280 register struct tcpiphdr *ti; 281 register struct inpcb *inp; 282 u_char *optp = NULL; 283 int optlen = 0; 284 int len, tlen, off; 285 register struct tcpcb *tp = 0; 286 register int tiflags; 287 struct socket *so = 0; 288 int todrop, acked, ourfinisacked, needoutput = 0; 289 struct in_addr laddr; 290 int dropsocket = 0; 291 int iss = 0; 292 u_long tiwin; 293 struct tcpopt to; /* options in this segment */ 294 struct rmxp_tao *taop; /* pointer to our TAO cache entry */ 295 struct rmxp_tao tao_noncached; /* in case there's no cached entry */ 296#ifdef TCPDEBUG 297 short ostate = 0; 298#endif 299 300 bzero((char *)&to, sizeof(to)); 301 302 tcpstat.tcps_rcvtotal++; 303 /* 304 * Get IP and TCP header together in first mbuf. 305 * Note: IP leaves IP header in first mbuf. 306 */ 307 ti = mtod(m, struct tcpiphdr *); 308 if (iphlen > sizeof (struct ip)) 309 ip_stripoptions(m, (struct mbuf *)0); 310 if (m->m_len < sizeof (struct tcpiphdr)) { 311 if ((m = m_pullup(m, sizeof (struct tcpiphdr))) == 0) { 312 tcpstat.tcps_rcvshort++; 313 return; 314 } 315 ti = mtod(m, struct tcpiphdr *); 316 } 317 318 /* 319 * Checksum extended TCP header and data. 320 */ 321 tlen = ((struct ip *)ti)->ip_len; 322 len = sizeof (struct ip) + tlen; 323 bzero(ti->ti_x1, sizeof(ti->ti_x1)); 324 ti->ti_len = (u_short)tlen; 325 HTONS(ti->ti_len); 326 ti->ti_sum = in_cksum(m, len); 327 if (ti->ti_sum) { 328 tcpstat.tcps_rcvbadsum++; 329 goto drop; 330 } 331 332 /* 333 * Check that TCP offset makes sense, 334 * pull out TCP options and adjust length. XXX 335 */ 336 off = ti->ti_off << 2; 337 if (off < sizeof (struct tcphdr) || off > tlen) { 338 tcpstat.tcps_rcvbadoff++; 339 goto drop; 340 } 341 tlen -= off; 342 ti->ti_len = tlen; 343 if (off > sizeof (struct tcphdr)) { 344 if (m->m_len < sizeof(struct ip) + off) { 345 if ((m = m_pullup(m, sizeof (struct ip) + off)) == 0) { 346 tcpstat.tcps_rcvshort++; 347 return; 348 } 349 ti = mtod(m, struct tcpiphdr *); 350 } 351 optlen = off - sizeof (struct tcphdr); 352 optp = mtod(m, u_char *) + sizeof (struct tcpiphdr); 353 } 354 tiflags = ti->ti_flags; 355 356#ifdef TCP_DROP_SYNFIN 357 /* 358 * If the drop_synfin option is enabled, drop all packets with 359 * both the SYN and FIN bits set. This prevents e.g. nmap from 360 * identifying the TCP/IP stack. 361 * 362 * This is incompatible with RFC1644 extensions (T/TCP). 363 */ 364 if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN)) 365 goto drop; 366#endif 367 368 /* 369 * Convert TCP protocol specific fields to host format. 370 */ 371 NTOHL(ti->ti_seq); 372 NTOHL(ti->ti_ack); 373 NTOHS(ti->ti_win); 374 NTOHS(ti->ti_urp); 375 376 /* 377 * Drop TCP, IP headers and TCP options. 378 */ 379 m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr); 380 m->m_len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr); 381 382 /* 383 * Locate pcb for segment. 384 */ 385findpcb: 386#ifdef IPFIREWALL_FORWARD 387 if (ip_fw_fwd_addr != NULL) { 388 /* 389 * Diverted. Pretend to be the destination. 390 * already got one like this? 391 */ 392 inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, 393 ti->ti_dst, ti->ti_dport, 0, m->m_pkthdr.rcvif); 394 if (!inp) { 395 /* 396 * No, then it's new. Try find the ambushing socket 397 */ 398 if (!ip_fw_fwd_addr->sin_port) { 399 inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, 400 ti->ti_sport, ip_fw_fwd_addr->sin_addr, 401 ti->ti_dport, 1, m->m_pkthdr.rcvif); 402 } else { 403 inp = in_pcblookup_hash(&tcbinfo, 404 ti->ti_src, ti->ti_sport, 405 ip_fw_fwd_addr->sin_addr, 406 ntohs(ip_fw_fwd_addr->sin_port), 1, 407 m->m_pkthdr.rcvif); 408 } 409 } 410 ip_fw_fwd_addr = NULL; 411 } else 412#endif /* IPFIREWALL_FORWARD */ 413 414 inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, 415 ti->ti_dst, ti->ti_dport, 1, m->m_pkthdr.rcvif); 416 417 /* 418 * If the state is CLOSED (i.e., TCB does not exist) then 419 * all data in the incoming segment is discarded. 420 * If the TCB exists but is in CLOSED state, it is embryonic, 421 * but should either do a listen or a connect soon. 422 */ 423 if (inp == NULL) { 424 if (log_in_vain) { 425 char buf[4*sizeof "123"]; 426 427 strcpy(buf, inet_ntoa(ti->ti_dst)); 428 switch (log_in_vain) { 429 case 1: 430 if(tiflags & TH_SYN) 431 log(LOG_INFO, 432 "Connection attempt to TCP %s:%d from %s:%d\n", 433 buf, ntohs(ti->ti_dport), 434 inet_ntoa(ti->ti_src), 435 ntohs(ti->ti_sport)); 436 break; 437 case 2: 438 log(LOG_INFO, 439 "Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n", 440 buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src), 441 ntohs(ti->ti_sport), tiflags); 442 break; 443 default: 444 break; 445 } 446 } 447#ifdef ICMP_BANDLIM 448 if (badport_bandlim(1) < 0) 449 goto drop; 450#endif 451 if (blackhole) { 452 switch (blackhole) { 453 case 1: 454 if (tiflags & TH_SYN) 455 goto drop; 456 break; 457 case 2: 458 goto drop; 459 default: 460 goto drop; 461 } 462 } 463 goto dropwithreset; 464 } 465 tp = intotcpcb(inp); 466 if (tp == 0) 467 goto dropwithreset; 468 if (tp->t_state == TCPS_CLOSED) 469 goto drop; 470 471 /* Unscale the window into a 32-bit value. */ 472 if ((tiflags & TH_SYN) == 0) 473 tiwin = ti->ti_win << tp->snd_scale; 474 else 475 tiwin = ti->ti_win; 476 477 so = inp->inp_socket; 478 if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) { 479#ifdef TCPDEBUG 480 if (so->so_options & SO_DEBUG) { 481 ostate = tp->t_state; 482 tcp_saveti = *ti; 483 } 484#endif 485 if (so->so_options & SO_ACCEPTCONN) { 486 register struct tcpcb *tp0 = tp; 487 struct socket *so2; 488 if ((tiflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) { 489 /* 490 * Note: dropwithreset makes sure we don't 491 * send a RST in response to a RST. 492 */ 493 if (tiflags & TH_ACK) { 494 tcpstat.tcps_badsyn++; 495 goto dropwithreset; 496 } 497 goto drop; 498 } 499 so2 = sonewconn(so, 0); 500 if (so2 == 0) { 501 tcpstat.tcps_listendrop++; 502 so2 = sodropablereq(so); 503 if (so2) { 504 tcp_drop(sototcpcb(so2), ETIMEDOUT); 505 so2 = sonewconn(so, 0); 506 } 507 if (!so2) 508 goto drop; 509 } 510 so = so2; 511 /* 512 * This is ugly, but .... 513 * 514 * Mark socket as temporary until we're 515 * committed to keeping it. The code at 516 * ``drop'' and ``dropwithreset'' check the 517 * flag dropsocket to see if the temporary 518 * socket created here should be discarded. 519 * We mark the socket as discardable until 520 * we're committed to it below in TCPS_LISTEN. 521 */ 522 dropsocket++; 523 inp = (struct inpcb *)so->so_pcb; 524 inp->inp_laddr = ti->ti_dst; 525 inp->inp_lport = ti->ti_dport; 526 if (in_pcbinshash(inp) != 0) { 527 /* 528 * Undo the assignments above if we failed to 529 * put the PCB on the hash lists. 530 */ 531 inp->inp_laddr.s_addr = INADDR_ANY; 532 inp->inp_lport = 0; 533 goto drop; 534 } 535 inp->inp_options = ip_srcroute(); 536 tp = intotcpcb(inp); 537 tp->t_state = TCPS_LISTEN; 538 tp->t_flags |= tp0->t_flags & (TF_NOPUSH|TF_NOOPT); 539 540 /* Compute proper scaling value from buffer space */ 541 while (tp->request_r_scale < TCP_MAX_WINSHIFT && 542 TCP_MAXWIN << tp->request_r_scale < 543 so->so_rcv.sb_hiwat) 544 tp->request_r_scale++; 545 } 546 } 547 548 /* 549 * Segment received on connection. 550 * Reset idle time and keep-alive timer. 551 */ 552 tp->t_rcvtime = ticks; 553 if (TCPS_HAVEESTABLISHED(tp->t_state)) 554 callout_reset(tp->tt_keep, tcp_keepidle, tcp_timer_keep, tp); 555 556 /* 557 * Process options if not in LISTEN state, 558 * else do it below (after getting remote address). 559 */ 560 if (tp->t_state != TCPS_LISTEN) 561 tcp_dooptions(tp, optp, optlen, ti, &to); 562 563 /* 564 * Header prediction: check for the two common cases 565 * of a uni-directional data xfer. If the packet has 566 * no control flags, is in-sequence, the window didn't 567 * change and we're not retransmitting, it's a 568 * candidate. If the length is zero and the ack moved 569 * forward, we're the sender side of the xfer. Just 570 * free the data acked & wake any higher level process 571 * that was blocked waiting for space. If the length 572 * is non-zero and the ack didn't move, we're the 573 * receiver side. If we're getting packets in-order 574 * (the reassembly queue is empty), add the data to 575 * the socket buffer and note that we need a delayed ack. 576 * Make sure that the hidden state-flags are also off. 577 * Since we check for TCPS_ESTABLISHED above, it can only 578 * be TH_NEEDSYN. 579 */ 580 if (tp->t_state == TCPS_ESTABLISHED && 581 (tiflags & (TH_SYN|TH_FIN|TH_RST|TH_URG|TH_ACK)) == TH_ACK && 582 ((tp->t_flags & (TF_NEEDSYN|TF_NEEDFIN)) == 0) && 583 ((to.to_flag & TOF_TS) == 0 || 584 TSTMP_GEQ(to.to_tsval, tp->ts_recent)) && 585 /* 586 * Using the CC option is compulsory if once started: 587 * the segment is OK if no T/TCP was negotiated or 588 * if the segment has a CC option equal to CCrecv 589 */ 590 ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) != (TF_REQ_CC|TF_RCVD_CC) || 591 ((to.to_flag & TOF_CC) != 0 && to.to_cc == tp->cc_recv)) && 592 ti->ti_seq == tp->rcv_nxt && 593 tiwin && tiwin == tp->snd_wnd && 594 tp->snd_nxt == tp->snd_max) { 595 596 /* 597 * If last ACK falls within this segment's sequence numbers, 598 * record the timestamp. 599 * NOTE that the test is modified according to the latest 600 * proposal of the tcplw@cray.com list (Braden 1993/04/26). 601 */ 602 if ((to.to_flag & TOF_TS) != 0 && 603 SEQ_LEQ(ti->ti_seq, tp->last_ack_sent)) { 604 tp->ts_recent_age = ticks; 605 tp->ts_recent = to.to_tsval; 606 } 607 608 if (ti->ti_len == 0) { 609 if (SEQ_GT(ti->ti_ack, tp->snd_una) && 610 SEQ_LEQ(ti->ti_ack, tp->snd_max) && 611 tp->snd_cwnd >= tp->snd_wnd && 612 tp->t_dupacks < tcprexmtthresh) { 613 /* 614 * this is a pure ack for outstanding data. 615 */ 616 ++tcpstat.tcps_predack; 617 /* 618 * "bad retransmit" recovery 619 */ 620 if (tp->t_rxtshift == 1 && 621 ticks < tp->t_badrxtwin) { 622 tp->snd_cwnd = tp->snd_cwnd_prev; 623 tp->snd_ssthresh = 624 tp->snd_ssthresh_prev; 625 tp->snd_nxt = tp->snd_max; 626 tp->t_badrxtwin = 0; 627 } 628 if ((to.to_flag & TOF_TS) != 0) 629 tcp_xmit_timer(tp, 630 ticks - to.to_tsecr + 1); 631 else if (tp->t_rtttime && 632 SEQ_GT(ti->ti_ack, tp->t_rtseq)) 633 tcp_xmit_timer(tp, ticks - tp->t_rtttime); 634 acked = ti->ti_ack - tp->snd_una; 635 tcpstat.tcps_rcvackpack++; 636 tcpstat.tcps_rcvackbyte += acked; 637 sbdrop(&so->so_snd, acked); 638 tp->snd_una = ti->ti_ack; 639 m_freem(m); 640 641 /* 642 * If all outstanding data are acked, stop 643 * retransmit timer, otherwise restart timer 644 * using current (possibly backed-off) value. 645 * If process is waiting for space, 646 * wakeup/selwakeup/signal. If data 647 * are ready to send, let tcp_output 648 * decide between more output or persist. 649 */ 650 if (tp->snd_una == tp->snd_max) 651 callout_stop(tp->tt_rexmt); 652 else if (!callout_active(tp->tt_persist)) 653 callout_reset(tp->tt_rexmt, 654 tp->t_rxtcur, 655 tcp_timer_rexmt, tp); 656 657 sowwakeup(so); 658 if (so->so_snd.sb_cc) 659 (void) tcp_output(tp); 660 return; 661 } 662 } else if (ti->ti_ack == tp->snd_una && 663 tp->t_segq == NULL && 664 ti->ti_len <= sbspace(&so->so_rcv)) { 665 /* 666 * this is a pure, in-sequence data packet 667 * with nothing on the reassembly queue and 668 * we have enough buffer space to take it. 669 */ 670 ++tcpstat.tcps_preddat; 671 tp->rcv_nxt += ti->ti_len; 672 tcpstat.tcps_rcvpack++; 673 tcpstat.tcps_rcvbyte += ti->ti_len; 674 /* 675 * Add data to socket buffer. 676 */ 677 sbappend(&so->so_rcv, m); 678 sorwakeup(so); 679 if (tcp_delack_enabled) { 680 callout_reset(tp->tt_delack, tcp_delacktime, 681 tcp_timer_delack, tp); 682 } else { 683 tp->t_flags |= TF_ACKNOW; 684 tcp_output(tp); 685 } 686 return; 687 } 688 } 689 690 /* 691 * Calculate amount of space in receive window, 692 * and then do TCP input processing. 693 * Receive window is amount of space in rcv queue, 694 * but not less than advertised window. 695 */ 696 { int win; 697 698 win = sbspace(&so->so_rcv); 699 if (win < 0) 700 win = 0; 701 tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)); 702 } 703 704 switch (tp->t_state) { 705 706 /* 707 * If the state is LISTEN then ignore segment if it contains an RST. 708 * If the segment contains an ACK then it is bad and send a RST. 709 * If it does not contain a SYN then it is not interesting; drop it. 710 * If it is from this socket, drop it, it must be forged. 711 * Don't bother responding if the destination was a broadcast. 712 * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial 713 * tp->iss, and send a segment: 714 * <SEQ=ISS><ACK=RCV_NXT><CTL=SYN,ACK> 715 * Also initialize tp->snd_nxt to tp->iss+1 and tp->snd_una to tp->iss. 716 * Fill in remote peer address fields if not previously specified. 717 * Enter SYN_RECEIVED state, and process any other fields of this 718 * segment in this state. 719 */ 720 case TCPS_LISTEN: { 721 register struct sockaddr_in *sin; 722 723 if (tiflags & TH_RST) 724 goto drop; 725 if (tiflags & TH_ACK) 726 goto dropwithreset; 727 if ((tiflags & TH_SYN) == 0) 728 goto drop; 729 if ((ti->ti_dport == ti->ti_sport) && 730 (ti->ti_dst.s_addr == ti->ti_src.s_addr)) 731 goto drop; 732 /* 733 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN 734 * in_broadcast() should never return true on a received 735 * packet with M_BCAST not set. 736 */ 737 if (m->m_flags & (M_BCAST|M_MCAST) || 738 IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) 739 goto drop; 740 MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME, 741 M_NOWAIT); 742 if (sin == NULL) 743 goto drop; 744 sin->sin_family = AF_INET; 745 sin->sin_len = sizeof(*sin); 746 sin->sin_addr = ti->ti_src; 747 sin->sin_port = ti->ti_sport; 748 bzero((caddr_t)sin->sin_zero, sizeof(sin->sin_zero)); 749 laddr = inp->inp_laddr; 750 if (inp->inp_laddr.s_addr == INADDR_ANY) 751 inp->inp_laddr = ti->ti_dst; 752 if (in_pcbconnect(inp, (struct sockaddr *)sin, &proc0)) { 753 inp->inp_laddr = laddr; 754 FREE(sin, M_SONAME); 755 goto drop; 756 } 757 FREE(sin, M_SONAME); 758 tp->t_template = tcp_template(tp); 759 if (tp->t_template == 0) { 760 tp = tcp_drop(tp, ENOBUFS); 761 dropsocket = 0; /* socket is already gone */ 762 goto drop; 763 } 764 if ((taop = tcp_gettaocache(inp)) == NULL) { 765 taop = &tao_noncached; 766 bzero(taop, sizeof(*taop)); 767 } 768 tcp_dooptions(tp, optp, optlen, ti, &to); 769 if (iss) 770 tp->iss = iss; 771 else 772 tp->iss = tcp_iss; 773 tcp_iss += TCP_ISSINCR/4; 774 tp->irs = ti->ti_seq; 775 tcp_sendseqinit(tp); 776 tcp_rcvseqinit(tp); 777 /* 778 * Initialization of the tcpcb for transaction; 779 * set SND.WND = SEG.WND, 780 * initialize CCsend and CCrecv. 781 */ 782 tp->snd_wnd = tiwin; /* initial send-window */ 783 tp->cc_send = CC_INC(tcp_ccgen); 784 tp->cc_recv = to.to_cc; 785 /* 786 * Perform TAO test on incoming CC (SEG.CC) option, if any. 787 * - compare SEG.CC against cached CC from the same host, 788 * if any. 789 * - if SEG.CC > chached value, SYN must be new and is accepted 790 * immediately: save new CC in the cache, mark the socket 791 * connected, enter ESTABLISHED state, turn on flag to 792 * send a SYN in the next segment. 793 * A virtual advertised window is set in rcv_adv to 794 * initialize SWS prevention. Then enter normal segment 795 * processing: drop SYN, process data and FIN. 796 * - otherwise do a normal 3-way handshake. 797 */ 798 if ((to.to_flag & TOF_CC) != 0) { 799 if (((tp->t_flags & TF_NOPUSH) != 0) && 800 taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) { 801 802 taop->tao_cc = to.to_cc; 803 tp->t_starttime = ticks; 804 tp->t_state = TCPS_ESTABLISHED; 805 806 /* 807 * If there is a FIN, or if there is data and the 808 * connection is local, then delay SYN,ACK(SYN) in 809 * the hope of piggy-backing it on a response 810 * segment. Otherwise must send ACK now in case 811 * the other side is slow starting. 