]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /proc/sys/net/ipv4/* Variables: |
2 | ||
3 | ip_forward - BOOLEAN | |
4 | 0 - disabled (default) | |
e18f5feb | 5 | not 0 - enabled |
1da177e4 LT |
6 | |
7 | Forward Packets between interfaces. | |
8 | ||
9 | This variable is special, its change resets all configuration | |
10 | parameters to their default state (RFC1122 for hosts, RFC1812 | |
11 | for routers) | |
12 | ||
13 | ip_default_ttl - INTEGER | |
cc6f02dd ED |
14 | Default value of TTL field (Time To Live) for outgoing (but not |
15 | forwarded) IP packets. Should be between 1 and 255 inclusive. | |
16 | Default: 64 (as recommended by RFC1700) | |
1da177e4 | 17 | |
cd174e67 HFS |
18 | ip_no_pmtu_disc - INTEGER |
19 | Disable Path MTU Discovery. If enabled in mode 1 and a | |
188b04d5 HFS |
20 | fragmentation-required ICMP is received, the PMTU to this |
21 | destination will be set to min_pmtu (see below). You will need | |
22 | to raise min_pmtu to the smallest interface MTU on your system | |
23 | manually if you want to avoid locally generated fragments. | |
cd174e67 HFS |
24 | |
25 | In mode 2 incoming Path MTU Discovery messages will be | |
26 | discarded. Outgoing frames are handled the same as in mode 1, | |
27 | implicitly setting IP_PMTUDISC_DONT on every created socket. | |
28 | ||
8ed1dc44 HFS |
29 | Mode 3 is a hardend pmtu discover mode. The kernel will only |
30 | accept fragmentation-needed errors if the underlying protocol | |
31 | can verify them besides a plain socket lookup. Current | |
32 | protocols for which pmtu events will be honored are TCP, SCTP | |
33 | and DCCP as they verify e.g. the sequence number or the | |
34 | association. This mode should not be enabled globally but is | |
35 | only intended to secure e.g. name servers in namespaces where | |
36 | TCP path mtu must still work but path MTU information of other | |
37 | protocols should be discarded. If enabled globally this mode | |
38 | could break other protocols. | |
39 | ||
40 | Possible values: 0-3 | |
188b04d5 | 41 | Default: FALSE |
1da177e4 LT |
42 | |
43 | min_pmtu - INTEGER | |
20db93c3 | 44 | default 552 - minimum discovered Path MTU |
1da177e4 | 45 | |
f87c10a8 HFS |
46 | ip_forward_use_pmtu - BOOLEAN |
47 | By default we don't trust protocol path MTUs while forwarding | |
48 | because they could be easily forged and can lead to unwanted | |
49 | fragmentation by the router. | |
50 | You only need to enable this if you have user-space software | |
51 | which tries to discover path mtus by itself and depends on the | |
52 | kernel honoring this information. This is normally not the | |
53 | case. | |
54 | Default: 0 (disabled) | |
55 | Possible values: | |
56 | 0 - disabled | |
57 | 1 - enabled | |
58 | ||
219b5f29 LV |
59 | fwmark_reflect - BOOLEAN |
60 | Controls the fwmark of kernel-generated IPv4 reply packets that are not | |
61 | associated with a socket for example, TCP RSTs or ICMP echo replies). | |
62 | If unset, these packets have a fwmark of zero. If set, they have the | |
63 | fwmark of the packet they are replying to. | |
64 | Default: 0 | |
65 | ||
a6db4494 DA |
66 | fib_multipath_use_neigh - BOOLEAN |
67 | Use status of existing neighbor entry when determining nexthop for | |
68 | multipath routes. If disabled, neighbor information is not used and | |
69 | packets could be directed to a failed nexthop. Only valid for kernels | |
70 | built with CONFIG_IP_ROUTE_MULTIPATH enabled. | |
71 | Default: 0 (disabled) | |
72 | Possible values: | |
73 | 0 - disabled | |
74 | 1 - enabled | |
75 | ||
bf4e0a3d NA |
76 | fib_multipath_hash_policy - INTEGER |
77 | Controls which hash policy to use for multipath routes. Only valid | |
78 | for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. | |
79 | Default: 0 (Layer 3) | |
80 | Possible values: | |
81 | 0 - Layer 3 | |
82 | 1 - Layer 4 | |
83 | ||
cbaf087a BG |
84 | route/max_size - INTEGER |
85 | Maximum number of routes allowed in the kernel. Increase | |
86 | this when using large numbers of interfaces and/or routes. | |
25050c63 AS |
87 | From linux kernel 3.6 onwards, this is deprecated for ipv4 |
88 | as route cache is no longer used. | |
cbaf087a | 89 | |
2724680b YH |
90 | neigh/default/gc_thresh1 - INTEGER |
91 | Minimum number of entries to keep. Garbage collector will not | |
92 | purge entries if there are fewer than this number. | |
b66c66dc | 93 | Default: 128 |
2724680b | 94 | |
a3d12146 | 95 | neigh/default/gc_thresh2 - INTEGER |
96 | Threshold when garbage collector becomes more aggressive about | |
97 | purging entries. Entries older than 5 seconds will be cleared | |
98 | when over this number. | |
99 | Default: 512 | |
100 | ||
cbaf087a BG |
101 | neigh/default/gc_thresh3 - INTEGER |
102 | Maximum number of neighbor entries allowed. Increase this | |
103 | when using large numbers of interfaces and when communicating | |
104 | with large numbers of directly-connected peers. | |
cc868028 | 105 | Default: 1024 |
cbaf087a | 106 | |
8b5c171b ED |
107 | neigh/default/unres_qlen_bytes - INTEGER |
108 | The maximum number of bytes which may be used by packets | |
109 | queued for each unresolved address by other network layers. | |
110 | (added in linux 3.3) | |
3b09adcb | 111 | Setting negative value is meaningless and will return error. |
cc868028 | 112 | Default: 65536 Bytes(64KB) |
8b5c171b ED |
113 | |
114 | neigh/default/unres_qlen - INTEGER | |
115 | The maximum number of packets which may be queued for each | |
116 | unresolved address by other network layers. | |
117 | (deprecated in linux 3.3) : use unres_qlen_bytes instead. | |
cc868028 | 118 | Prior to linux 3.3, the default value is 3 which may cause |
5d248c49 | 119 | unexpected packet loss. The current default value is calculated |
cc868028 SW |
120 | according to default value of unres_qlen_bytes and true size of |
121 | packet. | |
122 | Default: 31 | |
8b5c171b | 123 | |
1da177e4 LT |
124 | mtu_expires - INTEGER |
125 | Time, in seconds, that cached PMTU information is kept. | |
126 | ||
127 | min_adv_mss - INTEGER | |
128 | The advertised MSS depends on the first hop route MTU, but will | |
129 | never be lower than this setting. | |
130 | ||
131 | IP Fragmentation: | |
132 | ||
133 | ipfrag_high_thresh - INTEGER | |
e18f5feb | 134 | Maximum memory used to reassemble IP fragments. When |
1da177e4 LT |
135 | ipfrag_high_thresh bytes of memory is allocated for this purpose, |
136 | the fragment handler will toss packets until ipfrag_low_thresh | |
1bab4c75 NA |
137 | is reached. This also serves as a maximum limit to namespaces |
138 | different from the initial one. | |
e18f5feb | 139 | |
1da177e4 | 140 | ipfrag_low_thresh - INTEGER |
b13d3cbf FW |
141 | Maximum memory used to reassemble IP fragments before the kernel |
142 | begins to remove incomplete fragment queues to free up resources. | |
143 | The kernel still accepts new fragments for defragmentation. | |
1da177e4 LT |
144 | |
145 | ipfrag_time - INTEGER | |
e18f5feb | 146 | Time in seconds to keep an IP fragment in memory. |
1da177e4 | 147 | |
89cee8b1 | 148 | ipfrag_max_dist - INTEGER |
e18f5feb JDB |
149 | ipfrag_max_dist is a non-negative integer value which defines the |
150 | maximum "disorder" which is allowed among fragments which share a | |
151 | common IP source address. Note that reordering of packets is | |
152 | not unusual, but if a large number of fragments arrive from a source | |
153 | IP address while a particular fragment queue remains incomplete, it | |
154 | probably indicates that one or more fragments belonging to that queue | |
155 | have been lost. When ipfrag_max_dist is positive, an additional check | |
156 | is done on fragments before they are added to a reassembly queue - if | |
157 | ipfrag_max_dist (or more) fragments have arrived from a particular IP | |
158 | address between additions to any IP fragment queue using that source | |
159 | address, it's presumed that one or more fragments in the queue are | |
160 | lost. The existing fragment queue will be dropped, and a new one | |
89cee8b1 HX |
161 | started. An ipfrag_max_dist value of zero disables this check. |
162 | ||
163 | Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can | |
164 | result in unnecessarily dropping fragment queues when normal | |
e18f5feb JDB |
165 | reordering of packets occurs, which could lead to poor application |
166 | performance. Using a very large value, e.g. 50000, increases the | |
167 | likelihood of incorrectly reassembling IP fragments that originate | |
89cee8b1 HX |
168 | from different IP datagrams, which could result in data corruption. |
169 | Default: 64 | |
170 | ||
1da177e4 LT |
171 | INET peer storage: |
172 | ||
173 | inet_peer_threshold - INTEGER | |
e18f5feb | 174 | The approximate size of the storage. Starting from this threshold |
1da177e4 LT |
175 | entries will be thrown aggressively. This threshold also determines |
176 | entries' time-to-live and time intervals between garbage collection | |
177 | passes. More entries, less time-to-live, less GC interval. | |
178 | ||
179 | inet_peer_minttl - INTEGER | |
180 | Minimum time-to-live of entries. Should be enough to cover fragment | |
181 | time-to-live on the reassembling side. This minimum time-to-live is | |
182 | guaranteed if the pool size is less than inet_peer_threshold. | |
77a538d5 | 183 | Measured in seconds. |
1da177e4 LT |
184 | |
185 | inet_peer_maxttl - INTEGER | |
186 | Maximum time-to-live of entries. Unused entries will expire after | |
187 | this period of time if there is no memory pressure on the pool (i.e. | |
188 | when the number of entries in the pool is very small). | |
77a538d5 | 189 | Measured in seconds. |
1da177e4 | 190 | |
e18f5feb | 191 | TCP variables: |
1da177e4 | 192 | |
ef56e622 SH |
193 | somaxconn - INTEGER |
194 | Limit of socket listen() backlog, known in userspace as SOMAXCONN. | |
195 | Defaults to 128. See also tcp_max_syn_backlog for additional tuning | |
196 | for TCP sockets. | |
197 | ||
ef56e622 SH |
198 | tcp_abort_on_overflow - BOOLEAN |
199 | If listening service is too slow to accept new connections, | |
200 | reset them. Default state is FALSE. It means that if overflow | |
201 | occurred due to a burst, connection will recover. Enable this | |
202 | option _only_ if you are really sure that listening daemon | |
203 | cannot be tuned to accept connections faster. Enabling this | |
204 | option can harm clients of your server. | |
1da177e4 | 205 | |
ef56e622 SH |
206 | tcp_adv_win_scale - INTEGER |
207 | Count buffering overhead as bytes/2^tcp_adv_win_scale | |
208 | (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), | |
209 | if it is <= 0. | |
0147fc05 | 210 | Possible values are [-31, 31], inclusive. |
b49960a0 | 211 | Default: 1 |
1da177e4 | 212 | |
ef56e622 SH |
213 | tcp_allowed_congestion_control - STRING |
214 | Show/set the congestion control choices available to non-privileged | |
215 | processes. The list is a subset of those listed in | |
216 | tcp_available_congestion_control. | |
217 | Default is "reno" and the default setting (tcp_congestion_control). | |
1da177e4 | 218 | |
ef56e622 SH |
219 | tcp_app_win - INTEGER |
220 | Reserve max(window/2^tcp_app_win, mss) of window for application | |
221 | buffer. Value 0 is special, it means that nothing is reserved. | |
222 | Default: 31 | |
1da177e4 | 223 | |
f54b3111 ED |
224 | tcp_autocorking - BOOLEAN |
225 | Enable TCP auto corking : | |
226 | When applications do consecutive small write()/sendmsg() system calls, | |
227 | we try to coalesce these small writes as much as possible, to lower | |
228 | total amount of sent packets. This is done if at least one prior | |
229 | packet for the flow is waiting in Qdisc queues or device transmit | |
230 | queue. Applications can still use TCP_CORK for optimal behavior | |
231 | when they know how/when to uncork their sockets. | |
232 | Default : 1 | |
233 | ||
ef56e622 SH |
234 | tcp_available_congestion_control - STRING |
235 | Shows the available congestion control choices that are registered. | |
236 | More congestion control algorithms may be available as modules, | |
237 | but not loaded. | |
1da177e4 | 238 | |
71599cd1 | 239 | tcp_base_mss - INTEGER |
4edc2f34 SH |
240 | The initial value of search_low to be used by the packetization layer |
241 | Path MTU discovery (MTU probing). If MTU probing is enabled, | |
242 | this is the initial MSS used by the connection. | |
71599cd1 | 243 | |
ef56e622 SH |
244 | tcp_congestion_control - STRING |
245 | Set the congestion control algorithm to be used for new | |
