1.. SPDX-License-Identifier: GPL-2.0 2 3========= 4IP Sysctl 5========= 6 7/proc/sys/net/ipv4/* Variables 8============================== 9 10ip_forward - BOOLEAN 11 - 0 - disabled (default) 12 - not 0 - enabled 13 14 Forward Packets between interfaces. 15 16 This variable is special, its change resets all configuration 17 parameters to their default state (RFC1122 for hosts, RFC1812 18 for routers) 19 20ip_default_ttl - INTEGER 21 Default value of TTL field (Time To Live) for outgoing (but not 22 forwarded) IP packets. Should be between 1 and 255 inclusive. 23 Default: 64 (as recommended by RFC1700) 24 25ip_no_pmtu_disc - INTEGER 26 Disable Path MTU Discovery. If enabled in mode 1 and a 27 fragmentation-required ICMP is received, the PMTU to this 28 destination will be set to min_pmtu (see below). You will need 29 to raise min_pmtu to the smallest interface MTU on your system 30 manually if you want to avoid locally generated fragments. 31 32 In mode 2 incoming Path MTU Discovery messages will be 33 discarded. Outgoing frames are handled the same as in mode 1, 34 implicitly setting IP_PMTUDISC_DONT on every created socket. 35 36 Mode 3 is a hardened pmtu discover mode. The kernel will only 37 accept fragmentation-needed errors if the underlying protocol 38 can verify them besides a plain socket lookup. Current 39 protocols for which pmtu events will be honored are TCP, SCTP 40 and DCCP as they verify e.g. the sequence number or the 41 association. This mode should not be enabled globally but is 42 only intended to secure e.g. name servers in namespaces where 43 TCP path mtu must still work but path MTU information of other 44 protocols should be discarded. If enabled globally this mode 45 could break other protocols. 46 47 Possible values: 0-3 48 49 Default: FALSE 50 51min_pmtu - INTEGER 52 default 552 - minimum discovered Path MTU 53 54ip_forward_use_pmtu - BOOLEAN 55 By default we don't trust protocol path MTUs while forwarding 56 because they could be easily forged and can lead to unwanted 57 fragmentation by the router. 58 You only need to enable this if you have user-space software 59 which tries to discover path mtus by itself and depends on the 60 kernel honoring this information. This is normally not the 61 case. 62 63 Default: 0 (disabled) 64 65 Possible values: 66 67 - 0 - disabled 68 - 1 - enabled 69 70fwmark_reflect - BOOLEAN 71 Controls the fwmark of kernel-generated IPv4 reply packets that are not 72 associated with a socket for example, TCP RSTs or ICMP echo replies). 73 If unset, these packets have a fwmark of zero. If set, they have the 74 fwmark of the packet they are replying to. 75 76 Default: 0 77 78fib_multipath_use_neigh - BOOLEAN 79 Use status of existing neighbor entry when determining nexthop for 80 multipath routes. If disabled, neighbor information is not used and 81 packets could be directed to a failed nexthop. Only valid for kernels 82 built with CONFIG_IP_ROUTE_MULTIPATH enabled. 83 84 Default: 0 (disabled) 85 86 Possible values: 87 88 - 0 - disabled 89 - 1 - enabled 90 91fib_multipath_hash_policy - INTEGER 92 Controls which hash policy to use for multipath routes. Only valid 93 for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. 94 95 Default: 0 (Layer 3) 96 97 Possible values: 98 99 - 0 - Layer 3 100 - 1 - Layer 4 101 - 2 - Layer 3 or inner Layer 3 if present 102 103fib_sync_mem - UNSIGNED INTEGER 104 Amount of dirty memory from fib entries that can be backlogged before 105 synchronize_rcu is forced. 106 107 Default: 512kB Minimum: 64kB Maximum: 64MB 108 109ip_forward_update_priority - INTEGER 110 Whether to update SKB priority from "TOS" field in IPv4 header after it 111 is forwarded. The new SKB priority is mapped from TOS field value 112 according to an rt_tos2priority table (see e.g. man tc-prio). 113 114 Default: 1 (Update priority.) 115 116 Possible values: 117 118 - 0 - Do not update priority. 119 - 1 - Update priority. 120 121route/max_size - INTEGER 122 Maximum number of routes allowed in the kernel. Increase 123 this when using large numbers of interfaces and/or routes. 124 125 From linux kernel 3.6 onwards, this is deprecated for ipv4 126 as route cache is no longer used. 127 128neigh/default/gc_thresh1 - INTEGER 129 Minimum number of entries to keep. Garbage collector will not 130 purge entries if there are fewer than this number. 131 132 Default: 128 133 134neigh/default/gc_thresh2 - INTEGER 135 Threshold when garbage collector becomes more aggressive about 136 purging entries. Entries older than 5 seconds will be cleared 137 when over this number. 138 139 Default: 512 140 141neigh/default/gc_thresh3 - INTEGER 142 Maximum number of non-PERMANENT neighbor entries allowed. Increase 143 this when using large numbers of interfaces and when communicating 144 with large numbers of directly-connected peers. 145 146 Default: 1024 147 148neigh/default/unres_qlen_bytes - INTEGER 149 The maximum number of bytes which may be used by packets 150 queued for each unresolved address by other network layers. 151 (added in linux 3.3) 152 153 Setting negative value is meaningless and will return error. 154 155 Default: SK_WMEM_MAX, (same as net.core.wmem_default). 156 157 Exact value depends on architecture and kernel options, 158 but should be enough to allow queuing 256 packets 159 of medium size. 160 161neigh/default/unres_qlen - INTEGER 162 The maximum number of packets which may be queued for each 163 unresolved address by other network layers. 164 165 (deprecated in linux 3.3) : use unres_qlen_bytes instead. 166 167 Prior to linux 3.3, the default value is 3 which may cause 168 unexpected packet loss. The current default value is calculated 169 according to default value of unres_qlen_bytes and true size of 170 packet. 171 172 Default: 101 173 174mtu_expires - INTEGER 175 Time, in seconds, that cached PMTU information is kept. 176 177min_adv_mss - INTEGER 178 The advertised MSS depends on the first hop route MTU, but will 179 never be lower than this setting. 180 181IP Fragmentation: 182 183ipfrag_high_thresh - LONG INTEGER 184 Maximum memory used to reassemble IP fragments. 185 186ipfrag_low_thresh - LONG INTEGER 187 (Obsolete since linux-4.17) 188 Maximum memory used to reassemble IP fragments before the kernel 189 begins to remove incomplete fragment queues to free up resources. 190 The kernel still accepts new fragments for defragmentation. 191 192ipfrag_time - INTEGER 193 Time in seconds to keep an IP fragment in memory. 194 195ipfrag_max_dist - INTEGER 196 ipfrag_max_dist is a non-negative integer value which defines the 197 maximum "disorder" which is allowed among fragments which share a 198 common IP source address. Note that reordering of packets is 199 not unusual, but if a large number of fragments arrive from a source 200 IP address while a particular fragment queue remains incomplete, it 201 probably indicates that one or more fragments belonging to that queue 202 have been lost. When ipfrag_max_dist is positive, an additional check 203 is done on fragments before they are added to a reassembly queue - if 204 ipfrag_max_dist (or more) fragments have arrived from a particular IP 205 address between additions to any IP fragment queue using that source 206 address, it's presumed that one or more fragments in the queue are 207 lost. The existing fragment queue will be dropped, and a new one 208 started. An ipfrag_max_dist value of zero disables this check. 209 210 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can 211 result in unnecessarily dropping fragment queues when normal 212 reordering of packets occurs, which could lead to poor application 213 performance. Using a very large value, e.g. 50000, increases the 214 likelihood of incorrectly reassembling IP fragments that originate 215 from different IP datagrams, which could result in data corruption. 216 Default: 64 217 218INET peer storage 219================= 220 221inet_peer_threshold - INTEGER 222 The approximate size of the storage. Starting from this threshold 223 entries will be thrown aggressively. This threshold also determines 224 entries' time-to-live and time intervals between garbage collection 225 passes. More entries, less time-to-live, less GC interval. 226 227inet_peer_minttl - INTEGER 228 Minimum time-to-live of entries. Should be enough to cover fragment 229 time-to-live on the reassembling side. This minimum time-to-live is 230 guaranteed if the pool size is less than inet_peer_threshold. 231 Measured in seconds. 232 233inet_peer_maxttl - INTEGER 234 Maximum time-to-live of entries. Unused entries will expire after 235 this period of time if there is no memory pressure on the pool (i.e. 236 when the number of entries in the pool is very small). 237 Measured in seconds. 238 239TCP variables 240============= 241 242somaxconn - INTEGER 243 Limit of socket listen() backlog, known in userspace as SOMAXCONN. 244 Defaults to 4096. (Was 128 before linux-5.4) 245 See also tcp_max_syn_backlog for additional tuning for TCP sockets. 246 247tcp_abort_on_overflow - BOOLEAN 248 If listening service is too slow to accept new connections, 249 reset them. Default state is FALSE. It means that if overflow 250 occurred due to a burst, connection will recover. Enable this 251 option _only_ if you are really sure that listening daemon 252 cannot be tuned to accept connections faster. Enabling this 253 option can harm clients of your server. 254 255tcp_adv_win_scale - INTEGER 256 Count buffering overhead as bytes/2^tcp_adv_win_scale 257 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), 258 if it is <= 0. 259 260 Possible values are [-31, 31], inclusive. 261 262 Default: 1 263 264tcp_allowed_congestion_control - STRING 265 Show/set the congestion control choices available to non-privileged 266 processes. The list is a subset of those listed in 267 tcp_available_congestion_control. 268 269 Default is "reno" and the default setting (tcp_congestion_control). 270 271tcp_app_win - INTEGER 272 Reserve max(window/2^tcp_app_win, mss) of window for application 273 buffer. Value 0 is special, it means that nothing is reserved. 274 275 Default: 31 276 277tcp_autocorking - BOOLEAN 278 Enable TCP auto corking : 279 When applications do consecutive small write()/sendmsg() system calls, 280 we try to coalesce these small writes as much as possible, to lower 281 total amount of sent packets. This is done if at least one prior 282 packet for the flow is waiting in Qdisc queues or device transmit 283 queue. Applications can still use TCP_CORK for optimal behavior 284 when they know how/when to uncork their sockets. 285 286 Default : 1 287 288tcp_available_congestion_control - STRING 289 Shows the available congestion control choices that are registered. 290 More congestion control algorithms may be available as modules, 291 but not loaded. 292 293tcp_base_mss - INTEGER 294 The initial value of search_low to be used by the packetization layer 295 Path MTU discovery (MTU probing). If MTU probing is enabled, 296 this is the initial MSS used by the connection. 297 298tcp_mtu_probe_floor - INTEGER 299 If MTU probing is enabled this caps the minimum MSS used for search_low 300 for the connection. 301 302 Default : 48 303 304tcp_min_snd_mss - INTEGER 305 TCP SYN and SYNACK messages usually advertise an ADVMSS option, 306 as described in RFC 1122 and RFC 6691. 307 308 If this ADVMSS option is smaller than tcp_min_snd_mss, 309 it is silently capped to tcp_min_snd_mss. 310 311 Default : 48 (at least 8 bytes of payload per segment) 312 313tcp_congestion_control - STRING 314 Set the congestion control algorithm to be used for new 315 connections. The algorithm "reno" is always available, but 316 additional choices may be available based on kernel configuration. 317 Default is set as part of kernel configuration. 318 For passive connections, the listener congestion control choice 319 is inherited. 320 321 [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] 322 323tcp_dsack - BOOLEAN 324 Allows TCP to send "duplicate" SACKs. 325 326tcp_early_retrans - INTEGER 327 Tail loss probe (TLP) converts RTOs occurring due to tail 328 losses into fast recovery (draft-ietf-tcpm-rack). Note that 329 TLP requires RACK to function properly (see tcp_recovery below) 330 331 Possible values: 332 333 - 0 disables TLP 334 - 3 or 4 enables TLP 335 336 Default: 3 337 338tcp_ecn - INTEGER 339 Control use of Explicit Congestion Notification (ECN) by TCP. 340 ECN is used only when both ends of the TCP connection indicate 341 support for it. This feature is useful in avoiding losses due 342 to congestion by allowing supporting routers to signal 343 congestion before having to drop packets. 