4b81ce6dd2
(sorele()/sotryfree()): - This permits the caller to acquire the accept mutex before the socket mutex, avoiding sofree() having to drop the socket mutex and re-order, which could lead to races permitting more than one thread to enter sofree() after a socket is ready to be free'd. - This also covers clearing of the so_pcb weak socket reference from the protocol to the socket, preventing races in clearing and evaluation of the reference such that sofree() might be called more than once on the same socket. This appears to close a race I was able to easily trigger by repeatedly opening and resetting TCP connections to a host, in which the tcp_close() code called as a result of the RST raced with the close() of the accepted socket in the user process resulting in simultaneous attempts to de-allocate the same socket. The new locking increases the overhead for operations that may potentially free the socket, so we will want to revise the synchronization strategy here as we normalize the reference counting model for sockets. The use of the accept mutex in freeing of sockets that are not listen sockets is primarily motivated by the potential need to remove the socket from the incomplete connection queue on its parent (listen) socket, so cleaning up the reference model here may allow us to substantially weaken the synchronization requirements. RELENG_5_3 candidate. MFC after: 3 days Reviewed by: dwhite Discussed with: gnn, dwhite, green Reported by: Marc UBM Bocklet <ubm at u-boot-man dot de> Reported by: Vlad <marchenko at gmail dot com>
2123 lines
58 KiB
C
2123 lines
58 KiB
C
/*
|
|
* Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#include "opt_compat.h"
|
|
#include "opt_inet.h"
|
|
#include "opt_inet6.h"
|
|
#include "opt_ipsec.h"
|
|
#include "opt_mac.h"
|
|
#include "opt_tcpdebug.h"
|
|
#include "opt_tcp_sack.h"
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/callout.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/sysctl.h>
|
|
#include <sys/mac.h>
|
|
#include <sys/malloc.h>
|
|
#include <sys/mbuf.h>
|
|
#ifdef INET6
|
|
#include <sys/domain.h>
|
|
#endif
|
|
#include <sys/proc.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/socketvar.h>
|
|
#include <sys/protosw.h>
|
|
#include <sys/random.h>
|
|
|
|
#include <vm/uma.h>
|
|
|
|
#include <net/route.h>
|
|
#include <net/if.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#ifdef INET6
|
|
#include <netinet/ip6.h>
|
|
#endif
|
|
#include <netinet/in_pcb.h>
|
|
#ifdef INET6
|
|
#include <netinet6/in6_pcb.h>
|
|
#endif
|
|
#include <netinet/in_var.h>
|
|
#include <netinet/ip_var.h>
|
|
#ifdef INET6
|
|
#include <netinet6/ip6_var.h>
|
|
#include <netinet6/nd6.h>
|
|
#endif
|
|
#include <netinet/tcp.h>
|
|
#include <netinet/tcp_fsm.h>
|
|
#include <netinet/tcp_seq.h>
|
|
#include <netinet/tcp_timer.h>
|
|
#include <netinet/tcp_var.h>
|
|
#ifdef INET6
|
|
#include <netinet6/tcp6_var.h>
|
|
#endif
|
|
#include <netinet/tcpip.h>
|
|
#ifdef TCPDEBUG
|
|
#include <netinet/tcp_debug.h>
|
|
#endif
|
|
#include <netinet6/ip6protosw.h>
|
|
|
|
#ifdef IPSEC
|
|
#include <netinet6/ipsec.h>
|
|
#ifdef INET6
|
|
#include <netinet6/ipsec6.h>
|
|
#endif
|
|
#endif /*IPSEC*/
|
|
|
|
#ifdef FAST_IPSEC
|
|
#include <netipsec/ipsec.h>
|
|
#include <netipsec/xform.h>
|
|
#ifdef INET6
|
|
#include <netipsec/ipsec6.h>
|
|
#endif
|
|
#include <netipsec/key.h>
|
|
#define IPSEC
|
|
#endif /*FAST_IPSEC*/
|
|
|
|
#include <machine/in_cksum.h>
|
|
#include <sys/md5.h>
|
|
|
|
int tcp_mssdflt = TCP_MSS;
|
|
SYSCTL_INT(_net_inet_tcp, TCPCTL_MSSDFLT, mssdflt, CTLFLAG_RW,
|
|
&tcp_mssdflt , 0, "Default TCP Maximum Segment Size");
|
|
|
|
#ifdef INET6
|
|
int tcp_v6mssdflt = TCP6_MSS;
|
|
SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
|
|
CTLFLAG_RW, &tcp_v6mssdflt , 0,
|
|
"Default TCP Maximum Segment Size for IPv6");
|
|
#endif
|
|
|
|
/*
|
|
* Minimum MSS we accept and use. This prevents DoS attacks where
|
|
* we are forced to a ridiculous low MSS like 20 and send hundreds
|
|
* of packets instead of one. The effect scales with the available
|
|
* bandwidth and quickly saturates the CPU and network interface
|
|
* with packet generation and sending. Set to zero to disable MINMSS
|
|
* checking. This setting prevents us from sending too small packets.
|
|
*/
|
|
int tcp_minmss = TCP_MINMSS;
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
|
|
&tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
|
|
/*
|
|
* Number of TCP segments per second we accept from remote host
|
|
* before we start to calculate average segment size. If average
|
|
* segment size drops below the minimum TCP MSS we assume a DoS
|
|
* attack and reset+drop the connection. Care has to be taken not to
|
|
* set this value too small to not kill interactive type connections
|
|
* (telnet, SSH) which send many small packets.
|
|
*/
|
|
int tcp_minmssoverload = TCP_MINMSSOVERLOAD;
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW,
|
|
&tcp_minmssoverload , 0, "Number of TCP Segments per Second allowed to"
|
|
"be under the MINMSS Size");
|
|
|
|
#if 0
|
|
static int tcp_rttdflt = TCPTV_SRTTDFLT / PR_SLOWHZ;
|
|
SYSCTL_INT(_net_inet_tcp, TCPCTL_RTTDFLT, rttdflt, CTLFLAG_RW,
|
|
&tcp_rttdflt , 0, "Default maximum TCP Round Trip Time");
|
|
#endif
|
|
|
|
int tcp_do_rfc1323 = 1;
|
|
SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
|
|
&tcp_do_rfc1323 , 0, "Enable rfc1323 (high performance TCP) extensions");
|
|
|
|
int tcp_do_rfc1644 = 0;
|
|
SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1644, rfc1644, CTLFLAG_RW,
|
|
&tcp_do_rfc1644 , 0, "Enable rfc1644 (TTCP) extensions");
|
|
|
|
static int tcp_tcbhashsize = 0;
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcbhashsize, CTLFLAG_RDTUN,
|
|
&tcp_tcbhashsize, 0, "Size of TCP control-block hashtable");
|
|
|
|
static int do_tcpdrain = 1;
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
|
|
"Enable tcp_drain routine for extra help when low on mbufs");
|
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, pcbcount, CTLFLAG_RD,
|
|
&tcbinfo.ipi_count, 0, "Number of active PCBs");
|
|
|
|
static int icmp_may_rst = 1;
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0,
|
|
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
|
|
|
|
static int tcp_isn_reseed_interval = 0;
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
|
|
&tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
|
|
|
|
/*
|
|
* TCP bandwidth limiting sysctls. Note that the default lower bound of
|
|
* 1024 exists only for debugging. A good production default would be
|
|
* something like 6100.
|
|
*/
|
|
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0,
|
|
"TCP inflight data limiting");
|
|
|
|
static int tcp_inflight_enable = 1;
|
|
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, enable, CTLFLAG_RW,
|
|
&tcp_inflight_enable, 0, "Enable automatic TCP inflight data limiting");
|
|
|
|
static int tcp_inflight_debug = 0;
|
|
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
|
|
&tcp_inflight_debug, 0, "Debug TCP inflight calculations");
|
|
|
|
static int tcp_inflight_min = 6144;
|
|
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, min, CTLFLAG_RW,
|
|
&tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
|
|
|
|
static int tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, max, CTLFLAG_RW,
|
|
&tcp_inflight_max, 0, "Upper-bound for TCP inflight window");
|
|
|
|
static int tcp_inflight_stab = 20;
|
|
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, stab, CTLFLAG_RW,
|
|
&tcp_inflight_stab, 0, "Inflight Algorithm Stabilization 20 = 2 packets");
|
|
|
|
uma_zone_t sack_hole_zone;
|
|
|
|
static struct inpcb *tcp_notify(struct inpcb *, int);
|
|
static void tcp_discardcb(struct tcpcb *);
|
|
static void tcp_isn_tick(void *);
|
|
|
|
/*
|
|
* Target size of TCP PCB hash tables. Must be a power of two.
|
|
*
|
|
* Note that this can be overridden by the kernel environment
|
|
* variable net.inet.tcp.tcbhashsize
|
|
*/
|
|
#ifndef TCBHASHSIZE
|
|
#define TCBHASHSIZE 512
|
|
#endif
|
|
|
|
/*
|
|
* XXX
|
|
* Callouts should be moved into struct tcp directly. They are currently
|
|
* separate because the tcpcb structure is exported to userland for sysctl
|
|
* parsing purposes, which do not know about callouts.
|
|
*/
|
|
struct tcpcb_mem {
|
|
struct tcpcb tcb;
|
|
struct callout tcpcb_mem_rexmt, tcpcb_mem_persist, tcpcb_mem_keep;
|
|
struct callout tcpcb_mem_2msl, tcpcb_mem_delack;
|
|
};
|
|
|
|
static uma_zone_t tcpcb_zone;
|
|
static uma_zone_t tcptw_zone;
|
|
struct callout isn_callout;
|
|
|
|
/*
|
|
* Tcp initialization
|
|
*/
|
|
void
|
|
tcp_init()
|
|
{
|
|
int hashsize = TCBHASHSIZE;
|
|
|
|
tcp_ccgen = 1;
|
|
|
|
tcp_delacktime = TCPTV_DELACK;
|
|
tcp_keepinit = TCPTV_KEEP_INIT;
|
|
tcp_keepidle = TCPTV_KEEP_IDLE;
|
|
tcp_keepintvl = TCPTV_KEEPINTVL;
|
|
tcp_maxpersistidle = TCPTV_KEEP_IDLE;
|
|
tcp_msl = TCPTV_MSL;
|
|
tcp_rexmit_min = TCPTV_MIN;
|
|
tcp_rexmit_slop = TCPTV_CPU_VAR;
|
|
|
|
INP_INFO_LOCK_INIT(&tcbinfo, "tcp");
|
|
LIST_INIT(&tcb);
|
|
tcbinfo.listhead = &tcb;
|
|
TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
|
|
if (!powerof2(hashsize)) {
|
|
printf("WARNING: TCB hash size not a power of 2\n");
|
|
hashsize = 512; /* safe default */
|
|
}
|
|
tcp_tcbhashsize = hashsize;
|
|
tcbinfo.hashbase = hashinit(hashsize, M_PCB, &tcbinfo.hashmask);
|
|
tcbinfo.porthashbase = hashinit(hashsize, M_PCB,
|
|
&tcbinfo.porthashmask);
|
|
tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb),
|
|
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
|
uma_zone_set_max(tcbinfo.ipi_zone, maxsockets);
|
|
#ifdef INET6
|
|
#define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
|
|
#else /* INET6 */
|
|
#define TCP_MINPROTOHDR (sizeof(struct tcpiphdr))
|
|
#endif /* INET6 */
|
|
if (max_protohdr < TCP_MINPROTOHDR)
|
|
max_protohdr = TCP_MINPROTOHDR;
|
|
if (max_linkhdr + TCP_MINPROTOHDR > MHLEN)
|
|
panic("tcp_init");
|
|
#undef TCP_MINPROTOHDR
|
|
/*
|
|
* These have to be type stable for the benefit of the timers.
