xref: /titanic_52/usr/src/stand/lib/tcp/tcp.c (revision 1915be19b7a1f7c113b706bd54d6ca393e8d8107)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * tcp.c, Code implementing the TCP protocol.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <sys/types.h>
#include <socket_impl.h>
#include <socket_inet.h>
#include <sys/sysmacros.h>
#include <sys/promif.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if_types.h>
#include <sys/salib.h>

#include "ipv4.h"
#include "ipv4_impl.h"
#include "mac.h"
#include "mac_impl.h"
#include "v4_sum_impl.h"
#include <sys/bootdebug.h>
#include "tcp_inet.h"
#include "tcp_sack.h"
#include <inet/common.h>
#include <inet/mib2.h>

/*
 * We need to redefine BUMP_MIB/UPDATE_MIB to not have DTrace probes.
 */
#undef BUMP_MIB
#define	BUMP_MIB(x) (x)++

#undef UPDATE_MIB
#define	UPDATE_MIB(x, y) x += y

/*
 * MIB-2 stuff for SNMP
 */
mib2_tcp_t	tcp_mib;	/* SNMP fixed size info */

/* The TCP mib does not include the following errors. */
static uint_t tcp_cksum_errors;
static uint_t tcp_drops;

/* Macros for timestamp comparisons */
#define	TSTMP_GEQ(a, b)	((int32_t)((a)-(b)) >= 0)
#define	TSTMP_LT(a, b)	((int32_t)((a)-(b)) < 0)

/*
 * Parameters for TCP Initial Send Sequence number (ISS) generation.
 * The ISS is calculated by adding three components: a time component
 * which grows by 1 every 4096 nanoseconds (versus every 4 microseconds
 * suggested by RFC 793, page 27);
 * a per-connection component which grows by 125000 for every new connection;
 * and an "extra" component that grows by a random amount centered
 * approximately on 64000.  This causes the the ISS generator to cycle every
 * 4.89 hours if no TCP connections are made, and faster if connections are
 * made.
 */
#define	ISS_INCR	250000
#define	ISS_NSEC_SHT	0

static uint32_t tcp_iss_incr_extra;	/* Incremented for each connection */

#define	TCP_XMIT_LOWATER	4096
#define	TCP_XMIT_HIWATER	49152
#define	TCP_RECV_LOWATER	2048
#define	TCP_RECV_HIWATER	49152

/*
 *  PAWS needs a timer for 24 days.  This is the number of ms in 24 days
 */
#define	PAWS_TIMEOUT	((uint32_t)(24*24*60*60*1000))

/*
 * TCP options struct returned from tcp_parse_options.
 */
typedef struct tcp_opt_s {
	uint32_t	tcp_opt_mss;
	uint32_t	tcp_opt_wscale;
	uint32_t	tcp_opt_ts_val;
	uint32_t	tcp_opt_ts_ecr;
	tcp_t		*tcp;
} tcp_opt_t;

/*
 * RFC1323-recommended phrasing of TSTAMP option, for easier parsing
 */

#ifdef _BIG_ENDIAN
#define	TCPOPT_NOP_NOP_TSTAMP ((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) | \
	(TCPOPT_TSTAMP << 8) | 10)
#else
#define	TCPOPT_NOP_NOP_TSTAMP ((10 << 24) | (TCPOPT_TSTAMP << 16) | \
	(TCPOPT_NOP << 8) | TCPOPT_NOP)
#endif

/*
 * Flags returned from tcp_parse_options.
 */
#define	TCP_OPT_MSS_PRESENT	1
#define	TCP_OPT_WSCALE_PRESENT	2
#define	TCP_OPT_TSTAMP_PRESENT	4
#define	TCP_OPT_SACK_OK_PRESENT	8
#define	TCP_OPT_SACK_PRESENT	16

/* TCP option length */
#define	TCPOPT_NOP_LEN		1
#define	TCPOPT_MAXSEG_LEN	4
#define	TCPOPT_WS_LEN		3
#define	TCPOPT_REAL_WS_LEN	(TCPOPT_WS_LEN+1)
#define	TCPOPT_TSTAMP_LEN	10
#define	TCPOPT_REAL_TS_LEN	(TCPOPT_TSTAMP_LEN+2)
#define	TCPOPT_SACK_OK_LEN	2
#define	TCPOPT_REAL_SACK_OK_LEN	(TCPOPT_SACK_OK_LEN+2)
#define	TCPOPT_REAL_SACK_LEN	4
#define	TCPOPT_MAX_SACK_LEN	36
#define	TCPOPT_HEADER_LEN	2

/* TCP cwnd burst factor. */
#define	TCP_CWND_INFINITE	65535
#define	TCP_CWND_SS		3
#define	TCP_CWND_NORMAL		5

/* Named Dispatch Parameter Management Structure */
typedef struct tcpparam_s {
	uint32_t	tcp_param_min;
	uint32_t	tcp_param_max;
	uint32_t	tcp_param_val;
	char		*tcp_param_name;
} tcpparam_t;

/* Max size IP datagram is 64k - 1 */
#define	TCP_MSS_MAX_IPV4 (IP_MAXPACKET - (sizeof (struct ip) + \
	sizeof (tcph_t)))

/* Max of the above */
#define	TCP_MSS_MAX	TCP_MSS_MAX_IPV4

/* Largest TCP port number */
#define	TCP_MAX_PORT	(64 * 1024 - 1)

/* Round up the value to the nearest mss. */
#define	MSS_ROUNDUP(value, mss)		((((value) - 1) / (mss) + 1) * (mss))

#define	MS	1L
#define	SECONDS	(1000 * MS)
#define	MINUTES	(60 * SECONDS)
#define	HOURS	(60 * MINUTES)
#define	DAYS	(24 * HOURS)

/* All NDD params in the core TCP became static variables. */
static int	tcp_time_wait_interval = 1 * MINUTES;
static int	tcp_conn_req_max_q = 128;
static int	tcp_conn_req_max_q0 = 1024;
static int	tcp_conn_req_min = 1;
static int	tcp_conn_grace_period = 0 * SECONDS;
static int	tcp_cwnd_max_ = 1024 * 1024;
static int	tcp_smallest_nonpriv_port = 1024;
static int	tcp_ip_abort_cinterval = 3 * MINUTES;
static int	tcp_ip_abort_linterval = 3 * MINUTES;
static int	tcp_ip_abort_interval = 8 * MINUTES;
static int	tcp_ip_notify_cinterval = 10 * SECONDS;
static int	tcp_ip_notify_interval = 10 * SECONDS;
static int	tcp_ipv4_ttl = 64;
static int	tcp_mss_def_ipv4 = 536;
static int	tcp_mss_max_ipv4 = TCP_MSS_MAX_IPV4;
static int	tcp_mss_min = 108;
static int	tcp_naglim_def = (4*1024)-1;
static int	tcp_rexmit_interval_initial = 3 * SECONDS;
static int	tcp_rexmit_interval_max = 60 * SECONDS;
static int	tcp_rexmit_interval_min = 400 * MS;
static int	tcp_dupack_fast_retransmit = 3;
static int	tcp_smallest_anon_port = 32 * 1024;
static int	tcp_largest_anon_port = TCP_MAX_PORT;
static int	tcp_xmit_lowat = TCP_XMIT_LOWATER;
static int	tcp_recv_hiwat_minmss = 4;
static int	tcp_fin_wait_2_flush_interval = 1 * MINUTES;
static int	tcp_max_buf = 1024 * 1024;
static int	tcp_wscale_always = 1;
static int	tcp_tstamp_always = 1;
static int	tcp_tstamp_if_wscale = 1;
static int	tcp_rexmit_interval_extra = 0;
static int	tcp_slow_start_after_idle = 2;
static int	tcp_slow_start_initial = 2;
static int	tcp_sack_permitted = 2;
static int	tcp_ecn_permitted = 2;

/* Extra room to fit in headers. */
static uint_t	tcp_wroff_xtra;

/* Hint for next port to try. */
static in_port_t	tcp_next_port_to_try = 32*1024;

/*
 * Figure out the value of window scale opton.  Note that the rwnd is
 * ASSUMED to be rounded up to the nearest MSS before the calculation.
 * We cannot find the scale value and then do a round up of tcp_rwnd
 * because the scale value may not be correct after that.
 */
#define	SET_WS_VALUE(tcp) \
{ \
	int i; \
	uint32_t rwnd = (tcp)->tcp_rwnd; \
	for (i = 0; rwnd > TCP_MAXWIN && i < TCP_MAX_WINSHIFT; \
	    i++, rwnd >>= 1) \
		; \
	(tcp)->tcp_rcv_ws = i; \
}

/*
 * Set ECN capable transport (ECT) code point in IP header.
 *
 * Note that there are 2 ECT code points '01' and '10', which are called
 * ECT(1) and ECT(0) respectively.  Here we follow the original ECT code
 * point ECT(0) for TCP as described in RFC 2481.
 */
#define	SET_ECT(tcp, iph) \
	if ((tcp)->tcp_ipversion == IPV4_VERSION) { \
		/* We need to clear the code point first. */ \
		((struct ip *)(iph))->ip_tos &= 0xFC; \
		((struct ip *)(iph))->ip_tos |= IPH_ECN_ECT0; \
	}

/*
 * The format argument to pass to tcp_display().
 * DISP_PORT_ONLY means that the returned string has only port info.
 * DISP_ADDR_AND_PORT means that the returned string also contains the
 * remote and local IP address.
 */
#define	DISP_PORT_ONLY		1
#define	DISP_ADDR_AND_PORT	2

/*
 * TCP reassembly macros.  We hide starting and ending sequence numbers in
 * b_next and b_prev of messages on the reassembly queue.  The messages are
 * chained using b_cont.  These macros are used in tcp_reass() so we don't
 * have to see the ugly casts and assignments.
 * Note. use uintptr_t to suppress the gcc warning.
 */
#define	TCP_REASS_SEQ(mp)		((uint32_t)(uintptr_t)((mp)->b_next))
#define	TCP_REASS_SET_SEQ(mp, u)	((mp)->b_next = \
					    (mblk_t *)((uintptr_t)(u)))
#define	TCP_REASS_END(mp)		((uint32_t)(uintptr_t)((mp)->b_prev))
#define	TCP_REASS_SET_END(mp, u)	((mp)->b_prev = \
					    (mblk_t *)((uintptr_t)(u)))

#define	TCP_TIMER_RESTART(tcp, intvl) \
	(tcp)->tcp_rto_timeout = prom_gettime() + intvl; \
	(tcp)->tcp_timer_running = B_TRUE;

static int tcp_accept_comm(tcp_t *, tcp_t *, mblk_t *, uint_t);
static mblk_t *tcp_ack_mp(tcp_t *);
static in_port_t tcp_bindi(in_port_t, in_addr_t *, boolean_t, boolean_t);
static uint16_t tcp_cksum(uint16_t *, uint32_t);
static void tcp_clean_death(int, tcp_t *, int err);
static tcp_t *tcp_conn_request(tcp_t *, mblk_t *mp, uint_t, uint_t);
static char *tcp_display(tcp_t *, char *, char);
static int tcp_drain_input(tcp_t *, int, int);
static void tcp_drain_needed(int, tcp_t *);
static boolean_t tcp_drop_q0(tcp_t *);
static mblk_t *tcp_get_seg_mp(tcp_t *, uint32_t, int32_t *);
static int tcp_header_len(struct inetgram *);
static in_port_t tcp_report_ports(uint16_t *, enum Ports);
static int tcp_input(int);
static void tcp_iss_init(tcp_t *);
static tcp_t *tcp_lookup_ipv4(struct ip *, tcpha_t *, int, int *);
static tcp_t *tcp_lookup_listener_ipv4(in_addr_t, in_port_t, int *);
static int tcp_conn_check(tcp_t *);
static int tcp_close(int);
static void tcp_close_detached(tcp_t *);
static void tcp_eager_cleanup(tcp_t *, boolean_t, int);
static void tcp_eager_unlink(tcp_t *);
static void tcp_free(tcp_t *);
static int tcp_header_init_ipv4(tcp_t *);
static void tcp_mss_set(tcp_t *, uint32_t);
static int tcp_parse_options(tcph_t *, tcp_opt_t *);
static boolean_t tcp_paws_check(tcp_t *, tcph_t *, tcp_opt_t *);
static void tcp_process_options(tcp_t *, tcph_t *);
static int tcp_random(void);
static void tcp_random_init(void);
static mblk_t *tcp_reass(tcp_t *, mblk_t *, uint32_t);
static void tcp_reass_elim_overlap(tcp_t *, mblk_t *);
static void tcp_rcv_drain(int sock_id, tcp_t *);
static void tcp_rcv_enqueue(tcp_t *, mblk_t *, uint_t);
static void tcp_rput_data(tcp_t *, mblk_t *, int);
static int tcp_rwnd_set(tcp_t *, uint32_t);
static int32_t tcp_sack_rxmit(tcp_t *, int);
static void tcp_set_cksum(mblk_t *);
static void tcp_set_rto(tcp_t *, int32_t);
static void tcp_ss_rexmit(tcp_t *, int);
static int tcp_state_wait(int, tcp_t *, int);
static void tcp_timer(tcp_t *, int);
static void tcp_time_wait_append(tcp_t *);
static void tcp_time_wait_collector(void);
static void tcp_time_wait_processing(tcp_t *, mblk_t *, uint32_t,
    uint32_t, int, tcph_t *, int sock_id);
static void tcp_time_wait_remove(tcp_t *);
static in_port_t tcp_update_next_port(in_port_t);
static int tcp_verify_cksum(mblk_t *);
static void tcp_wput_data(tcp_t *, mblk_t *, int);
static void tcp_xmit_ctl(char *, tcp_t *, mblk_t *, uint32_t, uint32_t,
    int, uint_t, int);
static void tcp_xmit_early_reset(char *, int, mblk_t *, uint32_t, uint32_t,
    int, uint_t);
static int tcp_xmit_end(tcp_t *, int);
static void tcp_xmit_listeners_reset(int, mblk_t *, uint_t);
static mblk_t *tcp_xmit_mp(tcp_t *, mblk_t *, int32_t, int32_t *,
    mblk_t **, uint32_t, boolean_t, uint32_t *, boolean_t);
static int tcp_init_values(tcp_t *, struct inetboot_socket *);

#if DEBUG > 1
#define	TCP_DUMP_PACKET(str, mp) \
{ \
	int len = (mp)->b_wptr - (mp)->b_rptr; \
\
	printf("%s: dump TCP(%d): \n", (str), len); \
	hexdump((char *)(mp)->b_rptr, len); \
}
#else
#define	TCP_DUMP_PACKET(str, mp)
#endif

#ifdef DEBUG
#define	DEBUG_1(str, arg)		printf(str, (arg))
#define	DEBUG_2(str, arg1, arg2)	printf(str, (arg1), (arg2))
#define	DEBUG_3(str, arg1, arg2, arg3)	printf(str, (arg1), (arg2), (arg3))
#else
#define	DEBUG_1(str, arg)
#define	DEBUG_2(str, arg1, arg2)
#define	DEBUG_3(str, arg1, arg2, arg3)
#endif

/* Whether it is the first time TCP is used. */
static boolean_t tcp_initialized = B_FALSE;

/* TCP time wait list. */
static tcp_t *tcp_time_wait_head;
static tcp_t *tcp_time_wait_tail;
static uint32_t tcp_cum_timewait;
/* When the tcp_time_wait_collector is run. */
static uint32_t tcp_time_wait_runtime;

#define	TCP_RUN_TIME_WAIT_COLLECTOR() \
	if (prom_gettime() > tcp_time_wait_runtime) \
		tcp_time_wait_collector();

/*
 * Accept will return with an error if there is no connection coming in
 * after this (in ms).
 */
static int tcp_accept_timeout = 60000;

/*
 * Initialize the TCP-specific parts of a socket.
 */
void
tcp_socket_init(struct inetboot_socket *isp)
{
	/* Do some initializations. */
	if (!tcp_initialized) {
		tcp_random_init();
		/* Extra head room for the MAC layer address. */
		if ((tcp_wroff_xtra = mac_get_hdr_len()) & 0x3) {
			tcp_wroff_xtra = (tcp_wroff_xtra & ~0x3) + 0x4;
		}
		/* Schedule the first time wait cleanup time */
		tcp_time_wait_runtime = prom_gettime() + tcp_time_wait_interval;
		tcp_initialized = B_TRUE;
	}
	TCP_RUN_TIME_WAIT_COLLECTOR();

	isp->proto = IPPROTO_TCP;
	isp->input[TRANSPORT_LVL] = tcp_input;
	/* Socket layer should call tcp_send() directly. */
	isp->output[TRANSPORT_LVL] = NULL;
	isp->close[TRANSPORT_LVL] = tcp_close;
	isp->headerlen[TRANSPORT_LVL] = tcp_header_len;
	isp->ports = tcp_report_ports;
	if ((isp->pcb = bkmem_alloc(sizeof (tcp_t))) == NULL) {
		errno = ENOBUFS;
		return;
	}
	if ((errno = tcp_init_values((tcp_t *)isp->pcb, isp)) != 0) {
		bkmem_free(isp->pcb, sizeof (tcp_t));
		return;
	}
	/*
	 * This is set last because this field is used to determine if
	 * a socket is in use or not.
	 */
	isp->type = INETBOOT_STREAM;
}

/*
 * Return the size of a TCP header including TCP option.
 */
static int
tcp_header_len(struct inetgram *igm)
{
	mblk_t *pkt;
	int ipvers;

	/* Just returns the standard TCP header without option */
	if (igm == NULL)
		return (sizeof (tcph_t));

	if ((pkt = igm->igm_mp) == NULL)
		return (0);

	ipvers = ((struct ip *)pkt->b_rptr)->ip_v;
	if (ipvers == IPV4_VERSION) {
		return (TCP_HDR_LENGTH((tcph_t *)(pkt + IPH_HDR_LENGTH(pkt))));
	} else {
		dprintf("tcp_header_len: non-IPv4 packet.\n");
		return (0);
	}
}

/*
 * Return the requested port number in network order.
 */
static in_port_t
tcp_report_ports(uint16_t *tcphp, enum Ports request)
{
	if (request == SOURCE)
		return (*(uint16_t *)(((tcph_t *)tcphp)->th_lport));
	return (*(uint16_t *)(((tcph_t *)tcphp)->th_fport));
}

/*
 * Because inetboot is not interrupt driven, TCP can only poll.  This
 * means that there can be packets stuck in the NIC buffer waiting to
 * be processed.  Thus we need to drain them before, for example, sending
 * anything because an ACK may actually be stuck there.
 *
 * The timeout arguments determine how long we should wait for draining.
 */
static int
tcp_drain_input(tcp_t *tcp, int sock_id, int timeout)
{
	struct inetgram *in_gram;
	struct inetgram *old_in_gram;
	int old_timeout;
	mblk_t *mp;
	int i;

	dprintf("tcp_drain_input(%d): %s\n", sock_id,
	    tcp_display(tcp, NULL, DISP_ADDR_AND_PORT));

	/*
	 * Since the driver uses the in_timeout value in the socket
	 * structure to determine the timeout value, we need to save
	 * the original one so that we can restore that after draining.
	 */
	old_timeout = sockets[sock_id].in_timeout;
	sockets[sock_id].in_timeout = timeout;

	/*
	 * We do this because the input queue may have some user
	 * data already.
	 */
	old_in_gram = sockets[sock_id].inq;
	sockets[sock_id].inq = NULL;

	/* Go out and check the wire */
	for (i = MEDIA_LVL; i < TRANSPORT_LVL; i++) {
		if (sockets[sock_id].input[i] != NULL) {
			if (sockets[sock_id].input[i](sock_id) < 0) {
				sockets[sock_id].in_timeout = old_timeout;
				if (sockets[sock_id].inq != NULL)
					nuke_grams(&sockets[sock_id].inq);
				sockets[sock_id].inq = old_in_gram;
				return (-1);
			}
		}
	}
#if DEBUG
	printf("tcp_drain_input: done with checking packets\n");
#endif
	while ((in_gram = sockets[sock_id].inq) != NULL) {
		/* Remove unknown inetgrams from the head of inq. */
		if (in_gram->igm_level != TRANSPORT_LVL) {
#if DEBUG
			printf("tcp_drain_input: unexpected packet "
			    "level %d frame found\n", in_gram->igm_level);
#endif
			del_gram(&sockets[sock_id].inq, in_gram, B_TRUE);
			continue;
		}
		mp = in_gram->igm_mp;
		del_gram(&sockets[sock_id].inq, in_gram, B_FALSE);
		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
		tcp_rput_data(tcp, mp, sock_id);
		sockets[sock_id].in_timeout = old_timeout;

		/*
		 * The other side may have closed this connection or
		 * RST us.  But we need to continue to process other
		 * packets in the socket's queue because they may be
		 * belong to another TCP connections.
		 */
		if (sockets[sock_id].pcb == NULL)
			tcp = NULL;
	}

	if (tcp == NULL || sockets[sock_id].pcb == NULL) {
		if (sockets[sock_id].so_error != 0)
			return (-1);
		else
			return (0);
	}
#if DEBUG
	printf("tcp_drain_input: done with processing packets\n");
#endif
	sockets[sock_id].in_timeout = old_timeout;
	sockets[sock_id].inq = old_in_gram;

	/*
	 * Data may have been received so indicate it is available
	 */
	tcp_drain_needed(sock_id, tcp);
	return (0);
}

/*
 * The receive entry point for upper layer to call to get data.  Note
 * that this follows the current architecture that lower layer receive
 * routines have been called already.  Thus if the inq of socket is
 * not NULL, the packets must be for us.
 */
static int
tcp_input(int sock_id)
{
	struct inetgram *in_gram;
	mblk_t *mp;
	tcp_t *tcp;

	TCP_RUN_TIME_WAIT_COLLECTOR();

	if ((tcp = sockets[sock_id].pcb) == NULL)
		return (-1);

	while ((in_gram = sockets[sock_id].inq) != NULL) {
		/* Remove unknown inetgrams from the head of inq. */
		if (in_gram->igm_level != TRANSPORT_LVL) {
#ifdef DEBUG
			printf("tcp_input: unexpected packet "
			    "level %d frame found\n", in_gram->igm_level);
#endif
			del_gram(&sockets[sock_id].inq, in_gram, B_TRUE);
			continue;
		}
		mp = in_gram->igm_mp;
		del_gram(&sockets[sock_id].inq, in_gram, B_FALSE);
		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
		tcp_rput_data(tcp, mp, sock_id);
		/* The TCP may be gone because it gets a RST. */
		if (sockets[sock_id].pcb == NULL)
			return (-1);
	}

	/* Flush the receive list. */
	if (tcp->tcp_rcv_list != NULL) {
		tcp_rcv_drain(sock_id, tcp);
	} else {
		/* The other side has closed the connection, report this up. */
		if (tcp->tcp_state == TCPS_CLOSE_WAIT) {
			sockets[sock_id].so_state |= SS_CANTRCVMORE;
			return (0);
		}
	}
	return (0);
}

/*
 * The send entry point for upper layer to call to send data.  In order
 * to minimize changes to the core TCP code, we need to put the
 * data into mblks.
 */
int
tcp_send(int sock_id, tcp_t *tcp, const void *msg, int len)
{
	mblk_t *mp;
	mblk_t *head = NULL;
	mblk_t *tail;
	int mss = tcp->tcp_mss;
	int cnt = 0;
	int win_size;
	char *buf = (char *)msg;

	TCP_RUN_TIME_WAIT_COLLECTOR();

	/* We don't want to append 0 size mblk. */
	if (len == 0)
		return (0);
	while (len > 0) {
		if (len < mss) {
			mss = len;
		}
		/*
		 * If we cannot allocate more buffer, stop here and
		 * the number of bytes buffered will be returned.
		 *
		 * Note that we follow the core TCP optimization that
		 * each mblk contains only MSS bytes data.
		 */
		if ((mp = allocb(mss + tcp->tcp_ip_hdr_len +
		    TCP_MAX_HDR_LENGTH + tcp_wroff_xtra, 0)) == NULL) {
			break;
		}
		mp->b_rptr += tcp->tcp_hdr_len + tcp_wroff_xtra;
		bcopy(buf, mp->b_rptr, mss);
		mp->b_wptr = mp->b_rptr + mss;
		buf += mss;
		cnt += mss;
		len -= mss;

		if (head == NULL) {
			head = mp;
			tail = mp;
		} else {
			tail->b_cont = mp;
			tail = mp;
		}
	}

	/*
	 * Since inetboot is not interrupt driven, there may be
	 * some ACKs in the MAC's buffer.  Drain them first,
	 * otherwise, we may not be able to send.
	 *
	 * We expect an ACK in two cases:
	 *
	 * 1) We have un-ACK'ed data.
	 *
	 * 2) All ACK's have been received and the sender's window has been
	 * closed.  We need an ACK back to open the window so that we can
	 * send.  In this case, call tcp_drain_input() if the window size is
	 * less than 2 * MSS.
	 */

	/* window size = MIN(swnd, cwnd) - unacked bytes */
	win_size = (tcp->tcp_swnd > tcp->tcp_cwnd) ? tcp->tcp_cwnd :
		tcp->tcp_swnd;
	win_size -= tcp->tcp_snxt;
	win_size += tcp->tcp_suna;
	if (win_size < (2 * tcp->tcp_mss))
		if (tcp_drain_input(tcp, sock_id, 5) < 0)
			return (-1);

	tcp_wput_data(tcp, head, sock_id);
	/*
	 * errno should be reset here as it may be
	 * set to ETIMEDOUT. This may be set by
	 * the MAC driver in case it has timed out
	 * waiting for ARP reply. Any segment which
	 * was not transmitted because of ARP timeout
	 * will be retransmitted by TCP.
	 */
	if (errno == ETIMEDOUT)
		errno = 0;
	return (cnt);
}

/* Free up all TCP related stuff */
static void
tcp_free(tcp_t *tcp)
{
	if (tcp->tcp_iphc != NULL) {
		bkmem_free((caddr_t)tcp->tcp_iphc, tcp->tcp_iphc_len);
		tcp->tcp_iphc = NULL;
	}
	if (tcp->tcp_xmit_head != NULL) {
		freemsg(tcp->tcp_xmit_head);
		tcp->tcp_xmit_head = NULL;
	}
	if (tcp->tcp_rcv_list != NULL) {
		freemsg(tcp->tcp_rcv_list);
		tcp->tcp_rcv_list = NULL;
	}
	if (tcp->tcp_reass_head != NULL) {
		freemsg(tcp->tcp_reass_head);
		tcp->tcp_reass_head = NULL;
	}
	if (tcp->tcp_sack_info != NULL) {
		bkmem_free((caddr_t)tcp->tcp_sack_info,
		    sizeof (tcp_sack_info_t));
		tcp->tcp_sack_info = NULL;
	}
}

static void
tcp_close_detached(tcp_t *tcp)
{
	if (tcp->tcp_listener != NULL)
		tcp_eager_unlink(tcp);
	tcp_free(tcp);
	bkmem_free((caddr_t)tcp, sizeof (tcp_t));
}

/*
 * If we are an eager connection hanging off a listener that hasn't
 * formally accepted the connection yet, get off his list and blow off
 * any data that we have accumulated.
 */
static void
tcp_eager_unlink(tcp_t *tcp)
{
	tcp_t	*listener = tcp->tcp_listener;

	assert(listener != NULL);
	if (tcp->tcp_eager_next_q0 != NULL) {
		assert(tcp->tcp_eager_prev_q0 != NULL);

		/* Remove the eager tcp from q0 */
		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
		    tcp->tcp_eager_prev_q0;
		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
		    tcp->tcp_eager_next_q0;
		listener->tcp_conn_req_cnt_q0--;
	} else {
		tcp_t   **tcpp = &listener->tcp_eager_next_q;
		tcp_t	*prev = NULL;

		for (; tcpp[0]; tcpp = &tcpp[0]->tcp_eager_next_q) {
			if (tcpp[0] == tcp) {
				if (listener->tcp_eager_last_q == tcp) {
					/*
					 * If we are unlinking the last
					 * element on the list, adjust
					 * tail pointer. Set tail pointer
					 * to nil when list is empty.
					 */
					assert(tcp->tcp_eager_next_q == NULL);
					if (listener->tcp_eager_last_q ==
					    listener->tcp_eager_next_q) {
						listener->tcp_eager_last_q =
						NULL;
					} else {
						/*
						 * We won't get here if there
						 * is only one eager in the
						 * list.
						 */
						assert(prev != NULL);
						listener->tcp_eager_last_q =
						    prev;
					}
				}
				tcpp[0] = tcp->tcp_eager_next_q;
				tcp->tcp_eager_next_q = NULL;
				tcp->tcp_eager_last_q = NULL;
				listener->tcp_conn_req_cnt_q--;
				break;
			}
			prev = tcpp[0];
		}
	}
	tcp->tcp_listener = NULL;
}

/*
 * Reset any eager connection hanging off this listener
 * and then reclaim it's resources.
 */
static void
tcp_eager_cleanup(tcp_t *listener, boolean_t q0_only, int sock_id)
{
	tcp_t	*eager;

	if (!q0_only) {
		/* First cleanup q */
		while ((eager = listener->tcp_eager_next_q) != NULL) {
			assert(listener->tcp_eager_last_q != NULL);
			tcp_xmit_ctl("tcp_eager_cleanup, can't wait",
			    eager, NULL, eager->tcp_snxt, 0, TH_RST, 0,
			    sock_id);
			tcp_close_detached(eager);
		}
		assert(listener->tcp_eager_last_q == NULL);
	}
	/* Then cleanup q0 */
	while ((eager = listener->tcp_eager_next_q0) != listener) {
		tcp_xmit_ctl("tcp_eager_cleanup, can't wait",
		    eager, NULL, eager->tcp_snxt, 0, TH_RST, 0, sock_id);
		tcp_close_detached(eager);
	}
}

/*
 * To handle the shutdown request. Called from shutdown()
 */
int
tcp_shutdown(int sock_id)
{
	tcp_t	*tcp;

	DEBUG_1("tcp_shutdown: sock_id %x\n", sock_id);

	if ((tcp = sockets[sock_id].pcb) == NULL) {
		return (-1);
	}

	/*
	 * Since inetboot is not interrupt driven, there may be
	 * some ACKs in the MAC's buffer.  Drain them first,
	 * otherwise, we may not be able to send.
	 */
	if (tcp_drain_input(tcp, sock_id, 5) < 0) {
		/*
		 * If we return now without freeing TCP, there will be
		 * a memory leak.
		 */
		if (sockets[sock_id].pcb != NULL)
			tcp_clean_death(sock_id, tcp, 0);
		return (-1);
	}

	DEBUG_1("tcp_shutdown: tcp_state %x\n", tcp->tcp_state);
	switch (tcp->tcp_state) {

	case TCPS_SYN_RCVD:
		/*
		 * Shutdown during the connect 3-way handshake
		 */
	case TCPS_ESTABLISHED:
		/*
		 * Transmit the FIN
		 * wait for the FIN to be ACKed,
		 * then remain in FIN_WAIT_2
		 */
		dprintf("tcp_shutdown: sending fin\n");
		if (tcp_xmit_end(tcp, sock_id) == 0 &&
			tcp_state_wait(sock_id, tcp, TCPS_FIN_WAIT_2) < 0) {
			/* During the wait, TCP may be gone... */
			if (sockets[sock_id].pcb == NULL)
				return (-1);
		}
		dprintf("tcp_shutdown: done\n");
		break;

	default:
		break;

