1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 4 * 5 * Begun April 1, 1996, Mike Shaver. 6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 7 */ 8 9 #include <linux/mm.h> 10 #include <linux/module.h> 11 #include <linux/sysctl.h> 12 #include <linux/igmp.h> 13 #include <linux/inetdevice.h> 14 #include <linux/seqlock.h> 15 #include <linux/init.h> 16 #include <linux/slab.h> 17 #include <linux/nsproxy.h> 18 #include <linux/swap.h> 19 #include <net/snmp.h> 20 #include <net/icmp.h> 21 #include <net/ip.h> 22 #include <net/route.h> 23 #include <net/tcp.h> 24 #include <net/udp.h> 25 #include <net/cipso_ipv4.h> 26 #include <net/inet_frag.h> 27 #include <net/ping.h> 28 #include <net/protocol.h> 29 #include <net/netevent.h> 30 31 static int zero; 32 static int one = 1; 33 static int four = 4; 34 static int thousand = 1000; 35 static int gso_max_segs = GSO_MAX_SEGS; 36 static int tcp_retr1_max = 255; 37 static int ip_local_port_range_min[] = { 1, 1 }; 38 static int ip_local_port_range_max[] = { 65535, 65535 }; 39 static int tcp_adv_win_scale_min = -31; 40 static int tcp_adv_win_scale_max = 31; 41 static int ip_privileged_port_min; 42 static int ip_privileged_port_max = 65535; 43 static int ip_ttl_min = 1; 44 static int ip_ttl_max = 255; 45 static int tcp_syn_retries_min = 1; 46 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 47 static int ip_ping_group_range_min[] = { 0, 0 }; 48 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 49 50 /* obsolete */ 51 static int sysctl_tcp_low_latency __read_mostly; 52 53 /* Update system visible IP port range */ 54 static void set_local_port_range(struct net *net, int range[2]) 55 { 56 bool same_parity = !((range[0] ^ range[1]) & 1); 57 58 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 59 if (same_parity && !net->ipv4.ip_local_ports.warned) { 60 net->ipv4.ip_local_ports.warned = true; 61 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 62 } 63 net->ipv4.ip_local_ports.range[0] = range[0]; 64 net->ipv4.ip_local_ports.range[1] = range[1]; 65 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 66 } 67 68 /* Validate changes from /proc interface. */ 69 static int ipv4_local_port_range(struct ctl_table *table, int write, 70 void __user *buffer, 71 size_t *lenp, loff_t *ppos) 72 { 73 struct net *net = 74 container_of(table->data, struct net, ipv4.ip_local_ports.range); 75 int ret; 76 int range[2]; 77 struct ctl_table tmp = { 78 .data = &range, 79 .maxlen = sizeof(range), 80 .mode = table->mode, 81 .extra1 = &ip_local_port_range_min, 82 .extra2 = &ip_local_port_range_max, 83 }; 84 85 inet_get_local_port_range(net, &range[0], &range[1]); 86 87 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 88 89 if (write && ret == 0) { 90 /* Ensure that the upper limit is not smaller than the lower, 91 * and that the lower does not encroach upon the privileged 92 * port limit. 93 */ 94 if ((range[1] < range[0]) || 95 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 96 ret = -EINVAL; 97 else 98 set_local_port_range(net, range); 99 } 100 101 return ret; 102 } 103 104 /* Validate changes from /proc interface. */ 105 static int ipv4_privileged_ports(struct ctl_table *table, int write, 106 void __user *buffer, size_t *lenp, loff_t *ppos) 107 { 108 struct net *net = container_of(table->data, struct net, 109 ipv4.sysctl_ip_prot_sock); 110 int ret; 111 int pports; 112 int range[2]; 113 struct ctl_table tmp = { 114 .data = &pports, 115 .maxlen = sizeof(pports), 116 .mode = table->mode, 117 .extra1 = &ip_privileged_port_min, 118 .extra2 = &ip_privileged_port_max, 119 }; 120 121 pports = net->ipv4.sysctl_ip_prot_sock; 122 123 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 124 125 if (write && ret == 0) { 126 inet_get_local_port_range(net, &range[0], &range[1]); 127 /* Ensure that the local port range doesn't overlap with the 128 * privileged port range. 