Documentation/networking/ip-sysctl.txt at v4.3-rc1

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / Documentation / networking / ip-sysctl.txt
at v4.3-rc1 1933 lines 71 kB view raw
wrap content
   1/proc/sys/net/ipv4/* Variables:
   2
   3ip_forward - BOOLEAN
   4	0 - disabled (default)
   5	not 0 - enabled
   6
   7	Forward Packets between interfaces.
   8
   9	This variable is special, its change resets all configuration
  10	parameters to their default state (RFC1122 for hosts, RFC1812
  11	for routers)
  12
  13ip_default_ttl - INTEGER
  14	Default value of TTL field (Time To Live) for outgoing (but not
  15	forwarded) IP packets. Should be between 1 and 255 inclusive.
  16	Default: 64 (as recommended by RFC1700)
  17
  18ip_no_pmtu_disc - INTEGER
  19	Disable Path MTU Discovery. If enabled in mode 1 and a
  20	fragmentation-required ICMP is received, the PMTU to this
  21	destination will be set to min_pmtu (see below). You will need
  22	to raise min_pmtu to the smallest interface MTU on your system
  23	manually if you want to avoid locally generated fragments.
  24
  25	In mode 2 incoming Path MTU Discovery messages will be
  26	discarded. Outgoing frames are handled the same as in mode 1,
  27	implicitly setting IP_PMTUDISC_DONT on every created socket.
  28
  29	Mode 3 is a hardend pmtu discover mode. The kernel will only
  30	accept fragmentation-needed errors if the underlying protocol
  31	can verify them besides a plain socket lookup. Current
  32	protocols for which pmtu events will be honored are TCP, SCTP
  33	and DCCP as they verify e.g. the sequence number or the
  34	association. This mode should not be enabled globally but is
  35	only intended to secure e.g. name servers in namespaces where
  36	TCP path mtu must still work but path MTU information of other
  37	protocols should be discarded. If enabled globally this mode
  38	could break other protocols.
  39
  40	Possible values: 0-3
  41	Default: FALSE
  42
  43min_pmtu - INTEGER
  44	default 552 - minimum discovered Path MTU
  45
  46ip_forward_use_pmtu - BOOLEAN
  47	By default we don't trust protocol path MTUs while forwarding
  48	because they could be easily forged and can lead to unwanted
  49	fragmentation by the router.
  50	You only need to enable this if you have user-space software
  51	which tries to discover path mtus by itself and depends on the
  52	kernel honoring this information. This is normally not the
  53	case.
  54	Default: 0 (disabled)
  55	Possible values:
  56	0 - disabled
  57	1 - enabled
  58
  59fwmark_reflect - BOOLEAN
  60	Controls the fwmark of kernel-generated IPv4 reply packets that are not
  61	associated with a socket for example, TCP RSTs or ICMP echo replies).
  62	If unset, these packets have a fwmark of zero. If set, they have the
  63	fwmark of the packet they are replying to.
  64	Default: 0
  65
  66route/max_size - INTEGER
  67	Maximum number of routes allowed in the kernel.  Increase
  68	this when using large numbers of interfaces and/or routes.
  69	From linux kernel 3.6 onwards, this is deprecated for ipv4
  70	as route cache is no longer used.
  71
  72neigh/default/gc_thresh1 - INTEGER
  73	Minimum number of entries to keep.  Garbage collector will not
  74	purge entries if there are fewer than this number.
  75	Default: 128
  76
  77neigh/default/gc_thresh2 - INTEGER
  78	Threshold when garbage collector becomes more aggressive about
  79	purging entries. Entries older than 5 seconds will be cleared
  80	when over this number.
  81	Default: 512
  82
  83neigh/default/gc_thresh3 - INTEGER
  84	Maximum number of neighbor entries allowed.  Increase this
  85	when using large numbers of interfaces and when communicating
  86	with large numbers of directly-connected peers.
