[RFC PATCH net-next 0/3] netns: optionally inherit IPv4 TCP sysctls from old net

[RFC PATCH net-next 0/3] netns: optionally inherit IPv4 TCP sysctls from old net

[nmreadelf]

a new network namespace starts with built-in TCP defaults.
In container-heavy setups, operators often tune TCP sysctls in init_net and then
need to re-apply the same values for each new netns.

This series adds an opt-in mechanism to initialize per-netns IPv4 TCP sysctl
settings from init_net at netns creation time.

Behavior:

Default is unchanged.
When net.ipv4.netns_inherit_tcp_sysctls=1, new netns inherit
TCP sysctl from old_net.

nmreadelf (3):
  ipv4: netns: group copyable TCP sysctls in netns_ipv4
  net: ipv4: add netns_inherit_tcp_sysctls sysctl
  tcp: netns: optionally inherit IPv4 TCP sysctls from parent netns

 .../net_cachelines/netns_ipv4_sysctl.rst      | 25 +++----
 include/net/netns/ipv4.h                      | 33 +++++----
 net/core/net_namespace.c                      | 72 +++++++++++++++++++
 net/ipv4/sysctl_net_ipv4.c                    |  9 +++
 4 files changed, 114 insertions(+), 25 deletions(-)

-- 
2.47.3

[RFC PATCH net-next 0/3] netns: optionally inherit IPv4 TCP sysctls from old net

[nmreadelf]

a new network namespace starts with built-in TCP defaults.
In container-heavy setups, operators often tune TCP sysctls in init_net and then
need to re-apply the same values for each new netns.

This series adds an opt-in mechanism to initialize per-netns IPv4 TCP sysctl
settings from init_net at netns creation time.

Behavior:

Default is unchanged.
When net.ipv4.netns_inherit_tcp_sysctls=1, new netns inherit
TCP sysctl from old_net.

nmreadelf (3):
  ipv4: netns: group copyable TCP sysctls in netns_ipv4
  net: ipv4: add netns_inherit_tcp_sysctls sysctl
  tcp: netns: optionally inherit IPv4 TCP sysctls from parent netns

 .../net_cachelines/netns_ipv4_sysctl.rst      | 25 +++----
 include/net/netns/ipv4.h                      | 33 +++++----
 net/core/net_namespace.c                      | 72 +++++++++++++++++++
 net/ipv4/sysctl_net_ipv4.c                    |  9 +++
 4 files changed, 114 insertions(+), 25 deletions(-)

-- 
2.47.3

[RFC PATCH net-next 1/3] ipv4: netns: group copyable TCP sysctls in netns_ipv4

[nmreadelf]

