Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /proc/sys/net/ipv4/* Variables: |
2 | ||
3 | ip_forward - BOOLEAN | |
4 | 0 - disabled (default) | |
e18f5feb | 5 | not 0 - enabled |
1da177e4 LT |
6 | |
7 | Forward Packets between interfaces. | |
8 | ||
9 | This variable is special, its change resets all configuration | |
10 | parameters to their default state (RFC1122 for hosts, RFC1812 | |
11 | for routers) | |
12 | ||
13 | ip_default_ttl - INTEGER | |
14 | default 64 | |
15 | ||
16 | ip_no_pmtu_disc - BOOLEAN | |
17 | Disable Path MTU Discovery. | |
18 | default FALSE | |
19 | ||
20 | min_pmtu - INTEGER | |
21 | default 562 - minimum discovered Path MTU | |
22 | ||
23 | mtu_expires - INTEGER | |
24 | Time, in seconds, that cached PMTU information is kept. | |
25 | ||
26 | min_adv_mss - INTEGER | |
27 | The advertised MSS depends on the first hop route MTU, but will | |
28 | never be lower than this setting. | |
29 | ||
1080d709 NH |
30 | rt_cache_rebuild_count - INTEGER |
31 | The per net-namespace route cache emergency rebuild threshold. | |
32 | Any net-namespace having its route cache rebuilt due to | |
33 | a hash bucket chain being too long more than this many times | |
34 | will have its route caching disabled | |
35 | ||
1da177e4 LT |
36 | IP Fragmentation: |
37 | ||
38 | ipfrag_high_thresh - INTEGER | |
e18f5feb | 39 | Maximum memory used to reassemble IP fragments. When |
1da177e4 LT |
40 | ipfrag_high_thresh bytes of memory is allocated for this purpose, |
41 | the fragment handler will toss packets until ipfrag_low_thresh | |
42 | is reached. | |
e18f5feb | 43 | |
1da177e4 | 44 | ipfrag_low_thresh - INTEGER |
e18f5feb | 45 | See ipfrag_high_thresh |
1da177e4 LT |
46 | |
47 | ipfrag_time - INTEGER | |
e18f5feb | 48 | Time in seconds to keep an IP fragment in memory. |
1da177e4 LT |
49 | |
50 | ipfrag_secret_interval - INTEGER | |
e18f5feb | 51 | Regeneration interval (in seconds) of the hash secret (or lifetime |
1da177e4 LT |
52 | for the hash secret) for IP fragments. |
53 | Default: 600 | |
54 | ||
89cee8b1 | 55 | ipfrag_max_dist - INTEGER |
e18f5feb JDB |
56 | ipfrag_max_dist is a non-negative integer value which defines the |
57 | maximum "disorder" which is allowed among fragments which share a | |
58 | common IP source address. Note that reordering of packets is | |
59 | not unusual, but if a large number of fragments arrive from a source | |
60 | IP address while a particular fragment queue remains incomplete, it | |
61 | probably indicates that one or more fragments belonging to that queue | |
62 | have been lost. When ipfrag_max_dist is positive, an additional check | |
63 | is done on fragments before they are added to a reassembly queue - if | |
64 | ipfrag_max_dist (or more) fragments have arrived from a particular IP | |
65 | address between additions to any IP fragment queue using that source | |
66 | address, it's presumed that one or more fragments in the queue are | |
67 | lost. The existing fragment queue will be dropped, and a new one | |
89cee8b1 HX |
68 | started. An ipfrag_max_dist value of zero disables this check. |
69 | ||
70 | Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can | |
71 | result in unnecessarily dropping fragment queues when normal | |
e18f5feb JDB |
72 | reordering of packets occurs, which could lead to poor application |
73 | performance. Using a very large value, e.g. 50000, increases the | |
74 | likelihood of incorrectly reassembling IP fragments that originate | |
89cee8b1 HX |
75 | from different IP datagrams, which could result in data corruption. |
76 | Default: 64 | |
77 | ||
1da177e4 LT |
78 | INET peer storage: |
79 | ||
80 | inet_peer_threshold - INTEGER | |
e18f5feb | 81 | The approximate size of the storage. Starting from this threshold |
1da177e4 LT |
82 | entries will be thrown aggressively. This threshold also determines |
83 | entries' time-to-live and time intervals between garbage collection | |
84 | passes. More entries, less time-to-live, less GC interval. | |
85 | ||
86 | inet_peer_minttl - INTEGER | |
87 | Minimum time-to-live of entries. Should be enough to cover fragment | |
88 | time-to-live on the reassembling side. This minimum time-to-live is | |
89 | guaranteed if the pool size is less than inet_peer_threshold. | |
77a538d5 | 90 | Measured in seconds. |
1da177e4 LT |
91 | |
92 | inet_peer_maxttl - INTEGER | |
93 | Maximum time-to-live of entries. Unused entries will expire after | |
94 | this period of time if there is no memory pressure on the pool (i.e. | |
95 | when the number of entries in the pool is very small). | |
77a538d5 | 96 | Measured in seconds. |
1da177e4 LT |
97 | |
98 | inet_peer_gc_mintime - INTEGER | |
99 | Minimum interval between garbage collection passes. This interval is | |
100 | in effect under high memory pressure on the pool. | |
77a538d5 | 101 | Measured in seconds. |
1da177e4 LT |
102 | |
103 | inet_peer_gc_maxtime - INTEGER | |
104 | Minimum interval between garbage collection passes. This interval is | |
105 | in effect under low (or absent) memory pressure on the pool. | |
77a538d5 | 106 | Measured in seconds. |
1da177e4 | 107 | |
e18f5feb | 108 | TCP variables: |
1da177e4 | 109 | |
ef56e622 SH |
110 | somaxconn - INTEGER |
111 | Limit of socket listen() backlog, known in userspace as SOMAXCONN. | |
112 | Defaults to 128. See also tcp_max_syn_backlog for additional tuning | |
113 | for TCP sockets. | |
114 | ||
9772efb9 | 115 | tcp_abc - INTEGER |
b3a8a40d SH |
116 | Controls Appropriate Byte Count (ABC) defined in RFC3465. |
117 | ABC is a way of increasing congestion window (cwnd) more slowly | |
118 | in response to partial acknowledgments. | |
119 | Possible values are: | |
120 | 0 increase cwnd once per acknowledgment (no ABC) | |
121 | 1 increase cwnd once per acknowledgment of full sized segment | |
122 | 2 allow increase cwnd by two if acknowledgment is | |
123 | of two segments to compensate for delayed acknowledgments. | |
124 | Default: 0 (off) | |
9772efb9 | 125 | |
ef56e622 SH |
126 | tcp_abort_on_overflow - BOOLEAN |
127 | If listening service is too slow to accept new connections, | |
128 | reset them. Default state is FALSE. It means that if overflow | |
129 | occurred due to a burst, connection will recover. Enable this | |
130 | option _only_ if you are really sure that listening daemon | |
131 | cannot be tuned to accept connections faster. Enabling this | |
132 | option can harm clients of your server. | |
1da177e4 | 133 | |
ef56e622 SH |
134 | tcp_adv_win_scale - INTEGER |
135 | Count buffering overhead as bytes/2^tcp_adv_win_scale | |
136 | (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), | |
137 | if it is <= 0. | |
138 | Default: 2 | |
1da177e4 | 139 | |
ef56e622 SH |
140 | tcp_allowed_congestion_control - STRING |
141 | Show/set the congestion control choices available to non-privileged | |
142 | processes. The list is a subset of those listed in | |
143 | tcp_available_congestion_control. | |
144 | Default is "reno" and the default setting (tcp_congestion_control). | |
1da177e4 | 145 | |
ef56e622 SH |
146 | tcp_app_win - INTEGER |
147 | Reserve max(window/2^tcp_app_win, mss) of window for application | |
148 | buffer. Value 0 is special, it means that nothing is reserved. | |
149 | Default: 31 | |
1da177e4 | 150 | |
ef56e622 SH |
151 | tcp_available_congestion_control - STRING |
152 | Shows the available congestion control choices that are registered. | |
153 | More congestion control algorithms may be available as modules, | |
154 | but not loaded. | |
1da177e4 | 155 | |
71599cd1 | 156 | tcp_base_mss - INTEGER |
4edc2f34 SH |
157 | The initial value of search_low to be used by the packetization layer |
158 | Path MTU discovery (MTU probing). If MTU probing is enabled, | |
159 | this is the initial MSS used by the connection. | |
71599cd1 | 160 | |