  87	Default: 1024
  88
  89neigh/default/unres_qlen_bytes - INTEGER
  90	The maximum number of bytes which may be used by packets
  91	queued for each	unresolved address by other network layers.
  92	(added in linux 3.3)
  93	Setting negative value is meaningless and will return error.
  94	Default: 65536 Bytes(64KB)
  95
  96neigh/default/unres_qlen - INTEGER
  97	The maximum number of packets which may be queued for each
  98	unresolved address by other network layers.
  99	(deprecated in linux 3.3) : use unres_qlen_bytes instead.
 100	Prior to linux 3.3, the default value is 3 which may cause
 101	unexpected packet loss. The current default value is calculated
 102	according to default value of unres_qlen_bytes and true size of
 103	packet.
 104	Default: 31
 105
 106mtu_expires - INTEGER
 107	Time, in seconds, that cached PMTU information is kept.
 108
 109min_adv_mss - INTEGER
 110	The advertised MSS depends on the first hop route MTU, but will
 111	never be lower than this setting.
 112
 113IP Fragmentation:
 114
 115ipfrag_high_thresh - INTEGER
 116	Maximum memory used to reassemble IP fragments. When
 117	ipfrag_high_thresh bytes of memory is allocated for this purpose,
 118	the fragment handler will toss packets until ipfrag_low_thresh
 119	is reached. This also serves as a maximum limit to namespaces
 120	different from the initial one.
 121
 122ipfrag_low_thresh - INTEGER
 123	Maximum memory used to reassemble IP fragments before the kernel
 124	begins to remove incomplete fragment queues to free up resources.
 125	The kernel still accepts new fragments for defragmentation.
 126
 127ipfrag_time - INTEGER
 128	Time in seconds to keep an IP fragment in memory.
 129
 130ipfrag_max_dist - INTEGER
 131	ipfrag_max_dist is a non-negative integer value which defines the
 132	maximum "disorder" which is allowed among fragments which share a
 133	common IP source address. Note that reordering of packets is
 134	not unusual, but if a large number of fragments arrive from a source
 135	IP address while a particular fragment queue remains incomplete, it
 136	probably indicates that one or more fragments belonging to that queue
 137	have been lost. When ipfrag_max_dist is positive, an additional check
 138	is done on fragments before they are added to a reassembly queue - if
 139	ipfrag_max_dist (or more) fragments have arrived from a particular IP
 140	address between additions to any IP fragment queue using that source
 141	address, it's presumed that one or more fragments in the queue are
 142	lost. The existing fragment queue will be dropped, and a new one
 143	started. An ipfrag_max_dist value of zero disables this check.
 144
 145	Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
 146	result in unnecessarily dropping fragment queues when normal
 147	reordering of packets occurs, which could lead to poor application
 148	performance. Using a very large value, e.g. 50000, increases the
 149	likelihood of incorrectly reassembling IP fragments that originate
 150	from different IP datagrams, which could result in data corruption.
 151	Default: 64
 152
 153INET peer storage:
 154
 155inet_peer_threshold - INTEGER
 156	The approximate size of the storage.  Starting from this threshold
 157	entries will be thrown aggressively.  This threshold also determines
 158	entries' time-to-live and time intervals between garbage collection
 159	passes.  More entries, less time-to-live, less GC interval.
 160
 161inet_peer_minttl - INTEGER
 162	Minimum time-to-live of entries.  Should be enough to cover fragment
 163	time-to-live on the reassembling side.  This minimum time-to-live  is
 164	guaranteed if the pool size is less than inet_peer_threshold.
 165	Measured in seconds.
 166
 167inet_peer_maxttl - INTEGER
 168	Maximum time-to-live of entries.  Unused entries will expire after
 169	this period of time if there is no memory pressure on the pool (i.e.
 170	when the number of entries in the pool is very small).
