inet/tcp/tcp_input.c

11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * CDDL HEADER START
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The contents of this file are subject to the terms of the
11754SKacheong.Poon@Sun.COM * Common Development and Distribution License (the "License").
11754SKacheong.Poon@Sun.COM * You may not use this file except in compliance with the License.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11754SKacheong.Poon@Sun.COM * or http://www.opensolaris.org/os/licensing.
11754SKacheong.Poon@Sun.COM * See the License for the specific language governing permissions
11754SKacheong.Poon@Sun.COM * and limitations under the License.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * When distributing Covered Code, include this CDDL HEADER in each
11754SKacheong.Poon@Sun.COM * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
11754SKacheong.Poon@Sun.COM * If applicable, add the following below this CDDL HEADER, with the
11754SKacheong.Poon@Sun.COM * fields enclosed by brackets "[]" replaced with your own identifying
11754SKacheong.Poon@Sun.COM * information: Portions Copyright [yyyy] [name of copyright owner]
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * CDDL HEADER END
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
12056SKacheong.Poon@Sun.COM * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* This file contains all TCP input processing functions. */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM#include <sys/types.h>
11754SKacheong.Poon@Sun.COM#include <sys/stream.h>
11754SKacheong.Poon@Sun.COM#include <sys/strsun.h>
11754SKacheong.Poon@Sun.COM#include <sys/strsubr.h>
11754SKacheong.Poon@Sun.COM#include <sys/stropts.h>
11754SKacheong.Poon@Sun.COM#include <sys/strlog.h>
11754SKacheong.Poon@Sun.COM#define	_SUN_TPI_VERSION 2
11754SKacheong.Poon@Sun.COM#include <sys/tihdr.h>
11754SKacheong.Poon@Sun.COM#include <sys/suntpi.h>
11754SKacheong.Poon@Sun.COM#include <sys/xti_inet.h>
11754SKacheong.Poon@Sun.COM#include <sys/squeue_impl.h>
11754SKacheong.Poon@Sun.COM#include <sys/squeue.h>
11754SKacheong.Poon@Sun.COM#include <sys/tsol/tnet.h>
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM#include <inet/common.h>
11754SKacheong.Poon@Sun.COM#include <inet/ip.h>
11754SKacheong.Poon@Sun.COM#include <inet/tcp.h>
11754SKacheong.Poon@Sun.COM#include <inet/tcp_impl.h>
11754SKacheong.Poon@Sun.COM#include <inet/tcp_cluster.h>
11754SKacheong.Poon@Sun.COM#include <inet/proto_set.h>
11754SKacheong.Poon@Sun.COM#include <inet/ipsec_impl.h>
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * RFC1323-recommended phrasing of TSTAMP option, for easier parsing
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM#ifdef _BIG_ENDIAN
11754SKacheong.Poon@Sun.COM#define	TCPOPT_NOP_NOP_TSTAMP ((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) | \
11754SKacheong.Poon@Sun.COM	(TCPOPT_TSTAMP << 8) | 10)
11754SKacheong.Poon@Sun.COM#else
11754SKacheong.Poon@Sun.COM#define	TCPOPT_NOP_NOP_TSTAMP ((10 << 24) | (TCPOPT_TSTAMP << 16) | \
11754SKacheong.Poon@Sun.COM	(TCPOPT_NOP << 8) | TCPOPT_NOP)
11754SKacheong.Poon@Sun.COM#endif
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Flags returned from tcp_parse_options.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM#define	TCP_OPT_MSS_PRESENT	1
11754SKacheong.Poon@Sun.COM#define	TCP_OPT_WSCALE_PRESENT	2
11754SKacheong.Poon@Sun.COM#define	TCP_OPT_TSTAMP_PRESENT	4
11754SKacheong.Poon@Sun.COM#define	TCP_OPT_SACK_OK_PRESENT	8
11754SKacheong.Poon@Sun.COM#define	TCP_OPT_SACK_PRESENT	16
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM *  PAWS needs a timer for 24 days.  This is the number of ticks in 24 days
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM#define	PAWS_TIMEOUT	((clock_t)(24*24*60*60*hz))
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Since tcp_listener is not cleared atomically with tcp_detached
11754SKacheong.Poon@Sun.COM * being cleared we need this extra bit to tell a detached connection
11754SKacheong.Poon@Sun.COM * apart from one that is in the process of being accepted.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM#define	TCP_IS_DETACHED_NONEAGER(tcp)	\
11754SKacheong.Poon@Sun.COM	(TCP_IS_DETACHED(tcp) &&	\
11754SKacheong.Poon@Sun.COM	    (!(tcp)->tcp_hard_binding))
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Steps to do when a tcp_t moves to TIME-WAIT state.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * This connection is done, we don't need to account for it.  Decrement
11754SKacheong.Poon@Sun.COM * the listener connection counter if needed.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Decrement the connection counter of the stack.  Note that this counter
11754SKacheong.Poon@Sun.COM * is per CPU.  So the total number of connections in a stack is the sum of all
11754SKacheong.Poon@Sun.COM * of them.  Since there is no lock for handling all of them exclusively, the
11754SKacheong.Poon@Sun.COM * resulting sum is only an approximation.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Unconditionally clear the exclusive binding bit so this TIME-WAIT
11754SKacheong.Poon@Sun.COM * connection won't interfere with new ones.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Start the TIME-WAIT timer.  If upper layer has not closed the connection,
11754SKacheong.Poon@Sun.COM * the timer is handled within the context of this tcp_t.  When the timer
11754SKacheong.Poon@Sun.COM * fires, tcp_clean_death() is called.  If upper layer closes the connection
11754SKacheong.Poon@Sun.COM * during this period, tcp_time_wait_append() will be called to add this
11754SKacheong.Poon@Sun.COM * tcp_t to the global TIME-WAIT list.  Note that this means that the
11754SKacheong.Poon@Sun.COM * actual wait time in TIME-WAIT state will be longer than the
11754SKacheong.Poon@Sun.COM * tcps_time_wait_interval since the period before upper layer closes the
11754SKacheong.Poon@Sun.COM * connection is not accounted for when tcp_time_wait_append() is called.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * If uppser layer has closed the connection, call tcp_time_wait_append()
11754SKacheong.Poon@Sun.COM * directly.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM#define	SET_TIME_WAIT(tcps, tcp, connp)				\
11754SKacheong.Poon@Sun.COM{								\
11754SKacheong.Poon@Sun.COM	(tcp)->tcp_state = TCPS_TIME_WAIT;			\
11754SKacheong.Poon@Sun.COM	if ((tcp)->tcp_listen_cnt != NULL)			\
11754SKacheong.Poon@Sun.COM		TCP_DECR_LISTEN_CNT(tcp);			\
11754SKacheong.Poon@Sun.COM	atomic_dec_64(						\
11754SKacheong.Poon@Sun.COM	    (uint64_t *)&(tcps)->tcps_sc[CPU->cpu_seqid]->tcp_sc_conn_cnt); \
11754SKacheong.Poon@Sun.COM	(connp)->conn_exclbind = 0;				\
11754SKacheong.Poon@Sun.COM	if (!TCP_IS_DETACHED(tcp)) {				\
11754SKacheong.Poon@Sun.COM		TCP_TIMER_RESTART(tcp, (tcps)->tcps_time_wait_interval); \
11754SKacheong.Poon@Sun.COM	} else {						\
11754SKacheong.Poon@Sun.COM		tcp_time_wait_append(tcp);			\
11754SKacheong.Poon@Sun.COM		TCP_DBGSTAT(tcps, tcp_rput_time_wait);		\
11754SKacheong.Poon@Sun.COM	}							\
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * If tcp_drop_ack_unsent_cnt is greater than 0, when TCP receives more
11754SKacheong.Poon@Sun.COM * than tcp_drop_ack_unsent_cnt number of ACKs which acknowledge unsent
11754SKacheong.Poon@Sun.COM * data, TCP will not respond with an ACK.  RFC 793 requires that
11754SKacheong.Poon@Sun.COM * TCP responds with an ACK for such a bogus ACK.  By not following
11754SKacheong.Poon@Sun.COM * the RFC, we prevent TCP from getting into an ACK storm if somehow
11754SKacheong.Poon@Sun.COM * an attacker successfully spoofs an acceptable segment to our
11754SKacheong.Poon@Sun.COM * peer; or when our peer is "confused."
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic uint32_t tcp_drop_ack_unsent_cnt = 10;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
13008SKacheong.Poon@Sun.COM * To protect TCP against attacker using a small window and requesting
13008SKacheong.Poon@Sun.COM * large amount of data (DoS attack by conuming memory), TCP checks the
13008SKacheong.Poon@Sun.COM * window advertised in the last ACK of the 3-way handshake.  TCP uses
13008SKacheong.Poon@Sun.COM * the tcp_mss (the size of one packet) value for comparion.  The window
13008SKacheong.Poon@Sun.COM * should be larger than tcp_mss.  But while a sane TCP should advertise
13008SKacheong.Poon@Sun.COM * a receive window larger than or equal to 4*MSS to avoid stop and go
13008SKacheong.Poon@Sun.COM * tarrfic, not all TCP stacks do that.  This is especially true when
13008SKacheong.Poon@Sun.COM * tcp_mss is a big value.
13008SKacheong.Poon@Sun.COM *
13008SKacheong.Poon@Sun.COM * To work around this issue, an additional fixed value for comparison
13008SKacheong.Poon@Sun.COM * is also used.  If the advertised window is smaller than both tcp_mss
13008SKacheong.Poon@Sun.COM * and tcp_init_wnd_chk, the ACK is considered as invalid.  So for large
13008SKacheong.Poon@Sun.COM * tcp_mss value (say, 8K), a window larger than tcp_init_wnd_chk but
13008SKacheong.Poon@Sun.COM * smaller than 8K is considered to be OK.
11754SKacheong.Poon@Sun.COM */
13008SKacheong.Poon@Sun.COMstatic uint32_t tcp_init_wnd_chk = 4096;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* Process ICMP source quench message or not. */
11754SKacheong.Poon@Sun.COMstatic boolean_t tcp_icmp_source_quench = B_FALSE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COMstatic boolean_t tcp_outbound_squeue_switch = B_FALSE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COMstatic mblk_t	*tcp_conn_create_v4(conn_t *, conn_t *, mblk_t *,
11754SKacheong.Poon@Sun.COM		    ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COMstatic mblk_t	*tcp_conn_create_v6(conn_t *, conn_t *, mblk_t *,
11754SKacheong.Poon@Sun.COM		    ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COMstatic boolean_t	tcp_drop_q0(tcp_t *);
11754SKacheong.Poon@Sun.COMstatic void	tcp_icmp_error_ipv6(tcp_t *, mblk_t *, ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COMstatic mblk_t	*tcp_input_add_ancillary(tcp_t *, mblk_t *, ip_pkt_t *,
11754SKacheong.Poon@Sun.COM		    ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COMstatic void	tcp_input_listener(void *, mblk_t *, void *, ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COMstatic int	tcp_parse_options(tcpha_t *, tcp_opt_t *);
11754SKacheong.Poon@Sun.COMstatic void	tcp_process_options(tcp_t *, tcpha_t *);
11754SKacheong.Poon@Sun.COMstatic mblk_t	*tcp_reass(tcp_t *, mblk_t *, uint32_t);
11754SKacheong.Poon@Sun.COMstatic void	tcp_reass_elim_overlap(tcp_t *, mblk_t *);
11754SKacheong.Poon@Sun.COMstatic void	tcp_rsrv_input(void *, mblk_t *, void *, ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COMstatic void	tcp_set_rto(tcp_t *, time_t);
11754SKacheong.Poon@Sun.COMstatic void	tcp_setcred_data(mblk_t *, ip_recv_attr_t *);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Set the MSS associated with a particular tcp based on its current value,
11754SKacheong.Poon@Sun.COM * and a new one passed in. Observe minimums and maximums, and reset other
11754SKacheong.Poon@Sun.COM * state variables that we want to view as multiples of MSS.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The value of MSS could be either increased or descreased.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_mss_set(tcp_t *tcp, uint32_t mss)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uint32_t	mss_max;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM	conn_t		*connp = tcp->tcp_connp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (connp->conn_ipversion == IPV4_VERSION)
11754SKacheong.Poon@Sun.COM		mss_max = tcps->tcps_mss_max_ipv4;
11754SKacheong.Poon@Sun.COM	else
11754SKacheong.Poon@Sun.COM		mss_max = tcps->tcps_mss_max_ipv6;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (mss < tcps->tcps_mss_min)
11754SKacheong.Poon@Sun.COM		mss = tcps->tcps_mss_min;
11754SKacheong.Poon@Sun.COM	if (mss > mss_max)
11754SKacheong.Poon@Sun.COM		mss = mss_max;
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Unless naglim has been set by our client to
11754SKacheong.Poon@Sun.COM	 * a non-mss value, force naglim to track mss.
11754SKacheong.Poon@Sun.COM	 * This can help to aggregate small writes.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (mss < tcp->tcp_naglim || tcp->tcp_mss == tcp->tcp_naglim)
11754SKacheong.Poon@Sun.COM		tcp->tcp_naglim = mss;
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * TCP should be able to buffer at least 4 MSS data for obvious
11754SKacheong.Poon@Sun.COM	 * performance reason.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if ((mss << 2) > connp->conn_sndbuf)
11754SKacheong.Poon@Sun.COM		connp->conn_sndbuf = mss << 2;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Set the send lowater to at least twice of MSS.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if ((mss << 1) > connp->conn_sndlowat)
11754SKacheong.Poon@Sun.COM		connp->conn_sndlowat = mss << 1;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Update tcp_cwnd according to the new value of MSS. Keep the
11754SKacheong.Poon@Sun.COM	 * previous ratio to preserve the transmit rate.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	tcp->tcp_cwnd = (tcp->tcp_cwnd / tcp->tcp_mss) * mss;
11754SKacheong.Poon@Sun.COM	tcp->tcp_cwnd_cnt = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcp->tcp_mss = mss;
11754SKacheong.Poon@Sun.COM	(void) tcp_maxpsz_set(tcp, B_TRUE);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Extract option values from a tcp header.  We put any found values into the
11754SKacheong.Poon@Sun.COM * tcpopt struct and return a bitmask saying which options were found.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic int
11754SKacheong.Poon@Sun.COMtcp_parse_options(tcpha_t *tcpha, tcp_opt_t *tcpopt)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uchar_t		*endp;
11754SKacheong.Poon@Sun.COM	int		len;
11754SKacheong.Poon@Sun.COM	uint32_t	mss;
11754SKacheong.Poon@Sun.COM	uchar_t		*up = (uchar_t *)tcpha;
11754SKacheong.Poon@Sun.COM	int		found = 0;
11754SKacheong.Poon@Sun.COM	int32_t		sack_len;
11754SKacheong.Poon@Sun.COM	tcp_seq		sack_begin, sack_end;
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	endp = up + TCP_HDR_LENGTH(tcpha);
11754SKacheong.Poon@Sun.COM	up += TCP_MIN_HEADER_LENGTH;
11754SKacheong.Poon@Sun.COM	while (up < endp) {
11754SKacheong.Poon@Sun.COM		len = endp - up;
11754SKacheong.Poon@Sun.COM		switch (*up) {
11754SKacheong.Poon@Sun.COM		case TCPOPT_EOL:
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		case TCPOPT_NOP:
11754SKacheong.Poon@Sun.COM			up++;
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		case TCPOPT_MAXSEG:
11754SKacheong.Poon@Sun.COM			if (len < TCPOPT_MAXSEG_LEN ||
11754SKacheong.Poon@Sun.COM			    up[1] != TCPOPT_MAXSEG_LEN)
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			mss = BE16_TO_U16(up+2);
11754SKacheong.Poon@Sun.COM			/* Caller must handle tcp_mss_min and tcp_mss_max_* */
11754SKacheong.Poon@Sun.COM			tcpopt->tcp_opt_mss = mss;
11754SKacheong.Poon@Sun.COM			found |= TCP_OPT_MSS_PRESENT;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			up += TCPOPT_MAXSEG_LEN;
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		case TCPOPT_WSCALE:
11754SKacheong.Poon@Sun.COM			if (len < TCPOPT_WS_LEN || up[1] != TCPOPT_WS_LEN)
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			if (up[2] > TCP_MAX_WINSHIFT)
11754SKacheong.Poon@Sun.COM				tcpopt->tcp_opt_wscale = TCP_MAX_WINSHIFT;
11754SKacheong.Poon@Sun.COM			else
11754SKacheong.Poon@Sun.COM				tcpopt->tcp_opt_wscale = up[2];
11754SKacheong.Poon@Sun.COM			found |= TCP_OPT_WSCALE_PRESENT;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			up += TCPOPT_WS_LEN;
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		case TCPOPT_SACK_PERMITTED:
11754SKacheong.Poon@Sun.COM			if (len < TCPOPT_SACK_OK_LEN ||
11754SKacheong.Poon@Sun.COM			    up[1] != TCPOPT_SACK_OK_LEN)
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			found |= TCP_OPT_SACK_OK_PRESENT;
11754SKacheong.Poon@Sun.COM			up += TCPOPT_SACK_OK_LEN;
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		case TCPOPT_SACK:
11754SKacheong.Poon@Sun.COM			if (len <= 2 || up[1] <= 2 || len < up[1])
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/* If TCP is not interested in SACK blks... */
11754SKacheong.Poon@Sun.COM			if ((tcp = tcpopt->tcp) == NULL) {
11754SKacheong.Poon@Sun.COM				up += up[1];
11754SKacheong.Poon@Sun.COM				continue;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			sack_len = up[1] - TCPOPT_HEADER_LEN;
11754SKacheong.Poon@Sun.COM			up += TCPOPT_HEADER_LEN;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If the list is empty, allocate one and assume
11754SKacheong.Poon@Sun.COM			 * nothing is sack'ed.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_notsack_list == NULL) {
11754SKacheong.Poon@Sun.COM				tcp_notsack_update(&(tcp->tcp_notsack_list),
11754SKacheong.Poon@Sun.COM				    tcp->tcp_suna, tcp->tcp_snxt,
11754SKacheong.Poon@Sun.COM				    &(tcp->tcp_num_notsack_blk),
11754SKacheong.Poon@Sun.COM				    &(tcp->tcp_cnt_notsack_list));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Make sure tcp_notsack_list is not NULL.
11754SKacheong.Poon@Sun.COM				 * This happens when kmem_alloc(KM_NOSLEEP)
11754SKacheong.Poon@Sun.COM				 * returns NULL.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_notsack_list == NULL) {
11754SKacheong.Poon@Sun.COM					up += sack_len;
11754SKacheong.Poon@Sun.COM					continue;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				tcp->tcp_fack = tcp->tcp_suna;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			while (sack_len > 0) {
11754SKacheong.Poon@Sun.COM				if (up + 8 > endp) {
11754SKacheong.Poon@Sun.COM					up = endp;
11754SKacheong.Poon@Sun.COM					break;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				sack_begin = BE32_TO_U32(up);
11754SKacheong.Poon@Sun.COM				up += 4;
11754SKacheong.Poon@Sun.COM				sack_end = BE32_TO_U32(up);
11754SKacheong.Poon@Sun.COM				up += 4;
11754SKacheong.Poon@Sun.COM				sack_len -= 8;
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Bounds checking.  Make sure the SACK
11754SKacheong.Poon@Sun.COM				 * info is within tcp_suna and tcp_snxt.
11754SKacheong.Poon@Sun.COM				 * If this SACK blk is out of bound, ignore
11754SKacheong.Poon@Sun.COM				 * it but continue to parse the following
11754SKacheong.Poon@Sun.COM				 * blks.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if (SEQ_LEQ(sack_end, sack_begin) ||
11754SKacheong.Poon@Sun.COM				    SEQ_LT(sack_begin, tcp->tcp_suna) ||
11754SKacheong.Poon@Sun.COM				    SEQ_GT(sack_end, tcp->tcp_snxt)) {
11754SKacheong.Poon@Sun.COM					continue;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				tcp_notsack_insert(&(tcp->tcp_notsack_list),
11754SKacheong.Poon@Sun.COM				    sack_begin, sack_end,
11754SKacheong.Poon@Sun.COM				    &(tcp->tcp_num_notsack_blk),
11754SKacheong.Poon@Sun.COM				    &(tcp->tcp_cnt_notsack_list));
11754SKacheong.Poon@Sun.COM				if (SEQ_GT(sack_end, tcp->tcp_fack)) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_fack = sack_end;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			found |= TCP_OPT_SACK_PRESENT;
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		case TCPOPT_TSTAMP:
11754SKacheong.Poon@Sun.COM			if (len < TCPOPT_TSTAMP_LEN ||
11754SKacheong.Poon@Sun.COM			    up[1] != TCPOPT_TSTAMP_LEN)
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			tcpopt->tcp_opt_ts_val = BE32_TO_U32(up+2);
11754SKacheong.Poon@Sun.COM			tcpopt->tcp_opt_ts_ecr = BE32_TO_U32(up+6);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			found |= TCP_OPT_TSTAMP_PRESENT;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			up += TCPOPT_TSTAMP_LEN;
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		default:
11754SKacheong.Poon@Sun.COM			if (len <= 1 || len < (int)up[1] || up[1] == 0)
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			up += up[1];
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	return (found);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Process all TCP option in SYN segment.  Note that this function should
11754SKacheong.Poon@Sun.COM * be called after tcp_set_destination() is called so that the necessary info
11754SKacheong.Poon@Sun.COM * from IRE is already set in the tcp structure.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * This function sets up the correct tcp_mss value according to the
11754SKacheong.Poon@Sun.COM * MSS option value and our header size.  It also sets up the window scale
11754SKacheong.Poon@Sun.COM * and timestamp values, and initialize SACK info blocks.  But it does not
11754SKacheong.Poon@Sun.COM * change receive window size after setting the tcp_mss value.  The caller
11754SKacheong.Poon@Sun.COM * should do the appropriate change.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_process_options(tcp_t *tcp, tcpha_t *tcpha)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	int options;
11754SKacheong.Poon@Sun.COM	tcp_opt_t tcpopt;
11754SKacheong.Poon@Sun.COM	uint32_t mss_max;
11754SKacheong.Poon@Sun.COM	char *tmp_tcph;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM	conn_t		*connp = tcp->tcp_connp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcpopt.tcp = NULL;
11754SKacheong.Poon@Sun.COM	options = tcp_parse_options(tcpha, &tcpopt);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Process MSS option.  Note that MSS option value does not account
11754SKacheong.Poon@Sun.COM	 * for IP or TCP options.  This means that it is equal to MTU - minimum
11754SKacheong.Poon@Sun.COM	 * IP+TCP header size, which is 40 bytes for IPv4 and 60 bytes for
11754SKacheong.Poon@Sun.COM	 * IPv6.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (!(options & TCP_OPT_MSS_PRESENT)) {
11754SKacheong.Poon@Sun.COM		if (connp->conn_ipversion == IPV4_VERSION)
11754SKacheong.Poon@Sun.COM			tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv4;
11754SKacheong.Poon@Sun.COM		else
11754SKacheong.Poon@Sun.COM			tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv6;
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		if (connp->conn_ipversion == IPV4_VERSION)
11754SKacheong.Poon@Sun.COM			mss_max = tcps->tcps_mss_max_ipv4;
11754SKacheong.Poon@Sun.COM		else
11754SKacheong.Poon@Sun.COM			mss_max = tcps->tcps_mss_max_ipv6;
11754SKacheong.Poon@Sun.COM		if (tcpopt.tcp_opt_mss < tcps->tcps_mss_min)
11754SKacheong.Poon@Sun.COM			tcpopt.tcp_opt_mss = tcps->tcps_mss_min;
11754SKacheong.Poon@Sun.COM		else if (tcpopt.tcp_opt_mss > mss_max)
11754SKacheong.Poon@Sun.COM			tcpopt.tcp_opt_mss = mss_max;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Process Window Scale option. */
11754SKacheong.Poon@Sun.COM	if (options & TCP_OPT_WSCALE_PRESENT) {
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ws = tcpopt.tcp_opt_wscale;
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ws_ok = B_TRUE;
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ws = B_FALSE;
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ws_ok = B_FALSE;
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_ws = B_FALSE;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Process Timestamp option. */
11754SKacheong.Poon@Sun.COM	if ((options & TCP_OPT_TSTAMP_PRESENT) &&
11754SKacheong.Poon@Sun.COM	    (tcp->tcp_snd_ts_ok || TCP_IS_DETACHED(tcp))) {
11754SKacheong.Poon@Sun.COM		tmp_tcph = (char *)tcp->tcp_tcpha;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ts_ok = B_TRUE;
11754SKacheong.Poon@Sun.COM		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
11754SKacheong.Poon@Sun.COM		tcp->tcp_last_rcv_lbolt = ddi_get_lbolt64();
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(tmp_tcph));
11754SKacheong.Poon@Sun.COM		ASSERT(connp->conn_ht_ulp_len == TCP_MIN_HEADER_LENGTH);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Fill in our template header with basic timestamp option. */
11754SKacheong.Poon@Sun.COM		tmp_tcph += connp->conn_ht_ulp_len;
11754SKacheong.Poon@Sun.COM		tmp_tcph[0] = TCPOPT_NOP;
11754SKacheong.Poon@Sun.COM		tmp_tcph[1] = TCPOPT_NOP;
11754SKacheong.Poon@Sun.COM		tmp_tcph[2] = TCPOPT_TSTAMP;
11754SKacheong.Poon@Sun.COM		tmp_tcph[3] = TCPOPT_TSTAMP_LEN;
11754SKacheong.Poon@Sun.COM		connp->conn_ht_iphc_len += TCPOPT_REAL_TS_LEN;
11754SKacheong.Poon@Sun.COM		connp->conn_ht_ulp_len += TCPOPT_REAL_TS_LEN;
11754SKacheong.Poon@Sun.COM		tcp->tcp_tcpha->tha_offset_and_reserved += (3 << 4);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ts_ok = B_FALSE;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Process SACK options.  If SACK is enabled for this connection,
11754SKacheong.Poon@Sun.COM	 * then allocate the SACK info structure.  Note the following ways
11754SKacheong.Poon@Sun.COM	 * when tcp_snd_sack_ok is set to true.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * For active connection: in tcp_set_destination() called in
11754SKacheong.Poon@Sun.COM	 * tcp_connect().
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * For passive connection: in tcp_set_destination() called in
11754SKacheong.Poon@Sun.COM	 * tcp_input_listener().
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * That's the reason why the extra TCP_IS_DETACHED() check is there.
11754SKacheong.Poon@Sun.COM	 * That check makes sure that if we did not send a SACK OK option,
11754SKacheong.Poon@Sun.COM	 * we will not enable SACK for this connection even though the other
11754SKacheong.Poon@Sun.COM	 * side sends us SACK OK option.  For active connection, the SACK
11754SKacheong.Poon@Sun.COM	 * info structure has already been allocated.  So we need to free
11754SKacheong.Poon@Sun.COM	 * it if SACK is disabled.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if ((options & TCP_OPT_SACK_OK_PRESENT) &&
11754SKacheong.Poon@Sun.COM	    (tcp->tcp_snd_sack_ok ||
11754SKacheong.Poon@Sun.COM	    (tcps->tcps_sack_permitted != 0 && TCP_IS_DETACHED(tcp)))) {
12056SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_num_sack_blk == 0);
12056SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_notsack_list == NULL);
12056SKacheong.Poon@Sun.COM
12056SKacheong.Poon@Sun.COM		tcp->tcp_snd_sack_ok = B_TRUE;
12056SKacheong.Poon@Sun.COM		if (tcp->tcp_snd_ts_ok) {
12056SKacheong.Poon@Sun.COM			tcp->tcp_max_sack_blk = 3;
11754SKacheong.Poon@Sun.COM		} else {
12056SKacheong.Poon@Sun.COM			tcp->tcp_max_sack_blk = 4;
11754SKacheong.Poon@Sun.COM		}
12056SKacheong.Poon@Sun.COM	} else if (tcp->tcp_snd_sack_ok) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Resetting tcp_snd_sack_ok to B_FALSE so that
11754SKacheong.Poon@Sun.COM		 * no SACK info will be used for this
11754SKacheong.Poon@Sun.COM		 * connection.  This assumes that SACK usage
11754SKacheong.Poon@Sun.COM		 * permission is negotiated.  This may need
11754SKacheong.Poon@Sun.COM		 * to be changed once this is clarified.
11754SKacheong.Poon@Sun.COM		 */
12056SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_num_sack_blk == 0);
12056SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_notsack_list == NULL);
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_sack_ok = B_FALSE;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Now we know the exact TCP/IP header length, subtract
11754SKacheong.Poon@Sun.COM	 * that from tcp_mss to get our side's MSS.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	tcp->tcp_mss -= connp->conn_ht_iphc_len;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Here we assume that the other side's header size will be equal to
11754SKacheong.Poon@Sun.COM	 * our header size.  We calculate the real MSS accordingly.  Need to
11754SKacheong.Poon@Sun.COM	 * take into additional stuffs IPsec puts in.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * Real MSS = Opt.MSS - (our TCP/IP header - min TCP/IP header)
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	tcpopt.tcp_opt_mss -= connp->conn_ht_iphc_len +
11754SKacheong.Poon@Sun.COM	    tcp->tcp_ipsec_overhead -
11754SKacheong.Poon@Sun.COM	    ((connp->conn_ipversion == IPV4_VERSION ?
11754SKacheong.Poon@Sun.COM	    IP_SIMPLE_HDR_LENGTH : IPV6_HDR_LEN) + TCP_MIN_HEADER_LENGTH);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Set MSS to the smaller one of both ends of the connection.
11754SKacheong.Poon@Sun.COM	 * We should not have called tcp_mss_set() before, but our
11754SKacheong.Poon@Sun.COM	 * side of the MSS should have been set to a proper value
11754SKacheong.Poon@Sun.COM	 * by tcp_set_destination().  tcp_mss_set() will also set up the
11754SKacheong.Poon@Sun.COM	 * STREAM head parameters properly.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * If we have a larger-than-16-bit window but the other side
11754SKacheong.Poon@Sun.COM	 * didn't want to do window scale, tcp_rwnd_set() will take
11754SKacheong.Poon@Sun.COM	 * care of that.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Initialize tcp_cwnd value. After tcp_mss_set(), tcp_mss has been
11754SKacheong.Poon@Sun.COM	 * updated properly.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	TCP_SET_INIT_CWND(tcp, tcp->tcp_mss, tcps->tcps_slow_start_initial);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Add a new piece to the tcp reassembly queue.  If the gap at the beginning
11754SKacheong.Poon@Sun.COM * is filled, return as much as we can.  The message passed in may be
11754SKacheong.Poon@Sun.COM * multi-part, chained using b_cont.  "start" is the starting sequence
11754SKacheong.Poon@Sun.COM * number for this piece.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic mblk_t *
11754SKacheong.Poon@Sun.COMtcp_reass(tcp_t *tcp, mblk_t *mp, uint32_t start)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uint32_t	end;
11754SKacheong.Poon@Sun.COM	mblk_t		*mp1;
11754SKacheong.Poon@Sun.COM	mblk_t		*mp2;
11754SKacheong.Poon@Sun.COM	mblk_t		*next_mp;
11754SKacheong.Poon@Sun.COM	uint32_t	u1;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Walk through all the new pieces. */
11754SKacheong.Poon@Sun.COM	do {
11754SKacheong.Poon@Sun.COM		ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
11754SKacheong.Poon@Sun.COM		    (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM		end = start + (int)(mp->b_wptr - mp->b_rptr);
11754SKacheong.Poon@Sun.COM		next_mp = mp->b_cont;
11754SKacheong.Poon@Sun.COM		if (start == end) {
11754SKacheong.Poon@Sun.COM			/* Empty.  Blast it. */
11754SKacheong.Poon@Sun.COM			freeb(mp);
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp->b_cont = NULL;
11754SKacheong.Poon@Sun.COM		TCP_REASS_SET_SEQ(mp, start);
11754SKacheong.Poon@Sun.COM		TCP_REASS_SET_END(mp, end);
11754SKacheong.Poon@Sun.COM		mp1 = tcp->tcp_reass_tail;
11754SKacheong.Poon@Sun.COM		if (!mp1) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_reass_tail = mp;
11754SKacheong.Poon@Sun.COM			tcp->tcp_reass_head = mp;
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInDataUnorderSegs);
11754SKacheong.Poon@Sun.COM			TCPS_UPDATE_MIB(tcps, tcpInDataUnorderBytes,
11754SKacheong.Poon@Sun.COM			    end - start);
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/* New stuff completely beyond tail? */
11754SKacheong.Poon@Sun.COM		if (SEQ_GEQ(start, TCP_REASS_END(mp1))) {
11754SKacheong.Poon@Sun.COM			/* Link it on end. */
11754SKacheong.Poon@Sun.COM			mp1->b_cont = mp;
11754SKacheong.Poon@Sun.COM			tcp->tcp_reass_tail = mp;
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInDataUnorderSegs);
11754SKacheong.Poon@Sun.COM			TCPS_UPDATE_MIB(tcps, tcpInDataUnorderBytes,
11754SKacheong.Poon@Sun.COM			    end - start);
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp1 = tcp->tcp_reass_head;
11754SKacheong.Poon@Sun.COM		u1 = TCP_REASS_SEQ(mp1);
11754SKacheong.Poon@Sun.COM		/* New stuff at the front? */
11754SKacheong.Poon@Sun.COM		if (SEQ_LT(start, u1)) {
11754SKacheong.Poon@Sun.COM			/* Yes... Check for overlap. */
11754SKacheong.Poon@Sun.COM			mp->b_cont = mp1;
11754SKacheong.Poon@Sun.COM			tcp->tcp_reass_head = mp;
11754SKacheong.Poon@Sun.COM			tcp_reass_elim_overlap(tcp, mp);
11754SKacheong.Poon@Sun.COM			continue;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * The new piece fits somewhere between the head and tail.
11754SKacheong.Poon@Sun.COM		 * We find our slot, where mp1 precedes us and mp2 trails.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		for (; (mp2 = mp1->b_cont) != NULL; mp1 = mp2) {
11754SKacheong.Poon@Sun.COM			u1 = TCP_REASS_SEQ(mp2);
11754SKacheong.Poon@Sun.COM			if (SEQ_LEQ(start, u1))
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/* Link ourselves in */
11754SKacheong.Poon@Sun.COM		mp->b_cont = mp2;
11754SKacheong.Poon@Sun.COM		mp1->b_cont = mp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Trim overlap with following mblk(s) first */
11754SKacheong.Poon@Sun.COM		tcp_reass_elim_overlap(tcp, mp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Trim overlap with preceding mblk */
11754SKacheong.Poon@Sun.COM		tcp_reass_elim_overlap(tcp, mp1);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	} while (start = end, mp = next_mp);
11754SKacheong.Poon@Sun.COM	mp1 = tcp->tcp_reass_head;
11754SKacheong.Poon@Sun.COM	/* Anything ready to go? */
11754SKacheong.Poon@Sun.COM	if (TCP_REASS_SEQ(mp1) != tcp->tcp_rnxt)
11754SKacheong.Poon@Sun.COM		return (NULL);
11754SKacheong.Poon@Sun.COM	/* Eat what we can off the queue */
11754SKacheong.Poon@Sun.COM	for (;;) {
11754SKacheong.Poon@Sun.COM		mp = mp1->b_cont;
11754SKacheong.Poon@Sun.COM		end = TCP_REASS_END(mp1);
11754SKacheong.Poon@Sun.COM		TCP_REASS_SET_SEQ(mp1, 0);
11754SKacheong.Poon@Sun.COM		TCP_REASS_SET_END(mp1, 0);
11754SKacheong.Poon@Sun.COM		if (!mp) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_reass_tail = NULL;
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (end != TCP_REASS_SEQ(mp)) {
11754SKacheong.Poon@Sun.COM			mp1->b_cont = NULL;
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp1 = mp;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	mp1 = tcp->tcp_reass_head;
11754SKacheong.Poon@Sun.COM	tcp->tcp_reass_head = mp;
11754SKacheong.Poon@Sun.COM	return (mp1);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* Eliminate any overlap that mp may have over later mblks */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_reass_elim_overlap(tcp_t *tcp, mblk_t *mp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uint32_t	end;
11754SKacheong.Poon@Sun.COM	mblk_t		*mp1;
11754SKacheong.Poon@Sun.COM	uint32_t	u1;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	end = TCP_REASS_END(mp);
11754SKacheong.Poon@Sun.COM	while ((mp1 = mp->b_cont) != NULL) {
11754SKacheong.Poon@Sun.COM		u1 = TCP_REASS_SEQ(mp1);
11754SKacheong.Poon@Sun.COM		if (!SEQ_GT(end, u1))
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		if (!SEQ_GEQ(end, TCP_REASS_END(mp1))) {
11754SKacheong.Poon@Sun.COM			mp->b_wptr -= end - u1;
11754SKacheong.Poon@Sun.COM			TCP_REASS_SET_END(mp, u1);
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInDataPartDupSegs);
11754SKacheong.Poon@Sun.COM			TCPS_UPDATE_MIB(tcps, tcpInDataPartDupBytes,
11754SKacheong.Poon@Sun.COM			    end - u1);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp->b_cont = mp1->b_cont;
11754SKacheong.Poon@Sun.COM		TCP_REASS_SET_SEQ(mp1, 0);
11754SKacheong.Poon@Sun.COM		TCP_REASS_SET_END(mp1, 0);
11754SKacheong.Poon@Sun.COM		freeb(mp1);
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpInDataDupSegs);
11754SKacheong.Poon@Sun.COM		TCPS_UPDATE_MIB(tcps, tcpInDataDupBytes, end - u1);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (!mp1)
11754SKacheong.Poon@Sun.COM		tcp->tcp_reass_tail = mp;
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * This function does PAWS protection check. Returns B_TRUE if the
11754SKacheong.Poon@Sun.COM * segment passes the PAWS test, else returns B_FALSE.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMboolean_t
11754SKacheong.Poon@Sun.COMtcp_paws_check(tcp_t *tcp, tcpha_t *tcpha, tcp_opt_t *tcpoptp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uint8_t	flags;
11754SKacheong.Poon@Sun.COM	int	options;
11754SKacheong.Poon@Sun.COM	uint8_t *up;
11754SKacheong.Poon@Sun.COM	conn_t	*connp = tcp->tcp_connp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	flags = (unsigned int)tcpha->tha_flags & 0xFF;
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If timestamp option is aligned nicely, get values inline,
11754SKacheong.Poon@Sun.COM	 * otherwise call general routine to parse.  Only do that
11754SKacheong.Poon@Sun.COM	 * if timestamp is the only option.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (TCP_HDR_LENGTH(tcpha) == (uint32_t)TCP_MIN_HEADER_LENGTH +
11754SKacheong.Poon@Sun.COM	    TCPOPT_REAL_TS_LEN &&
11754SKacheong.Poon@Sun.COM	    OK_32PTR((up = ((uint8_t *)tcpha) +
11754SKacheong.Poon@Sun.COM	    TCP_MIN_HEADER_LENGTH)) &&
11754SKacheong.Poon@Sun.COM	    *(uint32_t *)up == TCPOPT_NOP_NOP_TSTAMP) {
11754SKacheong.Poon@Sun.COM		tcpoptp->tcp_opt_ts_val = ABE32_TO_U32((up+4));
11754SKacheong.Poon@Sun.COM		tcpoptp->tcp_opt_ts_ecr = ABE32_TO_U32((up+8));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		options = TCP_OPT_TSTAMP_PRESENT;
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_snd_sack_ok) {
11754SKacheong.Poon@Sun.COM			tcpoptp->tcp = tcp;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			tcpoptp->tcp = NULL;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		options = tcp_parse_options(tcpha, tcpoptp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (options & TCP_OPT_TSTAMP_PRESENT) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Do PAWS per RFC 1323 section 4.2.  Accept RST
11754SKacheong.Poon@Sun.COM		 * regardless of the timestamp, page 18 RFC 1323.bis.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if ((flags & TH_RST) == 0 &&
11754SKacheong.Poon@Sun.COM		    TSTMP_LT(tcpoptp->tcp_opt_ts_val,
11754SKacheong.Poon@Sun.COM		    tcp->tcp_ts_recent)) {
12806SGeorge.Shepherd@Sun.COM			if (LBOLT_FASTPATH64 <
12806SGeorge.Shepherd@Sun.COM			    (tcp->tcp_last_rcv_lbolt + PAWS_TIMEOUT)) {
11754SKacheong.Poon@Sun.COM				/* This segment is not acceptable. */
11754SKacheong.Poon@Sun.COM				return (B_FALSE);
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Connection has been idle for
11754SKacheong.Poon@Sun.COM				 * too long.  Reset the timestamp
11754SKacheong.Poon@Sun.COM				 * and assume the segment is valid.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp->tcp_ts_recent =
11754SKacheong.Poon@Sun.COM				    tcpoptp->tcp_opt_ts_val;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If we don't get a timestamp on every packet, we
11754SKacheong.Poon@Sun.COM		 * figure we can't really trust 'em, so we stop sending
11754SKacheong.Poon@Sun.COM		 * and parsing them.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		tcp->tcp_snd_ts_ok = B_FALSE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		connp->conn_ht_iphc_len -= TCPOPT_REAL_TS_LEN;
11754SKacheong.Poon@Sun.COM		connp->conn_ht_ulp_len -= TCPOPT_REAL_TS_LEN;
11754SKacheong.Poon@Sun.COM		tcp->tcp_tcpha->tha_offset_and_reserved -= (3 << 4);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Adjust the tcp_mss and tcp_cwnd accordingly. We avoid
11754SKacheong.Poon@Sun.COM		 * doing a slow start here so as to not to lose on the
11754SKacheong.Poon@Sun.COM		 * transfer rate built up so far.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		tcp_mss_set(tcp, tcp->tcp_mss + TCPOPT_REAL_TS_LEN);
12056SKacheong.Poon@Sun.COM		if (tcp->tcp_snd_sack_ok)
11754SKacheong.Poon@Sun.COM			tcp->tcp_max_sack_blk = 4;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	return (B_TRUE);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Defense for the SYN attack -
11754SKacheong.Poon@Sun.COM * 1. When q0 is full, drop from the tail (tcp_eager_prev_drop_q0) the oldest
11754SKacheong.Poon@Sun.COM *    one from the list of droppable eagers. This list is a subset of q0.