129 */ 130 if (range[0] < pports) 131 ret = -EINVAL; 132 else 133 net->ipv4.sysctl_ip_prot_sock = pports; 134 } 135 136 return ret; 137 } 138 139 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 140 { 141 kgid_t *data = table->data; 142 struct net *net = 143 container_of(table->data, struct net, ipv4.ping_group_range.range); 144 unsigned int seq; 145 do { 146 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 147 148 *low = data[0]; 149 *high = data[1]; 150 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 151 } 152 153 /* Update system visible IP port range */ 154 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 155 { 156 kgid_t *data = table->data; 157 struct net *net = 158 container_of(table->data, struct net, ipv4.ping_group_range.range); 159 write_seqlock(&net->ipv4.ping_group_range.lock); 160 data[0] = low; 161 data[1] = high; 162 write_sequnlock(&net->ipv4.ping_group_range.lock); 163 } 164 165 /* Validate changes from /proc interface. */ 166 static int ipv4_ping_group_range(struct ctl_table *table, int write, 167 void __user *buffer, 168 size_t *lenp, loff_t *ppos) 169 { 170 struct user_namespace *user_ns = current_user_ns(); 171 int ret; 172 gid_t urange[2]; 173 kgid_t low, high; 174 struct ctl_table tmp = { 175 .data = &urange, 176 .maxlen = sizeof(urange), 177 .mode = table->mode, 178 .extra1 = &ip_ping_group_range_min, 179 .extra2 = &ip_ping_group_range_max, 180 }; 181 182 inet_get_ping_group_range_table(table, &low, &high); 183 urange[0] = from_kgid_munged(user_ns, low); 184 urange[1] = from_kgid_munged(user_ns, high); 185 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 186 187 if (write && ret == 0) { 188 low = make_kgid(user_ns, urange[0]); 189 high = make_kgid(user_ns, urange[1]); 190 if (!gid_valid(low) || !gid_valid(high) || 191 (urange[1] < urange[0]) || gid_lt(high, low)) { 192 low = make_kgid(&init_user_ns, 1); 193 high = make_kgid(&init_user_ns, 0); 194 } 195 set_ping_group_range(table, low, high); 196 } 197 198 return ret; 199 } 200 201 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 202 void __user *buffer, size_t *lenp, loff_t *ppos) 203 { 204 char val[TCP_CA_NAME_MAX]; 205 struct ctl_table tbl = { 206 .data = val, 207 .maxlen = TCP_CA_NAME_MAX, 208 }; 209 int ret; 210 211 tcp_get_default_congestion_control(val); 212 213 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 214 if (write && ret == 0) 215 ret = tcp_set_default_congestion_control(val); 216 return ret; 217 } 218 219 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 220 int write, 221 void __user *buffer, size_t *lenp, 222 loff_t *ppos) 223 { 224 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 225 int ret; 226 227 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 228 if (!tbl.data) 229 return -ENOMEM; 230 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 231 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 232 kfree(tbl.data); 233 return ret; 234 } 235 236 static int proc_allowed_congestion_control(struct ctl_table *ctl, 237 int write, 238 void __user *buffer, size_t *lenp, 239 loff_t *ppos) 240 { 241 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 242 int ret; 243 244 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 245 if (!tbl.data) 246 return -ENOMEM; 247 248 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 249 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 250 if (write && ret == 0) 251 ret = tcp_set_allowed_congestion_control(tbl.data); 252 kfree(tbl.data); 253 return ret; 254 } 255 256 static int proc_tcp_fastopen_key(struct ctl_table *table, int write, 257 void __user *buffer, size_t *lenp, 258 loff_t *ppos) 259 { 260 struct net *net = container_of(table->data, struct net, 261 ipv4.sysctl_tcp_fastopen); 262 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 263 struct tcp_fastopen_context *ctxt; 264 int ret; 265 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 266 267 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 268 if (!tbl.data) 269 return -ENOMEM; 270 271 rcu_read_lock(); 272 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx); 273 if (ctxt) 274 memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 275 else 276 memset(user_key, 0, sizeof(user_key)); 277 rcu_read_unlock(); 278 279 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 280 user_key[0], user_key[1], user_key[2], user_key[3]); 281 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 282 283 if (write && ret == 0) { 284 