Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
1.. SPDX-License-Identifier: GPL-2.0
2
3=========
4IP Sysctl
5=========
6
7/proc/sys/net/ipv4/* Variables
8==============================
9
10ip_forward - BOOLEAN
11 Forward Packets between interfaces.
12
13 This variable is special, its change resets all configuration
14 parameters to their default state (RFC1122 for hosts, RFC1812
15 for routers)
16
17 Possible values:
18
19 - 0 (disabled)
20 - 1 (enabled)
21
22 Default: 0 (disabled)
23
24ip_default_ttl - INTEGER
25 Default value of TTL field (Time To Live) for outgoing (but not
26 forwarded) IP packets. Should be between 1 and 255 inclusive.
27 Default: 64 (as recommended by RFC1700)
28
29ip_no_pmtu_disc - INTEGER
30 Disable Path MTU Discovery. If enabled in mode 1 and a
31 fragmentation-required ICMP is received, the PMTU to this
32 destination will be set to the smallest of the old MTU to
33 this destination and min_pmtu (see below). You will need
34 to raise min_pmtu to the smallest interface MTU on your system
35 manually if you want to avoid locally generated fragments.
36
37 In mode 2 incoming Path MTU Discovery messages will be
38 discarded. Outgoing frames are handled the same as in mode 1,
39 implicitly setting IP_PMTUDISC_DONT on every created socket.
40
41 Mode 3 is a hardened pmtu discover mode. The kernel will only
42 accept fragmentation-needed errors if the underlying protocol
43 can verify them besides a plain socket lookup. Current
44 protocols for which pmtu events will be honored are TCP and
45 SCTP as they verify e.g. the sequence number or the
46 association. This mode should not be enabled globally but is
47 only intended to secure e.g. name servers in namespaces where
48 TCP path mtu must still work but path MTU information of other
49 protocols should be discarded. If enabled globally this mode
50 could break other protocols.
51
52 Possible values: 0-3
53
54 Default: FALSE
55
56min_pmtu - INTEGER
57 default 552 - minimum Path MTU. Unless this is changed manually,
58 each cached pmtu will never be lower than this setting.
59
60ip_forward_use_pmtu - BOOLEAN
61 By default we don't trust protocol path MTUs while forwarding
62 because they could be easily forged and can lead to unwanted
63 fragmentation by the router.
64 You only need to enable this if you have user-space software
65 which tries to discover path mtus by itself and depends on the
66 kernel honoring this information. This is normally not the
67 case.
68
69 Possible values:
70
71 - 0 (disabled)
72 - 1 (enabled)
73
74 Default: 0 (disabled)
75
76fwmark_reflect - BOOLEAN
77 Controls the fwmark of kernel-generated IPv4 reply packets that are not
78 associated with a socket for example, TCP RSTs or ICMP echo replies).
79 If disabled, these packets have a fwmark of zero. If enabled, they have the
80 fwmark of the packet they are replying to.
81
82 Possible values:
83
84 - 0 (disabled)
85 - 1 (enabled)
86
87 Default: 0 (disabled)
88
89fib_multipath_use_neigh - BOOLEAN
90 Use status of existing neighbor entry when determining nexthop for
91 multipath routes. If disabled, neighbor information is not used and
92 packets could be directed to a failed nexthop. Only valid for kernels
93 built with CONFIG_IP_ROUTE_MULTIPATH enabled.
94
95 Possible values:
96
97 - 0 (disabled)
98 - 1 (enabled)
99
100 Default: 0 (disabled)
101
102fib_multipath_hash_policy - INTEGER
103 Controls which hash policy to use for multipath routes. Only valid
104 for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled.
105
106 Default: 0 (Layer 3)
107
108 Possible values:
109
110 - 0 - Layer 3
111 - 1 - Layer 4
112 - 2 - Layer 3 or inner Layer 3 if present
113 - 3 - Custom multipath hash. Fields used for multipath hash calculation
114 are determined by fib_multipath_hash_fields sysctl
115
116fib_multipath_hash_fields - UNSIGNED INTEGER
117 When fib_multipath_hash_policy is set to 3 (custom multipath hash), the
118 fields used for multipath hash calculation are determined by this
119 sysctl.
120
121 This value is a bitmask which enables various fields for multipath hash
122 calculation.
123
124 Possible fields are:
125
126 ====== ============================
127 0x0001 Source IP address
128 0x0002 Destination IP address
129 0x0004 IP protocol
130 0x0008 Unused (Flow Label)
131 0x0010 Source port
132 0x0020 Destination port
133 0x0040 Inner source IP address
134 0x0080 Inner destination IP address
135 0x0100 Inner IP protocol
136 0x0200 Inner Flow Label
137 0x0400 Inner source port
138 0x0800 Inner destination port
139 ====== ============================
140
141 Default: 0x0007 (source IP, destination IP and IP protocol)
142
143fib_multipath_hash_seed - UNSIGNED INTEGER
144 The seed value used when calculating hash for multipath routes. Applies
145 to both IPv4 and IPv6 datapath. Only present for kernels built with
146 CONFIG_IP_ROUTE_MULTIPATH enabled.
147
148 When set to 0, the seed value used for multipath routing defaults to an
149 internal random-generated one.
150
151 The actual hashing algorithm is not specified -- there is no guarantee
152 that a next hop distribution effected by a given seed will keep stable
153 across kernel versions.
154
155 Default: 0 (random)
156
157fib_sync_mem - UNSIGNED INTEGER
158 Amount of dirty memory from fib entries that can be backlogged before
159 synchronize_rcu is forced.
160
161 Default: 512kB Minimum: 64kB Maximum: 64MB
162
163ip_forward_update_priority - INTEGER
164 Whether to update SKB priority from "TOS" field in IPv4 header after it
165 is forwarded. The new SKB priority is mapped from TOS field value
166 according to an rt_tos2priority table (see e.g. man tc-prio).
167
168 Default: 1 (Update priority.)
169
170 Possible values:
171
172 - 0 - Do not update priority.
173 - 1 - Update priority.
174
175route/max_size - INTEGER
176 Maximum number of routes allowed in the kernel. Increase
177 this when using large numbers of interfaces and/or routes.
178
179 From linux kernel 3.6 onwards, this is deprecated for ipv4
180 as route cache is no longer used.
181
182 From linux kernel 6.3 onwards, this is deprecated for ipv6
183 as garbage collection manages cached route entries.
184
185neigh/default/gc_thresh1 - INTEGER
186 Minimum number of entries to keep. Garbage collector will not
187 purge entries if there are fewer than this number.
188
189 Default: 128
190
191neigh/default/gc_thresh2 - INTEGER
192 Threshold when garbage collector becomes more aggressive about
193 purging entries. Entries older than 5 seconds will be cleared
194 when over this number.
195
196 Default: 512
197
198neigh/default/gc_thresh3 - INTEGER
199 Maximum number of non-PERMANENT neighbor entries allowed. Increase
200 this when using large numbers of interfaces and when communicating
201 with large numbers of directly-connected peers.
202
203 Default: 1024
204
205neigh/default/unres_qlen_bytes - INTEGER
206 The maximum number of bytes which may be used by packets
207 queued for each unresolved address by other network layers.
208 (added in linux 3.3)
209
210 Setting negative value is meaningless and will return error.
211
212 Default: SK_WMEM_DEFAULT, (same as net.core.wmem_default).
213
214 Exact value depends on architecture and kernel options,
215 but should be enough to allow queuing 256 packets
216 of medium size.
217
218neigh/default/unres_qlen - INTEGER
219 The maximum number of packets which may be queued for each
220 unresolved address by other network layers.
221
222 (deprecated in linux 3.3) : use unres_qlen_bytes instead.
223
224 Prior to linux 3.3, the default value is 3 which may cause
225 unexpected packet loss. The current default value is calculated
226 according to default value of unres_qlen_bytes and true size of
227 packet.
228
229 Default: 101
230
231neigh/default/interval_probe_time_ms - INTEGER
232 The probe interval for neighbor entries with NTF_MANAGED flag,
233 the min value is 1.
234
235 Default: 5000
236
237mtu_expires - INTEGER
238 Time, in seconds, that cached PMTU information is kept.
239
240min_adv_mss - INTEGER
241 The advertised MSS depends on the first hop route MTU, but will
242 never be lower than this setting.
243
244fib_notify_on_flag_change - INTEGER
245 Whether to emit RTM_NEWROUTE notifications whenever RTM_F_OFFLOAD/
246 RTM_F_TRAP/RTM_F_OFFLOAD_FAILED flags are changed.
247
248 After installing a route to the kernel, user space receives an
249 acknowledgment, which means the route was installed in the kernel,
250 but not necessarily in hardware.
251 It is also possible for a route already installed in hardware to change
252 its action and therefore its flags. For example, a host route that is
253 trapping packets can be "promoted" to perform decapsulation following
254 the installation of an IPinIP/VXLAN tunnel.
255 The notifications will indicate to user-space the state of the route.
256
257 Default: 0 (Do not emit notifications.)
258
259 Possible values:
260
261 - 0 - Do not emit notifications.
262 - 1 - Emit notifications.
263 - 2 - Emit notifications only for RTM_F_OFFLOAD_FAILED flag change.
264
265IP Fragmentation:
266
267ipfrag_high_thresh - LONG INTEGER
268 Maximum memory used to reassemble IP fragments.
269
270ipfrag_low_thresh - LONG INTEGER
271 (Obsolete since linux-4.17)
272 Maximum memory used to reassemble IP fragments before the kernel
273 begins to remove incomplete fragment queues to free up resources.
274 The kernel still accepts new fragments for defragmentation.
275
276ipfrag_time - INTEGER
277 Time in seconds to keep an IP fragment in memory.
278
279ipfrag_max_dist - INTEGER
280 ipfrag_max_dist is a non-negative integer value which defines the
281 maximum "disorder" which is allowed among fragments which share a
282 common IP source address. Note that reordering of packets is
283 not unusual, but if a large number of fragments arrive from a source
284 IP address while a particular fragment queue remains incomplete, it
285 probably indicates that one or more fragments belonging to that queue
286 have been lost. When ipfrag_max_dist is positive, an additional check
287 is done on fragments before they are added to a reassembly queue - if
288 ipfrag_max_dist (or more) fragments have arrived from a particular IP
289 address between additions to any IP fragment queue using that source
290 address, it's presumed that one or more fragments in the queue are
291 lost. The existing fragment queue will be dropped, and a new one
292 started. An ipfrag_max_dist value of zero disables this check.
293
294 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
295 result in unnecessarily dropping fragment queues when normal
296 reordering of packets occurs, which could lead to poor application
297 performance. Using a very large value, e.g. 50000, increases the
298 likelihood of incorrectly reassembling IP fragments that originate
299 from different IP datagrams, which could result in data corruption.
300 Default: 64
301
302bc_forwarding - INTEGER
303 bc_forwarding enables the feature described in rfc1812#section-5.3.5.2
304 and rfc2644. It allows the router to forward directed broadcast.
305 To enable this feature, the 'all' entry and the input interface entry
306 should be set to 1.
307 Default: 0
308
309INET peer storage
310=================
311
312inet_peer_threshold - INTEGER
313 The approximate size of the storage. Starting from this threshold
314 entries will be thrown aggressively. This threshold also determines
315 entries' time-to-live and time intervals between garbage collection
316 passes. More entries, less time-to-live, less GC interval.
317
318inet_peer_minttl - INTEGER
319 Minimum time-to-live of entries. Should be enough to cover fragment
320 time-to-live on the reassembling side. This minimum time-to-live is
321 guaranteed if the pool size is less than inet_peer_threshold.
322 Measured in seconds.
323
324inet_peer_maxttl - INTEGER
325 Maximum time-to-live of entries. Unused entries will expire after
326 this period of time if there is no memory pressure on the pool (i.e.
327 when the number of entries in the pool is very small).
328 Measured in seconds.
329
330TCP variables
331=============
332
333somaxconn - INTEGER
334 Limit of socket listen() backlog, known in userspace as SOMAXCONN.
335 Defaults to 4096. (Was 128 before linux-5.4)
336 See also tcp_max_syn_backlog for additional tuning for TCP sockets.
337
338tcp_abort_on_overflow - BOOLEAN
339 If listening service is too slow to accept new connections,
340 reset them. Default state is FALSE. It means that if overflow
341 occurred due to a burst, connection will recover. Enable this
342 option _only_ if you are really sure that listening daemon
343 cannot be tuned to accept connections faster. Enabling this
344 option can harm clients of your server.
345
346tcp_adv_win_scale - INTEGER
347 Obsolete since linux-6.6
348 Count buffering overhead as bytes/2^tcp_adv_win_scale
349 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
350 if it is <= 0.
351
352 Possible values are [-31, 31], inclusive.
353
354 Default: 1
355
356tcp_allowed_congestion_control - STRING
357 Show/set the congestion control choices available to non-privileged
358 processes. The list is a subset of those listed in
359 tcp_available_congestion_control.
360
361 Default is "reno" and the default setting (tcp_congestion_control).
362
363tcp_app_win - INTEGER
364 Reserve max(window/2^tcp_app_win, mss) of window for application
365 buffer. Value 0 is special, it means that nothing is reserved.
366
367 Possible values are [0, 31], inclusive.
368
369 Default: 31
370
371tcp_autocorking - BOOLEAN
372 Enable TCP auto corking :
373 When applications do consecutive small write()/sendmsg() system calls,
374 we try to coalesce these small writes as much as possible, to lower
375 total amount of sent packets. This is done if at least one prior
376 packet for the flow is waiting in Qdisc queues or device transmit
377 queue. Applications can still use TCP_CORK for optimal behavior
378 when they know how/when to uncork their sockets.
379
380 Possible values:
381
382 - 0 (disabled)
383 - 1 (enabled)
384
385 Default: 1 (enabled)
386
387tcp_available_congestion_control - STRING
388 Shows the available congestion control choices that are registered.
389 More congestion control algorithms may be available as modules,
390 but not loaded.
391
392tcp_base_mss - INTEGER
393 The initial value of search_low to be used by the packetization layer
394 Path MTU discovery (MTU probing). If MTU probing is enabled,
395 this is the initial MSS used by the connection.
396
397tcp_mtu_probe_floor - INTEGER
398 If MTU probing is enabled this caps the minimum MSS used for search_low
399 for the connection.
400
401 Default : 48
402
403tcp_min_snd_mss - INTEGER
404 TCP SYN and SYNACK messages usually advertise an ADVMSS option,
405 as described in RFC 1122 and RFC 6691.
406
407 If this ADVMSS option is smaller than tcp_min_snd_mss,
408 it is silently capped to tcp_min_snd_mss.
409
410 Default : 48 (at least 8 bytes of payload per segment)
411
412tcp_congestion_control - STRING
413 Set the congestion control algorithm to be used for new
414 connections. The algorithm "reno" is always available, but
415 additional choices may be available based on kernel configuration.
416 Default is set as part of kernel configuration.
417 For passive connections, the listener congestion control choice
418 is inherited.
419
420 [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ]
421
422tcp_dsack - BOOLEAN
423 Allows TCP to send "duplicate" SACKs.
424
425 Possible values:
426
427 - 0 (disabled)
428 - 1 (enabled)
429
430 Default: 1 (enabled)
431
432tcp_early_retrans - INTEGER
433 Tail loss probe (TLP) converts RTOs occurring due to tail
434 losses into fast recovery (RFC8985). Note that
435 TLP requires RACK to function properly (see tcp_recovery below)
436
437 Possible values:
438
439 - 0 disables TLP
440 - 3 or 4 enables TLP
441
442 Default: 3
443
444tcp_ecn - INTEGER
445 Control use of Explicit Congestion Notification (ECN) by TCP.
446 ECN is used only when both ends of the TCP connection indicate support
447 for it. This feature is useful in avoiding losses due to congestion by
448 allowing supporting routers to signal congestion before having to drop
449 packets. A host that supports ECN both sends ECN at the IP layer and
450 feeds back ECN at the TCP layer. The highest variant of ECN feedback
451 that both peers support is chosen by the ECN negotiation (Accurate ECN,
452 ECN, or no ECN).
453
454 The highest negotiated variant for incoming connection requests
455 and the highest variant requested by outgoing connection
456 attempts:
457
458 ===== ==================== ====================
459 Value Incoming connections Outgoing connections
460 ===== ==================== ====================
461 0 No ECN No ECN
462 1 ECN ECN
463 2 ECN No ECN
464 3 AccECN AccECN
465 4 AccECN ECN
466 5 AccECN No ECN
467 ===== ==================== ====================
468
469 Default: 2
470
471tcp_ecn_option - INTEGER
472 Control Accurate ECN (AccECN) option sending when AccECN has been
473 successfully negotiated during handshake. Send logic inhibits
474 sending AccECN options regarless of this setting when no AccECN
475 option has been seen for the reverse direction.
476
477 Possible values are:
478
479 = ============================================================
480 0 Never send AccECN option. This also disables sending AccECN
481 option in SYN/ACK during handshake.