344 345 Possible values are: 346 347 = ===================================================== 348 0 Disable ECN. Neither initiate nor accept ECN. 349 1 Enable ECN when requested by incoming connections and 350 also request ECN on outgoing connection attempts. 351 2 Enable ECN when requested by incoming connections 352 but do not request ECN on outgoing connections. 353 = ===================================================== 354 355 Default: 2 356 357tcp_ecn_fallback - BOOLEAN 358 If the kernel detects that ECN connection misbehaves, enable fall 359 back to non-ECN. Currently, this knob implements the fallback 360 from RFC3168, section 6.1.1.1., but we reserve that in future, 361 additional detection mechanisms could be implemented under this 362 knob. The value is not used, if tcp_ecn or per route (or congestion 363 control) ECN settings are disabled. 364 365 Default: 1 (fallback enabled) 366 367tcp_fack - BOOLEAN 368 This is a legacy option, it has no effect anymore. 369 370tcp_fin_timeout - INTEGER 371 The length of time an orphaned (no longer referenced by any 372 application) connection will remain in the FIN_WAIT_2 state 373 before it is aborted at the local end. While a perfectly 374 valid "receive only" state for an un-orphaned connection, an 375 orphaned connection in FIN_WAIT_2 state could otherwise wait 376 forever for the remote to close its end of the connection. 377 378 Cf. tcp_max_orphans 379 380 Default: 60 seconds 381 382tcp_frto - INTEGER 383 Enables Forward RTO-Recovery (F-RTO) defined in RFC5682. 384 F-RTO is an enhanced recovery algorithm for TCP retransmission 385 timeouts. It is particularly beneficial in networks where the 386 RTT fluctuates (e.g., wireless). F-RTO is sender-side only 387 modification. It does not require any support from the peer. 388 389 By default it's enabled with a non-zero value. 0 disables F-RTO. 390 391tcp_fwmark_accept - BOOLEAN 392 If set, incoming connections to listening sockets that do not have a 393 socket mark will set the mark of the accepting socket to the fwmark of 394 the incoming SYN packet. This will cause all packets on that connection 395 (starting from the first SYNACK) to be sent with that fwmark. The 396 listening socket's mark is unchanged. Listening sockets that already 397 have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are 398 unaffected. 399 400 Default: 0 401 402tcp_invalid_ratelimit - INTEGER 403 Limit the maximal rate for sending duplicate acknowledgments 404 in response to incoming TCP packets that are for an existing 405 connection but that are invalid due to any of these reasons: 406 407 (a) out-of-window sequence number, 408 (b) out-of-window acknowledgment number, or 409 (c) PAWS (Protection Against Wrapped Sequence numbers) check failure 410 411 This can help mitigate simple "ack loop" DoS attacks, wherein 412 a buggy or malicious middlebox or man-in-the-middle can 413 rewrite TCP header fields in manner that causes each endpoint 414 to think that the other is sending invalid TCP segments, thus 415 causing each side to send an unterminating stream of duplicate 416 acknowledgments for invalid segments. 417 418 Using 0 disables rate-limiting of dupacks in response to 419 invalid segments; otherwise this value specifies the minimal 420 space between sending such dupacks, in milliseconds. 421 422 Default: 500 (milliseconds). 423 424tcp_keepalive_time - INTEGER 425 How often TCP sends out keepalive messages when keepalive is enabled. 426 Default: 2hours. 427 428tcp_keepalive_probes - INTEGER 429 How many keepalive probes TCP sends out, until it decides that the 430 connection is broken. Default value: 9. 431 432tcp_keepalive_intvl - INTEGER 433 How frequently the probes are send out. Multiplied by 434 tcp_keepalive_probes it is time to kill not responding connection, 435 after probes started. Default value: 75sec i.e. connection 436 will be aborted after ~11 minutes of retries. 437 438tcp_l3mdev_accept - BOOLEAN 439 Enables child sockets to inherit the L3 master device index. 440 Enabling this option allows a "global" listen socket to work 441 across L3 master domains (e.g., VRFs) with connected sockets 442 derived from the listen socket to be bound to the L3 domain in 443 which the packets originated. Only valid when the kernel was 444 compiled with CONFIG_NET_L3_MASTER_DEV. 445 446 Default: 0 (disabled) 447 448tcp_low_latency - BOOLEAN 449 This is a legacy option, it has no effect anymore. 450 451tcp_max_orphans - INTEGER 452 Maximal number of TCP sockets not attached to any user file handle, 453 held by system. If this number is exceeded orphaned connections are 454 reset immediately and warning is printed. This limit exists 455 only to prevent simple DoS attacks, you _must_ not rely on this 456 or lower the limit artificially, but rather increase it 457 (probably, after increasing installed memory), 458 if network conditions require more than default value, 459 and tune network services to linger and kill such states 460 more aggressively. Let me to remind again: each orphan eats 461 up to ~64K of unswappable memory. 462 463tcp_max_syn_backlog - INTEGER 464 Maximal number of remembered connection requests (SYN_RECV), 465 which have not received an acknowledgment from connecting client. 466 467 This is a per-listener limit. 468 469 The minimal value is 128 for low memory machines, and it will 470 increase in proportion to the memory of machine. 471 472 If server suffers from overload, try increasing this number. 473 474 Remember to also check /proc/sys/net/core/somaxconn 475 A SYN_RECV request socket consumes about 304 bytes of memory. 476 477tcp_max_tw_buckets - INTEGER 478 Maximal number of timewait sockets held by system simultaneously. 479 If this number is exceeded time-wait socket is immediately destroyed 480 and warning is printed. This limit exists only to prevent 481 simple DoS attacks, you _must_ not lower the limit artificially, 482 but rather increase it (probably, after increasing installed memory), 483 if network conditions require more than default value. 484 485tcp_mem - vector of 3 INTEGERs: min, pressure, max 486 min: below this number of pages TCP is not bothered about its 487 memory appetite. 488 489 pressure: when amount of memory allocated by TCP exceeds this number 490 of pages, TCP moderates its memory consumption and enters memory 491 pressure mode, which is exited when memory consumption falls 492 under "min". 493 494 max: number of pages allowed for queueing by all TCP sockets. 495 496 Defaults are calculated at boot time from amount of available 497 memory. 498 499tcp_min_rtt_wlen - INTEGER 500 The window length of the windowed min filter to track the minimum RTT. 501 A shorter window lets a flow more quickly pick up new (higher) 502 minimum RTT when it is moved to a longer path (e.g., due to traffic 503 engineering). A longer window makes the filter more resistant to RTT 504 inflations such as transient congestion. The unit is seconds. 505 506 Possible values: 0 - 86400 (1 day) 507 508 Default: 300 509 510tcp_moderate_rcvbuf - BOOLEAN 511 If set, TCP performs receive buffer auto-tuning, attempting to 512 automatically size the buffer (no greater than tcp_rmem[2]) to 513 match the size required by the path for full throughput. Enabled by 514 default. 515 516tcp_mtu_probing - INTEGER 517 Controls TCP Packetization-Layer Path MTU Discovery. Takes three 518 values: 519 520 - 0 - Disabled 521 - 1 - Disabled by default, enabled when an ICMP black hole detected 522 - 2 - Always enabled, use initial MSS of tcp_base_mss. 523 524tcp_probe_interval - UNSIGNED INTEGER 525 Controls how often to start TCP Packetization-Layer Path MTU 526 Discovery reprobe. The default is reprobing every 10 minutes as 527 per RFC4821. 528 529tcp_probe_threshold - INTEGER 530 Controls when TCP Packetization-Layer Path MTU Discovery probing 531 will stop in respect to the width of search range in bytes. Default 532 is 8 bytes. 533 534tcp_no_metrics_save - BOOLEAN 535 By default, TCP saves various connection metrics in the route cache 536 when the connection closes, so that connections established in the 537 near future can use these to set initial conditions. Usually, this 538 increases overall performance, but may sometimes cause performance 539 degradation. If set, TCP will not cache metrics on closing 540 connections. 541 542tcp_no_ssthresh_metrics_save - BOOLEAN 543 Controls whether TCP saves ssthresh metrics in the route cache. 544 545 Default is 1, which disables ssthresh metrics. 546 547tcp_orphan_retries - INTEGER 548 This value influences the timeout of a locally closed TCP connection, 549 when RTO retransmissions remain unacknowledged. 550 See tcp_retries2 for more details. 551 552 The default value is 8. 553 554 If your machine is a loaded WEB server, 555 you should think about lowering this value, such sockets 556 may consume significant resources. Cf. tcp_max_orphans. 557 558tcp_recovery - INTEGER 559 This value is a bitmap to enable various experimental loss recovery 560 features. 561 562 ========= ============================================================= 563 RACK: 0x1 enables the RACK loss detection for fast detection of lost 564 retransmissions and tail drops. It also subsumes and disables 565 RFC6675 recovery for SACK connections. 566 567 RACK: 0x2 makes RACK's reordering window static (min_rtt/4). 568 569 RACK: 0x4 disables RACK's DUPACK threshold heuristic 570 ========= ============================================================= 571 572 Default: 0x1 573 574tcp_reordering - INTEGER 575 Initial reordering level of packets in a TCP stream. 576 TCP stack can then dynamically adjust flow reordering level 577 between this initial value and tcp_max_reordering 578 579 Default: 3 580 581tcp_max_reordering - INTEGER 582 Maximal reordering level of packets in a TCP stream. 583 300 is a fairly conservative value, but you might increase it 584 if paths are using per packet load balancing (like bonding rr mode) 585 586 Default: 300 587 588tcp_retrans_collapse - BOOLEAN 589 Bug-to-bug compatibility with some broken printers. 590 On retransmit try to send bigger packets to work around bugs in 591 certain TCP stacks. 592 593tcp_retries1 - INTEGER 594 This value influences the time, after which TCP decides, that 595 something is wrong due to unacknowledged RTO retransmissions, 596 and reports this suspicion to the network layer. 597 See tcp_retries2 for more details. 598 599 RFC 1122 recommends at least 3 retransmissions, which is the 600 default. 601 602tcp_retries2 - INTEGER 603 This value influences the timeout of an alive TCP connection, 604 when RTO retransmissions remain unacknowledged. 605 Given a value of N, a hypothetical TCP connection following 606 exponential backoff with an initial RTO of TCP_RTO_MIN would 607 retransmit N times before killing the connection at the (N+1)th RTO. 608 609 The default value of 15 yields a hypothetical timeout of 924.6 610 seconds and is a lower bound for the effective timeout. 611 TCP will effectively time out at the first RTO which exceeds the 612 hypothetical timeout. 613 614 RFC 1122 recommends at least 100 seconds for the timeout, 615 which corresponds to a value of at least 8. 616 617tcp_rfc1337 - BOOLEAN 618 If set, the TCP stack behaves conforming to RFC1337. If unset, 619 we are not conforming to RFC, but prevent TCP TIME_WAIT 620 assassination. 621 622 Default: 0 623 624tcp_rmem - vector of 3 INTEGERs: min, default, max 625 min: Minimal size of receive buffer used by TCP sockets. 626 It is guaranteed to each TCP socket, even under moderate memory 627 pressure. 628 629 Default: 4K 630 631 default: initial size of receive buffer used by TCP sockets. 632 This value overrides net.core.rmem_default used by other protocols. 633 Default: 131072 bytes. 634 This value results in initial window of 65535. 635 636 max: maximal size of receive buffer allowed for automatically 637 selected receiver buffers for TCP socket. This value does not override 638 net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables 639 automatic tuning of that socket's receive buffer size, in which 640 case this value is ignored. 641 Default: between 131072 and 6MB, depending on RAM size. 642 643tcp_sack - BOOLEAN 644 Enable select acknowledgments (SACKS). 645 646tcp_comp_sack_delay_ns - LONG INTEGER 647 TCP tries to reduce number of SACK sent, using a timer 648 based on 5% of SRTT, capped by this sysctl, in nano seconds. 