projects / linux-2.6-block.git / blame
| Commit | Line | Data |
|---|---|---|
| 1da177e4 LT |
1 | /proc/sys/net/ipv4/* Variables: |
| 2 | ||
| 3 | ip_forward - BOOLEAN | |
| 4 | 0 - disabled (default) | |
| e18f5feb | 5 | not 0 - enabled |
| 1da177e4 LT |
6 | |
| 7 | Forward Packets between interfaces. | |
| 8 | ||
| 9 | This variable is special, its change resets all configuration | |
| 10 | parameters to their default state (RFC1122 for hosts, RFC1812 | |
| 11 | for routers) | |
| 12 | ||
| 13 | ip_default_ttl - INTEGER | |
| cc6f02dd ED |
14 | Default value of TTL field (Time To Live) for outgoing (but not |
| 15 | forwarded) IP packets. Should be between 1 and 255 inclusive. | |
| 16 | Default: 64 (as recommended by RFC1700) | |
| 1da177e4 | 17 | |
| cd174e67 HFS |
18 | ip_no_pmtu_disc - INTEGER |
| 19 | Disable Path MTU Discovery. If enabled in mode 1 and a | |
| 188b04d5 HFS |
20 | fragmentation-required ICMP is received, the PMTU to this |
| 21 | destination will be set to min_pmtu (see below). You will need | |
| 22 | to raise min_pmtu to the smallest interface MTU on your system | |
| 23 | manually if you want to avoid locally generated fragments. | |
| cd174e67 HFS |
24 | |
| 25 | In mode 2 incoming Path MTU Discovery messages will be | |
| 26 | discarded. Outgoing frames are handled the same as in mode 1, | |
| 27 | implicitly setting IP_PMTUDISC_DONT on every created socket. | |
| 28 | ||
| bb38ccce | 29 | Mode 3 is a hardened pmtu discover mode. The kernel will only |
| 8ed1dc44 HFS |
30 | accept fragmentation-needed errors if the underlying protocol |
| 31 | can verify them besides a plain socket lookup. Current | |
| 32 | protocols for which pmtu events will be honored are TCP, SCTP | |
| 33 | and DCCP as they verify e.g. the sequence number or the | |
| 34 | association. This mode should not be enabled globally but is | |
| 35 | only intended to secure e.g. name servers in namespaces where | |
| 36 | TCP path mtu must still work but path MTU information of other | |
| 37 | protocols should be discarded. If enabled globally this mode | |
| 38 | could break other protocols. | |
| 39 | ||
| 40 | Possible values: 0-3 | |
| 188b04d5 | 41 | Default: FALSE |
| 1da177e4 LT |
42 | |
| 43 | min_pmtu - INTEGER | |
| 20db93c3 | 44 | default 552 - minimum discovered Path MTU |
| 1da177e4 | 45 | |
| f87c10a8 HFS |
46 | ip_forward_use_pmtu - BOOLEAN |
| 47 | By default we don't trust protocol path MTUs while forwarding | |
| 48 | because they could be easily forged and can lead to unwanted | |
| 49 | fragmentation by the router. | |
| 50 | You only need to enable this if you have user-space software | |
| 51 | which tries to discover path mtus by itself and depends on the | |
| 52 | kernel honoring this information. This is normally not the | |
| 53 | case. | |
| 54 | Default: 0 (disabled) | |
| 55 | Possible values: | |
| 56 | 0 - disabled | |
| 57 | 1 - enabled | |
| 58 | ||
| 219b5f29 LV |
59 | fwmark_reflect - BOOLEAN |
| 60 | Controls the fwmark of kernel-generated IPv4 reply packets that are not | |
| 61 | associated with a socket for example, TCP RSTs or ICMP echo replies). | |
| 62 | If unset, these packets have a fwmark of zero. If set, they have the | |
| 63 | fwmark of the packet they are replying to. | |
| 64 | Default: 0 | |
| 65 | ||
| a6db4494 DA |
66 | fib_multipath_use_neigh - BOOLEAN |
| 67 | Use status of existing neighbor entry when determining nexthop for | |
| 68 | multipath routes. If disabled, neighbor information is not used and | |
| 69 | packets could be directed to a failed nexthop. Only valid for kernels | |
| 70 | built with CONFIG_IP_ROUTE_MULTIPATH enabled. | |
| 71 | Default: 0 (disabled) | |
| 72 | Possible values: | |
| 73 | 0 - disabled | |
| 74 | 1 - enabled | |
| 75 | ||
| bf4e0a3d NA |
76 | fib_multipath_hash_policy - INTEGER |
| 77 | Controls which hash policy to use for multipath routes. Only valid | |
| 78 | for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. | |
| 79 | Default: 0 (Layer 3) | |
| 80 | Possible values: | |
| 81 | 0 - Layer 3 | |
| 82 | 1 - Layer 4 | |
| 83 | ||
| 9ab948a9 DA |
84 | fib_sync_mem - UNSIGNED INTEGER |
| 85 | Amount of dirty memory from fib entries that can be backlogged before | |
| 86 | synchronize_rcu is forced. | |
| 87 | Default: 512kB Minimum: 64kB Maximum: 64MB | |
| 88 | ||
| 432e05d3 PM |
89 | ip_forward_update_priority - INTEGER |
| 90 | Whether to update SKB priority from "TOS" field in IPv4 header after it | |
| 91 | is forwarded. The new SKB priority is mapped from TOS field value | |
| 92 | according to an rt_tos2priority table (see e.g. man tc-prio). | |
| 93 | Default: 1 (Update priority.) | |
| 94 | Possible values: | |
| 95 | 0 - Do not update priority. | |
| 96 | 1 - Update priority. | |
| 97 | ||
| cbaf087a BG |
98 | route/max_size - INTEGER |
| 99 | Maximum number of routes allowed in the kernel. Increase | |
| 100 | this when using large numbers of interfaces and/or routes. | |
| 25050c63 AS |
101 | From linux kernel 3.6 onwards, this is deprecated for ipv4 |
| 102 | as route cache is no longer used. | |
| cbaf087a | 103 | |
| 2724680b YH |
104 | neigh/default/gc_thresh1 - INTEGER |
| 105 | Minimum number of entries to keep. Garbage collector will not | |
| 106 | purge entries if there are fewer than this number. | |
| b66c66dc | 107 | Default: 128 |
| 2724680b | 108 | |
| a3d12146 | 109 | neigh/default/gc_thresh2 - INTEGER |
| 110 | Threshold when garbage collector becomes more aggressive about | |
| 111 | purging entries. Entries older than 5 seconds will be cleared | |
| 112 | when over this number. | |
| 113 | Default: 512 | |
| 114 | ||
| cbaf087a | 115 | neigh/default/gc_thresh3 - INTEGER |
| 58956317 DA |
116 | Maximum number of non-PERMANENT neighbor entries allowed. Increase |
| 117 | this when using large numbers of interfaces and when communicating | |
| cbaf087a | 118 | with large numbers of directly-connected peers. |
| cc868028 | 119 | Default: 1024 |
| cbaf087a | 120 | |
| 8b5c171b ED |
121 | neigh/default/unres_qlen_bytes - INTEGER |
| 122 | The maximum number of bytes which may be used by packets | |
| 123 | queued for each unresolved address by other network layers. | |
| 124 | (added in linux 3.3) | |
| 3b09adcb | 125 | Setting negative value is meaningless and will return error. |
| eaa72dc4 ED |
126 | Default: SK_WMEM_MAX, (same as net.core.wmem_default). |
| 127 | Exact value depends on architecture and kernel options, | |
| 128 | but should be enough to allow queuing 256 packets | |
| 129 | of medium size. | |
| 8b5c171b ED |
130 | |
| 131 | neigh/default/unres_qlen - INTEGER | |
| 132 | The maximum number of packets which may be queued for each | |
| 133 | unresolved address by other network layers. | |
| 134 | (deprecated in linux 3.3) : use unres_qlen_bytes instead. | |
| cc868028 | 135 | Prior to linux 3.3, the default value is 3 which may cause |
| 5d248c49 | 136 | unexpected packet loss. The current default value is calculated |
| cc868028 SW |
137 | according to default value of unres_qlen_bytes and true size of |
| 138 | packet. | |
| eaa72dc4 | 139 | Default: 101 |
| 8b5c171b | 140 | |
| 1da177e4 LT |
141 | mtu_expires - INTEGER |
| 142 | Time, in seconds, that cached PMTU information is kept. | |
| 143 | ||
| 144 | min_adv_mss - INTEGER | |
| 145 | The advertised MSS depends on the first hop route MTU, but will | |
| 146 | never be lower than this setting. | |
| 147 | ||
| 148 | IP Fragmentation: | |
| 149 | ||
| 3e67f106 | 150 | ipfrag_high_thresh - LONG INTEGER |
| 648700f7 | 151 | Maximum memory used to reassemble IP fragments. |
| e18f5feb | 152 | |
| 3e67f106 | 153 | ipfrag_low_thresh - LONG INTEGER |
| 648700f7 | 154 | (Obsolete since linux-4.17) |
| b13d3cbf FW |
155 | Maximum memory used to reassemble IP fragments before the kernel |
| 156 | begins to remove incomplete fragment queues to free up resources. | |
| 157 | The kernel still accepts new fragments for defragmentation. | |
| 1da177e4 LT |
158 | |
| 159 | ipfrag_time - INTEGER | |
| e18f5feb | 160 | Time in seconds to keep an IP fragment in memory. |
| 1da177e4 | 161 | |
| 89cee8b1 | 162 | ipfrag_max_dist - INTEGER |
| e18f5feb JDB |
163 | ipfrag_max_dist is a non-negative integer value which defines the |
| 164 | maximum "disorder" which is allowed among fragments which share a | |
| 165 | common IP source address. Note that reordering of packets is | |
| 166 | not unusual, but if a large number of fragments arrive from a source | |
| 167 | IP address while a particular fragment queue remains incomplete, it | |
| 168 | probably indicates that one or more fragments belonging to that queue | |
| 169 | have been lost. When ipfrag_max_dist is positive, an additional check | |
| 170 | is done on fragments before they are added to a reassembly queue - if | |
| 171 | ipfrag_max_dist (or more) fragments have arrived from a particular IP | |
| 172 | address between additions to any IP fragment queue using that source | |
| 173 | address, it's presumed that one or more fragments in the queue are | |
| 174 | lost. The existing fragment queue will be dropped, and a new one | |
| 89cee8b1 HX |
175 | started. An ipfrag_max_dist value of zero disables this check. |
| 176 | ||
| 177 | Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can | |
| 178 | result in unnecessarily dropping fragment queues when normal | |
| e18f5feb JDB |
179 | reordering of packets occurs, which could lead to poor application |
| 180 | performance. Using a very large value, e.g. 50000, increases the | |
| 181 | likelihood of incorrectly reassembling IP fragments that originate | |
| 89cee8b1 HX |
182 | from different IP datagrams, which could result in data corruption. |
| 183 | Default: 64 | |
| 184 | ||
| 1da177e4 LT |
185 | INET peer storage: |
| 186 | ||
| 187 | inet_peer_threshold - INTEGER | |
| e18f5feb | 188 | The approximate size of the storage. Starting from this threshold |
| 1da177e4 LT |
189 | entries will be thrown aggressively. This threshold also determines |
| 190 | entries' time-to-live and time intervals between garbage collection | |
| 191 | passes. More entries, less time-to-live, less GC interval. | |
| 192 | ||
| 193 | inet_peer_minttl - INTEGER | |
| 194 | Minimum time-to-live of entries. Should be enough to cover fragment | |
| 195 | time-to-live on the reassembling side. This minimum time-to-live is | |
| 196 | guaranteed if the pool size is less than inet_peer_threshold. | |
| 77a538d5 | 197 | Measured in seconds. |
| 1da177e4 LT |
198 | |
| 199 | inet_peer_maxttl - INTEGER | |
| 200 | Maximum time-to-live of entries. Unused entries will expire after | |
| 201 | this period of time if there is no memory pressure on the pool (i.e. | |
| 202 | when the number of entries in the pool is very small). | |
| 77a538d5 | 203 | Measured in seconds. |
| 1da177e4 | 204 | |
| e18f5feb | 205 | TCP variables: |
| 1da177e4 | 206 | |
| ef56e622 SH |
207 | somaxconn - INTEGER |
| 208 | Limit of socket listen() backlog, known in userspace as SOMAXCONN. | |
| 209 | Defaults to 128. See also tcp_max_syn_backlog for additional tuning | |
| 210 | for TCP sockets. | |
| 211 | ||
| ef56e622 SH |
212 | tcp_abort_on_overflow - BOOLEAN |
| 213 | If listening service is too slow to accept new connections, | |
| 214 | reset them. Default state is FALSE. It means that if overflow | |
| 215 | occurred due to a burst, connection will recover. Enable this | |
| 216 | option _only_ if you are really sure that listening daemon | |
| 217 | cannot be tuned to accept connections faster. Enabling this | |
| 218 | option can harm clients of your server. | |
| 1da177e4 | 219 | |
| ef56e622 SH |
220 | tcp_adv_win_scale - INTEGER |
| 221 | Count buffering overhead as bytes/2^tcp_adv_win_scale | |
| 222 | (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), | |
| 223 | if it is <= 0. | |
| 0147fc05 | 224 | Possible values are [-31, 31], inclusive. |
| b49960a0 | 225 | Default: 1 |
| 1da177e4 | 226 | |
| ef56e622 SH |
227 | tcp_allowed_congestion_control - STRING |
| 228 | Show/set the congestion control choices available to non-privileged | |
| 229 | processes. The list is a subset of those listed in | |
| 230 | tcp_available_congestion_control. | |
| 231 | Default is "reno" and the default setting (tcp_congestion_control). | |
| 1da177e4 | 232 | |
| ef56e622 SH |
233 | tcp_app_win - INTEGER |
| 234 | Reserve max(window/2^tcp_app_win, mss) of window for application | |
| 235 | buffer. Value 0 is special, it means that nothing is reserved. | |
| 236 | Default: 31 | |
| 1da177e4 | 237 | |
| f54b3111 ED |
238 | tcp_autocorking - BOOLEAN |
| 239 | Enable TCP auto corking : | |
| 240 | When applications do consecutive small write()/sendmsg() system calls, | |
| 241 | we try to coalesce these small writes as much as possible, to lower | |
| 242 | total amount of sent packets. This is done if at least one prior | |
| 243 | packet for the flow is waiting in Qdisc queues or device transmit | |
| 244 | queue. Applications can still use TCP_CORK for optimal behavior | |
| 245 | when they know how/when to uncork their sockets. | |
| 246 | Default : 1 | |
| 247 | ||
| ef56e622 SH |
248 | tcp_available_congestion_control - STRING |
| 249 | Shows the available congestion control choices that are registered. | |
| 250 | More congestion control algorithms may be available as modules, | |
| 251 | but not loaded. | |
| 1da177e4 | 252 | |
| 71599cd1 | 253 | tcp_base_mss - INTEGER |
| 4edc2f34 SH |
254 | The initial value of search_low to be used by the packetization layer |
| 255 | Path MTU discovery (MTU probing). If MTU probing is enabled, | |
| 256 | this is the initial MSS used by the connection. | |
| 71599cd1 | 257 | |
| ef56e622 SH |
258 | tcp_congestion_control - STRING |
| 259 | Set the congestion control algorithm to be used for new | |
| 260 | connections. The algorithm "reno" is always available, but | |
| 261 | additional choices may be available based on kernel configuration. | |
| 262 | Default is set as part of kernel configuration. | |
| d8a6e65f ED |
