1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 4 * 5 * Begun April 1, 1996, Mike Shaver. 6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 7 */ 8 9 #include <linux/mm.h> 10 #include <linux/module.h> 11 #include <linux/sysctl.h> 12 #include <linux/igmp.h> 13 #include <linux/inetdevice.h> 14 #include <linux/seqlock.h> 15 #include <linux/init.h> 16 #include <linux/slab.h> 17 #include <linux/nsproxy.h> 18 #include <linux/swap.h> 19 #include <net/snmp.h> 20 #include <net/icmp.h> 21 #include <net/ip.h> 22 #include <net/route.h> 23 #include <net/tcp.h> 24 #include <net/udp.h> 25 #include <net/cipso_ipv4.h> 26 #include <net/inet_frag.h> 27 #include <net/ping.h> 28 #include <net/protocol.h> 29 #include <net/netevent.h> 30 31 static int zero; 32 static int one = 1; 33 static int two = 2; 34 static int four = 4; 35 static int thousand = 1000; 36 static int gso_max_segs = GSO_MAX_SEGS; 37 static int tcp_retr1_max = 255; 38 static int ip_local_port_range_min[] = { 1, 1 }; 39 static int ip_local_port_range_max[] = { 65535, 65535 }; 40 static int tcp_adv_win_scale_min = -31; 41 static int tcp_adv_win_scale_max = 31; 42 static int ip_privileged_port_min; 43 static int ip_privileged_port_max = 65535; 44 static int ip_ttl_min = 1; 45 static int ip_ttl_max = 255; 46 static int tcp_syn_retries_min = 1; 47 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 48 static int ip_ping_group_range_min[] = { 0, 0 }; 49 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 50 static int comp_sack_nr_max = 255; 51 52 /* obsolete */ 53 static int sysctl_tcp_low_latency __read_mostly; 54 55 /* Update system visible IP port range */ 56 static void set_local_port_range(struct net *net, int range[2]) 57 { 58 bool same_parity = !((range[0] ^ range[1]) & 1); 59 60 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 61 if (same_parity && !net->ipv4.ip_local_ports.warned) { 62 net->ipv4.ip_local_ports.warned = true; 63 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 64 } 65 net->ipv4.ip_local_ports.range[0] = range[0]; 66 net->ipv4.ip_local_ports.range[1] = range[1]; 67 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 68 } 69 70 /* Validate changes from /proc interface. */ 71 static int ipv4_local_port_range(struct ctl_table *table, int write, 72 void __user *buffer, 73 size_t *lenp, loff_t *ppos) 74 { 75 struct net *net = 76 container_of(table->data, struct net, ipv4.ip_local_ports.range); 77 int ret; 78 int range[2]; 79 struct ctl_table tmp = { 80 .data = &range, 81 .maxlen = sizeof(range), 82 .mode = table->mode, 83 .extra1 = &ip_local_port_range_min, 84 .extra2 = &ip_local_port_range_max, 85 }; 86 87 inet_get_local_port_range(net, &range[0], &range[1]); 88 89 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 90 91 if (write && ret == 0) { 92 /* Ensure that the upper limit is not smaller than the lower, 93 * and that the lower does not encroach upon the privileged 94 * port limit. 95 */ 96 if ((range[1] < range[0]) || 97 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 98 ret = -EINVAL; 99 else 100 set_local_port_range(net, range); 101 } 102 103 return ret; 104 } 105 106 /* Validate changes from /proc interface. */ 107 static int ipv4_privileged_ports(struct ctl_table *table, int write, 108 void __user *buffer, size_t *lenp, loff_t *ppos) 109 { 110 struct net *net = container_of(table->data, struct net, 111 ipv4.sysctl_ip_prot_sock); 112 int ret; 113 int pports; 114 int range[2]; 115 struct ctl_table tmp = { 116 .data = &pports, 117 .maxlen = sizeof(pports), 118 .mode = table->mode, 119 .extra1 = &ip_privileged_port_min, 120 .extra2 = &ip_privileged_port_max, 121 }; 122 123 pports = net->ipv4.sysctl_ip_prot_sock; 124 125 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 126 127 if (write && ret == 0) { 128 inet_get_local_port_range(net, &range[0], &range[1]); 129 /* Ensure that the local port range doesn't overlap with the 130 * privileged port range. 