1.. SPDX-License-Identifier: GPL-2.0 2 3========= 4IP Sysctl 5========= 6 7/proc/sys/net/ipv4/* Variables 8============================== 9 10ip_forward - BOOLEAN 11 Forward Packets between interfaces. 12 13 This variable is special, its change resets all configuration 14 parameters to their default state (RFC1122 for hosts, RFC1812 15 for routers) 16 17 Possible values: 18 19 - 0 (disabled) 20 - 1 (enabled) 21 22 Default: 0 (disabled) 23 24ip_default_ttl - INTEGER 25 Default value of TTL field (Time To Live) for outgoing (but not 26 forwarded) IP packets. Should be between 1 and 255 inclusive. 27 Default: 64 (as recommended by RFC1700) 28 29ip_no_pmtu_disc - INTEGER 30 Disable Path MTU Discovery. If enabled in mode 1 and a 31 fragmentation-required ICMP is received, the PMTU to this 32 destination will be set to the smallest of the old MTU to 33 this destination and min_pmtu (see below). You will need 34 to raise min_pmtu to the smallest interface MTU on your system 35 manually if you want to avoid locally generated fragments. 36 37 In mode 2 incoming Path MTU Discovery messages will be 38 discarded. Outgoing frames are handled the same as in mode 1, 39 implicitly setting IP_PMTUDISC_DONT on every created socket. 40 41 Mode 3 is a hardened pmtu discover mode. The kernel will only 42 accept fragmentation-needed errors if the underlying protocol 43 can verify them besides a plain socket lookup. Current 44 protocols for which pmtu events will be honored are TCP and 45 SCTP as they verify e.g. the sequence number or the 46 association. This mode should not be enabled globally but is 47 only intended to secure e.g. name servers in namespaces where 48 TCP path mtu must still work but path MTU information of other 49 protocols should be discarded. If enabled globally this mode 50 could break other protocols. 51 52 Possible values: 0-3 53 54 Default: FALSE 55 56min_pmtu - INTEGER 57 default 552 - minimum Path MTU. Unless this is changed manually, 58 each cached pmtu will never be lower than this setting. 59 60ip_forward_use_pmtu - BOOLEAN 61 By default we don't trust protocol path MTUs while forwarding 62 because they could be easily forged and can lead to unwanted 63 fragmentation by the router. 64 You only need to enable this if you have user-space software 65 which tries to discover path mtus by itself and depends on the 66 kernel honoring this information. This is normally not the 67 case. 68 69 Possible values: 70 71 - 0 (disabled) 72 - 1 (enabled) 73 74 Default: 0 (disabled) 75 76fwmark_reflect - BOOLEAN 77 Controls the fwmark of kernel-generated IPv4 reply packets that are not 78 associated with a socket for example, TCP RSTs or ICMP echo replies). 79 If disabled, these packets have a fwmark of zero. If enabled, they have the 80 fwmark of the packet they are replying to. 81 82 Possible values: 83 84 - 0 (disabled) 85 - 1 (enabled) 86 87 Default: 0 (disabled) 88 89fib_multipath_use_neigh - BOOLEAN 90 Use status of existing neighbor entry when determining nexthop for 91 multipath routes. If disabled, neighbor information is not used and 92 packets could be directed to a failed nexthop. Only valid for kernels 93 built with CONFIG_IP_ROUTE_MULTIPATH enabled. 94 95 Possible values: 96 97 - 0 (disabled) 98 - 1 (enabled) 99 100 Default: 0 (disabled) 101 102fib_multipath_hash_policy - INTEGER 103 Controls which hash policy to use for multipath routes. Only valid 104 for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. 105 106 Default: 0 (Layer 3) 107 108 Possible values: 109 110 - 0 - Layer 3 111 - 1 - Layer 4 112 - 2 - Layer 3 or inner Layer 3 if present 113 - 3 - Custom multipath hash. Fields used for multipath hash calculation 114 are determined by fib_multipath_hash_fields sysctl 115 116fib_multipath_hash_fields - UNSIGNED INTEGER 117 When fib_multipath_hash_policy is set to 3 (custom multipath hash), the 118 fields used for multipath hash calculation are determined by this 119 sysctl. 120 121 This value is a bitmask which enables various fields for multipath hash 122 calculation. 123 124 Possible fields are: 125 126 ====== ============================ 127 0x0001 Source IP address 128 0x0002 Destination IP address 129 0x0004 IP protocol 130 0x0008 Unused (Flow Label) 131 0x0010 Source port 132 0x0020 Destination port 133 0x0040 Inner source IP address 134 0x0080 Inner destination IP address 135 0x0100 Inner IP protocol 136 0x0200 Inner Flow Label 137 0x0400 Inner source port 138 0x0800 Inner destination port 139 ====== ============================ 140 141 Default: 0x0007 (source IP, destination IP and IP protocol) 142 143fib_multipath_hash_seed - UNSIGNED INTEGER 144 The seed value used when calculating hash for multipath routes. Applies 145 to both IPv4 and IPv6 datapath. Only present for kernels built with 146 CONFIG_IP_ROUTE_MULTIPATH enabled. 147 148 When set to 0, the seed value used for multipath routing defaults to an 149 internal random-generated one. 150 151 The actual hashing algorithm is not specified -- there is no guarantee 152 that a next hop distribution effected by a given seed will keep stable 153 across kernel versions. 154 155 Default: 0 (random) 156 157fib_sync_mem - UNSIGNED INTEGER 158 Amount of dirty memory from fib entries that can be backlogged before 159 synchronize_rcu is forced. 160 161 Default: 512kB Minimum: 64kB Maximum: 64MB 162 163ip_forward_update_priority - INTEGER 164 Whether to update SKB priority from "TOS" field in IPv4 header after it 165 is forwarded. The new SKB priority is mapped from TOS field value 166 according to an rt_tos2priority table (see e.g. man tc-prio). 167 168 Default: 1 (Update priority.) 169 170 Possible values: 171 172 - 0 - Do not update priority. 173 - 1 - Update priority. 174 175route/max_size - INTEGER 176 Maximum number of routes allowed in the kernel. Increase 177 this when using large numbers of interfaces and/or routes. 178 179 From linux kernel 3.6 onwards, this is deprecated for ipv4 180 as route cache is no longer used. 181 182 From linux kernel 6.3 onwards, this is deprecated for ipv6 183 as garbage collection manages cached route entries. 184 185neigh/default/gc_thresh1 - INTEGER 186 Minimum number of entries to keep. Garbage collector will not 187 purge entries if there are fewer than this number. 188 189 Default: 128 190 191neigh/default/gc_thresh2 - INTEGER 192 Threshold when garbage collector becomes more aggressive about 193 purging entries. Entries older than 5 seconds will be cleared 194 when over this number. 195 196 Default: 512 197 198neigh/default/gc_thresh3 - INTEGER 199 Maximum number of non-PERMANENT neighbor entries allowed. Increase 200 this when using large numbers of interfaces and when communicating 201 with large numbers of directly-connected peers. 202 203 Default: 1024 204 205neigh/default/gc_interval - INTEGER 206 Specifies how often the garbage collector for neighbor entries 207 should run. This value applies to the entire table, not 208 individual entries. Unused since kernel v2.6.8. 209 210 Default: 30 seconds 211 212neigh/default/gc_stale_time - INTEGER 213 Determines how long a neighbor entry can remain unused before it is 214 considered stale and eligible for garbage collection. Entries that have 215 not been used for longer than this time will be removed by the garbage 216 collector, unless they have active references, are marked as PERMANENT, 217 or carry the NTF_EXT_LEARNED or NTF_EXT_VALIDATED flag. Stale entries 218 are only removed by the periodic GC when there are at least gc_thresh1 219 neighbors in the table. 220 221 Default: 60 seconds 222 223neigh/default/unres_qlen_bytes - INTEGER 224 The maximum number of bytes which may be used by packets 225 queued for each unresolved address by other network layers. 226 (added in linux 3.3) 227 228 Setting negative value is meaningless and will return error. 229 230 Default: SK_WMEM_DEFAULT, (same as net.core.wmem_default). 231 232 Exact value depends on architecture and kernel options, 233 but should be enough to allow queuing 256 packets 234 of medium size. 235 236neigh/default/unres_qlen - INTEGER 237 The maximum number of packets which may be queued for each 238 unresolved address by other network layers. 239 240 (deprecated in linux 3.3) : use unres_qlen_bytes instead. 241 242 Prior to linux 3.3, the default value is 3 which may cause 243 unexpected packet loss. The current default value is calculated 244 according to default value of unres_qlen_bytes and true size of 245 packet. 246 247 Default: 101 248 249neigh/default/interval_probe_time_ms - INTEGER 250 The probe interval for neighbor entries with NTF_MANAGED flag, 251 the min value is 1. 252 253 Default: 5000 254 255mtu_expires - INTEGER 256 Time, in seconds, that cached PMTU information is kept. 257 258min_adv_mss - INTEGER 259 The advertised MSS depends on the first hop route MTU, but will 260 never be lower than this setting. 261 262fib_notify_on_flag_change - INTEGER 263 Whether to emit RTM_NEWROUTE notifications whenever RTM_F_OFFLOAD/ 264 RTM_F_TRAP/RTM_F_OFFLOAD_FAILED flags are changed. 265 266 After installing a route to the kernel, user space receives an 267 acknowledgment, which means the route was installed in the kernel, 268 but not necessarily in hardware. 269 It is also possible for a route already installed in hardware to change 270 its action and therefore its flags. For example, a host route that is 271 trapping packets can be "promoted" to perform decapsulation following 272 the installation of an IPinIP/VXLAN tunnel. 273 The notifications will indicate to user-space the state of the route. 274 275 Default: 0 (Do not emit notifications.) 276 277 Possible values: 278 279 - 0 - Do not emit notifications. 280 - 1 - Emit notifications. 281 - 2 - Emit notifications only for RTM_F_OFFLOAD_FAILED flag change. 282 283IP Fragmentation: 284 285ipfrag_high_thresh - LONG INTEGER 286 Maximum memory used to reassemble IP fragments. 287 288ipfrag_low_thresh - LONG INTEGER 289 (Obsolete since linux-4.17) 290 Maximum memory used to reassemble IP fragments before the kernel 291 begins to remove incomplete fragment queues to free up resources. 292 The kernel still accepts new fragments for defragmentation. 293 294ipfrag_time - INTEGER 295 Time in seconds to keep an IP fragment in memory. 296 297ipfrag_max_dist - INTEGER 298 ipfrag_max_dist is a non-negative integer value which defines the 299 maximum "disorder" which is allowed among fragments which share a 300 common IP source address. Note that reordering of packets is 301 not unusual, but if a large number of fragments arrive from a source 302 IP address while a particular fragment queue remains incomplete, it 303 probably indicates that one or more fragments belonging to that queue 304 have been lost. When ipfrag_max_dist is positive, an additional check 305 is done on fragments before they are added to a reassembly queue - if 306 ipfrag_max_dist (or more) fragments have arrived from a particular IP 307 address between additions to any IP fragment queue using that source 308 address, it's presumed that one or more fragments in the queue are 309 lost. The existing fragment queue will be dropped, and a new one 310 started. An ipfrag_max_dist value of zero disables this check. 311 312 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can 313 result in unnecessarily dropping fragment queues when normal 314 reordering of packets occurs, which could lead to poor application 315 performance. Using a very large value, e.g. 50000, increases the 316 likelihood of incorrectly reassembling IP fragments that originate 317 from different IP datagrams, which could result in data corruption. 318 Default: 64 319 320bc_forwarding - INTEGER 321 bc_forwarding enables the feature described in rfc1812#section-5.3.5.2 322 and rfc2644. It allows the router to forward directed broadcast. 323 To enable this feature, the 'all' entry and the input interface entry 324 should be set to 1. 325 Default: 0 326 327INET peer storage 328================= 329 330inet_peer_threshold - INTEGER 331 The approximate size of the storage. Starting from this threshold 332 entries will be thrown aggressively. This threshold also determines 333 entries' time-to-live and time intervals between garbage collection 334 passes. More entries, less time-to-live, less GC interval. 335 336inet_peer_minttl - INTEGER 337 Minimum time-to-live of entries. Should be enough to cover fragment 338 time-to-live on the reassembling side. This minimum time-to-live is 339 guaranteed if the pool size is less than inet_peer_threshold. 340 Measured in seconds. 341 342inet_peer_maxttl - INTEGER 343 Maximum time-to-live of entries. Unused entries will expire after 344 this period of time if there is no memory pressure on the pool (i.e. 345 when the number of entries in the pool is very small). 346 Measured in seconds. 347 348TCP variables 349============= 350 351somaxconn - INTEGER 352 Limit of socket listen() backlog, known in userspace as SOMAXCONN. 353 Defaults to 4096. (Was 128 before linux-5.4) 354 See also tcp_max_syn_backlog for additional tuning for TCP sockets. 355 356tcp_abort_on_overflow - BOOLEAN 357 If listening service is too slow to accept new connections, 358 reset them. Default state is FALSE. It means that if overflow 359 occurred due to a burst, connection will recover. Enable this 360 option _only_ if you are really sure that listening daemon 361 cannot be tuned to accept connections faster. Enabling this 362 option can harm clients of your server. 363 364tcp_adv_win_scale - INTEGER 365 Obsolete since linux-6.6 366 Count buffering overhead as bytes/2^tcp_adv_win_scale 367 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), 368 if it is <= 0. 369 370 Possible values are [-31, 31], inclusive. 371 372 Default: 1 373 374tcp_allowed_congestion_control - STRING 375 Show/set the congestion control choices available to non-privileged 376 processes. The list is a subset of those listed in 377 tcp_available_congestion_control. 378 379 Default is "reno" and the default setting (tcp_congestion_control). 380 381tcp_app_win - INTEGER 382 Reserve max(window/2^tcp_app_win, mss) of window for application 383 buffer. Value 0 is special, it means that nothing is reserved. 384 385 Possible values are [0, 31], inclusive. 386 387 Default: 31 388 389tcp_autocorking - BOOLEAN 390 Enable TCP auto corking : 391 When applications do consecutive small write()/sendmsg() system calls, 392 we try to coalesce these small writes as much as possible, to lower 393 total amount of sent packets. This is done if at least one prior 394 packet for the flow is waiting in Qdisc queues or device transmit 395 queue. Applications can still use TCP_CORK for optimal behavior 396 when they know how/when to uncork their sockets. 397 398 Possible values: 399 400 - 0 (disabled) 401 - 1 (enabled) 402 403 Default: 1 (enabled) 404 405tcp_available_congestion_control - STRING 406 Shows the available congestion control choices that are registered. 407 More congestion control algorithms may be available as modules, 408 but not loaded. 409 410tcp_base_mss - INTEGER 411 The initial value of search_low to be used by the packetization layer 412 Path MTU discovery (MTU probing). If MTU probing is enabled, 413 this is the initial MSS used by the connection. 414 415tcp_mtu_probe_floor - INTEGER 416 If MTU probing is enabled this caps the minimum MSS used for search_low 417 for the connection. 418 419 Default : 48 420 421tcp_min_snd_mss - INTEGER 422 TCP SYN and SYNACK messages usually advertise an ADVMSS option, 423 as described in RFC 1122 and RFC 6691. 424 425 If this ADVMSS option is smaller than tcp_min_snd_mss, 426 it is silently capped to tcp_min_snd_mss. 427 428 Default : 48 (at least 8 bytes of payload per segment) 429 430tcp_congestion_control - STRING 431 Set the congestion control algorithm to be used for new 432 connections. The algorithm "reno" is always available, but 433 additional choices may be available based on kernel configuration. 434 Default is set as part of kernel configuration. 435 For passive connections, the listener congestion control choice 436 is inherited. 437 438 [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] 439 440tcp_dsack - BOOLEAN 441 Allows TCP to send "duplicate" SACKs. 442 443 Possible values: 444 445 - 0 (disabled) 446 - 1 (enabled) 447 448 Default: 1 (enabled) 449 450tcp_early_retrans - INTEGER 451 Tail loss probe (TLP) converts RTOs occurring due to tail 452 losses into fast recovery (RFC8985). Note that 453 TLP requires RACK to function properly (see tcp_recovery below) 454 455 Possible values: 456 457 - 0 disables TLP 458 - 3 or 4 enables TLP 459 460 Default: 3 461 462tcp_ecn - INTEGER 463 Control use of Explicit Congestion Notification (ECN) by TCP. 464 ECN is used only when both ends of the TCP connection indicate support 465 for it. This feature is useful in avoiding losses due to congestion by 466 allowing supporting routers to signal congestion before having to drop 467 packets. A host that supports ECN both sends ECN at the IP layer and 468 feeds back ECN at the TCP layer. The highest variant of ECN feedback 469 that both peers support is chosen by the ECN negotiation (Accurate ECN, 470 ECN, or no ECN). 