812 */ 813 if (tcp_delack_enabled && ((tiflags & TH_FIN) || 814 (ti->ti_len != 0 && 815 in_localaddr(inp->inp_faddr)))) { 816 callout_reset(tp->tt_delack, tcp_delacktime, 817 tcp_timer_delack, tp); 818 tp->t_flags |= TF_NEEDSYN; 819 } else 820 tp->t_flags |= (TF_ACKNOW | TF_NEEDSYN); 821 822 /* 823 * Limit the `virtual advertised window' to TCP_MAXWIN 824 * here. Even if we requested window scaling, it will 825 * become effective only later when our SYN is acked. 826 */ 827 tp->rcv_adv += min(tp->rcv_wnd, TCP_MAXWIN); 828 tcpstat.tcps_connects++; 829 soisconnected(so); 830 callout_reset(tp->tt_keep, tcp_keepinit, 831 tcp_timer_keep, tp); 832 dropsocket = 0; /* committed to socket */ 833 tcpstat.tcps_accepts++; 834 goto trimthenstep6; 835 } 836 /* else do standard 3-way handshake */ 837 } else { 838 /* 839 * No CC option, but maybe CC.NEW: 840 * invalidate cached value. 841 */ 842 taop->tao_cc = 0; 843 } 844 /* 845 * TAO test failed or there was no CC option, 846 * do a standard 3-way handshake. 847 */ 848 tp->t_flags |= TF_ACKNOW; 849 tp->t_state = TCPS_SYN_RECEIVED; 850 callout_reset(tp->tt_keep, tcp_keepinit, tcp_timer_keep, tp); 851 dropsocket = 0; /* committed to socket */ 852 tcpstat.tcps_accepts++; 853 goto trimthenstep6; 854 } 855 856 /* 857 * If the state is SYN_RECEIVED: 858 * if seg contains an ACK, but not for our SYN/ACK, send a RST. 859 */ 860 case TCPS_SYN_RECEIVED: 861 if ((tiflags & TH_ACK) && 862 (SEQ_LEQ(ti->ti_ack, tp->snd_una) || 863 SEQ_GT(ti->ti_ack, tp->snd_max))) 864 goto dropwithreset; 865 break; 866 867 /* 868 * If the state is SYN_SENT: 869 * if seg contains an ACK, but not for our SYN, drop the input. 870 * if seg contains a RST, then drop the connection. 871 * if seg does not contain SYN, then drop it. 872 * Otherwise this is an acceptable SYN segment 873 * initialize tp->rcv_nxt and tp->irs 874 * if seg contains ack then advance tp->snd_una 875 * if SYN has been acked change to ESTABLISHED else SYN_RCVD state 876 * arrange for segment to be acked (eventually) 877 * continue processing rest of data/controls, beginning with URG 878 */ 879 case TCPS_SYN_SENT: 880 if ((taop = tcp_gettaocache(inp)) == NULL) { 881 taop = &tao_noncached; 882 bzero(taop, sizeof(*taop)); 883 } 884 885 if ((tiflags & TH_ACK) && 886 (SEQ_LEQ(ti->ti_ack, tp->iss) || 887 SEQ_GT(ti->ti_ack, tp->snd_max))) { 888 /* 889 * If we have a cached CCsent for the remote host, 890 * hence we haven't just crashed and restarted, 891 * do not send a RST. This may be a retransmission 892 * from the other side after our earlier ACK was lost. 893 * Our new SYN, when it arrives, will serve as the 894 * needed ACK. 895 */ 896 if (taop->tao_ccsent != 0) 897 goto drop; 898 else 899 goto dropwithreset; 900 } 901 if (tiflags & TH_RST) { 902 if (tiflags & TH_ACK) 903 tp = tcp_drop(tp, ECONNREFUSED); 904 goto drop; 905 } 906 if ((tiflags & TH_SYN) == 0) 907 goto drop; 908 tp->snd_wnd = ti->ti_win; /* initial send window */ 909 tp->cc_recv = to.to_cc; /* foreign CC */ 910 911 tp->irs = ti->ti_seq; 912 tcp_rcvseqinit(tp); 913 if (tiflags & TH_ACK) { 914 /* 915 * Our SYN was acked. If segment contains CC.ECHO 916 * option, check it to make sure this segment really 917 * matches our SYN. If not, just drop it as old 918 * duplicate, but send an RST if we're still playing 919 * by the old rules. If no CC.ECHO option, make sure 920 * we don't get fooled into using T/TCP. 921 */ 922 if (to.to_flag & TOF_CCECHO) { 923 if (tp->cc_send != to.to_ccecho) { 924 if (taop->tao_ccsent != 0) 925 goto drop; 926 else 927 goto dropwithreset; 928 } 929 } else 930 tp->t_flags &= ~TF_RCVD_CC; 931 tcpstat.tcps_connects++; 932 soisconnected(so); 933 /* Do window scaling on this connection? */ 934 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == 935 (TF_RCVD_SCALE|TF_REQ_SCALE)) { 936 tp->snd_scale = tp->requested_s_scale; 937 tp->rcv_scale = tp->request_r_scale; 938 } 939 /* Segment is acceptable, update cache if undefined. */ 940 if (taop->tao_ccsent == 0) 941 taop->tao_ccsent = to.to_ccecho; 942 943 tp->rcv_adv += tp->rcv_wnd; 944 tp->snd_una++; /* SYN is acked */ 945 /* 946 * If there's data, delay ACK; if there's also a FIN 947 * ACKNOW will be turned on later. 948 */ 949 if (tcp_delack_enabled && ti->ti_len != 0) 950 callout_reset(tp->tt_delack, tcp_delacktime, 951 tcp_timer_delack, tp); 952 else 953 tp->t_flags |= TF_ACKNOW; 954 /* 955 * Received <SYN,ACK> in SYN_SENT[*] state. 956 * Transitions: 957 * SYN_SENT --> ESTABLISHED 958 * SYN_SENT* --> FIN_WAIT_1 959 */ 960 tp->t_starttime = ticks; 961 if (tp->t_flags & TF_NEEDFIN) { 962 tp->t_state = TCPS_FIN_WAIT_1; 963 tp->t_flags &= ~TF_NEEDFIN; 964 tiflags &= ~TH_SYN; 965 } else { 966 tp->t_state = TCPS_ESTABLISHED; 967 callout_reset(tp->tt_keep, tcp_keepidle, 968 tcp_timer_keep, tp); 969 } 970 } else { 971 /* 972 * Received initial SYN in SYN-SENT[*] state => simul- 973 * taneous open. If segment contains CC option and there is 974 * a cached CC, apply TAO test; if it succeeds, connection is 975 * half-synchronized. Otherwise, do 3-way handshake: 976 * SYN-SENT -> SYN-RECEIVED 977 * SYN-SENT* -> SYN-RECEIVED* 978 * If there was no CC option, clear cached CC value. 979 */ 980 tp->t_flags |= TF_ACKNOW; 981 callout_stop(tp->tt_rexmt); 982 if (to.to_flag & TOF_CC) { 983 if (taop->tao_cc != 0 && 984 CC_GT(to.to_cc, taop->tao_cc)) { 985 /* 986 * update cache and make transition: 987 * SYN-SENT -> ESTABLISHED* 988 * SYN-SENT* -> FIN-WAIT-1* 989 */ 990 taop->tao_cc = to.to_cc; 991 tp->t_starttime = ticks; 992 if (tp->t_flags & TF_NEEDFIN) { 993 tp->t_state = TCPS_FIN_WAIT_1; 994 tp->t_flags &= ~TF_NEEDFIN; 995 } else { 996 tp->t_state = TCPS_ESTABLISHED; 997 callout_reset(tp->tt_keep, 998 tcp_keepidle, 999 tcp_timer_keep, 1000 tp); 1001 } 1002 tp->t_flags |= TF_NEEDSYN; 1003 } else 1004 tp->t_state = TCPS_SYN_RECEIVED; 1005 } else { 1006 /* CC.NEW or no option => invalidate cache */ 1007 taop->tao_cc = 0; 1008 tp->t_state = TCPS_SYN_RECEIVED; 1009 } 1010 } 1011 1012trimthenstep6: 1013 /* 1014 * Advance ti->ti_seq to correspond to first data byte. 1015 * If data, trim to stay within window, 1016 * dropping FIN if necessary. 1017 */ 1018 ti->ti_seq++; 1019 if (ti->ti_len > tp->rcv_wnd) { 1020 todrop = ti->ti_len - tp->rcv_wnd; 1021 m_adj(m, -todrop); 1022 ti->ti_len = tp->rcv_wnd; 1023 tiflags &= ~TH_FIN; 1024 tcpstat.tcps_rcvpackafterwin++; 1025 tcpstat.tcps_rcvbyteafterwin += todrop; 1026 } 1027 tp->snd_wl1 = ti->ti_seq - 1; 1028 tp->rcv_up = ti->ti_seq; 1029 /* 1030 * Client side of transaction: already sent SYN and data. 1031 * If the remote host used T/TCP to validate the SYN, 1032 * our data will be ACK'd; if so, enter normal data segment 1033 * processing in the middle of step 5, ack processing. 1034 * Otherwise, goto step 6. 1035 */ 1036 if (tiflags & TH_ACK) 1037 goto process_ACK; 1038 goto step6; 1039 /* 1040 * If the state is LAST_ACK or CLOSING or TIME_WAIT: 1041 * if segment contains a SYN and CC [not CC.NEW] option: 1042 * if state == TIME_WAIT and connection duration > MSL, 1043 * drop packet and send RST; 1044 * 1045 * if SEG.CC > CCrecv then is new SYN, and can implicitly 1046 * ack the FIN (and data) in retransmission queue. 1047 * Complete close and delete TCPCB. Then reprocess 1048 * segment, hoping to find new TCPCB in LISTEN state; 1049 * 1050 * else must be old SYN; drop it. 1051 * else do normal processing. 1052 */ 1053 case TCPS_LAST_ACK: 1054 case TCPS_CLOSING: 1055 case TCPS_TIME_WAIT: 1056 if ((tiflags & TH_SYN) && 1057 (to.to_flag & TOF_CC) && tp->cc_recv != 0) { 1058 if (tp->t_state == TCPS_TIME_WAIT && 1059 (ticks - tp->t_starttime) > tcp_msl) 1060 goto dropwithreset; 1061 if (CC_GT(to.to_cc, tp->cc_recv)) { 1062 tp = tcp_close(tp); 1063 goto findpcb; 1064 } 1065 else 1066 goto drop; 1067 } 1068 break; /* continue normal processing */ 1069 } 1070 1071 /* 1072 * States other than LISTEN or SYN_SENT. 1073 * First check the RST flag and sequence number since reset segments 1074 * are exempt from the timestamp and connection count tests. This 1075 * fixes a bug introduced by the Stevens, vol. 2, p. 960 bugfix 1076 * below which allowed reset segments in half the sequence space 1077 * to fall though and be processed (which gives forged reset 1078 * segments with a random sequence number a 50 percent chance of 1079 * killing a connection). 1080 * Then check timestamp, if present. 1081 * Then check the connection count, if present. 1082 * Then check that at least some bytes of segment are within 1083 * receive window. If segment begins before rcv_nxt, 1084 * drop leading data (and SYN); if nothing left, just ack. 1085 * 1086 * 1087 * If the RST bit is set, check the sequence number to see 1088 * if this is a valid reset segment. 1089 * RFC 793 page 37: 1090 * In all states except SYN-SENT, all reset (RST) segments 1091 * are validated by checking their SEQ-fields. A reset is 1092 * valid if its sequence number is in the window. 1093 * Note: this does not take into account delayed ACKs, so 1094 * we should test against last_ack_sent instead of rcv_nxt. 1095 * The sequence number in the reset segment is normally an 1096 * echo of our outgoing acknowlegement numbers, but some hosts 1097 * send a reset with the sequence number at the rightmost edge 1098 * of our receive window, and we have to handle this case. 1099 * If we have multiple segments in flight, the intial reset 1100 * segment sequence numbers will be to the left of last_ack_sent, 1101 * but they will eventually catch up. 1102 * In any case, it never made sense to trim reset segments to 1103 * fit the receive window since RFC 1122 says: 1104 * 4.2.2.12 RST Segment: RFC-793 Section 3.4 1105 * 1106 * A TCP SHOULD allow a received RST segment to include data. 1107 * 1108 * DISCUSSION 1109 * It has been suggested that a RST segment could contain 1110 * ASCII text that encoded and explained the cause of the 1111 * RST. No standard has yet been established for such 1112 * data. 1113 * 1114 * If the reset segment passes the sequence number test examine 1115 * the state: 1116 * SYN_RECEIVED STATE: 1117 * If passive open, return to LISTEN state. 1118 * If active open, inform user that connection was refused. 1119 * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: 1120 * Inform user that connection was reset, and close tcb. 1121 * CLOSING, LAST_ACK STATES: 1122 * Close the tcb. 1123 * TIME_WAIT STATE: 1124 * Drop the segment - see Stevens, vol. 2, p. 964 and 1125 * RFC 1337. 1126 */ 1127 if (tiflags & TH_RST) { 1128 if (SEQ_GEQ(ti->ti_seq, tp->last_ack_sent) && 1129 SEQ_LT(ti->ti_seq, tp->last_ack_sent + tp->rcv_wnd)) { 1130 switch (tp->t_state) { 1131 1132 case TCPS_SYN_RECEIVED: 1133 so->so_error = ECONNREFUSED; 1134 goto close; 1135 1136 case TCPS_ESTABLISHED: 1137 case TCPS_FIN_WAIT_1: 1138 case TCPS_FIN_WAIT_2: 1139 case TCPS_CLOSE_WAIT: 1140 so->so_error = ECONNRESET; 1141 close: 1142 tp->t_state = TCPS_CLOSED; 1143 tcpstat.tcps_drops++; 1144 tp = tcp_close(tp); 1145 break; 1146 1147 case TCPS_CLOSING: 1148 case TCPS_LAST_ACK: 1149 tp = tcp_close(tp); 1150 break; 1151 1152 case TCPS_TIME_WAIT: 1153 break; 1154 } 1155 } 1156 goto drop; 1157 } 1158 1159 /* 1160 * RFC 1323 PAWS: If we have a timestamp reply on this segment 1161 * and it's less than ts_recent, drop it. 1162 */ 1163 if ((to.to_flag & TOF_TS) != 0 && tp->ts_recent && 1164 TSTMP_LT(to.to_tsval, tp->ts_recent)) { 1165 1166 /* Check to see if ts_recent is over 24 days old. */ 1167 if ((int)(ticks - tp->ts_recent_age) > TCP_PAWS_IDLE) { 1168 /* 1169 * Invalidate ts_recent. If this segment updates 1170 * ts_recent, the age will be reset later and ts_recent 1171 * will get a valid value. If it does not, setting 1172 * ts_recent to zero will at least satisfy the 1173 * requirement that zero be placed in the timestamp 1174 * echo reply when ts_recent isn't valid. The 1175 * age isn't reset until we get a valid ts_recent 1176 * because we don't want out-of-order segments to be 1177 * dropped when ts_recent is old. 1178 */ 1179 tp->ts_recent = 0; 1180 } else { 1181 tcpstat.tcps_rcvduppack++; 1182 tcpstat.tcps_rcvdupbyte += ti->ti_len; 1183 tcpstat.tcps_pawsdrop++; 1184 goto dropafterack; 1185 } 1186 } 1187 1188 /* 1189 * T/TCP mechanism 1190 * If T/TCP was negotiated and the segment doesn't have CC, 1191 * or if its CC is wrong then drop the segment. 1192 * RST segments do not have to comply with this. 1193 */ 1194 if ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) == (TF_REQ_CC|TF_RCVD_CC) && 1195 ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc)) 1196 goto dropafterack; 1197 1198 /* 1199 * In the SYN-RECEIVED state, validate that the packet belongs to 1200 * this connection before trimming the data to fit the receive 1201 * window. Check the sequence number versus IRS since we know 1202 * the sequence numbers haven't wrapped. This is a partial fix 1203 * for the "LAND" DoS attack. 1204 */ 1205 if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(ti->ti_seq, tp->irs)) 1206 goto dropwithreset; 1207 1208 todrop = tp->rcv_nxt - ti->ti_seq; 1209 if (todrop > 0) { 1210 if (tiflags & TH_SYN) { 1211 tiflags &= ~TH_SYN; 1212 ti->ti_seq++; 1213 if (ti->ti_urp > 1) 1214 ti->ti_urp--; 1215 else 1216 tiflags &= ~TH_URG; 1217 todrop--; 1218 } 1219 /* 1220 * Following if statement from Stevens, vol. 2, p. 960. 1221 */ 1222 if (todrop > ti->ti_len 1223 || (todrop == ti->ti_len && (tiflags & TH_FIN) == 0)) { 1224 /* 1225 * Any valid FIN must be to the left of the window. 1226 * At this point the FIN must be a duplicate or out 1227 * of sequence; drop it. 1228 */ 1229 tiflags &= ~TH_FIN; 1230 1231 /* 1232 * Send an ACK to resynchronize and drop any data. 1233 * But keep on processing for RST or ACK. 1234 */ 1235 tp->t_flags |= TF_ACKNOW; 1236 todrop = ti->ti_len; 1237 tcpstat.tcps_rcvduppack++; 1238 tcpstat.tcps_rcvdupbyte += todrop; 1239 } else { 1240 tcpstat.tcps_rcvpartduppack++; 1241 tcpstat.tcps_rcvpartdupbyte += todrop; 1242 } 1243 m_adj(m, todrop); 1244 ti->ti_seq += todrop; 1245 ti->ti_len -= todrop; 1246 if (ti->ti_urp > todrop) 1247 ti->ti_urp -= todrop; 1248 else { 1249 tiflags &= ~TH_URG; 1250 ti->ti_urp = 0; 1251 } 1252 } 1253 1254 /* 1255 * If new data are received on a connection after the 1256 * user processes are gone, then RST the other end. 1257 */ 1258 if ((so->so_state & SS_NOFDREF) && 1259 tp->t_state > TCPS_CLOSE_WAIT && ti->ti_len) { 1260 tp = tcp_close(tp); 1261 tcpstat.tcps_rcvafterclose++; 1262 goto dropwithreset; 1263 } 1264 1265 /* 1266 * If segment ends after window, drop trailing data 1267 * (and PUSH and FIN); if nothing left, just ACK. 1268 */ 1269 todrop = (ti->ti_seq+ti->ti_len) - (tp->rcv_nxt+tp->rcv_wnd); 1270 if (todrop > 0) { 1271 tcpstat.tcps_rcvpackafterwin++; 1272 if (todrop >= ti->ti_len) { 1273 tcpstat.tcps_rcvbyteafterwin += ti->ti_len; 1274 /* 1275 * If a new connection request is received 1276 * while in TIME_WAIT, drop the old connection 1277 * and start over if the sequence numbers 1278 * are above the previous ones. 1279 */ 1280 if (tiflags & TH_SYN && 1281 tp->t_state == TCPS_TIME_WAIT && 1282 SEQ_GT(ti->ti_seq, tp->rcv_nxt)) { 1283 iss = tp->snd_nxt + TCP_ISSINCR; 1284 tp = tcp_close(tp); 1285 goto findpcb; 1286 } 1287 /* 1288 * If window is closed can only take segments at 1289 * window edge, and have to drop data and PUSH from 1290 * incoming segments. Continue processing, but 1291 * remember to ack. Otherwise, drop segment 1292 * and ack. 1293 */ 1294 if (tp->rcv_wnd == 0 && ti->ti_seq == tp->rcv_nxt) { 1295 tp->t_flags |= TF_ACKNOW; 1296 tcpstat.tcps_rcvwinprobe++; 1297 } else 1298 goto dropafterack; 1299 } else 1300 tcpstat.tcps_rcvbyteafterwin += todrop; 1301 m_adj(m, -todrop); 1302 ti->ti_len -= todrop; 1303 tiflags &= ~(TH_PUSH|TH_FIN); 1304 } 1305 1306 /* 1307 * If last ACK falls within this segment's sequence numbers, 1308 * record its timestamp. 1309 * NOTE that the test is modified according to the latest 1310 * proposal of the tcplw@cray.com list (Braden 1993/04/26). 