131 */ 132 if (range[0] < pports) 133 ret = -EINVAL; 134 else 135 net->ipv4.sysctl_ip_prot_sock = pports; 136 } 137 138 return ret; 139 } 140 141 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 142 { 143 kgid_t *data = table->data; 144 struct net *net = 145 container_of(table->data, struct net, ipv4.ping_group_range.range); 146 unsigned int seq; 147 do { 148 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 149 150 *low = data[0]; 151 *high = data[1]; 152 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 153 } 154 155 /* Update system visible IP port range */ 156 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 157 { 158 kgid_t *data = table->data; 159 struct net *net = 160 container_of(table->data, struct net, ipv4.ping_group_range.range); 161 write_seqlock(&net->ipv4.ping_group_range.lock); 162 data[0] = low; 163 data[1] = high; 164 write_sequnlock(&net->ipv4.ping_group_range.lock); 165 } 166 167 /* Validate changes from /proc interface. */ 168 static int ipv4_ping_group_range(struct ctl_table *table, int write, 169 void __user *buffer, 170 size_t *lenp, loff_t *ppos) 171 { 172 struct user_namespace *user_ns = current_user_ns(); 173 int ret; 174 gid_t urange[2]; 175 kgid_t low, high; 176 struct ctl_table tmp = { 177 .data = &urange, 178 .maxlen = sizeof(urange), 179 .mode = table->mode, 180 .extra1 = &ip_ping_group_range_min, 181 .extra2 = &ip_ping_group_range_max, 182 }; 183 184 inet_get_ping_group_range_table(table, &low, &high); 185 urange[0] = from_kgid_munged(user_ns, low); 186 urange[1] = from_kgid_munged(user_ns, high); 187 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 188 189 if (write && ret == 0) { 190 low = make_kgid(user_ns, urange[0]); 191 high = make_kgid(user_ns, urange[1]); 192 if (!gid_valid(low) || !gid_valid(high) || 193 (urange[1] < urange[0]) || gid_lt(high, low)) { 194 low = make_kgid(&init_user_ns, 1); 195 high = make_kgid(&init_user_ns, 0); 196 } 197 set_ping_group_range(table, low, high); 198 } 199 200 return ret; 201 } 202 203 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 204 void __user *buffer, size_t *lenp, loff_t *ppos) 205 { 206 struct net *net = container_of(ctl->data, struct net, 207 ipv4.tcp_congestion_control); 208 char val[TCP_CA_NAME_MAX]; 209 struct ctl_table tbl = { 210 .data = val, 211 .maxlen = TCP_CA_NAME_MAX, 212 }; 213 int ret; 214 215 tcp_get_default_congestion_control(net, val); 216 217 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 218 if (write && ret == 0) 219 ret = tcp_set_default_congestion_control(net, val); 220 return ret; 221 } 222 223 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 224 int write, 225 void __user *buffer, size_t *lenp, 226 loff_t *ppos) 227 { 228 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 229 int ret; 230 231 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 232 if (!tbl.data) 233 return -ENOMEM; 234 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 235 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 236 kfree(tbl.data); 237 return ret; 238 } 239 240 static int proc_allowed_congestion_control(struct ctl_table *ctl, 241 int write, 242 void __user *buffer, size_t *lenp, 243 loff_t *ppos) 244 { 245 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 246 int ret; 247 248 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 249 if (!tbl.data) 250 return -ENOMEM; 251 252 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 253 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 254 if (write && ret == 0) 255 ret = tcp_set_allowed_congestion_control(tbl.data); 256 kfree(tbl.data); 257 return ret; 258 } 259 260 static int proc_tcp_fastopen_key(struct ctl_table *table, int write, 261 void __user *buffer, size_t *lenp, 262 loff_t *ppos) 263 { 264 struct net *net = container_of(table->data, struct net, 265 ipv4.sysctl_tcp_fastopen); 266 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 267 struct tcp_fastopen_context *ctxt; 268 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 269 __le32 key[4]; 270 int ret, i; 271 272 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 273 if (!tbl.data) 274 return -ENOMEM; 275 276 rcu_read_lock(); 277 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx); 278 if (ctxt) 279 memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 280 else 281 memset(key, 0, sizeof(key)); 282 rcu_read_unlock(); 283 284 for (i = 0; i < ARRAY_SIZE(key); i++) 285 user_key[i] = le32_to_cpu(key[i]); 286 287 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 288 user_key[0], user_key[1], user_key[2], user_key[3]); 289 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 290 291 if (write && ret == 0) { 292 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 