649 The default is 1ms, based on TSO autosizing period. 650 651 Default : 1,000,000 ns (1 ms) 652 653tcp_comp_sack_slack_ns - LONG INTEGER 654 This sysctl control the slack used when arming the 655 timer used by SACK compression. This gives extra time 656 for small RTT flows, and reduces system overhead by allowing 657 opportunistic reduction of timer interrupts. 658 659 Default : 100,000 ns (100 us) 660 661tcp_comp_sack_nr - INTEGER 662 Max number of SACK that can be compressed. 663 Using 0 disables SACK compression. 664 665 Default : 44 666 667tcp_slow_start_after_idle - BOOLEAN 668 If set, provide RFC2861 behavior and time out the congestion 669 window after an idle period. An idle period is defined at 670 the current RTO. If unset, the congestion window will not 671 be timed out after an idle period. 672 673 Default: 1 674 675tcp_stdurg - BOOLEAN 676 Use the Host requirements interpretation of the TCP urgent pointer field. 677 Most hosts use the older BSD interpretation, so if you turn this on 678 Linux might not communicate correctly with them. 679 680 Default: FALSE 681 682tcp_synack_retries - INTEGER 683 Number of times SYNACKs for a passive TCP connection attempt will 684 be retransmitted. Should not be higher than 255. Default value 685 is 5, which corresponds to 31seconds till the last retransmission 686 with the current initial RTO of 1second. With this the final timeout 687 for a passive TCP connection will happen after 63seconds. 688 689tcp_syncookies - INTEGER 690 Only valid when the kernel was compiled with CONFIG_SYN_COOKIES 691 Send out syncookies when the syn backlog queue of a socket 692 overflows. This is to prevent against the common 'SYN flood attack' 693 Default: 1 694 695 Note, that syncookies is fallback facility. 696 It MUST NOT be used to help highly loaded servers to stand 697 against legal connection rate. If you see SYN flood warnings 698 in your logs, but investigation shows that they occur 699 because of overload with legal connections, you should tune 700 another parameters until this warning disappear. 701 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. 702 703 syncookies seriously violate TCP protocol, do not allow 704 to use TCP extensions, can result in serious degradation 705 of some services (f.e. SMTP relaying), visible not by you, 706 but your clients and relays, contacting you. While you see 707 SYN flood warnings in logs not being really flooded, your server 708 is seriously misconfigured. 709 710 If you want to test which effects syncookies have to your 711 network connections you can set this knob to 2 to enable 712 unconditionally generation of syncookies. 713 714tcp_fastopen - INTEGER 715 Enable TCP Fast Open (RFC7413) to send and accept data in the opening 716 SYN packet. 717 718 The client support is enabled by flag 0x1 (on by default). The client 719 then must use sendmsg() or sendto() with the MSG_FASTOPEN flag, 720 rather than connect() to send data in SYN. 721 722 The server support is enabled by flag 0x2 (off by default). Then 723 either enable for all listeners with another flag (0x400) or 724 enable individual listeners via TCP_FASTOPEN socket option with 725 the option value being the length of the syn-data backlog. 726 727 The values (bitmap) are 728 729 ===== ======== ====================================================== 730 0x1 (client) enables sending data in the opening SYN on the client. 731 0x2 (server) enables the server support, i.e., allowing data in 732 a SYN packet to be accepted and passed to the 733 application before 3-way handshake finishes. 734 0x4 (client) send data in the opening SYN regardless of cookie 735 availability and without a cookie option. 736 0x200 (server) accept data-in-SYN w/o any cookie option present. 737 0x400 (server) enable all listeners to support Fast Open by 738 default without explicit TCP_FASTOPEN socket option. 739 ===== ======== ====================================================== 740 741 Default: 0x1 742 743 Note that additional client or server features are only 744 effective if the basic support (0x1 and 0x2) are enabled respectively. 745 746tcp_fastopen_blackhole_timeout_sec - INTEGER 747 Initial time period in second to disable Fastopen on active TCP sockets 748 when a TFO firewall blackhole issue happens. 749 This time period will grow exponentially when more blackhole issues 750 get detected right after Fastopen is re-enabled and will reset to 751 initial value when the blackhole issue goes away. 752 0 to disable the blackhole detection. 753 754 By default, it is set to 0 (feature is disabled). 755 756tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs 757 The list consists of a primary key and an optional backup key. The 758 primary key is used for both creating and validating cookies, while the 759 optional backup key is only used for validating cookies. The purpose of 760 the backup key is to maximize TFO validation when keys are rotated. 761 762 A randomly chosen primary key may be configured by the kernel if 763 the tcp_fastopen sysctl is set to 0x400 (see above), or if the 764 TCP_FASTOPEN setsockopt() optname is set and a key has not been 765 previously configured via sysctl. If keys are configured via 766 setsockopt() by using the TCP_FASTOPEN_KEY optname, then those 767 per-socket keys will be used instead of any keys that are specified via 768 sysctl. 769 770 A key is specified as 4 8-digit hexadecimal integers which are separated 771 by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be 772 omitted. A primary and a backup key may be specified by separating them 773 by a comma. If only one key is specified, it becomes the primary key and 774 any previously configured backup keys are removed. 775 776tcp_syn_retries - INTEGER 777 Number of times initial SYNs for an active TCP connection attempt 778 will be retransmitted. Should not be higher than 127. Default value 779 is 6, which corresponds to 63seconds till the last retransmission 780 with the current initial RTO of 1second. With this the final timeout 781 for an active TCP connection attempt will happen after 127seconds. 782 783tcp_timestamps - INTEGER 784 Enable timestamps as defined in RFC1323. 785 786 - 0: Disabled. 787 - 1: Enable timestamps as defined in RFC1323 and use random offset for 788 each connection rather than only using the current time. 789 - 2: Like 1, but without random offsets. 790 791 Default: 1 792 793tcp_min_tso_segs - INTEGER 794 Minimal number of segments per TSO frame. 795 796 Since linux-3.12, TCP does an automatic sizing of TSO frames, 797 depending on flow rate, instead of filling 64Kbytes packets. 798 For specific usages, it's possible to force TCP to build big 799 TSO frames. Note that TCP stack might split too big TSO packets 800 if available window is too small. 801 802 Default: 2 803 804tcp_pacing_ss_ratio - INTEGER 805 sk->sk_pacing_rate is set by TCP stack using a ratio applied 806 to current rate. (current_rate = cwnd * mss / srtt) 807 If TCP is in slow start, tcp_pacing_ss_ratio is applied 808 to let TCP probe for bigger speeds, assuming cwnd can be 809 doubled every other RTT. 810 811 Default: 200 812 813tcp_pacing_ca_ratio - INTEGER 814 sk->sk_pacing_rate is set by TCP stack using a ratio applied 815 to current rate. (current_rate = cwnd * mss / srtt) 816 If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio 817 is applied to conservatively probe for bigger throughput. 818 819 Default: 120 820 821tcp_tso_win_divisor - INTEGER 822 This allows control over what percentage of the congestion window 823 can be consumed by a single TSO frame. 824 The setting of this parameter is a choice between burstiness and 825 building larger TSO frames. 826 827 Default: 3 828 829tcp_tw_reuse - INTEGER 830 Enable reuse of TIME-WAIT sockets for new connections when it is 831 safe from protocol viewpoint. 832 833 - 0 - disable 834 - 1 - global enable 835 - 2 - enable for loopback traffic only 836 837 It should not be changed without advice/request of technical 838 experts. 839 840 Default: 2 841 842tcp_window_scaling - BOOLEAN 843 Enable window scaling as defined in RFC1323. 844 845tcp_wmem - vector of 3 INTEGERs: min, default, max 846 min: Amount of memory reserved for send buffers for TCP sockets. 847 Each TCP socket has rights to use it due to fact of its birth. 848 849 Default: 4K 850 851 default: initial size of send buffer used by TCP sockets. This 852 value overrides net.core.wmem_default used by other protocols. 853 854 It is usually lower than net.core.wmem_default. 855 856 Default: 16K 857 858 max: Maximal amount of memory allowed for automatically tuned 859 send buffers for TCP sockets. This value does not override 860 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables 861 automatic tuning of that socket's send buffer size, in which case 862 this value is ignored. 863 864 Default: between 64K and 4MB, depending on RAM size. 865 866tcp_notsent_lowat - UNSIGNED INTEGER 867 A TCP socket can control the amount of unsent bytes in its write queue, 868 thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll() 869 reports POLLOUT events if the amount of unsent bytes is below a per 870 socket value, and if the write queue is not full. sendmsg() will 871 also not add new buffers if the limit is hit. 872 873 This global variable controls the amount of unsent data for 874 sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change 875 to the global variable has immediate effect. 876 877 Default: UINT_MAX (0xFFFFFFFF) 878 879tcp_workaround_signed_windows - BOOLEAN 880 If set, assume no receipt of a window scaling option means the 881 remote TCP is broken and treats the window as a signed quantity. 882 If unset, assume the remote TCP is not broken even if we do 883 not receive a window scaling option from them. 884 885 Default: 0 886 887tcp_thin_linear_timeouts - BOOLEAN 888 Enable dynamic triggering of linear timeouts for thin streams. 889 If set, a check is performed upon retransmission by timeout to 890 determine if the stream is thin (less than 4 packets in flight). 891 As long as the stream is found to be thin, up to 6 linear 892 timeouts may be performed before exponential backoff mode is 893 initiated. This improves retransmission latency for 894 non-aggressive thin streams, often found to be time-dependent. 895 For more information on thin streams, see 896 Documentation/networking/tcp-thin.rst 897 898 Default: 0 899 900tcp_limit_output_bytes - INTEGER 901 Controls TCP Small Queue limit per tcp socket. 902 TCP bulk sender tends to increase packets in flight until it 903 gets losses notifications. With SNDBUF autotuning, this can 904 result in a large amount of packets queued on the local machine 905 (e.g.: qdiscs, CPU backlog, or device) hurting latency of other 906 flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes 907 limits the number of bytes on qdisc or device to reduce artificial 908 RTT/cwnd and reduce bufferbloat. 909 910 Default: 1048576 (16 * 65536) 911 912tcp_challenge_ack_limit - INTEGER 913 Limits number of Challenge ACK sent per second, as recommended 914 in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) 915 Default: 1000 916 917tcp_rx_skb_cache - BOOLEAN 918 Controls a per TCP socket cache of one skb, that might help 919 performance of some workloads. This might be dangerous 920 on systems with a lot of TCP sockets, since it increases 921 memory usage. 922 923 Default: 0 (disabled) 924 925UDP variables 926============= 927 928udp_l3mdev_accept - BOOLEAN 929 Enabling this option allows a "global" bound socket to work 930 across L3 master domains (e.g., VRFs) with packets capable of 931 being received regardless of the L3 domain in which they 932 originated. Only valid when the kernel was compiled with 933 CONFIG_NET_L3_MASTER_DEV. 934 935 Default: 0 (disabled) 936 937udp_mem - vector of 3 INTEGERs: min, pressure, max 938 Number of pages allowed for queueing by all UDP sockets. 939 940 min: Below this number of pages UDP is not bothered about its 941 memory appetite. When amount of memory allocated by UDP exceeds 942 this number, UDP starts to moderate memory usage. 943 944 pressure: This value was introduced to follow format of tcp_mem. 945 946 max: Number of pages allowed for queueing by all UDP sockets. 947 948 Default is calculated at boot time from amount of available memory. 949 950udp_rmem_min - INTEGER 951 Minimal size of receive buffer used by UDP sockets in moderation. 