246 | connections. The algorithm "reno" is always available, but | |
247 | additional choices may be available based on kernel configuration. | |
248 | Default is set as part of kernel configuration. | |
d8a6e65f ED |
249 | For passive connections, the listener congestion control choice |
250 | is inherited. | |
251 | [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] | |
1da177e4 | 252 | |
ef56e622 SH |
253 | tcp_dsack - BOOLEAN |
254 | Allows TCP to send "duplicate" SACKs. | |
1da177e4 | 255 | |
eed530b6 | 256 | tcp_early_retrans - INTEGER |
bec41a11 YC |
257 | Tail loss probe (TLP) converts RTOs occurring due to tail |
258 | losses into fast recovery (draft-ietf-tcpm-rack). Note that | |
259 | TLP requires RACK to function properly (see tcp_recovery below) | |
eed530b6 | 260 | Possible values: |
bec41a11 YC |
261 | 0 disables TLP |
262 | 3 or 4 enables TLP | |
6ba8a3b1 | 263 | Default: 3 |
eed530b6 | 264 | |
34a6ef38 | 265 | tcp_ecn - INTEGER |
7e3a2dc5 RJ |
266 | Control use of Explicit Congestion Notification (ECN) by TCP. |
267 | ECN is used only when both ends of the TCP connection indicate | |
268 | support for it. This feature is useful in avoiding losses due | |
269 | to congestion by allowing supporting routers to signal | |
270 | congestion before having to drop packets. | |
255cac91 | 271 | Possible values are: |
7e3a2dc5 | 272 | 0 Disable ECN. Neither initiate nor accept ECN. |
3d55b323 VS |
273 | 1 Enable ECN when requested by incoming connections and |
274 | also request ECN on outgoing connection attempts. | |
275 | 2 Enable ECN when requested by incoming connections | |
7e3a2dc5 | 276 | but do not request ECN on outgoing connections. |
255cac91 | 277 | Default: 2 |
ef56e622 | 278 | |
49213555 DB |
279 | tcp_ecn_fallback - BOOLEAN |
280 | If the kernel detects that ECN connection misbehaves, enable fall | |
281 | back to non-ECN. Currently, this knob implements the fallback | |
282 | from RFC3168, section 6.1.1.1., but we reserve that in future, | |
283 | additional detection mechanisms could be implemented under this | |
284 | knob. The value is not used, if tcp_ecn or per route (or congestion | |
285 | control) ECN settings are disabled. | |
286 | Default: 1 (fallback enabled) | |
287 | ||
ef56e622 SH |
288 | tcp_fack - BOOLEAN |
289 | Enable FACK congestion avoidance and fast retransmission. | |
290 | The value is not used, if tcp_sack is not enabled. | |
1da177e4 LT |
291 | |
292 | tcp_fin_timeout - INTEGER | |
d825da2e RJ |
293 | The length of time an orphaned (no longer referenced by any |
294 | application) connection will remain in the FIN_WAIT_2 state | |
295 | before it is aborted at the local end. While a perfectly | |
296 | valid "receive only" state for an un-orphaned connection, an | |
297 | orphaned connection in FIN_WAIT_2 state could otherwise wait | |
298 | forever for the remote to close its end of the connection. | |
299 | Cf. tcp_max_orphans | |
300 | Default: 60 seconds | |
1da177e4 | 301 | |
89808060 | 302 | tcp_frto - INTEGER |
e33099f9 | 303 | Enables Forward RTO-Recovery (F-RTO) defined in RFC5682. |
cd99889c | 304 | F-RTO is an enhanced recovery algorithm for TCP retransmission |
e33099f9 YC |
305 | timeouts. It is particularly beneficial in networks where the |
306 | RTT fluctuates (e.g., wireless). F-RTO is sender-side only | |
307 | modification. It does not require any support from the peer. | |
308 | ||
309 | By default it's enabled with a non-zero value. 0 disables F-RTO. | |
1da177e4 | 310 | |
032ee423 NC |
311 | tcp_invalid_ratelimit - INTEGER |
312 | Limit the maximal rate for sending duplicate acknowledgments | |
313 | in response to incoming TCP packets that are for an existing | |
314 | connection but that are invalid due to any of these reasons: | |
315 | ||
316 | (a) out-of-window sequence number, | |
317 | (b) out-of-window acknowledgment number, or | |
318 | (c) PAWS (Protection Against Wrapped Sequence numbers) check failure | |
319 | ||
320 | This can help mitigate simple "ack loop" DoS attacks, wherein | |
321 | a buggy or malicious middlebox or man-in-the-middle can | |
322 | rewrite TCP header fields in manner that causes each endpoint | |
323 | to think that the other is sending invalid TCP segments, thus | |
324 | causing each side to send an unterminating stream of duplicate | |
325 | acknowledgments for invalid segments. | |
326 | ||
327 | Using 0 disables rate-limiting of dupacks in response to | |
328 | invalid segments; otherwise this value specifies the minimal | |
329 | space between sending such dupacks, in milliseconds. | |
330 | ||
331 | Default: 500 (milliseconds). | |
332 | ||
ef56e622 SH |
333 | tcp_keepalive_time - INTEGER |
334 | How often TCP sends out keepalive messages when keepalive is enabled. | |
335 | Default: 2hours. | |
1da177e4 | 336 | |
ef56e622 SH |
337 | tcp_keepalive_probes - INTEGER |
338 | How many keepalive probes TCP sends out, until it decides that the | |
339 | connection is broken. Default value: 9. | |
340 | ||
341 | tcp_keepalive_intvl - INTEGER | |
342 | How frequently the probes are send out. Multiplied by | |
343 | tcp_keepalive_probes it is time to kill not responding connection, | |
344 | after probes started. Default value: 75sec i.e. connection | |
345 | will be aborted after ~11 minutes of retries. | |
346 | ||
6dd9a14e DA |
347 | tcp_l3mdev_accept - BOOLEAN |
348 | Enables child sockets to inherit the L3 master device index. | |
349 | Enabling this option allows a "global" listen socket to work | |
350 | across L3 master domains (e.g., VRFs) with connected sockets | |
351 | derived from the listen socket to be bound to the L3 domain in | |
352 | which the packets originated. Only valid when the kernel was | |
353 | compiled with CONFIG_NET_L3_MASTER_DEV. | |
354 | ||
ef56e622 | 355 | tcp_low_latency - BOOLEAN |
b6690b14 | 356 | This is a legacy option, it has no effect anymore. |
1da177e4 LT |
357 | |
358 | tcp_max_orphans - INTEGER | |
359 | Maximal number of TCP sockets not attached to any user file handle, | |
360 | held by system. If this number is exceeded orphaned connections are | |
361 | reset immediately and warning is printed. This limit exists | |
362 | only to prevent simple DoS attacks, you _must_ not rely on this | |
363 | or lower the limit artificially, but rather increase it | |
364 | (probably, after increasing installed memory), | |
365 | if network conditions require more than default value, | |
366 | and tune network services to linger and kill such states | |
367 | more aggressively. Let me to remind again: each orphan eats | |
368 | up to ~64K of unswappable memory. | |
369 | ||
1da177e4 | 370 | tcp_max_syn_backlog - INTEGER |
99b53bdd PP |
371 | Maximal number of remembered connection requests, which have not |
372 | received an acknowledgment from connecting client. | |
373 | The minimal value is 128 for low memory machines, and it will | |
374 | increase in proportion to the memory of machine. | |
375 | If server suffers from overload, try increasing this number. | |
1da177e4 | 376 | |
ef56e622 SH |
377 | tcp_max_tw_buckets - INTEGER |
378 | Maximal number of timewait sockets held by system simultaneously. | |
379 | If this number is exceeded time-wait socket is immediately destroyed | |
380 | and warning is printed. This limit exists only to prevent | |
381 | simple DoS attacks, you _must_ not lower the limit artificially, | |
382 | but rather increase it (probably, after increasing installed memory), | |
383 | if network conditions require more than default value. | |
1da177e4 | 384 | |
ef56e622 SH |
385 | tcp_mem - vector of 3 INTEGERs: min, pressure, max |
386 | min: below this number of pages TCP is not bothered about its | |
387 | memory appetite. | |
1da177e4 | 388 | |
ef56e622 SH |
389 | pressure: when amount of memory allocated by TCP exceeds this number |
390 | of pages, TCP moderates its memory consumption and enters memory | |
391 | pressure mode, which is exited when memory consumption falls | |
392 | under "min". | |
1da177e4 | 393 | |
ef56e622 | 394 | max: number of pages allowed for queueing by all TCP sockets. |
1da177e4 | 395 | |
ef56e622 SH |
396 | Defaults are calculated at boot time from amount of available |
397 | memory. | |
1da177e4 | 398 | |
f6722583 YC |
399 | tcp_min_rtt_wlen - INTEGER |
400 | The window length of the windowed min filter to track the minimum RTT. | |
401 | A shorter window lets a flow more quickly pick up new (higher) | |
402 | minimum RTT when it is moved to a longer path (e.g., due to traffic | |
403 | engineering). A longer window makes the filter more resistant to RTT | |
404 | inflations such as transient congestion. The unit is seconds. | |
405 | Default: 300 | |
406 | ||
71599cd1 | 407 | tcp_moderate_rcvbuf - BOOLEAN |
4edc2f34 | 408 | If set, TCP performs receive buffer auto-tuning, attempting to |
71599cd1 JH |
409 | automatically size the buffer (no greater than tcp_rmem[2]) to |
410 | match the size required by the path for full throughput. Enabled by | |
411 | default. | |
412 | ||
413 | tcp_mtu_probing - INTEGER | |
414 | Controls TCP Packetization-Layer Path MTU Discovery. Takes three | |
415 | values: | |
416 | 0 - Disabled | |
417 | 1 - Disabled by default, enabled when an ICMP black hole detected | |
418 | 2 - Always enabled, use initial MSS of tcp_base_mss. | |
419 | ||
fab42760 FD |
420 | tcp_probe_interval - INTEGER |
421 | Controls how often to start TCP Packetization-Layer Path MTU | |
422 | Discovery reprobe. The default is reprobing every 10 minutes as | |
423 | per RFC4821. | |
424 | ||
425 | tcp_probe_threshold - INTEGER | |
426 | Controls when TCP Packetization-Layer Path MTU Discovery probing | |
427 | will stop in respect to the width of search range in bytes. Default | |
428 | is 8 bytes. | |
429 | ||
71599cd1 JH |
430 | tcp_no_metrics_save - BOOLEAN |
431 | By default, TCP saves various connection metrics in the route cache | |
432 | when the connection closes, so that connections established in the | |
433 | near future can use these to set initial conditions. Usually, this | |
434 | increases overall performance, but may sometimes cause performance | |
0f035b8e | 435 | degradation. If set, TCP will not cache metrics on closing |
71599cd1 JH |
436 | connections. |
437 | ||
ef56e622 | 438 | tcp_orphan_retries - INTEGER |
5d789229 DL |
439 | This value influences the timeout of a locally closed TCP connection, |
440 | when RTO retransmissions remain unacknowledged. | |
441 | See tcp_retries2 for more details. | |
442 | ||
06b8fc5d | 443 | The default value is 8. |
5d789229 | 444 | If your machine is a loaded WEB server, |
ef56e622 SH |
445 | you should think about lowering this value, such sockets |
446 | may consume significant resources. Cf. tcp_max_orphans. | |
1da177e4 | 447 | |
4f41b1c5 YC |
448 | tcp_recovery - INTEGER |
449 | This value is a bitmap to enable various experimental loss recovery | |
450 | features. | |
451 | ||
452 | RACK: 0x1 enables the RACK loss detection for fast detection of lost | |
453 | retransmissions and tail drops. | |
454 | ||
455 | Default: 0x1 | |
456 | ||
1da177e4 | 457 | tcp_reordering - INTEGER |
dca145ff ED |
458 | Initial reordering level of packets in a TCP stream. |
459 | TCP stack can then dynamically adjust flow reordering level | |
460 | between this initial value and tcp_max_reordering | |
e18f5feb | 461 | Default: 3 |
1da177e4 | 462 | |
dca145ff ED |
463 | tcp_max_reordering - INTEGER |
464 | Maximal reordering level of packets in a TCP stream. | |
465 | 300 is a fairly conservative value, but you might increase it | |
466 | if paths are using per packet load balancing (like bonding rr mode) | |
467 | Default: 300 | |
468 | ||
1da177e4 LT |
469 | tcp_retrans_collapse - BOOLEAN |
470 | Bug-to-bug compatibility with some broken printers. | |
471 | On retransmit try to send bigger packets to work around bugs in | |
472 | certain TCP stacks. | |
473 | ||
ef56e622 | 474 | tcp_retries1 - INTEGER |
5d789229 DL |
475 | This value influences the time, after which TCP decides, that |
476 | something is wrong due to unacknowledged RTO retransmissions, | |
477 | and reports this suspicion to the network layer. | |
478 | See tcp_retries2 for more details. | |
479 | ||
480 | RFC 1122 recommends at least 3 retransmissions, which is the | |
481 | default. | |
1da177e4 | 482 | |
ef56e622 | 483 | tcp_retries2 - INTEGER |
5d789229 DL |
484 | This value influences the timeout of an alive TCP connection, |
485 | when RTO retransmissions remain unacknowledged. | |
486 | Given a value of N, a hypothetical TCP connection following | |
487 | exponential backoff with an initial RTO of TCP_RTO_MIN would | |