ef56e622 SH |
161 | tcp_congestion_control - STRING |
162 | Set the congestion control algorithm to be used for new | |
163 | connections. The algorithm "reno" is always available, but | |
164 | additional choices may be available based on kernel configuration. | |
165 | Default is set as part of kernel configuration. | |
1da177e4 | 166 | |
ef56e622 SH |
167 | tcp_dsack - BOOLEAN |
168 | Allows TCP to send "duplicate" SACKs. | |
1da177e4 | 169 | |
ef56e622 | 170 | tcp_ecn - BOOLEAN |
255cac91 IJ |
171 | Enable Explicit Congestion Notification (ECN) in TCP. ECN is only |
172 | used when both ends of the TCP flow support it. It is useful to | |
173 | avoid losses due to congestion (when the bottleneck router supports | |
174 | ECN). | |
175 | Possible values are: | |
176 | 0 disable ECN | |
177 | 1 ECN enabled | |
178 | 2 Only server-side ECN enabled. If the other end does | |
179 | not support ECN, behavior is like with ECN disabled. | |
180 | Default: 2 | |
ef56e622 SH |
181 | |
182 | tcp_fack - BOOLEAN | |
183 | Enable FACK congestion avoidance and fast retransmission. | |
184 | The value is not used, if tcp_sack is not enabled. | |
1da177e4 LT |
185 | |
186 | tcp_fin_timeout - INTEGER | |
187 | Time to hold socket in state FIN-WAIT-2, if it was closed | |
188 | by our side. Peer can be broken and never close its side, | |
189 | or even died unexpectedly. Default value is 60sec. | |
190 | Usual value used in 2.2 was 180 seconds, you may restore | |
191 | it, but remember that if your machine is even underloaded WEB server, | |
192 | you risk to overflow memory with kilotons of dead sockets, | |
193 | FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, | |
194 | because they eat maximum 1.5K of memory, but they tend | |
195 | to live longer. Cf. tcp_max_orphans. | |
196 | ||
89808060 | 197 | tcp_frto - INTEGER |
cd99889c IJ |
198 | Enables Forward RTO-Recovery (F-RTO) defined in RFC4138. |
199 | F-RTO is an enhanced recovery algorithm for TCP retransmission | |
ef56e622 SH |
200 | timeouts. It is particularly beneficial in wireless environments |
201 | where packet loss is typically due to random radio interference | |
564262c1 | 202 | rather than intermediate router congestion. F-RTO is sender-side |
4edc2f34 SH |
203 | only modification. Therefore it does not require any support from |
204 | the peer. | |
205 | ||
cd99889c IJ |
206 | If set to 1, basic version is enabled. 2 enables SACK enhanced |
207 | F-RTO if flow uses SACK. The basic version can be used also when | |
564262c1 | 208 | SACK is in use though scenario(s) with it exists where F-RTO |
cd99889c IJ |
209 | interacts badly with the packet counting of the SACK enabled TCP |
210 | flow. | |
1da177e4 | 211 | |
89808060 IJ |
212 | tcp_frto_response - INTEGER |
213 | When F-RTO has detected that a TCP retransmission timeout was | |
214 | spurious (i.e, the timeout would have been avoided had TCP set a | |
215 | longer retransmission timeout), TCP has several options what to do | |
216 | next. Possible values are: | |
217 | 0 Rate halving based; a smooth and conservative response, | |
218 | results in halved cwnd and ssthresh after one RTT | |
219 | 1 Very conservative response; not recommended because even | |
220 | though being valid, it interacts poorly with the rest of | |
221 | Linux TCP, halves cwnd and ssthresh immediately | |
222 | 2 Aggressive response; undoes congestion control measures | |
223 | that are now known to be unnecessary (ignoring the | |
224 | possibility of a lost retransmission that would require | |
225 | TCP to be more cautious), cwnd and ssthresh are restored | |
226 | to the values prior timeout | |
227 | Default: 0 (rate halving based) | |
228 | ||
ef56e622 SH |
229 | tcp_keepalive_time - INTEGER |
230 | How often TCP sends out keepalive messages when keepalive is enabled. | |
231 | Default: 2hours. | |
1da177e4 | 232 | |
ef56e622 SH |
233 | tcp_keepalive_probes - INTEGER |
234 | How many keepalive probes TCP sends out, until it decides that the | |
235 | connection is broken. Default value: 9. | |
236 | ||
237 | tcp_keepalive_intvl - INTEGER | |
238 | How frequently the probes are send out. Multiplied by | |
239 | tcp_keepalive_probes it is time to kill not responding connection, | |
240 | after probes started. Default value: 75sec i.e. connection | |
241 | will be aborted after ~11 minutes of retries. | |
242 | ||
243 | tcp_low_latency - BOOLEAN | |
244 | If set, the TCP stack makes decisions that prefer lower | |
245 | latency as opposed to higher throughput. By default, this | |
246 | option is not set meaning that higher throughput is preferred. | |
247 | An example of an application where this default should be | |
248 | changed would be a Beowulf compute cluster. | |
249 | Default: 0 | |
1da177e4 LT |
250 | |
251 | tcp_max_orphans - INTEGER | |
252 | Maximal number of TCP sockets not attached to any user file handle, | |
253 | held by system. If this number is exceeded orphaned connections are | |
254 | reset immediately and warning is printed. This limit exists | |
255 | only to prevent simple DoS attacks, you _must_ not rely on this | |
256 | or lower the limit artificially, but rather increase it | |
257 | (probably, after increasing installed memory), | |
258 | if network conditions require more than default value, | |
259 | and tune network services to linger and kill such states | |
260 | more aggressively. Let me to remind again: each orphan eats | |
261 | up to ~64K of unswappable memory. | |
262 | ||
1da177e4 LT |
263 | tcp_max_syn_backlog - INTEGER |
264 | Maximal number of remembered connection requests, which are | |
265 | still did not receive an acknowledgment from connecting client. | |
266 | Default value is 1024 for systems with more than 128Mb of memory, | |
267 | and 128 for low memory machines. If server suffers of overload, | |
268 | try to increase this number. | |
269 | ||
ef56e622 SH |
270 | tcp_max_tw_buckets - INTEGER |
271 | Maximal number of timewait sockets held by system simultaneously. | |
272 | If this number is exceeded time-wait socket is immediately destroyed | |
273 | and warning is printed. This limit exists only to prevent | |
274 | simple DoS attacks, you _must_ not lower the limit artificially, | |
275 | but rather increase it (probably, after increasing installed memory), | |
276 | if network conditions require more than default value. | |
1da177e4 | 277 | |
ef56e622 SH |
278 | tcp_mem - vector of 3 INTEGERs: min, pressure, max |
279 | min: below this number of pages TCP is not bothered about its | |
280 | memory appetite. | |
1da177e4 | 281 | |
ef56e622 SH |
282 | pressure: when amount of memory allocated by TCP exceeds this number |
283 | of pages, TCP moderates its memory consumption and enters memory | |
284 | pressure mode, which is exited when memory consumption falls | |
285 | under "min". | |
1da177e4 | 286 | |
ef56e622 | 287 | max: number of pages allowed for queueing by all TCP sockets. |
1da177e4 | 288 | |
ef56e622 SH |
289 | Defaults are calculated at boot time from amount of available |
290 | memory. | |
1da177e4 | 291 | |
71599cd1 | 292 | tcp_moderate_rcvbuf - BOOLEAN |
4edc2f34 | 293 | If set, TCP performs receive buffer auto-tuning, attempting to |
71599cd1 JH |
294 | automatically size the buffer (no greater than tcp_rmem[2]) to |
295 | match the size required by the path for full throughput. Enabled by | |
296 | default. | |
297 | ||
298 | tcp_mtu_probing - INTEGER | |
299 | Controls TCP Packetization-Layer Path MTU Discovery. Takes three | |
300 | values: | |
301 | 0 - Disabled | |
302 | 1 - Disabled by default, enabled when an ICMP black hole detected | |
303 | 2 - Always enabled, use initial MSS of tcp_base_mss. | |
304 | ||
305 | tcp_no_metrics_save - BOOLEAN | |
306 | By default, TCP saves various connection metrics in the route cache | |