952 Each UDP socket is able to use the size for receiving data, even if 953 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 954 955 Default: 4K 956 957udp_wmem_min - INTEGER 958 Minimal size of send buffer used by UDP sockets in moderation. 959 Each UDP socket is able to use the size for sending data, even if 960 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 961 962 Default: 4K 963 964RAW variables 965============= 966 967raw_l3mdev_accept - BOOLEAN 968 Enabling this option allows a "global" bound socket to work 969 across L3 master domains (e.g., VRFs) with packets capable of 970 being received regardless of the L3 domain in which they 971 originated. Only valid when the kernel was compiled with 972 CONFIG_NET_L3_MASTER_DEV. 973 974 Default: 1 (enabled) 975 976CIPSOv4 Variables 977================= 978 979cipso_cache_enable - BOOLEAN 980 If set, enable additions to and lookups from the CIPSO label mapping 981 cache. If unset, additions are ignored and lookups always result in a 982 miss. However, regardless of the setting the cache is still 983 invalidated when required when means you can safely toggle this on and 984 off and the cache will always be "safe". 985 986 Default: 1 987 988cipso_cache_bucket_size - INTEGER 989 The CIPSO label cache consists of a fixed size hash table with each 990 hash bucket containing a number of cache entries. This variable limits 991 the number of entries in each hash bucket; the larger the value is, the 992 more CIPSO label mappings that can be cached. When the number of 993 entries in a given hash bucket reaches this limit adding new entries 994 causes the oldest entry in the bucket to be removed to make room. 995 996 Default: 10 997 998cipso_rbm_optfmt - BOOLEAN 999 Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of 1000 the CIPSO draft specification (see Documentation/netlabel for details). 1001 This means that when set the CIPSO tag will be padded with empty 1002 categories in order to make the packet data 32-bit aligned. 1003 1004 Default: 0 1005 1006cipso_rbm_structvalid - BOOLEAN 1007 If set, do a very strict check of the CIPSO option when 1008 ip_options_compile() is called. If unset, relax the checks done during 1009 ip_options_compile(). Either way is "safe" as errors are caught else 1010 where in the CIPSO processing code but setting this to 0 (False) should 1011 result in less work (i.e. it should be faster) but could cause problems 1012 with other implementations that require strict checking. 1013 1014 Default: 0 1015 1016IP Variables 1017============ 1018 1019ip_local_port_range - 2 INTEGERS 1020 Defines the local port range that is used by TCP and UDP to 1021 choose the local port. The first number is the first, the 1022 second the last local port number. 1023 If possible, it is better these numbers have different parity 1024 (one even and one odd value). 1025 Must be greater than or equal to ip_unprivileged_port_start. 1026 The default values are 32768 and 60999 respectively. 1027 1028ip_local_reserved_ports - list of comma separated ranges 1029 Specify the ports which are reserved for known third-party 1030 applications. These ports will not be used by automatic port 1031 assignments (e.g. when calling connect() or bind() with port 1032 number 0). Explicit port allocation behavior is unchanged. 1033 1034 The format used for both input and output is a comma separated 1035 list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and 1036 10). Writing to the file will clear all previously reserved 1037 ports and update the current list with the one given in the 1038 input. 1039 1040 Note that ip_local_port_range and ip_local_reserved_ports 1041 settings are independent and both are considered by the kernel 1042 when determining which ports are available for automatic port 1043 assignments. 1044 1045 You can reserve ports which are not in the current 1046 ip_local_port_range, e.g.:: 1047 1048 $ cat /proc/sys/net/ipv4/ip_local_port_range 1049 32000 60999 1050 $ cat /proc/sys/net/ipv4/ip_local_reserved_ports 1051 8080,9148 1052 1053 although this is redundant. However such a setting is useful 1054 if later the port range is changed to a value that will 1055 include the reserved ports. 1056 1057 Default: Empty 1058 1059ip_local_unbindable_ports - list of comma separated ranges 1060 Specify the ports which are not directly bind()able. 1061 1062 Usually you would use this to block the use of ports which 1063 are invalid due to something outside of the control of the 1064 kernel. For example a port stolen by the nic for serial 1065 console, remote power management or debugging. 1066 1067 There's a relatively high chance you will also want to list 1068 these ports in 'ip_local_reserved_ports' to prevent autobinding. 1069 1070 Default: Empty 1071 1072ip_unprivileged_port_start - INTEGER 1073 This is a per-namespace sysctl. It defines the first 1074 unprivileged port in the network namespace. Privileged ports 1075 require root or CAP_NET_BIND_SERVICE in order to bind to them. 1076 To disable all privileged ports, set this to 0. They must not 1077 overlap with the ip_local_port_range. 1078 1079 Default: 1024 1080 1081ip_nonlocal_bind - BOOLEAN 1082 If set, allows processes to bind() to non-local IP addresses, 1083 which can be quite useful - but may break some applications. 1084 1085 Default: 0 1086 1087ip_autobind_reuse - BOOLEAN 1088 By default, bind() does not select the ports automatically even if 1089 the new socket and all sockets bound to the port have SO_REUSEADDR. 1090 ip_autobind_reuse allows bind() to reuse the port and this is useful 1091 when you use bind()+connect(), but may break some applications. 1092 The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this 1093 option should only be set by experts. 1094 Default: 0 1095 1096ip_dynaddr - INTEGER 1097 If set non-zero, enables support for dynamic addresses. 1098 If set to a non-zero value larger than 1, a kernel log 1099 message will be printed when dynamic address rewriting 1100 occurs. 1101 1102 Default: 0 1103 1104ip_early_demux - BOOLEAN 1105 Optimize input packet processing down to one demux for 1106 certain kinds of local sockets. Currently we only do this 1107 for established TCP and connected UDP sockets. 1108 1109 It may add an additional cost for pure routing workloads that 1110 reduces overall throughput, in such case you should disable it. 1111 1112 Default: 1 1113 1114ping_group_range - 2 INTEGERS 1115 Restrict ICMP_PROTO datagram sockets to users in the group range. 1116 The default is "1 0", meaning, that nobody (not even root) may 1117 create ping sockets. Setting it to "100 100" would grant permissions 1118 to the single group. "0 4294967295" would enable it for the world, "100 1119 4294967295" would enable it for the users, but not daemons. 1120 1121tcp_early_demux - BOOLEAN 1122 Enable early demux for established TCP sockets. 1123 1124 Default: 1 1125 1126udp_early_demux - BOOLEAN 1127 Enable early demux for connected UDP sockets. Disable this if 1128 your system could experience more unconnected load. 1129 1130 Default: 1 1131 1132icmp_echo_ignore_all - BOOLEAN 1133 If set non-zero, then the kernel will ignore all ICMP ECHO 1134 requests sent to it. 1135 1136 Default: 0 1137 1138icmp_echo_ignore_broadcasts - BOOLEAN 1139 If set non-zero, then the kernel will ignore all ICMP ECHO and 1140 TIMESTAMP requests sent to it via broadcast/multicast. 1141 1142 Default: 1 1143 1144icmp_ratelimit - INTEGER 1145 Limit the maximal rates for sending ICMP packets whose type matches 1146 icmp_ratemask (see below) to specific targets. 1147 0 to disable any limiting, 1148 otherwise the minimal space between responses in milliseconds. 1149 Note that another sysctl, icmp_msgs_per_sec limits the number 1150 of ICMP packets sent on all targets. 1151 1152 Default: 1000 1153 1154icmp_msgs_per_sec - INTEGER 1155 Limit maximal number of ICMP packets sent per second from this host. 1156 Only messages whose type matches icmp_ratemask (see below) are 1157 controlled by this limit. For security reasons, the precise count 1158 of messages per second is randomized. 1159 1160 Default: 1000 1161 1162icmp_msgs_burst - INTEGER 1163 icmp_msgs_per_sec controls number of ICMP packets sent per second, 1164 while icmp_msgs_burst controls the burst size of these packets. 1165 For security reasons, the precise burst size is randomized. 1166 1167 Default: 50 1168 1169icmp_ratemask - INTEGER 1170 Mask made of ICMP types for which rates are being limited. 1171 1172 Significant bits: IHGFEDCBA9876543210 1173 1174 Default mask: 0000001100000011000 (6168) 1175 1176 Bit definitions (see include/linux/icmp.h): 1177 1178 = ========================= 1179 0 Echo Reply 1180 3 Destination Unreachable [1]_ 1181 4 Source Quench [1]_ 1182 5 Redirect 1183 8 Echo Request 1184 B Time Exceeded [1]_ 1185 C Parameter Problem [1]_ 1186 D Timestamp Request 1187 E Timestamp Reply 1188 F Info Request 1189 G Info Reply 1190 H Address Mask Request 1191 I Address Mask Reply 1192 = ========================= 1193 1194 .. [1] These are rate limited by default (see default mask above) 1195 1196icmp_ignore_bogus_error_responses - BOOLEAN 1197 Some routers violate RFC1122 by sending bogus responses to broadcast 1198 frames. Such violations are normally logged via a kernel warning. 1199 If this is set to TRUE, the kernel will not give such warnings, which 1200 will avoid log file clutter. 1201 1202 Default: 1 1203 1204icmp_errors_use_inbound_ifaddr - BOOLEAN 1205 1206 If zero, icmp error messages are sent with the primary address of 1207 the exiting interface. 1208 1209 If non-zero, the message will be sent with the primary address of 1210 the interface that received the packet that caused the icmp error. 1211 This is the behaviour network many administrators will expect from 1212 a router. And it can make debugging complicated network layouts 1213 much easier. 1214 1215 Note that if no primary address exists for the interface selected, 1216 then the primary address of the first non-loopback interface that 1217 has one will be used regardless of this setting. 1218 1219 Default: 0 1220 1221igmp_max_memberships - INTEGER 1222 Change the maximum number of multicast groups we can subscribe to. 1223 Default: 20 1224 1225 Theoretical maximum value is bounded by having to send a membership 1226 report in a single datagram (i.e. the report can't span multiple 1227 datagrams, or risk confusing the switch and leaving groups you don't 1228 intend to). 1229 1230 The number of supported groups 'M' is bounded by the number of group 1231 report entries you can fit into a single datagram of 65535 bytes. 1232 1233 M = 65536-sizeof (ip header)/(sizeof(Group record)) 1234 1235 Group records are variable length, with a minimum of 12 bytes. 1236 So net.ipv4.igmp_max_memberships should not be set higher than: 1237 1238 (65536-24) / 12 = 5459 1239 1240 The value 5459 assumes no IP header options, so in practice 1241 this number may be lower. 1242 1243igmp_max_msf - INTEGER 1244 Maximum number of addresses allowed in the source filter list for a 1245 multicast group. 1246 1247 Default: 10 1248 1249igmp_qrv - INTEGER 1250 Controls the IGMP query robustness variable (see RFC2236 8.1). 1251 1252 Default: 2 (as specified by RFC2236 8.1) 1253 1254 Minimum: 1 (as specified by RFC6636 4.5) 1255 1256force_igmp_version - INTEGER 1257 - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback 1258 allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier 1259 Present timer expires. 1260 - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if 1261 receive IGMPv2/v3 query. 1262 - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive 1263 IGMPv1 query message. Will reply report if receive IGMPv3 query. 1264 - 3 - Enforce to use IGMP version 3. The same react with default 0. 1265 1266 .. note:: 1267 1268 this is not the same with force_mld_version because IGMPv3 RFC3376 1269 Security Considerations does not have clear description that we could 1270 ignore other version messages completely as MLDv2 RFC3810. So make 1271 this value as default 0 is recommended. 1272 1273``conf/interface/*`` 1274 changes special settings per interface (where 1275 interface" is the name of your network interface) 1276 1277``conf/all/*`` 1278 is special, changes the settings for all interfaces 1279 1280log_martians - BOOLEAN 1281 Log packets with impossible addresses to kernel log. 1282 log_martians for the interface will be enabled if at least one of 1283 conf/{all,interface}/log_martians is set to TRUE, 1284 it will be disabled otherwise 1285 1286accept_redirects - BOOLEAN 1287 Accept ICMP redirect messages. 