488 | retransmit N times before killing the connection at the (N+1)th RTO. | |
489 | ||
490 | The default value of 15 yields a hypothetical timeout of 924.6 | |
491 | seconds and is a lower bound for the effective timeout. | |
492 | TCP will effectively time out at the first RTO which exceeds the | |
493 | hypothetical timeout. | |
494 | ||
495 | RFC 1122 recommends at least 100 seconds for the timeout, | |
496 | which corresponds to a value of at least 8. | |
1da177e4 | 497 | |
ef56e622 SH |
498 | tcp_rfc1337 - BOOLEAN |
499 | If set, the TCP stack behaves conforming to RFC1337. If unset, | |
500 | we are not conforming to RFC, but prevent TCP TIME_WAIT | |
501 | assassination. | |
502 | Default: 0 | |
1da177e4 LT |
503 | |
504 | tcp_rmem - vector of 3 INTEGERs: min, default, max | |
505 | min: Minimal size of receive buffer used by TCP sockets. | |
506 | It is guaranteed to each TCP socket, even under moderate memory | |
507 | pressure. | |
6539fefd | 508 | Default: 1 page |
1da177e4 | 509 | |
53025f5e | 510 | default: initial size of receive buffer used by TCP sockets. |
1da177e4 LT |
511 | This value overrides net.core.rmem_default used by other protocols. |
512 | Default: 87380 bytes. This value results in window of 65535 with | |
513 | default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit | |
514 | less for default tcp_app_win. See below about these variables. | |
515 | ||
516 | max: maximal size of receive buffer allowed for automatically | |
517 | selected receiver buffers for TCP socket. This value does not override | |
53025f5e BF |
518 | net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables |
519 | automatic tuning of that socket's receive buffer size, in which | |
520 | case this value is ignored. | |
b49960a0 | 521 | Default: between 87380B and 6MB, depending on RAM size. |
1da177e4 | 522 | |
ef56e622 SH |
523 | tcp_sack - BOOLEAN |
524 | Enable select acknowledgments (SACKS). | |
1da177e4 | 525 | |
ef56e622 SH |
526 | tcp_slow_start_after_idle - BOOLEAN |
527 | If set, provide RFC2861 behavior and time out the congestion | |
528 | window after an idle period. An idle period is defined at | |
529 | the current RTO. If unset, the congestion window will not | |
530 | be timed out after an idle period. | |
531 | Default: 1 | |
1da177e4 | 532 | |
ef56e622 | 533 | tcp_stdurg - BOOLEAN |
4edc2f34 | 534 | Use the Host requirements interpretation of the TCP urgent pointer field. |
ef56e622 SH |
535 | Most hosts use the older BSD interpretation, so if you turn this on |
536 | Linux might not communicate correctly with them. | |
537 | Default: FALSE | |
1da177e4 | 538 | |
ef56e622 SH |
539 | tcp_synack_retries - INTEGER |
540 | Number of times SYNACKs for a passive TCP connection attempt will | |
541 | be retransmitted. Should not be higher than 255. Default value | |
6c9ff979 AB |
542 | is 5, which corresponds to 31seconds till the last retransmission |
543 | with the current initial RTO of 1second. With this the final timeout | |
544 | for a passive TCP connection will happen after 63seconds. | |
1da177e4 | 545 | |
ef56e622 | 546 | tcp_syncookies - BOOLEAN |
a3c910d2 | 547 | Only valid when the kernel was compiled with CONFIG_SYN_COOKIES |
ef56e622 | 548 | Send out syncookies when the syn backlog queue of a socket |
4edc2f34 | 549 | overflows. This is to prevent against the common 'SYN flood attack' |
a3c910d2 | 550 | Default: 1 |
1da177e4 | 551 | |
ef56e622 SH |
552 | Note, that syncookies is fallback facility. |
553 | It MUST NOT be used to help highly loaded servers to stand | |
4edc2f34 | 554 | against legal connection rate. If you see SYN flood warnings |
ef56e622 SH |
555 | in your logs, but investigation shows that they occur |
556 | because of overload with legal connections, you should tune | |
557 | another parameters until this warning disappear. | |
558 | See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. | |
1da177e4 | 559 | |
ef56e622 SH |
560 | syncookies seriously violate TCP protocol, do not allow |
561 | to use TCP extensions, can result in serious degradation | |
562 | of some services (f.e. SMTP relaying), visible not by you, | |
563 | but your clients and relays, contacting you. While you see | |
4edc2f34 | 564 | SYN flood warnings in logs not being really flooded, your server |
ef56e622 | 565 | is seriously misconfigured. |
1da177e4 | 566 | |
5ad37d5d HFS |
567 | If you want to test which effects syncookies have to your |
568 | network connections you can set this knob to 2 to enable | |
569 | unconditionally generation of syncookies. | |
570 | ||
cf60af03 | 571 | tcp_fastopen - INTEGER |
cebc5cba YC |
572 | Enable TCP Fast Open (RFC7413) to send and accept data in the opening |
573 | SYN packet. | |
10467163 | 574 | |
cebc5cba YC |
575 | The client support is enabled by flag 0x1 (on by default). The client |
576 | then must use sendmsg() or sendto() with the MSG_FASTOPEN flag, | |
577 | rather than connect() to send data in SYN. | |
cf60af03 | 578 | |
cebc5cba YC |
579 | The server support is enabled by flag 0x2 (off by default). Then |
580 | either enable for all listeners with another flag (0x400) or | |
581 | enable individual listeners via TCP_FASTOPEN socket option with | |
582 | the option value being the length of the syn-data backlog. | |
cf60af03 | 583 | |
cebc5cba YC |
584 | The values (bitmap) are |
585 | 0x1: (client) enables sending data in the opening SYN on the client. | |
586 | 0x2: (server) enables the server support, i.e., allowing data in | |
587 | a SYN packet to be accepted and passed to the | |
588 | application before 3-way handshake finishes. | |
589 | 0x4: (client) send data in the opening SYN regardless of cookie | |
590 | availability and without a cookie option. | |
591 | 0x200: (server) accept data-in-SYN w/o any cookie option present. | |
592 | 0x400: (server) enable all listeners to support Fast Open by | |
593 | default without explicit TCP_FASTOPEN socket option. | |
594 | ||
595 | Default: 0x1 | |
10467163 | 596 | |
cebc5cba YC |
597 | Note that that additional client or server features are only |
598 | effective if the basic support (0x1 and 0x2) are enabled respectively. | |
10467163 | 599 | |
cf1ef3f0 WW |
600 | tcp_fastopen_blackhole_timeout_sec - INTEGER |
601 | Initial time period in second to disable Fastopen on active TCP sockets | |
602 | when a TFO firewall blackhole issue happens. | |
603 | This time period will grow exponentially when more blackhole issues | |
604 | get detected right after Fastopen is re-enabled and will reset to | |
605 | initial value when the blackhole issue goes away. | |
606 | By default, it is set to 1hr. | |
607 | ||
ef56e622 SH |
608 | tcp_syn_retries - INTEGER |
609 | Number of times initial SYNs for an active TCP connection attempt | |
bffae697 | 610 | will be retransmitted. Should not be higher than 127. Default value |
3b09adcb | 611 | is 6, which corresponds to 63seconds till the last retransmission |
6c9ff979 AB |
612 | with the current initial RTO of 1second. With this the final timeout |
613 | for an active TCP connection attempt will happen after 127seconds. | |
ef56e622 | 614 | |
25429d7b FW |
615 | tcp_timestamps - INTEGER |
616 | Enable timestamps as defined in RFC1323. | |
617 | 0: Disabled. | |
618 | 1: Enable timestamps as defined in RFC1323 and use random offset for | |
619 | each connection rather than only using the current time. | |
620 | 2: Like 1, but without random offsets. | |
621 | Default: 1 | |
1da177e4 | 622 | |
95bd09eb ED |
623 | tcp_min_tso_segs - INTEGER |
624 | Minimal number of segments per TSO frame. | |
625 | Since linux-3.12, TCP does an automatic sizing of TSO frames, | |
626 | depending on flow rate, instead of filling 64Kbytes packets. | |
627 | For specific usages, it's possible to force TCP to build big | |
628 | TSO frames. Note that TCP stack might split too big TSO packets | |
629 | if available window is too small. | |
630 | Default: 2 | |
631 | ||
43e122b0 ED |
632 | tcp_pacing_ss_ratio - INTEGER |
633 | sk->sk_pacing_rate is set by TCP stack using a ratio applied | |
634 | to current rate. (current_rate = cwnd * mss / srtt) | |
635 | If TCP is in slow start, tcp_pacing_ss_ratio is applied | |
636 | to let TCP probe for bigger speeds, assuming cwnd can be | |
637 | doubled every other RTT. | |
638 | Default: 200 | |
639 | ||
640 | tcp_pacing_ca_ratio - INTEGER | |
641 | sk->sk_pacing_rate is set by TCP stack using a ratio applied | |
642 | to current rate. (current_rate = cwnd * mss / srtt) | |
643 | If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio | |
644 | is applied to conservatively probe for bigger throughput. | |
645 | Default: 120 | |
646 | ||
1da177e4 | 647 | tcp_tso_win_divisor - INTEGER |
ef56e622 SH |
648 | This allows control over what percentage of the congestion window |
649 | can be consumed by a single TSO frame. | |
650 | The setting of this parameter is a choice between burstiness and | |
651 | building larger TSO frames. | |
652 | Default: 3 | |
1da177e4 | 653 | |
ef56e622 SH |
654 | tcp_tw_reuse - BOOLEAN |
655 | Allow to reuse TIME-WAIT sockets for new connections when it is | |
656 | safe from protocol viewpoint. Default value is 0. | |
657 | It should not be changed without advice/request of technical | |
658 | experts. | |
ce7bc3bf | 659 | |
ef56e622 SH |
660 | tcp_window_scaling - BOOLEAN |
661 | Enable window scaling as defined in RFC1323. | |
3ff825b2 | 662 | |
ef56e622 | 663 | tcp_wmem - vector of 3 INTEGERs: min, default, max |
53025f5e | 664 | min: Amount of memory reserved for send buffers for TCP sockets. |
ef56e622 | 665 | Each TCP socket has rights to use it due to fact of its birth. |
6539fefd | 666 | Default: 1 page |
9d7bcfc6 | 667 | |
53025f5e BF |
668 | default: initial size of send buffer used by TCP sockets. This |
669 | value overrides net.core.wmem_default used by other protocols. | |
670 | It is usually lower than net.core.wmem_default. | |
ef56e622 SH |
671 | Default: 16K |
672 | ||
53025f5e BF |
673 | max: Maximal amount of memory allowed for automatically tuned |
674 | send buffers for TCP sockets. This value does not override | |
675 | net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables | |
676 | automatic tuning of that socket's send buffer size, in which case | |
677 | this value is ignored. | |
678 | Default: between 64K and 4MB, depending on RAM size. | |
1da177e4 | 679 | |
c9bee3b7 ED |
680 | tcp_notsent_lowat - UNSIGNED INTEGER |
681 | A TCP socket can control the amount of unsent bytes in its write queue, | |
682 | thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll() | |
683 | reports POLLOUT events if the amount of unsent bytes is below a per | |
684 | socket value, and if the write queue is not full. sendmsg() will | |
685 | also not add new buffers if the limit is hit. | |
686 | ||
687 | This global variable controls the amount of unsent data for | |
688 | sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change | |
689 | to the global variable has immediate effect. | |
690 | ||
691 | Default: UINT_MAX (0xFFFFFFFF) | |
692 | ||
15d99e02 RJ |
693 | tcp_workaround_signed_windows - BOOLEAN |
694 | If set, assume no receipt of a window scaling option means the | |
695 | remote TCP is broken and treats the window as a signed quantity. | |
696 | If unset, assume the remote TCP is not broken even if we do | |
697 | not receive a window scaling option from them. | |
698 | Default: 0 | |
699 | ||
36e31b0a AP |
700 | tcp_thin_linear_timeouts - BOOLEAN |
701 | Enable dynamic triggering of linear timeouts for thin streams. | |
702 | If set, a check is performed upon retransmission by timeout to | |
703 | determine if the stream is thin (less than 4 packets in flight). | |
704 | As long as the stream is found to be thin, up to 6 linear | |
705 | timeouts may be performed before exponential backoff mode is | |
706 | initiated. This improves retransmission latency for | |
707 | non-aggressive thin streams, often found to be time-dependent. | |
708 | For more information on thin streams, see | |
709 | Documentation/networking/tcp-thin.txt | |
710 | Default: 0 | |
711 | ||
46d3ceab ED |
712 | tcp_limit_output_bytes - INTEGER |
713 | Controls TCP Small Queue limit per tcp socket. | |
714 | TCP bulk sender tends to increase packets in flight until it | |
715 | gets losses notifications. With SNDBUF autotuning, this can | |
716 | result in a large amount of packets queued in qdisc/device | |
717 | on the local machine, hurting latency of other flows, for | |
718 | typical pfifo_fast qdiscs. | |
719 | tcp_limit_output_bytes limits the number of bytes on qdisc | |