482 1 Send AccECN option sparingly according to the minimum option
483 rules outlined in draft-ietf-tcpm-accurate-ecn.
484 2 Send AccECN option on every packet whenever it fits into TCP
485 option space.
486 = ============================================================
487
488 Default: 2
489
490tcp_ecn_option_beacon - INTEGER
491 Control Accurate ECN (AccECN) option sending frequency per RTT and it
492 takes effect only when tcp_ecn_option is set to 2.
493
494 Default: 3 (AccECN will be send at least 3 times per RTT)
495
496tcp_ecn_fallback - BOOLEAN
497 If the kernel detects that ECN connection misbehaves, enable fall
498 back to non-ECN. Currently, this knob implements the fallback
499 from RFC3168, section 6.1.1.1., but we reserve that in future,
500 additional detection mechanisms could be implemented under this
501 knob. The value is not used, if tcp_ecn or per route (or congestion
502 control) ECN settings are disabled.
503
504 Possible values:
505
506 - 0 (disabled)
507 - 1 (enabled)
508
509 Default: 1 (enabled)
510
511tcp_fack - BOOLEAN
512 This is a legacy option, it has no effect anymore.
513
514tcp_fin_timeout - INTEGER
515 The length of time an orphaned (no longer referenced by any
516 application) connection will remain in the FIN_WAIT_2 state
517 before it is aborted at the local end. While a perfectly
518 valid "receive only" state for an un-orphaned connection, an
519 orphaned connection in FIN_WAIT_2 state could otherwise wait
520 forever for the remote to close its end of the connection.
521
522 Cf. tcp_max_orphans
523
524 Default: 60 seconds
525
526tcp_frto - INTEGER
527 Enables Forward RTO-Recovery (F-RTO) defined in RFC5682.
528 F-RTO is an enhanced recovery algorithm for TCP retransmission
529 timeouts. It is particularly beneficial in networks where the
530 RTT fluctuates (e.g., wireless). F-RTO is sender-side only
531 modification. It does not require any support from the peer.
532
533 By default it's enabled with a non-zero value. 0 disables F-RTO.
534
535tcp_fwmark_accept - BOOLEAN
536 If enabled, incoming connections to listening sockets that do not have a
537 socket mark will set the mark of the accepting socket to the fwmark of
538 the incoming SYN packet. This will cause all packets on that connection
539 (starting from the first SYNACK) to be sent with that fwmark. The
540 listening socket's mark is unchanged. Listening sockets that already
541 have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are
542 unaffected.
543
544 Possible values:
545
546 - 0 (disabled)
547 - 1 (enabled)
548
549 Default: 0 (disabled)
550
551tcp_invalid_ratelimit - INTEGER
552 Limit the maximal rate for sending duplicate acknowledgments
553 in response to incoming TCP packets that are for an existing
554 connection but that are invalid due to any of these reasons:
555
556 (a) out-of-window sequence number,
557 (b) out-of-window acknowledgment number, or
558 (c) PAWS (Protection Against Wrapped Sequence numbers) check failure
559
560 This can help mitigate simple "ack loop" DoS attacks, wherein
561 a buggy or malicious middlebox or man-in-the-middle can
562 rewrite TCP header fields in manner that causes each endpoint
563 to think that the other is sending invalid TCP segments, thus
564 causing each side to send an unterminating stream of duplicate
565 acknowledgments for invalid segments.
566
567 Using 0 disables rate-limiting of dupacks in response to
568 invalid segments; otherwise this value specifies the minimal
569 space between sending such dupacks, in milliseconds.
570
571 Default: 500 (milliseconds).
572
573tcp_keepalive_time - INTEGER
574 How often TCP sends out keepalive messages when keepalive is enabled.
575 Default: 2hours.
576
577tcp_keepalive_probes - INTEGER
578 How many keepalive probes TCP sends out, until it decides that the
579 connection is broken. Default value: 9.
580
581tcp_keepalive_intvl - INTEGER
582 How frequently the probes are send out. Multiplied by
583 tcp_keepalive_probes it is time to kill not responding connection,
584 after probes started. Default value: 75sec i.e. connection
585 will be aborted after ~11 minutes of retries.
586
587tcp_l3mdev_accept - BOOLEAN
588 Enables child sockets to inherit the L3 master device index.
589 Enabling this option allows a "global" listen socket to work
590 across L3 master domains (e.g., VRFs) with connected sockets
591 derived from the listen socket to be bound to the L3 domain in
592 which the packets originated. Only valid when the kernel was
593 compiled with CONFIG_NET_L3_MASTER_DEV.
594
595 Possible values:
596
597 - 0 (disabled)
598 - 1 (enabled)
599
600 Default: 0 (disabled)
601
602tcp_low_latency - BOOLEAN
603 This is a legacy option, it has no effect anymore.
604
605tcp_max_orphans - INTEGER
606 Maximal number of TCP sockets not attached to any user file handle,
607 held by system. If this number is exceeded orphaned connections are
608 reset immediately and warning is printed. This limit exists
609 only to prevent simple DoS attacks, you _must_ not rely on this
610 or lower the limit artificially, but rather increase it
611 (probably, after increasing installed memory),
612 if network conditions require more than default value,
613 and tune network services to linger and kill such states
614 more aggressively. Let me to remind again: each orphan eats
615 up to ~64K of unswappable memory.
616
617tcp_max_syn_backlog - INTEGER
618 Maximal number of remembered connection requests (SYN_RECV),
619 which have not received an acknowledgment from connecting client.
620
621 This is a per-listener limit.
622
623 The minimal value is 128 for low memory machines, and it will
624 increase in proportion to the memory of machine.
625
626 If server suffers from overload, try increasing this number.
627
628 Remember to also check /proc/sys/net/core/somaxconn
629 A SYN_RECV request socket consumes about 304 bytes of memory.
630
631tcp_max_tw_buckets - INTEGER
632 Maximal number of timewait sockets held by system simultaneously.
633 If this number is exceeded time-wait socket is immediately destroyed
634 and warning is printed. This limit exists only to prevent
635 simple DoS attacks, you _must_ not lower the limit artificially,
636 but rather increase it (probably, after increasing installed memory),
637 if network conditions require more than default value.
638
639tcp_mem - vector of 3 INTEGERs: min, pressure, max
640 min: below this number of pages TCP is not bothered about its
641 memory appetite.
642
643 pressure: when amount of memory allocated by TCP exceeds this number
644 of pages, TCP moderates its memory consumption and enters memory
645 pressure mode, which is exited when memory consumption falls
646 under "min".
647
648 max: number of pages allowed for queueing by all TCP sockets.
649
650 Defaults are calculated at boot time from amount of available
651 memory.
652
653tcp_min_rtt_wlen - INTEGER
654 The window length of the windowed min filter to track the minimum RTT.
655 A shorter window lets a flow more quickly pick up new (higher)
656 minimum RTT when it is moved to a longer path (e.g., due to traffic
657 engineering). A longer window makes the filter more resistant to RTT
658 inflations such as transient congestion. The unit is seconds.
659
660 Possible values: 0 - 86400 (1 day)
661
662 Default: 300
663
664tcp_moderate_rcvbuf - BOOLEAN
665 If enabled, TCP performs receive buffer auto-tuning, attempting to
666 automatically size the buffer (no greater than tcp_rmem[2]) to
667 match the size required by the path for full throughput.
668
669 Possible values:
670
671 - 0 (disabled)
672 - 1 (enabled)
673
674 Default: 1 (enabled)
675
676tcp_rcvbuf_low_rtt - INTEGER
677 rcvbuf autotuning can over estimate final socket rcvbuf, which
678 can lead to cache trashing for high throughput flows.
679
680 For small RTT flows (below tcp_rcvbuf_low_rtt usecs), we can relax
681 rcvbuf growth: Few additional ms to reach the final (and smaller)
682 rcvbuf is a good tradeoff.
683
684 Default : 1000 (1 ms)
685
686tcp_mtu_probing - INTEGER
687 Controls TCP Packetization-Layer Path MTU Discovery. Takes three
688 values:
689
690 - 0 - Disabled
691 - 1 - Disabled by default, enabled when an ICMP black hole detected
692 - 2 - Always enabled, use initial MSS of tcp_base_mss.
693
694tcp_probe_interval - UNSIGNED INTEGER
695 Controls how often to start TCP Packetization-Layer Path MTU
696 Discovery reprobe. The default is reprobing every 10 minutes as
697 per RFC4821.
698
699tcp_probe_threshold - INTEGER
700 Controls when TCP Packetization-Layer Path MTU Discovery probing
701 will stop in respect to the width of search range in bytes. Default
702 is 8 bytes.
703
704tcp_no_metrics_save - BOOLEAN
705 By default, TCP saves various connection metrics in the route cache
706 when the connection closes, so that connections established in the
707 near future can use these to set initial conditions. Usually, this
708 increases overall performance, but may sometimes cause performance
709 degradation. If enabled, TCP will not cache metrics on closing
710 connections.
711
712 Possible values:
713
714 - 0 (disabled)
715 - 1 (enabled)
716
717 Default: 0 (disabled)
718
719tcp_no_ssthresh_metrics_save - BOOLEAN
720 Controls whether TCP saves ssthresh metrics in the route cache.
721 If enabled, ssthresh metrics are disabled.
722
723 Possible values:
724
725 - 0 (disabled)
726 - 1 (enabled)
727
728 Default: 1 (enabled)
729
730tcp_orphan_retries - INTEGER
731 This value influences the timeout of a locally closed TCP connection,
732 when RTO retransmissions remain unacknowledged.
733 See tcp_retries2 for more details.
734
735 The default value is 8.
736
737 If your machine is a loaded WEB server,
738 you should think about lowering this value, such sockets
739 may consume significant resources. Cf. tcp_max_orphans.
740
741tcp_recovery - INTEGER
742 This value is a bitmap to enable various experimental loss recovery
743 features.
744
745 ========= =============================================================
746 RACK: 0x1 enables RACK loss detection, for fast detection of lost
747 retransmissions and tail drops, and resilience to
748 reordering. currently, setting this bit to 0 has no
749 effect, since RACK is the only supported loss detection
750 algorithm.
751
752 RACK: 0x2 makes RACK's reordering window static (min_rtt/4).
753
754 RACK: 0x4 disables RACK's DUPACK threshold heuristic
755 ========= =============================================================
756
757 Default: 0x1
758
759tcp_reflect_tos - BOOLEAN
760 For listening sockets, reuse the DSCP value of the initial SYN message
761 for outgoing packets. This allows to have both directions of a TCP
762 stream to use the same DSCP value, assuming DSCP remains unchanged for
763 the lifetime of the connection.
764
765 This options affects both IPv4 and IPv6.
766
767 Possible values:
768
769 - 0 (disabled)
770 - 1 (enabled)
771
772 Default: 0 (disabled)
773
774tcp_reordering - INTEGER
775 Initial reordering level of packets in a TCP stream.
776 TCP stack can then dynamically adjust flow reordering level
777 between this initial value and tcp_max_reordering
778
779 Default: 3
780
781tcp_max_reordering - INTEGER
782 Maximal reordering level of packets in a TCP stream.
783 300 is a fairly conservative value, but you might increase it
784 if paths are using per packet load balancing (like bonding rr mode)
785
786 Default: 300
787
788tcp_retrans_collapse - BOOLEAN
789 Bug-to-bug compatibility with some broken printers.
790 On retransmit try to send bigger packets to work around bugs in
791 certain TCP stacks.
792
793 Possible values:
794
795 - 0 (disabled)
796 - 1 (enabled)
797
798 Default: 1 (enabled)
799
800tcp_retries1 - INTEGER
801 This value influences the time, after which TCP decides, that
802 something is wrong due to unacknowledged RTO retransmissions,
803 and reports this suspicion to the network layer.
804 See tcp_retries2 for more details.
805
806 RFC 1122 recommends at least 3 retransmissions, which is the
807 default.
808
809tcp_retries2 - INTEGER
810 This value influences the timeout of an alive TCP connection,
811 when RTO retransmissions remain unacknowledged.
812 Given a value of N, a hypothetical TCP connection following
813 exponential backoff with an initial RTO of TCP_RTO_MIN would
814 retransmit N times before killing the connection at the (N+1)th RTO.
815
816 The default value of 15 yields a hypothetical timeout of 924.6
817 seconds and is a lower bound for the effective timeout.
818 TCP will effectively time out at the first RTO which exceeds the
819 hypothetical timeout.
820 If tcp_rto_max_ms is decreased, it is recommended to also
821 change tcp_retries2.
822
823 RFC 1122 recommends at least 100 seconds for the timeout,
824 which corresponds to a value of at least 8.
825
826tcp_rfc1337 - BOOLEAN
827 If enabled, the TCP stack behaves conforming to RFC1337. If unset,
828 we are not conforming to RFC, but prevent TCP TIME_WAIT
829 assassination.
830
831 Possible values:
832
833 - 0 (disabled)
834 - 1 (enabled)
835
836 Default: 0 (disabled)
837
838tcp_rmem - vector of 3 INTEGERs: min, default, max
839 min: Minimal size of receive buffer used by TCP sockets.
840 It is guaranteed to each TCP socket, even under moderate memory
841 pressure.
842
843 Default: 4K
844
845 default: initial size of receive buffer used by TCP sockets.
846 This value overrides net.core.rmem_default used by other protocols.
847 Default: 131072 bytes.
848 This value results in initial window of 65535.
849
850 max: maximal size of receive buffer allowed for automatically
851 selected receiver buffers for TCP socket.
852 Calling setsockopt() with SO_RCVBUF disables
853 automatic tuning of that socket's receive buffer size, in which
854 case this value is ignored.
855 Default: between 131072 and 32MB, depending on RAM size.
856
857tcp_sack - BOOLEAN
858 Enable select acknowledgments (SACKS).
859
860 Possible values:
861
862 - 0 (disabled)
863 - 1 (enabled)
864
865 Default: 1 (enabled)
866
867tcp_comp_sack_rtt_percent - INTEGER
868 Percentage of SRTT used for the compressed SACK feature.
869 See tcp_comp_sack_nr, tcp_comp_sack_delay_ns, tcp_comp_sack_slack_ns.
870
871 Possible values : 1 - 1000
872
873 Default : 33 %
874
875tcp_comp_sack_delay_ns - LONG INTEGER
876 TCP tries to reduce number of SACK sent, using a timer based
877 on tcp_comp_sack_rtt_percent of SRTT, capped by this sysctl
878 in nano seconds.
879 The default is 1ms, based on TSO autosizing period.
880
881 Default : 1,000,000 ns (1 ms)
882
883tcp_comp_sack_slack_ns - LONG INTEGER
884 This sysctl control the slack used when arming the
885 timer used by SACK compression. This gives extra time
886 for small RTT flows, and reduces system overhead by allowing
887 opportunistic reduction of timer interrupts.
888 Too big values might reduce goodput.
889
890 Default : 10,000 ns (10 us)
891
892tcp_comp_sack_nr - INTEGER
893 Max number of SACK that can be compressed.
894 Using 0 disables SACK compression.
895
896 Default : 44
897
898tcp_backlog_ack_defer - BOOLEAN
899 If enabled, user thread processing socket backlog tries sending
900 one ACK for the whole queue. This helps to avoid potential
901 long latencies at end of a TCP socket syscall.
902
903 Possible values:
904
905 - 0 (disabled)
906 - 1 (enabled)
907
908 Default: 1 (enabled)
909
910tcp_slow_start_after_idle - BOOLEAN
911 If enabled, provide RFC2861 behavior and time out the congestion
912 window after an idle period. An idle period is defined at
913 the current RTO. If unset, the congestion window will not
914 be timed out after an idle period.
915
916 Possible values:
917
918 - 0 (disabled)
919 - 1 (enabled)
920
921 Default: 1 (enabled)
922
923tcp_stdurg - BOOLEAN
924 Use the Host requirements interpretation of the TCP urgent pointer field.
925 Most hosts use the older BSD interpretation, so if enabled,
926 Linux might not communicate correctly with them.
927
928 Possible values:
929
930 - 0 (disabled)
931 - 1 (enabled)
932
933 Default: 0 (disabled)
934
935tcp_synack_retries - INTEGER
936 Number of times SYNACKs for a passive TCP connection attempt will
937 be retransmitted. Should not be higher than 255. Default value
938 is 5, which corresponds to 31seconds till the last retransmission
939 with the current initial RTO of 1second. With this the final timeout
940 for a passive TCP connection will happen after 63seconds.
941
942tcp_syncookies - INTEGER
943 Only valid when the kernel was compiled with CONFIG_SYN_COOKIES
944 Send out syncookies when the syn backlog queue of a socket
945 overflows. This is to prevent against the common 'SYN flood attack'
946 Default: 1
947
948 Note, that syncookies is fallback facility.
949 It MUST NOT be used to help highly loaded servers to stand
950 against legal connection rate. If you see SYN flood warnings
951 in your logs, but investigation shows that they occur
952 because of overload with legal connections, you should tune
953 another parameters until this warning disappear.
