1/proc/sys/net/ipv4/* Variables: 2 3ip_forward - BOOLEAN 4 0 - disabled (default) 5 not 0 - enabled 6 7 Forward Packets between interfaces. 8 9 This variable is special, its change resets all configuration 10 parameters to their default state (RFC1122 for hosts, RFC1812 11 for routers) 12 13ip_default_ttl - INTEGER 14 Default value of TTL field (Time To Live) for outgoing (but not 15 forwarded) IP packets. Should be between 1 and 255 inclusive. 16 Default: 64 (as recommended by RFC1700) 17 18ip_no_pmtu_disc - INTEGER 19 Disable Path MTU Discovery. If enabled in mode 1 and a 20 fragmentation-required ICMP is received, the PMTU to this 21 destination will be set to min_pmtu (see below). You will need 22 to raise min_pmtu to the smallest interface MTU on your system 23 manually if you want to avoid locally generated fragments. 24 25 In mode 2 incoming Path MTU Discovery messages will be 26 discarded. Outgoing frames are handled the same as in mode 1, 27 implicitly setting IP_PMTUDISC_DONT on every created socket. 28 29 Mode 3 is a hardened pmtu discover mode. The kernel will only 30 accept fragmentation-needed errors if the underlying protocol 31 can verify them besides a plain socket lookup. Current 32 protocols for which pmtu events will be honored are TCP, SCTP 33 and DCCP as they verify e.g. the sequence number or the 34 association. This mode should not be enabled globally but is 35 only intended to secure e.g. name servers in namespaces where 36 TCP path mtu must still work but path MTU information of other 37 protocols should be discarded. If enabled globally this mode 38 could break other protocols. 39 40 Possible values: 0-3 41 Default: FALSE 42 43min_pmtu - INTEGER 44 default 552 - minimum discovered Path MTU 45 46ip_forward_use_pmtu - BOOLEAN 47 By default we don't trust protocol path MTUs while forwarding 48 because they could be easily forged and can lead to unwanted 49 fragmentation by the router. 50 You only need to enable this if you have user-space software 51 which tries to discover path mtus by itself and depends on the 52 kernel honoring this information. This is normally not the 53 case. 54 Default: 0 (disabled) 55 Possible values: 56 0 - disabled 57 1 - enabled 58 59fwmark_reflect - BOOLEAN 60 Controls the fwmark of kernel-generated IPv4 reply packets that are not 61 associated with a socket for example, TCP RSTs or ICMP echo replies). 62 If unset, these packets have a fwmark of zero. If set, they have the 63 fwmark of the packet they are replying to. 64 Default: 0 65 66fib_multipath_use_neigh - BOOLEAN 67 Use status of existing neighbor entry when determining nexthop for 68 multipath routes. If disabled, neighbor information is not used and 69 packets could be directed to a failed nexthop. Only valid for kernels 70 built with CONFIG_IP_ROUTE_MULTIPATH enabled. 71 Default: 0 (disabled) 72 Possible values: 73 0 - disabled 74 1 - enabled 75 76fib_multipath_hash_policy - INTEGER 77 Controls which hash policy to use for multipath routes. Only valid 78 for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. 79 Default: 0 (Layer 3) 80 Possible values: 81 0 - Layer 3 82 1 - Layer 4 83 2 - Layer 3 or inner Layer 3 if present 84 85fib_sync_mem - UNSIGNED INTEGER 86 Amount of dirty memory from fib entries that can be backlogged before 87 synchronize_rcu is forced. 88 Default: 512kB Minimum: 64kB Maximum: 64MB 89 90ip_forward_update_priority - INTEGER 91 Whether to update SKB priority from "TOS" field in IPv4 header after it 92 is forwarded. The new SKB priority is mapped from TOS field value 93 according to an rt_tos2priority table (see e.g. man tc-prio). 94 Default: 1 (Update priority.) 95 Possible values: 96 0 - Do not update priority. 97 1 - Update priority. 98 99route/max_size - INTEGER 100 Maximum number of routes allowed in the kernel. Increase 101 this when using large numbers of interfaces and/or routes. 102 From linux kernel 3.6 onwards, this is deprecated for ipv4 103 as route cache is no longer used. 104 105neigh/default/gc_thresh1 - INTEGER 106 Minimum number of entries to keep. Garbage collector will not 107 purge entries if there are fewer than this number. 108 Default: 128 109 110neigh/default/gc_thresh2 - INTEGER 111 Threshold when garbage collector becomes more aggressive about 112 purging entries. Entries older than 5 seconds will be cleared 113 when over this number. 114 Default: 512 115 116neigh/default/gc_thresh3 - INTEGER 117 Maximum number of non-PERMANENT neighbor entries allowed. Increase 118 this when using large numbers of interfaces and when communicating 119 with large numbers of directly-connected peers. 120 Default: 1024 121 122neigh/default/unres_qlen_bytes - INTEGER 123 The maximum number of bytes which may be used by packets 124 queued for each unresolved address by other network layers. 125 (added in linux 3.3) 126 Setting negative value is meaningless and will return error. 127 Default: SK_WMEM_MAX, (same as net.core.wmem_default). 128 Exact value depends on architecture and kernel options, 129 but should be enough to allow queuing 256 packets 130 of medium size. 131 132neigh/default/unres_qlen - INTEGER 133 The maximum number of packets which may be queued for each 134 unresolved address by other network layers. 135 (deprecated in linux 3.3) : use unres_qlen_bytes instead. 136 Prior to linux 3.3, the default value is 3 which may cause 137 unexpected packet loss. The current default value is calculated 138 according to default value of unres_qlen_bytes and true size of 139 packet. 140 Default: 101 141 142mtu_expires - INTEGER 143 Time, in seconds, that cached PMTU information is kept. 144 145min_adv_mss - INTEGER 146 The advertised MSS depends on the first hop route MTU, but will 147 never be lower than this setting. 148 149IP Fragmentation: 150 151ipfrag_high_thresh - LONG INTEGER 152 Maximum memory used to reassemble IP fragments. 153 154ipfrag_low_thresh - LONG INTEGER 155 (Obsolete since linux-4.17) 156 Maximum memory used to reassemble IP fragments before the kernel 157 begins to remove incomplete fragment queues to free up resources. 158 The kernel still accepts new fragments for defragmentation. 159 160ipfrag_time - INTEGER 161 Time in seconds to keep an IP fragment in memory. 162 163ipfrag_max_dist - INTEGER 164 ipfrag_max_dist is a non-negative integer value which defines the 165 maximum "disorder" which is allowed among fragments which share a 166 common IP source address. Note that reordering of packets is 167 not unusual, but if a large number of fragments arrive from a source 168 IP address while a particular fragment queue remains incomplete, it 169 probably indicates that one or more fragments belonging to that queue 170 have been lost. When ipfrag_max_dist is positive, an additional check 171 is done on fragments before they are added to a reassembly queue - if 172 ipfrag_max_dist (or more) fragments have arrived from a particular IP 173 address between additions to any IP fragment queue using that source 174 address, it's presumed that one or more fragments in the queue are 175 lost. The existing fragment queue will be dropped, and a new one 176 started. An ipfrag_max_dist value of zero disables this check. 177 178 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can 179 result in unnecessarily dropping fragment queues when normal 180 reordering of packets occurs, which could lead to poor application 181 performance. Using a very large value, e.g. 50000, increases the 182 likelihood of incorrectly reassembling IP fragments that originate 183 from different IP datagrams, which could result in data corruption. 184 Default: 64 185 186INET peer storage: 187 188inet_peer_threshold - INTEGER 189 The approximate size of the storage. Starting from this threshold 190 entries will be thrown aggressively. This threshold also determines 191 entries' time-to-live and time intervals between garbage collection 192 passes. More entries, less time-to-live, less GC interval. 193 194inet_peer_minttl - INTEGER 195 Minimum time-to-live of entries. Should be enough to cover fragment 196 time-to-live on the reassembling side. This minimum time-to-live is 197 guaranteed if the pool size is less than inet_peer_threshold. 198 Measured in seconds. 199 200inet_peer_maxttl - INTEGER 201 Maximum time-to-live of entries. Unused entries will expire after 202 this period of time if there is no memory pressure on the pool (i.e. 203 when the number of entries in the pool is very small). 204 Measured in seconds. 205 206TCP variables: 207 208somaxconn - INTEGER 209 Limit of socket listen() backlog, known in userspace as SOMAXCONN. 210 Defaults to 4096. (Was 128 before linux-5.4) 211 See also tcp_max_syn_backlog for additional tuning for TCP sockets. 212 213tcp_abort_on_overflow - BOOLEAN 214 If listening service is too slow to accept new connections, 215 reset them. Default state is FALSE. It means that if overflow 216 occurred due to a burst, connection will recover. Enable this 217 option _only_ if you are really sure that listening daemon 218 cannot be tuned to accept connections faster. Enabling this 219 option can harm clients of your server. 220 221tcp_adv_win_scale - INTEGER 222 Count buffering overhead as bytes/2^tcp_adv_win_scale 223 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), 224 if it is <= 0. 225 Possible values are [-31, 31], inclusive. 226 Default: 1 227 228tcp_allowed_congestion_control - STRING 229 Show/set the congestion control choices available to non-privileged 230 processes. The list is a subset of those listed in 231 tcp_available_congestion_control. 232 Default is "reno" and the default setting (tcp_congestion_control). 233 234tcp_app_win - INTEGER 235 Reserve max(window/2^tcp_app_win, mss) of window for application 236 buffer. Value 0 is special, it means that nothing is reserved. 237 Default: 31 238 239tcp_autocorking - BOOLEAN 240 Enable TCP auto corking : 241 When applications do consecutive small write()/sendmsg() system calls, 242 we try to coalesce these small writes as much as possible, to lower 243 total amount of sent packets. This is done if at least one prior 244 packet for the flow is waiting in Qdisc queues or device transmit 245 queue. Applications can still use TCP_CORK for optimal behavior 246 when they know how/when to uncork their sockets. 247 Default : 1 248 249tcp_available_congestion_control - STRING 250 Shows the available congestion control choices that are registered. 251 More congestion control algorithms may be available as modules, 252 but not loaded. 253 254tcp_base_mss - INTEGER 255 The initial value of search_low to be used by the packetization layer 256 Path MTU discovery (MTU probing). If MTU probing is enabled, 257 this is the initial MSS used by the connection. 258 259tcp_mtu_probe_floor - INTEGER 260 If MTU probing is enabled this caps the minimum MSS used for search_low 261 for the connection. 262 263 Default : 48 264 265tcp_min_snd_mss - INTEGER 266 TCP SYN and SYNACK messages usually advertise an ADVMSS option, 267 as described in RFC 1122 and RFC 6691. 268 If this ADVMSS option is smaller than tcp_min_snd_mss, 269 it is silently capped to tcp_min_snd_mss. 270 271 Default : 48 (at least 8 bytes of payload per segment) 272 273tcp_congestion_control - STRING 274 Set the congestion control algorithm to be used for new 275 connections. The algorithm "reno" is always available, but 276 additional choices may be available based on kernel configuration. 277 Default is set as part of kernel configuration. 278 For passive connections, the listener congestion control choice 279 is inherited. 