]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet/tcp_subr.c
xnu-792.6.61.tar.gz
[apple/xnu.git] / bsd / netinet / tcp_subr.c
1 /*
2 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22 /*
23 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
24 * The Regents of the University of California. All rights reserved.
25 *
26 * Redistribution and use in source and binary forms, with or without
27 * modification, are permitted provided that the following conditions
28 * are met:
29 * 1. Redistributions of source code must retain the above copyright
30 * notice, this list of conditions and the following disclaimer.
31 * 2. Redistributions in binary form must reproduce the above copyright
32 * notice, this list of conditions and the following disclaimer in the
33 * documentation and/or other materials provided with the distribution.
34 * 3. All advertising materials mentioning features or use of this software
35 * must display the following acknowledgement:
36 * This product includes software developed by the University of
37 * California, Berkeley and its contributors.
38 * 4. Neither the name of the University nor the names of its contributors
39 * may be used to endorse or promote products derived from this software
40 * without specific prior written permission.
41 *
42 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
43 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
44 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
45 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
46 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
47 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
48 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
50 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
51 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * SUCH DAMAGE.
53 *
54 * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
55 * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.73.2.22 2001/08/22 00:59:12 silby Exp $
56 */
57
58
59 #include <sys/param.h>
60 #include <sys/systm.h>
61 #include <sys/callout.h>
62 #include <sys/kernel.h>
63 #include <sys/sysctl.h>
64 #include <sys/malloc.h>
65 #include <sys/mbuf.h>
66 #if INET6
67 #include <sys/domain.h>
68 #endif
69 #include <sys/proc.h>
70 #include <sys/kauth.h>
71 #include <sys/socket.h>
72 #include <sys/socketvar.h>
73 #include <sys/protosw.h>
74 #include <sys/random.h>
75 #include <sys/syslog.h>
76 #include <kern/locks.h>
77
78
79
80 #include <net/route.h>
81 #include <net/if.h>
82
83 #define _IP_VHL
84 #include <netinet/in.h>
85 #include <netinet/in_systm.h>
86 #include <netinet/ip.h>
87 #if INET6
88 #include <netinet/ip6.h>
89 #endif
90 #include <netinet/in_pcb.h>
91 #if INET6
92 #include <netinet6/in6_pcb.h>
93 #endif
94 #include <netinet/in_var.h>
95 #include <netinet/ip_var.h>
96 #if INET6
97 #include <netinet6/ip6_var.h>
98 #endif
99 #include <netinet/tcp.h>
100 #include <netinet/tcp_fsm.h>
101 #include <netinet/tcp_seq.h>
102 #include <netinet/tcp_timer.h>
103 #include <netinet/tcp_var.h>
104 #if INET6
105 #include <netinet6/tcp6_var.h>
106 #endif
107 #include <netinet/tcpip.h>
108 #if TCPDEBUG
109 #include <netinet/tcp_debug.h>
110 #endif
111 #include <netinet6/ip6protosw.h>
112
113 #if IPSEC
114 #include <netinet6/ipsec.h>
115 #if INET6
116 #include <netinet6/ipsec6.h>
117 #endif
118 #endif /*IPSEC*/
119
120 #include <sys/md5.h>
121 #include <sys/kdebug.h>
122
123 #define DBG_FNC_TCP_CLOSE NETDBG_CODE(DBG_NETTCP, ((5 << 8) | 2))
124
125 extern int tcp_lq_overflow;
126
127 /* temporary: for testing */
128 #if IPSEC
129 extern int ipsec_bypass;
130 extern lck_mtx_t *sadb_mutex;
131 #endif
132
133 int tcp_mssdflt = TCP_MSS;
134 SYSCTL_INT(_net_inet_tcp, TCPCTL_MSSDFLT, mssdflt, CTLFLAG_RW,
135 &tcp_mssdflt , 0, "Default TCP Maximum Segment Size");
136
137 #if INET6
138 int tcp_v6mssdflt = TCP6_MSS;
139 SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
140 CTLFLAG_RW, &tcp_v6mssdflt , 0,
141 "Default TCP Maximum Segment Size for IPv6");
142 #endif
143
144 /*
145 * Minimum MSS we accept and use. This prevents DoS attacks where
146 * we are forced to a ridiculous low MSS like 20 and send hundreds
147 * of packets instead of one. The effect scales with the available
148 * bandwidth and quickly saturates the CPU and network interface
149 * with packet generation and sending. Set to zero to disable MINMSS
150 * checking. This setting prevents us from sending too small packets.
151 */
152 int tcp_minmss = TCP_MINMSS;
153 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
154 &tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
155
156 /*
157 * Number of TCP segments per second we accept from remote host
158 * before we start to calculate average segment size. If average
159 * segment size drops below the minimum TCP MSS we assume a DoS
160 * attack and reset+drop the connection. Care has to be taken not to
161 * set this value too small to not kill interactive type connections
162 * (telnet, SSH) which send many small packets.
163 */
164 #ifdef FIX_WORKAROUND_FOR_3894301
165 __private_extern__ int tcp_minmssoverload = TCP_MINMSSOVERLOAD;
166 #else
167 __private_extern__ int tcp_minmssoverload = 0;
168 #endif
169 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW,
170 &tcp_minmssoverload , 0, "Number of TCP Segments per Second allowed to"
171 "be under the MINMSS Size");
172
173 static int tcp_do_rfc1323 = 1;
174 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
175 &tcp_do_rfc1323 , 0, "Enable rfc1323 (high performance TCP) extensions");
176
177 static int tcp_do_rfc1644 = 0;
178 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1644, rfc1644, CTLFLAG_RW,
179 &tcp_do_rfc1644 , 0, "Enable rfc1644 (TTCP) extensions");
180
181 static int tcp_tcbhashsize = 0;
182 SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcbhashsize, CTLFLAG_RD,
183 &tcp_tcbhashsize, 0, "Size of TCP control-block hashtable");
184
185 static int do_tcpdrain = 0;
186 SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
187 "Enable tcp_drain routine for extra help when low on mbufs");
188
189 SYSCTL_INT(_net_inet_tcp, OID_AUTO, pcbcount, CTLFLAG_RD,
190 &tcbinfo.ipi_count, 0, "Number of active PCBs");
191
192 static int icmp_may_rst = 1;
193 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0,
194 "Certain ICMP unreachable messages may abort connections in SYN_SENT");
195
196 static int tcp_strict_rfc1948 = 0;
197 SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
198 &tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
199
200 static int tcp_isn_reseed_interval = 0;
201 SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
202 &tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
203
204 static void tcp_cleartaocache(void);
205 static void tcp_notify(struct inpcb *, int);
206
207 /*
208 * Target size of TCP PCB hash tables. Must be a power of two.
209 *
210 * Note that this can be overridden by the kernel environment
211 * variable net.inet.tcp.tcbhashsize
212 */
213 #ifndef TCBHASHSIZE
214 #define TCBHASHSIZE 4096
215 #endif
216
217 /*
218 * This is the actual shape of what we allocate using the zone
219 * allocator. Doing it this way allows us to protect both structures
220 * using the same generation count, and also eliminates the overhead
221 * of allocating tcpcbs separately. By hiding the structure here,
222 * we avoid changing most of the rest of the code (although it needs
223 * to be changed, eventually, for greater efficiency).
