1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 4 * 5 * Begun April 1, 1996, Mike Shaver. 6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 7 */ 8 9 #include <linux/mm.h> 10 #include <linux/module.h> 11 #include <linux/sysctl.h> 12 #include <linux/igmp.h> 13 #include <linux/inetdevice.h> 14 #include <linux/seqlock.h> 15 #include <linux/init.h> 16 #include <linux/slab.h> 17 #include <linux/nsproxy.h> 18 #include <linux/swap.h> 19 #include <net/snmp.h> 20 #include <net/icmp.h> 21 #include <net/ip.h> 22 #include <net/route.h> 23 #include <net/tcp.h> 24 #include <net/udp.h> 25 #include <net/cipso_ipv4.h> 26 #include <net/inet_frag.h> 27 #include <net/ping.h> 28 #include <net/protocol.h> 29 #include <net/netevent.h> 30 31 static int zero; 32 static int one = 1; 33 static int four = 4; 34 static int thousand = 1000; 35 static int gso_max_segs = GSO_MAX_SEGS; 36 static int tcp_retr1_max = 255; 37 static int ip_local_port_range_min[] = { 1, 1 }; 38 static int ip_local_port_range_max[] = { 65535, 65535 }; 39 static int tcp_adv_win_scale_min = -31; 40 static int tcp_adv_win_scale_max = 31; 41 static int ip_privileged_port_min; 42 static int ip_privileged_port_max = 65535; 43 static int ip_ttl_min = 1; 44 static int ip_ttl_max = 255; 45 static int tcp_syn_retries_min = 1; 46 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 47 static int ip_ping_group_range_min[] = { 0, 0 }; 48 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 49 50 /* obsolete */ 51 static int sysctl_tcp_low_latency __read_mostly; 52 53 /* Update system visible IP port range */ 54 static void set_local_port_range(struct net *net, int range[2]) 55 { 56 bool same_parity = !((range[0] ^ range[1]) & 1); 57 58 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 59 if (same_parity && !net->ipv4.ip_local_ports.warned) { 60 net->ipv4.ip_local_ports.warned = true; 61 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 62 } 63 net->ipv4.ip_local_ports.range[0] = range[0]; 64 net->ipv4.ip_local_ports.range[1] = range[1]; 65 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 66 } 67 68 /* Validate changes from /proc interface. */ 69 static int ipv4_local_port_range(struct ctl_table *table, int write, 70 void __user *buffer, 71 size_t *lenp, loff_t *ppos) 72 { 73 struct net *net = 74 container_of(table->data, struct net, ipv4.ip_local_ports.range); 75 int ret; 76 int range[2]; 77 struct ctl_table tmp = { 78 .data = &range, 79 .maxlen = sizeof(range), 80 .mode = table->mode, 81 .extra1 = &ip_local_port_range_min, 82 .extra2 = &ip_local_port_range_max, 83 }; 84 85 inet_get_local_port_range(net, &range[0], &range[1]); 86 87 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 88 89 if (write && ret == 0) { 90 /* Ensure that the upper limit is not smaller than the lower, 91 * and that the lower does not encroach upon the privileged 92 * port limit. 93 */ 94 if ((range[1] < range[0]) || 95 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 96 ret = -EINVAL; 97 else 98 set_local_port_range(net, range); 99 } 100 101 return ret; 102 } 103 104 /* Validate changes from /proc interface. */ 105 static int ipv4_privileged_ports(struct ctl_table *table, int write, 106 void __user *buffer, size_t *lenp, loff_t *ppos) 107 { 108 struct net *net = container_of(table->data, struct net, 109 ipv4.sysctl_ip_prot_sock); 110 int ret; 111 int pports; 112 int range[2]; 113 struct ctl_table tmp = { 114 .data = &pports, 115 .maxlen = sizeof(pports), 116 .mode = table->mode, 117 .extra1 = &ip_privileged_port_min, 118 .extra2 = &ip_privileged_port_max, 119 }; 120 121 pports = net->ipv4.sysctl_ip_prot_sock; 122 123 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 124 125 if (write && ret == 0) { 126 inet_get_local_port_range(net, &range[0], &range[1]); 127 /* Ensure that the local port range doesn't overlap with the 128 * privileged port range. 