1994-05-30 19:09:18 +00:00
|
|
|
.\" Copyright (c) 1983, 1991, 1993
|
2011-02-21 11:56:11 +00:00
|
|
|
.\" The Regents of the University of California.
|
|
|
|
.\" Copyright (c) 2010-2011 The FreeBSD Foundation
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Portions of this documentation were written at the Centre for Advanced
|
|
|
|
.\" Internet Architectures, Swinburne University of Technology, Melbourne,
|
|
|
|
.\" Australia by David Hayes under sponsorship from the FreeBSD Foundation.
|
1994-05-30 19:09:18 +00:00
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
|
|
.\" must display the following acknowledgement:
|
|
|
|
.\" This product includes software developed by the University of
|
|
|
|
.\" California, Berkeley and its contributors.
|
|
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
1995-02-15 03:30:54 +00:00
|
|
|
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
|
1999-08-28 00:22:10 +00:00
|
|
|
.\" $FreeBSD$
|
1994-05-30 19:09:18 +00:00
|
|
|
.\"
|
2013-11-08 13:04:14 +00:00
|
|
|
.Dd November 8, 2013
|
1994-05-30 19:09:18 +00:00
|
|
|
.Dt TCP 4
|
2001-07-10 15:31:11 +00:00
|
|
|
.Os
|
1994-05-30 19:09:18 +00:00
|
|
|
.Sh NAME
|
|
|
|
.Nm tcp
|
|
|
|
.Nd Internet Transmission Control Protocol
|
|
|
|
.Sh SYNOPSIS
|
2001-10-01 16:09:29 +00:00
|
|
|
.In sys/types.h
|
|
|
|
.In sys/socket.h
|
|
|
|
.In netinet/in.h
|
2013-11-08 13:04:14 +00:00
|
|
|
.In netinet/tcp.h
|
1994-05-30 19:09:18 +00:00
|
|
|
.Ft int
|
|
|
|
.Fn socket AF_INET SOCK_STREAM 0
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Tn TCP
|
|
|
|
protocol provides reliable, flow-controlled, two-way
|
2003-03-22 13:43:06 +00:00
|
|
|
transmission of data.
|
|
|
|
It is a byte-stream protocol used to
|
1994-05-30 19:09:18 +00:00
|
|
|
support the
|
|
|
|
.Dv SOCK_STREAM
|
2003-03-22 13:43:06 +00:00
|
|
|
abstraction.
|
|
|
|
.Tn TCP
|
|
|
|
uses the standard
|
1994-05-30 19:09:18 +00:00
|
|
|
Internet address format and, in addition, provides a per-host
|
|
|
|
collection of
|
2003-03-22 13:43:06 +00:00
|
|
|
.Dq "port addresses" .
|
1994-05-30 19:09:18 +00:00
|
|
|
Thus, each address is composed
|
2003-03-22 13:43:06 +00:00
|
|
|
of an Internet address specifying the host and network,
|
|
|
|
with a specific
|
1994-05-30 19:09:18 +00:00
|
|
|
.Tn TCP
|
|
|
|
port on the host identifying the peer entity.
|
|
|
|
.Pp
|
2003-03-22 13:43:06 +00:00
|
|
|
Sockets utilizing the
|
|
|
|
.Tn TCP
|
|
|
|
protocol are either
|
1994-05-30 19:09:18 +00:00
|
|
|
.Dq active
|
|
|
|
or
|
|
|
|
.Dq passive .
|
|
|
|
Active sockets initiate connections to passive
|
2003-03-22 13:43:06 +00:00
|
|
|
sockets.
|
|
|
|
By default,
|
1994-05-30 19:09:18 +00:00
|
|
|
.Tn TCP
|
|
|
|
sockets are created active; to create a
|
2003-03-22 13:43:06 +00:00
|
|
|
passive socket, the
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr listen 2
|
|
|
|
system call must be used
|
|
|
|
after binding the socket with the
|
|
|
|
.Xr bind 2
|
2003-03-22 13:43:06 +00:00
|
|
|
system call.
|
|
|
|
Only passive sockets may use the
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr accept 2
|
2003-03-22 13:43:06 +00:00
|
|
|
call to accept incoming connections.
|
|
|
|
Only active sockets may use the
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr connect 2
|
|
|
|
call to initiate connections.
|
|
|
|
.Pp
|
|
|
|
Passive sockets may
|
|
|
|
.Dq underspecify
|
|
|
|
their location to match
|
2003-03-22 13:43:06 +00:00
|
|
|
incoming connection requests from multiple networks.