1311 */ 1312 if ((to.to_flag & TOF_TS) != 0 && 1313 SEQ_LEQ(ti->ti_seq, tp->last_ack_sent)) { 1314 tp->ts_recent_age = ticks; 1315 tp->ts_recent = to.to_tsval; 1316 } 1317 1318 /* 1319 * If a SYN is in the window, then this is an 1320 * error and we send an RST and drop the connection. 1321 */ 1322 if (tiflags & TH_SYN) { 1323 tp = tcp_drop(tp, ECONNRESET); 1324 goto dropwithreset; 1325 } 1326 1327 /* 1328 * If the ACK bit is off: if in SYN-RECEIVED state or SENDSYN 1329 * flag is on (half-synchronized state), then queue data for 1330 * later processing; else drop segment and return. 1331 */ 1332 if ((tiflags & TH_ACK) == 0) { 1333 if (tp->t_state == TCPS_SYN_RECEIVED || 1334 (tp->t_flags & TF_NEEDSYN)) 1335 goto step6; 1336 else 1337 goto drop; 1338 } 1339 1340 /* 1341 * Ack processing. 1342 */ 1343 switch (tp->t_state) { 1344 1345 /* 1346 * In SYN_RECEIVED state, the ack ACKs our SYN, so enter 1347 * ESTABLISHED state and continue processing. 1348 * The ACK was checked above. 1349 */ 1350 case TCPS_SYN_RECEIVED: 1351 1352 tcpstat.tcps_connects++; 1353 soisconnected(so); 1354 /* Do window scaling? */ 1355 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == 1356 (TF_RCVD_SCALE|TF_REQ_SCALE)) { 1357 tp->snd_scale = tp->requested_s_scale; 1358 tp->rcv_scale = tp->request_r_scale; 1359 } 1360 /* 1361 * Upon successful completion of 3-way handshake, 1362 * update cache.CC if it was undefined, pass any queued 1363 * data to the user, and advance state appropriately. 1364 */ 1365 if ((taop = tcp_gettaocache(inp)) != NULL && 1366 taop->tao_cc == 0) 1367 taop->tao_cc = tp->cc_recv; 1368 1369 /* 1370 * Make transitions: 1371 * SYN-RECEIVED -> ESTABLISHED 1372 * SYN-RECEIVED* -> FIN-WAIT-1 1373 */ 1374 tp->t_starttime = ticks; 1375 if (tp->t_flags & TF_NEEDFIN) { 1376 tp->t_state = TCPS_FIN_WAIT_1; 1377 tp->t_flags &= ~TF_NEEDFIN; 1378 } else { 1379 tp->t_state = TCPS_ESTABLISHED; 1380 callout_reset(tp->tt_keep, tcp_keepidle, 1381 tcp_timer_keep, tp); 1382 } 1383 /* 1384 * If segment contains data or ACK, will call tcp_reass() 1385 * later; if not, do so now to pass queued data to user. 1386 */ 1387 if (ti->ti_len == 0 && (tiflags & TH_FIN) == 0) 1388 (void) tcp_reass(tp, (struct tcpiphdr *)0, 1389 (struct mbuf *)0); 1390 tp->snd_wl1 = ti->ti_seq - 1; 1391 /* fall into ... */ 1392 1393 /* 1394 * In ESTABLISHED state: drop duplicate ACKs; ACK out of range 1395 * ACKs. If the ack is in the range 1396 * tp->snd_una < ti->ti_ack <= tp->snd_max 1397 * then advance tp->snd_una to ti->ti_ack and drop 1398 * data from the retransmission queue. If this ACK reflects 1399 * more up to date window information we update our window information. 1400 */ 1401 case TCPS_ESTABLISHED: 1402 case TCPS_FIN_WAIT_1: 1403 case TCPS_FIN_WAIT_2: 1404 case TCPS_CLOSE_WAIT: 1405 case TCPS_CLOSING: 1406 case TCPS_LAST_ACK: 1407 case TCPS_TIME_WAIT: 1408 1409 if (SEQ_LEQ(ti->ti_ack, tp->snd_una)) { 1410 if (ti->ti_len == 0 && tiwin == tp->snd_wnd) { 1411 tcpstat.tcps_rcvdupack++; 1412 /* 1413 * If we have outstanding data (other than 1414 * a window probe), this is a completely 1415 * duplicate ack (ie, window info didn't 1416 * change), the ack is the biggest we've 1417 * seen and we've seen exactly our rexmt 1418 * threshhold of them, assume a packet 1419 * has been dropped and retransmit it. 1420 * Kludge snd_nxt & the congestion 1421 * window so we send only this one 1422 * packet. 1423 * 1424 * We know we're losing at the current 1425 * window size so do congestion avoidance 1426 * (set ssthresh to half the current window 1427 * and pull our congestion window back to 1428 * the new ssthresh). 1429 * 1430 * Dup acks mean that packets have left the 1431 * network (they're now cached at the receiver) 1432 * so bump cwnd by the amount in the receiver 1433 * to keep a constant cwnd packets in the 1434 * network. 1435 */ 1436 if (!callout_active(tp->tt_rexmt) || 1437 ti->ti_ack != tp->snd_una) 1438 tp->t_dupacks = 0; 1439 else if (++tp->t_dupacks == tcprexmtthresh) { 1440 tcp_seq onxt = tp->snd_nxt; 1441 u_int win = 1442 min(tp->snd_wnd, tp->snd_cwnd) / 2 / 1443 tp->t_maxseg; 1444 1445 if (win < 2) 1446 win = 2; 1447 tp->snd_ssthresh = win * tp->t_maxseg; 1448 callout_stop(tp->tt_rexmt); 1449 tp->t_rtttime = 0; 1450 tp->snd_nxt = ti->ti_ack; 1451 tp->snd_cwnd = tp->t_maxseg; 1452 (void) tcp_output(tp); 1453 tp->snd_cwnd = tp->snd_ssthresh + 1454 tp->t_maxseg * tp->t_dupacks; 1455 if (SEQ_GT(onxt, tp->snd_nxt)) 1456 tp->snd_nxt = onxt; 1457 goto drop; 1458 } else if (tp->t_dupacks > tcprexmtthresh) { 1459 tp->snd_cwnd += tp->t_maxseg; 1460 (void) tcp_output(tp); 1461 goto drop; 1462 } 1463 } else 1464 tp->t_dupacks = 0; 1465 break; 1466 } 1467 /* 1468 * If the congestion window was inflated to account 1469 * for the other side's cached packets, retract it. 1470 */ 1471 if (tp->t_dupacks >= tcprexmtthresh && 1472 tp->snd_cwnd > tp->snd_ssthresh) 1473 tp->snd_cwnd = tp->snd_ssthresh; 1474 tp->t_dupacks = 0; 1475 if (SEQ_GT(ti->ti_ack, tp->snd_max)) { 1476 tcpstat.tcps_rcvacktoomuch++; 1477 goto dropafterack; 1478 } 1479 /* 1480 * If we reach this point, ACK is not a duplicate, 1481 * i.e., it ACKs something we sent. 1482 */ 1483 if (tp->t_flags & TF_NEEDSYN) { 1484 /* 1485 * T/TCP: Connection was half-synchronized, and our 1486 * SYN has been ACK'd (so connection is now fully 1487 * synchronized). Go to non-starred state, 1488 * increment snd_una for ACK of SYN, and check if 1489 * we can do window scaling. 1490 */ 1491 tp->t_flags &= ~TF_NEEDSYN; 1492 tp->snd_una++; 1493 /* Do window scaling? */ 1494 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == 1495 (TF_RCVD_SCALE|TF_REQ_SCALE)) { 1496 tp->snd_scale = tp->requested_s_scale; 1497 tp->rcv_scale = tp->request_r_scale; 1498 } 1499 } 1500 1501process_ACK: 1502 acked = ti->ti_ack - tp->snd_una; 1503 tcpstat.tcps_rcvackpack++; 1504 tcpstat.tcps_rcvackbyte += acked; 1505 1506 /* 1507 * If we just performed our first retransmit, and the ACK 1508 * arrives within our recovery window, then it was a mistake 1509 * to do the retransmit in the first place. Recover our 1510 * original cwnd and ssthresh, and proceed to transmit where 1511 * we left off. 1512 */ 1513 if (tp->t_rxtshift == 1 && ticks < tp->t_badrxtwin) { 1514 tp->snd_cwnd = tp->snd_cwnd_prev; 1515 tp->snd_ssthresh = tp->snd_ssthresh_prev; 1516 tp->snd_nxt = tp->snd_max; 1517 tp->t_badrxtwin = 0; /* XXX probably not required */ 1518 } 1519 1520 /* 1521 * If we have a timestamp reply, update smoothed 1522 * round trip time. If no timestamp is present but 1523 * transmit timer is running and timed sequence 1524 * number was acked, update smoothed round trip time. 1525 * Since we now have an rtt measurement, cancel the 1526 * timer backoff (cf., Phil Karn's retransmit alg.). 1527 * Recompute the initial retransmit timer. 1528 */ 1529 if (to.to_flag & TOF_TS) 1530 tcp_xmit_timer(tp, ticks - to.to_tsecr + 1); 1531 else if (tp->t_rtttime && SEQ_GT(ti->ti_ack, tp->t_rtseq)) 1532 tcp_xmit_timer(tp, ticks - tp->t_rtttime); 1533 1534 /* 1535 * If all outstanding data is acked, stop retransmit 1536 * timer and remember to restart (more output or persist). 1537 * If there is more data to be acked, restart retransmit 1538 * timer, using current (possibly backed-off) value. 1539 */ 1540 if (ti->ti_ack == tp->snd_max) { 1541 callout_stop(tp->tt_rexmt); 1542 needoutput = 1; 1543 } else if (!callout_active(tp->tt_persist)) 1544 callout_reset(tp->tt_rexmt, tp->t_rxtcur, 1545 tcp_timer_rexmt, tp); 1546 1547 /* 1548 * If no data (only SYN) was ACK'd, 1549 * skip rest of ACK processing. 1550 */ 1551 if (acked == 0) 1552 goto step6; 1553 1554 /* 1555 * When new data is acked, open the congestion window. 1556 * If the window gives us less than ssthresh packets 1557 * in flight, open exponentially (maxseg per packet). 1558 * Otherwise open linearly: maxseg per window 1559 * (maxseg^2 / cwnd per packet). 1560 */ 1561 { 1562 register u_int cw = tp->snd_cwnd; 1563 register u_int incr = tp->t_maxseg; 1564 1565 if (cw > tp->snd_ssthresh) 1566 incr = incr * incr / cw; 1567 tp->snd_cwnd = min(cw + incr, TCP_MAXWIN << tp->snd_scale); 1568 } 1569 if (acked > so->so_snd.sb_cc) { 1570 tp->snd_wnd -= so->so_snd.sb_cc; 1571 sbdrop(&so->so_snd, (int)so->so_snd.sb_cc); 1572 ourfinisacked = 1; 1573 } else { 1574 sbdrop(&so->so_snd, acked); 1575 tp->snd_wnd -= acked; 1576 ourfinisacked = 0; 1577 } 1578 sowwakeup(so); 1579 tp->snd_una = ti->ti_ack; 1580 if (SEQ_LT(tp->snd_nxt, tp->snd_una)) 1581 tp->snd_nxt = tp->snd_una; 1582 1583 switch (tp->t_state) { 1584 1585 /* 1586 * In FIN_WAIT_1 STATE in addition to the processing 1587 * for the ESTABLISHED state if our FIN is now acknowledged 1588 * then enter FIN_WAIT_2. 1589 */ 1590 case TCPS_FIN_WAIT_1: 1591 if (ourfinisacked) { 1592 /* 1593 * If we can't receive any more 1594 * data, then closing user can proceed. 1595 * Starting the timer is contrary to the 1596 * specification, but if we don't get a FIN 1597 * we'll hang forever. 1598 */ 1599 if (so->so_state & SS_CANTRCVMORE) { 1600 soisdisconnected(so); 1601 callout_reset(tp->tt_2msl, tcp_maxidle, 1602 tcp_timer_2msl, tp); 1603 } 1604 tp->t_state = TCPS_FIN_WAIT_2; 1605 } 1606 break; 1607 1608 /* 1609 * In CLOSING STATE in addition to the processing for 1610 * the ESTABLISHED state if the ACK acknowledges our FIN 1611 * then enter the TIME-WAIT state, otherwise ignore 1612 * the segment. 1613 */ 1614 case TCPS_CLOSING: 1615 if (ourfinisacked) { 1616 tp->t_state = TCPS_TIME_WAIT; 1617 tcp_canceltimers(tp); 1618 /* Shorten TIME_WAIT [RFC-1644, p.28] */ 1619 if (tp->cc_recv != 0 && 1620 (ticks - tp->t_starttime) < tcp_msl) 1621 callout_reset(tp->tt_2msl, 1622 tp->t_rxtcur * 1623 TCPTV_TWTRUNC, 1624 tcp_timer_2msl, tp); 1625 else 1626 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1627 tcp_timer_2msl, tp); 1628 soisdisconnected(so); 1629 } 1630 break; 1631 1632 /* 1633 * In LAST_ACK, we may still be waiting for data to drain 1634 * and/or to be acked, as well as for the ack of our FIN. 1635 * If our FIN is now acknowledged, delete the TCB, 1636 * enter the closed state and return. 1637 */ 1638 case TCPS_LAST_ACK: 1639 if (ourfinisacked) { 1640 tp = tcp_close(tp); 1641 goto drop; 1642 } 1643 break; 1644 1645 /* 1646 * In TIME_WAIT state the only thing that should arrive 1647 * is a retransmission of the remote FIN. Acknowledge 1648 * it and restart the finack timer. 1649 */ 1650 case TCPS_TIME_WAIT: 1651 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1652 tcp_timer_2msl, tp); 1653 goto dropafterack; 1654 } 1655 } 1656 1657step6: 1658 /* 1659 * Update window information. 1660 * Don't look at window if no ACK: TAC's send garbage on first SYN. 1661 */ 1662 if ((tiflags & TH_ACK) && 1663 (SEQ_LT(tp->snd_wl1, ti->ti_seq) || 1664 (tp->snd_wl1 == ti->ti_seq && (SEQ_LT(tp->snd_wl2, ti->ti_ack) || 1665 (tp->snd_wl2 == ti->ti_ack && tiwin > tp->snd_wnd))))) { 1666 /* keep track of pure window updates */ 1667 if (ti->ti_len == 0 && 1668 tp->snd_wl2 == ti->ti_ack && tiwin > tp->snd_wnd) 1669 tcpstat.tcps_rcvwinupd++; 1670 tp->snd_wnd = tiwin; 1671 tp->snd_wl1 = ti->ti_seq; 1672 tp->snd_wl2 = ti->ti_ack; 1673 if (tp->snd_wnd > tp->max_sndwnd) 1674 tp->max_sndwnd = tp->snd_wnd; 1675 needoutput = 1; 1676 } 1677 1678 /* 1679 * Process segments with URG. 1680 */ 1681 if ((tiflags & TH_URG) && ti->ti_urp && 1682 TCPS_HAVERCVDFIN(tp->t_state) == 0) { 1683 /* 1684 * This is a kludge, but if we receive and accept 1685 * random urgent pointers, we'll crash in 1686 * soreceive. It's hard to imagine someone 1687 * actually wanting to send this much urgent data. 1688 */ 1689 if (ti->ti_urp + so->so_rcv.sb_cc > sb_max) { 1690 ti->ti_urp = 0; /* XXX */ 1691 tiflags &= ~TH_URG; /* XXX */ 1692 goto dodata; /* XXX */ 1693 } 1694 /* 1695 * If this segment advances the known urgent pointer, 1696 * then mark the data stream. This should not happen 1697 * in CLOSE_WAIT, CLOSING, LAST_ACK or TIME_WAIT STATES since 1698 * a FIN has been received from the remote side. 1699 * In these states we ignore the URG. 1700 * 1701 * According to RFC961 (Assigned Protocols), 1702 * the urgent pointer points to the last octet 1703 * of urgent data. We continue, however, 1704 * to consider it to indicate the first octet 1705 * of data past the urgent section as the original 1706 * spec states (in one of two places). 1707 */ 1708 if (SEQ_GT(ti->ti_seq+ti->ti_urp, tp->rcv_up)) { 1709 tp->rcv_up = ti->ti_seq + ti->ti_urp; 1710 so->so_oobmark = so->so_rcv.sb_cc + 1711 (tp->rcv_up - tp->rcv_nxt) - 1; 1712 if (so->so_oobmark == 0) 1713 so->so_state |= SS_RCVATMARK; 1714 sohasoutofband(so); 1715 tp->t_oobflags &= ~(TCPOOB_HAVEDATA | TCPOOB_HADDATA); 1716 } 1717 /* 1718 * Remove out of band data so doesn't get presented to user. 1719 * This can happen independent of advancing the URG pointer, 1720 * but if two URG's are pending at once, some out-of-band 1721 * data may creep in... ick. 1722 */ 1723 if (ti->ti_urp <= (u_long)ti->ti_len 1724#ifdef SO_OOBINLINE 1725 && (so->so_options & SO_OOBINLINE) == 0 1726#endif 1727 ) 1728 tcp_pulloutofband(so, ti, m); 1729 } else 1730 /* 1731 * If no out of band data is expected, 1732 * pull receive urgent pointer along 1733 * with the receive window. 1734 */ 1735 if (SEQ_GT(tp->rcv_nxt, tp->rcv_up)) 1736 tp->rcv_up = tp->rcv_nxt; 1737dodata: /* XXX */ 1738 1739 /* 1740 * Process the segment text, merging it into the TCP sequencing queue, 1741 * and arranging for acknowledgment of receipt if necessary. 1742 * This process logically involves adjusting tp->rcv_wnd as data 1743 * is presented to the user (this happens in tcp_usrreq.c, 1744 * case PRU_RCVD). If a FIN has already been received on this 1745 * connection then we just ignore the text. 1746 */ 1747 if ((ti->ti_len || (tiflags&TH_FIN)) && 1748 TCPS_HAVERCVDFIN(tp->t_state) == 0) { 1749 TCP_REASS(tp, ti, m, so, tiflags); 1750 /* 1751 * Note the amount of data that peer has sent into 1752 * our window, in order to estimate the sender's 1753 * buffer size. 1754 */ 1755 len = so->so_rcv.sb_hiwat - (tp->rcv_adv - tp->rcv_nxt); 1756 } else { 1757 m_freem(m); 1758 tiflags &= ~TH_FIN; 1759 } 1760 1761 /* 1762 * If FIN is received ACK the FIN and let the user know 1763 * that the connection is closing. 1764 */ 1765 if (tiflags & TH_FIN) { 1766 if (TCPS_HAVERCVDFIN(tp->t_state) == 0) { 1767 socantrcvmore(so); 1768 /* 1769 * If connection is half-synchronized 1770 * (ie NEEDSYN flag on) then delay ACK, 1771 * so it may be piggybacked when SYN is sent. 1772 * Otherwise, since we received a FIN then no 1773 * more input can be expected, send ACK now. 1774 */ 1775 if (tcp_delack_enabled && (tp->t_flags & TF_NEEDSYN)) 1776 callout_reset(tp->tt_delack, tcp_delacktime, 1777 tcp_timer_delack, tp); 1778 else 1779 tp->t_flags |= TF_ACKNOW; 1780 tp->rcv_nxt++; 1781 } 1782 switch (tp->t_state) { 1783 1784 /* 1785 * In SYN_RECEIVED and ESTABLISHED STATES 1786 * enter the CLOSE_WAIT state. 1787 */ 1788 case TCPS_SYN_RECEIVED: 1789 tp->t_starttime = ticks; 1790 /*FALLTHROUGH*/ 1791 case TCPS_ESTABLISHED: 1792 tp->t_state = TCPS_CLOSE_WAIT; 1793 break; 1794 1795 /* 1796 * If still in FIN_WAIT_1 STATE FIN has not been acked so 1797 * enter the CLOSING state. 1798 */ 1799 case TCPS_FIN_WAIT_1: 1800 tp->t_state = TCPS_CLOSING; 1801 break; 1802 1803 /* 1804 * In FIN_WAIT_2 state enter the TIME_WAIT state, 1805 * starting the time-wait timer, turning off the other 1806 * standard timers. 1807 */ 1808 case TCPS_FIN_WAIT_2: 1809 tp->t_state = TCPS_TIME_WAIT; 1810 tcp_canceltimers(tp); 1811 /* Shorten TIME_WAIT [RFC-1644, p.28] */ 1812 if (tp->cc_recv != 0 && 1813 (ticks - tp->t_starttime) < tcp_msl) { 1814 callout_reset(tp->tt_2msl, 1815 tp->t_rxtcur * TCPTV_TWTRUNC, 1816 tcp_timer_2msl, tp); 1817 /* For transaction client, force ACK now. */ 1818 tp->t_flags |= TF_ACKNOW; 1819 } 1820 else 1821 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1822 tcp_timer_2msl, tp); 1823 soisdisconnected(so); 1824 break; 1825 1826 /* 1827 * In TIME_WAIT state restart the 2 MSL time_wait timer. 