 171	Measured in seconds.
 172
 173TCP variables:
 174
 175somaxconn - INTEGER
 176	Limit of socket listen() backlog, known in userspace as SOMAXCONN.
 177	Defaults to 128.  See also tcp_max_syn_backlog for additional tuning
 178	for TCP sockets.
 179
 180tcp_abort_on_overflow - BOOLEAN
 181	If listening service is too slow to accept new connections,
 182	reset them. Default state is FALSE. It means that if overflow
 183	occurred due to a burst, connection will recover. Enable this
 184	option _only_ if you are really sure that listening daemon
 185	cannot be tuned to accept connections faster. Enabling this
 186	option can harm clients of your server.
 187
 188tcp_adv_win_scale - INTEGER
 189	Count buffering overhead as bytes/2^tcp_adv_win_scale
 190	(if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
 191	if it is <= 0.
 192	Possible values are [-31, 31], inclusive.
 193	Default: 1
 194
 195tcp_allowed_congestion_control - STRING
 196	Show/set the congestion control choices available to non-privileged
 197	processes. The list is a subset of those listed in
 198	tcp_available_congestion_control.
 199	Default is "reno" and the default setting (tcp_congestion_control).
 200
 201tcp_app_win - INTEGER
 202	Reserve max(window/2^tcp_app_win, mss) of window for application
 203	buffer. Value 0 is special, it means that nothing is reserved.
 204	Default: 31
 205
 206tcp_autocorking - BOOLEAN
 207	Enable TCP auto corking :
 208	When applications do consecutive small write()/sendmsg() system calls,
 209	we try to coalesce these small writes as much as possible, to lower
 210	total amount of sent packets. This is done if at least one prior
 211	packet for the flow is waiting in Qdisc queues or device transmit
 212	queue. Applications can still use TCP_CORK for optimal behavior
 213	when they know how/when to uncork their sockets.
 214	Default : 1
 215
 216tcp_available_congestion_control - STRING
 217	Shows the available congestion control choices that are registered.
 218	More congestion control algorithms may be available as modules,
 219	but not loaded.
 220
 221tcp_base_mss - INTEGER
 222	The initial value of search_low to be used by the packetization layer
 223	Path MTU discovery (MTU probing).  If MTU probing is enabled,
 224	this is the initial MSS used by the connection.
 225
 226tcp_congestion_control - STRING
 227	Set the congestion control algorithm to be used for new
 228	connections. The algorithm "reno" is always available, but
 229	additional choices may be available based on kernel configuration.
 230	Default is set as part of kernel configuration.
 231	For passive connections, the listener congestion control choice
 232	is inherited.
 233	[see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ]
 234
 235tcp_dsack - BOOLEAN
 236	Allows TCP to send "duplicate" SACKs.
 237
 238tcp_early_retrans - INTEGER
 239	Enable Early Retransmit (ER), per RFC 5827. ER lowers the threshold
 240	for triggering fast retransmit when the amount of outstanding data is
 241	small and when no previously unsent data can be transmitted (such
 242	that limited transmit could be used). Also controls the use of
 243	Tail loss probe (TLP) that converts RTOs occurring due to tail
 244	losses into fast recovery (draft-dukkipati-tcpm-tcp-loss-probe-01).
 245	Possible values:
 246		0 disables ER
 247		1 enables ER
 248		2 enables ER but delays fast recovery and fast retransmit
 249		  by a fourth of RTT. This mitigates connection falsely
 250		  recovers when network has a small degree of reordering
 251		  (less than 3 packets).
 252		3 enables delayed ER and TLP.
 253		4 enables TLP only.
 254	Default: 3
 255
 256tcp_ecn - INTEGER
 257	Control use of Explicit Congestion Notification (ECN) by TCP.
 258	ECN is used only when both ends of the TCP connection indicate
 259	support for it.  This feature is useful in avoiding losses due
 260	to congestion by allowing supporting routers to signal
 261	congestion before having to drop packets.
