xnu-792.6.70.tar.gz

[apple/xnu.git] / bsd / netinet / tcp_input.c
diff --git a/bsd/netinet/tcp_input.c b/bsd/netinet/tcp_input.c

index eb294a6a2a7f16b41e382f91dde0451772af861d..624b3451fb11a2f2758c826af620cec5680e2a76 100644 (file)
--- a/bsd/netinet/tcp_input.c
+++ b/bsd/netinet/tcp_input.c
@@ -71,6 +71,7 @@
  #include <kern/cpu_number.h>   /* before tcp_seq.h, for tcp_random18() */
  
  #include <net/if.h>
  #include <kern/cpu_number.h>   /* before tcp_seq.h, for tcp_random18() */
  
  #include <net/if.h>
+#include <net/if_types.h>
  #include <net/route.h>
  
  #include <netinet/in.h>
  #include <net/route.h>
  
  #include <netinet/in.h>
@@ -128,6 +129,7 @@ extern int apple_hwcksum_rx;
  
  #if IPSEC
  extern int ipsec_bypass;
  
  #if IPSEC
  extern int ipsec_bypass;
+extern lck_mtx_t *sadb_mutex;
  #endif
  
  struct tcpstat tcpstat;
  #endif
  
  struct tcpstat tcpstat;
@@ -142,7 +144,7 @@ static int blackhole = 0;
  SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
         &blackhole, 0, "Do not send RST when dropping refused connections");
  
  SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
         &blackhole, 0, "Do not send RST when dropping refused connections");
  
-int tcp_delack_enabled = 1;
+int tcp_delack_enabled = 3;
  SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW, 
      &tcp_delack_enabled, 0, 
      "Delay ACK to try and piggyback it onto a data packet");
  SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW, 
      &tcp_delack_enabled, 0, 
      "Delay ACK to try and piggyback it onto a data packet");
@@ -153,24 +155,48 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcp_lq_overflow, CTLFLAG_RW,
      "Listen Queue Overflow");
  
  #if TCP_DROP_SYNFIN
      "Listen Queue Overflow");
  
  #if TCP_DROP_SYNFIN
-static int drop_synfin = 0;
+static int drop_synfin = 1;
  SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
      &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
  #endif
  
  SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
      &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
  #endif
  
+SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+    "TCP Segment Reassembly Queue");
+
+__private_extern__ int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RW,
+    &tcp_reass_maxseg, 0,
+    "Global maximum number of TCP Segments in Reassembly Queue");
+
+__private_extern__ int tcp_reass_qsize = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, cursegments, CTLFLAG_RD,
+    &tcp_reass_qsize, 0,
+    "Global number of TCP Segments currently in Reassembly Queue");
+
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows, CTLFLAG_RD,
+    &tcp_reass_overflows, 0,
+    "Global number of TCP Segment Reassembly Queue Overflows");
+
+
+__private_extern__ int slowlink_wsize = 8192;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, slowlink_wsize, CTLFLAG_RW,
+       &slowlink_wsize, 0, "Maximum advertised window size for slowlink");
+
+
  u_long tcp_now;
  struct inpcbhead tcb;
  #define        tcb6    tcb  /* for KAME src sync over BSD*'s */
  struct inpcbinfo tcbinfo;
  
  u_long tcp_now;
  struct inpcbhead tcb;
  #define        tcb6    tcb  /* for KAME src sync over BSD*'s */
  struct inpcbinfo tcbinfo;
  
-static void     tcp_dooptions __P((struct tcpcb *,
-           u_char *, int, struct tcphdr *, struct tcpopt *));
-static void     tcp_pulloutofband __P((struct socket *,
-           struct tcphdr *, struct mbuf *, int));
-static int      tcp_reass __P((struct tcpcb *, struct tcphdr *, int *,
-                               struct mbuf *));
-static void     tcp_xmit_timer __P((struct tcpcb *, int));
-static int      tcp_newreno __P((struct tcpcb *, struct tcphdr *));
+static void     tcp_dooptions(struct tcpcb *,
+           u_char *, int, struct tcphdr *, struct tcpopt *);
+static void     tcp_pulloutofband(struct socket *,
+           struct tcphdr *, struct mbuf *, int);
+static int      tcp_reass(struct tcpcb *, struct tcphdr *, int *,
+                               struct mbuf *);
+static void    tcp_xmit_timer(struct tcpcb *, int);
+static int     tcp_newreno __P((struct tcpcb *, struct tcphdr *));
  
  /* Neighbor Discovery, Neighbor Unreachability Detection Upper layer hint. */
  #if INET6
  
  /* Neighbor Discovery, Neighbor Unreachability Detection Upper layer hint. */
  #if INET6
@@ -187,16 +213,43 @@ do { \
  
  extern u_long  *delack_bitmask;
  
  
  extern u_long  *delack_bitmask;
  
+extern  void    ipfwsyslog( int level, char *format,...);
+extern int ChkAddressOK( __uint32_t dstaddr, __uint32_t srcaddr );
+extern int fw_verbose;
+
+#define log_in_vain_log( a ) {            \
+        if ( (log_in_vain == 3 ) && (fw_verbose == 2)) {        /* Apple logging, log to ipfw.log */ \
+                ipfwsyslog a ;  \
+        }                       \
+        else log a ;            \
+}
+
  /*
  /*
- * Indicate whether this ack should be delayed.  We can delay the ack if
- *      - delayed acks are enabled and
- *      - there is no delayed ack timer in progress and
+ * Indicate whether this ack should be delayed.  
+ * We can delay the ack if:
+ *  - delayed acks are enabled (set to 1) and
   *      - our last ack wasn't a 0-sized window.  We never want to delay
   *      - our last ack wasn't a 0-sized window.  We never want to delay
- *        the ack that opens up a 0-sized window.
+ *       the ack that opens up a 0-sized window.
+ *  - delayed acks are enabled (set to 2, "more compatible") and
+ *      - our last ack wasn't a 0-sized window.
+ *      - if the peer hasn't sent us a TH_PUSH data packet (this solves 3649245)
+ *      - the peer hasn't sent us a TH_PUSH data packet, if he did, take this as a clue that we
+ *        need to ACK with no delay. This helps higher level protocols who won't send
+ *        us more data even if the window is open because their last "segment" hasn't been ACKed
+ *  - delayed acks are enabled (set to 3, "streaming detection") and
+ *     - if we receive more than 4 full packets per second on this socket, we're streaming acts as "1".
+ *     - if we don't meet that criteria, acts like "2". Allowing faster acking while browsing for example.
+ *
   */
  #define DELAY_ACK(tp) \
   */
  #define DELAY_ACK(tp) \
-       (tcp_delack_enabled && !callout_pending(tp->tt_delack) && \
-       (tp->t_flags & TF_RXWIN0SENT) == 0)
+       (((tcp_delack_enabled == 1) && ((tp->t_flags & TF_RXWIN0SENT) == 0)) || \
+        (((tcp_delack_enabled == 2) && (tp->t_flags & TF_RXWIN0SENT) == 0) && \
+          ((thflags & TH_PUSH) == 0) && ((tp->t_flags & TF_DELACK) == 0)) || \
+        (((tcp_delack_enabled == 3) && (tp->t_flags & TF_RXWIN0SENT) == 0) && \
+          (((tp->t_rcvtime == 0) && (tp->rcv_byps > (4* tp->t_maxseg)))  || (((thflags & TH_PUSH) == 0) && ((tp->t_flags & TF_DELACK) == 0)))))
+
+
+static int tcpdropdropablreq(struct socket *head);
  
  
  static int
  
  
  static int
@@ -212,6 +265,7 @@ tcp_reass(tp, th, tlenp, m)
         struct tseg_qent *te;
         struct socket *so = tp->t_inpcb->inp_socket;
         int flags;
         struct tseg_qent *te;
         struct socket *so = tp->t_inpcb->inp_socket;
         int flags;
+       int dowakeup = 0;
  
         /*
          * Call with th==0 after become established to
  
         /*
          * Call with th==0 after become established to
@@ -220,6 +274,21 @@ tcp_reass(tp, th, tlenp, m)
         if (th == 0)
                 goto present;
  
         if (th == 0)
                 goto present;
  
+       /*
+        * Limit the number of segments in the reassembly queue to prevent
+        * holding on to too many segments (and thus running out of mbufs).
+        * Make sure to let the missing segment through which caused this
+        * queue.  Always keep one global queue entry spare to be able to
+        * process the missing segment.
+        */
+       if (th->th_seq != tp->rcv_nxt &&
+           tcp_reass_qsize + 1 >= tcp_reass_maxseg) {
+               tcp_reass_overflows++;
+               tcpstat.tcps_rcvmemdrop++;
+               m_freem(m);
+               return (0);
+       }
+
         /* Allocate a new queue entry. If we can't, just drop the pkt. XXX */
         MALLOC(te, struct tseg_qent *, sizeof (struct tseg_qent), M_TSEGQ,
                M_NOWAIT);
         /* Allocate a new queue entry. If we can't, just drop the pkt. XXX */
         MALLOC(te, struct tseg_qent *, sizeof (struct tseg_qent), M_TSEGQ,
                M_NOWAIT);
@@ -228,6 +297,7 @@ tcp_reass(tp, th, tlenp, m)
                 m_freem(m);
                 return (0);
         }
                 m_freem(m);
                 return (0);
         }
+       tcp_reass_qsize++;
  
         /*
          * Find a segment which begins after this one does.
  
