1// SPDX-License-Identifier: GPL-2.0
2/*
3 * sysctl_net_ipv4.c: sysctl interface to net IPV4 subsystem.
4 *
5 * Begun April 1, 1996, Mike Shaver.
6 * Added /proc/sys/net/ipv4 directory entry (empty =) ). [MS]
7 */
8
9#include <linux/mm.h>
10#include <linux/module.h>
11#include <linux/sysctl.h>
12#include <linux/igmp.h>
13#include <linux/inetdevice.h>
14#include <linux/seqlock.h>
15#include <linux/init.h>
16#include <linux/slab.h>
17#include <linux/nsproxy.h>
18#include <linux/swap.h>
19#include <net/snmp.h>
20#include <net/icmp.h>
21#include <net/ip.h>
22#include <net/route.h>
23#include <net/tcp.h>
24#include <net/udp.h>
25#include <net/cipso_ipv4.h>
26#include <net/inet_frag.h>
27#include <net/ping.h>
28#include <net/protocol.h>
29#include <net/netevent.h>
30
31static int zero;
32static int one = 1;
33static int two = 2;
34static int four = 4;
35static int thousand = 1000;
36static int gso_max_segs = GSO_MAX_SEGS;
37static int tcp_retr1_max = 255;
38static int ip_local_port_range_min[] = { 1, 1 };
39static int ip_local_port_range_max[] = { 65535, 65535 };
40static int tcp_adv_win_scale_min = -31;
41static int tcp_adv_win_scale_max = 31;
42static int ip_privileged_port_min;
43static int ip_privileged_port_max = 65535;
44static int ip_ttl_min = 1;
45static int ip_ttl_max = 255;
46static int tcp_syn_retries_min = 1;
47static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
48static int ip_ping_group_range_min[] = { 0, 0 };
49static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
50static int comp_sack_nr_max = 255;
51static u32 u32_max_div_HZ = UINT_MAX / HZ;
52
53/* obsolete */
54static int sysctl_tcp_low_latency __read_mostly;
55
56/* Update system visible IP port range */
57static void set_local_port_range(struct net *net, int range[2])
58{
59 bool same_parity = !((range[0] ^ range[1]) & 1);
60
61 write_seqlock_bh(&net->ipv4.ip_local_ports.lock);
62 if (same_parity && !net->ipv4.ip_local_ports.warned) {
63 net->ipv4.ip_local_ports.warned = true;
64 pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n");
65 }
66 net->ipv4.ip_local_ports.range[0] = range[0];
67 net->ipv4.ip_local_ports.range[1] = range[1];
68 write_sequnlock_bh(&net->ipv4.ip_local_ports.lock);
69}
70
71/* Validate changes from /proc interface. */
72static int ipv4_local_port_range(struct ctl_table *table, int write,
73 void __user *buffer,
74 size_t *lenp, loff_t *ppos)
75{
76 struct net *net =
77 container_of(table->data, struct net, ipv4.ip_local_ports.range);
78 int ret;
79 int range[2];
80 struct ctl_table tmp = {
81 .data = &range,
82 .maxlen = sizeof(range),
83 .mode = table->mode,
84 .extra1 = &ip_local_port_range_min,
85 .extra2 = &ip_local_port_range_max,
86 };
87
88 inet_get_local_port_range(net, &range[0], &range[1]);
89
90 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
91
92 if (write && ret == 0) {
93 /* Ensure that the upper limit is not smaller than the lower,
94 * and that the lower does not encroach upon the privileged
95 * port limit.
96 */
97 if ((range[1] < range[0]) ||
98 (range[0] < net->ipv4.sysctl_ip_prot_sock))
99 ret = -EINVAL;
100 else
101 set_local_port_range(net, range);
102 }
103
104 return ret;
105}
106
107/* Validate changes from /proc interface. */
108static int ipv4_privileged_ports(struct ctl_table *table, int write,
109 void __user *buffer, size_t *lenp, loff_t *ppos)
110{
111 struct net *net = container_of(table->data, struct net,
112 ipv4.sysctl_ip_prot_sock);
113 int ret;
114 int pports;
115 int range[2];
116 struct ctl_table tmp = {
117 .data = &pports,
118 .maxlen = sizeof(pports),
119 .mode = table->mode,
120 .extra1 = &ip_privileged_port_min,
121 .extra2 = &ip_privileged_port_max,
122 };
123
124 pports = net->ipv4.sysctl_ip_prot_sock;
125
126 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
127
128 if (write && ret == 0) {
129 inet_get_local_port_range(net, &range[0], &range[1]);
130 /* Ensure that the local port range doesn't overlap with the
131 * privileged port range.
