2005-01-07 01:45:51 +00:00
|
|
|
/*-
|
2017-11-20 19:43:44 +00:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
*
|
1994-05-24 10:09:53 +00:00
|
|
|
* Copyright (c) 1982, 1986, 1993
|
|
|
|
* The Regents of the University of California. All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
2017-02-28 23:42:47 +00:00
|
|
|
* 3. Neither the name of the University nor the names of its contributors
|
1994-05-24 10:09:53 +00:00
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* @(#)tcp.h 8.1 (Berkeley) 6/10/93
|
1999-08-28 01:08:13 +00:00
|
|
|
* $FreeBSD$
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
|
1994-08-21 05:27:42 +00:00
|
|
|
#ifndef _NETINET_TCP_H_
|
|
|
|
#define _NETINET_TCP_H_
|
|
|
|
|
2002-10-02 04:22:34 +00:00
|
|
|
#include <sys/cdefs.h>
|
2011-10-21 12:58:34 +00:00
|
|
|
#include <sys/types.h>
|
2002-10-02 04:22:34 +00:00
|
|
|
|
2002-10-02 04:19:47 +00:00
|
|
|
#if __BSD_VISIBLE
|
|
|
|
|
1998-07-13 11:09:52 +00:00
|
|
|
typedef u_int32_t tcp_seq;
|
1995-02-08 20:18:48 +00:00
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#define tcp6_seq tcp_seq /* for KAME src sync over BSD*'s */
|
|
|
|
#define tcp6hdr tcphdr /* for KAME src sync over BSD*'s */
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* TCP header.
|
|
|
|
* Per RFC 793, September, 1981.
|
|
|
|
*/
|
|
|
|
struct tcphdr {
|
|
|
|
u_short th_sport; /* source port */
|
|
|
|
u_short th_dport; /* destination port */
|
|
|
|
tcp_seq th_seq; /* sequence number */
|
|
|
|
tcp_seq th_ack; /* acknowledgement number */
|
1995-05-30 08:16:23 +00:00
|
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
2010-02-01 14:13:44 +00:00
|
|
|
u_char th_x2:4, /* (unused) */
|
1994-05-24 10:09:53 +00:00
|
|
|
th_off:4; /* data offset */
|
|
|
|
#endif
|
1995-05-30 08:16:23 +00:00
|
|
|
#if BYTE_ORDER == BIG_ENDIAN
|
2010-02-01 14:13:44 +00:00
|
|
|
u_char th_off:4, /* data offset */
|
1994-05-24 10:09:53 +00:00
|
|
|
th_x2:4; /* (unused) */
|
|
|
|
#endif
|
|
|
|
u_char th_flags;
|
|
|
|
#define TH_FIN 0x01
|
|
|
|
#define TH_SYN 0x02
|
|
|
|
#define TH_RST 0x04
|
|
|
|
#define TH_PUSH 0x08
|
|
|
|
#define TH_ACK 0x10
|
|
|
|
#define TH_URG 0x20
|
o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets. This patch
stops overloading those bits in the IP firewall rules, and moves
colliding flags to a seperate field, ipflg. The IPFW userland
management tool, ipfw(8), is updated to reflect this change. New TCP
flags related to ECN are now included in tcp.h for reference, although
we don't currently implement TCP+ECN.
o To use this fix without completely rebuilding, it is sufficient to copy
ip_fw.h and tcp.h into your appropriate include directory, then rebuild
the ipfw kernel module, and ipfw tool, and install both. Note that a
mismatch between module and userland tool will result in incorrect
installation of firewall rules that may have unexpected effects. This
is an MFC candidate, following shakedown. This bug does not appear
to affect ipfilter.
Reviewed by: security-officer, billf
Reported by: Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
|
|
|
#define TH_ECE 0x40
|
|
|
|
#define TH_CWR 0x80
|
2006-02-18 16:50:08 +00:00
|
|
|
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECE|TH_CWR)
|
2007-05-25 21:28:49 +00:00
|
|
|
#define PRINT_TH_FLAGS "\20\1FIN\2SYN\3RST\4PUSH\5ACK\6URG\7ECE\10CWR"
|
1995-02-14 02:35:19 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
u_short th_win; /* window */
|
|
|
|
u_short th_sum; /* checksum */
|
|
|
|
