Loading...
1.. SPDX-License-Identifier: GPL-2.0
2
3=========
4IP Sysctl
5=========
6
7/proc/sys/net/ipv4/* Variables
8==============================
9
10ip_forward - BOOLEAN
11 - 0 - disabled (default)
12 - not 0 - enabled
13
14 Forward Packets between interfaces.
15
16 This variable is special, its change resets all configuration
17 parameters to their default state (RFC1122 for hosts, RFC1812
18 for routers)
19
20ip_default_ttl - INTEGER
21 Default value of TTL field (Time To Live) for outgoing (but not
22 forwarded) IP packets. Should be between 1 and 255 inclusive.
23 Default: 64 (as recommended by RFC1700)
24
25ip_no_pmtu_disc - INTEGER
26 Disable Path MTU Discovery. If enabled in mode 1 and a
27 fragmentation-required ICMP is received, the PMTU to this
28 destination will be set to min_pmtu (see below). You will need
29 to raise min_pmtu to the smallest interface MTU on your system
30 manually if you want to avoid locally generated fragments.
31
32 In mode 2 incoming Path MTU Discovery messages will be
33 discarded. Outgoing frames are handled the same as in mode 1,
34 implicitly setting IP_PMTUDISC_DONT on every created socket.
35
36 Mode 3 is a hardened pmtu discover mode. The kernel will only
37 accept fragmentation-needed errors if the underlying protocol
38 can verify them besides a plain socket lookup. Current
39 protocols for which pmtu events will be honored are TCP, SCTP
40 and DCCP as they verify e.g. the sequence number or the
41 association. This mode should not be enabled globally but is
42 only intended to secure e.g. name servers in namespaces where
43 TCP path mtu must still work but path MTU information of other
44 protocols should be discarded. If enabled globally this mode
45 could break other protocols.
46
47 Possible values: 0-3
48
49 Default: FALSE
50
51min_pmtu - INTEGER
52 default 552 - minimum discovered Path MTU
53
54ip_forward_use_pmtu - BOOLEAN
55 By default we don't trust protocol path MTUs while forwarding
56 because they could be easily forged and can lead to unwanted
57 fragmentation by the router.
58 You only need to enable this if you have user-space software
59 which tries to discover path mtus by itself and depends on the
60 kernel honoring this information. This is normally not the
61 case.
62
63 Default: 0 (disabled)
64
65 Possible values:
66
67 - 0 - disabled
68 - 1 - enabled
69
70fwmark_reflect - BOOLEAN
71 Controls the fwmark of kernel-generated IPv4 reply packets that are not
72 associated with a socket for example, TCP RSTs or ICMP echo replies).
73 If unset, these packets have a fwmark of zero. If set, they have the
74 fwmark of the packet they are replying to.
75
76 Default: 0
77
78fib_multipath_use_neigh - BOOLEAN
79 Use status of existing neighbor entry when determining nexthop for
80 multipath routes. If disabled, neighbor information is not used and
81 packets could be directed to a failed nexthop. Only valid for kernels
82 built with CONFIG_IP_ROUTE_MULTIPATH enabled.
83
84 Default: 0 (disabled)
85
86 Possible values:
87
88 - 0 - disabled
89 - 1 - enabled
90
91fib_multipath_hash_policy - INTEGER
92 Controls which hash policy to use for multipath routes. Only valid
93 for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled.
94
95 Default: 0 (Layer 3)
96
97 Possible values:
98
99 - 0 - Layer 3
100 - 1 - Layer 4
101 - 2 - Layer 3 or inner Layer 3 if present
102
103fib_sync_mem - UNSIGNED INTEGER
104 Amount of dirty memory from fib entries that can be backlogged before
105 synchronize_rcu is forced.
106
107 Default: 512kB Minimum: 64kB Maximum: 64MB
108
109ip_forward_update_priority - INTEGER
110 Whether to update SKB priority from "TOS" field in IPv4 header after it
111 is forwarded. The new SKB priority is mapped from TOS field value
112 according to an rt_tos2priority table (see e.g. man tc-prio).
113
114 Default: 1 (Update priority.)
115
116 Possible values:
117
118 - 0 - Do not update priority.
119 - 1 - Update priority.
120
121route/max_size - INTEGER
122 Maximum number of routes allowed in the kernel. Increase
123 this when using large numbers of interfaces and/or routes.
124
125 From linux kernel 3.6 onwards, this is deprecated for ipv4
126 as route cache is no longer used.
127
128neigh/default/gc_thresh1 - INTEGER
129 Minimum number of entries to keep. Garbage collector will not
130 purge entries if there are fewer than this number.
131
132 Default: 128
133
134neigh/default/gc_thresh2 - INTEGER
135 Threshold when garbage collector becomes more aggressive about
136 purging entries. Entries older than 5 seconds will be cleared
137 when over this number.
138
139 Default: 512
140
141neigh/default/gc_thresh3 - INTEGER
142 Maximum number of non-PERMANENT neighbor entries allowed. Increase
143 this when using large numbers of interfaces and when communicating
144 with large numbers of directly-connected peers.
145
146 Default: 1024
147
148neigh/default/unres_qlen_bytes - INTEGER
149 The maximum number of bytes which may be used by packets
150 queued for each unresolved address by other network layers.
151 (added in linux 3.3)
152
153 Setting negative value is meaningless and will return error.
154
155 Default: SK_WMEM_MAX, (same as net.core.wmem_default).
156
157 Exact value depends on architecture and kernel options,
158 but should be enough to allow queuing 256 packets
159 of medium size.
160
161neigh/default/unres_qlen - INTEGER
162 The maximum number of packets which may be queued for each
163 unresolved address by other network layers.
164
165 (deprecated in linux 3.3) : use unres_qlen_bytes instead.
166
167 Prior to linux 3.3, the default value is 3 which may cause
168 unexpected packet loss. The current default value is calculated
169 according to default value of unres_qlen_bytes and true size of
170 packet.
171
172 Default: 101
173
174mtu_expires - INTEGER
175 Time, in seconds, that cached PMTU information is kept.
176
177min_adv_mss - INTEGER
178 The advertised MSS depends on the first hop route MTU, but will
179 never be lower than this setting.
180
181IP Fragmentation:
182
183ipfrag_high_thresh - LONG INTEGER
184 Maximum memory used to reassemble IP fragments.
185
186ipfrag_low_thresh - LONG INTEGER
187 (Obsolete since linux-4.17)
188 Maximum memory used to reassemble IP fragments before the kernel
189 begins to remove incomplete fragment queues to free up resources.
190 The kernel still accepts new fragments for defragmentation.
191
192ipfrag_time - INTEGER
193 Time in seconds to keep an IP fragment in memory.
194
195ipfrag_max_dist - INTEGER
196 ipfrag_max_dist is a non-negative integer value which defines the
197 maximum "disorder" which is allowed among fragments which share a
198 common IP source address. Note that reordering of packets is
199 not unusual, but if a large number of fragments arrive from a source
200 IP address while a particular fragment queue remains incomplete, it
201 probably indicates that one or more fragments belonging to that queue
202 have been lost. When ipfrag_max_dist is positive, an additional check
203 is done on fragments before they are added to a reassembly queue - if
204 ipfrag_max_dist (or more) fragments have arrived from a particular IP
205 address between additions to any IP fragment queue using that source
206 address, it's presumed that one or more fragments in the queue are
207 lost. The existing fragment queue will be dropped, and a new one
208 started. An ipfrag_max_dist value of zero disables this check.
209
210 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
211 result in unnecessarily dropping fragment queues when normal
212 reordering of packets occurs, which could lead to poor application
213 performance. Using a very large value, e.g. 50000, increases the
214 likelihood of incorrectly reassembling IP fragments that originate
215 from different IP datagrams, which could result in data corruption.
216 Default: 64
217
218INET peer storage
219=================
220
221inet_peer_threshold - INTEGER
222 The approximate size of the storage. Starting from this threshold
223 entries will be thrown aggressively. This threshold also determines
224 entries' time-to-live and time intervals between garbage collection
225 passes. More entries, less time-to-live, less GC interval.
226
227inet_peer_minttl - INTEGER
228 Minimum time-to-live of entries. Should be enough to cover fragment
229 time-to-live on the reassembling side. This minimum time-to-live is
230 guaranteed if the pool size is less than inet_peer_threshold.
231 Measured in seconds.
232
233inet_peer_maxttl - INTEGER
234 Maximum time-to-live of entries. Unused entries will expire after
235 this period of time if there is no memory pressure on the pool (i.e.
236 when the number of entries in the pool is very small).
237 Measured in seconds.
238
239TCP variables
240=============
241
242somaxconn - INTEGER
243 Limit of socket listen() backlog, known in userspace as SOMAXCONN.
244 Defaults to 4096. (Was 128 before linux-5.4)
245 See also tcp_max_syn_backlog for additional tuning for TCP sockets.
246
247tcp_abort_on_overflow - BOOLEAN
248 If listening service is too slow to accept new connections,
249 reset them. Default state is FALSE. It means that if overflow
250 occurred due to a burst, connection will recover. Enable this
251 option _only_ if you are really sure that listening daemon
252 cannot be tuned to accept connections faster. Enabling this
253 option can harm clients of your server.
254
255tcp_adv_win_scale - INTEGER
256 Count buffering overhead as bytes/2^tcp_adv_win_scale
257 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
258 if it is <= 0.
259
260 Possible values are [-31, 31], inclusive.
261
262 Default: 1
263
264tcp_allowed_congestion_control - STRING
265 Show/set the congestion control choices available to non-privileged
266 processes. The list is a subset of those listed in
267 tcp_available_congestion_control.
268
269 Default is "reno" and the default setting (tcp_congestion_control).
270
271tcp_app_win - INTEGER
272 Reserve max(window/2^tcp_app_win, mss) of window for application
273 buffer. Value 0 is special, it means that nothing is reserved.
274
275 Default: 31
276
277tcp_autocorking - BOOLEAN
278 Enable TCP auto corking :
279 When applications do consecutive small write()/sendmsg() system calls,
280 we try to coalesce these small writes as much as possible, to lower
281 total amount of sent packets. This is done if at least one prior
282 packet for the flow is waiting in Qdisc queues or device transmit
283 queue. Applications can still use TCP_CORK for optimal behavior
284 when they know how/when to uncork their sockets.
285
286 Default : 1
287
288tcp_available_congestion_control - STRING
289 Shows the available congestion control choices that are registered.
290 More congestion control algorithms may be available as modules,
291 but not loaded.
292
293tcp_base_mss - INTEGER
294 The initial value of search_low to be used by the packetization layer
295 Path MTU discovery (MTU probing). If MTU probing is enabled,
296 this is the initial MSS used by the connection.
297
298tcp_mtu_probe_floor - INTEGER
299 If MTU probing is enabled this caps the minimum MSS used for search_low
300 for the connection.
301
302 Default : 48
303
304tcp_min_snd_mss - INTEGER
305 TCP SYN and SYNACK messages usually advertise an ADVMSS option,
306 as described in RFC 1122 and RFC 6691.
307
308 If this ADVMSS option is smaller than tcp_min_snd_mss,
309 it is silently capped to tcp_min_snd_mss.
310
311 Default : 48 (at least 8 bytes of payload per segment)
312
313tcp_congestion_control - STRING
314 Set the congestion control algorithm to be used for new
315 connections. The algorithm "reno" is always available, but
316 additional choices may be available based on kernel configuration.
317 Default is set as part of kernel configuration.
318 For passive connections, the listener congestion control choice
319 is inherited.
320
321 [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ]
322
323tcp_dsack - BOOLEAN
324 Allows TCP to send "duplicate" SACKs.
325
326tcp_early_retrans - INTEGER
327 Tail loss probe (TLP) converts RTOs occurring due to tail
328 losses into fast recovery (draft-ietf-tcpm-rack). Note that
329 TLP requires RACK to function properly (see tcp_recovery below)
330
331 Possible values:
332
333 - 0 disables TLP
334 - 3 or 4 enables TLP
335
336 Default: 3
337
338tcp_ecn - INTEGER
339 Control use of Explicit Congestion Notification (ECN) by TCP.
340 ECN is used only when both ends of the TCP connection indicate
341 support for it. This feature is useful in avoiding losses due
342 to congestion by allowing supporting routers to signal
343 congestion before having to drop packets.