11754SKacheong.Poon@Sun.COM *    see comments before the definition of MAKE_DROPPABLE().
11754SKacheong.Poon@Sun.COM * 2. Don't drop a SYN request before its first timeout. This gives every
11754SKacheong.Poon@Sun.COM *    request at least til the first timeout to complete its 3-way handshake.
11754SKacheong.Poon@Sun.COM * 3. Maintain tcp_syn_rcvd_timeout as an accurate count of how many
11754SKacheong.Poon@Sun.COM *    requests currently on the queue that has timed out. This will be used
11754SKacheong.Poon@Sun.COM *    as an indicator of whether an attack is under way, so that appropriate
11754SKacheong.Poon@Sun.COM *    actions can be taken. (It's incremented in tcp_timer() and decremented
11754SKacheong.Poon@Sun.COM *    either when eager goes into ESTABLISHED, or gets freed up.)
11754SKacheong.Poon@Sun.COM * 4. The current threshold is - # of timeout > q0len/4 => SYN alert on
11754SKacheong.Poon@Sun.COM *    # of timeout drops back to <= q0len/32 => SYN alert off
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic boolean_t
11754SKacheong.Poon@Sun.COMtcp_drop_q0(tcp_t *tcp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcp_t	*eager;
11754SKacheong.Poon@Sun.COM	mblk_t	*mp;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(MUTEX_HELD(&tcp->tcp_eager_lock));
11754SKacheong.Poon@Sun.COM	ASSERT(tcp->tcp_eager_next_q0 != tcp->tcp_eager_prev_q0);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Pick oldest eager from the list of droppable eagers */
11754SKacheong.Poon@Sun.COM	eager = tcp->tcp_eager_prev_drop_q0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* If list is empty. return B_FALSE */
11754SKacheong.Poon@Sun.COM	if (eager == tcp) {
11754SKacheong.Poon@Sun.COM		return (B_FALSE);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* If allocated, the mp will be freed in tcp_clean_death_wrapper() */
11754SKacheong.Poon@Sun.COM	if ((mp = allocb(0, BPRI_HI)) == NULL)
11754SKacheong.Poon@Sun.COM		return (B_FALSE);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Take this eager out from the list of droppable eagers since we are
11754SKacheong.Poon@Sun.COM	 * going to drop it.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	MAKE_UNDROPPABLE(eager);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_connp->conn_debug) {
11754SKacheong.Poon@Sun.COM		(void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
11754SKacheong.Poon@Sun.COM		    "tcp_drop_q0: listen half-open queue (max=%d) overflow"
11754SKacheong.Poon@Sun.COM		    " (%d pending) on %s, drop one", tcps->tcps_conn_req_max_q0,
11754SKacheong.Poon@Sun.COM		    tcp->tcp_conn_req_cnt_q0,
11754SKacheong.Poon@Sun.COM		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	TCPS_BUMP_MIB(tcps, tcpHalfOpenDrop);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Put a reference on the conn as we are enqueueing it in the sqeue */
11754SKacheong.Poon@Sun.COM	CONN_INC_REF(eager->tcp_connp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
11754SKacheong.Poon@Sun.COM	    tcp_clean_death_wrapper, eager->tcp_connp, NULL,
11754SKacheong.Poon@Sun.COM	    SQ_FILL, SQTAG_TCP_DROP_Q0);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	return (B_TRUE);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Handle a SYN on an AF_INET6 socket; can be either IPv4 or IPv6
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic mblk_t *
11754SKacheong.Poon@Sun.COMtcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
11754SKacheong.Poon@Sun.COM    ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcp_t 		*ltcp = lconnp->conn_tcp;
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM	mblk_t		*tpi_mp;
11754SKacheong.Poon@Sun.COM	ipha_t		*ipha;
11754SKacheong.Poon@Sun.COM	ip6_t		*ip6h;
11754SKacheong.Poon@Sun.COM	sin6_t 		sin6;
11754SKacheong.Poon@Sun.COM	uint_t		ifindex = ira->ira_ruifindex;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (ira->ira_flags & IRAF_IS_IPV4) {
11754SKacheong.Poon@Sun.COM		ipha = (ipha_t *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		connp->conn_ipversion = IPV4_VERSION;
11754SKacheong.Poon@Sun.COM		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
11754SKacheong.Poon@Sun.COM		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
11754SKacheong.Poon@Sun.COM		connp->conn_saddr_v6 = connp->conn_laddr_v6;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		sin6 = sin6_null;
11754SKacheong.Poon@Sun.COM		sin6.sin6_addr = connp->conn_faddr_v6;
11754SKacheong.Poon@Sun.COM		sin6.sin6_port = connp->conn_fport;
11754SKacheong.Poon@Sun.COM		sin6.sin6_family = AF_INET6;
11754SKacheong.Poon@Sun.COM		sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
11754SKacheong.Poon@Sun.COM		    IPCL_ZONEID(lconnp), tcps->tcps_netstack);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (connp->conn_recv_ancillary.crb_recvdstaddr) {
11754SKacheong.Poon@Sun.COM			sin6_t	sin6d;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			sin6d = sin6_null;
11754SKacheong.Poon@Sun.COM			sin6d.sin6_addr = connp->conn_laddr_v6;
11754SKacheong.Poon@Sun.COM			sin6d.sin6_port = connp->conn_lport;
11754SKacheong.Poon@Sun.COM			sin6d.sin6_family = AF_INET;
11754SKacheong.Poon@Sun.COM			tpi_mp = mi_tpi_extconn_ind(NULL,
11754SKacheong.Poon@Sun.COM			    (char *)&sin6d, sizeof (sin6_t),
11754SKacheong.Poon@Sun.COM			    (char *)&tcp,
11754SKacheong.Poon@Sun.COM			    (t_scalar_t)sizeof (intptr_t),
11754SKacheong.Poon@Sun.COM			    (char *)&sin6d, sizeof (sin6_t),
11754SKacheong.Poon@Sun.COM			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			tpi_mp = mi_tpi_conn_ind(NULL,
11754SKacheong.Poon@Sun.COM			    (char *)&sin6, sizeof (sin6_t),
11754SKacheong.Poon@Sun.COM			    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
11754SKacheong.Poon@Sun.COM			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		ip6h = (ip6_t *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		connp->conn_ipversion = IPV6_VERSION;
11754SKacheong.Poon@Sun.COM		connp->conn_laddr_v6 = ip6h->ip6_dst;
11754SKacheong.Poon@Sun.COM		connp->conn_faddr_v6 = ip6h->ip6_src;
11754SKacheong.Poon@Sun.COM		connp->conn_saddr_v6 = connp->conn_laddr_v6;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		sin6 = sin6_null;
11754SKacheong.Poon@Sun.COM		sin6.sin6_addr = connp->conn_faddr_v6;
11754SKacheong.Poon@Sun.COM		sin6.sin6_port = connp->conn_fport;
11754SKacheong.Poon@Sun.COM		sin6.sin6_family = AF_INET6;
11754SKacheong.Poon@Sun.COM		sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
11754SKacheong.Poon@Sun.COM		sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
11754SKacheong.Poon@Sun.COM		    IPCL_ZONEID(lconnp), tcps->tcps_netstack);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src)) {
11754SKacheong.Poon@Sun.COM			/* Pass up the scope_id of remote addr */
11754SKacheong.Poon@Sun.COM			sin6.sin6_scope_id = ifindex;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			sin6.sin6_scope_id = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (connp->conn_recv_ancillary.crb_recvdstaddr) {
11754SKacheong.Poon@Sun.COM			sin6_t	sin6d;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			sin6d = sin6_null;
11754SKacheong.Poon@Sun.COM			sin6.sin6_addr = connp->conn_laddr_v6;
11754SKacheong.Poon@Sun.COM			sin6d.sin6_port = connp->conn_lport;
11754SKacheong.Poon@Sun.COM			sin6d.sin6_family = AF_INET6;
11754SKacheong.Poon@Sun.COM			if (IN6_IS_ADDR_LINKSCOPE(&connp->conn_laddr_v6))
11754SKacheong.Poon@Sun.COM				sin6d.sin6_scope_id = ifindex;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			tpi_mp = mi_tpi_extconn_ind(NULL,
11754SKacheong.Poon@Sun.COM			    (char *)&sin6d, sizeof (sin6_t),
11754SKacheong.Poon@Sun.COM			    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
11754SKacheong.Poon@Sun.COM			    (char *)&sin6d, sizeof (sin6_t),
11754SKacheong.Poon@Sun.COM			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			tpi_mp = mi_tpi_conn_ind(NULL,
11754SKacheong.Poon@Sun.COM			    (char *)&sin6, sizeof (sin6_t),
11754SKacheong.Poon@Sun.COM			    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
11754SKacheong.Poon@Sun.COM			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcp->tcp_mss = tcps->tcps_mss_def_ipv6;
11754SKacheong.Poon@Sun.COM	return (tpi_mp);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* Handle a SYN on an AF_INET socket */
11754SKacheong.Poon@Sun.COMstatic mblk_t *
11754SKacheong.Poon@Sun.COMtcp_conn_create_v4(conn_t *lconnp, conn_t *connp, mblk_t *mp,
11754SKacheong.Poon@Sun.COM    ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcp_t 		*ltcp = lconnp->conn_tcp;
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM	sin_t		sin;
11754SKacheong.Poon@Sun.COM	mblk_t		*tpi_mp = NULL;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM	ipha_t		*ipha;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(ira->ira_flags & IRAF_IS_IPV4);
11754SKacheong.Poon@Sun.COM	ipha = (ipha_t *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	connp->conn_ipversion = IPV4_VERSION;
11754SKacheong.Poon@Sun.COM	IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
11754SKacheong.Poon@Sun.COM	IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
11754SKacheong.Poon@Sun.COM	connp->conn_saddr_v6 = connp->conn_laddr_v6;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	sin = sin_null;
11754SKacheong.Poon@Sun.COM	sin.sin_addr.s_addr = connp->conn_faddr_v4;
11754SKacheong.Poon@Sun.COM	sin.sin_port = connp->conn_fport;
11754SKacheong.Poon@Sun.COM	sin.sin_family = AF_INET;
11754SKacheong.Poon@Sun.COM	if (lconnp->conn_recv_ancillary.crb_recvdstaddr) {
11754SKacheong.Poon@Sun.COM		sin_t	sind;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		sind = sin_null;
11754SKacheong.Poon@Sun.COM		sind.sin_addr.s_addr = connp->conn_laddr_v4;
11754SKacheong.Poon@Sun.COM		sind.sin_port = connp->conn_lport;
11754SKacheong.Poon@Sun.COM		sind.sin_family = AF_INET;
11754SKacheong.Poon@Sun.COM		tpi_mp = mi_tpi_extconn_ind(NULL,
11754SKacheong.Poon@Sun.COM		    (char *)&sind, sizeof (sin_t), (char *)&tcp,
11754SKacheong.Poon@Sun.COM		    (t_scalar_t)sizeof (intptr_t), (char *)&sind,
11754SKacheong.Poon@Sun.COM		    sizeof (sin_t), (t_scalar_t)ltcp->tcp_conn_req_seqnum);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tpi_mp = mi_tpi_conn_ind(NULL,
11754SKacheong.Poon@Sun.COM		    (char *)&sin, sizeof (sin_t),
11754SKacheong.Poon@Sun.COM		    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
11754SKacheong.Poon@Sun.COM		    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcp->tcp_mss = tcps->tcps_mss_def_ipv4;
11754SKacheong.Poon@Sun.COM	return (tpi_mp);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Called via squeue to get on to eager's perimeter. It sends a
11754SKacheong.Poon@Sun.COM * TH_RST if eager is in the fanout table. The listener wants the
11754SKacheong.Poon@Sun.COM * eager to disappear either by means of tcp_eager_blowoff() or
11754SKacheong.Poon@Sun.COM * tcp_eager_cleanup() being called. tcp_eager_kill() can also be
11754SKacheong.Poon@Sun.COM * called (via squeue) if the eager cannot be inserted in the
11754SKacheong.Poon@Sun.COM * fanout table in tcp_input_listener().
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM/* ARGSUSED */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_eager_kill(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	conn_t	*econnp = (conn_t *)arg;
11754SKacheong.Poon@Sun.COM	tcp_t	*eager = econnp->conn_tcp;
11754SKacheong.Poon@Sun.COM	tcp_t	*listener = eager->tcp_listener;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * We could be called because listener is closing. Since
11754SKacheong.Poon@Sun.COM	 * the eager was using listener's queue's, we avoid
11754SKacheong.Poon@Sun.COM	 * using the listeners queues from now on.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	ASSERT(eager->tcp_detached);
11754SKacheong.Poon@Sun.COM	econnp->conn_rq = NULL;
11754SKacheong.Poon@Sun.COM	econnp->conn_wq = NULL;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * An eager's conn_fanout will be NULL if it's a duplicate
11754SKacheong.Poon@Sun.COM	 * for an existing 4-tuples in the conn fanout table.
11754SKacheong.Poon@Sun.COM	 * We don't want to send an RST out in such case.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (econnp->conn_fanout != NULL && eager->tcp_state > TCPS_LISTEN) {
11754SKacheong.Poon@Sun.COM		tcp_xmit_ctl("tcp_eager_kill, can't wait",
11754SKacheong.Poon@Sun.COM		    eager, eager->tcp_snxt, 0, TH_RST);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* We are here because listener wants this eager gone */
11754SKacheong.Poon@Sun.COM	if (listener != NULL) {
11754SKacheong.Poon@Sun.COM		mutex_enter(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM		tcp_eager_unlink(eager);
11754SKacheong.Poon@Sun.COM		if (eager->tcp_tconnind_started) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * The eager has sent a conn_ind up to the
11754SKacheong.Poon@Sun.COM			 * listener but listener decides to close
11754SKacheong.Poon@Sun.COM			 * instead. We need to drop the extra ref
11754SKacheong.Poon@Sun.COM			 * placed on eager in tcp_input_data() before
11754SKacheong.Poon@Sun.COM			 * sending the conn_ind to listener.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			CONN_DEC_REF(econnp);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM		CONN_DEC_REF(listener->tcp_connp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (eager->tcp_state != TCPS_CLOSED)
11754SKacheong.Poon@Sun.COM		tcp_close_detached(eager);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Reset any eager connection hanging off this listener marked
11754SKacheong.Poon@Sun.COM * with 'seqnum' and then reclaim it's resources.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMboolean_t
11754SKacheong.Poon@Sun.COMtcp_eager_blowoff(tcp_t	*listener, t_scalar_t seqnum)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcp_t	*eager;
11754SKacheong.Poon@Sun.COM	mblk_t 	*mp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	eager = listener;
11754SKacheong.Poon@Sun.COM	mutex_enter(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM	do {
11754SKacheong.Poon@Sun.COM		eager = eager->tcp_eager_next_q;
11754SKacheong.Poon@Sun.COM		if (eager == NULL) {
11754SKacheong.Poon@Sun.COM			mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM			return (B_FALSE);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} while (eager->tcp_conn_req_seqnum != seqnum);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (eager->tcp_closemp_used) {
11754SKacheong.Poon@Sun.COM		mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM		return (B_TRUE);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	eager->tcp_closemp_used = B_TRUE;
11754SKacheong.Poon@Sun.COM	TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
11754SKacheong.Poon@Sun.COM	CONN_INC_REF(eager->tcp_connp);
11754SKacheong.Poon@Sun.COM	mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM	mp = &eager->tcp_closemp;
11754SKacheong.Poon@Sun.COM	SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp, tcp_eager_kill,
11754SKacheong.Poon@Sun.COM	    eager->tcp_connp, NULL, SQ_FILL, SQTAG_TCP_EAGER_BLOWOFF);
11754SKacheong.Poon@Sun.COM	return (B_TRUE);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Reset any eager connection hanging off this listener
11754SKacheong.Poon@Sun.COM * and then reclaim it's resources.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_eager_cleanup(tcp_t *listener, boolean_t q0_only)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcp_t	*eager;
11754SKacheong.Poon@Sun.COM	mblk_t	*mp;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = listener->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(MUTEX_HELD(&listener->tcp_eager_lock));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (!q0_only) {
11754SKacheong.Poon@Sun.COM		/* First cleanup q */
11754SKacheong.Poon@Sun.COM		TCP_STAT(tcps, tcp_eager_blowoff_q);
11754SKacheong.Poon@Sun.COM		eager = listener->tcp_eager_next_q;
11754SKacheong.Poon@Sun.COM		while (eager != NULL) {
11754SKacheong.Poon@Sun.COM			if (!eager->tcp_closemp_used) {
11754SKacheong.Poon@Sun.COM				eager->tcp_closemp_used = B_TRUE;
11754SKacheong.Poon@Sun.COM				TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
11754SKacheong.Poon@Sun.COM				CONN_INC_REF(eager->tcp_connp);
11754SKacheong.Poon@Sun.COM				mp = &eager->tcp_closemp;
11754SKacheong.Poon@Sun.COM				SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
11754SKacheong.Poon@Sun.COM				    tcp_eager_kill, eager->tcp_connp, NULL,
11754SKacheong.Poon@Sun.COM				    SQ_FILL, SQTAG_TCP_EAGER_CLEANUP);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			eager = eager->tcp_eager_next_q;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* Then cleanup q0 */
11754SKacheong.Poon@Sun.COM	TCP_STAT(tcps, tcp_eager_blowoff_q0);
11754SKacheong.Poon@Sun.COM	eager = listener->tcp_eager_next_q0;
11754SKacheong.Poon@Sun.COM	while (eager != listener) {
11754SKacheong.Poon@Sun.COM		if (!eager->tcp_closemp_used) {
11754SKacheong.Poon@Sun.COM			eager->tcp_closemp_used = B_TRUE;
11754SKacheong.Poon@Sun.COM			TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
11754SKacheong.Poon@Sun.COM			CONN_INC_REF(eager->tcp_connp);
11754SKacheong.Poon@Sun.COM			mp = &eager->tcp_closemp;
11754SKacheong.Poon@Sun.COM			SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
11754SKacheong.Poon@Sun.COM			    tcp_eager_kill, eager->tcp_connp, NULL, SQ_FILL,
11754SKacheong.Poon@Sun.COM			    SQTAG_TCP_EAGER_CLEANUP_Q0);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		eager = eager->tcp_eager_next_q0;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * If we are an eager connection hanging off a listener that hasn't
11754SKacheong.Poon@Sun.COM * formally accepted the connection yet, get off his list and blow off
11754SKacheong.Poon@Sun.COM * any data that we have accumulated.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_eager_unlink(tcp_t *tcp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcp_t	*listener = tcp->tcp_listener;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(listener != NULL);
11754SKacheong.Poon@Sun.COM	ASSERT(MUTEX_HELD(&listener->tcp_eager_lock));
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_eager_next_q0 != NULL) {
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_eager_prev_q0 != NULL);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Remove the eager tcp from q0 */
11754SKacheong.Poon@Sun.COM		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
11754SKacheong.Poon@Sun.COM		    tcp->tcp_eager_prev_q0;
11754SKacheong.Poon@Sun.COM		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
11754SKacheong.Poon@Sun.COM		    tcp->tcp_eager_next_q0;
11754SKacheong.Poon@Sun.COM		ASSERT(listener->tcp_conn_req_cnt_q0 > 0);
11754SKacheong.Poon@Sun.COM		listener->tcp_conn_req_cnt_q0--;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		tcp->tcp_eager_next_q0 = NULL;
11754SKacheong.Poon@Sun.COM		tcp->tcp_eager_prev_q0 = NULL;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Take the eager out, if it is in the list of droppable
11754SKacheong.Poon@Sun.COM		 * eagers.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		MAKE_UNDROPPABLE(tcp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_syn_rcvd_timeout != 0) {
11754SKacheong.Poon@Sun.COM			/* we have timed out before */
11754SKacheong.Poon@Sun.COM			ASSERT(listener->tcp_syn_rcvd_timeout > 0);
11754SKacheong.Poon@Sun.COM			listener->tcp_syn_rcvd_timeout--;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tcp_t   **tcpp = &listener->tcp_eager_next_q;
11754SKacheong.Poon@Sun.COM		tcp_t	*prev = NULL;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		for (; tcpp[0]; tcpp = &tcpp[0]->tcp_eager_next_q) {
11754SKacheong.Poon@Sun.COM			if (tcpp[0] == tcp) {
11754SKacheong.Poon@Sun.COM				if (listener->tcp_eager_last_q == tcp) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * If we are unlinking the last
11754SKacheong.Poon@Sun.COM					 * element on the list, adjust
11754SKacheong.Poon@Sun.COM					 * tail pointer. Set tail pointer
11754SKacheong.Poon@Sun.COM					 * to nil when list is empty.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					ASSERT(tcp->tcp_eager_next_q == NULL);
11754SKacheong.Poon@Sun.COM					if (listener->tcp_eager_last_q ==
11754SKacheong.Poon@Sun.COM					    listener->tcp_eager_next_q) {
11754SKacheong.Poon@Sun.COM						listener->tcp_eager_last_q =
11754SKacheong.Poon@Sun.COM						    NULL;
11754SKacheong.Poon@Sun.COM					} else {
11754SKacheong.Poon@Sun.COM						/*
11754SKacheong.Poon@Sun.COM						 * We won't get here if there
11754SKacheong.Poon@Sun.COM						 * is only one eager in the
11754SKacheong.Poon@Sun.COM						 * list.
11754SKacheong.Poon@Sun.COM						 */
11754SKacheong.Poon@Sun.COM						ASSERT(prev != NULL);
11754SKacheong.Poon@Sun.COM						listener->tcp_eager_last_q =
11754SKacheong.Poon@Sun.COM						    prev;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				tcpp[0] = tcp->tcp_eager_next_q;
11754SKacheong.Poon@Sun.COM				tcp->tcp_eager_next_q = NULL;
11754SKacheong.Poon@Sun.COM				tcp->tcp_eager_last_q = NULL;
11754SKacheong.Poon@Sun.COM				ASSERT(listener->tcp_conn_req_cnt_q > 0);
11754SKacheong.Poon@Sun.COM				listener->tcp_conn_req_cnt_q--;
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			prev = tcpp[0];
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	tcp->tcp_listener = NULL;
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* BEGIN CSTYLED */
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The sockfs ACCEPT path:
11754SKacheong.Poon@Sun.COM * =======================
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The eager is now established in its own perimeter as soon as SYN is
11754SKacheong.Poon@Sun.COM * received in tcp_input_listener(). When sockfs receives conn_ind, it
11754SKacheong.Poon@Sun.COM * completes the accept processing on the acceptor STREAM. The sending
11754SKacheong.Poon@Sun.COM * of conn_ind part is common for both sockfs listener and a TLI/XTI
11754SKacheong.Poon@Sun.COM * listener but a TLI/XTI listener completes the accept processing
11754SKacheong.Poon@Sun.COM * on the listener perimeter.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Common control flow for 3 way handshake:
11754SKacheong.Poon@Sun.COM * ----------------------------------------
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * incoming SYN (listener perimeter)	-> tcp_input_listener()
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * incoming SYN-ACK-ACK (eager perim) 	-> tcp_input_data()
11754SKacheong.Poon@Sun.COM * send T_CONN_IND (listener perim)	-> tcp_send_conn_ind()
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Sockfs ACCEPT Path:
11754SKacheong.Poon@Sun.COM * -------------------
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * open acceptor stream (tcp_open allocates tcp_tli_accept()
11754SKacheong.Poon@Sun.COM * as STREAM entry point)
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * soaccept() sends T_CONN_RES on the acceptor STREAM to tcp_tli_accept()
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * tcp_tli_accept() extracts the eager and makes the q->q_ptr <-> eager
11754SKacheong.Poon@Sun.COM * association (we are not behind eager's squeue but sockfs is protecting us
11754SKacheong.Poon@Sun.COM * and no one knows about this stream yet. The STREAMS entry point q->q_info
11754SKacheong.Poon@Sun.COM * is changed to point at tcp_wput().
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * tcp_accept_common() sends any deferred eagers via tcp_send_pending() to
11754SKacheong.Poon@Sun.COM * listener (done on listener's perimeter).
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * tcp_tli_accept() calls tcp_accept_finish() on eagers perimeter to finish
11754SKacheong.Poon@Sun.COM * accept.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * TLI/XTI client ACCEPT path:
11754SKacheong.Poon@Sun.COM * ---------------------------
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * soaccept() sends T_CONN_RES on the listener STREAM.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * tcp_tli_accept() -> tcp_accept_swap() complete the processing and send
11754SKacheong.Poon@Sun.COM * a M_SETOPS mblk to eager perimeter to finish accept (tcp_accept_finish()).
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Locks:
11754SKacheong.Poon@Sun.COM * ======
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * listener->tcp_eager_lock protects the listeners->tcp_eager_next_q0 and
11754SKacheong.Poon@Sun.COM * and listeners->tcp_eager_next_q.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Referencing:
11754SKacheong.Poon@Sun.COM * ============
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * 1) We start out in tcp_input_listener by eager placing a ref on
11754SKacheong.Poon@Sun.COM * listener and listener adding eager to listeners->tcp_eager_next_q0.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * 2) When a SYN-ACK-ACK arrives, we send the conn_ind to listener. Before
11754SKacheong.Poon@Sun.COM * doing so we place a ref on the eager. This ref is finally dropped at the
11754SKacheong.Poon@Sun.COM * end of tcp_accept_finish() while unwinding from the squeue, i.e. the
11754SKacheong.Poon@Sun.COM * reference is dropped by the squeue framework.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * 3) The ref on listener placed in 1 above is dropped in tcp_accept_finish
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The reference must be released by the same entity that added the reference
11754SKacheong.Poon@Sun.COM * In the above scheme, the eager is the entity that adds and releases the
11754SKacheong.Poon@Sun.COM * references. Note that tcp_accept_finish executes in the squeue of the eager
11754SKacheong.Poon@Sun.COM * (albeit after it is attached to the acceptor stream). Though 1. executes
11754SKacheong.Poon@Sun.COM * in the listener's squeue, the eager is nascent at this point and the
11754SKacheong.Poon@Sun.COM * reference can be considered to have been added on behalf of the eager.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Eager getting a Reset or listener closing:
11754SKacheong.Poon@Sun.COM * ==========================================
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Once the listener and eager are linked, the listener never does the unlink.
11754SKacheong.Poon@Sun.COM * If the listener needs to close, tcp_eager_cleanup() is called which queues
11754SKacheong.Poon@Sun.COM * a message on all eager perimeter. The eager then does the unlink, clears
11754SKacheong.Poon@Sun.COM * any pointers to the listener's queue and drops the reference to the
11754SKacheong.Poon@Sun.COM * listener. The listener waits in tcp_close outside the squeue until its
11754SKacheong.Poon@Sun.COM * refcount has dropped to 1. This ensures that the listener has waited for
11754SKacheong.Poon@Sun.COM * all eagers to clear their association with the listener.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Similarly, if eager decides to go away, it can unlink itself and close.
11754SKacheong.Poon@Sun.COM * When the T_CONN_RES comes down, we check if eager has closed. Note that
11754SKacheong.Poon@Sun.COM * the reference to eager is still valid because of the extra ref we put
11754SKacheong.Poon@Sun.COM * in tcp_send_conn_ind.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Listener can always locate the eager under the protection
11754SKacheong.Poon@Sun.COM * of the listener->tcp_eager_lock, and then do a refhold
11754SKacheong.Poon@Sun.COM * on the eager during the accept processing.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The acceptor stream accesses the eager in the accept processing
11754SKacheong.Poon@Sun.COM * based on the ref placed on eager before sending T_conn_ind.
11754SKacheong.Poon@Sun.COM * The only entity that can negate this refhold is a listener close
11754SKacheong.Poon@Sun.COM * which is mutually exclusive with an active acceptor stream.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Eager's reference on the listener
11754SKacheong.Poon@Sun.COM * ===================================
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * If the accept happens (even on a closed eager) the eager drops its
11754SKacheong.Poon@Sun.COM * reference on the listener at the start of tcp_accept_finish. If the
11754SKacheong.Poon@Sun.COM * eager is killed due to an incoming RST before the T_conn_ind is sent up,
11754SKacheong.Poon@Sun.COM * the reference is dropped in tcp_closei_local. If the listener closes,
11754SKacheong.Poon@Sun.COM * the reference is dropped in tcp_eager_kill. In all cases the reference
11754SKacheong.Poon@Sun.COM * is dropped while executing in the eager's context (squeue).
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM/* END CSTYLED */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* Process the SYN packet, mp, directed at the listener 'tcp' */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * THIS FUNCTION IS DIRECTLY CALLED BY IP VIA SQUEUE FOR SYN.
11754SKacheong.Poon@Sun.COM * tcp_input_data will not see any packets for listeners since the listener
11754SKacheong.Poon@Sun.COM * has conn_recv set to tcp_input_listener.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM/* ARGSUSED */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_input_listener(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcpha_t		*tcpha;
11754SKacheong.Poon@Sun.COM	uint32_t	seg_seq;
11754SKacheong.Poon@Sun.COM	tcp_t		*eager;
11754SKacheong.Poon@Sun.COM	int		err;
11754SKacheong.Poon@Sun.COM	conn_t		*econnp = NULL;
11754SKacheong.Poon@Sun.COM	squeue_t	*new_sqp;
11754SKacheong.Poon@Sun.COM	mblk_t		*mp1;
11754SKacheong.Poon@Sun.COM	uint_t 		ip_hdr_len;
11754SKacheong.Poon@Sun.COM	conn_t		*lconnp = (conn_t *)arg;
11754SKacheong.Poon@Sun.COM	tcp_t		*listener = lconnp->conn_tcp;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = listener->tcp_tcps;
11754SKacheong.Poon@Sun.COM	ip_stack_t	*ipst = tcps->tcps_netstack->netstack_ip;
11754SKacheong.Poon@Sun.COM	uint_t		flags;
11754SKacheong.Poon@Sun.COM	mblk_t		*tpi_mp;
11754SKacheong.Poon@Sun.COM	uint_t		ifindex = ira->ira_ruifindex;
11754SKacheong.Poon@Sun.COM	boolean_t	tlc_set = B_FALSE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ip_hdr_len = ira->ira_ip_hdr_length;
11754SKacheong.Poon@Sun.COM	tcpha = (tcpha_t *)&mp->b_rptr[ip_hdr_len];
11754SKacheong.Poon@Sun.COM	flags = (unsigned int)tcpha->tha_flags & 0xFF;
11754SKacheong.Poon@Sun.COM
12507SAlan.Maguire@Sun.COM	DTRACE_TCP5(receive, mblk_t *, NULL, ip_xmit_attr_t *, lconnp->conn_ixa,
12507SAlan.Maguire@Sun.COM	    __dtrace_tcp_void_ip_t *, mp->b_rptr, tcp_t *, listener,
12507SAlan.Maguire@Sun.COM	    __dtrace_tcp_tcph_t *, tcpha);
12507SAlan.Maguire@Sun.COM
11754SKacheong.Poon@Sun.COM	if (!(flags & TH_SYN)) {
11754SKacheong.Poon@Sun.COM		if ((flags & TH_RST) || (flags & TH_URG)) {
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (flags & TH_ACK) {
11754SKacheong.Poon@Sun.COM			/* Note this executes in listener's squeue */
11754SKacheong.Poon@Sun.COM			tcp_xmit_listeners_reset(mp, ira, ipst, lconnp);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (listener->tcp_state != TCPS_LISTEN)
11754SKacheong.Poon@Sun.COM		goto error2;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(IPCL_IS_BOUND(lconnp));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	mutex_enter(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * The system is under memory pressure, so we need to do our part
11754SKacheong.Poon@Sun.COM	 * to relieve the pressure.  So we only accept new request if there
11754SKacheong.Poon@Sun.COM	 * is nothing waiting to be accepted or waiting to complete the 3-way
11754SKacheong.Poon@Sun.COM	 * handshake.  This means that busy listener will not get too many
11754SKacheong.Poon@Sun.COM	 * new requests which they cannot handle in time while non-busy
11754SKacheong.Poon@Sun.COM	 * listener is still functioning properly.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcps->tcps_reclaim && (listener->tcp_conn_req_cnt_q > 0 ||
11754SKacheong.Poon@Sun.COM	    listener->tcp_conn_req_cnt_q0 > 0)) {
11754SKacheong.Poon@Sun.COM		mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM		TCP_STAT(tcps, tcp_listen_mem_drop);
11754SKacheong.Poon@Sun.COM		goto error2;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (listener->tcp_conn_req_cnt_q >= listener->tcp_conn_req_max) {
11754SKacheong.Poon@Sun.COM		mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM		TCP_STAT(tcps, tcp_listendrop);
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpListenDrop);
11754SKacheong.Poon@Sun.COM		if (lconnp->conn_debug) {
11754SKacheong.Poon@Sun.COM			(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
11754SKacheong.Poon@Sun.COM			    "tcp_input_listener: listen backlog (max=%d) "
11754SKacheong.Poon@Sun.COM			    "overflow (%d pending) on %s",
11754SKacheong.Poon@Sun.COM			    listener->tcp_conn_req_max,
11754SKacheong.Poon@Sun.COM			    listener->tcp_conn_req_cnt_q,
11754SKacheong.Poon@Sun.COM			    tcp_display(listener, NULL, DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		goto error2;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (listener->tcp_conn_req_cnt_q0 >=
11754SKacheong.Poon@Sun.COM	    listener->tcp_conn_req_max + tcps->tcps_conn_req_max_q0) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Q0 is full. Drop a pending half-open req from the queue
11754SKacheong.Poon@Sun.COM		 * to make room for the new SYN req. Also mark the time we
11754SKacheong.Poon@Sun.COM		 * drop a SYN.
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 * A more aggressive defense against SYN attack will
11754SKacheong.Poon@Sun.COM		 * be to set the "tcp_syn_defense" flag now.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		TCP_STAT(tcps, tcp_listendropq0);
11754SKacheong.Poon@Sun.COM		listener->tcp_last_rcv_lbolt = ddi_get_lbolt64();
11754SKacheong.Poon@Sun.COM		if (!tcp_drop_q0(listener)) {
11754SKacheong.Poon@Sun.COM			mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpListenDropQ0);
11754SKacheong.Poon@Sun.COM			if (lconnp->conn_debug) {
11754SKacheong.Poon@Sun.COM				(void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
11754SKacheong.Poon@Sun.COM				    "tcp_input_listener: listen half-open "
11754SKacheong.Poon@Sun.COM				    "queue (max=%d) full (%d pending) on %s",
11754SKacheong.Poon@Sun.COM				    tcps->tcps_conn_req_max_q0,
11754SKacheong.Poon@Sun.COM				    listener->tcp_conn_req_cnt_q0,
11754SKacheong.Poon@Sun.COM				    tcp_display(listener, NULL,
11754SKacheong.Poon@Sun.COM				    DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			goto error2;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Enforce the limit set on the number of connections per listener.