224 */
225 #define ALIGNMENT 32
226 #define ALIGNM1 (ALIGNMENT - 1)
227 struct inp_tp {
228 union {
229 struct inpcb inp;
230 char align[(sizeof(struct inpcb) + ALIGNM1) & ~ALIGNM1];
231 } inp_tp_u;
232 struct tcpcb tcb;
233 #ifndef __APPLE__
234 struct callout inp_tp_rexmt, inp_tp_persist, inp_tp_keep, inp_tp_2msl;
235 struct callout inp_tp_delack;
236 #endif
237 };
238 #undef ALIGNMENT
239 #undef ALIGNM1
240
241 static struct tcpcb dummy_tcb;
242
243
244 extern struct inpcbhead time_wait_slots[];
245 extern int cur_tw_slot;
246 extern u_long *delack_bitmask;
247 extern u_long route_generation;
248
249
250 int get_inpcb_str_size()
251 {
252 return sizeof(struct inpcb);
253 }
254
255
256 int get_tcp_str_size()
257 {
258 return sizeof(struct tcpcb);
259 }
260
261 int tcp_freeq(struct tcpcb *tp);
262
263
264 /*
265 * Tcp initialization
266 */
267 void
268 tcp_init()
269 {
270 int hashsize = TCBHASHSIZE;
271 vm_size_t str_size;
272 int i;
273 struct inpcbinfo *pcbinfo;
274
275 tcp_ccgen = 1;
276 tcp_cleartaocache();
277
278 tcp_delacktime = TCPTV_DELACK;
279 tcp_keepinit = TCPTV_KEEP_INIT;
280 tcp_keepidle = TCPTV_KEEP_IDLE;
281 tcp_keepintvl = TCPTV_KEEPINTVL;
282 tcp_maxpersistidle = TCPTV_KEEP_IDLE;
283 tcp_msl = TCPTV_MSL;
284 read_random(&tcp_now, sizeof(tcp_now));
285 tcp_now = tcp_now & 0x7fffffff; /* Starts tcp internal 500ms clock at a random value */
286
287
288 LIST_INIT(&tcb);
289 tcbinfo.listhead = &tcb;
290 pcbinfo = &tcbinfo;
291 #ifndef __APPLE__
292 TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
293 #endif
294 if (!powerof2(hashsize)) {
295 printf("WARNING: TCB hash size not a power of 2\n");
296 hashsize = 512; /* safe default */
297 }
298 tcp_tcbhashsize = hashsize;
299 tcbinfo.hashsize = hashsize;
300 tcbinfo.hashbase = hashinit(hashsize, M_PCB, &tcbinfo.hashmask);
301 tcbinfo.porthashbase = hashinit(hashsize, M_PCB,
302 &tcbinfo.porthashmask);
303 #ifdef __APPLE__
304 str_size = (vm_size_t) sizeof(struct inp_tp);
305 tcbinfo.ipi_zone = (void *) zinit(str_size, 120000*str_size, 8192, "tcpcb");
306 #else
307 tcbinfo.ipi_zone = zinit("tcpcb", sizeof(struct inp_tp), maxsockets,
308 ZONE_INTERRUPT, 0);
309 #endif
310
311 tcp_reass_maxseg = nmbclusters / 16;
312 #ifndef __APPLE__
313 TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
314 &tcp_reass_maxseg);
315 #endif
316
317 #if INET6
318 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
319 #else /* INET6 */
320 #define TCP_MINPROTOHDR (sizeof(struct tcpiphdr))
321 #endif /* INET6 */
322 if (max_protohdr < TCP_MINPROTOHDR)
323 max_protohdr = TCP_MINPROTOHDR;
324 if (max_linkhdr + TCP_MINPROTOHDR > MHLEN)
325 panic("tcp_init");
326 #undef TCP_MINPROTOHDR
327 dummy_tcb.t_state = TCP_NSTATES;
328 dummy_tcb.t_flags = 0;
329 tcbinfo.dummy_cb = (caddr_t) &dummy_tcb;
330
331 /*
332 * allocate lock group attribute and group for tcp pcb mutexes
333 */
334 pcbinfo->mtx_grp_attr = lck_grp_attr_alloc_init();
335 lck_grp_attr_setdefault(pcbinfo->mtx_grp_attr);
336 pcbinfo->mtx_grp = lck_grp_alloc_init("tcppcb", pcbinfo->mtx_grp_attr);
337
338 /*
339 * allocate the lock attribute for tcp pcb mutexes
340 */
341 pcbinfo->mtx_attr = lck_attr_alloc_init();
342 lck_attr_setdefault(pcbinfo->mtx_attr);
343
344 if ((pcbinfo->mtx = lck_rw_alloc_init(pcbinfo->mtx_grp, pcbinfo->mtx_attr)) == NULL) {
345 printf("tcp_init: mutex not alloced!\n");
346 return; /* pretty much dead if this fails... */
347 }
348
349
350 in_pcb_nat_init(&tcbinfo, AF_INET, IPPROTO_TCP, SOCK_STREAM);
351
352 delack_bitmask = _MALLOC((4 * hashsize)/32, M_PCB, M_WAITOK);
353 if (delack_bitmask == 0)
354 panic("Delack Memory");
355
356 for (i=0; i < (tcbinfo.hashsize / 32); i++)
357 delack_bitmask[i] = 0;
358
359 for (i=0; i < N_TIME_WAIT_SLOTS; i++) {
360 LIST_INIT(&time_wait_slots[i]);
361 }
362 }
363
364 /*
365 * Fill in the IP and TCP headers for an outgoing packet, given the tcpcb.
366 * tcp_template used to store this data in mbufs, but we now recopy it out
367 * of the tcpcb each time to conserve mbufs.
368 */
369 void
370 tcp_fillheaders(tp, ip_ptr, tcp_ptr)
371 struct tcpcb *tp;
372 void *ip_ptr;
373 void *tcp_ptr;
374 {
375 struct inpcb *inp = tp->t_inpcb;
376 struct tcphdr *tcp_hdr = (struct tcphdr *)tcp_ptr;
377
378 #if INET6
379 if ((inp->inp_vflag & INP_IPV6) != 0) {
380 struct ip6_hdr *ip6;
381
382 ip6 = (struct ip6_hdr *)ip_ptr;
383 ip6->ip6_flow = (ip6->ip6_flow & ~IPV6_FLOWINFO_MASK) |
384 (inp->in6p_flowinfo & IPV6_FLOWINFO_MASK);
385 ip6->ip6_vfc = (ip6->ip6_vfc & ~IPV6_VERSION_MASK) |
386 (IPV6_VERSION & IPV6_VERSION_MASK);
387 ip6->ip6_nxt = IPPROTO_TCP;
388 ip6->ip6_plen = sizeof(struct tcphdr);
389 ip6->ip6_src = inp->in6p_laddr;
390 ip6->ip6_dst = inp->in6p_faddr;
391 tcp_hdr->th_sum = 0;
392 } else
393 #endif
394 {
395 struct ip *ip = (struct ip *) ip_ptr;
396
397 ip->ip_vhl = IP_VHL_BORING;
398 ip->ip_tos = 0;
399 ip->ip_len = 0;
400 ip->ip_id = 0;
401 ip->ip_off = 0;
402 ip->ip_ttl = 0;
403 ip->ip_sum = 0;
404 ip->ip_p = IPPROTO_TCP;
405 ip->ip_src = inp->inp_laddr;
406 ip->ip_dst = inp->inp_faddr;
407 tcp_hdr->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
408 htons(sizeof(struct tcphdr) + IPPROTO_TCP));
409 }
410
411 tcp_hdr->th_sport = inp->inp_lport;
412 tcp_hdr->th_dport = inp->inp_fport;
413 tcp_hdr->th_seq = 0;
414 tcp_hdr->th_ack = 0;
415 tcp_hdr->th_x2 = 0;
416 tcp_hdr->th_off = 5;
417 tcp_hdr->th_flags = 0;
418 tcp_hdr->th_win = 0;
419 tcp_hdr->th_urp = 0;
420 }
421
422 /*
423 * Create template to be used to send tcp packets on a connection.
424 * Allocates an mbuf and fills in a skeletal tcp/ip header. The only
425 * use for this function is in keepalives, which use tcp_respond.
426 */
427 struct tcptemp *
428 tcp_maketemplate(tp)
429 struct tcpcb *tp;
430 {
431 struct mbuf *m;
432 struct tcptemp *n;
433
434 m = m_get(M_DONTWAIT, MT_HEADER);
435 if (m == NULL)
436 return (0);
437 m->m_len = sizeof(struct tcptemp);
438 n = mtod(m, struct tcptemp *);
439
440 tcp_fillheaders(tp, (void *)&n->tt_ipgen, (void *)&n->tt_t);
441 return (n);
442 }
443
444 /*
445 * Send a single message to the TCP at address specified by
446 * the given TCP/IP header. If m == 0, then we make a copy
447 * of the tcpiphdr at ti and send directly to the addressed host.
448 * This is used to force keep alive messages out using the TCP
449 * template for a connection. If flags are given then we send
450 * a message back to the TCP which originated the * segment ti,
451 * and discard the mbuf containing it and any other attached mbufs.