720 | or device to reduce artificial RTT/cwnd and reduce bufferbloat. | |
821b4144 | 721 | Default: 262144 |
46d3ceab | 722 | |
282f23c6 ED |
723 | tcp_challenge_ack_limit - INTEGER |
724 | Limits number of Challenge ACK sent per second, as recommended | |
725 | in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) | |
726 | Default: 100 | |
727 | ||
95766fff HA |
728 | UDP variables: |
729 | ||
63a6fff3 RS |
730 | udp_l3mdev_accept - BOOLEAN |
731 | Enabling this option allows a "global" bound socket to work | |
732 | across L3 master domains (e.g., VRFs) with packets capable of | |
733 | being received regardless of the L3 domain in which they | |
734 | originated. Only valid when the kernel was compiled with | |
735 | CONFIG_NET_L3_MASTER_DEV. | |
736 | ||
95766fff HA |
737 | udp_mem - vector of 3 INTEGERs: min, pressure, max |
738 | Number of pages allowed for queueing by all UDP sockets. | |
739 | ||
740 | min: Below this number of pages UDP is not bothered about its | |
741 | memory appetite. When amount of memory allocated by UDP exceeds | |
742 | this number, UDP starts to moderate memory usage. | |
743 | ||
744 | pressure: This value was introduced to follow format of tcp_mem. | |
745 | ||
746 | max: Number of pages allowed for queueing by all UDP sockets. | |
747 | ||
748 | Default is calculated at boot time from amount of available memory. | |
749 | ||
750 | udp_rmem_min - INTEGER | |
751 | Minimal size of receive buffer used by UDP sockets in moderation. | |
752 | Each UDP socket is able to use the size for receiving data, even if | |
753 | total pages of UDP sockets exceed udp_mem pressure. The unit is byte. | |
6539fefd | 754 | Default: 1 page |
95766fff HA |
755 | |
756 | udp_wmem_min - INTEGER | |
757 | Minimal size of send buffer used by UDP sockets in moderation. | |
758 | Each UDP socket is able to use the size for sending data, even if | |
759 | total pages of UDP sockets exceed udp_mem pressure. The unit is byte. | |
6539fefd | 760 | Default: 1 page |
95766fff | 761 | |
8802f616 PM |
762 | CIPSOv4 Variables: |
763 | ||
764 | cipso_cache_enable - BOOLEAN | |
765 | If set, enable additions to and lookups from the CIPSO label mapping | |
766 | cache. If unset, additions are ignored and lookups always result in a | |
767 | miss. However, regardless of the setting the cache is still | |
768 | invalidated when required when means you can safely toggle this on and | |
769 | off and the cache will always be "safe". | |
770 | Default: 1 | |
771 | ||
772 | cipso_cache_bucket_size - INTEGER | |
773 | The CIPSO label cache consists of a fixed size hash table with each | |
774 | hash bucket containing a number of cache entries. This variable limits | |
775 | the number of entries in each hash bucket; the larger the value the | |
776 | more CIPSO label mappings that can be cached. When the number of | |
777 | entries in a given hash bucket reaches this limit adding new entries | |
778 | causes the oldest entry in the bucket to be removed to make room. | |
779 | Default: 10 | |
780 | ||
781 | cipso_rbm_optfmt - BOOLEAN | |
782 | Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of | |
783 | the CIPSO draft specification (see Documentation/netlabel for details). | |
784 | This means that when set the CIPSO tag will be padded with empty | |
785 | categories in order to make the packet data 32-bit aligned. | |
786 | Default: 0 | |
787 | ||
788 | cipso_rbm_structvalid - BOOLEAN | |
789 | If set, do a very strict check of the CIPSO option when | |
790 | ip_options_compile() is called. If unset, relax the checks done during | |
791 | ip_options_compile(). Either way is "safe" as errors are caught else | |
792 | where in the CIPSO processing code but setting this to 0 (False) should | |
793 | result in less work (i.e. it should be faster) but could cause problems | |
794 | with other implementations that require strict checking. | |
795 | Default: 0 | |
796 | ||
1da177e4 LT |
797 | IP Variables: |
798 | ||
799 | ip_local_port_range - 2 INTEGERS | |
800 | Defines the local port range that is used by TCP and UDP to | |
e18f5feb | 801 | choose the local port. The first number is the first, the |
07f4c900 ED |
802 | second the last local port number. |
803 | If possible, it is better these numbers have different parity. | |
804 | (one even and one odd values) | |
805 | The default values are 32768 and 60999 respectively. | |
1da177e4 | 806 | |
e3826f1e AW |
807 | ip_local_reserved_ports - list of comma separated ranges |
808 | Specify the ports which are reserved for known third-party | |
809 | applications. These ports will not be used by automatic port | |
810 | assignments (e.g. when calling connect() or bind() with port | |
811 | number 0). Explicit port allocation behavior is unchanged. | |
812 | ||
813 | The format used for both input and output is a comma separated | |
814 | list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and | |
815 | 10). Writing to the file will clear all previously reserved | |
816 | ports and update the current list with the one given in the | |
817 | input. | |
818 | ||
819 | Note that ip_local_port_range and ip_local_reserved_ports | |
820 | settings are independent and both are considered by the kernel | |
821 | when determining which ports are available for automatic port | |
822 | assignments. | |
823 | ||
824 | You can reserve ports which are not in the current | |
825 | ip_local_port_range, e.g.: | |
826 | ||
827 | $ cat /proc/sys/net/ipv4/ip_local_port_range | |
07f4c900 | 828 | 32000 60999 |
e3826f1e AW |
829 | $ cat /proc/sys/net/ipv4/ip_local_reserved_ports |
830 | 8080,9148 | |
831 | ||
832 | although this is redundant. However such a setting is useful | |
833 | if later the port range is changed to a value that will | |
834 | include the reserved ports. | |
835 | ||
836 | Default: Empty | |
837 | ||
4548b683 KJ |
838 | ip_unprivileged_port_start - INTEGER |
839 | This is a per-namespace sysctl. It defines the first | |
840 | unprivileged port in the network namespace. Privileged ports | |
841 | require root or CAP_NET_BIND_SERVICE in order to bind to them. | |
842 | To disable all privileged ports, set this to 0. It may not | |
843 | overlap with the ip_local_reserved_ports range. | |
844 | ||
845 | Default: 1024 | |
846 | ||
1da177e4 LT |
847 | ip_nonlocal_bind - BOOLEAN |
848 | If set, allows processes to bind() to non-local IP addresses, | |
849 | which can be quite useful - but may break some applications. | |
850 | Default: 0 | |
851 | ||
852 | ip_dynaddr - BOOLEAN | |
853 | If set non-zero, enables support for dynamic addresses. | |
854 | If set to a non-zero value larger than 1, a kernel log | |
855 | message will be printed when dynamic address rewriting | |
856 | occurs. | |
857 | Default: 0 | |
858 | ||
e3d73bce CW |
859 | ip_early_demux - BOOLEAN |
860 | Optimize input packet processing down to one demux for | |
861 | certain kinds of local sockets. Currently we only do this | |
dddb64bc | 862 | for established TCP and connected UDP sockets. |
e3d73bce CW |
863 | |
864 | It may add an additional cost for pure routing workloads that | |
865 | reduces overall throughput, in such case you should disable it. | |
866 | Default: 1 | |
867 | ||
dddb64bc SAK |
868 | tcp_early_demux - BOOLEAN |
869 | Enable early demux for established TCP sockets. | |
870 | Default: 1 | |
871 | ||
872 | udp_early_demux - BOOLEAN | |
873 | Enable early demux for connected UDP sockets. Disable this if | |
874 | your system could experience more unconnected load. | |
875 | Default: 1 | |
876 | ||
1da177e4 | 877 | icmp_echo_ignore_all - BOOLEAN |
7ce31246 DM |
878 | If set non-zero, then the kernel will ignore all ICMP ECHO |
879 | requests sent to it. | |
880 | Default: 0 | |
881 | ||
1da177e4 | 882 | icmp_echo_ignore_broadcasts - BOOLEAN |
7ce31246 DM |
883 | If set non-zero, then the kernel will ignore all ICMP ECHO and |
884 | TIMESTAMP requests sent to it via broadcast/multicast. | |
885 | Default: 1 | |
1da177e4 LT |
886 | |
887 | icmp_ratelimit - INTEGER | |
888 | Limit the maximal rates for sending ICMP packets whose type matches | |
889 | icmp_ratemask (see below) to specific targets. | |
6dbf4bca SH |
890 | 0 to disable any limiting, |
891 | otherwise the minimal space between responses in milliseconds. | |
4cdf507d ED |
892 | Note that another sysctl, icmp_msgs_per_sec limits the number |
893 | of ICMP packets sent on all targets. | |
6dbf4bca | 894 | Default: 1000 |
1da177e4 | 895 | |
4cdf507d ED |
896 | icmp_msgs_per_sec - INTEGER |
897 | Limit maximal number of ICMP packets sent per second from this host. | |
898 | Only messages whose type matches icmp_ratemask (see below) are | |
899 | controlled by this limit. | |
6dbf4bca | 900 | Default: 1000 |
1da177e4 | 901 | |
4cdf507d ED |
902 | icmp_msgs_burst - INTEGER |
903 | icmp_msgs_per_sec controls number of ICMP packets sent per second, | |
904 | while icmp_msgs_burst controls the burst size of these packets. | |
905 | Default: 50 | |
906 | ||
1da177e4 LT |
907 | icmp_ratemask - INTEGER |
908 | Mask made of ICMP types for which rates are being limited. | |
909 | Significant bits: IHGFEDCBA9876543210 | |
910 | Default mask: 0000001100000011000 (6168) | |
911 | ||
912 | Bit definitions (see include/linux/icmp.h): | |
913 | 0 Echo Reply | |
914 | 3 Destination Unreachable * | |
915 | 4 Source Quench * | |
916 | 5 Redirect | |
917 | 8 Echo Request | |
918 | B Time Exceeded * | |
919 | C Parameter Problem * | |
920 | D Timestamp Request | |
921 | E Timestamp Reply | |
922 | F Info Request | |
923 | G Info Reply | |
924 | H Address Mask Request | |
925 | I Address Mask Reply | |
926 | ||
927 | * These are rate limited by default (see default mask above) | |
928 | ||
929 | icmp_ignore_bogus_error_responses - BOOLEAN | |
930 | Some routers violate RFC1122 by sending bogus responses to broadcast | |
931 | frames. Such violations are normally logged via a kernel warning. | |
932 | If this is set to TRUE, the kernel will not give such warnings, which | |
933 | will avoid log file clutter. | |
e8b265e8 | 934 | Default: 1 |
1da177e4 | 935 | |
95f7daf1 H |
936 | icmp_errors_use_inbound_ifaddr - BOOLEAN |
937 | ||
02a6d613 PA |
938 | If zero, icmp error messages are sent with the primary address of |
939 | the exiting interface. | |
e18f5feb | 940 | |
95f7daf1 H |
941 | If non-zero, the message will be sent with the primary address of |
942 | the interface that received the packet that caused the icmp error. | |
943 | This is the behaviour network many administrators will expect from | |
944 | a router. And it can make debugging complicated network layouts | |
e18f5feb | 945 | much easier. |
95f7daf1 H |
946 | |
947 | Note that if no primary address exists for the interface selected, | |
948 | then the primary address of the first non-loopback interface that | |
d6bc8ac9 | 949 | has one will be used regardless of this setting. |
95f7daf1 H |
950 | |
951 | Default: 0 | |
952 | ||
1da177e4 LT |
953 | igmp_max_memberships - INTEGER |
954 | Change the maximum number of multicast groups we can subscribe to. | |
955 | Default: 20 | |
956 | ||
d67ef35f JE |
957 | Theoretical maximum value is bounded by having to send a membership |
958 | report in a single datagram (i.e. the report can't span multiple | |
959 | datagrams, or risk confusing the switch and leaving groups you don't | |
960 | intend to). | |
1da177e4 | 961 | |
d67ef35f JE |
962 | The number of supported groups 'M' is bounded by the number of group |
963 | report entries you can fit into a single datagram of 65535 bytes. | |
964 | ||
965 | M = 65536-sizeof (ip header)/(sizeof(Group record)) | |
966 | ||
967 | Group records are variable length, with a minimum of 12 bytes. | |
968 | So net.ipv4.igmp_max_memberships should not be set higher than: | |
969 | ||
970 | (65536-24) / 12 = 5459 | |
971 | ||
972 | The value 5459 assumes no IP header options, so in practice | |
973 | this number may be lower. | |
974 | ||
537377d3 BP |
975 | igmp_max_msf - INTEGER |
976 | Maximum number of addresses allowed in the source filter list for a | |
977 | multicast group. | |
978 | Default: 10 | |
979 | ||
a9fe8e29 | 980 | igmp_qrv - INTEGER |
537377d3 BP |
981 | Controls the IGMP query robustness variable (see RFC2236 8.1). |
982 | Default: 2 (as specified by RFC2236 8.1) | |
983 | Minimum: 1 (as specified by RFC6636 4.5) | |
a9fe8e29 | 984 | |
1af92836 HL |
985 | force_igmp_version - INTEGER |
986 | 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback | |
987 | allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier | |
988 | Present timer expires. | |
989 | 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if | |
990 | receive IGMPv2/v3 query. | |
991 | 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive | |
992 | IGMPv1 query message. Will reply report if receive IGMPv3 query. | |
993 | 3 - Enforce to use IGMP version 3. The same react with default 0. | |
994 | ||
995 | Note: this is not the same with force_mld_version because IGMPv3 RFC3376 | |
996 | Security Considerations does not have clear description that we could | |
997 | ignore other version messages completely as MLDv2 RFC3810. So make | |
998 | this value as default 0 is recommended. | |
999 | ||
6b226e2f BP |
1000 | conf/interface/* changes special settings per interface (where |
1001 | "interface" is the name of your network interface) | |
1002 | ||
1003 | conf/all/* is special, changes the settings for all interfaces | |
1004 | ||
1da177e4 LT |
1005 | log_martians - BOOLEAN |
1006 | Log packets with impossible addresses to kernel log. | |
1007 | log_martians for the interface will be enabled if at least one of | |
1008 | conf/{all,interface}/log_martians is set to TRUE, | |
1009 | it will be disabled otherwise | |
1010 | ||
1011 | accept_redirects - BOOLEAN | |
1012 | Accept ICMP redirect messages. | |
1013 | accept_redirects for the interface will be enabled if: | |
e18f5feb JDB |
1014 | - both conf/{all,interface}/accept_redirects are TRUE in the case |
1015 | forwarding for the interface is enabled | |
1da177e4 | 1016 | or |
e18f5feb JDB |
1017 | - at least one of conf/{all,interface}/accept_redirects is TRUE in the |
1018 | case forwarding for the interface is disabled | |
1da177e4 LT |
1019 | accept_redirects for the interface will be disabled otherwise |
1020 | default TRUE (host) | |
1021 | FALSE (router) | |
1022 | ||
1023 | forwarding - BOOLEAN | |
88a7cddc NJ |
1024 | Enable IP forwarding on this interface. This controls whether packets |
1025 | received _on_ this interface can be forwarded. | |
1da177e4 LT |
1026 | |
1027 | mc_forwarding - BOOLEAN | |
1028 | Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE | |
1029 | and a multicast routing daemon is required. | |
e18f5feb JDB |
1030 | conf/all/mc_forwarding must also be set to TRUE to enable multicast |
1031 | routing for the interface | |
1da177e4 LT |
1032 | |
1033 | medium_id - INTEGER | |
1034 | Integer value used to differentiate the devices by the medium they | |
1035 | are attached to. Two devices can have different id values when | |
1036 | the broadcast packets are received only on one of them. | |
1037 | The default value 0 means that the device is the only interface | |
1038 | to its medium, value of -1 means that medium is not known. | |
e18f5feb | 1039 | |
1da177e4 LT |
1040 | Currently, it is used to change the proxy_arp behavior: |
1041 | the proxy_arp feature is enabled for packets forwarded between | |
1042 | two devices attached to different media. | |
1043 | ||
1044 | proxy_arp - BOOLEAN | |
1045 | Do proxy arp. | |
1046 | proxy_arp for the interface will be enabled if at least one of | |
1047 | conf/{all,interface}/proxy_arp is set to TRUE, | |
1048 | it will be disabled otherwise | |
1049 | ||
65324144 JDB |
1050 | proxy_arp_pvlan - BOOLEAN |
1051 | Private VLAN proxy arp. | |
1052 | Basically allow proxy arp replies back to the same interface | |
1053 | (from which the ARP request/solicitation was received). | |
1054 | ||
1055 | This is done to support (ethernet) switch features, like RFC | |
1056 | 3069, where the individual ports are NOT allowed to | |
1057 | communicate with each other, but they are allowed to talk to | |
1058 | the upstream router. As described in RFC 3069, it is possible | |
1059 | to allow these hosts to communicate through the upstream | |
1060 | router by proxy_arp'ing. Don't need to be used together with | |
1061 | proxy_arp. | |
1062 | ||
1063 | This technology is known by different names: | |
1064 | In RFC 3069 it is called VLAN Aggregation. | |
1065 | Cisco and Allied Telesyn call it Private VLAN. | |
1066 | Hewlett-Packard call it Source-Port filtering or port-isolation. | |
1067 | Ericsson call it MAC-Forced Forwarding (RFC Draft). | |
1068 | ||
1da177e4 LT |
1069 | shared_media - BOOLEAN |
1070 | Send(router) or accept(host) RFC1620 shared media redirects. | |
176b346b | 1071 | Overrides secure_redirects. |
1da177e4 LT |
1072 | shared_media for the interface will be enabled if at least one of |
1073 | conf/{all,interface}/shared_media is set to TRUE, | |
1074 | it will be disabled otherwise | |
1075 | default TRUE | |
1076 | ||
1077 | secure_redirects - BOOLEAN | |
176b346b EG |
1078 | Accept ICMP redirect messages only to gateways listed in the |
1079 | interface's current gateway list. Even if disabled, RFC1122 redirect | |
1080 | rules still apply. | |
1081 | Overridden by shared_media. | |
1da177e4 LT |
1082 | secure_redirects for the interface will be enabled if at least one of |
1083 | conf/{all,interface}/secure_redirects is set to TRUE, | |
1084 | it will be disabled otherwise | |
1085 | default TRUE | |
1086 | ||
1087 | send_redirects - BOOLEAN | |
1088 | Send redirects, if router. | |
1089 | send_redirects for the interface will be enabled if at least one of | |
1090 | conf/{all,interface}/send_redirects is set to TRUE, | |
1091 | it will be disabled otherwise | |
1092 | Default: TRUE | |
1093 | ||
1094 | bootp_relay - BOOLEAN | |
1095 | Accept packets with source address 0.b.c.d destined | |
1096 | not to this host as local ones. It is supposed, that | |
1097 | BOOTP relay daemon will catch and forward such packets. | |
1098 | conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay | |
1099 | for the interface | |
1100 | default FALSE | |
1101 | Not Implemented Yet. | |
1102 | ||
1103 | accept_source_route - BOOLEAN | |
1104 | Accept packets with SRR option. | |
1105 | conf/all/accept_source_route must also be set to TRUE to accept packets | |
1106 | with SRR option on the interface | |
1107 | default TRUE (router) | |
1108 | FALSE (host) | |
1109 | ||
8153a10c | 1110 | accept_local - BOOLEAN |
72b126a4 SB |
1111 | Accept packets with local source addresses. In combination with |
1112 | suitable routing, this can be used to direct packets between two | |
1113 | local interfaces over the wire and have them accepted properly. | |
8153a10c PM |
1114 | default FALSE |
1115 | ||
d0daebc3 TG |
1116 | route_localnet - BOOLEAN |
1117 | Do not consider loopback addresses as martian source or destination | |
1118 | while routing. This enables the use of 127/8 for local routing purposes. | |
1119 | default FALSE | |
1120 | ||
c1cf8422 | 1121 | rp_filter - INTEGER |
1da177e4 | 1122 | 0 - No source validation. |
c1cf8422 SH |
1123 | 1 - Strict mode as defined in RFC3704 Strict Reverse Path |
1124 | Each incoming packet is tested against the FIB and if the interface | |
1125 | is not the best reverse path the packet check will fail. | |
1126 | By default failed packets are discarded. | |
1127 | 2 - Loose mode as defined in RFC3704 Loose Reverse Path | |
1128 | Each incoming packet's source address is also tested against the FIB | |
1129 | and if the source address is not reachable via any interface | |
1130 | the packet check will fail. | |
1131 | ||
e18f5feb | 1132 | Current recommended practice in RFC3704 is to enable strict mode |
bf869c30 | 1133 | to prevent IP spoofing from DDos attacks. If using asymmetric routing |
e18f5feb | 1134 | or other complicated routing, then loose mode is recommended. |
c1cf8422 | 1135 | |
1f5865e7 SW |
1136 | The max value from conf/{all,interface}/rp_filter is used |
1137 | when doing source validation on the {interface}. | |
1da177e4 LT |
1138 | |
1139 | Default value is 0. Note that some distributions enable it | |
1140 | in startup scripts. | |
1141 | ||
1142 | arp_filter - BOOLEAN | |
1143 | 1 - Allows you to have multiple network interfaces on the same | |
1144 | subnet, and have the ARPs for each interface be answered | |
1145 | based on whether or not the kernel would route a packet from | |
1146 | the ARP'd IP out that interface (therefore you must use source | |
1147 | based routing for this to work). In other words it allows control | |
1148 | of which cards (usually 1) will respond to an arp request. | |
1149 | ||
1150 | 0 - (default) The kernel can respond to arp requests with addresses | |
1151 | from other interfaces. This may seem wrong but it usually makes | |
1152 | sense, because it increases the chance of successful communication. | |
1153 | IP addresses are owned by the complete host on Linux, not by | |
1154 | particular interfaces. Only for more complex setups like load- | |
1155 | balancing, does this behaviour cause problems. | |
1156 | ||
1157 | arp_filter for the interface will be enabled if at least one of | |
1158 | conf/{all,interface}/arp_filter is set to TRUE, | |
1159 | it will be disabled otherwise | |
1160 | ||
1161 | arp_announce - INTEGER | |
1162 | Define different restriction levels for announcing the local | |
1163 | source IP address from IP packets in ARP requests sent on | |
1164 | interface: | |
1165 | 0 - (default) Use any local address, configured on any interface | |
1166 | 1 - Try to avoid local addresses that are not in the target's | |
1167 | subnet for this interface. This mode is useful when target | |
1168 | hosts reachable via this interface require the source IP | |
1169 | address in ARP requests to be part of their logical network | |
1170 | configured on the receiving interface. When we generate the | |
1171 | request we will check all our subnets that include the | |
1172 | target IP and will preserve the source address if it is from | |
1173 | such subnet. If there is no such subnet we select source | |
1174 | address according to the rules for level 2. | |
1175 | 2 - Always use the best local address for this target. | |
1176 | In this mode we ignore the source address in the IP packet | |
1177 | and try to select local address that we prefer for talks with | |
1178 | the target host. Such local address is selected by looking | |
1179 | for primary IP addresses on all our subnets on the outgoing | |
1180 | interface that include the target IP address. If no suitable | |
1181 | local address is found we select the first local address | |
1182 | we have on the outgoing interface or on all other interfaces, | |
1183 | with the hope we will receive reply for our request and | |
1184 | even sometimes no matter the source IP address we announce. | |
1185 | ||
1186 | The max value from conf/{all,interface}/arp_announce is used. | |
1187 | ||
1188 | Increasing the restriction level gives more chance for | |
1189 | receiving answer from the resolved target while decreasing | |
1190 | the level announces more valid sender's information. | |
1191 | ||
1192 | arp_ignore - INTEGER | |
1193 | Define different modes for sending replies in response to | |
1194 | received ARP requests that resolve local target IP addresses: | |
1195 | 0 - (default): reply for any local target IP address, configured | |
1196 | on any interface | |
1197 | 1 - reply only if the target IP address is local address | |
1198 | configured on the incoming interface | |
1199 | 2 - reply only if the target IP address is local address | |
1200 | configured on the incoming interface and both with the | |
1201 | sender's IP address are part from same subnet on this interface | |
1202 | 3 - do not reply for local addresses configured with scope host, | |
1203 | only resolutions for global and link addresses are replied | |
1204 | 4-7 - reserved | |
1205 | 8 - do not reply for all local addresses | |
1206 | ||
1207 | The max value from conf/{all,interface}/arp_ignore is used | |
1208 | when ARP request is received on the {interface} | |
1209 | ||
eefef1cf SH |
1210 | arp_notify - BOOLEAN |
1211 | Define mode for notification of address and device changes. | |
1212 | 0 - (default): do nothing | |
3f8dc236 | 1213 | 1 - Generate gratuitous arp requests when device is brought up |
eefef1cf SH |
1214 | or hardware address changes. |
1215 | ||
c1b1bce8 | 1216 | arp_accept - BOOLEAN |
6d955180 OP |
1217 | Define behavior for gratuitous ARP frames who's IP is not |
1218 | already present in the ARP table: | |
1219 | 0 - don't create new entries in the ARP table | |
1220 | 1 - create new entries in the ARP table | |
1221 | ||
1222 | Both replies and requests type gratuitous arp will trigger the | |
1223 | ARP table to be updated, if this setting is on. | |
1224 | ||
1225 | If the ARP table already contains the IP address of the | |
1226 | gratuitous arp frame, the arp table will be updated regardless | |
