1 /* 2 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 3 * 4 * Begun April 1, 1996, Mike Shaver. 5 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 6 */ 7 8 #include <linux/mm.h> 9 #include <linux/module.h> 10 #include <linux/sysctl.h> 11 #include <linux/igmp.h> 12 #include <linux/inetdevice.h> 13 #include <linux/seqlock.h> 14 #include <linux/init.h> 15 #include <linux/slab.h> 16 #include <linux/nsproxy.h> 17 #include <linux/swap.h> 18 #include <net/snmp.h> 19 #include <net/icmp.h> 20 #include <net/ip.h> 21 #include <net/route.h> 22 #include <net/tcp.h> 23 #include <net/udp.h> 24 #include <net/cipso_ipv4.h> 25 #include <net/inet_frag.h> 26 #include <net/ping.h> 27 #include <net/protocol.h> 28 29 static int zero; 30 static int one = 1; 31 static int four = 4; 32 static int thousand = 1000; 33 static int gso_max_segs = GSO_MAX_SEGS; 34 static int tcp_retr1_max = 255; 35 static int ip_local_port_range_min[] = { 1, 1 }; 36 static int ip_local_port_range_max[] = { 65535, 65535 }; 37 static int tcp_adv_win_scale_min = -31; 38 static int tcp_adv_win_scale_max = 31; 39 static int ip_privileged_port_min; 40 static int ip_privileged_port_max = 65535; 41 static int ip_ttl_min = 1; 42 static int ip_ttl_max = 255; 43 static int tcp_syn_retries_min = 1; 44 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 45 static int ip_ping_group_range_min[] = { 0, 0 }; 46 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 47 48 /* Update system visible IP port range */ 49 static void set_local_port_range(struct net *net, int range[2]) 50 { 51 bool same_parity = !((range[0] ^ range[1]) & 1); 52 53 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 54 if (same_parity && !net->ipv4.ip_local_ports.warned) { 55 net->ipv4.ip_local_ports.warned = true; 56 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 57 } 58 net->ipv4.ip_local_ports.range[0] = range[0]; 59 net->ipv4.ip_local_ports.range[1] = range[1]; 60 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 61 } 62 63 /* Validate changes from /proc interface. */ 64 static int ipv4_local_port_range(struct ctl_table *table, int write, 65 void __user *buffer, 66 size_t *lenp, loff_t *ppos) 67 { 68 struct net *net = 69 container_of(table->data, struct net, ipv4.ip_local_ports.range); 70 int ret; 71 int range[2]; 72 struct ctl_table tmp = { 73 .data = &range, 74 .maxlen = sizeof(range), 75 .mode = table->mode, 76 .extra1 = &ip_local_port_range_min, 77 .extra2 = &ip_local_port_range_max, 78 }; 79 80 inet_get_local_port_range(net, &range[0], &range[1]); 81 82 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 83 84 if (write && ret == 0) { 85 /* Ensure that the upper limit is not smaller than the lower, 86 * and that the lower does not encroach upon the privileged 87 * port limit. 88 */ 89 if ((range[1] < range[0]) || 90 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 91 ret = -EINVAL; 92 else 93 set_local_port_range(net, range); 94 } 95 96 return ret; 97 } 98 99 /* Validate changes from /proc interface. */ 100 static int ipv4_privileged_ports(struct ctl_table *table, int write, 101 void __user *buffer, size_t *lenp, loff_t *ppos) 102 { 103 struct net *net = container_of(table->data, struct net, 104 ipv4.sysctl_ip_prot_sock); 105 int ret; 106 int pports; 107 int range[2]; 108 struct ctl_table tmp = { 109 .data = &pports, 110 .maxlen = sizeof(pports), 111 .mode = table->mode, 112 .extra1 = &ip_privileged_port_min, 113 .extra2 = &ip_privileged_port_max, 114 }; 115 116 pports = net->ipv4.sysctl_ip_prot_sock; 117 118 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 119 120 if (write && ret == 0) { 121 inet_get_local_port_range(net, &range[0], &range[1]); 122 /* Ensure that the local port range doesn't overlap with the 123 * privileged port range. 