|
|
*/
|
|
tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem),
|
|
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
|
uma_zone_set_max(tcpcb_zone, maxsockets);
|
|
tcptw_zone = uma_zcreate("tcptw", sizeof(struct tcptw),
|
|
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
|
uma_zone_set_max(tcptw_zone, maxsockets / 5);
|
|
tcp_timer_init();
|
|
syncache_init();
|
|
tcp_hc_init();
|
|
tcp_reass_init();
|
|
callout_init(&isn_callout, CALLOUT_MPSAFE);
|
|
tcp_isn_tick(NULL);
|
|
EVENTHANDLER_REGISTER(shutdown_pre_sync, tcp_fini, NULL,
|
|
SHUTDOWN_PRI_DEFAULT);
|
|
sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
|
|
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
|
}
|
|
|
|
void
|
|
tcp_fini(xtp)
|
|
void *xtp;
|
|
{
|
|
callout_stop(&isn_callout);
|
|
|
|
}
|
|
|
|
/*
|
|
* Fill in the IP and TCP headers for an outgoing packet, given the tcpcb.
|
|
* tcp_template used to store this data in mbufs, but we now recopy it out
|
|
* of the tcpcb each time to conserve mbufs.
|
|
*/
|
|
void
|
|
tcpip_fillheaders(inp, ip_ptr, tcp_ptr)
|
|
struct inpcb *inp;
|
|
void *ip_ptr;
|
|
void *tcp_ptr;
|
|
{
|
|
struct tcphdr *th = (struct tcphdr *)tcp_ptr;
|
|
|
|
#ifdef INET6
|
|
if ((inp->inp_vflag & INP_IPV6) != 0) {
|
|
struct ip6_hdr *ip6;
|
|
|
|
ip6 = (struct ip6_hdr *)ip_ptr;
|
|
ip6->ip6_flow = (ip6->ip6_flow & ~IPV6_FLOWINFO_MASK) |
|
|
(inp->in6p_flowinfo & IPV6_FLOWINFO_MASK);
|
|
ip6->ip6_vfc = (ip6->ip6_vfc & ~IPV6_VERSION_MASK) |
|
|
(IPV6_VERSION & IPV6_VERSION_MASK);
|
|
ip6->ip6_nxt = IPPROTO_TCP;
|
|
ip6->ip6_plen = sizeof(struct tcphdr);
|
|
ip6->ip6_src = inp->in6p_laddr;
|
|
ip6->ip6_dst = inp->in6p_faddr;
|
|
} else
|
|
#endif
|
|
{
|
|
struct ip *ip;
|
|
|
|
ip = (struct ip *)ip_ptr;
|
|
ip->ip_v = IPVERSION;
|
|
ip->ip_hl = 5;
|
|
ip->ip_tos = inp->inp_ip_tos;
|
|
ip->ip_len = 0;
|
|
ip->ip_id = 0;
|
|
ip->ip_off = 0;
|
|
ip->ip_ttl = inp->inp_ip_ttl;
|
|
ip->ip_sum = 0;
|
|
ip->ip_p = IPPROTO_TCP;
|
|
ip->ip_src = inp->inp_laddr;
|
|
ip->ip_dst = inp->inp_faddr;
|
|
}
|
|
th->th_sport = inp->inp_lport;
|
|
th->th_dport = inp->inp_fport;
|
|
th->th_seq = 0;
|
|
th->th_ack = 0;
|
|
th->th_x2 = 0;
|
|
th->th_off = 5;
|
|
th->th_flags = 0;
|
|
th->th_win = 0;
|
|
th->th_urp = 0;
|
|
th->th_sum = 0; /* in_pseudo() is called later for ipv4 */
|
|
}
|
|
|
|
/*
|
|
* Create template to be used to send tcp packets on a connection.
|
|
* Allocates an mbuf and fills in a skeletal tcp/ip header. The only
|
|
* use for this function is in keepalives, which use tcp_respond.
|
|
*/
|
|
struct tcptemp *
|
|
tcpip_maketemplate(inp)
|
|
struct inpcb *inp;
|
|
{
|
|
struct mbuf *m;
|
|
struct tcptemp *n;
|
|
|
|
m = m_get(M_DONTWAIT, MT_HEADER);
|
|
if (m == NULL)
|
|
return (0);
|
|
m->m_len = sizeof(struct tcptemp);
|
|
n = mtod(m, struct tcptemp *);
|
|
|
|
tcpip_fillheaders(inp, (void *)&n->tt_ipgen, (void *)&n->tt_t);
|
|
return (n);
|
|
}
|
|
|
|
/*
|
|
* Send a single message to the TCP at address specified by
|
|
* the given TCP/IP header. If m == NULL, then we make a copy
|
|
* of the tcpiphdr at ti and send directly to the addressed host.
|
|
* This is used to force keep alive messages out using the TCP
|
|
* template for a connection. If flags are given then we send
|
|
* a message back to the TCP which originated the * segment ti,
|
|
* and discard the mbuf containing it and any other attached mbufs.
|
|
*
|
|
* In any case the ack and sequence number of the transmitted
|
|
* segment are as specified by the parameters.
|
|
*
|
|
* NOTE: If m != NULL, then ti must point to *inside* the mbuf.
|
|
*/
|
|
void
|
|
tcp_respond(tp, ipgen, th, m, ack, seq, flags)
|
|
struct tcpcb *tp;
|
|
void *ipgen;
|
|
register struct tcphdr *th;
|
|
register struct mbuf *m;
|
|
tcp_seq ack, seq;
|
|
int flags;
|
|
{
|
|
register int tlen;
|
|
int win = 0;
|
|
struct ip *ip;
|
|
struct tcphdr *nth;
|
|
#ifdef INET6
|
|
struct ip6_hdr *ip6;
|
|
int isipv6;
|
|
#endif /* INET6 */
|
|
int ipflags = 0;
|
|
struct inpcb *inp;
|
|
|
|
KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
|
|
|
|
#ifdef INET6
|
|
isipv6 = ((struct ip *)ipgen)->ip_v == 6;
|
|
ip6 = ipgen;
|
|
#endif /* INET6 */
|
|
ip = ipgen;
|
|
|
|
if (tp != NULL) {
|
|
inp = tp->t_inpcb;
|
|
KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
|
|
INP_INFO_WLOCK_ASSERT(&tcbinfo);
|
|
INP_LOCK_ASSERT(inp);
|
|
} else
|
|
inp = NULL;
|
|
|
|
if (tp != NULL) {
|
|
if (!(flags & TH_RST)) {
|
|
win = sbspace(&inp->inp_socket->so_rcv);
|
|
if (win > (long)TCP_MAXWIN << tp->rcv_scale)
|
|
win = (long)TCP_MAXWIN << tp->rcv_scale;
|
|
}
|
|
}
|
|
if (m == NULL) {
|
|
m = m_gethdr(M_DONTWAIT, MT_HEADER);
|
|
if (m == NULL)
|
|
return;
|
|
tlen = 0;
|
|
m->m_data += max_linkhdr;
|
|
#ifdef INET6
|
|
if (isipv6) {
|
|
bcopy((caddr_t)ip6, mtod(m, caddr_t),
|
|
sizeof(struct ip6_hdr));
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
nth = (struct tcphdr *)(ip6 + 1);
|
|
} else
|
|
#endif /* INET6 */
|
|
{
|
|
bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
|
|
ip = mtod(m, struct ip *);
|
|
nth = (struct tcphdr *)(ip + 1);
|
|
}
|
|
bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr));
|
|
flags = TH_ACK;
|
|
} else {
|
|
m_freem(m->m_next);
|
|
m->m_next = NULL;
|
|
m->m_data = (caddr_t)ipgen;
|
|
/* m_len is set later */
|
|
tlen = 0;
|
|
#define xchg(a,b,type) { type t; t=a; a=b; b=t; }
|
|
#ifdef INET6
|
|
if (isipv6) {
|
|
xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr);
|
|
nth = (struct tcphdr *)(ip6 + 1);
|
|
} else
|
|
#endif /* INET6 */
|
|
{
|
|
xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, n_long);
|
|
nth = (struct tcphdr *)(ip + 1);
|
|
}
|
|
if (th != nth) {
|
|
/*
|
|
* this is usually a case when an extension header
|
|
* exists between the IPv6 header and the
|
|
* TCP header.
|
|
*/
|
|
nth->th_sport = th->th_sport;
|
|
nth->th_dport = th->th_dport;
|
|
}
|
|
xchg(nth->th_dport, nth->th_sport, n_short);
|
|
#undef xchg
|
|
}
|
|
#ifdef INET6
|
|
if (isipv6) {
|
|
ip6->ip6_flow = 0;
|
|
ip6->ip6_vfc = IPV6_VERSION;
|
|
ip6->ip6_nxt = IPPROTO_TCP;
|
|
ip6->ip6_plen = htons((u_short)(sizeof (struct tcphdr) +
|
|
tlen));
|
|
tlen += sizeof (struct ip6_hdr) + sizeof (struct tcphdr);
|
|
} else
|
|
#endif
|
|
{
|
|
tlen += sizeof (struct tcpiphdr);
|
|
ip->ip_len = tlen;
|
|
ip->ip_ttl = ip_defttl;
|
|
if (path_mtu_discovery)
|
|
ip->ip_off |= IP_DF;
|
|
}
|
|
m->m_len = tlen;
|
|
m->m_pkthdr.len = tlen;
|
|
m->m_pkthdr.rcvif = NULL;
|
|
#ifdef MAC
|
|
if (inp != NULL) {
|
|
/*
|
|
* Packet is associated with a socket, so allow the
|
|
* label of the response to reflect the socket label.
|
|
*/
|
|
INP_LOCK_ASSERT(inp);
|
|
mac_create_mbuf_from_inpcb(inp, m);
|
|
} else {
|
|
/*
|
|
* Packet is not associated with a socket, so possibly
|
|
* update the label in place.
