1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem. 4 * 5 * Begun April 1, 1996, Mike Shaver. 6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS] 7 */ 8 9 #include <linux/mm.h> 10 #include <linux/module.h> 11 #include <linux/sysctl.h> 12 #include <linux/igmp.h> 13 #include <linux/inetdevice.h> 14 #include <linux/seqlock.h> 15 #include <linux/init.h> 16 #include <linux/slab.h> 17 #include <linux/nsproxy.h> 18 #include <linux/swap.h> 19 #include <net/snmp.h> 20 #include <net/icmp.h> 21 #include <net/ip.h> 22 #include <net/route.h> 23 #include <net/tcp.h> 24 #include <net/udp.h> 25 #include <net/cipso_ipv4.h> 26 #include <net/inet_frag.h> 27 #include <net/ping.h> 28 #include <net/protocol.h> 29 #include <net/netevent.h> 30 31 static int zero; 32 static int one = 1; 33 static int two = 2; 34 static int four = 4; 35 static int thousand = 1000; 36 static int gso_max_segs = GSO_MAX_SEGS; 37 static int tcp_retr1_max = 255; 38 static int ip_local_port_range_min[] = { 1, 1 }; 39 static int ip_local_port_range_max[] = { 65535, 65535 }; 40 static int tcp_adv_win_scale_min = -31; 41 static int tcp_adv_win_scale_max = 31; 42 static int ip_privileged_port_min; 43 static int ip_privileged_port_max = 65535; 44 static int ip_ttl_min = 1; 45 static int ip_ttl_max = 255; 46 static int tcp_syn_retries_min = 1; 47 static int tcp_syn_retries_max = MAX_TCP_SYNCNT; 48 static int ip_ping_group_range_min[] = { 0, 0 }; 49 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; 50 static int comp_sack_nr_max = 255; 51 52 /* obsolete */ 53 static int sysctl_tcp_low_latency __read_mostly; 54 55 /* Update system visible IP port range */ 56 static void set_local_port_range(struct net *net, int range[2]) 57 { 58 bool same_parity = !((range[0] ^ range[1]) & 1); 59 60 write_seqlock_bh(&net->ipv4.ip_local_ports.lock); 61 if (same_parity && !net->ipv4.ip_local_ports.warned) { 62 net->ipv4.ip_local_ports.warned = true; 63 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); 64 } 65 net->ipv4.ip_local_ports.range[0] = range[0]; 66 net->ipv4.ip_local_ports.range[1] = range[1]; 67 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); 68 } 69 70 /* Validate changes from /proc interface. */ 71 static int ipv4_local_port_range(struct ctl_table *table, int write, 72 void __user *buffer, 73 size_t *lenp, loff_t *ppos) 74 { 75 struct net *net = 76 container_of(table->data, struct net, ipv4.ip_local_ports.range); 77 int ret; 78 int range[2]; 79 struct ctl_table tmp = { 80 .data = &range, 81 .maxlen = sizeof(range), 82 .mode = table->mode, 83 .extra1 = &ip_local_port_range_min, 84 .extra2 = &ip_local_port_range_max, 85 }; 86 87 inet_get_local_port_range(net, &range[0], &range[1]); 88 89 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 90 91 if (write && ret == 0) { 92 /* Ensure that the upper limit is not smaller than the lower, 93 * and that the lower does not encroach upon the privileged 94 * port limit. 95 */ 96 if ((range[1] < range[0]) || 97 (range[0] < net->ipv4.sysctl_ip_prot_sock)) 98 ret = -EINVAL; 99 else 100 set_local_port_range(net, range); 101 } 102 103 return ret; 104 } 105 106 /* Validate changes from /proc interface. */ 107 static int ipv4_privileged_ports(struct ctl_table *table, int write, 108 void __user *buffer, size_t *lenp, loff_t *ppos) 109 { 110 struct net *net = container_of(table->data, struct net, 111 ipv4.sysctl_ip_prot_sock); 112 int ret; 113 int pports; 114 int range[2]; 115 struct ctl_table tmp = { 116 .data = &pports, 117 .maxlen = sizeof(pports), 118 .mode = table->mode, 119 .extra1 = &ip_privileged_port_min, 120 .extra2 = &ip_privileged_port_max, 121 }; 122 123 pports = net->ipv4.sysctl_ip_prot_sock; 124 125 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 126 127 if (write && ret == 0) { 128 inet_get_local_port_range(net, &range[0], &range[1]); 129 /* Ensure that the local port range doesn't overlap with the 130 * privileged port range. 