         /*
          * Find a segment which begins after this one does.
@@ -253,6 +323,7 @@ tcp_reass(tp, th, tlenp, m)
                                 tcpstat.tcps_rcvdupbyte += *tlenp;
                                 m_freem(m);
                                 FREE(te, M_TSEGQ);
                                 tcpstat.tcps_rcvdupbyte += *tlenp;
                                 m_freem(m);
                                 FREE(te, M_TSEGQ);
+                               tcp_reass_qsize--;
                                 /*
                                  * Try to present any queued data
                                  * at the left window edge to the user.
                                 /*
                                  * Try to present any queued data
                                  * at the left window edge to the user.
@@ -288,6 +359,7 @@ tcp_reass(tp, th, tlenp, m)
                 LIST_REMOVE(q, tqe_q);
                 m_freem(q->tqe_m);
                 FREE(q, M_TSEGQ);
                 LIST_REMOVE(q, tqe_q);
                 m_freem(q->tqe_m);
                 FREE(q, M_TSEGQ);
+               tcp_reass_qsize--;
                 q = nq;
         }
  
                 q = nq;
         }
  
@@ -319,9 +391,12 @@ present:
                 LIST_REMOVE(q, tqe_q);
                 if (so->so_state & SS_CANTRCVMORE)
                         m_freem(q->tqe_m);
                 LIST_REMOVE(q, tqe_q);
                 if (so->so_state & SS_CANTRCVMORE)
                         m_freem(q->tqe_m);
-               else
-                       sbappend(&so->so_rcv, q->tqe_m);
+               else {
+                       if (sbappend(&so->so_rcv, q->tqe_m))
+                               dowakeup = 1;
+               }
                 FREE(q, M_TSEGQ);
                 FREE(q, M_TSEGQ);
+               tcp_reass_qsize--;
                 q = nq;
         } while (q && q->tqe_th->th_seq == tp->rcv_nxt);
         ND6_HINT(tp);
                 q = nq;
         } while (q && q->tqe_th->th_seq == tp->rcv_nxt);
         ND6_HINT(tp);
@@ -343,8 +418,9 @@ present:
                      (((tp->t_inpcb->inp_laddr.s_addr & 0xffff) << 16) |
                       (tp->t_inpcb->inp_faddr.s_addr & 0xffff)),
                      0,0,0);
                      (((tp->t_inpcb->inp_laddr.s_addr & 0xffff) << 16) |
                       (tp->t_inpcb->inp_faddr.s_addr & 0xffff)),
                      0,0,0);
-       }       
-       sorwakeup(so);
+       }
+       if (dowakeup)
+               sorwakeup(so); /* done with socket lock held */
         return (flags);
  
  }
         return (flags);
  
  }
@@ -356,14 +432,14 @@ present:
   */
  #if INET6
  int
   */
  #if INET6
  int
-tcp6_input(mp, offp, proto)
+tcp6_input(mp, offp)
         struct mbuf **mp;
         struct mbuf **mp;
-       int *offp, proto;
+       int *offp;
  {
         register struct mbuf *m = *mp;
         struct in6_ifaddr *ia6;
  
  {
         register struct mbuf *m = *mp;
         struct in6_ifaddr *ia6;
  
-       IP6_EXTHDR_CHECK(m, *offp, sizeof(struct tcphdr), IPPROTO_DONE);
+       IP6_EXTHDR_CHECK(m, *offp, sizeof(struct tcphdr), return IPPROTO_DONE);
  
         /*
          * draft-itojun-ipv6-tcp-to-anycast
  
         /*
          * draft-itojun-ipv6-tcp-to-anycast
@@ -407,13 +483,26 @@ tcp_input(m, off0)
  #endif
         int dropsocket = 0;
         int iss = 0;
  #endif
         int dropsocket = 0;
         int iss = 0;
+       int nosock = 0;
         u_long tiwin;
         struct tcpopt to;               /* options in this segment */
         struct rmxp_tao *taop;          /* pointer to our TAO cache entry */
         struct rmxp_tao tao_noncached;  /* in case there's no cached entry */
         u_long tiwin;
         struct tcpopt to;               /* options in this segment */
         struct rmxp_tao *taop;          /* pointer to our TAO cache entry */
         struct rmxp_tao tao_noncached;  /* in case there's no cached entry */
+       struct sockaddr_in *next_hop = NULL;
  #if TCPDEBUG
         short ostate = 0;
  #endif
  #if TCPDEBUG
         short ostate = 0;
  #endif
+       struct m_tag *fwd_tag;
+
+       /* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */
+       fwd_tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFORWARD, NULL);
+       if (fwd_tag != NULL) {
+               struct ip_fwd_tag *ipfwd_tag = (struct ip_fwd_tag *)(fwd_tag+1);
+               
+               next_hop = ipfwd_tag->next_hop;
+               m_tag_delete(m, fwd_tag);
+       }
+       
  #if INET6
         struct ip6_hdr *ip6 = NULL;
         int isipv6;
  #if INET6
         struct ip6_hdr *ip6 = NULL;
         int isipv6;
@@ -439,7 +528,7 @@ tcp_input(m, off0)
                 tlen = sizeof(*ip6) + ntohs(ip6->ip6_plen) - off0;
                 if (in6_cksum(m, IPPROTO_TCP, off0, tlen)) {
                         tcpstat.tcps_rcvbadsum++;
                 tlen = sizeof(*ip6) + ntohs(ip6->ip6_plen) - off0;
                 if (in6_cksum(m, IPPROTO_TCP, off0, tlen)) {
                         tcpstat.tcps_rcvbadsum++;
-                       goto drop;
+                       goto dropnosock;
                 }
                 th = (struct tcphdr *)((caddr_t)ip6 + off0);
  
                 }
                 th = (struct tcphdr *)((caddr_t)ip6 + off0);
  
@@ -456,11 +545,11 @@ tcp_input(m, off0)
                  */
                 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
                         /* XXX stat */
                  */
                 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
                         /* XXX stat */
-                       goto drop;
+                       goto dropnosock;
                 }
         } else
  #endif /* INET6 */
                 }
         } else
  #endif /* INET6 */
-      {
+       {
         /*
          * Get IP and TCP header together in first mbuf.
          * Note: IP leaves IP header in first mbuf.
         /*
          * Get IP and TCP header together in first mbuf.
          * Note: IP leaves IP header in first mbuf.
@@ -490,10 +579,20 @@ tcp_input(m, off0)
         if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
                 if (apple_hwcksum_rx && (m->m_pkthdr.csum_flags & CSUM_TCP_SUM16)) {
                         u_short pseudo;
         if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
                 if (apple_hwcksum_rx && (m->m_pkthdr.csum_flags & CSUM_TCP_SUM16)) {
                         u_short pseudo;
+                       char b[9];
+                       *(uint32_t*)&b[0] = *(uint32_t*)&ipov->ih_x1[0];
+                       *(uint32_t*)&b[4] = *(uint32_t*)&ipov->ih_x1[4];
+                       *(uint8_t*)&b[8] = *(uint8_t*)&ipov->ih_x1[8];
+                       
                         bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
                         ipov->ih_len = (u_short)tlen;
                         HTONS(ipov->ih_len);
                         pseudo = in_cksum(m, sizeof (struct ip));
                         bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
                         ipov->ih_len = (u_short)tlen;
                         HTONS(ipov->ih_len);
                         pseudo = in_cksum(m, sizeof (struct ip));
+                       
+                       *(uint32_t*)&ipov->ih_x1[0] = *(uint32_t*)&b[0];
+                       *(uint32_t*)&ipov->ih_x1[4] = *(uint32_t*)&b[4];
+                       *(uint8_t*)&ipov->ih_x1[8] = *(uint8_t*)&b[8];
+                       
                         th->th_sum = in_addword(pseudo, (m->m_pkthdr.csum_data & 0xFFFF));
                 } else {
                         if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
                         th->th_sum = in_addword(pseudo, (m->m_pkthdr.csum_data & 0xFFFF));
                 } else {
                         if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
@@ -505,24 +604,33 @@ tcp_input(m, off0)
                 }
                 th->th_sum ^= 0xffff;
         } else {
                 }
                 th->th_sum ^= 0xffff;
         } else {
+               char b[9];
                 /*
                  * Checksum extended TCP header and data.
                  */
                 /*
                  * Checksum extended TCP header and data.
                  */
+               *(uint32_t*)&b[0] = *(uint32_t*)&ipov->ih_x1[0];
+               *(uint32_t*)&b[4] = *(uint32_t*)&ipov->ih_x1[4];
+               *(uint8_t*)&b[8] = *(uint8_t*)&ipov->ih_x1[8];
+               
                 len = sizeof (struct ip) + tlen;
                 bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
                 ipov->ih_len = (u_short)tlen;
                 HTONS(ipov->ih_len);
                 th->th_sum = in_cksum(m, len);
                 len = sizeof (struct ip) + tlen;
                 bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
                 ipov->ih_len = (u_short)tlen;
                 HTONS(ipov->ih_len);
                 th->th_sum = in_cksum(m, len);
+               
+               *(uint32_t*)&ipov->ih_x1[0] = *(uint32_t*)&b[0];
+               *(uint32_t*)&ipov->ih_x1[4] = *(uint32_t*)&b[4];
+               *(uint8_t*)&ipov->ih_x1[8] = *(uint8_t*)&b[8];
         }
         if (th->th_sum) {
                 tcpstat.tcps_rcvbadsum++;
         }
         if (th->th_sum) {
                 tcpstat.tcps_rcvbadsum++;
-               goto drop;
+               goto dropnosock;
         }
  #if INET6
         /* Re-initialization for later version check */
         ip->ip_v = IPVERSION;
  #endif
         }
  #if INET6
         /* Re-initialization for later version check */
         ip->ip_v = IPVERSION;
  #endif
-      }
+       }
  
