2005-01-07 01:45:51 +00:00
|
|
|
/*-
|
1995-09-22 20:05:58 +00:00
|
|
|
* Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
|
1994-05-24 10:09:53 +00:00
|
|
|
* The Regents of the University of California. All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
1995-09-22 20:05:58 +00:00
|
|
|
* @(#)tcp_output.c 8.4 (Berkeley) 5/24/95
|
1999-08-28 01:08:13 +00:00
|
|
|
* $FreeBSD$
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#include "opt_inet.h"
|
2000-01-09 19:17:30 +00:00
|
|
|
#include "opt_inet6.h"
|
2000-01-15 14:56:38 +00:00
|
|
|
#include "opt_ipsec.h"
|
2002-07-31 19:06:49 +00:00
|
|
|
#include "opt_mac.h"
|
1997-09-16 18:36:06 +00:00
|
|
|
#include "opt_tcpdebug.h"
|
2004-06-23 21:04:37 +00:00
|
|
|
#include "opt_tcp_sack.h"
|
1997-09-16 18:36:06 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
2001-05-01 08:13:21 +00:00
|
|
|
#include <sys/domain.h>
|
1999-05-27 12:24:21 +00:00
|
|
|
#include <sys/kernel.h>
|
2001-05-01 08:13:21 +00:00
|
|
|
#include <sys/lock.h>
|
2002-07-31 19:06:49 +00:00
|
|
|
#include <sys/mac.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/mbuf.h>
|
2001-05-01 08:13:21 +00:00
|
|
|
#include <sys/mutex.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/protosw.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <sys/socketvar.h>
|
2001-05-01 08:13:21 +00:00
|
|
|
#include <sys/sysctl.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
#include <net/route.h>
|
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
#include <netinet/ip.h>
|
|
|
|
#include <netinet/in_pcb.h>
|
|
|
|
#include <netinet/ip_var.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
2000-07-04 16:35:15 +00:00
|
|
|
#include <netinet6/in6_pcb.h>
|
|
|
|
#include <netinet/ip6.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#include <netinet6/ip6_var.h>
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <netinet/tcp.h>
|
|
|
|
#define TCPOUTFLAGS
|
|
|
|
#include <netinet/tcp_fsm.h>
|
|
|
|
#include <netinet/tcp_seq.h>
|
|
|
|
#include <netinet/tcp_timer.h>
|
|
|
|
#include <netinet/tcp_var.h>
|
|
|
|
#include <netinet/tcpip.h>
|
1994-09-15 10:36:56 +00:00
|
|
|
#ifdef TCPDEBUG
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <netinet/tcp_debug.h>
|
1994-09-15 10:36:56 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2000-01-15 14:56:38 +00:00
|
|
|
#ifdef IPSEC
|
|
|
|
#include <netinet6/ipsec.h>
|
|
|
|
#endif /*IPSEC*/
|
|
|
|
|
2002-10-16 02:25:05 +00:00
|
|
|
#ifdef FAST_IPSEC
|
|
|
|
#include <netipsec/ipsec.h>
|
|
|
|
#define IPSEC
|
|
|
|
#endif /*FAST_IPSEC*/
|
|
|
|
|
2000-03-27 19:14:27 +00:00
|
|
|
#include <machine/in_cksum.h>
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#ifdef notyet
|
|
|
|
extern struct mbuf *m_copypack();
|
|
|
|
#endif
|
|
|
|
|
2002-06-14 03:08:05 +00:00
|
|
|
int path_mtu_discovery = 1;
|
1999-05-27 12:24:21 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
|
|
|
|
&path_mtu_discovery, 1, "Enable Path MTU Discovery");
|
|
|
|
|
1999-08-30 21:17:07 +00:00
|
|
|
int ss_fltsz = 1;
|
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, slowstart_flightsize, CTLFLAG_RW,
|
|
|
|
&ss_fltsz, 1, "Slow start flight size");
|
|
|
|
|
2001-12-14 18:26:52 +00:00
|
|
|
int ss_fltsz_local = 4;
|
1999-08-30 21:17:07 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, local_slowstart_flightsize, CTLFLAG_RW,
|
|
|
|
&ss_fltsz_local, 1, "Slow start flight size for local networks");
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2000-07-12 22:00:46 +00:00
|
|
|
int tcp_do_newreno = 1;
|
2000-05-06 03:31:09 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, newreno, CTLFLAG_RW, &tcp_do_newreno,
|
2004-08-16 18:32:07 +00:00
|
|
|
0, "Enable NewReno Algorithms");
|
2003-01-18 19:03:26 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Tcp output routine: figure out what should be sent and send it.
|
|
|
|
*/
|
|
|
|
int
|
2002-06-23 21:25:36 +00:00
|
|
|
tcp_output(struct tcpcb *tp)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2002-06-23 21:25:36 +00:00
|
|
|
struct socket *so = tp->t_inpcb->inp_socket;
|
2004-01-22 23:22:14 +00:00
|
|
|
long len, recwin, sendwin;
|
1994-05-24 10:09:53 +00:00
|
|
|
int off, flags, error;
|
2004-02-11 09:46:54 +00:00
|
|
|
#ifdef TCP_SIGNATURE
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
int sigoff = 0;
|
2004-02-13 18:21:45 +00:00
|
|
|
#endif
|
2002-06-23 21:25:36 +00:00
|
|
|
struct mbuf *m;
|
2000-01-09 19:17:30 +00:00
|
|
|
struct ip *ip = NULL;
|
2002-06-23 21:25:36 +00:00
|
|
|
struct ipovly *ipov = NULL;
|
|
|
|
struct tcphdr *th;
|
1995-02-09 23:13:27 +00:00
|
|
|
u_char opt[TCP_MAXOLEN];
|
1998-05-24 18:41:04 +00:00
|
|
|
unsigned ipoptlen, optlen, hdrlen;
|
1994-05-24 10:09:53 +00:00
|
|
|
int idle, sendalot;
|
2004-06-23 21:04:37 +00:00
|
|
|
int i, sack_rxmit;
|
2004-10-05 18:36:24 +00:00
|
|
|
int sack_bytes_rxmt;
|
2004-06-23 21:04:37 +00:00
|
|
|
struct sackhole *p;
|
2001-12-02 08:49:29 +00:00
|
|
|
#if 0
|
2000-05-06 03:31:09 +00:00
|
|
|
int maxburst = TCP_MAXBURST;
|
2001-12-02 08:49:29 +00:00
|
|
|
#endif
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
2002-06-23 21:25:36 +00:00
|
|
|
struct ip6_hdr *ip6 = NULL;
|
2000-01-09 19:17:30 +00:00
|
|
|
int isipv6;
|
|
|
|
|
|
|
|
isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0;
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2003-11-08 22:55:52 +00:00
|
|
|
INP_LOCK_ASSERT(tp->t_inpcb);
|
2002-08-12 03:22:46 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Determine length of data that should be transmitted,
|
|
|
|
* and flags that will be used.
|
|
|
|
* If there is some data or critical controls (SYN, RST)
|
|
|
|
* to send, then transmit; otherwise, investigate further.
|
|
|
|
*/
|
2001-10-05 21:33:38 +00:00
|
|
|
idle = (tp->t_flags & TF_LASTIDLE) || (tp->snd_max == tp->snd_una);
|
1999-08-30 21:17:07 +00:00
|
|
|
if (idle && (ticks - tp->t_rcvtime) >= tp->t_rxtcur) {
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* We have been idle for "a while" and no acks are
|
|
|
|
* expected to clock out any data we send --
|
|
|
|
* slow start to get ack "clock" running again.
|
2004-08-16 18:32:07 +00:00
|
|
|
*
|
1999-08-30 21:17:07 +00:00
|
|
|
* Set the slow-start flight size depending on whether
|
|
|
|
* this is a local network or not.
