ip-sysctl.txt 53 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508
  1. /proc/sys/net/ipv4/* Variables:
  2. ip_forward - BOOLEAN
  3. 0 - disabled (default)
  4. not 0 - enabled
  5. Forward Packets between interfaces.
  6. This variable is special, its change resets all configuration
  7. parameters to their default state (RFC1122 for hosts, RFC1812
  8. for routers)
  9. ip_default_ttl - INTEGER
  10. Default value of TTL field (Time To Live) for outgoing (but not
  11. forwarded) IP packets. Should be between 1 and 255 inclusive.
  12. Default: 64 (as recommended by RFC1700)
  13. ip_no_pmtu_disc - BOOLEAN
  14. Disable Path MTU Discovery.
  15. default FALSE
  16. min_pmtu - INTEGER
  17. default 562 - minimum discovered Path MTU
  18. route/max_size - INTEGER
  19. Maximum number of routes allowed in the kernel. Increase
  20. this when using large numbers of interfaces and/or routes.
  21. neigh/default/gc_thresh3 - INTEGER
  22. Maximum number of neighbor entries allowed. Increase this
  23. when using large numbers of interfaces and when communicating
  24. with large numbers of directly-connected peers.
  25. mtu_expires - INTEGER
  26. Time, in seconds, that cached PMTU information is kept.
  27. min_adv_mss - INTEGER
  28. The advertised MSS depends on the first hop route MTU, but will
  29. never be lower than this setting.
  30. rt_cache_rebuild_count - INTEGER
  31. The per net-namespace route cache emergency rebuild threshold.
  32. Any net-namespace having its route cache rebuilt due to
  33. a hash bucket chain being too long more than this many times
  34. will have its route caching disabled
  35. IP Fragmentation:
  36. ipfrag_high_thresh - INTEGER
  37. Maximum memory used to reassemble IP fragments. When
  38. ipfrag_high_thresh bytes of memory is allocated for this purpose,
  39. the fragment handler will toss packets until ipfrag_low_thresh
  40. is reached.
  41. ipfrag_low_thresh - INTEGER
  42. See ipfrag_high_thresh
  43. ipfrag_time - INTEGER
  44. Time in seconds to keep an IP fragment in memory.
  45. ipfrag_secret_interval - INTEGER
  46. Regeneration interval (in seconds) of the hash secret (or lifetime
  47. for the hash secret) for IP fragments.
  48. Default: 600
  49. ipfrag_max_dist - INTEGER
  50. ipfrag_max_dist is a non-negative integer value which defines the
  51. maximum "disorder" which is allowed among fragments which share a
  52. common IP source address. Note that reordering of packets is
  53. not unusual, but if a large number of fragments arrive from a source
  54. IP address while a particular fragment queue remains incomplete, it
  55. probably indicates that one or more fragments belonging to that queue
  56. have been lost. When ipfrag_max_dist is positive, an additional check
  57. is done on fragments before they are added to a reassembly queue - if
  58. ipfrag_max_dist (or more) fragments have arrived from a particular IP
  59. address between additions to any IP fragment queue using that source
  60. address, it's presumed that one or more fragments in the queue are
  61. lost. The existing fragment queue will be dropped, and a new one
  62. started. An ipfrag_max_dist value of zero disables this check.
  63. Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
  64. result in unnecessarily dropping fragment queues when normal
  65. reordering of packets occurs, which could lead to poor application
  66. performance. Using a very large value, e.g. 50000, increases the
  67. likelihood of incorrectly reassembling IP fragments that originate
  68. from different IP datagrams, which could result in data corruption.
  69. Default: 64
  70. INET peer storage:
  71. inet_peer_threshold - INTEGER
  72. The approximate size of the storage. Starting from this threshold
  73. entries will be thrown aggressively. This threshold also determines
  74. entries' time-to-live and time intervals between garbage collection
  75. passes. More entries, less time-to-live, less GC interval.
  76. inet_peer_minttl - INTEGER
  77. Minimum time-to-live of entries. Should be enough to cover fragment
  78. time-to-live on the reassembling side. This minimum time-to-live is
  79. guaranteed if the pool size is less than inet_peer_threshold.
  80. Measured in seconds.
  81. inet_peer_maxttl - INTEGER
  82. Maximum time-to-live of entries. Unused entries will expire after
  83. this period of time if there is no memory pressure on the pool (i.e.
  84. when the number of entries in the pool is very small).
  85. Measured in seconds.
  86. TCP variables:
  87. somaxconn - INTEGER
  88. Limit of socket listen() backlog, known in userspace as SOMAXCONN.
  89. Defaults to 128. See also tcp_max_syn_backlog for additional tuning
  90. for TCP sockets.
  91. tcp_abc - INTEGER
  92. Controls Appropriate Byte Count (ABC) defined in RFC3465.
  93. ABC is a way of increasing congestion window (cwnd) more slowly
  94. in response to partial acknowledgments.
  95. Possible values are:
  96. 0 increase cwnd once per acknowledgment (no ABC)
  97. 1 increase cwnd once per acknowledgment of full sized segment
  98. 2 allow increase cwnd by two if acknowledgment is
  99. of two segments to compensate for delayed acknowledgments.
  100. Default: 0 (off)
  101. tcp_abort_on_overflow - BOOLEAN
  102. If listening service is too slow to accept new connections,
  103. reset them. Default state is FALSE. It means that if overflow
  104. occurred due to a burst, connection will recover. Enable this
  105. option _only_ if you are really sure that listening daemon
  106. cannot be tuned to accept connections faster. Enabling this
  107. option can harm clients of your server.
  108. tcp_adv_win_scale - INTEGER
  109. Count buffering overhead as bytes/2^tcp_adv_win_scale
  110. (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
  111. if it is <= 0.
  112. Possible values are [-31, 31], inclusive.
  113. Default: 2
  114. tcp_allowed_congestion_control - STRING
  115. Show/set the congestion control choices available to non-privileged
  116. processes. The list is a subset of those listed in
  117. tcp_available_congestion_control.
  118. Default is "reno" and the default setting (tcp_congestion_control).
  119. tcp_app_win - INTEGER
  120. Reserve max(window/2^tcp_app_win, mss) of window for application
  121. buffer. Value 0 is special, it means that nothing is reserved.
  122. Default: 31
  123. tcp_available_congestion_control - STRING
  124. Shows the available congestion control choices that are registered.
  125. More congestion control algorithms may be available as modules,
  126. but not loaded.
  127. tcp_base_mss - INTEGER
  128. The initial value of search_low to be used by the packetization layer
  129. Path MTU discovery (MTU probing). If MTU probing is enabled,
  130. this is the initial MSS used by the connection.
  131. tcp_congestion_control - STRING
  132. Set the congestion control algorithm to be used for new
  133. connections. The algorithm "reno" is always available, but
  134. additional choices may be available based on kernel configuration.
  135. Default is set as part of kernel configuration.
  136. tcp_cookie_size - INTEGER
  137. Default size of TCP Cookie Transactions (TCPCT) option, that may be
  138. overridden on a per socket basis by the TCPCT socket option.
  139. Values greater than the maximum (16) are interpreted as the maximum.
  140. Values greater than zero and less than the minimum (8) are interpreted
  141. as the minimum. Odd values are interpreted as the next even value.