263 | For passive connections, the listener congestion control choice |
| 264 | is inherited. | |
| 265 | [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] | |
| 1da177e4 | 266 | |
| ef56e622 SH |
267 | tcp_dsack - BOOLEAN |
| 268 | Allows TCP to send "duplicate" SACKs. | |
| 1da177e4 | 269 | |
| eed530b6 | 270 | tcp_early_retrans - INTEGER |
| bec41a11 YC |
271 | Tail loss probe (TLP) converts RTOs occurring due to tail |
| 272 | losses into fast recovery (draft-ietf-tcpm-rack). Note that | |
| 273 | TLP requires RACK to function properly (see tcp_recovery below) | |
| eed530b6 | 274 | Possible values: |
| bec41a11 YC |
275 | 0 disables TLP |
| 276 | 3 or 4 enables TLP | |
| 6ba8a3b1 | 277 | Default: 3 |
| eed530b6 | 278 | |
| 34a6ef38 | 279 | tcp_ecn - INTEGER |
| 7e3a2dc5 RJ |
280 | Control use of Explicit Congestion Notification (ECN) by TCP. |
| 281 | ECN is used only when both ends of the TCP connection indicate | |
| 282 | support for it. This feature is useful in avoiding losses due | |
| 283 | to congestion by allowing supporting routers to signal | |
| 284 | congestion before having to drop packets. | |
| 255cac91 | 285 | Possible values are: |
| 7e3a2dc5 | 286 | 0 Disable ECN. Neither initiate nor accept ECN. |
| 3d55b323 VS |
287 | 1 Enable ECN when requested by incoming connections and |
| 288 | also request ECN on outgoing connection attempts. | |
| 289 | 2 Enable ECN when requested by incoming connections | |
| 7e3a2dc5 | 290 | but do not request ECN on outgoing connections. |
| 255cac91 | 291 | Default: 2 |
| ef56e622 | 292 | |
| 49213555 DB |
293 | tcp_ecn_fallback - BOOLEAN |
| 294 | If the kernel detects that ECN connection misbehaves, enable fall | |
| 295 | back to non-ECN. Currently, this knob implements the fallback | |
| 296 | from RFC3168, section 6.1.1.1., but we reserve that in future, | |
| 297 | additional detection mechanisms could be implemented under this | |
| 298 | knob. The value is not used, if tcp_ecn or per route (or congestion | |
| 299 | control) ECN settings are disabled. | |
| 300 | Default: 1 (fallback enabled) | |
| 301 | ||
| ef56e622 | 302 | tcp_fack - BOOLEAN |
| 713bafea | 303 | This is a legacy option, it has no effect anymore. |
| 1da177e4 LT |
304 | |
| 305 | tcp_fin_timeout - INTEGER | |
| d825da2e RJ |
306 | The length of time an orphaned (no longer referenced by any |
| 307 | application) connection will remain in the FIN_WAIT_2 state | |
| 308 | before it is aborted at the local end. While a perfectly | |
| 309 | valid "receive only" state for an un-orphaned connection, an | |
| 310 | orphaned connection in FIN_WAIT_2 state could otherwise wait | |
| 311 | forever for the remote to close its end of the connection. | |
| 312 | Cf. tcp_max_orphans | |
| 313 | Default: 60 seconds | |
| 1da177e4 | 314 | |
| 89808060 | 315 | tcp_frto - INTEGER |
| e33099f9 | 316 | Enables Forward RTO-Recovery (F-RTO) defined in RFC5682. |
| cd99889c | 317 | F-RTO is an enhanced recovery algorithm for TCP retransmission |
| e33099f9 YC |
318 | timeouts. It is particularly beneficial in networks where the |
| 319 | RTT fluctuates (e.g., wireless). F-RTO is sender-side only | |
| 320 | modification. It does not require any support from the peer. | |
| 321 | ||
| 322 | By default it's enabled with a non-zero value. 0 disables F-RTO. | |
| 1da177e4 | 323 | |
| e2d00e62 LC |
324 | tcp_fwmark_accept - BOOLEAN |
| 325 | If set, incoming connections to listening sockets that do not have a | |
| 326 | socket mark will set the mark of the accepting socket to the fwmark of | |
| 327 | the incoming SYN packet. This will cause all packets on that connection | |
| 328 | (starting from the first SYNACK) to be sent with that fwmark. The | |
| 329 | listening socket's mark is unchanged. Listening sockets that already | |
| 330 | have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are | |
| 331 | unaffected. | |
| 332 | ||
| 333 | Default: 0 | |
| 334 | ||
| 032ee423 NC |
335 | tcp_invalid_ratelimit - INTEGER |
| 336 | Limit the maximal rate for sending duplicate acknowledgments | |
| 337 | in response to incoming TCP packets that are for an existing | |
| 338 | connection but that are invalid due to any of these reasons: | |
| 339 | ||
| 340 | (a) out-of-window sequence number, | |
| 341 | (b) out-of-window acknowledgment number, or | |
| 342 | (c) PAWS (Protection Against Wrapped Sequence numbers) check failure | |
| 343 | ||
| 344 | This can help mitigate simple "ack loop" DoS attacks, wherein | |
| 345 | a buggy or malicious middlebox or man-in-the-middle can | |
| 346 | rewrite TCP header fields in manner that causes each endpoint | |
| 347 | to think that the other is sending invalid TCP segments, thus | |
| 348 | causing each side to send an unterminating stream of duplicate | |
| 349 | acknowledgments for invalid segments. | |
| 350 | ||
| 351 | Using 0 disables rate-limiting of dupacks in response to | |
| 352 | invalid segments; otherwise this value specifies the minimal | |
| 353 | space between sending such dupacks, in milliseconds. | |
| 354 | ||
| 355 | Default: 500 (milliseconds). | |
| 356 | ||
| ef56e622 SH |
357 | tcp_keepalive_time - INTEGER |
| 358 | How often TCP sends out keepalive messages when keepalive is enabled. | |
| 359 | Default: 2hours. | |
| 1da177e4 | 360 | |
| ef56e622 SH |
361 | tcp_keepalive_probes - INTEGER |
| 362 | How many keepalive probes TCP sends out, until it decides that the | |
| 363 | connection is broken. Default value: 9. | |
| 364 | ||
| 365 | tcp_keepalive_intvl - INTEGER | |
| 366 | How frequently the probes are send out. Multiplied by | |
| 367 | tcp_keepalive_probes it is time to kill not responding connection, | |
| 368 | after probes started. Default value: 75sec i.e. connection | |
| 369 | will be aborted after ~11 minutes of retries. | |
| 370 | ||
| 6dd9a14e DA |
371 | tcp_l3mdev_accept - BOOLEAN |
| 372 | Enables child sockets to inherit the L3 master device index. | |
| 373 | Enabling this option allows a "global" listen socket to work | |
| 374 | across L3 master domains (e.g., VRFs) with connected sockets | |
| 375 | derived from the listen socket to be bound to the L3 domain in | |
| 376 | which the packets originated. Only valid when the kernel was | |
| 377 | compiled with CONFIG_NET_L3_MASTER_DEV. | |
| 6897445f | 378 | Default: 0 (disabled) |
| 6dd9a14e | 379 | |
| ef56e622 | 380 | tcp_low_latency - BOOLEAN |
| b6690b14 | 381 | This is a legacy option, it has no effect anymore. |
| 1da177e4 LT |
382 | |
| 383 | tcp_max_orphans - INTEGER | |
| 384 | Maximal number of TCP sockets not attached to any user file handle, | |
| 385 | held by system. If this number is exceeded orphaned connections are | |
| 386 | reset immediately and warning is printed. This limit exists | |
| 387 | only to prevent simple DoS attacks, you _must_ not rely on this | |
| 388 | or lower the limit artificially, but rather increase it | |
| 389 | (probably, after increasing installed memory), | |
| 390 | if network conditions require more than default value, | |
| 391 | and tune network services to linger and kill such states | |
| 392 | more aggressively. Let me to remind again: each orphan eats | |
| 393 | up to ~64K of unswappable memory. | |
| 394 | ||
| 1da177e4 | 395 | tcp_max_syn_backlog - INTEGER |
| 99b53bdd PP |
396 | Maximal number of remembered connection requests, which have not |
| 397 | received an acknowledgment from connecting client. | |
| 398 | The minimal value is 128 for low memory machines, and it will | |
| 399 | increase in proportion to the memory of machine. | |
| 400 | If server suffers from overload, try increasing this number. | |
| 1da177e4 | 401 | |
| ef56e622 SH |
402 | tcp_max_tw_buckets - INTEGER |
| 403 | Maximal number of timewait sockets held by system simultaneously. | |
| 404 | If this number is exceeded time-wait socket is immediately destroyed | |
| 405 | and warning is printed. This limit exists only to prevent | |
| 406 | simple DoS attacks, you _must_ not lower the limit artificially, | |
| 407 | but rather increase it (probably, after increasing installed memory), | |
| 408 | if network conditions require more than default value. | |
| 1da177e4 | 409 | |
| ef56e622 SH |
410 | tcp_mem - vector of 3 INTEGERs: min, pressure, max |
| 411 | min: below this number of pages TCP is not bothered about its | |
| 412 | memory appetite. | |
| 1da177e4 | 413 | |
| ef56e622 SH |
414 | pressure: when amount of memory allocated by TCP exceeds this number |
| 415 | of pages, TCP moderates its memory consumption and enters memory | |
| 416 | pressure mode, which is exited when memory consumption falls | |
| 417 | under "min". | |
| 1da177e4 | 418 | |
| ef56e622 | 419 | max: number of pages allowed for queueing by all TCP sockets. |
| 1da177e4 | 420 | |
| ef56e622 SH |
421 | Defaults are calculated at boot time from amount of available |
| 422 | memory. | |
| 1da177e4 | 423 | |
| f6722583 YC |
424 | tcp_min_rtt_wlen - INTEGER |
| 425 | The window length of the windowed min filter to track the minimum RTT. | |
| 426 | A shorter window lets a flow more quickly pick up new (higher) | |
| 427 | minimum RTT when it is moved to a longer path (e.g., due to traffic | |
| 428 | engineering). A longer window makes the filter more resistant to RTT | |
| 429 | inflations such as transient congestion. The unit is seconds. | |
| 430 | Default: 300 | |
| 431 | ||
| 71599cd1 | 432 | tcp_moderate_rcvbuf - BOOLEAN |
| 4edc2f34 | 433 | If set, TCP performs receive buffer auto-tuning, attempting to |
| 71599cd1 JH |
434 | automatically size the buffer (no greater than tcp_rmem[2]) to |
| 435 | match the size required by the path for full throughput. Enabled by | |
| 436 | default. | |
| 437 | ||
| 438 | tcp_mtu_probing - INTEGER | |
| 439 | Controls TCP Packetization-Layer Path MTU Discovery. Takes three | |
| 440 | values: | |
| 441 | 0 - Disabled | |
| 442 | 1 - Disabled by default, enabled when an ICMP black hole detected | |
| 443 | 2 - Always enabled, use initial MSS of tcp_base_mss. | |
| 444 | ||
| d4ce5808 | 445 | tcp_probe_interval - UNSIGNED INTEGER |
| fab42760 FD |
446 | Controls how often to start TCP Packetization-Layer Path MTU |
| 447 | Discovery reprobe. The default is reprobing every 10 minutes as | |
| 448 | per RFC4821. | |
| 449 | ||
| 450 | tcp_probe_threshold - INTEGER | |
| 451 | Controls when TCP Packetization-Layer Path MTU Discovery probing | |
| 452 | will stop in respect to the width of search range in bytes. Default | |
| 453 | is 8 bytes. | |
| 454 | ||
| 71599cd1 JH |
455 | tcp_no_metrics_save - BOOLEAN |
| 456 | By default, TCP saves various connection metrics in the route cache | |
| 457 | when the connection closes, so that connections established in the | |
| 458 | near future can use these to set initial conditions. Usually, this | |
| 459 | increases overall performance, but may sometimes cause performance | |
| 0f035b8e | 460 | degradation. If set, TCP will not cache metrics on closing |
| 71599cd1 JH |
461 | connections. |
| 462 | ||
| ef56e622 | 463 | tcp_orphan_retries - INTEGER |
| 5d789229 DL |
464 | This value influences the timeout of a locally closed TCP connection, |
| 465 | when RTO retransmissions remain unacknowledged. | |
| 466 | See tcp_retries2 for more details. | |
| 467 | ||
| 06b8fc5d | 468 | The default value is 8. |
| 5d789229 | 469 | If your machine is a loaded WEB server, |
| ef56e622 SH |
470 | you should think about lowering this value, such sockets |
| 471 | may consume significant resources. Cf. tcp_max_orphans. | |
| 1da177e4 | 472 | |
| 4f41b1c5 YC |
473 | tcp_recovery - INTEGER |
| 474 | This value is a bitmap to enable various experimental loss recovery | |
| 475 | features. | |
| 476 | ||
| 477 | RACK: 0x1 enables the RACK loss detection for fast detection of lost | |
| b38a51fe YC |
478 | retransmissions and tail drops. It also subsumes and disables |
| 479 | RFC6675 recovery for SACK connections. | |
| 1f255691 | 480 | RACK: 0x2 makes RACK's reordering window static (min_rtt/4). |
| 20b654df | 481 | RACK: 0x4 disables RACK's DUPACK threshold heuristic |
| 4f41b1c5 YC |
482 | |
| 483 | Default: 0x1 | |
| 484 | ||
| 1da177e4 | 485 | tcp_reordering - INTEGER |
| dca145ff ED |
486 | Initial reordering level of packets in a TCP stream. |
| 487 | TCP stack can then dynamically adjust flow reordering level | |
| 488 | between this initial value and tcp_max_reordering | |
| e18f5feb | 489 | Default: 3 |
| 1da177e4 | 490 | |
| dca145ff ED |
491 | tcp_max_reordering - INTEGER |
| 492 | Maximal reordering level of packets in a TCP stream. | |
| 493 | 300 is a fairly conservative value, but you might increase it | |
| 494 | if paths are using per packet load balancing (like bonding rr mode) | |
| 495 | Default: 300 | |
| 496 | ||
| 1da177e4 LT |
497 | tcp_retrans_collapse - BOOLEAN |
| 498 | Bug-to-bug compatibility with some broken printers. | |
| 499 | On retransmit try to send bigger packets to work around bugs in | |
| 500 | certain TCP stacks. | |
| 501 | ||
| ef56e622 | 502 | tcp_retries1 - INTEGER |
| 5d789229 DL |
503 | This value influences the time, after which TCP decides, that |
| 504 | something is wrong due to unacknowledged RTO retransmissions, | |
| 505 | and reports this suspicion to the network layer. | |
| 506 | See tcp_retries2 for more details. | |
| 507 | ||
| 508 | RFC 1122 recommends at least 3 retransmissions, which is the | |
| 509 | default. | |
| 1da177e4 | 510 | |
| ef56e622 | 511 | tcp_retries2 - INTEGER |
| 5d789229 DL |
512 | This value influences the timeout of an alive TCP connection, |
| 513 | when RTO retransmissions remain unacknowledged. | |
| 514 | Given a value of N, a hypothetical TCP connection following | |
| 515 | exponential backoff with an initial RTO of TCP_RTO_MIN would | |
| 516 | retransmit N times before killing the connection at the (N+1)th RTO. | |
| 517 | ||
| 518 | The default value of 15 yields a hypothetical timeout of 924.6 | |
| 519 | seconds and is a lower bound for the effective timeout. | |
| 520 | TCP will effectively time out at the first RTO which exceeds the | |