124 */ 125 if (range[0] < pports) 126 ret = -EINVAL; 127 else 128 net->ipv4.sysctl_ip_prot_sock = pports; 129 } 130 131 return ret; 132 } 133 134 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 135 { 136 kgid_t *data = table->data; 137 struct net *net = 138 container_of(table->data, struct net, ipv4.ping_group_range.range); 139 unsigned int seq; 140 do { 141 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 142 143 *low = data[0]; 144 *high = data[1]; 145 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 146 } 147 148 /* Update system visible IP port range */ 149 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 150 { 151 kgid_t *data = table->data; 152 struct net *net = 153 container_of(table->data, struct net, ipv4.ping_group_range.range); 154 write_seqlock(&net->ipv4.ping_group_range.lock); 155 data[0] = low; 156 data[1] = high; 157 write_sequnlock(&net->ipv4.ping_group_range.lock); 158 } 159 160 /* Validate changes from /proc interface. */ 161 static int ipv4_ping_group_range(struct ctl_table *table, int write, 162 void __user *buffer, 163 size_t *lenp, loff_t *ppos) 164 { 165 struct user_namespace *user_ns = current_user_ns(); 166 int ret; 167 gid_t urange[2]; 168 kgid_t low, high; 169 struct ctl_table tmp = { 170 .data = &urange, 171 .maxlen = sizeof(urange), 172 .mode = table->mode, 173 .extra1 = &ip_ping_group_range_min, 174 .extra2 = &ip_ping_group_range_max, 175 }; 176 177 inet_get_ping_group_range_table(table, &low, &high); 178 urange[0] = from_kgid_munged(user_ns, low); 179 urange[1] = from_kgid_munged(user_ns, high); 180 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 181 182 if (write && ret == 0) { 183 low = make_kgid(user_ns, urange[0]); 184 high = make_kgid(user_ns, urange[1]); 185 if (!gid_valid(low) || !gid_valid(high) || 186 (urange[1] < urange[0]) || gid_lt(high, low)) { 187 low = make_kgid(&init_user_ns, 1); 188 high = make_kgid(&init_user_ns, 0); 189 } 190 set_ping_group_range(table, low, high); 191 } 192 193 return ret; 194 } 195 196 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 197 void __user *buffer, size_t *lenp, loff_t *ppos) 198 { 199 char val[TCP_CA_NAME_MAX]; 200 struct ctl_table tbl = { 201 .data = val, 202 .maxlen = TCP_CA_NAME_MAX, 203 }; 204 int ret; 205 206 tcp_get_default_congestion_control(val); 207 208 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 209 if (write && ret == 0) 210 ret = tcp_set_default_congestion_control(val); 211 return ret; 212 } 213 214 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 215 int write, 216 void __user *buffer, size_t *lenp, 217 loff_t *ppos) 218 { 219 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 220 int ret; 221 222 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 223 if (!tbl.data) 224 return -ENOMEM; 225 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 226 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 227 kfree(tbl.data); 228 return ret; 229 } 230 231 static int proc_allowed_congestion_control(struct ctl_table *ctl, 232 int write, 233 void __user *buffer, size_t *lenp, 234 loff_t *ppos) 235 { 236 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 237 int ret; 238 239 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 240 if (!tbl.data) 241 return -ENOMEM; 242 243 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 244 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 245 if (write && ret == 0) 246 ret = tcp_set_allowed_congestion_control(tbl.data); 247 kfree(tbl.data); 248 return ret; 249 } 250 251 static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write, 252 void __user *buffer, size_t *lenp, 253 loff_t *ppos) 254 { 255 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 256 struct tcp_fastopen_context *ctxt; 257 int ret; 258 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 259 260 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 261 if (!tbl.data) 262 return -ENOMEM; 263 264 rcu_read_lock(); 265 ctxt = rcu_dereference(tcp_fastopen_ctx); 266 if (ctxt) 267 memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 268 else 269 memset(user_key, 0, sizeof(user_key)); 270 rcu_read_unlock(); 271 272 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 273 user_key[0], user_key[1], user_key[2], user_key[3]); 274 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 