1227 | if this setting is on or off. | |
1228 | ||
89c69d3c YH |
1229 | mcast_solicit - INTEGER |
1230 | The maximum number of multicast probes in INCOMPLETE state, | |
1231 | when the associated hardware address is unknown. Defaults | |
1232 | to 3. | |
1233 | ||
1234 | ucast_solicit - INTEGER | |
1235 | The maximum number of unicast probes in PROBE state, when | |
1236 | the hardware address is being reconfirmed. Defaults to 3. | |
c1b1bce8 | 1237 | |
1da177e4 LT |
1238 | app_solicit - INTEGER |
1239 | The maximum number of probes to send to the user space ARP daemon | |
1240 | via netlink before dropping back to multicast probes (see | |
89c69d3c YH |
1241 | mcast_resolicit). Defaults to 0. |
1242 | ||
1243 | mcast_resolicit - INTEGER | |
1244 | The maximum number of multicast probes after unicast and | |
1245 | app probes in PROBE state. Defaults to 0. | |
1da177e4 LT |
1246 | |
1247 | disable_policy - BOOLEAN | |
1248 | Disable IPSEC policy (SPD) for this interface | |
1249 | ||
1250 | disable_xfrm - BOOLEAN | |
1251 | Disable IPSEC encryption on this interface, whatever the policy | |
1252 | ||
fc4eba58 HFS |
1253 | igmpv2_unsolicited_report_interval - INTEGER |
1254 | The interval in milliseconds in which the next unsolicited | |
1255 | IGMPv1 or IGMPv2 report retransmit will take place. | |
1256 | Default: 10000 (10 seconds) | |
1da177e4 | 1257 | |
fc4eba58 HFS |
1258 | igmpv3_unsolicited_report_interval - INTEGER |
1259 | The interval in milliseconds in which the next unsolicited | |
1260 | IGMPv3 report retransmit will take place. | |
1261 | Default: 1000 (1 seconds) | |
1da177e4 | 1262 | |
d922e1cb MS |
1263 | promote_secondaries - BOOLEAN |
1264 | When a primary IP address is removed from this interface | |
1265 | promote a corresponding secondary IP address instead of | |
1266 | removing all the corresponding secondary IP addresses. | |
1267 | ||
12b74dfa JB |
1268 | drop_unicast_in_l2_multicast - BOOLEAN |
1269 | Drop any unicast IP packets that are received in link-layer | |
1270 | multicast (or broadcast) frames. | |
1271 | This behavior (for multicast) is actually a SHOULD in RFC | |
1272 | 1122, but is disabled by default for compatibility reasons. | |
1273 | Default: off (0) | |
1274 | ||
97daf331 JB |
1275 | drop_gratuitous_arp - BOOLEAN |
1276 | Drop all gratuitous ARP frames, for example if there's a known | |
1277 | good ARP proxy on the network and such frames need not be used | |
1278 | (or in the case of 802.11, must not be used to prevent attacks.) | |
1279 | Default: off (0) | |
1280 | ||
d922e1cb | 1281 | |
1da177e4 LT |
1282 | tag - INTEGER |
1283 | Allows you to write a number, which can be used as required. | |
1284 | Default value is 0. | |
1285 | ||
e69948a0 AD |
1286 | xfrm4_gc_thresh - INTEGER |
1287 | The threshold at which we will start garbage collecting for IPv4 | |
1288 | destination cache entries. At twice this value the system will | |
3c2a89dd | 1289 | refuse new allocations. |
e69948a0 | 1290 | |
87583ebb PD |
1291 | igmp_link_local_mcast_reports - BOOLEAN |
1292 | Enable IGMP reports for link local multicast groups in the | |
1293 | 224.0.0.X range. | |
1294 | Default TRUE | |
1295 | ||
1da177e4 LT |
1296 | Alexey Kuznetsov. |
1297 | kuznet@ms2.inr.ac.ru | |
1298 | ||
1299 | Updated by: | |
1300 | Andi Kleen | |
1301 | ak@muc.de | |
1302 | Nicolas Delon | |
1303 | delon.nicolas@wanadoo.fr | |
1304 | ||
1305 | ||
1306 | ||
1307 | ||
1308 | /proc/sys/net/ipv6/* Variables: | |
1309 | ||
1310 | IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also | |
1311 | apply to IPv6 [XXX?]. | |
1312 | ||
1313 | bindv6only - BOOLEAN | |
1314 | Default value for IPV6_V6ONLY socket option, | |
e18f5feb | 1315 | which restricts use of the IPv6 socket to IPv6 communication |
1da177e4 LT |
1316 | only. |
1317 | TRUE: disable IPv4-mapped address feature | |
1318 | FALSE: enable IPv4-mapped address feature | |
1319 | ||
d5c073ca | 1320 | Default: FALSE (as specified in RFC3493) |
1da177e4 | 1321 | |
6444f72b FF |
1322 | flowlabel_consistency - BOOLEAN |
1323 | Protect the consistency (and unicity) of flow label. | |
1324 | You have to disable it to use IPV6_FL_F_REFLECT flag on the | |
1325 | flow label manager. | |
1326 | TRUE: enabled | |
1327 | FALSE: disabled | |
1328 | Default: TRUE | |
1329 | ||
42240901 TH |
1330 | auto_flowlabels - INTEGER |
1331 | Automatically generate flow labels based on a flow hash of the | |
1332 | packet. This allows intermediate devices, such as routers, to | |
1333 | identify packet flows for mechanisms like Equal Cost Multipath | |
cb1ce2ef | 1334 | Routing (see RFC 6438). |
42240901 TH |
1335 | 0: automatic flow labels are completely disabled |
1336 | 1: automatic flow labels are enabled by default, they can be | |
1337 | disabled on a per socket basis using the IPV6_AUTOFLOWLABEL | |
1338 | socket option | |
1339 | 2: automatic flow labels are allowed, they may be enabled on a | |
1340 | per socket basis using the IPV6_AUTOFLOWLABEL socket option | |
1341 | 3: automatic flow labels are enabled and enforced, they cannot | |
1342 | be disabled by the socket option | |
b5677416 | 1343 | Default: 1 |
cb1ce2ef | 1344 | |
82a584b7 TH |
1345 | flowlabel_state_ranges - BOOLEAN |
1346 | Split the flow label number space into two ranges. 0-0x7FFFF is | |
1347 | reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF | |
1348 | is reserved for stateless flow labels as described in RFC6437. | |
1349 | TRUE: enabled | |
1350 | FALSE: disabled | |
1351 | Default: true | |
1352 | ||
22b6722b JS |
1353 | flowlabel_reflect - BOOLEAN |
1354 | Automatically reflect the flow label. Needed for Path MTU | |
1355 | Discovery to work with Equal Cost Multipath Routing in anycast | |
1356 | environments. See RFC 7690 and: | |
1357 | https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01 | |
1358 | TRUE: enabled | |
1359 | FALSE: disabled | |
1360 | Default: FALSE | |
1361 | ||
509aba3b FLB |
1362 | anycast_src_echo_reply - BOOLEAN |
1363 | Controls the use of anycast addresses as source addresses for ICMPv6 | |
1364 | echo reply | |
1365 | TRUE: enabled | |
1366 | FALSE: disabled | |
1367 | Default: FALSE | |
1368 | ||
9f0761c1 HFS |
1369 | idgen_delay - INTEGER |
1370 | Controls the delay in seconds after which time to retry | |
1371 | privacy stable address generation if a DAD conflict is | |
1372 | detected. | |
1373 | Default: 1 (as specified in RFC7217) | |
1374 | ||
1375 | idgen_retries - INTEGER | |
1376 | Controls the number of retries to generate a stable privacy | |
1377 | address if a DAD conflict is detected. | |
1378 | Default: 3 (as specified in RFC7217) | |
1379 | ||
2f711939 HFS |
1380 | mld_qrv - INTEGER |
1381 | Controls the MLD query robustness variable (see RFC3810 9.1). | |
1382 | Default: 2 (as specified by RFC3810 9.1) | |
1383 | Minimum: 1 (as specified by RFC6636 4.5) | |
1384 | ||
1da177e4 LT |
1385 | IPv6 Fragmentation: |
1386 | ||
1387 | ip6frag_high_thresh - INTEGER | |
e18f5feb | 1388 | Maximum memory used to reassemble IPv6 fragments. When |
1da177e4 LT |
1389 | ip6frag_high_thresh bytes of memory is allocated for this purpose, |
1390 | the fragment handler will toss packets until ip6frag_low_thresh | |
1391 | is reached. | |
e18f5feb | 1392 | |
1da177e4 | 1393 | ip6frag_low_thresh - INTEGER |
e18f5feb | 1394 | See ip6frag_high_thresh |
1da177e4 LT |
1395 | |
1396 | ip6frag_time - INTEGER | |
1397 | Time in seconds to keep an IPv6 fragment in memory. | |
1398 | ||
1da177e4 LT |
1399 | conf/default/*: |
1400 | Change the interface-specific default settings. | |
1401 | ||
1402 | ||
1403 | conf/all/*: | |
e18f5feb | 1404 | Change all the interface-specific settings. |
1da177e4 LT |
1405 | |
1406 | [XXX: Other special features than forwarding?] | |
1407 | ||
1408 | conf/all/forwarding - BOOLEAN | |
e18f5feb | 1409 | Enable global IPv6 forwarding between all interfaces. |
1da177e4 | 1410 | |
e18f5feb | 1411 | IPv4 and IPv6 work differently here; e.g. netfilter must be used |
1da177e4 LT |
1412 | to control which interfaces may forward packets and which not. |
1413 | ||
e18f5feb | 1414 | This also sets all interfaces' Host/Router setting |
1da177e4 LT |
1415 | 'forwarding' to the specified value. See below for details. |
1416 | ||
1417 | This referred to as global forwarding. | |
1418 | ||
fbea49e1 YH |
1419 | proxy_ndp - BOOLEAN |
1420 | Do proxy ndp. | |
1421 | ||
219b5f29 LV |
1422 | fwmark_reflect - BOOLEAN |
1423 | Controls the fwmark of kernel-generated IPv6 reply packets that are not | |
1424 | associated with a socket for example, TCP RSTs or ICMPv6 echo replies). | |
1425 | If unset, these packets have a fwmark of zero. If set, they have the | |
1426 | fwmark of the packet they are replying to. | |
1427 | Default: 0 | |
1428 | ||
1da177e4 LT |
1429 | conf/interface/*: |
1430 | Change special settings per interface. | |
1431 | ||
e18f5feb | 1432 | The functional behaviour for certain settings is different |
1da177e4 LT |
1433 | depending on whether local forwarding is enabled or not. |
1434 | ||
605b91c8 | 1435 | accept_ra - INTEGER |
1da177e4 | 1436 | Accept Router Advertisements; autoconfigure using them. |
e18f5feb | 1437 | |
026359bc TA |
1438 | It also determines whether or not to transmit Router |
1439 | Solicitations. If and only if the functional setting is to | |
1440 | accept Router Advertisements, Router Solicitations will be | |
1441 | transmitted. | |
1442 | ||
ae8abfa0 TG |
1443 | Possible values are: |
1444 | 0 Do not accept Router Advertisements. | |
1445 | 1 Accept Router Advertisements if forwarding is disabled. | |
1446 | 2 Overrule forwarding behaviour. Accept Router Advertisements | |
1447 | even if forwarding is enabled. | |
1448 | ||
1da177e4 LT |
1449 | Functional default: enabled if local forwarding is disabled. |
1450 | disabled if local forwarding is enabled. | |
1451 | ||
65f5c7c1 YH |
1452 | accept_ra_defrtr - BOOLEAN |
1453 | Learn default router in Router Advertisement. | |
1454 | ||
1455 | Functional default: enabled if accept_ra is enabled. | |
1456 | disabled if accept_ra is disabled. | |
1457 | ||
d9333196 BG |
1458 | accept_ra_from_local - BOOLEAN |
1459 | Accept RA with source-address that is found on local machine | |
1460 | if the RA is otherwise proper and able to be accepted. | |
1461 | Default is to NOT accept these as it may be an un-intended | |
1462 | network loop. | |
1463 | ||
1464 | Functional default: | |
1465 | enabled if accept_ra_from_local is enabled | |
1466 | on a specific interface. | |
1467 | disabled if accept_ra_from_local is disabled | |
1468 | on a specific interface. | |
1469 | ||
8013d1d7 HL |
1470 | accept_ra_min_hop_limit - INTEGER |
1471 | Minimum hop limit Information in Router Advertisement. | |
1472 | ||
1473 | Hop limit Information in Router Advertisement less than this | |
1474 | variable shall be ignored. | |
1475 | ||
1476 | Default: 1 | |
1477 | ||
c4fd30eb | 1478 | accept_ra_pinfo - BOOLEAN |
2fe0ae78 | 1479 | Learn Prefix Information in Router Advertisement. |
c4fd30eb YH |
1480 | |
1481 | Functional default: enabled if accept_ra is enabled. | |
1482 | disabled if accept_ra is disabled. | |
1483 | ||
bbea124b JS |
1484 | accept_ra_rt_info_min_plen - INTEGER |
1485 | Minimum prefix length of Route Information in RA. | |
1486 | ||
1487 | Route Information w/ prefix smaller than this variable shall | |
1488 | be ignored. | |
1489 | ||
1490 | Functional default: 0 if accept_ra_rtr_pref is enabled. | |
1491 | -1 if accept_ra_rtr_pref is disabled. | |
1492 | ||
09c884d4 YH |
1493 | accept_ra_rt_info_max_plen - INTEGER |
1494 | Maximum prefix length of Route Information in RA. | |
1495 | ||
bbea124b JS |
1496 | Route Information w/ prefix larger than this variable shall |
1497 | be ignored. | |
09c884d4 YH |
1498 | |
1499 | Functional default: 0 if accept_ra_rtr_pref is enabled. | |
1500 | -1 if accept_ra_rtr_pref is disabled. | |
1501 | ||
930d6ff2 YH |
1502 | accept_ra_rtr_pref - BOOLEAN |
1503 | Accept Router Preference in RA. | |
1504 | ||
1505 | Functional default: enabled if accept_ra is enabled. | |
1506 | disabled if accept_ra is disabled. | |
1507 | ||
c2943f14 HH |
1508 | accept_ra_mtu - BOOLEAN |
1509 | Apply the MTU value specified in RA option 5 (RFC4861). If | |
1510 | disabled, the MTU specified in the RA will be ignored. | |
1511 | ||
1512 | Functional default: enabled if accept_ra is enabled. | |
1513 | disabled if accept_ra is disabled. | |
1514 | ||
1da177e4 LT |
1515 | accept_redirects - BOOLEAN |
1516 | Accept Redirects. | |
1517 | ||
1518 | Functional default: enabled if local forwarding is disabled. | |
