1 /* 2 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 3 * 4 * Begun April 1, 1996, Mike Shaver. 5 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 6 */ 7 8 #include <linux/mm.h> 9 #include <linux/module.h> 10 #include <linux/sysctl.h> 11 #include <linux/igmp.h> 12 #include <linux/inetdevice.h> 13 #include <linux/seqlock.h> 14 #include <linux/init.h> 15 #include <linux/slab.h> 16 #include <linux/nsproxy.h> 17 #include <linux/swap.h> 18 #include <net/snmp.h> 19 #include <net/icmp.h> 20 #include <net/ip.h> 21 #include <net/route.h> 22 #include <net/tcp.h> 23 #include <net/udp.h> 24 #include <net/cipso_ipv4.h> 25 #include <net/inet_frag.h> 26 #include <net/ping.h> 27 #include <net/protocol.h> 28 29 static int zero; 30 static int one = 1; 31 static int four = 4; 32 static int thousand = 1000; 33 static int gso_max_segs = GSO_MAX_SEGS; 34 static int tcp_retr1_max = 255; 35 static int ip_local_port_range_min[] = { 1, 1 }; 36 static int ip_local_port_range_max[] = { 65535, 65535 }; 37 static int tcp_adv_win_scale_min = -31; 38 static int tcp_adv_win_scale_max = 31; 39 static int ip_privileged_port_min; 40 static int ip_privileged_port_max = 65535; 41 static int ip_ttl_min = 1; 42 static int ip_ttl_max = 255; 43 static int tcp_syn_retries_min = 1; 44 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 45 static int ip_ping_group_range_min[] = { 0, 0 }; 46 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 47 48 /* Update system visible IP port range */ 49 static void set_local_port_range(struct net *net, int range[2]) 50 { 51 bool same_parity = !((range[0] ^ range[1]) & 1); 52 53 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 54 if (same_parity && !net->ipv4.ip_local_ports.warned) { 55 net->ipv4.ip_local_ports.warned = true; 56 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 57 } 58 net->ipv4.ip_local_ports.range[0] = range[0]; 59 net->ipv4.ip_local_ports.range[1] = range[1]; 60 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 61 } 62 63 /* Validate changes from /proc interface. */ 64 static int ipv4_local_port_range(struct ctl_table *table, int write, 65 void __user *buffer, 66 size_t *lenp, loff_t *ppos) 67 { 68 struct net *net = 69 container_of(table->data, struct net, ipv4.ip_local_ports.range); 70 int ret; 71 int range[2]; 72 struct ctl_table tmp = { 73 .data = &range, 74 .maxlen = sizeof(range), 75 .mode = table->mode, 76 .extra1 = &ip_local_port_range_min, 77 .extra2 = &ip_local_port_range_max, 78 }; 79 80 inet_get_local_port_range(net, &range[0], &range[1]); 81 82 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 83 84 if (write && ret == 0) { 85 /* Ensure that the upper limit is not smaller than the lower, 86 * and that the lower does not encroach upon the privileged 87 * port limit. 88 */ 89 if ((range[1] < range[0]) || 90 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 91 ret = -EINVAL; 92 else 93 set_local_port_range(net, range); 94 } 95 96 return ret; 97 } 98 99 /* Validate changes from /proc interface. */ 100 static int ipv4_privileged_ports(struct ctl_table *table, int write, 101 void __user *buffer, size_t *lenp, loff_t *ppos) 102 { 103 struct net *net = container_of(table->data, struct net, 104 ipv4.sysctl_ip_prot_sock); 105 int ret; 106 int pports; 107 int range[2]; 108 struct ctl_table tmp = { 109 .data = &pports, 110 .maxlen = sizeof(pports), 111 .mode = table->mode, 112 .extra1 = &ip_privileged_port_min, 113 .extra2 = &ip_privileged_port_max, 114 }; 115 116 pports = net->ipv4.sysctl_ip_prot_sock; 117 118 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 119 120 if (write && ret == 0) { 121 inet_get_local_port_range(net, &range[0], &range[1]); 122 /* Ensure that the local port range doesn't overlap with the 123 * privileged port range. 