280 [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] 281 282tcp_dsack - BOOLEAN 283 Allows TCP to send "duplicate" SACKs. 284 285tcp_early_retrans - INTEGER 286 Tail loss probe (TLP) converts RTOs occurring due to tail 287 losses into fast recovery (draft-ietf-tcpm-rack). Note that 288 TLP requires RACK to function properly (see tcp_recovery below) 289 Possible values: 290 0 disables TLP 291 3 or 4 enables TLP 292 Default: 3 293 294tcp_ecn - INTEGER 295 Control use of Explicit Congestion Notification (ECN) by TCP. 296 ECN is used only when both ends of the TCP connection indicate 297 support for it. This feature is useful in avoiding losses due 298 to congestion by allowing supporting routers to signal 299 congestion before having to drop packets. 300 Possible values are: 301 0 Disable ECN. Neither initiate nor accept ECN. 302 1 Enable ECN when requested by incoming connections and 303 also request ECN on outgoing connection attempts. 304 2 Enable ECN when requested by incoming connections 305 but do not request ECN on outgoing connections. 306 Default: 2 307 308tcp_ecn_fallback - BOOLEAN 309 If the kernel detects that ECN connection misbehaves, enable fall 310 back to non-ECN. Currently, this knob implements the fallback 311 from RFC3168, section 6.1.1.1., but we reserve that in future, 312 additional detection mechanisms could be implemented under this 313 knob. The value is not used, if tcp_ecn or per route (or congestion 314 control) ECN settings are disabled. 315 Default: 1 (fallback enabled) 316 317tcp_fack - BOOLEAN 318 This is a legacy option, it has no effect anymore. 319 320tcp_fin_timeout - INTEGER 321 The length of time an orphaned (no longer referenced by any 322 application) connection will remain in the FIN_WAIT_2 state 323 before it is aborted at the local end. While a perfectly 324 valid "receive only" state for an un-orphaned connection, an 325 orphaned connection in FIN_WAIT_2 state could otherwise wait 326 forever for the remote to close its end of the connection. 327 Cf. tcp_max_orphans 328 Default: 60 seconds 329 330tcp_frto - INTEGER 331 Enables Forward RTO-Recovery (F-RTO) defined in RFC5682. 332 F-RTO is an enhanced recovery algorithm for TCP retransmission 333 timeouts. It is particularly beneficial in networks where the 334 RTT fluctuates (e.g., wireless). F-RTO is sender-side only 335 modification. It does not require any support from the peer. 336 337 By default it's enabled with a non-zero value. 0 disables F-RTO. 338 339tcp_fwmark_accept - BOOLEAN 340 If set, incoming connections to listening sockets that do not have a 341 socket mark will set the mark of the accepting socket to the fwmark of 342 the incoming SYN packet. This will cause all packets on that connection 343 (starting from the first SYNACK) to be sent with that fwmark. The 344 listening socket's mark is unchanged. Listening sockets that already 345 have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are 346 unaffected. 347 348 Default: 0 349 350tcp_invalid_ratelimit - INTEGER 351 Limit the maximal rate for sending duplicate acknowledgments 352 in response to incoming TCP packets that are for an existing 353 connection but that are invalid due to any of these reasons: 354 355 (a) out-of-window sequence number, 356 (b) out-of-window acknowledgment number, or 357 (c) PAWS (Protection Against Wrapped Sequence numbers) check failure 358 359 This can help mitigate simple "ack loop" DoS attacks, wherein 360 a buggy or malicious middlebox or man-in-the-middle can 361 rewrite TCP header fields in manner that causes each endpoint 362 to think that the other is sending invalid TCP segments, thus 363 causing each side to send an unterminating stream of duplicate 364 acknowledgments for invalid segments. 365 366 Using 0 disables rate-limiting of dupacks in response to 367 invalid segments; otherwise this value specifies the minimal 368 space between sending such dupacks, in milliseconds. 369 370 Default: 500 (milliseconds). 371 372tcp_keepalive_time - INTEGER 373 How often TCP sends out keepalive messages when keepalive is enabled. 374 Default: 2hours. 375 376tcp_keepalive_probes - INTEGER 377 How many keepalive probes TCP sends out, until it decides that the 378 connection is broken. Default value: 9. 379 380tcp_keepalive_intvl - INTEGER 381 How frequently the probes are send out. Multiplied by 382 tcp_keepalive_probes it is time to kill not responding connection, 383 after probes started. Default value: 75sec i.e. connection 384 will be aborted after ~11 minutes of retries. 385 386tcp_l3mdev_accept - BOOLEAN 387 Enables child sockets to inherit the L3 master device index. 388 Enabling this option allows a "global" listen socket to work 389 across L3 master domains (e.g., VRFs) with connected sockets 390 derived from the listen socket to be bound to the L3 domain in 391 which the packets originated. Only valid when the kernel was 392 compiled with CONFIG_NET_L3_MASTER_DEV. 393 Default: 0 (disabled) 394 395tcp_low_latency - BOOLEAN 396 This is a legacy option, it has no effect anymore. 397 398tcp_max_orphans - INTEGER 399 Maximal number of TCP sockets not attached to any user file handle, 400 held by system. If this number is exceeded orphaned connections are 401 reset immediately and warning is printed. This limit exists 402 only to prevent simple DoS attacks, you _must_ not rely on this 403 or lower the limit artificially, but rather increase it 404 (probably, after increasing installed memory), 405 if network conditions require more than default value, 406 and tune network services to linger and kill such states 407 more aggressively. Let me to remind again: each orphan eats 408 up to ~64K of unswappable memory. 409 410tcp_max_syn_backlog - INTEGER 411 Maximal number of remembered connection requests (SYN_RECV), 412 which have not received an acknowledgment from connecting client. 413 This is a per-listener limit. 414 The minimal value is 128 for low memory machines, and it will 415 increase in proportion to the memory of machine. 416 If server suffers from overload, try increasing this number. 417 Remember to also check /proc/sys/net/core/somaxconn 418 A SYN_RECV request socket consumes about 304 bytes of memory. 419 420tcp_max_tw_buckets - INTEGER 421 Maximal number of timewait sockets held by system simultaneously. 422 If this number is exceeded time-wait socket is immediately destroyed 423 and warning is printed. This limit exists only to prevent 424 simple DoS attacks, you _must_ not lower the limit artificially, 425 but rather increase it (probably, after increasing installed memory), 426 if network conditions require more than default value. 427 428tcp_mem - vector of 3 INTEGERs: min, pressure, max 429 min: below this number of pages TCP is not bothered about its 430 memory appetite. 431 432 pressure: when amount of memory allocated by TCP exceeds this number 433 of pages, TCP moderates its memory consumption and enters memory 434 pressure mode, which is exited when memory consumption falls 435 under "min". 436 437 max: number of pages allowed for queueing by all TCP sockets. 438 439 Defaults are calculated at boot time from amount of available 440 memory. 441 442tcp_min_rtt_wlen - INTEGER 443 The window length of the windowed min filter to track the minimum RTT. 444 A shorter window lets a flow more quickly pick up new (higher) 445 minimum RTT when it is moved to a longer path (e.g., due to traffic 446 engineering). A longer window makes the filter more resistant to RTT 447 inflations such as transient congestion. The unit is seconds. 448 Possible values: 0 - 86400 (1 day) 449 Default: 300 450 451tcp_moderate_rcvbuf - BOOLEAN 452 If set, TCP performs receive buffer auto-tuning, attempting to 453 automatically size the buffer (no greater than tcp_rmem[2]) to 454 match the size required by the path for full throughput. Enabled by 455 default. 456 457tcp_mtu_probing - INTEGER 458 Controls TCP Packetization-Layer Path MTU Discovery. Takes three 459 values: 460 0 - Disabled 461 1 - Disabled by default, enabled when an ICMP black hole detected 462 2 - Always enabled, use initial MSS of tcp_base_mss. 463 464tcp_probe_interval - UNSIGNED INTEGER 465 Controls how often to start TCP Packetization-Layer Path MTU 466 Discovery reprobe. The default is reprobing every 10 minutes as 467 per RFC4821. 468 469tcp_probe_threshold - INTEGER 470 Controls when TCP Packetization-Layer Path MTU Discovery probing 471 will stop in respect to the width of search range in bytes. Default 472 is 8 bytes. 473 474tcp_no_metrics_save - BOOLEAN 475 By default, TCP saves various connection metrics in the route cache 476 when the connection closes, so that connections established in the 477 near future can use these to set initial conditions. Usually, this 478 increases overall performance, but may sometimes cause performance 479 degradation. If set, TCP will not cache metrics on closing 480 connections. 481 482tcp_orphan_retries - INTEGER 483 This value influences the timeout of a locally closed TCP connection, 484 when RTO retransmissions remain unacknowledged. 485 See tcp_retries2 for more details. 486 487 The default value is 8. 488 If your machine is a loaded WEB server, 489 you should think about lowering this value, such sockets 490 may consume significant resources. Cf. tcp_max_orphans. 491 492tcp_recovery - INTEGER 493 This value is a bitmap to enable various experimental loss recovery 494 features. 495 496 RACK: 0x1 enables the RACK loss detection for fast detection of lost 497 retransmissions and tail drops. It also subsumes and disables 498 RFC6675 recovery for SACK connections. 499 RACK: 0x2 makes RACK's reordering window static (min_rtt/4). 500 RACK: 0x4 disables RACK's DUPACK threshold heuristic 501 502 Default: 0x1 503 504tcp_reordering - INTEGER 505 Initial reordering level of packets in a TCP stream. 506 TCP stack can then dynamically adjust flow reordering level 507 between this initial value and tcp_max_reordering 508 Default: 3 509 510tcp_max_reordering - INTEGER 511 Maximal reordering level of packets in a TCP stream. 512 300 is a fairly conservative value, but you might increase it 513 if paths are using per packet load balancing (like bonding rr mode) 514 Default: 300 515 516tcp_retrans_collapse - BOOLEAN 517 Bug-to-bug compatibility with some broken printers. 518 On retransmit try to send bigger packets to work around bugs in 519 certain TCP stacks. 520 521tcp_retries1 - INTEGER 522 This value influences the time, after which TCP decides, that 523 something is wrong due to unacknowledged RTO retransmissions, 524 and reports this suspicion to the network layer. 525 See tcp_retries2 for more details. 526 527 RFC 1122 recommends at least 3 retransmissions, which is the 528 default. 529 530tcp_retries2 - INTEGER 531 This value influences the timeout of an alive TCP connection, 532 when RTO retransmissions remain unacknowledged. 533 Given a value of N, a hypothetical TCP connection following 534 exponential backoff with an initial RTO of TCP_RTO_MIN would 535 retransmit N times before killing the connection at the (N+1)th RTO. 536 537 The default value of 15 yields a hypothetical timeout of 924.6 538 seconds and is a lower bound for the effective timeout. 539 TCP will effectively time out at the first RTO which exceeds the 540 hypothetical timeout. 541 542 RFC 1122 recommends at least 100 seconds for the timeout, 543 which corresponds to a value of at least 8. 544 545tcp_rfc1337 - BOOLEAN 546 If set, the TCP stack behaves conforming to RFC1337. If unset, 547 we are not conforming to RFC, but prevent TCP TIME_WAIT 548 assassination. 