132 */
133 if (range[0] < pports)
134 ret = -EINVAL;
135 else
136 net->ipv4.sysctl_ip_prot_sock = pports;
137 }
138
139 return ret;
140}
141
142static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high)
143{
144 kgid_t *data = table->data;
145 struct net *net =
146 container_of(table->data, struct net, ipv4.ping_group_range.range);
147 unsigned int seq;
148 do {
149 seq = read_seqbegin(&net->ipv4.ping_group_range.lock);
150
151 *low = data[0];
152 *high = data[1];
153 } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq));
154}
155
156/* Update system visible IP port range */
157static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high)
158{
159 kgid_t *data = table->data;
160 struct net *net =
161 container_of(table->data, struct net, ipv4.ping_group_range.range);
162 write_seqlock(&net->ipv4.ping_group_range.lock);
163 data[0] = low;
164 data[1] = high;
165 write_sequnlock(&net->ipv4.ping_group_range.lock);
166}
167
168/* Validate changes from /proc interface. */
169static int ipv4_ping_group_range(struct ctl_table *table, int write,
170 void __user *buffer,
171 size_t *lenp, loff_t *ppos)
172{
173 struct user_namespace *user_ns = current_user_ns();
174 int ret;
175 gid_t urange[2];
176 kgid_t low, high;
177 struct ctl_table tmp = {
178 .data = &urange,
179 .maxlen = sizeof(urange),
180 .mode = table->mode,
181 .extra1 = &ip_ping_group_range_min,
182 .extra2 = &ip_ping_group_range_max,
183 };
184
185 inet_get_ping_group_range_table(table, &low, &high);
186 urange[0] = from_kgid_munged(user_ns, low);
187 urange[1] = from_kgid_munged(user_ns, high);
188 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
189
190 if (write && ret == 0) {
191 low = make_kgid(user_ns, urange[0]);
192 high = make_kgid(user_ns, urange[1]);
193 if (!gid_valid(low) || !gid_valid(high))
194 return -EINVAL;
195 if (urange[1] < urange[0] || gid_lt(high, low)) {
196 low = make_kgid(&init_user_ns, 1);
197 high = make_kgid(&init_user_ns, 0);
198 }
199 set_ping_group_range(table, low, high);
200 }
201
202 return ret;
203}
204
205static int ipv4_fwd_update_priority(struct ctl_table *table, int write,
206 void __user *buffer,
207 size_t *lenp, loff_t *ppos)
208{
209 struct net *net;
210 int ret;
211
212 net = container_of(table->data, struct net,
213 ipv4.sysctl_ip_fwd_update_priority);
214 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
215 if (write && ret == 0)
216 call_netevent_notifiers(NETEVENT_IPV4_FWD_UPDATE_PRIORITY_UPDATE,
217 net);
218
219 return ret;
220}
221
222static int proc_tcp_congestion_control(struct ctl_table *ctl, int write,
223 void __user *buffer, size_t *lenp, loff_t *ppos)
224{
225 struct net *net = container_of(ctl->data, struct net,
226 ipv4.tcp_congestion_control);
227 char val[TCP_CA_NAME_MAX];
228 struct ctl_table tbl = {
229 .data = val,
230 .maxlen = TCP_CA_NAME_MAX,
231 };
232 int ret;
233
234 tcp_get_default_congestion_control(net, val);
235
236 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
237 if (write && ret == 0)
238 ret = tcp_set_default_congestion_control(net, val);
239 return ret;
240}
241
242static int proc_tcp_available_congestion_control(struct ctl_table *ctl,
243 int write,
244 void __user *buffer, size_t *lenp,
245 loff_t *ppos)
246{
247 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, };
248 int ret;
249
250 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
251 if (!tbl.data)
252 return -ENOMEM;
253 tcp_get_available_congestion_control(tbl.data, TCP_CA_BUF_MAX);
254 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
255 kfree(tbl.data);
256 return ret;
257}
258
259static int proc_allowed_congestion_control(struct ctl_table *ctl,
260 int write,
261 void __user *buffer, size_t *lenp,
262 loff_t *ppos)
263{
264 struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
265 int ret;
266
267 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
268 if (!tbl.data)
269 return -ENOMEM;
270
271 tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen);
272 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
273 if (write && ret == 0)
274 ret = tcp_set_allowed_congestion_control(tbl.data);
275 kfree(tbl.data);
276 return ret;
277}
278
279static int proc_tcp_fastopen_key(struct ctl_table *table, int write,
280 void __user *buffer, size_t *lenp,
281 loff_t *ppos)
282{
283 struct net *net = container_of(table->data, struct net,
284 ipv4.sysctl_tcp_fastopen);
285 struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
286 struct tcp_fastopen_context *ctxt;