1828 */ 1829 case TCPS_TIME_WAIT: 1830 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1831 tcp_timer_2msl, tp); 1832 break; 1833 } 1834 } 1835#ifdef TCPDEBUG 1836 if (so->so_options & SO_DEBUG) 1837 tcp_trace(TA_INPUT, ostate, tp, &tcp_saveti, 0); 1838#endif 1839 1840 /* 1841 * Return any desired output. 1842 */ 1843 if (needoutput || (tp->t_flags & TF_ACKNOW)) 1844 (void) tcp_output(tp); 1845 return; 1846 1847dropafterack: 1848 /* 1849 * Generate an ACK dropping incoming segment if it occupies 1850 * sequence space, where the ACK reflects our state. 1851 * 1852 * We can now skip the test for the RST flag since all 1853 * paths to this code happen after packets containing 1854 * RST have been dropped. 1855 * 1856 * In the SYN-RECEIVED state, don't send an ACK unless the 1857 * segment we received passes the SYN-RECEIVED ACK test. 1858 * If it fails send a RST. This breaks the loop in the 1859 * "LAND" DoS attack, and also prevents an ACK storm 1860 * between two listening ports that have been sent forged 1861 * SYN segments, each with the source address of the other. 1862 */ 1863 if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && 1864 (SEQ_GT(tp->snd_una, ti->ti_ack) || 1865 SEQ_GT(ti->ti_ack, tp->snd_max)) ) 1866 goto dropwithreset; 1867#ifdef TCPDEBUG 1868 if (so->so_options & SO_DEBUG) 1869 tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); 1870#endif 1871 m_freem(m); 1872 tp->t_flags |= TF_ACKNOW; 1873 (void) tcp_output(tp); 1874 return; 1875 1876dropwithreset: 1877#ifdef TCP_RESTRICT_RST 1878 if (restrict_rst) 1879 goto drop; 1880#endif 1881 /* 1882 * Generate a RST, dropping incoming segment. 1883 * Make ACK acceptable to originator of segment. 1884 * Don't bother to respond if destination was broadcast/multicast. 1885 */ 1886 if ((tiflags & TH_RST) || m->m_flags & (M_BCAST|M_MCAST) || 1887 IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) 1888 goto drop; 1889#ifdef TCPDEBUG 1890 if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG)) 1891 tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); 1892#endif 1893 if (tiflags & TH_ACK) 1894 tcp_respond(tp, ti, m, (tcp_seq)0, ti->ti_ack, TH_RST); 1895 else { 1896 if (tiflags & TH_SYN) 1897 ti->ti_len++; 1898 tcp_respond(tp, ti, m, ti->ti_seq+ti->ti_len, (tcp_seq)0, 1899 TH_RST|TH_ACK); 1900 } 1901 /* destroy temporarily created socket */ 1902 if (dropsocket) 1903 (void) soabort(so); 1904 return; 1905 1906drop: 1907 /* 1908 * Drop space held by incoming segment and return. 1909 */ 1910#ifdef TCPDEBUG 1911 if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG)) 1912 tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); 1913#endif 1914 m_freem(m); 1915 /* destroy temporarily created socket */ 1916 if (dropsocket) 1917 (void) soabort(so); 1918 return; 1919} 1920 1921static void 1922tcp_dooptions(tp, cp, cnt, ti, to) 1923 struct tcpcb *tp; 1924 u_char *cp; 1925 int cnt; 1926 struct tcpiphdr *ti; 1927 struct tcpopt *to; 1928{ 1929 u_short mss = 0; 1930 int opt, optlen; 1931 1932 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1933 opt = cp[0]; 1934 if (opt == TCPOPT_EOL) 1935 break; 1936 if (opt == TCPOPT_NOP) 1937 optlen = 1; 1938 else { 1939 optlen = cp[1]; 1940 if (optlen <= 0) 1941 break; 1942 } 1943 switch (opt) { 1944 1945 default: 1946 continue; 1947 1948 case TCPOPT_MAXSEG: 1949 if (optlen != TCPOLEN_MAXSEG) 1950 continue; 1951 if (!(ti->ti_flags & TH_SYN)) 1952 continue; 1953 bcopy((char *) cp + 2, (char *) &mss, sizeof(mss)); 1954 NTOHS(mss); 1955 break; 1956 1957 case TCPOPT_WINDOW: 1958 if (optlen != TCPOLEN_WINDOW) 1959 continue; 1960 if (!(ti->ti_flags & TH_SYN)) 1961 continue; 1962 tp->t_flags |= TF_RCVD_SCALE; 1963 tp->requested_s_scale = min(cp[2], TCP_MAX_WINSHIFT); 1964 break; 1965 1966 case TCPOPT_TIMESTAMP: 1967 if (optlen != TCPOLEN_TIMESTAMP) 1968 continue; 1969 to->to_flag |= TOF_TS; 1970 bcopy((char *)cp + 2, 1971 (char *)&to->to_tsval, sizeof(to->to_tsval)); 1972 NTOHL(to->to_tsval); 1973 bcopy((char *)cp + 6, 1974 (char *)&to->to_tsecr, sizeof(to->to_tsecr)); 1975 NTOHL(to->to_tsecr); 1976 1977 /* 1978 * A timestamp received in a SYN makes 1979 * it ok to send timestamp requests and replies. 1980 */ 1981 if (ti->ti_flags & TH_SYN) { 1982 tp->t_flags |= TF_RCVD_TSTMP; 1983 tp->ts_recent = to->to_tsval; 1984 tp->ts_recent_age = ticks; 1985 } 1986 break; 1987 case TCPOPT_CC: 1988 if (optlen != TCPOLEN_CC) 1989 continue; 1990 to->to_flag |= TOF_CC; 1991 bcopy((char *)cp + 2, 1992 (char *)&to->to_cc, sizeof(to->to_cc)); 1993 NTOHL(to->to_cc); 1994 /* 1995 * A CC or CC.new option received in a SYN makes 1996 * it ok to send CC in subsequent segments. 1997 */ 1998 if (ti->ti_flags & TH_SYN) 1999 tp->t_flags |= TF_RCVD_CC; 2000 break; 2001 case TCPOPT_CCNEW: 2002 if (optlen != TCPOLEN_CC) 2003 continue; 2004 if (!(ti->ti_flags & TH_SYN)) 2005 continue; 2006 to->to_flag |= TOF_CCNEW; 2007 bcopy((char *)cp + 2, 2008 (char *)&to->to_cc, sizeof(to->to_cc)); 2009 NTOHL(to->to_cc); 2010 /* 2011 * A CC or CC.new option received in a SYN makes 2012 * it ok to send CC in subsequent segments. 2013 */ 2014 tp->t_flags |= TF_RCVD_CC; 2015 break; 2016 case TCPOPT_CCECHO: 2017 if (optlen != TCPOLEN_CC) 2018 continue; 2019 if (!(ti->ti_flags & TH_SYN)) 2020 continue; 2021 to->to_flag |= TOF_CCECHO; 2022 bcopy((char *)cp + 2, 2023 (char *)&to->to_ccecho, sizeof(to->to_ccecho)); 2024 NTOHL(to->to_ccecho); 2025 break; 2026 } 2027 } 2028 if (ti->ti_flags & TH_SYN) 2029 tcp_mss(tp, mss); /* sets t_maxseg */ 2030} 2031 2032/* 2033 * Pull out of band byte out of a segment so 2034 * it doesn't appear in the user's data queue. 2035 * It is still reflected in the segment length for 2036 * sequencing purposes. 2037 */ 2038static void 2039tcp_pulloutofband(so, ti, m) 2040 struct socket *so; 2041 struct tcpiphdr *ti; 2042 register struct mbuf *m; 2043{ 2044 int cnt = ti->ti_urp - 1; 2045 2046 while (cnt >= 0) { 2047 if (m->m_len > cnt) { 2048 char *cp = mtod(m, caddr_t) + cnt; 2049 struct tcpcb *tp = sototcpcb(so); 2050 2051 tp->t_iobc = *cp; 2052 tp->t_oobflags |= TCPOOB_HAVEDATA; 2053 bcopy(cp+1, cp, (unsigned)(m->m_len - cnt - 1)); 2054 m->m_len--; 2055 return; 2056 } 2057 cnt -= m->m_len; 2058 m = m->m_next; 2059 if (m == 0) 2060 break; 2061 } 2062 panic("tcp_pulloutofband"); 2063} 2064 2065/* 2066 * Collect new round-trip time estimate 2067 * and update averages and current timeout. 2068 */ 2069static void 2070tcp_xmit_timer(tp, rtt) 2071 register struct tcpcb *tp; 2072 int rtt; 2073{ 2074 register int delta; 2075 2076 tcpstat.tcps_rttupdated++; 2077 tp->t_rttupdated++; 2078 if (tp->t_srtt != 0) { 2079 /* 2080 * srtt is stored as fixed point with 5 bits after the 2081 * binary point (i.e., scaled by 8). The following magic 2082 * is equivalent to the smoothing algorithm in rfc793 with 2083 * an alpha of .875 (srtt = rtt/8 + srtt*7/8 in fixed 2084 * point). Adjust rtt to origin 0. 2085 */ 2086 delta = ((rtt - 1) << TCP_DELTA_SHIFT) 2087 - (tp->t_srtt >> (TCP_RTT_SHIFT - TCP_DELTA_SHIFT)); 2088 2089 if ((tp->t_srtt += delta) <= 0) 2090 tp->t_srtt = 1; 2091 2092 /* 2093 * We accumulate a smoothed rtt variance (actually, a 2094 * smoothed mean difference), then set the retransmit 2095 * timer to smoothed rtt + 4 times the smoothed variance. 2096 * rttvar is stored as fixed point with 4 bits after the 2097 * binary point (scaled by 16). The following is 2098 * equivalent to rfc793 smoothing with an alpha of .75 2099 * (rttvar = rttvar*3/4 + |delta| / 4). This replaces 2100 * rfc793's wired-in beta. 2101 */ 2102 if (delta < 0) 2103 delta = -delta; 2104 delta -= tp->t_rttvar >> (TCP_RTTVAR_SHIFT - TCP_DELTA_SHIFT); 2105 if ((tp->t_rttvar += delta) <= 0) 2106 tp->t_rttvar = 1; 2107 } else { 2108 /* 2109 * No rtt measurement yet - use the unsmoothed rtt. 2110 * Set the variance to half the rtt (so our first 2111 * retransmit happens at 3*rtt). 2112 */ 2113 tp->t_srtt = rtt << TCP_RTT_SHIFT; 2114 tp->t_rttvar = rtt << (TCP_RTTVAR_SHIFT - 1); 2115 } 2116 tp->t_rtttime = 0; 2117 tp->t_rxtshift = 0; 2118 2119 /* 2120 * the retransmit should happen at rtt + 4 * rttvar. 2121 * Because of the way we do the smoothing, srtt and rttvar 2122 * will each average +1/2 tick of bias. When we compute 2123 * the retransmit timer, we want 1/2 tick of rounding and 2124 * 1 extra tick because of +-1/2 tick uncertainty in the 2125 * firing of the timer. The bias will give us exactly the 2126 * 1.5 tick we need. But, because the bias is 2127 * statistical, we have to test that we don't drop below 2128 * the minimum feasible timer (which is 2 ticks). 2129 */ 2130 TCPT_RANGESET(tp->t_rxtcur, TCP_REXMTVAL(tp), 2131 max(tp->t_rttmin, rtt + 2), TCPTV_REXMTMAX); 2132 2133 /* 2134 * We received an ack for a packet that wasn't retransmitted; 2135 * it is probably safe to discard any error indications we've 2136 * received recently. This isn't quite right, but close enough 2137 * for now (a route might have failed after we sent a segment, 2138 * and the return path might not be symmetrical). 2139 */ 2140 tp->t_softerror = 0; 2141} 2142 2143/* 2144 * Determine a reasonable value for maxseg size. 2145 * If the route is known, check route for mtu. 2146 * If none, use an mss that can be handled on the outgoing 2147 * interface without forcing IP to fragment; if bigger than 2148 * an mbuf cluster (MCLBYTES), round down to nearest multiple of MCLBYTES 2149 * to utilize large mbufs. If no route is found, route has no mtu, 2150 * or the destination isn't local, use a default, hopefully conservative 2151 * size (usually 512 or the default IP max size, but no more than the mtu 2152 * of the interface), as we can't discover anything about intervening 2153 * gateways or networks. We also initialize the congestion/slow start 2154 * window to be a single segment if the destination isn't local. 2155 * While looking at the routing entry, we also initialize other path-dependent 2156 * parameters from pre-set or cached values in the routing entry. 2157 * 2158 * Also take into account the space needed for options that we 2159 * send regularly. Make maxseg shorter by that amount to assure 2160 * that we can send maxseg amount of data even when the options 2161 * are present. Store the upper limit of the length of options plus 2162 * data in maxopd. 2163 * 2164 * NOTE that this routine is only called when we process an incoming 2165 * segment, for outgoing segments only tcp_mssopt is called. 2166 * 2167 * In case of T/TCP, we call this routine during implicit connection 2168 * setup as well (offer = -1), to initialize maxseg from the cached 2169 * MSS of our peer. 2170 */ 2171void 2172tcp_mss(tp, offer) 2173 struct tcpcb *tp; 2174 int offer; 2175{ 2176 register struct rtentry *rt; 2177 struct ifnet *ifp; 2178 register int rtt, mss; 2179 u_long bufsize; 2180 struct inpcb *inp; 2181 struct socket *so; 2182 struct rmxp_tao *taop; 2183 int origoffer = offer; 2184 2185 inp = tp->t_inpcb; 2186 if ((rt = tcp_rtlookup(inp)) == NULL) { 2187 tp->t_maxopd = tp->t_maxseg = tcp_mssdflt; 2188 return; 2189 } 2190 ifp = rt->rt_ifp; 2191 so = inp->inp_socket; 2192 2193 taop = rmx_taop(rt->rt_rmx); 2194 /* 2195 * Offer == -1 means that we didn't receive SYN yet, 2196 * use cached value in that case; 2197 */ 2198 if (offer == -1) 2199 offer = taop->tao_mssopt; 2200 /* 2201 * Offer == 0 means that there was no MSS on the SYN segment, 2202 * in this case we use tcp_mssdflt. 2203 */ 2204 if (offer == 0) 2205 offer = tcp_mssdflt; 2206 else 2207 /* 2208 * Sanity check: make sure that maxopd will be large 2209 * enough to allow some data on segments even is the 2210 * all the option space is used (40bytes). Otherwise 2211 * funny things may happen in tcp_output. 2212 */ 2213 offer = max(offer, 64); 2214 taop->tao_mssopt = offer; 2215 2216 /* 2217 * While we're here, check if there's an initial rtt 2218 * or rttvar. Convert from the route-table units 2219 * to scaled multiples of the slow timeout timer. 2220 */ 2221 if (tp->t_srtt == 0 && (rtt = rt->rt_rmx.rmx_rtt)) { 2222 /* 2223 * XXX the lock bit for RTT indicates that the value 2224 * is also a minimum value; this is subject to time. 2225 */ 2226 if (rt->rt_rmx.rmx_locks & RTV_RTT) 2227 tp->t_rttmin = rtt / (RTM_RTTUNIT / hz); 2228 tp->t_srtt = rtt / (RTM_RTTUNIT / (hz * TCP_RTT_SCALE)); 2229 tcpstat.tcps_usedrtt++; 2230 if (rt->rt_rmx.rmx_rttvar) { 2231 tp->t_rttvar = rt->rt_rmx.rmx_rttvar / 2232 (RTM_RTTUNIT / (hz * TCP_RTTVAR_SCALE)); 2233 tcpstat.tcps_usedrttvar++; 2234 } else { 2235 /* default variation is +- 1 rtt */ 2236 tp->t_rttvar = 2237 tp->t_srtt * TCP_RTTVAR_SCALE / TCP_RTT_SCALE; 2238 } 2239 TCPT_RANGESET(tp->t_rxtcur, 2240 ((tp->t_srtt >> 2) + tp->t_rttvar) >> 1, 2241 tp->t_rttmin, TCPTV_REXMTMAX); 2242 } 2243 /* 2244 * if there's an mtu associated with the route, use it 2245 */ 2246 if (rt->rt_rmx.rmx_mtu) 2247 mss = rt->rt_rmx.rmx_mtu - sizeof(struct tcpiphdr); 2248 else 2249 { 2250 mss = ifp->if_mtu - sizeof(struct tcpiphdr); 2251 if (!in_localaddr(inp->inp_faddr)) 2252 mss = min(mss, tcp_mssdflt); 2253 } 2254 mss = min(mss, offer); 2255 /* 2256 * maxopd stores the maximum length of data AND options 2257 * in a segment; maxseg is the amount of data in a normal 2258 * segment. We need to store this value (maxopd) apart 2259 * from maxseg, because now every segment carries options 2260 * and thus we normally have somewhat less data in segments. 2261 */ 2262 tp->t_maxopd = mss; 2263 2264 /* 2265 * In case of T/TCP, origoffer==-1 indicates, that no segments 2266 * were received yet. In this case we just guess, otherwise 2267 * we do the same as before T/TCP. 2268 */ 2269 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP && 2270 (origoffer == -1 || 2271 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP)) 2272 mss -= TCPOLEN_TSTAMP_APPA; 2273 if ((tp->t_flags & (TF_REQ_CC|TF_NOOPT)) == TF_REQ_CC && 2274 (origoffer == -1 || 2275 (tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC)) 2276 mss -= TCPOLEN_CC_APPA; 2277 2278#if (MCLBYTES & (MCLBYTES - 1)) == 0 2279 if (mss > MCLBYTES) 2280 mss &= ~(MCLBYTES-1); 2281#else 2282 if (mss > MCLBYTES) 2283 mss = mss / MCLBYTES * MCLBYTES; 2284#endif 2285 /* 2286 * If there's a pipesize, change the socket buffer 2287 * to that size. Make the socket buffers an integral 2288 * number of mss units; if the mss is larger than 2289 * the socket buffer, decrease the mss. 2290 */ 2291#ifdef RTV_SPIPE 2292 if ((bufsize = rt->rt_rmx.rmx_sendpipe) == 0) 2293#endif 2294 bufsize = so->so_snd.sb_hiwat; 2295 if (bufsize < mss) 2296 mss = bufsize; 2297 else { 2298 bufsize = roundup(bufsize, mss); 2299 if (bufsize > sb_max) 2300 bufsize = sb_max; 2301 (void)sbreserve(&so->so_snd, bufsize, so, NULL); 2302 } 2303 tp->t_maxseg = mss; 2304 2305#ifdef RTV_RPIPE 2306 if ((bufsize = rt->rt_rmx.rmx_recvpipe) == 0) 2307#endif 2308 bufsize = so->so_rcv.sb_hiwat; 2309 if (bufsize > mss) { 2310 bufsize = roundup(bufsize, mss); 2311 if (bufsize > sb_max) 2312 bufsize = sb_max; 2313 (void)sbreserve(&so->so_rcv, bufsize, so, NULL); 2314 } 2315 2316 /* 2317 * Set the slow-start flight size depending on whether this 2318 * is a local network or not. 2319 */ 2320 if (in_localaddr(inp->inp_faddr)) 2321 tp->snd_cwnd = mss * ss_fltsz_local; 2322 else 2323 tp->snd_cwnd = mss * ss_fltsz; 2324 2325 if (rt->rt_rmx.rmx_ssthresh) { 2326 /* 2327 * There's some sort of gateway or interface 2328 * buffer limit on the path. Use this to set 2329 * the slow start threshhold, but set the 2330 * threshold to no less than 2*mss. 2331 */ 2332 tp->snd_ssthresh = max(2 * mss, rt->rt_rmx.rmx_ssthresh); 2333 tcpstat.tcps_usedssthresh++; 2334 } 2335} 2336 2337/* 2338 * Determine the MSS option to send on an outgoing SYN. 2339 */ 2340int 2341tcp_mssopt(tp) 2342 struct tcpcb *tp; 2343{ 2344 struct rtentry *rt; 2345 2346 rt = tcp_rtlookup(tp->t_inpcb); 2347 if (rt == NULL) 2348 return tcp_mssdflt; 2349 2350 return rt->rt_ifp->if_mtu - sizeof(struct tcpiphdr); 2351}