11754SKacheong.Poon@Sun.COM	 * Note that tlc_cnt starts with 1.  So need to add 1 to tlc_max
11754SKacheong.Poon@Sun.COM	 * for comparison.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (listener->tcp_listen_cnt != NULL) {
11754SKacheong.Poon@Sun.COM		tcp_listen_cnt_t *tlc = listener->tcp_listen_cnt;
11754SKacheong.Poon@Sun.COM		int64_t now;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (atomic_add_32_nv(&tlc->tlc_cnt, 1) > tlc->tlc_max + 1) {
11754SKacheong.Poon@Sun.COM			mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM			now = ddi_get_lbolt64();
11754SKacheong.Poon@Sun.COM			atomic_add_32(&tlc->tlc_cnt, -1);
11754SKacheong.Poon@Sun.COM			TCP_STAT(tcps, tcp_listen_cnt_drop);
11754SKacheong.Poon@Sun.COM			tlc->tlc_drop++;
11754SKacheong.Poon@Sun.COM			if (now - tlc->tlc_report_time >
11754SKacheong.Poon@Sun.COM			    MSEC_TO_TICK(TCP_TLC_REPORT_INTERVAL)) {
11754SKacheong.Poon@Sun.COM				zcmn_err(lconnp->conn_zoneid, CE_WARN,
11754SKacheong.Poon@Sun.COM				    "Listener (port %d) connection max (%u) "
11754SKacheong.Poon@Sun.COM				    "reached: %u attempts dropped total\n",
11754SKacheong.Poon@Sun.COM				    ntohs(listener->tcp_connp->conn_lport),
11754SKacheong.Poon@Sun.COM				    tlc->tlc_max, tlc->tlc_drop);
11754SKacheong.Poon@Sun.COM				tlc->tlc_report_time = now;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			goto error2;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		tlc_set = B_TRUE;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * IP sets ira_sqp to either the senders conn_sqp (for loopback)
11754SKacheong.Poon@Sun.COM	 * or based on the ring (for packets from GLD). Otherwise it is
11754SKacheong.Poon@Sun.COM	 * set based on lbolt i.e., a somewhat random number.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	ASSERT(ira->ira_sqp != NULL);
11754SKacheong.Poon@Sun.COM	new_sqp = ira->ira_sqp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	econnp = (conn_t *)tcp_get_conn(arg2, tcps);
11754SKacheong.Poon@Sun.COM	if (econnp == NULL)
11754SKacheong.Poon@Sun.COM		goto error2;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(econnp->conn_netstack == lconnp->conn_netstack);
11754SKacheong.Poon@Sun.COM	econnp->conn_sqp = new_sqp;
11754SKacheong.Poon@Sun.COM	econnp->conn_initial_sqp = new_sqp;
11754SKacheong.Poon@Sun.COM	econnp->conn_ixa->ixa_sqp = new_sqp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	econnp->conn_fport = tcpha->tha_lport;
11754SKacheong.Poon@Sun.COM	econnp->conn_lport = tcpha->tha_fport;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	err = conn_inherit_parent(lconnp, econnp);
11754SKacheong.Poon@Sun.COM	if (err != 0)
11754SKacheong.Poon@Sun.COM		goto error3;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* We already know the laddr of the new connection is ours */
11754SKacheong.Poon@Sun.COM	econnp->conn_ixa->ixa_src_generation = ipst->ips_src_generation;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(OK_32PTR(mp->b_rptr));
11754SKacheong.Poon@Sun.COM	ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION ||
11754SKacheong.Poon@Sun.COM	    IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (lconnp->conn_family == AF_INET) {
11754SKacheong.Poon@Sun.COM		ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
11754SKacheong.Poon@Sun.COM		tpi_mp = tcp_conn_create_v4(lconnp, econnp, mp, ira);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tpi_mp = tcp_conn_create_v6(lconnp, econnp, mp, ira);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tpi_mp == NULL)
11754SKacheong.Poon@Sun.COM		goto error3;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	eager = econnp->conn_tcp;
11754SKacheong.Poon@Sun.COM	eager->tcp_detached = B_TRUE;
11754SKacheong.Poon@Sun.COM	SOCK_CONNID_INIT(eager->tcp_connid);
11754SKacheong.Poon@Sun.COM
12544SKacheong.Poon@Sun.COM	/*
12544SKacheong.Poon@Sun.COM	 * Initialize the eager's tcp_t and inherit some parameters from
12544SKacheong.Poon@Sun.COM	 * the listener.
12544SKacheong.Poon@Sun.COM	 */
12544SKacheong.Poon@Sun.COM	tcp_init_values(eager, listener);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT((econnp->conn_ixa->ixa_flags &
11754SKacheong.Poon@Sun.COM	    (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
11754SKacheong.Poon@Sun.COM	    IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO)) ==
11754SKacheong.Poon@Sun.COM	    (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
11754SKacheong.Poon@Sun.COM	    IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (!tcps->tcps_dev_flow_ctl)
11754SKacheong.Poon@Sun.COM		econnp->conn_ixa->ixa_flags |= IXAF_NO_DEV_FLOW_CTL;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Prepare for diffing against previous packets */
11754SKacheong.Poon@Sun.COM	eager->tcp_recvifindex = 0;
11754SKacheong.Poon@Sun.COM	eager->tcp_recvhops = 0xffffffffU;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (!(ira->ira_flags & IRAF_IS_IPV4) && econnp->conn_bound_if == 0) {
11754SKacheong.Poon@Sun.COM		if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_faddr_v6) ||
11754SKacheong.Poon@Sun.COM		    IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6)) {
11754SKacheong.Poon@Sun.COM			econnp->conn_incoming_ifindex = ifindex;
11754SKacheong.Poon@Sun.COM			econnp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
11754SKacheong.Poon@Sun.COM			econnp->conn_ixa->ixa_scopeid = ifindex;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if ((ira->ira_flags & (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS)) ==
11754SKacheong.Poon@Sun.COM	    (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS) &&
11754SKacheong.Poon@Sun.COM	    tcps->tcps_rev_src_routes) {
11754SKacheong.Poon@Sun.COM		ipha_t *ipha = (ipha_t *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM		ip_pkt_t *ipp = &econnp->conn_xmit_ipp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Source routing option copyover (reverse it) */
11754SKacheong.Poon@Sun.COM		err = ip_find_hdr_v4(ipha, ipp, B_TRUE);
11754SKacheong.Poon@Sun.COM		if (err != 0) {
11754SKacheong.Poon@Sun.COM			freemsg(tpi_mp);
11754SKacheong.Poon@Sun.COM			goto error3;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		ip_pkt_source_route_reverse_v4(ipp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(eager->tcp_conn.tcp_eager_conn_ind == NULL);
11754SKacheong.Poon@Sun.COM	ASSERT(!eager->tcp_tconnind_started);
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If the SYN came with a credential, it's a loopback packet or a
11754SKacheong.Poon@Sun.COM	 * labeled packet; attach the credential to the TPI message.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (ira->ira_cred != NULL)
11754SKacheong.Poon@Sun.COM		mblk_setcred(tpi_mp, ira->ira_cred, ira->ira_cpid);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	eager->tcp_conn.tcp_eager_conn_ind = tpi_mp;
12643SAnders.Persson@Sun.COM	ASSERT(eager->tcp_ordrel_mp == NULL);
12643SAnders.Persson@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Inherit the listener's non-STREAMS flag */
11754SKacheong.Poon@Sun.COM	if (IPCL_IS_NONSTR(lconnp)) {
11754SKacheong.Poon@Sun.COM		econnp->conn_flags |= IPCL_NONSTR;
12643SAnders.Persson@Sun.COM		/* All non-STREAMS tcp_ts are sockets */
12643SAnders.Persson@Sun.COM		eager->tcp_issocket = B_TRUE;
12643SAnders.Persson@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Pre-allocate the T_ordrel_ind mblk for TPI socket so that
11754SKacheong.Poon@Sun.COM		 * at close time, we will always have that to send up.
11754SKacheong.Poon@Sun.COM		 * Otherwise, we need to do special handling in case the
11754SKacheong.Poon@Sun.COM		 * allocation fails at that time.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if ((eager->tcp_ordrel_mp = mi_tpi_ordrel_ind()) == NULL)
11754SKacheong.Poon@Sun.COM			goto error3;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Now that the IP addresses and ports are setup in econnp we
11754SKacheong.Poon@Sun.COM	 * can do the IPsec policy work.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
11754SKacheong.Poon@Sun.COM		if (lconnp->conn_policy != NULL) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Inherit the policy from the listener; use
11754SKacheong.Poon@Sun.COM			 * actions from ira
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
11754SKacheong.Poon@Sun.COM				CONN_DEC_REF(econnp);
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				goto error3;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * tcp_set_destination() may set tcp_rwnd according to the route
11754SKacheong.Poon@Sun.COM	 * metrics. If it does not, the eager's receive window will be set
11754SKacheong.Poon@Sun.COM	 * to the listener's receive window later in this function.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	eager->tcp_rwnd = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (is_system_labeled()) {
11754SKacheong.Poon@Sun.COM		ip_xmit_attr_t *ixa = econnp->conn_ixa;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		ASSERT(ira->ira_tsl != NULL);
11754SKacheong.Poon@Sun.COM		/* Discard any old label */
11754SKacheong.Poon@Sun.COM		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
11754SKacheong.Poon@Sun.COM			ASSERT(ixa->ixa_tsl != NULL);
11754SKacheong.Poon@Sun.COM			label_rele(ixa->ixa_tsl);
11754SKacheong.Poon@Sun.COM			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
11754SKacheong.Poon@Sun.COM			ixa->ixa_tsl = NULL;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if ((lconnp->conn_mlp_type != mlptSingle ||
11754SKacheong.Poon@Sun.COM		    lconnp->conn_mac_mode != CONN_MAC_DEFAULT) &&
11754SKacheong.Poon@Sun.COM		    ira->ira_tsl != NULL) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If this is an MLP connection or a MAC-Exempt
11754SKacheong.Poon@Sun.COM			 * connection with an unlabeled node, packets are to be
11754SKacheong.Poon@Sun.COM			 * exchanged using the security label of the received
11754SKacheong.Poon@Sun.COM			 * SYN packet instead of the server application's label.
11754SKacheong.Poon@Sun.COM			 * tsol_check_dest called from ip_set_destination
11754SKacheong.Poon@Sun.COM			 * might later update TSF_UNLABELED by replacing
11754SKacheong.Poon@Sun.COM			 * ixa_tsl with a new label.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			label_hold(ira->ira_tsl);
11754SKacheong.Poon@Sun.COM			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
11754SKacheong.Poon@Sun.COM			DTRACE_PROBE2(mlp_syn_accept, conn_t *,
11754SKacheong.Poon@Sun.COM			    econnp, ts_label_t *, ixa->ixa_tsl)
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			ixa->ixa_tsl = crgetlabel(econnp->conn_cred);
11754SKacheong.Poon@Sun.COM			DTRACE_PROBE2(syn_accept, conn_t *,
11754SKacheong.Poon@Sun.COM			    econnp, ts_label_t *, ixa->ixa_tsl)
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * conn_connect() called from tcp_set_destination will verify
11754SKacheong.Poon@Sun.COM		 * the destination is allowed to receive packets at the
11754SKacheong.Poon@Sun.COM		 * security label of the SYN-ACK we are generating. As part of
11754SKacheong.Poon@Sun.COM		 * that, tsol_check_dest() may create a new effective label for
11754SKacheong.Poon@Sun.COM		 * this connection.
11754SKacheong.Poon@Sun.COM		 * Finally conn_connect() will call conn_update_label.
11754SKacheong.Poon@Sun.COM		 * All that remains for TCP to do is to call
11754SKacheong.Poon@Sun.COM		 * conn_build_hdr_template which is done as part of
11754SKacheong.Poon@Sun.COM		 * tcp_set_destination.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Since we will clear tcp_listener before we clear tcp_detached
11754SKacheong.Poon@Sun.COM	 * in the accept code we need tcp_hard_binding aka tcp_accept_inprogress
12643SAnders.Persson@Sun.COM	 * so we can tell a TCP_IS_DETACHED_NONEAGER apart.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	eager->tcp_hard_binding = B_TRUE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcp_bind_hash_insert(&tcps->tcps_bind_fanout[
11754SKacheong.Poon@Sun.COM	    TCP_BIND_HASH(econnp->conn_lport)], eager, 0);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	CL_INET_CONNECT(econnp, B_FALSE, err);
11754SKacheong.Poon@Sun.COM	if (err != 0) {
11754SKacheong.Poon@Sun.COM		tcp_bind_hash_remove(eager);
11754SKacheong.Poon@Sun.COM		goto error3;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	SOCK_CONNID_BUMP(eager->tcp_connid);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Adapt our mss, ttl, ... based on the remote address.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp_set_destination(eager) != 0) {
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpAttemptFails);
11754SKacheong.Poon@Sun.COM		/* Undo the bind_hash_insert */
11754SKacheong.Poon@Sun.COM		tcp_bind_hash_remove(eager);
11754SKacheong.Poon@Sun.COM		goto error3;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Process all TCP options. */
11754SKacheong.Poon@Sun.COM	tcp_process_options(eager, tcpha);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Is the other end ECN capable? */
11754SKacheong.Poon@Sun.COM	if (tcps->tcps_ecn_permitted >= 1 &&
11754SKacheong.Poon@Sun.COM	    (tcpha->tha_flags & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
11754SKacheong.Poon@Sun.COM		eager->tcp_ecn_ok = B_TRUE;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * The listener's conn_rcvbuf should be the default window size or a
11754SKacheong.Poon@Sun.COM	 * window size changed via SO_RCVBUF option. First round up the
11754SKacheong.Poon@Sun.COM	 * eager's tcp_rwnd to the nearest MSS. Then find out the window
11754SKacheong.Poon@Sun.COM	 * scale option value if needed. Call tcp_rwnd_set() to finish the
11754SKacheong.Poon@Sun.COM	 * setting.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * Note if there is a rpipe metric associated with the remote host,
11754SKacheong.Poon@Sun.COM	 * we should not inherit receive window size from listener.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	eager->tcp_rwnd = MSS_ROUNDUP(
11754SKacheong.Poon@Sun.COM	    (eager->tcp_rwnd == 0 ? econnp->conn_rcvbuf :
11754SKacheong.Poon@Sun.COM	    eager->tcp_rwnd), eager->tcp_mss);
11754SKacheong.Poon@Sun.COM	if (eager->tcp_snd_ws_ok)
11754SKacheong.Poon@Sun.COM		tcp_set_ws_value(eager);
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Note that this is the only place tcp_rwnd_set() is called for
11754SKacheong.Poon@Sun.COM	 * accepting a connection.  We need to call it here instead of
11754SKacheong.Poon@Sun.COM	 * after the 3-way handshake because we need to tell the other
11754SKacheong.Poon@Sun.COM	 * side our rwnd in the SYN-ACK segment.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	(void) tcp_rwnd_set(eager, eager->tcp_rwnd);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(eager->tcp_connp->conn_rcvbuf != 0 &&
11754SKacheong.Poon@Sun.COM	    eager->tcp_connp->conn_rcvbuf == eager->tcp_rwnd);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(econnp->conn_rcvbuf != 0 &&
11754SKacheong.Poon@Sun.COM	    econnp->conn_rcvbuf == eager->tcp_rwnd);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Put a ref on the listener for the eager. */
11754SKacheong.Poon@Sun.COM	CONN_INC_REF(lconnp);
11754SKacheong.Poon@Sun.COM	mutex_enter(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM	listener->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
11754SKacheong.Poon@Sun.COM	eager->tcp_eager_next_q0 = listener->tcp_eager_next_q0;
11754SKacheong.Poon@Sun.COM	listener->tcp_eager_next_q0 = eager;
11754SKacheong.Poon@Sun.COM	eager->tcp_eager_prev_q0 = listener;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Set tcp_listener before adding it to tcp_conn_fanout */
11754SKacheong.Poon@Sun.COM	eager->tcp_listener = listener;
11754SKacheong.Poon@Sun.COM	eager->tcp_saved_listener = listener;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Set tcp_listen_cnt so that when the connection is done, the counter
11754SKacheong.Poon@Sun.COM	 * is decremented.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	eager->tcp_listen_cnt = listener->tcp_listen_cnt;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Tag this detached tcp vector for later retrieval
11754SKacheong.Poon@Sun.COM	 * by our listener client in tcp_accept().
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	eager->tcp_conn_req_seqnum = listener->tcp_conn_req_seqnum;
11754SKacheong.Poon@Sun.COM	listener->tcp_conn_req_cnt_q0++;
11754SKacheong.Poon@Sun.COM	if (++listener->tcp_conn_req_seqnum == -1) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * -1 is "special" and defined in TPI as something
11754SKacheong.Poon@Sun.COM		 * that should never be used in T_CONN_IND
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		++listener->tcp_conn_req_seqnum;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	mutex_exit(&listener->tcp_eager_lock);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (listener->tcp_syn_defense) {
11754SKacheong.Poon@Sun.COM		/* Don't drop the SYN that comes from a good IP source */
11754SKacheong.Poon@Sun.COM		ipaddr_t *addr_cache;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		addr_cache = (ipaddr_t *)(listener->tcp_ip_addr_cache);
11754SKacheong.Poon@Sun.COM		if (addr_cache != NULL && econnp->conn_faddr_v4 ==
11754SKacheong.Poon@Sun.COM		    addr_cache[IP_ADDR_CACHE_HASH(econnp->conn_faddr_v4)]) {
11754SKacheong.Poon@Sun.COM			eager->tcp_dontdrop = B_TRUE;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * We need to insert the eager in its own perimeter but as soon
11754SKacheong.Poon@Sun.COM	 * as we do that, we expose the eager to the classifier and
11754SKacheong.Poon@Sun.COM	 * should not touch any field outside the eager's perimeter.
11754SKacheong.Poon@Sun.COM	 * So do all the work necessary before inserting the eager
11754SKacheong.Poon@Sun.COM	 * in its own perimeter. Be optimistic that conn_connect()
11754SKacheong.Poon@Sun.COM	 * will succeed but undo everything if it fails.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	seg_seq = ntohl(tcpha->tha_seq);
11754SKacheong.Poon@Sun.COM	eager->tcp_irs = seg_seq;
11754SKacheong.Poon@Sun.COM	eager->tcp_rack = seg_seq;
11754SKacheong.Poon@Sun.COM	eager->tcp_rnxt = seg_seq + 1;
11754SKacheong.Poon@Sun.COM	eager->tcp_tcpha->tha_ack = htonl(eager->tcp_rnxt);
11754SKacheong.Poon@Sun.COM	TCPS_BUMP_MIB(tcps, tcpPassiveOpens);
11754SKacheong.Poon@Sun.COM	eager->tcp_state = TCPS_SYN_RCVD;
12507SAlan.Maguire@Sun.COM	DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
12507SAlan.Maguire@Sun.COM	    econnp->conn_ixa, void, NULL, tcp_t *, eager, void, NULL,
12507SAlan.Maguire@Sun.COM	    int32_t, TCPS_LISTEN);
12507SAlan.Maguire@Sun.COM
11754SKacheong.Poon@Sun.COM	mp1 = tcp_xmit_mp(eager, eager->tcp_xmit_head, eager->tcp_mss,
11754SKacheong.Poon@Sun.COM	    NULL, NULL, eager->tcp_iss, B_FALSE, NULL, B_FALSE);
11754SKacheong.Poon@Sun.COM	if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Increment the ref count as we are going to
11754SKacheong.Poon@Sun.COM		 * enqueueing an mp in squeue
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		CONN_INC_REF(econnp);
11754SKacheong.Poon@Sun.COM		goto error;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * We need to start the rto timer. In normal case, we start
11754SKacheong.Poon@Sun.COM	 * the timer after sending the packet on the wire (or at
11754SKacheong.Poon@Sun.COM	 * least believing that packet was sent by waiting for
11754SKacheong.Poon@Sun.COM	 * conn_ip_output() to return). Since this is the first packet
11754SKacheong.Poon@Sun.COM	 * being sent on the wire for the eager, our initial tcp_rto
11754SKacheong.Poon@Sun.COM	 * is at least tcp_rexmit_interval_min which is a fairly
11754SKacheong.Poon@Sun.COM	 * large value to allow the algorithm to adjust slowly to large
11754SKacheong.Poon@Sun.COM	 * fluctuations of RTT during first few transmissions.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * Starting the timer first and then sending the packet in this
11754SKacheong.Poon@Sun.COM	 * case shouldn't make much difference since tcp_rexmit_interval_min
11754SKacheong.Poon@Sun.COM	 * is of the order of several 100ms and starting the timer
11754SKacheong.Poon@Sun.COM	 * first and then sending the packet will result in difference
11754SKacheong.Poon@Sun.COM	 * of few micro seconds.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * Without this optimization, we are forced to hold the fanout
11754SKacheong.Poon@Sun.COM	 * lock across the ipcl_bind_insert() and sending the packet
11754SKacheong.Poon@Sun.COM	 * so that we don't race against an incoming packet (maybe RST)
11754SKacheong.Poon@Sun.COM	 * for this eager.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * It is necessary to acquire an extra reference on the eager
11754SKacheong.Poon@Sun.COM	 * at this point and hold it until after tcp_send_data() to
11754SKacheong.Poon@Sun.COM	 * ensure against an eager close race.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	CONN_INC_REF(econnp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	TCP_TIMER_RESTART(eager, eager->tcp_rto);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Insert the eager in its own perimeter now. We are ready to deal
11754SKacheong.Poon@Sun.COM	 * with any packets on eager.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (ipcl_conn_insert(econnp) != 0)
11754SKacheong.Poon@Sun.COM		goto error;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(econnp->conn_ixa->ixa_notify_cookie == econnp->conn_tcp);
11754SKacheong.Poon@Sun.COM	freemsg(mp);
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Send the SYN-ACK. Use the right squeue so that conn_ixa is
11754SKacheong.Poon@Sun.COM	 * only used by one thread at a time.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (econnp->conn_sqp == lconnp->conn_sqp) {
12507SAlan.Maguire@Sun.COM		DTRACE_TCP5(send, mblk_t *, NULL, ip_xmit_attr_t *,
12507SAlan.Maguire@Sun.COM		    econnp->conn_ixa, __dtrace_tcp_void_ip_t *, mp1->b_rptr,
12507SAlan.Maguire@Sun.COM		    tcp_t *, eager, __dtrace_tcp_tcph_t *,
12507SAlan.Maguire@Sun.COM		    &mp1->b_rptr[econnp->conn_ixa->ixa_ip_hdr_length]);
11754SKacheong.Poon@Sun.COM		(void) conn_ip_output(mp1, econnp->conn_ixa);
11754SKacheong.Poon@Sun.COM		CONN_DEC_REF(econnp);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_send_synack,
11754SKacheong.Poon@Sun.COM		    econnp, NULL, SQ_PROCESS, SQTAG_TCP_SEND_SYNACK);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	return;
11754SKacheong.Poon@Sun.COMerror:
11754SKacheong.Poon@Sun.COM	freemsg(mp1);
11754SKacheong.Poon@Sun.COM	eager->tcp_closemp_used = B_TRUE;
11754SKacheong.Poon@Sun.COM	TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
11754SKacheong.Poon@Sun.COM	mp1 = &eager->tcp_closemp;
11754SKacheong.Poon@Sun.COM	SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_eager_kill,
11754SKacheong.Poon@Sun.COM	    econnp, NULL, SQ_FILL, SQTAG_TCP_CONN_REQ_2);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If a connection already exists, send the mp to that connections so
11754SKacheong.Poon@Sun.COM	 * that it can be appropriately dealt with.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	ipst = tcps->tcps_netstack->netstack_ip;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if ((econnp = ipcl_classify(mp, ira, ipst)) != NULL) {
11754SKacheong.Poon@Sun.COM		if (!IPCL_IS_CONNECTED(econnp)) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Something bad happened. ipcl_conn_insert()
11754SKacheong.Poon@Sun.COM			 * failed because a connection already existed
11754SKacheong.Poon@Sun.COM			 * in connected hash but we can't find it
11754SKacheong.Poon@Sun.COM			 * anymore (someone blew it away). Just
11754SKacheong.Poon@Sun.COM			 * free this message and hopefully remote
11754SKacheong.Poon@Sun.COM			 * will retransmit at which time the SYN can be
11754SKacheong.Poon@Sun.COM			 * treated as a new connection or dealth with
11754SKacheong.Poon@Sun.COM			 * a TH_RST if a connection already exists.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			CONN_DEC_REF(econnp);
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			SQUEUE_ENTER_ONE(econnp->conn_sqp, mp, tcp_input_data,
11754SKacheong.Poon@Sun.COM			    econnp, ira, SQ_FILL, SQTAG_TCP_CONN_REQ_1);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		/* Nobody wants this packet */
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	return;
11754SKacheong.Poon@Sun.COMerror3:
11754SKacheong.Poon@Sun.COM	CONN_DEC_REF(econnp);
11754SKacheong.Poon@Sun.COMerror2:
11754SKacheong.Poon@Sun.COM	freemsg(mp);
11754SKacheong.Poon@Sun.COM	if (tlc_set)
11754SKacheong.Poon@Sun.COM		atomic_add_32(&listener->tcp_listen_cnt->tlc_cnt, -1);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * In an ideal case of vertical partition in NUMA architecture, its
11754SKacheong.Poon@Sun.COM * beneficial to have the listener and all the incoming connections
11754SKacheong.Poon@Sun.COM * tied to the same squeue. The other constraint is that incoming
11754SKacheong.Poon@Sun.COM * connections should be tied to the squeue attached to interrupted
11754SKacheong.Poon@Sun.COM * CPU for obvious locality reason so this leaves the listener to
11754SKacheong.Poon@Sun.COM * be tied to the same squeue. Our only problem is that when listener
11754SKacheong.Poon@Sun.COM * is binding, the CPU that will get interrupted by the NIC whose
11754SKacheong.Poon@Sun.COM * IP address the listener is binding to is not even known. So
11754SKacheong.Poon@Sun.COM * the code below allows us to change that binding at the time the
11754SKacheong.Poon@Sun.COM * CPU is interrupted by virtue of incoming connection's squeue.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * This is usefull only in case of a listener bound to a specific IP
11754SKacheong.Poon@Sun.COM * address. For other kind of listeners, they get bound the
11754SKacheong.Poon@Sun.COM * very first time and there is no attempt to rebind them.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_input_listener_unbound(void *arg, mblk_t *mp, void *arg2,
11754SKacheong.Poon@Sun.COM    ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	conn_t		*connp = (conn_t *)arg;
11754SKacheong.Poon@Sun.COM	squeue_t	*sqp = (squeue_t *)arg2;
11754SKacheong.Poon@Sun.COM	squeue_t	*new_sqp;
11754SKacheong.Poon@Sun.COM	uint32_t	conn_flags;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * IP sets ira_sqp to either the senders conn_sqp (for loopback)
11754SKacheong.Poon@Sun.COM	 * or based on the ring (for packets from GLD). Otherwise it is
11754SKacheong.Poon@Sun.COM	 * set based on lbolt i.e., a somewhat random number.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	ASSERT(ira->ira_sqp != NULL);
11754SKacheong.Poon@Sun.COM	new_sqp = ira->ira_sqp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (connp->conn_fanout == NULL)
11754SKacheong.Poon@Sun.COM		goto done;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (!(connp->conn_flags & IPCL_FULLY_BOUND)) {
11754SKacheong.Poon@Sun.COM		mutex_enter(&connp->conn_fanout->connf_lock);
11754SKacheong.Poon@Sun.COM		mutex_enter(&connp->conn_lock);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * No one from read or write side can access us now
11754SKacheong.Poon@Sun.COM		 * except for already queued packets on this squeue.
11754SKacheong.Poon@Sun.COM		 * But since we haven't changed the squeue yet, they
11754SKacheong.Poon@Sun.COM		 * can't execute. If they are processed after we have
11754SKacheong.Poon@Sun.COM		 * changed the squeue, they are sent back to the
11754SKacheong.Poon@Sun.COM		 * correct squeue down below.
11754SKacheong.Poon@Sun.COM		 * But a listner close can race with processing of
11754SKacheong.Poon@Sun.COM		 * incoming SYN. If incoming SYN processing changes
11754SKacheong.Poon@Sun.COM		 * the squeue then the listener close which is waiting
11754SKacheong.Poon@Sun.COM		 * to enter the squeue would operate on the wrong
11754SKacheong.Poon@Sun.COM		 * squeue. Hence we don't change the squeue here unless
11754SKacheong.Poon@Sun.COM		 * the refcount is exactly the minimum refcount. The
11754SKacheong.Poon@Sun.COM		 * minimum refcount of 4 is counted as - 1 each for
11754SKacheong.Poon@Sun.COM		 * TCP and IP, 1 for being in the classifier hash, and
11754SKacheong.Poon@Sun.COM		 * 1 for the mblk being processed.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (connp->conn_ref != 4 ||
11754SKacheong.Poon@Sun.COM		    connp->conn_tcp->tcp_state != TCPS_LISTEN) {
11754SKacheong.Poon@Sun.COM			mutex_exit(&connp->conn_lock);
11754SKacheong.Poon@Sun.COM			mutex_exit(&connp->conn_fanout->connf_lock);
11754SKacheong.Poon@Sun.COM			goto done;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (connp->conn_sqp != new_sqp) {
11754SKacheong.Poon@Sun.COM			while (connp->conn_sqp != new_sqp)
11754SKacheong.Poon@Sun.COM				(void) casptr(&connp->conn_sqp, sqp, new_sqp);
11754SKacheong.Poon@Sun.COM			/* No special MT issues for outbound ixa_sqp hint */
11754SKacheong.Poon@Sun.COM			connp->conn_ixa->ixa_sqp = new_sqp;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		do {
11754SKacheong.Poon@Sun.COM			conn_flags = connp->conn_flags;
11754SKacheong.Poon@Sun.COM			conn_flags |= IPCL_FULLY_BOUND;
11754SKacheong.Poon@Sun.COM			(void) cas32(&connp->conn_flags, connp->conn_flags,
11754SKacheong.Poon@Sun.COM			    conn_flags);
11754SKacheong.Poon@Sun.COM		} while (!(connp->conn_flags & IPCL_FULLY_BOUND));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		mutex_exit(&connp->conn_fanout->connf_lock);
11754SKacheong.Poon@Sun.COM		mutex_exit(&connp->conn_lock);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Assume we have picked a good squeue for the listener. Make
11754SKacheong.Poon@Sun.COM		 * subsequent SYNs not try to change the squeue.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		connp->conn_recv = tcp_input_listener;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COMdone:
11754SKacheong.Poon@Sun.COM	if (connp->conn_sqp != sqp) {
11754SKacheong.Poon@Sun.COM		CONN_INC_REF(connp);
11754SKacheong.Poon@Sun.COM		SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv, connp,
11754SKacheong.Poon@Sun.COM		    ira, SQ_FILL, SQTAG_TCP_CONN_REQ_UNBOUND);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tcp_input_listener(connp, mp, sqp, ira);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Send up all messages queued on tcp_rcv_list.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMuint_t
11754SKacheong.Poon@Sun.COMtcp_rcv_drain(tcp_t *tcp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	mblk_t *mp;
11754SKacheong.Poon@Sun.COM	uint_t ret = 0;
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM	uint_t cnt = 0;
11754SKacheong.Poon@Sun.COM#endif
11754SKacheong.Poon@Sun.COM	queue_t	*q = tcp->tcp_connp->conn_rq;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Can't drain on an eager connection */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_listener != NULL)
11754SKacheong.Poon@Sun.COM		return (ret);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Can't be a non-STREAMS connection */
11754SKacheong.Poon@Sun.COM	ASSERT(!IPCL_IS_NONSTR(tcp->tcp_connp));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* No need for the push timer now. */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_push_tid != 0) {
11754SKacheong.Poon@Sun.COM		(void) TCP_TIMER_CANCEL(tcp, tcp->tcp_push_tid);
11754SKacheong.Poon@Sun.COM		tcp->tcp_push_tid = 0;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Handle two cases here: we are currently fused or we were
11754SKacheong.Poon@Sun.COM	 * previously fused and have some urgent data to be delivered
11754SKacheong.Poon@Sun.COM	 * upstream.  The latter happens because we either ran out of
11754SKacheong.Poon@Sun.COM	 * memory or were detached and therefore sending the SIGURG was
11754SKacheong.Poon@Sun.COM	 * deferred until this point.  In either case we pass control
11754SKacheong.Poon@Sun.COM	 * over to tcp_fuse_rcv_drain() since it may need to complete
11754SKacheong.Poon@Sun.COM	 * some work.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if ((tcp->tcp_fused || tcp->tcp_fused_sigurg)) {
11754SKacheong.Poon@Sun.COM		if (tcp_fuse_rcv_drain(q, tcp, tcp->tcp_fused ? NULL :
11754SKacheong.Poon@Sun.COM		    &tcp->tcp_fused_sigurg_mp))
11754SKacheong.Poon@Sun.COM			return (ret);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	while ((mp = tcp->tcp_rcv_list) != NULL) {
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_list = mp->b_next;
11754SKacheong.Poon@Sun.COM		mp->b_next = NULL;
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM		cnt += msgdsize(mp);
11754SKacheong.Poon@Sun.COM#endif
11754SKacheong.Poon@Sun.COM		putnext(q, mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM	ASSERT(cnt == tcp->tcp_rcv_cnt);
11754SKacheong.Poon@Sun.COM#endif
11754SKacheong.Poon@Sun.COM	tcp->tcp_rcv_last_head = NULL;
11754SKacheong.Poon@Sun.COM	tcp->tcp_rcv_last_tail = NULL;
11754SKacheong.Poon@Sun.COM	tcp->tcp_rcv_cnt = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (canputnext(q))
11754SKacheong.Poon@Sun.COM		return (tcp_rwnd_reopen(tcp));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	return (ret);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Queue data on tcp_rcv_list which is a b_next chain.
11754SKacheong.Poon@Sun.COM * tcp_rcv_last_head/tail is the last element of this chain.
11754SKacheong.Poon@Sun.COM * Each element of the chain is a b_cont chain.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * M_DATA messages are added to the current element.
11754SKacheong.Poon@Sun.COM * Other messages are added as new (b_next) elements.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len, cred_t *cr)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	ASSERT(seg_len == msgdsize(mp));
11754SKacheong.Poon@Sun.COM	ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_rcv_last_head != NULL);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (is_system_labeled()) {
11754SKacheong.Poon@Sun.COM		ASSERT(cr != NULL || msg_getcred(mp, NULL) != NULL);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Provide for protocols above TCP such as RPC. NOPID leaves
11754SKacheong.Poon@Sun.COM		 * db_cpid unchanged.
11754SKacheong.Poon@Sun.COM		 * The cred could have already been set.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (cr != NULL)
11754SKacheong.Poon@Sun.COM			mblk_setcred(mp, cr, NOPID);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_rcv_list == NULL) {
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_rcv_last_head == NULL);
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_list = mp;
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_last_head = mp;
11754SKacheong.Poon@Sun.COM	} else if (DB_TYPE(mp) == DB_TYPE(tcp->tcp_rcv_last_head)) {
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_last_tail->b_cont = mp;
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_last_head->b_next = mp;
11754SKacheong.Poon@Sun.COM		tcp->tcp_rcv_last_head = mp;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	while (mp->b_cont)
11754SKacheong.Poon@Sun.COM		mp = mp->b_cont;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcp->tcp_rcv_last_tail = mp;
11754SKacheong.Poon@Sun.COM	tcp->tcp_rcv_cnt += seg_len;
11754SKacheong.Poon@Sun.COM	tcp->tcp_rwnd -= seg_len;
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* Generate an ACK-only (no data) segment for a TCP endpoint */
11754SKacheong.Poon@Sun.COMmblk_t *
11754SKacheong.Poon@Sun.COMtcp_ack_mp(tcp_t *tcp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uint32_t	seq_no;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM	conn_t		*connp = tcp->tcp_connp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * There are a few cases to be considered while setting the sequence no.
11754SKacheong.Poon@Sun.COM	 * Essentially, we can come here while processing an unacceptable pkt
11754SKacheong.Poon@Sun.COM	 * in the TCPS_SYN_RCVD state, in which case we set the sequence number
11754SKacheong.Poon@Sun.COM	 * to snxt (per RFC 793), note the swnd wouldn't have been set yet.
11754SKacheong.Poon@Sun.COM	 * If we are here for a zero window probe, stick with suna. In all
11754SKacheong.Poon@Sun.COM	 * other cases, we check if suna + swnd encompasses snxt and set
11754SKacheong.Poon@Sun.COM	 * the sequence number to snxt, if so. If snxt falls outside the
11754SKacheong.Poon@Sun.COM	 * window (the receiver probably shrunk its window), we will go with
11754SKacheong.Poon@Sun.COM	 * suna + swnd, otherwise the sequence no will be unacceptable to the
11754SKacheong.Poon@Sun.COM	 * receiver.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_zero_win_probe) {
11754SKacheong.Poon@Sun.COM		seq_no = tcp->tcp_suna;
11754SKacheong.Poon@Sun.COM	} else if (tcp->tcp_state == TCPS_SYN_RCVD) {
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_swnd == 0);
11754SKacheong.Poon@Sun.COM		seq_no = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		seq_no = SEQ_GT(tcp->tcp_snxt,
11754SKacheong.Poon@Sun.COM		    (tcp->tcp_suna + tcp->tcp_swnd)) ?