549 Default: 0 550 551tcp_rmem - vector of 3 INTEGERs: min, default, max 552 min: Minimal size of receive buffer used by TCP sockets. 553 It is guaranteed to each TCP socket, even under moderate memory 554 pressure. 555 Default: 4K 556 557 default: initial size of receive buffer used by TCP sockets. 558 This value overrides net.core.rmem_default used by other protocols. 559 Default: 87380 bytes. This value results in window of 65535 with 560 default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit 561 less for default tcp_app_win. See below about these variables. 562 563 max: maximal size of receive buffer allowed for automatically 564 selected receiver buffers for TCP socket. This value does not override 565 net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables 566 automatic tuning of that socket's receive buffer size, in which 567 case this value is ignored. 568 Default: between 87380B and 6MB, depending on RAM size. 569 570tcp_sack - BOOLEAN 571 Enable select acknowledgments (SACKS). 572 573tcp_comp_sack_delay_ns - LONG INTEGER 574 TCP tries to reduce number of SACK sent, using a timer 575 based on 5% of SRTT, capped by this sysctl, in nano seconds. 576 The default is 1ms, based on TSO autosizing period. 577 578 Default : 1,000,000 ns (1 ms) 579 580tcp_comp_sack_nr - INTEGER 581 Max number of SACK that can be compressed. 582 Using 0 disables SACK compression. 583 584 Default : 44 585 586tcp_slow_start_after_idle - BOOLEAN 587 If set, provide RFC2861 behavior and time out the congestion 588 window after an idle period. An idle period is defined at 589 the current RTO. If unset, the congestion window will not 590 be timed out after an idle period. 591 Default: 1 592 593tcp_stdurg - BOOLEAN 594 Use the Host requirements interpretation of the TCP urgent pointer field. 595 Most hosts use the older BSD interpretation, so if you turn this on 596 Linux might not communicate correctly with them. 597 Default: FALSE 598 599tcp_synack_retries - INTEGER 600 Number of times SYNACKs for a passive TCP connection attempt will 601 be retransmitted. Should not be higher than 255. Default value 602 is 5, which corresponds to 31seconds till the last retransmission 603 with the current initial RTO of 1second. With this the final timeout 604 for a passive TCP connection will happen after 63seconds. 605 606tcp_syncookies - BOOLEAN 607 Only valid when the kernel was compiled with CONFIG_SYN_COOKIES 608 Send out syncookies when the syn backlog queue of a socket 609 overflows. This is to prevent against the common 'SYN flood attack' 610 Default: 1 611 612 Note, that syncookies is fallback facility. 613 It MUST NOT be used to help highly loaded servers to stand 614 against legal connection rate. If you see SYN flood warnings 615 in your logs, but investigation shows that they occur 616 because of overload with legal connections, you should tune 617 another parameters until this warning disappear. 618 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. 619 620 syncookies seriously violate TCP protocol, do not allow 621 to use TCP extensions, can result in serious degradation 622 of some services (f.e. SMTP relaying), visible not by you, 623 but your clients and relays, contacting you. While you see 624 SYN flood warnings in logs not being really flooded, your server 625 is seriously misconfigured. 626 627 If you want to test which effects syncookies have to your 628 network connections you can set this knob to 2 to enable 629 unconditionally generation of syncookies. 630 631tcp_fastopen - INTEGER 632 Enable TCP Fast Open (RFC7413) to send and accept data in the opening 633 SYN packet. 634 635 The client support is enabled by flag 0x1 (on by default). The client 636 then must use sendmsg() or sendto() with the MSG_FASTOPEN flag, 637 rather than connect() to send data in SYN. 638 639 The server support is enabled by flag 0x2 (off by default). Then 640 either enable for all listeners with another flag (0x400) or 641 enable individual listeners via TCP_FASTOPEN socket option with 642 the option value being the length of the syn-data backlog. 643 644 The values (bitmap) are 645 0x1: (client) enables sending data in the opening SYN on the client. 646 0x2: (server) enables the server support, i.e., allowing data in 647 a SYN packet to be accepted and passed to the 648 application before 3-way handshake finishes. 649 0x4: (client) send data in the opening SYN regardless of cookie 650 availability and without a cookie option. 651 0x200: (server) accept data-in-SYN w/o any cookie option present. 652 0x400: (server) enable all listeners to support Fast Open by 653 default without explicit TCP_FASTOPEN socket option. 654 655 Default: 0x1 656 657 Note that that additional client or server features are only 658 effective if the basic support (0x1 and 0x2) are enabled respectively. 659 660tcp_fastopen_blackhole_timeout_sec - INTEGER 661 Initial time period in second to disable Fastopen on active TCP sockets 662 when a TFO firewall blackhole issue happens. 663 This time period will grow exponentially when more blackhole issues 664 get detected right after Fastopen is re-enabled and will reset to 665 initial value when the blackhole issue goes away. 666 0 to disable the blackhole detection. 667 By default, it is set to 1hr. 668 669tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs 670 The list consists of a primary key and an optional backup key. The 671 primary key is used for both creating and validating cookies, while the 672 optional backup key is only used for validating cookies. The purpose of 673 the backup key is to maximize TFO validation when keys are rotated. 674 675 A randomly chosen primary key may be configured by the kernel if 676 the tcp_fastopen sysctl is set to 0x400 (see above), or if the 677 TCP_FASTOPEN setsockopt() optname is set and a key has not been 678 previously configured via sysctl. If keys are configured via 679 setsockopt() by using the TCP_FASTOPEN_KEY optname, then those 680 per-socket keys will be used instead of any keys that are specified via 681 sysctl. 682 683 A key is specified as 4 8-digit hexadecimal integers which are separated 684 by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be 685 omitted. A primary and a backup key may be specified by separating them 686 by a comma. If only one key is specified, it becomes the primary key and 687 any previously configured backup keys are removed. 688 689tcp_syn_retries - INTEGER 690 Number of times initial SYNs for an active TCP connection attempt 691 will be retransmitted. Should not be higher than 127. Default value 692 is 6, which corresponds to 63seconds till the last retransmission 693 with the current initial RTO of 1second. With this the final timeout 694 for an active TCP connection attempt will happen after 127seconds. 695 696tcp_timestamps - INTEGER 697Enable timestamps as defined in RFC1323. 698 0: Disabled. 699 1: Enable timestamps as defined in RFC1323 and use random offset for 700 each connection rather than only using the current time. 701 2: Like 1, but without random offsets. 702 Default: 1 703 704tcp_min_tso_segs - INTEGER 705 Minimal number of segments per TSO frame. 706 Since linux-3.12, TCP does an automatic sizing of TSO frames, 707 depending on flow rate, instead of filling 64Kbytes packets. 708 For specific usages, it's possible to force TCP to build big 709 TSO frames. Note that TCP stack might split too big TSO packets 710 if available window is too small. 711 Default: 2 712 713tcp_pacing_ss_ratio - INTEGER 714 sk->sk_pacing_rate is set by TCP stack using a ratio applied 715 to current rate. (current_rate = cwnd * mss / srtt) 716 If TCP is in slow start, tcp_pacing_ss_ratio is applied 717 to let TCP probe for bigger speeds, assuming cwnd can be 718 doubled every other RTT. 719 Default: 200 720 721tcp_pacing_ca_ratio - INTEGER 722 sk->sk_pacing_rate is set by TCP stack using a ratio applied 723 to current rate. (current_rate = cwnd * mss / srtt) 724 If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio 725 is applied to conservatively probe for bigger throughput. 726 Default: 120 727 728tcp_tso_win_divisor - INTEGER 729 This allows control over what percentage of the congestion window 730 can be consumed by a single TSO frame. 731 The setting of this parameter is a choice between burstiness and 732 building larger TSO frames. 733 Default: 3 734 735tcp_tw_reuse - INTEGER 736 Enable reuse of TIME-WAIT sockets for new connections when it is 737 safe from protocol viewpoint. 738 0 - disable 739 1 - global enable 740 2 - enable for loopback traffic only 741 It should not be changed without advice/request of technical 742 experts. 743 Default: 2 744 745tcp_window_scaling - BOOLEAN 746 Enable window scaling as defined in RFC1323. 747 748tcp_wmem - vector of 3 INTEGERs: min, default, max 749 min: Amount of memory reserved for send buffers for TCP sockets. 750 Each TCP socket has rights to use it due to fact of its birth. 751 Default: 4K 752 753 default: initial size of send buffer used by TCP sockets. This 754 value overrides net.core.wmem_default used by other protocols. 755 It is usually lower than net.core.wmem_default. 756 Default: 16K 757 758 max: Maximal amount of memory allowed for automatically tuned 759 send buffers for TCP sockets. This value does not override 760 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables 761 automatic tuning of that socket's send buffer size, in which case 762 this value is ignored. 763 Default: between 64K and 4MB, depending on RAM size. 764 765tcp_notsent_lowat - UNSIGNED INTEGER 766 A TCP socket can control the amount of unsent bytes in its write queue, 767 thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll() 768 reports POLLOUT events if the amount of unsent bytes is below a per 769 socket value, and if the write queue is not full. sendmsg() will 770 also not add new buffers if the limit is hit. 771 772 This global variable controls the amount of unsent data for 773 sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change 774 to the global variable has immediate effect. 775 776 Default: UINT_MAX (0xFFFFFFFF) 777 778tcp_workaround_signed_windows - BOOLEAN 779 If set, assume no receipt of a window scaling option means the 780 remote TCP is broken and treats the window as a signed quantity. 781 If unset, assume the remote TCP is not broken even if we do 782 not receive a window scaling option from them. 783 Default: 0 784 785tcp_thin_linear_timeouts - BOOLEAN 786 Enable dynamic triggering of linear timeouts for thin streams. 787 If set, a check is performed upon retransmission by timeout to 788 determine if the stream is thin (less than 4 packets in flight). 789 As long as the stream is found to be thin, up to 6 linear 790 timeouts may be performed before exponential backoff mode is 791 initiated. This improves retransmission latency for 792 non-aggressive thin streams, often found to be time-dependent. 793 For more information on thin streams, see 794 Documentation/networking/tcp-thin.txt 795 Default: 0 796 797tcp_limit_output_bytes - INTEGER 798 Controls TCP Small Queue limit per tcp socket. 799 TCP bulk sender tends to increase packets in flight until it 800 gets losses notifications. With SNDBUF autotuning, this can 801 result in a large amount of packets queued on the local machine 802 (e.g.: qdiscs, CPU backlog, or device) hurting latency of other 803 flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes 804 limits the number of bytes on qdisc or device to reduce artificial 805 RTT/cwnd and reduce bufferbloat. 