u_short th_urp; /* urgent pointer */
|
|
|
|
};
|
|
|
|
|
|
|
|
#define TCPOPT_EOL 0
|
2007-03-15 15:59:28 +00:00
|
|
|
#define TCPOLEN_EOL 1
|
2008-04-07 18:43:59 +00:00
|
|
|
#define TCPOPT_PAD 0 /* padding after EOL */
|
|
|
|
#define TCPOLEN_PAD 1
|
1994-05-24 10:09:53 +00:00
|
|
|
#define TCPOPT_NOP 1
|
2007-03-15 15:59:28 +00:00
|
|
|
#define TCPOLEN_NOP 1
|
1994-05-24 10:09:53 +00:00
|
|
|
#define TCPOPT_MAXSEG 2
|
|
|
|
#define TCPOLEN_MAXSEG 4
|
|
|
|
#define TCPOPT_WINDOW 3
|
|
|
|
#define TCPOLEN_WINDOW 3
|
2007-03-15 15:59:28 +00:00
|
|
|
#define TCPOPT_SACK_PERMITTED 4
|
1994-05-24 10:09:53 +00:00
|
|
|
#define TCPOLEN_SACK_PERMITTED 2
|
2007-03-15 15:59:28 +00:00
|
|
|
#define TCPOPT_SACK 5
|
|
|
|
#define TCPOLEN_SACKHDR 2
|
2004-06-23 21:04:37 +00:00
|
|
|
#define TCPOLEN_SACK 8 /* 2*sizeof(tcp_seq) */
|
1994-05-24 10:09:53 +00:00
|
|
|
#define TCPOPT_TIMESTAMP 8
|
|
|
|
#define TCPOLEN_TIMESTAMP 10
|
|
|
|
#define TCPOLEN_TSTAMP_APPA (TCPOLEN_TIMESTAMP+2) /* appendix A */
|
2007-04-20 15:08:09 +00:00
|
|
|
#define TCPOPT_SIGNATURE 19 /* Keyed MD5: RFC 2385 */
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#define TCPOLEN_SIGNATURE 18
|
2015-12-24 19:09:48 +00:00
|
|
|
#define TCPOPT_FAST_OPEN 34
|
|
|
|
#define TCPOLEN_FAST_OPEN_EMPTY 2
|
1995-02-08 20:18:48 +00:00
|
|
|
|
2004-06-23 21:04:37 +00:00
|
|
|
/* Miscellaneous constants */
|
2005-08-24 02:47:16 +00:00
|
|
|
#define MAX_SACK_BLKS 6 /* Max # SACK blocks stored at receiver side */
|
2005-05-23 19:22:48 +00:00
|
|
|
#define TCP_MAX_SACK 4 /* MAX # SACKs sent in any segment */
|
2004-06-23 21:04:37 +00:00
|
|
|
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
2010-09-15 10:39:30 +00:00
|
|
|
* The default maximum segment size (MSS) to be used for new TCP connections
|
|
|
|
* when path MTU discovery is not enabled.
|
|
|
|
*
|
|
|
|
* RFC879 derives the default MSS from the largest datagram size hosts are
|
|
|
|
* minimally required to handle directly or through IP reassembly minus the
|
|
|
|
* size of the IP and TCP header. With IPv6 the minimum MTU is specified
|
|
|
|
* in RFC2460.
|
|
|
|
*
|
|
|
|
* For IPv4 the MSS is 576 - sizeof(struct tcpiphdr)
|
|
|
|
* For IPv6 the MSS is IPV6_MMTU - sizeof(struct ip6_hdr) - sizeof(struct tcphdr)
|
|
|
|
*
|
|
|
|
* We use explicit numerical definition here to avoid header pollution.
|
2004-01-08 17:40:07 +00:00
|
|
|
*/
|
2010-09-15 10:39:30 +00:00
|
|
|
#define TCP_MSS 536
|
|
|
|
#define TCP6_MSS 1220
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1999-11-05 14:41:39 +00:00
|
|
|
/*
|
2010-09-16 12:13:06 +00:00
|
|
|
* Limit the lowest MSS we accept for path MTU discovery and the TCP SYN MSS
|
|
|
|
* option. Allowing low values of MSS can consume significant resources and
|
|
|
|
* be used to mount a resource exhaustion attack.
|
2010-09-15 10:39:30 +00:00
|
|
|
* Connections requesting lower MSS values will be rounded up to this value
|
2010-09-16 12:13:06 +00:00
|
|
|
* and the IP_DF flag will be cleared to allow fragmentation along the path.
|
2010-09-15 10:39:30 +00:00
|
|
|
*
|
|
|
|
* See tcp_subr.c tcp_minmss SYSCTL declaration for more comments. Setting
|
|
|
|
* it to "0" disables the minmss check.
|
|
|
|
*
|
2010-09-16 12:13:06 +00:00
|
|
|
* The default value is fine for TCP across the Internet's smallest official
|
|
|
|
* link MTU (256 bytes for AX.25 packet radio). However, a connection is very
|
|
|
|
* unlikely to come across such low MTU interfaces these days (anno domini 2003).