	}
	return (0);
}

/* To handle closing of the socket */
static int
tcp_close(int sock_id)
{
	char	*msg;
	tcp_t	*tcp;
	int	error = 0;

	if ((tcp = sockets[sock_id].pcb) == NULL) {
		return (-1);
	}

	TCP_RUN_TIME_WAIT_COLLECTOR();

	/*
	 * Since inetboot is not interrupt driven, there may be
	 * some ACKs in the MAC's buffer.  Drain them first,
	 * otherwise, we may not be able to send.
	 */
	if (tcp_drain_input(tcp, sock_id, 5) < 0) {
		/*
		 * If we return now without freeing TCP, there will be
		 * a memory leak.
		 */
		if (sockets[sock_id].pcb != NULL)
			tcp_clean_death(sock_id, tcp, 0);
		return (-1);
	}

	if (tcp->tcp_conn_req_cnt_q0 != 0 || tcp->tcp_conn_req_cnt_q != 0) {
		/* Cleanup for listener */
		tcp_eager_cleanup(tcp, 0, sock_id);
	}

	msg = NULL;
	switch (tcp->tcp_state) {
	case TCPS_CLOSED:
	case TCPS_IDLE:
	case TCPS_BOUND:
	case TCPS_LISTEN:
		break;
	case TCPS_SYN_SENT:
		msg = "tcp_close, during connect";
		break;
	case TCPS_SYN_RCVD:
		/*
		 * Close during the connect 3-way handshake
		 * but here there may or may not be pending data
		 * already on queue. Process almost same as in
		 * the ESTABLISHED state.
		 */
		/* FALLTHRU */
	default:
		/*
		 * If SO_LINGER has set a zero linger time, abort the
		 * connection with a reset.
		 */
		if (tcp->tcp_linger && tcp->tcp_lingertime == 0) {
			msg = "tcp_close, zero lingertime";
			break;
		}

		/*
		 * Abort connection if there is unread data queued.
		 */
		if (tcp->tcp_rcv_list != NULL ||
				tcp->tcp_reass_head != NULL) {
			msg = "tcp_close, unread data";
			break;
		}
		if (tcp->tcp_state <= TCPS_LISTEN)
			break;

		/*
		 * Transmit the FIN before detaching the tcp_t.
		 * After tcp_detach returns this queue/perimeter
		 * no longer owns the tcp_t thus others can modify it.
		 * The TCP could be closed in tcp_state_wait called by
		 * tcp_wput_data called by tcp_xmit_end.
		 */
		(void) tcp_xmit_end(tcp, sock_id);
		if (sockets[sock_id].pcb == NULL)
			return (0);

		/*
		 * If lingering on close then wait until the fin is acked,
		 * the SO_LINGER time passes, or a reset is sent/received.
		 */
		if (tcp->tcp_linger && tcp->tcp_lingertime > 0 &&
		    !(tcp->tcp_fin_acked) &&
		    tcp->tcp_state >= TCPS_ESTABLISHED) {
			uint32_t stoptime; /* in ms */

			tcp->tcp_client_errno = 0;
			stoptime = prom_gettime() +
			    (tcp->tcp_lingertime * 1000);
			while (!(tcp->tcp_fin_acked) &&
			    tcp->tcp_state >= TCPS_ESTABLISHED &&
			    tcp->tcp_client_errno == 0 &&
			    ((int32_t)(stoptime - prom_gettime()) > 0)) {
				if (tcp_drain_input(tcp, sock_id, 5) < 0) {
					if (sockets[sock_id].pcb != NULL) {
						tcp_clean_death(sock_id,
						    tcp, 0);
					}
					return (-1);
				}
			}
			tcp->tcp_client_errno = 0;
		}
		if (tcp_state_wait(sock_id, tcp, TCPS_TIME_WAIT) < 0) {
			/* During the wait, TCP may be gone... */
			if (sockets[sock_id].pcb == NULL)
				return (0);
			msg = "tcp_close, couldn't detach";
		} else {
			return (0);
		}
		break;
	}

	/* Something went wrong...  Send a RST and report the error */
	if (msg != NULL) {
		if (tcp->tcp_state == TCPS_ESTABLISHED ||
		    tcp->tcp_state == TCPS_CLOSE_WAIT)
			BUMP_MIB(tcp_mib.tcpEstabResets);
		if (tcp->tcp_state == TCPS_SYN_SENT ||
		    tcp->tcp_state == TCPS_SYN_RCVD)
			BUMP_MIB(tcp_mib.tcpAttemptFails);
		tcp_xmit_ctl(msg, tcp, NULL, tcp->tcp_snxt, 0, TH_RST, 0,
		    sock_id);
	}

	tcp_free(tcp);
	bkmem_free((caddr_t)tcp, sizeof (tcp_t));
	sockets[sock_id].pcb = NULL;
	return (error);
}

/* To make an endpoint a listener. */
int
tcp_listen(int sock_id, int backlog)
{
	tcp_t *tcp;

	if ((tcp = (tcp_t *)(sockets[sock_id].pcb)) == NULL) {
		errno = EINVAL;
		return (-1);
	}
	/* We allow calling listen() multiple times to change the backlog. */
	if (tcp->tcp_state > TCPS_LISTEN || tcp->tcp_state < TCPS_BOUND) {
		errno = EOPNOTSUPP;
		return (-1);
	}
	/* The following initialization should only be done once. */
	if (tcp->tcp_state != TCPS_LISTEN) {
		tcp->tcp_eager_next_q0 = tcp->tcp_eager_prev_q0 = tcp;
		tcp->tcp_eager_next_q = NULL;
		tcp->tcp_state = TCPS_LISTEN;
		tcp->tcp_second_ctimer_threshold = tcp_ip_abort_linterval;
	}
	if ((tcp->tcp_conn_req_max = backlog) > tcp_conn_req_max_q) {
		tcp->tcp_conn_req_max = tcp_conn_req_max_q;
	}
	if (tcp->tcp_conn_req_max < tcp_conn_req_min) {
		tcp->tcp_conn_req_max = tcp_conn_req_min;
	}
	return (0);
}

/* To accept connections. */
int
tcp_accept(int sock_id, struct sockaddr *addr, socklen_t *addr_len)
{
	tcp_t *listener;
	tcp_t *eager;
	int sd, new_sock_id;
	struct sockaddr_in *new_addr = (struct sockaddr_in *)addr;
	int timeout;

	/* Sanity check. */
	if ((listener = (tcp_t *)(sockets[sock_id].pcb)) == NULL ||
	    new_addr == NULL || addr_len == NULL ||
	    *addr_len < sizeof (struct sockaddr_in) ||
	    listener->tcp_state != TCPS_LISTEN) {
		errno = EINVAL;
		return (-1);
	}

	if (sockets[sock_id].in_timeout > tcp_accept_timeout)
		timeout = prom_gettime() + sockets[sock_id].in_timeout;
	else
		timeout = prom_gettime() + tcp_accept_timeout;
	while (listener->tcp_eager_next_q == NULL &&
	    timeout > prom_gettime()) {
#if DEBUG
		printf("tcp_accept: Waiting in tcp_accept()\n");
#endif
		if (tcp_drain_input(listener, sock_id, 5) < 0) {
			return (-1);
		}
	}
	/* If there is an eager, don't timeout... */
	if (timeout <= prom_gettime() && listener->tcp_eager_next_q == NULL) {
#if DEBUG
		printf("tcp_accept: timeout\n");
#endif
		errno = ETIMEDOUT;
		return (-1);
	}
#if DEBUG
	printf("tcp_accept: got a connection\n");
#endif

	/* Now create the socket for this new TCP. */
	if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		return (-1);
	}
	if ((new_sock_id = so_check_fd(sd, &errno)) == -1)
		/* This should not happen! */
		prom_panic("so_check_fd() fails in tcp_accept()");
	/* Free the TCP PCB in the original socket. */
	bkmem_free((caddr_t)(sockets[new_sock_id].pcb), sizeof (tcp_t));
	/* Dequeue the eager and attach it to the socket. */
	eager = listener->tcp_eager_next_q;
	listener->tcp_eager_next_q = eager->tcp_eager_next_q;
	if (listener->tcp_eager_last_q == eager)
		listener->tcp_eager_last_q = NULL;
	eager->tcp_eager_next_q = NULL;
	sockets[new_sock_id].pcb = eager;
	listener->tcp_conn_req_cnt_q--;

	/* Copy in the address info. */
	bcopy(&eager->tcp_remote, &new_addr->sin_addr.s_addr,
	    sizeof (in_addr_t));
	bcopy(&eager->tcp_fport, &new_addr->sin_port, sizeof (in_port_t));
	new_addr->sin_family = AF_INET;

#ifdef DEBUG
	printf("tcp_accept(), new sock_id: %d\n", sd);
#endif
	return (sd);
}

/* Update the next anonymous port to use.  */
static in_port_t
tcp_update_next_port(in_port_t port)
{
	/* Don't allow the port to fall out of the anonymous port range. */
	if (port < tcp_smallest_anon_port || port > tcp_largest_anon_port)
		port = (in_port_t)tcp_smallest_anon_port;

	if (port < tcp_smallest_nonpriv_port)
		port = (in_port_t)tcp_smallest_nonpriv_port;
	return (port);
}

/* To check whether a bind to a port is allowed. */
static in_port_t
tcp_bindi(in_port_t port, in_addr_t *addr, boolean_t reuseaddr,
    boolean_t bind_to_req_port_only)
{
	int i, count;
	tcp_t *tcp;

	count = tcp_largest_anon_port - tcp_smallest_anon_port;
try_again:
	for (i = 0; i < MAXSOCKET; i++) {
		if (sockets[i].type != INETBOOT_STREAM ||
		    ((tcp = (tcp_t *)sockets[i].pcb) == NULL) ||
		    ntohs(tcp->tcp_lport) != port) {
			continue;
		}
		/*
		 * Both TCPs have the same port.  If SO_REUSEDADDR is
		 * set and the bound TCP has a state greater than
		 * TCPS_LISTEN, it is fine.
		 */
		if (reuseaddr && tcp->tcp_state > TCPS_LISTEN) {
			continue;
		}
		if (tcp->tcp_bound_source != INADDR_ANY &&
		    *addr != INADDR_ANY &&
		    tcp->tcp_bound_source != *addr) {
			continue;
		}
		if (bind_to_req_port_only) {
			return (0);
		}
		if (--count > 0) {
			port = tcp_update_next_port(++port);
			goto try_again;
		} else {
			return (0);
		}
	}
	return (port);
}

/* To handle the bind request. */
int
tcp_bind(int sock_id)
{
	tcp_t *tcp;
	in_port_t requested_port, allocated_port;
	boolean_t bind_to_req_port_only;
	boolean_t reuseaddr;

	if ((tcp = (tcp_t *)sockets[sock_id].pcb) == NULL) {
		errno = EINVAL;
		return (-1);
	}

	if (tcp->tcp_state >= TCPS_BOUND) {
		/* We don't allow multiple bind(). */
		errno = EPROTO;
		return (-1);
	}

	requested_port = ntohs(sockets[sock_id].bind.sin_port);

	/* The bound source can be INADDR_ANY. */
	tcp->tcp_bound_source = sockets[sock_id].bind.sin_addr.s_addr;

	tcp->tcp_ipha->ip_src.s_addr = tcp->tcp_bound_source;

	/* Verify the port is available. */
	if (requested_port == 0)
		bind_to_req_port_only = B_FALSE;
	else			/* T_BIND_REQ and requested_port != 0 */
		bind_to_req_port_only = B_TRUE;

	if (requested_port == 0) {
		requested_port = tcp_update_next_port(++tcp_next_port_to_try);
	}
	reuseaddr = sockets[sock_id].so_opt & SO_REUSEADDR;
	allocated_port = tcp_bindi(requested_port, &(tcp->tcp_bound_source),
	    reuseaddr, bind_to_req_port_only);

	if (allocated_port == 0) {
		errno = EADDRINUSE;
		return (-1);
	}
	tcp->tcp_lport = htons(allocated_port);
	*(uint16_t *)tcp->tcp_tcph->th_lport = tcp->tcp_lport;
	sockets[sock_id].bind.sin_port = tcp->tcp_lport;
	tcp->tcp_state = TCPS_BOUND;
	return (0);
}

/*
 * Check for duplicate TCP connections.
 */
static int
tcp_conn_check(tcp_t *tcp)
{
	int i;
	tcp_t *tmp_tcp;

	for (i = 0; i < MAXSOCKET; i++) {
		if (sockets[i].type != INETBOOT_STREAM)
			continue;
		/* Socket may not be closed but the TCP can be gone. */
		if ((tmp_tcp = (tcp_t *)sockets[i].pcb) == NULL)
			continue;
		/* We only care about TCP in states later than SYN_SENT. */
		if (tmp_tcp->tcp_state < TCPS_SYN_SENT)
			continue;
		if (tmp_tcp->tcp_lport != tcp->tcp_lport ||
		    tmp_tcp->tcp_fport != tcp->tcp_fport ||
		    tmp_tcp->tcp_bound_source != tcp->tcp_bound_source ||
		    tmp_tcp->tcp_remote != tcp->tcp_remote) {
			continue;
		} else {
			return (-1);
		}
	}
	return (0);
}

/* To handle a connect request. */
int
tcp_connect(int sock_id)
{
	tcp_t *tcp;
	in_addr_t dstaddr;
	in_port_t dstport;
	tcph_t	*tcph;
	int mss;
	mblk_t *syn_mp;

	if ((tcp = (tcp_t *)(sockets[sock_id].pcb)) == NULL) {
		errno = EINVAL;
		return (-1);
	}

	TCP_RUN_TIME_WAIT_COLLECTOR();

	dstaddr = sockets[sock_id].remote.sin_addr.s_addr;
	dstport = sockets[sock_id].remote.sin_port;

	/*
	 * Check for attempt to connect to INADDR_ANY or non-unicast addrress.
	 * We don't have enough info to check for broadcast addr, except
	 * for the all 1 broadcast.
	 */
	if (dstaddr == INADDR_ANY || IN_CLASSD(ntohl(dstaddr)) ||
	    dstaddr == INADDR_BROADCAST)  {
		/*
		 * SunOS 4.x and 4.3 BSD allow an application
		 * to connect a TCP socket to INADDR_ANY.
		 * When they do this, the kernel picks the
		 * address of one interface and uses it
		 * instead.  The kernel usually ends up
		 * picking the address of the loopback
		 * interface.  This is an undocumented feature.
		 * However, we provide the same thing here
		 * in order to have source and binary
		 * compatibility with SunOS 4.x.
		 * Update the T_CONN_REQ (sin/sin6) since it is used to
		 * generate the T_CONN_CON.
		 *
		 * Fail this for inetboot TCP.
		 */
		errno = EINVAL;
		return (-1);
	}

	/* It is not bound to any address yet... */
	if (tcp->tcp_bound_source == INADDR_ANY) {
		ipv4_getipaddr(&(sockets[sock_id].bind.sin_addr));
		/* We don't have an address! */
		if (ntohl(sockets[sock_id].bind.sin_addr.s_addr) ==
		    INADDR_ANY) {
			errno = EPROTO;
			return (-1);
		}
		tcp->tcp_bound_source = sockets[sock_id].bind.sin_addr.s_addr;
		tcp->tcp_ipha->ip_src.s_addr = tcp->tcp_bound_source;
	}

	/*
	 * Don't let an endpoint connect to itself.
	 */
	if (dstaddr == tcp->tcp_ipha->ip_src.s_addr &&
	    dstport == tcp->tcp_lport) {
		errno = EINVAL;
		return (-1);
	}

	tcp->tcp_ipha->ip_dst.s_addr = dstaddr;
	tcp->tcp_remote = dstaddr;
	tcph = tcp->tcp_tcph;
	*(uint16_t *)tcph->th_fport = dstport;
	tcp->tcp_fport = dstport;

	/*
	 * Don't allow this connection to completely duplicate
	 * an existing connection.
	 */
	if (tcp_conn_check(tcp) < 0) {
		errno = EADDRINUSE;
		return (-1);
	}

	/*
	 * Just make sure our rwnd is at
	 * least tcp_recv_hiwat_mss * MSS
	 * large, and round up to the nearest
	 * MSS.
	 *
	 * We do the round up here because
	 * we need to get the interface
	 * MTU first before we can do the
	 * round up.
	 */
	mss = tcp->tcp_mss - tcp->tcp_hdr_len;
	tcp->tcp_rwnd = MAX(MSS_ROUNDUP(tcp->tcp_rwnd, mss),
	    tcp_recv_hiwat_minmss * mss);
	tcp->tcp_rwnd_max = tcp->tcp_rwnd;
	SET_WS_VALUE(tcp);
	U32_TO_ABE16((tcp->tcp_rwnd >> tcp->tcp_rcv_ws),
	    tcp->tcp_tcph->th_win);
	if (tcp->tcp_rcv_ws > 0 || tcp_wscale_always)
		tcp->tcp_snd_ws_ok = B_TRUE;

	/*
	 * Set tcp_snd_ts_ok to true
	 * so that tcp_xmit_mp will
	 * include the timestamp
	 * option in the SYN segment.
	 */
	if (tcp_tstamp_always ||
	    (tcp->tcp_rcv_ws && tcp_tstamp_if_wscale)) {
		tcp->tcp_snd_ts_ok = B_TRUE;
	}

	if (tcp_sack_permitted == 2 ||
	    tcp->tcp_snd_sack_ok) {
		assert(tcp->tcp_sack_info == NULL);
		if ((tcp->tcp_sack_info = (tcp_sack_info_t *)bkmem_zalloc(
		    sizeof (tcp_sack_info_t))) == NULL) {
			tcp->tcp_snd_sack_ok = B_FALSE;
		} else {
			tcp->tcp_snd_sack_ok = B_TRUE;
		}
	}
	/*
	 * Should we use ECN?  Note that the current
	 * default value (SunOS 5.9) of tcp_ecn_permitted
	 * is 2.  The reason for doing this is that there
	 * are equipments out there that will drop ECN
	 * enabled IP packets.  Setting it to 1 avoids
	 * compatibility problems.
	 */
	if (tcp_ecn_permitted == 2)
		tcp->tcp_ecn_ok = B_TRUE;

	tcp_iss_init(tcp);
	TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
	tcp->tcp_active_open = B_TRUE;

	tcp->tcp_state = TCPS_SYN_SENT;
	syn_mp = tcp_xmit_mp(tcp, NULL, 0, NULL, NULL, tcp->tcp_iss, B_FALSE,
	    NULL, B_FALSE);
	if (syn_mp != NULL) {
		int ret;

		/* Dump the packet when debugging. */
		TCP_DUMP_PACKET("tcp_connect", syn_mp);
		/* Send out the SYN packet. */
		ret = ipv4_tcp_output(sock_id, syn_mp);
		freeb(syn_mp);
		/*
		 * errno ETIMEDOUT is set by the mac driver
		 * in case it is not able to receive ARP reply.
		 * TCP will retransmit this segment so we can
		 * ignore the ARP timeout.
		 */
		if ((ret < 0) && (errno != ETIMEDOUT)) {
			return (-1);
		}
		/* tcp_state_wait() will finish the 3 way handshake. */
		return (tcp_state_wait(sock_id, tcp, TCPS_ESTABLISHED));
	} else {
		errno = ENOBUFS;
		return (-1);
	}
}

/*
 * Common accept code.  Called by tcp_conn_request.
 * cr_pkt is the SYN packet.
 */
static int
tcp_accept_comm(tcp_t *listener, tcp_t *acceptor, mblk_t *cr_pkt,
    uint_t ip_hdr_len)
{
	tcph_t		*tcph;

#ifdef DEBUG
	printf("tcp_accept_comm #######################\n");
#endif

	/*
	 * When we get here, we know that the acceptor header template
	 * has already been initialized.
	 * However, it may not match the listener if the listener
	 * includes options...
	 * It may also not match the listener if the listener is v6 and
	 * and the acceptor is v4
	 */
	acceptor->tcp_lport = listener->tcp_lport;

	if (listener->tcp_ipversion == acceptor->tcp_ipversion) {
		if (acceptor->tcp_iphc_len != listener->tcp_iphc_len) {
			/*
			 * Listener had options of some sort; acceptor inherits.
			 * Free up the acceptor template and allocate one
			 * of the right size.
			 */
			bkmem_free(acceptor->tcp_iphc, acceptor->tcp_iphc_len);
			acceptor->tcp_iphc = bkmem_zalloc(
			    listener->tcp_iphc_len);
			if (acceptor->tcp_iphc == NULL) {
				acceptor->tcp_iphc_len = 0;
				return (ENOMEM);
			}
			acceptor->tcp_iphc_len = listener->tcp_iphc_len;
		}
		acceptor->tcp_hdr_len = listener->tcp_hdr_len;
		acceptor->tcp_ip_hdr_len = listener->tcp_ip_hdr_len;
		acceptor->tcp_tcp_hdr_len = listener->tcp_tcp_hdr_len;

		/*
		 * Copy the IP+TCP header template from listener to acceptor
		 */
		bcopy(listener->tcp_iphc, acceptor->tcp_iphc,
		    listener->tcp_hdr_len);
		acceptor->tcp_ipha = (struct ip *)acceptor->tcp_iphc;
		acceptor->tcp_tcph = (tcph_t *)(acceptor->tcp_iphc +
		    acceptor->tcp_ip_hdr_len);
	} else {
		prom_panic("tcp_accept_comm: version not equal");
	}

	/* Copy our new dest and fport from the connection request packet */
	if (acceptor->tcp_ipversion == IPV4_VERSION) {
		struct ip *ipha;

		ipha = (struct ip *)cr_pkt->b_rptr;
		acceptor->tcp_ipha->ip_dst = ipha->ip_src;
		acceptor->tcp_remote = ipha->ip_src.s_addr;
		acceptor->tcp_ipha->ip_src = ipha->ip_dst;
		acceptor->tcp_bound_source = ipha->ip_dst.s_addr;
		tcph = (tcph_t *)&cr_pkt->b_rptr[ip_hdr_len];
	} else {
		prom_panic("tcp_accept_comm: not IPv4");
	}
	bcopy(tcph->th_lport, acceptor->tcp_tcph->th_fport, sizeof (in_port_t));
	bcopy(acceptor->tcp_tcph->th_fport, &acceptor->tcp_fport,
	    sizeof (in_port_t));
	/*
	 * For an all-port proxy listener, the local port is determined by
	 * the port number field in the SYN packet.
	 */
	if (listener->tcp_lport == 0) {
		acceptor->tcp_lport = *(in_port_t *)tcph->th_fport;
		bcopy(tcph->th_fport, acceptor->tcp_tcph->th_lport,
		    sizeof (in_port_t));
	}
	/* Inherit various TCP parameters from the listener */
	acceptor->tcp_naglim = listener->tcp_naglim;
	acceptor->tcp_first_timer_threshold =
	    listener->tcp_first_timer_threshold;
	acceptor->tcp_second_timer_threshold =
	    listener->tcp_second_timer_threshold;

	acceptor->tcp_first_ctimer_threshold =
	    listener->tcp_first_ctimer_threshold;
	acceptor->tcp_second_ctimer_threshold =
	    listener->tcp_second_ctimer_threshold;

	acceptor->tcp_xmit_hiwater = listener->tcp_xmit_hiwater;

	acceptor->tcp_state = TCPS_LISTEN;
	tcp_iss_init(acceptor);

	/* Process all TCP options. */
	tcp_process_options(acceptor, tcph);

	/* Is the other end ECN capable? */
	if (tcp_ecn_permitted >= 1 &&
	    (tcph->th_flags[0] & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
		acceptor->tcp_ecn_ok = B_TRUE;
	}

	/*
	 * listener->tcp_rq->q_hiwat should be the default window size or a
	 * window size changed via SO_RCVBUF option.  First round up the
	 * acceptor's tcp_rwnd to the nearest MSS.  Then find out the window
	 * scale option value if needed.  Call tcp_rwnd_set() to finish the
	 * setting.
	 *
	 * Note if there is a rpipe metric associated with the remote host,
	 * we should not inherit receive window size from listener.
	 */
	acceptor->tcp_rwnd = MSS_ROUNDUP(
	    (acceptor->tcp_rwnd == 0 ? listener->tcp_rwnd_max :
	    acceptor->tcp_rwnd), acceptor->tcp_mss);
	if (acceptor->tcp_snd_ws_ok)
		SET_WS_VALUE(acceptor);
	/*
	 * Note that this is the only place tcp_rwnd_set() is called for
	 * accepting a connection.  We need to call it here instead of
	 * after the 3-way handshake because we need to tell the other
	 * side our rwnd in the SYN-ACK segment.
	 */
	(void) tcp_rwnd_set(acceptor, acceptor->tcp_rwnd);

	return (0);
}

/*
 * Defense for the SYN attack -
 * 1. When q0 is full, drop from the tail (tcp_eager_prev_q0) the oldest
 *    one that doesn't have the dontdrop bit set.
 * 2. Don't drop a SYN request before its first timeout. This gives every
 *    request at least til the first timeout to complete its 3-way handshake.
 * 3. The current threshold is - # of timeout > q0len/4 => SYN alert on
 *    # of timeout drops back to <= q0len/32 => SYN alert off
 */
static boolean_t
tcp_drop_q0(tcp_t *tcp)
{
	tcp_t	*eager;

	assert(tcp->tcp_eager_next_q0 != tcp->tcp_eager_prev_q0);
	/*
	 * New one is added after next_q0 so prev_q0 points to the oldest
	 * Also do not drop any established connections that are deferred on
	 * q0 due to q being full
	 */

	eager = tcp->tcp_eager_prev_q0;
	while (eager->tcp_dontdrop || eager->tcp_conn_def_q0) {
		/* XXX should move the eager to the head */
		eager = eager->tcp_eager_prev_q0;
		if (eager == tcp) {
			eager = tcp->tcp_eager_prev_q0;
			break;
		}
	}
	dprintf("tcp_drop_q0: listen half-open queue (max=%d) overflow"
	    " (%d pending) on %s, drop one", tcp_conn_req_max_q0,
	    tcp->tcp_conn_req_cnt_q0,
	    tcp_display(tcp, NULL, DISP_PORT_ONLY));

	BUMP_MIB(tcp_mib.tcpHalfOpenDrop);
	bkmem_free((caddr_t)eager, sizeof (tcp_t));
	return (B_TRUE);
}

/* ARGSUSED */
static tcp_t *
tcp_conn_request(tcp_t *tcp, mblk_t *mp, uint_t sock_id, uint_t ip_hdr_len)
{
	tcp_t	*eager;
	struct ip *ipha;
	int	err;

#ifdef DEBUG
	printf("tcp_conn_request ###################\n");
#endif

	if (tcp->tcp_conn_req_cnt_q >= tcp->tcp_conn_req_max) {
		BUMP_MIB(tcp_mib.tcpListenDrop);
		dprintf("tcp_conn_request: listen backlog (max=%d) "
		    "overflow (%d pending) on %s",
		    tcp->tcp_conn_req_max, tcp->tcp_conn_req_cnt_q,
		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
		return (NULL);
	}

	assert(OK_32PTR(mp->b_rptr));

	if (tcp->tcp_conn_req_cnt_q0 >=
	    tcp->tcp_conn_req_max + tcp_conn_req_max_q0) {
		/*
		 * Q0 is full. Drop a pending half-open req from the queue
		 * to make room for the new SYN req. Also mark the time we
		 * drop a SYN.
		 */
		tcp->tcp_last_rcv_lbolt = prom_gettime();
		if (!tcp_drop_q0(tcp)) {
			freemsg(mp);
			BUMP_MIB(tcp_mib.tcpListenDropQ0);
			dprintf("tcp_conn_request: listen half-open queue "
			    "(max=%d) full (%d pending) on %s",
			    tcp_conn_req_max_q0,
			    tcp->tcp_conn_req_cnt_q0,
			    tcp_display(tcp, NULL, DISP_PORT_ONLY));
			return (NULL);
		}
	}

	ipha = (struct ip *)mp->b_rptr;
	if (IN_CLASSD(ntohl(ipha->ip_src.s_addr)) ||
	    ipha->ip_src.s_addr == INADDR_BROADCAST ||
	    ipha->ip_src.s_addr == INADDR_ANY ||
	    ipha->ip_dst.s_addr == INADDR_BROADCAST) {
		freemsg(mp);
		return (NULL);
	}
	/*
	 * We allow the connection to proceed
	 * by generating a detached tcp state vector and put it in
	 * the eager queue.  When an accept happens, it will be
	 * dequeued sequentially.
	 */
	if ((eager = (tcp_t *)bkmem_alloc(sizeof (tcp_t))) == NULL) {
		freemsg(mp);
		errno = ENOBUFS;
		return (NULL);
	}
	if ((errno = tcp_init_values(eager, NULL)) != 0) {
		freemsg(mp);
		bkmem_free((caddr_t)eager, sizeof (tcp_t));
		return (NULL);
	}

	/*
	 * Eager connection inherits address form from its listener,
	 * but its packet form comes from the version of the received
	 * SYN segment.
	 */
	eager->tcp_family = tcp->tcp_family;

	err = tcp_accept_comm(tcp, eager, mp, ip_hdr_len);
	if (err) {
		bkmem_free((caddr_t)eager, sizeof (tcp_t));
		return (NULL);
	}

	tcp->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
	eager->tcp_eager_next_q0 = tcp->tcp_eager_next_q0;
	tcp->tcp_eager_next_q0 = eager;
	eager->tcp_eager_prev_q0 = tcp;

	/* Set tcp_listener before adding it to tcp_conn_fanout */
	eager->tcp_listener = tcp;
	tcp->tcp_conn_req_cnt_q0++;

	return (eager);
}

/*
 * To get around the non-interrupt problem of inetboot.
 * Keep on processing packets until a certain state is reached or the
 * TCP is destroyed because of getting a RST packet.
 */
static int
tcp_state_wait(int sock_id, tcp_t *tcp, int state)
{
	int i;
	struct inetgram *in_gram;
	mblk_t *mp;
	int timeout;
	boolean_t changed = B_FALSE;

	/*
	 * We need to make sure that the MAC does not wait longer
	 * than RTO for any packet so that TCP can do retransmission.
	 * But if the MAC timeout is less than tcp_rto, we are fine
	 * and do not need to change it.
	 */
	timeout = sockets[sock_id].in_timeout;
	if (timeout > tcp->tcp_rto) {
		sockets[sock_id].in_timeout = tcp->tcp_rto;
		changed = B_TRUE;
	}
retry:
	if (sockets[sock_id].inq == NULL) {
		/* Go out and check the wire */
		for (i = MEDIA_LVL; i < TRANSPORT_LVL; i++) {
			if (sockets[sock_id].input[i] != NULL) {
				if (sockets[sock_id].input[i](sock_id) < 0) {
					if (changed) {
						sockets[sock_id].in_timeout =
						    timeout;
					}
					return (-1);
				}
			}
		}
	}

	while ((in_gram = sockets[sock_id].inq) != NULL) {
		if (tcp != NULL && tcp->tcp_state == state)
			break;

		/* Remove unknown inetgrams from the head of inq. */
		if (in_gram->igm_level != TRANSPORT_LVL) {
#ifdef DEBUG
			printf("tcp_state_wait for state %d: unexpected "
			    "packet level %d frame found\n", state,
			    in_gram->igm_level);
#endif
			del_gram(&sockets[sock_id].inq, in_gram, B_TRUE);
			continue;
		}
		mp = in_gram->igm_mp;
		del_gram(&sockets[sock_id].inq, in_gram, B_FALSE);
		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
		tcp_rput_data(tcp, mp, sock_id);