471 472 The highest negotiated variant for incoming connection requests 473 and the highest variant requested by outgoing connection 474 attempts: 475 476 ===== ==================== ==================== 477 Value Incoming connections Outgoing connections 478 ===== ==================== ==================== 479 0 No ECN No ECN 480 1 ECN ECN 481 2 ECN No ECN 482 3 AccECN AccECN 483 4 AccECN ECN 484 5 AccECN No ECN 485 ===== ==================== ==================== 486 487 Default: 2 488 489tcp_ecn_option - INTEGER 490 Control Accurate ECN (AccECN) option sending when AccECN has been 491 successfully negotiated during handshake. Send logic inhibits 492 sending AccECN options regarless of this setting when no AccECN 493 option has been seen for the reverse direction. 494 495 Possible values are: 496 497 = ============================================================ 498 0 Never send AccECN option. This also disables sending AccECN 499 option in SYN/ACK during handshake. 500 1 Send AccECN option sparingly according to the minimum option 501 rules outlined in draft-ietf-tcpm-accurate-ecn. 502 2 Send AccECN option on every packet whenever it fits into TCP 503 option space except when AccECN fallback is triggered. 504 3 Send AccECN option on every packet whenever it fits into TCP 505 option space even when AccECN fallback is triggered. 506 = ============================================================ 507 508 Default: 2 509 510tcp_ecn_option_beacon - INTEGER 511 Control Accurate ECN (AccECN) option sending frequency per RTT and it 512 takes effect only when tcp_ecn_option is set to 2. 513 514 Default: 3 (AccECN will be send at least 3 times per RTT) 515 516tcp_ecn_fallback - BOOLEAN 517 If the kernel detects that ECN connection misbehaves, enable fall 518 back to non-ECN. Currently, this knob implements the fallback 519 from RFC3168, section 6.1.1.1., but we reserve that in future, 520 additional detection mechanisms could be implemented under this 521 knob. The value is not used, if tcp_ecn or per route (or congestion 522 control) ECN settings are disabled. 523 524 Possible values: 525 526 - 0 (disabled) 527 - 1 (enabled) 528 529 Default: 1 (enabled) 530 531tcp_fack - BOOLEAN 532 This is a legacy option, it has no effect anymore. 533 534tcp_fin_timeout - INTEGER 535 The length of time an orphaned (no longer referenced by any 536 application) connection will remain in the FIN_WAIT_2 state 537 before it is aborted at the local end. While a perfectly 538 valid "receive only" state for an un-orphaned connection, an 539 orphaned connection in FIN_WAIT_2 state could otherwise wait 540 forever for the remote to close its end of the connection. 541 542 Cf. tcp_max_orphans 543 544 Default: 60 seconds 545 546tcp_frto - INTEGER 547 Enables Forward RTO-Recovery (F-RTO) defined in RFC5682. 548 F-RTO is an enhanced recovery algorithm for TCP retransmission 549 timeouts. It is particularly beneficial in networks where the 550 RTT fluctuates (e.g., wireless). F-RTO is sender-side only 551 modification. It does not require any support from the peer. 552 553 By default it's enabled with a non-zero value. 0 disables F-RTO. 554 555tcp_fwmark_accept - BOOLEAN 556 If enabled, incoming connections to listening sockets that do not have a 557 socket mark will set the mark of the accepting socket to the fwmark of 558 the incoming SYN packet. This will cause all packets on that connection 559 (starting from the first SYNACK) to be sent with that fwmark. The 560 listening socket's mark is unchanged. Listening sockets that already 561 have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are 562 unaffected. 563 564 Possible values: 565 566 - 0 (disabled) 567 - 1 (enabled) 568 569 Default: 0 (disabled) 570 571tcp_invalid_ratelimit - INTEGER 572 Limit the maximal rate for sending duplicate acknowledgments 573 in response to incoming TCP packets that are for an existing 574 connection but that are invalid due to any of these reasons: 575 576 (a) out-of-window sequence number, 577 (b) out-of-window acknowledgment number, or 578 (c) PAWS (Protection Against Wrapped Sequence numbers) check failure 579 580 This can help mitigate simple "ack loop" DoS attacks, wherein 581 a buggy or malicious middlebox or man-in-the-middle can 582 rewrite TCP header fields in manner that causes each endpoint 583 to think that the other is sending invalid TCP segments, thus 584 causing each side to send an unterminating stream of duplicate 585 acknowledgments for invalid segments. 586 587 Using 0 disables rate-limiting of dupacks in response to 588 invalid segments; otherwise this value specifies the minimal 589 space between sending such dupacks, in milliseconds. 590 591 Default: 500 (milliseconds). 592 593tcp_keepalive_time - INTEGER 594 How often TCP sends out keepalive messages when keepalive is enabled. 595 Default: 2hours. 596 597tcp_keepalive_probes - INTEGER 598 How many keepalive probes TCP sends out, until it decides that the 599 connection is broken. Default value: 9. 600 601tcp_keepalive_intvl - INTEGER 602 How frequently the probes are send out. Multiplied by 603 tcp_keepalive_probes it is time to kill not responding connection, 604 after probes started. Default value: 75sec i.e. connection 605 will be aborted after ~11 minutes of retries. 606 607tcp_l3mdev_accept - BOOLEAN 608 Enables child sockets to inherit the L3 master device index. 609 Enabling this option allows a "global" listen socket to work 610 across L3 master domains (e.g., VRFs) with connected sockets 611 derived from the listen socket to be bound to the L3 domain in 612 which the packets originated. Only valid when the kernel was 613 compiled with CONFIG_NET_L3_MASTER_DEV. 614 615 Possible values: 616 617 - 0 (disabled) 618 - 1 (enabled) 619 620 Default: 0 (disabled) 621 622tcp_low_latency - BOOLEAN 623 This is a legacy option, it has no effect anymore. 624 625tcp_max_orphans - INTEGER 626 Maximal number of TCP sockets not attached to any user file handle, 627 held by system. If this number is exceeded orphaned connections are 628 reset immediately and warning is printed. This limit exists 629 only to prevent simple DoS attacks, you _must_ not rely on this 630 or lower the limit artificially, but rather increase it 631 (probably, after increasing installed memory), 632 if network conditions require more than default value, 633 and tune network services to linger and kill such states 634 more aggressively. Let me to remind again: each orphan eats 635 up to ~64K of unswappable memory. 636 637tcp_max_syn_backlog - INTEGER 638 Maximal number of remembered connection requests (SYN_RECV), 639 which have not received an acknowledgment from connecting client. 640 641 This is a per-listener limit. 642 643 The minimal value is 128 for low memory machines, and it will 644 increase in proportion to the memory of machine. 645 646 If server suffers from overload, try increasing this number. 647 648 Remember to also check /proc/sys/net/core/somaxconn 649 A SYN_RECV request socket consumes about 304 bytes of memory. 650 651tcp_max_tw_buckets - INTEGER 652 Maximal number of timewait sockets held by system simultaneously. 653 If this number is exceeded time-wait socket is immediately destroyed 654 and warning is printed. This limit exists only to prevent 655 simple DoS attacks, you _must_ not lower the limit artificially, 656 but rather increase it (probably, after increasing installed memory), 657 if network conditions require more than default value. 658 659tcp_mem - vector of 3 INTEGERs: min, pressure, max 660 min: below this number of pages TCP is not bothered about its 661 memory appetite. 662 663 pressure: when amount of memory allocated by TCP exceeds this number 664 of pages, TCP moderates its memory consumption and enters memory 665 pressure mode, which is exited when memory consumption falls 666 under "min". 667 668 max: number of pages allowed for queueing by all TCP sockets. 669 670 Defaults are calculated at boot time from amount of available 671 memory. 672 673tcp_min_rtt_wlen - INTEGER 674 The window length of the windowed min filter to track the minimum RTT. 675 A shorter window lets a flow more quickly pick up new (higher) 676 minimum RTT when it is moved to a longer path (e.g., due to traffic 677 engineering). A longer window makes the filter more resistant to RTT 678 inflations such as transient congestion. The unit is seconds. 679 680 Possible values: 0 - 86400 (1 day) 681 682 Default: 300 683 684tcp_moderate_rcvbuf - BOOLEAN 685 If enabled, TCP performs receive buffer auto-tuning, attempting to 686 automatically size the buffer (no greater than tcp_rmem[2]) to 687 match the size required by the path for full throughput. 688 689 Possible values: 690 691 - 0 (disabled) 692 - 1 (enabled) 693 694 Default: 1 (enabled) 695 696tcp_rcvbuf_low_rtt - INTEGER 697 rcvbuf autotuning can over estimate final socket rcvbuf, which 698 can lead to cache trashing for high throughput flows. 699 700 For small RTT flows (below tcp_rcvbuf_low_rtt usecs), we can relax 701 rcvbuf growth: Few additional ms to reach the final (and smaller) 702 rcvbuf is a good tradeoff. 703 704 Default : 1000 (1 ms) 705 706tcp_mtu_probing - INTEGER 707 Controls TCP Packetization-Layer Path MTU Discovery. Takes three 708 values: 709 710 - 0 - Disabled 711 - 1 - Disabled by default, enabled when an ICMP black hole detected 712 - 2 - Always enabled, use initial MSS of tcp_base_mss. 713 714tcp_probe_interval - UNSIGNED INTEGER 715 Controls how often to start TCP Packetization-Layer Path MTU 716 Discovery reprobe. The default is reprobing every 10 minutes as 717 per RFC4821. 718 719tcp_probe_threshold - INTEGER 720 Controls when TCP Packetization-Layer Path MTU Discovery probing 721 will stop in respect to the width of search range in bytes. Default 722 is 8 bytes. 723 724tcp_no_metrics_save - BOOLEAN 725 By default, TCP saves various connection metrics in the route cache 726 when the connection closes, so that connections established in the 727 near future can use these to set initial conditions. Usually, this 728 increases overall performance, but may sometimes cause performance 729 degradation. If enabled, TCP will not cache metrics on closing 730 connections. 731 732 Possible values: 733 734 - 0 (disabled) 735 - 1 (enabled) 736 737 Default: 0 (disabled) 738 739tcp_no_ssthresh_metrics_save - BOOLEAN 740 Controls whether TCP saves ssthresh metrics in the route cache. 741 If enabled, ssthresh metrics are disabled. 742 743 Possible values: 744 745 - 0 (disabled) 746 - 1 (enabled) 747 748 Default: 1 (enabled) 749 750tcp_orphan_retries - INTEGER 751 This value influences the timeout of a locally closed TCP connection, 752 when RTO retransmissions remain unacknowledged. 753 See tcp_retries2 for more details. 754 755 The default value is 8. 756 757 If your machine is a loaded WEB server, 758 you should think about lowering this value, such sockets 759 may consume significant resources. Cf. tcp_max_orphans. 760 761tcp_recovery - INTEGER 762 This value is a bitmap to enable various experimental loss recovery 763 features. 764 765 ========= ============================================================= 766 RACK: 0x1 enables RACK loss detection, for fast detection of lost 767 retransmissions and tail drops, and resilience to 768 reordering. currently, setting this bit to 0 has no 769 effect, since RACK is the only supported loss detection 770 algorithm. 771 772 RACK: 0x2 makes RACK's reordering window static (min_rtt/4). 773 774 RACK: 0x4 disables RACK's DUPACK threshold heuristic 775 ========= ============================================================= 776 777 Default: 0x1 778 779tcp_reflect_tos - BOOLEAN 780 For listening sockets, reuse the DSCP value of the initial SYN message 781 for outgoing packets. This allows to have both directions of a TCP 782 stream to use the same DSCP value, assuming DSCP remains unchanged for 783 the lifetime of the connection. 784 785 This options affects both IPv4 and IPv6. 786 787 Possible values: 788 789 - 0 (disabled) 790 - 1 (enabled) 791 792 Default: 0 (disabled) 793 794tcp_reordering - INTEGER 795 Initial reordering level of packets in a TCP stream. 796 TCP stack can then dynamically adjust flow reordering level 797 between this initial value and tcp_max_reordering 798 799 Default: 3 800 801tcp_max_reordering - INTEGER 802 Maximal reordering level of packets in a TCP stream. 803 300 is a fairly conservative value, but you might increase it 804 if paths are using per packet load balancing (like bonding rr mode) 805 806 Default: 300 807 808tcp_retrans_collapse - BOOLEAN 809 Bug-to-bug compatibility with some broken printers. 810 On retransmit try to send bigger packets to work around bugs in 811 certain TCP stacks. 812 813 Possible values: 814 815 - 0 (disabled) 816 - 1 (enabled) 817 818 Default: 1 (enabled) 819 820tcp_retries1 - INTEGER 821 This value influences the time, after which TCP decides, that 822 something is wrong due to unacknowledged RTO retransmissions, 823 and reports this suspicion to the network layer. 824 See tcp_retries2 for more details. 825 826 RFC 1122 recommends at least 3 retransmissions, which is the 827 default. 828 829tcp_retries2 - INTEGER 830 This value influences the timeout of an alive TCP connection, 831 when RTO retransmissions remain unacknowledged. 832 Given a value of N, a hypothetical TCP connection following 833 exponential backoff with an initial RTO of TCP_RTO_MIN would 834 retransmit N times before killing the connection at the (N+1)th RTO. 835 836 The default value of 15 yields a hypothetical timeout of 924.6 837 seconds and is a lower bound for the effective timeout. 838 TCP will effectively time out at the first RTO which exceeds the 839 hypothetical timeout. 840 If tcp_rto_max_ms is decreased, it is recommended to also 841 change tcp_retries2. 842 843 RFC 1122 recommends at least 100 seconds for the timeout, 844 which corresponds to a value of at least 8. 845 846tcp_rfc1337 - BOOLEAN 847 If enabled, the TCP stack behaves conforming to RFC1337. If unset, 848 we are not conforming to RFC, but prevent TCP TIME_WAIT 849 assassination. 850 851 Possible values: 852 853 - 0 (disabled) 854 - 1 (enabled) 855 856 Default: 0 (disabled) 857 858tcp_rmem - vector of 3 INTEGERs: min, default, max 859 min: Minimal size of receive buffer used by TCP sockets. 860 It is guaranteed to each TCP socket, even under moderate memory 861 pressure. 862 863 Default: 4K 864 865 default: initial size of receive buffer used by TCP sockets. 866 This value overrides net.core.rmem_default used by other protocols. 867 Default: 131072 bytes. 868 This value results in initial window of 65535. 869 870 max: maximal size of receive buffer allowed for automatically 871 selected receiver buffers for TCP socket. 872 Calling setsockopt() with SO_RCVBUF disables 873 automatic tuning of that socket's receive buffer size, in which 874 case this value is ignored. 875 Default: between 131072 and 32MB, depending on RAM size. 876 877tcp_sack - BOOLEAN 878 Enable select acknowledgments (SACKS). 879 880 Possible values: 881 882 - 0 (disabled) 883 - 1 (enabled) 884 885 Default: 1 (enabled) 886 887tcp_comp_sack_rtt_percent - INTEGER 888 Percentage of SRTT used for the compressed SACK feature. 889 See tcp_comp_sack_nr, tcp_comp_sack_delay_ns, tcp_comp_sack_slack_ns. 890 891 Possible values : 1 - 1000 892 893 Default : 33 % 894 895tcp_comp_sack_delay_ns - LONG INTEGER 896 TCP tries to reduce number of SACK sent, using a timer based 897 on tcp_comp_sack_rtt_percent of SRTT, capped by this sysctl 898 in nano seconds. 899 The default is 1ms, based on TSO autosizing period. 900 901 Default : 1,000,000 ns (1 ms) 902 903tcp_comp_sack_slack_ns - LONG INTEGER 904 This sysctl control the slack used when arming the 905 timer used by SACK compression. This gives extra time 906 for small RTT flows, and reduces system overhead by allowing 907 opportunistic reduction of timer interrupts. 908 Too big values might reduce goodput. 909 910 Default : 10,000 ns (10 us) 911 912tcp_comp_sack_nr - INTEGER 913 Max number of SACK that can be compressed. 914 Using 0 disables SACK compression. 915 916 Default : 44 917 918tcp_backlog_ack_defer - BOOLEAN 919 If enabled, user thread processing socket backlog tries sending 920 one ACK for the whole queue. This helps to avoid potential 921 long latencies at end of a TCP socket syscall. 922 923 Possible values: 924 925 - 0 (disabled) 926 - 1 (enabled) 927 928 Default: 1 (enabled) 929 930tcp_slow_start_after_idle - BOOLEAN 931 If enabled, provide RFC2861 behavior and time out the congestion 932 window after an idle period. An idle period is defined at 933 the current RTO. If unset, the congestion window will not 934 be timed out after an idle period. 935 936 Possible values: 937 938 - 0 (disabled) 939 - 1 (enabled) 940 941 Default: 1 (enabled) 942 943tcp_stdurg - BOOLEAN 944 Use the Host requirements interpretation of the TCP urgent pointer field. 945 Most hosts use the older BSD interpretation, so if enabled, 946 Linux might not communicate correctly with them. 947 948 Possible values: 949 950 - 0 (disabled) 951 - 1 (enabled) 952 953 Default: 0 (disabled) 954 955tcp_synack_retries - INTEGER 956 Number of times SYNACKs for a passive TCP connection attempt will 957 be retransmitted. Should not be higher than 255. Default value 958 is 5, which corresponds to 31seconds till the last retransmission 959 with the current initial RTO of 1second. With this the final timeout 960 for a passive TCP connection will happen after 63seconds. 