1// SPDX-License-Identifier: GPL-2.0
2/*
3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem.
4 *
5 * Begun April 1, 1996, Mike Shaver.
6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS]
7 */
8
9#include <linux/mm.h>
10#include <linux/module.h>
11#include <linux/sysctl.h>
12#include <linux/igmp.h>
13#include <linux/inetdevice.h>
14#include <linux/seqlock.h>
15#include <linux/init.h>
16#include <linux/slab.h>
17#include <linux/nsproxy.h>
18#include <linux/swap.h>
19#include <net/snmp.h>
20#include <net/icmp.h>
21#include <net/ip.h>
22#include <net/route.h>
23#include <net/tcp.h>
24#include <net/udp.h>
25#include <net/cipso_ipv4.h>
26#include <net/inet_frag.h>
27#include <net/ping.h>
28#include <net/protocol.h>
29#include <net/netevent.h>
30
31static int zero;
32static int one = 1;
33static int two = 2;
34static int four = 4;
35static int thousand = 1000;
36static int gso_max_segs = GSO_MAX_SEGS;
37static int tcp_retr1_max = 255;
38static int ip_local_port_range_min[] = { 1, 1 };
39static int ip_local_port_range_max[] = { 65535, 65535 };
40static int tcp_adv_win_scale_min = -31;
41static int tcp_adv_win_scale_max = 31;
42static int ip_privileged_port_min;
43static int ip_privileged_port_max = 65535;
44static int ip_ttl_min = 1;
45static int ip_ttl_max = 255;
46static int tcp_syn_retries_min = 1;
47static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
48static int ip_ping_group_range_min[] = { 0, 0 };
49static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
50static int comp_sack_nr_max = 255;
51
52/* obsolete */
53static int sysctl_tcp_low_latency __read_mostly;
54
55/* Update system visible IP port range */
56static void set_local_port_range(struct net *net, int range[2])
57{
58 bool same_parity = !((range[0] ^ range[1]) & 1);
59
60 write_seqlock_bh(&net->ipv4.ip_local_ports.lock);
61 if (same_parity && !net->ipv4.ip_local_ports.warned) {
62 net->ipv4.ip_local_ports.warned = true;
63 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n");
64 }
65 net->ipv4.ip_local_ports.range[0] = range[0];
66 net->ipv4.ip_local_ports.range[1] = range[1];
67 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock);
68}
69
70/* Validate changes from /proc interface. */
71static int ipv4_local_port_range(struct ctl_table *table, int write,
72 void __user *buffer,
73 size_t *lenp, loff_t *ppos)
74{
75 struct net *net =
76 container_of(table->data, struct net, ipv4.ip_local_ports.range);
77 int ret;
78 int range[2];
79 struct ctl_table tmp = {
80 .data = &range,
81 .maxlen = sizeof(range),
82 .mode = table->mode,
83 .extra1 = &ip_local_port_range_min,
84 .extra2 = &ip_local_port_range_max,
85 };
86
87 inet_get_local_port_range(net, &range[0], &range[1]);
88
89 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
90
91 if (write && ret == 0) {
92 /* Ensure that the upper limit is not smaller than the lower,
93 * and that the lower does not encroach upon the privileged
94 * port limit.
95 */
96 if ((range[1] < range[0]) ||
97 (range[0] < net->ipv4.sysctl_ip_prot_sock))
98 ret = -EINVAL;
99 else
100 set_local_port_range(net, range);
101 }
102
103 return ret;
104}
105
106/* Validate changes from /proc interface. */
107static int ipv4_privileged_ports(struct ctl_table *table, int write,
108 void __user *buffer, size_t *lenp, loff_t *ppos)
109{
110 struct net *net = container_of(table->data, struct net,
111 ipv4.sysctl_ip_prot_sock);
112 int ret;
113 int pports;
114 int range[2];
115 struct ctl_table tmp = {
116 .data = &pports,
117 .maxlen = sizeof(pports),
118 .mode = table->mode,
119 .extra1 = &ip_privileged_port_min,
120 .extra2 = &ip_privileged_port_max,
121 };
122
123 pports = net->ipv4.sysctl_ip_prot_sock;
124
125 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
126
127 if (write && ret == 0) {
128 inet_get_local_port_range(net, &range[0], &range[1]);
129 /* Ensure that the local port range doesn't overlap with the
130 * privileged port range.