|
|
*/
|
|
mac_reflect_mbuf_tcp(m);
|
|
}
|
|
#endif
|
|
nth->th_seq = htonl(seq);
|
|
nth->th_ack = htonl(ack);
|
|
nth->th_x2 = 0;
|
|
nth->th_off = sizeof (struct tcphdr) >> 2;
|
|
nth->th_flags = flags;
|
|
if (tp != NULL)
|
|
nth->th_win = htons((u_short) (win >> tp->rcv_scale));
|
|
else
|
|
nth->th_win = htons((u_short)win);
|
|
nth->th_urp = 0;
|
|
#ifdef INET6
|
|
if (isipv6) {
|
|
nth->th_sum = 0;
|
|
nth->th_sum = in6_cksum(m, IPPROTO_TCP,
|
|
sizeof(struct ip6_hdr),
|
|
tlen - sizeof(struct ip6_hdr));
|
|
ip6->ip6_hlim = in6_selecthlim(tp != NULL ? tp->t_inpcb :
|
|
NULL, NULL);
|
|
} else
|
|
#endif /* INET6 */
|
|
{
|
|
nth->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
|
|
htons((u_short)(tlen - sizeof(struct ip) + ip->ip_p)));
|
|
m->m_pkthdr.csum_flags = CSUM_TCP;
|
|
m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
|
|
}
|
|
#ifdef TCPDEBUG
|
|
if (tp == NULL || (inp->inp_socket->so_options & SO_DEBUG))
|
|
tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0);
|
|
#endif
|
|
#ifdef INET6
|
|
if (isipv6)
|
|
(void) ip6_output(m, NULL, NULL, ipflags, NULL, NULL, inp);
|
|
else
|
|
#endif /* INET6 */
|
|
(void) ip_output(m, NULL, NULL, ipflags, NULL, inp);
|
|
}
|
|
|
|
/*
|
|
* Create a new TCP control block, making an
|
|
* empty reassembly queue and hooking it to the argument
|
|
* protocol control block. The `inp' parameter must have
|
|
* come from the zone allocator set up in tcp_init().
|
|
*/
|
|
struct tcpcb *
|
|
tcp_newtcpcb(inp)
|
|
struct inpcb *inp;
|
|
{
|
|
struct tcpcb_mem *tm;
|
|
struct tcpcb *tp;
|
|
#ifdef INET6
|
|
int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
|
|
#endif /* INET6 */
|
|
int callout_flag;
|
|
|
|
tm = uma_zalloc(tcpcb_zone, M_NOWAIT | M_ZERO);
|
|
if (tm == NULL)
|
|
return (NULL);
|
|
tp = &tm->tcb;
|
|
/* LIST_INIT(&tp->t_segq); */ /* XXX covered by M_ZERO */
|
|
tp->t_maxseg = tp->t_maxopd =
|
|
#ifdef INET6
|
|
isipv6 ? tcp_v6mssdflt :
|
|
#endif /* INET6 */
|
|
tcp_mssdflt;
|
|
|
|
/* Set up our timeouts. */
|
|
/*
|
|
* XXXRW: Are these actually MPSAFE? I think so, but need to
|
|
* review the timed wait code, as it has some list variables,
|
|
* etc, that are global.
|
|
*/
|
|
callout_flag = debug_mpsafenet ? CALLOUT_MPSAFE : 0;
|
|
callout_init(tp->tt_rexmt = &tm->tcpcb_mem_rexmt, callout_flag);
|
|
callout_init(tp->tt_persist = &tm->tcpcb_mem_persist, callout_flag);
|
|
callout_init(tp->tt_keep = &tm->tcpcb_mem_keep, callout_flag);
|
|
callout_init(tp->tt_2msl = &tm->tcpcb_mem_2msl, callout_flag);
|
|
callout_init(tp->tt_delack = &tm->tcpcb_mem_delack, callout_flag);
|
|
|
|
if (tcp_do_rfc1323)
|
|
tp->t_flags = (TF_REQ_SCALE|TF_REQ_TSTMP);
|
|
if (tcp_do_rfc1644)
|
|
tp->t_flags |= TF_REQ_CC;
|
|
tp->sack_enable = tcp_do_sack;
|
|
tp->t_inpcb = inp; /* XXX */
|
|
/*
|
|
* Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no
|
|
* rtt estimate. Set rttvar so that srtt + 4 * rttvar gives
|
|
* reasonable initial retransmit time.
|
|
*/
|
|
tp->t_srtt = TCPTV_SRTTBASE;
|
|
tp->t_rttvar = ((TCPTV_RTOBASE - TCPTV_SRTTBASE) << TCP_RTTVAR_SHIFT) / 4;
|
|
tp->t_rttmin = tcp_rexmit_min;
|
|
tp->t_rxtcur = TCPTV_RTOBASE;
|
|
tp->snd_cwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
tp->snd_ssthresh = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
tp->t_rcvtime = ticks;
|
|
tp->t_bw_rtttime = ticks;
|
|
/*
|
|
* IPv4 TTL initialization is necessary for an IPv6 socket as well,
|
|
* because the socket may be bound to an IPv6 wildcard address,
|
|
* which may match an IPv4-mapped IPv6 address.
|
|
*/
|
|
inp->inp_ip_ttl = ip_defttl;
|
|
inp->inp_ppcb = (caddr_t)tp;
|
|
return (tp); /* XXX */
|
|
}
|
|
|
|
/*
|
|
* Drop a TCP connection, reporting
|
|
* the specified error. If connection is synchronized,
|
|
* then send a RST to peer.
|
|
*/
|
|
struct tcpcb *
|
|
tcp_drop(tp, errno)
|
|
register struct tcpcb *tp;
|
|
int errno;
|
|
{
|
|
struct socket *so = tp->t_inpcb->inp_socket;
|
|
|
|
if (TCPS_HAVERCVDSYN(tp->t_state)) {
|
|
tp->t_state = TCPS_CLOSED;
|
|
(void) tcp_output(tp);
|
|
tcpstat.tcps_drops++;
|
|
} else
|
|
tcpstat.tcps_conndrops++;
|
|
if (errno == ETIMEDOUT && tp->t_softerror)
|
|
errno = tp->t_softerror;
|
|
so->so_error = errno;
|
|
return (tcp_close(tp));
|
|
}
|
|
|
|
static void
|
|
tcp_discardcb(tp)
|
|
struct tcpcb *tp;
|
|
{
|
|
struct tseg_qent *q;
|
|
struct inpcb *inp = tp->t_inpcb;
|
|
struct socket *so = inp->inp_socket;
|
|
#ifdef INET6
|
|
int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
|
|
#endif /* INET6 */
|
|
|
|
/*
|
|
* Make sure that all of our timers are stopped before we
|
|
* delete the PCB.
|
|
*/
|
|
callout_stop(tp->tt_rexmt);
|
|
callout_stop(tp->tt_persist);
|
|
callout_stop(tp->tt_keep);
|
|
callout_stop(tp->tt_2msl);
|
|
callout_stop(tp->tt_delack);
|
|
|
|
/*
|
|
* If we got enough samples through the srtt filter,
|
|
* save the rtt and rttvar in the routing entry.
|
|
* 'Enough' is arbitrarily defined as 4 rtt samples.
|
|
* 4 samples is enough for the srtt filter to converge
|
|
* to within enough % of the correct value; fewer samples
|
|
* and we could save a bogus rtt. The danger is not high
|
|
* as tcp quickly recovers from everything.
|
|
* XXX: Works very well but needs some more statistics!
|
|
*/
|
|
if (tp->t_rttupdated >= 4) {
|
|
struct hc_metrics_lite metrics;
|
|
u_long ssthresh;
|
|
|
|
bzero(&metrics, sizeof(metrics));
|
|
/*
|
|
* Update the ssthresh always when the conditions below
|
|
* are satisfied. This gives us better new start value
|
|
* for the congestion avoidance for new connections.
|
|
* ssthresh is only set if packet loss occured on a session.
|
|
*/
|
|
ssthresh = tp->snd_ssthresh;
|
|
if (ssthresh != 0 && ssthresh < so->so_snd.sb_hiwat / 2) {
|
|
/*
|
|
* convert the limit from user data bytes to
|
|
* packets then to packet data bytes.
|
|
*/
|
|
ssthresh = (ssthresh + tp->t_maxseg / 2) / tp->t_maxseg;
|
|
if (ssthresh < 2)
|
|
ssthresh = 2;
|
|
ssthresh *= (u_long)(tp->t_maxseg +
|
|
#ifdef INET6
|
|
(isipv6 ? sizeof (struct ip6_hdr) +
|
|
sizeof (struct tcphdr) :
|
|
#endif
|
|
sizeof (struct tcpiphdr)
|
|
#ifdef INET6
|
|
)
|
|
#endif
|
|
);
|
|
} else
|
|
ssthresh = 0;
|
|
metrics.rmx_ssthresh = ssthresh;
|
|
|
|
metrics.rmx_rtt = tp->t_srtt;
|
|
metrics.rmx_rttvar = tp->t_rttvar;
|
|
/* XXX: This wraps if the pipe is more than 4 Gbit per second */
|
|
metrics.rmx_bandwidth = tp->snd_bandwidth;
|
|
metrics.rmx_cwnd = tp->snd_cwnd;
|
|
metrics.rmx_sendpipe = 0;
|
|
metrics.rmx_recvpipe = 0;
|
|
|
|
tcp_hc_update(&inp->inp_inc, &metrics);
|
|
}
|
|
|
|
/* free the reassembly queue, if any */
|
|
while ((q = LIST_FIRST(&tp->t_segq)) != NULL) {
|
|
LIST_REMOVE(q, tqe_q);
|
|
m_freem(q->tqe_m);
|
|
uma_zfree(tcp_reass_zone, q);
|
|
tp->t_segqlen--;
|
|
tcp_reass_qsize--;
|
|
}
|
|
tcp_free_sackholes(tp);
|
|
inp->inp_ppcb = NULL;
|
|
tp->t_inpcb = NULL;
|
|
uma_zfree(tcpcb_zone, tp);
|
|
soisdisconnected(so);
|
|
}
|
|
|
|
/*
|
|
* Close a TCP control block:
|
|
* discard all space held by the tcp
|
|
* discard internet protocol block
|
|
* wake up any sleepers
|
|
*/
|
|
struct tcpcb *
|
|
tcp_close(tp)
|
|
struct tcpcb *tp;
|
|
{
|
|
struct inpcb *inp = tp->t_inpcb;
|
|
#ifdef INET6
|
|
struct socket *so = inp->inp_socket;
|
|
#endif
|
|
|
|
tcp_discardcb(tp);
|
|
#ifdef INET6
|
|
if (INP_CHECK_SOCKAF(so, AF_INET6))
|
|
in6_pcbdetach(inp);
|
|
else
|
|
#endif
|
|
in_pcbdetach(inp);
|
|
tcpstat.tcps_closed++;
|
|
return (NULL);
|
|
}
|
|
|
|
void
|
|
tcp_drain()
|
|
{
|
|
if (do_tcpdrain)
|
|
{
|
|
struct inpcb *inpb;
|
|
struct tcpcb *tcpb;
|
|
struct tseg_qent *te;
|
|
|
|
/*
|
|
* Walk the tcpbs, if existing, and flush the reassembly queue,
|
|
* if there is one...