| 521 | hypothetical timeout. | |
| 522 | ||
| 523 | RFC 1122 recommends at least 100 seconds for the timeout, | |
| 524 | which corresponds to a value of at least 8. | |
| 1da177e4 | 525 | |
| ef56e622 SH |
526 | tcp_rfc1337 - BOOLEAN |
| 527 | If set, the TCP stack behaves conforming to RFC1337. If unset, | |
| 528 | we are not conforming to RFC, but prevent TCP TIME_WAIT | |
| 529 | assassination. | |
| 530 | Default: 0 | |
| 1da177e4 LT |
531 | |
| 532 | tcp_rmem - vector of 3 INTEGERs: min, default, max | |
| 533 | min: Minimal size of receive buffer used by TCP sockets. | |
| 534 | It is guaranteed to each TCP socket, even under moderate memory | |
| 535 | pressure. | |
| a61a86f8 | 536 | Default: 4K |
| 1da177e4 | 537 | |
| 53025f5e | 538 | default: initial size of receive buffer used by TCP sockets. |
| 1da177e4 LT |
539 | This value overrides net.core.rmem_default used by other protocols. |
| 540 | Default: 87380 bytes. This value results in window of 65535 with | |
| 541 | default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit | |
| 542 | less for default tcp_app_win. See below about these variables. | |
| 543 | ||
| 544 | max: maximal size of receive buffer allowed for automatically | |
| 545 | selected receiver buffers for TCP socket. This value does not override | |
| 53025f5e BF |
546 | net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables |
| 547 | automatic tuning of that socket's receive buffer size, in which | |
| 548 | case this value is ignored. | |
| b49960a0 | 549 | Default: between 87380B and 6MB, depending on RAM size. |
| 1da177e4 | 550 | |
| ef56e622 SH |
551 | tcp_sack - BOOLEAN |
| 552 | Enable select acknowledgments (SACKS). | |
| 1da177e4 | 553 | |
| 6d82aa24 ED |
554 | tcp_comp_sack_delay_ns - LONG INTEGER |
| 555 | TCP tries to reduce number of SACK sent, using a timer | |
| 556 | based on 5% of SRTT, capped by this sysctl, in nano seconds. | |
| 557 | The default is 1ms, based on TSO autosizing period. | |
| 558 | ||
| 559 | Default : 1,000,000 ns (1 ms) | |
| 560 | ||
| 9c21d2fc ED |
561 | tcp_comp_sack_nr - INTEGER |
| 562 | Max numer of SACK that can be compressed. | |
| 563 | Using 0 disables SACK compression. | |
| 564 | ||
| 565 | Detault : 44 | |
| 566 | ||
| ef56e622 SH |
567 | tcp_slow_start_after_idle - BOOLEAN |
| 568 | If set, provide RFC2861 behavior and time out the congestion | |
| 569 | window after an idle period. An idle period is defined at | |
| 570 | the current RTO. If unset, the congestion window will not | |
| 571 | be timed out after an idle period. | |
| 572 | Default: 1 | |
| 1da177e4 | 573 | |
| ef56e622 | 574 | tcp_stdurg - BOOLEAN |
| 4edc2f34 | 575 | Use the Host requirements interpretation of the TCP urgent pointer field. |
| ef56e622 SH |
576 | Most hosts use the older BSD interpretation, so if you turn this on |
| 577 | Linux might not communicate correctly with them. | |
| 578 | Default: FALSE | |
| 1da177e4 | 579 | |
| ef56e622 SH |
580 | tcp_synack_retries - INTEGER |
| 581 | Number of times SYNACKs for a passive TCP connection attempt will | |
| 582 | be retransmitted. Should not be higher than 255. Default value | |
| 6c9ff979 AB |
583 | is 5, which corresponds to 31seconds till the last retransmission |
| 584 | with the current initial RTO of 1second. With this the final timeout | |
| 585 | for a passive TCP connection will happen after 63seconds. | |
| 1da177e4 | 586 | |
| ef56e622 | 587 | tcp_syncookies - BOOLEAN |
| a3c910d2 | 588 | Only valid when the kernel was compiled with CONFIG_SYN_COOKIES |
| ef56e622 | 589 | Send out syncookies when the syn backlog queue of a socket |
| 4edc2f34 | 590 | overflows. This is to prevent against the common 'SYN flood attack' |
| a3c910d2 | 591 | Default: 1 |
| 1da177e4 | 592 | |
| ef56e622 SH |
593 | Note, that syncookies is fallback facility. |
| 594 | It MUST NOT be used to help highly loaded servers to stand | |
| 4edc2f34 | 595 | against legal connection rate. If you see SYN flood warnings |
| ef56e622 SH |
596 | in your logs, but investigation shows that they occur |
| 597 | because of overload with legal connections, you should tune | |
| 598 | another parameters until this warning disappear. | |
| 599 | See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. | |
| 1da177e4 | 600 | |
| ef56e622 SH |
601 | syncookies seriously violate TCP protocol, do not allow |
| 602 | to use TCP extensions, can result in serious degradation | |
| 603 | of some services (f.e. SMTP relaying), visible not by you, | |
| 604 | but your clients and relays, contacting you. While you see | |
| 4edc2f34 | 605 | SYN flood warnings in logs not being really flooded, your server |
| ef56e622 | 606 | is seriously misconfigured. |
| 1da177e4 | 607 | |
| 5ad37d5d HFS |
608 | If you want to test which effects syncookies have to your |
| 609 | network connections you can set this knob to 2 to enable | |
| 610 | unconditionally generation of syncookies. | |
| 611 | ||
| cf60af03 | 612 | tcp_fastopen - INTEGER |
| cebc5cba YC |
613 | Enable TCP Fast Open (RFC7413) to send and accept data in the opening |
| 614 | SYN packet. | |
| 10467163 | 615 | |
| cebc5cba YC |
616 | The client support is enabled by flag 0x1 (on by default). The client |
| 617 | then must use sendmsg() or sendto() with the MSG_FASTOPEN flag, | |
| 618 | rather than connect() to send data in SYN. | |
| cf60af03 | 619 | |
| cebc5cba YC |
620 | The server support is enabled by flag 0x2 (off by default). Then |
| 621 | either enable for all listeners with another flag (0x400) or | |
| 622 | enable individual listeners via TCP_FASTOPEN socket option with | |
| 623 | the option value being the length of the syn-data backlog. | |
| cf60af03 | 624 | |
| cebc5cba YC |
625 | The values (bitmap) are |
| 626 | 0x1: (client) enables sending data in the opening SYN on the client. | |
| 627 | 0x2: (server) enables the server support, i.e., allowing data in | |
| 628 | a SYN packet to be accepted and passed to the | |
| 629 | application before 3-way handshake finishes. | |
| 630 | 0x4: (client) send data in the opening SYN regardless of cookie | |
| 631 | availability and without a cookie option. | |
| 632 | 0x200: (server) accept data-in-SYN w/o any cookie option present. | |
| 633 | 0x400: (server) enable all listeners to support Fast Open by | |
| 634 | default without explicit TCP_FASTOPEN socket option. | |
| 635 | ||
| 636 | Default: 0x1 | |
| 10467163 | 637 | |
| cebc5cba YC |
638 | Note that that additional client or server features are only |
| 639 | effective if the basic support (0x1 and 0x2) are enabled respectively. | |
| 10467163 | 640 | |
| cf1ef3f0 WW |
641 | tcp_fastopen_blackhole_timeout_sec - INTEGER |
| 642 | Initial time period in second to disable Fastopen on active TCP sockets | |
| 643 | when a TFO firewall blackhole issue happens. | |
| 644 | This time period will grow exponentially when more blackhole issues | |
| 645 | get detected right after Fastopen is re-enabled and will reset to | |
| 646 | initial value when the blackhole issue goes away. | |
| 7268586b | 647 | 0 to disable the blackhole detection. |
| cf1ef3f0 WW |
648 | By default, it is set to 1hr. |
| 649 | ||
| ef56e622 SH |
650 | tcp_syn_retries - INTEGER |
| 651 | Number of times initial SYNs for an active TCP connection attempt | |
| bffae697 | 652 | will be retransmitted. Should not be higher than 127. Default value |
| 3b09adcb | 653 | is 6, which corresponds to 63seconds till the last retransmission |
| 6c9ff979 AB |
654 | with the current initial RTO of 1second. With this the final timeout |
| 655 | for an active TCP connection attempt will happen after 127seconds. | |
| ef56e622 | 656 | |
| 25429d7b FW |
657 | tcp_timestamps - INTEGER |
| 658 | Enable timestamps as defined in RFC1323. | |
| 659 | 0: Disabled. | |
| 660 | 1: Enable timestamps as defined in RFC1323 and use random offset for | |
| 661 | each connection rather than only using the current time. | |
| 662 | 2: Like 1, but without random offsets. | |
| 663 | Default: 1 | |
| 1da177e4 | 664 | |
| 95bd09eb ED |
665 | tcp_min_tso_segs - INTEGER |
| 666 | Minimal number of segments per TSO frame. | |
| 667 | Since linux-3.12, TCP does an automatic sizing of TSO frames, | |
| 668 | depending on flow rate, instead of filling 64Kbytes packets. | |
| 669 | For specific usages, it's possible to force TCP to build big | |
| 670 | TSO frames. Note that TCP stack might split too big TSO packets | |
| 671 | if available window is too small. | |
| 672 | Default: 2 | |
| 673 | ||
| 43e122b0 ED |
674 | tcp_pacing_ss_ratio - INTEGER |
| 675 | sk->sk_pacing_rate is set by TCP stack using a ratio applied | |
| 676 | to current rate. (current_rate = cwnd * mss / srtt) | |
| 677 | If TCP is in slow start, tcp_pacing_ss_ratio is applied | |
| 678 | to let TCP probe for bigger speeds, assuming cwnd can be | |
| 679 | doubled every other RTT. | |
| 680 | Default: 200 | |
| 681 | ||
| 682 | tcp_pacing_ca_ratio - INTEGER | |
| 683 | sk->sk_pacing_rate is set by TCP stack using a ratio applied | |
| 684 | to current rate. (current_rate = cwnd * mss / srtt) | |
| 685 | If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio | |
| 686 | is applied to conservatively probe for bigger throughput. | |
| 687 | Default: 120 | |
| 688 | ||
| 1da177e4 | 689 | tcp_tso_win_divisor - INTEGER |
| ef56e622 SH |
690 | This allows control over what percentage of the congestion window |
| 691 | can be consumed by a single TSO frame. | |
| 692 | The setting of this parameter is a choice between burstiness and | |
| 693 | building larger TSO frames. | |
| 694 | Default: 3 | |
| 1da177e4 | 695 | |
| 79e9fed4 MŻ |
696 | tcp_tw_reuse - INTEGER |
| 697 | Enable reuse of TIME-WAIT sockets for new connections when it is | |
| 698 | safe from protocol viewpoint. | |
| 699 | 0 - disable | |
| 700 | 1 - global enable | |
| 701 | 2 - enable for loopback traffic only | |
| ef56e622 SH |
702 | It should not be changed without advice/request of technical |
| 703 | experts. | |
| 79e9fed4 | 704 | Default: 2 |
| ce7bc3bf | 705 | |
| ef56e622 SH |
706 | tcp_window_scaling - BOOLEAN |
| 707 | Enable window scaling as defined in RFC1323. | |
| 3ff825b2 | 708 | |
| ef56e622 | 709 | tcp_wmem - vector of 3 INTEGERs: min, default, max |
| 53025f5e | 710 | min: Amount of memory reserved for send buffers for TCP sockets. |
| ef56e622 | 711 | Each TCP socket has rights to use it due to fact of its birth. |
| a61a86f8 | 712 | Default: 4K |
| 9d7bcfc6 | 713 | |
| 53025f5e BF |
714 | default: initial size of send buffer used by TCP sockets. This |
| 715 | value overrides net.core.wmem_default used by other protocols. | |
| 716 | It is usually lower than net.core.wmem_default. | |
| ef56e622 SH |
717 | Default: 16K |
| 718 | ||
| 53025f5e BF |
719 | max: Maximal amount of memory allowed for automatically tuned |
| 720 | send buffers for TCP sockets. This value does not override | |
| 721 | net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables | |
| 722 | automatic tuning of that socket's send buffer size, in which case | |
| 723 | this value is ignored. | |
| 724 | Default: between 64K and 4MB, depending on RAM size. | |
| 1da177e4 | 725 | |
| c9bee3b7 ED |
726 | tcp_notsent_lowat - UNSIGNED INTEGER |
| 727 | A TCP socket can control the amount of unsent bytes in its write queue, | |
| 728 | thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll() | |
| 729 | reports POLLOUT events if the amount of unsent bytes is below a per | |
| 730 | socket value, and if the write queue is not full. sendmsg() will | |
| 731 | also not add new buffers if the limit is hit. | |
| 732 | ||
| 733 | This global variable controls the amount of unsent data for | |
| 734 | sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change | |
| 735 | to the global variable has immediate effect. | |
| 736 | ||
| 737 | Default: UINT_MAX (0xFFFFFFFF) | |
| 738 | ||
| 15d99e02 RJ |
739 | tcp_workaround_signed_windows - BOOLEAN |
| 740 | If set, assume no receipt of a window scaling option means the | |
| 741 | remote TCP is broken and treats the window as a signed quantity. | |
| 742 | If unset, assume the remote TCP is not broken even if we do | |
| 743 | not receive a window scaling option from them. | |
| 744 | Default: 0 | |
| 745 | ||
| 36e31b0a AP |
746 | tcp_thin_linear_timeouts - BOOLEAN |
| 747 | Enable dynamic triggering of linear timeouts for thin streams. | |
| 748 | If set, a check is performed upon retransmission by timeout to | |
| 749 | determine if the stream is thin (less than 4 packets in flight). | |
| 750 | As long as the stream is found to be thin, up to 6 linear | |
| 751 | timeouts may be performed before exponential backoff mode is | |
| 752 | initiated. This improves retransmission latency for | |
| 753 | non-aggressive thin streams, often found to be time-dependent. | |
| 754 | For more information on thin streams, see | |
| 755 | Documentation/networking/tcp-thin.txt | |
| 756 | Default: 0 | |
| 757 | ||
| 46d3ceab ED |
758 | tcp_limit_output_bytes - INTEGER |
| 759 | Controls TCP Small Queue limit per tcp socket. | |
| 760 | TCP bulk sender tends to increase packets in flight until it | |
| 761 | gets losses notifications. With SNDBUF autotuning, this can | |
| 9c4c3252 FL |
762 | result in a large amount of packets queued on the local machine |
| 763 | (e.g.: qdiscs, CPU backlog, or device) hurting latency of other | |
| 764 | flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes | |
| 765 | limits the number of bytes on qdisc or device to reduce artificial | |
| 766 | RTT/cwnd and reduce bufferbloat. | |
| c73e5807 | 767 | Default: 1048576 (16 * 65536) |
| 46d3ceab | 768 | |
| 282f23c6 ED |
769 | tcp_challenge_ack_limit - INTEGER |
| 770 | Limits number of Challenge ACK sent per second, as recommended | |
| 771 | in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) | |
| 772 | Default: 100 | |
| 773 | ||
| 95766fff HA |
774 | UDP variables: |
| 775 | ||
| 63a6fff3 RS |
776 | udp_l3mdev_accept - BOOLEAN |