 262	Possible values are:
 263		0 Disable ECN.  Neither initiate nor accept ECN.
 264		1 Enable ECN when requested by incoming connections and
 265		  also request ECN on outgoing connection attempts.
 266		2 Enable ECN when requested by incoming connections
 267		  but do not request ECN on outgoing connections.
 268	Default: 2
 269
 270tcp_ecn_fallback - BOOLEAN
 271	If the kernel detects that ECN connection misbehaves, enable fall
 272	back to non-ECN. Currently, this knob implements the fallback
 273	from RFC3168, section 6.1.1.1., but we reserve that in future,
 274	additional detection mechanisms could be implemented under this
 275	knob. The value	is not used, if tcp_ecn or per route (or congestion
 276	control) ECN settings are disabled.
 277	Default: 1 (fallback enabled)
 278
 279tcp_fack - BOOLEAN
 280	Enable FACK congestion avoidance and fast retransmission.
 281	The value is not used, if tcp_sack is not enabled.
 282
 283tcp_fin_timeout - INTEGER
 284	The length of time an orphaned (no longer referenced by any
 285	application) connection will remain in the FIN_WAIT_2 state
 286	before it is aborted at the local end.  While a perfectly
 287	valid "receive only" state for an un-orphaned connection, an
 288	orphaned connection in FIN_WAIT_2 state could otherwise wait
 289	forever for the remote to close its end of the connection.
 290	Cf. tcp_max_orphans
 291	Default: 60 seconds
 292
 293tcp_frto - INTEGER
 294	Enables Forward RTO-Recovery (F-RTO) defined in RFC5682.
 295	F-RTO is an enhanced recovery algorithm for TCP retransmission
 296	timeouts.  It is particularly beneficial in networks where the
 297	RTT fluctuates (e.g., wireless). F-RTO is sender-side only
 298	modification. It does not require any support from the peer.
 299
 300	By default it's enabled with a non-zero value. 0 disables F-RTO.
 301
 302tcp_invalid_ratelimit - INTEGER
 303	Limit the maximal rate for sending duplicate acknowledgments
 304	in response to incoming TCP packets that are for an existing
 305	connection but that are invalid due to any of these reasons:
 306
 307	  (a) out-of-window sequence number,
 308	  (b) out-of-window acknowledgment number, or
 309	  (c) PAWS (Protection Against Wrapped Sequence numbers) check failure
 310
 311	This can help mitigate simple "ack loop" DoS attacks, wherein
 312	a buggy or malicious middlebox or man-in-the-middle can
 313	rewrite TCP header fields in manner that causes each endpoint
 314	to think that the other is sending invalid TCP segments, thus
 315	causing each side to send an unterminating stream of duplicate
 316	acknowledgments for invalid segments.
 317
 318	Using 0 disables rate-limiting of dupacks in response to
 319	invalid segments; otherwise this value specifies the minimal
 320	space between sending such dupacks, in milliseconds.
 321
 322	Default: 500 (milliseconds).
 323
 324tcp_keepalive_time - INTEGER
 325	How often TCP sends out keepalive messages when keepalive is enabled.
 326	Default: 2hours.
 327
 328tcp_keepalive_probes - INTEGER
 329	How many keepalive probes TCP sends out, until it decides that the
 330	connection is broken. Default value: 9.
 331
 332tcp_keepalive_intvl - INTEGER
 333	How frequently the probes are send out. Multiplied by
 334	tcp_keepalive_probes it is time to kill not responding connection,
 335	after probes started. Default value: 75sec i.e. connection
 336	will be aborted after ~11 minutes of retries.
 337
 338tcp_low_latency - BOOLEAN
 339	If set, the TCP stack makes decisions that prefer lower
 340	latency as opposed to higher throughput.  By default, this
 341	option is not set meaning that higher throughput is preferred.
 342	An example of an application where this default should be
 343	changed would be a Beowulf compute cluster.