  142. Default: 0 (off).
  143. tcp_dsack - BOOLEAN
  144. Allows TCP to send "duplicate" SACKs.
  145. tcp_ecn - INTEGER
  146. Enable Explicit Congestion Notification (ECN) in TCP. ECN is only
  147. used when both ends of the TCP flow support it. It is useful to
  148. avoid losses due to congestion (when the bottleneck router supports
  149. ECN).
  150. Possible values are:
  151. 0 disable ECN
  152. 1 ECN enabled
  153. 2 Only server-side ECN enabled. If the other end does
  154. not support ECN, behavior is like with ECN disabled.
  155. Default: 2
  156. tcp_fack - BOOLEAN
  157. Enable FACK congestion avoidance and fast retransmission.
  158. The value is not used, if tcp_sack is not enabled.
  159. tcp_fin_timeout - INTEGER
  160. Time to hold socket in state FIN-WAIT-2, if it was closed
  161. by our side. Peer can be broken and never close its side,
  162. or even died unexpectedly. Default value is 60sec.
  163. Usual value used in 2.2 was 180 seconds, you may restore
  164. it, but remember that if your machine is even underloaded WEB server,
  165. you risk to overflow memory with kilotons of dead sockets,
  166. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
  167. because they eat maximum 1.5K of memory, but they tend
  168. to live longer. Cf. tcp_max_orphans.
  169. tcp_frto - INTEGER
  170. Enables Forward RTO-Recovery (F-RTO) defined in RFC4138.
  171. F-RTO is an enhanced recovery algorithm for TCP retransmission
  172. timeouts. It is particularly beneficial in wireless environments
  173. where packet loss is typically due to random radio interference
  174. rather than intermediate router congestion. F-RTO is sender-side
  175. only modification. Therefore it does not require any support from
  176. the peer.
  177. If set to 1, basic version is enabled. 2 enables SACK enhanced
  178. F-RTO if flow uses SACK. The basic version can be used also when
  179. SACK is in use though scenario(s) with it exists where F-RTO
  180. interacts badly with the packet counting of the SACK enabled TCP
  181. flow.
  182. tcp_frto_response - INTEGER
  183. When F-RTO has detected that a TCP retransmission timeout was
  184. spurious (i.e, the timeout would have been avoided had TCP set a
  185. longer retransmission timeout), TCP has several options what to do
  186. next. Possible values are:
  187. 0 Rate halving based; a smooth and conservative response,
  188. results in halved cwnd and ssthresh after one RTT
  189. 1 Very conservative response; not recommended because even
  190. though being valid, it interacts poorly with the rest of
  191. Linux TCP, halves cwnd and ssthresh immediately
  192. 2 Aggressive response; undoes congestion control measures
  193. that are now known to be unnecessary (ignoring the
  194. possibility of a lost retransmission that would require
  195. TCP to be more cautious), cwnd and ssthresh are restored
  196. to the values prior timeout
  197. Default: 0 (rate halving based)
  198. tcp_keepalive_time - INTEGER
  199. How often TCP sends out keepalive messages when keepalive is enabled.
  200. Default: 2hours.
  201. tcp_keepalive_probes - INTEGER
  202. How many keepalive probes TCP sends out, until it decides that the
  203. connection is broken. Default value: 9.
  204. tcp_keepalive_intvl - INTEGER
  205. How frequently the probes are send out. Multiplied by
  206. tcp_keepalive_probes it is time to kill not responding connection,
  207. after probes started. Default value: 75sec i.e. connection
  208. will be aborted after ~11 minutes of retries.
  209. tcp_low_latency - BOOLEAN
  210. If set, the TCP stack makes decisions that prefer lower
  211. latency as opposed to higher throughput. By default, this
  212. option is not set meaning that higher throughput is preferred.
  213. An example of an application where this default should be
  214. changed would be a Beowulf compute cluster.
  215. Default: 0
  216. tcp_max_orphans - INTEGER
  217. Maximal number of TCP sockets not attached to any user file handle,
  218. held by system. If this number is exceeded orphaned connections are
  219. reset immediately and warning is printed. This limit exists
  220. only to prevent simple DoS attacks, you _must_ not rely on this
  221. or lower the limit artificially, but rather increase it
  222. (probably, after increasing installed memory),
  223. if network conditions require more than default value,
  224. and tune network services to linger and kill such states
  225. more aggressively. Let me to remind again: each orphan eats
  226. up to ~64K of unswappable memory.
  227. tcp_max_ssthresh - INTEGER
  228. Limited Slow-Start for TCP with large congestion windows (cwnd) defined in
  229. RFC3742. Limited slow-start is a mechanism to limit growth of the cwnd
  230. on the region where cwnd is larger than tcp_max_ssthresh. TCP increases cwnd
  231. by at most tcp_max_ssthresh segments, and by at least tcp_max_ssthresh/2
  232. segments per RTT when the cwnd is above tcp_max_ssthresh.
  233. If TCP connection increased cwnd to thousands (or tens of thousands) segments,
  234. and thousands of packets were being dropped during slow-start, you can set
  235. tcp_max_ssthresh to improve performance for new TCP connection.
  236. Default: 0 (off)
  237. tcp_max_syn_backlog - INTEGER
  238. Maximal number of remembered connection requests, which are
  239. still did not receive an acknowledgment from connecting client.
  240. Default value is 1024 for systems with more than 128Mb of memory,
  241. and 128 for low memory machines. If server suffers of overload,
  242. try to increase this number.
  243. tcp_max_tw_buckets - INTEGER
  244. Maximal number of timewait sockets held by system simultaneously.
  245. If this number is exceeded time-wait socket is immediately destroyed
  246. and warning is printed. This limit exists only to prevent
  247. simple DoS attacks, you _must_ not lower the limit artificially,
  248. but rather increase it (probably, after increasing installed memory),
  249. if network conditions require more than default value.
  250. tcp_mem - vector of 3 INTEGERs: min, pressure, max
  251. min: below this number of pages TCP is not bothered about its
  252. memory appetite.
  253. pressure: when amount of memory allocated by TCP exceeds this number
  254. of pages, TCP moderates its memory consumption and enters memory
  255. pressure mode, which is exited when memory consumption falls
  256. under "min".
  257. max: number of pages allowed for queueing by all TCP sockets.
  258. Defaults are calculated at boot time from amount of available
  259. memory.
  260. tcp_moderate_rcvbuf - BOOLEAN
  261. If set, TCP performs receive buffer auto-tuning, attempting to
  262. automatically size the buffer (no greater than tcp_rmem[2]) to
  263. match the size required by the path for full throughput. Enabled by
  264. default.
  265. tcp_mtu_probing - INTEGER
  266. Controls TCP Packetization-Layer Path MTU Discovery. Takes three
  267. values:
  268. 0 - Disabled
  269. 1 - Disabled by default, enabled when an ICMP black hole detected
  270. 2 - Always enabled, use initial MSS of tcp_base_mss.
  271. tcp_no_metrics_save - BOOLEAN
  272. By default, TCP saves various connection metrics in the route cache
  273. when the connection closes, so that connections established in the
  274. near future can use these to set initial conditions. Usually, this
  275. increases overall performance, but may sometimes cause performance
  276. degradation. If set, TCP will not cache metrics on closing
  277. connections.