Group the TCP sysctl members into tcp_sysctl using struct_group().
This makes the memcpy and sizeof boundaries clear in follow-up
patches, avoids relying on writes across neighboring
members, and improves readability.
---
 .../net_cachelines/netns_ipv4_sysctl.rst      | 25 ++++++++-------
 include/net/netns/ipv4.h                      | 32 +++++++++++--------
 2 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
index beaf1880a19b..f6edf02618fa 100644
--- a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
+++ b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
@@ -43,23 +43,20 @@ u32                             ip_rt_min_pmtu
 int                             ip_rt_mtu_expires
 int                             ip_rt_min_advmss
 struct_local_ports              ip_local_ports
-u8                              sysctl_tcp_ecn
-u8                              sysctl_tcp_ecn_fallback
 u8                              sysctl_ip_default_ttl                                                                ip4_dst_hoplimit/ip_select_ttl
 u8                              sysctl_ip_no_pmtu_disc
-u8                              sysctl_ip_fwd_use_pmtu                       read_mostly                             ip_dst_mtu_maybe_forward/ip_skb_dst_mtu
 u8                              sysctl_ip_fwd_update_priority                                                        ip_forward
 u8                              sysctl_ip_nonlocal_bind
 u8                              sysctl_ip_autobind_reuse
 u8                              sysctl_ip_dynaddr
-u8                              sysctl_ip_early_demux                                            read_mostly         ip(6)_rcv_finish_core
 u8                              sysctl_raw_l3mdev_accept
-u8                              sysctl_tcp_early_demux                                           read_mostly         ip(6)_rcv_finish_core
 u8                              sysctl_udp_early_demux
 u8                              sysctl_nexthop_compat_mode
 u8                              sysctl_fwmark_reflect
+..                              struct_group(tcp_sysctl)                                                             bulk-copied via memcpy() in tcp_sk_init()
+u8                              sysctl_tcp_ecn
+u8                              sysctl_tcp_ecn_fallback
 u8                              sysctl_tcp_fwmark_accept
-u8                              sysctl_tcp_l3mdev_accept                                         read_mostly         __inet6_lookup_established/inet_request_bound_dev_if
 u8                              sysctl_tcp_mtu_probing
 int                             sysctl_tcp_mtu_probe_floor
 int                             sysctl_tcp_base_mss
@@ -85,6 +82,7 @@ unsigned_int                    sysctl_tcp_notsent_lowat                     rea
 u8                              sysctl_tcp_sack                                                                      tcp_syn_options
 u8                              sysctl_tcp_window_scaling                                                            tcp_syn_options,tcp_parse_options
 u8                              sysctl_tcp_timestamps
+u8                              sysctl_netns_inherit_tcp_sysctls                     read_mostly                             tcp_schedule_loss_probe(tcp_write_xmit)
 u8                              sysctl_tcp_early_retrans                     read_mostly                             tcp_schedule_loss_probe(tcp_write_xmit)
 u32                             sysctl_tcp_rto_max_ms
 u8                              sysctl_tcp_recovery                                                                  tcp_fastretrans_alert
@@ -123,18 +121,21 @@ unsigned_long                   sysctl_tcp_comp_sack_delay_ns
 unsigned_long                   sysctl_tcp_comp_sack_slack_ns                                                        __tcp_ack_snd_check
 int                             sysctl_max_syn_backlog
 int                             sysctl_tcp_fastopen
-struct_tcp_congestion_ops       tcp_congestion_control                                                               init_cc
-struct_tcp_fastopen_context     tcp_fastopen_ctx
 unsigned_int                    sysctl_tcp_fastopen_blackhole_timeout
-atomic_t                        tfo_active_disable_times
-unsigned_long                   tfo_active_disable_stamp
-u32                             tcp_challenge_timestamp
-u32                             tcp_challenge_count
 u8                              sysctl_tcp_plb_enabled
 u8                              sysctl_tcp_plb_idle_rehash_rounds
 u8                              sysctl_tcp_plb_rehash_rounds
 u8                              sysctl_tcp_plb_suspend_rto_sec
 int                             sysctl_tcp_plb_cong_thresh
+u8                              sysctl_tcp_shrink_window
+u8                              sysctl_tcp_syn_linear_timeouts
+..                              end_of(tcp_sysctl)
+struct_tcp_congestion_ops       tcp_congestion_control                                                               init_cc
+struct_tcp_fastopen_context     tcp_fastopen_ctx
+atomic_t                        tfo_active_disable_times
+unsigned_long                   tfo_active_disable_stamp
+u32                             tcp_challenge_timestamp
+u32                             tcp_challenge_count
 int                             sysctl_udp_wmem_min
 int                             sysctl_udp_rmem_min
 u8                              sysctl_fib_notify_on_flag_change
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 2dbd46fc4734..53b180cc7a94 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -116,7 +116,6 @@ struct netns_ipv4 {
 #endif
 	bool			fib_has_custom_local_routes;
 	bool			fib_offload_disabled;
-	u8			sysctl_tcp_shrink_window;
 #ifdef CONFIG_IP_ROUTE_CLASSID
 	atomic_t		fib_num_tclassid_users;
 #endif
@@ -149,11 +148,6 @@ struct netns_ipv4 {
 
 	struct local_ports ip_local_ports;
 