806 Default: 1048576 (16 * 65536) 807 808tcp_challenge_ack_limit - INTEGER 809 Limits number of Challenge ACK sent per second, as recommended 810 in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) 811 Default: 100 812 813tcp_rx_skb_cache - BOOLEAN 814 Controls a per TCP socket cache of one skb, that might help 815 performance of some workloads. This might be dangerous 816 on systems with a lot of TCP sockets, since it increases 817 memory usage. 818 819 Default: 0 (disabled) 820 821UDP variables: 822 823udp_l3mdev_accept - BOOLEAN 824 Enabling this option allows a "global" bound socket to work 825 across L3 master domains (e.g., VRFs) with packets capable of 826 being received regardless of the L3 domain in which they 827 originated. Only valid when the kernel was compiled with 828 CONFIG_NET_L3_MASTER_DEV. 829 Default: 0 (disabled) 830 831udp_mem - vector of 3 INTEGERs: min, pressure, max 832 Number of pages allowed for queueing by all UDP sockets. 833 834 min: Below this number of pages UDP is not bothered about its 835 memory appetite. When amount of memory allocated by UDP exceeds 836 this number, UDP starts to moderate memory usage. 837 838 pressure: This value was introduced to follow format of tcp_mem. 839 840 max: Number of pages allowed for queueing by all UDP sockets. 841 842 Default is calculated at boot time from amount of available memory. 843 844udp_rmem_min - INTEGER 845 Minimal size of receive buffer used by UDP sockets in moderation. 846 Each UDP socket is able to use the size for receiving data, even if 847 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 848 Default: 4K 849 850udp_wmem_min - INTEGER 851 Minimal size of send buffer used by UDP sockets in moderation. 852 Each UDP socket is able to use the size for sending data, even if 853 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 854 Default: 4K 855 856RAW variables: 857 858raw_l3mdev_accept - BOOLEAN 859 Enabling this option allows a "global" bound socket to work 860 across L3 master domains (e.g., VRFs) with packets capable of 861 being received regardless of the L3 domain in which they 862 originated. Only valid when the kernel was compiled with 863 CONFIG_NET_L3_MASTER_DEV. 864 Default: 1 (enabled) 865 866CIPSOv4 Variables: 867 868cipso_cache_enable - BOOLEAN 869 If set, enable additions to and lookups from the CIPSO label mapping 870 cache. If unset, additions are ignored and lookups always result in a 871 miss. However, regardless of the setting the cache is still 872 invalidated when required when means you can safely toggle this on and 873 off and the cache will always be "safe". 874 Default: 1 875 876cipso_cache_bucket_size - INTEGER 877 The CIPSO label cache consists of a fixed size hash table with each 878 hash bucket containing a number of cache entries. This variable limits 879 the number of entries in each hash bucket; the larger the value the 880 more CIPSO label mappings that can be cached. When the number of 881 entries in a given hash bucket reaches this limit adding new entries 882 causes the oldest entry in the bucket to be removed to make room. 883 Default: 10 884 885cipso_rbm_optfmt - BOOLEAN 886 Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of 887 the CIPSO draft specification (see Documentation/netlabel for details). 888 This means that when set the CIPSO tag will be padded with empty 889 categories in order to make the packet data 32-bit aligned. 890 Default: 0 891 892cipso_rbm_structvalid - BOOLEAN 893 If set, do a very strict check of the CIPSO option when 894 ip_options_compile() is called. If unset, relax the checks done during 895 ip_options_compile(). Either way is "safe" as errors are caught else 896 where in the CIPSO processing code but setting this to 0 (False) should 897 result in less work (i.e. it should be faster) but could cause problems 898 with other implementations that require strict checking. 899 Default: 0 900 901IP Variables: 902 903ip_local_port_range - 2 INTEGERS 904 Defines the local port range that is used by TCP and UDP to 905 choose the local port. The first number is the first, the 906 second the last local port number. 907 If possible, it is better these numbers have different parity. 908 (one even and one odd values) 909 The default values are 32768 and 60999 respectively. 910 911ip_local_reserved_ports - list of comma separated ranges 912 Specify the ports which are reserved for known third-party 913 applications. These ports will not be used by automatic port 914 assignments (e.g. when calling connect() or bind() with port 915 number 0). Explicit port allocation behavior is unchanged. 916 917 The format used for both input and output is a comma separated 918 list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and 919 10). Writing to the file will clear all previously reserved 920 ports and update the current list with the one given in the 921 input. 922 923 Note that ip_local_port_range and ip_local_reserved_ports 924 settings are independent and both are considered by the kernel 925 when determining which ports are available for automatic port 926 assignments. 927 928 You can reserve ports which are not in the current 929 ip_local_port_range, e.g.: 930 931 $ cat /proc/sys/net/ipv4/ip_local_port_range 932 32000 60999 933 $ cat /proc/sys/net/ipv4/ip_local_reserved_ports 934 8080,9148 935 936 although this is redundant. However such a setting is useful 937 if later the port range is changed to a value that will 938 include the reserved ports. 939 940 Default: Empty 941 942ip_local_unbindable_ports - list of comma separated ranges 943 Specify the ports which are not directly bind()able. 944 945 Usually you would use this to block the use of ports which 946 are invalid due to something outside of the control of the 947 kernel. For example a port stolen by the nic for serial 948 console, remote power management or debugging. 949 950 There's a relatively high chance you will also want to list 951 these ports in 'ip_local_reserved_ports' to prevent autobinding. 952 953 Default: Empty 954 955ip_unprivileged_port_start - INTEGER 956 This is a per-namespace sysctl. It defines the first 957 unprivileged port in the network namespace. Privileged ports 958 require root or CAP_NET_BIND_SERVICE in order to bind to them. 959 To disable all privileged ports, set this to 0. It may not 960 overlap with the ip_local_reserved_ports range. 961 962 Default: 1024 963 964ip_nonlocal_bind - BOOLEAN 965 If set, allows processes to bind() to non-local IP addresses, 966 which can be quite useful - but may break some applications. 967 Default: 0 968 969ip_dynaddr - BOOLEAN 970 If set non-zero, enables support for dynamic addresses. 971 If set to a non-zero value larger than 1, a kernel log 972 message will be printed when dynamic address rewriting 973 occurs. 974 Default: 0 975 976ip_early_demux - BOOLEAN 977 Optimize input packet processing down to one demux for 978 certain kinds of local sockets. Currently we only do this 979 for established TCP and connected UDP sockets. 980 981 It may add an additional cost for pure routing workloads that 982 reduces overall throughput, in such case you should disable it. 983 Default: 1 984 985tcp_early_demux - BOOLEAN 986 Enable early demux for established TCP sockets. 987 Default: 1 988 989udp_early_demux - BOOLEAN 990 Enable early demux for connected UDP sockets. Disable this if 991 your system could experience more unconnected load. 992 Default: 1 993 994icmp_echo_ignore_all - BOOLEAN 995 If set non-zero, then the kernel will ignore all ICMP ECHO 996 requests sent to it. 997 Default: 0 998 999icmp_echo_ignore_broadcasts - BOOLEAN 1000 If set non-zero, then the kernel will ignore all ICMP ECHO and 1001 TIMESTAMP requests sent to it via broadcast/multicast. 1002 Default: 1 1003 1004icmp_ratelimit - INTEGER 1005 Limit the maximal rates for sending ICMP packets whose type matches 1006 icmp_ratemask (see below) to specific targets. 1007 0 to disable any limiting, 1008 otherwise the minimal space between responses in milliseconds. 1009 Note that another sysctl, icmp_msgs_per_sec limits the number 1010 of ICMP packets sent on all targets. 1011 Default: 1000 1012 1013icmp_msgs_per_sec - INTEGER 1014 Limit maximal number of ICMP packets sent per second from this host. 1015 Only messages whose type matches icmp_ratemask (see below) are 1016 controlled by this limit. 1017 Default: 1000 1018 1019icmp_msgs_burst - INTEGER 1020 icmp_msgs_per_sec controls number of ICMP packets sent per second, 1021 while icmp_msgs_burst controls the burst size of these packets. 1022 Default: 50 1023 1024icmp_ratemask - INTEGER 1025 Mask made of ICMP types for which rates are being limited. 1026 Significant bits: IHGFEDCBA9876543210 1027 Default mask: 0000001100000011000 (6168) 1028 1029 Bit definitions (see include/linux/icmp.h): 1030 0 Echo Reply 1031 3 Destination Unreachable * 1032 4 Source Quench * 1033 5 Redirect 1034 8 Echo Request 1035 B Time Exceeded * 1036 C Parameter Problem * 1037 D Timestamp Request 1038 E Timestamp Reply 1039 F Info Request 1040 G Info Reply 1041 H Address Mask Request 1042 I Address Mask Reply 1043 1044 * These are rate limited by default (see default mask above) 1045 1046icmp_ignore_bogus_error_responses - BOOLEAN 1047 Some routers violate RFC1122 by sending bogus responses to broadcast 1048 frames. Such violations are normally logged via a kernel warning. 1049 If this is set to TRUE, the kernel will not give such warnings, which 1050 will avoid log file clutter. 1051 Default: 1 1052 1053icmp_errors_use_inbound_ifaddr - BOOLEAN 1054 1055 If zero, icmp error messages are sent with the primary address of 1056 the exiting interface. 1057 1058 If non-zero, the message will be sent with the primary address of 1059 the interface that received the packet that caused the icmp error. 1060 This is the behaviour network many administrators will expect from 1061 a router. And it can make debugging complicated network layouts 1062 much easier. 1063 1064 Note that if no primary address exists for the interface selected, 1065 then the primary address of the first non-loopback interface that 1066 has one will be used regardless of this setting. 1067 1068 Default: 0 1069 1070igmp_max_memberships - INTEGER 1071 Change the maximum number of multicast groups we can subscribe to. 1072 Default: 20 1073 1074 Theoretical maximum value is bounded by having to send a membership 1075 report in a single datagram (i.e. the report can't span multiple 1076 datagrams, or risk confusing the switch and leaving groups you don't 1077 intend to). 1078 1079 The number of supported groups 'M' is bounded by the number of group 1080 report entries you can fit into a single datagram of 65535 bytes. 1081 1082 M = 65536-sizeof (ip header)/(sizeof(Group record)) 1083 1084 Group records are variable length, with a minimum of 12 bytes. 1085 So net.ipv4.igmp_max_memberships should not be set higher than: 1086 1087 (65536-24) / 12 = 5459 1088 1089 The value 5459 assumes no IP header options, so in practice 1090 this number may be lower. 1091 1092igmp_max_msf - INTEGER 1093 Maximum number of addresses allowed in the source filter list for a 1094 multicast group. 1095 Default: 10 1096 1097igmp_qrv - INTEGER 1098 Controls the IGMP query robustness variable (see RFC2236 8.1). 1099 Default: 2 (as specified by RFC2236 8.1) 1100 Minimum: 1 (as specified by RFC6636 4.5) 1101 1102force_igmp_version - INTEGER 1103 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback 1104 allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier 1105 Present timer expires. 