131 */
132 if (range[0] < pports)
133 ret = -EINVAL;
134 else
135 net->ipv4.sysctl_ip_prot_sock = pports;
136 }
137
138 return ret;
139}
140
141static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high)
142{
143 kgid_t *data = table->data;
144 struct net *net =
145 container_of(table->data, struct net, ipv4.ping_group_range.range);
146 unsigned int seq;
147 do {
148 seq = read_seqbegin(&net->ipv4.ping_group_range.lock);
149
150 *low = data[0];
151 *high = data[1];
152 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq));
153}
154
155/* Update system visible IP port range */
156static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high)
157{
158 kgid_t *data = table->data;
159 struct net *net =
160 container_of(table->data, struct net, ipv4.ping_group_range.range);
161 write_seqlock(&net->ipv4.ping_group_range.lock);
162 data[0] = low;
163 data[1] = high;
164 write_sequnlock(&net->ipv4.ping_group_range.lock);
165}
166
167/* Validate changes from /proc interface. */
168static int ipv4_ping_group_range(struct ctl_table *table, int write,
169 void __user *buffer,
170 size_t *lenp, loff_t *ppos)
171{
172 struct user_namespace *user_ns = current_user_ns();
173 int ret;
174 gid_t urange[2];
175 kgid_t low, high;
176 struct ctl_table tmp = {
177 .data = &urange,
178 .maxlen = sizeof(urange),
179 .mode = table->mode,
180 .extra1 = &ip_ping_group_range_min,
181 .extra2 = &ip_ping_group_range_max,
182 };
183
184 inet_get_ping_group_range_table(table, &low, &high);
185 urange[0] = from_kgid_munged(user_ns, low);
186 urange[1] = from_kgid_munged(user_ns, high);
187 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
188
189 if (write && ret == 0) {
190 low = make_kgid(user_ns, urange[0]);
191 high = make_kgid(user_ns, urange[1]);
192 if (!gid_valid(low) || !gid_valid(high))
193 return -EINVAL;
194 if (urange[1] < urange[0] || gid_lt(high, low)) {
195 low = make_kgid(&init_user_ns, 1);
196 high = make_kgid(&init_user_ns, 0);
197 }
198 set_ping_group_range(table, low, high);
199 }
200
201 return ret;
202}
203
204static int ipv4_fwd_update_priority(struct ctl_table *table, int write,
205 void __user *buffer,
206 size_t *lenp, loff_t *ppos)
207{
208 struct net *net;
209 int ret;
210
211 net = container_of(table->data, struct net,
212 ipv4.sysctl_ip_fwd_update_priority);
213 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
214 if (write && ret == 0)
215 call_netevent_notifiers(NETEVENT_IPV4_FWD_UPDATE_PRIORITY_UPDATE,
216 net);
217
218 return ret;
219}
220
221static int proc_tcp_congestion_control(struct ctl_table *ctl, int write,
222 void __user *buffer, size_t *lenp, loff_t *ppos)
223{
224 struct net *net = container_of(ctl->data, struct net,
225 ipv4.tcp_congestion_control);
226 char val[TCP_CA_NAME_MAX];
227 struct ctl_table tbl = {
228 .data = val,
229 .maxlen = TCP_CA_NAME_MAX,
230 };
231 int ret;
232
233 tcp_get_default_congestion_control(net, val);
234
235 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
236 if (write && ret == 0)
237 ret = tcp_set_default_congestion_control(net, val);
238 return ret;
239}
240
241static int proc_tcp_available_congestion_control(struct ctl_table *ctl,
242 int write,
243 void __user *buffer, size_t *lenp,
244 loff_t *ppos)
245{
246 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, };
247 int ret;
248
249 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
250 if (!tbl.data)
251 return -ENOMEM;
252 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX);
253 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
254 kfree(tbl.data);
255 return ret;
256}
257
258static int proc_allowed_congestion_control(struct ctl_table *ctl,
259 int write,
260 void __user *buffer, size_t *lenp,
261 loff_t *ppos)
262{
263 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
264 int ret;
265
266 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
267 if (!tbl.data)
268 return -ENOMEM;
269
270 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen);
271 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
272 if (write && ret == 0)
273 ret = tcp_set_allowed_congestion_control(tbl.data);
274 kfree(tbl.data);
275 return ret;
276}
277
278static int proc_tcp_fastopen_key(struct ctl_table *table, int write,
279 void __user *buffer, size_t *lenp,
280 loff_t *ppos)
281{
282 struct net *net = container_of(table->data, struct net,
283 ipv4.sysctl_tcp_fastopen);
284 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
285 struct tcp_fastopen_context *ctxt;
