1 /* 2 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 3 * 4 * Begun April 1, 1996, Mike Shaver. 5 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 6 */ 7 8 #include <linux/mm.h> 9 #include <linux/module.h> 10 #include <linux/sysctl.h> 11 #include <linux/igmp.h> 12 #include <linux/inetdevice.h> 13 #include <linux/seqlock.h> 14 #include <linux/init.h> 15 #include <linux/slab.h> 16 #include <linux/nsproxy.h> 17 #include <linux/swap.h> 18 #include <net/snmp.h> 19 #include <net/icmp.h> 20 #include <net/ip.h> 21 #include <net/route.h> 22 #include <net/tcp.h> 23 #include <net/udp.h> 24 #include <net/cipso_ipv4.h> 25 #include <net/inet_frag.h> 26 #include <net/ping.h> 27 #include <net/protocol.h> 28 29 static int zero; 30 static int one = 1; 31 static int four = 4; 32 static int thousand = 1000; 33 static int gso_max_segs = GSO_MAX_SEGS; 34 static int tcp_retr1_max = 255; 35 static int ip_local_port_range_min[] = { 1, 1 }; 36 static int ip_local_port_range_max[] = { 65535, 65535 }; 37 static int tcp_adv_win_scale_min = -31; 38 static int tcp_adv_win_scale_max = 31; 39 static int ip_privileged_port_min; 40 static int ip_privileged_port_max = 65535; 41 static int ip_ttl_min = 1; 42 static int ip_ttl_max = 255; 43 static int tcp_syn_retries_min = 1; 44 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 45 static int ip_ping_group_range_min[] = { 0, 0 }; 46 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 47 48 /* obsolete */ 49 static int sysctl_tcp_low_latency __read_mostly; 50 51 /* Update system visible IP port range */ 52 static void set_local_port_range(struct net *net, int range[2]) 53 { 54 bool same_parity = !((range[0] ^ range[1]) & 1); 55 56 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 57 if (same_parity && !net->ipv4.ip_local_ports.warned) { 58 net->ipv4.ip_local_ports.warned = true; 59 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 60 } 61 net->ipv4.ip_local_ports.range[0] = range[0]; 62 net->ipv4.ip_local_ports.range[1] = range[1]; 63 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 64 } 65 66 /* Validate changes from /proc interface. */ 67 static int ipv4_local_port_range(struct ctl_table *table, int write, 68 void __user *buffer, 69 size_t *lenp, loff_t *ppos) 70 { 71 struct net *net = 72 container_of(table->data, struct net, ipv4.ip_local_ports.range); 73 int ret; 74 int range[2]; 75 struct ctl_table tmp = { 76 .data = &range, 77 .maxlen = sizeof(range), 78 .mode = table->mode, 79 .extra1 = &ip_local_port_range_min, 80 .extra2 = &ip_local_port_range_max, 81 }; 82 83 inet_get_local_port_range(net, &range[0], &range[1]); 84 85 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 86 87 if (write && ret == 0) { 88 /* Ensure that the upper limit is not smaller than the lower, 89 * and that the lower does not encroach upon the privileged 90 * port limit. 91 */ 92 if ((range[1] < range[0]) || 93 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 94 ret = -EINVAL; 95 else 96 set_local_port_range(net, range); 97 } 98 99 return ret; 100 } 101 102 /* Validate changes from /proc interface. */ 103 static int ipv4_privileged_ports(struct ctl_table *table, int write, 104 void __user *buffer, size_t *lenp, loff_t *ppos) 105 { 106 struct net *net = container_of(table->data, struct net, 107 ipv4.sysctl_ip_prot_sock); 108 int ret; 109 int pports; 110 int range[2]; 111 struct ctl_table tmp = { 112 .data = &pports, 113 .maxlen = sizeof(pports), 114 .mode = table->mode, 115 .extra1 = &ip_privileged_port_min, 116 .extra2 = &ip_privileged_port_max, 117 }; 118 119 pports = net->ipv4.sysctl_ip_prot_sock; 120 121 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 122 123 if (write && ret == 0) { 124 inet_get_local_port_range(net, &range[0], &range[1]); 125 /* Ensure that the local port range doesn't overlap with the 126 * privileged port range. 