1288 accept_redirects for the interface will be enabled if: 1289 1290 - both conf/{all,interface}/accept_redirects are TRUE in the case 1291 forwarding for the interface is enabled 1292 1293 or 1294 1295 - at least one of conf/{all,interface}/accept_redirects is TRUE in the 1296 case forwarding for the interface is disabled 1297 1298 accept_redirects for the interface will be disabled otherwise 1299 1300 default: 1301 1302 - TRUE (host) 1303 - FALSE (router) 1304 1305forwarding - BOOLEAN 1306 Enable IP forwarding on this interface. This controls whether packets 1307 received _on_ this interface can be forwarded. 1308 1309mc_forwarding - BOOLEAN 1310 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE 1311 and a multicast routing daemon is required. 1312 conf/all/mc_forwarding must also be set to TRUE to enable multicast 1313 routing for the interface 1314 1315medium_id - INTEGER 1316 Integer value used to differentiate the devices by the medium they 1317 are attached to. Two devices can have different id values when 1318 the broadcast packets are received only on one of them. 1319 The default value 0 means that the device is the only interface 1320 to its medium, value of -1 means that medium is not known. 1321 1322 Currently, it is used to change the proxy_arp behavior: 1323 the proxy_arp feature is enabled for packets forwarded between 1324 two devices attached to different media. 1325 1326proxy_arp - BOOLEAN 1327 Do proxy arp. 1328 1329 proxy_arp for the interface will be enabled if at least one of 1330 conf/{all,interface}/proxy_arp is set to TRUE, 1331 it will be disabled otherwise 1332 1333proxy_arp_pvlan - BOOLEAN 1334 Private VLAN proxy arp. 1335 1336 Basically allow proxy arp replies back to the same interface 1337 (from which the ARP request/solicitation was received). 1338 1339 This is done to support (ethernet) switch features, like RFC 1340 3069, where the individual ports are NOT allowed to 1341 communicate with each other, but they are allowed to talk to 1342 the upstream router. As described in RFC 3069, it is possible 1343 to allow these hosts to communicate through the upstream 1344 router by proxy_arp'ing. Don't need to be used together with 1345 proxy_arp. 1346 1347 This technology is known by different names: 1348 1349 In RFC 3069 it is called VLAN Aggregation. 1350 Cisco and Allied Telesyn call it Private VLAN. 1351 Hewlett-Packard call it Source-Port filtering or port-isolation. 1352 Ericsson call it MAC-Forced Forwarding (RFC Draft). 1353 1354shared_media - BOOLEAN 1355 Send(router) or accept(host) RFC1620 shared media redirects. 1356 Overrides secure_redirects. 1357 1358 shared_media for the interface will be enabled if at least one of 1359 conf/{all,interface}/shared_media is set to TRUE, 1360 it will be disabled otherwise 1361 1362 default TRUE 1363 1364secure_redirects - BOOLEAN 1365 Accept ICMP redirect messages only to gateways listed in the 1366 interface's current gateway list. Even if disabled, RFC1122 redirect 1367 rules still apply. 1368 1369 Overridden by shared_media. 1370 1371 secure_redirects for the interface will be enabled if at least one of 1372 conf/{all,interface}/secure_redirects is set to TRUE, 1373 it will be disabled otherwise 1374 1375 default TRUE 1376 1377send_redirects - BOOLEAN 1378 Send redirects, if router. 1379 1380 send_redirects for the interface will be enabled if at least one of 1381 conf/{all,interface}/send_redirects is set to TRUE, 1382 it will be disabled otherwise 1383 1384 Default: TRUE 1385 1386bootp_relay - BOOLEAN 1387 Accept packets with source address 0.b.c.d destined 1388 not to this host as local ones. It is supposed, that 1389 BOOTP relay daemon will catch and forward such packets. 1390 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay 1391 for the interface 1392 1393 default FALSE 1394 1395 Not Implemented Yet. 1396 1397accept_source_route - BOOLEAN 1398 Accept packets with SRR option. 1399 conf/all/accept_source_route must also be set to TRUE to accept packets 1400 with SRR option on the interface 1401 1402 default 1403 1404 - TRUE (router) 1405 - FALSE (host) 1406 1407accept_local - BOOLEAN 1408 Accept packets with local source addresses. In combination with 1409 suitable routing, this can be used to direct packets between two 1410 local interfaces over the wire and have them accepted properly. 1411 default FALSE 1412 1413route_localnet - BOOLEAN 1414 Do not consider loopback addresses as martian source or destination 1415 while routing. This enables the use of 127/8 for local routing purposes. 1416 1417 default FALSE 1418 1419rp_filter - INTEGER 1420 - 0 - No source validation. 1421 - 1 - Strict mode as defined in RFC3704 Strict Reverse Path 1422 Each incoming packet is tested against the FIB and if the interface 1423 is not the best reverse path the packet check will fail. 1424 By default failed packets are discarded. 1425 - 2 - Loose mode as defined in RFC3704 Loose Reverse Path 1426 Each incoming packet's source address is also tested against the FIB 1427 and if the source address is not reachable via any interface 1428 the packet check will fail. 1429 1430 Current recommended practice in RFC3704 is to enable strict mode 1431 to prevent IP spoofing from DDos attacks. If using asymmetric routing 1432 or other complicated routing, then loose mode is recommended. 1433 1434 The max value from conf/{all,interface}/rp_filter is used 1435 when doing source validation on the {interface}. 1436 1437 Default value is 0. Note that some distributions enable it 1438 in startup scripts. 1439 1440arp_filter - BOOLEAN 1441 - 1 - Allows you to have multiple network interfaces on the same 1442 subnet, and have the ARPs for each interface be answered 1443 based on whether or not the kernel would route a packet from 1444 the ARP'd IP out that interface (therefore you must use source 1445 based routing for this to work). In other words it allows control 1446 of which cards (usually 1) will respond to an arp request. 1447 1448 - 0 - (default) The kernel can respond to arp requests with addresses 1449 from other interfaces. This may seem wrong but it usually makes 1450 sense, because it increases the chance of successful communication. 1451 IP addresses are owned by the complete host on Linux, not by 1452 particular interfaces. Only for more complex setups like load- 1453 balancing, does this behaviour cause problems. 1454 1455 arp_filter for the interface will be enabled if at least one of 1456 conf/{all,interface}/arp_filter is set to TRUE, 1457 it will be disabled otherwise 1458 1459arp_announce - INTEGER 1460 Define different restriction levels for announcing the local 1461 source IP address from IP packets in ARP requests sent on 1462 interface: 1463 1464 - 0 - (default) Use any local address, configured on any interface 1465 - 1 - Try to avoid local addresses that are not in the target's 1466 subnet for this interface. This mode is useful when target 1467 hosts reachable via this interface require the source IP 1468 address in ARP requests to be part of their logical network 1469 configured on the receiving interface. When we generate the 1470 request we will check all our subnets that include the 1471 target IP and will preserve the source address if it is from 1472 such subnet. If there is no such subnet we select source 1473 address according to the rules for level 2. 1474 - 2 - Always use the best local address for this target. 1475 In this mode we ignore the source address in the IP packet 1476 and try to select local address that we prefer for talks with 1477 the target host. Such local address is selected by looking 1478 for primary IP addresses on all our subnets on the outgoing 1479 interface that include the target IP address. If no suitable 1480 local address is found we select the first local address 1481 we have on the outgoing interface or on all other interfaces, 1482 with the hope we will receive reply for our request and 1483 even sometimes no matter the source IP address we announce. 1484 1485 The max value from conf/{all,interface}/arp_announce is used. 1486 1487 Increasing the restriction level gives more chance for 1488 receiving answer from the resolved target while decreasing 1489 the level announces more valid sender's information. 1490 1491arp_ignore - INTEGER 1492 Define different modes for sending replies in response to 1493 received ARP requests that resolve local target IP addresses: 1494 1495 - 0 - (default): reply for any local target IP address, configured 1496 on any interface 1497 - 1 - reply only if the target IP address is local address 1498 configured on the incoming interface 1499 - 2 - reply only if the target IP address is local address 1500 configured on the incoming interface and both with the 1501 sender's IP address are part from same subnet on this interface 1502 - 3 - do not reply for local addresses configured with scope host, 1503 only resolutions for global and link addresses are replied 1504 - 4-7 - reserved 1505 - 8 - do not reply for all local addresses 1506 1507 The max value from conf/{all,interface}/arp_ignore is used 1508 when ARP request is received on the {interface} 1509 1510arp_notify - BOOLEAN 1511 Define mode for notification of address and device changes. 1512 1513 == ========================================================== 1514 0 (default): do nothing 1515 1 Generate gratuitous arp requests when device is brought up 1516 or hardware address changes. 1517 == ========================================================== 1518 1519arp_accept - BOOLEAN 1520 Define behavior for gratuitous ARP frames who's IP is not 1521 already present in the ARP table: 1522 1523 - 0 - don't create new entries in the ARP table 1524 - 1 - create new entries in the ARP table 1525 1526 Both replies and requests type gratuitous arp will trigger the 1527 ARP table to be updated, if this setting is on. 1528 1529 If the ARP table already contains the IP address of the 1530 gratuitous arp frame, the arp table will be updated regardless 1531 if this setting is on or off. 1532 1533mcast_solicit - INTEGER 1534 The maximum number of multicast probes in INCOMPLETE state, 1535 when the associated hardware address is unknown. Defaults 1536 to 3. 1537 1538ucast_solicit - INTEGER 1539 The maximum number of unicast probes in PROBE state, when 1540 the hardware address is being reconfirmed. Defaults to 3. 1541 1542app_solicit - INTEGER 1543 The maximum number of probes to send to the user space ARP daemon 1544 via netlink before dropping back to multicast probes (see 1545 mcast_resolicit). Defaults to 0. 1546 1547mcast_resolicit - INTEGER 1548 The maximum number of multicast probes after unicast and 1549 app probes in PROBE state. Defaults to 0. 1550 1551disable_policy - BOOLEAN 1552 Disable IPSEC policy (SPD) for this interface 1553 1554disable_xfrm - BOOLEAN 1555 Disable IPSEC encryption on this interface, whatever the policy 1556 1557igmpv2_unsolicited_report_interval - INTEGER 1558 The interval in milliseconds in which the next unsolicited 1559 IGMPv1 or IGMPv2 report retransmit will take place. 1560 1561 Default: 10000 (10 seconds) 1562 1563igmpv3_unsolicited_report_interval - INTEGER 1564 The interval in milliseconds in which the next unsolicited 1565 IGMPv3 report retransmit will take place. 1566 1567 Default: 1000 (1 seconds) 1568 1569promote_secondaries - BOOLEAN 1570 When a primary IP address is removed from this interface 1571 promote a corresponding secondary IP address instead of 1572 removing all the corresponding secondary IP addresses. 1573 1574drop_unicast_in_l2_multicast - BOOLEAN 1575 Drop any unicast IP packets that are received in link-layer 1576 multicast (or broadcast) frames. 1577 1578 This behavior (for multicast) is actually a SHOULD in RFC 1579 1122, but is disabled by default for compatibility reasons. 1580 1581 Default: off (0) 1582 1583drop_gratuitous_arp - BOOLEAN 1584 Drop all gratuitous ARP frames, for example if there's a known 1585 good ARP proxy on the network and such frames need not be used 1586 (or in the case of 802.11, must not be used to prevent attacks.) 1587 1588 Default: off (0) 1589 1590 1591tag - INTEGER 1592 Allows you to write a number, which can be used as required. 1593 1594 Default value is 0. 1595 1596xfrm4_gc_thresh - INTEGER 1597 (Obsolete since linux-4.14) 1598 The threshold at which we will start garbage collecting for IPv4 1599 destination cache entries. At twice this value the system will 1600 refuse new allocations. 