  278. tcp_orphan_retries - INTEGER
  279. This value influences the timeout of a locally closed TCP connection,
  280. when RTO retransmissions remain unacknowledged.
  281. See tcp_retries2 for more details.
  282. The default value is 8.
  283. If your machine is a loaded WEB server,
  284. you should think about lowering this value, such sockets
  285. may consume significant resources. Cf. tcp_max_orphans.
  286. tcp_reordering - INTEGER
  287. Maximal reordering of packets in a TCP stream.
  288. Default: 3
  289. tcp_retrans_collapse - BOOLEAN
  290. Bug-to-bug compatibility with some broken printers.
  291. On retransmit try to send bigger packets to work around bugs in
  292. certain TCP stacks.
  293. tcp_retries1 - INTEGER
  294. This value influences the time, after which TCP decides, that
  295. something is wrong due to unacknowledged RTO retransmissions,
  296. and reports this suspicion to the network layer.
  297. See tcp_retries2 for more details.
  298. RFC 1122 recommends at least 3 retransmissions, which is the
  299. default.
  300. tcp_retries2 - INTEGER
  301. This value influences the timeout of an alive TCP connection,
  302. when RTO retransmissions remain unacknowledged.
  303. Given a value of N, a hypothetical TCP connection following
  304. exponential backoff with an initial RTO of TCP_RTO_MIN would
  305. retransmit N times before killing the connection at the (N+1)th RTO.
  306. The default value of 15 yields a hypothetical timeout of 924.6
  307. seconds and is a lower bound for the effective timeout.
  308. TCP will effectively time out at the first RTO which exceeds the
  309. hypothetical timeout.
  310. RFC 1122 recommends at least 100 seconds for the timeout,
  311. which corresponds to a value of at least 8.
  312. tcp_rfc1337 - BOOLEAN
  313. If set, the TCP stack behaves conforming to RFC1337. If unset,
  314. we are not conforming to RFC, but prevent TCP TIME_WAIT
  315. assassination.
  316. Default: 0
  317. tcp_rmem - vector of 3 INTEGERs: min, default, max
  318. min: Minimal size of receive buffer used by TCP sockets.
  319. It is guaranteed to each TCP socket, even under moderate memory
  320. pressure.
  321. Default: 1 page
  322. default: initial size of receive buffer used by TCP sockets.
  323. This value overrides net.core.rmem_default used by other protocols.
  324. Default: 87380 bytes. This value results in window of 65535 with
  325. default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit
  326. less for default tcp_app_win. See below about these variables.
  327. max: maximal size of receive buffer allowed for automatically
  328. selected receiver buffers for TCP socket. This value does not override
  329. net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables
  330. automatic tuning of that socket's receive buffer size, in which
  331. case this value is ignored.
  332. Default: between 87380B and 4MB, depending on RAM size.
  333. tcp_sack - BOOLEAN
  334. Enable select acknowledgments (SACKS).
  335. tcp_slow_start_after_idle - BOOLEAN
  336. If set, provide RFC2861 behavior and time out the congestion
  337. window after an idle period. An idle period is defined at
  338. the current RTO. If unset, the congestion window will not
  339. be timed out after an idle period.
  340. Default: 1
  341. tcp_stdurg - BOOLEAN
  342. Use the Host requirements interpretation of the TCP urgent pointer field.
  343. Most hosts use the older BSD interpretation, so if you turn this on
  344. Linux might not communicate correctly with them.
  345. Default: FALSE
  346. tcp_synack_retries - INTEGER
  347. Number of times SYNACKs for a passive TCP connection attempt will
  348. be retransmitted. Should not be higher than 255. Default value
  349. is 5, which corresponds to ~180seconds.
  350. tcp_syncookies - BOOLEAN
  351. Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
  352. Send out syncookies when the syn backlog queue of a socket
  353. overflows. This is to prevent against the common 'SYN flood attack'
  354. Default: FALSE
  355. Note, that syncookies is fallback facility.
  356. It MUST NOT be used to help highly loaded servers to stand
  357. against legal connection rate. If you see SYN flood warnings
  358. in your logs, but investigation shows that they occur
  359. because of overload with legal connections, you should tune
  360. another parameters until this warning disappear.
  361. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
  362. syncookies seriously violate TCP protocol, do not allow
  363. to use TCP extensions, can result in serious degradation
  364. of some services (f.e. SMTP relaying), visible not by you,
  365. but your clients and relays, contacting you. While you see
  366. SYN flood warnings in logs not being really flooded, your server
  367. is seriously misconfigured.
  368. tcp_syn_retries - INTEGER
  369. Number of times initial SYNs for an active TCP connection attempt
  370. will be retransmitted. Should not be higher than 255. Default value
  371. is 5, which corresponds to ~180seconds.
  372. tcp_timestamps - BOOLEAN
  373. Enable timestamps as defined in RFC1323.
  374. tcp_tso_win_divisor - INTEGER
  375. This allows control over what percentage of the congestion window
  376. can be consumed by a single TSO frame.
  377. The setting of this parameter is a choice between burstiness and
  378. building larger TSO frames.
  379. Default: 3
  380. tcp_tw_recycle - BOOLEAN
  381. Enable fast recycling TIME-WAIT sockets. Default value is 0.
  382. It should not be changed without advice/request of technical
  383. experts.
  384. tcp_tw_reuse - BOOLEAN
  385. Allow to reuse TIME-WAIT sockets for new connections when it is
  386. safe from protocol viewpoint. Default value is 0.
  387. It should not be changed without advice/request of technical
  388. experts.
  389. tcp_window_scaling - BOOLEAN
  390. Enable window scaling as defined in RFC1323.
  391. tcp_wmem - vector of 3 INTEGERs: min, default, max
  392. min: Amount of memory reserved for send buffers for TCP sockets.
  393. Each TCP socket has rights to use it due to fact of its birth.
  394. Default: 1 page
  395. default: initial size of send buffer used by TCP sockets. This
  396. value overrides net.core.wmem_default used by other protocols.
  397. It is usually lower than net.core.wmem_default.
  398. Default: 16K
  399. max: Maximal amount of memory allowed for automatically tuned
  400. send buffers for TCP sockets. This value does not override
  401. net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables
  402. automatic tuning of that socket's send buffer size, in which case
  403. this value is ignored.
  404. Default: between 64K and 4MB, depending on RAM size.
  405. tcp_workaround_signed_windows - BOOLEAN
  406. If set, assume no receipt of a window scaling option means the
  407. remote TCP is broken and treats the window as a signed quantity.
  408. If unset, assume the remote TCP is not broken even if we do
  409. not receive a window scaling option from them.
  410. Default: 0
  411. tcp_dma_copybreak - INTEGER
  412. Lower limit, in bytes, of the size of socket reads that will be
  413. offloaded to a DMA copy engine, if one is present in the system
  414. and CONFIG_NET_DMA is enabled.
  415. Default: 4096
  416. tcp_thin_linear_timeouts - BOOLEAN
  417. Enable dynamic triggering of linear timeouts for thin streams.
  418. If set, a check is performed upon retransmission by timeout to
  419. determine if the stream is thin (less than 4 packets in flight).