		/*
		 * The other side may have closed this connection or
		 * RST us.  But we need to continue to process other
		 * packets in the socket's queue because they may be
		 * belong to another TCP connections.
		 */
		if (sockets[sock_id].pcb == NULL) {
			tcp = NULL;
		}
	}

	/* If the other side has closed the connection, just return. */
	if (tcp == NULL || sockets[sock_id].pcb == NULL) {
#ifdef DEBUG
		printf("tcp_state_wait other side dead: state %d "
		    "error %d\n", state, sockets[sock_id].so_error);
#endif
		if (sockets[sock_id].so_error != 0)
			return (-1);
		else
			return (0);
	}
	/*
	 * TCPS_ALL_ACKED is not a valid TCP state, it is just used as an
	 * indicator to tcp_state_wait to mean that it is being called
	 * to wait till we have received acks for all the new segments sent.
	 */
	if ((state == TCPS_ALL_ACKED) && (tcp->tcp_suna == tcp->tcp_snxt)) {
		goto done;
	}
	if (tcp->tcp_state != state) {
		if (prom_gettime() > tcp->tcp_rto_timeout)
			tcp_timer(tcp, sock_id);
		goto retry;
	}
done:
	if (changed)
		sockets[sock_id].in_timeout = timeout;

	tcp_drain_needed(sock_id, tcp);
	return (0);
}

/* Verify the checksum of a segment. */
static int
tcp_verify_cksum(mblk_t *mp)
{
	struct ip *iph;
	tcpha_t *tcph;
	int len;
	uint16_t old_sum;

	iph = (struct ip *)mp->b_rptr;
	tcph = (tcpha_t *)(iph + 1);
	len = ntohs(iph->ip_len);

	/*
	 * Calculate the TCP checksum.  Need to include the psuedo header,
	 * which is similar to the real IP header starting at the TTL field.
	 */
	iph->ip_sum = htons(len - IP_SIMPLE_HDR_LENGTH);
	old_sum = tcph->tha_sum;
	tcph->tha_sum = 0;
	iph->ip_ttl = 0;
	if (old_sum == tcp_cksum((uint16_t *)&(iph->ip_ttl),
	    len - IP_SIMPLE_HDR_LENGTH + 12)) {
		return (0);
	} else {
		tcp_cksum_errors++;
		return (-1);
	}
}

/* To find a TCP connection matching the incoming segment. */
static tcp_t *
tcp_lookup_ipv4(struct ip *iph, tcpha_t *tcph, int min_state, int *sock_id)
{
	int i;
	tcp_t *tcp;

	for (i = 0; i < MAXSOCKET; i++) {
		if (sockets[i].type == INETBOOT_STREAM &&
		    (tcp = (tcp_t *)sockets[i].pcb) != NULL) {
			if (tcph->tha_lport == tcp->tcp_fport &&
			    tcph->tha_fport == tcp->tcp_lport &&
			    iph->ip_src.s_addr == tcp->tcp_remote &&
			    iph->ip_dst.s_addr == tcp->tcp_bound_source &&
			    tcp->tcp_state >= min_state) {
				*sock_id = i;
				return (tcp);
			}
		}
	}
	/* Find it in the time wait list. */
	for (tcp = tcp_time_wait_head; tcp != NULL;
	    tcp = tcp->tcp_time_wait_next) {
		if (tcph->tha_lport == tcp->tcp_fport &&
		    tcph->tha_fport == tcp->tcp_lport &&
		    iph->ip_src.s_addr == tcp->tcp_remote &&
		    iph->ip_dst.s_addr == tcp->tcp_bound_source &&
		    tcp->tcp_state >= min_state) {
			*sock_id = -1;
			return (tcp);
		}
	}
	return (NULL);
}

/* To find a TCP listening connection matching the incoming segment. */
static tcp_t *
tcp_lookup_listener_ipv4(in_addr_t addr, in_port_t port, int *sock_id)
{
	int i;
	tcp_t *tcp;

	for (i = 0; i < MAXSOCKET; i++) {
		if (sockets[i].type == INETBOOT_STREAM &&
		    (tcp = (tcp_t *)sockets[i].pcb) != NULL) {
			if (tcp->tcp_lport == port &&
			    (tcp->tcp_bound_source == addr ||
			    tcp->tcp_bound_source == INADDR_ANY)) {
				*sock_id = i;
				return (tcp);
			}
		}
	}

	return (NULL);
}

/* To find a TCP eager matching the incoming segment. */
static tcp_t *
tcp_lookup_eager_ipv4(tcp_t *listener, struct ip *iph, tcpha_t *tcph)
{
	tcp_t *tcp;

#ifdef DEBUG
	printf("tcp_lookup_eager_ipv4 ###############\n");
#endif
	for (tcp = listener->tcp_eager_next_q; tcp != NULL;
	    tcp = tcp->tcp_eager_next_q) {
		if (tcph->tha_lport == tcp->tcp_fport &&
		    tcph->tha_fport == tcp->tcp_lport &&
		    iph->ip_src.s_addr == tcp->tcp_remote &&
		    iph->ip_dst.s_addr == tcp->tcp_bound_source) {
			return (tcp);
		}
	}

	for (tcp = listener->tcp_eager_next_q0; tcp != listener;
	    tcp = tcp->tcp_eager_next_q0) {
		if (tcph->tha_lport == tcp->tcp_fport &&
		    tcph->tha_fport == tcp->tcp_lport &&
		    iph->ip_src.s_addr == tcp->tcp_remote &&
		    iph->ip_dst.s_addr == tcp->tcp_bound_source) {
			return (tcp);
		}
	}
#ifdef DEBUG
	printf("No eager found\n");
#endif
	return (NULL);
}

/* To destroy a TCP control block. */
static void
tcp_clean_death(int sock_id, tcp_t *tcp, int err)
{
	tcp_free(tcp);
	if (tcp->tcp_state == TCPS_TIME_WAIT)
		tcp_time_wait_remove(tcp);

	if (sock_id >= 0) {
		sockets[sock_id].pcb = NULL;
		if (err != 0)
			sockets[sock_id].so_error = err;
	}
	bkmem_free((caddr_t)tcp, sizeof (tcp_t));
}

/*
 * tcp_rwnd_set() is called to adjust the receive window to a desired value.
 * We do not allow the receive window to shrink.  After setting rwnd,
 * set the flow control hiwat of the stream.
 *
 * This function is called in 2 cases:
 *
 * 1) Before data transfer begins, in tcp_accept_comm() for accepting a
 *    connection (passive open) and in tcp_rput_data() for active connect.
 *    This is called after tcp_mss_set() when the desired MSS value is known.
 *    This makes sure that our window size is a mutiple of the other side's
 *    MSS.
 * 2) Handling SO_RCVBUF option.
 *
 * It is ASSUMED that the requested size is a multiple of the current MSS.
 *
 * XXX - Should allow a lower rwnd than tcp_recv_hiwat_minmss * mss if the
 * user requests so.
 */
static int
tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
{
	uint32_t	mss = tcp->tcp_mss;
	uint32_t	old_max_rwnd;
	uint32_t	max_transmittable_rwnd;

	if (tcp->tcp_rwnd_max != 0)
		old_max_rwnd = tcp->tcp_rwnd_max;
	else
		old_max_rwnd = tcp->tcp_rwnd;

	/*
	 * Insist on a receive window that is at least
	 * tcp_recv_hiwat_minmss * MSS (default 4 * MSS) to avoid
	 * funny TCP interactions of Nagle algorithm, SWS avoidance
	 * and delayed acknowledgement.
	 */
	rwnd = MAX(rwnd, tcp_recv_hiwat_minmss * mss);

	/*
	 * If window size info has already been exchanged, TCP should not
	 * shrink the window.  Shrinking window is doable if done carefully.
	 * We may add that support later.  But so far there is not a real
	 * need to do that.
	 */
	if (rwnd < old_max_rwnd && tcp->tcp_state > TCPS_SYN_SENT) {
		/* MSS may have changed, do a round up again. */
		rwnd = MSS_ROUNDUP(old_max_rwnd, mss);
	}

	/*
	 * tcp_rcv_ws starts with TCP_MAX_WINSHIFT so the following check
	 * can be applied even before the window scale option is decided.
	 */
	max_transmittable_rwnd = TCP_MAXWIN << tcp->tcp_rcv_ws;
	if (rwnd > max_transmittable_rwnd) {
		rwnd = max_transmittable_rwnd -
		    (max_transmittable_rwnd % mss);
		if (rwnd < mss)
			rwnd = max_transmittable_rwnd;
		/*
		 * If we're over the limit we may have to back down tcp_rwnd.
		 * The increment below won't work for us. So we set all three
		 * here and the increment below will have no effect.
		 */
		tcp->tcp_rwnd = old_max_rwnd = rwnd;
	}

	/*
	 * Increment the current rwnd by the amount the maximum grew (we
	 * can not overwrite it since we might be in the middle of a
	 * connection.)
	 */
	tcp->tcp_rwnd += rwnd - old_max_rwnd;
	U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws, tcp->tcp_tcph->th_win);
	if ((tcp->tcp_rcv_ws > 0) && rwnd > tcp->tcp_cwnd_max)
		tcp->tcp_cwnd_max = rwnd;
	tcp->tcp_rwnd_max = rwnd;

	return (rwnd);
}

/*
 * Extract option values from a tcp header.  We put any found values into the
 * tcpopt struct and return a bitmask saying which options were found.
 */
static int
tcp_parse_options(tcph_t *tcph, tcp_opt_t *tcpopt)
{
	uchar_t		*endp;
	int		len;
	uint32_t	mss;
	uchar_t		*up = (uchar_t *)tcph;
	int		found = 0;
	int32_t		sack_len;
	tcp_seq		sack_begin, sack_end;
	tcp_t		*tcp;

	endp = up + TCP_HDR_LENGTH(tcph);
	up += TCP_MIN_HEADER_LENGTH;
	while (up < endp) {
		len = endp - up;
		switch (*up) {
		case TCPOPT_EOL:
			break;

		case TCPOPT_NOP:
			up++;
			continue;

		case TCPOPT_MAXSEG:
			if (len < TCPOPT_MAXSEG_LEN ||
			    up[1] != TCPOPT_MAXSEG_LEN)
				break;

			mss = BE16_TO_U16(up+2);
			/* Caller must handle tcp_mss_min and tcp_mss_max_* */
			tcpopt->tcp_opt_mss = mss;
			found |= TCP_OPT_MSS_PRESENT;

			up += TCPOPT_MAXSEG_LEN;
			continue;

		case TCPOPT_WSCALE:
			if (len < TCPOPT_WS_LEN || up[1] != TCPOPT_WS_LEN)
				break;

			if (up[2] > TCP_MAX_WINSHIFT)
				tcpopt->tcp_opt_wscale = TCP_MAX_WINSHIFT;
			else
				tcpopt->tcp_opt_wscale = up[2];
			found |= TCP_OPT_WSCALE_PRESENT;

			up += TCPOPT_WS_LEN;
			continue;

		case TCPOPT_SACK_PERMITTED:
			if (len < TCPOPT_SACK_OK_LEN ||
			    up[1] != TCPOPT_SACK_OK_LEN)
				break;
			found |= TCP_OPT_SACK_OK_PRESENT;
			up += TCPOPT_SACK_OK_LEN;
			continue;

		case TCPOPT_SACK:
			if (len <= 2 || up[1] <= 2 || len < up[1])
				break;

			/* If TCP is not interested in SACK blks... */
			if ((tcp = tcpopt->tcp) == NULL) {
				up += up[1];
				continue;
			}
			sack_len = up[1] - TCPOPT_HEADER_LEN;
			up += TCPOPT_HEADER_LEN;

			/*
			 * If the list is empty, allocate one and assume
			 * nothing is sack'ed.
			 */
			assert(tcp->tcp_sack_info != NULL);
			if (tcp->tcp_notsack_list == NULL) {
				tcp_notsack_update(&(tcp->tcp_notsack_list),
				    tcp->tcp_suna, tcp->tcp_snxt,
				    &(tcp->tcp_num_notsack_blk),
				    &(tcp->tcp_cnt_notsack_list));

				/*
				 * Make sure tcp_notsack_list is not NULL.
				 * This happens when kmem_alloc(KM_NOSLEEP)
				 * returns NULL.
				 */
				if (tcp->tcp_notsack_list == NULL) {
					up += sack_len;
					continue;
				}
				tcp->tcp_fack = tcp->tcp_suna;
			}

			while (sack_len > 0) {
				if (up + 8 > endp) {
					up = endp;
					break;
				}
				sack_begin = BE32_TO_U32(up);
				up += 4;
				sack_end = BE32_TO_U32(up);
				up += 4;
				sack_len -= 8;
				/*
				 * Bounds checking.  Make sure the SACK
				 * info is within tcp_suna and tcp_snxt.
				 * If this SACK blk is out of bound, ignore
				 * it but continue to parse the following
				 * blks.
				 */
				if (SEQ_LEQ(sack_end, sack_begin) ||
				    SEQ_LT(sack_begin, tcp->tcp_suna) ||
				    SEQ_GT(sack_end, tcp->tcp_snxt)) {
					continue;
				}
				tcp_notsack_insert(&(tcp->tcp_notsack_list),
				    sack_begin, sack_end,
				    &(tcp->tcp_num_notsack_blk),
				    &(tcp->tcp_cnt_notsack_list));
				if (SEQ_GT(sack_end, tcp->tcp_fack)) {
					tcp->tcp_fack = sack_end;
				}
			}
			found |= TCP_OPT_SACK_PRESENT;
			continue;

		case TCPOPT_TSTAMP:
			if (len < TCPOPT_TSTAMP_LEN ||
			    up[1] != TCPOPT_TSTAMP_LEN)
				break;

			tcpopt->tcp_opt_ts_val = BE32_TO_U32(up+2);
			tcpopt->tcp_opt_ts_ecr = BE32_TO_U32(up+6);

			found |= TCP_OPT_TSTAMP_PRESENT;

			up += TCPOPT_TSTAMP_LEN;
			continue;

		default:
			if (len <= 1 || len < (int)up[1] || up[1] == 0)
				break;
			up += up[1];
			continue;
		}
		break;
	}
	return (found);
}

/*
 * Set the mss associated with a particular tcp based on its current value,
 * and a new one passed in. Observe minimums and maximums, and reset
 * other state variables that we want to view as multiples of mss.
 *
 * This function is called in various places mainly because
 * 1) Various stuffs, tcp_mss, tcp_cwnd, ... need to be adjusted when the
 *    other side's SYN/SYN-ACK packet arrives.
 * 2) PMTUd may get us a new MSS.
 * 3) If the other side stops sending us timestamp option, we need to
 *    increase the MSS size to use the extra bytes available.
 */
static void
tcp_mss_set(tcp_t *tcp, uint32_t mss)
{
	uint32_t	mss_max;

	mss_max = tcp_mss_max_ipv4;

	if (mss < tcp_mss_min)
		mss = tcp_mss_min;
	if (mss > mss_max)
		mss = mss_max;
	/*
	 * Unless naglim has been set by our client to
	 * a non-mss value, force naglim to track mss.
	 * This can help to aggregate small writes.
	 */
	if (mss < tcp->tcp_naglim || tcp->tcp_mss == tcp->tcp_naglim)
		tcp->tcp_naglim = mss;
	/*
	 * TCP should be able to buffer at least 4 MSS data for obvious
	 * performance reason.
	 */
	if ((mss << 2) > tcp->tcp_xmit_hiwater)
		tcp->tcp_xmit_hiwater = mss << 2;
	tcp->tcp_mss = mss;
	/*
	 * Initialize cwnd according to draft-floyd-incr-init-win-01.txt.
	 * Previously, we use tcp_slow_start_initial to control the size
	 * of the initial cwnd.  Now, when tcp_slow_start_initial * mss
	 * is smaller than the cwnd calculated from the formula suggested in
	 * the draft, we use tcp_slow_start_initial * mss as the cwnd.
	 * Otherwise, use the cwnd from the draft's formula.  The default
	 * of tcp_slow_start_initial is 2.
	 */
	tcp->tcp_cwnd = MIN(tcp_slow_start_initial * mss,
	    MIN(4 * mss, MAX(2 * mss, 4380 / mss * mss)));
	tcp->tcp_cwnd_cnt = 0;
}

/*
 * Process all TCP option in SYN segment.
 *
 * This function sets up the correct tcp_mss value according to the
 * MSS option value and our header size.  It also sets up the window scale
 * and timestamp values, and initialize SACK info blocks.  But it does not
 * change receive window size after setting the tcp_mss value.  The caller
 * should do the appropriate change.
 */
void
tcp_process_options(tcp_t *tcp, tcph_t *tcph)
{
	int options;
	tcp_opt_t tcpopt;
	uint32_t mss_max;
	char *tmp_tcph;

	tcpopt.tcp = NULL;
	options = tcp_parse_options(tcph, &tcpopt);

	/*
	 * Process MSS option.  Note that MSS option value does not account
	 * for IP or TCP options.  This means that it is equal to MTU - minimum
	 * IP+TCP header size, which is 40 bytes for IPv4 and 60 bytes for
	 * IPv6.
	 */
	if (!(options & TCP_OPT_MSS_PRESENT)) {
		tcpopt.tcp_opt_mss = tcp_mss_def_ipv4;
	} else {
		if (tcp->tcp_ipversion == IPV4_VERSION)
			mss_max = tcp_mss_max_ipv4;
		if (tcpopt.tcp_opt_mss < tcp_mss_min)
			tcpopt.tcp_opt_mss = tcp_mss_min;
		else if (tcpopt.tcp_opt_mss > mss_max)
			tcpopt.tcp_opt_mss = mss_max;
	}

	/* Process Window Scale option. */
	if (options & TCP_OPT_WSCALE_PRESENT) {
		tcp->tcp_snd_ws = tcpopt.tcp_opt_wscale;
		tcp->tcp_snd_ws_ok = B_TRUE;
	} else {
		tcp->tcp_snd_ws = B_FALSE;
		tcp->tcp_snd_ws_ok = B_FALSE;
		tcp->tcp_rcv_ws = B_FALSE;
	}

	/* Process Timestamp option. */
	if ((options & TCP_OPT_TSTAMP_PRESENT) &&
	    (tcp->tcp_snd_ts_ok || !tcp->tcp_active_open)) {
		tmp_tcph = (char *)tcp->tcp_tcph;

		tcp->tcp_snd_ts_ok = B_TRUE;
		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
		tcp->tcp_last_rcv_lbolt = prom_gettime();
		assert(OK_32PTR(tmp_tcph));
		assert(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);

		/* Fill in our template header with basic timestamp option. */
		tmp_tcph += tcp->tcp_tcp_hdr_len;
		tmp_tcph[0] = TCPOPT_NOP;
		tmp_tcph[1] = TCPOPT_NOP;
		tmp_tcph[2] = TCPOPT_TSTAMP;
		tmp_tcph[3] = TCPOPT_TSTAMP_LEN;
		tcp->tcp_hdr_len += TCPOPT_REAL_TS_LEN;
		tcp->tcp_tcp_hdr_len += TCPOPT_REAL_TS_LEN;
		tcp->tcp_tcph->th_offset_and_rsrvd[0] += (3 << 4);
	} else {
		tcp->tcp_snd_ts_ok = B_FALSE;
	}

	/*
	 * Process SACK options.  If SACK is enabled for this connection,
	 * then allocate the SACK info structure.
	 */
	if ((options & TCP_OPT_SACK_OK_PRESENT) &&
	    (tcp->tcp_snd_sack_ok ||
	    (tcp_sack_permitted != 0 && !tcp->tcp_active_open))) {
		/* This should be true only in the passive case. */
		if (tcp->tcp_sack_info == NULL) {
			tcp->tcp_sack_info = (tcp_sack_info_t *)bkmem_zalloc(
			    sizeof (tcp_sack_info_t));
		}
		if (tcp->tcp_sack_info == NULL) {
			tcp->tcp_snd_sack_ok = B_FALSE;
		} else {
			tcp->tcp_snd_sack_ok = B_TRUE;
			if (tcp->tcp_snd_ts_ok) {
				tcp->tcp_max_sack_blk = 3;
			} else {
				tcp->tcp_max_sack_blk = 4;
			}
		}
	} else {
		/*
		 * Resetting tcp_snd_sack_ok to B_FALSE so that
		 * no SACK info will be used for this
		 * connection.  This assumes that SACK usage
		 * permission is negotiated.  This may need
		 * to be changed once this is clarified.
		 */
		if (tcp->tcp_sack_info != NULL) {
			bkmem_free((caddr_t)tcp->tcp_sack_info,
			    sizeof (tcp_sack_info_t));
			tcp->tcp_sack_info = NULL;
		}
		tcp->tcp_snd_sack_ok = B_FALSE;
	}

	/*
	 * Now we know the exact TCP/IP header length, subtract
	 * that from tcp_mss to get our side's MSS.
	 */
	tcp->tcp_mss -= tcp->tcp_hdr_len;
	/*
	 * Here we assume that the other side's header size will be equal to
	 * our header size.  We calculate the real MSS accordingly.  Need to
	 * take into additional stuffs IPsec puts in.
	 *
	 * Real MSS = Opt.MSS - (our TCP/IP header - min TCP/IP header)
	 */
	tcpopt.tcp_opt_mss -= tcp->tcp_hdr_len -
	    (IP_SIMPLE_HDR_LENGTH + TCP_MIN_HEADER_LENGTH);

	/*
	 * Set MSS to the smaller one of both ends of the connection.
	 * We should not have called tcp_mss_set() before, but our
	 * side of the MSS should have been set to a proper value
	 * by tcp_adapt_ire().  tcp_mss_set() will also set up the
	 * STREAM head parameters properly.
	 *
	 * If we have a larger-than-16-bit window but the other side
	 * didn't want to do window scale, tcp_rwnd_set() will take
	 * care of that.
	 */
	tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss));
}

/*
 * This function does PAWS protection check.  Returns B_TRUE if the
 * segment passes the PAWS test, else returns B_FALSE.
 */
boolean_t
tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp)
{
	uint8_t	flags;
	int	options;
	uint8_t *up;

	flags = (unsigned int)tcph->th_flags[0] & 0xFF;
	/*
	 * If timestamp option is aligned nicely, get values inline,
	 * otherwise call general routine to parse.  Only do that
	 * if timestamp is the only option.
	 */
	if (TCP_HDR_LENGTH(tcph) == (uint32_t)TCP_MIN_HEADER_LENGTH +
	    TCPOPT_REAL_TS_LEN &&
	    OK_32PTR((up = ((uint8_t *)tcph) +
	    TCP_MIN_HEADER_LENGTH)) &&
	    *(uint32_t *)up == TCPOPT_NOP_NOP_TSTAMP) {
		tcpoptp->tcp_opt_ts_val = ABE32_TO_U32((up+4));
		tcpoptp->tcp_opt_ts_ecr = ABE32_TO_U32((up+8));

		options = TCP_OPT_TSTAMP_PRESENT;
	} else {
		if (tcp->tcp_snd_sack_ok) {
			tcpoptp->tcp = tcp;
		} else {
			tcpoptp->tcp = NULL;
		}
		options = tcp_parse_options(tcph, tcpoptp);
	}

	if (options & TCP_OPT_TSTAMP_PRESENT) {
		/*
		 * Do PAWS per RFC 1323 section 4.2.  Accept RST
		 * regardless of the timestamp, page 18 RFC 1323.bis.
		 */
		if ((flags & TH_RST) == 0 &&
		    TSTMP_LT(tcpoptp->tcp_opt_ts_val,
		    tcp->tcp_ts_recent)) {
			if (TSTMP_LT(prom_gettime(),
			    tcp->tcp_last_rcv_lbolt + PAWS_TIMEOUT)) {
				/* This segment is not acceptable. */
				return (B_FALSE);
			} else {
				/*
				 * Connection has been idle for
				 * too long.  Reset the timestamp
				 * and assume the segment is valid.
				 */
				tcp->tcp_ts_recent =
				    tcpoptp->tcp_opt_ts_val;
			}
		}
	} else {
		/*
		 * If we don't get a timestamp on every packet, we
		 * figure we can't really trust 'em, so we stop sending
		 * and parsing them.
		 */
		tcp->tcp_snd_ts_ok = B_FALSE;

		tcp->tcp_hdr_len -= TCPOPT_REAL_TS_LEN;
		tcp->tcp_tcp_hdr_len -= TCPOPT_REAL_TS_LEN;
		tcp->tcp_tcph->th_offset_and_rsrvd[0] -= (3 << 4);
		tcp_mss_set(tcp, tcp->tcp_mss + TCPOPT_REAL_TS_LEN);
		if (tcp->tcp_snd_sack_ok) {
			assert(tcp->tcp_sack_info != NULL);
			tcp->tcp_max_sack_blk = 4;
		}
	}
	return (B_TRUE);
}

/*
 * tcp_get_seg_mp() is called to get the pointer to a segment in the
 * send queue which starts at the given seq. no.
 *
 * Parameters:
 *	tcp_t *tcp: the tcp instance pointer.
 *	uint32_t seq: the starting seq. no of the requested segment.
 *	int32_t *off: after the execution, *off will be the offset to
 *		the returned mblk which points to the requested seq no.
 *
 * Return:
 *	A mblk_t pointer pointing to the requested segment in send queue.
 */
static mblk_t *
tcp_get_seg_mp(tcp_t *tcp, uint32_t seq, int32_t *off)
{
	int32_t	cnt;
	mblk_t	*mp;

	/* Defensive coding.  Make sure we don't send incorrect data. */
	if (SEQ_LT(seq, tcp->tcp_suna) || SEQ_GEQ(seq, tcp->tcp_snxt) ||
	    off == NULL) {
		return (NULL);
	}
	cnt = seq - tcp->tcp_suna;
	mp = tcp->tcp_xmit_head;
	while (cnt > 0 && mp) {
		cnt -= mp->b_wptr - mp->b_rptr;
		if (cnt < 0) {
			cnt += mp->b_wptr - mp->b_rptr;
			break;
		}
		mp = mp->b_cont;
	}
	assert(mp != NULL);
	*off = cnt;
	return (mp);
}

/*
 * This function handles all retransmissions if SACK is enabled for this
 * connection.  First it calculates how many segments can be retransmitted
 * based on tcp_pipe.  Then it goes thru the notsack list to find eligible
 * segments.  A segment is eligible if sack_cnt for that segment is greater
 * than or equal tcp_dupack_fast_retransmit.  After it has retransmitted
 * all eligible segments, it checks to see if TCP can send some new segments
 * (fast recovery).  If it can, it returns 1.  Otherwise it returns 0.
 *
 * Parameters:
 *	tcp_t *tcp: the tcp structure of the connection.
 *
 * Return:
 *	1 if the pipe is not full (new data can be sent), 0 otherwise
 */
static int32_t
tcp_sack_rxmit(tcp_t *tcp, int sock_id)
{
	notsack_blk_t	*notsack_blk;
	int32_t		usable_swnd;
	int32_t		mss;
	uint32_t	seg_len;
	mblk_t		*xmit_mp;

	assert(tcp->tcp_sack_info != NULL);
	assert(tcp->tcp_notsack_list != NULL);
	assert(tcp->tcp_rexmit == B_FALSE);

	/* Defensive coding in case there is a bug... */
	if (tcp->tcp_notsack_list == NULL) {
		return (0);
	}
	notsack_blk = tcp->tcp_notsack_list;
	mss = tcp->tcp_mss;

	/*
	 * Limit the num of outstanding data in the network to be
	 * tcp_cwnd_ssthresh, which is half of the original congestion wnd.
	 */
	usable_swnd = tcp->tcp_cwnd_ssthresh - tcp->tcp_pipe;

	/* At least retransmit 1 MSS of data. */
	if (usable_swnd <= 0) {
		usable_swnd = mss;
	}

	/* Make sure no new RTT samples will be taken. */
	tcp->tcp_csuna = tcp->tcp_snxt;

	notsack_blk = tcp->tcp_notsack_list;
	while (usable_swnd > 0) {
		mblk_t		*snxt_mp, *tmp_mp;
		tcp_seq		begin = tcp->tcp_sack_snxt;
		tcp_seq		end;
		int32_t		off;

		for (; notsack_blk != NULL; notsack_blk = notsack_blk->next) {
			if (SEQ_GT(notsack_blk->end, begin) &&
			    (notsack_blk->sack_cnt >=
			    tcp_dupack_fast_retransmit)) {
				end = notsack_blk->end;
				if (SEQ_LT(begin, notsack_blk->begin)) {
					begin = notsack_blk->begin;
				}
				break;
			}
		}
		/*
		 * All holes are filled.  Manipulate tcp_cwnd to send more
		 * if we can.  Note that after the SACK recovery, tcp_cwnd is
		 * set to tcp_cwnd_ssthresh.
		 */
		if (notsack_blk == NULL) {
			usable_swnd = tcp->tcp_cwnd_ssthresh - tcp->tcp_pipe;
			if (usable_swnd <= 0) {
				tcp->tcp_cwnd = tcp->tcp_snxt - tcp->tcp_suna;
				assert(tcp->tcp_cwnd > 0);
				return (0);
			} else {
				usable_swnd = usable_swnd / mss;
				tcp->tcp_cwnd = tcp->tcp_snxt - tcp->tcp_suna +
				    MAX(usable_swnd * mss, mss);
				return (1);
			}
		}

		/*
		 * Note that we may send more than usable_swnd allows here
		 * because of round off, but no more than 1 MSS of data.
		 */
		seg_len = end - begin;
		if (seg_len > mss)
			seg_len = mss;
		snxt_mp = tcp_get_seg_mp(tcp, begin, &off);
		assert(snxt_mp != NULL);
		/* This should not happen.  Defensive coding again... */
		if (snxt_mp == NULL) {
			return (0);
		}

		xmit_mp = tcp_xmit_mp(tcp, snxt_mp, seg_len, &off,
		    &tmp_mp, begin, B_TRUE, &seg_len, B_TRUE);

		if (xmit_mp == NULL)
			return (0);

		usable_swnd -= seg_len;
		tcp->tcp_pipe += seg_len;
		tcp->tcp_sack_snxt = begin + seg_len;
		TCP_DUMP_PACKET("tcp_sack_rxmit", xmit_mp);
		(void) ipv4_tcp_output(sock_id, xmit_mp);
		freeb(xmit_mp);

		/*
		 * Update the send timestamp to avoid false retransmission.
		 * Note. use uintptr_t to suppress the gcc warning.
		 */
		snxt_mp->b_prev = (mblk_t *)(uintptr_t)prom_gettime();

		BUMP_MIB(tcp_mib.tcpRetransSegs);
		UPDATE_MIB(tcp_mib.tcpRetransBytes, seg_len);
		BUMP_MIB(tcp_mib.tcpOutSackRetransSegs);
		/*
		 * Update tcp_rexmit_max to extend this SACK recovery phase.
		 * This happens when new data sent during fast recovery is
		 * also lost.  If TCP retransmits those new data, it needs
		 * to extend SACK recover phase to avoid starting another
		 * fast retransmit/recovery unnecessarily.
		 */
		if (SEQ_GT(tcp->tcp_sack_snxt, tcp->tcp_rexmit_max)) {
			tcp->tcp_rexmit_max = tcp->tcp_sack_snxt;
		}
	}
	return (0);
}

static void
tcp_rput_data(tcp_t *tcp, mblk_t *mp, int sock_id)
{
	uchar_t		*rptr;
	struct ip	*iph;
	tcp_t		*tcp1;
	tcpha_t		*tcph;
	uint32_t	seg_ack;
	int		seg_len;
	uint_t		ip_hdr_len;
	uint32_t	seg_seq;
	mblk_t		*mp1;
	uint_t		flags;
	uint32_t	new_swnd = 0;
	int		mss;
	boolean_t	ofo_seg = B_FALSE; /* Out of order segment */
	int32_t		gap;
	int32_t		rgap;
	tcp_opt_t	tcpopt;
	int32_t		bytes_acked;
	int		npkt;
	uint32_t	cwnd;
	uint32_t	add;