307 | when the connection closes, so that connections established in the | |
308 | near future can use these to set initial conditions. Usually, this | |
309 | increases overall performance, but may sometimes cause performance | |
0f035b8e | 310 | degradation. If set, TCP will not cache metrics on closing |
71599cd1 JH |
311 | connections. |
312 | ||
ef56e622 | 313 | tcp_orphan_retries - INTEGER |
5d789229 DL |
314 | This value influences the timeout of a locally closed TCP connection, |
315 | when RTO retransmissions remain unacknowledged. | |
316 | See tcp_retries2 for more details. | |
317 | ||
318 | The default value is 7. | |
319 | If your machine is a loaded WEB server, | |
ef56e622 SH |
320 | you should think about lowering this value, such sockets |
321 | may consume significant resources. Cf. tcp_max_orphans. | |
1da177e4 LT |
322 | |
323 | tcp_reordering - INTEGER | |
324 | Maximal reordering of packets in a TCP stream. | |
e18f5feb | 325 | Default: 3 |
1da177e4 LT |
326 | |
327 | tcp_retrans_collapse - BOOLEAN | |
328 | Bug-to-bug compatibility with some broken printers. | |
329 | On retransmit try to send bigger packets to work around bugs in | |
330 | certain TCP stacks. | |
331 | ||
ef56e622 | 332 | tcp_retries1 - INTEGER |
5d789229 DL |
333 | This value influences the time, after which TCP decides, that |
334 | something is wrong due to unacknowledged RTO retransmissions, | |
335 | and reports this suspicion to the network layer. | |
336 | See tcp_retries2 for more details. | |
337 | ||
338 | RFC 1122 recommends at least 3 retransmissions, which is the | |
339 | default. | |
1da177e4 | 340 | |
ef56e622 | 341 | tcp_retries2 - INTEGER |
5d789229 DL |
342 | This value influences the timeout of an alive TCP connection, |
343 | when RTO retransmissions remain unacknowledged. | |
344 | Given a value of N, a hypothetical TCP connection following | |
345 | exponential backoff with an initial RTO of TCP_RTO_MIN would | |
346 | retransmit N times before killing the connection at the (N+1)th RTO. | |
347 | ||
348 | The default value of 15 yields a hypothetical timeout of 924.6 | |
349 | seconds and is a lower bound for the effective timeout. | |
350 | TCP will effectively time out at the first RTO which exceeds the | |
351 | hypothetical timeout. | |
352 | ||
353 | RFC 1122 recommends at least 100 seconds for the timeout, | |
354 | which corresponds to a value of at least 8. | |
1da177e4 | 355 | |
ef56e622 SH |
356 | tcp_rfc1337 - BOOLEAN |
357 | If set, the TCP stack behaves conforming to RFC1337. If unset, | |
358 | we are not conforming to RFC, but prevent TCP TIME_WAIT | |
359 | assassination. | |
360 | Default: 0 | |
1da177e4 LT |
361 | |
362 | tcp_rmem - vector of 3 INTEGERs: min, default, max | |
363 | min: Minimal size of receive buffer used by TCP sockets. | |
364 | It is guaranteed to each TCP socket, even under moderate memory | |
365 | pressure. | |
366 | Default: 8K | |
367 | ||
53025f5e | 368 | default: initial size of receive buffer used by TCP sockets. |
1da177e4 LT |
369 | This value overrides net.core.rmem_default used by other protocols. |
370 | Default: 87380 bytes. This value results in window of 65535 with | |
371 | default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit | |
372 | less for default tcp_app_win. See below about these variables. | |
373 | ||
374 | max: maximal size of receive buffer allowed for automatically | |
375 | selected receiver buffers for TCP socket. This value does not override | |
53025f5e BF |
376 | net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables |
377 | automatic tuning of that socket's receive buffer size, in which | |
378 | case this value is ignored. | |
379 | Default: between 87380B and 4MB, depending on RAM size. | |
1da177e4 | 380 | |
ef56e622 SH |
381 | tcp_sack - BOOLEAN |
382 | Enable select acknowledgments (SACKS). | |
1da177e4 | 383 | |
ef56e622 SH |
384 | tcp_slow_start_after_idle - BOOLEAN |
385 | If set, provide RFC2861 behavior and time out the congestion | |
386 | window after an idle period. An idle period is defined at | |
387 | the current RTO. If unset, the congestion window will not | |
388 | be timed out after an idle period. | |
389 | Default: 1 | |
1da177e4 | 390 | |
ef56e622 | 391 | tcp_stdurg - BOOLEAN |
4edc2f34 | 392 | Use the Host requirements interpretation of the TCP urgent pointer field. |
ef56e622 SH |
393 | Most hosts use the older BSD interpretation, so if you turn this on |
394 | Linux might not communicate correctly with them. | |
395 | Default: FALSE | |
1da177e4 | 396 | |
ef56e622 SH |
397 | tcp_synack_retries - INTEGER |
398 | Number of times SYNACKs for a passive TCP connection attempt will | |
399 | be retransmitted. Should not be higher than 255. Default value | |
400 | is 5, which corresponds to ~180seconds. | |
1da177e4 | 401 | |
ef56e622 SH |
402 | tcp_syncookies - BOOLEAN |
403 | Only valid when the kernel was compiled with CONFIG_SYNCOOKIES | |
404 | Send out syncookies when the syn backlog queue of a socket | |
4edc2f34 | 405 | overflows. This is to prevent against the common 'SYN flood attack' |
ef56e622 | 406 | Default: FALSE |
1da177e4 | 407 | |
ef56e622 SH |
408 | Note, that syncookies is fallback facility. |
409 | It MUST NOT be used to help highly loaded servers to stand | |
4edc2f34 | 410 | against legal connection rate. If you see SYN flood warnings |
ef56e622 SH |
411 | in your logs, but investigation shows that they occur |
412 | because of overload with legal connections, you should tune | |
413 | another parameters until this warning disappear. | |
414 | See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. | |
1da177e4 | 415 | |
ef56e622 SH |
416 | syncookies seriously violate TCP protocol, do not allow |
417 | to use TCP extensions, can result in serious degradation | |
418 | of some services (f.e. SMTP relaying), visible not by you, | |
419 | but your clients and relays, contacting you. While you see | |
4edc2f34 | 420 | SYN flood warnings in logs not being really flooded, your server |
ef56e622 | 421 | is seriously misconfigured. |
1da177e4 | 422 | |
ef56e622 SH |
423 | tcp_syn_retries - INTEGER |
424 | Number of times initial SYNs for an active TCP connection attempt | |
425 | will be retransmitted. Should not be higher than 255. Default value | |
426 | is 5, which corresponds to ~180seconds. | |
427 | ||
428 | tcp_timestamps - BOOLEAN | |
429 | Enable timestamps as defined in RFC1323. | |
1da177e4 | 430 | |
1da177e4 | 431 | tcp_tso_win_divisor - INTEGER |
ef56e622 SH |
432 | This allows control over what percentage of the congestion window |
433 | can be consumed by a single TSO frame. | |
434 | The setting of this parameter is a choice between burstiness and | |
435 | building larger TSO frames. | |
436 | Default: 3 | |
1da177e4 | 437 | |
ef56e622 SH |
438 | tcp_tw_recycle - BOOLEAN |
439 | Enable fast recycling TIME-WAIT sockets. Default value is 0. | |
440 | It should not be changed without advice/request of technical | |
441 | experts. | |
1da177e4 | 442 | |
ef56e622 SH |
443 | tcp_tw_reuse - BOOLEAN |
444 | Allow to reuse TIME-WAIT sockets for new connections when it is | |
445 | safe from protocol viewpoint. Default value is 0. | |
446 | It should not be changed without advice/request of technical | |
447 | experts. | |
ce7bc3bf | 448 | |
ef56e622 SH |
449 | tcp_window_scaling - BOOLEAN |
450 | Enable window scaling as defined in RFC1323. | |
3ff825b2 | 451 | |
ef56e622 | 452 | tcp_wmem - vector of 3 INTEGERs: min, default, max |
53025f5e | 453 | min: Amount of memory reserved for send buffers for TCP sockets. |
ef56e622 SH |
454 | Each TCP socket has rights to use it due to fact of its birth. |
455 | Default: 4K | |
9d7bcfc6 | 456 | |
53025f5e BF |
457 | default: initial size of send buffer used by TCP sockets. This |
