1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 4 * 5 * Begun April 1, 1996, Mike Shaver. 6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 7 */ 8 9 #include <linux/mm.h> 10 #include <linux/module.h> 11 #include <linux/sysctl.h> 12 #include <linux/igmp.h> 13 #include <linux/inetdevice.h> 14 #include <linux/seqlock.h> 15 #include <linux/init.h> 16 #include <linux/slab.h> 17 #include <linux/nsproxy.h> 18 #include <linux/swap.h> 19 #include <net/snmp.h> 20 #include <net/icmp.h> 21 #include <net/ip.h> 22 #include <net/route.h> 23 #include <net/tcp.h> 24 #include <net/udp.h> 25 #include <net/cipso_ipv4.h> 26 #include <net/inet_frag.h> 27 #include <net/ping.h> 28 #include <net/protocol.h> 29 #include <net/netevent.h> 30 31 static int zero; 32 static int one = 1; 33 static int two = 2; 34 static int four = 4; 35 static int thousand = 1000; 36 static int gso_max_segs = GSO_MAX_SEGS; 37 static int tcp_retr1_max = 255; 38 static int ip_local_port_range_min[] = { 1, 1 }; 39 static int ip_local_port_range_max[] = { 65535, 65535 }; 40 static int tcp_adv_win_scale_min = -31; 41 static int tcp_adv_win_scale_max = 31; 42 static int ip_privileged_port_min; 43 static int ip_privileged_port_max = 65535; 44 static int ip_ttl_min = 1; 45 static int ip_ttl_max = 255; 46 static int tcp_syn_retries_min = 1; 47 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 48 static int ip_ping_group_range_min[] = { 0, 0 }; 49 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 50 static int comp_sack_nr_max = 255; 51 static u32 u32_max_div_HZ = UINT_MAX / HZ; 52 53 /* obsolete */ 54 static int sysctl_tcp_low_latency __read_mostly; 55 56 /* Update system visible IP port range */ 57 static void set_local_port_range(struct net *net, int range[2]) 58 { 59 bool same_parity = !((range[0] ^ range[1]) & 1); 60 61 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 62 if (same_parity && !net->ipv4.ip_local_ports.warned) { 63 net->ipv4.ip_local_ports.warned = true; 64 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 65 } 66 net->ipv4.ip_local_ports.range[0] = range[0]; 67 net->ipv4.ip_local_ports.range[1] = range[1]; 68 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 69 } 70 71 /* Validate changes from /proc interface. */ 72 static int ipv4_local_port_range(struct ctl_table *table, int write, 73 void __user *buffer, 74 size_t *lenp, loff_t *ppos) 75 { 76 struct net *net = 77 container_of(table->data, struct net, ipv4.ip_local_ports.range); 78 int ret; 79 int range[2]; 80 struct ctl_table tmp = { 81 .data = &range, 82 .maxlen = sizeof(range), 83 .mode = table->mode, 84 .extra1 = &ip_local_port_range_min, 85 .extra2 = &ip_local_port_range_max, 86 }; 87 88 inet_get_local_port_range(net, &range[0], &range[1]); 89 90 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 91 92 if (write && ret == 0) { 93 /* Ensure that the upper limit is not smaller than the lower, 94 * and that the lower does not encroach upon the privileged 95 * port limit. 96 */ 97 if ((range[1] < range[0]) || 98 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 99 ret = -EINVAL; 100 else 101 set_local_port_range(net, range); 102 } 103 104 return ret; 105 } 106 107 /* Validate changes from /proc interface. */ 108 static int ipv4_privileged_ports(struct ctl_table *table, int write, 109 void __user *buffer, size_t *lenp, loff_t *ppos) 110 { 111 struct net *net = container_of(table->data, struct net, 112 ipv4.sysctl_ip_prot_sock); 113 int ret; 114 int pports; 115 int range[2]; 116 struct ctl_table tmp = { 117 .data = &pports, 118 .maxlen = sizeof(pports), 119 .mode = table->mode, 120 .extra1 = &ip_privileged_port_min, 121 .extra2 = &ip_privileged_port_max, 122 }; 123 124 pports = net->ipv4.sysctl_ip_prot_sock; 125 126 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 127 128 if (write && ret == 0) { 129 inet_get_local_port_range(net, &range[0], &range[1]); 130 /* Ensure that the local port range doesn't overlap with the 131 * privileged port range. 