|
|
|
|
This technique, termed
|
|
|
|
.Dq "wildcard addressing" ,
|
1994-05-30 19:09:18 +00:00
|
|
|
allows a single
|
|
|
|
server to provide service to clients on multiple networks.
|
|
|
|
To create a socket which listens on all networks, the Internet
|
|
|
|
address
|
|
|
|
.Dv INADDR_ANY
|
2003-03-22 13:43:06 +00:00
|
|
|
must be bound.
|
|
|
|
The
|
1994-05-30 19:09:18 +00:00
|
|
|
.Tn TCP
|
|
|
|
port may still be specified
|
2003-03-22 13:43:06 +00:00
|
|
|
at this time; if the port is not specified, the system will assign one.
|
|
|
|
Once a connection has been established, the socket's address is
|
|
|
|
fixed by the peer entity's location.
|
|
|
|
The address assigned to the
|
1994-05-30 19:09:18 +00:00
|
|
|
socket is the address associated with the network interface
|
2003-03-22 13:43:06 +00:00
|
|
|
through which packets are being transmitted and received.
|
|
|
|
Normally, this address corresponds to the peer entity's network.
|
1994-05-30 19:09:18 +00:00
|
|
|
.Pp
|
|
|
|
.Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
supports a number of socket options which can be set with
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr setsockopt 2
|
|
|
|
and tested with
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr getsockopt 2 :
|
2011-02-21 11:56:11 +00:00
|
|
|
.Bl -tag -width ".Dv TCP_CONGESTION"
|
2007-01-22 14:16:47 +00:00
|
|
|
.It Dv TCP_INFO
|
|
|
|
Information about a socket's underlying TCP session may be retrieved
|
|
|
|
by passing the read-only option
|
|
|
|
.Dv TCP_INFO
|
|
|
|
to
|
|
|
|
.Xr getsockopt 2 .
|
|
|
|
It accepts a single argument: a pointer to an instance of
|
|
|
|
.Vt "struct tcp_info" .
|
|
|
|
.Pp
|
|
|
|
This API is subject to change; consult the source to determine
|
|
|
|
which fields are currently filled out by this option.
|
|
|
|
.Fx
|
|
|
|
specific additions include
|
|
|
|
send window size,
|
|
|
|
receive window size,
|
|
|
|
and
|
|
|
|
bandwidth-controlled window space.
|
2011-02-21 11:56:11 +00:00
|
|
|
.It Dv TCP_CONGESTION
|
|
|
|
Select or query the congestion control algorithm that TCP will use for the
|
|
|
|
connection.
|
|
|
|
See
|
2011-09-15 12:15:36 +00:00
|
|
|
.Xr mod_cc 4
|
2011-02-21 11:56:11 +00:00
|
|
|
for details.
|
2012-02-05 16:53:02 +00:00
|
|
|
.It Dv TCP_KEEPINIT
|
2013-11-08 13:04:14 +00:00
|
|
|
This
|
2012-02-05 16:53:02 +00:00
|
|
|
.Xr setsockopt 2
|
|
|
|
option accepts a per-socket timeout argument of
|
|
|
|
.Vt "u_int"
|
|
|
|
in seconds, for new, non-established
|
|
|
|
.Tn TCP
|
|
|
|
connections.
|
|
|
|
For the global default in milliseconds see
|
|
|
|
.Va keepinit
|
|
|
|
in the
|
|
|
|
.Sx MIB Variables
|
|
|
|
section further down.
|
|
|
|
.It Dv TCP_KEEPIDLE
|
2013-11-08 13:04:14 +00:00
|
|
|
This
|
2012-02-05 16:53:02 +00:00
|
|
|
.Xr setsockopt 2
|
|
|
|
option accepts an argument of
|
|
|
|
.Vt "u_int"
|
|
|
|
for the amount of time, in seconds, that the connection must be idle
|
|
|
|
before keepalive probes (if enabled) are sent for the connection of this
|
|
|
|
socket.
|
|
|
|
If set on a listening socket, the value is inherited by the newly created
|
|
|
|
socket upon
|
|
|
|
.Xr accept 2 .
|
|
|
|
For the global default in milliseconds see
|
|
|
|
.Va keepidle
|
|
|
|
in the
|
|
|
|
.Sx MIB Variables
|
|
|
|
section further down.