| 281 register struct tcpiphdr *ti; 282 register struct inpcb *inp; 283 u_char *optp = NULL; 284 int optlen = 0; 285 int len, tlen, off; 286 register struct tcpcb *tp = 0; 287 register int tiflags; 288 struct socket *so = 0; 289 int todrop, acked, ourfinisacked, needoutput = 0; 290 struct in_addr laddr; 291 int dropsocket = 0; 292 int iss = 0; 293 u_long tiwin; 294 struct tcpopt to; /* options in this segment */ 295 struct rmxp_tao *taop; /* pointer to our TAO cache entry */ 296 struct rmxp_tao tao_noncached; /* in case there's no cached entry */ 297#ifdef TCPDEBUG 298 short ostate = 0; 299#endif 300 301 bzero((char *)&to, sizeof(to)); 302 303 tcpstat.tcps_rcvtotal++; 304 /* 305 * Get IP and TCP header together in first mbuf. 306 * Note: IP leaves IP header in first mbuf. 307 */ 308 ti = mtod(m, struct tcpiphdr *); 309 if (iphlen > sizeof (struct ip)) 310 ip_stripoptions(m, (struct mbuf *)0); 311 if (m->m_len < sizeof (struct tcpiphdr)) { 312 if ((m = m_pullup(m, sizeof (struct tcpiphdr))) == 0) { 313 tcpstat.tcps_rcvshort++; 314 return; 315 } 316 ti = mtod(m, struct tcpiphdr *); 317 } 318 319 /* 320 * Checksum extended TCP header and data. 321 */ 322 tlen = ((struct ip *)ti)->ip_len; 323 len = sizeof (struct ip) + tlen; 324 bzero(ti->ti_x1, sizeof(ti->ti_x1)); 325 ti->ti_len = (u_short)tlen; 326 HTONS(ti->ti_len); 327 ti->ti_sum = in_cksum(m, len); 328 if (ti->ti_sum) { 329 tcpstat.tcps_rcvbadsum++; 330 goto drop; 331 } 332 333 /* 334 * Check that TCP offset makes sense, 335 * pull out TCP options and adjust length. XXX 336 */ 337 off = ti->ti_off << 2; 338 if (off < sizeof (struct tcphdr) || off > tlen) { 339 tcpstat.tcps_rcvbadoff++; 340 goto drop; 341 } 342 tlen -= off; 343 ti->ti_len = tlen; 344 if (off > sizeof (struct tcphdr)) { 345 if (m->m_len < sizeof(struct ip) + off) { 346 if ((m = m_pullup(m, sizeof (struct ip) + off)) == 0) { 347 tcpstat.tcps_rcvshort++; 348 return; 349 } 350 ti = mtod(m, struct tcpiphdr *); 351 } 352 optlen = off - sizeof (struct tcphdr); 353 optp = mtod(m, u_char *) + sizeof (struct tcpiphdr); 354 } 355 tiflags = ti->ti_flags; 356 357#ifdef TCP_DROP_SYNFIN 358 /* 359 * If the drop_synfin option is enabled, drop all packets with 360 * both the SYN and FIN bits set. This prevents e.g. nmap from 361 * identifying the TCP/IP stack. 362 * 363 * This is incompatible with RFC1644 extensions (T/TCP). 364 */ 365 if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN)) 366 goto drop; 367#endif 368 369 /* 370 * Convert TCP protocol specific fields to host format. 371 */ 372 NTOHL(ti->ti_seq); 373 NTOHL(ti->ti_ack); 374 NTOHS(ti->ti_win); 375 NTOHS(ti->ti_urp); 376 377 /* 378 * Drop TCP, IP headers and TCP options. 379 */ 380 m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr); 381 m->m_len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr); 382 383 /* 384 * Locate pcb for segment. 385 */ 386findpcb: 387#ifdef IPFIREWALL_FORWARD 388 if (ip_fw_fwd_addr != NULL) { 389 /* 390 * Diverted. Pretend to be the destination. 391 * already got one like this? 392 */ 393 inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, 394 ti->ti_dst, ti->ti_dport, 0, m->m_pkthdr.rcvif); 395 if (!inp) { 396 /* 397 * No, then it's new. Try find the ambushing socket 398 */ 399 if (!ip_fw_fwd_addr->sin_port) { 400 inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, 401 ti->ti_sport, ip_fw_fwd_addr->sin_addr, 402 ti->ti_dport, 1, m->m_pkthdr.rcvif); 403 } else { 404 inp = in_pcblookup_hash(&tcbinfo, 405 ti->ti_src, ti->ti_sport, 406 ip_fw_fwd_addr->sin_addr, 407 ntohs(ip_fw_fwd_addr->sin_port), 1, 408 m->m_pkthdr.rcvif); 409 } 410 } 411 ip_fw_fwd_addr = NULL; 412 } else 413#endif /* IPFIREWALL_FORWARD */ 414 415 inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, 416 ti->ti_dst, ti->ti_dport, 1, m->m_pkthdr.rcvif); 417 418 /* 419 * If the state is CLOSED (i.e., TCB does not exist) then 420 * all data in the incoming segment is discarded. 421 * If the TCB exists but is in CLOSED state, it is embryonic, 422 * but should either do a listen or a connect soon. 423 */ 424 if (inp == NULL) { 425 if (log_in_vain) { 426 char buf[4*sizeof "123"]; 427 428 strcpy(buf, inet_ntoa(ti->ti_dst)); 429 switch (log_in_vain) { 430 case 1: 431 if(tiflags & TH_SYN) 432 log(LOG_INFO, 433 "Connection attempt to TCP %s:%d from %s:%d\n", 434 buf, ntohs(ti->ti_dport), 435 inet_ntoa(ti->ti_src), 436 ntohs(ti->ti_sport)); 437 break; 438 case 2: 439 log(LOG_INFO, 440 "Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n", 441 buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src), 442 ntohs(ti->ti_sport), tiflags); 443 break; 444 default: 445 break; 446 } 447 } 448#ifdef ICMP_BANDLIM 449 if (badport_bandlim(1) < 0) 450 goto drop; 451#endif 452 if (blackhole) { 453 switch (blackhole) { 454 case 1: 455 if (tiflags & TH_SYN) 456 goto drop; 457 break; 458 case 2: 459 goto drop; 460 default: 461 goto drop; 462 } 463 } 464 goto dropwithreset; 465 } 466 tp = intotcpcb(inp); 467 if (tp == 0) 468 goto dropwithreset; 469 if (tp->t_state == TCPS_CLOSED) 470 goto drop; 471 472 /* Unscale the window into a 32-bit value. */ 473 if ((tiflags & TH_SYN) == 0) 474 tiwin = ti->ti_win << tp->snd_scale; 475 else 476 tiwin = ti->ti_win; 477 478 so = inp->inp_socket; 479 if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) { 480#ifdef TCPDEBUG 481 if (so->so_options & SO_DEBUG) { 482 ostate = tp->t_state; 483 tcp_saveti = *ti; 484 } 485#endif 486 if (so->so_options & SO_ACCEPTCONN) { 487 register struct tcpcb *tp0 = tp; 488 struct socket *so2; 489 if ((tiflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) { 490 /* 491 * Note: dropwithreset makes sure we don't 492 * send a RST in response to a RST. 493 */ 494 if (tiflags & TH_ACK) { 495 tcpstat.tcps_badsyn++; 496 goto dropwithreset; 497 } 498 goto drop; 499 } 500 so2 = sonewconn(so, 0); 501 if (so2 == 0) { 502 tcpstat.tcps_listendrop++; 503 so2 = sodropablereq(so); 504 if (so2) { 505 tcp_drop(sototcpcb(so2), ETIMEDOUT); 506 so2 = sonewconn(so, 0); 507 } 508 if (!so2) 509 goto drop; 510 } 511 so = so2; 512 /* 513 * This is ugly, but .... 514 * 515 * Mark socket as temporary until we're 516 * committed to keeping it. The code at 517 * ``drop'' and ``dropwithreset'' check the 518 * flag dropsocket to see if the temporary 519 * socket created here should be discarded. 520 * We mark the socket as discardable until 521 * we're committed to it below in TCPS_LISTEN. 522 */ 523 dropsocket++; 524 inp = (struct inpcb *)so->so_pcb; 525 inp->inp_laddr = ti->ti_dst; 526 inp->inp_lport = ti->ti_dport; 527 if (in_pcbinshash(inp) != 0) { 528 /* 529 * Undo the assignments above if we failed to 530 * put the PCB on the hash lists. 531 */ 532 inp->inp_laddr.s_addr = INADDR_ANY; 533 inp->inp_lport = 0; 534 goto drop; 535 } 536 inp->inp_options = ip_srcroute(); 537 tp = intotcpcb(inp); 538 tp->t_state = TCPS_LISTEN; 539 tp->t_flags |= tp0->t_flags & (TF_NOPUSH|TF_NOOPT); 540 541 /* Compute proper scaling value from buffer space */ 542 while (tp->request_r_scale < TCP_MAX_WINSHIFT && 543 TCP_MAXWIN << tp->request_r_scale < 544 so->so_rcv.sb_hiwat) 545 tp->request_r_scale++; 546 } 547 } 548 549 /* 550 * Segment received on connection. 551 * Reset idle time and keep-alive timer. 552 */ 553 tp->t_rcvtime = ticks; 554 if (TCPS_HAVEESTABLISHED(tp->t_state)) 555 callout_reset(tp->tt_keep, tcp_keepidle, tcp_timer_keep, tp); 556 557 /* 558 * Process options if not in LISTEN state, 559 * else do it below (after getting remote address). 560 */ 561 if (tp->t_state != TCPS_LISTEN) 562 tcp_dooptions(tp, optp, optlen, ti, &to); 563 564 /* 565 * Header prediction: check for the two common cases 566 * of a uni-directional data xfer. If the packet has 567 * no control flags, is in-sequence, the window didn't 568 * change and we're not retransmitting, it's a 569 * candidate. If the length is zero and the ack moved 570 * forward, we're the sender side of the xfer. Just 571 * free the data acked & wake any higher level process 572 * that was blocked waiting for space. If the length 573 * is non-zero and the ack didn't move, we're the 574 * receiver side. If we're getting packets in-order 575 * (the reassembly queue is empty), add the data to 576 * the socket buffer and note that we need a delayed ack. 577 * Make sure that the hidden state-flags are also off. 578 * Since we check for TCPS_ESTABLISHED above, it can only 579 * be TH_NEEDSYN. 580 */ 581 if (tp->t_state == TCPS_ESTABLISHED && 582 (tiflags & (TH_SYN|TH_FIN|TH_RST|TH_URG|TH_ACK)) == TH_ACK && 583 ((tp->t_flags & (TF_NEEDSYN|TF_NEEDFIN)) == 0) && 584 ((to.to_flag & TOF_TS) == 0 || 585 TSTMP_GEQ(to.to_tsval, tp->ts_recent)) && 586 /* 587 * Using the CC option is compulsory if once started: 588 * the segment is OK if no T/TCP was negotiated or 589 * if the segment has a CC option equal to CCrecv 590 */ 591 ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) != (TF_REQ_CC|TF_RCVD_CC) || 592 ((to.to_flag & TOF_CC) != 0 && to.to_cc == tp->cc_recv)) && 593 ti->ti_seq == tp->rcv_nxt && 594 tiwin && tiwin == tp->snd_wnd && 595 tp->snd_nxt == tp->snd_max) { 596 597 /* 598 * If last ACK falls within this segment's sequence numbers, 599 * record the timestamp. 600 * NOTE that the test is modified according to the latest 601 * proposal of the tcplw@cray.com list (Braden 1993/04/26). 602 */ 603 if ((to.to_flag & TOF_TS) != 0 && 604 SEQ_LEQ(ti->ti_seq, tp->last_ack_sent)) { 605 tp->ts_recent_age = ticks; 606 tp->ts_recent = to.to_tsval; 607 } 608 609 if (ti->ti_len == 0) { 610 if (SEQ_GT(ti->ti_ack, tp->snd_una) && 611 SEQ_LEQ(ti->ti_ack, tp->snd_max) && 612 tp->snd_cwnd >= tp->snd_wnd && 613 tp->t_dupacks < tcprexmtthresh) { 614 /* 615 * this is a pure ack for outstanding data. 616 */ 617 ++tcpstat.tcps_predack; 618 /* 619 * "bad retransmit" recovery 620 */ 621 if (tp->t_rxtshift == 1 && 622 ticks < tp->t_badrxtwin) { 623 tp->snd_cwnd = tp->snd_cwnd_prev; 624 tp->snd_ssthresh = 625 tp->snd_ssthresh_prev; 626 tp->snd_nxt = tp->snd_max; 627 tp->t_badrxtwin = 0; 628 } 629 if ((to.to_flag & TOF_TS) != 0) 630 tcp_xmit_timer(tp, 631 ticks - to.to_tsecr + 1); 632 else if (tp->t_rtttime && 633 SEQ_GT(ti->ti_ack, tp->t_rtseq)) 634 tcp_xmit_timer(tp, ticks - tp->t_rtttime); 635 acked = ti->ti_ack - tp->snd_una; 636 tcpstat.tcps_rcvackpack++; 637 tcpstat.tcps_rcvackbyte += acked; 638 sbdrop(&so->so_snd, acked); 639 tp->snd_una = ti->ti_ack; 640 m_freem(m); 641 642 /* 643 * If all outstanding data are acked, stop 644 * retransmit timer, otherwise restart timer 645 * using current (possibly backed-off) value. 646 * If process is waiting for space, 647 * wakeup/selwakeup/signal. If data 648 * are ready to send, let tcp_output 649 * decide between more output or persist. 650 */ 651 if (tp->snd_una == tp->snd_max) 652 callout_stop(tp->tt_rexmt); 653 else if (!callout_active(tp->tt_persist)) 654 callout_reset(tp->tt_rexmt, 655 tp->t_rxtcur, 656 tcp_timer_rexmt, tp); 657 658 sowwakeup(so); 659 if (so->so_snd.sb_cc) 660 (void) tcp_output(tp); 661 return; 662 } 663 } else if (ti->ti_ack == tp->snd_una && 664 tp->t_segq == NULL && 665 ti->ti_len <= sbspace(&so->so_rcv)) { 666 /* 667 * this is a pure, in-sequence data packet 668 * with nothing on the reassembly queue and 669 * we have enough buffer space to take it. 670 */ 671 ++tcpstat.tcps_preddat; 672 tp->rcv_nxt += ti->ti_len; 673 tcpstat.tcps_rcvpack++; 674 tcpstat.tcps_rcvbyte += ti->ti_len; 675 /* 676 * Add data to socket buffer. 677 */ 678 sbappend(&so->so_rcv, m); 679 sorwakeup(so); 680 if (tcp_delack_enabled) { 681 callout_reset(tp->tt_delack, tcp_delacktime, 682 tcp_timer_delack, tp); 683 } else { 684 tp->t_flags |= TF_ACKNOW; 685 tcp_output(tp); 686 } 687 return; 688 } 689 } 690 691 /* 692 * Calculate amount of space in receive window, 693 * and then do TCP input processing. 694 * Receive window is amount of space in rcv queue, 695 * but not less than advertised window. 696 */ 697 { int win; 698 699 win = sbspace(&so->so_rcv); 700 if (win < 0) 701 win = 0; 702 tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)); 703 } 704 705 switch (tp->t_state) { 706 707 /* 708 * If the state is LISTEN then ignore segment if it contains an RST. 709 * If the segment contains an ACK then it is bad and send a RST. 710 * If it does not contain a SYN then it is not interesting; drop it. 711 * If it is from this socket, drop it, it must be forged. 712 * Don't bother responding if the destination was a broadcast. 713 * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial 714 * tp->iss, and send a segment: 715 * <SEQ=ISS><ACK=RCV_NXT><CTL=SYN,ACK> 716 * Also initialize tp->snd_nxt to tp->iss+1 and tp->snd_una to tp->iss. 717 * Fill in remote peer address fields if not previously specified. 718 * Enter SYN_RECEIVED state, and process any other fields of this 719 * segment in this state. 720 */ 721 case TCPS_LISTEN: { 722 register struct sockaddr_in *sin; 723 724 if (tiflags & TH_RST) 725 goto drop; 726 if (tiflags & TH_ACK) 727 goto dropwithreset; 728 if ((tiflags & TH_SYN) == 0) 729 goto drop; 730 if ((ti->ti_dport == ti->ti_sport) && 731 (ti->ti_dst.s_addr == ti->ti_src.s_addr)) 732 goto drop; 733 /* 734 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN 735 * in_broadcast() should never return true on a received 736 * packet with M_BCAST not set. 737 */ 738 if (m->m_flags & (M_BCAST|M_MCAST) || 739 IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) 740 goto drop; 741 MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME, 742 M_NOWAIT); 743 if (sin == NULL) 744 goto drop; 745 sin->sin_family = AF_INET; 746 sin->sin_len = sizeof(*sin); 747 sin->sin_addr = ti->ti_src; 748 sin->sin_port = ti->ti_sport; 749 bzero((caddr_t)sin->sin_zero, sizeof(sin->sin_zero)); 750 laddr = inp->inp_laddr; 751 if (inp->inp_laddr.s_addr == INADDR_ANY) 752 inp->inp_laddr = ti->ti_dst; 753 if (in_pcbconnect(inp, (struct sockaddr *)sin, &proc0)) { 754 inp->inp_laddr = laddr; 755 FREE(sin, M_SONAME); 756 goto drop; 757 } 758 FREE(sin, M_SONAME); 759 tp->t_template = tcp_template(tp); 760 if (tp->t_template == 0) { 761 tp = tcp_drop(tp, ENOBUFS); 762 dropsocket = 0; /* socket is already gone */ 763 goto drop; 764 } 765 if ((taop = tcp_gettaocache(inp)) == NULL) { 766 taop = &tao_noncached; 767 bzero(taop, sizeof(*taop)); 768 } 769 tcp_dooptions(tp, optp, optlen, ti, &to); 770 if (iss) 771 tp->iss = iss; 772 else 773 tp->iss = tcp_iss; 774 tcp_iss += TCP_ISSINCR/4; 775 tp->irs = ti->ti_seq; 776 tcp_sendseqinit(tp); 777 tcp_rcvseqinit(tp); 778 /* 779 * Initialization of the tcpcb for transaction; 780 * set SND.WND = SEG.WND, 781 * initialize CCsend and CCrecv. 782 */ 783 tp->snd_wnd = tiwin; /* initial send-window */ 784 tp->cc_send = CC_INC(tcp_ccgen); 785 tp->cc_recv = to.to_cc; 786 /* 787 * Perform TAO test on incoming CC (SEG.CC) option, if any. 788 * - compare SEG.CC against cached CC from the same host, 789 * if any. 790 * - if SEG.CC > chached value, SYN must be new and is accepted 791 * immediately: save new CC in the cache, mark the socket 792 * connected, enter ESTABLISHED state, turn on flag to 793 * send a SYN in the next segment. 794 * A virtual advertised window is set in rcv_adv to 795 * initialize SWS prevention. Then enter normal segment 796 * processing: drop SYN, process data and FIN. 797 * - otherwise do a normal 3-way handshake. 798 */ 799 if ((to.to_flag & TOF_CC) != 0) { 800 if (((tp->t_flags & TF_NOPUSH) != 0) && 801 taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) { 802 803 taop->tao_cc = to.to_cc; 804 tp->t_starttime = ticks; 805 tp->t_state = TCPS_ESTABLISHED; 806 807 /* 808 * If there is a FIN, or if there is data and the 809 * connection is local, then delay SYN,ACK(SYN) in 810 * the hope of piggy-backing it on a response 811 * segment. Otherwise must send ACK now in case 812 * the other side is slow starting. 