1106 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if 1107 receive IGMPv2/v3 query. 1108 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive 1109 IGMPv1 query message. Will reply report if receive IGMPv3 query. 1110 3 - Enforce to use IGMP version 3. The same react with default 0. 1111 1112 Note: this is not the same with force_mld_version because IGMPv3 RFC3376 1113 Security Considerations does not have clear description that we could 1114 ignore other version messages completely as MLDv2 RFC3810. So make 1115 this value as default 0 is recommended. 1116 1117conf/interface/* changes special settings per interface (where 1118"interface" is the name of your network interface) 1119 1120conf/all/* is special, changes the settings for all interfaces 1121 1122log_martians - BOOLEAN 1123 Log packets with impossible addresses to kernel log. 1124 log_martians for the interface will be enabled if at least one of 1125 conf/{all,interface}/log_martians is set to TRUE, 1126 it will be disabled otherwise 1127 1128accept_redirects - BOOLEAN 1129 Accept ICMP redirect messages. 1130 accept_redirects for the interface will be enabled if: 1131 - both conf/{all,interface}/accept_redirects are TRUE in the case 1132 forwarding for the interface is enabled 1133 or 1134 - at least one of conf/{all,interface}/accept_redirects is TRUE in the 1135 case forwarding for the interface is disabled 1136 accept_redirects for the interface will be disabled otherwise 1137 default TRUE (host) 1138 FALSE (router) 1139 1140forwarding - BOOLEAN 1141 Enable IP forwarding on this interface. This controls whether packets 1142 received _on_ this interface can be forwarded. 1143 1144mc_forwarding - BOOLEAN 1145 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE 1146 and a multicast routing daemon is required. 1147 conf/all/mc_forwarding must also be set to TRUE to enable multicast 1148 routing for the interface 1149 1150medium_id - INTEGER 1151 Integer value used to differentiate the devices by the medium they 1152 are attached to. Two devices can have different id values when 1153 the broadcast packets are received only on one of them. 1154 The default value 0 means that the device is the only interface 1155 to its medium, value of -1 means that medium is not known. 1156 1157 Currently, it is used to change the proxy_arp behavior: 1158 the proxy_arp feature is enabled for packets forwarded between 1159 two devices attached to different media. 1160 1161proxy_arp - BOOLEAN 1162 Do proxy arp. 1163 proxy_arp for the interface will be enabled if at least one of 1164 conf/{all,interface}/proxy_arp is set to TRUE, 1165 it will be disabled otherwise 1166 1167proxy_arp_pvlan - BOOLEAN 1168 Private VLAN proxy arp. 1169 Basically allow proxy arp replies back to the same interface 1170 (from which the ARP request/solicitation was received). 1171 1172 This is done to support (ethernet) switch features, like RFC 1173 3069, where the individual ports are NOT allowed to 1174 communicate with each other, but they are allowed to talk to 1175 the upstream router. As described in RFC 3069, it is possible 1176 to allow these hosts to communicate through the upstream 1177 router by proxy_arp'ing. Don't need to be used together with 1178 proxy_arp. 1179 1180 This technology is known by different names: 1181 In RFC 3069 it is called VLAN Aggregation. 1182 Cisco and Allied Telesyn call it Private VLAN. 1183 Hewlett-Packard call it Source-Port filtering or port-isolation. 1184 Ericsson call it MAC-Forced Forwarding (RFC Draft). 1185 1186shared_media - BOOLEAN 1187 Send(router) or accept(host) RFC1620 shared media redirects. 1188 Overrides secure_redirects. 1189 shared_media for the interface will be enabled if at least one of 1190 conf/{all,interface}/shared_media is set to TRUE, 1191 it will be disabled otherwise 1192 default TRUE 1193 1194secure_redirects - BOOLEAN 1195 Accept ICMP redirect messages only to gateways listed in the 1196 interface's current gateway list. Even if disabled, RFC1122 redirect 1197 rules still apply. 1198 Overridden by shared_media. 1199 secure_redirects for the interface will be enabled if at least one of 1200 conf/{all,interface}/secure_redirects is set to TRUE, 1201 it will be disabled otherwise 1202 default TRUE 1203 1204send_redirects - BOOLEAN 1205 Send redirects, if router. 1206 send_redirects for the interface will be enabled if at least one of 1207 conf/{all,interface}/send_redirects is set to TRUE, 1208 it will be disabled otherwise 1209 Default: TRUE 1210 1211bootp_relay - BOOLEAN 1212 Accept packets with source address 0.b.c.d destined 1213 not to this host as local ones. It is supposed, that 1214 BOOTP relay daemon will catch and forward such packets. 1215 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay 1216 for the interface 1217 default FALSE 1218 Not Implemented Yet. 1219 1220accept_source_route - BOOLEAN 1221 Accept packets with SRR option. 1222 conf/all/accept_source_route must also be set to TRUE to accept packets 1223 with SRR option on the interface 1224 default TRUE (router) 1225 FALSE (host) 1226 1227accept_local - BOOLEAN 1228 Accept packets with local source addresses. In combination with 1229 suitable routing, this can be used to direct packets between two 1230 local interfaces over the wire and have them accepted properly. 1231 default FALSE 1232 1233route_localnet - BOOLEAN 1234 Do not consider loopback addresses as martian source or destination 1235 while routing. This enables the use of 127/8 for local routing purposes. 1236 default FALSE 1237 1238rp_filter - INTEGER 1239 0 - No source validation. 1240 1 - Strict mode as defined in RFC3704 Strict Reverse Path 1241 Each incoming packet is tested against the FIB and if the interface 1242 is not the best reverse path the packet check will fail. 1243 By default failed packets are discarded. 1244 2 - Loose mode as defined in RFC3704 Loose Reverse Path 1245 Each incoming packet's source address is also tested against the FIB 1246 and if the source address is not reachable via any interface 1247 the packet check will fail. 1248 1249 Current recommended practice in RFC3704 is to enable strict mode 1250 to prevent IP spoofing from DDos attacks. If using asymmetric routing 1251 or other complicated routing, then loose mode is recommended. 1252 1253 The max value from conf/{all,interface}/rp_filter is used 1254 when doing source validation on the {interface}. 1255 1256 Default value is 0. Note that some distributions enable it 1257 in startup scripts. 1258 1259arp_filter - BOOLEAN 1260 1 - Allows you to have multiple network interfaces on the same 1261 subnet, and have the ARPs for each interface be answered 1262 based on whether or not the kernel would route a packet from 1263 the ARP'd IP out that interface (therefore you must use source 1264 based routing for this to work). In other words it allows control 1265 of which cards (usually 1) will respond to an arp request. 1266 1267 0 - (default) The kernel can respond to arp requests with addresses 1268 from other interfaces. This may seem wrong but it usually makes 1269 sense, because it increases the chance of successful communication. 1270 IP addresses are owned by the complete host on Linux, not by 1271 particular interfaces. Only for more complex setups like load- 1272 balancing, does this behaviour cause problems. 1273 1274 arp_filter for the interface will be enabled if at least one of 1275 conf/{all,interface}/arp_filter is set to TRUE, 1276 it will be disabled otherwise 1277 1278arp_announce - INTEGER 1279 Define different restriction levels for announcing the local 1280 source IP address from IP packets in ARP requests sent on 1281 interface: 1282 0 - (default) Use any local address, configured on any interface 1283 1 - Try to avoid local addresses that are not in the target's 1284 subnet for this interface. This mode is useful when target 1285 hosts reachable via this interface require the source IP 1286 address in ARP requests to be part of their logical network 1287 configured on the receiving interface. When we generate the 1288 request we will check all our subnets that include the 1289 target IP and will preserve the source address if it is from 1290 such subnet. If there is no such subnet we select source 1291 address according to the rules for level 2. 1292 2 - Always use the best local address for this target. 1293 In this mode we ignore the source address in the IP packet 1294 and try to select local address that we prefer for talks with 1295 the target host. Such local address is selected by looking 1296 for primary IP addresses on all our subnets on the outgoing 1297 interface that include the target IP address. If no suitable 1298 local address is found we select the first local address 1299 we have on the outgoing interface or on all other interfaces, 1300 with the hope we will receive reply for our request and 1301 even sometimes no matter the source IP address we announce. 1302 1303 The max value from conf/{all,interface}/arp_announce is used. 1304 1305 Increasing the restriction level gives more chance for 1306 receiving answer from the resolved target while decreasing 1307 the level announces more valid sender's information. 1308 1309arp_ignore - INTEGER 1310 Define different modes for sending replies in response to 1311 received ARP requests that resolve local target IP addresses: 1312 0 - (default): reply for any local target IP address, configured 1313 on any interface 1314 1 - reply only if the target IP address is local address 1315 configured on the incoming interface 1316 2 - reply only if the target IP address is local address 1317 configured on the incoming interface and both with the 1318 sender's IP address are part from same subnet on this interface 1319 3 - do not reply for local addresses configured with scope host, 1320 only resolutions for global and link addresses are replied 1321 4-7 - reserved 1322 8 - do not reply for all local addresses 1323 1324 The max value from conf/{all,interface}/arp_ignore is used 1325 when ARP request is received on the {interface} 1326 1327arp_notify - BOOLEAN 1328 Define mode for notification of address and device changes. 1329 0 - (default): do nothing 1330 1 - Generate gratuitous arp requests when device is brought up 1331 or hardware address changes. 1332 1333arp_accept - BOOLEAN 1334 Define behavior for gratuitous ARP frames who's IP is not 1335 already present in the ARP table: 1336 0 - don't create new entries in the ARP table 1337 1 - create new entries in the ARP table 1338 1339 Both replies and requests type gratuitous arp will trigger the 1340 ARP table to be updated, if this setting is on. 1341 1342 If the ARP table already contains the IP address of the 1343 gratuitous arp frame, the arp table will be updated regardless 1344 if this setting is on or off. 1345 1346mcast_solicit - INTEGER 1347 The maximum number of multicast probes in INCOMPLETE state, 1348 when the associated hardware address is unknown. Defaults 1349 to 3. 1350 1351ucast_solicit - INTEGER 1352 The maximum number of unicast probes in PROBE state, when 1353 the hardware address is being reconfirmed. Defaults to 3. 1354 1355app_solicit - INTEGER 1356 The maximum number of probes to send to the user space ARP daemon 1357 via netlink before dropping back to multicast probes (see 1358 mcast_resolicit). Defaults to 0. 1359 1360mcast_resolicit - INTEGER 1361 The maximum number of multicast probes after unicast and 1362 app probes in PROBE state. Defaults to 0. 