132 */ 133 if (range[0] < pports) 134 ret = -EINVAL; 135 else 136 net->ipv4.sysctl_ip_prot_sock = pports; 137 } 138 139 return ret; 140 } 141 142 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 143 { 144 kgid_t *data = table->data; 145 struct net *net = 146 container_of(table->data, struct net, ipv4.ping_group_range.range); 147 unsigned int seq; 148 do { 149 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 150 151 *low = data[0]; 152 *high = data[1]; 153 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 154 } 155 156 /* Update system visible IP port range */ 157 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 158 { 159 kgid_t *data = table->data; 160 struct net *net = 161 container_of(table->data, struct net, ipv4.ping_group_range.range); 162 write_seqlock(&net->ipv4.ping_group_range.lock); 163 data[0] = low; 164 data[1] = high; 165 write_sequnlock(&net->ipv4.ping_group_range.lock); 166 } 167 168 /* Validate changes from /proc interface. */ 169 static int ipv4_ping_group_range(struct ctl_table *table, int write, 170 void __user *buffer, 171 size_t *lenp, loff_t *ppos) 172 { 173 struct user_namespace *user_ns = current_user_ns(); 174 int ret; 175 gid_t urange[2]; 176 kgid_t low, high; 177 struct ctl_table tmp = { 178 .data = &urange, 179 .maxlen = sizeof(urange), 180 .mode = table->mode, 181 .extra1 = &ip_ping_group_range_min, 182 .extra2 = &ip_ping_group_range_max, 183 }; 184 185 inet_get_ping_group_range_table(table, &low, &high); 186 urange[0] = from_kgid_munged(user_ns, low); 187 urange[1] = from_kgid_munged(user_ns, high); 188 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 189 190 if (write && ret == 0) { 191 low = make_kgid(user_ns, urange[0]); 192 high = make_kgid(user_ns, urange[1]); 193 if (!gid_valid(low) || !gid_valid(high)) 194 return -EINVAL; 195 if (urange[1] < urange[0] || gid_lt(high, low)) { 196 low = make_kgid(&init_user_ns, 1); 197 high = make_kgid(&init_user_ns, 0); 198 } 199 set_ping_group_range(table, low, high); 200 } 201 202 return ret; 203 } 204 205 static int ipv4_fwd_update_priority(struct ctl_table *table, int write, 206 void __user *buffer, 207 size_t *lenp, loff_t *ppos) 208 { 209 struct net *net; 210 int ret; 211 212 net = container_of(table->data, struct net, 213 ipv4.sysctl_ip_fwd_update_priority); 214 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 215 if (write && ret == 0) 216 call_netevent_notifiers(NETEVENT_IPV4_FWD_UPDATE_PRIORITY_UPDATE, 217 net); 218 219 return ret; 220 } 221 222 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 223 void __user *buffer, size_t *lenp, loff_t *ppos) 224 { 225 struct net *net = container_of(ctl->data, struct net, 226 ipv4.tcp_congestion_control); 227 char val[TCP_CA_NAME_MAX]; 228 struct ctl_table tbl = { 229 .data = val, 230 .maxlen = TCP_CA_NAME_MAX, 231 }; 232 int ret; 233 234 tcp_get_default_congestion_control(net, val); 235 236 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 237 if (write && ret == 0) 238 ret = tcp_set_default_congestion_control(net, val); 239 return ret; 240 } 241 242 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 243 int write, 244 void __user *buffer, size_t *lenp, 245 loff_t *ppos) 246 { 247 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 248 int ret; 249 250 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 251 if (!tbl.data) 252 return -ENOMEM; 253 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 254 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 255 kfree(tbl.data); 256 return ret; 257 } 258 259 static int proc_allowed_congestion_control(struct ctl_table *ctl, 260 int write, 261 void __user *buffer, size_t *lenp, 262 loff_t *ppos) 263 { 264 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 265 int ret; 266 267 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 268 if (!tbl.data) 269 return -ENOMEM; 270 271 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 272 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 273 if (write && ret == 0) 274 ret = tcp_set_allowed_congestion_control(tbl.data); 275 kfree(tbl.data); 276 return ret; 277 } 278 279 static int proc_tcp_fastopen_key(struct ctl_table *table, int write, 280 void __user *buffer, size_t *lenp, 281 loff_t *ppos) 282 { 283 struct net *net = container_of(table->data, struct net, 284 ipv4.sysctl_tcp_fastopen); 285 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 286 struct tcp_fastopen_context *ctxt; 287 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 288 __le32 key[4]; 289 int ret, i; 290 291 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 292 if (!tbl.data) 293 return -ENOMEM; 294 295 rcu_read_lock(); 296 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx); 297 if (ctxt) 298 memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 299 else 300 memset(key, 0, sizeof(key)); 301 rcu_read_unlock(); 302 303 for (i = 0; i < ARRAY_SIZE(key); i++) 304 user_key[i] = le32_to_cpu(key[i]); 305 306 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 307 