|
|
* XXX: The "Net/3" implementation doesn't imply that the TCP
|
|
* reassembly queue should be flushed, but in a situation
|
|
* where we're really low on mbufs, this is potentially
|
|
* usefull.
|
|
*/
|
|
INP_INFO_RLOCK(&tcbinfo);
|
|
LIST_FOREACH(inpb, tcbinfo.listhead, inp_list) {
|
|
if (inpb->inp_vflag & INP_TIMEWAIT)
|
|
continue;
|
|
INP_LOCK(inpb);
|
|
if ((tcpb = intotcpcb(inpb)) != NULL) {
|
|
while ((te = LIST_FIRST(&tcpb->t_segq))
|
|
!= NULL) {
|
|
LIST_REMOVE(te, tqe_q);
|
|
m_freem(te->tqe_m);
|
|
uma_zfree(tcp_reass_zone, te);
|
|
tcpb->t_segqlen--;
|
|
tcp_reass_qsize--;
|
|
}
|
|
}
|
|
INP_UNLOCK(inpb);
|
|
}
|
|
INP_INFO_RUNLOCK(&tcbinfo);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Notify a tcp user of an asynchronous error;
|
|
* store error as soft error, but wake up user
|
|
* (for now, won't do anything until can select for soft error).
|
|
*
|
|
* Do not wake up user since there currently is no mechanism for
|
|
* reporting soft errors (yet - a kqueue filter may be added).
|
|
*/
|
|
static struct inpcb *
|
|
tcp_notify(inp, error)
|
|
struct inpcb *inp;
|
|
int error;
|
|
{
|
|
struct tcpcb *tp = (struct tcpcb *)inp->inp_ppcb;
|
|
|
|
/*
|
|
* Ignore some errors if we are hooked up.
|
|
* If connection hasn't completed, has retransmitted several times,
|
|
* and receives a second error, give up now. This is better
|
|
* than waiting a long time to establish a connection that
|
|
* can never complete.
|
|
*/
|
|
if (tp->t_state == TCPS_ESTABLISHED &&
|
|
(error == EHOSTUNREACH || error == ENETUNREACH ||
|
|
error == EHOSTDOWN)) {
|
|
return inp;
|
|
} else if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 &&
|
|
tp->t_softerror) {
|
|
tcp_drop(tp, error);
|
|
return (struct inpcb *)0;
|
|
} else {
|
|
tp->t_softerror = error;
|
|
return inp;
|
|
}
|
|
#if 0
|
|
wakeup( &so->so_timeo);
|
|
sorwakeup(so);
|
|
sowwakeup(so);
|
|
#endif
|
|
}
|
|
|
|
static int
|
|
tcp_pcblist(SYSCTL_HANDLER_ARGS)
|
|
{
|
|
int error, i, n, s;
|
|
struct inpcb *inp, **inp_list;
|
|
inp_gen_t gencnt;
|
|
struct xinpgen xig;
|
|
|
|
/*
|
|
* The process of preparing the TCB list is too time-consuming and
|
|
* resource-intensive to repeat twice on every request.
|
|
*/
|
|
if (req->oldptr == NULL) {
|
|
n = tcbinfo.ipi_count;
|
|
req->oldidx = 2 * (sizeof xig)
|
|
+ (n + n/8) * sizeof(struct xtcpcb);
|
|
return 0;
|
|
}
|
|
|
|
if (req->newptr != NULL)
|
|
return EPERM;
|
|
|
|
/*
|
|
* OK, now we're committed to doing something.
|
|
*/
|
|
s = splnet();
|
|
INP_INFO_RLOCK(&tcbinfo);
|
|
gencnt = tcbinfo.ipi_gencnt;
|
|
n = tcbinfo.ipi_count;
|
|
INP_INFO_RUNLOCK(&tcbinfo);
|
|
splx(s);
|
|
|
|
error = sysctl_wire_old_buffer(req, 2 * (sizeof xig)
|
|
+ n * sizeof(struct xtcpcb));
|
|
if (error != 0)
|
|
return (error);
|
|
|
|
xig.xig_len = sizeof xig;
|
|
xig.xig_count = n;
|
|
xig.xig_gen = gencnt;
|
|
xig.xig_sogen = so_gencnt;
|
|
error = SYSCTL_OUT(req, &xig, sizeof xig);
|
|
if (error)
|
|
return error;
|
|
|
|
inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
|
|
if (inp_list == NULL)
|
|
return ENOMEM;
|
|
|
|
s = splnet();
|
|
INP_INFO_RLOCK(&tcbinfo);
|
|
for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp != NULL && i < n;
|
|
inp = LIST_NEXT(inp, inp_list)) {
|
|
INP_LOCK(inp);
|
|
if (inp->inp_gencnt <= gencnt) {
|
|
/*
|
|
* XXX: This use of cr_cansee(), introduced with
|
|
* TCP state changes, is not quite right, but for
|
|
* now, better than nothing.
|
|
*/
|
|
if (inp->inp_vflag & INP_TIMEWAIT)
|
|
error = cr_cansee(req->td->td_ucred,
|
|
intotw(inp)->tw_cred);
|
|
else
|
|
error = cr_canseesocket(req->td->td_ucred,
|
|
inp->inp_socket);
|
|
if (error == 0)
|
|
inp_list[i++] = inp;
|
|
}
|
|
INP_UNLOCK(inp);
|
|
}
|
|
INP_INFO_RUNLOCK(&tcbinfo);
|
|
splx(s);
|
|
n = i;
|
|
|
|
error = 0;
|
|
for (i = 0; i < n; i++) {
|
|
inp = inp_list[i];
|
|
if (inp->inp_gencnt <= gencnt) {
|
|
struct xtcpcb xt;
|
|
caddr_t inp_ppcb;
|
|
xt.xt_len = sizeof xt;
|
|
/* XXX should avoid extra copy */
|
|
bcopy(inp, &xt.xt_inp, sizeof *inp);
|
|
inp_ppcb = inp->inp_ppcb;
|
|
if (inp_ppcb == NULL)
|
|
bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
|
|
else if (inp->inp_vflag & INP_TIMEWAIT) {
|
|
bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
|
|
xt.xt_tp.t_state = TCPS_TIME_WAIT;
|
|
} else
|
|
bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
|
|
if (inp->inp_socket != NULL)
|
|
sotoxsocket(inp->inp_socket, &xt.xt_socket);
|
|
else {
|
|
bzero(&xt.xt_socket, sizeof xt.xt_socket);
|
|
xt.xt_socket.xso_protocol = IPPROTO_TCP;
|
|
}
|
|
xt.xt_inp.inp_gencnt = inp->inp_gencnt;
|
|
error = SYSCTL_OUT(req, &xt, sizeof xt);
|
|
}
|
|
}
|
|
if (!error) {
|
|
/*
|
|
* Give the user an updated idea of our state.
|
|
* If the generation differs from what we told
|
|
* her before, she knows that something happened
|
|
* while we were processing this request, and it
|
|
* might be necessary to retry.
|
|
*/
|
|
s = splnet();
|
|
INP_INFO_RLOCK(&tcbinfo);
|
|
xig.xig_gen = tcbinfo.ipi_gencnt;
|
|
xig.xig_sogen = so_gencnt;
|
|
xig.xig_count = tcbinfo.ipi_count;
|
|
INP_INFO_RUNLOCK(&tcbinfo);
|
|
splx(s);
|
|
error = SYSCTL_OUT(req, &xig, sizeof xig);
|
|
}
|
|
free(inp_list, M_TEMP);
|
|
return error;
|
|
}
|
|
|
|
SYSCTL_PROC(_net_inet_tcp, TCPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0,
|
|
tcp_pcblist, "S,xtcpcb", "List of active TCP connections");
|
|
|
|
static int
|
|
tcp_getcred(SYSCTL_HANDLER_ARGS)
|
|
{
|
|
struct xucred xuc;
|
|
struct sockaddr_in addrs[2];
|
|
struct inpcb *inp;
|
|
int error, s;
|
|
|
|
error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL);
|
|
if (error)
|
|
return (error);
|
|
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
|
if (error)
|
|
return (error);
|
|
s = splnet();
|
|
INP_INFO_RLOCK(&tcbinfo);
|
|
inp = in_pcblookup_hash(&tcbinfo, addrs[1].sin_addr, addrs[1].sin_port,
|
|
addrs[0].sin_addr, addrs[0].sin_port, 0, NULL);
|
|
if (inp == NULL) {
|
|
error = ENOENT;
|
|
goto outunlocked;
|
|
}
|
|
INP_LOCK(inp);
|
|
if (inp->inp_socket == NULL) {
|
|
error = ENOENT;
|
|
goto out;
|
|
}
|
|
error = cr_canseesocket(req->td->td_ucred, inp->inp_socket);
|
|
if (error)
|
|
goto out;
|
|
cru2x(inp->inp_socket->so_cred, &xuc);
|
|
out:
|
|
INP_UNLOCK(inp);
|
|
outunlocked:
|
|
INP_INFO_RUNLOCK(&tcbinfo);
|
|
splx(s);
|
|
if (error == 0)
|
|
error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
|
|
return (error);
|
|
}
|
|
|
|
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
|
|
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
|
tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
|
|
|
|
#ifdef INET6
|
|
static int
|
|
tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
|
{
|
|
struct xucred xuc;
|
|
struct sockaddr_in6 addrs[2];
|
|
struct inpcb *inp;
|
|
int error, s, mapped = 0;
|
|
|
|
error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL);
|
|
if (error)
|
|
return (error);
|
|
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
|
if (error)
|
|
return (error);
|
|
if (IN6_IS_ADDR_V4MAPPED(&addrs[0].sin6_addr)) {
|
|
if (IN6_IS_ADDR_V4MAPPED(&addrs[1].sin6_addr))
|
|
mapped = 1;
|
|
else
|
|
return (EINVAL);
|
|
}
|
|
s = splnet();
|
|
INP_INFO_RLOCK(&tcbinfo);
|
|
if (mapped == 1)
|
|
inp = in_pcblookup_hash(&tcbinfo,
|
|
*(struct in_addr *)&addrs[1].sin6_addr.s6_addr[12],
|
|
addrs[1].sin6_port,
|
|
*(struct in_addr *)&addrs[0].sin6_addr.s6_addr[12],
|
|
addrs[0].sin6_port,
|
|
0, NULL);
|
|
else
|
|
inp = in6_pcblookup_hash(&tcbinfo, &addrs[1].sin6_addr,
|
|
addrs[1].sin6_port,
|
|
&addrs[0].sin6_addr, addrs[0].sin6_port,
|
|
0, NULL);
|
|
if (inp == NULL) {
|
|
error = ENOENT;
|
|
goto outunlocked;
|
|
}
|
|
INP_LOCK(inp);
|
|
if (inp->inp_socket == NULL) {
|
|
error = ENOENT;
|
|
goto out;
|
|
}
|
|
error = cr_canseesocket(req->td->td_ucred, inp->inp_socket);
|
|
if (error)
|
|
goto out;
|
|
cru2x(inp->inp_socket->so_cred, &xuc);
|
|
out:
|
|
INP_UNLOCK(inp);
|
|
outunlocked:
|
|
INP_INFO_RUNLOCK(&tcbinfo);
|
|
splx(s);
|
|
if (error == 0)
|
|
error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
|
|
return (error);
|
|
}
|
|
|
|
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
|
|
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
|
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
|
|
#endif
|
|
|
|
|
|
void
|
|
tcp_ctlinput(cmd, sa, vip)
|
|
int cmd;
|
|
struct sockaddr *sa;
|
|
void *vip;
|
|
{
|
|
struct ip *ip = vip;
|
|
struct tcphdr *th;
|
|
struct in_addr faddr;
|
|
struct inpcb *inp;
|
|
struct tcpcb *tp;
|
|
struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify;
|
|
tcp_seq icmp_seq;
|
|
int s;
|
|
|
|
faddr = ((struct sockaddr_in *)sa)->sin_addr;
|
|
if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY)
|
|
return;
|
|
|
|
if (cmd == PRC_QUENCH)
|
|
notify = tcp_quench;
|
|
else if (icmp_may_rst && (cmd == PRC_UNREACH_ADMIN_PROHIB ||
|
|
cmd == PRC_UNREACH_PORT || cmd == PRC_TIMXCEED_INTRANS) && ip)
|
|
notify = tcp_drop_syn_sent;
|
|
else if (cmd == PRC_MSGSIZE)
|
|
notify = tcp_mtudisc;
|
|
/*
|
|
* Redirects don't need to be handled up here.
