1/proc/sys/net/ipv4/* Variables: 2 3ip_forward - BOOLEAN 4 0 - disabled (default) 5 not 0 - enabled 6 7 Forward Packets between interfaces. 8 9 This variable is special, its change resets all configuration 10 parameters to their default state (RFC1122 for hosts, RFC1812 11 for routers) 12 13ip_default_ttl - INTEGER 14 default 64 15 16ip_no_pmtu_disc - BOOLEAN 17 Disable Path MTU Discovery. 18 default FALSE 19 20IP Fragmentation: 21 22ipfrag_high_thresh - INTEGER 23 Maximum memory used to reassemble IP fragments. When 24 ipfrag_high_thresh bytes of memory is allocated for this purpose, 25 the fragment handler will toss packets until ipfrag_low_thresh 26 is reached. 27 28ipfrag_low_thresh - INTEGER 29 See ipfrag_high_thresh 30 31ipfrag_time - INTEGER 32 Time in seconds to keep an IP fragment in memory. 33 34INET peer storage: 35 36inet_peer_threshold - INTEGER 37 The approximate size of the storage. Starting from this threshold 38 entries will be thrown aggressively. This threshold also determines 39 entries' time-to-live and time intervals between garbage collection 40 passes. More entries, less time-to-live, less GC interval. 41 42inet_peer_minttl - INTEGER 43 Minimum time-to-live of entries. Should be enough to cover fragment 44 time-to-live on the reassembling side. This minimum time-to-live is 45 guaranteed if the pool size is less than inet_peer_threshold. 46 Measured in jiffies(1). 47 48inet_peer_maxttl - INTEGER 49 Maximum time-to-live of entries. Unused entries will expire after 50 this period of time if there is no memory pressure on the pool (i.e. 51 when the number of entries in the pool is very small). 52 Measured in jiffies(1). 53 54inet_peer_gc_mintime - INTEGER 55 Minimum interval between garbage collection passes. This interval is 56 in effect under high memory pressure on the pool. 57 Measured in jiffies(1). 58 59inet_peer_gc_maxtime - INTEGER 60 Minimum interval between garbage collection passes. This interval is 61 in effect under low (or absent) memory pressure on the pool. 62 Measured in jiffies(1). 63 64TCP variables: 65 66tcp_syn_retries - INTEGER 67 Number of times initial SYNs for an active TCP connection attempt 68 will be retransmitted. Should not be higher than 255. Default value 69 is 5, which corresponds to ~180seconds. 70 71tcp_synack_retries - INTEGER 72 Number of times SYNACKs for a passive TCP connection attempt will 73 be retransmitted. Should not be higher than 255. Default value 74 is 5, which corresponds to ~180seconds. 75 76tcp_keepalive_time - INTEGER 77 How often TCP sends out keepalive messages when keepalive is enabled. 78 Default: 2hours. 79 80tcp_keepalive_probes - INTEGER 81 How many keepalive probes TCP sends out, until it decides that the 82 connection is broken. Default value: 9. 83 84tcp_keepalive_intvl - INTEGER 85 How frequently the probes are send out. Multiplied by 86 tcp_keepalive_probes it is time to kill not responding connection, 87 after probes started. Default value: 75sec i.e. connection 88 will be aborted after ~11 minutes of retries. 89 90tcp_retries1 - INTEGER 91 How many times to retry before deciding that something is wrong 92 and it is necessary to report this suspection to network layer. 93 Minimal RFC value is 3, it is default, which corresponds 94 to ~3sec-8min depending on RTO. 95 96tcp_retries2 - INTEGER 97 How may times to retry before killing alive TCP connection. 98 RFC1122 says that the limit should be longer than 100 sec. 99 It is too small number. Default value 15 corresponds to ~13-30min 100 depending on RTO. 101 102tcp_orphan_retries - INTEGER 103 How may times to retry before killing TCP connection, closed 104 by our side. Default value 7 corresponds to ~50sec-16min 105 depending on RTO. If you machine is loaded WEB server, 106 you should think about lowering this value, such sockets 107 may consume significant resources. Cf. tcp_max_orphans. 