131 */ 132 if (range[0] < pports) 133 ret = -EINVAL; 134 else 135 net->ipv4.sysctl_ip_prot_sock = pports; 136 } 137 138 return ret; 139 } 140 141 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high) 142 { 143 kgid_t *data = table->data; 144 struct net *net = 145 container_of(table->data, struct net, ipv4.ping_group_range.range); 146 unsigned int seq; 147 do { 148 seq = read_seqbegin(&net->ipv4.ping_group_range.lock); 149 150 *low = data[0]; 151 *high = data[1]; 152 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq)); 153 } 154 155 /* Update system visible IP port range */ 156 static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high) 157 { 158 kgid_t *data = table->data; 159 struct net *net = 160 container_of(table->data, struct net, ipv4.ping_group_range.range); 161 write_seqlock(&net->ipv4.ping_group_range.lock); 162 data[0] = low; 163 data[1] = high; 164 write_sequnlock(&net->ipv4.ping_group_range.lock); 165 } 166 167 /* Validate changes from /proc interface. */ 168 static int ipv4_ping_group_range(struct ctl_table *table, int write, 169 void __user *buffer, 170 size_t *lenp, loff_t *ppos) 171 { 172 struct user_namespace *user_ns = current_user_ns(); 173 int ret; 174 gid_t urange[2]; 175 kgid_t low, high; 176 struct ctl_table tmp = { 177 .data = &urange, 178 .maxlen = sizeof(urange), 179 .mode = table->mode, 180 .extra1 = &ip_ping_group_range_min, 181 .extra2 = &ip_ping_group_range_max, 182 }; 183 184 inet_get_ping_group_range_table(table, &low, &high); 185 urange[0] = from_kgid_munged(user_ns, low); 186 urange[1] = from_kgid_munged(user_ns, high); 187 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); 188 189 if (write && ret == 0) { 190 low = make_kgid(user_ns, urange[0]); 191 high = make_kgid(user_ns, urange[1]); 192 if (!gid_valid(low) || !gid_valid(high) || 193 (urange[1] < urange[0]) || gid_lt(high, low)) { 194 low = make_kgid(&init_user_ns, 1); 195 high = make_kgid(&init_user_ns, 0); 196 } 197 set_ping_group_range(table, low, high); 198 } 199 200 return ret; 201 } 202 203 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write, 204 void __user *buffer, size_t *lenp, loff_t *ppos) 205 { 206 struct net *net = container_of(ctl->data, struct net, 207 ipv4.tcp_congestion_control); 208 char val[TCP_CA_NAME_MAX]; 209 struct ctl_table tbl = { 210 .data = val, 211 .maxlen = TCP_CA_NAME_MAX, 212 }; 213 int ret; 214 215 tcp_get_default_congestion_control(net, val); 216 217 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 218 if (write && ret == 0) 219 ret = tcp_set_default_congestion_control(net, val); 220 return ret; 221 } 222 223 static int proc_tcp_available_congestion_control(struct ctl_table *ctl, 224 int write, 225 void __user *buffer, size_t *lenp, 226 loff_t *ppos) 227 { 228 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, }; 229 int ret; 230 231 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 232 if (!tbl.data) 233 return -ENOMEM; 234 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX); 235 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 236 kfree(tbl.data); 237 return ret; 238 } 239 240 static int proc_allowed_congestion_control(struct ctl_table *ctl, 241 int write, 242 void __user *buffer, size_t *lenp, 243 loff_t *ppos) 244 { 245 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX }; 246 int ret; 247 248 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 249 if (!tbl.data) 250 return -ENOMEM; 251 252 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen); 253 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 254 if (write && ret == 0) 255 ret = tcp_set_allowed_congestion_control(tbl.data); 256 kfree(tbl.data); 257 return ret; 258 } 259 260 static int proc_tcp_fastopen_key(struct ctl_table *table, int write, 261 void __user *buffer, size_t *lenp, 262 loff_t *ppos) 263 { 264 struct net *net = container_of(table->data, struct net, 265 ipv4.sysctl_tcp_fastopen); 266 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; 267 struct tcp_fastopen_context *ctxt; 268 int ret; 269 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 270 271 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); 272 if (!tbl.data) 273 return -ENOMEM; 274 275 rcu_read_lock(); 276 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx); 277 if (ctxt) 278 memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); 279 else 280 memset(user_key, 0, sizeof(user_key)); 281 rcu_read_unlock(); 282 283 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", 284 user_key[0], user_key[1], user_key[2], user_key[3]); 285 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 286 287 if (write && ret == 0) { 288 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1, 