954 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
955
956 syncookies seriously violate TCP protocol, do not allow
957 to use TCP extensions, can result in serious degradation
958 of some services (f.e. SMTP relaying), visible not by you,
959 but your clients and relays, contacting you. While you see
960 SYN flood warnings in logs not being really flooded, your server
961 is seriously misconfigured.
962
963 If you want to test which effects syncookies have to your
964 network connections you can set this knob to 2 to enable
965 unconditionally generation of syncookies.
966
967tcp_migrate_req - BOOLEAN
968 The incoming connection is tied to a specific listening socket when
969 the initial SYN packet is received during the three-way handshake.
970 When a listener is closed, in-flight request sockets during the
971 handshake and established sockets in the accept queue are aborted.
972
973 If the listener has SO_REUSEPORT enabled, other listeners on the
974 same port should have been able to accept such connections. This
975 option makes it possible to migrate such child sockets to another
976 listener after close() or shutdown().
977
978 The BPF_SK_REUSEPORT_SELECT_OR_MIGRATE type of eBPF program should
979 usually be used to define the policy to pick an alive listener.
980 Otherwise, the kernel will randomly pick an alive listener only if
981 this option is enabled.
982
983 Note that migration between listeners with different settings may
984 crash applications. Let's say migration happens from listener A to
985 B, and only B has TCP_SAVE_SYN enabled. B cannot read SYN data from
986 the requests migrated from A. To avoid such a situation, cancel
987 migration by returning SK_DROP in the type of eBPF program, or
988 disable this option.
989
990 Possible values:
991
992 - 0 (disabled)
993 - 1 (enabled)
994
995 Default: 0 (disabled)
996
997tcp_fastopen - INTEGER
998 Enable TCP Fast Open (RFC7413) to send and accept data in the opening
999 SYN packet.
1000
1001 The client support is enabled by flag 0x1 (on by default). The client
1002 then must use sendmsg() or sendto() with the MSG_FASTOPEN flag,
1003 rather than connect() to send data in SYN.
1004
1005 The server support is enabled by flag 0x2 (off by default). Then
1006 either enable for all listeners with another flag (0x400) or
1007 enable individual listeners via TCP_FASTOPEN socket option with
1008 the option value being the length of the syn-data backlog.
1009
1010 The values (bitmap) are
1011
1012 ===== ======== ======================================================
1013 0x1 (client) enables sending data in the opening SYN on the client.
1014 0x2 (server) enables the server support, i.e., allowing data in
1015 a SYN packet to be accepted and passed to the
1016 application before 3-way handshake finishes.
1017 0x4 (client) send data in the opening SYN regardless of cookie
1018 availability and without a cookie option.
1019 0x200 (server) accept data-in-SYN w/o any cookie option present.
1020 0x400 (server) enable all listeners to support Fast Open by
1021 default without explicit TCP_FASTOPEN socket option.
1022 ===== ======== ======================================================
1023
1024 Default: 0x1
1025
1026 Note that additional client or server features are only
1027 effective if the basic support (0x1 and 0x2) are enabled respectively.
1028
1029tcp_fastopen_blackhole_timeout_sec - INTEGER
1030 Initial time period in second to disable Fastopen on active TCP sockets
1031 when a TFO firewall blackhole issue happens.
1032 This time period will grow exponentially when more blackhole issues
1033 get detected right after Fastopen is re-enabled and will reset to
1034 initial value when the blackhole issue goes away.
1035 0 to disable the blackhole detection.
1036
1037 By default, it is set to 0 (feature is disabled).
1038
1039tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
1040 The list consists of a primary key and an optional backup key. The
1041 primary key is used for both creating and validating cookies, while the
1042 optional backup key is only used for validating cookies. The purpose of
1043 the backup key is to maximize TFO validation when keys are rotated.
1044
1045 A randomly chosen primary key may be configured by the kernel if
1046 the tcp_fastopen sysctl is set to 0x400 (see above), or if the
1047 TCP_FASTOPEN setsockopt() optname is set and a key has not been
1048 previously configured via sysctl. If keys are configured via
1049 setsockopt() by using the TCP_FASTOPEN_KEY optname, then those
1050 per-socket keys will be used instead of any keys that are specified via
1051 sysctl.
1052
1053 A key is specified as 4 8-digit hexadecimal integers which are separated
1054 by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be
1055 omitted. A primary and a backup key may be specified by separating them
1056 by a comma. If only one key is specified, it becomes the primary key and
1057 any previously configured backup keys are removed.
1058
1059tcp_syn_retries - INTEGER
1060 Number of times initial SYNs for an active TCP connection attempt
1061 will be retransmitted. Should not be higher than 127. Default value
1062 is 6, which corresponds to 67seconds (with tcp_syn_linear_timeouts = 4)
1063 till the last retransmission with the current initial RTO of 1second.
1064 With this the final timeout for an active TCP connection attempt
1065 will happen after 131seconds.
1066
1067tcp_timestamps - INTEGER
1068 Enable timestamps as defined in RFC1323.
1069
1070 - 0: Disabled.
1071 - 1: Enable timestamps as defined in RFC1323 and use random offset for
1072 each connection rather than only using the current time.
1073 - 2: Like 1, but without random offsets.
1074
1075 Default: 1
1076
1077tcp_min_tso_segs - INTEGER
1078 Minimal number of segments per TSO frame.
1079
1080 Since linux-3.12, TCP does an automatic sizing of TSO frames,
1081 depending on flow rate, instead of filling 64Kbytes packets.
1082 For specific usages, it's possible to force TCP to build big
1083 TSO frames. Note that TCP stack might split too big TSO packets
1084 if available window is too small.
1085
1086 Default: 2
1087
1088tcp_tso_rtt_log - INTEGER
1089 Adjustment of TSO packet sizes based on min_rtt
1090
1091 Starting from linux-5.18, TCP autosizing can be tweaked
1092 for flows having small RTT.
1093
1094 Old autosizing was splitting the pacing budget to send 1024 TSO
1095 per second.
1096
1097 tso_packet_size = sk->sk_pacing_rate / 1024;
1098
1099 With the new mechanism, we increase this TSO sizing using:
1100
1101 distance = min_rtt_usec / (2^tcp_tso_rtt_log)
1102 tso_packet_size += gso_max_size >> distance;
1103
1104 This means that flows between very close hosts can use bigger
1105 TSO packets, reducing their cpu costs.
1106
1107 If you want to use the old autosizing, set this sysctl to 0.
1108
1109 Default: 9 (2^9 = 512 usec)
1110
1111tcp_pacing_ss_ratio - INTEGER
1112 sk->sk_pacing_rate is set by TCP stack using a ratio applied
1113 to current rate. (current_rate = cwnd * mss / srtt)
1114 If TCP is in slow start, tcp_pacing_ss_ratio is applied
1115 to let TCP probe for bigger speeds, assuming cwnd can be
1116 doubled every other RTT.
1117
1118 Default: 200
1119
1120tcp_pacing_ca_ratio - INTEGER
1121 sk->sk_pacing_rate is set by TCP stack using a ratio applied
1122 to current rate. (current_rate = cwnd * mss / srtt)
1123 If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio
1124 is applied to conservatively probe for bigger throughput.
1125
1126 Default: 120
1127
1128tcp_syn_linear_timeouts - INTEGER
1129 The number of times for an active TCP connection to retransmit SYNs with
1130 a linear backoff timeout before defaulting to an exponential backoff
1131 timeout. This has no effect on SYNACK at the passive TCP side.
1132
1133 With an initial RTO of 1 and tcp_syn_linear_timeouts = 4 we would
1134 expect SYN RTOs to be: 1, 1, 1, 1, 1, 2, 4, ... (4 linear timeouts,
1135 and the first exponential backoff using 2^0 * initial_RTO).
1136 Default: 4
1137
1138tcp_tso_win_divisor - INTEGER
1139 This allows control over what percentage of the congestion window
1140 can be consumed by a single TSO frame.
1141 The setting of this parameter is a choice between burstiness and
1142 building larger TSO frames.
1143
1144 Default: 3
1145
1146tcp_tw_reuse - INTEGER
1147 Enable reuse of TIME-WAIT sockets for new connections when it is
1148 safe from protocol viewpoint.
1149
1150 - 0 - disable
1151 - 1 - global enable
1152 - 2 - enable for loopback traffic only
1153
1154 It should not be changed without advice/request of technical
1155 experts.
1156
1157 Default: 2
1158
1159tcp_tw_reuse_delay - UNSIGNED INTEGER
1160 The delay in milliseconds before a TIME-WAIT socket can be reused by a
1161 new connection, if TIME-WAIT socket reuse is enabled. The actual reuse
1162 threshold is within [N, N+1] range, where N is the requested delay in
1163 milliseconds, to ensure the delay interval is never shorter than the
1164 configured value.
1165
1166 This setting contains an assumption about the other TCP timestamp clock
1167 tick interval. It should not be set to a value lower than the peer's
1168 clock tick for PAWS (Protection Against Wrapped Sequence numbers)
1169 mechanism work correctly for the reused connection.
1170
1171 Default: 1000 (milliseconds)
1172
1173tcp_window_scaling - BOOLEAN
1174 Enable window scaling as defined in RFC1323.
1175
1176 Possible values:
1177
1178 - 0 (disabled)
1179 - 1 (enabled)
1180
1181 Default: 1 (enabled)
1182
1183tcp_shrink_window - BOOLEAN
1184 This changes how the TCP receive window is calculated.
1185
1186 RFC 7323, section 2.4, says there are instances when a retracted
1187 window can be offered, and that TCP implementations MUST ensure
1188 that they handle a shrinking window, as specified in RFC 1122.
1189
1190 Possible values:
1191
1192 - 0 (disabled) - The window is never shrunk.
1193 - 1 (enabled) - The window is shrunk when necessary to remain within
1194 the memory limit set by autotuning (sk_rcvbuf).
1195 This only occurs if a non-zero receive window
1196 scaling factor is also in effect.
1197
1198 Default: 0 (disabled)
1199
1200tcp_wmem - vector of 3 INTEGERs: min, default, max
1201 min: Amount of memory reserved for send buffers for TCP sockets.
1202 Each TCP socket has rights to use it due to fact of its birth.
1203
1204 Default: 4K
1205
1206 default: initial size of send buffer used by TCP sockets. This
1207 value overrides net.core.wmem_default used by other protocols.
1208
1209 It is usually lower than net.core.wmem_default.
1210
1211 Default: 16K
1212
1213 max: Maximal amount of memory allowed for automatically tuned
1214 send buffers for TCP sockets. This value does not override
1215 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables
1216 automatic tuning of that socket's send buffer size, in which case
1217 this value is ignored.
1218
1219 Default: between 64K and 4MB, depending on RAM size.
1220
1221tcp_notsent_lowat - UNSIGNED INTEGER
1222 A TCP socket can control the amount of unsent bytes in its write queue,
1223 thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll()
1224 reports POLLOUT events if the amount of unsent bytes is below a per
1225 socket value, and if the write queue is not full. sendmsg() will
1226 also not add new buffers if the limit is hit.
1227
1228 This global variable controls the amount of unsent data for
1229 sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change
1230 to the global variable has immediate effect.
1231
1232 Default: UINT_MAX (0xFFFFFFFF)
1233
1234tcp_workaround_signed_windows - BOOLEAN
1235 If enabled, assume no receipt of a window scaling option means the
1236 remote TCP is broken and treats the window as a signed quantity.
1237 If disabled, assume the remote TCP is not broken even if we do
1238 not receive a window scaling option from them.
1239
1240 Possible values:
1241
1242 - 0 (disabled)
1243 - 1 (enabled)
1244
1245 Default: 0 (disabled)
1246
1247tcp_thin_linear_timeouts - BOOLEAN
1248 Enable dynamic triggering of linear timeouts for thin streams.
1249 If enabled, a check is performed upon retransmission by timeout to
1250 determine if the stream is thin (less than 4 packets in flight).
1251 As long as the stream is found to be thin, up to 6 linear
1252 timeouts may be performed before exponential backoff mode is
1253 initiated. This improves retransmission latency for
1254 non-aggressive thin streams, often found to be time-dependent.
1255 For more information on thin streams, see
1256 Documentation/networking/tcp-thin.rst
1257
1258 Possible values:
1259
1260 - 0 (disabled)
1261 - 1 (enabled)
1262
1263 Default: 0 (disabled)
1264
1265tcp_limit_output_bytes - INTEGER
1266 Controls TCP Small Queue limit per tcp socket.
1267 TCP bulk sender tends to increase packets in flight until it
1268 gets losses notifications. With SNDBUF autotuning, this can
1269 result in a large amount of packets queued on the local machine
1270 (e.g.: qdiscs, CPU backlog, or device) hurting latency of other
1271 flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes
1272 limits the number of bytes on qdisc or device to reduce artificial
1273 RTT/cwnd and reduce bufferbloat.
1274
1275 Default: 4194304 (4 MB)
1276
1277tcp_challenge_ack_limit - INTEGER
1278 Limits number of Challenge ACK sent per second, as recommended
1279 in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
1280 Note that this per netns rate limit can allow some side channel
1281 attacks and probably should not be enabled.
1282 TCP stack implements per TCP socket limits anyway.
1283 Default: INT_MAX (unlimited)
1284
1285tcp_ehash_entries - INTEGER
1286 Show the number of hash buckets for TCP sockets in the current
1287 networking namespace.
1288
1289 A negative value means the networking namespace does not own its
1290 hash buckets and shares the initial networking namespace's one.
1291
1292tcp_child_ehash_entries - INTEGER
1293 Control the number of hash buckets for TCP sockets in the child
1294 networking namespace, which must be set before clone() or unshare().
1295
1296 If the value is not 0, the kernel uses a value rounded up to 2^n
1297 as the actual hash bucket size. 0 is a special value, meaning
1298 the child networking namespace will share the initial networking
1299 namespace's hash buckets.
1300
1301 Note that the child will use the global one in case the kernel
1302 fails to allocate enough memory. In addition, the global hash
1303 buckets are spread over available NUMA nodes, but the allocation
1304 of the child hash table depends on the current process's NUMA
1305 policy, which could result in performance differences.
1306
1307 Note also that the default value of tcp_max_tw_buckets and
1308 tcp_max_syn_backlog depend on the hash bucket size.
1309
1310 Possible values: 0, 2^n (n: 0 - 24 (16Mi))
1311
1312 Default: 0
1313
1314tcp_plb_enabled - BOOLEAN
1315 If enabled and the underlying congestion control (e.g. DCTCP) supports
1316 and enables PLB feature, TCP PLB (Protective Load Balancing) is
1317 enabled. PLB is described in the following paper:
1318 https://doi.org/10.1145/3544216.3544226. Based on PLB parameters,
1319 upon sensing sustained congestion, TCP triggers a change in
1320 flow label field for outgoing IPv6 packets. A change in flow label
1321 field potentially changes the path of outgoing packets for switches
1322 that use ECMP/WCMP for routing.
1323
1324 PLB changes socket txhash which results in a change in IPv6 Flow Label
1325 field, and currently no-op for IPv4 headers. It is possible
1326 to apply PLB for IPv4 with other network header fields (e.g. TCP
1327 or IPv4 options) or using encapsulation where outer header is used
1328 by switches to determine next hop. In either case, further host
1329 and switch side changes will be needed.
1330
1331 If enabled, PLB assumes that congestion signal (e.g. ECN) is made
1332 available and used by congestion control module to estimate a
1333 congestion measure (e.g. ce_ratio). PLB needs a congestion measure to
1334 make repathing decisions.
1335
1336 Possible values:
1337
1338 - 0 (disabled)
1339 - 1 (enabled)
1340
1341 Default: 0 (disabled)
1342
1343tcp_plb_idle_rehash_rounds - INTEGER
1344 Number of consecutive congested rounds (RTT) seen after which
1345 a rehash can be performed, given there are no packets in flight.
1346 This is referred to as M in PLB paper:
1347 https://doi.org/10.1145/3544216.3544226.
1348
1349 Possible Values: 0 - 31
1350
1351 Default: 3
1352
1353tcp_plb_rehash_rounds - INTEGER
1354 Number of consecutive congested rounds (RTT) seen after which
1355 a forced rehash can be performed. Be careful when setting this
1356 parameter, as a small value increases the risk of retransmissions.
1357 This is referred to as N in PLB paper:
1358 https://doi.org/10.1145/3544216.3544226.
1359
1360 Possible Values: 0 - 31
1361
1362 Default: 12
1363
1364tcp_plb_suspend_rto_sec - INTEGER
1365 Time, in seconds, to suspend PLB in event of an RTO. In order to avoid
1366 having PLB repath onto a connectivity "black hole", after an RTO a TCP
1367 connection suspends PLB repathing for a random duration between 1x and
1368 2x of this parameter. Randomness is added to avoid concurrent rehashing
1369 of multiple TCP connections. This should be set corresponding to the
1370 amount of time it takes to repair a failed link.