11754SKacheong.Poon@Sun.COM		    (tcp->tcp_suna + tcp->tcp_swnd) : tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_valid_bits) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * For the complex case where we have to send some
11754SKacheong.Poon@Sun.COM		 * controls (FIN or SYN), let tcp_xmit_mp do it.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		return (tcp_xmit_mp(tcp, NULL, 0, NULL, NULL, seq_no, B_FALSE,
11754SKacheong.Poon@Sun.COM		    NULL, B_FALSE));
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		/* Generate a simple ACK */
11754SKacheong.Poon@Sun.COM		int	data_length;
11754SKacheong.Poon@Sun.COM		uchar_t	*rptr;
11754SKacheong.Poon@Sun.COM		tcpha_t	*tcpha;
11754SKacheong.Poon@Sun.COM		mblk_t	*mp1;
11754SKacheong.Poon@Sun.COM		int32_t	total_hdr_len;
11754SKacheong.Poon@Sun.COM		int32_t	tcp_hdr_len;
11754SKacheong.Poon@Sun.COM		int32_t	num_sack_blk = 0;
11754SKacheong.Poon@Sun.COM		int32_t sack_opt_len;
11754SKacheong.Poon@Sun.COM		ip_xmit_attr_t *ixa = connp->conn_ixa;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Allocate space for TCP + IP headers
11754SKacheong.Poon@Sun.COM		 * and link-level header
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
11754SKacheong.Poon@Sun.COM			num_sack_blk = MIN(tcp->tcp_max_sack_blk,
11754SKacheong.Poon@Sun.COM			    tcp->tcp_num_sack_blk);
11754SKacheong.Poon@Sun.COM			sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
11754SKacheong.Poon@Sun.COM			    TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
11754SKacheong.Poon@Sun.COM			total_hdr_len = connp->conn_ht_iphc_len + sack_opt_len;
11754SKacheong.Poon@Sun.COM			tcp_hdr_len = connp->conn_ht_ulp_len + sack_opt_len;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			total_hdr_len = connp->conn_ht_iphc_len;
11754SKacheong.Poon@Sun.COM			tcp_hdr_len = connp->conn_ht_ulp_len;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp1 = allocb(total_hdr_len + tcps->tcps_wroff_xtra, BPRI_MED);
11754SKacheong.Poon@Sun.COM		if (!mp1)
11754SKacheong.Poon@Sun.COM			return (NULL);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Update the latest receive window size in TCP header. */
11754SKacheong.Poon@Sun.COM		tcp->tcp_tcpha->tha_win =
11754SKacheong.Poon@Sun.COM		    htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
11754SKacheong.Poon@Sun.COM		/* copy in prototype TCP + IP header */
11754SKacheong.Poon@Sun.COM		rptr = mp1->b_rptr + tcps->tcps_wroff_xtra;
11754SKacheong.Poon@Sun.COM		mp1->b_rptr = rptr;
11754SKacheong.Poon@Sun.COM		mp1->b_wptr = rptr + total_hdr_len;
11754SKacheong.Poon@Sun.COM		bcopy(connp->conn_ht_iphc, rptr, connp->conn_ht_iphc_len);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		tcpha = (tcpha_t *)&rptr[ixa->ixa_ip_hdr_length];
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Set the TCP sequence number. */
11754SKacheong.Poon@Sun.COM		tcpha->tha_seq = htonl(seq_no);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Set up the TCP flag field. */
11754SKacheong.Poon@Sun.COM		tcpha->tha_flags = (uchar_t)TH_ACK;
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_ecn_echo_on)
11754SKacheong.Poon@Sun.COM			tcpha->tha_flags |= TH_ECE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		tcp->tcp_rack = tcp->tcp_rnxt;
11754SKacheong.Poon@Sun.COM		tcp->tcp_rack_cnt = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* fill in timestamp option if in use */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_snd_ts_ok) {
11754SKacheong.Poon@Sun.COM			uint32_t llbolt = (uint32_t)LBOLT_FASTPATH;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			U32_TO_BE32(llbolt,
11754SKacheong.Poon@Sun.COM			    (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
11754SKacheong.Poon@Sun.COM			U32_TO_BE32(tcp->tcp_ts_recent,
11754SKacheong.Poon@Sun.COM			    (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Fill in SACK options */
11754SKacheong.Poon@Sun.COM		if (num_sack_blk > 0) {
11754SKacheong.Poon@Sun.COM			uchar_t *wptr = (uchar_t *)tcpha +
11754SKacheong.Poon@Sun.COM			    connp->conn_ht_ulp_len;
11754SKacheong.Poon@Sun.COM			sack_blk_t *tmp;
11754SKacheong.Poon@Sun.COM			int32_t	i;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			wptr[0] = TCPOPT_NOP;
11754SKacheong.Poon@Sun.COM			wptr[1] = TCPOPT_NOP;
11754SKacheong.Poon@Sun.COM			wptr[2] = TCPOPT_SACK;
11754SKacheong.Poon@Sun.COM			wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
11754SKacheong.Poon@Sun.COM			    sizeof (sack_blk_t);
11754SKacheong.Poon@Sun.COM			wptr += TCPOPT_REAL_SACK_LEN;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			tmp = tcp->tcp_sack_list;
11754SKacheong.Poon@Sun.COM			for (i = 0; i < num_sack_blk; i++) {
11754SKacheong.Poon@Sun.COM				U32_TO_BE32(tmp[i].begin, wptr);
11754SKacheong.Poon@Sun.COM				wptr += sizeof (tcp_seq);
11754SKacheong.Poon@Sun.COM				U32_TO_BE32(tmp[i].end, wptr);
11754SKacheong.Poon@Sun.COM				wptr += sizeof (tcp_seq);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			tcpha->tha_offset_and_reserved +=
11754SKacheong.Poon@Sun.COM			    ((num_sack_blk * 2 + 1) << 4);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		ixa->ixa_pktlen = total_hdr_len;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (ixa->ixa_flags & IXAF_IS_IPV4) {
11754SKacheong.Poon@Sun.COM			((ipha_t *)rptr)->ipha_length = htons(total_hdr_len);
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			ip6_t *ip6 = (ip6_t *)rptr;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			ip6->ip6_plen = htons(total_hdr_len - IPV6_HDR_LEN);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Prime pump for checksum calculation in IP.  Include the
11754SKacheong.Poon@Sun.COM		 * adjustment for a source route if any.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		data_length = tcp_hdr_len + connp->conn_sum;
11754SKacheong.Poon@Sun.COM		data_length = (data_length >> 16) + (data_length & 0xFFFF);
11754SKacheong.Poon@Sun.COM		tcpha->tha_sum = htons(data_length);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_ip_forward_progress) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_ip_forward_progress = B_FALSE;
11754SKacheong.Poon@Sun.COM			connp->conn_ixa->ixa_flags |= IXAF_REACH_CONF;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			connp->conn_ixa->ixa_flags &= ~IXAF_REACH_CONF;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		return (mp1);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Handle M_DATA messages from IP. Its called directly from IP via
11754SKacheong.Poon@Sun.COM * squeue for received IP packets.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The first argument is always the connp/tcp to which the mp belongs.
11754SKacheong.Poon@Sun.COM * There are no exceptions to this rule. The caller has already put
11754SKacheong.Poon@Sun.COM * a reference on this connp/tcp and once tcp_input_data() returns,
11754SKacheong.Poon@Sun.COM * the squeue will do the refrele.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * The TH_SYN for the listener directly go to tcp_input_listener via
11754SKacheong.Poon@Sun.COM * squeue. ICMP errors go directly to tcp_icmp_input().
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * sqp: NULL = recursive, sqp != NULL means called from squeue
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_input_data(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	int32_t		bytes_acked;
11754SKacheong.Poon@Sun.COM	int32_t		gap;
11754SKacheong.Poon@Sun.COM	mblk_t		*mp1;
11754SKacheong.Poon@Sun.COM	uint_t		flags;
11754SKacheong.Poon@Sun.COM	uint32_t	new_swnd = 0;
11754SKacheong.Poon@Sun.COM	uchar_t		*iphdr;
11754SKacheong.Poon@Sun.COM	uchar_t		*rptr;
11754SKacheong.Poon@Sun.COM	int32_t		rgap;
11754SKacheong.Poon@Sun.COM	uint32_t	seg_ack;
11754SKacheong.Poon@Sun.COM	int		seg_len;
11754SKacheong.Poon@Sun.COM	uint_t		ip_hdr_len;
11754SKacheong.Poon@Sun.COM	uint32_t	seg_seq;
11754SKacheong.Poon@Sun.COM	tcpha_t		*tcpha;
11754SKacheong.Poon@Sun.COM	int		urp;
11754SKacheong.Poon@Sun.COM	tcp_opt_t	tcpopt;
11754SKacheong.Poon@Sun.COM	ip_pkt_t	ipp;
11754SKacheong.Poon@Sun.COM	boolean_t	ofo_seg = B_FALSE; /* Out of order segment */
11754SKacheong.Poon@Sun.COM	uint32_t	cwnd;
11754SKacheong.Poon@Sun.COM	uint32_t	add;
11754SKacheong.Poon@Sun.COM	int		npkt;
11754SKacheong.Poon@Sun.COM	int		mss;
11754SKacheong.Poon@Sun.COM	conn_t		*connp = (conn_t *)arg;
11754SKacheong.Poon@Sun.COM	squeue_t	*sqp = (squeue_t *)arg2;
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * RST from fused tcp loopback peer should trigger an unfuse.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_fused) {
11754SKacheong.Poon@Sun.COM		TCP_STAT(tcps, tcp_fusion_aborted);
11754SKacheong.Poon@Sun.COM		tcp_unfuse(tcp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	iphdr = mp->b_rptr;
11754SKacheong.Poon@Sun.COM	rptr = mp->b_rptr;
11754SKacheong.Poon@Sun.COM	ASSERT(OK_32PTR(rptr));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ip_hdr_len = ira->ira_ip_hdr_length;
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_all != 0) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Record packet information in the ip_pkt_t
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		ipp.ipp_fields = 0;
11754SKacheong.Poon@Sun.COM		if (ira->ira_flags & IRAF_IS_IPV4) {
11754SKacheong.Poon@Sun.COM			(void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
11754SKacheong.Poon@Sun.COM			    B_FALSE);
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			uint8_t nexthdrp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * IPv6 packets can only be received by applications
11754SKacheong.Poon@Sun.COM			 * that are prepared to receive IPv6 addresses.
11754SKacheong.Poon@Sun.COM			 * The IP fanout must ensure this.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			ASSERT(connp->conn_family == AF_INET6);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			(void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
11754SKacheong.Poon@Sun.COM			    &nexthdrp);
11754SKacheong.Poon@Sun.COM			ASSERT(nexthdrp == IPPROTO_TCP);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/* Could have caused a pullup? */
11754SKacheong.Poon@Sun.COM			iphdr = mp->b_rptr;
11754SKacheong.Poon@Sun.COM			rptr = mp->b_rptr;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	ASSERT(DB_TYPE(mp) == M_DATA);
11754SKacheong.Poon@Sun.COM	ASSERT(mp->b_next == NULL);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	tcpha = (tcpha_t *)&rptr[ip_hdr_len];
11754SKacheong.Poon@Sun.COM	seg_seq = ntohl(tcpha->tha_seq);
11754SKacheong.Poon@Sun.COM	seg_ack = ntohl(tcpha->tha_ack);
11754SKacheong.Poon@Sun.COM	ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM	seg_len = (int)(mp->b_wptr - rptr) -
11754SKacheong.Poon@Sun.COM	    (ip_hdr_len + TCP_HDR_LENGTH(tcpha));
11754SKacheong.Poon@Sun.COM	if ((mp1 = mp->b_cont) != NULL && mp1->b_datap->db_type == M_DATA) {
11754SKacheong.Poon@Sun.COM		do {
11754SKacheong.Poon@Sun.COM			ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
11754SKacheong.Poon@Sun.COM			    (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM			seg_len += (int)(mp1->b_wptr - mp1->b_rptr);
11754SKacheong.Poon@Sun.COM		} while ((mp1 = mp1->b_cont) != NULL &&
11754SKacheong.Poon@Sun.COM		    mp1->b_datap->db_type == M_DATA);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
12507SAlan.Maguire@Sun.COM	DTRACE_TCP5(receive, mblk_t *, NULL, ip_xmit_attr_t *, connp->conn_ixa,
12507SAlan.Maguire@Sun.COM	    __dtrace_tcp_void_ip_t *, iphdr, tcp_t *, tcp,
12507SAlan.Maguire@Sun.COM	    __dtrace_tcp_tcph_t *, tcpha);
12507SAlan.Maguire@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_state == TCPS_TIME_WAIT) {
11754SKacheong.Poon@Sun.COM		tcp_time_wait_processing(tcp, mp, seg_seq, seg_ack,
11754SKacheong.Poon@Sun.COM		    seg_len, tcpha, ira);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (sqp != NULL) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * This is the correct place to update tcp_last_recv_time. Note
11754SKacheong.Poon@Sun.COM		 * that it is also updated for tcp structure that belongs to
11754SKacheong.Poon@Sun.COM		 * global and listener queues which do not really need updating.
11754SKacheong.Poon@Sun.COM		 * But that should not cause any harm.  And it is updated for
11754SKacheong.Poon@Sun.COM		 * all kinds of incoming segments, not only for data segments.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		tcp->tcp_last_recv_time = LBOLT_FASTPATH;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	flags = (unsigned int)tcpha->tha_flags & 0xFF;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	BUMP_LOCAL(tcp->tcp_ibsegs);
11754SKacheong.Poon@Sun.COM	DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if ((flags & TH_URG) && sqp != NULL) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * TCP can't handle urgent pointers that arrive before
11754SKacheong.Poon@Sun.COM		 * the connection has been accept()ed since it can't
11754SKacheong.Poon@Sun.COM		 * buffer OOB data.  Discard segment if this happens.
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 * We can't just rely on a non-null tcp_listener to indicate
11754SKacheong.Poon@Sun.COM		 * that the accept() has completed since unlinking of the
11754SKacheong.Poon@Sun.COM		 * eager and completion of the accept are not atomic.
11754SKacheong.Poon@Sun.COM		 * tcp_detached, when it is not set (B_FALSE) indicates
11754SKacheong.Poon@Sun.COM		 * that the accept() has completed.
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 * Nor can it reassemble urgent pointers, so discard
11754SKacheong.Poon@Sun.COM		 * if it's not the next segment expected.
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 * Otherwise, collapse chain into one mblk (discard if
11754SKacheong.Poon@Sun.COM		 * that fails).  This makes sure the headers, retransmitted
11754SKacheong.Poon@Sun.COM		 * data, and new data all are in the same mblk.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		ASSERT(mp != NULL);
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_detached || !pullupmsg(mp, -1)) {
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/* Update pointers into message */
11754SKacheong.Poon@Sun.COM		iphdr = rptr = mp->b_rptr;
11754SKacheong.Poon@Sun.COM		tcpha = (tcpha_t *)&rptr[ip_hdr_len];
11754SKacheong.Poon@Sun.COM		if (SEQ_GT(seg_seq, tcp->tcp_rnxt)) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Since we can't handle any data with this urgent
11754SKacheong.Poon@Sun.COM			 * pointer that is out of sequence, we expunge
11754SKacheong.Poon@Sun.COM			 * the data.  This allows us to still register
11754SKacheong.Poon@Sun.COM			 * the urgent mark and generate the M_PCSIG,
11754SKacheong.Poon@Sun.COM			 * which we can do.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			mp->b_wptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
11754SKacheong.Poon@Sun.COM			seg_len = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	switch (tcp->tcp_state) {
11754SKacheong.Poon@Sun.COM	case TCPS_SYN_SENT:
11754SKacheong.Poon@Sun.COM		if (connp->conn_final_sqp == NULL &&
11754SKacheong.Poon@Sun.COM		    tcp_outbound_squeue_switch && sqp != NULL) {
11754SKacheong.Poon@Sun.COM			ASSERT(connp->conn_initial_sqp == connp->conn_sqp);
11754SKacheong.Poon@Sun.COM			connp->conn_final_sqp = sqp;
11754SKacheong.Poon@Sun.COM			if (connp->conn_final_sqp != connp->conn_sqp) {
11754SKacheong.Poon@Sun.COM				DTRACE_PROBE1(conn__final__sqp__switch,
11754SKacheong.Poon@Sun.COM				    conn_t *, connp);
11754SKacheong.Poon@Sun.COM				CONN_INC_REF(connp);
11754SKacheong.Poon@Sun.COM				SQUEUE_SWITCH(connp, connp->conn_final_sqp);
11754SKacheong.Poon@Sun.COM				SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
11754SKacheong.Poon@Sun.COM				    tcp_input_data, connp, ira, ip_squeue_flag,
11754SKacheong.Poon@Sun.COM				    SQTAG_CONNECT_FINISH);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			DTRACE_PROBE1(conn__final__sqp__same, conn_t *, connp);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (flags & TH_ACK) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Note that our stack cannot send data before a
11754SKacheong.Poon@Sun.COM			 * connection is established, therefore the
11754SKacheong.Poon@Sun.COM			 * following check is valid.  Otherwise, it has
11754SKacheong.Poon@Sun.COM			 * to be changed.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (SEQ_LEQ(seg_ack, tcp->tcp_iss) ||
11754SKacheong.Poon@Sun.COM			    SEQ_GT(seg_ack, tcp->tcp_snxt)) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				if (flags & TH_RST)
11754SKacheong.Poon@Sun.COM					return;
11754SKacheong.Poon@Sun.COM				tcp_xmit_ctl("TCPS_SYN_SENT-Bad_seq",
11754SKacheong.Poon@Sun.COM				    tcp, seg_ack, 0, TH_RST);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			ASSERT(tcp->tcp_suna + 1 == seg_ack);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (flags & TH_RST) {
12507SAlan.Maguire@Sun.COM			if (flags & TH_ACK) {
12507SAlan.Maguire@Sun.COM				DTRACE_TCP5(connect__refused, mblk_t *, NULL,
12507SAlan.Maguire@Sun.COM				    ip_xmit_attr_t *, connp->conn_ixa,
12507SAlan.Maguire@Sun.COM				    void_ip_t *, iphdr, tcp_t *, tcp,
12507SAlan.Maguire@Sun.COM				    tcph_t *, tcpha);
12507SAlan.Maguire@Sun.COM				(void) tcp_clean_death(tcp, ECONNREFUSED);
12507SAlan.Maguire@Sun.COM			}
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (!(flags & TH_SYN)) {
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Process all TCP options. */
11754SKacheong.Poon@Sun.COM		tcp_process_options(tcp, tcpha);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * The following changes our rwnd to be a multiple of the
11754SKacheong.Poon@Sun.COM		 * MIN(peer MSS, our MSS) for performance reason.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		(void) tcp_rwnd_set(tcp, MSS_ROUNDUP(connp->conn_rcvbuf,
11754SKacheong.Poon@Sun.COM		    tcp->tcp_mss));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Is the other end ECN capable? */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_ecn_ok) {
11754SKacheong.Poon@Sun.COM			if ((flags & (TH_ECE|TH_CWR)) != TH_ECE) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_ecn_ok = B_FALSE;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Clear ECN flags because it may interfere with later
11754SKacheong.Poon@Sun.COM		 * processing.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		flags &= ~(TH_ECE|TH_CWR);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		tcp->tcp_irs = seg_seq;
11754SKacheong.Poon@Sun.COM		tcp->tcp_rack = seg_seq;
11754SKacheong.Poon@Sun.COM		tcp->tcp_rnxt = seg_seq + 1;
11754SKacheong.Poon@Sun.COM		tcp->tcp_tcpha->tha_ack = htonl(tcp->tcp_rnxt);
11754SKacheong.Poon@Sun.COM		if (!TCP_IS_DETACHED(tcp)) {
11754SKacheong.Poon@Sun.COM			/* Allocate room for SACK options if needed. */
11754SKacheong.Poon@Sun.COM			connp->conn_wroff = connp->conn_ht_iphc_len;
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_snd_sack_ok)
11754SKacheong.Poon@Sun.COM				connp->conn_wroff += TCPOPT_MAX_SACK_LEN;
11754SKacheong.Poon@Sun.COM			if (!tcp->tcp_loopback)
11754SKacheong.Poon@Sun.COM				connp->conn_wroff += tcps->tcps_wroff_xtra;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			(void) proto_set_tx_wroff(connp->conn_rq, connp,
11754SKacheong.Poon@Sun.COM			    connp->conn_wroff);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (flags & TH_ACK) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If we can't get the confirmation upstream, pretend
11754SKacheong.Poon@Sun.COM			 * we didn't even see this one.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * XXX: how can we pretend we didn't see it if we
11754SKacheong.Poon@Sun.COM			 * have updated rnxt et. al.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * For loopback we defer sending up the T_CONN_CON
11754SKacheong.Poon@Sun.COM			 * until after some checks below.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			mp1 = NULL;
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * tcp_sendmsg() checks tcp_state without entering
11754SKacheong.Poon@Sun.COM			 * the squeue so tcp_state should be updated before
12507SAlan.Maguire@Sun.COM			 * sending up connection confirmation.  Probe the
12507SAlan.Maguire@Sun.COM			 * state change below when we are sure the connection
12507SAlan.Maguire@Sun.COM			 * confirmation has been sent.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			tcp->tcp_state = TCPS_ESTABLISHED;
11754SKacheong.Poon@Sun.COM			if (!tcp_conn_con(tcp, iphdr, mp,
11754SKacheong.Poon@Sun.COM			    tcp->tcp_loopback ? &mp1 : NULL, ira)) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_state = TCPS_SYN_SENT;
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			TCPS_CONN_INC(tcps);
11754SKacheong.Poon@Sun.COM			/* SYN was acked - making progress */
11754SKacheong.Poon@Sun.COM			tcp->tcp_ip_forward_progress = B_TRUE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/* One for the SYN */
11754SKacheong.Poon@Sun.COM			tcp->tcp_suna = tcp->tcp_iss + 1;
11754SKacheong.Poon@Sun.COM			tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If SYN was retransmitted, need to reset all
11754SKacheong.Poon@Sun.COM			 * retransmission info.  This is because this
11754SKacheong.Poon@Sun.COM			 * segment will be treated as a dup ACK.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_rexmit) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_rexmit = B_FALSE;
11754SKacheong.Poon@Sun.COM				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM				tcp->tcp_rexmit_max = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM				tcp->tcp_snd_burst = tcp->tcp_localnet ?
11754SKacheong.Poon@Sun.COM				    TCP_CWND_INFINITE : TCP_CWND_NORMAL;
11754SKacheong.Poon@Sun.COM				tcp->tcp_ms_we_have_waited = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Set tcp_cwnd back to 1 MSS, per
11754SKacheong.Poon@Sun.COM				 * recommendation from
11754SKacheong.Poon@Sun.COM				 * draft-floyd-incr-init-win-01.txt,
11754SKacheong.Poon@Sun.COM				 * Increasing TCP's Initial Window.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd = tcp->tcp_mss;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			tcp->tcp_swl1 = seg_seq;
11754SKacheong.Poon@Sun.COM			tcp->tcp_swl2 = seg_ack;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			new_swnd = ntohs(tcpha->tha_win);
11754SKacheong.Poon@Sun.COM			tcp->tcp_swnd = new_swnd;
11754SKacheong.Poon@Sun.COM			if (new_swnd > tcp->tcp_max_swnd)
11754SKacheong.Poon@Sun.COM				tcp->tcp_max_swnd = new_swnd;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Always send the three-way handshake ack immediately
11754SKacheong.Poon@Sun.COM			 * in order to make the connection complete as soon as
11754SKacheong.Poon@Sun.COM			 * possible on the accepting host.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
12507SAlan.Maguire@Sun.COM			 * Trace connect-established here.
12507SAlan.Maguire@Sun.COM			 */
12507SAlan.Maguire@Sun.COM			DTRACE_TCP5(connect__established, mblk_t *, NULL,
12507SAlan.Maguire@Sun.COM			    ip_xmit_attr_t *, tcp->tcp_connp->conn_ixa,
12507SAlan.Maguire@Sun.COM			    void_ip_t *, iphdr, tcp_t *, tcp, tcph_t *, tcpha);
12507SAlan.Maguire@Sun.COM
12507SAlan.Maguire@Sun.COM			/* Trace change from SYN_SENT -> ESTABLISHED here */
12507SAlan.Maguire@Sun.COM			DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
12507SAlan.Maguire@Sun.COM			    connp->conn_ixa, void, NULL, tcp_t *, tcp,
12507SAlan.Maguire@Sun.COM			    void, NULL, int32_t, TCPS_SYN_SENT);
12507SAlan.Maguire@Sun.COM
12507SAlan.Maguire@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Special case for loopback.  At this point we have
11754SKacheong.Poon@Sun.COM			 * received SYN-ACK from the remote endpoint.  In
11754SKacheong.Poon@Sun.COM			 * order to ensure that both endpoints reach the
11754SKacheong.Poon@Sun.COM			 * fused state prior to any data exchange, the final
11754SKacheong.Poon@Sun.COM			 * ACK needs to be sent before we indicate T_CONN_CON
11754SKacheong.Poon@Sun.COM			 * to the module upstream.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_loopback) {
11754SKacheong.Poon@Sun.COM				mblk_t *ack_mp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				ASSERT(!tcp->tcp_unfusable);
11754SKacheong.Poon@Sun.COM				ASSERT(mp1 != NULL);
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * For loopback, we always get a pure SYN-ACK
11754SKacheong.Poon@Sun.COM				 * and only need to send back the final ACK
11754SKacheong.Poon@Sun.COM				 * with no data (this is because the other
11754SKacheong.Poon@Sun.COM				 * tcp is ours and we don't do T/TCP).  This
11754SKacheong.Poon@Sun.COM				 * final ACK triggers the passive side to
11754SKacheong.Poon@Sun.COM				 * perform fusion in ESTABLISHED state.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if ((ack_mp = tcp_ack_mp(tcp)) != NULL) {
11754SKacheong.Poon@Sun.COM					if (tcp->tcp_ack_tid != 0) {
11754SKacheong.Poon@Sun.COM						(void) TCP_TIMER_CANCEL(tcp,
11754SKacheong.Poon@Sun.COM						    tcp->tcp_ack_tid);
11754SKacheong.Poon@Sun.COM						tcp->tcp_ack_tid = 0;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					tcp_send_data(tcp, ack_mp);
11754SKacheong.Poon@Sun.COM					BUMP_LOCAL(tcp->tcp_obsegs);
11754SKacheong.Poon@Sun.COM					TCPS_BUMP_MIB(tcps, tcpOutAck);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM					if (!IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM						/* Send up T_CONN_CON */
11754SKacheong.Poon@Sun.COM						if (ira->ira_cred != NULL) {
11754SKacheong.Poon@Sun.COM							mblk_setcred(mp1,
11754SKacheong.Poon@Sun.COM							    ira->ira_cred,
11754SKacheong.Poon@Sun.COM							    ira->ira_cpid);
11754SKacheong.Poon@Sun.COM						}
11754SKacheong.Poon@Sun.COM						putnext(connp->conn_rq, mp1);
11754SKacheong.Poon@Sun.COM					} else {
11754SKacheong.Poon@Sun.COM						(*connp->conn_upcalls->
11754SKacheong.Poon@Sun.COM						    su_connected)
11754SKacheong.Poon@Sun.COM						    (connp->conn_upper_handle,
11754SKacheong.Poon@Sun.COM						    tcp->tcp_connid,
11754SKacheong.Poon@Sun.COM						    ira->ira_cred,
11754SKacheong.Poon@Sun.COM						    ira->ira_cpid);
11754SKacheong.Poon@Sun.COM						freemsg(mp1);
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM					freemsg(mp);
11754SKacheong.Poon@Sun.COM					return;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Forget fusion; we need to handle more
11754SKacheong.Poon@Sun.COM				 * complex cases below.  Send the deferred
11754SKacheong.Poon@Sun.COM				 * T_CONN_CON message upstream and proceed
11754SKacheong.Poon@Sun.COM				 * as usual.  Mark this tcp as not capable
11754SKacheong.Poon@Sun.COM				 * of fusion.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				TCP_STAT(tcps, tcp_fusion_unfusable);
11754SKacheong.Poon@Sun.COM				tcp->tcp_unfusable = B_TRUE;
11754SKacheong.Poon@Sun.COM				if (!IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM					if (ira->ira_cred != NULL) {
11754SKacheong.Poon@Sun.COM						mblk_setcred(mp1, ira->ira_cred,
11754SKacheong.Poon@Sun.COM						    ira->ira_cpid);
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					putnext(connp->conn_rq, mp1);
11754SKacheong.Poon@Sun.COM				} else {
11754SKacheong.Poon@Sun.COM					(*connp->conn_upcalls->su_connected)
11754SKacheong.Poon@Sun.COM					    (connp->conn_upper_handle,
11754SKacheong.Poon@Sun.COM					    tcp->tcp_connid, ira->ira_cred,
11754SKacheong.Poon@Sun.COM					    ira->ira_cpid);
11754SKacheong.Poon@Sun.COM					freemsg(mp1);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Check to see if there is data to be sent.  If
11754SKacheong.Poon@Sun.COM			 * yes, set the transmit flag.  Then check to see
11754SKacheong.Poon@Sun.COM			 * if received data processing needs to be done.
11754SKacheong.Poon@Sun.COM			 * If not, go straight to xmit_check.  This short
11754SKacheong.Poon@Sun.COM			 * cut is OK as we don't support T/TCP.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_unsent)
11754SKacheong.Poon@Sun.COM				flags |= TH_XMIT_NEEDED;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			if (seg_len == 0 && !(flags & TH_URG)) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				goto xmit_check;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			flags &= ~TH_SYN;
11754SKacheong.Poon@Sun.COM			seg_seq++;
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		tcp->tcp_state = TCPS_SYN_RCVD;
12507SAlan.Maguire@Sun.COM		DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
12507SAlan.Maguire@Sun.COM		    connp->conn_ixa, void_ip_t *, NULL, tcp_t *, tcp,
12507SAlan.Maguire@Sun.COM		    tcph_t *, NULL, int32_t, TCPS_SYN_SENT);
11754SKacheong.Poon@Sun.COM		mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, tcp->tcp_mss,
11754SKacheong.Poon@Sun.COM		    NULL, NULL, tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
11754SKacheong.Poon@Sun.COM		if (mp1 != NULL) {
11754SKacheong.Poon@Sun.COM			tcp_send_data(tcp, mp1);
11754SKacheong.Poon@Sun.COM			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	case TCPS_SYN_RCVD:
11754SKacheong.Poon@Sun.COM		if (flags & TH_ACK) {
13008SKacheong.Poon@Sun.COM			uint32_t pinit_wnd;
13008SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * In this state, a SYN|ACK packet is either bogus
11754SKacheong.Poon@Sun.COM			 * because the other side must be ACKing our SYN which
11754SKacheong.Poon@Sun.COM			 * indicates it has seen the ACK for their SYN and
11754SKacheong.Poon@Sun.COM			 * shouldn't retransmit it or we're crossing SYNs
11754SKacheong.Poon@Sun.COM			 * on active open.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if ((flags & TH_SYN) && !tcp->tcp_active_open) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				tcp_xmit_ctl("TCPS_SYN_RCVD-bad_syn",
11754SKacheong.Poon@Sun.COM				    tcp, seg_ack, 0, TH_RST);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * NOTE: RFC 793 pg. 72 says this should be
11754SKacheong.Poon@Sun.COM			 * tcp->tcp_suna <= seg_ack <= tcp->tcp_snxt
11754SKacheong.Poon@Sun.COM			 * but that would mean we have an ack that ignored
11754SKacheong.Poon@Sun.COM			 * our SYN.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (SEQ_LEQ(seg_ack, tcp->tcp_suna) ||
11754SKacheong.Poon@Sun.COM			    SEQ_GT(seg_ack, tcp->tcp_snxt)) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				tcp_xmit_ctl("TCPS_SYN_RCVD-bad_ack",
11754SKacheong.Poon@Sun.COM				    tcp, seg_ack, 0, TH_RST);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * No sane TCP stack will send such a small window
11754SKacheong.Poon@Sun.COM			 * without receiving any data.  Just drop this invalid
11754SKacheong.Poon@Sun.COM			 * ACK.  We also shorten the abort timeout in case
11754SKacheong.Poon@Sun.COM			 * this is an attack.
11754SKacheong.Poon@Sun.COM			 */
13008SKacheong.Poon@Sun.COM			pinit_wnd = ntohs(tcpha->tha_win) << tcp->tcp_snd_ws;
13008SKacheong.Poon@Sun.COM			if (pinit_wnd < tcp->tcp_mss &&
13008SKacheong.Poon@Sun.COM			    pinit_wnd < tcp_init_wnd_chk) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				TCP_STAT(tcps, tcp_zwin_ack_syn);
11754SKacheong.Poon@Sun.COM				tcp->tcp_second_ctimer_threshold =
11754SKacheong.Poon@Sun.COM				    tcp_early_abort * SECONDS;
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	case TCPS_LISTEN:
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Only a TLI listener can come through this path when a
11754SKacheong.Poon@Sun.COM		 * acceptor is going back to be a listener and a packet
11754SKacheong.Poon@Sun.COM		 * for the acceptor hits the classifier. For a socket
11754SKacheong.Poon@Sun.COM		 * listener, this can never happen because a listener
11754SKacheong.Poon@Sun.COM		 * can never accept connection on itself and hence a
11754SKacheong.Poon@Sun.COM		 * socket acceptor can not go back to being a listener.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		ASSERT(!TCP_IS_SOCKET(tcp));
11754SKacheong.Poon@Sun.COM		/*FALLTHRU*/
11754SKacheong.Poon@Sun.COM	case TCPS_CLOSED:
11754SKacheong.Poon@Sun.COM	case TCPS_BOUND: {
11754SKacheong.Poon@Sun.COM		conn_t	*new_connp;
11754SKacheong.Poon@Sun.COM		ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Don't accept any input on a closed tcp as this TCP logically
11754SKacheong.Poon@Sun.COM		 * does not exist on the system. Don't proceed further with
11754SKacheong.Poon@Sun.COM		 * this TCP. For instance, this packet could trigger another
11754SKacheong.Poon@Sun.COM		 * close of this tcp which would be disastrous for tcp_refcnt.
11754SKacheong.Poon@Sun.COM		 * tcp_close_detached / tcp_clean_death / tcp_closei_local must
11754SKacheong.Poon@Sun.COM		 * be called at most once on a TCP. In this case we need to
11754SKacheong.Poon@Sun.COM		 * refeed the packet into the classifier and figure out where
11754SKacheong.Poon@Sun.COM		 * the packet should go.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		new_connp = ipcl_classify(mp, ira, ipst);
11754SKacheong.Poon@Sun.COM		if (new_connp != NULL) {
11754SKacheong.Poon@Sun.COM			/* Drops ref on new_connp */
11754SKacheong.Poon@Sun.COM			tcp_reinput(new_connp, mp, ira, ipst);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/* We failed to classify. For now just drop the packet */
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	case TCPS_IDLE:
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Handle the case where the tcp_clean_death() has happened
11754SKacheong.Poon@Sun.COM		 * on a connection (application hasn't closed yet) but a packet
11754SKacheong.Poon@Sun.COM		 * was already queued on squeue before tcp_clean_death()
11754SKacheong.Poon@Sun.COM		 * was processed. Calling tcp_clean_death() twice on same
11754SKacheong.Poon@Sun.COM		 * connection can result in weird behaviour.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	default:
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Already on the correct queue/perimeter.
11754SKacheong.Poon@Sun.COM	 * If this is a detached connection and not an eager
11754SKacheong.Poon@Sun.COM	 * connection hanging off a listener then new data
11754SKacheong.Poon@Sun.COM	 * (past the FIN) will cause a reset.
11754SKacheong.Poon@Sun.COM	 * We do a special check here where it
11754SKacheong.Poon@Sun.COM	 * is out of the main line, rather than check
11754SKacheong.Poon@Sun.COM	 * if we are detached every time we see new
11754SKacheong.Poon@Sun.COM	 * data down below.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (TCP_IS_DETACHED_NONEAGER(tcp) &&
11754SKacheong.Poon@Sun.COM	    (seg_len > 0 && SEQ_GT(seg_seq + seg_len, tcp->tcp_rnxt))) {
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpInClosed);
11754SKacheong.Poon@Sun.COM		DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		tcp_xmit_ctl("new data when detached", tcp,
11754SKacheong.Poon@Sun.COM		    tcp->tcp_snxt, 0, TH_RST);
11754SKacheong.Poon@Sun.COM		(void) tcp_clean_death(tcp, EPROTO);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	mp->b_rptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
11754SKacheong.Poon@Sun.COM	urp = ntohs(tcpha->tha_urp) - TCP_OLD_URP_INTERPRETATION;
11754SKacheong.Poon@Sun.COM	new_swnd = ntohs(tcpha->tha_win) <<
11754SKacheong.Poon@Sun.COM	    ((tcpha->tha_flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_snd_ts_ok) {
11754SKacheong.Poon@Sun.COM		if (!tcp_paws_check(tcp, tcpha, &tcpopt)) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * This segment is not acceptable.
11754SKacheong.Poon@Sun.COM			 * Drop it and send back an ACK.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM			goto ack_check;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else if (tcp->tcp_snd_sack_ok) {
11754SKacheong.Poon@Sun.COM		tcpopt.tcp = tcp;
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * SACK info in already updated in tcp_parse_options.  Ignore
11754SKacheong.Poon@Sun.COM		 * all other TCP options...
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		(void) tcp_parse_options(tcpha, &tcpopt);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMtry_again:;
11754SKacheong.Poon@Sun.COM	mss = tcp->tcp_mss;
11754SKacheong.Poon@Sun.COM	gap = seg_seq - tcp->tcp_rnxt;
11754SKacheong.Poon@Sun.COM	rgap = tcp->tcp_rwnd - (gap + seg_len);
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * gap is the amount of sequence space between what we expect to see
11754SKacheong.Poon@Sun.COM	 * and what we got for seg_seq.  A positive value for gap means
11754SKacheong.Poon@Sun.COM	 * something got lost.  A negative value means we got some old stuff.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (gap < 0) {
11754SKacheong.Poon@Sun.COM		/* Old stuff present.  Is the SYN in there? */
11754SKacheong.Poon@Sun.COM		if (seg_seq == tcp->tcp_irs && (flags & TH_SYN) &&
11754SKacheong.Poon@Sun.COM		    (seg_len != 0)) {
11754SKacheong.Poon@Sun.COM			flags &= ~TH_SYN;
11754SKacheong.Poon@Sun.COM			seg_seq++;
11754SKacheong.Poon@Sun.COM			urp--;
11754SKacheong.Poon@Sun.COM			/* Recompute the gaps after noting the SYN. */
11754SKacheong.Poon@Sun.COM			goto try_again;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpInDataDupSegs);
11754SKacheong.Poon@Sun.COM		TCPS_UPDATE_MIB(tcps, tcpInDataDupBytes,
11754SKacheong.Poon@Sun.COM		    (seg_len > -gap ? -gap : seg_len));
11754SKacheong.Poon@Sun.COM		/* Remove the old stuff from seg_len. */
11754SKacheong.Poon@Sun.COM		seg_len += gap;
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Anything left?