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 285 user_key + 2, user_key + 3) != 4) { 286 ret = -EINVAL; 287 goto bad_key; 288 } 289 tcp_fastopen_reset_cipher(net, NULL, user_key, 290 TCP_FASTOPEN_KEY_LENGTH); 291 } 292 293 bad_key: 294 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 295 user_key[0], user_key[1], user_key[2], user_key[3], 296 (char *)tbl.data, ret); 297 kfree(tbl.data); 298 return ret; 299 } 300 301 static void proc_configure_early_demux(int enabled, int protocol) 302 { 303 struct net_protocol *ipprot; 304 #if IS_ENABLED(CONFIG_IPV6) 305 struct inet6_protocol *ip6prot; 306 #endif 307 308 rcu_read_lock(); 309 310 ipprot = rcu_dereference(inet_protos[protocol]); 311 if (ipprot) 312 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 313 NULL; 314 315 #if IS_ENABLED(CONFIG_IPV6) 316 ip6prot = rcu_dereference(inet6_protos[protocol]); 317 if (ip6prot) 318 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 319 NULL; 320 #endif 321 rcu_read_unlock(); 322 } 323 324 static int proc_tcp_early_demux(struct ctl_table *table, int write, 325 void __user *buffer, size_t *lenp, loff_t *ppos) 326 { 327 int ret = 0; 328 329 ret = proc_dointvec(table, write, buffer, lenp, ppos); 330 331 if (write && !ret) { 332 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 333 334 proc_configure_early_demux(enabled, IPPROTO_TCP); 335 } 336 337 return ret; 338 } 339 340 static int proc_udp_early_demux(struct ctl_table *table, int write, 341 void __user *buffer, size_t *lenp, loff_t *ppos) 342 { 343 int ret = 0; 344 345 ret = proc_dointvec(table, write, buffer, lenp, ppos); 346 347 if (write && !ret) { 348 int enabled = init_net.ipv4.sysctl_udp_early_demux; 349 350 proc_configure_early_demux(enabled, IPPROTO_UDP); 351 } 352 353 return ret; 354 } 355 356 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 357 int write, 358 void __user *buffer, 359 size_t *lenp, loff_t *ppos) 360 { 361 struct net *net = container_of(table->data, struct net, 362 ipv4.sysctl_tcp_fastopen_blackhole_timeout); 363 int ret; 364 365 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 366 if (write && ret == 0) 367 atomic_set(&net->ipv4.tfo_active_disable_times, 0); 368 369 return ret; 370 } 371 372 static int proc_tcp_available_ulp(struct ctl_table *ctl, 373 int write, 374 void __user *buffer, size_t *lenp, 375 loff_t *ppos) 376 { 377 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 378 int ret; 379 380 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 381 if (!tbl.data) 382 return -ENOMEM; 383 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 384 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 385 kfree(tbl.data); 386 387 return ret; 388 } 389 390 #ifdef CONFIG_IP_ROUTE_MULTIPATH 391 static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write, 392 void __user *buffer, size_t *lenp, 393 loff_t *ppos) 394 { 395 struct net *net = container_of(table->data, struct net, 396 ipv4.sysctl_fib_multipath_hash_policy); 397 int ret; 398 399 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 400 if (write && ret == 0) 401 call_netevent_notifiers(NETEVENT_MULTIPATH_HASH_UPDATE, net); 402 403 return ret; 404 } 405 #endif 406 407 static struct ctl_table ipv4_table[] = { 408 { 409 .procname = "tcp_max_orphans", 410 .data = &sysctl_tcp_max_orphans, 411 .maxlen = sizeof(int), 412 .mode = 0644, 413 .proc_handler = proc_dointvec 414 }, 415 { 416 .procname = "inet_peer_threshold", 417 .data = &inet_peer_threshold, 418 .maxlen = sizeof(int), 419 .mode = 0644, 420 .proc_handler = proc_dointvec 421 }, 422 { 423 .procname = "inet_peer_minttl", 424 .data = &inet_peer_minttl, 425 .maxlen = sizeof(int), 426 .mode = 0644, 427 .proc_handler = proc_dointvec_jiffies, 428 }, 429 { 430 .procname = "inet_peer_maxttl", 431 .data = &inet_peer_maxttl, 432 .maxlen = sizeof(int), 433 .mode = 0644, 434 .proc_handler = proc_dointvec_jiffies, 435 }, 436 { 437 .procname = "tcp_mem", 438 .maxlen = sizeof(sysctl_tcp_mem), 439 .data = &sysctl_tcp_mem, 440 .mode = 0644, 441 .proc_handler = proc_doulongvec_minmax, 442 }, 443 { 444 .procname = "tcp_wmem", 445 .data = &sysctl_tcp_wmem, 446 .maxlen = sizeof(sysctl_tcp_wmem), 447 .mode = 0644, 448 .proc_handler = proc_dointvec_minmax, 449 .extra1 = &one, 450 }, 451 { 452 .procname = "tcp_rmem", 453 .data = &sysctl_tcp_rmem, 454 .maxlen = sizeof(sysctl_tcp_rmem), 455 .mode = 0644, 456 .proc_handler = proc_dointvec_minmax, 457 .extra1 = &one, 458 }, 459 { 460 .procname = "tcp_low_latency", 461 .data = &sysctl_tcp_low_latency, 462 .maxlen = sizeof(int), 463 .mode = 0644, 464 .proc_handler = proc_dointvec 465 }, 466 { 467 .procname = "tcp_congestion_control", 468 .mode = 0644, 469 .maxlen = TCP_CA_NAME_MAX, 470 .proc_handler = proc_tcp_congestion_control, 471 }, 472 #ifdef CONFIG_NETLABEL 473 { 474 .procname = "cipso_cache_enable", 475 .data = &cipso_v4_cache_enabled, 476 .maxlen = sizeof(int), 477 .mode = 0644, 478 .proc_handler = proc_dointvec, 479 }, 480 { 481 .procname = "cipso_cache_bucket_size", 482 .data = &cipso_v4_cache_bucketsize, 483 .maxlen = sizeof(int), 484 .mode = 0644, 485 .proc_handler = proc_dointvec, 486 }, 487 { 488 .procname = "cipso_rbm_optfmt", 489 .data = &cipso_v4_rbm_optfmt, 490 .maxlen = sizeof(int), 491 .mode = 0644, 492 .proc_handler = proc_dointvec, 493 }, 494 { 495 .procname = "cipso_rbm_strictvalid", 496 .data = &cipso_v4_rbm_strictvalid, 497 .maxlen = sizeof(int), 498 .mode = 0644, 499 .proc_handler = proc_dointvec, 500 }, 501 #endif /* CONFIG_NETLABEL */ 502 { 503 .procname = "tcp_available_congestion_control", 504 .maxlen = TCP_CA_BUF_MAX, 505 .mode = 0444, 506 .proc_handler = proc_tcp_available_congestion_control, 507 }, 508 { 509 .procname = "tcp_allowed_congestion_control", 510 .maxlen = TCP_CA_BUF_MAX, 511 .mode = 0644, 512 .proc_handler = proc_allowed_congestion_control, 513 }, 514 { 515 .procname = "tcp_available_ulp", 516 .maxlen = TCP_ULP_BUF_MAX, 517 .mode = 0444, 518 .proc_handler = proc_tcp_available_ulp, 519 }, 520 { 521 .procname = "icmp_msgs_per_sec", 522 .data = &sysctl_icmp_msgs_per_sec, 523 .maxlen = sizeof(int), 524 .mode = 0644, 525 .proc_handler = proc_dointvec_minmax, 526 .extra1 = &zero, 527 }, 528 { 529 .procname = "icmp_msgs_burst", 530 .data = &sysctl_icmp_msgs_burst, 531 .maxlen = sizeof(int), 532 .mode = 0644, 533 .proc_handler = proc_dointvec_minmax, 534 .extra1 = &zero, 535 }, 536 { 537 .procname = "udp_mem", 538 .data = &sysctl_udp_mem, 539 .maxlen = sizeof(sysctl_udp_mem), 540 .mode = 0644, 541 .proc_handler = proc_doulongvec_minmax, 542 }, 543 { 544 .procname = "udp_rmem_min", 545 .data = &sysctl_udp_rmem_min, 546 .maxlen = sizeof(sysctl_udp_rmem_min), 547 .mode = 0644, 548 .proc_handler = proc_dointvec_minmax, 549 .extra1 = &one 550 }, 551 { 552 .procname = "udp_wmem_min", 553 .data = &sysctl_udp_wmem_min, 554 .maxlen = sizeof(sysctl_udp_wmem_min), 555 .mode = 0644, 556 .proc_handler = proc_dointvec_minmax, 557 .extra1 = &one 558 }, 559 { } 560 }; 561 562 static struct ctl_table ipv4_net_table[] = { 563 { 564 .procname = "icmp_echo_ignore_all", 565 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 566 .maxlen = sizeof(int), 567 .mode = 0644, 568 .proc_handler = proc_dointvec 569 }, 570 { 571 .procname = "icmp_echo_ignore_broadcasts", 572 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 573 .maxlen = sizeof(int), 574 .mode = 0644, 575 .proc_handler = proc_dointvec 576 }, 577 { 578 .procname = "icmp_ignore_bogus_error_responses", 579 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 580 .maxlen = sizeof(int), 581 .mode = 0644, 582 .proc_handler = proc_dointvec 583 }, 584 { 585 .procname = "icmp_errors_use_inbound_ifaddr", 586 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 587 .maxlen = sizeof(int), 588 .mode = 0644, 589 .proc_handler = proc_dointvec 590 }, 591 { 592 .procname = "icmp_ratelimit", 593 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 594 .maxlen = sizeof(int), 595 .mode = 0644, 596 .proc_handler = proc_dointvec_ms_jiffies, 597 }, 598 { 599 .procname = "icmp_ratemask", 600 .data = &init_net.ipv4.sysctl_icmp_ratemask, 601 .maxlen = sizeof(int), 602 .mode = 0644, 603 .proc_handler = proc_dointvec 604 }, 605 { 606 .procname = "ping_group_range", 607 .data = &init_net.ipv4.ping_group_range.range, 608 .maxlen = sizeof(gid_t)*2, 609 .mode = 0644, 610 .proc_handler = ipv4_ping_group_range, 611 }, 612 { 613 .procname = "tcp_ecn", 614 .data = &init_net.ipv4.sysctl_tcp_ecn, 615 .maxlen = sizeof(int), 616 .mode = 0644, 617 .proc_handler = proc_dointvec 618 }, 619 { 620 .procname = "tcp_ecn_fallback", 621 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 622 .maxlen = sizeof(int), 623 .mode = 0644, 624 .proc_handler = proc_dointvec 625 }, 626 { 627 .procname = "ip_dynaddr", 628 .data = &init_net.ipv4.sysctl_ip_dynaddr, 629 .maxlen = sizeof(int), 630 .mode = 0644, 631 .proc_handler = proc_dointvec 632 }, 633 { 634 .procname = "ip_early_demux", 635 .data = &init_net.ipv4.sysctl_ip_early_demux, 636 .maxlen = sizeof(int), 637 .mode = 0644, 638 .proc_handler = proc_dointvec 639 }, 640 { 641 .procname = "udp_early_demux", 642 .data = &init_net.ipv4.sysctl_udp_early_demux, 643 .maxlen = sizeof(int), 644 .mode = 0644, 645 .proc_handler = proc_udp_early_demux 646 }, 647 { 648 .procname = "tcp_early_demux", 649 .data = &init_net.ipv4.sysctl_tcp_early_demux, 650 .maxlen = sizeof(int), 651 .mode = 0644, 652 .proc_handler = proc_tcp_early_demux 653 }, 654 { 655 .procname = "ip_default_ttl", 656 .data = &init_net.ipv4.sysctl_ip_default_ttl, 657 .maxlen = sizeof(int), 658 .mode = 0644, 659 .proc_handler = proc_dointvec_minmax, 660 .extra1 = &ip_ttl_min, 661 .extra2 = &ip_ttl_max, 662 }, 663 { 664 .procname = "ip_local_port_range", 665 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 666 .data = &init_net.ipv4.ip_local_ports.range, 667 .mode = 0644, 668 .proc_handler = ipv4_local_port_range, 669 }, 670 { 671 .procname = "ip_local_reserved_ports", 672 .data = &init_net.ipv4.sysctl_local_reserved_ports, 673 .maxlen = 65536, 674 .mode = 0644, 675 .proc_handler = proc_do_large_bitmap, 676 }, 677 { 678 .procname = "ip_no_pmtu_disc", 679 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 680 .maxlen = sizeof(int), 681 .mode = 0644, 682 .proc_handler = proc_dointvec 683 }, 684 { 685 .procname = "ip_forward_use_pmtu", 686 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 687 .maxlen = sizeof(int), 688 .mode = 0644, 689 .proc_handler = proc_dointvec, 690 }, 691 { 692 .procname = "ip_nonlocal_bind", 693 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 694 .maxlen = sizeof(int), 695 .mode = 0644, 696 .proc_handler = proc_dointvec 697 }, 698 { 699 .procname = "fwmark_reflect", 700 .data = &init_net.ipv4.sysctl_fwmark_reflect, 701 .maxlen = sizeof(int), 702 .mode = 0644, 703 .proc_handler = proc_dointvec, 704 }, 705 { 706 .procname = "tcp_fwmark_accept", 707 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 708 .maxlen = sizeof(int), 709 .mode = 0644, 710 .proc_handler = proc_dointvec, 711 }, 712 #ifdef CONFIG_NET_L3_MASTER_DEV 713 { 714 .procname = "tcp_l3mdev_accept", 715 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 716 .maxlen = sizeof(int), 717 .mode = 0644, 718 .proc_handler = proc_dointvec_minmax, 719 .extra1 = &zero, 720 .extra2 = &one, 721 }, 722 #endif 723 { 724 .procname = "tcp_mtu_probing", 725 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 726 .maxlen = sizeof(int), 727 .mode = 0644, 728 .proc_handler = proc_dointvec, 729 }, 730 { 731 .procname = "tcp_base_mss", 732 .data = &init_net.ipv4.sysctl_tcp_base_mss, 733 .maxlen = sizeof(int), 734 .mode = 0644, 735 .proc_handler = proc_dointvec, 736 }, 737 { 738 .procname = "tcp_probe_threshold", 739 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 740 .maxlen = sizeof(int), 741 .mode = 0644, 742 .proc_handler = proc_dointvec, 743 }, 744 { 745 .procname = "tcp_probe_interval", 746 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 747 .maxlen = sizeof(int), 748 .mode = 0644, 749 .proc_handler = proc_dointvec, 750 }, 751 { 752 .procname = "igmp_link_local_mcast_reports", 753 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 754 .maxlen = sizeof(int), 755 .mode = 0644, 756 .proc_handler = proc_dointvec 757 }, 758 { 759 .procname = "igmp_max_memberships", 760 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 761 .maxlen = sizeof(int), 762 .mode = 0644, 763 .proc_handler = proc_dointvec 764 }, 765 { 766 .procname = "igmp_max_msf", 767 .data = &init_net.ipv4.sysctl_igmp_max_msf, 768 .maxlen = sizeof(int), 769 .mode = 0644, 770 .proc_handler = proc_dointvec 771 }, 772 #ifdef CONFIG_IP_MULTICAST 773 { 774 .procname = "igmp_qrv", 775 .data = &init_net.ipv4.sysctl_igmp_qrv, 776 .maxlen = sizeof(int), 777 .mode = 0644, 778 .proc_handler = proc_dointvec_minmax, 779 .extra1 = &one 780 }, 781 #endif 782 { 783 .procname = "tcp_keepalive_time", 784 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 785 .maxlen = sizeof(int), 786 .mode = 0644, 787 .proc_handler = proc_dointvec_jiffies, 788 }, 789 { 790 .procname = "tcp_keepalive_probes", 791 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 792 .maxlen = sizeof(int), 793 .mode = 0644, 794 .proc_handler = proc_dointvec 795 }, 796 { 797 .procname = "tcp_keepalive_intvl", 798 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 799 .maxlen = sizeof(int), 800 .mode = 0644, 801 .proc_handler = proc_dointvec_jiffies, 802 }, 803 { 804 .procname = "tcp_syn_retries", 805 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 806 .maxlen = sizeof(int), 807 .mode = 0644, 808 .proc_handler = proc_dointvec_minmax, 809 .extra1 = &tcp_syn_retries_min, 810 .extra2 = &tcp_syn_retries_max 811 }, 812 { 813 .procname = "tcp_synack_retries", 814 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 815 .maxlen = sizeof(int), 816 .mode = 0644, 817 .proc_handler = proc_dointvec 818 }, 819 #ifdef CONFIG_SYN_COOKIES 820 { 821 .procname = "tcp_syncookies", 822 .data = &init_net.ipv4.sysctl_tcp_syncookies, 823 .maxlen = sizeof(int), 824 .mode = 0644, 825 .proc_handler = proc_dointvec 826 }, 827 #endif 828 { 829 .procname = "tcp_reordering", 830 .data = &init_net.ipv4.sysctl_tcp_reordering, 831 .maxlen = sizeof(int), 832 .mode = 0644, 833 .proc_handler = proc_dointvec 834 }, 835 { 836 .procname = "tcp_retries1", 837 .data = &init_net.ipv4.sysctl_tcp_retries1, 838 .maxlen = sizeof(int), 839 .mode = 0644, 840 .proc_handler = proc_dointvec_minmax, 841 .extra2 = &tcp_retr1_max 842 }, 843 { 844 .procname = "tcp_retries2", 845 .data = &init_net.ipv4.sysctl_tcp_retries2, 846 .maxlen = sizeof(int), 847 .mode = 0644, 848 .proc_handler = proc_dointvec 849 }, 850 { 851 .procname = "tcp_orphan_retries", 852 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 853 .maxlen = sizeof(int), 854 .mode = 0644, 855 .proc_handler = proc_dointvec 856 }, 857 { 858 .procname = "tcp_fin_timeout", 859 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 860 .maxlen = sizeof(int), 861 .mode = 0644, 862 .proc_handler = proc_dointvec_jiffies, 863 }, 864 { 865 .procname = "tcp_notsent_lowat", 866 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 867 .maxlen = sizeof(unsigned int), 868 .mode = 0644, 869 .proc_handler = proc_douintvec, 870 }, 871 { 872 .procname = "tcp_tw_reuse", 873 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 874 .maxlen = sizeof(int), 875 .mode = 0644, 876 .proc_handler = proc_dointvec 877 }, 878 { 879 .procname = "tcp_max_tw_buckets", 880 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 881 .maxlen = sizeof(int), 882 .mode = 0644, 883 .proc_handler = proc_dointvec 884 }, 885 { 886 .procname = "tcp_max_syn_backlog", 887 .data = &init_net.ipv4.sysctl_max_syn_backlog, 888 .maxlen = sizeof(int), 889 .mode = 0644, 890 .proc_handler = proc_dointvec 891 }, 892 { 893 .procname = "tcp_fastopen", 894 .data = &init_net.ipv4.sysctl_tcp_fastopen, 895 .maxlen = sizeof(int), 896 .mode = 0644, 897 .proc_handler = proc_dointvec, 898 }, 899 { 900 .procname = "tcp_fastopen_key", 901 .mode = 0600, 902 .data = &init_net.ipv4.sysctl_tcp_fastopen, 903 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 904 .proc_handler = proc_tcp_fastopen_key, 905 }, 906 { 907 .procname = "tcp_fastopen_blackhole_timeout_sec", 908 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout, 909 .maxlen = sizeof(int), 910 .mode = 0644, 911 .proc_handler = proc_tfo_blackhole_detect_timeout, 912 .extra1 = &zero, 913 }, 914 #ifdef CONFIG_IP_ROUTE_MULTIPATH 915 { 916 .procname = "fib_multipath_use_neigh", 917 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 918 .maxlen = sizeof(int), 919 .mode = 0644, 920 .proc_handler = proc_dointvec_minmax, 921 .extra1 = &zero, 922 .extra2 = &one, 923 }, 924 { 925 .procname = "fib_multipath_hash_policy", 