*
450  * Return the requested port number in network order.
451  */
452 static in_port_t
453 tcp_report_ports(uint16_t *tcphp, enum Ports request)
454 {
455 	if (request == SOURCE)
456 		return (*(uint16_t *)(((tcph_t *)tcphp)->th_lport));
457 	return (*(uint16_t *)(((tcph_t *)tcphp)->th_fport));
458 }
459 
460 /*
461  * Because inetboot is not interrupt driven, TCP can only poll.  This
462  * means that there can be packets stuck in the NIC buffer waiting to
463  * be processed.  Thus we need to drain them before, for example, sending
464  * anything because an ACK may actually be stuck there.
465  *
466  * The timeout arguments determine how long we should wait for draining.
467  */
468 static int
469 tcp_drain_input(tcp_t *tcp, int sock_id, int timeout)
470 {
471 	struct inetgram *in_gram;
472 	struct inetgram *old_in_gram;
473 	int old_timeout;
474 	mblk_t *mp;
475 	int i;
476 
477 	dprintf("tcp_drain_input(%d): %s\n", sock_id,
478 	    tcp_display(tcp, NULL, DISP_ADDR_AND_PORT));
479 
480 	/*
481 	 * Since the driver uses the in_timeout value in the socket
482 	 * structure to determine the timeout value, we need to save
483 	 * the original one so that we can restore that after draining.
484 	 */
485 	old_timeout = sockets[sock_id].in_timeout;
486 	sockets[sock_id].in_timeout = timeout;
487 
488 	/*
489 	 * We do this because the input queue may have some user
490 	 * data already.
491 	 */
492 	old_in_gram = sockets[sock_id].inq;
493 	sockets[sock_id].inq = NULL;
494 
495 	/* Go out and check the wire */
496 	for (i = MEDIA_LVL; i < TRANSPORT_LVL; i++) {
497 		if (sockets[sock_id].input[i] != NULL) {
498 			if (sockets[sock_id].input[i](sock_id) < 0) {
499 				sockets[sock_id].in_timeout = old_timeout;
500 				if (sockets[sock_id].inq != NULL)
501 					nuke_grams(&sockets[sock_id].inq);
502 				sockets[sock_id].inq = old_in_gram;
503 				return (-1);
504 			}
505 		}
506 	}
507 #if DEBUG
508 	printf("tcp_drain_input: done with checking packets\n");
509 #endif
510 	while ((in_gram = sockets[sock_id].inq) != NULL) {
511 		/* Remove unknown inetgrams from the head of inq. */
512 		if (in_gram->igm_level != TRANSPORT_LVL) {
513 #if DEBUG
514 			printf("tcp_drain_input: unexpected packet "
515 			    "level %d frame found\n", in_gram->igm_level);
516 #endif
517 			del_gram(&sockets[sock_id].inq, in_gram, B_TRUE);
518 			continue;
519 		}
520 		mp = in_gram->igm_mp;
521 		del_gram(&sockets[sock_id].inq, in_gram, B_FALSE);
522 		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
523 		tcp_rput_data(tcp, mp, sock_id);
524 		sockets[sock_id].in_timeout = old_timeout;
525 
526 		/*
527 		 * The other side may have closed this connection or
528 		 * RST us.  But we need to continue to process other
529 		 * packets in the socket's queue because they may be
530 		 * belong to another TCP connections.
531 		 */
532 		if (sockets[sock_id].pcb == NULL)
533 			tcp = NULL;
534 	}
535 
536 	if (tcp == NULL || sockets[sock_id].pcb == NULL) {
537 		if (sockets[sock_id].so_error != 0)
538 			return (-1);
539 		else
540 			return (0);
541 	}
542 #if DEBUG
543 	printf("tcp_drain_input: done with processing packets\n");
544 #endif
545 	sockets[sock_id].in_timeout = old_timeout;
546 	sockets[sock_id].inq = old_in_gram;
547 
548 	/*
549 	 * Data may have been received so indicate it is available
550 	 */
551 	tcp_drain_needed(sock_id, tcp);
552 	return (0);
553 }
554 
555 /*
556  * The receive entry point for upper layer to call to get data.  Note
557  * that this follows the current architecture that lower layer receive
558  * routines have been called already.  Thus if the inq of socket is
559  * not NULL, the packets must be for us.
560  */
561 static int
562 tcp_input(int sock_id)
563 {
564 	struct inetgram *in_gram;
565 	mblk_t *mp;
566 	tcp_t *tcp;
567 
568 	TCP_RUN_TIME_WAIT_COLLECTOR();
569 
570 	if ((tcp = sockets[sock_id].pcb) == NULL)
571 		return (-1);
572 
573 	while ((in_gram = sockets[sock_id].inq) != NULL) {
574 		/* Remove unknown inetgrams from the head of inq. */
575 		if (in_gram->igm_level != TRANSPORT_LVL) {
576 #ifdef DEBUG
577 			printf("tcp_input: unexpected packet "
578 			    "level %d frame found\n", in_gram->igm_level);
579 #endif
580 			del_gram(&sockets[sock_id].inq, in_gram, B_TRUE);
581 			continue;
582 		}
583 		mp = in_gram->igm_mp;
584 		del_gram(&sockets[sock_id].inq, in_gram, B_FALSE);
585 		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
586 		tcp_rput_data(tcp, mp, sock_id);
587 		/* The TCP may be gone because it gets a RST. */
588 		if (sockets[sock_id].pcb == NULL)
589 			return (-1);
590 	}
591 
592 	/* Flush the receive list. */
593 	if (tcp->tcp_rcv_list != NULL) {
594 		tcp_rcv_drain(sock_id, tcp);
595 	} else {
596 		/* The other side has closed the connection, report this up. */
597 		if (tcp->tcp_state == TCPS_CLOSE_WAIT) {
598 			sockets[sock_id].so_state |= SS_CANTRCVMORE;
599 			return (0);
600 		}
601 	}
602 	return (0);
603 }
604 
605 /*
606  * The send entry point for upper layer to call to send data.  In order
607  * to minimize changes to the core TCP code, we need to put the
608  * data into mblks.
609  */
610 int
611 tcp_send(int sock_id, tcp_t *tcp, const void *msg, int len)
612 {
613 	mblk_t *mp;
614 	mblk_t *head = NULL;
615 	mblk_t *tail;
616 	int mss = tcp->tcp_mss;
617 	int cnt = 0;
618 	int win_size;
619 	char *buf = (char *)msg;
620 
621 	TCP_RUN_TIME_WAIT_COLLECTOR();
622 
623 	/* We don't want to append 0 size mblk. */
624 	if (len == 0)
625 		return (0);
626 	while (len > 0) {
627 		if (len < mss) {
628 			mss = len;
629 		}
630 		/*
631 		 * If we cannot allocate more buffer, stop here and
632 		 * the number of bytes buffered will be returned.
633 		 *
634 		 * Note that we follow the core TCP optimization that
635 		 * each mblk contains only MSS bytes data.
636 		 */
637 		if ((mp = allocb(mss + tcp->tcp_ip_hdr_len +
638 		    TCP_MAX_HDR_LENGTH + tcp_wroff_xtra, 0)) == NULL) {
639 			break;
640 		}
641 		mp->b_rptr += tcp->tcp_hdr_len + tcp_wroff_xtra;
642 		bcopy(buf, mp->b_rptr, mss);
643 		mp->b_wptr = mp->b_rptr + mss;
644 		buf += mss;
645 		cnt += mss;
646 		len -= mss;
647 
648 		if (head == NULL) {
649 			head = mp;
650 			tail = mp;
651 		} else {
652 			tail->b_cont = mp;
653 			tail = mp;
654 		}
655 	}
656 
657 	/*
658 	 * Since inetboot is not interrupt driven, there may be
659 	 * some ACKs in the MAC's buffer.  Drain them first,
660 	 * otherwise, we may not be able to send.
661 	 *
662 	 * We expect an ACK in two cases:
663 	 *
664 	 * 1) We have un-ACK'ed data.
665 	 *
666 	 * 2) All ACK's have been received and the sender's window has been
667 	 * closed.  We need an ACK back to open the window so that we can
668 	 * send.  In this case, call tcp_drain_input() if the window size is
669 	 * less than 2 * MSS.
670 	 */
671 
672 	/* window size = MIN(swnd, cwnd) - unacked bytes */
673 	win_size = (tcp->tcp_swnd > tcp->tcp_cwnd) ? tcp->tcp_cwnd :
674 		tcp->tcp_swnd;
675 	win_size -= tcp->tcp_snxt;
676 	win_size += tcp->tcp_suna;
677 	if (win_size < (2 * tcp->tcp_mss))
678 		if (tcp_drain_input(tcp, sock_id, 5) < 0)
679 			return (-1);
680 
681 	tcp_wput_data(tcp, head, sock_id);
682 	/*
683 	 * errno should be reset here as it may be
684 	 * set to ETIMEDOUT. This may be set by
685 	 * the MAC driver in case it has timed out
686 	 * waiting for ARP reply. Any segment which
687 	 * was not transmitted because of ARP timeout
688 	 * will be retransmitted by TCP.
689 	 */
690 	if (errno == ETIMEDOUT)
691 		errno = 0;
692 	return (cnt);
693 }
694 
695 /* Free up all TCP related stuff */
696 static void
697 tcp_free(tcp_t *tcp)
698 {
699 	if (tcp->tcp_iphc != NULL) {
700 		bkmem_free((caddr_t)tcp->tcp_iphc, tcp->tcp_iphc_len);
701 		tcp->tcp_iphc = NULL;
702 	}
703 	if (tcp->tcp_xmit_head != NULL) {
704 		freemsg(tcp->tcp_xmit_head);
705 		tcp->tcp_xmit_head = NULL;
706 	}
707 	if (tcp->tcp_rcv_list != NULL) {
708 		freemsg(tcp->tcp_rcv_list);
709 		tcp->tcp_rcv_list = NULL;
710 	}
711 	if (tcp->tcp_reass_head != NULL) {
712 		freemsg(tcp->tcp_reass_head);
713 		tcp->tcp_reass_head = NULL;
714 	}
715 	if (tcp->tcp_sack_info != NULL) {
716 		bkmem_free((caddr_t)tcp->tcp_sack_info,
717 		    sizeof (tcp_sack_info_t));
718 		tcp->tcp_sack_info = NULL;
719 	}
720 }
721 
722 static void
723 tcp_close_detached(tcp_t *tcp)
724 {
725 	if (tcp->tcp_listener != NULL)
726 		tcp_eager_unlink(tcp);
727 	tcp_free(tcp);
728 	bkmem_free((caddr_t)tcp, sizeof (tcp_t));
729 }
730 
731 /*
732  * If we are an eager connection hanging off a listener that hasn't
733  * formally accepted the connection yet, get off its list and blow off
734  * any data that we have accumulated.
735  */
736 static void
737 tcp_eager_unlink(tcp_t *tcp)
738 {
739 	tcp_t	*listener = tcp->tcp_listener;
740 
741 	assert(listener != NULL);
742 	if (tcp->tcp_eager_next_q0 != NULL) {
743 		assert(tcp->tcp_eager_prev_q0 != NULL);
744 
745 		/* Remove the eager tcp from q0 */
746 		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
747 		    tcp->tcp_eager_prev_q0;
748 		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
749 		    tcp->tcp_eager_next_q0;
750 		listener->tcp_conn_req_cnt_q0--;
751 	} else {
752 		tcp_t   **tcpp = &listener->tcp_eager_next_q;
753 		tcp_t	*prev = NULL;
754 
755 		for (; tcpp[0]; tcpp = &tcpp[0]->tcp_eager_next_q) {
756 			if (tcpp[0] == tcp) {
757 				if (listener->tcp_eager_last_q == tcp) {
758 					/*
759 					 * If we are unlinking the last
760 					 * element on the list, adjust
761 					 * tail pointer. Set tail pointer
762 					 * to nil when list is empty.
763 					 */
764 					assert(tcp->tcp_eager_next_q == NULL);
765 					if (listener->tcp_eager_last_q ==
766 					    listener->tcp_eager_next_q) {
767 						listener->tcp_eager_last_q =
768 						NULL;
769 					} else {
770 						/*
771 						 * We won't get here if there
772 						 * is only one eager in the
773 						 * list.
774 						 */
775 						assert(prev != NULL);
776 						listener->tcp_eager_last_q =
777 						    prev;
778 					}
779 				}
780 				tcpp[0] = tcp->tcp_eager_next_q;
781 				tcp->tcp_eager_next_q = NULL;
782 				tcp->tcp_eager_last_q = NULL;
783 				listener->tcp_conn_req_cnt_q--;
784 				break;
785 			}
786 			prev = tcpp[0];
787 		}
788 	}
789 	tcp->tcp_listener = NULL;
790 }
791 
792 /*
793  * Reset any eager connection hanging off this listener
794  * and then reclaim it's resources.
795  */
796 static void
797 tcp_eager_cleanup(tcp_t *listener, boolean_t q0_only, int sock_id)
798 {
799 	tcp_t	*eager;
800 
801 	if (!q0_only) {
802 		/* First cleanup q */
803 		while ((eager = listener->tcp_eager_next_q) != NULL) {
804 			assert(listener->tcp_eager_last_q != NULL);
805 			tcp_xmit_ctl("tcp_eager_cleanup, can't wait",
806 			    eager, NULL, eager->tcp_snxt, 0, TH_RST, 0,
807 			    sock_id);
808 			tcp_close_detached(eager);
809 		}
810 		assert(listener->tcp_eager_last_q == NULL);
811 	}
812 	/* Then cleanup q0 */
813 	while ((eager = listener->tcp_eager_next_q0) != listener) {
814 		tcp_xmit_ctl("tcp_eager_cleanup, can't wait",
815 		    eager, NULL, eager->tcp_snxt, 0, TH_RST, 0, sock_id);
816 		tcp_close_detached(eager);
817 	}
818 }
819 
820 /*
821  * To handle the shutdown request. Called from shutdown()
822  */
823 int
824 tcp_shutdown(int sock_id)
825 {
826 	tcp_t	*tcp;
827 
828 	DEBUG_1("tcp_shutdown: sock_id %x\n", sock_id);
829 
830 	if ((tcp = sockets[sock_id].pcb) == NULL) {
831 		return (-1);
832 	}
833 
834 	/*
835 	 * Since inetboot is not interrupt driven, there may be
836 	 * some ACKs in the MAC's buffer.  Drain them first,
837 	 * otherwise, we may not be able to send.
838 	 */
839 	if (tcp_drain_input(tcp, sock_id, 5) < 0) {
840 		/*
841 		 * If we return now without freeing TCP, there will be
842 		 * a memory leak.
843 		 */
844 		if (sockets[sock_id].pcb != NULL)
845 			tcp_clean_death(sock_id, tcp, 0);
846 		return (-1);
847 	}
848 
849 	DEBUG_1("tcp_shutdown: tcp_state %x\n", tcp->tcp_state);
850 	switch (tcp->tcp_state) {
851 
852 	case TCPS_SYN_RCVD:
853 		/*
854 		 * Shutdown during the connect 3-way handshake
855 		 */
856 	case TCPS_ESTABLISHED:
857 		/*
858 		 * Transmit the FIN
859 		 * wait for the FIN to be ACKed,
860 		 * then remain in FIN_WAIT_2
861 		 */
862 		dprintf("tcp_shutdown: sending fin\n");
863 		if (tcp_xmit_end(tcp, sock_id) == 0 &&
864 			tcp_state_wait(sock_id, tcp, TCPS_FIN_WAIT_2) < 0) {
865 			/* During the wait, TCP may be gone... */
866 			if (sockets[sock_id].pcb == NULL)
867 				return (-1);
868 		}
869 		dprintf("tcp_shutdown: done\n");
870 		break;
871 
872 	default:
873 		break;
874 
875 	}
876 	return (0);
877 }
878 
879 /* To handle closing of the socket */
880 static int
881 tcp_close(int sock_id)
882 {
883 	char	*msg;
884 	tcp_t	*tcp;
885 	int	error = 0;
886 
887 	if ((tcp = sockets[sock_id].pcb) == NULL) {
888 		return (-1);
889 	}
890 
891 	TCP_RUN_TIME_WAIT_COLLECTOR();
892 
893 	/*
894 	 * Since inetboot is not interrupt driven, there may be
895 	 * some ACKs in the MAC's buffer.  Drain them first,
896 	 * otherwise, we may not be able to send.
897 	 */
898 	if (tcp_drain_input(tcp, sock_id, 5) < 0) {
899 		/*
900 		 * If we return now without freeing TCP, there will be
901 		 * a memory leak.
902 		 */
903 		if (sockets[sock_id].pcb != NULL)
904 			tcp_clean_death(sock_id, tcp, 0);
905 		return (-1);
906 	}
907 
908 	if (tcp->tcp_conn_req_cnt_q0 != 0 || tcp->tcp_conn_req_cnt_q != 0) {
909 		/* Cleanup for listener */
910 		tcp_eager_cleanup(tcp, 0, sock_id);
911 	}
912 
913 	msg = NULL;
914 	switch (tcp->tcp_state) {
915 	case TCPS_CLOSED:
916 	case TCPS_IDLE:
917 	case TCPS_BOUND:
918 	case TCPS_LISTEN:
919 		break;
920 	case TCPS_SYN_SENT:
921 		msg = "tcp_close, during connect";
922 		break;
923 	case TCPS_SYN_RCVD:
924 		/*
925 		 * Close during the connect 3-way handshake
926 		 * but here there may or may not be pending data
927 		 * already on queue. Process almost same as in
928 		 * the ESTABLISHED state.
929 		 */
930 		/* FALLTHRU */
931 	default:
932 		/*
933 		 * If SO_LINGER has set a zero linger time, abort the
934 		 * connection with a reset.
935 		 */
936 		if (tcp->tcp_linger && tcp->tcp_lingertime == 0) {
937 			msg = "tcp_close, zero lingertime";
938 			break;
939 		}
940 
941 		/*
942 		 * Abort connection if there is unread data queued.
943 		 */
944 		if (tcp->tcp_rcv_list != NULL ||
945 				tcp->tcp_reass_head != NULL) {
946 			msg = "tcp_close, unread data";
947 			break;
948 		}
949 		if (tcp->tcp_state <= TCPS_LISTEN)
950 			break;
951 
952 		/*
953 		 * Transmit the FIN before detaching the tcp_t.
954 		 * After tcp_detach returns this queue/perimeter
955 		 * no longer owns the tcp_t thus others can modify it.
956 		 * The TCP could be closed in tcp_state_wait called by
957 		 * tcp_wput_data called by tcp_xmit_end.
958 		 */
959 		(void) tcp_xmit_end(tcp, sock_id);
960 		if (sockets[sock_id].pcb == NULL)
961 			return (0);
962 
963 		/*
964 		 * If lingering on close then wait until the fin is acked,
965 		 * the SO_LINGER time passes, or a reset is sent/received.
966 		 */
967 		if (tcp->tcp_linger && tcp->tcp_lingertime > 0 &&
968 		    !(tcp->tcp_fin_acked) &&
969 		    tcp->tcp_state >= TCPS_ESTABLISHED) {
970 			uint32_t stoptime; /* in ms */
971 
972 			tcp->tcp_client_errno = 0;
973 			stoptime = prom_gettime() +
974 			    (tcp->tcp_lingertime * 1000);
975 			while (!(tcp->tcp_fin_acked) &&
976 			    tcp->tcp_state >= TCPS_ESTABLISHED &&
977 			    tcp->tcp_client_errno == 0 &&
978 			    ((int32_t)(stoptime - prom_gettime()) > 0)) {
979 				if (tcp_drain_input(tcp, sock_id, 5) < 0) {
980 					if (sockets[sock_id].pcb != NULL) {
981 						tcp_clean_death(sock_id,
982 						    tcp, 0);
983 					}
984 					return (-1);
985 				}
986 			}
987 			tcp->tcp_client_errno = 0;
988 		}
989 		if (tcp_state_wait(sock_id, tcp, TCPS_TIME_WAIT) < 0) {
990 			/* During the wait, TCP may be gone... */
991 			if (sockets[sock_id].pcb == NULL)
992 				return (0);
993 			msg = "tcp_close, couldn't detach";
994 		} else {
995 			return (0);
996 		}
997 		break;
998 	}
999 
1000 	/* Something went wrong...  Send a RST and report the error */
1001 	if (msg != NULL) {
1002 		if (tcp->tcp_state == TCPS_ESTABLISHED ||
1003 		    tcp->tcp_state == TCPS_CLOSE_WAIT)
1004 			BUMP_MIB(tcp_mib.tcpEstabResets);
1005 		if (tcp->tcp_state == TCPS_SYN_SENT ||
1006 		    tcp->tcp_state == TCPS_SYN_RCVD)
1007 			BUMP_MIB(tcp_mib.tcpAttemptFails);
1008 		tcp_xmit_ctl(msg, tcp, NULL, tcp->tcp_snxt, 0, TH_RST, 0,
1009 		    sock_id);
1010 	}
1011 
1012 	tcp_free(tcp);
1013 	bkmem_free((caddr_t)tcp, sizeof (tcp_t));
1014 	sockets[sock_id].pcb = NULL;
1015 	return (error);
1016 }
1017 
1018 /* To make an endpoint a listener. */
1019 int
1020 tcp_listen(int sock_id, int backlog)
1021 {
1022 	tcp_t *tcp;
1023 
1024 	if ((tcp = (tcp_t *)(sockets[sock_id].pcb)) == NULL) {
1025 		errno = EINVAL;
1026 		return (-1);
1027 	}
1028 	/* We allow calling listen() multiple times to change the backlog. */
1029 	if (tcp->tcp_state > TCPS_LISTEN || tcp->tcp_state < TCPS_BOUND) {
1030 		errno = EOPNOTSUPP;
1031 		return (-1);
1032 	}
1033 	/* The following initialization should only be done once. */
1034 	if (tcp->tcp_state != TCPS_LISTEN) {
1035 		tcp->tcp_eager_next_q0 = tcp->tcp_eager_prev_q0 = tcp;
1036 		tcp->tcp_eager_next_q = NULL;
1037 		tcp->tcp_state = TCPS_LISTEN;
1038 		tcp->tcp_second_ctimer_threshold = tcp_ip_abort_linterval;
1039 	}
1040 	if ((tcp->tcp_conn_req_max = backlog) > tcp_conn_req_max_q) {
1041 		tcp->tcp_conn_req_max = tcp_conn_req_max_q;
1042 	}
1043 	if (tcp->tcp_conn_req_max < tcp_conn_req_min) {
1044 		tcp->tcp_conn_req_max = tcp_conn_req_min;
1045 	}
1046 	return (0);
1047 }
1048 
1049 /* To accept connections. */
1050 int
1051 tcp_accept(int sock_id, struct sockaddr *addr, socklen_t *addr_len)
1052 {
1053 	tcp_t *listener;
1054 	tcp_t *eager;
1055 	int sd, new_sock_id;
1056 	struct sockaddr_in *new_addr = (struct sockaddr_in *)addr;
1057 	int timeout;
1058 
1059 	/* Sanity check. */
1060 	if ((listener = (tcp_t *)(sockets[sock_id].pcb)) == NULL ||
1061 	    new_addr == NULL || addr_len == NULL ||
1062 	    *addr_len < sizeof (struct sockaddr_in) ||
1063 	    listener->tcp_state != TCPS_LISTEN) {
1064 		errno = EINVAL;
1065 		return (-1);
1066 	}
1067 
1068 	if (sockets[sock_id].in_timeout > tcp_accept_timeout)
1069 		timeout = prom_gettime() + sockets[sock_id].in_timeout;
1070 	else
1071 		timeout = prom_gettime() + tcp_accept_timeout;
1072 	while (listener->tcp_eager_next_q == NULL &&
1073 	    timeout > prom_gettime()) {
1074 #if DEBUG
1075 		printf("tcp_accept: Waiting in tcp_accept()\n");
1076 #endif
1077 		if (tcp_drain_input(listener, sock_id, 5) < 0) {
1078 			return (-1);
1079 		}
1080 	}
1081 	/* If there is an eager, don't timeout... */
1082 	if (timeout <= prom_gettime() && listener->tcp_eager_next_q == NULL) {
1083 #if DEBUG
1084 		printf("tcp_accept: timeout\n");
1085 #endif
1086 		errno = ETIMEDOUT;
1087 		return (-1);
1088 	}
1089 #if DEBUG
1090 	printf("tcp_accept: got a connection\n");
1091 #endif
1092 
1093 	/* Now create the socket for this new TCP. */
1094 	if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
1095 		return (-1);
1096 	}
1097 	if ((new_sock_id = so_check_fd(sd, &errno)) == -1)
1098 		/* This should not happen! */
1099 		prom_panic("so_check_fd() fails in tcp_accept()");
1100 	/* Free the TCP PCB in the original socket. */
1101 	bkmem_free((caddr_t)(sockets[new_sock_id].pcb), sizeof (tcp_t));
1102 	/* Dequeue the eager and attach it to the socket. */
1103 	eager = listener->tcp_eager_next_q;
1104 	listener->tcp_eager_next_q = eager->tcp_eager_next_q;
1105 	if (listener->tcp_eager_last_q == eager)
1106 		listener->tcp_eager_last_q = NULL;
1107 	eager->tcp_eager_next_q = NULL;
1108 	sockets[new_sock_id].pcb = eager;
1109 	listener->tcp_conn_req_cnt_q--;
1110 
1111 	/* Copy in the address info. */
1112 	bcopy(&eager->tcp_remote, &new_addr->sin_addr.s_addr,
1113 	    sizeof (in_addr_t));
1114 	bcopy(&eager->tcp_fport, &new_addr->sin_port, sizeof (in_port_t));
1115 	new_addr->sin_family = AF_INET;
1116 
1117 #ifdef DEBUG
1118 	printf("tcp_accept(), new sock_id: %d\n", sd);
1119 #endif
1120 	return (sd);
1121 }
1122 
1123 /* Update the next anonymous port to use.  */
1124 static in_port_t
1125 tcp_update_next_port(in_port_t port)
1126 {
1127 	/* Don't allow the port to fall out of the anonymous port range. */
1128 	if (port < tcp_smallest_anon_port || port > tcp_largest_anon_port)
1129 		port = (in_port_t)tcp_smallest_anon_port;
1130 
1131 	if (port < tcp_smallest_nonpriv_port)
1132 		port = (in_port_t)tcp_smallest_nonpriv_port;
1133 	return (port);
1134 }
1135 
1136 /* To check whether a bind to a port is allowed. */
1137 static in_port_t
1138 tcp_bindi(in_port_t port, in_addr_t *addr, boolean_t reuseaddr,
1139     boolean_t bind_to_req_port_only)
1140 {
1141 	int i, count;
1142 	tcp_t *tcp;
1143 
1144 	count = tcp_largest_anon_port - tcp_smallest_anon_port;
1145 try_again:
1146 	for (i = 0; i < MAXSOCKET; i++) {
1147 		if (sockets[i].type != INETBOOT_STREAM ||
1148 		    ((tcp = (tcp_t *)sockets[i].pcb) == NULL) ||
1149 		    ntohs(tcp->tcp_lport) != port) {
1150 			continue;
1151 		}
1152 		/*
1153 		 * Both TCPs have the same port.  If SO_REUSEDADDR is
1154 		 * set and the bound TCP has a state greater than
1155 		 * TCPS_LISTEN, it is fine.
1156 		 */
1157 		if (reuseaddr && tcp->tcp_state > TCPS_LISTEN) {
1158 			continue;
1159 		}
1160 		if (tcp->tcp_bound_source != INADDR_ANY &&
1161 		    *addr != INADDR_ANY &&
1162 		    tcp->tcp_bound_source != *addr) {
1163 			continue;
1164 		}
1165 		if (bind_to_req_port_only) {
1166 			return (0);
1167 		}
1168 		if (--count > 0) {
1169 			port = tcp_update_next_port(++port);
1170 			goto try_again;
1171 		} else {
1172 			return (0);
1173 		}
1174 	}
1175 	return (port);
1176 }
1177 
1178 /* To handle the bind request. */
1179 int
1180 tcp_bind(int sock_id)
1181 {
1182 	tcp_t *tcp;
1183 	in_port_t requested_port, allocated_port;
1184 	boolean_t bind_to_req_port_only;
1185 	boolean_t reuseaddr;
1186 
1187 	if ((tcp = (tcp_t *)sockets[sock_id].pcb) == NULL) {
1188 		errno = EINVAL;
1189 		return (-1);
1190 	}
1191 
1192 	if (tcp->tcp_state >= TCPS_BOUND) {
1193 		/* We don't allow multiple bind(). */
1194 		errno = EPROTO;
1195 		return (-1);
1196 	}
1197 
1198 	requested_port = ntohs(sockets[sock_id].bind.sin_port);
1199 
1200 	/* The bound source can be INADDR_ANY. */
1201 	tcp->tcp_bound_source = sockets[sock_id].bind.sin_addr.s_addr;
1202 
1203 	tcp->tcp_ipha->ip_src.s_addr = tcp->tcp_bound_source;
1204 
1205 	/* Verify the port is available. */
1206 	if (requested_port == 0)
1207 		bind_to_req_port_only = B_FALSE;
1208 	else			/* T_BIND_REQ and requested_port != 0 */
1209 		bind_to_req_port_only = B_TRUE;
1210 
1211 	if (requested_port == 0) {
1212 		requested_port = tcp_update_next_port(++tcp_next_port_to_try);
1213 	}
1214 	reuseaddr = sockets[sock_id].so_opt & SO_REUSEADDR;
1215 	allocated_port = tcp_bindi(requested_port, &(tcp->tcp_bound_source),
1216 	    reuseaddr, bind_to_req_port_only);
1217 
1218 	if (allocated_port == 0) {
1219 		errno = EADDRINUSE;
1220 		return (-1);
1221 	}
1222 	tcp->tcp_lport = htons(allocated_port);
1223 	*(uint16_t *)tcp->tcp_tcph->th_lport = tcp->tcp_lport;
1224 	sockets[sock_id].bind.sin_port = tcp->tcp_lport;
1225 	tcp->tcp_state = TCPS_BOUND;
1226 	return (0);
1227 }
1228 
1229 /*
1230  * Check for duplicate TCP connections.
1231  */
1232 static int
1233 tcp_conn_check(tcp_t *tcp)
1234 {
1235 	int i;
1236 	tcp_t *tmp_tcp;
1237 
1238 	for (i = 0; i < MAXSOCKET; i++) {
1239 		if (sockets[i].type != INETBOOT_STREAM)
1240 			continue;
1241 		/* Socket may not be closed but the TCP can be gone. */
1242 		if ((tmp_tcp = (tcp_t *)sockets[i].pcb) == NULL)
1243 			continue;
1244 		/* We only care about TCP in states later than SYN_SENT. */
1245 		if (tmp_tcp->tcp_state < TCPS_SYN_SENT)
1246 			continue;
1247 		if (tmp_tcp->tcp_lport != tcp->tcp_lport ||
1248 		    tmp_tcp->tcp_fport != tcp->tcp_fport ||
1249 		    tmp_tcp->tcp_bound_source != tcp->tcp_bound_source ||
1250 		    tmp_tcp->tcp_remote != tcp->tcp_remote) {
1251 			continue;
1252 		} else {
1253 			return (-1);
1254 		}
1255 	}
1256 	return (0);
1257 }
1258 
1259 /* To handle a connect request. */
1260 int
1261 tcp_connect(int sock_id)
1262 {
1263 	tcp_t *tcp;
1264 	in_addr_t dstaddr;
1265 	in_port_t dstport;
1266 	tcph_t	*tcph;
1267 	int mss;
1268 	mblk_t *syn_mp;
1269 
1270 	if ((tcp = (tcp_t *)(sockets[sock_id].pcb)) == NULL) {
1271 		errno = EINVAL;
1272 		return (-1);
1273 	}
1274 
1275 	TCP_RUN_TIME_WAIT_COLLECTOR();
1276 
1277 	dstaddr = sockets[sock_id].remote.sin_addr.s_addr;
1278 	dstport = sockets[sock_id].remote.sin_port;
1279 
1280 	/*
1281 	 * Check for attempt to connect to INADDR_ANY or non-unicast addrress.
1282 	 * We don't have enough info to check for broadcast addr, except
1283 	 * for the all 1 broadcast.
1284 	 */
1285 	if (dstaddr == INADDR_ANY || IN_CLASSD(ntohl(dstaddr)) ||
1286 	    dstaddr == INADDR_BROADCAST)  {
1287 		/*
1288 		 * SunOS 4.x and 4.3 BSD allow an application
1289 		 * to connect a TCP socket to INADDR_ANY.
1290 		 * When they do this, the kernel picks the
1291 		 * address of one interface and uses it
1292 		 * instead.  The kernel usually ends up
1293 		 * picking the address of the loopback
1294 		 * interface.  This is an undocumented feature.
1295 		 * However, we provide the same thing here
1296 		 * in order to have source and binary
1297 		 * compatibility with SunOS 4.x.
1298 		 * Update the T_CONN_REQ (sin/sin6) since it is used to
1299 		 * generate the T_CONN_CON.
1300 		 *
1301 		 * Fail this for inetboot TCP.
1302 		 */
1303 		errno = EINVAL;
1304 		return (-1);
1305 	}
1306 
1307 	/* It is not bound to any address yet... */
1308 	if (tcp->tcp_bound_source == INADDR_ANY) {
1309 		ipv4_getipaddr(&(sockets[sock_id].bind.sin_addr));
1310 		/* We don't have an address! */
1311 		if (ntohl(sockets[sock_id].bind.sin_addr.s_addr) ==
1312 		    INADDR_ANY) {
1313 			errno = EPROTO;
1314 			return (-1);
1315 		}
1316 		tcp->tcp_bound_source = sockets[sock_id].bind.sin_addr.s_addr;
1317 		tcp->tcp_ipha->ip_src.s_addr = tcp->tcp_bound_source;
1318 	}
1319 
1320 	/*
1321 	 * Don't let an endpoint connect to itself.
1322 	 */
1323 	if (dstaddr == tcp->tcp_ipha->ip_src.s_addr &&
1324 	    dstport == tcp->tcp_lport) {
1325 		errno = EINVAL;
1326 		return (-1);
1327 	}
1328 
1329 	tcp->tcp_ipha->ip_dst.s_addr = dstaddr;
1330 	tcp->tcp_remote = dstaddr;
1331 	tcph = tcp->tcp_tcph;
1332 	*(uint16_t *)tcph->th_fport = dstport;
1333 	tcp->tcp_fport = dstport;
1334 
1335 	/*
1336 	 * Don't allow this connection to completely duplicate
1337 	 * an existing connection.
1338 	 */
1339 	if (tcp_conn_check(tcp) < 0) {
1340 		errno = EADDRINUSE;
1341 		return (-1);
1342 	}
1343 
1344 	/*
1345 	 * Just make sure our rwnd is at
1346 	 * least tcp_recv_hiwat_mss * MSS
1347 	 * large, and round up to the nearest
1348 	 * MSS.
1349 	 *
1350 	 * We do the round up here because
1351 	 * we need to get the interface
1352 	 * MTU first before we can do the
1353 	 * round up.