124 */ 125 if (range[0] < pports) 126 ret = -EINVAL; 127 else 128 net->ipv4.sysctl_ip_prot_sock = pports; 129 } 130 131 return ret; 132 } 133 134 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 135 { 136 kgid_t *data = table->data; 137 struct net *net = 138 container_of(table->data, struct net, ipv4.ping_group_range.range); 139 unsigned int seq; 140 do { 141 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 142 143 *low = data[0]; 144 *high = data[1]; 145 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 146 } 147 148 /* Update system visible IP port range */ 149 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 150 { 151 kgid_t *data = table->data; 152 struct net *net = 153 container_of(table->data, struct net, ipv4.ping_group_range.range); 154 write_seqlock(&net->ipv4.ping_group_range.lock); 155 data[0] = low; 156 data[1] = high; 157 write_sequnlock(&net->ipv4.ping_group_range.lock); 158 } 159 160 /* Validate changes from /proc interface. */ 161 static int ipv4_ping_group_range(struct ctl_table *table, int write, 162 void __user *buffer, 163 size_t *lenp, loff_t *ppos) 164 { 165 struct user_namespace *user_ns = current_user_ns(); 166 int ret; 167 gid_t urange[2]; 168 kgid_t low, high; 169 struct ctl_table tmp = { 170 .data = &urange, 171 .maxlen = sizeof(urange), 172 .mode = table->mode, 173 .extra1 = &ip_ping_group_range_min, 174 .extra2 = &ip_ping_group_range_max, 175 }; 176 177 inet_get_ping_group_range_table(table, &low, &high); 178 urange[0] = from_kgid_munged(user_ns, low); 179 urange[1] = from_kgid_munged(user_ns, high); 180 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 181 182 if (write && ret == 0) { 183 low = make_kgid(user_ns, urange[0]); 184 high = make_kgid(user_ns, urange[1]); 185 if (!gid_valid(low) || !gid_valid(high) || 186 (urange[1] < urange[0]) || gid_lt(high, low)) { 187 low = make_kgid(&init_user_ns, 1); 188 high = make_kgid(&init_user_ns, 0); 189 } 190 set_ping_group_range(table, low, high); 191 } 192 193 return ret; 194 } 195 196 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 197 void __user *buffer, size_t *lenp, loff_t *ppos) 198 { 199 char val[TCP_CA_NAME_MAX]; 200 struct ctl_table tbl = { 201 .data = val, 202 .maxlen = TCP_CA_NAME_MAX, 203 }; 204 int ret; 205 206 tcp_get_default_congestion_control(val); 207 208 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 209 if (write && ret == 0) 210 ret = tcp_set_default_congestion_control(val); 211 return ret; 212 } 213 214 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 215 int write, 216 void __user *buffer, size_t *lenp, 217 loff_t *ppos) 218 { 219 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 220 int ret; 221 222 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 223 if (!tbl.data) 224 return -ENOMEM; 225 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 226 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 227 kfree(tbl.data); 228 return ret; 229 } 230 231 static int proc_allowed_congestion_control(struct ctl_table *ctl, 232 int write, 233 void __user *buffer, size_t *lenp, 234 loff_t *ppos) 235 { 236 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 237 int ret; 238 239 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 240 if (!tbl.data) 241 return -ENOMEM; 242 243 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 244 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 245 if (write && ret == 0) 246 ret = tcp_set_allowed_congestion_control(tbl.data); 247 kfree(tbl.data); 248 return ret; 249 } 250 251 static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write, 252 void __user *buffer, size_t *lenp, 253 loff_t *ppos) 254 { 255 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 256 struct tcp_fastopen_context *ctxt; 257 int ret; 258 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 259 260 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 261 if (!tbl.data) 262 return -ENOMEM; 263 264 rcu_read_lock(); 265 ctxt = rcu_dereference(tcp_fastopen_ctx); 266 if (ctxt) 267 memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 268 else 269 memset(user_key, 0, sizeof(user_key)); 270 rcu_read_unlock(); 271 272 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 273 user_key[0], user_key[1], user_key[2], user_key[3]); 274 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 275 276 if (write && ret == 0) { 277 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 278 user_key + 2, user_key + 3) != 4) { 279 ret = -EINVAL; 280 goto bad_key; 281 } 282 /* Generate a dummy secret but don't publish it. This 283 * is needed so we don't regenerate a new key on the 284 * first invocation of tcp_fastopen_cookie_gen 285 */ 286 tcp_fastopen_init_key_once(false); 287 tcp_fastopen_reset_cipher(user_key, TCP_FASTOPEN_KEY_LENGTH); 288 } 289 290 bad_key: 291 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 292 user_key[0], user_key[1], user_key[2], user_key[3], 293 (char *)tbl.data, ret); 294 kfree(tbl.data); 295 return ret; 296 } 297 298 static void proc_configure_early_demux(int enabled, int protocol) 299 { 300 struct net_protocol *ipprot; 301 #if IS_ENABLED(CONFIG_IPV6) 302 struct inet6_protocol *ip6prot; 303 #endif 304 305 ipprot = rcu_dereference(inet_protos[protocol]); 306 if (ipprot) 307 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 308 NULL; 309 310 #if IS_ENABLED(CONFIG_IPV6) 311 ip6prot = rcu_dereference(inet6_protos[protocol]); 312 if (ip6prot) 313 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 314 NULL; 315 #endif 316 } 317 318 static int proc_tcp_early_demux(struct ctl_table *table, int write, 319 void __user *buffer, size_t *lenp, loff_t *ppos) 320 { 321 int ret = 0; 322 323 ret = proc_dointvec(table, write, buffer, lenp, ppos); 324 325 if (write && !ret) { 326 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 327 328 proc_configure_early_demux(enabled, IPPROTO_TCP); 329 } 330 331 return ret; 332 } 333 334 static int proc_udp_early_demux(struct ctl_table *table, int write, 335 void __user *buffer, size_t *lenp, loff_t *ppos) 336 { 337 int ret = 0; 338 339 ret = proc_dointvec(table, write, buffer, lenp, ppos); 340 341 if (write && !ret) { 342 int enabled = init_net.ipv4.sysctl_udp_early_demux; 343 344 proc_configure_early_demux(enabled, IPPROTO_UDP); 345 } 346 347 return ret; 348 } 349 350 static struct ctl_table ipv4_table[] = { 351 { 352 .procname = "tcp_timestamps", 353 .data = &sysctl_tcp_timestamps, 354 .maxlen = sizeof(int), 355 .mode = 0644, 356 .proc_handler = proc_dointvec 357 }, 358 { 359 .procname = "tcp_window_scaling", 360 .data = &sysctl_tcp_window_scaling, 361 .maxlen = sizeof(int), 362 .mode = 0644, 363 .proc_handler = proc_dointvec 364 }, 365 { 366 .procname = "tcp_sack", 367 .data = &sysctl_tcp_sack, 368 .maxlen = sizeof(int), 369 .mode = 0644, 370 .proc_handler = proc_dointvec 371 }, 372 { 373 .procname = "tcp_retrans_collapse", 374 .data = &sysctl_tcp_retrans_collapse, 375 .maxlen = sizeof(int), 376 .mode = 0644, 377 .proc_handler = proc_dointvec 378 }, 379 { 380 .procname = "tcp_max_orphans", 381 .data = &sysctl_tcp_max_orphans, 382 .maxlen = sizeof(int), 383 .mode = 0644, 384 .proc_handler = proc_dointvec 385 }, 386 { 387 .procname = "tcp_fastopen", 388 .data = &sysctl_tcp_fastopen, 389 .maxlen = sizeof(int), 390 .mode = 0644, 391 .proc_handler = proc_dointvec, 392 }, 393 { 394 .procname = "tcp_fastopen_key", 395 .mode = 0600, 396 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 397 .proc_handler = proc_tcp_fastopen_key, 398 }, 399 { 400 .procname = "tcp_abort_on_overflow", 401 .data = &sysctl_tcp_abort_on_overflow, 402 .maxlen = sizeof(int), 403 .mode = 0644, 404 .proc_handler = proc_dointvec 405 }, 406 { 407 .procname = "tcp_stdurg", 408 .data = &sysctl_tcp_stdurg, 409 .maxlen = sizeof(int), 410 .mode = 0644, 411 .proc_handler = proc_dointvec 412 }, 413 { 414 .procname = "tcp_rfc1337", 415 .data = &sysctl_tcp_rfc1337, 416 .maxlen = sizeof(int), 417 .mode = 0644, 418 .proc_handler = proc_dointvec 419 }, 420 { 421 .procname = "inet_peer_threshold", 422 .data = &inet_peer_threshold, 423 .maxlen = sizeof(int), 424 .mode = 0644, 425 .proc_handler = proc_dointvec 426 }, 427 { 428 .procname = "inet_peer_minttl", 429 .data = &inet_peer_minttl, 430 .maxlen = sizeof(int), 431 .mode = 0644, 432 .proc_handler = proc_dointvec_jiffies, 433 }, 434 { 435 .procname = "inet_peer_maxttl", 436 .data = &inet_peer_maxttl, 437 .maxlen = sizeof(int), 438 .mode = 0644, 439 .proc_handler = proc_dointvec_jiffies, 440 }, 441 { 442 .procname = "tcp_fack", 443 .data = &sysctl_tcp_fack, 444 .maxlen = sizeof(int), 445 .mode = 0644, 446 .proc_handler = proc_dointvec 447 }, 448 { 449 .procname = "tcp_recovery", 450 .data = &sysctl_tcp_recovery, 451 .maxlen = sizeof(int), 452 .mode = 0644, 453 .proc_handler = proc_dointvec, 454 }, 455 { 456 .procname = "tcp_max_reordering", 457 .data = &sysctl_tcp_max_reordering, 458 .maxlen = sizeof(int), 459 .mode = 0644, 460 .proc_handler = proc_dointvec 461 }, 462 { 463 .procname = "tcp_dsack", 464 .data = &sysctl_tcp_dsack, 465 .maxlen = sizeof(int), 466 .mode = 0644, 467 .proc_handler = proc_dointvec 468 }, 469 { 470 .procname = "tcp_mem", 471 .maxlen = sizeof(sysctl_tcp_mem), 472 .data = &sysctl_tcp_mem, 473 .mode = 0644, 474 .proc_handler = proc_doulongvec_minmax, 475 }, 476 { 477 .procname = "tcp_wmem", 478 .data = &sysctl_tcp_wmem, 479 .maxlen = sizeof(sysctl_tcp_wmem), 480 .mode = 0644, 481 .proc_handler = proc_dointvec_minmax, 482 .extra1 = &one, 483 }, 484 { 485 .procname = "tcp_rmem", 486 .data = &sysctl_tcp_rmem, 487 .maxlen = sizeof(sysctl_tcp_rmem), 488 .mode = 0644, 489 .proc_handler = proc_dointvec_minmax, 490 .extra1 = &one, 491 }, 492 { 493 .procname = "tcp_app_win", 494 .data = &sysctl_tcp_app_win, 495 .maxlen = sizeof(int), 496 .mode = 0644, 497 .proc_handler = proc_dointvec 498 }, 499 { 500 .procname = "tcp_adv_win_scale", 501 .data = &sysctl_tcp_adv_win_scale, 502 .maxlen = sizeof(int), 503 .mode = 0644, 504 .proc_handler = proc_dointvec_minmax, 505 .extra1 = &tcp_adv_win_scale_min, 506 .extra2 = &tcp_adv_win_scale_max, 507 }, 508 { 509 .procname = "tcp_frto", 510 .data = &sysctl_tcp_frto, 511 .maxlen = sizeof(int), 512 .mode = 0644, 513 .proc_handler = proc_dointvec 514 }, 515 { 516 .procname = "tcp_min_rtt_wlen", 517 .data = &sysctl_tcp_min_rtt_wlen, 518 .maxlen = sizeof(int), 519 .mode = 0644, 520 .proc_handler = proc_dointvec 521 }, 522 { 523 .procname = "tcp_low_latency", 524 .data = &sysctl_tcp_low_latency, 525 .maxlen = sizeof(int), 526 .mode = 0644, 527 .proc_handler = proc_dointvec 528 }, 529 { 530 .procname = "tcp_no_metrics_save", 531 .data = &sysctl_tcp_nometrics_save, 532 .maxlen = sizeof(int), 533 .mode = 0644, 534 .proc_handler = proc_dointvec, 535 }, 536 { 537 .procname = "tcp_moderate_rcvbuf", 538 .data = &sysctl_tcp_moderate_rcvbuf, 539 .maxlen = sizeof(int), 540 .mode = 0644, 541 .proc_handler = proc_dointvec, 542 }, 543 { 544 .procname = "tcp_tso_win_divisor", 545 .data = &sysctl_tcp_tso_win_divisor, 546 .maxlen = sizeof(int), 547 .mode = 0644, 548 .proc_handler = proc_dointvec, 549 }, 550 { 551 .procname = "tcp_congestion_control", 552 .mode = 0644, 553 .maxlen = TCP_CA_NAME_MAX, 554 .proc_handler = proc_tcp_congestion_control, 555 }, 556 { 557 .procname = "tcp_workaround_signed_windows", 558 .data = &sysctl_tcp_workaround_signed_windows, 559 .maxlen = sizeof(int), 560 .mode = 0644, 561 .proc_handler = proc_dointvec 562 }, 563 { 564 .procname = "tcp_limit_output_bytes", 565 .data = &sysctl_tcp_limit_output_bytes, 566 .maxlen = sizeof(int), 567 .mode = 0644, 568 .proc_handler = proc_dointvec 569 }, 570 { 571 .procname = "tcp_challenge_ack_limit", 572 .data = &sysctl_tcp_challenge_ack_limit, 573 .maxlen = sizeof(int), 574 .mode = 0644, 575 .proc_handler = proc_dointvec 576 }, 577 { 578 .procname = "tcp_slow_start_after_idle", 579 .data = &sysctl_tcp_slow_start_after_idle, 580 .maxlen = sizeof(int), 581 .mode = 0644, 582 .proc_handler = proc_dointvec 583 }, 584 #ifdef CONFIG_NETLABEL 585 { 586 .procname = "cipso_cache_enable", 587 .data = &cipso_v4_cache_enabled, 588 .maxlen = sizeof(int), 589 .mode = 0644, 590 .proc_handler = proc_dointvec, 591 }, 592 { 593 .procname = "cipso_cache_bucket_size", 594 .data = &cipso_v4_cache_bucketsize, 595 .maxlen = sizeof(int), 596 .mode = 0644, 597 .proc_handler = proc_dointvec, 598 }, 599 { 600 .procname = "cipso_rbm_optfmt", 601 .data = &cipso_v4_rbm_optfmt, 602 .maxlen = sizeof(int), 603 .mode = 0644, 604 .proc_handler = proc_dointvec, 605 }, 606 { 607 .procname = "cipso_rbm_strictvalid", 608 .data = &cipso_v4_rbm_strictvalid, 609 .maxlen = sizeof(int), 610 .mode = 0644, 611 .proc_handler = proc_dointvec, 612 }, 613 #endif /* CONFIG_NETLABEL */ 614 { 615 .procname = "tcp_available_congestion_control", 616 .maxlen = TCP_CA_BUF_MAX, 617 .mode = 0444, 618 .proc_handler = proc_tcp_available_congestion_control, 619 }, 620 { 621 .procname = "tcp_allowed_congestion_control", 622 .maxlen = TCP_CA_BUF_MAX, 623 .mode = 0644, 624 .proc_handler = proc_allowed_congestion_control, 625 }, 626 { 627 .procname = "tcp_thin_linear_timeouts", 628 .data = &sysctl_tcp_thin_linear_timeouts, 629 .maxlen = sizeof(int), 630 .mode = 0644, 631 .proc_handler = proc_dointvec 632 }, 633 { 634 .procname = "tcp_early_retrans", 635 .data = &sysctl_tcp_early_retrans, 636 .maxlen = sizeof(int), 637 .mode = 0644, 638 .proc_handler = proc_dointvec_minmax, 639 .extra1 = &zero, 640 .extra2 = &four, 641 }, 642 { 643 .procname = "tcp_min_tso_segs", 644 .data = &sysctl_tcp_min_tso_segs, 645 .maxlen = sizeof(int), 646 .mode = 0644, 647 .proc_handler = proc_dointvec_minmax, 648 .extra1 = &one, 649 .extra2 = &gso_max_segs, 650 }, 651 { 652 .procname = "tcp_pacing_ss_ratio", 653 .data = &sysctl_tcp_pacing_ss_ratio, 654 .maxlen = sizeof(int), 655 .mode = 0644, 656 .proc_handler = proc_dointvec_minmax, 657 .extra1 = &zero, 658 .extra2 = &thousand, 659 }, 660 { 661 .procname = "tcp_pacing_ca_ratio", 662 .data = &sysctl_tcp_pacing_ca_ratio, 663 .maxlen = sizeof(int), 664 .mode = 0644, 665 .proc_handler = proc_dointvec_minmax, 666 .extra1 = &zero, 667 .extra2 = &thousand, 668 }, 669 { 670 .procname = "tcp_autocorking", 671 .data = &sysctl_tcp_autocorking, 672 .maxlen = sizeof(int), 673 .mode = 0644, 674 .proc_handler = proc_dointvec_minmax, 675 .extra1 = &zero, 676 .extra2 = &one, 677 }, 678 { 679 .procname = "tcp_invalid_ratelimit", 680 .data = &sysctl_tcp_invalid_ratelimit, 681 .maxlen = sizeof(int), 682 .mode = 0644, 683 .proc_handler = proc_dointvec_ms_jiffies, 684 }, 685 { 686 .procname = "icmp_msgs_per_sec", 687 .data = &sysctl_icmp_msgs_per_sec, 688 .maxlen = sizeof(int), 689 .mode = 0644, 690 .proc_handler = proc_dointvec_minmax, 691 .extra1 = &zero, 692 }, 693 { 694 .procname = "icmp_msgs_burst", 695 .data = &sysctl_icmp_msgs_burst, 696 .maxlen = sizeof(int), 697 .mode = 0644, 698 .proc_handler = proc_dointvec_minmax, 699 .extra1 = &zero, 700 }, 701 { 702 .procname = "udp_mem", 703 .data = &sysctl_udp_mem, 704 .maxlen = sizeof(sysctl_udp_mem), 705 .mode = 0644, 706 .proc_handler = proc_doulongvec_minmax, 707 }, 708 { 709 .procname = "udp_rmem_min", 710 .data = &sysctl_udp_rmem_min, 711 .maxlen = sizeof(sysctl_udp_rmem_min), 712 .mode = 0644, 713 .proc_handler = proc_dointvec_minmax, 714 .extra1 = &one 715 }, 716 { 717 .procname = "udp_wmem_min", 718 .data = &sysctl_udp_wmem_min, 719 .maxlen = sizeof(sysctl_udp_wmem_min), 720 .mode = 0644, 721 .proc_handler = proc_dointvec_minmax, 722 .extra1 = &one 723 }, 724 { } 725 }; 726 727 static struct ctl_table ipv4_net_table[] = { 728 { 729 .procname = "icmp_echo_ignore_all", 730 