|
2004-08-16 18:32:07 +00:00
|
|
|
*/
|
2002-06-23 21:25:36 +00:00
|
|
|
int ss = ss_fltsz;
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
2002-06-23 21:25:36 +00:00
|
|
|
if (isipv6) {
|
|
|
|
if (in6_localaddr(&tp->t_inpcb->in6p_faddr))
|
|
|
|
ss = ss_fltsz_local;
|
|
|
|
} else
|
|
|
|
#endif /* INET6 */
|
|
|
|
if (in_localaddr(tp->t_inpcb->inp_faddr))
|
|
|
|
ss = ss_fltsz_local;
|
|
|
|
tp->snd_cwnd = tp->t_maxseg * ss;
|
1999-08-30 21:17:07 +00:00
|
|
|
}
|
2001-10-05 21:33:38 +00:00
|
|
|
tp->t_flags &= ~TF_LASTIDLE;
|
|
|
|
if (idle) {
|
|
|
|
if (tp->t_flags & TF_MORETOCOME) {
|
|
|
|
tp->t_flags |= TF_LASTIDLE;
|
|
|
|
idle = 0;
|
|
|
|
}
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
again:
|
2004-06-23 21:04:37 +00:00
|
|
|
/*
|
|
|
|
* If we've recently taken a timeout, snd_max will be greater than
|
|
|
|
* snd_nxt. There may be SACK information that allows us to avoid
|
|
|
|
* resending already delivered data. Adjust snd_nxt accordingly.
|
|
|
|
*/
|
|
|
|
if (tp->sack_enable && SEQ_LT(tp->snd_nxt, tp->snd_max))
|
|
|
|
tcp_sack_adjust(tp);
|
1994-05-24 10:09:53 +00:00
|
|
|
sendalot = 0;
|
|
|
|
off = tp->snd_nxt - tp->snd_una;
|
2004-01-22 23:22:14 +00:00
|
|
|
sendwin = min(tp->snd_wnd, tp->snd_cwnd);
|
|
|
|
sendwin = min(sendwin, tp->snd_bwnd);
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
flags = tcp_outflags[tp->t_state];
|
2004-06-23 21:04:37 +00:00
|
|
|
/*
|
|
|
|
* Send any SACK-generated retransmissions. If we're explicitly trying
|
|
|
|
* to send out new data (when sendalot is 1), bypass this function.
|
|
|
|
* If we retransmit in fast recovery mode, decrement snd_cwnd, since
|
|
|
|
* we're replacing a (future) new transmission with a retransmission
|
|
|
|
* now, and we previously incremented snd_cwnd in tcp_input().
|
|
|
|
*/
|
2004-08-16 18:32:07 +00:00
|
|
|
/*
|
2004-06-23 21:04:37 +00:00
|
|
|
* Still in sack recovery , reset rxmit flag to zero.
|
|
|
|
*/
|
|
|
|
sack_rxmit = 0;
|
2004-10-05 18:36:24 +00:00
|
|
|
sack_bytes_rxmt = 0;
|
2004-06-23 21:04:37 +00:00
|
|
|
len = 0;
|
|
|
|
p = NULL;
|
2004-07-19 22:37:33 +00:00
|
|
|
if (tp->sack_enable && IN_FASTRECOVERY(tp) &&
|
2004-10-05 18:36:24 +00:00
|
|
|
(p = tcp_sack_output(tp, &sack_bytes_rxmt))) {
|
|
|
|
long cwin;
|
|
|
|
|
|
|
|
cwin = min(tp->snd_wnd, tp->snd_cwnd) - sack_bytes_rxmt;
|
|
|
|
if (cwin < 0)
|
|
|
|
cwin = 0;
|
2004-07-19 22:06:01 +00:00
|
|
|
/* Do not retransmit SACK segments beyond snd_recover */
|
|
|
|
if (SEQ_GT(p->end, tp->snd_recover)) {
|
|
|
|
/*
|
2004-08-16 18:32:07 +00:00
|
|
|
* (At least) part of sack hole extends beyond
|
|
|
|
* snd_recover. Check to see if we can rexmit data
|
2004-07-19 22:06:01 +00:00
|
|
|
* for this hole.
|
|
|
|
*/
|
|
|
|
if (SEQ_GEQ(p->rxmit, tp->snd_recover)) {
|
2004-08-16 18:32:07 +00:00
|
|
|
/*
|
2004-07-19 22:06:01 +00:00
|
|
|
* Can't rexmit any more data for this hole.
|
2004-08-16 18:32:07 +00:00
|
|
|
* That data will be rexmitted in the next
|
|
|
|
* sack recovery episode, when snd_recover
|
2004-07-19 22:06:01 +00:00
|
|
|
* moves past p->rxmit.
|
|
|
|
*/
|
|
|
|
p = NULL;
|
|
|
|
goto after_sack_rexmit;
|
|
|
|
} else
|
|
|
|
/* Can rexmit part of the current hole */
|
2004-10-05 18:36:24 +00:00
|
|
|
len = ((long)ulmin(cwin,
|
|
|
|
tp->snd_recover - p->rxmit));
|
2004-07-19 22:06:01 +00:00
|
|
|
} else
|
2004-10-05 18:36:24 +00:00
|
|
|
len = ((long)ulmin(cwin, p->end - p->rxmit));
|
2004-06-23 21:04:37 +00:00
|
|
|
off = p->rxmit - tp->snd_una;
|
2004-08-16 18:32:07 +00:00
|
|
|
KASSERT(off >= 0,("%s: sack block to the left of una : %d",
|
2004-07-19 22:06:01 +00:00
|
|
|
__func__, off));
|
2004-06-23 21:04:37 +00:00
|
|
|
if (len > 0) {
|
2004-10-30 12:02:50 +00:00
|
|
|
sack_rxmit = 1;
|
|
|
|
sendalot = 1;
|
2004-06-23 21:04:37 +00:00
|
|
|
tcpstat.tcps_sack_rexmits++;
|
2004-08-16 18:32:07 +00:00
|
|
|
tcpstat.tcps_sack_rexmit_bytes +=
|
2004-07-19 22:06:01 +00:00
|
|
|
min(len, tp->t_maxseg);
|
2004-06-23 21:04:37 +00:00
|
|
|
}
|
|
|
|
}
|
2004-07-19 22:06:01 +00:00
|
|
|
after_sack_rexmit:
|
1995-02-09 23:13:27 +00:00
|
|
|
/*
|
|
|
|
* Get standard flags, and add SYN or FIN if requested by 'hidden'
|
|
|
|
* state flags.
|
|
|
|
*/
|
|
|
|
if (tp->t_flags & TF_NEEDFIN)
|
|
|
|
flags |= TH_FIN;
|
|
|
|
if (tp->t_flags & TF_NEEDSYN)
|
|
|
|
flags |= TH_SYN;
|
|
|
|
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_LOCK(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* If in persist timeout with window of 0, send 1 byte.
|
|
|
|
* Otherwise, if window is small but nonzero
|
|
|
|
* and timer expired, we will send what we can
|
|
|
|
* and go to transmit state.
|
|
|
|
*/
|
|
|
|
if (tp->t_force) {
|
2004-01-22 23:22:14 +00:00
|
|
|
if (sendwin == 0) {
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* If we still have some data to send, then
|
|
|
|
* clear the FIN bit. Usually this would
|
|
|
|
* happen below when it realizes that we
|
|
|
|
* aren't sending all the data. However,
|
1999-04-07 22:22:06 +00:00
|
|
|
* if we have exactly 1 byte of unsent data,
|
1994-05-24 10:09:53 +00:00
|
|
|
* then it won't clear the FIN bit below,
|
|
|
|
* and if we are in persist state, we wind
|
|
|
|
* up sending the packet without recording
|
|
|
|
* that we sent the FIN bit.
|
|
|
|
*
|
|
|
|
* We can't just blindly clear the FIN bit,
|
|
|
|
* because if we don't have any more data
|
|
|
|
* to send then the probe will be the FIN
|
|
|
|
* itself.
|
|
|
|
*/
|
|
|
|
if (off < so->so_snd.sb_cc)
|
|
|
|
flags &= ~TH_FIN;
|
2004-01-22 23:22:14 +00:00
|
|
|
sendwin = 1;
|
1994-05-24 10:09:53 +00:00
|
|
|
} else {
|
1999-08-30 21:17:07 +00:00
|
|
|
callout_stop(tp->tt_persist);
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->t_rxtshift = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2002-10-10 19:21:50 +00:00
|
|
|
/*
|
2004-08-16 18:32:07 +00:00
|
|
|
* If snd_nxt == snd_max and we have transmitted a FIN, the
|
2002-10-10 19:21:50 +00:00
|
|
|
* offset will be > 0 even if so_snd.sb_cc is 0, resulting in
|
2004-01-22 23:22:14 +00:00
|
|
|
* a negative length. This can also occur when TCP opens up
|
2002-10-10 19:21:50 +00:00
|
|
|
* its congestion window while receiving additional duplicate
|
|
|
|
* acks after fast-retransmit because TCP will reset snd_nxt
|
|
|
|
* to snd_max after the fast-retransmit.
