ipv4: Namespaceify tcp_fastopen_blackhole_timeout knob

Different namespace application might require different time period in
second to disable Fastopen on active TCP sockets.

Tested:
Simulate following similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C?  X <- data ------ S
	[retry and timeout]

And then print netstat of TCPFastOpenBlackhole, the counter increased as
expected when the firewall blackhole issue is detected and active TFO is
disabled.
# cat /proc/net/netstat | awk '{print $91}'
TCPFastOpenBlackhole
1

Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 11 insertions, 19 deletions

diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 4eae44ac3cb0..de470e7e586f 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -422,25 +422,16 @@ EXPORT_SYMBOL(tcp_fastopen_defer_connect);
  * TFO connection with data exchanges.
  */
 
-/* Default to 1hr */
-unsigned int sysctl_tcp_fastopen_blackhole_timeout __read_mostly = 60 * 60;
-static atomic_t tfo_active_disable_times __read_mostly = ATOMIC_INIT(0);
-static unsigned long tfo_active_disable_stamp __read_mostly;
-
 /* Disable active TFO and record current jiffies and
  * tfo_active_disable_times
  */
 void tcp_fastopen_active_disable(struct sock *sk)
 {
-        atomic_inc(&tfo_active_disable_times);
-        tfo_active_disable_stamp = jiffies;
-        NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENBLACKHOLE);
-}
+        struct net *net = sock_net(sk);
 
-/* Reset tfo_active_disable_times to 0 */
-void tcp_fastopen_active_timeout_reset(void)
-{
-        atomic_set(&tfo_active_disable_times, 0);
+        atomic_inc(&net->ipv4.tfo_active_disable_times);
+        net->ipv4.tfo_active_disable_stamp = jiffies;
+        NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE);
 }
 
 /* Calculate timeout for tfo active disable
@@ -449,17 +440,18 @@ void tcp_fastopen_active_timeout_reset(void)
  */
 bool tcp_fastopen_active_should_disable(struct sock *sk)
 {
-        int tfo_da_times = atomic_read(&tfo_active_disable_times);
-        int multiplier;
+        unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
+        int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
         unsigned long timeout;
+        int multiplier;
 
         if (!tfo_da_times)
                 return false;
 
         /* Limit timout to max: 2^6 * initial timeout */
         multiplier = 1 << min(tfo_da_times - 1, 6);
-        timeout = multiplier * sysctl_tcp_fastopen_blackhole_timeout * HZ;
-        if (time_before(jiffies, tfo_active_disable_stamp + timeout))
+        timeout = multiplier * tfo_bh_timeout * HZ;
+        if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout))
                 return true;
 
         /* Mark check bit so we can check for successful active TFO
@@ -495,10 +487,10 @@ void tcp_fastopen_active_disable_ofo_check(struct sock *sk)
                         }
                 }
         } else if (tp->syn_fastopen_ch &&
-                   atomic_read(&tfo_active_disable_times)) {
+                   atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times)) {
                 dst = sk_dst_get(sk);
                 if (!(dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK)))
-                        tcp_fastopen_active_timeout_reset();
+                        atomic_set(&sock_net(sk)->ipv4.tfo_active_disable_times, 0);
                 dst_release(dst);
         }
 }