1354 	 */
1355 	mss = tcp->tcp_mss - tcp->tcp_hdr_len;
1356 	tcp->tcp_rwnd = MAX(MSS_ROUNDUP(tcp->tcp_rwnd, mss),
1357 	    tcp_recv_hiwat_minmss * mss);
1358 	tcp->tcp_rwnd_max = tcp->tcp_rwnd;
1359 	SET_WS_VALUE(tcp);
1360 	U32_TO_ABE16((tcp->tcp_rwnd >> tcp->tcp_rcv_ws),
1361 	    tcp->tcp_tcph->th_win);
1362 	if (tcp->tcp_rcv_ws > 0 || tcp_wscale_always)
1363 		tcp->tcp_snd_ws_ok = B_TRUE;
1364 
1365 	/*
1366 	 * Set tcp_snd_ts_ok to true
1367 	 * so that tcp_xmit_mp will
1368 	 * include the timestamp
1369 	 * option in the SYN segment.
1370 	 */
1371 	if (tcp_tstamp_always ||
1372 	    (tcp->tcp_rcv_ws && tcp_tstamp_if_wscale)) {
1373 		tcp->tcp_snd_ts_ok = B_TRUE;
1374 	}
1375 
1376 	if (tcp_sack_permitted == 2 ||
1377 	    tcp->tcp_snd_sack_ok) {
1378 		assert(tcp->tcp_sack_info == NULL);
1379 		if ((tcp->tcp_sack_info = (tcp_sack_info_t *)bkmem_zalloc(
1380 		    sizeof (tcp_sack_info_t))) == NULL) {
1381 			tcp->tcp_snd_sack_ok = B_FALSE;
1382 		} else {
1383 			tcp->tcp_snd_sack_ok = B_TRUE;
1384 		}
1385 	}
1386 	/*
1387 	 * Should we use ECN?  Note that the current
1388 	 * default value (SunOS 5.9) of tcp_ecn_permitted
1389 	 * is 2.  The reason for doing this is that there
1390 	 * are equipments out there that will drop ECN
1391 	 * enabled IP packets.  Setting it to 1 avoids
1392 	 * compatibility problems.
1393 	 */
1394 	if (tcp_ecn_permitted == 2)
1395 		tcp->tcp_ecn_ok = B_TRUE;
1396 
1397 	tcp_iss_init(tcp);
1398 	TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
1399 	tcp->tcp_active_open = B_TRUE;
1400 
1401 	tcp->tcp_state = TCPS_SYN_SENT;
1402 	syn_mp = tcp_xmit_mp(tcp, NULL, 0, NULL, NULL, tcp->tcp_iss, B_FALSE,
1403 	    NULL, B_FALSE);
1404 	if (syn_mp != NULL) {
1405 		int ret;
1406 
1407 		/* Dump the packet when debugging. */
1408 		TCP_DUMP_PACKET("tcp_connect", syn_mp);
1409 		/* Send out the SYN packet. */
1410 		ret = ipv4_tcp_output(sock_id, syn_mp);
1411 		freeb(syn_mp);
1412 		/*
1413 		 * errno ETIMEDOUT is set by the mac driver
1414 		 * in case it is not able to receive ARP reply.
1415 		 * TCP will retransmit this segment so we can
1416 		 * ignore the ARP timeout.
1417 		 */
1418 		if ((ret < 0) && (errno != ETIMEDOUT)) {
1419 			return (-1);
1420 		}
1421 		/* tcp_state_wait() will finish the 3 way handshake. */
1422 		return (tcp_state_wait(sock_id, tcp, TCPS_ESTABLISHED));
1423 	} else {
1424 		errno = ENOBUFS;
1425 		return (-1);
1426 	}
1427 }
1428 
1429 /*
1430  * Common accept code.  Called by tcp_conn_request.
1431  * cr_pkt is the SYN packet.
1432  */
1433 static int
1434 tcp_accept_comm(tcp_t *listener, tcp_t *acceptor, mblk_t *cr_pkt,
1435     uint_t ip_hdr_len)
1436 {
1437 	tcph_t		*tcph;
1438 
1439 #ifdef DEBUG
1440 	printf("tcp_accept_comm #######################\n");
1441 #endif
1442 
1443 	/*
1444 	 * When we get here, we know that the acceptor header template
1445 	 * has already been initialized.
1446 	 * However, it may not match the listener if the listener
1447 	 * includes options...
1448 	 * It may also not match the listener if the listener is v6 and
1449 	 * and the acceptor is v4
1450 	 */
1451 	acceptor->tcp_lport = listener->tcp_lport;
1452 
1453 	if (listener->tcp_ipversion == acceptor->tcp_ipversion) {
1454 		if (acceptor->tcp_iphc_len != listener->tcp_iphc_len) {
1455 			/*
1456 			 * Listener had options of some sort; acceptor inherits.
1457 			 * Free up the acceptor template and allocate one
1458 			 * of the right size.
1459 			 */
1460 			bkmem_free(acceptor->tcp_iphc, acceptor->tcp_iphc_len);
1461 			acceptor->tcp_iphc = bkmem_zalloc(
1462 			    listener->tcp_iphc_len);
1463 			if (acceptor->tcp_iphc == NULL) {
1464 				acceptor->tcp_iphc_len = 0;
1465 				return (ENOMEM);
1466 			}
1467 			acceptor->tcp_iphc_len = listener->tcp_iphc_len;
1468 		}
1469 		acceptor->tcp_hdr_len = listener->tcp_hdr_len;
1470 		acceptor->tcp_ip_hdr_len = listener->tcp_ip_hdr_len;
1471 		acceptor->tcp_tcp_hdr_len = listener->tcp_tcp_hdr_len;
1472 
1473 		/*
1474 		 * Copy the IP+TCP header template from listener to acceptor
1475 		 */
1476 		bcopy(listener->tcp_iphc, acceptor->tcp_iphc,
1477 		    listener->tcp_hdr_len);
1478 		acceptor->tcp_ipha = (struct ip *)acceptor->tcp_iphc;
1479 		acceptor->tcp_tcph = (tcph_t *)(acceptor->tcp_iphc +
1480 		    acceptor->tcp_ip_hdr_len);
1481 	} else {
1482 		prom_panic("tcp_accept_comm: version not equal");
1483 	}
1484 
1485 	/* Copy our new dest and fport from the connection request packet */
1486 	if (acceptor->tcp_ipversion == IPV4_VERSION) {
1487 		struct ip *ipha;
1488 
1489 		ipha = (struct ip *)cr_pkt->b_rptr;
1490 		acceptor->tcp_ipha->ip_dst = ipha->ip_src;
1491 		acceptor->tcp_remote = ipha->ip_src.s_addr;
1492 		acceptor->tcp_ipha->ip_src = ipha->ip_dst;
1493 		acceptor->tcp_bound_source = ipha->ip_dst.s_addr;
1494 		tcph = (tcph_t *)&cr_pkt->b_rptr[ip_hdr_len];
1495 	} else {
1496 		prom_panic("tcp_accept_comm: not IPv4");
1497 	}
1498 	bcopy(tcph->th_lport, acceptor->tcp_tcph->th_fport, sizeof (in_port_t));
1499 	bcopy(acceptor->tcp_tcph->th_fport, &acceptor->tcp_fport,
1500 	    sizeof (in_port_t));
1501 	/*
1502 	 * For an all-port proxy listener, the local port is determined by
1503 	 * the port number field in the SYN packet.
1504 	 */
1505 	if (listener->tcp_lport == 0) {
1506 		acceptor->tcp_lport = *(in_port_t *)tcph->th_fport;
1507 		bcopy(tcph->th_fport, acceptor->tcp_tcph->th_lport,
1508 		    sizeof (in_port_t));
1509 	}
1510 	/* Inherit various TCP parameters from the listener */
1511 	acceptor->tcp_naglim = listener->tcp_naglim;
1512 	acceptor->tcp_first_timer_threshold =
1513 	    listener->tcp_first_timer_threshold;
1514 	acceptor->tcp_second_timer_threshold =
1515 	    listener->tcp_second_timer_threshold;
1516 
1517 	acceptor->tcp_first_ctimer_threshold =
1518 	    listener->tcp_first_ctimer_threshold;
1519 	acceptor->tcp_second_ctimer_threshold =
1520 	    listener->tcp_second_ctimer_threshold;
1521 
1522 	acceptor->tcp_xmit_hiwater = listener->tcp_xmit_hiwater;
1523 
1524 	acceptor->tcp_state = TCPS_LISTEN;
1525 	tcp_iss_init(acceptor);
1526 
1527 	/* Process all TCP options. */
1528 	tcp_process_options(acceptor, tcph);
1529 
1530 	/* Is the other end ECN capable? */
1531 	if (tcp_ecn_permitted >= 1 &&
1532 	    (tcph->th_flags[0] & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
1533 		acceptor->tcp_ecn_ok = B_TRUE;
1534 	}
1535 
1536 	/*
1537 	 * listener->tcp_rq->q_hiwat should be the default window size or a
1538 	 * window size changed via SO_RCVBUF option.  First round up the
1539 	 * acceptor's tcp_rwnd to the nearest MSS.  Then find out the window
1540 	 * scale option value if needed.  Call tcp_rwnd_set() to finish the
1541 	 * setting.
1542 	 *
1543 	 * Note if there is a rpipe metric associated with the remote host,
1544 	 * we should not inherit receive window size from listener.
1545 	 */
1546 	acceptor->tcp_rwnd = MSS_ROUNDUP(
1547 	    (acceptor->tcp_rwnd == 0 ? listener->tcp_rwnd_max :
1548 	    acceptor->tcp_rwnd), acceptor->tcp_mss);
1549 	if (acceptor->tcp_snd_ws_ok)
1550 		SET_WS_VALUE(acceptor);
1551 	/*
1552 	 * Note that this is the only place tcp_rwnd_set() is called for
1553 	 * accepting a connection.  We need to call it here instead of
1554 	 * after the 3-way handshake because we need to tell the other
1555 	 * side our rwnd in the SYN-ACK segment.
1556 	 */
1557 	(void) tcp_rwnd_set(acceptor, acceptor->tcp_rwnd);
1558 
1559 	return (0);
1560 }
1561 
1562 /*
1563  * Defense for the SYN attack -
1564  * 1. When q0 is full, drop from the tail (tcp_eager_prev_q0) the oldest
1565  *    one that doesn't have the dontdrop bit set.
1566  * 2. Don't drop a SYN request before its first timeout. This gives every
1567  *    request at least til the first timeout to complete its 3-way handshake.
1568  * 3. The current threshold is - # of timeout > q0len/4 => SYN alert on
1569  *    # of timeout drops back to <= q0len/32 => SYN alert off
1570  */
1571 static boolean_t
1572 tcp_drop_q0(tcp_t *tcp)
1573 {
1574 	tcp_t	*eager;
1575 
1576 	assert(tcp->tcp_eager_next_q0 != tcp->tcp_eager_prev_q0);
1577 	/*
1578 	 * New one is added after next_q0 so prev_q0 points to the oldest
1579 	 * Also do not drop any established connections that are deferred on
1580 	 * q0 due to q being full
1581 	 */
1582 
1583 	eager = tcp->tcp_eager_prev_q0;
1584 	while (eager->tcp_dontdrop || eager->tcp_conn_def_q0) {
1585 		/* XXX should move the eager to the head */
1586 		eager = eager->tcp_eager_prev_q0;
1587 		if (eager == tcp) {
1588 			eager = tcp->tcp_eager_prev_q0;
1589 			break;
1590 		}
1591 	}
1592 	dprintf("tcp_drop_q0: listen half-open queue (max=%d) overflow"
1593 	    " (%d pending) on %s, drop one", tcp_conn_req_max_q0,
1594 	    tcp->tcp_conn_req_cnt_q0,
1595 	    tcp_display(tcp, NULL, DISP_PORT_ONLY));
1596 
1597 	BUMP_MIB(tcp_mib.tcpHalfOpenDrop);
1598 	bkmem_free((caddr_t)eager, sizeof (tcp_t));
1599 	return (B_TRUE);
1600 }
1601 
1602 /* ARGSUSED */
1603 static tcp_t *
1604 tcp_conn_request(tcp_t *tcp, mblk_t *mp, uint_t sock_id, uint_t ip_hdr_len)
1605 {
1606 	tcp_t	*eager;
1607 	struct ip *ipha;
1608 	int	err;
1609 
1610 #ifdef DEBUG
1611 	printf("tcp_conn_request ###################\n");
1612 #endif
1613 
1614 	if (tcp->tcp_conn_req_cnt_q >= tcp->tcp_conn_req_max) {
1615 		BUMP_MIB(tcp_mib.tcpListenDrop);
1616 		dprintf("tcp_conn_request: listen backlog (max=%d) "
1617 		    "overflow (%d pending) on %s",
1618 		    tcp->tcp_conn_req_max, tcp->tcp_conn_req_cnt_q,
1619 		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
1620 		return (NULL);
1621 	}
1622 
1623 	assert(OK_32PTR(mp->b_rptr));
1624 
1625 	if (tcp->tcp_conn_req_cnt_q0 >=
1626 	    tcp->tcp_conn_req_max + tcp_conn_req_max_q0) {
1627 		/*
1628 		 * Q0 is full. Drop a pending half-open req from the queue
1629 		 * to make room for the new SYN req. Also mark the time we
1630 		 * drop a SYN.
1631 		 */
1632 		tcp->tcp_last_rcv_lbolt = prom_gettime();
1633 		if (!tcp_drop_q0(tcp)) {
1634 			freemsg(mp);
1635 			BUMP_MIB(tcp_mib.tcpListenDropQ0);
1636 			dprintf("tcp_conn_request: listen half-open queue "
1637 			    "(max=%d) full (%d pending) on %s",
1638 			    tcp_conn_req_max_q0,
1639 			    tcp->tcp_conn_req_cnt_q0,
1640 			    tcp_display(tcp, NULL, DISP_PORT_ONLY));
1641 			return (NULL);
1642 		}
1643 	}
1644 
1645 	ipha = (struct ip *)mp->b_rptr;
1646 	if (IN_CLASSD(ntohl(ipha->ip_src.s_addr)) ||
1647 	    ipha->ip_src.s_addr == INADDR_BROADCAST ||
1648 	    ipha->ip_src.s_addr == INADDR_ANY ||
1649 	    ipha->ip_dst.s_addr == INADDR_BROADCAST) {
1650 		freemsg(mp);
1651 		return (NULL);
1652 	}
1653 	/*
1654 	 * We allow the connection to proceed
1655 	 * by generating a detached tcp state vector and put it in
1656 	 * the eager queue.  When an accept happens, it will be
1657 	 * dequeued sequentially.
1658 	 */
1659 	if ((eager = (tcp_t *)bkmem_alloc(sizeof (tcp_t))) == NULL) {
1660 		freemsg(mp);
1661 		errno = ENOBUFS;
1662 		return (NULL);
1663 	}
1664 	if ((errno = tcp_init_values(eager, NULL)) != 0) {
1665 		freemsg(mp);
1666 		bkmem_free((caddr_t)eager, sizeof (tcp_t));
1667 		return (NULL);
1668 	}
1669 
1670 	/*
1671 	 * Eager connection inherits address form from its listener,
1672 	 * but its packet form comes from the version of the received
1673 	 * SYN segment.
1674 	 */
1675 	eager->tcp_family = tcp->tcp_family;
1676 
1677 	err = tcp_accept_comm(tcp, eager, mp, ip_hdr_len);
1678 	if (err) {
1679 		bkmem_free((caddr_t)eager, sizeof (tcp_t));
1680 		return (NULL);
1681 	}
1682 
1683 	tcp->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
1684 	eager->tcp_eager_next_q0 = tcp->tcp_eager_next_q0;
1685 	tcp->tcp_eager_next_q0 = eager;
1686 	eager->tcp_eager_prev_q0 = tcp;
1687 
1688 	/* Set tcp_listener before adding it to tcp_conn_fanout */
1689 	eager->tcp_listener = tcp;
1690 	tcp->tcp_conn_req_cnt_q0++;
1691 
1692 	return (eager);
1693 }
1694 
1695 /*
1696  * To get around the non-interrupt problem of inetboot.
1697  * Keep on processing packets until a certain state is reached or the
1698  * TCP is destroyed because of getting a RST packet.
1699  */
1700 static int
1701 tcp_state_wait(int sock_id, tcp_t *tcp, int state)
1702 {
1703 	int i;
1704 	struct inetgram *in_gram;
1705 	mblk_t *mp;
1706 	int timeout;
1707 	boolean_t changed = B_FALSE;
1708 
1709 	/*
1710 	 * We need to make sure that the MAC does not wait longer
1711 	 * than RTO for any packet so that TCP can do retransmission.
1712 	 * But if the MAC timeout is less than tcp_rto, we are fine
1713 	 * and do not need to change it.
1714 	 */
1715 	timeout = sockets[sock_id].in_timeout;
1716 	if (timeout > tcp->tcp_rto) {
1717 		sockets[sock_id].in_timeout = tcp->tcp_rto;
1718 		changed = B_TRUE;
1719 	}
1720 retry:
1721 	if (sockets[sock_id].inq == NULL) {
1722 		/* Go out and check the wire */
1723 		for (i = MEDIA_LVL; i < TRANSPORT_LVL; i++) {
1724 			if (sockets[sock_id].input[i] != NULL) {
1725 				if (sockets[sock_id].input[i](sock_id) < 0) {
1726 					if (changed) {
1727 						sockets[sock_id].in_timeout =
1728 						    timeout;
1729 					}
1730 					return (-1);
1731 				}
1732 			}
1733 		}
1734 	}
1735 
1736 	while ((in_gram = sockets[sock_id].inq) != NULL) {
1737 		if (tcp != NULL && tcp->tcp_state == state)
1738 			break;
1739 
1740 		/* Remove unknown inetgrams from the head of inq. */
1741 		if (in_gram->igm_level != TRANSPORT_LVL) {
1742 #ifdef DEBUG
1743 			printf("tcp_state_wait for state %d: unexpected "
1744 			    "packet level %d frame found\n", state,
1745 			    in_gram->igm_level);
1746 #endif
1747 			del_gram(&sockets[sock_id].inq, in_gram, B_TRUE);
1748 			continue;
1749 		}
1750 		mp = in_gram->igm_mp;
1751 		del_gram(&sockets[sock_id].inq, in_gram, B_FALSE);
1752 		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
1753 		tcp_rput_data(tcp, mp, sock_id);
1754 
1755 		/*
1756 		 * The other side may have closed this connection or
1757 		 * RST us.  But we need to continue to process other
1758 		 * packets in the socket's queue because they may be
1759 		 * belong to another TCP connections.
1760 		 */
1761 		if (sockets[sock_id].pcb == NULL) {
1762 			tcp = NULL;
1763 		}
1764 	}
1765 
1766 	/* If the other side has closed the connection, just return. */
1767 	if (tcp == NULL || sockets[sock_id].pcb == NULL) {
1768 #ifdef DEBUG
1769 		printf("tcp_state_wait other side dead: state %d "
1770 		    "error %d\n", state, sockets[sock_id].so_error);
1771 #endif
1772 		if (sockets[sock_id].so_error != 0)
1773 			return (-1);
1774 		else
1775 			return (0);
1776 	}
1777 	/*
1778 	 * TCPS_ALL_ACKED is not a valid TCP state, it is just used as an
1779 	 * indicator to tcp_state_wait to mean that it is being called
1780 	 * to wait till we have received acks for all the new segments sent.
1781 	 */
1782 	if ((state == TCPS_ALL_ACKED) && (tcp->tcp_suna == tcp->tcp_snxt)) {
1783 		goto done;
1784 	}
1785 	if (tcp->tcp_state != state) {
1786 		if (prom_gettime() > tcp->tcp_rto_timeout)
1787 			tcp_timer(tcp, sock_id);
1788 		goto retry;
1789 	}
1790 done:
1791 	if (changed)
1792 		sockets[sock_id].in_timeout = timeout;
1793 
1794 	tcp_drain_needed(sock_id, tcp);
1795 	return (0);
1796 }
1797 
1798 /* Verify the checksum of a segment. */
1799 static int
1800 tcp_verify_cksum(mblk_t *mp)
1801 {
1802 	struct ip *iph;
1803 	tcpha_t *tcph;
1804 	int len;
1805 	uint16_t old_sum;
1806 
1807 	iph = (struct ip *)mp->b_rptr;
1808 	tcph = (tcpha_t *)(iph + 1);
1809 	len = ntohs(iph->ip_len);
1810 
1811 	/*
1812 	 * Calculate the TCP checksum.  Need to include the psuedo header,
1813 	 * which is similar to the real IP header starting at the TTL field.
1814 	 */
1815 	iph->ip_sum = htons(len - IP_SIMPLE_HDR_LENGTH);
1816 	old_sum = tcph->tha_sum;
1817 	tcph->tha_sum = 0;
1818 	iph->ip_ttl = 0;
1819 	if (old_sum == tcp_cksum((uint16_t *)&(iph->ip_ttl),
1820 	    len - IP_SIMPLE_HDR_LENGTH + 12)) {
1821 		return (0);
1822 	} else {
1823 		tcp_cksum_errors++;
1824 		return (-1);
1825 	}
1826 }
1827 
1828 /* To find a TCP connection matching the incoming segment. */
1829 static tcp_t *
1830 tcp_lookup_ipv4(struct ip *iph, tcpha_t *tcph, int min_state, int *sock_id)
1831 {
1832 	int i;
1833 	tcp_t *tcp;
1834 
1835 	for (i = 0; i < MAXSOCKET; i++) {
1836 		if (sockets[i].type == INETBOOT_STREAM &&
1837 		    (tcp = (tcp_t *)sockets[i].pcb) != NULL) {
1838 			if (tcph->tha_lport == tcp->tcp_fport &&
1839 			    tcph->tha_fport == tcp->tcp_lport &&
1840 			    iph->ip_src.s_addr == tcp->tcp_remote &&
1841 			    iph->ip_dst.s_addr == tcp->tcp_bound_source &&
1842 			    tcp->tcp_state >= min_state) {
1843 				*sock_id = i;
1844 				return (tcp);
1845 			}
1846 		}
1847 	}
1848 	/* Find it in the time wait list. */
1849 	for (tcp = tcp_time_wait_head; tcp != NULL;
1850 	    tcp = tcp->tcp_time_wait_next) {
1851 		if (tcph->tha_lport == tcp->tcp_fport &&
1852 		    tcph->tha_fport == tcp->tcp_lport &&
1853 		    iph->ip_src.s_addr == tcp->tcp_remote &&
1854 		    iph->ip_dst.s_addr == tcp->tcp_bound_source &&
1855 		    tcp->tcp_state >= min_state) {
1856 			*sock_id = -1;
1857 			return (tcp);
1858 		}
1859 	}
1860 	return (NULL);
1861 }
1862 
1863 /* To find a TCP listening connection matching the incoming segment. */
1864 static tcp_t *
1865 tcp_lookup_listener_ipv4(in_addr_t addr, in_port_t port, int *sock_id)
1866 {
1867 	int i;
1868 	tcp_t *tcp;
1869 
1870 	for (i = 0; i < MAXSOCKET; i++) {
1871 		if (sockets[i].type == INETBOOT_STREAM &&
1872 		    (tcp = (tcp_t *)sockets[i].pcb) != NULL) {
1873 			if (tcp->tcp_lport == port &&
1874 			    (tcp->tcp_bound_source == addr ||
1875 			    tcp->tcp_bound_source == INADDR_ANY)) {
1876 				*sock_id = i;
1877 				return (tcp);
1878 			}
1879 		}
1880 	}
1881 
1882 	return (NULL);
1883 }
1884 
1885 /* To find a TCP eager matching the incoming segment. */
1886 static tcp_t *
1887 tcp_lookup_eager_ipv4(tcp_t *listener, struct ip *iph, tcpha_t *tcph)
1888 {
1889 	tcp_t *tcp;
1890 
1891 #ifdef DEBUG
1892 	printf("tcp_lookup_eager_ipv4 ###############\n");
1893 #endif
1894 	for (tcp = listener->tcp_eager_next_q; tcp != NULL;
1895 	    tcp = tcp->tcp_eager_next_q) {
1896 		if (tcph->tha_lport == tcp->tcp_fport &&
1897 		    tcph->tha_fport == tcp->tcp_lport &&
1898 		    iph->ip_src.s_addr == tcp->tcp_remote &&
1899 		    iph->ip_dst.s_addr == tcp->tcp_bound_source) {
1900 			return (tcp);
1901 		}
1902 	}
1903 
1904 	for (tcp = listener->tcp_eager_next_q0; tcp != listener;
1905 	    tcp = tcp->tcp_eager_next_q0) {
1906 		if (tcph->tha_lport == tcp->tcp_fport &&
1907 		    tcph->tha_fport == tcp->tcp_lport &&
1908 		    iph->ip_src.s_addr == tcp->tcp_remote &&
1909 		    iph->ip_dst.s_addr == tcp->tcp_bound_source) {
1910 			return (tcp);
1911 		}
1912 	}
1913 #ifdef DEBUG
1914 	printf("No eager found\n");
1915 #endif
1916 	return (NULL);
1917 }
1918 
1919 /* To destroy a TCP control block. */
1920 static void
1921 tcp_clean_death(int sock_id, tcp_t *tcp, int err)
1922 {
1923 	tcp_free(tcp);
1924 	if (tcp->tcp_state == TCPS_TIME_WAIT)
1925 		tcp_time_wait_remove(tcp);
1926 
1927 	if (sock_id >= 0) {
1928 		sockets[sock_id].pcb = NULL;
1929 		if (err != 0)
1930 			sockets[sock_id].so_error = err;
1931 	}
1932 	bkmem_free((caddr_t)tcp, sizeof (tcp_t));
1933 }
1934 
1935 /*
1936  * tcp_rwnd_set() is called to adjust the receive window to a desired value.
1937  * We do not allow the receive window to shrink.  After setting rwnd,
1938  * set the flow control hiwat of the stream.
1939  *
1940  * This function is called in 2 cases:
1941  *
1942  * 1) Before data transfer begins, in tcp_accept_comm() for accepting a
1943  *    connection (passive open) and in tcp_rput_data() for active connect.
1944  *    This is called after tcp_mss_set() when the desired MSS value is known.
1945  *    This makes sure that our window size is a mutiple of the other side's
1946  *    MSS.
1947  * 2) Handling SO_RCVBUF option.
1948  *
1949  * It is ASSUMED that the requested size is a multiple of the current MSS.
1950  *
1951  * XXX - Should allow a lower rwnd than tcp_recv_hiwat_minmss * mss if the
1952  * user requests so.
1953  */
1954 static int
1955 tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
1956 {
1957 	uint32_t	mss = tcp->tcp_mss;
1958 	uint32_t	old_max_rwnd;
1959 	uint32_t	max_transmittable_rwnd;
1960 
1961 	if (tcp->tcp_rwnd_max != 0)
1962 		old_max_rwnd = tcp->tcp_rwnd_max;
1963 	else
1964 		old_max_rwnd = tcp->tcp_rwnd;
1965 
1966 	/*
1967 	 * Insist on a receive window that is at least
1968 	 * tcp_recv_hiwat_minmss * MSS (default 4 * MSS) to avoid
1969 	 * funny TCP interactions of Nagle algorithm, SWS avoidance
1970 	 * and delayed acknowledgement.
1971 	 */
1972 	rwnd = MAX(rwnd, tcp_recv_hiwat_minmss * mss);
1973 
1974 	/*
1975 	 * If window size info has already been exchanged, TCP should not
1976 	 * shrink the window.  Shrinking window is doable if done carefully.
1977 	 * We may add that support later.  But so far there is not a real
1978 	 * need to do that.
1979 	 */
1980 	if (rwnd < old_max_rwnd && tcp->tcp_state > TCPS_SYN_SENT) {
1981 		/* MSS may have changed, do a round up again. */
1982 		rwnd = MSS_ROUNDUP(old_max_rwnd, mss);
1983 	}
1984 
1985 	/*
1986 	 * tcp_rcv_ws starts with TCP_MAX_WINSHIFT so the following check
1987 	 * can be applied even before the window scale option is decided.
1988 	 */
1989 	max_transmittable_rwnd = TCP_MAXWIN << tcp->tcp_rcv_ws;
1990 	if (rwnd > max_transmittable_rwnd) {
1991 		rwnd = max_transmittable_rwnd -
1992 		    (max_transmittable_rwnd % mss);
1993 		if (rwnd < mss)
1994 			rwnd = max_transmittable_rwnd;
1995 		/*
1996 		 * If we're over the limit we may have to back down tcp_rwnd.
1997 		 * The increment below won't work for us. So we set all three
1998 		 * here and the increment below will have no effect.
1999 		 */
2000 		tcp->tcp_rwnd = old_max_rwnd = rwnd;
2001 	}
2002 
2003 	/*
2004 	 * Increment the current rwnd by the amount the maximum grew (we
2005 	 * can not overwrite it since we might be in the middle of a
2006 	 * connection.)
2007 	 */
2008 	tcp->tcp_rwnd += rwnd - old_max_rwnd;
2009 	U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws, tcp->tcp_tcph->th_win);
2010 	if ((tcp->tcp_rcv_ws > 0) && rwnd > tcp->tcp_cwnd_max)
2011 		tcp->tcp_cwnd_max = rwnd;
2012 	tcp->tcp_rwnd_max = rwnd;
2013 
2014 	return (rwnd);
2015 }
2016 
2017 /*
2018  * Extract option values from a tcp header.  We put any found values into the
2019  * tcpopt struct and return a bitmask saying which options were found.
2020  */
2021 static int
2022 tcp_parse_options(tcph_t *tcph, tcp_opt_t *tcpopt)
2023 {
2024 	uchar_t		*endp;
2025 	int		len;
2026 	uint32_t	mss;
2027 	uchar_t		*up = (uchar_t *)tcph;
2028 	int		found = 0;
2029 	int32_t		sack_len;
2030 	tcp_seq		sack_begin, sack_end;
2031 	tcp_t		*tcp;
2032 
2033 	endp = up + TCP_HDR_LENGTH(tcph);
2034 	up += TCP_MIN_HEADER_LENGTH;
2035 	while (up < endp) {
2036 		len = endp - up;
2037 		switch (*up) {
2038 		case TCPOPT_EOL:
2039 			break;
2040 
2041 		case TCPOPT_NOP:
2042 			up++;
2043 			continue;
2044 
2045 		case TCPOPT_MAXSEG:
2046 			if (len < TCPOPT_MAXSEG_LEN ||
2047 			    up[1] != TCPOPT_MAXSEG_LEN)
2048 				break;
2049 
2050 			mss = BE16_TO_U16(up+2);
2051 			/* Caller must handle tcp_mss_min and tcp_mss_max_* */
2052 			tcpopt->tcp_opt_mss = mss;
2053 			found |= TCP_OPT_MSS_PRESENT;
2054 
2055 			up += TCPOPT_MAXSEG_LEN;
2056 			continue;
2057 
2058 		case TCPOPT_WSCALE:
2059 			if (len < TCPOPT_WS_LEN || up[1] != TCPOPT_WS_LEN)
2060 				break;
2061 
2062 			if (up[2] > TCP_MAX_WINSHIFT)
2063 				tcpopt->tcp_opt_wscale = TCP_MAX_WINSHIFT;
2064 			else
2065 				tcpopt->tcp_opt_wscale = up[2];
2066 			found |= TCP_OPT_WSCALE_PRESENT;
2067 
2068 			up += TCPOPT_WS_LEN;
2069 			continue;
2070 
2071 		case TCPOPT_SACK_PERMITTED:
2072 			if (len < TCPOPT_SACK_OK_LEN ||
2073 			    up[1] != TCPOPT_SACK_OK_LEN)
2074 				break;
2075 			found |= TCP_OPT_SACK_OK_PRESENT;
2076 			up += TCPOPT_SACK_OK_LEN;
2077 			continue;
2078 
2079 		case TCPOPT_SACK:
2080 			if (len <= 2 || up[1] <= 2 || len < up[1])
2081 				break;
2082 
2083 			/* If TCP is not interested in SACK blks... */
2084 			if ((tcp = tcpopt->tcp) == NULL) {
2085 				up += up[1];
2086 				continue;
2087 			}
2088 			sack_len = up[1] - TCPOPT_HEADER_LEN;
2089 			up += TCPOPT_HEADER_LEN;
2090 
2091 			/*
2092 			 * If the list is empty, allocate one and assume
2093 			 * nothing is sack'ed.
2094 			 */
2095 			assert(tcp->tcp_sack_info != NULL);
2096 			if (tcp->tcp_notsack_list == NULL) {
2097 				tcp_notsack_update(&(tcp->tcp_notsack_list),
2098 				    tcp->tcp_suna, tcp->tcp_snxt,
2099 				    &(tcp->tcp_num_notsack_blk),
2100 				    &(tcp->tcp_cnt_notsack_list));
2101 
2102 				/*
2103 				 * Make sure tcp_notsack_list is not NULL.
2104 				 * This happens when kmem_alloc(KM_NOSLEEP)
2105 				 * returns NULL.
2106 				 */
2107 				if (tcp->tcp_notsack_list == NULL) {
2108 					up += sack_len;
2109 					continue;
2110 				}
2111 				tcp->tcp_fack = tcp->tcp_suna;
2112 			}
2113 
2114 			while (sack_len > 0) {
2115 				if (up + 8 > endp) {
2116 					up = endp;
2117 					break;
2118 				}
2119 				sack_begin = BE32_TO_U32(up);
2120 				up += 4;
2121 				sack_end = BE32_TO_U32(up);
2122 				up += 4;
2123 				sack_len -= 8;
2124 				/*
2125 				 * Bounds checking.  Make sure the SACK
2126 				 * info is within tcp_suna and tcp_snxt.
2127 				 * If this SACK blk is out of bound, ignore
2128 				 * it but continue to parse the following
2129 				 * blks.
2130 				 */
2131 				if (SEQ_LEQ(sack_end, sack_begin) ||
2132 				    SEQ_LT(sack_begin, tcp->tcp_suna) ||
2133 				    SEQ_GT(sack_end, tcp->tcp_snxt)) {
2134 					continue;
2135 				}
2136 				tcp_notsack_insert(&(tcp->tcp_notsack_list),
2137 				    sack_begin, sack_end,
2138 				    &(tcp->tcp_num_notsack_blk),
2139 				    &(tcp->tcp_cnt_notsack_list));
2140 				if (SEQ_GT(sack_end, tcp->tcp_fack)) {
2141 					tcp->tcp_fack = sack_end;
2142 				}
2143 			}
2144 			found |= TCP_OPT_SACK_PRESENT;
2145 			continue;
2146 
2147 		case TCPOPT_TSTAMP:
2148 			if (len < TCPOPT_TSTAMP_LEN ||
2149 			    up[1] != TCPOPT_TSTAMP_LEN)
2150 				break;
2151 
2152 			tcpopt->tcp_opt_ts_val = BE32_TO_U32(up+2);
2153 			tcpopt->tcp_opt_ts_ecr = BE32_TO_U32(up+6);
2154 
2155 			found |= TCP_OPT_TSTAMP_PRESENT;
2156 
2157 			up += TCPOPT_TSTAMP_LEN;
2158 			continue;
2159 
2160 		default:
2161 			if (len <= 1 || len < (int)up[1] || up[1] == 0)
2162 				break;
2163 			up += up[1];
2164 			continue;
2165 		}
2166 		break;
2167 	}
2168 	return (found);
2169 }
2170 
2171 /*
2172  * Set the mss associated with a particular tcp based on its current value,
2173  * and a new one passed in. Observe minimums and maximums, and reset
2174  * other state variables that we want to view as multiples of mss.