|
|
|
|
*
|
|
|
|
* In the normal retransmit-FIN-only case, however, snd_nxt will
|
|
|
|
* be set to snd_una, the offset will be 0, and the length may
|
|
|
|
* wind up 0.
|
2004-08-16 18:32:07 +00:00
|
|
|
*
|
2004-06-23 21:04:37 +00:00
|
|
|
* If sack_rxmit is true we are retransmitting from the scoreboard
|
2004-08-16 18:32:07 +00:00
|
|
|
* in which case len is already set.
|
2002-10-10 19:21:50 +00:00
|
|
|
*/
|
2004-10-05 18:36:24 +00:00
|
|
|
if (sack_rxmit == 0) {
|
|
|
|
if (sack_bytes_rxmt == 0)
|
|
|
|
len = ((long)ulmin(so->so_snd.sb_cc, sendwin) - off);
|
|
|
|
else {
|
|
|
|
long cwin;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We are inside of a SACK recovery episode and are
|
|
|
|
* sending new data, having retransmitted all the
|
|
|
|
* data possible in the scoreboard.
|
|
|
|
*/
|
2004-11-29 18:47:27 +00:00
|
|
|
len = ((long)ulmin(so->so_snd.sb_cc, tp->snd_wnd)
|
|
|
|
- off);
|
2005-01-12 21:40:51 +00:00
|
|
|
/*
|
|
|
|
* Don't remove this (len > 0) check !
|
|
|
|
* We explicitly check for len > 0 here (although it
|
|
|
|
* isn't really necessary), to work around a gcc
|
|
|
|
* optimization issue - to force gcc to compute
|
|
|
|
* len above. Without this check, the computation
|
|
|
|
* of len is bungled by the optimizer.
|
|
|
|
*/
|
|
|
|
if (len > 0) {
|
|
|
|
cwin = tp->snd_cwnd -
|
|
|
|
(tp->snd_nxt - tp->sack_newdata) -
|
|
|
|
sack_bytes_rxmt;
|
|
|
|
if (cwin < 0)
|
|
|
|
cwin = 0;
|
|
|
|
len = lmin(len, cwin);
|
|
|
|
}
|
2004-10-05 18:36:24 +00:00
|
|
|
}
|
|
|
|
}
|
1995-02-09 23:13:27 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Lop off SYN bit if it has already been sent. However, if this
|
|
|
|
* is SYN-SENT state and if segment contains data and if we don't
|
|
|
|
* know that foreign host supports TAO, suppress sending segment.
|
|
|
|
*/
|
|
|
|
if ((flags & TH_SYN) && SEQ_GT(tp->snd_nxt, tp->snd_una)) {
|
|
|
|
flags &= ~TH_SYN;
|
|
|
|
off--, len++;
|
|
|
|
}
|
|
|
|
|
1996-01-17 09:35:23 +00:00
|
|
|
/*
|
2004-11-02 22:22:22 +00:00
|
|
|
* Be careful not to send data and/or FIN on SYN segments.
|
1996-01-17 09:35:23 +00:00
|
|
|
* This measure is needed to prevent interoperability problems
|
|
|
|
* with not fully conformant TCP implementations.
|
|
|
|
*/
|
2004-11-02 22:22:22 +00:00
|
|
|
if ((flags & TH_SYN) && (tp->t_flags & TF_NOOPT)) {
|
1996-01-17 09:35:23 +00:00
|
|
|
len = 0;
|
|
|
|
flags &= ~TH_FIN;
|
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
if (len < 0) {
|
|
|
|
/*
|
|
|
|
* If FIN has been sent but not acked,
|
|
|
|
* but we haven't been called to retransmit,
|
2002-10-10 19:21:50 +00:00
|
|
|
* len will be < 0. Otherwise, window shrank
|
1994-05-24 10:09:53 +00:00
|
|
|
* after we sent into it. If window shrank to 0,
|
1996-04-15 03:46:33 +00:00
|
|
|
* cancel pending retransmit, pull snd_nxt back
|
|
|
|
* to (closed) window, and set the persist timer
|
|
|
|
* if it isn't already going. If the window didn't
|
|
|
|
* close completely, just wait for an ACK.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
len = 0;
|
2004-01-22 23:22:14 +00:00
|
|
|
if (sendwin == 0) {
|
1999-08-30 21:17:07 +00:00
|
|
|
callout_stop(tp->tt_rexmt);
|
1996-04-15 03:46:33 +00:00
|
|
|
tp->t_rxtshift = 0;
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->snd_nxt = tp->snd_una;
|
1999-08-30 21:17:07 +00:00
|
|
|
if (!callout_active(tp->tt_persist))
|
1996-04-15 03:46:33 +00:00
|
|
|
tcp_setpersist(tp);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
}
|
2002-10-10 19:21:50 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* len will be >= 0 after this point. Truncate to the maximum
|
|
|
|
* segment length and ensure that FIN is removed if the length
|
|
|
|
* no longer contains the last data byte.
|
|
|
|
*/
|
1994-05-24 10:09:53 +00:00
|
|
|
if (len > tp->t_maxseg) {
|
|
|
|
len = tp->t_maxseg;
|
|
|
|
sendalot = 1;
|
|
|
|
}
|
2004-07-28 02:15:14 +00:00
|
|
|
if (sack_rxmit) {
|
|
|
|
if (SEQ_LT(p->rxmit + len, tp->snd_una + so->so_snd.sb_cc))
|
|
|
|
flags &= ~TH_FIN;
|
2004-08-16 18:32:07 +00:00
|
|
|
} else {
|
2004-07-28 02:15:14 +00:00
|
|
|
if (SEQ_LT(tp->snd_nxt + len, tp->snd_una + so->so_snd.sb_cc))
|
|
|
|
flags &= ~TH_FIN;
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2004-01-22 23:22:14 +00:00
|
|
|
recwin = sbspace(&so->so_rcv);
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
/*
|
2001-12-02 08:49:29 +00:00
|
|
|
* Sender silly window avoidance. We transmit under the following
|
|
|
|
* conditions when len is non-zero:
|
|
|
|
*
|
2001-12-13 04:02:31 +00:00
|
|
|
* - We have a full segment
|
|
|
|
* - This is the last buffer in a write()/send() and we are
|
|
|
|
* either idle or running NODELAY
|
|
|
|
* - we've timed out (e.g. persist timer)
|
|
|
|
* - we have more then 1/2 the maximum send window's worth of
|
|
|
|
* data (receiver may be limited the window size)
|
|
|
|
* - we need to retransmit
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
if (len) {
|
|
|
|
if (len == tp->t_maxseg)
|
|
|
|
goto send;
|
2001-12-02 08:49:29 +00:00
|
|
|
/*
|
|
|
|
* NOTE! on localhost connections an 'ack' from the remote
|
|
|
|
* end may occur synchronously with the output and cause
|
|
|
|
* us to flush a buffer queued with moretocome. XXX
|
|
|
|
*
|
|
|
|
* note: the len + off check is almost certainly unnecessary.
|
|
|
|
*/
|
2001-12-13 04:02:31 +00:00
|
|
|
if (!(tp->t_flags & TF_MORETOCOME) && /* normal case */
|
2001-12-02 08:49:29 +00:00
|
|
|
(idle || (tp->t_flags & TF_NODELAY)) &&
|
|
|
|
len + off >= so->so_snd.sb_cc &&
|
|
|
|
(tp->t_flags & TF_NOPUSH) == 0) {
|
1994-05-24 10:09:53 +00:00
|
|
|
goto send;
|
2001-12-02 08:49:29 +00:00
|
|
|
}
|
|
|
|
if (tp->t_force) /* typ. timeout case */
|
1994-05-24 10:09:53 +00:00
|
|
|
goto send;
|
1995-02-09 23:13:27 +00:00
|
|
|
if (len >= tp->max_sndwnd / 2 && tp->max_sndwnd > 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
goto send;
|
2001-12-02 08:49:29 +00:00
|
|
|
if (SEQ_LT(tp->snd_nxt, tp->snd_max)) /* retransmit case */
|
1994-05-24 10:09:53 +00:00
|
|
|
goto send;
|
2004-06-23 21:04:37 +00:00
|
|
|
if (sack_rxmit)
|
|
|
|
goto send;
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Compare available window to amount of window
|
|
|
|
* known to peer (as advertised window less
|
|
|
|
* next expected input). If the difference is at least two
|
|
|
|
* max size segments, or at least 50% of the maximum possible
|
|
|
|
* window, then want to send a window update to peer.
