Diffstat (limited to 'Documentation/networking/ip-sysctl.txt')
-rw-r--r-- | Documentation/networking/ip-sysctl.txt | 878 |
1 files changed, 878 insertions, 0 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
new file mode 100644
index 000000000000..a2c893a7475d
--- /dev/null
+++ b/Documentation/networking/ip-sysctl.txt | |||
@@ -0,0 +1,878 @@ | |||
1 | /proc/sys/net/ipv4/* Variables: | ||
2 | |||
3 | ip_forward - BOOLEAN | ||
4 | 0 - disabled (default) | ||
5 | not 0 - enabled | ||
6 | |||
7 | Forward Packets between interfaces. | ||
8 | |||
9 | This variable is special, its change resets all configuration | ||
10 | parameters to their default state (RFC1122 for hosts, RFC1812 | ||
11 | for routers) | ||
12 | |||
13 | ip_default_ttl - INTEGER | ||
14 | default 64 | ||
15 | |||
16 | ip_no_pmtu_disc - BOOLEAN | ||
17 | Disable Path MTU Discovery. | ||
18 | default FALSE | ||
19 | |||
20 | min_pmtu - INTEGER | ||
21 | default 562 - minimum discovered Path MTU | ||
22 | |||
23 | mtu_expires - INTEGER | ||
24 | Time, in seconds, that cached PMTU information is kept. | ||
25 | |||
26 | min_adv_mss - INTEGER | ||
27 | The advertised MSS depends on the first hop route MTU, but will | ||
28 | never be lower than this setting. | ||
29 | |||
30 | IP Fragmentation: | ||
31 | |||
32 | ipfrag_high_thresh - INTEGER | ||
33 | Maximum memory used to reassemble IP fragments. When | ||
34 | ipfrag_high_thresh bytes of memory is allocated for this purpose, | ||
35 | the fragment handler will toss packets until ipfrag_low_thresh | ||
36 | is reached. | ||
37 | |||
38 | ipfrag_low_thresh - INTEGER | ||
39 | See ipfrag_high_thresh | ||
40 | |||
41 | ipfrag_time - INTEGER | ||
42 | Time in seconds to keep an IP fragment in memory. | ||
43 | |||
44 | ipfrag_secret_interval - INTEGER | ||
45 | Regeneration interval (in seconds) of the hash secret (or lifetime | ||
46 | for the hash secret) for IP fragments. | ||
47 | Default: 600 | ||
48 | |||
49 | INET peer storage: | ||
50 | |||
51 | inet_peer_threshold - INTEGER | ||
52 | The approximate size of the storage. Starting from this threshold | ||
53 | entries will be thrown aggressively. This threshold also determines | ||
54 | entries' time-to-live and time intervals between garbage collection | ||
55 | passes. More entries, less time-to-live, less GC interval. | ||
56 | |||
57 | inet_peer_minttl - INTEGER | ||
58 | Minimum time-to-live of entries. Should be enough to cover fragment | ||
59 | time-to-live on the reassembling side. This minimum time-to-live is | ||
60 | guaranteed if the pool size is less than inet_peer_threshold. | ||
61 | Measured in jiffies(1). | ||
62 | |||
63 | inet_peer_maxttl - INTEGER | ||
64 | Maximum time-to-live of entries. Unused entries will expire after | ||
65 | this period of time if there is no memory pressure on the pool (i.e. | ||
66 | when the number of entries in the pool is very small). | ||
67 | Measured in jiffies(1). | ||
68 | |||
69 | inet_peer_gc_mintime - INTEGER | ||
70 | Minimum interval between garbage collection passes. This interval is | ||
71 | in effect under high memory pressure on the pool. | ||
72 | Measured in jiffies(1). | ||
73 | |||
74 | inet_peer_gc_maxtime - INTEGER | ||
75 | Minimum interval between garbage collection passes. This interval is | ||
76 | in effect under low (or absent) memory pressure on the pool. | ||
77 | Measured in jiffies(1). | ||
78 | |||
79 | TCP variables: | ||
80 | |||
81 | tcp_syn_retries - INTEGER | ||
82 | Number of times initial SYNs for an active TCP connection attempt | ||
83 | will be retransmitted. Should not be higher than 255. Default value | ||
84 | is 5, which corresponds to ~180seconds. | ||
85 | |||
86 | tcp_synack_retries - INTEGER | ||
87 | Number of times SYNACKs for a passive TCP connection attempt will | ||
88 | be retransmitted. Should not be higher than 255. Default value | ||
89 | is 5, which corresponds to ~180seconds. | ||
90 | |||
91 | tcp_keepalive_time - INTEGER | ||
92 | How often TCP sends out keepalive messages when keepalive is enabled. | ||
93 | Default: 2hours. | ||
94 | |||
95 | tcp_keepalive_probes - INTEGER | ||
96 | How many keepalive probes TCP sends out, until it decides that the | ||
97 | connection is broken. Default value: 9. | ||
98 | |||
99 | tcp_keepalive_intvl - INTEGER | ||
100 | How frequently the probes are send out. Multiplied by | ||
101 | tcp_keepalive_probes it is time to kill not responding connection, | ||
102 | after probes started. Default value: 75sec i.e. connection | ||
103 | will be aborted after ~11 minutes of retries. | ||
104 | |||
105 | tcp_retries1 - INTEGER | ||
106 | How many times to retry before deciding that something is wrong | ||
107 | and it is necessary to report this suspicion to network layer. | ||
108 | Minimal RFC value is 3, it is default, which corresponds | ||
109 | to ~3sec-8min depending on RTO. | ||
110 | |||
111 | tcp_retries2 - INTEGER | ||