1371
1372 Possible Values: 0 - 255
1373
1374 Default: 60
1375
1376tcp_plb_cong_thresh - INTEGER
1377 Fraction of packets marked with congestion over a round (RTT) to
1378 tag that round as congested. This is referred to as K in the PLB paper:
1379 https://doi.org/10.1145/3544216.3544226.
1380
1381 The 0-1 fraction range is mapped to 0-256 range to avoid floating
1382 point operations. For example, 128 means that if at least 50% of
1383 the packets in a round were marked as congested then the round
1384 will be tagged as congested.
1385
1386 Setting threshold to 0 means that PLB repaths every RTT regardless
1387 of congestion. This is not intended behavior for PLB and should be
1388 used only for experimentation purpose.
1389
1390 Possible Values: 0 - 256
1391
1392 Default: 128
1393
1394tcp_pingpong_thresh - INTEGER
1395 The number of estimated data replies sent for estimated incoming data
1396 requests that must happen before TCP considers that a connection is a
1397 "ping-pong" (request-response) connection for which delayed
1398 acknowledgments can provide benefits.
1399
1400 This threshold is 1 by default, but some applications may need a higher
1401 threshold for optimal performance.
1402
1403 Possible Values: 1 - 255
1404
1405 Default: 1
1406
1407tcp_rto_min_us - INTEGER
1408 Minimal TCP retransmission timeout (in microseconds). Note that the
1409 rto_min route option has the highest precedence for configuring this
1410 setting, followed by the TCP_BPF_RTO_MIN and TCP_RTO_MIN_US socket
1411 options, followed by this tcp_rto_min_us sysctl.
1412
1413 The recommended practice is to use a value less or equal to 200000
1414 microseconds.
1415
1416 Possible Values: 1 - INT_MAX
1417
1418 Default: 200000
1419
1420tcp_rto_max_ms - INTEGER
1421 Maximal TCP retransmission timeout (in ms).
1422 Note that TCP_RTO_MAX_MS socket option has higher precedence.
1423
1424 When changing tcp_rto_max_ms, it is important to understand
1425 that tcp_retries2 might need a change.
1426
1427 Possible Values: 1000 - 120,000
1428
1429 Default: 120,000
1430
1431UDP variables
1432=============
1433
1434udp_l3mdev_accept - BOOLEAN
1435 Enabling this option allows a "global" bound socket to work
1436 across L3 master domains (e.g., VRFs) with packets capable of
1437 being received regardless of the L3 domain in which they
1438 originated. Only valid when the kernel was compiled with
1439 CONFIG_NET_L3_MASTER_DEV.
1440
1441 Possible values:
1442
1443 - 0 (disabled)
1444 - 1 (enabled)
1445
1446 Default: 0 (disabled)
1447
1448udp_mem - vector of 3 INTEGERs: min, pressure, max
1449 Number of pages allowed for queueing by all UDP sockets.
1450
1451 min: Number of pages allowed for queueing by all UDP sockets.
1452
1453 pressure: This value was introduced to follow format of tcp_mem.
1454
1455 max: This value was introduced to follow format of tcp_mem.
1456
1457 Default is calculated at boot time from amount of available memory.
1458
1459udp_rmem_min - INTEGER
1460 Minimal size of receive buffer used by UDP sockets in moderation.
1461 Each UDP socket is able to use the size for receiving data, even if
1462 total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
1463
1464 Default: 4K
1465
1466udp_wmem_min - INTEGER
1467 UDP does not have tx memory accounting and this tunable has no effect.
1468
1469udp_hash_entries - INTEGER
1470 Show the number of hash buckets for UDP sockets in the current
1471 networking namespace.
1472
1473 A negative value means the networking namespace does not own its
1474 hash buckets and shares the initial networking namespace's one.
1475
1476udp_child_hash_entries - INTEGER
1477 Control the number of hash buckets for UDP sockets in the child
1478 networking namespace, which must be set before clone() or unshare().
1479
1480 If the value is not 0, the kernel uses a value rounded up to 2^n
1481 as the actual hash bucket size. 0 is a special value, meaning
1482 the child networking namespace will share the initial networking
1483 namespace's hash buckets.
1484
1485 Note that the child will use the global one in case the kernel
1486 fails to allocate enough memory. In addition, the global hash
1487 buckets are spread over available NUMA nodes, but the allocation
1488 of the child hash table depends on the current process's NUMA
1489 policy, which could result in performance differences.
1490
1491 Possible values: 0, 2^n (n: 7 (128) - 16 (64K))
1492
1493 Default: 0
1494
1495
1496RAW variables
1497=============
1498
1499raw_l3mdev_accept - BOOLEAN
1500 Enabling this option allows a "global" bound socket to work
1501 across L3 master domains (e.g., VRFs) with packets capable of
1502 being received regardless of the L3 domain in which they
1503 originated. Only valid when the kernel was compiled with
1504 CONFIG_NET_L3_MASTER_DEV.
1505
1506 Possible values:
1507
1508 - 0 (disabled)
1509 - 1 (enabled)
1510
1511 Default: 1 (enabled)
1512
1513CIPSOv4 Variables
1514=================
1515
1516cipso_cache_enable - BOOLEAN
1517 If enabled, enable additions to and lookups from the CIPSO label mapping
1518 cache. If disabled, additions are ignored and lookups always result in a
1519 miss. However, regardless of the setting the cache is still
1520 invalidated when required when means you can safely toggle this on and
1521 off and the cache will always be "safe".
1522
1523 Possible values:
1524
1525 - 0 (disabled)
1526 - 1 (enabled)
1527
1528 Default: 1 (enabled)
1529
1530cipso_cache_bucket_size - INTEGER
1531 The CIPSO label cache consists of a fixed size hash table with each
1532 hash bucket containing a number of cache entries. This variable limits
1533 the number of entries in each hash bucket; the larger the value is, the
1534 more CIPSO label mappings that can be cached. When the number of
1535 entries in a given hash bucket reaches this limit adding new entries
1536 causes the oldest entry in the bucket to be removed to make room.
1537
1538 Default: 10
1539
1540cipso_rbm_optfmt - BOOLEAN
1541 Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of
1542 the CIPSO draft specification (see Documentation/netlabel for details).
1543 This means that when set the CIPSO tag will be padded with empty
1544 categories in order to make the packet data 32-bit aligned.
1545
1546 Possible values:
1547
1548 - 0 (disabled)
1549 - 1 (enabled)
1550
1551 Default: 0 (disabled)
1552
1553cipso_rbm_strictvalid - BOOLEAN
1554 If enabled, do a very strict check of the CIPSO option when
1555 ip_options_compile() is called. If disabled, relax the checks done during
1556 ip_options_compile(). Either way is "safe" as errors are caught else
1557 where in the CIPSO processing code but setting this to 0 (False) should
1558 result in less work (i.e. it should be faster) but could cause problems
1559 with other implementations that require strict checking.
1560
1561 Possible values:
1562
1563 - 0 (disabled)
1564 - 1 (enabled)
1565
1566 Default: 0 (disabled)
1567
1568IP Variables
1569============
1570
1571ip_local_port_range - 2 INTEGERS
1572 Defines the local port range that is used by TCP and UDP to
1573 choose the local port. The first number is the first, the
1574 second the last local port number.
1575 If possible, it is better these numbers have different parity
1576 (one even and one odd value).
1577 Must be greater than or equal to ip_unprivileged_port_start.
1578 The default values are 32768 and 60999 respectively.
1579
1580ip_local_reserved_ports - list of comma separated ranges
1581 Specify the ports which are reserved for known third-party
1582 applications. These ports will not be used by automatic port
1583 assignments (e.g. when calling connect() or bind() with port
1584 number 0). Explicit port allocation behavior is unchanged.
1585
1586 The format used for both input and output is a comma separated
1587 list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
1588 10). Writing to the file will clear all previously reserved
1589 ports and update the current list with the one given in the
1590 input.
1591
1592 Note that ip_local_port_range and ip_local_reserved_ports
1593 settings are independent and both are considered by the kernel
1594 when determining which ports are available for automatic port
1595 assignments.
1596
1597 You can reserve ports which are not in the current
1598 ip_local_port_range, e.g.::
1599
1600 $ cat /proc/sys/net/ipv4/ip_local_port_range
1601 32000 60999
1602 $ cat /proc/sys/net/ipv4/ip_local_reserved_ports
1603 8080,9148
1604
1605 although this is redundant. However such a setting is useful
1606 if later the port range is changed to a value that will
1607 include the reserved ports. Also keep in mind, that overlapping
1608 of these ranges may affect probability of selecting ephemeral
1609 ports which are right after block of reserved ports.
1610
1611 Default: Empty
1612
1613ip_unprivileged_port_start - INTEGER
1614 This is a per-namespace sysctl. It defines the first
1615 unprivileged port in the network namespace. Privileged ports
1616 require root or CAP_NET_BIND_SERVICE in order to bind to them.
1617 To disable all privileged ports, set this to 0. They must not
1618 overlap with the ip_local_port_range.
1619
1620 Default: 1024
1621
1622ip_nonlocal_bind - BOOLEAN
1623 If enabled, allows processes to bind() to non-local IP addresses,
1624 which can be quite useful - but may break some applications.
1625
1626 Possible values:
1627
1628 - 0 (disabled)
1629 - 1 (enabled)
1630
1631 Default: 0 (disabled)
1632
1633ip_autobind_reuse - BOOLEAN
1634 By default, bind() does not select the ports automatically even if
1635 the new socket and all sockets bound to the port have SO_REUSEADDR.
1636 ip_autobind_reuse allows bind() to reuse the port and this is useful
1637 when you use bind()+connect(), but may break some applications.
1638 The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this
1639 option should only be set by experts.
1640
1641 Possible values:
1642
1643 - 0 (disabled)
1644 - 1 (enabled)
1645
1646 Default: 0 (disabled)
1647
1648ip_dynaddr - INTEGER
1649 If set non-zero, enables support for dynamic addresses.
1650 If set to a non-zero value larger than 1, a kernel log
1651 message will be printed when dynamic address rewriting
1652 occurs.
1653
1654 Default: 0
1655
1656ip_early_demux - BOOLEAN
1657 Optimize input packet processing down to one demux for
1658 certain kinds of local sockets. Currently we only do this
1659 for established TCP and connected UDP sockets.
1660
1661 It may add an additional cost for pure routing workloads that
1662 reduces overall throughput, in such case you should disable it.
1663
1664 Possible values:
1665
1666 - 0 (disabled)
1667 - 1 (enabled)
1668
1669 Default: 1 (enabled)
1670
1671ping_group_range - 2 INTEGERS
1672 Restrict ICMP_PROTO datagram sockets to users in the group range.
1673 The default is "1 0", meaning, that nobody (not even root) may
1674 create ping sockets. Setting it to "100 100" would grant permissions
1675 to the single group. "0 4294967294" would enable it for the world, "100
1676 4294967294" would enable it for the users, but not daemons.
1677
1678tcp_early_demux - BOOLEAN
1679 Enable early demux for established TCP sockets.
1680
1681 Possible values:
1682
1683 - 0 (disabled)
1684 - 1 (enabled)
1685
1686 Default: 1 (enabled)
1687
1688udp_early_demux - BOOLEAN
1689 Enable early demux for connected UDP sockets. Disable this if
1690 your system could experience more unconnected load.
1691
1692 Possible values:
1693
1694 - 0 (disabled)
1695 - 1 (enabled)
1696
1697 Default: 1 (enabled)
1698
1699icmp_echo_ignore_all - BOOLEAN
1700 If enabled, then the kernel will ignore all ICMP ECHO
1701 requests sent to it.
1702
1703 Possible values:
1704
1705 - 0 (disabled)
1706 - 1 (enabled)
1707
1708 Default: 0 (disabled)
1709
1710icmp_echo_enable_probe - BOOLEAN
1711 If enabled, then the kernel will respond to RFC 8335 PROBE
1712 requests sent to it.
1713
1714 Possible values:
1715
1716 - 0 (disabled)
1717 - 1 (enabled)
1718
1719 Default: 0 (disabled)
1720
1721icmp_echo_ignore_broadcasts - BOOLEAN
1722 If enabled, then the kernel will ignore all ICMP ECHO and
1723 TIMESTAMP requests sent to it via broadcast/multicast.
1724
1725 Possible values:
1726
1727 - 0 (disabled)
1728 - 1 (enabled)
1729
1730 Default: 1 (enabled)
1731
1732icmp_ratelimit - INTEGER
1733 Limit the maximal rates for sending ICMP packets whose type matches
1734 icmp_ratemask (see below) to specific targets.
1735 0 to disable any limiting,
1736 otherwise the minimal space between responses in milliseconds.
1737 Note that another sysctl, icmp_msgs_per_sec limits the number
1738 of ICMP packets sent on all targets.
1739
1740 Default: 1000
1741
1742icmp_msgs_per_sec - INTEGER
1743 Limit maximal number of ICMP packets sent per second from this host.
1744 Only messages whose type matches icmp_ratemask (see below) are
1745 controlled by this limit. For security reasons, the precise count
1746 of messages per second is randomized.
1747
1748 Default: 1000
1749
1750icmp_msgs_burst - INTEGER
1751 icmp_msgs_per_sec controls number of ICMP packets sent per second,
1752 while icmp_msgs_burst controls the burst size of these packets.
1753 For security reasons, the precise burst size is randomized.
1754
1755 Default: 50
1756
1757icmp_ratemask - INTEGER
1758 Mask made of ICMP types for which rates are being limited.
1759
1760 Significant bits: IHGFEDCBA9876543210
1761
1762 Default mask: 0000001100000011000 (6168)
1763
1764 Bit definitions (see include/linux/icmp.h):
1765
1766 = =========================
1767 0 Echo Reply
1768 3 Destination Unreachable [1]_
1769 4 Source Quench [1]_
1770 5 Redirect
1771 8 Echo Request
1772 B Time Exceeded [1]_
1773 C Parameter Problem [1]_
1774 D Timestamp Request
1775 E Timestamp Reply
1776 F Info Request
1777 G Info Reply
1778 H Address Mask Request
1779 I Address Mask Reply
1780 = =========================
1781
1782 .. [1] These are rate limited by default (see default mask above)
1783
1784icmp_ignore_bogus_error_responses - BOOLEAN
1785 Some routers violate RFC1122 by sending bogus responses to broadcast
1786 frames. Such violations are normally logged via a kernel warning.
1787 If enabled, the kernel will not give such warnings, which
1788 will avoid log file clutter.
1789
1790 Possible values:
1791
1792 - 0 (disabled)
1793 - 1 (enabled)
1794
1795 Default: 1 (enabled)
1796
1797icmp_errors_use_inbound_ifaddr - BOOLEAN
1798
1799 If disabled, icmp error messages are sent with the primary address of
1800 the exiting interface.
1801
1802 If enabled, the message will be sent with the primary address of
1803 the interface that received the packet that caused the icmp error.
1804 This is the behaviour many network administrators will expect from
1805 a router. And it can make debugging complicated network layouts
1806 much easier.
1807
1808 Note that if no primary address exists for the interface selected,
1809 then the primary address of the first non-loopback interface that
1810 has one will be used regardless of this setting.
1811
1812 Possible values:
1813
1814 - 0 (disabled)
1815 - 1 (enabled)
1816
1817 Default: 0 (disabled)
1818
1819icmp_errors_extension_mask - UNSIGNED INTEGER
1820 Bitmask of ICMP extensions to append to ICMPv4 error messages
1821 ("Destination Unreachable", "Time Exceeded" and "Parameter Problem").
1822 The original datagram is trimmed / padded to 128 bytes in order to be
1823 compatible with applications that do not comply with RFC 4884.
1824
1825 Possible extensions are:
1826
1827 ==== ==============================================================
1828 0x01 Incoming IP interface information according to RFC 5837.
1829 Extension will include the index, IPv4 address (if present),
1830 name and MTU of the IP interface that received the datagram
1831 which elicited the ICMP error.
1832 ==== ==============================================================
1833
1834 Default: 0x00 (no extensions)
1835
1836igmp_max_memberships - INTEGER
1837 Change the maximum number of multicast groups we can subscribe to.
1838 Default: 20
1839
1840 Theoretical maximum value is bounded by having to send a membership
1841 report in a single datagram (i.e. the report can't span multiple
1842 datagrams, or risk confusing the switch and leaving groups you don't
1843 intend to).
1844
1845 The number of supported groups 'M' is bounded by the number of group
1846 report entries you can fit into a single datagram of 65535 bytes.
1847
1848 M = 65536-sizeof (ip header)/(sizeof(Group record))
1849
1850 Group records are variable length, with a minimum of 12 bytes.
1851 So net.ipv4.igmp_max_memberships should not be set higher than:
1852
1853 (65536-24) / 12 = 5459
1854
1855 The value 5459 assumes no IP header options, so in practice
1856 this number may be lower.
1857
1858igmp_max_msf - INTEGER
1859 Maximum number of addresses allowed in the source filter list for a
1860 multicast group.