926 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 927 .maxlen = sizeof(int), 928 .mode = 0644, 929 .proc_handler = proc_fib_multipath_hash_policy, 930 .extra1 = &zero, 931 .extra2 = &one, 932 }, 933 #endif 934 { 935 .procname = "ip_unprivileged_port_start", 936 .maxlen = sizeof(int), 937 .data = &init_net.ipv4.sysctl_ip_prot_sock, 938 .mode = 0644, 939 .proc_handler = ipv4_privileged_ports, 940 }, 941 #ifdef CONFIG_NET_L3_MASTER_DEV 942 { 943 .procname = "udp_l3mdev_accept", 944 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 945 .maxlen = sizeof(int), 946 .mode = 0644, 947 .proc_handler = proc_dointvec_minmax, 948 .extra1 = &zero, 949 .extra2 = &one, 950 }, 951 #endif 952 { 953 .procname = "tcp_sack", 954 .data = &init_net.ipv4.sysctl_tcp_sack, 955 .maxlen = sizeof(int), 956 .mode = 0644, 957 .proc_handler = proc_dointvec 958 }, 959 { 960 .procname = "tcp_window_scaling", 961 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 962 .maxlen = sizeof(int), 963 .mode = 0644, 964 .proc_handler = proc_dointvec 965 }, 966 { 967 .procname = "tcp_timestamps", 968 .data = &init_net.ipv4.sysctl_tcp_timestamps, 969 .maxlen = sizeof(int), 970 .mode = 0644, 971 .proc_handler = proc_dointvec 972 }, 973 { 974 .procname = "tcp_early_retrans", 975 .data = &init_net.ipv4.sysctl_tcp_early_retrans, 976 .maxlen = sizeof(int), 977 .mode = 0644, 978 .proc_handler = proc_dointvec_minmax, 979 .extra1 = &zero, 980 .extra2 = &four, 981 }, 982 { 983 .procname = "tcp_recovery", 984 .data = &init_net.ipv4.sysctl_tcp_recovery, 985 .maxlen = sizeof(int), 986 .mode = 0644, 987 .proc_handler = proc_dointvec, 988 }, 989 { 990 .procname = "tcp_thin_linear_timeouts", 991 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts, 992 .maxlen = sizeof(int), 993 .mode = 0644, 994 .proc_handler = proc_dointvec 995 }, 996 { 997 .procname = "tcp_slow_start_after_idle", 998 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle, 999 .maxlen = sizeof(int), 1000 .mode = 0644, 1001 .proc_handler = proc_dointvec 1002 }, 1003 { 1004 .procname = "tcp_retrans_collapse", 1005 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse, 1006 .maxlen = sizeof(int), 1007 .mode = 0644, 1008 .proc_handler = proc_dointvec 1009 }, 1010 { 1011 .procname = "tcp_stdurg", 1012 .data = &init_net.ipv4.sysctl_tcp_stdurg, 1013 .maxlen = sizeof(int), 1014 .mode = 0644, 1015 .proc_handler = proc_dointvec 1016 }, 1017 { 1018 .procname = "tcp_rfc1337", 1019 .data = &init_net.ipv4.sysctl_tcp_rfc1337, 1020 .maxlen = sizeof(int), 1021 .mode = 0644, 1022 .proc_handler = proc_dointvec 1023 }, 1024 { 1025 .procname = "tcp_abort_on_overflow", 1026 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow, 1027 .maxlen = sizeof(int), 1028 .mode = 0644, 1029 .proc_handler = proc_dointvec 1030 }, 1031 { 1032 .procname = "tcp_fack", 1033 .data = &init_net.ipv4.sysctl_tcp_fack, 1034 .maxlen = sizeof(int), 1035 .mode = 0644, 1036 .proc_handler = proc_dointvec 1037 }, 1038 { 1039 .procname = "tcp_max_reordering", 1040 .data = &init_net.ipv4.sysctl_tcp_max_reordering, 1041 .maxlen = sizeof(int), 1042 .mode = 0644, 1043 .proc_handler = proc_dointvec 1044 }, 1045 { 1046 .procname = "tcp_dsack", 1047 .data = &init_net.ipv4.sysctl_tcp_dsack, 1048 .maxlen = sizeof(int), 1049 .mode = 0644, 1050 .proc_handler = proc_dointvec 1051 }, 1052 { 1053 .procname = "tcp_app_win", 1054 .data = &init_net.ipv4.sysctl_tcp_app_win, 1055 .maxlen = sizeof(int), 1056 .mode = 0644, 1057 .proc_handler = proc_dointvec 1058 }, 1059 { 1060 .procname = "tcp_adv_win_scale", 1061 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale, 1062 .maxlen = sizeof(int), 1063 .mode = 0644, 1064 .proc_handler = proc_dointvec_minmax, 1065 .extra1 = &tcp_adv_win_scale_min, 1066 .extra2 = &tcp_adv_win_scale_max, 1067 }, 1068 { 1069 .procname = "tcp_frto", 1070 .data = &init_net.ipv4.sysctl_tcp_frto, 1071 .maxlen = sizeof(int), 1072 .mode = 0644, 1073 .proc_handler = proc_dointvec 1074 }, 1075 { 1076 .procname = "tcp_no_metrics_save", 1077 .data = &init_net.ipv4.sysctl_tcp_nometrics_save, 1078 .maxlen = sizeof(int), 1079 .mode = 0644, 1080 .proc_handler = proc_dointvec, 1081 }, 1082 { 1083 .procname = "tcp_moderate_rcvbuf", 