108 109tcp_fin_timeout - INTEGER 110 Time to hold socket in state FIN-WAIT-2, if it was closed 111 by our side. Peer can be broken and never close its side, 112 or even died unexpectedly. Default value is 60sec. 113 Usual value used in 2.2 was 180 seconds, you may restore 114 it, but remember that if your machine is even underloaded WEB server, 115 you risk to overflow memory with kilotons of dead sockets, 116 FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, 117 because they eat maximum 1.5K of memory, but they tend 118 to live longer. Cf. tcp_max_orphans. 119 120tcp_max_tw_buckets - INTEGER 121 Maximal number of timewait sockets held by system simultaneously. 122 If this number is exceeded time-wait socket is immediately destroyed 123 and warning is printed. This limit exists only to prevent 124 simple DoS attacks, you _must_ not lower the limit artificially, 125 but rather increase it (probably, after increasing installed memory), 126 if network conditions require more than default value. 127 128tcp_tw_recycle - BOOLEAN 129 Enable fast recycling TIME-WAIT sockets. Default value is 0. 130 It should not be changed without advice/request of technical 131 experts. 132 133tcp_tw_reuse - BOOLEAN 134 Allow to reuse TIME-WAIT sockets for new connections when it is 135 safe from protocol viewpoint. Default value is 0. 136 It should not be changed without advice/request of technical 137 experts. 138 139tcp_max_orphans - INTEGER 140 Maximal number of TCP sockets not attached to any user file handle, 141 held by system. If this number is exceeded orphaned connections are 142 reset immediately and warning is printed. This limit exists 143 only to prevent simple DoS attacks, you _must_ not rely on this 144 or lower the limit artificially, but rather increase it 145 (probably, after increasing installed memory), 146 if network conditions require more than default value, 147 and tune network services to linger and kill such states 148 more aggressively. Let me to remind again: each orphan eats 149 up to ~64K of unswappable memory. 150 151tcp_abort_on_overflow - BOOLEAN 152 If listening service is too slow to accept new connections, 153 reset them. Default state is FALSE. It means that if overflow 154 occurred due to a burst, connection will recover. Enable this 155 option _only_ if you are really sure that listening daemon 156 cannot be tuned to accept connections faster. Enabling this 157 option can harm clients of your server. 158 159tcp_syncookies - BOOLEAN 160 Only valid when the kernel was compiled with CONFIG_SYNCOOKIES 161 Send out syncookies when the syn backlog queue of a socket 162 overflows. This is to prevent against the common 'syn flood attack' 163 Default: FALSE 164 165 Note, that syncookies is fallback facility. 166 It MUST NOT be used to help highly loaded servers to stand 167 against legal connection rate. If you see synflood warnings 168 in your logs, but investigation shows that they occur 169 because of overload with legal connections, you should tune 170 another parameters until this warning disappear. 171 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. 172 173 syncookies seriously violate TCP protocol, do not allow 174 to use TCP extensions, can result in serious degradation 175 of some services (f.e. SMTP relaying), visible not by you, 176 but your clients and relays, contacting you. While you see 177 synflood warnings in logs not being really flooded, your server 178 is seriously misconfigured. 179 180tcp_stdurg - BOOLEAN 181 Use the Host requirements interpretation of the TCP urg pointer field. 182 Most hosts use the older BSD interpretation, so if you turn this on 183 Linux might not communicate correctly with them. 184 Default: FALSE 185 186tcp_max_syn_backlog - INTEGER 187 Maximal number of remembered connection requests, which are 188 still did not receive an acknowledgement from connecting client. 189 Default value is 1024 for systems with more than 128Mb of memory, 190 and 128 for low memory machines. If server suffers of overload, 191 try to increase this number. 192 193tcp_window_scaling - BOOLEAN 194 Enable window scaling as defined in RFC1323. 195 196tcp_timestamps - BOOLEAN 197 Enable timestamps as defined in RFC1323. 198 199tcp_sack - BOOLEAN 200 Enable select acknowledgments (SACKS). 201 202tcp_fack - BOOLEAN 203 Enable FACK congestion avoidance and fast restransmission. 