2175  *
2176  * This function is called in various places mainly because
2177  * 1) Various stuffs, tcp_mss, tcp_cwnd, ... need to be adjusted when the
2178  *    other side's SYN/SYN-ACK packet arrives.
2179  * 2) PMTUd may get us a new MSS.
2180  * 3) If the other side stops sending us timestamp option, we need to
2181  *    increase the MSS size to use the extra bytes available.
2182  */
2183 static void
2184 tcp_mss_set(tcp_t *tcp, uint32_t mss)
2185 {
2186 	uint32_t	mss_max;
2187 
2188 	mss_max = tcp_mss_max_ipv4;
2189 
2190 	if (mss < tcp_mss_min)
2191 		mss = tcp_mss_min;
2192 	if (mss > mss_max)
2193 		mss = mss_max;
2194 	/*
2195 	 * Unless naglim has been set by our client to
2196 	 * a non-mss value, force naglim to track mss.
2197 	 * This can help to aggregate small writes.
2198 	 */
2199 	if (mss < tcp->tcp_naglim || tcp->tcp_mss == tcp->tcp_naglim)
2200 		tcp->tcp_naglim = mss;
2201 	/*
2202 	 * TCP should be able to buffer at least 4 MSS data for obvious
2203 	 * performance reason.
2204 	 */
2205 	if ((mss << 2) > tcp->tcp_xmit_hiwater)
2206 		tcp->tcp_xmit_hiwater = mss << 2;
2207 	tcp->tcp_mss = mss;
2208 	/*
2209 	 * Initialize cwnd according to draft-floyd-incr-init-win-01.txt.
2210 	 * Previously, we use tcp_slow_start_initial to control the size
2211 	 * of the initial cwnd.  Now, when tcp_slow_start_initial * mss
2212 	 * is smaller than the cwnd calculated from the formula suggested in
2213 	 * the draft, we use tcp_slow_start_initial * mss as the cwnd.
2214 	 * Otherwise, use the cwnd from the draft's formula.  The default
2215 	 * of tcp_slow_start_initial is 2.
2216 	 */
2217 	tcp->tcp_cwnd = MIN(tcp_slow_start_initial * mss,
2218 	    MIN(4 * mss, MAX(2 * mss, 4380 / mss * mss)));
2219 	tcp->tcp_cwnd_cnt = 0;
2220 }
2221 
2222 /*
2223  * Process all TCP option in SYN segment.
2224  *
2225  * This function sets up the correct tcp_mss value according to the
2226  * MSS option value and our header size.  It also sets up the window scale
2227  * and timestamp values, and initialize SACK info blocks.  But it does not
2228  * change receive window size after setting the tcp_mss value.  The caller
2229  * should do the appropriate change.
2230  */
2231 void
2232 tcp_process_options(tcp_t *tcp, tcph_t *tcph)
2233 {
2234 	int options;
2235 	tcp_opt_t tcpopt;
2236 	uint32_t mss_max;
2237 	char *tmp_tcph;
2238 
2239 	tcpopt.tcp = NULL;
2240 	options = tcp_parse_options(tcph, &tcpopt);
2241 
2242 	/*
2243 	 * Process MSS option.  Note that MSS option value does not account
2244 	 * for IP or TCP options.  This means that it is equal to MTU - minimum
2245 	 * IP+TCP header size, which is 40 bytes for IPv4 and 60 bytes for
2246 	 * IPv6.
2247 	 */
2248 	if (!(options & TCP_OPT_MSS_PRESENT)) {
2249 		tcpopt.tcp_opt_mss = tcp_mss_def_ipv4;
2250 	} else {
2251 		if (tcp->tcp_ipversion == IPV4_VERSION)
2252 			mss_max = tcp_mss_max_ipv4;
2253 		if (tcpopt.tcp_opt_mss < tcp_mss_min)
2254 			tcpopt.tcp_opt_mss = tcp_mss_min;
2255 		else if (tcpopt.tcp_opt_mss > mss_max)
2256 			tcpopt.tcp_opt_mss = mss_max;
2257 	}
2258 
2259 	/* Process Window Scale option. */
2260 	if (options & TCP_OPT_WSCALE_PRESENT) {
2261 		tcp->tcp_snd_ws = tcpopt.tcp_opt_wscale;
2262 		tcp->tcp_snd_ws_ok = B_TRUE;
2263 	} else {
2264 		tcp->tcp_snd_ws = B_FALSE;
2265 		tcp->tcp_snd_ws_ok = B_FALSE;
2266 		tcp->tcp_rcv_ws = B_FALSE;
2267 	}
2268 
2269 	/* Process Timestamp option. */
2270 	if ((options & TCP_OPT_TSTAMP_PRESENT) &&
2271 	    (tcp->tcp_snd_ts_ok || !tcp->tcp_active_open)) {
2272 		tmp_tcph = (char *)tcp->tcp_tcph;
2273 
2274 		tcp->tcp_snd_ts_ok = B_TRUE;
2275 		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
2276 		tcp->tcp_last_rcv_lbolt = prom_gettime();
2277 		assert(OK_32PTR(tmp_tcph));
2278 		assert(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);
2279 
2280 		/* Fill in our template header with basic timestamp option. */
2281 		tmp_tcph += tcp->tcp_tcp_hdr_len;
2282 		tmp_tcph[0] = TCPOPT_NOP;
2283 		tmp_tcph[1] = TCPOPT_NOP;
2284 		tmp_tcph[2] = TCPOPT_TSTAMP;
2285 		tmp_tcph[3] = TCPOPT_TSTAMP_LEN;
2286 		tcp->tcp_hdr_len += TCPOPT_REAL_TS_LEN;
2287 		tcp->tcp_tcp_hdr_len += TCPOPT_REAL_TS_LEN;
2288 		tcp->tcp_tcph->th_offset_and_rsrvd[0] += (3 << 4);
2289 	} else {
2290 		tcp->tcp_snd_ts_ok = B_FALSE;
2291 	}
2292 
2293 	/*
2294 	 * Process SACK options.  If SACK is enabled for this connection,
2295 	 * then allocate the SACK info structure.
2296 	 */
2297 	if ((options & TCP_OPT_SACK_OK_PRESENT) &&
2298 	    (tcp->tcp_snd_sack_ok ||
2299 	    (tcp_sack_permitted != 0 && !tcp->tcp_active_open))) {
2300 		/* This should be true only in the passive case. */
2301 		if (tcp->tcp_sack_info == NULL) {
2302 			tcp->tcp_sack_info = (tcp_sack_info_t *)bkmem_zalloc(
2303 			    sizeof (tcp_sack_info_t));
2304 		}
2305 		if (tcp->tcp_sack_info == NULL) {
2306 			tcp->tcp_snd_sack_ok = B_FALSE;
2307 		} else {
2308 			tcp->tcp_snd_sack_ok = B_TRUE;
2309 			if (tcp->tcp_snd_ts_ok) {
2310 				tcp->tcp_max_sack_blk = 3;
2311 			} else {
2312 				tcp->tcp_max_sack_blk = 4;
2313 			}
2314 		}
2315 	} else {
2316 		/*
2317 		 * Resetting tcp_snd_sack_ok to B_FALSE so that
2318 		 * no SACK info will be used for this
2319 		 * connection.  This assumes that SACK usage
2320 		 * permission is negotiated.  This may need
2321 		 * to be changed once this is clarified.
2322 		 */
2323 		if (tcp->tcp_sack_info != NULL) {
2324 			bkmem_free((caddr_t)tcp->tcp_sack_info,
2325 			    sizeof (tcp_sack_info_t));
2326 			tcp->tcp_sack_info = NULL;
2327 		}
2328 		tcp->tcp_snd_sack_ok = B_FALSE;
2329 	}
2330 
2331 	/*
2332 	 * Now we know the exact TCP/IP header length, subtract
2333 	 * that from tcp_mss to get our side's MSS.
2334 	 */
2335 	tcp->tcp_mss -= tcp->tcp_hdr_len;
2336 	/*
2337 	 * Here we assume that the other side's header size will be equal to
2338 	 * our header size.  We calculate the real MSS accordingly.  Need to
2339 	 * take into additional stuffs IPsec puts in.
2340 	 *
2341 	 * Real MSS = Opt.MSS - (our TCP/IP header - min TCP/IP header)
2342 	 */
2343 	tcpopt.tcp_opt_mss -= tcp->tcp_hdr_len -
2344 	    (IP_SIMPLE_HDR_LENGTH + TCP_MIN_HEADER_LENGTH);
2345 
2346 	/*
2347 	 * Set MSS to the smaller one of both ends of the connection.
2348 	 * We should not have called tcp_mss_set() before, but our
2349 	 * side of the MSS should have been set to a proper value
2350 	 * by tcp_adapt_ire().  tcp_mss_set() will also set up the
2351 	 * STREAM head parameters properly.
2352 	 *
2353 	 * If we have a larger-than-16-bit window but the other side
2354 	 * didn't want to do window scale, tcp_rwnd_set() will take
2355 	 * care of that.
2356 	 */
2357 	tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss));
2358 }
2359 
2360 /*
2361  * This function does PAWS protection check.  Returns B_TRUE if the
2362  * segment passes the PAWS test, else returns B_FALSE.
2363  */
2364 boolean_t
2365 tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp)
2366 {
2367 	uint8_t	flags;
2368 	int	options;
2369 	uint8_t *up;
2370 
2371 	flags = (unsigned int)tcph->th_flags[0] & 0xFF;
2372 	/*
2373 	 * If timestamp option is aligned nicely, get values inline,
2374 	 * otherwise call general routine to parse.  Only do that
2375 	 * if timestamp is the only option.
2376 	 */
2377 	if (TCP_HDR_LENGTH(tcph) == (uint32_t)TCP_MIN_HEADER_LENGTH +
2378 	    TCPOPT_REAL_TS_LEN &&
2379 	    OK_32PTR((up = ((uint8_t *)tcph) +
2380 	    TCP_MIN_HEADER_LENGTH)) &&
2381 	    *(uint32_t *)up == TCPOPT_NOP_NOP_TSTAMP) {
2382 		tcpoptp->tcp_opt_ts_val = ABE32_TO_U32((up+4));
2383 		tcpoptp->tcp_opt_ts_ecr = ABE32_TO_U32((up+8));
2384 
2385 		options = TCP_OPT_TSTAMP_PRESENT;
2386 	} else {
2387 		if (tcp->tcp_snd_sack_ok) {
2388 			tcpoptp->tcp = tcp;
2389 		} else {
2390 			tcpoptp->tcp = NULL;
2391 		}
2392 		options = tcp_parse_options(tcph, tcpoptp);
2393 	}
2394 
2395 	if (options & TCP_OPT_TSTAMP_PRESENT) {
2396 		/*
2397 		 * Do PAWS per RFC 1323 section 4.2.  Accept RST
2398 		 * regardless of the timestamp, page 18 RFC 1323.bis.
2399 		 */
2400 		if ((flags & TH_RST) == 0 &&
2401 		    TSTMP_LT(tcpoptp->tcp_opt_ts_val,
2402 		    tcp->tcp_ts_recent)) {
2403 			if (TSTMP_LT(prom_gettime(),
2404 			    tcp->tcp_last_rcv_lbolt + PAWS_TIMEOUT)) {
2405 				/* This segment is not acceptable. */
2406 				return (B_FALSE);
2407 			} else {
2408 				/*
2409 				 * Connection has been idle for
2410 				 * too long.  Reset the timestamp
2411 				 * and assume the segment is valid.
2412 				 */
2413 				tcp->tcp_ts_recent =
2414 				    tcpoptp->tcp_opt_ts_val;
2415 			}
2416 		}
2417 	} else {
2418 		/*
2419 		 * If we don't get a timestamp on every packet, we
2420 		 * figure we can't really trust 'em, so we stop sending
2421 		 * and parsing them.
2422 		 */
2423 		tcp->tcp_snd_ts_ok = B_FALSE;
2424 
2425 		tcp->tcp_hdr_len -= TCPOPT_REAL_TS_LEN;
2426 		tcp->tcp_tcp_hdr_len -= TCPOPT_REAL_TS_LEN;
2427 		tcp->tcp_tcph->th_offset_and_rsrvd[0] -= (3 << 4);
2428 		tcp_mss_set(tcp, tcp->tcp_mss + TCPOPT_REAL_TS_LEN);
2429 		if (tcp->tcp_snd_sack_ok) {
2430 			assert(tcp->tcp_sack_info != NULL);
2431 			tcp->tcp_max_sack_blk = 4;
2432 		}
2433 	}
2434 	return (B_TRUE);
2435 }
2436 
2437 /*
2438  * tcp_get_seg_mp() is called to get the pointer to a segment in the
2439  * send queue which starts at the given seq. no.
2440  *
2441  * Parameters:
2442  *	tcp_t *tcp: the tcp instance pointer.
2443  *	uint32_t seq: the starting seq. no of the requested segment.
2444  *	int32_t *off: after the execution, *off will be the offset to
2445  *		the returned mblk which points to the requested seq no.
2446  *
2447  * Return:
2448  *	A mblk_t pointer pointing to the requested segment in send queue.
2449  */
2450 static mblk_t *
2451 tcp_get_seg_mp(tcp_t *tcp, uint32_t seq, int32_t *off)
2452 {
2453 	int32_t	cnt;
2454 	mblk_t	*mp;
2455 
2456 	/* Defensive coding.  Make sure we don't send incorrect data. */
2457 	if (SEQ_LT(seq, tcp->tcp_suna) || SEQ_GEQ(seq, tcp->tcp_snxt) ||
2458 	    off == NULL) {
2459 		return (NULL);
2460 	}
2461 	cnt = seq - tcp->tcp_suna;
2462 	mp = tcp->tcp_xmit_head;
2463 	while (cnt > 0 && mp) {
2464 		cnt -= mp->b_wptr - mp->b_rptr;
2465 		if (cnt < 0) {
2466 			cnt += mp->b_wptr - mp->b_rptr;
2467 			break;
2468 		}
2469 		mp = mp->b_cont;
2470 	}
2471 	assert(mp != NULL);
2472 	*off = cnt;
2473 	return (mp);
2474 }
2475 
2476 /*
2477  * This function handles all retransmissions if SACK is enabled for this
2478  * connection.  First it calculates how many segments can be retransmitted
2479  * based on tcp_pipe.  Then it goes thru the notsack list to find eligible
2480  * segments.  A segment is eligible if sack_cnt for that segment is greater
2481  * than or equal tcp_dupack_fast_retransmit.  After it has retransmitted
2482  * all eligible segments, it checks to see if TCP can send some new segments
2483  * (fast recovery).  If it can, it returns 1.  Otherwise it returns 0.
2484  *
2485  * Parameters:
2486  *	tcp_t *tcp: the tcp structure of the connection.
2487  *
2488  * Return:
2489  *	1 if the pipe is not full (new data can be sent), 0 otherwise
2490  */
2491 static int32_t
2492 tcp_sack_rxmit(tcp_t *tcp, int sock_id)
2493 {
2494 	notsack_blk_t	*notsack_blk;
2495 	int32_t		usable_swnd;
2496 	int32_t		mss;
2497 	uint32_t	seg_len;
2498 	mblk_t		*xmit_mp;
2499 
2500 	assert(tcp->tcp_sack_info != NULL);
2501 	assert(tcp->tcp_notsack_list != NULL);
2502 	assert(tcp->tcp_rexmit == B_FALSE);
2503 
2504 	/* Defensive coding in case there is a bug... */
2505 	if (tcp->tcp_notsack_list == NULL) {
2506 		return (0);
2507 	}
2508 	notsack_blk = tcp->tcp_notsack_list;
2509 	mss = tcp->tcp_mss;
2510 
2511 	/*
2512 	 * Limit the num of outstanding data in the network to be
2513 	 * tcp_cwnd_ssthresh, which is half of the original congestion wnd.
2514 	 */
2515 	usable_swnd = tcp->tcp_cwnd_ssthresh - tcp->tcp_pipe;
2516 
2517 	/* At least retransmit 1 MSS of data. */
2518 	if (usable_swnd <= 0) {
2519 		usable_swnd = mss;
2520 	}
2521 
2522 	/* Make sure no new RTT samples will be taken. */
2523 	tcp->tcp_csuna = tcp->tcp_snxt;
2524 
2525 	notsack_blk = tcp->tcp_notsack_list;
2526 	while (usable_swnd > 0) {
2527 		mblk_t		*snxt_mp, *tmp_mp;
2528 		tcp_seq		begin = tcp->tcp_sack_snxt;
2529 		tcp_seq		end;
2530 		int32_t		off;
2531 
2532 		for (; notsack_blk != NULL; notsack_blk = notsack_blk->next) {
2533 			if (SEQ_GT(notsack_blk->end, begin) &&
2534 			    (notsack_blk->sack_cnt >=
2535 			    tcp_dupack_fast_retransmit)) {
2536 				end = notsack_blk->end;
2537 				if (SEQ_LT(begin, notsack_blk->begin)) {
2538 					begin = notsack_blk->begin;
2539 				}
2540 				break;
2541 			}
2542 		}
2543 		/*
2544 		 * All holes are filled.  Manipulate tcp_cwnd to send more
2545 		 * if we can.  Note that after the SACK recovery, tcp_cwnd is
2546 		 * set to tcp_cwnd_ssthresh.
2547 		 */
2548 		if (notsack_blk == NULL) {
2549 			usable_swnd = tcp->tcp_cwnd_ssthresh - tcp->tcp_pipe;
2550 			if (usable_swnd <= 0) {
2551 				tcp->tcp_cwnd = tcp->tcp_snxt - tcp->tcp_suna;
2552 				assert(tcp->tcp_cwnd > 0);
2553 				return (0);
2554 			} else {
2555 				usable_swnd = usable_swnd / mss;
2556 				tcp->tcp_cwnd = tcp->tcp_snxt - tcp->tcp_suna +
2557 				    MAX(usable_swnd * mss, mss);
2558 				return (1);
2559 			}
2560 		}
2561 
2562 		/*
2563 		 * Note that we may send more than usable_swnd allows here
2564 		 * because of round off, but no more than 1 MSS of data.
2565 		 */
2566 		seg_len = end - begin;
2567 		if (seg_len > mss)
2568 			seg_len = mss;
2569 		snxt_mp = tcp_get_seg_mp(tcp, begin, &off);
2570 		assert(snxt_mp != NULL);
2571 		/* This should not happen.  Defensive coding again... */
2572 		if (snxt_mp == NULL) {
2573 			return (0);
2574 		}
2575 
2576 		xmit_mp = tcp_xmit_mp(tcp, snxt_mp, seg_len, &off,
2577 		    &tmp_mp, begin, B_TRUE, &seg_len, B_TRUE);
2578 
2579 		if (xmit_mp == NULL)
2580 			return (0);
2581 
2582 		usable_swnd -= seg_len;
2583 		tcp->tcp_pipe += seg_len;
2584 		tcp->tcp_sack_snxt = begin + seg_len;
2585 		TCP_DUMP_PACKET("tcp_sack_rxmit", xmit_mp);
2586 		(void) ipv4_tcp_output(sock_id, xmit_mp);
2587 		freeb(xmit_mp);
2588 
2589 		/*
2590 		 * Update the send timestamp to avoid false retransmission.
2591 		 * Note. use uintptr_t to suppress the gcc warning.
2592 		 */
2593 		snxt_mp->b_prev = (mblk_t *)(uintptr_t)prom_gettime();
2594 
2595 		BUMP_MIB(tcp_mib.tcpRetransSegs);
2596 		UPDATE_MIB(tcp_mib.tcpRetransBytes, seg_len);
2597 		BUMP_MIB(tcp_mib.tcpOutSackRetransSegs);
2598 		/*
2599 		 * Update tcp_rexmit_max to extend this SACK recovery phase.
2600 		 * This happens when new data sent during fast recovery is
2601 		 * also lost.  If TCP retransmits those new data, it needs
2602 		 * to extend SACK recover phase to avoid starting another
2603 		 * fast retransmit/recovery unnecessarily.
2604 		 */
2605 		if (SEQ_GT(tcp->tcp_sack_snxt, tcp->tcp_rexmit_max)) {
2606 			tcp->tcp_rexmit_max = tcp->tcp_sack_snxt;
2607 		}
2608 	}
2609 	return (0);
2610 }
2611 
2612 static void
2613 tcp_rput_data(tcp_t *tcp, mblk_t *mp, int sock_id)
2614 {
2615 	uchar_t		*rptr;
2616 	struct ip	*iph;
2617 	tcp_t		*tcp1;
2618 	tcpha_t		*tcph;
2619 	uint32_t	seg_ack;
2620 	int		seg_len;
2621 	uint_t		ip_hdr_len;
2622 	uint32_t	seg_seq;
2623 	mblk_t		*mp1;
2624 	uint_t		flags;
2625 	uint32_t	new_swnd = 0;
2626 	int		mss;
2627 	boolean_t	ofo_seg = B_FALSE; /* Out of order segment */
2628 	int32_t		gap;
2629 	int32_t		rgap;
2630 	tcp_opt_t	tcpopt;
2631 	int32_t		bytes_acked;
2632 	int		npkt;
2633 	uint32_t	cwnd;
2634 	uint32_t	add;
2635 
2636 #ifdef DEBUG
2637 	printf("tcp_rput_data sock %d mp %x mp_datap %x #################\n",
2638 	    sock_id, mp, mp->b_datap);
2639 #endif
2640 
2641 	/* Dump the packet when debugging. */
2642 	TCP_DUMP_PACKET("tcp_rput_data", mp);
2643 
2644 	assert(OK_32PTR(mp->b_rptr));
2645 
2646 	rptr = mp->b_rptr;
2647 	iph = (struct ip *)rptr;
2648 	ip_hdr_len = IPH_HDR_LENGTH(rptr);
2649 	if (ip_hdr_len != IP_SIMPLE_HDR_LENGTH) {
2650 #ifdef DEBUG
2651 		printf("Not simple IP header\n");
2652 #endif
2653 		/* We cannot handle IP option yet... */
2654 		tcp_drops++;
2655 		freeb(mp);
2656 		return;
2657 	}
2658 	/* The TCP header must be aligned. */
2659 	tcph = (tcpha_t *)&rptr[ip_hdr_len];
2660 	seg_seq = ntohl(tcph->tha_seq);
2661 	seg_ack = ntohl(tcph->tha_ack);
2662 	assert((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
2663 	seg_len = (int)(mp->b_wptr - rptr) -
2664 	    (ip_hdr_len + TCP_HDR_LENGTH(((tcph_t *)tcph)));
2665 	/* In inetboot, b_cont should always be NULL. */
2666 	assert(mp->b_cont == NULL);
2667 
2668 	/* Verify the checksum. */
2669 	if (tcp_verify_cksum(mp) < 0) {
2670 #ifdef DEBUG
2671 		printf("tcp_rput_data: wrong cksum\n");
2672 #endif
2673 		freemsg(mp);
2674 		return;
2675 	}
2676 
2677 	/*
2678 	 * This segment is not for us, try to find its
2679 	 * intended receiver.
2680 	 */
2681 	if (tcp == NULL ||
2682 	    tcph->tha_lport != tcp->tcp_fport ||
2683 	    tcph->tha_fport != tcp->tcp_lport ||
2684 	    iph->ip_src.s_addr != tcp->tcp_remote ||
2685 	    iph->ip_dst.s_addr != tcp->tcp_bound_source) {
2686 #ifdef DEBUG
2687 		printf("tcp_rput_data: not for us, state %d\n",
2688 		    tcp->tcp_state);
2689 #endif
2690 		/*
2691 		 * First try to find a established connection.  If none
2692 		 * is found, look for a listener.
2693 		 *
2694 		 * If a listener is found, we need to check to see if the
2695 		 * incoming segment is for one of its eagers.  If it is,
2696 		 * give it to the eager.  If not, listener should take care
2697 		 * of it.
2698 		 */
2699 		if ((tcp1 = tcp_lookup_ipv4(iph, tcph, TCPS_SYN_SENT,
2700 		    &sock_id)) != NULL ||
2701 		    (tcp1 = tcp_lookup_listener_ipv4(iph->ip_dst.s_addr,
2702 		    tcph->tha_fport, &sock_id)) != NULL) {
2703 			if (tcp1->tcp_state == TCPS_LISTEN) {
2704 				if ((tcp = tcp_lookup_eager_ipv4(tcp1,
2705 				    iph, tcph)) == NULL) {
2706 					/* No eager... sent to listener */
2707 #ifdef DEBUG
2708 					printf("found the listener: %s\n",
2709 					    tcp_display(tcp1, NULL,
2710 					    DISP_ADDR_AND_PORT));
2711 #endif
2712 					tcp = tcp1;
2713 				}
2714 #ifdef DEBUG
2715 				else {
2716 					printf("found the eager: %s\n",
2717 					    tcp_display(tcp, NULL,
2718 					    DISP_ADDR_AND_PORT));
2719 				}
2720 #endif
2721 			} else {
2722 				/* Non listener found... */
2723 #ifdef DEBUG
2724 				printf("found the connection: %s\n",
2725 				    tcp_display(tcp1, NULL,
2726 				    DISP_ADDR_AND_PORT));
2727 #endif
2728 				tcp = tcp1;
2729 			}
2730 		} else {
2731 			/*
2732 			 * No connection for this segment...
2733 			 * Send a RST to the other side.
2734 			 */
2735 			tcp_xmit_listeners_reset(sock_id, mp, ip_hdr_len);
2736 			return;
2737 		}
2738 	}
2739 
2740 	flags = tcph->tha_flags & 0xFF;
2741 	BUMP_MIB(tcp_mib.tcpInSegs);
2742 	if (tcp->tcp_state == TCPS_TIME_WAIT) {
2743 		tcp_time_wait_processing(tcp, mp, seg_seq, seg_ack,
2744 		    seg_len, (tcph_t *)tcph, sock_id);
2745 		return;
2746 	}
2747 	/*
2748 	 * From this point we can assume that the tcp is not compressed,
2749 	 * since we would have branched off to tcp_time_wait_processing()
2750 	 * in such a case.
2751 	 */
2752 	assert(tcp != NULL && tcp->tcp_state != TCPS_TIME_WAIT);
2753 
2754 	/*
2755 	 * After this point, we know we have the correct TCP, so update
2756 	 * the receive time.
2757 	 */
2758 	tcp->tcp_last_recv_time = prom_gettime();
2759 
2760 	/* In inetboot, we do not handle urgent pointer... */
2761 	if (flags & TH_URG) {
2762 		freemsg(mp);
2763 		DEBUG_1("tcp_rput_data(%d): received segment with urgent "
2764 		    "pointer\n", sock_id);
2765 		tcp_drops++;
2766 		return;
2767 	}
2768 
2769 	switch (tcp->tcp_state) {
2770 	case TCPS_LISTEN:
2771 		if ((flags & (TH_RST | TH_ACK | TH_SYN)) != TH_SYN) {
2772 			if (flags & TH_RST) {
2773 				freemsg(mp);
2774 				return;
2775 			}
2776 			if (flags & TH_ACK) {
2777 				tcp_xmit_early_reset("TCPS_LISTEN-TH_ACK",
2778 				    sock_id, mp, seg_ack, 0, TH_RST,
2779 				    ip_hdr_len);
2780 				return;
2781 			}
2782 			if (!(flags & TH_SYN)) {
2783 				freemsg(mp);
2784 				return;
2785 			}
2786 			printf("tcp_rput_data: %d\n", __LINE__);
2787 			prom_panic("inetboot");
2788 		}
2789 		if (tcp->tcp_conn_req_max > 0) {
2790 			tcp = tcp_conn_request(tcp, mp, sock_id, ip_hdr_len);
2791 			if (tcp == NULL) {
2792 				freemsg(mp);
2793 				return;
2794 			}
2795 #ifdef DEBUG
2796 			printf("tcp_rput_data: new tcp created\n");
2797 #endif
2798 		}
2799 		tcp->tcp_irs = seg_seq;
2800 		tcp->tcp_rack = seg_seq;
2801 		tcp->tcp_rnxt = seg_seq + 1;
2802 		U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
2803 		BUMP_MIB(tcp_mib.tcpPassiveOpens);
2804 		goto syn_rcvd;
2805 	case TCPS_SYN_SENT:
2806 		if (flags & TH_ACK) {
2807 			/*
2808 			 * Note that our stack cannot send data before a
2809 			 * connection is established, therefore the
2810 			 * following check is valid.  Otherwise, it has
2811 			 * to be changed.
2812 			 */
2813 			if (SEQ_LEQ(seg_ack, tcp->tcp_iss) ||
2814 			    SEQ_GT(seg_ack, tcp->tcp_snxt)) {
2815 				if (flags & TH_RST) {
2816 					freemsg(mp);
2817 					return;
2818 				}
2819 				tcp_xmit_ctl("TCPS_SYN_SENT-Bad_seq",
2820 				    tcp, mp, seg_ack, 0, TH_RST,
2821 				    ip_hdr_len, sock_id);
2822 				return;
2823 			}
2824 			assert(tcp->tcp_suna + 1 == seg_ack);
2825 		}
2826 		if (flags & TH_RST) {
2827 			freemsg(mp);
2828 			if (flags & TH_ACK) {
2829 				tcp_clean_death(sock_id, tcp, ECONNREFUSED);
2830 			}
2831 			return;
2832 		}
2833 		if (!(flags & TH_SYN)) {
2834 			freemsg(mp);
2835 			return;
2836 		}
2837 
2838 		/* Process all TCP options. */
2839 		tcp_process_options(tcp, (tcph_t *)tcph);
2840 		/*
2841 		 * The following changes our rwnd to be a multiple of the
2842 		 * MIN(peer MSS, our MSS) for performance reason.
2843 		 */
2844 		(void) tcp_rwnd_set(tcp, MSS_ROUNDUP(tcp->tcp_rwnd,
2845 		    tcp->tcp_mss));
2846 
2847 		/* Is the other end ECN capable? */
2848 		if (tcp->tcp_ecn_ok) {
2849 			if ((flags & (TH_ECE|TH_CWR)) != TH_ECE) {
2850 				tcp->tcp_ecn_ok = B_FALSE;
2851 			}
2852 		}
2853 		/*
2854 		 * Clear ECN flags because it may interfere with later
2855 		 * processing.
2856 		 */
2857 		flags &= ~(TH_ECE|TH_CWR);
2858 
2859 		tcp->tcp_irs = seg_seq;
2860 		tcp->tcp_rack = seg_seq;
2861 		tcp->tcp_rnxt = seg_seq + 1;
2862 		U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
2863 
2864 		if (flags & TH_ACK) {
2865 			/* One for the SYN */
2866 			tcp->tcp_suna = tcp->tcp_iss + 1;
2867 			tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
2868 			tcp->tcp_state = TCPS_ESTABLISHED;
2869 
2870 			/*
2871 			 * If SYN was retransmitted, need to reset all
2872 			 * retransmission info.  This is because this
2873 			 * segment will be treated as a dup ACK.
2874 			 */
2875 			if (tcp->tcp_rexmit) {
2876 				tcp->tcp_rexmit = B_FALSE;
2877 				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
2878 				tcp->tcp_rexmit_max = tcp->tcp_snxt;
2879 				tcp->tcp_snd_burst = TCP_CWND_NORMAL;
2880 
2881 				/*
2882 				 * Set tcp_cwnd back to 1 MSS, per
2883 				 * recommendation from
2884 				 * draft-floyd-incr-init-win-01.txt,
2885 				 * Increasing TCP's Initial Window.
2886 				 */
2887 				tcp->tcp_cwnd = tcp->tcp_mss;
2888 			}
2889 
2890 			tcp->tcp_swl1 = seg_seq;
2891 			tcp->tcp_swl2 = seg_ack;
2892 
2893 			new_swnd = BE16_TO_U16(((tcph_t *)tcph)->th_win);
2894 			tcp->tcp_swnd = new_swnd;
2895 			if (new_swnd > tcp->tcp_max_swnd)
2896 				tcp->tcp_max_swnd = new_swnd;
2897 
2898 			/*
2899 			 * Always send the three-way handshake ack immediately
2900 			 * in order to make the connection complete as soon as
2901 			 * possible on the accepting host.
2902 			 */
2903 			flags |= TH_ACK_NEEDED;
2904 			/*
2905 			 * Check to see if there is data to be sent.  If
2906 			 * yes, set the transmit flag.  Then check to see
2907 			 * if received data processing needs to be done.
2908 			 * If not, go straight to xmit_check.  This short
2909 			 * cut is OK as we don't support T/TCP.
2910 			 */
2911 			if (tcp->tcp_unsent)
2912 				flags |= TH_XMIT_NEEDED;
2913 
2914 			if (seg_len == 0) {
2915 				freemsg(mp);
2916 				goto xmit_check;
2917 			}
2918 
2919 			flags &= ~TH_SYN;
2920 			seg_seq++;
2921 			break;
2922 		}
2923 		syn_rcvd:
2924 		tcp->tcp_state = TCPS_SYN_RCVD;
2925 		mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, tcp->tcp_mss,
2926 		    NULL, NULL, tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
2927 		if (mp1 != NULL) {
2928 			TCP_DUMP_PACKET("tcp_rput_data replying SYN", mp1);
2929 			(void) ipv4_tcp_output(sock_id, mp1);
2930 			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
2931 			freeb(mp1);
2932 			/*
2933 			 * Let's wait till our SYN has been ACKED since we
2934 			 * don't have a timer.
2935 			 */
2936 			if (tcp_state_wait(sock_id, tcp, TCPS_ALL_ACKED) < 0) {
2937 				freemsg(mp);
2938 				return;
2939 			}
2940 		}
2941 		freemsg(mp);
2942 		return;
2943 	default:
2944 		break;
2945 	}
2946 	mp->b_rptr = (uchar_t *)tcph + TCP_HDR_LENGTH((tcph_t *)tcph);
2947 	new_swnd = ntohs(tcph->tha_win) <<
2948 	    ((flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
2949 	mss = tcp->tcp_mss;
2950 
2951 	if (tcp->tcp_snd_ts_ok) {
2952 		if (!tcp_paws_check(tcp, (tcph_t *)tcph, &tcpopt)) {
2953 			/*
2954 			 * This segment is not acceptable.
2955 			 * Drop it and send back an ACK.
2956 			 */
2957 			freemsg(mp);
2958 			flags |= TH_ACK_NEEDED;
2959 			goto ack_check;
2960 		}
2961 	} else if (tcp->tcp_snd_sack_ok) {
2962 		assert(tcp->tcp_sack_info != NULL);
2963 		tcpopt.tcp = tcp;
2964 		/*
2965 		 * SACK info in already updated in tcp_parse_options.  Ignore
2966 		 * all other TCP options...
2967 		 */
2968 		(void) tcp_parse_options((tcph_t *)tcph, &tcpopt);
2969 	}
2970 try_again:;
2971 	gap = seg_seq - tcp->tcp_rnxt;
2972 	rgap = tcp->tcp_rwnd - (gap + seg_len);
2973 	/*
2974 	 * gap is the amount of sequence space between what we expect to see
2975 	 * and what we got for seg_seq.  A positive value for gap means
2976 	 * something got lost.  A negative value means we got some old stuff.