|
|
|
|
.It Dv TCP_KEEPINTVL
|
2013-11-08 13:04:14 +00:00
|
|
|
This
|
2012-02-05 16:53:02 +00:00
|
|
|
.Xr setsockopt 2
|
|
|
|
option accepts an argument of
|
|
|
|
.Vt "u_int"
|
|
|
|
to set the per-socket interval, in seconds, between keepalive probes sent
|
|
|
|
to a peer.
|
|
|
|
If set on a listening socket, the value is inherited by the newly created
|
|
|
|
socket upon
|
|
|
|
.Xr accept 2 .
|
|
|
|
For the global default in milliseconds see
|
|
|
|
.Va keepintvl
|
|
|
|
in the
|
|
|
|
.Sx MIB Variables
|
|
|
|
section further down.
|
|
|
|
.It Dv TCP_KEEPCNT
|
2013-11-08 13:04:14 +00:00
|
|
|
This
|
2012-02-05 16:53:02 +00:00
|
|
|
.Xr setsockopt 2
|
|
|
|
option accepts an argument of
|
|
|
|
.Vt "u_int"
|
|
|
|
and allows a per-socket tuning of the number of probes sent, with no response,
|
|
|
|
before the connection will be dropped.
|
|
|
|
If set on a listening socket, the value is inherited by the newly created
|
|
|
|
socket upon
|
|
|
|
.Xr accept 2 .
|
|
|
|
For the global default see the
|
|
|
|
.Va keepcnt
|
|
|
|
in the
|
|
|
|
.Sx MIB Variables
|
|
|
|
section further down.
|
1995-02-15 03:30:54 +00:00
|
|
|
.It Dv TCP_NODELAY
|
1994-05-30 19:09:18 +00:00
|
|
|
Under most circumstances,
|
|
|
|
.Tn TCP
|
|
|
|
sends data when it is presented;
|
|
|
|
when outstanding data has not yet been acknowledged, it gathers
|
|
|
|
small amounts of output to be sent in a single packet once
|
|
|
|
an acknowledgement is received.
|
|
|
|
For a small number of clients, such as window systems
|
|
|
|
that send a stream of mouse events which receive no replies,
|
|
|
|
this packetization may cause significant delays.
|
1995-02-15 03:30:54 +00:00
|
|
|
The boolean option
|
1994-05-30 19:09:18 +00:00
|
|
|
.Dv TCP_NODELAY
|
1995-02-15 03:30:54 +00:00
|
|
|
defeats this algorithm.
|
|
|
|
.It Dv TCP_MAXSEG
|
2003-03-22 13:43:06 +00:00
|
|
|
By default, a sender- and
|
|
|
|
.No receiver- Ns Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
will negotiate among themselves to determine the maximum segment size
|
2003-03-22 13:43:06 +00:00
|
|
|
to be used for each connection.
|
|
|
|
The
|
1995-02-15 03:30:54 +00:00
|
|
|
.Dv TCP_MAXSEG
|
|
|
|
option allows the user to determine the result of this negotiation,
|
|
|
|
and to reduce it if desired.
|
|
|
|
.It Dv TCP_NOOPT
|
|
|
|
.Tn TCP
|
|
|
|
usually sends a number of options in each packet, corresponding to
|
|
|
|
various
|
|
|
|
.Tn TCP
|
2003-03-22 13:43:06 +00:00
|
|
|
extensions which are provided in this implementation.
|
|
|
|
The boolean option
|
1995-02-15 03:30:54 +00:00
|
|
|
.Dv TCP_NOOPT
|
2001-07-14 19:41:16 +00:00
|
|
|
is provided to disable
|
1995-02-15 03:30:54 +00:00
|
|
|
.Tn TCP
|
|
|
|
option use on a per-connection basis.
|
|
|
|
.It Dv TCP_NOPUSH
|
2003-03-22 13:43:06 +00:00
|
|
|
By convention, the
|
|
|
|
.No sender- Ns Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
will set the
|
|
|
|
.Dq push
|
2003-03-22 13:43:06 +00:00
|
|
|
bit, and begin transmission immediately (if permitted) at the end of
|
1995-02-15 03:30:54 +00:00
|
|
|
every user call to
|
1996-04-08 04:18:31 +00:00
|
|
|
.Xr write 2
|
1995-02-15 03:30:54 +00:00
|
|
|
or
|
1996-04-08 04:18:31 +00:00
|
|
|
.Xr writev 2 .