-	u8 sysctl_tcp_ecn;
-	u8 sysctl_tcp_ecn_option;
-	u8 sysctl_tcp_ecn_option_beacon;
-	u8 sysctl_tcp_ecn_fallback;
-
 	u8 sysctl_ip_default_ttl;
 	u8 sysctl_ip_no_pmtu_disc;
 	u8 sysctl_ip_fwd_update_priority;
@@ -169,6 +163,14 @@ struct netns_ipv4 {
 	u8 sysctl_nexthop_compat_mode;
 
 	u8 sysctl_fwmark_reflect;
+
+	/* TCP sysctl fields enclosed in tcp_sysctl group are copied
+	 * using a single memcpy() in tcp_sk_init()
+	 */
+	struct_group(tcp_sysctl, u8 sysctl_tcp_ecn;
+	u8 sysctl_tcp_ecn_option;
+	u8 sysctl_tcp_ecn_option_beacon;
+	u8 sysctl_tcp_ecn_fallback;
 	u8 sysctl_tcp_fwmark_accept;
 	u8 sysctl_tcp_mtu_probing;
 	int sysctl_tcp_mtu_probe_floor;
@@ -227,24 +229,28 @@ struct netns_ipv4 {
 	unsigned long sysctl_tcp_comp_sack_slack_ns;
 	int sysctl_max_syn_backlog;
 	int sysctl_tcp_fastopen;
-	const struct tcp_congestion_ops __rcu  *tcp_congestion_control;
-	struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
 	unsigned int sysctl_tcp_fastopen_blackhole_timeout;
-	atomic_t tfo_active_disable_times;
-	unsigned long tfo_active_disable_stamp;
-	u32 tcp_challenge_timestamp;
-	u32 tcp_challenge_count;
 	u8 sysctl_tcp_plb_enabled;
 	u8 sysctl_tcp_plb_idle_rehash_rounds;
 	u8 sysctl_tcp_plb_rehash_rounds;
 	u8 sysctl_tcp_plb_suspend_rto_sec;
 	int sysctl_tcp_plb_cong_thresh;
+	u8 sysctl_tcp_shrink_window;
+	u8 sysctl_tcp_syn_linear_timeouts;
+
+	); /* end tcp_sysctl group */
+
+	const struct tcp_congestion_ops __rcu  *tcp_congestion_control;
+	struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
+	atomic_t tfo_active_disable_times;
+	unsigned long tfo_active_disable_stamp;
+	u32 tcp_challenge_timestamp;
+	u32 tcp_challenge_count;
 
 	int sysctl_udp_wmem_min;
 	int sysctl_udp_rmem_min;
 
 	u8 sysctl_fib_notify_on_flag_change;
-	u8 sysctl_tcp_syn_linear_timeouts;
 
 #ifdef CONFIG_NET_L3_MASTER_DEV
 	u8 sysctl_udp_l3mdev_accept;
-- 
2.47.3

[RFC PATCH net-next 2/3] net: ipv4: add netns_inherit_tcp_sysctls sysctl

[nmreadelf]

Add net.ipv4.netns_inherit_tcp_sysctls to control whether a newly created
netns inherits selected IPv4 TCP sysctl state from old_net.

Default is 0, preserving current behavior.
When set to 1 in old_net, child netns receives parent TCP sysctl policy
during netns creation.
---
 include/net/netns/ipv4.h   | 1 +
 net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 53b180cc7a94..184498d4d541 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -60,6 +60,7 @@ struct netns_ipv4 {
 
 	/* TX readonly hotpath cache lines */
 	__cacheline_group_begin(netns_ipv4_read_tx);
+	u8 sysctl_netns_inherit_tcp_sysctls;
 	u8 sysctl_tcp_early_retrans;
 	u8 sysctl_tcp_tso_win_divisor;
 	u8 sysctl_tcp_tso_rtt_log;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index a1a50a5c80dc..58a310c029d9 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1641,6 +1641,15 @@ static struct ctl_table ipv4_net_table[] = {
 		.extra1		= SYSCTL_ONE_THOUSAND,
 		.extra2		= &tcp_rto_max_max,
 	},
+	{
+		.procname	= "netns_inherit_tcp_sysctls",
+		.data		= &init_net.ipv4.sysctl_netns_inherit_tcp_sysctls,
+		.maxlen		= sizeof(u8),
+		.mode		= 0644,
+		.proc_handler	= proc_dou8vec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 };
 
 static __net_init int ipv4_sysctl_init_net(struct net *net)
-- 
2.47.3

[RFC PATCH net-next 3/3] tcp: netns: optionally inherit IPv4 TCP sysctls from parent netns

[nmreadelf]

During netns creation, setup_net() initializes IPv4 TCP sysctls. Add an
optional follow-up copy step in copy_net_ns() so selected IPv4 TCP sysctl
settings can be inherited from old_net when
net.ipv4.netns_inherit_tcp_sysctls=1.