129 */ 130 if (range[0] < pports) 131 ret = -EINVAL; 132 else 133 net->ipv4.sysctl_ip_prot_sock = pports; 134 } 135 136 return ret; 137 } 138 139 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 140 { 141 kgid_t *data = table->data; 142 struct net *net = 143 container_of(table->data, struct net, ipv4.ping_group_range.range); 144 unsigned int seq; 145 do { 146 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 147 148 *low = data[0]; 149 *high = data[1]; 150 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 151 } 152 153 /* Update system visible IP port range */ 154 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 155 { 156 kgid_t *data = table->data; 157 struct net *net = 158 container_of(table->data, struct net, ipv4.ping_group_range.range); 159 write_seqlock(&net->ipv4.ping_group_range.lock); 160 data[0] = low; 161 data[1] = high; 162 write_sequnlock(&net->ipv4.ping_group_range.lock); 163 } 164 165 /* Validate changes from /proc interface. */ 166 static int ipv4_ping_group_range(struct ctl_table *table, int write, 167 void __user *buffer, 168 size_t *lenp, loff_t *ppos) 169 { 170 struct user_namespace *user_ns = current_user_ns(); 171 int ret; 172 gid_t urange[2]; 173 kgid_t low, high; 174 struct ctl_table tmp = { 175 .data = &urange, 176 .maxlen = sizeof(urange), 177 .mode = table->mode, 178 .extra1 = &ip_ping_group_range_min, 179 .extra2 = &ip_ping_group_range_max, 180 }; 181 182 inet_get_ping_group_range_table(table, &low, &high); 183 urange[0] = from_kgid_munged(user_ns, low); 184 urange[1] = from_kgid_munged(user_ns, high); 185 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 186 187 if (write && ret == 0) { 188 low = make_kgid(user_ns, urange[0]); 189 high = make_kgid(user_ns, urange[1]); 190 if (!gid_valid(low) || !gid_valid(high) || 191 (urange[1] < urange[0]) || gid_lt(high, low)) { 192 low = make_kgid(&init_user_ns, 1); 193 high = make_kgid(&init_user_ns, 0); 194 } 195 set_ping_group_range(table, low, high); 196 } 197 198 return ret; 199 } 200 201 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 202 void __user *buffer, size_t *lenp, loff_t *ppos) 203 { 204 struct net *net = container_of(ctl->data, struct net, 205 ipv4.tcp_congestion_control); 206 char val[TCP_CA_NAME_MAX]; 207 struct ctl_table tbl = { 208 .data = val, 209 .maxlen = TCP_CA_NAME_MAX, 210 }; 211 int ret; 212 213 tcp_get_default_congestion_control(net, val); 214 215 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 216 if (write && ret == 0) 217 ret = tcp_set_default_congestion_control(net, val); 218 return ret; 219 } 220 221 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 222 int write, 223 void __user *buffer, size_t *lenp, 224 loff_t *ppos) 225 { 226 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 227 int ret; 228 229 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 230 if (!tbl.data) 231 return -ENOMEM; 232 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 233 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 234 kfree(tbl.data); 235 return ret; 236 } 237 238 static int proc_allowed_congestion_control(struct ctl_table *ctl, 239 int write, 240 void __user *buffer, size_t *lenp, 241 loff_t *ppos) 242 { 243 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 244 int ret; 245 246 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 247 if (!tbl.data) 248 return -ENOMEM; 249 250 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 251 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 252 if (write && ret == 0) 253 ret = tcp_set_allowed_congestion_control(tbl.data); 254 kfree(tbl.data); 255 return ret; 256 } 257 258 static int proc_tcp_fastopen_key(struct ctl_table *table, int write, 259 void __user *buffer, size_t *lenp, 260 loff_t *ppos) 261 { 262 struct net *net = container_of(table->data, struct net, 263 ipv4.sysctl_tcp_fastopen); 264 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 265 struct tcp_fastopen_context *ctxt; 266 int ret; 267 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 268 269 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 270 if (!tbl.data) 271 return -ENOMEM; 272 273 rcu_read_lock(); 274 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx); 275 if (ctxt) 276 memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 277 else 278 memset(user_key, 0, sizeof(user_key)); 279 rcu_read_unlock(); 280 281 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 282 user_key[0], user_key[1], user_key[2], user_key[3]); 283 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 284 285 if (write && ret == 0) { 