Diffstat (limited to 'Documentation/networking')
-rw-r--r-- Documentation/networking/ip-sysctl.txt 118
1 files changed, 59 insertions, 59 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index e0b8c2c61710..7185e4c41e59 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -2,7 +2,7 @@
2 2
3ip_forward - BOOLEAN 3ip_forward - BOOLEAN
4 0 - disabled (default) 4 0 - disabled (default)
5 not 0 - enabled 5 not 0 - enabled
6 6
7 Forward Packets between interfaces. 7 Forward Packets between interfaces.
8 8
@@ -36,49 +36,49 @@ rt_cache_rebuild_count - INTEGER
36IP Fragmentation: 36IP Fragmentation:
37 37
38ipfrag_high_thresh - INTEGER 38ipfrag_high_thresh - INTEGER
39 Maximum memory used to reassemble IP fragments. When 39 Maximum memory used to reassemble IP fragments. When
40 ipfrag_high_thresh bytes of memory is allocated for this purpose, 40 ipfrag_high_thresh bytes of memory is allocated for this purpose,
41 the fragment handler will toss packets until ipfrag_low_thresh 41 the fragment handler will toss packets until ipfrag_low_thresh
42 is reached. 42 is reached.
43 43
44ipfrag_low_thresh - INTEGER 44ipfrag_low_thresh - INTEGER
45 See ipfrag_high_thresh 45 See ipfrag_high_thresh
46 46
47ipfrag_time - INTEGER 47ipfrag_time - INTEGER
48 Time in seconds to keep an IP fragment in memory. 48 Time in seconds to keep an IP fragment in memory.
49 49
50ipfrag_secret_interval - INTEGER 50ipfrag_secret_interval - INTEGER
51 Regeneration interval (in seconds) of the hash secret (or lifetime 51 Regeneration interval (in seconds) of the hash secret (or lifetime
52 for the hash secret) for IP fragments. 52 for the hash secret) for IP fragments.
53 Default: 600 53 Default: 600
54 54
55ipfrag_max_dist - INTEGER 55ipfrag_max_dist - INTEGER
56 ipfrag_max_dist is a non-negative integer value which defines the 56 ipfrag_max_dist is a non-negative integer value which defines the
57 maximum "disorder" which is allowed among fragments which share a 57 maximum "disorder" which is allowed among fragments which share a
58 common IP source address. Note that reordering of packets is 58 common IP source address. Note that reordering of packets is
59 not unusual, but if a large number of fragments arrive from a source 59 not unusual, but if a large number of fragments arrive from a source
60 IP address while a particular fragment queue remains incomplete, it 60 IP address while a particular fragment queue remains incomplete, it
61 probably indicates that one or more fragments belonging to that queue 61 probably indicates that one or more fragments belonging to that queue
62 have been lost. When ipfrag_max_dist is positive, an additional check 62 have been lost. When ipfrag_max_dist is positive, an additional check
63 is done on fragments before they are added to a reassembly queue - if 63 is done on fragments before they are added to a reassembly queue - if
64 ipfrag_max_dist (or more) fragments have arrived from a particular IP 64 ipfrag_max_dist (or more) fragments have arrived from a particular IP
65 address between additions to any IP fragment queue using that source 65 address between additions to any IP fragment queue using that source
66 address, it's presumed that one or more fragments in the queue are 66 address, it's presumed that one or more fragments in the queue are
67 lost. The existing fragment queue will be dropped, and a new one 67 lost. The existing fragment queue will be dropped, and a new one
68 started. An ipfrag_max_dist value of zero disables this check. 68 started. An ipfrag_max_dist value of zero disables this check.
69 69
70 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can 70 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
71 result in unnecessarily dropping fragment queues when normal 71 result in unnecessarily dropping fragment queues when normal
72 reordering of packets occurs, which could lead to poor application 72 reordering of packets occurs, which could lead to poor application
73 performance. Using a very large value, e.g. 50000, increases the 73 performance. Using a very large value, e.g. 50000, increases the
74 likelihood of incorrectly reassembling IP fragments that originate 74 likelihood of incorrectly reassembling IP fragments that originate
75 from different IP datagrams, which could result in data corruption. 75 from different IP datagrams, which could result in data corruption.
76 Default: 64 76 Default: 64
77 77
78INET peer storage: 78INET peer storage:
79 79
80inet_peer_threshold - INTEGER 80inet_peer_threshold - INTEGER
81 The approximate size of the storage. Starting from this threshold 81 The approximate size of the storage. Starting from this threshold
82 entries will be thrown aggressively. This threshold also determines 82 entries will be thrown aggressively. This threshold also determines
83 entries' time-to-live and time intervals between garbage collection 83 entries' time-to-live and time intervals between garbage collection
84 passes. More entries, less time-to-live, less GC interval. 84 passes. More entries, less time-to-live, less GC interval.
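Review bot: ipfrag_high_thresh, ipfrag_low_thresh and ipfrag_time (lines 38-48) still carry no "Default:" line, while ipfrag_secret_interval and ipfrag_max_dist in the same hunk do. Since these lines are being touched anyway, add the defaults so a reader can tell how much memory fragment reassembly may consume before packets are tossed. Line 40 also reads "bytes of memory is allocated"; "are allocated" would be correct.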
@@ -105,7 +105,7 @@ inet_peer_gc_maxtime - INTEGER
105 in effect under low (or absent) memory pressure on the pool. 105 in effect under low (or absent) memory pressure on the pool.
106 Measured in seconds. 106 Measured in seconds.
107 107
108TCP variables: 108TCP variables:
109 109
110somaxconn - INTEGER 110somaxconn - INTEGER
111 Limit of socket listen() backlog, known in userspace as SOMAXCONN. 111 Limit of socket listen() backlog, known in userspace as SOMAXCONN.
@@ -310,7 +310,7 @@ tcp_orphan_retries - INTEGER
310 310
311tcp_reordering - INTEGER 311tcp_reordering - INTEGER
312 Maximal reordering of packets in a TCP stream. 312 Maximal reordering of packets in a TCP stream.
313 Default: 3 313 Default: 3
314 314
315tcp_retrans_collapse - BOOLEAN 315tcp_retrans_collapse - BOOLEAN
316 Bug-to-bug compatibility with some broken printers. 316 Bug-to-bug compatibility with some broken printers.
@@ -521,7 +521,7 @@ IP Variables:
521 521
522ip_local_port_range - 2 INTEGERS 522ip_local_port_range - 2 INTEGERS
523 Defines the local port range that is used by TCP and UDP to 523 Defines the local port range that is used by TCP and UDP to
524 choose the local port. The first number is the first, the 524 choose the local port. The first number is the first, the
525 second the last local port number. Default value depends on 525 second the last local port number. Default value depends on
526 amount of memory available on the system: 526 amount of memory available on the system:
527 > 128Mb 32768-61000 527 > 128Mb 32768-61000
@@ -594,12 +594,12 @@ icmp_errors_use_inbound_ifaddr - BOOLEAN
594 594
595 If zero, icmp error messages are sent with the primary address of 595 If zero, icmp error messages are sent with the primary address of
596 the exiting interface. 596 the exiting interface.
597 597
598 If non-zero, the message will be sent with the primary address of 598 If non-zero, the message will be sent with the primary address of
599 the interface that received the packet that caused the icmp error. 599 the interface that received the packet that caused the icmp error.
600 This is the behaviour network many administrators will expect from 600 This is the behaviour network many administrators will expect from
601 a router. And it can make debugging complicated network layouts 601 a router. And it can make debugging complicated network layouts
602 much easier. 602 much easier.
603 603
604 Note that if no primary address exists for the interface selected, 604 Note that if no primary address exists for the interface selected,
605 then the primary address of the first non-loopback interface that 605 then the primary address of the first non-loopback interface that
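Review bot: line 600 keeps the transposed wording "This is the behaviour network many administrators will expect from" on both sides of the diff. As the paragraph is being edited, fix it to "This is the behaviour many network administrators will expect from a router."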
@@ -611,7 +611,7 @@ igmp_max_memberships - INTEGER
611 Change the maximum number of multicast groups we can subscribe to. 611 Change the maximum number of multicast groups we can subscribe to.
612 Default: 20 612 Default: 20
613 613
614conf/interface/* changes special settings per interface (where "interface" is 614conf/interface/* changes special settings per interface (where "interface" is
615 the name of your network interface) 615 the name of your network interface)
616conf/all/* is special, changes the settings for all interfaces 616conf/all/* is special, changes the settings for all interfaces
617 617
@@ -625,11 +625,11 @@ log_martians - BOOLEAN
625accept_redirects - BOOLEAN 625accept_redirects - BOOLEAN
626 Accept ICMP redirect messages. 626 Accept ICMP redirect messages.
627 accept_redirects for the interface will be enabled if: 627 accept_redirects for the interface will be enabled if:
628 - both conf/{all,interface}/accept_redirects are TRUE in the case forwarding 628 - both conf/{all,interface}/accept_redirects are TRUE in the case
629 for the interface is enabled 629 forwarding for the interface is enabled
630 or 630 or
631 - at least one of conf/{all,interface}/accept_redirects is TRUE in the case 631 - at least one of conf/{all,interface}/accept_redirects is TRUE in the
632 forwarding for the interface is disabled 632 case forwarding for the interface is disabled
633 accept_redirects for the interface will be disabled otherwise 633 accept_redirects for the interface will be disabled otherwise
634 default TRUE (host) 634 default TRUE (host)
635 FALSE (router) 635 FALSE (router)
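Review bot: the rewrapped conditions on lines 628-632 keep the phrase "in the case forwarding for the interface is enabled", which is hard to parse once it is split across two lines. Consider "if forwarding for the interface is enabled" and "if forwarding for the interface is disabled", so that the both/at-least-one rule for conf/{all,interface}/accept_redirects is unambiguous.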
@@ -640,8 +640,8 @@ forwarding - BOOLEAN
640mc_forwarding - BOOLEAN 640mc_forwarding - BOOLEAN
641 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE 641 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
642 and a multicast routing daemon is required. 642 and a multicast routing daemon is required.
643 conf/all/mc_forwarding must also be set to TRUE to enable multicast routing 643 conf/all/mc_forwarding must also be set to TRUE to enable multicast
644 for the interface 644 routing for the interface
645 645
646medium_id - INTEGER 646medium_id - INTEGER
647 Integer value used to differentiate the devices by the medium they 647 Integer value used to differentiate the devices by the medium they
@@ -649,7 +649,7 @@ medium_id - INTEGER
649 the broadcast packets are received only on one of them. 649 the broadcast packets are received only on one of them.
650 The default value 0 means that the device is the only interface 650 The default value 0 means that the device is the only interface
651 to its medium, value of -1 means that medium is not known. 651 to its medium, value of -1 means that medium is not known.
652 652
653 Currently, it is used to change the proxy_arp behavior: 653 Currently, it is used to change the proxy_arp behavior:
654 the proxy_arp feature is enabled for packets forwarded between 654 the proxy_arp feature is enabled for packets forwarded between
655 two devices attached to different media. 655 two devices attached to different media.
@@ -710,9 +710,9 @@ rp_filter - INTEGER
710 and if the source address is not reachable via any interface 710 and if the source address is not reachable via any interface
711 the packet check will fail. 711 the packet check will fail.
712 712
713 Current recommended practice in RFC3704 is to enable strict mode 713 Current recommended practice in RFC3704 is to enable strict mode
714 to prevent IP spoofing from DDos attacks. If using asymmetric routing 714 to prevent IP spoofing from DDos attacks. If using asymmetric routing
715 or other complicated routing, then loose mode is recommended. 715 or other complicated routing, then loose mode is recommended.
716 716
717 conf/all/rp_filter must also be set to non-zero to do source validation 717 conf/all/rp_filter must also be set to non-zero to do source validation
718 on the interface 718 on the interface
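Review bot: line 714 still says "to prevent IP spoofing from DDos attacks", which has the capitalisation wrong ("DDoS") and reads as if the attack were the source of the spoofing. Suggest "to prevent IP spoofing used in DDoS attacks". The sentence on lines 717-718 also lacks a closing period.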
@@ -835,7 +835,7 @@ apply to IPv6 [XXX?].
835 835
836bindv6only - BOOLEAN 836bindv6only - BOOLEAN
837 Default value for IPV6_V6ONLY socket option, 837 Default value for IPV6_V6ONLY socket option,
838 which restricts use of the IPv6 socket to IPv6 communication 838 which restricts use of the IPv6 socket to IPv6 communication
839 only. 839 only.
840 TRUE: disable IPv4-mapped address feature 840 TRUE: disable IPv4-mapped address feature
841 FALSE: enable IPv4-mapped address feature 841 FALSE: enable IPv4-mapped address feature
@@ -845,19 +845,19 @@ bindv6only - BOOLEAN
845IPv6 Fragmentation: 845IPv6 Fragmentation:
846 846
847ip6frag_high_thresh - INTEGER 847ip6frag_high_thresh - INTEGER
848 Maximum memory used to reassemble IPv6 fragments. When 848 Maximum memory used to reassemble IPv6 fragments. When
849 ip6frag_high_thresh bytes of memory is allocated for this purpose, 849 ip6frag_high_thresh bytes of memory is allocated for this purpose,
850 the fragment handler will toss packets until ip6frag_low_thresh 850 the fragment handler will toss packets until ip6frag_low_thresh
851 is reached. 851 is reached.
852 852
853ip6frag_low_thresh - INTEGER 853ip6frag_low_thresh - INTEGER
854 See ip6frag_high_thresh 854 See ip6frag_high_thresh
855 855
856ip6frag_time - INTEGER 856ip6frag_time - INTEGER
857 Time in seconds to keep an IPv6 fragment in memory. 857 Time in seconds to keep an IPv6 fragment in memory.
858 858
859ip6frag_secret_interval - INTEGER 859ip6frag_secret_interval - INTEGER
860 Regeneration interval (in seconds) of the hash secret (or lifetime 860 Regeneration interval (in seconds) of the hash secret (or lifetime
861 for the hash secret) for IPv6 fragments. 861 for the hash secret) for IPv6 fragments.
862 Default: 600 862 Default: 600
863 863
@@ -866,17 +866,17 @@ conf/default/*:
866 866
867 867
868conf/all/*: 868conf/all/*:
869 Change all the interface-specific settings. 869 Change all the interface-specific settings.
870 870
871 [XXX: Other special features than forwarding?] 871 [XXX: Other special features than forwarding?]
872 872
873conf/all/forwarding - BOOLEAN 873conf/all/forwarding - BOOLEAN
874 Enable global IPv6 forwarding between all interfaces. 874 Enable global IPv6 forwarding between all interfaces.
875 875
876 IPv4 and IPv6 work differently here; e.g. netfilter must be used 876 IPv4 and IPv6 work differently here; e.g. netfilter must be used
877 to control which interfaces may forward packets and which not. 877 to control which interfaces may forward packets and which not.
878 878
879 This also sets all interfaces' Host/Router setting 879 This also sets all interfaces' Host/Router setting
880 'forwarding' to the specified value. See below for details. 880 'forwarding' to the specified value. See below for details.
881 881
882 This referred to as global forwarding. 882 This referred to as global forwarding.
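Review bot: line 871 leaves the open question "[XXX: Other special features than forwarding?]" in user-facing documentation; either answer it or drop it while touching the line. The context line 882, "This referred to as global forwarding.", is missing a verb and should read "This is referred to as global forwarding."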
@@ -887,12 +887,12 @@ proxy_ndp - BOOLEAN
887conf/interface/*: 887conf/interface/*:
888 Change special settings per interface. 888 Change special settings per interface.
889 889
890 The functional behaviour for certain settings is different 890 The functional behaviour for certain settings is different
891 depending on whether local forwarding is enabled or not. 891 depending on whether local forwarding is enabled or not.
892 892
893accept_ra - BOOLEAN 893accept_ra - BOOLEAN
894 Accept Router Advertisements; autoconfigure using them. 894 Accept Router Advertisements; autoconfigure using them.
895 895
896 Functional default: enabled if local forwarding is disabled. 896 Functional default: enabled if local forwarding is disabled.
897 disabled if local forwarding is enabled. 897 disabled if local forwarding is enabled.
898 898
@@ -938,7 +938,7 @@ accept_source_route - INTEGER
938 Default: 0 938 Default: 0
939 939
940autoconf - BOOLEAN 940autoconf - BOOLEAN
941 Autoconfigure addresses using Prefix Information in Router 941 Autoconfigure addresses using Prefix Information in Router
942 Advertisements. 942 Advertisements.
943 943
944 Functional default: enabled if accept_ra_pinfo is enabled. 944 Functional default: enabled if accept_ra_pinfo is enabled.
@@ -947,11 +947,11 @@ autoconf - BOOLEAN
947dad_transmits - INTEGER 947dad_transmits - INTEGER
948 The amount of Duplicate Address Detection probes to send. 948 The amount of Duplicate Address Detection probes to send.
949 Default: 1 949 Default: 1
950 950
951forwarding - BOOLEAN 951forwarding - BOOLEAN
952 Configure interface-specific Host/Router behaviour. 952 Configure interface-specific Host/Router behaviour.
953 953
954 Note: It is recommended to have the same setting on all 954 Note: It is recommended to have the same setting on all
955 interfaces; mixed router/host scenarios are rather uncommon. 955 interfaces; mixed router/host scenarios are rather uncommon.
956 956
957 FALSE: 957 FALSE:
@@ -960,13 +960,13 @@ forwarding - BOOLEAN
960 960
961 1. IsRouter flag is not set in Neighbour Advertisements. 961 1. IsRouter flag is not set in Neighbour Advertisements.
962 2. Router Solicitations are being sent when necessary. 962 2. Router Solicitations are being sent when necessary.
963 3. If accept_ra is TRUE (default), accept Router 963 3. If accept_ra is TRUE (default), accept Router
964 Advertisements (and do autoconfiguration). 964 Advertisements (and do autoconfiguration).
965 4. If accept_redirects is TRUE (default), accept Redirects. 965 4. If accept_redirects is TRUE (default), accept Redirects.
966 966
967 TRUE: 967 TRUE:
968 968
969 If local forwarding is enabled, Router behaviour is assumed. 969 If local forwarding is enabled, Router behaviour is assumed.
970 This means exactly the reverse from the above: 970 This means exactly the reverse from the above:
971 971
972 1. IsRouter flag is set in Neighbour Advertisements. 972 1. IsRouter flag is set in Neighbour Advertisements.
@@ -1001,7 +1001,7 @@ router_solicitation_interval - INTEGER
1001 Default: 4 1001 Default: 4
1002 1002
1003router_solicitations - INTEGER 1003router_solicitations - INTEGER
1004 Number of Router Solicitations to send until assuming no 1004 Number of Router Solicitations to send until assuming no
1005 routers are present. 1005 routers are present.
1006 Default: 3 1006 Default: 3
1007 1007
@@ -1025,11 +1025,11 @@ temp_prefered_lft - INTEGER
1025 1025
1026max_desync_factor - INTEGER 1026max_desync_factor - INTEGER
1027 Maximum value for DESYNC_FACTOR, which is a random value 1027 Maximum value for DESYNC_FACTOR, which is a random value
1028 that ensures that clients don't synchronize with each 1028 that ensures that clients don't synchronize with each
1029 other and generate new addresses at exactly the same time. 1029 other and generate new addresses at exactly the same time.
1030 value is in seconds. 1030 value is in seconds.
1031 Default: 600 1031 Default: 600
1032 1032
1033regen_max_retry - INTEGER 1033regen_max_retry - INTEGER
1034 Number of attempts before give up attempting to generate 1034 Number of attempts before give up attempting to generate
1035 valid temporary addresses. 1035 valid temporary addresses.
@@ -1037,8 +1037,8 @@ regen_max_retry - INTEGER
1037 1037
1038max_addresses - INTEGER 1038max_addresses - INTEGER
1039 Number of maximum addresses per interface. 0 disables limitation. 1039 Number of maximum addresses per interface. 0 disables limitation.
1040 It is recommended not set too large value (or 0) because it would 1040 It is recommended not set too large value (or 0) because it would
1041 be too easy way to crash kernel to allow to create too much of 1041 be too easy way to crash kernel to allow to create too much of
1042 autoconfigured addresses. 1042 autoconfigured addresses.
1043 Default: 16 1043 Default: 16
1044 1044
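Review bot: lines 1040-1042 are modified but the sentence stays ungrammatical ("It is recommended not set too large value (or 0) because it would be too easy way to crash kernel"). This is the one place the text explains why the limit exists, so it should be clear: for example, "It is not recommended to set this value too large (or to 0), because allowing too many autoconfigured addresses is an easy way to crash the kernel."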