1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 4 * 5 * Begun April 1, 1996, Mike Shaver. 6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 7 */ 8 9 #include <linux/mm.h> 10 #include <linux/module.h> 11 #include <linux/sysctl.h> 12 #include <linux/igmp.h> 13 #include <linux/inetdevice.h> 14 #include <linux/seqlock.h> 15 #include <linux/init.h> 16 #include <linux/slab.h> 17 #include <linux/nsproxy.h> 18 #include <linux/swap.h> 19 #include <net/snmp.h> 20 #include <net/icmp.h> 21 #include <net/ip.h> 22 #include <net/route.h> 23 #include <net/tcp.h> 24 #include <net/udp.h> 25 #include <net/cipso_ipv4.h> 26 #include <net/inet_frag.h> 27 #include <net/ping.h> 28 #include <net/protocol.h> 29 #include <net/netevent.h> 30 31 static int zero; 32 static int one = 1; 33 static int two = 2; 34 static int four = 4; 35 static int thousand = 1000; 36 static int gso_max_segs = GSO_MAX_SEGS; 37 static int tcp_retr1_max = 255; 38 static int ip_local_port_range_min[] = { 1, 1 }; 39 static int ip_local_port_range_max[] = { 65535, 65535 }; 40 static int tcp_adv_win_scale_min = -31; 41 static int tcp_adv_win_scale_max = 31; 42 static int ip_privileged_port_min; 43 static int ip_privileged_port_max = 65535; 44 static int ip_ttl_min = 1; 45 static int ip_ttl_max = 255; 46 static int tcp_syn_retries_min = 1; 47 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 48 static int ip_ping_group_range_min[] = { 0, 0 }; 49 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 50 static int comp_sack_nr_max = 255; 51 52 /* obsolete */ 53 static int sysctl_tcp_low_latency __read_mostly; 54 55 /* Update system visible IP port range */ 56 static void set_local_port_range(struct net *net, int range[2]) 57 { 58 bool same_parity = !((range[0] ^ range[1]) & 1); 59 60 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 61 if (same_parity && !net->ipv4.ip_local_ports.warned) { 62 net->ipv4.ip_local_ports.warned = true; 63 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 64 } 65 net->ipv4.ip_local_ports.range[0] = range[0]; 66 net->ipv4.ip_local_ports.range[1] = range[1]; 67 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 68 } 69 70 /* Validate changes from /proc interface. */ 71 static int ipv4_local_port_range(struct ctl_table *table, int write, 72 void __user *buffer, 73 size_t *lenp, loff_t *ppos) 74 { 75 struct net *net = 76 container_of(table->data, struct net, ipv4.ip_local_ports.range); 77 int ret; 78 int range[2]; 79 struct ctl_table tmp = { 80 .data = &range, 81 .maxlen = sizeof(range), 82 .mode = table->mode, 83 .extra1 = &ip_local_port_range_min, 84 .extra2 = &ip_local_port_range_max, 85 }; 86 87 inet_get_local_port_range(net, &range[0], &range[1]); 88 89 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 90 91 if (write && ret == 0) { 92 /* Ensure that the upper limit is not smaller than the lower, 93 * and that the lower does not encroach upon the privileged 94 * port limit. 95 */ 96 if ((range[1] < range[0]) || 97 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 98 ret = -EINVAL; 99 else 100 set_local_port_range(net, range); 101 } 102 103 return ret; 104 } 105 106 /* Validate changes from /proc interface. */ 107 static int ipv4_privileged_ports(struct ctl_table *table, int write, 108 void __user *buffer, size_t *lenp, loff_t *ppos) 109 { 110 struct net *net = container_of(table->data, struct net, 111 ipv4.sysctl_ip_prot_sock); 112 int ret; 113 int pports; 114 int range[2]; 115 struct ctl_table tmp = { 116 .data = &pports, 117 .maxlen = sizeof(pports), 118 .mode = table->mode, 119 .extra1 = &ip_privileged_port_min, 120 .extra2 = &ip_privileged_port_max, 121 }; 122 123 pports = net->ipv4.sysctl_ip_prot_sock; 124 125 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 126 127 if (write && ret == 0) { 128 inet_get_local_port_range(net, &range[0], &range[1]); 129 /* Ensure that the local port range doesn't overlap with the 130 * privileged port range. 