[PATCH 0/3] Namespaceify tcp keepalive machinery

[PATCH 0/3] Namespaceify tcp keepalive machinery

[Nikolay Borisov]

The following patch series enables the tcp keepalive mechanism
to be configured per net namespace. This is especially useful
if you have multiple containers hosted on one node and one of 
them is under DoS-  in such situations one thing which could 
be done is to configure the tcp keepalive settings such that 
connections for that particular container are being reset 
faster.

Another scenario where not being able to control those knob
comes per container is problematic is occurs the value of 
net.netfilter.nf_conntrack_tcp_timeout_established is set
below the keepalive interval, in such situations the server won't 
send an RST packet resulting in applications not trying to 
reconnect and stale connection waiting. Changing the global 
keepalive value is a possible solution but it might interfere
with other containers. 

The three patches gradually convert each of the affected knobs
to be per netns. I thought it would be easier for review than 
put everything in one patch. If people deem it more appropriate 
to squash everything in one patch (maybe after review) I'd
be more than happy to do it. 

The patches have been compile-tested on 4.4 and functionally 
tested on 3.12 and they work as expected. 

These are based off 4.4-rc8

Nikolay Borisov (3):
  ipv4: Namespaceify tcp_keepalive_time sysctl knob
  ipv4: Namespecify tcp_keepalive_probes sysctl knob 
  ipv4: Namespecify the tcp_keepalive_intvl sysctl knob

 include/net/netns/ipv4.h   |  4 ++++
 include/net/tcp.h          | 15 +++++++++------
 net/ipv4/sysctl_net_ipv4.c | 42 +++++++++++++++++++++---------------------
 net/ipv4/tcp_ipv4.c        |  4 ++++
 net/ipv4/tcp_timer.c       |  3 ---
 5 files changed, 38 insertions(+), 30 deletions(-)

-- 
2.5.0

[PATCH 1/3] ipv4: Namespaceify tcp_keepalive_time sysctl knob

[Nikolay Borisov]

Different net namespaces might have different requirements as to
the keepalive time of tcp sockets. This might be required in cases
where different firewall rules are in place which require tcp
timeout sockets to be increased/decreased independently of the host.

Signed-off-by: Nikolay Borisov <kernel@kyup.com>
---
 include/net/netns/ipv4.h   |  2 ++
 include/net/tcp.h          |  5 +++--
 net/ipv4/sysctl_net_ipv4.c | 14 +++++++-------
 net/ipv4/tcp_ipv4.c        |  2 ++
 net/ipv4/tcp_timer.c       |  1 -
 5 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index c68926b4899c..d7ee5120e3ec 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -91,6 +91,8 @@ struct netns_ipv4 {
 	int sysctl_tcp_probe_threshold;
 	u32 sysctl_tcp_probe_interval;
 
+	int sysctl_tcp_keepalive_time;
+
 	struct ping_group_range ping_group_range;
 
 	atomic_t dev_addr_genid;
diff --git a/include/net/tcp.h b/include/net/tcp.h
index f80e74c5ad18..1145f890f55c 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -240,7 +240,6 @@ extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
 extern int sysctl_tcp_fin_timeout;
-extern int sysctl_tcp_keepalive_time;
 extern int sysctl_tcp_keepalive_probes;
 extern int sysctl_tcp_keepalive_intvl;
 extern int sysctl_tcp_syn_retries;
@@ -1228,7 +1227,9 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp)
 
 static inline int keepalive_time_when(const struct tcp_sock *tp)
 {
-	return tp->keepalive_time ? : sysctl_tcp_keepalive_time;
+	struct net *net = sock_net((struct sock *)tp);
+
+	return tp->keepalive_time ? : net->ipv4.sysctl_tcp_keepalive_time;
 }
 