1363 1364disable_policy - BOOLEAN 1365 Disable IPSEC policy (SPD) for this interface 1366 1367disable_xfrm - BOOLEAN 1368 Disable IPSEC encryption on this interface, whatever the policy 1369 1370igmpv2_unsolicited_report_interval - INTEGER 1371 The interval in milliseconds in which the next unsolicited 1372 IGMPv1 or IGMPv2 report retransmit will take place. 1373 Default: 10000 (10 seconds) 1374 1375igmpv3_unsolicited_report_interval - INTEGER 1376 The interval in milliseconds in which the next unsolicited 1377 IGMPv3 report retransmit will take place. 1378 Default: 1000 (1 seconds) 1379 1380promote_secondaries - BOOLEAN 1381 When a primary IP address is removed from this interface 1382 promote a corresponding secondary IP address instead of 1383 removing all the corresponding secondary IP addresses. 1384 1385drop_unicast_in_l2_multicast - BOOLEAN 1386 Drop any unicast IP packets that are received in link-layer 1387 multicast (or broadcast) frames. 1388 This behavior (for multicast) is actually a SHOULD in RFC 1389 1122, but is disabled by default for compatibility reasons. 1390 Default: off (0) 1391 1392drop_gratuitous_arp - BOOLEAN 1393 Drop all gratuitous ARP frames, for example if there's a known 1394 good ARP proxy on the network and such frames need not be used 1395 (or in the case of 802.11, must not be used to prevent attacks.) 1396 Default: off (0) 1397 1398 1399tag - INTEGER 1400 Allows you to write a number, which can be used as required. 1401 Default value is 0. 1402 1403xfrm4_gc_thresh - INTEGER 1404 (Obsolete since linux-4.14) 1405 The threshold at which we will start garbage collecting for IPv4 1406 destination cache entries. At twice this value the system will 1407 refuse new allocations. 1408 1409igmp_link_local_mcast_reports - BOOLEAN 1410 Enable IGMP reports for link local multicast groups in the 1411 224.0.0.X range. 1412 Default TRUE 1413 1414Alexey Kuznetsov. 1415kuznet@ms2.inr.ac.ru 1416 1417Updated by: 1418Andi Kleen 1419ak@muc.de 1420Nicolas Delon 1421delon.nicolas@wanadoo.fr 1422 1423 1424 1425 1426/proc/sys/net/ipv6/* Variables: 1427 1428IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also 1429apply to IPv6 [XXX?]. 1430 1431bindv6only - BOOLEAN 1432 Default value for IPV6_V6ONLY socket option, 1433 which restricts use of the IPv6 socket to IPv6 communication 1434 only. 1435 TRUE: disable IPv4-mapped address feature 1436 FALSE: enable IPv4-mapped address feature 1437 1438 Default: FALSE (as specified in RFC3493) 1439 1440flowlabel_consistency - BOOLEAN 1441 Protect the consistency (and unicity) of flow label. 1442 You have to disable it to use IPV6_FL_F_REFLECT flag on the 1443 flow label manager. 1444 TRUE: enabled 1445 FALSE: disabled 1446 Default: TRUE 1447 1448auto_flowlabels - INTEGER 1449 Automatically generate flow labels based on a flow hash of the 1450 packet. This allows intermediate devices, such as routers, to 1451 identify packet flows for mechanisms like Equal Cost Multipath 1452 Routing (see RFC 6438). 1453 0: automatic flow labels are completely disabled 1454 1: automatic flow labels are enabled by default, they can be 1455 disabled on a per socket basis using the IPV6_AUTOFLOWLABEL 1456 socket option 1457 2: automatic flow labels are allowed, they may be enabled on a 1458 per socket basis using the IPV6_AUTOFLOWLABEL socket option 1459 3: automatic flow labels are enabled and enforced, they cannot 1460 be disabled by the socket option 1461 Default: 1 1462 1463flowlabel_state_ranges - BOOLEAN 1464 Split the flow label number space into two ranges. 0-0x7FFFF is 1465 reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF 1466 is reserved for stateless flow labels as described in RFC6437. 1467 TRUE: enabled 1468 FALSE: disabled 1469 Default: true 1470 1471flowlabel_reflect - INTEGER 1472 Control flow label reflection. Needed for Path MTU 1473 Discovery to work with Equal Cost Multipath Routing in anycast 1474 environments. See RFC 7690 and: 1475 https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01 1476 1477 This is a bitmask. 1478 1: enabled for established flows 1479 1480 Note that this prevents automatic flowlabel changes, as done 1481 in "tcp: change IPv6 flow-label upon receiving spurious retransmission" 1482 and "tcp: Change txhash on every SYN and RTO retransmit" 1483 1484 2: enabled for TCP RESET packets (no active listener) 1485 If set, a RST packet sent in response to a SYN packet on a closed 1486 port will reflect the incoming flow label. 1487 1488 4: enabled for ICMPv6 echo reply messages. 1489 1490 Default: 0 1491 1492fib_multipath_hash_policy - INTEGER 1493 Controls which hash policy to use for multipath routes. 1494 Default: 0 (Layer 3) 1495 Possible values: 1496 0 - Layer 3 (source and destination addresses plus flow label) 1497 1 - Layer 4 (standard 5-tuple) 1498 2 - Layer 3 or inner Layer 3 if present 1499 1500anycast_src_echo_reply - BOOLEAN 1501 Controls the use of anycast addresses as source addresses for ICMPv6 1502 echo reply 1503 TRUE: enabled 1504 FALSE: disabled 1505 Default: FALSE 1506 1507idgen_delay - INTEGER 1508 Controls the delay in seconds after which time to retry 1509 privacy stable address generation if a DAD conflict is 1510 detected. 1511 Default: 1 (as specified in RFC7217) 1512 1513idgen_retries - INTEGER 1514 Controls the number of retries to generate a stable privacy 1515 address if a DAD conflict is detected. 1516 Default: 3 (as specified in RFC7217) 1517 1518mld_qrv - INTEGER 1519 Controls the MLD query robustness variable (see RFC3810 9.1). 1520 Default: 2 (as specified by RFC3810 9.1) 1521 Minimum: 1 (as specified by RFC6636 4.5) 1522 1523max_dst_opts_number - INTEGER 1524 Maximum number of non-padding TLVs allowed in a Destination 1525 options extension header. If this value is less than zero 1526 then unknown options are disallowed and the number of known 1527 TLVs allowed is the absolute value of this number. 1528 Default: 8 1529 1530max_hbh_opts_number - INTEGER 1531 Maximum number of non-padding TLVs allowed in a Hop-by-Hop 1532 options extension header. If this value is less than zero 1533 then unknown options are disallowed and the number of known 1534 TLVs allowed is the absolute value of this number. 1535 Default: 8 1536 1537max_dst_opts_length - INTEGER 1538 Maximum length allowed for a Destination options extension 1539 header. 1540 Default: INT_MAX (unlimited) 1541 1542max_hbh_length - INTEGER 1543 Maximum length allowed for a Hop-by-Hop options extension 1544 header. 1545 Default: INT_MAX (unlimited) 1546 1547skip_notify_on_dev_down - BOOLEAN 1548 Controls whether an RTM_DELROUTE message is generated for routes 1549 removed when a device is taken down or deleted. IPv4 does not 1550 generate this message; IPv6 does by default. Setting this sysctl 1551 to true skips the message, making IPv4 and IPv6 on par in relying 1552 on userspace caches to track link events and evict routes. 1553 Default: false (generate message) 1554 1555IPv6 Fragmentation: 1556 1557ip6frag_high_thresh - INTEGER 1558 Maximum memory used to reassemble IPv6 fragments. When 1559 ip6frag_high_thresh bytes of memory is allocated for this purpose, 1560 the fragment handler will toss packets until ip6frag_low_thresh 1561 is reached. 1562 1563ip6frag_low_thresh - INTEGER 1564 See ip6frag_high_thresh 1565 1566ip6frag_time - INTEGER 1567 Time in seconds to keep an IPv6 fragment in memory. 1568 1569IPv6 Segment Routing: 1570 1571seg6_flowlabel - INTEGER 1572 Controls the behaviour of computing the flowlabel of outer 1573 IPv6 header in case of SR T.encaps 1574 1575 -1 set flowlabel to zero. 1576 0 copy flowlabel from Inner packet in case of Inner IPv6 1577 (Set flowlabel to 0 in case IPv4/L2) 1578 1 Compute the flowlabel using seg6_make_flowlabel() 1579 1580 Default is 0. 1581 1582conf/default/*: 1583 Change the interface-specific default settings. 1584 1585 1586conf/all/*: 1587 Change all the interface-specific settings. 1588 1589 [XXX: Other special features than forwarding?] 1590 1591conf/all/forwarding - BOOLEAN 1592 Enable global IPv6 forwarding between all interfaces. 1593 1594 IPv4 and IPv6 work differently here; e.g. netfilter must be used 1595 to control which interfaces may forward packets and which not. 1596 1597 This also sets all interfaces' Host/Router setting 1598 'forwarding' to the specified value. See below for details. 1599 1600 This referred to as global forwarding. 1601 1602proxy_ndp - BOOLEAN 1603 Do proxy ndp. 1604 1605fwmark_reflect - BOOLEAN 1606 Controls the fwmark of kernel-generated IPv6 reply packets that are not 1607 associated with a socket for example, TCP RSTs or ICMPv6 echo replies). 1608 If unset, these packets have a fwmark of zero. If set, they have the 1609 fwmark of the packet they are replying to. 1610 Default: 0 1611 1612conf/interface/*: 1613 Change special settings per interface. 1614 1615 The functional behaviour for certain settings is different 1616 depending on whether local forwarding is enabled or not. 1617 1618accept_ra - INTEGER 1619 Accept Router Advertisements; autoconfigure using them. 1620 1621 It also determines whether or not to transmit Router 1622 Solicitations. If and only if the functional setting is to 1623 accept Router Advertisements, Router Solicitations will be 1624 transmitted. 1625 1626 Possible values are: 1627 0 Do not accept Router Advertisements. 1628 1 Accept Router Advertisements if forwarding is disabled. 1629 2 Overrule forwarding behaviour. Accept Router Advertisements 1630 even if forwarding is enabled. 1631 1632 Functional default: enabled if local forwarding is disabled. 1633 disabled if local forwarding is enabled. 1634 1635accept_ra_defrtr - BOOLEAN 1636 Learn default router in Router Advertisement. 1637 1638 Functional default: enabled if accept_ra is enabled. 1639 disabled if accept_ra is disabled. 1640 1641accept_ra_from_local - BOOLEAN 1642 Accept RA with source-address that is found on local machine 1643 if the RA is otherwise proper and able to be accepted. 1644 Default is to NOT accept these as it may be an un-intended 1645 network loop. 1646 1647 Functional default: 1648 enabled if accept_ra_from_local is enabled 1649 on a specific interface. 1650 disabled if accept_ra_from_local is disabled 1651 on a specific interface. 1652 1653accept_ra_min_hop_limit - INTEGER 1654 Minimum hop limit Information in Router Advertisement. 1655 1656 Hop limit Information in Router Advertisement less than this 1657 variable shall be ignored. 1658 1659 Default: 1 1660 1661accept_ra_pinfo - BOOLEAN 1662 Learn Prefix Information in Router Advertisement. 1663 1664 Functional default: enabled if accept_ra is enabled. 1665 disabled if accept_ra is disabled. 1666 1667accept_ra_rt_info_min_plen - INTEGER 1668 Minimum prefix length of Route Information in RA. 1669 1670 Route Information w/ prefix smaller than this variable shall 1671 be ignored. 1672 1673 Functional default: 0 if accept_ra_rtr_pref is enabled. 1674 -1 if accept_ra_rtr_pref is disabled. 1675 1676accept_ra_rt_info_max_plen - INTEGER 1677 Maximum prefix length of Route Information in RA. 1678 1679 Route Information w/ prefix larger than this variable shall 1680 be ignored. 1681 1682 Functional default: 0 if accept_ra_rtr_pref is enabled. 1683 -1 if accept_ra_rtr_pref is disabled. 1684 1685accept_ra_rtr_pref - BOOLEAN 1686 Accept Router Preference in RA. 1687 1688 Functional default: enabled if accept_ra is enabled. 1689 disabled if accept_ra is disabled. 1690 1691accept_ra_mtu - BOOLEAN 1692 Apply the MTU value specified in RA option 5 (RFC4861). If 1693 disabled, the MTU specified in the RA will be ignored. 1694 1695 Functional default: enabled if accept_ra is enabled. 1696 disabled if accept_ra is disabled. 