user_key[0], user_key[1], user_key[2], user_key[3]); 308 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 309 310 if (write && ret == 0) { 311 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 312 user_key + 2, user_key + 3) != 4) { 313 ret = -EINVAL; 314 goto bad_key; 315 } 316 317 for (i = 0; i < ARRAY_SIZE(user_key); i++) 318 key[i] = cpu_to_le32(user_key[i]); 319 320 tcp_fastopen_reset_cipher(net, NULL, key, 321 TCP_FASTOPEN_KEY_LENGTH); 322 } 323 324 bad_key: 325 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 326 user_key[0], user_key[1], user_key[2], user_key[3], 327 (char *)tbl.data, ret); 328 kfree(tbl.data); 329 return ret; 330 } 331 332 static void proc_configure_early_demux(int enabled, int protocol) 333 { 334 struct net_protocol *ipprot; 335 #if IS_ENABLED(CONFIG_IPV6) 336 struct inet6_protocol *ip6prot; 337 #endif 338 339 rcu_read_lock(); 340 341 ipprot = rcu_dereference(inet_protos[protocol]); 342 if (ipprot) 343 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 344 NULL; 345 346 #if IS_ENABLED(CONFIG_IPV6) 347 ip6prot = rcu_dereference(inet6_protos[protocol]); 348 if (ip6prot) 349 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 350 NULL; 351 #endif 352 rcu_read_unlock(); 353 } 354 355 static int proc_tcp_early_demux(struct ctl_table *table, int write, 356 void __user *buffer, size_t *lenp, loff_t *ppos) 357 { 358 int ret = 0; 359 360 ret = proc_dointvec(table, write, buffer, lenp, ppos); 361 362 if (write && !ret) { 363 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 364 365 proc_configure_early_demux(enabled, IPPROTO_TCP); 366 } 367 368 return ret; 369 } 370 371 static int proc_udp_early_demux(struct ctl_table *table, int write, 372 void __user *buffer, size_t *lenp, loff_t *ppos) 373 { 374 int ret = 0; 375 376 ret = proc_dointvec(table, write, buffer, lenp, ppos); 377 378 if (write && !ret) { 379 int enabled = init_net.ipv4.sysctl_udp_early_demux; 380 381 proc_configure_early_demux(enabled, IPPROTO_UDP); 382 } 383 384 return ret; 385 } 386 387 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 388 int write, 389 void __user *buffer, 390 size_t *lenp, loff_t *ppos) 391 { 392 struct net *net = container_of(table->data, struct net, 393 ipv4.sysctl_tcp_fastopen_blackhole_timeout); 394 int ret; 395 396 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 397 if (write && ret == 0) 398 atomic_set(&net->ipv4.tfo_active_disable_times, 0); 399 400 return ret; 401 } 402 403 static int proc_tcp_available_ulp(struct ctl_table *ctl, 404 int write, 405 void __user *buffer, size_t *lenp, 406 loff_t *ppos) 407 { 408 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 409 int ret; 410 411 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 412 if (!tbl.data) 413 return -ENOMEM; 414 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 415 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 416 kfree(tbl.data); 417 418 return ret; 419 } 420 421 #ifdef CONFIG_IP_ROUTE_MULTIPATH 422 static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write, 423 void __user *buffer, size_t *lenp, 424 loff_t *ppos) 425 { 426 struct net *net = container_of(table->data, struct net, 427 ipv4.sysctl_fib_multipath_hash_policy); 428 int ret; 429 430 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 431 if (write && ret == 0) 432 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net); 433 434 return ret; 435 } 436 #endif 437 438 static struct ctl_table ipv4_table[] = { 439 { 440 .procname = "tcp_max_orphans", 441 .data = &sysctl_tcp_max_orphans, 442 .maxlen = sizeof(int), 443 .mode = 0644, 444 .proc_handler = proc_dointvec 445 }, 446 { 447 .procname = "inet_peer_threshold", 448 .data = &inet_peer_threshold, 449 .maxlen = sizeof(int), 450 .mode = 0644, 451 .proc_handler = proc_dointvec 452 }, 453 { 454 .procname = "inet_peer_minttl", 455 .data = &inet_peer_minttl, 456 .maxlen = sizeof(int), 457 .mode = 0644, 458 .proc_handler = proc_dointvec_jiffies, 459 }, 460 { 461 .procname = "inet_peer_maxttl", 462 .data = &inet_peer_maxttl, 463 .maxlen = sizeof(int), 464 .mode = 0644, 465 .proc_handler = proc_dointvec_jiffies, 466 }, 467 { 468 .procname = "tcp_mem", 469 .maxlen = sizeof(sysctl_tcp_mem), 470 .data = &sysctl_tcp_mem, 471 .mode = 0644, 472 .proc_handler = proc_doulongvec_minmax, 473 }, 474 { 475 .procname = "tcp_low_latency", 476 .data = &sysctl_tcp_low_latency, 477 .maxlen = sizeof(int), 478 .mode = 0644, 479 .proc_handler = proc_dointvec 480 }, 481 #ifdef CONFIG_NETLABEL 482 { 483 .procname = "cipso_cache_enable", 484 .data = &cipso_v4_cache_enabled, 485 .maxlen = sizeof(int), 486 .mode = 0644, 487 .proc_handler = proc_dointvec, 488 }, 489 { 490 .procname = "cipso_cache_bucket_size", 491 .data = &cipso_v4_cache_bucketsize, 492 .maxlen = sizeof(int), 493 .mode = 0644, 494 .proc_handler = proc_dointvec, 495 }, 496 { 497 .procname = "cipso_rbm_optfmt", 498 .data = &cipso_v4_rbm_optfmt, 499 .maxlen = sizeof(int), 500 .mode = 0644, 501 .proc_handler = proc_dointvec, 502 }, 503 { 504 .procname = "cipso_rbm_strictvalid", 505 .data = &cipso_v4_rbm_strictvalid, 506 .maxlen = sizeof(int), 507 .mode = 0644, 508 .proc_handler = proc_dointvec, 509 }, 510 #endif /* CONFIG_NETLABEL */ 511 { 512 .procname = "tcp_available_congestion_control", 513 .maxlen = TCP_CA_BUF_MAX, 514 .mode = 0444, 515 .proc_handler = proc_tcp_available_congestion_control, 516 }, 517 { 518 .procname = "tcp_allowed_congestion_control", 519 .maxlen = TCP_CA_BUF_MAX, 520 .mode = 0644, 521 .proc_handler = proc_allowed_congestion_control, 522 }, 523 { 524 .procname = "tcp_available_ulp", 525 .maxlen = TCP_ULP_BUF_MAX, 526 .mode = 0444, 527 .proc_handler = proc_tcp_available_ulp, 528 }, 529 { 530 .procname = "icmp_msgs_per_sec", 531 .data = &sysctl_icmp_msgs_per_sec, 532 .maxlen = sizeof(int), 533 .mode = 0644, 534 .proc_handler = proc_dointvec_minmax, 535 .extra1 = &zero, 536 }, 537 { 538 .procname = "icmp_msgs_burst", 539 .data = &sysctl_icmp_msgs_burst, 540 .maxlen = sizeof(int), 541 .mode = 0644, 542 .proc_handler = proc_dointvec_minmax, 543 .extra1 = &zero, 544 }, 545 { 546 .procname = "udp_mem", 547 .data = &sysctl_udp_mem, 548 .maxlen = sizeof(sysctl_udp_mem), 549 .mode = 0644, 550 .proc_handler = proc_doulongvec_minmax, 551 }, 552 { 553 .procname = "fib_sync_mem", 554 .data = &sysctl_fib_sync_mem, 555 .maxlen = sizeof(sysctl_fib_sync_mem), 556 .mode = 0644, 557 .proc_handler = proc_douintvec_minmax, 558 .extra1 = &sysctl_fib_sync_mem_min, 559 .extra2 = &sysctl_fib_sync_mem_max, 560 }, 561 { } 562 }; 563 564 static struct ctl_table ipv4_net_table[] = { 565 { 566 .procname = "icmp_echo_ignore_all", 567 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 568 .maxlen = sizeof(int), 569 .mode = 0644, 570 .proc_handler = proc_dointvec 571 }, 572 { 573 .procname = "icmp_echo_ignore_broadcasts", 574 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 575 .maxlen = sizeof(int), 576 .mode = 0644, 577 .proc_handler = proc_dointvec 578 }, 579 { 580 .procname = "icmp_ignore_bogus_error_responses", 581 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 582 .maxlen = sizeof(int), 583 .mode = 0644, 584 .proc_handler = proc_dointvec 585 }, 586 { 587 .procname = "icmp_errors_use_inbound_ifaddr", 588 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 589 .maxlen = sizeof(int), 590 .mode = 0644, 591 .proc_handler = proc_dointvec 592 }, 593 { 594 .procname = "icmp_ratelimit", 595 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 596 .maxlen = sizeof(int), 597 .mode = 0644, 598 .proc_handler = proc_dointvec_ms_jiffies, 599 }, 600 { 601 .procname = "icmp_ratemask", 602 .data = &init_net.ipv4.sysctl_icmp_ratemask, 603 .maxlen = sizeof(int), 604 .mode = 0644, 605 .proc_handler = proc_dointvec 606 }, 607 { 608 .procname = "ping_group_range", 609 .data = &init_net.ipv4.ping_group_range.range, 610 .maxlen = sizeof(gid_t)*2, 611 .mode = 0644, 612 .proc_handler = ipv4_ping_group_range, 613 }, 614 #ifdef CONFIG_NET_L3_MASTER_DEV 615 { 616 .procname = "raw_l3mdev_accept", 617 .data = &init_net.ipv4.sysctl_raw_l3mdev_accept, 618 .maxlen = sizeof(int), 619 .mode = 0644, 620 .proc_handler = proc_dointvec_minmax, 621 .extra1 = &zero, 622 .extra2 = &one, 623 }, 624 #endif 625 { 626 .procname = "tcp_ecn", 627 .data = &init_net.ipv4.sysctl_tcp_ecn, 628 .maxlen = sizeof(int), 629 .mode = 0644, 630 .proc_handler = proc_dointvec 631 }, 632 { 633 .procname = "tcp_ecn_fallback", 634 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 635 .maxlen = sizeof(int), 636 .mode = 0644, 637 .proc_handler = proc_dointvec 638 }, 639 { 640 .procname = "ip_dynaddr", 641 .data = &init_net.ipv4.sysctl_ip_dynaddr, 642 .maxlen = sizeof(int), 643 .mode = 0644, 644 .proc_handler = proc_dointvec 645 }, 646 { 647 .procname = "ip_early_demux", 648 .data = &init_net.ipv4.sysctl_ip_early_demux, 649 .maxlen = sizeof(int), 650 .mode = 0644, 651 .proc_handler = proc_dointvec 652 }, 653 { 654 .procname = "udp_early_demux", 655 .data = &init_net.ipv4.sysctl_udp_early_demux, 