961 962tcp_syncookies - INTEGER 963 Only valid when the kernel was compiled with CONFIG_SYN_COOKIES 964 Send out syncookies when the syn backlog queue of a socket 965 overflows. This is to prevent against the common 'SYN flood attack' 966 Default: 1 967 968 Note, that syncookies is fallback facility. 969 It MUST NOT be used to help highly loaded servers to stand 970 against legal connection rate. If you see SYN flood warnings 971 in your logs, but investigation shows that they occur 972 because of overload with legal connections, you should tune 973 another parameters until this warning disappear. 974 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. 975 976 syncookies seriously violate TCP protocol, do not allow 977 to use TCP extensions, can result in serious degradation 978 of some services (f.e. SMTP relaying), visible not by you, 979 but your clients and relays, contacting you. While you see 980 SYN flood warnings in logs not being really flooded, your server 981 is seriously misconfigured. 982 983 If you want to test which effects syncookies have to your 984 network connections you can set this knob to 2 to enable 985 unconditionally generation of syncookies. 986 987tcp_migrate_req - BOOLEAN 988 The incoming connection is tied to a specific listening socket when 989 the initial SYN packet is received during the three-way handshake. 990 When a listener is closed, in-flight request sockets during the 991 handshake and established sockets in the accept queue are aborted. 992 993 If the listener has SO_REUSEPORT enabled, other listeners on the 994 same port should have been able to accept such connections. This 995 option makes it possible to migrate such child sockets to another 996 listener after close() or shutdown(). 997 998 The BPF_SK_REUSEPORT_SELECT_OR_MIGRATE type of eBPF program should 999 usually be used to define the policy to pick an alive listener. 1000 Otherwise, the kernel will randomly pick an alive listener only if 1001 this option is enabled. 1002 1003 Note that migration between listeners with different settings may 1004 crash applications. Let's say migration happens from listener A to 1005 B, and only B has TCP_SAVE_SYN enabled. B cannot read SYN data from 1006 the requests migrated from A. To avoid such a situation, cancel 1007 migration by returning SK_DROP in the type of eBPF program, or 1008 disable this option. 1009 1010 Possible values: 1011 1012 - 0 (disabled) 1013 - 1 (enabled) 1014 1015 Default: 0 (disabled) 1016 1017tcp_fastopen - INTEGER 1018 Enable TCP Fast Open (RFC7413) to send and accept data in the opening 1019 SYN packet. 1020 1021 The client support is enabled by flag 0x1 (on by default). The client 1022 then must use sendmsg() or sendto() with the MSG_FASTOPEN flag, 1023 rather than connect() to send data in SYN. 1024 1025 The server support is enabled by flag 0x2 (off by default). Then 1026 either enable for all listeners with another flag (0x400) or 1027 enable individual listeners via TCP_FASTOPEN socket option with 1028 the option value being the length of the syn-data backlog. 1029 1030 The values (bitmap) are 1031 1032 ===== ======== ====================================================== 1033 0x1 (client) enables sending data in the opening SYN on the client. 1034 0x2 (server) enables the server support, i.e., allowing data in 1035 a SYN packet to be accepted and passed to the 1036 application before 3-way handshake finishes. 1037 0x4 (client) send data in the opening SYN regardless of cookie 1038 availability and without a cookie option. 1039 0x200 (server) accept data-in-SYN w/o any cookie option present. 1040 0x400 (server) enable all listeners to support Fast Open by 1041 default without explicit TCP_FASTOPEN socket option. 1042 ===== ======== ====================================================== 1043 1044 Default: 0x1 1045 1046 Note that additional client or server features are only 1047 effective if the basic support (0x1 and 0x2) are enabled respectively. 1048 1049tcp_fastopen_blackhole_timeout_sec - INTEGER 1050 Initial time period in second to disable Fastopen on active TCP sockets 1051 when a TFO firewall blackhole issue happens. 1052 This time period will grow exponentially when more blackhole issues 1053 get detected right after Fastopen is re-enabled and will reset to 1054 initial value when the blackhole issue goes away. 1055 0 to disable the blackhole detection. 1056 1057 By default, it is set to 0 (feature is disabled). 1058 1059tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs 1060 The list consists of a primary key and an optional backup key. The 1061 primary key is used for both creating and validating cookies, while the 1062 optional backup key is only used for validating cookies. The purpose of 1063 the backup key is to maximize TFO validation when keys are rotated. 1064 1065 A randomly chosen primary key may be configured by the kernel if 1066 the tcp_fastopen sysctl is set to 0x400 (see above), or if the 1067 TCP_FASTOPEN setsockopt() optname is set and a key has not been 1068 previously configured via sysctl. If keys are configured via 1069 setsockopt() by using the TCP_FASTOPEN_KEY optname, then those 1070 per-socket keys will be used instead of any keys that are specified via 1071 sysctl. 1072 1073 A key is specified as 4 8-digit hexadecimal integers which are separated 1074 by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be 1075 omitted. A primary and a backup key may be specified by separating them 1076 by a comma. If only one key is specified, it becomes the primary key and 1077 any previously configured backup keys are removed. 1078 1079tcp_syn_retries - INTEGER 1080 Number of times initial SYNs for an active TCP connection attempt 1081 will be retransmitted. Should not be higher than 127. Default value 1082 is 6, which corresponds to 67seconds (with tcp_syn_linear_timeouts = 4) 1083 till the last retransmission with the current initial RTO of 1second. 1084 With this the final timeout for an active TCP connection attempt 1085 will happen after 131seconds. 1086 1087tcp_timestamps - INTEGER 1088 Enable timestamps as defined in RFC1323. 1089 1090 - 0: Disabled. 1091 - 1: Enable timestamps as defined in RFC1323 and use random offset for 1092 each connection rather than only using the current time. 1093 - 2: Like 1, but without random offsets. 1094 1095 Default: 1 1096 1097tcp_min_tso_segs - INTEGER 1098 Minimal number of segments per TSO frame. 1099 1100 Since linux-3.12, TCP does an automatic sizing of TSO frames, 1101 depending on flow rate, instead of filling 64Kbytes packets. 1102 For specific usages, it's possible to force TCP to build big 1103 TSO frames. Note that TCP stack might split too big TSO packets 1104 if available window is too small. 1105 1106 Default: 2 1107 1108tcp_tso_rtt_log - INTEGER 1109 Adjustment of TSO packet sizes based on min_rtt 1110 1111 Starting from linux-5.18, TCP autosizing can be tweaked 1112 for flows having small RTT. 1113 1114 Old autosizing was splitting the pacing budget to send 1024 TSO 1115 per second. 1116 1117 tso_packet_size = sk->sk_pacing_rate / 1024; 1118 1119 With the new mechanism, we increase this TSO sizing using: 1120 1121 distance = min_rtt_usec / (2^tcp_tso_rtt_log) 1122 tso_packet_size += gso_max_size >> distance; 1123 1124 This means that flows between very close hosts can use bigger 1125 TSO packets, reducing their cpu costs. 1126 1127 If you want to use the old autosizing, set this sysctl to 0. 1128 1129 Default: 9 (2^9 = 512 usec) 1130 1131tcp_pacing_ss_ratio - INTEGER 1132 sk->sk_pacing_rate is set by TCP stack using a ratio applied 1133 to current rate. (current_rate = cwnd * mss / srtt) 1134 If TCP is in slow start, tcp_pacing_ss_ratio is applied 1135 to let TCP probe for bigger speeds, assuming cwnd can be 1136 doubled every other RTT. 1137 1138 Default: 200 1139 1140tcp_pacing_ca_ratio - INTEGER 1141 sk->sk_pacing_rate is set by TCP stack using a ratio applied 1142 to current rate. (current_rate = cwnd * mss / srtt) 1143 If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio 1144 is applied to conservatively probe for bigger throughput. 1145 1146 Default: 120 1147 1148tcp_syn_linear_timeouts - INTEGER 1149 The number of times for an active TCP connection to retransmit SYNs with 1150 a linear backoff timeout before defaulting to an exponential backoff 1151 timeout. This has no effect on SYNACK at the passive TCP side. 1152 1153 With an initial RTO of 1 and tcp_syn_linear_timeouts = 4 we would 1154 expect SYN RTOs to be: 1, 1, 1, 1, 1, 2, 4, ... (4 linear timeouts, 1155 and the first exponential backoff using 2^0 * initial_RTO). 1156 Default: 4 1157 1158tcp_tso_win_divisor - INTEGER 1159 This allows control over what percentage of the congestion window 1160 can be consumed by a single TSO frame. 1161 The setting of this parameter is a choice between burstiness and 1162 building larger TSO frames. 1163 1164 Default: 3 1165 1166tcp_tw_reuse - INTEGER 1167 Enable reuse of TIME-WAIT sockets for new connections when it is 1168 safe from protocol viewpoint. 1169 1170 - 0 - disable 1171 - 1 - global enable 1172 - 2 - enable for loopback traffic only 1173 1174 It should not be changed without advice/request of technical 1175 experts. 1176 1177 Default: 2 1178 1179tcp_tw_reuse_delay - UNSIGNED INTEGER 1180 The delay in milliseconds before a TIME-WAIT socket can be reused by a 1181 new connection, if TIME-WAIT socket reuse is enabled. The actual reuse 1182 threshold is within [N, N+1] range, where N is the requested delay in 1183 milliseconds, to ensure the delay interval is never shorter than the 1184 configured value. 1185 1186 This setting contains an assumption about the other TCP timestamp clock 1187 tick interval. It should not be set to a value lower than the peer's 1188 clock tick for PAWS (Protection Against Wrapped Sequence numbers) 1189 mechanism work correctly for the reused connection. 1190 1191 Default: 1000 (milliseconds) 1192 1193tcp_window_scaling - BOOLEAN 1194 Enable window scaling as defined in RFC1323. 1195 1196 Possible values: 1197 1198 - 0 (disabled) 1199 - 1 (enabled) 1200 1201 Default: 1 (enabled) 1202 1203tcp_shrink_window - BOOLEAN 1204 This changes how the TCP receive window is calculated. 1205 1206 RFC 7323, section 2.4, says there are instances when a retracted 1207 window can be offered, and that TCP implementations MUST ensure 1208 that they handle a shrinking window, as specified in RFC 1122. 1209 1210 Possible values: 1211 1212 - 0 (disabled) - The window is never shrunk. 1213 - 1 (enabled) - The window is shrunk when necessary to remain within 1214 the memory limit set by autotuning (sk_rcvbuf). 1215 This only occurs if a non-zero receive window 1216 scaling factor is also in effect. 1217 1218 Default: 0 (disabled) 1219 1220tcp_wmem - vector of 3 INTEGERs: min, default, max 1221 min: Amount of memory reserved for send buffers for TCP sockets. 1222 Each TCP socket has rights to use it due to fact of its birth. 1223 1224 Default: 4K 1225 1226 default: initial size of send buffer used by TCP sockets. This 1227 value overrides net.core.wmem_default used by other protocols. 1228 1229 It is usually lower than net.core.wmem_default. 1230 1231 Default: 16K 1232 1233 max: Maximal amount of memory allowed for automatically tuned 1234 send buffers for TCP sockets. This value does not override 1235 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables 1236 automatic tuning of that socket's send buffer size, in which case 1237 this value is ignored. 1238 1239 Default: between 64K and 4MB, depending on RAM size. 1240 1241tcp_notsent_lowat - UNSIGNED INTEGER 1242 A TCP socket can control the amount of unsent bytes in its write queue, 1243 thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll() 1244 reports POLLOUT events if the amount of unsent bytes is below a per 1245 socket value, and if the write queue is not full. sendmsg() will 1246 also not add new buffers if the limit is hit. 1247 1248 This global variable controls the amount of unsent data for 1249 sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change 1250 to the global variable has immediate effect. 1251 1252 Default: UINT_MAX (0xFFFFFFFF) 1253 1254tcp_workaround_signed_windows - BOOLEAN 1255 If enabled, assume no receipt of a window scaling option means the 1256 remote TCP is broken and treats the window as a signed quantity. 1257 If disabled, assume the remote TCP is not broken even if we do 1258 not receive a window scaling option from them. 1259 1260 Possible values: 1261 1262 - 0 (disabled) 1263 - 1 (enabled) 1264 1265 Default: 0 (disabled) 1266 1267tcp_thin_linear_timeouts - BOOLEAN 1268 Enable dynamic triggering of linear timeouts for thin streams. 1269 If enabled, a check is performed upon retransmission by timeout to 1270 determine if the stream is thin (less than 4 packets in flight). 1271 As long as the stream is found to be thin, up to 6 linear 1272 timeouts may be performed before exponential backoff mode is 1273 initiated. This improves retransmission latency for 1274 non-aggressive thin streams, often found to be time-dependent. 1275 For more information on thin streams, see 1276 Documentation/networking/tcp-thin.rst 1277 1278 Possible values: 1279 1280 - 0 (disabled) 1281 - 1 (enabled) 1282 1283 Default: 0 (disabled) 1284 1285tcp_limit_output_bytes - INTEGER 1286 Controls TCP Small Queue limit per tcp socket. 1287 TCP bulk sender tends to increase packets in flight until it 1288 gets losses notifications. With SNDBUF autotuning, this can 1289 result in a large amount of packets queued on the local machine 1290 (e.g.: qdiscs, CPU backlog, or device) hurting latency of other 1291 flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes 1292 limits the number of bytes on qdisc or device to reduce artificial 1293 RTT/cwnd and reduce bufferbloat. 1294 1295 Default: 4194304 (4 MB) 1296 1297tcp_challenge_ack_limit - INTEGER 1298 Limits number of Challenge ACK sent per second, as recommended 1299 in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) 1300 Note that this per netns rate limit can allow some side channel 1301 attacks and probably should not be enabled. 1302 TCP stack implements per TCP socket limits anyway. 1303 Default: INT_MAX (unlimited) 1304 1305tcp_ehash_entries - INTEGER 1306 Show the number of hash buckets for TCP sockets in the current 1307 networking namespace. 1308 1309 A negative value means the networking namespace does not own its 1310 hash buckets and shares the initial networking namespace's one. 1311 1312tcp_child_ehash_entries - INTEGER 1313 Control the number of hash buckets for TCP sockets in the child 1314 networking namespace, which must be set before clone() or unshare(). 1315 1316 If the value is not 0, the kernel uses a value rounded up to 2^n 1317 as the actual hash bucket size. 0 is a special value, meaning 1318 the child networking namespace will share the initial networking 1319 namespace's hash buckets. 1320 1321 Note that the child will use the global one in case the kernel 1322 fails to allocate enough memory. In addition, the global hash 1323 buckets are spread over available NUMA nodes, but the allocation 1324 of the child hash table depends on the current process's NUMA 1325 policy, which could result in performance differences. 1326 1327 Note also that the default value of tcp_max_tw_buckets and 1328 tcp_max_syn_backlog depend on the hash bucket size. 1329 1330 Possible values: 0, 2^n (n: 0 - 24 (16Mi)) 1331 1332 Default: 0 1333 1334tcp_plb_enabled - BOOLEAN 1335 If enabled and the underlying congestion control (e.g. DCTCP) supports 1336 and enables PLB feature, TCP PLB (Protective Load Balancing) is 1337 enabled. PLB is described in the following paper: 1338 https://doi.org/10.1145/3544216.3544226. Based on PLB parameters, 1339 upon sensing sustained congestion, TCP triggers a change in 1340 flow label field for outgoing IPv6 packets. A change in flow label 1341 field potentially changes the path of outgoing packets for switches 1342 that use ECMP/WCMP for routing. 1343 1344 PLB changes socket txhash which results in a change in IPv6 Flow Label 1345 field, and currently no-op for IPv4 headers. It is possible 1346 to apply PLB for IPv4 with other network header fields (e.g. TCP 1347 or IPv4 options) or using encapsulation where outer header is used 1348 by switches to determine next hop. In either case, further host 1349 and switch side changes will be needed. 1350 1351 If enabled, PLB assumes that congestion signal (e.g. ECN) is made 1352 available and used by congestion control module to estimate a 1353 congestion measure (e.g. ce_ratio). PLB needs a congestion measure to 1354 make repathing decisions. 1355 1356 Possible values: 1357 1358 - 0 (disabled) 1359 - 1 (enabled) 1360 1361 Default: 0 (disabled) 1362 1363tcp_plb_idle_rehash_rounds - INTEGER 1364 Number of consecutive congested rounds (RTT) seen after which 1365 a rehash can be performed, given there are no packets in flight. 1366 This is referred to as M in PLB paper: 1367 https://doi.org/10.1145/3544216.3544226. 