|
2003-02-19 21:18:23 +00:00
|
|
|
* Skip this if the connection is in T/TCP half-open state.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2004-01-22 23:22:14 +00:00
|
|
|
if (recwin > 0 && !(tp->t_flags & TF_NEEDSYN)) {
|
1995-05-30 08:16:23 +00:00
|
|
|
/*
|
1994-05-24 10:09:53 +00:00
|
|
|
* "adv" is the amount we can increase the window,
|
|
|
|
* taking into account that we are limited by
|
|
|
|
* TCP_MAXWIN << tp->rcv_scale.
|
|
|
|
*/
|
2004-01-22 23:22:14 +00:00
|
|
|
long adv = min(recwin, (long)TCP_MAXWIN << tp->rcv_scale) -
|
1994-05-24 10:09:53 +00:00
|
|
|
(tp->rcv_adv - tp->rcv_nxt);
|
|
|
|
|
|
|
|
if (adv >= (long) (2 * tp->t_maxseg))
|
|
|
|
goto send;
|
|
|
|
if (2 * adv >= (long) so->so_rcv.sb_hiwat)
|
|
|
|
goto send;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2002-10-10 19:21:50 +00:00
|
|
|
* Send if we owe the peer an ACK, RST, SYN, or urgent data. ACKNOW
|
|
|
|
* is also a catch-all for the retransmit timer timeout case.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
if (tp->t_flags & TF_ACKNOW)
|
|
|
|
goto send;
|
1995-02-09 23:13:27 +00:00
|
|
|
if ((flags & TH_RST) ||
|
|
|
|
((flags & TH_SYN) && (tp->t_flags & TF_NEEDSYN) == 0))
|
1994-05-24 10:09:53 +00:00
|
|
|
goto send;
|
|
|
|
if (SEQ_GT(tp->snd_up, tp->snd_una))
|
|
|
|
goto send;
|
|
|
|
/*
|
|
|
|
* If our state indicates that FIN should be sent
|
2002-10-10 19:21:50 +00:00
|
|
|
* and we have not yet done so, then we need to send.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
if (flags & TH_FIN &&
|
|
|
|
((tp->t_flags & TF_SENTFIN) == 0 || tp->snd_nxt == tp->snd_una))
|
|
|
|
goto send;
|
2004-06-23 21:04:37 +00:00
|
|
|
/*
|
|
|
|
* In SACK, it is possible for tcp_output to fail to send a segment
|
|
|
|
* after the retransmission timer has been turned off. Make sure
|
|
|
|
* that the retransmission timer is set.
|
|
|
|
*/
|
|
|
|
if (tp->sack_enable && SEQ_GT(tp->snd_max, tp->snd_una) &&
|
2004-08-16 18:32:07 +00:00
|
|
|
!callout_active(tp->tt_rexmt) &&
|
2004-06-23 21:04:37 +00:00
|
|
|
!callout_active(tp->tt_persist)) {
|
|
|
|
callout_reset(tp->tt_rexmt, tp->t_rxtcur,
|
|
|
|
tcp_timer_rexmt, tp);
|
2004-10-09 16:48:51 +00:00
|
|
|
goto just_return;
|
2004-08-16 18:32:07 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* TCP window updates are not reliable, rather a polling protocol
|
|
|
|
* using ``persist'' packets is used to insure receipt of window
|
|
|
|
* updates. The three ``states'' for the output side are:
|
|
|
|
* idle not doing retransmits or persists
|
|
|
|
* persisting to move a small or zero window
|
|
|
|
* (re)transmitting and thereby not persisting
|
|
|
|
*
|
1999-08-30 21:17:07 +00:00
|
|
|
* callout_active(tp->tt_persist)
|
|
|
|
* is true when we are in persist state.
|
1994-05-24 10:09:53 +00:00
|
|
|
* tp->t_force
|
|
|
|
* is set when we are called to send a persist packet.
|
1999-08-30 21:17:07 +00:00
|
|
|
* callout_active(tp->tt_rexmt)
|
1994-05-24 10:09:53 +00:00
|
|
|
* is set when we are retransmitting
|
|
|
|
* The output side is idle when both timers are zero.
|
|
|
|
*
|
|
|
|
* If send window is too small, there is data to transmit, and no
|
|
|
|
* retransmit or persist is pending, then go to persist state.
|
|
|
|
* If nothing happens soon, send when timer expires:
|
|
|
|
* if window is nonzero, transmit what we can,
|
|
|
|
* otherwise force out a byte.
|
|
|
|
*/
|
1999-08-30 21:17:07 +00:00
|
|
|
if (so->so_snd.sb_cc && !callout_active(tp->tt_rexmt) &&
|
|
|
|
!callout_active(tp->tt_persist)) {
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->t_rxtshift = 0;
|
|
|
|
tcp_setpersist(tp);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* No reason to send a segment, just return.
|
|
|
|
*/
|
2004-10-09 16:48:51 +00:00
|
|
|
just_return:
|
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
return (0);
|
|
|
|
|
|
|
|
send:
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_LOCK_ASSERT(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Before ESTABLISHED, force sending of initial options
|
|
|
|
* unless TCP set not to do any options.
|
|
|
|
* NOTE: we assume that the IP/TCP header plus TCP options
|
|
|
|
* always fit in a single mbuf, leaving room for a maximum
|
|
|
|
* link header, i.e.
|
2001-06-11 12:39:29 +00:00
|
|
|
* max_linkhdr + sizeof (struct tcpiphdr) + optlen <= MCLBYTES
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
optlen = 0;
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
if (isipv6)
|
|
|
|
hdrlen = sizeof (struct ip6_hdr) + sizeof (struct tcphdr);
|
|
|
|
else
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
hdrlen = sizeof (struct tcpiphdr);
|
|
|
|
if (flags & TH_SYN) {
|
|
|
|
tp->snd_nxt = tp->iss;
|
|
|
|
if ((tp->t_flags & TF_NOOPT) == 0) {
|
|
|
|
u_short mss;
|
|
|
|
|
|
|
|
opt[0] = TCPOPT_MAXSEG;
|
1995-02-09 23:13:27 +00:00
|
|
|
opt[1] = TCPOLEN_MAXSEG;
|
2003-11-20 20:07:39 +00:00
|
|
|
mss = htons((u_short) tcp_mssopt(&tp->t_inpcb->inp_inc));
|
1995-05-09 13:35:48 +00:00
|
|
|
(void)memcpy(opt + 2, &mss, sizeof(mss));
|
1995-02-09 23:13:27 +00:00
|
|
|
optlen = TCPOLEN_MAXSEG;
|
1995-05-30 08:16:23 +00:00
|
|
|
|
2004-08-16 18:32:07 +00:00
|
|
|
/*
|
|
|
|
* If this is the first SYN of connection (not a SYN
|
|
|
|
* ACK), include SACK_PERMIT_HDR option. If this is a
|
|
|
|
* SYN ACK, include SACK_PERMIT_HDR option if peer has
|
|
|
|
* already done so. This is only for active connect,
|
2004-06-23 21:04:37 +00:00
|
|
|
* since the syncache takes care of the passive connect.