         /*
          * Check that TCP offset makes sense,
  
         /*
          * Check that TCP offset makes sense,
@@ -531,13 +639,13 @@ tcp_input(m, off0)
         off = th->th_off << 2;
         if (off < sizeof (struct tcphdr) || off > tlen) {
                 tcpstat.tcps_rcvbadoff++;
         off = th->th_off << 2;
         if (off < sizeof (struct tcphdr) || off > tlen) {
                 tcpstat.tcps_rcvbadoff++;
-               goto drop;
+               goto dropnosock;
         }
         tlen -= off;    /* tlen is used instead of ti->ti_len */
         if (off > sizeof (struct tcphdr)) {
  #if INET6
                 if (isipv6) {
         }
         tlen -= off;    /* tlen is used instead of ti->ti_len */
         if (off > sizeof (struct tcphdr)) {
  #if INET6
                 if (isipv6) {
-                       IP6_EXTHDR_CHECK(m, off0, off, );
+                       IP6_EXTHDR_CHECK(m, off0, off, return);
                         ip6 = mtod(m, struct ip6_hdr *);
                         th = (struct tcphdr *)((caddr_t)ip6 + off0);
                 } else
                         ip6 = mtod(m, struct ip6_hdr *);
                         th = (struct tcphdr *)((caddr_t)ip6 + off0);
                 } else
@@ -584,7 +692,7 @@ tcp_input(m, off0)
          * This is incompatible with RFC1644 extensions (T/TCP).
          */
         if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
          * This is incompatible with RFC1644 extensions (T/TCP).
          */
         if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
-               goto drop;
+               goto dropnosock;
  #endif
  
         /*
  #endif
  
         /*
@@ -610,7 +718,7 @@ tcp_input(m, off0)
          */
  findpcb:
  #if IPFIREWALL_FORWARD
          */
  findpcb:
  #if IPFIREWALL_FORWARD
-       if (ip_fw_fwd_addr != NULL
+       if (next_hop != NULL
  #if INET6
             && isipv6 == NULL /* IPv6 support is not yet */
  #endif /* INET6 */
  #if INET6
             && isipv6 == NULL /* IPv6 support is not yet */
  #endif /* INET6 */
@@ -625,19 +733,18 @@ findpcb:
                         /* 
                          * No, then it's new. Try find the ambushing socket
                          */
                         /* 
                          * No, then it's new. Try find the ambushing socket
                          */
-                       if (!ip_fw_fwd_addr->sin_port) {
+                       if (!next_hop->sin_port) {
                                 inp = in_pcblookup_hash(&tcbinfo, ip->ip_src,
                                 inp = in_pcblookup_hash(&tcbinfo, ip->ip_src,
-                                   th->th_sport, ip_fw_fwd_addr->sin_addr,
+                                   th->th_sport, next_hop->sin_addr,
                                     th->th_dport, 1, m->m_pkthdr.rcvif);
                         } else {
                                 inp = in_pcblookup_hash(&tcbinfo,
                                     ip->ip_src, th->th_sport,
                                     th->th_dport, 1, m->m_pkthdr.rcvif);
                         } else {
                                 inp = in_pcblookup_hash(&tcbinfo,
                                     ip->ip_src, th->th_sport,
-                                   ip_fw_fwd_addr->sin_addr,
-                                   ntohs(ip_fw_fwd_addr->sin_port), 1,
+                                   next_hop->sin_addr,
+                                   ntohs(next_hop->sin_port), 1,
                                     m->m_pkthdr.rcvif);
                         }
                 }
                                     m->m_pkthdr.rcvif);
                         }
                 }
-               ip_fw_fwd_addr = NULL;
         } else
  #endif /* IPFIREWALL_FORWARD */
        {
         } else
  #endif /* IPFIREWALL_FORWARD */
        {
@@ -653,17 +760,23 @@ findpcb:
        }
  
  #if IPSEC
        }
  
  #if IPSEC
+       if (ipsec_bypass == 0)  {
+               lck_mtx_lock(sadb_mutex);
  #if INET6
  #if INET6
-       if (isipv6) {
-               if (ipsec_bypass == 0 && inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) {
-                       ipsec6stat.in_polvio++;
-                       goto drop;
-               }
-       } else
+               if (isipv6) {
+                       if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) {
+                               ipsec6stat.in_polvio++;
+                               lck_mtx_unlock(sadb_mutex);
+                               goto dropnosock;
+                       }
+               } else
  #endif /* INET6 */
  #endif /* INET6 */
-       if (ipsec_bypass == 0 && inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) {
-               ipsecstat.in_polvio++;
-               goto drop;
+                       if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) {
+                               ipsecstat.in_polvio++;
+                               lck_mtx_unlock(sadb_mutex);
+                               goto dropnosock;
+                       }
+               lck_mtx_unlock(sadb_mutex);
         }
  #endif /*IPSEC*/
  
         }
  #endif /*IPSEC*/
  
@@ -676,55 +789,88 @@ findpcb:
         if (inp == NULL) {
                 if (log_in_vain) {
  #if INET6
         if (inp == NULL) {
                 if (log_in_vain) {
  #if INET6
-                       char dbuf[INET6_ADDRSTRLEN], sbuf[INET6_ADDRSTRLEN];
+                       char dbuf[MAX_IPv6_STR_LEN], sbuf[MAX_IPv6_STR_LEN];
  #else /* INET6 */
  #else /* INET6 */
-                       char dbuf[4*sizeof "123"], sbuf[4*sizeof "123"];
+                       char dbuf[MAX_IPv4_STR_LEN], sbuf[MAX_IPv4_STR_LEN];
  #endif /* INET6 */
  