286 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 287 user_key + 2, user_key + 3) != 4) { 288 ret = -EINVAL; 289 goto bad_key; 290 } 291 tcp_fastopen_reset_cipher(net, NULL, user_key, 292 TCP_FASTOPEN_KEY_LENGTH); 293 } 294 295 bad_key: 296 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 297 user_key[0], user_key[1], user_key[2], user_key[3], 298 (char *)tbl.data, ret); 299 kfree(tbl.data); 300 return ret; 301 } 302 303 static void proc_configure_early_demux(int enabled, int protocol) 304 { 305 struct net_protocol *ipprot; 306 #if IS_ENABLED(CONFIG_IPV6) 307 struct inet6_protocol *ip6prot; 308 #endif 309 310 rcu_read_lock(); 311 312 ipprot = rcu_dereference(inet_protos[protocol]); 313 if (ipprot) 314 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 315 NULL; 316 317 #if IS_ENABLED(CONFIG_IPV6) 318 ip6prot = rcu_dereference(inet6_protos[protocol]); 319 if (ip6prot) 320 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 321 NULL; 322 #endif 323 rcu_read_unlock(); 324 } 325 326 static int proc_tcp_early_demux(struct ctl_table *table, int write, 327 void __user *buffer, size_t *lenp, loff_t *ppos) 328 { 329 int ret = 0; 330 331 ret = proc_dointvec(table, write, buffer, lenp, ppos); 332 333 if (write && !ret) { 334 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 335 336 proc_configure_early_demux(enabled, IPPROTO_TCP); 337 } 338 339 return ret; 340 } 341 342 static int proc_udp_early_demux(struct ctl_table *table, int write, 343 void __user *buffer, size_t *lenp, loff_t *ppos) 344 { 345 int ret = 0; 346 347 ret = proc_dointvec(table, write, buffer, lenp, ppos); 348 349 if (write && !ret) { 350 int enabled = init_net.ipv4.sysctl_udp_early_demux; 351 352 proc_configure_early_demux(enabled, IPPROTO_UDP); 353 } 354 355 return ret; 356 } 357 358 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 359 int write, 360 void __user *buffer, 361 size_t *lenp, loff_t *ppos) 362 { 363 struct net *net = container_of(table->data, struct net, 364 ipv4.sysctl_tcp_fastopen_blackhole_timeout); 365 int ret; 366 367 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 368 if (write && ret == 0) 369 atomic_set(&net->ipv4.tfo_active_disable_times, 0); 370 371 return ret; 372 } 373 374 static int proc_tcp_available_ulp(struct ctl_table *ctl, 375 int write, 376 void __user *buffer, size_t *lenp, 377 loff_t *ppos) 378 { 379 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 380 int ret; 381 382 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 383 if (!tbl.data) 384 return -ENOMEM; 385 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 386 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 387 kfree(tbl.data); 388 389 return ret; 390 } 391 392 #ifdef CONFIG_IP_ROUTE_MULTIPATH 393 static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write, 394 void __user *buffer, size_t *lenp, 395 loff_t *ppos) 396 { 397 struct net *net = container_of(table->data, struct net, 398 ipv4.sysctl_fib_multipath_hash_policy); 399 int ret; 400 401 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 402 if (write && ret == 0) 403 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net); 404 405 return ret; 406 } 407 #endif 408 409 static struct ctl_table ipv4_table[] = { 410 { 411 .procname = "tcp_max_orphans", 412 .data = &sysctl_tcp_max_orphans, 413 .maxlen = sizeof(int), 414 .mode = 0644, 415 .proc_handler = proc_dointvec 416 }, 417 { 418 .procname = "inet_peer_threshold", 419 .data = &inet_peer_threshold, 420 .maxlen = sizeof(int), 421 .mode = 0644, 422 .proc_handler = proc_dointvec 423 }, 424 { 425 .procname = "inet_peer_minttl", 426 .data = &inet_peer_minttl, 427 .maxlen = sizeof(int), 428 .mode = 0644, 429 .proc_handler = proc_dointvec_jiffies, 430 }, 431 { 432 .procname = "inet_peer_maxttl", 433 .data = &inet_peer_maxttl, 434 .maxlen = sizeof(int), 435 .mode = 0644, 436 .proc_handler = proc_dointvec_jiffies, 437 }, 438 { 439 .procname = "tcp_mem", 440 .maxlen = sizeof(sysctl_tcp_mem), 441 .data = &sysctl_tcp_mem, 442 .mode = 0644, 443 .proc_handler = proc_doulongvec_minmax, 444 }, 445 { 446 .procname = "tcp_low_latency", 447 .data = &sysctl_tcp_low_latency, 448 .maxlen = sizeof(int), 449 .mode = 0644, 450 .proc_handler = proc_dointvec 