|
2003-03-22 13:43:06 +00:00
|
|
|
When this option is set to a non-zero value,
|
1995-02-15 03:30:54 +00:00
|
|
|
.Tn TCP
|
|
|
|
will delay sending any data at all until either the socket is closed,
|
|
|
|
or the internal send buffer is filled.
|
2004-02-16 22:21:16 +00:00
|
|
|
.It Dv TCP_MD5SIG
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
This option enables the use of MD5 digests (also known as TCP-MD5)
|
|
|
|
on writes to the specified socket.
|
2012-03-08 01:37:01 +00:00
|
|
|
Outgoing traffic is digested;
|
2012-03-08 15:27:29 +00:00
|
|
|
digests on incoming traffic are verified if the
|
|
|
|
.Va net.inet.tcp.signature_verify_input
|
2012-03-09 15:25:27 +00:00
|
|
|
sysctl is nonzero.
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
The current default behavior for the system is to respond to a system
|
|
|
|
advertising this option with TCP-MD5; this may change.
|
|
|
|
.Pp
|
2004-06-16 08:33:57 +00:00
|
|
|
One common use for this in a
|
|
|
|
.Fx
|
|
|
|
router deployment is to enable
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
based routers to interwork with Cisco equipment at peering points.
|
|
|
|
Support for this feature conforms to RFC 2385.
|
2004-06-16 08:33:57 +00:00
|
|
|
Only IPv4
|
|
|
|
.Pq Dv AF_INET
|
|
|
|
sessions are supported.
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
.Pp
|
|
|
|
In order for this option to function correctly, it is necessary for the
|
|
|
|
administrator to add a tcp-md5 key entry to the system's security
|
|
|
|
associations database (SADB) using the
|
|
|
|
.Xr setkey 8
|
|
|
|
utility.
|
|
|
|
This entry must have an SPI of 0x1000 and can therefore only be specified
|
|
|
|
on a per-host basis at this time.
|
|
|
|
.Pp
|
|
|
|
If an SADB entry cannot be found for the destination, the outgoing traffic
|
|
|
|
will have an invalid digest option prepended, and the following error message
|
|
|
|
will be visible on the system console:
|
2004-02-14 22:17:38 +00:00
|
|
|
.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
|
1995-02-15 03:30:54 +00:00
|
|
|
.El
|
|
|
|
.Pp
|
1994-05-30 19:09:18 +00:00
|
|
|
The option level for the
|
1996-04-08 04:18:31 +00:00
|
|
|
.Xr setsockopt 2
|
1994-05-30 19:09:18 +00:00
|
|
|
call is the protocol number for
|
|
|
|
.Tn TCP ,
|
|
|
|
available from
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr getprotobyname 3 ,
|
|
|
|
or
|
|
|
|
.Dv IPPROTO_TCP .
|
|
|
|
All options are declared in
|
2003-09-08 19:57:22 +00:00
|
|
|
.In netinet/tcp.h .
|
1994-05-30 19:09:18 +00:00
|
|
|
.Pp
|
|
|
|
Options at the
|
|
|
|
.Tn IP
|
|
|
|
transport level may be used with
|
|
|
|
.Tn TCP ;
|
|
|
|
see
|
|
|
|
.Xr ip 4 .
|
|
|
|
Incoming connection requests that are source-routed are noted,
|
|
|
|
and the reverse source route is used in responding.
|
2011-02-21 11:56:11 +00:00
|
|
|
.Pp
|
|
|
|
The default congestion control algorithm for
|
|
|
|
.Tn TCP
|
|
|
|
is
|
|
|
|
.Xr cc_newreno 4 .
|
|
|
|
Other congestion control algorithms can be made available using the
|
2011-09-15 12:15:36 +00:00
|
|
|
.Xr mod_cc 4
|
2011-02-21 11:56:11 +00:00
|
|
|
framework.
|
2003-03-22 13:43:06 +00:00
|
|
|
.Ss MIB Variables
|
1995-02-15 03:30:54 +00:00
|
|
|
The
|
2003-03-22 13:43:06 +00:00
|
|
|
.Tn TCP
|
1999-08-17 14:54:26 +00:00
|
|
|
protocol implements a number of variables in the
|
2003-03-22 13:43:06 +00:00
|
|
|
.Va net.inet.tcp
|
1995-02-15 03:30:54 +00:00
|
|
|
branch of the
|
|
|
|
.Xr sysctl 3
|
|
|
|
MIB.