  #if INET6
                         if (isipv6) {
  #endif /* INET6 */
  
  #if INET6
                         if (isipv6) {
-                               strcpy(dbuf, ip6_sprintf(&ip6->ip6_dst));
-                               strcpy(sbuf, ip6_sprintf(&ip6->ip6_src));
+                               inet_ntop(AF_INET6, &ip6->ip6_dst, dbuf, sizeof(dbuf));
+                               inet_ntop(AF_INET6, &ip6->ip6_src, sbuf, sizeof(sbuf));
                         } else
  #endif
                         } else
  #endif
-                     {
-                       strcpy(dbuf, inet_ntoa(ip->ip_dst));
-                       strcpy(sbuf, inet_ntoa(ip->ip_src));
-                     }
+                       {
+                               inet_ntop(AF_INET, &ip->ip_dst, dbuf, sizeof(dbuf));
+                               inet_ntop(AF_INET, &ip->ip_src, sbuf, sizeof(sbuf));
+                       }
                         switch (log_in_vain) {
                         case 1:
                                 if(thflags & TH_SYN)
                                         log(LOG_INFO,
                         switch (log_in_vain) {
                         case 1:
                                 if(thflags & TH_SYN)
                                         log(LOG_INFO,
-                                       "Connection attempt to TCP %s:%d from %s:%d\n",
-                                       dbuf, ntohs(th->th_dport),
-                                       sbuf,
-                                       ntohs(th->th_sport));
+                                               "Connection attempt to TCP %s:%d from %s:%d\n",
+                                               dbuf, ntohs(th->th_dport),
+                                               sbuf,
+                                               ntohs(th->th_sport));
                                 break;
                         case 2:
                                 log(LOG_INFO,
                                 break;
                         case 2:
                                 log(LOG_INFO,
-                               "Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n",
-                               dbuf, ntohs(th->th_dport), sbuf,
-                               ntohs(th->th_sport), thflags);
+                                       "Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n",
+                                       dbuf, ntohs(th->th_dport), sbuf,
+                                       ntohs(th->th_sport), thflags);
+                               break;
+                       case 3:
+                               if ((thflags & TH_SYN) &&
+                                       !(m->m_flags & (M_BCAST | M_MCAST)) &&
+#if INET6
+                                       ((isipv6 && !IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &ip6->ip6_src)) ||
+                                        (!isipv6 && ip->ip_dst.s_addr != ip->ip_src.s_addr))
+#else
+                                       ip->ip_dst.s_addr != ip->ip_src.s_addr
+#endif
+                                        )
+                                       log_in_vain_log((LOG_INFO,
+                                               "Stealth Mode connection attempt to TCP %s:%d from %s:%d\n",
+                                               dbuf, ntohs(th->th_dport),
+                                               sbuf,
+                                               ntohs(th->th_sport)));
                                 break;
                         default:
                                 break;
                         }
                 }
                 if (blackhole) { 
                                 break;
                         default:
                                 break;
                         }
                 }
                 if (blackhole) { 
-                       switch (blackhole) {
-                       case 1:
-                               if (thflags & TH_SYN)
-                                       goto drop;
-                               break;
-                       case 2:
-                               goto drop;
-                       default:
-                               goto drop;
-                       }
+                       if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type != IFT_LOOP)
+                               switch (blackhole) {
+                               case 1:
+                                       if (thflags & TH_SYN)
+                                               goto dropnosock;
+                                       break;
+                               case 2:
+                                       goto dropnosock;
+                               default:
+                                       goto dropnosock;
+                               }
                 }
                 rstreason = BANDLIM_RST_CLOSEDPORT;
                 }
                 rstreason = BANDLIM_RST_CLOSEDPORT;
-               goto dropwithreset;
+               goto dropwithresetnosock;
         }
         }
+       so = inp->inp_socket;
+       if (so == NULL) {
+               if (in_pcb_checkstate(inp, WNT_RELEASE, 1) == WNT_STOPUSING) 
+                       inp = NULL;     // pretend we didn't find it 
+#if TEMPDEBUG
+               printf("tcp_input: no more socket for inp=%x\n", inp);
+#endif
+               goto dropnosock;
+       }
+       tcp_lock(so, 1, 2);
+       if (in_pcb_checkstate(inp, WNT_RELEASE, 1) == WNT_STOPUSING) {
+               tcp_unlock(so, 1, 2);
+               inp = NULL;     // pretend we didn't find it 
+               goto dropnosock;
+       }
+
         tp = intotcpcb(inp);
         if (tp == 0) {
                 rstreason = BANDLIM_RST_CLOSEDPORT;
         tp = intotcpcb(inp);
         if (tp == 0) {
                 rstreason = BANDLIM_RST_CLOSEDPORT;
@@ -748,7 +894,6 @@ findpcb:
         else
                 tiwin = th->th_win;
  
         else
                 tiwin = th->th_win;
  
-       so = inp->inp_socket;
         if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
  #if TCPDEBUG
                 if (so->so_options & SO_DEBUG) {
         if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
  #if TCPDEBUG
                 if (so->so_options & SO_DEBUG) {
@@ -764,14 +909,14 @@ findpcb:
                 }
  #endif
                 if (so->so_options & SO_ACCEPTCONN) {
                 }
  #endif
                 if (so->so_options & SO_ACCEPTCONN) {
-                       register struct tcpcb *tp0 = tp;
+                   register struct tcpcb *tp0 = tp;
                         struct socket *so2;
                         struct socket *so2;
-#if IPSEC
                         struct socket *oso;
                         struct socket *oso;
-#endif
+                       struct sockaddr_storage from;
  #if INET6
                         struct inpcb *oinp = sotoinpcb(so);
  #endif /* INET6 */
  #if INET6
                         struct inpcb *oinp = sotoinpcb(so);
  #endif /* INET6 */
+                       int ogencnt = so->so_gencnt;
  
  #if !IPSEC
                         /*
  
  #if !IPSEC
                         /*
@@ -836,25 +981,51 @@ findpcb:
                                 }
                         }
  #endif
                                 }
                         }
  #endif
-
-                       so2 = sonewconn(so, 0);
+                       if (so->so_filt) {
+                               if (isipv6) {
+                                       struct sockaddr_in6     *sin6 = (struct sockaddr_in6*)&from;
+                                       
+                                       sin6->sin6_len = sizeof(*sin6);
+                                       sin6->sin6_family = AF_INET6;
+                                       sin6->sin6_port = th->th_sport;
+                                       sin6->sin6_flowinfo = 0;
+                                       sin6->sin6_addr = ip6->ip6_src;
+                                       sin6->sin6_scope_id = 0;
+                               } else {
+                                       struct sockaddr_in *sin = (struct sockaddr_in*)&from;
+                                       
+                                       sin->sin_len = sizeof(*sin);
+                                       sin->sin_family = AF_INET;
+                                       sin->sin_port = th->th_sport;
+                                       sin->sin_addr = ip->ip_src;
+                               }
+                               so2 = sonewconn(so, 0, (struct sockaddr*)&from);
+                       } else {
+                               so2 = sonewconn(so, 0, NULL);
+                       }
                         if (so2 == 0) {
                                 tcpstat.tcps_listendrop++;
                         if (so2 == 0) {
                                 tcpstat.tcps_listendrop++;
-                               so2 = sodropablereq(so);
-                               if (so2) {
-                                       if (tcp_lq_overflow)
-                                               sototcpcb(so2)->t_flags |= 
-                                                   TF_LQ_OVERFLOW;
-                                       tcp_drop(sototcpcb(so2), ETIMEDOUT);
-                                       so2 = sonewconn(so, 0);
+                               if (tcpdropdropablreq(so)) {
+                                       if (so->so_filt)
+                                               so2 = sonewconn(so, 0, (struct sockaddr*)&from);
+                                       else
+                                               so2 = sonewconn(so, 0, NULL);
                                 }
                                 }
-                               if (!so2)
+                               if (!so2) 
                                         goto drop;
                         }
                                         goto drop;
                         }
-#if IPSEC
+                       /*
+                        * Make sure listening socket did not get closed during socket allocation,
+                        * not only this is incorrect but it is know to cause panic
+                        */
+                       if (so->so_gencnt != ogencnt)
+                               goto drop;
+
                         oso = so;
                         oso = so;
-#endif
+                       tcp_unlock(so, 0, 0); /* Unlock but keep a reference on listener for now */
+
                         so = so2;
                         so = so2;
+                       tcp_lock(so, 1, 0);
                         /*
                          * This is ugly, but ....
                          *
                         /*
                          * This is ugly, but ....
                          *
@@ -880,7 +1051,7 @@ findpcb:
                         }
  #endif /* INET6 */
                         inp->inp_lport = th->th_dport;
                         }
  #endif /* INET6 */
                         inp->inp_lport = th->th_dport;
-                       if (in_pcbinshash(inp) != 0) {
+                       if (in_pcbinshash(inp, 0) != 0) {
                                 /*
                                  * Undo the assignments above if we failed to
                                  * put the PCB on the hash lists.
                                 /*
                                  * Undo the assignments above if we failed to
                                  * put the PCB on the hash lists.
@@ -892,6 +1063,8 @@ findpcb:
  #endif /* INET6 */
                                 inp->inp_laddr.s_addr = INADDR_ANY;
                                 inp->inp_lport = 0;
  #endif /* INET6 */
                                 inp->inp_laddr.s_addr = INADDR_ANY;
                                 inp->inp_lport = 0;
+                               tcp_lock(oso, 0, 0);    /* release ref on parent */
+                               tcp_unlock(oso, 1, 0);
                                 goto drop;
                         }
  #if IPSEC
                                 goto drop;
                         }
  #if IPSEC
@@ -908,6 +1081,8 @@ findpcb:
                                  * Note: dropwithreset makes sure we don't
                                  * send a RST in response to a RST.
                                  */
                                  * Note: dropwithreset makes sure we don't
                                  * send a RST in response to a RST.
                                  */
+                               tcp_lock(oso, 0, 0);    /* release ref on parent */
+                               tcp_unlock(oso, 1, 0);
                                 if (thflags & TH_ACK) {
                                         tcpstat.tcps_badsyn++;
                                         rstreason = BANDLIM_RST_OPENPORT;
                                 if (thflags & TH_ACK) {
                                         tcpstat.tcps_badsyn++;
                                         rstreason = BANDLIM_RST_OPENPORT;
@@ -940,22 +1115,26 @@ findpcb:
                         } else
  #endif /* INET6 */
                         inp->inp_options = ip_srcroute();
                         } else
  #endif /* INET6 */
                         inp->inp_options = ip_srcroute();
+                       tcp_lock(oso, 0, 0);
  #if IPSEC
                         /* copy old policy into new socket's */
                         if (sotoinpcb(oso)->inp_sp)
                         {
                                 int error = 0;
  #if IPSEC
                         /* copy old policy into new socket's */
                         if (sotoinpcb(oso)->inp_sp)
                         {
                                 int error = 0;
+                               lck_mtx_lock(sadb_mutex);
                                 /* Is it a security hole here to silently fail to copy the policy? */
                                 if (inp->inp_sp != NULL)
                                         error = ipsec_init_policy(so, &inp->inp_sp);
                                 if (error != 0 || ipsec_copy_policy(sotoinpcb(oso)->inp_sp, inp->inp_sp))
                                         printf("tcp_input: could not copy policy\n");
                                 /* Is it a security hole here to silently fail to copy the policy? */
                                 if (inp->inp_sp != NULL)
                                         error = ipsec_init_policy(so, &inp->inp_sp);
                                 if (error != 0 || ipsec_copy_policy(sotoinpcb(oso)->inp_sp, inp->inp_sp))
                                         printf("tcp_input: could not copy policy\n");
+                               lck_mtx_unlock(sadb_mutex);
                         }
  #endif
                         }
  #endif
+                       tcp_unlock(oso, 1, 0);  /* now drop the reference on the listener */
                         tp = intotcpcb(inp);
                         tp->t_state = TCPS_LISTEN;
                         tp->t_flags |= tp0->t_flags & (TF_NOPUSH|TF_NOOPT|TF_NODELAY);
                         tp = intotcpcb(inp);
                         tp->t_state = TCPS_LISTEN;
                         tp->t_flags |= tp0->t_flags & (TF_NOPUSH|TF_NOOPT|TF_NODELAY);
-
+                       tp->t_inpcb->inp_ip_ttl = tp0->t_inpcb->inp_ip_ttl;
                         /* Compute proper scaling value from buffer space */
                         while (tp->request_r_scale < TCP_MAX_WINSHIFT &&
                            TCP_MAXWIN << tp->request_r_scale <
                         /* Compute proper scaling value from buffer space */
                         while (tp->request_r_scale < TCP_MAX_WINSHIFT &&
                            TCP_MAXWIN << tp->request_r_scale <
@@ -966,13 +1145,80 @@ findpcb:
                 }
         }
  