275 276 if (write && ret == 0) { 277 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 278 user_key + 2, user_key + 3) != 4) { 279 ret = -EINVAL; 280 goto bad_key; 281 } 282 /* Generate a dummy secret but don't publish it. This 283 * is needed so we don't regenerate a new key on the 284 * first invocation of tcp_fastopen_cookie_gen 285 */ 286 tcp_fastopen_init_key_once(false); 287 tcp_fastopen_reset_cipher(user_key, TCP_FASTOPEN_KEY_LENGTH); 288 } 289 290 bad_key: 291 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 292 user_key[0], user_key[1], user_key[2], user_key[3], 293 (char *)tbl.data, ret); 294 kfree(tbl.data); 295 return ret; 296 } 297 298 static void proc_configure_early_demux(int enabled, int protocol) 299 { 300 struct net_protocol *ipprot; 301 #if IS_ENABLED(CONFIG_IPV6) 302 struct inet6_protocol *ip6prot; 303 #endif 304 305 rcu_read_lock(); 306 307 ipprot = rcu_dereference(inet_protos[protocol]); 308 if (ipprot) 309 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 310 NULL; 311 312 #if IS_ENABLED(CONFIG_IPV6) 313 ip6prot = rcu_dereference(inet6_protos[protocol]); 314 if (ip6prot) 315 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 316 NULL; 317 #endif 318 rcu_read_unlock(); 319 } 320 321 static int proc_tcp_early_demux(struct ctl_table *table, int write, 322 void __user *buffer, size_t *lenp, loff_t *ppos) 323 { 324 int ret = 0; 325 326 ret = proc_dointvec(table, write, buffer, lenp, ppos); 327 328 if (write && !ret) { 329 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 330 331 proc_configure_early_demux(enabled, IPPROTO_TCP); 332 } 333 334 return ret; 335 } 336 337 static int proc_udp_early_demux(struct ctl_table *table, int write, 338 void __user *buffer, size_t *lenp, loff_t *ppos) 339 { 340 int ret = 0; 341 342 ret = proc_dointvec(table, write, buffer, lenp, ppos); 343 344 if (write && !ret) { 345 int enabled = init_net.ipv4.sysctl_udp_early_demux; 346 347 proc_configure_early_demux(enabled, IPPROTO_UDP); 348 } 349 350 return ret; 351 } 352 353 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 354 int write, 355 void __user *buffer, 356 size_t *lenp, loff_t *ppos) 357 { 358 int ret; 359 360 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 361 if (write && ret == 0) 362 tcp_fastopen_active_timeout_reset(); 363 364 return ret; 365 } 366 367 static int proc_tcp_available_ulp(struct ctl_table *ctl, 368 int write, 369 void __user *buffer, size_t *lenp, 370 loff_t *ppos) 371 { 372 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 373 int ret; 374 375 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 376 if (!tbl.data) 377 return -ENOMEM; 378 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 379 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 380 kfree(tbl.data); 381 382 return ret; 383 } 384 385 static struct ctl_table ipv4_table[] = { 386 { 387 .procname = "tcp_retrans_collapse", 388 .data = &sysctl_tcp_retrans_collapse, 389 .maxlen = sizeof(int), 390 .mode = 0644, 391 .proc_handler = proc_dointvec 392 }, 393 { 394 .procname = "tcp_max_orphans", 395 .data = &sysctl_tcp_max_orphans, 396 .maxlen = sizeof(int), 397 .mode = 0644, 398 .proc_handler = proc_dointvec 399 }, 400 { 401 .procname = "tcp_fastopen", 402 .data = &sysctl_tcp_fastopen, 403 .maxlen = sizeof(int), 404 .mode = 0644, 405 .proc_handler = proc_dointvec, 406 }, 407 { 408 .procname = "tcp_fastopen_key", 409 .mode = 0600, 410 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 411 .proc_handler = proc_tcp_fastopen_key, 412 }, 413 { 414 .procname = "tcp_fastopen_blackhole_timeout_sec", 415 .data = &sysctl_tcp_fastopen_blackhole_timeout, 416 .maxlen = sizeof(int), 417 .mode = 0644, 418 .proc_handler = proc_tfo_blackhole_detect_timeout, 419 .extra1 = &zero, 420 }, 421 { 422 .procname = "tcp_abort_on_overflow", 423 .data = &sysctl_tcp_abort_on_overflow, 424 .maxlen = sizeof(int), 425 .mode = 0644, 426 .proc_handler = proc_dointvec 427 }, 428 { 429 .procname = "tcp_stdurg", 430 .data = &sysctl_tcp_stdurg, 431 .maxlen = sizeof(int), 432 .mode = 0644, 433 .proc_handler = proc_dointvec 434 }, 435 { 436 .procname = "tcp_rfc1337", 437 .data = &sysctl_tcp_rfc1337, 438 .maxlen = sizeof(int), 439 .mode = 0644, 440 .proc_handler = proc_dointvec 441 }, 442 { 443 .procname = "inet_peer_threshold", 444 .data = &inet_peer_threshold, 445 .maxlen = sizeof(int), 446 .mode = 0644, 447 .proc_handler = proc_dointvec 448 }, 449 { 450 .procname = "inet_peer_minttl", 451 .data = &inet_peer_minttl, 452 .maxlen = sizeof(int), 453 .mode = 0644, 454 .proc_handler = proc_dointvec_jiffies, 455 }, 456 { 457 .procname = "inet_peer_maxttl", 458 .data = &inet_peer_maxttl, 459 .maxlen = sizeof(int), 460 .mode = 0644, 461 .proc_handler = proc_dointvec_jiffies, 462 }, 463 { 464 .procname = "tcp_fack", 465 .data = &sysctl_tcp_fack, 466 .maxlen = sizeof(int), 467 .mode = 0644, 468 .proc_handler = proc_dointvec 469 }, 470 { 471 .procname = "tcp_recovery", 472 .data = &sysctl_tcp_recovery, 473 .maxlen = sizeof(int), 474 .mode = 0644, 475 .proc_handler = proc_dointvec, 476 }, 477 { 478 .procname = "tcp_max_reordering", 479 .data = &sysctl_tcp_max_reordering, 480 .maxlen = sizeof(int), 481 .mode = 0644, 482 .proc_handler = proc_dointvec 483 }, 484 { 485 .procname = "tcp_dsack", 486 .data = &sysctl_tcp_dsack, 487 .maxlen = sizeof(int), 488 .mode = 0644, 489 .proc_handler = proc_dointvec 490 }, 491 { 492 .procname = "tcp_mem", 493 .maxlen = sizeof(sysctl_tcp_mem), 494 .data = &sysctl_tcp_mem, 495 .mode = 0644, 496 .proc_handler = proc_doulongvec_minmax, 497 }, 498 { 499 .procname = "tcp_wmem", 500 .data = &sysctl_tcp_wmem, 501 .maxlen = sizeof(sysctl_tcp_wmem), 502 .mode = 0644, 503 .proc_handler = proc_dointvec_minmax, 504 .extra1 = &one, 505 }, 506 { 507 .procname = "tcp_rmem", 508 .data = &sysctl_tcp_rmem, 509 .maxlen = sizeof(sysctl_tcp_rmem), 510 .mode = 0644, 511 .proc_handler = proc_dointvec_minmax, 512 .extra1 = &one, 513 }, 514 { 515 .procname = "tcp_app_win", 516 .data = &sysctl_tcp_app_win, 517 .maxlen = sizeof(int), 518 .mode = 0644, 519 .proc_handler = proc_dointvec 520 }, 521 { 522 .procname = "tcp_adv_win_scale", 523 .data = &sysctl_tcp_adv_win_scale, 524 .maxlen = sizeof(int), 525 .mode = 0644, 526 .proc_handler = proc_dointvec_minmax, 527 .extra1 = &tcp_adv_win_scale_min, 528 .extra2 = &tcp_adv_win_scale_max, 529 }, 530 { 531 .procname = "tcp_frto", 532 .data = &sysctl_tcp_frto, 533 .maxlen = sizeof(int), 534 .mode = 0644, 535 .proc_handler = proc_dointvec 536 }, 537 { 538 .procname = "tcp_min_rtt_wlen", 539 .data = &sysctl_tcp_min_rtt_wlen, 540 .maxlen = sizeof(int), 541 .mode = 0644, 542 .proc_handler = proc_dointvec 543 }, 544 { 545 .procname = "tcp_low_latency", 546 .data = &sysctl_tcp_low_latency, 547 .maxlen = sizeof(int), 548 .mode = 0644, 549 .proc_handler = proc_dointvec 550 }, 551 { 552 .procname = "tcp_no_metrics_save", 553 .data = &sysctl_tcp_nometrics_save, 554 .maxlen = sizeof(int), 555 .mode = 0644, 556 .proc_handler = proc_dointvec, 557 }, 558 { 559 .procname = "tcp_moderate_rcvbuf", 560 .data = &sysctl_tcp_moderate_rcvbuf, 561 .maxlen = sizeof(int), 562 .mode = 0644, 563 .proc_handler = proc_dointvec, 564 }, 565 { 566 .procname = "tcp_tso_win_divisor", 567 .data = &sysctl_tcp_tso_win_divisor, 568 .maxlen = sizeof(int), 569 .mode = 0644, 570 .proc_handler = proc_dointvec, 571 }, 572 { 573 .procname = "tcp_congestion_control", 574 .mode = 0644, 575 .maxlen = TCP_CA_NAME_MAX, 576 .proc_handler = proc_tcp_congestion_control, 577 }, 578 { 579 .procname = "tcp_workaround_signed_windows", 580 .data = &sysctl_tcp_workaround_signed_windows, 581 .maxlen = sizeof(int), 582 .mode = 0644, 583 .proc_handler = proc_dointvec 584 }, 585 { 586 .procname = "tcp_limit_output_bytes", 587 .data = &sysctl_tcp_limit_output_bytes, 588 .maxlen = sizeof(int), 589 .mode = 0644, 590 .proc_handler = proc_dointvec 591 }, 592 { 593 .procname = "tcp_challenge_ack_limit", 594 .data = &sysctl_tcp_challenge_ack_limit, 595 .maxlen = sizeof(int), 596 .mode = 0644, 597 .proc_handler = proc_dointvec 598 }, 599 { 600 .procname = "tcp_slow_start_after_idle", 601 .data = &sysctl_tcp_slow_start_after_idle, 602 .maxlen = sizeof(int), 603 .mode = 0644, 604 .proc_handler = proc_dointvec 605 }, 606 #ifdef CONFIG_NETLABEL 607 { 608 .procname = "cipso_cache_enable", 609 .data = &cipso_v4_cache_enabled, 610 .maxlen = sizeof(int), 611 .mode = 0644, 612 .proc_handler = proc_dointvec, 613 }, 614 { 615 .procname = "cipso_cache_bucket_size", 616 .data = &cipso_v4_cache_bucketsize, 617 .maxlen = sizeof(int), 618 .mode = 0644, 619 .proc_handler = proc_dointvec, 620 }, 621 { 622 .procname = "cipso_rbm_optfmt", 623 .data = &cipso_v4_rbm_optfmt, 624 .maxlen = sizeof(int), 625 .mode = 0644, 626 .proc_handler = proc_dointvec, 627 }, 628 { 629 .procname = "cipso_rbm_strictvalid", 630 .data = &cipso_v4_rbm_strictvalid, 631 .maxlen = sizeof(int), 632 .mode = 0644, 633 .proc_handler = proc_dointvec, 634 }, 635 #endif /* CONFIG_NETLABEL */ 636 { 637 .procname = "tcp_available_congestion_control", 638 .maxlen = TCP_CA_BUF_MAX, 639 .mode = 0444, 640 .proc_handler = proc_tcp_available_congestion_control, 641 }, 642 { 643 .procname = "tcp_allowed_congestion_control", 644 .maxlen = TCP_CA_BUF_MAX, 645 .mode = 0644, 646 .proc_handler = proc_allowed_congestion_control, 647 }, 648 { 649 .procname = "tcp_thin_linear_timeouts", 650 .data = &sysctl_tcp_thin_linear_timeouts, 651 .maxlen = sizeof(int), 652 .mode = 0644, 653 .proc_handler = proc_dointvec 654 }, 655 { 656 .procname = "tcp_early_retrans", 657 .data = &sysctl_tcp_early_retrans, 658 .maxlen = sizeof(int), 659 .mode = 0644, 660 .proc_handler = proc_dointvec_minmax, 661 .extra1 = &zero, 662 .extra2 = &four, 663 }, 664 { 665 .procname = "tcp_min_tso_segs", 666 .data = &sysctl_tcp_min_tso_segs, 667 .maxlen = sizeof(int), 668 .mode = 0644, 669 .proc_handler = proc_dointvec_minmax, 670 .extra1 = &one, 671 .extra2 = &gso_max_segs, 672 }, 673 { 674 .procname = "tcp_pacing_ss_ratio", 675 .data = &sysctl_tcp_pacing_ss_ratio, 676 .maxlen = sizeof(int), 677 .mode = 0644, 678 .proc_handler = proc_dointvec_minmax, 679 .extra1 = &zero, 680 .extra2 = &thousand, 681 }, 682 { 683 .procname = "tcp_pacing_ca_ratio", 684 .data = &sysctl_tcp_pacing_ca_ratio, 685 .maxlen = sizeof(int), 686 .mode = 0644, 687 .proc_handler = proc_dointvec_minmax, 688 .extra1 = &zero, 689 .extra2 = &thousand, 690 }, 691 { 692 .procname = "tcp_autocorking", 693 .data = &sysctl_tcp_autocorking, 694 .maxlen = sizeof(int), 695 .mode = 0644, 696 .proc_handler = proc_dointvec_minmax, 697 .extra1 = &zero, 698 .extra2 = &one, 699 }, 700 { 701 .procname = "tcp_invalid_ratelimit", 702 .data = &sysctl_tcp_invalid_ratelimit, 703 .maxlen = sizeof(int), 704 .mode = 0644, 705 .proc_handler = proc_dointvec_ms_jiffies, 706 }, 707 { 708 .procname = "tcp_available_ulp", 709 .maxlen = TCP_ULP_BUF_MAX, 710 .mode = 0444, 711 .proc_handler = proc_tcp_available_ulp, 712 }, 713 { 714 .procname = "icmp_msgs_per_sec", 715 .data = &sysctl_icmp_msgs_per_sec, 716 .maxlen = sizeof(int), 717 .mode = 0644, 718 .proc_handler = proc_dointvec_minmax, 719 .extra1 = &zero, 720 }, 721 { 722 .procname = "icmp_msgs_burst", 723 .data = &sysctl_icmp_msgs_burst, 724 .maxlen = sizeof(int), 725 .mode = 0644, 726 .proc_handler = proc_dointvec_minmax, 727 .extra1 = &zero, 728 }, 729 { 730 .procname = "udp_mem", 731 .data = &sysctl_udp_mem, 732 .maxlen = sizeof(sysctl_udp_mem), 733 .mode = 0644, 734 .proc_handler = proc_doulongvec_minmax, 735 }, 736 { 737 .procname = "udp_rmem_min", 738 .data = &sysctl_udp_rmem_min, 739 .maxlen = sizeof(sysctl_udp_rmem_min), 740 .mode = 0644, 741 .proc_handler = proc_dointvec_minmax, 742 .extra1 = &one 743 }, 744 { 745 .procname = "udp_wmem_min", 746 .data = &sysctl_udp_wmem_min, 747 .maxlen = sizeof(sysctl_udp_wmem_min), 748 .mode = 0644, 749 .proc_handler = proc_dointvec_minmax, 750 .extra1 = &one 751 }, 752 { } 753 }; 754 755 static struct ctl_table ipv4_net_table[] = { 756 { 757 .procname = "icmp_echo_ignore_all", 758 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 759 .maxlen = sizeof(int), 