 static inline int keepalive_probes(const struct tcp_sock *tp)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index a0bd7a55193e..8755825b92a5 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -337,13 +337,6 @@ static struct ctl_table ipv4_table[] = {
 		.proc_handler	= proc_dointvec
 	},
 	{
-		.procname	= "tcp_keepalive_time",
-		.data		= &sysctl_tcp_keepalive_time,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec_jiffies,
-	},
-	{
 		.procname	= "tcp_keepalive_probes",
 		.data		= &sysctl_tcp_keepalive_probes,
 		.maxlen		= sizeof(int),
@@ -950,6 +943,13 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+	{
+		.procname	= "tcp_keepalive_time",
+		.data		= &init_net.ipv4.sysctl_tcp_keepalive_time,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_jiffies,
+	},
 	{ }
 };
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index d8841a2f1569..ca8d98de7846 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2378,6 +2378,8 @@ static int __net_init tcp_sk_init(struct net *net)
 	net->ipv4.sysctl_tcp_probe_threshold = TCP_PROBE_THRESHOLD;
 	net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL;
 
+	net->ipv4.sysctl_tcp_keepalive_time = TCP_KEEPALIVE_TIME;
+
 	return 0;
 fail:
 	tcp_sk_exit(net);
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 193ba1fa8a9a..166f27b43cc0 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -24,7 +24,6 @@
 
 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
-int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
 int sysctl_tcp_keepalive_probes __read_mostly = TCP_KEEPALIVE_PROBES;
 int sysctl_tcp_keepalive_intvl __read_mostly = TCP_KEEPALIVE_INTVL;
 int sysctl_tcp_retries1 __read_mostly = TCP_RETR1;
-- 
2.5.0

[PATCH 2/3] ipv4: Namespecify tcp_keepalive_probes sysctl knob

[Nikolay Borisov]

This is required to have full tcp keepalive mechanism namespace
support.

Signed-off-by: Nikolay Borisov <kernel@kyup.com>
---
 include/net/netns/ipv4.h   |  1 +
 include/net/tcp.h          |  5 +++--
 net/ipv4/sysctl_net_ipv4.c | 14 +++++++-------
 net/ipv4/tcp_ipv4.c        |  1 +
 net/ipv4/tcp_timer.c       |  1 -
 5 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index d7ee5120e3ec..4955c160be59 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -92,6 +92,7 @@ struct netns_ipv4 {
 	u32 sysctl_tcp_probe_interval;
 
 	int sysctl_tcp_keepalive_time;
+	int sysctl_tcp_keepalive_probes;
 
 	struct ping_group_range ping_group_range;
 
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 1145f890f55c..5cf1cfde7fda 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -240,7 +240,6 @@ extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
 extern int sysctl_tcp_fin_timeout;
-extern int sysctl_tcp_keepalive_probes;
 extern int sysctl_tcp_keepalive_intvl;
 extern int sysctl_tcp_syn_retries;
 extern int sysctl_tcp_synack_retries;
@@ -1234,7 +1233,9 @@ static inline int keepalive_time_when(const struct tcp_sock *tp)
 
 static inline int keepalive_probes(const struct tcp_sock *tp)
 {
-	return tp->keepalive_probes ? : sysctl_tcp_keepalive_probes;
+	struct net *net = sock_net((struct sock *)tp);
+
+	return tp->keepalive_probes ? : net->ipv4.sysctl_tcp_keepalive_probes;
 }
 
 static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 8755825b92a5..d9e17bbf08cf 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -337,13 +337,6 @@ static struct ctl_table ipv4_table[] = {
 		.proc_handler	= proc_dointvec
 	},
 	{
-		.procname	= "tcp_keepalive_probes",
-		.data		= &sysctl_tcp_keepalive_probes,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec
-	},
-	{
 		.procname	= "tcp_keepalive_intvl",
 		.data		= &sysctl_tcp_keepalive_intvl,
 		.maxlen		= sizeof(int),
@@ -950,6 +943,13 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
+	{
+		.procname	= "tcp_keepalive_probes",
+		.data		= &init_net.ipv4.sysctl_tcp_keepalive_probes,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 	{ }
 };
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index ca8d98de7846..9e9187c3b45a 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2379,6 +2379,7 @@ static int __net_init tcp_sk_init(struct net *net)
 	net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL;
 
 	net->ipv4.sysctl_tcp_keepalive_time = TCP_KEEPALIVE_TIME;
+	net->ipv4.sysctl_tcp_keepalive_probes = TCP_KEEPALIVE_PROBES;
 
 	return 0;
 fail:
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 166f27b43cc0..0ccb120d591a 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -24,7 +24,6 @@
 