2977 	 */
2978 	if (gap < 0) {
2979 		/* Old stuff present.  Is the SYN in there? */
2980 		if (seg_seq == tcp->tcp_irs && (flags & TH_SYN) &&
2981 		    (seg_len != 0)) {
2982 			flags &= ~TH_SYN;
2983 			seg_seq++;
2984 			/* Recompute the gaps after noting the SYN. */
2985 			goto try_again;
2986 		}
2987 		BUMP_MIB(tcp_mib.tcpInDataDupSegs);
2988 		UPDATE_MIB(tcp_mib.tcpInDataDupBytes,
2989 		    (seg_len > -gap ? -gap : seg_len));
2990 		/* Remove the old stuff from seg_len. */
2991 		seg_len += gap;
2992 		/*
2993 		 * Anything left?
2994 		 * Make sure to check for unack'd FIN when rest of data
2995 		 * has been previously ack'd.
2996 		 */
2997 		if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
2998 			/*
2999 			 * Resets are only valid if they lie within our offered
3000 			 * window.  If the RST bit is set, we just ignore this
3001 			 * segment.
3002 			 */
3003 			if (flags & TH_RST) {
3004 				freemsg(mp);
3005 				return;
3006 			}
3007 
3008 			/*
3009 			 * This segment is "unacceptable".  None of its
3010 			 * sequence space lies within our advertized window.
3011 			 *
3012 			 * Adjust seg_len to the original value for tracing.
3013 			 */
3014 			seg_len -= gap;
3015 #ifdef DEBUG
3016 			printf("tcp_rput: unacceptable, gap %d, rgap "
3017 			    "%d, flags 0x%x, seg_seq %u, seg_ack %u, "
3018 			    "seg_len %d, rnxt %u, snxt %u, %s",
3019 			    gap, rgap, flags, seg_seq, seg_ack,
3020 			    seg_len, tcp->tcp_rnxt, tcp->tcp_snxt,
3021 			    tcp_display(tcp, NULL, DISP_ADDR_AND_PORT));
3022 #endif
3023 
3024 			/*
3025 			 * Arrange to send an ACK in response to the
3026 			 * unacceptable segment per RFC 793 page 69. There
3027 			 * is only one small difference between ours and the
3028 			 * acceptability test in the RFC - we accept ACK-only
3029 			 * packet with SEG.SEQ = RCV.NXT+RCV.WND and no ACK
3030 			 * will be generated.
3031 			 *
3032 			 * Note that we have to ACK an ACK-only packet at least
3033 			 * for stacks that send 0-length keep-alives with
3034 			 * SEG.SEQ = SND.NXT-1 as recommended by RFC1122,
3035 			 * section 4.2.3.6. As long as we don't ever generate
3036 			 * an unacceptable packet in response to an incoming
3037 			 * packet that is unacceptable, it should not cause
3038 			 * "ACK wars".
3039 			 */
3040 			flags |=  TH_ACK_NEEDED;
3041 
3042 			/*
3043 			 * Continue processing this segment in order to use the
3044 			 * ACK information it contains, but skip all other
3045 			 * sequence-number processing.	Processing the ACK
3046 			 * information is necessary in order to
3047 			 * re-synchronize connections that may have lost
3048 			 * synchronization.
3049 			 *
3050 			 * We clear seg_len and flag fields related to
3051 			 * sequence number processing as they are not
3052 			 * to be trusted for an unacceptable segment.
3053 			 */
3054 			seg_len = 0;
3055 			flags &= ~(TH_SYN | TH_FIN | TH_URG);
3056 			goto process_ack;
3057 		}
3058 
3059 		/* Fix seg_seq, and chew the gap off the front. */
3060 		seg_seq = tcp->tcp_rnxt;
3061 		do {
3062 			mblk_t	*mp2;
3063 			assert((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
3064 			    (uintptr_t)UINT_MAX);
3065 			gap += (uint_t)(mp->b_wptr - mp->b_rptr);
3066 			if (gap > 0) {
3067 				mp->b_rptr = mp->b_wptr - gap;
3068 				break;
3069 			}
3070 			mp2 = mp;
3071 			mp = mp->b_cont;
3072 			freeb(mp2);
3073 		} while (gap < 0);
3074 	}
3075 	/*
3076 	 * rgap is the amount of stuff received out of window.  A negative
3077 	 * value is the amount out of window.
3078 	 */
3079 	if (rgap < 0) {
3080 		mblk_t	*mp2;
3081 
3082 		if (tcp->tcp_rwnd == 0)
3083 			BUMP_MIB(tcp_mib.tcpInWinProbe);
3084 		else {
3085 			BUMP_MIB(tcp_mib.tcpInDataPastWinSegs);
3086 			UPDATE_MIB(tcp_mib.tcpInDataPastWinBytes, -rgap);
3087 		}
3088 
3089 		/*
3090 		 * seg_len does not include the FIN, so if more than
3091 		 * just the FIN is out of window, we act like we don't
3092 		 * see it.  (If just the FIN is out of window, rgap
3093 		 * will be zero and we will go ahead and acknowledge
3094 		 * the FIN.)
3095 		 */
3096 		flags &= ~TH_FIN;
3097 
3098 		/* Fix seg_len and make sure there is something left. */
3099 		seg_len += rgap;
3100 		if (seg_len <= 0) {
3101 			/*
3102 			 * Resets are only valid if they lie within our offered
3103 			 * window.  If the RST bit is set, we just ignore this
3104 			 * segment.
3105 			 */
3106 			if (flags & TH_RST) {
3107 				freemsg(mp);
3108 				return;
3109 			}
3110 
3111 			/* Per RFC 793, we need to send back an ACK. */
3112 			flags |= TH_ACK_NEEDED;
3113 
3114 			/*
3115 			 * If this is a zero window probe, continue to
3116 			 * process the ACK part.  But we need to set seg_len
3117 			 * to 0 to avoid data processing.  Otherwise just
3118 			 * drop the segment and send back an ACK.
3119 			 */
3120 			if (tcp->tcp_rwnd == 0 && seg_seq == tcp->tcp_rnxt) {
3121 				flags &= ~(TH_SYN | TH_URG);
3122 				seg_len = 0;
3123 				/* Let's see if we can update our rwnd */
3124 				tcp_rcv_drain(sock_id, tcp);
3125 				goto process_ack;
3126 			} else {
3127 				freemsg(mp);
3128 				goto ack_check;
3129 			}
3130 		}
3131 		/* Pitch out of window stuff off the end. */
3132 		rgap = seg_len;
3133 		mp2 = mp;
3134 		do {
3135 			assert((uintptr_t)(mp2->b_wptr -
3136 			    mp2->b_rptr) <= (uintptr_t)INT_MAX);
3137 			rgap -= (int)(mp2->b_wptr - mp2->b_rptr);
3138 			if (rgap < 0) {
3139 				mp2->b_wptr += rgap;
3140 				if ((mp1 = mp2->b_cont) != NULL) {
3141 					mp2->b_cont = NULL;
3142 					freemsg(mp1);
3143 				}
3144 				break;
3145 			}
3146 		} while ((mp2 = mp2->b_cont) != NULL);
3147 	}
3148 ok:;
3149 	/*
3150 	 * TCP should check ECN info for segments inside the window only.
3151 	 * Therefore the check should be done here.
3152 	 */
3153 	if (tcp->tcp_ecn_ok) {
3154 		uchar_t tos = ((struct ip *)rptr)->ip_tos;
3155 
3156 		if (flags & TH_CWR) {
3157 			tcp->tcp_ecn_echo_on = B_FALSE;
3158 		}
3159 		/*
3160 		 * Note that both ECN_CE and CWR can be set in the
3161 		 * same segment.  In this case, we once again turn
3162 		 * on ECN_ECHO.
3163 		 */
3164 		if ((tos & IPH_ECN_CE) == IPH_ECN_CE) {
3165 			tcp->tcp_ecn_echo_on = B_TRUE;
3166 		}
3167 	}
3168 
3169 	/*
3170 	 * Check whether we can update tcp_ts_recent.  This test is
3171 	 * NOT the one in RFC 1323 3.4.  It is from Braden, 1993, "TCP
3172 	 * Extensions for High Performance: An Update", Internet Draft.
3173 	 */
3174 	if (tcp->tcp_snd_ts_ok &&
3175 	    TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
3176 	    SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
3177 		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
3178 		tcp->tcp_last_rcv_lbolt = prom_gettime();
3179 	}
3180 
3181 	if (seg_seq != tcp->tcp_rnxt || tcp->tcp_reass_head) {
3182 		/*
3183 		 * FIN in an out of order segment.  We record this in
3184 		 * tcp_valid_bits and the seq num of FIN in tcp_ofo_fin_seq.
3185 		 * Clear the FIN so that any check on FIN flag will fail.
3186 		 * Remember that FIN also counts in the sequence number
3187 		 * space.  So we need to ack out of order FIN only segments.
3188 		 */
3189 		if (flags & TH_FIN) {
3190 			tcp->tcp_valid_bits |= TCP_OFO_FIN_VALID;
3191 			tcp->tcp_ofo_fin_seq = seg_seq + seg_len;
3192 			flags &= ~TH_FIN;
3193 			flags |= TH_ACK_NEEDED;
3194 		}
3195 		if (seg_len > 0) {
3196 			/* Fill in the SACK blk list. */
3197 			if (tcp->tcp_snd_sack_ok) {
3198 				assert(tcp->tcp_sack_info != NULL);
3199 				tcp_sack_insert(tcp->tcp_sack_list,
3200 				    seg_seq, seg_seq + seg_len,
3201 				    &(tcp->tcp_num_sack_blk));
3202 			}
3203 
3204 			/*
3205 			 * Attempt reassembly and see if we have something
3206 			 * ready to go.
3207 			 */
3208 			mp = tcp_reass(tcp, mp, seg_seq);
3209 			/* Always ack out of order packets */
3210 			flags |= TH_ACK_NEEDED | TH_PUSH;
3211 			if (mp != NULL) {
3212 				assert((uintptr_t)(mp->b_wptr -
3213 				    mp->b_rptr) <= (uintptr_t)INT_MAX);
3214 				seg_len = mp->b_cont ? msgdsize(mp) :
3215 					(int)(mp->b_wptr - mp->b_rptr);
3216 				seg_seq = tcp->tcp_rnxt;
3217 				/*
3218 				 * A gap is filled and the seq num and len
3219 				 * of the gap match that of a previously
3220 				 * received FIN, put the FIN flag back in.
3221 				 */
3222 				if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
3223 				    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
3224 					flags |= TH_FIN;
3225 					tcp->tcp_valid_bits &=
3226 					    ~TCP_OFO_FIN_VALID;
3227 				}
3228 			} else {
3229 				/*
3230 				 * Keep going even with NULL mp.
3231 				 * There may be a useful ACK or something else
3232 				 * we don't want to miss.
3233 				 *
3234 				 * But TCP should not perform fast retransmit
3235 				 * because of the ack number.  TCP uses
3236 				 * seg_len == 0 to determine if it is a pure
3237 				 * ACK.  And this is not a pure ACK.
3238 				 */
3239 				seg_len = 0;
3240 				ofo_seg = B_TRUE;
3241 			}
3242 		}
3243 	} else if (seg_len > 0) {
3244 		BUMP_MIB(tcp_mib.tcpInDataInorderSegs);
3245 		UPDATE_MIB(tcp_mib.tcpInDataInorderBytes, seg_len);
3246 		/*
3247 		 * If an out of order FIN was received before, and the seq
3248 		 * num and len of the new segment match that of the FIN,
3249 		 * put the FIN flag back in.
3250 		 */
3251 		if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
3252 		    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
3253 			flags |= TH_FIN;
3254 			tcp->tcp_valid_bits &= ~TCP_OFO_FIN_VALID;
3255 		}
3256 	}
3257 	if ((flags & (TH_RST | TH_SYN | TH_URG | TH_ACK)) != TH_ACK) {
3258 	if (flags & TH_RST) {
3259 		freemsg(mp);
3260 		switch (tcp->tcp_state) {
3261 		case TCPS_SYN_RCVD:
3262 			(void) tcp_clean_death(sock_id, tcp, ECONNREFUSED);
3263 			break;
3264 		case TCPS_ESTABLISHED:
3265 		case TCPS_FIN_WAIT_1:
3266 		case TCPS_FIN_WAIT_2:
3267 		case TCPS_CLOSE_WAIT:
3268 			(void) tcp_clean_death(sock_id, tcp, ECONNRESET);
3269 			break;
3270 		case TCPS_CLOSING:
3271 		case TCPS_LAST_ACK:
3272 			(void) tcp_clean_death(sock_id, tcp, 0);
3273 			break;
3274 		default:
3275 			assert(tcp->tcp_state != TCPS_TIME_WAIT);
3276 			(void) tcp_clean_death(sock_id, tcp, ENXIO);
3277 			break;
3278 		}
3279 		return;
3280 	}
3281 	if (flags & TH_SYN) {
3282 		/*
3283 		 * See RFC 793, Page 71
3284 		 *
3285 		 * The seq number must be in the window as it should
3286 		 * be "fixed" above.  If it is outside window, it should
3287 		 * be already rejected.  Note that we allow seg_seq to be
3288 		 * rnxt + rwnd because we want to accept 0 window probe.
3289 		 */
3290 		assert(SEQ_GEQ(seg_seq, tcp->tcp_rnxt) &&
3291 		    SEQ_LEQ(seg_seq, tcp->tcp_rnxt + tcp->tcp_rwnd));
3292 		freemsg(mp);
3293 		/*
3294 		 * If the ACK flag is not set, just use our snxt as the
3295 		 * seq number of the RST segment.
3296 		 */
3297 		if (!(flags & TH_ACK)) {
3298 			seg_ack = tcp->tcp_snxt;
3299 		}
3300 		tcp_xmit_ctl("TH_SYN", tcp, NULL, seg_ack,
3301 		    seg_seq + 1, TH_RST|TH_ACK, 0, sock_id);
3302 		assert(tcp->tcp_state != TCPS_TIME_WAIT);
3303 		(void) tcp_clean_death(sock_id, tcp, ECONNRESET);
3304 		return;
3305 	}
3306 
3307 process_ack:
3308 	if (!(flags & TH_ACK)) {
3309 #ifdef DEBUG
3310 		printf("No ack in segment, dropped it, seq:%x\n", seg_seq);
3311 #endif
3312 		freemsg(mp);
3313 		goto xmit_check;
3314 	}
3315 	}
3316 	bytes_acked = (int)(seg_ack - tcp->tcp_suna);
3317 
3318 	if (tcp->tcp_state == TCPS_SYN_RCVD) {
3319 		tcp_t	*listener = tcp->tcp_listener;
3320 #ifdef DEBUG
3321 		printf("Done with eager 3-way handshake\n");
3322 #endif
3323 		/*
3324 		 * NOTE: RFC 793 pg. 72 says this should be 'bytes_acked < 0'
3325 		 * but that would mean we have an ack that ignored our SYN.
3326 		 */
3327 		if (bytes_acked < 1 || SEQ_GT(seg_ack, tcp->tcp_snxt)) {
3328 			freemsg(mp);
3329 			tcp_xmit_ctl("TCPS_SYN_RCVD-bad_ack",
3330 			    tcp, NULL, seg_ack, 0, TH_RST, 0, sock_id);
3331 			return;
3332 		}
3333 
3334 		/*
3335 		 * if the conn_req_q is full defer processing
3336 		 * until space is availabe after accept()
3337 		 * processing
3338 		 */
3339 		if (listener->tcp_conn_req_cnt_q <
3340 		    listener->tcp_conn_req_max) {
3341 			tcp_t *tail;
3342 
3343 			listener->tcp_conn_req_cnt_q0--;
3344 			listener->tcp_conn_req_cnt_q++;
3345 
3346 			/* Move from SYN_RCVD to ESTABLISHED list  */
3347 			tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
3348 				tcp->tcp_eager_prev_q0;
3349 			tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
3350 				tcp->tcp_eager_next_q0;
3351 			tcp->tcp_eager_prev_q0 = NULL;
3352 			tcp->tcp_eager_next_q0 = NULL;
3353 
3354 			/*
3355 			 * Insert at end of the queue because sockfs
3356 			 * sends down T_CONN_RES in chronological
3357 			 * order. Leaving the older conn indications
3358 			 * at front of the queue helps reducing search
3359 			 * time.
3360 			 */
3361 			tail = listener->tcp_eager_last_q;
3362 			if (tail != NULL) {
3363 				tail->tcp_eager_next_q = tcp;
3364 			} else {
3365 				listener->tcp_eager_next_q = tcp;
3366 			}
3367 			listener->tcp_eager_last_q = tcp;
3368 			tcp->tcp_eager_next_q = NULL;
3369 		} else {
3370 			/*
3371 			 * Defer connection on q0 and set deferred
3372 			 * connection bit true
3373 			 */
3374 			tcp->tcp_conn_def_q0 = B_TRUE;
3375 
3376 			/* take tcp out of q0 ... */
3377 			tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
3378 			    tcp->tcp_eager_next_q0;
3379 			tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
3380 			    tcp->tcp_eager_prev_q0;
3381 
3382 			/* ... and place it at the end of q0 */
3383 			tcp->tcp_eager_prev_q0 = listener->tcp_eager_prev_q0;
3384 			tcp->tcp_eager_next_q0 = listener;
3385 			listener->tcp_eager_prev_q0->tcp_eager_next_q0 = tcp;
3386 			listener->tcp_eager_prev_q0 = tcp;
3387 		}
3388 
3389 		tcp->tcp_suna = tcp->tcp_iss + 1;	/* One for the SYN */
3390 		bytes_acked--;
3391 
3392 		/*
3393 		 * If SYN was retransmitted, need to reset all
3394 		 * retransmission info as this segment will be
3395 		 * treated as a dup ACK.
3396 		 */
3397 		if (tcp->tcp_rexmit) {
3398 			tcp->tcp_rexmit = B_FALSE;
3399 			tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
3400 			tcp->tcp_rexmit_max = tcp->tcp_snxt;
3401 			tcp->tcp_snd_burst = TCP_CWND_NORMAL;
3402 			tcp->tcp_ms_we_have_waited = 0;
3403 			tcp->tcp_cwnd = mss;
3404 		}
3405 
3406 		/*
3407 		 * We set the send window to zero here.
3408 		 * This is needed if there is data to be
3409 		 * processed already on the queue.
3410 		 * Later (at swnd_update label), the
3411 		 * "new_swnd > tcp_swnd" condition is satisfied
3412 		 * the XMIT_NEEDED flag is set in the current
3413 		 * (SYN_RCVD) state. This ensures tcp_wput_data() is
3414 		 * called if there is already data on queue in
3415 		 * this state.
3416 		 */
3417 		tcp->tcp_swnd = 0;
3418 
3419 		if (new_swnd > tcp->tcp_max_swnd)
3420 			tcp->tcp_max_swnd = new_swnd;
3421 		tcp->tcp_swl1 = seg_seq;
3422 		tcp->tcp_swl2 = seg_ack;
3423 		tcp->tcp_state = TCPS_ESTABLISHED;
3424 		tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
3425 	}
3426 	/* This code follows 4.4BSD-Lite2 mostly. */
3427 	if (bytes_acked < 0)
3428 		goto est;
3429 
3430 	/*
3431 	 * If TCP is ECN capable and the congestion experience bit is
3432 	 * set, reduce tcp_cwnd and tcp_ssthresh.  But this should only be
3433 	 * done once per window (or more loosely, per RTT).
3434 	 */
3435 	if (tcp->tcp_cwr && SEQ_GT(seg_ack, tcp->tcp_cwr_snd_max))
3436 		tcp->tcp_cwr = B_FALSE;
3437 	if (tcp->tcp_ecn_ok && (flags & TH_ECE)) {
3438 		if (!tcp->tcp_cwr) {
3439 			npkt = (MIN(tcp->tcp_cwnd, tcp->tcp_swnd) >> 1) / mss;
3440 			tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * mss;
3441 			tcp->tcp_cwnd = npkt * mss;
3442 			/*
3443 			 * If the cwnd is 0, use the timer to clock out
3444 			 * new segments.  This is required by the ECN spec.
3445 			 */
3446 			if (npkt == 0) {
3447 				TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
3448 				/*
3449 				 * This makes sure that when the ACK comes
3450 				 * back, we will increase tcp_cwnd by 1 MSS.
3451 				 */
3452 				tcp->tcp_cwnd_cnt = 0;
3453 			}
3454 			tcp->tcp_cwr = B_TRUE;
3455 			/*
3456 			 * This marks the end of the current window of in
3457 			 * flight data.  That is why we don't use
3458 			 * tcp_suna + tcp_swnd.  Only data in flight can
3459 			 * provide ECN info.
3460 			 */
3461 			tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
3462 			tcp->tcp_ecn_cwr_sent = B_FALSE;
3463 		}
3464 	}
3465 
3466 	mp1 = tcp->tcp_xmit_head;
3467 	if (bytes_acked == 0) {
3468 		if (!ofo_seg && seg_len == 0 && new_swnd == tcp->tcp_swnd) {
3469 			int dupack_cnt;
3470 
3471 			BUMP_MIB(tcp_mib.tcpInDupAck);
3472 			/*
3473 			 * Fast retransmit.  When we have seen exactly three
3474 			 * identical ACKs while we have unacked data
3475 			 * outstanding we take it as a hint that our peer
3476 			 * dropped something.
3477 			 *
3478 			 * If TCP is retransmitting, don't do fast retransmit.
3479 			 */
3480 			if (mp1 != NULL && tcp->tcp_suna != tcp->tcp_snxt &&
3481 			    ! tcp->tcp_rexmit) {
3482 				/* Do Limited Transmit */
3483 				if ((dupack_cnt = ++tcp->tcp_dupack_cnt) <
3484 				    tcp_dupack_fast_retransmit) {
3485 					/*
3486 					 * RFC 3042
3487 					 *
3488 					 * What we need to do is temporarily
3489 					 * increase tcp_cwnd so that new
3490 					 * data can be sent if it is allowed
3491 					 * by the receive window (tcp_rwnd).
3492 					 * tcp_wput_data() will take care of
3493 					 * the rest.
3494 					 *
3495 					 * If the connection is SACK capable,
3496 					 * only do limited xmit when there
3497 					 * is SACK info.
3498 					 *
3499 					 * Note how tcp_cwnd is incremented.
3500 					 * The first dup ACK will increase
3501 					 * it by 1 MSS.  The second dup ACK
3502 					 * will increase it by 2 MSS.  This
3503 					 * means that only 1 new segment will
3504 					 * be sent for each dup ACK.
3505 					 */
3506 					if (tcp->tcp_unsent > 0 &&
3507 					    (!tcp->tcp_snd_sack_ok ||
3508 					    (tcp->tcp_snd_sack_ok &&
3509 					    tcp->tcp_notsack_list != NULL))) {
3510 						tcp->tcp_cwnd += mss <<
3511 						    (tcp->tcp_dupack_cnt - 1);
3512 						flags |= TH_LIMIT_XMIT;
3513 					}
3514 				} else if (dupack_cnt ==
3515 				    tcp_dupack_fast_retransmit) {
3516 
3517 				BUMP_MIB(tcp_mib.tcpOutFastRetrans);
3518 				/*
3519 				 * If we have reduced tcp_ssthresh
3520 				 * because of ECN, do not reduce it again
3521 				 * unless it is already one window of data
3522 				 * away.  After one window of data, tcp_cwr
3523 				 * should then be cleared.  Note that
3524 				 * for non ECN capable connection, tcp_cwr
3525 				 * should always be false.
3526 				 *
3527 				 * Adjust cwnd since the duplicate
3528 				 * ack indicates that a packet was
3529 				 * dropped (due to congestion.)
3530 				 */
3531 				if (!tcp->tcp_cwr) {
3532 					npkt = (MIN(tcp->tcp_cwnd,
3533 					    tcp->tcp_swnd) >> 1) / mss;
3534 					if (npkt < 2)
3535 						npkt = 2;
3536 					tcp->tcp_cwnd_ssthresh = npkt * mss;
3537 					tcp->tcp_cwnd = (npkt +
3538 					    tcp->tcp_dupack_cnt) * mss;
3539 				}
3540 				if (tcp->tcp_ecn_ok) {
3541 					tcp->tcp_cwr = B_TRUE;
3542 					tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
3543 					tcp->tcp_ecn_cwr_sent = B_FALSE;
3544 				}
3545 
3546 				/*
3547 				 * We do Hoe's algorithm.  Refer to her
3548 				 * paper "Improving the Start-up Behavior
3549 				 * of a Congestion Control Scheme for TCP,"
3550 				 * appeared in SIGCOMM'96.
3551 				 *
3552 				 * Save highest seq no we have sent so far.
3553 				 * Be careful about the invisible FIN byte.
3554 				 */
3555 				if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
3556 				    (tcp->tcp_unsent == 0)) {
3557 					tcp->tcp_rexmit_max = tcp->tcp_fss;
3558 				} else {
3559 					tcp->tcp_rexmit_max = tcp->tcp_snxt;
3560 				}
3561 
3562 				/*
3563 				 * Do not allow bursty traffic during.
3564 				 * fast recovery.  Refer to Fall and Floyd's
3565 				 * paper "Simulation-based Comparisons of
3566 				 * Tahoe, Reno and SACK TCP" (in CCR ??)
3567 				 * This is a best current practise.
3568 				 */
3569 				tcp->tcp_snd_burst = TCP_CWND_SS;
3570 
3571 				/*
3572 				 * For SACK:
3573 				 * Calculate tcp_pipe, which is the
3574 				 * estimated number of bytes in
3575 				 * network.
3576 				 *
3577 				 * tcp_fack is the highest sack'ed seq num
3578 				 * TCP has received.
3579 				 *
3580 				 * tcp_pipe is explained in the above quoted
3581 				 * Fall and Floyd's paper.  tcp_fack is
3582 				 * explained in Mathis and Mahdavi's
3583 				 * "Forward Acknowledgment: Refining TCP
3584 				 * Congestion Control" in SIGCOMM '96.
3585 				 */
3586 				if (tcp->tcp_snd_sack_ok) {
3587 					assert(tcp->tcp_sack_info != NULL);
3588 					if (tcp->tcp_notsack_list != NULL) {
3589 						tcp->tcp_pipe = tcp->tcp_snxt -
3590 						    tcp->tcp_fack;
3591 						tcp->tcp_sack_snxt = seg_ack;
3592 						flags |= TH_NEED_SACK_REXMIT;
3593 					} else {
3594 						/*
3595 						 * Always initialize tcp_pipe
3596 						 * even though we don't have
3597 						 * any SACK info.  If later
3598 						 * we get SACK info and
3599 						 * tcp_pipe is not initialized,
3600 						 * funny things will happen.
3601 						 */
3602 						tcp->tcp_pipe =
3603 						    tcp->tcp_cwnd_ssthresh;
3604 					}
3605 				} else {
3606 					flags |= TH_REXMIT_NEEDED;
3607 				} /* tcp_snd_sack_ok */
3608 
3609 				} else {
3610 					/*
3611 					 * Here we perform congestion
3612 					 * avoidance, but NOT slow start.
3613 					 * This is known as the Fast
3614 					 * Recovery Algorithm.
3615 					 */
3616 					if (tcp->tcp_snd_sack_ok &&
3617 					    tcp->tcp_notsack_list != NULL) {
3618 						flags |= TH_NEED_SACK_REXMIT;
3619 						tcp->tcp_pipe -= mss;
3620 						if (tcp->tcp_pipe < 0)
3621 							tcp->tcp_pipe = 0;
3622 					} else {
3623 					/*
3624 					 * We know that one more packet has
3625 					 * left the pipe thus we can update
3626 					 * cwnd.
3627 					 */
3628 					cwnd = tcp->tcp_cwnd + mss;
3629 					if (cwnd > tcp->tcp_cwnd_max)
3630 						cwnd = tcp->tcp_cwnd_max;
3631 					tcp->tcp_cwnd = cwnd;
3632 					flags |= TH_XMIT_NEEDED;
3633 					}
3634 				}
3635 			}
3636 		} else if (tcp->tcp_zero_win_probe) {
3637 			/*
3638 			 * If the window has opened, need to arrange
3639 			 * to send additional data.
3640 			 */
3641 			if (new_swnd != 0) {
3642 				/* tcp_suna != tcp_snxt */
3643 				/* Packet contains a window update */
3644 				BUMP_MIB(tcp_mib.tcpInWinUpdate);
3645 				tcp->tcp_zero_win_probe = 0;
3646 				tcp->tcp_timer_backoff = 0;
3647 				tcp->tcp_ms_we_have_waited = 0;
3648 
3649 				/*
3650 				 * Transmit starting with tcp_suna since
3651 				 * the one byte probe is not ack'ed.
3652 				 * If TCP has sent more than one identical
3653 				 * probe, tcp_rexmit will be set.  That means
3654 				 * tcp_ss_rexmit() will send out the one
3655 				 * byte along with new data.  Otherwise,
3656 				 * fake the retransmission.
3657 				 */
3658 				flags |= TH_XMIT_NEEDED;
3659 				if (!tcp->tcp_rexmit) {
3660 					tcp->tcp_rexmit = B_TRUE;
3661 					tcp->tcp_dupack_cnt = 0;
3662 					tcp->tcp_rexmit_nxt = tcp->tcp_suna;
3663 					tcp->tcp_rexmit_max = tcp->tcp_suna + 1;
3664 				}
3665 			}
3666 		}
3667 		goto swnd_update;
3668 	}
3669 
3670 	/*
3671 	 * Check for "acceptability" of ACK value per RFC 793, pages 72 - 73.
3672 	 * If the ACK value acks something that we have not yet sent, it might
3673 	 * be an old duplicate segment.  Send an ACK to re-synchronize the
3674 	 * other side.
3675 	 * Note: reset in response to unacceptable ACK in SYN_RECEIVE
3676 	 * state is handled above, so we can always just drop the segment and
3677 	 * send an ACK here.
3678 	 *
3679 	 * Should we send ACKs in response to ACK only segments?
3680 	 */
3681 	if (SEQ_GT(seg_ack, tcp->tcp_snxt)) {
3682 		BUMP_MIB(tcp_mib.tcpInAckUnsent);
3683 		/* drop the received segment */
3684 		freemsg(mp);
3685 
3686 		/* Send back an ACK. */
3687 		mp = tcp_ack_mp(tcp);
3688 
3689 		if (mp == NULL) {
3690 			return;
3691 		}
3692 		BUMP_MIB(tcp_mib.tcpOutAck);
3693 		(void) ipv4_tcp_output(sock_id, mp);
3694 		freeb(mp);
3695 		return;
3696 	}
3697 
3698 	/*
3699 	 * TCP gets a new ACK, update the notsack'ed list to delete those
3700 	 * blocks that are covered by this ACK.
3701 	 */
3702 	if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
3703 		tcp_notsack_remove(&(tcp->tcp_notsack_list), seg_ack,
3704 		    &(tcp->tcp_num_notsack_blk), &(tcp->tcp_cnt_notsack_list));
3705 	}
3706 
3707 	/*
3708 	 * If we got an ACK after fast retransmit, check to see
3709 	 * if it is a partial ACK.  If it is not and the congestion
3710 	 * window was inflated to account for the other side's
3711 	 * cached packets, retract it.  If it is, do Hoe's algorithm.
3712 	 */
3713 	if (tcp->tcp_dupack_cnt >= tcp_dupack_fast_retransmit) {
3714 		assert(tcp->tcp_rexmit == B_FALSE);
3715 		if (SEQ_GEQ(seg_ack, tcp->tcp_rexmit_max)) {
3716 			tcp->tcp_dupack_cnt = 0;
3717 			/*
3718 			 * Restore the orig tcp_cwnd_ssthresh after
3719 			 * fast retransmit phase.
3720 			 */
3721 			if (tcp->tcp_cwnd > tcp->tcp_cwnd_ssthresh) {
3722 				tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh;
3723 			}
3724 			tcp->tcp_rexmit_max = seg_ack;
3725 			tcp->tcp_cwnd_cnt = 0;
3726 			tcp->tcp_snd_burst = TCP_CWND_NORMAL;
3727 
3728 			/*
3729 			 * Remove all notsack info to avoid confusion with
3730 			 * the next fast retrasnmit/recovery phase.
3731 			 */
3732 			if (tcp->tcp_snd_sack_ok &&
3733 			    tcp->tcp_notsack_list != NULL) {
3734 				TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list);
3735 			}
3736 		} else {
3737 			if (tcp->tcp_snd_sack_ok &&
3738 			    tcp->tcp_notsack_list != NULL) {
3739 				flags |= TH_NEED_SACK_REXMIT;
3740 				tcp->tcp_pipe -= mss;
3741 				if (tcp->tcp_pipe < 0)
3742 					tcp->tcp_pipe = 0;
3743 			} else {
3744 				/*
3745 				 * Hoe's algorithm:
3746 				 *
3747 				 * Retransmit the unack'ed segment and
3748 				 * restart fast recovery.  Note that we
3749 				 * need to scale back tcp_cwnd to the
3750 				 * original value when we started fast
3751 				 * recovery.  This is to prevent overly
3752 				 * aggressive behaviour in sending new
3753 				 * segments.
3754 				 */
3755 				tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh +
3756 					tcp_dupack_fast_retransmit * mss;
3757 				tcp->tcp_cwnd_cnt = tcp->tcp_cwnd;
3758 				BUMP_MIB(tcp_mib.tcpOutFastRetrans);
3759 				flags |= TH_REXMIT_NEEDED;
3760 			}
3761 		}
3762 	} else {
3763 		tcp->tcp_dupack_cnt = 0;
3764 		if (tcp->tcp_rexmit) {
3765 			/*
3766 			 * TCP is retranmitting.  If the ACK ack's all
3767 			 * outstanding data, update tcp_rexmit_max and
3768 			 * tcp_rexmit_nxt.  Otherwise, update tcp_rexmit_nxt
3769 			 * to the correct value.
3770 			 *
3771 			 * Note that SEQ_LEQ() is used.  This is to avoid
3772 			 * unnecessary fast retransmit caused by dup ACKs
3773 			 * received when TCP does slow start retransmission
3774 			 * after a time out.  During this phase, TCP may
3775 			 * send out segments which are already received.
3776 			 * This causes dup ACKs to be sent back.
3777 			 */
3778 			if (SEQ_LEQ(seg_ack, tcp->tcp_rexmit_max)) {
3779 				if (SEQ_GT(seg_ack, tcp->tcp_rexmit_nxt)) {
3780 					tcp->tcp_rexmit_nxt = seg_ack;
3781 				}
3782 				if (seg_ack != tcp->tcp_rexmit_max) {
3783 					flags |= TH_XMIT_NEEDED;
3784 				}
3785 			} else {
3786 				tcp->tcp_rexmit = B_FALSE;
3787 				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
3788 				tcp->tcp_snd_burst = TCP_CWND_NORMAL;
3789 			}
3790 			tcp->tcp_ms_we_have_waited = 0;
3791 		}
3792 	}
3793 
3794 	BUMP_MIB(tcp_mib.tcpInAckSegs);
3795 	UPDATE_MIB(tcp_mib.tcpInAckBytes, bytes_acked);
3796 	tcp->tcp_suna = seg_ack;
3797 	if (tcp->tcp_zero_win_probe != 0) {
3798 		tcp->tcp_zero_win_probe = 0;
3799 		tcp->tcp_timer_backoff = 0;
3800 	}
3801 
3802 	/*
3803 	 * If tcp_xmit_head is NULL, then it must be the FIN being ack'ed.
