License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information in it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
   SPDX license identifier                              # files
   ---------------------------------------------------|-------
   GPL-2.0                                                11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
   SPDX license identifier                              # files
   ---------------------------------------------------|-------
   GPL-2.0 WITH Linux-syscall-note                          930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
   SPDX license identifier                              # files
   ---------------------------------------------------|-------
   GPL-2.0 WITH Linux-syscall-note                          270
   GPL-2.0+ WITH Linux-syscall-note                         169
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause)       21
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)       17
   LGPL-2.1+ WITH Linux-syscall-note                         15
   GPL-1.0+ WITH Linux-syscall-note                          14
   ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause)       5
   LGPL-2.0+ WITH Linux-syscall-note                          4
   LGPL-2.1 WITH Linux-syscall-note                           3
   ((GPL-2.0 WITH Linux-syscall-note) OR MIT)                 3
   ((GPL-2.0 WITH Linux-syscall-note) AND MIT)                1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 22:07:57 +08:00  /* SPDX-License-Identifier: GPL-2.0 */
2007-12-17 05:29:36 +08:00  /*
                             * ipv4 in net namespaces
                             */

                            #ifndef __NETNS_IPV4_H__
                            #define __NETNS_IPV4_H__
2008-01-10 19:27:51 +08:00
2012-05-25 00:34:21 +08:00  #include <linux/uidgid.h>
2008-01-22 22:02:14 +08:00  #include <net/inet_frag.h>
2015-03-05 07:02:44 +08:00  #include <linux/rcupdate.h>
2008-01-22 22:02:14 +08:00
2012-07-10 15:49:14 +08:00  struct tcpm_hash_bucket;
2007-12-17 05:31:47 +08:00  struct ctl_table_header;
                            struct ipv4_devconf;
2008-01-10 19:27:51 +08:00  struct fib_rules_ops;
2008-01-10 19:28:24 +08:00  struct hlist_head;
2012-07-06 13:13:13 +08:00  struct fib_table;
2008-01-10 19:28:55 +08:00  struct sock;
2013-09-29 05:10:59 +08:00  struct local_ports {
                                    seqlock_t lock;
                                    int range[2];
2015-05-28 02:34:37 +08:00          bool warned;
2013-09-29 05:10:59 +08:00  };
2007-12-17 05:31:47 +08:00
2014-05-07 02:02:50 +08:00  struct ping_group_range {
                                    seqlock_t lock;
                                    kgid_t range[2];
                            };

2016-12-28 17:52:32 +08:00  struct inet_hashinfo;

                            struct inet_timewait_death_row {
                                    atomic_t tw_count;

                                    struct inet_hashinfo *hashinfo ____cacheline_aligned_in_smp;
                                    int sysctl_max_tw_buckets;
                            };

2017-09-27 11:35:42 +08:00  struct tcp_fastopen_context;

2007-12-17 05:29:36 +08:00  struct netns_ipv4 {
2008-01-06 15:08:49 +08:00  #ifdef CONFIG_SYSCTL
2007-12-17 05:31:47 +08:00          struct ctl_table_header *forw_hdr;
2008-01-22 22:08:36 +08:00          struct ctl_table_header *frags_hdr;
2008-03-26 16:56:24 +08:00          struct ctl_table_header *ipv4_hdr;
2008-07-06 10:02:33 +08:00          struct ctl_table_header *route_hdr;
2013-02-06 17:46:33 +08:00          struct ctl_table_header *xfrm4_hdr;
2008-01-06 15:08:49 +08:00  #endif
2007-12-17 05:31:47 +08:00          struct ipv4_devconf *devconf_all;
                                    struct ipv4_devconf *devconf_dflt;
2008-01-10 19:27:51 +08:00  #ifdef CONFIG_IP_MULTIPLE_TABLES
                                    struct fib_rules_ops *rules_ops;
2012-07-06 13:13:13 +08:00          bool fib_has_custom_rules;
2015-03-05 07:02:44 +08:00          struct fib_table __rcu *fib_main;
                                    struct fib_table __rcu *fib_default;
2012-07-06 13:13:13 +08:00  #endif
2017-09-22 09:18:23 +08:00          bool fib_has_custom_local_routes;
2012-07-06 13:13:13 +08:00  #ifdef CONFIG_IP_ROUTE_CLASSID
                                    int fib_num_tclassid_users;
2008-01-10 19:27:51 +08:00  #endif
2008-01-10 19:28:24 +08:00          struct hlist_head *fib_table_hash;
2015-03-06 13:21:18 +08:00          bool fib_offload_disabled;
2008-01-10 19:28:55 +08:00          struct sock *fibnl;
2008-01-22 22:02:14 +08:00
2015-01-30 07:58:09 +08:00          struct sock * __percpu *icmp_sk;
2015-02-26 01:58:35 +08:00          struct sock *mc_autojoin_sk;
2015-01-30 07:58:09 +08:00
2012-06-08 09:20:41 +08:00          struct inet_peer_base *peers;
2015-01-30 13:35:05 +08:00          struct sock * __percpu *tcp_sk;
2008-01-22 22:02:14 +08:00          struct netns_frags frags;
2008-01-31 20:03:23 +08:00  #ifdef CONFIG_NETFILTER
                                    struct xt_table *iptable_filter;
                                    struct xt_table *iptable_mangle;
                                    struct xt_table *iptable_raw;
2008-01-31 20:05:09 +08:00          struct xt_table *arptable_filter;
2010-01-18 15:08:37 +08:00  #ifdef CONFIG_SECURITY
2008-06-10 06:57:24 +08:00          struct xt_table *iptable_security;
2010-01-18 15:08:37 +08:00  #endif
2008-10-08 17:35:10 +08:00          struct xt_table *nat_table;
2008-01-31 20:03:23 +08:00  #endif
2008-03-26 16:55:37 +08:00
                                    int sysctl_icmp_echo_ignore_all;
                                    int sysctl_icmp_echo_ignore_broadcasts;
                                    int sysctl_icmp_ignore_bogus_error_responses;
                                    int sysctl_icmp_ratelimit;
                                    int sysctl_icmp_ratemask;
                                    int sysctl_icmp_errors_use_inbound_ifaddr;
2008-07-06 10:02:59 +08:00
2014-05-07 02:02:49 +08:00          struct local_ports ip_local_ports;
2013-09-29 05:10:59 +08:00
2013-01-06 00:10:48 +08:00          int sysctl_tcp_ecn;
tcp: add rfc3168, section 6.1.1.1. fallback
This work as a follow-up of commit f7b3bec6f516 ("net: allow setting ecn
via routing table") and adds RFC3168 section 6.1.1.1. fallback for outgoing
ECN connections. In other words, this work adds a retry with a non-ECN
setup SYN packet, as suggested from the RFC on the first timeout:
[...] A host that receives no reply to an ECN-setup SYN within the
normal SYN retransmission timeout interval MAY resend the SYN and
any subsequent SYN retransmissions with CWR and ECE cleared. [...]
Schematic client-side view when assuming the server is in tcp_ecn=2 mode,
that is, Linux default since 2009 via commit 255cac91c3c9 ("tcp: extend
ECN sysctl to allow server-side only ECN"):
1) Normal ECN-capable path:

   SYN ECE CWR ----->
               <----- SYN ACK ECE
           ACK ----->

2) Path with broken middlebox, when client has fallback:

   SYN ECE CWR ----X crappy middlebox drops packet
                     (timeout, rtx)
           SYN ----->
               <----- SYN ACK
           ACK ----->

In case we would not have the fallback implemented, the middlebox drop
point would basically end up as:

   SYN ECE CWR ----X crappy middlebox drops packet
                     (timeout, rtx)
   SYN ECE CWR ----X crappy middlebox drops packet
                     (timeout, rtx)
   SYN ECE CWR ----X crappy middlebox drops packet
                     (timeout, rtx)

In any case, it's rather a smaller percentage of sites where there would
occur such additional setup latency: it was found in end of 2014 that ~56%
of IPv4 and 65% of IPv6 servers of Alexa 1 million list would negotiate
ECN (aka tcp_ecn=2 default), 0.42% of these webservers will fail to connect
when trying to negotiate with ECN (tcp_ecn=1) due to timeouts, which the
fallback would mitigate with a slight latency trade-off. Recent related
paper on this topic:
Brian Trammell, Mirja Kühlewind, Damiano Boppart, Iain Learmonth,
Gorry Fairhurst, and Richard Scheffenegger:
"Enabling Internet-Wide Deployment of Explicit Congestion Notification."
Proc. PAM 2015, New York.
http://ecn.ethz.ch/ecn-pam15.pdf
Thus, when net.ipv4.tcp_ecn=1 is being set, the patch will perform RFC3168,
section 6.1.1.1. fallback on timeout. For users explicitly not wanting this
which can be in DC use case, we add a net.ipv4.tcp_ecn_fallback knob that
allows for disabling the fallback.
tp->ecn_flags are not being cleared in tcp_ecn_clear_syn() on output, but
rather we let tcp_ecn_rcv_synack() take that over on input path in case a
SYN ACK ECE was delayed. Thus a spurious SYN retransmission will not prevent
ECN being negotiated eventually in that case.
Reference: https://www.ietf.org/proceedings/92/slides/slides-92-iccrg-1.pdf
Reference: https://www.ietf.org/proceedings/89/slides/slides-89-tsvarea-1.pdf
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Signed-off-by: Brian Trammell <trammell@tik.ee.ethz.ch>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Dave That <dave.taht@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 03:04:22 +08:00          int sysctl_tcp_ecn_fallback;

2016-02-15 18:11:27 +08:00          int sysctl_ip_default_ttl;
2013-12-14 12:13:38 +08:00          int sysctl_ip_no_pmtu_disc;
2014-01-09 17:01:15 +08:00          int sysctl_ip_fwd_use_pmtu;
2014-09-05 21:09:03 +08:00          int sysctl_ip_nonlocal_bind;
2016-02-15 18:11:29 +08:00          /* Shall we try to damage output packets if routing dev changes? */
                                    int sysctl_ip_dynaddr;
2016-02-15 18:11:30 +08:00          int sysctl_ip_early_demux;
2017-03-24 03:34:16 +08:00          int sysctl_tcp_early_demux;
                                    int sysctl_udp_early_demux;
2013-01-06 00:10:48 +08:00
2014-05-14 01:17:33 +08:00          int sysctl_fwmark_reflect;
net: support marking accepting TCP sockets
When using mark-based routing, sockets returned from accept()
may need to be marked differently depending on the incoming
connection request.
This is the case, for example, if different socket marks identify
different networks: a listening socket may want to accept
connections from all networks, but each connection should be
marked with the network that the request came in on, so that
subsequent packets are sent on the correct network.
This patch adds a sysctl to mark TCP sockets based on the fwmark
of the incoming SYN packet. If enabled, and an unmarked socket
receives a SYN, then the SYN packet's fwmark is written to the
connection's inet_request_sock, and later written back to the
accepted socket when the connection is established. If the
socket already has a nonzero mark, then the behaviour is the same
as it is today, i.e., the listening socket's fwmark is used.
Black-box tested using user-mode linux:
- IPv4/IPv6 SYN+ACK, FIN, etc. packets are routed based on the
mark of the incoming SYN packet.
- The socket returned by accept() is marked with the mark of the
incoming SYN packet.
- Tested with syncookies=1 and syncookies=2.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-14 01:17:35 +08:00          int sysctl_tcp_fwmark_accept;
2015-12-17 05:20:44 +08:00  #ifdef CONFIG_NET_L3_MASTER_DEV
                                    int sysctl_tcp_l3mdev_accept;
                            #endif
2015-02-10 09:53:16 +08:00          int sysctl_tcp_mtu_probing;
                                    int sysctl_tcp_base_mss;
2015-03-06 11:18:23 +08:00          int sysctl_tcp_probe_threshold;
2015-03-06 11:18:24 +08:00          u32 sysctl_tcp_probe_interval;
2014-05-14 01:17:33 +08:00
2016-01-07 22:38:43 +08:00          int sysctl_tcp_keepalive_time;
2016-01-07 22:38:44 +08:00          int sysctl_tcp_keepalive_probes;
2016-01-07 22:38:45 +08:00          int sysctl_tcp_keepalive_intvl;
2016-01-07 22:38:43 +08:00
2016-02-03 15:46:49 +08:00          int sysctl_tcp_syn_retries;
2016-02-03 15:46:50 +08:00          int sysctl_tcp_synack_retries;
2016-02-03 15:46:51 +08:00          int sysctl_tcp_syncookies;
2016-02-03 15:46:52 +08:00          int sysctl_tcp_reordering;
2016-02-03 15:46:53 +08:00          int sysctl_tcp_retries1;
2016-02-03 15:46:54 +08:00          int sysctl_tcp_retries2;
2016-02-03 15:46:55 +08:00          int sysctl_tcp_orphan_retries;
2016-02-03 15:46:56 +08:00          int sysctl_tcp_fin_timeout;
2016-02-03 15:46:57 +08:00          unsigned int sysctl_tcp_notsent_lowat;
2016-12-25 14:33:16 +08:00          int sysctl_tcp_tw_reuse;
2017-06-08 01:34:37 +08:00          int sysctl_tcp_sack;
2017-06-08 01:34:38 +08:00          int sysctl_tcp_window_scaling;
2017-06-08 01:34:39 +08:00          int sysctl_tcp_timestamps;
2017-10-27 12:54:56 +08:00          int sysctl_tcp_early_retrans;
2017-10-27 12:54:57 +08:00          int sysctl_tcp_recovery;
2017-10-27 12:54:58 +08:00          int sysctl_tcp_thin_linear_timeouts;
2017-10-27 12:54:59 +08:00          int sysctl_tcp_slow_start_after_idle;
2017-10-27 12:55:00 +08:00          int sysctl_tcp_retrans_collapse;
2017-10-27 12:55:01 +08:00          int sysctl_tcp_stdurg;
2017-10-27 12:55:02 +08:00          int sysctl_tcp_rfc1337;
2017-10-27 12:55:03 +08:00          int sysctl_tcp_abort_on_overflow;
2017-10-27 12:55:04 +08:00          int sysctl_tcp_fack;
2017-10-27 12:55:06 +08:00          int sysctl_tcp_max_reordering;
2017-10-27 12:55:07 +08:00          int sysctl_tcp_dsack;
2017-10-27 12:55:08 +08:00          int sysctl_tcp_app_win;
2017-10-27 12:55:09 +08:00          int sysctl_tcp_adv_win_scale;
2017-10-27 12:55:10 +08:00          int sysctl_tcp_frto;
2017-10-27 22:47:21 +08:00          int sysctl_tcp_nometrics_save;
2017-10-27 22:47:22 +08:00          int sysctl_tcp_moderate_rcvbuf;
2017-10-27 22:47:23 +08:00          int sysctl_tcp_tso_win_divisor;
2017-10-27 22:47:24 +08:00          int sysctl_tcp_workaround_signed_windows;
2017-10-27 22:47:25 +08:00          int sysctl_tcp_limit_output_bytes;
2017-10-27 22:47:26 +08:00          int sysctl_tcp_challenge_ack_limit;
2017-10-27 22:47:27 +08:00          int sysctl_tcp_min_tso_segs;
2017-10-27 22:47:28 +08:00          int sysctl_tcp_min_rtt_wlen;
2017-10-27 22:47:29 +08:00          int sysctl_tcp_autocorking;
2017-10-27 22:47:30 +08:00          int sysctl_tcp_invalid_ratelimit;
2017-10-27 22:47:31 +08:00          int sysctl_tcp_pacing_ss_ratio;
2017-10-27 22:47:32 +08:00          int sysctl_tcp_pacing_ca_ratio;
2017-11-07 16:29:28 +08:00          int sysctl_tcp_wmem[3];
                                    int sysctl_tcp_rmem[3];
2016-12-28 17:52:32 +08:00          struct inet_timewait_death_row tcp_death_row;
2016-12-28 17:52:33 +08:00          int sysctl_max_syn_backlog;
2017-09-27 11:35:40 +08:00          int sysctl_tcp_fastopen;
2017-09-27 11:35:42 +08:00          struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
                                    spinlock_t tcp_fastopen_ctx_lock;
2017-09-27 11:35:43 +08:00          unsigned int sysctl_tcp_fastopen_blackhole_timeout;
                                    atomic_t tfo_active_disable_times;
                                    unsigned long tfo_active_disable_stamp;
2016-02-03 15:46:51 +08:00
2017-01-27 02:02:24 +08:00  #ifdef CONFIG_NET_L3_MASTER_DEV
                                    int sysctl_udp_l3mdev_accept;
                            #endif

2016-02-09 05:29:21 +08:00          int sysctl_igmp_max_memberships;
2016-02-09 05:29:22 +08:00          int sysctl_igmp_max_msf;
2016-02-09 06:13:50 +08:00          int sysctl_igmp_llm_reports;
2016-02-09 05:29:24 +08:00          int sysctl_igmp_qrv;
2016-02-09 05:29:21 +08:00
2014-05-07 02:02:50 +08:00          struct ping_group_range ping_group_range;
net: ipv4: add IPPROTO_ICMP socket kind
This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
without any special privileges. In other words, the patch makes it
possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
order not to increase the kernel's attack surface, the new functionality
is disabled by default, but is enabled at bootup by supporting Linux
distributions, optionally with restriction to a group or a group range
(see below).
Similar functionality is implemented in Mac OS X:
http://www.manpagez.com/man/4/icmp/
A new ping socket is created with
    socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
Message identifiers (octets 4-5 of ICMP header) are interpreted as local
ports. Addresses are stored in struct sockaddr_in. No port numbers are
reserved for privileged processes, port 0 is reserved for API ("let the
kernel pick a free number"). There is no notion of remote ports, remote
port numbers provided by the user (e.g. in connect()) are ignored.
Data sent and received include ICMP headers. This is deliberate to:
1) Avoid the need to transport headers values like sequence numbers by
other means.
2) Make it easier to port existing programs using raw sockets.
ICMP headers given to send() are checked and sanitized. The type must be
ICMP_ECHO and the code must be zero (future extensions might relax this,
see below). The id is set to the number (local port) of the socket, the
checksum is always recomputed.
ICMP reply packets received from the network are demultiplexed according
to their id's, and are returned by recv() without any modifications.
IP header information and ICMP errors of those packets may be obtained
via ancillary data (IP_RECVTTL, IP_RETOPTS, and IP_RECVERR). ICMP source
quenches and redirects are reported as fake errors via the error queue
(IP_RECVERR); the next hop address for redirects is saved to ee_info (in
network order).
socket(2) is restricted to the group range specified in
"/proc/sys/net/ipv4/ping_group_range". It is "1 0" by default, meaning
that nobody (not even root) may create ping sockets. Setting it to "100
100" would grant permissions to the single group (to either make
/sbin/ping g+s and owned by this group or to grant permissions to the
"netadmins" group), "0 4294967295" would enable it for the world, "100
4294967295" would enable it for the users, but not daemons.
The existing code might be (in the unlikely case anyone needs it)
extended rather easily to handle other similar pairs of ICMP messages
(Timestamp/Reply, Information Request/Reply, Address Mask Request/Reply
etc.).
Userspace ping util & patch for it:
http://openwall.info/wiki/people/segoon/ping
For Openwall GNU/*/Linux it was the last step on the road to the
setuid-less distro. A revision of this patch (for RHEL5/OpenVZ kernels)
is in use in Owl-current, such as in the 2011/03/12 LiveCD ISOs:
http://mirrors.kernel.org/openwall/Owl/current/iso/
Initially this functionality was written by Pavel Kankovsky for
Linux 2.4.32, but unfortunately it was never made public.
All ping options (-b, -p, -Q, -R, -s, -t, -T, -M, -I), are tested with
the patch.
PATCH v3:
- switched to flowi4.
- minor changes to be consistent with raw sockets code.
PATCH v2:
- changed ping_debug() to pr_debug().
- removed CONFIG_IP_PING.
- removed ping_seq_fops.owner field (unused for procfs).
- switched to proc_net_fops_create().
- switched to %pK in seq_printf().
PATCH v1:
- fixed checksumming bug.
- CAP_NET_RAW may not create icmp sockets anymore.
RFC v2:
- minor cleanups.
- introduced sysctl'able group range to restrict socket(2).
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-13 18:01:00 +08:00
2011-03-25 08:42:21 +08:00          atomic_t dev_addr_genid;
2009-01-22 12:56:15 +08:00
2014-05-13 07:04:53 +08:00  #ifdef CONFIG_SYSCTL
                                    unsigned long *sysctl_local_reserved_ports;
2017-01-21 09:49:11 +08:00          int sysctl_ip_prot_sock;
2014-05-13 07:04:53 +08:00  #endif

2009-01-22 12:56:15 +08:00  #ifdef CONFIG_IP_MROUTE
ipv4: ipmr: support multiple tables
This patch adds support for multiple independent multicast routing instances,
named "tables".
Userspace multicast routing daemons can bind to a specific table instance by
issuing a setsockopt call using a new option MRT_TABLE. The table number is
stored in the raw socket data and affects all following ipmr setsockopt(),
getsockopt() and ioctl() calls. By default, a single table (RT_TABLE_DEFAULT)
is created with a default routing rule pointing to it. Newly created pimreg
devices have the table number appended ("pimregX"), with the exception of
devices created in the default table, which are named just "pimreg" for
compatibility reasons.
Packets are directed to a specific table instance using routing rules,
similar to how regular routing rules work. Currently iif, oif and mark
are supported as keys, source and destination addresses could be supported
additionally.
Example usage:
- bind pimd/xorp/... to a specific table:
uint32_t table = 123;
setsockopt(fd, IPPROTO_IP, MRT_TABLE, &table, sizeof(table));
- create routing rules directing packets to the new table:
# ip mrule add iif eth0 lookup 123
# ip mrule add oif eth0 lookup 123
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-13 13:03:23 +08:00  #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
2010-04-13 13:03:22 +08:00          struct mr_table *mrt;
2010-04-13 13:03:23 +08:00  #else
                                    struct list_head mr_tables;
                                    struct fib_rules_ops *mr_rules_ops;
                            #endif
2016-04-07 22:21:00 +08:00  #endif
                            #ifdef CONFIG_IP_ROUTE_MULTIPATH
                                    int sysctl_fib_multipath_use_neigh;
2017-03-16 21:28:00 +08:00          int sysctl_fib_multipath_hash_policy;
2009-01-22 12:56:15 +08:00  #endif
2016-12-03 23:45:06 +08:00
2017-08-03 19:28:11 +08:00          struct fib_notifier_ops *notifier_ops;
2016-12-03 23:45:06 +08:00          unsigned int fib_seq; /* protected by rtnl_mutex */

2017-09-27 14:23:13 +08:00          struct fib_notifier_ops *ipmr_notifier_ops;
                                    unsigned int ipmr_seq; /* protected by rtnl_mutex */

2013-07-30 08:33:53 +08:00          atomic_t rt_genid;
2007-12-17 05:29:36 +08:00  };
                            #endif
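
The IPPROTO_ICMP commit message above describes two gates on ping sockets: the ping_group_range check applied at socket(2) time, and the sanitizing of ICMP headers handed to send(). The following is an added example, a userspace model of both checks; it is not the kernel's code and not part of the original page, and the function names and the sample packets are assumptions constructed for illustration.

```c
/* Added example: userspace model of the checks described in the IPPROTO_ICMP
 * commit message. Not kernel code; all function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP_ECHO    8   /* echo request type (RFC 792) */
#define ICMP_HDR_LEN 8   /* type, code, checksum, id, sequence */

/* RFC 1071 Internet checksum over len bytes, big-endian 16-bit words. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;      /* odd trailing byte, zero padded */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Is gid inside the inclusive "low high" range? With the default "1 0"
 * low exceeds high, so no gid (not even 0) matches. */
int ping_gid_allowed(const char *range, uint32_t gid)
{
    unsigned long long low, high;

    if (sscanf(range, "%llu %llu", &low, &high) != 2)
        return 0;                              /* unparsable: deny */
    if (low > UINT32_MAX || high > UINT32_MAX)
        return 0;
    return low <= gid && gid <= high;
}

/* Sanitize a caller-supplied ICMP message before it is sent: reject anything
 * but echo request / code 0, force the id to the socket's local port, and
 * recompute the checksum regardless of what the caller wrote.
 * Returns 0 on success, -1 if the message is rejected. */
int ping_sanitize(uint8_t *pkt, size_t len, uint16_t local_port)
{
    uint16_t csum;

    if (len < ICMP_HDR_LEN)
        return -1;
    if (pkt[0] != ICMP_ECHO || pkt[1] != 0)
        return -1;
    pkt[4] = (uint8_t)(local_port >> 8);       /* id lives in octets 4-5 */
    pkt[5] = (uint8_t)(local_port & 0xff);
    pkt[2] = pkt[3] = 0;                       /* zero the field, then recompute */
    csum = inet_csum(pkt, len);
    pkt[2] = (uint8_t)(csum >> 8);
    pkt[3] = (uint8_t)(csum & 0xff);
    return 0;
}

/* A message is consistent on the wire if the checksum over all of it is zero. */
int ping_csum_ok(const uint8_t *pkt, size_t len)
{
    return len >= ICMP_HDR_LEN && inet_csum(pkt, len) == 0;
}

int main(void)
{
    /* Constructed input: echo request with a caller-chosen id (0xbeef), a bogus
     * checksum (0xffff), sequence 1 and a 5-byte payload. */
    uint8_t pkt[] = { 8, 0, 0xff, 0xff, 0xbe, 0xef, 0, 1, 'h', 'e', 'l', 'l', 'o' };
    uint8_t reply[] = { 0, 0, 0, 0, 0, 0, 0, 1 };  /* echo reply: must be rejected */

    printf("default range, gid 0: %d\n", ping_gid_allowed("1 0", 0));
    printf("range 100-100, gid 100: %d\n", ping_gid_allowed("100 100", 100));
    printf("sanitize echo: %d\n", ping_sanitize(pkt, sizeof(pkt), 0x1234));
    printf("id now %02x%02x, checksum ok: %d\n", pkt[4], pkt[5],
           ping_csum_ok(pkt, sizeof(pkt)));
    printf("sanitize echo reply: %d\n", ping_sanitize(reply, sizeof(reply), 0x1234));
    return 0;
}
```

The model checks one gid against the range and leaves out everything else the kernel does around socket creation; it is meant for reasoning about a given ping_group_range setting and about which fields of a sent message the caller does not control.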