|
|
*/
|
|
else if (PRC_IS_REDIRECT(cmd))
|
|
return;
|
|
/*
|
|
* Hostdead is ugly because it goes linearly through all PCBs.
|
|
* XXX: We never get this from ICMP, otherwise it makes an
|
|
* excellent DoS attack on machines with many connections.
|
|
*/
|
|
else if (cmd == PRC_HOSTDEAD)
|
|
ip = NULL;
|
|
else if ((unsigned)cmd >= PRC_NCMDS || inetctlerrmap[cmd] == 0)
|
|
return;
|
|
if (ip != NULL) {
|
|
s = splnet();
|
|
th = (struct tcphdr *)((caddr_t)ip
|
|
+ (ip->ip_hl << 2));
|
|
INP_INFO_WLOCK(&tcbinfo);
|
|
inp = in_pcblookup_hash(&tcbinfo, faddr, th->th_dport,
|
|
ip->ip_src, th->th_sport, 0, NULL);
|
|
if (inp != NULL) {
|
|
INP_LOCK(inp);
|
|
if (inp->inp_socket != NULL) {
|
|
icmp_seq = htonl(th->th_seq);
|
|
tp = intotcpcb(inp);
|
|
if (SEQ_GEQ(icmp_seq, tp->snd_una) &&
|
|
SEQ_LT(icmp_seq, tp->snd_max))
|
|
inp = (*notify)(inp, inetctlerrmap[cmd]);
|
|
}
|
|
if (inp != NULL)
|
|
INP_UNLOCK(inp);
|
|
} else {
|
|
struct in_conninfo inc;
|
|
|
|
inc.inc_fport = th->th_dport;
|
|
inc.inc_lport = th->th_sport;
|
|
inc.inc_faddr = faddr;
|
|
inc.inc_laddr = ip->ip_src;
|
|
#ifdef INET6
|
|
inc.inc_isipv6 = 0;
|
|
#endif
|
|
syncache_unreach(&inc, th);
|
|
}
|
|
INP_INFO_WUNLOCK(&tcbinfo);
|
|
splx(s);
|
|
} else
|
|
in_pcbnotifyall(&tcbinfo, faddr, inetctlerrmap[cmd], notify);
|
|
}
|
|
|
|
#ifdef INET6
|
|
void
|
|
tcp6_ctlinput(cmd, sa, d)
|
|
int cmd;
|
|
struct sockaddr *sa;
|
|
void *d;
|
|
{
|
|
struct tcphdr th;
|
|
struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify;
|
|
struct ip6_hdr *ip6;
|
|
struct mbuf *m;
|
|
struct ip6ctlparam *ip6cp = NULL;
|
|
const struct sockaddr_in6 *sa6_src = NULL;
|
|
int off;
|
|
struct tcp_portonly {
|
|
u_int16_t th_sport;
|
|
u_int16_t th_dport;
|
|
} *thp;
|
|
|
|
if (sa->sa_family != AF_INET6 ||
|
|
sa->sa_len != sizeof(struct sockaddr_in6))
|
|
return;
|
|
|
|
if (cmd == PRC_QUENCH)
|
|
notify = tcp_quench;
|
|
else if (cmd == PRC_MSGSIZE)
|
|
notify = tcp_mtudisc;
|
|
else if (!PRC_IS_REDIRECT(cmd) &&
|
|
((unsigned)cmd >= PRC_NCMDS || inet6ctlerrmap[cmd] == 0))
|
|
return;
|
|
|
|
/* if the parameter is from icmp6, decode it. */
|
|
if (d != NULL) {
|
|
ip6cp = (struct ip6ctlparam *)d;
|
|
m = ip6cp->ip6c_m;
|
|
ip6 = ip6cp->ip6c_ip6;
|
|
off = ip6cp->ip6c_off;
|
|
sa6_src = ip6cp->ip6c_src;
|
|
} else {
|
|
m = NULL;
|
|
ip6 = NULL;
|
|
off = 0; /* fool gcc */
|
|
sa6_src = &sa6_any;
|
|
}
|
|
|
|
if (ip6 != NULL) {
|
|
struct in_conninfo inc;
|
|
/*
|
|
* XXX: We assume that when IPV6 is non NULL,
|
|
* M and OFF are valid.
|
|
*/
|
|
|
|
/* check if we can safely examine src and dst ports */
|
|
if (m->m_pkthdr.len < off + sizeof(*thp))
|
|
return;
|
|
|
|
bzero(&th, sizeof(th));
|
|
m_copydata(m, off, sizeof(*thp), (caddr_t)&th);
|
|
|
|
in6_pcbnotify(&tcbinfo, sa, th.th_dport,
|
|
(struct sockaddr *)ip6cp->ip6c_src,
|
|
th.th_sport, cmd, NULL, notify);
|
|
|
|
inc.inc_fport = th.th_dport;
|
|
inc.inc_lport = th.th_sport;
|
|
inc.inc6_faddr = ((struct sockaddr_in6 *)sa)->sin6_addr;
|
|
inc.inc6_laddr = ip6cp->ip6c_src->sin6_addr;
|
|
inc.inc_isipv6 = 1;
|
|
INP_INFO_WLOCK(&tcbinfo);
|
|
syncache_unreach(&inc, &th);
|
|
INP_INFO_WUNLOCK(&tcbinfo);
|
|
} else
|
|
in6_pcbnotify(&tcbinfo, sa, 0, (const struct sockaddr *)sa6_src,
|
|
0, cmd, NULL, notify);
|
|
}
|
|
#endif /* INET6 */
|
|
|
|
|
|
/*
|
|
* Following is where TCP initial sequence number generation occurs.
|
|
*
|
|
* There are two places where we must use initial sequence numbers:
|
|
* 1. In SYN-ACK packets.
|
|
* 2. In SYN packets.
|
|
*
|
|
* All ISNs for SYN-ACK packets are generated by the syncache. See
|
|
* tcp_syncache.c for details.
|
|
*
|
|
* The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
|
|
* depends on this property. In addition, these ISNs should be
|
|
* unguessable so as to prevent connection hijacking. To satisfy
|
|
* the requirements of this situation, the algorithm outlined in
|
|
* RFC 1948 is used, with only small modifications.
|
|
*
|
|
* Implementation details:
|
|
*
|
|
* Time is based off the system timer, and is corrected so that it
|
|
* increases by one megabyte per second. This allows for proper
|
|
* recycling on high speed LANs while still leaving over an hour
|
|
* before rollover.
|
|
*
|
|
* As reading the *exact* system time is too expensive to be done
|
|
* whenever setting up a TCP connection, we increment the time
|
|
* offset in two ways. First, a small random positive increment
|
|
* is added to isn_offset for each connection that is set up.
|
|
* Second, the function tcp_isn_tick fires once per clock tick
|
|
* and increments isn_offset as necessary so that sequence numbers
|
|
* are incremented at approximately ISN_BYTES_PER_SECOND. The
|
|
* random positive increments serve only to ensure that the same
|
|
* exact sequence number is never sent out twice (as could otherwise
|
|
* happen when a port is recycled in less than the system tick
|
|
* interval.)
|
|
*
|
|
* net.inet.tcp.isn_reseed_interval controls the number of seconds
|
|
* between seeding of isn_secret. This is normally set to zero,
|
|
* as reseeding should not be necessary.
|
|
*
|
|
*/
|
|
|
|
#define ISN_BYTES_PER_SECOND 1048576
|
|
#define ISN_STATIC_INCREMENT 4096
|
|
#define ISN_RANDOM_INCREMENT (4096 - 1)
|
|
|
|
u_char isn_secret[32];
|
|
int isn_last_reseed;
|
|
u_int32_t isn_offset, isn_offset_old;
|
|
MD5_CTX isn_ctx;
|
|
|
|
tcp_seq
|
|
tcp_new_isn(tp)
|
|
struct tcpcb *tp;
|
|
{
|
|
u_int32_t md5_buffer[4];
|
|
tcp_seq new_isn;
|
|
|
|
/* Seed if this is the first use, reseed if requested. */
|
|
if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
|
|
(((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
|
|
< (u_int)ticks))) {
|
|
read_random(&isn_secret, sizeof(isn_secret));
|
|
isn_last_reseed = ticks;
|
|
}
|
|
|
|
/* Compute the md5 hash and return the ISN. */
|
|
MD5Init(&isn_ctx);
|
|
MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short));
|
|
MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short));
|
|
#ifdef INET6
|
|
if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) {
|
|
MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr,
|
|
sizeof(struct in6_addr));
|
|
MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr,
|
|
sizeof(struct in6_addr));
|
|
} else
|
|
#endif
|
|
{
|
|
MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr,
|
|
sizeof(struct in_addr));
|
|
MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr,
|
|
sizeof(struct in_addr));
|
|
}
|
|
MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret));
|
|
MD5Final((u_char *) &md5_buffer, &isn_ctx);
|
|
new_isn = (tcp_seq) md5_buffer[0];
|
|
isn_offset += ISN_STATIC_INCREMENT +
|
|
(arc4random() & ISN_RANDOM_INCREMENT);
|
|
new_isn += isn_offset;
|
|
return new_isn;
|
|
}
|
|
|
|
/*
|
|
* Increment the offset to the next ISN_BYTES_PER_SECOND / hz boundary
|
|
* to keep time flowing at a relatively constant rate. If the random
|
|
* increments have already pushed us past the projected offset, do nothing.