1861
1862 Default: 10
1863
1864igmp_qrv - INTEGER
1865 Controls the IGMP query robustness variable (see RFC2236 8.1).
1866
1867 Default: 2 (as specified by RFC2236 8.1)
1868
1869 Minimum: 1 (as specified by RFC6636 4.5)
1870
1871force_igmp_version - INTEGER
1872 - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback
1873 allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier
1874 Present timer expires.
1875 - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if
1876 receive IGMPv2/v3 query.
1877 - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive
1878 IGMPv1 query message. Will reply report if receive IGMPv3 query.
1879 - 3 - Enforce to use IGMP version 3. The same react with default 0.
1880
1881 .. note::
1882
1883 this is not the same with force_mld_version because IGMPv3 RFC3376
1884 Security Considerations does not have clear description that we could
1885 ignore other version messages completely as MLDv2 RFC3810. So make
1886 this value as default 0 is recommended.
1887
1888``conf/interface/*``
1889 changes special settings per interface (where
1890 interface" is the name of your network interface)
1891
1892``conf/all/*``
1893 is special, changes the settings for all interfaces
1894
1895log_martians - BOOLEAN
1896 Log packets with impossible addresses to kernel log.
1897 log_martians for the interface will be enabled if at least one of
1898 conf/{all,interface}/log_martians is set to TRUE,
1899 it will be disabled otherwise
1900
1901accept_redirects - BOOLEAN
1902 Accept ICMP redirect messages.
1903 accept_redirects for the interface will be enabled if:
1904
1905 - both conf/{all,interface}/accept_redirects are TRUE in the case
1906 forwarding for the interface is enabled
1907
1908 or
1909
1910 - at least one of conf/{all,interface}/accept_redirects is TRUE in the
1911 case forwarding for the interface is disabled
1912
1913 accept_redirects for the interface will be disabled otherwise
1914
1915 default:
1916
1917 - TRUE (host)
1918 - FALSE (router)
1919
1920forwarding - BOOLEAN
1921 Enable IP forwarding on this interface. This controls whether packets
1922 received _on_ this interface can be forwarded.
1923
1924mc_forwarding - BOOLEAN
1925 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
1926 and a multicast routing daemon is required.
1927 conf/all/mc_forwarding must also be set to TRUE to enable multicast
1928 routing for the interface
1929
1930medium_id - INTEGER
1931 Integer value used to differentiate the devices by the medium they
1932 are attached to. Two devices can have different id values when
1933 the broadcast packets are received only on one of them.
1934 The default value 0 means that the device is the only interface
1935 to its medium, value of -1 means that medium is not known.
1936
1937 Currently, it is used to change the proxy_arp behavior:
1938 the proxy_arp feature is enabled for packets forwarded between
1939 two devices attached to different media.
1940
1941proxy_arp - BOOLEAN
1942 Do proxy arp.
1943
1944 proxy_arp for the interface will be enabled if at least one of
1945 conf/{all,interface}/proxy_arp is set to TRUE,
1946 it will be disabled otherwise
1947
1948proxy_arp_pvlan - BOOLEAN
1949 Private VLAN proxy arp.
1950
1951 Basically allow proxy arp replies back to the same interface
1952 (from which the ARP request/solicitation was received).
1953
1954 This is done to support (ethernet) switch features, like RFC
1955 3069, where the individual ports are NOT allowed to
1956 communicate with each other, but they are allowed to talk to
1957 the upstream router. As described in RFC 3069, it is possible
1958 to allow these hosts to communicate through the upstream
1959 router by proxy_arp'ing. Don't need to be used together with
1960 proxy_arp.
1961
1962 This technology is known by different names:
1963
1964 - In RFC 3069 it is called VLAN Aggregation.
1965 - Cisco and Allied Telesyn call it Private VLAN.
1966 - Hewlett-Packard call it Source-Port filtering or port-isolation.
1967 - Ericsson call it MAC-Forced Forwarding (RFC Draft).
1968
1969proxy_delay - INTEGER
1970 Delay proxy response.
1971
1972 Delay response to a neighbor solicitation when proxy_arp
1973 or proxy_ndp is enabled. A random value between [0, proxy_delay)
1974 will be chosen, setting to zero means reply with no delay.
1975 Value in jiffies. Defaults to 80.
1976
1977shared_media - BOOLEAN
1978 Send(router) or accept(host) RFC1620 shared media redirects.
1979 Overrides secure_redirects.
1980
1981 shared_media for the interface will be enabled if at least one of
1982 conf/{all,interface}/shared_media is set to TRUE,
1983 it will be disabled otherwise
1984
1985 default TRUE
1986
1987secure_redirects - BOOLEAN
1988 Accept ICMP redirect messages only to gateways listed in the
1989 interface's current gateway list. Even if disabled, RFC1122 redirect
1990 rules still apply.
1991
1992 Overridden by shared_media.
1993
1994 secure_redirects for the interface will be enabled if at least one of
1995 conf/{all,interface}/secure_redirects is set to TRUE,
1996 it will be disabled otherwise
1997
1998 default TRUE
1999
2000send_redirects - BOOLEAN
2001 Send redirects, if router.
2002
2003 send_redirects for the interface will be enabled if at least one of
2004 conf/{all,interface}/send_redirects is set to TRUE,
2005 it will be disabled otherwise
2006
2007 Default: TRUE
2008
2009bootp_relay - BOOLEAN
2010 Accept packets with source address 0.b.c.d destined
2011 not to this host as local ones. It is supposed, that
2012 BOOTP relay daemon will catch and forward such packets.
2013 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
2014 for the interface
2015
2016 default FALSE
2017
2018 Not Implemented Yet.
2019
2020accept_source_route - BOOLEAN
2021 Accept packets with SRR option.
2022 conf/all/accept_source_route must also be set to TRUE to accept packets
2023 with SRR option on the interface
2024
2025 default
2026
2027 - TRUE (router)
2028 - FALSE (host)
2029
2030accept_local - BOOLEAN
2031 Accept packets with local source addresses. In combination with
2032 suitable routing, this can be used to direct packets between two
2033 local interfaces over the wire and have them accepted properly.
2034 default FALSE
2035
2036route_localnet - BOOLEAN
2037 Do not consider loopback addresses as martian source or destination
2038 while routing. This enables the use of 127/8 for local routing purposes.
2039
2040 default FALSE
2041
2042rp_filter - INTEGER
2043 - 0 - No source validation.
2044 - 1 - Strict mode as defined in RFC3704 Strict Reverse Path
2045 Each incoming packet is tested against the FIB and if the interface
2046 is not the best reverse path the packet check will fail.
2047 By default failed packets are discarded.
2048 - 2 - Loose mode as defined in RFC3704 Loose Reverse Path
2049 Each incoming packet's source address is also tested against the FIB
2050 and if the source address is not reachable via any interface
2051 the packet check will fail.
2052
2053 Current recommended practice in RFC3704 is to enable strict mode
2054 to prevent IP spoofing from DDos attacks. If using asymmetric routing
2055 or other complicated routing, then loose mode is recommended.
2056
2057 The max value from conf/{all,interface}/rp_filter is used
2058 when doing source validation on the {interface}.
2059
2060 Default value is 0. Note that some distributions enable it
2061 in startup scripts.
2062
2063src_valid_mark - BOOLEAN
2064 - 0 - The fwmark of the packet is not included in reverse path
2065 route lookup. This allows for asymmetric routing configurations
2066 utilizing the fwmark in only one direction, e.g., transparent
2067 proxying.
2068
2069 - 1 - The fwmark of the packet is included in reverse path route
2070 lookup. This permits rp_filter to function when the fwmark is
2071 used for routing traffic in both directions.
2072
2073 This setting also affects the utilization of fmwark when
2074 performing source address selection for ICMP replies, or
2075 determining addresses stored for the IPOPT_TS_TSANDADDR and
2076 IPOPT_RR IP options.
2077
2078 The max value from conf/{all,interface}/src_valid_mark is used.
2079
2080 Default value is 0.
2081
2082arp_filter - BOOLEAN
2083 - 1 - Allows you to have multiple network interfaces on the same
2084 subnet, and have the ARPs for each interface be answered
2085 based on whether or not the kernel would route a packet from
2086 the ARP'd IP out that interface (therefore you must use source
2087 based routing for this to work). In other words it allows control
2088 of which cards (usually 1) will respond to an arp request.
2089
2090 - 0 - (default) The kernel can respond to arp requests with addresses
2091 from other interfaces. This may seem wrong but it usually makes
2092 sense, because it increases the chance of successful communication.
2093 IP addresses are owned by the complete host on Linux, not by
2094 particular interfaces. Only for more complex setups like load-
2095 balancing, does this behaviour cause problems.
2096
2097 arp_filter for the interface will be enabled if at least one of
2098 conf/{all,interface}/arp_filter is set to TRUE,
2099 it will be disabled otherwise
2100
2101arp_announce - INTEGER
2102 Define different restriction levels for announcing the local
2103 source IP address from IP packets in ARP requests sent on
2104 interface:
2105
2106 - 0 - (default) Use any local address, configured on any interface
2107 - 1 - Try to avoid local addresses that are not in the target's
2108 subnet for this interface. This mode is useful when target
2109 hosts reachable via this interface require the source IP
2110 address in ARP requests to be part of their logical network
2111 configured on the receiving interface. When we generate the
2112 request we will check all our subnets that include the
2113 target IP and will preserve the source address if it is from
2114 such subnet. If there is no such subnet we select source
2115 address according to the rules for level 2.
2116 - 2 - Always use the best local address for this target.
2117 In this mode we ignore the source address in the IP packet
2118 and try to select local address that we prefer for talks with
2119 the target host. Such local address is selected by looking
2120 for primary IP addresses on all our subnets on the outgoing
2121 interface that include the target IP address. If no suitable
2122 local address is found we select the first local address
2123 we have on the outgoing interface or on all other interfaces,
2124 with the hope we will receive reply for our request and
2125 even sometimes no matter the source IP address we announce.
2126
2127 The max value from conf/{all,interface}/arp_announce is used.
2128
2129 Increasing the restriction level gives more chance for
2130 receiving answer from the resolved target while decreasing
2131 the level announces more valid sender's information.
2132
2133arp_ignore - INTEGER
2134 Define different modes for sending replies in response to
2135 received ARP requests that resolve local target IP addresses:
2136
2137 - 0 - (default): reply for any local target IP address, configured
2138 on any interface
2139 - 1 - reply only if the target IP address is local address
2140 configured on the incoming interface
2141 - 2 - reply only if the target IP address is local address
2142 configured on the incoming interface and both with the
2143 sender's IP address are part from same subnet on this interface
2144 - 3 - do not reply for local addresses configured with scope host,
2145 only resolutions for global and link addresses are replied
2146 - 4-7 - reserved
2147 - 8 - do not reply for all local addresses
2148
2149 The max value from conf/{all,interface}/arp_ignore is used
2150 when ARP request is received on the {interface}
2151
2152arp_notify - BOOLEAN
2153 Define mode for notification of address and device changes.
2154
2155 == ==========================================================
2156 0 (default): do nothing
2157 1 Generate gratuitous arp requests when device is brought up
2158 or hardware address changes.
2159 == ==========================================================
2160
2161arp_accept - INTEGER
2162 Define behavior for accepting gratuitous ARP (garp) frames from devices
2163 that are not already present in the ARP table:
2164
2165 - 0 - don't create new entries in the ARP table
2166 - 1 - create new entries in the ARP table
2167 - 2 - create new entries only if the source IP address is in the same
2168 subnet as an address configured on the interface that received the
2169 garp message.
2170
2171 Both replies and requests type gratuitous arp will trigger the
2172 ARP table to be updated, if this setting is on.
2173
2174 If the ARP table already contains the IP address of the
2175 gratuitous arp frame, the arp table will be updated regardless
2176 if this setting is on or off.
2177
2178arp_evict_nocarrier - BOOLEAN
2179 Clears the ARP cache on NOCARRIER events. This option is important for
2180 wireless devices where the ARP cache should not be cleared when roaming
2181 between access points on the same network. In most cases this should
2182 remain as the default (1).
2183
2184 Possible values:
2185
2186 - 0 (disabled) - Do not clear ARP cache on NOCARRIER events
2187 - 1 (enabled) - Clear the ARP cache on NOCARRIER events
2188
2189 Default: 1 (enabled)
2190
2191mcast_solicit - INTEGER
2192 The maximum number of multicast probes in INCOMPLETE state,
2193 when the associated hardware address is unknown. Defaults
2194 to 3.
2195
2196ucast_solicit - INTEGER
2197 The maximum number of unicast probes in PROBE state, when
2198 the hardware address is being reconfirmed. Defaults to 3.
2199
2200app_solicit - INTEGER
2201 The maximum number of probes to send to the user space ARP daemon
2202 via netlink before dropping back to multicast probes (see
2203 mcast_resolicit). Defaults to 0.
2204
2205mcast_resolicit - INTEGER
2206 The maximum number of multicast probes after unicast and
2207 app probes in PROBE state. Defaults to 0.
2208
2209disable_policy - BOOLEAN
2210 Disable IPSEC policy (SPD) for this interface
2211
2212 Possible values:
2213
2214 - 0 (disabled)
2215 - 1 (enabled)
2216
2217 Default: 0 (disabled)
2218
2219disable_xfrm - BOOLEAN
2220 Disable IPSEC encryption on this interface, whatever the policy
2221
2222 Possible values:
2223
2224 - 0 (disabled)
2225 - 1 (enabled)
2226
2227 Default: 0 (disabled)
2228
2229igmpv2_unsolicited_report_interval - INTEGER
2230 The interval in milliseconds in which the next unsolicited
2231 IGMPv1 or IGMPv2 report retransmit will take place.
2232
2233 Default: 10000 (10 seconds)
2234
2235igmpv3_unsolicited_report_interval - INTEGER
2236 The interval in milliseconds in which the next unsolicited
2237 IGMPv3 report retransmit will take place.
2238
2239 Default: 1000 (1 seconds)
2240
2241ignore_routes_with_linkdown - BOOLEAN
2242 Ignore routes whose link is down when performing a FIB lookup.
2243
2244 Possible values:
2245
2246 - 0 (disabled)
2247 - 1 (enabled)
2248
2249 Default: 0 (disabled)
2250
2251promote_secondaries - BOOLEAN
2252 When a primary IP address is removed from this interface
2253 promote a corresponding secondary IP address instead of
2254 removing all the corresponding secondary IP addresses.
2255
2256 Possible values:
2257
2258 - 0 (disabled)
2259 - 1 (enabled)
2260
2261 Default: 0 (disabled)
2262
2263drop_unicast_in_l2_multicast - BOOLEAN
2264 Drop any unicast IP packets that are received in link-layer
2265 multicast (or broadcast) frames.
2266
2267 This behavior (for multicast) is actually a SHOULD in RFC
2268 1122, but is disabled by default for compatibility reasons.
2269
2270 Possible values:
2271
2272 - 0 (disabled)
2273 - 1 (enabled)
2274
2275 Default: 0 (disabled)
2276
2277drop_gratuitous_arp - BOOLEAN
2278 Drop all gratuitous ARP frames, for example if there's a known
2279 good ARP proxy on the network and such frames need not be used
2280 (or in the case of 802.11, must not be used to prevent attacks.)
2281
2282 Possible values:
2283
2284 - 0 (disabled)
2285 - 1 (enabled)
2286
2287 Default: 0 (disabled)
2288
2289
2290tag - INTEGER
2291 Allows you to write a number, which can be used as required.
2292
2293 Default value is 0.
2294
2295xfrm4_gc_thresh - INTEGER
2296 (Obsolete since linux-4.14)
2297 The threshold at which we will start garbage collecting for IPv4
2298 destination cache entries. At twice this value the system will
2299 refuse new allocations.
2300
2301igmp_link_local_mcast_reports - BOOLEAN
2302 Enable IGMP reports for link local multicast groups in the
2303 224.0.0.X range.
2304
2305 Default TRUE
2306
2307Alexey Kuznetsov.
2308kuznet@ms2.inr.ac.ru
2309
2310Updated by:
2311
2312- Andi Kleen
2313 ak@muc.de
2314- Nicolas Delon
2315 delon.nicolas@wanadoo.fr
2316
2317
2318
2319
2320/proc/sys/net/ipv6/* Variables
2321==============================
2322
2323IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also
2324apply to IPv6 [XXX?].
2325
2326bindv6only - BOOLEAN
2327 Default value for IPV6_V6ONLY socket option,
2328 which restricts use of the IPv6 socket to IPv6 communication
2329 only.
2330
2331 Possible values:
2332
2333 - 0 (disabled) - enable IPv4-mapped address feature
2334 - 1 (enabled) - disable IPv4-mapped address feature
2335
2336 Default: 0 (disabled)
2337
2338flowlabel_consistency - BOOLEAN
2339 Protect the consistency (and unicity) of flow label.
2340 You have to disable it to use IPV6_FL_F_REFLECT flag on the
2341 flow label manager.