112 | How may times to retry before killing alive TCP connection. | ||
113 | RFC1122 says that the limit should be longer than 100 sec. | ||
114 | It is too small number. Default value 15 corresponds to ~13-30min | ||
115 | depending on RTO. | ||
116 | |||
117 | tcp_orphan_retries - INTEGER | ||
118 | How may times to retry before killing TCP connection, closed | ||
119 | by our side. Default value 7 corresponds to ~50sec-16min | ||
120 | depending on RTO. If you machine is loaded WEB server, | ||
121 | you should think about lowering this value, such sockets | ||
122 | may consume significant resources. Cf. tcp_max_orphans. | ||
123 | |||
124 | tcp_fin_timeout - INTEGER | ||
125 | Time to hold socket in state FIN-WAIT-2, if it was closed | ||
126 | by our side. Peer can be broken and never close its side, | ||
127 | or even died unexpectedly. Default value is 60sec. | ||
128 | Usual value used in 2.2 was 180 seconds, you may restore | ||
129 | it, but remember that if your machine is even underloaded WEB server, | ||
130 | you risk to overflow memory with kilotons of dead sockets, | ||
131 | FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, | ||
132 | because they eat maximum 1.5K of memory, but they tend | ||
133 | to live longer. Cf. tcp_max_orphans. | ||
134 | |||
135 | tcp_max_tw_buckets - INTEGER | ||
136 | Maximal number of timewait sockets held by system simultaneously. | ||
137 | If this number is exceeded time-wait socket is immediately destroyed | ||
138 | and warning is printed. This limit exists only to prevent | ||
139 | simple DoS attacks, you _must_ not lower the limit artificially, | ||
140 | but rather increase it (probably, after increasing installed memory), | ||
141 | if network conditions require more than default value. | ||
142 | |||
143 | tcp_tw_recycle - BOOLEAN | ||
144 | Enable fast recycling TIME-WAIT sockets. Default value is 0. | ||
145 | It should not be changed without advice/request of technical | ||
146 | experts. | ||
147 | |||
148 | tcp_tw_reuse - BOOLEAN | ||
149 | Allow to reuse TIME-WAIT sockets for new connections when it is | ||
150 | safe from protocol viewpoint. Default value is 0. | ||
151 | It should not be changed without advice/request of technical | ||
152 | experts. | ||
153 | |||
154 | tcp_max_orphans - INTEGER | ||
155 | Maximal number of TCP sockets not attached to any user file handle, | ||
156 | held by system. If this number is exceeded orphaned connections are | ||
157 | reset immediately and warning is printed. This limit exists | ||
158 | only to prevent simple DoS attacks, you _must_ not rely on this | ||
159 | or lower the limit artificially, but rather increase it | ||
160 | (probably, after increasing installed memory), | ||
161 | if network conditions require more than default value, | ||
162 | and tune network services to linger and kill such states | ||
163 | more aggressively. Let me to remind again: each orphan eats | ||
164 | up to ~64K of unswappable memory. | ||
165 | |||
166 | tcp_abort_on_overflow - BOOLEAN | ||
167 | If listening service is too slow to accept new connections, | ||
168 | reset them. Default state is FALSE. It means that if overflow | ||
169 | occurred due to a burst, connection will recover. Enable this | ||
170 | option _only_ if you are really sure that listening daemon | ||
171 | cannot be tuned to accept connections faster. Enabling this | ||
172 | option can harm clients of your server. | ||
173 | |||
174 | tcp_syncookies - BOOLEAN | ||
175 | Only valid when the kernel was compiled with CONFIG_SYNCOOKIES | ||
176 | Send out syncookies when the syn backlog queue of a socket | ||
177 | overflows. This is to prevent against the common 'syn flood attack' | ||
178 | Default: FALSE | ||
179 | |||
180 | Note, that syncookies is fallback facility. | ||
181 | It MUST NOT be used to help highly loaded servers to stand | ||
182 | against legal connection rate. If you see synflood warnings | ||
183 | in your logs, but investigation shows that they occur | ||
184 | because of overload with legal connections, you should tune | ||
185 | another parameters until this warning disappear. | ||
186 | See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. | ||
187 | |||
188 | syncookies seriously violate TCP protocol, do not allow | ||
189 | to use TCP extensions, can result in serious degradation | ||
190 | of some services (f.e. SMTP relaying), visible not by you, | ||
191 | but your clients and relays, contacting you. While you see | ||
192 | synflood warnings in logs not being really flooded, your server | ||
193 | is seriously misconfigured. | ||
194 | |||
195 | tcp_stdurg - BOOLEAN | ||
196 | Use the Host requirements interpretation of the TCP urg pointer field. | ||
197 | Most hosts use the older BSD interpretation, so if you turn this on | ||
198 | Linux might not communicate correctly with them. | ||
199 | Default: FALSE | ||