|
|
*/
|
|
static void
|
|
tcp_isn_tick(xtp)
|
|
void *xtp;
|
|
{
|
|
u_int32_t projected_offset;
|
|
|
|
projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / hz;
|
|
|
|
if (projected_offset > isn_offset)
|
|
isn_offset = projected_offset;
|
|
|
|
isn_offset_old = isn_offset;
|
|
callout_reset(&isn_callout, 1, tcp_isn_tick, NULL);
|
|
}
|
|
|
|
/*
|
|
* When a source quench is received, close congestion window
|
|
* to one segment. We will gradually open it again as we proceed.
|
|
*/
|
|
struct inpcb *
|
|
tcp_quench(inp, errno)
|
|
struct inpcb *inp;
|
|
int errno;
|
|
{
|
|
struct tcpcb *tp = intotcpcb(inp);
|
|
|
|
if (tp != NULL)
|
|
tp->snd_cwnd = tp->t_maxseg;
|
|
return (inp);
|
|
}
|
|
|
|
/*
|
|
* When a specific ICMP unreachable message is received and the
|
|
* connection state is SYN-SENT, drop the connection. This behavior
|
|
* is controlled by the icmp_may_rst sysctl.
|
|
*/
|
|
struct inpcb *
|
|
tcp_drop_syn_sent(inp, errno)
|
|
struct inpcb *inp;
|
|
int errno;
|
|
{
|
|
struct tcpcb *tp = intotcpcb(inp);
|
|
|
|
if (tp != NULL && tp->t_state == TCPS_SYN_SENT) {
|
|
tcp_drop(tp, errno);
|
|
return (struct inpcb *)0;
|
|
}
|
|
return inp;
|
|
}
|
|
|
|
/*
|
|
* When `need fragmentation' ICMP is received, update our idea of the MSS
|
|
* based on the new value in the route. Also nudge TCP to send something,
|
|
* since we know the packet we just sent was dropped.
|
|
* This duplicates some code in the tcp_mss() function in tcp_input.c.
|
|
*/
|
|
struct inpcb *
|
|
tcp_mtudisc(inp, errno)
|
|
struct inpcb *inp;
|
|
int errno;
|
|
{
|
|
struct tcpcb *tp = intotcpcb(inp);
|
|
struct rmxp_tao tao;
|
|
struct socket *so = inp->inp_socket;
|
|
u_int maxmtu;
|
|
u_int romtu;
|
|
int mss;
|
|
#ifdef INET6
|
|
int isipv6;
|
|
#endif /* INET6 */
|
|
bzero(&tao, sizeof(tao));
|
|
|
|
if (tp != NULL) {
|
|
#ifdef INET6
|
|
isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0;
|
|
#endif
|
|
maxmtu = tcp_hc_getmtu(&inp->inp_inc); /* IPv4 and IPv6 */
|
|
romtu =
|
|
#ifdef INET6
|
|
isipv6 ? tcp_maxmtu6(&inp->inp_inc) :
|
|
#endif /* INET6 */
|
|
tcp_maxmtu(&inp->inp_inc);
|
|
if (!maxmtu)
|
|
maxmtu = romtu;
|
|
else
|
|
maxmtu = min(maxmtu, romtu);
|
|
if (!maxmtu) {
|
|
tp->t_maxopd = tp->t_maxseg =
|
|
#ifdef INET6
|
|
isipv6 ? tcp_v6mssdflt :
|
|
#endif /* INET6 */
|
|
tcp_mssdflt;
|
|
return inp;
|
|
}
|
|
mss = maxmtu -
|
|
#ifdef INET6
|
|
(isipv6 ?
|
|
sizeof(struct ip6_hdr) + sizeof(struct tcphdr) :
|
|
#endif /* INET6 */
|
|
sizeof(struct tcpiphdr)
|
|
#ifdef INET6
|
|
)
|
|
#endif /* INET6 */
|
|
;
|
|
|
|
if (tcp_do_rfc1644) {
|
|
tcp_hc_gettao(&inp->inp_inc, &tao);
|
|
if (tao.tao_mssopt)
|
|
mss = min(mss, tao.tao_mssopt);
|
|
}
|
|
/*
|
|
* XXX - The above conditional probably violates the TCP
|
|
* spec. The problem is that, since we don't know the
|
|
* other end's MSS, we are supposed to use a conservative
|
|
* default. But, if we do that, then MTU discovery will
|
|
* never actually take place, because the conservative
|
|
* default is much less than the MTUs typically seen
|
|
* on the Internet today. For the moment, we'll sweep
|
|
* this under the carpet.
|
|
*
|
|
* The conservative default might not actually be a problem
|
|
* if the only case this occurs is when sending an initial
|
|
* SYN with options and data to a host we've never talked
|
|
* to before. Then, they will reply with an MSS value which
|
|
* will get recorded and the new parameters should get
|
|
* recomputed. For Further Study.
|
|
*/
|
|
if (tp->t_maxopd <= mss)
|
|
return inp;
|
|
tp->t_maxopd = mss;
|
|
|
|
if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP &&
|
|
(tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP)
|
|
mss -= TCPOLEN_TSTAMP_APPA;
|
|
if ((tp->t_flags & (TF_REQ_CC|TF_NOOPT)) == TF_REQ_CC &&
|
|
(tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC)
|
|
mss -= TCPOLEN_CC_APPA;
|
|
#if (MCLBYTES & (MCLBYTES - 1)) == 0
|
|
if (mss > MCLBYTES)
|
|
mss &= ~(MCLBYTES-1);
|
|
#else
|
|
if (mss > MCLBYTES)
|
|
mss = mss / MCLBYTES * MCLBYTES;
|
|
#endif
|
|
if (so->so_snd.sb_hiwat < mss)
|
|
mss = so->so_snd.sb_hiwat;
|
|
|
|
tp->t_maxseg = mss;
|
|
|
|
tcpstat.tcps_mturesent++;
|
|
tp->t_rtttime = 0;
|
|
tp->snd_nxt = tp->snd_una;
|
|
tcp_output(tp);
|
|
}
|
|
return inp;
|
|
}
|
|
|
|
/*
|
|
* Look-up the routing entry to the peer of this inpcb. If no route
|
|
* is found and it cannot be allocated, then return NULL. This routine
|
|
* is called by TCP routines that access the rmx structure and by tcp_mss
|
|
* to get the interface MTU.
|
|
*/
|
|
u_long
|
|
tcp_maxmtu(inc)
|
|
struct in_conninfo *inc;
|
|
{
|
|
struct route sro;
|
|
struct sockaddr_in *dst;
|
|
struct ifnet *ifp;
|
|
u_long maxmtu = 0;
|
|
|
|
KASSERT(inc != NULL, ("tcp_maxmtu with NULL in_conninfo pointer"));
|
|
|
|
bzero(&sro, sizeof(sro));
|
|
if (inc->inc_faddr.s_addr != INADDR_ANY) {
|
|
dst = (struct sockaddr_in *)&sro.ro_dst;
|
|
dst->sin_family = AF_INET;
|
|
dst->sin_len = sizeof(*dst);
|
|
dst->sin_addr = inc->inc_faddr;
|
|
rtalloc_ign(&sro, RTF_CLONING);
|
|
}
|
|
if (sro.ro_rt != NULL) {
|
|
ifp = sro.ro_rt->rt_ifp;
|
|
if (sro.ro_rt->rt_rmx.rmx_mtu == 0)
|
|
maxmtu = ifp->if_mtu;
|
|
else
|
|
maxmtu = min(sro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu);
|
|
RTFREE(sro.ro_rt);
|
|
}
|
|
return (maxmtu);
|
|
}
|
|
|
|
#ifdef INET6
|
|
u_long
|
|
tcp_maxmtu6(inc)
|
|
struct in_conninfo *inc;
|
|
{
|
|
struct route_in6 sro6;
|
|
struct ifnet *ifp;
|
|
u_long maxmtu = 0;
|
|
|
|
KASSERT(inc != NULL, ("tcp_maxmtu6 with NULL in_conninfo pointer"));
|
|
|
|
bzero(&sro6, sizeof(sro6));
|
|
if (!IN6_IS_ADDR_UNSPECIFIED(&inc->inc6_faddr)) {
|
|
sro6.ro_dst.sin6_family = AF_INET6;
|
|
sro6.ro_dst.sin6_len = sizeof(struct sockaddr_in6);
|
|
sro6.ro_dst.sin6_addr = inc->inc6_faddr;
|
|
rtalloc_ign((struct route *)&sro6, RTF_CLONING);
|
|
}
|
|
if (sro6.ro_rt != NULL) {
|
|
ifp = sro6.ro_rt->rt_ifp;
|
|
if (sro6.ro_rt->rt_rmx.rmx_mtu == 0)
|
|
maxmtu = IN6_LINKMTU(sro6.ro_rt->rt_ifp);
|
|
else
|
|
maxmtu = min(sro6.ro_rt->rt_rmx.rmx_mtu,
|
|
IN6_LINKMTU(sro6.ro_rt->rt_ifp));
|
|
RTFREE(sro6.ro_rt);
|
|
}
|
|
|
|
return (maxmtu);
|
|
}
|
|
#endif /* INET6 */
|
|
|
|
#ifdef IPSEC
|
|
/* compute ESP/AH header size for TCP, including outer IP header. */
|
|
size_t
|
|
ipsec_hdrsiz_tcp(tp)
|
|
struct tcpcb *tp;
|
|
{
|
|
struct inpcb *inp;
|
|
struct mbuf *m;
|
|
size_t hdrsiz;
|
|
struct ip *ip;
|
|
#ifdef INET6
|
|
struct ip6_hdr *ip6;
|
|
#endif
|
|
struct tcphdr *th;
|
|
|
|
if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
|
|
return 0;
|
|
MGETHDR(m, M_DONTWAIT, MT_DATA);
|
|
if (!m)
|
|
return 0;
|
|
|
|
#ifdef INET6
|
|
if ((inp->inp_vflag & INP_IPV6) != 0) {
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
th = (struct tcphdr *)(ip6 + 1);
|
|
m->m_pkthdr.len = m->m_len =
|
|
sizeof(struct ip6_hdr) + sizeof(struct tcphdr);
|
|
tcpip_fillheaders(inp, ip6, th);
|
|
hdrsiz = ipsec6_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
|
|
} else
|
|
#endif /* INET6 */
|
|
{
|
|
ip = mtod(m, struct ip *);
|
|
th = (struct tcphdr *)(ip + 1);
|
|
m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr);
|
|
tcpip_fillheaders(inp, ip, th);
|
|
hdrsiz = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
|
|
}
|
|
|
|
m_free(m);
|
|
return hdrsiz;
|
|
}
|
|
#endif /*IPSEC*/
|
|
|
|
/*
|
|
* Move a TCP connection into TIME_WAIT state.