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 731 .maxlen = sizeof(int), 732 .mode = 0644, 733 .proc_handler = proc_dointvec 734 }, 735 { 736 .procname = "icmp_echo_ignore_broadcasts", 737 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 738 .maxlen = sizeof(int), 739 .mode = 0644, 740 .proc_handler = proc_dointvec 741 }, 742 { 743 .procname = "icmp_ignore_bogus_error_responses", 744 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 745 .maxlen = sizeof(int), 746 .mode = 0644, 747 .proc_handler = proc_dointvec 748 }, 749 { 750 .procname = "icmp_errors_use_inbound_ifaddr", 751 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 752 .maxlen = sizeof(int), 753 .mode = 0644, 754 .proc_handler = proc_dointvec 755 }, 756 { 757 .procname = "icmp_ratelimit", 758 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 759 .maxlen = sizeof(int), 760 .mode = 0644, 761 .proc_handler = proc_dointvec_ms_jiffies, 762 }, 763 { 764 .procname = "icmp_ratemask", 765 .data = &init_net.ipv4.sysctl_icmp_ratemask, 766 .maxlen = sizeof(int), 767 .mode = 0644, 768 .proc_handler = proc_dointvec 769 }, 770 { 771 .procname = "ping_group_range", 772 .data = &init_net.ipv4.ping_group_range.range, 773 .maxlen = sizeof(gid_t)*2, 774 .mode = 0644, 775 .proc_handler = ipv4_ping_group_range, 776 }, 777 { 778 .procname = "tcp_ecn", 779 .data = &init_net.ipv4.sysctl_tcp_ecn, 780 .maxlen = sizeof(int), 781 .mode = 0644, 782 .proc_handler = proc_dointvec 783 }, 784 { 785 .procname = "tcp_ecn_fallback", 786 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 787 .maxlen = sizeof(int), 788 .mode = 0644, 789 .proc_handler = proc_dointvec 790 }, 791 { 792 .procname = "ip_dynaddr", 793 .data = &init_net.ipv4.sysctl_ip_dynaddr, 794 .maxlen = sizeof(int), 795 .mode = 0644, 796 .proc_handler = proc_dointvec 797 }, 798 { 799 .procname = "ip_early_demux", 800 .data = &init_net.ipv4.sysctl_ip_early_demux, 801 .maxlen = sizeof(int), 802 .mode = 0644, 803 .proc_handler = proc_dointvec 804 }, 805 { 806 .procname = "udp_early_demux", 807 .data = &init_net.ipv4.sysctl_udp_early_demux, 808 .maxlen = sizeof(int), 809 .mode = 0644, 810 .proc_handler = proc_udp_early_demux 811 }, 812 { 813 .procname = "tcp_early_demux", 814 .data = &init_net.ipv4.sysctl_tcp_early_demux, 815 .maxlen = sizeof(int), 816 .mode = 0644, 817 .proc_handler = proc_tcp_early_demux 818 }, 819 { 820 .procname = "ip_default_ttl", 821 .data = &init_net.ipv4.sysctl_ip_default_ttl, 822 .maxlen = sizeof(int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec_minmax, 825 .extra1 = &ip_ttl_min, 826 .extra2 = &ip_ttl_max, 827 }, 828 { 829 .procname = "ip_local_port_range", 830 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 831 .data = &init_net.ipv4.ip_local_ports.range, 832 .mode = 0644, 833 .proc_handler = ipv4_local_port_range, 834 }, 835 { 836 .procname = "ip_local_reserved_ports", 837 .data = &init_net.ipv4.sysctl_local_reserved_ports, 838 .maxlen = 65536, 839 .mode = 0644, 840 .proc_handler = proc_do_large_bitmap, 841 }, 842 { 843 .procname = "ip_no_pmtu_disc", 844 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 845 .maxlen = sizeof(int), 846 .mode = 0644, 847 .proc_handler = proc_dointvec 848 }, 849 { 850 .procname = "ip_forward_use_pmtu", 851 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 852 .maxlen = sizeof(int), 853 .mode = 0644, 854 .proc_handler = proc_dointvec, 855 }, 856 { 857 .procname = "ip_nonlocal_bind", 858 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 859 .maxlen = sizeof(int), 860 .mode = 0644, 861 .proc_handler = proc_dointvec 862 }, 863 { 864 .procname = "fwmark_reflect", 865 .data = &init_net.ipv4.sysctl_fwmark_reflect, 866 .maxlen = sizeof(int), 867 .mode = 0644, 868 .proc_handler = proc_dointvec, 869 }, 870 { 871 .procname = "tcp_fwmark_accept", 872 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 873 .maxlen = sizeof(int), 874 .mode = 0644, 875 .proc_handler = proc_dointvec, 876 }, 877 #ifdef CONFIG_NET_L3_MASTER_DEV 878 { 879 .procname = "tcp_l3mdev_accept", 880 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 881 .maxlen = sizeof(int), 882 .mode = 0644, 883 .proc_handler = proc_dointvec_minmax, 884 .extra1 = &zero, 885 .extra2 = &one, 886 }, 887 #endif 888 { 889 .procname = "tcp_mtu_probing", 890 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 891 .maxlen = sizeof(int), 892 .mode = 0644, 893 .proc_handler = proc_dointvec, 894 }, 895 { 896 .procname = "tcp_base_mss", 897 .data = &init_net.ipv4.sysctl_tcp_base_mss, 898 .maxlen = sizeof(int), 899 .mode = 0644, 900 .proc_handler = proc_dointvec, 901 }, 902 { 903 .procname = "tcp_probe_threshold", 904 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 905 .maxlen = sizeof(int), 906 .mode = 0644, 907 .proc_handler = proc_dointvec, 908 }, 909 { 910 .procname = "tcp_probe_interval", 911 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 912 .maxlen = sizeof(int), 913 .mode = 0644, 914 .proc_handler = proc_dointvec, 915 }, 916 { 917 .procname = "igmp_link_local_mcast_reports", 918 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 919 .maxlen = sizeof(int), 920 .mode = 0644, 921 .proc_handler = proc_dointvec 922 }, 923 { 924 .procname = "igmp_max_memberships", 925 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 926 .maxlen = sizeof(int), 927 .mode = 0644, 928 .proc_handler = proc_dointvec 929 }, 930 { 931 .procname = "igmp_max_msf", 932 .data = &init_net.ipv4.sysctl_igmp_max_msf, 933 .maxlen = sizeof(int), 934 .mode = 0644, 935 .proc_handler = proc_dointvec 936 }, 937 #ifdef CONFIG_IP_MULTICAST 938 { 939 .procname = "igmp_qrv", 940 .data = &init_net.ipv4.sysctl_igmp_qrv, 941 .maxlen = sizeof(int), 942 .mode = 0644, 943 .proc_handler = proc_dointvec_minmax, 944 .extra1 = &one 945 }, 946 #endif 947 { 948 .procname = "tcp_keepalive_time", 949 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 950 .maxlen = sizeof(int), 951 .mode = 0644, 952 .proc_handler = proc_dointvec_jiffies, 953 }, 954 { 955 .procname = "tcp_keepalive_probes", 956 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 957 .maxlen = sizeof(int), 958 .mode = 0644, 959 .proc_handler = proc_dointvec 960 }, 961 { 962 .procname = "tcp_keepalive_intvl", 963 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 964 .maxlen = sizeof(int), 965 .mode = 0644, 966 .proc_handler = proc_dointvec_jiffies, 967 }, 968 { 969 .procname = "tcp_syn_retries", 970 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 971 .maxlen = sizeof(int), 972 .mode = 0644, 973 .proc_handler = proc_dointvec_minmax, 974 .extra1 = &tcp_syn_retries_min, 975 .extra2 = &tcp_syn_retries_max 976 }, 977 { 978 .procname = "tcp_synack_retries", 979 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 980 .maxlen = sizeof(int), 981 .mode = 0644, 982 .proc_handler = proc_dointvec 983 }, 984 #ifdef CONFIG_SYN_COOKIES 985 { 986 .procname = "tcp_syncookies", 987 .data = &init_net.ipv4.sysctl_tcp_syncookies, 988 .maxlen = sizeof(int), 989 .mode = 0644, 990 .proc_handler = proc_dointvec 991 }, 992 #endif 993 { 994 .procname = "tcp_reordering", 995 .data = &init_net.ipv4.sysctl_tcp_reordering, 996 .maxlen = sizeof(int), 997 .mode = 0644, 998 .proc_handler = proc_dointvec 999 }, 1000 { 1001 .procname = "tcp_retries1", 1002 .data = &init_net.ipv4.sysctl_tcp_retries1, 1003 .maxlen = sizeof(int), 1004 .mode = 0644, 1005 .proc_handler = proc_dointvec_minmax, 1006 .extra2 = &tcp_retr1_max 1007 }, 1008 { 1009 .procname = "tcp_retries2", 1010 .data = &init_net.ipv4.sysctl_tcp_retries2, 1011 .maxlen = sizeof(int), 1012 .mode = 0644, 1013 .proc_handler = proc_dointvec 1014 }, 1015 { 1016 .procname = "tcp_orphan_retries", 1017 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 1018 .maxlen = sizeof(int), 1019 .mode = 