|
1999-11-05 14:41:39 +00:00
|
|
|
*/
|
2010-09-15 10:39:30 +00:00
|
|
|
#define TCP_MINMSS 216
|
1999-11-05 14:41:39 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#define TCP_MAXWIN 65535 /* largest value for (unscaled) window */
|
1995-02-08 20:18:48 +00:00
|
|
|
#define TTCP_CLIENT_SND_WND 4096 /* dflt send window for T/TCP client */
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
#define TCP_MAX_WINSHIFT 14 /* maximum window shift */
|
|
|
|
|
2004-08-16 18:32:07 +00:00
|
|
|
#define TCP_MAXBURST 4 /* maximum segments in a burst */
|
2000-05-06 03:31:09 +00:00
|
|
|
|
1995-02-08 20:18:48 +00:00
|
|
|
#define TCP_MAXHLEN (0xf<<2) /* max length of header in bytes */
|
|
|
|
#define TCP_MAXOLEN (TCP_MAXHLEN - sizeof(struct tcphdr))
|
|
|
|
/* max space left for options */
|
2018-02-26 02:53:22 +00:00
|
|
|
|
|
|
|
#define TCP_FASTOPEN_MIN_COOKIE_LEN 4 /* Per RFC7413 */
|
|
|
|
#define TCP_FASTOPEN_MAX_COOKIE_LEN 16 /* Per RFC7413 */
|
|
|
|
#define TCP_FASTOPEN_PSK_LEN 16 /* Same as TCP_FASTOPEN_KEY_LEN */
|
2002-10-02 04:19:47 +00:00
|
|
|
#endif /* __BSD_VISIBLE */
|
1995-02-08 20:18:48 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
2013-01-22 19:45:04 +00:00
|
|
|
* User-settable options (used with setsockopt). These are discrete
|
|
|
|
* values and are not masked together. Some values appear to be
|
|
|
|
* bitmasks for historical reasons.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2013-01-22 19:45:04 +00:00
|
|
|
#define TCP_NODELAY 1 /* don't delay send to coalesce packets */
|
2002-10-02 04:19:47 +00:00
|
|
|
#if __BSD_VISIBLE
|
2013-01-22 19:45:04 +00:00
|
|
|
#define TCP_MAXSEG 2 /* set maximum segment size */
|
|
|
|
#define TCP_NOPUSH 4 /* don't push last block of write */
|
|
|
|
#define TCP_NOOPT 8 /* don't use TCP options */
|
|
|
|
#define TCP_MD5SIG 16 /* use MD5 digests (RFC2385) */
|
|
|
|
#define TCP_INFO 32 /* retrieve tcp_info structure */
|
2018-03-22 09:40:08 +00:00
|
|
|
#define TCP_LOG 34 /* configure event logging for connection */
|
|
|
|
#define TCP_LOGBUF 35 /* retrieve event log for connection */
|
|
|
|
#define TCP_LOGID 36 /* configure log ID to correlate connections */
|
|
|
|
#define TCP_LOGDUMP 37 /* dump connection log events to device */
|
|
|
|
#define TCP_LOGDUMPID 38 /* dump events from connections with same ID to
|
|
|
|
device */
|
Add kernel-side support for in-kernel TLS.
KTLS adds support for in-kernel framing and encryption of Transport
Layer Security (1.0-1.2) data on TCP sockets. KTLS only supports
offload of TLS for transmitted data. Key negotation must still be
performed in userland. Once completed, transmit session keys for a
connection are provided to the kernel via a new TCP_TXTLS_ENABLE
socket option. All subsequent data transmitted on the socket is
placed into TLS frames and encrypted using the supplied keys.
Any data written to a KTLS-enabled socket via write(2), aio_write(2),
or sendfile(2) is assumed to be application data and is encoded in TLS
frames with an application data type. Individual records can be sent
with a custom type (e.g. handshake messages) via sendmsg(2) with a new
control message (TLS_SET_RECORD_TYPE) specifying the record type.
At present, rekeying is not supported though the in-kernel framework
should support rekeying.
KTLS makes use of the recently added unmapped mbufs to store TLS
frames in the socket buffer. Each TLS frame is described by a single
ext_pgs mbuf. The ext_pgs structure contains the header of the TLS
record (and trailer for encrypted records) as well as references to
the associated TLS session.
KTLS supports two primary methods of encrypting TLS frames: software
TLS and ifnet TLS.
Software TLS marks mbufs holding socket data as not ready via
M_NOTREADY similar to sendfile(2) when TLS framing information is
added to an unmapped mbuf in ktls_frame(). ktls_enqueue() is then
called to schedule TLS frames for encryption. In the case of
sendfile_iodone() calls ktls_enqueue() instead of pru_ready() leaving
the mbufs marked M_NOTREADY until encryption is completed. For other
writes (vn_sendfile when pages are available, write(2), etc.), the
PRUS_NOTREADY is set when invoking pru_send() along with invoking
ktls_enqueue().
A pool of worker threads (the "KTLS" kernel process) encrypts TLS
frames queued via ktls_enqueue(). Each TLS frame is temporarily
mapped using the direct map and passed to a software encryption
backend to perform the actual encryption.
(Note: The use of PHYS_TO_DMAP could be replaced with sf_bufs if
someone wished to make this work on architectures without a direct
map.)
KTLS supports pluggable software encryption backends. Internally,
Netflix uses proprietary pure-software backends. This commit includes
a simple backend in a new ktls_ocf.ko module that uses the kernel's
OpenCrypto framework to provide AES-GCM encryption of TLS frames. As
a result, software TLS is now a bit of a misnomer as it can make use
of hardware crypto accelerators.
Once software encryption has finished, the TLS frame mbufs are marked
ready via pru_ready(). At this point, the encrypted data appears as
regular payload to the TCP stack stored in unmapped mbufs.
ifnet TLS permits a NIC to offload the TLS encryption and TCP
segmentation. In this mode, a new send tag type (IF_SND_TAG_TYPE_TLS)
is allocated on the interface a socket is routed over and associated
with a TLS session. TLS records for a TLS session using ifnet TLS are
not marked M_NOTREADY but are passed down the stack unencrypted. The
ip_output_send() and ip6_output_send() helper functions that apply
send tags to outbound IP packets verify that the send tag of the TLS
record matches the outbound interface. If so, the packet is tagged
with the TLS send tag and sent to the interface. The NIC device
driver must recognize packets with the TLS send tag and schedule them
for TLS encryption and TCP segmentation. If the the outbound
interface does not match the interface in the TLS send tag, the packet
is dropped. In addition, a task is scheduled to refresh the TLS send
tag for the TLS session. If a new TLS send tag cannot be allocated,
the connection is dropped. If a new TLS send tag is allocated,
however, subsequent packets will be tagged with the correct TLS send
tag. (This latter case has been tested by configuring both ports of a
Chelsio T6 in a lagg and failing over from one port to another. As
the connections migrated to the new port, new TLS send tags were
allocated for the new port and connections resumed without being
dropped.)
ifnet TLS can be enabled and disabled on supported network interfaces
via new '[-]txtls[46]' options to ifconfig(8). ifnet TLS is supported
across both vlan devices and lagg interfaces using failover, lacp with
flowid enabled, or lacp with flowid enabled.