452 *
453 * In any case the ack and sequence number of the transmitted
454 * segment are as specified by the parameters.
455 *
456 * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
457 */
458 void
459 tcp_respond(tp, ipgen, th, m, ack, seq, flags)
460 struct tcpcb *tp;
461 void *ipgen;
462 register struct tcphdr *th;
463 register struct mbuf *m;
464 tcp_seq ack, seq;
465 int flags;
466 {
467 register int tlen;
468 int win = 0;
469 struct route *ro = 0;
470 struct route sro;
471 struct ip *ip;
472 struct tcphdr *nth;
473 #if INET6
474 struct route_in6 *ro6 = 0;
475 struct route_in6 sro6;
476 struct ip6_hdr *ip6;
477 int isipv6;
478 #endif /* INET6 */
479 int ipflags = 0;
480
481 #if INET6
482 isipv6 = IP_VHL_V(((struct ip *)ipgen)->ip_vhl) == 6;
483 ip6 = ipgen;
484 #endif /* INET6 */
485 ip = ipgen;
486
487 if (tp) {
488 if (!(flags & TH_RST)) {
489 win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
490 if (win > (long)TCP_MAXWIN << tp->rcv_scale)
491 win = (long)TCP_MAXWIN << tp->rcv_scale;
492 }
493 #if INET6
494 if (isipv6)
495 ro6 = &tp->t_inpcb->in6p_route;
496 else
497 #endif /* INET6 */
498 ro = &tp->t_inpcb->inp_route;
499 } else {
500 #if INET6
501 if (isipv6) {
502 ro6 = &sro6;
503 bzero(ro6, sizeof *ro6);
504 } else
505 #endif /* INET6 */
506 {
507 ro = &sro;
508 bzero(ro, sizeof *ro);
509 }
510 }
511 if (m == 0) {
512 m = m_gethdr(M_DONTWAIT, MT_HEADER);
513 if (m == NULL)
514 return;
515 tlen = 0;
516 m->m_data += max_linkhdr;
517 #if INET6
518 if (isipv6) {
519 bcopy((caddr_t)ip6, mtod(m, caddr_t),
520 sizeof(struct ip6_hdr));
521 ip6 = mtod(m, struct ip6_hdr *);
522 nth = (struct tcphdr *)(ip6 + 1);
523 } else
524 #endif /* INET6 */
525 {
526 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
527 ip = mtod(m, struct ip *);
528 nth = (struct tcphdr *)(ip + 1);
529 }
530 bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr));
531 flags = TH_ACK;
532 } else {
533 m_freem(m->m_next);
534 m->m_next = 0;
535 m->m_data = (caddr_t)ipgen;
536 /* m_len is set later */
537 tlen = 0;
538 #define xchg(a,b,type) { type t; t=a; a=b; b=t; }
539 #if INET6
540 if (isipv6) {
541 xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr);
542 nth = (struct tcphdr *)(ip6 + 1);
543 } else
544 #endif /* INET6 */
545 {
546 xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, n_long);
547 nth = (struct tcphdr *)(ip + 1);
548 }
549 if (th != nth) {
550 /*
551 * this is usually a case when an extension header
552 * exists between the IPv6 header and the
553 * TCP header.
554 */
555 nth->th_sport = th->th_sport;
556 nth->th_dport = th->th_dport;
557 }
558 xchg(nth->th_dport, nth->th_sport, n_short);
559 #undef xchg
560 }
561 #if INET6
562 if (isipv6) {
563 ip6->ip6_plen = htons((u_short)(sizeof (struct tcphdr) +
564 tlen));
565 tlen += sizeof (struct ip6_hdr) + sizeof (struct tcphdr);
566 } else
567 #endif
568 {
569 tlen += sizeof (struct tcpiphdr);
570 ip->ip_len = tlen;
571 ip->ip_ttl = ip_defttl;
572 }
573 m->m_len = tlen;
574 m->m_pkthdr.len = tlen;
575 m->m_pkthdr.rcvif = 0;
576 nth->th_seq = htonl(seq);
577 nth->th_ack = htonl(ack);
578 nth->th_x2 = 0;
579 nth->th_off = sizeof (struct tcphdr) >> 2;
580 nth->th_flags = flags;
581 if (tp)
582 nth->th_win = htons((u_short) (win >> tp->rcv_scale));
583 else
584 nth->th_win = htons((u_short)win);
585 nth->th_urp = 0;
586 #if INET6
587 if (isipv6) {
588 nth->th_sum = 0;
589 nth->th_sum = in6_cksum(m, IPPROTO_TCP,
590 sizeof(struct ip6_hdr),
591 tlen - sizeof(struct ip6_hdr));
592 ip6->ip6_hlim = in6_selecthlim(tp ? tp->t_inpcb : NULL,
593 ro6 && ro6->ro_rt ?
594 ro6->ro_rt->rt_ifp :
595 NULL);
596 } else
597 #endif /* INET6 */
598 {
599 nth->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
600 htons((u_short)(tlen - sizeof(struct ip) + ip->ip_p)));
601 m->m_pkthdr.csum_flags = CSUM_TCP;
602 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
603 }
604 #if TCPDEBUG
605 if (tp == NULL || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
606 tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0);
607 #endif
608 #if IPSEC
609 if (ipsec_bypass == 0 && ipsec_setsocket(m, tp ? tp->t_inpcb->inp_socket : NULL) != 0) {
610 m_freem(m);
611 return;
612 }
613 #endif
614 #if INET6
615 if (isipv6) {
616 (void)ip6_output(m, NULL, ro6, ipflags, NULL, NULL, 0);
617 if (ro6 == &sro6 && ro6->ro_rt) {
618 rtfree(ro6->ro_rt);
619 ro6->ro_rt = NULL;
620 }
621 } else
622 #endif /* INET6 */
623 {
624 (void) ip_output_list(m, 0, NULL, ro, ipflags, NULL);
625 if (ro == &sro && ro->ro_rt) {
626 rtfree(ro->ro_rt);
627 ro->ro_rt = NULL;
628 }
629 }
630 }
631
632 /*
633 * Create a new TCP control block, making an
634 * empty reassembly queue and hooking it to the argument
635 * protocol control block. The `inp' parameter must have
636 * come from the zone allocator set up in tcp_init().
637 */
638 struct tcpcb *
639 tcp_newtcpcb(inp)
640 struct inpcb *inp;
641 {
642 struct inp_tp *it;
643 register struct tcpcb *tp;
644 register struct socket *so = inp->inp_socket;
645 #if INET6
646 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
647 #endif /* INET6 */
648
649 if (so->cached_in_sock_layer == 0) {
650 it = (struct inp_tp *)inp;
651 tp = &it->tcb;
652 }
653 else
654 tp = (struct tcpcb *) inp->inp_saved_ppcb;
655
656 bzero((char *) tp, sizeof(struct tcpcb));
657 LIST_INIT(&tp->t_segq);
658 tp->t_maxseg = tp->t_maxopd =
659 #if INET6
660 isipv6 ? tcp_v6mssdflt :
661 #endif /* INET6 */
662 tcp_mssdflt;
663
664 #ifndef __APPLE__
665 /* Set up our timeouts. */
666 callout_init(tp->tt_rexmt = &it->inp_tp_rexmt);
667 callout_init(tp->tt_persist = &it->inp_tp_persist);
668 callout_init(tp->tt_keep = &it->inp_tp_keep);
669 callout_init(tp->tt_2msl = &it->inp_tp_2msl);
670 callout_init(tp->tt_delack = &it->inp_tp_delack);
671 #endif
672
673 if (tcp_do_rfc1323)
674 tp->t_flags = (TF_REQ_SCALE|TF_REQ_TSTMP);
675 if (tcp_do_rfc1644)
676 tp->t_flags |= TF_REQ_CC;
677 tp->t_inpcb = inp; /* XXX */
678 /*
679 * Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no
680 * rtt estimate. Set rttvar so that srtt + 4 * rttvar gives
681 * reasonable initial retransmit time.