286 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
287 __le32 key[4];
288 int ret, i;
289
290 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);
291 if (!tbl.data)
292 return -ENOMEM;
293
294 rcu_read_lock();
295 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
296 if (ctxt)
297 memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);
298 else
299 memset(key, 0, sizeof(key));
300 rcu_read_unlock();
301
302 for (i = 0; i < ARRAY_SIZE(key); i++)
303 user_key[i] = le32_to_cpu(key[i]);
304
305 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x",
306 user_key[0], user_key[1], user_key[2], user_key[3]);
307 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
308
309 if (write && ret == 0) {
310 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1,
311 user_key + 2, user_key + 3) != 4) {
312 ret = -EINVAL;
313 goto bad_key;
314 }
315
316 for (i = 0; i < ARRAY_SIZE(user_key); i++)
317 key[i] = cpu_to_le32(user_key[i]);
318
319 tcp_fastopen_reset_cipher(net, NULL, key,
320 TCP_FASTOPEN_KEY_LENGTH);
321 }
322
323bad_key:
324 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n",
325 user_key[0], user_key[1], user_key[2], user_key[3],
326 (char *)tbl.data, ret);
327 kfree(tbl.data);
328 return ret;
329}
330
331static void proc_configure_early_demux(int enabled, int protocol)
332{
333 struct net_protocol *ipprot;
334#if IS_ENABLED(CONFIG_IPV6)
335 struct inet6_protocol *ip6prot;
336#endif
337
338 rcu_read_lock();
339
340 ipprot = rcu_dereference(inet_protos[protocol]);
341 if (ipprot)
342 ipprot->early_demux = enabled ? ipprot->early_demux_handler :
343 NULL;
344
345#if IS_ENABLED(CONFIG_IPV6)
346 ip6prot = rcu_dereference(inet6_protos[protocol]);
347 if (ip6prot)
348 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler :
349 NULL;
350#endif
351 rcu_read_unlock();
352}
353
354static int proc_tcp_early_demux(struct ctl_table *table, int write,
355 void __user *buffer, size_t *lenp, loff_t *ppos)
356{
357 int ret = 0;
358
359 ret = proc_dointvec(table, write, buffer, lenp, ppos);
360
361 if (write && !ret) {
362 int enabled = init_net.ipv4.sysctl_tcp_early_demux;
363
364 proc_configure_early_demux(enabled, IPPROTO_TCP);
365 }
366
367 return ret;
368}
369
370static int proc_udp_early_demux(struct ctl_table *table, int write,
371 void __user *buffer, size_t *lenp, loff_t *ppos)
372{
373 int ret = 0;
374
375 ret = proc_dointvec(table, write, buffer, lenp, ppos);
376
377 if (write && !ret) {
378 int enabled = init_net.ipv4.sysctl_udp_early_demux;
379
380 proc_configure_early_demux(enabled, IPPROTO_UDP);
381 }
382
383 return ret;
384}
385
386static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table,
387 int write,
388 void __user *buffer,
389 size_t *lenp, loff_t *ppos)
390{
391 struct net *net = container_of(table->data, struct net,
392 ipv4.sysctl_tcp_fastopen_blackhole_timeout);
393 int ret;
394
395 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
396 if (write && ret == 0)
397 atomic_set(&net->ipv4.tfo_active_disable_times, 0);
398
399 return ret;
400}
401
402static int proc_tcp_available_ulp(struct ctl_table *ctl,
403 int write,
404 void __user *buffer, size_t *lenp,
405 loff_t *ppos)
406{
407 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, };
408 int ret;
409
410 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
411 if (!tbl.data)
412 return -ENOMEM;
413 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX);
414 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
415 kfree(tbl.data);
416
417 return ret;
418}
419
420#ifdef CONFIG_IP_ROUTE_MULTIPATH
421static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write,
422 void __user *buffer, size_t *lenp,
423 loff_t *ppos)
424{
425 struct net *net = container_of(table->data, struct net,
426 ipv4.sysctl_fib_multipath_hash_policy);
427 int ret;
428
429 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
430 if (write && ret == 0)
431 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net);
432
433 return ret;
434}
435#endif
436
437static struct ctl_table ipv4_table[] = {
438 {
439 .procname = "tcp_max_orphans",
440 .data = &sysctl_tcp_max_orphans,
441 .maxlen = sizeof(int),
442 .mode = 0644,
443 .proc_handler = proc_dointvec
444 },
445 {
446 .procname = "inet_peer_threshold",
447 .data = &inet_peer_threshold,
448 .maxlen = sizeof(int),
449 .mode = 0644,
450 .proc_handler = proc_dointvec
451 },
452 {
453 .procname = "inet_peer_minttl",
454 .data = &inet_peer_minttl,
455 .maxlen = sizeof(int),
456 .mode = 0644,