#ifdef DEBUG
	printf("tcp_rput_data sock %d mp %x mp_datap %x #################\n",
	    sock_id, mp, mp->b_datap);
#endif

	/* Dump the packet when debugging. */
	TCP_DUMP_PACKET("tcp_rput_data", mp);

	assert(OK_32PTR(mp->b_rptr));

	rptr = mp->b_rptr;
	iph = (struct ip *)rptr;
	ip_hdr_len = IPH_HDR_LENGTH(rptr);
	if (ip_hdr_len != IP_SIMPLE_HDR_LENGTH) {
#ifdef DEBUG
		printf("Not simple IP header\n");
#endif
		/* We cannot handle IP option yet... */
		tcp_drops++;
		freeb(mp);
		return;
	}
	/* The TCP header must be aligned. */
	tcph = (tcpha_t *)&rptr[ip_hdr_len];
	seg_seq = ntohl(tcph->tha_seq);
	seg_ack = ntohl(tcph->tha_ack);
	assert((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
	seg_len = (int)(mp->b_wptr - rptr) -
	    (ip_hdr_len + TCP_HDR_LENGTH(((tcph_t *)tcph)));
	/* In inetboot, b_cont should always be NULL. */
	assert(mp->b_cont == NULL);

	/* Verify the checksum. */
	if (tcp_verify_cksum(mp) < 0) {
#ifdef DEBUG
		printf("tcp_rput_data: wrong cksum\n");
#endif
		freemsg(mp);
		return;
	}

	/*
	 * This segment is not for us, try to find its
	 * intended receiver.
	 */
	if (tcp == NULL ||
	    tcph->tha_lport != tcp->tcp_fport ||
	    tcph->tha_fport != tcp->tcp_lport ||
	    iph->ip_src.s_addr != tcp->tcp_remote ||
	    iph->ip_dst.s_addr != tcp->tcp_bound_source) {
#ifdef DEBUG
		printf("tcp_rput_data: not for us, state %d\n",
		    tcp->tcp_state);
#endif
		/*
		 * First try to find a established connection.  If none
		 * is found, look for a listener.
		 *
		 * If a listener is found, we need to check to see if the
		 * incoming segment is for one of its eagers.  If it is,
		 * give it to the eager.  If not, listener should take care
		 * of it.
		 */
		if ((tcp1 = tcp_lookup_ipv4(iph, tcph, TCPS_SYN_SENT,
		    &sock_id)) != NULL ||
		    (tcp1 = tcp_lookup_listener_ipv4(iph->ip_dst.s_addr,
		    tcph->tha_fport, &sock_id)) != NULL) {
			if (tcp1->tcp_state == TCPS_LISTEN) {
				if ((tcp = tcp_lookup_eager_ipv4(tcp1,
				    iph, tcph)) == NULL) {
					/* No eager... sent to listener */
#ifdef DEBUG
					printf("found the listener: %s\n",
					    tcp_display(tcp1, NULL,
					    DISP_ADDR_AND_PORT));
#endif
					tcp = tcp1;
				}
#ifdef DEBUG
				else {
					printf("found the eager: %s\n",
					    tcp_display(tcp, NULL,
					    DISP_ADDR_AND_PORT));
				}
#endif
			} else {
				/* Non listener found... */
#ifdef DEBUG
				printf("found the connection: %s\n",
				    tcp_display(tcp1, NULL,
				    DISP_ADDR_AND_PORT));
#endif
				tcp = tcp1;
			}
		} else {
			/*
			 * No connection for this segment...
			 * Send a RST to the other side.
			 */
			tcp_xmit_listeners_reset(sock_id, mp, ip_hdr_len);
			return;
		}
	}

	flags = tcph->tha_flags & 0xFF;
	BUMP_MIB(tcp_mib.tcpInSegs);
	if (tcp->tcp_state == TCPS_TIME_WAIT) {
		tcp_time_wait_processing(tcp, mp, seg_seq, seg_ack,
		    seg_len, (tcph_t *)tcph, sock_id);
		return;
	}
	/*
	 * From this point we can assume that the tcp is not compressed,
	 * since we would have branched off to tcp_time_wait_processing()
	 * in such a case.
	 */
	assert(tcp != NULL && tcp->tcp_state != TCPS_TIME_WAIT);

	/*
	 * After this point, we know we have the correct TCP, so update
	 * the receive time.
	 */
	tcp->tcp_last_recv_time = prom_gettime();

	/* In inetboot, we do not handle urgent pointer... */
	if (flags & TH_URG) {
		freemsg(mp);
		DEBUG_1("tcp_rput_data(%d): received segment with urgent "
		    "pointer\n", sock_id);
		tcp_drops++;
		return;
	}

	switch (tcp->tcp_state) {
	case TCPS_LISTEN:
		if ((flags & (TH_RST | TH_ACK | TH_SYN)) != TH_SYN) {
			if (flags & TH_RST) {
				freemsg(mp);
				return;
			}
			if (flags & TH_ACK) {
				tcp_xmit_early_reset("TCPS_LISTEN-TH_ACK",
				    sock_id, mp, seg_ack, 0, TH_RST,
				    ip_hdr_len);
				return;
			}
			if (!(flags & TH_SYN)) {
				freemsg(mp);
				return;
			}
			printf("tcp_rput_data: %d\n", __LINE__);
			prom_panic("inetboot");
		}
		if (tcp->tcp_conn_req_max > 0) {
			tcp = tcp_conn_request(tcp, mp, sock_id, ip_hdr_len);
			if (tcp == NULL) {
				freemsg(mp);
				return;
			}
#ifdef DEBUG
			printf("tcp_rput_data: new tcp created\n");
#endif
		}
		tcp->tcp_irs = seg_seq;
		tcp->tcp_rack = seg_seq;
		tcp->tcp_rnxt = seg_seq + 1;
		U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
		BUMP_MIB(tcp_mib.tcpPassiveOpens);
		goto syn_rcvd;
	case TCPS_SYN_SENT:
		if (flags & TH_ACK) {
			/*
			 * Note that our stack cannot send data before a
			 * connection is established, therefore the
			 * following check is valid.  Otherwise, it has
			 * to be changed.
			 */
			if (SEQ_LEQ(seg_ack, tcp->tcp_iss) ||
			    SEQ_GT(seg_ack, tcp->tcp_snxt)) {
				if (flags & TH_RST) {
					freemsg(mp);
					return;
				}
				tcp_xmit_ctl("TCPS_SYN_SENT-Bad_seq",
				    tcp, mp, seg_ack, 0, TH_RST,
				    ip_hdr_len, sock_id);
				return;
			}
			assert(tcp->tcp_suna + 1 == seg_ack);
		}
		if (flags & TH_RST) {
			freemsg(mp);
			if (flags & TH_ACK) {
				tcp_clean_death(sock_id, tcp, ECONNREFUSED);
			}
			return;
		}
		if (!(flags & TH_SYN)) {
			freemsg(mp);
			return;
		}

		/* Process all TCP options. */
		tcp_process_options(tcp, (tcph_t *)tcph);
		/*
		 * The following changes our rwnd to be a multiple of the
		 * MIN(peer MSS, our MSS) for performance reason.
		 */
		(void) tcp_rwnd_set(tcp, MSS_ROUNDUP(tcp->tcp_rwnd,
		    tcp->tcp_mss));

		/* Is the other end ECN capable? */
		if (tcp->tcp_ecn_ok) {
			if ((flags & (TH_ECE|TH_CWR)) != TH_ECE) {
				tcp->tcp_ecn_ok = B_FALSE;
			}
		}
		/*
		 * Clear ECN flags because it may interfere with later
		 * processing.
		 */
		flags &= ~(TH_ECE|TH_CWR);

		tcp->tcp_irs = seg_seq;
		tcp->tcp_rack = seg_seq;
		tcp->tcp_rnxt = seg_seq + 1;
		U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);

		if (flags & TH_ACK) {
			/* One for the SYN */
			tcp->tcp_suna = tcp->tcp_iss + 1;
			tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
			tcp->tcp_state = TCPS_ESTABLISHED;

			/*
			 * If SYN was retransmitted, need to reset all
			 * retransmission info.  This is because this
			 * segment will be treated as a dup ACK.
			 */
			if (tcp->tcp_rexmit) {
				tcp->tcp_rexmit = B_FALSE;
				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
				tcp->tcp_rexmit_max = tcp->tcp_snxt;
				tcp->tcp_snd_burst = TCP_CWND_NORMAL;

				/*
				 * Set tcp_cwnd back to 1 MSS, per
				 * recommendation from
				 * draft-floyd-incr-init-win-01.txt,
				 * Increasing TCP's Initial Window.
				 */
				tcp->tcp_cwnd = tcp->tcp_mss;
			}

			tcp->tcp_swl1 = seg_seq;
			tcp->tcp_swl2 = seg_ack;

			new_swnd = BE16_TO_U16(((tcph_t *)tcph)->th_win);
			tcp->tcp_swnd = new_swnd;
			if (new_swnd > tcp->tcp_max_swnd)
				tcp->tcp_max_swnd = new_swnd;

			/*
			 * Always send the three-way handshake ack immediately
			 * in order to make the connection complete as soon as
			 * possible on the accepting host.
			 */
			flags |= TH_ACK_NEEDED;
			/*
			 * Check to see if there is data to be sent.  If
			 * yes, set the transmit flag.  Then check to see
			 * if received data processing needs to be done.
			 * If not, go straight to xmit_check.  This short
			 * cut is OK as we don't support T/TCP.
			 */
			if (tcp->tcp_unsent)
				flags |= TH_XMIT_NEEDED;

			if (seg_len == 0) {
				freemsg(mp);
				goto xmit_check;
			}

			flags &= ~TH_SYN;
			seg_seq++;
			break;
		}
		syn_rcvd:
		tcp->tcp_state = TCPS_SYN_RCVD;
		mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, tcp->tcp_mss,
		    NULL, NULL, tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
		if (mp1 != NULL) {
			TCP_DUMP_PACKET("tcp_rput_data replying SYN", mp1);
			(void) ipv4_tcp_output(sock_id, mp1);
			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
			freeb(mp1);
			/*
			 * Let's wait till our SYN has been ACKED since we
			 * don't have a timer.
			 */
			if (tcp_state_wait(sock_id, tcp, TCPS_ALL_ACKED) < 0) {
				freemsg(mp);
				return;
			}
		}
		freemsg(mp);
		return;
	default:
		break;
	}
	mp->b_rptr = (uchar_t *)tcph + TCP_HDR_LENGTH((tcph_t *)tcph);
	new_swnd = ntohs(tcph->tha_win) <<
	    ((flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
	mss = tcp->tcp_mss;

	if (tcp->tcp_snd_ts_ok) {
		if (!tcp_paws_check(tcp, (tcph_t *)tcph, &tcpopt)) {
			/*
			 * This segment is not acceptable.
			 * Drop it and send back an ACK.
			 */
			freemsg(mp);
			flags |= TH_ACK_NEEDED;
			goto ack_check;
		}
	} else if (tcp->tcp_snd_sack_ok) {
		assert(tcp->tcp_sack_info != NULL);
		tcpopt.tcp = tcp;
		/*
		 * SACK info in already updated in tcp_parse_options.  Ignore
		 * all other TCP options...
		 */
		(void) tcp_parse_options((tcph_t *)tcph, &tcpopt);
	}
try_again:;
	gap = seg_seq - tcp->tcp_rnxt;
	rgap = tcp->tcp_rwnd - (gap + seg_len);
	/*
	 * gap is the amount of sequence space between what we expect to see
	 * and what we got for seg_seq.  A positive value for gap means
	 * something got lost.  A negative value means we got some old stuff.
	 */
	if (gap < 0) {
		/* Old stuff present.  Is the SYN in there? */
		if (seg_seq == tcp->tcp_irs && (flags & TH_SYN) &&
		    (seg_len != 0)) {
			flags &= ~TH_SYN;
			seg_seq++;
			/* Recompute the gaps after noting the SYN. */
			goto try_again;
		}
		BUMP_MIB(tcp_mib.tcpInDataDupSegs);
		UPDATE_MIB(tcp_mib.tcpInDataDupBytes,
		    (seg_len > -gap ? -gap : seg_len));
		/* Remove the old stuff from seg_len. */
		seg_len += gap;
		/*
		 * Anything left?
		 * Make sure to check for unack'd FIN when rest of data
		 * has been previously ack'd.
		 */
		if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
			/*
			 * Resets are only valid if they lie within our offered
			 * window.  If the RST bit is set, we just ignore this
			 * segment.
			 */
			if (flags & TH_RST) {
				freemsg(mp);
				return;
			}

			/*
			 * This segment is "unacceptable".  None of its
			 * sequence space lies within our advertized window.
			 *
			 * Adjust seg_len to the original value for tracing.
			 */
			seg_len -= gap;
#ifdef DEBUG
			printf("tcp_rput: unacceptable, gap %d, rgap "
			    "%d, flags 0x%x, seg_seq %u, seg_ack %u, "
			    "seg_len %d, rnxt %u, snxt %u, %s",
			    gap, rgap, flags, seg_seq, seg_ack,
			    seg_len, tcp->tcp_rnxt, tcp->tcp_snxt,
			    tcp_display(tcp, NULL, DISP_ADDR_AND_PORT));
#endif

			/*
			 * Arrange to send an ACK in response to the
			 * unacceptable segment per RFC 793 page 69. There
			 * is only one small difference between ours and the
			 * acceptability test in the RFC - we accept ACK-only
			 * packet with SEG.SEQ = RCV.NXT+RCV.WND and no ACK
			 * will be generated.
			 *
			 * Note that we have to ACK an ACK-only packet at least
			 * for stacks that send 0-length keep-alives with
			 * SEG.SEQ = SND.NXT-1 as recommended by RFC1122,
			 * section 4.2.3.6. As long as we don't ever generate
			 * an unacceptable packet in response to an incoming
			 * packet that is unacceptable, it should not cause
			 * "ACK wars".
			 */
			flags |=  TH_ACK_NEEDED;

			/*
			 * Continue processing this segment in order to use the
			 * ACK information it contains, but skip all other
			 * sequence-number processing.	Processing the ACK
			 * information is necessary in order to
			 * re-synchronize connections that may have lost
			 * synchronization.
			 *
			 * We clear seg_len and flag fields related to
			 * sequence number processing as they are not
			 * to be trusted for an unacceptable segment.
			 */
			seg_len = 0;
			flags &= ~(TH_SYN | TH_FIN | TH_URG);
			goto process_ack;
		}

		/* Fix seg_seq, and chew the gap off the front. */
		seg_seq = tcp->tcp_rnxt;
		do {
			mblk_t	*mp2;
			assert((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
			    (uintptr_t)UINT_MAX);
			gap += (uint_t)(mp->b_wptr - mp->b_rptr);
			if (gap > 0) {
				mp->b_rptr = mp->b_wptr - gap;
				break;
			}
			mp2 = mp;
			mp = mp->b_cont;
			freeb(mp2);
		} while (gap < 0);
	}
	/*
	 * rgap is the amount of stuff received out of window.  A negative
	 * value is the amount out of window.
	 */
	if (rgap < 0) {
		mblk_t	*mp2;

		if (tcp->tcp_rwnd == 0)
			BUMP_MIB(tcp_mib.tcpInWinProbe);
		else {
			BUMP_MIB(tcp_mib.tcpInDataPastWinSegs);
			UPDATE_MIB(tcp_mib.tcpInDataPastWinBytes, -rgap);
		}

		/*
		 * seg_len does not include the FIN, so if more than
		 * just the FIN is out of window, we act like we don't
		 * see it.  (If just the FIN is out of window, rgap
		 * will be zero and we will go ahead and acknowledge
		 * the FIN.)
		 */
		flags &= ~TH_FIN;

		/* Fix seg_len and make sure there is something left. */
		seg_len += rgap;
		if (seg_len <= 0) {
			/*
			 * Resets are only valid if they lie within our offered
			 * window.  If the RST bit is set, we just ignore this
			 * segment.
			 */
			if (flags & TH_RST) {
				freemsg(mp);
				return;
			}

			/* Per RFC 793, we need to send back an ACK. */
			flags |= TH_ACK_NEEDED;

			/*
			 * If this is a zero window probe, continue to
			 * process the ACK part.  But we need to set seg_len
			 * to 0 to avoid data processing.  Otherwise just
			 * drop the segment and send back an ACK.
			 */
			if (tcp->tcp_rwnd == 0 && seg_seq == tcp->tcp_rnxt) {
				flags &= ~(TH_SYN | TH_URG);
				seg_len = 0;
				/* Let's see if we can update our rwnd */
				tcp_rcv_drain(sock_id, tcp);
				goto process_ack;
			} else {
				freemsg(mp);
				goto ack_check;
			}
		}
		/* Pitch out of window stuff off the end. */
		rgap = seg_len;
		mp2 = mp;
		do {
			assert((uintptr_t)(mp2->b_wptr -
			    mp2->b_rptr) <= (uintptr_t)INT_MAX);
			rgap -= (int)(mp2->b_wptr - mp2->b_rptr);
			if (rgap < 0) {
				mp2->b_wptr += rgap;
				if ((mp1 = mp2->b_cont) != NULL) {
					mp2->b_cont = NULL;
					freemsg(mp1);
				}
				break;
			}
		} while ((mp2 = mp2->b_cont) != NULL);
	}
ok:;
	/*
	 * TCP should check ECN info for segments inside the window only.
	 * Therefore the check should be done here.
	 */
	if (tcp->tcp_ecn_ok) {
		uchar_t tos = ((struct ip *)rptr)->ip_tos;

		if (flags & TH_CWR) {
			tcp->tcp_ecn_echo_on = B_FALSE;
		}
		/*
		 * Note that both ECN_CE and CWR can be set in the
		 * same segment.  In this case, we once again turn
		 * on ECN_ECHO.
		 */
		if ((tos & IPH_ECN_CE) == IPH_ECN_CE) {
			tcp->tcp_ecn_echo_on = B_TRUE;
		}
	}

	/*
	 * Check whether we can update tcp_ts_recent.  This test is
	 * NOT the one in RFC 1323 3.4.  It is from Braden, 1993, "TCP
	 * Extensions for High Performance: An Update", Internet Draft.
	 */
	if (tcp->tcp_snd_ts_ok &&
	    TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
	    SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
		tcp->tcp_last_rcv_lbolt = prom_gettime();
	}

	if (seg_seq != tcp->tcp_rnxt || tcp->tcp_reass_head) {
		/*
		 * FIN in an out of order segment.  We record this in
		 * tcp_valid_bits and the seq num of FIN in tcp_ofo_fin_seq.
		 * Clear the FIN so that any check on FIN flag will fail.
		 * Remember that FIN also counts in the sequence number
		 * space.  So we need to ack out of order FIN only segments.
		 */
		if (flags & TH_FIN) {
			tcp->tcp_valid_bits |= TCP_OFO_FIN_VALID;
			tcp->tcp_ofo_fin_seq = seg_seq + seg_len;
			flags &= ~TH_FIN;
			flags |= TH_ACK_NEEDED;
		}
		if (seg_len > 0) {
			/* Fill in the SACK blk list. */
			if (tcp->tcp_snd_sack_ok) {
				assert(tcp->tcp_sack_info != NULL);
				tcp_sack_insert(tcp->tcp_sack_list,
				    seg_seq, seg_seq + seg_len,
				    &(tcp->tcp_num_sack_blk));
			}

			/*
			 * Attempt reassembly and see if we have something
			 * ready to go.
			 */
			mp = tcp_reass(tcp, mp, seg_seq);
			/* Always ack out of order packets */
			flags |= TH_ACK_NEEDED | TH_PUSH;
			if (mp != NULL) {
				assert((uintptr_t)(mp->b_wptr -
				    mp->b_rptr) <= (uintptr_t)INT_MAX);
				seg_len = mp->b_cont ? msgdsize(mp) :
					(int)(mp->b_wptr - mp->b_rptr);
				seg_seq = tcp->tcp_rnxt;
				/*
				 * A gap is filled and the seq num and len
				 * of the gap match that of a previously
				 * received FIN, put the FIN flag back in.
				 */
				if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
				    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
					flags |= TH_FIN;
					tcp->tcp_valid_bits &=
					    ~TCP_OFO_FIN_VALID;
				}
			} else {
				/*
				 * Keep going even with NULL mp.
				 * There may be a useful ACK or something else
				 * we don't want to miss.
				 *
				 * But TCP should not perform fast retransmit
				 * because of the ack number.  TCP uses
				 * seg_len == 0 to determine if it is a pure
				 * ACK.  And this is not a pure ACK.
				 */
				seg_len = 0;
				ofo_seg = B_TRUE;
			}
		}
	} else if (seg_len > 0) {
		BUMP_MIB(tcp_mib.tcpInDataInorderSegs);
		UPDATE_MIB(tcp_mib.tcpInDataInorderBytes, seg_len);
		/*
		 * If an out of order FIN was received before, and the seq
		 * num and len of the new segment match that of the FIN,
		 * put the FIN flag back in.
		 */
		if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
		    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
			flags |= TH_FIN;
			tcp->tcp_valid_bits &= ~TCP_OFO_FIN_VALID;
		}
	}
	if ((flags & (TH_RST | TH_SYN | TH_URG | TH_ACK)) != TH_ACK) {
	if (flags & TH_RST) {
		freemsg(mp);
		switch (tcp->tcp_state) {
		case TCPS_SYN_RCVD:
			(void) tcp_clean_death(sock_id, tcp, ECONNREFUSED);
			break;
		case TCPS_ESTABLISHED:
		case TCPS_FIN_WAIT_1:
		case TCPS_FIN_WAIT_2:
		case TCPS_CLOSE_WAIT:
			(void) tcp_clean_death(sock_id, tcp, ECONNRESET);
			break;
		case TCPS_CLOSING:
		case TCPS_LAST_ACK:
			(void) tcp_clean_death(sock_id, tcp, 0);
			break;
		default:
			assert(tcp->tcp_state != TCPS_TIME_WAIT);
			(void) tcp_clean_death(sock_id, tcp, ENXIO);
			break;
		}
		return;
	}
	if (flags & TH_SYN) {
		/*
		 * See RFC 793, Page 71
		 *
		 * The seq number must be in the window as it should
		 * be "fixed" above.  If it is outside window, it should
		 * be already rejected.  Note that we allow seg_seq to be
		 * rnxt + rwnd because we want to accept 0 window probe.
		 */
		assert(SEQ_GEQ(seg_seq, tcp->tcp_rnxt) &&
		    SEQ_LEQ(seg_seq, tcp->tcp_rnxt + tcp->tcp_rwnd));
		freemsg(mp);
		/*
		 * If the ACK flag is not set, just use our snxt as the
		 * seq number of the RST segment.
		 */
		if (!(flags & TH_ACK)) {
			seg_ack = tcp->tcp_snxt;
		}
		tcp_xmit_ctl("TH_SYN", tcp, NULL, seg_ack,
		    seg_seq + 1, TH_RST|TH_ACK, 0, sock_id);
		assert(tcp->tcp_state != TCPS_TIME_WAIT);
		(void) tcp_clean_death(sock_id, tcp, ECONNRESET);
		return;
	}

process_ack:
	if (!(flags & TH_ACK)) {
#ifdef DEBUG
		printf("No ack in segment, dropped it, seq:%x\n", seg_seq);
#endif
		freemsg(mp);
		goto xmit_check;
	}
	}
	bytes_acked = (int)(seg_ack - tcp->tcp_suna);

	if (tcp->tcp_state == TCPS_SYN_RCVD) {
		tcp_t	*listener = tcp->tcp_listener;
#ifdef DEBUG
		printf("Done with eager 3-way handshake\n");
#endif
		/*
		 * NOTE: RFC 793 pg. 72 says this should be 'bytes_acked < 0'
		 * but that would mean we have an ack that ignored our SYN.
		 */
		if (bytes_acked < 1 || SEQ_GT(seg_ack, tcp->tcp_snxt)) {
			freemsg(mp);
			tcp_xmit_ctl("TCPS_SYN_RCVD-bad_ack",
			    tcp, NULL, seg_ack, 0, TH_RST, 0, sock_id);
			return;
		}

		/*
		 * if the conn_req_q is full defer processing
		 * until space is availabe after accept()
		 * processing
		 */
		if (listener->tcp_conn_req_cnt_q <
		    listener->tcp_conn_req_max) {
			tcp_t *tail;

			listener->tcp_conn_req_cnt_q0--;
			listener->tcp_conn_req_cnt_q++;

			/* Move from SYN_RCVD to ESTABLISHED list  */
			tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
				tcp->tcp_eager_prev_q0;
			tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
				tcp->tcp_eager_next_q0;
			tcp->tcp_eager_prev_q0 = NULL;
			tcp->tcp_eager_next_q0 = NULL;

			/*
			 * Insert at end of the queue because sockfs
			 * sends down T_CONN_RES in chronological
			 * order. Leaving the older conn indications
			 * at front of the queue helps reducing search
			 * time.
			 */
			tail = listener->tcp_eager_last_q;
			if (tail != NULL) {
				tail->tcp_eager_next_q = tcp;
			} else {
				listener->tcp_eager_next_q = tcp;
			}
			listener->tcp_eager_last_q = tcp;
			tcp->tcp_eager_next_q = NULL;
		} else {
			/*
			 * Defer connection on q0 and set deferred
			 * connection bit true
			 */
			tcp->tcp_conn_def_q0 = B_TRUE;

			/* take tcp out of q0 ... */
			tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
			    tcp->tcp_eager_next_q0;
			tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
			    tcp->tcp_eager_prev_q0;

			/* ... and place it at the end of q0 */
			tcp->tcp_eager_prev_q0 = listener->tcp_eager_prev_q0;
			tcp->tcp_eager_next_q0 = listener;
			listener->tcp_eager_prev_q0->tcp_eager_next_q0 = tcp;
			listener->tcp_eager_prev_q0 = tcp;
		}

		tcp->tcp_suna = tcp->tcp_iss + 1;	/* One for the SYN */
		bytes_acked--;

		/*
		 * If SYN was retransmitted, need to reset all
		 * retransmission info as this segment will be
		 * treated as a dup ACK.
		 */
		if (tcp->tcp_rexmit) {
			tcp->tcp_rexmit = B_FALSE;
			tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
			tcp->tcp_rexmit_max = tcp->tcp_snxt;
			tcp->tcp_snd_burst = TCP_CWND_NORMAL;
			tcp->tcp_ms_we_have_waited = 0;
			tcp->tcp_cwnd = mss;
		}

		/*
		 * We set the send window to zero here.
		 * This is needed if there is data to be
		 * processed already on the queue.
		 * Later (at swnd_update label), the
		 * "new_swnd > tcp_swnd" condition is satisfied
		 * the XMIT_NEEDED flag is set in the current
		 * (SYN_RCVD) state. This ensures tcp_wput_data() is
		 * called if there is already data on queue in
		 * this state.
		 */
		tcp->tcp_swnd = 0;

		if (new_swnd > tcp->tcp_max_swnd)
			tcp->tcp_max_swnd = new_swnd;
		tcp->tcp_swl1 = seg_seq;
		tcp->tcp_swl2 = seg_ack;
		tcp->tcp_state = TCPS_ESTABLISHED;
		tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
	}
	/* This code follows 4.4BSD-Lite2 mostly. */
	if (bytes_acked < 0)
		goto est;

	/*
	 * If TCP is ECN capable and the congestion experience bit is
	 * set, reduce tcp_cwnd and tcp_ssthresh.  But this should only be
	 * done once per window (or more loosely, per RTT).
	 */
	if (tcp->tcp_cwr && SEQ_GT(seg_ack, tcp->tcp_cwr_snd_max))
		tcp->tcp_cwr = B_FALSE;
	if (tcp->tcp_ecn_ok && (flags & TH_ECE)) {
		if (!tcp->tcp_cwr) {
			npkt = (MIN(tcp->tcp_cwnd, tcp->tcp_swnd) >> 1) / mss;
			tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * mss;
			tcp->tcp_cwnd = npkt * mss;
			/*
			 * If the cwnd is 0, use the timer to clock out
			 * new segments.  This is required by the ECN spec.
			 */
			if (npkt == 0) {
				TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
				/*
				 * This makes sure that when the ACK comes
				 * back, we will increase tcp_cwnd by 1 MSS.
				 */
				tcp->tcp_cwnd_cnt = 0;
			}
			tcp->tcp_cwr = B_TRUE;
			/*
			 * This marks the end of the current window of in
			 * flight data.  That is why we don't use
			 * tcp_suna + tcp_swnd.  Only data in flight can
			 * provide ECN info.
			 */
			tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
			tcp->tcp_ecn_cwr_sent = B_FALSE;
		}
	}

	mp1 = tcp->tcp_xmit_head;
	if (bytes_acked == 0) {
		if (!ofo_seg && seg_len == 0 && new_swnd == tcp->tcp_swnd) {
			int dupack_cnt;

			BUMP_MIB(tcp_mib.tcpInDupAck);
			/*
			 * Fast retransmit.  When we have seen exactly three
			 * identical ACKs while we have unacked data
			 * outstanding we take it as a hint that our peer
			 * dropped something.
			 *
			 * If TCP is retransmitting, don't do fast retransmit.
			 */
			if (mp1 != NULL && tcp->tcp_suna != tcp->tcp_snxt &&
			    ! tcp->tcp_rexmit) {
				/* Do Limited Transmit */
				if ((dupack_cnt = ++tcp->tcp_dupack_cnt) <
				    tcp_dupack_fast_retransmit) {
					/*
					 * RFC 3042
					 *
					 * What we need to do is temporarily
					 * increase tcp_cwnd so that new
					 * data can be sent if it is allowed
					 * by the receive window (tcp_rwnd).
					 * tcp_wput_data() will take care of
					 * the rest.
					 *
					 * If the connection is SACK capable,
					 * only do limited xmit when there
					 * is SACK info.
					 *
					 * Note how tcp_cwnd is incremented.
					 * The first dup ACK will increase
					 * it by 1 MSS.  The second dup ACK
					 * will increase it by 2 MSS.  This
					 * means that only 1 new segment will
					 * be sent for each dup ACK.
					 */
					if (tcp->tcp_unsent > 0 &&
					    (!tcp->tcp_snd_sack_ok ||
					    (tcp->tcp_snd_sack_ok &&
					    tcp->tcp_notsack_list != NULL))) {
						tcp->tcp_cwnd += mss <<
						    (tcp->tcp_dupack_cnt - 1);
						flags |= TH_LIMIT_XMIT;
					}
				} else if (dupack_cnt ==
				    tcp_dupack_fast_retransmit) {

				BUMP_MIB(tcp_mib.tcpOutFastRetrans);
				/*
				 * If we have reduced tcp_ssthresh
				 * because of ECN, do not reduce it again
				 * unless it is already one window of data
				 * away.  After one window of data, tcp_cwr
				 * should then be cleared.  Note that
				 * for non ECN capable connection, tcp_cwr
				 * should always be false.
				 *
				 * Adjust cwnd since the duplicate
				 * ack indicates that a packet was
				 * dropped (due to congestion.)
				 */
				if (!tcp->tcp_cwr) {
					npkt = (MIN(tcp->tcp_cwnd,
					    tcp->tcp_swnd) >> 1) / mss;
					if (npkt < 2)
						npkt = 2;
					tcp->tcp_cwnd_ssthresh = npkt * mss;
					tcp->tcp_cwnd = (npkt +
					    tcp->tcp_dupack_cnt) * mss;
				}
				if (tcp->tcp_ecn_ok) {
					tcp->tcp_cwr = B_TRUE;
					tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
					tcp->tcp_ecn_cwr_sent = B_FALSE;
				}