                 }
         }
  
+#if 1
+       lck_mtx_assert(((struct inpcb *)so->so_pcb)->inpcb_mtx, LCK_MTX_ASSERT_OWNED);
+#endif
+       /*
+        * Radar 3529618
+        * This is the second part of the MSS DoS prevention code (after
+        * minmss on the sending side) and it deals with too many too small
+        * tcp packets in a too short timeframe (1 second).
+        *
+        * For every full second we count the number of received packets
+        * and bytes. If we get a lot of packets per second for this connection
+        * (tcp_minmssoverload) we take a closer look at it and compute the
+        * average packet size for the past second. If that is less than
+        * tcp_minmss we get too many packets with very small payload which
+        * is not good and burdens our system (and every packet generates
+        * a wakeup to the process connected to our socket). We can reasonable
+        * expect this to be small packet DoS attack to exhaust our CPU
+        * cycles.
+        *
+        * Care has to be taken for the minimum packet overload value. This
+        * value defines the minimum number of packets per second before we
+        * start to worry. This must not be too low to avoid killing for
+        * example interactive connections with many small packets like
+        * telnet or SSH.
+        *
+        *
+        * Account for packet if payload packet, skip over ACK, etc.
+        *
+        * The packet per second count is done all the time and is also used
+        * by "DELAY_ACK" to detect streaming situations.
+        *
+        */
+       if (tp->t_state == TCPS_ESTABLISHED && tlen > 0) {
+               if (tp->rcv_reset > tcp_now) {
+                       tp->rcv_pps++;
+                       tp->rcv_byps += tlen + off;
+               /*
+                * Setting either tcp_minmssoverload or tcp_minmss to "0" disables
+                * the check. 
+                */
+                       if (tcp_minmss && tcp_minmssoverload && tp->rcv_pps > tcp_minmssoverload) {
+                               if ((tp->rcv_byps / tp->rcv_pps) < tcp_minmss) {
+                                       char    ipstrbuf[MAX_IPv6_STR_LEN];
+                                       printf("too many small tcp packets from "
+                                              "%s:%u, av. %lubyte/packet, "
+                                              "dropping connection\n",
+#ifdef INET6
+                                               isipv6 ?
+                                               inet_ntop(AF_INET6, &inp->in6p_faddr, ipstrbuf,
+                                                                 sizeof(ipstrbuf)) :
+#endif
+                                               inet_ntop(AF_INET, &inp->inp_faddr, ipstrbuf,
+                                                                 sizeof(ipstrbuf)),
+                                               inp->inp_fport,
+                                               tp->rcv_byps / tp->rcv_pps);
+                                       tp = tcp_drop(tp, ECONNRESET);
+/*                                     tcpstat.tcps_minmssdrops++; */
+                                       goto drop;
+                               }
+                       }
+               } else {
+                       tp->rcv_reset = tcp_now + PR_SLOWHZ;
+                       tp->rcv_pps = 1;
+                       tp->rcv_byps = tlen + off;
+               }
+       }
+       
         /*
          * Segment received on connection.
          * Reset idle time and keep-alive timer.
          */
         tp->t_rcvtime = 0;
         if (TCPS_HAVEESTABLISHED(tp->t_state))
         /*
          * Segment received on connection.
          * Reset idle time and keep-alive timer.
          */
         tp->t_rcvtime = 0;
         if (TCPS_HAVEESTABLISHED(tp->t_state))
-               tp->t_timer[TCPT_KEEP] = tcp_keepidle;
+               tp->t_timer[TCPT_KEEP] = TCP_KEEPIDLE(tp);
  
         /*
          * Process options if not in LISTEN state,
  
         /*
          * Process options if not in LISTEN state,
@@ -1074,9 +1320,10 @@ findpcb:
                                 else if (tp->t_timer[TCPT_PERSIST] == 0)
                                         tp->t_timer[TCPT_REXMT] = tp->t_rxtcur;
  
                                 else if (tp->t_timer[TCPT_PERSIST] == 0)
                                         tp->t_timer[TCPT_REXMT] = tp->t_rxtcur;
  
-                               if (so->so_snd.sb_cc)
+                               sowwakeup(so); /* has to be done with socket lock held */
+                               if ((so->so_snd.sb_cc) || (tp->t_flags & TF_ACKNOW))
                                         (void) tcp_output(tp);
                                         (void) tcp_output(tp);
-                               sowwakeup(so);
+                               tcp_unlock(so, 1, 0);
                                 KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
                                 return;
                         }
                                 KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
                                 return;
                         }
@@ -1097,7 +1344,8 @@ findpcb:
                          * Add data to socket buffer.
                          */
                         m_adj(m, drop_hdrlen);  /* delayed header drop */
                          * Add data to socket buffer.
                          */
                         m_adj(m, drop_hdrlen);  /* delayed header drop */
-                       sbappend(&so->so_rcv, m);
+                       if (sbappend(&so->so_rcv, m))
+                               sorwakeup(so);
  #if INET6
                         if (isipv6) {
                                 KERNEL_DEBUG(DBG_LAYER_END, ((th->th_dport << 16) | th->th_sport),
  #if INET6
                         if (isipv6) {
                                 KERNEL_DEBUG(DBG_LAYER_END, ((th->th_dport << 16) | th->th_sport),
@@ -1111,14 +1359,13 @@ findpcb:
                                         (((ip->ip_src.s_addr & 0xffff) << 16) | (ip->ip_dst.s_addr & 0xffff)),
                                         th->th_seq, th->th_ack, th->th_win); 
                         }
                                         (((ip->ip_src.s_addr & 0xffff) << 16) | (ip->ip_dst.s_addr & 0xffff)),
                                         th->th_seq, th->th_ack, th->th_win); 
                         }
-                       if (tcp_delack_enabled) {
-                           TCP_DELACK_BITSET(tp->t_inpcb->hash_element); 
+                       if (DELAY_ACK(tp))  {
                             tp->t_flags |= TF_DELACK;
                         } else {
                                 tp->t_flags |= TF_ACKNOW;
                                 tcp_output(tp);
                         }
                             tp->t_flags |= TF_DELACK;
                         } else {
                                 tp->t_flags |= TF_ACKNOW;
                                 tcp_output(tp);
                         }
-                       sorwakeup(so);
+                       tcp_unlock(so, 1, 0);
                         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
                         return;
                 }
                         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
                         return;
                 }
@@ -1130,11 +1377,18 @@ findpcb:
          * Receive window is amount of space in rcv queue,
          * but not less than advertised window.
          */
          * Receive window is amount of space in rcv queue,
          * but not less than advertised window.
          */
+#if 1
+       lck_mtx_assert(((struct inpcb *)so->so_pcb)->inpcb_mtx, LCK_MTX_ASSERT_OWNED);
+#endif
         { int win;
  