127 */ 128 if (range[0] < pports) 129 ret = -EINVAL; 130 else 131 net->ipv4.sysctl_ip_prot_sock = pports; 132 } 133 134 return ret; 135 } 136 137 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 138 { 139 kgid_t *data = table->data; 140 struct net *net = 141 container_of(table->data, struct net, ipv4.ping_group_range.range); 142 unsigned int seq; 143 do { 144 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 145 146 *low = data[0]; 147 *high = data[1]; 148 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 149 } 150 151 /* Update system visible IP port range */ 152 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 153 { 154 kgid_t *data = table->data; 155 struct net *net = 156 container_of(table->data, struct net, ipv4.ping_group_range.range); 157 write_seqlock(&net->ipv4.ping_group_range.lock); 158 data[0] = low; 159 data[1] = high; 160 write_sequnlock(&net->ipv4.ping_group_range.lock); 161 } 162 163 /* Validate changes from /proc interface. */ 164 static int ipv4_ping_group_range(struct ctl_table *table, int write, 165 void __user *buffer, 166 size_t *lenp, loff_t *ppos) 167 { 168 struct user_namespace *user_ns = current_user_ns(); 169 int ret; 170 gid_t urange[2]; 171 kgid_t low, high; 172 struct ctl_table tmp = { 173 .data = &urange, 174 .maxlen = sizeof(urange), 175 .mode = table->mode, 176 .extra1 = &ip_ping_group_range_min, 177 .extra2 = &ip_ping_group_range_max, 178 }; 179 180 inet_get_ping_group_range_table(table, &low, &high); 181 urange[0] = from_kgid_munged(user_ns, low); 182 urange[1] = from_kgid_munged(user_ns, high); 183 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 184 185 if (write && ret == 0) { 186 low = make_kgid(user_ns, urange[0]); 187 high = make_kgid(user_ns, urange[1]); 188 if (!gid_valid(low) || !gid_valid(high) || 189 (urange[1] < urange[0]) || gid_lt(high, low)) { 190 low = make_kgid(&init_user_ns, 1); 191 high = make_kgid(&init_user_ns, 0); 192 } 193 set_ping_group_range(table, low, high); 194 } 195 196 return ret; 197 } 198 199 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 200 void __user *buffer, size_t *lenp, loff_t *ppos) 201 { 202 char val[TCP_CA_NAME_MAX]; 203 struct ctl_table tbl = { 204 .data = val, 205 .maxlen = TCP_CA_NAME_MAX, 206 }; 207 int ret; 208 209 tcp_get_default_congestion_control(val); 210 211 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 212 if (write && ret == 0) 213 ret = tcp_set_default_congestion_control(val); 214 return ret; 215 } 216 217 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 218 int write, 219 void __user *buffer, size_t *lenp, 220 loff_t *ppos) 221 { 222 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 223 int ret; 224 225 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 226 if (!tbl.data) 227 return -ENOMEM; 228 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 229 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 230 kfree(tbl.data); 231 return ret; 232 } 233 234 static int proc_allowed_congestion_control(struct ctl_table *ctl, 235 int write, 236 void __user *buffer, size_t *lenp, 237 loff_t *ppos) 238 { 239 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 240 int ret; 241 242 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 243 if (!tbl.data) 244 return -ENOMEM; 245 246 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 247 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 248 if (write && ret == 0) 249 ret = tcp_set_allowed_congestion_control(tbl.data); 250 kfree(tbl.data); 251 return ret; 252 } 253 254 static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write, 255 void __user *buffer, size_t *lenp, 256 loff_t *ppos) 257 { 258 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 259 struct tcp_fastopen_context *ctxt; 260 int ret; 261 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 262 263 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 264 if (!tbl.data) 265 return -ENOMEM; 266 267 rcu_read_lock(); 268 ctxt = rcu_dereference(tcp_fastopen_ctx); 269 if (ctxt) 270 memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 271 else 272 memset(user_key, 0, sizeof(user_key)); 273 rcu_read_unlock(); 274 275 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 276 user_key[0], user_key[1], user_key[2], user_key[3]); 