813 */ 814 if (tcp_delack_enabled && ((tiflags & TH_FIN) || 815 (ti->ti_len != 0 && 816 in_localaddr(inp->inp_faddr)))) { 817 callout_reset(tp->tt_delack, tcp_delacktime, 818 tcp_timer_delack, tp); 819 tp->t_flags |= TF_NEEDSYN; 820 } else 821 tp->t_flags |= (TF_ACKNOW | TF_NEEDSYN); 822 823 /* 824 * Limit the `virtual advertised window' to TCP_MAXWIN 825 * here. Even if we requested window scaling, it will 826 * become effective only later when our SYN is acked. 827 */ 828 tp->rcv_adv += min(tp->rcv_wnd, TCP_MAXWIN); 829 tcpstat.tcps_connects++; 830 soisconnected(so); 831 callout_reset(tp->tt_keep, tcp_keepinit, 832 tcp_timer_keep, tp); 833 dropsocket = 0; /* committed to socket */ 834 tcpstat.tcps_accepts++; 835 goto trimthenstep6; 836 } 837 /* else do standard 3-way handshake */ 838 } else { 839 /* 840 * No CC option, but maybe CC.NEW: 841 * invalidate cached value. 842 */ 843 taop->tao_cc = 0; 844 } 845 /* 846 * TAO test failed or there was no CC option, 847 * do a standard 3-way handshake. 848 */ 849 tp->t_flags |= TF_ACKNOW; 850 tp->t_state = TCPS_SYN_RECEIVED; 851 callout_reset(tp->tt_keep, tcp_keepinit, tcp_timer_keep, tp); 852 dropsocket = 0; /* committed to socket */ 853 tcpstat.tcps_accepts++; 854 goto trimthenstep6; 855 } 856 857 /* 858 * If the state is SYN_RECEIVED: 859 * if seg contains an ACK, but not for our SYN/ACK, send a RST. 860 */ 861 case TCPS_SYN_RECEIVED: 862 if ((tiflags & TH_ACK) && 863 (SEQ_LEQ(ti->ti_ack, tp->snd_una) || 864 SEQ_GT(ti->ti_ack, tp->snd_max))) 865 goto dropwithreset; 866 break; 867 868 /* 869 * If the state is SYN_SENT: 870 * if seg contains an ACK, but not for our SYN, drop the input. 871 * if seg contains a RST, then drop the connection. 872 * if seg does not contain SYN, then drop it. 873 * Otherwise this is an acceptable SYN segment 874 * initialize tp->rcv_nxt and tp->irs 875 * if seg contains ack then advance tp->snd_una 876 * if SYN has been acked change to ESTABLISHED else SYN_RCVD state 877 * arrange for segment to be acked (eventually) 878 * continue processing rest of data/controls, beginning with URG 879 */ 880 case TCPS_SYN_SENT: 881 if ((taop = tcp_gettaocache(inp)) == NULL) { 882 taop = &tao_noncached; 883 bzero(taop, sizeof(*taop)); 884 } 885 886 if ((tiflags & TH_ACK) && 887 (SEQ_LEQ(ti->ti_ack, tp->iss) || 888 SEQ_GT(ti->ti_ack, tp->snd_max))) { 889 /* 890 * If we have a cached CCsent for the remote host, 891 * hence we haven't just crashed and restarted, 892 * do not send a RST. This may be a retransmission 893 * from the other side after our earlier ACK was lost. 894 * Our new SYN, when it arrives, will serve as the 895 * needed ACK. 896 */ 897 if (taop->tao_ccsent != 0) 898 goto drop; 899 else 900 goto dropwithreset; 901 } 902 if (tiflags & TH_RST) { 903 if (tiflags & TH_ACK) 904 tp = tcp_drop(tp, ECONNREFUSED); 905 goto drop; 906 } 907 if ((tiflags & TH_SYN) == 0) 908 goto drop; 909 tp->snd_wnd = ti->ti_win; /* initial send window */ 910 tp->cc_recv = to.to_cc; /* foreign CC */ 911 912 tp->irs = ti->ti_seq; 913 tcp_rcvseqinit(tp); 914 if (tiflags & TH_ACK) { 915 /* 916 * Our SYN was acked. If segment contains CC.ECHO 917 * option, check it to make sure this segment really 918 * matches our SYN. If not, just drop it as old 919 * duplicate, but send an RST if we're still playing 920 * by the old rules. If no CC.ECHO option, make sure 921 * we don't get fooled into using T/TCP. 922 */ 923 if (to.to_flag & TOF_CCECHO) { 924 if (tp->cc_send != to.to_ccecho) { 925 if (taop->tao_ccsent != 0) 926 goto drop; 927 else 928 goto dropwithreset; 929 } 930 } else 931 tp->t_flags &= ~TF_RCVD_CC; 932 tcpstat.tcps_connects++; 933 soisconnected(so); 934 /* Do window scaling on this connection? */ 935 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == 936 (TF_RCVD_SCALE|TF_REQ_SCALE)) { 937 tp->snd_scale = tp->requested_s_scale; 938 tp->rcv_scale = tp->request_r_scale; 939 } 940 /* Segment is acceptable, update cache if undefined. */ 941 if (taop->tao_ccsent == 0) 942 taop->tao_ccsent = to.to_ccecho; 943 944 tp->rcv_adv += tp->rcv_wnd; 945 tp->snd_una++; /* SYN is acked */ 946 /* 947 * If there's data, delay ACK; if there's also a FIN 948 * ACKNOW will be turned on later. 949 */ 950 if (tcp_delack_enabled && ti->ti_len != 0) 951 callout_reset(tp->tt_delack, tcp_delacktime, 952 tcp_timer_delack, tp); 953 else 954 tp->t_flags |= TF_ACKNOW; 955 /* 956 * Received <SYN,ACK> in SYN_SENT[*] state. 957 * Transitions: 958 * SYN_SENT --> ESTABLISHED 959 * SYN_SENT* --> FIN_WAIT_1 960 */ 961 tp->t_starttime = ticks; 962 if (tp->t_flags & TF_NEEDFIN) { 963 tp->t_state = TCPS_FIN_WAIT_1; 964 tp->t_flags &= ~TF_NEEDFIN; 965 tiflags &= ~TH_SYN; 966 } else { 967 tp->t_state = TCPS_ESTABLISHED; 968 callout_reset(tp->tt_keep, tcp_keepidle, 969 tcp_timer_keep, tp); 970 } 971 } else { 972 /* 973 * Received initial SYN in SYN-SENT[*] state => simul- 974 * taneous open. If segment contains CC option and there is 975 * a cached CC, apply TAO test; if it succeeds, connection is 976 * half-synchronized. Otherwise, do 3-way handshake: 977 * SYN-SENT -> SYN-RECEIVED 978 * SYN-SENT* -> SYN-RECEIVED* 979 * If there was no CC option, clear cached CC value. 980 */ 981 tp->t_flags |= TF_ACKNOW; 982 callout_stop(tp->tt_rexmt); 983 if (to.to_flag & TOF_CC) { 984 if (taop->tao_cc != 0 && 985 CC_GT(to.to_cc, taop->tao_cc)) { 986 /* 987 * update cache and make transition: 988 * SYN-SENT -> ESTABLISHED* 989 * SYN-SENT* -> FIN-WAIT-1* 990 */ 991 taop->tao_cc = to.to_cc; 992 tp->t_starttime = ticks; 993 if (tp->t_flags & TF_NEEDFIN) { 994 tp->t_state = TCPS_FIN_WAIT_1; 995 tp->t_flags &= ~TF_NEEDFIN; 996 } else { 997 tp->t_state = TCPS_ESTABLISHED; 998 callout_reset(tp->tt_keep, 999 tcp_keepidle, 1000 tcp_timer_keep, 1001 tp); 1002 } 1003 tp->t_flags |= TF_NEEDSYN; 1004 } else 1005 tp->t_state = TCPS_SYN_RECEIVED; 1006 } else { 1007 /* CC.NEW or no option => invalidate cache */ 1008 taop->tao_cc = 0; 1009 tp->t_state = TCPS_SYN_RECEIVED; 1010 } 1011 } 1012 1013trimthenstep6: 1014 /* 1015 * Advance ti->ti_seq to correspond to first data byte. 1016 * If data, trim to stay within window, 1017 * dropping FIN if necessary. 1018 */ 1019 ti->ti_seq++; 1020 if (ti->ti_len > tp->rcv_wnd) { 1021 todrop = ti->ti_len - tp->rcv_wnd; 1022 m_adj(m, -todrop); 1023 ti->ti_len = tp->rcv_wnd; 1024 tiflags &= ~TH_FIN; 1025 tcpstat.tcps_rcvpackafterwin++; 1026 tcpstat.tcps_rcvbyteafterwin += todrop; 1027 } 1028 tp->snd_wl1 = ti->ti_seq - 1; 1029 tp->rcv_up = ti->ti_seq; 1030 /* 1031 * Client side of transaction: already sent SYN and data. 1032 * If the remote host used T/TCP to validate the SYN, 1033 * our data will be ACK'd; if so, enter normal data segment 1034 * processing in the middle of step 5, ack processing. 1035 * Otherwise, goto step 6. 1036 */ 1037 if (tiflags & TH_ACK) 1038 goto process_ACK; 1039 goto step6; 1040 /* 1041 * If the state is LAST_ACK or CLOSING or TIME_WAIT: 1042 * if segment contains a SYN and CC [not CC.NEW] option: 1043 * if state == TIME_WAIT and connection duration > MSL, 1044 * drop packet and send RST; 1045 * 1046 * if SEG.CC > CCrecv then is new SYN, and can implicitly 1047 * ack the FIN (and data) in retransmission queue. 1048 * Complete close and delete TCPCB. Then reprocess 1049 * segment, hoping to find new TCPCB in LISTEN state; 1050 * 1051 * else must be old SYN; drop it. 1052 * else do normal processing. 1053 */ 1054 case TCPS_LAST_ACK: 1055 case TCPS_CLOSING: 1056 case TCPS_TIME_WAIT: 1057 if ((tiflags & TH_SYN) && 1058 (to.to_flag & TOF_CC) && tp->cc_recv != 0) { 1059 if (tp->t_state == TCPS_TIME_WAIT && 1060 (ticks - tp->t_starttime) > tcp_msl) 1061 goto dropwithreset; 1062 if (CC_GT(to.to_cc, tp->cc_recv)) { 1063 tp = tcp_close(tp); 1064 goto findpcb; 1065 } 1066 else 1067 goto drop; 1068 } 1069 break; /* continue normal processing */ 1070 } 1071 1072 /* 1073 * States other than LISTEN or SYN_SENT. 1074 * First check the RST flag and sequence number since reset segments 1075 * are exempt from the timestamp and connection count tests. This 1076 * fixes a bug introduced by the Stevens, vol. 2, p. 960 bugfix 1077 * below which allowed reset segments in half the sequence space 1078 * to fall though and be processed (which gives forged reset 1079 * segments with a random sequence number a 50 percent chance of 1080 * killing a connection). 1081 * Then check timestamp, if present. 1082 * Then check the connection count, if present. 1083 * Then check that at least some bytes of segment are within 1084 * receive window. If segment begins before rcv_nxt, 1085 * drop leading data (and SYN); if nothing left, just ack. 1086 * 1087 * 1088 * If the RST bit is set, check the sequence number to see 1089 * if this is a valid reset segment. 1090 * RFC 793 page 37: 1091 * In all states except SYN-SENT, all reset (RST) segments 1092 * are validated by checking their SEQ-fields. A reset is 1093 * valid if its sequence number is in the window. 1094 * Note: this does not take into account delayed ACKs, so 1095 * we should test against last_ack_sent instead of rcv_nxt. 1096 * The sequence number in the reset segment is normally an 1097 * echo of our outgoing acknowlegement numbers, but some hosts 1098 * send a reset with the sequence number at the rightmost edge 1099 * of our receive window, and we have to handle this case. 1100 * If we have multiple segments in flight, the intial reset 1101 * segment sequence numbers will be to the left of last_ack_sent, 1102 * but they will eventually catch up. 1103 * In any case, it never made sense to trim reset segments to 1104 * fit the receive window since RFC 1122 says: 1105 * 4.2.2.12 RST Segment: RFC-793 Section 3.4 1106 * 1107 * A TCP SHOULD allow a received RST segment to include data. 1108 * 1109 * DISCUSSION 1110 * It has been suggested that a RST segment could contain 1111 * ASCII text that encoded and explained the cause of the 1112 * RST. No standard has yet been established for such 1113 * data. 1114 * 1115 * If the reset segment passes the sequence number test examine 1116 * the state: 1117 * SYN_RECEIVED STATE: 1118 * If passive open, return to LISTEN state. 1119 * If active open, inform user that connection was refused. 1120 * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: 1121 * Inform user that connection was reset, and close tcb. 1122 * CLOSING, LAST_ACK STATES: 1123 * Close the tcb. 1124 * TIME_WAIT STATE: 1125 * Drop the segment - see Stevens, vol. 2, p. 964 and 1126 * RFC 1337. 1127 */ 1128 if (tiflags & TH_RST) { 1129 if (SEQ_GEQ(ti->ti_seq, tp->last_ack_sent) && 1130 SEQ_LT(ti->ti_seq, tp->last_ack_sent + tp->rcv_wnd)) { 1131 switch (tp->t_state) { 1132 1133 case TCPS_SYN_RECEIVED: 1134 so->so_error = ECONNREFUSED; 1135 goto close; 1136 1137 case TCPS_ESTABLISHED: 1138 case TCPS_FIN_WAIT_1: 1139 case TCPS_FIN_WAIT_2: 1140 case TCPS_CLOSE_WAIT: 1141 so->so_error = ECONNRESET; 1142 close: 1143 tp->t_state = TCPS_CLOSED; 1144 tcpstat.tcps_drops++; 1145 tp = tcp_close(tp); 1146 break; 1147 1148 case TCPS_CLOSING: 1149 case TCPS_LAST_ACK: 1150 tp = tcp_close(tp); 1151 break; 1152 1153 case TCPS_TIME_WAIT: 1154 break; 1155 } 1156 } 1157 goto drop; 1158 } 1159 1160 /* 1161 * RFC 1323 PAWS: If we have a timestamp reply on this segment 1162 * and it's less than ts_recent, drop it. 1163 */ 1164 if ((to.to_flag & TOF_TS) != 0 && tp->ts_recent && 1165 TSTMP_LT(to.to_tsval, tp->ts_recent)) { 1166 1167 /* Check to see if ts_recent is over 24 days old. */ 1168 if ((int)(ticks - tp->ts_recent_age) > TCP_PAWS_IDLE) { 1169 /* 1170 * Invalidate ts_recent. If this segment updates 1171 * ts_recent, the age will be reset later and ts_recent 1172 * will get a valid value. If it does not, setting 1173 * ts_recent to zero will at least satisfy the 1174 * requirement that zero be placed in the timestamp 1175 * echo reply when ts_recent isn't valid. The 1176 * age isn't reset until we get a valid ts_recent 1177 * because we don't want out-of-order segments to be 1178 * dropped when ts_recent is old. 1179 */ 1180 tp->ts_recent = 0; 1181 } else { 1182 tcpstat.tcps_rcvduppack++; 1183 tcpstat.tcps_rcvdupbyte += ti->ti_len; 1184 tcpstat.tcps_pawsdrop++; 1185 goto dropafterack; 1186 } 1187 } 1188 1189 /* 1190 * T/TCP mechanism 1191 * If T/TCP was negotiated and the segment doesn't have CC, 1192 * or if its CC is wrong then drop the segment. 1193 * RST segments do not have to comply with this. 1194 */ 1195 if ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) == (TF_REQ_CC|TF_RCVD_CC) && 1196 ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc)) 1197 goto dropafterack; 1198 1199 /* 1200 * In the SYN-RECEIVED state, validate that the packet belongs to 1201 * this connection before trimming the data to fit the receive 1202 * window. Check the sequence number versus IRS since we know 1203 * the sequence numbers haven't wrapped. This is a partial fix 1204 * for the "LAND" DoS attack. 1205 */ 1206 if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(ti->ti_seq, tp->irs)) 1207 goto dropwithreset; 1208 1209 todrop = tp->rcv_nxt - ti->ti_seq; 1210 if (todrop > 0) { 1211 if (tiflags & TH_SYN) { 1212 tiflags &= ~TH_SYN; 1213 ti->ti_seq++; 1214 if (ti->ti_urp > 1) 1215 ti->ti_urp--; 1216 else 1217 tiflags &= ~TH_URG; 1218 todrop--; 1219 } 1220 /* 1221 * Following if statement from Stevens, vol. 2, p. 960. 1222 */ 1223 if (todrop > ti->ti_len 1224 || (todrop == ti->ti_len && (tiflags & TH_FIN) == 0)) { 1225 /* 1226 * Any valid FIN must be to the left of the window. 1227 * At this point the FIN must be a duplicate or out 1228 * of sequence; drop it. 1229 */ 1230 tiflags &= ~TH_FIN; 1231 1232 /* 1233 * Send an ACK to resynchronize and drop any data. 1234 * But keep on processing for RST or ACK. 1235 */ 1236 tp->t_flags |= TF_ACKNOW; 1237 todrop = ti->ti_len; 1238 tcpstat.tcps_rcvduppack++; 1239 tcpstat.tcps_rcvdupbyte += todrop; 1240 } else { 1241 tcpstat.tcps_rcvpartduppack++; 1242 tcpstat.tcps_rcvpartdupbyte += todrop; 1243 } 1244 m_adj(m, todrop); 1245 ti->ti_seq += todrop; 1246 ti->ti_len -= todrop; 1247 if (ti->ti_urp > todrop) 1248 ti->ti_urp -= todrop; 1249 else { 1250 tiflags &= ~TH_URG; 1251 ti->ti_urp = 0; 1252 } 1253 } 1254 1255 /* 1256 * If new data are received on a connection after the 1257 * user processes are gone, then RST the other end. 1258 */ 1259 if ((so->so_state & SS_NOFDREF) && 1260 tp->t_state > TCPS_CLOSE_WAIT && ti->ti_len) { 1261 tp = tcp_close(tp); 1262 tcpstat.tcps_rcvafterclose++; 1263 goto dropwithreset; 1264 } 1265 1266 /* 1267 * If segment ends after window, drop trailing data 1268 * (and PUSH and FIN); if nothing left, just ACK. 1269 */ 1270 todrop = (ti->ti_seq+ti->ti_len) - (tp->rcv_nxt+tp->rcv_wnd); 1271 if (todrop > 0) { 1272 tcpstat.tcps_rcvpackafterwin++; 1273 if (todrop >= ti->ti_len) { 1274 tcpstat.tcps_rcvbyteafterwin += ti->ti_len; 1275 /* 1276 * If a new connection request is received 1277 * while in TIME_WAIT, drop the old connection 1278 * and start over if the sequence numbers 1279 * are above the previous ones. 1280 */ 1281 if (tiflags & TH_SYN && 1282 tp->t_state == TCPS_TIME_WAIT && 1283 SEQ_GT(ti->ti_seq, tp->rcv_nxt)) { 1284 iss = tp->snd_nxt + TCP_ISSINCR; 1285 tp = tcp_close(tp); 1286 goto findpcb; 1287 } 1288 /* 1289 * If window is closed can only take segments at 1290 * window edge, and have to drop data and PUSH from 1291 * incoming segments. Continue processing, but 1292 * remember to ack. Otherwise, drop segment 1293 * and ack. 1294 */ 1295 if (tp->rcv_wnd == 0 && ti->ti_seq == tp->rcv_nxt) { 1296 tp->t_flags |= TF_ACKNOW; 1297 tcpstat.tcps_rcvwinprobe++; 1298 } else 1299 goto dropafterack; 1300 } else 1301 tcpstat.tcps_rcvbyteafterwin += todrop; 1302 m_adj(m, -todrop); 1303 ti->ti_len -= todrop; 1304 tiflags &= ~(TH_PUSH|TH_FIN); 1305 } 1306 1307 /* 1308 * If last ACK falls within this segment's sequence numbers, 1309 * record its timestamp. 1310 * NOTE that the test is modified according to the latest 1311 * proposal of the tcplw@cray.com list (Braden 1993/04/26). 