kernel/include/net/netns/ipv4.h, branch linux-5.2.y Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.2.y 2019-06-16T01:47:31Z tcp: add tcp_min_snd_mss sysctl 2019-06-16T01:47:31Z Eric Dumazet edumazet@google.com 2019-06-06T16:15:31Z urn:sha1:5f3e2bf008c2221478101ee72f5cb4654b9fc363 Some TCP peers announce a very small MSS option in their SYN and/or SYN/ACK messages. This forces the stack to send packets with a very high network/cpu overhead. Linux has enforced a minimal value of 48. Since this value includes the size of TCP options, and that the options can consume up to 40 bytes, this means that each segment can include only 8 bytes of payload. In some cases, it can be useful to increase the minimal value to a saner value. We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility reasons. Note that TCP_MAXSEG socket option enforces a minimal value of (TCP_MIN_MSS). David Miller increased this minimal value in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.") from 64 to 88. We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS. CVE-2019-11479 -- tcp mss hardcoded to 48 Signed-off-by: Eric Dumazet <edumazet@google.com> Suggested-by: Jonathan Looney <jtl@netflix.com> Acked-by: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Tyler Hicks <tyhicks@canonical.com> Cc: Bruce Curtis <brucec@netflix.com> Cc: Jonathan Lemon <jonathan.lemon@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> inet: switch IP ID generator to siphash 2019-03-27T21:29:26Z Eric Dumazet edumazet@google.com 2019-03-27T19:40:33Z urn:sha1:df453700e8d81b1bdafdf684365ee2b9431fb702 According to Amit Klein and Benny Pinkas, IP ID generation is too weak and might be used by attackers. Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) having 64bit key and Jenkins hash is risky. It is time to switch to siphash and its 128bit keys. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Amit Klein <aksecurity@gmail.com> Reported-by: Benny Pinkas <benny@pinkas.net> Signed-off-by: David S. Miller <davem@davemloft.net> net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs 2018-11-08T00:12:38Z Mike Manning mmanning@vyatta.att-mail.com 2018-11-07T15:36:05Z urn:sha1:6897445fb194c8ad046df4a13e1ee9f080a5a21e Add a sysctl raw_l3mdev_accept to control raw socket lookup in a manner similar to use of tcp_l3mdev_accept for stream and of udp_l3mdev_accept for datagram sockets. Have this default to enabled for reasons of backwards compatibility. This is so as to specify the output device with cmsg and IP_PKTINFO, but using a socket not bound to the corresponding VRF. This allows e.g. older ping implementations to be run with specifying the device but without executing it in the VRF. If the option is disabled, packets received in a VRF context are only handled by a raw socket bound to the VRF, and correspondingly packets in the default VRF are only handled by a socket not bound to any VRF. Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com> Reviewed-by: David Ahern <dsahern@gmail.com> Tested-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> net: ipv4: Control SKB reprioritization after forwarding 2018-08-01T16:52:30Z Petr Machata petrm@mellanox.com 2018-07-31T22:36:03Z urn:sha1:432e05d328921c68c35bfdeff7d7b7400b8e3d1a After IPv4 packets are forwarded, the priority of the corresponding SKB is updated according to the TOS field of IPv4 header. This overrides any prioritization done earlier by e.g. an skbedit action or ingress-qos-map defined at a vlan device. Such overriding may not always be desirable. Even if the packet ends up being routed, which implies this is an L3 network node, an administrator may wish to preserve whatever prioritization was done earlier on in the pipeline. Therefore introduce a sysctl that controls this behavior. Keep the default value at 1 to maintain backward-compatible behavior. Signed-off-by: Petr Machata <petrm@mellanox.com> Reviewed-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> tcp: add tcp_comp_sack_nr sysctl 2018-05-18T15:40:27Z Eric Dumazet edumazet@google.com 2018-05-17T21:47:29Z urn:sha1:9c21d2fc41c0c8930600c9dd83eadac2e336fcfa This per netns sysctl allows for TCP SACK compression fine-tuning. This limits number of SACK that can be compressed. Using 0 disables SACK compression. Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> tcp: add tcp_comp_sack_delay_ns sysctl 2018-05-18T15:40:27Z Eric Dumazet edumazet@google.com 2018-05-17T21:47:28Z urn:sha1:6d82aa242092d73c6d2e210cfaf0ebfbe6de1ccf This per netns sysctl allows for TCP SACK compression fine-tuning. Its default value is 1,000,000, or 1 ms to meet TSO autosizing period. Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net: Replace ip_ra_lock with per-net mutex 2018-03-22T19:12:56Z Kirill Tkhai ktkhai@virtuozzo.com 2018-03-22T09:45:40Z urn:sha1:d9ff3049739e349b5380b96226f9ad766741773d Since ra_chain is per-net, we may use per-net mutexes to protect them in ip_ra_control(). This improves scalability. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> net: Make ip_ra_chain per struct net 2018-03-22T19:12:56Z Kirill Tkhai ktkhai@virtuozzo.com 2018-03-22T09:45:32Z urn:sha1:5796ef75ec7b6019eac88f66751d663d537a5cd3 This is optimization, which makes ip_call_ra_chain() iterate less sockets to find the sockets it's looking for. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> udp: Move the udp sysctl to namespace. 2018-03-16T16:03:30Z Tonghao Zhang xiangxia.m.yue@gmail.com 2018-03-14T04:57:16Z urn:sha1:1e8029515816f771b9b3751f24f19fe6df4c72ae This patch moves the udp_rmem_min, udp_wmem_min to namespace and init the udp_l3mdev_accept explicitly. The udp_rmem_min/udp_wmem_min affect udp rx/tx queue, with this patch namespaces can set them differently. Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> ipv6: route: dissect flow in input path if fib rules need it 2018-03-01T03:44:44Z Roopa Prabhu roopa@cumulusnetworks.com 2018-03-01T03:42:41Z urn:sha1:e37b1e978bec5334dc379d8c2423d063af207430 Dissect flow in fwd path if fib rules require it. Controlled by a flag to avoid penatly for the common case. Flag is set when fib rules with sport, dport and proto match that require flow dissect are installed. Also passes the dissected hash keys to the multipath hash function when applicable to avoid dissecting the flow again. icmp packets will continue to use inner header for hash calculations (Thanks to Nikolay Aleksandrov for some review here). Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com> Acked-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>