682 */
683 tp->t_srtt = TCPTV_SRTTBASE;
684 tp->t_rttvar = ((TCPTV_RTOBASE - TCPTV_SRTTBASE) << TCP_RTTVAR_SHIFT) / 4;
685 tp->t_rttmin = TCPTV_MIN;
686 tp->t_rxtcur = TCPTV_RTOBASE;
687 tp->snd_cwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
688 tp->snd_ssthresh = TCP_MAXWIN << TCP_MAX_WINSHIFT;
689 /*
690 * IPv4 TTL initialization is necessary for an IPv6 socket as well,
691 * because the socket may be bound to an IPv6 wildcard address,
692 * which may match an IPv4-mapped IPv6 address.
693 */
694 inp->inp_ip_ttl = ip_defttl;
695 inp->inp_ppcb = (caddr_t)tp;
696 return (tp); /* XXX */
697 }
698
699 /*
700 * Drop a TCP connection, reporting
701 * the specified error. If connection is synchronized,
702 * then send a RST to peer.
703 */
704 struct tcpcb *
705 tcp_drop(tp, errno)
706 register struct tcpcb *tp;
707 int errno;
708 {
709 struct socket *so = tp->t_inpcb->inp_socket;
710
711 #ifdef __APPLE__
712 switch (tp->t_state)
713 {
714 case TCPS_ESTABLISHED:
715 case TCPS_FIN_WAIT_1:
716 case TCPS_CLOSING:
717 case TCPS_CLOSE_WAIT:
718 case TCPS_LAST_ACK:
719 break;
720 }
721 #endif
722
723 if (TCPS_HAVERCVDSYN(tp->t_state)) {
724 tp->t_state = TCPS_CLOSED;
725 (void) tcp_output(tp);
726 tcpstat.tcps_drops++;
727 } else
728 tcpstat.tcps_conndrops++;
729 if (errno == ETIMEDOUT && tp->t_softerror)
730 errno = tp->t_softerror;
731 so->so_error = errno;
732 return (tcp_close(tp));
733 }
734
735 /*
736 * Close a TCP control block:
737 * discard all space held by the tcp
738 * discard internet protocol block
739 * wake up any sleepers
740 */
741 struct tcpcb *
742 tcp_close(tp)
743 register struct tcpcb *tp;
744 {
745 register struct tseg_qent *q;
746 struct inpcb *inp = tp->t_inpcb;
747 struct socket *so = inp->inp_socket;
748 #if INET6
749 int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
750 #endif /* INET6 */
751 register struct rtentry *rt;
752 int dosavessthresh;
753
754 if ( inp->inp_ppcb == NULL) /* tcp_close was called previously, bail */
755 return;
756
757 #ifndef __APPLE__
758 /*
759 * Make sure that all of our timers are stopped before we
760 * delete the PCB.
761 */
762 callout_stop(tp->tt_rexmt);
763 callout_stop(tp->tt_persist);
764 callout_stop(tp->tt_keep);
765 callout_stop(tp->tt_2msl);
766 callout_stop(tp->tt_delack);
767 #else
768 /* Clear the timers before we delete the PCB. */
769 {
770 int i;
771 for (i = 0; i < TCPT_NTIMERS; i++) {
772 tp->t_timer[i] = 0;
773 }
774 }
775 #endif
776
777 KERNEL_DEBUG(DBG_FNC_TCP_CLOSE | DBG_FUNC_START, tp,0,0,0,0);
778 switch (tp->t_state)
779 {
780 case TCPS_ESTABLISHED:
781 case TCPS_FIN_WAIT_1:
782 case TCPS_CLOSING:
783 case TCPS_CLOSE_WAIT:
784 case TCPS_LAST_ACK:
785 break;
786 }
787
788
789 /*
790 * If we got enough samples through the srtt filter,
791 * save the rtt and rttvar in the routing entry.
792 * 'Enough' is arbitrarily defined as the 16 samples.
793 * 16 samples is enough for the srtt filter to converge
794 * to within 5% of the correct value; fewer samples and
795 * we could save a very bogus rtt.
796 *
797 * Don't update the default route's characteristics and don't
798 * update anything that the user "locked".
799 */
800 if (tp->t_rttupdated >= 16) {
801 register u_long i = 0;
802 #if INET6
803 if (isipv6) {
804 struct sockaddr_in6 *sin6;
805
806 if ((rt = inp->in6p_route.ro_rt) == NULL)
807 goto no_valid_rt;
808 sin6 = (struct sockaddr_in6 *)rt_key(rt);
809 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
810 goto no_valid_rt;
811 }
812 else
813 #endif /* INET6 */
814 rt = inp->inp_route.ro_rt;
815 if (rt == NULL ||
816 ((struct sockaddr_in *)rt_key(rt))->sin_addr.s_addr
817 == INADDR_ANY || rt->generation_id != route_generation) {
818 if (tp->t_state >= TCPS_CLOSE_WAIT)
819 tp->t_state = TCPS_CLOSING;
820
821 goto no_valid_rt;
822 }
823
824 if ((rt->rt_rmx.rmx_locks & RTV_RTT) == 0) {
825 i = tp->t_srtt *
826 (RTM_RTTUNIT / (PR_SLOWHZ * TCP_RTT_SCALE));
827 if (rt->rt_rmx.rmx_rtt && i)
828 /*
829 * filter this update to half the old & half
830 * the new values, converting scale.
831 * See route.h and tcp_var.h for a
832 * description of the scaling constants.
833 */
834 rt->rt_rmx.rmx_rtt =
835 (rt->rt_rmx.rmx_rtt + i) / 2;
836 else
837 rt->rt_rmx.rmx_rtt = i;
838 tcpstat.tcps_cachedrtt++;
839 }
840 if ((rt->rt_rmx.rmx_locks & RTV_RTTVAR) == 0) {
841 i = tp->t_rttvar *
842 (RTM_RTTUNIT / (PR_SLOWHZ * TCP_RTTVAR_SCALE));
843 if (rt->rt_rmx.rmx_rttvar && i)
844 rt->rt_rmx.rmx_rttvar =
845 (rt->rt_rmx.rmx_rttvar + i) / 2;
846 else
847 rt->rt_rmx.rmx_rttvar = i;
848 tcpstat.tcps_cachedrttvar++;
849 }
850 /*
851 * The old comment here said:
852 * update the pipelimit (ssthresh) if it has been updated
853 * already or if a pipesize was specified & the threshhold
854 * got below half the pipesize. I.e., wait for bad news
855 * before we start updating, then update on both good
856 * and bad news.
857 *
858 * But we want to save the ssthresh even if no pipesize is
859 * specified explicitly in the route, because such
860 * connections still have an implicit pipesize specified
861 * by the global tcp_sendspace. In the absence of a reliable
862 * way to calculate the pipesize, it will have to do.
863 */
864 i = tp->snd_ssthresh;
865 if (rt->rt_rmx.rmx_sendpipe != 0)
866 dosavessthresh = (i < rt->rt_rmx.rmx_sendpipe / 2);
867 else
868 dosavessthresh = (i < so->so_snd.sb_hiwat / 2);
869 if (((rt->rt_rmx.rmx_locks & RTV_SSTHRESH) == 0 &&
870 i != 0 && rt->rt_rmx.rmx_ssthresh != 0)
871 || dosavessthresh) {
872 /*
873 * convert the limit from user data bytes to
874 * packets then to packet data bytes.
875 */
876 i = (i + tp->t_maxseg / 2) / tp->t_maxseg;
877 if (i < 2)
878 i = 2;
879 i *= (u_long)(tp->t_maxseg +
880 #if INET6
881 (isipv6 ? sizeof (struct ip6_hdr) +
882 sizeof (struct tcphdr) :
883 #endif
884 sizeof (struct tcpiphdr)
885 #if INET6
886 )
887 #endif
888 );
889 if (rt->rt_rmx.rmx_ssthresh)
890 rt->rt_rmx.rmx_ssthresh =
891 (rt->rt_rmx.rmx_ssthresh + i) / 2;
892 else
893 rt->rt_rmx.rmx_ssthresh = i;
894 tcpstat.tcps_cachedssthresh++;
895 }
896 }
897 rt = inp->inp_route.ro_rt;
898 if (rt) {
899 /*
900 * mark route for deletion if no information is
901 * cached.