287 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
288 __le32 key[4];
289 int ret, i;
290
291 tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);
292 if (!tbl.data)
293 return -ENOMEM;
294
295 rcu_read_lock();
296 ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
297 if (ctxt)
298 memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);
299 else
300 memset(key, 0, sizeof(key));
301 rcu_read_unlock();
302
303 for (i = 0; i < ARRAY_SIZE(key); i++)
304 user_key[i] = le32_to_cpu(key[i]);
305
306 snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x",
307 user_key[0], user_key[1], user_key[2], user_key[3]);
308 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
309
310 if (write && ret == 0) {
311 if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1,
312 user_key + 2, user_key + 3) != 4) {
313 ret = -EINVAL;
314 goto bad_key;
315 }
316
317 for (i = 0; i < ARRAY_SIZE(user_key); i++)
318 key[i] = cpu_to_le32(user_key[i]);
319
320 tcp_fastopen_reset_cipher(net, NULL, key,
321 TCP_FASTOPEN_KEY_LENGTH);
322 }
323
324bad_key:
325 pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n",
326 user_key[0], user_key[1], user_key[2], user_key[3],
327 (char *)tbl.data, ret);
328 kfree(tbl.data);
329 return ret;
330}
331
332static void proc_configure_early_demux(int enabled, int protocol)
333{
334 struct net_protocol *ipprot;
335#if IS_ENABLED(CONFIG_IPV6)
336 struct inet6_protocol *ip6prot;
337#endif
338
339 rcu_read_lock();
340
341 ipprot = rcu_dereference(inet_protos[protocol]);
342 if (ipprot)
343 ipprot->early_demux = enabled ? ipprot->early_demux_handler :
344 NULL;
345
346#if IS_ENABLED(CONFIG_IPV6)
347 ip6prot = rcu_dereference(inet6_protos[protocol]);
348 if (ip6prot)
349 ip6prot->early_demux = enabled ? ip6prot->early_demux_handler :
350 NULL;
351#endif
352 rcu_read_unlock();
353}
354
355static int proc_tcp_early_demux(struct ctl_table *table, int write,
356 void __user *buffer, size_t *lenp, loff_t *ppos)
357{
358 int ret = 0;
359
360 ret = proc_dointvec(table, write, buffer, lenp, ppos);
361
362 if (write && !ret) {
363 int enabled = init_net.ipv4.sysctl_tcp_early_demux;
364
365 proc_configure_early_demux(enabled, IPPROTO_TCP);
366 }
367
368 return ret;
369}
370
371static int proc_udp_early_demux(struct ctl_table *table, int write,
372 void __user *buffer, size_t *lenp, loff_t *ppos)
373{
374 int ret = 0;
375
376 ret = proc_dointvec(table, write, buffer, lenp, ppos);
377
378 if (write && !ret) {
379 int enabled = init_net.ipv4.sysctl_udp_early_demux;
380
381 proc_configure_early_demux(enabled, IPPROTO_UDP);
382 }
383
384 return ret;
385}
386
387static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table,
388 int write,
389 void __user *buffer,
390 size_t *lenp, loff_t *ppos)
391{
392 struct net *net = container_of(table->data, struct net,
393 ipv4.sysctl_tcp_fastopen_blackhole_timeout);
394 int ret;
395
396 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
397 if (write && ret == 0)
398 atomic_set(&net->ipv4.tfo_active_disable_times, 0);
399
400 return ret;
401}
402
403static int proc_tcp_available_ulp(struct ctl_table *ctl,
404 int write,
405 void __user *buffer, size_t *lenp,
406 loff_t *ppos)
407{
408 struct ctl_table tbl = { .maxlen = TCP_ULP_BUF_MAX, };
409 int ret;
410
411 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
412 if (!tbl.data)
413 return -ENOMEM;
414 tcp_get_available_ulp(tbl.data, TCP_ULP_BUF_MAX);
415 ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
416 kfree(tbl.data);
417
418 return ret;
419}
420
421#ifdef CONFIG_IP_ROUTE_MULTIPATH
422static int proc_fib_multipath_hash_policy(struct ctl_table *table, int write,
423 void __user *buffer, size_t *lenp,
424 loff_t *ppos)
425{
426 struct net *net = container_of(table->data, struct net,
427 ipv4.sysctl_fib_multipath_hash_policy);
428 int ret;
429
430 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
431 if (write && ret == 0)
432 call_netevent_notifiers(NETEVENT_IPV4_MPATH_HASH_UPDATE, net);
433
434 return ret;
435}
436#endif
437
438static struct ctl_table ipv4_table[] = {
439 {
440 .procname = "tcp_max_orphans",
441 .data = &sysctl_tcp_max_orphans,
442 .maxlen = sizeof(int),
443 .mode = 0644,
444 .proc_handler = proc_dointvec
445 },
446 {
447 .procname = "inet_peer_threshold",
448 .data = &inet_peer_threshold,
449 .maxlen = sizeof(int),
450 .mode = 0644,
451 .proc_handler = proc_dointvec
452 },
453 {
454 .procname = "inet_peer_minttl",
455 .data = &inet_peer_minttl,
456 .maxlen = sizeof(int),
457 .mode = 0644,
458 .proc_handler = proc_dointvec_jiffies,