760 .mode = 0644, 761 .proc_handler = proc_dointvec 762 }, 763 { 764 .procname = "icmp_echo_ignore_broadcasts", 765 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 766 .maxlen = sizeof(int), 767 .mode = 0644, 768 .proc_handler = proc_dointvec 769 }, 770 { 771 .procname = "icmp_ignore_bogus_error_responses", 772 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 773 .maxlen = sizeof(int), 774 .mode = 0644, 775 .proc_handler = proc_dointvec 776 }, 777 { 778 .procname = "icmp_errors_use_inbound_ifaddr", 779 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 780 .maxlen = sizeof(int), 781 .mode = 0644, 782 .proc_handler = proc_dointvec 783 }, 784 { 785 .procname = "icmp_ratelimit", 786 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 787 .maxlen = sizeof(int), 788 .mode = 0644, 789 .proc_handler = proc_dointvec_ms_jiffies, 790 }, 791 { 792 .procname = "icmp_ratemask", 793 .data = &init_net.ipv4.sysctl_icmp_ratemask, 794 .maxlen = sizeof(int), 795 .mode = 0644, 796 .proc_handler = proc_dointvec 797 }, 798 { 799 .procname = "ping_group_range", 800 .data = &init_net.ipv4.ping_group_range.range, 801 .maxlen = sizeof(gid_t)*2, 802 .mode = 0644, 803 .proc_handler = ipv4_ping_group_range, 804 }, 805 { 806 .procname = "tcp_ecn", 807 .data = &init_net.ipv4.sysctl_tcp_ecn, 808 .maxlen = sizeof(int), 809 .mode = 0644, 810 .proc_handler = proc_dointvec 811 }, 812 { 813 .procname = "tcp_ecn_fallback", 814 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 815 .maxlen = sizeof(int), 816 .mode = 0644, 817 .proc_handler = proc_dointvec 818 }, 819 { 820 .procname = "ip_dynaddr", 821 .data = &init_net.ipv4.sysctl_ip_dynaddr, 822 .maxlen = sizeof(int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec 825 }, 826 { 827 .procname = "ip_early_demux", 828 .data = &init_net.ipv4.sysctl_ip_early_demux, 829 .maxlen = sizeof(int), 830 .mode = 0644, 831 .proc_handler = proc_dointvec 832 }, 833 { 834 .procname = "udp_early_demux", 835 .data = &init_net.ipv4.sysctl_udp_early_demux, 836 .maxlen = sizeof(int), 837 .mode = 0644, 838 .proc_handler = proc_udp_early_demux 839 }, 840 { 841 .procname = "tcp_early_demux", 842 .data = &init_net.ipv4.sysctl_tcp_early_demux, 843 .maxlen = sizeof(int), 844 .mode = 0644, 845 .proc_handler = proc_tcp_early_demux 846 }, 847 { 848 .procname = "ip_default_ttl", 849 .data = &init_net.ipv4.sysctl_ip_default_ttl, 850 .maxlen = sizeof(int), 851 .mode = 0644, 852 .proc_handler = proc_dointvec_minmax, 853 .extra1 = &ip_ttl_min, 854 .extra2 = &ip_ttl_max, 855 }, 856 { 857 .procname = "ip_local_port_range", 858 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 859 .data = &init_net.ipv4.ip_local_ports.range, 860 .mode = 0644, 861 .proc_handler = ipv4_local_port_range, 862 }, 863 { 864 .procname = "ip_local_reserved_ports", 865 .data = &init_net.ipv4.sysctl_local_reserved_ports, 866 .maxlen = 65536, 867 .mode = 0644, 868 .proc_handler = proc_do_large_bitmap, 869 }, 870 { 871 .procname = "ip_no_pmtu_disc", 872 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 873 .maxlen = sizeof(int), 874 .mode = 0644, 875 .proc_handler = proc_dointvec 876 }, 877 { 878 .procname = "ip_forward_use_pmtu", 879 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 880 .maxlen = sizeof(int), 881 .mode = 0644, 882 .proc_handler = proc_dointvec, 883 }, 884 { 885 .procname = "ip_nonlocal_bind", 886 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 887 .maxlen = sizeof(int), 888 .mode = 0644, 889 .proc_handler = proc_dointvec 890 }, 891 { 892 .procname = "fwmark_reflect", 893 .data = &init_net.ipv4.sysctl_fwmark_reflect, 894 .maxlen = sizeof(int), 895 .mode = 0644, 896 .proc_handler = proc_dointvec, 897 }, 898 { 899 .procname = "tcp_fwmark_accept", 900 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 901 .maxlen = sizeof(int), 902 .mode = 0644, 903 .proc_handler = proc_dointvec, 904 }, 905 #ifdef CONFIG_NET_L3_MASTER_DEV 906 { 907 .procname = "tcp_l3mdev_accept", 908 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 909 .maxlen = sizeof(int), 910 .mode = 0644, 911 .proc_handler = proc_dointvec_minmax, 912 .extra1 = &zero, 913 .extra2 = &one, 914 }, 915 #endif 916 { 917 .procname = "tcp_mtu_probing", 918 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 919 .maxlen = sizeof(int), 920 .mode = 0644, 921 .proc_handler = proc_dointvec, 922 }, 923 { 924 .procname = "tcp_base_mss", 925 .data = &init_net.ipv4.sysctl_tcp_base_mss, 926 .maxlen = sizeof(int), 927 .mode = 0644, 928 .proc_handler = proc_dointvec, 929 }, 930 { 931 .procname = "tcp_probe_threshold", 932 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 933 .maxlen = sizeof(int), 934 .mode = 0644, 935 .proc_handler = proc_dointvec, 936 }, 937 { 938 .procname = "tcp_probe_interval", 939 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 940 .maxlen = sizeof(int), 941 .mode = 0644, 942 .proc_handler = proc_dointvec, 943 }, 944 { 945 .procname = "igmp_link_local_mcast_reports", 946 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 947 .maxlen = sizeof(int), 948 .mode = 0644, 949 .proc_handler = proc_dointvec 950 }, 951 { 952 .procname = "igmp_max_memberships", 953 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 954 .maxlen = sizeof(int), 955 .mode = 0644, 956 .proc_handler = proc_dointvec 957 }, 958 { 959 .procname = "igmp_max_msf", 960 .data = &init_net.ipv4.sysctl_igmp_max_msf, 961 .maxlen = sizeof(int), 962 .mode = 0644, 963 .proc_handler = proc_dointvec 964 }, 965 #ifdef CONFIG_IP_MULTICAST 966 { 967 .procname = "igmp_qrv", 968 .data = &init_net.ipv4.sysctl_igmp_qrv, 969 .maxlen = sizeof(int), 970 .mode = 0644, 971 .proc_handler = proc_dointvec_minmax, 972 .extra1 = &one 973 }, 974 #endif 975 { 976 .procname = "tcp_keepalive_time", 977 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 978 .maxlen = sizeof(int), 979 .mode = 0644, 980 .proc_handler = proc_dointvec_jiffies, 981 }, 982 { 983 .procname = "tcp_keepalive_probes", 984 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 985 .maxlen = sizeof(int), 986 .mode = 0644, 987 .proc_handler = proc_dointvec 988 }, 989 { 990 .procname = "tcp_keepalive_intvl", 991 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 992 .maxlen = sizeof(int), 993 .mode = 0644, 994 .proc_handler = proc_dointvec_jiffies, 995 }, 996 { 997 .procname = "tcp_syn_retries", 998 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 999 .maxlen = sizeof(int), 1000 .mode = 0644, 1001 .proc_handler = proc_dointvec_minmax, 1002 .extra1 = &tcp_syn_retries_min, 1003 .extra2 = &tcp_syn_retries_max 1004 }, 1005 { 1006 .procname = "tcp_synack_retries", 1007 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 1008 .maxlen = sizeof(int), 1009 .mode = 0644, 1010 .proc_handler = proc_dointvec 1011 }, 1012 #ifdef CONFIG_SYN_COOKIES 1013 { 1014 .procname = "tcp_syncookies", 1015 .data = &init_net.ipv4.sysctl_tcp_syncookies, 1016 .maxlen = sizeof(int), 1017 .mode = 0644, 1018 .proc_handler = proc_dointvec 1019 }, 1020 #endif 1021 { 1022 .procname = "tcp_reordering", 1023 .data = &init_net.ipv4.sysctl_tcp_reordering, 1024 .maxlen = sizeof(int), 1025 .mode = 0644, 1026 .proc_handler = proc_dointvec 1027 }, 1028 { 1029 .procname = "tcp_retries1", 1030 .data = &init_net.ipv4.sysctl_tcp_retries1, 1031 .maxlen = sizeof(int), 1032 .mode = 0644, 1033 .proc_handler = proc_dointvec_minmax, 1034 .extra2 = &tcp_retr1_max 1035 }, 1036 { 1037 .procname = "tcp_retries2", 1038 .data = &init_net.ipv4.sysctl_tcp_retries2, 1039 .maxlen = sizeof(int), 1040 .mode = 0644, 1041 .proc_handler = proc_dointvec 1042 }, 1043 { 1044 .procname = "tcp_orphan_retries", 1045 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 1046 .maxlen = sizeof(int), 1047 .mode = 0644, 1048 .proc_handler = proc_dointvec 1049 }, 1050 { 1051 .procname = "tcp_fin_timeout", 1052 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 1053 .maxlen = sizeof(int), 1054 .mode = 0644, 1055 .proc_handler = proc_dointvec_jiffies, 1056 }, 1057 { 1058 .procname = "tcp_notsent_lowat", 1059 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 1060 .maxlen = sizeof(unsigned