Applications may request the current KTLS mode of a connection via a
new TCP_TXTLS_MODE socket option. They can also use this socket
option to toggle between software and ifnet TLS modes.
In addition, a testing tool is available in tools/tools/switch_tls.
This is modeled on tcpdrop and uses similar syntax. However, instead
of dropping connections, -s is used to force KTLS connections to
switch to software TLS and -i is used to switch to ifnet TLS.
Various sysctls and counters are available under the kern.ipc.tls
sysctl node. The kern.ipc.tls.enable node must be set to true to
enable KTLS (it is off by default). The use of unmapped mbufs must
also be enabled via kern.ipc.mb_use_ext_pgs to enable KTLS.
KTLS is enabled via the KERN_TLS kernel option.
This patch is the culmination of years of work by several folks
including Scott Long and Randall Stewart for the original design and
implementation; Drew Gallatin for several optimizations including the
use of ext_pgs mbufs, the M_NOTREADY mechanism for TLS records
awaiting software encryption, and pluggable software crypto backends;
and John Baldwin for modifications to support hardware TLS offload.
Reviewed by: gallatin, hselasky, rrs
Obtained from: Netflix
Sponsored by: Netflix, Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D21277
2019-08-27 00:01:56 +00:00
|
|
|
#define TCP_TXTLS_ENABLE 39 /* TLS framing and encryption for transmit */
|
|
|
|
#define TCP_TXTLS_MODE 40 /* Transmit TLS mode */
|
2013-01-22 19:45:04 +00:00
|
|
|
#define TCP_CONGESTION 64 /* get/set congestion control algorithm */
|
2016-01-22 02:07:48 +00:00
|
|
|
#define TCP_CCALGOOPT 65 /* get/set cc algorithm specific options */
|
2018-06-07 18:18:13 +00:00
|
|
|
#define TCP_DELACK 72 /* socket option for delayed ack */
|
2013-01-22 19:45:04 +00:00
|
|
|
#define TCP_KEEPINIT 128 /* N, time to establish connection */
|
|
|
|
#define TCP_KEEPIDLE 256 /* L,N,X start keeplives after this period */
|
|
|
|
#define TCP_KEEPINTVL 512 /* L,N interval between keepalives */
|
|
|
|
#define TCP_KEEPCNT 1024 /* L,N number of keepalives before close */
|
2015-12-24 19:09:48 +00:00
|
|
|
#define TCP_FASTOPEN 1025 /* enable TFO / was created via TFO */
|
There are times when it would be really nice to have a record of the last few
packets and/or state transitions from each TCP socket. That would help with
narrowing down certain problems we see in the field that are hard to reproduce
without understanding the history of how we got into a certain state. This
change provides just that.
It saves copies of the last N packets in a list in the tcpcb. When the tcpcb is
destroyed, the list is freed. I thought this was likely to be more
performance-friendly than saving copies of the tcpcb. Plus, with the packets,
you should be able to reverse-engineer what happened to the tcpcb.
To enable the feature, you will need to compile a kernel with the TCPPCAP
option. Even then, the feature defaults to being deactivated. You can activate
it by setting a positive value for the number of captured packets. You can do
that on either a global basis or on a per-socket basis (via a setsockopt call).
There is no way to get the packets out of the kernel other than using kmem or
getting a coredump. I thought that would help some of the legal/privacy concerns
regarding such a feature. However, it should be possible to add a future effort
to export them in PCAP format.
I tested this at low scale, and found that there were no mbuf leaks and the peak
mbuf usage appeared to be unchanged with and without the feature.
The main performance concern I can envision is the number of mbufs that would be
used on systems with a large number of sockets. If you save five packets per
direction per socket and have 3,000 sockets, that will consume at least 30,000
mbufs just to keep these packets. I tried to reduce the concerns associated with
this by limiting the number of clusters (not mbufs) that could be used for this
feature. Again, in my testing, that appears to work correctly.