459 },
460 {
461 .procname = "inet_peer_maxttl",
462 .data = &inet_peer_maxttl,
463 .maxlen = sizeof(int),
464 .mode = 0644,
465 .proc_handler = proc_dointvec_jiffies,
466 },
467 {
468 .procname = "tcp_mem",
469 .maxlen = sizeof(sysctl_tcp_mem),
470 .data = &sysctl_tcp_mem,
471 .mode = 0644,
472 .proc_handler = proc_doulongvec_minmax,
473 },
474 {
475 .procname = "tcp_low_latency",
476 .data = &sysctl_tcp_low_latency,
477 .maxlen = sizeof(int),
478 .mode = 0644,
479 .proc_handler = proc_dointvec
480 },
481#ifdef CONFIG_NETLABEL
482 {
483 .procname = "cipso_cache_enable",
484 .data = &cipso_v4_cache_enabled,
485 .maxlen = sizeof(int),
486 .mode = 0644,
487 .proc_handler = proc_dointvec,
488 },
489 {
490 .procname = "cipso_cache_bucket_size",
491 .data = &cipso_v4_cache_bucketsize,
492 .maxlen = sizeof(int),
493 .mode = 0644,
494 .proc_handler = proc_dointvec,
495 },
496 {
497 .procname = "cipso_rbm_optfmt",
498 .data = &cipso_v4_rbm_optfmt,
499 .maxlen = sizeof(int),
500 .mode = 0644,
501 .proc_handler = proc_dointvec,
502 },
503 {
504 .procname = "cipso_rbm_strictvalid",
505 .data = &cipso_v4_rbm_strictvalid,
506 .maxlen = sizeof(int),
507 .mode = 0644,
508 .proc_handler = proc_dointvec,
509 },
510#endif /* CONFIG_NETLABEL */
511 {
512 .procname = "tcp_available_congestion_control",
513 .maxlen = TCP_CA_BUF_MAX,
514 .mode = 0444,
515 .proc_handler = proc_tcp_available_congestion_control,
516 },
517 {
518 .procname = "tcp_allowed_congestion_control",
519 .maxlen = TCP_CA_BUF_MAX,
520 .mode = 0644,
521 .proc_handler = proc_allowed_congestion_control,
522 },
523 {
524 .procname = "tcp_available_ulp",
525 .maxlen = TCP_ULP_BUF_MAX,
526 .mode = 0444,
527 .proc_handler = proc_tcp_available_ulp,
528 },
529 {
530 .procname = "icmp_msgs_per_sec",
531 .data = &sysctl_icmp_msgs_per_sec,
532 .maxlen = sizeof(int),
533 .mode = 0644,
534 .proc_handler = proc_dointvec_minmax,
535 .extra1 = &zero,
536 },
537 {
538 .procname = "icmp_msgs_burst",
539 .data = &sysctl_icmp_msgs_burst,
540 .maxlen = sizeof(int),
541 .mode = 0644,
542 .proc_handler = proc_dointvec_minmax,
543 .extra1 = &zero,
544 },
545 {
546 .procname = "udp_mem",
547 .data = &sysctl_udp_mem,
548 .maxlen = sizeof(sysctl_udp_mem),
549 .mode = 0644,
550 .proc_handler = proc_doulongvec_minmax,
551 },
552 { }
553};
554
555static struct ctl_table ipv4_net_table[] = {
556 {
557 .procname = "icmp_echo_ignore_all",
558 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all,
559 .maxlen = sizeof(int),
560 .mode = 0644,
561 .proc_handler = proc_dointvec
562 },
563 {
564 .procname = "icmp_echo_ignore_broadcasts",
565 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts,
566 .maxlen = sizeof(int),
567 .mode = 0644,
568 .proc_handler = proc_dointvec
569 },
570 {
571 .procname = "icmp_ignore_bogus_error_responses",
572 .data = &init_net.ipv4.sysctl_icmp_ignore_bogus_error_responses,
573 .maxlen = sizeof(int),
574 .mode = 0644,
575 .proc_handler = proc_dointvec
576 },
577 {
578 .procname = "icmp_errors_use_inbound_ifaddr",
579 .data = &init_net.ipv4.sysctl_icmp_errors_use_inbound_ifaddr,
580 .maxlen = sizeof(int),
581 .mode = 0644,
582 .proc_handler = proc_dointvec
583 },
584 {
585 .procname = "icmp_ratelimit",
586 .data = &init_net.ipv4.sysctl_icmp_ratelimit,
587 .maxlen = sizeof(int),
588 .mode = 0644,
589 .proc_handler = proc_dointvec_ms_jiffies,
590 },
591 {
592 .procname = "icmp_ratemask",
593 .data = &init_net.ipv4.sysctl_icmp_ratemask,
594 .maxlen = sizeof(int),
595 .mode = 0644,
596 .proc_handler = proc_dointvec
597 },
598 {
599 .procname = "ping_group_range",
600 .data = &init_net.ipv4.ping_group_range.range,
601 .maxlen = sizeof(gid_t)*2,
602 .mode = 0644,
603 .proc_handler = ipv4_ping_group_range,
604 },
605#ifdef CONFIG_NET_L3_MASTER_DEV
606 {
607 .procname = "raw_l3mdev_accept",
608 .data = &init_net.ipv4.sysctl_raw_l3mdev_accept,
609 .maxlen = sizeof(int),
610 .mode = 0644,
611 .proc_handler = proc_dointvec_minmax,
612 .extra1 = &zero,
613 .extra2 = &one,
614 },
615#endif
616 {
617 .procname = "tcp_ecn",
618 .data = &init_net.ipv4.sysctl_tcp_ecn,
619 .maxlen = sizeof(int),
620 .mode = 0644,
621 .proc_handler = proc_dointvec
622 },
623 {
624 .procname = "tcp_ecn_fallback",
625 .data = &init_net.ipv4.sysctl_tcp_ecn_fallback,
626 .maxlen = sizeof(int),
627 .mode = 0644,
628 .proc_handler = proc_dointvec
629 },
630 {
631 .procname = "ip_dynaddr",
632 .data = &init_net.ipv4.sysctl_ip_dynaddr,
633 .maxlen = sizeof(int),
634 .mode = 0644,
635 .proc_handler = proc_dointvec
