[TCP]: Restrict congestion control choices.
Allow normal users to choose only among a restricted set of congestion control choices. The default is reno and whatever has been configured as the default. But the policy can be changed by the administrator at any time. For example, to allow any choice: cp /proc/sys/net/ipv4/tcp_available_congestion_control \ /proc/sys/net/ipv4/tcp_allowed_congestion_control Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
3ff825b28d
commit
ce7bc3bf15
5 changed files with 125 additions and 0 deletions
|
@ -351,6 +351,12 @@ tcp_frto - BOOLEAN
|
||||||
where packet loss is typically due to random radio interference
|
where packet loss is typically due to random radio interference
|
||||||
rather than intermediate router congestion.
|
rather than intermediate router congestion.
|
||||||
|
|
||||||
|
tcp_allowed_congestion_control - STRING
|
||||||
|
Show/set the congestion control choices available to non-privileged
|
||||||
|
processes. The list is a subset of those listed in
|
||||||
|
tcp_available_congestion_control.
|
||||||
|
Default is "reno" and the default setting (tcp_congestion_control).
|
||||||
|
|
||||||
tcp_available_congestion_control - STRING
|
tcp_available_congestion_control - STRING
|
||||||
Shows the available congestion control choices that are registered.
|
Shows the available congestion control choices that are registered.
|
||||||
More congestion control algorithms may be available as modules,
|
More congestion control algorithms may be available as modules,
|
||||||
|
|
|
@ -427,6 +427,7 @@ enum
|
||||||
NET_CIPSOV4_RBM_OPTFMT=120,
|
NET_CIPSOV4_RBM_OPTFMT=120,
|
||||||
NET_CIPSOV4_RBM_STRICTVALID=121,
|
NET_CIPSOV4_RBM_STRICTVALID=121,
|
||||||
NET_TCP_AVAIL_CONG_CONTROL=122,
|
NET_TCP_AVAIL_CONG_CONTROL=122,
|
||||||
|
NET_TCP_ALLOWED_CONG_CONTROL=123,
|
||||||
};
|
};
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
|
|
|
@ -625,6 +625,7 @@ enum tcp_ca_event {
|
||||||
|
|
||||||
struct tcp_congestion_ops {
|
struct tcp_congestion_ops {
|
||||||
struct list_head list;
|
struct list_head list;
|
||||||
|
int non_restricted;
|
||||||
|
|
||||||
/* initialize private data (optional) */
|
/* initialize private data (optional) */
|
||||||
void (*init)(struct sock *sk);
|
void (*init)(struct sock *sk);
|
||||||
|
@ -663,6 +664,8 @@ extern void tcp_cleanup_congestion_control(struct sock *sk);
|
||||||
extern int tcp_set_default_congestion_control(const char *name);
|
extern int tcp_set_default_congestion_control(const char *name);
|
||||||
extern void tcp_get_default_congestion_control(char *name);
|
extern void tcp_get_default_congestion_control(char *name);
|
||||||
extern void tcp_get_available_congestion_control(char *buf, size_t len);
|
extern void tcp_get_available_congestion_control(char *buf, size_t len);
|
||||||
|
extern void tcp_get_allowed_congestion_control(char *buf, size_t len);
|
||||||
|
extern int tcp_set_allowed_congestion_control(char *allowed);
|
||||||
extern int tcp_set_congestion_control(struct sock *sk, const char *name);
|
extern int tcp_set_congestion_control(struct sock *sk, const char *name);
|
||||||
extern void tcp_slow_start(struct tcp_sock *tp);
|
extern void tcp_slow_start(struct tcp_sock *tp);
|
||||||
|
|
||||||
|
|
|
@ -146,6 +146,50 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl,
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int proc_allowed_congestion_control(ctl_table *ctl,
|
||||||
|
int write, struct file * filp,
|
||||||
|
void __user *buffer, size_t *lenp,
|
||||||
|
loff_t *ppos)
|
||||||
|
{
|
||||||
|
ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
tbl.data = kmalloc(tbl.maxlen, GFP_USER);
|
||||||
|
if (!tbl.data)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen);
|
||||||
|
ret = proc_dostring(&tbl, write, filp, buffer, lenp, ppos);
|
||||||
|
if (write && ret == 0)
|
||||||
|
ret = tcp_set_allowed_congestion_control(tbl.data);
|
||||||
|
kfree(tbl.data);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int strategy_allowed_congestion_control(ctl_table *table, int __user *name,
|
||||||
|
int nlen, void __user *oldval,
|
||||||
|
size_t __user *oldlenp,
|
||||||
|
void __user *newval, size_t newlen,
|
||||||
|
void **context)
|
||||||
|
{
|
||||||
|
ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
tbl.data = kmalloc(tbl.maxlen, GFP_USER);
|
||||||
|
if (!tbl.data)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
tcp_get_available_congestion_control(tbl.data, tbl.maxlen);
|
||||||
|
ret = sysctl_string(&tbl, name, nlen, oldval, oldlenp, newval, newlen,
|
||||||
|
context);
|
||||||
|
if (ret == 0 && newval && newlen)
|
||||||
|
ret = tcp_set_allowed_congestion_control(tbl.data);
|
||||||
|
kfree(tbl.data);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
ctl_table ipv4_table[] = {
|
ctl_table ipv4_table[] = {
|
||||||
{
|
{
|
||||||
.ctl_name = NET_IPV4_TCP_TIMESTAMPS,
|
.ctl_name = NET_IPV4_TCP_TIMESTAMPS,
|
||||||
|
@ -755,6 +799,14 @@ ctl_table ipv4_table[] = {
|
||||||
.mode = 0444,
|
.mode = 0444,
|
||||||
.proc_handler = &proc_tcp_available_congestion_control,
|
.proc_handler = &proc_tcp_available_congestion_control,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = NET_TCP_ALLOWED_CONG_CONTROL,
|
||||||
|
.procname = "tcp_allowed_congestion_control",
|
||||||
|
.maxlen = TCP_CA_BUF_MAX,
|
||||||
|
.mode = 0644,
|
||||||
|
.proc_handler = &proc_allowed_congestion_control,
|
||||||
|
.strategy = &strategy_allowed_congestion_control,
|
||||||
|
},
|
||||||
{ .ctl_name = 0 }
|
{ .ctl_name = 0 }
|
||||||
};
|
};
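Review bot: strategy_allowed_congestion_control fills tbl.data with `tcp_get_available_congestion_control(tbl.data, tbl.maxlen);` (the line after the kmalloc check), so a read through the binary sysctl(2) path reports every registered algorithm instead of the allowed subset, while the proc handler above it correctly calls tcp_get_allowed_congestion_control. An administrator auditing the policy through that interface would see a list that does not reflect what unprivileged users can actually select. The line should read `tcp_get_allowed_congestion_control(tbl.data, tbl.maxlen);`.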
|
||||||
|
|
||||||
|
|
|
@ -123,6 +123,7 @@ int tcp_set_default_congestion_control(const char *name)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (ca) {
|
if (ca) {
|
||||||
|
ca->non_restricted = 1; /* default is always allowed */
|
||||||
list_move(&ca->list, &tcp_cong_list);
|
list_move(&ca->list, &tcp_cong_list);
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
|
@ -168,6 +169,64 @@ void tcp_get_default_congestion_control(char *name)
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Built list of non-restricted congestion control values */
|
||||||
|
void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
|
||||||
|
{
|
||||||
|
struct tcp_congestion_ops *ca;
|
||||||
|
size_t offs = 0;
|
||||||
|
|
||||||
|
*buf = '\0';
|
||||||
|
rcu_read_lock();
|
||||||
|
list_for_each_entry_rcu(ca, &tcp_cong_list, list) {
|
||||||
|
if (!ca->non_restricted)
|
||||||
|
continue;
|
||||||
|
offs += snprintf(buf + offs, maxlen - offs,
|
||||||
|
"%s%s",
|
||||||
|
offs == 0 ? "" : " ", ca->name);
|
||||||
|
|
||||||
|
}
|
||||||
|
rcu_read_unlock();
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Change list of non-restricted congestion control */
|
||||||
|
int tcp_set_allowed_congestion_control(char *val)
|
||||||
|
{
|
||||||
|
struct tcp_congestion_ops *ca;
|
||||||
|
char *clone, *name;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
clone = kstrdup(val, GFP_USER);
|
||||||
|
if (!clone)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
spin_lock(&tcp_cong_list_lock);
|
||||||
|
/* pass 1 check for bad entries */
|
||||||
|
while ((name = strsep(&clone, " ")) && *name) {
|
||||||
|
ca = tcp_ca_find(name);
|
||||||
|
if (!ca) {
|
||||||
|
ret = -ENOENT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* pass 2 clear */
|
||||||
|
list_for_each_entry_rcu(ca, &tcp_cong_list, list)
|
||||||
|
ca->non_restricted = 0;
|
||||||
|
|
||||||
|
/* pass 3 mark as allowed */
|
||||||
|
while ((name = strsep(&val, " ")) && *name) {
|
||||||
|
ca = tcp_ca_find(name);
|
||||||
|
WARN_ON(!ca);
|
||||||
|
if (ca)
|
||||||
|
ca->non_restricted = 1;
|
||||||
|
}
|
||||||
|
out:
|
||||||
|
spin_unlock(&tcp_cong_list_lock);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Change congestion control for socket */
|
/* Change congestion control for socket */
|
||||||
int tcp_set_congestion_control(struct sock *sk, const char *name)
|
int tcp_set_congestion_control(struct sock *sk, const char *name)
|
||||||
{
|
{
|
||||||
|
@ -183,6 +242,9 @@ int tcp_set_congestion_control(struct sock *sk, const char *name)
|
||||||
if (!ca)
|
if (!ca)
|
||||||
err = -ENOENT;
|
err = -ENOENT;
|
||||||
|
|
||||||
|
else if (!(ca->non_restricted || capable(CAP_NET_ADMIN)))
|
||||||
|
err = -EPERM;
|
||||||
|
|
||||||
else if (!try_module_get(ca->owner))
|
else if (!try_module_get(ca->owner))
|
||||||
err = -EBUSY;
|
err = -EBUSY;
|
||||||
|
|
||||||
|
@ -284,6 +346,7 @@ EXPORT_SYMBOL_GPL(tcp_reno_min_cwnd);
|
||||||
|
|
||||||
struct tcp_congestion_ops tcp_reno = {
|
struct tcp_congestion_ops tcp_reno = {
|
||||||
.name = "reno",
|
.name = "reno",
|
||||||
|
.non_restricted = 1,
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
.ssthresh = tcp_reno_ssthresh,
|
.ssthresh = tcp_reno_ssthresh,
|
||||||
.cong_avoid = tcp_reno_cong_avoid,
|
.cong_avoid = tcp_reno_cong_avoid,
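Review bot: In tcp_set_allowed_congestion_control the kstrdup() result is never freed: strsep() advances `clone` as pass 1 tokenizes, so by the `out:` label nothing points at the allocation and each write to the sysctl leaks strlen(val)+1 bytes. Keep the original pointer and release it on both paths: `char *clone, *saved_clone, *name;`, `saved_clone = clone = kstrdup(val, GFP_USER);` and `kfree(saved_clone);` immediately before `return ret;`. The write is root-only (mode 0644 on the table entry), so this is a slow, unbounded leak under repeated administration rather than an unprivileged issue. In the tcp_get_allowed_congestion_control hunk, `offs` accumulates snprintf() return values, which are the would-be lengths, so once the output is truncated `maxlen - offs` wraps to a huge size_t on the next iteration; clamping with `if (offs >= maxlen) break;` after the snprintf would close that, assuming TCP_CA_BUF_MAX is not already sized to make truncation impossible.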
|
||||||
|
|