1084 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf, 1085 .maxlen = sizeof(int), 1086 .mode = 0644, 1087 .proc_handler = proc_dointvec, 1088 }, 1089 { 1090 .procname = "tcp_tso_win_divisor", 1091 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor, 1092 .maxlen = sizeof(int), 1093 .mode = 0644, 1094 .proc_handler = proc_dointvec, 1095 }, 1096 { 1097 .procname = "tcp_workaround_signed_windows", 1098 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows, 1099 .maxlen = sizeof(int), 1100 .mode = 0644, 1101 .proc_handler = proc_dointvec 1102 }, 1103 { 1104 .procname = "tcp_limit_output_bytes", 1105 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes, 1106 .maxlen = sizeof(int), 1107 .mode = 0644, 1108 .proc_handler = proc_dointvec 1109 }, 1110 { 1111 .procname = "tcp_challenge_ack_limit", 1112 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit, 1113 .maxlen = sizeof(int), 1114 .mode = 0644, 1115 .proc_handler = proc_dointvec 1116 }, 1117 { 1118 .procname = "tcp_min_tso_segs", 1119 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs, 1120 .maxlen = sizeof(int), 1121 .mode = 0644, 1122 .proc_handler = proc_dointvec_minmax, 1123 .extra1 = &one, 1124 .extra2 = &gso_max_segs, 1125 }, 1126 { 1127 .procname = "tcp_min_rtt_wlen", 1128 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, 1129 .maxlen = sizeof(int), 1130 .mode = 0644, 1131 .proc_handler = proc_dointvec 1132 }, 1133 { 1134 .procname = "tcp_autocorking", 1135 .data = &init_net.ipv4.sysctl_tcp_autocorking, 1136 .maxlen = sizeof(int), 1137 .mode = 0644, 1138 .proc_handler = proc_dointvec_minmax, 1139 .extra1 = &zero, 1140 .extra2 = &one, 1141 }, 1142 { 1143 .procname = "tcp_invalid_ratelimit", 1144 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit, 1145 .maxlen = sizeof(int), 1146 .mode = 0644, 1147 .proc_handler = proc_dointvec_ms_jiffies, 1148 }, 1149 { 1150 .procname = "tcp_pacing_ss_ratio", 1151 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio, 1152 .maxlen = sizeof(int), 1153 .mode = 0644, 1154 .proc_handler = proc_dointvec_minmax, 1155 .extra1 = &zero, 1156 .extra2 = &thousand, 1157 }, 1158 { 1159 .procname = "tcp_pacing_ca_ratio", 1160 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio, 1161 .maxlen = sizeof(int), 1162 .mode = 0644, 1163 .proc_handler = proc_dointvec_minmax, 1164 .extra1 = &zero, 1165 .extra2 = &thousand, 1166 }, 1167 { } 1168 }; 1169 1170 static __net_init int ipv4_sysctl_init_net(struct net *net) 1171 { 1172 struct ctl_table *table; 1173 1174 table = ipv4_net_table; 1175 if (!net_eq(net, &init_net)) { 1176 int i; 1177 1178 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1179 if (!table) 1180 goto err_alloc; 1181 1182 /* Update the variables to point into the current struct net */ 1183 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1184 table[i].data += (void *)net - (void *)&init_net; 1185 } 1186 1187 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1188 if (!net->ipv4.ipv4_hdr) 1189 goto err_reg; 1190 1191 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1192 if (!net->ipv4.sysctl_local_reserved_ports) 1193 goto err_ports; 1194 1195 return 0; 1196 1197 err_ports: 1198 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1199 err_reg: 1200 if (!net_eq(net, &init_net)) 1201 kfree(table); 1202 err_alloc: 1203 return -ENOMEM; 1204 } 1205 1206 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1207 { 1208 struct ctl_table *table; 1209 1210 kfree(net->ipv4.sysctl_local_reserved_ports); 1211 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1212 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1213 kfree(table); 1214 } 1215 1216 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1217 .init = ipv4_sysctl_init_net, 1218 .exit = ipv4_sysctl_exit_net, 1219 }; 1220 1221 static __init int sysctl_ipv4_init(void) 1222 { 1223 struct ctl_table_header *hdr; 1224 1225 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1226 if (!hdr) 1227 return -ENOMEM; 1228 1229 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1230 unregister_net_sysctl_table(hdr); 1231 return -ENOMEM; 1232 } 1233 1234 return 0; 1235 } 1236 1237 __initcall(sysctl_ipv4_init); 1238