 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
-int sysctl_tcp_keepalive_probes __read_mostly = TCP_KEEPALIVE_PROBES;
 int sysctl_tcp_keepalive_intvl __read_mostly = TCP_KEEPALIVE_INTVL;
 int sysctl_tcp_retries1 __read_mostly = TCP_RETR1;
 int sysctl_tcp_retries2 __read_mostly = TCP_RETR2;
-- 
2.5.0

[PATCH 3/3] ipv4: Namespecify the tcp_keepalive_intvl sysctl knob

[Nikolay Borisov]

This is the final part required to namespaceify the tcp
keep alive mechanism.

Signed-off-by: Nikolay Borisov <kernel@kyup.com>
---
 include/net/netns/ipv4.h   |  1 +
 include/net/tcp.h          |  5 +++--
 net/ipv4/sysctl_net_ipv4.c | 14 +++++++-------
 net/ipv4/tcp_ipv4.c        |  1 +
 net/ipv4/tcp_timer.c       |  1 -
 5 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 4955c160be59..ffa2777b6475 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -93,6 +93,7 @@ struct netns_ipv4 {
 
 	int sysctl_tcp_keepalive_time;
 	int sysctl_tcp_keepalive_probes;
+	int sysctl_tcp_keepalive_intvl;
 
 	struct ping_group_range ping_group_range;
 
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 5cf1cfde7fda..3ed10fc89c7d 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -240,7 +240,6 @@ extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
 extern int sysctl_tcp_fin_timeout;
-extern int sysctl_tcp_keepalive_intvl;
 extern int sysctl_tcp_syn_retries;
 extern int sysctl_tcp_synack_retries;
 extern int sysctl_tcp_retries1;
@@ -1221,7 +1220,9 @@ void tcp_enter_memory_pressure(struct sock *sk);
 
 static inline int keepalive_intvl_when(const struct tcp_sock *tp)
 {
-	return tp->keepalive_intvl ? : sysctl_tcp_keepalive_intvl;
+	struct net *net = sock_net((struct sock *)tp);
+
+	return tp->keepalive_intvl ? : net->ipv4.sysctl_tcp_keepalive_intvl;
 }
 
 static inline int keepalive_time_when(const struct tcp_sock *tp)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index d9e17bbf08cf..fccf8e92bf81 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -337,13 +337,6 @@ static struct ctl_table ipv4_table[] = {
 		.proc_handler	= proc_dointvec
 	},
 	{
-		.procname	= "tcp_keepalive_intvl",
-		.data		= &sysctl_tcp_keepalive_intvl,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec_jiffies,
-	},
-	{
 		.procname	= "tcp_retries1",
 		.data		= &sysctl_tcp_retries1,
 		.maxlen		= sizeof(int),
@@ -950,6 +943,13 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+	{
+		.procname	= "tcp_keepalive_intvl",
+		.data		= &init_net.ipv4.sysctl_tcp_keepalive_intvl,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_jiffies,
+	},
 	{ }
 };
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 9e9187c3b45a..9db9bdb14449 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2380,6 +2380,7 @@ static int __net_init tcp_sk_init(struct net *net)
 
 	net->ipv4.sysctl_tcp_keepalive_time = TCP_KEEPALIVE_TIME;
 	net->ipv4.sysctl_tcp_keepalive_probes = TCP_KEEPALIVE_PROBES;
+	net->ipv4.sysctl_tcp_keepalive_intvl = TCP_KEEPALIVE_INTVL;
 
 	return 0;
 fail:
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 0ccb120d591a..a4730a28b220 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -24,7 +24,6 @@
 