289 user_key + 2, user_key + 3) != 4) { 290 ret = -EINVAL; 291 goto bad_key; 292 } 293 tcp_fastopen_reset_cipher(net, NULL, user_key, 294 TCP_FASTOPEN_KEY_LENGTH); 295 } 296 297 bad_key: 298 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", 299 user_key[0], user_key[1], user_key[2], user_key[3], 300 (char *)tbl.data, ret); 301 kfree(tbl.data); 302 return ret; 303 } 304 305 static void proc_configure_early_demux(int enabled, int protocol) 306 { 307 struct net_protocol *ipprot; 308 #if IS_ENABLED(CONFIG_IPV6) 309 struct inet6_protocol *ip6prot; 310 #endif 311 312 rcu_read_lock(); 313 314 ipprot = rcu_dereference(inet_protos[protocol]); 315 if (ipprot) 316 ipprot->early_demux = enabled ? ipprot->early_demux_handler : 317 NULL; 318 319 #if IS_ENABLED(CONFIG_IPV6) 320 ip6prot = rcu_dereference(inet6_protos[protocol]); 321 if (ip6prot) 322 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler : 323 NULL; 324 #endif 325 rcu_read_unlock(); 326 } 327 328 static int proc_tcp_early_demux(struct ctl_table *table, int write, 329 void __user *buffer, size_t *lenp, loff_t *ppos) 330 { 331 int ret = 0; 332 333 ret = proc_dointvec(table, write, buffer, lenp, ppos); 334 335 if (write && !ret) { 336 int enabled = init_net.ipv4.sysctl_tcp_early_demux; 337 338 proc_configure_early_demux(enabled, IPPROTO_TCP); 339 } 340 341 return ret; 342 } 343 344 static int proc_udp_early_demux(struct ctl_table *table, int write, 345 void __user *buffer, size_t *lenp, loff_t *ppos) 346 { 347 int ret = 0; 348 349 ret = proc_dointvec(table, write, buffer, lenp, ppos); 350 351 if (write && !ret) { 352 int enabled = init_net.ipv4.sysctl_udp_early_demux; 353 354 proc_configure_early_demux(enabled, IPPROTO_UDP); 355 } 356 357 return ret; 358 } 359 360 static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table, 361 int write, 362 void __user *buffer, 363 size_t *lenp, loff_t *ppos) 364 { 365 struct net *net = container_of(table->data, struct net, 366 ipv4.sysctl_tcp_fastopen_blackhole_timeout); 367 int ret; 368 369 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 370 if (write && ret == 0) 371 atomic_set(&net->ipv4.tfo_active_disable_times, 0); 372 373 return ret; 374 } 375 376 static int proc_tcp_available_ulp(struct ctl_table *ctl, 377 int write, 378 void __user *buffer, size_t *lenp, 379 loff_t *ppos) 380 { 381 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, }; 382 int ret; 383 384 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 385 if (!tbl.data) 386 return -ENOMEM; 387 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX); 388 ret = proc_dostring(&tbl, write, buffer, lenp, ppos); 389 kfree(tbl.data); 390 391 return ret; 392 } 393 394 #ifdef CONFIG_IP_ROUTE_MULTIPATH 395 static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write, 396 void __user *buffer, size_t *lenp, 397 loff_t *ppos) 398 { 399 struct net *net = container_of(table->data, struct net, 400 ipv4.sysctl_fib_multipath_hash_policy); 401 int ret; 402 403 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 404 if (write && ret == 0) 405 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net); 406 407 return ret; 408 } 409 #endif 410 411 static struct ctl_table ipv4_table[] = { 412 { 413 .procname = "tcp_max_orphans", 414 .data = &sysctl_tcp_max_orphans, 415 .maxlen = sizeof(int), 416 .mode = 0644, 417 .proc_handler = proc_dointvec 418 }, 419 { 420 .procname = "inet_peer_threshold", 421 .data = &inet_peer_threshold, 422 .maxlen = sizeof(int), 423 .mode = 0644, 424 .proc_handler = proc_dointvec 425 }, 426 { 427 .procname = "inet_peer_minttl", 428 .data = &inet_peer_minttl, 429 .maxlen = sizeof(int), 430 .mode = 0644, 431 .proc_handler = proc_dointvec_jiffies, 432 }, 433 { 434 .procname = "inet_peer_maxttl", 435 .data = &inet_peer_maxttl, 436 .maxlen = sizeof(int), 437 .mode = 0644, 438 .proc_handler = proc_dointvec_jiffies, 439 }, 440 { 441 .procname = "tcp_mem", 442 .maxlen = sizeof(sysctl_tcp_mem), 443 .data = &sysctl_tcp_mem, 444 .mode = 0644, 445 .proc_handler = proc_doulongvec_minmax, 446 }, 447 { 448 .procname = "tcp_low_latency", 449 .data = &sysctl_tcp_low_latency, 450 .maxlen = sizeof(int), 451 .mode = 0644, 452 .proc_handler = proc_dointvec 453 }, 454 #ifdef CONFIG_NETLABEL 455 { 456 .procname = "cipso_cache_enable", 457 .data = &cipso_v4_cache_enabled, 458 .maxlen = sizeof(int), 459 .mode = 0644, 460 .proc_handler = proc_dointvec, 461 }, 462 { 463 .procname = "cipso_cache_bucket_size", 464 .data = &cipso_v4_cache_bucketsize, 465 .maxlen = sizeof(int), 466 .mode = 0644, 467 .proc_handler = proc_dointvec, 468 }, 469 { 470 .procname = "cipso_rbm_optfmt", 471 .data = &cipso_v4_rbm_optfmt, 472 .maxlen = sizeof(int), 473 .mode = 0644, 474 .proc_handler = proc_dointvec, 475 }, 476 { 477 .procname = "cipso_rbm_strictvalid", 478 .data = &cipso_v4_rbm_strictvalid, 479 .maxlen = sizeof(int), 480 .mode = 0644, 481 .proc_handler = proc_dointvec, 482 }, 483 #endif /* CONFIG_NETLABEL */ 484 { 485 .procname = "tcp_available_congestion_control", 486 .maxlen = TCP_CA_BUF_MAX, 487 .mode = 0444, 488 .proc_handler = proc_tcp_available_congestion_control, 489 }, 490 { 491 .procname = "tcp_allowed_congestion_control", 492 .maxlen = TCP_CA_BUF_MAX, 493 .mode = 0644, 494 .proc_handler = proc_allowed_congestion_control, 495 }, 496 { 497 .procname = "tcp_available_ulp", 498 .maxlen = TCP_ULP_BUF_MAX, 499 .mode = 0444, 500 .proc_handler = proc_tcp_available_ulp, 501 }, 502 { 503 .procname = "icmp_msgs_per_sec", 504 .data = &sysctl_icmp_msgs_per_sec, 505 .maxlen = sizeof(int), 506 .mode = 0644, 507 .proc_handler = proc_dointvec_minmax, 508 .extra1 = &zero, 509 }, 510 { 511 .procname = "icmp_msgs_burst", 512 .data = &sysctl_icmp_msgs_burst, 513 .maxlen = sizeof(int), 514 .mode = 0644, 515 .proc_handler = proc_dointvec_minmax, 516 .extra1 = &zero, 517 }, 518 { 519 .procname = "udp_mem", 520 .data = &sysctl_udp_mem, 521 .maxlen = sizeof(sysctl_udp_mem), 522 .mode = 0644, 523 .proc_handler = proc_doulongvec_minmax, 524 }, 525 { } 526 }; 527 528 static struct ctl_table ipv4_net_table[] = { 529 { 530 .procname = "icmp_echo_ignore_all", 531 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, 532 .maxlen = sizeof(int), 533 .mode = 0644, 534 .proc_handler = proc_dointvec 535 }, 536 { 537 .procname = "icmp_echo_ignore_broadcasts", 538 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts, 539 .maxlen = sizeof(int), 540 .mode = 0644, 541 .proc_handler = proc_dointvec 542 }, 543 { 544 .procname = "icmp_ignore_bogus_error_responses", 545 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses, 546 .maxlen = sizeof(int), 547 .mode = 0644, 548 .proc_handler = proc_dointvec 549 }, 550 { 551 .procname = "icmp_errors_use_inbound_ifaddr", 552 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr, 553 .maxlen = sizeof(int), 554 .mode = 0644, 555 .proc_handler = proc_dointvec 556 }, 557 { 558 .procname = "icmp_ratelimit", 559 .data = &init_net.ipv4.sysctl_icmp_ratelimit, 560 .maxlen = sizeof(int), 561 .mode = 0644, 562 .proc_handler = proc_dointvec_ms_jiffies, 563 }, 564 { 565 .procname = "icmp_ratemask", 566 .data = &init_net.ipv4.sysctl_icmp_ratemask, 567 .maxlen = sizeof(int), 568 .mode = 0644, 569 .proc_handler = proc_dointvec 570 }, 571 { 572 .procname = "ping_group_range", 573 .data = &init_net.ipv4.ping_group_range.range, 574 .maxlen = sizeof(gid_t)*2, 575 .mode = 0644, 576 .proc_handler = ipv4_ping_group_range, 577 }, 578 { 579 .procname = "tcp_ecn", 580 .data = &init_net.ipv4.sysctl_tcp_ecn, 581 .maxlen = sizeof(int), 582 .mode = 0644, 583 .proc_handler = proc_dointvec 584 }, 585 { 586 .procname = "tcp_ecn_fallback", 587 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback, 588 .maxlen = sizeof(int), 589 .mode = 0644, 590 .proc_handler = proc_dointvec 591 }, 592 { 593 .procname = "ip_dynaddr", 594 .data = &init_net.ipv4.sysctl_ip_dynaddr, 595 .maxlen = sizeof(int), 596 .mode = 0644, 597 .proc_handler = proc_dointvec 598 }, 599 { 600 .procname = "ip_early_demux", 601 .data = &init_net.ipv4.sysctl_ip_early_demux, 602 .maxlen = sizeof(int), 603 .mode = 0644, 604 .proc_handler = proc_dointvec 605 }, 606 { 607 .procname = "udp_early_demux", 608 .data = &init_net.ipv4.sysctl_udp_early_demux, 609 .maxlen = sizeof(int), 610 .mode = 0644, 611 .proc_handler = proc_udp_early_demux 612 }, 613 { 614 .procname = "tcp_early_demux", 615 .data = &init_net.ipv4.sysctl_tcp_early_demux, 616 .maxlen = sizeof(int), 617 .mode = 0644, 618 .proc_handler = proc_tcp_early_demux 619 }, 620 { 621 .procname = "ip_default_ttl", 622 .data = &init_net.ipv4.sysctl_ip_default_ttl, 623 .maxlen = sizeof(int), 