Diffstat (limited to 'Documentation/networking/ip-sysctl.txt')
-rw-r--r-- | Documentation/networking/ip-sysctl.txt | 118 |
1 files changed, 59 insertions, 59 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index e0b8c2c61710..7185e4c41e59 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt | |||
@@ -2,7 +2,7 @@ | |||
2 | 2 | ||
3 | ip_forward - BOOLEAN | 3 | ip_forward - BOOLEAN |
4 | 0 - disabled (default) | 4 | 0 - disabled (default) |
5 | not 0 - enabled | 5 | not 0 - enabled |
6 | 6 | ||
7 | Forward Packets between interfaces. | 7 | Forward Packets between interfaces. |
8 | 8 | ||
@@ -36,49 +36,49 @@ rt_cache_rebuild_count - INTEGER | |||
36 | IP Fragmentation: | 36 | IP Fragmentation: |
37 | 37 | ||
38 | ipfrag_high_thresh - INTEGER | 38 | ipfrag_high_thresh - INTEGER |
39 | Maximum memory used to reassemble IP fragments. When | 39 | Maximum memory used to reassemble IP fragments. When |
40 | ipfrag_high_thresh bytes of memory is allocated for this purpose, | 40 | ipfrag_high_thresh bytes of memory is allocated for this purpose, |
41 | the fragment handler will toss packets until ipfrag_low_thresh | 41 | the fragment handler will toss packets until ipfrag_low_thresh |
42 | is reached. | 42 | is reached. |
43 | 43 | ||
44 | ipfrag_low_thresh - INTEGER | 44 | ipfrag_low_thresh - INTEGER |
45 | See ipfrag_high_thresh | 45 | See ipfrag_high_thresh |
46 | 46 | ||
47 | ipfrag_time - INTEGER | 47 | ipfrag_time - INTEGER |
48 | Time in seconds to keep an IP fragment in memory. | 48 | Time in seconds to keep an IP fragment in memory. |
49 | 49 | ||
50 | ipfrag_secret_interval - INTEGER | 50 | ipfrag_secret_interval - INTEGER |
51 | Regeneration interval (in seconds) of the hash secret (or lifetime | 51 | Regeneration interval (in seconds) of the hash secret (or lifetime |
52 | for the hash secret) for IP fragments. | 52 | for the hash secret) for IP fragments. |
53 | Default: 600 | 53 | Default: 600 |
54 | 54 | ||
55 | ipfrag_max_dist - INTEGER | 55 | ipfrag_max_dist - INTEGER |
56 | ipfrag_max_dist is a non-negative integer value which defines the | 56 | ipfrag_max_dist is a non-negative integer value which defines the |
57 | maximum "disorder" which is allowed among fragments which share a | 57 | maximum "disorder" which is allowed among fragments which share a |
58 | common IP source address. Note that reordering of packets is | 58 | common IP source address. Note that reordering of packets is |
59 | not unusual, but if a large number of fragments arrive from a source | 59 | not unusual, but if a large number of fragments arrive from a source |
60 | IP address while a particular fragment queue remains incomplete, it | 60 | IP address while a particular fragment queue remains incomplete, it |
61 | probably indicates that one or more fragments belonging to that queue | 61 | probably indicates that one or more fragments belonging to that queue |
62 | have been lost. When ipfrag_max_dist is positive, an additional check | 62 | have been lost. When ipfrag_max_dist is positive, an additional check |
63 | is done on fragments before they are added to a reassembly queue - if | 63 | is done on fragments before they are added to a reassembly queue - if |
64 | ipfrag_max_dist (or more) fragments have arrived from a particular IP | 64 | ipfrag_max_dist (or more) fragments have arrived from a particular IP |
65 | address between additions to any IP fragment queue using that source | 65 | address between additions to any IP fragment queue using that source |
66 | address, it's presumed that one or more fragments in the queue are | 66 | address, it's presumed that one or more fragments in the queue are |
67 | lost. The existing fragment queue will be dropped, and a new one | 67 | lost. The existing fragment queue will be dropped, and a new one |
68 | started. An ipfrag_max_dist value of zero disables this check. | 68 | started. An ipfrag_max_dist value of zero disables this check. |
69 | 69 | ||
70 | Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can | 70 | Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can |
71 | result in unnecessarily dropping fragment queues when normal | 71 | result in unnecessarily dropping fragment queues when normal |
72 | reordering of packets occurs, which could lead to poor application | 72 | reordering of packets occurs, which could lead to poor application |
73 | performance. Using a very large value, e.g. 50000, increases the | 73 | performance. Using a very large value, e.g. 50000, increases the |
74 | likelihood of incorrectly reassembling IP fragments that originate | 74 | likelihood of incorrectly reassembling IP fragments that originate |
75 | from different IP datagrams, which could result in data corruption. | 75 | from different IP datagrams, which could result in data corruption. |
76 | Default: 64 | 76 | Default: 64 |
77 | 77 | ||
78 | INET peer storage: | 78 | INET peer storage: |
79 | 79 | ||
80 | inet_peer_threshold - INTEGER | 80 | inet_peer_threshold - INTEGER |
81 | The approximate size of the storage. Starting from this threshold | 81 | The approximate size of the storage. Starting from this threshold |
82 | entries will be thrown aggressively. This threshold also determines | 82 | entries will be thrown aggressively. This threshold also determines |
83 | entries' time-to-live and time intervals between garbage collection | 83 | entries' time-to-live and time intervals between garbage collection |
84 | passes. More entries, less time-to-live, less GC interval. | 84 | passes. More entries, less time-to-live, less GC interval. |
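Review bot: the ipfrag_high_thresh, ipfrag_low_thresh and ipfrag_time entries still carry no "Default:" line, while ipfrag_secret_interval ("Default: 600") and ipfrag_max_dist ("Default: 64") in the same hunk do; since this hunk only reindents, a follow-up documentation patch is the place to add the three missing defaults. While there, "ipfrag_high_thresh bytes of memory is allocated" should read "are allocated". The ipfrag_max_dist text (small values drop queues under normal reordering, very large values risk cross-datagram reassembly and data corruption) is preserved unchanged, which is the part operators rely on when tuning it.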
@@ -105,7 +105,7 @@ inet_peer_gc_maxtime - INTEGER | |||
105 | in effect under low (or absent) memory pressure on the pool. | 105 | in effect under low (or absent) memory pressure on the pool. |
106 | Measured in seconds. | 106 | Measured in seconds. |
107 | 107 | ||
108 | TCP variables: | 108 | TCP variables: |
109 | 109 | ||
110 | somaxconn - INTEGER | 110 | somaxconn - INTEGER |
111 | Limit of socket listen() backlog, known in userspace as SOMAXCONN. | 111 | Limit of socket listen() backlog, known in userspace as SOMAXCONN. |
@@ -310,7 +310,7 @@ tcp_orphan_retries - INTEGER | |||
310 | 310 | ||
311 | tcp_reordering - INTEGER | 311 | tcp_reordering - INTEGER |
312 | Maximal reordering of packets in a TCP stream. | 312 | Maximal reordering of packets in a TCP stream. |
313 | Default: 3 | 313 | Default: 3 |
314 | 314 | ||
315 | tcp_retrans_collapse - BOOLEAN | 315 | tcp_retrans_collapse - BOOLEAN |
316 | Bug-to-bug compatibility with some broken printers. | 316 | Bug-to-bug compatibility with some broken printers. |
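Review bot: tcp_retrans_collapse is documented only as "Bug-to-bug compatibility with some broken printers" with no "Default:" line, unlike tcp_reordering ("Default: 3") directly above it; the reindent leaves this as is, so it belongs on the follow-up list rather than in this patch.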
@@ -521,7 +521,7 @@ IP Variables: | |||
521 | 521 | ||
522 | ip_local_port_range - 2 INTEGERS | 522 | ip_local_port_range - 2 INTEGERS |
523 | Defines the local port range that is used by TCP and UDP to | 523 | Defines the local port range that is used by TCP and UDP to |
524 | choose the local port. The first number is the first, the | 524 | choose the local port. The first number is the first, the |
525 | second the last local port number. Default value depends on | 525 | second the last local port number. Default value depends on |
526 | amount of memory available on the system: | 526 | amount of memory available on the system: |
527 | > 128Mb 32768-61000 | 527 | > 128Mb 32768-61000 |
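Review bot: the memory threshold "> 128Mb" in the ip_local_port_range table is ambiguous, since "Mb" reads as megabits while the text refers to "amount of memory available on the system"; "128MB" would be unambiguous. Only the first row is visible in this hunk and the wrapped context is otherwise unchanged.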
@@ -594,12 +594,12 @@ icmp_errors_use_inbound_ifaddr - BOOLEAN | |||
594 | 594 | ||
595 | If zero, icmp error messages are sent with the primary address of | 595 | If zero, icmp error messages are sent with the primary address of |
596 | the exiting interface. | 596 | the exiting interface. |
597 | 597 | ||
598 | If non-zero, the message will be sent with the primary address of | 598 | If non-zero, the message will be sent with the primary address of |
599 | the interface that received the packet that caused the icmp error. | 599 | the interface that received the packet that caused the icmp error. |
600 | This is the behaviour network many administrators will expect from | 600 | This is the behaviour network many administrators will expect from |
601 | a router. And it can make debugging complicated network layouts | 601 | a router. And it can make debugging complicated network layouts |
602 | much easier. | 602 | much easier. |
603 | 603 | ||
604 | Note that if no primary address exists for the interface selected, | 604 | Note that if no primary address exists for the interface selected, |
605 | then the primary address of the first non-loopback interface that | 605 | then the primary address of the first non-loopback interface that |
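Review bot: the word order in "This is the behaviour network many administrators will expect from a router" is carried over unchanged on both sides; it should read "the behaviour many network administrators will expect". "icmp error messages" could also be capitalised as "ICMP" to match the sysctl's own name in the hunk header.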
@@ -611,7 +611,7 @@ igmp_max_memberships - INTEGER | |||
611 | Change the maximum number of multicast groups we can subscribe to. | 611 | Change the maximum number of multicast groups we can subscribe to. |
612 | Default: 20 | 612 | Default: 20 |
613 | 613 | ||
614 | conf/interface/* changes special settings per interface (where "interface" is | 614 | conf/interface/* changes special settings per interface (where "interface" is |
615 | the name of your network interface) | 615 | the name of your network interface) |
616 | conf/all/* is special, changes the settings for all interfaces | 616 | conf/all/* is special, changes the settings for all interfaces |
617 | 617 | ||
@@ -625,11 +625,11 @@ log_martians - BOOLEAN | |||
625 | accept_redirects - BOOLEAN | 625 | accept_redirects - BOOLEAN |
626 | Accept ICMP redirect messages. | 626 | Accept ICMP redirect messages. |
627 | accept_redirects for the interface will be enabled if: | 627 | accept_redirects for the interface will be enabled if: |
628 | - both conf/{all,interface}/accept_redirects are TRUE in the case forwarding | 628 | - both conf/{all,interface}/accept_redirects are TRUE in the case |
629 | for the interface is enabled | 629 | forwarding for the interface is enabled |
630 | or | 630 | or |
631 | - at least one of conf/{all,interface}/accept_redirects is TRUE in the case | 631 | - at least one of conf/{all,interface}/accept_redirects is TRUE in the |
632 | forwarding for the interface is disabled | 632 | case forwarding for the interface is disabled |
633 | accept_redirects for the interface will be disabled otherwise | 633 | accept_redirects for the interface will be disabled otherwise |
634 | default TRUE (host) | 634 | default TRUE (host) |
635 | FALSE (router) | 635 | FALSE (router) |
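Review bot: the rewrap breaks both conditions after "in the case", so "in the case forwarding for the interface is enabled" is split at an awkward point; wrapping before "in the case" keeps each condition readable, e.g. "- both conf/{all,interface}/accept_redirects are TRUE" followed by "in the case forwarding for the interface is enabled". The conditions themselves (both TRUE when forwarding is enabled, at least one TRUE when it is disabled) and the "FALSE (router)" default are unchanged, which is what matters for anyone auditing redirect acceptance on a forwarding box.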
@@ -640,8 +640,8 @@ forwarding - BOOLEAN | |||
640 | mc_forwarding - BOOLEAN | 640 | mc_forwarding - BOOLEAN |
641 | Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE | 641 | Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE |
642 | and a multicast routing daemon is required. | 642 | and a multicast routing daemon is required. |
643 | conf/all/mc_forwarding must also be set to TRUE to enable multicast routing | 643 | conf/all/mc_forwarding must also be set to TRUE to enable multicast |
644 | for the interface | 644 | routing for the interface |
645 | 645 | ||
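Review bot: the rewrapped sentence "conf/all/mc_forwarding must also be set to TRUE to enable multicast routing for the interface" still has no terminating period on either side; since the lines are being touched anyway, adding one here is cheaper than a separate patch. The CONFIG_MROUTE line above it is left alone, which is fine.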
646 | medium_id - INTEGER | 646 | medium_id - INTEGER |
647 | Integer value used to differentiate the devices by the medium they | 647 | Integer value used to differentiate the devices by the medium they |
@@ -649,7 +649,7 @@ medium_id - INTEGER | |||
649 | the broadcast packets are received only on one of them. | 649 | the broadcast packets are received only on one of them. |
650 | The default value 0 means that the device is the only interface | 650 | The default value 0 means that the device is the only interface |
651 | to its medium, value of -1 means that medium is not known. | 651 | to its medium, value of -1 means that medium is not known. |
652 | 652 | ||
653 | Currently, it is used to change the proxy_arp behavior: | 653 | Currently, it is used to change the proxy_arp behavior: |
654 | the proxy_arp feature is enabled for packets forwarded between | 654 | the proxy_arp feature is enabled for packets forwarded between |
655 | two devices attached to different media. | 655 | two devices attached to different media. |
@@ -710,9 +710,9 @@ rp_filter - INTEGER | |||
710 | and if the source address is not reachable via any interface | 710 | and if the source address is not reachable via any interface |
711 | the packet check will fail. | 711 | the packet check will fail. |
712 | 712 | ||
713 | Current recommended practice in RFC3704 is to enable strict mode | 713 | Current recommended practice in RFC3704 is to enable strict mode |
714 | to prevent IP spoofing from DDos attacks. If using asymmetric routing | 714 | to prevent IP spoofing from DDos attacks. If using asymmetric routing |
715 | or other complicated routing, then loose mode is recommended. | 715 | or other complicated routing, then loose mode is recommended. |
716 | 716 | ||
717 | conf/all/rp_filter must also be set to non-zero to do source validation | 717 | conf/all/rp_filter must also be set to non-zero to do source validation |
718 | on the interface | 718 | on the interface |
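Review bot: "DDos" in "to prevent IP spoofing from DDos attacks" is a typo for "DDoS" and survives the reindent; "RFC3704" is conventionally written "RFC 3704". The statement that conf/all/rp_filter must also be non-zero for source validation to take effect on the interface is the operationally important part of this entry and is preserved.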
@@ -835,7 +835,7 @@ apply to IPv6 [XXX?]. | |||
835 | 835 | ||
836 | bindv6only - BOOLEAN | 836 | bindv6only - BOOLEAN |
837 | Default value for IPV6_V6ONLY socket option, | 837 | Default value for IPV6_V6ONLY socket option, |
838 | which restricts use of the IPv6 socket to IPv6 communication | 838 | which restricts use of the IPv6 socket to IPv6 communication |
839 | only. | 839 | only. |
840 | TRUE: disable IPv4-mapped address feature | 840 | TRUE: disable IPv4-mapped address feature |
841 | FALSE: enable IPv4-mapped address feature | 841 | FALSE: enable IPv4-mapped address feature |
@@ -845,19 +845,19 @@ bindv6only - BOOLEAN | |||
845 | IPv6 Fragmentation: | 845 | IPv6 Fragmentation: |
846 | 846 | ||
847 | ip6frag_high_thresh - INTEGER | 847 | ip6frag_high_thresh - INTEGER |
848 | Maximum memory used to reassemble IPv6 fragments. When | 848 | Maximum memory used to reassemble IPv6 fragments. When |
849 | ip6frag_high_thresh bytes of memory is allocated for this purpose, | 849 | ip6frag_high_thresh bytes of memory is allocated for this purpose, |
850 | the fragment handler will toss packets until ip6frag_low_thresh | 850 | the fragment handler will toss packets until ip6frag_low_thresh |
851 | is reached. | 851 | is reached. |
852 | 852 | ||
853 | ip6frag_low_thresh - INTEGER | 853 | ip6frag_low_thresh - INTEGER |
854 | See ip6frag_high_thresh | 854 | See ip6frag_high_thresh |
855 | 855 | ||
856 | ip6frag_time - INTEGER | 856 | ip6frag_time - INTEGER |
857 | Time in seconds to keep an IPv6 fragment in memory. | 857 | Time in seconds to keep an IPv6 fragment in memory. |
858 | 858 | ||
859 | ip6frag_secret_interval - INTEGER | 859 | ip6frag_secret_interval - INTEGER |
860 | Regeneration interval (in seconds) of the hash secret (or lifetime | 860 | Regeneration interval (in seconds) of the hash secret (or lifetime |
861 | for the hash secret) for IPv6 fragments. | 861 | for the hash secret) for IPv6 fragments. |
862 | Default: 600 | 862 | Default: 600 |
863 | 863 | ||
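Review bot: as in the IPv4 fragmentation hunk, ip6frag_high_thresh, ip6frag_low_thresh and ip6frag_time lack a "Default:" line while ip6frag_secret_interval has "Default: 600", and "ip6frag_high_thresh bytes of memory is allocated" should be "are allocated". Nothing changes in this hunk beyond whitespace, so both fixes belong in a separate documentation patch.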
@@ -866,17 +866,17 @@ conf/default/*: | |||
866 | 866 | ||
867 | 867 | ||
868 | conf/all/*: | 868 | conf/all/*: |
869 | Change all the interface-specific settings. | 869 | Change all the interface-specific settings. |
870 | 870 | ||
871 | [XXX: Other special features than forwarding?] | 871 | [XXX: Other special features than forwarding?] |
872 | 872 | ||
873 | conf/all/forwarding - BOOLEAN | 873 | conf/all/forwarding - BOOLEAN |
874 | Enable global IPv6 forwarding between all interfaces. | 874 | Enable global IPv6 forwarding between all interfaces. |
875 | 875 | ||
876 | IPv4 and IPv6 work differently here; e.g. netfilter must be used | 876 | IPv4 and IPv6 work differently here; e.g. netfilter must be used |
877 | to control which interfaces may forward packets and which not. | 877 | to control which interfaces may forward packets and which not. |
878 | 878 | ||
879 | This also sets all interfaces' Host/Router setting | 879 | This also sets all interfaces' Host/Router setting |
880 | 'forwarding' to the specified value. See below for details. | 880 | 'forwarding' to the specified value. See below for details. |
881 | 881 | ||
882 | This referred to as global forwarding. | 882 | This referred to as global forwarding. |
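Review bot: "This referred to as global forwarding." is missing "is" on both sides, and the "[XXX: Other special features than forwarding?]" placeholder is still shipped in the rendered documentation. Both are content fixes outside the scope of a whitespace patch but should be queued; the statement that netfilter, not per-interface sysctls, controls which interfaces forward under IPv6 is the part readers need and is intact.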
@@ -887,12 +887,12 @@ proxy_ndp - BOOLEAN | |||
887 | conf/interface/*: | 887 | conf/interface/*: |
888 | Change special settings per interface. | 888 | Change special settings per interface. |
889 | 889 | ||
890 | The functional behaviour for certain settings is different | 890 | The functional behaviour for certain settings is different |
891 | depending on whether local forwarding is enabled or not. | 891 | depending on whether local forwarding is enabled or not. |
892 | 892 | ||
893 | accept_ra - BOOLEAN | 893 | accept_ra - BOOLEAN |
894 | Accept Router Advertisements; autoconfigure using them. | 894 | Accept Router Advertisements; autoconfigure using them. |
895 | 895 | ||
896 | Functional default: enabled if local forwarding is disabled. | 896 | Functional default: enabled if local forwarding is disabled. |
897 | disabled if local forwarding is enabled. | 897 | disabled if local forwarding is enabled. |
898 | 898 | ||
@@ -938,7 +938,7 @@ accept_source_route - INTEGER | |||
938 | Default: 0 | 938 | Default: 0 |
939 | 939 | ||
940 | autoconf - BOOLEAN | 940 | autoconf - BOOLEAN |
941 | Autoconfigure addresses using Prefix Information in Router | 941 | Autoconfigure addresses using Prefix Information in Router |
942 | Advertisements. | 942 | Advertisements. |
943 | 943 | ||
944 | Functional default: enabled if accept_ra_pinfo is enabled. | 944 | Functional default: enabled if accept_ra_pinfo is enabled. |
@@ -947,11 +947,11 @@ autoconf - BOOLEAN | |||
947 | dad_transmits - INTEGER | 947 | dad_transmits - INTEGER |
948 | The amount of Duplicate Address Detection probes to send. | 948 | The amount of Duplicate Address Detection probes to send. |
949 | Default: 1 | 949 | Default: 1 |
950 | 950 | ||
951 | forwarding - BOOLEAN | 951 | forwarding - BOOLEAN |
952 | Configure interface-specific Host/Router behaviour. | 952 | Configure interface-specific Host/Router behaviour. |
953 | 953 | ||
954 | Note: It is recommended to have the same setting on all | 954 | Note: It is recommended to have the same setting on all |
955 | interfaces; mixed router/host scenarios are rather uncommon. | 955 | interfaces; mixed router/host scenarios are rather uncommon. |
956 | 956 | ||
957 | FALSE: | 957 | FALSE: |
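Review bot: "The amount of Duplicate Address Detection probes to send" should be "The number of Duplicate Address Detection probes to send", since probes are countable; minor and unchanged by this hunk.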
@@ -960,13 +960,13 @@ forwarding - BOOLEAN | |||
960 | 960 | ||
961 | 1. IsRouter flag is not set in Neighbour Advertisements. | 961 | 1. IsRouter flag is not set in Neighbour Advertisements. |
962 | 2. Router Solicitations are being sent when necessary. | 962 | 2. Router Solicitations are being sent when necessary. |
963 | 3. If accept_ra is TRUE (default), accept Router | 963 | 3. If accept_ra is TRUE (default), accept Router |
964 | Advertisements (and do autoconfiguration). | 964 | Advertisements (and do autoconfiguration). |
965 | 4. If accept_redirects is TRUE (default), accept Redirects. | 965 | 4. If accept_redirects is TRUE (default), accept Redirects. |
966 | 966 | ||
967 | TRUE: | 967 | TRUE: |
968 | 968 | ||
969 | If local forwarding is enabled, Router behaviour is assumed. | 969 | If local forwarding is enabled, Router behaviour is assumed. |
970 | This means exactly the reverse from the above: | 970 | This means exactly the reverse from the above: |
971 | 971 | ||
972 | 1. IsRouter flag is set in Neighbour Advertisements. | 972 | 1. IsRouter flag is set in Neighbour Advertisements. |
@@ -1001,7 +1001,7 @@ router_solicitation_interval - INTEGER | |||
1001 | Default: 4 | 1001 | Default: 4 |
1002 | 1002 | ||
1003 | router_solicitations - INTEGER | 1003 | router_solicitations - INTEGER |
1004 | Number of Router Solicitations to send until assuming no | 1004 | Number of Router Solicitations to send until assuming no |
1005 | routers are present. | 1005 | routers are present. |
1006 | Default: 3 | 1006 | Default: 3 |
1007 | 1007 | ||
@@ -1025,11 +1025,11 @@ temp_prefered_lft - INTEGER | |||
1025 | 1025 | ||
1026 | max_desync_factor - INTEGER | 1026 | max_desync_factor - INTEGER |
1027 | Maximum value for DESYNC_FACTOR, which is a random value | 1027 | Maximum value for DESYNC_FACTOR, which is a random value |
1028 | that ensures that clients don't synchronize with each | 1028 | that ensures that clients don't synchronize with each |
1029 | other and generate new addresses at exactly the same time. | 1029 | other and generate new addresses at exactly the same time. |
1030 | value is in seconds. | 1030 | value is in seconds. |
1031 | Default: 600 | 1031 | Default: 600 |
1032 | 1032 | ||
1033 | regen_max_retry - INTEGER | 1033 | regen_max_retry - INTEGER |
1034 | Number of attempts before give up attempting to generate | 1034 | Number of attempts before give up attempting to generate |
1035 | valid temporary addresses. | 1035 | valid temporary addresses. |
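Review bot: "value is in seconds." starts lowercase mid-paragraph, and "Number of attempts before give up attempting to generate valid temporary addresses" should read "Number of attempts before giving up on generating valid temporary addresses"; both are carried over unchanged on the right-hand side.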
@@ -1037,8 +1037,8 @@ regen_max_retry - INTEGER | |||
1037 | 1037 | ||
1038 | max_addresses - INTEGER | 1038 | max_addresses - INTEGER |
1039 | Number of maximum addresses per interface. 0 disables limitation. | 1039 | Number of maximum addresses per interface. 0 disables limitation. |
1040 | It is recommended not set too large value (or 0) because it would | 1040 | It is recommended not set too large value (or 0) because it would |
1041 | be too easy way to crash kernel to allow to create too much of | 1041 | be too easy way to crash kernel to allow to create too much of |
1042 | autoconfigured addresses. | 1042 | autoconfigured addresses. |
1043 | Default: 16 | 1043 | Default: 16 |
1044 | 1044 | ||
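Review bot: the max_addresses advice is ungrammatical on both sides ("It is recommended not set too large value (or 0) because it would be too easy way to crash kernel to allow to create too much of autoconfigured addresses") and, since it warns that unbounded autoconfigured addresses can crash the kernel, it deserves a clear rewrite in a follow-up, e.g. "It is recommended not to set this to a very large value (or to 0), since allowing too many autoconfigured addresses would make it too easy to crash the kernel." The "Default: 16" line is preserved.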