451 }, 452 #ifdef CONFIG_NETLABEL 453 { 454 .procname = "cipso_cache_enable", 455 .data = &cipso_v4_cache_enabled, 456 .maxlen = sizeof(int), 457 .mode = 0644, 458 .proc_handler = proc_dointvec, 459 }, 460 { 461 .procname = "cipso_cache_bucket_size", 462 .data = &cipso_v4_cache_bucketsize, 463 .maxlen = sizeof(int), 464 .mode = 0644, 465 .proc_handler = proc_dointvec, 466 }, 467 { 468 .procname = "cipso_rbm_optfmt", 469 .data = &cipso_v4_rbm_optfmt, 470 .maxlen = sizeof(int), 471 .mode = 0644, 472 .proc_handler = proc_dointvec, 473 }, 474 { 475 .procname = "cipso_rbm_strictvalid", 476 .data = &cipso_v4_rbm_strictvalid, 477 .maxlen = sizeof(int), 478 .mode = 0644, 479 .proc_handler = proc_dointvec, 480 }, 481 #endif /* CONFIG_NETLABEL */ 482 { 483 .procname = "tcp_available_congestion_control", 484 .maxlen = TCP_CA_BUF_MAX, 485 .mode = 0444, 486 .proc_handler = proc_tcp_available_congestion_control, 487 }, 488 { 489 .procname = "tcp_allowed_congestion_control", 490 .maxlen = TCP_CA_BUF_MAX, 491 .mode = 0644, 492 .proc_handler = proc_allowed_congestion_control, 493 }, 494 { 495 .procname = "tcp_available_ulp", 496 .maxlen = TCP_ULP_BUF_MAX, 497 .mode = 0444, 498 .proc_handler = proc_tcp_available_ulp, 499 }, 500 { 501 .procname = "icmp_msgs_per_sec", 502 .data = &sysctl_icmp_msgs_per_sec, 503 .maxlen = sizeof(int), 504 .mode = 0644, 505 .proc_handler = proc_dointvec_minmax, 506 .extra1 = &zero, 507 }, 508 { 509 .procname = "icmp_msgs_burst", 510 .data = &sysctl_icmp_msgs_burst, 511 .maxlen = sizeof(int), 512 .mode = 0644, 513 .proc_handler = proc_dointvec_minmax, 514 .extra1 = &zero, 515 }, 516 { 517 .procname = "udp_mem", 518 .data = &sysctl_udp_mem, 519 .maxlen = sizeof(sysctl_udp_mem), 520 .mode = 0644, 521 .proc_handler = proc_doulongvec_minmax, 522 }, 523 { } 524 }; 525 526 static struct ctl_table ipv4_net_table[] = { 527 { 528 .procname = "icmp_echo_ignore_all", 529 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 530 .maxlen = sizeof(int), 531 .mode = 0644, 532 .proc_handler = proc_dointvec 533 }, 534 { 535 .procname = "icmp_echo_ignore_broadcasts", 536 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 537 .maxlen = sizeof(int), 538 .mode = 0644, 539 .proc_handler = proc_dointvec 540 }, 541 { 542 .procname = "icmp_ignore_bogus_error_responses", 543 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 544 .maxlen = sizeof(int), 545 .mode = 0644, 546 .proc_handler = proc_dointvec 547 }, 548 { 549 .procname = "icmp_errors_use_inbound_ifaddr", 550 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 551 .maxlen = sizeof(int), 552 .mode = 0644, 553 .proc_handler = proc_dointvec 554 }, 555 { 556 .procname = "icmp_ratelimit", 557 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 558 .maxlen = sizeof(int), 559 .mode = 0644, 560 .proc_handler = proc_dointvec_ms_jiffies, 561 }, 562 { 563 .procname = "icmp_ratemask", 564 .data = &init_net.ipv4.sysctl_icmp_ratemask, 565 .maxlen = sizeof(int), 566 .mode = 0644, 567 .proc_handler = proc_dointvec 568 }, 569 { 570 .procname = "ping_group_range", 571 .data = &init_net.ipv4.ping_group_range.range, 572 .maxlen = sizeof(gid_t)*2, 573 .mode = 0644, 574 .proc_handler = ipv4_ping_group_range, 575 }, 576 { 577 .procname = "tcp_ecn", 578 .data = &init_net.ipv4.sysctl_tcp_ecn, 579 .maxlen = sizeof(int), 580 .mode = 0644, 581 .proc_handler = proc_dointvec 582 }, 583 { 584 .procname = "tcp_ecn_fallback", 585 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 586 .maxlen = sizeof(int), 587 .mode = 0644, 588 .proc_handler = proc_dointvec 589 }, 590 { 591 .procname = "ip_dynaddr", 592 .data = &init_net.ipv4.sysctl_ip_dynaddr, 593 .maxlen = sizeof(int), 594 .mode = 0644, 595 .proc_handler = proc_dointvec 596 }, 597 { 598 .procname = "ip_early_demux", 599 .data = &init_net.ipv4.sysctl_ip_early_demux, 600 .maxlen = sizeof(int), 601 .mode = 0644, 602 .proc_handler = proc_dointvec 603 }, 604 { 605 .procname = "udp_early_demux", 606 .data = &init_net.ipv4.sysctl_udp_early_demux, 607 .maxlen = sizeof(int), 608 .mode = 0644, 609 .proc_handler = proc_udp_early_demux 610 }, 611 { 612 .procname = "tcp_early_demux", 613 .data = &init_net.ipv4.sysctl_tcp_early_demux, 614 .maxlen = sizeof(int), 615 .mode = 0644, 616 .proc_handler = proc_tcp_early_demux 617 }, 618 { 619 .procname = "ip_default_ttl", 620 .data = &init_net.ipv4.sysctl_ip_default_ttl, 621 .maxlen = sizeof(int), 622 .mode = 0644, 623 .proc_handler = proc_dointvec_minmax, 624 .extra1 = &ip_ttl_min, 625 .extra2 = &ip_ttl_max, 626 }, 627 { 628 .procname = "ip_local_port_range", 629 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 630 .data = &init_net.ipv4.ip_local_ports.range, 631 .mode = 0644, 632 .proc_handler = ipv4_local_port_range, 633 }, 634 { 635 .procname = "ip_local_reserved_ports", 636 .data = &init_net.ipv4.sysctl_local_reserved_ports, 637 .maxlen = 65536, 638 .mode = 0644, 639 .proc_handler = proc_do_large_bitmap, 640 }, 641 { 642 .procname = "ip_no_pmtu_disc", 643 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 644 .maxlen = sizeof(int), 645 .mode = 0644, 646 .proc_handler = proc_dointvec 647 }, 648 { 649 .procname = "ip_forward_use_pmtu", 650 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 651 .maxlen = sizeof(int), 652 .mode = 0644, 653 .proc_handler = proc_dointvec, 654 }, 655 { 656 .procname = "ip_nonlocal_bind", 657 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 658 .maxlen = sizeof(int), 659 .mode = 0644, 660 .proc_handler = proc_dointvec 661 }, 662 { 663 .procname = "fwmark_reflect", 664 .data = &init_net.ipv4.sysctl_fwmark_reflect, 665 .maxlen = sizeof(int), 666 .mode = 0644, 667 .proc_handler = proc_dointvec, 668 }, 669 { 670 .procname = "tcp_fwmark_accept", 671 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 672 .maxlen = sizeof(int), 673 .mode = 0644, 674 .proc_handler = proc_dointvec, 675 }, 676 #ifdef CONFIG_NET_L3_MASTER_DEV 677 { 678 .procname = "tcp_l3mdev_accept", 679 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 680 .maxlen = sizeof(int), 681 .mode = 0644, 682 .proc_handler = proc_dointvec_minmax, 683 .extra1 = &zero, 684 .extra2 = &one, 685 }, 686 #endif 687 { 688 .procname = "tcp_mtu_probing", 689 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 690 .maxlen = sizeof(int), 691 .mode = 0644, 692 .proc_handler = proc_dointvec, 693 }, 694 { 695 .procname = "tcp_base_mss", 696 .data = &init_net.ipv4.sysctl_tcp_base_mss, 697 .maxlen = sizeof(int), 698 .mode = 0644, 699 .proc_handler = proc_dointvec, 700 }, 701 { 702 .procname = "tcp_probe_threshold", 703 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 704 .maxlen = sizeof(int), 705 .mode = 0644, 706 .proc_handler = proc_dointvec, 707 }, 708 { 709 .procname = "tcp_probe_interval", 710 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 711 .maxlen = sizeof(int), 712 .mode = 0644, 713 .proc_handler = proc_dointvec, 714 }, 715 { 716 .procname = "igmp_link_local_mcast_reports", 717 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 718 .maxlen = sizeof(int), 719 .mode = 0644, 720 .proc_handler = proc_dointvec 721 }, 722 { 723 .procname = "igmp_max_memberships", 724 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 725 .maxlen = sizeof(int), 726 .mode = 0644, 727 .proc_handler = proc_dointvec 728 }, 729 { 730 .procname = "igmp_max_msf", 731 .data = &init_net.ipv4.sysctl_igmp_max_msf, 732 .maxlen = sizeof(int), 733 .mode = 0644, 734 .proc_handler = proc_dointvec 735 }, 736 #ifdef CONFIG_IP_MULTICAST 737 { 738 .procname = "igmp_qrv", 739 .data = &init_net.ipv4.sysctl_igmp_qrv, 740 .maxlen = sizeof(int), 741 .mode = 0644, 742 .proc_handler = proc_dointvec_minmax, 743 .extra1 = &one 744 }, 745 #endif 746 { 747 .procname = "tcp_congestion_control", 748 .data = &init_net.ipv4.tcp_congestion_control, 749 .mode = 0644, 750 .maxlen = TCP_CA_NAME_MAX, 751 .proc_handler = proc_tcp_congestion_control, 752 }, 753 { 754 .procname = "tcp_keepalive_time", 755 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 756 .maxlen = sizeof(int), 757 .mode = 0644, 758 .proc_handler = proc_dointvec_jiffies, 759 }, 760 { 761 .procname = "tcp_keepalive_probes", 762 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 763 .maxlen = sizeof(int), 764 .mode = 0644, 765 .proc_handler = proc_dointvec 766 }, 767 { 768 .procname = "tcp_keepalive_intvl", 769 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 770 .maxlen = sizeof(int), 771 .mode = 0644, 772 .proc_handler = proc_dointvec_jiffies, 773 }, 774 { 775 .procname = "tcp_syn_retries", 776 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 777 .maxlen = sizeof(int), 778 .mode = 0644, 779 .proc_handler = proc_dointvec_minmax, 780 .extra1 = &tcp_syn_retries_min, 781 .extra2 = &tcp_syn_retries_max 782 }, 783 { 784 .procname = "tcp_synack_retries", 785 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 786 .maxlen = sizeof(int), 787 .mode = 0644, 788 .proc_handler = proc_dointvec 789 }, 790 #ifdef CONFIG_SYN_COOKIES 791 { 792 .procname = "tcp_syncookies", 793 .data = &init_net.ipv4.sysctl_tcp_syncookies, 794 .maxlen = sizeof(int), 795 .mode = 0644, 796 .proc_handler = proc_dointvec 797 }, 798 #endif 799 { 800 .procname = "tcp_reordering", 801 .data = &init_net.ipv4.sysctl_tcp_reordering, 802 .maxlen = sizeof(int), 803 .mode = 0644, 804 .proc_handler = proc_dointvec 805 }, 806 { 807 .procname = "tcp_retries1", 808 .data = &init_net.ipv4.sysctl_tcp_retries1, 809 .maxlen = sizeof(int), 810 .mode = 0644, 811 .proc_handler = proc_dointvec_minmax, 812 .extra2 = &tcp_retr1_max 813 }, 814 { 815 .procname = "tcp_retries2", 816 .data = &init_net.ipv4.sysctl_tcp_retries2, 817 .maxlen = sizeof(int), 818 .mode = 0644, 819 .proc_handler = proc_dointvec 820 }, 821 { 822 .procname = "tcp_orphan_retries", 823 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 824 .maxlen = sizeof(int), 825 .mode = 0644, 826 .proc_handler = proc_dointvec 827 }, 828 { 829 .procname = "tcp_fin_timeout", 830 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 831 .maxlen = sizeof(int), 832 .mode = 0644, 833 .proc_handler = proc_dointvec_jiffies, 834 }, 835 { 836 .procname = "tcp_notsent_lowat", 837 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 838 .maxlen = sizeof(unsigned int), 839 .mode = 0644, 840 .proc_handler = proc_douintvec, 841 }, 842 { 843 .procname = "tcp_tw_reuse", 844 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 845 .maxlen = sizeof(int), 846 .mode = 0644, 847 .proc_handler = proc_dointvec 848 }, 849 { 850 .procname = "tcp_max_tw_buckets", 851 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 852 .maxlen = sizeof(int), 853 .mode = 0644, 854 .proc_handler = proc_dointvec 855 }, 856 { 857 .procname = "tcp_max_syn_backlog", 858 .data = &init_net.ipv4.sysctl_max_syn_backlog, 859 .maxlen = sizeof(int), 860 .mode = 0644, 861 .proc_handler = proc_dointvec 862 }, 863 { 864 .procname = "tcp_fastopen", 865 .data = &init_net.ipv4.sysctl_tcp_fastopen, 866 .maxlen = sizeof(int), 867 .mode = 0644, 868 .proc_handler = proc_dointvec, 869 }, 870 { 871 .procname = "tcp_fastopen_key", 872 .mode = 0600, 873 .data = &init_net.ipv4.sysctl_tcp_fastopen, 874 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 875 .proc_handler = proc_tcp_fastopen_key, 876 }, 877 { 878 .procname = "tcp_fastopen_blackhole_timeout_sec", 879 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout, 880 .maxlen = sizeof(int), 881 .mode = 0644, 882 .proc_handler = proc_tfo_blackhole_detect_timeout, 883 .extra1 = &zero, 884 }, 885 #ifdef CONFIG_IP_ROUTE_MULTIPATH 886 { 887 .procname = "fib_multipath_use_neigh", 888 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 889 .maxlen = sizeof(int), 890 .mode = 0644, 891 .proc_handler = proc_dointvec_minmax, 892 .extra1 = &zero, 893 .extra2 = &one, 894 }, 895 { 896 .procname = "fib_multipath_hash_policy", 897 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 898 .maxlen = sizeof(int), 899 .mode = 0644, 900 .proc_handler = proc_fib_multipath_hash_policy, 901 .extra1 = &zero, 902 .extra2 = &one, 903 }, 904 #endif 905 { 906 .procname = "ip_unprivileged_port_start", 907 .maxlen = sizeof(int), 908 .data = &init_net.ipv4.sysctl_ip_prot_sock, 909 .mode = 0644, 910 .proc_handler = ipv4_privileged_ports, 911 }, 912 #ifdef CONFIG_NET_L3_MASTER_DEV 913 { 914 .procname = "udp_l3mdev_accept", 915 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 916 .maxlen = sizeof(int), 917 .mode = 0644, 918 .proc_handler = proc_dointvec_minmax, 919 .extra1 = &zero, 920 .extra2 = &one, 921 }, 922 #endif 923 { 924 .procname = "tcp_sack", 925 .data = &init_net.ipv4.sysctl_tcp_sack, 926 .maxlen = sizeof(int), 927 .mode = 0644, 928 .proc_handler = proc_dointvec 