902 */
903 if ((tp->t_flags & TF_LQ_OVERFLOW) && tcp_lq_overflow &&
904 ((rt->rt_rmx.rmx_locks & RTV_RTT) == 0)){
905 if (rt->rt_rmx.rmx_rtt == 0)
906 rt->rt_flags |= RTF_DELCLONE;
907 }
908 }
909 no_valid_rt:
910 /* free the reassembly queue, if any */
911 (void) tcp_freeq(tp);
912
913 #ifdef __APPLE__
914 if (so->cached_in_sock_layer)
915 inp->inp_saved_ppcb = (caddr_t) tp;
916 #endif
917
918 soisdisconnected(so);
919 #if INET6
920 if (INP_CHECK_SOCKAF(so, AF_INET6))
921 in6_pcbdetach(inp);
922 else
923 #endif /* INET6 */
924 in_pcbdetach(inp);
925 tcpstat.tcps_closed++;
926 KERNEL_DEBUG(DBG_FNC_TCP_CLOSE | DBG_FUNC_END, tcpstat.tcps_closed,0,0,0,0);
927 return ((struct tcpcb *)0);
928 }
929
930 int
931 tcp_freeq(tp)
932 struct tcpcb *tp;
933 {
934
935 register struct tseg_qent *q;
936 int rv = 0;
937
938 while((q = LIST_FIRST(&tp->t_segq)) != NULL) {
939 LIST_REMOVE(q, tqe_q);
940 m_freem(q->tqe_m);
941 FREE(q, M_TSEGQ);
942 tcp_reass_qsize--;
943 rv = 1;
944 }
945 return (rv);
946 }
947
948 void
949 tcp_drain()
950 {
951 /*
952 * ###LD 05/19/04 locking issue, tcpdrain is disabled, deadlock situation with tcbinfo.mtx
953 */
954 if (do_tcpdrain)
955 {
956 struct inpcb *inpb;
957 struct tcpcb *tcpb;
958 struct tseg_qent *te;
959
960 /*
961 * Walk the tcpbs, if existing, and flush the reassembly queue,
962 * if there is one...
963 * XXX: The "Net/3" implementation doesn't imply that the TCP
964 * reassembly queue should be flushed, but in a situation
965 * where we're really low on mbufs, this is potentially
966 * usefull.
967 */
968 lck_rw_lock_exclusive(tcbinfo.mtx);
969 for (inpb = LIST_FIRST(tcbinfo.listhead); inpb;
970 inpb = LIST_NEXT(inpb, inp_list)) {
971 if ((tcpb = intotcpcb(inpb))) {
972 while ((te = LIST_FIRST(&tcpb->t_segq))
973 != NULL) {
974 LIST_REMOVE(te, tqe_q);
975 m_freem(te->tqe_m);
976 FREE(te, M_TSEGQ);
977 tcp_reass_qsize--;
978 }
979 }
980 }
981 lck_rw_done(tcbinfo.mtx);
982
983 }
984 }
985
986 /*
987 * Notify a tcp user of an asynchronous error;
988 * store error as soft error, but wake up user
989 * (for now, won't do anything until can select for soft error).
990 *
991 * Do not wake up user since there currently is no mechanism for
992 * reporting soft errors (yet - a kqueue filter may be added).
993 */
994 static void
995 tcp_notify(inp, error)
996 struct inpcb *inp;
997 int error;
998 {
999 struct tcpcb *tp;
1000
1001 if (inp == NULL || (inp->inp_state == INPCB_STATE_DEAD))
1002 return; /* pcb is gone already */
1003
1004 tp = (struct tcpcb *)inp->inp_ppcb;
1005
1006 /*
1007 * Ignore some errors if we are hooked up.
1008 * If connection hasn't completed, has retransmitted several times,
1009 * and receives a second error, give up now. This is better
1010 * than waiting a long time to establish a connection that
1011 * can never complete.
1012 */
1013 if (tp->t_state == TCPS_ESTABLISHED &&
1014 (error == EHOSTUNREACH || error == ENETUNREACH ||
1015 error == EHOSTDOWN)) {
1016 return;
1017 } else if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 &&
1018 tp->t_softerror)
1019 tcp_drop(tp, error);
1020 else
1021 tp->t_softerror = error;
1022 #if 0
1023 wakeup((caddr_t) &so->so_timeo);
1024 sorwakeup(so);
1025 sowwakeup(so);
1026 #endif
1027 }
1028
1029 static int
1030 tcp_pcblist SYSCTL_HANDLER_ARGS
1031 {
1032 int error, i, n, s;
1033 struct inpcb *inp, **inp_list;
1034 inp_gen_t gencnt;
1035 struct xinpgen xig;
1036
1037 /*
1038 * The process of preparing the TCB list is too time-consuming and
1039 * resource-intensive to repeat twice on every request.
1040 */
1041 lck_rw_lock_shared(tcbinfo.mtx);
1042 if (req->oldptr == USER_ADDR_NULL) {
1043 n = tcbinfo.ipi_count;
1044 req->oldidx = 2 * (sizeof xig)
1045 + (n + n/8) * sizeof(struct xtcpcb);
1046 lck_rw_done(tcbinfo.mtx);
1047 return 0;
1048 }
1049
1050 if (req->newptr != USER_ADDR_NULL) {
1051 lck_rw_done(tcbinfo.mtx);
1052 return EPERM;
1053 }
1054
1055 /*
1056 * OK, now we're committed to doing something.
1057 */
1058 gencnt = tcbinfo.ipi_gencnt;
1059 n = tcbinfo.ipi_count;
1060
1061 bzero(&xig, sizeof(xig));
1062 xig.xig_len = sizeof xig;
1063 xig.xig_count = n;
1064 xig.xig_gen = gencnt;
1065 xig.xig_sogen = so_gencnt;
1066 error = SYSCTL_OUT(req, &xig, sizeof xig);
1067 if (error) {
1068 lck_rw_done(tcbinfo.mtx);
1069 return error;
1070 }
1071 /*
1072 * We are done if there is no pcb
1073 */
1074 if (n == 0) {
1075 lck_rw_done(tcbinfo.mtx);
1076 return 0;
1077 }
1078
1079 inp_list = _MALLOC(n * sizeof *inp_list, M_TEMP, M_WAITOK);
1080 if (inp_list == 0) {
1081 lck_rw_done(tcbinfo.mtx);
1082 return ENOMEM;
1083 }
1084
1085 for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
1086 inp = LIST_NEXT(inp, inp_list)) {
1087 #ifdef __APPLE__
1088 if (inp->inp_gencnt <= gencnt && inp->inp_state != INPCB_STATE_DEAD)
1089 #else
1090 if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
1091 #endif
1092 inp_list[i++] = inp;
1093 }
1094 n = i;
1095
1096 error = 0;
1097 for (i = 0; i < n; i++) {
1098 inp = inp_list[i];
1099 if (inp->inp_gencnt <= gencnt && inp->inp_state != INPCB_STATE_DEAD) {
1100 struct xtcpcb xt;
1101 caddr_t inp_ppcb;
1102
1103 bzero(&xt, sizeof(xt));
1104 xt.xt_len = sizeof xt;
1105 /* XXX should avoid extra copy */
1106 inpcb_to_compat(inp, &xt.xt_inp);
1107 inp_ppcb = inp->inp_ppcb;
1108 if (inp_ppcb != NULL) {
1109 bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
1110 }
1111 else
1112 bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
1113 if (inp->inp_socket)
1114 sotoxsocket(inp->inp_socket, &xt.xt_socket);
1115 error = SYSCTL_OUT(req, &xt, sizeof xt);
1116 }
1117 }
1118 if (!error) {
1119 /*
1120 * Give the user an updated idea of our state.
1121 * If the generation differs from what we told
1122 * her before, she knows that something happened
1123 * while we were processing this request, and it
1124 * might be necessary to retry.