11754SKacheong.Poon@Sun.COM		 * Make sure to check for unack'd FIN when rest of data
11754SKacheong.Poon@Sun.COM		 * has been previously ack'd.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Resets are only valid if they lie within our offered
11754SKacheong.Poon@Sun.COM			 * window.  If the RST bit is set, we just ignore this
11754SKacheong.Poon@Sun.COM			 * segment.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (flags & TH_RST) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * The arriving of dup data packets indicate that we
11754SKacheong.Poon@Sun.COM			 * may have postponed an ack for too long, or the other
11754SKacheong.Poon@Sun.COM			 * side's RTT estimate is out of shape. Start acking
11754SKacheong.Poon@Sun.COM			 * more often.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (SEQ_GEQ(seg_seq + seg_len - gap, tcp->tcp_rack) &&
11754SKacheong.Poon@Sun.COM			    tcp->tcp_rack_cnt >= 1 &&
11754SKacheong.Poon@Sun.COM			    tcp->tcp_rack_abs_max > 2) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_rack_abs_max--;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			tcp->tcp_rack_cur_max = 1;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * This segment is "unacceptable".  None of its
11754SKacheong.Poon@Sun.COM			 * sequence space lies within our advertized window.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * Adjust seg_len to the original value for tracing.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			seg_len -= gap;
11754SKacheong.Poon@Sun.COM			if (connp->conn_debug) {
11754SKacheong.Poon@Sun.COM				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM				    "tcp_rput: unacceptable, gap %d, rgap %d, "
11754SKacheong.Poon@Sun.COM				    "flags 0x%x, seg_seq %u, seg_ack %u, "
11754SKacheong.Poon@Sun.COM				    "seg_len %d, rnxt %u, snxt %u, %s",
11754SKacheong.Poon@Sun.COM				    gap, rgap, flags, seg_seq, seg_ack,
11754SKacheong.Poon@Sun.COM				    seg_len, tcp->tcp_rnxt, tcp->tcp_snxt,
11754SKacheong.Poon@Sun.COM				    tcp_display(tcp, NULL,
11754SKacheong.Poon@Sun.COM				    DISP_ADDR_AND_PORT));
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Arrange to send an ACK in response to the
11754SKacheong.Poon@Sun.COM			 * unacceptable segment per RFC 793 page 69. There
11754SKacheong.Poon@Sun.COM			 * is only one small difference between ours and the
11754SKacheong.Poon@Sun.COM			 * acceptability test in the RFC - we accept ACK-only
11754SKacheong.Poon@Sun.COM			 * packet with SEG.SEQ = RCV.NXT+RCV.WND and no ACK
11754SKacheong.Poon@Sun.COM			 * will be generated.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * Note that we have to ACK an ACK-only packet at least
11754SKacheong.Poon@Sun.COM			 * for stacks that send 0-length keep-alives with
11754SKacheong.Poon@Sun.COM			 * SEG.SEQ = SND.NXT-1 as recommended by RFC1122,
11754SKacheong.Poon@Sun.COM			 * section 4.2.3.6. As long as we don't ever generate
11754SKacheong.Poon@Sun.COM			 * an unacceptable packet in response to an incoming
11754SKacheong.Poon@Sun.COM			 * packet that is unacceptable, it should not cause
11754SKacheong.Poon@Sun.COM			 * "ACK wars".
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			flags |=  TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Continue processing this segment in order to use the
11754SKacheong.Poon@Sun.COM			 * ACK information it contains, but skip all other
11754SKacheong.Poon@Sun.COM			 * sequence-number processing.	Processing the ACK
11754SKacheong.Poon@Sun.COM			 * information is necessary in order to
11754SKacheong.Poon@Sun.COM			 * re-synchronize connections that may have lost
11754SKacheong.Poon@Sun.COM			 * synchronization.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * We clear seg_len and flag fields related to
11754SKacheong.Poon@Sun.COM			 * sequence number processing as they are not
11754SKacheong.Poon@Sun.COM			 * to be trusted for an unacceptable segment.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			seg_len = 0;
11754SKacheong.Poon@Sun.COM			flags &= ~(TH_SYN | TH_FIN | TH_URG);
11754SKacheong.Poon@Sun.COM			goto process_ack;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Fix seg_seq, and chew the gap off the front. */
11754SKacheong.Poon@Sun.COM		seg_seq = tcp->tcp_rnxt;
11754SKacheong.Poon@Sun.COM		urp += gap;
11754SKacheong.Poon@Sun.COM		do {
11754SKacheong.Poon@Sun.COM			mblk_t	*mp2;
11754SKacheong.Poon@Sun.COM			ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
11754SKacheong.Poon@Sun.COM			    (uintptr_t)UINT_MAX);
11754SKacheong.Poon@Sun.COM			gap += (uint_t)(mp->b_wptr - mp->b_rptr);
11754SKacheong.Poon@Sun.COM			if (gap > 0) {
11754SKacheong.Poon@Sun.COM				mp->b_rptr = mp->b_wptr - gap;
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			mp2 = mp;
11754SKacheong.Poon@Sun.COM			mp = mp->b_cont;
11754SKacheong.Poon@Sun.COM			freeb(mp2);
11754SKacheong.Poon@Sun.COM		} while (gap < 0);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If the urgent data has already been acknowledged, we
11754SKacheong.Poon@Sun.COM		 * should ignore TH_URG below
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (urp < 0)
11754SKacheong.Poon@Sun.COM			flags &= ~TH_URG;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * rgap is the amount of stuff received out of window.  A negative
11754SKacheong.Poon@Sun.COM	 * value is the amount out of window.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (rgap < 0) {
11754SKacheong.Poon@Sun.COM		mblk_t	*mp2;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rwnd == 0) {
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInWinProbe);
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInDataPastWinSegs);
11754SKacheong.Poon@Sun.COM			TCPS_UPDATE_MIB(tcps, tcpInDataPastWinBytes, -rgap);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * seg_len does not include the FIN, so if more than
11754SKacheong.Poon@Sun.COM		 * just the FIN is out of window, we act like we don't
11754SKacheong.Poon@Sun.COM		 * see it.  (If just the FIN is out of window, rgap
11754SKacheong.Poon@Sun.COM		 * will be zero and we will go ahead and acknowledge
11754SKacheong.Poon@Sun.COM		 * the FIN.)
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		flags &= ~TH_FIN;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Fix seg_len and make sure there is something left. */
11754SKacheong.Poon@Sun.COM		seg_len += rgap;
11754SKacheong.Poon@Sun.COM		if (seg_len <= 0) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Resets are only valid if they lie within our offered
11754SKacheong.Poon@Sun.COM			 * window.  If the RST bit is set, we just ignore this
11754SKacheong.Poon@Sun.COM			 * segment.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (flags & TH_RST) {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/* Per RFC 793, we need to send back an ACK. */
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Send SIGURG as soon as possible i.e. even
11754SKacheong.Poon@Sun.COM			 * if the TH_URG was delivered in a window probe
11754SKacheong.Poon@Sun.COM			 * packet (which will be unacceptable).
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * We generate a signal if none has been generated
11754SKacheong.Poon@Sun.COM			 * for this connection or if this is a new urgent
11754SKacheong.Poon@Sun.COM			 * byte. Also send a zero-length "unmarked" message
11754SKacheong.Poon@Sun.COM			 * to inform SIOCATMARK that this is not the mark.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * tcp_urp_last_valid is cleared when the T_exdata_ind
11754SKacheong.Poon@Sun.COM			 * is sent up. This plus the check for old data
11754SKacheong.Poon@Sun.COM			 * (gap >= 0) handles the wraparound of the sequence
11754SKacheong.Poon@Sun.COM			 * number space without having to always track the
11754SKacheong.Poon@Sun.COM			 * correct MAX(tcp_urp_last, tcp_rnxt). (BSD tracks
11754SKacheong.Poon@Sun.COM			 * this max in its rcv_up variable).
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * This prevents duplicate SIGURGS due to a "late"
11754SKacheong.Poon@Sun.COM			 * zero-window probe when the T_EXDATA_IND has already
11754SKacheong.Poon@Sun.COM			 * been sent up.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if ((flags & TH_URG) &&
11754SKacheong.Poon@Sun.COM			    (!tcp->tcp_urp_last_valid || SEQ_GT(urp + seg_seq,
11754SKacheong.Poon@Sun.COM			    tcp->tcp_urp_last))) {
11754SKacheong.Poon@Sun.COM				if (IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM					if (!TCP_IS_DETACHED(tcp)) {
11754SKacheong.Poon@Sun.COM						(*connp->conn_upcalls->
11754SKacheong.Poon@Sun.COM						    su_signal_oob)
11754SKacheong.Poon@Sun.COM						    (connp->conn_upper_handle,
11754SKacheong.Poon@Sun.COM						    urp);
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				} else {
11754SKacheong.Poon@Sun.COM					mp1 = allocb(0, BPRI_MED);
11754SKacheong.Poon@Sun.COM					if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM						freemsg(mp);
11754SKacheong.Poon@Sun.COM						return;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					if (!TCP_IS_DETACHED(tcp) &&
11754SKacheong.Poon@Sun.COM					    !putnextctl1(connp->conn_rq,
11754SKacheong.Poon@Sun.COM					    M_PCSIG, SIGURG)) {
11754SKacheong.Poon@Sun.COM						/* Try again on the rexmit. */
11754SKacheong.Poon@Sun.COM						freemsg(mp1);
11754SKacheong.Poon@Sun.COM						freemsg(mp);
11754SKacheong.Poon@Sun.COM						return;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * If the next byte would be the mark
11754SKacheong.Poon@Sun.COM					 * then mark with MARKNEXT else mark
11754SKacheong.Poon@Sun.COM					 * with NOTMARKNEXT.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					if (gap == 0 && urp == 0)
11754SKacheong.Poon@Sun.COM						mp1->b_flag |= MSGMARKNEXT;
11754SKacheong.Poon@Sun.COM					else
11754SKacheong.Poon@Sun.COM						mp1->b_flag |= MSGNOTMARKNEXT;
11754SKacheong.Poon@Sun.COM					freemsg(tcp->tcp_urp_mark_mp);
11754SKacheong.Poon@Sun.COM					tcp->tcp_urp_mark_mp = mp1;
11754SKacheong.Poon@Sun.COM					flags |= TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				tcp->tcp_urp_last_valid = B_TRUE;
11754SKacheong.Poon@Sun.COM				tcp->tcp_urp_last = urp + seg_seq;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If this is a zero window probe, continue to
11754SKacheong.Poon@Sun.COM			 * process the ACK part.  But we need to set seg_len
11754SKacheong.Poon@Sun.COM			 * to 0 to avoid data processing.  Otherwise just
11754SKacheong.Poon@Sun.COM			 * drop the segment and send back an ACK.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_rwnd == 0 && seg_seq == tcp->tcp_rnxt) {
11754SKacheong.Poon@Sun.COM				flags &= ~(TH_SYN | TH_URG);
11754SKacheong.Poon@Sun.COM				seg_len = 0;
11754SKacheong.Poon@Sun.COM				goto process_ack;
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				goto ack_check;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/* Pitch out of window stuff off the end. */
11754SKacheong.Poon@Sun.COM		rgap = seg_len;
11754SKacheong.Poon@Sun.COM		mp2 = mp;
11754SKacheong.Poon@Sun.COM		do {
11754SKacheong.Poon@Sun.COM			ASSERT((uintptr_t)(mp2->b_wptr - mp2->b_rptr) <=
11754SKacheong.Poon@Sun.COM			    (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM			rgap -= (int)(mp2->b_wptr - mp2->b_rptr);
11754SKacheong.Poon@Sun.COM			if (rgap < 0) {
11754SKacheong.Poon@Sun.COM				mp2->b_wptr += rgap;
11754SKacheong.Poon@Sun.COM				if ((mp1 = mp2->b_cont) != NULL) {
11754SKacheong.Poon@Sun.COM					mp2->b_cont = NULL;
11754SKacheong.Poon@Sun.COM					freemsg(mp1);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		} while ((mp2 = mp2->b_cont) != NULL);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMok:;
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * TCP should check ECN info for segments inside the window only.
11754SKacheong.Poon@Sun.COM	 * Therefore the check should be done here.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_ecn_ok) {
11754SKacheong.Poon@Sun.COM		if (flags & TH_CWR) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_ecn_echo_on = B_FALSE;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Note that both ECN_CE and CWR can be set in the
11754SKacheong.Poon@Sun.COM		 * same segment.  In this case, we once again turn
11754SKacheong.Poon@Sun.COM		 * on ECN_ECHO.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (connp->conn_ipversion == IPV4_VERSION) {
11754SKacheong.Poon@Sun.COM			uchar_t tos = ((ipha_t *)rptr)->ipha_type_of_service;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			if ((tos & IPH_ECN_CE) == IPH_ECN_CE) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_ecn_echo_on = B_TRUE;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			uint32_t vcf = ((ip6_t *)rptr)->ip6_vcf;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			if ((vcf & htonl(IPH_ECN_CE << 20)) ==
11754SKacheong.Poon@Sun.COM			    htonl(IPH_ECN_CE << 20)) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_ecn_echo_on = B_TRUE;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Check whether we can update tcp_ts_recent.  This test is
11754SKacheong.Poon@Sun.COM	 * NOT the one in RFC 1323 3.4.  It is from Braden, 1993, "TCP
11754SKacheong.Poon@Sun.COM	 * Extensions for High Performance: An Update", Internet Draft.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_snd_ts_ok &&
11754SKacheong.Poon@Sun.COM	    TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
11754SKacheong.Poon@Sun.COM	    SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
11754SKacheong.Poon@Sun.COM		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
11754SKacheong.Poon@Sun.COM		tcp->tcp_last_rcv_lbolt = LBOLT_FASTPATH64;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (seg_seq != tcp->tcp_rnxt || tcp->tcp_reass_head) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * FIN in an out of order segment.  We record this in
11754SKacheong.Poon@Sun.COM		 * tcp_valid_bits and the seq num of FIN in tcp_ofo_fin_seq.
11754SKacheong.Poon@Sun.COM		 * Clear the FIN so that any check on FIN flag will fail.
11754SKacheong.Poon@Sun.COM		 * Remember that FIN also counts in the sequence number
11754SKacheong.Poon@Sun.COM		 * space.  So we need to ack out of order FIN only segments.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (flags & TH_FIN) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_valid_bits |= TCP_OFO_FIN_VALID;
11754SKacheong.Poon@Sun.COM			tcp->tcp_ofo_fin_seq = seg_seq + seg_len;
11754SKacheong.Poon@Sun.COM			flags &= ~TH_FIN;
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (seg_len > 0) {
11754SKacheong.Poon@Sun.COM			/* Fill in the SACK blk list. */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_snd_sack_ok) {
11754SKacheong.Poon@Sun.COM				tcp_sack_insert(tcp->tcp_sack_list,
11754SKacheong.Poon@Sun.COM				    seg_seq, seg_seq + seg_len,
11754SKacheong.Poon@Sun.COM				    &(tcp->tcp_num_sack_blk));
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Attempt reassembly and see if we have something
11754SKacheong.Poon@Sun.COM			 * ready to go.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			mp = tcp_reass(tcp, mp, seg_seq);
11754SKacheong.Poon@Sun.COM			/* Always ack out of order packets */
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED | TH_PUSH;
11754SKacheong.Poon@Sun.COM			if (mp) {
11754SKacheong.Poon@Sun.COM				ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
11754SKacheong.Poon@Sun.COM				    (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM				seg_len = mp->b_cont ? msgdsize(mp) :
11754SKacheong.Poon@Sun.COM				    (int)(mp->b_wptr - mp->b_rptr);
11754SKacheong.Poon@Sun.COM				seg_seq = tcp->tcp_rnxt;
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * A gap is filled and the seq num and len
11754SKacheong.Poon@Sun.COM				 * of the gap match that of a previously
11754SKacheong.Poon@Sun.COM				 * received FIN, put the FIN flag back in.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
11754SKacheong.Poon@Sun.COM				    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
11754SKacheong.Poon@Sun.COM					flags |= TH_FIN;
11754SKacheong.Poon@Sun.COM					tcp->tcp_valid_bits &=
11754SKacheong.Poon@Sun.COM					    ~TCP_OFO_FIN_VALID;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_reass_tid != 0) {
11754SKacheong.Poon@Sun.COM					(void) TCP_TIMER_CANCEL(tcp,
11754SKacheong.Poon@Sun.COM					    tcp->tcp_reass_tid);
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * Restart the timer if there is still
11754SKacheong.Poon@Sun.COM					 * data in the reassembly queue.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					if (tcp->tcp_reass_head != NULL) {
11754SKacheong.Poon@Sun.COM						tcp->tcp_reass_tid = TCP_TIMER(
11754SKacheong.Poon@Sun.COM						    tcp, tcp_reass_timer,
12056SKacheong.Poon@Sun.COM						    tcps->tcps_reass_timeout);
11754SKacheong.Poon@Sun.COM					} else {
11754SKacheong.Poon@Sun.COM						tcp->tcp_reass_tid = 0;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Keep going even with NULL mp.
11754SKacheong.Poon@Sun.COM				 * There may be a useful ACK or something else
11754SKacheong.Poon@Sun.COM				 * we don't want to miss.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * But TCP should not perform fast retransmit
11754SKacheong.Poon@Sun.COM				 * because of the ack number.  TCP uses
11754SKacheong.Poon@Sun.COM				 * seg_len == 0 to determine if it is a pure
11754SKacheong.Poon@Sun.COM				 * ACK.  And this is not a pure ACK.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				seg_len = 0;
11754SKacheong.Poon@Sun.COM				ofo_seg = B_TRUE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				if (tcps->tcps_reass_timeout != 0 &&
11754SKacheong.Poon@Sun.COM				    tcp->tcp_reass_tid == 0) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_reass_tid = TCP_TIMER(tcp,
12056SKacheong.Poon@Sun.COM					    tcp_reass_timer,
12056SKacheong.Poon@Sun.COM					    tcps->tcps_reass_timeout);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else if (seg_len > 0) {
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpInDataInorderSegs);
11754SKacheong.Poon@Sun.COM		TCPS_UPDATE_MIB(tcps, tcpInDataInorderBytes, seg_len);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If an out of order FIN was received before, and the seq
11754SKacheong.Poon@Sun.COM		 * num and len of the new segment match that of the FIN,
11754SKacheong.Poon@Sun.COM		 * put the FIN flag back in.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
11754SKacheong.Poon@Sun.COM		    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
11754SKacheong.Poon@Sun.COM			flags |= TH_FIN;
11754SKacheong.Poon@Sun.COM			tcp->tcp_valid_bits &= ~TCP_OFO_FIN_VALID;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if ((flags & (TH_RST | TH_SYN | TH_URG | TH_ACK)) != TH_ACK) {
11754SKacheong.Poon@Sun.COM	if (flags & TH_RST) {
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		switch (tcp->tcp_state) {
11754SKacheong.Poon@Sun.COM		case TCPS_SYN_RCVD:
11754SKacheong.Poon@Sun.COM			(void) tcp_clean_death(tcp, ECONNREFUSED);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		case TCPS_ESTABLISHED:
11754SKacheong.Poon@Sun.COM		case TCPS_FIN_WAIT_1:
11754SKacheong.Poon@Sun.COM		case TCPS_FIN_WAIT_2:
11754SKacheong.Poon@Sun.COM		case TCPS_CLOSE_WAIT:
11754SKacheong.Poon@Sun.COM			(void) tcp_clean_death(tcp, ECONNRESET);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		case TCPS_CLOSING:
11754SKacheong.Poon@Sun.COM		case TCPS_LAST_ACK:
11754SKacheong.Poon@Sun.COM			(void) tcp_clean_death(tcp, 0);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		default:
11754SKacheong.Poon@Sun.COM			ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
11754SKacheong.Poon@Sun.COM			(void) tcp_clean_death(tcp, ENXIO);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (flags & TH_SYN) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * See RFC 793, Page 71
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 * The seq number must be in the window as it should
11754SKacheong.Poon@Sun.COM		 * be "fixed" above.  If it is outside window, it should
11754SKacheong.Poon@Sun.COM		 * be already rejected.  Note that we allow seg_seq to be
11754SKacheong.Poon@Sun.COM		 * rnxt + rwnd because we want to accept 0 window probe.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		ASSERT(SEQ_GEQ(seg_seq, tcp->tcp_rnxt) &&
11754SKacheong.Poon@Sun.COM		    SEQ_LEQ(seg_seq, tcp->tcp_rnxt + tcp->tcp_rwnd));
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If the ACK flag is not set, just use our snxt as the
11754SKacheong.Poon@Sun.COM		 * seq number of the RST segment.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (!(flags & TH_ACK)) {
11754SKacheong.Poon@Sun.COM			seg_ack = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		tcp_xmit_ctl("TH_SYN", tcp, seg_ack, seg_seq + 1,
11754SKacheong.Poon@Sun.COM		    TH_RST|TH_ACK);
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
11754SKacheong.Poon@Sun.COM		(void) tcp_clean_death(tcp, ECONNRESET);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * urp could be -1 when the urp field in the packet is 0
11754SKacheong.Poon@Sun.COM	 * and TCP_OLD_URP_INTERPRETATION is set. This implies that the urgent
11754SKacheong.Poon@Sun.COM	 * byte was at seg_seq - 1, in which case we ignore the urgent flag.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (flags & TH_URG && urp >= 0) {
11754SKacheong.Poon@Sun.COM		if (!tcp->tcp_urp_last_valid ||
11754SKacheong.Poon@Sun.COM		    SEQ_GT(urp + seg_seq, tcp->tcp_urp_last)) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Non-STREAMS sockets handle the urgent data a litte
11754SKacheong.Poon@Sun.COM			 * differently from STREAMS based sockets. There is no
11754SKacheong.Poon@Sun.COM			 * need to mark any mblks with the MSG{NOT,}MARKNEXT
11754SKacheong.Poon@Sun.COM			 * flags to keep SIOCATMARK happy. Instead a
11754SKacheong.Poon@Sun.COM			 * su_signal_oob upcall is made to update the mark.
11754SKacheong.Poon@Sun.COM			 * Neither is a T_EXDATA_IND mblk needed to be
11754SKacheong.Poon@Sun.COM			 * prepended to the urgent data. The urgent data is
11754SKacheong.Poon@Sun.COM			 * delivered using the su_recv upcall, where we set
11754SKacheong.Poon@Sun.COM			 * the MSG_OOB flag to indicate that it is urg data.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * Neither TH_SEND_URP_MARK nor TH_MARKNEXT_NEEDED
11754SKacheong.Poon@Sun.COM			 * are used by non-STREAMS sockets.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM				if (!TCP_IS_DETACHED(tcp)) {
11754SKacheong.Poon@Sun.COM					(*connp->conn_upcalls->su_signal_oob)
11754SKacheong.Poon@Sun.COM					    (connp->conn_upper_handle, urp);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * If we haven't generated the signal yet for
11754SKacheong.Poon@Sun.COM				 * this urgent pointer value, do it now.  Also,
11754SKacheong.Poon@Sun.COM				 * send up a zero-length M_DATA indicating
11754SKacheong.Poon@Sun.COM				 * whether or not this is the mark. The latter
11754SKacheong.Poon@Sun.COM				 * is not needed when a T_EXDATA_IND is sent up.
11754SKacheong.Poon@Sun.COM				 * However, if there are allocation failures
11754SKacheong.Poon@Sun.COM				 * this code relies on the sender retransmitting
11754SKacheong.Poon@Sun.COM				 * and the socket code for determining the mark
11754SKacheong.Poon@Sun.COM				 * should not block waiting for the peer to
11754SKacheong.Poon@Sun.COM				 * transmit. Thus, for simplicity we always
11754SKacheong.Poon@Sun.COM				 * send up the mark indication.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				mp1 = allocb(0, BPRI_MED);
11754SKacheong.Poon@Sun.COM				if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM					freemsg(mp);
11754SKacheong.Poon@Sun.COM					return;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				if (!TCP_IS_DETACHED(tcp) &&
11754SKacheong.Poon@Sun.COM				    !putnextctl1(connp->conn_rq, M_PCSIG,
11754SKacheong.Poon@Sun.COM				    SIGURG)) {
11754SKacheong.Poon@Sun.COM					/* Try again on the rexmit. */
11754SKacheong.Poon@Sun.COM					freemsg(mp1);
11754SKacheong.Poon@Sun.COM					freemsg(mp);
11754SKacheong.Poon@Sun.COM					return;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Mark with NOTMARKNEXT for now.
11754SKacheong.Poon@Sun.COM				 * The code below will change this to MARKNEXT
11754SKacheong.Poon@Sun.COM				 * if we are at the mark.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * If there are allocation failures (e.g. in
11754SKacheong.Poon@Sun.COM				 * dupmsg below) the next time tcp_input_data
11754SKacheong.Poon@Sun.COM				 * sees the urgent segment it will send up the
11754SKacheong.Poon@Sun.COM				 * MSGMARKNEXT message.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				mp1->b_flag |= MSGNOTMARKNEXT;
11754SKacheong.Poon@Sun.COM				freemsg(tcp->tcp_urp_mark_mp);
11754SKacheong.Poon@Sun.COM				tcp->tcp_urp_mark_mp = mp1;
11754SKacheong.Poon@Sun.COM				flags |= TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM				    "tcp_rput: sent M_PCSIG 2 seq %x urp %x "
11754SKacheong.Poon@Sun.COM				    "last %x, %s",
11754SKacheong.Poon@Sun.COM				    seg_seq, urp, tcp->tcp_urp_last,
11754SKacheong.Poon@Sun.COM				    tcp_display(tcp, NULL, DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			tcp->tcp_urp_last_valid = B_TRUE;
11754SKacheong.Poon@Sun.COM			tcp->tcp_urp_last = urp + seg_seq;
11754SKacheong.Poon@Sun.COM		} else if (tcp->tcp_urp_mark_mp != NULL) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * An allocation failure prevented the previous
11754SKacheong.Poon@Sun.COM			 * tcp_input_data from sending up the allocated
11754SKacheong.Poon@Sun.COM			 * MSG*MARKNEXT message - send it up this time
11754SKacheong.Poon@Sun.COM			 * around.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			flags |= TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If the urgent byte is in this segment, make sure that it is
11754SKacheong.Poon@Sun.COM		 * all by itself.  This makes it much easier to deal with the
11754SKacheong.Poon@Sun.COM		 * possibility of an allocation failure on the T_exdata_ind.
11754SKacheong.Poon@Sun.COM		 * Note that seg_len is the number of bytes in the segment, and
11754SKacheong.Poon@Sun.COM		 * urp is the offset into the segment of the urgent byte.
11754SKacheong.Poon@Sun.COM		 * urp < seg_len means that the urgent byte is in this segment.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (urp < seg_len) {
11754SKacheong.Poon@Sun.COM			if (seg_len != 1) {
11754SKacheong.Poon@Sun.COM				uint32_t  tmp_rnxt;
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Break it up and feed it back in.
11754SKacheong.Poon@Sun.COM				 * Re-attach the IP header.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				mp->b_rptr = iphdr;
11754SKacheong.Poon@Sun.COM				if (urp > 0) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * There is stuff before the urgent
11754SKacheong.Poon@Sun.COM					 * byte.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					mp1 = dupmsg(mp);
11754SKacheong.Poon@Sun.COM					if (!mp1) {
11754SKacheong.Poon@Sun.COM						/*
11754SKacheong.Poon@Sun.COM						 * Trim from urgent byte on.
11754SKacheong.Poon@Sun.COM						 * The rest will come back.
11754SKacheong.Poon@Sun.COM						 */
11754SKacheong.Poon@Sun.COM						(void) adjmsg(mp,
11754SKacheong.Poon@Sun.COM						    urp - seg_len);
11754SKacheong.Poon@Sun.COM						tcp_input_data(connp,
11754SKacheong.Poon@Sun.COM						    mp, NULL, ira);
11754SKacheong.Poon@Sun.COM						return;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					(void) adjmsg(mp1, urp - seg_len);
11754SKacheong.Poon@Sun.COM					/* Feed this piece back in. */
11754SKacheong.Poon@Sun.COM					tmp_rnxt = tcp->tcp_rnxt;
11754SKacheong.Poon@Sun.COM					tcp_input_data(connp, mp1, NULL, ira);
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * If the data passed back in was not
11754SKacheong.Poon@Sun.COM					 * processed (ie: bad ACK) sending
11754SKacheong.Poon@Sun.COM					 * the remainder back in will cause a
11754SKacheong.Poon@Sun.COM					 * loop. In this case, drop the
11754SKacheong.Poon@Sun.COM					 * packet and let the sender try
11754SKacheong.Poon@Sun.COM					 * sending a good packet.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					if (tmp_rnxt == tcp->tcp_rnxt) {
11754SKacheong.Poon@Sun.COM						freemsg(mp);
11754SKacheong.Poon@Sun.COM						return;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				if (urp != seg_len - 1) {
11754SKacheong.Poon@Sun.COM					uint32_t  tmp_rnxt;
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * There is stuff after the urgent
11754SKacheong.Poon@Sun.COM					 * byte.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					mp1 = dupmsg(mp);
11754SKacheong.Poon@Sun.COM					if (!mp1) {
11754SKacheong.Poon@Sun.COM						/*
11754SKacheong.Poon@Sun.COM						 * Trim everything beyond the
11754SKacheong.Poon@Sun.COM						 * urgent byte.  The rest will
11754SKacheong.Poon@Sun.COM						 * come back.
11754SKacheong.Poon@Sun.COM						 */
11754SKacheong.Poon@Sun.COM						(void) adjmsg(mp,
11754SKacheong.Poon@Sun.COM						    urp + 1 - seg_len);
11754SKacheong.Poon@Sun.COM						tcp_input_data(connp,
11754SKacheong.Poon@Sun.COM						    mp, NULL, ira);
11754SKacheong.Poon@Sun.COM						return;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					(void) adjmsg(mp1, urp + 1 - seg_len);
11754SKacheong.Poon@Sun.COM					tmp_rnxt = tcp->tcp_rnxt;
11754SKacheong.Poon@Sun.COM					tcp_input_data(connp, mp1, NULL, ira);
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * If the data passed back in was not
11754SKacheong.Poon@Sun.COM					 * processed (ie: bad ACK) sending
11754SKacheong.Poon@Sun.COM					 * the remainder back in will cause a
11754SKacheong.Poon@Sun.COM					 * loop. In this case, drop the
11754SKacheong.Poon@Sun.COM					 * packet and let the sender try
11754SKacheong.Poon@Sun.COM					 * sending a good packet.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					if (tmp_rnxt == tcp->tcp_rnxt) {
11754SKacheong.Poon@Sun.COM						freemsg(mp);
11754SKacheong.Poon@Sun.COM						return;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				tcp_input_data(connp, mp, NULL, ira);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * This segment contains only the urgent byte.  We
11754SKacheong.Poon@Sun.COM			 * have to allocate the T_exdata_ind, if we can.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM				int error;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				(*connp->conn_upcalls->su_recv)
11754SKacheong.Poon@Sun.COM				    (connp->conn_upper_handle, mp, seg_len,
11754SKacheong.Poon@Sun.COM				    MSG_OOB, &error, NULL);
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * We should never be in middle of a
11754SKacheong.Poon@Sun.COM				 * fallback, the squeue guarantees that.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				ASSERT(error != EOPNOTSUPP);
11754SKacheong.Poon@Sun.COM				mp = NULL;
11754SKacheong.Poon@Sun.COM				goto update_ack;
11754SKacheong.Poon@Sun.COM			} else if (!tcp->tcp_urp_mp) {
11754SKacheong.Poon@Sun.COM				struct T_exdata_ind *tei;
11754SKacheong.Poon@Sun.COM				mp1 = allocb(sizeof (struct T_exdata_ind),
11754SKacheong.Poon@Sun.COM				    BPRI_MED);
11754SKacheong.Poon@Sun.COM				if (!mp1) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * Sigh... It'll be back.
11754SKacheong.Poon@Sun.COM					 * Generate any MSG*MARK message now.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					freemsg(mp);
11754SKacheong.Poon@Sun.COM					seg_len = 0;
11754SKacheong.Poon@Sun.COM					if (flags & TH_SEND_URP_MARK) {
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM						ASSERT(tcp->tcp_urp_mark_mp);
11754SKacheong.Poon@Sun.COM						tcp->tcp_urp_mark_mp->b_flag &=
11754SKacheong.Poon@Sun.COM						    ~MSGNOTMARKNEXT;
11754SKacheong.Poon@Sun.COM						tcp->tcp_urp_mark_mp->b_flag |=
11754SKacheong.Poon@Sun.COM						    MSGMARKNEXT;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM					goto ack_check;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				mp1->b_datap->db_type = M_PROTO;
11754SKacheong.Poon@Sun.COM				tei = (struct T_exdata_ind *)mp1->b_rptr;
11754SKacheong.Poon@Sun.COM				tei->PRIM_type = T_EXDATA_IND;
11754SKacheong.Poon@Sun.COM				tei->MORE_flag = 0;
11754SKacheong.Poon@Sun.COM				mp1->b_wptr = (uchar_t *)&tei[1];
11754SKacheong.Poon@Sun.COM				tcp->tcp_urp_mp = mp1;
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM				    "tcp_rput: allocated exdata_ind %s",
11754SKacheong.Poon@Sun.COM				    tcp_display(tcp, NULL,
11754SKacheong.Poon@Sun.COM				    DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * There is no need to send a separate MSG*MARK
11754SKacheong.Poon@Sun.COM				 * message since the T_EXDATA_IND will be sent
11754SKacheong.Poon@Sun.COM				 * now.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				flags &= ~TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM				freemsg(tcp->tcp_urp_mark_mp);
11754SKacheong.Poon@Sun.COM				tcp->tcp_urp_mark_mp = NULL;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Now we are all set.  On the next putnext upstream,
11754SKacheong.Poon@Sun.COM			 * tcp_urp_mp will be non-NULL and will get prepended
11754SKacheong.Poon@Sun.COM			 * to what has to be this piece containing the urgent
11754SKacheong.Poon@Sun.COM			 * byte.  If for any reason we abort this segment below,
11754SKacheong.Poon@Sun.COM			 * if it comes back, we will have this ready, or it
11754SKacheong.Poon@Sun.COM			 * will get blown off in close.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM		} else if (urp == seg_len) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * The urgent byte is the next byte after this sequence
11754SKacheong.Poon@Sun.COM			 * number. If this endpoint is non-STREAMS, then there
11754SKacheong.Poon@Sun.COM			 * is nothing to do here since the socket has already
11754SKacheong.Poon@Sun.COM			 * been notified about the urg pointer by the
11754SKacheong.Poon@Sun.COM			 * su_signal_oob call above.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * In case of STREAMS, some more work might be needed.
11754SKacheong.Poon@Sun.COM			 * If there is data it is marked with MSGMARKNEXT and
11754SKacheong.Poon@Sun.COM			 * and any tcp_urp_mark_mp is discarded since it is not
11754SKacheong.Poon@Sun.COM			 * needed. Otherwise, if the code above just allocated
11754SKacheong.Poon@Sun.COM			 * a zero-length tcp_urp_mark_mp message, that message
11754SKacheong.Poon@Sun.COM			 * is tagged with MSGMARKNEXT. Sending up these
11754SKacheong.Poon@Sun.COM			 * MSGMARKNEXT messages makes SIOCATMARK work correctly
11754SKacheong.Poon@Sun.COM			 * even though the T_EXDATA_IND will not be sent up
11754SKacheong.Poon@Sun.COM			 * until the urgent byte arrives.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (!IPCL_IS_NONSTR(tcp->tcp_connp)) {
11754SKacheong.Poon@Sun.COM				if (seg_len != 0) {
11754SKacheong.Poon@Sun.COM					flags |= TH_MARKNEXT_NEEDED;
11754SKacheong.Poon@Sun.COM					freemsg(tcp->tcp_urp_mark_mp);
11754SKacheong.Poon@Sun.COM					tcp->tcp_urp_mark_mp = NULL;
11754SKacheong.Poon@Sun.COM					flags &= ~TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM				} else if (tcp->tcp_urp_mark_mp != NULL) {
11754SKacheong.Poon@Sun.COM					flags |= TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM					tcp->tcp_urp_mark_mp->b_flag &=
11754SKacheong.Poon@Sun.COM					    ~MSGNOTMARKNEXT;
11754SKacheong.Poon@Sun.COM					tcp->tcp_urp_mark_mp->b_flag |=
11754SKacheong.Poon@Sun.COM					    MSGMARKNEXT;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM			(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM			    "tcp_rput: AT MARK, len %d, flags 0x%x, %s",
11754SKacheong.Poon@Sun.COM			    seg_len, flags,
11754SKacheong.Poon@Sun.COM			    tcp_display(tcp, NULL, DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM		else {
11754SKacheong.Poon@Sun.COM			/* Data left until we hit mark */
11754SKacheong.Poon@Sun.COM			(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM			    "tcp_rput: URP %d bytes left, %s",
11754SKacheong.Poon@Sun.COM			    urp - seg_len, tcp_display(tcp, NULL,
11754SKacheong.Poon@Sun.COM			    DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COMprocess_ack:
11754SKacheong.Poon@Sun.COM	if (!(flags & TH_ACK)) {
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		goto xmit_check;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	bytes_acked = (int)(seg_ack - tcp->tcp_suna);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (bytes_acked > 0)
11754SKacheong.Poon@Sun.COM		tcp->tcp_ip_forward_progress = B_TRUE;
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_state == TCPS_SYN_RCVD) {
12643SAnders.Persson@Sun.COM		/*
12643SAnders.Persson@Sun.COM		 * tcp_sendmsg() checks tcp_state without entering
12643SAnders.Persson@Sun.COM		 * the squeue so tcp_state should be updated before
12643SAnders.Persson@Sun.COM		 * sending up a connection confirmation or a new
12643SAnders.Persson@Sun.COM		 * connection indication.
12643SAnders.Persson@Sun.COM		 */
12643SAnders.Persson@Sun.COM		tcp->tcp_state = TCPS_ESTABLISHED;
12643SAnders.Persson@Sun.COM
12643SAnders.Persson@Sun.COM		/*
12643SAnders.Persson@Sun.COM		 * We are seeing the final ack in the three way
12643SAnders.Persson@Sun.COM		 * hand shake of a active open'ed connection
12643SAnders.Persson@Sun.COM		 * so we must send up a T_CONN_CON
12643SAnders.Persson@Sun.COM		 */
12643SAnders.Persson@Sun.COM		if (tcp->tcp_active_open) {
12643SAnders.Persson@Sun.COM			if (!tcp_conn_con(tcp, iphdr, mp, NULL, ira)) {
12643SAnders.Persson@Sun.COM				freemsg(mp);
12643SAnders.Persson@Sun.COM				tcp->tcp_state = TCPS_SYN_RCVD;
12643SAnders.Persson@Sun.COM				return;
12643SAnders.Persson@Sun.COM			}
12643SAnders.Persson@Sun.COM			/*
12643SAnders.Persson@Sun.COM			 * Don't fuse the loopback endpoints for
12643SAnders.Persson@Sun.COM			 * simultaneous active opens.