  420. As long as the stream is found to be thin, up to 6 linear
  421. timeouts may be performed before exponential backoff mode is
  422. initiated. This improves retransmission latency for
  423. non-aggressive thin streams, often found to be time-dependent.
  424. For more information on thin streams, see
  425. Documentation/networking/tcp-thin.txt
  426. Default: 0
  427. tcp_thin_dupack - BOOLEAN
  428. Enable dynamic triggering of retransmissions after one dupACK
  429. for thin streams. If set, a check is performed upon reception
  430. of a dupACK to determine if the stream is thin (less than 4
  431. packets in flight). As long as the stream is found to be thin,
  432. data is retransmitted on the first received dupACK. This
  433. improves retransmission latency for non-aggressive thin
  434. streams, often found to be time-dependent.
  435. For more information on thin streams, see
  436. Documentation/networking/tcp-thin.txt
  437. Default: 0
  438. UDP variables:
  439. udp_mem - vector of 3 INTEGERs: min, pressure, max
  440. Number of pages allowed for queueing by all UDP sockets.
  441. min: Below this number of pages UDP is not bothered about its
  442. memory appetite. When amount of memory allocated by UDP exceeds
  443. this number, UDP starts to moderate memory usage.
  444. pressure: This value was introduced to follow format of tcp_mem.
  445. max: Number of pages allowed for queueing by all UDP sockets.
  446. Default is calculated at boot time from amount of available memory.
  447. udp_rmem_min - INTEGER
  448. Minimal size of receive buffer used by UDP sockets in moderation.
  449. Each UDP socket is able to use the size for receiving data, even if
  450. total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
  451. Default: 1 page
  452. udp_wmem_min - INTEGER
  453. Minimal size of send buffer used by UDP sockets in moderation.
  454. Each UDP socket is able to use the size for sending data, even if
  455. total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
  456. Default: 1 page
  457. CIPSOv4 Variables:
  458. cipso_cache_enable - BOOLEAN
  459. If set, enable additions to and lookups from the CIPSO label mapping
  460. cache. If unset, additions are ignored and lookups always result in a
  461. miss. However, regardless of the setting the cache is still
  462. invalidated when required when means you can safely toggle this on and
  463. off and the cache will always be "safe".
  464. Default: 1
  465. cipso_cache_bucket_size - INTEGER
  466. The CIPSO label cache consists of a fixed size hash table with each
  467. hash bucket containing a number of cache entries. This variable limits
  468. the number of entries in each hash bucket; the larger the value the
  469. more CIPSO label mappings that can be cached. When the number of
  470. entries in a given hash bucket reaches this limit adding new entries
  471. causes the oldest entry in the bucket to be removed to make room.
  472. Default: 10
  473. cipso_rbm_optfmt - BOOLEAN
  474. Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of
  475. the CIPSO draft specification (see Documentation/netlabel for details).
  476. This means that when set the CIPSO tag will be padded with empty
  477. categories in order to make the packet data 32-bit aligned.
  478. Default: 0
  479. cipso_rbm_structvalid - BOOLEAN
  480. If set, do a very strict check of the CIPSO option when
  481. ip_options_compile() is called. If unset, relax the checks done during
  482. ip_options_compile(). Either way is "safe" as errors are caught else
  483. where in the CIPSO processing code but setting this to 0 (False) should
  484. result in less work (i.e. it should be faster) but could cause problems
  485. with other implementations that require strict checking.
  486. Default: 0
  487. IP Variables:
  488. ip_local_port_range - 2 INTEGERS
  489. Defines the local port range that is used by TCP and UDP to
  490. choose the local port. The first number is the first, the
  491. second the last local port number. Default value depends on
  492. amount of memory available on the system:
  493. > 128Mb 32768-61000
  494. < 128Mb 1024-4999 or even less.
  495. This number defines number of active connections, which this
  496. system can issue simultaneously to systems not supporting
  497. TCP extensions (timestamps). With tcp_tw_recycle enabled
  498. (i.e. by default) range 1024-4999 is enough to issue up to
  499. 2000 connections per second to systems supporting timestamps.
  500. ip_local_reserved_ports - list of comma separated ranges
  501. Specify the ports which are reserved for known third-party
  502. applications. These ports will not be used by automatic port
  503. assignments (e.g. when calling connect() or bind() with port
  504. number 0). Explicit port allocation behavior is unchanged.
  505. The format used for both input and output is a comma separated
  506. list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
  507. 10). Writing to the file will clear all previously reserved
  508. ports and update the current list with the one given in the
  509. input.
  510. Note that ip_local_port_range and ip_local_reserved_ports
  511. settings are independent and both are considered by the kernel
  512. when determining which ports are available for automatic port
  513. assignments.
  514. You can reserve ports which are not in the current
  515. ip_local_port_range, e.g.:
  516. $ cat /proc/sys/net/ipv4/ip_local_port_range
  517. 32000 61000
  518. $ cat /proc/sys/net/ipv4/ip_local_reserved_ports
  519. 8080,9148
  520. although this is redundant. However such a setting is useful
  521. if later the port range is changed to a value that will
  522. include the reserved ports.
  523. Default: Empty
  524. ip_nonlocal_bind - BOOLEAN
  525. If set, allows processes to bind() to non-local IP addresses,
  526. which can be quite useful - but may break some applications.
  527. Default: 0
  528. ip_dynaddr - BOOLEAN
  529. If set non-zero, enables support for dynamic addresses.
  530. If set to a non-zero value larger than 1, a kernel log
  531. message will be printed when dynamic address rewriting
  532. occurs.
  533. Default: 0
  534. icmp_echo_ignore_all - BOOLEAN
  535. If set non-zero, then the kernel will ignore all ICMP ECHO
  536. requests sent to it.
  537. Default: 0
  538. icmp_echo_ignore_broadcasts - BOOLEAN
  539. If set non-zero, then the kernel will ignore all ICMP ECHO and
  540. TIMESTAMP requests sent to it via broadcast/multicast.
  541. Default: 1
  542. icmp_ratelimit - INTEGER
  543. Limit the maximal rates for sending ICMP packets whose type matches
  544. icmp_ratemask (see below) to specific targets.
  545. 0 to disable any limiting,
  546. otherwise the minimal space between responses in milliseconds.
  547. Default: 1000
  548. icmp_ratemask - INTEGER
  549. Mask made of ICMP types for which rates are being limited.
  550. Significant bits: IHGFEDCBA9876543210
  551. Default mask: 0000001100000011000 (6168)
  552. Bit definitions (see include/linux/icmp.h):
  553. 0 Echo Reply
  554. 3 Destination Unreachable *
  555. 4 Source Quench *
  556. 5 Redirect
  557. 8 Echo Request
  558. B Time Exceeded *
  559. C Parameter Problem *
  560. D Timestamp Request
  561. E Timestamp Reply
  562. F Info Request
  563. G Info Reply
  564. H Address Mask Request
  565. I Address Mask Reply
  566. * These are rate limited by default (see default mask above)
  567. icmp_ignore_bogus_error_responses - BOOLEAN
  568. Some routers violate RFC1122 by sending bogus responses to broadcast
  569. frames. Such violations are normally logged via a kernel warning.
  570. If this is set to TRUE, the kernel will not give such warnings, which
  571. will avoid log file clutter.
  572. Default: FALSE
  573. icmp_errors_use_inbound_ifaddr - BOOLEAN
  574. If zero, icmp error messages are sent with the primary address of
  575. the exiting interface.