| 777 | Enabling this option allows a "global" bound socket to work | |
| 778 | across L3 master domains (e.g., VRFs) with packets capable of | |
| 779 | being received regardless of the L3 domain in which they | |
| 780 | originated. Only valid when the kernel was compiled with | |
| 781 | CONFIG_NET_L3_MASTER_DEV. | |
| 6897445f | 782 | Default: 0 (disabled) |
| 63a6fff3 | 783 | |
| 95766fff HA |
784 | udp_mem - vector of 3 INTEGERs: min, pressure, max |
| 785 | Number of pages allowed for queueing by all UDP sockets. | |
| 786 | ||
| 787 | min: Below this number of pages UDP is not bothered about its | |
| 788 | memory appetite. When amount of memory allocated by UDP exceeds | |
| 789 | this number, UDP starts to moderate memory usage. | |
| 790 | ||
| 791 | pressure: This value was introduced to follow format of tcp_mem. | |
| 792 | ||
| 793 | max: Number of pages allowed for queueing by all UDP sockets. | |
| 794 | ||
| 795 | Default is calculated at boot time from amount of available memory. | |
| 796 | ||
| 797 | udp_rmem_min - INTEGER | |
| 798 | Minimal size of receive buffer used by UDP sockets in moderation. | |
| 799 | Each UDP socket is able to use the size for receiving data, even if | |
| 800 | total pages of UDP sockets exceed udp_mem pressure. The unit is byte. | |
| 320bd6de | 801 | Default: 4K |
| 95766fff HA |
802 | |
| 803 | udp_wmem_min - INTEGER | |
| 804 | Minimal size of send buffer used by UDP sockets in moderation. | |
| 805 | Each UDP socket is able to use the size for sending data, even if | |
| 806 | total pages of UDP sockets exceed udp_mem pressure. The unit is byte. | |
| 320bd6de | 807 | Default: 4K |
| 95766fff | 808 | |
| 6897445f MM |
809 | RAW variables: |
| 810 | ||
| 811 | raw_l3mdev_accept - BOOLEAN | |
| 812 | Enabling this option allows a "global" bound socket to work | |
| 813 | across L3 master domains (e.g., VRFs) with packets capable of | |
| 814 | being received regardless of the L3 domain in which they | |
| 815 | originated. Only valid when the kernel was compiled with | |
| 816 | CONFIG_NET_L3_MASTER_DEV. | |
| 817 | Default: 1 (enabled) | |
| 818 | ||
| 8802f616 PM |
819 | CIPSOv4 Variables: |
| 820 | ||
| 821 | cipso_cache_enable - BOOLEAN | |
| 822 | If set, enable additions to and lookups from the CIPSO label mapping | |
| 823 | cache. If unset, additions are ignored and lookups always result in a | |
| 824 | miss. However, regardless of the setting the cache is still | |
| 825 | invalidated when required when means you can safely toggle this on and | |
| 826 | off and the cache will always be "safe". | |
| 827 | Default: 1 | |
| 828 | ||
| 829 | cipso_cache_bucket_size - INTEGER | |
| 830 | The CIPSO label cache consists of a fixed size hash table with each | |
| 831 | hash bucket containing a number of cache entries. This variable limits | |
| 832 | the number of entries in each hash bucket; the larger the value the | |
| 833 | more CIPSO label mappings that can be cached. When the number of | |
| 834 | entries in a given hash bucket reaches this limit adding new entries | |
| 835 | causes the oldest entry in the bucket to be removed to make room. | |
| 836 | Default: 10 | |
| 837 | ||
| 838 | cipso_rbm_optfmt - BOOLEAN | |
| 839 | Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of | |
| 840 | the CIPSO draft specification (see Documentation/netlabel for details). | |
| 841 | This means that when set the CIPSO tag will be padded with empty | |
| 842 | categories in order to make the packet data 32-bit aligned. | |
| 843 | Default: 0 | |
| 844 | ||
| 845 | cipso_rbm_structvalid - BOOLEAN | |
| 846 | If set, do a very strict check of the CIPSO option when | |
| 847 | ip_options_compile() is called. If unset, relax the checks done during | |
| 848 | ip_options_compile(). Either way is "safe" as errors are caught else | |
| 849 | where in the CIPSO processing code but setting this to 0 (False) should | |
| 850 | result in less work (i.e. it should be faster) but could cause problems | |
| 851 | with other implementations that require strict checking. | |
| 852 | Default: 0 | |
| 853 | ||
| 1da177e4 LT |
854 | IP Variables: |
| 855 | ||
| 856 | ip_local_port_range - 2 INTEGERS | |
| 857 | Defines the local port range that is used by TCP and UDP to | |
| e18f5feb | 858 | choose the local port. The first number is the first, the |
| 07f4c900 ED |
859 | second the last local port number. |
| 860 | If possible, it is better these numbers have different parity. | |
| 861 | (one even and one odd values) | |
| 862 | The default values are 32768 and 60999 respectively. | |
| 1da177e4 | 863 | |
| e3826f1e AW |
864 | ip_local_reserved_ports - list of comma separated ranges |
| 865 | Specify the ports which are reserved for known third-party | |
| 866 | applications. These ports will not be used by automatic port | |
| 867 | assignments (e.g. when calling connect() or bind() with port | |
| 868 | number 0). Explicit port allocation behavior is unchanged. | |
| 869 | ||
| 870 | The format used for both input and output is a comma separated | |
| 871 | list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and | |
| 872 | 10). Writing to the file will clear all previously reserved | |
| 873 | ports and update the current list with the one given in the | |
| 874 | input. | |
| 875 | ||
| 876 | Note that ip_local_port_range and ip_local_reserved_ports | |
| 877 | settings are independent and both are considered by the kernel | |
| 878 | when determining which ports are available for automatic port | |
| 879 | assignments. | |
| 880 | ||
| 881 | You can reserve ports which are not in the current | |
| 882 | ip_local_port_range, e.g.: | |
| 883 | ||
| 884 | $ cat /proc/sys/net/ipv4/ip_local_port_range | |
| 07f4c900 | 885 | 32000 60999 |
| e3826f1e AW |
886 | $ cat /proc/sys/net/ipv4/ip_local_reserved_ports |
| 887 | 8080,9148 | |
| 888 | ||
| 889 | although this is redundant. However such a setting is useful | |
| 890 | if later the port range is changed to a value that will | |
| 891 | include the reserved ports. | |
| 892 | ||
| 893 | Default: Empty | |
| 894 | ||
| 4548b683 KJ |
895 | ip_unprivileged_port_start - INTEGER |
| 896 | This is a per-namespace sysctl. It defines the first | |
| 897 | unprivileged port in the network namespace. Privileged ports | |
| 898 | require root or CAP_NET_BIND_SERVICE in order to bind to them. | |
| 899 | To disable all privileged ports, set this to 0. It may not | |
| 900 | overlap with the ip_local_reserved_ports range. | |
| 901 | ||
| 902 | Default: 1024 | |
| 903 | ||
| 1da177e4 LT |
904 | ip_nonlocal_bind - BOOLEAN |
| 905 | If set, allows processes to bind() to non-local IP addresses, | |
| 906 | which can be quite useful - but may break some applications. | |
| 907 | Default: 0 | |
| 908 | ||
| 909 | ip_dynaddr - BOOLEAN | |
| 910 | If set non-zero, enables support for dynamic addresses. | |
| 911 | If set to a non-zero value larger than 1, a kernel log | |
| 912 | message will be printed when dynamic address rewriting | |
| 913 | occurs. | |
| 914 | Default: 0 | |
| 915 | ||
| e3d73bce CW |
916 | ip_early_demux - BOOLEAN |
| 917 | Optimize input packet processing down to one demux for | |
| 918 | certain kinds of local sockets. Currently we only do this | |
| dddb64bc | 919 | for established TCP and connected UDP sockets. |
| e3d73bce CW |
920 | |
| 921 | It may add an additional cost for pure routing workloads that | |
| 922 | reduces overall throughput, in such case you should disable it. | |
| 923 | Default: 1 | |
| 924 | ||
| dddb64bc | 925 | tcp_early_demux - BOOLEAN |
| 926 | Enable early demux for established TCP sockets. | |
| 927 | Default: 1 | |
| 928 | ||
| 929 | udp_early_demux - BOOLEAN | |
| 930 | Enable early demux for connected UDP sockets. Disable this if | |
| 931 | your system could experience more unconnected load. | |
| 932 | Default: 1 | |
| 933 | ||
| 1da177e4 | 934 | icmp_echo_ignore_all - BOOLEAN |
| 7ce31246 DM |
935 | If set non-zero, then the kernel will ignore all ICMP ECHO |
| 936 | requests sent to it. | |
| 937 | Default: 0 | |
| 938 | ||
| 1da177e4 | 939 | icmp_echo_ignore_broadcasts - BOOLEAN |
| 7ce31246 DM |
940 | If set non-zero, then the kernel will ignore all ICMP ECHO and |
| 941 | TIMESTAMP requests sent to it via broadcast/multicast. | |
| 942 | Default: 1 | |
| 1da177e4 LT |
943 | |
| 944 | icmp_ratelimit - INTEGER | |
| 945 | Limit the maximal rates for sending ICMP packets whose type matches | |
| 946 | icmp_ratemask (see below) to specific targets. | |
| 6dbf4bca SH |
947 | 0 to disable any limiting, |
| 948 | otherwise the minimal space between responses in milliseconds. | |
| 4cdf507d ED |
949 | Note that another sysctl, icmp_msgs_per_sec limits the number |
| 950 | of ICMP packets sent on all targets. | |
| 6dbf4bca | 951 | Default: 1000 |
| 1da177e4 | 952 | |
| 4cdf507d ED |
953 | icmp_msgs_per_sec - INTEGER |
| 954 | Limit maximal number of ICMP packets sent per second from this host. | |
| 955 | Only messages whose type matches icmp_ratemask (see below) are | |
| 956 | controlled by this limit. | |
| 6dbf4bca | 957 | Default: 1000 |
| 1da177e4 | 958 | |
| 4cdf507d ED |
959 | icmp_msgs_burst - INTEGER |
| 960 | icmp_msgs_per_sec controls number of ICMP packets sent per second, | |
| 961 | while icmp_msgs_burst controls the burst size of these packets. | |
| 962 | Default: 50 | |
| 963 | ||
| 1da177e4 LT |
964 | icmp_ratemask - INTEGER |
| 965 | Mask made of ICMP types for which rates are being limited. | |
| 966 | Significant bits: IHGFEDCBA9876543210 | |
| 967 | Default mask: 0000001100000011000 (6168) | |
| 968 | ||
| 969 | Bit definitions (see include/linux/icmp.h): | |
| 970 | 0 Echo Reply | |
| 971 | 3 Destination Unreachable * | |
| 972 | 4 Source Quench * | |
| 973 | 5 Redirect | |
| 974 | 8 Echo Request | |
| 975 | B Time Exceeded * | |
| 976 | C Parameter Problem * | |
| 977 | D Timestamp Request | |
| 978 | E Timestamp Reply | |
| 979 | F Info Request | |
| 980 | G Info Reply | |
| 981 | H Address Mask Request | |
| 982 | I Address Mask Reply | |
| 983 | ||
| 984 | * These are rate limited by default (see default mask above) | |
| 985 | ||
| 986 | icmp_ignore_bogus_error_responses - BOOLEAN | |
| 987 | Some routers violate RFC1122 by sending bogus responses to broadcast | |
| 988 | frames. Such violations are normally logged via a kernel warning. | |
| 989 | If this is set to TRUE, the kernel will not give such warnings, which | |
| 990 | will avoid log file clutter. | |
| e8b265e8 | 991 | Default: 1 |
| 1da177e4 | 992 | |
| 95f7daf1 H |
993 | icmp_errors_use_inbound_ifaddr - BOOLEAN |
| 994 | ||
| 02a6d613 PA |
995 | If zero, icmp error messages are sent with the primary address of |
| 996 | the exiting interface. | |
| e18f5feb | 997 | |
| 95f7daf1 H |
998 | If non-zero, the message will be sent with the primary address of |
| 999 | the interface that received the packet that caused the icmp error. | |
| 1000 | This is the behaviour network many administrators will expect from | |
| 1001 | a router. And it can make debugging complicated network layouts | |
| e18f5feb | 1002 | much easier. |
| 95f7daf1 H |
1003 | |
| 1004 | Note that if no primary address exists for the interface selected, | |
| 1005 | then the primary address of the first non-loopback interface that | |
| d6bc8ac9 | 1006 | has one will be used regardless of this setting. |
| 95f7daf1 H |
1007 | |
| 1008 | Default: 0 | |
| 1009 | ||
| 1da177e4 LT |
1010 | igmp_max_memberships - INTEGER |
| 1011 | Change the maximum number of multicast groups we can subscribe to. | |
| 1012 | Default: 20 | |
| 1013 | ||
| d67ef35f JE |
1014 | Theoretical maximum value is bounded by having to send a membership |
| 1015 | report in a single datagram (i.e. the report can't span multiple | |
| 1016 | datagrams, or risk confusing the switch and leaving groups you don't | |
| 1017 | intend to). | |
| 1da177e4 | 1018 | |
| d67ef35f JE |
1019 | The number of supported groups 'M' is bounded by the number of group |
| 1020 | report entries you can fit into a single datagram of 65535 bytes. | |
| 1021 | ||
| 1022 | M = 65536-sizeof (ip header)/(sizeof(Group record)) | |
| 1023 | ||
| 1024 | Group records are variable length, with a minimum of 12 bytes. | |
| 1025 | So net.ipv4.igmp_max_memberships should not be set higher than: | |
| 1026 | ||
| 1027 | (65536-24) / 12 = 5459 | |
| 1028 | ||
| 1029 | The value 5459 assumes no IP header options, so in practice | |
| 1030 | this number may be lower. | |
| 1031 | ||
| 537377d3 BP |
1032 | igmp_max_msf - INTEGER |
| 1033 | Maximum number of addresses allowed in the source filter list for a | |
| 1034 | multicast group. | |
| 1035 | Default: 10 | |
| 1036 | ||
| a9fe8e29 | 1037 | igmp_qrv - INTEGER |
| 537377d3 BP |
1038 | Controls the IGMP query robustness variable (see RFC2236 8.1). |
| 1039 | Default: 2 (as specified by RFC2236 8.1) | |
| 1040 | Minimum: 1 (as specified by RFC6636 4.5) | |
| a9fe8e29 | 1041 | |
| 1af92836 HL |
1042 | force_igmp_version - INTEGER |
| 1043 | 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback | |
| 1044 | allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier | |
| 1045 | Present timer expires. | |
| 1046 | 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if | |
| 1047 | receive IGMPv2/v3 query. | |
| 1048 | 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive | |
| 1049 | IGMPv1 query message. Will reply report if receive IGMPv3 query. | |
| 1050 | 3 - Enforce to use IGMP version 3. The same react with default 0. | |
| 1051 | ||
| 1052 | Note: this is not the same with force_mld_version because IGMPv3 RFC3376 | |
| 1053 | Security Considerations does not have clear description that we could | |
| 1054 | ignore other version messages completely as MLDv2 RFC3810. So make | |
| 1055 | this value as default 0 is recommended. | |
| 1056 | ||
| 6b226e2f BP |
1057 | conf/interface/* changes special settings per interface (where |
| 1058 | "interface" is the name of your network interface) | |
| 1059 | ||
| 1060 | conf/all/* is special, changes the settings for all interfaces | |