1601 1602igmp_link_local_mcast_reports - BOOLEAN 1603 Enable IGMP reports for link local multicast groups in the 1604 224.0.0.X range. 1605 1606 Default TRUE 1607 1608Alexey Kuznetsov. 1609kuznet@ms2.inr.ac.ru 1610 1611Updated by: 1612 1613- Andi Kleen 1614 ak@muc.de 1615- Nicolas Delon 1616 delon.nicolas@wanadoo.fr 1617 1618 1619 1620 1621/proc/sys/net/ipv6/* Variables 1622============================== 1623 1624IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also 1625apply to IPv6 [XXX?]. 1626 1627bindv6only - BOOLEAN 1628 Default value for IPV6_V6ONLY socket option, 1629 which restricts use of the IPv6 socket to IPv6 communication 1630 only. 1631 1632 - TRUE: disable IPv4-mapped address feature 1633 - FALSE: enable IPv4-mapped address feature 1634 1635 Default: FALSE (as specified in RFC3493) 1636 1637flowlabel_consistency - BOOLEAN 1638 Protect the consistency (and unicity) of flow label. 1639 You have to disable it to use IPV6_FL_F_REFLECT flag on the 1640 flow label manager. 1641 1642 - TRUE: enabled 1643 - FALSE: disabled 1644 1645 Default: TRUE 1646 1647auto_flowlabels - INTEGER 1648 Automatically generate flow labels based on a flow hash of the 1649 packet. This allows intermediate devices, such as routers, to 1650 identify packet flows for mechanisms like Equal Cost Multipath 1651 Routing (see RFC 6438). 1652 1653 = =========================================================== 1654 0 automatic flow labels are completely disabled 1655 1 automatic flow labels are enabled by default, they can be 1656 disabled on a per socket basis using the IPV6_AUTOFLOWLABEL 1657 socket option 1658 2 automatic flow labels are allowed, they may be enabled on a 1659 per socket basis using the IPV6_AUTOFLOWLABEL socket option 1660 3 automatic flow labels are enabled and enforced, they cannot 1661 be disabled by the socket option 1662 = =========================================================== 1663 1664 Default: 1 1665 1666flowlabel_state_ranges - BOOLEAN 1667 Split the flow label number space into two ranges. 0-0x7FFFF is 1668 reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF 1669 is reserved for stateless flow labels as described in RFC6437. 1670 1671 - TRUE: enabled 1672 - FALSE: disabled 1673 1674 Default: true 1675 1676flowlabel_reflect - INTEGER 1677 Control flow label reflection. Needed for Path MTU 1678 Discovery to work with Equal Cost Multipath Routing in anycast 1679 environments. See RFC 7690 and: 1680 https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01 1681 1682 This is a bitmask. 1683 1684 - 1: enabled for established flows 1685 1686 Note that this prevents automatic flowlabel changes, as done 1687 in "tcp: change IPv6 flow-label upon receiving spurious retransmission" 1688 and "tcp: Change txhash on every SYN and RTO retransmit" 1689 1690 - 2: enabled for TCP RESET packets (no active listener) 1691 If set, a RST packet sent in response to a SYN packet on a closed 1692 port will reflect the incoming flow label. 1693 1694 - 4: enabled for ICMPv6 echo reply messages. 1695 1696 Default: 0 1697 1698fib_multipath_hash_policy - INTEGER 1699 Controls which hash policy to use for multipath routes. 1700 1701 Default: 0 (Layer 3) 1702 1703 Possible values: 1704 1705 - 0 - Layer 3 (source and destination addresses plus flow label) 1706 - 1 - Layer 4 (standard 5-tuple) 1707 - 2 - Layer 3 or inner Layer 3 if present 1708 1709anycast_src_echo_reply - BOOLEAN 1710 Controls the use of anycast addresses as source addresses for ICMPv6 1711 echo reply 1712 1713 - TRUE: enabled 1714 - FALSE: disabled 1715 1716 Default: FALSE 1717 1718idgen_delay - INTEGER 1719 Controls the delay in seconds after which time to retry 1720 privacy stable address generation if a DAD conflict is 1721 detected. 1722 1723 Default: 1 (as specified in RFC7217) 1724 1725idgen_retries - INTEGER 1726 Controls the number of retries to generate a stable privacy 1727 address if a DAD conflict is detected. 1728 1729 Default: 3 (as specified in RFC7217) 1730 1731mld_qrv - INTEGER 1732 Controls the MLD query robustness variable (see RFC3810 9.1). 1733 1734 Default: 2 (as specified by RFC3810 9.1) 1735 1736 Minimum: 1 (as specified by RFC6636 4.5) 1737 1738max_dst_opts_number - INTEGER 1739 Maximum number of non-padding TLVs allowed in a Destination 1740 options extension header. If this value is less than zero 1741 then unknown options are disallowed and the number of known 1742 TLVs allowed is the absolute value of this number. 1743 1744 Default: 8 1745 1746max_hbh_opts_number - INTEGER 1747 Maximum number of non-padding TLVs allowed in a Hop-by-Hop 1748 options extension header. If this value is less than zero 1749 then unknown options are disallowed and the number of known 1750 TLVs allowed is the absolute value of this number. 1751 1752 Default: 8 1753 1754max_dst_opts_length - INTEGER 1755 Maximum length allowed for a Destination options extension 1756 header. 1757 1758 Default: INT_MAX (unlimited) 1759 1760max_hbh_length - INTEGER 1761 Maximum length allowed for a Hop-by-Hop options extension 1762 header. 1763 1764 Default: INT_MAX (unlimited) 1765 1766skip_notify_on_dev_down - BOOLEAN 1767 Controls whether an RTM_DELROUTE message is generated for routes 1768 removed when a device is taken down or deleted. IPv4 does not 1769 generate this message; IPv6 does by default. Setting this sysctl 1770 to true skips the message, making IPv4 and IPv6 on par in relying 1771 on userspace caches to track link events and evict routes. 1772 1773 Default: false (generate message) 1774 1775nexthop_compat_mode - BOOLEAN 1776 New nexthop API provides a means for managing nexthops independent of 1777 prefixes. Backwards compatibilty with old route format is enabled by 1778 default which means route dumps and notifications contain the new 1779 nexthop attribute but also the full, expanded nexthop definition. 1780 Further, updates or deletes of a nexthop configuration generate route 1781 notifications for each fib entry using the nexthop. Once a system 1782 understands the new API, this sysctl can be disabled to achieve full 1783 performance benefits of the new API by disabling the nexthop expansion 1784 and extraneous notifications. 1785 Default: true (backward compat mode) 1786 1787IPv6 Fragmentation: 1788 1789ip6frag_high_thresh - INTEGER 1790 Maximum memory used to reassemble IPv6 fragments. When 1791 ip6frag_high_thresh bytes of memory is allocated for this purpose, 1792 the fragment handler will toss packets until ip6frag_low_thresh 1793 is reached. 1794 1795ip6frag_low_thresh - INTEGER 1796 See ip6frag_high_thresh 1797 1798ip6frag_time - INTEGER 1799 Time in seconds to keep an IPv6 fragment in memory. 1800 1801IPv6 Segment Routing: 1802 1803seg6_flowlabel - INTEGER 1804 Controls the behaviour of computing the flowlabel of outer 1805 IPv6 header in case of SR T.encaps 1806 1807 == ======================================================= 1808 -1 set flowlabel to zero. 1809 0 copy flowlabel from Inner packet in case of Inner IPv6 1810 (Set flowlabel to 0 in case IPv4/L2) 1811 1 Compute the flowlabel using seg6_make_flowlabel() 1812 == ======================================================= 1813 1814 Default is 0. 1815 1816``conf/default/*``: 1817 Change the interface-specific default settings. 1818 1819 1820``conf/all/*``: 1821 Change all the interface-specific settings. 1822 1823 [XXX: Other special features than forwarding?] 1824 1825conf/all/forwarding - BOOLEAN 1826 Enable global IPv6 forwarding between all interfaces. 1827 1828 IPv4 and IPv6 work differently here; e.g. netfilter must be used 1829 to control which interfaces may forward packets and which not. 1830 1831 This also sets all interfaces' Host/Router setting 1832 'forwarding' to the specified value. See below for details. 1833 1834 This referred to as global forwarding. 1835 1836proxy_ndp - BOOLEAN 1837 Do proxy ndp. 1838 1839fwmark_reflect - BOOLEAN 1840 Controls the fwmark of kernel-generated IPv6 reply packets that are not 1841 associated with a socket for example, TCP RSTs or ICMPv6 echo replies). 1842 If unset, these packets have a fwmark of zero. If set, they have the 1843 fwmark of the packet they are replying to. 1844 1845 Default: 0 1846 1847``conf/interface/*``: 1848 Change special settings per interface. 1849 1850 The functional behaviour for certain settings is different 1851 depending on whether local forwarding is enabled or not. 1852 1853accept_ra - INTEGER 1854 Accept Router Advertisements; autoconfigure using them. 1855 1856 It also determines whether or not to transmit Router 1857 Solicitations. If and only if the functional setting is to 1858 accept Router Advertisements, Router Solicitations will be 1859 transmitted. 1860 1861 Possible values are: 1862 1863 == =========================================================== 1864 0 Do not accept Router Advertisements. 1865 1 Accept Router Advertisements if forwarding is disabled. 1866 2 Overrule forwarding behaviour. Accept Router Advertisements 1867 even if forwarding is enabled. 1868 == =========================================================== 1869 1870 Functional default: 1871 1872 - enabled if local forwarding is disabled. 1873 - disabled if local forwarding is enabled. 1874 1875accept_ra_defrtr - BOOLEAN 1876 Learn default router in Router Advertisement. 1877 1878 Functional default: 1879 1880 - enabled if accept_ra is enabled. 1881 - disabled if accept_ra is disabled. 1882 1883accept_ra_from_local - BOOLEAN 1884 Accept RA with source-address that is found on local machine 1885 if the RA is otherwise proper and able to be accepted. 1886 1887 Default is to NOT accept these as it may be an un-intended 1888 network loop. 1889 1890 Functional default: 1891 1892 - enabled if accept_ra_from_local is enabled 1893 on a specific interface. 1894 - disabled if accept_ra_from_local is disabled 1895 on a specific interface. 1896 1897accept_ra_min_hop_limit - INTEGER 1898 Minimum hop limit Information in Router Advertisement. 1899 1900 Hop limit Information in Router Advertisement less than this 1901 variable shall be ignored. 1902 1903 Default: 1 1904 1905accept_ra_min_lft - INTEGER 1906 Minimum acceptable lifetime value in Router Advertisement. 1907 1908 RA sections with a lifetime less than this value shall be 1909 ignored. Zero lifetimes stay unaffected. 1910 1911 Default: 0 1912 1913accept_ra_pinfo - BOOLEAN 1914 Learn Prefix Information in Router Advertisement. 1915 1916 Functional default: 1917 1918 - enabled if accept_ra is enabled. 1919 - disabled if accept_ra is disabled. 1920 1921accept_ra_rt_info_min_plen - INTEGER 1922 Minimum prefix length of Route Information in RA. 1923 1924 Route Information w/ prefix smaller than this variable shall 1925 be ignored. 1926 1927 Functional default: 1928 1929 * 0 if accept_ra_rtr_pref is enabled. 1930 * -1 if accept_ra_rtr_pref is disabled. 1931 1932accept_ra_rt_info_max_plen - INTEGER 1933 Maximum prefix length of Route Information in RA. 1934 1935 Route Information w/ prefix larger than this variable shall 1936 be ignored. 1937 1938 Functional default: 1939 1940 * 0 if accept_ra_rtr_pref is enabled. 1941 * -1 if accept_ra_rtr_pref is disabled. 1942 1943accept_ra_rtr_pref - BOOLEAN 1944 Accept Router Preference in RA. 1945 1946 Functional default: 1947 1948 - enabled if accept_ra is enabled. 1949 - disabled if accept_ra is disabled. 1950 1951accept_ra_mtu - BOOLEAN 1952 Apply the MTU value specified in RA option 5 (RFC4861). If 1953 disabled, the MTU specified in the RA will be ignored. 1954 1955 Functional default: 1956 1957 - enabled if accept_ra is enabled. 1958 - disabled if accept_ra is disabled. 1959 1960accept_redirects - BOOLEAN 1961 Accept Redirects. 1962 1963 Functional default: 1964 1965 - enabled if local forwarding is disabled. 1966 - disabled if local forwarding is enabled. 1967 1968accept_source_route - INTEGER 1969 Accept source routing (routing extension header). 1970 1971 - >= 0: Accept only routing header type 2. 1972 - < 0: Do not accept routing header. 1973 1974 Default: 0 1975 1976autoconf - BOOLEAN 1977 Autoconfigure addresses using Prefix Information in Router 1978 Advertisements. 1979 1980 Functional default: 1981 1982 - enabled if accept_ra_pinfo is enabled. 1983 - disabled if accept_ra_pinfo is disabled. 1984 1985dad_transmits - INTEGER 1986 The amount of Duplicate Address Detection probes to send. 1987 1988 Default: 1 1989 1990forwarding - INTEGER 1991 Configure interface-specific Host/Router behaviour. 1992 1993 .. note:: 1994 1995 It is recommended to have the same setting on all 1996 interfaces; mixed router/host scenarios are rather uncommon. 