|
2004-11-02 22:22:22 +00:00
|
|
|
.Bl -tag -width ".Va TCPCTL_DO_RFC1323"
|
1995-02-15 03:30:54 +00:00
|
|
|
.It Dv TCPCTL_DO_RFC1323
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va rfc1323
|
1995-02-15 03:30:54 +00:00
|
|
|
Implement the window scaling and timestamp options of RFC 1323
|
2003-03-22 13:43:06 +00:00
|
|
|
(default is true).
|
1995-02-15 03:30:54 +00:00
|
|
|
.It Dv TCPCTL_MSSDFLT
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va mssdflt
|
1995-02-15 03:30:54 +00:00
|
|
|
The default value used for the maximum segment size
|
|
|
|
.Pq Dq MSS
|
|
|
|
when no advice to the contrary is received from MSS negotiation.
|
2001-09-06 22:50:12 +00:00
|
|
|
.It Dv TCPCTL_SENDSPACE
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va sendspace
|
|
|
|
Maximum
|
|
|
|
.Tn TCP
|
|
|
|
send window.
|
2001-09-06 22:50:12 +00:00
|
|
|
.It Dv TCPCTL_RECVSPACE
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va recvspace
|
|
|
|
Maximum
|
|
|
|
.Tn TCP
|
|
|
|
receive window.
|
|
|
|
.It Va log_in_vain
|
1999-08-17 14:54:26 +00:00
|
|
|
Log any connection attempts to ports where there is not a socket
|
|
|
|
accepting connections.
|
2003-03-22 13:43:06 +00:00
|
|
|
The value of 1 limits the logging to
|
|
|
|
.Tn SYN
|
|
|
|
(connection establishment) packets only.
|
|
|
|
That of 2 results in any
|
|
|
|
.Tn TCP
|
|
|
|
packets to closed ports being logged.
|
2002-04-16 13:19:33 +00:00
|
|
|
Any value unlisted above disables the logging
|
|
|
|
(default is 0, i.e., the logging is disabled).
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va msl
|
2002-01-21 12:09:13 +00:00
|
|
|
The Maximum Segment Lifetime, in milliseconds, for a packet.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va keepinit
|
|
|
|
Timeout, in milliseconds, for new, non-established
|
|
|
|
.Tn TCP
|
|
|
|
connections.
|
2012-02-05 16:53:02 +00:00
|
|
|
The default is 75000 msec.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va keepidle
|
2002-01-19 03:44:42 +00:00
|
|
|
Amount of time, in milliseconds, that the connection must be idle
|
|
|
|
before keepalive probes (if enabled) are sent.
|
2012-02-05 16:53:02 +00:00
|
|
|
The default is 7200000 msec (2 hours).
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va keepintvl
|
2002-01-19 03:44:42 +00:00
|
|
|
The interval, in milliseconds, between keepalive probes sent to remote
|
2011-01-08 00:44:17 +00:00
|
|
|
machines, when no response is received on a
|
|
|
|
.Va keepidle
|
|
|
|
probe.
|
2012-02-05 16:53:02 +00:00
|
|
|
The default is 75000 msec.
|
|
|
|
.It Va keepcnt
|
|
|
|
Number of probes sent, with no response, before a connection
|
|
|
|
is dropped.
|
|
|
|
The default is 8 packets.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va always_keepalive
|
2001-05-17 17:53:21 +00:00
|
|
|
Assume that
|
|
|
|
.Dv SO_KEEPALIVE
|
|
|
|
is set on all
|
|
|
|
.Tn TCP
|
|
|
|
connections, the kernel will
|
|
|
|
periodically send a packet to the remote host to verify the connection
|
|
|
|
is still up.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va icmp_may_rst
|
2001-05-17 17:53:21 +00:00
|
|
|
Certain
|
|
|
|
.Tn ICMP
|
|
|
|
unreachable messages may abort connections in
|
|
|
|
.Tn SYN-SENT
|
|
|
|
state.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va do_tcpdrain
|
2001-05-17 17:53:21 +00:00
|
|
|
Flush packets in the
|
|
|
|
.Tn TCP
|
|
|
|
reassembly queue if the system is low on mbufs.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va blackhole
|
1999-08-17 14:54:26 +00:00
|
|
|
If enabled, disable sending of RST when a connection is attempted
|
|
|
|
to a port where there is not a socket accepting connections.
|
|
|
|
See
|
|
|
|
.Xr blackhole 4 .