|
2004-08-16 18:32:07 +00:00
|
|
|
*/
|
|
|
|
if (tp->sack_enable && ((flags & TH_ACK) == 0 ||
|
2004-06-23 21:04:37 +00:00
|
|
|
(tp->t_flags & TF_SACK_PERMIT))) {
|
2004-08-16 18:32:07 +00:00
|
|
|
*((u_int32_t *) (opt + optlen)) =
|
2004-06-23 21:04:37 +00:00
|
|
|
htonl(TCPOPT_SACK_PERMIT_HDR);
|
2004-08-16 18:32:07 +00:00
|
|
|
optlen += 4;
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
if ((tp->t_flags & TF_REQ_SCALE) &&
|
|
|
|
((flags & TH_ACK) == 0 ||
|
|
|
|
(tp->t_flags & TF_RCVD_SCALE))) {
|
1998-07-13 11:53:59 +00:00
|
|
|
*((u_int32_t *)(opt + optlen)) = htonl(
|
1994-05-24 10:09:53 +00:00
|
|
|
TCPOPT_NOP << 24 |
|
|
|
|
TCPOPT_WINDOW << 16 |
|
|
|
|
TCPOLEN_WINDOW << 8 |
|
|
|
|
tp->request_r_scale);
|
|
|
|
optlen += 4;
|
|
|
|
}
|
|
|
|
}
|
2004-08-16 18:32:07 +00:00
|
|
|
}
|
1995-05-30 08:16:23 +00:00
|
|
|
|
2004-08-16 18:32:07 +00:00
|
|
|
/*
|
1995-05-30 08:16:23 +00:00
|
|
|
* Send a timestamp and echo-reply if this is a SYN and our side
|
1994-05-24 10:09:53 +00:00
|
|
|
* wants to use timestamps (TF_REQ_TSTMP is set) or both our side
|
|
|
|
* and our peer have sent timestamps in our SYN's.
|
2004-08-16 18:32:07 +00:00
|
|
|
*/
|
|
|
|
if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP &&
|
|
|
|
(flags & TH_RST) == 0 &&
|
1995-02-09 23:13:27 +00:00
|
|
|
((flags & TH_ACK) == 0 ||
|
1994-05-24 10:09:53 +00:00
|
|
|
(tp->t_flags & TF_RCVD_TSTMP))) {
|
1998-07-13 11:53:59 +00:00
|
|
|
u_int32_t *lp = (u_int32_t *)(opt + optlen);
|
1995-05-30 08:16:23 +00:00
|
|
|
|
2004-08-16 18:32:07 +00:00
|
|
|
/* Form timestamp option as shown in appendix A of RFC 1323. */
|
|
|
|
*lp++ = htonl(TCPOPT_TSTAMP_HDR);
|
|
|
|
*lp++ = htonl(ticks);
|
|
|
|
*lp = htonl(tp->ts_recent);
|
|
|
|
optlen += TCPOLEN_TSTAMP_APPA;
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2004-06-23 21:04:37 +00:00
|
|
|
/*
|
|
|
|
* Send SACKs if necessary. This should be the last option processed.
|
|
|
|
* Only as many SACKs are sent as are permitted by the maximum options
|
|
|
|
* size. No more than three SACKs are sent.
|
|
|
|
*/
|
|
|
|
if (tp->sack_enable && tp->t_state == TCPS_ESTABLISHED &&
|
|
|
|
(tp->t_flags & (TF_SACK_PERMIT|TF_NOOPT)) == TF_SACK_PERMIT &&
|
|
|
|
tp->rcv_numsacks) {
|
|
|
|
u_int32_t *lp = (u_int32_t *)(opt + optlen);
|
|
|
|
u_int32_t *olp = lp++;
|
|
|
|
int count = 0; /* actual number of SACKs inserted */
|
|
|
|
int maxsack = (MAX_TCPOPTLEN - (optlen + 4))/TCPOLEN_SACK;
|
|
|
|
|
|
|
|
tcpstat.tcps_sack_send_blocks++;
|
|
|
|
maxsack = min(maxsack, TCP_MAX_SACK);
|
|
|
|
for (i = 0; (i < tp->rcv_numsacks && count < maxsack); i++) {
|
|
|
|
struct sackblk sack = tp->sackblks[i];
|
|
|
|
if (sack.start == 0 && sack.end == 0)
|
|
|
|
continue;
|
|
|
|
*lp++ = htonl(sack.start);
|
|
|
|
*lp++ = htonl(sack.end);
|
|
|
|
count++;
|
|
|
|
}
|
|
|
|
*olp = htonl(TCPOPT_SACK_HDR|(TCPOLEN_SACK*count+2));
|
|
|
|
optlen += TCPOLEN_SACK*count + 4; /* including leading NOPs */
|
|
|
|
}
|
1995-02-09 23:13:27 +00:00
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#ifdef TCP_SIGNATURE
|
|
|
|
#ifdef INET6
|
|
|
|
if (!isipv6)
|
|
|
|
#endif
|
|
|
|
if (tp->t_flags & TF_SIGNATURE) {
|
|
|
|
int i;
|
|
|
|
u_char *bp;
|
2004-02-12 20:12:48 +00:00
|
|
|
|
|
|
|
/* Initialize TCP-MD5 option (RFC2385) */
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
bp = (u_char *)opt + optlen;
|
|
|
|
*bp++ = TCPOPT_SIGNATURE;
|
|
|
|
*bp++ = TCPOLEN_SIGNATURE;
|
|
|
|
sigoff = optlen + 2;
|
|
|
|
for (i = 0; i < TCP_SIGLEN; i++)
|
|
|
|
*bp++ = 0;
|
|
|
|
optlen += TCPOLEN_SIGNATURE;
|
2004-02-12 20:12:48 +00:00
|
|
|
|
|
|
|
/* Terminate options list and maintain 32-bit alignment. */
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
*bp++ = TCPOPT_NOP;
|
|
|
|
*bp++ = TCPOPT_EOL;
|
|
|
|
optlen += 2;
|
|
|
|
}
|
|
|
|
#endif /* TCP_SIGNATURE */
|
|
|
|
|
2004-08-16 18:32:07 +00:00
|
|
|
hdrlen += optlen;
|
1995-05-30 08:16:23 +00:00
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
if (isipv6)
|
|
|
|
ipoptlen = ip6_optlen(tp->t_inpcb);
|
|
|
|
else
|
|
|
|
#endif
|
2002-06-23 21:25:36 +00:00
|
|
|
if (tp->t_inpcb->inp_options)
|
1998-05-24 18:41:04 +00:00
|
|
|
ipoptlen = tp->t_inpcb->inp_options->m_len -
|
|
|
|
offsetof(struct ipoption, ipopt_list);
|
2002-06-23 21:25:36 +00:00
|
|
|
else
|
1998-05-24 18:41:04 +00:00
|
|
|
ipoptlen = 0;
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef IPSEC
|
|
|
|
ipoptlen += ipsec_hdrsiz_tcp(tp);
|
|
|
|
#endif
|
1998-05-24 18:41:04 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Adjust data length if insertion of options will
|
1995-02-09 23:13:27 +00:00
|
|
|
* bump the packet length beyond the t_maxopd length.
|
|
|
|
* Clear the FIN bit because we cut off the tail of
|
|
|
|
* the segment.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1998-05-24 18:41:04 +00:00
|
|
|
if (len + optlen + ipoptlen > tp->t_maxopd) {
|
1995-01-23 17:58:27 +00:00
|
|
|
/*
|
|
|
|
* If there is still more to send, don't close the connection.
|
|
|
|
*/
|
|
|
|
flags &= ~TH_FIN;
|
1998-05-24 18:41:04 +00:00
|
|
|
len = tp->t_maxopd - optlen - ipoptlen;
|
1994-05-24 10:09:53 +00:00
|
|
|
sendalot = 1;
|
1995-02-09 23:13:27 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1995-02-09 23:13:27 +00:00
|
|
|
/*#ifdef DIAGNOSTIC*/
|
2000-02-09 00:34:40 +00:00
|
|
|
#ifdef INET6
|
2004-08-16 18:32:07 +00:00
|
|
|
if (max_linkhdr + hdrlen > MCLBYTES)
|
2000-02-09 00:34:40 +00:00
|
|
|
#else
|
2004-08-16 18:32:07 +00:00
|
|
|
if (max_linkhdr + hdrlen > MHLEN)
|
2000-02-09 00:34:40 +00:00
|
|
|
#endif
|
2002-06-23 21:25:36 +00:00
|
|
|
panic("tcphdr too big");
|
1995-02-09 23:13:27 +00:00
|
|
|
/*#endif*/
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Grab a header mbuf, attaching a copy of data to
|
|
|
|
* be transmitted, and initialize the header from
|
|
|
|
* the template for sends on this connection.