int), 1061 .mode = 0644, 1062 .proc_handler = proc_douintvec, 1063 }, 1064 { 1065 .procname = "tcp_tw_reuse", 1066 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 1067 .maxlen = sizeof(int), 1068 .mode = 0644, 1069 .proc_handler = proc_dointvec 1070 }, 1071 { 1072 .procname = "tcp_max_tw_buckets", 1073 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 1074 .maxlen = sizeof(int), 1075 .mode = 0644, 1076 .proc_handler = proc_dointvec 1077 }, 1078 { 1079 .procname = "tcp_max_syn_backlog", 1080 .data = &init_net.ipv4.sysctl_max_syn_backlog, 1081 .maxlen = sizeof(int), 1082 .mode = 0644, 1083 .proc_handler = proc_dointvec 1084 }, 1085 #ifdef CONFIG_IP_ROUTE_MULTIPATH 1086 { 1087 .procname = "fib_multipath_use_neigh", 1088 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 1089 .maxlen = sizeof(int), 1090 .mode = 0644, 1091 .proc_handler = proc_dointvec_minmax, 1092 .extra1 = &zero, 1093 .extra2 = &one, 1094 }, 1095 { 1096 .procname = "fib_multipath_hash_policy", 1097 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 1098 .maxlen = sizeof(int), 1099 .mode = 0644, 1100 .proc_handler = proc_dointvec_minmax, 1101 .extra1 = &zero, 1102 .extra2 = &one, 1103 }, 1104 #endif 1105 { 1106 .procname = "ip_unprivileged_port_start", 1107 .maxlen = sizeof(int), 1108 .data = &init_net.ipv4.sysctl_ip_prot_sock, 1109 .mode = 0644, 1110 .proc_handler = ipv4_privileged_ports, 1111 }, 1112 #ifdef CONFIG_NET_L3_MASTER_DEV 1113 { 1114 .procname = "udp_l3mdev_accept", 1115 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 1116 .maxlen = sizeof(int), 1117 .mode = 0644, 1118 .proc_handler = proc_dointvec_minmax, 1119 .extra1 = &zero, 1120 .extra2 = &one, 1121 }, 1122 #endif 1123 { 1124 .procname = "tcp_sack", 1125 .data = &init_net.ipv4.sysctl_tcp_sack, 1126 .maxlen = sizeof(int), 1127 .mode = 0644, 1128 .proc_handler = proc_dointvec 1129 }, 1130 { 1131 .procname = "tcp_window_scaling", 1132 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 1133 .maxlen = sizeof(int), 1134 .mode = 0644, 1135 .proc_handler = proc_dointvec 1136 }, 1137 { 1138 .procname = "tcp_timestamps", 1139 .data = &init_net.ipv4.sysctl_tcp_timestamps, 1140 .maxlen = sizeof(int), 1141 .mode = 0644, 1142 .proc_handler = proc_dointvec 1143 }, 1144 { } 1145 }; 1146 1147 static __net_init int ipv4_sysctl_init_net(struct net *net) 1148 { 1149 struct ctl_table *table; 1150 1151 table = ipv4_net_table; 1152 if (!net_eq(net, &init_net)) { 1153 int i; 1154 1155 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1156 if (!table) 1157 goto err_alloc; 1158 1159 /* Update the variables to point into the current struct net */ 1160 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1161 table[i].data += (void *)net - (void *)&init_net; 1162 } 1163 1164 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1165 if (!net->ipv4.ipv4_hdr) 1166 goto err_reg; 1167 1168 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1169 if (!net->ipv4.sysctl_local_reserved_ports) 1170 goto err_ports; 1171 1172 return 0; 1173 1174 err_ports: 1175 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1176 err_reg: 1177 if (!net_eq(net, &init_net)) 1178 kfree(table); 1179 err_alloc: 1180 return -ENOMEM; 1181 } 1182 1183 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1184 { 1185 struct ctl_table *table; 1186 1187 kfree(net->ipv4.sysctl_local_reserved_ports); 1188 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1189 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1190 kfree(table); 1191 } 1192 1193 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1194 .init = ipv4_sysctl_init_net, 1195 .exit = ipv4_sysctl_exit_net, 1196 }; 1197 1198 static __init int sysctl_ipv4_init(void) 1199 { 1200 struct ctl_table_header *hdr; 1201 1202 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1203 if (!hdr) 1204 return -ENOMEM; 1205 1206 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1207 unregister_net_sysctl_table(hdr); 1208 return -ENOMEM; 1209 } 1210 1211 return 0; 1212 } 1213 1214 __initcall(sysctl_ipv4_init); 1215