Differential Revision: D3100
Submitted by: Jonathan Looney <jlooney at juniper dot net>
Reviewed by: gnn, hiren
2015-10-14 00:35:37 +00:00
|
|
|
#define TCP_PCAP_OUT 2048 /* number of output packets to keep */
|
|
|
|
#define TCP_PCAP_IN 4096 /* number of input packets to keep */
|
2015-12-16 00:56:45 +00:00
|
|
|
#define TCP_FUNCTION_BLK 8192 /* Set the tcp function pointers to the specified stack */
|
2018-06-07 18:18:13 +00:00
|
|
|
/* Options for Rack and BBR */
|
|
|
|
#define TCP_RACK_PROP 1051 /* RACK proportional rate reduction (bool) */
|
|
|
|
#define TCP_RACK_TLP_REDUCE 1052 /* RACK TLP cwnd reduction (bool) */
|
|
|
|
#define TCP_RACK_PACE_REDUCE 1053 /* RACK Pacing reduction factor (divisor) */
|
|
|
|
#define TCP_RACK_PACE_MAX_SEG 1054 /* Max segments in a pace */
|
|
|
|
#define TCP_RACK_PACE_ALWAYS 1055 /* Use the always pace method */
|
|
|
|
#define TCP_RACK_PROP_RATE 1056 /* The proportional reduction rate */
|
|
|
|
#define TCP_RACK_PRR_SENDALOT 1057 /* Allow PRR to send more than one seg */
|
|
|
|
#define TCP_RACK_MIN_TO 1058 /* Minimum time between rack t-o's in ms */
|
|
|
|
#define TCP_RACK_EARLY_RECOV 1059 /* Should recovery happen early (bool) */
|
|
|
|
#define TCP_RACK_EARLY_SEG 1060 /* If early recovery max segments */
|
|
|
|
#define TCP_RACK_REORD_THRESH 1061 /* RACK reorder threshold (shift amount) */
|
|
|
|
#define TCP_RACK_REORD_FADE 1062 /* Does reordering fade after ms time */
|
|
|
|
#define TCP_RACK_TLP_THRESH 1063 /* RACK TLP theshold i.e. srtt+(srtt/N) */
|
|
|
|
#define TCP_RACK_PKT_DELAY 1064 /* RACK added ms i.e. rack-rtt + reord + N */
|
|
|
|
#define TCP_RACK_TLP_INC_VAR 1065 /* Does TLP include rtt variance in t-o */
|
|
|
|
#define TCP_BBR_IWINTSO 1067 /* Initial TSO window for BBRs first sends */
|
2019-07-10 20:40:39 +00:00
|
|
|
#define TCP_BBR_RECFORCE 1068 /* Enter recovery force out a segment disregard pacer no longer valid */
|
2018-06-07 18:18:13 +00:00
|
|
|
#define TCP_BBR_STARTUP_PG 1069 /* Startup pacing gain */
|
|
|
|
#define TCP_BBR_DRAIN_PG 1070 /* Drain pacing gain */
|
|
|
|
#define TCP_BBR_RWND_IS_APP 1071 /* Rwnd limited is considered app limited */
|
|
|
|
#define TCP_BBR_PROBE_RTT_INT 1072 /* How long in useconds between probe-rtt */
|
|
|
|
#define TCP_BBR_ONE_RETRAN 1073 /* Is only one segment allowed out during retran */
|
|
|
|
#define TCP_BBR_STARTUP_LOSS_EXIT 1074 /* Do we exit a loss during startup if not 20% incr */
|
|
|
|
#define TCP_BBR_USE_LOWGAIN 1075 /* lower the gain in PROBE_BW enable */
|
2019-07-10 20:40:39 +00:00
|
|
|
#define TCP_BBR_LOWGAIN_THRESH 1076 /* Unused after 2.3 morphs to TSLIMITS >= 2.3 */
|
|
|
|
#define TCP_BBR_TSLIMITS 1076 /* Do we use experimental Timestamp limiting for our algo */
|
|
|
|
#define TCP_BBR_LOWGAIN_HALF 1077 /* Unused after 2.3 */
|
|
|
|
#define TCP_BBR_PACE_OH 1077 /* Reused in 4.2 for pacing overhead setting */
|
|
|
|
#define TCP_BBR_LOWGAIN_FD 1078 /* Unused after 2.3 */
|
|
|
|
#define TCP_BBR_HOLD_TARGET 1078 /* For 4.3 on */
|
2018-06-07 18:18:13 +00:00
|
|
|
#define TCP_BBR_USEDEL_RATE 1079 /* Enable use of delivery rate for loss recovery */
|
|
|
|
#define TCP_BBR_MIN_RTO 1080 /* Min RTO in milliseconds */
|
|
|
|
#define TCP_BBR_MAX_RTO 1081 /* Max RTO in milliseconds */
|
|
|
|
#define TCP_BBR_REC_OVER_HPTS 1082 /* Recovery override htps settings 0/1/3 */
|
2019-07-10 20:40:39 +00:00
|
|
|
#define TCP_BBR_UNLIMITED 1083 /* Not used before 2.3 and morphs to algorithm >= 2.3 */
|
|
|
|
#define TCP_BBR_ALGORITHM 1083 /* What measurement algo does BBR use netflix=0, google=1 */