929 }, 930 { 931 .procname = "tcp_window_scaling", 932 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 933 .maxlen = sizeof(int), 934 .mode = 0644, 935 .proc_handler = proc_dointvec 936 }, 937 { 938 .procname = "tcp_timestamps", 939 .data = &init_net.ipv4.sysctl_tcp_timestamps, 940 .maxlen = sizeof(int), 941 .mode = 0644, 942 .proc_handler = proc_dointvec 943 }, 944 { 945 .procname = "tcp_early_retrans", 946 .data = &init_net.ipv4.sysctl_tcp_early_retrans, 947 .maxlen = sizeof(int), 948 .mode = 0644, 949 .proc_handler = proc_dointvec_minmax, 950 .extra1 = &zero, 951 .extra2 = &four, 952 }, 953 { 954 .procname = "tcp_recovery", 955 .data = &init_net.ipv4.sysctl_tcp_recovery, 956 .maxlen = sizeof(int), 957 .mode = 0644, 958 .proc_handler = proc_dointvec, 959 }, 960 { 961 .procname = "tcp_thin_linear_timeouts", 962 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts, 963 .maxlen = sizeof(int), 964 .mode = 0644, 965 .proc_handler = proc_dointvec 966 }, 967 { 968 .procname = "tcp_slow_start_after_idle", 969 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle, 970 .maxlen = sizeof(int), 971 .mode = 0644, 972 .proc_handler = proc_dointvec 973 }, 974 { 975 .procname = "tcp_retrans_collapse", 976 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse, 977 .maxlen = sizeof(int), 978 .mode = 0644, 979 .proc_handler = proc_dointvec 980 }, 981 { 982 .procname = "tcp_stdurg", 983 .data = &init_net.ipv4.sysctl_tcp_stdurg, 984 .maxlen = sizeof(int), 985 .mode = 0644, 986 .proc_handler = proc_dointvec 987 }, 988 { 989 .procname = "tcp_rfc1337", 990 .data = &init_net.ipv4.sysctl_tcp_rfc1337, 991 .maxlen = sizeof(int), 992 .mode = 0644, 993 .proc_handler = proc_dointvec 994 }, 995 { 996 .procname = "tcp_abort_on_overflow", 997 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow, 998 .maxlen = sizeof(int), 999 .mode = 0644, 1000 .proc_handler = proc_dointvec 1001 }, 1002 { 1003 .procname = "tcp_fack", 1004 .data = &init_net.ipv4.sysctl_tcp_fack, 1005 .maxlen = sizeof(int), 1006 .mode = 0644, 1007 .proc_handler = proc_dointvec 1008 }, 1009 { 1010 .procname = "tcp_max_reordering", 1011 .data = &init_net.ipv4.sysctl_tcp_max_reordering, 1012 .maxlen = sizeof(int), 1013 .mode = 0644, 1014 .proc_handler = proc_dointvec 1015 }, 1016 { 1017 .procname = "tcp_dsack", 1018 .data = &init_net.ipv4.sysctl_tcp_dsack, 1019 .maxlen = sizeof(int), 1020 .mode = 0644, 1021 .proc_handler = proc_dointvec 1022 }, 1023 { 1024 .procname = "tcp_app_win", 1025 .data = &init_net.ipv4.sysctl_tcp_app_win, 1026 .maxlen = sizeof(int), 1027 .mode = 0644, 1028 .proc_handler = proc_dointvec 1029 }, 1030 { 1031 .procname = "tcp_adv_win_scale", 1032 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale, 1033 .maxlen = sizeof(int), 1034 .mode = 0644, 1035 .proc_handler = proc_dointvec_minmax, 1036 .extra1 = &tcp_adv_win_scale_min, 1037 .extra2 = &tcp_adv_win_scale_max, 1038 }, 1039 { 1040 .procname = "tcp_frto", 1041 .data = &init_net.ipv4.sysctl_tcp_frto, 1042 .maxlen = sizeof(int), 1043 .mode = 0644, 1044 .proc_handler = proc_dointvec 1045 }, 1046 { 1047 .procname = "tcp_no_metrics_save", 1048 .data = &init_net.ipv4.sysctl_tcp_nometrics_save, 1049 .maxlen = sizeof(int), 1050 .mode = 0644, 1051 .proc_handler = proc_dointvec, 1052 }, 1053 { 1054 .procname = "tcp_moderate_rcvbuf", 1055 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf, 1056 .maxlen = sizeof(int), 1057 .mode = 0644, 1058 .proc_handler = proc_dointvec, 1059 }, 1060 { 1061 .procname = "tcp_tso_win_divisor", 1062 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor, 1063 .maxlen = sizeof(int), 1064 .mode = 0644, 1065 .proc_handler = proc_dointvec, 1066 }, 1067 { 1068 .procname = "tcp_workaround_signed_windows", 1069 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows, 1070 .maxlen = sizeof(int), 1071 .mode = 0644, 1072 .proc_handler = proc_dointvec 1073 }, 1074 { 1075 .procname = "tcp_limit_output_bytes", 1076 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes, 1077 .maxlen = sizeof(int), 1078 .mode = 0644, 1079 .proc_handler = proc_dointvec 1080 }, 1081 { 1082 .procname = "tcp_challenge_ack_limit", 1083 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit, 1084 .maxlen = sizeof(int), 