12643SAnders.Persson@Sun.COM			 */
12643SAnders.Persson@Sun.COM			if (tcp->tcp_loopback) {
12643SAnders.Persson@Sun.COM				TCP_STAT(tcps, tcp_fusion_unfusable);
12643SAnders.Persson@Sun.COM				tcp->tcp_unfusable = B_TRUE;
12643SAnders.Persson@Sun.COM			}
12643SAnders.Persson@Sun.COM			/*
12643SAnders.Persson@Sun.COM			 * For simultaneous active open, trace receipt of final
12643SAnders.Persson@Sun.COM			 * ACK as tcp:::connect-established.
12643SAnders.Persson@Sun.COM			 */
12643SAnders.Persson@Sun.COM			DTRACE_TCP5(connect__established, mblk_t *, NULL,
12643SAnders.Persson@Sun.COM			    ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
12643SAnders.Persson@Sun.COM			    iphdr, tcp_t *, tcp, tcph_t *, tcpha);
12643SAnders.Persson@Sun.COM		} else if (IPCL_IS_NONSTR(connp)) {
12643SAnders.Persson@Sun.COM			/*
12643SAnders.Persson@Sun.COM			 * 3-way handshake has completed, so notify socket
12643SAnders.Persson@Sun.COM			 * of the new connection.
12643SAnders.Persson@Sun.COM			 *
12643SAnders.Persson@Sun.COM			 * We are here means eager is fine but it can
12643SAnders.Persson@Sun.COM			 * get a TH_RST at any point between now and till
12643SAnders.Persson@Sun.COM			 * accept completes and disappear. We need to
12643SAnders.Persson@Sun.COM			 * ensure that reference to eager is valid after
12643SAnders.Persson@Sun.COM			 * we get out of eager's perimeter. So we do
12643SAnders.Persson@Sun.COM			 * an extra refhold.
12643SAnders.Persson@Sun.COM			 */
12643SAnders.Persson@Sun.COM			CONN_INC_REF(connp);
12643SAnders.Persson@Sun.COM
12643SAnders.Persson@Sun.COM			if (!tcp_newconn_notify(tcp, ira)) {
*13062SAnders.Persson@Sun.COM				/*
*13062SAnders.Persson@Sun.COM				 * The state-change probe for SYN_RCVD ->
*13062SAnders.Persson@Sun.COM				 * ESTABLISHED has not fired yet. We reset
*13062SAnders.Persson@Sun.COM				 * the state to SYN_RCVD so that future
*13062SAnders.Persson@Sun.COM				 * state-change probes report correct state
*13062SAnders.Persson@Sun.COM				 * transistions.
*13062SAnders.Persson@Sun.COM				 */
*13062SAnders.Persson@Sun.COM				tcp->tcp_state = TCPS_SYN_RCVD;
12643SAnders.Persson@Sun.COM				freemsg(mp);
12643SAnders.Persson@Sun.COM				/* notification did not go up, so drop ref */
12643SAnders.Persson@Sun.COM				CONN_DEC_REF(connp);
*13062SAnders.Persson@Sun.COM				/* ... and close the eager */
*13062SAnders.Persson@Sun.COM				ASSERT(TCP_IS_DETACHED(tcp));
*13062SAnders.Persson@Sun.COM				(void) tcp_close_detached(tcp);
12643SAnders.Persson@Sun.COM				return;
12643SAnders.Persson@Sun.COM			}
12643SAnders.Persson@Sun.COM			/*
12643SAnders.Persson@Sun.COM			 * For passive open, trace receipt of final ACK as
12643SAnders.Persson@Sun.COM			 * tcp:::accept-established.
12643SAnders.Persson@Sun.COM			 */
12643SAnders.Persson@Sun.COM			DTRACE_TCP5(accept__established, mlbk_t *, NULL,
12643SAnders.Persson@Sun.COM			    ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
12643SAnders.Persson@Sun.COM			    iphdr, tcp_t *, tcp, tcph_t *, tcpha);
12644SAnders.Persson@Sun.COM		} else {
12643SAnders.Persson@Sun.COM			/*
12643SAnders.Persson@Sun.COM			 * 3-way handshake complete - this is a STREAMS based
12643SAnders.Persson@Sun.COM			 * socket, so pass up the T_CONN_IND.
12643SAnders.Persson@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			tcp_t	*listener = tcp->tcp_listener;
11754SKacheong.Poon@Sun.COM			mblk_t	*mp = tcp->tcp_conn.tcp_eager_conn_ind;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			tcp->tcp_tconnind_started = B_TRUE;
11754SKacheong.Poon@Sun.COM			tcp->tcp_conn.tcp_eager_conn_ind = NULL;
12643SAnders.Persson@Sun.COM			ASSERT(mp != NULL);
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * We are here means eager is fine but it can
11754SKacheong.Poon@Sun.COM			 * get a TH_RST at any point between now and till
11754SKacheong.Poon@Sun.COM			 * accept completes and disappear. We need to
11754SKacheong.Poon@Sun.COM			 * ensure that reference to eager is valid after
11754SKacheong.Poon@Sun.COM			 * we get out of eager's perimeter. So we do
11754SKacheong.Poon@Sun.COM			 * an extra refhold.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			CONN_INC_REF(connp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * The listener also exists because of the refhold
11754SKacheong.Poon@Sun.COM			 * done in tcp_input_listener. Its possible that it
11754SKacheong.Poon@Sun.COM			 * might have closed. We will check that once we
11754SKacheong.Poon@Sun.COM			 * get inside listeners context.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			CONN_INC_REF(listener->tcp_connp);
11754SKacheong.Poon@Sun.COM			if (listener->tcp_connp->conn_sqp ==
11754SKacheong.Poon@Sun.COM			    connp->conn_sqp) {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * We optimize by not calling an SQUEUE_ENTER
11754SKacheong.Poon@Sun.COM				 * on the listener since we know that the
11754SKacheong.Poon@Sun.COM				 * listener and eager squeues are the same.
11754SKacheong.Poon@Sun.COM				 * We are able to make this check safely only
11754SKacheong.Poon@Sun.COM				 * because neither the eager nor the listener
11754SKacheong.Poon@Sun.COM				 * can change its squeue. Only an active connect
11754SKacheong.Poon@Sun.COM				 * can change its squeue
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp_send_conn_ind(listener->tcp_connp, mp,
11754SKacheong.Poon@Sun.COM				    listener->tcp_connp->conn_sqp);
11754SKacheong.Poon@Sun.COM				CONN_DEC_REF(listener->tcp_connp);
11754SKacheong.Poon@Sun.COM			} else if (!tcp->tcp_loopback) {
11754SKacheong.Poon@Sun.COM				SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
11754SKacheong.Poon@Sun.COM				    mp, tcp_send_conn_ind,
11754SKacheong.Poon@Sun.COM				    listener->tcp_connp, NULL, SQ_FILL,
11754SKacheong.Poon@Sun.COM				    SQTAG_TCP_CONN_IND);
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
11754SKacheong.Poon@Sun.COM				    mp, tcp_send_conn_ind,
12438SGeorge.Shepherd@Sun.COM				    listener->tcp_connp, NULL, SQ_NODRAIN,
11754SKacheong.Poon@Sun.COM				    SQTAG_TCP_CONN_IND);
11754SKacheong.Poon@Sun.COM			}
12507SAlan.Maguire@Sun.COM			/*
12507SAlan.Maguire@Sun.COM			 * For passive open, trace receipt of final ACK as
12507SAlan.Maguire@Sun.COM			 * tcp:::accept-established.
12507SAlan.Maguire@Sun.COM			 */
12507SAlan.Maguire@Sun.COM			DTRACE_TCP5(accept__established, mlbk_t *, NULL,
12507SAlan.Maguire@Sun.COM			    ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
12507SAlan.Maguire@Sun.COM			    iphdr, tcp_t *, tcp, tcph_t *, tcpha);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		TCPS_CONN_INC(tcps);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		tcp->tcp_suna = tcp->tcp_iss + 1;	/* One for the SYN */
11754SKacheong.Poon@Sun.COM		bytes_acked--;
11754SKacheong.Poon@Sun.COM		/* SYN was acked - making progress */
11754SKacheong.Poon@Sun.COM		tcp->tcp_ip_forward_progress = B_TRUE;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If SYN was retransmitted, need to reset all
11754SKacheong.Poon@Sun.COM		 * retransmission info as this segment will be
11754SKacheong.Poon@Sun.COM		 * treated as a dup ACK.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rexmit) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_rexmit = B_FALSE;
11754SKacheong.Poon@Sun.COM			tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM			tcp->tcp_rexmit_max = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM			tcp->tcp_snd_burst = tcp->tcp_localnet ?
11754SKacheong.Poon@Sun.COM			    TCP_CWND_INFINITE : TCP_CWND_NORMAL;
11754SKacheong.Poon@Sun.COM			tcp->tcp_ms_we_have_waited = 0;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd = mss;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * We set the send window to zero here.
11754SKacheong.Poon@Sun.COM		 * This is needed if there is data to be
11754SKacheong.Poon@Sun.COM		 * processed already on the queue.
11754SKacheong.Poon@Sun.COM		 * Later (at swnd_update label), the
11754SKacheong.Poon@Sun.COM		 * "new_swnd > tcp_swnd" condition is satisfied
11754SKacheong.Poon@Sun.COM		 * the XMIT_NEEDED flag is set in the current
11754SKacheong.Poon@Sun.COM		 * (SYN_RCVD) state. This ensures tcp_wput_data() is
11754SKacheong.Poon@Sun.COM		 * called if there is already data on queue in
11754SKacheong.Poon@Sun.COM		 * this state.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		tcp->tcp_swnd = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (new_swnd > tcp->tcp_max_swnd)
11754SKacheong.Poon@Sun.COM			tcp->tcp_max_swnd = new_swnd;
11754SKacheong.Poon@Sun.COM		tcp->tcp_swl1 = seg_seq;
11754SKacheong.Poon@Sun.COM		tcp->tcp_swl2 = seg_ack;
11754SKacheong.Poon@Sun.COM		tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
11754SKacheong.Poon@Sun.COM
12507SAlan.Maguire@Sun.COM		/* Trace change from SYN_RCVD -> ESTABLISHED here */
12507SAlan.Maguire@Sun.COM		DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
12507SAlan.Maguire@Sun.COM		    connp->conn_ixa, void, NULL, tcp_t *, tcp, void, NULL,
12507SAlan.Maguire@Sun.COM		    int32_t, TCPS_SYN_RCVD);
12507SAlan.Maguire@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Fuse when both sides are in ESTABLISHED state */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_loopback && do_tcp_fusion)
11754SKacheong.Poon@Sun.COM			tcp_fuse(tcp, iphdr, tcpha);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* This code follows 4.4BSD-Lite2 mostly. */
11754SKacheong.Poon@Sun.COM	if (bytes_acked < 0)
11754SKacheong.Poon@Sun.COM		goto est;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If TCP is ECN capable and the congestion experience bit is
11754SKacheong.Poon@Sun.COM	 * set, reduce tcp_cwnd and tcp_ssthresh.  But this should only be
11754SKacheong.Poon@Sun.COM	 * done once per window (or more loosely, per RTT).
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_cwr && SEQ_GT(seg_ack, tcp->tcp_cwr_snd_max))
11754SKacheong.Poon@Sun.COM		tcp->tcp_cwr = B_FALSE;
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_ecn_ok && (flags & TH_ECE)) {
11754SKacheong.Poon@Sun.COM		if (!tcp->tcp_cwr) {
11754SKacheong.Poon@Sun.COM			npkt = ((tcp->tcp_snxt - tcp->tcp_suna) >> 1) / mss;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * mss;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd = npkt * mss;
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If the cwnd is 0, use the timer to clock out
11754SKacheong.Poon@Sun.COM			 * new segments.  This is required by the ECN spec.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (npkt == 0) {
11754SKacheong.Poon@Sun.COM				TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * This makes sure that when the ACK comes
11754SKacheong.Poon@Sun.COM				 * back, we will increase tcp_cwnd by 1 MSS.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd_cnt = 0;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwr = B_TRUE;
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * This marks the end of the current window of in
11754SKacheong.Poon@Sun.COM			 * flight data.  That is why we don't use
11754SKacheong.Poon@Sun.COM			 * tcp_suna + tcp_swnd.  Only data in flight can
11754SKacheong.Poon@Sun.COM			 * provide ECN info.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM			tcp->tcp_ecn_cwr_sent = B_FALSE;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	mp1 = tcp->tcp_xmit_head;
11754SKacheong.Poon@Sun.COM	if (bytes_acked == 0) {
11754SKacheong.Poon@Sun.COM		if (!ofo_seg && seg_len == 0 && new_swnd == tcp->tcp_swnd) {
11754SKacheong.Poon@Sun.COM			int dupack_cnt;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInDupAck);
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Fast retransmit.  When we have seen exactly three
11754SKacheong.Poon@Sun.COM			 * identical ACKs while we have unacked data
11754SKacheong.Poon@Sun.COM			 * outstanding we take it as a hint that our peer
11754SKacheong.Poon@Sun.COM			 * dropped something.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * If TCP is retransmitting, don't do fast retransmit.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (mp1 && tcp->tcp_suna != tcp->tcp_snxt &&
11754SKacheong.Poon@Sun.COM			    ! tcp->tcp_rexmit) {
11754SKacheong.Poon@Sun.COM				/* Do Limited Transmit */
11754SKacheong.Poon@Sun.COM				if ((dupack_cnt = ++tcp->tcp_dupack_cnt) <
11754SKacheong.Poon@Sun.COM				    tcps->tcps_dupack_fast_retransmit) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * RFC 3042
11754SKacheong.Poon@Sun.COM					 *
11754SKacheong.Poon@Sun.COM					 * What we need to do is temporarily
11754SKacheong.Poon@Sun.COM					 * increase tcp_cwnd so that new
11754SKacheong.Poon@Sun.COM					 * data can be sent if it is allowed
11754SKacheong.Poon@Sun.COM					 * by the receive window (tcp_rwnd).
11754SKacheong.Poon@Sun.COM					 * tcp_wput_data() will take care of
11754SKacheong.Poon@Sun.COM					 * the rest.
11754SKacheong.Poon@Sun.COM					 *
11754SKacheong.Poon@Sun.COM					 * If the connection is SACK capable,
11754SKacheong.Poon@Sun.COM					 * only do limited xmit when there
11754SKacheong.Poon@Sun.COM					 * is SACK info.
11754SKacheong.Poon@Sun.COM					 *
11754SKacheong.Poon@Sun.COM					 * Note how tcp_cwnd is incremented.
11754SKacheong.Poon@Sun.COM					 * The first dup ACK will increase
11754SKacheong.Poon@Sun.COM					 * it by 1 MSS.  The second dup ACK
11754SKacheong.Poon@Sun.COM					 * will increase it by 2 MSS.  This
11754SKacheong.Poon@Sun.COM					 * means that only 1 new segment will
11754SKacheong.Poon@Sun.COM					 * be sent for each dup ACK.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					if (tcp->tcp_unsent > 0 &&
11754SKacheong.Poon@Sun.COM					    (!tcp->tcp_snd_sack_ok ||
11754SKacheong.Poon@Sun.COM					    (tcp->tcp_snd_sack_ok &&
11754SKacheong.Poon@Sun.COM					    tcp->tcp_notsack_list != NULL))) {
11754SKacheong.Poon@Sun.COM						tcp->tcp_cwnd += mss <<
11754SKacheong.Poon@Sun.COM						    (tcp->tcp_dupack_cnt - 1);
11754SKacheong.Poon@Sun.COM						flags |= TH_LIMIT_XMIT;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				} else if (dupack_cnt ==
11754SKacheong.Poon@Sun.COM				    tcps->tcps_dupack_fast_retransmit) {
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * If we have reduced tcp_ssthresh
11754SKacheong.Poon@Sun.COM				 * because of ECN, do not reduce it again
11754SKacheong.Poon@Sun.COM				 * unless it is already one window of data
11754SKacheong.Poon@Sun.COM				 * away.  After one window of data, tcp_cwr
11754SKacheong.Poon@Sun.COM				 * should then be cleared.  Note that
11754SKacheong.Poon@Sun.COM				 * for non ECN capable connection, tcp_cwr
11754SKacheong.Poon@Sun.COM				 * should always be false.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * Adjust cwnd since the duplicate
11754SKacheong.Poon@Sun.COM				 * ack indicates that a packet was
11754SKacheong.Poon@Sun.COM				 * dropped (due to congestion.)
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if (!tcp->tcp_cwr) {
11754SKacheong.Poon@Sun.COM					npkt = ((tcp->tcp_snxt -
11754SKacheong.Poon@Sun.COM					    tcp->tcp_suna) >> 1) / mss;
11754SKacheong.Poon@Sun.COM					tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) *
11754SKacheong.Poon@Sun.COM					    mss;
11754SKacheong.Poon@Sun.COM					tcp->tcp_cwnd = (npkt +
11754SKacheong.Poon@Sun.COM					    tcp->tcp_dupack_cnt) * mss;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_ecn_ok) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_cwr = B_TRUE;
11754SKacheong.Poon@Sun.COM					tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM					tcp->tcp_ecn_cwr_sent = B_FALSE;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * We do Hoe's algorithm.  Refer to her
11754SKacheong.Poon@Sun.COM				 * paper "Improving the Start-up Behavior
11754SKacheong.Poon@Sun.COM				 * of a Congestion Control Scheme for TCP,"
11754SKacheong.Poon@Sun.COM				 * appeared in SIGCOMM'96.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * Save highest seq no we have sent so far.
11754SKacheong.Poon@Sun.COM				 * Be careful about the invisible FIN byte.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
11754SKacheong.Poon@Sun.COM				    (tcp->tcp_unsent == 0)) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_rexmit_max = tcp->tcp_fss;
11754SKacheong.Poon@Sun.COM				} else {
11754SKacheong.Poon@Sun.COM					tcp->tcp_rexmit_max = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Do not allow bursty traffic during.
11754SKacheong.Poon@Sun.COM				 * fast recovery.  Refer to Fall and Floyd's
11754SKacheong.Poon@Sun.COM				 * paper "Simulation-based Comparisons of
11754SKacheong.Poon@Sun.COM				 * Tahoe, Reno and SACK TCP" (in CCR?)
11754SKacheong.Poon@Sun.COM				 * This is a best current practise.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp->tcp_snd_burst = TCP_CWND_SS;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * For SACK:
11754SKacheong.Poon@Sun.COM				 * Calculate tcp_pipe, which is the
11754SKacheong.Poon@Sun.COM				 * estimated number of bytes in
11754SKacheong.Poon@Sun.COM				 * network.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * tcp_fack is the highest sack'ed seq num
11754SKacheong.Poon@Sun.COM				 * TCP has received.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * tcp_pipe is explained in the above quoted
11754SKacheong.Poon@Sun.COM				 * Fall and Floyd's paper.  tcp_fack is
11754SKacheong.Poon@Sun.COM				 * explained in Mathis and Mahdavi's
11754SKacheong.Poon@Sun.COM				 * "Forward Acknowledgment: Refining TCP
11754SKacheong.Poon@Sun.COM				 * Congestion Control" in SIGCOMM '96.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_snd_sack_ok) {
11754SKacheong.Poon@Sun.COM					if (tcp->tcp_notsack_list != NULL) {
11754SKacheong.Poon@Sun.COM						tcp->tcp_pipe = tcp->tcp_snxt -
11754SKacheong.Poon@Sun.COM						    tcp->tcp_fack;
11754SKacheong.Poon@Sun.COM						tcp->tcp_sack_snxt = seg_ack;
11754SKacheong.Poon@Sun.COM						flags |= TH_NEED_SACK_REXMIT;
11754SKacheong.Poon@Sun.COM					} else {
11754SKacheong.Poon@Sun.COM						/*
11754SKacheong.Poon@Sun.COM						 * Always initialize tcp_pipe
11754SKacheong.Poon@Sun.COM						 * even though we don't have
11754SKacheong.Poon@Sun.COM						 * any SACK info.  If later
11754SKacheong.Poon@Sun.COM						 * we get SACK info and
11754SKacheong.Poon@Sun.COM						 * tcp_pipe is not initialized,
11754SKacheong.Poon@Sun.COM						 * funny things will happen.
11754SKacheong.Poon@Sun.COM						 */
11754SKacheong.Poon@Sun.COM						tcp->tcp_pipe =
11754SKacheong.Poon@Sun.COM						    tcp->tcp_cwnd_ssthresh;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				} else {
11754SKacheong.Poon@Sun.COM					flags |= TH_REXMIT_NEEDED;
11754SKacheong.Poon@Sun.COM				} /* tcp_snd_sack_ok */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				} else {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * Here we perform congestion
11754SKacheong.Poon@Sun.COM					 * avoidance, but NOT slow start.
11754SKacheong.Poon@Sun.COM					 * This is known as the Fast
11754SKacheong.Poon@Sun.COM					 * Recovery Algorithm.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					if (tcp->tcp_snd_sack_ok &&
11754SKacheong.Poon@Sun.COM					    tcp->tcp_notsack_list != NULL) {
11754SKacheong.Poon@Sun.COM						flags |= TH_NEED_SACK_REXMIT;
11754SKacheong.Poon@Sun.COM						tcp->tcp_pipe -= mss;
11754SKacheong.Poon@Sun.COM						if (tcp->tcp_pipe < 0)
11754SKacheong.Poon@Sun.COM							tcp->tcp_pipe = 0;
11754SKacheong.Poon@Sun.COM					} else {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * We know that one more packet has
11754SKacheong.Poon@Sun.COM					 * left the pipe thus we can update
11754SKacheong.Poon@Sun.COM					 * cwnd.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					cwnd = tcp->tcp_cwnd + mss;
11754SKacheong.Poon@Sun.COM					if (cwnd > tcp->tcp_cwnd_max)
11754SKacheong.Poon@Sun.COM						cwnd = tcp->tcp_cwnd_max;
11754SKacheong.Poon@Sun.COM					tcp->tcp_cwnd = cwnd;
11754SKacheong.Poon@Sun.COM					if (tcp->tcp_unsent > 0)
11754SKacheong.Poon@Sun.COM						flags |= TH_XMIT_NEEDED;
11754SKacheong.Poon@Sun.COM					}
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		} else if (tcp->tcp_zero_win_probe) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If the window has opened, need to arrange
11754SKacheong.Poon@Sun.COM			 * to send additional data.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (new_swnd != 0) {
11754SKacheong.Poon@Sun.COM				/* tcp_suna != tcp_snxt */
11754SKacheong.Poon@Sun.COM				/* Packet contains a window update */
11754SKacheong.Poon@Sun.COM				TCPS_BUMP_MIB(tcps, tcpInWinUpdate);
11754SKacheong.Poon@Sun.COM				tcp->tcp_zero_win_probe = 0;
11754SKacheong.Poon@Sun.COM				tcp->tcp_timer_backoff = 0;
11754SKacheong.Poon@Sun.COM				tcp->tcp_ms_we_have_waited = 0;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Transmit starting with tcp_suna since
11754SKacheong.Poon@Sun.COM				 * the one byte probe is not ack'ed.
11754SKacheong.Poon@Sun.COM				 * If TCP has sent more than one identical
11754SKacheong.Poon@Sun.COM				 * probe, tcp_rexmit will be set.  That means
11754SKacheong.Poon@Sun.COM				 * tcp_ss_rexmit() will send out the one
11754SKacheong.Poon@Sun.COM				 * byte along with new data.  Otherwise,
11754SKacheong.Poon@Sun.COM				 * fake the retransmission.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				flags |= TH_XMIT_NEEDED;
11754SKacheong.Poon@Sun.COM				if (!tcp->tcp_rexmit) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_rexmit = B_TRUE;
11754SKacheong.Poon@Sun.COM					tcp->tcp_dupack_cnt = 0;
11754SKacheong.Poon@Sun.COM					tcp->tcp_rexmit_nxt = tcp->tcp_suna;
11754SKacheong.Poon@Sun.COM					tcp->tcp_rexmit_max = tcp->tcp_suna + 1;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		goto swnd_update;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Check for "acceptability" of ACK value per RFC 793, pages 72 - 73.
11754SKacheong.Poon@Sun.COM	 * If the ACK value acks something that we have not yet sent, it might
11754SKacheong.Poon@Sun.COM	 * be an old duplicate segment.  Send an ACK to re-synchronize the
11754SKacheong.Poon@Sun.COM	 * other side.
11754SKacheong.Poon@Sun.COM	 * Note: reset in response to unacceptable ACK in SYN_RECEIVE
11754SKacheong.Poon@Sun.COM	 * state is handled above, so we can always just drop the segment and
11754SKacheong.Poon@Sun.COM	 * send an ACK here.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * In the case where the peer shrinks the window, we see the new window
11754SKacheong.Poon@Sun.COM	 * update, but all the data sent previously is queued up by the peer.
11754SKacheong.Poon@Sun.COM	 * To account for this, in tcp_process_shrunk_swnd(), the sequence
11754SKacheong.Poon@Sun.COM	 * number, which was already sent, and within window, is recorded.
11754SKacheong.Poon@Sun.COM	 * tcp_snxt is then updated.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * If the window has previously shrunk, and an ACK for data not yet
11754SKacheong.Poon@Sun.COM	 * sent, according to tcp_snxt is recieved, it may still be valid. If
11754SKacheong.Poon@Sun.COM	 * the ACK is for data within the window at the time the window was
11754SKacheong.Poon@Sun.COM	 * shrunk, then the ACK is acceptable. In this case tcp_snxt is set to
11754SKacheong.Poon@Sun.COM	 * the sequence number ACK'ed.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * If the ACK covers all the data sent at the time the window was
11754SKacheong.Poon@Sun.COM	 * shrunk, we can now set tcp_is_wnd_shrnk to B_FALSE.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * Should we send ACKs in response to ACK only segments?
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (SEQ_GT(seg_ack, tcp->tcp_snxt)) {
11754SKacheong.Poon@Sun.COM		if ((tcp->tcp_is_wnd_shrnk) &&
11754SKacheong.Poon@Sun.COM		    (SEQ_LEQ(seg_ack, tcp->tcp_snxt_shrunk))) {
11754SKacheong.Poon@Sun.COM			uint32_t data_acked_ahead_snxt;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			data_acked_ahead_snxt = seg_ack - tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM			tcp_update_xmit_tail(tcp, seg_ack);
11754SKacheong.Poon@Sun.COM			tcp->tcp_unsent -= data_acked_ahead_snxt;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpInAckUnsent);
11754SKacheong.Poon@Sun.COM			/* drop the received segment */
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Send back an ACK.  If tcp_drop_ack_unsent_cnt is
11754SKacheong.Poon@Sun.COM			 * greater than 0, check if the number of such
11754SKacheong.Poon@Sun.COM			 * bogus ACks is greater than that count.  If yes,
11754SKacheong.Poon@Sun.COM			 * don't send back any ACK.  This prevents TCP from
11754SKacheong.Poon@Sun.COM			 * getting into an ACK storm if somehow an attacker
11754SKacheong.Poon@Sun.COM			 * successfully spoofs an acceptable segment to our
11754SKacheong.Poon@Sun.COM			 * peer.  If this continues (count > 2 X threshold),
11754SKacheong.Poon@Sun.COM			 * we should abort this connection.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp_drop_ack_unsent_cnt > 0 &&
11754SKacheong.Poon@Sun.COM			    ++tcp->tcp_in_ack_unsent >
11754SKacheong.Poon@Sun.COM			    tcp_drop_ack_unsent_cnt) {
11754SKacheong.Poon@Sun.COM				TCP_STAT(tcps, tcp_in_ack_unsent_drop);
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_in_ack_unsent > 2 *
11754SKacheong.Poon@Sun.COM				    tcp_drop_ack_unsent_cnt) {
11754SKacheong.Poon@Sun.COM					(void) tcp_clean_death(tcp, EPROTO);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			mp = tcp_ack_mp(tcp);
11754SKacheong.Poon@Sun.COM			if (mp != NULL) {
11754SKacheong.Poon@Sun.COM				BUMP_LOCAL(tcp->tcp_obsegs);
11754SKacheong.Poon@Sun.COM				TCPS_BUMP_MIB(tcps, tcpOutAck);
11754SKacheong.Poon@Sun.COM				tcp_send_data(tcp, mp);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else if (tcp->tcp_is_wnd_shrnk && SEQ_GEQ(seg_ack,
11754SKacheong.Poon@Sun.COM	    tcp->tcp_snxt_shrunk)) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_is_wnd_shrnk = B_FALSE;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * TCP gets a new ACK, update the notsack'ed list to delete those
11754SKacheong.Poon@Sun.COM	 * blocks that are covered by this ACK.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
11754SKacheong.Poon@Sun.COM		tcp_notsack_remove(&(tcp->tcp_notsack_list), seg_ack,
11754SKacheong.Poon@Sun.COM		    &(tcp->tcp_num_notsack_blk), &(tcp->tcp_cnt_notsack_list));
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If we got an ACK after fast retransmit, check to see
11754SKacheong.Poon@Sun.COM	 * if it is a partial ACK.  If it is not and the congestion
11754SKacheong.Poon@Sun.COM	 * window was inflated to account for the other side's
11754SKacheong.Poon@Sun.COM	 * cached packets, retract it.  If it is, do Hoe's algorithm.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_dupack_cnt >= tcps->tcps_dupack_fast_retransmit) {
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_rexmit == B_FALSE);
11754SKacheong.Poon@Sun.COM		if (SEQ_GEQ(seg_ack, tcp->tcp_rexmit_max)) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_dupack_cnt = 0;
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Restore the orig tcp_cwnd_ssthresh after
11754SKacheong.Poon@Sun.COM			 * fast retransmit phase.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_cwnd > tcp->tcp_cwnd_ssthresh) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			tcp->tcp_rexmit_max = seg_ack;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd_cnt = 0;
11754SKacheong.Poon@Sun.COM			tcp->tcp_snd_burst = tcp->tcp_localnet ?
11754SKacheong.Poon@Sun.COM			    TCP_CWND_INFINITE : TCP_CWND_NORMAL;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Remove all notsack info to avoid confusion with
11754SKacheong.Poon@Sun.COM			 * the next fast retrasnmit/recovery phase.
11754SKacheong.Poon@Sun.COM			 */
12056SKacheong.Poon@Sun.COM			if (tcp->tcp_snd_sack_ok) {
11754SKacheong.Poon@Sun.COM				TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list,
11754SKacheong.Poon@Sun.COM				    tcp);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_snd_sack_ok &&
11754SKacheong.Poon@Sun.COM			    tcp->tcp_notsack_list != NULL) {
11754SKacheong.Poon@Sun.COM				flags |= TH_NEED_SACK_REXMIT;
11754SKacheong.Poon@Sun.COM				tcp->tcp_pipe -= mss;
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_pipe < 0)
11754SKacheong.Poon@Sun.COM					tcp->tcp_pipe = 0;
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Hoe's algorithm:
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * Retransmit the unack'ed segment and
11754SKacheong.Poon@Sun.COM				 * restart fast recovery.  Note that we
11754SKacheong.Poon@Sun.COM				 * need to scale back tcp_cwnd to the
11754SKacheong.Poon@Sun.COM				 * original value when we started fast
11754SKacheong.Poon@Sun.COM				 * recovery.  This is to prevent overly
11754SKacheong.Poon@Sun.COM				 * aggressive behaviour in sending new
11754SKacheong.Poon@Sun.COM				 * segments.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh +
11754SKacheong.Poon@Sun.COM				    tcps->tcps_dupack_fast_retransmit * mss;
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd_cnt = tcp->tcp_cwnd;
11754SKacheong.Poon@Sun.COM				flags |= TH_REXMIT_NEEDED;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		tcp->tcp_dupack_cnt = 0;
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rexmit) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * TCP is retranmitting.  If the ACK ack's all
11754SKacheong.Poon@Sun.COM			 * outstanding data, update tcp_rexmit_max and
11754SKacheong.Poon@Sun.COM			 * tcp_rexmit_nxt.  Otherwise, update tcp_rexmit_nxt
11754SKacheong.Poon@Sun.COM			 * to the correct value.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * Note that SEQ_LEQ() is used.  This is to avoid
11754SKacheong.Poon@Sun.COM			 * unnecessary fast retransmit caused by dup ACKs
11754SKacheong.Poon@Sun.COM			 * received when TCP does slow start retransmission
11754SKacheong.Poon@Sun.COM			 * after a time out.  During this phase, TCP may
11754SKacheong.Poon@Sun.COM			 * send out segments which are already received.
11754SKacheong.Poon@Sun.COM			 * This causes dup ACKs to be sent back.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (SEQ_LEQ(seg_ack, tcp->tcp_rexmit_max)) {
11754SKacheong.Poon@Sun.COM				if (SEQ_GT(seg_ack, tcp->tcp_rexmit_nxt)) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_rexmit_nxt = seg_ack;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				if (seg_ack != tcp->tcp_rexmit_max) {
11754SKacheong.Poon@Sun.COM					flags |= TH_XMIT_NEEDED;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				tcp->tcp_rexmit = B_FALSE;
11754SKacheong.Poon@Sun.COM				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM				tcp->tcp_snd_burst = tcp->tcp_localnet ?
11754SKacheong.Poon@Sun.COM				    TCP_CWND_INFINITE : TCP_CWND_NORMAL;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			tcp->tcp_ms_we_have_waited = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	TCPS_BUMP_MIB(tcps, tcpInAckSegs);
11754SKacheong.Poon@Sun.COM	TCPS_UPDATE_MIB(tcps, tcpInAckBytes, bytes_acked);
11754SKacheong.Poon@Sun.COM	tcp->tcp_suna = seg_ack;
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_zero_win_probe != 0) {
11754SKacheong.Poon@Sun.COM		tcp->tcp_zero_win_probe = 0;
11754SKacheong.Poon@Sun.COM		tcp->tcp_timer_backoff = 0;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If tcp_xmit_head is NULL, then it must be the FIN being ack'ed.
11754SKacheong.Poon@Sun.COM	 * Note that it cannot be the SYN being ack'ed.  The code flow
11754SKacheong.Poon@Sun.COM	 * will not reach here.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM		goto fin_acked;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Update the congestion window.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * If TCP is not ECN capable or TCP is ECN capable but the
11754SKacheong.Poon@Sun.COM	 * congestion experience bit is not set, increase the tcp_cwnd as
11754SKacheong.Poon@Sun.COM	 * usual.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (!tcp->tcp_ecn_ok || !(flags & TH_ECE)) {
11754SKacheong.Poon@Sun.COM		cwnd = tcp->tcp_cwnd;
11754SKacheong.Poon@Sun.COM		add = mss;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (cwnd >= tcp->tcp_cwnd_ssthresh) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * This is to prevent an increase of less than 1 MSS of
11754SKacheong.Poon@Sun.COM			 * tcp_cwnd.  With partial increase, tcp_wput_data()
11754SKacheong.Poon@Sun.COM			 * may send out tinygrams in order to preserve mblk
11754SKacheong.Poon@Sun.COM			 * boundaries.