1519 | disabled if local forwarding is enabled. | |
1520 | ||
0bcbc926 YH |
1521 | accept_source_route - INTEGER |
1522 | Accept source routing (routing extension header). | |
1523 | ||
bb4dbf9e | 1524 | >= 0: Accept only routing header type 2. |
0bcbc926 YH |
1525 | < 0: Do not accept routing header. |
1526 | ||
1527 | Default: 0 | |
1528 | ||
1da177e4 | 1529 | autoconf - BOOLEAN |
e18f5feb | 1530 | Autoconfigure addresses using Prefix Information in Router |
1da177e4 LT |
1531 | Advertisements. |
1532 | ||
c4fd30eb YH |
1533 | Functional default: enabled if accept_ra_pinfo is enabled. |
1534 | disabled if accept_ra_pinfo is disabled. | |
1da177e4 LT |
1535 | |
1536 | dad_transmits - INTEGER | |
1537 | The amount of Duplicate Address Detection probes to send. | |
1538 | Default: 1 | |
e18f5feb | 1539 | |
605b91c8 | 1540 | forwarding - INTEGER |
e18f5feb | 1541 | Configure interface-specific Host/Router behaviour. |
1da177e4 | 1542 | |
e18f5feb | 1543 | Note: It is recommended to have the same setting on all |
1da177e4 LT |
1544 | interfaces; mixed router/host scenarios are rather uncommon. |
1545 | ||
ae8abfa0 TG |
1546 | Possible values are: |
1547 | 0 Forwarding disabled | |
1548 | 1 Forwarding enabled | |
ae8abfa0 TG |
1549 | |
1550 | FALSE (0): | |
1da177e4 LT |
1551 | |
1552 | By default, Host behaviour is assumed. This means: | |
1553 | ||
1554 | 1. IsRouter flag is not set in Neighbour Advertisements. | |
026359bc TA |
1555 | 2. If accept_ra is TRUE (default), transmit Router |
1556 | Solicitations. | |
e18f5feb | 1557 | 3. If accept_ra is TRUE (default), accept Router |
1da177e4 LT |
1558 | Advertisements (and do autoconfiguration). |
1559 | 4. If accept_redirects is TRUE (default), accept Redirects. | |
1560 | ||
ae8abfa0 | 1561 | TRUE (1): |
1da177e4 | 1562 | |
e18f5feb | 1563 | If local forwarding is enabled, Router behaviour is assumed. |
1da177e4 LT |
1564 | This means exactly the reverse from the above: |
1565 | ||
1566 | 1. IsRouter flag is set in Neighbour Advertisements. | |
026359bc | 1567 | 2. Router Solicitations are not sent unless accept_ra is 2. |
ae8abfa0 | 1568 | 3. Router Advertisements are ignored unless accept_ra is 2. |
1da177e4 LT |
1569 | 4. Redirects are ignored. |
1570 | ||
ae8abfa0 TG |
1571 | Default: 0 (disabled) if global forwarding is disabled (default), |
1572 | otherwise 1 (enabled). | |
1da177e4 LT |
1573 | |
1574 | hop_limit - INTEGER | |
1575 | Default Hop Limit to set. | |
1576 | Default: 64 | |
1577 | ||
1578 | mtu - INTEGER | |
1579 | Default Maximum Transfer Unit | |
1580 | Default: 1280 (IPv6 required minimum) | |
1581 | ||
35a256fe TH |
1582 | ip_nonlocal_bind - BOOLEAN |
1583 | If set, allows processes to bind() to non-local IPv6 addresses, | |
1584 | which can be quite useful - but may break some applications. | |
1585 | Default: 0 | |
1586 | ||
52e16356 YH |
1587 | router_probe_interval - INTEGER |
1588 | Minimum interval (in seconds) between Router Probing described | |
1589 | in RFC4191. | |
1590 | ||
1591 | Default: 60 | |
1592 | ||
1da177e4 LT |
1593 | router_solicitation_delay - INTEGER |
1594 | Number of seconds to wait after interface is brought up | |
1595 | before sending Router Solicitations. | |
1596 | Default: 1 | |
1597 | ||
1598 | router_solicitation_interval - INTEGER | |
1599 | Number of seconds to wait between Router Solicitations. | |
1600 | Default: 4 | |
1601 | ||
1602 | router_solicitations - INTEGER | |
e18f5feb | 1603 | Number of Router Solicitations to send until assuming no |
1da177e4 LT |
1604 | routers are present. |
1605 | Default: 3 | |
1606 | ||
3985e8a3 EK |
1607 | use_oif_addrs_only - BOOLEAN |
1608 | When enabled, the candidate source addresses for destinations | |
1609 | routed via this interface are restricted to the set of addresses | |
1610 | configured on this interface (vis. RFC 6724, section 4). | |
1611 | ||
1612 | Default: false | |
1613 | ||
1da177e4 LT |
1614 | use_tempaddr - INTEGER |
1615 | Preference for Privacy Extensions (RFC3041). | |
1616 | <= 0 : disable Privacy Extensions | |
1617 | == 1 : enable Privacy Extensions, but prefer public | |
1618 | addresses over temporary addresses. | |
1619 | > 1 : enable Privacy Extensions and prefer temporary | |
1620 | addresses over public addresses. | |
1621 | Default: 0 (for most devices) | |
1622 | -1 (for point-to-point devices and loopback devices) | |
1623 | ||
1624 | temp_valid_lft - INTEGER | |
1625 | valid lifetime (in seconds) for temporary addresses. | |
1626 | Default: 604800 (7 days) | |
1627 | ||
1628 | temp_prefered_lft - INTEGER | |
1629 | Preferred lifetime (in seconds) for temporary addresses. | |
1630 | Default: 86400 (1 day) | |
1631 | ||
f1705ec1 DA |
1632 | keep_addr_on_down - INTEGER |
1633 | Keep all IPv6 addresses on an interface down event. If set static | |
1634 | global addresses with no expiration time are not flushed. | |
1635 | >0 : enabled | |
1636 | 0 : system default | |
1637 | <0 : disabled | |
1638 | ||
1639 | Default: 0 (addresses are removed) | |
1640 | ||
1da177e4 LT |
1641 | max_desync_factor - INTEGER |
1642 | Maximum value for DESYNC_FACTOR, which is a random value | |
e18f5feb | 1643 | that ensures that clients don't synchronize with each |
1da177e4 LT |
1644 | other and generate new addresses at exactly the same time. |
1645 | value is in seconds. | |
1646 | Default: 600 | |
e18f5feb | 1647 | |
1da177e4 LT |
1648 | regen_max_retry - INTEGER |
1649 | Number of attempts before give up attempting to generate | |
1650 | valid temporary addresses. | |
1651 | Default: 5 | |
1652 | ||
1653 | max_addresses - INTEGER | |
e79dc484 BH |
1654 | Maximum number of autoconfigured addresses per interface. Setting |
1655 | to zero disables the limitation. It is not recommended to set this | |
1656 | value too large (or to zero) because it would be an easy way to | |
1657 | crash the kernel by allowing too many addresses to be created. | |
1da177e4 LT |
1658 | Default: 16 |
1659 | ||
778d80be | 1660 | disable_ipv6 - BOOLEAN |
9bdd8d40 BH |
1661 | Disable IPv6 operation. If accept_dad is set to 2, this value |
1662 | will be dynamically set to TRUE if DAD fails for the link-local | |
1663 | address. | |
778d80be YH |
1664 | Default: FALSE (enable IPv6 operation) |
1665 | ||
56d417b1 BH |
1666 | When this value is changed from 1 to 0 (IPv6 is being enabled), |
1667 | it will dynamically create a link-local address on the given | |
1668 | interface and start Duplicate Address Detection, if necessary. | |
1669 | ||
1670 | When this value is changed from 0 to 1 (IPv6 is being disabled), | |
1671 | it will dynamically delete all address on the given interface. | |
1672 | ||
1b34be74 YH |
1673 | accept_dad - INTEGER |
1674 | Whether to accept DAD (Duplicate Address Detection). | |
1675 | 0: Disable DAD | |
1676 | 1: Enable DAD (default) | |
1677 | 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate | |
1678 | link-local address has been found. | |
1679 | ||
f7734fdf OP |
1680 | force_tllao - BOOLEAN |
1681 | Enable sending the target link-layer address option even when | |
1682 | responding to a unicast neighbor solicitation. | |
1683 | Default: FALSE | |
1684 | ||
1685 | Quoting from RFC 2461, section 4.4, Target link-layer address: | |
1686 | ||
1687 | "The option MUST be included for multicast solicitations in order to | |
1688 | avoid infinite Neighbor Solicitation "recursion" when the peer node | |
1689 | does not have a cache entry to return a Neighbor Advertisements | |
1690 | message. When responding to unicast solicitations, the option can be | |
1691 | omitted since the sender of the solicitation has the correct link- | |
1692 | layer address; otherwise it would not have be able to send the unicast | |
1693 | solicitation in the first place. However, including the link-layer | |
1694 | address in this case adds little overhead and eliminates a potential | |
1695 | race condition where the sender deletes the cached link-layer address | |
1696 | prior to receiving a response to a previous solicitation." | |
1697 | ||
db2b620a HFS |
1698 | ndisc_notify - BOOLEAN |
1699 | Define mode for notification of address and device changes. | |
1700 | 0 - (default): do nothing | |
1701 | 1 - Generate unsolicited neighbour advertisements when device is brought | |
1702 | up or hardware address changes. | |
1703 | ||
fc4eba58 HFS |
1704 | mldv1_unsolicited_report_interval - INTEGER |
1705 | The interval in milliseconds in which the next unsolicited | |
1706 | MLDv1 report retransmit will take place. | |
1707 | Default: 10000 (10 seconds) | |
1708 | ||
1709 | mldv2_unsolicited_report_interval - INTEGER | |
1710 | The interval in milliseconds in which the next unsolicited | |
1711 | MLDv2 report retransmit will take place. | |
1712 | Default: 1000 (1 second) | |
1713 | ||
f2127810 DB |
1714 | force_mld_version - INTEGER |
1715 | 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed | |
1716 | 1 - Enforce to use MLD version 1 | |
1717 | 2 - Enforce to use MLD version 2 | |
1718 | ||
b800c3b9 HFS |
1719 | suppress_frag_ndisc - INTEGER |
1720 | Control RFC 6980 (Security Implications of IPv6 Fragmentation | |
1721 | with IPv6 Neighbor Discovery) behavior: | |
1722 | 1 - (default) discard fragmented neighbor discovery packets | |
1723 | 0 - allow fragmented neighbor discovery packets | |
1724 | ||
7fd2561e EK |
1725 | optimistic_dad - BOOLEAN |
1726 | Whether to perform Optimistic Duplicate Address Detection (RFC 4429). | |
1727 | 0: disabled (default) | |
1728 | 1: enabled | |
1729 | ||
1730 | use_optimistic - BOOLEAN | |
1731 | If enabled, do not classify optimistic addresses as deprecated during | |
1732 | source address selection. Preferred addresses will still be chosen | |
1733 | before optimistic addresses, subject to other ranking in the source | |
1734 | address selection algorithm. | |
1735 | 0: disabled (default) | |
1736 | 1: enabled | |
1737 | ||
9f0761c1 HFS |
1738 | stable_secret - IPv6 address |
1739 | This IPv6 address will be used as a secret to generate IPv6 | |
1740 | addresses for link-local addresses and autoconfigured | |
1741 | ones. All addresses generated after setting this secret will | |
1742 | be stable privacy ones by default. This can be changed via the | |
1743 | addrgenmode ip-link. conf/default/stable_secret is used as the | |
1744 | secret for the namespace, the interface specific ones can | |
1745 | overwrite that. Writes to conf/all/stable_secret are refused. | |
1746 | ||
1747 | It is recommended to generate this secret during installation | |
1748 | of a system and keep it stable after that. | |
1749 | ||
1750 | By default the stable secret is unset. | |
1751 | ||
abbc3043 JB |
1752 | drop_unicast_in_l2_multicast - BOOLEAN |
1753 | Drop any unicast IPv6 packets that are received in link-layer | |
1754 | multicast (or broadcast) frames. | |
1755 | ||
1756 | By default this is turned off. | |
1757 | ||
7a02bf89 JB |
1758 | drop_unsolicited_na - BOOLEAN |
1759 | Drop all unsolicited neighbor advertisements, for example if there's | |
1760 | a known good NA proxy on the network and such frames need not be used | |
1761 | (or in the case of 802.11, must not be used to prevent attacks.) | |
1762 | ||
1763 | By default this is turned off. | |
1764 | ||
adc176c5 EN |
1765 | enhanced_dad - BOOLEAN |
1766 | Include a nonce option in the IPv6 neighbor solicitation messages used for | |
1767 | duplicate address detection per RFC7527. A received DAD NS will only signal | |
1768 | a duplicate address if the nonce is different. This avoids any false | |
1769 | detection of duplicates due to loopback of the NS messages that we send. | |
1770 | The nonce option will be sent on an interface unless both of | |
1771 | conf/{all,interface}/enhanced_dad are set to FALSE. | |
1772 | Default: TRUE | |
1773 | ||
1da177e4 LT |
1774 | icmp/*: |
1775 | ratelimit - INTEGER | |
1776 | Limit the maximal rates for sending ICMPv6 packets. | |
6dbf4bca SH |
1777 | 0 to disable any limiting, |
1778 | otherwise the minimal space between responses in milliseconds. | |
1779 | Default: 1000 | |
1da177e4 | 1780 | |
e69948a0 AD |
1781 | xfrm6_gc_thresh - INTEGER |
1782 | The threshold at which we will start garbage collecting for IPv6 | |
1783 | destination cache entries. At twice this value the system will | |
3c2a89dd | 1784 | refuse new allocations. |
e69948a0 | 1785 | |
1da177e4 LT |
1786 | |
1787 | IPv6 Update by: | |
1788 | Pekka Savola <pekkas@netcore.fi> | |
1789 | YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> | |
1790 | ||
1791 | ||
1792 | /proc/sys/net/bridge/* Variables: | |
1793 | ||
1794 | bridge-nf-call-arptables - BOOLEAN | |