458 | value overrides net.core.wmem_default used by other protocols. | |
459 | It is usually lower than net.core.wmem_default. | |
ef56e622 SH |
460 | Default: 16K |
461 | ||
53025f5e BF |
462 | max: Maximal amount of memory allowed for automatically tuned |
463 | send buffers for TCP sockets. This value does not override | |
464 | net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables | |
465 | automatic tuning of that socket's send buffer size, in which case | |
466 | this value is ignored. | |
467 | Default: between 64K and 4MB, depending on RAM size. | |
1da177e4 | 468 | |
15d99e02 RJ |
469 | tcp_workaround_signed_windows - BOOLEAN |
470 | If set, assume no receipt of a window scaling option means the | |
471 | remote TCP is broken and treats the window as a signed quantity. | |
472 | If unset, assume the remote TCP is not broken even if we do | |
473 | not receive a window scaling option from them. | |
474 | Default: 0 | |
475 | ||
72d0b7a8 CL |
476 | tcp_dma_copybreak - INTEGER |
477 | Lower limit, in bytes, of the size of socket reads that will be | |
478 | offloaded to a DMA copy engine, if one is present in the system | |
479 | and CONFIG_NET_DMA is enabled. | |
480 | Default: 4096 | |
481 | ||
95766fff HA |
482 | UDP variables: |
483 | ||
484 | udp_mem - vector of 3 INTEGERs: min, pressure, max | |
485 | Number of pages allowed for queueing by all UDP sockets. | |
486 | ||
487 | min: Below this number of pages UDP is not bothered about its | |
488 | memory appetite. When amount of memory allocated by UDP exceeds | |
489 | this number, UDP starts to moderate memory usage. | |
490 | ||
491 | pressure: This value was introduced to follow format of tcp_mem. | |
492 | ||
493 | max: Number of pages allowed for queueing by all UDP sockets. | |
494 | ||
495 | Default is calculated at boot time from amount of available memory. | |
496 | ||
497 | udp_rmem_min - INTEGER | |
498 | Minimal size of receive buffer used by UDP sockets in moderation. | |
499 | Each UDP socket is able to use the size for receiving data, even if | |
500 | total pages of UDP sockets exceed udp_mem pressure. The unit is byte. | |
501 | Default: 4096 | |
502 | ||
503 | udp_wmem_min - INTEGER | |
504 | Minimal size of send buffer used by UDP sockets in moderation. | |
505 | Each UDP socket is able to use the size for sending data, even if | |
506 | total pages of UDP sockets exceed udp_mem pressure. The unit is byte. | |
507 | Default: 4096 | |
508 | ||
8802f616 PM |
509 | CIPSOv4 Variables: |
510 | ||
511 | cipso_cache_enable - BOOLEAN | |
512 | If set, enable additions to and lookups from the CIPSO label mapping | |
513 | cache. If unset, additions are ignored and lookups always result in a | |
514 | miss. However, regardless of the setting the cache is still | |
515 | invalidated when required when means you can safely toggle this on and | |
516 | off and the cache will always be "safe". | |
517 | Default: 1 | |
518 | ||
519 | cipso_cache_bucket_size - INTEGER | |
520 | The CIPSO label cache consists of a fixed size hash table with each | |
521 | hash bucket containing a number of cache entries. This variable limits | |
522 | the number of entries in each hash bucket; the larger the value the | |
523 | more CIPSO label mappings that can be cached. When the number of | |
524 | entries in a given hash bucket reaches this limit adding new entries | |
525 | causes the oldest entry in the bucket to be removed to make room. | |
526 | Default: 10 | |
527 | ||
528 | cipso_rbm_optfmt - BOOLEAN | |
529 | Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of | |
530 | the CIPSO draft specification (see Documentation/netlabel for details). | |
531 | This means that when set the CIPSO tag will be padded with empty | |
532 | categories in order to make the packet data 32-bit aligned. | |
533 | Default: 0 | |
534 | ||
535 | cipso_rbm_structvalid - BOOLEAN | |
536 | If set, do a very strict check of the CIPSO option when | |
537 | ip_options_compile() is called. If unset, relax the checks done during | |
538 | ip_options_compile(). Either way is "safe" as errors are caught else | |
539 | where in the CIPSO processing code but setting this to 0 (False) should | |
540 | result in less work (i.e. it should be faster) but could cause problems | |
541 | with other implementations that require strict checking. | |
542 | Default: 0 | |
543 | ||
1da177e4 LT |
544 | IP Variables: |
545 | ||
546 | ip_local_port_range - 2 INTEGERS | |
547 | Defines the local port range that is used by TCP and UDP to | |
e18f5feb | 548 | choose the local port. The first number is the first, the |
1da177e4 LT |
549 | second the last local port number. Default value depends on |
550 | amount of memory available on the system: | |
551 | > 128Mb 32768-61000 | |
552 | < 128Mb 1024-4999 or even less. | |
553 | This number defines number of active connections, which this | |
554 | system can issue simultaneously to systems not supporting | |
555 | TCP extensions (timestamps). With tcp_tw_recycle enabled | |
556 | (i.e. by default) range 1024-4999 is enough to issue up to | |
557 | 2000 connections per second to systems supporting timestamps. | |
558 | ||
559 | ip_nonlocal_bind - BOOLEAN | |
560 | If set, allows processes to bind() to non-local IP addresses, | |
561 | which can be quite useful - but may break some applications. | |
562 | Default: 0 | |
563 | ||
564 | ip_dynaddr - BOOLEAN | |
565 | If set non-zero, enables support for dynamic addresses. | |
566 | If set to a non-zero value larger than 1, a kernel log | |
567 | message will be printed when dynamic address rewriting | |
568 | occurs. | |
569 | Default: 0 | |
570 | ||
571 | icmp_echo_ignore_all - BOOLEAN | |
7ce31246 DM |
572 | If set non-zero, then the kernel will ignore all ICMP ECHO |
573 | requests sent to it. | |
574 | Default: 0 | |
575 | ||
1da177e4 | 576 | icmp_echo_ignore_broadcasts - BOOLEAN |
7ce31246 DM |
577 | If set non-zero, then the kernel will ignore all ICMP ECHO and |
578 | TIMESTAMP requests sent to it via broadcast/multicast. | |
579 | Default: 1 | |
1da177e4 LT |
580 | |
581 | icmp_ratelimit - INTEGER | |
582 | Limit the maximal rates for sending ICMP packets whose type matches | |
583 | icmp_ratemask (see below) to specific targets. | |
6dbf4bca SH |
584 | 0 to disable any limiting, |
585 | otherwise the minimal space between responses in milliseconds. | |
586 | Default: 1000 | |
1da177e4 LT |
587 | |
588 | icmp_ratemask - INTEGER | |
589 | Mask made of ICMP types for which rates are being limited. | |
590 | Significant bits: IHGFEDCBA9876543210 | |
591 | Default mask: 0000001100000011000 (6168) | |
592 | ||
593 | Bit definitions (see include/linux/icmp.h): | |
594 | 0 Echo Reply | |
595 | 3 Destination Unreachable * | |
596 | 4 Source Quench * | |
597 | 5 Redirect | |
598 | 8 Echo Request | |
599 | B Time Exceeded * | |
600 | C Parameter Problem * | |
601 | D Timestamp Request | |
602 | E Timestamp Reply | |
603 | F Info Request | |
604 | G Info Reply | |
605 | H Address Mask Request | |
606 | I Address Mask Reply | |
607 | ||
608 | * These are rate limited by default (see default mask above) | |
609 | ||
610 | icmp_ignore_bogus_error_responses - BOOLEAN | |
611 | Some routers violate RFC1122 by sending bogus responses to broadcast | |
612 | frames. Such violations are normally logged via a kernel warning. | |
613 | If this is set to TRUE, the kernel will not give such warnings, which | |
614 | will avoid log file clutter. | |
615 | Default: FALSE | |
616 | ||
95f7daf1 H |
617 | icmp_errors_use_inbound_ifaddr - BOOLEAN |
618 | ||
619 | If zero, icmp error messages are sent with the primary address of | |
620 | the exiting interface. | |
e18f5feb | 621 | |
95f7daf1 H |
622 | If non-zero, the message will be sent with the primary address of |
623 | the interface that received the packet that caused the icmp error. | |