457 .proc_handler = proc_dointvec_jiffies,
458 },
459 {
460 .procname = "inet_peer_maxttl",
461 .data = &inet_peer_maxttl,
462 .maxlen = sizeof(int),
463 .mode = 0644,
464 .proc_handler = proc_dointvec_jiffies,
465 },
466 {
467 .procname = "tcp_mem",
468 .maxlen = sizeof(sysctl_tcp_mem),
469 .data = &sysctl_tcp_mem,
470 .mode = 0644,
471 .proc_handler = proc_doulongvec_minmax,
472 },
473 {
474 .procname = "tcp_low_latency",
475 .data = &sysctl_tcp_low_latency,
476 .maxlen = sizeof(int),
477 .mode = 0644,
478 .proc_handler = proc_dointvec
479 },
480#ifdef CONFIG_NETLABEL
481 {
482 .procname = "cipso_cache_enable",
483 .data = &cipso_v4_cache_enabled,
484 .maxlen = sizeof(int),
485 .mode = 0644,
486 .proc_handler = proc_dointvec,
487 },
488 {
489 .procname = "cipso_cache_bucket_size",
490 .data = &cipso_v4_cache_bucketsize,
491 .maxlen = sizeof(int),
492 .mode = 0644,
493 .proc_handler = proc_dointvec,
494 },
495 {
496 .procname = "cipso_rbm_optfmt",
497 .data = &cipso_v4_rbm_optfmt,
498 .maxlen = sizeof(int),
499 .mode = 0644,
500 .proc_handler = proc_dointvec,
501 },
502 {
503 .procname = "cipso_rbm_strictvalid",
504 .data = &cipso_v4_rbm_strictvalid,
505 .maxlen = sizeof(int),
506 .mode = 0644,
507 .proc_handler = proc_dointvec,
508 },
509#endif /* CONFIG_NETLABEL */
510 {
511 .procname = "tcp_available_congestion_control",
512 .maxlen = TCP_CA_BUF_MAX,
513 .mode = 0444,
514 .proc_handler = proc_tcp_available_congestion_control,
515 },
516 {
517 .procname = "tcp_allowed_congestion_control",
518 .maxlen = TCP_CA_BUF_MAX,
519 .mode = 0644,
520 .proc_handler = proc_allowed_congestion_control,
521 },
522 {
523 .procname = "tcp_available_ulp",
524 .maxlen = TCP_ULP_BUF_MAX,
525 .mode = 0444,
526 .proc_handler = proc_tcp_available_ulp,
527 },
528 {
529 .procname = "icmp_msgs_per_sec",
530 .data = &sysctl_icmp_msgs_per_sec,
531 .maxlen = sizeof(int),
532 .mode = 0644,
533 .proc_handler = proc_dointvec_minmax,
534 .extra1 = &zero,
535 },
536 {
537 .procname = "icmp_msgs_burst",
538 .data = &sysctl_icmp_msgs_burst,
539 .maxlen = sizeof(int),
540 .mode = 0644,
541 .proc_handler = proc_dointvec_minmax,
542 .extra1 = &zero,
543 },
544 {
545 .procname = "udp_mem",
546 .data = &sysctl_udp_mem,
547 .maxlen = sizeof(sysctl_udp_mem),
548 .mode = 0644,
549 .proc_handler = proc_doulongvec_minmax,
550 },
551 { }
552};
553
554static struct ctl_table ipv4_net_table[] = {
555 {
556 .procname = "icmp_echo_ignore_all",
557 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all,
558 .maxlen = sizeof(int),
559 .mode = 0644,
560 .proc_handler = proc_dointvec
561 },
562 {
563 .procname = "icmp_echo_ignore_broadcasts",
564 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts,
565 .maxlen = sizeof(int),
566 .mode = 0644,
567 .proc_handler = proc_dointvec
568 },
569 {
570 .procname = "icmp_ignore_bogus_error_responses",
571 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses,
572 .maxlen = sizeof(int),
573 .mode = 0644,
574 .proc_handler = proc_dointvec
575 },
576 {
577 .procname = "icmp_errors_use_inbound_ifaddr",
578 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr,
579 .maxlen = sizeof(int),
580 .mode = 0644,
581 .proc_handler = proc_dointvec
582 },
583 {
584 .procname = "icmp_ratelimit",
585 .data = &init_net.ipv4.sysctl_icmp_ratelimit,
586 .maxlen = sizeof(int),
587 .mode = 0644,
588 .proc_handler = proc_dointvec_ms_jiffies,
589 },
590 {
591 .procname = "icmp_ratemask",
592 .data = &init_net.ipv4.sysctl_icmp_ratemask,
593 .maxlen = sizeof(int),
594 .mode = 0644,
595 .proc_handler = proc_dointvec
596 },
597 {
598 .procname = "ping_group_range",
599 .data = &init_net.ipv4.ping_group_range.range,
600 .maxlen = sizeof(gid_t)*2,
601 .mode = 0644,
602 .proc_handler = ipv4_ping_group_range,
603 },
604 {
605 .procname = "tcp_ecn",
606 .data = &init_net.ipv4.sysctl_tcp_ecn,
607 .maxlen = sizeof(int),
608 .mode = 0644,
609 .proc_handler = proc_dointvec
610 },
611 {
612 .procname = "tcp_ecn_fallback",
613 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback,
614 .maxlen = sizeof(int),
615 .mode = 0644,
616 .proc_handler = proc_dointvec
617 },
618 {
619 .procname = "ip_dynaddr",
620 .data = &init_net.ipv4.sysctl_ip_dynaddr,
621 .maxlen = sizeof(int),
622 .mode = 0644,
623 .proc_handler = proc_dointvec
624 },
625 {
626 .procname = "ip_early_demux",
627 .data = &init_net.ipv4.sysctl_ip_early_demux,
628 .maxlen = sizeof(int),
629 .mode = 0644,
630 .proc_handler = proc_dointvec
631 },
632 {
633 .procname = "udp_early_demux",