|
|
* tcbinfo is unlocked.
|
|
* inp is locked, and is unlocked before returning.
|
|
*/
|
|
void
|
|
tcp_twstart(tp)
|
|
struct tcpcb *tp;
|
|
{
|
|
struct tcptw *tw;
|
|
struct inpcb *inp;
|
|
int tw_time, acknow;
|
|
struct socket *so;
|
|
|
|
tw = uma_zalloc(tcptw_zone, M_NOWAIT);
|
|
if (tw == NULL) {
|
|
tw = tcp_timer_2msl_tw(1);
|
|
if (tw == NULL) {
|
|
tcp_close(tp);
|
|
return;
|
|
}
|
|
}
|
|
inp = tp->t_inpcb;
|
|
tw->tw_inpcb = inp;
|
|
|
|
/*
|
|
* Recover last window size sent.
|
|
*/
|
|
tw->last_win = (tp->rcv_adv - tp->rcv_nxt) >> tp->rcv_scale;
|
|
|
|
/*
|
|
* Set t_recent if timestamps are used on the connection.
|
|
*/
|
|
if ((tp->t_flags & (TF_REQ_TSTMP|TF_RCVD_TSTMP|TF_NOOPT)) ==
|
|
(TF_REQ_TSTMP|TF_RCVD_TSTMP))
|
|
tw->t_recent = tp->ts_recent;
|
|
else
|
|
tw->t_recent = 0;
|
|
|
|
tw->snd_nxt = tp->snd_nxt;
|
|
tw->rcv_nxt = tp->rcv_nxt;
|
|
tw->iss = tp->iss;
|
|
tw->irs = tp->irs;
|
|
tw->cc_recv = tp->cc_recv;
|
|
tw->cc_send = tp->cc_send;
|
|
tw->t_starttime = tp->t_starttime;
|
|
tw->tw_time = 0;
|
|
|
|
/* XXX
|
|
* If this code will
|
|
* be used for fin-wait-2 state also, then we may need
|
|
* a ts_recent from the last segment.
|
|
*/
|
|
/* Shorten TIME_WAIT [RFC-1644, p.28] */
|
|
if (tp->cc_recv != 0 && (ticks - tp->t_starttime) < tcp_msl) {
|
|
tw_time = tp->t_rxtcur * TCPTV_TWTRUNC;
|
|
/* For T/TCP client, force ACK now. */
|
|
acknow = 1;
|
|
} else {
|
|
tw_time = 2 * tcp_msl;
|
|
acknow = tp->t_flags & TF_ACKNOW;
|
|
}
|
|
tcp_discardcb(tp);
|
|
so = inp->inp_socket;
|
|
ACCEPT_LOCK();
|
|
SOCK_LOCK(so);
|
|
so->so_pcb = NULL;
|
|
tw->tw_cred = crhold(so->so_cred);
|
|
tw->tw_so_options = so->so_options;
|
|
sotryfree(so);
|
|
inp->inp_socket = NULL;
|
|
if (acknow)
|
|
tcp_twrespond(tw, TH_ACK);
|
|
inp->inp_ppcb = (caddr_t)tw;
|
|
inp->inp_vflag |= INP_TIMEWAIT;
|
|
tcp_timer_2msl_reset(tw, tw_time);
|
|
INP_UNLOCK(inp);
|
|
}
|
|
|
|
/*
|
|
* The appromixate rate of ISN increase of Microsoft TCP stacks;
|
|
* the actual rate is slightly higher due to the addition of
|
|
* random positive increments.
|
|
*
|
|
* Most other new OSes use semi-randomized ISN values, so we
|
|
* do not need to worry about them.
|
|
*/
|
|
#define MS_ISN_BYTES_PER_SECOND 250000
|
|
|
|
/*
|
|
* Determine if the ISN we will generate has advanced beyond the last
|
|
* sequence number used by the previous connection. If so, indicate
|
|
* that it is safe to recycle this tw socket by returning 1.
|
|
*/
|
|
int
|
|
tcp_twrecycleable(struct tcptw *tw)
|
|
{
|
|
tcp_seq new_iss = tw->iss;
|
|
tcp_seq new_irs = tw->irs;
|
|
|
|
new_iss += (ticks - tw->t_starttime) * (ISN_BYTES_PER_SECOND / hz);
|
|
new_irs += (ticks - tw->t_starttime) * (MS_ISN_BYTES_PER_SECOND / hz);
|
|
|
|
if (SEQ_GT(new_iss, tw->snd_nxt) && SEQ_GT(new_irs, tw->rcv_nxt))
|
|
return 1;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
struct tcptw *
|
|
tcp_twclose(struct tcptw *tw, int reuse)
|
|
{
|
|
struct inpcb *inp;
|
|
|
|
inp = tw->tw_inpcb;
|
|
tw->tw_inpcb = NULL;
|
|
tcp_timer_2msl_stop(tw);
|
|
inp->inp_ppcb = NULL;
|
|
#ifdef INET6
|
|
if (inp->inp_vflag & INP_IPV6PROTO)
|
|
in6_pcbdetach(inp);
|
|
else
|
|
#endif
|
|
in_pcbdetach(inp);
|
|
tcpstat.tcps_closed++;
|
|
crfree(tw->tw_cred);
|
|
tw->tw_cred = NULL;
|
|
if (reuse)
|
|
return (tw);
|
|
uma_zfree(tcptw_zone, tw);
|
|
return (NULL);
|
|
}
|
|
|
|
int
|
|
tcp_twrespond(struct tcptw *tw, int flags)
|
|
{
|
|
struct inpcb *inp = tw->tw_inpcb;
|
|
struct tcphdr *th;
|
|
struct mbuf *m;
|
|
struct ip *ip = NULL;
|
|
u_int8_t *optp;
|
|
u_int hdrlen, optlen;
|
|
int error;
|
|
#ifdef INET6
|
|
struct ip6_hdr *ip6 = NULL;
|
|
int isipv6 = inp->inp_inc.inc_isipv6;
|
|
#endif
|
|
|
|
m = m_gethdr(M_DONTWAIT, MT_HEADER);
|
|
if (m == NULL)
|
|
return (ENOBUFS);
|
|
m->m_data += max_linkhdr;
|
|
|
|
#ifdef MAC
|
|
mac_create_mbuf_from_inpcb(inp, m);
|
|
#endif
|
|
|
|
#ifdef INET6
|
|
if (isipv6) {
|
|
hdrlen = sizeof(struct ip6_hdr) + sizeof(struct tcphdr);
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
th = (struct tcphdr *)(ip6 + 1);
|
|
tcpip_fillheaders(inp, ip6, th);
|
|
} else
|
|
#endif
|
|
{
|
|
hdrlen = sizeof(struct tcpiphdr);
|
|
ip = mtod(m, struct ip *);
|
|
th = (struct tcphdr *)(ip + 1);
|
|
tcpip_fillheaders(inp, ip, th);
|
|
}
|
|
optp = (u_int8_t *)(th + 1);
|
|
|
|
/*
|
|
* Send a timestamp and echo-reply if both our side and our peer
|
|
* have sent timestamps in our SYN's and this is not a RST.
|
|
*/
|
|
if (tw->t_recent && flags == TH_ACK) {
|
|
u_int32_t *lp = (u_int32_t *)optp;
|
|
|
|
/* Form timestamp option as shown in appendix A of RFC 1323. */
|
|
*lp++ = htonl(TCPOPT_TSTAMP_HDR);
|
|
*lp++ = htonl(ticks);
|
|
*lp = htonl(tw->t_recent);
|
|
optp += TCPOLEN_TSTAMP_APPA;
|
|
}
|
|
|
|
/*
|
|
* Send `CC-family' options if needed, and it's not a RST.
|
|
*/
|
|
if (tw->cc_recv != 0 && flags == TH_ACK) {
|
|
u_int32_t *lp = (u_int32_t *)optp;
|
|
|
|
*lp++ = htonl(TCPOPT_CC_HDR(TCPOPT_CC));
|
|
*lp = htonl(tw->cc_send);
|
|
optp += TCPOLEN_CC_APPA;
|
|
}
|
|
optlen = optp - (u_int8_t *)(th + 1);
|
|
|
|
m->m_len = hdrlen + optlen;
|
|
m->m_pkthdr.len = m->m_len;
|
|
|
|
KASSERT(max_linkhdr + m->m_len <= MHLEN, ("tcptw: mbuf too small"));
|
|
|
|
th->th_seq = htonl(tw->snd_nxt);
|
|
th->th_ack = htonl(tw->rcv_nxt);
|
|
th->th_off = (sizeof(struct tcphdr) + optlen) >> 2;
|
|
th->th_flags = flags;
|
|
th->th_win = htons(tw->last_win);
|
|
|
|
#ifdef INET6
|
|
if (isipv6) {
|
|
th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(struct ip6_hdr),
|
|
sizeof(struct tcphdr) + optlen);
|
|
ip6->ip6_hlim = in6_selecthlim(inp, NULL);
|
|
error = ip6_output(m, inp->in6p_outputopts, NULL,
|
|
(tw->tw_so_options & SO_DONTROUTE), NULL, NULL, inp);
|
|
} else
|
|
#endif
|
|
{
|
|
th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
|
|
htons(sizeof(struct tcphdr) + optlen + IPPROTO_TCP));
|
|
m->m_pkthdr.csum_flags = CSUM_TCP;
|
|
m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
|
|
ip->ip_len = m->m_pkthdr.len;
|
|
if (path_mtu_discovery)
|
|
ip->ip_off |= IP_DF;
|
|
error = ip_output(m, inp->inp_options, NULL,
|
|
((tw->tw_so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0),
|
|
NULL, inp);
|
|
}
|
|
if (flags & TH_ACK)
|
|
tcpstat.tcps_sndacks++;
|
|
else
|
|
tcpstat.tcps_sndctrl++;
|
|
tcpstat.tcps_sndtotal++;
|
|
return (error);
|
|
}
|
|
|
|
/*
|
|
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING
|
|
*
|
|
* This code attempts to calculate the bandwidth-delay product as a
|
|
* means of determining the optimal window size to maximize bandwidth,
|
|
* minimize RTT, and avoid the over-allocation of buffers on interfaces and
|
|
* routers. This code also does a fairly good job keeping RTTs in check
|
|
* across slow links like modems. We implement an algorithm which is very
|
|
* similar (but not meant to be) TCP/Vegas. The code operates on the
|
|
* transmitter side of a TCP connection and so only effects the transmit
|
|
* side of the connection.