636 },
637 {
638 .procname = "ip_early_demux",
639 .data = &init_net.ipv4.sysctl_ip_early_demux,
640 .maxlen = sizeof(int),
641 .mode = 0644,
642 .proc_handler = proc_dointvec
643 },
644 {
645 .procname = "udp_early_demux",
646 .data = &init_net.ipv4.sysctl_udp_early_demux,
647 .maxlen = sizeof(int),
648 .mode = 0644,
649 .proc_handler = proc_udp_early_demux
650 },
651 {
652 .procname = "tcp_early_demux",
653 .data = &init_net.ipv4.sysctl_tcp_early_demux,
654 .maxlen = sizeof(int),
655 .mode = 0644,
656 .proc_handler = proc_tcp_early_demux
657 },
658 {
659 .procname = "ip_default_ttl",
660 .data = &init_net.ipv4.sysctl_ip_default_ttl,
661 .maxlen = sizeof(int),
662 .mode = 0644,
663 .proc_handler = proc_dointvec_minmax,
664 .extra1 = &ip_ttl_min,
665 .extra2 = &ip_ttl_max,
666 },
667 {
668 .procname = "ip_local_port_range",
669 .maxlen = sizeof(init_net.ipv4.ip_local_ports.range),
670 .data = &init_net.ipv4.ip_local_ports.range,
671 .mode = 0644,
672 .proc_handler = ipv4_local_port_range,
673 },
674 {
675 .procname = "ip_local_reserved_ports",
676 .data = &init_net.ipv4.sysctl_local_reserved_ports,
677 .maxlen = 65536,
678 .mode = 0644,
679 .proc_handler = proc_do_large_bitmap,
680 },
681 {
682 .procname = "ip_no_pmtu_disc",
683 .data = &init_net.ipv4.sysctl_ip_no_pmtu_disc,
684 .maxlen = sizeof(int),
685 .mode = 0644,
686 .proc_handler = proc_dointvec
687 },
688 {
689 .procname = "ip_forward_use_pmtu",
690 .data = &init_net.ipv4.sysctl_ip_fwd_use_pmtu,
691 .maxlen = sizeof(int),
692 .mode = 0644,
693 .proc_handler = proc_dointvec,
694 },
695 {
696 .procname = "ip_forward_update_priority",
697 .data = &init_net.ipv4.sysctl_ip_fwd_update_priority,
698 .maxlen = sizeof(int),
699 .mode = 0644,
700 .proc_handler = ipv4_fwd_update_priority,
701 .extra1 = &zero,
702 .extra2 = &one,
703 },
704 {
705 .procname = "ip_nonlocal_bind",
706 .data = &init_net.ipv4.sysctl_ip_nonlocal_bind,
707 .maxlen = sizeof(int),
708 .mode = 0644,
709 .proc_handler = proc_dointvec
710 },
711 {
712 .procname = "fwmark_reflect",
713 .data = &init_net.ipv4.sysctl_fwmark_reflect,
714 .maxlen = sizeof(int),
715 .mode = 0644,
716 .proc_handler = proc_dointvec,
717 },
718 {
719 .procname = "tcp_fwmark_accept",
720 .data = &init_net.ipv4.sysctl_tcp_fwmark_accept,
721 .maxlen = sizeof(int),
722 .mode = 0644,
723 .proc_handler = proc_dointvec,
724 },
725#ifdef CONFIG_NET_L3_MASTER_DEV
726 {
727 .procname = "tcp_l3mdev_accept",
728 .data = &init_net.ipv4.sysctl_tcp_l3mdev_accept,
729 .maxlen = sizeof(int),
730 .mode = 0644,
731 .proc_handler = proc_dointvec_minmax,
732 .extra1 = &zero,
733 .extra2 = &one,
734 },
735#endif
736 {
737 .procname = "tcp_mtu_probing",
738 .data = &init_net.ipv4.sysctl_tcp_mtu_probing,
739 .maxlen = sizeof(int),
740 .mode = 0644,
741 .proc_handler = proc_dointvec,
742 },
743 {
744 .procname = "tcp_base_mss",
745 .data = &init_net.ipv4.sysctl_tcp_base_mss,
746 .maxlen = sizeof(int),
747 .mode = 0644,
748 .proc_handler = proc_dointvec,
749 },
750 {
751 .procname = "tcp_probe_threshold",
752 .data = &init_net.ipv4.sysctl_tcp_probe_threshold,
753 .maxlen = sizeof(int),
754 .mode = 0644,
755 .proc_handler = proc_dointvec,
756 },
757 {
758 .procname = "tcp_probe_interval",
759 .data = &init_net.ipv4.sysctl_tcp_probe_interval,
760 .maxlen = sizeof(u32),
761 .mode = 0644,
762 .proc_handler = proc_douintvec_minmax,
763 .extra2 = &u32_max_div_HZ,
764 },
765 {
766 .procname = "igmp_link_local_mcast_reports",
767 .data = &init_net.ipv4.sysctl_igmp_llm_reports,
768 .maxlen = sizeof(int),
769 .mode = 0644,
770 .proc_handler = proc_dointvec
771 },
772 {
773 .procname = "igmp_max_memberships",
774 .data = &init_net.ipv4.sysctl_igmp_max_memberships,
775 .maxlen = sizeof(int),
776 .mode = 0644,
777 .proc_handler = proc_dointvec
778 },
779 {
780 .procname = "igmp_max_msf",
781 .data = &init_net.ipv4.sysctl_igmp_max_msf,
782 .maxlen = sizeof(int),
783 .mode = 0644,
784 .proc_handler = proc_dointvec
785 },
786#ifdef CONFIG_IP_MULTICAST
787 {
788 .procname = "igmp_qrv",
789 .data = &init_net.ipv4.sysctl_igmp_qrv,
790 .maxlen = sizeof(int),
791 .mode = 0644,
792 .proc_handler = proc_dointvec_minmax,
793 .extra1 = &one
794 },
795#endif
796 {
797 .procname = "tcp_congestion_control",
798 .data = &init_net.ipv4.tcp_congestion_control,
799 .mode = 0644,
800 .maxlen = TCP_CA_NAME_MAX,
801 .proc_handler = proc_tcp_congestion_control,
802 },
803 {
804 .procname = "tcp_keepalive_time",
805 .data = &init_net.ipv4.sysctl_tcp_keepalive_time,
806 .maxlen = sizeof(int),