| 1061 | ||
| 1da177e4 LT |
1062 | log_martians - BOOLEAN |
| 1063 | Log packets with impossible addresses to kernel log. | |
| 1064 | log_martians for the interface will be enabled if at least one of | |
| 1065 | conf/{all,interface}/log_martians is set to TRUE, | |
| 1066 | it will be disabled otherwise | |
| 1067 | ||
| 1068 | accept_redirects - BOOLEAN | |
| 1069 | Accept ICMP redirect messages. | |
| 1070 | accept_redirects for the interface will be enabled if: | |
| e18f5feb JDB |
1071 | - both conf/{all,interface}/accept_redirects are TRUE in the case |
| 1072 | forwarding for the interface is enabled | |
| 1da177e4 | 1073 | or |
| e18f5feb JDB |
1074 | - at least one of conf/{all,interface}/accept_redirects is TRUE in the |
| 1075 | case forwarding for the interface is disabled | |
| 1da177e4 LT |
1076 | accept_redirects for the interface will be disabled otherwise |
| 1077 | default TRUE (host) | |
| 1078 | FALSE (router) | |
| 1079 | ||
| 1080 | forwarding - BOOLEAN | |
| 88a7cddc NJ |
1081 | Enable IP forwarding on this interface. This controls whether packets |
| 1082 | received _on_ this interface can be forwarded. | |
| 1da177e4 LT |
1083 | |
| 1084 | mc_forwarding - BOOLEAN | |
| 1085 | Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE | |
| 1086 | and a multicast routing daemon is required. | |
| e18f5feb JDB |
1087 | conf/all/mc_forwarding must also be set to TRUE to enable multicast |
| 1088 | routing for the interface | |
| 1da177e4 LT |
1089 | |
| 1090 | medium_id - INTEGER | |
| 1091 | Integer value used to differentiate the devices by the medium they | |
| 1092 | are attached to. Two devices can have different id values when | |
| 1093 | the broadcast packets are received only on one of them. | |
| 1094 | The default value 0 means that the device is the only interface | |
| 1095 | to its medium, value of -1 means that medium is not known. | |
| e18f5feb | 1096 | |
| 1da177e4 LT |
1097 | Currently, it is used to change the proxy_arp behavior: |
| 1098 | the proxy_arp feature is enabled for packets forwarded between | |
| 1099 | two devices attached to different media. | |
| 1100 | ||
| 1101 | proxy_arp - BOOLEAN | |
| 1102 | Do proxy arp. | |
| 1103 | proxy_arp for the interface will be enabled if at least one of | |
| 1104 | conf/{all,interface}/proxy_arp is set to TRUE, | |
| 1105 | it will be disabled otherwise | |
| 1106 | ||
| 65324144 JDB |
1107 | proxy_arp_pvlan - BOOLEAN |
| 1108 | Private VLAN proxy arp. | |
| 1109 | Basically allow proxy arp replies back to the same interface | |
| 1110 | (from which the ARP request/solicitation was received). | |
| 1111 | ||
| 1112 | This is done to support (ethernet) switch features, like RFC | |
| 1113 | 3069, where the individual ports are NOT allowed to | |
| 1114 | communicate with each other, but they are allowed to talk to | |
| 1115 | the upstream router. As described in RFC 3069, it is possible | |
| 1116 | to allow these hosts to communicate through the upstream | |
| 1117 | router by proxy_arp'ing. Don't need to be used together with | |
| 1118 | proxy_arp. | |
| 1119 | ||
| 1120 | This technology is known by different names: | |
| 1121 | In RFC 3069 it is called VLAN Aggregation. | |
| 1122 | Cisco and Allied Telesyn call it Private VLAN. | |
| 1123 | Hewlett-Packard call it Source-Port filtering or port-isolation. | |
| 1124 | Ericsson call it MAC-Forced Forwarding (RFC Draft). | |
| 1125 | ||
| 1da177e4 LT |
1126 | shared_media - BOOLEAN |
| 1127 | Send(router) or accept(host) RFC1620 shared media redirects. | |
| 176b346b | 1128 | Overrides secure_redirects. |
| 1da177e4 LT |
1129 | shared_media for the interface will be enabled if at least one of |
| 1130 | conf/{all,interface}/shared_media is set to TRUE, | |
| 1131 | it will be disabled otherwise | |
| 1132 | default TRUE | |
| 1133 | ||
| 1134 | secure_redirects - BOOLEAN | |
| 176b346b EG |
1135 | Accept ICMP redirect messages only to gateways listed in the |
| 1136 | interface's current gateway list. Even if disabled, RFC1122 redirect | |
| 1137 | rules still apply. | |
| 1138 | Overridden by shared_media. | |
| 1da177e4 LT |
1139 | secure_redirects for the interface will be enabled if at least one of |
| 1140 | conf/{all,interface}/secure_redirects is set to TRUE, | |
| 1141 | it will be disabled otherwise | |
| 1142 | default TRUE | |
| 1143 | ||
| 1144 | send_redirects - BOOLEAN | |
| 1145 | Send redirects, if router. | |
| 1146 | send_redirects for the interface will be enabled if at least one of | |
| 1147 | conf/{all,interface}/send_redirects is set to TRUE, | |
| 1148 | it will be disabled otherwise | |
| 1149 | Default: TRUE | |
| 1150 | ||
| 1151 | bootp_relay - BOOLEAN | |
| 1152 | Accept packets with source address 0.b.c.d destined | |
| 1153 | not to this host as local ones. It is supposed, that | |
| 1154 | BOOTP relay daemon will catch and forward such packets. | |
| 1155 | conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay | |
| 1156 | for the interface | |
| 1157 | default FALSE | |
| 1158 | Not Implemented Yet. | |
| 1159 | ||
| 1160 | accept_source_route - BOOLEAN | |
| 1161 | Accept packets with SRR option. | |
| 1162 | conf/all/accept_source_route must also be set to TRUE to accept packets | |
| 1163 | with SRR option on the interface | |
| 1164 | default TRUE (router) | |
| 1165 | FALSE (host) | |
| 1166 | ||
| 8153a10c | 1167 | accept_local - BOOLEAN |
| 72b126a4 SB |
1168 | Accept packets with local source addresses. In combination with |
| 1169 | suitable routing, this can be used to direct packets between two | |
| 1170 | local interfaces over the wire and have them accepted properly. | |
| 8153a10c PM |
1171 | default FALSE |
| 1172 | ||
| d0daebc3 TG |
1173 | route_localnet - BOOLEAN |
| 1174 | Do not consider loopback addresses as martian source or destination | |
| 1175 | while routing. This enables the use of 127/8 for local routing purposes. | |
| 1176 | default FALSE | |
| 1177 | ||
| c1cf8422 | 1178 | rp_filter - INTEGER |
| 1da177e4 | 1179 | 0 - No source validation. |
| c1cf8422 SH |
1180 | 1 - Strict mode as defined in RFC3704 Strict Reverse Path |
| 1181 | Each incoming packet is tested against the FIB and if the interface | |
| 1182 | is not the best reverse path the packet check will fail. | |
| 1183 | By default failed packets are discarded. | |
| 1184 | 2 - Loose mode as defined in RFC3704 Loose Reverse Path | |
| 1185 | Each incoming packet's source address is also tested against the FIB | |
| 1186 | and if the source address is not reachable via any interface | |
| 1187 | the packet check will fail. | |
| 1188 | ||
| e18f5feb | 1189 | Current recommended practice in RFC3704 is to enable strict mode |
| bf869c30 | 1190 | to prevent IP spoofing from DDos attacks. If using asymmetric routing |
| e18f5feb | 1191 | or other complicated routing, then loose mode is recommended. |
| c1cf8422 | 1192 | |
| 1f5865e7 SW |
1193 | The max value from conf/{all,interface}/rp_filter is used |
| 1194 | when doing source validation on the {interface}. | |
| 1da177e4 LT |
1195 | |
| 1196 | Default value is 0. Note that some distributions enable it | |
| 1197 | in startup scripts. | |
| 1198 | ||
| 1199 | arp_filter - BOOLEAN | |
| 1200 | 1 - Allows you to have multiple network interfaces on the same | |
| 1201 | subnet, and have the ARPs for each interface be answered | |
| 1202 | based on whether or not the kernel would route a packet from | |
| 1203 | the ARP'd IP out that interface (therefore you must use source | |
| 1204 | based routing for this to work). In other words it allows control | |
| 1205 | of which cards (usually 1) will respond to an arp request. | |
| 1206 | ||
| 1207 | 0 - (default) The kernel can respond to arp requests with addresses | |
| 1208 | from other interfaces. This may seem wrong but it usually makes | |
| 1209 | sense, because it increases the chance of successful communication. | |
| 1210 | IP addresses are owned by the complete host on Linux, not by | |
| 1211 | particular interfaces. Only for more complex setups like load- | |
| 1212 | balancing, does this behaviour cause problems. | |
| 1213 | ||
| 1214 | arp_filter for the interface will be enabled if at least one of | |
| 1215 | conf/{all,interface}/arp_filter is set to TRUE, | |
| 1216 | it will be disabled otherwise | |
| 1217 | ||
| 1218 | arp_announce - INTEGER | |
| 1219 | Define different restriction levels for announcing the local | |
| 1220 | source IP address from IP packets in ARP requests sent on | |
| 1221 | interface: | |
| 1222 | 0 - (default) Use any local address, configured on any interface | |
| 1223 | 1 - Try to avoid local addresses that are not in the target's | |
| 1224 | subnet for this interface. This mode is useful when target | |
| 1225 | hosts reachable via this interface require the source IP | |
| 1226 | address in ARP requests to be part of their logical network | |
| 1227 | configured on the receiving interface. When we generate the | |
| 1228 | request we will check all our subnets that include the | |
| 1229 | target IP and will preserve the source address if it is from | |
| 1230 | such subnet. If there is no such subnet we select source | |
| 1231 | address according to the rules for level 2. | |
| 1232 | 2 - Always use the best local address for this target. | |
| 1233 | In this mode we ignore the source address in the IP packet | |
| 1234 | and try to select local address that we prefer for talks with | |
| 1235 | the target host. Such local address is selected by looking | |
| 1236 | for primary IP addresses on all our subnets on the outgoing | |
| 1237 | interface that include the target IP address. If no suitable | |
| 1238 | local address is found we select the first local address | |
| 1239 | we have on the outgoing interface or on all other interfaces, | |
| 1240 | with the hope we will receive reply for our request and | |
| 1241 | even sometimes no matter the source IP address we announce. | |
| 1242 | ||
| 1243 | The max value from conf/{all,interface}/arp_announce is used. | |
| 1244 | ||
| 1245 | Increasing the restriction level gives more chance for | |
| 1246 | receiving answer from the resolved target while decreasing | |
| 1247 | the level announces more valid sender's information. | |
| 1248 | ||
| 1249 | arp_ignore - INTEGER | |
| 1250 | Define different modes for sending replies in response to | |
| 1251 | received ARP requests that resolve local target IP addresses: | |
| 1252 | 0 - (default): reply for any local target IP address, configured | |
| 1253 | on any interface | |
| 1254 | 1 - reply only if the target IP address is local address | |
| 1255 | configured on the incoming interface | |
| 1256 | 2 - reply only if the target IP address is local address | |
| 1257 | configured on the incoming interface and both with the | |
| 1258 | sender's IP address are part from same subnet on this interface | |
| 1259 | 3 - do not reply for local addresses configured with scope host, | |
| 1260 | only resolutions for global and link addresses are replied | |
| 1261 | 4-7 - reserved | |
| 1262 | 8 - do not reply for all local addresses | |
| 1263 | ||
| 1264 | The max value from conf/{all,interface}/arp_ignore is used | |
| 1265 | when ARP request is received on the {interface} | |
| 1266 | ||
| eefef1cf SH |
1267 | arp_notify - BOOLEAN |
| 1268 | Define mode for notification of address and device changes. | |
| 1269 | 0 - (default): do nothing | |
| 3f8dc236 | 1270 | 1 - Generate gratuitous arp requests when device is brought up |
| eefef1cf SH |
1271 | or hardware address changes. |
| 1272 | ||
| c1b1bce8 | 1273 | arp_accept - BOOLEAN |
| 6d955180 OP |
1274 | Define behavior for gratuitous ARP frames who's IP is not |
| 1275 | already present in the ARP table: | |
| 1276 | 0 - don't create new entries in the ARP table | |
| 1277 | 1 - create new entries in the ARP table | |
| 1278 | ||
| 1279 | Both replies and requests type gratuitous arp will trigger the | |
| 1280 | ARP table to be updated, if this setting is on. | |
| 1281 | ||
| 1282 | If the ARP table already contains the IP address of the | |
| 1283 | gratuitous arp frame, the arp table will be updated regardless | |
| 1284 | if this setting is on or off. | |
| 1285 | ||
| 89c69d3c YH |
1286 | mcast_solicit - INTEGER |
| 1287 | The maximum number of multicast probes in INCOMPLETE state, | |
| 1288 | when the associated hardware address is unknown. Defaults | |
| 1289 | to 3. | |
| 1290 | ||
| 1291 | ucast_solicit - INTEGER | |
| 1292 | The maximum number of unicast probes in PROBE state, when | |
| 1293 | the hardware address is being reconfirmed. Defaults to 3. | |
| c1b1bce8 | 1294 | |
| 1da177e4 LT |
1295 | app_solicit - INTEGER |
| 1296 | The maximum number of probes to send to the user space ARP daemon | |
| 1297 | via netlink before dropping back to multicast probes (see | |
| 89c69d3c YH |
1298 | mcast_resolicit). Defaults to 0. |
| 1299 | ||
| 1300 | mcast_resolicit - INTEGER | |
| 1301 | The maximum number of multicast probes after unicast and | |
| 1302 | app probes in PROBE state. Defaults to 0. | |
| 1da177e4 LT |
1303 | |
| 1304 | disable_policy - BOOLEAN | |
| 1305 | Disable IPSEC policy (SPD) for this interface | |
| 1306 | ||
| 1307 | disable_xfrm - BOOLEAN | |
| 1308 | Disable IPSEC encryption on this interface, whatever the policy | |
| 1309 | ||
| fc4eba58 HFS |
1310 | igmpv2_unsolicited_report_interval - INTEGER |
| 1311 | The interval in milliseconds in which the next unsolicited | |
| 1312 | IGMPv1 or IGMPv2 report retransmit will take place. | |
| 1313 | Default: 10000 (10 seconds) | |
| 1da177e4 | 1314 | |
| fc4eba58 HFS |
1315 | igmpv3_unsolicited_report_interval - INTEGER |
| 1316 | The interval in milliseconds in which the next unsolicited | |
| 1317 | IGMPv3 report retransmit will take place. | |
| 1318 | Default: 1000 (1 seconds) | |
| 1da177e4 | 1319 | |
| d922e1cb MS |
1320 | promote_secondaries - BOOLEAN |
| 1321 | When a primary IP address is removed from this interface | |