131 */ 132 if (range[0] < pports) 133 ret = -EINVAL; 134 else 135 net->ipv4.sysctl_ip_prot_sock = pports; 136 } 137 138 return ret; 139 } 140 141 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 142 { 143 kgid_t *data = table->data; 144 struct net *net = 145 container_of(table->data, struct net, ipv4.ping_group_range.range); 146 unsigned int seq; 147 do { 148 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 149 150 *low = data[0]; 151 *high = data[1]; 152 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 153 } 154 155 /* Update system visible IP port range */ 156 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 157 { 158 kgid_t *data = table->data; 159 struct net *net = 160 container_of(table->data, struct net, ipv4.ping_group_range.range); 161 write_seqlock(&net->ipv4.ping_group_range.lock); 162 data[0] = low; 163 data[1] = high; 164 write_sequnlock(&net->ipv4.ping_group_range.lock); 165 } 166 167 /* Validate changes from /proc interface. */ 168 static int ipv4_ping_group_range(struct ctl_table *table, int write, 169 void __user *buffer, 170 size_t *lenp, loff_t *ppos) 171 { 172 struct user_namespace *user_ns = current_user_ns(); 173 int ret; 174 gid_t urange[2]; 175 kgid_t low, high; 176 struct ctl_table tmp = { 177 .data = &urange, 178 .maxlen = sizeof(urange), 179 .mode = table->mode, 180 .extra1 = &ip_ping_group_range_min, 181 .extra2 = &ip_ping_group_range_max, 182 }; 183 184 inet_get_ping_group_range_table(table, &low, &high); 185 urange[0] = from_kgid_munged(user_ns, low); 186 urange[1] = from_kgid_munged(user_ns, high); 187 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 188 189 if (write && ret == 0) { 190 low = make_kgid(user_ns, urange[0]); 191 high = make_kgid(user_ns, urange[1]); 192 if (!gid_valid(low) || !gid_valid(high)) 193 return -EINVAL; 194 if (urange[1] < urange[0] || gid_lt(high, low)) { 195 low = make_kgid(&init_user_ns, 1); 196 high = make_kgid(&init_user_ns, 0); 197 } 198 set_ping_group_range(table, low, high); 199 } 200 201 return ret; 202 } 203 204 static int ipv4_fwd_update_priority(struct ctl_table *table, int write, 205 void __user *buffer, 206 size_t *lenp, loff_t *ppos) 207 { 208 struct net *net; 209 int ret; 210 211 net = container_of(table->data, struct net, 212 ipv4.sysctl_ip_fwd_update_priority); 213 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 214 if (write && ret == 0) 215 call_netevent_notifiers(NETEVENT_IPV4_FWD_UPDATE_PRIORITY_UPDATE, 216 net); 217 218 return ret; 219 } 220 221 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 222 void __user *buffer, size_t *lenp, loff_t *ppos) 223 { 224 struct net *net = container_of(ctl->data, struct net, 225 ipv4.tcp_congestion_control); 226 char val[TCP_CA_NAME_MAX]; 227 struct ctl_table tbl = { 228 .data = val, 229 .maxlen = TCP_CA_NAME_MAX, 230 }; 231 int ret; 232 233 tcp_get_default_congestion_control(net, val); 234 235 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 236 if (write && ret == 0) 237 ret = tcp_set_default_congestion_control(net, val); 238 return ret; 239 } 240 241 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 242 int write, 243 void __user *buffer, size_t *lenp, 244 loff_t *ppos) 245 { 246 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 247 int ret; 248 249 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 250 if (!tbl.data) 251 return -ENOMEM; 252 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 253 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 254 kfree(tbl.data); 255 return ret; 256 } 257 258 static int proc_allowed_congestion_control(struct ctl_table *ctl, 259 int write, 260 void __user *buffer, size_t *lenp, 261 loff_t *ppos) 262 { 263 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 264 int ret; 265 266 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 267 if (!tbl.data) 268 return -ENOMEM; 269 270 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 271 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 272 if (write && ret == 0) 273 ret = tcp_set_allowed_congestion_control(tbl.data); 274 kfree(tbl.data); 275 return ret; 276 } 277 278 static int proc_tcp_fastopen_key(struct ctl_table *table, int write, 279 void __user *buffer, size_t *lenp, 280 loff_t *ppos) 281 { 282 struct net *net = container_of(table->data, struct net, 283 ipv4.sysctl_tcp_fastopen); 284 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 285 struct tcp_fastopen_context *ctxt; 286 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 287 __le32 key[4]; 288 int ret, i; 289 290 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 291 if (!tbl.data) 292 return -ENOMEM; 293 294 rcu_read_lock(); 295 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx); 296 if (ctxt) 297 memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 298 else 299 memset(key, 0, sizeof(key)); 300 rcu_read_unlock(); 301 302 for (i = 0; i < ARRAY_SIZE(key); i++) 