The copy uses the tcp_sysctl struct_group plus selected related fields
outside that group, guarded by BUILD_BUG_ON checks for layout safety.

Default behavior is unchanged because inheritance is disabled unless
explicitly enabled in old_net.
---
 net/core/net_namespace.c | 72 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index a6e6a964a287..d6587362d450 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -548,6 +548,74 @@ void net_drop_ns(void *p)
 		net_passive_dec(net);
 }
 
+static int __net_init copy_net_ns_tcp_sysctls(struct net *net, struct net *old_net)
+{
+	if (net == old_net)
+		return 0;
+
+	/* Make sure TCP sysctl fields are contained by tcp_sysctl group */
+#define CHECK_SYSCTL_TCP_FIELD(lhs, rhs) \
+	BUILD_BUG_ON(offsetof(struct netns_ipv4, lhs) !=                \
+		offsetof(struct netns_ipv4, tcp_sysctl.rhs))
+
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_ecn, sysctl_tcp_ecn);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_ecn_fallback, sysctl_tcp_ecn_fallback);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_base_mss, sysctl_tcp_base_mss);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_keepalive_time, sysctl_tcp_keepalive_time);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_syncookies, sysctl_tcp_syncookies);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_fin_timeout, sysctl_tcp_fin_timeout);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_sack, sysctl_tcp_sack);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_window_scaling, sysctl_tcp_window_scaling);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_timestamps, sysctl_tcp_timestamps);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_rto_min_us, sysctl_tcp_rto_min_us);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_rto_max_ms, sysctl_tcp_rto_max_ms);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_recovery, sysctl_tcp_recovery);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_max_reordering, sysctl_tcp_max_reordering);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_challenge_ack_limit, sysctl_tcp_challenge_ack_limit);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_pacing_ss_ratio, sysctl_tcp_pacing_ss_ratio);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_pacing_ca_ratio, sysctl_tcp_pacing_ca_ratio);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_comp_sack_delay_ns, sysctl_tcp_comp_sack_delay_ns);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_comp_sack_slack_ns, sysctl_tcp_comp_sack_slack_ns);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_fastopen, sysctl_tcp_fastopen);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_fastopen_blackhole_timeout,
+			       sysctl_tcp_fastopen_blackhole_timeout);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_plb_enabled, sysctl_tcp_plb_enabled);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_plb_cong_thresh, sysctl_tcp_plb_cong_thresh);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_shrink_window, sysctl_tcp_shrink_window);
+	CHECK_SYSCTL_TCP_FIELD(sysctl_tcp_syn_linear_timeouts, sysctl_tcp_syn_linear_timeouts);
+
+	memcpy(&net->ipv4.tcp_sysctl,
+	       &old_net->ipv4.tcp_sysctl, sizeof(net->ipv4.tcp_sysctl));
+	net->ipv4.sysctl_netns_inherit_tcp_sysctls =
+	   old_net->ipv4.sysctl_netns_inherit_tcp_sysctls;
+	net->ipv4.sysctl_tcp_min_snd_mss =
+	   old_net->ipv4.sysctl_tcp_min_snd_mss;
+	net->ipv4.sysctl_tcp_reordering =
+	   old_net->ipv4.sysctl_tcp_reordering;
+	net->ipv4.sysctl_tcp_notsent_lowat =
+	   old_net->ipv4.sysctl_tcp_notsent_lowat;
+
+	net->ipv4.sysctl_tcp_early_retrans =
+	   old_net->ipv4.sysctl_tcp_early_retrans;
+	net->ipv4.sysctl_tcp_tso_win_divisor =
+	   old_net->ipv4.sysctl_tcp_tso_win_divisor;
+	net->ipv4.sysctl_tcp_tso_rtt_log =
+	   old_net->ipv4.sysctl_tcp_tso_rtt_log;
+	net->ipv4.sysctl_tcp_autocorking =
+	   old_net->ipv4.sysctl_tcp_autocorking;
+	net->ipv4.sysctl_tcp_limit_output_bytes =
+	   old_net->ipv4.sysctl_tcp_limit_output_bytes;
+	net->ipv4.sysctl_tcp_min_rtt_wlen =
+	   old_net->ipv4.sysctl_tcp_min_rtt_wlen;
+	net->ipv4.sysctl_tcp_moderate_rcvbuf =
+	   old_net->ipv4.sysctl_tcp_moderate_rcvbuf;
+	net->ipv4.sysctl_tcp_rcvbuf_low_rtt =
+	   old_net->ipv4.sysctl_tcp_rcvbuf_low_rtt;
+	atomic_set(&net->ipv4.tfo_active_disable_times,
+		   atomic_read(&old_net->ipv4.tfo_active_disable_times));
+	return 0;
+}
+
 struct net *copy_net_ns(u64 flags,
 			struct user_namespace *user_ns, struct net *old_net)
 {
@@ -594,6 +662,10 @@ struct net *copy_net_ns(u64 flags,
 		dec_net_namespaces(ucounts);
 		return ERR_PTR(rv);
 	}
+
+	if (READ_ONCE(old_net->ipv4.sysctl_netns_inherit_tcp_sysctls))
+		copy_net_ns_tcp_sysctls(net, old_net);
+
 	return net;
 }
 