| 1322 | promote a corresponding secondary IP address instead of | |
| 1323 | removing all the corresponding secondary IP addresses. | |
| 1324 | ||
| 12b74dfa JB |
1325 | drop_unicast_in_l2_multicast - BOOLEAN |
| 1326 | Drop any unicast IP packets that are received in link-layer | |
| 1327 | multicast (or broadcast) frames. | |
| 1328 | This behavior (for multicast) is actually a SHOULD in RFC | |
| 1329 | 1122, but is disabled by default for compatibility reasons. | |
| 1330 | Default: off (0) | |
| 1331 | ||
| 97daf331 JB |
1332 | drop_gratuitous_arp - BOOLEAN |
| 1333 | Drop all gratuitous ARP frames, for example if there's a known | |
| 1334 | good ARP proxy on the network and such frames need not be used | |
| 1335 | (or in the case of 802.11, must not be used to prevent attacks.) | |
| 1336 | Default: off (0) | |
| 1337 | ||
| d922e1cb | 1338 | |
| 1da177e4 LT |
1339 | tag - INTEGER |
| 1340 | Allows you to write a number, which can be used as required. | |
| 1341 | Default value is 0. | |
| 1342 | ||
| e69948a0 AD |
1343 | xfrm4_gc_thresh - INTEGER |
| 1344 | The threshold at which we will start garbage collecting for IPv4 | |
| 1345 | destination cache entries. At twice this value the system will | |
| 3c2a89dd | 1346 | refuse new allocations. |
| e69948a0 | 1347 | |
| 87583ebb PD |
1348 | igmp_link_local_mcast_reports - BOOLEAN |
| 1349 | Enable IGMP reports for link local multicast groups in the | |
| 1350 | 224.0.0.X range. | |
| 1351 | Default TRUE | |
| 1352 | ||
| 1da177e4 LT |
1353 | Alexey Kuznetsov. |
| 1354 | kuznet@ms2.inr.ac.ru | |
| 1355 | ||
| 1356 | Updated by: | |
| 1357 | Andi Kleen | |
| 1358 | ak@muc.de | |
| 1359 | Nicolas Delon | |
| 1360 | delon.nicolas@wanadoo.fr | |
| 1361 | ||
| 1362 | ||
| 1363 | ||
| 1364 | ||
| 1365 | /proc/sys/net/ipv6/* Variables: | |
| 1366 | ||
| 1367 | IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also | |
| 1368 | apply to IPv6 [XXX?]. | |
| 1369 | ||
| 1370 | bindv6only - BOOLEAN | |
| 1371 | Default value for IPV6_V6ONLY socket option, | |
| e18f5feb | 1372 | which restricts use of the IPv6 socket to IPv6 communication |
| 1da177e4 LT |
1373 | only. |
| 1374 | TRUE: disable IPv4-mapped address feature | |
| 1375 | FALSE: enable IPv4-mapped address feature | |
| 1376 | ||
| d5c073ca | 1377 | Default: FALSE (as specified in RFC3493) |
| 1da177e4 | 1378 | |
| 6444f72b FF |
1379 | flowlabel_consistency - BOOLEAN |
| 1380 | Protect the consistency (and unicity) of flow label. | |
| 1381 | You have to disable it to use IPV6_FL_F_REFLECT flag on the | |
| 1382 | flow label manager. | |
| 1383 | TRUE: enabled | |
| 1384 | FALSE: disabled | |
| 1385 | Default: TRUE | |
| 1386 | ||
| 42240901 TH |
1387 | auto_flowlabels - INTEGER |
| 1388 | Automatically generate flow labels based on a flow hash of the | |
| 1389 | packet. This allows intermediate devices, such as routers, to | |
| 1390 | identify packet flows for mechanisms like Equal Cost Multipath | |
| cb1ce2ef | 1391 | Routing (see RFC 6438). |
| 42240901 TH |
1392 | 0: automatic flow labels are completely disabled |
| 1393 | 1: automatic flow labels are enabled by default, they can be | |
| 1394 | disabled on a per socket basis using the IPV6_AUTOFLOWLABEL | |
| 1395 | socket option | |
| 1396 | 2: automatic flow labels are allowed, they may be enabled on a | |
| 1397 | per socket basis using the IPV6_AUTOFLOWLABEL socket option | |
| 1398 | 3: automatic flow labels are enabled and enforced, they cannot | |
| 1399 | be disabled by the socket option | |
| b5677416 | 1400 | Default: 1 |
| cb1ce2ef | 1401 | |
| 82a584b7 TH |
1402 | flowlabel_state_ranges - BOOLEAN |
| 1403 | Split the flow label number space into two ranges. 0-0x7FFFF is | |
| 1404 | reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF | |
| 1405 | is reserved for stateless flow labels as described in RFC6437. | |
| 1406 | TRUE: enabled | |
| 1407 | FALSE: disabled | |
| 1408 | Default: true | |
| 1409 | ||
| 22b6722b JS |
1410 | flowlabel_reflect - BOOLEAN |
| 1411 | Automatically reflect the flow label. Needed for Path MTU | |
| 1412 | Discovery to work with Equal Cost Multipath Routing in anycast | |
| 1413 | environments. See RFC 7690 and: | |
| 1414 | https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01 | |
| 1415 | TRUE: enabled | |
| 1416 | FALSE: disabled | |
| 1417 | Default: FALSE | |
| 1418 | ||
| b4bac172 DA |
1419 | fib_multipath_hash_policy - INTEGER |
| 1420 | Controls which hash policy to use for multipath routes. | |
| 1421 | Default: 0 (Layer 3) | |
| 1422 | Possible values: | |
| 1423 | 0 - Layer 3 (source and destination addresses plus flow label) | |
| 1424 | 1 - Layer 4 (standard 5-tuple) | |
| 1425 | ||
| 509aba3b FLB |
1426 | anycast_src_echo_reply - BOOLEAN |
| 1427 | Controls the use of anycast addresses as source addresses for ICMPv6 | |
| 1428 | echo reply | |
| 1429 | TRUE: enabled | |
| 1430 | FALSE: disabled | |
| 1431 | Default: FALSE | |
| 1432 | ||
| 9f0761c1 HFS |
1433 | idgen_delay - INTEGER |
| 1434 | Controls the delay in seconds after which time to retry | |
| 1435 | privacy stable address generation if a DAD conflict is | |
| 1436 | detected. | |
| 1437 | Default: 1 (as specified in RFC7217) | |
| 1438 | ||
| 1439 | idgen_retries - INTEGER | |
| 1440 | Controls the number of retries to generate a stable privacy | |
| 1441 | address if a DAD conflict is detected. | |
| 1442 | Default: 3 (as specified in RFC7217) | |
| 1443 | ||
| 2f711939 HFS |
1444 | mld_qrv - INTEGER |
| 1445 | Controls the MLD query robustness variable (see RFC3810 9.1). | |
| 1446 | Default: 2 (as specified by RFC3810 9.1) | |
| 1447 | Minimum: 1 (as specified by RFC6636 4.5) | |
| 1448 | ||
| ab913455 | 1449 | max_dst_opts_number - INTEGER |
| 47d3d7ac TH |
1450 | Maximum number of non-padding TLVs allowed in a Destination |
| 1451 | options extension header. If this value is less than zero | |
| 1452 | then unknown options are disallowed and the number of known | |
| 1453 | TLVs allowed is the absolute value of this number. | |
| 1454 | Default: 8 | |
| 1455 | ||
| ab913455 | 1456 | max_hbh_opts_number - INTEGER |
| 47d3d7ac TH |
1457 | Maximum number of non-padding TLVs allowed in a Hop-by-Hop |
| 1458 | options extension header. If this value is less than zero | |
| 1459 | then unknown options are disallowed and the number of known | |
| 1460 | TLVs allowed is the absolute value of this number. | |
| 1461 | Default: 8 | |
| 1462 | ||
| ab913455 | 1463 | max_dst_opts_length - INTEGER |
| 47d3d7ac TH |
1464 | Maximum length allowed for a Destination options extension |
| 1465 | header. | |
| 1466 | Default: INT_MAX (unlimited) | |
| 1467 | ||
| ab913455 | 1468 | max_hbh_length - INTEGER |
| 47d3d7ac TH |
1469 | Maximum length allowed for a Hop-by-Hop options extension |
| 1470 | header. | |
| 1471 | Default: INT_MAX (unlimited) | |
| 1472 | ||
| 7c6bb7d2 DA |
1473 | skip_notify_on_dev_down - BOOLEAN |
| 1474 | Controls whether an RTM_DELROUTE message is generated for routes | |
| 1475 | removed when a device is taken down or deleted. IPv4 does not | |
| 1476 | generate this message; IPv6 does by default. Setting this sysctl | |
| 1477 | to true skips the message, making IPv4 and IPv6 on par in relying | |
| 1478 | on userspace caches to track link events and evict routes. | |
| 1479 | Default: false (generate message) | |
| 1480 | ||
| 1da177e4 LT |
1481 | IPv6 Fragmentation: |
| 1482 | ||
| 1483 | ip6frag_high_thresh - INTEGER | |
| e18f5feb | 1484 | Maximum memory used to reassemble IPv6 fragments. When |
| 1da177e4 LT |
1485 | ip6frag_high_thresh bytes of memory is allocated for this purpose, |
| 1486 | the fragment handler will toss packets until ip6frag_low_thresh | |
| 1487 | is reached. | |
| e18f5feb | 1488 | |
| 1da177e4 | 1489 | ip6frag_low_thresh - INTEGER |
| e18f5feb | 1490 | See ip6frag_high_thresh |
| 1da177e4 LT |
1491 | |
| 1492 | ip6frag_time - INTEGER | |
| 1493 | Time in seconds to keep an IPv6 fragment in memory. | |
| 1494 | ||
| a6dc6670 AA |
1495 | IPv6 Segment Routing: |
| 1496 | ||
| 1497 | seg6_flowlabel - INTEGER | |
| 1498 | Controls the behaviour of computing the flowlabel of outer | |
| 1499 | IPv6 header in case of SR T.encaps | |
| 1500 | ||
| 1501 | -1 set flowlabel to zero. | |
| 1502 | 0 copy flowlabel from Inner packet in case of Inner IPv6 | |
| 1503 | (Set flowlabel to 0 in case IPv4/L2) | |
| 1504 | 1 Compute the flowlabel using seg6_make_flowlabel() | |
| 1505 | ||
| 1506 | Default is 0. | |
| 1507 | ||
| 1da177e4 LT |
1508 | conf/default/*: |
| 1509 | Change the interface-specific default settings. | |
| 1510 | ||
| 1511 | ||
| 1512 | conf/all/*: | |
| e18f5feb | 1513 | Change all the interface-specific settings. |
| 1da177e4 LT |
1514 | |
| 1515 | [XXX: Other special features than forwarding?] | |
| 1516 | ||
| 1517 | conf/all/forwarding - BOOLEAN | |
| e18f5feb | 1518 | Enable global IPv6 forwarding between all interfaces. |
| 1da177e4 | 1519 | |
| e18f5feb | 1520 | IPv4 and IPv6 work differently here; e.g. netfilter must be used |
| 1da177e4 LT |
1521 | to control which interfaces may forward packets and which not. |
| 1522 | ||
| e18f5feb | 1523 | This also sets all interfaces' Host/Router setting |
| 1da177e4 LT |
1524 | 'forwarding' to the specified value. See below for details. |
| 1525 | ||
| 1526 | This referred to as global forwarding. | |
| 1527 | ||
| fbea49e1 YH |
1528 | proxy_ndp - BOOLEAN |
| 1529 | Do proxy ndp. | |
| 1530 | ||
| 219b5f29 LV |
1531 | fwmark_reflect - BOOLEAN |
| 1532 | Controls the fwmark of kernel-generated IPv6 reply packets that are not | |
| 1533 | associated with a socket for example, TCP RSTs or ICMPv6 echo replies). | |
| 1534 | If unset, these packets have a fwmark of zero. If set, they have the | |
| 1535 | fwmark of the packet they are replying to. | |
| 1536 | Default: 0 | |
| 1537 | ||
| 1da177e4 LT |
1538 | conf/interface/*: |
| 1539 | Change special settings per interface. | |
| 1540 | ||
| e18f5feb | 1541 | The functional behaviour for certain settings is different |
| 1da177e4 LT |
1542 | depending on whether local forwarding is enabled or not. |
| 1543 | ||
| 605b91c8 | 1544 | accept_ra - INTEGER |
| 1da177e4 | 1545 | Accept Router Advertisements; autoconfigure using them. |
| e18f5feb | 1546 | |
| 026359bc TA |
1547 | It also determines whether or not to transmit Router |
| 1548 | Solicitations. If and only if the functional setting is to | |
| 1549 | accept Router Advertisements, Router Solicitations will be | |
| 1550 | transmitted. | |
| 1551 | ||
| ae8abfa0 TG |
1552 | Possible values are: |
| 1553 | 0 Do not accept Router Advertisements. | |
| 1554 | 1 Accept Router Advertisements if forwarding is disabled. | |
| 1555 | 2 Overrule forwarding behaviour. Accept Router Advertisements | |
| 1556 | even if forwarding is enabled. | |
| 1557 | ||
| 1da177e4 LT |
1558 | Functional default: enabled if local forwarding is disabled. |
| 1559 | disabled if local forwarding is enabled. | |
| 1560 | ||
| 65f5c7c1 YH |
1561 | accept_ra_defrtr - BOOLEAN |
| 1562 | Learn default router in Router Advertisement. | |
| 1563 | ||
| 1564 | Functional default: enabled if accept_ra is enabled. | |
| 1565 | disabled if accept_ra is disabled. | |
| 1566 | ||
| d9333196 BG |
1567 | accept_ra_from_local - BOOLEAN |
| 1568 | Accept RA with source-address that is found on local machine | |
| 1569 | if the RA is otherwise proper and able to be accepted. | |
| 1570 | Default is to NOT accept these as it may be an un-intended | |
| 1571 | network loop. | |
| 1572 | ||
| 1573 | Functional default: | |
| 1574 | enabled if accept_ra_from_local is enabled | |
| 1575 | on a specific interface. | |
| 1576 | disabled if accept_ra_from_local is disabled | |
| 1577 | on a specific interface. | |
| 1578 | ||
| 8013d1d7 HL |
1579 | accept_ra_min_hop_limit - INTEGER |
| 1580 | Minimum hop limit Information in Router Advertisement. | |
| 1581 | ||
| 1582 | Hop limit Information in Router Advertisement less than this | |
| 1583 | variable shall be ignored. | |
| 1584 | ||
| 1585 | Default: 1 | |
| 1586 | ||
| c4fd30eb | 1587 | accept_ra_pinfo - BOOLEAN |
| 2fe0ae78 | 1588 | Learn Prefix Information in Router Advertisement. |
| c4fd30eb YH |
1589 | |
| 1590 | Functional default: enabled if accept_ra is enabled. | |
| 1591 | disabled if accept_ra is disabled. | |
| 1592 | ||
| bbea124b JS |
1593 | accept_ra_rt_info_min_plen - INTEGER |
| 1594 | Minimum prefix length of Route Information in RA. | |
| 1595 | ||
| 1596 | Route Information w/ prefix smaller than this variable shall | |
| 1597 | be ignored. | |
| 1598 | ||
| 1599 | Functional default: 0 if accept_ra_rtr_pref is enabled. | |
| 1600 | -1 if accept_ra_rtr_pref is disabled. | |
| 1601 | ||
| 09c884d4 YH |
1602 | accept_ra_rt_info_max_plen - INTEGER |
| 1603 | Maximum prefix length of Route Information in RA. | |
| 1604 | ||
| bbea124b JS |
1605 | Route Information w/ prefix larger than this variable shall |
| 1606 | be ignored. | |
| 09c884d4 YH |
1607 | |
| 1608 | Functional default: 0 if accept_ra_rtr_pref is enabled. | |
| 1609 | -1 if accept_ra_rtr_pref is disabled. | |
| 1610 | ||
| 930d6ff2 YH |
1611 | accept_ra_rtr_pref - BOOLEAN |
| 1612 | Accept Router Preference in RA. | |
| 1613 | ||
| 1614 | Functional default: enabled if accept_ra is enabled. | |
| 1615 | disabled if accept_ra is disabled. | |
| 1616 | ||
| c2943f14 HH |
1617 | accept_ra_mtu - BOOLEAN |
| 1618 | Apply the MTU value specified in RA option 5 (RFC4861). If | |
| 1619 | disabled, the MTU specified in the RA will be ignored. | |
| 1620 | ||
| 1621 | Functional default: enabled if accept_ra is enabled. | |
| 1622 | disabled if accept_ra is disabled. | |
| 1623 | ||
| 1da177e4 LT |
1624 | accept_redirects - BOOLEAN |
| 1625 | Accept Redirects. | |
| 1626 | ||
| 1627 | Functional default: enabled if local forwarding is disabled. | |
| 1628 | disabled if local forwarding is enabled. | |
| 1629 | ||
| 0bcbc926 YH |
1630 | accept_source_route - INTEGER |
| 1631 | Accept source routing (routing extension header). | |
| 1632 | ||