				/*
				 * We do Hoe's algorithm.  Refer to her
				 * paper "Improving the Start-up Behavior
				 * of a Congestion Control Scheme for TCP,"
				 * appeared in SIGCOMM'96.
				 *
				 * Save highest seq no we have sent so far.
				 * Be careful about the invisible FIN byte.
				 */
				if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
				    (tcp->tcp_unsent == 0)) {
					tcp->tcp_rexmit_max = tcp->tcp_fss;
				} else {
					tcp->tcp_rexmit_max = tcp->tcp_snxt;
				}

				/*
				 * Do not allow bursty traffic during.
				 * fast recovery.  Refer to Fall and Floyd's
				 * paper "Simulation-based Comparisons of
				 * Tahoe, Reno and SACK TCP" (in CCR ??)
				 * This is a best current practise.
				 */
				tcp->tcp_snd_burst = TCP_CWND_SS;

				/*
				 * For SACK:
				 * Calculate tcp_pipe, which is the
				 * estimated number of bytes in
				 * network.
				 *
				 * tcp_fack is the highest sack'ed seq num
				 * TCP has received.
				 *
				 * tcp_pipe is explained in the above quoted
				 * Fall and Floyd's paper.  tcp_fack is
				 * explained in Mathis and Mahdavi's
				 * "Forward Acknowledgment: Refining TCP
				 * Congestion Control" in SIGCOMM '96.
				 */
				if (tcp->tcp_snd_sack_ok) {
					assert(tcp->tcp_sack_info != NULL);
					if (tcp->tcp_notsack_list != NULL) {
						tcp->tcp_pipe = tcp->tcp_snxt -
						    tcp->tcp_fack;
						tcp->tcp_sack_snxt = seg_ack;
						flags |= TH_NEED_SACK_REXMIT;
					} else {
						/*
						 * Always initialize tcp_pipe
						 * even though we don't have
						 * any SACK info.  If later
						 * we get SACK info and
						 * tcp_pipe is not initialized,
						 * funny things will happen.
						 */
						tcp->tcp_pipe =
						    tcp->tcp_cwnd_ssthresh;
					}
				} else {
					flags |= TH_REXMIT_NEEDED;
				} /* tcp_snd_sack_ok */

				} else {
					/*
					 * Here we perform congestion
					 * avoidance, but NOT slow start.
					 * This is known as the Fast
					 * Recovery Algorithm.
					 */
					if (tcp->tcp_snd_sack_ok &&
					    tcp->tcp_notsack_list != NULL) {
						flags |= TH_NEED_SACK_REXMIT;
						tcp->tcp_pipe -= mss;
						if (tcp->tcp_pipe < 0)
							tcp->tcp_pipe = 0;
					} else {
					/*
					 * We know that one more packet has
					 * left the pipe thus we can update
					 * cwnd.
					 */
					cwnd = tcp->tcp_cwnd + mss;
					if (cwnd > tcp->tcp_cwnd_max)
						cwnd = tcp->tcp_cwnd_max;
					tcp->tcp_cwnd = cwnd;
					flags |= TH_XMIT_NEEDED;
					}
				}
			}
		} else if (tcp->tcp_zero_win_probe) {
			/*
			 * If the window has opened, need to arrange
			 * to send additional data.
			 */
			if (new_swnd != 0) {
				/* tcp_suna != tcp_snxt */
				/* Packet contains a window update */
				BUMP_MIB(tcp_mib.tcpInWinUpdate);
				tcp->tcp_zero_win_probe = 0;
				tcp->tcp_timer_backoff = 0;
				tcp->tcp_ms_we_have_waited = 0;

				/*
				 * Transmit starting with tcp_suna since
				 * the one byte probe is not ack'ed.
				 * If TCP has sent more than one identical
				 * probe, tcp_rexmit will be set.  That means
				 * tcp_ss_rexmit() will send out the one
				 * byte along with new data.  Otherwise,
				 * fake the retransmission.
				 */
				flags |= TH_XMIT_NEEDED;
				if (!tcp->tcp_rexmit) {
					tcp->tcp_rexmit = B_TRUE;
					tcp->tcp_dupack_cnt = 0;
					tcp->tcp_rexmit_nxt = tcp->tcp_suna;
					tcp->tcp_rexmit_max = tcp->tcp_suna + 1;
				}
			}
		}
		goto swnd_update;
	}

	/*
	 * Check for "acceptability" of ACK value per RFC 793, pages 72 - 73.
	 * If the ACK value acks something that we have not yet sent, it might
	 * be an old duplicate segment.  Send an ACK to re-synchronize the
	 * other side.
	 * Note: reset in response to unacceptable ACK in SYN_RECEIVE
	 * state is handled above, so we can always just drop the segment and
	 * send an ACK here.
	 *
	 * Should we send ACKs in response to ACK only segments?
	 */
	if (SEQ_GT(seg_ack, tcp->tcp_snxt)) {
		BUMP_MIB(tcp_mib.tcpInAckUnsent);
		/* drop the received segment */
		freemsg(mp);

		/* Send back an ACK. */
		mp = tcp_ack_mp(tcp);

		if (mp == NULL) {
			return;
		}
		BUMP_MIB(tcp_mib.tcpOutAck);
		(void) ipv4_tcp_output(sock_id, mp);
		freeb(mp);
		return;
	}

	/*
	 * TCP gets a new ACK, update the notsack'ed list to delete those
	 * blocks that are covered by this ACK.
	 */
	if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
		tcp_notsack_remove(&(tcp->tcp_notsack_list), seg_ack,
		    &(tcp->tcp_num_notsack_blk), &(tcp->tcp_cnt_notsack_list));
	}

	/*
	 * If we got an ACK after fast retransmit, check to see
	 * if it is a partial ACK.  If it is not and the congestion
	 * window was inflated to account for the other side's
	 * cached packets, retract it.  If it is, do Hoe's algorithm.
	 */
	if (tcp->tcp_dupack_cnt >= tcp_dupack_fast_retransmit) {
		assert(tcp->tcp_rexmit == B_FALSE);
		if (SEQ_GEQ(seg_ack, tcp->tcp_rexmit_max)) {
			tcp->tcp_dupack_cnt = 0;
			/*
			 * Restore the orig tcp_cwnd_ssthresh after
			 * fast retransmit phase.
			 */
			if (tcp->tcp_cwnd > tcp->tcp_cwnd_ssthresh) {
				tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh;
			}
			tcp->tcp_rexmit_max = seg_ack;
			tcp->tcp_cwnd_cnt = 0;
			tcp->tcp_snd_burst = TCP_CWND_NORMAL;

			/*
			 * Remove all notsack info to avoid confusion with
			 * the next fast retrasnmit/recovery phase.
			 */
			if (tcp->tcp_snd_sack_ok &&
			    tcp->tcp_notsack_list != NULL) {
				TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list);
			}
		} else {
			if (tcp->tcp_snd_sack_ok &&
			    tcp->tcp_notsack_list != NULL) {
				flags |= TH_NEED_SACK_REXMIT;
				tcp->tcp_pipe -= mss;
				if (tcp->tcp_pipe < 0)
					tcp->tcp_pipe = 0;
			} else {
				/*
				 * Hoe's algorithm:
				 *
				 * Retransmit the unack'ed segment and
				 * restart fast recovery.  Note that we
				 * need to scale back tcp_cwnd to the
				 * original value when we started fast
				 * recovery.  This is to prevent overly
				 * aggressive behaviour in sending new
				 * segments.
				 */
				tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh +
					tcp_dupack_fast_retransmit * mss;
				tcp->tcp_cwnd_cnt = tcp->tcp_cwnd;
				BUMP_MIB(tcp_mib.tcpOutFastRetrans);
				flags |= TH_REXMIT_NEEDED;
			}
		}
	} else {
		tcp->tcp_dupack_cnt = 0;
		if (tcp->tcp_rexmit) {
			/*
			 * TCP is retranmitting.  If the ACK ack's all
			 * outstanding data, update tcp_rexmit_max and
			 * tcp_rexmit_nxt.  Otherwise, update tcp_rexmit_nxt
			 * to the correct value.
			 *
			 * Note that SEQ_LEQ() is used.  This is to avoid
			 * unnecessary fast retransmit caused by dup ACKs
			 * received when TCP does slow start retransmission
			 * after a time out.  During this phase, TCP may
			 * send out segments which are already received.
			 * This causes dup ACKs to be sent back.
			 */
			if (SEQ_LEQ(seg_ack, tcp->tcp_rexmit_max)) {
				if (SEQ_GT(seg_ack, tcp->tcp_rexmit_nxt)) {
					tcp->tcp_rexmit_nxt = seg_ack;
				}
				if (seg_ack != tcp->tcp_rexmit_max) {
					flags |= TH_XMIT_NEEDED;
				}
			} else {
				tcp->tcp_rexmit = B_FALSE;
				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
				tcp->tcp_snd_burst = TCP_CWND_NORMAL;
			}
			tcp->tcp_ms_we_have_waited = 0;
		}
	}

	BUMP_MIB(tcp_mib.tcpInAckSegs);
	UPDATE_MIB(tcp_mib.tcpInAckBytes, bytes_acked);
	tcp->tcp_suna = seg_ack;
	if (tcp->tcp_zero_win_probe != 0) {
		tcp->tcp_zero_win_probe = 0;
		tcp->tcp_timer_backoff = 0;
	}

	/*
	 * If tcp_xmit_head is NULL, then it must be the FIN being ack'ed.
	 * Note that it cannot be the SYN being ack'ed.  The code flow
	 * will not reach here.
	 */
	if (mp1 == NULL) {
		goto fin_acked;
	}

	/*
	 * Update the congestion window.
	 *
	 * If TCP is not ECN capable or TCP is ECN capable but the
	 * congestion experience bit is not set, increase the tcp_cwnd as
	 * usual.
	 */
	if (!tcp->tcp_ecn_ok || !(flags & TH_ECE)) {
		cwnd = tcp->tcp_cwnd;
		add = mss;

		if (cwnd >= tcp->tcp_cwnd_ssthresh) {
			/*
			 * This is to prevent an increase of less than 1 MSS of
			 * tcp_cwnd.  With partial increase, tcp_wput_data()
			 * may send out tinygrams in order to preserve mblk
			 * boundaries.
			 *
			 * By initializing tcp_cwnd_cnt to new tcp_cwnd and
			 * decrementing it by 1 MSS for every ACKs, tcp_cwnd is
			 * increased by 1 MSS for every RTTs.
			 */
			if (tcp->tcp_cwnd_cnt <= 0) {
				tcp->tcp_cwnd_cnt = cwnd + add;
			} else {
				tcp->tcp_cwnd_cnt -= add;
				add = 0;
			}
		}
		tcp->tcp_cwnd = MIN(cwnd + add, tcp->tcp_cwnd_max);
	}

	/* Can we update the RTT estimates? */
	if (tcp->tcp_snd_ts_ok) {
		/* Ignore zero timestamp echo-reply. */
		if (tcpopt.tcp_opt_ts_ecr != 0) {
			tcp_set_rto(tcp, (int32_t)(prom_gettime() -
			    tcpopt.tcp_opt_ts_ecr));
		}

		/* If needed, restart the timer. */
		if (tcp->tcp_set_timer == 1) {
			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
			tcp->tcp_set_timer = 0;
		}
		/*
		 * Update tcp_csuna in case the other side stops sending
		 * us timestamps.
		 */
		tcp->tcp_csuna = tcp->tcp_snxt;
	} else if (SEQ_GT(seg_ack, tcp->tcp_csuna)) {
		/*
		 * An ACK sequence we haven't seen before, so get the RTT
		 * and update the RTO.
		 * Note. use uintptr_t to suppress the gcc warning.
		 */
		tcp_set_rto(tcp, (int32_t)(prom_gettime() -
		    (uint32_t)(uintptr_t)mp1->b_prev));

		/* Remeber the last sequence to be ACKed */
		tcp->tcp_csuna = seg_ack;
		if (tcp->tcp_set_timer == 1) {
			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
			tcp->tcp_set_timer = 0;
		}
	} else {
		BUMP_MIB(tcp_mib.tcpRttNoUpdate);
	}

	/* Eat acknowledged bytes off the xmit queue. */
	for (;;) {
		mblk_t	*mp2;
		uchar_t	*wptr;

		wptr = mp1->b_wptr;
		assert((uintptr_t)(wptr - mp1->b_rptr) <= (uintptr_t)INT_MAX);
		bytes_acked -= (int)(wptr - mp1->b_rptr);
		if (bytes_acked < 0) {
			mp1->b_rptr = wptr + bytes_acked;
			break;
		}
		mp1->b_prev = NULL;
		mp2 = mp1;
		mp1 = mp1->b_cont;
		freeb(mp2);
		if (bytes_acked == 0) {
			if (mp1 == NULL) {
				/* Everything is ack'ed, clear the tail. */
				tcp->tcp_xmit_tail = NULL;
				goto pre_swnd_update;
			}
			if (mp2 != tcp->tcp_xmit_tail)
				break;
			tcp->tcp_xmit_tail = mp1;
			assert((uintptr_t)(mp1->b_wptr -
			    mp1->b_rptr) <= (uintptr_t)INT_MAX);
			tcp->tcp_xmit_tail_unsent = (int)(mp1->b_wptr -
			    mp1->b_rptr);
			break;
		}
		if (mp1 == NULL) {
			/*
			 * More was acked but there is nothing more
			 * outstanding.  This means that the FIN was
			 * just acked or that we're talking to a clown.
			 */
fin_acked:
			assert(tcp->tcp_fin_sent);
			tcp->tcp_xmit_tail = NULL;
			if (tcp->tcp_fin_sent) {
				tcp->tcp_fin_acked = B_TRUE;
			} else {
				/*
				 * We should never got here because
				 * we have already checked that the
				 * number of bytes ack'ed should be
				 * smaller than or equal to what we
				 * have sent so far (it is the
				 * acceptability check of the ACK).
				 * We can only get here if the send
				 * queue is corrupted.
				 *
				 * Terminate the connection and
				 * panic the system.  It is better
				 * for us to panic instead of
				 * continuing to avoid other disaster.
				 */
				tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
				    tcp->tcp_rnxt, TH_RST|TH_ACK, 0, sock_id);
				printf("Memory corruption "
				    "detected for connection %s.\n",
				    tcp_display(tcp, NULL,
					DISP_ADDR_AND_PORT));
				/* We should never get here... */
				prom_panic("tcp_rput_data");
				return;
			}
			goto pre_swnd_update;
		}
		assert(mp2 != tcp->tcp_xmit_tail);
	}
	if (tcp->tcp_unsent) {
		flags |= TH_XMIT_NEEDED;
	}
pre_swnd_update:
	tcp->tcp_xmit_head = mp1;
swnd_update:
	/*
	 * The following check is different from most other implementations.
	 * For bi-directional transfer, when segments are dropped, the
	 * "normal" check will not accept a window update in those
	 * retransmitted segemnts.  Failing to do that, TCP may send out
	 * segments which are outside receiver's window.  As TCP accepts
	 * the ack in those retransmitted segments, if the window update in
	 * the same segment is not accepted, TCP will incorrectly calculates
	 * that it can send more segments.  This can create a deadlock
	 * with the receiver if its window becomes zero.
	 */
	if (SEQ_LT(tcp->tcp_swl2, seg_ack) ||
	    SEQ_LT(tcp->tcp_swl1, seg_seq) ||
	    (tcp->tcp_swl1 == seg_seq && new_swnd > tcp->tcp_swnd)) {
		/*
		 * The criteria for update is:
		 *
		 * 1. the segment acknowledges some data.  Or
		 * 2. the segment is new, i.e. it has a higher seq num. Or
		 * 3. the segment is not old and the advertised window is
		 * larger than the previous advertised window.
		 */
		if (tcp->tcp_unsent && new_swnd > tcp->tcp_swnd)
			flags |= TH_XMIT_NEEDED;
		tcp->tcp_swnd = new_swnd;
		if (new_swnd > tcp->tcp_max_swnd)
			tcp->tcp_max_swnd = new_swnd;
		tcp->tcp_swl1 = seg_seq;
		tcp->tcp_swl2 = seg_ack;
	}
est:
	if (tcp->tcp_state > TCPS_ESTABLISHED) {
		switch (tcp->tcp_state) {
		case TCPS_FIN_WAIT_1:
			if (tcp->tcp_fin_acked) {
				tcp->tcp_state = TCPS_FIN_WAIT_2;
				/*
				 * We implement the non-standard BSD/SunOS
				 * FIN_WAIT_2 flushing algorithm.
				 * If there is no user attached to this
				 * TCP endpoint, then this TCP struct
				 * could hang around forever in FIN_WAIT_2
				 * state if the peer forgets to send us
				 * a FIN.  To prevent this, we wait only
				 * 2*MSL (a convenient time value) for
				 * the FIN to arrive.  If it doesn't show up,
				 * we flush the TCP endpoint.  This algorithm,
				 * though a violation of RFC-793, has worked
				 * for over 10 years in BSD systems.
				 * Note: SunOS 4.x waits 675 seconds before
				 * flushing the FIN_WAIT_2 connection.
				 */
				TCP_TIMER_RESTART(tcp,
				    tcp_fin_wait_2_flush_interval);
			}
			break;
		case TCPS_FIN_WAIT_2:
			break;	/* Shutdown hook? */
		case TCPS_LAST_ACK:
			freemsg(mp);
			if (tcp->tcp_fin_acked) {
				(void) tcp_clean_death(sock_id, tcp, 0);
				return;
			}
			goto xmit_check;
		case TCPS_CLOSING:
			if (tcp->tcp_fin_acked) {
				tcp->tcp_state = TCPS_TIME_WAIT;
				tcp_time_wait_append(tcp);
				TCP_TIMER_RESTART(tcp, tcp_time_wait_interval);
			}
			/*FALLTHRU*/
		case TCPS_CLOSE_WAIT:
			freemsg(mp);
			goto xmit_check;
		default:
			assert(tcp->tcp_state != TCPS_TIME_WAIT);
			break;
		}
	}
	if (flags & TH_FIN) {
		/* Make sure we ack the fin */
		flags |= TH_ACK_NEEDED;
		if (!tcp->tcp_fin_rcvd) {
			tcp->tcp_fin_rcvd = B_TRUE;
			tcp->tcp_rnxt++;
			U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);

			switch (tcp->tcp_state) {
			case TCPS_SYN_RCVD:
			case TCPS_ESTABLISHED:
				tcp->tcp_state = TCPS_CLOSE_WAIT;
				/* Keepalive? */
				break;
			case TCPS_FIN_WAIT_1:
				if (!tcp->tcp_fin_acked) {
					tcp->tcp_state = TCPS_CLOSING;
					break;
				}
				/* FALLTHRU */
			case TCPS_FIN_WAIT_2:
				tcp->tcp_state = TCPS_TIME_WAIT;
				tcp_time_wait_append(tcp);
				TCP_TIMER_RESTART(tcp, tcp_time_wait_interval);
				if (seg_len) {
					/*
					 * implies data piggybacked on FIN.
					 * break to handle data.
					 */
					break;
				}
				freemsg(mp);
				goto ack_check;
			}
		}
	}
	if (mp == NULL)
		goto xmit_check;
	if (seg_len == 0) {
		freemsg(mp);
		goto xmit_check;
	}
	if (mp->b_rptr == mp->b_wptr) {
		/*
		 * The header has been consumed, so we remove the
		 * zero-length mblk here.
		 */
		mp1 = mp;
		mp = mp->b_cont;
		freeb(mp1);
	}
	/*
	 * ACK every other segments, unless the input queue is empty
	 * as we don't have a timer available.
	 */
	if (++tcp->tcp_rack_cnt == 2 || sockets[sock_id].inq == NULL) {
		flags |= TH_ACK_NEEDED;
		tcp->tcp_rack_cnt = 0;
	}
	tcp->tcp_rnxt += seg_len;
	U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);

	/* Update SACK list */
	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
		tcp_sack_remove(tcp->tcp_sack_list, tcp->tcp_rnxt,
		    &(tcp->tcp_num_sack_blk));
	}

	if (tcp->tcp_listener) {
		/*
		 * Side queue inbound data until the accept happens.
		 * tcp_accept/tcp_rput drains this when the accept happens.
		 */
		tcp_rcv_enqueue(tcp, mp, seg_len);
	} else {
		/* Just queue the data until the app calls read. */
		tcp_rcv_enqueue(tcp, mp, seg_len);
		/*
		 * Make sure the timer is running if we have data waiting
		 * for a push bit. This provides resiliency against
		 * implementations that do not correctly generate push bits.
		 */
		if (tcp->tcp_rcv_list != NULL)
			flags |= TH_TIMER_NEEDED;
	}

xmit_check:
	/* Is there anything left to do? */
	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_ACK_NEEDED|
	    TH_NEED_SACK_REXMIT|TH_LIMIT_XMIT|TH_TIMER_NEEDED)) == 0)
		return;

	/* Any transmit work to do and a non-zero window? */
	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_NEED_SACK_REXMIT|
	    TH_LIMIT_XMIT)) && tcp->tcp_swnd != 0) {
		if (flags & TH_REXMIT_NEEDED) {
			uint32_t snd_size = tcp->tcp_snxt - tcp->tcp_suna;

			if (snd_size > mss)
				snd_size = mss;
			if (snd_size > tcp->tcp_swnd)
				snd_size = tcp->tcp_swnd;
			mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, snd_size,
			    NULL, NULL, tcp->tcp_suna, B_TRUE, &snd_size,
			    B_TRUE);

			if (mp1 != NULL) {
				/* use uintptr_t to suppress the gcc warning */
				tcp->tcp_xmit_head->b_prev =
				    (mblk_t *)(uintptr_t)prom_gettime();
				tcp->tcp_csuna = tcp->tcp_snxt;
				BUMP_MIB(tcp_mib.tcpRetransSegs);
				UPDATE_MIB(tcp_mib.tcpRetransBytes, snd_size);
				(void) ipv4_tcp_output(sock_id, mp1);
				freeb(mp1);
			}
		}
		if (flags & TH_NEED_SACK_REXMIT) {
			if (tcp_sack_rxmit(tcp, sock_id) != 0) {
				flags |= TH_XMIT_NEEDED;
			}
		}
		/*
		 * For TH_LIMIT_XMIT, tcp_wput_data() is called to send
		 * out new segment.  Note that tcp_rexmit should not be
		 * set, otherwise TH_LIMIT_XMIT should not be set.
		 */
		if (flags & (TH_XMIT_NEEDED|TH_LIMIT_XMIT)) {
			if (!tcp->tcp_rexmit) {
				tcp_wput_data(tcp, NULL, sock_id);
			} else {
				tcp_ss_rexmit(tcp, sock_id);
			}
			/*
			 * The TCP could be closed in tcp_state_wait via
			 * tcp_wput_data (tcp_ss_rexmit could call
			 * tcp_wput_data as well).
			 */
			if (sockets[sock_id].pcb == NULL)
				return;
		}
		/*
		 * Adjust tcp_cwnd back to normal value after sending
		 * new data segments.
		 */
		if (flags & TH_LIMIT_XMIT) {
			tcp->tcp_cwnd -= mss << (tcp->tcp_dupack_cnt - 1);
		}

		/* Anything more to do? */
		if ((flags & (TH_ACK_NEEDED|TH_TIMER_NEEDED)) == 0)
			return;
	}
ack_check:
	if (flags & TH_ACK_NEEDED) {
		/*
		 * Time to send an ack for some reason.
		 */
		if ((mp1 = tcp_ack_mp(tcp)) != NULL) {
			TCP_DUMP_PACKET("tcp_rput_data: ack mp", mp1);
			(void) ipv4_tcp_output(sock_id, mp1);
			BUMP_MIB(tcp_mib.tcpOutAck);
			freeb(mp1);
		}
	}
}

/*
 * tcp_ss_rexmit() is called in tcp_rput_data() to do slow start
 * retransmission after a timeout.
 *
 * To limit the number of duplicate segments, we limit the number of segment
 * to be sent in one time to tcp_snd_burst, the burst variable.
 */
static void
tcp_ss_rexmit(tcp_t *tcp, int sock_id)
{
	uint32_t	snxt;
	uint32_t	smax;
	int32_t		win;
	int32_t		mss;
	int32_t		off;
	int32_t		burst = tcp->tcp_snd_burst;
	mblk_t		*snxt_mp;

	/*
	 * Note that tcp_rexmit can be set even though TCP has retransmitted
	 * all unack'ed segments.
	 */
	if (SEQ_LT(tcp->tcp_rexmit_nxt, tcp->tcp_rexmit_max)) {
		smax = tcp->tcp_rexmit_max;
		snxt = tcp->tcp_rexmit_nxt;
		if (SEQ_LT(snxt, tcp->tcp_suna)) {
			snxt = tcp->tcp_suna;
		}
		win = MIN(tcp->tcp_cwnd, tcp->tcp_swnd);
		win -= snxt - tcp->tcp_suna;
		mss = tcp->tcp_mss;
		snxt_mp = tcp_get_seg_mp(tcp, snxt, &off);

		while (SEQ_LT(snxt, smax) && (win > 0) &&
		    (burst > 0) && (snxt_mp != NULL)) {
			mblk_t	*xmit_mp;
			mblk_t	*old_snxt_mp = snxt_mp;
			uint32_t cnt = mss;

			if (win < cnt) {
				cnt = win;
			}
			if (SEQ_GT(snxt + cnt, smax)) {
				cnt = smax - snxt;
			}
			xmit_mp = tcp_xmit_mp(tcp, snxt_mp, cnt, &off,
			    &snxt_mp, snxt, B_TRUE, &cnt, B_TRUE);

			if (xmit_mp == NULL)
				return;

			(void) ipv4_tcp_output(sock_id, xmit_mp);
			freeb(xmit_mp);

			snxt += cnt;
			win -= cnt;
			/*
			 * Update the send timestamp to avoid false
			 * retransmission.
			 * Note. use uintptr_t to suppress the gcc warning.
			 */
			old_snxt_mp->b_prev =
			    (mblk_t *)(uintptr_t)prom_gettime();
			BUMP_MIB(tcp_mib.tcpRetransSegs);
			UPDATE_MIB(tcp_mib.tcpRetransBytes, cnt);

			tcp->tcp_rexmit_nxt = snxt;
			burst--;
		}
		/*
		 * If we have transmitted all we have at the time
		 * we started the retranmission, we can leave
		 * the rest of the job to tcp_wput_data().  But we
		 * need to check the send window first.  If the
		 * win is not 0, go on with tcp_wput_data().
		 */
		if (SEQ_LT(snxt, smax) || win == 0) {
			return;
		}
	}
	/* Only call tcp_wput_data() if there is data to be sent. */
	if (tcp->tcp_unsent) {
		tcp_wput_data(tcp, NULL, sock_id);
	}
}

/*
 * tcp_timer is the timer service routine.  It handles all timer events for
 * a tcp instance except keepalives.  It figures out from the state of the
 * tcp instance what kind of action needs to be done at the time it is called.
 */
static void
tcp_timer(tcp_t	*tcp, int sock_id)
{
	mblk_t		*mp;
	uint32_t	first_threshold;
	uint32_t	second_threshold;
	uint32_t	ms;
	uint32_t	mss;

	first_threshold =  tcp->tcp_first_timer_threshold;
	second_threshold = tcp->tcp_second_timer_threshold;
	switch (tcp->tcp_state) {
	case TCPS_IDLE:
	case TCPS_BOUND:
	case TCPS_LISTEN:
		return;
	case TCPS_SYN_RCVD:
	case TCPS_SYN_SENT:
		first_threshold =  tcp->tcp_first_ctimer_threshold;
		second_threshold = tcp->tcp_second_ctimer_threshold;
		break;
	case TCPS_ESTABLISHED:
	case TCPS_FIN_WAIT_1:
	case TCPS_CLOSING:
	case TCPS_CLOSE_WAIT:
	case TCPS_LAST_ACK:
		/* If we have data to rexmit */
		if (tcp->tcp_suna != tcp->tcp_snxt) {
			int32_t time_to_wait;