|
2018-06-07 18:18:13 +00:00
|
|
|
#define TCP_BBR_DRAIN_INC_EXTRA 1084 /* Does the 3/4 drain target include the extra gain */
|
|
|
|
#define TCP_BBR_STARTUP_EXIT_EPOCH 1085 /* what epoch gets us out of startup */
|
|
|
|
#define TCP_BBR_PACE_PER_SEC 1086
|
|
|
|
#define TCP_BBR_PACE_DEL_TAR 1087
|
|
|
|
#define TCP_BBR_PACE_SEG_MAX 1088
|
|
|
|
#define TCP_BBR_PACE_SEG_MIN 1089
|
|
|
|
#define TCP_BBR_PACE_CROSS 1090
|
|
|
|
#define TCP_RACK_IDLE_REDUCE_HIGH 1092 /* Reduce the highest cwnd seen to IW on idle */
|
|
|
|
#define TCP_RACK_MIN_PACE 1093 /* Do we enforce rack min pace time */
|
|
|
|
#define TCP_RACK_MIN_PACE_SEG 1094 /* If so what is the seg threshould */
|
2019-07-10 20:40:39 +00:00
|
|
|
#define TCP_RACK_GP_INCREASE 1094 /* After 4.1 its the GP increase */
|
2018-06-07 18:18:13 +00:00
|
|
|
#define TCP_RACK_TLP_USE 1095
|
|
|
|
#define TCP_BBR_ACK_COMP_ALG 1096 /* Not used */
|
2019-07-10 20:40:39 +00:00
|
|
|
#define TCP_BBR_TMR_PACE_OH 1096 /* Recycled in 4.2 */
|
2018-06-07 18:18:13 +00:00
|
|
|
#define TCP_BBR_EXTRA_GAIN 1097
|
|
|
|
#define TCP_BBR_RACK_RTT_USE 1098 /* what RTT should we use 0, 1, or 2? */
|
|
|
|
#define TCP_BBR_RETRAN_WTSO 1099
|
|
|
|
#define TCP_DATA_AFTER_CLOSE 1100
|
|
|
|
#define TCP_BBR_PROBE_RTT_GAIN 1101
|
|
|
|
#define TCP_BBR_PROBE_RTT_LEN 1102
|
2019-07-10 20:40:39 +00:00
|
|
|
#define TCP_BBR_SEND_IWND_IN_TSO 1103 /* Do we burst out whole iwin size chunks at start? */
|
|
|
|
#define TCP_BBR_USE_RACK_CHEAT 1104 /* Do we use the rack cheat for pacing rxt's */
|
|
|
|
#define TCP_BBR_HDWR_PACE 1105 /* Enable/disable hardware pacing */
|
|
|
|
#define TCP_BBR_UTTER_MAX_TSO 1106 /* Do we enforce an utter max TSO size */
|
|
|
|
#define TCP_BBR_EXTRA_STATE 1107 /* Special exit-persist catch up */
|
|
|
|
#define TCP_BBR_FLOOR_MIN_TSO 1108 /* The min tso size */
|
|
|
|
#define TCP_BBR_MIN_TOPACEOUT 1109 /* Do we suspend pacing until */
|
|
|
|
#define TCP_BBR_TSTMP_RAISES 1110 /* Can a timestamp measurement raise the b/w */
|
|
|
|
#define TCP_BBR_POLICER_DETECT 1111 /* Turn on/off google mode policer detection */
|
2018-06-07 18:18:13 +00:00
|
|
|
|
|
|
|
|
2013-02-01 15:32:20 +00:00
|
|
|
/* Start of reserved space for third-party user-settable options. */
|
|
|
|
#define TCP_VENDOR SO_VENDOR
|
|
|
|
|
2007-12-16 03:30:07 +00:00
|
|
|
#define TCP_CA_NAME_MAX 16 /* max congestion control name length */
|
2004-11-26 18:58:46 +00:00
|
|
|
|
|
|
|
#define TCPI_OPT_TIMESTAMPS 0x01
|
|
|
|
#define TCPI_OPT_SACK 0x02
|
|
|
|
#define TCPI_OPT_WSCALE 0x04
|
|
|
|
#define TCPI_OPT_ECN 0x08
|
2008-05-05 20:13:31 +00:00
|
|
|
#define TCPI_OPT_TOE 0x10
|
2004-11-26 18:58:46 +00:00
|
|
|
|
2018-03-22 09:40:08 +00:00
|
|
|
/* Maximum length of log ID. */
|
|
|
|
#define TCP_LOG_ID_LEN 64
|
|
|
|
|
2004-11-26 18:58:46 +00:00
|
|
|
/*
|
|
|
|
* The TCP_INFO socket option comes from the Linux 2.6 TCP API, and permits
|
|
|
|
* the caller to query certain information about the state of a TCP
|
|
|
|
* connection. We provide an overlapping set of fields with the Linux
|
|
|
|
* implementation, but since this is a fixed size structure, room has been
|
|
|
|
* left for growth. In order to maximize potential future compatibility with
|
|
|
|
* the Linux API, the same variable names and order have been adopted, and
|
|
|
|
* padding left to make room for omitted fields in case they are added later.
|
|
|
|
*
|
|
|
|
* XXX: This is currently an unstable ABI/API, in that it is expected to
|
|
|
|
* change.