200 | |||
201 | tcp_max_syn_backlog - INTEGER | ||
202 | Maximal number of remembered connection requests, which are | ||
203 | still did not receive an acknowledgment from connecting client. | ||
204 | Default value is 1024 for systems with more than 128Mb of memory, | ||
205 | and 128 for low memory machines. If server suffers of overload, | ||
206 | try to increase this number. | ||
207 | |||
208 | tcp_window_scaling - BOOLEAN | ||
209 | Enable window scaling as defined in RFC1323. | ||
210 | |||
211 | tcp_timestamps - BOOLEAN | ||
212 | Enable timestamps as defined in RFC1323. | ||
213 | |||
214 | tcp_sack - BOOLEAN | ||
215 | Enable select acknowledgments (SACKS). | ||
216 | |||
217 | tcp_fack - BOOLEAN | ||
218 | Enable FACK congestion avoidance and fast retransmission. | ||
219 | The value is not used, if tcp_sack is not enabled. | ||
220 | |||
221 | tcp_dsack - BOOLEAN | ||
222 | Allows TCP to send "duplicate" SACKs. | ||
223 | |||
224 | tcp_ecn - BOOLEAN | ||
225 | Enable Explicit Congestion Notification in TCP. | ||
226 | |||
227 | tcp_reordering - INTEGER | ||
228 | Maximal reordering of packets in a TCP stream. | ||
229 | Default: 3 | ||
230 | |||
231 | tcp_retrans_collapse - BOOLEAN | ||
232 | Bug-to-bug compatibility with some broken printers. | ||
233 | On retransmit try to send bigger packets to work around bugs in | ||
234 | certain TCP stacks. | ||
235 | |||
236 | tcp_wmem - vector of 3 INTEGERs: min, default, max | ||
237 | min: Amount of memory reserved for send buffers for TCP socket. | ||
238 | Each TCP socket has rights to use it due to fact of its birth. | ||
239 | Default: 4K | ||
240 | |||
241 | default: Amount of memory allowed for send buffers for TCP socket | ||
242 | by default. This value overrides net.core.wmem_default used | ||
243 | by other protocols, it is usually lower than net.core.wmem_default. | ||
244 | Default: 16K | ||
245 | |||
246 | max: Maximal amount of memory allowed for automatically selected | ||
247 | send buffers for TCP socket. This value does not override | ||
248 | net.core.wmem_max, "static" selection via SO_SNDBUF does not use this. | ||
249 | Default: 128K | ||
250 | |||
251 | tcp_rmem - vector of 3 INTEGERs: min, default, max | ||
252 | min: Minimal size of receive buffer used by TCP sockets. | ||
253 | It is guaranteed to each TCP socket, even under moderate memory | ||
254 | pressure. | ||
255 | Default: 8K | ||
256 | |||
257 | default: default size of receive buffer used by TCP sockets. | ||
258 | This value overrides net.core.rmem_default used by other protocols. | ||
259 | Default: 87380 bytes. This value results in window of 65535 with | ||
260 | default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit | ||
261 | less for default tcp_app_win. See below about these variables. | ||
262 | |||
263 | max: maximal size of receive buffer allowed for automatically | ||
264 | selected receiver buffers for TCP socket. This value does not override | ||
265 | net.core.rmem_max, "static" selection via SO_RCVBUF does not use this. | ||
266 | Default: 87380*2 bytes. | ||
267 | |||
268 | tcp_mem - vector of 3 INTEGERs: min, pressure, max | ||
269 | low: below this number of pages TCP is not bothered about its | ||
270 | memory appetite. | ||
271 | |||
272 | pressure: when amount of memory allocated by TCP exceeds this number | ||
273 | of pages, TCP moderates its memory consumption and enters memory | ||
274 | pressure mode, which is exited when memory consumption falls | ||
275 | under "low". | ||
276 | |||
277 | high: number of pages allowed for queueing by all TCP sockets. | ||
278 | |||
279 | Defaults are calculated at boot time from amount of available | ||
280 | memory. | ||
281 | |||
282 | tcp_app_win - INTEGER | ||
283 | Reserve max(window/2^tcp_app_win, mss) of window for application | ||
284 | buffer. Value 0 is special, it means that nothing is reserved. | ||
285 | Default: 31 | ||
286 | |||
287 | tcp_adv_win_scale - INTEGER | ||
288 | Count buffering overhead as bytes/2^tcp_adv_win_scale | ||
289 | (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), | ||
290 | if it is <= 0. | ||
291 | Default: 2 | ||
292 | |||
293 | tcp_rfc1337 - BOOLEAN | ||
294 | If set, the TCP stack behaves conforming to RFC1337. If unset, | ||
295 | we are not conforming to RFC, but prevent TCP TIME_WAIT | ||
296 | assassination. | ||
297 | Default: 0 | ||
298 | |||
299 | tcp_low_latency - BOOLEAN | ||
300 | If set, the TCP stack makes decisions that prefer lower | ||
301 | latency as opposed to higher throughput. By default, this | ||
302 | option is not set meaning that higher throughput is preferred. | ||
303 | An example of an application where this default should be | ||
304 | changed would be a Beowulf compute cluster. | ||
305 | Default: 0 | ||
306 | |||
307 | tcp_westwood - BOOLEAN | ||
308 | Enable TCP Westwood+ congestion control algorithm. | ||