293 user_key + 2, user_key + 3) != 4) { 294 ret = -EINVAL; 295 goto bad_key; 296 } 297 298 for (i = 0; i < ARRAY_SIZE(user_key); i++) 299 key[i] = cpu_to_le32(user_key[i]); 300 301 tcp_fastopen_reset_cipher(net, NULL, key, 302 TCP_FASTOPEN_KEY_LENGTH); 303 } 304 305 bad_key: 306 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 307 user_key[0], user_key[1], user_key[2], user_key[3], 308 (char *)tbl.data, ret); 309 kfree(tbl.data); 310 return ret; 311 } 312 313 static void proc_configure_early_demux(int enabled, int protocol) 314 { 315 struct net_protocol *ipprot; 316 #if IS_ENABLED(CONFIG_IPV6) 317 struct inet6_protocol *ip6prot; 318 #endif 319 320 rcu_read_lock(); 321 322 ipprot = rcu_dereference(inet_protos[protocol]); 323 if (ipprot) 324 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 325 NULL; 326 327 #if IS_ENABLED(CONFIG_IPV6) 328 ip6prot = rcu_dereference(inet6_protos[protocol]); 329 if (ip6prot) 330 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 331 NULL; 332 #endif 333 rcu_read_unlock(); 334 } 335 336 static int proc_tcp_early_demux(struct ctl_table *table, int write, 337 void __user *buffer, size_t *lenp, loff_t *ppos) 338 { 339 int ret = 0; 340 341 ret = proc_dointvec(table, write, buffer, lenp, ppos); 342 343 if (write && !ret) { 344 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 345 346 proc_configure_early_demux(enabled, IPPROTO_TCP); 347 } 348 349 return ret; 350 } 351 352 static int proc_udp_early_demux(struct ctl_table *table, int write, 353 void __user *buffer, size_t *lenp, loff_t *ppos) 354 { 355 int ret = 0; 356 357 ret = proc_dointvec(table, write, buffer, lenp, ppos); 358 359 if (write && !ret) { 360 int enabled = init_net.ipv4.sysctl_udp_early_demux; 361 362 proc_configure_early_demux(enabled, IPPROTO_UDP); 363 } 364 365 return ret; 366 } 367 368 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 369 int write, 370 void __user *buffer, 371 size_t *lenp, loff_t *ppos) 372 { 373 struct net *net = container_of(table->data, struct net, 374 ipv4.sysctl_tcp_fastopen_blackhole_timeout); 375 int ret; 376 377 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 378 if (write && ret == 0) 379 atomic_set(&net->ipv4.tfo_active_disable_times, 0); 380 381 return ret; 382 } 383 384 static int proc_tcp_available_ulp(struct ctl_table *ctl, 385 int write, 386 void __user *buffer, size_t *lenp, 387 loff_t *ppos) 388 { 389 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 390 int ret; 391 392 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 393 if (!tbl.data) 394 return -ENOMEM; 395 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 396 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 397 kfree(tbl.data); 398 399 return ret; 400 } 401 402 #ifdef CONFIG_IP_ROUTE_MULTIPATH 403 static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write, 404 void __user *buffer, size_t *lenp, 405 loff_t *ppos) 406 { 407 struct net *net = container_of(table->data, struct net, 408 ipv4.sysctl_fib_multipath_hash_policy); 409 int ret; 410 411 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 412 if (write && ret == 0) 413 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net); 414 415 return ret; 416 } 417 #endif 418 419 static struct ctl_table ipv4_table[] = { 420 { 421 .procname = "tcp_max_orphans", 422 .data = &sysctl_tcp_max_orphans, 423 .maxlen = sizeof(int), 424 .mode = 0644, 425 .proc_handler = proc_dointvec 426 }, 427 { 428 .procname = "inet_peer_threshold", 429 .data = &inet_peer_threshold, 430 .maxlen = sizeof(int), 431 .mode = 0644, 432 .proc_handler = proc_dointvec 433 }, 434 { 435 .procname = "inet_peer_minttl", 436 .data = &inet_peer_minttl, 437 .maxlen = sizeof(int), 438 .mode = 0644, 439 .proc_handler = proc_dointvec_jiffies, 440 }, 441 { 442 .procname = "inet_peer_maxttl", 443 .data = &inet_peer_maxttl, 444 .maxlen = sizeof(int), 445 .mode = 0644, 446 .proc_handler = proc_dointvec_jiffies, 447 }, 448 { 449 .procname = "tcp_mem", 450 .maxlen = sizeof(sysctl_tcp_mem), 451 .data = &sysctl_tcp_mem, 452 .mode = 0644, 453 .proc_handler = proc_doulongvec_minmax, 454 }, 455 { 456 .procname = "tcp_low_latency", 457 .data = &sysctl_tcp_low_latency, 458 .maxlen = sizeof(int), 459 .mode = 0644, 460 .proc_handler = proc_dointvec 461 }, 462 #ifdef CONFIG_NETLABEL 463 { 464 .procname = "cipso_cache_enable", 465 .data = &cipso_v4_cache_enabled, 466 .maxlen = sizeof(int), 467 .mode = 0644, 468 .proc_handler = proc_dointvec, 469 }, 470 { 471 .procname = "cipso_cache_bucket_size", 472 .data = &cipso_v4_cache_bucketsize, 473 .maxlen = sizeof(int), 474 .mode = 0644, 475 .proc_handler = proc_dointvec, 476 }, 477 { 478 .procname = "cipso_rbm_optfmt", 479 .data = &cipso_v4_rbm_optfmt, 480 .maxlen = sizeof(int), 481 .mode = 0644, 482 .proc_handler = proc_dointvec, 483 }, 484 { 485 .procname = "cipso_rbm_strictvalid", 486 .data = &cipso_v4_rbm_strictvalid, 487 .maxlen = sizeof(int), 488 .mode = 0644, 489 .proc_handler = proc_dointvec, 490 }, 491 #endif /* CONFIG_NETLABEL */ 492 { 493 .procname = "tcp_available_congestion_control", 494 .maxlen = TCP_CA_BUF_MAX, 495 .mode = 0444, 496 .proc_handler = proc_tcp_available_congestion_control, 497 }, 498 { 499 .procname = "tcp_allowed_congestion_control", 500 .maxlen = TCP_CA_BUF_MAX, 501 .mode = 0644, 502 .proc_handler = proc_allowed_congestion_control, 503 }, 504 { 505 .procname = "tcp_available_ulp", 506 .maxlen = TCP_ULP_BUF_MAX, 507 .mode = 0444, 508 .proc_handler = proc_tcp_available_ulp, 509 }, 510 { 511 .procname = "icmp_msgs_per_sec", 512 .data = &sysctl_icmp_msgs_per_sec, 513 .maxlen = sizeof(int), 514 .mode = 0644, 515 .proc_handler = proc_dointvec_minmax, 516 .extra1 = &zero, 517 }, 518 { 519 .procname = "icmp_msgs_burst", 520 .data = &sysctl_icmp_msgs_burst, 521 .maxlen = sizeof(int), 522 .mode = 0644, 523 .proc_handler = proc_dointvec_minmax, 524 .extra1 = &zero, 525 }, 526 { 527 .procname = "udp_mem", 528 .data = &sysctl_udp_mem, 529 .maxlen = sizeof(sysctl_udp_mem), 530 .mode = 0644, 531 .proc_handler = proc_doulongvec_minmax, 532 }, 533 { } 534 }; 535 536 static struct ctl_table ipv4_net_table[] = { 537 { 538 .procname = "icmp_echo_ignore_all", 539 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 540 .maxlen = sizeof(int), 541 .mode = 0644, 542 .proc_handler = proc_dointvec 543 }, 544 { 545 .procname = "icmp_echo_ignore_broadcasts", 546 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 547 .maxlen = sizeof(int), 548 .mode = 0644, 549 .proc_handler = proc_dointvec 550 }, 551 { 552 .procname = "icmp_ignore_bogus_error_responses", 553 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 554 .maxlen = sizeof(int), 555 .mode = 0644, 556 .proc_handler = proc_dointvec 557 }, 558 { 559 .procname = "icmp_errors_use_inbound_ifaddr", 560 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 561 .maxlen = sizeof(int), 562 .mode = 0644, 563 .proc_handler = proc_dointvec 564 }, 565 { 566 .procname = "icmp_ratelimit", 567 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 568 .maxlen = sizeof(int), 569 .mode = 0644, 570 .proc_handler = proc_dointvec_ms_jiffies, 571 }, 572 { 573 .procname = "icmp_ratemask", 574 .data = &init_net.ipv4.sysctl_icmp_ratemask, 575 .maxlen = sizeof(int), 576 .mode = 0644, 577 .proc_handler = proc_dointvec 578 }, 579 { 580 .procname = "ping_group_range", 581 .data = &init_net.ipv4.ping_group_range.range, 582 .maxlen = sizeof(gid_t)*2, 583 .mode = 0644, 584 .proc_handler = ipv4_ping_group_range, 585 }, 586 { 587 .procname = "tcp_ecn", 588 .data = &init_net.ipv4.sysctl_tcp_ecn, 589 .maxlen = sizeof(int), 590 .mode = 0644, 591 .proc_handler = proc_dointvec 592 }, 593 { 594 .procname = "tcp_ecn_fallback", 595 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 596 .maxlen = sizeof(int), 597 .mode = 0644, 598 .proc_handler = proc_dointvec 599 }, 600 { 601 .procname = "ip_dynaddr", 602 .data = &init_net.ipv4.sysctl_ip_dynaddr, 603 .maxlen = sizeof(int), 604 .mode = 0644, 605 .proc_handler = proc_dointvec 606 }, 607 { 608 .procname = "ip_early_demux", 609 .data = &init_net.ipv4.sysctl_ip_early_demux, 610 .maxlen = sizeof(int), 611 .mode = 0644, 612 .proc_handler = proc_dointvec 613 }, 614 { 615 .procname = "udp_early_demux", 616 .data = &init_net.ipv4.sysctl_udp_early_demux, 617 .maxlen = sizeof(int), 618 .mode = 0644, 619 .proc_handler = proc_udp_early_demux 620 }, 621 { 622 .procname = "tcp_early_demux", 623 .data = &init_net.ipv4.sysctl_tcp_early_demux, 624 .maxlen = sizeof(int), 625 .mode = 0644, 626 .proc_handler = proc_tcp_early_demux 627 }, 628 { 629 .procname = "ip_default_ttl", 630 .data = &init_net.ipv4.sysctl_ip_default_ttl, 