| bb4dbf9e | 1633 | >= 0: Accept only routing header type 2. |
| 0bcbc926 YH |
1634 | < 0: Do not accept routing header. |
| 1635 | ||
| 1636 | Default: 0 | |
| 1637 | ||
| 1da177e4 | 1638 | autoconf - BOOLEAN |
| e18f5feb | 1639 | Autoconfigure addresses using Prefix Information in Router |
| 1da177e4 LT |
1640 | Advertisements. |
| 1641 | ||
| c4fd30eb YH |
1642 | Functional default: enabled if accept_ra_pinfo is enabled. |
| 1643 | disabled if accept_ra_pinfo is disabled. | |
| 1da177e4 LT |
1644 | |
| 1645 | dad_transmits - INTEGER | |
| 1646 | The amount of Duplicate Address Detection probes to send. | |
| 1647 | Default: 1 | |
| e18f5feb | 1648 | |
| 605b91c8 | 1649 | forwarding - INTEGER |
| e18f5feb | 1650 | Configure interface-specific Host/Router behaviour. |
| 1da177e4 | 1651 | |
| e18f5feb | 1652 | Note: It is recommended to have the same setting on all |
| 1da177e4 LT |
1653 | interfaces; mixed router/host scenarios are rather uncommon. |
| 1654 | ||
| ae8abfa0 TG |
1655 | Possible values are: |
| 1656 | 0 Forwarding disabled | |
| 1657 | 1 Forwarding enabled | |
| ae8abfa0 TG |
1658 | |
| 1659 | FALSE (0): | |
| 1da177e4 LT |
1660 | |
| 1661 | By default, Host behaviour is assumed. This means: | |
| 1662 | ||
| 1663 | 1. IsRouter flag is not set in Neighbour Advertisements. | |
| 026359bc TA |
1664 | 2. If accept_ra is TRUE (default), transmit Router |
| 1665 | Solicitations. | |
| e18f5feb | 1666 | 3. If accept_ra is TRUE (default), accept Router |
| 1da177e4 LT |
1667 | Advertisements (and do autoconfiguration). |
| 1668 | 4. If accept_redirects is TRUE (default), accept Redirects. | |
| 1669 | ||
| ae8abfa0 | 1670 | TRUE (1): |
| 1da177e4 | 1671 | |
| e18f5feb | 1672 | If local forwarding is enabled, Router behaviour is assumed. |
| 1da177e4 LT |
1673 | This means exactly the reverse from the above: |
| 1674 | ||
| 1675 | 1. IsRouter flag is set in Neighbour Advertisements. | |
| 026359bc | 1676 | 2. Router Solicitations are not sent unless accept_ra is 2. |
| ae8abfa0 | 1677 | 3. Router Advertisements are ignored unless accept_ra is 2. |
| 1da177e4 LT |
1678 | 4. Redirects are ignored. |
| 1679 | ||
| ae8abfa0 TG |
1680 | Default: 0 (disabled) if global forwarding is disabled (default), |
| 1681 | otherwise 1 (enabled). | |
| 1da177e4 LT |
1682 | |
| 1683 | hop_limit - INTEGER | |
| 1684 | Default Hop Limit to set. | |
| 1685 | Default: 64 | |
| 1686 | ||
| 1687 | mtu - INTEGER | |
| 1688 | Default Maximum Transfer Unit | |
| 1689 | Default: 1280 (IPv6 required minimum) | |
| 1690 | ||
| 35a256fe TH |
1691 | ip_nonlocal_bind - BOOLEAN |
| 1692 | If set, allows processes to bind() to non-local IPv6 addresses, | |
| 1693 | which can be quite useful - but may break some applications. | |
| 1694 | Default: 0 | |
| 1695 | ||
| 52e16356 YH |
1696 | router_probe_interval - INTEGER |
| 1697 | Minimum interval (in seconds) between Router Probing described | |
| 1698 | in RFC4191. | |
| 1699 | ||
| 1700 | Default: 60 | |
| 1701 | ||
| 1da177e4 LT |
1702 | router_solicitation_delay - INTEGER |
| 1703 | Number of seconds to wait after interface is brought up | |
| 1704 | before sending Router Solicitations. | |
| 1705 | Default: 1 | |
| 1706 | ||
| 1707 | router_solicitation_interval - INTEGER | |
| 1708 | Number of seconds to wait between Router Solicitations. | |
| 1709 | Default: 4 | |
| 1710 | ||
| 1711 | router_solicitations - INTEGER | |
| e18f5feb | 1712 | Number of Router Solicitations to send until assuming no |
| 1da177e4 LT |
1713 | routers are present. |
| 1714 | Default: 3 | |
| 1715 | ||
| 3985e8a3 EK |
1716 | use_oif_addrs_only - BOOLEAN |
| 1717 | When enabled, the candidate source addresses for destinations | |
| 1718 | routed via this interface are restricted to the set of addresses | |
| 1719 | configured on this interface (vis. RFC 6724, section 4). | |
| 1720 | ||
| 1721 | Default: false | |
| 1722 | ||
| 1da177e4 LT |
1723 | use_tempaddr - INTEGER |
| 1724 | Preference for Privacy Extensions (RFC3041). | |
| 1725 | <= 0 : disable Privacy Extensions | |
| 1726 | == 1 : enable Privacy Extensions, but prefer public | |
| 1727 | addresses over temporary addresses. | |
| 1728 | > 1 : enable Privacy Extensions and prefer temporary | |
| 1729 | addresses over public addresses. | |
| 1730 | Default: 0 (for most devices) | |
| 1731 | -1 (for point-to-point devices and loopback devices) | |
| 1732 | ||
| 1733 | temp_valid_lft - INTEGER | |
| 1734 | valid lifetime (in seconds) for temporary addresses. | |
| 1735 | Default: 604800 (7 days) | |
| 1736 | ||
| 1737 | temp_prefered_lft - INTEGER | |
| 1738 | Preferred lifetime (in seconds) for temporary addresses. | |
| 1739 | Default: 86400 (1 day) | |
| 1740 | ||
| f1705ec1 DA |
1741 | keep_addr_on_down - INTEGER |
| 1742 | Keep all IPv6 addresses on an interface down event. If set static | |
| 1743 | global addresses with no expiration time are not flushed. | |
| 1744 | >0 : enabled | |
| 1745 | 0 : system default | |
| 1746 | <0 : disabled | |
| 1747 | ||
| 1748 | Default: 0 (addresses are removed) | |
| 1749 | ||
| 1da177e4 LT |
1750 | max_desync_factor - INTEGER |
| 1751 | Maximum value for DESYNC_FACTOR, which is a random value | |
| e18f5feb | 1752 | that ensures that clients don't synchronize with each |
| 1da177e4 LT |
1753 | other and generate new addresses at exactly the same time. |
| 1754 | value is in seconds. | |
| 1755 | Default: 600 | |
| e18f5feb | 1756 | |
| 1da177e4 LT |
1757 | regen_max_retry - INTEGER |
| 1758 | Number of attempts before give up attempting to generate | |
| 1759 | valid temporary addresses. | |
| 1760 | Default: 5 | |
| 1761 | ||
| 1762 | max_addresses - INTEGER | |
| e79dc484 BH |
1763 | Maximum number of autoconfigured addresses per interface. Setting |
| 1764 | to zero disables the limitation. It is not recommended to set this | |
| 1765 | value too large (or to zero) because it would be an easy way to | |
| 1766 | crash the kernel by allowing too many addresses to be created. | |
| 1da177e4 LT |
1767 | Default: 16 |
| 1768 | ||
| 778d80be | 1769 | disable_ipv6 - BOOLEAN |
| 9bdd8d40 BH |
1770 | Disable IPv6 operation. If accept_dad is set to 2, this value |
| 1771 | will be dynamically set to TRUE if DAD fails for the link-local | |
| 1772 | address. | |
| 778d80be YH |
1773 | Default: FALSE (enable IPv6 operation) |
| 1774 | ||
| 56d417b1 BH |
1775 | When this value is changed from 1 to 0 (IPv6 is being enabled), |
| 1776 | it will dynamically create a link-local address on the given | |
| 1777 | interface and start Duplicate Address Detection, if necessary. | |
| 1778 | ||
| 1779 | When this value is changed from 0 to 1 (IPv6 is being disabled), | |
| 2f0aaf7f LB |
1780 | it will dynamically delete all addresses and routes on the given |
| 1781 | interface. From now on it will not possible to add addresses/routes | |
| 1782 | to the selected interface. | |
| 56d417b1 | 1783 | |
| 1b34be74 YH |
1784 | accept_dad - INTEGER |
| 1785 | Whether to accept DAD (Duplicate Address Detection). | |
| 1786 | 0: Disable DAD | |
| 1787 | 1: Enable DAD (default) | |
| 1788 | 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate | |
| 1789 | link-local address has been found. | |
| 1790 | ||
| 35e015e1 MC |
1791 | DAD operation and mode on a given interface will be selected according |
| 1792 | to the maximum value of conf/{all,interface}/accept_dad. | |
| 1793 | ||
| f7734fdf OP |
1794 | force_tllao - BOOLEAN |
| 1795 | Enable sending the target link-layer address option even when | |
| 1796 | responding to a unicast neighbor solicitation. | |
| 1797 | Default: FALSE | |
| 1798 | ||
| 1799 | Quoting from RFC 2461, section 4.4, Target link-layer address: | |
| 1800 | ||
| 1801 | "The option MUST be included for multicast solicitations in order to | |
| 1802 | avoid infinite Neighbor Solicitation "recursion" when the peer node | |
| 1803 | does not have a cache entry to return a Neighbor Advertisements | |
| 1804 | message. When responding to unicast solicitations, the option can be | |
| 1805 | omitted since the sender of the solicitation has the correct link- | |
| 1806 | layer address; otherwise it would not have be able to send the unicast | |
| 1807 | solicitation in the first place. However, including the link-layer | |
| 1808 | address in this case adds little overhead and eliminates a potential | |
| 1809 | race condition where the sender deletes the cached link-layer address | |
| 1810 | prior to receiving a response to a previous solicitation." | |
| 1811 | ||
| db2b620a HFS |
1812 | ndisc_notify - BOOLEAN |
| 1813 | Define mode for notification of address and device changes. | |
| 1814 | 0 - (default): do nothing | |
| 1815 | 1 - Generate unsolicited neighbour advertisements when device is brought | |
| 1816 | up or hardware address changes. | |
| 1817 | ||
| 2210d6b2 MŻ |
1818 | ndisc_tclass - INTEGER |
| 1819 | The IPv6 Traffic Class to use by default when sending IPv6 Neighbor | |
| 1820 | Discovery (Router Solicitation, Router Advertisement, Neighbor | |
| 1821 | Solicitation, Neighbor Advertisement, Redirect) messages. | |
| 1822 | These 8 bits can be interpreted as 6 high order bits holding the DSCP | |
| 1823 | value and 2 low order bits representing ECN (which you probably want | |
| 1824 | to leave cleared). | |
| 1825 | 0 - (default) | |
| 1826 | ||
| fc4eba58 HFS |
1827 | mldv1_unsolicited_report_interval - INTEGER |
| 1828 | The interval in milliseconds in which the next unsolicited | |
| 1829 | MLDv1 report retransmit will take place. | |
| 1830 | Default: 10000 (10 seconds) | |
| 1831 | ||
| 1832 | mldv2_unsolicited_report_interval - INTEGER | |
| 1833 | The interval in milliseconds in which the next unsolicited | |
| 1834 | MLDv2 report retransmit will take place. | |
| 1835 | Default: 1000 (1 second) | |
| 1836 | ||
| f2127810 DB |
1837 | force_mld_version - INTEGER |
| 1838 | 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed | |
| 1839 | 1 - Enforce to use MLD version 1 | |
| 1840 | 2 - Enforce to use MLD version 2 | |
| 1841 | ||
| b800c3b9 HFS |
1842 | suppress_frag_ndisc - INTEGER |
| 1843 | Control RFC 6980 (Security Implications of IPv6 Fragmentation | |
| 1844 | with IPv6 Neighbor Discovery) behavior: | |
| 1845 | 1 - (default) discard fragmented neighbor discovery packets | |
| 1846 | 0 - allow fragmented neighbor discovery packets | |
| 1847 | ||
| 7fd2561e EK |
1848 | optimistic_dad - BOOLEAN |
| 1849 | Whether to perform Optimistic Duplicate Address Detection (RFC 4429). | |
| 35e015e1 MC |
1850 | 0: disabled (default) |
| 1851 | 1: enabled | |
| 1852 | ||
| 1853 | Optimistic Duplicate Address Detection for the interface will be enabled | |
| 1854 | if at least one of conf/{all,interface}/optimistic_dad is set to 1, | |
| 1855 | it will be disabled otherwise. | |
| 7fd2561e EK |
1856 | |
| 1857 | use_optimistic - BOOLEAN | |
| 1858 | If enabled, do not classify optimistic addresses as deprecated during | |
| 1859 | source address selection. Preferred addresses will still be chosen | |
| 1860 | before optimistic addresses, subject to other ranking in the source | |
| 1861 | address selection algorithm. | |
| 35e015e1 MC |
1862 | 0: disabled (default) |
| 1863 | 1: enabled | |
| 1864 | ||
| 1865 | This will be enabled if at least one of | |
| 1866 | conf/{all,interface}/use_optimistic is set to 1, disabled otherwise. | |
| 7fd2561e | 1867 | |
| 9f0761c1 HFS |
1868 | stable_secret - IPv6 address |
| 1869 | This IPv6 address will be used as a secret to generate IPv6 | |
| 1870 | addresses for link-local addresses and autoconfigured | |
| 1871 | ones. All addresses generated after setting this secret will | |
| 1872 | be stable privacy ones by default. This can be changed via the | |
| 1873 | addrgenmode ip-link. conf/default/stable_secret is used as the | |
| 1874 | secret for the namespace, the interface specific ones can | |
| 1875 | overwrite that. Writes to conf/all/stable_secret are refused. | |
| 1876 | ||
| 1877 | It is recommended to generate this secret during installation | |
| 1878 | of a system and keep it stable after that. | |
| 1879 | ||
| 1880 | By default the stable secret is unset. | |
| 1881 | ||
| f168db5e SD |
1882 | addr_gen_mode - INTEGER |
| 1883 | Defines how link-local and autoconf addresses are generated. | |
| 1884 | ||
| 1885 | 0: generate address based on EUI64 (default) | |
| 1886 | 1: do no generate a link-local address, use EUI64 for addresses generated | |
| 1887 | from autoconf | |
| 1888 | 2: generate stable privacy addresses, using the secret from | |
| 1889 | stable_secret (RFC7217) | |
| 1890 | 3: generate stable privacy addresses, using a random secret if unset | |
| 1891 | ||
| abbc3043 JB |
1892 | drop_unicast_in_l2_multicast - BOOLEAN |
| 1893 | Drop any unicast IPv6 packets that are received in link-layer | |
| 1894 | multicast (or broadcast) frames. | |
| 1895 | ||
| 1896 | By default this is turned off. | |
| 1897 | ||
| 7a02bf89 JB |
1898 | drop_unsolicited_na - BOOLEAN |
| 1899 | Drop all unsolicited neighbor advertisements, for example if there's | |
| 1900 | a known good NA proxy on the network and such frames need not be used | |
| 1901 | (or in the case of 802.11, must not be used to prevent attacks.) | |
| 1902 | ||
| 1903 | By default this is turned off. | |
| 1904 | ||
| adc176c5 EN |
1905 | enhanced_dad - BOOLEAN |
| 1906 | Include a nonce option in the IPv6 neighbor solicitation messages used for | |
| 1907 | duplicate address detection per RFC7527. A received DAD NS will only signal | |
| 1908 | a duplicate address if the nonce is different. This avoids any false | |
| 1909 | detection of duplicates due to loopback of the NS messages that we send. | |
| 1910 | The nonce option will be sent on an interface unless both of | |
| 1911 | conf/{all,interface}/enhanced_dad are set to FALSE. | |
| 1912 | Default: TRUE | |
| 1913 | ||
| 1da177e4 LT |
1914 | icmp/*: |
| 1915 | ratelimit - INTEGER | |
| 1916 | Limit the maximal rates for sending ICMPv6 packets. | |
| 6dbf4bca SH |
1917 | 0 to disable any limiting, |
| 1918 | otherwise the minimal space between responses in milliseconds. | |