309 | TCP Westwood+ is a sender-side only modification of the TCP Reno | ||
310 | protocol stack that optimizes the performance of TCP congestion | ||
311 | control. It is based on end-to-end bandwidth estimation to set | ||
312 | congestion window and slow start threshold after a congestion | ||
313 | episode. Using this estimation, TCP Westwood+ adaptively sets a | ||
314 | slow start threshold and a congestion window which takes into | ||
315 | account the bandwidth used at the time congestion is experienced. | ||
316 | TCP Westwood+ significantly increases fairness wrt TCP Reno in | ||
317 | wired networks and throughput over wireless links. | ||
318 | Default: 0 | ||
319 | |||
320 | tcp_vegas_cong_avoid - BOOLEAN | ||
321 | Enable TCP Vegas congestion avoidance algorithm. | ||
322 | TCP Vegas is a sender-side only change to TCP that anticipates | ||
323 | the onset of congestion by estimating the bandwidth. TCP Vegas | ||
324 | adjusts the sending rate by modifying the congestion | ||
325 | window. TCP Vegas should provide less packet loss, but it is | ||
326 | not as aggressive as TCP Reno. | ||
327 | Default:0 | ||
328 | |||
329 | tcp_bic - BOOLEAN | ||
330 | Enable BIC TCP congestion control algorithm. | ||
331 | BIC-TCP is a sender-side only change that ensures a linear RTT | ||
332 | fairness under large windows while offering both scalability and | ||
333 | bounded TCP-friendliness. The protocol combines two schemes | ||
334 | called additive increase and binary search increase. When the | ||
335 | congestion window is large, additive increase with a large | ||
336 | increment ensures linear RTT fairness as well as good | ||
337 | scalability. Under small congestion windows, binary search | ||
338 | increase provides TCP friendliness. | ||
339 | Default: 0 | ||
340 | |||
341 | tcp_bic_low_window - INTEGER | ||
342 | Sets the threshold window (in packets) where BIC TCP starts to | ||
343 | adjust the congestion window. Below this threshold BIC TCP behaves | ||
344 | the same as the default TCP Reno. | ||
345 | Default: 14 | ||
346 | |||
347 | tcp_bic_fast_convergence - BOOLEAN | ||
348 | Forces BIC TCP to more quickly respond to changes in congestion | ||
349 | window. Allows two flows sharing the same connection to converge | ||
350 | more rapidly. | ||
351 | Default: 1 | ||
352 | |||
353 | tcp_default_win_scale - INTEGER | ||
354 | Sets the minimum window scale TCP will negotiate for on all | ||
355 | conections. | ||
356 | Default: 7 | ||
357 | |||
358 | tcp_tso_win_divisor - INTEGER | ||
359 | This allows control over what percentage of the congestion window | ||
360 | can be consumed by a single TSO frame. | ||
361 | The setting of this parameter is a choice between burstiness and | ||
362 | building larger TSO frames. | ||
363 | Default: 8 | ||
364 | |||
365 | tcp_frto - BOOLEAN | ||
366 | Enables F-RTO, an enhanced recovery algorithm for TCP retransmission | ||
367 | timeouts. It is particularly beneficial in wireless environments | ||
368 | where packet loss is typically due to random radio interference | ||
369 | rather than intermediate router congestion. | ||
370 | |||
371 | somaxconn - INTEGER | ||
372 | Limit of socket listen() backlog, known in userspace as SOMAXCONN. | ||
373 | Defaults to 128. See also tcp_max_syn_backlog for additional tuning | ||
374 | for TCP sockets. | ||
375 | |||
376 | IP Variables: | ||
377 | |||
378 | ip_local_port_range - 2 INTEGERS | ||
379 | Defines the local port range that is used by TCP and UDP to | ||
380 | choose the local port. The first number is the first, the | ||
381 | second the last local port number. Default value depends on | ||
382 | amount of memory available on the system: | ||
383 | > 128Mb 32768-61000 | ||
384 | < 128Mb 1024-4999 or even less. | ||
385 | This number defines number of active connections, which this | ||
386 | system can issue simultaneously to systems not supporting | ||
387 | TCP extensions (timestamps). With tcp_tw_recycle enabled | ||
388 | (i.e. by default) range 1024-4999 is enough to issue up to | ||
389 | 2000 connections per second to systems supporting timestamps. | ||
390 | |||
391 | ip_nonlocal_bind - BOOLEAN | ||
392 | If set, allows processes to bind() to non-local IP addresses, | ||
393 | which can be quite useful - but may break some applications. | ||
394 | Default: 0 | ||
395 | |||
396 | ip_dynaddr - BOOLEAN | ||
397 | If set non-zero, enables support for dynamic addresses. | ||
398 | If set to a non-zero value larger than 1, a kernel log | ||
399 | message will be printed when dynamic address rewriting | ||
400 | occurs. | ||
401 | Default: 0 | ||
402 | |||
403 | icmp_echo_ignore_all - BOOLEAN | ||
404 | icmp_echo_ignore_broadcasts - BOOLEAN | ||
405 | If either is set to true, then the kernel will ignore either all | ||
406 | ICMP ECHO requests sent to it or just those to broadcast/multicast | ||
407 | addresses, respectively. | ||