			BUMP_MIB(tcp_mib.tcpTimRetrans);
			if (tcp->tcp_xmit_head == NULL)
				break;
			/* use uintptr_t to suppress the gcc warning */
			time_to_wait = (int32_t)(prom_gettime() -
			    (uint32_t)(uintptr_t)tcp->tcp_xmit_head->b_prev);
			time_to_wait = tcp->tcp_rto - time_to_wait;
			if (time_to_wait > 0) {
				/*
				 * Timer fired too early, so restart it.
				 */
				TCP_TIMER_RESTART(tcp, time_to_wait);
				return;
			}
			/*
			 * When we probe zero windows, we force the swnd open.
			 * If our peer acks with a closed window swnd will be
			 * set to zero by tcp_rput(). As long as we are
			 * receiving acks tcp_rput will
			 * reset 'tcp_ms_we_have_waited' so as not to trip the
			 * first and second interval actions.  NOTE: the timer
			 * interval is allowed to continue its exponential
			 * backoff.
			 */
			if (tcp->tcp_swnd == 0 || tcp->tcp_zero_win_probe) {
				DEBUG_1("tcp_timer (%d): zero win", sock_id);
				break;
			} else {
				/*
				 * After retransmission, we need to do
				 * slow start.  Set the ssthresh to one
				 * half of current effective window and
				 * cwnd to one MSS.  Also reset
				 * tcp_cwnd_cnt.
				 *
				 * Note that if tcp_ssthresh is reduced because
				 * of ECN, do not reduce it again unless it is
				 * already one window of data away (tcp_cwr
				 * should then be cleared) or this is a
				 * timeout for a retransmitted segment.
				 */
				uint32_t npkt;

				if (!tcp->tcp_cwr || tcp->tcp_rexmit) {
					npkt = (MIN((tcp->tcp_timer_backoff ?
					    tcp->tcp_cwnd_ssthresh :
					    tcp->tcp_cwnd),
					    tcp->tcp_swnd) >> 1) /
					    tcp->tcp_mss;
					if (npkt < 2)
						npkt = 2;
					tcp->tcp_cwnd_ssthresh = npkt *
					    tcp->tcp_mss;
				}
				tcp->tcp_cwnd = tcp->tcp_mss;
				tcp->tcp_cwnd_cnt = 0;
				if (tcp->tcp_ecn_ok) {
					tcp->tcp_cwr = B_TRUE;
					tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
					tcp->tcp_ecn_cwr_sent = B_FALSE;
				}
			}
			break;
		}
		/*
		 * We have something to send yet we cannot send.  The
		 * reason can be:
		 *
		 * 1. Zero send window: we need to do zero window probe.
		 * 2. Zero cwnd: because of ECN, we need to "clock out
		 * segments.
		 * 3. SWS avoidance: receiver may have shrunk window,
		 * reset our knowledge.
		 *
		 * Note that condition 2 can happen with either 1 or
		 * 3.  But 1 and 3 are exclusive.
		 */
		if (tcp->tcp_unsent != 0) {
			if (tcp->tcp_cwnd == 0) {
				/*
				 * Set tcp_cwnd to 1 MSS so that a
				 * new segment can be sent out.  We
				 * are "clocking out" new data when
				 * the network is really congested.
				 */
				assert(tcp->tcp_ecn_ok);
				tcp->tcp_cwnd = tcp->tcp_mss;
			}
			if (tcp->tcp_swnd == 0) {
				/* Extend window for zero window probe */
				tcp->tcp_swnd++;
				tcp->tcp_zero_win_probe = B_TRUE;
				BUMP_MIB(tcp_mib.tcpOutWinProbe);
			} else {
				/*
				 * Handle timeout from sender SWS avoidance.
				 * Reset our knowledge of the max send window
				 * since the receiver might have reduced its
				 * receive buffer.  Avoid setting tcp_max_swnd
				 * to one since that will essentially disable
				 * the SWS checks.
				 *
				 * Note that since we don't have a SWS
				 * state variable, if the timeout is set
				 * for ECN but not for SWS, this
				 * code will also be executed.  This is
				 * fine as tcp_max_swnd is updated
				 * constantly and it will not affect
				 * anything.
				 */
				tcp->tcp_max_swnd = MAX(tcp->tcp_swnd, 2);
			}
			tcp_wput_data(tcp, NULL, sock_id);
			return;
		}
		/* Is there a FIN that needs to be to re retransmitted? */
		if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
		    !tcp->tcp_fin_acked)
			break;
		/* Nothing to do, return without restarting timer. */
		return;
	case TCPS_FIN_WAIT_2:
		/*
		 * User closed the TCP endpoint and peer ACK'ed our FIN.
		 * We waited some time for for peer's FIN, but it hasn't
		 * arrived.  We flush the connection now to avoid
		 * case where the peer has rebooted.
		 */
		/* FALLTHRU */
	case TCPS_TIME_WAIT:
		(void) tcp_clean_death(sock_id, tcp, 0);
		return;
	default:
		DEBUG_3("tcp_timer (%d): strange state (%d) %s", sock_id,
		    tcp->tcp_state, tcp_display(tcp, NULL,
		    DISP_PORT_ONLY));
		return;
	}
	if ((ms = tcp->tcp_ms_we_have_waited) > second_threshold) {
		/*
		 * For zero window probe, we need to send indefinitely,
		 * unless we have not heard from the other side for some
		 * time...
		 */
		if ((tcp->tcp_zero_win_probe == 0) ||
		    ((prom_gettime() - tcp->tcp_last_recv_time) >
		    second_threshold)) {
			BUMP_MIB(tcp_mib.tcpTimRetransDrop);
			/*
			 * If TCP is in SYN_RCVD state, send back a
			 * RST|ACK as BSD does.  Note that tcp_zero_win_probe
			 * should be zero in TCPS_SYN_RCVD state.
			 */
			if (tcp->tcp_state == TCPS_SYN_RCVD) {
				tcp_xmit_ctl("tcp_timer: RST sent on timeout "
				    "in SYN_RCVD",
				    tcp, NULL, tcp->tcp_snxt,
				    tcp->tcp_rnxt, TH_RST | TH_ACK, 0, sock_id);
			}
			(void) tcp_clean_death(sock_id, tcp,
			    tcp->tcp_client_errno ?
			    tcp->tcp_client_errno : ETIMEDOUT);
			return;
		} else {
			/*
			 * Set tcp_ms_we_have_waited to second_threshold
			 * so that in next timeout, we will do the above
			 * check (lbolt - tcp_last_recv_time).  This is
			 * also to avoid overflow.
			 *
			 * We don't need to decrement tcp_timer_backoff
			 * to avoid overflow because it will be decremented
			 * later if new timeout value is greater than
			 * tcp_rexmit_interval_max.  In the case when
			 * tcp_rexmit_interval_max is greater than
			 * second_threshold, it means that we will wait
			 * longer than second_threshold to send the next
			 * window probe.
			 */
			tcp->tcp_ms_we_have_waited = second_threshold;
		}
	} else if (ms > first_threshold && tcp->tcp_rtt_sa != 0) {
		/*
		 * We have been retransmitting for too long...  The RTT
		 * we calculated is probably incorrect.  Reinitialize it.
		 * Need to compensate for 0 tcp_rtt_sa.  Reset
		 * tcp_rtt_update so that we won't accidentally cache a
		 * bad value.  But only do this if this is not a zero
		 * window probe.
		 */
		if (tcp->tcp_zero_win_probe == 0) {
			tcp->tcp_rtt_sd += (tcp->tcp_rtt_sa >> 3) +
			    (tcp->tcp_rtt_sa >> 5);
			tcp->tcp_rtt_sa = 0;
			tcp->tcp_rtt_update = 0;
		}
	}
	tcp->tcp_timer_backoff++;
	if ((ms = (tcp->tcp_rtt_sa >> 3) + tcp->tcp_rtt_sd +
	    tcp_rexmit_interval_extra + (tcp->tcp_rtt_sa >> 5)) <
	    tcp_rexmit_interval_min) {
		/*
		 * This means the original RTO is tcp_rexmit_interval_min.
		 * So we will use tcp_rexmit_interval_min as the RTO value
		 * and do the backoff.
		 */
		ms = tcp_rexmit_interval_min << tcp->tcp_timer_backoff;
	} else {
		ms <<= tcp->tcp_timer_backoff;
	}
	if (ms > tcp_rexmit_interval_max) {
		ms = tcp_rexmit_interval_max;
		/*
		 * ms is at max, decrement tcp_timer_backoff to avoid
		 * overflow.
		 */
		tcp->tcp_timer_backoff--;
	}
	tcp->tcp_ms_we_have_waited += ms;
	if (tcp->tcp_zero_win_probe == 0) {
		tcp->tcp_rto = ms;
	}
	TCP_TIMER_RESTART(tcp, ms);
	/*
	 * This is after a timeout and tcp_rto is backed off.  Set
	 * tcp_set_timer to 1 so that next time RTO is updated, we will
	 * restart the timer with a correct value.
	 */
	tcp->tcp_set_timer = 1;
	mss = tcp->tcp_snxt - tcp->tcp_suna;
	if (mss > tcp->tcp_mss)
		mss = tcp->tcp_mss;
	if (mss > tcp->tcp_swnd && tcp->tcp_swnd != 0)
		mss = tcp->tcp_swnd;

	if ((mp = tcp->tcp_xmit_head) != NULL) {
		/* use uintptr_t to suppress the gcc warning */
		mp->b_prev = (mblk_t *)(uintptr_t)prom_gettime();
	}
	mp = tcp_xmit_mp(tcp, mp, mss, NULL, NULL, tcp->tcp_suna, B_TRUE, &mss,
	    B_TRUE);
	if (mp == NULL)
		return;
	tcp->tcp_csuna = tcp->tcp_snxt;
	BUMP_MIB(tcp_mib.tcpRetransSegs);
	UPDATE_MIB(tcp_mib.tcpRetransBytes, mss);
	/* Dump the packet when debugging. */
	TCP_DUMP_PACKET("tcp_timer", mp);

	(void) ipv4_tcp_output(sock_id, mp);
	freeb(mp);

	/*
	 * When slow start after retransmission begins, start with
	 * this seq no.  tcp_rexmit_max marks the end of special slow
	 * start phase.  tcp_snd_burst controls how many segments
	 * can be sent because of an ack.
	 */
	tcp->tcp_rexmit_nxt = tcp->tcp_suna;
	tcp->tcp_snd_burst = TCP_CWND_SS;
	if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
	    (tcp->tcp_unsent == 0)) {
		tcp->tcp_rexmit_max = tcp->tcp_fss;
	} else {
		tcp->tcp_rexmit_max = tcp->tcp_snxt;
	}
	tcp->tcp_rexmit = B_TRUE;
	tcp->tcp_dupack_cnt = 0;

	/*
	 * Remove all rexmit SACK blk to start from fresh.
	 */
	if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
		TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list);
		tcp->tcp_num_notsack_blk = 0;
		tcp->tcp_cnt_notsack_list = 0;
	}
}

/*
 * The TCP normal data output path.
 * NOTE: the logic of the fast path is duplicated from this function.
 */
static void
tcp_wput_data(tcp_t *tcp, mblk_t *mp, int sock_id)
{
	int		len;
	mblk_t		*local_time;
	mblk_t		*mp1;
	uchar_t		*rptr;
	uint32_t	snxt;
	int		tail_unsent;
	int		tcpstate;
	int		usable = 0;
	mblk_t		*xmit_tail;
	int32_t		num_burst_seg;
	int32_t		mss;
	int32_t		num_sack_blk = 0;
	int32_t		tcp_hdr_len;
	ipaddr_t	*dst;
	ipaddr_t	*src;

#ifdef DEBUG
	printf("tcp_wput_data(%d) ##############################\n", sock_id);
#endif
	tcpstate = tcp->tcp_state;
	if (mp == NULL) {
		/* Really tacky... but we need this for detached closes. */
		len = tcp->tcp_unsent;
		goto data_null;
	}

	/*
	 * Don't allow data after T_ORDREL_REQ or T_DISCON_REQ,
	 * or before a connection attempt has begun.
	 *
	 * The following should not happen in inetboot....
	 */
	if (tcpstate < TCPS_SYN_SENT || tcpstate > TCPS_CLOSE_WAIT ||
	    (tcp->tcp_valid_bits & TCP_FSS_VALID) != 0) {
		if ((tcp->tcp_valid_bits & TCP_FSS_VALID) != 0) {
			printf("tcp_wput_data: data after ordrel, %s\n",
			    tcp_display(tcp, NULL, DISP_ADDR_AND_PORT));
		}
		freemsg(mp);
		return;
	}

	/* Strip empties */
	for (;;) {
		assert((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
		    (uintptr_t)INT_MAX);
		len = (int)(mp->b_wptr - mp->b_rptr);
		if (len > 0)
			break;
		mp1 = mp;
		mp = mp->b_cont;
		freeb(mp1);
		if (mp == NULL) {
			return;
		}
	}

	/* If we are the first on the list ... */
	if (tcp->tcp_xmit_head == NULL) {
		tcp->tcp_xmit_head = mp;
		tcp->tcp_xmit_tail = mp;
		tcp->tcp_xmit_tail_unsent = len;
	} else {
		tcp->tcp_xmit_last->b_cont = mp;
		len += tcp->tcp_unsent;
	}

	/* Tack on however many more positive length mblks we have */
	if ((mp1 = mp->b_cont) != NULL) {
		do {
			int tlen;
			assert((uintptr_t)(mp1->b_wptr -
			    mp1->b_rptr) <= (uintptr_t)INT_MAX);
			tlen = (int)(mp1->b_wptr - mp1->b_rptr);
			if (tlen <= 0) {
				mp->b_cont = mp1->b_cont;
				freeb(mp1);
			} else {
				len += tlen;
				mp = mp1;
			}
		} while ((mp1 = mp->b_cont) != NULL);
	}
	tcp->tcp_xmit_last = mp;
	tcp->tcp_unsent = len;

data_null:
	snxt = tcp->tcp_snxt;
	xmit_tail = tcp->tcp_xmit_tail;
	tail_unsent = tcp->tcp_xmit_tail_unsent;

	/*
	 * Note that tcp_mss has been adjusted to take into account the
	 * timestamp option if applicable.  Because SACK options do not
	 * appear in every TCP segments and they are of variable lengths,
	 * they cannot be included in tcp_mss.  Thus we need to calculate
	 * the actual segment length when we need to send a segment which
	 * includes SACK options.
	 */
	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
		int32_t	opt_len;

		num_sack_blk = MIN(tcp->tcp_max_sack_blk,
		    tcp->tcp_num_sack_blk);
		opt_len = num_sack_blk * sizeof (sack_blk_t) + TCPOPT_NOP_LEN *
		    2 + TCPOPT_HEADER_LEN;
		mss = tcp->tcp_mss - opt_len;
		tcp_hdr_len = tcp->tcp_hdr_len + opt_len;
	} else {
		mss = tcp->tcp_mss;
		tcp_hdr_len = tcp->tcp_hdr_len;
	}

	if ((tcp->tcp_suna == snxt) &&
	    (prom_gettime() - tcp->tcp_last_recv_time) >= tcp->tcp_rto) {
		tcp->tcp_cwnd = MIN(tcp_slow_start_after_idle * mss,
		    MIN(4 * mss, MAX(2 * mss, 4380 / mss * mss)));
	}
	if (tcpstate == TCPS_SYN_RCVD) {
		/*
		 * The three-way connection establishment handshake is not
		 * complete yet. We want to queue the data for transmission
		 * after entering ESTABLISHED state (RFC793). Setting usable to
		 * zero cause a jump to "done" label effectively leaving data
		 * on the queue.
		 */

		usable = 0;
	} else {
		int usable_r = tcp->tcp_swnd;

		/*
		 * In the special case when cwnd is zero, which can only
		 * happen if the connection is ECN capable, return now.
		 * New segments is sent using tcp_timer().  The timer
		 * is set in tcp_rput_data().
		 */
		if (tcp->tcp_cwnd == 0) {
			/*
			 * Note that tcp_cwnd is 0 before 3-way handshake is
			 * finished.
			 */
			assert(tcp->tcp_ecn_ok ||
			    tcp->tcp_state < TCPS_ESTABLISHED);
			return;
		}

		/* usable = MIN(swnd, cwnd) - unacked_bytes */
		if (usable_r > tcp->tcp_cwnd)
			usable_r = tcp->tcp_cwnd;

		/* NOTE: trouble if xmitting while SYN not acked? */
		usable_r -= snxt;
		usable_r += tcp->tcp_suna;

		/* usable = MIN(usable, unsent) */
		if (usable_r > len)
			usable_r = len;

		/* usable = MAX(usable, {1 for urgent, 0 for data}) */
		if (usable_r != 0)
			usable = usable_r;
	}

	/* use uintptr_t to suppress the gcc warning */
	local_time = (mblk_t *)(uintptr_t)prom_gettime();

	/*
	 * "Our" Nagle Algorithm.  This is not the same as in the old
	 * BSD.  This is more in line with the true intent of Nagle.
	 *
	 * The conditions are:
	 * 1. The amount of unsent data (or amount of data which can be
	 *    sent, whichever is smaller) is less than Nagle limit.
	 * 2. The last sent size is also less than Nagle limit.
	 * 3. There is unack'ed data.
	 * 4. Urgent pointer is not set.  Send urgent data ignoring the
	 *    Nagle algorithm.  This reduces the probability that urgent
	 *    bytes get "merged" together.
	 * 5. The app has not closed the connection.  This eliminates the
	 *    wait time of the receiving side waiting for the last piece of
	 *    (small) data.
	 *
	 * If all are satisified, exit without sending anything.  Note
	 * that Nagle limit can be smaller than 1 MSS.  Nagle limit is
	 * the smaller of 1 MSS and global tcp_naglim_def (default to be
	 * 4095).
	 */
	if (usable < (int)tcp->tcp_naglim &&
	    tcp->tcp_naglim > tcp->tcp_last_sent_len &&
	    snxt != tcp->tcp_suna &&
	    !(tcp->tcp_valid_bits & TCP_URG_VALID))
		goto done;

	num_burst_seg = tcp->tcp_snd_burst;
	for (;;) {
		tcph_t		*tcph;
		mblk_t		*new_mp;

		if (num_burst_seg-- == 0)
			goto done;

		len = mss;
		if (len > usable) {
			len = usable;
			if (len <= 0) {
				/* Terminate the loop */
				goto done;
			}
			/*
			 * Sender silly-window avoidance.
			 * Ignore this if we are going to send a
			 * zero window probe out.
			 *
			 * TODO: force data into microscopic window ??
			 *	==> (!pushed || (unsent > usable))
			 */
			if (len < (tcp->tcp_max_swnd >> 1) &&
			    (tcp->tcp_unsent - (snxt - tcp->tcp_snxt)) > len &&
			    !((tcp->tcp_valid_bits & TCP_URG_VALID) &&
			    len == 1) && (! tcp->tcp_zero_win_probe)) {
				/*
				 * If the retransmit timer is not running
				 * we start it so that we will retransmit
				 * in the case when the the receiver has
				 * decremented the window.
				 */
				if (snxt == tcp->tcp_snxt &&
				    snxt == tcp->tcp_suna) {
					/*
					 * We are not supposed to send
					 * anything.  So let's wait a little
					 * bit longer before breaking SWS
					 * avoidance.
					 *
					 * What should the value be?
					 * Suggestion: MAX(init rexmit time,
					 * tcp->tcp_rto)
					 */
					TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
				}
				goto done;
			}
		}

		tcph = tcp->tcp_tcph;

		usable -= len;	/* Approximate - can be adjusted later */
		if (usable > 0)
			tcph->th_flags[0] = TH_ACK;
		else
			tcph->th_flags[0] = (TH_ACK | TH_PUSH);

		U32_TO_ABE32(snxt, tcph->th_seq);

		if (tcp->tcp_valid_bits) {
			uchar_t		*prev_rptr = xmit_tail->b_rptr;
			uint32_t	prev_snxt = tcp->tcp_snxt;

			if (tail_unsent == 0) {
				assert(xmit_tail->b_cont != NULL);
				xmit_tail = xmit_tail->b_cont;
				prev_rptr = xmit_tail->b_rptr;
				tail_unsent = (int)(xmit_tail->b_wptr -
				    xmit_tail->b_rptr);
			} else {
				xmit_tail->b_rptr = xmit_tail->b_wptr -
				    tail_unsent;
			}
			mp = tcp_xmit_mp(tcp, xmit_tail, len, NULL, NULL,
			    snxt, B_FALSE, (uint32_t *)&len, B_FALSE);
			/* Restore tcp_snxt so we get amount sent right. */
			tcp->tcp_snxt = prev_snxt;
			if (prev_rptr == xmit_tail->b_rptr)
				xmit_tail->b_prev = local_time;
			else
				xmit_tail->b_rptr = prev_rptr;

			if (mp == NULL)
				break;

			mp1 = mp->b_cont;

			snxt += len;
			tcp->tcp_last_sent_len = (ushort_t)len;
			while (mp1->b_cont) {
				xmit_tail = xmit_tail->b_cont;
				xmit_tail->b_prev = local_time;
				mp1 = mp1->b_cont;
			}
			tail_unsent = xmit_tail->b_wptr - mp1->b_wptr;
			BUMP_MIB(tcp_mib.tcpOutDataSegs);
			UPDATE_MIB(tcp_mib.tcpOutDataBytes, len);
			/* Dump the packet when debugging. */
			TCP_DUMP_PACKET("tcp_wput_data (valid bits)", mp);
			(void) ipv4_tcp_output(sock_id, mp);
			freeb(mp);
			continue;
		}

		snxt += len;	/* Adjust later if we don't send all of len */
		BUMP_MIB(tcp_mib.tcpOutDataSegs);
		UPDATE_MIB(tcp_mib.tcpOutDataBytes, len);

		if (tail_unsent) {
			/* Are the bytes above us in flight? */
			rptr = xmit_tail->b_wptr - tail_unsent;
			if (rptr != xmit_tail->b_rptr) {
				tail_unsent -= len;
				len += tcp_hdr_len;
				tcp->tcp_ipha->ip_len = htons(len);
				mp = dupb(xmit_tail);
				if (!mp)
					break;
				mp->b_rptr = rptr;
				goto must_alloc;
			}
		} else {
			xmit_tail = xmit_tail->b_cont;
			assert((uintptr_t)(xmit_tail->b_wptr -
			    xmit_tail->b_rptr) <= (uintptr_t)INT_MAX);
			tail_unsent = (int)(xmit_tail->b_wptr -
			    xmit_tail->b_rptr);
		}

		tail_unsent -= len;
		tcp->tcp_last_sent_len = (ushort_t)len;

		len += tcp_hdr_len;
		if (tcp->tcp_ipversion == IPV4_VERSION)
			tcp->tcp_ipha->ip_len = htons(len);

		xmit_tail->b_prev = local_time;

		mp = dupb(xmit_tail);
		if (mp == NULL)
			goto out_of_mem;

		len = tcp_hdr_len;
		/*
		 * There are four reasons to allocate a new hdr mblk:
		 *  1) The bytes above us are in use by another packet
		 *  2) We don't have good alignment
		 *  3) The mblk is being shared
		 *  4) We don't have enough room for a header
		 */
		rptr = mp->b_rptr - len;
		if (!OK_32PTR(rptr) ||
		    rptr < mp->b_datap) {
			/* NOTE: we assume allocb returns an OK_32PTR */

		must_alloc:;
			mp1 = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
			    tcp_wroff_xtra, 0);
			if (mp1 == NULL) {
				freemsg(mp);
				goto out_of_mem;
			}
			mp1->b_cont = mp;
			mp = mp1;
			/* Leave room for Link Level header */
			len = tcp_hdr_len;
			rptr = &mp->b_rptr[tcp_wroff_xtra];
			mp->b_wptr = &rptr[len];
		}

		if (tcp->tcp_snd_ts_ok) {
			/* use uintptr_t to suppress the gcc warning */
			U32_TO_BE32((uint32_t)(uintptr_t)local_time,
				(char *)tcph+TCP_MIN_HEADER_LENGTH+4);
			U32_TO_BE32(tcp->tcp_ts_recent,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
		} else {
			assert(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);
		}

		mp->b_rptr = rptr;

		/* Copy the template header. */
		dst = (ipaddr_t *)rptr;
		src = (ipaddr_t *)tcp->tcp_iphc;
		dst[0] = src[0];
		dst[1] = src[1];
		dst[2] = src[2];
		dst[3] = src[3];
		dst[4] = src[4];
		dst[5] = src[5];
		dst[6] = src[6];
		dst[7] = src[7];
		dst[8] = src[8];
		dst[9] = src[9];
		len = tcp->tcp_hdr_len;
		if (len -= 40) {
			len >>= 2;
			dst += 10;
			src += 10;
			do {
				*dst++ = *src++;
			} while (--len);
		}

		/*
		 * Set tcph to point to the header of the outgoing packet,
		 * not to the template header.
		 */
		tcph = (tcph_t *)(rptr + tcp->tcp_ip_hdr_len);

		/*
		 * Set the ECN info in the TCP header if it is not a zero
		 * window probe.  Zero window probe is only sent in
		 * tcp_wput_data() and tcp_timer().
		 */
		if (tcp->tcp_ecn_ok && !tcp->tcp_zero_win_probe) {
			SET_ECT(tcp, rptr);

			if (tcp->tcp_ecn_echo_on)
				tcph->th_flags[0] |= TH_ECE;
			if (tcp->tcp_cwr && !tcp->tcp_ecn_cwr_sent) {
				tcph->th_flags[0] |= TH_CWR;
				tcp->tcp_ecn_cwr_sent = B_TRUE;
			}
		}

		/* Fill in SACK options */
		if (num_sack_blk > 0) {
			uchar_t *wptr = rptr + tcp->tcp_hdr_len;
			sack_blk_t *tmp;
			int32_t	i;

			wptr[0] = TCPOPT_NOP;
			wptr[1] = TCPOPT_NOP;
			wptr[2] = TCPOPT_SACK;
			wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
			    sizeof (sack_blk_t);
			wptr += TCPOPT_REAL_SACK_LEN;

			tmp = tcp->tcp_sack_list;
			for (i = 0; i < num_sack_blk; i++) {
				U32_TO_BE32(tmp[i].begin, wptr);
				wptr += sizeof (tcp_seq);
				U32_TO_BE32(tmp[i].end, wptr);
				wptr += sizeof (tcp_seq);
			}
			tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1)
			    << 4);
		}

		if (tail_unsent) {
			mp1 = mp->b_cont;
			if (mp1 == NULL)
				mp1 = mp;
			/*
			 * If we're a little short, tack on more mblks
			 * as long as we don't need to split an mblk.
			 */
			while (tail_unsent < 0 &&
			    tail_unsent + (int)(xmit_tail->b_cont->b_wptr -
			    xmit_tail->b_cont->b_rptr) <= 0) {
				xmit_tail = xmit_tail->b_cont;
				/* Stash for rtt use later */
				xmit_tail->b_prev = local_time;
				mp1->b_cont = dupb(xmit_tail);
				mp1 = mp1->b_cont;
				assert((uintptr_t)(xmit_tail->b_wptr -
				    xmit_tail->b_rptr) <= (uintptr_t)INT_MAX);
				tail_unsent += (int)(xmit_tail->b_wptr -
				    xmit_tail->b_rptr);
				if (mp1 == NULL) {
					freemsg(mp);
					goto out_of_mem;
				}
			}
			/* Trim back any surplus on the last mblk */
			if (tail_unsent > 0)
				mp1->b_wptr -= tail_unsent;
			if (tail_unsent < 0) {
				uint32_t ip_len;

				/*
				 * We did not send everything we could in
				 * order to preserve mblk boundaries.
				 */
				usable -= tail_unsent;
				snxt += tail_unsent;
				tcp->tcp_last_sent_len += tail_unsent;
				UPDATE_MIB(tcp_mib.tcpOutDataBytes,
				    tail_unsent);
				/* Adjust the IP length field. */
				ip_len = ntohs(((struct ip *)rptr)->ip_len) +
				    tail_unsent;
				((struct ip *)rptr)->ip_len = htons(ip_len);
				tail_unsent = 0;
			}
		}

		if (mp == NULL)
			goto out_of_mem;

		/*
		 * Performance hit!  We need to pullup the whole message
		 * in order to do checksum and for the MAC output routine.
		 */
		if (mp->b_cont != NULL) {
			int mp_size;
#ifdef	DEBUG
			printf("Multiple mblk %d\n", msgdsize(mp));
#endif
			new_mp = allocb(msgdsize(mp) + tcp_wroff_xtra, 0);
			new_mp->b_rptr += tcp_wroff_xtra;
			new_mp->b_wptr = new_mp->b_rptr;
			while (mp != NULL) {
				mp_size = mp->b_wptr - mp->b_rptr;
				bcopy(mp->b_rptr, new_mp->b_wptr, mp_size);
				new_mp->b_wptr += mp_size;
				mp = mp->b_cont;
			}
			freemsg(mp);
			mp = new_mp;
		}
		tcp_set_cksum(mp);
		((struct ip *)mp->b_rptr)->ip_ttl = (uint8_t)tcp_ipv4_ttl;
		TCP_DUMP_PACKET("tcp_wput_data", mp);
		(void) ipv4_tcp_output(sock_id, mp);
		freemsg(mp);
	}
out_of_mem:;
	/* Pretend that all we were trying to send really got sent */
	if (tail_unsent < 0) {
		do {
			xmit_tail = xmit_tail->b_cont;
			xmit_tail->b_prev = local_time;
			assert((uintptr_t)(xmit_tail->b_wptr -
			    xmit_tail->b_rptr) <= (uintptr_t)INT_MAX);
			tail_unsent += (int)(xmit_tail->b_wptr -
			    xmit_tail->b_rptr);
		} while (tail_unsent < 0);
	}
done:;
	tcp->tcp_xmit_tail = xmit_tail;
	tcp->tcp_xmit_tail_unsent = tail_unsent;
	len = tcp->tcp_snxt - snxt;
	if (len) {
		/*
		 * If new data was sent, need to update the notsack
		 * list, which is, afterall, data blocks that have
		 * not been sack'ed by the receiver.  New data is
		 * not sack'ed.
		 */
		if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
			/* len is a negative value. */
			tcp->tcp_pipe -= len;
			tcp_notsack_update(&(tcp->tcp_notsack_list),
			    tcp->tcp_snxt, snxt,
			    &(tcp->tcp_num_notsack_blk),
			    &(tcp->tcp_cnt_notsack_list));
		}
		tcp->tcp_snxt = snxt + tcp->tcp_fin_sent;
		tcp->tcp_rack = tcp->tcp_rnxt;
		tcp->tcp_rack_cnt = 0;
		if ((snxt + len) == tcp->tcp_suna) {
			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
		}
		/*
		 * Note that len is the amount we just sent but with a negative
		 * sign. We update tcp_unsent here since we may come back to
		 * tcp_wput_data from tcp_state_wait.
		 */
		len += tcp->tcp_unsent;
		tcp->tcp_unsent = len;

		/*
		 * Let's wait till all the segments have been acked, since we
		 * don't have a timer.
		 */
		(void) tcp_state_wait(sock_id, tcp, TCPS_ALL_ACKED);
		return;
	} else if (snxt == tcp->tcp_suna && tcp->tcp_swnd == 0) {
		/*
		 * Didn't send anything. Make sure the timer is running
		 * so that we will probe a zero window.
		 */
		TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
	}

	/* Note that len is the amount we just sent but with a negative sign */
	len += tcp->tcp_unsent;
	tcp->tcp_unsent = len;

}

static void
tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp,
    uint32_t seg_seq, uint32_t seg_ack, int seg_len, tcph_t *tcph,
    int sock_id)
{
	int32_t		bytes_acked;
	int32_t		gap;
	int32_t		rgap;
	tcp_opt_t	tcpopt;
	uint_t		flags;
	uint32_t	new_swnd = 0;

#ifdef DEBUG
	printf("Time wait processing called ###############3\n");
#endif

	/* Just make sure we send the right sock_id to tcp_clean_death */
	if ((sockets[sock_id].pcb == NULL) || (sockets[sock_id].pcb != tcp))
		sock_id = -1;

	flags = (unsigned int)tcph->th_flags[0] & 0xFF;
	new_swnd = BE16_TO_U16(tcph->th_win) <<
	    ((tcph->th_flags[0] & TH_SYN) ? 0 : tcp->tcp_snd_ws);
	if (tcp->tcp_snd_ts_ok) {
		if (!tcp_paws_check(tcp, tcph, &tcpopt)) {
			freemsg(mp);
			tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
			    tcp->tcp_rnxt, TH_ACK, 0, -1);
			return;
		}
	}
	gap = seg_seq - tcp->tcp_rnxt;
	rgap = tcp->tcp_rwnd - (gap + seg_len);
	if (gap < 0) {
		BUMP_MIB(tcp_mib.tcpInDataDupSegs);
		UPDATE_MIB(tcp_mib.tcpInDataDupBytes,
		    (seg_len > -gap ? -gap : seg_len));
		seg_len += gap;
		if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
			if (flags & TH_RST) {
				freemsg(mp);
				return;
			}
			if ((flags & TH_FIN) && seg_len == -1) {
				/*
				 * When TCP receives a duplicate FIN in
				 * TIME_WAIT state, restart the 2 MSL timer.
				 * See page 73 in RFC 793. Make sure this TCP
				 * is already on the TIME_WAIT list. If not,
				 * just restart the timer.
				 */
				tcp_time_wait_remove(tcp);
				tcp_time_wait_append(tcp);
				TCP_TIMER_RESTART(tcp, tcp_time_wait_interval);
				tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
				    tcp->tcp_rnxt, TH_ACK, 0, -1);
				freemsg(mp);
				return;
			}
			flags |=  TH_ACK_NEEDED;
			seg_len = 0;
			goto process_ack;
		}

		/* Fix seg_seq, and chew the gap off the front. */
		seg_seq = tcp->tcp_rnxt;
	}

	if ((flags & TH_SYN) && gap > 0 && rgap < 0) {
		/*
		 * Make sure that when we accept the connection, pick
		 * an ISS greater than (tcp_snxt + ISS_INCR/2) for the
		 * old connection.
		 *
		 * The next ISS generated is equal to tcp_iss_incr_extra
		 * + ISS_INCR/2 + other components depending on the
		 * value of tcp_strong_iss.  We pre-calculate the new
		 * ISS here and compare with tcp_snxt to determine if
		 * we need to make adjustment to tcp_iss_incr_extra.
		 *
		 * Note that since we are now in the global queue
		 * perimeter and need to do a lateral_put() to the
		 * listener queue, there can be other connection requests/
		 * attempts while the lateral_put() is going on.  That
		 * means what we calculate here may not be correct.  This
		 * is extremely difficult to solve unless TCP and IP
		 * modules are merged and there is no perimeter, but just
		 * locks.  The above calculation is ugly and is a
		 * waste of CPU cycles...
		 */
		uint32_t new_iss = tcp_iss_incr_extra;
		int32_t adj;