624 .mode = 0644, 625 .proc_handler = proc_dointvec_minmax, 626 .extra1 = &ip_ttl_min, 627 .extra2 = &ip_ttl_max, 628 }, 629 { 630 .procname = "ip_local_port_range", 631 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range), 632 .data = &init_net.ipv4.ip_local_ports.range, 633 .mode = 0644, 634 .proc_handler = ipv4_local_port_range, 635 }, 636 { 637 .procname = "ip_local_reserved_ports", 638 .data = &init_net.ipv4.sysctl_local_reserved_ports, 639 .maxlen = 65536, 640 .mode = 0644, 641 .proc_handler = proc_do_large_bitmap, 642 }, 643 { 644 .procname = "ip_no_pmtu_disc", 645 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc, 646 .maxlen = sizeof(int), 647 .mode = 0644, 648 .proc_handler = proc_dointvec 649 }, 650 { 651 .procname = "ip_forward_use_pmtu", 652 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu, 653 .maxlen = sizeof(int), 654 .mode = 0644, 655 .proc_handler = proc_dointvec, 656 }, 657 { 658 .procname = "ip_nonlocal_bind", 659 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind, 660 .maxlen = sizeof(int), 661 .mode = 0644, 662 .proc_handler = proc_dointvec 663 }, 664 { 665 .procname = "fwmark_reflect", 666 .data = &init_net.ipv4.sysctl_fwmark_reflect, 667 .maxlen = sizeof(int), 668 .mode = 0644, 669 .proc_handler = proc_dointvec, 670 }, 671 { 672 .procname = "tcp_fwmark_accept", 673 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept, 674 .maxlen = sizeof(int), 675 .mode = 0644, 676 .proc_handler = proc_dointvec, 677 }, 678 #ifdef CONFIG_NET_L3_MASTER_DEV 679 { 680 .procname = "tcp_l3mdev_accept", 681 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept, 682 .maxlen = sizeof(int), 683 .mode = 0644, 684 .proc_handler = proc_dointvec_minmax, 685 .extra1 = &zero, 686 .extra2 = &one, 687 }, 688 #endif 689 { 690 .procname = "tcp_mtu_probing", 691 .data = &init_net.ipv4.sysctl_tcp_mtu_probing, 692 .maxlen = sizeof(int), 693 .mode = 0644, 694 .proc_handler = proc_dointvec, 695 }, 696 { 697 .procname = "tcp_base_mss", 698 .data = &init_net.ipv4.sysctl_tcp_base_mss, 699 .maxlen = sizeof(int), 700 .mode = 0644, 701 .proc_handler = proc_dointvec, 702 }, 703 { 704 .procname = "tcp_probe_threshold", 705 .data = &init_net.ipv4.sysctl_tcp_probe_threshold, 706 .maxlen = sizeof(int), 707 .mode = 0644, 708 .proc_handler = proc_dointvec, 709 }, 710 { 711 .procname = "tcp_probe_interval", 712 .data = &init_net.ipv4.sysctl_tcp_probe_interval, 713 .maxlen = sizeof(int), 714 .mode = 0644, 715 .proc_handler = proc_dointvec, 716 }, 717 { 718 .procname = "igmp_link_local_mcast_reports", 719 .data = &init_net.ipv4.sysctl_igmp_llm_reports, 720 .maxlen = sizeof(int), 721 .mode = 0644, 722 .proc_handler = proc_dointvec 723 }, 724 { 725 .procname = "igmp_max_memberships", 726 .data = &init_net.ipv4.sysctl_igmp_max_memberships, 727 .maxlen = sizeof(int), 728 .mode = 0644, 729 .proc_handler = proc_dointvec 730 }, 731 { 732 .procname = "igmp_max_msf", 733 .data = &init_net.ipv4.sysctl_igmp_max_msf, 734 .maxlen = sizeof(int), 735 .mode = 0644, 736 .proc_handler = proc_dointvec 737 }, 738 #ifdef CONFIG_IP_MULTICAST 739 { 740 .procname = "igmp_qrv", 741 .data = &init_net.ipv4.sysctl_igmp_qrv, 742 .maxlen = sizeof(int), 743 .mode = 0644, 744 .proc_handler = proc_dointvec_minmax, 745 .extra1 = &one 746 }, 747 #endif 748 { 749 .procname = "tcp_congestion_control", 750 .data = &init_net.ipv4.tcp_congestion_control, 751 .mode = 0644, 752 .maxlen = TCP_CA_NAME_MAX, 753 .proc_handler = proc_tcp_congestion_control, 754 }, 755 { 756 .procname = "tcp_keepalive_time", 757 .data = &init_net.ipv4.sysctl_tcp_keepalive_time, 758 .maxlen = sizeof(int), 759 .mode = 0644, 760 .proc_handler = proc_dointvec_jiffies, 761 }, 762 { 763 .procname = "tcp_keepalive_probes", 764 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes, 765 .maxlen = sizeof(int), 766 .mode = 0644, 767 .proc_handler = proc_dointvec 768 }, 769 { 770 .procname = "tcp_keepalive_intvl", 771 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl, 772 .maxlen = sizeof(int), 773 .mode = 0644, 774 .proc_handler = proc_dointvec_jiffies, 775 }, 776 { 777 .procname = "tcp_syn_retries", 778 .data = &init_net.ipv4.sysctl_tcp_syn_retries, 779 .maxlen = sizeof(int), 780 .mode = 0644, 781 .proc_handler = proc_dointvec_minmax, 782 .extra1 = &tcp_syn_retries_min, 783 .extra2 = &tcp_syn_retries_max 784 }, 785 { 786 .procname = "tcp_synack_retries", 787 .data = &init_net.ipv4.sysctl_tcp_synack_retries, 788 .maxlen = sizeof(int), 789 .mode = 0644, 790 .proc_handler = proc_dointvec 791 }, 792 #ifdef CONFIG_SYN_COOKIES 793 { 794 .procname = "tcp_syncookies", 795 .data = &init_net.ipv4.sysctl_tcp_syncookies, 796 .maxlen = sizeof(int), 797 .mode = 0644, 798 .proc_handler = proc_dointvec 799 }, 800 #endif 801 { 802 .procname = "tcp_reordering", 803 .data = &init_net.ipv4.sysctl_tcp_reordering, 804 .maxlen = sizeof(int), 805 .mode = 0644, 806 .proc_handler = proc_dointvec 807 }, 808 { 809 .procname = "tcp_retries1", 810 .data = &init_net.ipv4.sysctl_tcp_retries1, 811 .maxlen = sizeof(int), 812 .mode = 0644, 813 .proc_handler = proc_dointvec_minmax, 814 .extra2 = &tcp_retr1_max 815 }, 816 { 817 .procname = "tcp_retries2", 818 .data = &init_net.ipv4.sysctl_tcp_retries2, 819 .maxlen = sizeof(int), 820 .mode = 0644, 821 .proc_handler = proc_dointvec 822 }, 823 { 824 .procname = "tcp_orphan_retries", 825 .data = &init_net.ipv4.sysctl_tcp_orphan_retries, 826 .maxlen = sizeof(int), 827 .mode = 0644, 828 .proc_handler = proc_dointvec 829 }, 830 { 831 .procname = "tcp_fin_timeout", 832 .data = &init_net.ipv4.sysctl_tcp_fin_timeout, 833 .maxlen = sizeof(int), 834 .mode = 0644, 835 .proc_handler = proc_dointvec_jiffies, 836 }, 837 { 838 .procname = "tcp_notsent_lowat", 839 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat, 840 .maxlen = sizeof(unsigned int), 841 .mode = 0644, 842 .proc_handler = proc_douintvec, 843 }, 844 { 845 .procname = "tcp_tw_reuse", 846 .data = &init_net.ipv4.sysctl_tcp_tw_reuse, 847 .maxlen = sizeof(int), 848 .mode = 0644, 849 .proc_handler = proc_dointvec_minmax, 850 .extra1 = &zero, 851 .extra2 = &two, 852 }, 853 { 854 .procname = "tcp_max_tw_buckets", 855 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets, 856 .maxlen = sizeof(int), 857 .mode = 0644, 858 .proc_handler = proc_dointvec 859 }, 860 { 861 .procname = "tcp_max_syn_backlog", 862 .data = &init_net.ipv4.sysctl_max_syn_backlog, 863 .maxlen = sizeof(int), 864 .mode = 0644, 865 .proc_handler = proc_dointvec 866 }, 867 { 868 .procname = "tcp_fastopen", 869 .data = &init_net.ipv4.sysctl_tcp_fastopen, 870 .maxlen = sizeof(int), 871 .mode = 0644, 872 .proc_handler = proc_dointvec, 873 }, 874 { 875 .procname = "tcp_fastopen_key", 876 .mode = 0600, 877 .data = &init_net.ipv4.sysctl_tcp_fastopen, 878 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10), 879 .proc_handler = proc_tcp_fastopen_key, 880 }, 881 { 882 .procname = "tcp_fastopen_blackhole_timeout_sec", 883 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout, 884 .maxlen = sizeof(int), 885 .mode = 0644, 886 .proc_handler = proc_tfo_blackhole_detect_timeout, 887 .extra1 = &zero, 888 }, 889 #ifdef CONFIG_IP_ROUTE_MULTIPATH 890 { 891 .procname = "fib_multipath_use_neigh", 892 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh, 893 .maxlen = sizeof(int), 894 .mode = 0644, 895 .proc_handler = proc_dointvec_minmax, 896 .extra1 = &zero, 897 .extra2 = &one, 898 }, 899 { 900 .procname = "fib_multipath_hash_policy", 901 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy, 902 .maxlen = sizeof(int), 903 .mode = 0644, 904 .proc_handler = proc_fib_multipath_hash_policy, 905 .extra1 = &zero, 906 .extra2 = &one, 907 }, 908 #endif 909 { 910 .procname = "ip_unprivileged_port_start", 911 .maxlen = sizeof(int), 912 .data = &init_net.ipv4.sysctl_ip_prot_sock, 913 .mode = 0644, 914 .proc_handler = ipv4_privileged_ports, 915 }, 916 #ifdef CONFIG_NET_L3_MASTER_DEV 917 { 918 .procname = "udp_l3mdev_accept", 919 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept, 920 .maxlen = sizeof(int), 921 .mode = 0644, 922 .proc_handler = proc_dointvec_minmax, 923 .extra1 = &zero, 924 .extra2 = &one, 925 }, 926 #endif 927 { 928 .procname = "tcp_sack", 929 .data = &init_net.ipv4.sysctl_tcp_sack, 930 .maxlen = sizeof(int), 931 .mode = 0644, 932 .proc_handler = proc_dointvec 933 }, 934 { 935 .procname = "tcp_window_scaling", 936 .data = &init_net.ipv4.sysctl_tcp_window_scaling, 937 .maxlen = sizeof(int), 938 .mode = 0644, 939 .proc_handler = proc_dointvec 940 }, 941 { 942 .procname = "tcp_timestamps", 943 .data = &init_net.ipv4.sysctl_tcp_timestamps, 944 .maxlen = sizeof(int), 945 .mode = 0644, 946 .proc_handler = proc_dointvec 947 }, 948 { 949 .procname = "tcp_early_retrans", 950 .data = &init_net.ipv4.sysctl_tcp_early_retrans, 951 .maxlen = sizeof(int), 952 .mode = 0644, 953 .proc_handler = proc_dointvec_minmax, 954 .extra1 = &zero, 955 .extra2 = &four, 956 }, 957 { 958 .procname = "tcp_recovery", 959 .data = &init_net.ipv4.sysctl_tcp_recovery, 960 .maxlen = sizeof(int), 961 .mode = 0644, 962 .proc_handler = proc_dointvec, 963 }, 964 { 965 .procname = "tcp_thin_linear_timeouts", 966 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts, 967 .maxlen = sizeof(int), 968 .mode = 0644, 969 .proc_handler = proc_dointvec 970 }, 971 { 972 .procname = "tcp_slow_start_after_idle", 973 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle, 974 .maxlen = sizeof(int), 975 .mode = 0644, 976 .proc_handler = proc_dointvec 977 }, 978 { 979 .procname = "tcp_retrans_collapse", 980 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse, 981 .maxlen = sizeof(int), 982 .mode = 0644, 983 .proc_handler = proc_dointvec 984 }, 985 { 986 .procname = "tcp_stdurg", 987 .data = &init_net.ipv4.sysctl_tcp_stdurg, 988 .maxlen = sizeof(int), 989 .mode = 0644, 990 .proc_handler = proc_dointvec 991 }, 992 { 993 .procname = "tcp_rfc1337", 994 .data = &init_net.ipv4.sysctl_tcp_rfc1337, 995 .maxlen = sizeof(int), 996 .mode = 0644, 997 .proc_handler = proc_dointvec 998 }, 999 { 1000 .procname = "tcp_abort_on_overflow", 1001 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow, 1002 .maxlen = sizeof(int), 1003 .mode = 0644, 1004 .proc_handler = proc_dointvec 1005 }, 1006 { 1007 .procname = "tcp_fack", 1008 .data = &init_net.ipv4.sysctl_tcp_fack, 1009 .maxlen = sizeof(int), 1010 .mode = 0644, 1011 .proc_handler = proc_dointvec 1012 }, 1013 { 1014 .procname = "tcp_max_reordering", 1015 .data = &init_net.ipv4.sysctl_tcp_max_reordering, 1016 .maxlen = sizeof(int), 1017 .mode = 0644, 1018 .proc_handler = proc_dointvec 1019 }, 1020 { 1021 .procname = "tcp_dsack", 1022 .data = &init_net.ipv4.sysctl_tcp_dsack, 1023 .maxlen = sizeof(int), 1024 .mode = 0644, 1025 .proc_handler = proc_dointvec 1026 }, 1027 { 1028 .procname = "tcp_app_win", 1029 .data = &init_net.ipv4.sysctl_tcp_app_win, 1030 .maxlen = sizeof(int), 1031 .mode = 0644, 1032 .proc_handler = proc_dointvec 1033 }, 1034 { 1035 .procname = "tcp_adv_win_scale", 1036 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale, 1037 .maxlen = sizeof(int), 1038 .mode = 0644, 1039 .proc_handler = proc_dointvec_minmax, 1040 .extra1 = &tcp_adv_win_scale_min, 1041 .extra2 = &tcp_adv_win_scale_max, 1042 }, 1043 { 1044 .procname = "tcp_frto", 1045 .data = &init_net.ipv4.sysctl_tcp_frto, 1046 .maxlen = sizeof(int), 1047 .mode = 0644, 1048 .proc_handler = proc_dointvec 1049 }, 1050 { 1051 .procname = "tcp_no_metrics_save", 1052 .data = &init_net.ipv4.sysctl_tcp_nometrics_save, 1053 .maxlen = sizeof(int), 1054 .mode = 0644, 1055 .proc_handler = proc_dointvec, 1056 }, 1057 { 1058 .procname = "tcp_moderate_rcvbuf", 1059 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf, 1060 .maxlen = sizeof(int), 1061 .mode = 0644, 1062 .proc_handler = proc_dointvec, 1063 }, 1064 { 1065 .procname = "tcp_tso_win_divisor", 1066 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor, 1067 .maxlen = sizeof(int), 1068 .mode = 0644, 1069 .proc_handler = proc_dointvec, 1070 }, 1071 { 1072 .procname = "tcp_workaround_signed_windows", 1073 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows, 1074 .maxlen = sizeof(int), 1075 .mode = 0644, 1076 .proc_handler = proc_dointvec 1077 }, 1078 { 1079 .procname = "tcp_limit_output_bytes", 1080 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes, 1081 .maxlen = sizeof(int), 1082 .mode = 0644, 1083 .proc_handler = proc_dointvec 1084 }, 1085 { 1086 .procname = "tcp_challenge_ack_limit", 1087 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit, 1088 .maxlen = sizeof(int), 1089 .mode = 0644, 1090 .proc_handler = proc_dointvec 1091 }, 1092 { 1093 .procname = "tcp_min_tso_segs", 1094 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs, 1095 .maxlen = sizeof(int), 1096 .mode = 0644, 1097 .proc_handler = proc_dointvec_minmax, 1098 .extra1 = &one, 1099 .extra2 = &gso_max_segs, 1100 }, 1101 { 1102 .procname = "tcp_min_rtt_wlen", 1103 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, 