303 user_key[i] = le32_to_cpu(key[i]); 304 305 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 306 user_key[0], user_key[1], user_key[2], user_key[3]); 307 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 308 309 if (write && ret == 0) { 310 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 311 user_key + 2, user_key + 3) != 4) { 312 ret = -EINVAL; 313 goto bad_key; 314 } 315 316 for (i = 0; i < ARRAY_SIZE(user_key); i++) 317 key[i] = cpu_to_le32(user_key[i]); 318 319 tcp_fastopen_reset_cipher(net, NULL, key, 320 TCP_FASTOPEN_KEY_LENGTH); 321 } 322 323 bad_key: 324 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 325 user_key[0], user_key[1], user_key[2], user_key[3], 326 (char *)tbl.data, ret); 327 kfree(tbl.data); 328 return ret; 329 } 330 331 static void proc_configure_early_demux(int enabled, int protocol) 332 { 333 struct net_protocol *ipprot; 334 #if IS_ENABLED(CONFIG_IPV6) 335 struct inet6_protocol *ip6prot; 336 #endif 337 338 rcu_read_lock(); 339 340 ipprot = rcu_dereference(inet_protos[protocol]); 341 if (ipprot) 342 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 343 NULL; 344 345 #if IS_ENABLED(CONFIG_IPV6) 346 ip6prot = rcu_dereference(inet6_protos[protocol]); 347 if (ip6prot) 348 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 349 NULL; 350 #endif 351 rcu_read_unlock(); 352 } 353 354 static int proc_tcp_early_demux(struct ctl_table *table, int write, 355 void __user *buffer, size_t *lenp, loff_t *ppos) 356 { 357 int ret = 0; 358 359 ret = proc_dointvec(table, write, buffer, lenp, ppos); 360 361 if (write && !ret) { 362 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 363 364 proc_configure_early_demux(enabled, IPPROTO_TCP); 365 } 366 367 return ret; 368 } 369 370 static int proc_udp_early_demux(struct ctl_table *table, int write, 371 void __user *buffer, size_t *lenp, loff_t *ppos) 372 { 373 int ret = 0; 374 375 ret = proc_dointvec(table, write, buffer, lenp, ppos); 376 377 if (write && !ret) { 378 int enabled = init_net.ipv4.sysctl_udp_early_demux; 379 380 proc_configure_early_demux(enabled, IPPROTO_UDP); 381 } 382 383 return ret; 384 } 385 386 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 387 int write, 388 void __user *buffer, 389 size_t *lenp, loff_t *ppos) 390 { 391 struct net *net = container_of(table->data, struct net, 392 ipv4.sysctl_tcp_fastopen_blackhole_timeout); 393 int ret; 394 395 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 396 if (write && ret == 0) 397 atomic_set(&net->ipv4.tfo_active_disable_times, 0); 398 399 return ret; 400 } 401 402 static int proc_tcp_available_ulp(struct ctl_table *ctl, 403 int write, 404 void __user *buffer, size_t *lenp, 405 loff_t *ppos) 406 { 407 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 408 int ret; 409 410 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 411 if (!tbl.data) 412 return -ENOMEM; 413 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 414 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 415 kfree(tbl.data); 416 417 return ret; 418 } 419 420 #ifdef CONFIG_IP_ROUTE_MULTIPATH 421 static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write, 422 void __user *buffer, size_t *lenp, 423 loff_t *ppos) 424 { 425 struct net *net = container_of(table->data, struct net, 426 ipv4.sysctl_fib_multipath_hash_policy); 427 int ret; 428 429 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 430 if (write && ret == 0) 431 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net); 432 433 return ret; 434 } 435 #endif 436 437 static struct ctl_table ipv4_table[] = { 438 { 439 .procname = "tcp_max_orphans", 440 .data = &sysctl_tcp_max_orphans, 441 .maxlen = sizeof(int), 442 .mode = 0644, 443 .proc_handler = proc_dointvec 444 }, 445 { 446 .procname = "inet_peer_threshold", 447 .data = &inet_peer_threshold, 448 .maxlen = sizeof(int), 449 .mode = 0644, 450 .proc_handler = proc_dointvec 451 }, 452 { 453 .procname = "inet_peer_minttl", 454 .data = &inet_peer_minttl, 455 .maxlen = sizeof(int), 456 .mode = 0644, 457 .proc_handler = proc_dointvec_jiffies, 458 }, 459 { 460 .procname = "inet_peer_maxttl", 461 .data = &inet_peer_maxttl, 462 .maxlen = sizeof(int), 463 .mode = 0644, 464 .proc_handler = proc_dointvec_jiffies, 465 }, 466 { 467 .procname = "tcp_mem", 468 .maxlen = sizeof(sysctl_tcp_mem), 469 .data = &sysctl_tcp_mem, 470 .mode = 0644, 471 .proc_handler = proc_doulongvec_minmax, 472 }, 473 { 474 .procname = "tcp_low_latency", 475 .data = &sysctl_tcp_low_latency, 476 .maxlen = sizeof(int), 477 .mode = 0644, 478 .proc_handler = proc_dointvec 479 }, 480 #ifdef CONFIG_NETLABEL 481 { 482 .procname = "cipso_cache_enable", 483 .data = &cipso_v4_cache_enabled, 484 .maxlen = sizeof(int), 485 .mode = 0644, 486 .proc_handler = proc_dointvec, 487 }, 488 { 489 .procname = "cipso_cache_bucket_size", 490 .data = &cipso_v4_cache_bucketsize, 491 .maxlen = sizeof(int), 492 .mode = 0644, 493 .proc_handler = proc_dointvec, 494 }, 495 { 496 .procname = "cipso_rbm_optfmt", 497 .data = &cipso_v4_rbm_optfmt, 498 .maxlen = sizeof(int), 499 .mode = 0644, 500 .proc_handler = proc_dointvec, 501 }, 502 { 503 .procname = "cipso_rbm_strictvalid", 504 .data = &cipso_v4_rbm_strictvalid, 505 .maxlen = sizeof(int), 506 .mode = 0644, 507 .proc_handler = proc_dointvec, 508 }, 509 #endif /* CONFIG_NETLABEL */ 510 { 511 .procname = "tcp_available_congestion_control", 512 .maxlen = TCP_CA_BUF_MAX, 513 .mode = 0444, 514 .proc_handler = proc_tcp_available_congestion_control, 515 }, 516 { 517 .procname = "tcp_allowed_congestion_control", 518 .maxlen = TCP_CA_BUF_MAX, 519 .mode = 0644, 520 .proc_handler = proc_allowed_congestion_control, 521 }, 522 { 523 .procname = "tcp_available_ulp", 524 .maxlen = TCP_ULP_BUF_MAX, 525 .mode = 0444, 526 .proc_handler = proc_tcp_available_ulp, 527 }, 528 { 529 .procname = "icmp_msgs_per_sec", 530 .data = &sysctl_icmp_msgs_per_sec, 531 .maxlen = sizeof(int), 532 .mode = 0644, 533 .proc_handler = proc_dointvec_minmax, 534 .extra1 = &zero, 535 }, 536 { 537 .procname = "icmp_msgs_burst", 538 .data = &sysctl_icmp_msgs_burst, 539 .maxlen = sizeof(int), 540 .mode = 0644, 541 .proc_handler = proc_dointvec_minmax, 542 .extra1 = &zero, 543 }, 544 { 545 .procname = "udp_mem", 546 .data = &sysctl_udp_mem, 547 .maxlen = sizeof(sysctl_udp_mem), 548 .mode = 0644, 549 .proc_handler = proc_doulongvec_minmax, 550 }, 551 { } 552 }; 553 554 static struct ctl_table ipv4_net_table[] = { 555 { 556 .procname = "icmp_echo_ignore_all", 557 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 558 .maxlen = sizeof(int), 559 .mode = 0644, 560 .proc_handler = proc_dointvec 561 }, 562 { 563 .procname = "icmp_echo_ignore_broadcasts", 564 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 565 .maxlen = sizeof(int), 566 .mode = 0644, 567 .proc_handler = proc_dointvec 568 }, 569 { 570 .procname = "icmp_ignore_bogus_error_responses", 571 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 572 .maxlen = sizeof(int), 573 .mode = 0644, 574 .proc_handler = proc_dointvec 575 }, 576 { 577 .procname = "icmp_errors_use_inbound_ifaddr", 578 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 579 .maxlen = sizeof(int), 580 .mode = 0644, 581 .proc_handler = proc_dointvec 582 }, 583 { 584 .procname = "icmp_ratelimit", 585 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 586 .maxlen = sizeof(int), 587 .mode = 0644, 588 .proc_handler = proc_dointvec_ms_jiffies, 589 }, 590 { 591 .procname = "icmp_ratemask", 592 .data = &init_net.ipv4.sysctl_icmp_ratemask, 593 .maxlen = sizeof(int), 594 .mode = 0644, 595 .proc_handler = proc_dointvec 596 }, 597 { 598 .procname = "ping_group_range", 599 .data = &init_net.ipv4.ping_group_range.range, 600 .maxlen = sizeof(gid_t)*2, 601 .mode = 0644, 602 .proc_handler = ipv4_ping_group_range, 603 }, 604 { 605 .procname = "tcp_ecn", 606 .data = &init_net.ipv4.sysctl_tcp_ecn, 607 .maxlen = sizeof(int), 608 .mode = 0644, 609 .proc_handler = proc_dointvec 610 }, 611 { 612 .procname = "tcp_ecn_fallback", 613 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 614 .maxlen = sizeof(int), 615 .mode = 0644, 616 .proc_handler = proc_dointvec 617 }, 618 { 619 .procname = "ip_dynaddr", 620 .data = &init_net.ipv4.sysctl_ip_dynaddr, 621 .maxlen = sizeof(int), 622 .mode = 0644, 623 .proc_handler = proc_dointvec 624 }, 625 { 626 .procname = "ip_early_demux", 627 .data = &init_net.ipv4.sysctl_ip_early_demux, 628 .maxlen = sizeof(int), 629 .mode = 0644, 630 .proc_handler = proc_dointvec 631 }, 632 { 633 .procname = "udp_early_demux", 634 .data = &init_net.ipv4.sysctl_udp_early_demux, 635 .maxlen = sizeof(int), 636 .mode = 0644, 637 .proc_handler = proc_udp_early_demux 638 }, 639 { 640 .procname = "tcp_early_demux", 641 .data = &init_net.ipv4.sysctl_tcp_early_demux, 642 .maxlen = sizeof(int), 643 .mode = 0644, 644 .proc_handler = proc_tcp_early_demux 645 }, 646 { 647 .procname = "ip_default_ttl", 648 .data = &init_net.ipv4.sysctl_ip_default_ttl, 649 .maxlen = sizeof(int), 650 .mode = 0644, 651 .proc_handler = proc_dointvec_minmax, 652 .extra1 = &ip_ttl_min, 653 .extra2 = &ip_ttl_max, 654 }, 655 { 656 .procname = "ip_local_port_range", 657 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 658 .data = &init_net.ipv4.ip_local_ports.range, 659 .mode = 0644, 660 .proc_handler = ipv4_local_port_range, 661 }, 662 { 663 .procname = "ip_local_reserved_ports", 664 .data = &init_net.ipv4.sysctl_local_reserved_ports, 665 .maxlen = 65536, 666 .mode = 0644, 667 .proc_handler = proc_do_large_bitmap, 668 }, 669 { 670 .procname = "ip_no_pmtu_disc", 671 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 672 .maxlen = sizeof(int), 673 .mode = 0644, 674 .proc_handler = proc_dointvec 675 }, 676 { 677 .procname = "ip_forward_use_pmtu", 678 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 679 .maxlen = sizeof(int), 680 .mode = 0644, 681 .proc_handler = proc_dointvec, 682 }, 683 { 684 .procname = "ip_forward_update_priority", 685 .data = &init_net.ipv4.sysctl_ip_fwd_update_priority, 686 .maxlen = sizeof(int), 687 .mode = 0644, 688 .proc_handler = ipv4_fwd_update_priority, 689 .extra1 = &zero, 690 .extra2 = &one, 691 }, 692 { 693 .procname = "ip_nonlocal_bind", 694 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 695 .maxlen = sizeof(int), 696 .mode = 0644, 697 .proc_handler = proc_dointvec 698 }, 699 { 700 .procname = "fwmark_reflect", 701 .data = &init_net.ipv4.sysctl_fwmark_reflect, 702 .maxlen = sizeof(int), 703 .mode = 0644, 704 .proc_handler = proc_dointvec, 705 }, 706 { 707 .procname = "tcp_fwmark_accept", 708 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 709 .maxlen = sizeof(int), 710 .mode = 0644, 711 .proc_handler = proc_dointvec, 712 }, 713 #ifdef CONFIG_NET_L3_MASTER_DEV 714 { 715 .procname = "tcp_l3mdev_accept", 716 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 717 .maxlen = sizeof(int), 718 .mode = 0644, 719 .proc_handler = proc_dointvec_minmax, 720 .extra1 = &zero, 721 .extra2 = &one, 722 }, 723 #endif 724 { 725 .procname = "tcp_mtu_probing", 726 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 727 .maxlen = sizeof(int), 728 .mode = 0644, 729 .proc_handler = proc_dointvec, 730 }, 731 { 732 .procname = "tcp_base_mss", 733 .data = &init_net.ipv4.sysctl_tcp_base_mss, 734 .maxlen = sizeof(int), 735 .mode = 0644, 736 .proc_handler = proc_dointvec, 737 }, 738 { 739 .procname = "tcp_probe_threshold", 740 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 741 .maxlen = sizeof(int), 742 .mode = 0644, 743 .proc_handler = proc_dointvec, 744 }, 745 { 746 .procname = "tcp_probe_interval", 747 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 748 .maxlen = sizeof(int), 749 .mode = 0644, 750 .proc_handler = proc_dointvec, 751 }, 752 { 753 .procname = "igmp_link_local_mcast_reports", 754 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 755 .maxlen = sizeof(int), 756 .mode = 0644, 757 .proc_handler = proc_dointvec 758 }, 759 { 760 .procname = "igmp_max_memberships", 761 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 762 .maxlen = sizeof(int), 763 .mode = 0644, 764 .proc_handler = proc_dointvec 765 }, 766 { 767 .procname = "igmp_max_msf", 768 .data = &init_net.ipv4.sysctl_igmp_max_msf, 769 .maxlen = sizeof(int), 770 .mode = 0644, 771 .proc_handler = proc_dointvec 772 }, 773 #ifdef CONFIG_IP_MULTICAST 774 { 775 .procname = "igmp_qrv", 776 .data = &init_net.ipv4.sysctl_igmp_qrv, 777 .maxlen = sizeof(int), 778 .mode = 0644, 779 .proc_handler = proc_dointvec_minmax, 780 .extra1 = &one 781 }, 782 #endif 783 { 784 .procname = "tcp_congestion_control", 785 .data = &init_net.ipv4.tcp_congestion_control, 786 .mode = 0644, 787 .maxlen = TCP_CA_NAME_MAX, 788 .proc_handler = proc_tcp_congestion_control, 789 }, 790 { 791 .procname = "tcp_keepalive_time", 792 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 793 .maxlen = sizeof(int), 794 .mode = 0644, 795 .proc_handler = proc_dointvec_jiffies, 796 }, 797 { 798 .procname = "tcp_keepalive_probes", 799 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 800 .maxlen = sizeof(int), 801 .mode = 0644, 802 .proc_handler = proc_dointvec 803 }, 804 { 805 .procname = "tcp_keepalive_intvl", 806 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 807 .maxlen = sizeof(int), 808 .mode = 0644, 