tcp: Namespaceify sysctl_tcp_timestamps
Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
9bb37ef00e
commit
5d2ed0521a
|
@ -124,6 +124,7 @@ struct netns_ipv4 {
|
||||||
int sysctl_tcp_tw_reuse;
|
int sysctl_tcp_tw_reuse;
|
||||||
int sysctl_tcp_sack;
|
int sysctl_tcp_sack;
|
||||||
int sysctl_tcp_window_scaling;
|
int sysctl_tcp_window_scaling;
|
||||||
|
int sysctl_tcp_timestamps;
|
||||||
struct inet_timewait_death_row tcp_death_row;
|
struct inet_timewait_death_row tcp_death_row;
|
||||||
int sysctl_max_syn_backlog;
|
int sysctl_max_syn_backlog;
|
||||||
|
|
||||||
|
|
|
@ -8,10 +8,11 @@ u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
|
||||||
__be16 dport);
|
__be16 dport);
|
||||||
u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
|
u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
|
||||||
__be16 sport, __be16 dport);
|
__be16 sport, __be16 dport);
|
||||||
u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr);
|
u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr);
|
||||||
u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
|
u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
|
||||||
__be16 sport, __be16 dport);
|
__be16 sport, __be16 dport);
|
||||||
u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr);
|
u32 secure_tcpv6_ts_off(const struct net *net,
|
||||||
|
const __be32 *saddr, const __be32 *daddr);
|
||||||
u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
|
u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
|
||||||
__be16 sport, __be16 dport);
|
__be16 sport, __be16 dport);
|
||||||
u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
|
u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
|
||||||
|
|
|
@ -237,7 +237,6 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
|
||||||
|
|
||||||
|
|
||||||
/* sysctl variables for tcp */
|
/* sysctl variables for tcp */
|
||||||
extern int sysctl_tcp_timestamps;
|
|
||||||
extern int sysctl_tcp_fastopen;
|
extern int sysctl_tcp_fastopen;
|
||||||
extern int sysctl_tcp_retrans_collapse;
|
extern int sysctl_tcp_retrans_collapse;
|
||||||
extern int sysctl_tcp_stdurg;
|
extern int sysctl_tcp_stdurg;
|
||||||
|
@ -1869,7 +1868,7 @@ struct tcp_request_sock_ops {
|
||||||
struct dst_entry *(*route_req)(const struct sock *sk, struct flowi *fl,
|
struct dst_entry *(*route_req)(const struct sock *sk, struct flowi *fl,
|
||||||
const struct request_sock *req);
|
const struct request_sock *req);
|
||||||
u32 (*init_seq)(const struct sk_buff *skb);
|
u32 (*init_seq)(const struct sk_buff *skb);
|
||||||
u32 (*init_ts_off)(const struct sk_buff *skb);
|
u32 (*init_ts_off)(const struct net *net, const struct sk_buff *skb);
|
||||||
int (*send_synack)(const struct sock *sk, struct dst_entry *dst,
|
int (*send_synack)(const struct sock *sk, struct dst_entry *dst,
|
||||||
struct flowi *fl, struct request_sock *req,
|
struct flowi *fl, struct request_sock *req,
|
||||||
struct tcp_fastopen_cookie *foc,
|
struct tcp_fastopen_cookie *foc,
|
||||||
|
|
|
@ -51,7 +51,8 @@ static u32 seq_scale(u32 seq)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if IS_ENABLED(CONFIG_IPV6)
|
#if IS_ENABLED(CONFIG_IPV6)
|
||||||
u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr)
|
u32 secure_tcpv6_ts_off(const struct net *net,
|
||||||
|
const __be32 *saddr, const __be32 *daddr)
|
||||||
{
|
{
|
||||||
const struct {
|
const struct {
|
||||||
struct in6_addr saddr;
|
struct in6_addr saddr;
|
||||||
|
@ -61,7 +62,7 @@ u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr)
|
||||||
.daddr = *(struct in6_addr *)daddr,
|
.daddr = *(struct in6_addr *)daddr,
|
||||||
};
|
};
|
||||||
|
|
||||||
if (sysctl_tcp_timestamps != 1)
|
if (net->ipv4.sysctl_tcp_timestamps != 1)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
ts_secret_init();
|
ts_secret_init();
|
||||||
|
@ -113,9 +114,9 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef CONFIG_INET
|
#ifdef CONFIG_INET
|
||||||
u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr)
|
u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr)
|
||||||
{
|
{
|
||||||
if (sysctl_tcp_timestamps != 1)
|
if (net->ipv4.sysctl_tcp_timestamps != 1)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
ts_secret_init();
|
ts_secret_init();
|
||||||
|
|
|
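Review bot: The new `net->ipv4.sysctl_tcp_timestamps != 1` tests in secure_tcpv6_ts_off() and secure_tcp_ts_off() are plain loads of an int that a sysctl write can change at any moment, and the same field is read unannotated in cookie_timestamp_decode(), tcp_parse_options(), tcp_syn_options() and tcp_connect_init(). Marking each read, e.g. `if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)`, documents the lockless access and stops the compiler from re-loading the value. It matters most on the connect path, where tcp_connect_init() and tcp_syn_options() each read the field on their own and can disagree if it is flipped in between. Both function bodies here continue outside the hunks shown.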
@ -243,7 +243,7 @@ bool cookie_timestamp_decode(const struct net *net,
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!sysctl_tcp_timestamps)
|
if (!net->ipv4.sysctl_tcp_timestamps)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
tcp_opt->sack_ok = (options & TS_OPT_SACK) ? TCP_SACK_SEEN : 0;
|
tcp_opt->sack_ok = (options & TS_OPT_SACK) ? TCP_SACK_SEEN : 0;
|
||||||
|
@ -316,7 +316,9 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
|
||||||
tcp_parse_options(sock_net(sk), skb, &tcp_opt, 0, NULL);
|
tcp_parse_options(sock_net(sk), skb, &tcp_opt, 0, NULL);
|
||||||
|
|
||||||
if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
|
if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
|
||||||
tsoff = secure_tcp_ts_off(ip_hdr(skb)->daddr, ip_hdr(skb)->saddr);
|
tsoff = secure_tcp_ts_off(sock_net(sk),
|
||||||
|
ip_hdr(skb)->daddr,
|
||||||
|
ip_hdr(skb)->saddr);
|
||||||
tcp_opt.rcv_tsecr -= tsoff;
|
tcp_opt.rcv_tsecr -= tsoff;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -364,13 +364,6 @@ static int proc_tfo_blackhole_detect_timeout(struct ctl_table *table,
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct ctl_table ipv4_table[] = {
|
static struct ctl_table ipv4_table[] = {
|
||||||
{
|
|
||||||
.procname = "tcp_timestamps",
|
|
||||||
.data = &sysctl_tcp_timestamps,
|
|
||||||
.maxlen = sizeof(int),
|
|
||||||
.mode = 0644,
|
|
||||||
.proc_handler = proc_dointvec
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
.procname = "tcp_retrans_collapse",
|
.procname = "tcp_retrans_collapse",
|
||||||
.data = &sysctl_tcp_retrans_collapse,
|
.data = &sysctl_tcp_retrans_collapse,
|
||||||
|
@ -1116,6 +1109,13 @@ static struct ctl_table ipv4_net_table[] = {
|
||||||
.mode = 0644,
|
.mode = 0644,
|
||||||
.proc_handler = proc_dointvec
|
.proc_handler = proc_dointvec
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.procname = "tcp_timestamps",
|
||||||
|
.data = &init_net.ipv4.sysctl_tcp_timestamps,
|
||||||
|
.maxlen = sizeof(int),
|
||||||
|
.mode = 0644,
|
||||||
|
.proc_handler = proc_dointvec
|
||||||
|
},
|
||||||
{ }
|
{ }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
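Review bot: The `tcp_timestamps` entry added to ipv4_net_table keeps `.proc_handler = proc_dointvec`, which stores any int, while the readers in this commit distinguish only 0, 1 and "anything else": secure_tcp_ts_off() returns a zero offset unless the value is exactly 1, and the other sites only test for non-zero. A value such as 2 or -1, now settable per namespace, therefore leaves timestamps on with no randomised offset, and nothing at the entry says so. Either bound the value with `.proc_handler = proc_dointvec_minmax` and matching `.extra1`/`.extra2` limits, or add a comment above the entry such as `/* 0: off, 1: on with random per-connection offset, other: on with offset 0 */`. `.data = &init_net.ipv4.sysctl_tcp_timestamps` presumably relies on the table's per-namespace registration, which is outside this hunk, to rebase the pointer for non-initial namespaces; that is worth confirming.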
@ -76,7 +76,6 @@
|
||||||
#include <asm/unaligned.h>
|
#include <asm/unaligned.h>
|
||||||
#include <linux/errqueue.h>
|
#include <linux/errqueue.h>
|
||||||
|
|
||||||
int sysctl_tcp_timestamps __read_mostly = 1;
|
|
||||||
int sysctl_tcp_fack __read_mostly;
|
int sysctl_tcp_fack __read_mostly;
|
||||||
int sysctl_tcp_max_reordering __read_mostly = 300;
|
int sysctl_tcp_max_reordering __read_mostly = 300;
|
||||||
int sysctl_tcp_dsack __read_mostly = 1;
|
int sysctl_tcp_dsack __read_mostly = 1;
|
||||||
|
@ -3780,7 +3779,7 @@ void tcp_parse_options(const struct net *net,
|
||||||
case TCPOPT_TIMESTAMP:
|
case TCPOPT_TIMESTAMP:
|
||||||
if ((opsize == TCPOLEN_TIMESTAMP) &&
|
if ((opsize == TCPOLEN_TIMESTAMP) &&
|
||||||
((estab && opt_rx->tstamp_ok) ||
|
((estab && opt_rx->tstamp_ok) ||
|
||||||
(!estab && sysctl_tcp_timestamps))) {
|
(!estab && net->ipv4.sysctl_tcp_timestamps))) {
|
||||||
opt_rx->saw_tstamp = 1;
|
opt_rx->saw_tstamp = 1;
|
||||||
opt_rx->rcv_tsval = get_unaligned_be32(ptr);
|
opt_rx->rcv_tsval = get_unaligned_be32(ptr);
|
||||||
opt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4);
|
opt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4);
|
||||||
|
@ -6352,7 +6351,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
|
||||||
goto drop_and_free;
|
goto drop_and_free;
|
||||||
|
|
||||||
if (tmp_opt.tstamp_ok)
|
if (tmp_opt.tstamp_ok)
|
||||||
tcp_rsk(req)->ts_off = af_ops->init_ts_off(skb);
|
tcp_rsk(req)->ts_off = af_ops->init_ts_off(net, skb);
|
||||||
|
|
||||||
if (!want_cookie && !isn) {
|
if (!want_cookie && !isn) {
|
||||||
/* Kill the following clause, if you dislike this way. */
|
/* Kill the following clause, if you dislike this way. */
|
||||||
|
|
|
@ -102,10 +102,9 @@ static u32 tcp_v4_init_seq(const struct sk_buff *skb)
|
||||||
tcp_hdr(skb)->source);
|
tcp_hdr(skb)->source);
|
||||||
}
|
}
|
||||||
|
|
||||||
static u32 tcp_v4_init_ts_off(const struct sk_buff *skb)
|
static u32 tcp_v4_init_ts_off(const struct net *net, const struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
return secure_tcp_ts_off(ip_hdr(skb)->daddr,
|
return secure_tcp_ts_off(net, ip_hdr(skb)->daddr, ip_hdr(skb)->saddr);
|
||||||
ip_hdr(skb)->saddr);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
|
int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
|
||||||
|
@ -242,7 +241,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
|
||||||
inet->inet_daddr,
|
inet->inet_daddr,
|
||||||
inet->inet_sport,
|
inet->inet_sport,
|
||||||
usin->sin_port);
|
usin->sin_port);
|
||||||
tp->tsoffset = secure_tcp_ts_off(inet->inet_saddr,
|
tp->tsoffset = secure_tcp_ts_off(sock_net(sk),
|
||||||
|
inet->inet_saddr,
|
||||||
inet->inet_daddr);
|
inet->inet_daddr);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2467,6 +2467,7 @@ static int __net_init tcp_sk_init(struct net *net)
|
||||||
net->ipv4.sysctl_max_syn_backlog = max(128, cnt / 256);
|
net->ipv4.sysctl_max_syn_backlog = max(128, cnt / 256);
|
||||||
net->ipv4.sysctl_tcp_sack = 1;
|
net->ipv4.sysctl_tcp_sack = 1;
|
||||||
net->ipv4.sysctl_tcp_window_scaling = 1;
|
net->ipv4.sysctl_tcp_window_scaling = 1;
|
||||||
|
net->ipv4.sysctl_tcp_timestamps = 1;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
fail:
|
fail:
|
||||||
|
|
|
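Review bot: `net->ipv4.sysctl_tcp_timestamps = 1;` in tcp_sk_init() gives every new network namespace the built-in default, so a host where the administrator turned timestamps off no longer has that choice applied to namespaces created afterwards. Under the old global the setting covered all namespaces, and neither the commit message nor the code mentions the change. A short comment here, such as `/* per-netns default, not inherited from init_net */`, plus a line in the sysctl documentation, would tell operators to set the value inside each namespace. tcp_sk_init() starts and ends outside the hunk.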
@ -569,7 +569,7 @@ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb,
|
||||||
opts->mss = tcp_advertise_mss(sk);
|
opts->mss = tcp_advertise_mss(sk);
|
||||||
remaining -= TCPOLEN_MSS_ALIGNED;
|
remaining -= TCPOLEN_MSS_ALIGNED;
|
||||||
|
|
||||||
if (likely(sysctl_tcp_timestamps && !*md5)) {
|
if (likely(sock_net(sk)->ipv4.sysctl_tcp_timestamps && !*md5)) {
|
||||||
opts->options |= OPTION_TS;
|
opts->options |= OPTION_TS;
|
||||||
opts->tsval = tcp_skb_timestamp(skb) + tp->tsoffset;
|
opts->tsval = tcp_skb_timestamp(skb) + tp->tsoffset;
|
||||||
opts->tsecr = tp->rx_opt.ts_recent;
|
opts->tsecr = tp->rx_opt.ts_recent;
|
||||||
|
@ -3271,8 +3271,9 @@ static void tcp_connect_init(struct sock *sk)
|
||||||
/* We'll fix this up when we get a response from the other end.
|
/* We'll fix this up when we get a response from the other end.
|
||||||
* See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT.
|
* See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT.
|
||||||
*/
|
*/
|
||||||
tp->tcp_header_len = sizeof(struct tcphdr) +
|
tp->tcp_header_len = sizeof(struct tcphdr);
|
||||||
(sysctl_tcp_timestamps ? TCPOLEN_TSTAMP_ALIGNED : 0);
|
if (sock_net(sk)->ipv4.sysctl_tcp_timestamps)
|
||||||
|
tp->tcp_header_len += TCPOLEN_TSTAMP_ALIGNED;
|
||||||
|
|
||||||
#ifdef CONFIG_TCP_MD5SIG
|
#ifdef CONFIG_TCP_MD5SIG
|
||||||
if (tp->af_specific->md5_lookup(sk, sk))
|
if (tp->af_specific->md5_lookup(sk, sk))
|
||||||
|
|
|
@ -165,7 +165,8 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
|
||||||
tcp_parse_options(sock_net(sk), skb, &tcp_opt, 0, NULL);
|
tcp_parse_options(sock_net(sk), skb, &tcp_opt, 0, NULL);
|
||||||
|
|
||||||
if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
|
if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
|
||||||
tsoff = secure_tcpv6_ts_off(ipv6_hdr(skb)->daddr.s6_addr32,
|
tsoff = secure_tcpv6_ts_off(sock_net(sk),
|
||||||
|
ipv6_hdr(skb)->daddr.s6_addr32,
|
||||||
ipv6_hdr(skb)->saddr.s6_addr32);
|
ipv6_hdr(skb)->saddr.s6_addr32);
|
||||||
tcp_opt.rcv_tsecr -= tsoff;
|
tcp_opt.rcv_tsecr -= tsoff;
|
||||||
}
|
}
|
||||||
|
|
|
@ -109,9 +109,9 @@ static u32 tcp_v6_init_seq(const struct sk_buff *skb)
|
||||||
tcp_hdr(skb)->source);
|
tcp_hdr(skb)->source);
|
||||||
}
|
}
|
||||||
|
|
||||||
static u32 tcp_v6_init_ts_off(const struct sk_buff *skb)
|
static u32 tcp_v6_init_ts_off(const struct net *net, const struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
return secure_tcpv6_ts_off(ipv6_hdr(skb)->daddr.s6_addr32,
|
return secure_tcpv6_ts_off(net, ipv6_hdr(skb)->daddr.s6_addr32,
|
||||||
ipv6_hdr(skb)->saddr.s6_addr32);
|
ipv6_hdr(skb)->saddr.s6_addr32);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -292,7 +292,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
|
||||||
sk->sk_v6_daddr.s6_addr32,
|
sk->sk_v6_daddr.s6_addr32,
|
||||||
inet->inet_sport,
|
inet->inet_sport,
|
||||||
inet->inet_dport);
|
inet->inet_dport);
|
||||||
tp->tsoffset = secure_tcpv6_ts_off(np->saddr.s6_addr32,
|
tp->tsoffset = secure_tcpv6_ts_off(sock_net(sk),
|
||||||
|
np->saddr.s6_addr32,
|
||||||
sk->sk_v6_daddr.s6_addr32);
|
sk->sk_v6_daddr.s6_addr32);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|