0644, 1020 .proc_handler = proc_dointvec 1021 }, 1022 { 1023 .procname = "tcp_fin_timeout", 1024 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 1025 .maxlen = sizeof(int), 1026 .mode = 0644, 1027 .proc_handler = proc_dointvec_jiffies, 1028 }, 1029 { 1030 .procname = "tcp_notsent_lowat", 1031 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 1032 .maxlen = sizeof(unsigned int), 1033 .mode = 0644, 1034 .proc_handler = proc_douintvec, 1035 }, 1036 { 1037 .procname = "tcp_tw_reuse", 1038 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 1039 .maxlen = sizeof(int), 1040 .mode = 0644, 1041 .proc_handler = proc_dointvec 1042 }, 1043 { 1044 .procname = "tcp_max_tw_buckets", 1045 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 1046 .maxlen = sizeof(int), 1047 .mode = 0644, 1048 .proc_handler = proc_dointvec 1049 }, 1050 { 1051 .procname = "tcp_max_syn_backlog", 1052 .data = &init_net.ipv4.sysctl_max_syn_backlog, 1053 .maxlen = sizeof(int), 1054 .mode = 0644, 1055 .proc_handler = proc_dointvec 1056 }, 1057 #ifdef CONFIG_IP_ROUTE_MULTIPATH 1058 { 1059 .procname = "fib_multipath_use_neigh", 1060 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 1061 .maxlen = sizeof(int), 1062 .mode = 0644, 1063 .proc_handler = proc_dointvec_minmax, 1064 .extra1 = &zero, 1065 .extra2 = &one, 1066 }, 1067 { 1068 .procname = "fib_multipath_hash_policy", 1069 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 1070 .maxlen = sizeof(int), 1071 .mode = 0644, 1072 .proc_handler = proc_dointvec_minmax, 1073 .extra1 = &zero, 1074 .extra2 = &one, 1075 }, 1076 #endif 1077 { 1078 .procname = "ip_unprivileged_port_start", 1079 .maxlen = sizeof(int), 1080 .data = &init_net.ipv4.sysctl_ip_prot_sock, 1081 .mode = 0644, 1082 .proc_handler = ipv4_privileged_ports, 1083 }, 1084 #ifdef CONFIG_NET_L3_MASTER_DEV 1085 { 1086 .procname = "udp_l3mdev_accept", 1087 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 1088 .maxlen = sizeof(int), 1089 .mode = 0644, 1090 .proc_handler = proc_dointvec_minmax, 1091 .extra1 = &zero, 1092 .extra2 = &one, 1093 }, 1094 #endif 1095 { } 1096 }; 1097 1098 static __net_init int ipv4_sysctl_init_net(struct net *net) 1099 { 1100 struct ctl_table *table; 1101 1102 table = ipv4_net_table; 1103 if (!net_eq(net, &init_net)) { 1104 int i; 1105 1106 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1107 if (!table) 1108 goto err_alloc; 1109 1110 /* Update the variables to point into the current struct net */ 1111 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1112 table[i].data += (void *)net - (void *)&init_net; 1113 } 1114 1115 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1116 if (!net->ipv4.ipv4_hdr) 1117 goto err_reg; 1118 1119 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1120 if (!net->ipv4.sysctl_local_reserved_ports) 1121 goto err_ports; 1122 1123 return 0; 1124 1125 err_ports: 1126 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1127 err_reg: 1128 if (!net_eq(net, &init_net)) 1129 kfree(table); 1130 err_alloc: 1131 return -ENOMEM; 1132 } 1133 1134 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1135 { 1136 struct ctl_table *table; 1137 1138 kfree(net->ipv4.sysctl_local_reserved_ports); 1139 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1140 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1141 kfree(table); 1142 } 1143 1144 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1145 .init = ipv4_sysctl_init_net, 1146 .exit = ipv4_sysctl_exit_net, 1147 }; 1148 1149 static __init int sysctl_ipv4_init(void) 1150 { 1151 struct ctl_table_header *hdr; 1152 1153 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1154 if (!hdr) 1155 return -ENOMEM; 1156 1157 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1158 unregister_net_sysctl_table(hdr); 1159 return -ENOMEM; 1160 } 1161 1162 return 0; 1163 } 1164 1165 __initcall(sysctl_ipv4_init); 1166