634 .data = &init_net.ipv4.sysctl_udp_early_demux,
635 .maxlen = sizeof(int),
636 .mode = 0644,
637 .proc_handler = proc_udp_early_demux
638 },
639 {
640 .procname = "tcp_early_demux",
641 .data = &init_net.ipv4.sysctl_tcp_early_demux,
642 .maxlen = sizeof(int),
643 .mode = 0644,
644 .proc_handler = proc_tcp_early_demux
645 },
646 {
647 .procname = "ip_default_ttl",
648 .data = &init_net.ipv4.sysctl_ip_default_ttl,
649 .maxlen = sizeof(int),
650 .mode = 0644,
651 .proc_handler = proc_dointvec_minmax,
652 .extra1 = &ip_ttl_min,
653 .extra2 = &ip_ttl_max,
654 },
655 {
656 .procname = "ip_local_port_range",
657 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range),
658 .data = &init_net.ipv4.ip_local_ports.range,
659 .mode = 0644,
660 .proc_handler = ipv4_local_port_range,
661 },
662 {
663 .procname = "ip_local_reserved_ports",
664 .data = &init_net.ipv4.sysctl_local_reserved_ports,
665 .maxlen = 65536,
666 .mode = 0644,
667 .proc_handler = proc_do_large_bitmap,
668 },
669 {
670 .procname = "ip_no_pmtu_disc",
671 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc,
672 .maxlen = sizeof(int),
673 .mode = 0644,
674 .proc_handler = proc_dointvec
675 },
676 {
677 .procname = "ip_forward_use_pmtu",
678 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu,
679 .maxlen = sizeof(int),
680 .mode = 0644,
681 .proc_handler = proc_dointvec,
682 },
683 {
684 .procname = "ip_forward_update_priority",
685 .data = &init_net.ipv4.sysctl_ip_fwd_update_priority,
686 .maxlen = sizeof(int),
687 .mode = 0644,
688 .proc_handler = ipv4_fwd_update_priority,
689 .extra1 = &zero,
690 .extra2 = &one,
691 },
692 {
693 .procname = "ip_nonlocal_bind",
694 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind,
695 .maxlen = sizeof(int),
696 .mode = 0644,
697 .proc_handler = proc_dointvec
698 },
699 {
700 .procname = "fwmark_reflect",
701 .data = &init_net.ipv4.sysctl_fwmark_reflect,
702 .maxlen = sizeof(int),
703 .mode = 0644,
704 .proc_handler = proc_dointvec,
705 },
706 {
707 .procname = "tcp_fwmark_accept",
708 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept,
709 .maxlen = sizeof(int),
710 .mode = 0644,
711 .proc_handler = proc_dointvec,
712 },
713#ifdef CONFIG_NET_L3_MASTER_DEV
714 {
715 .procname = "tcp_l3mdev_accept",
716 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept,
717 .maxlen = sizeof(int),
718 .mode = 0644,
719 .proc_handler = proc_dointvec_minmax,
720 .extra1 = &zero,
721 .extra2 = &one,
722 },
723#endif
724 {
725 .procname = "tcp_mtu_probing",
726 .data = &init_net.ipv4.sysctl_tcp_mtu_probing,
727 .maxlen = sizeof(int),
728 .mode = 0644,
729 .proc_handler = proc_dointvec,
730 },
731 {
732 .procname = "tcp_base_mss",
733 .data = &init_net.ipv4.sysctl_tcp_base_mss,
734 .maxlen = sizeof(int),
735 .mode = 0644,
736 .proc_handler = proc_dointvec,
737 },
738 {
739 .procname = "tcp_probe_threshold",
740 .data = &init_net.ipv4.sysctl_tcp_probe_threshold,
741 .maxlen = sizeof(int),
742 .mode = 0644,
743 .proc_handler = proc_dointvec,
744 },
745 {
746 .procname = "tcp_probe_interval",
747 .data = &init_net.ipv4.sysctl_tcp_probe_interval,
748 .maxlen = sizeof(int),
749 .mode = 0644,
750 .proc_handler = proc_dointvec,
751 },
752 {
753 .procname = "igmp_link_local_mcast_reports",
754 .data = &init_net.ipv4.sysctl_igmp_llm_reports,
755 .maxlen = sizeof(int),
756 .mode = 0644,
757 .proc_handler = proc_dointvec
758 },
759 {
760 .procname = "igmp_max_memberships",
761 .data = &init_net.ipv4.sysctl_igmp_max_memberships,
762 .maxlen = sizeof(int),
763 .mode = 0644,
764 .proc_handler = proc_dointvec
765 },
766 {
767 .procname = "igmp_max_msf",
768 .data = &init_net.ipv4.sysctl_igmp_max_msf,
769 .maxlen = sizeof(int),
770 .mode = 0644,
771 .proc_handler = proc_dointvec
772 },
773#ifdef CONFIG_IP_MULTICAST
774 {
775 .procname = "igmp_qrv",
776 .data = &init_net.ipv4.sysctl_igmp_qrv,
777 .maxlen = sizeof(int),
778 .mode = 0644,
779 .proc_handler = proc_dointvec_minmax,
780 .extra1 = &one
781 },
782#endif
783 {
784 .procname = "tcp_congestion_control",
785 .data = &init_net.ipv4.tcp_congestion_control,
786 .mode = 0644,
787 .maxlen = TCP_CA_NAME_MAX,
788 .proc_handler = proc_tcp_congestion_control,
789 },
790 {
791 .procname = "tcp_keepalive_time",
792 .data = &init_net.ipv4.sysctl_tcp_keepalive_time,
793 .maxlen = sizeof(int),
794 .mode = 0644,
795 .proc_handler = proc_dointvec_jiffies,
796 },
797 {
798 .procname = "tcp_keepalive_probes",
799 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes,