2342
2343 Possible values:
2344
2345 - 0 (disabled)
2346 - 1 (enabled)
2347
2348 Default: 1 (enabled)
2349
2350auto_flowlabels - INTEGER
2351 Automatically generate flow labels based on a flow hash of the
2352 packet. This allows intermediate devices, such as routers, to
2353 identify packet flows for mechanisms like Equal Cost Multipath
2354 Routing (see RFC 6438).
2355
2356 = ===========================================================
2357 0 automatic flow labels are completely disabled
2358 1 automatic flow labels are enabled by default, they can be
2359 disabled on a per socket basis using the IPV6_AUTOFLOWLABEL
2360 socket option
2361 2 automatic flow labels are allowed, they may be enabled on a
2362 per socket basis using the IPV6_AUTOFLOWLABEL socket option
2363 3 automatic flow labels are enabled and enforced, they cannot
2364 be disabled by the socket option
2365 = ===========================================================
2366
2367 Default: 1
2368
2369flowlabel_state_ranges - BOOLEAN
2370 Split the flow label number space into two ranges. 0-0x7FFFF is
2371 reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF
2372 is reserved for stateless flow labels as described in RFC6437.
2373
2374 Possible values:
2375
2376 - 0 (disabled)
2377 - 1 (enabled)
2378
2379 Default: 1 (enabled)
2380
2381
2382flowlabel_reflect - INTEGER
2383 Control flow label reflection. Needed for Path MTU
2384 Discovery to work with Equal Cost Multipath Routing in anycast
2385 environments. See RFC 7690 and:
2386 https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01
2387
2388 This is a bitmask.
2389
2390 - 1: enabled for established flows
2391
2392 Note that this prevents automatic flowlabel changes, as done
2393 in "tcp: change IPv6 flow-label upon receiving spurious retransmission"
2394 and "tcp: Change txhash on every SYN and RTO retransmit"
2395
2396 - 2: enabled for TCP RESET packets (no active listener)
2397 If set, a RST packet sent in response to a SYN packet on a closed
2398 port will reflect the incoming flow label.
2399
2400 - 4: enabled for ICMPv6 echo reply messages.
2401
2402 Default: 0
2403
2404fib_multipath_hash_policy - INTEGER
2405 Controls which hash policy to use for multipath routes.
2406
2407 Default: 0 (Layer 3)
2408
2409 Possible values:
2410
2411 - 0 - Layer 3 (source and destination addresses plus flow label)
2412 - 1 - Layer 4 (standard 5-tuple)
2413 - 2 - Layer 3 or inner Layer 3 if present
2414 - 3 - Custom multipath hash. Fields used for multipath hash calculation
2415 are determined by fib_multipath_hash_fields sysctl
2416
2417fib_multipath_hash_fields - UNSIGNED INTEGER
2418 When fib_multipath_hash_policy is set to 3 (custom multipath hash), the
2419 fields used for multipath hash calculation are determined by this
2420 sysctl.
2421
2422 This value is a bitmask which enables various fields for multipath hash
2423 calculation.
2424
2425 Possible fields are:
2426
2427 ====== ============================
2428 0x0001 Source IP address
2429 0x0002 Destination IP address
2430 0x0004 IP protocol
2431 0x0008 Flow Label
2432 0x0010 Source port
2433 0x0020 Destination port
2434 0x0040 Inner source IP address
2435 0x0080 Inner destination IP address
2436 0x0100 Inner IP protocol
2437 0x0200 Inner Flow Label
2438 0x0400 Inner source port
2439 0x0800 Inner destination port
2440 ====== ============================
2441
2442 Default: 0x0007 (source IP, destination IP and IP protocol)
2443
2444anycast_src_echo_reply - BOOLEAN
2445 Controls the use of anycast addresses as source addresses for ICMPv6
2446 echo reply
2447
2448 Possible values:
2449
2450 - 0 (disabled)
2451 - 1 (enabled)
2452
2453 Default: 0 (disabled)
2454
2455
2456idgen_delay - INTEGER
2457 Controls the delay in seconds after which time to retry
2458 privacy stable address generation if a DAD conflict is
2459 detected.
2460
2461 Default: 1 (as specified in RFC7217)
2462
2463idgen_retries - INTEGER
2464 Controls the number of retries to generate a stable privacy
2465 address if a DAD conflict is detected.
2466
2467 Default: 3 (as specified in RFC7217)
2468
2469mld_qrv - INTEGER
2470 Controls the MLD query robustness variable (see RFC3810 9.1).
2471
2472 Default: 2 (as specified by RFC3810 9.1)
2473
2474 Minimum: 1 (as specified by RFC6636 4.5)
2475
2476max_dst_opts_number - INTEGER
2477 Maximum number of non-padding TLVs allowed in a Destination
2478 options extension header. If this value is less than zero
2479 then unknown options are disallowed and the number of known
2480 TLVs allowed is the absolute value of this number.
2481
2482 Default: 8
2483
2484max_hbh_opts_number - INTEGER
2485 Maximum number of non-padding TLVs allowed in a Hop-by-Hop
2486 options extension header. If this value is less than zero
2487 then unknown options are disallowed and the number of known
2488 TLVs allowed is the absolute value of this number.
2489
2490 Default: 8
2491
2492max_dst_opts_length - INTEGER
2493 Maximum length allowed for a Destination options extension
2494 header.
2495
2496 Default: INT_MAX (unlimited)
2497
2498max_hbh_length - INTEGER
2499 Maximum length allowed for a Hop-by-Hop options extension
2500 header.
2501
2502 Default: INT_MAX (unlimited)
2503
2504skip_notify_on_dev_down - BOOLEAN
2505 Controls whether an RTM_DELROUTE message is generated for routes
2506 removed when a device is taken down or deleted. IPv4 does not
2507 generate this message; IPv6 does by default. Setting this sysctl
2508 to true skips the message, making IPv4 and IPv6 on par in relying
2509 on userspace caches to track link events and evict routes.
2510
2511 Possible values:
2512
2513 - 0 (disabled) - generate the message
2514 - 1 (enabled) - skip generating the message
2515
2516 Default: 0 (disabled)
2517
2518nexthop_compat_mode - BOOLEAN
2519 New nexthop API provides a means for managing nexthops independent of
2520 prefixes. Backwards compatibility with old route format is enabled by
2521 default which means route dumps and notifications contain the new
2522 nexthop attribute but also the full, expanded nexthop definition.
2523 Further, updates or deletes of a nexthop configuration generate route
2524 notifications for each fib entry using the nexthop. Once a system
2525 understands the new API, this sysctl can be disabled to achieve full
2526 performance benefits of the new API by disabling the nexthop expansion
2527 and extraneous notifications.
2528
2529 Note that as a backward-compatible mode, dumping of modern features
2530 might be incomplete or wrong. For example, resilient groups will not be
2531 shown as such, but rather as just a list of next hops. Also weights that
2532 do not fit into 8 bits will show incorrectly.
2533
2534 Default: true (backward compat mode)
2535
2536fib_notify_on_flag_change - INTEGER
2537 Whether to emit RTM_NEWROUTE notifications whenever RTM_F_OFFLOAD/
2538 RTM_F_TRAP/RTM_F_OFFLOAD_FAILED flags are changed.
2539
2540 After installing a route to the kernel, user space receives an
2541 acknowledgment, which means the route was installed in the kernel,
2542 but not necessarily in hardware.
2543 It is also possible for a route already installed in hardware to change
2544 its action and therefore its flags. For example, a host route that is
2545 trapping packets can be "promoted" to perform decapsulation following
2546 the installation of an IPinIP/VXLAN tunnel.
2547 The notifications will indicate to user-space the state of the route.
2548
2549 Default: 0 (Do not emit notifications.)
2550
2551 Possible values:
2552
2553 - 0 - Do not emit notifications.
2554 - 1 - Emit notifications.
2555 - 2 - Emit notifications only for RTM_F_OFFLOAD_FAILED flag change.
2556
2557ioam6_id - INTEGER
2558 Define the IOAM id of this node. Uses only 24 bits out of 32 in total.
2559
2560 Possible value range:
2561
2562 - Min: 0
2563 - Max: 0xFFFFFF
2564
2565 Default: 0xFFFFFF
2566
2567ioam6_id_wide - LONG INTEGER
2568 Define the wide IOAM id of this node. Uses only 56 bits out of 64 in
2569 total. Can be different from ioam6_id.
2570
2571 Possible value range:
2572
2573 - Min: 0
2574 - Max: 0xFFFFFFFFFFFFFF
2575
2576 Default: 0xFFFFFFFFFFFFFF
2577
2578IPv6 Fragmentation:
2579
2580ip6frag_high_thresh - INTEGER
2581 Maximum memory used to reassemble IPv6 fragments. When
2582 ip6frag_high_thresh bytes of memory is allocated for this purpose,
2583 the fragment handler will toss packets until ip6frag_low_thresh
2584 is reached.
2585
2586ip6frag_low_thresh - INTEGER
2587 See ip6frag_high_thresh
2588
2589ip6frag_time - INTEGER
2590 Time in seconds to keep an IPv6 fragment in memory.
2591
2592``conf/default/*``:
2593 Change the interface-specific default settings.
2594
2595 These settings would be used during creating new interfaces.
2596
2597
2598``conf/all/*``:
2599 Change all the interface-specific settings.
2600
2601 [XXX: Other special features than forwarding?]
2602
2603conf/all/disable_ipv6 - BOOLEAN
2604 Changing this value is same as changing ``conf/default/disable_ipv6``
2605 setting and also all per-interface ``disable_ipv6`` settings to the same
2606 value.
2607
2608 Reading this value does not have any particular meaning. It does not say
2609 whether IPv6 support is enabled or disabled. Returned value can be 1
2610 also in the case when some interface has ``disable_ipv6`` set to 0 and
2611 has configured IPv6 addresses.
2612
2613conf/all/forwarding - BOOLEAN
2614 Enable global IPv6 forwarding between all interfaces.
2615
2616 IPv4 and IPv6 work differently here; the ``force_forwarding`` flag must
2617 be used to control which interfaces may forward packets.
2618
2619 This also sets all interfaces' Host/Router setting
2620 'forwarding' to the specified value. See below for details.
2621
2622 This referred to as global forwarding.
2623
2624proxy_ndp - BOOLEAN
2625 Do proxy ndp.
2626
2627 Possible values:
2628
2629 - 0 (disabled)
2630 - 1 (enabled)
2631
2632 Default: 0 (disabled)
2633
2634force_forwarding - BOOLEAN
2635 Enable forwarding on this interface only -- regardless of the setting on
2636 ``conf/all/forwarding``. When setting ``conf.all.forwarding`` to 0,
2637 the ``force_forwarding`` flag will be reset on all interfaces.
2638
2639fwmark_reflect - BOOLEAN
2640 Controls the fwmark of kernel-generated IPv6 reply packets that are not
2641 associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
2642 If disabled, these packets have a fwmark of zero. If enabled, they have the
2643 fwmark of the packet they are replying to.
2644
2645 Possible values:
2646
2647 - 0 (disabled)
2648 - 1 (enabled)
2649
2650 Default: 0 (disabled)
2651
2652``conf/interface/*``:
2653 Change special settings per interface.
2654
2655 The functional behaviour for certain settings is different
2656 depending on whether local forwarding is enabled or not.
2657
2658accept_ra - INTEGER
2659 Accept Router Advertisements; autoconfigure using them.
2660
2661 It also determines whether or not to transmit Router
2662 Solicitations. If and only if the functional setting is to
2663 accept Router Advertisements, Router Solicitations will be
2664 transmitted.
2665
2666 Possible values are:
2667
2668 == ===========================================================
2669 0 Do not accept Router Advertisements.
2670 1 Accept Router Advertisements if forwarding is disabled.
2671 2 Overrule forwarding behaviour. Accept Router Advertisements
2672 even if forwarding is enabled.
2673 == ===========================================================
2674
2675 Functional default:
2676
2677 - enabled if local forwarding is disabled.
2678 - disabled if local forwarding is enabled.
2679
2680accept_ra_defrtr - BOOLEAN
2681 Learn default router in Router Advertisement.
2682
2683 Functional default:
2684
2685 - enabled if accept_ra is enabled.
2686 - disabled if accept_ra is disabled.
2687
2688ra_defrtr_metric - UNSIGNED INTEGER
2689 Route metric for default route learned in Router Advertisement. This value
2690 will be assigned as metric for the default route learned via IPv6 Router
2691 Advertisement. Takes affect only if accept_ra_defrtr is enabled.
2692
2693 Possible values:
2694 1 to 0xFFFFFFFF
2695
2696 Default: IP6_RT_PRIO_USER i.e. 1024.
2697
2698accept_ra_from_local - BOOLEAN
2699 Accept RA with source-address that is found on local machine
2700 if the RA is otherwise proper and able to be accepted.
2701
2702 Default is to NOT accept these as it may be an un-intended
2703 network loop.
2704
2705 Functional default:
2706
2707 - enabled if accept_ra_from_local is enabled
2708 on a specific interface.
2709 - disabled if accept_ra_from_local is disabled
2710 on a specific interface.
2711
2712accept_ra_min_hop_limit - INTEGER
2713 Minimum hop limit Information in Router Advertisement.
2714
2715 Hop limit Information in Router Advertisement less than this
2716 variable shall be ignored.
2717
2718 Default: 1
2719
2720accept_ra_min_lft - INTEGER
2721 Minimum acceptable lifetime value in Router Advertisement.
2722
2723 RA sections with a lifetime less than this value shall be
2724 ignored. Zero lifetimes stay unaffected.
2725
2726 Default: 0
2727
2728accept_ra_pinfo - BOOLEAN
2729 Learn Prefix Information in Router Advertisement.
2730
2731 Functional default:
2732
2733 - enabled if accept_ra is enabled.
2734 - disabled if accept_ra is disabled.
2735
2736ra_honor_pio_life - BOOLEAN
2737 Whether to use RFC4862 Section 5.5.3e to determine the valid
2738 lifetime of an address matching a prefix sent in a Router
2739 Advertisement Prefix Information Option.
2740
2741 Possible values:
2742
2743 - 0 (disabled) - RFC4862 section 5.5.3e is used to determine
2744 the valid lifetime of the address.
2745 - 1 (enabled) - the PIO valid lifetime will always be honored.
2746
2747 Default: 0 (disabled)
2748
2749ra_honor_pio_pflag - BOOLEAN
2750 The Prefix Information Option P-flag indicates the network can
2751 allocate a unique IPv6 prefix per client using DHCPv6-PD.
2752 This sysctl can be enabled when a userspace DHCPv6-PD client
2753 is running to cause the P-flag to take effect: i.e. the
2754 P-flag suppresses any effects of the A-flag within the same
2755 PIO. For a given PIO, P=1 and A=1 is treated as A=0.
2756
2757 Possible values:
2758
2759 - 0 (disabled) - the P-flag is ignored.
2760 - 1 (enabled) - the P-flag will disable SLAAC autoconfiguration
2761 for the given Prefix Information Option.
2762
2763 Default: 0 (disabled)
2764
2765accept_ra_rt_info_min_plen - INTEGER
2766 Minimum prefix length of Route Information in RA.
2767
2768 Route Information w/ prefix smaller than this variable shall
2769 be ignored.
2770
2771 Functional default:
2772
2773 * 0 if accept_ra_rtr_pref is enabled.
2774 * -1 if accept_ra_rtr_pref is disabled.
2775
2776accept_ra_rt_info_max_plen - INTEGER
2777 Maximum prefix length of Route Information in RA.
2778
2779 Route Information w/ prefix larger than this variable shall
2780 be ignored.
2781
2782 Functional default:
2783
2784 * 0 if accept_ra_rtr_pref is enabled.
2785 * -1 if accept_ra_rtr_pref is disabled.
2786
2787accept_ra_rtr_pref - BOOLEAN
2788 Accept Router Preference in RA.
2789
2790 Functional default:
2791
2792 - enabled if accept_ra is enabled.
2793 - disabled if accept_ra is disabled.
2794
2795accept_ra_mtu - BOOLEAN
2796 Apply the MTU value specified in RA option 5 (RFC4861). If
2797 disabled, the MTU specified in the RA will be ignored.
2798
2799 Functional default:
2800
2801 - enabled if accept_ra is enabled.
2802 - disabled if accept_ra is disabled.
2803
2804accept_redirects - BOOLEAN
2805 Accept Redirects.
2806
2807 Functional default:
2808
2809 - enabled if local forwarding is disabled.
2810 - disabled if local forwarding is enabled.
2811
2812accept_source_route - INTEGER
2813 Accept source routing (routing extension header).
2814
2815 - >= 0: Accept only routing header type 2.
2816 - < 0: Do not accept routing header.
2817
2818 Default: 0
2819
2820autoconf - BOOLEAN
2821 Autoconfigure addresses using Prefix Information in Router
2822 Advertisements.
2823
2824 Functional default:
2825
2826 - enabled if accept_ra_pinfo is enabled.
2827 - disabled if accept_ra_pinfo is disabled.