344
345 Possible values are:
346
347 = =====================================================
348 0 Disable ECN. Neither initiate nor accept ECN.
349 1 Enable ECN when requested by incoming connections and
350 also request ECN on outgoing connection attempts.
351 2 Enable ECN when requested by incoming connections
352 but do not request ECN on outgoing connections.
353 = =====================================================
354
355 Default: 2
356
357tcp_ecn_fallback - BOOLEAN
358 If the kernel detects that ECN connection misbehaves, enable fall
359 back to non-ECN. Currently, this knob implements the fallback
360 from RFC3168, section 6.1.1.1., but we reserve that in future,
361 additional detection mechanisms could be implemented under this
362 knob. The value is not used, if tcp_ecn or per route (or congestion
363 control) ECN settings are disabled.
364
365 Default: 1 (fallback enabled)
366
367tcp_fack - BOOLEAN
368 This is a legacy option, it has no effect anymore.
369
370tcp_fin_timeout - INTEGER
371 The length of time an orphaned (no longer referenced by any
372 application) connection will remain in the FIN_WAIT_2 state
373 before it is aborted at the local end. While a perfectly
374 valid "receive only" state for an un-orphaned connection, an
375 orphaned connection in FIN_WAIT_2 state could otherwise wait
376 forever for the remote to close its end of the connection.
377
378 Cf. tcp_max_orphans
379
380 Default: 60 seconds
381
382tcp_frto - INTEGER
383 Enables Forward RTO-Recovery (F-RTO) defined in RFC5682.
384 F-RTO is an enhanced recovery algorithm for TCP retransmission
385 timeouts. It is particularly beneficial in networks where the
386 RTT fluctuates (e.g., wireless). F-RTO is sender-side only
387 modification. It does not require any support from the peer.
388
389 By default it's enabled with a non-zero value. 0 disables F-RTO.
390
391tcp_fwmark_accept - BOOLEAN
392 If set, incoming connections to listening sockets that do not have a
393 socket mark will set the mark of the accepting socket to the fwmark of
394 the incoming SYN packet. This will cause all packets on that connection
395 (starting from the first SYNACK) to be sent with that fwmark. The
396 listening socket's mark is unchanged. Listening sockets that already
397 have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are
398 unaffected.
399
400 Default: 0
401
402tcp_invalid_ratelimit - INTEGER
403 Limit the maximal rate for sending duplicate acknowledgments
404 in response to incoming TCP packets that are for an existing
405 connection but that are invalid due to any of these reasons:
406
407 (a) out-of-window sequence number,
408 (b) out-of-window acknowledgment number, or
409 (c) PAWS (Protection Against Wrapped Sequence numbers) check failure
410
411 This can help mitigate simple "ack loop" DoS attacks, wherein
412 a buggy or malicious middlebox or man-in-the-middle can
413 rewrite TCP header fields in manner that causes each endpoint
414 to think that the other is sending invalid TCP segments, thus
415 causing each side to send an unterminating stream of duplicate
416 acknowledgments for invalid segments.
417
418 Using 0 disables rate-limiting of dupacks in response to
419 invalid segments; otherwise this value specifies the minimal
420 space between sending such dupacks, in milliseconds.
421
422 Default: 500 (milliseconds).
423
424tcp_keepalive_time - INTEGER
425 How often TCP sends out keepalive messages when keepalive is enabled.
426 Default: 2hours.
427
428tcp_keepalive_probes - INTEGER
429 How many keepalive probes TCP sends out, until it decides that the
430 connection is broken. Default value: 9.
431
432tcp_keepalive_intvl - INTEGER
433 How frequently the probes are send out. Multiplied by
434 tcp_keepalive_probes it is time to kill not responding connection,
435 after probes started. Default value: 75sec i.e. connection
436 will be aborted after ~11 minutes of retries.
437
438tcp_l3mdev_accept - BOOLEAN
439 Enables child sockets to inherit the L3 master device index.
440 Enabling this option allows a "global" listen socket to work
441 across L3 master domains (e.g., VRFs) with connected sockets
442 derived from the listen socket to be bound to the L3 domain in
443 which the packets originated. Only valid when the kernel was
444 compiled with CONFIG_NET_L3_MASTER_DEV.
445
446 Default: 0 (disabled)
447
448tcp_low_latency - BOOLEAN
449 This is a legacy option, it has no effect anymore.
450
451tcp_max_orphans - INTEGER
452 Maximal number of TCP sockets not attached to any user file handle,
453 held by system. If this number is exceeded orphaned connections are
454 reset immediately and warning is printed. This limit exists
455 only to prevent simple DoS attacks, you _must_ not rely on this
456 or lower the limit artificially, but rather increase it
457 (probably, after increasing installed memory),
458 if network conditions require more than default value,
459 and tune network services to linger and kill such states
460 more aggressively. Let me to remind again: each orphan eats
461 up to ~64K of unswappable memory.
462
463tcp_max_syn_backlog - INTEGER
464 Maximal number of remembered connection requests (SYN_RECV),
465 which have not received an acknowledgment from connecting client.
466
467 This is a per-listener limit.
468
469 The minimal value is 128 for low memory machines, and it will
470 increase in proportion to the memory of machine.
471
472 If server suffers from overload, try increasing this number.
473
474 Remember to also check /proc/sys/net/core/somaxconn
475 A SYN_RECV request socket consumes about 304 bytes of memory.
476
477tcp_max_tw_buckets - INTEGER
478 Maximal number of timewait sockets held by system simultaneously.
479 If this number is exceeded time-wait socket is immediately destroyed
480 and warning is printed. This limit exists only to prevent
481 simple DoS attacks, you _must_ not lower the limit artificially,
482 but rather increase it (probably, after increasing installed memory),
483 if network conditions require more than default value.
484
485tcp_mem - vector of 3 INTEGERs: min, pressure, max
486 min: below this number of pages TCP is not bothered about its
487 memory appetite.
488
489 pressure: when amount of memory allocated by TCP exceeds this number
490 of pages, TCP moderates its memory consumption and enters memory
491 pressure mode, which is exited when memory consumption falls
492 under "min".
493
494 max: number of pages allowed for queueing by all TCP sockets.
495
496 Defaults are calculated at boot time from amount of available
497 memory.
498
499tcp_min_rtt_wlen - INTEGER
500 The window length of the windowed min filter to track the minimum RTT.
501 A shorter window lets a flow more quickly pick up new (higher)
502 minimum RTT when it is moved to a longer path (e.g., due to traffic
503 engineering). A longer window makes the filter more resistant to RTT
504 inflations such as transient congestion. The unit is seconds.
505
506 Possible values: 0 - 86400 (1 day)
507
508 Default: 300
509
510tcp_moderate_rcvbuf - BOOLEAN
511 If set, TCP performs receive buffer auto-tuning, attempting to
512 automatically size the buffer (no greater than tcp_rmem[2]) to
513 match the size required by the path for full throughput. Enabled by
514 default.
515
516tcp_mtu_probing - INTEGER
517 Controls TCP Packetization-Layer Path MTU Discovery. Takes three
518 values:
519
520 - 0 - Disabled
521 - 1 - Disabled by default, enabled when an ICMP black hole detected
522 - 2 - Always enabled, use initial MSS of tcp_base_mss.
523
524tcp_probe_interval - UNSIGNED INTEGER
525 Controls how often to start TCP Packetization-Layer Path MTU
526 Discovery reprobe. The default is reprobing every 10 minutes as
527 per RFC4821.
528
529tcp_probe_threshold - INTEGER
530 Controls when TCP Packetization-Layer Path MTU Discovery probing
531 will stop in respect to the width of search range in bytes. Default
532 is 8 bytes.
533
534tcp_no_metrics_save - BOOLEAN
535 By default, TCP saves various connection metrics in the route cache
536 when the connection closes, so that connections established in the
537 near future can use these to set initial conditions. Usually, this
538 increases overall performance, but may sometimes cause performance
539 degradation. If set, TCP will not cache metrics on closing
540 connections.
541
542tcp_no_ssthresh_metrics_save - BOOLEAN
543 Controls whether TCP saves ssthresh metrics in the route cache.
544
545 Default is 1, which disables ssthresh metrics.
546
547tcp_orphan_retries - INTEGER
548 This value influences the timeout of a locally closed TCP connection,
549 when RTO retransmissions remain unacknowledged.
550 See tcp_retries2 for more details.
551
552 The default value is 8.
553
554 If your machine is a loaded WEB server,
555 you should think about lowering this value, such sockets
556 may consume significant resources. Cf. tcp_max_orphans.
557
558tcp_recovery - INTEGER
559 This value is a bitmap to enable various experimental loss recovery
560 features.
561
562 ========= =============================================================
563 RACK: 0x1 enables the RACK loss detection for fast detection of lost
564 retransmissions and tail drops. It also subsumes and disables
565 RFC6675 recovery for SACK connections.
566
567 RACK: 0x2 makes RACK's reordering window static (min_rtt/4).
568
569 RACK: 0x4 disables RACK's DUPACK threshold heuristic
570 ========= =============================================================
571
572 Default: 0x1
573
574tcp_reordering - INTEGER
575 Initial reordering level of packets in a TCP stream.
576 TCP stack can then dynamically adjust flow reordering level
577 between this initial value and tcp_max_reordering
578
579 Default: 3
580
581tcp_max_reordering - INTEGER
582 Maximal reordering level of packets in a TCP stream.
583 300 is a fairly conservative value, but you might increase it
584 if paths are using per packet load balancing (like bonding rr mode)
585
586 Default: 300
587
588tcp_retrans_collapse - BOOLEAN
589 Bug-to-bug compatibility with some broken printers.
590 On retransmit try to send bigger packets to work around bugs in
591 certain TCP stacks.
592
593tcp_retries1 - INTEGER
594 This value influences the time, after which TCP decides, that
595 something is wrong due to unacknowledged RTO retransmissions,
596 and reports this suspicion to the network layer.
597 See tcp_retries2 for more details.
598
599 RFC 1122 recommends at least 3 retransmissions, which is the
600 default.
601
602tcp_retries2 - INTEGER
603 This value influences the timeout of an alive TCP connection,
604 when RTO retransmissions remain unacknowledged.
605 Given a value of N, a hypothetical TCP connection following
606 exponential backoff with an initial RTO of TCP_RTO_MIN would
607 retransmit N times before killing the connection at the (N+1)th RTO.
608
609 The default value of 15 yields a hypothetical timeout of 924.6
610 seconds and is a lower bound for the effective timeout.
611 TCP will effectively time out at the first RTO which exceeds the
612 hypothetical timeout.
613
614 RFC 1122 recommends at least 100 seconds for the timeout,
615 which corresponds to a value of at least 8.
616
617tcp_rfc1337 - BOOLEAN
618 If set, the TCP stack behaves conforming to RFC1337. If unset,
619 we are not conforming to RFC, but prevent TCP TIME_WAIT
620 assassination.
621
622 Default: 0
623
624tcp_rmem - vector of 3 INTEGERs: min, default, max
625 min: Minimal size of receive buffer used by TCP sockets.
626 It is guaranteed to each TCP socket, even under moderate memory
627 pressure.
628
629 Default: 4K
630
631 default: initial size of receive buffer used by TCP sockets.
632 This value overrides net.core.rmem_default used by other protocols.
633 Default: 87380 bytes. This value results in window of 65535 with
634 default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit
635 less for default tcp_app_win. See below about these variables.
636
637 max: maximal size of receive buffer allowed for automatically
638 selected receiver buffers for TCP socket. This value does not override
639 net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables
640 automatic tuning of that socket's receive buffer size, in which
641 case this value is ignored.
642 Default: between 87380B and 6MB, depending on RAM size.
643
644tcp_sack - BOOLEAN
645 Enable select acknowledgments (SACKS).
646
647tcp_comp_sack_delay_ns - LONG INTEGER
648 TCP tries to reduce number of SACK sent, using a timer
649 based on 5% of SRTT, capped by this sysctl, in nano seconds.