800 .maxlen = sizeof(int),
801 .mode = 0644,
802 .proc_handler = proc_dointvec
803 },
804 {
805 .procname = "tcp_keepalive_intvl",
806 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl,
807 .maxlen = sizeof(int),
808 .mode = 0644,
809 .proc_handler = proc_dointvec_jiffies,
810 },
811 {
812 .procname = "tcp_syn_retries",
813 .data = &init_net.ipv4.sysctl_tcp_syn_retries,
814 .maxlen = sizeof(int),
815 .mode = 0644,
816 .proc_handler = proc_dointvec_minmax,
817 .extra1 = &tcp_syn_retries_min,
818 .extra2 = &tcp_syn_retries_max
819 },
820 {
821 .procname = "tcp_synack_retries",
822 .data = &init_net.ipv4.sysctl_tcp_synack_retries,
823 .maxlen = sizeof(int),
824 .mode = 0644,
825 .proc_handler = proc_dointvec
826 },
827#ifdef CONFIG_SYN_COOKIES
828 {
829 .procname = "tcp_syncookies",
830 .data = &init_net.ipv4.sysctl_tcp_syncookies,
831 .maxlen = sizeof(int),
832 .mode = 0644,
833 .proc_handler = proc_dointvec
834 },
835#endif
836 {
837 .procname = "tcp_reordering",
838 .data = &init_net.ipv4.sysctl_tcp_reordering,
839 .maxlen = sizeof(int),
840 .mode = 0644,
841 .proc_handler = proc_dointvec
842 },
843 {
844 .procname = "tcp_retries1",
845 .data = &init_net.ipv4.sysctl_tcp_retries1,
846 .maxlen = sizeof(int),
847 .mode = 0644,
848 .proc_handler = proc_dointvec_minmax,
849 .extra2 = &tcp_retr1_max
850 },
851 {
852 .procname = "tcp_retries2",
853 .data = &init_net.ipv4.sysctl_tcp_retries2,
854 .maxlen = sizeof(int),
855 .mode = 0644,
856 .proc_handler = proc_dointvec
857 },
858 {
859 .procname = "tcp_orphan_retries",
860 .data = &init_net.ipv4.sysctl_tcp_orphan_retries,
861 .maxlen = sizeof(int),
862 .mode = 0644,
863 .proc_handler = proc_dointvec
864 },
865 {
866 .procname = "tcp_fin_timeout",
867 .data = &init_net.ipv4.sysctl_tcp_fin_timeout,
868 .maxlen = sizeof(int),
869 .mode = 0644,
870 .proc_handler = proc_dointvec_jiffies,
871 },
872 {
873 .procname = "tcp_notsent_lowat",
874 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat,
875 .maxlen = sizeof(unsigned int),
876 .mode = 0644,
877 .proc_handler = proc_douintvec,
878 },
879 {
880 .procname = "tcp_tw_reuse",
881 .data = &init_net.ipv4.sysctl_tcp_tw_reuse,
882 .maxlen = sizeof(int),
883 .mode = 0644,
884 .proc_handler = proc_dointvec_minmax,
885 .extra1 = &zero,
886 .extra2 = &two,
887 },
888 {
889 .procname = "tcp_max_tw_buckets",
890 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets,
891 .maxlen = sizeof(int),
892 .mode = 0644,
893 .proc_handler = proc_dointvec
894 },
895 {
896 .procname = "tcp_max_syn_backlog",
897 .data = &init_net.ipv4.sysctl_max_syn_backlog,
898 .maxlen = sizeof(int),
899 .mode = 0644,
900 .proc_handler = proc_dointvec
901 },
902 {
903 .procname = "tcp_fastopen",
904 .data = &init_net.ipv4.sysctl_tcp_fastopen,
905 .maxlen = sizeof(int),
906 .mode = 0644,
907 .proc_handler = proc_dointvec,
908 },
909 {
910 .procname = "tcp_fastopen_key",
911 .mode = 0600,
912 .data = &init_net.ipv4.sysctl_tcp_fastopen,
913 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10),
914 .proc_handler = proc_tcp_fastopen_key,
915 },
916 {
917 .procname = "tcp_fastopen_blackhole_timeout_sec",
918 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout,
919 .maxlen = sizeof(int),
920 .mode = 0644,
921 .proc_handler = proc_tfo_blackhole_detect_timeout,
922 .extra1 = &zero,
923 },
924#ifdef CONFIG_IP_ROUTE_MULTIPATH
925 {
926 .procname = "fib_multipath_use_neigh",
927 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh,
928 .maxlen = sizeof(int),
929 .mode = 0644,
930 .proc_handler = proc_dointvec_minmax,
931 .extra1 = &zero,
932 .extra2 = &one,
933 },
934 {
935 .procname = "fib_multipath_hash_policy",
936 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy,
937 .maxlen = sizeof(int),
938 .mode = 0644,
939 .proc_handler = proc_fib_multipath_hash_policy,
940 .extra1 = &zero,
941 .extra2 = &one,
942 },
943#endif
944 {
945 .procname = "ip_unprivileged_port_start",
946 .maxlen = sizeof(int),
947 .data = &init_net.ipv4.sysctl_ip_prot_sock,
948 .mode = 0644,
949 .proc_handler = ipv4_privileged_ports,
950 },
951#ifdef CONFIG_NET_L3_MASTER_DEV
952 {
953 .procname = "udp_l3mdev_accept",
954 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept,
955 .maxlen = sizeof(int),
956 .mode = 0644,
957 .proc_handler = proc_dointvec_minmax,
958 .extra1 = &zero,
959 .extra2 = &one,
960 },
961#endif
962 {
963 .procname = "tcp_sack",
964 .data = &init_net.ipv4.sysctl_tcp_sack,
965 .maxlen = sizeof(int),
966 .mode = 0644,
967 .proc_handler = proc_dointvec