1104 .maxlen = sizeof(int), 1105 .mode = 0644, 1106 .proc_handler = proc_dointvec 1107 }, 1108 { 1109 .procname = "tcp_autocorking", 1110 .data = &init_net.ipv4.sysctl_tcp_autocorking, 1111 .maxlen = sizeof(int), 1112 .mode = 0644, 1113 .proc_handler = proc_dointvec_minmax, 1114 .extra1 = &zero, 1115 .extra2 = &one, 1116 }, 1117 { 1118 .procname = "tcp_invalid_ratelimit", 1119 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit, 1120 .maxlen = sizeof(int), 1121 .mode = 0644, 1122 .proc_handler = proc_dointvec_ms_jiffies, 1123 }, 1124 { 1125 .procname = "tcp_pacing_ss_ratio", 1126 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio, 1127 .maxlen = sizeof(int), 1128 .mode = 0644, 1129 .proc_handler = proc_dointvec_minmax, 1130 .extra1 = &zero, 1131 .extra2 = &thousand, 1132 }, 1133 { 1134 .procname = "tcp_pacing_ca_ratio", 1135 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio, 1136 .maxlen = sizeof(int), 1137 .mode = 0644, 1138 .proc_handler = proc_dointvec_minmax, 1139 .extra1 = &zero, 1140 .extra2 = &thousand, 1141 }, 1142 { 1143 .procname = "tcp_wmem", 1144 .data = &init_net.ipv4.sysctl_tcp_wmem, 1145 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem), 1146 .mode = 0644, 1147 .proc_handler = proc_dointvec_minmax, 1148 .extra1 = &one, 1149 }, 1150 { 1151 .procname = "tcp_rmem", 1152 .data = &init_net.ipv4.sysctl_tcp_rmem, 1153 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem), 1154 .mode = 0644, 1155 .proc_handler = proc_dointvec_minmax, 1156 .extra1 = &one, 1157 }, 1158 { 1159 .procname = "tcp_comp_sack_delay_ns", 1160 .data = &init_net.ipv4.sysctl_tcp_comp_sack_delay_ns, 1161 .maxlen = sizeof(unsigned long), 1162 .mode = 0644, 1163 .proc_handler = proc_doulongvec_minmax, 1164 }, 1165 { 1166 .procname = "tcp_comp_sack_nr", 1167 .data = &init_net.ipv4.sysctl_tcp_comp_sack_nr, 1168 .maxlen = sizeof(int), 1169 .mode = 0644, 1170 .proc_handler = proc_dointvec_minmax, 1171 .extra1 = &zero, 1172 .extra2 = &comp_sack_nr_max, 1173 }, 1174 { 1175 .procname = "udp_rmem_min", 1176 .data = &init_net.ipv4.sysctl_udp_rmem_min, 1177 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min), 1178 .mode = 0644, 1179 .proc_handler = proc_dointvec_minmax, 1180 .extra1 = &one 1181 }, 1182 { 1183 .procname = "udp_wmem_min", 1184 .data = &init_net.ipv4.sysctl_udp_wmem_min, 1185 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min), 1186 .mode = 0644, 1187 .proc_handler = proc_dointvec_minmax, 1188 .extra1 = &one 1189 }, 1190 { } 1191 }; 1192 1193 static __net_init int ipv4_sysctl_init_net(struct net *net) 1194 { 1195 struct ctl_table *table; 1196 1197 table = ipv4_net_table; 1198 if (!net_eq(net, &init_net)) { 1199 int i; 1200 1201 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL); 1202 if (!table) 1203 goto err_alloc; 1204 1205 /* Update the variables to point into the current struct net */ 1206 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1207 table[i].data += (void *)net - (void *)&init_net; 1208 } 1209 1210 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table); 1211 if (!net->ipv4.ipv4_hdr) 1212 goto err_reg; 1213 1214 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL); 1215 if (!net->ipv4.sysctl_local_reserved_ports) 1216 goto err_ports; 1217 1218 return 0; 1219 1220 err_ports: 1221 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1222 err_reg: 1223 if (!net_eq(net, &init_net)) 1224 kfree(table); 1225 err_alloc: 1226 return -ENOMEM; 1227 } 1228 1229 static __net_exit void ipv4_sysctl_exit_net(struct net *net) 1230 { 1231 struct ctl_table *table; 1232 1233 kfree(net->ipv4.sysctl_local_reserved_ports); 1234 table = net->ipv4.ipv4_hdr->ctl_table_arg; 1235 unregister_net_sysctl_table(net->ipv4.ipv4_hdr); 1236 kfree(table); 1237 } 1238 1239 static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 1240 .init = ipv4_sysctl_init_net, 1241 .exit = ipv4_sysctl_exit_net, 1242 }; 1243 1244 static __init int sysctl_ipv4_init(void) 1245 { 1246 struct ctl_table_header *hdr; 1247 1248 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); 1249 if (!hdr) 1250 return -ENOMEM; 1251 1252 if (register_pernet_subsys(&ipv4_sysctl_ops)) { 1253 unregister_net_sysctl_table(hdr); 1254 return -ENOMEM; 1255 } 1256 1257 return 0; 1258 } 1259 1260 __initcall(sysctl_ipv4_init); 1261