408 | |||
409 | icmp_ratelimit - INTEGER | ||
410 | Limit the maximal rates for sending ICMP packets whose type matches | ||
411 | icmp_ratemask (see below) to specific targets. | ||
412 | 0 to disable any limiting, otherwise the maximal rate in jiffies(1) | ||
413 | Default: 100 | ||
414 | |||
415 | icmp_ratemask - INTEGER | ||
416 | Mask made of ICMP types for which rates are being limited. | ||
417 | Significant bits: IHGFEDCBA9876543210 | ||
418 | Default mask: 0000001100000011000 (6168) | ||
419 | |||
420 | Bit definitions (see include/linux/icmp.h): | ||
421 | 0 Echo Reply | ||
422 | 3 Destination Unreachable * | ||
423 | 4 Source Quench * | ||
424 | 5 Redirect | ||
425 | 8 Echo Request | ||
426 | B Time Exceeded * | ||
427 | C Parameter Problem * | ||
428 | D Timestamp Request | ||
429 | E Timestamp Reply | ||
430 | F Info Request | ||
431 | G Info Reply | ||
432 | H Address Mask Request | ||
433 | I Address Mask Reply | ||
434 | |||
435 | * These are rate limited by default (see default mask above) | ||
436 | |||
437 | icmp_ignore_bogus_error_responses - BOOLEAN | ||
438 | Some routers violate RFC1122 by sending bogus responses to broadcast | ||
439 | frames. Such violations are normally logged via a kernel warning. | ||
440 | If this is set to TRUE, the kernel will not give such warnings, which | ||
441 | will avoid log file clutter. | ||
442 | Default: FALSE | ||
443 | |||
444 | igmp_max_memberships - INTEGER | ||
445 | Change the maximum number of multicast groups we can subscribe to. | ||
446 | Default: 20 | ||
447 | |||
448 | conf/interface/* changes special settings per interface (where "interface" is | ||
449 | the name of your network interface) | ||
450 | conf/all/* is special, changes the settings for all interfaces | ||
451 | |||
452 | |||
453 | log_martians - BOOLEAN | ||
454 | Log packets with impossible addresses to kernel log. | ||
455 | log_martians for the interface will be enabled if at least one of | ||
456 | conf/{all,interface}/log_martians is set to TRUE, | ||
457 | it will be disabled otherwise | ||
458 | |||
459 | accept_redirects - BOOLEAN | ||
460 | Accept ICMP redirect messages. | ||
461 | accept_redirects for the interface will be enabled if: | ||
462 | - both conf/{all,interface}/accept_redirects are TRUE in the case forwarding | ||
463 | for the interface is enabled | ||
464 | or | ||
465 | - at least one of conf/{all,interface}/accept_redirects is TRUE in the case | ||
466 | forwarding for the interface is disabled | ||
467 | accept_redirects for the interface will be disabled otherwise | ||
468 | default TRUE (host) | ||
469 | FALSE (router) | ||
470 | |||
471 | forwarding - BOOLEAN | ||
472 | Enable IP forwarding on this interface. | ||
473 | |||
474 | mc_forwarding - BOOLEAN | ||
475 | Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE | ||
476 | and a multicast routing daemon is required. | ||
477 | conf/all/mc_forwarding must also be set to TRUE to enable multicast routing | ||
478 | for the interface | ||
479 | |||
480 | medium_id - INTEGER | ||
481 | Integer value used to differentiate the devices by the medium they | ||
482 | are attached to. Two devices can have different id values when | ||
483 | the broadcast packets are received only on one of them. | ||
484 | The default value 0 means that the device is the only interface | ||
485 | to its medium, value of -1 means that medium is not known. | ||
486 | |||
487 | Currently, it is used to change the proxy_arp behavior: | ||
488 | the proxy_arp feature is enabled for packets forwarded between | ||
489 | two devices attached to different media. | ||
490 | |||
491 | proxy_arp - BOOLEAN | ||
492 | Do proxy arp. | ||
493 | proxy_arp for the interface will be enabled if at least one of | ||
494 | conf/{all,interface}/proxy_arp is set to TRUE, | ||
495 | it will be disabled otherwise | ||
496 | |||
497 | shared_media - BOOLEAN | ||
498 | Send(router) or accept(host) RFC1620 shared media redirects. | ||
499 | Overrides ip_secure_redirects. | ||
500 | shared_media for the interface will be enabled if at least one of | ||
501 | conf/{all,interface}/shared_media is set to TRUE, | ||
502 | it will be disabled otherwise | ||
503 | default TRUE | ||
504 | |||
505 | secure_redirects - BOOLEAN | ||
506 | Accept ICMP redirect messages only for gateways, | ||
507 | listed in default gateway list. | ||
508 | secure_redirects for the interface will be enabled if at least one of | ||
509 | conf/{all,interface}/secure_redirects is set to TRUE, | ||
510 | it will be disabled otherwise | ||
511 | default TRUE | ||
512 | |||
513 | send_redirects - BOOLEAN | ||
514 | Send redirects, if router. | ||
515 | send_redirects for the interface will be enabled if at least one of | ||
516 | conf/{all,interface}/send_redirects is set to TRUE, | ||
517 | it will be disabled otherwise | ||
518 | Default: TRUE | ||
519 | |||
520 | bootp_relay - BOOLEAN | ||
