
Commit 12ed8244 authored by Nikolay Borisov, committed by David S. Miller

ipv4: Namespaceify tcp syncookies sysctl knob

parent 7c083ecb
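--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -101,6 +101,8 @@ struct netns_ipv4 {
 	int sysctl_tcp_syn_retries;
 	int sysctl_tcp_synack_retries;
 
+	int sysctl_tcp_syncookies;
+
 	struct ping_group_range ping_group_range;
 
 	atomic_t dev_addr_genid;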
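Review bot: The new `sysctl_tcp_syncookies` field at the top of this hunk carries no comment and no initializer visible on this page; a freshly allocated `struct net` is zero-filled (as far as I recall), so a child namespace would come up with cookies off unless `tcp_sk_init()` sets `net->ipv4.sysctl_tcp_syncookies = 1` — the pre-patch global's definition and default are not shown here either, so please confirm that file is part of the commit. Since tcp_input.c treats the value as tri-state, I would document it on the field: `int sysctl_tcp_syncookies;	/* 0 = off, non-zero = on SYN-queue overflow, 2 = always */`. The enclosing `struct netns_ipv4` starts and ends outside the hunk.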
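--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -243,7 +243,6 @@ extern int sysctl_tcp_fin_timeout;
 extern int sysctl_tcp_retries1;
 extern int sysctl_tcp_retries2;
 extern int sysctl_tcp_orphan_retries;
-extern int sysctl_tcp_syncookies;
 extern int sysctl_tcp_fastopen;
 extern int sysctl_tcp_retrans_collapse;
 extern int sysctl_tcp_stdurg;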
+1 −3
@@ -19,8 +19,6 @@
#include <net/tcp.h>
#include <net/tcp.h>
#include <net/route.h>
#include <net/route.h>


extern int sysctl_tcp_syncookies;

static u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS] __read_mostly;
static u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS] __read_mostly;


#define COOKIEBITS 24	/* Upper bits store count */
#define COOKIEBITS 24	/* Upper bits store count */
@@ -307,7 +305,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
	__u8 rcv_wscale;
	__u8 rcv_wscale;
	struct flowi4 fl4;
	struct flowi4 fl4;


	if (!sysctl_tcp_syncookies || !th->ack || th->rst)
	if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst)
		goto out;
		goto out;


	if (tcp_synq_no_recent_overflow(sk))
	if (tcp_synq_no_recent_overflow(sk))
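Review bot: `syncookie_secret`, declared a few lines above the first hunk, remains a single file-scope array shared by every network namespace, while the knob that gates cookie issuance and, in `cookie_v4_check`, cookie acceptance is now read per namespace; nothing in the hunk says whether one shared secret across namespaces is intentional, so the next reader may assume the secret moved with the knob. If sharing is intended — it matches the pre-patch behavior — I would say so where the secret is declared: `/* Shared by every network namespace; only the tcp_syncookies knob is per-netns. */`. `cookie_v4_check` begins before the second hunk and continues after it.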
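--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -341,15 +341,6 @@ static struct ctl_table ipv4_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
-#ifdef CONFIG_SYN_COOKIES
-	{
-		.procname	= "tcp_syncookies",
-		.data		= &sysctl_tcp_syncookies,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec
-	},
-#endif
 	{
 		.procname	= "tcp_fastopen",
 		.data		= &sysctl_tcp_fastopen,
@@ -960,6 +951,15 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+#ifdef CONFIG_SYN_COOKIES
+	{
+		.procname	= "tcp_syncookies",
+		.data		= &init_net.ipv4.sysctl_tcp_syncookies,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
+#endif
 	{ }
 };
 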
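Review bot: The re-added `tcp_syncookies` entry in the second hunk keeps `proc_dointvec`, which stores any int, while the readers in tcp_input.c only distinguish 0, 2 and "anything else"; now that the knob lives in `ipv4_net_table` it is reachable through each namespace's own sysctl tree (mode 0644, so presumably writable by whoever owns the namespace), and bounding it at the boundary is cheap: `.proc_handler	= proc_dointvec_minmax,` with `.extra1		= &zero,` and `.extra2		= &two,` (this file's usual bound variables — add `two` if it is not already defined). The `.data = &init_net.ipv4.sysctl_tcp_syncookies` pointer relies on the per-net address fixup done when the table is registered, which is not visible on this page; worth confirming the new field is covered there.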
+6 −4
@@ -6163,9 +6163,10 @@ static bool tcp_syn_flood_action(const struct sock *sk,
	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
	const char *msg = "Dropping request";
	const char *msg = "Dropping request";
	bool want_cookie = false;
	bool want_cookie = false;
	struct net *net = sock_net(sk);


#ifdef CONFIG_SYN_COOKIES
#ifdef CONFIG_SYN_COOKIES
	if (sysctl_tcp_syncookies) {
	if (net->ipv4.sysctl_tcp_syncookies) {
		msg = "Sending cookies";
		msg = "Sending cookies";
		want_cookie = true;
		want_cookie = true;
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES);
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES);
@@ -6174,7 +6175,7 @@ static bool tcp_syn_flood_action(const struct sock *sk,
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);


	if (!queue->synflood_warned &&
	if (!queue->synflood_warned &&
	    sysctl_tcp_syncookies != 2 &&
	    net->ipv4.sysctl_tcp_syncookies != 2 &&
	    xchg(&queue->synflood_warned, 1) == 0)
	    xchg(&queue->synflood_warned, 1) == 0)
		pr_info("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
		pr_info("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
			proto, ntohs(tcp_hdr(skb)->dest), msg);
			proto, ntohs(tcp_hdr(skb)->dest), msg);
@@ -6207,6 +6208,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
	__u32 isn = TCP_SKB_CB(skb)->tcp_tw_isn;
	__u32 isn = TCP_SKB_CB(skb)->tcp_tw_isn;
	struct tcp_options_received tmp_opt;
	struct tcp_options_received tmp_opt;
	struct tcp_sock *tp = tcp_sk(sk);
	struct tcp_sock *tp = tcp_sk(sk);
	struct net *net = sock_net(sk);
	struct sock *fastopen_sk = NULL;
	struct sock *fastopen_sk = NULL;
	struct dst_entry *dst = NULL;
	struct dst_entry *dst = NULL;
	struct request_sock *req;
	struct request_sock *req;
@@ -6217,7 +6219,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
	 * limitations, they conserve resources and peer is
	 * limitations, they conserve resources and peer is
	 * evidently real one.
	 * evidently real one.
	 */
	 */
	if ((sysctl_tcp_syncookies == 2 ||
	if ((net->ipv4.sysctl_tcp_syncookies == 2 ||
	     inet_csk_reqsk_queue_is_full(sk)) && !isn) {
	     inet_csk_reqsk_queue_is_full(sk)) && !isn) {
		want_cookie = tcp_syn_flood_action(sk, skb, rsk_ops->slab_name);
		want_cookie = tcp_syn_flood_action(sk, skb, rsk_ops->slab_name);
		if (!want_cookie)
		if (!want_cookie)
@@ -6283,7 +6285,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
			}
			}
		}
		}
		/* Kill the following clause, if you dislike this way. */
		/* Kill the following clause, if you dislike this way. */
		else if (!sysctl_tcp_syncookies &&
		else if (!net->ipv4.sysctl_tcp_syncookies &&
			 (sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
			 (sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
			  (sysctl_max_syn_backlog >> 2)) &&
			  (sysctl_max_syn_backlog >> 2)) &&
			 !tcp_peer_is_proven(req, dst, false,
			 !tcp_peer_is_proven(req, dst, false,
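Review bot: In the first hunk `tcp_syn_flood_action` now has a local `net` (`struct net *net = sock_net(sk);`), but the two `NET_INC_STATS_BH(sock_net(sk), ...)` calls just below it still recompute the same value; for consistency they should read `NET_INC_STATS_BH(net, LINUX_MIB_TCPREQQFULLDOCOOKIES);` and `NET_INC_STATS_BH(net, LINUX_MIB_TCPREQQFULLDROP);`. The last hunk now mixes the per-namespace knob with the still-global `sysctl_max_syn_backlog`, which is acceptable for this commit but worth a one-line comment if the backlog limit is meant to follow later. `tcp_conn_request` begins before the third hunk and continues past the last one.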