         win = sbspace(&so->so_rcv);
         if (win < 0)
                 win = 0;
         { int win;
  
         win = sbspace(&so->so_rcv);
         if (win < 0)
                 win = 0;
+       else {  /* clip rcv window to 4K for modems */
+               if (tp->t_flags & TF_SLOWLINK && slowlink_wsize > 0)
+                       win = min(win, slowlink_wsize);
+       }
         tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
         }
  
         tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
         }
  
@@ -1160,7 +1414,10 @@ findpcb:
                 register struct sockaddr_in6 *sin6;
  #endif
  
                 register struct sockaddr_in6 *sin6;
  #endif
  
-               if (thflags & TH_RST)
+#if 1
+               lck_mtx_assert(((struct inpcb *)so->so_pcb)->inpcb_mtx, LCK_MTX_ASSERT_OWNED);
+#endif
+               if (thflags & TH_RST) 
                         goto drop;
                 if (thflags & TH_ACK) {
                         rstreason = BANDLIM_RST_OPENPORT;
                         goto drop;
                 if (thflags & TH_ACK) {
                         rstreason = BANDLIM_RST_OPENPORT;
@@ -1225,6 +1482,9 @@ findpcb:
                 } else
  #endif
             {
                 } else
  #endif
             {
+#if 1
+                       lck_mtx_assert(((struct inpcb *)so->so_pcb)->inpcb_mtx, LCK_MTX_ASSERT_OWNED);
+#endif
                         MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME,
                        M_NOWAIT);
                         if (sin == NULL)
                         MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME,
                        M_NOWAIT);
                         if (sin == NULL)
@@ -1294,7 +1554,7 @@ findpcb:
                          * segment.  Otherwise must send ACK now in case
                          * the other side is slow starting.
                          */
                          * segment.  Otherwise must send ACK now in case
                          * the other side is slow starting.
                          */
-                       if (tcp_delack_enabled && ((thflags & TH_FIN) ||
+                       if (DELAY_ACK(tp) && ((thflags & TH_FIN) ||
                             (tlen != 0 &&
  #if INET6
                               (isipv6 && in6_localaddr(&inp->in6p_faddr))
                             (tlen != 0 &&
  #if INET6
                               (isipv6 && in6_localaddr(&inp->in6p_faddr))
@@ -1306,18 +1566,21 @@ findpcb:
                                )
  #endif /* INET6 */
                               ))) {
                                )
  #endif /* INET6 */
                               ))) {
-                               TCP_DELACK_BITSET(tp->t_inpcb->hash_element); 
                                 tp->t_flags |= (TF_DELACK | TF_NEEDSYN);
                         }
                                 tp->t_flags |= (TF_DELACK | TF_NEEDSYN);
                         }
-                       else
+                       else {
                                 tp->t_flags |= (TF_ACKNOW | TF_NEEDSYN);
                                 tp->t_flags |= (TF_ACKNOW | TF_NEEDSYN);
+                       }
  
                         /*
                          * Limit the `virtual advertised window' to TCP_MAXWIN
                          * here.  Even if we requested window scaling, it will
                          * become effective only later when our SYN is acked.
                          */
  
                         /*
                          * Limit the `virtual advertised window' to TCP_MAXWIN
                          * here.  Even if we requested window scaling, it will
                          * become effective only later when our SYN is acked.
                          */
-                       tp->rcv_adv += min(tp->rcv_wnd, TCP_MAXWIN);
+                       if (tp->t_flags & TF_SLOWLINK && slowlink_wsize > 0) /* clip window size for for slow link */
+                               tp->rcv_adv += min(tp->rcv_wnd, slowlink_wsize);
+                       else 
+                               tp->rcv_adv += min(tp->rcv_wnd, TCP_MAXWIN);
                         tcpstat.tcps_connects++;
                         soisconnected(so);
                         tp->t_timer[TCPT_KEEP] = tcp_keepinit;
                         tcpstat.tcps_connects++;
                         soisconnected(so);
                         tp->t_timer[TCPT_KEEP] = tcp_keepinit;
@@ -1446,12 +1709,12 @@ findpcb:
                          * If there's data, delay ACK; if there's also a FIN
                          * ACKNOW will be turned on later.
                          */
                          * If there's data, delay ACK; if there's also a FIN
                          * ACKNOW will be turned on later.
                          */
-                       if (tcp_delack_enabled && tlen != 0) {
-                               TCP_DELACK_BITSET(tp->t_inpcb->hash_element); 
+                       if (DELAY_ACK(tp) && tlen != 0) {
                                 tp->t_flags |= TF_DELACK;
                         }
                                 tp->t_flags |= TF_DELACK;
                         }
-                       else
+                       else {
                                 tp->t_flags |= TF_ACKNOW;
                                 tp->t_flags |= TF_ACKNOW;
+                       }
                         /*
                          * Received <SYN,ACK> in SYN_SENT[*] state.
                          * Transitions:
                         /*
                          * Received <SYN,ACK> in SYN_SENT[*] state.
                          * Transitions:
@@ -1464,7 +1727,7 @@ findpcb:
                                 thflags &= ~TH_SYN;
                         } else {
                                 tp->t_state = TCPS_ESTABLISHED;
                                 thflags &= ~TH_SYN;
                         } else {
                                 tp->t_state = TCPS_ESTABLISHED;
-                               tp->t_timer[TCPT_KEEP] = tcp_keepidle;
+                               tp->t_timer[TCPT_KEEP] = TCP_KEEPIDLE(tp);
                         }
                 } else {
                 /*
                         }
                 } else {
                 /*
@@ -1492,7 +1755,7 @@ findpcb:
                                                 tp->t_flags &= ~TF_NEEDFIN;
                                         } else {
                                                 tp->t_state = TCPS_ESTABLISHED;
                                                 tp->t_flags &= ~TF_NEEDFIN;
                                         } else {
                                                 tp->t_state = TCPS_ESTABLISHED;
-                                               tp->t_timer[TCPT_KEEP] = tcp_keepidle;
+                                               tp->t_timer[TCPT_KEEP] = TCP_KEEPIDLE(tp);
                                         }
                                         tp->t_flags |= TF_NEEDSYN;
                                 } else
                                         }
                                         tp->t_flags |= TF_NEEDSYN;
                                 } else
@@ -1557,12 +1820,23 @@ trimthenstep6:
                         }
                         if (CC_GT(to.to_cc, tp->cc_recv)) {
                                 tp = tcp_close(tp);
                         }
                         if (CC_GT(to.to_cc, tp->cc_recv)) {
                                 tp = tcp_close(tp);
+                               tcp_unlock(so, 1, 50);
                                 goto findpcb;
                         }
                         else
                                 goto drop;
                 }
                 break;  /* continue normal processing */
                                 goto findpcb;
                         }
                         else
                                 goto drop;
                 }
                 break;  /* continue normal processing */
+
+       /* Received a SYN while connection is already established.
+        * This is a "half open connection and other anomalies" described
+        * in RFC793 page 34, send an ACK so the remote reset the connection
+        * or recovers by adjusting its sequence numberering 
+        */
+       case TCPS_ESTABLISHED:
+               if (thflags & TH_SYN)  
+                       goto dropafterack; 
+               break;
         }
  