1697 1698accept_redirects - BOOLEAN 1699 Accept Redirects. 1700 1701 Functional default: enabled if local forwarding is disabled. 1702 disabled if local forwarding is enabled. 1703 1704accept_source_route - INTEGER 1705 Accept source routing (routing extension header). 1706 1707 >= 0: Accept only routing header type 2. 1708 < 0: Do not accept routing header. 1709 1710 Default: 0 1711 1712autoconf - BOOLEAN 1713 Autoconfigure addresses using Prefix Information in Router 1714 Advertisements. 1715 1716 Functional default: enabled if accept_ra_pinfo is enabled. 1717 disabled if accept_ra_pinfo is disabled. 1718 1719dad_transmits - INTEGER 1720 The amount of Duplicate Address Detection probes to send. 1721 Default: 1 1722 1723forwarding - INTEGER 1724 Configure interface-specific Host/Router behaviour. 1725 1726 Note: It is recommended to have the same setting on all 1727 interfaces; mixed router/host scenarios are rather uncommon. 1728 1729 Possible values are: 1730 0 Forwarding disabled 1731 1 Forwarding enabled 1732 1733 FALSE (0): 1734 1735 By default, Host behaviour is assumed. This means: 1736 1737 1. IsRouter flag is not set in Neighbour Advertisements. 1738 2. If accept_ra is TRUE (default), transmit Router 1739 Solicitations. 1740 3. If accept_ra is TRUE (default), accept Router 1741 Advertisements (and do autoconfiguration). 1742 4. If accept_redirects is TRUE (default), accept Redirects. 1743 1744 TRUE (1): 1745 1746 If local forwarding is enabled, Router behaviour is assumed. 1747 This means exactly the reverse from the above: 1748 1749 1. IsRouter flag is set in Neighbour Advertisements. 1750 2. Router Solicitations are not sent unless accept_ra is 2. 1751 3. Router Advertisements are ignored unless accept_ra is 2. 1752 4. Redirects are ignored. 1753 1754 Default: 0 (disabled) if global forwarding is disabled (default), 1755 otherwise 1 (enabled). 1756 1757hop_limit - INTEGER 1758 Default Hop Limit to set. 1759 Default: 64 1760 1761mtu - INTEGER 1762 Default Maximum Transfer Unit 1763 Default: 1280 (IPv6 required minimum) 1764 1765ip_nonlocal_bind - BOOLEAN 1766 If set, allows processes to bind() to non-local IPv6 addresses, 1767 which can be quite useful - but may break some applications. 1768 Default: 0 1769 1770router_probe_interval - INTEGER 1771 Minimum interval (in seconds) between Router Probing described 1772 in RFC4191. 1773 1774 Default: 60 1775 1776router_solicitation_delay - INTEGER 1777 Number of seconds to wait after interface is brought up 1778 before sending Router Solicitations. 1779 Default: 1 1780 1781router_solicitation_interval - INTEGER 1782 Number of seconds to wait between Router Solicitations. 1783 Default: 4 1784 1785router_solicitations - INTEGER 1786 Number of Router Solicitations to send until assuming no 1787 routers are present. 1788 Default: 3 1789 1790use_oif_addrs_only - BOOLEAN 1791 When enabled, the candidate source addresses for destinations 1792 routed via this interface are restricted to the set of addresses 1793 configured on this interface (vis. RFC 6724, section 4). 1794 1795 Default: false 1796 1797use_tempaddr - INTEGER 1798 Preference for Privacy Extensions (RFC3041). 1799 <= 0 : disable Privacy Extensions 1800 == 1 : enable Privacy Extensions, but prefer public 1801 addresses over temporary addresses. 1802 > 1 : enable Privacy Extensions and prefer temporary 1803 addresses over public addresses. 1804 Default: 0 (for most devices) 1805 -1 (for point-to-point devices and loopback devices) 1806 1807temp_valid_lft - INTEGER 1808 valid lifetime (in seconds) for temporary addresses. 1809 Default: 604800 (7 days) 1810 1811temp_prefered_lft - INTEGER 1812 Preferred lifetime (in seconds) for temporary addresses. 1813 Default: 86400 (1 day) 1814 1815keep_addr_on_down - INTEGER 1816 Keep all IPv6 addresses on an interface down event. If set static 1817 global addresses with no expiration time are not flushed. 1818 >0 : enabled 1819 0 : system default 1820 <0 : disabled 1821 1822 Default: 0 (addresses are removed) 1823 1824max_desync_factor - INTEGER 1825 Maximum value for DESYNC_FACTOR, which is a random value 1826 that ensures that clients don't synchronize with each 1827 other and generate new addresses at exactly the same time. 1828 value is in seconds. 1829 Default: 600 1830 1831regen_max_retry - INTEGER 1832 Number of attempts before give up attempting to generate 1833 valid temporary addresses. 1834 Default: 5 1835 1836max_addresses - INTEGER 1837 Maximum number of autoconfigured addresses per interface. Setting 1838 to zero disables the limitation. It is not recommended to set this 1839 value too large (or to zero) because it would be an easy way to 1840 crash the kernel by allowing too many addresses to be created. 1841 Default: 16 1842 1843disable_ipv6 - BOOLEAN 1844 Disable IPv6 operation. If accept_dad is set to 2, this value 1845 will be dynamically set to TRUE if DAD fails for the link-local 1846 address. 1847 Default: FALSE (enable IPv6 operation) 1848 1849 When this value is changed from 1 to 0 (IPv6 is being enabled), 1850 it will dynamically create a link-local address on the given 1851 interface and start Duplicate Address Detection, if necessary. 1852 1853 When this value is changed from 0 to 1 (IPv6 is being disabled), 1854 it will dynamically delete all addresses and routes on the given 1855 interface. From now on it will not possible to add addresses/routes 1856 to the selected interface. 1857 1858accept_dad - INTEGER 1859 Whether to accept DAD (Duplicate Address Detection). 1860 0: Disable DAD 1861 1: Enable DAD (default) 1862 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate 1863 link-local address has been found. 1864 1865 DAD operation and mode on a given interface will be selected according 1866 to the maximum value of conf/{all,interface}/accept_dad. 1867 1868force_tllao - BOOLEAN 1869 Enable sending the target link-layer address option even when 1870 responding to a unicast neighbor solicitation. 1871 Default: FALSE 1872 1873 Quoting from RFC 2461, section 4.4, Target link-layer address: 1874 1875 "The option MUST be included for multicast solicitations in order to 1876 avoid infinite Neighbor Solicitation "recursion" when the peer node 1877 does not have a cache entry to return a Neighbor Advertisements 1878 message. When responding to unicast solicitations, the option can be 1879 omitted since the sender of the solicitation has the correct link- 1880 layer address; otherwise it would not have be able to send the unicast 1881 solicitation in the first place. However, including the link-layer 1882 address in this case adds little overhead and eliminates a potential 1883 race condition where the sender deletes the cached link-layer address 1884 prior to receiving a response to a previous solicitation." 1885 1886ndisc_notify - BOOLEAN 1887 Define mode for notification of address and device changes. 1888 0 - (default): do nothing 1889 1 - Generate unsolicited neighbour advertisements when device is brought 1890 up or hardware address changes. 1891 1892ndisc_tclass - INTEGER 1893 The IPv6 Traffic Class to use by default when sending IPv6 Neighbor 1894 Discovery (Router Solicitation, Router Advertisement, Neighbor 1895 Solicitation, Neighbor Advertisement, Redirect) messages. 1896 These 8 bits can be interpreted as 6 high order bits holding the DSCP 1897 value and 2 low order bits representing ECN (which you probably want 1898 to leave cleared). 1899 0 - (default) 1900 1901mldv1_unsolicited_report_interval - INTEGER 1902 The interval in milliseconds in which the next unsolicited 1903 MLDv1 report retransmit will take place. 1904 Default: 10000 (10 seconds) 1905 1906mldv2_unsolicited_report_interval - INTEGER 1907 The interval in milliseconds in which the next unsolicited 1908 MLDv2 report retransmit will take place. 1909 Default: 1000 (1 second) 1910 1911force_mld_version - INTEGER 1912 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed 1913 1 - Enforce to use MLD version 1 1914 2 - Enforce to use MLD version 2 1915 1916suppress_frag_ndisc - INTEGER 1917 Control RFC 6980 (Security Implications of IPv6 Fragmentation 1918 with IPv6 Neighbor Discovery) behavior: 1919 1 - (default) discard fragmented neighbor discovery packets 1920 0 - allow fragmented neighbor discovery packets 1921 1922optimistic_dad - BOOLEAN 1923 Whether to perform Optimistic Duplicate Address Detection (RFC 4429). 1924 0: disabled (default) 1925 1: enabled 1926 1927 Optimistic Duplicate Address Detection for the interface will be enabled 1928 if at least one of conf/{all,interface}/optimistic_dad is set to 1, 1929 it will be disabled otherwise. 1930 1931use_optimistic - BOOLEAN 1932 If enabled, do not classify optimistic addresses as deprecated during 1933 source address selection. Preferred addresses will still be chosen 1934 before optimistic addresses, subject to other ranking in the source 1935 address selection algorithm. 1936 0: disabled (default) 1937 1: enabled 1938 1939 This will be enabled if at least one of 1940 conf/{all,interface}/use_optimistic is set to 1, disabled otherwise. 1941 1942stable_secret - IPv6 address 1943 This IPv6 address will be used as a secret to generate IPv6 1944 addresses for link-local addresses and autoconfigured 1945 ones. All addresses generated after setting this secret will 1946 be stable privacy ones by default. This can be changed via the 1947 addrgenmode ip-link. conf/default/stable_secret is used as the 1948 secret for the namespace, the interface specific ones can 1949 overwrite that. Writes to conf/all/stable_secret are refused. 1950 1951 It is recommended to generate this secret during installation 1952 of a system and keep it stable after that. 1953 1954 By default the stable secret is unset. 1955 1956addr_gen_mode - INTEGER 1957 Defines how link-local and autoconf addresses are generated. 1958 1959 0: generate address based on EUI64 (default) 1960 1: do no generate a link-local address, use EUI64 for addresses generated 1961 from autoconf 1962 2: generate stable privacy addresses, using the secret from 1963 stable_secret (RFC7217) 1964 3: generate stable privacy addresses, using a random secret if unset 1965 1966drop_unicast_in_l2_multicast - BOOLEAN 1967 Drop any unicast IPv6 packets that are received in link-layer 1968 multicast (or broadcast) frames. 1969 1970 By default this is turned off. 1971 1972drop_unsolicited_na - BOOLEAN 1973 Drop all unsolicited neighbor advertisements, for example if there's 1974 a known good NA proxy on the network and such frames need not be used 1975 (or in the case of 802.11, must not be used to prevent attacks.) 1976 1977 By default this is turned off. 1978 1979enhanced_dad - BOOLEAN 1980 Include a nonce option in the IPv6 neighbor solicitation messages used for 1981 duplicate address detection per RFC7527. A received DAD NS will only signal 1982 a duplicate address if the nonce is different. This avoids any false 1983 detection of duplicates due to loopback of the NS messages that we send. 1984 The nonce option will be sent on an interface unless both of 1985 conf/{all,interface}/enhanced_dad are set to FALSE. 1986 Default: TRUE 1987 1988icmp/*: 1989ratelimit - INTEGER 1990 Limit the maximal rates for sending ICMPv6 messages. 1991 0 to disable any limiting, 1992 otherwise the minimal space between responses in milliseconds. 1993 Default: 1000 1994 1995ratemask - list of comma separated ranges 1996 For ICMPv6 message types matching the ranges in the ratemask, limit 1997 the sending of the message according to ratelimit parameter. 