204 The value is not used, if tcp_sack is not enabled. 205 206tcp_dsack - BOOLEAN 207 Allows TCP to send "duplicate" SACKs. 208 209tcp_ecn - BOOLEAN 210 Enable Explicit Congestion Notification in TCP. 211 212tcp_reordering - INTEGER 213 Maximal reordering of packets in a TCP stream. 214 Default: 3 215 216tcp_retrans_collapse - BOOLEAN 217 Bug-to-bug compatibility with some broken printers. 218 On retransmit try to send bigger packets to work around bugs in 219 certain TCP stacks. 220 221tcp_wmem - vector of 3 INTEGERs: min, default, max 222 min: Amount of memory reserved for send buffers for TCP socket. 223 Each TCP socket has rights to use it due to fact of its birth. 224 Default: 4K 225 226 default: Amount of memory allowed for send buffers for TCP socket 227 by default. This value overrides net.core.wmem_default used 228 by other protocols, it is usually lower than net.core.wmem_default. 229 Default: 16K 230 231 max: Maximal amount of memory allowed for automatically selected 232 send buffers for TCP socket. This value does not override 233 net.core.wmem_max, "static" selection via SO_SNDBUF does not use this. 234 Default: 128K 235 236tcp_rmem - vector of 3 INTEGERs: min, default, max 237 min: Minimal size of receive buffer used by TCP sockets. 238 It is guaranteed to each TCP socket, even under moderate memory 239 pressure. 240 Default: 8K 241 242 default: default size of receive buffer used by TCP sockets. 243 This value overrides net.core.rmem_default used by other protocols. 244 Default: 87380 bytes. This value results in window of 65535 with 245 default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit 246 less for default tcp_app_win. See below about these variables. 247 248 max: maximal size of receive buffer allowed for automatically 249 selected receiver buffers for TCP socket. This value does not override 250 net.core.rmem_max, "static" selection via SO_RCVBUF does not use this. 251 Default: 87380*2 bytes. 252 253tcp_mem - vector of 3 INTEGERs: min, pressure, max 254 low: below this number of pages TCP is not bothered about its 255 memory appetite. 256 257 pressure: when amount of memory allocated by TCP exceeds this number 258 of pages, TCP moderates its memory consumption and enters memory 259 pressure mode, which is exited when memory consumtion falls 260 under "low". 261 262 high: number of pages allowed for queueing by all TCP sockets. 263 264 Defaults are calculated at boot time from amount of available 265 memory. 266 267tcp_app_win - INTEGER 268 Reserve max(window/2^tcp_app_win, mss) of window for application 269 buffer. Value 0 is special, it means that nothing is reserved. 270 Default: 31 271 272tcp_adv_win_scale - INTEGER 273 Count buffering overhead as bytes/2^tcp_adv_win_scale 274 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), 275 if it is <= 0. 276 Default: 2 277 278tcp_rfc1337 - BOOLEAN 279 If set, the TCP stack behaves conforming to RFC1337. If unset, 280 we are not conforming to RFC, but prevent TCP TIME_WAIT 281 asassination. 282 Default: 0 283 284ip_local_port_range - 2 INTEGERS 285 Defines the local port range that is used by TCP and UDP to 286 choose the local port. The first number is the first, the 287 second the last local port number. Default value depends on 288 amount of memory available on the system: 289 > 128Mb 32768-61000 290 < 128Mb 1024-4999 or even less. 291 This number defines number of active connections, which this 292 system can issue simultaneously to systems not supporting 293 TCP extensions (timestamps). With tcp_tw_recycle enabled 294 (i.e. by default) range 1024-4999 is enough to issue up to 295 2000 connections per second to systems supporting timestamps. 296 297ip_nonlocal_bind - BOOLEAN 298 If set, allows processes to bind() to non-local IP adresses, 299 which can be quite useful - but may break some applications. 300 Default: 0 301 302ip_dynaddr - BOOLEAN 303 If set non-zero, enables support for dynamic addresses. 304 If set to a non-zero value larger than 1, a kernel log 305 message will be printed when dynamic address rewriting 306 occurs. 