  576. If non-zero, the message will be sent with the primary address of
  577. the interface that received the packet that caused the icmp error.
  578. This is the behaviour network many administrators will expect from
  579. a router. And it can make debugging complicated network layouts
  580. much easier.
  581. Note that if no primary address exists for the interface selected,
  582. then the primary address of the first non-loopback interface that
  583. has one will be used regardless of this setting.
  584. Default: 0
  585. igmp_max_memberships - INTEGER
  586. Change the maximum number of multicast groups we can subscribe to.
  587. Default: 20
  588. Theoretical maximum value is bounded by having to send a membership
  589. report in a single datagram (i.e. the report can't span multiple
  590. datagrams, or risk confusing the switch and leaving groups you don't
  591. intend to).
  592. The number of supported groups 'M' is bounded by the number of group
  593. report entries you can fit into a single datagram of 65535 bytes.
  594. M = 65536-sizeof (ip header)/(sizeof(Group record))
  595. Group records are variable length, with a minimum of 12 bytes.
  596. So net.ipv4.igmp_max_memberships should not be set higher than:
  597. (65536-24) / 12 = 5459
  598. The value 5459 assumes no IP header options, so in practice
  599. this number may be lower.
  600. conf/interface/* changes special settings per interface (where
  601. "interface" is the name of your network interface)
  602. conf/all/* is special, changes the settings for all interfaces
  603. log_martians - BOOLEAN
  604. Log packets with impossible addresses to kernel log.
  605. log_martians for the interface will be enabled if at least one of
  606. conf/{all,interface}/log_martians is set to TRUE,
  607. it will be disabled otherwise
  608. accept_redirects - BOOLEAN
  609. Accept ICMP redirect messages.
  610. accept_redirects for the interface will be enabled if:
  611. - both conf/{all,interface}/accept_redirects are TRUE in the case
  612. forwarding for the interface is enabled
  613. or
  614. - at least one of conf/{all,interface}/accept_redirects is TRUE in the
  615. case forwarding for the interface is disabled
  616. accept_redirects for the interface will be disabled otherwise
  617. default TRUE (host)
  618. FALSE (router)
  619. forwarding - BOOLEAN
  620. Enable IP forwarding on this interface.
  621. mc_forwarding - BOOLEAN
  622. Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
  623. and a multicast routing daemon is required.
  624. conf/all/mc_forwarding must also be set to TRUE to enable multicast
  625. routing for the interface
  626. medium_id - INTEGER
  627. Integer value used to differentiate the devices by the medium they
  628. are attached to. Two devices can have different id values when
  629. the broadcast packets are received only on one of them.
  630. The default value 0 means that the device is the only interface
  631. to its medium, value of -1 means that medium is not known.
  632. Currently, it is used to change the proxy_arp behavior:
  633. the proxy_arp feature is enabled for packets forwarded between
  634. two devices attached to different media.
  635. proxy_arp - BOOLEAN
  636. Do proxy arp.
  637. proxy_arp for the interface will be enabled if at least one of
  638. conf/{all,interface}/proxy_arp is set to TRUE,
  639. it will be disabled otherwise
  640. proxy_arp_pvlan - BOOLEAN
  641. Private VLAN proxy arp.
  642. Basically allow proxy arp replies back to the same interface
  643. (from which the ARP request/solicitation was received).
  644. This is done to support (ethernet) switch features, like RFC
  645. 3069, where the individual ports are NOT allowed to
  646. communicate with each other, but they are allowed to talk to
  647. the upstream router. As described in RFC 3069, it is possible
  648. to allow these hosts to communicate through the upstream
  649. router by proxy_arp'ing. Don't need to be used together with
  650. proxy_arp.
  651. This technology is known by different names:
  652. In RFC 3069 it is called VLAN Aggregation.
  653. Cisco and Allied Telesyn call it Private VLAN.
  654. Hewlett-Packard call it Source-Port filtering or port-isolation.
  655. Ericsson call it MAC-Forced Forwarding (RFC Draft).
  656. shared_media - BOOLEAN
  657. Send(router) or accept(host) RFC1620 shared media redirects.
  658. Overrides ip_secure_redirects.
  659. shared_media for the interface will be enabled if at least one of
  660. conf/{all,interface}/shared_media is set to TRUE,
  661. it will be disabled otherwise
  662. default TRUE
  663. secure_redirects - BOOLEAN
  664. Accept ICMP redirect messages only for gateways,
  665. listed in default gateway list.
  666. secure_redirects for the interface will be enabled if at least one of
  667. conf/{all,interface}/secure_redirects is set to TRUE,
  668. it will be disabled otherwise
  669. default TRUE
  670. send_redirects - BOOLEAN
  671. Send redirects, if router.
  672. send_redirects for the interface will be enabled if at least one of
  673. conf/{all,interface}/send_redirects is set to TRUE,
  674. it will be disabled otherwise
  675. Default: TRUE
  676. bootp_relay - BOOLEAN
  677. Accept packets with source address 0.b.c.d destined
  678. not to this host as local ones. It is supposed, that
  679. BOOTP relay daemon will catch and forward such packets.
  680. conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
  681. for the interface
  682. default FALSE
  683. Not Implemented Yet.
  684. accept_source_route - BOOLEAN
  685. Accept packets with SRR option.
  686. conf/all/accept_source_route must also be set to TRUE to accept packets
  687. with SRR option on the interface
  688. default TRUE (router)
  689. FALSE (host)
  690. accept_local - BOOLEAN
  691. Accept packets with local source addresses. In combination with
  692. suitable routing, this can be used to direct packets between two
  693. local interfaces over the wire and have them accepted properly.
  694. default FALSE
  695. rp_filter - INTEGER
  696. 0 - No source validation.
  697. 1 - Strict mode as defined in RFC3704 Strict Reverse Path
  698. Each incoming packet is tested against the FIB and if the interface
  699. is not the best reverse path the packet check will fail.
  700. By default failed packets are discarded.
  701. 2 - Loose mode as defined in RFC3704 Loose Reverse Path
  702. Each incoming packet's source address is also tested against the FIB
  703. and if the source address is not reachable via any interface
  704. the packet check will fail.
  705. Current recommended practice in RFC3704 is to enable strict mode
  706. to prevent IP spoofing from DDos attacks. If using asymmetric routing
  707. or other complicated routing, then loose mode is recommended.
  708. The max value from conf/{all,interface}/rp_filter is used
  709. when doing source validation on the {interface}.
  710. Default value is 0. Note that some distributions enable it
  711. in startup scripts.
  712. arp_filter - BOOLEAN
  713. 1 - Allows you to have multiple network interfaces on the same
  714. subnet, and have the ARPs for each interface be answered
  715. based on whether or not the kernel would route a packet from
  716. the ARP'd IP out that interface (therefore you must use source
  717. based routing for this to work). In other words it allows control
  718. of which cards (usually 1) will respond to an arp request.
  719. 0 - (default) The kernel can respond to arp requests with addresses
  720. from other interfaces. This may seem wrong but it usually makes
  721. sense, because it increases the chance of successful communication.
  722. IP addresses are owned by the complete host on Linux, not by
  723. particular interfaces. Only for more complex setups like load-
  724. balancing, does this behaviour cause problems.