968 },
969 {
970 .procname = "tcp_window_scaling",
971 .data = &init_net.ipv4.sysctl_tcp_window_scaling,
972 .maxlen = sizeof(int),
973 .mode = 0644,
974 .proc_handler = proc_dointvec
975 },
976 {
977 .procname = "tcp_timestamps",
978 .data = &init_net.ipv4.sysctl_tcp_timestamps,
979 .maxlen = sizeof(int),
980 .mode = 0644,
981 .proc_handler = proc_dointvec
982 },
983 {
984 .procname = "tcp_early_retrans",
985 .data = &init_net.ipv4.sysctl_tcp_early_retrans,
986 .maxlen = sizeof(int),
987 .mode = 0644,
988 .proc_handler = proc_dointvec_minmax,
989 .extra1 = &zero,
990 .extra2 = &four,
991 },
992 {
993 .procname = "tcp_recovery",
994 .data = &init_net.ipv4.sysctl_tcp_recovery,
995 .maxlen = sizeof(int),
996 .mode = 0644,
997 .proc_handler = proc_dointvec,
998 },
999 {
1000 .procname = "tcp_thin_linear_timeouts",
1001 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts,
1002 .maxlen = sizeof(int),
1003 .mode = 0644,
1004 .proc_handler = proc_dointvec
1005 },
1006 {
1007 .procname = "tcp_slow_start_after_idle",
1008 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle,
1009 .maxlen = sizeof(int),
1010 .mode = 0644,
1011 .proc_handler = proc_dointvec
1012 },
1013 {
1014 .procname = "tcp_retrans_collapse",
1015 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse,
1016 .maxlen = sizeof(int),
1017 .mode = 0644,
1018 .proc_handler = proc_dointvec
1019 },
1020 {
1021 .procname = "tcp_stdurg",
1022 .data = &init_net.ipv4.sysctl_tcp_stdurg,
1023 .maxlen = sizeof(int),
1024 .mode = 0644,
1025 .proc_handler = proc_dointvec
1026 },
1027 {
1028 .procname = "tcp_rfc1337",
1029 .data = &init_net.ipv4.sysctl_tcp_rfc1337,
1030 .maxlen = sizeof(int),
1031 .mode = 0644,
1032 .proc_handler = proc_dointvec
1033 },
1034 {
1035 .procname = "tcp_abort_on_overflow",
1036 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow,
1037 .maxlen = sizeof(int),
1038 .mode = 0644,
1039 .proc_handler = proc_dointvec
1040 },
1041 {
1042 .procname = "tcp_fack",
1043 .data = &init_net.ipv4.sysctl_tcp_fack,
1044 .maxlen = sizeof(int),
1045 .mode = 0644,
1046 .proc_handler = proc_dointvec
1047 },
1048 {
1049 .procname = "tcp_max_reordering",
1050 .data = &init_net.ipv4.sysctl_tcp_max_reordering,
1051 .maxlen = sizeof(int),
1052 .mode = 0644,
1053 .proc_handler = proc_dointvec
1054 },
1055 {
1056 .procname = "tcp_dsack",
1057 .data = &init_net.ipv4.sysctl_tcp_dsack,
1058 .maxlen = sizeof(int),
1059 .mode = 0644,
1060 .proc_handler = proc_dointvec
1061 },
1062 {
1063 .procname = "tcp_app_win",
1064 .data = &init_net.ipv4.sysctl_tcp_app_win,
1065 .maxlen = sizeof(int),
1066 .mode = 0644,
1067 .proc_handler = proc_dointvec
1068 },
1069 {
1070 .procname = "tcp_adv_win_scale",
1071 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale,
1072 .maxlen = sizeof(int),
1073 .mode = 0644,
1074 .proc_handler = proc_dointvec_minmax,
1075 .extra1 = &tcp_adv_win_scale_min,
1076 .extra2 = &tcp_adv_win_scale_max,
1077 },
1078 {
1079 .procname = "tcp_frto",
1080 .data = &init_net.ipv4.sysctl_tcp_frto,
1081 .maxlen = sizeof(int),
1082 .mode = 0644,
1083 .proc_handler = proc_dointvec
1084 },
1085 {
1086 .procname = "tcp_no_metrics_save",
1087 .data = &init_net.ipv4.sysctl_tcp_nometrics_save,
1088 .maxlen = sizeof(int),
1089 .mode = 0644,
1090 .proc_handler = proc_dointvec,
1091 },
1092 {
1093 .procname = "tcp_moderate_rcvbuf",
1094 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf,
1095 .maxlen = sizeof(int),
1096 .mode = 0644,
1097 .proc_handler = proc_dointvec,
1098 },
1099 {
1100 .procname = "tcp_tso_win_divisor",
1101 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor,
1102 .maxlen = sizeof(int),
1103 .mode = 0644,
1104 .proc_handler = proc_dointvec,
1105 },
1106 {
1107 .procname = "tcp_workaround_signed_windows",
1108 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows,
1109 .maxlen = sizeof(int),
1110 .mode = 0644,
1111 .proc_handler = proc_dointvec
1112 },
1113 {
1114 .procname = "tcp_limit_output_bytes",
1115 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes,
1116 .maxlen = sizeof(int),
1117 .mode = 0644,
1118 .proc_handler = proc_dointvec
1119 },
1120 {
1121 .procname = "tcp_challenge_ack_limit",
1122 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit,
1123 .maxlen = sizeof(int),
1124 .mode = 0644,
1125 .proc_handler = proc_dointvec
1126 },
1127 {
1128 .procname = "tcp_min_tso_segs",
1129 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs,
1130 .maxlen = sizeof(int),
1131 .mode = 0644,