277 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 278 279 if (write && ret == 0) { 280 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 281 user_key + 2, user_key + 3) != 4) { 282 ret = -EINVAL; 283 goto bad_key; 284 } 285 /* Generate a dummy secret but don't publish it. This 286 * is needed so we don't regenerate a new key on the 287 * first invocation of tcp_fastopen_cookie_gen 288 */ 289 tcp_fastopen_init_key_once(false); 290 tcp_fastopen_reset_cipher(user_key, TCP_FASTOPEN_KEY_LENGTH); 291 } 292 293 bad_key: 294 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 295 user_key[0], user_key[1], user_key[2], user_key[3], 296 (char *)tbl.data, ret); 297 kfree(tbl.data); 298 return ret; 299 } 300 301 static void proc_configure_early_demux(int enabled, int protocol) 302 { 303 struct net_protocol *ipprot; 304 #if IS_ENABLED(CONFIG_IPV6) 305 struct inet6_protocol *ip6prot; 306 #endif 307 308 rcu_read_lock(); 309 310 ipprot = rcu_dereference(inet_protos[protocol]); 311 if (ipprot) 312 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 313 NULL; 314 315 #if IS_ENABLED(CONFIG_IPV6) 316 ip6prot = rcu_dereference(inet6_protos[protocol]); 317 if (ip6prot) 318 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 319 NULL; 320 #endif 321 rcu_read_unlock(); 322 } 323 324 static int proc_tcp_early_demux(struct ctl_table *table, int write, 325 void __user *buffer, size_t *lenp, loff_t *ppos) 326 { 327 int ret = 0; 328 329 ret = proc_dointvec(table, write, buffer, lenp, ppos); 330 331 if (write && !ret) { 332 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 333 334 proc_configure_early_demux(enabled, IPPROTO_TCP); 335 } 336 337 return ret; 338 } 339 340 static int proc_udp_early_demux(struct ctl_table *table, int write, 341 void __user *buffer, size_t *lenp, loff_t *ppos) 342 { 343 int ret = 0; 344 345 ret = proc_dointvec(table, write, buffer, lenp, ppos); 346 347 if (write && !ret) { 348 int enabled = init_net.ipv4.sysctl_udp_early_demux; 349 350 proc_configure_early_demux(enabled, IPPROTO_UDP); 351 } 352 353 return ret; 354 } 355 356 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 357 int write, 358 void __user *buffer, 359 size_t *lenp, loff_t *ppos) 360 { 361 int ret; 362 363 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 364 if (write && ret == 0) 365 tcp_fastopen_active_timeout_reset(); 366 367 return ret; 368 } 369 370 static int proc_tcp_available_ulp(struct ctl_table *ctl, 371 int write, 372 void __user *buffer, size_t *lenp, 373 loff_t *ppos) 374 { 375 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 376 int ret; 377 378 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 379 if (!tbl.data) 380 return -ENOMEM; 381 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 382 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 383 kfree(tbl.data); 384 385 return ret; 386 } 387 388 static struct ctl_table ipv4_table[] = { 389 { 390 .procname = "tcp_retrans_collapse", 391 .data = &sysctl_tcp_retrans_collapse, 392 .maxlen = sizeof(int), 393 .mode = 0644, 394 .proc_handler = proc_dointvec 395 }, 396 { 397 .procname = "tcp_max_orphans", 398 .data = &sysctl_tcp_max_orphans, 399 .maxlen = sizeof(int), 400 .mode = 0644, 401 .proc_handler = proc_dointvec 402 }, 403 { 404 .procname = "tcp_fastopen", 405 .data = &sysctl_tcp_fastopen, 406 .maxlen = sizeof(int), 407 .mode = 0644, 408 .proc_handler = proc_dointvec, 409 }, 410 { 411 .procname = "tcp_fastopen_key", 412 .mode = 0600, 413 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 414 .proc_handler = proc_tcp_fastopen_key, 415 }, 416 { 417 .procname = "tcp_fastopen_blackhole_timeout_sec", 418 .data = &sysctl_tcp_fastopen_blackhole_timeout, 419 .maxlen = sizeof(int), 420 .mode = 0644, 421 .proc_handler = proc_tfo_blackhole_detect_timeout, 422 .extra1 = &zero, 423 }, 424 { 425 .procname = "tcp_abort_on_overflow", 426 .data = &sysctl_tcp_abort_on_overflow, 427 .maxlen = sizeof(int), 428 .mode = 0644, 429 .proc_handler = proc_dointvec 430 }, 431 { 432 .procname = "tcp_stdurg", 