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va delayed_ack
|
1999-08-17 14:54:26 +00:00
|
|
|
Delay ACK to try and piggyback it onto a data packet.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va delacktime
|
2002-01-19 03:44:42 +00:00
|
|
|
Maximum amount of time, in milliseconds, before a delayed ACK is sent.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va path_mtu_discovery
|
|
|
|
Enable Path MTU Discovery.
|
|
|
|
.It Va tcbhashsize
|
2001-05-17 17:53:21 +00:00
|
|
|
Size of the
|
|
|
|
.Tn TCP
|
2003-03-22 13:43:06 +00:00
|
|
|
control-block hash table
|
2001-05-17 17:53:21 +00:00
|
|
|
(read-only).
|
|
|
|
This may be tuned using the kernel option
|
|
|
|
.Dv TCBHASHSIZE
|
|
|
|
or by setting
|
|
|
|
.Va net.inet.tcp.tcbhashsize
|
|
|
|
in the
|
|
|
|
.Xr loader 8 .
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va pcbcount
|
2001-05-17 17:53:21 +00:00
|
|
|
Number of active process control blocks
|
|
|
|
(read-only).
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va syncookies
|
|
|
|
Determines whether or not
|
|
|
|
.Tn SYN
|
|
|
|
cookies should be generated for outbound
|
|
|
|
.Tn SYN-ACK
|
|
|
|
packets.
|
|
|
|
.Tn SYN
|
|
|
|
cookies are a great help during
|
|
|
|
.Tn SYN
|
|
|
|
flood attacks, and are enabled by default.
|
|
|
|
(See
|
|
|
|
.Xr syncookies 4 . )
|
|
|
|
.It Va isn_reseed_interval
|
2001-09-06 22:50:12 +00:00
|
|
|
The interval (in seconds) specifying how often the secret data used in
|
|
|
|
RFC 1948 initial sequence number calculations should be reseeded.
|
|
|
|
By default, this variable is set to zero, indicating that
|
|
|
|
no reseeding will occur.
|
|
|
|
Reseeding should not be necessary, and will break
|
|
|
|
.Dv TIME_WAIT
|
|
|
|
recycling for a few minutes.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va rexmit_min , rexmit_slop
|
|
|
|
Adjust the retransmit timer calculation for
|
|
|
|
.Tn TCP .
|
|
|
|
The slop is
|
2002-08-25 01:51:57 +00:00
|
|
|
typically added to the raw calculation to take into account
|
2003-03-22 13:43:06 +00:00
|
|
|
occasional variances that the
|
|
|
|
.Tn SRTT
|
|
|
|
(smoothed round-trip time)
|
2004-06-21 17:42:49 +00:00
|
|
|
is unable to accommodate, while the minimum specifies an
|
2003-03-22 13:43:06 +00:00
|
|
|
absolute minimum.
|
|
|
|
While a number of
|
|
|
|
.Tn TCP
|
|
|
|
RFCs suggest a 1
|
|
|
|
second minimum, these RFCs tend to focus on streaming behavior,
|
2002-08-25 01:51:57 +00:00
|
|
|
and fail to deal with the fact that a 1 second minimum has severe
|
|
|
|
detrimental effects over lossy interactive connections, such
|
|
|
|
as a 802.11b wireless link, and over very fast but lossy
|
|
|
|
connections for those cases not covered by the fast retransmit
|
2003-03-22 13:43:06 +00:00
|
|
|
code.
|
|
|
|
For this reason, we use 200ms of slop and a near-0
|
|
|
|
minimum, which gives us an effective minimum of 200ms (similar to
|
|
|
|
.Tn Linux ) .
|
|
|
|
.It Va rfc3042
|
|
|
|
Enable the Limited Transmit algorithm as described in RFC 3042.
|
2004-10-23 18:37:23 +00:00
|
|
|
It helps avoid timeouts on lossy links and also when the congestion window
|
2003-03-22 13:43:06 +00:00
|
|
|
is small, as happens on short transfers.
|
|
|
|
.It Va rfc3390
|
2003-03-13 01:44:58 +00:00
|
|
|
Enable support for RFC 3390, which allows for a variable-sized
|
|
|
|
starting congestion window on new connections, depending on the
|
2003-03-22 13:43:06 +00:00
|
|
|
maximum segment size.