3804 	 * Note that it cannot be the SYN being ack'ed.  The code flow
3805 	 * will not reach here.
3806 	 */
3807 	if (mp1 == NULL) {
3808 		goto fin_acked;
3809 	}
3810 
3811 	/*
3812 	 * Update the congestion window.
3813 	 *
3814 	 * If TCP is not ECN capable or TCP is ECN capable but the
3815 	 * congestion experience bit is not set, increase the tcp_cwnd as
3816 	 * usual.
3817 	 */
3818 	if (!tcp->tcp_ecn_ok || !(flags & TH_ECE)) {
3819 		cwnd = tcp->tcp_cwnd;
3820 		add = mss;
3821 
3822 		if (cwnd >= tcp->tcp_cwnd_ssthresh) {
3823 			/*
3824 			 * This is to prevent an increase of less than 1 MSS of
3825 			 * tcp_cwnd.  With partial increase, tcp_wput_data()
3826 			 * may send out tinygrams in order to preserve mblk
3827 			 * boundaries.
3828 			 *
3829 			 * By initializing tcp_cwnd_cnt to new tcp_cwnd and
3830 			 * decrementing it by 1 MSS for every ACKs, tcp_cwnd is
3831 			 * increased by 1 MSS for every RTTs.
3832 			 */
3833 			if (tcp->tcp_cwnd_cnt <= 0) {
3834 				tcp->tcp_cwnd_cnt = cwnd + add;
3835 			} else {
3836 				tcp->tcp_cwnd_cnt -= add;
3837 				add = 0;
3838 			}
3839 		}
3840 		tcp->tcp_cwnd = MIN(cwnd + add, tcp->tcp_cwnd_max);
3841 	}
3842 
3843 	/* Can we update the RTT estimates? */
3844 	if (tcp->tcp_snd_ts_ok) {
3845 		/* Ignore zero timestamp echo-reply. */
3846 		if (tcpopt.tcp_opt_ts_ecr != 0) {
3847 			tcp_set_rto(tcp, (int32_t)(prom_gettime() -
3848 			    tcpopt.tcp_opt_ts_ecr));
3849 		}
3850 
3851 		/* If needed, restart the timer. */
3852 		if (tcp->tcp_set_timer == 1) {
3853 			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
3854 			tcp->tcp_set_timer = 0;
3855 		}
3856 		/*
3857 		 * Update tcp_csuna in case the other side stops sending
3858 		 * us timestamps.
3859 		 */
3860 		tcp->tcp_csuna = tcp->tcp_snxt;
3861 	} else if (SEQ_GT(seg_ack, tcp->tcp_csuna)) {
3862 		/*
3863 		 * An ACK sequence we haven't seen before, so get the RTT
3864 		 * and update the RTO.
3865 		 * Note. use uintptr_t to suppress the gcc warning.
3866 		 */
3867 		tcp_set_rto(tcp, (int32_t)(prom_gettime() -
3868 		    (uint32_t)(uintptr_t)mp1->b_prev));
3869 
3870 		/* Remeber the last sequence to be ACKed */
3871 		tcp->tcp_csuna = seg_ack;
3872 		if (tcp->tcp_set_timer == 1) {
3873 			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
3874 			tcp->tcp_set_timer = 0;
3875 		}
3876 	} else {
3877 		BUMP_MIB(tcp_mib.tcpRttNoUpdate);
3878 	}
3879 
3880 	/* Eat acknowledged bytes off the xmit queue. */
3881 	for (;;) {
3882 		mblk_t	*mp2;
3883 		uchar_t	*wptr;
3884 
3885 		wptr = mp1->b_wptr;
3886 		assert((uintptr_t)(wptr - mp1->b_rptr) <= (uintptr_t)INT_MAX);
3887 		bytes_acked -= (int)(wptr - mp1->b_rptr);
3888 		if (bytes_acked < 0) {
3889 			mp1->b_rptr = wptr + bytes_acked;
3890 			break;
3891 		}
3892 		mp1->b_prev = NULL;
3893 		mp2 = mp1;
3894 		mp1 = mp1->b_cont;
3895 		freeb(mp2);
3896 		if (bytes_acked == 0) {
3897 			if (mp1 == NULL) {
3898 				/* Everything is ack'ed, clear the tail. */
3899 				tcp->tcp_xmit_tail = NULL;
3900 				goto pre_swnd_update;
3901 			}
3902 			if (mp2 != tcp->tcp_xmit_tail)
3903 				break;
3904 			tcp->tcp_xmit_tail = mp1;
3905 			assert((uintptr_t)(mp1->b_wptr -
3906 			    mp1->b_rptr) <= (uintptr_t)INT_MAX);
3907 			tcp->tcp_xmit_tail_unsent = (int)(mp1->b_wptr -
3908 			    mp1->b_rptr);
3909 			break;
3910 		}
3911 		if (mp1 == NULL) {
3912 			/*
3913 			 * More was acked but there is nothing more
3914 			 * outstanding.  This means that the FIN was
3915 			 * just acked or that we're talking to a clown.
3916 			 */
3917 fin_acked:
3918 			assert(tcp->tcp_fin_sent);
3919 			tcp->tcp_xmit_tail = NULL;
3920 			if (tcp->tcp_fin_sent) {
3921 				tcp->tcp_fin_acked = B_TRUE;
3922 			} else {
3923 				/*
3924 				 * We should never got here because
3925 				 * we have already checked that the
3926 				 * number of bytes ack'ed should be
3927 				 * smaller than or equal to what we
3928 				 * have sent so far (it is the
3929 				 * acceptability check of the ACK).
3930 				 * We can only get here if the send
3931 				 * queue is corrupted.
3932 				 *
3933 				 * Terminate the connection and
3934 				 * panic the system.  It is better
3935 				 * for us to panic instead of
3936 				 * continuing to avoid other disaster.
3937 				 */
3938 				tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
3939 				    tcp->tcp_rnxt, TH_RST|TH_ACK, 0, sock_id);
3940 				printf("Memory corruption "
3941 				    "detected for connection %s.\n",
3942 				    tcp_display(tcp, NULL,
3943 					DISP_ADDR_AND_PORT));
3944 				/* We should never get here... */
3945 				prom_panic("tcp_rput_data");
3946 				return;
3947 			}
3948 			goto pre_swnd_update;
3949 		}
3950 		assert(mp2 != tcp->tcp_xmit_tail);
3951 	}
3952 	if (tcp->tcp_unsent) {
3953 		flags |= TH_XMIT_NEEDED;
3954 	}
3955 pre_swnd_update:
3956 	tcp->tcp_xmit_head = mp1;
3957 swnd_update:
3958 	/*
3959 	 * The following check is different from most other implementations.
3960 	 * For bi-directional transfer, when segments are dropped, the
3961 	 * "normal" check will not accept a window update in those
3962 	 * retransmitted segemnts.  Failing to do that, TCP may send out
3963 	 * segments which are outside receiver's window.  As TCP accepts
3964 	 * the ack in those retransmitted segments, if the window update in
3965 	 * the same segment is not accepted, TCP will incorrectly calculates
3966 	 * that it can send more segments.  This can create a deadlock
3967 	 * with the receiver if its window becomes zero.
3968 	 */
3969 	if (SEQ_LT(tcp->tcp_swl2, seg_ack) ||
3970 	    SEQ_LT(tcp->tcp_swl1, seg_seq) ||
3971 	    (tcp->tcp_swl1 == seg_seq && new_swnd > tcp->tcp_swnd)) {
3972 		/*
3973 		 * The criteria for update is:
3974 		 *
3975 		 * 1. the segment acknowledges some data.  Or
3976 		 * 2. the segment is new, i.e. it has a higher seq num. Or
3977 		 * 3. the segment is not old and the advertised window is
3978 		 * larger than the previous advertised window.
3979 		 */
3980 		if (tcp->tcp_unsent && new_swnd > tcp->tcp_swnd)
3981 			flags |= TH_XMIT_NEEDED;
3982 		tcp->tcp_swnd = new_swnd;
3983 		if (new_swnd > tcp->tcp_max_swnd)
3984 			tcp->tcp_max_swnd = new_swnd;
3985 		tcp->tcp_swl1 = seg_seq;
3986 		tcp->tcp_swl2 = seg_ack;
3987 	}
3988 est:
3989 	if (tcp->tcp_state > TCPS_ESTABLISHED) {
3990 		switch (tcp->tcp_state) {
3991 		case TCPS_FIN_WAIT_1:
3992 			if (tcp->tcp_fin_acked) {
3993 				tcp->tcp_state = TCPS_FIN_WAIT_2;
3994 				/*
3995 				 * We implement the non-standard BSD/SunOS
3996 				 * FIN_WAIT_2 flushing algorithm.
3997 				 * If there is no user attached to this
3998 				 * TCP endpoint, then this TCP struct
3999 				 * could hang around forever in FIN_WAIT_2
4000 				 * state if the peer forgets to send us
4001 				 * a FIN.  To prevent this, we wait only
4002 				 * 2*MSL (a convenient time value) for
4003 				 * the FIN to arrive.  If it doesn't show up,
4004 				 * we flush the TCP endpoint.  This algorithm,
4005 				 * though a violation of RFC-793, has worked
4006 				 * for over 10 years in BSD systems.
4007 				 * Note: SunOS 4.x waits 675 seconds before
4008 				 * flushing the FIN_WAIT_2 connection.
4009 				 */
4010 				TCP_TIMER_RESTART(tcp,
4011 				    tcp_fin_wait_2_flush_interval);
4012 			}
4013 			break;
4014 		case TCPS_FIN_WAIT_2:
4015 			break;	/* Shutdown hook? */
4016 		case TCPS_LAST_ACK:
4017 			freemsg(mp);
4018 			if (tcp->tcp_fin_acked) {
4019 				(void) tcp_clean_death(sock_id, tcp, 0);
4020 				return;
4021 			}
4022 			goto xmit_check;
4023 		case TCPS_CLOSING:
4024 			if (tcp->tcp_fin_acked) {
4025 				tcp->tcp_state = TCPS_TIME_WAIT;
4026 				tcp_time_wait_append(tcp);
4027 				TCP_TIMER_RESTART(tcp, tcp_time_wait_interval);
4028 			}
4029 			/*FALLTHRU*/
4030 		case TCPS_CLOSE_WAIT:
4031 			freemsg(mp);
4032 			goto xmit_check;
4033 		default:
4034 			assert(tcp->tcp_state != TCPS_TIME_WAIT);
4035 			break;
4036 		}
4037 	}
4038 	if (flags & TH_FIN) {
4039 		/* Make sure we ack the fin */
4040 		flags |= TH_ACK_NEEDED;
4041 		if (!tcp->tcp_fin_rcvd) {
4042 			tcp->tcp_fin_rcvd = B_TRUE;
4043 			tcp->tcp_rnxt++;
4044 			U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
4045 
4046 			switch (tcp->tcp_state) {
4047 			case TCPS_SYN_RCVD:
4048 			case TCPS_ESTABLISHED:
4049 				tcp->tcp_state = TCPS_CLOSE_WAIT;
4050 				/* Keepalive? */
4051 				break;
4052 			case TCPS_FIN_WAIT_1:
4053 				if (!tcp->tcp_fin_acked) {
4054 					tcp->tcp_state = TCPS_CLOSING;
4055 					break;
4056 				}
4057 				/* FALLTHRU */
4058 			case TCPS_FIN_WAIT_2:
4059 				tcp->tcp_state = TCPS_TIME_WAIT;
4060 				tcp_time_wait_append(tcp);
4061 				TCP_TIMER_RESTART(tcp, tcp_time_wait_interval);
4062 				if (seg_len) {
4063 					/*
4064 					 * implies data piggybacked on FIN.
4065 					 * break to handle data.
4066 					 */
4067 					break;
4068 				}
4069 				freemsg(mp);
4070 				goto ack_check;
4071 			}
4072 		}
4073 	}
4074 	if (mp == NULL)
4075 		goto xmit_check;
4076 	if (seg_len == 0) {
4077 		freemsg(mp);
4078 		goto xmit_check;
4079 	}
4080 	if (mp->b_rptr == mp->b_wptr) {
4081 		/*
4082 		 * The header has been consumed, so we remove the
4083 		 * zero-length mblk here.
4084 		 */
4085 		mp1 = mp;
4086 		mp = mp->b_cont;
4087 		freeb(mp1);
4088 	}
4089 	/*
4090 	 * ACK every other segments, unless the input queue is empty
4091 	 * as we don't have a timer available.
4092 	 */
4093 	if (++tcp->tcp_rack_cnt == 2 || sockets[sock_id].inq == NULL) {
4094 		flags |= TH_ACK_NEEDED;
4095 		tcp->tcp_rack_cnt = 0;
4096 	}
4097 	tcp->tcp_rnxt += seg_len;
4098 	U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
4099 
4100 	/* Update SACK list */
4101 	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
4102 		tcp_sack_remove(tcp->tcp_sack_list, tcp->tcp_rnxt,
4103 		    &(tcp->tcp_num_sack_blk));
4104 	}
4105 
4106 	if (tcp->tcp_listener) {
4107 		/*
4108 		 * Side queue inbound data until the accept happens.
4109 		 * tcp_accept/tcp_rput drains this when the accept happens.
4110 		 */
4111 		tcp_rcv_enqueue(tcp, mp, seg_len);
4112 	} else {
4113 		/* Just queue the data until the app calls read. */
4114 		tcp_rcv_enqueue(tcp, mp, seg_len);
4115 		/*
4116 		 * Make sure the timer is running if we have data waiting
4117 		 * for a push bit. This provides resiliency against
4118 		 * implementations that do not correctly generate push bits.
4119 		 */
4120 		if (tcp->tcp_rcv_list != NULL)
4121 			flags |= TH_TIMER_NEEDED;
4122 	}
4123 
4124 xmit_check:
4125 	/* Is there anything left to do? */
4126 	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_ACK_NEEDED|
4127 	    TH_NEED_SACK_REXMIT|TH_LIMIT_XMIT|TH_TIMER_NEEDED)) == 0)
4128 		return;
4129 
4130 	/* Any transmit work to do and a non-zero window? */
4131 	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_NEED_SACK_REXMIT|
4132 	    TH_LIMIT_XMIT)) && tcp->tcp_swnd != 0) {
4133 		if (flags & TH_REXMIT_NEEDED) {
4134 			uint32_t snd_size = tcp->tcp_snxt - tcp->tcp_suna;
4135 
4136 			if (snd_size > mss)
4137 				snd_size = mss;
4138 			if (snd_size > tcp->tcp_swnd)
4139 				snd_size = tcp->tcp_swnd;
4140 			mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, snd_size,
4141 			    NULL, NULL, tcp->tcp_suna, B_TRUE, &snd_size,
4142 			    B_TRUE);
4143 
4144 			if (mp1 != NULL) {
4145 				/* use uintptr_t to suppress the gcc warning */
4146 				tcp->tcp_xmit_head->b_prev =
4147 				    (mblk_t *)(uintptr_t)prom_gettime();
4148 				tcp->tcp_csuna = tcp->tcp_snxt;
4149 				BUMP_MIB(tcp_mib.tcpRetransSegs);
4150 				UPDATE_MIB(tcp_mib.tcpRetransBytes, snd_size);
4151 				(void) ipv4_tcp_output(sock_id, mp1);
4152 				freeb(mp1);
4153 			}
4154 		}
4155 		if (flags & TH_NEED_SACK_REXMIT) {
4156 			if (tcp_sack_rxmit(tcp, sock_id) != 0) {
4157 				flags |= TH_XMIT_NEEDED;
4158 			}
4159 		}
4160 		/*
4161 		 * For TH_LIMIT_XMIT, tcp_wput_data() is called to send
4162 		 * out new segment.  Note that tcp_rexmit should not be
4163 		 * set, otherwise TH_LIMIT_XMIT should not be set.
4164 		 */
4165 		if (flags & (TH_XMIT_NEEDED|TH_LIMIT_XMIT)) {
4166 			if (!tcp->tcp_rexmit) {
4167 				tcp_wput_data(tcp, NULL, sock_id);
4168 			} else {
4169 				tcp_ss_rexmit(tcp, sock_id);
4170 			}
4171 			/*
4172 			 * The TCP could be closed in tcp_state_wait via
4173 			 * tcp_wput_data (tcp_ss_rexmit could call
4174 			 * tcp_wput_data as well).
4175 			 */
4176 			if (sockets[sock_id].pcb == NULL)
4177 				return;
4178 		}
4179 		/*
4180 		 * Adjust tcp_cwnd back to normal value after sending
4181 		 * new data segments.
4182 		 */
4183 		if (flags & TH_LIMIT_XMIT) {
4184 			tcp->tcp_cwnd -= mss << (tcp->tcp_dupack_cnt - 1);
4185 		}
4186 
4187 		/* Anything more to do? */
4188 		if ((flags & (TH_ACK_NEEDED|TH_TIMER_NEEDED)) == 0)
4189 			return;
4190 	}
4191 ack_check:
4192 	if (flags & TH_ACK_NEEDED) {
4193 		/*
4194 		 * Time to send an ack for some reason.
4195 		 */
4196 		if ((mp1 = tcp_ack_mp(tcp)) != NULL) {
4197 			TCP_DUMP_PACKET("tcp_rput_data: ack mp", mp1);
4198 			(void) ipv4_tcp_output(sock_id, mp1);
4199 			BUMP_MIB(tcp_mib.tcpOutAck);
4200 			freeb(mp1);
4201 		}
4202 	}
4203 }
4204 
4205 /*
4206  * tcp_ss_rexmit() is called in tcp_rput_data() to do slow start
4207  * retransmission after a timeout.
4208  *
4209  * To limit the number of duplicate segments, we limit the number of segment
4210  * to be sent in one time to tcp_snd_burst, the burst variable.
4211  */
4212 static void
4213 tcp_ss_rexmit(tcp_t *tcp, int sock_id)
4214 {
4215 	uint32_t	snxt;
4216 	uint32_t	smax;
4217 	int32_t		win;
4218 	int32_t		mss;
4219 	int32_t		off;
4220 	int32_t		burst = tcp->tcp_snd_burst;
4221 	mblk_t		*snxt_mp;
4222 
4223 	/*
4224 	 * Note that tcp_rexmit can be set even though TCP has retransmitted
4225 	 * all unack'ed segments.
4226 	 */
4227 	if (SEQ_LT(tcp->tcp_rexmit_nxt, tcp->tcp_rexmit_max)) {
4228 		smax = tcp->tcp_rexmit_max;
4229 		snxt = tcp->tcp_rexmit_nxt;
4230 		if (SEQ_LT(snxt, tcp->tcp_suna)) {
4231 			snxt = tcp->tcp_suna;
4232 		}
4233 		win = MIN(tcp->tcp_cwnd, tcp->tcp_swnd);
4234 		win -= snxt - tcp->tcp_suna;
4235 		mss = tcp->tcp_mss;
4236 		snxt_mp = tcp_get_seg_mp(tcp, snxt, &off);
4237 
4238 		while (SEQ_LT(snxt, smax) && (win > 0) &&
4239 		    (burst > 0) && (snxt_mp != NULL)) {
4240 			mblk_t	*xmit_mp;
4241 			mblk_t	*old_snxt_mp = snxt_mp;
4242 			uint32_t cnt = mss;
4243 
4244 			if (win < cnt) {
4245 				cnt = win;
4246 			}
4247 			if (SEQ_GT(snxt + cnt, smax)) {
4248 				cnt = smax - snxt;
4249 			}
4250 			xmit_mp = tcp_xmit_mp(tcp, snxt_mp, cnt, &off,
4251 			    &snxt_mp, snxt, B_TRUE, &cnt, B_TRUE);
4252 
4253 			if (xmit_mp == NULL)
4254 				return;
4255 
4256 			(void) ipv4_tcp_output(sock_id, xmit_mp);
4257 			freeb(xmit_mp);
4258 
4259 			snxt += cnt;
4260 			win -= cnt;
4261 			/*
4262 			 * Update the send timestamp to avoid false
4263 			 * retransmission.
4264 			 * Note. use uintptr_t to suppress the gcc warning.
4265 			 */
4266 			old_snxt_mp->b_prev =
4267 			    (mblk_t *)(uintptr_t)prom_gettime();
4268 			BUMP_MIB(tcp_mib.tcpRetransSegs);
4269 			UPDATE_MIB(tcp_mib.tcpRetransBytes, cnt);
4270 
4271 			tcp->tcp_rexmit_nxt = snxt;
4272 			burst--;
4273 		}
4274 		/*
4275 		 * If we have transmitted all we have at the time
4276 		 * we started the retranmission, we can leave
4277 		 * the rest of the job to tcp_wput_data().  But we
4278 		 * need to check the send window first.  If the
4279 		 * win is not 0, go on with tcp_wput_data().
4280 		 */
4281 		if (SEQ_LT(snxt, smax) || win == 0) {
4282 			return;
4283 		}
4284 	}
4285 	/* Only call tcp_wput_data() if there is data to be sent. */
4286 	if (tcp->tcp_unsent) {
4287 		tcp_wput_data(tcp, NULL, sock_id);
4288 	}
4289 }
4290 
4291 /*
4292  * tcp_timer is the timer service routine.  It handles all timer events for
4293  * a tcp instance except keepalives.  It figures out from the state of the
4294  * tcp instance what kind of action needs to be done at the time it is called.
4295  */
4296 static void
4297 tcp_timer(tcp_t	*tcp, int sock_id)
4298 {
4299 	mblk_t		*mp;
4300 	uint32_t	first_threshold;
4301 	uint32_t	second_threshold;
4302 	uint32_t	ms;
4303 	uint32_t	mss;
4304 
4305 	first_threshold =  tcp->tcp_first_timer_threshold;
4306 	second_threshold = tcp->tcp_second_timer_threshold;
4307 	switch (tcp->tcp_state) {
4308 	case TCPS_IDLE:
4309 	case TCPS_BOUND:
4310 	case TCPS_LISTEN:
4311 		return;
4312 	case TCPS_SYN_RCVD:
4313 	case TCPS_SYN_SENT:
4314 		first_threshold =  tcp->tcp_first_ctimer_threshold;
4315 		second_threshold = tcp->tcp_second_ctimer_threshold;
4316 		break;
4317 	case TCPS_ESTABLISHED:
4318 	case TCPS_FIN_WAIT_1:
4319 	case TCPS_CLOSING:
4320 	case TCPS_CLOSE_WAIT:
4321 	case TCPS_LAST_ACK:
4322 		/* If we have data to rexmit */
4323 		if (tcp->tcp_suna != tcp->tcp_snxt) {
4324 			int32_t time_to_wait;
4325 
4326 			BUMP_MIB(tcp_mib.tcpTimRetrans);
4327 			if (tcp->tcp_xmit_head == NULL)
4328 				break;
4329 			/* use uintptr_t to suppress the gcc warning */
4330 			time_to_wait = (int32_t)(prom_gettime() -
4331 			    (uint32_t)(uintptr_t)tcp->tcp_xmit_head->b_prev);
4332 			time_to_wait = tcp->tcp_rto - time_to_wait;
4333 			if (time_to_wait > 0) {
4334 				/*
4335 				 * Timer fired too early, so restart it.
4336 				 */
4337 				TCP_TIMER_RESTART(tcp, time_to_wait);
4338 				return;
4339 			}
4340 			/*
4341 			 * When we probe zero windows, we force the swnd open.
4342 			 * If our peer acks with a closed window swnd will be
4343 			 * set to zero by tcp_rput(). As long as we are
4344 			 * receiving acks tcp_rput will
4345 			 * reset 'tcp_ms_we_have_waited' so as not to trip the
4346 			 * first and second interval actions.  NOTE: the timer
4347 			 * interval is allowed to continue its exponential
4348 			 * backoff.
4349 			 */
4350 			if (tcp->tcp_swnd == 0 || tcp->tcp_zero_win_probe) {
4351 				DEBUG_1("tcp_timer (%d): zero win", sock_id);
4352 				break;
4353 			} else {
4354 				/*
4355 				 * After retransmission, we need to do
4356 				 * slow start.  Set the ssthresh to one
4357 				 * half of current effective window and
4358 				 * cwnd to one MSS.  Also reset
4359 				 * tcp_cwnd_cnt.
4360 				 *
4361 				 * Note that if tcp_ssthresh is reduced because
4362 				 * of ECN, do not reduce it again unless it is
4363 				 * already one window of data away (tcp_cwr
4364 				 * should then be cleared) or this is a
4365 				 * timeout for a retransmitted segment.
4366 				 */
4367 				uint32_t npkt;
4368 
4369 				if (!tcp->tcp_cwr || tcp->tcp_rexmit) {
4370 					npkt = (MIN((tcp->tcp_timer_backoff ?
4371 					    tcp->tcp_cwnd_ssthresh :
4372 					    tcp->tcp_cwnd),
4373 					    tcp->tcp_swnd) >> 1) /
4374 					    tcp->tcp_mss;
4375 					if (npkt < 2)
4376 						npkt = 2;
4377 					tcp->tcp_cwnd_ssthresh = npkt *
4378 					    tcp->tcp_mss;
4379 				}
4380 				tcp->tcp_cwnd = tcp->tcp_mss;
4381 				tcp->tcp_cwnd_cnt = 0;
4382 				if (tcp->tcp_ecn_ok) {
4383 					tcp->tcp_cwr = B_TRUE;
4384 					tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
4385 					tcp->tcp_ecn_cwr_sent = B_FALSE;
4386 				}
4387 			}
4388 			break;
4389 		}
4390 		/*
4391 		 * We have something to send yet we cannot send.  The
4392 		 * reason can be:
4393 		 *
4394 		 * 1. Zero send window: we need to do zero window probe.
4395 		 * 2. Zero cwnd: because of ECN, we need to "clock out
4396 		 * segments.
4397 		 * 3. SWS avoidance: receiver may have shrunk window,
4398 		 * reset our knowledge.
4399 		 *
4400 		 * Note that condition 2 can happen with either 1 or
4401 		 * 3.  But 1 and 3 are exclusive.
4402 		 */
4403 		if (tcp->tcp_unsent != 0) {
4404 			if (tcp->tcp_cwnd == 0) {
4405 				/*
4406 				 * Set tcp_cwnd to 1 MSS so that a
4407 				 * new segment can be sent out.  We
4408 				 * are "clocking out" new data when
4409 				 * the network is really congested.
4410 				 */
4411 				assert(tcp->tcp_ecn_ok);
4412 				tcp->tcp_cwnd = tcp->tcp_mss;
4413 			}
4414 			if (tcp->tcp_swnd == 0) {
4415 				/* Extend window for zero window probe */
4416 				tcp->tcp_swnd++;
4417 				tcp->tcp_zero_win_probe = B_TRUE;
4418 				BUMP_MIB(tcp_mib.tcpOutWinProbe);
4419 			} else {
4420 				/*
4421 				 * Handle timeout from sender SWS avoidance.
4422 				 * Reset our knowledge of the max send window
4423 				 * since the receiver might have reduced its
4424 				 * receive buffer.  Avoid setting tcp_max_swnd
4425 				 * to one since that will essentially disable
4426 				 * the SWS checks.
4427 				 *
4428 				 * Note that since we don't have a SWS
4429 				 * state variable, if the timeout is set
4430 				 * for ECN but not for SWS, this
4431 				 * code will also be executed.  This is
4432 				 * fine as tcp_max_swnd is updated
4433 				 * constantly and it will not affect
4434 				 * anything.
4435 				 */
4436 				tcp->tcp_max_swnd = MAX(tcp->tcp_swnd, 2);
4437 			}
4438 			tcp_wput_data(tcp, NULL, sock_id);
4439 			return;
4440 		}
4441 		/* Is there a FIN that needs to be to re retransmitted? */
4442 		if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
4443 		    !tcp->tcp_fin_acked)
4444 			break;
4445 		/* Nothing to do, return without restarting timer. */
4446 		return;
4447 	case TCPS_FIN_WAIT_2:
4448 		/*
4449 		 * User closed the TCP endpoint and peer ACK'ed our FIN.
4450 		 * We waited some time for for peer's FIN, but it hasn't
4451 		 * arrived.  We flush the connection now to avoid
4452 		 * case where the peer has rebooted.
4453 		 */
4454 		/* FALLTHRU */
4455 	case TCPS_TIME_WAIT:
4456 		(void) tcp_clean_death(sock_id, tcp, 0);
4457 		return;
4458 	default:
4459 		DEBUG_3("tcp_timer (%d): strange state (%d) %s", sock_id,
4460 		    tcp->tcp_state, tcp_display(tcp, NULL,
4461 		    DISP_PORT_ONLY));
4462 		return;
4463 	}
4464 	if ((ms = tcp->tcp_ms_we_have_waited) > second_threshold) {
4465 		/*
4466 		 * For zero window probe, we need to send indefinitely,
4467 		 * unless we have not heard from the other side for some
4468 		 * time...
4469 		 */
4470 		if ((tcp->tcp_zero_win_probe == 0) ||
4471 		    ((prom_gettime() - tcp->tcp_last_recv_time) >
4472 		    second_threshold)) {
4473 			BUMP_MIB(tcp_mib.tcpTimRetransDrop);
4474 			/*
4475 			 * If TCP is in SYN_RCVD state, send back a
4476 			 * RST|ACK as BSD does.  Note that tcp_zero_win_probe
4477 			 * should be zero in TCPS_SYN_RCVD state.
4478 			 */
4479 			if (tcp->tcp_state == TCPS_SYN_RCVD) {
4480 				tcp_xmit_ctl("tcp_timer: RST sent on timeout "
4481 				    "in SYN_RCVD",
4482 				    tcp, NULL, tcp->tcp_snxt,
4483 				    tcp->tcp_rnxt, TH_RST | TH_ACK, 0, sock_id);
4484 			}
4485 			(void) tcp_clean_death(sock_id, tcp,
4486 			    tcp->tcp_client_errno ?
4487 			    tcp->tcp_client_errno : ETIMEDOUT);
4488 			return;
4489 		} else {
4490 			/*
4491 			 * Set tcp_ms_we_have_waited to second_threshold
4492 			 * so that in next timeout, we will do the above
4493 			 * check (lbolt - tcp_last_recv_time).  This is
4494 			 * also to avoid overflow.
4495 			 *
4496 			 * We don't need to decrement tcp_timer_backoff
4497 			 * to avoid overflow because it will be decremented
4498 			 * later if new timeout value is greater than
4499 			 * tcp_rexmit_interval_max.  In the case when
4500 			 * tcp_rexmit_interval_max is greater than
4501 			 * second_threshold, it means that we will wait
4502 			 * longer than second_threshold to send the next
4503 			 * window probe.
4504 			 */
4505 			tcp->tcp_ms_we_have_waited = second_threshold;
4506 		}
4507 	} else if (ms > first_threshold && tcp->tcp_rtt_sa != 0) {
4508 		/*
4509 		 * We have been retransmitting for too long...  The RTT
4510 		 * we calculated is probably incorrect.  Reinitialize it.
4511 		 * Need to compensate for 0 tcp_rtt_sa.  Reset
4512 		 * tcp_rtt_update so that we won't accidentally cache a
4513 		 * bad value.  But only do this if this is not a zero
4514 		 * window probe.
4515 		 */
4516 		if (tcp->tcp_zero_win_probe == 0) {
4517 			tcp->tcp_rtt_sd += (tcp->tcp_rtt_sa >> 3) +
4518 			    (tcp->tcp_rtt_sa >> 5);
4519 			tcp->tcp_rtt_sa = 0;
4520 			tcp->tcp_rtt_update = 0;
4521 		}
4522 	}
4523 	tcp->tcp_timer_backoff++;
4524 	if ((ms = (tcp->tcp_rtt_sa >> 3) + tcp->tcp_rtt_sd +
4525 	    tcp_rexmit_interval_extra + (tcp->tcp_rtt_sa >> 5)) <
4526 	    tcp_rexmit_interval_min) {
4527 		/*
4528 		 * This means the original RTO is tcp_rexmit_interval_min.
4529 		 * So we will use tcp_rexmit_interval_min as the RTO value
4530 		 * and do the backoff.
4531 		 */
4532 		ms = tcp_rexmit_interval_min << tcp->tcp_timer_backoff;
4533 	} else {
4534 		ms <<= tcp->tcp_timer_backoff;
4535 	}
4536 	if (ms > tcp_rexmit_interval_max) {
4537 		ms = tcp_rexmit_interval_max;
4538 		/*
4539 		 * ms is at max, decrement tcp_timer_backoff to avoid
4540 		 * overflow.
4541 		 */
4542 		tcp->tcp_timer_backoff--;
4543 	}
4544 	tcp->tcp_ms_we_have_waited += ms;
4545 	if (tcp->tcp_zero_win_probe == 0) {
4546 		tcp->tcp_rto = ms;
4547 	}
4548 	TCP_TIMER_RESTART(tcp, ms);
4549 	/*
4550 	 * This is after a timeout and tcp_rto is backed off.  Set
4551 	 * tcp_set_timer to 1 so that next time RTO is updated, we will
4552 	 * restart the timer with a correct value.
4553 	 */
4554 	tcp->tcp_set_timer = 1;
4555 	mss = tcp->tcp_snxt - tcp->tcp_suna;
4556 	if (mss > tcp->tcp_mss)
4557 		mss = tcp->tcp_mss;
4558 	if (mss > tcp->tcp_swnd && tcp->tcp_swnd != 0)
4559 		mss = tcp->tcp_swnd;
4560 
4561 	if ((mp = tcp->tcp_xmit_head) != NULL) {
4562 		/* use uintptr_t to suppress the gcc warning */
4563 		mp->b_prev = (mblk_t *)(uintptr_t)prom_gettime();
4564 	}
4565 	mp = tcp_xmit_mp(tcp, mp, mss, NULL, NULL, tcp->tcp_suna, B_TRUE, &mss,
4566 	    B_TRUE);
4567 	if (mp == NULL)
4568 		return;
4569 	tcp->tcp_csuna = tcp->tcp_snxt;
4570 	BUMP_MIB(tcp_mib.tcpRetransSegs);
4571 	UPDATE_MIB(tcp_mib.tcpRetransBytes, mss);
4572 	/* Dump the packet when debugging. */
4573 	TCP_DUMP_PACKET("tcp_timer", mp);
4574 
4575 	(void) ipv4_tcp_output(sock_id, mp);
4576 	freeb(mp);
4577 
4578 	/*
4579 	 * When slow start after retransmission begins, start with
4580 	 * this seq no.  tcp_rexmit_max marks the end of special slow
4581 	 * start phase.  tcp_snd_burst controls how many segments
4582 	 * can be sent because of an ack.
4583 	 */
4584 	tcp->tcp_rexmit_nxt = tcp->tcp_suna;
4585 	tcp->tcp_snd_burst = TCP_CWND_SS;
4586 	if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
4587 	    (tcp->tcp_unsent == 0)) {
4588 		tcp->tcp_rexmit_max = tcp->tcp_fss;
4589 	} else {
4590 		tcp->tcp_rexmit_max = tcp->tcp_snxt;
4591 	}
4592 	tcp->tcp_rexmit = B_TRUE;
4593 	tcp->tcp_dupack_cnt = 0;
4594 
4595 	/*
4596 	 * Remove all rexmit SACK blk to start from fresh.