1368 1369 Possible Values: 0 - 31 1370 1371 Default: 3 1372 1373tcp_plb_rehash_rounds - INTEGER 1374 Number of consecutive congested rounds (RTT) seen after which 1375 a forced rehash can be performed. Be careful when setting this 1376 parameter, as a small value increases the risk of retransmissions. 1377 This is referred to as N in PLB paper: 1378 https://doi.org/10.1145/3544216.3544226. 1379 1380 Possible Values: 0 - 31 1381 1382 Default: 12 1383 1384tcp_plb_suspend_rto_sec - INTEGER 1385 Time, in seconds, to suspend PLB in event of an RTO. In order to avoid 1386 having PLB repath onto a connectivity "black hole", after an RTO a TCP 1387 connection suspends PLB repathing for a random duration between 1x and 1388 2x of this parameter. Randomness is added to avoid concurrent rehashing 1389 of multiple TCP connections. This should be set corresponding to the 1390 amount of time it takes to repair a failed link. 1391 1392 Possible Values: 0 - 255 1393 1394 Default: 60 1395 1396tcp_plb_cong_thresh - INTEGER 1397 Fraction of packets marked with congestion over a round (RTT) to 1398 tag that round as congested. This is referred to as K in the PLB paper: 1399 https://doi.org/10.1145/3544216.3544226. 1400 1401 The 0-1 fraction range is mapped to 0-256 range to avoid floating 1402 point operations. For example, 128 means that if at least 50% of 1403 the packets in a round were marked as congested then the round 1404 will be tagged as congested. 1405 1406 Setting threshold to 0 means that PLB repaths every RTT regardless 1407 of congestion. This is not intended behavior for PLB and should be 1408 used only for experimentation purpose. 1409 1410 Possible Values: 0 - 256 1411 1412 Default: 128 1413 1414tcp_pingpong_thresh - INTEGER 1415 The number of estimated data replies sent for estimated incoming data 1416 requests that must happen before TCP considers that a connection is a 1417 "ping-pong" (request-response) connection for which delayed 1418 acknowledgments can provide benefits. 1419 1420 This threshold is 1 by default, but some applications may need a higher 1421 threshold for optimal performance. 1422 1423 Possible Values: 1 - 255 1424 1425 Default: 1 1426 1427tcp_rto_min_us - INTEGER 1428 Minimal TCP retransmission timeout (in microseconds). Note that the 1429 rto_min route option has the highest precedence for configuring this 1430 setting, followed by the TCP_BPF_RTO_MIN and TCP_RTO_MIN_US socket 1431 options, followed by this tcp_rto_min_us sysctl. 1432 1433 The recommended practice is to use a value less or equal to 200000 1434 microseconds. 1435 1436 Possible Values: 1 - INT_MAX 1437 1438 Default: 200000 1439 1440tcp_rto_max_ms - INTEGER 1441 Maximal TCP retransmission timeout (in ms). 1442 Note that TCP_RTO_MAX_MS socket option has higher precedence. 1443 1444 When changing tcp_rto_max_ms, it is important to understand 1445 that tcp_retries2 might need a change. 1446 1447 Possible Values: 1000 - 120,000 1448 1449 Default: 120,000 1450 1451UDP variables 1452============= 1453 1454udp_l3mdev_accept - BOOLEAN 1455 Enabling this option allows a "global" bound socket to work 1456 across L3 master domains (e.g., VRFs) with packets capable of 1457 being received regardless of the L3 domain in which they 1458 originated. Only valid when the kernel was compiled with 1459 CONFIG_NET_L3_MASTER_DEV. 1460 1461 Possible values: 1462 1463 - 0 (disabled) 1464 - 1 (enabled) 1465 1466 Default: 0 (disabled) 1467 1468udp_mem - vector of 3 INTEGERs: min, pressure, max 1469 Number of pages allowed for queueing by all UDP sockets. 1470 1471 min: Number of pages allowed for queueing by all UDP sockets. 1472 1473 pressure: This value was introduced to follow format of tcp_mem. 1474 1475 max: This value was introduced to follow format of tcp_mem. 1476 1477 Default is calculated at boot time from amount of available memory. 1478 1479udp_rmem_min - INTEGER 1480 Minimal size of receive buffer used by UDP sockets in moderation. 1481 Each UDP socket is able to use the size for receiving data, even if 1482 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 1483 1484 Default: 4K 1485 1486udp_wmem_min - INTEGER 1487 UDP does not have tx memory accounting and this tunable has no effect. 1488 1489udp_hash_entries - INTEGER 1490 Show the number of hash buckets for UDP sockets in the current 1491 networking namespace. 1492 1493 A negative value means the networking namespace does not own its 1494 hash buckets and shares the initial networking namespace's one. 1495 1496udp_child_hash_entries - INTEGER 1497 Control the number of hash buckets for UDP sockets in the child 1498 networking namespace, which must be set before clone() or unshare(). 1499 1500 If the value is not 0, the kernel uses a value rounded up to 2^n 1501 as the actual hash bucket size. 0 is a special value, meaning 1502 the child networking namespace will share the initial networking 1503 namespace's hash buckets. 1504 1505 Note that the child will use the global one in case the kernel 1506 fails to allocate enough memory. In addition, the global hash 1507 buckets are spread over available NUMA nodes, but the allocation 1508 of the child hash table depends on the current process's NUMA 1509 policy, which could result in performance differences. 1510 1511 Possible values: 0, 2^n (n: 7 (128) - 16 (64K)) 1512 1513 Default: 0 1514 1515 1516RAW variables 1517============= 1518 1519raw_l3mdev_accept - BOOLEAN 1520 Enabling this option allows a "global" bound socket to work 1521 across L3 master domains (e.g., VRFs) with packets capable of 1522 being received regardless of the L3 domain in which they 1523 originated. Only valid when the kernel was compiled with 1524 CONFIG_NET_L3_MASTER_DEV. 1525 1526 Possible values: 1527 1528 - 0 (disabled) 1529 - 1 (enabled) 1530 1531 Default: 1 (enabled) 1532 1533CIPSOv4 Variables 1534================= 1535 1536cipso_cache_enable - BOOLEAN 1537 If enabled, enable additions to and lookups from the CIPSO label mapping 1538 cache. If disabled, additions are ignored and lookups always result in a 1539 miss. However, regardless of the setting the cache is still 1540 invalidated when required when means you can safely toggle this on and 1541 off and the cache will always be "safe". 1542 1543 Possible values: 1544 1545 - 0 (disabled) 1546 - 1 (enabled) 1547 1548 Default: 1 (enabled) 1549 1550cipso_cache_bucket_size - INTEGER 1551 The CIPSO label cache consists of a fixed size hash table with each 1552 hash bucket containing a number of cache entries. This variable limits 1553 the number of entries in each hash bucket; the larger the value is, the 1554 more CIPSO label mappings that can be cached. When the number of 1555 entries in a given hash bucket reaches this limit adding new entries 1556 causes the oldest entry in the bucket to be removed to make room. 1557 1558 Default: 10 1559 1560cipso_rbm_optfmt - BOOLEAN 1561 Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of 1562 the CIPSO draft specification (see Documentation/netlabel for details). 1563 This means that when set the CIPSO tag will be padded with empty 1564 categories in order to make the packet data 32-bit aligned. 1565 1566 Possible values: 1567 1568 - 0 (disabled) 1569 - 1 (enabled) 1570 1571 Default: 0 (disabled) 1572 1573cipso_rbm_strictvalid - BOOLEAN 1574 If enabled, do a very strict check of the CIPSO option when 1575 ip_options_compile() is called. If disabled, relax the checks done during 1576 ip_options_compile(). Either way is "safe" as errors are caught else 1577 where in the CIPSO processing code but setting this to 0 (False) should 1578 result in less work (i.e. it should be faster) but could cause problems 1579 with other implementations that require strict checking. 1580 1581 Possible values: 1582 1583 - 0 (disabled) 1584 - 1 (enabled) 1585 1586 Default: 0 (disabled) 1587 1588IP Variables 1589============ 1590 1591ip_local_port_range - 2 INTEGERS 1592 Defines the local port range that is used by TCP and UDP to 1593 choose the local port. The first number is the first, the 1594 second the last local port number. 1595 If possible, it is better these numbers have different parity 1596 (one even and one odd value). 1597 Must be greater than or equal to ip_unprivileged_port_start. 1598 The default values are 32768 and 60999 respectively. 1599 1600ip_local_reserved_ports - list of comma separated ranges 1601 Specify the ports which are reserved for known third-party 1602 applications. These ports will not be used by automatic port 1603 assignments (e.g. when calling connect() or bind() with port 1604 number 0). Explicit port allocation behavior is unchanged. 1605 1606 The format used for both input and output is a comma separated 1607 list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and 1608 10). Writing to the file will clear all previously reserved 1609 ports and update the current list with the one given in the 1610 input. 1611 1612 Note that ip_local_port_range and ip_local_reserved_ports 1613 settings are independent and both are considered by the kernel 1614 when determining which ports are available for automatic port 1615 assignments. 1616 1617 You can reserve ports which are not in the current 1618 ip_local_port_range, e.g.:: 1619 1620 $ cat /proc/sys/net/ipv4/ip_local_port_range 1621 32000 60999 1622 $ cat /proc/sys/net/ipv4/ip_local_reserved_ports 1623 8080,9148 1624 1625 although this is redundant. However such a setting is useful 1626 if later the port range is changed to a value that will 1627 include the reserved ports. Also keep in mind, that overlapping 1628 of these ranges may affect probability of selecting ephemeral 1629 ports which are right after block of reserved ports. 1630 1631 Default: Empty 1632 1633ip_local_port_step_width - INTEGER 1634 Defines the numerical maximum increment between successive port 1635 allocations within the ephemeral port range when an unavailable port is 1636 reached. This can be used to mitigate accumulated nodes in port 1637 distribution when reserved ports have been configured. Please note that 1638 port collisions may be more frequent in a system with a very high load. 1639 1640 It is recommended to set this value strictly larger than the largest 1641 contiguous block of ports configure in ip_local_reserved_ports. For 1642 large reserved port ranges, setting this to 3x or 4x the size of the 1643 largest block is advised. Using a value equal or greater than the local 1644 port range size completely solves the uneven port distribution problem, 1645 but it can degrade performance under port exhaustion situations. 1646 1647 Default: 0 (disabled) 1648 1649ip_unprivileged_port_start - INTEGER 1650 This is a per-namespace sysctl. It defines the first 1651 unprivileged port in the network namespace. Privileged ports 1652 require root or CAP_NET_BIND_SERVICE in order to bind to them. 1653 To disable all privileged ports, set this to 0. They must not 1654 overlap with the ip_local_port_range. 1655 1656 Default: 1024 1657 1658ip_nonlocal_bind - BOOLEAN 1659 If enabled, allows processes to bind() to non-local IP addresses, 1660 which can be quite useful - but may break some applications. 1661 1662 Possible values: 1663 1664 - 0 (disabled) 1665 - 1 (enabled) 1666 1667 Default: 0 (disabled) 1668 1669ip_autobind_reuse - BOOLEAN 1670 By default, bind() does not select the ports automatically even if 1671 the new socket and all sockets bound to the port have SO_REUSEADDR. 1672 ip_autobind_reuse allows bind() to reuse the port and this is useful 1673 when you use bind()+connect(), but may break some applications. 1674 The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this 1675 option should only be set by experts. 1676 1677 Possible values: 1678 1679 - 0 (disabled) 1680 - 1 (enabled) 1681 1682 Default: 0 (disabled) 1683 1684ip_dynaddr - INTEGER 1685 If set non-zero, enables support for dynamic addresses. 1686 If set to a non-zero value larger than 1, a kernel log 1687 message will be printed when dynamic address rewriting 1688 occurs. 1689 1690 Default: 0 1691 1692ip_early_demux - BOOLEAN 1693 Optimize input packet processing down to one demux for 1694 certain kinds of local sockets. Currently we only do this 1695 for established TCP and connected UDP sockets. 1696 1697 It may add an additional cost for pure routing workloads that 1698 reduces overall throughput, in such case you should disable it. 1699 1700 Possible values: 1701 1702 - 0 (disabled) 1703 - 1 (enabled) 1704 1705 Default: 1 (enabled) 1706 1707ping_group_range - 2 INTEGERS 1708 Restrict ICMP_PROTO datagram sockets to users in the group range. 1709 The default is "1 0", meaning, that nobody (not even root) may 1710 create ping sockets. Setting it to "100 100" would grant permissions 1711 to the single group. "0 4294967294" would enable it for the world, "100 1712 4294967294" would enable it for the users, but not daemons. 1713 1714tcp_early_demux - BOOLEAN 1715 Enable early demux for established TCP sockets. 1716 1717 Possible values: 1718 1719 - 0 (disabled) 1720 - 1 (enabled) 1721 1722 Default: 1 (enabled) 1723 1724udp_early_demux - BOOLEAN 1725 Enable early demux for connected UDP sockets. Disable this if 1726 your system could experience more unconnected load. 1727 1728 Possible values: 1729 1730 - 0 (disabled) 1731 - 1 (enabled) 1732 1733 Default: 1 (enabled) 1734 1735icmp_echo_ignore_all - BOOLEAN 1736 If enabled, then the kernel will ignore all ICMP ECHO 1737 requests sent to it. 1738 1739 Possible values: 1740 1741 - 0 (disabled) 1742 - 1 (enabled) 1743 1744 Default: 0 (disabled) 1745 1746icmp_echo_enable_probe - BOOLEAN 1747 If enabled, then the kernel will respond to RFC 8335 PROBE 1748 requests sent to it. 1749 1750 Possible values: 1751 1752 - 0 (disabled) 1753 - 1 (enabled) 1754 1755 Default: 0 (disabled) 1756 1757icmp_echo_ignore_broadcasts - BOOLEAN 1758 If enabled, then the kernel will ignore all ICMP ECHO and 1759 TIMESTAMP requests sent to it via broadcast/multicast. 1760 1761 Possible values: 1762 1763 - 0 (disabled) 1764 - 1 (enabled) 1765 1766 Default: 1 (enabled) 1767 1768icmp_ratelimit - INTEGER 1769 Limit the maximal rates for sending ICMP packets whose type matches 1770 icmp_ratemask (see below) to specific targets. 1771 0 to disable any limiting, 1772 otherwise the minimal space between responses in milliseconds. 1773 Note that another sysctl, icmp_msgs_per_sec limits the number 1774 of ICMP packets sent on all targets. 1775 1776 Default: 1000 1777 1778icmp_msgs_per_sec - INTEGER 1779 Limit maximal number of ICMP packets sent per second from this host. 1780 Only messages whose type matches icmp_ratemask (see below) are 1781 controlled by this limit. For security reasons, the precise count 1782 of messages per second is randomized. 1783 1784 Default: 10000 1785 1786icmp_msgs_burst - INTEGER 1787 icmp_msgs_per_sec controls number of ICMP packets sent per second, 1788 while icmp_msgs_burst controls the token bucket size. 1789 For security reasons, the precise burst size is randomized. 1790 1791 Default: 10000 1792 1793icmp_ratemask - INTEGER 1794 Mask made of ICMP types for which rates are being limited. 1795 1796 Significant bits: IHGFEDCBA9876543210 1797 1798 Default mask: 0000001100000011000 (6168) 1799 1800 Bit definitions (see include/linux/icmp.h): 1801 1802 = ========================= 1803 0 Echo Reply 1804 3 Destination Unreachable [1]_ 1805 4 Source Quench [1]_ 1806 5 Redirect 1807 8 Echo Request 1808 B Time Exceeded [1]_ 1809 C Parameter Problem [1]_ 1810 D Timestamp Request 1811 E Timestamp Reply 1812 F Info Request 1813 G Info Reply 1814 H Address Mask Request 1815 I Address Mask Reply 1816 = ========================= 1817 1818 .. [1] These are rate limited by default (see default mask above) 1819 1820icmp_ignore_bogus_error_responses - BOOLEAN 1821 Some routers violate RFC1122 by sending bogus responses to broadcast 1822 frames. Such violations are normally logged via a kernel warning. 1823 If enabled, the kernel will not give such warnings, which 1824 will avoid log file clutter. 1825 1826 Possible values: 1827 1828 - 0 (disabled) 1829 - 1 (enabled) 1830 1831 Default: 1 (enabled) 1832 1833icmp_errors_use_inbound_ifaddr - BOOLEAN 1834 1835 If disabled, icmp error messages are sent with the primary address of 1836 the exiting interface. 1837 1838 If enabled, the message will be sent with the primary address of 1839 the interface that received the packet that caused the icmp error. 1840 This is the behaviour many network administrators will expect from 1841 a router. And it can make debugging complicated network layouts 1842 much easier. 1843 1844 Note that if no primary address exists for the interface selected, 1845 then the primary address of the first non-loopback interface that 1846 has one will be used regardless of this setting. 1847 1848 Possible values: 1849 1850 - 0 (disabled) 1851 - 1 (enabled) 1852 1853 Default: 0 (disabled) 1854 1855icmp_errors_extension_mask - UNSIGNED INTEGER 1856 Bitmask of ICMP extensions to append to ICMPv4 error messages 1857 ("Destination Unreachable", "Time Exceeded" and "Parameter Problem"). 1858 The original datagram is trimmed / padded to 128 bytes in order to be 1859 compatible with applications that do not comply with RFC 4884. 