656 .maxlen = sizeof(int), 657 .mode = 0644, 658 .proc_handler = proc_udp_early_demux 659 }, 660 { 661 .procname = "tcp_early_demux", 662 .data = &init_net.ipv4.sysctl_tcp_early_demux, 663 .maxlen = sizeof(int), 664 .mode = 0644, 665 .proc_handler = proc_tcp_early_demux 666 }, 667 { 668 .procname = "ip_default_ttl", 669 .data = &init_net.ipv4.sysctl_ip_default_ttl, 670 .maxlen = sizeof(int), 671 .mode = 0644, 672 .proc_handler = proc_dointvec_minmax, 673 .extra1 = &ip_ttl_min, 674 .extra2 = &ip_ttl_max, 675 }, 676 { 677 .procname = "ip_local_port_range", 678 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 679 .data = &init_net.ipv4.ip_local_ports.range, 680 .mode = 0644, 681 .proc_handler = ipv4_local_port_range, 682 }, 683 { 684 .procname = "ip_local_reserved_ports", 685 .data = &init_net.ipv4.sysctl_local_reserved_ports, 686 .maxlen = 65536, 687 .mode = 0644, 688 .proc_handler = proc_do_large_bitmap, 689 }, 690 { 691 .procname = "ip_no_pmtu_disc", 692 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 693 .maxlen = sizeof(int), 694 .mode = 0644, 695 .proc_handler = proc_dointvec 696 }, 697 { 698 .procname = "ip_forward_use_pmtu", 699 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 700 .maxlen = sizeof(int), 701 .mode = 0644, 702 .proc_handler = proc_dointvec, 703 }, 704 { 705 .procname = "ip_forward_update_priority", 706 .data = &init_net.ipv4.sysctl_ip_fwd_update_priority, 707 .maxlen = sizeof(int), 708 .mode = 0644, 709 .proc_handler = ipv4_fwd_update_priority, 710 .extra1 = &zero, 711 .extra2 = &one, 712 }, 713 { 714 .procname = "ip_nonlocal_bind", 715 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 716 .maxlen = sizeof(int), 717 .mode = 0644, 718 .proc_handler = proc_dointvec 719 }, 720 { 721 .procname = "fwmark_reflect", 722 .data = &init_net.ipv4.sysctl_fwmark_reflect, 723 .maxlen = sizeof(int), 724 .mode = 0644, 725 .proc_handler = proc_dointvec, 726 }, 727 { 728 .procname = "tcp_fwmark_accept", 729 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 730 .maxlen = sizeof(int), 731 .mode = 0644, 732 .proc_handler = proc_dointvec, 733 }, 734 #ifdef CONFIG_NET_L3_MASTER_DEV 735 { 736 .procname = "tcp_l3mdev_accept", 737 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 738 .maxlen = sizeof(int), 739 .mode = 0644, 740 .proc_handler = proc_dointvec_minmax, 741 .extra1 = &zero, 742 .extra2 = &one, 743 }, 744 #endif 745 { 746 .procname = "tcp_mtu_probing", 747 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 748 .maxlen = sizeof(int), 749 .mode = 0644, 750 .proc_handler = proc_dointvec, 751 }, 752 { 753 .procname = "tcp_base_mss", 754 .data = &init_net.ipv4.sysctl_tcp_base_mss, 755 .maxlen = sizeof(int), 756 .mode = 0644, 757 .proc_handler = proc_dointvec, 758 }, 759 { 760 .procname = "tcp_probe_threshold", 761 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 762 .maxlen = sizeof(int), 763 .mode = 0644, 764 .proc_handler = proc_dointvec, 765 }, 766 { 767 .procname = "tcp_probe_interval", 768 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 769 .maxlen = sizeof(u32), 770 .mode = 0644, 771 .proc_handler = proc_douintvec_minmax, 772 .extra2 = &u32_max_div_HZ, 773 }, 774 { 775 .procname = "igmp_link_local_mcast_reports", 776 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 777 .maxlen = sizeof(int), 778 .mode = 0644, 779 .proc_handler = proc_dointvec 780 }, 781 { 782 .procname = "igmp_max_memberships", 783 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 784 .maxlen = sizeof(int), 785 .mode = 0644, 786 .proc_handler = proc_dointvec 787 }, 788 { 789 .procname = "igmp_max_msf", 790 .data = &init_net.ipv4.sysctl_igmp_max_msf, 791 .maxlen = sizeof(int), 792 .mode = 0644, 793 .proc_handler = proc_dointvec 794 }, 795 #ifdef CONFIG_IP_MULTICAST 796 { 797 .procname = "igmp_qrv", 798 .data = &init_net.ipv4.sysctl_igmp_qrv, 799 .maxlen = sizeof(int), 800 .mode = 0644, 801 .proc_handler = proc_dointvec_minmax, 802 .extra1 = &one 803 }, 804 #endif 805 { 806 .procname = "tcp_congestion_control", 807 .data = &init_net.ipv4.tcp_congestion_control, 808 .mode = 0644, 809 .maxlen = TCP_CA_NAME_MAX, 810 .proc_handler = proc_tcp_congestion_control, 811 }, 812 { 813 .procname = "tcp_keepalive_time", 814 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 815 .maxlen = sizeof(int), 816 .mode = 0644, 817 .proc_handler = proc_dointvec_jiffies, 818 }, 819 { 820 .procname = "tcp_keepalive_probes", 821 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 822 .maxlen = sizeof(int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec 825 }, 826 { 827 .procname = "tcp_keepalive_intvl", 828 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 829 .maxlen = sizeof(int), 830 .mode = 0644, 831 .proc_handler = proc_dointvec_jiffies, 832 }, 833 { 834 .procname = "tcp_syn_retries", 835 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 836 .maxlen = sizeof(int), 837 .mode = 0644, 838 .proc_handler = proc_dointvec_minmax, 839 .extra1 = &tcp_syn_retries_min, 840 .extra2 = &tcp_syn_retries_max 841 }, 842 { 843 .procname = "tcp_synack_retries", 844 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 845 .maxlen = sizeof(int), 846 .mode = 0644, 847 .proc_handler = proc_dointvec 848 }, 849 #ifdef CONFIG_SYN_COOKIES 850 { 851 .procname = "tcp_syncookies", 852 .data = &init_net.ipv4.sysctl_tcp_syncookies, 853 .maxlen = sizeof(int), 854 .mode = 0644, 855 .proc_handler = proc_dointvec 856 }, 857 #endif 858 { 859 .procname = "tcp_reordering", 860 .data = &init_net.ipv4.sysctl_tcp_reordering, 861 .maxlen = sizeof(int), 862 .mode = 0644, 863 .proc_handler = proc_dointvec 864 }, 865 { 866 .procname = "tcp_retries1", 867 .data = &init_net.ipv4.sysctl_tcp_retries1, 868 .maxlen = sizeof(int), 869 .mode = 0644, 870 .proc_handler = proc_dointvec_minmax, 871 .extra2 = &tcp_retr1_max 872 }, 873 { 874 .procname = "tcp_retries2", 875 .data = &init_net.ipv4.sysctl_tcp_retries2, 876 .maxlen = sizeof(int), 877 .mode = 0644, 878 .proc_handler = proc_dointvec 879 }, 880 { 881 .procname = "tcp_orphan_retries", 882 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 883 .maxlen = sizeof(int), 884 .mode = 0644, 885 .proc_handler = proc_dointvec 886 }, 887 { 888 .procname = "tcp_fin_timeout", 889 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 890 .maxlen = sizeof(int), 891 .mode = 0644, 892 .proc_handler = proc_dointvec_jiffies, 893 }, 894 { 895 .procname = "tcp_notsent_lowat", 896 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 897 .maxlen = sizeof(unsigned int), 898 .mode = 0644, 899 .proc_handler = proc_douintvec, 900 }, 901 { 902 .procname = "tcp_tw_reuse", 903 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 904 .maxlen = sizeof(int), 905 .mode = 0644, 906 .proc_handler = proc_dointvec_minmax, 907 .extra1 = &zero, 908 .extra2 = &two, 909 }, 910 { 911 .procname = "tcp_max_tw_buckets", 912 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 913 .maxlen = sizeof(int), 914 .mode = 0644, 915 .proc_handler = proc_dointvec 916 }, 917 { 918 .procname = "tcp_max_syn_backlog", 919 .data = &init_net.ipv4.sysctl_max_syn_backlog, 920 .maxlen = sizeof(int), 921 .mode = 0644, 922 .proc_handler = proc_dointvec 923 }, 924 { 925 .procname = "tcp_fastopen", 926 .data = &init_net.ipv4.sysctl_tcp_fastopen, 927 .maxlen = sizeof(int), 928 .mode = 0644, 929 .proc_handler = proc_dointvec, 930 }, 931 { 932 .procname = "tcp_fastopen_key", 933 .mode = 0600, 934 .data = &init_net.ipv4.sysctl_tcp_fastopen, 935 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 936 .proc_handler = proc_tcp_fastopen_key, 937 }, 938 { 939 .procname = "tcp_fastopen_blackhole_timeout_sec", 940 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout, 941 .maxlen = sizeof(int), 942 .mode = 0644, 943 .proc_handler = proc_tfo_blackhole_detect_timeout, 944 .extra1 = &zero, 945 }, 946 #ifdef CONFIG_IP_ROUTE_MULTIPATH 947 { 948 .procname = "fib_multipath_use_neigh", 949 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 950 .maxlen = sizeof(int), 951 .mode = 0644, 952 .proc_handler = proc_dointvec_minmax, 953 .extra1 = &zero, 954 .extra2 = &one, 955 }, 956 { 957 .procname = "fib_multipath_hash_policy", 958 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 959 .maxlen = sizeof(int), 960 .mode = 0644, 961 .proc_handler = proc_fib_multipath_hash_policy, 962 .extra1 = &zero, 963 .extra2 = &one, 964 }, 965 #endif 966 { 967 .procname = "ip_unprivileged_port_start", 968 .maxlen = sizeof(int), 969 .data = &init_net.ipv4.sysctl_ip_prot_sock, 970 .mode = 0644, 971 .proc_handler = ipv4_privileged_ports, 972 }, 973 #ifdef CONFIG_NET_L3_MASTER_DEV 974 { 975 .procname = "udp_l3mdev_accept", 976 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 977 .maxlen = sizeof(int), 978 .mode = 0644, 979 .proc_handler = proc_dointvec_minmax, 980 .extra1 = &zero, 981 .extra2 = &one, 982 }, 983 #endif 984 { 985 .procname = "tcp_sack", 986 .data = &init_net.ipv4.sysctl_tcp_sack, 987 .maxlen = sizeof(int), 988 .mode = 0644, 989 .proc_handler = proc_dointvec 990 }, 991 { 992 .procname = "tcp_window_scaling", 993 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 994 .maxlen = sizeof(int), 995 .mode = 0644, 996 .proc_handler = proc_dointvec 997 }, 998 { 999 .procname = "tcp_timestamps", 1000 .data = &init_net.ipv4.sysctl_tcp_timestamps, 1001 .maxlen = sizeof(int), 1002 .mode = 0644, 1003 .proc_handler = proc_dointvec 1004 }, 1005 { 1006 .procname = "tcp_early_retrans", 1007 .data = &init_net.ipv4.sysctl_tcp_early_retrans, 1008 .maxlen = sizeof(int), 1009 .mode = 0644, 1010 .proc_handler = proc_dointvec_minmax, 1011 .extra1 = &zero, 1012 .extra2 = &four, 1013 }, 1014 { 1015 .procname = "tcp_recovery", 1016 .data = &init_net.ipv4.sysctl_tcp_recovery, 1017 .maxlen = sizeof(int), 1018 .mode = 0644, 1019 .proc_handler = proc_dointvec, 1020 }, 1021 { 1022 .procname = "tcp_thin_linear_timeouts", 1023 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts, 1024 .maxlen = sizeof(int), 1025 .mode = 0644, 1026 .proc_handler = proc_dointvec 1027 }, 1028 { 1029 .procname = "tcp_slow_start_after_idle", 1030 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle, 1031 .maxlen = sizeof(int), 1032 .mode = 0644, 1033 .proc_handler = proc_dointvec 1034 }, 1035 { 1036 .procname = "tcp_retrans_collapse", 1037 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse, 1038 .maxlen = sizeof(int), 1039 .mode = 0644, 1040 .proc_handler = proc_dointvec 1041 }, 1042 { 1043 .procname = "tcp_stdurg", 1044 .data = &init_net.ipv4.sysctl_tcp_stdurg, 1045 .maxlen = sizeof(int), 1046 .mode = 0644, 1047 .proc_handler = proc_dointvec 1048 }, 1049 { 1050 .procname = "tcp_rfc1337", 1051 .data = &init_net.ipv4.sysctl_tcp_rfc1337, 1052 .maxlen = sizeof(int), 1053 .mode = 0644, 1054 .proc_handler = proc_dointvec 1055 }, 1056 { 1057 .procname = "tcp_abort_on_overflow", 1058 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow, 1059 .maxlen = sizeof(int), 1060 .mode = 0644, 1061 .proc_handler = proc_dointvec 1062 }, 1063 { 1064 .procname = "tcp_fack", 1065 .data = &init_net.ipv4.sysctl_tcp_fack, 1066 .maxlen = sizeof(int), 1067 .mode = 0644, 1068 .proc_handler = proc_dointvec 1069 }, 1070 { 1071 .procname = "tcp_max_reordering", 1072 .data = &init_net.ipv4.sysctl_tcp_max_reordering, 1073 .maxlen = sizeof(int), 1074 .mode = 0644, 1075 .proc_handler = proc_dointvec 1076 }, 1077 { 1078 .procname = "tcp_dsack", 1079 .data = &init_net.ipv4.sysctl_tcp_dsack, 1080 .maxlen = sizeof(int), 1081 .mode = 0644, 1082 .proc_handler = proc_dointvec 1083 }, 1084 { 1085 .procname = "tcp_app_win", 1086 .data = &init_net.ipv4.sysctl_tcp_app_win, 1087 .maxlen = sizeof(int), 1088 .mode = 0644, 1089 .proc_handler = proc_dointvec 1090 }, 1091 { 1092 .procname = "tcp_adv_win_scale", 1093 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale, 1094 .maxlen = sizeof(int), 1095 .mode = 0644, 1096 .proc_handler = proc_dointvec_minmax, 1097 .extra1 = &tcp_adv_win_scale_min, 1098 .extra2 = &tcp_adv_win_scale_max, 1099 }, 1100 { 1101 .procname = "tcp_frto", 1102 .data = &init_net.ipv4.sysctl_tcp_frto, 1103 .maxlen = sizeof(int), 1104 .mode = 0644, 1105 .proc_handler = proc_dointvec 1106 }, 1107 { 1108 .procname = "tcp_no_metrics_save", 1109 .data = &init_net.ipv4.sysctl_tcp_nometrics_save, 1110 .maxlen = sizeof(int), 1111 .mode = 0644, 1112 .proc_handler = proc_dointvec, 1113 }, 1114 { 1115 .procname = "tcp_moderate_rcvbuf", 1116 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf, 1117 .maxlen = sizeof(int), 1118 .mode = 0644, 1119 .proc_handler = proc_dointvec, 1120 }, 1121 { 1122 .procname = "tcp_tso_win_divisor", 1123 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor, 1124 .maxlen = sizeof(int), 1125 .mode = 0644, 1126 .proc_handler = proc_dointvec, 1127 }, 1128 { 1129 .procname = "tcp_workaround_signed_windows", 1130 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows, 1131 .maxlen = sizeof(int), 1132 .mode = 0644, 1133 .proc_handler = proc_dointvec 1134 }, 1135 { 1136 .procname = "tcp_limit_output_bytes", 1137 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes, 1138 .maxlen = sizeof(int), 1139 .mode = 0644, 1140 .proc_handler = proc_dointvec 1141 }, 1142 { 1143 .procname = "tcp_challenge_ack_limit", 1144 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit, 1145 .maxlen = sizeof(int), 1146 .mode = 0644, 1147 .proc_handler = proc_dointvec 1148 }, 1149 { 1150 .procname = "tcp_min_tso_segs", 1151 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs, 1152 .maxlen = sizeof(int), 1153 .mode = 0644, 1154 .proc_handler = proc_dointvec_minmax, 1155 .extra1 = &one, 1156 .extra2 = &gso_max_segs, 1157 }, 1158 { 1159 .procname = "tcp_min_rtt_wlen", 1160 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, 1161 .maxlen = sizeof(int), 1162 .mode = 0644, 1163 .proc_handler = proc_dointvec 1164 }, 1165 { 1166 .procname = "tcp_autocorking", 1167 .data = &init_net.ipv4.sysctl_tcp_autocorking, 1168 .maxlen = sizeof(int), 1169 .mode = 0644, 1170 .proc_handler = proc_dointvec_minmax, 1171 .extra1 = &zero, 1172 .extra2 = &one, 1173 }, 1174 { 1175 .procname = "tcp_invalid_ratelimit", 1176 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit, 1177 .maxlen = sizeof(int), 1178 .mode = 0644, 1179 .proc_handler = proc_dointvec_ms_jiffies, 1180 }, 1181 { 1182 .procname = "tcp_pacing_ss_ratio", 1183 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio, 1184 .maxlen = sizeof(int), 1185 .mode = 0644, 1186 .proc_handler = proc_dointvec_minmax, 1187 .extra1 = &zero, 1188 .extra2 = &thousand, 1189 }, 1190 { 1191 .procname = "tcp_pacing_ca_ratio", 1192 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio, 1193 .maxlen = sizeof(int), 1194 .mode = 0644, 1195 .proc_handler = proc_dointvec_minmax, 1196 .extra1 = &zero, 1197 .extra2 = &thousand, 1198 }, 1199 { 1200 .procname = "tcp_wmem", 1201 .data = &init_net.ipv4.sysctl_tcp_wmem, 1202 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem), 1203 .mode = 0644, 1204 .proc_handler = proc_dointvec_minmax, 1205 .extra1 = &one, 1206 }, 1207 { 1208 .procname = "tcp_rmem", 1209 .data = &init_net.ipv4.sysctl_tcp_rmem, 1210 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem), 1211 .mode = 0644, 1212 .proc_handler = proc_dointvec_minmax, 1213 .extra1 = &one, 1214 }, 1215 { 1216 .procname = "tcp_comp_sack_delay_ns", 1217 .data = &init_net.ipv4.sysctl_tcp_comp_sack_delay_ns, 1218 .maxlen = sizeof(unsigned long), 1219 .mode = 0644, 1220 .proc_handler = proc_doulongvec_minmax, 1221 }, 1222 { 1223 .procname = "tcp_comp_sack_nr", 1224 .data = &init_net.ipv4.sysctl_tcp_comp_sack_nr, 1225 .maxlen = sizeof(int), 1226 .mode = 0644, 1227 .proc_handler = proc_dointvec_minmax, 1228 .extra1 = &zero, 1229 .extra2 = &comp_sack_nr_max, 1230 }, 1231 { 1232 .procname = "udp_rmem_min", 1233 .data = &init_net.ipv4.sysctl_udp_rmem_min, 1234 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min), 1235 .mode = 0644, 1236 .proc_handler = proc_dointvec_minmax, 1237 .extra1 = &one 1238 }, 1239 { 1240 .procname = "udp_wmem_min", 1241 .data = &init_net.ipv4.sysctl_udp_wmem_min, 1242 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min), 1243 .mode = 0644, 1244 .proc_handler = proc_dointvec_minmax, 1245 .extra1 = &one 1246 }, 1247 { } 1248 }; 1249 1250 static __net_init int ipv4_sysctl_init_net(struct net *net) 1251 { 1252 struct ctl_table *table; 1253 1254 table = ipv4_net_table; 1255 if (!net_eq(net, &init_net)) { 1256 int i; 1257 1258 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1259 if (!table) 1260 goto err_alloc; 1261 1262 /* Update the variables to point into the current struct net */ 1263 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1264 table[i].data += (void *)net - (void *)&init_net; 1265 } 1266 1267 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1268 if (!net->ipv4.ipv4_hdr) 1269 goto err_reg; 1270 1271 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1272 if (!net->ipv4.sysctl_local_reserved_ports) 1273 goto err_ports; 1274 1275 return 0; 1276 1277 err_ports: 1278 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1279 err_reg: 1280 if (!net_eq(net, &init_net)) 1281 kfree(table); 1282 err_alloc: 1283 return -ENOMEM; 1284 } 1285 1286 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1287 { 1288 struct ctl_table *table; 1289 1290 kfree(net->ipv4.sysctl_local_reserved_ports); 1291 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1292 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1293 kfree(table); 1294 } 1295 1296 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1297 .init = ipv4_sysctl_init_net, 1298 .exit = ipv4_sysctl_exit_net, 1299 }; 1300 1301 static __init int sysctl_ipv4_init(void) 1302 { 1303 struct ctl_table_header *hdr; 1304 1305 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1306 if (!hdr) 1307 return -ENOMEM; 1308 1309 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1310 unregister_net_sysctl_table(hdr); 1311 return -ENOMEM; 1312 } 1313 1314 return 0; 1315 } 1316 1317 __initcall(sysctl_ipv4_init); 1318