650 The default is 1ms, based on TSO autosizing period.
651
652 Default : 1,000,000 ns (1 ms)
653
654tcp_comp_sack_slack_ns - LONG INTEGER
655 This sysctl control the slack used when arming the
656 timer used by SACK compression. This gives extra time
657 for small RTT flows, and reduces system overhead by allowing
658 opportunistic reduction of timer interrupts.
659
660 Default : 100,000 ns (100 us)
661
662tcp_comp_sack_nr - INTEGER
663 Max number of SACK that can be compressed.
664 Using 0 disables SACK compression.
665
666 Default : 44
667
668tcp_slow_start_after_idle - BOOLEAN
669 If set, provide RFC2861 behavior and time out the congestion
670 window after an idle period. An idle period is defined at
671 the current RTO. If unset, the congestion window will not
672 be timed out after an idle period.
673
674 Default: 1
675
676tcp_stdurg - BOOLEAN
677 Use the Host requirements interpretation of the TCP urgent pointer field.
678 Most hosts use the older BSD interpretation, so if you turn this on
679 Linux might not communicate correctly with them.
680
681 Default: FALSE
682
683tcp_synack_retries - INTEGER
684 Number of times SYNACKs for a passive TCP connection attempt will
685 be retransmitted. Should not be higher than 255. Default value
686 is 5, which corresponds to 31seconds till the last retransmission
687 with the current initial RTO of 1second. With this the final timeout
688 for a passive TCP connection will happen after 63seconds.
689
690tcp_syncookies - INTEGER
691 Only valid when the kernel was compiled with CONFIG_SYN_COOKIES
692 Send out syncookies when the syn backlog queue of a socket
693 overflows. This is to prevent against the common 'SYN flood attack'
694 Default: 1
695
696 Note, that syncookies is fallback facility.
697 It MUST NOT be used to help highly loaded servers to stand
698 against legal connection rate. If you see SYN flood warnings
699 in your logs, but investigation shows that they occur
700 because of overload with legal connections, you should tune
701 another parameters until this warning disappear.
702 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
703
704 syncookies seriously violate TCP protocol, do not allow
705 to use TCP extensions, can result in serious degradation
706 of some services (f.e. SMTP relaying), visible not by you,
707 but your clients and relays, contacting you. While you see
708 SYN flood warnings in logs not being really flooded, your server
709 is seriously misconfigured.
710
711 If you want to test which effects syncookies have to your
712 network connections you can set this knob to 2 to enable
713 unconditionally generation of syncookies.
714
715tcp_fastopen - INTEGER
716 Enable TCP Fast Open (RFC7413) to send and accept data in the opening
717 SYN packet.
718
719 The client support is enabled by flag 0x1 (on by default). The client
720 then must use sendmsg() or sendto() with the MSG_FASTOPEN flag,
721 rather than connect() to send data in SYN.
722
723 The server support is enabled by flag 0x2 (off by default). Then
724 either enable for all listeners with another flag (0x400) or
725 enable individual listeners via TCP_FASTOPEN socket option with
726 the option value being the length of the syn-data backlog.
727
728 The values (bitmap) are
729
730 ===== ======== ======================================================
731 0x1 (client) enables sending data in the opening SYN on the client.
732 0x2 (server) enables the server support, i.e., allowing data in
733 a SYN packet to be accepted and passed to the
734 application before 3-way handshake finishes.
735 0x4 (client) send data in the opening SYN regardless of cookie
736 availability and without a cookie option.
737 0x200 (server) accept data-in-SYN w/o any cookie option present.
738 0x400 (server) enable all listeners to support Fast Open by
739 default without explicit TCP_FASTOPEN socket option.
740 ===== ======== ======================================================
741
742 Default: 0x1
743
744 Note that additional client or server features are only
745 effective if the basic support (0x1 and 0x2) are enabled respectively.
746
747tcp_fastopen_blackhole_timeout_sec - INTEGER
748 Initial time period in second to disable Fastopen on active TCP sockets
749 when a TFO firewall blackhole issue happens.
750 This time period will grow exponentially when more blackhole issues
751 get detected right after Fastopen is re-enabled and will reset to
752 initial value when the blackhole issue goes away.
753 0 to disable the blackhole detection.
754
755 By default, it is set to 1hr.
756
757tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
758 The list consists of a primary key and an optional backup key. The
759 primary key is used for both creating and validating cookies, while the
760 optional backup key is only used for validating cookies. The purpose of
761 the backup key is to maximize TFO validation when keys are rotated.
762
763 A randomly chosen primary key may be configured by the kernel if
764 the tcp_fastopen sysctl is set to 0x400 (see above), or if the
765 TCP_FASTOPEN setsockopt() optname is set and a key has not been
766 previously configured via sysctl. If keys are configured via
767 setsockopt() by using the TCP_FASTOPEN_KEY optname, then those
768 per-socket keys will be used instead of any keys that are specified via
769 sysctl.
770
771 A key is specified as 4 8-digit hexadecimal integers which are separated
772 by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be
773 omitted. A primary and a backup key may be specified by separating them
774 by a comma. If only one key is specified, it becomes the primary key and
775 any previously configured backup keys are removed.
776
777tcp_syn_retries - INTEGER
778 Number of times initial SYNs for an active TCP connection attempt
779 will be retransmitted. Should not be higher than 127. Default value
780 is 6, which corresponds to 63seconds till the last retransmission
781 with the current initial RTO of 1second. With this the final timeout
782 for an active TCP connection attempt will happen after 127seconds.
783
784tcp_timestamps - INTEGER
785 Enable timestamps as defined in RFC1323.
786
787 - 0: Disabled.
788 - 1: Enable timestamps as defined in RFC1323 and use random offset for
789 each connection rather than only using the current time.
790 - 2: Like 1, but without random offsets.
791
792 Default: 1
793
794tcp_min_tso_segs - INTEGER
795 Minimal number of segments per TSO frame.
796
797 Since linux-3.12, TCP does an automatic sizing of TSO frames,
798 depending on flow rate, instead of filling 64Kbytes packets.
799 For specific usages, it's possible to force TCP to build big
800 TSO frames. Note that TCP stack might split too big TSO packets
801 if available window is too small.
802
803 Default: 2
804
805tcp_pacing_ss_ratio - INTEGER
806 sk->sk_pacing_rate is set by TCP stack using a ratio applied
807 to current rate. (current_rate = cwnd * mss / srtt)
808 If TCP is in slow start, tcp_pacing_ss_ratio is applied
809 to let TCP probe for bigger speeds, assuming cwnd can be
810 doubled every other RTT.
811
812 Default: 200
813
814tcp_pacing_ca_ratio - INTEGER
815 sk->sk_pacing_rate is set by TCP stack using a ratio applied
816 to current rate. (current_rate = cwnd * mss / srtt)
817 If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio
818 is applied to conservatively probe for bigger throughput.
819
820 Default: 120
821
822tcp_tso_win_divisor - INTEGER
823 This allows control over what percentage of the congestion window
824 can be consumed by a single TSO frame.
825 The setting of this parameter is a choice between burstiness and
826 building larger TSO frames.
827
828 Default: 3
829
830tcp_tw_reuse - INTEGER
831 Enable reuse of TIME-WAIT sockets for new connections when it is
832 safe from protocol viewpoint.
833
834 - 0 - disable
835 - 1 - global enable
836 - 2 - enable for loopback traffic only
837
838 It should not be changed without advice/request of technical
839 experts.
840
841 Default: 2
842
843tcp_window_scaling - BOOLEAN
844 Enable window scaling as defined in RFC1323.
845
846tcp_wmem - vector of 3 INTEGERs: min, default, max
847 min: Amount of memory reserved for send buffers for TCP sockets.
848 Each TCP socket has rights to use it due to fact of its birth.
849
850 Default: 4K
851
852 default: initial size of send buffer used by TCP sockets. This
853 value overrides net.core.wmem_default used by other protocols.
854
855 It is usually lower than net.core.wmem_default.
856
857 Default: 16K
858
859 max: Maximal amount of memory allowed for automatically tuned
860 send buffers for TCP sockets. This value does not override
861 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables
862 automatic tuning of that socket's send buffer size, in which case
863 this value is ignored.
864
865 Default: between 64K and 4MB, depending on RAM size.
866
867tcp_notsent_lowat - UNSIGNED INTEGER
868 A TCP socket can control the amount of unsent bytes in its write queue,
869 thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll()
870 reports POLLOUT events if the amount of unsent bytes is below a per
871 socket value, and if the write queue is not full. sendmsg() will
872 also not add new buffers if the limit is hit.
873
874 This global variable controls the amount of unsent data for
875 sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change
876 to the global variable has immediate effect.
877
878 Default: UINT_MAX (0xFFFFFFFF)
879
880tcp_workaround_signed_windows - BOOLEAN
881 If set, assume no receipt of a window scaling option means the
882 remote TCP is broken and treats the window as a signed quantity.
883 If unset, assume the remote TCP is not broken even if we do
884 not receive a window scaling option from them.
885
886 Default: 0
887
888tcp_thin_linear_timeouts - BOOLEAN
889 Enable dynamic triggering of linear timeouts for thin streams.
890 If set, a check is performed upon retransmission by timeout to
891 determine if the stream is thin (less than 4 packets in flight).
892 As long as the stream is found to be thin, up to 6 linear
893 timeouts may be performed before exponential backoff mode is
894 initiated. This improves retransmission latency for
895 non-aggressive thin streams, often found to be time-dependent.
896 For more information on thin streams, see
897 Documentation/networking/tcp-thin.rst
898
899 Default: 0
900
901tcp_limit_output_bytes - INTEGER
902 Controls TCP Small Queue limit per tcp socket.
903 TCP bulk sender tends to increase packets in flight until it
904 gets losses notifications. With SNDBUF autotuning, this can
905 result in a large amount of packets queued on the local machine
906 (e.g.: qdiscs, CPU backlog, or device) hurting latency of other
907 flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes
908 limits the number of bytes on qdisc or device to reduce artificial
909 RTT/cwnd and reduce bufferbloat.
910
911 Default: 1048576 (16 * 65536)
912
913tcp_challenge_ack_limit - INTEGER
914 Limits number of Challenge ACK sent per second, as recommended
915 in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
916 Default: 1000
917
918tcp_rx_skb_cache - BOOLEAN
919 Controls a per TCP socket cache of one skb, that might help
920 performance of some workloads. This might be dangerous
921 on systems with a lot of TCP sockets, since it increases
922 memory usage.
923
924 Default: 0 (disabled)
925
926UDP variables
927=============
928
929udp_l3mdev_accept - BOOLEAN
930 Enabling this option allows a "global" bound socket to work
931 across L3 master domains (e.g., VRFs) with packets capable of
932 being received regardless of the L3 domain in which they
933 originated. Only valid when the kernel was compiled with
934 CONFIG_NET_L3_MASTER_DEV.
935
936 Default: 0 (disabled)
937
938udp_mem - vector of 3 INTEGERs: min, pressure, max
939 Number of pages allowed for queueing by all UDP sockets.
940
941 min: Below this number of pages UDP is not bothered about its
942 memory appetite. When amount of memory allocated by UDP exceeds
943 this number, UDP starts to moderate memory usage.
944
945 pressure: This value was introduced to follow format of tcp_mem.
946
947 max: Number of pages allowed for queueing by all UDP sockets.
948
949 Default is calculated at boot time from amount of available memory.
950
951udp_rmem_min - INTEGER
952 Minimal size of receive buffer used by UDP sockets in moderation.
953 Each UDP socket is able to use the size for receiving data, even if
954 total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
955
956 Default: 4K
957
958udp_wmem_min - INTEGER
959 Minimal size of send buffer used by UDP sockets in moderation.
960 Each UDP socket is able to use the size for sending data, even if
961 total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
962
963 Default: 4K
964
965RAW variables
966=============
967
968raw_l3mdev_accept - BOOLEAN
969 Enabling this option allows a "global" bound socket to work
970 across L3 master domains (e.g., VRFs) with packets capable of
971 being received regardless of the L3 domain in which they
972 originated. Only valid when the kernel was compiled with
973 CONFIG_NET_L3_MASTER_DEV.
974
975 Default: 1 (enabled)
976
977CIPSOv4 Variables
978=================
979
980cipso_cache_enable - BOOLEAN
981 If set, enable additions to and lookups from the CIPSO label mapping
982 cache. If unset, additions are ignored and lookups always result in a
983 miss. However, regardless of the setting the cache is still
984 invalidated when required when means you can safely toggle this on and
985 off and the cache will always be "safe".