1795 | 1 : pass bridged ARP traffic to arptables' FORWARD chain. | |
1796 | 0 : disable this. | |
1797 | Default: 1 | |
1798 | ||
1799 | bridge-nf-call-iptables - BOOLEAN | |
1800 | 1 : pass bridged IPv4 traffic to iptables' chains. | |
1801 | 0 : disable this. | |
1802 | Default: 1 | |
1803 | ||
1804 | bridge-nf-call-ip6tables - BOOLEAN | |
1805 | 1 : pass bridged IPv6 traffic to ip6tables' chains. | |
1806 | 0 : disable this. | |
1807 | Default: 1 | |
1808 | ||
1809 | bridge-nf-filter-vlan-tagged - BOOLEAN | |
516299d2 MM |
1810 | 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. |
1811 | 0 : disable this. | |
4981682c | 1812 | Default: 0 |
516299d2 MM |
1813 | |
1814 | bridge-nf-filter-pppoe-tagged - BOOLEAN | |
1815 | 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. | |
1da177e4 | 1816 | 0 : disable this. |
4981682c | 1817 | Default: 0 |
1da177e4 | 1818 | |
4981682c PNA |
1819 | bridge-nf-pass-vlan-input-dev - BOOLEAN |
1820 | 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan | |
1821 | interface on the bridge and set the netfilter input device to the vlan. | |
1822 | This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT | |
1823 | target work with vlan-on-top-of-bridge interfaces. When no matching | |
1824 | vlan interface is found, or this switch is off, the input device is | |
1825 | set to the bridge interface. | |
1826 | 0: disable bridge netfilter vlan interface lookup. | |
1827 | Default: 0 | |
1da177e4 | 1828 | |
32e8d494 VY |
1829 | proc/sys/net/sctp/* Variables: |
1830 | ||
1831 | addip_enable - BOOLEAN | |
1832 | Enable or disable extension of Dynamic Address Reconfiguration | |
1833 | (ADD-IP) functionality specified in RFC5061. This extension provides | |
1834 | the ability to dynamically add and remove new addresses for the SCTP | |
1835 | associations. | |
1836 | ||
1837 | 1: Enable extension. | |
1838 | ||
1839 | 0: Disable extension. | |
1840 | ||
1841 | Default: 0 | |
1842 | ||
566178f8 ZY |
1843 | pf_enable - INTEGER |
1844 | Enable or disable pf (pf is short for potentially failed) state. A value | |
1845 | of pf_retrans > path_max_retrans also disables pf state. That is, one of | |
1846 | both pf_enable and pf_retrans > path_max_retrans can disable pf state. | |
1847 | Since pf_retrans and path_max_retrans can be changed by userspace | |
1848 | application, sometimes user expects to disable pf state by the value of | |
1849 | pf_retrans > path_max_retrans, but occasionally the value of pf_retrans | |
1850 | or path_max_retrans is changed by the user application, this pf state is | |
1851 | enabled. As such, it is necessary to add this to dynamically enable | |
1852 | and disable pf state. See: | |
1853 | https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for | |
1854 | details. | |
1855 | ||
1856 | 1: Enable pf. | |
1857 | ||
1858 | 0: Disable pf. | |
1859 | ||
1860 | Default: 1 | |
1861 | ||
32e8d494 VY |
1862 | addip_noauth_enable - BOOLEAN |
1863 | Dynamic Address Reconfiguration (ADD-IP) requires the use of | |
1864 | authentication to protect the operations of adding or removing new | |
1865 | addresses. This requirement is mandated so that unauthorized hosts | |
1866 | would not be able to hijack associations. However, older | |
1867 | implementations may not have implemented this requirement while | |
1868 | allowing the ADD-IP extension. For reasons of interoperability, | |
1869 | we provide this variable to control the enforcement of the | |
1870 | authentication requirement. | |
1871 | ||
1872 | 1: Allow ADD-IP extension to be used without authentication. This | |
1873 | should only be set in a closed environment for interoperability | |
1874 | with older implementations. | |
1875 | ||
1876 | 0: Enforce the authentication requirement | |
1877 | ||
1878 | Default: 0 | |
1879 | ||
1880 | auth_enable - BOOLEAN | |
1881 | Enable or disable Authenticated Chunks extension. This extension | |
1882 | provides the ability to send and receive authenticated chunks and is | |
1883 | required for secure operation of Dynamic Address Reconfiguration | |
1884 | (ADD-IP) extension. | |
1885 | ||
1886 | 1: Enable this extension. | |
1887 | 0: Disable this extension. | |
1888 | ||
1889 | Default: 0 | |
1890 | ||
1891 | prsctp_enable - BOOLEAN | |
1892 | Enable or disable the Partial Reliability extension (RFC3758) which | |
1893 | is used to notify peers that a given DATA should no longer be expected. | |
1894 | ||
1895 | 1: Enable extension | |
1896 | 0: Disable | |
1897 | ||
1898 | Default: 1 | |
1899 | ||
1900 | max_burst - INTEGER | |
1901 | The limit of the number of new packets that can be initially sent. It | |
1902 | controls how bursty the generated traffic can be. | |
1903 | ||
1904 | Default: 4 | |
1905 | ||
1906 | association_max_retrans - INTEGER | |
1907 | Set the maximum number for retransmissions that an association can | |
1908 | attempt deciding that the remote end is unreachable. If this value | |
1909 | is exceeded, the association is terminated. | |
1910 | ||
1911 | Default: 10 | |
1912 | ||
1913 | max_init_retransmits - INTEGER | |
1914 | The maximum number of retransmissions of INIT and COOKIE-ECHO chunks | |
1915 | that an association will attempt before declaring the destination | |
1916 | unreachable and terminating. | |
1917 | ||
1918 | Default: 8 | |
1919 | ||
1920 | path_max_retrans - INTEGER | |
1921 | The maximum number of retransmissions that will be attempted on a given | |
1922 | path. Once this threshold is exceeded, the path is considered | |
1923 | unreachable, and new traffic will use a different path when the | |
1924 | association is multihomed. | |
1925 | ||
1926 | Default: 5 | |
1927 | ||
5aa93bcf NH |
1928 | pf_retrans - INTEGER |
1929 | The number of retransmissions that will be attempted on a given path | |
1930 | before traffic is redirected to an alternate transport (should one | |
1931 | exist). Note this is distinct from path_max_retrans, as a path that | |
1932 | passes the pf_retrans threshold can still be used. Its only | |
1933 | deprioritized when a transmission path is selected by the stack. This | |
1934 | setting is primarily used to enable fast failover mechanisms without | |
1935 | having to reduce path_max_retrans to a very low value. See: | |
1936 | http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt | |
1937 | for details. Note also that a value of pf_retrans > path_max_retrans | |
566178f8 ZY |
1938 | disables this feature. Since both pf_retrans and path_max_retrans can |
1939 | be changed by userspace application, a variable pf_enable is used to | |
1940 | disable pf state. | |
5aa93bcf NH |
1941 | |
1942 | Default: 0 | |
1943 | ||
32e8d494 VY |
1944 | rto_initial - INTEGER |
1945 | The initial round trip timeout value in milliseconds that will be used | |
1946 | in calculating round trip times. This is the initial time interval | |
1947 | for retransmissions. | |
1948 | ||
1949 | Default: 3000 | |
1da177e4 | 1950 | |
32e8d494 VY |
1951 | rto_max - INTEGER |
1952 | The maximum value (in milliseconds) of the round trip timeout. This | |
1953 | is the largest time interval that can elapse between retransmissions. | |
1954 | ||
1955 | Default: 60000 | |
1956 | ||
1957 | rto_min - INTEGER | |
1958 | The minimum value (in milliseconds) of the round trip timeout. This | |
1959 | is the smallest time interval the can elapse between retransmissions. | |
1960 | ||
1961 | Default: 1000 | |
1962 | ||
1963 | hb_interval - INTEGER | |
1964 | The interval (in milliseconds) between HEARTBEAT chunks. These chunks | |
1965 | are sent at the specified interval on idle paths to probe the state of | |
1966 | a given path between 2 associations. | |
1967 | ||
1968 | Default: 30000 | |
1969 | ||
1970 | sack_timeout - INTEGER | |
1971 | The amount of time (in milliseconds) that the implementation will wait | |
1972 | to send a SACK. | |
1973 | ||
1974 | Default: 200 | |
1975 | ||
1976 | valid_cookie_life - INTEGER | |
1977 | The default lifetime of the SCTP cookie (in milliseconds). The cookie | |
1978 | is used during association establishment. | |
1979 | ||
1980 | Default: 60000 | |
1981 | ||
1982 | cookie_preserve_enable - BOOLEAN | |
1983 | Enable or disable the ability to extend the lifetime of the SCTP cookie | |
1984 | that is used during the establishment phase of SCTP association | |
1985 | ||
1986 | 1: Enable cookie lifetime extension. | |
1987 | 0: Disable | |
1988 | ||
1989 | Default: 1 | |
1990 | ||
3c68198e NH |
1991 | cookie_hmac_alg - STRING |
1992 | Select the hmac algorithm used when generating the cookie value sent by | |
1993 | a listening sctp socket to a connecting client in the INIT-ACK chunk. | |
1994 | Valid values are: | |
1995 | * md5 | |
1996 | * sha1 | |
1997 | * none | |
1998 | Ability to assign md5 or sha1 as the selected alg is predicated on the | |
3b09adcb | 1999 | configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and |
3c68198e NH |
2000 | CONFIG_CRYPTO_SHA1). |
2001 | ||
2002 | Default: Dependent on configuration. MD5 if available, else SHA1 if | |
2003 | available, else none. | |
2004 | ||
32e8d494 VY |
2005 | rcvbuf_policy - INTEGER |
2006 | Determines if the receive buffer is attributed to the socket or to | |
2007 | association. SCTP supports the capability to create multiple | |
2008 | associations on a single socket. When using this capability, it is | |
2009 | possible that a single stalled association that's buffering a lot | |
2010 | of data may block other associations from delivering their data by | |
2011 | consuming all of the receive buffer space. To work around this, | |
2012 | the rcvbuf_policy could be set to attribute the receiver buffer space | |
2013 | to each association instead of the socket. This prevents the described | |
2014 | blocking. | |
2015 | ||
2016 | 1: rcvbuf space is per association | |
3b09adcb | 2017 | 0: rcvbuf space is per socket |
32e8d494 VY |
2018 | |
2019 | Default: 0 | |
2020 | ||
2021 | sndbuf_policy - INTEGER | |
2022 | Similar to rcvbuf_policy above, this applies to send buffer space. | |
2023 | ||
2024 | 1: Send buffer is tracked per association | |
2025 | 0: Send buffer is tracked per socket. | |
2026 | ||
2027 | Default: 0 | |
2028 | ||
2029 | sctp_mem - vector of 3 INTEGERs: min, pressure, max | |
2030 | Number of pages allowed for queueing by all SCTP sockets. | |
2031 | ||
2032 | min: Below this number of pages SCTP is not bothered about its | |
2033 | memory appetite. When amount of memory allocated by SCTP exceeds | |
2034 | this number, SCTP starts to moderate memory usage. | |
2035 | ||
2036 | pressure: This value was introduced to follow format of tcp_mem. | |
2037 | ||
2038 | max: Number of pages allowed for queueing by all SCTP sockets. | |
2039 | ||
2040 | Default is calculated at boot time from amount of available memory. | |
2041 | ||
2042 | sctp_rmem - vector of 3 INTEGERs: min, default, max | |
a6e1204b MM |
2043 | Only the first value ("min") is used, "default" and "max" are |
2044 | ignored. | |
2045 | ||
2046 | min: Minimal size of receive buffer used by SCTP socket. | |
2047 | It is guaranteed to each SCTP socket (but not association) even | |
2048 | under moderate memory pressure. | |
2049 | ||
2050 | Default: 1 page | |
32e8d494 VY |
2051 | |
2052 | sctp_wmem - vector of 3 INTEGERs: min, default, max | |
a6e1204b | 2053 | Currently this tunable has no effect. |
32e8d494 | 2054 | |
72388433 BD |
2055 | addr_scope_policy - INTEGER |
2056 | Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 | |
2057 | ||
2058 | 0 - Disable IPv4 address scoping | |
2059 | 1 - Enable IPv4 address scoping | |
2060 | 2 - Follow draft but allow IPv4 private addresses | |
2061 | 3 - Follow draft but allow IPv4 link local addresses | |
2062 | ||
2063 | Default: 1 | |
2064 | ||
1da177e4 | 2065 | |
4edc2f34 | 2066 | /proc/sys/net/core/* |
c60f6aa8 | 2067 | Please see: Documentation/sysctl/net.txt for descriptions of these entries. |
705efc3b | 2068 | |
4edc2f34 SH |
2069 | |
2070 | /proc/sys/net/unix/* | |
705efc3b WT |
2071 | max_dgram_qlen - INTEGER |
2072 | The maximum length of dgram socket receive queue | |
2073 | ||
2074 | Default: 10 | |
2075 | ||
2076 | ||
2077 | UNDOCUMENTED: | |
4edc2f34 SH |
2078 | |
2079 | /proc/sys/net/irda/* | |
2080 | fast_poll_increase FIXME | |
2081 | warn_noreply_time FIXME | |
2082 | discovery_slots FIXME | |
2083 | slot_timeout FIXME | |
2084 | max_baud_rate FIXME | |
2085 | discovery_timeout FIXME | |
2086 | lap_keepalive_time FIXME | |
2087 | max_noreply_time FIXME | |
2088 | max_tx_data_size FIXME | |
2089 | max_tx_window FIXME | |
2090 | min_tx_turn_time FIXME |