1125 */
1126 bzero(&xig, sizeof(xig));
1127 xig.xig_len = sizeof xig;
1128 xig.xig_gen = tcbinfo.ipi_gencnt;
1129 xig.xig_sogen = so_gencnt;
1130 xig.xig_count = tcbinfo.ipi_count;
1131 error = SYSCTL_OUT(req, &xig, sizeof xig);
1132 }
1133 FREE(inp_list, M_TEMP);
1134 lck_rw_done(tcbinfo.mtx);
1135 return error;
1136 }
1137
1138 SYSCTL_PROC(_net_inet_tcp, TCPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0,
1139 tcp_pcblist, "S,xtcpcb", "List of active TCP connections");
1140
1141 #ifndef __APPLE__
1142 static int
1143 tcp_getcred(SYSCTL_HANDLER_ARGS)
1144 {
1145 struct sockaddr_in addrs[2];
1146 struct inpcb *inp;
1147 int error, s;
1148
1149 error = suser(req->p);
1150 if (error)
1151 return (error);
1152 error = SYSCTL_IN(req, addrs, sizeof(addrs));
1153 if (error)
1154 return (error);
1155 s = splnet();
1156 inp = in_pcblookup_hash(&tcbinfo, addrs[1].sin_addr, addrs[1].sin_port,
1157 addrs[0].sin_addr, addrs[0].sin_port, 0, NULL);
1158 if (inp == NULL || inp->inp_socket == NULL) {
1159 error = ENOENT;
1160 goto out;
1161 }
1162 error = SYSCTL_OUT(req, inp->inp_socket->so_cred, sizeof(*(kauth_cred_t)0);
1163 out:
1164 splx(s);
1165 return (error);
1166 }
1167
1168 SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
1169 0, 0, tcp_getcred, "S,ucred", "Get the ucred of a TCP connection");
1170
1171 #if INET6
1172 static int
1173 tcp6_getcred(SYSCTL_HANDLER_ARGS)
1174 {
1175 struct sockaddr_in6 addrs[2];
1176 struct inpcb *inp;
1177 int error, s, mapped = 0;
1178
1179 error = suser(req->p);
1180 if (error)
1181 return (error);
1182 error = SYSCTL_IN(req, addrs, sizeof(addrs));
1183 if (error)
1184 return (error);
1185 if (IN6_IS_ADDR_V4MAPPED(&addrs[0].sin6_addr)) {
1186 if (IN6_IS_ADDR_V4MAPPED(&addrs[1].sin6_addr))
1187 mapped = 1;
1188 else
1189 return (EINVAL);
1190 }
1191 s = splnet();
1192 if (mapped == 1)
1193 inp = in_pcblookup_hash(&tcbinfo,
1194 *(struct in_addr *)&addrs[1].sin6_addr.s6_addr[12],
1195 addrs[1].sin6_port,
1196 *(struct in_addr *)&addrs[0].sin6_addr.s6_addr[12],
1197 addrs[0].sin6_port,
1198 0, NULL);
1199 else
1200 inp = in6_pcblookup_hash(&tcbinfo, &addrs[1].sin6_addr,
1201 addrs[1].sin6_port,
1202 &addrs[0].sin6_addr, addrs[0].sin6_port,
1203 0, NULL);
1204 if (inp == NULL || inp->inp_socket == NULL) {
1205 error = ENOENT;
1206 goto out;
1207 }
1208 error = SYSCTL_OUT(req, inp->inp_socket->so_cred,
1209 sizeof(*(kauth_cred_t)0);
1210 out:
1211 splx(s);
1212 return (error);
1213 }
1214
1215 SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
1216 0, 0,
1217 tcp6_getcred, "S,ucred", "Get the ucred of a TCP6 connection");
1218 #endif
1219 #endif /* __APPLE__*/
1220
1221 void
1222 tcp_ctlinput(cmd, sa, vip)
1223 int cmd;
1224 struct sockaddr *sa;
1225 void *vip;
1226 {
1227 struct ip *ip = vip;
1228 struct tcphdr *th;
1229 struct in_addr faddr;
1230 struct inpcb *inp;
1231 struct tcpcb *tp;
1232 void (*notify)(struct inpcb *, int) = tcp_notify;
1233 tcp_seq icmp_seq;
1234 int s;
1235
1236 faddr = ((struct sockaddr_in *)sa)->sin_addr;
1237 if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY)
1238 return;
1239
1240 if (cmd == PRC_QUENCH)
1241 notify = tcp_quench;
1242 else if (icmp_may_rst && (cmd == PRC_UNREACH_ADMIN_PROHIB ||
1243 cmd == PRC_UNREACH_PORT) && ip)
1244 notify = tcp_drop_syn_sent;
1245 else if (cmd == PRC_MSGSIZE)
1246 notify = tcp_mtudisc;
1247 else if (PRC_IS_REDIRECT(cmd)) {
1248 ip = 0;
1249 notify = in_rtchange;
1250 } else if (cmd == PRC_HOSTDEAD)
1251 ip = 0;
1252 else if ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0)
1253 return;
1254 if (ip) {
1255 th = (struct tcphdr *)((caddr_t)ip
1256 + (IP_VHL_HL(ip->ip_vhl) << 2));
1257 inp = in_pcblookup_hash(&tcbinfo, faddr, th->th_dport,
1258 ip->ip_src, th->th_sport, 0, NULL);
1259 if (inp != NULL && inp->inp_socket != NULL) {
1260 tcp_lock(inp->inp_socket, 1, 0);
1261 if (in_pcb_checkstate(inp, WNT_RELEASE, 1) == WNT_STOPUSING) {
1262 tcp_unlock(inp->inp_socket, 1, 0);
1263 return;
1264 }
1265 icmp_seq = htonl(th->th_seq);
1266 tp = intotcpcb(inp);
1267 if (SEQ_GEQ(icmp_seq, tp->snd_una) &&
1268 SEQ_LT(icmp_seq, tp->snd_max))
1269 (*notify)(inp, inetctlerrmap[cmd]);
1270 tcp_unlock(inp->inp_socket, 1, 0);
1271 }
1272 } else
1273 in_pcbnotifyall(&tcbinfo, faddr, inetctlerrmap[cmd], notify);
1274 }
1275
1276 #if INET6
1277 void
1278 tcp6_ctlinput(cmd, sa, d)
1279 int cmd;
1280 struct sockaddr *sa;
1281 void *d;
1282 {
1283 struct tcphdr th;
1284 void (*notify)(struct inpcb *, int) = tcp_notify;
1285 struct ip6_hdr *ip6;
1286 struct mbuf *m;
1287 struct ip6ctlparam *ip6cp = NULL;
1288 const struct sockaddr_in6 *sa6_src = NULL;
1289 int off;
1290 struct tcp_portonly {
1291 u_int16_t th_sport;
1292 u_int16_t th_dport;
1293 } *thp;
1294
1295 if (sa->sa_family != AF_INET6 ||
1296 sa->sa_len != sizeof(struct sockaddr_in6))
1297 return;
1298
1299 if (cmd == PRC_QUENCH)
1300 notify = tcp_quench;
1301 else if (cmd == PRC_MSGSIZE)
1302 notify = tcp_mtudisc;
1303 else if (!PRC_IS_REDIRECT(cmd) &&
1304 ((unsigned)cmd > PRC_NCMDS || inet6ctlerrmap[cmd] == 0))
1305 return;
1306
1307 /* if the parameter is from icmp6, decode it. */
1308 if (d != NULL) {
1309 ip6cp = (struct ip6ctlparam *)d;
1310 m = ip6cp->ip6c_m;
1311 ip6 = ip6cp->ip6c_ip6;
1312 off = ip6cp->ip6c_off;
1313 sa6_src = ip6cp->ip6c_src;
1314 } else {
1315 m = NULL;
1316 ip6 = NULL;
1317 off = 0; /* fool gcc */
1318 sa6_src = &sa6_any;
1319 }
1320
1321 if (ip6) {
1322 /*
1323 * XXX: We assume that when IPV6 is non NULL,
1324 * M and OFF are valid.
1325 */
1326
1327 /* check if we can safely examine src and dst ports */
1328 if (m->m_pkthdr.len < off + sizeof(*thp))
1329 return;
1330
1331 bzero(&th, sizeof(th));
1332 m_copydata(m, off, sizeof(*thp), (caddr_t)&th);
1333
1334 in6_pcbnotify(&tcbinfo, sa, th.th_dport,
1335 (struct sockaddr *)ip6cp->ip6c_src,
1336 th.th_sport, cmd, notify);
1337 } else
1338 in6_pcbnotify(&tcbinfo, sa, 0, (struct sockaddr *)sa6_src,
1339 0, cmd, notify);
1340 }
1341 #endif /* INET6 */
1342
1343
1344 /*
1345 * Following is where TCP initial sequence number generation occurs.