  725. arp_filter for the interface will be enabled if at least one of
  726. conf/{all,interface}/arp_filter is set to TRUE,
  727. it will be disabled otherwise
  728. arp_announce - INTEGER
  729. Define different restriction levels for announcing the local
  730. source IP address from IP packets in ARP requests sent on
  731. interface:
  732. 0 - (default) Use any local address, configured on any interface
  733. 1 - Try to avoid local addresses that are not in the target's
  734. subnet for this interface. This mode is useful when target
  735. hosts reachable via this interface require the source IP
  736. address in ARP requests to be part of their logical network
  737. configured on the receiving interface. When we generate the
  738. request we will check all our subnets that include the
  739. target IP and will preserve the source address if it is from
  740. such subnet. If there is no such subnet we select source
  741. address according to the rules for level 2.
  742. 2 - Always use the best local address for this target.
  743. In this mode we ignore the source address in the IP packet
  744. and try to select local address that we prefer for talks with
  745. the target host. Such local address is selected by looking
  746. for primary IP addresses on all our subnets on the outgoing
  747. interface that include the target IP address. If no suitable
  748. local address is found we select the first local address
  749. we have on the outgoing interface or on all other interfaces,
  750. with the hope we will receive reply for our request and
  751. even sometimes no matter the source IP address we announce.
  752. The max value from conf/{all,interface}/arp_announce is used.
  753. Increasing the restriction level gives more chance for
  754. receiving answer from the resolved target while decreasing
  755. the level announces more valid sender's information.
  756. arp_ignore - INTEGER
  757. Define different modes for sending replies in response to
  758. received ARP requests that resolve local target IP addresses:
  759. 0 - (default): reply for any local target IP address, configured
  760. on any interface
  761. 1 - reply only if the target IP address is local address
  762. configured on the incoming interface
  763. 2 - reply only if the target IP address is local address
  764. configured on the incoming interface and both with the
  765. sender's IP address are part from same subnet on this interface
  766. 3 - do not reply for local addresses configured with scope host,
  767. only resolutions for global and link addresses are replied
  768. 4-7 - reserved
  769. 8 - do not reply for all local addresses
  770. The max value from conf/{all,interface}/arp_ignore is used
  771. when ARP request is received on the {interface}
  772. arp_notify - BOOLEAN
  773. Define mode for notification of address and device changes.
  774. 0 - (default): do nothing
  775. 1 - Generate gratuitous arp requests when device is brought up
  776. or hardware address changes.
  777. arp_accept - BOOLEAN
  778. Define behavior for gratuitous ARP frames who's IP is not
  779. already present in the ARP table:
  780. 0 - don't create new entries in the ARP table
  781. 1 - create new entries in the ARP table
  782. Both replies and requests type gratuitous arp will trigger the
  783. ARP table to be updated, if this setting is on.
  784. If the ARP table already contains the IP address of the
  785. gratuitous arp frame, the arp table will be updated regardless
  786. if this setting is on or off.
  787. app_solicit - INTEGER
  788. The maximum number of probes to send to the user space ARP daemon
  789. via netlink before dropping back to multicast probes (see
  790. mcast_solicit). Defaults to 0.
  791. disable_policy - BOOLEAN
  792. Disable IPSEC policy (SPD) for this interface
  793. disable_xfrm - BOOLEAN
  794. Disable IPSEC encryption on this interface, whatever the policy
  795. tag - INTEGER
  796. Allows you to write a number, which can be used as required.
  797. Default value is 0.
  798. Alexey Kuznetsov.
  799. kuznet@ms2.inr.ac.ru
  800. Updated by:
  801. Andi Kleen
  802. ak@muc.de
  803. Nicolas Delon
  804. delon.nicolas@wanadoo.fr
  805. /proc/sys/net/ipv6/* Variables:
  806. IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also
  807. apply to IPv6 [XXX?].
  808. bindv6only - BOOLEAN
  809. Default value for IPV6_V6ONLY socket option,
  810. which restricts use of the IPv6 socket to IPv6 communication
  811. only.
  812. TRUE: disable IPv4-mapped address feature
  813. FALSE: enable IPv4-mapped address feature
  814. Default: FALSE (as specified in RFC2553bis)
  815. IPv6 Fragmentation:
  816. ip6frag_high_thresh - INTEGER
  817. Maximum memory used to reassemble IPv6 fragments. When
  818. ip6frag_high_thresh bytes of memory is allocated for this purpose,
  819. the fragment handler will toss packets until ip6frag_low_thresh
  820. is reached.
  821. ip6frag_low_thresh - INTEGER
  822. See ip6frag_high_thresh
  823. ip6frag_time - INTEGER
  824. Time in seconds to keep an IPv6 fragment in memory.
  825. ip6frag_secret_interval - INTEGER
  826. Regeneration interval (in seconds) of the hash secret (or lifetime
  827. for the hash secret) for IPv6 fragments.
  828. Default: 600
  829. conf/default/*:
  830. Change the interface-specific default settings.
  831. conf/all/*:
  832. Change all the interface-specific settings.
  833. [XXX: Other special features than forwarding?]
  834. conf/all/forwarding - BOOLEAN
  835. Enable global IPv6 forwarding between all interfaces.
  836. IPv4 and IPv6 work differently here; e.g. netfilter must be used
  837. to control which interfaces may forward packets and which not.
  838. This also sets all interfaces' Host/Router setting
  839. 'forwarding' to the specified value. See below for details.
  840. This referred to as global forwarding.
  841. proxy_ndp - BOOLEAN
  842. Do proxy ndp.
  843. conf/interface/*:
  844. Change special settings per interface.
  845. The functional behaviour for certain settings is different
  846. depending on whether local forwarding is enabled or not.
  847. accept_ra - BOOLEAN
  848. Accept Router Advertisements; autoconfigure using them.
  849. Possible values are:
  850. 0 Do not accept Router Advertisements.
  851. 1 Accept Router Advertisements if forwarding is disabled.
  852. 2 Overrule forwarding behaviour. Accept Router Advertisements
  853. even if forwarding is enabled.
  854. Functional default: enabled if local forwarding is disabled.
  855. disabled if local forwarding is enabled.
  856. accept_ra_defrtr - BOOLEAN
  857. Learn default router in Router Advertisement.
  858. Functional default: enabled if accept_ra is enabled.
  859. disabled if accept_ra is disabled.
  860. accept_ra_pinfo - BOOLEAN
  861. Learn Prefix Information in Router Advertisement.
  862. Functional default: enabled if accept_ra is enabled.
  863. disabled if accept_ra is disabled.
  864. accept_ra_rt_info_max_plen - INTEGER
  865. Maximum prefix length of Route Information in RA.
  866. Route Information w/ prefix larger than or equal to this
  867. variable shall be ignored.
  868. Functional default: 0 if accept_ra_rtr_pref is enabled.
  869. -1 if accept_ra_rtr_pref is disabled.
  870. accept_ra_rtr_pref - BOOLEAN
  871. Accept Router Preference in RA.
  872. Functional default: enabled if accept_ra is enabled.
  873. disabled if accept_ra is disabled.
  874. accept_redirects - BOOLEAN
  875. Accept Redirects.
  876. Functional default: enabled if local forwarding is disabled.
  877. disabled if local forwarding is enabled.