1312 */ 1313 if ((to.to_flag & TOF_TS) != 0 && 1314 SEQ_LEQ(ti->ti_seq, tp->last_ack_sent)) { 1315 tp->ts_recent_age = ticks; 1316 tp->ts_recent = to.to_tsval; 1317 } 1318 1319 /* 1320 * If a SYN is in the window, then this is an 1321 * error and we send an RST and drop the connection. 1322 */ 1323 if (tiflags & TH_SYN) { 1324 tp = tcp_drop(tp, ECONNRESET); 1325 goto dropwithreset; 1326 } 1327 1328 /* 1329 * If the ACK bit is off: if in SYN-RECEIVED state or SENDSYN 1330 * flag is on (half-synchronized state), then queue data for 1331 * later processing; else drop segment and return. 1332 */ 1333 if ((tiflags & TH_ACK) == 0) { 1334 if (tp->t_state == TCPS_SYN_RECEIVED || 1335 (tp->t_flags & TF_NEEDSYN)) 1336 goto step6; 1337 else 1338 goto drop; 1339 } 1340 1341 /* 1342 * Ack processing. 1343 */ 1344 switch (tp->t_state) { 1345 1346 /* 1347 * In SYN_RECEIVED state, the ack ACKs our SYN, so enter 1348 * ESTABLISHED state and continue processing. 1349 * The ACK was checked above. 1350 */ 1351 case TCPS_SYN_RECEIVED: 1352 1353 tcpstat.tcps_connects++; 1354 soisconnected(so); 1355 /* Do window scaling? */ 1356 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == 1357 (TF_RCVD_SCALE|TF_REQ_SCALE)) { 1358 tp->snd_scale = tp->requested_s_scale; 1359 tp->rcv_scale = tp->request_r_scale; 1360 } 1361 /* 1362 * Upon successful completion of 3-way handshake, 1363 * update cache.CC if it was undefined, pass any queued 1364 * data to the user, and advance state appropriately. 1365 */ 1366 if ((taop = tcp_gettaocache(inp)) != NULL && 1367 taop->tao_cc == 0) 1368 taop->tao_cc = tp->cc_recv; 1369 1370 /* 1371 * Make transitions: 1372 * SYN-RECEIVED -> ESTABLISHED 1373 * SYN-RECEIVED* -> FIN-WAIT-1 1374 */ 1375 tp->t_starttime = ticks; 1376 if (tp->t_flags & TF_NEEDFIN) { 1377 tp->t_state = TCPS_FIN_WAIT_1; 1378 tp->t_flags &= ~TF_NEEDFIN; 1379 } else { 1380 tp->t_state = TCPS_ESTABLISHED; 1381 callout_reset(tp->tt_keep, tcp_keepidle, 1382 tcp_timer_keep, tp); 1383 } 1384 /* 1385 * If segment contains data or ACK, will call tcp_reass() 1386 * later; if not, do so now to pass queued data to user. 1387 */ 1388 if (ti->ti_len == 0 && (tiflags & TH_FIN) == 0) 1389 (void) tcp_reass(tp, (struct tcpiphdr *)0, 1390 (struct mbuf *)0); 1391 tp->snd_wl1 = ti->ti_seq - 1; 1392 /* fall into ... */ 1393 1394 /* 1395 * In ESTABLISHED state: drop duplicate ACKs; ACK out of range 1396 * ACKs. If the ack is in the range 1397 * tp->snd_una < ti->ti_ack <= tp->snd_max 1398 * then advance tp->snd_una to ti->ti_ack and drop 1399 * data from the retransmission queue. If this ACK reflects 1400 * more up to date window information we update our window information. 1401 */ 1402 case TCPS_ESTABLISHED: 1403 case TCPS_FIN_WAIT_1: 1404 case TCPS_FIN_WAIT_2: 1405 case TCPS_CLOSE_WAIT: 1406 case TCPS_CLOSING: 1407 case TCPS_LAST_ACK: 1408 case TCPS_TIME_WAIT: 1409 1410 if (SEQ_LEQ(ti->ti_ack, tp->snd_una)) { 1411 if (ti->ti_len == 0 && tiwin == tp->snd_wnd) { 1412 tcpstat.tcps_rcvdupack++; 1413 /* 1414 * If we have outstanding data (other than 1415 * a window probe), this is a completely 1416 * duplicate ack (ie, window info didn't 1417 * change), the ack is the biggest we've 1418 * seen and we've seen exactly our rexmt 1419 * threshhold of them, assume a packet 1420 * has been dropped and retransmit it. 1421 * Kludge snd_nxt & the congestion 1422 * window so we send only this one 1423 * packet. 1424 * 1425 * We know we're losing at the current 1426 * window size so do congestion avoidance 1427 * (set ssthresh to half the current window 1428 * and pull our congestion window back to 1429 * the new ssthresh). 1430 * 1431 * Dup acks mean that packets have left the 1432 * network (they're now cached at the receiver) 1433 * so bump cwnd by the amount in the receiver 1434 * to keep a constant cwnd packets in the 1435 * network. 1436 */ 1437 if (!callout_active(tp->tt_rexmt) || 1438 ti->ti_ack != tp->snd_una) 1439 tp->t_dupacks = 0; 1440 else if (++tp->t_dupacks == tcprexmtthresh) { 1441 tcp_seq onxt = tp->snd_nxt; 1442 u_int win = 1443 min(tp->snd_wnd, tp->snd_cwnd) / 2 / 1444 tp->t_maxseg; 1445 1446 if (win < 2) 1447 win = 2; 1448 tp->snd_ssthresh = win * tp->t_maxseg; 1449 callout_stop(tp->tt_rexmt); 1450 tp->t_rtttime = 0; 1451 tp->snd_nxt = ti->ti_ack; 1452 tp->snd_cwnd = tp->t_maxseg; 1453 (void) tcp_output(tp); 1454 tp->snd_cwnd = tp->snd_ssthresh + 1455 tp->t_maxseg * tp->t_dupacks; 1456 if (SEQ_GT(onxt, tp->snd_nxt)) 1457 tp->snd_nxt = onxt; 1458 goto drop; 1459 } else if (tp->t_dupacks > tcprexmtthresh) { 1460 tp->snd_cwnd += tp->t_maxseg; 1461 (void) tcp_output(tp); 1462 goto drop; 1463 } 1464 } else 1465 tp->t_dupacks = 0; 1466 break; 1467 } 1468 /* 1469 * If the congestion window was inflated to account 1470 * for the other side's cached packets, retract it. 1471 */ 1472 if (tp->t_dupacks >= tcprexmtthresh && 1473 tp->snd_cwnd > tp->snd_ssthresh) 1474 tp->snd_cwnd = tp->snd_ssthresh; 1475 tp->t_dupacks = 0; 1476 if (SEQ_GT(ti->ti_ack, tp->snd_max)) { 1477 tcpstat.tcps_rcvacktoomuch++; 1478 goto dropafterack; 1479 } 1480 /* 1481 * If we reach this point, ACK is not a duplicate, 1482 * i.e., it ACKs something we sent. 1483 */ 1484 if (tp->t_flags & TF_NEEDSYN) { 1485 /* 1486 * T/TCP: Connection was half-synchronized, and our 1487 * SYN has been ACK'd (so connection is now fully 1488 * synchronized). Go to non-starred state, 1489 * increment snd_una for ACK of SYN, and check if 1490 * we can do window scaling. 1491 */ 1492 tp->t_flags &= ~TF_NEEDSYN; 1493 tp->snd_una++; 1494 /* Do window scaling? */ 1495 if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == 1496 (TF_RCVD_SCALE|TF_REQ_SCALE)) { 1497 tp->snd_scale = tp->requested_s_scale; 1498 tp->rcv_scale = tp->request_r_scale; 1499 } 1500 } 1501 1502process_ACK: 1503 acked = ti->ti_ack - tp->snd_una; 1504 tcpstat.tcps_rcvackpack++; 1505 tcpstat.tcps_rcvackbyte += acked; 1506 1507 /* 1508 * If we just performed our first retransmit, and the ACK 1509 * arrives within our recovery window, then it was a mistake 1510 * to do the retransmit in the first place. Recover our 1511 * original cwnd and ssthresh, and proceed to transmit where 1512 * we left off. 1513 */ 1514 if (tp->t_rxtshift == 1 && ticks < tp->t_badrxtwin) { 1515 tp->snd_cwnd = tp->snd_cwnd_prev; 1516 tp->snd_ssthresh = tp->snd_ssthresh_prev; 1517 tp->snd_nxt = tp->snd_max; 1518 tp->t_badrxtwin = 0; /* XXX probably not required */ 1519 } 1520 1521 /* 1522 * If we have a timestamp reply, update smoothed 1523 * round trip time. If no timestamp is present but 1524 * transmit timer is running and timed sequence 1525 * number was acked, update smoothed round trip time. 1526 * Since we now have an rtt measurement, cancel the 1527 * timer backoff (cf., Phil Karn's retransmit alg.). 1528 * Recompute the initial retransmit timer. 1529 */ 1530 if (to.to_flag & TOF_TS) 1531 tcp_xmit_timer(tp, ticks - to.to_tsecr + 1); 1532 else if (tp->t_rtttime && SEQ_GT(ti->ti_ack, tp->t_rtseq)) 1533 tcp_xmit_timer(tp, ticks - tp->t_rtttime); 1534 1535 /* 1536 * If all outstanding data is acked, stop retransmit 1537 * timer and remember to restart (more output or persist). 1538 * If there is more data to be acked, restart retransmit 1539 * timer, using current (possibly backed-off) value. 1540 */ 1541 if (ti->ti_ack == tp->snd_max) { 1542 callout_stop(tp->tt_rexmt); 1543 needoutput = 1; 1544 } else if (!callout_active(tp->tt_persist)) 1545 callout_reset(tp->tt_rexmt, tp->t_rxtcur, 1546 tcp_timer_rexmt, tp); 1547 1548 /* 1549 * If no data (only SYN) was ACK'd, 1550 * skip rest of ACK processing. 1551 */ 1552 if (acked == 0) 1553 goto step6; 1554 1555 /* 1556 * When new data is acked, open the congestion window. 1557 * If the window gives us less than ssthresh packets 1558 * in flight, open exponentially (maxseg per packet). 1559 * Otherwise open linearly: maxseg per window 1560 * (maxseg^2 / cwnd per packet). 1561 */ 1562 { 1563 register u_int cw = tp->snd_cwnd; 1564 register u_int incr = tp->t_maxseg; 1565 1566 if (cw > tp->snd_ssthresh) 1567 incr = incr * incr / cw; 1568 tp->snd_cwnd = min(cw + incr, TCP_MAXWIN << tp->snd_scale); 1569 } 1570 if (acked > so->so_snd.sb_cc) { 1571 tp->snd_wnd -= so->so_snd.sb_cc; 1572 sbdrop(&so->so_snd, (int)so->so_snd.sb_cc); 1573 ourfinisacked = 1; 1574 } else { 1575 sbdrop(&so->so_snd, acked); 1576 tp->snd_wnd -= acked; 1577 ourfinisacked = 0; 1578 } 1579 sowwakeup(so); 1580 tp->snd_una = ti->ti_ack; 1581 if (SEQ_LT(tp->snd_nxt, tp->snd_una)) 1582 tp->snd_nxt = tp->snd_una; 1583 1584 switch (tp->t_state) { 1585 1586 /* 1587 * In FIN_WAIT_1 STATE in addition to the processing 1588 * for the ESTABLISHED state if our FIN is now acknowledged 1589 * then enter FIN_WAIT_2. 1590 */ 1591 case TCPS_FIN_WAIT_1: 1592 if (ourfinisacked) { 1593 /* 1594 * If we can't receive any more 1595 * data, then closing user can proceed. 1596 * Starting the timer is contrary to the 1597 * specification, but if we don't get a FIN 1598 * we'll hang forever. 1599 */ 1600 if (so->so_state & SS_CANTRCVMORE) { 1601 soisdisconnected(so); 1602 callout_reset(tp->tt_2msl, tcp_maxidle, 1603 tcp_timer_2msl, tp); 1604 } 1605 tp->t_state = TCPS_FIN_WAIT_2; 1606 } 1607 break; 1608 1609 /* 1610 * In CLOSING STATE in addition to the processing for 1611 * the ESTABLISHED state if the ACK acknowledges our FIN 1612 * then enter the TIME-WAIT state, otherwise ignore 1613 * the segment. 1614 */ 1615 case TCPS_CLOSING: 1616 if (ourfinisacked) { 1617 tp->t_state = TCPS_TIME_WAIT; 1618 tcp_canceltimers(tp); 1619 /* Shorten TIME_WAIT [RFC-1644, p.28] */ 1620 if (tp->cc_recv != 0 && 1621 (ticks - tp->t_starttime) < tcp_msl) 1622 callout_reset(tp->tt_2msl, 1623 tp->t_rxtcur * 1624 TCPTV_TWTRUNC, 1625 tcp_timer_2msl, tp); 1626 else 1627 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1628 tcp_timer_2msl, tp); 1629 soisdisconnected(so); 1630 } 1631 break; 1632 1633 /* 1634 * In LAST_ACK, we may still be waiting for data to drain 1635 * and/or to be acked, as well as for the ack of our FIN. 1636 * If our FIN is now acknowledged, delete the TCB, 1637 * enter the closed state and return. 1638 */ 1639 case TCPS_LAST_ACK: 1640 if (ourfinisacked) { 1641 tp = tcp_close(tp); 1642 goto drop; 1643 } 1644 break; 1645 1646 /* 1647 * In TIME_WAIT state the only thing that should arrive 1648 * is a retransmission of the remote FIN. Acknowledge 1649 * it and restart the finack timer. 1650 */ 1651 case TCPS_TIME_WAIT: 1652 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1653 tcp_timer_2msl, tp); 1654 goto dropafterack; 1655 } 1656 } 1657 1658step6: 1659 /* 1660 * Update window information. 1661 * Don't look at window if no ACK: TAC's send garbage on first SYN. 1662 */ 1663 if ((tiflags & TH_ACK) && 1664 (SEQ_LT(tp->snd_wl1, ti->ti_seq) || 1665 (tp->snd_wl1 == ti->ti_seq && (SEQ_LT(tp->snd_wl2, ti->ti_ack) || 1666 (tp->snd_wl2 == ti->ti_ack && tiwin > tp->snd_wnd))))) { 1667 /* keep track of pure window updates */ 1668 if (ti->ti_len == 0 && 1669 tp->snd_wl2 == ti->ti_ack && tiwin > tp->snd_wnd) 1670 tcpstat.tcps_rcvwinupd++; 1671 tp->snd_wnd = tiwin; 1672 tp->snd_wl1 = ti->ti_seq; 1673 tp->snd_wl2 = ti->ti_ack; 1674 if (tp->snd_wnd > tp->max_sndwnd) 1675 tp->max_sndwnd = tp->snd_wnd; 1676 needoutput = 1; 1677 } 1678 1679 /* 1680 * Process segments with URG. 1681 */ 1682 if ((tiflags & TH_URG) && ti->ti_urp && 1683 TCPS_HAVERCVDFIN(tp->t_state) == 0) { 1684 /* 1685 * This is a kludge, but if we receive and accept 1686 * random urgent pointers, we'll crash in 1687 * soreceive. It's hard to imagine someone 1688 * actually wanting to send this much urgent data. 1689 */ 1690 if (ti->ti_urp + so->so_rcv.sb_cc > sb_max) { 1691 ti->ti_urp = 0; /* XXX */ 1692 tiflags &= ~TH_URG; /* XXX */ 1693 goto dodata; /* XXX */ 1694 } 1695 /* 1696 * If this segment advances the known urgent pointer, 1697 * then mark the data stream. This should not happen 1698 * in CLOSE_WAIT, CLOSING, LAST_ACK or TIME_WAIT STATES since 1699 * a FIN has been received from the remote side. 1700 * In these states we ignore the URG. 1701 * 1702 * According to RFC961 (Assigned Protocols), 1703 * the urgent pointer points to the last octet 1704 * of urgent data. We continue, however, 1705 * to consider it to indicate the first octet 1706 * of data past the urgent section as the original 1707 * spec states (in one of two places). 1708 */ 1709 if (SEQ_GT(ti->ti_seq+ti->ti_urp, tp->rcv_up)) { 1710 tp->rcv_up = ti->ti_seq + ti->ti_urp; 1711 so->so_oobmark = so->so_rcv.sb_cc + 1712 (tp->rcv_up - tp->rcv_nxt) - 1; 1713 if (so->so_oobmark == 0) 1714 so->so_state |= SS_RCVATMARK; 1715 sohasoutofband(so); 1716 tp->t_oobflags &= ~(TCPOOB_HAVEDATA | TCPOOB_HADDATA); 1717 } 1718 /* 1719 * Remove out of band data so doesn't get presented to user. 1720 * This can happen independent of advancing the URG pointer, 1721 * but if two URG's are pending at once, some out-of-band 1722 * data may creep in... ick. 1723 */ 1724 if (ti->ti_urp <= (u_long)ti->ti_len 1725#ifdef SO_OOBINLINE 1726 && (so->so_options & SO_OOBINLINE) == 0 1727#endif 1728 ) 1729 tcp_pulloutofband(so, ti, m); 1730 } else 1731 /* 1732 * If no out of band data is expected, 1733 * pull receive urgent pointer along 1734 * with the receive window. 1735 */ 1736 if (SEQ_GT(tp->rcv_nxt, tp->rcv_up)) 1737 tp->rcv_up = tp->rcv_nxt; 1738dodata: /* XXX */ 1739 1740 /* 1741 * Process the segment text, merging it into the TCP sequencing queue, 1742 * and arranging for acknowledgment of receipt if necessary. 1743 * This process logically involves adjusting tp->rcv_wnd as data 1744 * is presented to the user (this happens in tcp_usrreq.c, 1745 * case PRU_RCVD). If a FIN has already been received on this 1746 * connection then we just ignore the text. 1747 */ 1748 if ((ti->ti_len || (tiflags&TH_FIN)) && 1749 TCPS_HAVERCVDFIN(tp->t_state) == 0) { 1750 TCP_REASS(tp, ti, m, so, tiflags); 1751 /* 1752 * Note the amount of data that peer has sent into 1753 * our window, in order to estimate the sender's 1754 * buffer size. 1755 */ 1756 len = so->so_rcv.sb_hiwat - (tp->rcv_adv - tp->rcv_nxt); 1757 } else { 1758 m_freem(m); 1759 tiflags &= ~TH_FIN; 1760 } 1761 1762 /* 1763 * If FIN is received ACK the FIN and let the user know 1764 * that the connection is closing. 1765 */ 1766 if (tiflags & TH_FIN) { 1767 if (TCPS_HAVERCVDFIN(tp->t_state) == 0) { 1768 socantrcvmore(so); 1769 /* 1770 * If connection is half-synchronized 1771 * (ie NEEDSYN flag on) then delay ACK, 1772 * so it may be piggybacked when SYN is sent. 1773 * Otherwise, since we received a FIN then no 1774 * more input can be expected, send ACK now. 1775 */ 1776 if (tcp_delack_enabled && (tp->t_flags & TF_NEEDSYN)) 1777 callout_reset(tp->tt_delack, tcp_delacktime, 1778 tcp_timer_delack, tp); 1779 else 1780 tp->t_flags |= TF_ACKNOW; 1781 tp->rcv_nxt++; 1782 } 1783 switch (tp->t_state) { 1784 1785 /* 1786 * In SYN_RECEIVED and ESTABLISHED STATES 1787 * enter the CLOSE_WAIT state. 1788 */ 1789 case TCPS_SYN_RECEIVED: 1790 tp->t_starttime = ticks; 1791 /*FALLTHROUGH*/ 1792 case TCPS_ESTABLISHED: 1793 tp->t_state = TCPS_CLOSE_WAIT; 1794 break; 1795 1796 /* 1797 * If still in FIN_WAIT_1 STATE FIN has not been acked so 1798 * enter the CLOSING state. 1799 */ 1800 case TCPS_FIN_WAIT_1: 1801 tp->t_state = TCPS_CLOSING; 1802 break; 1803 1804 /* 1805 * In FIN_WAIT_2 state enter the TIME_WAIT state, 1806 * starting the time-wait timer, turning off the other 1807 * standard timers. 1808 */ 1809 case TCPS_FIN_WAIT_2: 1810 tp->t_state = TCPS_TIME_WAIT; 1811 tcp_canceltimers(tp); 1812 /* Shorten TIME_WAIT [RFC-1644, p.28] */ 1813 if (tp->cc_recv != 0 && 1814 (ticks - tp->t_starttime) < tcp_msl) { 1815 callout_reset(tp->tt_2msl, 1816 tp->t_rxtcur * TCPTV_TWTRUNC, 1817 tcp_timer_2msl, tp); 1818 /* For transaction client, force ACK now. */ 1819 tp->t_flags |= TF_ACKNOW; 1820 } 1821 else 1822 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1823 tcp_timer_2msl, tp); 1824 soisdisconnected(so); 1825 break; 1826 1827 /* 1828 * In TIME_WAIT state restart the 2 MSL time_wait timer. 