1346 *
1347 * There are two places where we must use initial sequence numbers:
1348 * 1. In SYN-ACK packets.
1349 * 2. In SYN packets.
1350 *
1351 * The ISNs in SYN-ACK packets have no monotonicity requirement,
1352 * and should be as unpredictable as possible to avoid the possibility
1353 * of spoofing and/or connection hijacking. To satisfy this
1354 * requirement, SYN-ACK ISNs are generated via the arc4random()
1355 * function. If exact RFC 1948 compliance is requested via sysctl,
1356 * these ISNs will be generated just like those in SYN packets.
1357 *
1358 * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
1359 * depends on this property. In addition, these ISNs should be
1360 * unguessable so as to prevent connection hijacking. To satisfy
1361 * the requirements of this situation, the algorithm outlined in
1362 * RFC 1948 is used to generate sequence numbers.
1363 *
1364 * For more information on the theory of operation, please see
1365 * RFC 1948.
1366 *
1367 * Implementation details:
1368 *
1369 * Time is based off the system timer, and is corrected so that it
1370 * increases by one megabyte per second. This allows for proper
1371 * recycling on high speed LANs while still leaving over an hour
1372 * before rollover.
1373 *
1374 * Two sysctls control the generation of ISNs:
1375 *
1376 * net.inet.tcp.isn_reseed_interval controls the number of seconds
1377 * between seeding of isn_secret. This is normally set to zero,
1378 * as reseeding should not be necessary.
1379 *
1380 * net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
1381 * strictly. When strict compliance is requested, reseeding is
1382 * disabled and SYN-ACKs will be generated in the same manner as
1383 * SYNs. Strict mode is disabled by default.
1384 *
1385 */
1386
1387 #define ISN_BYTES_PER_SECOND 1048576
1388
1389 u_char isn_secret[32];
1390 int isn_last_reseed;
1391 MD5_CTX isn_ctx;
1392
1393 tcp_seq
1394 tcp_new_isn(tp)
1395 struct tcpcb *tp;
1396 {
1397 u_int32_t md5_buffer[4];
1398 tcp_seq new_isn;
1399 struct timeval time;
1400
1401 /* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
1402 if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
1403 && tcp_strict_rfc1948 == 0)
1404 #ifdef __APPLE__
1405 return random();
1406 #else
1407 return arc4random();
1408 #endif
1409
1410 /* Seed if this is the first use, reseed if requested. */
1411 if ((isn_last_reseed == 0) ||
1412 ((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
1413 (((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
1414 < (u_int)time.tv_sec))) {
1415 #ifdef __APPLE__
1416 read_random(&isn_secret, sizeof(isn_secret));
1417 #else
1418 read_random_unlimited(&isn_secret, sizeof(isn_secret));
1419 #endif
1420 isn_last_reseed = time.tv_sec;
1421 }
1422
1423 /* Compute the md5 hash and return the ISN. */
1424 MD5Init(&isn_ctx);
1425 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short));
1426 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short));
1427 #if INET6
1428 if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) {
1429 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr,
1430 sizeof(struct in6_addr));
1431 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr,
1432 sizeof(struct in6_addr));
1433 } else
1434 #endif
1435 {
1436 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr,
1437 sizeof(struct in_addr));
1438 MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr,
1439 sizeof(struct in_addr));
1440 }
1441 MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret));
1442 MD5Final((u_char *) &md5_buffer, &isn_ctx);
1443 new_isn = (tcp_seq) md5_buffer[0];
1444 new_isn += time.tv_sec * (ISN_BYTES_PER_SECOND / hz);
1445 return new_isn;
1446 }
1447
1448 /*
1449 * When a source quench is received, close congestion window
1450 * to one segment. We will gradually open it again as we proceed.
1451 */
1452 void
1453 tcp_quench(inp, errno)
1454 struct inpcb *inp;
1455 int errno;
1456 {
1457 struct tcpcb *tp = intotcpcb(inp);
1458
1459 if (tp)
1460 tp->snd_cwnd = tp->t_maxseg;
1461 }
1462
1463 /*
1464 * When a specific ICMP unreachable message is received and the
1465 * connection state is SYN-SENT, drop the connection. This behavior
1466 * is controlled by the icmp_may_rst sysctl.
1467 */
1468 void
1469 tcp_drop_syn_sent(inp, errno)
1470 struct inpcb *inp;
1471 int errno;
1472 {
1473 struct tcpcb *tp = intotcpcb(inp);
1474
1475 if (tp && tp->t_state == TCPS_SYN_SENT)
1476 tcp_drop(tp, errno);
1477 }
1478
1479 /*
1480 * When `need fragmentation' ICMP is received, update our idea of the MSS
1481 * based on the new value in the route. Also nudge TCP to send something,
1482 * since we know the packet we just sent was dropped.
1483 * This duplicates some code in the tcp_mss() function in tcp_input.c.
1484 */
1485 void
1486 tcp_mtudisc(inp, errno)
1487 struct inpcb *inp;
1488 int errno;
1489 {
1490 struct tcpcb *tp = intotcpcb(inp);
1491 struct rtentry *rt;
1492 struct rmxp_tao *taop;
1493 struct socket *so = inp->inp_socket;
1494 int offered;
1495 int mss;
1496 #if INET6
1497 int isipv6 = (tp->t_inpcb->inp_vflag & INP_IPV6) != 0;
1498 #endif /* INET6 */
1499
1500 if (tp) {
1501 #if INET6
1502 if (isipv6)
1503 rt = tcp_rtlookup6(inp);
1504 else
1505 #endif /* INET6 */
1506 rt = tcp_rtlookup(inp);
1507 if (!rt || !rt->rt_rmx.rmx_mtu) {
1508 tp->t_maxopd = tp->t_maxseg =
1509 #if INET6
1510 isipv6 ? tcp_v6mssdflt :
1511 #endif /* INET6 */
1512 tcp_mssdflt;
1513 return;
1514 }
1515 taop = rmx_taop(rt->rt_rmx);
1516 offered = taop->tao_mssopt;
1517 mss = rt->rt_rmx.rmx_mtu -
1518 #if INET6
1519 (isipv6 ?
1520 sizeof(struct ip6_hdr) + sizeof(struct tcphdr) :
1521 #endif /* INET6 */
1522 sizeof(struct tcpiphdr)
1523 #if INET6
1524 )
1525 #endif /* INET6 */
1526 ;
1527
1528 if (offered)
1529 mss = min(mss, offered);
1530 /*
1531 * XXX - The above conditional probably violates the TCP
1532 * spec. The problem is that, since we don't know the
1533 * other end's MSS, we are supposed to use a conservative
1534 * default. But, if we do that, then MTU discovery will
1535 * never actually take place, because the conservative
1536 * default is much less than the MTUs typically seen
1537 * on the Internet today. For the moment, we'll sweep
1538 * this under the carpet.
1539 *
1540 * The conservative default might not actually be a problem
1541 * if the only case this occurs is when sending an initial
1542 * SYN with options and data to a host we've never talked
1543 * to before. Then, they will reply with an MSS value which
1544 * will get recorded and the new parameters should get
1545 * recomputed. For Further Study.
1546 */
1547 if (tp->t_maxopd <= mss)
1548 return;
1549 tp->t_maxopd = mss;
1550
1551 if ((tp->t_flags & (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP &&
1552 (tp->t_flags & TF_RCVD_TSTMP) == TF_RCVD_TSTMP)
1553 mss -= TCPOLEN_TSTAMP_APPA;
1554 if ((tp->t_flags & (TF_REQ_CC|TF_NOOPT)) == TF_REQ_CC &&
1555 (tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC)
1556 mss -= TCPOLEN_CC_APPA;
1557
1558 if (so->so_snd.sb_hiwat < mss)
1559 mss = so->so_snd.sb_hiwat;
1560
1561 tp->t_maxseg = mss;
1562
1563 tcpstat.tcps_mturesent++;
1564 tp->t_rtttime = 0;
1565 tp->snd_nxt = tp->snd_una;
1566 tcp_output(tp);
1567 }
1568 }
1569
1570 /*
1571 * Look-up the routing entry to the peer of this inpcb. If no route
1572 * is found and it cannot be allocated the return NULL. This routine
1573 * is called by TCP routines that access the rmx structure and by tcp_mss
1574 * to get the interface MTU.