986
987 Default: 1
988
989cipso_cache_bucket_size - INTEGER
990 The CIPSO label cache consists of a fixed size hash table with each
991 hash bucket containing a number of cache entries. This variable limits
992 the number of entries in each hash bucket; the larger the value the
993 more CIPSO label mappings that can be cached. When the number of
994 entries in a given hash bucket reaches this limit adding new entries
995 causes the oldest entry in the bucket to be removed to make room.
996
997 Default: 10
998
999cipso_rbm_optfmt - BOOLEAN
1000 Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of
1001 the CIPSO draft specification (see Documentation/netlabel for details).
1002 This means that when set the CIPSO tag will be padded with empty
1003 categories in order to make the packet data 32-bit aligned.
1004
1005 Default: 0
1006
1007cipso_rbm_structvalid - BOOLEAN
1008 If set, do a very strict check of the CIPSO option when
1009 ip_options_compile() is called. If unset, relax the checks done during
1010 ip_options_compile(). Either way is "safe" as errors are caught else
1011 where in the CIPSO processing code but setting this to 0 (False) should
1012 result in less work (i.e. it should be faster) but could cause problems
1013 with other implementations that require strict checking.
1014
1015 Default: 0
1016
1017IP Variables
1018============
1019
1020ip_local_port_range - 2 INTEGERS
1021 Defines the local port range that is used by TCP and UDP to
1022 choose the local port. The first number is the first, the
1023 second the last local port number.
1024 If possible, it is better these numbers have different parity
1025 (one even and one odd value).
1026 Must be greater than or equal to ip_unprivileged_port_start.
1027 The default values are 32768 and 60999 respectively.
1028
1029ip_local_reserved_ports - list of comma separated ranges
1030 Specify the ports which are reserved for known third-party
1031 applications. These ports will not be used by automatic port
1032 assignments (e.g. when calling connect() or bind() with port
1033 number 0). Explicit port allocation behavior is unchanged.
1034
1035 The format used for both input and output is a comma separated
1036 list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
1037 10). Writing to the file will clear all previously reserved
1038 ports and update the current list with the one given in the
1039 input.
1040
1041 Note that ip_local_port_range and ip_local_reserved_ports
1042 settings are independent and both are considered by the kernel
1043 when determining which ports are available for automatic port
1044 assignments.
1045
1046 You can reserve ports which are not in the current
1047 ip_local_port_range, e.g.::
1048
1049 $ cat /proc/sys/net/ipv4/ip_local_port_range
1050 32000 60999
1051 $ cat /proc/sys/net/ipv4/ip_local_reserved_ports
1052 8080,9148
1053
1054 although this is redundant. However such a setting is useful
1055 if later the port range is changed to a value that will
1056 include the reserved ports.
1057
1058 Default: Empty
1059
1060ip_unprivileged_port_start - INTEGER
1061 This is a per-namespace sysctl. It defines the first
1062 unprivileged port in the network namespace. Privileged ports
1063 require root or CAP_NET_BIND_SERVICE in order to bind to them.
1064 To disable all privileged ports, set this to 0. They must not
1065 overlap with the ip_local_port_range.
1066
1067 Default: 1024
1068
1069ip_nonlocal_bind - BOOLEAN
1070 If set, allows processes to bind() to non-local IP addresses,
1071 which can be quite useful - but may break some applications.
1072
1073 Default: 0
1074
1075ip_autobind_reuse - BOOLEAN
1076 By default, bind() does not select the ports automatically even if
1077 the new socket and all sockets bound to the port have SO_REUSEADDR.
1078 ip_autobind_reuse allows bind() to reuse the port and this is useful
1079 when you use bind()+connect(), but may break some applications.
1080 The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this
1081 option should only be set by experts.
1082 Default: 0
1083
1084ip_dynaddr - BOOLEAN
1085 If set non-zero, enables support for dynamic addresses.
1086 If set to a non-zero value larger than 1, a kernel log
1087 message will be printed when dynamic address rewriting
1088 occurs.
1089
1090 Default: 0
1091
1092ip_early_demux - BOOLEAN
1093 Optimize input packet processing down to one demux for
1094 certain kinds of local sockets. Currently we only do this
1095 for established TCP and connected UDP sockets.
1096
1097 It may add an additional cost for pure routing workloads that
1098 reduces overall throughput, in such case you should disable it.
1099
1100 Default: 1
1101
1102ping_group_range - 2 INTEGERS
1103 Restrict ICMP_PROTO datagram sockets to users in the group range.
1104 The default is "1 0", meaning, that nobody (not even root) may
1105 create ping sockets. Setting it to "100 100" would grant permissions
1106 to the single group. "0 4294967295" would enable it for the world, "100
1107 4294967295" would enable it for the users, but not daemons.
1108
1109tcp_early_demux - BOOLEAN
1110 Enable early demux for established TCP sockets.
1111
1112 Default: 1
1113
1114udp_early_demux - BOOLEAN
1115 Enable early demux for connected UDP sockets. Disable this if
1116 your system could experience more unconnected load.
1117
1118 Default: 1
1119
1120icmp_echo_ignore_all - BOOLEAN
1121 If set non-zero, then the kernel will ignore all ICMP ECHO
1122 requests sent to it.
1123
1124 Default: 0
1125
1126icmp_echo_ignore_broadcasts - BOOLEAN
1127 If set non-zero, then the kernel will ignore all ICMP ECHO and
1128 TIMESTAMP requests sent to it via broadcast/multicast.
1129
1130 Default: 1
1131
1132icmp_ratelimit - INTEGER
1133 Limit the maximal rates for sending ICMP packets whose type matches
1134 icmp_ratemask (see below) to specific targets.
1135 0 to disable any limiting,
1136 otherwise the minimal space between responses in milliseconds.
1137 Note that another sysctl, icmp_msgs_per_sec limits the number
1138 of ICMP packets sent on all targets.
1139
1140 Default: 1000
1141
1142icmp_msgs_per_sec - INTEGER
1143 Limit maximal number of ICMP packets sent per second from this host.
1144 Only messages whose type matches icmp_ratemask (see below) are
1145 controlled by this limit.
1146
1147 Default: 1000
1148
1149icmp_msgs_burst - INTEGER
1150 icmp_msgs_per_sec controls number of ICMP packets sent per second,
1151 while icmp_msgs_burst controls the burst size of these packets.
1152
1153 Default: 50
1154
1155icmp_ratemask - INTEGER
1156 Mask made of ICMP types for which rates are being limited.
1157
1158 Significant bits: IHGFEDCBA9876543210
1159
1160 Default mask: 0000001100000011000 (6168)
1161
1162 Bit definitions (see include/linux/icmp.h):
1163
1164 = =========================
1165 0 Echo Reply
1166 3 Destination Unreachable [1]_
1167 4 Source Quench [1]_
1168 5 Redirect
1169 8 Echo Request
1170 B Time Exceeded [1]_
1171 C Parameter Problem [1]_
1172 D Timestamp Request
1173 E Timestamp Reply
1174 F Info Request
1175 G Info Reply
1176 H Address Mask Request
1177 I Address Mask Reply
1178 = =========================
1179
1180 .. [1] These are rate limited by default (see default mask above)
1181
1182icmp_ignore_bogus_error_responses - BOOLEAN
1183 Some routers violate RFC1122 by sending bogus responses to broadcast
1184 frames. Such violations are normally logged via a kernel warning.
1185 If this is set to TRUE, the kernel will not give such warnings, which
1186 will avoid log file clutter.
1187
1188 Default: 1
1189
1190icmp_errors_use_inbound_ifaddr - BOOLEAN
1191
1192 If zero, icmp error messages are sent with the primary address of
1193 the exiting interface.
1194
1195 If non-zero, the message will be sent with the primary address of
1196 the interface that received the packet that caused the icmp error.
1197 This is the behaviour network many administrators will expect from
1198 a router. And it can make debugging complicated network layouts
1199 much easier.
1200
1201 Note that if no primary address exists for the interface selected,
1202 then the primary address of the first non-loopback interface that
1203 has one will be used regardless of this setting.
1204
1205 Default: 0
1206
1207igmp_max_memberships - INTEGER
1208 Change the maximum number of multicast groups we can subscribe to.
1209 Default: 20
1210
1211 Theoretical maximum value is bounded by having to send a membership
1212 report in a single datagram (i.e. the report can't span multiple
1213 datagrams, or risk confusing the switch and leaving groups you don't
1214 intend to).
1215
1216 The number of supported groups 'M' is bounded by the number of group
1217 report entries you can fit into a single datagram of 65535 bytes.
1218
1219 M = 65536-sizeof (ip header)/(sizeof(Group record))
1220
1221 Group records are variable length, with a minimum of 12 bytes.
1222 So net.ipv4.igmp_max_memberships should not be set higher than:
1223
1224 (65536-24) / 12 = 5459
1225
1226 The value 5459 assumes no IP header options, so in practice
1227 this number may be lower.
1228
1229igmp_max_msf - INTEGER
1230 Maximum number of addresses allowed in the source filter list for a
1231 multicast group.
1232
1233 Default: 10
1234
1235igmp_qrv - INTEGER
1236 Controls the IGMP query robustness variable (see RFC2236 8.1).
1237
1238 Default: 2 (as specified by RFC2236 8.1)
1239
1240 Minimum: 1 (as specified by RFC6636 4.5)
1241
1242force_igmp_version - INTEGER
1243 - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback
1244 allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier
1245 Present timer expires.
1246 - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if
1247 receive IGMPv2/v3 query.
1248 - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive
1249 IGMPv1 query message. Will reply report if receive IGMPv3 query.
1250 - 3 - Enforce to use IGMP version 3. The same react with default 0.
1251
1252 .. note::
1253
1254 this is not the same with force_mld_version because IGMPv3 RFC3376
1255 Security Considerations does not have clear description that we could
1256 ignore other version messages completely as MLDv2 RFC3810. So make
1257 this value as default 0 is recommended.
1258
1259``conf/interface/*``
1260 changes special settings per interface (where
1261 interface" is the name of your network interface)
1262
1263``conf/all/*``
1264 is special, changes the settings for all interfaces
1265
1266log_martians - BOOLEAN
1267 Log packets with impossible addresses to kernel log.
1268 log_martians for the interface will be enabled if at least one of
1269 conf/{all,interface}/log_martians is set to TRUE,
1270 it will be disabled otherwise
1271
1272accept_redirects - BOOLEAN
1273 Accept ICMP redirect messages.
1274 accept_redirects for the interface will be enabled if:
1275
1276 - both conf/{all,interface}/accept_redirects are TRUE in the case
1277 forwarding for the interface is enabled
1278
1279 or
1280
1281 - at least one of conf/{all,interface}/accept_redirects is TRUE in the
1282 case forwarding for the interface is disabled
1283
1284 accept_redirects for the interface will be disabled otherwise
1285
1286 default:
1287
1288 - TRUE (host)
1289 - FALSE (router)
1290
1291forwarding - BOOLEAN
1292 Enable IP forwarding on this interface. This controls whether packets
1293 received _on_ this interface can be forwarded.
1294
1295mc_forwarding - BOOLEAN
1296 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
1297 and a multicast routing daemon is required.
1298 conf/all/mc_forwarding must also be set to TRUE to enable multicast
1299 routing for the interface
1300
1301medium_id - INTEGER
1302 Integer value used to differentiate the devices by the medium they
1303 are attached to. Two devices can have different id values when
1304 the broadcast packets are received only on one of them.
1305 The default value 0 means that the device is the only interface
1306 to its medium, value of -1 means that medium is not known.