807 .mode = 0644,
808 .proc_handler = proc_dointvec_jiffies,
809 },
810 {
811 .procname = "tcp_keepalive_probes",
812 .data = &init_net.ipv4.sysctl_tcp_keepalive_probes,
813 .maxlen = sizeof(int),
814 .mode = 0644,
815 .proc_handler = proc_dointvec
816 },
817 {
818 .procname = "tcp_keepalive_intvl",
819 .data = &init_net.ipv4.sysctl_tcp_keepalive_intvl,
820 .maxlen = sizeof(int),
821 .mode = 0644,
822 .proc_handler = proc_dointvec_jiffies,
823 },
824 {
825 .procname = "tcp_syn_retries",
826 .data = &init_net.ipv4.sysctl_tcp_syn_retries,
827 .maxlen = sizeof(int),
828 .mode = 0644,
829 .proc_handler = proc_dointvec_minmax,
830 .extra1 = &tcp_syn_retries_min,
831 .extra2 = &tcp_syn_retries_max
832 },
833 {
834 .procname = "tcp_synack_retries",
835 .data = &init_net.ipv4.sysctl_tcp_synack_retries,
836 .maxlen = sizeof(int),
837 .mode = 0644,
838 .proc_handler = proc_dointvec
839 },
840#ifdef CONFIG_SYN_COOKIES
841 {
842 .procname = "tcp_syncookies",
843 .data = &init_net.ipv4.sysctl_tcp_syncookies,
844 .maxlen = sizeof(int),
845 .mode = 0644,
846 .proc_handler = proc_dointvec
847 },
848#endif
849 {
850 .procname = "tcp_reordering",
851 .data = &init_net.ipv4.sysctl_tcp_reordering,
852 .maxlen = sizeof(int),
853 .mode = 0644,
854 .proc_handler = proc_dointvec
855 },
856 {
857 .procname = "tcp_retries1",
858 .data = &init_net.ipv4.sysctl_tcp_retries1,
859 .maxlen = sizeof(int),
860 .mode = 0644,
861 .proc_handler = proc_dointvec_minmax,
862 .extra2 = &tcp_retr1_max
863 },
864 {
865 .procname = "tcp_retries2",
866 .data = &init_net.ipv4.sysctl_tcp_retries2,
867 .maxlen = sizeof(int),
868 .mode = 0644,
869 .proc_handler = proc_dointvec
870 },
871 {
872 .procname = "tcp_orphan_retries",
873 .data = &init_net.ipv4.sysctl_tcp_orphan_retries,
874 .maxlen = sizeof(int),
875 .mode = 0644,
876 .proc_handler = proc_dointvec
877 },
878 {
879 .procname = "tcp_fin_timeout",
880 .data = &init_net.ipv4.sysctl_tcp_fin_timeout,
881 .maxlen = sizeof(int),
882 .mode = 0644,
883 .proc_handler = proc_dointvec_jiffies,
884 },
885 {
886 .procname = "tcp_notsent_lowat",
887 .data = &init_net.ipv4.sysctl_tcp_notsent_lowat,
888 .maxlen = sizeof(unsigned int),
889 .mode = 0644,
890 .proc_handler = proc_douintvec,
891 },
892 {
893 .procname = "tcp_tw_reuse",
894 .data = &init_net.ipv4.sysctl_tcp_tw_reuse,
895 .maxlen = sizeof(int),
896 .mode = 0644,
897 .proc_handler = proc_dointvec_minmax,
898 .extra1 = &zero,
899 .extra2 = &two,
900 },
901 {
902 .procname = "tcp_max_tw_buckets",
903 .data = &init_net.ipv4.tcp_death_row.sysctl_max_tw_buckets,
904 .maxlen = sizeof(int),
905 .mode = 0644,
906 .proc_handler = proc_dointvec
907 },
908 {
909 .procname = "tcp_max_syn_backlog",
910 .data = &init_net.ipv4.sysctl_max_syn_backlog,
911 .maxlen = sizeof(int),
912 .mode = 0644,
913 .proc_handler = proc_dointvec
914 },
915 {
916 .procname = "tcp_fastopen",
917 .data = &init_net.ipv4.sysctl_tcp_fastopen,
918 .maxlen = sizeof(int),
919 .mode = 0644,
920 .proc_handler = proc_dointvec,
921 },
922 {
923 .procname = "tcp_fastopen_key",
924 .mode = 0600,
925 .data = &init_net.ipv4.sysctl_tcp_fastopen,
926 .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10),
927 .proc_handler = proc_tcp_fastopen_key,
928 },
929 {
930 .procname = "tcp_fastopen_blackhole_timeout_sec",
931 .data = &init_net.ipv4.sysctl_tcp_fastopen_blackhole_timeout,
932 .maxlen = sizeof(int),
933 .mode = 0644,
934 .proc_handler = proc_tfo_blackhole_detect_timeout,
935 .extra1 = &zero,
936 },
937#ifdef CONFIG_IP_ROUTE_MULTIPATH
938 {
939 .procname = "fib_multipath_use_neigh",
940 .data = &init_net.ipv4.sysctl_fib_multipath_use_neigh,
941 .maxlen = sizeof(int),
942 .mode = 0644,
943 .proc_handler = proc_dointvec_minmax,
944 .extra1 = &zero,
945 .extra2 = &one,
946 },
947 {
948 .procname = "fib_multipath_hash_policy",
949 .data = &init_net.ipv4.sysctl_fib_multipath_hash_policy,
950 .maxlen = sizeof(int),
951 .mode = 0644,
952 .proc_handler = proc_fib_multipath_hash_policy,
953 .extra1 = &zero,
954 .extra2 = &one,
955 },
956#endif
957 {
958 .procname = "ip_unprivileged_port_start",
959 .maxlen = sizeof(int),
960 .data = &init_net.ipv4.sysctl_ip_prot_sock,
961 .mode = 0644,
962 .proc_handler = ipv4_privileged_ports,
963 },
964#ifdef CONFIG_NET_L3_MASTER_DEV
965 {
966 .procname = "udp_l3mdev_accept",
967 .data = &init_net.ipv4.sysctl_udp_l3mdev_accept,
968 .maxlen = sizeof(int),
969 .mode = 0644,
970 .proc_handler = proc_dointvec_minmax,
971 .extra1 = &zero,
972 .extra2 = &one,
973 },
974#endif
975 {
976 .procname = "tcp_sack",