  878. accept_source_route - INTEGER
  879. Accept source routing (routing extension header).
  880. >= 0: Accept only routing header type 2.
  881. < 0: Do not accept routing header.
  882. Default: 0
  883. autoconf - BOOLEAN
  884. Autoconfigure addresses using Prefix Information in Router
  885. Advertisements.
  886. Functional default: enabled if accept_ra_pinfo is enabled.
  887. disabled if accept_ra_pinfo is disabled.
  888. dad_transmits - INTEGER
  889. The amount of Duplicate Address Detection probes to send.
  890. Default: 1
  891. forwarding - BOOLEAN
  892. Configure interface-specific Host/Router behaviour.
  893. Note: It is recommended to have the same setting on all
  894. interfaces; mixed router/host scenarios are rather uncommon.
  895. Possible values are:
  896. 0 Forwarding disabled
  897. 1 Forwarding enabled
  898. 2 Forwarding enabled (Hybrid Mode)
  899. FALSE (0):
  900. By default, Host behaviour is assumed. This means:
  901. 1. IsRouter flag is not set in Neighbour Advertisements.
  902. 2. Router Solicitations are being sent when necessary.
  903. 3. If accept_ra is TRUE (default), accept Router
  904. Advertisements (and do autoconfiguration).
  905. 4. If accept_redirects is TRUE (default), accept Redirects.
  906. TRUE (1):
  907. If local forwarding is enabled, Router behaviour is assumed.
  908. This means exactly the reverse from the above:
  909. 1. IsRouter flag is set in Neighbour Advertisements.
  910. 2. Router Solicitations are not sent.
  911. 3. Router Advertisements are ignored unless accept_ra is 2.
  912. 4. Redirects are ignored.
  913. TRUE (2):
  914. Hybrid mode. Same behaviour as TRUE, except for:
  915. 2. Router Solicitations are being sent when necessary.
  916. Default: 0 (disabled) if global forwarding is disabled (default),
  917. otherwise 1 (enabled).
  918. hop_limit - INTEGER
  919. Default Hop Limit to set.
  920. Default: 64
  921. mtu - INTEGER
  922. Default Maximum Transfer Unit
  923. Default: 1280 (IPv6 required minimum)
  924. router_probe_interval - INTEGER
  925. Minimum interval (in seconds) between Router Probing described
  926. in RFC4191.
  927. Default: 60
  928. router_solicitation_delay - INTEGER
  929. Number of seconds to wait after interface is brought up
  930. before sending Router Solicitations.
  931. Default: 1
  932. router_solicitation_interval - INTEGER
  933. Number of seconds to wait between Router Solicitations.
  934. Default: 4
  935. router_solicitations - INTEGER
  936. Number of Router Solicitations to send until assuming no
  937. routers are present.
  938. Default: 3
  939. use_tempaddr - INTEGER
  940. Preference for Privacy Extensions (RFC3041).
  941. <= 0 : disable Privacy Extensions
  942. == 1 : enable Privacy Extensions, but prefer public
  943. addresses over temporary addresses.
  944. > 1 : enable Privacy Extensions and prefer temporary
  945. addresses over public addresses.
  946. Default: 0 (for most devices)
  947. -1 (for point-to-point devices and loopback devices)
  948. temp_valid_lft - INTEGER
  949. valid lifetime (in seconds) for temporary addresses.
  950. Default: 604800 (7 days)
  951. temp_prefered_lft - INTEGER
  952. Preferred lifetime (in seconds) for temporary addresses.
  953. Default: 86400 (1 day)
  954. max_desync_factor - INTEGER
  955. Maximum value for DESYNC_FACTOR, which is a random value
  956. that ensures that clients don't synchronize with each
  957. other and generate new addresses at exactly the same time.
  958. value is in seconds.
  959. Default: 600
  960. regen_max_retry - INTEGER
  961. Number of attempts before give up attempting to generate
  962. valid temporary addresses.
  963. Default: 5
  964. max_addresses - INTEGER
  965. Maximum number of autoconfigured addresses per interface. Setting
  966. to zero disables the limitation. It is not recommended to set this
  967. value too large (or to zero) because it would be an easy way to
  968. crash the kernel by allowing too many addresses to be created.
  969. Default: 16
  970. disable_ipv6 - BOOLEAN
  971. Disable IPv6 operation. If accept_dad is set to 2, this value
  972. will be dynamically set to TRUE if DAD fails for the link-local
  973. address.
  974. Default: FALSE (enable IPv6 operation)
  975. When this value is changed from 1 to 0 (IPv6 is being enabled),
  976. it will dynamically create a link-local address on the given
  977. interface and start Duplicate Address Detection, if necessary.
  978. When this value is changed from 0 to 1 (IPv6 is being disabled),
  979. it will dynamically delete all address on the given interface.
  980. accept_dad - INTEGER
  981. Whether to accept DAD (Duplicate Address Detection).
  982. 0: Disable DAD
  983. 1: Enable DAD (default)
  984. 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate
  985. link-local address has been found.
  986. force_tllao - BOOLEAN
  987. Enable sending the target link-layer address option even when
  988. responding to a unicast neighbor solicitation.
  989. Default: FALSE
  990. Quoting from RFC 2461, section 4.4, Target link-layer address:
  991. "The option MUST be included for multicast solicitations in order to
  992. avoid infinite Neighbor Solicitation "recursion" when the peer node
  993. does not have a cache entry to return a Neighbor Advertisements
  994. message. When responding to unicast solicitations, the option can be
  995. omitted since the sender of the solicitation has the correct link-
  996. layer address; otherwise it would not have be able to send the unicast
  997. solicitation in the first place. However, including the link-layer
  998. address in this case adds little overhead and eliminates a potential
  999. race condition where the sender deletes the cached link-layer address
  1000. prior to receiving a response to a previous solicitation."
  1001. icmp/*:
  1002. ratelimit - INTEGER
  1003. Limit the maximal rates for sending ICMPv6 packets.
  1004. 0 to disable any limiting,
  1005. otherwise the minimal space between responses in milliseconds.
  1006. Default: 1000
  1007. IPv6 Update by:
  1008. Pekka Savola <pekkas@netcore.fi>
  1009. YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org>
  1010. /proc/sys/net/bridge/* Variables:
  1011. bridge-nf-call-arptables - BOOLEAN
  1012. 1 : pass bridged ARP traffic to arptables' FORWARD chain.
  1013. 0 : disable this.
  1014. Default: 1
  1015. bridge-nf-call-iptables - BOOLEAN
  1016. 1 : pass bridged IPv4 traffic to iptables' chains.
  1017. 0 : disable this.
  1018. Default: 1
  1019. bridge-nf-call-ip6tables - BOOLEAN
  1020. 1 : pass bridged IPv6 traffic to ip6tables' chains.
  1021. 0 : disable this.
  1022. Default: 1
  1023. bridge-nf-filter-vlan-tagged - BOOLEAN
  1024. 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
  1025. 0 : disable this.
  1026. Default: 1
  1027. bridge-nf-filter-pppoe-tagged - BOOLEAN
  1028. 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
  1029. 0 : disable this.