1997 1998 Possible values are: 1999 2000 - 0 Forwarding disabled 2001 - 1 Forwarding enabled 2002 2003 **FALSE (0)**: 2004 2005 By default, Host behaviour is assumed. This means: 2006 2007 1. IsRouter flag is not set in Neighbour Advertisements. 2008 2. If accept_ra is TRUE (default), transmit Router 2009 Solicitations. 2010 3. If accept_ra is TRUE (default), accept Router 2011 Advertisements (and do autoconfiguration). 2012 4. If accept_redirects is TRUE (default), accept Redirects. 2013 2014 **TRUE (1)**: 2015 2016 If local forwarding is enabled, Router behaviour is assumed. 2017 This means exactly the reverse from the above: 2018 2019 1. IsRouter flag is set in Neighbour Advertisements. 2020 2. Router Solicitations are not sent unless accept_ra is 2. 2021 3. Router Advertisements are ignored unless accept_ra is 2. 2022 4. Redirects are ignored. 2023 2024 Default: 0 (disabled) if global forwarding is disabled (default), 2025 otherwise 1 (enabled). 2026 2027hop_limit - INTEGER 2028 Default Hop Limit to set. 2029 2030 Default: 64 2031 2032mtu - INTEGER 2033 Default Maximum Transfer Unit 2034 2035 Default: 1280 (IPv6 required minimum) 2036 2037ip_nonlocal_bind - BOOLEAN 2038 If set, allows processes to bind() to non-local IPv6 addresses, 2039 which can be quite useful - but may break some applications. 2040 2041 Default: 0 2042 2043router_probe_interval - INTEGER 2044 Minimum interval (in seconds) between Router Probing described 2045 in RFC4191. 2046 2047 Default: 60 2048 2049router_solicitation_delay - INTEGER 2050 Number of seconds to wait after interface is brought up 2051 before sending Router Solicitations. 2052 2053 Default: 1 2054 2055router_solicitation_interval - INTEGER 2056 Number of seconds to wait between Router Solicitations. 2057 2058 Default: 4 2059 2060router_solicitations - INTEGER 2061 Number of Router Solicitations to send until assuming no 2062 routers are present. 2063 2064 Default: 3 2065 2066use_oif_addrs_only - BOOLEAN 2067 When enabled, the candidate source addresses for destinations 2068 routed via this interface are restricted to the set of addresses 2069 configured on this interface (vis. RFC 6724, section 4). 2070 2071 Default: false 2072 2073use_tempaddr - INTEGER 2074 Preference for Privacy Extensions (RFC3041). 2075 2076 * <= 0 : disable Privacy Extensions 2077 * == 1 : enable Privacy Extensions, but prefer public 2078 addresses over temporary addresses. 2079 * > 1 : enable Privacy Extensions and prefer temporary 2080 addresses over public addresses. 2081 2082 Default: 2083 2084 * 0 (for most devices) 2085 * -1 (for point-to-point devices and loopback devices) 2086 2087temp_valid_lft - INTEGER 2088 valid lifetime (in seconds) for temporary addresses. 2089 2090 Default: 172800 (2 days) 2091 2092temp_prefered_lft - INTEGER 2093 Preferred lifetime (in seconds) for temporary addresses. 2094 2095 Default: 86400 (1 day) 2096 2097keep_addr_on_down - INTEGER 2098 Keep all IPv6 addresses on an interface down event. If set static 2099 global addresses with no expiration time are not flushed. 2100 2101 * >0 : enabled 2102 * 0 : system default 2103 * <0 : disabled 2104 2105 Default: 0 (addresses are removed) 2106 2107max_desync_factor - INTEGER 2108 Maximum value for DESYNC_FACTOR, which is a random value 2109 that ensures that clients don't synchronize with each 2110 other and generate new addresses at exactly the same time. 2111 value is in seconds. 2112 2113 Default: 600 2114 2115regen_max_retry - INTEGER 2116 Number of attempts before give up attempting to generate 2117 valid temporary addresses. 2118 2119 Default: 5 2120 2121max_addresses - INTEGER 2122 Maximum number of autoconfigured addresses per interface. Setting 2123 to zero disables the limitation. It is not recommended to set this 2124 value too large (or to zero) because it would be an easy way to 2125 crash the kernel by allowing too many addresses to be created. 2126 2127 Default: 16 2128 2129disable_ipv6 - BOOLEAN 2130 Disable IPv6 operation. If accept_dad is set to 2, this value 2131 will be dynamically set to TRUE if DAD fails for the link-local 2132 address. 2133 2134 Default: FALSE (enable IPv6 operation) 2135 2136 When this value is changed from 1 to 0 (IPv6 is being enabled), 2137 it will dynamically create a link-local address on the given 2138 interface and start Duplicate Address Detection, if necessary. 2139 2140 When this value is changed from 0 to 1 (IPv6 is being disabled), 2141 it will dynamically delete all addresses and routes on the given 2142 interface. From now on it will not possible to add addresses/routes 2143 to the selected interface. 2144 2145accept_dad - INTEGER 2146 Whether to accept DAD (Duplicate Address Detection). 2147 2148 == ============================================================== 2149 0 Disable DAD 2150 1 Enable DAD (default) 2151 2 Enable DAD, and disable IPv6 operation if MAC-based duplicate 2152 link-local address has been found. 2153 == ============================================================== 2154 2155 DAD operation and mode on a given interface will be selected according 2156 to the maximum value of conf/{all,interface}/accept_dad. 2157 2158force_tllao - BOOLEAN 2159 Enable sending the target link-layer address option even when 2160 responding to a unicast neighbor solicitation. 2161 2162 Default: FALSE 2163 2164 Quoting from RFC 2461, section 4.4, Target link-layer address: 2165 2166 "The option MUST be included for multicast solicitations in order to 2167 avoid infinite Neighbor Solicitation "recursion" when the peer node 2168 does not have a cache entry to return a Neighbor Advertisements 2169 message. When responding to unicast solicitations, the option can be 2170 omitted since the sender of the solicitation has the correct link- 2171 layer address; otherwise it would not have be able to send the unicast 2172 solicitation in the first place. However, including the link-layer 2173 address in this case adds little overhead and eliminates a potential 2174 race condition where the sender deletes the cached link-layer address 2175 prior to receiving a response to a previous solicitation." 2176 2177ndisc_notify - BOOLEAN 2178 Define mode for notification of address and device changes. 2179 2180 * 0 - (default): do nothing 2181 * 1 - Generate unsolicited neighbour advertisements when device is brought 2182 up or hardware address changes. 2183 2184ndisc_tclass - INTEGER 2185 The IPv6 Traffic Class to use by default when sending IPv6 Neighbor 2186 Discovery (Router Solicitation, Router Advertisement, Neighbor 2187 Solicitation, Neighbor Advertisement, Redirect) messages. 2188 These 8 bits can be interpreted as 6 high order bits holding the DSCP 2189 value and 2 low order bits representing ECN (which you probably want 2190 to leave cleared). 2191 2192 * 0 - (default) 2193 2194mldv1_unsolicited_report_interval - INTEGER 2195 The interval in milliseconds in which the next unsolicited 2196 MLDv1 report retransmit will take place. 2197 2198 Default: 10000 (10 seconds) 2199 2200mldv2_unsolicited_report_interval - INTEGER 2201 The interval in milliseconds in which the next unsolicited 2202 MLDv2 report retransmit will take place. 2203 2204 Default: 1000 (1 second) 2205 2206force_mld_version - INTEGER 2207 * 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed 2208 * 1 - Enforce to use MLD version 1 2209 * 2 - Enforce to use MLD version 2 2210 2211suppress_frag_ndisc - INTEGER 2212 Control RFC 6980 (Security Implications of IPv6 Fragmentation 2213 with IPv6 Neighbor Discovery) behavior: 2214 2215 * 1 - (default) discard fragmented neighbor discovery packets 2216 * 0 - allow fragmented neighbor discovery packets 2217 2218optimistic_dad - BOOLEAN 2219 Whether to perform Optimistic Duplicate Address Detection (RFC 4429). 2220 2221 * 0: disabled (default) 2222 * 1: enabled 2223 2224 Optimistic Duplicate Address Detection for the interface will be enabled 2225 if at least one of conf/{all,interface}/optimistic_dad is set to 1, 2226 it will be disabled otherwise. 2227 2228use_optimistic - BOOLEAN 2229 If enabled, do not classify optimistic addresses as deprecated during 2230 source address selection. Preferred addresses will still be chosen 2231 before optimistic addresses, subject to other ranking in the source 2232 address selection algorithm. 2233 2234 * 0: disabled (default) 2235 * 1: enabled 2236 2237 This will be enabled if at least one of 2238 conf/{all,interface}/use_optimistic is set to 1, disabled otherwise. 2239 2240stable_secret - IPv6 address 2241 This IPv6 address will be used as a secret to generate IPv6 2242 addresses for link-local addresses and autoconfigured 2243 ones. All addresses generated after setting this secret will 2244 be stable privacy ones by default. This can be changed via the 2245 addrgenmode ip-link. conf/default/stable_secret is used as the 2246 secret for the namespace, the interface specific ones can 2247 overwrite that. Writes to conf/all/stable_secret are refused. 2248 2249 It is recommended to generate this secret during installation 2250 of a system and keep it stable after that. 2251 2252 By default the stable secret is unset. 2253 2254addr_gen_mode - INTEGER 2255 Defines how link-local and autoconf addresses are generated. 2256 2257 = ================================================================= 2258 0 generate address based on EUI64 (default) 2259 1 do no generate a link-local address, use EUI64 for addresses 2260 generated from autoconf 2261 2 generate stable privacy addresses, using the secret from 2262 stable_secret (RFC7217) 2263 3 generate stable privacy addresses, using a random secret if unset 2264 = ================================================================= 2265 2266drop_unicast_in_l2_multicast - BOOLEAN 2267 Drop any unicast IPv6 packets that are received in link-layer 2268 multicast (or broadcast) frames. 2269 2270 By default this is turned off. 2271 2272drop_unsolicited_na - BOOLEAN 2273 Drop all unsolicited neighbor advertisements, for example if there's 2274 a known good NA proxy on the network and such frames need not be used 2275 (or in the case of 802.11, must not be used to prevent attacks.) 2276 2277 By default this is turned off. 2278 2279enhanced_dad - BOOLEAN 2280 Include a nonce option in the IPv6 neighbor solicitation messages used for 2281 duplicate address detection per RFC7527. A received DAD NS will only signal 2282 a duplicate address if the nonce is different. This avoids any false 2283 detection of duplicates due to loopback of the NS messages that we send. 2284 The nonce option will be sent on an interface unless both of 2285 conf/{all,interface}/enhanced_dad are set to FALSE. 2286 2287 Default: TRUE 2288 2289``icmp/*``: 2290=========== 2291 2292ratelimit - INTEGER 2293 Limit the maximal rates for sending ICMPv6 messages. 2294 2295 0 to disable any limiting, 2296 otherwise the minimal space between responses in milliseconds. 2297 2298 Default: 1000 2299 2300ratemask - list of comma separated ranges 2301 For ICMPv6 message types matching the ranges in the ratemask, limit 2302 the sending of the message according to ratelimit parameter. 2303 2304 The format used for both input and output is a comma separated 2305 list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and 2306 129). Writing to the file will clear all previous ranges of ICMPv6 2307 message types and update the current list with the input. 2308 2309 Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml 2310 for numerical values of ICMPv6 message types, e.g. echo request is 128 2311 and echo reply is 129. 2312 2313 Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big) 2314 2315echo_ignore_all - BOOLEAN 2316 If set non-zero, then the kernel will ignore all ICMP ECHO 2317 requests sent to it over the IPv6 protocol. 2318 2319 Default: 0 2320 2321echo_ignore_multicast - BOOLEAN 2322 If set non-zero, then the kernel will ignore all ICMP ECHO 2323 requests sent to it over the IPv6 protocol via multicast. 2324 2325 Default: 0 2326 2327echo_ignore_anycast - BOOLEAN 2328 If set non-zero, then the kernel will ignore all ICMP ECHO 2329 requests sent to it over the IPv6 protocol destined to anycast address. 2330 2331 Default: 0 2332 2333xfrm6_gc_thresh - INTEGER 2334 (Obsolete since linux-4.14) 2335 The threshold at which we will start garbage collecting for IPv6 2336 destination cache entries. At twice this value the system will 2337 refuse new allocations. 