977 .data = &init_net.ipv4.sysctl_tcp_sack,
978 .maxlen = sizeof(int),
979 .mode = 0644,
980 .proc_handler = proc_dointvec
981 },
982 {
983 .procname = "tcp_window_scaling",
984 .data = &init_net.ipv4.sysctl_tcp_window_scaling,
985 .maxlen = sizeof(int),
986 .mode = 0644,
987 .proc_handler = proc_dointvec
988 },
989 {
990 .procname = "tcp_timestamps",
991 .data = &init_net.ipv4.sysctl_tcp_timestamps,
992 .maxlen = sizeof(int),
993 .mode = 0644,
994 .proc_handler = proc_dointvec
995 },
996 {
997 .procname = "tcp_early_retrans",
998 .data = &init_net.ipv4.sysctl_tcp_early_retrans,
999 .maxlen = sizeof(int),
1000 .mode = 0644,
1001 .proc_handler = proc_dointvec_minmax,
1002 .extra1 = &zero,
1003 .extra2 = &four,
1004 },
1005 {
1006 .procname = "tcp_recovery",
1007 .data = &init_net.ipv4.sysctl_tcp_recovery,
1008 .maxlen = sizeof(int),
1009 .mode = 0644,
1010 .proc_handler = proc_dointvec,
1011 },
1012 {
1013 .procname = "tcp_thin_linear_timeouts",
1014 .data = &init_net.ipv4.sysctl_tcp_thin_linear_timeouts,
1015 .maxlen = sizeof(int),
1016 .mode = 0644,
1017 .proc_handler = proc_dointvec
1018 },
1019 {
1020 .procname = "tcp_slow_start_after_idle",
1021 .data = &init_net.ipv4.sysctl_tcp_slow_start_after_idle,
1022 .maxlen = sizeof(int),
1023 .mode = 0644,
1024 .proc_handler = proc_dointvec
1025 },
1026 {
1027 .procname = "tcp_retrans_collapse",
1028 .data = &init_net.ipv4.sysctl_tcp_retrans_collapse,
1029 .maxlen = sizeof(int),
1030 .mode = 0644,
1031 .proc_handler = proc_dointvec
1032 },
1033 {
1034 .procname = "tcp_stdurg",
1035 .data = &init_net.ipv4.sysctl_tcp_stdurg,
1036 .maxlen = sizeof(int),
1037 .mode = 0644,
1038 .proc_handler = proc_dointvec
1039 },
1040 {
1041 .procname = "tcp_rfc1337",
1042 .data = &init_net.ipv4.sysctl_tcp_rfc1337,
1043 .maxlen = sizeof(int),
1044 .mode = 0644,
1045 .proc_handler = proc_dointvec
1046 },
1047 {
1048 .procname = "tcp_abort_on_overflow",
1049 .data = &init_net.ipv4.sysctl_tcp_abort_on_overflow,
1050 .maxlen = sizeof(int),
1051 .mode = 0644,
1052 .proc_handler = proc_dointvec
1053 },
1054 {
1055 .procname = "tcp_fack",
1056 .data = &init_net.ipv4.sysctl_tcp_fack,
1057 .maxlen = sizeof(int),
1058 .mode = 0644,
1059 .proc_handler = proc_dointvec
1060 },
1061 {
1062 .procname = "tcp_max_reordering",
1063 .data = &init_net.ipv4.sysctl_tcp_max_reordering,
1064 .maxlen = sizeof(int),
1065 .mode = 0644,
1066 .proc_handler = proc_dointvec
1067 },
1068 {
1069 .procname = "tcp_dsack",
1070 .data = &init_net.ipv4.sysctl_tcp_dsack,
1071 .maxlen = sizeof(int),
1072 .mode = 0644,
1073 .proc_handler = proc_dointvec
1074 },
1075 {
1076 .procname = "tcp_app_win",
1077 .data = &init_net.ipv4.sysctl_tcp_app_win,
1078 .maxlen = sizeof(int),
1079 .mode = 0644,
1080 .proc_handler = proc_dointvec
1081 },
1082 {
1083 .procname = "tcp_adv_win_scale",
1084 .data = &init_net.ipv4.sysctl_tcp_adv_win_scale,
1085 .maxlen = sizeof(int),
1086 .mode = 0644,
1087 .proc_handler = proc_dointvec_minmax,
1088 .extra1 = &tcp_adv_win_scale_min,
1089 .extra2 = &tcp_adv_win_scale_max,
1090 },
1091 {
1092 .procname = "tcp_frto",
1093 .data = &init_net.ipv4.sysctl_tcp_frto,
1094 .maxlen = sizeof(int),
1095 .mode = 0644,
1096 .proc_handler = proc_dointvec
1097 },
1098 {
1099 .procname = "tcp_no_metrics_save",
1100 .data = &init_net.ipv4.sysctl_tcp_nometrics_save,
1101 .maxlen = sizeof(int),
1102 .mode = 0644,
1103 .proc_handler = proc_dointvec,
1104 },
1105 {
1106 .procname = "tcp_moderate_rcvbuf",
1107 .data = &init_net.ipv4.sysctl_tcp_moderate_rcvbuf,
1108 .maxlen = sizeof(int),
1109 .mode = 0644,
1110 .proc_handler = proc_dointvec,
1111 },
1112 {
1113 .procname = "tcp_tso_win_divisor",
1114 .data = &init_net.ipv4.sysctl_tcp_tso_win_divisor,
1115 .maxlen = sizeof(int),
1116 .mode = 0644,
1117 .proc_handler = proc_dointvec,
1118 },
1119 {
1120 .procname = "tcp_workaround_signed_windows",
1121 .data = &init_net.ipv4.sysctl_tcp_workaround_signed_windows,
1122 .maxlen = sizeof(int),
1123 .mode = 0644,
1124 .proc_handler = proc_dointvec
1125 },
1126 {
1127 .procname = "tcp_limit_output_bytes",
1128 .data = &init_net.ipv4.sysctl_tcp_limit_output_bytes,
1129 .maxlen = sizeof(int),
1130 .mode = 0644,
1131 .proc_handler = proc_dointvec
1132 },
1133 {
1134 .procname = "tcp_challenge_ack_limit",
1135 .data = &init_net.ipv4.sysctl_tcp_challenge_ack_limit,
1136 .maxlen = sizeof(int),
1137 .mode = 0644,
1138 .proc_handler = proc_dointvec
1139 },
1140 {
1141 .procname = "tcp_min_tso_segs",
1142 .data = &init_net.ipv4.sysctl_tcp_min_tso_segs,