631 .maxlen = sizeof(int), 632 .mode = 0644, 633 .proc_handler = proc_dointvec_minmax, 634 .extra1 = &ip_ttl_min, 635 .extra2 = &ip_ttl_max, 636 }, 637 { 638 .procname = "ip_local_port_range", 639 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 640 .data = &init_net.ipv4.ip_local_ports.range, 641 .mode = 0644, 642 .proc_handler = ipv4_local_port_range, 643 }, 644 { 645 .procname = "ip_local_reserved_ports", 646 .data = &init_net.ipv4.sysctl_local_reserved_ports, 647 .maxlen = 65536, 648 .mode = 0644, 649 .proc_handler = proc_do_large_bitmap, 650 }, 651 { 652 .procname = "ip_no_pmtu_disc", 653 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 654 .maxlen = sizeof(int), 655 .mode = 0644, 656 .proc_handler = proc_dointvec 657 }, 658 { 659 .procname = "ip_forward_use_pmtu", 660 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 661 .maxlen = sizeof(int), 662 .mode = 0644, 663 .proc_handler = proc_dointvec, 664 }, 665 { 666 .procname = "ip_nonlocal_bind", 667 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 668 .maxlen = sizeof(int), 669 .mode = 0644, 670 .proc_handler = proc_dointvec 671 }, 672 { 673 .procname = "fwmark_reflect", 674 .data = &init_net.ipv4.sysctl_fwmark_reflect, 675 .maxlen = sizeof(int), 676 .mode = 0644, 677 .proc_handler = proc_dointvec, 678 }, 679 { 680 .procname = "tcp_fwmark_accept", 681 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 682 .maxlen = sizeof(int), 683 .mode = 0644, 684 .proc_handler = proc_dointvec, 685 }, 686 #ifdef CONFIG_NET_L3_MASTER_DEV 687 { 688 .procname = "tcp_l3mdev_accept", 689 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 690 .maxlen = sizeof(int), 691 .mode = 0644, 692 .proc_handler = proc_dointvec_minmax, 693 .extra1 = &zero, 694 .extra2 = &one, 695 }, 696 #endif 697 { 698 .procname = "tcp_mtu_probing", 699 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 700 .maxlen = sizeof(int), 701 .mode = 0644, 702 .proc_handler = proc_dointvec, 703 }, 704 { 705 .procname = "tcp_base_mss", 706 .data = &init_net.ipv4.sysctl_tcp_base_mss, 707 .maxlen = sizeof(int), 708 .mode = 0644, 709 .proc_handler = proc_dointvec, 710 }, 711 { 712 .procname = "tcp_probe_threshold", 713 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 714 .maxlen = sizeof(int), 715 .mode = 0644, 716 .proc_handler = proc_dointvec, 717 }, 718 { 719 .procname = "tcp_probe_interval", 720 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 721 .maxlen = sizeof(int), 722 .mode = 0644, 723 .proc_handler = proc_dointvec, 724 }, 725 { 726 .procname = "igmp_link_local_mcast_reports", 727 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 728 .maxlen = sizeof(int), 729 .mode = 0644, 730 .proc_handler = proc_dointvec 731 }, 732 { 733 .procname = "igmp_max_memberships", 734 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 735 .maxlen = sizeof(int), 736 .mode = 0644, 737 .proc_handler = proc_dointvec 738 }, 739 { 740 .procname = "igmp_max_msf", 741 .data = &init_net.ipv4.sysctl_igmp_max_msf, 742 .maxlen = sizeof(int), 743 .mode = 0644, 744 .proc_handler = proc_dointvec 745 }, 746 #ifdef CONFIG_IP_MULTICAST 747 { 748 .procname = "igmp_qrv", 749 .data = &init_net.ipv4.sysctl_igmp_qrv, 750 .maxlen = sizeof(int), 751 .mode = 0644, 752 .proc_handler = proc_dointvec_minmax, 753 .extra1 = &one 754 }, 755 #endif 756 { 757 .procname = "tcp_congestion_control", 758 .data = &init_net.ipv4.tcp_congestion_control, 759 .mode = 0644, 760 .maxlen = TCP_CA_NAME_MAX, 761 .proc_handler = proc_tcp_congestion_control, 762 }, 763 { 764 .procname = "tcp_keepalive_time", 765 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 766 .maxlen = sizeof(int), 767 .mode = 0644, 768 .proc_handler = proc_dointvec_jiffies, 769 }, 770 { 771 .procname = "tcp_keepalive_probes", 772 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 773 .maxlen = sizeof(int), 774 .mode = 0644, 775 .proc_handler = proc_dointvec 776 }, 777 { 778 .procname = "tcp_keepalive_intvl", 779 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 780 .maxlen = sizeof(int), 781 .mode = 0644, 782 .proc_handler = proc_dointvec_jiffies, 783 }, 784 { 785 .procname = "tcp_syn_retries", 786 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 787 .maxlen = sizeof(int), 788 .mode = 0644, 789 .proc_handler = proc_dointvec_minmax, 790 .extra1 = &tcp_syn_retries_min, 791 .extra2 = &tcp_syn_retries_max 792 }, 793 { 794 .procname = "tcp_synack_retries", 795 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 796 .maxlen = sizeof(int), 797 .mode = 0644, 798 .proc_handler = proc_dointvec 799 }, 800 #ifdef CONFIG_SYN_COOKIES 801 { 802 .procname = "tcp_syncookies", 803 .data = &init_net.ipv4.sysctl_tcp_syncookies, 804 .maxlen = sizeof(int), 805 .mode = 0644, 806 .proc_handler = proc_dointvec 807 }, 808 #endif 809 { 810 .procname = "tcp_reordering", 811 .data = &init_net.ipv4.sysctl_tcp_reordering, 812 .maxlen = sizeof(int), 813 .mode = 0644, 814 .proc_handler = proc_dointvec 815 }, 816 { 817 .procname = "tcp_retries1", 818 .data = &init_net.ipv4.sysctl_tcp_retries1, 819 .maxlen = sizeof(int), 820 .mode = 0644, 821 .proc_handler = proc_dointvec_minmax, 822 .extra2 = &tcp_retr1_max 823 }, 824 { 825 .procname = "tcp_retries2", 826 .data = &init_net.ipv4.sysctl_tcp_retries2, 827 .maxlen = sizeof(int), 828 .mode = 0644, 829 .proc_handler = proc_dointvec 830 }, 831 { 832 .procname = "tcp_orphan_retries", 833 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 834 .maxlen = sizeof(int), 835 .mode = 0644, 836 .proc_handler = proc_dointvec 837 }, 838 { 839 .procname = "tcp_fin_timeout", 840 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 841 .maxlen = sizeof(int), 842 .mode = 0644, 843 .proc_handler = proc_dointvec_jiffies, 844 }, 845 { 846 .procname = "tcp_notsent_lowat", 847 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 848 .maxlen = sizeof(unsigned int), 849 .mode = 0644, 850 .proc_handler = proc_douintvec, 851 }, 852 { 853 .procname = "tcp_tw_reuse", 854 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 855 .maxlen = sizeof(int), 856 .mode = 0644, 857 .proc_handler = proc_dointvec_minmax, 858 .extra1 = &zero, 859 .extra2 = &two, 860 }, 861 { 862 .procname = "tcp_max_tw_buckets", 863 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 864 .maxlen = sizeof(int), 865 .mode = 0644, 866 .proc_handler = proc_dointvec 867 }, 868 { 869 .procname = "tcp_max_syn_backlog", 870 .data = &init_net.ipv4.sysctl_max_syn_backlog, 871 .maxlen = sizeof(int), 872 .mode = 0644, 873 .proc_handler = proc_dointvec 874 }, 875 { 876 .procname = "tcp_fastopen", 877 .data = &init_net.ipv4.sysctl_tcp_fastopen, 878 .maxlen = sizeof(int), 879 .mode = 0644, 880 .proc_handler = proc_dointvec, 881 }, 882 { 883 .procname = "tcp_fastopen_key", 884 .mode = 0600, 885 .data = &init_net.ipv4.sysctl_tcp_fastopen, 886 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 887 .proc_handler = proc_tcp_fastopen_key, 888 }, 889 { 890 .procname = "tcp_fastopen_blackhole_timeout_sec", 891 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout, 892 .maxlen = sizeof(int), 893 .mode = 0644, 894 .proc_handler = proc_tfo_blackhole_detect_timeout, 895 .extra1 = &zero, 896 }, 897 #ifdef CONFIG_IP_ROUTE_MULTIPATH 898 { 899 .procname = "fib_multipath_use_neigh", 900 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 901 .maxlen = sizeof(int), 902 .mode = 0644, 903 .proc_handler = proc_dointvec_minmax, 904 .extra1 = &zero, 905 .extra2 = &one, 906 }, 907 { 908 .procname = "fib_multipath_hash_policy", 909 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 910 .maxlen = sizeof(int), 911 .mode = 0644, 912 .proc_handler = proc_fib_multipath_hash_policy, 913 .extra1 = &zero, 914 .extra2 = &one, 915 }, 916 #endif 917 { 918 .procname = "ip_unprivileged_port_start", 919 .maxlen = sizeof(int), 920 .data = &init_net.ipv4.sysctl_ip_prot_sock, 921 .mode = 0644, 922 .proc_handler = ipv4_privileged_ports, 923 }, 924 #ifdef CONFIG_NET_L3_MASTER_DEV 925 { 926 .procname = "udp_l3mdev_accept", 927 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 928 .maxlen = sizeof(int), 929 .mode = 0644, 930 .proc_handler = proc_dointvec_minmax, 931 .extra1 = &zero, 932 .extra2 = &one, 933 }, 934 #endif 935 { 936 .procname = "tcp_sack", 937 .data = &init_net.ipv4.sysctl_tcp_sack, 938 .maxlen = sizeof(int), 939 .mode = 0644, 940 .proc_handler = proc_dointvec 941 }, 942 { 943 .procname = "tcp_window_scaling", 944 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 945 .maxlen = sizeof(int), 946 .mode = 0644, 947 .proc_handler = proc_dointvec 948 }, 949 { 950 .procname = "tcp_timestamps", 951 .data = &init_net.ipv4.sysctl_tcp_timestamps, 952 .maxlen = sizeof(int), 953 .mode = 0644, 954 .proc_handler = proc_dointvec 955 }, 956 { 957 .procname = "tcp_early_retrans", 958 .data = &init_net.ipv4.sysctl_tcp_early_retrans, 959 .maxlen = sizeof(int), 960 .mode = 0644, 961 .proc_handler = proc_dointvec_minmax, 962 .extra1 = &zero, 963 .extra2 = &four, 964 }, 965 { 966 .procname = "tcp_recovery", 967 .data = &init_net.ipv4.sysctl_tcp_recovery, 968 .maxlen = sizeof(int), 969 .mode = 0644, 970 .proc_handler = proc_dointvec, 971 }, 972 { 973 .procname = "tcp_thin_linear_timeouts", 974 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts, 975 .maxlen = sizeof(int), 976 .mode = 0644, 977 .proc_handler = proc_dointvec 978 }, 979 { 980 .procname = "tcp_slow_start_after_idle", 981 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle, 982 .maxlen = sizeof(int), 983 .mode = 0644, 984 .proc_handler = proc_dointvec 985 }, 986 { 987 .procname = "tcp_retrans_collapse", 988 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse, 989 .maxlen = sizeof(int), 990 .mode = 0644, 991 .proc_handler = proc_dointvec 992 }, 993 { 994 .procname = "tcp_stdurg", 995 .data = &init_net.ipv4.sysctl_tcp_stdurg, 996 .maxlen = sizeof(int), 997 .mode = 0644, 998 .proc_handler = proc_dointvec 999 }, 1000 { 1001 .procname = "tcp_rfc1337", 1002 .data = &init_net.ipv4.sysctl_tcp_rfc1337, 1003 .maxlen = sizeof(int), 1004 .mode = 0644, 1005 .proc_handler = proc_dointvec 1006 }, 1007 { 1008 .procname = "tcp_abort_on_overflow", 1009 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow, 1010 .maxlen = sizeof(int), 1011 .mode = 0644, 1012 .proc_handler = proc_dointvec 1013 }, 1014 { 1015 .procname = "tcp_fack", 1016 .data = &init_net.ipv4.sysctl_tcp_fack, 1017 .maxlen = sizeof(int), 1018 .mode = 0644, 1019 .proc_handler = proc_dointvec 1020 }, 1021 { 1022 .procname = "tcp_max_reordering", 1023 .data = &init_net.ipv4.sysctl_tcp_max_reordering, 1024 .maxlen = sizeof(int), 1025 .mode = 0644, 1026 .proc_handler = proc_dointvec 1027 }, 1028 { 1029 .procname = "tcp_dsack", 1030 .data = &init_net.ipv4.sysctl_tcp_dsack, 1031 .maxlen = sizeof(int), 1032 .mode = 0644, 1033 .proc_handler = proc_dointvec 1034 }, 1035 { 1036 .procname = "tcp_app_win", 1037 .data = &init_net.ipv4.sysctl_tcp_app_win, 1038 .maxlen = sizeof(int), 1039 .mode = 0644, 1040 .proc_handler = proc_dointvec 1041 }, 1042 { 1043 .procname = "tcp_adv_win_scale", 1044 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale, 1045 .maxlen = sizeof(int), 1046 .mode = 0644, 1047 .proc_handler = proc_dointvec_minmax, 1048 .extra1 = &tcp_adv_win_scale_min, 1049 .extra2 = &tcp_adv_win_scale_max, 1050 }, 1051 { 1052 .procname = "tcp_frto", 1053 .data = &init_net.ipv4.sysctl_tcp_frto, 1054 .maxlen = sizeof(int), 1055 .mode = 0644, 1056 .proc_handler = proc_dointvec 1057 }, 1058 { 1059 .procname = "tcp_no_metrics_save", 1060 .data = &init_net.ipv4.sysctl_tcp_nometrics_save, 1061 .maxlen = sizeof(int), 1062 .mode = 0644, 1063 .proc_handler = proc_dointvec, 1064 }, 1065 { 1066 .procname = "tcp_moderate_rcvbuf", 1067 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf, 1068 .maxlen = sizeof(int), 1069 .mode = 0644, 1070 .proc_handler = proc_dointvec, 1071 }, 1072 { 1073 .procname = "tcp_tso_win_divisor", 1074 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor, 1075 .maxlen = sizeof(int), 1076 .mode = 0644, 1077 .proc_handler = proc_dointvec, 1078 }, 1079 { 1080 .procname = "tcp_workaround_signed_windows", 1081 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows, 1082 .maxlen = sizeof(int), 1083 .mode = 0644, 1084 .proc_handler = proc_dointvec 1085 }, 1086 { 1087 .procname = "tcp_limit_output_bytes", 1088 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes, 1089 .maxlen = sizeof(int), 1090 .mode = 0644, 1091 .proc_handler = proc_dointvec 1092 }, 1093 { 1094 .procname = "tcp_challenge_ack_limit", 1095 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit, 1096 .maxlen = sizeof(int), 1097 .mode = 0644, 1098 .proc_handler = proc_dointvec 1099 }, 1100 { 1101 .procname = "tcp_min_tso_segs", 1102 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs, 1103 .maxlen = sizeof(int), 1104 .mode = 0644, 1105 .proc_handler = proc_dointvec_minmax, 1106 .extra1 = &one, 1107 .extra2 = &gso_max_segs, 1108 }, 1109 { 1110 .procname = "tcp_min_rtt_wlen", 1111 