-- 
2.47.3

Re: [RFC PATCH net-next 0/3] netns: optionally inherit IPv4 TCP sysctls from old net

[Eric Dumazet]

On Wed, Apr 29, 2026 at 6:30 PM nmreadelf <kong414@outlook.com> wrote:
>
> a new network namespace starts with built-in TCP defaults.
> In container-heavy setups, operators often tune TCP sysctls in init_net and then
> need to re-apply the same values for each new netns.
>

There is a mistake here.  init_net is not the same as parent_net (or
old_net in your patches)

unshare -n  # Parent netns might be init_net
unshare -n  # Parent netns is not init_net
...


> This series adds an opt-in mechanism to initialize per-netns IPv4 TCP sysctl
> settings from init_net at netns creation time.
>
> Behavior:
>
> Default is unchanged.
> When net.ipv4.netns_inherit_tcp_sysctls=1, new netns inherit
> TCP sysctl from old_net.
>
> nmreadelf (3):
>   ipv4: netns: group copyable TCP sysctls in netns_ipv4
>   net: ipv4: add netns_inherit_tcp_sysctls sysctl
>   tcp: netns: optionally inherit IPv4 TCP sysctls from parent netns
>
>  .../net_cachelines/netns_ipv4_sysctl.rst      | 25 +++----
>  include/net/netns/ipv4.h                      | 33 +++++----
>  net/core/net_namespace.c                      | 72 +++++++++++++++++++
>  net/ipv4/sysctl_net_ipv4.c                    |  9 +++
>  4 files changed, 114 insertions(+), 25 deletions(-)
>
> --
> 2.47.3
>

Re: [RFC PATCH net-next 0/3] netns: optionally inherit IPv4 TCP sysctls from old net

[Nicolas Dichtel]

Le 30/04/2026 à 03:30, nmreadelf a écrit :
> a new network namespace starts with built-in TCP defaults.
> In container-heavy setups, operators often tune TCP sysctls in init_net and then
> need to re-apply the same values for each new netns.
> 
> This series adds an opt-in mechanism to initialize per-netns IPv4 TCP sysctl
> settings from init_net at netns creation time.
> 
> Behavior:
> 
> Default is unchanged.
> When net.ipv4.netns_inherit_tcp_sysctls=1, new netns inherit
> TCP sysctl from old_net.

There is the same kind of sysctl for net.{ipv4,ipv6}.conf.{all,default}.*:
net.core.devconf_inherit_init_net.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/sysctl/net.rst#n401

I'm not sure if it's acceptable to use this existing entry to control the TCP
sysctl.
At least, putting the new one in the same place + using the same template for
the name + the same values would be nice. Something like
net.core.tcp_inherit_init_net.

Regards,
Nicolas