624 | This is the behaviour network many administrators will expect from | |
625 | a router. And it can make debugging complicated network layouts | |
e18f5feb | 626 | much easier. |
95f7daf1 H |
627 | |
628 | Note that if no primary address exists for the interface selected, | |
629 | then the primary address of the first non-loopback interface that | |
d6bc8ac9 | 630 | has one will be used regardless of this setting. |
95f7daf1 H |
631 | |
632 | Default: 0 | |
633 | ||
1da177e4 LT |
634 | igmp_max_memberships - INTEGER |
635 | Change the maximum number of multicast groups we can subscribe to. | |
636 | Default: 20 | |
637 | ||
e18f5feb | 638 | conf/interface/* changes special settings per interface (where "interface" is |
1da177e4 LT |
639 | the name of your network interface) |
640 | conf/all/* is special, changes the settings for all interfaces | |
641 | ||
642 | ||
643 | log_martians - BOOLEAN | |
644 | Log packets with impossible addresses to kernel log. | |
645 | log_martians for the interface will be enabled if at least one of | |
646 | conf/{all,interface}/log_martians is set to TRUE, | |
647 | it will be disabled otherwise | |
648 | ||
649 | accept_redirects - BOOLEAN | |
650 | Accept ICMP redirect messages. | |
651 | accept_redirects for the interface will be enabled if: | |
e18f5feb JDB |
652 | - both conf/{all,interface}/accept_redirects are TRUE in the case |
653 | forwarding for the interface is enabled | |
1da177e4 | 654 | or |
e18f5feb JDB |
655 | - at least one of conf/{all,interface}/accept_redirects is TRUE in the |
656 | case forwarding for the interface is disabled | |
1da177e4 LT |
657 | accept_redirects for the interface will be disabled otherwise |
658 | default TRUE (host) | |
659 | FALSE (router) | |
660 | ||
661 | forwarding - BOOLEAN | |
662 | Enable IP forwarding on this interface. | |
663 | ||
664 | mc_forwarding - BOOLEAN | |
665 | Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE | |
666 | and a multicast routing daemon is required. | |
e18f5feb JDB |
667 | conf/all/mc_forwarding must also be set to TRUE to enable multicast |
668 | routing for the interface | |
1da177e4 LT |
669 | |
670 | medium_id - INTEGER | |
671 | Integer value used to differentiate the devices by the medium they | |
672 | are attached to. Two devices can have different id values when | |
673 | the broadcast packets are received only on one of them. | |
674 | The default value 0 means that the device is the only interface | |
675 | to its medium, value of -1 means that medium is not known. | |
e18f5feb | 676 | |
1da177e4 LT |
677 | Currently, it is used to change the proxy_arp behavior: |
678 | the proxy_arp feature is enabled for packets forwarded between | |
679 | two devices attached to different media. | |
680 | ||
681 | proxy_arp - BOOLEAN | |
682 | Do proxy arp. | |
683 | proxy_arp for the interface will be enabled if at least one of | |
684 | conf/{all,interface}/proxy_arp is set to TRUE, | |
685 | it will be disabled otherwise | |
686 | ||
687 | shared_media - BOOLEAN | |
688 | Send(router) or accept(host) RFC1620 shared media redirects. | |
689 | Overrides ip_secure_redirects. | |
690 | shared_media for the interface will be enabled if at least one of | |
691 | conf/{all,interface}/shared_media is set to TRUE, | |
692 | it will be disabled otherwise | |
693 | default TRUE | |
694 | ||
695 | secure_redirects - BOOLEAN | |
696 | Accept ICMP redirect messages only for gateways, | |
697 | listed in default gateway list. | |
698 | secure_redirects for the interface will be enabled if at least one of | |
699 | conf/{all,interface}/secure_redirects is set to TRUE, | |
700 | it will be disabled otherwise | |
701 | default TRUE | |
702 | ||
703 | send_redirects - BOOLEAN | |
704 | Send redirects, if router. | |
705 | send_redirects for the interface will be enabled if at least one of | |
706 | conf/{all,interface}/send_redirects is set to TRUE, | |
707 | it will be disabled otherwise | |
708 | Default: TRUE | |
709 | ||
710 | bootp_relay - BOOLEAN | |
711 | Accept packets with source address 0.b.c.d destined | |
712 | not to this host as local ones. It is supposed, that | |
713 | BOOTP relay daemon will catch and forward such packets. | |
714 | conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay | |
715 | for the interface | |
716 | default FALSE | |
717 | Not Implemented Yet. | |
718 | ||
719 | accept_source_route - BOOLEAN | |
720 | Accept packets with SRR option. | |
721 | conf/all/accept_source_route must also be set to TRUE to accept packets | |
722 | with SRR option on the interface | |
723 | default TRUE (router) | |
724 | FALSE (host) | |
725 | ||
c1cf8422 | 726 | rp_filter - INTEGER |
1da177e4 | 727 | 0 - No source validation. |
c1cf8422 SH |
728 | 1 - Strict mode as defined in RFC3704 Strict Reverse Path |
729 | Each incoming packet is tested against the FIB and if the interface | |
730 | is not the best reverse path the packet check will fail. | |
731 | By default failed packets are discarded. | |
732 | 2 - Loose mode as defined in RFC3704 Loose Reverse Path | |
733 | Each incoming packet's source address is also tested against the FIB | |
734 | and if the source address is not reachable via any interface | |
735 | the packet check will fail. | |
736 | ||
e18f5feb | 737 | Current recommended practice in RFC3704 is to enable strict mode |
bf869c30 | 738 | to prevent IP spoofing from DDos attacks. If using asymmetric routing |
e18f5feb | 739 | or other complicated routing, then loose mode is recommended. |
c1cf8422 SH |
740 | |
741 | conf/all/rp_filter must also be set to non-zero to do source validation | |
1da177e4 LT |
742 | on the interface |
743 | ||
744 | Default value is 0. Note that some distributions enable it | |
745 | in startup scripts. | |
746 | ||
747 | arp_filter - BOOLEAN | |
748 | 1 - Allows you to have multiple network interfaces on the same | |
749 | subnet, and have the ARPs for each interface be answered | |
750 | based on whether or not the kernel would route a packet from | |
751 | the ARP'd IP out that interface (therefore you must use source | |
752 | based routing for this to work). In other words it allows control | |
753 | of which cards (usually 1) will respond to an arp request. | |
754 | ||
755 | 0 - (default) The kernel can respond to arp requests with addresses | |
756 | from other interfaces. This may seem wrong but it usually makes | |
757 | sense, because it increases the chance of successful communication. | |
758 | IP addresses are owned by the complete host on Linux, not by | |
759 | particular interfaces. Only for more complex setups like load- | |
760 | balancing, does this behaviour cause problems. | |
761 | ||
762 | arp_filter for the interface will be enabled if at least one of | |
763 | conf/{all,interface}/arp_filter is set to TRUE, | |
764 | it will be disabled otherwise | |
765 | ||
766 | arp_announce - INTEGER | |
767 | Define different restriction levels for announcing the local | |
768 | source IP address from IP packets in ARP requests sent on | |
769 | interface: | |
770 | 0 - (default) Use any local address, configured on any interface | |
771 | 1 - Try to avoid local addresses that are not in the target's | |
772 | subnet for this interface. This mode is useful when target | |
773 | hosts reachable via this interface require the source IP | |
774 | address in ARP requests to be part of their logical network | |
775 | configured on the receiving interface. When we generate the | |
776 | request we will check all our subnets that include the | |
777 | target IP and will preserve the source address if it is from | |
778 | such subnet. If there is no such subnet we select source | |
779 | address according to the rules for level 2. | |
780 | 2 - Always use the best local address for this target. | |