|
|
*
|
|
* BACKGROUND: TCP makes no provision for the management of buffer space
|
|
* at the end points or at the intermediate routers and switches. A TCP
|
|
* stream, whether using NewReno or not, will eventually buffer as
|
|
* many packets as it is able and the only reason this typically works is
|
|
* due to the fairly small default buffers made available for a connection
|
|
* (typicaly 16K or 32K). As machines use larger windows and/or window
|
|
* scaling it is now fairly easy for even a single TCP connection to blow-out
|
|
* all available buffer space not only on the local interface, but on
|
|
* intermediate routers and switches as well. NewReno makes a misguided
|
|
* attempt to 'solve' this problem by waiting for an actual failure to occur,
|
|
* then backing off, then steadily increasing the window again until another
|
|
* failure occurs, ad-infinitum. This results in terrible oscillation that
|
|
* is only made worse as network loads increase and the idea of intentionally
|
|
* blowing out network buffers is, frankly, a terrible way to manage network
|
|
* resources.
|
|
*
|
|
* It is far better to limit the transmit window prior to the failure
|
|
* condition being achieved. There are two general ways to do this: First
|
|
* you can 'scan' through different transmit window sizes and locate the
|
|
* point where the RTT stops increasing, indicating that you have filled the
|
|
* pipe, then scan backwards until you note that RTT stops decreasing, then
|
|
* repeat ad-infinitum. This method works in principle but has severe
|
|
* implementation issues due to RTT variances, timer granularity, and
|
|
* instability in the algorithm which can lead to many false positives and
|
|
* create oscillations as well as interact badly with other TCP streams
|
|
* implementing the same algorithm.
|
|
*
|
|
* The second method is to limit the window to the bandwidth delay product
|
|
* of the link. This is the method we implement. RTT variances and our
|
|
* own manipulation of the congestion window, bwnd, can potentially
|
|
* destabilize the algorithm. For this reason we have to stabilize the
|
|
* elements used to calculate the window. We do this by using the minimum
|
|
* observed RTT, the long term average of the observed bandwidth, and
|
|
* by adding two segments worth of slop. It isn't perfect but it is able
|
|
* to react to changing conditions and gives us a very stable basis on
|
|
* which to extend the algorithm.
|
|
*/
|
|
void
|
|
tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
|
|
{
|
|
u_long bw;
|
|
u_long bwnd;
|
|
int save_ticks;
|
|
|
|
/*
|
|
* If inflight_enable is disabled in the middle of a tcp connection,
|
|
* make sure snd_bwnd is effectively disabled.
|
|
*/
|
|
if (tcp_inflight_enable == 0) {
|
|
tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
tp->snd_bandwidth = 0;
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Figure out the bandwidth. Due to the tick granularity this
|
|
* is a very rough number and it MUST be averaged over a fairly
|
|
* long period of time. XXX we need to take into account a link
|
|
* that is not using all available bandwidth, but for now our
|
|
* slop will ramp us up if this case occurs and the bandwidth later
|
|
* increases.
|
|
*
|
|
* Note: if ticks rollover 'bw' may wind up negative. We must
|
|
* effectively reset t_bw_rtttime for this case.
|
|
*/
|
|
save_ticks = ticks;
|
|
if ((u_int)(save_ticks - tp->t_bw_rtttime) < 1)
|
|
return;
|
|
|
|
bw = (int64_t)(ack_seq - tp->t_bw_rtseq) * hz /
|
|
(save_ticks - tp->t_bw_rtttime);
|
|
tp->t_bw_rtttime = save_ticks;
|
|
tp->t_bw_rtseq = ack_seq;
|
|
if (tp->t_bw_rtttime == 0 || (int)bw < 0)
|
|
return;
|
|
bw = ((int64_t)tp->snd_bandwidth * 15 + bw) >> 4;
|
|
|
|
tp->snd_bandwidth = bw;
|
|
|
|
/*
|
|
* Calculate the semi-static bandwidth delay product, plus two maximal
|
|
* segments. The additional slop puts us squarely in the sweet
|
|
* spot and also handles the bandwidth run-up case and stabilization.
|
|
* Without the slop we could be locking ourselves into a lower
|
|
* bandwidth.
|
|
*
|
|
* Situations Handled:
|
|
* (1) Prevents over-queueing of packets on LANs, especially on
|
|
* high speed LANs, allowing larger TCP buffers to be
|
|
* specified, and also does a good job preventing
|
|
* over-queueing of packets over choke points like modems
|
|
* (at least for the transmit side).
|
|
*
|
|
* (2) Is able to handle changing network loads (bandwidth
|
|
* drops so bwnd drops, bandwidth increases so bwnd
|
|
* increases).
|
|
*
|
|
* (3) Theoretically should stabilize in the face of multiple
|
|
* connections implementing the same algorithm (this may need
|
|
* a little work).
|
|
*
|
|
* (4) Stability value (defaults to 20 = 2 maximal packets) can
|
|
* be adjusted with a sysctl but typically only needs to be
|
|
* on very slow connections. A value no smaller then 5
|
|
* should be used, but only reduce this default if you have
|
|
* no other choice.
|
|
*/
|
|
#define USERTT ((tp->t_srtt + tp->t_rttbest) / 2)
|
|
bwnd = (int64_t)bw * USERTT / (hz << TCP_RTT_SHIFT) + tcp_inflight_stab * tp->t_maxseg / 10;
|
|
#undef USERTT
|
|
|
|
if (tcp_inflight_debug > 0) {
|
|
static int ltime;
|
|
if ((u_int)(ticks - ltime) >= hz / tcp_inflight_debug) {
|
|
ltime = ticks;
|
|
printf("%p bw %ld rttbest %d srtt %d bwnd %ld\n",
|
|
tp,
|
|
bw,
|
|
tp->t_rttbest,
|
|
tp->t_srtt,
|
|
bwnd
|
|
);
|
|
}
|
|
}
|
|
if ((long)bwnd < tcp_inflight_min)
|
|
bwnd = tcp_inflight_min;
|
|
if (bwnd > tcp_inflight_max)
|
|
bwnd = tcp_inflight_max;
|
|
if ((long)bwnd < tp->t_maxseg * 2)
|
|
bwnd = tp->t_maxseg * 2;
|
|
tp->snd_bwnd = bwnd;
|
|
}
|
|
|
|
#ifdef TCP_SIGNATURE
|
|
/*
|
|
* Callback function invoked by m_apply() to digest TCP segment data
|
|
* contained within an mbuf chain.
|
|
*/
|
|
static int
|
|
tcp_signature_apply(void *fstate, void *data, u_int len)
|
|
{
|
|
|
|
MD5Update(fstate, (u_char *)data, len);
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385)
|
|
*
|
|
* Parameters:
|
|
* m pointer to head of mbuf chain
|
|
* off0 offset to TCP header within the mbuf chain
|
|
* len length of TCP segment data, excluding options
|
|
* optlen length of TCP segment options
|
|
* buf pointer to storage for computed MD5 digest
|
|
* direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
|
|
*
|
|
* We do this over ip, tcphdr, segment data, and the key in the SADB.
|
|
* When called from tcp_input(), we can be sure that th_sum has been
|
|
* zeroed out and verified already.
|
|
*
|
|
* This function is for IPv4 use only. Calling this function with an
|
|
* IPv6 packet in the mbuf chain will yield undefined results.
|
|
*
|
|
* Return 0 if successful, otherwise return -1.
|
|
*
|
|
* XXX The key is retrieved from the system's PF_KEY SADB, by keying a
|
|
* search with the destination IP address, and a 'magic SPI' to be
|
|
* determined by the application. This is hardcoded elsewhere to 1179
|
|
* right now. Another branch of this code exists which uses the SPD to
|
|
* specify per-application flows but it is unstable.
|
|
*/
|
|
int
|
|
tcp_signature_compute(struct mbuf *m, int off0, int len, int optlen,
|
|
u_char *buf, u_int direction)
|
|
{
|
|
union sockaddr_union dst;
|
|
struct ippseudo ippseudo;
|
|
MD5_CTX ctx;
|
|
int doff;
|
|
struct ip *ip;
|
|
struct ipovly *ipovly;
|
|
struct secasvar *sav;
|
|
struct tcphdr *th;
|
|
u_short savecsum;
|
|
|
|
KASSERT(m != NULL, ("NULL mbuf chain"));
|
|
KASSERT(buf != NULL, ("NULL signature pointer"));
|
|
|
|
/* Extract the destination from the IP header in the mbuf. */
|
|
ip = mtod(m, struct ip *);
|
|
bzero(&dst, sizeof(union sockaddr_union));
|
|
dst.sa.sa_len = sizeof(struct sockaddr_in);
|
|
dst.sa.sa_family = AF_INET;
|
|
dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
|
|
ip->ip_src : ip->ip_dst;
|
|
|
|
/* Look up an SADB entry which matches the address of the peer. */
|
|
sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
|
|
if (sav == NULL) {
|
|
printf("%s: SADB lookup failed for %s\n", __func__,
|
|
inet_ntoa(dst.sin.sin_addr));
|
|
return (EINVAL);
|
|
}
|
|
|
|
MD5Init(&ctx);
|
|
ipovly = (struct ipovly *)ip;
|
|
th = (struct tcphdr *)((u_char *)ip + off0);
|
|
doff = off0 + sizeof(struct tcphdr) + optlen;
|
|
|
|
/*
|
|
* Step 1: Update MD5 hash with IP pseudo-header.
|
|
*
|
|
* XXX The ippseudo header MUST be digested in network byte order,
|
|
* or else we'll fail the regression test. Assume all fields we've
|
|
* been doing arithmetic on have been in host byte order.
|
|
* XXX One cannot depend on ipovly->ih_len here. When called from
|
|
* tcp_output(), the underlying ip_len member has not yet been set.
|
|
*/
|
|
ippseudo.ippseudo_src = ipovly->ih_src;
|
|
ippseudo.ippseudo_dst = ipovly->ih_dst;
|
|
ippseudo.ippseudo_pad = 0;
|
|
ippseudo.ippseudo_p = IPPROTO_TCP;
|
|
ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen);
|
|
MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
|
|
|
|
/*
|
|
* Step 2: Update MD5 hash with TCP header, excluding options.
|
|
* The TCP checksum must be set to zero.
|
|
*/
|
|
savecsum = th->th_sum;
|
|
th->th_sum = 0;
|
|
MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
|
|
th->th_sum = savecsum;
|
|
|
|
/*
|
|
* Step 3: Update MD5 hash with TCP segment data.
|
|
* Use m_apply() to avoid an early m_pullup().
|
|
*/
|
|
if (len > 0)
|
|
m_apply(m, doff, len, tcp_signature_apply, &ctx);
|
|
|
|
/*
|
|
* Step 4: Update MD5 hash with shared secret.
|
|
*/
|
|
MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
|
|
MD5Final(buf, &ctx);
|
|
|
|
key_sa_recordxfer(sav, m);
|
|
KEY_FREESAV(&sav);
|
|
return (0);
|
|
}
|
|
#endif /* TCP_SIGNATURE */
|