1085 .mode = 0644, 1086 .proc_handler = proc_dointvec 1087 }, 1088 { 1089 .procname = "tcp_min_tso_segs", 1090 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs, 1091 .maxlen = sizeof(int), 1092 .mode = 0644, 1093 .proc_handler = proc_dointvec_minmax, 1094 .extra1 = &one, 1095 .extra2 = &gso_max_segs, 1096 }, 1097 { 1098 .procname = "tcp_min_rtt_wlen", 1099 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, 1100 .maxlen = sizeof(int), 1101 .mode = 0644, 1102 .proc_handler = proc_dointvec 1103 }, 1104 { 1105 .procname = "tcp_autocorking", 1106 .data = &init_net.ipv4.sysctl_tcp_autocorking, 1107 .maxlen = sizeof(int), 1108 .mode = 0644, 1109 .proc_handler = proc_dointvec_minmax, 1110 .extra1 = &zero, 1111 .extra2 = &one, 1112 }, 1113 { 1114 .procname = "tcp_invalid_ratelimit", 1115 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit, 1116 .maxlen = sizeof(int), 1117 .mode = 0644, 1118 .proc_handler = proc_dointvec_ms_jiffies, 1119 }, 1120 { 1121 .procname = "tcp_pacing_ss_ratio", 1122 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio, 1123 .maxlen = sizeof(int), 1124 .mode = 0644, 1125 .proc_handler = proc_dointvec_minmax, 1126 .extra1 = &zero, 1127 .extra2 = &thousand, 1128 }, 1129 { 1130 .procname = "tcp_pacing_ca_ratio", 1131 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio, 1132 .maxlen = sizeof(int), 1133 .mode = 0644, 1134 .proc_handler = proc_dointvec_minmax, 1135 .extra1 = &zero, 1136 .extra2 = &thousand, 1137 }, 1138 { 1139 .procname = "tcp_wmem", 1140 .data = &init_net.ipv4.sysctl_tcp_wmem, 1141 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem), 1142 .mode = 0644, 1143 .proc_handler = proc_dointvec_minmax, 1144 .extra1 = &one, 1145 }, 1146 { 1147 .procname = "tcp_rmem", 1148 .data = &init_net.ipv4.sysctl_tcp_rmem, 1149 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem), 1150 .mode = 0644, 1151 .proc_handler = proc_dointvec_minmax, 1152 .extra1 = &one, 1153 }, 1154 { 1155 .procname = "udp_rmem_min", 1156 .data = &init_net.ipv4.sysctl_udp_rmem_min, 1157 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min), 1158 .mode = 0644, 1159 .proc_handler = proc_dointvec_minmax, 1160 .extra1 = &one 1161 }, 1162 { 1163 .procname = "udp_wmem_min", 1164 .data = &init_net.ipv4.sysctl_udp_wmem_min, 1165 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min), 1166 .mode = 0644, 1167 .proc_handler = proc_dointvec_minmax, 1168 .extra1 = &one 1169 }, 1170 { } 1171 }; 1172 1173 static __net_init int ipv4_sysctl_init_net(struct net *net) 1174 { 1175 struct ctl_table *table; 1176 1177 table = ipv4_net_table; 1178 if (!net_eq(net, &init_net)) { 1179 int i; 1180 1181 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1182 if (!table) 1183 goto err_alloc; 1184 1185 /* Update the variables to point into the current struct net */ 1186 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1187 table[i].data += (void *)net - (void *)&init_net; 1188 } 1189 1190 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1191 if (!net->ipv4.ipv4_hdr) 1192 goto err_reg; 1193 1194 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1195 if (!net->ipv4.sysctl_local_reserved_ports) 1196 goto err_ports; 1197 1198 return 0; 1199 1200 err_ports: 1201 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1202 err_reg: 1203 if (!net_eq(net, &init_net)) 1204 kfree(table); 1205 err_alloc: 1206 return -ENOMEM; 1207 } 1208 1209 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1210 { 1211 struct ctl_table *table; 1212 1213 kfree(net->ipv4.sysctl_local_reserved_ports); 1214 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1215 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1216 kfree(table); 1217 } 1218 1219 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1220 .init = ipv4_sysctl_init_net, 1221 .exit = ipv4_sysctl_exit_net, 1222 }; 1223 1224 static __init int sysctl_ipv4_init(void) 1225 { 1226 struct ctl_table_header *hdr; 1227 1228 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1229 if (!hdr) 1230 return -ENOMEM; 1231 1232 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1233 unregister_net_sysctl_table(hdr); 1234 return -ENOMEM; 1235 } 1236 1237 return 0; 1238 } 1239 1240 __initcall(sysctl_ipv4_init); 1241