781 | In this mode we ignore the source address in the IP packet | |
782 | and try to select local address that we prefer for talks with | |
783 | the target host. Such local address is selected by looking | |
784 | for primary IP addresses on all our subnets on the outgoing | |
785 | interface that include the target IP address. If no suitable | |
786 | local address is found we select the first local address | |
787 | we have on the outgoing interface or on all other interfaces, | |
788 | with the hope we will receive reply for our request and | |
789 | even sometimes no matter the source IP address we announce. | |
790 | ||
791 | The max value from conf/{all,interface}/arp_announce is used. | |
792 | ||
793 | Increasing the restriction level gives more chance for | |
794 | receiving answer from the resolved target while decreasing | |
795 | the level announces more valid sender's information. | |
796 | ||
797 | arp_ignore - INTEGER | |
798 | Define different modes for sending replies in response to | |
799 | received ARP requests that resolve local target IP addresses: | |
800 | 0 - (default): reply for any local target IP address, configured | |
801 | on any interface | |
802 | 1 - reply only if the target IP address is local address | |
803 | configured on the incoming interface | |
804 | 2 - reply only if the target IP address is local address | |
805 | configured on the incoming interface and both with the | |
806 | sender's IP address are part from same subnet on this interface | |
807 | 3 - do not reply for local addresses configured with scope host, | |
808 | only resolutions for global and link addresses are replied | |
809 | 4-7 - reserved | |
810 | 8 - do not reply for all local addresses | |
811 | ||
812 | The max value from conf/{all,interface}/arp_ignore is used | |
813 | when ARP request is received on the {interface} | |
814 | ||
eefef1cf SH |
815 | arp_notify - BOOLEAN |
816 | Define mode for notification of address and device changes. | |
817 | 0 - (default): do nothing | |
818 | 1 - Generate gratuitous arp replies when device is brought up | |
819 | or hardware address changes. | |
820 | ||
c1b1bce8 NH |
821 | arp_accept - BOOLEAN |
822 | Define behavior when gratuitous arp replies are received: | |
823 | 0 - drop gratuitous arp frames | |
824 | 1 - accept gratuitous arp frames | |
825 | ||
1da177e4 LT |
826 | app_solicit - INTEGER |
827 | The maximum number of probes to send to the user space ARP daemon | |
828 | via netlink before dropping back to multicast probes (see | |
829 | mcast_solicit). Defaults to 0. | |
830 | ||
831 | disable_policy - BOOLEAN | |
832 | Disable IPSEC policy (SPD) for this interface | |
833 | ||
834 | disable_xfrm - BOOLEAN | |
835 | Disable IPSEC encryption on this interface, whatever the policy | |
836 | ||
837 | ||
838 | ||
839 | tag - INTEGER | |
840 | Allows you to write a number, which can be used as required. | |
841 | Default value is 0. | |
842 | ||
1da177e4 LT |
843 | Alexey Kuznetsov. |
844 | kuznet@ms2.inr.ac.ru | |
845 | ||
846 | Updated by: | |
847 | Andi Kleen | |
848 | ak@muc.de | |
849 | Nicolas Delon | |
850 | delon.nicolas@wanadoo.fr | |
851 | ||
852 | ||
853 | ||
854 | ||
855 | /proc/sys/net/ipv6/* Variables: | |
856 | ||
857 | IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also | |
858 | apply to IPv6 [XXX?]. | |
859 | ||
860 | bindv6only - BOOLEAN | |
861 | Default value for IPV6_V6ONLY socket option, | |
e18f5feb | 862 | which restricts use of the IPv6 socket to IPv6 communication |
1da177e4 LT |
863 | only. |
864 | TRUE: disable IPv4-mapped address feature | |
865 | FALSE: enable IPv4-mapped address feature | |
866 | ||
867 | Default: FALSE (as specified in RFC2553bis) | |
868 | ||
869 | IPv6 Fragmentation: | |
870 | ||
871 | ip6frag_high_thresh - INTEGER | |
e18f5feb | 872 | Maximum memory used to reassemble IPv6 fragments. When |
1da177e4 LT |
873 | ip6frag_high_thresh bytes of memory is allocated for this purpose, |
874 | the fragment handler will toss packets until ip6frag_low_thresh | |
875 | is reached. | |
e18f5feb | 876 | |
1da177e4 | 877 | ip6frag_low_thresh - INTEGER |
e18f5feb | 878 | See ip6frag_high_thresh |
1da177e4 LT |
879 | |
880 | ip6frag_time - INTEGER | |
881 | Time in seconds to keep an IPv6 fragment in memory. | |
882 | ||
883 | ip6frag_secret_interval - INTEGER | |
e18f5feb | 884 | Regeneration interval (in seconds) of the hash secret (or lifetime |
1da177e4 LT |
885 | for the hash secret) for IPv6 fragments. |
886 | Default: 600 | |
887 | ||
888 | conf/default/*: | |
889 | Change the interface-specific default settings. | |
890 | ||
891 | ||
892 | conf/all/*: | |
e18f5feb | 893 | Change all the interface-specific settings. |
1da177e4 LT |
894 | |
895 | [XXX: Other special features than forwarding?] | |
896 | ||
897 | conf/all/forwarding - BOOLEAN | |
e18f5feb | 898 | Enable global IPv6 forwarding between all interfaces. |
1da177e4 | 899 | |
e18f5feb | 900 | IPv4 and IPv6 work differently here; e.g. netfilter must be used |
1da177e4 LT |
901 | to control which interfaces may forward packets and which not. |
902 | ||
e18f5feb | 903 | This also sets all interfaces' Host/Router setting |
1da177e4 LT |
904 | 'forwarding' to the specified value. See below for details. |
905 | ||
906 | This referred to as global forwarding. | |
907 | ||
fbea49e1 YH |
908 | proxy_ndp - BOOLEAN |
909 | Do proxy ndp. | |
910 | ||
1da177e4 LT |
911 | conf/interface/*: |
912 | Change special settings per interface. | |
913 | ||
e18f5feb | 914 | The functional behaviour for certain settings is different |
1da177e4 LT |
915 | depending on whether local forwarding is enabled or not. |
916 | ||
917 | accept_ra - BOOLEAN | |
918 | Accept Router Advertisements; autoconfigure using them. | |
e18f5feb | 919 | |
1da177e4 LT |
920 | Functional default: enabled if local forwarding is disabled. |
921 | disabled if local forwarding is enabled. | |
922 | ||
65f5c7c1 YH |
923 | accept_ra_defrtr - BOOLEAN |
924 | Learn default router in Router Advertisement. | |
925 | ||
926 | Functional default: enabled if accept_ra is enabled. | |
927 | disabled if accept_ra is disabled. | |
928 | ||
c4fd30eb | 929 | accept_ra_pinfo - BOOLEAN |
2fe0ae78 | 930 | Learn Prefix Information in Router Advertisement. |
c4fd30eb YH |
931 | |
932 | Functional default: enabled if accept_ra is enabled. | |
933 | disabled if accept_ra is disabled. | |
934 | ||
09c884d4 YH |
935 | accept_ra_rt_info_max_plen - INTEGER |
936 | Maximum prefix length of Route Information in RA. | |
937 | ||
938 | Route Information w/ prefix larger than or equal to this | |
939 | variable shall be ignored. | |
940 | ||
941 | Functional default: 0 if accept_ra_rtr_pref is enabled. | |
942 | -1 if accept_ra_rtr_pref is disabled. | |
943 | ||
930d6ff2 YH |
944 | accept_ra_rtr_pref - BOOLEAN |
945 | Accept Router Preference in RA. | |
946 | ||
947 | Functional default: enabled if accept_ra is enabled. | |
948 | disabled if accept_ra is disabled. | |
949 | ||
1da177e4 LT |
950 | accept_redirects - BOOLEAN |
951 | Accept Redirects. | |
952 | ||
953 | Functional default: enabled if local forwarding is disabled. | |
954 | disabled if local forwarding is enabled. | |
955 | ||
0bcbc926 YH |
956 | accept_source_route - INTEGER |
957 | Accept source routing (routing extension header). | |
958 | ||
bb4dbf9e | 959 | >= 0: Accept only routing header type 2. |
0bcbc926 YH |
960 | < 0: Do not accept routing header. |
961 | ||
962 | Default: 0 | |
963 | ||
1da177e4 | 964 | autoconf - BOOLEAN |
e18f5feb | 965 | Autoconfigure addresses using Prefix Information in Router |
1da177e4 LT |
966 | Advertisements. |
967 | ||
c4fd30eb YH |
968 | Functional default: enabled if accept_ra_pinfo is enabled. |
969 | disabled if accept_ra_pinfo is disabled. | |
1da177e4 LT |
970 | |
971 | dad_transmits - INTEGER | |
972 | The amount of Duplicate Address Detection probes to send. | |