307 Default: 0 308 309icmp_echo_ignore_all - BOOLEAN 310icmp_echo_ignore_broadcasts - BOOLEAN 311 If either is set to true, then the kernel will ignore either all 312 ICMP ECHO requests sent to it or just those to broadcast/multicast 313 addresses, respectively. 314 315icmp_ratelimit - INTEGER 316 Limit the maximal rates for sending ICMP packets whose type matches 317 icmp_ratemask (see below) to specific targets. 318 0 to disable any limiting, otherwise the maximal rate in jiffies(1) 319 Default: 100 320 321icmp_ratemask - INTEGER 322 Mask made of ICMP types for which rates are being limited. 323 Significant bits: IHGFEDCBA9876543210 324 Default mask: 0000001100000011000 (6168) 325 326 Bit definitions (see include/linux/icmp.h): 327 0 Echo Reply 328 3 Destination Unreachable * 329 4 Source Quench * 330 5 Redirect 331 8 Echo Request 332 B Time Exceeded * 333 C Parameter Problem * 334 D Timestamp Request 335 E Timestamp Reply 336 F Info Request 337 G Info Reply 338 H Address Mask Request 339 I Address Mask Reply 340 341 * These are rate limited by default (see default mask above) 342 343icmp_ignore_bogus_error_responses - BOOLEAN 344 Some routers violate RFC1122 by sending bogus responses to broadcast 345 frames. Such violations are normally logged via a kernel warning. 346 If this is set to TRUE, the kernel will not give such warnings, which 347 will avoid log file clutter. 348 Default: FALSE 349 350igmp_max_memberships - INTEGER 351 Change the maximum number of multicast groups we can subscribe to. 352 Default: 20 353 354conf/interface/*: 355conf/all/* is special and changes the settings for all interfaces. 356 Change special settings per interface. 357 358log_martians - BOOLEAN 359 Log packets with impossible addresses to kernel log. 360 361accept_redirects - BOOLEAN 362 Accept ICMP redirect messages. 363 default TRUE (host) 364 FALSE (router) 365 366forwarding - BOOLEAN 367 Enable IP forwarding on this interface. 368 369mc_forwarding - BOOLEAN 370 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE 371 and a multicast routing daemon is required. 372 373medium_id - INTEGER 374 Integer value used to differentiate the devices by the medium they 375 are attached to. Two devices can have different id values when 376 the broadcast packets are received only on one of them. 377 The default value 0 means that the device is the only interface 378 to its medium, value of -1 means that medium is not known. 379 380 Currently, it is used to change the proxy_arp behavior: 381 the proxy_arp feature is enabled for packets forwarded between 382 two devices attached to different media. 383 384proxy_arp - BOOLEAN 385 Do proxy arp. 386 387shared_media - BOOLEAN 388 Send(router) or accept(host) RFC1620 shared media redirects. 389 Overrides ip_secure_redirects. 390 default TRUE 391 392secure_redirects - BOOLEAN 393 Accept ICMP redirect messages only for gateways, 394 listed in default gateway list. 395 default TRUE 396 397send_redirects - BOOLEAN 398 Send redirects, if router. Default: TRUE 399 400bootp_relay - BOOLEAN 401 Accept packets with source address 0.b.c.d destined 402 not to this host as local ones. It is supposed, that 403 BOOTP relay daemon will catch and forward such packets. 404 405 default FALSE 406 Not Implemented Yet. 407 408accept_source_route - BOOLEAN 409 Accept packets with SRR option. 410 default TRUE (router) 411 FALSE (host) 412 413rp_filter - BOOLEAN 414 1 - do source validation by reversed path, as specified in RFC1812 415 Recommended option for single homed hosts and stub network 416 routers. Could cause troubles for complicated (not loop free) 417 networks running a slow unreliable protocol (sort of RIP), 418 or using static routes. 419 420 0 - No source validation. 421 422 Default value is 0. Note that some distributions enable it 423 in startup scripts. 424 425arp_filter - BOOLEAN 426 1 - Allows you to have multiple network interfaces on the same 427 subnet, and have the ARPs for each interface be answered 428 based on whether or not the kernel would route a packet from 429 the ARP'd IP out that interface (therefore you must use source 430 based routing for this to work). In other words it allows control 431 of which cards (usually 1) will respond to an arp request. 