 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
-int sysctl_tcp_keepalive_intvl __read_mostly = TCP_KEEPALIVE_INTVL;
 int sysctl_tcp_retries1 __read_mostly = TCP_RETR1;
 int sysctl_tcp_retries2 __read_mostly = TCP_RETR2;
 int sysctl_tcp_orphan_retries __read_mostly;
-- 
2.5.0

Re: [PATCH 0/3] Namespaceify tcp keepalive machinery

[Eric W. Biederman]

Nikolay Borisov <kernel@kyup.com> writes:

> The following patch series enables the tcp keepalive mechanism
> to be configured per net namespace. This is especially useful
> if you have multiple containers hosted on one node and one of 
> them is under DoS-  in such situations one thing which could 
> be done is to configure the tcp keepalive settings such that 
> connections for that particular container are being reset 
> faster.
>
> Another scenario where not being able to control those knob
> comes per container is problematic is occurs the value of 
> net.netfilter.nf_conntrack_tcp_timeout_established is set
> below the keepalive interval, in such situations the server won't 
> send an RST packet resulting in applications not trying to 
> reconnect and stale connection waiting. Changing the global 
> keepalive value is a possible solution but it might interfere
> with other containers. 
>
> The three patches gradually convert each of the affected knobs
> to be per netns. I thought it would be easier for review than 
> put everything in one patch. If people deem it more appropriate 
> to squash everything in one patch (maybe after review) I'd
> be more than happy to do it. 
>
> The patches have been compile-tested on 4.4 and functionally 
> tested on 3.12 and they work as expected. 
>
> These are based off 4.4-rc8

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

I took a quick skim and there appears to be nothing scary in your
patches and the separation of the patches did make the review easy.

All of the knobs are already per socket with a global default.  Moving
that global to be per network namespace appears straight forward in
your patches.

> Nikolay Borisov (3):
>   ipv4: Namespaceify tcp_keepalive_time sysctl knob
>   ipv4: Namespecify tcp_keepalive_probes sysctl knob 
>   ipv4: Namespecify the tcp_keepalive_intvl sysctl knob
>
>  include/net/netns/ipv4.h   |  4 ++++
>  include/net/tcp.h          | 15 +++++++++------
>  net/ipv4/sysctl_net_ipv4.c | 42 +++++++++++++++++++++---------------------
>  net/ipv4/tcp_ipv4.c        |  4 ++++
>  net/ipv4/tcp_timer.c       |  3 ---
>  5 files changed, 38 insertions(+), 30 deletions(-)

Re: [PATCH 0/3] Namespaceify tcp keepalive machinery

[David Miller]

From: Nikolay Borisov <kernel@kyup.com>
Date: Thu,  7 Jan 2016 16:38:42 +0200

> The following patch series enables the tcp keepalive mechanism
> to be configured per net namespace. This is especially useful
> if you have multiple containers hosted on one node and one of 
> them is under DoS-  in such situations one thing which could 
> be done is to configure the tcp keepalive settings such that 
> connections for that particular container are being reset 
> faster.
> 
> Another scenario where not being able to control those knob
> comes per container is problematic is occurs the value of 
> net.netfilter.nf_conntrack_tcp_timeout_established is set
> below the keepalive interval, in such situations the server won't 
> send an RST packet resulting in applications not trying to 
> reconnect and stale connection waiting. Changing the global 
> keepalive value is a possible solution but it might interfere
> with other containers. 
> 
> The three patches gradually convert each of the affected knobs
> to be per netns. I thought it would be easier for review than 
> put everything in one patch. If people deem it more appropriate 
> to squash everything in one patch (maybe after review) I'd
> be more than happy to do it. 
> 
> The patches have been compile-tested on 4.4 and functionally 
> tested on 3.12 and they work as expected. 
> 
> These are based off 4.4-rc8

Series applied, thanks.