1132 .proc_handler = proc_dointvec_minmax,
1133 .extra1 = &one,
1134 .extra2 = &gso_max_segs,
1135 },
1136 {
1137 .procname = "tcp_min_rtt_wlen",
1138 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen,
1139 .maxlen = sizeof(int),
1140 .mode = 0644,
1141 .proc_handler = proc_dointvec
1142 },
1143 {
1144 .procname = "tcp_autocorking",
1145 .data = &init_net.ipv4.sysctl_tcp_autocorking,
1146 .maxlen = sizeof(int),
1147 .mode = 0644,
1148 .proc_handler = proc_dointvec_minmax,
1149 .extra1 = &zero,
1150 .extra2 = &one,
1151 },
1152 {
1153 .procname = "tcp_invalid_ratelimit",
1154 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit,
1155 .maxlen = sizeof(int),
1156 .mode = 0644,
1157 .proc_handler = proc_dointvec_ms_jiffies,
1158 },
1159 {
1160 .procname = "tcp_pacing_ss_ratio",
1161 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio,
1162 .maxlen = sizeof(int),
1163 .mode = 0644,
1164 .proc_handler = proc_dointvec_minmax,
1165 .extra1 = &zero,
1166 .extra2 = &thousand,
1167 },
1168 {
1169 .procname = "tcp_pacing_ca_ratio",
1170 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio,
1171 .maxlen = sizeof(int),
1172 .mode = 0644,
1173 .proc_handler = proc_dointvec_minmax,
1174 .extra1 = &zero,
1175 .extra2 = &thousand,
1176 },
1177 {
1178 .procname = "tcp_wmem",
1179 .data = &init_net.ipv4.sysctl_tcp_wmem,
1180 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem),
1181 .mode = 0644,
1182 .proc_handler = proc_dointvec_minmax,
1183 .extra1 = &one,
1184 },
1185 {
1186 .procname = "tcp_rmem",
1187 .data = &init_net.ipv4.sysctl_tcp_rmem,
1188 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem),
1189 .mode = 0644,
1190 .proc_handler = proc_dointvec_minmax,
1191 .extra1 = &one,
1192 },
1193 {
1194 .procname = "tcp_comp_sack_delay_ns",
1195 .data = &init_net.ipv4.sysctl_tcp_comp_sack_delay_ns,
1196 .maxlen = sizeof(unsigned long),
1197 .mode = 0644,
1198 .proc_handler = proc_doulongvec_minmax,
1199 },
1200 {
1201 .procname = "tcp_comp_sack_nr",
1202 .data = &init_net.ipv4.sysctl_tcp_comp_sack_nr,
1203 .maxlen = sizeof(int),
1204 .mode = 0644,
1205 .proc_handler = proc_dointvec_minmax,
1206 .extra1 = &zero,
1207 .extra2 = &comp_sack_nr_max,
1208 },
1209 {
1210 .procname = "udp_rmem_min",
1211 .data = &init_net.ipv4.sysctl_udp_rmem_min,
1212 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min),
1213 .mode = 0644,
1214 .proc_handler = proc_dointvec_minmax,
1215 .extra1 = &one
1216 },
1217 {
1218 .procname = "udp_wmem_min",
1219 .data = &init_net.ipv4.sysctl_udp_wmem_min,
1220 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min),
1221 .mode = 0644,
1222 .proc_handler = proc_dointvec_minmax,
1223 .extra1 = &one
1224 },
1225 { }
1226};
1227
1228static __net_init int ipv4_sysctl_init_net(struct net *net)
1229{
1230 struct ctl_table *table;
1231
1232 table = ipv4_net_table;
1233 if (!net_eq(net, &init_net)) {
1234 int i;
1235
1236 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL);
1237 if (!table)
1238 goto err_alloc;
1239
1240 /* Update the variables to point into the current struct net */
1241 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++)
1242 table[i].data += (void *)net - (void *)&init_net;
1243 }
1244
1245 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
1246 if (!net->ipv4.ipv4_hdr)
1247 goto err_reg;
1248
1249 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL);
1250 if (!net->ipv4.sysctl_local_reserved_ports)
1251 goto err_ports;
1252
1253 return 0;
1254
1255err_ports:
1256 unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
1257err_reg:
1258 if (!net_eq(net, &init_net))
1259 kfree(table);
1260err_alloc:
1261 return -ENOMEM;
1262}
1263
1264static __net_exit void ipv4_sysctl_exit_net(struct net *net)
1265{
1266 struct ctl_table *table;
1267
1268 kfree(net->ipv4.sysctl_local_reserved_ports);
1269 table = net->ipv4.ipv4_hdr->ctl_table_arg;
1270 unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
1271 kfree(table);
1272}
1273
1274static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
1275 .init = ipv4_sysctl_init_net,
1276 .exit = ipv4_sysctl_exit_net,
1277};
1278
1279static __init int sysctl_ipv4_init(void)
1280{
1281 struct ctl_table_header *hdr;
1282
1283 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table);
1284 if (!hdr)
1285 return -ENOMEM;
1286
1287 if (register_pernet_subsys(&ipv4_sysctl_ops)) {
1288 unregister_net_sysctl_table(hdr);
1289 return -ENOMEM;
1290 }
1291
1292 return 0;
1293}
1294
1295__initcall(sysctl_ipv4_init);
1296