		/* Add time component and min random (i.e. 1). */
		new_iss += (prom_gettime() >> ISS_NSEC_SHT) + 1;
		if ((adj = (int32_t)(tcp->tcp_snxt - new_iss)) > 0) {
			/*
			 * New ISS not guaranteed to be ISS_INCR/2
			 * ahead of the current tcp_snxt, so add the
			 * difference to tcp_iss_incr_extra.
			 */
			tcp_iss_incr_extra += adj;
		}
		tcp_clean_death(sock_id, tcp, 0);

		/*
		 * This is a passive open.  Right now we do not
		 * do anything...
		 */
		freemsg(mp);
		return;
	}

	/*
	 * rgap is the amount of stuff received out of window.  A negative
	 * value is the amount out of window.
	 */
	if (rgap < 0) {
		BUMP_MIB(tcp_mib.tcpInDataPastWinSegs);
		UPDATE_MIB(tcp_mib.tcpInDataPastWinBytes, -rgap);
		/* Fix seg_len and make sure there is something left. */
		seg_len += rgap;
		if (seg_len <= 0) {
			if (flags & TH_RST) {
				freemsg(mp);
				return;
			}
			flags |=  TH_ACK_NEEDED;
			seg_len = 0;
			goto process_ack;
		}
	}
	/*
	 * Check whether we can update tcp_ts_recent.  This test is
	 * NOT the one in RFC 1323 3.4.  It is from Braden, 1993, "TCP
	 * Extensions for High Performance: An Update", Internet Draft.
	 */
	if (tcp->tcp_snd_ts_ok &&
	    TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
	    SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
		tcp->tcp_last_rcv_lbolt = prom_gettime();
	}

	if (seg_seq != tcp->tcp_rnxt && seg_len > 0) {
		/* Always ack out of order packets */
		flags |= TH_ACK_NEEDED;
		seg_len = 0;
	} else if (seg_len > 0) {
		BUMP_MIB(tcp_mib.tcpInDataInorderSegs);
		UPDATE_MIB(tcp_mib.tcpInDataInorderBytes, seg_len);
	}
	if (flags & TH_RST) {
		freemsg(mp);
		(void) tcp_clean_death(sock_id, tcp, 0);
		return;
	}
	if (flags & TH_SYN) {
		freemsg(mp);
		tcp_xmit_ctl("TH_SYN", tcp, NULL, seg_ack, seg_seq + 1,
		    TH_RST|TH_ACK, 0, -1);
		/*
		 * Do not delete the TCP structure if it is in
		 * TIME_WAIT state.  Refer to RFC 1122, 4.2.2.13.
		 */
		return;
	}
process_ack:
	if (flags & TH_ACK) {
		bytes_acked = (int)(seg_ack - tcp->tcp_suna);
		if (bytes_acked <= 0) {
			if (bytes_acked == 0 && seg_len == 0 &&
			    new_swnd == tcp->tcp_swnd)
				BUMP_MIB(tcp_mib.tcpInDupAck);
		} else {
			/* Acks something not sent */
			flags |= TH_ACK_NEEDED;
		}
	}
	freemsg(mp);
	if (flags & TH_ACK_NEEDED) {
		/*
		 * Time to send an ack for some reason.
		 */
		tcp_xmit_ctl(NULL, tcp, NULL, tcp->tcp_snxt,
		    tcp->tcp_rnxt, TH_ACK, 0, -1);
	}
}

static int
tcp_init_values(tcp_t *tcp, struct inetboot_socket *isp)
{
	int	err;

	tcp->tcp_family = AF_INET;
	tcp->tcp_ipversion = IPV4_VERSION;

	/*
	 * Initialize tcp_rtt_sa and tcp_rtt_sd so that the calculated RTO
	 * will be close to tcp_rexmit_interval_initial.  By doing this, we
	 * allow the algorithm to adjust slowly to large fluctuations of RTT
	 * during first few transmissions of a connection as seen in slow
	 * links.
	 */
	tcp->tcp_rtt_sa = tcp_rexmit_interval_initial << 2;
	tcp->tcp_rtt_sd = tcp_rexmit_interval_initial >> 1;
	tcp->tcp_rto = (tcp->tcp_rtt_sa >> 3) + tcp->tcp_rtt_sd +
	    tcp_rexmit_interval_extra + (tcp->tcp_rtt_sa >> 5) +
	    tcp_conn_grace_period;
	if (tcp->tcp_rto < tcp_rexmit_interval_min)
		tcp->tcp_rto = tcp_rexmit_interval_min;
	tcp->tcp_timer_backoff = 0;
	tcp->tcp_ms_we_have_waited = 0;
	tcp->tcp_last_recv_time = prom_gettime();
	tcp->tcp_cwnd_max = tcp_cwnd_max_;
	tcp->tcp_snd_burst = TCP_CWND_INFINITE;
	tcp->tcp_cwnd_ssthresh = TCP_MAX_LARGEWIN;
	/* For Ethernet, the mtu returned is actually 1550... */
	if (mac_get_type() == IFT_ETHER) {
		tcp->tcp_if_mtu = mac_get_mtu() - 50;
	} else {
		tcp->tcp_if_mtu = mac_get_mtu();
	}
	tcp->tcp_mss = tcp->tcp_if_mtu;

	tcp->tcp_first_timer_threshold = tcp_ip_notify_interval;
	tcp->tcp_first_ctimer_threshold = tcp_ip_notify_cinterval;
	tcp->tcp_second_timer_threshold = tcp_ip_abort_interval;
	/*
	 * Fix it to tcp_ip_abort_linterval later if it turns out to be a
	 * passive open.
	 */
	tcp->tcp_second_ctimer_threshold = tcp_ip_abort_cinterval;

	tcp->tcp_naglim = tcp_naglim_def;

	/* NOTE:  ISS is now set in tcp_adapt_ire(). */

	/* Initialize the header template */
	if (tcp->tcp_ipversion == IPV4_VERSION) {
		err = tcp_header_init_ipv4(tcp);
	}
	if (err)
		return (err);

	/*
	 * Init the window scale to the max so tcp_rwnd_set() won't pare
	 * down tcp_rwnd. tcp_adapt_ire() will set the right value later.
	 */
	tcp->tcp_rcv_ws = TCP_MAX_WINSHIFT;
	tcp->tcp_xmit_lowater = tcp_xmit_lowat;
	if (isp != NULL) {
		tcp->tcp_xmit_hiwater = isp->so_sndbuf;
		tcp->tcp_rwnd = isp->so_rcvbuf;
		tcp->tcp_rwnd_max = isp->so_rcvbuf;
	}
	tcp->tcp_state = TCPS_IDLE;
	return (0);
}

/*
 * Initialize the IPv4 header. Loses any record of any IP options.
 */
static int
tcp_header_init_ipv4(tcp_t *tcp)
{
	tcph_t		*tcph;

	/*
	 * This is a simple initialization. If there's
	 * already a template, it should never be too small,
	 * so reuse it.  Otherwise, allocate space for the new one.
	 */
	if (tcp->tcp_iphc != NULL) {
		assert(tcp->tcp_iphc_len >= TCP_MAX_COMBINED_HEADER_LENGTH);
		bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
	} else {
		tcp->tcp_iphc_len = TCP_MAX_COMBINED_HEADER_LENGTH;
		tcp->tcp_iphc = bkmem_zalloc(tcp->tcp_iphc_len);
		if (tcp->tcp_iphc == NULL) {
			tcp->tcp_iphc_len = 0;
			return (ENOMEM);
		}
	}
	tcp->tcp_ipha = (struct ip *)tcp->tcp_iphc;
	tcp->tcp_ipversion = IPV4_VERSION;

	/*
	 * Note that it does not include TCP options yet.  It will
	 * after the connection is established.
	 */
	tcp->tcp_hdr_len = sizeof (struct ip) + sizeof (tcph_t);
	tcp->tcp_tcp_hdr_len = sizeof (tcph_t);
	tcp->tcp_ip_hdr_len = sizeof (struct ip);
	tcp->tcp_ipha->ip_v = IP_VERSION;
	/* We don't support IP options... */
	tcp->tcp_ipha->ip_hl = IP_SIMPLE_HDR_LENGTH_IN_WORDS;
	tcp->tcp_ipha->ip_p = IPPROTO_TCP;
	/* We are not supposed to do PMTU discovery... */
	tcp->tcp_ipha->ip_sum = 0;

	tcph = (tcph_t *)(tcp->tcp_iphc + sizeof (struct ip));
	tcp->tcp_tcph = tcph;
	tcph->th_offset_and_rsrvd[0] = (5 << 4);
	return (0);
}

/*
 * Send out a control packet on the tcp connection specified.  This routine
 * is typically called where we need a simple ACK or RST generated.
 *
 * This function is called with or without a mp.
 */
static void
tcp_xmit_ctl(char *str, tcp_t *tcp, mblk_t *mp, uint32_t seq,
    uint32_t ack, int ctl, uint_t ip_hdr_len, int sock_id)
{
	uchar_t		*rptr;
	tcph_t		*tcph;
	struct ip	*iph = NULL;
	int		tcp_hdr_len;
	int		tcp_ip_hdr_len;

	tcp_hdr_len = tcp->tcp_hdr_len;
	tcp_ip_hdr_len = tcp->tcp_ip_hdr_len;

	if (mp) {
		assert(ip_hdr_len != 0);
		rptr = mp->b_rptr;
		tcph = (tcph_t *)(rptr + ip_hdr_len);
		/* Don't reply to a RST segment. */
		if (tcph->th_flags[0] & TH_RST) {
			freeb(mp);
			return;
		}
		freemsg(mp);
		rptr = NULL;
	} else {
		assert(ip_hdr_len == 0);
	}
	/* If a text string is passed in with the request, print it out. */
	if (str != NULL) {
		dprintf("tcp_xmit_ctl(%d): '%s', seq 0x%x, ack 0x%x, "
		    "ctl 0x%x\n", sock_id, str, seq, ack, ctl);
	}
	mp = allocb(tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH + tcp_wroff_xtra, 0);
	if (mp == NULL) {
		dprintf("tcp_xmit_ctl(%d): Cannot allocate memory\n", sock_id);
		return;
	}
	rptr = &mp->b_rptr[tcp_wroff_xtra];
	mp->b_rptr = rptr;
	mp->b_wptr = &rptr[tcp_hdr_len];
	bcopy(tcp->tcp_iphc, rptr, tcp_hdr_len);

	iph = (struct ip *)rptr;
	iph->ip_len = htons(tcp_hdr_len);

	tcph = (tcph_t *)&rptr[tcp_ip_hdr_len];
	tcph->th_flags[0] = (uint8_t)ctl;
	if (ctl & TH_RST) {
		BUMP_MIB(tcp_mib.tcpOutRsts);
		BUMP_MIB(tcp_mib.tcpOutControl);
		/*
		 * Don't send TSopt w/ TH_RST packets per RFC 1323.
		 */
		if (tcp->tcp_snd_ts_ok && tcp->tcp_state > TCPS_SYN_SENT) {
			mp->b_wptr = &rptr[tcp_hdr_len - TCPOPT_REAL_TS_LEN];
			*(mp->b_wptr) = TCPOPT_EOL;
			iph->ip_len = htons(tcp_hdr_len -
			    TCPOPT_REAL_TS_LEN);
			tcph->th_offset_and_rsrvd[0] -= (3 << 4);
		}
	}
	if (ctl & TH_ACK) {
		uint32_t now = prom_gettime();

		if (tcp->tcp_snd_ts_ok) {
			U32_TO_BE32(now,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
			U32_TO_BE32(tcp->tcp_ts_recent,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
		}
		tcp->tcp_rack = ack;
		tcp->tcp_rack_cnt = 0;
		BUMP_MIB(tcp_mib.tcpOutAck);
	}
	BUMP_MIB(tcp_mib.tcpOutSegs);
	U32_TO_BE32(seq, tcph->th_seq);
	U32_TO_BE32(ack, tcph->th_ack);

	tcp_set_cksum(mp);
	iph->ip_ttl = (uint8_t)tcp_ipv4_ttl;
	TCP_DUMP_PACKET("tcp_xmit_ctl", mp);
	(void) ipv4_tcp_output(sock_id, mp);
	freeb(mp);
}

/* Generate an ACK-only (no data) segment for a TCP endpoint */
static mblk_t *
tcp_ack_mp(tcp_t *tcp)
{
	if (tcp->tcp_valid_bits) {
		/*
		 * For the complex case where we have to send some
		 * controls (FIN or SYN), let tcp_xmit_mp do it.
		 * When sending an ACK-only segment (no data)
		 * into a zero window, always set the seq number to
		 * suna, since snxt will be extended past the window.
		 * If we used snxt, the receiver might consider the ACK
		 * unacceptable.
		 */
		return (tcp_xmit_mp(tcp, NULL, 0, NULL, NULL,
		    (tcp->tcp_zero_win_probe) ?
		    tcp->tcp_suna :
		    tcp->tcp_snxt, B_FALSE, NULL, B_FALSE));
	} else {
		/* Generate a simple ACK */
		uchar_t	*rptr;
		tcph_t	*tcph;
		mblk_t	*mp1;
		int32_t	tcp_hdr_len;
		int32_t	num_sack_blk = 0;
		int32_t sack_opt_len;

		/*
		 * Allocate space for TCP + IP headers
		 * and link-level header
		 */
		if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
			num_sack_blk = MIN(tcp->tcp_max_sack_blk,
			    tcp->tcp_num_sack_blk);
			sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
			    TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
			tcp_hdr_len = tcp->tcp_hdr_len + sack_opt_len;
		} else {
			tcp_hdr_len = tcp->tcp_hdr_len;
		}
		mp1 = allocb(tcp_hdr_len + tcp_wroff_xtra, 0);
		if (mp1 == NULL)
			return (NULL);

		/* copy in prototype TCP + IP header */
		rptr = mp1->b_rptr + tcp_wroff_xtra;
		mp1->b_rptr = rptr;
		mp1->b_wptr = rptr + tcp_hdr_len;
		bcopy(tcp->tcp_iphc, rptr, tcp->tcp_hdr_len);

		tcph = (tcph_t *)&rptr[tcp->tcp_ip_hdr_len];

		/*
		 * Set the TCP sequence number.
		 * When sending an ACK-only segment (no data)
		 * into a zero window, always set the seq number to
		 * suna, since snxt will be extended past the window.
		 * If we used snxt, the receiver might consider the ACK
		 * unacceptable.
		 */
		U32_TO_ABE32((tcp->tcp_zero_win_probe) ?
		    tcp->tcp_suna : tcp->tcp_snxt, tcph->th_seq);

		/* Set up the TCP flag field. */
		tcph->th_flags[0] = (uchar_t)TH_ACK;
		if (tcp->tcp_ecn_echo_on)
			tcph->th_flags[0] |= TH_ECE;

		tcp->tcp_rack = tcp->tcp_rnxt;
		tcp->tcp_rack_cnt = 0;

		/* fill in timestamp option if in use */
		if (tcp->tcp_snd_ts_ok) {
			uint32_t llbolt = (uint32_t)prom_gettime();

			U32_TO_BE32(llbolt,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
			U32_TO_BE32(tcp->tcp_ts_recent,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
		}

		/* Fill in SACK options */
		if (num_sack_blk > 0) {
			uchar_t *wptr = (uchar_t *)tcph + tcp->tcp_tcp_hdr_len;
			sack_blk_t *tmp;
			int32_t	i;

			wptr[0] = TCPOPT_NOP;
			wptr[1] = TCPOPT_NOP;
			wptr[2] = TCPOPT_SACK;
			wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
			    sizeof (sack_blk_t);
			wptr += TCPOPT_REAL_SACK_LEN;

			tmp = tcp->tcp_sack_list;
			for (i = 0; i < num_sack_blk; i++) {
				U32_TO_BE32(tmp[i].begin, wptr);
				wptr += sizeof (tcp_seq);
				U32_TO_BE32(tmp[i].end, wptr);
				wptr += sizeof (tcp_seq);
			}
			tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1)
			    << 4);
		}

		((struct ip *)rptr)->ip_len = htons(tcp_hdr_len);
		tcp_set_cksum(mp1);
		((struct ip *)rptr)->ip_ttl = (uint8_t)tcp_ipv4_ttl;
		return (mp1);
	}
}

/*
 * tcp_xmit_mp is called to return a pointer to an mblk chain complete with
 * ip and tcp header ready to pass down to IP.  If the mp passed in is
 * non-NULL, then up to max_to_send bytes of data will be dup'ed off that
 * mblk. (If sendall is not set the dup'ing will stop at an mblk boundary
 * otherwise it will dup partial mblks.)
 * Otherwise, an appropriate ACK packet will be generated.  This
 * routine is not usually called to send new data for the first time.  It
 * is mostly called out of the timer for retransmits, and to generate ACKs.
 *
 * If offset is not NULL, the returned mblk chain's first mblk's b_rptr will
 * be adjusted by *offset.  And after dupb(), the offset and the ending mblk
 * of the original mblk chain will be returned in *offset and *end_mp.
 */
static mblk_t *
tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
    mblk_t **end_mp, uint32_t seq, boolean_t sendall, uint32_t *seg_len,
    boolean_t rexmit)
{
	int	data_length;
	int32_t	off = 0;
	uint_t	flags;
	mblk_t	*mp1;
	mblk_t	*mp2;
	mblk_t	*new_mp;
	uchar_t	*rptr;
	tcph_t	*tcph;
	int32_t	num_sack_blk = 0;
	int32_t	sack_opt_len = 0;

	/* Allocate for our maximum TCP header + link-level */
	mp1 = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
	    tcp_wroff_xtra, 0);
	if (mp1 == NULL)
		return (NULL);
	data_length = 0;

	/*
	 * Note that tcp_mss has been adjusted to take into account the
	 * timestamp option if applicable.  Because SACK options do not
	 * appear in every TCP segments and they are of variable lengths,
	 * they cannot be included in tcp_mss.  Thus we need to calculate
	 * the actual segment length when we need to send a segment which
	 * includes SACK options.
	 */
	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
		num_sack_blk = MIN(tcp->tcp_max_sack_blk,
		    tcp->tcp_num_sack_blk);
		sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
		    TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
		if (max_to_send + sack_opt_len > tcp->tcp_mss)
			max_to_send -= sack_opt_len;
	}

	if (offset != NULL) {
		off = *offset;
		/* We use offset as an indicator that end_mp is not NULL. */
		*end_mp = NULL;
	}
	for (mp2 = mp1; mp && data_length != max_to_send; mp = mp->b_cont) {
		/* This could be faster with cooperation from downstream */
		if (mp2 != mp1 && !sendall &&
		    data_length + (int)(mp->b_wptr - mp->b_rptr) >
		    max_to_send)
			/*
			 * Don't send the next mblk since the whole mblk
			 * does not fit.
			 */
			break;
		mp2->b_cont = dupb(mp);
		mp2 = mp2->b_cont;
		if (mp2 == NULL) {
			freemsg(mp1);
			return (NULL);
		}
		mp2->b_rptr += off;
		assert((uintptr_t)(mp2->b_wptr - mp2->b_rptr) <=
		    (uintptr_t)INT_MAX);

		data_length += (int)(mp2->b_wptr - mp2->b_rptr);
		if (data_length > max_to_send) {
			mp2->b_wptr -= data_length - max_to_send;
			data_length = max_to_send;
			off = mp2->b_wptr - mp->b_rptr;
			break;
		} else {
			off = 0;
		}
	}
	if (offset != NULL) {
		*offset = off;
		*end_mp = mp;
	}
	if (seg_len != NULL) {
		*seg_len = data_length;
	}

	rptr = mp1->b_rptr + tcp_wroff_xtra;
	mp1->b_rptr = rptr;
	mp1->b_wptr = rptr + tcp->tcp_hdr_len + sack_opt_len;
	bcopy(tcp->tcp_iphc, rptr, tcp->tcp_hdr_len);
	tcph = (tcph_t *)&rptr[tcp->tcp_ip_hdr_len];
	U32_TO_ABE32(seq, tcph->th_seq);

	/*
	 * Use tcp_unsent to determine if the PUSH bit should be used assumes
	 * that this function was called from tcp_wput_data. Thus, when called
	 * to retransmit data the setting of the PUSH bit may appear some
	 * what random in that it might get set when it should not. This
	 * should not pose any performance issues.
	 */
	if (data_length != 0 && (tcp->tcp_unsent == 0 ||
	    tcp->tcp_unsent == data_length)) {
		flags = TH_ACK | TH_PUSH;
	} else {
		flags = TH_ACK;
	}

	if (tcp->tcp_ecn_ok) {
		if (tcp->tcp_ecn_echo_on)
			flags |= TH_ECE;

		/*
		 * Only set ECT bit and ECN_CWR if a segment contains new data.
		 * There is no TCP flow control for non-data segments, and
		 * only data segment is transmitted reliably.
		 */
		if (data_length > 0 && !rexmit) {
			SET_ECT(tcp, rptr);
			if (tcp->tcp_cwr && !tcp->tcp_ecn_cwr_sent) {
				flags |= TH_CWR;
				tcp->tcp_ecn_cwr_sent = B_TRUE;
			}
		}
	}

	if (tcp->tcp_valid_bits) {
		uint32_t u1;

		if ((tcp->tcp_valid_bits & TCP_ISS_VALID) &&
		    seq == tcp->tcp_iss) {
			uchar_t	*wptr;

			/*
			 * Tack on the MSS option.  It is always needed
			 * for both active and passive open.
			 */
			wptr = mp1->b_wptr;
			wptr[0] = TCPOPT_MAXSEG;
			wptr[1] = TCPOPT_MAXSEG_LEN;
			wptr += 2;
			/*
			 * MSS option value should be interface MTU - MIN
			 * TCP/IP header.
			 */
			u1 = tcp->tcp_if_mtu - IP_SIMPLE_HDR_LENGTH -
			    TCP_MIN_HEADER_LENGTH;
			U16_TO_BE16(u1, wptr);
			mp1->b_wptr = wptr + 2;
			/* Update the offset to cover the additional word */
			tcph->th_offset_and_rsrvd[0] += (1 << 4);

			/*
			 * Note that the following way of filling in
			 * TCP options are not optimal.  Some NOPs can
			 * be saved.  But there is no need at this time
			 * to optimize it.  When it is needed, we will
			 * do it.
			 */
			switch (tcp->tcp_state) {
			case TCPS_SYN_SENT:
				flags = TH_SYN;

				if (tcp->tcp_snd_ws_ok) {
					wptr = mp1->b_wptr;
					wptr[0] =  TCPOPT_NOP;
					wptr[1] =  TCPOPT_WSCALE;
					wptr[2] =  TCPOPT_WS_LEN;
					wptr[3] = (uchar_t)tcp->tcp_rcv_ws;
					mp1->b_wptr += TCPOPT_REAL_WS_LEN;
					tcph->th_offset_and_rsrvd[0] +=
					    (1 << 4);
				}

				if (tcp->tcp_snd_ts_ok) {
					uint32_t llbolt;

					llbolt = prom_gettime();
					wptr = mp1->b_wptr;
					wptr[0] = TCPOPT_NOP;
					wptr[1] = TCPOPT_NOP;
					wptr[2] = TCPOPT_TSTAMP;
					wptr[3] = TCPOPT_TSTAMP_LEN;
					wptr += 4;
					U32_TO_BE32(llbolt, wptr);
					wptr += 4;
					assert(tcp->tcp_ts_recent == 0);
					U32_TO_BE32(0L, wptr);
					mp1->b_wptr += TCPOPT_REAL_TS_LEN;
					tcph->th_offset_and_rsrvd[0] +=
					    (3 << 4);
				}

				if (tcp->tcp_snd_sack_ok) {
					wptr = mp1->b_wptr;
					wptr[0] = TCPOPT_NOP;
					wptr[1] = TCPOPT_NOP;
					wptr[2] = TCPOPT_SACK_PERMITTED;
					wptr[3] = TCPOPT_SACK_OK_LEN;
					mp1->b_wptr += TCPOPT_REAL_SACK_OK_LEN;
					tcph->th_offset_and_rsrvd[0] +=
					    (1 << 4);
				}

				/*
				 * Set up all the bits to tell other side
				 * we are ECN capable.
				 */
				if (tcp->tcp_ecn_ok) {
					flags |= (TH_ECE | TH_CWR);
				}
				break;
			case TCPS_SYN_RCVD:
				flags |= TH_SYN;

				if (tcp->tcp_snd_ws_ok) {
				    wptr = mp1->b_wptr;
				    wptr[0] =  TCPOPT_NOP;
				    wptr[1] =  TCPOPT_WSCALE;
				    wptr[2] =  TCPOPT_WS_LEN;
				    wptr[3] = (uchar_t)tcp->tcp_rcv_ws;
				    mp1->b_wptr += TCPOPT_REAL_WS_LEN;
				    tcph->th_offset_and_rsrvd[0] += (1 << 4);
				}

				if (tcp->tcp_snd_sack_ok) {
					wptr = mp1->b_wptr;
					wptr[0] = TCPOPT_NOP;
					wptr[1] = TCPOPT_NOP;
					wptr[2] = TCPOPT_SACK_PERMITTED;
					wptr[3] = TCPOPT_SACK_OK_LEN;
					mp1->b_wptr += TCPOPT_REAL_SACK_OK_LEN;
					tcph->th_offset_and_rsrvd[0] +=
					    (1 << 4);
				}

				/*
				 * If the other side is ECN capable, reply
				 * that we are also ECN capable.
				 */
				if (tcp->tcp_ecn_ok) {
					flags |= TH_ECE;
				}
				break;
			default:
				break;
			}
			/* allocb() of adequate mblk assures space */
			assert((uintptr_t)(mp1->b_wptr -
			    mp1->b_rptr) <= (uintptr_t)INT_MAX);
			if (flags & TH_SYN)
				BUMP_MIB(tcp_mib.tcpOutControl);
		}
		if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
		    (seq + data_length) == tcp->tcp_fss) {
			if (!tcp->tcp_fin_acked) {
				flags |= TH_FIN;
				BUMP_MIB(tcp_mib.tcpOutControl);
			}
			if (!tcp->tcp_fin_sent) {
				tcp->tcp_fin_sent = B_TRUE;
				switch (tcp->tcp_state) {
				case TCPS_SYN_RCVD:
				case TCPS_ESTABLISHED:
					tcp->tcp_state = TCPS_FIN_WAIT_1;
					break;
				case TCPS_CLOSE_WAIT:
					tcp->tcp_state = TCPS_LAST_ACK;
					break;
				}
				if (tcp->tcp_suna == tcp->tcp_snxt)
					TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
				tcp->tcp_snxt = tcp->tcp_fss + 1;
			}
		}
	}
	tcph->th_flags[0] = (uchar_t)flags;
	tcp->tcp_rack = tcp->tcp_rnxt;
	tcp->tcp_rack_cnt = 0;

	if (tcp->tcp_snd_ts_ok) {
		if (tcp->tcp_state != TCPS_SYN_SENT) {
			uint32_t llbolt = prom_gettime();

			U32_TO_BE32(llbolt,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
			U32_TO_BE32(tcp->tcp_ts_recent,
			    (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
		}
	}

	if (num_sack_blk > 0) {
		uchar_t *wptr = (uchar_t *)tcph + tcp->tcp_tcp_hdr_len;
		sack_blk_t *tmp;
		int32_t	i;

		wptr[0] = TCPOPT_NOP;
		wptr[1] = TCPOPT_NOP;
		wptr[2] = TCPOPT_SACK;
		wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
		    sizeof (sack_blk_t);
		wptr += TCPOPT_REAL_SACK_LEN;

		tmp = tcp->tcp_sack_list;
		for (i = 0; i < num_sack_blk; i++) {
			U32_TO_BE32(tmp[i].begin, wptr);
			wptr += sizeof (tcp_seq);
			U32_TO_BE32(tmp[i].end, wptr);
			wptr += sizeof (tcp_seq);
		}
		tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1) << 4);
	}
	assert((uintptr_t)(mp1->b_wptr - rptr) <= (uintptr_t)INT_MAX);
	data_length += (int)(mp1->b_wptr - rptr);
	if (tcp->tcp_ipversion == IPV4_VERSION)
		((struct ip *)rptr)->ip_len = htons(data_length);

	/*
	 * Performance hit!  We need to pullup the whole message
	 * in order to do checksum and for the MAC output routine.
	 */
	if (mp1->b_cont != NULL) {
		int mp_size;
#ifdef DEBUG
		printf("Multiple mblk %d\n", msgdsize(mp1));
#endif
		mp2 = mp1;
		new_mp = allocb(msgdsize(mp1) + tcp_wroff_xtra, 0);
		new_mp->b_rptr += tcp_wroff_xtra;
		new_mp->b_wptr = new_mp->b_rptr;
		while (mp1 != NULL) {
			mp_size = mp1->b_wptr - mp1->b_rptr;
			bcopy(mp1->b_rptr, new_mp->b_wptr, mp_size);
			new_mp->b_wptr += mp_size;
			mp1 = mp1->b_cont;
		}
		freemsg(mp2);
		mp1 = new_mp;
	}
	tcp_set_cksum(mp1);
	/* Fill in the TTL field as it is 0 in the header template. */
	((struct ip *)mp1->b_rptr)->ip_ttl = (uint8_t)tcp_ipv4_ttl;

	return (mp1);
}

/*
 * Generate a "no listener here" reset in response to the
 * connection request contained within 'mp'
 */
static void
tcp_xmit_listeners_reset(int sock_id, mblk_t *mp, uint_t ip_hdr_len)
{
	uchar_t		*rptr;
	uint32_t	seg_len;
	tcph_t		*tcph;
	uint32_t	seg_seq;
	uint32_t	seg_ack;
	uint_t		flags;

	rptr = mp->b_rptr;

	tcph = (tcph_t *)&rptr[ip_hdr_len];
	seg_seq = BE32_TO_U32(tcph->th_seq);
	seg_ack = BE32_TO_U32(tcph->th_ack);
	flags = tcph->th_flags[0];

	seg_len = msgdsize(mp) - (TCP_HDR_LENGTH(tcph) + ip_hdr_len);
	if (flags & TH_RST) {
		freeb(mp);
	} else if (flags & TH_ACK) {
		tcp_xmit_early_reset("no tcp, reset",
		    sock_id, mp, seg_ack, 0, TH_RST, ip_hdr_len);
	} else {
		if (flags & TH_SYN)
			seg_len++;
		tcp_xmit_early_reset("no tcp, reset/ack", sock_id,
		    mp, 0, seg_seq + seg_len,
		    TH_RST | TH_ACK, ip_hdr_len);
	}
}

/* Non overlapping byte exchanger */
static void
tcp_xchg(uchar_t *a, uchar_t *b, int len)
{
	uchar_t	uch;

	while (len-- > 0) {
		uch = a[len];
		a[len] = b[len];
		b[len] = uch;
	}
}

/*
 * Generate a reset based on an inbound packet for which there is no active
 * tcp state that we can find.
 */
static void
tcp_xmit_early_reset(char *str, int sock_id, mblk_t *mp, uint32_t seq,
    uint32_t ack, int ctl, uint_t ip_hdr_len)
{
	struct ip	*iph = NULL;
	ushort_t	len;
	tcph_t		*tcph;
	int		i;
	ipaddr_t	addr;
	mblk_t		*new_mp;

	if (str != NULL) {
		dprintf("tcp_xmit_early_reset: '%s', seq 0x%x, ack 0x%x, "
		    "flags 0x%x\n", str, seq, ack, ctl);
	}