|
|
|
|
*/
|
|
|
|
struct tcp_info {
|
|
|
|
u_int8_t tcpi_state; /* TCP FSM state. */
|
|
|
|
u_int8_t __tcpi_ca_state;
|
|
|
|
u_int8_t __tcpi_retransmits;
|
|
|
|
u_int8_t __tcpi_probes;
|
|
|
|
u_int8_t __tcpi_backoff;
|
|
|
|
u_int8_t tcpi_options; /* Options enabled on conn. */
|
|
|
|
u_int8_t tcpi_snd_wscale:4, /* RFC1323 send shift value. */
|
|
|
|
tcpi_rcv_wscale:4; /* RFC1323 recv shift value. */
|
|
|
|
|
2009-12-22 15:47:40 +00:00
|
|
|
u_int32_t tcpi_rto; /* Retransmission timeout (usec). */
|
2004-11-26 18:58:46 +00:00
|
|
|
u_int32_t __tcpi_ato;
|
2009-12-22 15:47:40 +00:00
|
|
|
u_int32_t tcpi_snd_mss; /* Max segment size for send. */
|
|
|
|
u_int32_t tcpi_rcv_mss; /* Max segment size for receive. */
|
2004-11-26 18:58:46 +00:00
|
|
|
|
|
|
|
u_int32_t __tcpi_unacked;
|
|
|
|
u_int32_t __tcpi_sacked;
|
|
|
|
u_int32_t __tcpi_lost;
|
|
|
|
u_int32_t __tcpi_retrans;
|
|
|
|
u_int32_t __tcpi_fackets;
|
|
|
|
|
|
|
|
/* Times; measurements in usecs. */
|
|
|
|
u_int32_t __tcpi_last_data_sent;
|
|
|
|
u_int32_t __tcpi_last_ack_sent; /* Also unimpl. on Linux? */
|
2009-12-22 15:47:40 +00:00
|
|
|
u_int32_t tcpi_last_data_recv; /* Time since last recv data. */
|
2004-11-26 18:58:46 +00:00
|
|
|
u_int32_t __tcpi_last_ack_recv;
|
|
|
|
|
|
|
|
/* Metrics; variable units. */
|
|
|
|
u_int32_t __tcpi_pmtu;
|
|
|
|
u_int32_t __tcpi_rcv_ssthresh;
|
2007-02-02 18:34:18 +00:00
|
|
|
u_int32_t tcpi_rtt; /* Smoothed RTT in usecs. */
|
|
|
|
u_int32_t tcpi_rttvar; /* RTT variance in usecs. */
|
2004-11-26 18:58:46 +00:00
|
|
|
u_int32_t tcpi_snd_ssthresh; /* Slow start threshold. */
|
|
|
|
u_int32_t tcpi_snd_cwnd; /* Send congestion window. */
|
|
|
|
u_int32_t __tcpi_advmss;
|
|
|
|
u_int32_t __tcpi_reordering;
|
|
|
|
|
|
|
|
u_int32_t __tcpi_rcv_rtt;
|
2004-11-27 20:20:11 +00:00
|
|
|
u_int32_t tcpi_rcv_space; /* Advertised recv window. */
|
2004-11-26 18:58:46 +00:00
|
|
|
|
|
|
|
/* FreeBSD extensions to tcp_info. */
|
|
|
|
u_int32_t tcpi_snd_wnd; /* Advertised send window. */
|
2010-09-16 21:06:45 +00:00
|
|
|
u_int32_t tcpi_snd_bwnd; /* No longer used. */
|
2008-05-05 20:13:31 +00:00
|
|
|
u_int32_t tcpi_snd_nxt; /* Next egress seqno */
|
|
|
|
u_int32_t tcpi_rcv_nxt; /* Next ingress seqno */
|
|
|
|
u_int32_t tcpi_toe_tid; /* HWTID for TOE endpoints */
|
2010-11-17 18:55:12 +00:00
|
|
|
u_int32_t tcpi_snd_rexmitpack; /* Retransmitted packets */
|
|
|
|
u_int32_t tcpi_rcv_ooopack; /* Out-of-order packets */
|
|
|
|
u_int32_t tcpi_snd_zerowin; /* Zero-sized windows sent */
|
2008-05-05 20:13:31 +00:00
|
|
|
|
2004-11-26 18:58:46 +00:00
|
|
|
/* Padding to grow without breaking ABI. */
|
2010-11-17 18:55:12 +00:00
|
|
|
u_int32_t __tcpi_pad[26]; /* Padding. */
|
2004-11-26 18:58:46 +00:00
|
|
|
};
|
2018-02-26 02:53:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If this structure is provided when setting the TCP_FASTOPEN socket
|
|
|
|
* option, and the enable member is non-zero, a subsequent connect will use
|
|
|
|
* pre-shared key (PSK) mode using the provided key.
|
|
|
|
*/
|
|
|
|
struct tcp_fastopen {
|
|
|
|
int enable;
|
|
|
|
uint8_t psk[TCP_FASTOPEN_PSK_LEN];
|
|
|
|
};
|
1994-08-21 05:27:42 +00:00
|
|
|
#endif
|
2015-12-16 00:56:45 +00:00
|
|
|
#define TCP_FUNCTION_NAME_LEN_MAX 32
|
|
|
|
|
|
|
|
struct tcp_function_set {
|
|
|
|
char function_set_name[TCP_FUNCTION_NAME_LEN_MAX];
|
|
|
|
uint32_t pcbcnt;
|
|
|
|
};
|
2002-10-02 04:19:47 +00:00
|
|
|
|
Add kernel-side support for in-kernel TLS.
KTLS adds support for in-kernel framing and encryption of Transport
Layer Security (1.0-1.2) data on TCP sockets. KTLS only supports
offload of TLS for transmitted data. Key negotation must still be
performed in userland. Once completed, transmit session keys for a
connection are provided to the kernel via a new TCP_TXTLS_ENABLE
socket option. All subsequent data transmitted on the socket is
placed into TLS frames and encrypted using the supplied keys.
Any data written to a KTLS-enabled socket via write(2), aio_write(2),
or sendfile(2) is assumed to be application data and is encoded in TLS
frames with an application data type. Individual records can be sent
with a custom type (e.g. handshake messages) via sendmsg(2) with a new
control message (TLS_SET_RECORD_TYPE) specifying the record type.