|
|
|
|
This helps throughput in general, but
|
2003-03-13 01:44:58 +00:00
|
|
|
particularly affects short transfers and high-bandwidth large
|
2003-03-22 13:43:06 +00:00
|
|
|
propagation-delay connections.
|
2004-07-10 17:55:13 +00:00
|
|
|
.It Va sack.enable
|
|
|
|
Enable support for RFC 2018, TCP Selective Acknowledgment option,
|
|
|
|
which allows the receiver to inform the sender about all successfully
|
|
|
|
arrived segments, allowing the sender to retransmit the missing segments
|
|
|
|
only.
|
2007-02-28 19:32:46 +00:00
|
|
|
.It Va sack.maxholes
|
2007-02-28 21:36:11 +00:00
|
|
|
Maximum number of SACK holes per connection.
|
|
|
|
Defaults to 128.
|
2007-02-28 19:32:46 +00:00
|
|
|
.It Va sack.globalmaxholes
|
2007-02-28 22:40:21 +00:00
|
|
|
Maximum number of SACK holes per system, across all connections.
|
2007-02-28 19:32:46 +00:00
|
|
|
Defaults to 65536.
|
2006-09-13 15:24:27 +00:00
|
|
|
.It Va maxtcptw
|
|
|
|
When a TCP connection enters the
|
|
|
|
.Dv TIME_WAIT
|
|
|
|
state, its associated socket structure is freed, since it is of
|
|
|
|
negligible size and use, and a new structure is allocated to contain a
|
|
|
|
minimal amount of information necessary for sustaining a connection in
|
|
|
|
this state, called the compressed TCP TIME_WAIT state.
|
|
|
|
Since this structure is smaller than a socket structure, it can save
|
|
|
|
a significant amount of system memory.
|
|
|
|
The
|
|
|
|
.Va net.inet.tcp.maxtcptw
|
|
|
|
MIB variable controls the maximum number of these structures allocated.
|
|
|
|
By default, it is initialized to
|
|
|
|
.Va kern.ipc.maxsockets
|
2006-09-13 15:47:26 +00:00
|
|
|
/ 5.
|
2006-09-13 15:24:27 +00:00
|
|
|
.It Va nolocaltimewait
|
|
|
|
Suppress creating of compressed TCP TIME_WAIT states for connections in
|
|
|
|
which both endpoints are local.
|
2007-02-28 19:32:46 +00:00
|
|
|
.It Va fast_finwait2_recycle
|
2007-02-28 22:40:21 +00:00
|
|
|
Recycle
|
|
|
|
.Tn TCP
|
|
|
|
.Dv FIN_WAIT_2
|
2007-04-03 18:57:09 +00:00
|
|
|
connections faster when the socket is marked as
|
2007-02-28 22:40:21 +00:00
|
|
|
.Dv SBS_CANTRCVMORE
|
|
|
|
(no user process has the socket open, data received on
|
2007-02-28 21:36:11 +00:00
|
|
|
the socket cannot be read).
|
2007-02-28 22:40:21 +00:00
|
|
|
The timeout used here is
|
2007-02-28 21:36:11 +00:00
|
|
|
.Va finwait2_timeout .
|
2007-02-28 19:32:46 +00:00
|
|
|
.It Va finwait2_timeout
|
2007-02-28 22:40:21 +00:00
|
|
|
Timeout to use for fast recycling of
|
2007-02-28 19:32:46 +00:00
|
|
|
.Tn TCP
|
2007-02-28 22:40:21 +00:00
|
|
|
.Dv FIN_WAIT_2
|
2007-02-28 21:36:11 +00:00
|
|
|
connections.
|
|
|
|
Defaults to 60 seconds.
|
2008-08-16 21:12:25 +00:00
|
|
|
.It Va ecn.enable
|
|
|
|
Enable support for TCP Explicit Congestion Notification (ECN).
|
|
|
|
ECN allows a TCP sender to reduce the transmission rate in order to
|
|
|
|
avoid packet drops.
|
|
|
|
.It Va ecn.maxretries
|
|
|
|
Number of retries (SYN or SYN/ACK retransmits) before disabling ECN on a
|
|
|
|
specific connection. This is needed to help with connection establishment
|
|
|
|
when a broken firewall is in the network path.