|
|
|
|
*/
|
|
|
|
if (len) {
|
|
|
|
if (tp->t_force && len == 1)
|
|
|
|
tcpstat.tcps_sndprobe++;
|
|
|
|
else if (SEQ_LT(tp->snd_nxt, tp->snd_max)) {
|
|
|
|
tcpstat.tcps_sndrexmitpack++;
|
|
|
|
tcpstat.tcps_sndrexmitbyte += len;
|
|
|
|
} else {
|
|
|
|
tcpstat.tcps_sndpack++;
|
|
|
|
tcpstat.tcps_sndbyte += len;
|
|
|
|
}
|
|
|
|
#ifdef notyet
|
|
|
|
if ((m = m_copypack(so->so_snd.sb_mb, off,
|
|
|
|
(int)len, max_linkhdr + hdrlen)) == 0) {
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* m_copypack left space for our hdr; use it.
|
|
|
|
*/
|
|
|
|
m->m_len += hdrlen;
|
|
|
|
m->m_data -= hdrlen;
|
|
|
|
#else
|
2003-02-19 05:47:46 +00:00
|
|
|
MGETHDR(m, M_DONTWAIT, MT_HEADER);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (m == NULL) {
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto out;
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
2000-02-09 00:34:40 +00:00
|
|
|
if (MHLEN < hdrlen + max_linkhdr) {
|
2003-02-19 05:47:46 +00:00
|
|
|
MCLGET(m, M_DONTWAIT);
|
2000-02-09 00:34:40 +00:00
|
|
|
if ((m->m_flags & M_EXT) == 0) {
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
2000-02-09 00:34:40 +00:00
|
|
|
m_freem(m);
|
|
|
|
error = ENOBUFS;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
m->m_data += max_linkhdr;
|
|
|
|
m->m_len = hdrlen;
|
|
|
|
if (len <= MHLEN - hdrlen - max_linkhdr) {
|
|
|
|
m_copydata(so->so_snd.sb_mb, off, (int) len,
|
|
|
|
mtod(m, caddr_t) + hdrlen);
|
|
|
|
m->m_len += len;
|
|
|
|
} else {
|
|
|
|
m->m_next = m_copy(so->so_snd.sb_mb, off, (int) len);
|
1995-09-13 17:36:31 +00:00
|
|
|
if (m->m_next == 0) {
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1995-09-22 20:05:58 +00:00
|
|
|
(void) m_free(m);
|
1995-09-13 17:36:31 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
goto out;
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
|
|
* If we're sending everything we've got, set PUSH.
|
|
|
|
* (This will keep happy those implementations which only
|
|
|
|
* give data to the user when a buffer fills or
|
|
|
|
* a PUSH comes in.)
|
|
|
|
*/
|
|
|
|
if (off + len == so->so_snd.sb_cc)
|
|
|
|
flags |= TH_PUSH;
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
} else {
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (tp->t_flags & TF_ACKNOW)
|
|
|
|
tcpstat.tcps_sndacks++;
|
|
|
|
else if (flags & (TH_SYN|TH_FIN|TH_RST))
|
|
|
|
tcpstat.tcps_sndctrl++;
|
|
|
|
else if (SEQ_GT(tp->snd_up, tp->snd_una))
|
|
|
|
tcpstat.tcps_sndurg++;
|
|
|
|
else
|
|
|
|
tcpstat.tcps_sndwinup++;
|
|
|
|
|
2003-02-19 05:47:46 +00:00
|
|
|
MGETHDR(m, M_DONTWAIT, MT_HEADER);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (m == NULL) {
|
|
|
|
error = ENOBUFS;
|
|
|
|
goto out;
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
if (isipv6 && (MHLEN < hdrlen + max_linkhdr) &&
|
|
|
|
MHLEN >= hdrlen) {
|
|
|
|
MH_ALIGN(m, hdrlen);
|
|
|
|
} else
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
m->m_data += max_linkhdr;
|
|
|
|
m->m_len = hdrlen;
|
|
|
|
}
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK_ASSERT(&so->so_snd);
|
1994-05-24 10:09:53 +00:00
|
|
|
m->m_pkthdr.rcvif = (struct ifnet *)0;
|
2002-07-31 19:06:49 +00:00
|
|
|
#ifdef MAC
|
2004-05-04 02:11:47 +00:00
|
|
|
mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
|
2002-07-31 19:06:49 +00:00
|
|
|
#endif
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
if (isipv6) {
|
|
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
|
|
th = (struct tcphdr *)(ip6 + 1);
|
2003-02-19 22:18:06 +00:00
|
|
|
tcpip_fillheaders(tp->t_inpcb, ip6, th);
|
2000-01-09 19:17:30 +00:00
|
|
|
} else
|
|
|
|
#endif /* INET6 */
|
2004-08-16 18:32:07 +00:00
|
|
|
{
|
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
ipov = (struct ipovly *)ip;
|
|
|
|
th = (struct tcphdr *)(ip + 1);
|
|
|
|
tcpip_fillheaders(tp->t_inpcb, ip, th);
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Fill in fields, remembering maximum advertised
|
|
|
|
* window for use in delaying messages about window sizes.
|
|
|
|
* If resending a FIN, be sure not to use a new sequence number.
|
|
|
|
*/
|
1995-05-30 08:16:23 +00:00
|
|
|
if (flags & TH_FIN && tp->t_flags & TF_SENTFIN &&
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->snd_nxt == tp->snd_max)
|
|
|
|
tp->snd_nxt--;
|
|
|
|
/*
|
|
|
|
* If we are doing retransmissions, then snd_nxt will
|
|
|
|
* not reflect the first unsent octet. For ACK only
|
|
|
|
* packets, we do not want the sequence number of the
|
|
|
|
* retransmitted packet, we want the sequence number
|
|
|
|
* of the next unsent octet. So, if there is no data
|
|
|
|
* (and no SYN or FIN), use snd_max instead of snd_nxt
|
|
|
|
* when filling in ti_seq. But if we are in persist
|
|
|
|
* state, snd_max might reflect one byte beyond the
|
|
|
|
* right edge of the window, so use snd_nxt in that
|
|
|
|
* case, since we know we aren't doing a retransmission.
|
|
|
|
* (retransmit and persist are mutually exclusive...)
|
|
|
|
*/
|
2004-10-05 18:36:24 +00:00
|
|
|
if (sack_rxmit == 0) {
|
|
|
|
if (len || (flags & (TH_SYN|TH_FIN))
|
|
|
|
|| callout_active(tp->tt_persist))
|
|
|
|
th->th_seq = htonl(tp->snd_nxt);
|
|
|
|
else
|
|
|
|
th->th_seq = htonl(tp->snd_max);
|
|
|
|
} else {
|
2004-06-23 21:04:37 +00:00
|
|
|
th->th_seq = htonl(p->rxmit);
|
|
|
|
p->rxmit += len;
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
th->th_ack = htonl(tp->rcv_nxt);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (optlen) {
|
2000-01-09 19:17:30 +00:00
|
|
|
bcopy(opt, th + 1, optlen);
|
|
|
|
th->th_off = (sizeof (struct tcphdr) + optlen) >> 2;
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
th->th_flags = flags;
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Calculate receive window. Don't shrink window,
|
|
|
|
* but avoid silly window syndrome.
|
|
|
|
*/
|
2004-01-22 23:22:14 +00:00
|
|
|
if (recwin < (long)(so->so_rcv.sb_hiwat / 4) &&
|
|
|
|
recwin < (long)tp->t_maxseg)
|
|
|
|
recwin = 0;
|
|
|
|
if (recwin < (long)(tp->rcv_adv - tp->rcv_nxt))
|
|
|
|
recwin = (long)(tp->rcv_adv - tp->rcv_nxt);
|
|
|
|
if (recwin > (long)TCP_MAXWIN << tp->rcv_scale)
|
|
|
|
recwin = (long)TCP_MAXWIN << tp->rcv_scale;
|
|
|
|
th->th_win = htons((u_short) (recwin >> tp->rcv_scale));
|
2001-12-02 08:49:29 +00:00
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Adjust the RXWIN0SENT flag - indicate that we have advertised
|
|
|
|
* a 0 window. This may cause the remote transmitter to stall. This
|
|
|
|
* flag tells soreceive() to disable delayed acknowledgements when
|
|
|
|
* draining the buffer. This can occur if the receiver is attempting
|
|
|
|
* to read more data then can be buffered prior to transmitting on
|
|
|
|
* the connection.