432 433 0 - (default) The kernel can respond to arp requests with addresses 434 from other interfaces. This may seem wrong but it usually makes 435 sense, because it increases the chance of successful communication. 436 IP addresses are owned by the complete host on Linux, not by 437 particular interfaces. Only for more complex setups like load- 438 balancing, does this behaviour cause problems. 439 440tag - INTEGER 441 Allows you to write a number, which can be used as required. 442 Default value is 0. 443 444(1) Jiffie: internal timeunit for the kernel. On the i386 1/100s, on the 445Alpha 1/1024s. See the HZ define in /usr/include/asm/param.h for the exact 446value on your system. 447 448Alexey Kuznetsov. 449kuznet@ms2.inr.ac.ru 450 451Updated by: 452Andi Kleen 453ak@muc.de 454 455 456 457 458 459 460/proc/sys/net/ipv6/* Variables: 461 462IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also 463apply to IPv6 [XXX?]. 464 465conf/default/*: 466 Change the interface-specific default settings. 467 468 469conf/all/*: 470 Change all the interface-specific settings. 471 472 [XXX: Other special features than forwarding?] 473 474conf/all/forwarding - BOOLEAN 475 Enable global IPv6 forwarding between all interfaces. 476 477 IPv4 and IPv6 work differently here; e.g. netfilter must be used 478 to control which interfaces may forward packets and which not. 479 480 This also sets all interfaces' Host/Router setting 481 'forwarding' to the specified value. See below for details. 482 483 This referred to as global forwarding. 484 485conf/interface/*: 486 Change special settings per interface. 487 488 The functional behaviour for certain settings is different 489 depending on whether local forwarding is enabled or not. 490 491accept_ra - BOOLEAN 492 Accept Router Advertisements; autoconfigure using them. 493 494 Functional default: enabled if local forwarding is disabled. 495 disabled if local forwarding is enabled. 496 497accept_redirects - BOOLEAN 498 Accept Redirects. 499 500 Functional default: enabled if local forwarding is disabled. 501 disabled if local forwarding is enabled. 502 503autoconf - BOOLEAN 504 Configure link-local addresses using L2 hardware addresses. 505 506 Default: TRUE 507 508dad_transmits - INTEGER 509 The amount of Duplicate Address Detection probes to send. 510 Default: 1 511 512forwarding - BOOLEAN 513 Configure interface-specific Host/Router behaviour. 514 515 Note: It is recommended to have the same setting on all 516 interfaces; mixed router/host scenarios are rather uncommon. 517 518 FALSE: 519 520 By default, Host behaviour is assumed. This means: 521 522 1. IsRouter flag is not set in Neighbour Advertisements. 523 2. Router Solicitations are being sent when necessary. 524 3. If accept_ra is TRUE (default), accept Router 525 Advertisements (and do autoconfiguration). 526 4. If accept_redirects is TRUE (default), accept Redirects. 527 528 TRUE: 529 530 If local forwarding is enabled, Router behaviour is assumed. 531 This means exactly the reverse from the above: 532 533 1. IsRouter flag is set in Neighbour Advertisements. 534 2. Router Solicitations are not sent. 535 3. Router Advertisements are ignored. 536 4. Redirects are ignored. 537 538 Default: FALSE if global forwarding is disabled (default), 539 otherwise TRUE. 540 541hop_limit - INTEGER 542 Default Hop Limit to set. 543 Default: 64 544 545mtu - INTEGER 546 Default Maximum Transfer Unit 547 Default: 1280 (IPv6 required minimum) 548 549router_solicitation_delay - INTEGER 550 Number of seconds to wait after interface is brought up 551 before sending Router Solicitations. 552 Default: 1 553 554router_solicitation_interval - INTEGER 555 Number of seconds to wait between Router Solicitations. 556 Default: 4 557 558router_solicitations - INTEGER 559 Number of Router Solicitations to send until assuming no 560 routers are present. 561 Default: 3 562 563IPv6 Update by: 564Pekka Savola 565pekkas@netcore.fi 566 567$Id: ip-sysctl.txt,v 1.1.1.1 2008/10/15 03:25:57 james26_jang Exp $ 568