         /*
         }
  
         /*
@@ -1657,6 +1931,9 @@ trimthenstep6:
                 goto drop;
         }
  
                 goto drop;
         }
  
+#if 1
+       lck_mtx_assert(((struct inpcb *)so->so_pcb)->inpcb_mtx, LCK_MTX_ASSERT_OWNED);
+#endif
         /*
          * RFC 1323 PAWS: If we have a timestamp reply on this segment
          * and it's less than ts_recent, drop it.
         /*
          * RFC 1323 PAWS: If we have a timestamp reply on this segment
          * and it's less than ts_recent, drop it.
@@ -1786,6 +2063,7 @@ trimthenstep6:
                             SEQ_GT(th->th_seq, tp->rcv_nxt)) {
                                 iss = tcp_new_isn(tp);
                                 tp = tcp_close(tp);
                             SEQ_GT(th->th_seq, tp->rcv_nxt)) {
                                 iss = tcp_new_isn(tp);
                                 tp = tcp_close(tp);
+                               tcp_unlock(so, 1, 0);
                                 goto findpcb;
                         }
                         /*
                                 goto findpcb;
                         }
                         /*
@@ -1883,7 +2161,7 @@ trimthenstep6:
                         tp->t_flags &= ~TF_NEEDFIN;
                 } else {
                         tp->t_state = TCPS_ESTABLISHED;
                         tp->t_flags &= ~TF_NEEDFIN;
                 } else {
                         tp->t_state = TCPS_ESTABLISHED;
-                       tp->t_timer[TCPT_KEEP] = tcp_keepidle;
+                       tp->t_timer[TCPT_KEEP] = TCP_KEEPIDLE(tp);
                 }
                 /*
                  * If segment contains data or ACK, will call tcp_reass()
                 }
                 /*
                  * If segment contains data or ACK, will call tcp_reass()
@@ -2117,6 +2395,13 @@ process_ACK:
                         ourfinisacked = 0;
                 }
                 sowwakeup(so);
                         ourfinisacked = 0;
                 }
                 sowwakeup(so);
+               /* detect una wraparound */
+               if (SEQ_GEQ(tp->snd_una, tp->snd_recover) &&
+                   SEQ_LT(th->th_ack, tp->snd_recover))
+                       tp->snd_recover = th->th_ack;
+               if (SEQ_GT(tp->snd_una, tp->snd_high) &&
+                   SEQ_LEQ(th->th_ack, tp->snd_high))
+                       tp->snd_high = th->th_ack - 1;
                 tp->snd_una = th->th_ack;
                 if (SEQ_LT(tp->snd_nxt, tp->snd_una))
                         tp->snd_nxt = tp->snd_una;
                 tp->snd_una = th->th_ack;
                 if (SEQ_LT(tp->snd_nxt, tp->snd_una))
                         tp->snd_nxt = tp->snd_una;
@@ -2143,6 +2428,7 @@ process_ACK:
                                 }
                                 add_to_time_wait(tp);
                                 tp->t_state = TCPS_FIN_WAIT_2;
                                 }
                                 add_to_time_wait(tp);
                                 tp->t_state = TCPS_FIN_WAIT_2;
+                               goto drop;
                         }
                         break;
  
                         }
                         break;
  
@@ -2302,25 +2588,19 @@ dodata:                                                 /* XXX */
                 if (th->th_seq == tp->rcv_nxt &&
                     LIST_EMPTY(&tp->t_segq) &&
                     TCPS_HAVEESTABLISHED(tp->t_state)) {
                 if (th->th_seq == tp->rcv_nxt &&
                     LIST_EMPTY(&tp->t_segq) &&
                     TCPS_HAVEESTABLISHED(tp->t_state)) {
-#ifdef __APPLE__
-                       if (tcp_delack_enabled) {
-                               TCP_DELACK_BITSET(tp->t_inpcb->hash_element);
+                       if (DELAY_ACK(tp) && ((tp->t_flags & TF_ACKNOW) == 0)) {
                                 tp->t_flags |= TF_DELACK;
                         }         
                                 tp->t_flags |= TF_DELACK;
                         }         
-#else
-                       if (DELAY_ACK(tp))
-                               callout_reset(tp->tt_delack, tcp_delacktime,
-                                   tcp_timer_delack, tp);
-#endif
-                       else
+                       else {
                                 tp->t_flags |= TF_ACKNOW;
                                 tp->t_flags |= TF_ACKNOW;
+                       }
                         tp->rcv_nxt += tlen;
                         thflags = th->th_flags & TH_FIN;
                         tcpstat.tcps_rcvpack++;
                         tcpstat.tcps_rcvbyte += tlen;
                         ND6_HINT(tp);
                         tp->rcv_nxt += tlen;
                         thflags = th->th_flags & TH_FIN;
                         tcpstat.tcps_rcvpack++;
                         tcpstat.tcps_rcvbyte += tlen;
                         ND6_HINT(tp);
-                       sbappend(&so->so_rcv, m);
-                       sorwakeup(so);
+                       if (sbappend(&so->so_rcv, m))
+                               sorwakeup(so);
                 } else {
                         thflags = tcp_reass(tp, th, &tlen, m);
                         tp->t_flags |= TF_ACKNOW;
                 } else {
                         thflags = tcp_reass(tp, th, &tlen, m);
                         tp->t_flags |= TF_ACKNOW;
@@ -2369,12 +2649,12 @@ dodata:                                                 /* XXX */
                          *  Otherwise, since we received a FIN then no
                          *  more input can be expected, send ACK now.
                          */
                          *  Otherwise, since we received a FIN then no
                          *  more input can be expected, send ACK now.
                          */
-                       if (tcp_delack_enabled && (tp->t_flags & TF_NEEDSYN)) {
-                               TCP_DELACK_BITSET(tp->t_inpcb->hash_element); 
+                       if (DELAY_ACK(tp) && (tp->t_flags & TF_NEEDSYN)) {
                                 tp->t_flags |= TF_DELACK;
                         }
                                 tp->t_flags |= TF_DELACK;
                         }
-                       else
+                       else {
                                 tp->t_flags |= TF_ACKNOW;
                                 tp->t_flags |= TF_ACKNOW;
+                       }
                         tp->rcv_nxt++;
                 }
                 switch (tp->t_state) {
                         tp->rcv_nxt++;
                 }
                 switch (tp->t_state) {
@@ -2440,6 +2720,7 @@ dodata:                                                   /* XXX */
          */
         if (needoutput || (tp->t_flags & TF_ACKNOW))
                 (void) tcp_output(tp);
          */
         if (needoutput || (tp->t_flags & TF_ACKNOW))
                 (void) tcp_output(tp);
+       tcp_unlock(so, 1, 0);
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
  
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
  
@@ -2473,9 +2754,11 @@ dropafterack:
         m_freem(m);
         tp->t_flags |= TF_ACKNOW;
         (void) tcp_output(tp);
         m_freem(m);
         tp->t_flags |= TF_ACKNOW;
         (void) tcp_output(tp);
+       tcp_unlock(so, 1, 0);
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
-
+dropwithresetnosock:
+       nosock = 1;
  dropwithreset:
         /*
          * Generate a RST, dropping incoming segment.
  dropwithreset:
         /*
          * Generate a RST, dropping incoming segment.
@@ -2523,11 +2806,17 @@ dropwithreset:
                             (tcp_seq)0, TH_RST|TH_ACK);
         }
         /* destroy temporarily created socket */
                             (tcp_seq)0, TH_RST|TH_ACK);
         }
         /* destroy temporarily created socket */
-       if (dropsocket)
-               (void) soabort(so);
+       if (dropsocket) {
+               (void) soabort(so); 
+               tcp_unlock(so, 1, 0);
+       }
+       else
+               if ((inp != NULL) && (nosock == 0))
+                       tcp_unlock(so, 1, 0);
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
-
+dropnosock:
+       nosock = 1;
  drop:
         /*
          * Drop space held by incoming segment and return.
  drop:
         /*
          * Drop space held by incoming segment and return.
@@ -2539,8 +2828,13 @@ drop:
  #endif
         m_freem(m);
         /* destroy temporarily created socket */
  #endif
         m_freem(m);
         /* destroy temporarily created socket */
-       if (dropsocket)
-               (void) soabort(so);
+       if (dropsocket) {
+               (void) soabort(so); 
+               tcp_unlock(so, 1, 0);
+       }
+       else
+               if (nosock == 0)
+                       tcp_unlock(so, 1, 0);
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
  }
         KERNEL_DEBUG(DBG_FNC_TCP_INPUT | DBG_FUNC_END,0,0,0,0,0);
         return;
  }
@@ -2841,6 +3135,16 @@ tcp_mss(tp, offer)
                 return;
         }
         ifp = rt->rt_ifp;
                 return;
         }
         ifp = rt->rt_ifp;
+       /*
+        * Slower link window correction:
+        * If a value is specificied for slowlink_wsize use it for PPP links
+        * believed to be on a serial modem (speed <128Kbps). Excludes 9600bps as
+        * it is the default value adversized by pseudo-devices over ppp.
+        */
+       if (ifp->if_type == IFT_PPP && slowlink_wsize > 0 && 
+           ifp->if_baudrate > 9600 && ifp->if_baudrate <= 128000) {
+               tp->t_flags |= TF_SLOWLINK;
+       }
         so = inp->inp_socket;
  