4597 	 */
4598 	if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
4599 		TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list);
4600 		tcp->tcp_num_notsack_blk = 0;
4601 		tcp->tcp_cnt_notsack_list = 0;
4602 	}
4603 }
4604 
4605 /*
4606  * The TCP normal data output path.
4607  * NOTE: the logic of the fast path is duplicated from this function.
4608  */
4609 static void
4610 tcp_wput_data(tcp_t *tcp, mblk_t *mp, int sock_id)
4611 {
4612 	int		len;
4613 	mblk_t		*local_time;
4614 	mblk_t		*mp1;
4615 	uchar_t		*rptr;
4616 	uint32_t	snxt;
4617 	int		tail_unsent;
4618 	int		tcpstate;
4619 	int		usable = 0;
4620 	mblk_t		*xmit_tail;
4621 	int32_t		num_burst_seg;
4622 	int32_t		mss;
4623 	int32_t		num_sack_blk = 0;
4624 	int32_t		tcp_hdr_len;
4625 	ipaddr_t	*dst;
4626 	ipaddr_t	*src;
4627 
4628 #ifdef DEBUG
4629 	printf("tcp_wput_data(%d) ##############################\n", sock_id);
4630 #endif
4631 	tcpstate = tcp->tcp_state;
4632 	if (mp == NULL) {
4633 		/* Really tacky... but we need this for detached closes. */
4634 		len = tcp->tcp_unsent;
4635 		goto data_null;
4636 	}
4637 
4638 	/*
4639 	 * Don't allow data after T_ORDREL_REQ or T_DISCON_REQ,
4640 	 * or before a connection attempt has begun.
4641 	 *
4642 	 * The following should not happen in inetboot....
4643 	 */
4644 	if (tcpstate < TCPS_SYN_SENT || tcpstate > TCPS_CLOSE_WAIT ||
4645 	    (tcp->tcp_valid_bits & TCP_FSS_VALID) != 0) {
4646 		if ((tcp->tcp_valid_bits & TCP_FSS_VALID) != 0) {
4647 			printf("tcp_wput_data: data after ordrel, %s\n",
4648 			    tcp_display(tcp, NULL, DISP_ADDR_AND_PORT));
4649 		}
4650 		freemsg(mp);
4651 		return;
4652 	}
4653 
4654 	/* Strip empties */
4655 	for (;;) {
4656 		assert((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
4657 		    (uintptr_t)INT_MAX);
4658 		len = (int)(mp->b_wptr - mp->b_rptr);
4659 		if (len > 0)
4660 			break;
4661 		mp1 = mp;
4662 		mp = mp->b_cont;
4663 		freeb(mp1);
4664 		if (mp == NULL) {
4665 			return;
4666 		}
4667 	}
4668 
4669 	/* If we are the first on the list ... */
4670 	if (tcp->tcp_xmit_head == NULL) {
4671 		tcp->tcp_xmit_head = mp;
4672 		tcp->tcp_xmit_tail = mp;
4673 		tcp->tcp_xmit_tail_unsent = len;
4674 	} else {
4675 		tcp->tcp_xmit_last->b_cont = mp;
4676 		len += tcp->tcp_unsent;
4677 	}
4678 
4679 	/* Tack on however many more positive length mblks we have */
4680 	if ((mp1 = mp->b_cont) != NULL) {
4681 		do {
4682 			int tlen;
4683 			assert((uintptr_t)(mp1->b_wptr -
4684 			    mp1->b_rptr) <= (uintptr_t)INT_MAX);
4685 			tlen = (int)(mp1->b_wptr - mp1->b_rptr);
4686 			if (tlen <= 0) {
4687 				mp->b_cont = mp1->b_cont;
4688 				freeb(mp1);
4689 			} else {
4690 				len += tlen;
4691 				mp = mp1;
4692 			}
4693 		} while ((mp1 = mp->b_cont) != NULL);
4694 	}
4695 	tcp->tcp_xmit_last = mp;
4696 	tcp->tcp_unsent = len;
4697 
4698 data_null:
4699 	snxt = tcp->tcp_snxt;
4700 	xmit_tail = tcp->tcp_xmit_tail;
4701 	tail_unsent = tcp->tcp_xmit_tail_unsent;
4702 
4703 	/*
4704 	 * Note that tcp_mss has been adjusted to take into account the
4705 	 * timestamp option if applicable.  Because SACK options do not
4706 	 * appear in every TCP segments and they are of variable lengths,
4707 	 * they cannot be included in tcp_mss.  Thus we need to calculate
4708 	 * the actual segment length when we need to send a segment which
4709 	 * includes SACK options.
4710 	 */
4711 	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
4712 		int32_t	opt_len;
4713 
4714 		num_sack_blk = MIN(tcp->tcp_max_sack_blk,
4715 		    tcp->tcp_num_sack_blk);
4716 		opt_len = num_sack_blk * sizeof (sack_blk_t) + TCPOPT_NOP_LEN *
4717 		    2 + TCPOPT_HEADER_LEN;
4718 		mss = tcp->tcp_mss - opt_len;
4719 		tcp_hdr_len = tcp->tcp_hdr_len + opt_len;
4720 	} else {
4721 		mss = tcp->tcp_mss;
4722 		tcp_hdr_len = tcp->tcp_hdr_len;
4723 	}
4724 
4725 	if ((tcp->tcp_suna == snxt) &&
4726 	    (prom_gettime() - tcp->tcp_last_recv_time) >= tcp->tcp_rto) {
4727 		tcp->tcp_cwnd = MIN(tcp_slow_start_after_idle * mss,
4728 		    MIN(4 * mss, MAX(2 * mss, 4380 / mss * mss)));
4729 	}
4730 	if (tcpstate == TCPS_SYN_RCVD) {
4731 		/*
4732 		 * The three-way connection establishment handshake is not
4733 		 * complete yet. We want to queue the data for transmission
4734 		 * after entering ESTABLISHED state (RFC793). Setting usable to
4735 		 * zero cause a jump to "done" label effectively leaving data
4736 		 * on the queue.
4737 		 */
4738 
4739 		usable = 0;
4740 	} else {
4741 		int usable_r = tcp->tcp_swnd;
4742 
4743 		/*
4744 		 * In the special case when cwnd is zero, which can only
4745 		 * happen if the connection is ECN capable, return now.
4746 		 * New segments is sent using tcp_timer().  The timer
4747 		 * is set in tcp_rput_data().
4748 		 */
4749 		if (tcp->tcp_cwnd == 0) {
4750 			/*
4751 			 * Note that tcp_cwnd is 0 before 3-way handshake is
4752 			 * finished.
4753 			 */
4754 			assert(tcp->tcp_ecn_ok ||
4755 			    tcp->tcp_state < TCPS_ESTABLISHED);
4756 			return;
4757 		}
4758 
4759 		/* usable = MIN(swnd, cwnd) - unacked_bytes */
4760 		if (usable_r > tcp->tcp_cwnd)
4761 			usable_r = tcp->tcp_cwnd;
4762 
4763 		/* NOTE: trouble if xmitting while SYN not acked? */
4764 		usable_r -= snxt;
4765 		usable_r += tcp->tcp_suna;
4766 
4767 		/* usable = MIN(usable, unsent) */
4768 		if (usable_r > len)
4769 			usable_r = len;
4770 
4771 		/* usable = MAX(usable, {1 for urgent, 0 for data}) */
4772 		if (usable_r != 0)
4773 			usable = usable_r;
4774 	}
4775 
4776 	/* use uintptr_t to suppress the gcc warning */
4777 	local_time = (mblk_t *)(uintptr_t)prom_gettime();
4778 
4779 	/*
4780 	 * "Our" Nagle Algorithm.  This is not the same as in the old
4781 	 * BSD.  This is more in line with the true intent of Nagle.
4782 	 *
4783 	 * The conditions are:
4784 	 * 1. The amount of unsent data (or amount of data which can be
4785 	 *    sent, whichever is smaller) is less than Nagle limit.
4786 	 * 2. The last sent size is also less than Nagle limit.
4787 	 * 3. There is unack'ed data.
4788 	 * 4. Urgent pointer is not set.  Send urgent data ignoring the
4789 	 *    Nagle algorithm.  This reduces the probability that urgent
4790 	 *    bytes get "merged" together.
4791 	 * 5. The app has not closed the connection.  This eliminates the
4792 	 *    wait time of the receiving side waiting for the last piece of
4793 	 *    (small) data.
4794 	 *
4795 	 * If all are satisified, exit without sending anything.  Note
4796 	 * that Nagle limit can be smaller than 1 MSS.  Nagle limit is
4797 	 * the smaller of 1 MSS and global tcp_naglim_def (default to be
4798 	 * 4095).
4799 	 */
4800 	if (usable < (int)tcp->tcp_naglim &&
4801 	    tcp->tcp_naglim > tcp->tcp_last_sent_len &&
4802 	    snxt != tcp->tcp_suna &&
4803 	    !(tcp->tcp_valid_bits & TCP_URG_VALID))
4804 		goto done;
4805 
4806 	num_burst_seg = tcp->tcp_snd_burst;
4807 	for (;;) {
4808 		tcph_t		*tcph;
4809 		mblk_t		*new_mp;
4810 
4811 		if (num_burst_seg-- == 0)
4812 			goto done;
4813 
4814 		len = mss;
4815 		if (len > usable) {
4816 			len = usable;
4817 			if (len <= 0) {
4818 				/* Terminate the loop */
4819 				goto done;
4820 			}
4821 			/*
4822 			 * Sender silly-window avoidance.
4823 			 * Ignore this if we are going to send a
4824 			 * zero window probe out.
4825 			 *
4826 			 * TODO: force data into microscopic window ??
4827 			 *	==> (!pushed || (unsent > usable))
4828 			 */
4829 			if (len < (tcp->tcp_max_swnd >> 1) &&
4830 			    (tcp->tcp_unsent - (snxt - tcp->tcp_snxt)) > len &&
4831 			    !((tcp->tcp_valid_bits & TCP_URG_VALID) &&
4832 			    len == 1) && (! tcp->tcp_zero_win_probe)) {
4833 				/*
4834 				 * If the retransmit timer is not running
4835 				 * we start it so that we will retransmit
4836 				 * in the case when the the receiver has
4837 				 * decremented the window.
4838 				 */
4839 				if (snxt == tcp->tcp_snxt &&
4840 				    snxt == tcp->tcp_suna) {
4841 					/*
4842 					 * We are not supposed to send
4843 					 * anything.  So let's wait a little
4844 					 * bit longer before breaking SWS
4845 					 * avoidance.
4846 					 *
4847 					 * What should the value be?
4848 					 * Suggestion: MAX(init rexmit time,
4849 					 * tcp->tcp_rto)
4850 					 */
4851 					TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
4852 				}
4853 				goto done;
4854 			}
4855 		}
4856 
4857 		tcph = tcp->tcp_tcph;
4858 
4859 		usable -= len;	/* Approximate - can be adjusted later */
4860 		if (usable > 0)
4861 			tcph->th_flags[0] = TH_ACK;
4862 		else
4863 			tcph->th_flags[0] = (TH_ACK | TH_PUSH);
4864 
4865 		U32_TO_ABE32(snxt, tcph->th_seq);
4866 
4867 		if (tcp->tcp_valid_bits) {
4868 			uchar_t		*prev_rptr = xmit_tail->b_rptr;
4869 			uint32_t	prev_snxt = tcp->tcp_snxt;
4870 
4871 			if (tail_unsent == 0) {
4872 				assert(xmit_tail->b_cont != NULL);
4873 				xmit_tail = xmit_tail->b_cont;
4874 				prev_rptr = xmit_tail->b_rptr;
4875 				tail_unsent = (int)(xmit_tail->b_wptr -
4876 				    xmit_tail->b_rptr);
4877 			} else {
4878 				xmit_tail->b_rptr = xmit_tail->b_wptr -
4879 				    tail_unsent;
4880 			}
4881 			mp = tcp_xmit_mp(tcp, xmit_tail, len, NULL, NULL,
4882 			    snxt, B_FALSE, (uint32_t *)&len, B_FALSE);
4883 			/* Restore tcp_snxt so we get amount sent right. */
4884 			tcp->tcp_snxt = prev_snxt;
4885 			if (prev_rptr == xmit_tail->b_rptr)
4886 				xmit_tail->b_prev = local_time;
4887 			else
4888 				xmit_tail->b_rptr = prev_rptr;
4889 
4890 			if (mp == NULL)
4891 				break;
4892 
4893 			mp1 = mp->b_cont;
4894 
4895 			snxt += len;
4896 			tcp->tcp_last_sent_len = (ushort_t)len;
4897 			while (mp1->b_cont) {
4898 				xmit_tail = xmit_tail->b_cont;
4899 				xmit_tail->b_prev = local_time;
4900 				mp1 = mp1->b_cont;
4901 			}
4902 			tail_unsent = xmit_tail->b_wptr - mp1->b_wptr;
4903 			BUMP_MIB(tcp_mib.tcpOutDataSegs);
4904 			UPDATE_MIB(tcp_mib.tcpOutDataBytes, len);
4905 			/* Dump the packet when debugging. */
4906 			TCP_DUMP_PACKET("tcp_wput_data (valid bits)", mp);
4907 			(void) ipv4_tcp_output(sock_id, mp);
4908 			freeb(mp);
4909 			continue;
4910 		}
4911 
4912 		snxt += len;	/* Adjust later if we don't send all of len */
4913 		BUMP_MIB(tcp_mib.tcpOutDataSegs);
4914 		UPDATE_MIB(tcp_mib.tcpOutDataBytes, len);
4915 
4916 		if (tail_unsent) {
4917 			/* Are the bytes above us in flight? */
4918 			rptr = xmit_tail->b_wptr - tail_unsent;
4919 			if (rptr != xmit_tail->b_rptr) {
4920 				tail_unsent -= len;
4921 				len += tcp_hdr_len;
4922 				tcp->tcp_ipha->ip_len = htons(len);
4923 				mp = dupb(xmit_tail);
4924 				if (!mp)
4925 					break;
4926 				mp->b_rptr = rptr;
4927 				goto must_alloc;
4928 			}
4929 		} else {
4930 			xmit_tail = xmit_tail->b_cont;
4931 			assert((uintptr_t)(xmit_tail->b_wptr -
4932 			    xmit_tail->b_rptr) <= (uintptr_t)INT_MAX);
4933 			tail_unsent = (int)(xmit_tail->b_wptr -
4934 			    xmit_tail->b_rptr);
4935 		}
4936 
4937 		tail_unsent -= len;
4938 		tcp->tcp_last_sent_len = (ushort_t)len;
4939 
4940 		len += tcp_hdr_len;
4941 		if (tcp->tcp_ipversion == IPV4_VERSION)
4942 			tcp->tcp_ipha->ip_len = htons(len);
4943 
4944 		xmit_tail->b_prev = local_time;
4945 
4946 		mp = dupb(xmit_tail);
4947 		if (mp == NULL)
4948 			goto out_of_mem;
4949 
4950 		len = tcp_hdr_len;
4951 		/*
4952 		 * There are four reasons to allocate a new hdr mblk:
4953 		 *  1) The bytes above us are in use by another packet
4954 		 *  2) We don't have good alignment
4955 		 *  3) The mblk is being shared
4956 		 *  4) We don't have enough room for a header
4957 		 */
4958 		rptr = mp->b_rptr - len;
4959 		if (!OK_32PTR(rptr) ||
4960 		    rptr < mp->b_datap) {
4961 			/* NOTE: we assume allocb returns an OK_32PTR */
4962 
4963 		must_alloc:;
4964 			mp1 = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
4965 			    tcp_wroff_xtra, 0);
4966 			if (mp1 == NULL) {
4967 				freemsg(mp);
4968 				goto out_of_mem;
4969 			}
4970 			mp1->b_cont = mp;
4971 			mp = mp1;
4972 			/* Leave room for Link Level header */
4973 			len = tcp_hdr_len;
4974 			rptr = &mp->b_rptr[tcp_wroff_xtra];
4975 			mp->b_wptr = &rptr[len];
4976 		}
4977 
4978 		if (tcp->tcp_snd_ts_ok) {
4979 			/* use uintptr_t to suppress the gcc warning */
4980 			U32_TO_BE32((uint32_t)(uintptr_t)local_time,
4981 				(char *)tcph+TCP_MIN_HEADER_LENGTH+4);
4982 			U32_TO_BE32(tcp->tcp_ts_recent,
4983 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
4984 		} else {
4985 			assert(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);
4986 		}
4987 
4988 		mp->b_rptr = rptr;
4989 
4990 		/* Copy the template header. */
4991 		dst = (ipaddr_t *)rptr;
4992 		src = (ipaddr_t *)tcp->tcp_iphc;
4993 		dst[0] = src[0];
4994 		dst[1] = src[1];
4995 		dst[2] = src[2];
4996 		dst[3] = src[3];
4997 		dst[4] = src[4];
4998 		dst[5] = src[5];
4999 		dst[6] = src[6];
5000 		dst[7] = src[7];
5001 		dst[8] = src[8];
5002 		dst[9] = src[9];
5003 		len = tcp->tcp_hdr_len;
5004 		if (len -= 40) {
5005 			len >>= 2;
5006 			dst += 10;
5007 			src += 10;
5008 			do {
5009 				*dst++ = *src++;
5010 			} while (--len);
5011 		}
5012 
5013 		/*
5014 		 * Set tcph to point to the header of the outgoing packet,
5015 		 * not to the template header.
5016 		 */
5017 		tcph = (tcph_t *)(rptr + tcp->tcp_ip_hdr_len);
5018 
5019 		/*
5020 		 * Set the ECN info in the TCP header if it is not a zero
5021 		 * window probe.  Zero window probe is only sent in
5022 		 * tcp_wput_data() and tcp_timer().
5023 		 */
5024 		if (tcp->tcp_ecn_ok && !tcp->tcp_zero_win_probe) {
5025 			SET_ECT(tcp, rptr);
5026 
5027 			if (tcp->tcp_ecn_echo_on)
5028 				tcph->th_flags[0] |= TH_ECE;
5029 			if (tcp->tcp_cwr && !tcp->tcp_ecn_cwr_sent) {
5030 				tcph->th_flags[0] |= TH_CWR;
5031 				tcp->tcp_ecn_cwr_sent = B_TRUE;
5032 			}
5033 		}
5034 
5035 		/* Fill in SACK options */
5036 		if (num_sack_blk > 0) {
5037 			uchar_t *wptr = rptr + tcp->tcp_hdr_len;
5038 			sack_blk_t *tmp;
5039 			int32_t	i;
5040 
5041 			wptr[0] = TCPOPT_NOP;
5042 			wptr[1] = TCPOPT_NOP;
5043 			wptr[2] = TCPOPT_SACK;
5044 			wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
5045 			    sizeof (sack_blk_t);
5046 			wptr += TCPOPT_REAL_SACK_LEN;
5047 
5048 			tmp = tcp->tcp_sack_list;
5049 			for (i = 0; i < num_sack_blk; i++) {
5050 				U32_TO_BE32(tmp[i].begin, wptr);
5051 				wptr += sizeof (tcp_seq);
5052 				U32_TO_BE32(tmp[i].end, wptr);
5053 				wptr += sizeof (tcp_seq);
5054 			}
5055 			tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1)
5056 			    << 4);
5057 		}
5058 
5059 		if (tail_unsent) {
5060 			mp1 = mp->b_cont;
5061 			if (mp1 == NULL)
5062 				mp1 = mp;
5063 			/*
5064 			 * If we're a little short, tack on more mblks
5065 			 * as long as we don't need to split an mblk.
5066 			 */
5067 			while (tail_unsent < 0 &&
5068 			    tail_unsent + (int)(xmit_tail->b_cont->b_wptr -
5069 			    xmit_tail->b_cont->b_rptr) <= 0) {
5070 				xmit_tail = xmit_tail->b_cont;
5071 				/* Stash for rtt use later */
5072 				xmit_tail->b_prev = local_time;
5073 				mp1->b_cont = dupb(xmit_tail);
5074 				mp1 = mp1->b_cont;
5075 				assert((uintptr_t)(xmit_tail->b_wptr -
5076 				    xmit_tail->b_rptr) <= (uintptr_t)INT_MAX);
5077 				tail_unsent += (int)(xmit_tail->b_wptr -
5078 				    xmit_tail->b_rptr);
5079 				if (mp1 == NULL) {
5080 					freemsg(mp);
5081 					goto out_of_mem;
5082 				}
5083 			}
5084 			/* Trim back any surplus on the last mblk */
5085 			if (tail_unsent > 0)
5086 				mp1->b_wptr -= tail_unsent;
5087 			if (tail_unsent < 0) {
5088 				uint32_t ip_len;
5089 
5090 				/*
5091 				 * We did not send everything we could in
5092 				 * order to preserve mblk boundaries.
5093 				 */
5094 				usable -= tail_unsent;
5095 				snxt += tail_unsent;
5096 				tcp->tcp_last_sent_len += tail_unsent;
5097 				UPDATE_MIB(tcp_mib.tcpOutDataBytes,
5098 				    tail_unsent);
5099 				/* Adjust the IP length field. */
5100 				ip_len = ntohs(((struct ip *)rptr)->ip_len) +
5101 				    tail_unsent;
5102 				((struct ip *)rptr)->ip_len = htons(ip_len);
5103 				tail_unsent = 0;
5104 			}
5105 		}
5106 
5107 		if (mp == NULL)
5108 			goto out_of_mem;
5109 
5110 		/*
5111 		 * Performance hit!  We need to pullup the whole message
5112 		 * in order to do checksum and for the MAC output routine.
5113 		 */
5114 		if (mp->b_cont != NULL) {
5115 			int mp_size;
5116 #ifdef	DEBUG
5117 			printf("Multiple mblk %d\n", msgdsize(mp));
5118 #endif
5119 			new_mp = allocb(msgdsize(mp) + tcp_wroff_xtra, 0);
5120 			new_mp->b_rptr += tcp_wroff_xtra;
5121 			new_mp->b_wptr = new_mp->b_rptr;
5122 			while (mp != NULL) {
5123 				mp_size = mp->b_wptr - mp->b_rptr;
5124 				bcopy(mp->b_rptr, new_mp->b_wptr, mp_size);
5125 				new_mp->b_wptr += mp_size;
5126 				mp = mp->b_cont;
5127 			}
5128 			freemsg(mp);
5129 			mp = new_mp;
5130 		}
5131 		tcp_set_cksum(mp);
5132 		((struct ip *)mp->b_rptr)->ip_ttl = (uint8_t)tcp_ipv4_ttl;
5133 		TCP_DUMP_PACKET("tcp_wput_data", mp);
5134 		(void) ipv4_tcp_output(sock_id, mp);
5135 		freemsg(mp);
5136 	}
5137 out_of_mem:;
5138 	/* Pretend that all we were trying to send really got sent */
5139 	if (tail_unsent < 0) {
5140 		do {
5141 			xmit_tail = xmit_tail->b_cont;
5142 			xmit_tail->b_prev = local_time;
5143 			assert((uintptr_t)(xmit_tail->b_wptr -
5144 			    xmit_tail->b_rptr) <= (uintptr_t)INT_MAX);
5145 			tail_unsent += (int)(xmit_tail->b_wptr -
5146 			    xmit_tail->b_rptr);
5147 		} while (tail_unsent < 0);
5148 	}
5149 done:;
5150 	tcp->tcp_xmit_tail = xmit_tail;
5151 	tcp->tcp_xmit_tail_unsent = tail_unsent;
5152 	len = tcp->tcp_snxt - snxt;
5153 	if (len) {
5154 		/*
5155 		 * If new data was sent, need to update the notsack
5156 		 * list, which is, afterall, data blocks that have
5157 		 * not been sack'ed by the receiver.  New data is
5158 		 * not sack'ed.
5159 		 */
5160 		if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
5161 			/* len is a negative value. */
5162 			tcp->tcp_pipe -= len;
5163 			tcp_notsack_update(&(tcp->tcp_notsack_list),
5164 			    tcp->tcp_snxt, snxt,
5165 			    &(tcp->tcp_num_notsack_blk),
5166 			    &(tcp->tcp_cnt_notsack_list));
5167 		}
5168 		tcp->tcp_snxt = snxt + tcp->tcp_fin_sent;
5169 		tcp->tcp_rack = tcp->tcp_rnxt;
5170 		tcp->tcp_rack_cnt = 0;
5171 		if ((snxt + len) == tcp->tcp_suna) {
5172 			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
5173 		}
5174 		/*
5175 		 * Note that len is the amount we just sent but with a negative
5176 		 * sign. We update tcp_unsent here since we may come back to
5177 		 * tcp_wput_data from tcp_state_wait.
5178 		 */
5179 		len += tcp->tcp_unsent;
5180 		tcp->tcp_unsent = len;
5181 
5182 		/*
5183 		 * Let's wait till all the segments have been acked, since we
5184 		 * don't have a timer.
5185 		 */
5186 		(void) tcp_state_wait(sock_id, tcp, TCPS_ALL_ACKED);
5187 		return;
5188 	} else if (snxt == tcp->tcp_suna && tcp->tcp_swnd == 0) {
5189 		/*
5190 		 * Didn't send anything. Make sure the timer is running
5191 		 * so that we will probe a zero window.
5192 		 */
5193 		TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
5194 	}
5195 
5196 	/* Note that len is the amount we just sent but with a negative sign */
5197 	len += tcp->tcp_unsent;
5198 	tcp->tcp_unsent = len;
5199 
5200 }
5201 
5202 static void
5203 tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp,
5204     uint32_t seg_seq, uint32_t seg_ack, int seg_len, tcph_t *tcph,
5205     int sock_id)
5206 {
5207 	int32_t		bytes_acked;
5208 	int32_t		gap;
5209 	int32_t		rgap;
5210 	tcp_opt_t	tcpopt;
5211 	uint_t		flags;
5212 	uint32_t	new_swnd = 0;
5213 
5214 #ifdef DEBUG
5215 	printf("Time wait processing called ###############3\n");
5216 #endif
5217 
5218 	/* Just make sure we send the right sock_id to tcp_clean_death */
5219 	if ((sockets[sock_id].pcb == NULL) || (sockets[sock_id].pcb != tcp))
5220 		sock_id = -1;
5221 
5222 	flags = (unsigned int)tcph->th_flags[0] & 0xFF;
5223 	new_swnd = BE16_TO_U16(tcph->th_win) <<
5224 	    ((tcph->th_flags[0] & TH_SYN) ? 0 : tcp->tcp_snd_ws);
5225 	if (tcp->tcp_snd_ts_ok) {
5226 		if (!tcp_paws_check(tcp, tcph, &tcpopt)) {
5227 			freemsg(mp);
5228 			tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
5229 			    tcp->tcp_rnxt, TH_ACK, 0, -1);
5230 			return;
5231 		}
5232 	}
5233 	gap = seg_seq - tcp->tcp_rnxt;
5234 	rgap = tcp->tcp_rwnd - (gap + seg_len);
5235 	if (gap < 0) {
5236 		BUMP_MIB(tcp_mib.tcpInDataDupSegs);
5237 		UPDATE_MIB(tcp_mib.tcpInDataDupBytes,
5238 		    (seg_len > -gap ? -gap : seg_len));
5239 		seg_len += gap;
5240 		if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
5241 			if (flags & TH_RST) {
5242 				freemsg(mp);
5243 				return;
5244 			}
5245 			if ((flags & TH_FIN) && seg_len == -1) {
5246 				/*
5247 				 * When TCP receives a duplicate FIN in
5248 				 * TIME_WAIT state, restart the 2 MSL timer.
5249 				 * See page 73 in RFC 793. Make sure this TCP
5250 				 * is already on the TIME_WAIT list. If not,
5251 				 * just restart the timer.
5252 				 */
5253 				tcp_time_wait_remove(tcp);
5254 				tcp_time_wait_append(tcp);
5255 				TCP_TIMER_RESTART(tcp, tcp_time_wait_interval);
5256 				tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
5257 				    tcp->tcp_rnxt, TH_ACK, 0, -1);
5258 				freemsg(mp);
5259 				return;
5260 			}
5261 			flags |=  TH_ACK_NEEDED;
5262 			seg_len = 0;
5263 			goto process_ack;
5264 		}
5265 
5266 		/* Fix seg_seq, and chew the gap off the front. */
5267 		seg_seq = tcp->tcp_rnxt;
5268 	}
5269 
5270 	if ((flags & TH_SYN) && gap > 0 && rgap < 0) {
5271 		/*
5272 		 * Make sure that when we accept the connection, pick
5273 		 * an ISS greater than (tcp_snxt + ISS_INCR/2) for the
5274 		 * old connection.
5275 		 *
5276 		 * The next ISS generated is equal to tcp_iss_incr_extra
5277 		 * + ISS_INCR/2 + other components depending on the
5278 		 * value of tcp_strong_iss.  We pre-calculate the new
5279 		 * ISS here and compare with tcp_snxt to determine if
5280 		 * we need to make adjustment to tcp_iss_incr_extra.
5281 		 *
5282 		 * Note that since we are now in the global queue
5283 		 * perimeter and need to do a lateral_put() to the
5284 		 * listener queue, there can be other connection requests/
5285 		 * attempts while the lateral_put() is going on.  That
5286 		 * means what we calculate here may not be correct.  This
5287 		 * is extremely difficult to solve unless TCP and IP
5288 		 * modules are merged and there is no perimeter, but just
5289 		 * locks.  The above calculation is ugly and is a
5290 		 * waste of CPU cycles...
5291 		 */
5292 		uint32_t new_iss = tcp_iss_incr_extra;
5293 		int32_t adj;
5294 
5295 		/* Add time component and min random (i.e. 1). */
5296 		new_iss += (prom_gettime() >> ISS_NSEC_SHT) + 1;
5297 		if ((adj = (int32_t)(tcp->tcp_snxt - new_iss)) > 0) {
5298 			/*
5299 			 * New ISS not guaranteed to be ISS_INCR/2
5300 			 * ahead of the current tcp_snxt, so add the
5301 			 * difference to tcp_iss_incr_extra.
5302 			 */
5303 			tcp_iss_incr_extra += adj;
5304 		}
5305 		tcp_clean_death(sock_id, tcp, 0);
5306 
5307 		/*
5308 		 * This is a passive open.  Right now we do not
5309 		 * do anything...
5310 		 */
5311 		freemsg(mp);
5312 		return;
5313 	}
5314 
5315 	/*
5316 	 * rgap is the amount of stuff received out of window.  A negative
5317 	 * value is the amount out of window.
5318 	 */
5319 	if (rgap < 0) {
5320 		BUMP_MIB(tcp_mib.tcpInDataPastWinSegs);
5321 		UPDATE_MIB(tcp_mib.tcpInDataPastWinBytes, -rgap);
5322 		/* Fix seg_len and make sure there is something left. */
5323 		seg_len += rgap;
5324 		if (seg_len <= 0) {
5325 			if (flags & TH_RST) {
5326 				freemsg(mp);
5327 				return;
5328 			}
5329 			flags |=  TH_ACK_NEEDED;
5330 			seg_len = 0;
5331 			goto process_ack;
5332 		}
5333 	}
5334 	/*
5335 	 * Check whether we can update tcp_ts_recent.  This test is
5336 	 * NOT the one in RFC 1323 3.4.  It is from Braden, 1993, "TCP
5337 	 * Extensions for High Performance: An Update", Internet Draft.
5338 	 */
5339 	if (tcp->tcp_snd_ts_ok &&
5340 	    TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
5341 	    SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
5342 		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
5343 		tcp->tcp_last_rcv_lbolt = prom_gettime();
5344 	}
5345 
5346 	if (seg_seq != tcp->tcp_rnxt && seg_len > 0) {
5347 		/* Always ack out of order packets */
5348 		flags |= TH_ACK_NEEDED;
5349 		seg_len = 0;
5350 	} else if (seg_len > 0) {
5351 		BUMP_MIB(tcp_mib.tcpInDataInorderSegs);
5352 		UPDATE_MIB(tcp_mib.tcpInDataInorderBytes, seg_len);
5353 	}
5354 	if (flags & TH_RST) {
5355 		freemsg(mp);
5356 		(void) tcp_clean_death(sock_id, tcp, 0);
5357 		return;
5358 	}
5359 	if (flags & TH_SYN) {
5360 		freemsg(mp);
5361 		tcp_xmit_ctl("TH_SYN", tcp, NULL, seg_ack, seg_seq + 1,
5362 		    TH_RST|TH_ACK, 0, -1);
5363 		/*
5364 		 * Do not delete the TCP structure if it is in
5365 		 * TIME_WAIT state.  Refer to RFC 1122, 4.2.2.13.
5366 		 */
5367 		return;
5368 	}
5369 process_ack:
5370 	if (flags & TH_ACK) {
5371 		bytes_acked = (int)(seg_ack - tcp->tcp_suna);
5372 		if (bytes_acked <= 0) {
5373 			if (bytes_acked == 0 && seg_len == 0 &&
5374 			    new_swnd == tcp->tcp_swnd)
5375 				BUMP_MIB(tcp_mib.tcpInDupAck);
5376 		} else {
5377 			/* Acks something not sent */
5378 			flags |= TH_ACK_NEEDED;
5379 		}
5380 	}
5381 	freemsg(mp);
5382 	if (flags & TH_ACK_NEEDED) {
5383 		/*
5384 		 * Time to send an ack for some reason.
5385 		 */
5386 		tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
5387 		    tcp->tcp_rnxt, TH_ACK, 0, -1);
5388 	}
5389 }
5390 
5391 static int
5392 tcp_init_values(tcp_t *tcp, struct inetboot_socket *isp)
5393 {
5394 	int	err;
5395 
5396 	tcp->tcp_family = AF_INET;
5397 	tcp->tcp_ipversion = IPV4_VERSION;
5398 
5399 	/*
5400 	 * Initialize tcp_rtt_sa and tcp_rtt_sd so that the calculated RTO
5401 	 * will be close to tcp_rexmit_interval_initial.  By doing this, we
5402 	 * allow the algorithm to adjust slowly to large fluctuations of RTT
5403 	 * during first few transmissions of a connection as seen in slow
5404 	 * links.
5405 	 */
5406 	tcp->tcp_rtt_sa = tcp_rexmit_interval_initial << 2;
5407 	tcp->tcp_rtt_sd = tcp_rexmit_interval_initial >> 1;
5408 	tcp->tcp_rto = (tcp->tcp_rtt_sa >> 3) + tcp->tcp_rtt_sd +
5409 	    tcp_rexmit_interval_extra + (tcp->tcp_rtt_sa >> 5) +
5410 	    tcp_conn_grace_period;
5411 	if (tcp->tcp_rto < tcp_rexmit_interval_min)
5412 		tcp->tcp_rto = tcp_rexmit_interval_min;
5413 	tcp->tcp_timer_backoff = 0;
5414 	tcp->tcp_ms_we_have_waited = 0;
5415 	tcp->tcp_last_recv_time = prom_gettime();
5416 	tcp->tcp_cwnd_max = tcp_cwnd_max_;
5417 	tcp->tcp_snd_burst = TCP_CWND_INFINITE;
5418 	tcp->tcp_cwnd_ssthresh = TCP_MAX_LARGEWIN;
5419 	/* For Ethernet, the mtu returned is actually 1550... */
5420 	if (mac_get_type() == IFT_ETHER) {
5421 		tcp->tcp_if_mtu = mac_get_mtu() - 50;
5422 	} else {
5423 		tcp->tcp_if_mtu = mac_get_mtu();
5424 	}
5425 	tcp->tcp_mss = tcp->tcp_if_mtu;
5426 
5427 	tcp->tcp_first_timer_threshold = tcp_ip_notify_interval;
5428 	tcp->tcp_first_ctimer_threshold = tcp_ip_notify_cinterval;
5429 	tcp->tcp_second_timer_threshold = tcp_ip_abort_interval;
5430 	/*
5431 	 * Fix it to tcp_ip_abort_linterval later if it turns out to be a
5432 	 * passive open.