1307
1308 Currently, it is used to change the proxy_arp behavior:
1309 the proxy_arp feature is enabled for packets forwarded between
1310 two devices attached to different media.
1311
1312proxy_arp - BOOLEAN
1313 Do proxy arp.
1314
1315 proxy_arp for the interface will be enabled if at least one of
1316 conf/{all,interface}/proxy_arp is set to TRUE,
1317 it will be disabled otherwise
1318
1319proxy_arp_pvlan - BOOLEAN
1320 Private VLAN proxy arp.
1321
1322 Basically allow proxy arp replies back to the same interface
1323 (from which the ARP request/solicitation was received).
1324
1325 This is done to support (ethernet) switch features, like RFC
1326 3069, where the individual ports are NOT allowed to
1327 communicate with each other, but they are allowed to talk to
1328 the upstream router. As described in RFC 3069, it is possible
1329 to allow these hosts to communicate through the upstream
1330 router by proxy_arp'ing. Don't need to be used together with
1331 proxy_arp.
1332
1333 This technology is known by different names:
1334
1335 In RFC 3069 it is called VLAN Aggregation.
1336 Cisco and Allied Telesyn call it Private VLAN.
1337 Hewlett-Packard call it Source-Port filtering or port-isolation.
1338 Ericsson call it MAC-Forced Forwarding (RFC Draft).
1339
1340shared_media - BOOLEAN
1341 Send(router) or accept(host) RFC1620 shared media redirects.
1342 Overrides secure_redirects.
1343
1344 shared_media for the interface will be enabled if at least one of
1345 conf/{all,interface}/shared_media is set to TRUE,
1346 it will be disabled otherwise
1347
1348 default TRUE
1349
1350secure_redirects - BOOLEAN
1351 Accept ICMP redirect messages only to gateways listed in the
1352 interface's current gateway list. Even if disabled, RFC1122 redirect
1353 rules still apply.
1354
1355 Overridden by shared_media.
1356
1357 secure_redirects for the interface will be enabled if at least one of
1358 conf/{all,interface}/secure_redirects is set to TRUE,
1359 it will be disabled otherwise
1360
1361 default TRUE
1362
1363send_redirects - BOOLEAN
1364 Send redirects, if router.
1365
1366 send_redirects for the interface will be enabled if at least one of
1367 conf/{all,interface}/send_redirects is set to TRUE,
1368 it will be disabled otherwise
1369
1370 Default: TRUE
1371
1372bootp_relay - BOOLEAN
1373 Accept packets with source address 0.b.c.d destined
1374 not to this host as local ones. It is supposed, that
1375 BOOTP relay daemon will catch and forward such packets.
1376 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
1377 for the interface
1378
1379 default FALSE
1380
1381 Not Implemented Yet.
1382
1383accept_source_route - BOOLEAN
1384 Accept packets with SRR option.
1385 conf/all/accept_source_route must also be set to TRUE to accept packets
1386 with SRR option on the interface
1387
1388 default
1389
1390 - TRUE (router)
1391 - FALSE (host)
1392
1393accept_local - BOOLEAN
1394 Accept packets with local source addresses. In combination with
1395 suitable routing, this can be used to direct packets between two
1396 local interfaces over the wire and have them accepted properly.
1397 default FALSE
1398
1399route_localnet - BOOLEAN
1400 Do not consider loopback addresses as martian source or destination
1401 while routing. This enables the use of 127/8 for local routing purposes.
1402
1403 default FALSE
1404
1405rp_filter - INTEGER
1406 - 0 - No source validation.
1407 - 1 - Strict mode as defined in RFC3704 Strict Reverse Path
1408 Each incoming packet is tested against the FIB and if the interface
1409 is not the best reverse path the packet check will fail.
1410 By default failed packets are discarded.
1411 - 2 - Loose mode as defined in RFC3704 Loose Reverse Path
1412 Each incoming packet's source address is also tested against the FIB
1413 and if the source address is not reachable via any interface
1414 the packet check will fail.
1415
1416 Current recommended practice in RFC3704 is to enable strict mode
1417 to prevent IP spoofing from DDos attacks. If using asymmetric routing
1418 or other complicated routing, then loose mode is recommended.
1419
1420 The max value from conf/{all,interface}/rp_filter is used
1421 when doing source validation on the {interface}.
1422
1423 Default value is 0. Note that some distributions enable it
1424 in startup scripts.
1425
1426arp_filter - BOOLEAN
1427 - 1 - Allows you to have multiple network interfaces on the same
1428 subnet, and have the ARPs for each interface be answered
1429 based on whether or not the kernel would route a packet from
1430 the ARP'd IP out that interface (therefore you must use source
1431 based routing for this to work). In other words it allows control
1432 of which cards (usually 1) will respond to an arp request.
1433
1434 - 0 - (default) The kernel can respond to arp requests with addresses
1435 from other interfaces. This may seem wrong but it usually makes
1436 sense, because it increases the chance of successful communication.
1437 IP addresses are owned by the complete host on Linux, not by
1438 particular interfaces. Only for more complex setups like load-
1439 balancing, does this behaviour cause problems.
1440
1441 arp_filter for the interface will be enabled if at least one of
1442 conf/{all,interface}/arp_filter is set to TRUE,
1443 it will be disabled otherwise
1444
1445arp_announce - INTEGER
1446 Define different restriction levels for announcing the local
1447 source IP address from IP packets in ARP requests sent on
1448 interface:
1449
1450 - 0 - (default) Use any local address, configured on any interface
1451 - 1 - Try to avoid local addresses that are not in the target's
1452 subnet for this interface. This mode is useful when target
1453 hosts reachable via this interface require the source IP
1454 address in ARP requests to be part of their logical network
1455 configured on the receiving interface. When we generate the
1456 request we will check all our subnets that include the
1457 target IP and will preserve the source address if it is from
1458 such subnet. If there is no such subnet we select source
1459 address according to the rules for level 2.
1460 - 2 - Always use the best local address for this target.
1461 In this mode we ignore the source address in the IP packet
1462 and try to select local address that we prefer for talks with
1463 the target host. Such local address is selected by looking
1464 for primary IP addresses on all our subnets on the outgoing
1465 interface that include the target IP address. If no suitable
1466 local address is found we select the first local address
1467 we have on the outgoing interface or on all other interfaces,
1468 with the hope we will receive reply for our request and
1469 even sometimes no matter the source IP address we announce.
1470
1471 The max value from conf/{all,interface}/arp_announce is used.
1472
1473 Increasing the restriction level gives more chance for
1474 receiving answer from the resolved target while decreasing
1475 the level announces more valid sender's information.
1476
1477arp_ignore - INTEGER
1478 Define different modes for sending replies in response to
1479 received ARP requests that resolve local target IP addresses:
1480
1481 - 0 - (default): reply for any local target IP address, configured
1482 on any interface
1483 - 1 - reply only if the target IP address is local address
1484 configured on the incoming interface
1485 - 2 - reply only if the target IP address is local address
1486 configured on the incoming interface and both with the
1487 sender's IP address are part from same subnet on this interface
1488 - 3 - do not reply for local addresses configured with scope host,
1489 only resolutions for global and link addresses are replied
1490 - 4-7 - reserved
1491 - 8 - do not reply for all local addresses
1492
1493 The max value from conf/{all,interface}/arp_ignore is used
1494 when ARP request is received on the {interface}
1495
1496arp_notify - BOOLEAN
1497 Define mode for notification of address and device changes.
1498
1499 == ==========================================================
1500 0 (default): do nothing
1501 1 Generate gratuitous arp requests when device is brought up
1502 or hardware address changes.
1503 == ==========================================================
1504
1505arp_accept - BOOLEAN
1506 Define behavior for gratuitous ARP frames who's IP is not
1507 already present in the ARP table:
1508
1509 - 0 - don't create new entries in the ARP table
1510 - 1 - create new entries in the ARP table
1511
1512 Both replies and requests type gratuitous arp will trigger the
1513 ARP table to be updated, if this setting is on.
1514
1515 If the ARP table already contains the IP address of the
1516 gratuitous arp frame, the arp table will be updated regardless
1517 if this setting is on or off.
1518
1519mcast_solicit - INTEGER
1520 The maximum number of multicast probes in INCOMPLETE state,
1521 when the associated hardware address is unknown. Defaults
1522 to 3.
1523
1524ucast_solicit - INTEGER
1525 The maximum number of unicast probes in PROBE state, when
1526 the hardware address is being reconfirmed. Defaults to 3.
1527
1528app_solicit - INTEGER
1529 The maximum number of probes to send to the user space ARP daemon
1530 via netlink before dropping back to multicast probes (see
1531 mcast_resolicit). Defaults to 0.
1532
1533mcast_resolicit - INTEGER
1534 The maximum number of multicast probes after unicast and
1535 app probes in PROBE state. Defaults to 0.
1536
1537disable_policy - BOOLEAN
1538 Disable IPSEC policy (SPD) for this interface
1539
1540disable_xfrm - BOOLEAN
1541 Disable IPSEC encryption on this interface, whatever the policy
1542
1543igmpv2_unsolicited_report_interval - INTEGER
1544 The interval in milliseconds in which the next unsolicited
1545 IGMPv1 or IGMPv2 report retransmit will take place.
1546
1547 Default: 10000 (10 seconds)
1548
1549igmpv3_unsolicited_report_interval - INTEGER
1550 The interval in milliseconds in which the next unsolicited
1551 IGMPv3 report retransmit will take place.
1552
1553 Default: 1000 (1 seconds)
1554
1555promote_secondaries - BOOLEAN
1556 When a primary IP address is removed from this interface
1557 promote a corresponding secondary IP address instead of
1558 removing all the corresponding secondary IP addresses.
1559
1560drop_unicast_in_l2_multicast - BOOLEAN
1561 Drop any unicast IP packets that are received in link-layer
1562 multicast (or broadcast) frames.
1563
1564 This behavior (for multicast) is actually a SHOULD in RFC
1565 1122, but is disabled by default for compatibility reasons.
1566
1567 Default: off (0)
1568
1569drop_gratuitous_arp - BOOLEAN
1570 Drop all gratuitous ARP frames, for example if there's a known
1571 good ARP proxy on the network and such frames need not be used
1572 (or in the case of 802.11, must not be used to prevent attacks.)
1573
1574 Default: off (0)
1575
1576
1577tag - INTEGER
1578 Allows you to write a number, which can be used as required.
1579
1580 Default value is 0.
1581
1582xfrm4_gc_thresh - INTEGER
1583 (Obsolete since linux-4.14)
1584 The threshold at which we will start garbage collecting for IPv4
1585 destination cache entries. At twice this value the system will
1586 refuse new allocations.
1587
1588igmp_link_local_mcast_reports - BOOLEAN
1589 Enable IGMP reports for link local multicast groups in the
1590 224.0.0.X range.
1591
1592 Default TRUE
1593
1594Alexey Kuznetsov.
1595kuznet@ms2.inr.ac.ru
1596
1597Updated by:
1598
1599- Andi Kleen
1600 ak@muc.de
1601- Nicolas Delon
1602 delon.nicolas@wanadoo.fr
1603
1604
1605
1606
1607/proc/sys/net/ipv6/* Variables
1608==============================
1609
1610IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also
1611apply to IPv6 [XXX?].
1612
1613bindv6only - BOOLEAN
1614 Default value for IPV6_V6ONLY socket option,
1615 which restricts use of the IPv6 socket to IPv6 communication
1616 only.
1617
1618 - TRUE: disable IPv4-mapped address feature
1619 - FALSE: enable IPv4-mapped address feature
1620
1621 Default: FALSE (as specified in RFC3493)
1622
1623flowlabel_consistency - BOOLEAN
1624 Protect the consistency (and unicity) of flow label.
1625 You have to disable it to use IPV6_FL_F_REFLECT flag on the
1626 flow label manager.