809 .proc_handler = proc_dointvec_jiffies, 810 }, 811 { 812 .procname = "tcp_syn_retries", 813 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 814 .maxlen = sizeof(int), 815 .mode = 0644, 816 .proc_handler = proc_dointvec_minmax, 817 .extra1 = &tcp_syn_retries_min, 818 .extra2 = &tcp_syn_retries_max 819 }, 820 { 821 .procname = "tcp_synack_retries", 822 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 823 .maxlen = sizeof(int), 824 .mode = 0644, 825 .proc_handler = proc_dointvec 826 }, 827 #ifdef CONFIG_SYN_COOKIES 828 { 829 .procname = "tcp_syncookies", 830 .data = &init_net.ipv4.sysctl_tcp_syncookies, 831 .maxlen = sizeof(int), 832 .mode = 0644, 833 .proc_handler = proc_dointvec 834 }, 835 #endif 836 { 837 .procname = "tcp_reordering", 838 .data = &init_net.ipv4.sysctl_tcp_reordering, 839 .maxlen = sizeof(int), 840 .mode = 0644, 841 .proc_handler = proc_dointvec 842 }, 843 { 844 .procname = "tcp_retries1", 845 .data = &init_net.ipv4.sysctl_tcp_retries1, 846 .maxlen = sizeof(int), 847 .mode = 0644, 848 .proc_handler = proc_dointvec_minmax, 849 .extra2 = &tcp_retr1_max 850 }, 851 { 852 .procname = "tcp_retries2", 853 .data = &init_net.ipv4.sysctl_tcp_retries2, 854 .maxlen = sizeof(int), 855 .mode = 0644, 856 .proc_handler = proc_dointvec 857 }, 858 { 859 .procname = "tcp_orphan_retries", 860 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 861 .maxlen = sizeof(int), 862 .mode = 0644, 863 .proc_handler = proc_dointvec 864 }, 865 { 866 .procname = "tcp_fin_timeout", 867 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 868 .maxlen = sizeof(int), 869 .mode = 0644, 870 .proc_handler = proc_dointvec_jiffies, 871 }, 872 { 873 .procname = "tcp_notsent_lowat", 874 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 875 .maxlen = sizeof(unsigned int), 876 .mode = 0644, 877 .proc_handler = proc_douintvec, 878 }, 879 { 880 .procname = "tcp_tw_reuse", 881 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 882 .maxlen = sizeof(int), 883 .mode = 0644, 884 .proc_handler = proc_dointvec_minmax, 885 .extra1 = &zero, 886 .extra2 = &two, 887 }, 888 { 889 .procname = "tcp_max_tw_buckets", 890 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 891 .maxlen = sizeof(int), 892 .mode = 0644, 893 .proc_handler = proc_dointvec 894 }, 895 { 896 .procname = "tcp_max_syn_backlog", 897 .data = &init_net.ipv4.sysctl_max_syn_backlog, 898 .maxlen = sizeof(int), 899 .mode = 0644, 900 .proc_handler = proc_dointvec 901 }, 902 { 903 .procname = "tcp_fastopen", 904 .data = &init_net.ipv4.sysctl_tcp_fastopen, 905 .maxlen = sizeof(int), 906 .mode = 0644, 907 .proc_handler = proc_dointvec, 908 }, 909 { 910 .procname = "tcp_fastopen_key", 911 .mode = 0600, 912 .data = &init_net.ipv4.sysctl_tcp_fastopen, 913 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 914 .proc_handler = proc_tcp_fastopen_key, 915 }, 916 { 917 .procname = "tcp_fastopen_blackhole_timeout_sec", 918 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout, 919 .maxlen = sizeof(int), 920 .mode = 0644, 921 .proc_handler = proc_tfo_blackhole_detect_timeout, 922 .extra1 = &zero, 923 }, 924 #ifdef CONFIG_IP_ROUTE_MULTIPATH 925 { 926 .procname = "fib_multipath_use_neigh", 927 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 928 .maxlen = sizeof(int), 929 .mode = 0644, 930 .proc_handler = proc_dointvec_minmax, 931 .extra1 = &zero, 932 .extra2 = &one, 933 }, 934 { 935 .procname = "fib_multipath_hash_policy", 936 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 937 .maxlen = sizeof(int), 938 .mode = 0644, 939 .proc_handler = proc_fib_multipath_hash_policy, 940 .extra1 = &zero, 941 .extra2 = &one, 942 }, 943 #endif 944 { 945 .procname = "ip_unprivileged_port_start", 946 .maxlen = sizeof(int), 947 .data = &init_net.ipv4.sysctl_ip_prot_sock, 948 .mode = 0644, 949 .proc_handler = ipv4_privileged_ports, 950 }, 951 #ifdef CONFIG_NET_L3_MASTER_DEV 952 { 953 .procname = "udp_l3mdev_accept", 954 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 955 .maxlen = sizeof(int), 956 .mode = 0644, 957 .proc_handler = proc_dointvec_minmax, 958 .extra1 = &zero, 959 .extra2 = &one, 960 }, 961 #endif 962 { 963 .procname = "tcp_sack", 964 .data = &init_net.ipv4.sysctl_tcp_sack, 965 .maxlen = sizeof(int), 966 .mode = 0644, 967 .proc_handler = proc_dointvec 968 }, 969 { 970 .procname = "tcp_window_scaling", 971 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 972 .maxlen = sizeof(int), 973 .mode = 0644, 974 .proc_handler = proc_dointvec 975 }, 976 { 977 .procname = "tcp_timestamps", 978 .data = &init_net.ipv4.sysctl_tcp_timestamps, 979 .maxlen = sizeof(int), 980 .mode = 0644, 981 .proc_handler = proc_dointvec 982 }, 983 { 984 .procname = "tcp_early_retrans", 985 .data = &init_net.ipv4.sysctl_tcp_early_retrans, 986 .maxlen = sizeof(int), 987 .mode = 0644, 988 .proc_handler = proc_dointvec_minmax, 989 .extra1 = &zero, 990 .extra2 = &four, 991 }, 992 { 993 .procname = "tcp_recovery", 994 .data = &init_net.ipv4.sysctl_tcp_recovery, 995 .maxlen = sizeof(int), 996 .mode = 0644, 997 .proc_handler = proc_dointvec, 998 }, 999 { 1000 .procname = "tcp_thin_linear_timeouts", 1001 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts, 1002 .maxlen = sizeof(int), 1003 .mode = 0644, 1004 .proc_handler = proc_dointvec 1005 }, 1006 { 1007 .procname = "tcp_slow_start_after_idle", 1008 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle, 1009 .maxlen = sizeof(int), 1010 .mode = 0644, 1011 .proc_handler = proc_dointvec 1012 }, 1013 { 1014 .procname = "tcp_retrans_collapse", 1015 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse, 1016 .maxlen = sizeof(int), 1017 .mode = 0644, 1018 .proc_handler = proc_dointvec 1019 }, 1020 { 1021 .procname = "tcp_stdurg", 1022 .data = &init_net.ipv4.sysctl_tcp_stdurg, 1023 .maxlen = sizeof(int), 1024 .mode = 0644, 1025 .proc_handler = proc_dointvec 1026 }, 1027 { 1028 .procname = "tcp_rfc1337", 1029 .data = &init_net.ipv4.sysctl_tcp_rfc1337, 1030 .maxlen = sizeof(int), 1031 .mode = 0644, 1032 .proc_handler = proc_dointvec 1033 }, 1034 { 1035 .procname = "tcp_abort_on_overflow", 1036 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow, 1037 .maxlen = sizeof(int), 1038 .mode = 0644, 1039 .proc_handler = proc_dointvec 1040 }, 1041 { 1042 .procname = "tcp_fack", 1043 .data = &init_net.ipv4.sysctl_tcp_fack, 1044 .maxlen = sizeof(int), 1045 .mode = 0644, 1046 .proc_handler = proc_dointvec 1047 }, 1048 { 1049 .procname = "tcp_max_reordering", 1050 .data = &init_net.ipv4.sysctl_tcp_max_reordering, 1051 .maxlen = sizeof(int), 1052 .mode = 0644, 1053 .proc_handler = proc_dointvec 1054 }, 1055 { 1056 .procname = "tcp_dsack", 1057 .data = &init_net.ipv4.sysctl_tcp_dsack, 1058 .maxlen = sizeof(int), 1059 .mode = 0644, 1060 .proc_handler = proc_dointvec 1061 }, 1062 { 1063 .procname = "tcp_app_win", 1064 .data = &init_net.ipv4.sysctl_tcp_app_win, 1065 .maxlen = sizeof(int), 1066 .mode = 0644, 1067 .proc_handler = proc_dointvec 1068 }, 1069 { 1070 .procname = "tcp_adv_win_scale", 1071 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale, 1072 .maxlen = sizeof(int), 1073 .mode = 0644, 1074 .proc_handler = proc_dointvec_minmax, 1075 .extra1 = &tcp_adv_win_scale_min, 1076 .extra2 = &tcp_adv_win_scale_max, 1077 }, 1078 { 1079 .procname = "tcp_frto", 1080 .data = &init_net.ipv4.sysctl_tcp_frto, 1081 .maxlen = sizeof(int), 1082 .mode = 0644, 1083 .proc_handler = proc_dointvec 1084 }, 1085 { 1086 .procname = "tcp_no_metrics_save", 1087 .data = &init_net.ipv4.sysctl_tcp_nometrics_save, 1088 .maxlen = sizeof(int), 1089 .mode = 0644, 1090 .proc_handler = proc_dointvec, 1091 }, 1092 { 1093 .procname = "tcp_moderate_rcvbuf", 1094 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf, 1095 .maxlen = sizeof(int), 1096 .mode = 0644, 1097 .proc_handler = proc_dointvec, 1098 }, 1099 { 1100 .procname = "tcp_tso_win_divisor", 1101 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor, 1102 .maxlen = sizeof(int), 1103 .mode = 0644, 1104 .proc_handler = proc_dointvec, 1105 }, 1106 { 1107 .procname = "tcp_workaround_signed_windows", 1108 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows, 1109 .maxlen = sizeof(int), 1110 .mode = 0644, 1111 .proc_handler = proc_dointvec 1112 }, 1113 { 1114 .procname = "tcp_limit_output_bytes", 1115 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes, 1116 .maxlen = sizeof(int), 1117 .mode = 0644, 1118 .proc_handler = proc_dointvec 1119 }, 1120 { 1121 .procname = "tcp_challenge_ack_limit", 1122 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit, 1123 .maxlen = sizeof(int), 1124 .mode = 0644, 1125 .proc_handler = proc_dointvec 1126 }, 1127 { 1128 .procname = "tcp_min_tso_segs", 1129 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs, 1130 .maxlen = sizeof(int), 1131 .mode = 0644, 1132 .proc_handler = proc_dointvec_minmax, 1133 .extra1 = &one, 