11754SKacheong.Poon@Sun.COM			 *
11754SKacheong.Poon@Sun.COM			 * By initializing tcp_cwnd_cnt to new tcp_cwnd and
11754SKacheong.Poon@Sun.COM			 * decrementing it by 1 MSS for every ACKs, tcp_cwnd is
11754SKacheong.Poon@Sun.COM			 * increased by 1 MSS for every RTTs.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_cwnd_cnt <= 0) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd_cnt = cwnd + add;
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				tcp->tcp_cwnd_cnt -= add;
11754SKacheong.Poon@Sun.COM				add = 0;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		tcp->tcp_cwnd = MIN(cwnd + add, tcp->tcp_cwnd_max);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* See if the latest urgent data has been acknowledged */
11754SKacheong.Poon@Sun.COM	if ((tcp->tcp_valid_bits & TCP_URG_VALID) &&
11754SKacheong.Poon@Sun.COM	    SEQ_GT(seg_ack, tcp->tcp_urg))
11754SKacheong.Poon@Sun.COM		tcp->tcp_valid_bits &= ~TCP_URG_VALID;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Can we update the RTT estimates? */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_snd_ts_ok) {
11754SKacheong.Poon@Sun.COM		/* Ignore zero timestamp echo-reply. */
11754SKacheong.Poon@Sun.COM		if (tcpopt.tcp_opt_ts_ecr != 0) {
11754SKacheong.Poon@Sun.COM			tcp_set_rto(tcp, (int32_t)LBOLT_FASTPATH -
11754SKacheong.Poon@Sun.COM			    (int32_t)tcpopt.tcp_opt_ts_ecr);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* If needed, restart the timer. */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_set_timer == 1) {
11754SKacheong.Poon@Sun.COM			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
11754SKacheong.Poon@Sun.COM			tcp->tcp_set_timer = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Update tcp_csuna in case the other side stops sending
11754SKacheong.Poon@Sun.COM		 * us timestamps.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		tcp->tcp_csuna = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM	} else if (SEQ_GT(seg_ack, tcp->tcp_csuna)) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * An ACK sequence we haven't seen before, so get the RTT
11754SKacheong.Poon@Sun.COM		 * and update the RTO. But first check if the timestamp is
11754SKacheong.Poon@Sun.COM		 * valid to use.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if ((mp1->b_next != NULL) &&
11754SKacheong.Poon@Sun.COM		    SEQ_GT(seg_ack, (uint32_t)(uintptr_t)(mp1->b_next)))
11754SKacheong.Poon@Sun.COM			tcp_set_rto(tcp, (int32_t)LBOLT_FASTPATH -
11754SKacheong.Poon@Sun.COM			    (int32_t)(intptr_t)mp1->b_prev);
11754SKacheong.Poon@Sun.COM		else
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpRttNoUpdate);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Remeber the last sequence to be ACKed */
11754SKacheong.Poon@Sun.COM		tcp->tcp_csuna = seg_ack;
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_set_timer == 1) {
11754SKacheong.Poon@Sun.COM			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
11754SKacheong.Poon@Sun.COM			tcp->tcp_set_timer = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		TCPS_BUMP_MIB(tcps, tcpRttNoUpdate);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Eat acknowledged bytes off the xmit queue. */
11754SKacheong.Poon@Sun.COM	for (;;) {
11754SKacheong.Poon@Sun.COM		mblk_t	*mp2;
11754SKacheong.Poon@Sun.COM		uchar_t	*wptr;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		wptr = mp1->b_wptr;
11754SKacheong.Poon@Sun.COM		ASSERT((uintptr_t)(wptr - mp1->b_rptr) <= (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM		bytes_acked -= (int)(wptr - mp1->b_rptr);
11754SKacheong.Poon@Sun.COM		if (bytes_acked < 0) {
11754SKacheong.Poon@Sun.COM			mp1->b_rptr = wptr + bytes_acked;
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Set a new timestamp if all the bytes timed by the
11754SKacheong.Poon@Sun.COM			 * old timestamp have been ack'ed.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (SEQ_GT(seg_ack,
11754SKacheong.Poon@Sun.COM			    (uint32_t)(uintptr_t)(mp1->b_next))) {
11754SKacheong.Poon@Sun.COM				mp1->b_prev =
11754SKacheong.Poon@Sun.COM				    (mblk_t *)(uintptr_t)LBOLT_FASTPATH;
11754SKacheong.Poon@Sun.COM				mp1->b_next = NULL;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp1->b_next = NULL;
11754SKacheong.Poon@Sun.COM		mp1->b_prev = NULL;
11754SKacheong.Poon@Sun.COM		mp2 = mp1;
11754SKacheong.Poon@Sun.COM		mp1 = mp1->b_cont;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * This notification is required for some zero-copy
11754SKacheong.Poon@Sun.COM		 * clients to maintain a copy semantic. After the data
11754SKacheong.Poon@Sun.COM		 * is ack'ed, client is safe to modify or reuse the buffer.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_snd_zcopy_aware &&
11754SKacheong.Poon@Sun.COM		    (mp2->b_datap->db_struioflag & STRUIO_ZCNOTIFY))
11754SKacheong.Poon@Sun.COM			tcp_zcopy_notify(tcp);
11754SKacheong.Poon@Sun.COM		freeb(mp2);
11754SKacheong.Poon@Sun.COM		if (bytes_acked == 0) {
11754SKacheong.Poon@Sun.COM			if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM				/* Everything is ack'ed, clear the tail. */
11754SKacheong.Poon@Sun.COM				tcp->tcp_xmit_tail = NULL;
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Cancel the timer unless we are still
11754SKacheong.Poon@Sun.COM				 * waiting for an ACK for the FIN packet.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_timer_tid != 0 &&
11754SKacheong.Poon@Sun.COM				    tcp->tcp_snxt == tcp->tcp_suna) {
11754SKacheong.Poon@Sun.COM					(void) TCP_TIMER_CANCEL(tcp,
11754SKacheong.Poon@Sun.COM					    tcp->tcp_timer_tid);
11754SKacheong.Poon@Sun.COM					tcp->tcp_timer_tid = 0;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				goto pre_swnd_update;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			if (mp2 != tcp->tcp_xmit_tail)
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			tcp->tcp_xmit_tail = mp1;
11754SKacheong.Poon@Sun.COM			ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
11754SKacheong.Poon@Sun.COM			    (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM			tcp->tcp_xmit_tail_unsent = (int)(mp1->b_wptr -
11754SKacheong.Poon@Sun.COM			    mp1->b_rptr);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * More was acked but there is nothing more
11754SKacheong.Poon@Sun.COM			 * outstanding.  This means that the FIN was
11754SKacheong.Poon@Sun.COM			 * just acked or that we're talking to a clown.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COMfin_acked:
11754SKacheong.Poon@Sun.COM			ASSERT(tcp->tcp_fin_sent);
11754SKacheong.Poon@Sun.COM			tcp->tcp_xmit_tail = NULL;
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_fin_sent) {
11754SKacheong.Poon@Sun.COM				/* FIN was acked - making progress */
11754SKacheong.Poon@Sun.COM				if (!tcp->tcp_fin_acked)
11754SKacheong.Poon@Sun.COM					tcp->tcp_ip_forward_progress = B_TRUE;
11754SKacheong.Poon@Sun.COM				tcp->tcp_fin_acked = B_TRUE;
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_linger_tid != 0 &&
11754SKacheong.Poon@Sun.COM				    TCP_TIMER_CANCEL(tcp,
11754SKacheong.Poon@Sun.COM				    tcp->tcp_linger_tid) >= 0) {
11754SKacheong.Poon@Sun.COM					tcp_stop_lingering(tcp);
11754SKacheong.Poon@Sun.COM					freemsg(mp);
11754SKacheong.Poon@Sun.COM					mp = NULL;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * We should never get here because
11754SKacheong.Poon@Sun.COM				 * we have already checked that the
11754SKacheong.Poon@Sun.COM				 * number of bytes ack'ed should be
11754SKacheong.Poon@Sun.COM				 * smaller than or equal to what we
11754SKacheong.Poon@Sun.COM				 * have sent so far (it is the
11754SKacheong.Poon@Sun.COM				 * acceptability check of the ACK).
11754SKacheong.Poon@Sun.COM				 * We can only get here if the send
11754SKacheong.Poon@Sun.COM				 * queue is corrupted.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * Terminate the connection and
11754SKacheong.Poon@Sun.COM				 * panic the system.  It is better
11754SKacheong.Poon@Sun.COM				 * for us to panic instead of
11754SKacheong.Poon@Sun.COM				 * continuing to avoid other disaster.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp_xmit_ctl(NULL, tcp, tcp->tcp_snxt,
11754SKacheong.Poon@Sun.COM				    tcp->tcp_rnxt, TH_RST|TH_ACK);
11754SKacheong.Poon@Sun.COM				panic("Memory corruption "
11754SKacheong.Poon@Sun.COM				    "detected for connection %s.",
11754SKacheong.Poon@Sun.COM				    tcp_display(tcp, NULL,
11754SKacheong.Poon@Sun.COM				    DISP_ADDR_AND_PORT));
11754SKacheong.Poon@Sun.COM				/*NOTREACHED*/
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			goto pre_swnd_update;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		ASSERT(mp2 != tcp->tcp_xmit_tail);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_unsent) {
11754SKacheong.Poon@Sun.COM		flags |= TH_XMIT_NEEDED;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMpre_swnd_update:
11754SKacheong.Poon@Sun.COM	tcp->tcp_xmit_head = mp1;
11754SKacheong.Poon@Sun.COMswnd_update:
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * The following check is different from most other implementations.
11754SKacheong.Poon@Sun.COM	 * For bi-directional transfer, when segments are dropped, the
11754SKacheong.Poon@Sun.COM	 * "normal" check will not accept a window update in those
11754SKacheong.Poon@Sun.COM	 * retransmitted segemnts.  Failing to do that, TCP may send out
11754SKacheong.Poon@Sun.COM	 * segments which are outside receiver's window.  As TCP accepts
11754SKacheong.Poon@Sun.COM	 * the ack in those retransmitted segments, if the window update in
11754SKacheong.Poon@Sun.COM	 * the same segment is not accepted, TCP will incorrectly calculates
11754SKacheong.Poon@Sun.COM	 * that it can send more segments.  This can create a deadlock
11754SKacheong.Poon@Sun.COM	 * with the receiver if its window becomes zero.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (SEQ_LT(tcp->tcp_swl2, seg_ack) ||
11754SKacheong.Poon@Sun.COM	    SEQ_LT(tcp->tcp_swl1, seg_seq) ||
11754SKacheong.Poon@Sun.COM	    (tcp->tcp_swl1 == seg_seq && new_swnd > tcp->tcp_swnd)) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * The criteria for update is:
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 * 1. the segment acknowledges some data.  Or
11754SKacheong.Poon@Sun.COM		 * 2. the segment is new, i.e. it has a higher seq num. Or
11754SKacheong.Poon@Sun.COM		 * 3. the segment is not old and the advertised window is
11754SKacheong.Poon@Sun.COM		 * larger than the previous advertised window.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_unsent && new_swnd > tcp->tcp_swnd)
11754SKacheong.Poon@Sun.COM			flags |= TH_XMIT_NEEDED;
11754SKacheong.Poon@Sun.COM		tcp->tcp_swnd = new_swnd;
11754SKacheong.Poon@Sun.COM		if (new_swnd > tcp->tcp_max_swnd)
11754SKacheong.Poon@Sun.COM			tcp->tcp_max_swnd = new_swnd;
11754SKacheong.Poon@Sun.COM		tcp->tcp_swl1 = seg_seq;
11754SKacheong.Poon@Sun.COM		tcp->tcp_swl2 = seg_ack;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMest:
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_state > TCPS_ESTABLISHED) {
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		switch (tcp->tcp_state) {
11754SKacheong.Poon@Sun.COM		case TCPS_FIN_WAIT_1:
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_fin_acked) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_state = TCPS_FIN_WAIT_2;
12507SAlan.Maguire@Sun.COM				DTRACE_TCP6(state__change, void, NULL,
12507SAlan.Maguire@Sun.COM				    ip_xmit_attr_t *, connp->conn_ixa,
12507SAlan.Maguire@Sun.COM				    void, NULL, tcp_t *, tcp, void, NULL,
12507SAlan.Maguire@Sun.COM				    int32_t, TCPS_FIN_WAIT_1);
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * We implement the non-standard BSD/SunOS
11754SKacheong.Poon@Sun.COM				 * FIN_WAIT_2 flushing algorithm.
11754SKacheong.Poon@Sun.COM				 * If there is no user attached to this
11754SKacheong.Poon@Sun.COM				 * TCP endpoint, then this TCP struct
11754SKacheong.Poon@Sun.COM				 * could hang around forever in FIN_WAIT_2
11754SKacheong.Poon@Sun.COM				 * state if the peer forgets to send us
11754SKacheong.Poon@Sun.COM				 * a FIN.  To prevent this, we wait only
11754SKacheong.Poon@Sun.COM				 * 2*MSL (a convenient time value) for
11754SKacheong.Poon@Sun.COM				 * the FIN to arrive.  If it doesn't show up,
11754SKacheong.Poon@Sun.COM				 * we flush the TCP endpoint.  This algorithm,
11754SKacheong.Poon@Sun.COM				 * though a violation of RFC-793, has worked
11754SKacheong.Poon@Sun.COM				 * for over 10 years in BSD systems.
11754SKacheong.Poon@Sun.COM				 * Note: SunOS 4.x waits 675 seconds before
11754SKacheong.Poon@Sun.COM				 * flushing the FIN_WAIT_2 connection.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				TCP_TIMER_RESTART(tcp,
12544SKacheong.Poon@Sun.COM				    tcp->tcp_fin_wait_2_flush_interval);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		case TCPS_FIN_WAIT_2:
11754SKacheong.Poon@Sun.COM			break;	/* Shutdown hook? */
11754SKacheong.Poon@Sun.COM		case TCPS_LAST_ACK:
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_fin_acked) {
11754SKacheong.Poon@Sun.COM				(void) tcp_clean_death(tcp, 0);
11754SKacheong.Poon@Sun.COM				return;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			goto xmit_check;
11754SKacheong.Poon@Sun.COM		case TCPS_CLOSING:
12507SAlan.Maguire@Sun.COM			if (tcp->tcp_fin_acked) {
11754SKacheong.Poon@Sun.COM				SET_TIME_WAIT(tcps, tcp, connp);
12507SAlan.Maguire@Sun.COM				DTRACE_TCP6(state__change, void, NULL,
12507SAlan.Maguire@Sun.COM				    ip_xmit_attr_t *, connp->conn_ixa, void,
12507SAlan.Maguire@Sun.COM				    NULL, tcp_t *, tcp, void, NULL, int32_t,
12507SAlan.Maguire@Sun.COM				    TCPS_CLOSING);
12507SAlan.Maguire@Sun.COM			}
11754SKacheong.Poon@Sun.COM			/*FALLTHRU*/
11754SKacheong.Poon@Sun.COM		case TCPS_CLOSE_WAIT:
11754SKacheong.Poon@Sun.COM			freemsg(mp);
11754SKacheong.Poon@Sun.COM			goto xmit_check;
11754SKacheong.Poon@Sun.COM		default:
11754SKacheong.Poon@Sun.COM			ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (flags & TH_FIN) {
11754SKacheong.Poon@Sun.COM		/* Make sure we ack the fin */
11754SKacheong.Poon@Sun.COM		flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM		if (!tcp->tcp_fin_rcvd) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_fin_rcvd = B_TRUE;
11754SKacheong.Poon@Sun.COM			tcp->tcp_rnxt++;
11754SKacheong.Poon@Sun.COM			tcpha = tcp->tcp_tcpha;
11754SKacheong.Poon@Sun.COM			tcpha->tha_ack = htonl(tcp->tcp_rnxt);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			/*
12643SAnders.Persson@Sun.COM			 * Generate the ordrel_ind at the end unless the
12643SAnders.Persson@Sun.COM			 * conn is detached or it is a STREAMS based eager.
12643SAnders.Persson@Sun.COM			 * In the eager case we defer the notification until
12643SAnders.Persson@Sun.COM			 * tcp_accept_finish has run.
11754SKacheong.Poon@Sun.COM			 */
12643SAnders.Persson@Sun.COM			if (!TCP_IS_DETACHED(tcp) && (IPCL_IS_NONSTR(connp) ||
12643SAnders.Persson@Sun.COM			    (tcp->tcp_listener == NULL &&
12643SAnders.Persson@Sun.COM			    !tcp->tcp_hard_binding)))
11754SKacheong.Poon@Sun.COM				flags |= TH_ORDREL_NEEDED;
11754SKacheong.Poon@Sun.COM			switch (tcp->tcp_state) {
11754SKacheong.Poon@Sun.COM			case TCPS_SYN_RCVD:
12507SAlan.Maguire@Sun.COM				tcp->tcp_state = TCPS_CLOSE_WAIT;
12507SAlan.Maguire@Sun.COM				DTRACE_TCP6(state__change, void, NULL,
12507SAlan.Maguire@Sun.COM				    ip_xmit_attr_t *, connp->conn_ixa,
12507SAlan.Maguire@Sun.COM				    void, NULL, tcp_t *, tcp, void, NULL,
12507SAlan.Maguire@Sun.COM				    int32_t, TCPS_SYN_RCVD);
12507SAlan.Maguire@Sun.COM				/* Keepalive? */
12507SAlan.Maguire@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			case TCPS_ESTABLISHED:
11754SKacheong.Poon@Sun.COM				tcp->tcp_state = TCPS_CLOSE_WAIT;
12507SAlan.Maguire@Sun.COM				DTRACE_TCP6(state__change, void, NULL,
12507SAlan.Maguire@Sun.COM				    ip_xmit_attr_t *, connp->conn_ixa,
12507SAlan.Maguire@Sun.COM				    void, NULL, tcp_t *, tcp, void, NULL,
12507SAlan.Maguire@Sun.COM				    int32_t, TCPS_ESTABLISHED);
11754SKacheong.Poon@Sun.COM				/* Keepalive? */
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			case TCPS_FIN_WAIT_1:
11754SKacheong.Poon@Sun.COM				if (!tcp->tcp_fin_acked) {
11754SKacheong.Poon@Sun.COM					tcp->tcp_state = TCPS_CLOSING;
12507SAlan.Maguire@Sun.COM					DTRACE_TCP6(state__change, void, NULL,
12507SAlan.Maguire@Sun.COM					    ip_xmit_attr_t *, connp->conn_ixa,
12507SAlan.Maguire@Sun.COM					    void, NULL, tcp_t *, tcp, void,
12507SAlan.Maguire@Sun.COM					    NULL, int32_t, TCPS_FIN_WAIT_1);
11754SKacheong.Poon@Sun.COM					break;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				/* FALLTHRU */
11754SKacheong.Poon@Sun.COM			case TCPS_FIN_WAIT_2:
11754SKacheong.Poon@Sun.COM				SET_TIME_WAIT(tcps, tcp, connp);
12507SAlan.Maguire@Sun.COM				DTRACE_TCP6(state__change, void, NULL,
12507SAlan.Maguire@Sun.COM				    ip_xmit_attr_t *, connp->conn_ixa, void,
12507SAlan.Maguire@Sun.COM				    NULL, tcp_t *, tcp, void, NULL, int32_t,
12507SAlan.Maguire@Sun.COM				    TCPS_FIN_WAIT_2);
11754SKacheong.Poon@Sun.COM				if (seg_len) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * implies data piggybacked on FIN.
11754SKacheong.Poon@Sun.COM					 * break to handle data.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					break;
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				freemsg(mp);
11754SKacheong.Poon@Sun.COM				goto ack_check;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (mp == NULL)
11754SKacheong.Poon@Sun.COM		goto xmit_check;
11754SKacheong.Poon@Sun.COM	if (seg_len == 0) {
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		goto xmit_check;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (mp->b_rptr == mp->b_wptr) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * The header has been consumed, so we remove the
11754SKacheong.Poon@Sun.COM		 * zero-length mblk here.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		mp1 = mp;
11754SKacheong.Poon@Sun.COM		mp = mp->b_cont;
11754SKacheong.Poon@Sun.COM		freeb(mp1);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMupdate_ack:
11754SKacheong.Poon@Sun.COM	tcpha = tcp->tcp_tcpha;
11754SKacheong.Poon@Sun.COM	tcp->tcp_rack_cnt++;
11754SKacheong.Poon@Sun.COM	{
11754SKacheong.Poon@Sun.COM		uint32_t cur_max;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		cur_max = tcp->tcp_rack_cur_max;
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rack_cnt >= cur_max) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * We have more unacked data than we should - send
11754SKacheong.Poon@Sun.COM			 * an ACK now.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM			cur_max++;
11754SKacheong.Poon@Sun.COM			if (cur_max > tcp->tcp_rack_abs_max)
11754SKacheong.Poon@Sun.COM				tcp->tcp_rack_cur_max = tcp->tcp_rack_abs_max;
11754SKacheong.Poon@Sun.COM			else
11754SKacheong.Poon@Sun.COM				tcp->tcp_rack_cur_max = cur_max;
11754SKacheong.Poon@Sun.COM		} else if (TCP_IS_DETACHED(tcp)) {
11754SKacheong.Poon@Sun.COM			/* We don't have an ACK timer for detached TCP. */
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM		} else if (seg_len < mss) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * If we get a segment that is less than an mss, and we
11754SKacheong.Poon@Sun.COM			 * already have unacknowledged data, and the amount
11754SKacheong.Poon@Sun.COM			 * unacknowledged is not a multiple of mss, then we
11754SKacheong.Poon@Sun.COM			 * better generate an ACK now.  Otherwise, this may be
11754SKacheong.Poon@Sun.COM			 * the tail piece of a transaction, and we would rather
11754SKacheong.Poon@Sun.COM			 * wait for the response.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			uint32_t udif;
11754SKacheong.Poon@Sun.COM			ASSERT((uintptr_t)(tcp->tcp_rnxt - tcp->tcp_rack) <=
11754SKacheong.Poon@Sun.COM			    (uintptr_t)INT_MAX);
11754SKacheong.Poon@Sun.COM			udif = (int)(tcp->tcp_rnxt - tcp->tcp_rack);
11754SKacheong.Poon@Sun.COM			if (udif && (udif % mss))
11754SKacheong.Poon@Sun.COM				flags |= TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM			else
11754SKacheong.Poon@Sun.COM				flags |= TH_ACK_TIMER_NEEDED;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			/* Start delayed ack timer */
11754SKacheong.Poon@Sun.COM			flags |= TH_ACK_TIMER_NEEDED;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	tcp->tcp_rnxt += seg_len;
11754SKacheong.Poon@Sun.COM	tcpha->tha_ack = htonl(tcp->tcp_rnxt);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (mp == NULL)
11754SKacheong.Poon@Sun.COM		goto xmit_check;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Update SACK list */
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
11754SKacheong.Poon@Sun.COM		tcp_sack_remove(tcp->tcp_sack_list, tcp->tcp_rnxt,
11754SKacheong.Poon@Sun.COM		    &(tcp->tcp_num_sack_blk));
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_urp_mp) {
11754SKacheong.Poon@Sun.COM		tcp->tcp_urp_mp->b_cont = mp;
11754SKacheong.Poon@Sun.COM		mp = tcp->tcp_urp_mp;
11754SKacheong.Poon@Sun.COM		tcp->tcp_urp_mp = NULL;
11754SKacheong.Poon@Sun.COM		/* Ready for a new signal. */
11754SKacheong.Poon@Sun.COM		tcp->tcp_urp_last_valid = B_FALSE;
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM		(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM		    "tcp_rput: sending exdata_ind %s",
11754SKacheong.Poon@Sun.COM		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Check for ancillary data changes compared to last segment.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_all != 0) {
11754SKacheong.Poon@Sun.COM		mp = tcp_input_add_ancillary(tcp, mp, &ipp, ira);
11754SKacheong.Poon@Sun.COM		if (mp == NULL)
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
12643SAnders.Persson@Sun.COM	if (IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Non-STREAMS socket
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		boolean_t push = flags & (TH_PUSH|TH_FIN);
11754SKacheong.Poon@Sun.COM		int error;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if ((*connp->conn_upcalls->su_recv)(
11754SKacheong.Poon@Sun.COM		    connp->conn_upper_handle,
11754SKacheong.Poon@Sun.COM		    mp, seg_len, 0, &error, &push) <= 0) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * We should never be in middle of a
11754SKacheong.Poon@Sun.COM			 * fallback, the squeue guarantees that.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			ASSERT(error != EOPNOTSUPP);
11754SKacheong.Poon@Sun.COM			if (error == ENOSPC)
11754SKacheong.Poon@Sun.COM				tcp->tcp_rwnd -= seg_len;
11754SKacheong.Poon@Sun.COM		} else if (push) {
11754SKacheong.Poon@Sun.COM			/* PUSH bit set and sockfs is not flow controlled */
11754SKacheong.Poon@Sun.COM			flags |= tcp_rwnd_reopen(tcp);
11754SKacheong.Poon@Sun.COM		}
12643SAnders.Persson@Sun.COM	} else if (tcp->tcp_listener != NULL || tcp->tcp_hard_binding) {
12643SAnders.Persson@Sun.COM		/*
12643SAnders.Persson@Sun.COM		 * Side queue inbound data until the accept happens.
12643SAnders.Persson@Sun.COM		 * tcp_accept/tcp_rput drains this when the accept happens.
12643SAnders.Persson@Sun.COM		 * M_DATA is queued on b_cont. Otherwise (T_OPTDATA_IND or
12643SAnders.Persson@Sun.COM		 * T_EXDATA_IND) it is queued on b_next.
12643SAnders.Persson@Sun.COM		 * XXX Make urgent data use this. Requires:
12643SAnders.Persson@Sun.COM		 *	Removing tcp_listener check for TH_URG
12643SAnders.Persson@Sun.COM		 *	Making M_PCPROTO and MARK messages skip the eager case
12643SAnders.Persson@Sun.COM		 */
12643SAnders.Persson@Sun.COM
12644SAnders.Persson@Sun.COM		tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
11754SKacheong.Poon@Sun.COM	} else {
12643SAnders.Persson@Sun.COM		/* Active STREAMS socket */
11754SKacheong.Poon@Sun.COM		if (mp->b_datap->db_type != M_DATA ||
11754SKacheong.Poon@Sun.COM		    (flags & TH_MARKNEXT_NEEDED)) {
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_rcv_list != NULL) {
11754SKacheong.Poon@Sun.COM				flags |= tcp_rcv_drain(tcp);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			ASSERT(tcp->tcp_rcv_list == NULL ||
11754SKacheong.Poon@Sun.COM			    tcp->tcp_fused_sigurg);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			if (flags & TH_MARKNEXT_NEEDED) {
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM				    "tcp_rput: sending MSGMARKNEXT %s",
11754SKacheong.Poon@Sun.COM				    tcp_display(tcp, NULL,
11754SKacheong.Poon@Sun.COM				    DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM				mp->b_flag |= MSGMARKNEXT;
11754SKacheong.Poon@Sun.COM				flags &= ~TH_MARKNEXT_NEEDED;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
12644SAnders.Persson@Sun.COM			if (is_system_labeled())
12644SAnders.Persson@Sun.COM				tcp_setcred_data(mp, ira);
12644SAnders.Persson@Sun.COM
12644SAnders.Persson@Sun.COM			putnext(connp->conn_rq, mp);
12644SAnders.Persson@Sun.COM			if (!canputnext(connp->conn_rq))
12644SAnders.Persson@Sun.COM				tcp->tcp_rwnd -= seg_len;
11754SKacheong.Poon@Sun.COM		} else if ((flags & (TH_PUSH|TH_FIN)) ||
11754SKacheong.Poon@Sun.COM		    tcp->tcp_rcv_cnt + seg_len >= connp->conn_rcvbuf >> 3) {
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_rcv_list != NULL) {
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * Enqueue the new segment first and then
11754SKacheong.Poon@Sun.COM				 * call tcp_rcv_drain() to send all data
11754SKacheong.Poon@Sun.COM				 * up.  The other way to do this is to
11754SKacheong.Poon@Sun.COM				 * send all queued data up and then call
11754SKacheong.Poon@Sun.COM				 * putnext() to send the new segment up.
11754SKacheong.Poon@Sun.COM				 * This way can remove the else part later
11754SKacheong.Poon@Sun.COM				 * on.
11754SKacheong.Poon@Sun.COM				 *
11754SKacheong.Poon@Sun.COM				 * We don't do this to avoid one more call to
11754SKacheong.Poon@Sun.COM				 * canputnext() as tcp_rcv_drain() needs to
11754SKacheong.Poon@Sun.COM				 * call canputnext().
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				tcp_rcv_enqueue(tcp, mp, seg_len,
11754SKacheong.Poon@Sun.COM				    ira->ira_cred);
11754SKacheong.Poon@Sun.COM				flags |= tcp_rcv_drain(tcp);
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				if (is_system_labeled())
11754SKacheong.Poon@Sun.COM					tcp_setcred_data(mp, ira);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM				putnext(connp->conn_rq, mp);
11754SKacheong.Poon@Sun.COM				if (!canputnext(connp->conn_rq))
11754SKacheong.Poon@Sun.COM					tcp->tcp_rwnd -= seg_len;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Enqueue all packets when processing an mblk
11754SKacheong.Poon@Sun.COM			 * from the co queue and also enqueue normal packets.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Make sure the timer is running if we have data waiting
11754SKacheong.Poon@Sun.COM		 * for a push bit. This provides resiliency against
11754SKacheong.Poon@Sun.COM		 * implementations that do not correctly generate push bits.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rcv_list != NULL && tcp->tcp_push_tid == 0) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * The connection may be closed at this point, so don't
11754SKacheong.Poon@Sun.COM			 * do anything for a detached tcp.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (!TCP_IS_DETACHED(tcp))
11754SKacheong.Poon@Sun.COM				tcp->tcp_push_tid = TCP_TIMER(tcp,
11754SKacheong.Poon@Sun.COM				    tcp_push_timer,
12056SKacheong.Poon@Sun.COM				    tcps->tcps_push_timer_interval);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COMxmit_check:
11754SKacheong.Poon@Sun.COM	/* Is there anything left to do? */
11754SKacheong.Poon@Sun.COM	ASSERT(!(flags & TH_MARKNEXT_NEEDED));
11754SKacheong.Poon@Sun.COM	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_ACK_NEEDED|
11754SKacheong.Poon@Sun.COM	    TH_NEED_SACK_REXMIT|TH_LIMIT_XMIT|TH_ACK_TIMER_NEEDED|
11754SKacheong.Poon@Sun.COM	    TH_ORDREL_NEEDED|TH_SEND_URP_MARK)) == 0)
11754SKacheong.Poon@Sun.COM		goto done;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Any transmit work to do and a non-zero window? */
11754SKacheong.Poon@Sun.COM	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_NEED_SACK_REXMIT|
11754SKacheong.Poon@Sun.COM	    TH_LIMIT_XMIT)) && tcp->tcp_swnd != 0) {
11754SKacheong.Poon@Sun.COM		if (flags & TH_REXMIT_NEEDED) {
11754SKacheong.Poon@Sun.COM			uint32_t snd_size = tcp->tcp_snxt - tcp->tcp_suna;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpOutFastRetrans);
11754SKacheong.Poon@Sun.COM			if (snd_size > mss)
11754SKacheong.Poon@Sun.COM				snd_size = mss;
11754SKacheong.Poon@Sun.COM			if (snd_size > tcp->tcp_swnd)
11754SKacheong.Poon@Sun.COM				snd_size = tcp->tcp_swnd;
11754SKacheong.Poon@Sun.COM			mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, snd_size,
11754SKacheong.Poon@Sun.COM			    NULL, NULL, tcp->tcp_suna, B_TRUE, &snd_size,
11754SKacheong.Poon@Sun.COM			    B_TRUE);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			if (mp1 != NULL) {
11754SKacheong.Poon@Sun.COM				tcp->tcp_xmit_head->b_prev =
11754SKacheong.Poon@Sun.COM				    (mblk_t *)LBOLT_FASTPATH;
11754SKacheong.Poon@Sun.COM				tcp->tcp_csuna = tcp->tcp_snxt;
11754SKacheong.Poon@Sun.COM				TCPS_BUMP_MIB(tcps, tcpRetransSegs);
11754SKacheong.Poon@Sun.COM				TCPS_UPDATE_MIB(tcps, tcpRetransBytes,
11754SKacheong.Poon@Sun.COM				    snd_size);
11754SKacheong.Poon@Sun.COM				tcp_send_data(tcp, mp1);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (flags & TH_NEED_SACK_REXMIT) {
11754SKacheong.Poon@Sun.COM			tcp_sack_rexmit(tcp, &flags);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * For TH_LIMIT_XMIT, tcp_wput_data() is called to send
11754SKacheong.Poon@Sun.COM		 * out new segment.  Note that tcp_rexmit should not be
11754SKacheong.Poon@Sun.COM		 * set, otherwise TH_LIMIT_XMIT should not be set.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (flags & (TH_XMIT_NEEDED|TH_LIMIT_XMIT)) {
11754SKacheong.Poon@Sun.COM			if (!tcp->tcp_rexmit) {
11754SKacheong.Poon@Sun.COM				tcp_wput_data(tcp, NULL, B_FALSE);
11754SKacheong.Poon@Sun.COM			} else {
11754SKacheong.Poon@Sun.COM				tcp_ss_rexmit(tcp);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Adjust tcp_cwnd back to normal value after sending
11754SKacheong.Poon@Sun.COM		 * new data segments.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (flags & TH_LIMIT_XMIT) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd -= mss << (tcp->tcp_dupack_cnt - 1);
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * This will restart the timer.  Restarting the
11754SKacheong.Poon@Sun.COM			 * timer is used to avoid a timeout before the
11754SKacheong.Poon@Sun.COM			 * limited transmitted segment's ACK gets back.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_xmit_head != NULL)
11754SKacheong.Poon@Sun.COM				tcp->tcp_xmit_head->b_prev =
11754SKacheong.Poon@Sun.COM				    (mblk_t *)LBOLT_FASTPATH;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* Anything more to do? */
11754SKacheong.Poon@Sun.COM		if ((flags & (TH_ACK_NEEDED|TH_ACK_TIMER_NEEDED|
11754SKacheong.Poon@Sun.COM		    TH_ORDREL_NEEDED|TH_SEND_URP_MARK)) == 0)
11754SKacheong.Poon@Sun.COM			goto done;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMack_check:
11754SKacheong.Poon@Sun.COM	if (flags & TH_SEND_URP_MARK) {
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_urp_mark_mp);
11754SKacheong.Poon@Sun.COM		ASSERT(!IPCL_IS_NONSTR(connp));
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Send up any queued data and then send the mark message
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rcv_list != NULL) {
11754SKacheong.Poon@Sun.COM			flags |= tcp_rcv_drain(tcp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
11754SKacheong.Poon@Sun.COM		mp1 = tcp->tcp_urp_mark_mp;
11754SKacheong.Poon@Sun.COM		tcp->tcp_urp_mark_mp = NULL;
11754SKacheong.Poon@Sun.COM		if (is_system_labeled())
11754SKacheong.Poon@Sun.COM			tcp_setcred_data(mp1, ira);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		putnext(connp->conn_rq, mp1);
11754SKacheong.Poon@Sun.COM#ifdef DEBUG
11754SKacheong.Poon@Sun.COM		(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
11754SKacheong.Poon@Sun.COM		    "tcp_rput: sending zero-length %s %s",
11754SKacheong.Poon@Sun.COM		    ((mp1->b_flag & MSGMARKNEXT) ? "MSGMARKNEXT" :
11754SKacheong.Poon@Sun.COM		    "MSGNOTMARKNEXT"),
11754SKacheong.Poon@Sun.COM		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
11754SKacheong.Poon@Sun.COM#endif /* DEBUG */
11754SKacheong.Poon@Sun.COM		flags &= ~TH_SEND_URP_MARK;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (flags & TH_ACK_NEEDED) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Time to send an ack for some reason.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		mp1 = tcp_ack_mp(tcp);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (mp1 != NULL) {
11754SKacheong.Poon@Sun.COM			tcp_send_data(tcp, mp1);
11754SKacheong.Poon@Sun.COM			BUMP_LOCAL(tcp->tcp_obsegs);
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcps, tcpOutAck);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_ack_tid != 0) {
11754SKacheong.Poon@Sun.COM			(void) TCP_TIMER_CANCEL(tcp, tcp->tcp_ack_tid);
11754SKacheong.Poon@Sun.COM			tcp->tcp_ack_tid = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (flags & TH_ACK_TIMER_NEEDED) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Arrange for deferred ACK or push wait timeout.
11754SKacheong.Poon@Sun.COM		 * Start timer if it is not already running.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_ack_tid == 0) {
11754SKacheong.Poon@Sun.COM			tcp->tcp_ack_tid = TCP_TIMER(tcp, tcp_ack_timer,
12056SKacheong.Poon@Sun.COM			    tcp->tcp_localnet ?
12056SKacheong.Poon@Sun.COM			    tcps->tcps_local_dack_interval :
12056SKacheong.Poon@Sun.COM			    tcps->tcps_deferred_ack_interval);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (flags & TH_ORDREL_NEEDED) {
11754SKacheong.Poon@Sun.COM		/*
12643SAnders.Persson@Sun.COM		 * Notify upper layer about an orderly release. If this is
12643SAnders.Persson@Sun.COM		 * a non-STREAMS socket, then just make an upcall. For STREAMS
12643SAnders.Persson@Sun.COM		 * we send up an ordrel_ind, unless this is an eager, in which
12643SAnders.Persson@Sun.COM		 * case the ordrel will be sent when tcp_accept_finish runs.
12643SAnders.Persson@Sun.COM		 * Note that for non-STREAMS we make an upcall even if it is an
12643SAnders.Persson@Sun.COM		 * eager, because we have an upper handle to send it to.
11754SKacheong.Poon@Sun.COM		 */
12643SAnders.Persson@Sun.COM		ASSERT(IPCL_IS_NONSTR(connp) || tcp->tcp_listener == NULL);
11754SKacheong.Poon@Sun.COM		ASSERT(!tcp->tcp_detached);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (IPCL_IS_NONSTR(connp)) {
11754SKacheong.Poon@Sun.COM			ASSERT(tcp->tcp_ordrel_mp == NULL);
11754SKacheong.Poon@Sun.COM			tcp->tcp_ordrel_done = B_TRUE;
11754SKacheong.Poon@Sun.COM			(*connp->conn_upcalls->su_opctl)
11754SKacheong.Poon@Sun.COM			    (connp->conn_upper_handle, SOCK_OPCTL_SHUT_RECV, 0);
11754SKacheong.Poon@Sun.COM			goto done;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_rcv_list != NULL) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Push any mblk(s) enqueued from co processing.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			flags |= tcp_rcv_drain(tcp);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		mp1 = tcp->tcp_ordrel_mp;
11754SKacheong.Poon@Sun.COM		tcp->tcp_ordrel_mp = NULL;
11754SKacheong.Poon@Sun.COM		tcp->tcp_ordrel_done = B_TRUE;
11754SKacheong.Poon@Sun.COM		putnext(connp->conn_rq, mp1);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COMdone:
11754SKacheong.Poon@Sun.COM	ASSERT(!(flags & TH_MARKNEXT_NEEDED));
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Attach ancillary data to a received TCP segments for the
11754SKacheong.Poon@Sun.COM * ancillary pieces requested by the application that are
11754SKacheong.Poon@Sun.COM * different than they were in the previous data segment.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Save the "current" values once memory allocation is ok so that
11754SKacheong.Poon@Sun.COM * when memory allocation fails we can just wait for the next data segment.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic mblk_t *
11754SKacheong.Poon@Sun.COMtcp_input_add_ancillary(tcp_t *tcp, mblk_t *mp, ip_pkt_t *ipp,
11754SKacheong.Poon@Sun.COM    ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	struct T_optdata_ind *todi;
11754SKacheong.Poon@Sun.COM	int optlen;
11754SKacheong.Poon@Sun.COM	uchar_t *optptr;
11754SKacheong.Poon@Sun.COM	struct T_opthdr *toh;
11754SKacheong.Poon@Sun.COM	crb_t addflag;	/* Which pieces to add */
11754SKacheong.Poon@Sun.COM	mblk_t *mp1;
11754SKacheong.Poon@Sun.COM	conn_t	*connp = tcp->tcp_connp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	optlen = 0;
11754SKacheong.Poon@Sun.COM	addflag.crb_all = 0;
11754SKacheong.Poon@Sun.COM	/* If app asked for pktinfo and the index has changed ... */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
11754SKacheong.Poon@Sun.COM	    ira->ira_ruifindex != tcp->tcp_recvifindex) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) +
11754SKacheong.Poon@Sun.COM		    sizeof (struct in6_pktinfo);
11754SKacheong.Poon@Sun.COM		addflag.crb_ip_recvpktinfo = 1;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for hoplimit and it has changed ... */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
11754SKacheong.Poon@Sun.COM	    ipp->ipp_hoplimit != tcp->tcp_recvhops) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
11754SKacheong.Poon@Sun.COM		addflag.crb_ipv6_recvhoplimit = 1;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for tclass and it has changed ... */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
11754SKacheong.Poon@Sun.COM	    ipp->ipp_tclass != tcp->tcp_recvtclass) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
11754SKacheong.Poon@Sun.COM		addflag.crb_ipv6_recvtclass = 1;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If app asked for hopbyhop headers and it has changed ...
