From patchwork Thu Aug 29 14:46:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Dumazet X-Patchwork-Id: 13783343 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B43E71B1418 for ; Thu, 29 Aug 2024 14:46:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724942813; cv=none; b=q+lYmd3466usWyweoM4VmM62Nb46R0DXjpUkycxw5pWpu/E5sBhBbUVtnuj3VWv8kMbQ5eEYuafbFTLFkhiNN7V8X6lwlnXKORYhuCVDhCzeqoG2bCzGg/Me7ImCgAbQebwz5DHlJKppN1eFOCiItHP+eZLjcUeOyZTRCKEqBB8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724942813; c=relaxed/simple; bh=4OE2aGBgG2nZ7aIpfhhwLjWANwH7jOqUo5bpUyTU3rQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=FC9d0b0ngi2wmSaIXOfhn5MAOQRDOste83PP5N9GBOwBh+Cz+RkWVDUFhzpGZsjjRkphWnM7IVR6wtPG+2I+sMIFvK8+hd3Z9PPDRdSMhZjNRe/g8CB2QZMyj3GANK9VpJ72q1Do84bvOXTchxxU0dtRQaMEoSd+/KUTrTvXnXk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--edumazet.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=p7avtr9t; arc=none smtp.client-ip=209.85.219.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--edumazet.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="p7avtr9t" Received: by mail-yb1-f202.google.com with SMTP id 3f1490d57ef6-e1166ecfacdso1383223276.1 for ; Thu, 29 Aug 2024 07:46:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1724942811; x=1725547611; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=ySiNPSOW6cMUAhrPmgMi6C/tYAcCH+NJfoKW7cgN0cA=; b=p7avtr9tWv4zsCOw7ohVVYLVDfCwMMbGreieGlc4T3/C5MD7YOcWszb647mzutylP0 DGRLnSPwk3m4NUOHwPNsagW3bCBpfjLwwpwzHeRwJAabMKPorBxstLiNYqC1Aas6rtDe nLlxXfYhEx0aBQp5Sjte36IUcKPbboageVXBj9XrT+rfohlHunQj3MSel1MhgArBeeCa u2nGXOXI/yduq1yHDfgPzRLcuURmlKirmyz/Agj+IQnmH3Gg56l/Lmdo24qjbJOvMgPw 0K35AHQD0QPbzVX+7sQGtlmO4vsCcD1O5zYEpJyn8bl1aU99LkwoVhcxumczSncUE0t7 81QA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724942811; x=1725547611; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ySiNPSOW6cMUAhrPmgMi6C/tYAcCH+NJfoKW7cgN0cA=; b=md3gLYP7rAQOMWpwXaVWN1P5OHpk2I5baPbEOlkgpaPsx9O+cNnkU6OVrQXjTXt2X2 edW4s03vYz9AR1swbYBqPZytPtnAAElx7oMPjxGKNhrBpM9zzoI3vG26Xhl6NrR8IVtP zO/luVGTHjruzcp0N1o2bB0sb3wKe0CfCKCJC+qIQ5AeiLavOcXkM5t2/Uw1uQYO37ch ZEXKjEPZh/Im59RMaRhbloS66w/S4z94nkKf/3Owc3JL4txLNfJoYBPPwo9wvNR0ZZwJ xeuZacLLbR2fXkkSi0ogEeRfhYF01lkytU/HouP0OKU6gqPGHxKEKR41hSYaCEOEnz1+ ZkOA== X-Forwarded-Encrypted: i=1; AJvYcCVeScUZBVdtMdMhvE5/lg58flRqOhSfDoAdE3cKMONksInAJZFqMbiWbrN4nz/qLKA6oBvc+CM=@vger.kernel.org X-Gm-Message-State: AOJu0YzezfOEI9mHrUiFi+WgzMvf8wjAgXfJ3M/4CBRELb7sOLgCGEU2 mcGXri38wO1MNcPrjblirlb9uUTXhGPPcwD5RdG6QXgB9cFSbVSRtvbXknIxOhbdx/qupaQz4v1 fx4Csuwj5Aw== X-Google-Smtp-Source: AGHT+IEZtSb9paxuNqGsZ4wCM7Ec2erg4Qnd3tx7UBrbQC6MRGSNED1oLMVZN/Yk1hYHWOzJTR4m0lXPe7W0gQ== X-Received: from edumazet1.c.googlers.com ([fda3:e722:ac3:cc00:2b:7d90:c0a8:395a]) (user=edumazet job=sendgmr) by 2002:a25:b205:0:b0:e0b:ab63:b9c7 with SMTP id 3f1490d57ef6-e1a5ae0a289mr5002276.7.1724942810396; Thu, 29 Aug 2024 07:46:50 -0700 (PDT) Date: Thu, 29 Aug 2024 14:46:41 +0000 In-Reply-To: <20240829144641.3880376-1-edumazet@google.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240829144641.3880376-1-edumazet@google.com> X-Mailer: git-send-email 2.46.0.295.g3b9ea8a38a-goog Message-ID: <20240829144641.3880376-4-edumazet@google.com> Subject: [PATCH v2 net-next 3/3] icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns From: Eric Dumazet To: "David S . Miller" , Jakub Kicinski , Paolo Abeni Cc: David Ahern , Willy Tarreau , Keyu Man , Jesper Dangaard Brouer , netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet X-Patchwork-Delegate: kuba@kernel.org Previous patch made ICMP rate limits per netns, it makes sense to allow each netns to change the associated sysctl. Signed-off-by: Eric Dumazet Reviewed-by: David Ahern --- include/net/ip.h | 3 --- include/net/netns/ipv4.h | 2 ++ net/ipv4/icmp.c | 9 ++++----- net/ipv4/sysctl_net_ipv4.c | 32 ++++++++++++++++---------------- 4 files changed, 22 insertions(+), 24 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index d3bca4e83979f681c4931e9ff62db5941a059c11..1ee472fa8b373e85907146f9a3f29ecc98e2e55b 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -797,9 +797,6 @@ static inline void ip_cmsg_recv(struct msghdr *msg, struct sk_buff *skb) bool icmp_global_allow(struct net *net); void icmp_global_consume(struct net *net); -extern int sysctl_icmp_msgs_per_sec; -extern int sysctl_icmp_msgs_burst; - #ifdef CONFIG_PROC_FS int ip_misc_proc_init(void); #endif diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 54fe7c079fffb285b7a8a069f3d57f9440a6655a..276f622f3516871c438be27bafe61c039445b335 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -122,6 +122,8 @@ struct netns_ipv4 { u8 sysctl_icmp_errors_use_inbound_ifaddr; int sysctl_icmp_ratelimit; int sysctl_icmp_ratemask; + int sysctl_icmp_msgs_per_sec; + int sysctl_icmp_msgs_burst; atomic_t icmp_global_credit; u32 icmp_global_stamp; u32 ip_rt_min_pmtu; diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 2e1d81dbdbb6fe93ea53398bbe3b3627b35852b0..1ed88883e1f2579c875f4e0769789dc2e0c6e15a 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -220,9 +220,6 @@ static inline void icmp_xmit_unlock(struct sock *sk) spin_unlock(&sk->sk_lock.slock); } -int sysctl_icmp_msgs_per_sec __read_mostly = 1000; -int sysctl_icmp_msgs_burst __read_mostly = 50; - /** * icmp_global_allow - Are we allowed to send one more ICMP message ? * @net: network namespace @@ -249,14 +246,14 @@ bool icmp_global_allow(struct net *net) if (delta < HZ / 50) return false; - incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; + incr = READ_ONCE(net->ipv4.sysctl_icmp_msgs_per_sec) * delta / HZ; if (!incr) return false; if (cmpxchg(&net->ipv4.icmp_global_stamp, oldstamp, now) == oldstamp) { old = atomic_read(&net->ipv4.icmp_global_credit); do { - new = min(old + incr, READ_ONCE(sysctl_icmp_msgs_burst)); + new = min(old + incr, READ_ONCE(net->ipv4.sysctl_icmp_msgs_burst)); } while (!atomic_try_cmpxchg(&net->ipv4.icmp_global_credit, &old, new)); } return true; @@ -1492,6 +1489,8 @@ static int __net_init icmp_sk_init(struct net *net) net->ipv4.sysctl_icmp_ratelimit = 1 * HZ; net->ipv4.sysctl_icmp_ratemask = 0x1818; net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr = 0; + net->ipv4.sysctl_icmp_msgs_per_sec = 1000; + net->ipv4.sysctl_icmp_msgs_burst = 50; return 0; } diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 4af0c234d8d763f430608d60f38eff8a6d9935b4..a79b2a52ce01e6c1a1257ba31c17ac2f51ba19ec 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -600,22 +600,6 @@ static struct ctl_table ipv4_table[] = { .mode = 0444, .proc_handler = proc_tcp_available_ulp, }, - { - .procname = "icmp_msgs_per_sec", - .data = &sysctl_icmp_msgs_per_sec, - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, - .extra1 = SYSCTL_ZERO, - }, - { - .procname = "icmp_msgs_burst", - .data = &sysctl_icmp_msgs_burst, - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, - .extra1 = SYSCTL_ZERO, - }, { .procname = "udp_mem", .data = &sysctl_udp_mem, @@ -701,6 +685,22 @@ static struct ctl_table ipv4_net_table[] = { .mode = 0644, .proc_handler = proc_dointvec }, + { + .procname = "icmp_msgs_per_sec", + .data = &init_net.ipv4.sysctl_icmp_msgs_per_sec, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + }, + { + .procname = "icmp_msgs_burst", + .data = &init_net.ipv4.sysctl_icmp_msgs_burst, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + }, { .procname = "ping_group_range", .data = &init_net.ipv4.ping_group_range.range,