1860 1861 Possible extensions are: 1862 1863 ==== ============================================================== 1864 0x01 Incoming IP interface information according to RFC 5837. 1865 Extension will include the index, IPv4 address (if present), 1866 name and MTU of the IP interface that received the datagram 1867 which elicited the ICMP error. 1868 ==== ============================================================== 1869 1870 Default: 0x00 (no extensions) 1871 1872igmp_max_memberships - INTEGER 1873 Change the maximum number of multicast groups we can subscribe to. 1874 Default: 20 1875 1876 Theoretical maximum value is bounded by having to send a membership 1877 report in a single datagram (i.e. the report can't span multiple 1878 datagrams, or risk confusing the switch and leaving groups you don't 1879 intend to). 1880 1881 The number of supported groups 'M' is bounded by the number of group 1882 report entries you can fit into a single datagram of 65535 bytes. 1883 1884 M = 65536-sizeof (ip header)/(sizeof(Group record)) 1885 1886 Group records are variable length, with a minimum of 12 bytes. 1887 So net.ipv4.igmp_max_memberships should not be set higher than: 1888 1889 (65536-24) / 12 = 5459 1890 1891 The value 5459 assumes no IP header options, so in practice 1892 this number may be lower. 1893 1894igmp_max_msf - INTEGER 1895 Maximum number of addresses allowed in the source filter list for a 1896 multicast group. 1897 1898 Default: 10 1899 1900igmp_qrv - INTEGER 1901 Controls the IGMP query robustness variable (see RFC2236 8.1). 1902 1903 Default: 2 (as specified by RFC2236 8.1) 1904 1905 Minimum: 1 (as specified by RFC6636 4.5) 1906 1907force_igmp_version - INTEGER 1908 - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback 1909 allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier 1910 Present timer expires. 1911 - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if 1912 receive IGMPv2/v3 query. 1913 - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive 1914 IGMPv1 query message. Will reply report if receive IGMPv3 query. 1915 - 3 - Enforce to use IGMP version 3. The same react with default 0. 1916 1917 .. note:: 1918 1919 this is not the same with force_mld_version because IGMPv3 RFC3376 1920 Security Considerations does not have clear description that we could 1921 ignore other version messages completely as MLDv2 RFC3810. So make 1922 this value as default 0 is recommended. 1923 1924``conf/interface/*`` 1925 changes special settings per interface (where 1926 interface" is the name of your network interface) 1927 1928``conf/all/*`` 1929 is special, changes the settings for all interfaces 1930 1931log_martians - BOOLEAN 1932 Log packets with impossible addresses to kernel log. 1933 log_martians for the interface will be enabled if at least one of 1934 conf/{all,interface}/log_martians is set to TRUE, 1935 it will be disabled otherwise 1936 1937accept_redirects - BOOLEAN 1938 Accept ICMP redirect messages. 1939 accept_redirects for the interface will be enabled if: 1940 1941 - both conf/{all,interface}/accept_redirects are TRUE in the case 1942 forwarding for the interface is enabled 1943 1944 or 1945 1946 - at least one of conf/{all,interface}/accept_redirects is TRUE in the 1947 case forwarding for the interface is disabled 1948 1949 accept_redirects for the interface will be disabled otherwise 1950 1951 default: 1952 1953 - TRUE (host) 1954 - FALSE (router) 1955 1956forwarding - BOOLEAN 1957 Enable IP forwarding on this interface. This controls whether packets 1958 received _on_ this interface can be forwarded. 1959 1960mc_forwarding - BOOLEAN 1961 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE 1962 and a multicast routing daemon is required. 1963 conf/all/mc_forwarding must also be set to TRUE to enable multicast 1964 routing for the interface 1965 1966medium_id - INTEGER 1967 Integer value used to differentiate the devices by the medium they 1968 are attached to. Two devices can have different id values when 1969 the broadcast packets are received only on one of them. 1970 The default value 0 means that the device is the only interface 1971 to its medium, value of -1 means that medium is not known. 1972 1973 Currently, it is used to change the proxy_arp behavior: 1974 the proxy_arp feature is enabled for packets forwarded between 1975 two devices attached to different media. 1976 1977proxy_arp - BOOLEAN 1978 Do proxy arp. 1979 1980 proxy_arp for the interface will be enabled if at least one of 1981 conf/{all,interface}/proxy_arp is set to TRUE, 1982 it will be disabled otherwise 1983 1984proxy_arp_pvlan - BOOLEAN 1985 Private VLAN proxy arp. 1986 1987 Basically allow proxy arp replies back to the same interface 1988 (from which the ARP request/solicitation was received). 1989 1990 This is done to support (ethernet) switch features, like RFC 1991 3069, where the individual ports are NOT allowed to 1992 communicate with each other, but they are allowed to talk to 1993 the upstream router. As described in RFC 3069, it is possible 1994 to allow these hosts to communicate through the upstream 1995 router by proxy_arp'ing. Don't need to be used together with 1996 proxy_arp. 1997 1998 This technology is known by different names: 1999 2000 - In RFC 3069 it is called VLAN Aggregation. 2001 - Cisco and Allied Telesyn call it Private VLAN. 2002 - Hewlett-Packard call it Source-Port filtering or port-isolation. 2003 - Ericsson call it MAC-Forced Forwarding (RFC Draft). 2004 2005proxy_delay - INTEGER 2006 Delay proxy response. 2007 2008 Delay response to a neighbor solicitation when proxy_arp 2009 or proxy_ndp is enabled. A random value between [0, proxy_delay) 2010 will be chosen, setting to zero means reply with no delay. 2011 Value in jiffies. Defaults to 80. 2012 2013shared_media - BOOLEAN 2014 Send(router) or accept(host) RFC1620 shared media redirects. 2015 Overrides secure_redirects. 2016 2017 shared_media for the interface will be enabled if at least one of 2018 conf/{all,interface}/shared_media is set to TRUE, 2019 it will be disabled otherwise 2020 2021 default TRUE 2022 2023secure_redirects - BOOLEAN 2024 Accept ICMP redirect messages only to gateways listed in the 2025 interface's current gateway list. Even if disabled, RFC1122 redirect 2026 rules still apply. 2027 2028 Overridden by shared_media. 2029 2030 secure_redirects for the interface will be enabled if at least one of 2031 conf/{all,interface}/secure_redirects is set to TRUE, 2032 it will be disabled otherwise 2033 2034 default TRUE 2035 2036send_redirects - BOOLEAN 2037 Send redirects, if router. 2038 2039 send_redirects for the interface will be enabled if at least one of 2040 conf/{all,interface}/send_redirects is set to TRUE, 2041 it will be disabled otherwise 2042 2043 Default: TRUE 2044 2045bootp_relay - BOOLEAN 2046 Accept packets with source address 0.b.c.d destined 2047 not to this host as local ones. It is supposed, that 2048 BOOTP relay daemon will catch and forward such packets. 2049 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay 2050 for the interface 2051 2052 default FALSE 2053 2054 Not Implemented Yet. 2055 2056accept_source_route - BOOLEAN 2057 Accept packets with SRR option. 2058 conf/all/accept_source_route must also be set to TRUE to accept packets 2059 with SRR option on the interface 2060 2061 default 2062 2063 - TRUE (router) 2064 - FALSE (host) 2065 2066accept_local - BOOLEAN 2067 Accept packets with local source addresses. In combination with 2068 suitable routing, this can be used to direct packets between two 2069 local interfaces over the wire and have them accepted properly. 2070 default FALSE 2071 2072route_localnet - BOOLEAN 2073 Do not consider loopback addresses as martian source or destination 2074 while routing. This enables the use of 127/8 for local routing purposes. 2075 2076 default FALSE 2077 2078rp_filter - INTEGER 2079 - 0 - No source validation. 2080 - 1 - Strict mode as defined in RFC3704 Strict Reverse Path 2081 Each incoming packet is tested against the FIB and if the interface 2082 is not the best reverse path the packet check will fail. 2083 By default failed packets are discarded. 2084 - 2 - Loose mode as defined in RFC3704 Loose Reverse Path 2085 Each incoming packet's source address is also tested against the FIB 2086 and if the source address is not reachable via any interface 2087 the packet check will fail. 2088 2089 Current recommended practice in RFC3704 is to enable strict mode 2090 to prevent IP spoofing from DDos attacks. If using asymmetric routing 2091 or other complicated routing, then loose mode is recommended. 2092 2093 The max value from conf/{all,interface}/rp_filter is used 2094 when doing source validation on the {interface}. 2095 2096 Default value is 0. Note that some distributions enable it 2097 in startup scripts. 2098 2099src_valid_mark - BOOLEAN 2100 - 0 - The fwmark of the packet is not included in reverse path 2101 route lookup. This allows for asymmetric routing configurations 2102 utilizing the fwmark in only one direction, e.g., transparent 2103 proxying. 2104 2105 - 1 - The fwmark of the packet is included in reverse path route 2106 lookup. This permits rp_filter to function when the fwmark is 2107 used for routing traffic in both directions. 2108 2109 This setting also affects the utilization of fmwark when 2110 performing source address selection for ICMP replies, or 2111 determining addresses stored for the IPOPT_TS_TSANDADDR and 2112 IPOPT_RR IP options. 2113 2114 The max value from conf/{all,interface}/src_valid_mark is used. 2115 2116 Default value is 0. 2117 2118arp_filter - BOOLEAN 2119 - 1 - Allows you to have multiple network interfaces on the same 2120 subnet, and have the ARPs for each interface be answered 2121 based on whether or not the kernel would route a packet from 2122 the ARP'd IP out that interface (therefore you must use source 2123 based routing for this to work). In other words it allows control 2124 of which cards (usually 1) will respond to an arp request. 2125 2126 - 0 - (default) The kernel can respond to arp requests with addresses 2127 from other interfaces. This may seem wrong but it usually makes 2128 sense, because it increases the chance of successful communication. 2129 IP addresses are owned by the complete host on Linux, not by 2130 particular interfaces. Only for more complex setups like load- 2131 balancing, does this behaviour cause problems. 2132 2133 arp_filter for the interface will be enabled if at least one of 2134 conf/{all,interface}/arp_filter is set to TRUE, 2135 it will be disabled otherwise 2136 2137arp_announce - INTEGER 2138 Define different restriction levels for announcing the local 2139 source IP address from IP packets in ARP requests sent on 2140 interface: 2141 2142 - 0 - (default) Use any local address, configured on any interface 2143 - 1 - Try to avoid local addresses that are not in the target's 2144 subnet for this interface. This mode is useful when target 2145 hosts reachable via this interface require the source IP 2146 address in ARP requests to be part of their logical network 2147 configured on the receiving interface. When we generate the 2148 request we will check all our subnets that include the 2149 target IP and will preserve the source address if it is from 2150 such subnet. If there is no such subnet we select source 2151 address according to the rules for level 2. 2152 - 2 - Always use the best local address for this target. 2153 In this mode we ignore the source address in the IP packet 2154 and try to select local address that we prefer for talks with 2155 the target host. Such local address is selected by looking 2156 for primary IP addresses on all our subnets on the outgoing 2157 interface that include the target IP address. If no suitable 2158 local address is found we select the first local address 2159 we have on the outgoing interface or on all other interfaces, 2160 with the hope we will receive reply for our request and 2161 even sometimes no matter the source IP address we announce. 2162 2163 The max value from conf/{all,interface}/arp_announce is used. 2164 2165 Increasing the restriction level gives more chance for 2166 receiving answer from the resolved target while decreasing 2167 the level announces more valid sender's information. 2168 2169arp_ignore - INTEGER 2170 Define different modes for sending replies in response to 2171 received ARP requests that resolve local target IP addresses: 2172 2173 - 0 - (default): reply for any local target IP address, configured 2174 on any interface 2175 - 1 - reply only if the target IP address is local address 2176 configured on the incoming interface 2177 - 2 - reply only if the target IP address is local address 2178 configured on the incoming interface and both with the 2179 sender's IP address are part from same subnet on this interface 2180 - 3 - do not reply for local addresses configured with scope host, 2181 only resolutions for global and link addresses are replied 2182 - 4-7 - reserved 2183 - 8 - do not reply for all local addresses 2184 2185 The max value from conf/{all,interface}/arp_ignore is used 2186 when ARP request is received on the {interface} 2187 2188arp_notify - BOOLEAN 2189 Define mode for notification of address and device changes. 2190 2191 == ========================================================== 2192 0 (default): do nothing 2193 1 Generate gratuitous arp requests when device is brought up 2194 or hardware address changes. 2195 == ========================================================== 2196 2197arp_accept - INTEGER 2198 Define behavior for accepting gratuitous ARP (garp) frames from devices 2199 that are not already present in the ARP table: 2200 2201 - 0 - don't create new entries in the ARP table 2202 - 1 - create new entries in the ARP table 2203 - 2 - create new entries only if the source IP address is in the same 2204 subnet as an address configured on the interface that received the 2205 garp message. 2206 2207 Both replies and requests type gratuitous arp will trigger the 2208 ARP table to be updated, if this setting is on. 2209 2210 If the ARP table already contains the IP address of the 2211 gratuitous arp frame, the arp table will be updated regardless 2212 if this setting is on or off. 2213 2214arp_evict_nocarrier - BOOLEAN 2215 Clears the ARP cache on NOCARRIER events. This option is important for 2216 wireless devices where the ARP cache should not be cleared when roaming 2217 between access points on the same network. In most cases this should 2218 remain as the default (1). 2219 2220 Possible values: 2221 2222 - 0 (disabled) - Do not clear ARP cache on NOCARRIER events 2223 - 1 (enabled) - Clear the ARP cache on NOCARRIER events 2224 2225 Default: 1 (enabled) 2226 2227mcast_solicit - INTEGER 2228 The maximum number of multicast probes in INCOMPLETE state, 2229 when the associated hardware address is unknown. Defaults 2230 to 3. 2231 2232ucast_solicit - INTEGER 2233 The maximum number of unicast probes in PROBE state, when 2234 the hardware address is being reconfirmed. Defaults to 3. 2235 2236app_solicit - INTEGER 2237 The maximum number of probes to send to the user space ARP daemon 2238 via netlink before dropping back to multicast probes (see 2239 mcast_resolicit). Defaults to 0. 2240 2241mcast_resolicit - INTEGER 2242 The maximum number of multicast probes after unicast and 2243 app probes in PROBE state. Defaults to 0. 2244 2245disable_policy - BOOLEAN 2246 Disable IPSEC policy (SPD) for this interface 2247 2248 Possible values: 2249 2250 - 0 (disabled) 2251 - 1 (enabled) 2252 2253 Default: 0 (disabled) 2254 2255disable_xfrm - BOOLEAN 2256 Disable IPSEC encryption on this interface, whatever the policy 2257 2258 Possible values: 2259 2260 - 0 (disabled) 2261 - 1 (enabled) 2262 2263 Default: 0 (disabled) 2264 2265igmpv2_unsolicited_report_interval - INTEGER 2266 The interval in milliseconds in which the next unsolicited 2267 IGMPv1 or IGMPv2 report retransmit will take place. 2268 2269 Default: 10000 (10 seconds) 2270 2271igmpv3_unsolicited_report_interval - INTEGER 2272 The interval in milliseconds in which the next unsolicited 2273 IGMPv3 report retransmit will take place. 2274 2275 Default: 1000 (1 seconds) 2276 2277ignore_routes_with_linkdown - BOOLEAN 2278 Ignore routes whose link is down when performing a FIB lookup. 2279 2280 Possible values: 2281 2282 - 0 (disabled) 2283 - 1 (enabled) 2284 2285 Default: 0 (disabled) 2286 2287promote_secondaries - BOOLEAN 2288 When a primary IP address is removed from this interface 2289 promote a corresponding secondary IP address instead of 2290 removing all the corresponding secondary IP addresses. 2291 2292 Possible values: 2293 2294 - 0 (disabled) 2295 - 1 (enabled) 2296 2297 Default: 0 (disabled) 2298 2299drop_unicast_in_l2_multicast - BOOLEAN 2300 Drop any unicast IP packets that are received in link-layer 2301 multicast (or broadcast) frames. 2302 2303 This behavior (for multicast) is actually a SHOULD in RFC 2304 1122, but is disabled by default for compatibility reasons. 2305 2306 Possible values: 2307 2308 - 0 (disabled) 2309 - 1 (enabled) 2310 2311 Default: 0 (disabled) 2312 2313drop_gratuitous_arp - BOOLEAN 2314 Drop all gratuitous ARP frames, for example if there's a known 2315 good ARP proxy on the network and such frames need not be used 2316 (or in the case of 802.11, must not be used to prevent attacks.) 