|
|
|
|
*/
|
2004-01-22 23:22:14 +00:00
|
|
|
if (recwin == 0)
|
2001-12-02 08:49:29 +00:00
|
|
|
tp->t_flags |= TF_RXWIN0SENT;
|
|
|
|
else
|
|
|
|
tp->t_flags &= ~TF_RXWIN0SENT;
|
1994-05-24 10:09:53 +00:00
|
|
|
if (SEQ_GT(tp->snd_up, tp->snd_nxt)) {
|
2000-01-09 19:17:30 +00:00
|
|
|
th->th_urp = htons((u_short)(tp->snd_up - tp->snd_nxt));
|
|
|
|
th->th_flags |= TH_URG;
|
1994-05-24 10:09:53 +00:00
|
|
|
} else
|
|
|
|
/*
|
|
|
|
* If no urgent pointer to send, then we pull
|
|
|
|
* the urgent pointer to the left edge of the send window
|
|
|
|
* so that it doesn't drift into the send window on sequence
|
|
|
|
* number wraparound.
|
|
|
|
*/
|
|
|
|
tp->snd_up = tp->snd_una; /* drag it along */
|
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#ifdef TCP_SIGNATURE
|
|
|
|
#ifdef INET6
|
|
|
|
if (!isipv6)
|
|
|
|
#endif
|
|
|
|
if (tp->t_flags & TF_SIGNATURE)
|
2004-02-13 18:21:45 +00:00
|
|
|
tcp_signature_compute(m, sizeof(struct ip), len, optlen,
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
(u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
|
2004-02-13 18:21:45 +00:00
|
|
|
#endif
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Put TCP length in extended header, and then
|
|
|
|
* checksum extended header and data.
|
|
|
|
*/
|
2000-01-09 19:17:30 +00:00
|
|
|
m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */
|
|
|
|
#ifdef INET6
|
|
|
|
if (isipv6)
|
|
|
|
/*
|
|
|
|
* ip6_plen is not need to be filled now, and will be filled
|
|
|
|
* in ip6_output.
|
|
|
|
*/
|
|
|
|
th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr),
|
|
|
|
sizeof(struct tcphdr) + optlen + len);
|
|
|
|
else
|
|
|
|
#endif /* INET6 */
|
2004-08-16 18:32:07 +00:00
|
|
|
{
|
|
|
|
m->m_pkthdr.csum_flags = CSUM_TCP;
|
|
|
|
m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
|
|
|
|
th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
|
|
|
|
htons(sizeof(struct tcphdr) + IPPROTO_TCP + len + optlen));
|
|
|
|
|
|
|
|
/* IP version must be set here for ipv4/ipv6 checking later */
|
|
|
|
KASSERT(ip->ip_v == IPVERSION,
|
|
|
|
("%s: IP version incorrect: %d", __func__, ip->ip_v));
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* In transmit state, time the transmission and arrange for
|
|
|
|
* the retransmit. In persist state, just set snd_max.
|
|
|
|
*/
|
1999-08-30 21:17:07 +00:00
|
|
|
if (tp->t_force == 0 || !callout_active(tp->tt_persist)) {
|
1994-05-24 10:09:53 +00:00
|
|
|
tcp_seq startseq = tp->snd_nxt;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Advance snd_nxt over sequence space of this segment.
|
|
|
|
*/
|
|
|
|
if (flags & (TH_SYN|TH_FIN)) {
|
|
|
|
if (flags & TH_SYN)
|
|
|
|
tp->snd_nxt++;
|
|
|
|
if (flags & TH_FIN) {
|
|
|
|
tp->snd_nxt++;
|
|
|
|
tp->t_flags |= TF_SENTFIN;
|
|
|
|
}
|
|
|
|
}
|
2004-10-05 18:36:24 +00:00
|
|
|
if (sack_rxmit)
|
2004-06-23 21:04:37 +00:00
|
|
|
goto timer;
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->snd_nxt += len;
|
|
|
|
if (SEQ_GT(tp->snd_nxt, tp->snd_max)) {
|
|
|
|
tp->snd_max = tp->snd_nxt;
|
|
|
|
/*
|
|
|
|
* Time this transmission if not a retransmission and
|
|
|
|
* not currently timing anything.
|
|
|
|
*/
|
1999-08-30 21:17:07 +00:00
|
|
|
if (tp->t_rtttime == 0) {
|
|
|
|
tp->t_rtttime = ticks;
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->t_rtseq = startseq;
|
|
|
|
tcpstat.tcps_segstimed++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set retransmit timer if not currently set,
|
2002-10-10 19:21:50 +00:00
|
|
|
* and not doing a pure ack or a keep-alive probe.
|
1994-05-24 10:09:53 +00:00
|
|
|
* Initial value for retransmit timer is smoothed
|
|
|
|
* round-trip time + 2 * round-trip time variance.
|
|
|
|
* Initialize shift counter which is used for backoff
|
|
|
|
* of retransmit time.
|
|
|
|
*/
|
2004-06-23 21:04:37 +00:00
|
|
|
timer:
|
1999-08-30 21:17:07 +00:00
|
|
|
if (!callout_active(tp->tt_rexmt) &&
|
2004-10-05 18:36:24 +00:00
|
|
|
((sack_rxmit && tp->snd_nxt != tp->snd_max) ||
|
|
|
|
(tp->snd_nxt != tp->snd_una))) {
|
1999-08-30 21:17:07 +00:00
|
|
|
if (callout_active(tp->tt_persist)) {
|
|
|
|
callout_stop(tp->tt_persist);
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->t_rxtshift = 0;
|
|
|
|
}
|
2000-05-06 03:31:09 +00:00
|
|
|
callout_reset(tp->tt_rexmt, tp->t_rxtcur,
|
|
|
|
tcp_timer_rexmt, tp);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2002-10-10 19:21:50 +00:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Persist case, update snd_max but since we are in
|
|
|
|
* persist mode (no window) we do not update snd_nxt.
|
|
|
|
*/
|
|
|
|
int xlen = len;
|
|
|
|
if (flags & TH_SYN)
|
|
|
|
++xlen;
|
|
|
|
if (flags & TH_FIN) {
|
|
|
|
++xlen;
|
|
|
|
tp->t_flags |= TF_SENTFIN;
|
|
|
|
}
|
2002-10-16 19:16:33 +00:00
|
|
|
if (SEQ_GT(tp->snd_nxt + xlen, tp->snd_max))
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->snd_max = tp->snd_nxt + len;
|
2002-10-10 19:21:50 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1994-09-15 10:36:56 +00:00
|
|
|
#ifdef TCPDEBUG
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Trace.
|
|
|
|
*/
|
2003-08-13 08:50:42 +00:00
|
|
|
if (so->so_options & SO_DEBUG) {
|
2004-06-18 09:53:58 +00:00
|
|
|
u_short save = 0;
|
2004-06-18 03:31:07 +00:00
|
|
|
#ifdef INET6
|
|
|
|
if (!isipv6)
|
|
|
|
#endif
|
|
|
|
{
|
|
|
|
save = ipov->ih_len;
|
|
|
|
ipov->ih_len = htons(m->m_pkthdr.len /* - hdrlen + (th->th_off << 2) */);
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
tcp_trace(TA_OUTPUT, tp->t_state, tp, mtod(m, void *), th, 0);
|
2004-06-18 03:31:07 +00:00
|
|
|
#ifdef INET6
|
|
|
|
if (!isipv6)
|
|
|
|
#endif
|
2003-08-13 08:50:42 +00:00
|
|
|
ipov->ih_len = save;
|
|
|
|
}
|
1994-09-15 10:36:56 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Fill in IP length and desired time to live and
|
|
|
|
* send to IP level. There should be a better way
|
|
|
|
* to handle ttl and tos; we could keep them in
|
|
|
|
* the template, but need a way to checksum without them.