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, 1112 .maxlen = sizeof(int), 1113 .mode = 0644, 1114 .proc_handler = proc_dointvec 1115 }, 1116 { 1117 .procname = "tcp_autocorking", 1118 .data = &init_net.ipv4.sysctl_tcp_autocorking, 1119 .maxlen = sizeof(int), 1120 .mode = 0644, 1121 .proc_handler = proc_dointvec_minmax, 1122 .extra1 = &zero, 1123 .extra2 = &one, 1124 }, 1125 { 1126 .procname = "tcp_invalid_ratelimit", 1127 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit, 1128 .maxlen = sizeof(int), 1129 .mode = 0644, 1130 .proc_handler = proc_dointvec_ms_jiffies, 1131 }, 1132 { 1133 .procname = "tcp_pacing_ss_ratio", 1134 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio, 1135 .maxlen = sizeof(int), 1136 .mode = 0644, 1137 .proc_handler = proc_dointvec_minmax, 1138 .extra1 = &zero, 1139 .extra2 = &thousand, 1140 }, 1141 { 1142 .procname = "tcp_pacing_ca_ratio", 1143 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio, 1144 .maxlen = sizeof(int), 1145 .mode = 0644, 1146 .proc_handler = proc_dointvec_minmax, 1147 .extra1 = &zero, 1148 .extra2 = &thousand, 1149 }, 1150 { 1151 .procname = "tcp_wmem", 1152 .data = &init_net.ipv4.sysctl_tcp_wmem, 1153 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem), 1154 .mode = 0644, 1155 .proc_handler = proc_dointvec_minmax, 1156 .extra1 = &one, 1157 }, 1158 { 1159 .procname = "tcp_rmem", 1160 .data = &init_net.ipv4.sysctl_tcp_rmem, 1161 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem), 1162 .mode = 0644, 1163 .proc_handler = proc_dointvec_minmax, 1164 .extra1 = &one, 1165 }, 1166 { 1167 .procname = "tcp_comp_sack_delay_ns", 1168 .data = &init_net.ipv4.sysctl_tcp_comp_sack_delay_ns, 1169 .maxlen = sizeof(unsigned long), 1170 .mode = 0644, 1171 .proc_handler = proc_doulongvec_minmax, 1172 }, 1173 { 1174 .procname = "tcp_comp_sack_nr", 1175 .data = &init_net.ipv4.sysctl_tcp_comp_sack_nr, 1176 .maxlen = sizeof(int), 1177 .mode = 0644, 1178 .proc_handler = proc_dointvec_minmax, 1179 .extra1 = &zero, 1180 .extra2 = &comp_sack_nr_max, 1181 }, 1182 { 1183 .procname = "udp_rmem_min", 1184 .data = &init_net.ipv4.sysctl_udp_rmem_min, 1185 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min), 1186 .mode = 0644, 1187 .proc_handler = proc_dointvec_minmax, 1188 .extra1 = &one 1189 }, 1190 { 1191 .procname = "udp_wmem_min", 1192 .data = &init_net.ipv4.sysctl_udp_wmem_min, 1193 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min), 1194 .mode = 0644, 1195 .proc_handler = proc_dointvec_minmax, 1196 .extra1 = &one 1197 }, 1198 { } 1199 }; 1200 1201 static __net_init int ipv4_sysctl_init_net(struct net *net) 1202 { 1203 struct ctl_table *table; 1204 1205 table = ipv4_net_table; 1206 if (!net_eq(net, &init_net)) { 1207 int i; 1208 1209 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1210 if (!table) 1211 goto err_alloc; 1212 1213 /* Update the variables to point into the current struct net */ 1214 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1215 table[i].data += (void *)net - (void *)&init_net; 1216 } 1217 1218 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1219 if (!net->ipv4.ipv4_hdr) 1220 goto err_reg; 1221 1222 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1223 if (!net->ipv4.sysctl_local_reserved_ports) 1224 goto err_ports; 1225 1226 return 0; 1227 1228 err_ports: 1229 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1230 err_reg: 1231 if (!net_eq(net, &init_net)) 1232 kfree(table); 1233 err_alloc: 1234 return -ENOMEM; 1235 } 1236 1237 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1238 { 1239 struct ctl_table *table; 1240 1241 kfree(net->ipv4.sysctl_local_reserved_ports); 1242 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1243 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1244 kfree(table); 1245 } 1246 1247 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1248 .init = ipv4_sysctl_init_net, 1249 .exit = ipv4_sysctl_exit_net, 1250 }; 1251 1252 static __init int sysctl_ipv4_init(void) 1253 { 1254 struct ctl_table_header *hdr; 1255 1256 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1257 if (!hdr) 1258 return -ENOMEM; 1259 1260 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1261 unregister_net_sysctl_table(hdr); 1262 return -ENOMEM; 1263 } 1264 1265 return 0; 1266 } 1267 1268 __initcall(sysctl_ipv4_init); 1269