|
1995-02-15 03:30:54 +00:00
|
|
|
.El
|
2001-04-13 19:49:07 +00:00
|
|
|
.Sh ERRORS
|
1994-05-30 19:09:18 +00:00
|
|
|
A socket operation may fail with one of the following errors returned:
|
2001-04-13 19:49:07 +00:00
|
|
|
.Bl -tag -width Er
|
1994-05-30 19:09:18 +00:00
|
|
|
.It Bq Er EISCONN
|
|
|
|
when trying to establish a connection on a socket which
|
|
|
|
already has one;
|
|
|
|
.It Bq Er ENOBUFS
|
|
|
|
when the system runs out of memory for
|
|
|
|
an internal data structure;
|
|
|
|
.It Bq Er ETIMEDOUT
|
|
|
|
when a connection was dropped
|
|
|
|
due to excessive retransmissions;
|
|
|
|
.It Bq Er ECONNRESET
|
|
|
|
when the remote peer
|
|
|
|
forces the connection to be closed;
|
|
|
|
.It Bq Er ECONNREFUSED
|
|
|
|
when the remote
|
|
|
|
peer actively refuses connection establishment (usually because
|
|
|
|
no process is listening to the port);
|
|
|
|
.It Bq Er EADDRINUSE
|
|
|
|
when an attempt
|
|
|
|
is made to create a socket with a port which has already been
|
|
|
|
allocated;
|
|
|
|
.It Bq Er EADDRNOTAVAIL
|
2001-07-14 19:41:16 +00:00
|
|
|
when an attempt is made to create a
|
1994-05-30 19:09:18 +00:00
|
|
|
socket with a network address for which no network interface
|
2003-03-22 13:43:06 +00:00
|
|
|
exists;
|
1994-12-15 20:54:28 +00:00
|
|
|
.It Bq Er EAFNOSUPPORT
|
|
|
|
when an attempt is made to bind or connect a socket to a multicast
|
|
|
|
address.
|
1994-05-30 19:09:18 +00:00
|
|
|
.El
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr getsockopt 2 ,
|
|
|
|
.Xr socket 2 ,
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr sysctl 3 ,
|
2001-07-06 16:46:48 +00:00
|
|
|
.Xr blackhole 4 ,
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr inet 4 ,
|
1996-12-26 16:16:37 +00:00
|
|
|
.Xr intro 4 ,
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr ip 4 ,
|
2011-09-15 12:15:36 +00:00
|
|
|
.Xr mod_cc 4 ,
|
2012-03-20 12:24:36 +00:00
|
|
|
.Xr siftr 4 ,
|
2002-12-23 14:51:18 +00:00
|
|
|
.Xr syncache 4 ,
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
.Xr setkey 8
|
1995-02-15 03:30:54 +00:00
|
|
|
.Rs
|
2003-03-22 13:43:06 +00:00
|
|
|
.%A "V. Jacobson"
|
|
|
|
.%A "R. Braden"
|
|
|
|
.%A "D. Borman"
|
1995-02-15 03:30:54 +00:00
|
|
|
.%T "TCP Extensions for High Performance"
|
2003-03-22 13:43:06 +00:00
|
|
|
.%O "RFC 1323"
|
1995-02-15 03:30:54 +00:00
|
|
|
.Re
|
|
|
|
.Rs
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
.%A "A. Heffernan"
|
|
|
|
.%T "Protection of BGP Sessions via the TCP MD5 Signature Option"
|
|
|
|
.%O "RFC 2385"
|
|
|
|
.Re
|
2008-08-16 21:12:25 +00:00
|
|
|
.Rs
|
|
|
|
.%A "K. Ramakrishnan"
|
|
|
|
.%A "S. Floyd"
|
|
|
|
.%A "D. Black"
|
|
|
|
.%T "The Addition of Explicit Congestion Notification (ECN) to IP"
|
|
|
|
.%O "RFC 3168"
|
|
|
|
.Re
|
1994-05-30 19:09:18 +00:00
|
|
|
.Sh HISTORY
|
|
|
|
The
|
2003-03-22 13:43:06 +00:00
|
|
|
.Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
protocol appeared in
|
1994-05-30 19:09:18 +00:00
|
|
|
.Bx 4.2 .
|
1995-02-15 03:30:54 +00:00
|
|
|
The RFC 1323 extensions for window scaling and timestamps were added
|
|
|
|
in
|
|
|
|
.Bx 4.4 .
|
2007-01-22 14:16:47 +00:00
|
|
|
The
|
|
|
|
.Dv TCP_INFO
|
|
|
|
option was introduced in
|
|
|
|
.Tn Linux 2.6
|
|
|
|
and is
|
|
|
|
.Em subject to change .
|