| 1919 | Default: 1000 | |
| 1da177e4 | 1920 | |
| e6f86b0f VJ |
1921 | echo_ignore_all - BOOLEAN |
| 1922 | If set non-zero, then the kernel will ignore all ICMP ECHO | |
| 1923 | requests sent to it over the IPv6 protocol. | |
| 1924 | Default: 0 | |
| 1925 | ||
| 03f1eccc SS |
1926 | echo_ignore_multicast - BOOLEAN |
| 1927 | If set non-zero, then the kernel will ignore all ICMP ECHO | |
| 1928 | requests sent to it over the IPv6 protocol via multicast. | |
| 1929 | Default: 0 | |
| 1930 | ||
| 0b03a5ca SS |
1931 | echo_ignore_anycast - BOOLEAN |
| 1932 | If set non-zero, then the kernel will ignore all ICMP ECHO | |
| 1933 | requests sent to it over the IPv6 protocol destined to anycast address. | |
| 1934 | Default: 0 | |
| 1935 | ||
| e69948a0 AD |
1936 | xfrm6_gc_thresh - INTEGER |
| 1937 | The threshold at which we will start garbage collecting for IPv6 | |
| 1938 | destination cache entries. At twice this value the system will | |
| 3c2a89dd | 1939 | refuse new allocations. |
| e69948a0 | 1940 | |
| 1da177e4 LT |
1941 | |
| 1942 | IPv6 Update by: | |
| 1943 | Pekka Savola <pekkas@netcore.fi> | |
| 1944 | YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> | |
| 1945 | ||
| 1946 | ||
| 1947 | /proc/sys/net/bridge/* Variables: | |
| 1948 | ||
| 1949 | bridge-nf-call-arptables - BOOLEAN | |
| 1950 | 1 : pass bridged ARP traffic to arptables' FORWARD chain. | |
| 1951 | 0 : disable this. | |
| 1952 | Default: 1 | |
| 1953 | ||
| 1954 | bridge-nf-call-iptables - BOOLEAN | |
| 1955 | 1 : pass bridged IPv4 traffic to iptables' chains. | |
| 1956 | 0 : disable this. | |
| 1957 | Default: 1 | |
| 1958 | ||
| 1959 | bridge-nf-call-ip6tables - BOOLEAN | |
| 1960 | 1 : pass bridged IPv6 traffic to ip6tables' chains. | |
| 1961 | 0 : disable this. | |
| 1962 | Default: 1 | |
| 1963 | ||
| 1964 | bridge-nf-filter-vlan-tagged - BOOLEAN | |
| 516299d2 MM |
1965 | 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. |
| 1966 | 0 : disable this. | |
| 4981682c | 1967 | Default: 0 |
| 516299d2 MM |
1968 | |
| 1969 | bridge-nf-filter-pppoe-tagged - BOOLEAN | |
| 1970 | 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. | |
| 1da177e4 | 1971 | 0 : disable this. |
| 4981682c | 1972 | Default: 0 |
| 1da177e4 | 1973 | |
| 4981682c PNA |
1974 | bridge-nf-pass-vlan-input-dev - BOOLEAN |
| 1975 | 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan | |
| 1976 | interface on the bridge and set the netfilter input device to the vlan. | |
| 1977 | This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT | |
| 1978 | target work with vlan-on-top-of-bridge interfaces. When no matching | |
| 1979 | vlan interface is found, or this switch is off, the input device is | |
| 1980 | set to the bridge interface. | |
| 1981 | 0: disable bridge netfilter vlan interface lookup. | |
| 1982 | Default: 0 | |
| 1da177e4 | 1983 | |
| 32e8d494 VY |
1984 | proc/sys/net/sctp/* Variables: |
| 1985 | ||
| 1986 | addip_enable - BOOLEAN | |
| 1987 | Enable or disable extension of Dynamic Address Reconfiguration | |
| 1988 | (ADD-IP) functionality specified in RFC5061. This extension provides | |
| 1989 | the ability to dynamically add and remove new addresses for the SCTP | |
| 1990 | associations. | |
| 1991 | ||
| 1992 | 1: Enable extension. | |
| 1993 | ||
| 1994 | 0: Disable extension. | |
| 1995 | ||
| 1996 | Default: 0 | |
| 1997 | ||
| 566178f8 ZY |
1998 | pf_enable - INTEGER |
| 1999 | Enable or disable pf (pf is short for potentially failed) state. A value | |
| 2000 | of pf_retrans > path_max_retrans also disables pf state. That is, one of | |
| 2001 | both pf_enable and pf_retrans > path_max_retrans can disable pf state. | |
| 2002 | Since pf_retrans and path_max_retrans can be changed by userspace | |
| 2003 | application, sometimes user expects to disable pf state by the value of | |
| 2004 | pf_retrans > path_max_retrans, but occasionally the value of pf_retrans | |
| 2005 | or path_max_retrans is changed by the user application, this pf state is | |
| 2006 | enabled. As such, it is necessary to add this to dynamically enable | |
| 2007 | and disable pf state. See: | |
| 2008 | https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for | |
| 2009 | details. | |
| 2010 | ||
| 2011 | 1: Enable pf. | |
| 2012 | ||
| 2013 | 0: Disable pf. | |
| 2014 | ||
| 2015 | Default: 1 | |
| 2016 | ||
| 32e8d494 VY |
2017 | addip_noauth_enable - BOOLEAN |
| 2018 | Dynamic Address Reconfiguration (ADD-IP) requires the use of | |
| 2019 | authentication to protect the operations of adding or removing new | |
| 2020 | addresses. This requirement is mandated so that unauthorized hosts | |
| 2021 | would not be able to hijack associations. However, older | |
| 2022 | implementations may not have implemented this requirement while | |
| 2023 | allowing the ADD-IP extension. For reasons of interoperability, | |
| 2024 | we provide this variable to control the enforcement of the | |
| 2025 | authentication requirement. | |
| 2026 | ||
| 2027 | 1: Allow ADD-IP extension to be used without authentication. This | |
| 2028 | should only be set in a closed environment for interoperability | |
| 2029 | with older implementations. | |
| 2030 | ||
| 2031 | 0: Enforce the authentication requirement | |
| 2032 | ||
| 2033 | Default: 0 | |
| 2034 | ||
| 2035 | auth_enable - BOOLEAN | |
| 2036 | Enable or disable Authenticated Chunks extension. This extension | |
| 2037 | provides the ability to send and receive authenticated chunks and is | |
| 2038 | required for secure operation of Dynamic Address Reconfiguration | |
| 2039 | (ADD-IP) extension. | |
| 2040 | ||
| 2041 | 1: Enable this extension. | |
| 2042 | 0: Disable this extension. | |
| 2043 | ||
| 2044 | Default: 0 | |
| 2045 | ||
| 2046 | prsctp_enable - BOOLEAN | |
| 2047 | Enable or disable the Partial Reliability extension (RFC3758) which | |
| 2048 | is used to notify peers that a given DATA should no longer be expected. | |
| 2049 | ||
| 2050 | 1: Enable extension | |
| 2051 | 0: Disable | |
| 2052 | ||
| 2053 | Default: 1 | |
| 2054 | ||
| 2055 | max_burst - INTEGER | |
| 2056 | The limit of the number of new packets that can be initially sent. It | |
| 2057 | controls how bursty the generated traffic can be. | |
| 2058 | ||
| 2059 | Default: 4 | |
| 2060 | ||
| 2061 | association_max_retrans - INTEGER | |
| 2062 | Set the maximum number for retransmissions that an association can | |
| 2063 | attempt deciding that the remote end is unreachable. If this value | |
| 2064 | is exceeded, the association is terminated. | |
| 2065 | ||
| 2066 | Default: 10 | |
| 2067 | ||
| 2068 | max_init_retransmits - INTEGER | |
| 2069 | The maximum number of retransmissions of INIT and COOKIE-ECHO chunks | |
| 2070 | that an association will attempt before declaring the destination | |
| 2071 | unreachable and terminating. | |
| 2072 | ||
| 2073 | Default: 8 | |
| 2074 | ||
| 2075 | path_max_retrans - INTEGER | |
| 2076 | The maximum number of retransmissions that will be attempted on a given | |
| 2077 | path. Once this threshold is exceeded, the path is considered | |
| 2078 | unreachable, and new traffic will use a different path when the | |
| 2079 | association is multihomed. | |
| 2080 | ||
| 2081 | Default: 5 | |
| 2082 | ||
| 5aa93bcf NH |
2083 | pf_retrans - INTEGER |
| 2084 | The number of retransmissions that will be attempted on a given path | |
| 2085 | before traffic is redirected to an alternate transport (should one | |
| 2086 | exist). Note this is distinct from path_max_retrans, as a path that | |
| 2087 | passes the pf_retrans threshold can still be used. Its only | |
| 2088 | deprioritized when a transmission path is selected by the stack. This | |
| 2089 | setting is primarily used to enable fast failover mechanisms without | |
| 2090 | having to reduce path_max_retrans to a very low value. See: | |
| 2091 | http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt | |
| 2092 | for details. Note also that a value of pf_retrans > path_max_retrans | |
| 566178f8 ZY |
2093 | disables this feature. Since both pf_retrans and path_max_retrans can |
| 2094 | be changed by userspace application, a variable pf_enable is used to | |
| 2095 | disable pf state. | |
| 5aa93bcf NH |
2096 | |
| 2097 | Default: 0 | |
| 2098 | ||
| 32e8d494 VY |
2099 | rto_initial - INTEGER |
| 2100 | The initial round trip timeout value in milliseconds that will be used | |
| 2101 | in calculating round trip times. This is the initial time interval | |
| 2102 | for retransmissions. | |
| 2103 | ||
| 2104 | Default: 3000 | |
| 1da177e4 | 2105 | |
| 32e8d494 VY |
2106 | rto_max - INTEGER |
| 2107 | The maximum value (in milliseconds) of the round trip timeout. This | |
| 2108 | is the largest time interval that can elapse between retransmissions. | |
| 2109 | ||
| 2110 | Default: 60000 | |
| 2111 | ||
| 2112 | rto_min - INTEGER | |
| 2113 | The minimum value (in milliseconds) of the round trip timeout. This | |
| 2114 | is the smallest time interval the can elapse between retransmissions. | |
| 2115 | ||
| 2116 | Default: 1000 | |
| 2117 | ||
| 2118 | hb_interval - INTEGER | |
| 2119 | The interval (in milliseconds) between HEARTBEAT chunks. These chunks | |
| 2120 | are sent at the specified interval on idle paths to probe the state of | |
| 2121 | a given path between 2 associations. | |
| 2122 | ||
| 2123 | Default: 30000 | |
| 2124 | ||
| 2125 | sack_timeout - INTEGER | |
| 2126 | The amount of time (in milliseconds) that the implementation will wait | |
| 2127 | to send a SACK. | |
| 2128 | ||
| 2129 | Default: 200 | |
| 2130 | ||
| 2131 | valid_cookie_life - INTEGER | |
| 2132 | The default lifetime of the SCTP cookie (in milliseconds). The cookie | |
| 2133 | is used during association establishment. | |
| 2134 | ||
| 2135 | Default: 60000 | |
| 2136 | ||
| 2137 | cookie_preserve_enable - BOOLEAN | |
| 2138 | Enable or disable the ability to extend the lifetime of the SCTP cookie | |
| 2139 | that is used during the establishment phase of SCTP association | |
| 2140 | ||
| 2141 | 1: Enable cookie lifetime extension. | |
| 2142 | 0: Disable | |
| 2143 | ||
| 2144 | Default: 1 | |
| 2145 | ||
| 3c68198e NH |
2146 | cookie_hmac_alg - STRING |
| 2147 | Select the hmac algorithm used when generating the cookie value sent by | |
| 2148 | a listening sctp socket to a connecting client in the INIT-ACK chunk. | |
| 2149 | Valid values are: | |
| 2150 | * md5 | |
| 2151 | * sha1 | |
| 2152 | * none | |
| 2153 | Ability to assign md5 or sha1 as the selected alg is predicated on the | |
| 3b09adcb | 2154 | configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and |
| 3c68198e NH |
2155 | CONFIG_CRYPTO_SHA1). |
| 2156 | ||
| 2157 | Default: Dependent on configuration. MD5 if available, else SHA1 if | |
| 2158 | available, else none. | |
| 2159 | ||
| 32e8d494 VY |
2160 | rcvbuf_policy - INTEGER |
| 2161 | Determines if the receive buffer is attributed to the socket or to | |
| 2162 | association. SCTP supports the capability to create multiple | |
| 2163 | associations on a single socket. When using this capability, it is | |
| 2164 | possible that a single stalled association that's buffering a lot | |
| 2165 | of data may block other associations from delivering their data by | |
| 2166 | consuming all of the receive buffer space. To work around this, | |
| 2167 | the rcvbuf_policy could be set to attribute the receiver buffer space | |
| 2168 | to each association instead of the socket. This prevents the described | |
| 2169 | blocking. | |
| 2170 | ||
| 2171 | 1: rcvbuf space is per association | |
| 3b09adcb | 2172 | 0: rcvbuf space is per socket |
| 32e8d494 VY |
2173 | |
| 2174 | Default: 0 | |
| 2175 | ||
| 2176 | sndbuf_policy - INTEGER | |
| 2177 | Similar to rcvbuf_policy above, this applies to send buffer space. | |
| 2178 | ||
| 2179 | 1: Send buffer is tracked per association | |
| 2180 | 0: Send buffer is tracked per socket. | |
| 2181 | ||
| 2182 | Default: 0 | |
| 2183 | ||
| 2184 | sctp_mem - vector of 3 INTEGERs: min, pressure, max | |
| 2185 | Number of pages allowed for queueing by all SCTP sockets. | |
| 2186 | ||
| 2187 | min: Below this number of pages SCTP is not bothered about its | |
| 2188 | memory appetite. When amount of memory allocated by SCTP exceeds | |
| 2189 | this number, SCTP starts to moderate memory usage. | |
| 2190 | ||
| 2191 | pressure: This value was introduced to follow format of tcp_mem. | |
| 2192 | ||
| 2193 | max: Number of pages allowed for queueing by all SCTP sockets. | |
| 2194 | ||
| 2195 | Default is calculated at boot time from amount of available memory. | |
| 2196 | ||
| 2197 | sctp_rmem - vector of 3 INTEGERs: min, default, max | |
| a6e1204b MM |
2198 | Only the first value ("min") is used, "default" and "max" are |
| 2199 | ignored. | |
| 2200 | ||
| 2201 | min: Minimal size of receive buffer used by SCTP socket. | |
| 2202 | It is guaranteed to each SCTP socket (but not association) even | |
| 2203 | under moderate memory pressure. | |
| 2204 | ||
| 320bd6de | 2205 | Default: 4K |
| 32e8d494 VY |
2206 | |
| 2207 | sctp_wmem - vector of 3 INTEGERs: min, default, max | |
| a6e1204b | 2208 | Currently this tunable has no effect. |
| 32e8d494 | 2209 | |
| 72388433 BD |
2210 | addr_scope_policy - INTEGER |
| 2211 | Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 | |
| 2212 | ||
| 2213 | 0 - Disable IPv4 address scoping | |
| 2214 | 1 - Enable IPv4 address scoping | |
| 2215 | 2 - Follow draft but allow IPv4 private addresses | |
| 2216 | 3 - Follow draft but allow IPv4 link local addresses | |
| 2217 | ||
| 2218 | Default: 1 | |
| 2219 | ||
| 1da177e4 | 2220 | |
| 4edc2f34 | 2221 | /proc/sys/net/core/* |
| c60f6aa8 | 2222 | Please see: Documentation/sysctl/net.txt for descriptions of these entries. |
| 705efc3b | 2223 | |
| 4edc2f34 SH |
2224 | |
| 2225 | /proc/sys/net/unix/* | |
| 705efc3b WT |
2226 | max_dgram_qlen - INTEGER |
| 2227 | The maximum length of dgram socket receive queue | |
| 2228 | ||
| 2229 | Default: 10 | |
| 2230 |