1627
1628 - TRUE: enabled
1629 - FALSE: disabled
1630
1631 Default: TRUE
1632
1633auto_flowlabels - INTEGER
1634 Automatically generate flow labels based on a flow hash of the
1635 packet. This allows intermediate devices, such as routers, to
1636 identify packet flows for mechanisms like Equal Cost Multipath
1637 Routing (see RFC 6438).
1638
1639 = ===========================================================
1640 0 automatic flow labels are completely disabled
1641 1 automatic flow labels are enabled by default, they can be
1642 disabled on a per socket basis using the IPV6_AUTOFLOWLABEL
1643 socket option
1644 2 automatic flow labels are allowed, they may be enabled on a
1645 per socket basis using the IPV6_AUTOFLOWLABEL socket option
1646 3 automatic flow labels are enabled and enforced, they cannot
1647 be disabled by the socket option
1648 = ===========================================================
1649
1650 Default: 1
1651
1652flowlabel_state_ranges - BOOLEAN
1653 Split the flow label number space into two ranges. 0-0x7FFFF is
1654 reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF
1655 is reserved for stateless flow labels as described in RFC6437.
1656
1657 - TRUE: enabled
1658 - FALSE: disabled
1659
1660 Default: true
1661
1662flowlabel_reflect - INTEGER
1663 Control flow label reflection. Needed for Path MTU
1664 Discovery to work with Equal Cost Multipath Routing in anycast
1665 environments. See RFC 7690 and:
1666 https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01
1667
1668 This is a bitmask.
1669
1670 - 1: enabled for established flows
1671
1672 Note that this prevents automatic flowlabel changes, as done
1673 in "tcp: change IPv6 flow-label upon receiving spurious retransmission"
1674 and "tcp: Change txhash on every SYN and RTO retransmit"
1675
1676 - 2: enabled for TCP RESET packets (no active listener)
1677 If set, a RST packet sent in response to a SYN packet on a closed
1678 port will reflect the incoming flow label.
1679
1680 - 4: enabled for ICMPv6 echo reply messages.
1681
1682 Default: 0
1683
1684fib_multipath_hash_policy - INTEGER
1685 Controls which hash policy to use for multipath routes.
1686
1687 Default: 0 (Layer 3)
1688
1689 Possible values:
1690
1691 - 0 - Layer 3 (source and destination addresses plus flow label)
1692 - 1 - Layer 4 (standard 5-tuple)
1693 - 2 - Layer 3 or inner Layer 3 if present
1694
1695anycast_src_echo_reply - BOOLEAN
1696 Controls the use of anycast addresses as source addresses for ICMPv6
1697 echo reply
1698
1699 - TRUE: enabled
1700 - FALSE: disabled
1701
1702 Default: FALSE
1703
1704idgen_delay - INTEGER
1705 Controls the delay in seconds after which time to retry
1706 privacy stable address generation if a DAD conflict is
1707 detected.
1708
1709 Default: 1 (as specified in RFC7217)
1710
1711idgen_retries - INTEGER
1712 Controls the number of retries to generate a stable privacy
1713 address if a DAD conflict is detected.
1714
1715 Default: 3 (as specified in RFC7217)
1716
1717mld_qrv - INTEGER
1718 Controls the MLD query robustness variable (see RFC3810 9.1).
1719
1720 Default: 2 (as specified by RFC3810 9.1)
1721
1722 Minimum: 1 (as specified by RFC6636 4.5)
1723
1724max_dst_opts_number - INTEGER
1725 Maximum number of non-padding TLVs allowed in a Destination
1726 options extension header. If this value is less than zero
1727 then unknown options are disallowed and the number of known
1728 TLVs allowed is the absolute value of this number.
1729
1730 Default: 8
1731
1732max_hbh_opts_number - INTEGER
1733 Maximum number of non-padding TLVs allowed in a Hop-by-Hop
1734 options extension header. If this value is less than zero
1735 then unknown options are disallowed and the number of known
1736 TLVs allowed is the absolute value of this number.
1737
1738 Default: 8
1739
1740max_dst_opts_length - INTEGER
1741 Maximum length allowed for a Destination options extension
1742 header.
1743
1744 Default: INT_MAX (unlimited)
1745
1746max_hbh_length - INTEGER
1747 Maximum length allowed for a Hop-by-Hop options extension
1748 header.
1749
1750 Default: INT_MAX (unlimited)
1751
1752skip_notify_on_dev_down - BOOLEAN
1753 Controls whether an RTM_DELROUTE message is generated for routes
1754 removed when a device is taken down or deleted. IPv4 does not
1755 generate this message; IPv6 does by default. Setting this sysctl
1756 to true skips the message, making IPv4 and IPv6 on par in relying
1757 on userspace caches to track link events and evict routes.
1758
1759 Default: false (generate message)
1760
1761nexthop_compat_mode - BOOLEAN
1762 New nexthop API provides a means for managing nexthops independent of
1763 prefixes. Backwards compatibilty with old route format is enabled by
1764 default which means route dumps and notifications contain the new
1765 nexthop attribute but also the full, expanded nexthop definition.
1766 Further, updates or deletes of a nexthop configuration generate route
1767 notifications for each fib entry using the nexthop. Once a system
1768 understands the new API, this sysctl can be disabled to achieve full
1769 performance benefits of the new API by disabling the nexthop expansion
1770 and extraneous notifications.
1771 Default: true (backward compat mode)
1772
1773IPv6 Fragmentation:
1774
1775ip6frag_high_thresh - INTEGER
1776 Maximum memory used to reassemble IPv6 fragments. When
1777 ip6frag_high_thresh bytes of memory is allocated for this purpose,
1778 the fragment handler will toss packets until ip6frag_low_thresh
1779 is reached.
1780
1781ip6frag_low_thresh - INTEGER
1782 See ip6frag_high_thresh
1783
1784ip6frag_time - INTEGER
1785 Time in seconds to keep an IPv6 fragment in memory.
1786
1787IPv6 Segment Routing:
1788
1789seg6_flowlabel - INTEGER
1790 Controls the behaviour of computing the flowlabel of outer
1791 IPv6 header in case of SR T.encaps
1792
1793 == =======================================================
1794 -1 set flowlabel to zero.
1795 0 copy flowlabel from Inner packet in case of Inner IPv6
1796 (Set flowlabel to 0 in case IPv4/L2)
1797 1 Compute the flowlabel using seg6_make_flowlabel()
1798 == =======================================================
1799
1800 Default is 0.
1801
1802``conf/default/*``:
1803 Change the interface-specific default settings.
1804
1805
1806``conf/all/*``:
1807 Change all the interface-specific settings.
1808
1809 [XXX: Other special features than forwarding?]
1810
1811conf/all/forwarding - BOOLEAN
1812 Enable global IPv6 forwarding between all interfaces.
1813
1814 IPv4 and IPv6 work differently here; e.g. netfilter must be used
1815 to control which interfaces may forward packets and which not.
1816
1817 This also sets all interfaces' Host/Router setting
1818 'forwarding' to the specified value. See below for details.
1819
1820 This referred to as global forwarding.
1821
1822proxy_ndp - BOOLEAN
1823 Do proxy ndp.
1824
1825fwmark_reflect - BOOLEAN
1826 Controls the fwmark of kernel-generated IPv6 reply packets that are not
1827 associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
1828 If unset, these packets have a fwmark of zero. If set, they have the
1829 fwmark of the packet they are replying to.
1830
1831 Default: 0
1832
1833``conf/interface/*``:
1834 Change special settings per interface.
1835
1836 The functional behaviour for certain settings is different
1837 depending on whether local forwarding is enabled or not.
1838
1839accept_ra - INTEGER
1840 Accept Router Advertisements; autoconfigure using them.
1841
1842 It also determines whether or not to transmit Router
1843 Solicitations. If and only if the functional setting is to
1844 accept Router Advertisements, Router Solicitations will be
1845 transmitted.
1846
1847 Possible values are:
1848
1849 == ===========================================================
1850 0 Do not accept Router Advertisements.
1851 1 Accept Router Advertisements if forwarding is disabled.
1852 2 Overrule forwarding behaviour. Accept Router Advertisements
1853 even if forwarding is enabled.
1854 == ===========================================================
1855
1856 Functional default:
1857
1858 - enabled if local forwarding is disabled.
1859 - disabled if local forwarding is enabled.
1860
1861accept_ra_defrtr - BOOLEAN
1862 Learn default router in Router Advertisement.
1863
1864 Functional default:
1865
1866 - enabled if accept_ra is enabled.
1867 - disabled if accept_ra is disabled.
1868
1869accept_ra_from_local - BOOLEAN
1870 Accept RA with source-address that is found on local machine
1871 if the RA is otherwise proper and able to be accepted.
1872
1873 Default is to NOT accept these as it may be an un-intended
1874 network loop.
1875
1876 Functional default:
1877
1878 - enabled if accept_ra_from_local is enabled
1879 on a specific interface.
1880 - disabled if accept_ra_from_local is disabled
1881 on a specific interface.
1882
1883accept_ra_min_hop_limit - INTEGER
1884 Minimum hop limit Information in Router Advertisement.
1885
1886 Hop limit Information in Router Advertisement less than this
1887 variable shall be ignored.
1888
1889 Default: 1
1890
1891accept_ra_pinfo - BOOLEAN
1892 Learn Prefix Information in Router Advertisement.
1893
1894 Functional default:
1895
1896 - enabled if accept_ra is enabled.
1897 - disabled if accept_ra is disabled.
1898
1899accept_ra_rt_info_min_plen - INTEGER
1900 Minimum prefix length of Route Information in RA.
1901
1902 Route Information w/ prefix smaller than this variable shall
1903 be ignored.
1904
1905 Functional default:
1906
1907 * 0 if accept_ra_rtr_pref is enabled.
1908 * -1 if accept_ra_rtr_pref is disabled.
1909
1910accept_ra_rt_info_max_plen - INTEGER
1911 Maximum prefix length of Route Information in RA.
1912
1913 Route Information w/ prefix larger than this variable shall
1914 be ignored.
1915
1916 Functional default:
1917
1918 * 0 if accept_ra_rtr_pref is enabled.
1919 * -1 if accept_ra_rtr_pref is disabled.
1920
1921accept_ra_rtr_pref - BOOLEAN
1922 Accept Router Preference in RA.
1923
1924 Functional default:
1925
1926 - enabled if accept_ra is enabled.
1927 - disabled if accept_ra is disabled.
1928
1929accept_ra_mtu - BOOLEAN
1930 Apply the MTU value specified in RA option 5 (RFC4861). If
1931 disabled, the MTU specified in the RA will be ignored.
1932
1933 Functional default:
1934
1935 - enabled if accept_ra is enabled.
1936 - disabled if accept_ra is disabled.
1937
1938accept_redirects - BOOLEAN
1939 Accept Redirects.
1940
1941 Functional default:
1942
1943 - enabled if local forwarding is disabled.
1944 - disabled if local forwarding is enabled.
1945
1946accept_source_route - INTEGER
1947 Accept source routing (routing extension header).
1948
1949 - >= 0: Accept only routing header type 2.
1950 - < 0: Do not accept routing header.
1951
1952 Default: 0
1953
1954autoconf - BOOLEAN
1955 Autoconfigure addresses using Prefix Information in Router
1956 Advertisements.
1957
1958 Functional default:
1959
1960 - enabled if accept_ra_pinfo is enabled.
1961 - disabled if accept_ra_pinfo is disabled.
1962
1963dad_transmits - INTEGER
1964 The amount of Duplicate Address Detection probes to send.
1965
1966 Default: 1
1967
1968forwarding - INTEGER
1969 Configure interface-specific Host/Router behaviour.
1970
1971 .. note::
1972
1973 It is recommended to have the same setting on all
1974 interfaces; mixed router/host scenarios are rather uncommon.
1975
1976 Possible values are:
1977
1978 - 0 Forwarding disabled
1979 - 1 Forwarding enabled
1980
1981 **FALSE (0)**:
1982
1983 By default, Host behaviour is assumed. This means:
1984
1985 1. IsRouter flag is not set in Neighbour Advertisements.
1986 2. If accept_ra is TRUE (default), transmit Router
1987 Solicitations.
1988 3. If accept_ra is TRUE (default), accept Router
1989 Advertisements (and do autoconfiguration).
1990 4. If accept_redirects is TRUE (default), accept Redirects.