1575 */
1576 struct rtentry *
1577 tcp_rtlookup(inp)
1578 struct inpcb *inp;
1579 {
1580 struct route *ro;
1581 struct rtentry *rt;
1582
1583 ro = &inp->inp_route;
1584 if (ro == NULL)
1585 return (NULL);
1586 rt = ro->ro_rt;
1587 if (rt == NULL || !(rt->rt_flags & RTF_UP) || rt->generation_id != route_generation) {
1588 /* No route yet, so try to acquire one */
1589 if (inp->inp_faddr.s_addr != INADDR_ANY) {
1590 ro->ro_dst.sa_family = AF_INET;
1591 ro->ro_dst.sa_len = sizeof(struct sockaddr_in);
1592 ((struct sockaddr_in *) &ro->ro_dst)->sin_addr =
1593 inp->inp_faddr;
1594 rtalloc(ro);
1595 rt = ro->ro_rt;
1596 }
1597 }
1598 return rt;
1599 }
1600
1601 #if INET6
1602 struct rtentry *
1603 tcp_rtlookup6(inp)
1604 struct inpcb *inp;
1605 {
1606 struct route_in6 *ro6;
1607 struct rtentry *rt;
1608
1609 ro6 = &inp->in6p_route;
1610 rt = ro6->ro_rt;
1611 if (rt == NULL || !(rt->rt_flags & RTF_UP)) {
1612 /* No route yet, so try to acquire one */
1613 if (!IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr)) {
1614 struct sockaddr_in6 *dst6;
1615
1616 dst6 = (struct sockaddr_in6 *)&ro6->ro_dst;
1617 dst6->sin6_family = AF_INET6;
1618 dst6->sin6_len = sizeof(*dst6);
1619 dst6->sin6_addr = inp->in6p_faddr;
1620 rtalloc((struct route *)ro6);
1621 rt = ro6->ro_rt;
1622 }
1623 }
1624 return rt;
1625 }
1626 #endif /* INET6 */
1627
1628 #if IPSEC
1629 /* compute ESP/AH header size for TCP, including outer IP header. */
1630 size_t
1631 ipsec_hdrsiz_tcp(tp)
1632 struct tcpcb *tp;
1633 {
1634 struct inpcb *inp;
1635 struct mbuf *m;
1636 size_t hdrsiz;
1637 struct ip *ip;
1638 #if INET6
1639 struct ip6_hdr *ip6 = NULL;
1640 #endif /* INET6 */
1641 struct tcphdr *th;
1642
1643 if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
1644 return 0;
1645 MGETHDR(m, M_DONTWAIT, MT_DATA);
1646 if (!m)
1647 return 0;
1648
1649 lck_mtx_lock(sadb_mutex);
1650 #if INET6
1651 if ((inp->inp_vflag & INP_IPV6) != 0) {
1652 ip6 = mtod(m, struct ip6_hdr *);
1653 th = (struct tcphdr *)(ip6 + 1);
1654 m->m_pkthdr.len = m->m_len =
1655 sizeof(struct ip6_hdr) + sizeof(struct tcphdr);
1656 tcp_fillheaders(tp, ip6, th);
1657 hdrsiz = ipsec6_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
1658 } else
1659 #endif /* INET6 */
1660 {
1661 ip = mtod(m, struct ip *);
1662 th = (struct tcphdr *)(ip + 1);
1663 m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr);
1664 tcp_fillheaders(tp, ip, th);
1665 hdrsiz = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
1666 }
1667 lck_mtx_unlock(sadb_mutex);
1668 m_free(m);
1669 return hdrsiz;
1670 }
1671 #endif /*IPSEC*/
1672
1673 /*
1674 * Return a pointer to the cached information about the remote host.
1675 * The cached information is stored in the protocol specific part of
1676 * the route metrics.
1677 */
1678 struct rmxp_tao *
1679 tcp_gettaocache(inp)
1680 struct inpcb *inp;
1681 {
1682 struct rtentry *rt;
1683
1684 #if INET6
1685 if ((inp->inp_vflag & INP_IPV6) != 0)
1686 rt = tcp_rtlookup6(inp);
1687 else
1688 #endif /* INET6 */
1689 rt = tcp_rtlookup(inp);
1690
1691 /* Make sure this is a host route and is up. */
1692 if (rt == NULL ||
1693 (rt->rt_flags & (RTF_UP|RTF_HOST)) != (RTF_UP|RTF_HOST))
1694 return NULL;
1695
1696 return rmx_taop(rt->rt_rmx);
1697 }
1698
1699 /*
1700 * Clear all the TAO cache entries, called from tcp_init.
1701 *
1702 * XXX
1703 * This routine is just an empty one, because we assume that the routing
1704 * routing tables are initialized at the same time when TCP, so there is
1705 * nothing in the cache left over.
1706 */
1707 static void
1708 tcp_cleartaocache()
1709 {
1710 }
1711
1712 int
1713 tcp_lock(so, refcount, lr)
1714 struct socket *so;
1715 int refcount;
1716 int lr;
1717 {
1718 int lr_saved;
1719 #ifdef __ppc__
1720 if (lr == 0) {
1721 __asm__ volatile("mflr %0" : "=r" (lr_saved));
1722 }
1723 else lr_saved = lr;
1724 #endif
1725
1726 if (so->so_pcb) {
1727 lck_mtx_lock(((struct inpcb *)so->so_pcb)->inpcb_mtx);
1728 }
1729 else {
1730 panic("tcp_lock: so=%x NO PCB! lr=%x\n", so, lr_saved);
1731 lck_mtx_lock(so->so_proto->pr_domain->dom_mtx);
1732 }
1733
1734 if (so->so_usecount < 0)
1735 panic("tcp_lock: so=%x so_pcb=%x lr=%x ref=%x\n",
1736 so, so->so_pcb, lr_saved, so->so_usecount);
1737
1738 if (refcount)
1739 so->so_usecount++;
1740 so->reserved3 = (void *)lr_saved;
1741 return (0);
1742 }
1743
1744 int
1745 tcp_unlock(so, refcount, lr)
1746 struct socket *so;
1747 int refcount;
1748 int lr;
1749 {
1750 int lr_saved;
1751 #ifdef __ppc__
1752 if (lr == 0) {
1753 __asm__ volatile("mflr %0" : "=r" (lr_saved));
1754 }
1755 else lr_saved = lr;
1756 #endif
1757
1758 #ifdef MORE_TCPLOCK_DEBUG
1759 printf("tcp_unlock: so=%x sopcb=%x lock=%x ref=%x lr=%x\n",
1760 so, so->so_pcb, ((struct inpcb *)so->so_pcb)->inpcb_mtx, so->so_usecount, lr_saved);
1761 #endif
1762 if (refcount)
1763 so->so_usecount--;
1764
1765 if (so->so_usecount < 0)
1766 panic("tcp_unlock: so=%x usecount=%x\n", so, so->so_usecount);
1767 if (so->so_pcb == NULL) {
1768 panic("tcp_unlock: so=%x NO PCB usecount=%x lr=%x\n", so, so->so_usecount, lr_saved);
1769 lck_mtx_unlock(so->so_proto->pr_domain->dom_mtx);
1770 }
1771 else {
1772 lck_mtx_assert(((struct inpcb *)so->so_pcb)->inpcb_mtx, LCK_MTX_ASSERT_OWNED);
1773 lck_mtx_unlock(((struct inpcb *)so->so_pcb)->inpcb_mtx);
1774 }
1775 so->reserved4 = (void *)lr_saved;
1776 return (0);
1777 }
1778
1779 lck_mtx_t *
1780 tcp_getlock(so, locktype)
1781 struct socket *so;
1782 int locktype;
1783 {
1784 struct inpcb *inp = sotoinpcb(so);
1785
1786 if (so->so_pcb) {
1787 if (so->so_usecount < 0)
1788 panic("tcp_getlock: so=%x usecount=%x\n", so, so->so_usecount);
1789 return(inp->inpcb_mtx);
1790 }
1791 else {
1792 panic("tcp_getlock: so=%x NULL so_pcb\n", so);
1793 return (so->so_proto->pr_domain->dom_mtx);
1794 }
1795 }