  1030. Default: 1
  1031. proc/sys/net/sctp/* Variables:
  1032. addip_enable - BOOLEAN
  1033. Enable or disable extension of Dynamic Address Reconfiguration
  1034. (ADD-IP) functionality specified in RFC5061. This extension provides
  1035. the ability to dynamically add and remove new addresses for the SCTP
  1036. associations.
  1037. 1: Enable extension.
  1038. 0: Disable extension.
  1039. Default: 0
  1040. addip_noauth_enable - BOOLEAN
  1041. Dynamic Address Reconfiguration (ADD-IP) requires the use of
  1042. authentication to protect the operations of adding or removing new
  1043. addresses. This requirement is mandated so that unauthorized hosts
  1044. would not be able to hijack associations. However, older
  1045. implementations may not have implemented this requirement while
  1046. allowing the ADD-IP extension. For reasons of interoperability,
  1047. we provide this variable to control the enforcement of the
  1048. authentication requirement.
  1049. 1: Allow ADD-IP extension to be used without authentication. This
  1050. should only be set in a closed environment for interoperability
  1051. with older implementations.
  1052. 0: Enforce the authentication requirement
  1053. Default: 0
  1054. auth_enable - BOOLEAN
  1055. Enable or disable Authenticated Chunks extension. This extension
  1056. provides the ability to send and receive authenticated chunks and is
  1057. required for secure operation of Dynamic Address Reconfiguration
  1058. (ADD-IP) extension.
  1059. 1: Enable this extension.
  1060. 0: Disable this extension.
  1061. Default: 0
  1062. prsctp_enable - BOOLEAN
  1063. Enable or disable the Partial Reliability extension (RFC3758) which
  1064. is used to notify peers that a given DATA should no longer be expected.
  1065. 1: Enable extension
  1066. 0: Disable
  1067. Default: 1
  1068. max_burst - INTEGER
  1069. The limit of the number of new packets that can be initially sent. It
  1070. controls how bursty the generated traffic can be.
  1071. Default: 4
  1072. association_max_retrans - INTEGER
  1073. Set the maximum number for retransmissions that an association can
  1074. attempt deciding that the remote end is unreachable. If this value
  1075. is exceeded, the association is terminated.
  1076. Default: 10
  1077. max_init_retransmits - INTEGER
  1078. The maximum number of retransmissions of INIT and COOKIE-ECHO chunks
  1079. that an association will attempt before declaring the destination
  1080. unreachable and terminating.
  1081. Default: 8
  1082. path_max_retrans - INTEGER
  1083. The maximum number of retransmissions that will be attempted on a given
  1084. path. Once this threshold is exceeded, the path is considered
  1085. unreachable, and new traffic will use a different path when the
  1086. association is multihomed.
  1087. Default: 5
  1088. rto_initial - INTEGER
  1089. The initial round trip timeout value in milliseconds that will be used
  1090. in calculating round trip times. This is the initial time interval
  1091. for retransmissions.
  1092. Default: 3000
  1093. rto_max - INTEGER
  1094. The maximum value (in milliseconds) of the round trip timeout. This
  1095. is the largest time interval that can elapse between retransmissions.
  1096. Default: 60000
  1097. rto_min - INTEGER
  1098. The minimum value (in milliseconds) of the round trip timeout. This
  1099. is the smallest time interval the can elapse between retransmissions.
  1100. Default: 1000
  1101. hb_interval - INTEGER
  1102. The interval (in milliseconds) between HEARTBEAT chunks. These chunks
  1103. are sent at the specified interval on idle paths to probe the state of
  1104. a given path between 2 associations.
  1105. Default: 30000
  1106. sack_timeout - INTEGER
  1107. The amount of time (in milliseconds) that the implementation will wait
  1108. to send a SACK.
  1109. Default: 200
  1110. valid_cookie_life - INTEGER
  1111. The default lifetime of the SCTP cookie (in milliseconds). The cookie
  1112. is used during association establishment.
  1113. Default: 60000
  1114. cookie_preserve_enable - BOOLEAN
  1115. Enable or disable the ability to extend the lifetime of the SCTP cookie
  1116. that is used during the establishment phase of SCTP association
  1117. 1: Enable cookie lifetime extension.
  1118. 0: Disable
  1119. Default: 1
  1120. rcvbuf_policy - INTEGER
  1121. Determines if the receive buffer is attributed to the socket or to
  1122. association. SCTP supports the capability to create multiple
  1123. associations on a single socket. When using this capability, it is
  1124. possible that a single stalled association that's buffering a lot
  1125. of data may block other associations from delivering their data by
  1126. consuming all of the receive buffer space. To work around this,
  1127. the rcvbuf_policy could be set to attribute the receiver buffer space
  1128. to each association instead of the socket. This prevents the described
  1129. blocking.
  1130. 1: rcvbuf space is per association
  1131. 0: recbuf space is per socket
  1132. Default: 0
  1133. sndbuf_policy - INTEGER
  1134. Similar to rcvbuf_policy above, this applies to send buffer space.
  1135. 1: Send buffer is tracked per association
  1136. 0: Send buffer is tracked per socket.
  1137. Default: 0
  1138. sctp_mem - vector of 3 INTEGERs: min, pressure, max
  1139. Number of pages allowed for queueing by all SCTP sockets.
  1140. min: Below this number of pages SCTP is not bothered about its
  1141. memory appetite. When amount of memory allocated by SCTP exceeds
  1142. this number, SCTP starts to moderate memory usage.
  1143. pressure: This value was introduced to follow format of tcp_mem.
  1144. max: Number of pages allowed for queueing by all SCTP sockets.
  1145. Default is calculated at boot time from amount of available memory.
  1146. sctp_rmem - vector of 3 INTEGERs: min, default, max
  1147. Only the first value ("min") is used, "default" and "max" are
  1148. ignored.
  1149. min: Minimal size of receive buffer used by SCTP socket.
  1150. It is guaranteed to each SCTP socket (but not association) even
  1151. under moderate memory pressure.
  1152. Default: 1 page
  1153. sctp_wmem - vector of 3 INTEGERs: min, default, max
  1154. Currently this tunable has no effect.
  1155. addr_scope_policy - INTEGER
  1156. Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00
  1157. 0 - Disable IPv4 address scoping
  1158. 1 - Enable IPv4 address scoping
  1159. 2 - Follow draft but allow IPv4 private addresses
  1160. 3 - Follow draft but allow IPv4 link local addresses
  1161. Default: 1
  1162. /proc/sys/net/core/*
  1163. dev_weight - INTEGER
  1164. The maximum number of packets that kernel can handle on a NAPI
  1165. interrupt, it's a Per-CPU variable.
  1166. Default: 64
  1167. /proc/sys/net/unix/*
  1168. max_dgram_qlen - INTEGER
  1169. The maximum length of dgram socket receive queue
  1170. Default: 10
  1171. UNDOCUMENTED:
  1172. /proc/sys/net/irda/*
  1173. fast_poll_increase FIXME
  1174. warn_noreply_time FIXME
  1175. discovery_slots FIXME
  1176. slot_timeout FIXME
  1177. max_baud_rate FIXME
  1178. discovery_timeout FIXME
  1179. lap_keepalive_time FIXME
  1180. max_noreply_time FIXME
  1181. max_tx_data_size FIXME
  1182. max_tx_window FIXME
  1183. min_tx_turn_time FIXME