|
|
|
|
*/
|
2000-01-09 19:17:30 +00:00
|
|
|
/*
|
|
|
|
* m->m_pkthdr.len should have been set before cksum calcuration,
|
|
|
|
* because in6_cksum() need it.
|
|
|
|
*/
|
|
|
|
#ifdef INET6
|
|
|
|
if (isipv6) {
|
2000-07-04 16:35:15 +00:00
|
|
|
/*
|
2000-01-09 19:17:30 +00:00
|
|
|
* we separately set hoplimit for every segment, since the
|
|
|
|
* user might want to change the value via setsockopt.
|
|
|
|
* Also, desired default hop limit might be changed via
|
2000-07-04 16:35:15 +00:00
|
|
|
* Neighbor Discovery.
|
|
|
|
*/
|
2003-11-20 20:07:39 +00:00
|
|
|
ip6->ip6_hlim = in6_selecthlim(tp->t_inpcb, NULL);
|
2000-01-09 19:17:30 +00:00
|
|
|
|
|
|
|
/* TODO: IPv6 IP6TOS_ECT bit on */
|
|
|
|
error = ip6_output(m,
|
2003-11-20 20:07:39 +00:00
|
|
|
tp->t_inpcb->in6p_outputopts, NULL,
|
2004-09-05 02:34:12 +00:00
|
|
|
((so->so_options & SO_DONTROUTE) ?
|
|
|
|
IP_ROUTETOIF : 0), NULL, NULL, tp->t_inpcb);
|
2000-01-09 19:17:30 +00:00
|
|
|
} else
|
|
|
|
#endif /* INET6 */
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2000-01-09 19:17:30 +00:00
|
|
|
ip->ip_len = m->m_pkthdr.len;
|
2000-07-04 16:35:15 +00:00
|
|
|
#ifdef INET6
|
2004-08-16 18:32:07 +00:00
|
|
|
if (INP_CHECK_SOCKAF(so, AF_INET6))
|
|
|
|
ip->ip_ttl = in6_selecthlim(tp->t_inpcb, NULL);
|
2000-07-04 16:35:15 +00:00
|
|
|
#endif /* INET6 */
|
1995-09-20 21:00:59 +00:00
|
|
|
/*
|
2003-11-20 20:07:39 +00:00
|
|
|
* If we do path MTU discovery, then we set DF on every packet.
|
|
|
|
* This might not be the best thing to do according to RFC3390
|
|
|
|
* Section 2. However the tcp hostcache migitates the problem
|
|
|
|
* so it affects only the first tcp connection with a host.
|
1995-09-20 21:00:59 +00:00
|
|
|
*/
|
2003-11-20 20:07:39 +00:00
|
|
|
if (path_mtu_discovery)
|
2000-01-09 19:17:30 +00:00
|
|
|
ip->ip_off |= IP_DF;
|
2003-11-20 20:07:39 +00:00
|
|
|
|
|
|
|
error = ip_output(m, tp->t_inpcb->inp_options, NULL,
|
2004-09-05 02:34:12 +00:00
|
|
|
((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0), 0,
|
|
|
|
tp->t_inpcb);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
if (error) {
|
2000-08-03 23:23:36 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We know that the packet was lost, so back out the
|
|
|
|
* sequence number advance, if any.
|
|
|
|
*/
|
|
|
|
if (tp->t_force == 0 || !callout_active(tp->tt_persist)) {
|
|
|
|
/*
|
|
|
|
* No need to check for TH_FIN here because
|
|
|
|
* the TF_SENTFIN flag handles that case.
|
|
|
|
*/
|
2004-07-28 02:15:14 +00:00
|
|
|
if ((flags & TH_SYN) == 0) {
|
|
|
|
if (sack_rxmit)
|
|
|
|
p->rxmit -= len;
|
2004-08-16 18:32:07 +00:00
|
|
|
else
|
2004-07-28 02:15:14 +00:00
|
|
|
tp->snd_nxt -= len;
|
|
|
|
}
|
2000-08-03 23:23:36 +00:00
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
out:
|
2004-10-09 16:48:51 +00:00
|
|
|
SOCKBUF_UNLOCK_ASSERT(&so->so_snd); /* Check gotos. */
|
1994-05-24 10:09:53 +00:00
|
|
|
if (error == ENOBUFS) {
|
2000-06-02 17:38:45 +00:00
|
|
|
if (!callout_active(tp->tt_rexmt) &&
|
2004-08-16 18:32:07 +00:00
|
|
|
!callout_active(tp->tt_persist))
|
2000-06-02 17:38:45 +00:00
|
|
|
callout_reset(tp->tt_rexmt, tp->t_rxtcur,
|
2004-08-16 18:32:07 +00:00
|
|
|
tcp_timer_rexmt, tp);
|
1994-05-24 10:09:53 +00:00
|
|
|
tcp_quench(tp->t_inpcb, 0);
|
|
|
|
return (0);
|
|
|
|
}
|
1995-10-16 18:21:26 +00:00
|
|
|
if (error == EMSGSIZE) {
|
|
|
|
/*
|
|
|
|
* ip_output() will have already fixed the route
|
|
|
|
* for us. tcp_mtudisc() will, as its last action,
|
|
|
|
* initiate retransmission, so it is important to
|
|
|
|
* not do so here.
|
|
|
|
*/
|
|
|
|
tcp_mtudisc(tp->t_inpcb, 0);
|
|
|
|
return 0;
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
if ((error == EHOSTUNREACH || error == ENETDOWN)
|
|
|
|
&& TCPS_HAVERCVDSYN(tp->t_state)) {
|
|
|
|
tp->t_softerror = error;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
tcpstat.tcps_sndtotal++;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Data sent (as far as we can tell).
|
|
|
|
* If this advertises a larger window than any other segment,
|
|
|
|
* then remember the size of the advertised window.
|
|
|
|
* Any pending ACK has now been sent.
|
|
|
|
*/
|
2004-01-22 23:22:14 +00:00
|
|
|
if (recwin > 0 && SEQ_GT(tp->rcv_nxt + recwin, tp->rcv_adv))
|
|
|
|
tp->rcv_adv = tp->rcv_nxt + recwin;
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->last_ack_sent = tp->rcv_nxt;
|
2003-02-19 21:18:23 +00:00
|
|
|
tp->t_flags &= ~(TF_ACKNOW | TF_DELACK);
|
|
|
|
if (callout_active(tp->tt_delack))
|
1999-08-30 21:17:07 +00:00
|
|
|
callout_stop(tp->tt_delack);
|
2001-11-30 21:33:39 +00:00
|
|
|
#if 0
|
|
|
|
/*
|
|
|
|
* This completely breaks TCP if newreno is turned on. What happens
|
|
|
|
* is that if delayed-acks are turned on on the receiver, this code
|
|
|
|
* on the transmitter effectively destroys the TCP window, forcing
|
|
|
|
* it to four packets (1.5Kx4 = 6K window).
|
|
|
|
*/
|
2000-05-06 03:31:09 +00:00
|
|
|
if (sendalot && (!tcp_do_newreno || --maxburst))
|
1994-05-24 10:09:53 +00:00
|
|
|
goto again;
|
2001-11-30 21:33:39 +00:00
|
|
|
#endif
|
|
|
|
if (sendalot)
|
|
|
|
goto again;
|
1994-05-24 10:09:53 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
tcp_setpersist(tp)
|
|
|
|
register struct tcpcb *tp;
|
|
|
|
{
|
1999-08-30 21:17:07 +00:00
|
|
|
int t = ((tp->t_srtt >> 2) + tp->t_rttvar) >> 1;
|
|
|
|
int tt;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1999-08-30 21:17:07 +00:00
|
|
|
if (callout_active(tp->tt_rexmt))
|
|
|
|
panic("tcp_setpersist: retransmit pending");
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Start/restart persistance timer.
|
|
|
|
*/
|
1999-08-30 21:17:07 +00:00
|
|
|
TCPT_RANGESET(tt, t * tcp_backoff[tp->t_rxtshift],
|
|
|
|
TCPTV_PERSMIN, TCPTV_PERSMAX);
|
|
|
|
callout_reset(tp->tt_persist, tt, tcp_timer_persist, tp);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (tp->t_rxtshift < TCP_MAXRXTSHIFT)
|
|
|
|
tp->t_rxtshift++;
|
|
|
|
}
|