5433 	 */
5434 	tcp->tcp_second_ctimer_threshold = tcp_ip_abort_cinterval;
5435 
5436 	tcp->tcp_naglim = tcp_naglim_def;
5437 
5438 	/* NOTE:  ISS is now set in tcp_adapt_ire(). */
5439 
5440 	/* Initialize the header template */
5441 	if (tcp->tcp_ipversion == IPV4_VERSION) {
5442 		err = tcp_header_init_ipv4(tcp);
5443 	}
5444 	if (err)
5445 		return (err);
5446 
5447 	/*
5448 	 * Init the window scale to the max so tcp_rwnd_set() won't pare
5449 	 * down tcp_rwnd. tcp_adapt_ire() will set the right value later.
5450 	 */
5451 	tcp->tcp_rcv_ws = TCP_MAX_WINSHIFT;
5452 	tcp->tcp_xmit_lowater = tcp_xmit_lowat;
5453 	if (isp != NULL) {
5454 		tcp->tcp_xmit_hiwater = isp->so_sndbuf;
5455 		tcp->tcp_rwnd = isp->so_rcvbuf;
5456 		tcp->tcp_rwnd_max = isp->so_rcvbuf;
5457 	}
5458 	tcp->tcp_state = TCPS_IDLE;
5459 	return (0);
5460 }
5461 
5462 /*
5463  * Initialize the IPv4 header. Loses any record of any IP options.
5464  */
5465 static int
5466 tcp_header_init_ipv4(tcp_t *tcp)
5467 {
5468 	tcph_t		*tcph;
5469 
5470 	/*
5471 	 * This is a simple initialization. If there's
5472 	 * already a template, it should never be too small,
5473 	 * so reuse it.  Otherwise, allocate space for the new one.
5474 	 */
5475 	if (tcp->tcp_iphc != NULL) {
5476 		assert(tcp->tcp_iphc_len >= TCP_MAX_COMBINED_HEADER_LENGTH);
5477 		bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
5478 	} else {
5479 		tcp->tcp_iphc_len = TCP_MAX_COMBINED_HEADER_LENGTH;
5480 		tcp->tcp_iphc = bkmem_zalloc(tcp->tcp_iphc_len);
5481 		if (tcp->tcp_iphc == NULL) {
5482 			tcp->tcp_iphc_len = 0;
5483 			return (ENOMEM);
5484 		}
5485 	}
5486 	tcp->tcp_ipha = (struct ip *)tcp->tcp_iphc;
5487 	tcp->tcp_ipversion = IPV4_VERSION;
5488 
5489 	/*
5490 	 * Note that it does not include TCP options yet.  It will
5491 	 * after the connection is established.
5492 	 */
5493 	tcp->tcp_hdr_len = sizeof (struct ip) + sizeof (tcph_t);
5494 	tcp->tcp_tcp_hdr_len = sizeof (tcph_t);
5495 	tcp->tcp_ip_hdr_len = sizeof (struct ip);
5496 	tcp->tcp_ipha->ip_v = IP_VERSION;
5497 	/* We don't support IP options... */
5498 	tcp->tcp_ipha->ip_hl = IP_SIMPLE_HDR_LENGTH_IN_WORDS;
5499 	tcp->tcp_ipha->ip_p = IPPROTO_TCP;
5500 	/* We are not supposed to do PMTU discovery... */
5501 	tcp->tcp_ipha->ip_sum = 0;
5502 
5503 	tcph = (tcph_t *)(tcp->tcp_iphc + sizeof (struct ip));
5504 	tcp->tcp_tcph = tcph;
5505 	tcph->th_offset_and_rsrvd[0] = (5 << 4);
5506 	return (0);
5507 }
5508 
5509 /*
5510  * Send out a control packet on the tcp connection specified.  This routine
5511  * is typically called where we need a simple ACK or RST generated.
5512  *
5513  * This function is called with or without a mp.
5514  */
5515 static void
5516 tcp_xmit_ctl(char *str, tcp_t *tcp, mblk_t *mp, uint32_t seq,
5517     uint32_t ack, int ctl, uint_t ip_hdr_len, int sock_id)
5518 {
5519 	uchar_t		*rptr;
5520 	tcph_t		*tcph;
5521 	struct ip	*iph = NULL;
5522 	int		tcp_hdr_len;
5523 	int		tcp_ip_hdr_len;
5524 
5525 	tcp_hdr_len = tcp->tcp_hdr_len;
5526 	tcp_ip_hdr_len = tcp->tcp_ip_hdr_len;
5527 
5528 	if (mp) {
5529 		assert(ip_hdr_len != 0);
5530 		rptr = mp->b_rptr;
5531 		tcph = (tcph_t *)(rptr + ip_hdr_len);
5532 		/* Don't reply to a RST segment. */
5533 		if (tcph->th_flags[0] & TH_RST) {
5534 			freeb(mp);
5535 			return;
5536 		}
5537 		freemsg(mp);
5538 		rptr = NULL;
5539 	} else {
5540 		assert(ip_hdr_len == 0);
5541 	}
5542 	/* If a text string is passed in with the request, print it out. */
5543 	if (str != NULL) {
5544 		dprintf("tcp_xmit_ctl(%d): '%s', seq 0x%x, ack 0x%x, "
5545 		    "ctl 0x%x\n", sock_id, str, seq, ack, ctl);
5546 	}
5547 	mp = allocb(tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH + tcp_wroff_xtra, 0);
5548 	if (mp == NULL) {
5549 		dprintf("tcp_xmit_ctl(%d): Cannot allocate memory\n", sock_id);
5550 		return;
5551 	}
5552 	rptr = &mp->b_rptr[tcp_wroff_xtra];
5553 	mp->b_rptr = rptr;
5554 	mp->b_wptr = &rptr[tcp_hdr_len];
5555 	bcopy(tcp->tcp_iphc, rptr, tcp_hdr_len);
5556 
5557 	iph = (struct ip *)rptr;
5558 	iph->ip_len = htons(tcp_hdr_len);
5559 
5560 	tcph = (tcph_t *)&rptr[tcp_ip_hdr_len];
5561 	tcph->th_flags[0] = (uint8_t)ctl;
5562 	if (ctl & TH_RST) {
5563 		BUMP_MIB(tcp_mib.tcpOutRsts);
5564 		BUMP_MIB(tcp_mib.tcpOutControl);
5565 		/*
5566 		 * Don't send TSopt w/ TH_RST packets per RFC 1323.
5567 		 */
5568 		if (tcp->tcp_snd_ts_ok && tcp->tcp_state > TCPS_SYN_SENT) {
5569 			mp->b_wptr = &rptr[tcp_hdr_len - TCPOPT_REAL_TS_LEN];
5570 			*(mp->b_wptr) = TCPOPT_EOL;
5571 			iph->ip_len = htons(tcp_hdr_len -
5572 			    TCPOPT_REAL_TS_LEN);
5573 			tcph->th_offset_and_rsrvd[0] -= (3 << 4);
5574 		}
5575 	}
5576 	if (ctl & TH_ACK) {
5577 		uint32_t now = prom_gettime();
5578 
5579 		if (tcp->tcp_snd_ts_ok) {
5580 			U32_TO_BE32(now,
5581 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
5582 			U32_TO_BE32(tcp->tcp_ts_recent,
5583 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
5584 		}
5585 		tcp->tcp_rack = ack;
5586 		tcp->tcp_rack_cnt = 0;
5587 		BUMP_MIB(tcp_mib.tcpOutAck);
5588 	}
5589 	BUMP_MIB(tcp_mib.tcpOutSegs);
5590 	U32_TO_BE32(seq, tcph->th_seq);
5591 	U32_TO_BE32(ack, tcph->th_ack);
5592 
5593 	tcp_set_cksum(mp);
5594 	iph->ip_ttl = (uint8_t)tcp_ipv4_ttl;
5595 	TCP_DUMP_PACKET("tcp_xmit_ctl", mp);
5596 	(void) ipv4_tcp_output(sock_id, mp);
5597 	freeb(mp);
5598 }
5599 
5600 /* Generate an ACK-only (no data) segment for a TCP endpoint */
5601 static mblk_t *
5602 tcp_ack_mp(tcp_t *tcp)
5603 {
5604 	if (tcp->tcp_valid_bits) {
5605 		/*
5606 		 * For the complex case where we have to send some
5607 		 * controls (FIN or SYN), let tcp_xmit_mp do it.
5608 		 * When sending an ACK-only segment (no data)
5609 		 * into a zero window, always set the seq number to
5610 		 * suna, since snxt will be extended past the window.
5611 		 * If we used snxt, the receiver might consider the ACK
5612 		 * unacceptable.
5613 		 */
5614 		return (tcp_xmit_mp(tcp, NULL, 0, NULL, NULL,
5615 		    (tcp->tcp_zero_win_probe) ?
5616 		    tcp->tcp_suna :
5617 		    tcp->tcp_snxt, B_FALSE, NULL, B_FALSE));
5618 	} else {
5619 		/* Generate a simple ACK */
5620 		uchar_t	*rptr;
5621 		tcph_t	*tcph;
5622 		mblk_t	*mp1;
5623 		int32_t	tcp_hdr_len;
5624 		int32_t	num_sack_blk = 0;
5625 		int32_t sack_opt_len;
5626 
5627 		/*
5628 		 * Allocate space for TCP + IP headers
5629 		 * and link-level header
5630 		 */
5631 		if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
5632 			num_sack_blk = MIN(tcp->tcp_max_sack_blk,
5633 			    tcp->tcp_num_sack_blk);
5634 			sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
5635 			    TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
5636 			tcp_hdr_len = tcp->tcp_hdr_len + sack_opt_len;
5637 		} else {
5638 			tcp_hdr_len = tcp->tcp_hdr_len;
5639 		}
5640 		mp1 = allocb(tcp_hdr_len + tcp_wroff_xtra, 0);
5641 		if (mp1 == NULL)
5642 			return (NULL);
5643 
5644 		/* copy in prototype TCP + IP header */
5645 		rptr = mp1->b_rptr + tcp_wroff_xtra;
5646 		mp1->b_rptr = rptr;
5647 		mp1->b_wptr = rptr + tcp_hdr_len;
5648 		bcopy(tcp->tcp_iphc, rptr, tcp->tcp_hdr_len);
5649 
5650 		tcph = (tcph_t *)&rptr[tcp->tcp_ip_hdr_len];
5651 
5652 		/*
5653 		 * Set the TCP sequence number.
5654 		 * When sending an ACK-only segment (no data)
5655 		 * into a zero window, always set the seq number to
5656 		 * suna, since snxt will be extended past the window.
5657 		 * If we used snxt, the receiver might consider the ACK
5658 		 * unacceptable.
5659 		 */
5660 		U32_TO_ABE32((tcp->tcp_zero_win_probe) ?
5661 		    tcp->tcp_suna : tcp->tcp_snxt, tcph->th_seq);
5662 
5663 		/* Set up the TCP flag field. */
5664 		tcph->th_flags[0] = (uchar_t)TH_ACK;
5665 		if (tcp->tcp_ecn_echo_on)
5666 			tcph->th_flags[0] |= TH_ECE;
5667 
5668 		tcp->tcp_rack = tcp->tcp_rnxt;
5669 		tcp->tcp_rack_cnt = 0;
5670 
5671 		/* fill in timestamp option if in use */
5672 		if (tcp->tcp_snd_ts_ok) {
5673 			uint32_t llbolt = (uint32_t)prom_gettime();
5674 
5675 			U32_TO_BE32(llbolt,
5676 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
5677 			U32_TO_BE32(tcp->tcp_ts_recent,
5678 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
5679 		}
5680 
5681 		/* Fill in SACK options */
5682 		if (num_sack_blk > 0) {
5683 			uchar_t *wptr = (uchar_t *)tcph + tcp->tcp_tcp_hdr_len;
5684 			sack_blk_t *tmp;
5685 			int32_t	i;
5686 
5687 			wptr[0] = TCPOPT_NOP;
5688 			wptr[1] = TCPOPT_NOP;
5689 			wptr[2] = TCPOPT_SACK;
5690 			wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
5691 			    sizeof (sack_blk_t);
5692 			wptr += TCPOPT_REAL_SACK_LEN;
5693 
5694 			tmp = tcp->tcp_sack_list;
5695 			for (i = 0; i < num_sack_blk; i++) {
5696 				U32_TO_BE32(tmp[i].begin, wptr);
5697 				wptr += sizeof (tcp_seq);
5698 				U32_TO_BE32(tmp[i].end, wptr);
5699 				wptr += sizeof (tcp_seq);
5700 			}
5701 			tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1)
5702 			    << 4);
5703 		}
5704 
5705 		((struct ip *)rptr)->ip_len = htons(tcp_hdr_len);
5706 		tcp_set_cksum(mp1);
5707 		((struct ip *)rptr)->ip_ttl = (uint8_t)tcp_ipv4_ttl;
5708 		return (mp1);
5709 	}
5710 }
5711 
5712 /*
5713  * tcp_xmit_mp is called to return a pointer to an mblk chain complete with
5714  * ip and tcp header ready to pass down to IP.  If the mp passed in is
5715  * non-NULL, then up to max_to_send bytes of data will be dup'ed off that
5716  * mblk. (If sendall is not set the dup'ing will stop at an mblk boundary
5717  * otherwise it will dup partial mblks.)
5718  * Otherwise, an appropriate ACK packet will be generated.  This
5719  * routine is not usually called to send new data for the first time.  It
5720  * is mostly called out of the timer for retransmits, and to generate ACKs.
5721  *
5722  * If offset is not NULL, the returned mblk chain's first mblk's b_rptr will
5723  * be adjusted by *offset.  And after dupb(), the offset and the ending mblk
5724  * of the original mblk chain will be returned in *offset and *end_mp.
5725  */
5726 static mblk_t *
5727 tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
5728     mblk_t **end_mp, uint32_t seq, boolean_t sendall, uint32_t *seg_len,
5729     boolean_t rexmit)
5730 {
5731 	int	data_length;
5732 	int32_t	off = 0;
5733 	uint_t	flags;
5734 	mblk_t	*mp1;
5735 	mblk_t	*mp2;
5736 	mblk_t	*new_mp;
5737 	uchar_t	*rptr;
5738 	tcph_t	*tcph;
5739 	int32_t	num_sack_blk = 0;
5740 	int32_t	sack_opt_len = 0;
5741 
5742 	/* Allocate for our maximum TCP header + link-level */
5743 	mp1 = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
5744 	    tcp_wroff_xtra, 0);
5745 	if (mp1 == NULL)
5746 		return (NULL);
5747 	data_length = 0;
5748 
5749 	/*
5750 	 * Note that tcp_mss has been adjusted to take into account the
5751 	 * timestamp option if applicable.  Because SACK options do not
5752 	 * appear in every TCP segments and they are of variable lengths,
5753 	 * they cannot be included in tcp_mss.  Thus we need to calculate
5754 	 * the actual segment length when we need to send a segment which
5755 	 * includes SACK options.
5756 	 */
5757 	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
5758 		num_sack_blk = MIN(tcp->tcp_max_sack_blk,
5759 		    tcp->tcp_num_sack_blk);
5760 		sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
5761 		    TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
5762 		if (max_to_send + sack_opt_len > tcp->tcp_mss)
5763 			max_to_send -= sack_opt_len;
5764 	}
5765 
5766 	if (offset != NULL) {
5767 		off = *offset;
5768 		/* We use offset as an indicator that end_mp is not NULL. */
5769 		*end_mp = NULL;
5770 	}
5771 	for (mp2 = mp1; mp && data_length != max_to_send; mp = mp->b_cont) {
5772 		/* This could be faster with cooperation from downstream */
5773 		if (mp2 != mp1 && !sendall &&
5774 		    data_length + (int)(mp->b_wptr - mp->b_rptr) >
5775 		    max_to_send)
5776 			/*
5777 			 * Don't send the next mblk since the whole mblk
5778 			 * does not fit.
5779 			 */
5780 			break;
5781 		mp2->b_cont = dupb(mp);
5782 		mp2 = mp2->b_cont;
5783 		if (mp2 == NULL) {
5784 			freemsg(mp1);
5785 			return (NULL);
5786 		}
5787 		mp2->b_rptr += off;
5788 		assert((uintptr_t)(mp2->b_wptr - mp2->b_rptr) <=
5789 		    (uintptr_t)INT_MAX);
5790 
5791 		data_length += (int)(mp2->b_wptr - mp2->b_rptr);
5792 		if (data_length > max_to_send) {
5793 			mp2->b_wptr -= data_length - max_to_send;
5794 			data_length = max_to_send;
5795 			off = mp2->b_wptr - mp->b_rptr;
5796 			break;
5797 		} else {
5798 			off = 0;
5799 		}
5800 	}
5801 	if (offset != NULL) {
5802 		*offset = off;
5803 		*end_mp = mp;
5804 	}
5805 	if (seg_len != NULL) {
5806 		*seg_len = data_length;
5807 	}
5808 
5809 	rptr = mp1->b_rptr + tcp_wroff_xtra;
5810 	mp1->b_rptr = rptr;
5811 	mp1->b_wptr = rptr + tcp->tcp_hdr_len + sack_opt_len;
5812 	bcopy(tcp->tcp_iphc, rptr, tcp->tcp_hdr_len);
5813 	tcph = (tcph_t *)&rptr[tcp->tcp_ip_hdr_len];
5814 	U32_TO_ABE32(seq, tcph->th_seq);
5815 
5816 	/*
5817 	 * Use tcp_unsent to determine if the PUSH bit should be used assumes
5818 	 * that this function was called from tcp_wput_data. Thus, when called
5819 	 * to retransmit data the setting of the PUSH bit may appear some
5820 	 * what random in that it might get set when it should not. This
5821 	 * should not pose any performance issues.
5822 	 */
5823 	if (data_length != 0 && (tcp->tcp_unsent == 0 ||
5824 	    tcp->tcp_unsent == data_length)) {
5825 		flags = TH_ACK | TH_PUSH;
5826 	} else {
5827 		flags = TH_ACK;
5828 	}
5829 
5830 	if (tcp->tcp_ecn_ok) {
5831 		if (tcp->tcp_ecn_echo_on)
5832 			flags |= TH_ECE;
5833 
5834 		/*
5835 		 * Only set ECT bit and ECN_CWR if a segment contains new data.
5836 		 * There is no TCP flow control for non-data segments, and
5837 		 * only data segment is transmitted reliably.
5838 		 */
5839 		if (data_length > 0 && !rexmit) {
5840 			SET_ECT(tcp, rptr);
5841 			if (tcp->tcp_cwr && !tcp->tcp_ecn_cwr_sent) {
5842 				flags |= TH_CWR;
5843 				tcp->tcp_ecn_cwr_sent = B_TRUE;
5844 			}
5845 		}
5846 	}
5847 
5848 	if (tcp->tcp_valid_bits) {
5849 		uint32_t u1;
5850 
5851 		if ((tcp->tcp_valid_bits & TCP_ISS_VALID) &&
5852 		    seq == tcp->tcp_iss) {
5853 			uchar_t	*wptr;
5854 
5855 			/*
5856 			 * Tack on the MSS option.  It is always needed
5857 			 * for both active and passive open.
5858 			 */
5859 			wptr = mp1->b_wptr;
5860 			wptr[0] = TCPOPT_MAXSEG;
5861 			wptr[1] = TCPOPT_MAXSEG_LEN;
5862 			wptr += 2;
5863 			/*
5864 			 * MSS option value should be interface MTU - MIN
5865 			 * TCP/IP header.
5866 			 */
5867 			u1 = tcp->tcp_if_mtu - IP_SIMPLE_HDR_LENGTH -
5868 			    TCP_MIN_HEADER_LENGTH;
5869 			U16_TO_BE16(u1, wptr);
5870 			mp1->b_wptr = wptr + 2;
5871 			/* Update the offset to cover the additional word */
5872 			tcph->th_offset_and_rsrvd[0] += (1 << 4);
5873 
5874 			/*
5875 			 * Note that the following way of filling in
5876 			 * TCP options are not optimal.  Some NOPs can
5877 			 * be saved.  But there is no need at this time
5878 			 * to optimize it.  When it is needed, we will
5879 			 * do it.
5880 			 */
5881 			switch (tcp->tcp_state) {
5882 			case TCPS_SYN_SENT:
5883 				flags = TH_SYN;
5884 
5885 				if (tcp->tcp_snd_ws_ok) {
5886 					wptr = mp1->b_wptr;
5887 					wptr[0] =  TCPOPT_NOP;
5888 					wptr[1] =  TCPOPT_WSCALE;
5889 					wptr[2] =  TCPOPT_WS_LEN;
5890 					wptr[3] = (uchar_t)tcp->tcp_rcv_ws;
5891 					mp1->b_wptr += TCPOPT_REAL_WS_LEN;
5892 					tcph->th_offset_and_rsrvd[0] +=
5893 					    (1 << 4);
5894 				}
5895 
5896 				if (tcp->tcp_snd_ts_ok) {
5897 					uint32_t llbolt;
5898 
5899 					llbolt = prom_gettime();
5900 					wptr = mp1->b_wptr;
5901 					wptr[0] = TCPOPT_NOP;
5902 					wptr[1] = TCPOPT_NOP;
5903 					wptr[2] = TCPOPT_TSTAMP;
5904 					wptr[3] = TCPOPT_TSTAMP_LEN;
5905 					wptr += 4;
5906 					U32_TO_BE32(llbolt, wptr);
5907 					wptr += 4;
5908 					assert(tcp->tcp_ts_recent == 0);
5909 					U32_TO_BE32(0L, wptr);
5910 					mp1->b_wptr += TCPOPT_REAL_TS_LEN;
5911 					tcph->th_offset_and_rsrvd[0] +=
5912 					    (3 << 4);
5913 				}
5914 
5915 				if (tcp->tcp_snd_sack_ok) {
5916 					wptr = mp1->b_wptr;
5917 					wptr[0] = TCPOPT_NOP;
5918 					wptr[1] = TCPOPT_NOP;
5919 					wptr[2] = TCPOPT_SACK_PERMITTED;
5920 					wptr[3] = TCPOPT_SACK_OK_LEN;
5921 					mp1->b_wptr += TCPOPT_REAL_SACK_OK_LEN;
5922 					tcph->th_offset_and_rsrvd[0] +=
5923 					    (1 << 4);
5924 				}
5925 
5926 				/*
5927 				 * Set up all the bits to tell other side
5928 				 * we are ECN capable.
5929 				 */
5930 				if (tcp->tcp_ecn_ok) {
5931 					flags |= (TH_ECE | TH_CWR);
5932 				}
5933 				break;
5934 			case TCPS_SYN_RCVD:
5935 				flags |= TH_SYN;
5936 
5937 				if (tcp->tcp_snd_ws_ok) {
5938 				    wptr = mp1->b_wptr;
5939 				    wptr[0] =  TCPOPT_NOP;
5940 				    wptr[1] =  TCPOPT_WSCALE;
5941 				    wptr[2] =  TCPOPT_WS_LEN;
5942 				    wptr[3] = (uchar_t)tcp->tcp_rcv_ws;
5943 				    mp1->b_wptr += TCPOPT_REAL_WS_LEN;
5944 				    tcph->th_offset_and_rsrvd[0] += (1 << 4);
5945 				}
5946 
5947 				if (tcp->tcp_snd_sack_ok) {
5948 					wptr = mp1->b_wptr;
5949 					wptr[0] = TCPOPT_NOP;
5950 					wptr[1] = TCPOPT_NOP;
5951 					wptr[2] = TCPOPT_SACK_PERMITTED;
5952 					wptr[3] = TCPOPT_SACK_OK_LEN;
5953 					mp1->b_wptr += TCPOPT_REAL_SACK_OK_LEN;
5954 					tcph->th_offset_and_rsrvd[0] +=
5955 					    (1 << 4);
5956 				}
5957 
5958 				/*
5959 				 * If the other side is ECN capable, reply
5960 				 * that we are also ECN capable.
5961 				 */
5962 				if (tcp->tcp_ecn_ok) {
5963 					flags |= TH_ECE;
5964 				}
5965 				break;
5966 			default:
5967 				break;
5968 			}
5969 			/* allocb() of adequate mblk assures space */
5970 			assert((uintptr_t)(mp1->b_wptr -
5971 			    mp1->b_rptr) <= (uintptr_t)INT_MAX);
5972 			if (flags & TH_SYN)
5973 				BUMP_MIB(tcp_mib.tcpOutControl);
5974 		}
5975 		if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
5976 		    (seq + data_length) == tcp->tcp_fss) {
5977 			if (!tcp->tcp_fin_acked) {
5978 				flags |= TH_FIN;
5979 				BUMP_MIB(tcp_mib.tcpOutControl);
5980 			}
5981 			if (!tcp->tcp_fin_sent) {
5982 				tcp->tcp_fin_sent = B_TRUE;
5983 				switch (tcp->tcp_state) {
5984 				case TCPS_SYN_RCVD:
5985 				case TCPS_ESTABLISHED:
5986 					tcp->tcp_state = TCPS_FIN_WAIT_1;
5987 					break;
5988 				case TCPS_CLOSE_WAIT:
5989 					tcp->tcp_state = TCPS_LAST_ACK;
5990 					break;
5991 				}
5992 				if (tcp->tcp_suna == tcp->tcp_snxt)
5993 					TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
5994 				tcp->tcp_snxt = tcp->tcp_fss + 1;
5995 			}
5996 		}
5997 	}
5998 	tcph->th_flags[0] = (uchar_t)flags;
5999 	tcp->tcp_rack = tcp->tcp_rnxt;
6000 	tcp->tcp_rack_cnt = 0;
6001 
6002 	if (tcp->tcp_snd_ts_ok) {
6003 		if (tcp->tcp_state != TCPS_SYN_SENT) {
6004 			uint32_t llbolt = prom_gettime();
6005 
6006 			U32_TO_BE32(llbolt,
6007 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
6008 			U32_TO_BE32(tcp->tcp_ts_recent,
6009 			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
6010 		}
6011 	}
6012 
6013 	if (num_sack_blk > 0) {
6014 		uchar_t *wptr = (uchar_t *)tcph + tcp->tcp_tcp_hdr_len;
6015 		sack_blk_t *tmp;
6016 		int32_t	i;
6017 
6018 		wptr[0] = TCPOPT_NOP;
6019 		wptr[1] = TCPOPT_NOP;
6020 		wptr[2] = TCPOPT_SACK;
6021 		wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
6022 		    sizeof (sack_blk_t);
6023 		wptr += TCPOPT_REAL_SACK_LEN;
6024 
6025 		tmp = tcp->tcp_sack_list;
6026 		for (i = 0; i < num_sack_blk; i++) {
6027 			U32_TO_BE32(tmp[i].begin, wptr);
6028 			wptr += sizeof (tcp_seq);
6029 			U32_TO_BE32(tmp[i].end, wptr);
6030 			wptr += sizeof (tcp_seq);
6031 		}
6032 		tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1) << 4);
6033 	}
6034 	assert((uintptr_t)(mp1->b_wptr - rptr) <= (uintptr_t)INT_MAX);
6035 	data_length += (int)(mp1->b_wptr - rptr);
6036 	if (tcp->tcp_ipversion == IPV4_VERSION)
6037 		((struct ip *)rptr)->ip_len = htons(data_length);
6038 
6039 	/*
6040 	 * Performance hit!  We need to pullup the whole message
6041 	 * in order to do checksum and for the MAC output routine.
6042 	 */
6043 	if (mp1->b_cont != NULL) {
6044 		int mp_size;
6045 #ifdef DEBUG
6046 		printf("Multiple mblk %d\n", msgdsize(mp1));
6047 #endif
6048 		mp2 = mp1;
6049 		new_mp = allocb(msgdsize(mp1) + tcp_wroff_xtra, 0);
6050 		new_mp->b_rptr += tcp_wroff_xtra;
6051 		new_mp->b_wptr = new_mp->b_rptr;
6052 		while (mp1 != NULL) {
6053 			mp_size = mp1->b_wptr - mp1->b_rptr;
6054 			bcopy(mp1->b_rptr, new_mp->b_wptr, mp_size);
6055 			new_mp->b_wptr += mp_size;
6056 			mp1 = mp1->b_cont;
6057 		}
6058 		freemsg(mp2);
6059 		mp1 = new_mp;
6060 	}
6061 	tcp_set_cksum(mp1);
6062 	/* Fill in the TTL field as it is 0 in the header template. */
6063 	((struct ip *)mp1->b_rptr)->ip_ttl = (uint8_t)tcp_ipv4_ttl;
6064 
6065 	return (mp1);
6066 }
6067 
6068 /*
6069  * Generate a "no listener here" reset in response to the
6070  * connection request contained within 'mp'
6071  */
6072 static void
6073 tcp_xmit_listeners_reset(int sock_id, mblk_t *mp, uint_t ip_hdr_len)
6074 {
6075 	uchar_t		*rptr;
6076 	uint32_t	seg_len;
6077 	tcph_t		*tcph;
6078 	uint32_t	seg_seq;
6079 	uint32_t	seg_ack;
6080 	uint_t		flags;
6081 
6082 	rptr = mp->b_rptr;
6083 
6084 	tcph = (tcph_t *)&rptr[ip_hdr_len];
6085 	seg_seq = BE32_TO_U32(tcph->th_seq);
6086 	seg_ack = BE32_TO_U32(tcph->th_ack);
6087 	flags = tcph->th_flags[0];
6088 
6089 	seg_len = msgdsize(mp) - (TCP_HDR_LENGTH(tcph) + ip_hdr_len);
6090 	if (flags & TH_RST) {
6091 		freeb(mp);
6092 	} else if (flags & TH_ACK) {
6093 		tcp_xmit_early_reset("no tcp, reset",
6094 		    sock_id, mp, seg_ack, 0, TH_RST, ip_hdr_len);
6095 	} else {
6096 		if (flags & TH_SYN)
6097 			seg_len++;
6098 		tcp_xmit_early_reset("no tcp, reset/ack", sock_id,
6099 		    mp, 0, seg_seq + seg_len,
6100 		    TH_RST | TH_ACK, ip_hdr_len);
6101 	}
6102 }
6103 
6104 /* Non overlapping byte exchanger */
6105 static void
6106 tcp_xchg(uchar_t *a, uchar_t *b, int len)
6107 {
6108 	uchar_t	uch;
6109 
6110 	while (len-- > 0) {
6111 		uch = a[len];
6112 		a[len] = b[len];
6113 		b[len] = uch;
6114 	}
6115 }
6116 
6117 /*
6118  * Generate a reset based on an inbound packet for which there is no active
6119  * tcp state that we can find.
6120  */
6121 static void
6122 tcp_xmit_early_reset(char *str, int sock_id, mblk_t *mp, uint32_t seq,
6123     uint32_t ack, int ctl, uint_t ip_hdr_len)
6124 {
6125 	struct ip	*iph = NULL;
6126 	ushort_t	len;
6127 	tcph_t		*tcph;
6128 	int		i;
6129 	ipaddr_t	addr;
6130 	mblk_t		*new_mp;
6131 
6132 	if (str != NULL) {
6133 		dprintf("tcp_xmit_early_reset: '%s', seq 0x%x, ack 0x%x, "
6134 		    "flags 0x%x\n", str, seq, ack, ctl);
6135 	}
6136 
6137 	/*
6138 	 * We skip reversing source route here.
6139 	 * (for now we replace all IP options with EOL)
6140 	 */
6141 	iph = (struct ip *)mp->b_rptr;
6142 	for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
6143 		mp->b_rptr[i] = IPOPT_EOL;
6144 	/*
6145 	 * Make sure that src address is not a limited broadcast
6146 	 * address. Not all broadcast address checking for the
6147 	 * src address is possible, since we don't know the
6148 	 * netmask of the src addr.
6149 	 * No check for destination address is done, since
6150 	 * IP will not pass up a packet with a broadcast dest address
6151 	 * to TCP.
6152 	 */
6153 	if (iph->ip_src.s_addr == INADDR_ANY ||
6154 	    iph->ip_src.s_addr == INADDR_BROADCAST) {
6155 		freemsg(mp);
6156 		return;
6157 	}
6158 
6159 	tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
6160 	if (tcph->th_flags[0] & TH_RST) {
6161 		freemsg(mp);
6162 		return;
6163 	}
6164 	/*
6165 	 * Now copy the original header to a new buffer.  The reason
6166 	 * for doing this is that we need to put extra room before
6167 	 * the header for the MAC layer address.  The original mblk
6168 	 * does not have this extra head room.
6169 	 */
6170 	len = ip_hdr_len + sizeof (tcph_t);
6171 	if ((new_mp = allocb(len + tcp_wroff_xtra, 0)) == NULL) {
6172 		freemsg(mp);
6173 		return;
6174 	}
6175 	new_mp->b_rptr += tcp_wroff_xtra;
6176 	bcopy(mp->b_rptr, new_mp->b_rptr, len);
6177 	new_mp->b_wptr = new_mp->b_rptr + len;
6178 	freemsg(mp);
6179 	mp = new_mp;
6180 	iph = (struct ip *)mp->b_rptr;
6181 	tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
6182 
6183 	tcph->th_offset_and_rsrvd[0] = (5 << 4);
6184 	tcp_xchg(tcph->th_fport, tcph->th_lport, 2);
6185 	U32_TO_BE32(ack, tcph->th_ack);
6186 	U32_TO_BE32(seq, tcph->th_seq);
6187 	U16_TO_BE16(0, tcph->th_win);
6188 	bzero(tcph->th_sum, sizeof (int16_t));
6189 	tcph->th_flags[0] = (uint8_t)ctl;
6190 	if (ctl & TH_RST) {
6191 		BUMP_MIB(tcp_mib.tcpOutRsts);
6192 		BUMP_MIB(tcp_mib.tcpOutControl);
6193 	}
6194 
6195 	iph->ip_len = htons(len);
6196 	/* Swap addresses */
6197 	addr = iph->ip_src.s_addr;
6198 	iph->ip_src = iph->ip_dst;
6199 	iph->ip_dst.s_addr = addr;
6200 	iph->ip_id = 0;
6201 	iph->ip_ttl = 0;
6202 	tcp_set_cksum(mp);
6203 	iph->ip_ttl = (uint8_t)tcp_ipv4_ttl;
6204 
6205 	/* Dump the packet when debugging. */
6206 	TCP_DUMP_PACKET("tcp_xmit_early_reset", mp);
6207 	(void) ipv4_tcp_output(sock_id, mp);
6208 	freemsg(mp);
6209 }
6210 
6211 static void
6212 tcp_set_cksum(mblk_t *mp)
6213 {
6214 	struct ip *iph;
6215 	tcpha_t *tcph;
6216 	int len;
6217 
6218 	iph = (struct ip *)mp->b_rptr;
6219 	tcph = (tcpha_t *)(iph + 1);
6220 	len = ntohs(iph->ip_len);
6221 	/*
6222 	 * Calculate the TCP checksum.  Need to include the psuedo header,
6223 	 * which is similar to the real IP header starting at the TTL field.