1991
1992 **TRUE (1)**:
1993
1994 If local forwarding is enabled, Router behaviour is assumed.
1995 This means exactly the reverse from the above:
1996
1997 1. IsRouter flag is set in Neighbour Advertisements.
1998 2. Router Solicitations are not sent unless accept_ra is 2.
1999 3. Router Advertisements are ignored unless accept_ra is 2.
2000 4. Redirects are ignored.
2001
2002 Default: 0 (disabled) if global forwarding is disabled (default),
2003 otherwise 1 (enabled).
2004
2005hop_limit - INTEGER
2006 Default Hop Limit to set.
2007
2008 Default: 64
2009
2010mtu - INTEGER
2011 Default Maximum Transfer Unit
2012
2013 Default: 1280 (IPv6 required minimum)
2014
2015ip_nonlocal_bind - BOOLEAN
2016 If set, allows processes to bind() to non-local IPv6 addresses,
2017 which can be quite useful - but may break some applications.
2018
2019 Default: 0
2020
2021router_probe_interval - INTEGER
2022 Minimum interval (in seconds) between Router Probing described
2023 in RFC4191.
2024
2025 Default: 60
2026
2027router_solicitation_delay - INTEGER
2028 Number of seconds to wait after interface is brought up
2029 before sending Router Solicitations.
2030
2031 Default: 1
2032
2033router_solicitation_interval - INTEGER
2034 Number of seconds to wait between Router Solicitations.
2035
2036 Default: 4
2037
2038router_solicitations - INTEGER
2039 Number of Router Solicitations to send until assuming no
2040 routers are present.
2041
2042 Default: 3
2043
2044use_oif_addrs_only - BOOLEAN
2045 When enabled, the candidate source addresses for destinations
2046 routed via this interface are restricted to the set of addresses
2047 configured on this interface (vis. RFC 6724, section 4).
2048
2049 Default: false
2050
2051use_tempaddr - INTEGER
2052 Preference for Privacy Extensions (RFC3041).
2053
2054 * <= 0 : disable Privacy Extensions
2055 * == 1 : enable Privacy Extensions, but prefer public
2056 addresses over temporary addresses.
2057 * > 1 : enable Privacy Extensions and prefer temporary
2058 addresses over public addresses.
2059
2060 Default:
2061
2062 * 0 (for most devices)
2063 * -1 (for point-to-point devices and loopback devices)
2064
2065temp_valid_lft - INTEGER
2066 valid lifetime (in seconds) for temporary addresses.
2067
2068 Default: 172800 (2 days)
2069
2070temp_prefered_lft - INTEGER
2071 Preferred lifetime (in seconds) for temporary addresses.
2072
2073 Default: 86400 (1 day)
2074
2075keep_addr_on_down - INTEGER
2076 Keep all IPv6 addresses on an interface down event. If set static
2077 global addresses with no expiration time are not flushed.
2078
2079 * >0 : enabled
2080 * 0 : system default
2081 * <0 : disabled
2082
2083 Default: 0 (addresses are removed)
2084
2085max_desync_factor - INTEGER
2086 Maximum value for DESYNC_FACTOR, which is a random value
2087 that ensures that clients don't synchronize with each
2088 other and generate new addresses at exactly the same time.
2089 value is in seconds.
2090
2091 Default: 600
2092
2093regen_max_retry - INTEGER
2094 Number of attempts before give up attempting to generate
2095 valid temporary addresses.
2096
2097 Default: 5
2098
2099max_addresses - INTEGER
2100 Maximum number of autoconfigured addresses per interface. Setting
2101 to zero disables the limitation. It is not recommended to set this
2102 value too large (or to zero) because it would be an easy way to
2103 crash the kernel by allowing too many addresses to be created.
2104
2105 Default: 16
2106
2107disable_ipv6 - BOOLEAN
2108 Disable IPv6 operation. If accept_dad is set to 2, this value
2109 will be dynamically set to TRUE if DAD fails for the link-local
2110 address.
2111
2112 Default: FALSE (enable IPv6 operation)
2113
2114 When this value is changed from 1 to 0 (IPv6 is being enabled),
2115 it will dynamically create a link-local address on the given
2116 interface and start Duplicate Address Detection, if necessary.
2117
2118 When this value is changed from 0 to 1 (IPv6 is being disabled),
2119 it will dynamically delete all addresses and routes on the given
2120 interface. From now on it will not possible to add addresses/routes
2121 to the selected interface.
2122
2123accept_dad - INTEGER
2124 Whether to accept DAD (Duplicate Address Detection).
2125
2126 == ==============================================================
2127 0 Disable DAD
2128 1 Enable DAD (default)
2129 2 Enable DAD, and disable IPv6 operation if MAC-based duplicate
2130 link-local address has been found.
2131 == ==============================================================
2132
2133 DAD operation and mode on a given interface will be selected according
2134 to the maximum value of conf/{all,interface}/accept_dad.
2135
2136force_tllao - BOOLEAN
2137 Enable sending the target link-layer address option even when
2138 responding to a unicast neighbor solicitation.
2139
2140 Default: FALSE
2141
2142 Quoting from RFC 2461, section 4.4, Target link-layer address:
2143
2144 "The option MUST be included for multicast solicitations in order to
2145 avoid infinite Neighbor Solicitation "recursion" when the peer node
2146 does not have a cache entry to return a Neighbor Advertisements
2147 message. When responding to unicast solicitations, the option can be
2148 omitted since the sender of the solicitation has the correct link-
2149 layer address; otherwise it would not have be able to send the unicast
2150 solicitation in the first place. However, including the link-layer
2151 address in this case adds little overhead and eliminates a potential
2152 race condition where the sender deletes the cached link-layer address
2153 prior to receiving a response to a previous solicitation."
2154
2155ndisc_notify - BOOLEAN
2156 Define mode for notification of address and device changes.
2157
2158 * 0 - (default): do nothing
2159 * 1 - Generate unsolicited neighbour advertisements when device is brought
2160 up or hardware address changes.
2161
2162ndisc_tclass - INTEGER
2163 The IPv6 Traffic Class to use by default when sending IPv6 Neighbor
2164 Discovery (Router Solicitation, Router Advertisement, Neighbor
2165 Solicitation, Neighbor Advertisement, Redirect) messages.
2166 These 8 bits can be interpreted as 6 high order bits holding the DSCP
2167 value and 2 low order bits representing ECN (which you probably want
2168 to leave cleared).
2169
2170 * 0 - (default)
2171
2172mldv1_unsolicited_report_interval - INTEGER
2173 The interval in milliseconds in which the next unsolicited
2174 MLDv1 report retransmit will take place.
2175
2176 Default: 10000 (10 seconds)
2177
2178mldv2_unsolicited_report_interval - INTEGER
2179 The interval in milliseconds in which the next unsolicited
2180 MLDv2 report retransmit will take place.
2181
2182 Default: 1000 (1 second)
2183
2184force_mld_version - INTEGER
2185 * 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed
2186 * 1 - Enforce to use MLD version 1
2187 * 2 - Enforce to use MLD version 2
2188
2189suppress_frag_ndisc - INTEGER
2190 Control RFC 6980 (Security Implications of IPv6 Fragmentation
2191 with IPv6 Neighbor Discovery) behavior:
2192
2193 * 1 - (default) discard fragmented neighbor discovery packets
2194 * 0 - allow fragmented neighbor discovery packets
2195
2196optimistic_dad - BOOLEAN
2197 Whether to perform Optimistic Duplicate Address Detection (RFC 4429).
2198
2199 * 0: disabled (default)
2200 * 1: enabled
2201
2202 Optimistic Duplicate Address Detection for the interface will be enabled
2203 if at least one of conf/{all,interface}/optimistic_dad is set to 1,
2204 it will be disabled otherwise.
2205
2206use_optimistic - BOOLEAN
2207 If enabled, do not classify optimistic addresses as deprecated during
2208 source address selection. Preferred addresses will still be chosen
2209 before optimistic addresses, subject to other ranking in the source
2210 address selection algorithm.
2211
2212 * 0: disabled (default)
2213 * 1: enabled
2214
2215 This will be enabled if at least one of
2216 conf/{all,interface}/use_optimistic is set to 1, disabled otherwise.
2217
2218stable_secret - IPv6 address
2219 This IPv6 address will be used as a secret to generate IPv6
2220 addresses for link-local addresses and autoconfigured
2221 ones. All addresses generated after setting this secret will
2222 be stable privacy ones by default. This can be changed via the
2223 addrgenmode ip-link. conf/default/stable_secret is used as the
2224 secret for the namespace, the interface specific ones can
2225 overwrite that. Writes to conf/all/stable_secret are refused.
2226
2227 It is recommended to generate this secret during installation
2228 of a system and keep it stable after that.
2229
2230 By default the stable secret is unset.
2231
2232addr_gen_mode - INTEGER
2233 Defines how link-local and autoconf addresses are generated.
2234
2235 = =================================================================
2236 0 generate address based on EUI64 (default)
2237 1 do no generate a link-local address, use EUI64 for addresses
2238 generated from autoconf
2239 2 generate stable privacy addresses, using the secret from
2240 stable_secret (RFC7217)
2241 3 generate stable privacy addresses, using a random secret if unset
2242 = =================================================================
2243
2244drop_unicast_in_l2_multicast - BOOLEAN
2245 Drop any unicast IPv6 packets that are received in link-layer
2246 multicast (or broadcast) frames.
2247
2248 By default this is turned off.
2249
2250drop_unsolicited_na - BOOLEAN
2251 Drop all unsolicited neighbor advertisements, for example if there's
2252 a known good NA proxy on the network and such frames need not be used
2253 (or in the case of 802.11, must not be used to prevent attacks.)
2254
2255 By default this is turned off.
2256
2257enhanced_dad - BOOLEAN
2258 Include a nonce option in the IPv6 neighbor solicitation messages used for
2259 duplicate address detection per RFC7527. A received DAD NS will only signal
2260 a duplicate address if the nonce is different. This avoids any false
2261 detection of duplicates due to loopback of the NS messages that we send.
2262 The nonce option will be sent on an interface unless both of
2263 conf/{all,interface}/enhanced_dad are set to FALSE.
2264
2265 Default: TRUE
2266
2267``icmp/*``:
2268===========
2269
2270ratelimit - INTEGER
2271 Limit the maximal rates for sending ICMPv6 messages.
2272
2273 0 to disable any limiting,
2274 otherwise the minimal space between responses in milliseconds.
2275
2276 Default: 1000
2277
2278ratemask - list of comma separated ranges
2279 For ICMPv6 message types matching the ranges in the ratemask, limit
2280 the sending of the message according to ratelimit parameter.
2281
2282 The format used for both input and output is a comma separated
2283 list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and
2284 129). Writing to the file will clear all previous ranges of ICMPv6
2285 message types and update the current list with the input.
2286
2287 Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
2288 for numerical values of ICMPv6 message types, e.g. echo request is 128
2289 and echo reply is 129.
2290
2291 Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)
2292
2293echo_ignore_all - BOOLEAN
2294 If set non-zero, then the kernel will ignore all ICMP ECHO
2295 requests sent to it over the IPv6 protocol.
2296
2297 Default: 0
2298
2299echo_ignore_multicast - BOOLEAN
2300 If set non-zero, then the kernel will ignore all ICMP ECHO
2301 requests sent to it over the IPv6 protocol via multicast.
2302
2303 Default: 0
2304
2305echo_ignore_anycast - BOOLEAN
2306 If set non-zero, then the kernel will ignore all ICMP ECHO
2307 requests sent to it over the IPv6 protocol destined to anycast address.
2308
2309 Default: 0
2310
2311xfrm6_gc_thresh - INTEGER
2312 (Obsolete since linux-4.14)
2313 The threshold at which we will start garbage collecting for IPv6
2314 destination cache entries. At twice this value the system will
2315 refuse new allocations.
2316
2317
2318IPv6 Update by:
2319Pekka Savola <pekkas@netcore.fi>
2320YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org>
2321
2322
2323/proc/sys/net/bridge/* Variables:
2324=================================
2325
2326bridge-nf-call-arptables - BOOLEAN
2327 - 1 : pass bridged ARP traffic to arptables' FORWARD chain.