At present, rekeying is not supported though the in-kernel framework
should support rekeying.
KTLS makes use of the recently added unmapped mbufs to store TLS
frames in the socket buffer. Each TLS frame is described by a single
ext_pgs mbuf. The ext_pgs structure contains the header of the TLS
record (and trailer for encrypted records) as well as references to
the associated TLS session.
KTLS supports two primary methods of encrypting TLS frames: software
TLS and ifnet TLS.
Software TLS marks mbufs holding socket data as not ready via
M_NOTREADY similar to sendfile(2) when TLS framing information is
added to an unmapped mbuf in ktls_frame(). ktls_enqueue() is then
called to schedule TLS frames for encryption. In the case of
sendfile_iodone() calls ktls_enqueue() instead of pru_ready() leaving
the mbufs marked M_NOTREADY until encryption is completed. For other
writes (vn_sendfile when pages are available, write(2), etc.), the
PRUS_NOTREADY is set when invoking pru_send() along with invoking
ktls_enqueue().
A pool of worker threads (the "KTLS" kernel process) encrypts TLS
frames queued via ktls_enqueue(). Each TLS frame is temporarily
mapped using the direct map and passed to a software encryption
backend to perform the actual encryption.
(Note: The use of PHYS_TO_DMAP could be replaced with sf_bufs if
someone wished to make this work on architectures without a direct
map.)
KTLS supports pluggable software encryption backends. Internally,
Netflix uses proprietary pure-software backends. This commit includes
a simple backend in a new ktls_ocf.ko module that uses the kernel's
OpenCrypto framework to provide AES-GCM encryption of TLS frames. As
a result, software TLS is now a bit of a misnomer as it can make use
of hardware crypto accelerators.
Once software encryption has finished, the TLS frame mbufs are marked
ready via pru_ready(). At this point, the encrypted data appears as
regular payload to the TCP stack stored in unmapped mbufs.
ifnet TLS permits a NIC to offload the TLS encryption and TCP
segmentation. In this mode, a new send tag type (IF_SND_TAG_TYPE_TLS)
is allocated on the interface a socket is routed over and associated
with a TLS session. TLS records for a TLS session using ifnet TLS are
not marked M_NOTREADY but are passed down the stack unencrypted. The
ip_output_send() and ip6_output_send() helper functions that apply
send tags to outbound IP packets verify that the send tag of the TLS
record matches the outbound interface. If so, the packet is tagged
with the TLS send tag and sent to the interface. The NIC device
driver must recognize packets with the TLS send tag and schedule them
for TLS encryption and TCP segmentation. If the the outbound
interface does not match the interface in the TLS send tag, the packet
is dropped. In addition, a task is scheduled to refresh the TLS send
tag for the TLS session. If a new TLS send tag cannot be allocated,
the connection is dropped. If a new TLS send tag is allocated,
however, subsequent packets will be tagged with the correct TLS send
tag. (This latter case has been tested by configuring both ports of a
Chelsio T6 in a lagg and failing over from one port to another. As
the connections migrated to the new port, new TLS send tags were
allocated for the new port and connections resumed without being
dropped.)
ifnet TLS can be enabled and disabled on supported network interfaces
via new '[-]txtls[46]' options to ifconfig(8). ifnet TLS is supported
across both vlan devices and lagg interfaces using failover, lacp with
flowid enabled, or lacp with flowid enabled.
Applications may request the current KTLS mode of a connection via a
new TCP_TXTLS_MODE socket option. They can also use this socket
option to toggle between software and ifnet TLS modes.
In addition, a testing tool is available in tools/tools/switch_tls.
This is modeled on tcpdrop and uses similar syntax. However, instead
of dropping connections, -s is used to force KTLS connections to
switch to software TLS and -i is used to switch to ifnet TLS.
Various sysctls and counters are available under the kern.ipc.tls
sysctl node. The kern.ipc.tls.enable node must be set to true to
enable KTLS (it is off by default). The use of unmapped mbufs must
also be enabled via kern.ipc.mb_use_ext_pgs to enable KTLS.
KTLS is enabled via the KERN_TLS kernel option.
This patch is the culmination of years of work by several folks
including Scott Long and Randall Stewart for the original design and
implementation; Drew Gallatin for several optimizations including the
use of ext_pgs mbufs, the M_NOTREADY mechanism for TLS records
awaiting software encryption, and pluggable software crypto backends;
and John Baldwin for modifications to support hardware TLS offload.
Reviewed by: gallatin, hselasky, rrs
Obtained from: Netflix
Sponsored by: Netflix, Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D21277
2019-08-27 00:01:56 +00:00
|
|
|
/* TLS modes for TCP_TXTLS_MODE */
|
|
|
|
#define TCP_TLS_MODE_NONE 0
|
|
|
|
#define TCP_TLS_MODE_SW 1
|
|
|
|
#define TCP_TLS_MODE_IFNET 2
|
|
|
|
|
|
|
|
/*
|
|
|
|
* TCP Control message types
|
|
|
|
*/
|
|
|
|
#define TLS_SET_RECORD_TYPE 1
|
|
|
|
|
2002-10-02 04:19:47 +00:00
|
|
|
#endif /* !_NETINET_TCP_H_ */
|