1829 */ 1830 case TCPS_TIME_WAIT: 1831 callout_reset(tp->tt_2msl, 2 * tcp_msl, 1832 tcp_timer_2msl, tp); 1833 break; 1834 } 1835 } 1836#ifdef TCPDEBUG 1837 if (so->so_options & SO_DEBUG) 1838 tcp_trace(TA_INPUT, ostate, tp, &tcp_saveti, 0); 1839#endif 1840 1841 /* 1842 * Return any desired output. 1843 */ 1844 if (needoutput || (tp->t_flags & TF_ACKNOW)) 1845 (void) tcp_output(tp); 1846 return; 1847 1848dropafterack: 1849 /* 1850 * Generate an ACK dropping incoming segment if it occupies 1851 * sequence space, where the ACK reflects our state. 1852 * 1853 * We can now skip the test for the RST flag since all 1854 * paths to this code happen after packets containing 1855 * RST have been dropped. 1856 * 1857 * In the SYN-RECEIVED state, don't send an ACK unless the 1858 * segment we received passes the SYN-RECEIVED ACK test. 1859 * If it fails send a RST. This breaks the loop in the 1860 * "LAND" DoS attack, and also prevents an ACK storm 1861 * between two listening ports that have been sent forged 1862 * SYN segments, each with the source address of the other. 1863 */ 1864 if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && 1865 (SEQ_GT(tp->snd_una, ti->ti_ack) || 1866 SEQ_GT(ti->ti_ack, tp->snd_max)) ) 1867 goto dropwithreset; 1868#ifdef TCPDEBUG 1869 if (so->so_options & SO_DEBUG) 1870 tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); 1871#endif 1872 m_freem(m); 1873 tp->t_flags |= TF_ACKNOW; 1874 (void) tcp_output(tp); 1875 return; 1876 1877dropwithreset: 1878#ifdef TCP_RESTRICT_RST 1879 if (restrict_rst) 1880 goto drop; 1881#endif 1882 /* 1883 * Generate a RST, dropping incoming segment. 1884 * Make ACK acceptable to originator of segment. 1885 * Don't bother to respond if destination was broadcast/multicast. 1886 */ 1887 if ((tiflags & TH_RST) || m->m_flags & (M_BCAST|M_MCAST) || 1888 IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) 1889 goto drop; 1890#ifdef TCPDEBUG 1891 if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG)) 1892 tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); 1893#endif 1894 if (tiflags & TH_ACK) 1895 tcp_respond(tp, ti, m, (tcp_seq)0, ti->ti_ack, TH_RST); 1896 else { 1897 if (tiflags & TH_SYN) 1898 ti->ti_len++; 1899 tcp_respond(tp, ti, m, ti->ti_seq+ti->ti_len, (tcp_seq)0, 1900 TH_RST|TH_ACK); 1901 } 1902 /* destroy temporarily created socket */ 1903 if (dropsocket) 1904 (void) soabort(so); 1905 return; 1906 1907drop: 1908 /* 1909 * Drop space held by incoming segment and return. 1910 */ 1911#ifdef TCPDEBUG 1912 if (tp == 0 || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG)) 1913 tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); 1914#endif 1915 m_freem(m); 1916 /* destroy temporarily created socket */ 1917 if (dropsocket) 1918 (void) soabort(so); 1919 return; 1920} 1921 1922static void 1923tcp_dooptions(tp, cp, cnt, ti, to) 1924 struct tcpcb *tp; 1925 u_char *cp; 1926 int cnt; 1927 struct tcpiphdr *ti; 1928 struct tcpopt *to; 1929{ 1930 u_short mss = 0; 1931 int opt, optlen; 1932 1933 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1934 opt = cp[0]; 1935 if (opt == TCPOPT_EOL) 1936 break; 1937 if (opt == TCPOPT_NOP) 1938 optlen = 1; 1939 else { 1940 optlen = cp[1]; 1941 if (optlen <= 0) 1942 break; 1943 } 1944 switch (opt) { 1945 1946 default: 1947 continue; 1948 1949 case TCPOPT_MAXSEG: 1950 if (optlen != TCPOLEN_MAXSEG) 1951 continue; 1952 if (!(ti->ti_flags & TH_SYN)) 1953 continue; 1954 bcopy((char *) cp + 2, (char *) &mss, sizeof(mss)); 1955 NTOHS(mss); 1956 break; 1957 1958 case TCPOPT_WINDOW: 1959 if (optlen != TCPOLEN_WINDOW) 1960 continue; 1961 if (!(ti->ti_flags & TH_SYN)) 1962 continue; 1963 tp->t_flags |= TF_RCVD_SCALE; 1964 tp->requested_s_scale = min(cp[2], TCP_MAX_WINSHIFT); 1965 break; 1966 1967 case TCPOPT_TIMESTAMP: 1968 if (optlen != TCPOLEN_TIMESTAMP) 1969 continue; 1970 to->to_flag |= TOF_TS; 1971 bcopy((char *)cp + 2, 1972 (char *)&to->to_tsval, sizeof(to->to_tsval)); 1973 NTOHL(to->to_tsval); 1974 bcopy((char *)cp + 6, 1975 (char *)&to->to_tsecr, sizeof(to->to_tsecr)); 1976 NTOHL(to->to_tsecr); 1977 1978 /* 1979 * A timestamp received in a SYN makes 1980 * it ok to send timestamp requests and replies. 1981 */ 1982 if (ti->ti_flags & TH_SYN) { 1983 tp->t_flags |= TF_RCVD_TSTMP; 1984 tp->ts_recent = to->to_tsval; 1985 tp->ts_recent_age = ticks; 1986 } 1987 break; 1988 case TCPOPT_CC: 1989 if (optlen != TCPOLEN_CC) 1990 continue; 1991 to->to_flag |= TOF_CC; 1992 bcopy((char *)cp + 2, 1993 (char *)&to->to_cc, sizeof(to->to_cc)); 1994 NTOHL(to->to_cc); 1995 /* 1996 * A CC or CC.new option received in a SYN makes 1997 * it ok to send CC in subsequent segments. 1998 */ 1999 if (ti->ti_flags & TH_SYN) 2000 tp->t_flags |= TF_RCVD_CC; 2001 break; 2002 case TCPOPT_CCNEW: 2003 if (optlen != TCPOLEN_CC) 2004 continue; 2005 if (!(ti->ti_flags & TH_SYN)) 2006 continue; 2007 to->to_flag |= TOF_CCNEW; 2008 bcopy((char *)cp + 2, 2009 (char *)&to->to_cc, sizeof(to->to_cc)); 2010 NTOHL(to->to_cc); 2011 /* 2012 * A CC or CC.new option received in a SYN makes 2013 * it ok to send CC in subsequent segments. 2014 */ 2015 tp->t_flags |= TF_RCVD_CC; 2016 break; 2017 case TCPOPT_CCECHO: 2018 if (optlen != TCPOLEN_CC) 2019 continue; 2020 if (!(ti->ti_flags & TH_SYN)) 2021 continue; 2022 to->to_flag |= TOF_CCECHO; 2023 bcopy((char *)cp + 2, 2024 (char *)&to->to_ccecho, sizeof(to->to_ccecho)); 2025 NTOHL(to->to_ccecho); 2026 break; 2027 } 2028 } 2029 if (ti->ti_flags & TH_SYN) 2030 tcp_mss(tp, mss); /* sets t_maxseg */ 2031} 2032 2033/* 2034 * Pull out of band byte out of a segment so 2035 * it doesn't appear in the user's data queue. 2036 * It is still reflected in the segment length for 2037 * sequencing purposes. 2038 */ 2039static void 2040tcp_pulloutofband(so, ti, m) 2041 struct socket *so; 2042 struct tcpiphdr *ti; 2043 register struct mbuf *m; 2044{ 2045 int cnt = ti->ti_urp - 1; 2046 2047 while (cnt >= 0) { 2048 if (m->m_len > cnt) { 2049 char *cp = mtod(m, caddr_t) + cnt; 2050 struct tcpcb *tp = sototcpcb(so); 2051 2052 tp->t_iobc = *cp; 2053 tp->t_oobflags |= TCPOOB_HAVEDATA; 2054 bcopy(cp+1, cp, (unsigned)(m->m_len - cnt - 1)); 2055 m->m_len--; 2056 return; 2057 } 2058 cnt -= m->m_len; 2059 m = m->m_next; 2060 if (m == 0) 2061 break; 2062 } 2063 panic("tcp_pulloutofband"); 2064} 2065 2066/* 2067 * Collect new round-trip time estimate 2068 * and update averages and current timeout. 2069 */ 2070static void 2071tcp_xmit_timer(tp, rtt) 2072 register struct tcpcb *tp; 2073 int rtt; 2074{ 2075 register int delta; 2076 2077 tcpstat.tcps_rttupdated++; 2078 tp->t_rttupdated++; 2079 if (tp->t_srtt != 0) { 2080 /* 2081 * srtt is stored as fixed point with 5 bits after the 2082 * binary point (i.e., scaled by 8). The following magic 2083 * is equivalent to the smoothing algorithm in rfc793 with 2084 * an alpha of .875 (srtt = rtt/8 + srtt*7/8 in fixed 2085 * point). Adjust rtt to origin 0. 2086 */ 2087 delta = ((rtt - 1) << TCP_DELTA_SHIFT) 2088 - (tp->t_srtt >> (TCP_RTT_SHIFT - TCP_DELTA_SHIFT)); 2089 2090 if ((tp->t_srtt += delta) <= 0) 2091 tp->t_srtt = 1; 2092 2093 /* 2094 * We accumulate a smoothed rtt variance (actually, a 2095 * smoothed mean difference), then set the retransmit 2096 * timer to smoothed rtt + 4 times the smoothed variance. 2097 * rttvar is stored as fixed point with 4 bits after the 2098 * binary point (scaled by 16). The following is 2099 * equivalent to rfc793 smoothing with an alpha of .75 2100 * (rttvar = rttvar*3/4 + |delta| / 4). This replaces 2101 * rfc793's wired-in beta. 2102 */ 2103 if (delta < 0) 2104 delta = -delta; 2105 delta -= tp->t_rttvar >> (TCP_RTTVAR_SHIFT - TCP_DELTA_SHIFT); 2106 if ((tp->t_rttvar += delta) <= 0) 2107 tp->t_rttvar = 1; 2108 } else { 2109 /* 2110 * No rtt measurement yet - use the unsmoothed rtt. 2111 * Set the variance to half the rtt (so our first 2112 * retransmit happens at 3*rtt). 2113 */ 2114 tp->t_srtt = rtt << TCP_RTT_SHIFT; 2115 tp->t_rttvar = rtt << (TCP_RTTVAR_SHIFT - 1); 2116 } 2117 tp->t_rtttime = 0; 2118 tp->t_rxtshift = 0; 2119 2120 /* 2121 * the retransmit should happen at rtt + 4 * rttvar. 2122 * Because of the way we do the smoothing, srtt and rttvar 2123 * will each average +1/2 tick of bias. When we compute 2124 * the retransmit timer, we want 1/2 tick of rounding and 2125 * 1 extra tick because of +-1/2 tick uncertainty in the 2126 * firing of the timer. The bias will give us exactly the 2127 * 1.5 tick we need. But, because the bias is 2128 * statistical, we have to test that we don't drop below 2129 * the minimum feasible timer (which is 2 ticks). 2130 */ 2131 TCPT_RANGESET(tp->t_rxtcur, TCP_REXMTVAL(tp), 2132 max(tp->t_rttmin, rtt + 2), TCPTV_REXMTMAX); 2133 2134 /* 2135 * We received an ack for a packet that wasn't retransmitted; 2136 * it is probably safe to discard any error indications we've 2137 * received recently. This isn't quite right, but close enough 2138 * for now (a route might have failed after we sent a segment, 2139 * and the return path might not be symmetrical). 2140 */ 2141 tp->t_softerror = 0; 2142} 2143 2144/* 2145 * Determine a reasonable value for maxseg size. 2146 * If the route is known, check route for mtu. 2147 * If none, use an mss that can be handled on the outgoing 2148 * interface without forcing IP to fragment; if bigger than 2149 * an mbuf cluster (MCLBYTES), round down to nearest multiple of MCLBYTES 2150 * to utilize large mbufs. If no route is found, route has no mtu, 2151 * or the destination isn't local, use a default, hopefully conservative 2152 * size (usually 512 or the default IP max size, but no more than the mtu 2153 * of the interface), as we can't discover anything about intervening 2154 * gateways or networks. We also initialize the congestion/slow start 2155 * window to be a single segment if the destination isn't local. 2156 * While looking at the routing entry, we also initialize other path-dependent 2157 * parameters from pre-set or cached values in the routing entry. 2158 * 2159 * Also take into account the space needed for options that we 2160 * send regularly. Make maxseg shorter by that amount to assure 2161 * that we can send maxseg amount of data even when the options 2162 * are present. Store the upper limit of the length of options plus 2163 * data in maxopd. 2164 * 2165 * NOTE that this routine is only called when we process an incoming 2166 * segment, for outgoing segments only tcp_mssopt is called. 2167 * 2168 * In case of T/TCP, we call this routine during implicit connection 2169 * setup as well (offer = -1), to initialize maxseg from the cached 2170 * MSS of our peer. 2171 */ 2172void 2173tcp_mss(tp, offer) 2174 struct tcpcb *tp; 2175 int offer; 2176{ 2177 register struct rtentry *rt; 2178 struct ifnet *ifp; 2179 register int rtt, mss; 2180 u_long bufsize; 2181 struct inpcb *inp; 2182 struct socket *so; 2183 struct rmxp_tao *taop; 2184 int origoffer = offer; 2185 2186 inp = tp->t_inpcb; 2187 if ((rt = tcp_rtlookup(inp)) == NULL) { 2188 tp->t_maxopd = tp->t_maxseg = tcp_mssdflt; 2189 return; 2190 } 2191 ifp = rt->rt_ifp; 2192 so = inp->inp_socket; 2193 2194 taop = rmx_taop(rt->rt_rmx); 2195 /* 2196 * Offer == -1 means that we didn't receive SYN yet, 2197 * use cached value in that case; 2198 */ 2199 if (offer == -1) 2200 offer = taop->tao_mssopt; 2201 /* 2202 * Offer == 0 means that there was no MSS on the SYN segment, 2203 * in this case we use tcp_mssdflt. 2204 */ 2205 if (offer == 0) 2206 offer = tcp_mssdflt; 2207 else 2208 /* 2209 * Sanity check: make sure that maxopd will be large 2210 * enough to allow some data on segments even is the 2211 * all the option space is used (40bytes). Otherwise 2212 * funny things may happen in tcp_output. 2213 */ 2214 offer = max(offer, 64); 2215 taop->tao_mssopt = offer; 2216 2217 /* 2218 * While we're here, check if there's an initial rtt 2219 * or rttvar. Convert from the route-table units 2220 * to scaled multiples of the slow timeout timer. 2221 */ 2222 if (tp->t_srtt == 0 && (rtt = rt->rt_rmx.rmx_rtt)) { 2223 /* 2224 * XXX the lock bit for RTT indicates that the value 2225 * is also a minimum value; this is subject to time. 2226 */ 2227 if (rt->rt_rmx.rmx_locks & RTV_RTT) 2228 tp->t_rttmin = rtt / (RTM_RTTUNIT / hz); 2229 tp->t_srtt = rtt / (RTM_RTTUNIT / (hz * TCP_RTT_SCALE)); 2230 tcpstat.tcps_usedrtt++; 2231 if (rt->rt_rmx.rmx_rttvar) { 2232 tp->t_rttvar = rt->rt_rmx.rmx_rttvar / 2233 (RTM_RTTUNIT / (hz * TCP_RTTVAR_SCALE)); 2234 tcpstat.tcps_usedrttvar++; 2235 } else { 2236 /* default variation is +- 1 rtt */ 2237 tp->t_rttvar = 2238 tp->t_srtt * TCP_RTTVAR_SCALE / TCP_RTT_SCALE; 2239 } 2240 TCPT_RANGESET(tp->t_rxtcur, 2241 ((tp->t_srtt >> 2) + tp->t_rttvar) >> 1, 2242 tp->t_rttmin, TCPTV_REXMTMAX); 2243 } 2244 /* 2245 * if there's an mtu associated with the route, use it 2246 */ 2247 if (rt->rt_rmx.rmx_mtu) 2248 mss = rt->rt_rmx.rmx_mtu - sizeof(struct tcpiphdr); 2249 else 2250 { 2251 mss = ifp->if_mtu - sizeof(struct tcpiphdr); 2252 if (!in_localaddr(inp->inp_faddr)) 2253 mss = min(mss, tcp_mssdflt); 2254 } 2255 mss = min(mss, offer); 2256 /* 2257 * maxopd stores the maximum length of data AND options 2258 * in a segment; maxseg is the amount of data in a normal 2259 * segment. We need to store this value (maxopd) apart 2260 * from maxseg, because now every segment carries options 2261 * and thus we normally have somewhat less data in segments. 2262 */ 2263 tp->t_maxopd = mss; 2264 2265 /* 2266 * In case of T/TCP, origoffer==-1 indicates, that no segments 2267 * were received yet. In this case we just guess, otherwise 2268 * we do the same as before T/TCP. 2269 */ 2270 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP && 2271 (origoffer == -1 || 2272 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP)) 2273 mss -= TCPOLEN_TSTAMP_APPA; 2274 if ((tp->t_flags & (TF_REQ_CC|TF_NOOPT)) == TF_REQ_CC && 2275 (origoffer == -1 || 2276 (tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC)) 2277 mss -= TCPOLEN_CC_APPA; 2278 2279#if (MCLBYTES & (MCLBYTES - 1)) == 0 2280 if (mss > MCLBYTES) 2281 mss &= ~(MCLBYTES-1); 2282#else 2283 if (mss > MCLBYTES) 2284 mss = mss / MCLBYTES * MCLBYTES; 2285#endif 2286 /* 2287 * If there's a pipesize, change the socket buffer 2288 * to that size. Make the socket buffers an integral 2289 * number of mss units; if the mss is larger than 2290 * the socket buffer, decrease the mss. 2291 */ 2292#ifdef RTV_SPIPE 2293 if ((bufsize = rt->rt_rmx.rmx_sendpipe) == 0) 2294#endif 2295 bufsize = so->so_snd.sb_hiwat; 2296 if (bufsize < mss) 2297 mss = bufsize; 2298 else { 2299 bufsize = roundup(bufsize, mss); 2300 if (bufsize > sb_max) 2301 bufsize = sb_max; 2302 (void)sbreserve(&so->so_snd, bufsize, so, NULL); 2303 } 2304 tp->t_maxseg = mss; 2305 2306#ifdef RTV_RPIPE 2307 if ((bufsize = rt->rt_rmx.rmx_recvpipe) == 0) 2308#endif 2309 bufsize = so->so_rcv.sb_hiwat; 2310 if (bufsize > mss) { 2311 bufsize = roundup(bufsize, mss); 2312 if (bufsize > sb_max) 2313 bufsize = sb_max; 2314 (void)sbreserve(&so->so_rcv, bufsize, so, NULL); 2315 } 2316 2317 /* 2318 * Set the slow-start flight size depending on whether this 2319 * is a local network or not. 2320 */ 2321 if (in_localaddr(inp->inp_faddr)) 2322 tp->snd_cwnd = mss * ss_fltsz_local; 2323 else 2324 tp->snd_cwnd = mss * ss_fltsz; 2325 2326 if (rt->rt_rmx.rmx_ssthresh) { 2327 /* 2328 * There's some sort of gateway or interface 2329 * buffer limit on the path. Use this to set 2330 * the slow start threshhold, but set the 2331 * threshold to no less than 2*mss. 2332 */ 2333 tp->snd_ssthresh = max(2 * mss, rt->rt_rmx.rmx_ssthresh); 2334 tcpstat.tcps_usedssthresh++; 2335 } 2336} 2337 2338/* 2339 * Determine the MSS option to send on an outgoing SYN. 2340 */ 2341int 2342tcp_mssopt(tp) 2343 struct tcpcb *tp; 2344{ 2345 struct rtentry *rt; 2346 2347 rt = tcp_rtlookup(tp->t_inpcb); 2348 if (rt == NULL) 2349 return tcp_mssdflt; 2350 2351 return rt->rt_ifp->if_mtu - sizeof(struct tcpiphdr); 2352}
|