2328 - 0 : disable this.
2329
2330 Default: 1
2331
2332bridge-nf-call-iptables - BOOLEAN
2333 - 1 : pass bridged IPv4 traffic to iptables' chains.
2334 - 0 : disable this.
2335
2336 Default: 1
2337
2338bridge-nf-call-ip6tables - BOOLEAN
2339 - 1 : pass bridged IPv6 traffic to ip6tables' chains.
2340 - 0 : disable this.
2341
2342 Default: 1
2343
2344bridge-nf-filter-vlan-tagged - BOOLEAN
2345 - 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
2346 - 0 : disable this.
2347
2348 Default: 0
2349
2350bridge-nf-filter-pppoe-tagged - BOOLEAN
2351 - 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
2352 - 0 : disable this.
2353
2354 Default: 0
2355
2356bridge-nf-pass-vlan-input-dev - BOOLEAN
2357 - 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
2358 interface on the bridge and set the netfilter input device to the
2359 vlan. This allows use of e.g. "iptables -i br0.1" and makes the
2360 REDIRECT target work with vlan-on-top-of-bridge interfaces. When no
2361 matching vlan interface is found, or this switch is off, the input
2362 device is set to the bridge interface.
2363
2364 - 0: disable bridge netfilter vlan interface lookup.
2365
2366 Default: 0
2367
2368``proc/sys/net/sctp/*`` Variables:
2369==================================
2370
2371addip_enable - BOOLEAN
2372 Enable or disable extension of Dynamic Address Reconfiguration
2373 (ADD-IP) functionality specified in RFC5061. This extension provides
2374 the ability to dynamically add and remove new addresses for the SCTP
2375 associations.
2376
2377 1: Enable extension.
2378
2379 0: Disable extension.
2380
2381 Default: 0
2382
2383pf_enable - INTEGER
2384 Enable or disable pf (pf is short for potentially failed) state. A value
2385 of pf_retrans > path_max_retrans also disables pf state. That is, one of
2386 both pf_enable and pf_retrans > path_max_retrans can disable pf state.
2387 Since pf_retrans and path_max_retrans can be changed by userspace
2388 application, sometimes user expects to disable pf state by the value of
2389 pf_retrans > path_max_retrans, but occasionally the value of pf_retrans
2390 or path_max_retrans is changed by the user application, this pf state is
2391 enabled. As such, it is necessary to add this to dynamically enable
2392 and disable pf state. See:
2393 https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for
2394 details.
2395
2396 1: Enable pf.
2397
2398 0: Disable pf.
2399
2400 Default: 1
2401
2402pf_expose - INTEGER
2403 Unset or enable/disable pf (pf is short for potentially failed) state
2404 exposure. Applications can control the exposure of the PF path state
2405 in the SCTP_PEER_ADDR_CHANGE event and the SCTP_GET_PEER_ADDR_INFO
2406 sockopt. When it's unset, no SCTP_PEER_ADDR_CHANGE event with
2407 SCTP_ADDR_PF state will be sent and a SCTP_PF-state transport info
2408 can be got via SCTP_GET_PEER_ADDR_INFO sockopt; When it's enabled,
2409 a SCTP_PEER_ADDR_CHANGE event will be sent for a transport becoming
2410 SCTP_PF state and a SCTP_PF-state transport info can be got via
2411 SCTP_GET_PEER_ADDR_INFO sockopt; When it's diabled, no
2412 SCTP_PEER_ADDR_CHANGE event will be sent and it returns -EACCES when
2413 trying to get a SCTP_PF-state transport info via SCTP_GET_PEER_ADDR_INFO
2414 sockopt.
2415
2416 0: Unset pf state exposure, Compatible with old applications.
2417
2418 1: Disable pf state exposure.
2419
2420 2: Enable pf state exposure.
2421
2422 Default: 0
2423
2424addip_noauth_enable - BOOLEAN
2425 Dynamic Address Reconfiguration (ADD-IP) requires the use of
2426 authentication to protect the operations of adding or removing new
2427 addresses. This requirement is mandated so that unauthorized hosts
2428 would not be able to hijack associations. However, older
2429 implementations may not have implemented this requirement while
2430 allowing the ADD-IP extension. For reasons of interoperability,
2431 we provide this variable to control the enforcement of the
2432 authentication requirement.
2433
2434 == ===============================================================
2435 1 Allow ADD-IP extension to be used without authentication. This
2436 should only be set in a closed environment for interoperability
2437 with older implementations.
2438
2439 0 Enforce the authentication requirement
2440 == ===============================================================
2441
2442 Default: 0
2443
2444auth_enable - BOOLEAN
2445 Enable or disable Authenticated Chunks extension. This extension
2446 provides the ability to send and receive authenticated chunks and is
2447 required for secure operation of Dynamic Address Reconfiguration
2448 (ADD-IP) extension.
2449
2450 - 1: Enable this extension.
2451 - 0: Disable this extension.
2452
2453 Default: 0
2454
2455prsctp_enable - BOOLEAN
2456 Enable or disable the Partial Reliability extension (RFC3758) which
2457 is used to notify peers that a given DATA should no longer be expected.
2458
2459 - 1: Enable extension
2460 - 0: Disable
2461
2462 Default: 1
2463
2464max_burst - INTEGER
2465 The limit of the number of new packets that can be initially sent. It
2466 controls how bursty the generated traffic can be.
2467
2468 Default: 4
2469
2470association_max_retrans - INTEGER
2471 Set the maximum number for retransmissions that an association can
2472 attempt deciding that the remote end is unreachable. If this value
2473 is exceeded, the association is terminated.
2474
2475 Default: 10
2476
2477max_init_retransmits - INTEGER
2478 The maximum number of retransmissions of INIT and COOKIE-ECHO chunks
2479 that an association will attempt before declaring the destination
2480 unreachable and terminating.
2481
2482 Default: 8
2483
2484path_max_retrans - INTEGER
2485 The maximum number of retransmissions that will be attempted on a given
2486 path. Once this threshold is exceeded, the path is considered
2487 unreachable, and new traffic will use a different path when the
2488 association is multihomed.
2489
2490 Default: 5
2491
2492pf_retrans - INTEGER
2493 The number of retransmissions that will be attempted on a given path
2494 before traffic is redirected to an alternate transport (should one
2495 exist). Note this is distinct from path_max_retrans, as a path that
2496 passes the pf_retrans threshold can still be used. Its only
2497 deprioritized when a transmission path is selected by the stack. This
2498 setting is primarily used to enable fast failover mechanisms without
2499 having to reduce path_max_retrans to a very low value. See:
2500 http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt
2501 for details. Note also that a value of pf_retrans > path_max_retrans
2502 disables this feature. Since both pf_retrans and path_max_retrans can
2503 be changed by userspace application, a variable pf_enable is used to
2504 disable pf state.
2505
2506 Default: 0
2507
2508ps_retrans - INTEGER
2509 Primary.Switchover.Max.Retrans (PSMR), it's a tunable parameter coming
2510 from section-5 "Primary Path Switchover" in rfc7829. The primary path
2511 will be changed to another active path when the path error counter on
2512 the old primary path exceeds PSMR, so that "the SCTP sender is allowed
2513 to continue data transmission on a new working path even when the old
2514 primary destination address becomes active again". Note this feature
2515 is disabled by initializing 'ps_retrans' per netns as 0xffff by default,
2516 and its value can't be less than 'pf_retrans' when changing by sysctl.
2517
2518 Default: 0xffff
2519
2520rto_initial - INTEGER
2521 The initial round trip timeout value in milliseconds that will be used
2522 in calculating round trip times. This is the initial time interval
2523 for retransmissions.
2524
2525 Default: 3000
2526
2527rto_max - INTEGER
2528 The maximum value (in milliseconds) of the round trip timeout. This
2529 is the largest time interval that can elapse between retransmissions.
2530
2531 Default: 60000
2532
2533rto_min - INTEGER
2534 The minimum value (in milliseconds) of the round trip timeout. This
2535 is the smallest time interval the can elapse between retransmissions.
2536
2537 Default: 1000
2538
2539hb_interval - INTEGER
2540 The interval (in milliseconds) between HEARTBEAT chunks. These chunks
2541 are sent at the specified interval on idle paths to probe the state of
2542 a given path between 2 associations.
2543
2544 Default: 30000
2545
2546sack_timeout - INTEGER
2547 The amount of time (in milliseconds) that the implementation will wait
2548 to send a SACK.
2549
2550 Default: 200
2551
2552valid_cookie_life - INTEGER
2553 The default lifetime of the SCTP cookie (in milliseconds). The cookie
2554 is used during association establishment.
2555
2556 Default: 60000
2557
2558cookie_preserve_enable - BOOLEAN
2559 Enable or disable the ability to extend the lifetime of the SCTP cookie
2560 that is used during the establishment phase of SCTP association
2561
2562 - 1: Enable cookie lifetime extension.
2563 - 0: Disable
2564
2565 Default: 1
2566
2567cookie_hmac_alg - STRING
2568 Select the hmac algorithm used when generating the cookie value sent by
2569 a listening sctp socket to a connecting client in the INIT-ACK chunk.
2570 Valid values are:
2571
2572 * md5
2573 * sha1
2574 * none
2575
2576 Ability to assign md5 or sha1 as the selected alg is predicated on the
2577 configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and
2578 CONFIG_CRYPTO_SHA1).
2579
2580 Default: Dependent on configuration. MD5 if available, else SHA1 if
2581 available, else none.
2582
2583rcvbuf_policy - INTEGER
2584 Determines if the receive buffer is attributed to the socket or to
2585 association. SCTP supports the capability to create multiple
2586 associations on a single socket. When using this capability, it is
2587 possible that a single stalled association that's buffering a lot
2588 of data may block other associations from delivering their data by
2589 consuming all of the receive buffer space. To work around this,
2590 the rcvbuf_policy could be set to attribute the receiver buffer space
2591 to each association instead of the socket. This prevents the described
2592 blocking.
2593
2594 - 1: rcvbuf space is per association
2595 - 0: rcvbuf space is per socket
2596
2597 Default: 0
2598
2599sndbuf_policy - INTEGER
2600 Similar to rcvbuf_policy above, this applies to send buffer space.
2601
2602 - 1: Send buffer is tracked per association
2603 - 0: Send buffer is tracked per socket.
2604
2605 Default: 0
2606
2607sctp_mem - vector of 3 INTEGERs: min, pressure, max
2608 Number of pages allowed for queueing by all SCTP sockets.
2609
2610 min: Below this number of pages SCTP is not bothered about its
2611 memory appetite. When amount of memory allocated by SCTP exceeds
2612 this number, SCTP starts to moderate memory usage.
2613
2614 pressure: This value was introduced to follow format of tcp_mem.
2615
2616 max: Number of pages allowed for queueing by all SCTP sockets.
2617
2618 Default is calculated at boot time from amount of available memory.
2619
2620sctp_rmem - vector of 3 INTEGERs: min, default, max
2621 Only the first value ("min") is used, "default" and "max" are
2622 ignored.
2623
2624 min: Minimal size of receive buffer used by SCTP socket.
2625 It is guaranteed to each SCTP socket (but not association) even
2626 under moderate memory pressure.
2627
2628 Default: 4K
2629
2630sctp_wmem - vector of 3 INTEGERs: min, default, max
2631 Currently this tunable has no effect.
2632
2633addr_scope_policy - INTEGER
2634 Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00
2635
2636 - 0 - Disable IPv4 address scoping
2637 - 1 - Enable IPv4 address scoping
2638 - 2 - Follow draft but allow IPv4 private addresses
2639 - 3 - Follow draft but allow IPv4 link local addresses
2640
2641 Default: 1
2642
2643
2644``/proc/sys/net/core/*``
2645========================
2646
2647 Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries.
2648
2649
2650``/proc/sys/net/unix/*``
2651========================
2652
2653max_dgram_qlen - INTEGER
2654 The maximum length of dgram socket receive queue
2655
2656 Default: 10
2657