973 | Default: 1 | |
e18f5feb | 974 | |
1da177e4 | 975 | forwarding - BOOLEAN |
e18f5feb | 976 | Configure interface-specific Host/Router behaviour. |
1da177e4 | 977 | |
e18f5feb | 978 | Note: It is recommended to have the same setting on all |
1da177e4 LT |
979 | interfaces; mixed router/host scenarios are rather uncommon. |
980 | ||
981 | FALSE: | |
982 | ||
983 | By default, Host behaviour is assumed. This means: | |
984 | ||
985 | 1. IsRouter flag is not set in Neighbour Advertisements. | |
986 | 2. Router Solicitations are being sent when necessary. | |
e18f5feb | 987 | 3. If accept_ra is TRUE (default), accept Router |
1da177e4 LT |
988 | Advertisements (and do autoconfiguration). |
989 | 4. If accept_redirects is TRUE (default), accept Redirects. | |
990 | ||
991 | TRUE: | |
992 | ||
e18f5feb | 993 | If local forwarding is enabled, Router behaviour is assumed. |
1da177e4 LT |
994 | This means exactly the reverse from the above: |
995 | ||
996 | 1. IsRouter flag is set in Neighbour Advertisements. | |
997 | 2. Router Solicitations are not sent. | |
998 | 3. Router Advertisements are ignored. | |
999 | 4. Redirects are ignored. | |
1000 | ||
1001 | Default: FALSE if global forwarding is disabled (default), | |
1002 | otherwise TRUE. | |
1003 | ||
1004 | hop_limit - INTEGER | |
1005 | Default Hop Limit to set. | |
1006 | Default: 64 | |
1007 | ||
1008 | mtu - INTEGER | |
1009 | Default Maximum Transfer Unit | |
1010 | Default: 1280 (IPv6 required minimum) | |
1011 | ||
52e16356 YH |
1012 | router_probe_interval - INTEGER |
1013 | Minimum interval (in seconds) between Router Probing described | |
1014 | in RFC4191. | |
1015 | ||
1016 | Default: 60 | |
1017 | ||
1da177e4 LT |
1018 | router_solicitation_delay - INTEGER |
1019 | Number of seconds to wait after interface is brought up | |
1020 | before sending Router Solicitations. | |
1021 | Default: 1 | |
1022 | ||
1023 | router_solicitation_interval - INTEGER | |
1024 | Number of seconds to wait between Router Solicitations. | |
1025 | Default: 4 | |
1026 | ||
1027 | router_solicitations - INTEGER | |
e18f5feb | 1028 | Number of Router Solicitations to send until assuming no |
1da177e4 LT |
1029 | routers are present. |
1030 | Default: 3 | |
1031 | ||
1032 | use_tempaddr - INTEGER | |
1033 | Preference for Privacy Extensions (RFC3041). | |
1034 | <= 0 : disable Privacy Extensions | |
1035 | == 1 : enable Privacy Extensions, but prefer public | |
1036 | addresses over temporary addresses. | |
1037 | > 1 : enable Privacy Extensions and prefer temporary | |
1038 | addresses over public addresses. | |
1039 | Default: 0 (for most devices) | |
1040 | -1 (for point-to-point devices and loopback devices) | |
1041 | ||
1042 | temp_valid_lft - INTEGER | |
1043 | valid lifetime (in seconds) for temporary addresses. | |
1044 | Default: 604800 (7 days) | |
1045 | ||
1046 | temp_prefered_lft - INTEGER | |
1047 | Preferred lifetime (in seconds) for temporary addresses. | |
1048 | Default: 86400 (1 day) | |
1049 | ||
1050 | max_desync_factor - INTEGER | |
1051 | Maximum value for DESYNC_FACTOR, which is a random value | |
e18f5feb | 1052 | that ensures that clients don't synchronize with each |
1da177e4 LT |
1053 | other and generate new addresses at exactly the same time. |
1054 | value is in seconds. | |
1055 | Default: 600 | |
e18f5feb | 1056 | |
1da177e4 LT |
1057 | regen_max_retry - INTEGER |
1058 | Number of attempts before give up attempting to generate | |
1059 | valid temporary addresses. | |
1060 | Default: 5 | |
1061 | ||
1062 | max_addresses - INTEGER | |
1063 | Number of maximum addresses per interface. 0 disables limitation. | |
e18f5feb JDB |
1064 | It is recommended not set too large value (or 0) because it would |
1065 | be too easy way to crash kernel to allow to create too much of | |
1da177e4 LT |
1066 | autoconfigured addresses. |
1067 | Default: 16 | |
1068 | ||
778d80be | 1069 | disable_ipv6 - BOOLEAN |
9bdd8d40 BH |
1070 | Disable IPv6 operation. If accept_dad is set to 2, this value |
1071 | will be dynamically set to TRUE if DAD fails for the link-local | |
1072 | address. | |
778d80be YH |
1073 | Default: FALSE (enable IPv6 operation) |
1074 | ||
56d417b1 BH |
1075 | When this value is changed from 1 to 0 (IPv6 is being enabled), |
1076 | it will dynamically create a link-local address on the given | |
1077 | interface and start Duplicate Address Detection, if necessary. | |
1078 | ||
1079 | When this value is changed from 0 to 1 (IPv6 is being disabled), | |
1080 | it will dynamically delete all address on the given interface. | |
1081 | ||
1b34be74 YH |
1082 | accept_dad - INTEGER |
1083 | Whether to accept DAD (Duplicate Address Detection). | |
1084 | 0: Disable DAD | |
1085 | 1: Enable DAD (default) | |
1086 | 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate | |
1087 | link-local address has been found. | |
1088 | ||
f7734fdf OP |
1089 | force_tllao - BOOLEAN |
1090 | Enable sending the target link-layer address option even when | |
1091 | responding to a unicast neighbor solicitation. | |
1092 | Default: FALSE | |
1093 | ||
1094 | Quoting from RFC 2461, section 4.4, Target link-layer address: | |
1095 | ||
1096 | "The option MUST be included for multicast solicitations in order to | |
1097 | avoid infinite Neighbor Solicitation "recursion" when the peer node | |
1098 | does not have a cache entry to return a Neighbor Advertisements | |
1099 | message. When responding to unicast solicitations, the option can be | |
1100 | omitted since the sender of the solicitation has the correct link- | |
1101 | layer address; otherwise it would not have be able to send the unicast | |
1102 | solicitation in the first place. However, including the link-layer | |
1103 | address in this case adds little overhead and eliminates a potential | |
1104 | race condition where the sender deletes the cached link-layer address | |
1105 | prior to receiving a response to a previous solicitation." | |
1106 | ||
1da177e4 LT |
1107 | icmp/*: |
1108 | ratelimit - INTEGER | |
1109 | Limit the maximal rates for sending ICMPv6 packets. | |
6dbf4bca SH |
1110 | 0 to disable any limiting, |
1111 | otherwise the minimal space between responses in milliseconds. | |
1112 | Default: 1000 | |
1da177e4 LT |
1113 | |
1114 | ||
1115 | IPv6 Update by: | |
1116 | Pekka Savola <pekkas@netcore.fi> | |
1117 | YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> | |
1118 | ||
1119 | ||
1120 | /proc/sys/net/bridge/* Variables: | |
1121 | ||
1122 | bridge-nf-call-arptables - BOOLEAN | |
1123 | 1 : pass bridged ARP traffic to arptables' FORWARD chain. | |
1124 | 0 : disable this. | |
1125 | Default: 1 | |
1126 | ||
1127 | bridge-nf-call-iptables - BOOLEAN | |
1128 | 1 : pass bridged IPv4 traffic to iptables' chains. | |
1129 | 0 : disable this. | |
1130 | Default: 1 | |
1131 | ||
1132 | bridge-nf-call-ip6tables - BOOLEAN | |
1133 | 1 : pass bridged IPv6 traffic to ip6tables' chains. | |
1134 | 0 : disable this. | |
1135 | Default: 1 | |
1136 | ||
1137 | bridge-nf-filter-vlan-tagged - BOOLEAN | |
516299d2 MM |
1138 | 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. |
1139 | 0 : disable this. | |
1140 | Default: 1 | |
1141 | ||
1142 | bridge-nf-filter-pppoe-tagged - BOOLEAN | |
1143 | 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. | |
1da177e4 LT |
1144 | 0 : disable this. |
1145 | Default: 1 | |
1146 | ||
1147 | ||
32e8d494 VY |
1148 | proc/sys/net/sctp/* Variables: |
1149 | ||
1150 | addip_enable - BOOLEAN | |
1151 | Enable or disable extension of Dynamic Address Reconfiguration | |
1152 | (ADD-IP) functionality specified in RFC5061. This extension provides | |
1153 | the ability to dynamically add and remove new addresses for the SCTP | |
1154 | associations. | |
1155 | ||
1156 | 1: Enable extension. | |
1157 | ||