	/*
	 * We skip reversing source route here.
	 * (for now we replace all IP options with EOL)
	 */
	iph = (struct ip *)mp->b_rptr;
	for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
		mp->b_rptr[i] = IPOPT_EOL;
	/*
	 * Make sure that src address is not a limited broadcast
	 * address. Not all broadcast address checking for the
	 * src address is possible, since we don't know the
	 * netmask of the src addr.
	 * No check for destination address is done, since
	 * IP will not pass up a packet with a broadcast dest address
	 * to TCP.
	 */
	if (iph->ip_src.s_addr == INADDR_ANY ||
	    iph->ip_src.s_addr == INADDR_BROADCAST) {
		freemsg(mp);
		return;
	}

	tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
	if (tcph->th_flags[0] & TH_RST) {
		freemsg(mp);
		return;
	}
	/*
	 * Now copy the original header to a new buffer.  The reason
	 * for doing this is that we need to put extra room before
	 * the header for the MAC layer address.  The original mblk
	 * does not have this extra head room.
	 */
	len = ip_hdr_len + sizeof (tcph_t);
	if ((new_mp = allocb(len + tcp_wroff_xtra, 0)) == NULL) {
		freemsg(mp);
		return;
	}
	new_mp->b_rptr += tcp_wroff_xtra;
	bcopy(mp->b_rptr, new_mp->b_rptr, len);
	new_mp->b_wptr = new_mp->b_rptr + len;
	freemsg(mp);
	mp = new_mp;
	iph = (struct ip *)mp->b_rptr;
	tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];

	tcph->th_offset_and_rsrvd[0] = (5 << 4);
	tcp_xchg(tcph->th_fport, tcph->th_lport, 2);
	U32_TO_BE32(ack, tcph->th_ack);
	U32_TO_BE32(seq, tcph->th_seq);
	U16_TO_BE16(0, tcph->th_win);
	bzero(tcph->th_sum, sizeof (int16_t));
	tcph->th_flags[0] = (uint8_t)ctl;
	if (ctl & TH_RST) {
		BUMP_MIB(tcp_mib.tcpOutRsts);
		BUMP_MIB(tcp_mib.tcpOutControl);
	}

	iph->ip_len = htons(len);
	/* Swap addresses */
	addr = iph->ip_src.s_addr;
	iph->ip_src = iph->ip_dst;
	iph->ip_dst.s_addr = addr;
	iph->ip_id = 0;
	iph->ip_ttl = 0;
	tcp_set_cksum(mp);
	iph->ip_ttl = (uint8_t)tcp_ipv4_ttl;

	/* Dump the packet when debugging. */
	TCP_DUMP_PACKET("tcp_xmit_early_reset", mp);
	(void) ipv4_tcp_output(sock_id, mp);
	freemsg(mp);
}

static void
tcp_set_cksum(mblk_t *mp)
{
	struct ip *iph;
	tcpha_t *tcph;
	int len;

	iph = (struct ip *)mp->b_rptr;
	tcph = (tcpha_t *)(iph + 1);
	len = ntohs(iph->ip_len);
	/*
	 * Calculate the TCP checksum.  Need to include the psuedo header,
	 * which is similar to the real IP header starting at the TTL field.
	 */
	iph->ip_sum = htons(len - IP_SIMPLE_HDR_LENGTH);
	tcph->tha_sum = 0;
	tcph->tha_sum = tcp_cksum((uint16_t *)&(iph->ip_ttl),
	    len - IP_SIMPLE_HDR_LENGTH + 12);
	iph->ip_sum = 0;
}

static uint16_t
tcp_cksum(uint16_t *buf, uint32_t len)
{
	/*
	 * Compute Internet Checksum for "count" bytes
	 * beginning at location "addr".
	 */
	int32_t sum = 0;

	while (len > 1) {
		/*  This is the inner loop */
		sum += *buf++;
		len -= 2;
	}

	/*  Add left-over byte, if any */
	if (len > 0)
		sum += *(unsigned char *)buf * 256;

	/*  Fold 32-bit sum to 16 bits */
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);

	return ((uint16_t)~sum);
}

/*
 * Type three generator adapted from the random() function in 4.4 BSD:
 */

/*
 * Copyright (c) 1983, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* Type 3 -- x**31 + x**3 + 1 */
#define	DEG_3		31
#define	SEP_3		3


/* Protected by tcp_random_lock */
static int tcp_randtbl[DEG_3 + 1];

static int *tcp_random_fptr = &tcp_randtbl[SEP_3 + 1];
static int *tcp_random_rptr = &tcp_randtbl[1];

static int *tcp_random_state = &tcp_randtbl[1];
static int *tcp_random_end_ptr = &tcp_randtbl[DEG_3 + 1];

static void
tcp_random_init(void)
{
	int i;
	uint32_t hrt;
	uint32_t wallclock;
	uint32_t result;

	/*
	 *
	 * XXX We don't have high resolution time in standalone...  The
	 * following is just some approximation on the comment below.
	 *
	 * Use high-res timer and current time for seed.  Gethrtime() returns
	 * a longlong, which may contain resolution down to nanoseconds.
	 * The current time will either be a 32-bit or a 64-bit quantity.
	 * XOR the two together in a 64-bit result variable.
	 * Convert the result to a 32-bit value by multiplying the high-order
	 * 32-bits by the low-order 32-bits.
	 *
	 * XXX We don't have gethrtime() in prom and the wallclock....
	 */

	hrt = prom_gettime();
	wallclock = (uint32_t)time(NULL);
	result = wallclock ^ hrt;
	tcp_random_state[0] = result;

	for (i = 1; i < DEG_3; i++)
		tcp_random_state[i] = 1103515245 * tcp_random_state[i - 1]
			+ 12345;
	tcp_random_fptr = &tcp_random_state[SEP_3];
	tcp_random_rptr = &tcp_random_state[0];
	for (i = 0; i < 10 * DEG_3; i++)
		(void) tcp_random();
}

/*
 * tcp_random: Return a random number in the range [1 - (128K + 1)].
 * This range is selected to be approximately centered on TCP_ISS / 2,
 * and easy to compute. We get this value by generating a 32-bit random
 * number, selecting out the high-order 17 bits, and then adding one so
 * that we never return zero.
 */
static int
tcp_random(void)
{
	int i;

	*tcp_random_fptr += *tcp_random_rptr;

	/*
	 * The high-order bits are more random than the low-order bits,
	 * so we select out the high-order 17 bits and add one so that
	 * we never return zero.
	 */
	i = ((*tcp_random_fptr >> 15) & 0x1ffff) + 1;
	if (++tcp_random_fptr >= tcp_random_end_ptr) {
		tcp_random_fptr = tcp_random_state;
		++tcp_random_rptr;
	} else if (++tcp_random_rptr >= tcp_random_end_ptr)
		tcp_random_rptr = tcp_random_state;

	return (i);
}

/*
 * Generate ISS, taking into account NDD changes may happen halfway through.
 * (If the iss is not zero, set it.)
 */
static void
tcp_iss_init(tcp_t *tcp)
{
	tcp_iss_incr_extra += (ISS_INCR >> 1);
	tcp->tcp_iss = tcp_iss_incr_extra;
	tcp->tcp_iss += (prom_gettime() >> ISS_NSEC_SHT) + tcp_random();
	tcp->tcp_valid_bits = TCP_ISS_VALID;
	tcp->tcp_fss = tcp->tcp_iss - 1;
	tcp->tcp_suna = tcp->tcp_iss;
	tcp->tcp_snxt = tcp->tcp_iss + 1;
	tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
	tcp->tcp_csuna = tcp->tcp_snxt;
}

/*
 * Diagnostic routine used to return a string associated with the tcp state.
 * Note that if the caller does not supply a buffer, it will use an internal
 * static string.  This means that if multiple threads call this function at
 * the same time, output can be corrupted...  Note also that this function
 * does not check the size of the supplied buffer.  The caller has to make
 * sure that it is big enough.
 */
static char *
tcp_display(tcp_t *tcp, char *sup_buf, char format)
{
	char		buf1[30];
	static char	priv_buf[INET_ADDRSTRLEN * 2 + 80];
	char		*buf;
	char		*cp;
	char		local_addrbuf[INET_ADDRSTRLEN];
	char		remote_addrbuf[INET_ADDRSTRLEN];
	struct in_addr	addr;

	if (sup_buf != NULL)
		buf = sup_buf;
	else
		buf = priv_buf;

	if (tcp == NULL)
		return ("NULL_TCP");
	switch (tcp->tcp_state) {
	case TCPS_CLOSED:
		cp = "TCP_CLOSED";
		break;
	case TCPS_IDLE:
		cp = "TCP_IDLE";
		break;
	case TCPS_BOUND:
		cp = "TCP_BOUND";
		break;
	case TCPS_LISTEN:
		cp = "TCP_LISTEN";
		break;
	case TCPS_SYN_SENT:
		cp = "TCP_SYN_SENT";
		break;
	case TCPS_SYN_RCVD:
		cp = "TCP_SYN_RCVD";
		break;
	case TCPS_ESTABLISHED:
		cp = "TCP_ESTABLISHED";
		break;
	case TCPS_CLOSE_WAIT:
		cp = "TCP_CLOSE_WAIT";
		break;
	case TCPS_FIN_WAIT_1:
		cp = "TCP_FIN_WAIT_1";
		break;
	case TCPS_CLOSING:
		cp = "TCP_CLOSING";
		break;
	case TCPS_LAST_ACK:
		cp = "TCP_LAST_ACK";
		break;
	case TCPS_FIN_WAIT_2:
		cp = "TCP_FIN_WAIT_2";
		break;
	case TCPS_TIME_WAIT:
		cp = "TCP_TIME_WAIT";
		break;
	default:
		(void) sprintf(buf1, "TCPUnkState(%d)", tcp->tcp_state);
		cp = buf1;
		break;
	}
	switch (format) {
	case DISP_ADDR_AND_PORT:
		/*
		 * Note that we use the remote address in the tcp_b
		 * structure.  This means that it will print out
		 * the real destination address, not the next hop's
		 * address if source routing is used.
		 */
		addr.s_addr = tcp->tcp_bound_source;
		bcopy(inet_ntoa(addr), local_addrbuf, sizeof (local_addrbuf));
		addr.s_addr = tcp->tcp_remote;
		bcopy(inet_ntoa(addr), remote_addrbuf, sizeof (remote_addrbuf));
		(void) snprintf(buf, sizeof (priv_buf), "[%s.%u, %s.%u] %s",
		    local_addrbuf, ntohs(tcp->tcp_lport), remote_addrbuf,
		    ntohs(tcp->tcp_fport), cp);
		break;
	case DISP_PORT_ONLY:
	default:
		(void) snprintf(buf, sizeof (priv_buf), "[%u, %u] %s",
		    ntohs(tcp->tcp_lport), ntohs(tcp->tcp_fport), cp);
		break;
	}

	return (buf);
}

/*
 * Add a new piece to the tcp reassembly queue.  If the gap at the beginning
 * is filled, return as much as we can.  The message passed in may be
 * multi-part, chained using b_cont.  "start" is the starting sequence
 * number for this piece.
 */
static mblk_t *
tcp_reass(tcp_t *tcp, mblk_t *mp, uint32_t start)
{
	uint32_t	end;
	mblk_t		*mp1;
	mblk_t		*mp2;
	mblk_t		*next_mp;
	uint32_t	u1;

	/* Walk through all the new pieces. */
	do {
		assert((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
		    (uintptr_t)INT_MAX);
		end = start + (int)(mp->b_wptr - mp->b_rptr);
		next_mp = mp->b_cont;
		if (start == end) {
			/* Empty.  Blast it. */
			freeb(mp);
			continue;
		}
		mp->b_cont = NULL;
		TCP_REASS_SET_SEQ(mp, start);
		TCP_REASS_SET_END(mp, end);
		mp1 = tcp->tcp_reass_tail;
		if (!mp1) {
			tcp->tcp_reass_tail = mp;
			tcp->tcp_reass_head = mp;
			BUMP_MIB(tcp_mib.tcpInDataUnorderSegs);
			UPDATE_MIB(tcp_mib.tcpInDataUnorderBytes, end - start);
			continue;
		}
		/* New stuff completely beyond tail? */
		if (SEQ_GEQ(start, TCP_REASS_END(mp1))) {
			/* Link it on end. */
			mp1->b_cont = mp;
			tcp->tcp_reass_tail = mp;
			BUMP_MIB(tcp_mib.tcpInDataUnorderSegs);
			UPDATE_MIB(tcp_mib.tcpInDataUnorderBytes, end - start);
			continue;
		}
		mp1 = tcp->tcp_reass_head;
		u1 = TCP_REASS_SEQ(mp1);
		/* New stuff at the front? */
		if (SEQ_LT(start, u1)) {
			/* Yes... Check for overlap. */
			mp->b_cont = mp1;
			tcp->tcp_reass_head = mp;
			tcp_reass_elim_overlap(tcp, mp);
			continue;
		}
		/*
		 * The new piece fits somewhere between the head and tail.
		 * We find our slot, where mp1 precedes us and mp2 trails.
		 */
		for (; (mp2 = mp1->b_cont) != NULL; mp1 = mp2) {
			u1 = TCP_REASS_SEQ(mp2);
			if (SEQ_LEQ(start, u1))
				break;
		}
		/* Link ourselves in */
		mp->b_cont = mp2;
		mp1->b_cont = mp;

		/* Trim overlap with following mblk(s) first */
		tcp_reass_elim_overlap(tcp, mp);

		/* Trim overlap with preceding mblk */
		tcp_reass_elim_overlap(tcp, mp1);

	} while (start = end, mp = next_mp);
	mp1 = tcp->tcp_reass_head;
	/* Anything ready to go? */
	if (TCP_REASS_SEQ(mp1) != tcp->tcp_rnxt)
		return (NULL);
	/* Eat what we can off the queue */
	for (;;) {
		mp = mp1->b_cont;
		end = TCP_REASS_END(mp1);
		TCP_REASS_SET_SEQ(mp1, 0);
		TCP_REASS_SET_END(mp1, 0);
		if (!mp) {
			tcp->tcp_reass_tail = NULL;
			break;
		}
		if (end != TCP_REASS_SEQ(mp)) {
			mp1->b_cont = NULL;
			break;
		}
		mp1 = mp;
	}
	mp1 = tcp->tcp_reass_head;
	tcp->tcp_reass_head = mp;
	return (mp1);
}

/* Eliminate any overlap that mp may have over later mblks */
static void
tcp_reass_elim_overlap(tcp_t *tcp, mblk_t *mp)
{
	uint32_t	end;
	mblk_t		*mp1;
	uint32_t	u1;

	end = TCP_REASS_END(mp);
	while ((mp1 = mp->b_cont) != NULL) {
		u1 = TCP_REASS_SEQ(mp1);
		if (!SEQ_GT(end, u1))
			break;
		if (!SEQ_GEQ(end, TCP_REASS_END(mp1))) {
			mp->b_wptr -= end - u1;
			TCP_REASS_SET_END(mp, u1);
			BUMP_MIB(tcp_mib.tcpInDataPartDupSegs);
			UPDATE_MIB(tcp_mib.tcpInDataPartDupBytes, end - u1);
			break;
		}
		mp->b_cont = mp1->b_cont;
		freeb(mp1);
		BUMP_MIB(tcp_mib.tcpInDataDupSegs);
		UPDATE_MIB(tcp_mib.tcpInDataDupBytes, end - u1);
	}
	if (!mp1)
		tcp->tcp_reass_tail = mp;
}

/*
 * Remove a connection from the list of detached TIME_WAIT connections.
 */
static void
tcp_time_wait_remove(tcp_t *tcp)
{
	if (tcp->tcp_time_wait_expire == 0) {
		assert(tcp->tcp_time_wait_next == NULL);
		assert(tcp->tcp_time_wait_prev == NULL);
		return;
	}
	assert(tcp->tcp_state == TCPS_TIME_WAIT);
	if (tcp == tcp_time_wait_head) {
		assert(tcp->tcp_time_wait_prev == NULL);
		tcp_time_wait_head = tcp->tcp_time_wait_next;
		if (tcp_time_wait_head != NULL) {
			tcp_time_wait_head->tcp_time_wait_prev = NULL;
		} else {
			tcp_time_wait_tail = NULL;
		}
	} else if (tcp == tcp_time_wait_tail) {
		assert(tcp != tcp_time_wait_head);
		assert(tcp->tcp_time_wait_next == NULL);
		tcp_time_wait_tail = tcp->tcp_time_wait_prev;
		assert(tcp_time_wait_tail != NULL);
		tcp_time_wait_tail->tcp_time_wait_next = NULL;
	} else {
		assert(tcp->tcp_time_wait_prev->tcp_time_wait_next == tcp);
		assert(tcp->tcp_time_wait_next->tcp_time_wait_prev == tcp);
		tcp->tcp_time_wait_prev->tcp_time_wait_next =
		    tcp->tcp_time_wait_next;
		tcp->tcp_time_wait_next->tcp_time_wait_prev =
		    tcp->tcp_time_wait_prev;
	}
	tcp->tcp_time_wait_next = NULL;
	tcp->tcp_time_wait_prev = NULL;
	tcp->tcp_time_wait_expire = 0;
}

/*
 * Add a connection to the list of detached TIME_WAIT connections
 * and set its time to expire ...
 */
static void
tcp_time_wait_append(tcp_t *tcp)
{
	tcp->tcp_time_wait_expire = prom_gettime() + tcp_time_wait_interval;
	if (tcp->tcp_time_wait_expire == 0)
		tcp->tcp_time_wait_expire = 1;

	if (tcp_time_wait_head == NULL) {
		assert(tcp_time_wait_tail == NULL);
		tcp_time_wait_head = tcp;
	} else {
		assert(tcp_time_wait_tail != NULL);
		assert(tcp_time_wait_tail->tcp_state == TCPS_TIME_WAIT);
		tcp_time_wait_tail->tcp_time_wait_next = tcp;
		tcp->tcp_time_wait_prev = tcp_time_wait_tail;
	}
	tcp_time_wait_tail = tcp;

	/* for ndd stats about compression */
	tcp_cum_timewait++;
}

/*
 * Periodic qtimeout routine run on the default queue.
 * Performs 2 functions.
 * 	1.  Does TIME_WAIT compression on all recently added tcps. List
 *	    traversal is done backwards from the tail.
 *	2.  Blows away all tcps whose TIME_WAIT has expired. List traversal
 *	    is done forwards from the head.
 */
void
tcp_time_wait_collector(void)
{
	tcp_t *tcp;
	uint32_t now;

	/*
	 * In order to reap time waits reliably, we should use a
	 * source of time that is not adjustable by the user
	 */
	now = prom_gettime();
	while ((tcp = tcp_time_wait_head) != NULL) {
		/*
		 * Compare times using modular arithmetic, since
		 * lbolt can wrapover.
		 */
		if ((int32_t)(now - tcp->tcp_time_wait_expire) < 0) {
			break;
		}
		/*
		 * Note that the err must be 0 as there is no socket
		 * associated with this TCP...
		 */
		(void) tcp_clean_death(-1, tcp, 0);
	}
	/* Schedule next run time. */
	tcp_time_wait_runtime = prom_gettime() + 10000;
}

void
tcp_time_wait_report(void)
{
	tcp_t *tcp;

	printf("Current time %u\n", prom_gettime());
	for (tcp = tcp_time_wait_head; tcp != NULL;
	    tcp = tcp->tcp_time_wait_next) {
		printf("%s expires at %u\n", tcp_display(tcp, NULL,
		    DISP_ADDR_AND_PORT), tcp->tcp_time_wait_expire);
	}
}

/*
 * Send up all messages queued on tcp_rcv_list.
 * Have to set tcp_co_norm since we use putnext.
 */
static void
tcp_rcv_drain(int sock_id, tcp_t *tcp)
{
	mblk_t *mp;
	struct inetgram *in_gram;
	mblk_t *in_mp;
	int len;

	/* Don't drain if the app has not finished reading all the data. */
	if (sockets[sock_id].so_rcvbuf <= 0)
		return;

	/* We might have come here just to updated the rwnd */
	if (tcp->tcp_rcv_list == NULL)
		goto win_update;

	if ((in_gram = (struct inetgram *)bkmem_zalloc(
	    sizeof (struct inetgram))) == NULL) {
		return;
	}
	if ((in_mp = allocb(tcp->tcp_rcv_cnt, 0)) == NULL) {
		bkmem_free((caddr_t)in_gram, sizeof (struct inetgram));
		return;
	}
	in_gram->igm_level = APP_LVL;
	in_gram->igm_mp = in_mp;
	in_gram->igm_id = 0;

	while ((mp = tcp->tcp_rcv_list) != NULL) {
		tcp->tcp_rcv_list = mp->b_cont;
		len = mp->b_wptr - mp->b_rptr;
		bcopy(mp->b_rptr, in_mp->b_wptr, len);
		in_mp->b_wptr += len;
		freeb(mp);
	}

	tcp->tcp_rcv_last_tail = NULL;
	tcp->tcp_rcv_cnt = 0;
	add_grams(&sockets[sock_id].inq, in_gram);

	/* This means that so_rcvbuf can be less than 0. */
	sockets[sock_id].so_rcvbuf -= in_mp->b_wptr - in_mp->b_rptr;
win_update:
	/*
	 * Increase the receive window to max.  But we need to do receiver
	 * SWS avoidance.  This means that we need to check the increase of
	 * of receive window is at least 1 MSS.
	 */
	if (sockets[sock_id].so_rcvbuf > 0 &&
	    (tcp->tcp_rwnd_max - tcp->tcp_rwnd >= tcp->tcp_mss)) {
		tcp->tcp_rwnd = tcp->tcp_rwnd_max;
		U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
		    tcp->tcp_tcph->th_win);
	}
}

/*
 * Wrapper for recvfrom to call
 */
void
tcp_rcv_drain_sock(int sock_id)
{
	tcp_t *tcp;
	if ((tcp = sockets[sock_id].pcb) == NULL)
		return;
	tcp_rcv_drain(sock_id, tcp);
}

/*
 * If the inq == NULL and the tcp_rcv_list != NULL, we have data that
 * recvfrom could read. Place a magic message in the inq to let recvfrom
 * know that it needs to call tcp_rcv_drain_sock to pullup the data.
 */
static void
tcp_drain_needed(int sock_id, tcp_t *tcp)
{
	struct inetgram *in_gram;
#ifdef DEBUG
	printf("tcp_drain_needed: inq %x, tcp_rcv_list %x\n",
		sockets[sock_id].inq, tcp->tcp_rcv_list);
#endif
	if ((sockets[sock_id].inq != NULL) ||
		(tcp->tcp_rcv_list == NULL))
		return;

	if ((in_gram = (struct inetgram *)bkmem_zalloc(
		sizeof (struct inetgram))) == NULL)
		return;

	in_gram->igm_level = APP_LVL;
	in_gram->igm_mp = NULL;
	in_gram->igm_id = TCP_CALLB_MAGIC_ID;

	add_grams(&sockets[sock_id].inq, in_gram);
}

/*
 * Queue data on tcp_rcv_list which is a b_next chain.
 * Each element of the chain is a b_cont chain.
 *
 * M_DATA messages are added to the current element.
 * Other messages are added as new (b_next) elements.
 */
static void
tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len)
{
	assert(seg_len == msgdsize(mp));
	if (tcp->tcp_rcv_list == NULL) {
		tcp->tcp_rcv_list = mp;
	} else {
		tcp->tcp_rcv_last_tail->b_cont = mp;
	}
	while (mp->b_cont)
		mp = mp->b_cont;
	tcp->tcp_rcv_last_tail = mp;
	tcp->tcp_rcv_cnt += seg_len;
	tcp->tcp_rwnd -= seg_len;
#ifdef DEBUG
	printf("tcp_rcv_enqueue rwnd %d\n", tcp->tcp_rwnd);
#endif
	U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws, tcp->tcp_tcph->th_win);
}

/* The minimum of smoothed mean deviation in RTO calculation. */
#define	TCP_SD_MIN	400

/*
 * Set RTO for this connection.  The formula is from Jacobson and Karels'
 * "Congestion Avoidance and Control" in SIGCOMM '88.  The variable names
 * are the same as those in Appendix A.2 of that paper.
 *
 * m = new measurement
 * sa = smoothed RTT average (8 * average estimates).
 * sv = smoothed mean deviation (mdev) of RTT (4 * deviation estimates).
 */
static void
tcp_set_rto(tcp_t *tcp, int32_t rtt)
{
	int32_t m = rtt;
	uint32_t sa = tcp->tcp_rtt_sa;
	uint32_t sv = tcp->tcp_rtt_sd;
	uint32_t rto;

	BUMP_MIB(tcp_mib.tcpRttUpdate);
	tcp->tcp_rtt_update++;

	/* tcp_rtt_sa is not 0 means this is a new sample. */
	if (sa != 0) {
		/*
		 * Update average estimator:
		 *	new rtt = 7/8 old rtt + 1/8 Error
		 */

		/* m is now Error in estimate. */
		m -= sa >> 3;
		if ((int32_t)(sa += m) <= 0) {
			/*
			 * Don't allow the smoothed average to be negative.
			 * We use 0 to denote reinitialization of the
			 * variables.
			 */
			sa = 1;
		}

		/*
		 * Update deviation estimator:
		 *	new mdev = 3/4 old mdev + 1/4 (abs(Error) - old mdev)
		 */
		if (m < 0)
			m = -m;
		m -= sv >> 2;
		sv += m;
	} else {
		/*
		 * This follows BSD's implementation.  So the reinitialized
		 * RTO is 3 * m.  We cannot go less than 2 because if the
		 * link is bandwidth dominated, doubling the window size
		 * during slow start means doubling the RTT.  We want to be
		 * more conservative when we reinitialize our estimates.  3
		 * is just a convenient number.
		 */
		sa = m << 3;
		sv = m << 1;
	}
	if (sv < TCP_SD_MIN) {
		/*
		 * We do not know that if sa captures the delay ACK
		 * effect as in a long train of segments, a receiver
		 * does not delay its ACKs.  So set the minimum of sv
		 * to be TCP_SD_MIN, which is default to 400 ms, twice
		 * of BSD DATO.  That means the minimum of mean
		 * deviation is 100 ms.
		 *
		 */
		sv = TCP_SD_MIN;
	}
	tcp->tcp_rtt_sa = sa;
	tcp->tcp_rtt_sd = sv;
	/*
	 * RTO = average estimates (sa / 8) + 4 * deviation estimates (sv)
	 *
	 * Add tcp_rexmit_interval extra in case of extreme environment
	 * where the algorithm fails to work.  The default value of
	 * tcp_rexmit_interval_extra should be 0.
	 *
	 * As we use a finer grained clock than BSD and update
	 * RTO for every ACKs, add in another .25 of RTT to the
	 * deviation of RTO to accomodate burstiness of 1/4 of
	 * window size.
	 */
	rto = (sa >> 3) + sv + tcp_rexmit_interval_extra + (sa >> 5);

	if (rto > tcp_rexmit_interval_max) {
		tcp->tcp_rto = tcp_rexmit_interval_max;
	} else if (rto < tcp_rexmit_interval_min) {
		tcp->tcp_rto = tcp_rexmit_interval_min;
	} else {
		tcp->tcp_rto = rto;
	}

	/* Now, we can reset tcp_timer_backoff to use the new RTO... */
	tcp->tcp_timer_backoff = 0;
}

/*
 * Initiate closedown sequence on an active connection.
 * Return value zero for OK return, non-zero for error return.
 */
static int
tcp_xmit_end(tcp_t *tcp, int sock_id)
{
	mblk_t	*mp;

	if (tcp->tcp_state < TCPS_SYN_RCVD ||
	    tcp->tcp_state > TCPS_CLOSE_WAIT) {
		/*
		 * Invalid state, only states TCPS_SYN_RCVD,
		 * TCPS_ESTABLISHED and TCPS_CLOSE_WAIT are valid
		 */
		return (-1);
	}

	tcp->tcp_fss = tcp->tcp_snxt + tcp->tcp_unsent;
	tcp->tcp_valid_bits |= TCP_FSS_VALID;
	/*
	 * If there is nothing more unsent, send the FIN now.
	 * Otherwise, it will go out with the last segment.
	 */
	if (tcp->tcp_unsent == 0) {
		mp = tcp_xmit_mp(tcp, NULL, 0, NULL, NULL,
		    tcp->tcp_fss, B_FALSE, NULL, B_FALSE);

		if (mp != NULL) {
			/* Dump the packet when debugging. */
			TCP_DUMP_PACKET("tcp_xmit_end", mp);
			(void) ipv4_tcp_output(sock_id, mp);
			freeb(mp);
		} else {
			/*
			 * Couldn't allocate msg.  Pretend we got it out.
			 * Wait for rexmit timeout.
			 */
			tcp->tcp_snxt = tcp->tcp_fss + 1;
			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
		}

		/*
		 * If needed, update tcp_rexmit_snxt as tcp_snxt is
		 * changed.
		 */
		if (tcp->tcp_rexmit && tcp->tcp_rexmit_nxt == tcp->tcp_fss) {
			tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
		}
	} else {
		tcp_wput_data(tcp, NULL, B_FALSE);
	}

	return (0);
}

int
tcp_opt_set(tcp_t *tcp, int level, int option, const void *optval,
    socklen_t optlen)
{
	switch (level) {
	case SOL_SOCKET: {
		switch (option) {
		case SO_RCVBUF:
			if (optlen == sizeof (int)) {
				int val = *(int *)optval;

				if (val > tcp_max_buf) {
					errno = ENOBUFS;
					break;
				}
				/* Silently ignore zero */
				if (val != 0) {
					val = MSS_ROUNDUP(val, tcp->tcp_mss);
					(void) tcp_rwnd_set(tcp, val);
				}
			} else {
				errno = EINVAL;
			}
			break;
		case SO_SNDBUF:
			if (optlen == sizeof (int)) {
				tcp->tcp_xmit_hiwater = *(int *)optval;
				if (tcp->tcp_xmit_hiwater > tcp_max_buf)
					tcp->tcp_xmit_hiwater = tcp_max_buf;
			} else {
				errno = EINVAL;
			}
			break;
		case SO_LINGER:
			if (optlen == sizeof (struct linger)) {
				struct linger *lgr = (struct linger *)optval;

				if (lgr->l_onoff) {
					tcp->tcp_linger = 1;
					tcp->tcp_lingertime = lgr->l_linger;
				} else {
					tcp->tcp_linger = 0;
					tcp->tcp_lingertime = 0;
				}
			} else {
				errno = EINVAL;
			}
			break;
		default:
			errno = ENOPROTOOPT;
			break;
		}
		break;
	} /* case SOL_SOCKET */
	case IPPROTO_TCP: {
		switch (option) {
		default:
			errno = ENOPROTOOPT;
			break;
		}
		break;
	} /* case IPPROTO_TCP */
	case IPPROTO_IP: {
		switch (option) {
		default:
			errno = ENOPROTOOPT;
			break;
		}
		break;
	} /* case IPPROTO_IP */
	default:
		errno = ENOPROTOOPT;
		break;
	} /* switch (level) */

	if (errno != 0)
		return (-1);
	else
		return (0);
}