1143 .maxlen = sizeof(int),
1144 .mode = 0644,
1145 .proc_handler = proc_dointvec_minmax,
1146 .extra1 = &one,
1147 .extra2 = &gso_max_segs,
1148 },
1149 {
1150 .procname = "tcp_min_rtt_wlen",
1151 .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen,
1152 .maxlen = sizeof(int),
1153 .mode = 0644,
1154 .proc_handler = proc_dointvec
1155 },
1156 {
1157 .procname = "tcp_autocorking",
1158 .data = &init_net.ipv4.sysctl_tcp_autocorking,
1159 .maxlen = sizeof(int),
1160 .mode = 0644,
1161 .proc_handler = proc_dointvec_minmax,
1162 .extra1 = &zero,
1163 .extra2 = &one,
1164 },
1165 {
1166 .procname = "tcp_invalid_ratelimit",
1167 .data = &init_net.ipv4.sysctl_tcp_invalid_ratelimit,
1168 .maxlen = sizeof(int),
1169 .mode = 0644,
1170 .proc_handler = proc_dointvec_ms_jiffies,
1171 },
1172 {
1173 .procname = "tcp_pacing_ss_ratio",
1174 .data = &init_net.ipv4.sysctl_tcp_pacing_ss_ratio,
1175 .maxlen = sizeof(int),
1176 .mode = 0644,
1177 .proc_handler = proc_dointvec_minmax,
1178 .extra1 = &zero,
1179 .extra2 = &thousand,
1180 },
1181 {
1182 .procname = "tcp_pacing_ca_ratio",
1183 .data = &init_net.ipv4.sysctl_tcp_pacing_ca_ratio,
1184 .maxlen = sizeof(int),
1185 .mode = 0644,
1186 .proc_handler = proc_dointvec_minmax,
1187 .extra1 = &zero,
1188 .extra2 = &thousand,
1189 },
1190 {
1191 .procname = "tcp_wmem",
1192 .data = &init_net.ipv4.sysctl_tcp_wmem,
1193 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_wmem),
1194 .mode = 0644,
1195 .proc_handler = proc_dointvec_minmax,
1196 .extra1 = &one,
1197 },
1198 {
1199 .procname = "tcp_rmem",
1200 .data = &init_net.ipv4.sysctl_tcp_rmem,
1201 .maxlen = sizeof(init_net.ipv4.sysctl_tcp_rmem),
1202 .mode = 0644,
1203 .proc_handler = proc_dointvec_minmax,
1204 .extra1 = &one,
1205 },
1206 {
1207 .procname = "tcp_comp_sack_delay_ns",
1208 .data = &init_net.ipv4.sysctl_tcp_comp_sack_delay_ns,
1209 .maxlen = sizeof(unsigned long),
1210 .mode = 0644,
1211 .proc_handler = proc_doulongvec_minmax,
1212 },
1213 {
1214 .procname = "tcp_comp_sack_nr",
1215 .data = &init_net.ipv4.sysctl_tcp_comp_sack_nr,
1216 .maxlen = sizeof(int),
1217 .mode = 0644,
1218 .proc_handler = proc_dointvec_minmax,
1219 .extra1 = &zero,
1220 .extra2 = &comp_sack_nr_max,
1221 },
1222 {
1223 .procname = "udp_rmem_min",
1224 .data = &init_net.ipv4.sysctl_udp_rmem_min,
1225 .maxlen = sizeof(init_net.ipv4.sysctl_udp_rmem_min),
1226 .mode = 0644,
1227 .proc_handler = proc_dointvec_minmax,
1228 .extra1 = &one
1229 },
1230 {
1231 .procname = "udp_wmem_min",
1232 .data = &init_net.ipv4.sysctl_udp_wmem_min,
1233 .maxlen = sizeof(init_net.ipv4.sysctl_udp_wmem_min),
1234 .mode = 0644,
1235 .proc_handler = proc_dointvec_minmax,
1236 .extra1 = &one
1237 },
1238 { }
1239};
1240
1241static __net_init int ipv4_sysctl_init_net(struct net *net)
1242{
1243 struct ctl_table *table;
1244
1245 table = ipv4_net_table;
1246 if (!net_eq(net, &init_net)) {
1247 int i;
1248
1249 table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL);
1250 if (!table)
1251 goto err_alloc;
1252
1253 /* Update the variables to point into the current struct net */
1254 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++)
1255 table[i].data += (void *)net - (void *)&init_net;
1256 }
1257
1258 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
1259 if (!net->ipv4.ipv4_hdr)
1260 goto err_reg;
1261
1262 net->ipv4.sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL);
1263 if (!net->ipv4.sysctl_local_reserved_ports)
1264 goto err_ports;
1265
1266 return 0;
1267
1268err_ports:
1269 unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
1270err_reg:
1271 if (!net_eq(net, &init_net))
1272 kfree(table);
1273err_alloc:
1274 return -ENOMEM;
1275}
1276
1277static __net_exit void ipv4_sysctl_exit_net(struct net *net)
1278{
1279 struct ctl_table *table;
1280
1281 kfree(net->ipv4.sysctl_local_reserved_ports);
1282 table = net->ipv4.ipv4_hdr->ctl_table_arg;
1283 unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
1284 kfree(table);
1285}
1286
1287static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
1288 .init = ipv4_sysctl_init_net,
1289 .exit = ipv4_sysctl_exit_net,
1290};
1291
1292static __init int sysctl_ipv4_init(void)
1293{
1294 struct ctl_table_header *hdr;
1295
1296 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table);
1297 if (!hdr)
1298 return -ENOMEM;
1299
1300 if (register_pernet_subsys(&ipv4_sysctl_ops)) {
1301 unregister_net_sysctl_table(hdr);
1302 return -ENOMEM;
1303 }
1304
1305 return 0;
1306}
1307
1308__initcall(sysctl_ipv4_init);
1309