11754SKacheong.Poon@Sun.COM	 * For security labels, note that (1) security labels can't change on
11754SKacheong.Poon@Sun.COM	 * a connected socket at all, (2) we're connected to at most one peer,
11754SKacheong.Poon@Sun.COM	 * (3) if anything changes, then it must be some other extra option.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
11754SKacheong.Poon@Sun.COM	    ip_cmpbuf(tcp->tcp_hopopts, tcp->tcp_hopoptslen,
11754SKacheong.Poon@Sun.COM	    (ipp->ipp_fields & IPPF_HOPOPTS),
11754SKacheong.Poon@Sun.COM	    ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) + ipp->ipp_hopoptslen;
11754SKacheong.Poon@Sun.COM		addflag.crb_ipv6_recvhopopts = 1;
11754SKacheong.Poon@Sun.COM		if (!ip_allocbuf((void **)&tcp->tcp_hopopts,
11754SKacheong.Poon@Sun.COM		    &tcp->tcp_hopoptslen, (ipp->ipp_fields & IPPF_HOPOPTS),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
11754SKacheong.Poon@Sun.COM			return (mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for dst headers before routing headers ... */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
11754SKacheong.Poon@Sun.COM	    ip_cmpbuf(tcp->tcp_rthdrdstopts, tcp->tcp_rthdrdstoptslen,
11754SKacheong.Poon@Sun.COM	    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
11754SKacheong.Poon@Sun.COM	    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) +
11754SKacheong.Poon@Sun.COM		    ipp->ipp_rthdrdstoptslen;
11754SKacheong.Poon@Sun.COM		addflag.crb_ipv6_recvrthdrdstopts = 1;
11754SKacheong.Poon@Sun.COM		if (!ip_allocbuf((void **)&tcp->tcp_rthdrdstopts,
11754SKacheong.Poon@Sun.COM		    &tcp->tcp_rthdrdstoptslen,
11754SKacheong.Poon@Sun.COM		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
11754SKacheong.Poon@Sun.COM			return (mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for routing headers and it has changed ... */
11754SKacheong.Poon@Sun.COM	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
11754SKacheong.Poon@Sun.COM	    ip_cmpbuf(tcp->tcp_rthdr, tcp->tcp_rthdrlen,
11754SKacheong.Poon@Sun.COM	    (ipp->ipp_fields & IPPF_RTHDR),
11754SKacheong.Poon@Sun.COM	    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) + ipp->ipp_rthdrlen;
11754SKacheong.Poon@Sun.COM		addflag.crb_ipv6_recvrthdr = 1;
11754SKacheong.Poon@Sun.COM		if (!ip_allocbuf((void **)&tcp->tcp_rthdr,
11754SKacheong.Poon@Sun.COM		    &tcp->tcp_rthdrlen, (ipp->ipp_fields & IPPF_RTHDR),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
11754SKacheong.Poon@Sun.COM			return (mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for dest headers and it has changed ... */
11754SKacheong.Poon@Sun.COM	if ((connp->conn_recv_ancillary.crb_ipv6_recvdstopts ||
11754SKacheong.Poon@Sun.COM	    connp->conn_recv_ancillary.crb_old_ipv6_recvdstopts) &&
11754SKacheong.Poon@Sun.COM	    ip_cmpbuf(tcp->tcp_dstopts, tcp->tcp_dstoptslen,
11754SKacheong.Poon@Sun.COM	    (ipp->ipp_fields & IPPF_DSTOPTS),
11754SKacheong.Poon@Sun.COM	    ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
11754SKacheong.Poon@Sun.COM		optlen += sizeof (struct T_opthdr) + ipp->ipp_dstoptslen;
11754SKacheong.Poon@Sun.COM		addflag.crb_ipv6_recvdstopts = 1;
11754SKacheong.Poon@Sun.COM		if (!ip_allocbuf((void **)&tcp->tcp_dstopts,
11754SKacheong.Poon@Sun.COM		    &tcp->tcp_dstoptslen, (ipp->ipp_fields & IPPF_DSTOPTS),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
11754SKacheong.Poon@Sun.COM			return (mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (optlen == 0) {
11754SKacheong.Poon@Sun.COM		/* Nothing to add */
11754SKacheong.Poon@Sun.COM		return (mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	mp1 = allocb(sizeof (struct T_optdata_ind) + optlen, BPRI_MED);
11754SKacheong.Poon@Sun.COM	if (mp1 == NULL) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Defer sending ancillary data until the next TCP segment
11754SKacheong.Poon@Sun.COM		 * arrives.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		return (mp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	mp1->b_cont = mp;
11754SKacheong.Poon@Sun.COM	mp = mp1;
11754SKacheong.Poon@Sun.COM	mp->b_wptr += sizeof (*todi) + optlen;
11754SKacheong.Poon@Sun.COM	mp->b_datap->db_type = M_PROTO;
11754SKacheong.Poon@Sun.COM	todi = (struct T_optdata_ind *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM	todi->PRIM_type = T_OPTDATA_IND;
11754SKacheong.Poon@Sun.COM	todi->DATA_flag = 1;	/* MORE data */
11754SKacheong.Poon@Sun.COM	todi->OPT_length = optlen;
11754SKacheong.Poon@Sun.COM	todi->OPT_offset = sizeof (*todi);
11754SKacheong.Poon@Sun.COM	optptr = (uchar_t *)&todi[1];
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If app asked for pktinfo and the index has changed ...
11754SKacheong.Poon@Sun.COM	 * Note that the local address never changes for the connection.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ip_recvpktinfo) {
11754SKacheong.Poon@Sun.COM		struct in6_pktinfo *pkti;
11754SKacheong.Poon@Sun.COM		uint_t ifindex;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		ifindex = ira->ira_ruifindex;
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_PKTINFO;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + sizeof (*pkti);
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		pkti = (struct in6_pktinfo *)optptr;
11754SKacheong.Poon@Sun.COM		pkti->ipi6_addr = connp->conn_laddr_v6;
11754SKacheong.Poon@Sun.COM		pkti->ipi6_ifindex = ifindex;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*pkti);
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as "last" value */
11754SKacheong.Poon@Sun.COM		tcp->tcp_recvifindex = ifindex;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for hoplimit and it has changed ... */
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ipv6_recvhoplimit) {
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_HOPLIMIT;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + sizeof (uint_t);
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		*(uint_t *)optptr = ipp->ipp_hoplimit;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (uint_t);
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as "last" value */
11754SKacheong.Poon@Sun.COM		tcp->tcp_recvhops = ipp->ipp_hoplimit;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	/* If app asked for tclass and it has changed ... */
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ipv6_recvtclass) {
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_TCLASS;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + sizeof (uint_t);
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		*(uint_t *)optptr = ipp->ipp_tclass;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (uint_t);
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as "last" value */
11754SKacheong.Poon@Sun.COM		tcp->tcp_recvtclass = ipp->ipp_tclass;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ipv6_recvhopopts) {
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_HOPOPTS;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + ipp->ipp_hopoptslen;
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		bcopy((uchar_t *)ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
11754SKacheong.Poon@Sun.COM		optptr += ipp->ipp_hopoptslen;
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as last value */
11754SKacheong.Poon@Sun.COM		ip_savebuf((void **)&tcp->tcp_hopopts, &tcp->tcp_hopoptslen,
11754SKacheong.Poon@Sun.COM		    (ipp->ipp_fields & IPPF_HOPOPTS),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ipv6_recvrthdrdstopts) {
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_RTHDRDSTOPTS;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + ipp->ipp_rthdrdstoptslen;
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
11754SKacheong.Poon@Sun.COM		optptr += ipp->ipp_rthdrdstoptslen;
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as last value */
11754SKacheong.Poon@Sun.COM		ip_savebuf((void **)&tcp->tcp_rthdrdstopts,
11754SKacheong.Poon@Sun.COM		    &tcp->tcp_rthdrdstoptslen,
11754SKacheong.Poon@Sun.COM		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ipv6_recvrthdr) {
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_RTHDR;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + ipp->ipp_rthdrlen;
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
11754SKacheong.Poon@Sun.COM		optptr += ipp->ipp_rthdrlen;
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as last value */
11754SKacheong.Poon@Sun.COM		ip_savebuf((void **)&tcp->tcp_rthdr, &tcp->tcp_rthdrlen,
11754SKacheong.Poon@Sun.COM		    (ipp->ipp_fields & IPPF_RTHDR),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (addflag.crb_ipv6_recvdstopts) {
11754SKacheong.Poon@Sun.COM		toh = (struct T_opthdr *)optptr;
11754SKacheong.Poon@Sun.COM		toh->level = IPPROTO_IPV6;
11754SKacheong.Poon@Sun.COM		toh->name = IPV6_DSTOPTS;
11754SKacheong.Poon@Sun.COM		toh->len = sizeof (*toh) + ipp->ipp_dstoptslen;
11754SKacheong.Poon@Sun.COM		toh->status = 0;
11754SKacheong.Poon@Sun.COM		optptr += sizeof (*toh);
11754SKacheong.Poon@Sun.COM		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
11754SKacheong.Poon@Sun.COM		optptr += ipp->ipp_dstoptslen;
11754SKacheong.Poon@Sun.COM		ASSERT(OK_32PTR(optptr));
11754SKacheong.Poon@Sun.COM		/* Save as last value */
11754SKacheong.Poon@Sun.COM		ip_savebuf((void **)&tcp->tcp_dstopts, &tcp->tcp_dstoptslen,
11754SKacheong.Poon@Sun.COM		    (ipp->ipp_fields & IPPF_DSTOPTS),
11754SKacheong.Poon@Sun.COM		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	ASSERT(optptr == mp->b_wptr);
11754SKacheong.Poon@Sun.COM	return (mp);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* The minimum of smoothed mean deviation in RTO calculation. */
11754SKacheong.Poon@Sun.COM#define	TCP_SD_MIN	400
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Set RTO for this connection.  The formula is from Jacobson and Karels'
11754SKacheong.Poon@Sun.COM * "Congestion Avoidance and Control" in SIGCOMM '88.  The variable names
11754SKacheong.Poon@Sun.COM * are the same as those in Appendix A.2 of that paper.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * m = new measurement
11754SKacheong.Poon@Sun.COM * sa = smoothed RTT average (8 * average estimates).
11754SKacheong.Poon@Sun.COM * sv = smoothed mean deviation (mdev) of RTT (4 * deviation estimates).
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_set_rto(tcp_t *tcp, clock_t rtt)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	long m = TICK_TO_MSEC(rtt);
11754SKacheong.Poon@Sun.COM	clock_t sa = tcp->tcp_rtt_sa;
11754SKacheong.Poon@Sun.COM	clock_t sv = tcp->tcp_rtt_sd;
11754SKacheong.Poon@Sun.COM	clock_t rto;
11754SKacheong.Poon@Sun.COM	tcp_stack_t	*tcps = tcp->tcp_tcps;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	TCPS_BUMP_MIB(tcps, tcpRttUpdate);
11754SKacheong.Poon@Sun.COM	tcp->tcp_rtt_update++;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* tcp_rtt_sa is not 0 means this is a new sample. */
11754SKacheong.Poon@Sun.COM	if (sa != 0) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Update average estimator:
11754SKacheong.Poon@Sun.COM		 *	new rtt = 7/8 old rtt + 1/8 Error
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/* m is now Error in estimate. */
11754SKacheong.Poon@Sun.COM		m -= sa >> 3;
11754SKacheong.Poon@Sun.COM		if ((sa += m) <= 0) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Don't allow the smoothed average to be negative.
11754SKacheong.Poon@Sun.COM			 * We use 0 to denote reinitialization of the
11754SKacheong.Poon@Sun.COM			 * variables.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			sa = 1;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Update deviation estimator:
11754SKacheong.Poon@Sun.COM		 *	new mdev = 3/4 old mdev + 1/4 (abs(Error) - old mdev)
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (m < 0)
11754SKacheong.Poon@Sun.COM			m = -m;
11754SKacheong.Poon@Sun.COM		m -= sv >> 2;
11754SKacheong.Poon@Sun.COM		sv += m;
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * This follows BSD's implementation.  So the reinitialized
11754SKacheong.Poon@Sun.COM		 * RTO is 3 * m.  We cannot go less than 2 because if the
11754SKacheong.Poon@Sun.COM		 * link is bandwidth dominated, doubling the window size
11754SKacheong.Poon@Sun.COM		 * during slow start means doubling the RTT.  We want to be
11754SKacheong.Poon@Sun.COM		 * more conservative when we reinitialize our estimates.  3
11754SKacheong.Poon@Sun.COM		 * is just a convenient number.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		sa = m << 3;
11754SKacheong.Poon@Sun.COM		sv = m << 1;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	if (sv < TCP_SD_MIN) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * We do not know that if sa captures the delay ACK
11754SKacheong.Poon@Sun.COM		 * effect as in a long train of segments, a receiver
11754SKacheong.Poon@Sun.COM		 * does not delay its ACKs.  So set the minimum of sv
11754SKacheong.Poon@Sun.COM		 * to be TCP_SD_MIN, which is default to 400 ms, twice
11754SKacheong.Poon@Sun.COM		 * of BSD DATO.  That means the minimum of mean
11754SKacheong.Poon@Sun.COM		 * deviation is 100 ms.
11754SKacheong.Poon@Sun.COM		 *
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		sv = TCP_SD_MIN;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	tcp->tcp_rtt_sa = sa;
11754SKacheong.Poon@Sun.COM	tcp->tcp_rtt_sd = sv;
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * RTO = average estimates (sa / 8) + 4 * deviation estimates (sv)
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * Add tcp_rexmit_interval extra in case of extreme environment
11754SKacheong.Poon@Sun.COM	 * where the algorithm fails to work.  The default value of
11754SKacheong.Poon@Sun.COM	 * tcp_rexmit_interval_extra should be 0.
11754SKacheong.Poon@Sun.COM	 *
11754SKacheong.Poon@Sun.COM	 * As we use a finer grained clock than BSD and update
11754SKacheong.Poon@Sun.COM	 * RTO for every ACKs, add in another .25 of RTT to the
11754SKacheong.Poon@Sun.COM	 * deviation of RTO to accomodate burstiness of 1/4 of
11754SKacheong.Poon@Sun.COM	 * window size.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	rto = (sa >> 3) + sv + tcps->tcps_rexmit_interval_extra + (sa >> 5);
11754SKacheong.Poon@Sun.COM
12544SKacheong.Poon@Sun.COM	TCP_SET_RTO(tcp, rto);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Now, we can reset tcp_timer_backoff to use the new RTO... */
11754SKacheong.Poon@Sun.COM	tcp->tcp_timer_backoff = 0;
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * On a labeled system we have some protocols above TCP, such as RPC, which
11754SKacheong.Poon@Sun.COM * appear to assume that every mblk in a chain has a db_credp.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_setcred_data(mblk_t *mp, ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	ASSERT(is_system_labeled());
11754SKacheong.Poon@Sun.COM	ASSERT(ira->ira_cred != NULL);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	while (mp != NULL) {
11754SKacheong.Poon@Sun.COM		mblk_setcred(mp, ira->ira_cred, NOPID);
11754SKacheong.Poon@Sun.COM		mp = mp->b_cont;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COMuint_t
11754SKacheong.Poon@Sun.COMtcp_rwnd_reopen(tcp_t *tcp)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	uint_t ret = 0;
11754SKacheong.Poon@Sun.COM	uint_t thwin;
11754SKacheong.Poon@Sun.COM	conn_t *connp = tcp->tcp_connp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Learn the latest rwnd information that we sent to the other side. */
11754SKacheong.Poon@Sun.COM	thwin = ((uint_t)ntohs(tcp->tcp_tcpha->tha_win))
11754SKacheong.Poon@Sun.COM	    << tcp->tcp_rcv_ws;
11754SKacheong.Poon@Sun.COM	/* This is peer's calculated send window (our receive window). */
11754SKacheong.Poon@Sun.COM	thwin -= tcp->tcp_rnxt - tcp->tcp_rack;
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Increase the receive window to max.  But we need to do receiver
11754SKacheong.Poon@Sun.COM	 * SWS avoidance.  This means that we need to check the increase of
11754SKacheong.Poon@Sun.COM	 * of receive window is at least 1 MSS.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (connp->conn_rcvbuf - thwin >= tcp->tcp_mss) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * If the window that the other side knows is less than max
11754SKacheong.Poon@Sun.COM		 * deferred acks segments, send an update immediately.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (thwin < tcp->tcp_rack_cur_max * tcp->tcp_mss) {
11754SKacheong.Poon@Sun.COM			TCPS_BUMP_MIB(tcp->tcp_tcps, tcpOutWinUpdate);
11754SKacheong.Poon@Sun.COM			ret = TH_ACK_NEEDED;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		tcp->tcp_rwnd = connp->conn_rcvbuf;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	return (ret);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * Handle a packet that has been reclassified by TCP.
11754SKacheong.Poon@Sun.COM * This function drops the ref on connp that the caller had.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_reinput(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (connp->conn_incoming_ifindex != 0 &&
11754SKacheong.Poon@Sun.COM	    connp->conn_incoming_ifindex != ira->ira_ruifindex) {
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		CONN_DEC_REF(connp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
11754SKacheong.Poon@Sun.COM	    (ira->ira_flags & IRAF_IPSEC_SECURE)) {
11754SKacheong.Poon@Sun.COM		ip6_t *ip6h;
11754SKacheong.Poon@Sun.COM		ipha_t *ipha;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		if (ira->ira_flags & IRAF_IS_IPV4) {
11754SKacheong.Poon@Sun.COM			ipha = (ipha_t *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM			ip6h = NULL;
11754SKacheong.Poon@Sun.COM		} else {
11754SKacheong.Poon@Sun.COM			ipha = NULL;
11754SKacheong.Poon@Sun.COM			ip6h = (ip6_t *)mp->b_rptr;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		mp = ipsec_check_inbound_policy(mp, connp, ipha, ip6h, ira);
11754SKacheong.Poon@Sun.COM		if (mp == NULL) {
11754SKacheong.Poon@Sun.COM			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
11754SKacheong.Poon@Sun.COM			/* Note that mp is NULL */
11754SKacheong.Poon@Sun.COM			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
11754SKacheong.Poon@Sun.COM			CONN_DEC_REF(connp);
11754SKacheong.Poon@Sun.COM			return;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (IPCL_IS_TCP(connp)) {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * do not drain, certain use cases can blow
11754SKacheong.Poon@Sun.COM		 * the stack
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
11754SKacheong.Poon@Sun.COM		    connp->conn_recv, connp, ira,
11754SKacheong.Poon@Sun.COM		    SQ_NODRAIN, SQTAG_IP_TCP_INPUT);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		/* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
11754SKacheong.Poon@Sun.COM		(connp->conn_recv)(connp, mp, NULL,
11754SKacheong.Poon@Sun.COM		    ira);
11754SKacheong.Poon@Sun.COM		CONN_DEC_REF(connp);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* ARGSUSED */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_rsrv_input(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	conn_t	*connp = (conn_t *)arg;
11754SKacheong.Poon@Sun.COM	tcp_t	*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM	queue_t	*q = connp->conn_rq;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	ASSERT(!IPCL_IS_NONSTR(connp));
11754SKacheong.Poon@Sun.COM	mutex_enter(&tcp->tcp_rsrv_mp_lock);
11754SKacheong.Poon@Sun.COM	tcp->tcp_rsrv_mp = mp;
11754SKacheong.Poon@Sun.COM	mutex_exit(&tcp->tcp_rsrv_mp_lock);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (TCP_IS_DETACHED(tcp) || q == NULL) {
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (tcp->tcp_fused) {
11754SKacheong.Poon@Sun.COM		tcp_fuse_backenable(tcp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (canputnext(q)) {
11754SKacheong.Poon@Sun.COM		/* Not flow-controlled, open rwnd */
11754SKacheong.Poon@Sun.COM		tcp->tcp_rwnd = connp->conn_rcvbuf;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Send back a window update immediately if TCP is above
11754SKacheong.Poon@Sun.COM		 * ESTABLISHED state and the increase of the rcv window
11754SKacheong.Poon@Sun.COM		 * that the other side knows is at least 1 MSS after flow
11754SKacheong.Poon@Sun.COM		 * control is lifted.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp->tcp_state >= TCPS_ESTABLISHED &&
11754SKacheong.Poon@Sun.COM		    tcp_rwnd_reopen(tcp) == TH_ACK_NEEDED) {
11754SKacheong.Poon@Sun.COM			tcp_xmit_ctl(NULL, tcp,
11754SKacheong.Poon@Sun.COM			    (tcp->tcp_swnd == 0) ? tcp->tcp_suna :
11754SKacheong.Poon@Sun.COM			    tcp->tcp_snxt, tcp->tcp_rnxt, TH_ACK);
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * The read side service routine is called mostly when we get back-enabled as a
11754SKacheong.Poon@Sun.COM * result of flow control relief.  Since we don't actually queue anything in
11754SKacheong.Poon@Sun.COM * TCP, we have no data to send out of here.  What we do is clear the receive
11754SKacheong.Poon@Sun.COM * window, and send out a window update.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_rsrv(queue_t *q)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	conn_t		*connp = Q_TO_CONN(q);
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM	mblk_t		*mp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* No code does a putq on the read side */
11754SKacheong.Poon@Sun.COM	ASSERT(q->q_first == NULL);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If tcp->tcp_rsrv_mp == NULL, it means that tcp_rsrv() has already
11754SKacheong.Poon@Sun.COM	 * been run.  So just return.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	mutex_enter(&tcp->tcp_rsrv_mp_lock);
11754SKacheong.Poon@Sun.COM	if ((mp = tcp->tcp_rsrv_mp) == NULL) {
11754SKacheong.Poon@Sun.COM		mutex_exit(&tcp->tcp_rsrv_mp_lock);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	tcp->tcp_rsrv_mp = NULL;
11754SKacheong.Poon@Sun.COM	mutex_exit(&tcp->tcp_rsrv_mp_lock);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	CONN_INC_REF(connp);
11754SKacheong.Poon@Sun.COM	SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_rsrv_input, connp,
11754SKacheong.Poon@Sun.COM	    NULL, SQ_PROCESS, SQTAG_TCP_RSRV);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/* At minimum we need 8 bytes in the TCP header for the lookup */
11754SKacheong.Poon@Sun.COM#define	ICMP_MIN_TCP_HDR	8
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * tcp_icmp_input is called as conn_recvicmp to process ICMP error messages
11754SKacheong.Poon@Sun.COM * passed up by IP. The message is always received on the correct tcp_t.
11754SKacheong.Poon@Sun.COM * Assumes that IP has pulled up everything up to and including the ICMP header.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM/* ARGSUSED2 */
11754SKacheong.Poon@Sun.COMvoid
11754SKacheong.Poon@Sun.COMtcp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	conn_t		*connp = (conn_t *)arg1;
11754SKacheong.Poon@Sun.COM	icmph_t		*icmph;
11754SKacheong.Poon@Sun.COM	ipha_t		*ipha;
11754SKacheong.Poon@Sun.COM	int		iph_hdr_length;
11754SKacheong.Poon@Sun.COM	tcpha_t		*tcpha;
11754SKacheong.Poon@Sun.COM	uint32_t	seg_seq;
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Assume IP provides aligned packets */
11754SKacheong.Poon@Sun.COM	ASSERT(OK_32PTR(mp->b_rptr));
11754SKacheong.Poon@Sun.COM	ASSERT((MBLKL(mp) >= sizeof (ipha_t)));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Verify IP version. Anything other than IPv4 or IPv6 packet is sent
11754SKacheong.Poon@Sun.COM	 * upstream. ICMPv6 is handled in tcp_icmp_error_ipv6.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (!(ira->ira_flags & IRAF_IS_IPV4)) {
11754SKacheong.Poon@Sun.COM		tcp_icmp_error_ipv6(tcp, mp, ira);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Skip past the outer IP and ICMP headers */
11754SKacheong.Poon@Sun.COM	iph_hdr_length = ira->ira_ip_hdr_length;
11754SKacheong.Poon@Sun.COM	icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If we don't have the correct outer IP header length
11754SKacheong.Poon@Sun.COM	 * or if we don't have a complete inner IP header
11754SKacheong.Poon@Sun.COM	 * drop it.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (iph_hdr_length < sizeof (ipha_t) ||
11754SKacheong.Poon@Sun.COM	    (ipha_t *)&icmph[1] + 1 > (ipha_t *)mp->b_wptr) {
11754SKacheong.Poon@Sun.COMnoticmpv4:
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	ipha = (ipha_t *)&icmph[1];
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* Skip past the inner IP and find the ULP header */
11754SKacheong.Poon@Sun.COM	iph_hdr_length = IPH_HDR_LENGTH(ipha);
11754SKacheong.Poon@Sun.COM	tcpha = (tcpha_t *)((char *)ipha + iph_hdr_length);
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * If we don't have the correct inner IP header length or if the ULP
11754SKacheong.Poon@Sun.COM	 * is not IPPROTO_TCP or if we don't have at least ICMP_MIN_TCP_HDR
11754SKacheong.Poon@Sun.COM	 * bytes of TCP header, drop it.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (iph_hdr_length < sizeof (ipha_t) ||
11754SKacheong.Poon@Sun.COM	    ipha->ipha_protocol != IPPROTO_TCP ||
11754SKacheong.Poon@Sun.COM	    (uchar_t *)tcpha + ICMP_MIN_TCP_HDR > mp->b_wptr) {
11754SKacheong.Poon@Sun.COM		goto noticmpv4;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	seg_seq = ntohl(tcpha->tha_seq);
11754SKacheong.Poon@Sun.COM	switch (icmph->icmph_type) {
11754SKacheong.Poon@Sun.COM	case ICMP_DEST_UNREACHABLE:
11754SKacheong.Poon@Sun.COM		switch (icmph->icmph_code) {
11754SKacheong.Poon@Sun.COM		case ICMP_FRAGMENTATION_NEEDED:
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Update Path MTU, then try to send something out.
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			tcp_update_pmtu(tcp, B_TRUE);
11754SKacheong.Poon@Sun.COM			tcp_rexmit_after_error(tcp);
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		case ICMP_PORT_UNREACHABLE:
11754SKacheong.Poon@Sun.COM		case ICMP_PROTOCOL_UNREACHABLE:
11754SKacheong.Poon@Sun.COM			switch (tcp->tcp_state) {
11754SKacheong.Poon@Sun.COM			case TCPS_SYN_SENT:
11754SKacheong.Poon@Sun.COM			case TCPS_SYN_RCVD:
11754SKacheong.Poon@Sun.COM				/*
11754SKacheong.Poon@Sun.COM				 * ICMP can snipe away incipient
11754SKacheong.Poon@Sun.COM				 * TCP connections as long as
11754SKacheong.Poon@Sun.COM				 * seq number is same as initial
11754SKacheong.Poon@Sun.COM				 * send seq number.
11754SKacheong.Poon@Sun.COM				 */
11754SKacheong.Poon@Sun.COM				if (seg_seq == tcp->tcp_iss) {
11754SKacheong.Poon@Sun.COM					(void) tcp_clean_death(tcp,
11754SKacheong.Poon@Sun.COM					    ECONNREFUSED);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM				break;
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		case ICMP_HOST_UNREACHABLE:
11754SKacheong.Poon@Sun.COM		case ICMP_NET_UNREACHABLE:
11754SKacheong.Poon@Sun.COM			/* Record the error in case we finally time out. */
11754SKacheong.Poon@Sun.COM			if (icmph->icmph_code == ICMP_HOST_UNREACHABLE)
11754SKacheong.Poon@Sun.COM				tcp->tcp_client_errno = EHOSTUNREACH;
11754SKacheong.Poon@Sun.COM			else
11754SKacheong.Poon@Sun.COM				tcp->tcp_client_errno = ENETUNREACH;
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_state == TCPS_SYN_RCVD) {
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_listener != NULL &&
11754SKacheong.Poon@Sun.COM				    tcp->tcp_listener->tcp_syn_defense) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * Ditch the half-open connection if we
11754SKacheong.Poon@Sun.COM					 * suspect a SYN attack is under way.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					(void) tcp_clean_death(tcp,
11754SKacheong.Poon@Sun.COM					    tcp->tcp_client_errno);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		default:
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	case ICMP_SOURCE_QUENCH: {
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * use a global boolean to control
11754SKacheong.Poon@Sun.COM		 * whether TCP should respond to ICMP_SOURCE_QUENCH.
11754SKacheong.Poon@Sun.COM		 * The default is false.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		if (tcp_icmp_source_quench) {
11754SKacheong.Poon@Sun.COM			/*
11754SKacheong.Poon@Sun.COM			 * Reduce the sending rate as if we got a
11754SKacheong.Poon@Sun.COM			 * retransmit timeout
11754SKacheong.Poon@Sun.COM			 */
11754SKacheong.Poon@Sun.COM			uint32_t npkt;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			npkt = ((tcp->tcp_snxt - tcp->tcp_suna) >> 1) /
11754SKacheong.Poon@Sun.COM			    tcp->tcp_mss;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * tcp->tcp_mss;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd = tcp->tcp_mss;
11754SKacheong.Poon@Sun.COM			tcp->tcp_cwnd_cnt = 0;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	freemsg(mp);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * tcp_icmp_error_ipv6 is called from tcp_icmp_input to process ICMPv6
11754SKacheong.Poon@Sun.COM * error messages passed up by IP.
11754SKacheong.Poon@Sun.COM * Assumes that IP has pulled up all the extension headers as well
11754SKacheong.Poon@Sun.COM * as the ICMPv6 header.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COMstatic void
11754SKacheong.Poon@Sun.COMtcp_icmp_error_ipv6(tcp_t *tcp, mblk_t *mp, ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	icmp6_t		*icmp6;
11754SKacheong.Poon@Sun.COM	ip6_t		*ip6h;
11754SKacheong.Poon@Sun.COM	uint16_t	iph_hdr_length = ira->ira_ip_hdr_length;
11754SKacheong.Poon@Sun.COM	tcpha_t		*tcpha;
11754SKacheong.Poon@Sun.COM	uint8_t		*nexthdrp;
11754SKacheong.Poon@Sun.COM	uint32_t	seg_seq;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Verify that we have a complete IP header.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	ASSERT((MBLKL(mp) >= sizeof (ip6_t)));
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
11754SKacheong.Poon@Sun.COM	ip6h = (ip6_t *)&icmp6[1];
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Verify if we have a complete ICMP and inner IP header.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if ((uchar_t *)&ip6h[1] > mp->b_wptr) {
11754SKacheong.Poon@Sun.COMnoticmpv6:
11754SKacheong.Poon@Sun.COM		freemsg(mp);
11754SKacheong.Poon@Sun.COM		return;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp))
11754SKacheong.Poon@Sun.COM		goto noticmpv6;
11754SKacheong.Poon@Sun.COM	tcpha = (tcpha_t *)((char *)ip6h + iph_hdr_length);
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * Validate inner header. If the ULP is not IPPROTO_TCP or if we don't
11754SKacheong.Poon@Sun.COM	 * have at least ICMP_MIN_TCP_HDR bytes of  TCP header drop the
11754SKacheong.Poon@Sun.COM	 * packet.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if ((*nexthdrp != IPPROTO_TCP) ||
11754SKacheong.Poon@Sun.COM	    ((uchar_t *)tcpha + ICMP_MIN_TCP_HDR) > mp->b_wptr) {
11754SKacheong.Poon@Sun.COM		goto noticmpv6;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	seg_seq = ntohl(tcpha->tha_seq);
11754SKacheong.Poon@Sun.COM	switch (icmp6->icmp6_type) {
11754SKacheong.Poon@Sun.COM	case ICMP6_PACKET_TOO_BIG:
11754SKacheong.Poon@Sun.COM		/*
11754SKacheong.Poon@Sun.COM		 * Update Path MTU, then try to send something out.
11754SKacheong.Poon@Sun.COM		 */
11754SKacheong.Poon@Sun.COM		tcp_update_pmtu(tcp, B_TRUE);
11754SKacheong.Poon@Sun.COM		tcp_rexmit_after_error(tcp);
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	case ICMP6_DST_UNREACH:
11754SKacheong.Poon@Sun.COM		switch (icmp6->icmp6_code) {
11754SKacheong.Poon@Sun.COM		case ICMP6_DST_UNREACH_NOPORT:
11754SKacheong.Poon@Sun.COM			if (((tcp->tcp_state == TCPS_SYN_SENT) ||
11754SKacheong.Poon@Sun.COM			    (tcp->tcp_state == TCPS_SYN_RCVD)) &&
11754SKacheong.Poon@Sun.COM			    (seg_seq == tcp->tcp_iss)) {
11754SKacheong.Poon@Sun.COM				(void) tcp_clean_death(tcp, ECONNREFUSED);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		case ICMP6_DST_UNREACH_ADMIN:
11754SKacheong.Poon@Sun.COM		case ICMP6_DST_UNREACH_NOROUTE:
11754SKacheong.Poon@Sun.COM		case ICMP6_DST_UNREACH_BEYONDSCOPE:
11754SKacheong.Poon@Sun.COM		case ICMP6_DST_UNREACH_ADDR:
11754SKacheong.Poon@Sun.COM			/* Record the error in case we finally time out. */
11754SKacheong.Poon@Sun.COM			tcp->tcp_client_errno = EHOSTUNREACH;
11754SKacheong.Poon@Sun.COM			if (((tcp->tcp_state == TCPS_SYN_SENT) ||
11754SKacheong.Poon@Sun.COM			    (tcp->tcp_state == TCPS_SYN_RCVD)) &&
11754SKacheong.Poon@Sun.COM			    (seg_seq == tcp->tcp_iss)) {
11754SKacheong.Poon@Sun.COM				if (tcp->tcp_listener != NULL &&
11754SKacheong.Poon@Sun.COM				    tcp->tcp_listener->tcp_syn_defense) {
11754SKacheong.Poon@Sun.COM					/*
11754SKacheong.Poon@Sun.COM					 * Ditch the half-open connection if we
11754SKacheong.Poon@Sun.COM					 * suspect a SYN attack is under way.
11754SKacheong.Poon@Sun.COM					 */
11754SKacheong.Poon@Sun.COM					(void) tcp_clean_death(tcp,
11754SKacheong.Poon@Sun.COM					    tcp->tcp_client_errno);
11754SKacheong.Poon@Sun.COM				}
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		default:
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	case ICMP6_PARAM_PROB:
11754SKacheong.Poon@Sun.COM		/* If this corresponds to an ICMP_PROTOCOL_UNREACHABLE */
11754SKacheong.Poon@Sun.COM		if (icmp6->icmp6_code == ICMP6_PARAMPROB_NEXTHEADER &&
11754SKacheong.Poon@Sun.COM		    (uchar_t *)ip6h + icmp6->icmp6_pptr ==
11754SKacheong.Poon@Sun.COM		    (uchar_t *)nexthdrp) {
11754SKacheong.Poon@Sun.COM			if (tcp->tcp_state == TCPS_SYN_SENT ||
11754SKacheong.Poon@Sun.COM			    tcp->tcp_state == TCPS_SYN_RCVD) {
11754SKacheong.Poon@Sun.COM				(void) tcp_clean_death(tcp, ECONNREFUSED);
11754SKacheong.Poon@Sun.COM			}
11754SKacheong.Poon@Sun.COM			break;
11754SKacheong.Poon@Sun.COM		}
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	case ICMP6_TIME_EXCEEDED:
11754SKacheong.Poon@Sun.COM	default:
11754SKacheong.Poon@Sun.COM		break;
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	freemsg(mp);
11754SKacheong.Poon@Sun.COM}
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM/*
11754SKacheong.Poon@Sun.COM * CALLED OUTSIDE OF SQUEUE! It can not follow any pointers that tcp might
11754SKacheong.Poon@Sun.COM * change. But it can refer to fields like tcp_suna and tcp_snxt.
11754SKacheong.Poon@Sun.COM *
11754SKacheong.Poon@Sun.COM * Function tcp_verifyicmp is called as conn_verifyicmp to verify the ICMP
11754SKacheong.Poon@Sun.COM * error messages received by IP. The message is always received on the correct
11754SKacheong.Poon@Sun.COM * tcp_t.
11754SKacheong.Poon@Sun.COM */
11754SKacheong.Poon@Sun.COM/* ARGSUSED */
11754SKacheong.Poon@Sun.COMboolean_t
11754SKacheong.Poon@Sun.COMtcp_verifyicmp(conn_t *connp, void *arg2, icmph_t *icmph, icmp6_t *icmp6,
11754SKacheong.Poon@Sun.COM    ip_recv_attr_t *ira)
11754SKacheong.Poon@Sun.COM{
11754SKacheong.Poon@Sun.COM	tcpha_t		*tcpha = (tcpha_t *)arg2;
11754SKacheong.Poon@Sun.COM	uint32_t	seq = ntohl(tcpha->tha_seq);
11754SKacheong.Poon@Sun.COM	tcp_t		*tcp = connp->conn_tcp;
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/*
11754SKacheong.Poon@Sun.COM	 * TCP sequence number contained in payload of the ICMP error message
11754SKacheong.Poon@Sun.COM	 * should be within the range SND.UNA <= SEG.SEQ < SND.NXT. Otherwise,
11754SKacheong.Poon@Sun.COM	 * the message is either a stale ICMP error, or an attack from the
11754SKacheong.Poon@Sun.COM	 * network. Fail the verification.
11754SKacheong.Poon@Sun.COM	 */
11754SKacheong.Poon@Sun.COM	if (SEQ_LT(seq, tcp->tcp_suna) || SEQ_GEQ(seq, tcp->tcp_snxt))
11754SKacheong.Poon@Sun.COM		return (B_FALSE);
11754SKacheong.Poon@Sun.COM
11754SKacheong.Poon@Sun.COM	/* For "too big" we also check the ignore flag */
11754SKacheong.Poon@Sun.COM	if (ira->ira_flags & IRAF_IS_IPV4) {
11754SKacheong.Poon@Sun.COM		ASSERT(icmph != NULL);
11754SKacheong.Poon@Sun.COM		if (icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
11754SKacheong.Poon@Sun.COM		    icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED &&
11754SKacheong.Poon@Sun.COM		    tcp->tcp_tcps->tcps_ignore_path_mtu)
11754SKacheong.Poon@Sun.COM			return (B_FALSE);
11754SKacheong.Poon@Sun.COM	} else {
11754SKacheong.Poon@Sun.COM		ASSERT(icmp6 != NULL);
11754SKacheong.Poon@Sun.COM		if (icmp6->icmp6_type == ICMP6_PACKET_TOO_BIG &&
11754SKacheong.Poon@Sun.COM		    tcp->tcp_tcps->tcps_ignore_path_mtu)
11754SKacheong.Poon@Sun.COM			return (B_FALSE);
11754SKacheong.Poon@Sun.COM	}
11754SKacheong.Poon@Sun.COM	return (B_TRUE);
11754SKacheong.Poon@Sun.COM}