2317 2318 Possible values: 2319 2320 - 0 (disabled) 2321 - 1 (enabled) 2322 2323 Default: 0 (disabled) 2324 2325 2326tag - INTEGER 2327 Allows you to write a number, which can be used as required. 2328 2329 Default value is 0. 2330 2331xfrm4_gc_thresh - INTEGER 2332 (Obsolete since linux-4.14) 2333 The threshold at which we will start garbage collecting for IPv4 2334 destination cache entries. At twice this value the system will 2335 refuse new allocations. 2336 2337igmp_link_local_mcast_reports - BOOLEAN 2338 Enable IGMP reports for link local multicast groups in the 2339 224.0.0.X range. 2340 2341 Default TRUE 2342 2343Alexey Kuznetsov. 2344kuznet@ms2.inr.ac.ru 2345 2346Updated by: 2347 2348- Andi Kleen 2349 ak@muc.de 2350- Nicolas Delon 2351 delon.nicolas@wanadoo.fr 2352 2353 2354 2355 2356/proc/sys/net/ipv6/* Variables 2357============================== 2358 2359IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also 2360apply to IPv6 [XXX?]. 2361 2362bindv6only - BOOLEAN 2363 Default value for IPV6_V6ONLY socket option, 2364 which restricts use of the IPv6 socket to IPv6 communication 2365 only. 2366 2367 Possible values: 2368 2369 - 0 (disabled) - enable IPv4-mapped address feature 2370 - 1 (enabled) - disable IPv4-mapped address feature 2371 2372 Default: 0 (disabled) 2373 2374flowlabel_consistency - BOOLEAN 2375 Protect the consistency (and unicity) of flow label. 2376 You have to disable it to use IPV6_FL_F_REFLECT flag on the 2377 flow label manager. 2378 2379 Possible values: 2380 2381 - 0 (disabled) 2382 - 1 (enabled) 2383 2384 Default: 1 (enabled) 2385 2386auto_flowlabels - INTEGER 2387 Automatically generate flow labels based on a flow hash of the 2388 packet. This allows intermediate devices, such as routers, to 2389 identify packet flows for mechanisms like Equal Cost Multipath 2390 Routing (see RFC 6438). 2391 2392 = =========================================================== 2393 0 automatic flow labels are completely disabled 2394 1 automatic flow labels are enabled by default, they can be 2395 disabled on a per socket basis using the IPV6_AUTOFLOWLABEL 2396 socket option 2397 2 automatic flow labels are allowed, they may be enabled on a 2398 per socket basis using the IPV6_AUTOFLOWLABEL socket option 2399 3 automatic flow labels are enabled and enforced, they cannot 2400 be disabled by the socket option 2401 = =========================================================== 2402 2403 Default: 1 2404 2405flowlabel_state_ranges - BOOLEAN 2406 Split the flow label number space into two ranges. 0-0x7FFFF is 2407 reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF 2408 is reserved for stateless flow labels as described in RFC6437. 2409 2410 Possible values: 2411 2412 - 0 (disabled) 2413 - 1 (enabled) 2414 2415 Default: 1 (enabled) 2416 2417 2418flowlabel_reflect - INTEGER 2419 Control flow label reflection. Needed for Path MTU 2420 Discovery to work with Equal Cost Multipath Routing in anycast 2421 environments. See RFC 7690 and: 2422 https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01 2423 2424 This is a bitmask. 2425 2426 - 1: enabled for established flows 2427 2428 Note that this prevents automatic flowlabel changes, as done 2429 in "tcp: change IPv6 flow-label upon receiving spurious retransmission" 2430 and "tcp: Change txhash on every SYN and RTO retransmit" 2431 2432 - 2: enabled for TCP RESET packets (no active listener) 2433 If set, a RST packet sent in response to a SYN packet on a closed 2434 port will reflect the incoming flow label. 2435 2436 - 4: enabled for ICMPv6 echo reply messages. 2437 2438 Default: 0 2439 2440fib_multipath_hash_policy - INTEGER 2441 Controls which hash policy to use for multipath routes. 2442 2443 Default: 0 (Layer 3) 2444 2445 Possible values: 2446 2447 - 0 - Layer 3 (source and destination addresses plus flow label) 2448 - 1 - Layer 4 (standard 5-tuple) 2449 - 2 - Layer 3 or inner Layer 3 if present 2450 - 3 - Custom multipath hash. Fields used for multipath hash calculation 2451 are determined by fib_multipath_hash_fields sysctl 2452 2453fib_multipath_hash_fields - UNSIGNED INTEGER 2454 When fib_multipath_hash_policy is set to 3 (custom multipath hash), the 2455 fields used for multipath hash calculation are determined by this 2456 sysctl. 2457 2458 This value is a bitmask which enables various fields for multipath hash 2459 calculation. 2460 2461 Possible fields are: 2462 2463 ====== ============================ 2464 0x0001 Source IP address 2465 0x0002 Destination IP address 2466 0x0004 IP protocol 2467 0x0008 Flow Label 2468 0x0010 Source port 2469 0x0020 Destination port 2470 0x0040 Inner source IP address 2471 0x0080 Inner destination IP address 2472 0x0100 Inner IP protocol 2473 0x0200 Inner Flow Label 2474 0x0400 Inner source port 2475 0x0800 Inner destination port 2476 ====== ============================ 2477 2478 Default: 0x0007 (source IP, destination IP and IP protocol) 2479 2480anycast_src_echo_reply - BOOLEAN 2481 Controls the use of anycast addresses as source addresses for ICMPv6 2482 echo reply 2483 2484 Possible values: 2485 2486 - 0 (disabled) 2487 - 1 (enabled) 2488 2489 Default: 0 (disabled) 2490 2491 2492idgen_delay - INTEGER 2493 Controls the delay in seconds after which time to retry 2494 privacy stable address generation if a DAD conflict is 2495 detected. 2496 2497 Default: 1 (as specified in RFC7217) 2498 2499idgen_retries - INTEGER 2500 Controls the number of retries to generate a stable privacy 2501 address if a DAD conflict is detected. 2502 2503 Default: 3 (as specified in RFC7217) 2504 2505mld_qrv - INTEGER 2506 Controls the MLD query robustness variable (see RFC3810 9.1). 2507 2508 Default: 2 (as specified by RFC3810 9.1) 2509 2510 Minimum: 1 (as specified by RFC6636 4.5) 2511 2512max_dst_opts_number - INTEGER 2513 Maximum number of non-padding TLVs allowed in a Destination 2514 options extension header. If this value is less than zero 2515 then unknown options are disallowed and the number of known 2516 TLVs allowed is the absolute value of this number. 2517 2518 Default: 8 2519 2520max_hbh_opts_number - INTEGER 2521 Maximum number of non-padding TLVs allowed in a Hop-by-Hop 2522 options extension header. If this value is less than zero 2523 then unknown options are disallowed and the number of known 2524 TLVs allowed is the absolute value of this number. 2525 2526 Default: 8 2527 2528max_dst_opts_length - INTEGER 2529 Maximum length allowed for a Destination options extension 2530 header. 2531 2532 Default: INT_MAX (unlimited) 2533 2534max_hbh_length - INTEGER 2535 Maximum length allowed for a Hop-by-Hop options extension 2536 header. 2537 2538 Default: INT_MAX (unlimited) 2539 2540skip_notify_on_dev_down - BOOLEAN 2541 Controls whether an RTM_DELROUTE message is generated for routes 2542 removed when a device is taken down or deleted. IPv4 does not 2543 generate this message; IPv6 does by default. Setting this sysctl 2544 to true skips the message, making IPv4 and IPv6 on par in relying 2545 on userspace caches to track link events and evict routes. 2546 2547 Possible values: 2548 2549 - 0 (disabled) - generate the message 2550 - 1 (enabled) - skip generating the message 2551 2552 Default: 0 (disabled) 2553 2554nexthop_compat_mode - BOOLEAN 2555 New nexthop API provides a means for managing nexthops independent of 2556 prefixes. Backwards compatibility with old route format is enabled by 2557 default which means route dumps and notifications contain the new 2558 nexthop attribute but also the full, expanded nexthop definition. 2559 Further, updates or deletes of a nexthop configuration generate route 2560 notifications for each fib entry using the nexthop. Once a system 2561 understands the new API, this sysctl can be disabled to achieve full 2562 performance benefits of the new API by disabling the nexthop expansion 2563 and extraneous notifications. 2564 2565 Note that as a backward-compatible mode, dumping of modern features 2566 might be incomplete or wrong. For example, resilient groups will not be 2567 shown as such, but rather as just a list of next hops. Also weights that 2568 do not fit into 8 bits will show incorrectly. 2569 2570 Default: true (backward compat mode) 2571 2572fib_notify_on_flag_change - INTEGER 2573 Whether to emit RTM_NEWROUTE notifications whenever RTM_F_OFFLOAD/ 2574 RTM_F_TRAP/RTM_F_OFFLOAD_FAILED flags are changed. 2575 2576 After installing a route to the kernel, user space receives an 2577 acknowledgment, which means the route was installed in the kernel, 2578 but not necessarily in hardware. 2579 It is also possible for a route already installed in hardware to change 2580 its action and therefore its flags. For example, a host route that is 2581 trapping packets can be "promoted" to perform decapsulation following 2582 the installation of an IPinIP/VXLAN tunnel. 2583 The notifications will indicate to user-space the state of the route. 2584 2585 Default: 0 (Do not emit notifications.) 2586 2587 Possible values: 2588 2589 - 0 - Do not emit notifications. 2590 - 1 - Emit notifications. 2591 - 2 - Emit notifications only for RTM_F_OFFLOAD_FAILED flag change. 2592 2593ioam6_id - INTEGER 2594 Define the IOAM id of this node. Uses only 24 bits out of 32 in total. 2595 2596 Possible value range: 2597 2598 - Min: 0 2599 - Max: 0xFFFFFF 2600 2601 Default: 0xFFFFFF 2602 2603ioam6_id_wide - LONG INTEGER 2604 Define the wide IOAM id of this node. Uses only 56 bits out of 64 in 2605 total. Can be different from ioam6_id. 2606 2607 Possible value range: 2608 2609 - Min: 0 2610 - Max: 0xFFFFFFFFFFFFFF 2611 2612 Default: 0xFFFFFFFFFFFFFF 2613 2614IPv6 Fragmentation: 2615 2616ip6frag_high_thresh - INTEGER 2617 Maximum memory used to reassemble IPv6 fragments. When 2618 ip6frag_high_thresh bytes of memory is allocated for this purpose, 2619 the fragment handler will toss packets until ip6frag_low_thresh 2620 is reached. 2621 2622ip6frag_low_thresh - INTEGER 2623 See ip6frag_high_thresh 2624 2625ip6frag_time - INTEGER 2626 Time in seconds to keep an IPv6 fragment in memory. 2627 2628``conf/default/*``: 2629 Change the interface-specific default settings. 2630 2631 These settings would be used during creating new interfaces. 2632 2633 2634``conf/all/*``: 2635 Change all the interface-specific settings. 2636 2637 [XXX: Other special features than forwarding?] 2638 2639conf/all/disable_ipv6 - BOOLEAN 2640 Changing this value is same as changing ``conf/default/disable_ipv6`` 2641 setting and also all per-interface ``disable_ipv6`` settings to the same 2642 value. 2643 2644 Reading this value does not have any particular meaning. It does not say 2645 whether IPv6 support is enabled or disabled. Returned value can be 1 2646 also in the case when some interface has ``disable_ipv6`` set to 0 and 2647 has configured IPv6 addresses. 2648 2649conf/all/forwarding - BOOLEAN 2650 Enable global IPv6 forwarding between all interfaces. 2651 2652 IPv4 and IPv6 work differently here; the ``force_forwarding`` flag must 2653 be used to control which interfaces may forward packets. 2654 2655 This also sets all interfaces' Host/Router setting 2656 'forwarding' to the specified value. See below for details. 2657 2658 This referred to as global forwarding. 2659 2660proxy_ndp - BOOLEAN 2661 Do proxy ndp. 2662 2663 Possible values: 2664 2665 - 0 (disabled) 2666 - 1 (enabled) 2667 2668 Default: 0 (disabled) 2669 2670force_forwarding - BOOLEAN 2671 Enable forwarding on this interface only -- regardless of the setting on 2672 ``conf/all/forwarding``. When setting ``conf.all.forwarding`` to 0, 2673 the ``force_forwarding`` flag will be reset on all interfaces. 2674 2675fwmark_reflect - BOOLEAN 2676 Controls the fwmark of kernel-generated IPv6 reply packets that are not 2677 associated with a socket for example, TCP RSTs or ICMPv6 echo replies). 2678 If disabled, these packets have a fwmark of zero. If enabled, they have the 2679 fwmark of the packet they are replying to. 2680 2681 Possible values: 2682 2683 - 0 (disabled) 2684 - 1 (enabled) 2685 2686 Default: 0 (disabled) 2687 2688``conf/interface/*``: 2689 Change special settings per interface. 2690 2691 The functional behaviour for certain settings is different 2692 depending on whether local forwarding is enabled or not. 2693 2694accept_ra - INTEGER 2695 Accept Router Advertisements; autoconfigure using them. 2696 2697 It also determines whether or not to transmit Router 2698 Solicitations. If and only if the functional setting is to 2699 accept Router Advertisements, Router Solicitations will be 2700 transmitted. 2701 2702 Possible values are: 2703 2704 == =========================================================== 2705 0 Do not accept Router Advertisements. 2706 1 Accept Router Advertisements if forwarding is disabled. 2707 2 Overrule forwarding behaviour. Accept Router Advertisements 2708 even if forwarding is enabled. 2709 == =========================================================== 2710 2711 Functional default: 2712 2713 - enabled if local forwarding is disabled. 2714 - disabled if local forwarding is enabled. 2715 2716accept_ra_defrtr - BOOLEAN 2717 Learn default router in Router Advertisement. 2718 2719 Functional default: 2720 2721 - enabled if accept_ra is enabled. 2722 - disabled if accept_ra is disabled. 2723 2724ra_defrtr_metric - UNSIGNED INTEGER 2725 Route metric for default route learned in Router Advertisement. This value 2726 will be assigned as metric for the default route learned via IPv6 Router 2727 Advertisement. Takes affect only if accept_ra_defrtr is enabled. 2728 2729 Possible values: 2730 1 to 0xFFFFFFFF 2731 2732 Default: IP6_RT_PRIO_USER i.e. 1024. 2733 2734accept_ra_from_local - BOOLEAN 2735 Accept RA with source-address that is found on local machine 2736 if the RA is otherwise proper and able to be accepted. 2737 2738 Default is to NOT accept these as it may be an un-intended 2739 network loop. 2740 2741 Functional default: 2742 2743 - enabled if accept_ra_from_local is enabled 2744 on a specific interface. 2745 - disabled if accept_ra_from_local is disabled 2746 on a specific interface. 2747 2748accept_ra_min_hop_limit - INTEGER 2749 Minimum hop limit Information in Router Advertisement. 2750 2751 Hop limit Information in Router Advertisement less than this 2752 variable shall be ignored. 2753 2754 Default: 1 2755 2756accept_ra_min_lft - INTEGER 2757 Minimum acceptable lifetime value in Router Advertisement. 2758 2759 RA sections with a lifetime less than this value shall be 2760 ignored. Zero lifetimes stay unaffected. 2761 2762 Default: 0 2763 2764accept_ra_pinfo - BOOLEAN 2765 Learn Prefix Information in Router Advertisement. 2766 2767 Functional default: 2768 2769 - enabled if accept_ra is enabled. 2770 - disabled if accept_ra is disabled. 2771 2772ra_honor_pio_life - BOOLEAN 2773 Whether to use RFC4862 Section 5.5.3e to determine the valid 2774 lifetime of an address matching a prefix sent in a Router 2775 Advertisement Prefix Information Option. 2776 2777 Possible values: 2778 2779 - 0 (disabled) - RFC4862 section 5.5.3e is used to determine 2780 the valid lifetime of the address. 2781 - 1 (enabled) - the PIO valid lifetime will always be honored. 2782 2783 Default: 0 (disabled) 2784 2785ra_honor_pio_pflag - BOOLEAN 2786 The Prefix Information Option P-flag indicates the network can 2787 allocate a unique IPv6 prefix per client using DHCPv6-PD. 2788 This sysctl can be enabled when a userspace DHCPv6-PD client 2789 is running to cause the P-flag to take effect: i.e. the 2790 P-flag suppresses any effects of the A-flag within the same 2791 PIO. For a given PIO, P=1 and A=1 is treated as A=0. 2792 2793 Possible values: 2794 2795 - 0 (disabled) - the P-flag is ignored. 2796 - 1 (enabled) - the P-flag will disable SLAAC autoconfiguration 2797 for the given Prefix Information Option. 2798 2799 Default: 0 (disabled) 2800 2801accept_ra_rt_info_min_plen - INTEGER 2802 Minimum prefix length of Route Information in RA. 2803 2804 Route Information w/ prefix smaller than this variable shall 2805 be ignored. 2806 2807 Functional default: 2808 2809 * 0 if accept_ra_rtr_pref is enabled. 2810 * -1 if accept_ra_rtr_pref is disabled. 2811 2812accept_ra_rt_info_max_plen - INTEGER 2813 Maximum prefix length of Route Information in RA. 2814 2815 Route Information w/ prefix larger than this variable shall 2816 be ignored. 2817 2818 Functional default: 2819 2820 * 0 if accept_ra_rtr_pref is enabled. 2821 * -1 if accept_ra_rtr_pref is disabled. 2822 2823accept_ra_rtr_pref - BOOLEAN 2824 Accept Router Preference in RA. 2825 2826 Functional default: 2827 2828 - enabled if accept_ra is enabled. 2829 - disabled if accept_ra is disabled. 2830 2831accept_ra_mtu - BOOLEAN 2832 Apply the MTU value specified in RA option 5 (RFC4861). If 2833 disabled, the MTU specified in the RA will be ignored. 2834 2835 Functional default: 2836 2837 - enabled if accept_ra is enabled. 2838 - disabled if accept_ra is disabled. 2839 2840accept_redirects - BOOLEAN 2841 Accept Redirects. 2842 2843 Functional default: 2844 2845 - enabled if local forwarding is disabled. 2846 - disabled if local forwarding is enabled. 2847 2848accept_source_route - INTEGER 2849 Accept source routing (routing extension header). 