433 .data = &sysctl_tcp_stdurg, 434 .maxlen = sizeof(int), 435 .mode = 0644, 436 .proc_handler = proc_dointvec 437 }, 438 { 439 .procname = "tcp_rfc1337", 440 .data = &sysctl_tcp_rfc1337, 441 .maxlen = sizeof(int), 442 .mode = 0644, 443 .proc_handler = proc_dointvec 444 }, 445 { 446 .procname = "inet_peer_threshold", 447 .data = &inet_peer_threshold, 448 .maxlen = sizeof(int), 449 .mode = 0644, 450 .proc_handler = proc_dointvec 451 }, 452 { 453 .procname = "inet_peer_minttl", 454 .data = &inet_peer_minttl, 455 .maxlen = sizeof(int), 456 .mode = 0644, 457 .proc_handler = proc_dointvec_jiffies, 458 }, 459 { 460 .procname = "inet_peer_maxttl", 461 .data = &inet_peer_maxttl, 462 .maxlen = sizeof(int), 463 .mode = 0644, 464 .proc_handler = proc_dointvec_jiffies, 465 }, 466 { 467 .procname = "tcp_fack", 468 .data = &sysctl_tcp_fack, 469 .maxlen = sizeof(int), 470 .mode = 0644, 471 .proc_handler = proc_dointvec 472 }, 473 { 474 .procname = "tcp_recovery", 475 .data = &sysctl_tcp_recovery, 476 .maxlen = sizeof(int), 477 .mode = 0644, 478 .proc_handler = proc_dointvec, 479 }, 480 { 481 .procname = "tcp_max_reordering", 482 .data = &sysctl_tcp_max_reordering, 483 .maxlen = sizeof(int), 484 .mode = 0644, 485 .proc_handler = proc_dointvec 486 }, 487 { 488 .procname = "tcp_dsack", 489 .data = &sysctl_tcp_dsack, 490 .maxlen = sizeof(int), 491 .mode = 0644, 492 .proc_handler = proc_dointvec 493 }, 494 { 495 .procname = "tcp_mem", 496 .maxlen = sizeof(sysctl_tcp_mem), 497 .data = &sysctl_tcp_mem, 498 .mode = 0644, 499 .proc_handler = proc_doulongvec_minmax, 500 }, 501 { 502 .procname = "tcp_wmem", 503 .data = &sysctl_tcp_wmem, 504 .maxlen = sizeof(sysctl_tcp_wmem), 505 .mode = 0644, 506 .proc_handler = proc_dointvec_minmax, 507 .extra1 = &one, 508 }, 509 { 510 .procname = "tcp_rmem", 511 .data = &sysctl_tcp_rmem, 512 .maxlen = sizeof(sysctl_tcp_rmem), 513 .mode = 0644, 514 .proc_handler = proc_dointvec_minmax, 515 .extra1 = &one, 516 }, 517 { 518 .procname = "tcp_app_win", 519 .data = &sysctl_tcp_app_win, 520 .maxlen = sizeof(int), 521 .mode = 0644, 522 .proc_handler = proc_dointvec 523 }, 524 { 525 .procname = "tcp_adv_win_scale", 526 .data = &sysctl_tcp_adv_win_scale, 527 .maxlen = sizeof(int), 528 .mode = 0644, 529 .proc_handler = proc_dointvec_minmax, 530 .extra1 = &tcp_adv_win_scale_min, 531 .extra2 = &tcp_adv_win_scale_max, 532 }, 533 { 534 .procname = "tcp_frto", 535 .data = &sysctl_tcp_frto, 536 .maxlen = sizeof(int), 537 .mode = 0644, 538 .proc_handler = proc_dointvec 539 }, 540 { 541 .procname = "tcp_min_rtt_wlen", 542 .data = &sysctl_tcp_min_rtt_wlen, 543 .maxlen = sizeof(int), 544 .mode = 0644, 545 .proc_handler = proc_dointvec 546 }, 547 { 548 .procname = "tcp_low_latency", 549 .data = &sysctl_tcp_low_latency, 550 .maxlen = sizeof(int), 551 .mode = 0644, 552 .proc_handler = proc_dointvec 553 }, 554 { 555 .procname = "tcp_no_metrics_save", 556 .data = &sysctl_tcp_nometrics_save, 557 .maxlen = sizeof(int), 558 .mode = 0644, 559 .proc_handler = proc_dointvec, 560 }, 561 { 562 .procname = "tcp_moderate_rcvbuf", 563 .data = &sysctl_tcp_moderate_rcvbuf, 564 .maxlen = sizeof(int), 565 .mode = 0644, 566 .proc_handler = proc_dointvec, 567 }, 568 { 569 .procname = "tcp_tso_win_divisor", 570 .data = &sysctl_tcp_tso_win_divisor, 571 .maxlen = sizeof(int), 572 .mode = 0644, 573 .proc_handler = proc_dointvec, 574 }, 575 { 576 .procname = "tcp_congestion_control", 577 .mode = 0644, 578 .maxlen = TCP_CA_NAME_MAX, 579 .proc_handler = proc_tcp_congestion_control, 580 }, 581 { 582 .procname = "tcp_workaround_signed_windows", 583 .data = &sysctl_tcp_workaround_signed_windows, 584 .maxlen = sizeof(int), 585 .mode = 0644, 586 .proc_handler = proc_dointvec 587 }, 588 { 589 .procname = "tcp_limit_output_bytes", 590 .data = &sysctl_tcp_limit_output_bytes, 591 .maxlen = sizeof(int), 592 .mode = 0644, 593 .proc_handler = proc_dointvec 594 }, 595 { 596 .procname = "tcp_challenge_ack_limit", 597 .data = &sysctl_tcp_challenge_ack_limit, 598 .maxlen = sizeof(int), 599 .mode = 0644, 600 .proc_handler = proc_dointvec 601 }, 602 { 603 .procname = "tcp_slow_start_after_idle", 604 .data = &sysctl_tcp_slow_start_after_idle, 605 .maxlen = sizeof(int), 606 .mode = 0644, 607 .proc_handler = proc_dointvec 608 }, 609 #ifdef CONFIG_NETLABEL 610 { 611 .procname = "cipso_cache_enable", 612 .data = &cipso_v4_cache_enabled, 613 .maxlen = sizeof(int), 614 .mode = 0644, 615 .proc_handler = proc_dointvec, 616 }, 617 { 618 .procname = "cipso_cache_bucket_size", 619 .data = &cipso_v4_cache_bucketsize, 620 .maxlen = sizeof(int), 621 .mode = 0644, 622 .proc_handler = proc_dointvec, 623 }, 624 { 625 .procname = "cipso_rbm_optfmt", 626 .data = &cipso_v4_rbm_optfmt, 627 .maxlen = sizeof(int), 628 .mode = 0644, 629 .proc_handler = proc_dointvec, 630 }, 631 { 632 .procname = "cipso_rbm_strictvalid", 633 .data = &cipso_v4_rbm_strictvalid, 634 .maxlen = sizeof(int), 635 .mode = 0644, 636 .proc_handler = proc_dointvec, 637 }, 638 #endif /* CONFIG_NETLABEL */ 639 { 640 .procname = "tcp_available_congestion_control", 641 .maxlen = TCP_CA_BUF_MAX, 642 .mode = 0444, 643 .proc_handler = proc_tcp_available_congestion_control, 644 }, 645 { 646 .procname = "tcp_allowed_congestion_control", 647 .maxlen = TCP_CA_BUF_MAX, 648 .mode = 0644, 649 .proc_handler = proc_allowed_congestion_control, 650 }, 651 { 652 .procname = "tcp_thin_linear_timeouts", 653 .data = &sysctl_tcp_thin_linear_timeouts, 654 .maxlen = sizeof(int), 655 .mode = 0644, 656 .proc_handler = proc_dointvec 657 }, 658 { 659 .procname = "tcp_early_retrans", 660 .data = &sysctl_tcp_early_retrans, 661 .maxlen = sizeof(int), 662 .mode = 0644, 663 .proc_handler = proc_dointvec_minmax, 664 .extra1 = &zero, 665 .extra2 = &four, 666 }, 667 { 668 .procname = "tcp_min_tso_segs", 669 .data = &sysctl_tcp_min_tso_segs, 670 .maxlen = sizeof(int), 671 .mode = 0644, 672 .proc_handler = proc_dointvec_minmax, 673 .extra1 = &one, 674 .extra2 = &gso_max_segs, 675 }, 676 { 677 .procname = "tcp_pacing_ss_ratio", 678 .data = &sysctl_tcp_pacing_ss_ratio, 679 .maxlen = sizeof(int), 680 .mode = 0644, 681 .proc_handler = proc_dointvec_minmax, 682 .extra1 = &zero, 683 .extra2 = &thousand, 684 }, 685 { 686 .procname = "tcp_pacing_ca_ratio", 687 .data = &sysctl_tcp_pacing_ca_ratio, 688 .maxlen = sizeof(int), 689 .mode = 0644, 690 .proc_handler = proc_dointvec_minmax, 691 .extra1 = &zero, 692 .extra2 = &thousand, 693 }, 694 { 695 .procname = "tcp_autocorking", 696 .data = &sysctl_tcp_autocorking, 697 .maxlen = sizeof(int), 698 .mode = 0644, 699 .proc_handler = proc_dointvec_minmax, 700 .extra1 = &zero, 701 .extra2 = &one, 702 }, 703 { 704 .procname = "tcp_invalid_ratelimit", 705 .data = &sysctl_tcp_invalid_ratelimit, 706 .maxlen = sizeof(int), 707 .mode = 0644, 708 .proc_handler = proc_dointvec_ms_jiffies, 709 }, 710 { 711 .procname = "tcp_available_ulp", 712 .maxlen = TCP_ULP_BUF_MAX, 713 .mode = 0444, 714 .proc_handler = proc_tcp_available_ulp, 715 }, 716 { 717 .procname = "icmp_msgs_per_sec", 718 .data = &sysctl_icmp_msgs_per_sec, 719 .maxlen = sizeof(int), 720 .mode = 0644, 721 .proc_handler = proc_dointvec_minmax, 722 .extra1 = &zero, 723 }, 724 { 725 .procname = "icmp_msgs_burst", 726 .data = &sysctl_icmp_msgs_burst, 727 .maxlen = sizeof(int), 728 .mode = 0644, 729 .proc_handler = proc_dointvec_minmax, 730 .extra1 = &zero, 731 }, 732 { 733 .procname = "udp_mem", 734 .data = &sysctl_udp_mem, 735 .maxlen = sizeof(sysctl_udp_mem), 736 .mode = 0644, 737 .proc_handler = proc_doulongvec_minmax, 738 }, 739 { 740 .procname = "udp_rmem_min", 741 .data = &sysctl_udp_rmem_min, 742 .maxlen = sizeof(sysctl_udp_rmem_min), 743 .mode = 0644, 744 .proc_handler = proc_dointvec_minmax, 745 .extra1 = &one 746 }, 747 { 748 .procname = "udp_wmem_min", 749 .data = &sysctl_udp_wmem_min, 750 .maxlen = sizeof(sysctl_udp_wmem_min), 751 .mode = 0644, 752 .proc_handler = proc_dointvec_minmax, 753 .extra1 = &one 754 }, 755 { } 756 }; 757 758 static struct ctl_table ipv4_net_table[] = { 759 { 760 .procname = "icmp_echo_ignore_all", 761 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 