2828
2829dad_transmits - INTEGER
2830 The amount of Duplicate Address Detection probes to send.
2831
2832 Default: 1
2833
2834forwarding - INTEGER
2835 Configure interface-specific Host/Router behaviour.
2836
2837 .. note::
2838
2839 It is recommended to have the same setting on all
2840 interfaces; mixed router/host scenarios are rather uncommon.
2841
2842 Possible values are:
2843
2844 - 0 Forwarding disabled
2845 - 1 Forwarding enabled
2846
2847 **FALSE (0)**:
2848
2849 By default, Host behaviour is assumed. This means:
2850
2851 1. IsRouter flag is not set in Neighbour Advertisements.
2852 2. If accept_ra is TRUE (default), transmit Router
2853 Solicitations.
2854 3. If accept_ra is TRUE (default), accept Router
2855 Advertisements (and do autoconfiguration).
2856 4. If accept_redirects is TRUE (default), accept Redirects.
2857
2858 **TRUE (1)**:
2859
2860 If local forwarding is enabled, Router behaviour is assumed.
2861 This means exactly the reverse from the above:
2862
2863 1. IsRouter flag is set in Neighbour Advertisements.
2864 2. Router Solicitations are not sent unless accept_ra is 2.
2865 3. Router Advertisements are ignored unless accept_ra is 2.
2866 4. Redirects are ignored.
2867
2868 Default: 0 (disabled) if global forwarding is disabled (default),
2869 otherwise 1 (enabled).
2870
2871hop_limit - INTEGER
2872 Default Hop Limit to set.
2873
2874 Default: 64
2875
2876mtu - INTEGER
2877 Default Maximum Transfer Unit
2878
2879 Default: 1280 (IPv6 required minimum)
2880
2881ip_nonlocal_bind - BOOLEAN
2882 If enabled, allows processes to bind() to non-local IPv6 addresses,
2883 which can be quite useful - but may break some applications.
2884
2885 Possible values:
2886
2887 - 0 (disabled)
2888 - 1 (enabled)
2889
2890 Default: 0 (disabled)
2891
2892router_probe_interval - INTEGER
2893 Minimum interval (in seconds) between Router Probing described
2894 in RFC4191.
2895
2896 Default: 60
2897
2898router_solicitation_delay - INTEGER
2899 Number of seconds to wait after interface is brought up
2900 before sending Router Solicitations.
2901
2902 Default: 1
2903
2904router_solicitation_interval - INTEGER
2905 Number of seconds to wait between Router Solicitations.
2906
2907 Default: 4
2908
2909router_solicitations - INTEGER
2910 Number of Router Solicitations to send until assuming no
2911 routers are present.
2912
2913 Default: 3
2914
2915use_oif_addrs_only - BOOLEAN
2916 When enabled, the candidate source addresses for destinations
2917 routed via this interface are restricted to the set of addresses
2918 configured on this interface (vis. RFC 6724, section 4).
2919
2920 Possible values:
2921
2922 - 0 (disabled)
2923 - 1 (enabled)
2924
2925 Default: 0 (disabled)
2926
2927use_tempaddr - INTEGER
2928 Preference for Privacy Extensions (RFC3041).
2929
2930 * <= 0 : disable Privacy Extensions
2931 * == 1 : enable Privacy Extensions, but prefer public
2932 addresses over temporary addresses.
2933 * > 1 : enable Privacy Extensions and prefer temporary
2934 addresses over public addresses.
2935
2936 Default:
2937
2938 * 0 (for most devices)
2939 * -1 (for point-to-point devices and loopback devices)
2940
2941temp_valid_lft - INTEGER
2942 valid lifetime (in seconds) for temporary addresses. If less than the
2943 minimum required lifetime (typically 5-7 seconds), temporary addresses
2944 will not be created.
2945
2946 Default: 172800 (2 days)
2947
2948temp_prefered_lft - INTEGER
2949 Preferred lifetime (in seconds) for temporary addresses. If
2950 temp_prefered_lft is less than the minimum required lifetime (typically
2951 5-7 seconds), the preferred lifetime is the minimum required. If
2952 temp_prefered_lft is greater than temp_valid_lft, the preferred lifetime
2953 is temp_valid_lft.
2954
2955 Default: 86400 (1 day)
2956
2957keep_addr_on_down - INTEGER
2958 Keep all IPv6 addresses on an interface down event. If set static
2959 global addresses with no expiration time are not flushed.
2960
2961 * >0 : enabled
2962 * 0 : system default
2963 * <0 : disabled
2964
2965 Default: 0 (addresses are removed)
2966
2967max_desync_factor - INTEGER
2968 Maximum value for DESYNC_FACTOR, which is a random value
2969 that ensures that clients don't synchronize with each
2970 other and generate new addresses at exactly the same time.
2971 value is in seconds.
2972
2973 Default: 600
2974
2975regen_min_advance - INTEGER
2976 How far in advance (in seconds), at minimum, to create a new temporary
2977 address before the current one is deprecated. This value is added to
2978 the amount of time that may be required for duplicate address detection
2979 to determine when to create a new address. Linux permits setting this
2980 value to less than the default of 2 seconds, but a value less than 2
2981 does not conform to RFC 8981.
2982
2983 Default: 2
2984
2985regen_max_retry - INTEGER
2986 Number of attempts before give up attempting to generate
2987 valid temporary addresses.
2988
2989 Default: 5
2990
2991max_addresses - INTEGER
2992 Maximum number of autoconfigured addresses per interface. Setting
2993 to zero disables the limitation. It is not recommended to set this
2994 value too large (or to zero) because it would be an easy way to
2995 crash the kernel by allowing too many addresses to be created.
2996
2997 Default: 16
2998
2999disable_ipv6 - BOOLEAN
3000 Disable IPv6 operation. If accept_dad is set to 2, this value
3001 will be dynamically set to TRUE if DAD fails for the link-local
3002 address.
3003
3004 Default: FALSE (enable IPv6 operation)
3005
3006 When this value is changed from 1 to 0 (IPv6 is being enabled),
3007 it will dynamically create a link-local address on the given
3008 interface and start Duplicate Address Detection, if necessary.
3009
3010 When this value is changed from 0 to 1 (IPv6 is being disabled),
3011 it will dynamically delete all addresses and routes on the given
3012 interface. From now on it will not possible to add addresses/routes
3013 to the selected interface.
3014
3015accept_dad - INTEGER
3016 Whether to accept DAD (Duplicate Address Detection).
3017
3018 == ==============================================================
3019 0 Disable DAD
3020 1 Enable DAD (default)
3021 2 Enable DAD, and disable IPv6 operation if MAC-based duplicate
3022 link-local address has been found.
3023 == ==============================================================
3024
3025 DAD operation and mode on a given interface will be selected according
3026 to the maximum value of conf/{all,interface}/accept_dad.
3027
3028force_tllao - BOOLEAN
3029 Enable sending the target link-layer address option even when
3030 responding to a unicast neighbor solicitation.
3031
3032 Default: FALSE
3033
3034 Quoting from RFC 2461, section 4.4, Target link-layer address:
3035
3036 "The option MUST be included for multicast solicitations in order to
3037 avoid infinite Neighbor Solicitation "recursion" when the peer node
3038 does not have a cache entry to return a Neighbor Advertisements
3039 message. When responding to unicast solicitations, the option can be
3040 omitted since the sender of the solicitation has the correct link-
3041 layer address; otherwise it would not have be able to send the unicast
3042 solicitation in the first place. However, including the link-layer
3043 address in this case adds little overhead and eliminates a potential
3044 race condition where the sender deletes the cached link-layer address
3045 prior to receiving a response to a previous solicitation."
3046
3047ndisc_notify - BOOLEAN
3048 Define mode for notification of address and device changes.
3049
3050 Possible values:
3051
3052 - 0 (disabled) - do nothing
3053 - 1 (enabled) - Generate unsolicited neighbour advertisements when device is brought
3054 up or hardware address changes.
3055
3056 Default: 0 (disabled)
3057
3058ndisc_tclass - INTEGER
3059 The IPv6 Traffic Class to use by default when sending IPv6 Neighbor
3060 Discovery (Router Solicitation, Router Advertisement, Neighbor
3061 Solicitation, Neighbor Advertisement, Redirect) messages.
3062 These 8 bits can be interpreted as 6 high order bits holding the DSCP
3063 value and 2 low order bits representing ECN (which you probably want
3064 to leave cleared).
3065
3066 * 0 - (default)
3067
3068ndisc_evict_nocarrier - BOOLEAN
3069 Clears the neighbor discovery table on NOCARRIER events. This option is
3070 important for wireless devices where the neighbor discovery cache should
3071 not be cleared when roaming between access points on the same network.
3072 In most cases this should remain as the default (1).
3073
3074 Possible values:
3075
3076 - 0 (disabled) - Do not clear neighbor discovery cache on NOCARRIER events.
3077 - 1 (enabled) - Clear neighbor discover cache on NOCARRIER events.
3078
3079 Default: 1 (enabled)
3080
3081mldv1_unsolicited_report_interval - INTEGER
3082 The interval in milliseconds in which the next unsolicited
3083 MLDv1 report retransmit will take place.
3084
3085 Default: 10000 (10 seconds)
3086
3087mldv2_unsolicited_report_interval - INTEGER
3088 The interval in milliseconds in which the next unsolicited
3089 MLDv2 report retransmit will take place.
3090
3091 Default: 1000 (1 second)
3092
3093force_mld_version - INTEGER
3094 * 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed
3095 * 1 - Enforce to use MLD version 1
3096 * 2 - Enforce to use MLD version 2
3097
3098suppress_frag_ndisc - INTEGER
3099 Control RFC 6980 (Security Implications of IPv6 Fragmentation
3100 with IPv6 Neighbor Discovery) behavior:
3101
3102 * 1 - (default) discard fragmented neighbor discovery packets
3103 * 0 - allow fragmented neighbor discovery packets
3104
3105optimistic_dad - BOOLEAN
3106 Whether to perform Optimistic Duplicate Address Detection (RFC 4429).
3107
3108 Optimistic Duplicate Address Detection for the interface will be enabled
3109 if at least one of conf/{all,interface}/optimistic_dad is set to 1,
3110 it will be disabled otherwise.
3111
3112 Possible values:
3113
3114 - 0 (disabled)
3115 - 1 (enabled)
3116
3117 Default: 0 (disabled)
3118
3119
3120use_optimistic - BOOLEAN
3121 If enabled, do not classify optimistic addresses as deprecated during
3122 source address selection. Preferred addresses will still be chosen
3123 before optimistic addresses, subject to other ranking in the source
3124 address selection algorithm.
3125
3126 This will be enabled if at least one of
3127 conf/{all,interface}/use_optimistic is set to 1, disabled otherwise.
3128
3129 Possible values:
3130
3131 - 0 (disabled)
3132 - 1 (enabled)
3133
3134 Default: 0 (disabled)
3135
3136stable_secret - IPv6 address
3137 This IPv6 address will be used as a secret to generate IPv6
3138 addresses for link-local addresses and autoconfigured
3139 ones. All addresses generated after setting this secret will
3140 be stable privacy ones by default. This can be changed via the
3141 addrgenmode ip-link. conf/default/stable_secret is used as the
3142 secret for the namespace, the interface specific ones can
3143 overwrite that. Writes to conf/all/stable_secret are refused.
3144
3145 It is recommended to generate this secret during installation
3146 of a system and keep it stable after that.
3147
3148 By default the stable secret is unset.
3149
3150addr_gen_mode - INTEGER
3151 Defines how link-local and autoconf addresses are generated.
3152
3153 = =================================================================
3154 0 generate address based on EUI64 (default)
3155 1 do no generate a link-local address, use EUI64 for addresses
3156 generated from autoconf
3157 2 generate stable privacy addresses, using the secret from
3158 stable_secret (RFC7217)
3159 3 generate stable privacy addresses, using a random secret if unset
3160 = =================================================================
3161
3162drop_unicast_in_l2_multicast - BOOLEAN
3163 Drop any unicast IPv6 packets that are received in link-layer
3164 multicast (or broadcast) frames.
3165
3166 Possible values:
3167
3168 - 0 (disabled)
3169 - 1 (enabled)
3170
3171 Default: 0 (disabled)
3172
3173drop_unsolicited_na - BOOLEAN
3174 Drop all unsolicited neighbor advertisements, for example if there's
3175 a known good NA proxy on the network and such frames need not be used
3176 (or in the case of 802.11, must not be used to prevent attacks.)
3177
3178 Possible values:
3179
3180 - 0 (disabled)
3181 - 1 (enabled)
3182
3183 Default: 0 (disabled).
3184
3185accept_untracked_na - INTEGER
3186 Define behavior for accepting neighbor advertisements from devices that
3187 are absent in the neighbor cache:
3188
3189 - 0 - (default) Do not accept unsolicited and untracked neighbor
3190 advertisements.
3191
3192 - 1 - Add a new neighbor cache entry in STALE state for routers on
3193 receiving a neighbor advertisement (either solicited or unsolicited)
3194 with target link-layer address option specified if no neighbor entry
3195 is already present for the advertised IPv6 address. Without this knob,
3196 NAs received for untracked addresses (absent in neighbor cache) are
3197 silently ignored.
3198
3199 This is as per router-side behavior documented in RFC9131.
3200
3201 This has lower precedence than drop_unsolicited_na.
3202
3203 This will optimize the return path for the initial off-link
3204 communication that is initiated by a directly connected host, by
3205 ensuring that the first-hop router which turns on this setting doesn't
3206 have to buffer the initial return packets to do neighbor-solicitation.
3207 The prerequisite is that the host is configured to send unsolicited
3208 neighbor advertisements on interface bringup. This setting should be
3209 used in conjunction with the ndisc_notify setting on the host to
3210 satisfy this prerequisite.
3211
3212 - 2 - Extend option (1) to add a new neighbor cache entry only if the
3213 source IP address is in the same subnet as an address configured on
3214 the interface that received the neighbor advertisement.
3215
3216enhanced_dad - BOOLEAN
3217 Include a nonce option in the IPv6 neighbor solicitation messages used for
3218 duplicate address detection per RFC7527. A received DAD NS will only signal
3219 a duplicate address if the nonce is different. This avoids any false
3220 detection of duplicates due to loopback of the NS messages that we send.
3221 The nonce option will be sent on an interface unless both of
3222 conf/{all,interface}/enhanced_dad are set to FALSE.
3223
3224 Possible values:
3225
3226 - 0 (disabled)
3227 - 1 (enabled)
3228
3229 Default: 1 (enabled)
3230
3231``icmp/*``:
3232===========
3233
3234ratelimit - INTEGER
3235 Limit the maximal rates for sending ICMPv6 messages.
3236
3237 0 to disable any limiting,
3238 otherwise the minimal space between responses in milliseconds.
3239
3240 Default: 1000
3241
3242ratemask - list of comma separated ranges
3243 For ICMPv6 message types matching the ranges in the ratemask, limit
3244 the sending of the message according to ratelimit parameter.
3245
3246 The format used for both input and output is a comma separated
3247 list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and
3248 129). Writing to the file will clear all previous ranges of ICMPv6
3249 message types and update the current list with the input.
3250
3251 Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
3252 for numerical values of ICMPv6 message types, e.g. echo request is 128
3253 and echo reply is 129.
3254
3255 Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)
3256
3257echo_ignore_all - BOOLEAN
3258 If enabled, then the kernel will ignore all ICMP ECHO
3259 requests sent to it over the IPv6 protocol.
3260
3261 Possible values:
3262
3263 - 0 (disabled)
3264 - 1 (enabled)
3265
3266 Default: 0 (disabled)
3267
3268echo_ignore_multicast - BOOLEAN
3269 If enabled, then the kernel will ignore all ICMP ECHO
3270 requests sent to it over the IPv6 protocol via multicast.
3271
3272 Possible values:
3273
3274 - 0 (disabled)
3275 - 1 (enabled)
3276
3277 Default: 0 (disabled)
3278
3279echo_ignore_anycast - BOOLEAN
3280 If enabled, then the kernel will ignore all ICMP ECHO
3281 requests sent to it over the IPv6 protocol destined to anycast address.
3282
3283 Possible values:
3284
3285 - 0 (disabled)
3286 - 1 (enabled)
3287
3288 Default: 0 (disabled)
3289
3290error_anycast_as_unicast - BOOLEAN
3291 If enabled, then the kernel will respond with ICMP Errors
3292 resulting from requests sent to it over the IPv6 protocol destined
3293 to anycast address essentially treating anycast as unicast.
3294
3295 Possible values:
3296
3297 - 0 (disabled)
3298 - 1 (enabled)
3299
3300 Default: 0 (disabled)
3301
3302errors_extension_mask - UNSIGNED INTEGER
3303 Bitmask of ICMP extensions to append to ICMPv6 error messages
3304 ("Destination Unreachable" and "Time Exceeded"). The original datagram
3305 is trimmed / padded to 128 bytes in order to be compatible with
3306 applications that do not comply with RFC 4884.
3307
3308 Possible extensions are:
3309
3310 ==== ==============================================================
3311 0x01 Incoming IP interface information according to RFC 5837.