2850 2851 - >= 0: Accept only routing header type 2. 2852 - < 0: Do not accept routing header. 2853 2854 Default: 0 2855 2856autoconf - BOOLEAN 2857 Autoconfigure addresses using Prefix Information in Router 2858 Advertisements. 2859 2860 Functional default: 2861 2862 - enabled if accept_ra_pinfo is enabled. 2863 - disabled if accept_ra_pinfo is disabled. 2864 2865dad_transmits - INTEGER 2866 The amount of Duplicate Address Detection probes to send. 2867 2868 Default: 1 2869 2870forwarding - INTEGER 2871 Configure interface-specific Host/Router behaviour. 2872 2873 .. note:: 2874 2875 It is recommended to have the same setting on all 2876 interfaces; mixed router/host scenarios are rather uncommon. 2877 2878 Possible values are: 2879 2880 - 0 Forwarding disabled 2881 - 1 Forwarding enabled 2882 2883 **FALSE (0)**: 2884 2885 By default, Host behaviour is assumed. This means: 2886 2887 1. IsRouter flag is not set in Neighbour Advertisements. 2888 2. If accept_ra is TRUE (default), transmit Router 2889 Solicitations. 2890 3. If accept_ra is TRUE (default), accept Router 2891 Advertisements (and do autoconfiguration). 2892 4. If accept_redirects is TRUE (default), accept Redirects. 2893 2894 **TRUE (1)**: 2895 2896 If local forwarding is enabled, Router behaviour is assumed. 2897 This means exactly the reverse from the above: 2898 2899 1. IsRouter flag is set in Neighbour Advertisements. 2900 2. Router Solicitations are not sent unless accept_ra is 2. 2901 3. Router Advertisements are ignored unless accept_ra is 2. 2902 4. Redirects are ignored. 2903 2904 Default: 0 (disabled) if global forwarding is disabled (default), 2905 otherwise 1 (enabled). 2906 2907hop_limit - INTEGER 2908 Default Hop Limit to set. 2909 2910 Default: 64 2911 2912mtu - INTEGER 2913 Default Maximum Transfer Unit 2914 2915 Default: 1280 (IPv6 required minimum) 2916 2917ip_nonlocal_bind - BOOLEAN 2918 If enabled, allows processes to bind() to non-local IPv6 addresses, 2919 which can be quite useful - but may break some applications. 2920 2921 Possible values: 2922 2923 - 0 (disabled) 2924 - 1 (enabled) 2925 2926 Default: 0 (disabled) 2927 2928router_probe_interval - INTEGER 2929 Minimum interval (in seconds) between Router Probing described 2930 in RFC4191. 2931 2932 Default: 60 2933 2934router_solicitation_delay - INTEGER 2935 Number of seconds to wait after interface is brought up 2936 before sending Router Solicitations. 2937 2938 Default: 1 2939 2940router_solicitation_interval - INTEGER 2941 Number of seconds to wait between Router Solicitations. 2942 2943 Default: 4 2944 2945router_solicitations - INTEGER 2946 Number of Router Solicitations to send until assuming no 2947 routers are present. 2948 2949 Default: 3 2950 2951use_oif_addrs_only - BOOLEAN 2952 When enabled, the candidate source addresses for destinations 2953 routed via this interface are restricted to the set of addresses 2954 configured on this interface (vis. RFC 6724, section 4). 2955 2956 Possible values: 2957 2958 - 0 (disabled) 2959 - 1 (enabled) 2960 2961 Default: 0 (disabled) 2962 2963use_tempaddr - INTEGER 2964 Preference for Privacy Extensions (RFC3041). 2965 2966 * <= 0 : disable Privacy Extensions 2967 * == 1 : enable Privacy Extensions, but prefer public 2968 addresses over temporary addresses. 2969 * > 1 : enable Privacy Extensions and prefer temporary 2970 addresses over public addresses. 2971 2972 Default: 2973 2974 * 0 (for most devices) 2975 * -1 (for point-to-point devices and loopback devices) 2976 2977temp_valid_lft - INTEGER 2978 valid lifetime (in seconds) for temporary addresses. If less than the 2979 minimum required lifetime (typically 5-7 seconds), temporary addresses 2980 will not be created. 2981 2982 Default: 172800 (2 days) 2983 2984temp_prefered_lft - INTEGER 2985 Preferred lifetime (in seconds) for temporary addresses. If 2986 temp_prefered_lft is less than the minimum required lifetime (typically 2987 5-7 seconds), the preferred lifetime is the minimum required. If 2988 temp_prefered_lft is greater than temp_valid_lft, the preferred lifetime 2989 is temp_valid_lft. 2990 2991 Default: 86400 (1 day) 2992 2993keep_addr_on_down - INTEGER 2994 Keep all IPv6 addresses on an interface down event. If set static 2995 global addresses with no expiration time are not flushed. 2996 2997 * >0 : enabled 2998 * 0 : system default 2999 * <0 : disabled 3000 3001 Default: 0 (addresses are removed) 3002 3003max_desync_factor - INTEGER 3004 Maximum value for DESYNC_FACTOR, which is a random value 3005 that ensures that clients don't synchronize with each 3006 other and generate new addresses at exactly the same time. 3007 value is in seconds. 3008 3009 Default: 600 3010 3011regen_min_advance - INTEGER 3012 How far in advance (in seconds), at minimum, to create a new temporary 3013 address before the current one is deprecated. This value is added to 3014 the amount of time that may be required for duplicate address detection 3015 to determine when to create a new address. Linux permits setting this 3016 value to less than the default of 2 seconds, but a value less than 2 3017 does not conform to RFC 8981. 3018 3019 Default: 2 3020 3021regen_max_retry - INTEGER 3022 Number of attempts before give up attempting to generate 3023 valid temporary addresses. 3024 3025 Default: 5 3026 3027max_addresses - INTEGER 3028 Maximum number of autoconfigured addresses per interface. Setting 3029 to zero disables the limitation. It is not recommended to set this 3030 value too large (or to zero) because it would be an easy way to 3031 crash the kernel by allowing too many addresses to be created. 3032 3033 Default: 16 3034 3035disable_ipv6 - BOOLEAN 3036 Disable IPv6 operation. If accept_dad is set to 2, this value 3037 will be dynamically set to TRUE if DAD fails for the link-local 3038 address. 3039 3040 Default: FALSE (enable IPv6 operation) 3041 3042 When this value is changed from 1 to 0 (IPv6 is being enabled), 3043 it will dynamically create a link-local address on the given 3044 interface and start Duplicate Address Detection, if necessary. 3045 3046 When this value is changed from 0 to 1 (IPv6 is being disabled), 3047 it will dynamically delete all addresses and routes on the given 3048 interface. From now on it will not possible to add addresses/routes 3049 to the selected interface. 3050 3051accept_dad - INTEGER 3052 Whether to accept DAD (Duplicate Address Detection). 3053 3054 == ============================================================== 3055 0 Disable DAD 3056 1 Enable DAD (default) 3057 2 Enable DAD, and disable IPv6 operation if MAC-based duplicate 3058 link-local address has been found. 3059 == ============================================================== 3060 3061 DAD operation and mode on a given interface will be selected according 3062 to the maximum value of conf/{all,interface}/accept_dad. 3063 3064force_tllao - BOOLEAN 3065 Enable sending the target link-layer address option even when 3066 responding to a unicast neighbor solicitation. 3067 3068 Default: FALSE 3069 3070 Quoting from RFC 2461, section 4.4, Target link-layer address: 3071 3072 "The option MUST be included for multicast solicitations in order to 3073 avoid infinite Neighbor Solicitation "recursion" when the peer node 3074 does not have a cache entry to return a Neighbor Advertisements 3075 message. When responding to unicast solicitations, the option can be 3076 omitted since the sender of the solicitation has the correct link- 3077 layer address; otherwise it would not have be able to send the unicast 3078 solicitation in the first place. However, including the link-layer 3079 address in this case adds little overhead and eliminates a potential 3080 race condition where the sender deletes the cached link-layer address 3081 prior to receiving a response to a previous solicitation." 3082 3083ndisc_notify - BOOLEAN 3084 Define mode for notification of address and device changes. 3085 3086 Possible values: 3087 3088 - 0 (disabled) - do nothing 3089 - 1 (enabled) - Generate unsolicited neighbour advertisements when device is brought 3090 up or hardware address changes. 3091 3092 Default: 0 (disabled) 3093 3094ndisc_tclass - INTEGER 3095 The IPv6 Traffic Class to use by default when sending IPv6 Neighbor 3096 Discovery (Router Solicitation, Router Advertisement, Neighbor 3097 Solicitation, Neighbor Advertisement, Redirect) messages. 3098 These 8 bits can be interpreted as 6 high order bits holding the DSCP 3099 value and 2 low order bits representing ECN (which you probably want 3100 to leave cleared). 3101 3102 * 0 - (default) 3103 3104ndisc_evict_nocarrier - BOOLEAN 3105 Clears the neighbor discovery table on NOCARRIER events. This option is 3106 important for wireless devices where the neighbor discovery cache should 3107 not be cleared when roaming between access points on the same network. 3108 In most cases this should remain as the default (1). 3109 3110 Possible values: 3111 3112 - 0 (disabled) - Do not clear neighbor discovery cache on NOCARRIER events. 3113 - 1 (enabled) - Clear neighbor discover cache on NOCARRIER events. 3114 3115 Default: 1 (enabled) 3116 3117mldv1_unsolicited_report_interval - INTEGER 3118 The interval in milliseconds in which the next unsolicited 3119 MLDv1 report retransmit will take place. 3120 3121 Default: 10000 (10 seconds) 3122 3123mldv2_unsolicited_report_interval - INTEGER 3124 The interval in milliseconds in which the next unsolicited 3125 MLDv2 report retransmit will take place. 3126 3127 Default: 1000 (1 second) 3128 3129force_mld_version - INTEGER 3130 * 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed 3131 * 1 - Enforce to use MLD version 1 3132 * 2 - Enforce to use MLD version 2 3133 3134suppress_frag_ndisc - INTEGER 3135 Control RFC 6980 (Security Implications of IPv6 Fragmentation 3136 with IPv6 Neighbor Discovery) behavior: 3137 3138 * 1 - (default) discard fragmented neighbor discovery packets 3139 * 0 - allow fragmented neighbor discovery packets 3140 3141optimistic_dad - BOOLEAN 3142 Whether to perform Optimistic Duplicate Address Detection (RFC 4429). 3143 3144 Optimistic Duplicate Address Detection for the interface will be enabled 3145 if at least one of conf/{all,interface}/optimistic_dad is set to 1, 3146 it will be disabled otherwise. 3147 3148 Possible values: 3149 3150 - 0 (disabled) 3151 - 1 (enabled) 3152 3153 Default: 0 (disabled) 3154 3155 3156use_optimistic - BOOLEAN 3157 If enabled, do not classify optimistic addresses as deprecated during 3158 source address selection. Preferred addresses will still be chosen 3159 before optimistic addresses, subject to other ranking in the source 3160 address selection algorithm. 3161 3162 This will be enabled if at least one of 3163 conf/{all,interface}/use_optimistic is set to 1, disabled otherwise. 3164 3165 Possible values: 3166 3167 - 0 (disabled) 3168 - 1 (enabled) 3169 3170 Default: 0 (disabled) 3171 3172stable_secret - IPv6 address 3173 This IPv6 address will be used as a secret to generate IPv6 3174 addresses for link-local addresses and autoconfigured 3175 ones. All addresses generated after setting this secret will 3176 be stable privacy ones by default. This can be changed via the 3177 addrgenmode ip-link. conf/default/stable_secret is used as the 3178 secret for the namespace, the interface specific ones can 3179 overwrite that. Writes to conf/all/stable_secret are refused. 3180 3181 It is recommended to generate this secret during installation 3182 of a system and keep it stable after that. 3183 3184 By default the stable secret is unset. 3185 3186addr_gen_mode - INTEGER 3187 Defines how link-local and autoconf addresses are generated. 3188 3189 = ================================================================= 3190 0 generate address based on EUI64 (default) 3191 1 do no generate a link-local address, use EUI64 for addresses 3192 generated from autoconf 3193 2 generate stable privacy addresses, using the secret from 3194 stable_secret (RFC7217) 3195 3 generate stable privacy addresses, using a random secret if unset 3196 = ================================================================= 3197 3198drop_unicast_in_l2_multicast - BOOLEAN 3199 Drop any unicast IPv6 packets that are received in link-layer 3200 multicast (or broadcast) frames. 3201 3202 Possible values: 3203 3204 - 0 (disabled) 3205 - 1 (enabled) 3206 3207 Default: 0 (disabled) 3208 3209drop_unsolicited_na - BOOLEAN 3210 Drop all unsolicited neighbor advertisements, for example if there's 3211 a known good NA proxy on the network and such frames need not be used 3212 (or in the case of 802.11, must not be used to prevent attacks.) 3213 3214 Possible values: 3215 3216 - 0 (disabled) 3217 - 1 (enabled) 3218 3219 Default: 0 (disabled). 3220 3221accept_untracked_na - INTEGER 3222 Define behavior for accepting neighbor advertisements from devices that 3223 are absent in the neighbor cache: 3224 3225 - 0 - (default) Do not accept unsolicited and untracked neighbor 3226 advertisements. 3227 3228 - 1 - Add a new neighbor cache entry in STALE state for routers on 3229 receiving a neighbor advertisement (either solicited or unsolicited) 3230 with target link-layer address option specified if no neighbor entry 3231 is already present for the advertised IPv6 address. Without this knob, 3232 NAs received for untracked addresses (absent in neighbor cache) are 3233 silently ignored. 3234 3235 This is as per router-side behavior documented in RFC9131. 3236 3237 This has lower precedence than drop_unsolicited_na. 3238 3239 This will optimize the return path for the initial off-link 3240 communication that is initiated by a directly connected host, by 3241 ensuring that the first-hop router which turns on this setting doesn't 3242 have to buffer the initial return packets to do neighbor-solicitation. 3243 The prerequisite is that the host is configured to send unsolicited 3244 neighbor advertisements on interface bringup. This setting should be 3245 used in conjunction with the ndisc_notify setting on the host to 3246 satisfy this prerequisite. 3247 3248 - 2 - Extend option (1) to add a new neighbor cache entry only if the 3249 source IP address is in the same subnet as an address configured on 3250 the interface that received the neighbor advertisement. 3251 3252enhanced_dad - BOOLEAN 3253 Include a nonce option in the IPv6 neighbor solicitation messages used for 3254 duplicate address detection per RFC7527. A received DAD NS will only signal 3255 a duplicate address if the nonce is different. This avoids any false 3256 detection of duplicates due to loopback of the NS messages that we send. 3257 The nonce option will be sent on an interface unless both of 3258 conf/{all,interface}/enhanced_dad are set to FALSE. 3259 3260 Possible values: 3261 3262 - 0 (disabled) 3263 - 1 (enabled) 3264 3265 Default: 1 (enabled) 3266 3267``icmp/*``: 3268=========== 3269 3270ratelimit - INTEGER 3271 Limit the maximal rates for sending ICMPv6 messages to a particular 3272 peer. 3273 3274 0 to disable any limiting, 3275 otherwise the space between responses in milliseconds. 3276 3277 Default: 100 3278 3279ratemask - list of comma separated ranges 3280 For ICMPv6 message types matching the ranges in the ratemask, limit 3281 the sending of the message according to ratelimit parameter. 3282 3283 The format used for both input and output is a comma separated 3284 list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and 3285 129). Writing to the file will clear all previous ranges of ICMPv6 3286 message types and update the current list with the input. 3287 3288 Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml 3289 for numerical values of ICMPv6 message types, e.g. echo request is 128 3290 and echo reply is 129. 3291 3292 Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big) 3293 3294echo_ignore_all - BOOLEAN 3295 If enabled, then the kernel will ignore all ICMP ECHO 3296 requests sent to it over the IPv6 protocol. 3297 3298 Possible values: 3299 3300 - 0 (disabled) 3301 - 1 (enabled) 3302 3303 Default: 0 (disabled) 3304 3305echo_ignore_multicast - BOOLEAN 3306 If enabled, then the kernel will ignore all ICMP ECHO 3307 requests sent to it over the IPv6 protocol via multicast. 3308 3309 Possible values: 3310 3311 - 0 (disabled) 3312 - 1 (enabled) 3313 3314 Default: 0 (disabled) 3315 3316echo_ignore_anycast - BOOLEAN 3317 If enabled, then the kernel will ignore all ICMP ECHO 3318 requests sent to it over the IPv6 protocol destined to anycast address. 3319 3320 Possible values: 3321 3322 - 0 (disabled) 3323 - 1 (enabled) 3324 3325 Default: 0 (disabled) 3326 3327error_anycast_as_unicast - BOOLEAN 3328 If enabled, then the kernel will respond with ICMP Errors 3329 resulting from requests sent to it over the IPv6 protocol destined 3330 to anycast address essentially treating anycast as unicast. 3331 3332 Possible values: 3333 3334 - 0 (disabled) 3335 - 1 (enabled) 3336 3337 Default: 0 (disabled) 3338 3339errors_extension_mask - UNSIGNED INTEGER 3340 Bitmask of ICMP extensions to append to ICMPv6 error messages 3341 ("Destination Unreachable" and "Time Exceeded"). The original datagram 3342 is trimmed / padded to 128 bytes in order to be compatible with 3343 applications that do not comply with RFC 4884. 