521 | Accept packets with source address 0.b.c.d destined | ||
522 | not to this host as local ones. It is supposed, that | ||
523 | BOOTP relay daemon will catch and forward such packets. | ||
524 | conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay | ||
525 | for the interface | ||
526 | default FALSE | ||
527 | Not Implemented Yet. | ||
528 | |||
529 | accept_source_route - BOOLEAN | ||
530 | Accept packets with SRR option. | ||
531 | conf/all/accept_source_route must also be set to TRUE to accept packets | ||
532 | with SRR option on the interface | ||
533 | default TRUE (router) | ||
534 | FALSE (host) | ||
535 | |||
536 | rp_filter - BOOLEAN | ||
537 | 1 - do source validation by reversed path, as specified in RFC1812 | ||
538 | Recommended option for single homed hosts and stub network | ||
539 | routers. Could cause troubles for complicated (not loop free) | ||
540 | networks running a slow unreliable protocol (sort of RIP), | ||
541 | or using static routes. | ||
542 | |||
543 | 0 - No source validation. | ||
544 | |||
545 | conf/all/rp_filter must also be set to TRUE to do source validation | ||
546 | on the interface | ||
547 | |||
548 | Default value is 0. Note that some distributions enable it | ||
549 | in startup scripts. | ||
550 | |||
551 | arp_filter - BOOLEAN | ||
552 | 1 - Allows you to have multiple network interfaces on the same | ||
553 | subnet, and have the ARPs for each interface be answered | ||
554 | based on whether or not the kernel would route a packet from | ||
555 | the ARP'd IP out that interface (therefore you must use source | ||
556 | based routing for this to work). In other words it allows control | ||
557 | of which cards (usually 1) will respond to an arp request. | ||
558 | |||
559 | 0 - (default) The kernel can respond to arp requests with addresses | ||
560 | from other interfaces. This may seem wrong but it usually makes | ||
561 | sense, because it increases the chance of successful communication. | ||
562 | IP addresses are owned by the complete host on Linux, not by | ||
563 | particular interfaces. Only for more complex setups like load- | ||
564 | balancing, does this behaviour cause problems. | ||
565 | |||
566 | arp_filter for the interface will be enabled if at least one of | ||
567 | conf/{all,interface}/arp_filter is set to TRUE, | ||
568 | it will be disabled otherwise | ||
569 | |||
570 | arp_announce - INTEGER | ||
571 | Define different restriction levels for announcing the local | ||
572 | source IP address from IP packets in ARP requests sent on | ||
573 | interface: | ||
574 | 0 - (default) Use any local address, configured on any interface | ||
575 | 1 - Try to avoid local addresses that are not in the target's | ||
576 | subnet for this interface. This mode is useful when target | ||
577 | hosts reachable via this interface require the source IP | ||
578 | address in ARP requests to be part of their logical network | ||
579 | configured on the receiving interface. When we generate the | ||
580 | request we will check all our subnets that include the | ||
581 | target IP and will preserve the source address if it is from | ||
582 | such subnet. If there is no such subnet we select source | ||
583 | address according to the rules for level 2. | ||
584 | 2 - Always use the best local address for this target. | ||
585 | In this mode we ignore the source address in the IP packet | ||
586 | and try to select local address that we prefer for talks with | ||
587 | the target host. Such local address is selected by looking | ||
588 | for primary IP addresses on all our subnets on the outgoing | ||
589 | interface that include the target IP address. If no suitable | ||
590 | local address is found we select the first local address | ||
591 | we have on the outgoing interface or on all other interfaces, | ||
592 | with the hope we will receive reply for our request and | ||
593 | even sometimes no matter the source IP address we announce. | ||
594 | |||
595 | The max value from conf/{all,interface}/arp_announce is used. | ||
596 | |||
597 | Increasing the restriction level gives more chance for | ||
598 | receiving answer from the resolved target while decreasing | ||
599 | the level announces more valid sender's information. | ||
600 | |||
601 | arp_ignore - INTEGER | ||
602 | Define different modes for sending replies in response to | ||
603 | received ARP requests that resolve local target IP addresses: | ||
604 | 0 - (default): reply for any local target IP address, configured | ||
605 | on any interface | ||
606 | 1 - reply only if the target IP address is local address | ||
607 | configured on the incoming interface | ||
608 | 2 - reply only if the target IP address is local address | ||
609 | configured on the incoming interface and both with the | ||
610 | sender's IP address are part from same subnet on this interface | ||