1158 | 0: Disable extension. | |
1159 | ||
1160 | Default: 0 | |
1161 | ||
1162 | addip_noauth_enable - BOOLEAN | |
1163 | Dynamic Address Reconfiguration (ADD-IP) requires the use of | |
1164 | authentication to protect the operations of adding or removing new | |
1165 | addresses. This requirement is mandated so that unauthorized hosts | |
1166 | would not be able to hijack associations. However, older | |
1167 | implementations may not have implemented this requirement while | |
1168 | allowing the ADD-IP extension. For reasons of interoperability, | |
1169 | we provide this variable to control the enforcement of the | |
1170 | authentication requirement. | |
1171 | ||
1172 | 1: Allow ADD-IP extension to be used without authentication. This | |
1173 | should only be set in a closed environment for interoperability | |
1174 | with older implementations. | |
1175 | ||
1176 | 0: Enforce the authentication requirement | |
1177 | ||
1178 | Default: 0 | |
1179 | ||
1180 | auth_enable - BOOLEAN | |
1181 | Enable or disable Authenticated Chunks extension. This extension | |
1182 | provides the ability to send and receive authenticated chunks and is | |
1183 | required for secure operation of Dynamic Address Reconfiguration | |
1184 | (ADD-IP) extension. | |
1185 | ||
1186 | 1: Enable this extension. | |
1187 | 0: Disable this extension. | |
1188 | ||
1189 | Default: 0 | |
1190 | ||
1191 | prsctp_enable - BOOLEAN | |
1192 | Enable or disable the Partial Reliability extension (RFC3758) which | |
1193 | is used to notify peers that a given DATA should no longer be expected. | |
1194 | ||
1195 | 1: Enable extension | |
1196 | 0: Disable | |
1197 | ||
1198 | Default: 1 | |
1199 | ||
1200 | max_burst - INTEGER | |
1201 | The limit of the number of new packets that can be initially sent. It | |
1202 | controls how bursty the generated traffic can be. | |
1203 | ||
1204 | Default: 4 | |
1205 | ||
1206 | association_max_retrans - INTEGER | |
1207 | Set the maximum number for retransmissions that an association can | |
1208 | attempt deciding that the remote end is unreachable. If this value | |
1209 | is exceeded, the association is terminated. | |
1210 | ||
1211 | Default: 10 | |
1212 | ||
1213 | max_init_retransmits - INTEGER | |
1214 | The maximum number of retransmissions of INIT and COOKIE-ECHO chunks | |
1215 | that an association will attempt before declaring the destination | |
1216 | unreachable and terminating. | |
1217 | ||
1218 | Default: 8 | |
1219 | ||
1220 | path_max_retrans - INTEGER | |
1221 | The maximum number of retransmissions that will be attempted on a given | |
1222 | path. Once this threshold is exceeded, the path is considered | |
1223 | unreachable, and new traffic will use a different path when the | |
1224 | association is multihomed. | |
1225 | ||
1226 | Default: 5 | |
1227 | ||
1228 | rto_initial - INTEGER | |
1229 | The initial round trip timeout value in milliseconds that will be used | |
1230 | in calculating round trip times. This is the initial time interval | |
1231 | for retransmissions. | |
1232 | ||
1233 | Default: 3000 | |
1da177e4 | 1234 | |
32e8d494 VY |
1235 | rto_max - INTEGER |
1236 | The maximum value (in milliseconds) of the round trip timeout. This | |
1237 | is the largest time interval that can elapse between retransmissions. | |
1238 | ||
1239 | Default: 60000 | |
1240 | ||
1241 | rto_min - INTEGER | |
1242 | The minimum value (in milliseconds) of the round trip timeout. This | |
1243 | is the smallest time interval the can elapse between retransmissions. | |
1244 | ||
1245 | Default: 1000 | |
1246 | ||
1247 | hb_interval - INTEGER | |
1248 | The interval (in milliseconds) between HEARTBEAT chunks. These chunks | |
1249 | are sent at the specified interval on idle paths to probe the state of | |
1250 | a given path between 2 associations. | |
1251 | ||
1252 | Default: 30000 | |
1253 | ||
1254 | sack_timeout - INTEGER | |
1255 | The amount of time (in milliseconds) that the implementation will wait | |
1256 | to send a SACK. | |
1257 | ||
1258 | Default: 200 | |
1259 | ||
1260 | valid_cookie_life - INTEGER | |
1261 | The default lifetime of the SCTP cookie (in milliseconds). The cookie | |
1262 | is used during association establishment. | |
1263 | ||
1264 | Default: 60000 | |
1265 | ||
1266 | cookie_preserve_enable - BOOLEAN | |
1267 | Enable or disable the ability to extend the lifetime of the SCTP cookie | |
1268 | that is used during the establishment phase of SCTP association | |
1269 | ||
1270 | 1: Enable cookie lifetime extension. | |
1271 | 0: Disable | |
1272 | ||
1273 | Default: 1 | |
1274 | ||
1275 | rcvbuf_policy - INTEGER | |
1276 | Determines if the receive buffer is attributed to the socket or to | |
1277 | association. SCTP supports the capability to create multiple | |
1278 | associations on a single socket. When using this capability, it is | |
1279 | possible that a single stalled association that's buffering a lot | |
1280 | of data may block other associations from delivering their data by | |
1281 | consuming all of the receive buffer space. To work around this, | |
1282 | the rcvbuf_policy could be set to attribute the receiver buffer space | |
1283 | to each association instead of the socket. This prevents the described | |
1284 | blocking. | |
1285 | ||
1286 | 1: rcvbuf space is per association | |
1287 | 0: recbuf space is per socket | |
1288 | ||
1289 | Default: 0 | |
1290 | ||
1291 | sndbuf_policy - INTEGER | |
1292 | Similar to rcvbuf_policy above, this applies to send buffer space. | |
1293 | ||
1294 | 1: Send buffer is tracked per association | |
1295 | 0: Send buffer is tracked per socket. | |
1296 | ||
1297 | Default: 0 | |
1298 | ||
1299 | sctp_mem - vector of 3 INTEGERs: min, pressure, max | |
1300 | Number of pages allowed for queueing by all SCTP sockets. | |
1301 | ||
1302 | min: Below this number of pages SCTP is not bothered about its | |
1303 | memory appetite. When amount of memory allocated by SCTP exceeds | |
1304 | this number, SCTP starts to moderate memory usage. | |
1305 | ||
1306 | pressure: This value was introduced to follow format of tcp_mem. | |
1307 | ||
1308 | max: Number of pages allowed for queueing by all SCTP sockets. | |
1309 | ||
1310 | Default is calculated at boot time from amount of available memory. | |
1311 | ||
1312 | sctp_rmem - vector of 3 INTEGERs: min, default, max | |
1313 | See tcp_rmem for a description. | |
1314 | ||
1315 | sctp_wmem - vector of 3 INTEGERs: min, default, max | |
1316 | See tcp_wmem for a description. | |
1317 | ||
72388433 BD |
1318 | addr_scope_policy - INTEGER |
1319 | Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 | |
1320 | ||
1321 | 0 - Disable IPv4 address scoping | |
1322 | 1 - Enable IPv4 address scoping | |
1323 | 2 - Follow draft but allow IPv4 private addresses | |
1324 | 3 - Follow draft but allow IPv4 link local addresses | |
1325 | ||
1326 | Default: 1 | |
1327 | ||
1da177e4 | 1328 | |
4edc2f34 | 1329 | /proc/sys/net/core/* |
705efc3b WT |
1330 | dev_weight - INTEGER |
1331 | The maximum number of packets that kernel can handle on a NAPI | |
1332 | interrupt, it's a Per-CPU variable. | |
1333 | ||
1334 | Default: 64 | |
4edc2f34 SH |
1335 | |
1336 | /proc/sys/net/unix/* | |
705efc3b WT |
1337 | max_dgram_qlen - INTEGER |
1338 | The maximum length of dgram socket receive queue | |
1339 | ||
1340 | Default: 10 | |
1341 | ||
1342 | ||
1343 | UNDOCUMENTED: | |
4edc2f34 SH |
1344 | |
1345 | /proc/sys/net/irda/* | |
1346 | fast_poll_increase FIXME | |
1347 | warn_noreply_time FIXME | |
1348 | discovery_slots FIXME | |
1349 | slot_timeout FIXME | |
1350 | max_baud_rate FIXME | |
1351 | discovery_timeout FIXME | |
1352 | lap_keepalive_time FIXME | |
1353 | max_noreply_time FIXME | |
1354 | max_tx_data_size FIXME | |
1355 | max_tx_window FIXME | |
1356 | min_tx_turn_time FIXME |