3344 3345 Possible extensions are: 3346 3347 ==== ============================================================== 3348 0x01 Incoming IP interface information according to RFC 5837. 3349 Extension will include the index, IPv6 address (if present), 3350 name and MTU of the IP interface that received the datagram 3351 which elicited the ICMP error. 3352 ==== ============================================================== 3353 3354 Default: 0x00 (no extensions) 3355 3356xfrm6_gc_thresh - INTEGER 3357 (Obsolete since linux-4.14) 3358 The threshold at which we will start garbage collecting for IPv6 3359 destination cache entries. At twice this value the system will 3360 refuse new allocations. 3361 3362 3363IPv6 Update by: 3364Pekka Savola <pekkas@netcore.fi> 3365YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> 3366 3367 3368/proc/sys/net/bridge/* Variables: 3369================================= 3370 3371bridge-nf-call-arptables - BOOLEAN 3372 3373 Possible values: 3374 3375 - 0 (disabled) - disable this. 3376 - 1 (enabled) - pass bridged ARP traffic to arptables' FORWARD chain. 3377 3378 Default: 1 (enabled) 3379 3380bridge-nf-call-iptables - BOOLEAN 3381 3382 Possible values: 3383 3384 - 0 (disabled) - disable this. 3385 - 1 (enabled) - pass bridged IPv4 traffic to iptables' chains. 3386 3387 Default: 1 (enabled) 3388 3389bridge-nf-call-ip6tables - BOOLEAN 3390 3391 Possible values: 3392 3393 - 0 (disabled) - disable this. 3394 - 1 (enabled) - pass bridged IPv6 traffic to ip6tables' chains. 3395 3396 Default: 1 (enabled) 3397 3398bridge-nf-filter-vlan-tagged - BOOLEAN 3399 3400 Possible values: 3401 3402 - 0 (disabled) - disable this. 3403 - 1 (enabled) - pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables 3404 3405 Default: 0 (disabled) 3406 3407bridge-nf-filter-pppoe-tagged - BOOLEAN 3408 3409 Possible values: 3410 3411 - 0 (disabled) - disable this. 3412 - 1 (enabled) - pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. 3413 3414 Default: 0 (disabled) 3415 3416bridge-nf-pass-vlan-input-dev - BOOLEAN 3417 - 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan 3418 interface on the bridge and set the netfilter input device to the 3419 vlan. This allows use of e.g. "iptables -i br0.1" and makes the 3420 REDIRECT target work with vlan-on-top-of-bridge interfaces. When no 3421 matching vlan interface is found, or this switch is off, the input 3422 device is set to the bridge interface. 3423 3424 - 0: disable bridge netfilter vlan interface lookup. 3425 3426 Default: 0 3427 3428``proc/sys/net/sctp/*`` Variables: 3429================================== 3430 3431addip_enable - BOOLEAN 3432 Enable or disable extension of Dynamic Address Reconfiguration 3433 (ADD-IP) functionality specified in RFC5061. This extension provides 3434 the ability to dynamically add and remove new addresses for the SCTP 3435 associations. 3436 3437 Possible values: 3438 3439 - 0 (disabled) - disable extension. 3440 - 1 (enabled) - enable extension 3441 3442 Default: 0 (disabled) 3443 3444pf_enable - INTEGER 3445 Enable or disable pf (pf is short for potentially failed) state. A value 3446 of pf_retrans > path_max_retrans also disables pf state. That is, one of 3447 both pf_enable and pf_retrans > path_max_retrans can disable pf state. 3448 Since pf_retrans and path_max_retrans can be changed by userspace 3449 application, sometimes user expects to disable pf state by the value of 3450 pf_retrans > path_max_retrans, but occasionally the value of pf_retrans 3451 or path_max_retrans is changed by the user application, this pf state is 3452 enabled. As such, it is necessary to add this to dynamically enable 3453 and disable pf state. See: 3454 https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for 3455 details. 3456 3457 Possible values: 3458 3459 - 1: Enable pf. 3460 - 0: Disable pf. 3461 3462 Default: 1 3463 3464pf_expose - INTEGER 3465 Unset or enable/disable pf (pf is short for potentially failed) state 3466 exposure. Applications can control the exposure of the PF path state 3467 in the SCTP_PEER_ADDR_CHANGE event and access of SCTP_PF-state 3468 transport info via SCTP_GET_PEER_ADDR_INFO sockopt. 3469 3470 Possible values: 3471 3472 - 0: Unset pf state exposure (compatible with old applications). No 3473 event will be sent but the transport info can be queried. 3474 - 1: Disable pf state exposure. No event will be sent and trying to 3475 obtain transport info will return -EACCESS. 3476 - 2: Enable pf state exposure. The event will be sent for a transport 3477 becoming SCTP_PF state and transport info can be obtained. 3478 3479 Default: 0 3480 3481addip_noauth_enable - BOOLEAN 3482 Dynamic Address Reconfiguration (ADD-IP) requires the use of 3483 authentication to protect the operations of adding or removing new 3484 addresses. This requirement is mandated so that unauthorized hosts 3485 would not be able to hijack associations. However, older 3486 implementations may not have implemented this requirement while 3487 allowing the ADD-IP extension. For reasons of interoperability, 3488 we provide this variable to control the enforcement of the 3489 authentication requirement. 3490 3491 == =============================================================== 3492 1 Allow ADD-IP extension to be used without authentication. This 3493 should only be set in a closed environment for interoperability 3494 with older implementations. 3495 3496 0 Enforce the authentication requirement 3497 == =============================================================== 3498 3499 Default: 0 3500 3501auth_enable - BOOLEAN 3502 Enable or disable Authenticated Chunks extension. This extension 3503 provides the ability to send and receive authenticated chunks and is 3504 required for secure operation of Dynamic Address Reconfiguration 3505 (ADD-IP) extension. 3506 3507 Possible values: 3508 3509 - 0 (disabled) - disable extension. 3510 - 1 (enabled) - enable extension 3511 3512 Default: 0 (disabled) 3513 3514prsctp_enable - BOOLEAN 3515 Enable or disable the Partial Reliability extension (RFC3758) which 3516 is used to notify peers that a given DATA should no longer be expected. 3517 3518 Possible values: 3519 3520 - 0 (disabled) - disable extension. 3521 - 1 (enabled) - enable extension 3522 3523 Default: 1 (enabled) 3524 3525max_burst - INTEGER 3526 The limit of the number of new packets that can be initially sent. It 3527 controls how bursty the generated traffic can be. 3528 3529 Default: 4 3530 3531association_max_retrans - INTEGER 3532 Set the maximum number for retransmissions that an association can 3533 attempt deciding that the remote end is unreachable. If this value 3534 is exceeded, the association is terminated. 3535 3536 Default: 10 3537 3538max_init_retransmits - INTEGER 3539 The maximum number of retransmissions of INIT and COOKIE-ECHO chunks 3540 that an association will attempt before declaring the destination 3541 unreachable and terminating. 3542 3543 Default: 8 3544 3545path_max_retrans - INTEGER 3546 The maximum number of retransmissions that will be attempted on a given 3547 path. Once this threshold is exceeded, the path is considered 3548 unreachable, and new traffic will use a different path when the 3549 association is multihomed. 3550 3551 Default: 5 3552 3553pf_retrans - INTEGER 3554 The number of retransmissions that will be attempted on a given path 3555 before traffic is redirected to an alternate transport (should one 3556 exist). Note this is distinct from path_max_retrans, as a path that 3557 passes the pf_retrans threshold can still be used. Its only 3558 deprioritized when a transmission path is selected by the stack. This 3559 setting is primarily used to enable fast failover mechanisms without 3560 having to reduce path_max_retrans to a very low value. See: 3561 http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt 3562 for details. Note also that a value of pf_retrans > path_max_retrans 3563 disables this feature. Since both pf_retrans and path_max_retrans can 3564 be changed by userspace application, a variable pf_enable is used to 3565 disable pf state. 3566 3567 Default: 0 3568 3569ps_retrans - INTEGER 3570 Primary.Switchover.Max.Retrans (PSMR), it's a tunable parameter coming 3571 from section-5 "Primary Path Switchover" in rfc7829. The primary path 3572 will be changed to another active path when the path error counter on 3573 the old primary path exceeds PSMR, so that "the SCTP sender is allowed 3574 to continue data transmission on a new working path even when the old 3575 primary destination address becomes active again". Note this feature 3576 is disabled by initializing 'ps_retrans' per netns as 0xffff by default, 3577 and its value can't be less than 'pf_retrans' when changing by sysctl. 3578 3579 Default: 0xffff 3580 3581rto_initial - INTEGER 3582 The initial round trip timeout value in milliseconds that will be used 3583 in calculating round trip times. This is the initial time interval 3584 for retransmissions. 3585 3586 Default: 3000 3587 3588rto_max - INTEGER 3589 The maximum value (in milliseconds) of the round trip timeout. This 3590 is the largest time interval that can elapse between retransmissions. 3591 3592 Default: 60000 3593 3594rto_min - INTEGER 3595 The minimum value (in milliseconds) of the round trip timeout. This 3596 is the smallest time interval the can elapse between retransmissions. 3597 3598 Default: 1000 3599 3600hb_interval - INTEGER 3601 The interval (in milliseconds) between HEARTBEAT chunks. These chunks 3602 are sent at the specified interval on idle paths to probe the state of 3603 a given path between 2 associations. 3604 3605 Default: 30000 3606 3607sack_timeout - INTEGER 3608 The amount of time (in milliseconds) that the implementation will wait 3609 to send a SACK. 3610 3611 Default: 200 3612 3613valid_cookie_life - INTEGER 3614 The default lifetime of the SCTP cookie (in milliseconds). The cookie 3615 is used during association establishment. 3616 3617 Default: 60000 3618 3619cookie_preserve_enable - BOOLEAN 3620 Enable or disable the ability to extend the lifetime of the SCTP cookie 3621 that is used during the establishment phase of SCTP association 3622 3623 Possible values: 3624 3625 - 0 (disabled) - disable. 3626 - 1 (enabled) - enable cookie lifetime extension. 3627 3628 Default: 1 (enabled) 3629 3630cookie_hmac_alg - STRING 3631 Select the hmac algorithm used when generating the cookie value sent by 3632 a listening sctp socket to a connecting client in the INIT-ACK chunk. 3633 Valid values are: 3634 3635 * sha256 3636 * none 3637 3638 Default: sha256 3639 3640rcvbuf_policy - INTEGER 3641 Determines if the receive buffer is attributed to the socket or to 3642 association. SCTP supports the capability to create multiple 3643 associations on a single socket. When using this capability, it is 3644 possible that a single stalled association that's buffering a lot 3645 of data may block other associations from delivering their data by 3646 consuming all of the receive buffer space. To work around this, 3647 the rcvbuf_policy could be set to attribute the receiver buffer space 3648 to each association instead of the socket. This prevents the described 3649 blocking. 3650 3651 - 1: rcvbuf space is per association 3652 - 0: rcvbuf space is per socket 3653 3654 Default: 0 3655 3656sndbuf_policy - INTEGER 3657 Similar to rcvbuf_policy above, this applies to send buffer space. 3658 3659 - 1: Send buffer is tracked per association 3660 - 0: Send buffer is tracked per socket. 3661 3662 Default: 0 3663 3664sctp_mem - vector of 3 INTEGERs: min, pressure, max 3665 Number of pages allowed for queueing by all SCTP sockets. 3666 3667 * min: Below this number of pages SCTP is not bothered about its 3668 memory usage. When amount of memory allocated by SCTP exceeds 3669 this number, SCTP starts to moderate memory usage. 3670 * pressure: This value was introduced to follow format of tcp_mem. 3671 * max: Maximum number of allowed pages. 3672 3673 Default is calculated at boot time from amount of available memory. 3674 3675sctp_rmem - vector of 3 INTEGERs: min, default, max 3676 Only the first value ("min") is used, "default" and "max" are 3677 ignored. 3678 3679 * min: Minimal size of receive buffer used by SCTP socket. 3680 It is guaranteed to each SCTP socket (but not association) even 3681 under moderate memory pressure. 3682 3683 Default: 4K 3684 3685sctp_wmem - vector of 3 INTEGERs: min, default, max 3686 Only the first value ("min") is used, "default" and "max" are 3687 ignored. 3688 3689 * min: Minimum size of send buffer that can be used by SCTP sockets. 3690 It is guaranteed to each SCTP socket (but not association) even 3691 under moderate memory pressure. 3692 3693 Default: 4K 3694 3695addr_scope_policy - INTEGER 3696 Control IPv4 address scoping (see 3697 https://datatracker.ietf.org/doc/draft-stewart-tsvwg-sctp-ipv4/00/ 3698 for details). 3699 3700 - 0 - Disable IPv4 address scoping 3701 - 1 - Enable IPv4 address scoping 3702 - 2 - Follow draft but allow IPv4 private addresses 3703 - 3 - Follow draft but allow IPv4 link local addresses 3704 3705 Default: 1 3706 3707udp_port - INTEGER 3708 The listening port for the local UDP tunneling sock. Normally it's 3709 using the IANA-assigned UDP port number 9899 (sctp-tunneling). 3710 3711 This UDP sock is used for processing the incoming UDP-encapsulated 3712 SCTP packets (from RFC6951), and shared by all applications in the 3713 same net namespace. This UDP sock will be closed when the value is 3714 set to 0. 3715 3716 The value will also be used to set the src port of the UDP header 3717 for the outgoing UDP-encapsulated SCTP packets. For the dest port, 3718 please refer to 'encap_port' below. 3719 3720 Default: 0 3721 3722encap_port - INTEGER 3723 The default remote UDP encapsulation port. 3724 3725 This value is used to set the dest port of the UDP header for the 3726 outgoing UDP-encapsulated SCTP packets by default. Users can also 3727 change the value for each sock/asoc/transport by using setsockopt. 3728 For further information, please refer to RFC6951. 3729 3730 Note that when connecting to a remote server, the client should set 3731 this to the port that the UDP tunneling sock on the peer server is 3732 listening to and the local UDP tunneling sock on the client also 3733 must be started. On the server, it would get the encap_port from 3734 the incoming packet's source port. 3735 3736 Default: 0 3737 3738plpmtud_probe_interval - INTEGER 3739 The time interval (in milliseconds) for the PLPMTUD probe timer, 3740 which is configured to expire after this period to receive an 3741 acknowledgment to a probe packet. This is also the time interval 3742 between the probes for the current pmtu when the probe search 3743 is done. 3744 3745 PLPMTUD will be disabled when 0 is set, and other values for it 3746 must be >= 5000. 3747 3748 Default: 0 3749 3750reconf_enable - BOOLEAN 3751 Enable or disable extension of Stream Reconfiguration functionality 3752 specified in RFC6525. This extension provides the ability to "reset" 3753 a stream, and it includes the Parameters of "Outgoing/Incoming SSN 3754 Reset", "SSN/TSN Reset" and "Add Outgoing/Incoming Streams". 3755 3756 Possible values: 3757 3758 - 0 (disabled) - Disable extension. 3759 - 1 (enabled) - Enable extension. 3760 3761 Default: 0 (disabled) 3762 3763intl_enable - BOOLEAN 3764 Enable or disable extension of User Message Interleaving functionality 3765 specified in RFC8260. This extension allows the interleaving of user 3766 messages sent on different streams. With this feature enabled, I-DATA 3767 chunk will replace DATA chunk to carry user messages if also supported 3768 by the peer. Note that to use this feature, one needs to set this option 3769 to 1 and also needs to set socket options SCTP_FRAGMENT_INTERLEAVE to 2 3770 and SCTP_INTERLEAVING_SUPPORTED to 1. 3771 3772 Possible values: 3773 3774 - 0 (disabled) - Disable extension. 3775 - 1 (enabled) - Enable extension. 3776 3777 Default: 0 (disabled) 3778 3779ecn_enable - BOOLEAN 3780 Control use of Explicit Congestion Notification (ECN) by SCTP. 3781 Like in TCP, ECN is used only when both ends of the SCTP connection 3782 indicate support for it. This feature is useful in avoiding losses 3783 due to congestion by allowing supporting routers to signal congestion 3784 before having to drop packets. 3785 3786 Possible values: 3787 3788 - 0 (disabled) - Disable ecn. 3789 - 1 (enabled) - Enable ecn. 3790 3791 Default: 1 (enabled) 3792 3793l3mdev_accept - BOOLEAN 3794 Enabling this option allows a "global" bound socket to work 3795 across L3 master domains (e.g., VRFs) with packets capable of 3796 being received regardless of the L3 domain in which they 3797 originated. Only valid when the kernel was compiled with 3798 CONFIG_NET_L3_MASTER_DEV. 3799 3800 Possible values: 3801 3802 - 0 (disabled) 3803 - 1 (enabled) 3804 3805 Default: 1 (enabled) 3806 3807 3808``/proc/sys/net/core/*`` 3809======================== 3810 3811 Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries. 3812 3813 3814``/proc/sys/net/unix/*`` 3815======================== 3816 3817max_dgram_qlen - INTEGER 3818 The maximum length of dgram socket receive queue 3819 3820 Default: 10 3821 3822