611 | 3 - do not reply for local addresses configured with scope host, | ||
612 | only resolutions for global and link addresses are replied | ||
613 | 4-7 - reserved | ||
614 | 8 - do not reply for all local addresses | ||
615 | |||
616 | The max value from conf/{all,interface}/arp_ignore is used | ||
617 | when ARP request is received on the {interface} | ||
618 | |||
619 | app_solicit - INTEGER | ||
620 | The maximum number of probes to send to the user space ARP daemon | ||
621 | via netlink before dropping back to multicast probes (see | ||
622 | mcast_solicit). Defaults to 0. | ||
623 | |||
624 | disable_policy - BOOLEAN | ||
625 | Disable IPSEC policy (SPD) for this interface | ||
626 | |||
627 | disable_xfrm - BOOLEAN | ||
628 | Disable IPSEC encryption on this interface, whatever the policy | ||
629 | |||
630 | |||
631 | |||
632 | tag - INTEGER | ||
633 | Allows you to write a number, which can be used as required. | ||
634 | Default value is 0. | ||
635 | |||
636 | (1) Jiffie: internal timeunit for the kernel. On the i386 1/100s, on the | ||
637 | Alpha 1/1024s. See the HZ define in /usr/include/asm/param.h for the exact | ||
638 | value on your system. | ||
639 | |||
640 | Alexey Kuznetsov. | ||
641 | kuznet@ms2.inr.ac.ru | ||
642 | |||
643 | Updated by: | ||
644 | Andi Kleen | ||
645 | ak@muc.de | ||
646 | Nicolas Delon | ||
647 | delon.nicolas@wanadoo.fr | ||
648 | |||
649 | |||
650 | |||
651 | |||
652 | /proc/sys/net/ipv6/* Variables: | ||
653 | |||
654 | IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also | ||
655 | apply to IPv6 [XXX?]. | ||
656 | |||
657 | bindv6only - BOOLEAN | ||
658 | Default value for IPV6_V6ONLY socket option, | ||
659 | which restricts use of the IPv6 socket to IPv6 communication | ||
660 | only. | ||
661 | TRUE: disable IPv4-mapped address feature | ||
662 | FALSE: enable IPv4-mapped address feature | ||
663 | |||
664 | Default: FALSE (as specified in RFC2553bis) | ||
665 | |||
666 | IPv6 Fragmentation: | ||
667 | |||
668 | ip6frag_high_thresh - INTEGER | ||
669 | Maximum memory used to reassemble IPv6 fragments. When | ||
670 | ip6frag_high_thresh bytes of memory is allocated for this purpose, | ||
671 | the fragment handler will toss packets until ip6frag_low_thresh | ||
672 | is reached. | ||
673 | |||
674 | ip6frag_low_thresh - INTEGER | ||
675 | See ip6frag_high_thresh | ||
676 | |||
677 | ip6frag_time - INTEGER | ||
678 | Time in seconds to keep an IPv6 fragment in memory. | ||
679 | |||
680 | ip6frag_secret_interval - INTEGER | ||
681 | Regeneration interval (in seconds) of the hash secret (or lifetime | ||
682 | for the hash secret) for IPv6 fragments. | ||
683 | Default: 600 | ||
684 | |||
685 | conf/default/*: | ||
686 | Change the interface-specific default settings. | ||
687 | |||
688 | |||
689 | conf/all/*: | ||
690 | Change all the interface-specific settings. | ||
691 | |||
692 | [XXX: Other special features than forwarding?] | ||
693 | |||
694 | conf/all/forwarding - BOOLEAN | ||
695 | Enable global IPv6 forwarding between all interfaces. | ||
696 | |||
697 | IPv4 and IPv6 work differently here; e.g. netfilter must be used | ||
698 | to control which interfaces may forward packets and which not. | ||
699 | |||
700 | This also sets all interfaces' Host/Router setting | ||
701 | 'forwarding' to the specified value. See below for details. | ||
702 | |||
703 | This referred to as global forwarding. | ||
704 | |||
705 | conf/interface/*: | ||
706 | Change special settings per interface. | ||
707 | |||
708 | The functional behaviour for certain settings is different | ||
709 | depending on whether local forwarding is enabled or not. | ||
710 | |||
711 | accept_ra - BOOLEAN | ||
712 | Accept Router Advertisements; autoconfigure using them. | ||
713 | |||
714 | Functional default: enabled if local forwarding is disabled. | ||
715 | disabled if local forwarding is enabled. | ||
716 | |||
717 | accept_redirects - BOOLEAN | ||
718 | Accept Redirects. | ||
719 | |||
720 | Functional default: enabled if local forwarding is disabled. | ||
721 | disabled if local forwarding is enabled. | ||
722 | |||
723 | autoconf - BOOLEAN | ||
724 | Autoconfigure addresses using Prefix Information in Router | ||
725 | Advertisements. | ||
726 | |||
727 | Functional default: enabled if accept_ra is enabled. | ||
728 | disabled if accept_ra is disabled. | ||
729 | |||
730 | dad_transmits - INTEGER | ||
731 | The amount of Duplicate Address Detection probes to send. | ||
732 | Default: 1 | ||
733 | |||
734 | forwarding - BOOLEAN | ||
735 | Configure interface-specific Host/Router behaviour. | ||
736 | |||
737 | Note: It is recommended to have the same setting on all | ||
738 | interfaces; mixed router/host scenarios are rather uncommon. | ||
739 | |||
740 | FALSE: | ||
741 | |||
742 | By default, Host behaviour is assumed. This means: | ||
743 | |||
744 | 1. IsRouter flag is not set in Neighbour Advertisements. | ||