1998 1999 The format used for both input and output is a comma separated 2000 list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and 2001 129). Writing to the file will clear all previous ranges of ICMPv6 2002 message types and update the current list with the input. 2003 2004 Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml 2005 for numerical values of ICMPv6 message types, e.g. echo request is 128 2006 and echo reply is 129. 2007 2008 Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big) 2009 2010echo_ignore_all - BOOLEAN 2011 If set non-zero, then the kernel will ignore all ICMP ECHO 2012 requests sent to it over the IPv6 protocol. 2013 Default: 0 2014 2015echo_ignore_multicast - BOOLEAN 2016 If set non-zero, then the kernel will ignore all ICMP ECHO 2017 requests sent to it over the IPv6 protocol via multicast. 2018 Default: 0 2019 2020echo_ignore_anycast - BOOLEAN 2021 If set non-zero, then the kernel will ignore all ICMP ECHO 2022 requests sent to it over the IPv6 protocol destined to anycast address. 2023 Default: 0 2024 2025xfrm6_gc_thresh - INTEGER 2026 (Obsolete since linux-4.14) 2027 The threshold at which we will start garbage collecting for IPv6 2028 destination cache entries. At twice this value the system will 2029 refuse new allocations. 2030 2031 2032IPv6 Update by: 2033Pekka Savola <pekkas@netcore.fi> 2034YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> 2035 2036 2037/proc/sys/net/bridge/* Variables: 2038 2039bridge-nf-call-arptables - BOOLEAN 2040 1 : pass bridged ARP traffic to arptables' FORWARD chain. 2041 0 : disable this. 2042 Default: 1 2043 2044bridge-nf-call-iptables - BOOLEAN 2045 1 : pass bridged IPv4 traffic to iptables' chains. 2046 0 : disable this. 2047 Default: 1 2048 2049bridge-nf-call-ip6tables - BOOLEAN 2050 1 : pass bridged IPv6 traffic to ip6tables' chains. 2051 0 : disable this. 2052 Default: 1 2053 2054bridge-nf-filter-vlan-tagged - BOOLEAN 2055 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. 2056 0 : disable this. 2057 Default: 0 2058 2059bridge-nf-filter-pppoe-tagged - BOOLEAN 2060 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. 2061 0 : disable this. 2062 Default: 0 2063 2064bridge-nf-pass-vlan-input-dev - BOOLEAN 2065 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan 2066 interface on the bridge and set the netfilter input device to the vlan. 2067 This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT 2068 target work with vlan-on-top-of-bridge interfaces. When no matching 2069 vlan interface is found, or this switch is off, the input device is 2070 set to the bridge interface. 2071 0: disable bridge netfilter vlan interface lookup. 2072 Default: 0 2073 2074proc/sys/net/sctp/* Variables: 2075 2076addip_enable - BOOLEAN 2077 Enable or disable extension of Dynamic Address Reconfiguration 2078 (ADD-IP) functionality specified in RFC5061. This extension provides 2079 the ability to dynamically add and remove new addresses for the SCTP 2080 associations. 2081 2082 1: Enable extension. 2083 2084 0: Disable extension. 2085 2086 Default: 0 2087 2088pf_enable - INTEGER 2089 Enable or disable pf (pf is short for potentially failed) state. A value 2090 of pf_retrans > path_max_retrans also disables pf state. That is, one of 2091 both pf_enable and pf_retrans > path_max_retrans can disable pf state. 2092 Since pf_retrans and path_max_retrans can be changed by userspace 2093 application, sometimes user expects to disable pf state by the value of 2094 pf_retrans > path_max_retrans, but occasionally the value of pf_retrans 2095 or path_max_retrans is changed by the user application, this pf state is 2096 enabled. As such, it is necessary to add this to dynamically enable 2097 and disable pf state. See: 2098 https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for 2099 details. 2100 2101 1: Enable pf. 2102 2103 0: Disable pf. 2104 2105 Default: 1 2106 2107addip_noauth_enable - BOOLEAN 2108 Dynamic Address Reconfiguration (ADD-IP) requires the use of 2109 authentication to protect the operations of adding or removing new 2110 addresses. This requirement is mandated so that unauthorized hosts 2111 would not be able to hijack associations. However, older 2112 implementations may not have implemented this requirement while 2113 allowing the ADD-IP extension. For reasons of interoperability, 2114 we provide this variable to control the enforcement of the 2115 authentication requirement. 2116 2117 1: Allow ADD-IP extension to be used without authentication. This 2118 should only be set in a closed environment for interoperability 2119 with older implementations. 2120 2121 0: Enforce the authentication requirement 2122 2123 Default: 0 2124 2125auth_enable - BOOLEAN 2126 Enable or disable Authenticated Chunks extension. This extension 2127 provides the ability to send and receive authenticated chunks and is 2128 required for secure operation of Dynamic Address Reconfiguration 2129 (ADD-IP) extension. 2130 2131 1: Enable this extension. 2132 0: Disable this extension. 2133 2134 Default: 0 2135 2136prsctp_enable - BOOLEAN 2137 Enable or disable the Partial Reliability extension (RFC3758) which 2138 is used to notify peers that a given DATA should no longer be expected. 2139 2140 1: Enable extension 2141 0: Disable 2142 2143 Default: 1 2144 2145max_burst - INTEGER 2146 The limit of the number of new packets that can be initially sent. It 2147 controls how bursty the generated traffic can be. 2148 2149 Default: 4 2150 2151association_max_retrans - INTEGER 2152 Set the maximum number for retransmissions that an association can 2153 attempt deciding that the remote end is unreachable. If this value 2154 is exceeded, the association is terminated. 2155 2156 Default: 10 2157 2158max_init_retransmits - INTEGER 2159 The maximum number of retransmissions of INIT and COOKIE-ECHO chunks 2160 that an association will attempt before declaring the destination 2161 unreachable and terminating. 2162 2163 Default: 8 2164 2165path_max_retrans - INTEGER 2166 The maximum number of retransmissions that will be attempted on a given 2167 path. Once this threshold is exceeded, the path is considered 2168 unreachable, and new traffic will use a different path when the 2169 association is multihomed. 2170 2171 Default: 5 2172 2173pf_retrans - INTEGER 2174 The number of retransmissions that will be attempted on a given path 2175 before traffic is redirected to an alternate transport (should one 2176 exist). Note this is distinct from path_max_retrans, as a path that 2177 passes the pf_retrans threshold can still be used. Its only 2178 deprioritized when a transmission path is selected by the stack. This 2179 setting is primarily used to enable fast failover mechanisms without 2180 having to reduce path_max_retrans to a very low value. See: 2181 http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt 2182 for details. Note also that a value of pf_retrans > path_max_retrans 2183 disables this feature. Since both pf_retrans and path_max_retrans can 2184 be changed by userspace application, a variable pf_enable is used to 2185 disable pf state. 2186 2187 Default: 0 2188 2189rto_initial - INTEGER 2190 The initial round trip timeout value in milliseconds that will be used 2191 in calculating round trip times. This is the initial time interval 2192 for retransmissions. 2193 2194 Default: 3000 2195 2196rto_max - INTEGER 2197 The maximum value (in milliseconds) of the round trip timeout. This 2198 is the largest time interval that can elapse between retransmissions. 2199 2200 Default: 60000 2201 2202rto_min - INTEGER 2203 The minimum value (in milliseconds) of the round trip timeout. This 2204 is the smallest time interval the can elapse between retransmissions. 2205 2206 Default: 1000 2207 2208hb_interval - INTEGER 2209 The interval (in milliseconds) between HEARTBEAT chunks. These chunks 2210 are sent at the specified interval on idle paths to probe the state of 2211 a given path between 2 associations. 2212 2213 Default: 30000 2214 2215sack_timeout - INTEGER 2216 The amount of time (in milliseconds) that the implementation will wait 2217 to send a SACK. 2218 2219 Default: 200 2220 2221valid_cookie_life - INTEGER 2222 The default lifetime of the SCTP cookie (in milliseconds). The cookie 2223 is used during association establishment. 2224 2225 Default: 60000 2226 2227cookie_preserve_enable - BOOLEAN 2228 Enable or disable the ability to extend the lifetime of the SCTP cookie 2229 that is used during the establishment phase of SCTP association 2230 2231 1: Enable cookie lifetime extension. 2232 0: Disable 2233 2234 Default: 1 2235 2236cookie_hmac_alg - STRING 2237 Select the hmac algorithm used when generating the cookie value sent by 2238 a listening sctp socket to a connecting client in the INIT-ACK chunk. 2239 Valid values are: 2240 * md5 2241 * sha1 2242 * none 2243 Ability to assign md5 or sha1 as the selected alg is predicated on the 2244 configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and 2245 CONFIG_CRYPTO_SHA1). 2246 2247 Default: Dependent on configuration. MD5 if available, else SHA1 if 2248 available, else none. 2249 2250rcvbuf_policy - INTEGER 2251 Determines if the receive buffer is attributed to the socket or to 2252 association. SCTP supports the capability to create multiple 2253 associations on a single socket. When using this capability, it is 2254 possible that a single stalled association that's buffering a lot 2255 of data may block other associations from delivering their data by 2256 consuming all of the receive buffer space. To work around this, 2257 the rcvbuf_policy could be set to attribute the receiver buffer space 2258 to each association instead of the socket. This prevents the described 2259 blocking. 2260 2261 1: rcvbuf space is per association 2262 0: rcvbuf space is per socket 2263 2264 Default: 0 2265 2266sndbuf_policy - INTEGER 2267 Similar to rcvbuf_policy above, this applies to send buffer space. 2268 2269 1: Send buffer is tracked per association 2270 0: Send buffer is tracked per socket. 2271 2272 Default: 0 2273 2274sctp_mem - vector of 3 INTEGERs: min, pressure, max 2275 Number of pages allowed for queueing by all SCTP sockets. 2276 2277 min: Below this number of pages SCTP is not bothered about its 2278 memory appetite. When amount of memory allocated by SCTP exceeds 2279 this number, SCTP starts to moderate memory usage. 2280 2281 pressure: This value was introduced to follow format of tcp_mem. 2282 2283 max: Number of pages allowed for queueing by all SCTP sockets. 2284 2285 Default is calculated at boot time from amount of available memory. 2286 2287sctp_rmem - vector of 3 INTEGERs: min, default, max 2288 Only the first value ("min") is used, "default" and "max" are 2289 ignored. 2290 2291 min: Minimal size of receive buffer used by SCTP socket. 2292 It is guaranteed to each SCTP socket (but not association) even 2293 under moderate memory pressure. 2294 2295 Default: 4K 2296 2297sctp_wmem - vector of 3 INTEGERs: min, default, max 2298 Currently this tunable has no effect. 2299 2300addr_scope_policy - INTEGER 2301 Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 2302 2303 0 - Disable IPv4 address scoping 2304 1 - Enable IPv4 address scoping 2305 2 - Follow draft but allow IPv4 private addresses 2306 3 - Follow draft but allow IPv4 link local addresses 2307 2308 Default: 1 2309 2310 2311/proc/sys/net/core/* 2312 Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries. 2313 2314 2315/proc/sys/net/unix/* 2316max_dgram_qlen - INTEGER 2317 The maximum length of dgram socket receive queue 2318 2319 Default: 10 2320 2321