3312 Extension will include the index, IPv6 address (if present),
3313 name and MTU of the IP interface that received the datagram
3314 which elicited the ICMP error.
3315 ==== ==============================================================
3316
3317 Default: 0x00 (no extensions)
3318
3319xfrm6_gc_thresh - INTEGER
3320 (Obsolete since linux-4.14)
3321 The threshold at which we will start garbage collecting for IPv6
3322 destination cache entries. At twice this value the system will
3323 refuse new allocations.
3324
3325
3326IPv6 Update by:
3327Pekka Savola <pekkas@netcore.fi>
3328YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org>
3329
3330
3331/proc/sys/net/bridge/* Variables:
3332=================================
3333
3334bridge-nf-call-arptables - BOOLEAN
3335
3336 Possible values:
3337
3338 - 0 (disabled) - disable this.
3339 - 1 (enabled) - pass bridged ARP traffic to arptables' FORWARD chain.
3340
3341 Default: 1 (enabled)
3342
3343bridge-nf-call-iptables - BOOLEAN
3344
3345 Possible values:
3346
3347 - 0 (disabled) - disable this.
3348 - 1 (enabled) - pass bridged IPv4 traffic to iptables' chains.
3349
3350 Default: 1 (enabled)
3351
3352bridge-nf-call-ip6tables - BOOLEAN
3353
3354 Possible values:
3355
3356 - 0 (disabled) - disable this.
3357 - 1 (enabled) - pass bridged IPv6 traffic to ip6tables' chains.
3358
3359 Default: 1 (enabled)
3360
3361bridge-nf-filter-vlan-tagged - BOOLEAN
3362
3363 Possible values:
3364
3365 - 0 (disabled) - disable this.
3366 - 1 (enabled) - pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables
3367
3368 Default: 0 (disabled)
3369
3370bridge-nf-filter-pppoe-tagged - BOOLEAN
3371
3372 Possible values:
3373
3374 - 0 (disabled) - disable this.
3375 - 1 (enabled) - pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
3376
3377 Default: 0 (disabled)
3378
3379bridge-nf-pass-vlan-input-dev - BOOLEAN
3380 - 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
3381 interface on the bridge and set the netfilter input device to the
3382 vlan. This allows use of e.g. "iptables -i br0.1" and makes the
3383 REDIRECT target work with vlan-on-top-of-bridge interfaces. When no
3384 matching vlan interface is found, or this switch is off, the input
3385 device is set to the bridge interface.
3386
3387 - 0: disable bridge netfilter vlan interface lookup.
3388
3389 Default: 0
3390
3391``proc/sys/net/sctp/*`` Variables:
3392==================================
3393
3394addip_enable - BOOLEAN
3395 Enable or disable extension of Dynamic Address Reconfiguration
3396 (ADD-IP) functionality specified in RFC5061. This extension provides
3397 the ability to dynamically add and remove new addresses for the SCTP
3398 associations.
3399
3400 Possible values:
3401
3402 - 0 (disabled) - disable extension.
3403 - 1 (enabled) - enable extension
3404
3405 Default: 0 (disabled)
3406
3407pf_enable - INTEGER
3408 Enable or disable pf (pf is short for potentially failed) state. A value
3409 of pf_retrans > path_max_retrans also disables pf state. That is, one of
3410 both pf_enable and pf_retrans > path_max_retrans can disable pf state.
3411 Since pf_retrans and path_max_retrans can be changed by userspace
3412 application, sometimes user expects to disable pf state by the value of
3413 pf_retrans > path_max_retrans, but occasionally the value of pf_retrans
3414 or path_max_retrans is changed by the user application, this pf state is
3415 enabled. As such, it is necessary to add this to dynamically enable
3416 and disable pf state. See:
3417 https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for
3418 details.
3419
3420 Possible values:
3421
3422 - 1: Enable pf.
3423 - 0: Disable pf.
3424
3425 Default: 1
3426
3427pf_expose - INTEGER
3428 Unset or enable/disable pf (pf is short for potentially failed) state
3429 exposure. Applications can control the exposure of the PF path state
3430 in the SCTP_PEER_ADDR_CHANGE event and access of SCTP_PF-state
3431 transport info via SCTP_GET_PEER_ADDR_INFO sockopt.
3432
3433 Possible values:
3434
3435 - 0: Unset pf state exposure (compatible with old applications). No
3436 event will be sent but the transport info can be queried.
3437 - 1: Disable pf state exposure. No event will be sent and trying to
3438 obtain transport info will return -EACCESS.
3439 - 2: Enable pf state exposure. The event will be sent for a transport
3440 becoming SCTP_PF state and transport info can be obtained.
3441
3442 Default: 0
3443
3444addip_noauth_enable - BOOLEAN
3445 Dynamic Address Reconfiguration (ADD-IP) requires the use of
3446 authentication to protect the operations of adding or removing new
3447 addresses. This requirement is mandated so that unauthorized hosts
3448 would not be able to hijack associations. However, older
3449 implementations may not have implemented this requirement while
3450 allowing the ADD-IP extension. For reasons of interoperability,
3451 we provide this variable to control the enforcement of the
3452 authentication requirement.
3453
3454 == ===============================================================
3455 1 Allow ADD-IP extension to be used without authentication. This
3456 should only be set in a closed environment for interoperability
3457 with older implementations.
3458
3459 0 Enforce the authentication requirement
3460 == ===============================================================
3461
3462 Default: 0
3463
3464auth_enable - BOOLEAN
3465 Enable or disable Authenticated Chunks extension. This extension
3466 provides the ability to send and receive authenticated chunks and is
3467 required for secure operation of Dynamic Address Reconfiguration
3468 (ADD-IP) extension.
3469
3470 Possible values:
3471
3472 - 0 (disabled) - disable extension.
3473 - 1 (enabled) - enable extension
3474
3475 Default: 0 (disabled)
3476
3477prsctp_enable - BOOLEAN
3478 Enable or disable the Partial Reliability extension (RFC3758) which
3479 is used to notify peers that a given DATA should no longer be expected.
3480
3481 Possible values:
3482
3483 - 0 (disabled) - disable extension.
3484 - 1 (enabled) - enable extension
3485
3486 Default: 1 (enabled)
3487
3488max_burst - INTEGER
3489 The limit of the number of new packets that can be initially sent. It
3490 controls how bursty the generated traffic can be.
3491
3492 Default: 4
3493
3494association_max_retrans - INTEGER
3495 Set the maximum number for retransmissions that an association can
3496 attempt deciding that the remote end is unreachable. If this value
3497 is exceeded, the association is terminated.
3498
3499 Default: 10
3500
3501max_init_retransmits - INTEGER
3502 The maximum number of retransmissions of INIT and COOKIE-ECHO chunks
3503 that an association will attempt before declaring the destination
3504 unreachable and terminating.
3505
3506 Default: 8
3507
3508path_max_retrans - INTEGER
3509 The maximum number of retransmissions that will be attempted on a given
3510 path. Once this threshold is exceeded, the path is considered
3511 unreachable, and new traffic will use a different path when the
3512 association is multihomed.
3513
3514 Default: 5
3515
3516pf_retrans - INTEGER
3517 The number of retransmissions that will be attempted on a given path
3518 before traffic is redirected to an alternate transport (should one
3519 exist). Note this is distinct from path_max_retrans, as a path that
3520 passes the pf_retrans threshold can still be used. Its only
3521 deprioritized when a transmission path is selected by the stack. This
3522 setting is primarily used to enable fast failover mechanisms without
3523 having to reduce path_max_retrans to a very low value. See:
3524 http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt
3525 for details. Note also that a value of pf_retrans > path_max_retrans
3526 disables this feature. Since both pf_retrans and path_max_retrans can
3527 be changed by userspace application, a variable pf_enable is used to
3528 disable pf state.
3529
3530 Default: 0
3531
3532ps_retrans - INTEGER
3533 Primary.Switchover.Max.Retrans (PSMR), it's a tunable parameter coming
3534 from section-5 "Primary Path Switchover" in rfc7829. The primary path
3535 will be changed to another active path when the path error counter on
3536 the old primary path exceeds PSMR, so that "the SCTP sender is allowed
3537 to continue data transmission on a new working path even when the old
3538 primary destination address becomes active again". Note this feature
3539 is disabled by initializing 'ps_retrans' per netns as 0xffff by default,
3540 and its value can't be less than 'pf_retrans' when changing by sysctl.
3541
3542 Default: 0xffff
3543
3544rto_initial - INTEGER
3545 The initial round trip timeout value in milliseconds that will be used
3546 in calculating round trip times. This is the initial time interval
3547 for retransmissions.
3548
3549 Default: 3000
3550
3551rto_max - INTEGER
3552 The maximum value (in milliseconds) of the round trip timeout. This
3553 is the largest time interval that can elapse between retransmissions.
3554
3555 Default: 60000
3556
3557rto_min - INTEGER
3558 The minimum value (in milliseconds) of the round trip timeout. This
3559 is the smallest time interval the can elapse between retransmissions.
3560
3561 Default: 1000
3562
3563hb_interval - INTEGER
3564 The interval (in milliseconds) between HEARTBEAT chunks. These chunks
3565 are sent at the specified interval on idle paths to probe the state of
3566 a given path between 2 associations.
3567
3568 Default: 30000
3569
3570sack_timeout - INTEGER
3571 The amount of time (in milliseconds) that the implementation will wait
3572 to send a SACK.
3573
3574 Default: 200
3575
3576valid_cookie_life - INTEGER
3577 The default lifetime of the SCTP cookie (in milliseconds). The cookie
3578 is used during association establishment.
3579
3580 Default: 60000
3581
3582cookie_preserve_enable - BOOLEAN
3583 Enable or disable the ability to extend the lifetime of the SCTP cookie
3584 that is used during the establishment phase of SCTP association
3585
3586 Possible values:
3587
3588 - 0 (disabled) - disable.
3589 - 1 (enabled) - enable cookie lifetime extension.
3590
3591 Default: 1 (enabled)
3592
3593cookie_hmac_alg - STRING
3594 Select the hmac algorithm used when generating the cookie value sent by
3595 a listening sctp socket to a connecting client in the INIT-ACK chunk.
3596 Valid values are:
3597
3598 * sha256
3599 * none
3600
3601 Default: sha256
3602
3603rcvbuf_policy - INTEGER
3604 Determines if the receive buffer is attributed to the socket or to
3605 association. SCTP supports the capability to create multiple
3606 associations on a single socket. When using this capability, it is
3607 possible that a single stalled association that's buffering a lot
3608 of data may block other associations from delivering their data by
3609 consuming all of the receive buffer space. To work around this,
3610 the rcvbuf_policy could be set to attribute the receiver buffer space
3611 to each association instead of the socket. This prevents the described
3612 blocking.
3613
3614 - 1: rcvbuf space is per association
3615 - 0: rcvbuf space is per socket
3616
3617 Default: 0
3618
3619sndbuf_policy - INTEGER
3620 Similar to rcvbuf_policy above, this applies to send buffer space.
3621
3622 - 1: Send buffer is tracked per association
3623 - 0: Send buffer is tracked per socket.
3624
3625 Default: 0
3626
3627sctp_mem - vector of 3 INTEGERs: min, pressure, max
3628 Number of pages allowed for queueing by all SCTP sockets.
3629
3630 * min: Below this number of pages SCTP is not bothered about its
3631 memory usage. When amount of memory allocated by SCTP exceeds
3632 this number, SCTP starts to moderate memory usage.
3633 * pressure: This value was introduced to follow format of tcp_mem.
3634 * max: Maximum number of allowed pages.
3635
3636 Default is calculated at boot time from amount of available memory.
3637
3638sctp_rmem - vector of 3 INTEGERs: min, default, max
3639 Only the first value ("min") is used, "default" and "max" are
3640 ignored.
3641
3642 * min: Minimal size of receive buffer used by SCTP socket.
3643 It is guaranteed to each SCTP socket (but not association) even
3644 under moderate memory pressure.
3645
3646 Default: 4K
3647
3648sctp_wmem - vector of 3 INTEGERs: min, default, max
3649 Only the first value ("min") is used, "default" and "max" are
3650 ignored.
3651
3652 * min: Minimum size of send buffer that can be used by SCTP sockets.
3653 It is guaranteed to each SCTP socket (but not association) even
3654 under moderate memory pressure.
3655
3656 Default: 4K
3657
3658addr_scope_policy - INTEGER
3659 Control IPv4 address scoping (see
3660 https://datatracker.ietf.org/doc/draft-stewart-tsvwg-sctp-ipv4/00/
3661 for details).
3662
3663 - 0 - Disable IPv4 address scoping
3664 - 1 - Enable IPv4 address scoping
3665 - 2 - Follow draft but allow IPv4 private addresses
3666 - 3 - Follow draft but allow IPv4 link local addresses
3667
3668 Default: 1
3669
3670udp_port - INTEGER
3671 The listening port for the local UDP tunneling sock. Normally it's
3672 using the IANA-assigned UDP port number 9899 (sctp-tunneling).
3673
3674 This UDP sock is used for processing the incoming UDP-encapsulated
3675 SCTP packets (from RFC6951), and shared by all applications in the
3676 same net namespace. This UDP sock will be closed when the value is
3677 set to 0.
3678
3679 The value will also be used to set the src port of the UDP header
3680 for the outgoing UDP-encapsulated SCTP packets. For the dest port,
3681 please refer to 'encap_port' below.
3682
3683 Default: 0
3684
3685encap_port - INTEGER
3686 The default remote UDP encapsulation port.
3687
3688 This value is used to set the dest port of the UDP header for the
3689 outgoing UDP-encapsulated SCTP packets by default. Users can also
3690 change the value for each sock/asoc/transport by using setsockopt.
3691 For further information, please refer to RFC6951.
3692
3693 Note that when connecting to a remote server, the client should set
3694 this to the port that the UDP tunneling sock on the peer server is
3695 listening to and the local UDP tunneling sock on the client also
3696 must be started. On the server, it would get the encap_port from
3697 the incoming packet's source port.
3698
3699 Default: 0
3700
3701plpmtud_probe_interval - INTEGER
3702 The time interval (in milliseconds) for the PLPMTUD probe timer,
3703 which is configured to expire after this period to receive an
3704 acknowledgment to a probe packet. This is also the time interval
3705 between the probes for the current pmtu when the probe search
3706 is done.
3707
3708 PLPMTUD will be disabled when 0 is set, and other values for it
3709 must be >= 5000.
3710
3711 Default: 0
3712
3713reconf_enable - BOOLEAN
3714 Enable or disable extension of Stream Reconfiguration functionality
3715 specified in RFC6525. This extension provides the ability to "reset"
3716 a stream, and it includes the Parameters of "Outgoing/Incoming SSN
3717 Reset", "SSN/TSN Reset" and "Add Outgoing/Incoming Streams".
3718
3719 Possible values:
3720
3721 - 0 (disabled) - Disable extension.
3722 - 1 (enabled) - Enable extension.
3723
3724 Default: 0 (disabled)
3725
3726intl_enable - BOOLEAN
3727 Enable or disable extension of User Message Interleaving functionality
3728 specified in RFC8260. This extension allows the interleaving of user
3729 messages sent on different streams. With this feature enabled, I-DATA
3730 chunk will replace DATA chunk to carry user messages if also supported
3731 by the peer. Note that to use this feature, one needs to set this option
3732 to 1 and also needs to set socket options SCTP_FRAGMENT_INTERLEAVE to 2
3733 and SCTP_INTERLEAVING_SUPPORTED to 1.
3734
3735 Possible values:
3736
3737 - 0 (disabled) - Disable extension.
3738 - 1 (enabled) - Enable extension.
3739
3740 Default: 0 (disabled)
3741
3742ecn_enable - BOOLEAN
3743 Control use of Explicit Congestion Notification (ECN) by SCTP.
3744 Like in TCP, ECN is used only when both ends of the SCTP connection
3745 indicate support for it. This feature is useful in avoiding losses
3746 due to congestion by allowing supporting routers to signal congestion
3747 before having to drop packets.
3748
3749 Possible values:
3750
3751 - 0 (disabled) - Disable ecn.
3752 - 1 (enabled) - Enable ecn.
3753
3754 Default: 1 (enabled)
3755
3756l3mdev_accept - BOOLEAN
3757 Enabling this option allows a "global" bound socket to work
3758 across L3 master domains (e.g., VRFs) with packets capable of
3759 being received regardless of the L3 domain in which they
3760 originated. Only valid when the kernel was compiled with
3761 CONFIG_NET_L3_MASTER_DEV.
3762
3763 Possible values:
3764
3765 - 0 (disabled)
3766 - 1 (enabled)
3767
3768 Default: 1 (enabled)
3769
3770
3771``/proc/sys/net/core/*``
3772========================
3773
3774 Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries.
3775
3776
3777``/proc/sys/net/unix/*``
3778========================
3779
3780max_dgram_qlen - INTEGER
3781 The maximum length of dgram socket receive queue
3782
3783 Default: 10
3784