2338 2339 2340IPv6 Update by: 2341Pekka Savola <pekkas@netcore.fi> 2342YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> 2343 2344 2345/proc/sys/net/bridge/* Variables: 2346================================= 2347 2348bridge-nf-call-arptables - BOOLEAN 2349 - 1 : pass bridged ARP traffic to arptables' FORWARD chain. 2350 - 0 : disable this. 2351 2352 Default: 1 2353 2354bridge-nf-call-iptables - BOOLEAN 2355 - 1 : pass bridged IPv4 traffic to iptables' chains. 2356 - 0 : disable this. 2357 2358 Default: 1 2359 2360bridge-nf-call-ip6tables - BOOLEAN 2361 - 1 : pass bridged IPv6 traffic to ip6tables' chains. 2362 - 0 : disable this. 2363 2364 Default: 1 2365 2366bridge-nf-filter-vlan-tagged - BOOLEAN 2367 - 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. 2368 - 0 : disable this. 2369 2370 Default: 0 2371 2372bridge-nf-filter-pppoe-tagged - BOOLEAN 2373 - 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. 2374 - 0 : disable this. 2375 2376 Default: 0 2377 2378bridge-nf-pass-vlan-input-dev - BOOLEAN 2379 - 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan 2380 interface on the bridge and set the netfilter input device to the 2381 vlan. This allows use of e.g. "iptables -i br0.1" and makes the 2382 REDIRECT target work with vlan-on-top-of-bridge interfaces. When no 2383 matching vlan interface is found, or this switch is off, the input 2384 device is set to the bridge interface. 2385 2386 - 0: disable bridge netfilter vlan interface lookup. 2387 2388 Default: 0 2389 2390``proc/sys/net/sctp/*`` Variables: 2391================================== 2392 2393addip_enable - BOOLEAN 2394 Enable or disable extension of Dynamic Address Reconfiguration 2395 (ADD-IP) functionality specified in RFC5061. This extension provides 2396 the ability to dynamically add and remove new addresses for the SCTP 2397 associations. 2398 2399 1: Enable extension. 2400 2401 0: Disable extension. 2402 2403 Default: 0 2404 2405pf_enable - INTEGER 2406 Enable or disable pf (pf is short for potentially failed) state. A value 2407 of pf_retrans > path_max_retrans also disables pf state. That is, one of 2408 both pf_enable and pf_retrans > path_max_retrans can disable pf state. 2409 Since pf_retrans and path_max_retrans can be changed by userspace 2410 application, sometimes user expects to disable pf state by the value of 2411 pf_retrans > path_max_retrans, but occasionally the value of pf_retrans 2412 or path_max_retrans is changed by the user application, this pf state is 2413 enabled. As such, it is necessary to add this to dynamically enable 2414 and disable pf state. See: 2415 https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for 2416 details. 2417 2418 1: Enable pf. 2419 2420 0: Disable pf. 2421 2422 Default: 1 2423 2424pf_expose - INTEGER 2425 Unset or enable/disable pf (pf is short for potentially failed) state 2426 exposure. Applications can control the exposure of the PF path state 2427 in the SCTP_PEER_ADDR_CHANGE event and the SCTP_GET_PEER_ADDR_INFO 2428 sockopt. When it's unset, no SCTP_PEER_ADDR_CHANGE event with 2429 SCTP_ADDR_PF state will be sent and a SCTP_PF-state transport info 2430 can be got via SCTP_GET_PEER_ADDR_INFO sockopt; When it's enabled, 2431 a SCTP_PEER_ADDR_CHANGE event will be sent for a transport becoming 2432 SCTP_PF state and a SCTP_PF-state transport info can be got via 2433 SCTP_GET_PEER_ADDR_INFO sockopt; When it's diabled, no 2434 SCTP_PEER_ADDR_CHANGE event will be sent and it returns -EACCES when 2435 trying to get a SCTP_PF-state transport info via SCTP_GET_PEER_ADDR_INFO 2436 sockopt. 2437 2438 0: Unset pf state exposure, Compatible with old applications. 2439 2440 1: Disable pf state exposure. 2441 2442 2: Enable pf state exposure. 2443 2444 Default: 0 2445 2446addip_noauth_enable - BOOLEAN 2447 Dynamic Address Reconfiguration (ADD-IP) requires the use of 2448 authentication to protect the operations of adding or removing new 2449 addresses. This requirement is mandated so that unauthorized hosts 2450 would not be able to hijack associations. However, older 2451 implementations may not have implemented this requirement while 2452 allowing the ADD-IP extension. For reasons of interoperability, 2453 we provide this variable to control the enforcement of the 2454 authentication requirement. 2455 2456 == =============================================================== 2457 1 Allow ADD-IP extension to be used without authentication. This 2458 should only be set in a closed environment for interoperability 2459 with older implementations. 2460 2461 0 Enforce the authentication requirement 2462 == =============================================================== 2463 2464 Default: 0 2465 2466auth_enable - BOOLEAN 2467 Enable or disable Authenticated Chunks extension. This extension 2468 provides the ability to send and receive authenticated chunks and is 2469 required for secure operation of Dynamic Address Reconfiguration 2470 (ADD-IP) extension. 2471 2472 - 1: Enable this extension. 2473 - 0: Disable this extension. 2474 2475 Default: 0 2476 2477prsctp_enable - BOOLEAN 2478 Enable or disable the Partial Reliability extension (RFC3758) which 2479 is used to notify peers that a given DATA should no longer be expected. 2480 2481 - 1: Enable extension 2482 - 0: Disable 2483 2484 Default: 1 2485 2486max_burst - INTEGER 2487 The limit of the number of new packets that can be initially sent. It 2488 controls how bursty the generated traffic can be. 2489 2490 Default: 4 2491 2492association_max_retrans - INTEGER 2493 Set the maximum number for retransmissions that an association can 2494 attempt deciding that the remote end is unreachable. If this value 2495 is exceeded, the association is terminated. 2496 2497 Default: 10 2498 2499max_init_retransmits - INTEGER 2500 The maximum number of retransmissions of INIT and COOKIE-ECHO chunks 2501 that an association will attempt before declaring the destination 2502 unreachable and terminating. 2503 2504 Default: 8 2505 2506path_max_retrans - INTEGER 2507 The maximum number of retransmissions that will be attempted on a given 2508 path. Once this threshold is exceeded, the path is considered 2509 unreachable, and new traffic will use a different path when the 2510 association is multihomed. 2511 2512 Default: 5 2513 2514pf_retrans - INTEGER 2515 The number of retransmissions that will be attempted on a given path 2516 before traffic is redirected to an alternate transport (should one 2517 exist). Note this is distinct from path_max_retrans, as a path that 2518 passes the pf_retrans threshold can still be used. Its only 2519 deprioritized when a transmission path is selected by the stack. This 2520 setting is primarily used to enable fast failover mechanisms without 2521 having to reduce path_max_retrans to a very low value. See: 2522 http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt 2523 for details. Note also that a value of pf_retrans > path_max_retrans 2524 disables this feature. Since both pf_retrans and path_max_retrans can 2525 be changed by userspace application, a variable pf_enable is used to 2526 disable pf state. 2527 2528 Default: 0 2529 2530ps_retrans - INTEGER 2531 Primary.Switchover.Max.Retrans (PSMR), it's a tunable parameter coming 2532 from section-5 "Primary Path Switchover" in rfc7829. The primary path 2533 will be changed to another active path when the path error counter on 2534 the old primary path exceeds PSMR, so that "the SCTP sender is allowed 2535 to continue data transmission on a new working path even when the old 2536 primary destination address becomes active again". Note this feature 2537 is disabled by initializing 'ps_retrans' per netns as 0xffff by default, 2538 and its value can't be less than 'pf_retrans' when changing by sysctl. 2539 2540 Default: 0xffff 2541 2542rto_initial - INTEGER 2543 The initial round trip timeout value in milliseconds that will be used 2544 in calculating round trip times. This is the initial time interval 2545 for retransmissions. 2546 2547 Default: 3000 2548 2549rto_max - INTEGER 2550 The maximum value (in milliseconds) of the round trip timeout. This 2551 is the largest time interval that can elapse between retransmissions. 2552 2553 Default: 60000 2554 2555rto_min - INTEGER 2556 The minimum value (in milliseconds) of the round trip timeout. This 2557 is the smallest time interval the can elapse between retransmissions. 2558 2559 Default: 1000 2560 2561hb_interval - INTEGER 2562 The interval (in milliseconds) between HEARTBEAT chunks. These chunks 2563 are sent at the specified interval on idle paths to probe the state of 2564 a given path between 2 associations. 2565 2566 Default: 30000 2567 2568sack_timeout - INTEGER 2569 The amount of time (in milliseconds) that the implementation will wait 2570 to send a SACK. 2571 2572 Default: 200 2573 2574valid_cookie_life - INTEGER 2575 The default lifetime of the SCTP cookie (in milliseconds). The cookie 2576 is used during association establishment. 2577 2578 Default: 60000 2579 2580cookie_preserve_enable - BOOLEAN 2581 Enable or disable the ability to extend the lifetime of the SCTP cookie 2582 that is used during the establishment phase of SCTP association 2583 2584 - 1: Enable cookie lifetime extension. 2585 - 0: Disable 2586 2587 Default: 1 2588 2589cookie_hmac_alg - STRING 2590 Select the hmac algorithm used when generating the cookie value sent by 2591 a listening sctp socket to a connecting client in the INIT-ACK chunk. 2592 Valid values are: 2593 2594 * md5 2595 * sha1 2596 * none 2597 2598 Ability to assign md5 or sha1 as the selected alg is predicated on the 2599 configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and 2600 CONFIG_CRYPTO_SHA1). 2601 2602 Default: Dependent on configuration. MD5 if available, else SHA1 if 2603 available, else none. 2604 2605rcvbuf_policy - INTEGER 2606 Determines if the receive buffer is attributed to the socket or to 2607 association. SCTP supports the capability to create multiple 2608 associations on a single socket. When using this capability, it is 2609 possible that a single stalled association that's buffering a lot 2610 of data may block other associations from delivering their data by 2611 consuming all of the receive buffer space. To work around this, 2612 the rcvbuf_policy could be set to attribute the receiver buffer space 2613 to each association instead of the socket. This prevents the described 2614 blocking. 2615 2616 - 1: rcvbuf space is per association 2617 - 0: rcvbuf space is per socket 2618 2619 Default: 0 2620 2621sndbuf_policy - INTEGER 2622 Similar to rcvbuf_policy above, this applies to send buffer space. 2623 2624 - 1: Send buffer is tracked per association 2625 - 0: Send buffer is tracked per socket. 2626 2627 Default: 0 2628 2629sctp_mem - vector of 3 INTEGERs: min, pressure, max 2630 Number of pages allowed for queueing by all SCTP sockets. 2631 2632 min: Below this number of pages SCTP is not bothered about its 2633 memory appetite. When amount of memory allocated by SCTP exceeds 2634 this number, SCTP starts to moderate memory usage. 2635 2636 pressure: This value was introduced to follow format of tcp_mem. 2637 2638 max: Number of pages allowed for queueing by all SCTP sockets. 2639 2640 Default is calculated at boot time from amount of available memory. 2641 2642sctp_rmem - vector of 3 INTEGERs: min, default, max 2643 Only the first value ("min") is used, "default" and "max" are 2644 ignored. 2645 2646 min: Minimal size of receive buffer used by SCTP socket. 2647 It is guaranteed to each SCTP socket (but not association) even 2648 under moderate memory pressure. 2649 2650 Default: 4K 2651 2652sctp_wmem - vector of 3 INTEGERs: min, default, max 2653 Only the first value ("min") is used, "default" and "max" are 2654 ignored. 2655 2656 min: Minimum size of send buffer that can be used by SCTP sockets. 2657 It is guaranteed to each SCTP socket (but not association) even 2658 under moderate memory pressure. 2659 2660 Default: 4K 2661 2662addr_scope_policy - INTEGER 2663 Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 2664 2665 - 0 - Disable IPv4 address scoping 2666 - 1 - Enable IPv4 address scoping 2667 - 2 - Follow draft but allow IPv4 private addresses 2668 - 3 - Follow draft but allow IPv4 link local addresses 2669 2670 Default: 1 2671 2672 2673``/proc/sys/net/core/*`` 2674======================== 2675 2676 Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries. 2677 2678 2679``/proc/sys/net/unix/*`` 2680======================== 2681 2682max_dgram_qlen - INTEGER 2683 The maximum length of dgram socket receive queue 2684 2685 Default: 10 2686 2687