745 | 2. Router Solicitations are being sent when necessary. | ||
746 | 3. If accept_ra is TRUE (default), accept Router | ||
747 | Advertisements (and do autoconfiguration). | ||
748 | 4. If accept_redirects is TRUE (default), accept Redirects. | ||
749 | |||
750 | TRUE: | ||
751 | |||
752 | If local forwarding is enabled, Router behaviour is assumed. | ||
753 | This means exactly the reverse from the above: | ||
754 | |||
755 | 1. IsRouter flag is set in Neighbour Advertisements. | ||
756 | 2. Router Solicitations are not sent. | ||
757 | 3. Router Advertisements are ignored. | ||
758 | 4. Redirects are ignored. | ||
759 | |||
760 | Default: FALSE if global forwarding is disabled (default), | ||
761 | otherwise TRUE. | ||
762 | |||
763 | hop_limit - INTEGER | ||
764 | Default Hop Limit to set. | ||
765 | Default: 64 | ||
766 | |||
767 | mtu - INTEGER | ||
768 | Default Maximum Transfer Unit | ||
769 | Default: 1280 (IPv6 required minimum) | ||
770 | |||
771 | router_solicitation_delay - INTEGER | ||
772 | Number of seconds to wait after interface is brought up | ||
773 | before sending Router Solicitations. | ||
774 | Default: 1 | ||
775 | |||
776 | router_solicitation_interval - INTEGER | ||
777 | Number of seconds to wait between Router Solicitations. | ||
778 | Default: 4 | ||
779 | |||
780 | router_solicitations - INTEGER | ||
781 | Number of Router Solicitations to send until assuming no | ||
782 | routers are present. | ||
783 | Default: 3 | ||
784 | |||
785 | use_tempaddr - INTEGER | ||
786 | Preference for Privacy Extensions (RFC3041). | ||
787 | <= 0 : disable Privacy Extensions | ||
788 | == 1 : enable Privacy Extensions, but prefer public | ||
789 | addresses over temporary addresses. | ||
790 | > 1 : enable Privacy Extensions and prefer temporary | ||
791 | addresses over public addresses. | ||
792 | Default: 0 (for most devices) | ||
793 | -1 (for point-to-point devices and loopback devices) | ||
794 | |||
795 | temp_valid_lft - INTEGER | ||
796 | valid lifetime (in seconds) for temporary addresses. | ||
797 | Default: 604800 (7 days) | ||
798 | |||
799 | temp_prefered_lft - INTEGER | ||
800 | Preferred lifetime (in seconds) for temporary addresses. | ||
801 | Default: 86400 (1 day) | ||
802 | |||
803 | max_desync_factor - INTEGER | ||
804 | Maximum value for DESYNC_FACTOR, which is a random value | ||
805 | that ensures that clients don't synchronize with each | ||
806 | other and generate new addresses at exactly the same time. | ||
807 | value is in seconds. | ||
808 | Default: 600 | ||
809 | |||
810 | regen_max_retry - INTEGER | ||
811 | Number of attempts before give up attempting to generate | ||
812 | valid temporary addresses. | ||
813 | Default: 5 | ||
814 | |||
815 | max_addresses - INTEGER | ||
816 | Number of maximum addresses per interface. 0 disables limitation. | ||
817 | It is recommended not set too large value (or 0) because it would | ||
818 | be too easy way to crash kernel to allow to create too much of | ||
819 | autoconfigured addresses. | ||
820 | Default: 16 | ||
821 | |||
822 | icmp/*: | ||
823 | ratelimit - INTEGER | ||
824 | Limit the maximal rates for sending ICMPv6 packets. | ||
825 | 0 to disable any limiting, otherwise the maximal rate in jiffies(1) | ||
826 | Default: 100 | ||
827 | |||
828 | |||
829 | IPv6 Update by: | ||
830 | Pekka Savola <pekkas@netcore.fi> | ||
831 | YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> | ||
832 | |||
833 | |||
834 | /proc/sys/net/bridge/* Variables: | ||
835 | |||
836 | bridge-nf-call-arptables - BOOLEAN | ||
837 | 1 : pass bridged ARP traffic to arptables' FORWARD chain. | ||
838 | 0 : disable this. | ||
839 | Default: 1 | ||
840 | |||
841 | bridge-nf-call-iptables - BOOLEAN | ||
842 | 1 : pass bridged IPv4 traffic to iptables' chains. | ||
843 | 0 : disable this. | ||
844 | Default: 1 | ||
845 | |||
846 | bridge-nf-call-ip6tables - BOOLEAN | ||
847 | 1 : pass bridged IPv6 traffic to ip6tables' chains. | ||
848 | 0 : disable this. | ||
849 | Default: 1 | ||
850 | |||
851 | bridge-nf-filter-vlan-tagged - BOOLEAN | ||
852 | 1 : pass bridged vlan-tagged ARP/IP traffic to arptables/iptables. | ||
853 | 0 : disable this. | ||
854 | Default: 1 | ||
855 | |||
856 | |||
857 | UNDOCUMENTED: | ||
858 | |||
859 | dev_weight FIXME | ||
860 | discovery_slots FIXME | ||
861 | discovery_timeout FIXME | ||
862 | fast_poll_increase FIXME | ||
863 | ip6_queue_maxlen FIXME | ||
864 | lap_keepalive_time FIXME | ||
865 | lo_cong FIXME | ||
866 | max_baud_rate FIXME | ||
867 | max_dgram_qlen FIXME | ||
868 | max_noreply_time FIXME | ||
869 | max_tx_data_size FIXME | ||
870 | max_tx_window FIXME | ||
871 | min_tx_turn_time FIXME | ||
872 | mod_cong FIXME | ||
873 | no_cong FIXME | ||
874 | no_cong_thresh FIXME | ||
875 | slot_timeout FIXME | ||
876 | warn_noreply_time FIXME | ||
877 | |||
878 | $Id: ip-sysctl.txt,v 1.20 2001/12/13 09:00:18 davem Exp $ | ||