762 .maxlen = sizeof(int), 763 .mode = 0644, 764 .proc_handler = proc_dointvec 765 }, 766 { 767 .procname = "icmp_echo_ignore_broadcasts", 768 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 769 .maxlen = sizeof(int), 770 .mode = 0644, 771 .proc_handler = proc_dointvec 772 }, 773 { 774 .procname = "icmp_ignore_bogus_error_responses", 775 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 776 .maxlen = sizeof(int), 777 .mode = 0644, 778 .proc_handler = proc_dointvec 779 }, 780 { 781 .procname = "icmp_errors_use_inbound_ifaddr", 782 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 783 .maxlen = sizeof(int), 784 .mode = 0644, 785 .proc_handler = proc_dointvec 786 }, 787 { 788 .procname = "icmp_ratelimit", 789 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 790 .maxlen = sizeof(int), 791 .mode = 0644, 792 .proc_handler = proc_dointvec_ms_jiffies, 793 }, 794 { 795 .procname = "icmp_ratemask", 796 .data = &init_net.ipv4.sysctl_icmp_ratemask, 797 .maxlen = sizeof(int), 798 .mode = 0644, 799 .proc_handler = proc_dointvec 800 }, 801 { 802 .procname = "ping_group_range", 803 .data = &init_net.ipv4.ping_group_range.range, 804 .maxlen = sizeof(gid_t)*2, 805 .mode = 0644, 806 .proc_handler = ipv4_ping_group_range, 807 }, 808 { 809 .procname = "tcp_ecn", 810 .data = &init_net.ipv4.sysctl_tcp_ecn, 811 .maxlen = sizeof(int), 812 .mode = 0644, 813 .proc_handler = proc_dointvec 814 }, 815 { 816 .procname = "tcp_ecn_fallback", 817 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 818 .maxlen = sizeof(int), 819 .mode = 0644, 820 .proc_handler = proc_dointvec 821 }, 822 { 823 .procname = "ip_dynaddr", 824 .data = &init_net.ipv4.sysctl_ip_dynaddr, 825 .maxlen = sizeof(int), 826 .mode = 0644, 827 .proc_handler = proc_dointvec 828 }, 829 { 830 .procname = "ip_early_demux", 831 .data = &init_net.ipv4.sysctl_ip_early_demux, 832 .maxlen = sizeof(int), 833 .mode = 0644, 834 .proc_handler = proc_dointvec 835 }, 836 { 837 .procname = "udp_early_demux", 838 .data = &init_net.ipv4.sysctl_udp_early_demux, 839 .maxlen = sizeof(int), 840 .mode = 0644, 841 .proc_handler = proc_udp_early_demux 842 }, 843 { 844 .procname = "tcp_early_demux", 845 .data = &init_net.ipv4.sysctl_tcp_early_demux, 846 .maxlen = sizeof(int), 847 .mode = 0644, 848 .proc_handler = proc_tcp_early_demux 849 }, 850 { 851 .procname = "ip_default_ttl", 852 .data = &init_net.ipv4.sysctl_ip_default_ttl, 853 .maxlen = sizeof(int), 854 .mode = 0644, 855 .proc_handler = proc_dointvec_minmax, 856 .extra1 = &ip_ttl_min, 857 .extra2 = &ip_ttl_max, 858 }, 859 { 860 .procname = "ip_local_port_range", 861 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 862 .data = &init_net.ipv4.ip_local_ports.range, 863 .mode = 0644, 864 .proc_handler = ipv4_local_port_range, 865 }, 866 { 867 .procname = "ip_local_reserved_ports", 868 .data = &init_net.ipv4.sysctl_local_reserved_ports, 869 .maxlen = 65536, 870 .mode = 0644, 871 .proc_handler = proc_do_large_bitmap, 872 }, 873 { 874 .procname = "ip_no_pmtu_disc", 875 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 876 .maxlen = sizeof(int), 877 .mode = 0644, 878 .proc_handler = proc_dointvec 879 }, 880 { 881 .procname = "ip_forward_use_pmtu", 882 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 883 .maxlen = sizeof(int), 884 .mode = 0644, 885 .proc_handler = proc_dointvec, 886 }, 887 { 888 .procname = "ip_nonlocal_bind", 889 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 890 .maxlen = sizeof(int), 891 .mode = 0644, 892 .proc_handler = proc_dointvec 893 }, 894 { 895 .procname = "fwmark_reflect", 896 .data = &init_net.ipv4.sysctl_fwmark_reflect, 897 .maxlen = sizeof(int), 898 .mode = 0644, 899 .proc_handler = proc_dointvec, 900 }, 901 { 902 .procname = "tcp_fwmark_accept", 903 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 904 .maxlen = sizeof(int), 905 .mode = 0644, 906 .proc_handler = proc_dointvec, 907 }, 908 #ifdef CONFIG_NET_L3_MASTER_DEV 909 { 910 .procname = "tcp_l3mdev_accept", 911 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 912 .maxlen = sizeof(int), 913 .mode = 0644, 914 .proc_handler = proc_dointvec_minmax, 915 .extra1 = &zero, 916 .extra2 = &one, 917 }, 918 #endif 919 { 920 .procname = "tcp_mtu_probing", 921 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 922 .maxlen = sizeof(int), 923 .mode = 0644, 924 .proc_handler = proc_dointvec, 925 }, 926 { 927 .procname = "tcp_base_mss", 928 .data = &init_net.ipv4.sysctl_tcp_base_mss, 929 .maxlen = sizeof(int), 930 .mode = 0644, 931 .proc_handler = proc_dointvec, 932 }, 933 { 934 .procname = "tcp_probe_threshold", 935 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 936 .maxlen = sizeof(int), 937 .mode = 0644, 938 .proc_handler = proc_dointvec, 939 }, 940 { 941 .procname = "tcp_probe_interval", 942 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 943 .maxlen = sizeof(int), 944 .mode = 0644, 945 .proc_handler = proc_dointvec, 946 }, 947 { 948 .procname = "igmp_link_local_mcast_reports", 949 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 950 .maxlen = sizeof(int), 951 .mode = 0644, 952 .proc_handler = proc_dointvec 953 }, 954 { 955 .procname = "igmp_max_memberships", 956 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 957 .maxlen = sizeof(int), 958 .mode = 0644, 959 .proc_handler = proc_dointvec 960 }, 961 { 962 .procname = "igmp_max_msf", 963 .data = &init_net.ipv4.sysctl_igmp_max_msf, 964 .maxlen = sizeof(int), 965 .mode = 0644, 966 .proc_handler = proc_dointvec 967 }, 968 #ifdef CONFIG_IP_MULTICAST 969 { 970 .procname = "igmp_qrv", 971 .data = &init_net.ipv4.sysctl_igmp_qrv, 972 .maxlen = sizeof(int), 973 .mode = 0644, 974 .proc_handler = proc_dointvec_minmax, 975 .extra1 = &one 976 }, 977 #endif 978 { 979 .procname = "tcp_keepalive_time", 980 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 981 .maxlen = sizeof(int), 982 .mode = 0644, 983 .proc_handler = proc_dointvec_jiffies, 984 }, 985 { 986 .procname = "tcp_keepalive_probes", 987 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 988 .maxlen = sizeof(int), 989 .mode = 0644, 990 .proc_handler = proc_dointvec 991 }, 992 { 993 .procname = "tcp_keepalive_intvl", 994 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 995 .maxlen = sizeof(int), 996 .mode = 0644, 997 .proc_handler = proc_dointvec_jiffies, 998 }, 999 { 1000 .procname = "tcp_syn_retries", 1001 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 1002 .maxlen = sizeof(int), 1003 .mode = 0644, 1004 .proc_handler = proc_dointvec_minmax, 1005 .extra1 = &tcp_syn_retries_min, 1006 .extra2 = &tcp_syn_retries_max 1007 }, 1008 { 1009 .procname = "tcp_synack_retries", 1010 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 1011 .maxlen = sizeof(int), 1012 .mode = 0644, 1013 .proc_handler = proc_dointvec 1014 }, 1015 #ifdef CONFIG_SYN_COOKIES 1016 { 1017 .procname = "tcp_syncookies", 1018 .data = &init_net.ipv4.sysctl_tcp_syncookies, 1019 .maxlen = sizeof(int), 1020 .mode = 0644, 1021 .proc_handler = proc_dointvec 1022 }, 1023 #endif 1024 { 1025 .procname = "tcp_reordering", 1026 .data = &init_net.ipv4.sysctl_tcp_reordering, 1027 .maxlen = sizeof(int), 1028 .mode = 0644, 1029 .proc_handler = proc_dointvec 1030 }, 1031 { 1032 .procname = "tcp_retries1", 1033 .data = &init_net.ipv4.sysctl_tcp_retries1, 1034 .maxlen = sizeof(int), 1035 .mode = 0644, 1036 .proc_handler = proc_dointvec_minmax, 1037 .extra2 = &tcp_retr1_max 1038 }, 1039 { 1040 .procname = "tcp_retries2", 1041 .data = &init_net.ipv4.sysctl_tcp_retries2, 1042 .maxlen = sizeof(int), 1043 .mode = 0644, 1044 .proc_handler = proc_dointvec 1045 }, 1046 { 1047 .procname = "tcp_orphan_retries", 1048 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 1049 .maxlen = sizeof(int), 1050 .mode = 0644, 1051 .proc_handler = proc_dointvec 1052 }, 1053 { 1054 .procname = "tcp_fin_timeout", 1055 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 1056 .maxlen = sizeof(int), 1057 .mode = 0644, 1058 .proc_handler = proc_dointvec_jiffies, 1059 }, 1060 { 1061 .procname = "tcp_notsent_lowat", 1062 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 1063 .maxlen = sizeof(unsigned int), 1064 .mode = 0644, 1065 .proc_handler = proc_douintvec, 1066 }, 1067 { 1068 .procname = "tcp_tw_reuse", 1069 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 1070 .maxlen = sizeof(int), 1071 .mode = 0644, 1072 .proc_handler = proc_dointvec 1073 }, 1074 { 1075 .procname = "tcp_max_tw_buckets", 1076 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 1077 .maxlen = sizeof(int), 1078 .mode = 0644, 1079 .proc_handler = proc_dointvec 1080 }, 1081 { 1082 .procname = "tcp_max_syn_backlog", 1083 .data = &init_net.ipv4.sysctl_max_syn_backlog, 1084 .maxlen = sizeof(int), 1085 .mode = 0644, 1086 .proc_handler = proc_dointvec 1087 }, 1088 #ifdef CONFIG_IP_ROUTE_MULTIPATH 1089 { 1090 .procname = "fib_multipath_use_neigh", 1091 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 1092 .maxlen = sizeof(int), 1093 .mode = 0644, 1094 .proc_handler = proc_dointvec_minmax, 1095 .extra1 = &zero, 1096 .extra2 = &one, 1097 }, 1098 { 1099 .procname = "fib_multipath_hash_policy", 1100 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 1101 .maxlen = sizeof(int), 1102 .mode = 0644, 1103 .proc_handler = proc_dointvec_minmax, 1104 .extra1 = &zero, 1105 .extra2 = &one, 1106 }, 1107 #endif 1108 { 1109 .procname = "ip_unprivileged_port_start", 1110 .maxlen = sizeof(int), 1111 .data = &init_net.ipv4.sysctl_ip_prot_sock, 1112 .mode = 0644, 1113 .proc_handler = ipv4_privileged_ports, 1114 }, 1115 #ifdef CONFIG_NET_L3_MASTER_DEV 1116 { 1117 .procname = "udp_l3mdev_accept", 1118 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 1119 .maxlen = sizeof(int), 1120 .mode = 0644, 1121 .proc_handler = proc_dointvec_minmax, 1122 .extra1 = &zero, 1123 .extra2 = &one, 1124 }, 1125 #endif 1126 { 1127 .procname = "tcp_sack", 1128 .data = &init_net.ipv4.sysctl_tcp_sack, 1129 .maxlen = sizeof(int), 1130 .mode = 0644, 1131 .proc_handler = proc_dointvec 1132 }, 1133 { 1134 .procname = "tcp_window_scaling", 1135 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 1136 .maxlen = sizeof(int), 1137 .mode = 0644, 1138 .proc_handler = proc_dointvec 1139 }, 1140 { 1141 .procname = "tcp_timestamps", 1142 .data = &init_net.ipv4.sysctl_tcp_timestamps, 1143 .maxlen = sizeof(int), 1144 .mode = 0644, 1145 .proc_handler = proc_dointvec 1146 }, 1147 { } 1148 }; 1149 1150 static __net_init int ipv4_sysctl_init_net(struct net *net) 1151 { 1152 struct ctl_table *table; 1153 1154 table = ipv4_net_table; 1155 if (!net_eq(net, &init_net)) { 1156 int i; 1157 1158 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1159 if (!table) 1160 goto err_alloc; 1161 1162 /* Update the variables to point into the current struct net */ 1163 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1164 table[i].data += (void *)net - (void *)&init_net; 1165 } 1166 1167 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1168 if (!net->ipv4.ipv4_hdr) 1169 goto err_reg; 1170 1171 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1172 if (!net->ipv4.sysctl_local_reserved_ports) 1173 goto err_ports; 1174 1175 return 0; 1176 1177 err_ports: 1178 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1179 err_reg: 1180 if (!net_eq(net, &init_net)) 1181 kfree(table); 1182 err_alloc: 1183 return -ENOMEM; 1184 } 1185 1186 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1187 { 1188 struct ctl_table *table; 1189 1190 kfree(net->ipv4.sysctl_local_reserved_ports); 1191 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1192 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1193 kfree(table); 1194 } 1195 1196 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1197 .init = ipv4_sysctl_init_net, 1198 .exit = ipv4_sysctl_exit_net, 1199 }; 1200 1201 static __init int sysctl_ipv4_init(void) 1202 { 1203 struct ctl_table_header *hdr; 1204 1205 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1206 if (!hdr) 1207 return -ENOMEM; 1208 1209 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1210 unregister_net_sysctl_table(hdr); 1211 return -ENOMEM; 1212 } 1213 1214 return 0; 1215 } 1216 1217 __initcall(sysctl_ipv4_init); 1218