6224 	 */
6225 	iph->ip_sum = htons(len - IP_SIMPLE_HDR_LENGTH);
6226 	tcph->tha_sum = 0;
6227 	tcph->tha_sum = tcp_cksum((uint16_t *)&(iph->ip_ttl),
6228 	    len - IP_SIMPLE_HDR_LENGTH + 12);
6229 	iph->ip_sum = 0;
6230 }
6231 
6232 static uint16_t
6233 tcp_cksum(uint16_t *buf, uint32_t len)
6234 {
6235 	/*
6236 	 * Compute Internet Checksum for "count" bytes
6237 	 * beginning at location "addr".
6238 	 */
6239 	int32_t sum = 0;
6240 
6241 	while (len > 1) {
6242 		/*  This is the inner loop */
6243 		sum += *buf++;
6244 		len -= 2;
6245 	}
6246 
6247 	/*  Add left-over byte, if any */
6248 	if (len > 0)
6249 		sum += *(unsigned char *)buf * 256;
6250 
6251 	/*  Fold 32-bit sum to 16 bits */
6252 	while (sum >> 16)
6253 		sum = (sum & 0xffff) + (sum >> 16);
6254 
6255 	return ((uint16_t)~sum);
6256 }
6257 
6258 /*
6259  * Type three generator adapted from the random() function in 4.4 BSD:
6260  */
6261 
6262 /*
6263  * Copyright (c) 1983, 1993
6264  *	The Regents of the University of California.  All rights reserved.
6265  *
6266  * Redistribution and use in source and binary forms, with or without
6267  * modification, are permitted provided that the following conditions
6268  * are met:
6269  * 1. Redistributions of source code must retain the above copyright
6270  *    notice, this list of conditions and the following disclaimer.
6271  * 2. Redistributions in binary form must reproduce the above copyright
6272  *    notice, this list of conditions and the following disclaimer in the
6273  *    documentation and/or other materials provided with the distribution.
6274  * 3. All advertising materials mentioning features or use of this software
6275  *    must display the following acknowledgement:
6276  *	This product includes software developed by the University of
6277  *	California, Berkeley and its contributors.
6278  * 4. Neither the name of the University nor the names of its contributors
6279  *    may be used to endorse or promote products derived from this software
6280  *    without specific prior written permission.
6281  *
6282  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
6283  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
6284  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
6285  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
6286  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
6287  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
6288  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
6289  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
6290  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
6291  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
6292  * SUCH DAMAGE.
6293  */
6294 
6295 /* Type 3 -- x**31 + x**3 + 1 */
6296 #define	DEG_3		31
6297 #define	SEP_3		3
6298 
6299 
6300 /* Protected by tcp_random_lock */
6301 static int tcp_randtbl[DEG_3 + 1];
6302 
6303 static int *tcp_random_fptr = &tcp_randtbl[SEP_3 + 1];
6304 static int *tcp_random_rptr = &tcp_randtbl[1];
6305 
6306 static int *tcp_random_state = &tcp_randtbl[1];
6307 static int *tcp_random_end_ptr = &tcp_randtbl[DEG_3 + 1];
6308 
6309 static void
6310 tcp_random_init(void)
6311 {
6312 	int i;
6313 	uint32_t hrt;
6314 	uint32_t wallclock;
6315 	uint32_t result;
6316 
6317 	/*
6318 	 *
6319 	 * XXX We don't have high resolution time in standalone...  The
6320 	 * following is just some approximation on the comment below.
6321 	 *
6322 	 * Use high-res timer and current time for seed.  Gethrtime() returns
6323 	 * a longlong, which may contain resolution down to nanoseconds.
6324 	 * The current time will either be a 32-bit or a 64-bit quantity.
6325 	 * XOR the two together in a 64-bit result variable.
6326 	 * Convert the result to a 32-bit value by multiplying the high-order
6327 	 * 32-bits by the low-order 32-bits.
6328 	 *
6329 	 * XXX We don't have gethrtime() in prom and the wallclock....
6330 	 */
6331 
6332 	hrt = prom_gettime();
6333 	wallclock = (uint32_t)time(NULL);
6334 	result = wallclock ^ hrt;
6335 	tcp_random_state[0] = result;
6336 
6337 	for (i = 1; i < DEG_3; i++)
6338 		tcp_random_state[i] = 1103515245 * tcp_random_state[i - 1]
6339 			+ 12345;
6340 	tcp_random_fptr = &tcp_random_state[SEP_3];
6341 	tcp_random_rptr = &tcp_random_state[0];
6342 	for (i = 0; i < 10 * DEG_3; i++)
6343 		(void) tcp_random();
6344 }
6345 
6346 /*
6347  * tcp_random: Return a random number in the range [1 - (128K + 1)].
6348  * This range is selected to be approximately centered on TCP_ISS / 2,
6349  * and easy to compute. We get this value by generating a 32-bit random
6350  * number, selecting out the high-order 17 bits, and then adding one so
6351  * that we never return zero.
6352  */
6353 static int
6354 tcp_random(void)
6355 {
6356 	int i;
6357 
6358 	*tcp_random_fptr += *tcp_random_rptr;
6359 
6360 	/*
6361 	 * The high-order bits are more random than the low-order bits,
6362 	 * so we select out the high-order 17 bits and add one so that
6363 	 * we never return zero.
6364 	 */
6365 	i = ((*tcp_random_fptr >> 15) & 0x1ffff) + 1;
6366 	if (++tcp_random_fptr >= tcp_random_end_ptr) {
6367 		tcp_random_fptr = tcp_random_state;
6368 		++tcp_random_rptr;
6369 	} else if (++tcp_random_rptr >= tcp_random_end_ptr)
6370 		tcp_random_rptr = tcp_random_state;
6371 
6372 	return (i);
6373 }
6374 
6375 /*
6376  * Generate ISS, taking into account NDD changes may happen halfway through.
6377  * (If the iss is not zero, set it.)
6378  */
6379 static void
6380 tcp_iss_init(tcp_t *tcp)
6381 {
6382 	tcp_iss_incr_extra += (ISS_INCR >> 1);
6383 	tcp->tcp_iss = tcp_iss_incr_extra;
6384 	tcp->tcp_iss += (prom_gettime() >> ISS_NSEC_SHT) + tcp_random();
6385 	tcp->tcp_valid_bits = TCP_ISS_VALID;
6386 	tcp->tcp_fss = tcp->tcp_iss - 1;
6387 	tcp->tcp_suna = tcp->tcp_iss;
6388 	tcp->tcp_snxt = tcp->tcp_iss + 1;
6389 	tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
6390 	tcp->tcp_csuna = tcp->tcp_snxt;
6391 }
6392 
6393 /*
6394  * Diagnostic routine used to return a string associated with the tcp state.
6395  * Note that if the caller does not supply a buffer, it will use an internal
6396  * static string.  This means that if multiple threads call this function at
6397  * the same time, output can be corrupted...  Note also that this function
6398  * does not check the size of the supplied buffer.  The caller has to make
6399  * sure that it is big enough.
6400  */
6401 static char *
6402 tcp_display(tcp_t *tcp, char *sup_buf, char format)
6403 {
6404 	char		buf1[30];
6405 	static char	priv_buf[INET_ADDRSTRLEN * 2 + 80];
6406 	char		*buf;
6407 	char		*cp;
6408 	char		local_addrbuf[INET_ADDRSTRLEN];
6409 	char		remote_addrbuf[INET_ADDRSTRLEN];
6410 	struct in_addr	addr;
6411 
6412 	if (sup_buf != NULL)
6413 		buf = sup_buf;
6414 	else
6415 		buf = priv_buf;
6416 
6417 	if (tcp == NULL)
6418 		return ("NULL_TCP");
6419 	switch (tcp->tcp_state) {
6420 	case TCPS_CLOSED:
6421 		cp = "TCP_CLOSED";
6422 		break;
6423 	case TCPS_IDLE:
6424 		cp = "TCP_IDLE";
6425 		break;
6426 	case TCPS_BOUND:
6427 		cp = "TCP_BOUND";
6428 		break;
6429 	case TCPS_LISTEN:
6430 		cp = "TCP_LISTEN";
6431 		break;
6432 	case TCPS_SYN_SENT:
6433 		cp = "TCP_SYN_SENT";
6434 		break;
6435 	case TCPS_SYN_RCVD:
6436 		cp = "TCP_SYN_RCVD";
6437 		break;
6438 	case TCPS_ESTABLISHED:
6439 		cp = "TCP_ESTABLISHED";
6440 		break;
6441 	case TCPS_CLOSE_WAIT:
6442 		cp = "TCP_CLOSE_WAIT";
6443 		break;
6444 	case TCPS_FIN_WAIT_1:
6445 		cp = "TCP_FIN_WAIT_1";
6446 		break;
6447 	case TCPS_CLOSING:
6448 		cp = "TCP_CLOSING";
6449 		break;
6450 	case TCPS_LAST_ACK:
6451 		cp = "TCP_LAST_ACK";
6452 		break;
6453 	case TCPS_FIN_WAIT_2:
6454 		cp = "TCP_FIN_WAIT_2";
6455 		break;
6456 	case TCPS_TIME_WAIT:
6457 		cp = "TCP_TIME_WAIT";
6458 		break;
6459 	default:
6460 		(void) sprintf(buf1, "TCPUnkState(%d)", tcp->tcp_state);
6461 		cp = buf1;
6462 		break;
6463 	}
6464 	switch (format) {
6465 	case DISP_ADDR_AND_PORT:
6466 		/*
6467 		 * Note that we use the remote address in the tcp_b
6468 		 * structure.  This means that it will print out
6469 		 * the real destination address, not the next hop's
6470 		 * address if source routing is used.
6471 		 */
6472 		addr.s_addr = tcp->tcp_bound_source;
6473 		bcopy(inet_ntoa(addr), local_addrbuf, sizeof (local_addrbuf));
6474 		addr.s_addr = tcp->tcp_remote;
6475 		bcopy(inet_ntoa(addr), remote_addrbuf, sizeof (remote_addrbuf));
6476 		(void) snprintf(buf, sizeof (priv_buf), "[%s.%u, %s.%u] %s",
6477 		    local_addrbuf, ntohs(tcp->tcp_lport), remote_addrbuf,
6478 		    ntohs(tcp->tcp_fport), cp);
6479 		break;
6480 	case DISP_PORT_ONLY:
6481 	default:
6482 		(void) snprintf(buf, sizeof (priv_buf), "[%u, %u] %s",
6483 		    ntohs(tcp->tcp_lport), ntohs(tcp->tcp_fport), cp);
6484 		break;
6485 	}
6486 
6487 	return (buf);
6488 }
6489 
6490 /*
6491  * Add a new piece to the tcp reassembly queue.  If the gap at the beginning
6492  * is filled, return as much as we can.  The message passed in may be
6493  * multi-part, chained using b_cont.  "start" is the starting sequence
6494  * number for this piece.
6495  */
6496 static mblk_t *
6497 tcp_reass(tcp_t *tcp, mblk_t *mp, uint32_t start)
6498 {
6499 	uint32_t	end;
6500 	mblk_t		*mp1;
6501 	mblk_t		*mp2;
6502 	mblk_t		*next_mp;
6503 	uint32_t	u1;
6504 
6505 	/* Walk through all the new pieces. */
6506 	do {
6507 		assert((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
6508 		    (uintptr_t)INT_MAX);
6509 		end = start + (int)(mp->b_wptr - mp->b_rptr);
6510 		next_mp = mp->b_cont;
6511 		if (start == end) {
6512 			/* Empty.  Blast it. */
6513 			freeb(mp);
6514 			continue;
6515 		}
6516 		mp->b_cont = NULL;
6517 		TCP_REASS_SET_SEQ(mp, start);
6518 		TCP_REASS_SET_END(mp, end);
6519 		mp1 = tcp->tcp_reass_tail;
6520 		if (!mp1) {
6521 			tcp->tcp_reass_tail = mp;
6522 			tcp->tcp_reass_head = mp;
6523 			BUMP_MIB(tcp_mib.tcpInDataUnorderSegs);
6524 			UPDATE_MIB(tcp_mib.tcpInDataUnorderBytes, end - start);
6525 			continue;
6526 		}
6527 		/* New stuff completely beyond tail? */
6528 		if (SEQ_GEQ(start, TCP_REASS_END(mp1))) {
6529 			/* Link it on end. */
6530 			mp1->b_cont = mp;
6531 			tcp->tcp_reass_tail = mp;
6532 			BUMP_MIB(tcp_mib.tcpInDataUnorderSegs);
6533 			UPDATE_MIB(tcp_mib.tcpInDataUnorderBytes, end - start);
6534 			continue;
6535 		}
6536 		mp1 = tcp->tcp_reass_head;
6537 		u1 = TCP_REASS_SEQ(mp1);
6538 		/* New stuff at the front? */
6539 		if (SEQ_LT(start, u1)) {
6540 			/* Yes... Check for overlap. */
6541 			mp->b_cont = mp1;
6542 			tcp->tcp_reass_head = mp;
6543 			tcp_reass_elim_overlap(tcp, mp);
6544 			continue;
6545 		}
6546 		/*
6547 		 * The new piece fits somewhere between the head and tail.
6548 		 * We find our slot, where mp1 precedes us and mp2 trails.
6549 		 */
6550 		for (; (mp2 = mp1->b_cont) != NULL; mp1 = mp2) {
6551 			u1 = TCP_REASS_SEQ(mp2);
6552 			if (SEQ_LEQ(start, u1))
6553 				break;
6554 		}
6555 		/* Link ourselves in */
6556 		mp->b_cont = mp2;
6557 		mp1->b_cont = mp;
6558 
6559 		/* Trim overlap with following mblk(s) first */
6560 		tcp_reass_elim_overlap(tcp, mp);
6561 
6562 		/* Trim overlap with preceding mblk */
6563 		tcp_reass_elim_overlap(tcp, mp1);
6564 
6565 	} while (start = end, mp = next_mp);
6566 	mp1 = tcp->tcp_reass_head;
6567 	/* Anything ready to go? */
6568 	if (TCP_REASS_SEQ(mp1) != tcp->tcp_rnxt)
6569 		return (NULL);
6570 	/* Eat what we can off the queue */
6571 	for (;;) {
6572 		mp = mp1->b_cont;
6573 		end = TCP_REASS_END(mp1);
6574 		TCP_REASS_SET_SEQ(mp1, 0);
6575 		TCP_REASS_SET_END(mp1, 0);
6576 		if (!mp) {
6577 			tcp->tcp_reass_tail = NULL;
6578 			break;
6579 		}
6580 		if (end != TCP_REASS_SEQ(mp)) {
6581 			mp1->b_cont = NULL;
6582 			break;
6583 		}
6584 		mp1 = mp;
6585 	}
6586 	mp1 = tcp->tcp_reass_head;
6587 	tcp->tcp_reass_head = mp;
6588 	return (mp1);
6589 }
6590 
6591 /* Eliminate any overlap that mp may have over later mblks */
6592 static void
6593 tcp_reass_elim_overlap(tcp_t *tcp, mblk_t *mp)
6594 {
6595 	uint32_t	end;
6596 	mblk_t		*mp1;
6597 	uint32_t	u1;
6598 
6599 	end = TCP_REASS_END(mp);
6600 	while ((mp1 = mp->b_cont) != NULL) {
6601 		u1 = TCP_REASS_SEQ(mp1);
6602 		if (!SEQ_GT(end, u1))
6603 			break;
6604 		if (!SEQ_GEQ(end, TCP_REASS_END(mp1))) {
6605 			mp->b_wptr -= end - u1;
6606 			TCP_REASS_SET_END(mp, u1);
6607 			BUMP_MIB(tcp_mib.tcpInDataPartDupSegs);
6608 			UPDATE_MIB(tcp_mib.tcpInDataPartDupBytes, end - u1);
6609 			break;
6610 		}
6611 		mp->b_cont = mp1->b_cont;
6612 		freeb(mp1);
6613 		BUMP_MIB(tcp_mib.tcpInDataDupSegs);
6614 		UPDATE_MIB(tcp_mib.tcpInDataDupBytes, end - u1);
6615 	}
6616 	if (!mp1)
6617 		tcp->tcp_reass_tail = mp;
6618 }
6619 
6620 /*
6621  * Remove a connection from the list of detached TIME_WAIT connections.
6622  */
6623 static void
6624 tcp_time_wait_remove(tcp_t *tcp)
6625 {
6626 	if (tcp->tcp_time_wait_expire == 0) {
6627 		assert(tcp->tcp_time_wait_next == NULL);
6628 		assert(tcp->tcp_time_wait_prev == NULL);
6629 		return;
6630 	}
6631 	assert(tcp->tcp_state == TCPS_TIME_WAIT);
6632 	if (tcp == tcp_time_wait_head) {
6633 		assert(tcp->tcp_time_wait_prev == NULL);
6634 		tcp_time_wait_head = tcp->tcp_time_wait_next;
6635 		if (tcp_time_wait_head != NULL) {
6636 			tcp_time_wait_head->tcp_time_wait_prev = NULL;
6637 		} else {
6638 			tcp_time_wait_tail = NULL;
6639 		}
6640 	} else if (tcp == tcp_time_wait_tail) {
6641 		assert(tcp != tcp_time_wait_head);
6642 		assert(tcp->tcp_time_wait_next == NULL);
6643 		tcp_time_wait_tail = tcp->tcp_time_wait_prev;
6644 		assert(tcp_time_wait_tail != NULL);
6645 		tcp_time_wait_tail->tcp_time_wait_next = NULL;
6646 	} else {
6647 		assert(tcp->tcp_time_wait_prev->tcp_time_wait_next == tcp);
6648 		assert(tcp->tcp_time_wait_next->tcp_time_wait_prev == tcp);
6649 		tcp->tcp_time_wait_prev->tcp_time_wait_next =
6650 		    tcp->tcp_time_wait_next;
6651 		tcp->tcp_time_wait_next->tcp_time_wait_prev =
6652 		    tcp->tcp_time_wait_prev;
6653 	}
6654 	tcp->tcp_time_wait_next = NULL;
6655 	tcp->tcp_time_wait_prev = NULL;
6656 	tcp->tcp_time_wait_expire = 0;
6657 }
6658 
6659 /*
6660  * Add a connection to the list of detached TIME_WAIT connections
6661  * and set its time to expire ...
6662  */
6663 static void
6664 tcp_time_wait_append(tcp_t *tcp)
6665 {
6666 	tcp->tcp_time_wait_expire = prom_gettime() + tcp_time_wait_interval;
6667 	if (tcp->tcp_time_wait_expire == 0)
6668 		tcp->tcp_time_wait_expire = 1;
6669 
6670 	if (tcp_time_wait_head == NULL) {
6671 		assert(tcp_time_wait_tail == NULL);
6672 		tcp_time_wait_head = tcp;
6673 	} else {
6674 		assert(tcp_time_wait_tail != NULL);
6675 		assert(tcp_time_wait_tail->tcp_state == TCPS_TIME_WAIT);
6676 		tcp_time_wait_tail->tcp_time_wait_next = tcp;
6677 		tcp->tcp_time_wait_prev = tcp_time_wait_tail;
6678 	}
6679 	tcp_time_wait_tail = tcp;
6680 
6681 	/* for ndd stats about compression */
6682 	tcp_cum_timewait++;
6683 }
6684 
6685 /*
6686  * Periodic qtimeout routine run on the default queue.
6687  * Performs 2 functions.
6688  * 	1.  Does TIME_WAIT compression on all recently added tcps. List
6689  *	    traversal is done backwards from the tail.
6690  *	2.  Blows away all tcps whose TIME_WAIT has expired. List traversal
6691  *	    is done forwards from the head.
6692  */
6693 void
6694 tcp_time_wait_collector(void)
6695 {
6696 	tcp_t *tcp;
6697 	uint32_t now;
6698 
6699 	/*
6700 	 * In order to reap time waits reliably, we should use a
6701 	 * source of time that is not adjustable by the user
6702 	 */
6703 	now = prom_gettime();
6704 	while ((tcp = tcp_time_wait_head) != NULL) {
6705 		/*
6706 		 * Compare times using modular arithmetic, since
6707 		 * lbolt can wrapover.
6708 		 */
6709 		if ((int32_t)(now - tcp->tcp_time_wait_expire) < 0) {
6710 			break;
6711 		}
6712 		/*
6713 		 * Note that the err must be 0 as there is no socket
6714 		 * associated with this TCP...
6715 		 */
6716 		(void) tcp_clean_death(-1, tcp, 0);
6717 	}
6718 	/* Schedule next run time. */
6719 	tcp_time_wait_runtime = prom_gettime() + 10000;
6720 }
6721 
6722 void
6723 tcp_time_wait_report(void)
6724 {
6725 	tcp_t *tcp;
6726 
6727 	printf("Current time %u\n", prom_gettime());
6728 	for (tcp = tcp_time_wait_head; tcp != NULL;
6729 	    tcp = tcp->tcp_time_wait_next) {
6730 		printf("%s expires at %u\n", tcp_display(tcp, NULL,
6731 		    DISP_ADDR_AND_PORT), tcp->tcp_time_wait_expire);
6732 	}
6733 }
6734 
6735 /*
6736  * Send up all messages queued on tcp_rcv_list.
6737  * Have to set tcp_co_norm since we use putnext.
6738  */
6739 static void
6740 tcp_rcv_drain(int sock_id, tcp_t *tcp)
6741 {
6742 	mblk_t *mp;
6743 	struct inetgram *in_gram;
6744 	mblk_t *in_mp;
6745 	int len;
6746 
6747 	/* Don't drain if the app has not finished reading all the data. */
6748 	if (sockets[sock_id].so_rcvbuf <= 0)
6749 		return;
6750 
6751 	/* We might have come here just to updated the rwnd */
6752 	if (tcp->tcp_rcv_list == NULL)
6753 		goto win_update;
6754 
6755 	if ((in_gram = (struct inetgram *)bkmem_zalloc(
6756 	    sizeof (struct inetgram))) == NULL) {
6757 		return;
6758 	}
6759 	if ((in_mp = allocb(tcp->tcp_rcv_cnt, 0)) == NULL) {
6760 		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
6761 		return;
6762 	}
6763 	in_gram->igm_level = APP_LVL;
6764 	in_gram->igm_mp = in_mp;
6765 	in_gram->igm_id = 0;
6766 
6767 	while ((mp = tcp->tcp_rcv_list) != NULL) {
6768 		tcp->tcp_rcv_list = mp->b_cont;
6769 		len = mp->b_wptr - mp->b_rptr;
6770 		bcopy(mp->b_rptr, in_mp->b_wptr, len);
6771 		in_mp->b_wptr += len;
6772 		freeb(mp);
6773 	}
6774 
6775 	tcp->tcp_rcv_last_tail = NULL;
6776 	tcp->tcp_rcv_cnt = 0;
6777 	add_grams(&sockets[sock_id].inq, in_gram);
6778 
6779 	/* This means that so_rcvbuf can be less than 0. */
6780 	sockets[sock_id].so_rcvbuf -= in_mp->b_wptr - in_mp->b_rptr;
6781 win_update:
6782 	/*
6783 	 * Increase the receive window to max.  But we need to do receiver
6784 	 * SWS avoidance.  This means that we need to check the increase of
6785 	 * of receive window is at least 1 MSS.
6786 	 */
6787 	if (sockets[sock_id].so_rcvbuf > 0 &&
6788 	    (tcp->tcp_rwnd_max - tcp->tcp_rwnd >= tcp->tcp_mss)) {
6789 		tcp->tcp_rwnd = tcp->tcp_rwnd_max;
6790 		U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
6791 		    tcp->tcp_tcph->th_win);
6792 	}
6793 }
6794 
6795 /*
6796  * Wrapper for recvfrom to call
6797  */
6798 void
6799 tcp_rcv_drain_sock(int sock_id)
6800 {
6801 	tcp_t *tcp;
6802 	if ((tcp = sockets[sock_id].pcb) == NULL)
6803 		return;
6804 	tcp_rcv_drain(sock_id, tcp);
6805 }
6806 
6807 /*
6808  * If the inq == NULL and the tcp_rcv_list != NULL, we have data that
6809  * recvfrom could read. Place a magic message in the inq to let recvfrom
6810  * know that it needs to call tcp_rcv_drain_sock to pullup the data.
6811  */
6812 static void
6813 tcp_drain_needed(int sock_id, tcp_t *tcp)
6814 {
6815 	struct inetgram *in_gram;
6816 #ifdef DEBUG
6817 	printf("tcp_drain_needed: inq %x, tcp_rcv_list %x\n",
6818 		sockets[sock_id].inq, tcp->tcp_rcv_list);
6819 #endif
6820 	if ((sockets[sock_id].inq != NULL) ||
6821 		(tcp->tcp_rcv_list == NULL))
6822 		return;
6823 
6824 	if ((in_gram = (struct inetgram *)bkmem_zalloc(
6825 		sizeof (struct inetgram))) == NULL)
6826 		return;
6827 
6828 	in_gram->igm_level = APP_LVL;
6829 	in_gram->igm_mp = NULL;
6830 	in_gram->igm_id = TCP_CALLB_MAGIC_ID;
6831 
6832 	add_grams(&sockets[sock_id].inq, in_gram);
6833 }
6834 
6835 /*
6836  * Queue data on tcp_rcv_list which is a b_next chain.
6837  * Each element of the chain is a b_cont chain.
6838  *
6839  * M_DATA messages are added to the current element.
6840  * Other messages are added as new (b_next) elements.
6841  */
6842 static void
6843 tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len)
6844 {
6845 	assert(seg_len == msgdsize(mp));
6846 	if (tcp->tcp_rcv_list == NULL) {
6847 		tcp->tcp_rcv_list = mp;
6848 	} else {
6849 		tcp->tcp_rcv_last_tail->b_cont = mp;
6850 	}
6851 	while (mp->b_cont)
6852 		mp = mp->b_cont;
6853 	tcp->tcp_rcv_last_tail = mp;
6854 	tcp->tcp_rcv_cnt += seg_len;
6855 	tcp->tcp_rwnd -= seg_len;
6856 #ifdef DEBUG
6857 	printf("tcp_rcv_enqueue rwnd %d\n", tcp->tcp_rwnd);
6858 #endif
6859 	U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws, tcp->tcp_tcph->th_win);
6860 }
6861 
6862 /* The minimum of smoothed mean deviation in RTO calculation. */
6863 #define	TCP_SD_MIN	400
6864 
6865 /*
6866  * Set RTO for this connection.  The formula is from Jacobson and Karels'
6867  * "Congestion Avoidance and Control" in SIGCOMM '88.  The variable names
6868  * are the same as those in Appendix A.2 of that paper.
6869  *
6870  * m = new measurement
6871  * sa = smoothed RTT average (8 * average estimates).
6872  * sv = smoothed mean deviation (mdev) of RTT (4 * deviation estimates).
6873  */
6874 static void
6875 tcp_set_rto(tcp_t *tcp, int32_t rtt)
6876 {
6877 	int32_t m = rtt;
6878 	uint32_t sa = tcp->tcp_rtt_sa;
6879 	uint32_t sv = tcp->tcp_rtt_sd;
6880 	uint32_t rto;
6881 
6882 	BUMP_MIB(tcp_mib.tcpRttUpdate);
6883 	tcp->tcp_rtt_update++;
6884 
6885 	/* tcp_rtt_sa is not 0 means this is a new sample. */
6886 	if (sa != 0) {
6887 		/*
6888 		 * Update average estimator:
6889 		 *	new rtt = 7/8 old rtt + 1/8 Error
6890 		 */
6891 
6892 		/* m is now Error in estimate. */
6893 		m -= sa >> 3;
6894 		if ((int32_t)(sa += m) <= 0) {
6895 			/*
6896 			 * Don't allow the smoothed average to be negative.
6897 			 * We use 0 to denote reinitialization of the
6898 			 * variables.
6899 			 */
6900 			sa = 1;
6901 		}
6902 
6903 		/*
6904 		 * Update deviation estimator:
6905 		 *	new mdev = 3/4 old mdev + 1/4 (abs(Error) - old mdev)
6906 		 */
6907 		if (m < 0)
6908 			m = -m;
6909 		m -= sv >> 2;
6910 		sv += m;
6911 	} else {
6912 		/*
6913 		 * This follows BSD's implementation.  So the reinitialized
6914 		 * RTO is 3 * m.  We cannot go less than 2 because if the
6915 		 * link is bandwidth dominated, doubling the window size
6916 		 * during slow start means doubling the RTT.  We want to be
6917 		 * more conservative when we reinitialize our estimates.  3
6918 		 * is just a convenient number.
6919 		 */
6920 		sa = m << 3;
6921 		sv = m << 1;
6922 	}
6923 	if (sv < TCP_SD_MIN) {
6924 		/*
6925 		 * We do not know that if sa captures the delay ACK
6926 		 * effect as in a long train of segments, a receiver
6927 		 * does not delay its ACKs.  So set the minimum of sv
6928 		 * to be TCP_SD_MIN, which is default to 400 ms, twice
6929 		 * of BSD DATO.  That means the minimum of mean
6930 		 * deviation is 100 ms.
6931 		 *
6932 		 */
6933 		sv = TCP_SD_MIN;
6934 	}
6935 	tcp->tcp_rtt_sa = sa;
6936 	tcp->tcp_rtt_sd = sv;
6937 	/*
6938 	 * RTO = average estimates (sa / 8) + 4 * deviation estimates (sv)
6939 	 *
6940 	 * Add tcp_rexmit_interval extra in case of extreme environment
6941 	 * where the algorithm fails to work.  The default value of
6942 	 * tcp_rexmit_interval_extra should be 0.
6943 	 *
6944 	 * As we use a finer grained clock than BSD and update
6945 	 * RTO for every ACKs, add in another .25 of RTT to the
6946 	 * deviation of RTO to accomodate burstiness of 1/4 of
6947 	 * window size.
6948 	 */
6949 	rto = (sa >> 3) + sv + tcp_rexmit_interval_extra + (sa >> 5);
6950 
6951 	if (rto > tcp_rexmit_interval_max) {
6952 		tcp->tcp_rto = tcp_rexmit_interval_max;
6953 	} else if (rto < tcp_rexmit_interval_min) {
6954 		tcp->tcp_rto = tcp_rexmit_interval_min;
6955 	} else {
6956 		tcp->tcp_rto = rto;
6957 	}
6958 
6959 	/* Now, we can reset tcp_timer_backoff to use the new RTO... */
6960 	tcp->tcp_timer_backoff = 0;
6961 }
6962 
6963 /*
6964  * Initiate closedown sequence on an active connection.
6965  * Return value zero for OK return, non-zero for error return.
6966  */
6967 static int
6968 tcp_xmit_end(tcp_t *tcp, int sock_id)
6969 {
6970 	mblk_t	*mp;
6971 
6972 	if (tcp->tcp_state < TCPS_SYN_RCVD ||
6973 	    tcp->tcp_state > TCPS_CLOSE_WAIT) {
6974 		/*
6975 		 * Invalid state, only states TCPS_SYN_RCVD,
6976 		 * TCPS_ESTABLISHED and TCPS_CLOSE_WAIT are valid
6977 		 */
6978 		return (-1);
6979 	}
6980 
6981 	tcp->tcp_fss = tcp->tcp_snxt + tcp->tcp_unsent;
6982 	tcp->tcp_valid_bits |= TCP_FSS_VALID;
6983 	/*
6984 	 * If there is nothing more unsent, send the FIN now.
6985 	 * Otherwise, it will go out with the last segment.
6986 	 */
6987 	if (tcp->tcp_unsent == 0) {
6988 		mp = tcp_xmit_mp(tcp, NULL, 0, NULL, NULL,
6989 		    tcp->tcp_fss, B_FALSE, NULL, B_FALSE);
6990 
6991 		if (mp != NULL) {
6992 			/* Dump the packet when debugging. */
6993 			TCP_DUMP_PACKET("tcp_xmit_end", mp);
6994 			(void) ipv4_tcp_output(sock_id, mp);
6995 			freeb(mp);
6996 		} else {
6997 			/*
6998 			 * Couldn't allocate msg.  Pretend we got it out.
6999 			 * Wait for rexmit timeout.
7000 			 */
7001 			tcp->tcp_snxt = tcp->tcp_fss + 1;
7002 			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
7003 		}
7004 
7005 		/*
7006 		 * If needed, update tcp_rexmit_snxt as tcp_snxt is
7007 		 * changed.
7008 		 */
7009 		if (tcp->tcp_rexmit && tcp->tcp_rexmit_nxt == tcp->tcp_fss) {
7010 			tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
7011 		}
7012 	} else {
7013 		tcp_wput_data(tcp, NULL, B_FALSE);
7014 	}
7015 
7016 	return (0);
7017 }
7018 
7019 int
7020 tcp_opt_set(tcp_t *tcp, int level, int option, const void *optval,
7021     socklen_t optlen)
7022 {
7023 	switch (level) {
7024 	case SOL_SOCKET: {
7025 		switch (option) {
7026 		case SO_RCVBUF:
7027 			if (optlen == sizeof (int)) {
7028 				int val = *(int *)optval;
7029 
7030 				if (val > tcp_max_buf) {
7031 					errno = ENOBUFS;
7032 					break;
7033 				}
7034 				/* Silently ignore zero */
7035 				if (val != 0) {
7036 					val = MSS_ROUNDUP(val, tcp->tcp_mss);
7037 					(void) tcp_rwnd_set(tcp, val);
7038 				}
7039 			} else {
7040 				errno = EINVAL;
7041 			}
7042 			break;
7043 		case SO_SNDBUF:
7044 			if (optlen == sizeof (int)) {
7045 				tcp->tcp_xmit_hiwater = *(int *)optval;
7046 				if (tcp->tcp_xmit_hiwater > tcp_max_buf)
7047 					tcp->tcp_xmit_hiwater = tcp_max_buf;
7048 			} else {
7049 				errno = EINVAL;
7050 			}
7051 			break;
7052 		case SO_LINGER:
7053 			if (optlen == sizeof (struct linger)) {
7054 				struct linger *lgr = (struct linger *)optval;
7055 
7056 				if (lgr->l_onoff) {
7057 					tcp->tcp_linger = 1;
7058 					tcp->tcp_lingertime = lgr->l_linger;
7059 				} else {
7060 					tcp->tcp_linger = 0;
7061 					tcp->tcp_lingertime = 0;
7062 				}
7063 			} else {
7064 				errno = EINVAL;
7065 			}
7066 			break;
7067 		default:
7068 			errno = ENOPROTOOPT;
7069 			break;
7070 		}
7071 		break;
7072 	} /* case SOL_SOCKET */
7073 	case IPPROTO_TCP: {
7074 		switch (option) {
7075 		default:
7076 			errno = ENOPROTOOPT;
7077 			break;
7078 		}
7079 		break;
7080 	} /* case IPPROTO_TCP */
7081 	case IPPROTO_IP: {
7082 		switch (option) {
7083 		default:
7084 			errno = ENOPROTOOPT;
7085 			break;
7086 		}
7087 		break;
7088 	} /* case IPPROTO_IP */
7089 	default:
7090 		errno = ENOPROTOOPT;
7091 		break;
7092 	} /* switch (level) */
7093 
7094 	if (errno != 0)
7095 		return (-1);
7096 	else
7097 		return (0);
7098 }
7099