         taop = rmx_taop(rt->rt_rmx);
         so = inp->inp_socket;
  
         taop = rmx_taop(rt->rt_rmx);
@@ -2860,7 +3164,12 @@ tcp_mss(tp, offer)
                         isipv6 ? tcp_v6mssdflt :
  #endif /* INET6 */
                         tcp_mssdflt;
                         isipv6 ? tcp_v6mssdflt :
  #endif /* INET6 */
                         tcp_mssdflt;
-       else
+       else {
+               /*
+                * Prevent DoS attack with too small MSS. Round up
+                * to at least minmss.
+                */
+               offer = max(offer, tcp_minmss);
                 /*
                  * Sanity check: make sure that maxopd will be large
                  * enough to allow some data on segments even is the
                 /*
                  * Sanity check: make sure that maxopd will be large
                  * enough to allow some data on segments even is the
@@ -2868,6 +3177,7 @@ tcp_mss(tp, offer)
                  * funny things may happen in tcp_output.
                  */
                 offer = max(offer, 64);
                  * funny things may happen in tcp_output.
                  */
                 offer = max(offer, 64);
+       }
         taop->tao_mssopt = offer;
  
         /*
         taop->tao_mssopt = offer;
  
         /*
@@ -2947,21 +3257,16 @@ tcp_mss(tp, offer)
              (tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC))
                 mss -= TCPOLEN_CC_APPA;
  
              (tp->t_flags & TF_RCVD_CC) == TF_RCVD_CC))
                 mss -= TCPOLEN_CC_APPA;
  
-#if    (MCLBYTES & (MCLBYTES - 1)) == 0
-               if (mss > MCLBYTES)
-                       mss &= ~(MCLBYTES-1);
-#else
-               if (mss > MCLBYTES)
-                       mss = mss / MCLBYTES * MCLBYTES;
-#endif
         /*
         /*
-        * If there's a pipesize, change the socket buffer
-        * to that size.  Make the socket buffers an integral
+        * If there's a pipesize (ie loopback), change the socket
+        * buffer to that size only if it's bigger than the current
+        * sockbuf size.  Make the socket buffers an integral
          * number of mss units; if the mss is larger than
          * the socket buffer, decrease the mss.
          */
  #if RTV_SPIPE
          * number of mss units; if the mss is larger than
          * the socket buffer, decrease the mss.
          */
  #if RTV_SPIPE
-       if ((bufsize = rt->rt_rmx.rmx_sendpipe) == 0)
+       bufsize = rt->rt_rmx.rmx_sendpipe;
+       if (bufsize < so->so_snd.sb_hiwat)
  #endif
                 bufsize = so->so_snd.sb_hiwat;
         if (bufsize < mss)
  #endif
                 bufsize = so->so_snd.sb_hiwat;
         if (bufsize < mss)
@@ -2975,7 +3280,8 @@ tcp_mss(tp, offer)
         tp->t_maxseg = mss;
  
  #if RTV_RPIPE
         tp->t_maxseg = mss;
  
  #if RTV_RPIPE
-       if ((bufsize = rt->rt_rmx.rmx_recvpipe) == 0)
+       bufsize = rt->rt_rmx.rmx_recvpipe;
+       if (bufsize < so->so_rcv.sb_hiwat)
  #endif
                 bufsize = so->so_rcv.sb_hiwat;
         if (bufsize > mss) {
  #endif
                 bufsize = so->so_rcv.sb_hiwat;
         if (bufsize > mss) {
@@ -3047,6 +3353,16 @@ tcp_mssopt(tp)
                         isipv6 ? tcp_v6mssdflt :
  #endif /* INET6 */
                         tcp_mssdflt;
                         isipv6 ? tcp_v6mssdflt :
  #endif /* INET6 */
                         tcp_mssdflt;
+       /*
+        * Slower link window correction:
+        * If a value is specificied for slowlink_wsize use it for PPP links
+        * believed to be on a serial modem (speed <128Kbps). Excludes 9600bps as
+        * it is the default value adversized by pseudo-devices over ppp.
+        */
+       if (rt->rt_ifp->if_type == IFT_PPP && slowlink_wsize > 0 && 
+           rt->rt_ifp->if_baudrate > 9600 && rt->rt_ifp->if_baudrate <= 128000) {
+               tp->t_flags |= TF_SLOWLINK;
+       }
  
         return rt->rt_ifp->if_mtu - min_protoh;
  }
  
         return rt->rt_ifp->if_mtu - min_protoh;
  }
@@ -3079,6 +3395,7 @@ tcp_newreno(tp, th)
                  *  is called)
                  */
                 tp->snd_cwnd = tp->t_maxseg + (th->th_ack - tp->snd_una);
                  *  is called)
                  */
                 tp->snd_cwnd = tp->t_maxseg + (th->th_ack - tp->snd_una);
+               tp->t_flags |= TF_ACKNOW;
                 (void) tcp_output(tp);
                 tp->snd_cwnd = ocwnd;
                 if (SEQ_GT(onxt, tp->snd_nxt))
                 (void) tcp_output(tp);
                 tp->snd_cwnd = ocwnd;
                 if (SEQ_GT(onxt, tp->snd_nxt))
@@ -3092,3 +3409,93 @@ tcp_newreno(tp, th)
         }
         return (0);
  }
         }
         return (0);
  }
+
+/*
+ * Drop a random TCP connection that hasn't been serviced yet and
+ * is eligible for discard.  There is a one in qlen chance that
+ * we will return a null, saying that there are no dropable
+ * requests.  In this case, the protocol specific code should drop
+ * the new request.  This insures fairness.
+ *
+ * The listening TCP socket "head" must be locked
+ */
+static int
+tcpdropdropablreq(struct socket *head)
+{
+       struct socket *so;
+       unsigned int i, j, qlen;
+       static int rnd;
+       static struct timeval old_runtime;
+       static unsigned int cur_cnt, old_cnt;
+       struct timeval tv;
+       struct inpcb *inp = NULL;
+       struct tcpcb *tp;
+       
+       microtime(&tv);
+       if ((i = (tv.tv_sec - old_runtime.tv_sec)) != 0) {
+               old_runtime = tv;
+               old_cnt = cur_cnt / i;
+               cur_cnt = 0;
+       }
+       
+       so = TAILQ_FIRST(&head->so_incomp);
+       if (!so)
+               return 0;
+       
+       qlen = head->so_incqlen;
+       if (++cur_cnt > qlen || old_cnt > qlen) {
+               rnd = (314159 * rnd + 66329) & 0xffff;
+               j = ((qlen + 1) * rnd) >> 16;
+
+               while (j-- && so)
+                       so = TAILQ_NEXT(so, so_list);
+       }
+       /* Find a connection that is not already closing */
+       while (so) {
+               inp = (struct inpcb *)so->so_pcb;
+               
+               if (in_pcb_checkstate(inp, WNT_ACQUIRE, 0) != WNT_STOPUSING)
+                       break;
+               
+               so = TAILQ_NEXT(so, so_list);
+       }
+       if (!so)
+               return 0;
+       
+       head->so_incqlen--;
+       head->so_qlen--;
+       TAILQ_REMOVE(&head->so_incomp, so, so_list);
+       tcp_unlock(head, 0, 0);
+
+       /* Let's remove this connection from the incomplete list */
+       tcp_lock(so, 1, 0);
+       
+       if (in_pcb_checkstate(inp, WNT_RELEASE, 1) == WNT_STOPUSING) {
+               tcp_unlock(so, 1, 0);
+               return 0;
+       }
+       
+       so->so_head = NULL;
+       so->so_usecount--;      /* No more held by so_head */
+
+       /* 
+        * We do not want to lose track of the PCB right away in case we receive 
+        * more segments from the peer
+        */
+       tp = sototcpcb(so);
+       tp->t_flags |= TF_LQ_OVERFLOW;
+       tp->t_state = TCPS_CLOSED;
+       (void) tcp_output(tp);
+       tcpstat.tcps_drops++;
+       soisdisconnected(so);
+       tcp_canceltimers(tp);
+       add_to_time_wait(tp);
+       
+       tcp_unlock(so, 1, 0);
+       tcp_lock(head, 0, 0);
+       
+       return 1;
+       
+}
+
+