1134 .extra2 = &gso_max_segs, 1135 }, 1136 { 1137 .procname = "tcp_min_rtt_wlen", 1138 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, 1139 .maxlen = sizeof(int), 1140 .mode = 0644, 1141 .proc_handler = proc_dointvec 1142 }, 1143 { 1144 .procname = "tcp_autocorking", 1145 .data = &init_net.ipv4.sysctl_tcp_autocorking, 1146 .maxlen = sizeof(int), 1147 .mode = 0644, 1148 .proc_handler = proc_dointvec_minmax, 1149 .extra1 = &zero, 1150 .extra2 = &one, 1151 }, 1152 { 1153 .procname = "tcp_invalid_ratelimit", 1154 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit, 1155 .maxlen = sizeof(int), 1156 .mode = 0644, 1157 .proc_handler = proc_dointvec_ms_jiffies, 1158 }, 1159 { 1160 .procname = "tcp_pacing_ss_ratio", 1161 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio, 1162 .maxlen = sizeof(int), 1163 .mode = 0644, 1164 .proc_handler = proc_dointvec_minmax, 1165 .extra1 = &zero, 1166 .extra2 = &thousand, 1167 }, 1168 { 1169 .procname = "tcp_pacing_ca_ratio", 1170 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio, 1171 .maxlen = sizeof(int), 1172 .mode = 0644, 1173 .proc_handler = proc_dointvec_minmax, 1174 .extra1 = &zero, 1175 .extra2 = &thousand, 1176 }, 1177 { 1178 .procname = "tcp_wmem", 1179 .data = &init_net.ipv4.sysctl_tcp_wmem, 1180 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem), 1181 .mode = 0644, 1182 .proc_handler = proc_dointvec_minmax, 1183 .extra1 = &one, 1184 }, 1185 { 1186 .procname = "tcp_rmem", 1187 .data = &init_net.ipv4.sysctl_tcp_rmem, 1188 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem), 1189 .mode = 0644, 1190 .proc_handler = proc_dointvec_minmax, 1191 .extra1 = &one, 1192 }, 1193 { 1194 .procname = "tcp_comp_sack_delay_ns", 1195 .data = &init_net.ipv4.sysctl_tcp_comp_sack_delay_ns, 1196 .maxlen = sizeof(unsigned long), 1197 .mode = 0644, 1198 .proc_handler = proc_doulongvec_minmax, 1199 }, 1200 { 1201 .procname = "tcp_comp_sack_nr", 1202 .data = &init_net.ipv4.sysctl_tcp_comp_sack_nr, 1203 .maxlen = sizeof(int), 1204 .mode = 0644, 1205 .proc_handler = proc_dointvec_minmax, 1206 .extra1 = &zero, 1207 .extra2 = &comp_sack_nr_max, 1208 }, 1209 { 1210 .procname = "udp_rmem_min", 1211 .data = &init_net.ipv4.sysctl_udp_rmem_min, 1212 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min), 1213 .mode = 0644, 1214 .proc_handler = proc_dointvec_minmax, 1215 .extra1 = &one 1216 }, 1217 { 1218 .procname = "udp_wmem_min", 1219 .data = &init_net.ipv4.sysctl_udp_wmem_min, 1220 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min), 1221 .mode = 0644, 1222 .proc_handler = proc_dointvec_minmax, 1223 .extra1 = &one 1224 }, 1225 { } 1226 }; 1227 1228 static __net_init int ipv4_sysctl_init_net(struct net *net) 1229 { 1230 struct ctl_table *table; 1231 1232 table = ipv4_net_table; 1233 if (!net_eq(net, &init_net)) { 1234 int i; 1235 1236 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1237 if (!table) 1238 goto err_alloc; 1239 1240 /* Update the variables to point into the current struct net */ 1241 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1242 table[i].data += (void *)net - (void *)&init_net; 1243 } 1244 1245 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1246 if (!net->ipv4.ipv4_hdr) 1247 goto err_reg; 1248 1249 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1250 if (!net->ipv4.sysctl_local_reserved_ports) 1251 goto err_ports; 1252 1253 return 0; 1254 1255 err_ports: 1256 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1257 err_reg: 1258 if (!net_eq(net, &init_net)) 1259 kfree(table); 1260 err_alloc: 1261 return -ENOMEM; 1262 } 1263 1264 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1265 { 1266 struct ctl_table *table; 1267 1268 kfree(net->ipv4.sysctl_local_reserved_ports); 1269 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1270 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1271 kfree(table); 1272 } 1273 1274 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1275 .init = ipv4_sysctl_init_net, 1276 .exit = ipv4_sysctl_exit_net, 1277 }; 1278 1279 static __init int sysctl_ipv4_init(void) 1280 { 1281 struct ctl_table_header *hdr; 1282 1283 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1284 if (!hdr) 1285 return -ENOMEM; 1286 1287 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1288 unregister_net_sysctl_table(hdr); 1289 return -ENOMEM; 1290 } 1291 1292 return 0; 1293 } 1294 1295 __initcall(sysctl_ipv4_init); 1296