 344	Default: 0
 345
 346tcp_max_orphans - INTEGER
 347	Maximal number of TCP sockets not attached to any user file handle,
 348	held by system.	If this number is exceeded orphaned connections are
 349	reset immediately and warning is printed. This limit exists
 350	only to prevent simple DoS attacks, you _must_ not rely on this
 351	or lower the limit artificially, but rather increase it
 352	(probably, after increasing installed memory),
 353	if network conditions require more than default value,
 354	and tune network services to linger and kill such states
 355	more aggressively. Let me to remind again: each orphan eats
 356	up to ~64K of unswappable memory.
 357
 358tcp_max_syn_backlog - INTEGER
 359	Maximal number of remembered connection requests, which have not
 360	received an acknowledgment from connecting client.
 361	The minimal value is 128 for low memory machines, and it will
 362	increase in proportion to the memory of machine.
 363	If server suffers from overload, try increasing this number.
 364
 365tcp_max_tw_buckets - INTEGER
 366	Maximal number of timewait sockets held by system simultaneously.
 367	If this number is exceeded time-wait socket is immediately destroyed
 368	and warning is printed. This limit exists only to prevent
 369	simple DoS attacks, you _must_ not lower the limit artificially,
 370	but rather increase it (probably, after increasing installed memory),
 371	if network conditions require more than default value.
 372
 373tcp_mem - vector of 3 INTEGERs: min, pressure, max
 374	min: below this number of pages TCP is not bothered about its
 375	memory appetite.
 376
 377	pressure: when amount of memory allocated by TCP exceeds this number
 378	of pages, TCP moderates its memory consumption and enters memory
 379	pressure mode, which is exited when memory consumption falls
 380	under "min".
 381
 382	max: number of pages allowed for queueing by all TCP sockets.
 383
 384	Defaults are calculated at boot time from amount of available
 385	memory.
 386
 387tcp_moderate_rcvbuf - BOOLEAN
 388	If set, TCP performs receive buffer auto-tuning, attempting to
 389	automatically size the buffer (no greater than tcp_rmem[2]) to
 390	match the size required by the path for full throughput.  Enabled by
 391	default.
 392
 393tcp_mtu_probing - INTEGER
 394	Controls TCP Packetization-Layer Path MTU Discovery.  Takes three
 395	values:
 396	  0 - Disabled
 397	  1 - Disabled by default, enabled when an ICMP black hole detected
 398	  2 - Always enabled, use initial MSS of tcp_base_mss.
 399
 400tcp_probe_interval - INTEGER
 401	Controls how often to start TCP Packetization-Layer Path MTU
 402	Discovery reprobe. The default is reprobing every 10 minutes as
 403	per RFC4821.
 404
 405tcp_probe_threshold - INTEGER
 406	Controls when TCP Packetization-Layer Path MTU Discovery probing
 407	will stop in respect to the width of search range in bytes. Default
 408	is 8 bytes.
 409
 410tcp_no_metrics_save - BOOLEAN
 411	By default, TCP saves various connection metrics in the route cache
 412	when the connection closes, so that connections established in the
 413	near future can use these to set initial conditions.  Usually, this
 414	increases overall performance, but may sometimes cause performance
 415	degradation.  If set, TCP will not cache metrics on closing
 416	connections.
 417
 418tcp_orphan_retries - INTEGER
 419	This value influences the timeout of a locally closed TCP connection,
 420	when RTO retransmissions remain unacknowledged.
 421	See tcp_retries2 for more details.
 422
 423	The default value is 8.
 424	If your machine is a loaded WEB server,
 425	you should think about lowering this value, such sockets
 426	may consume significant resources. Cf. tcp_max_orphans.
 427
 428tcp_reordering - INTEGER
 429	Initial reordering level of packets in a TCP stream.
 430	TCP stack can then dynamically adjust flow reordering level
 431	between this initial value and tcp_max_reordering
 432	Default: 3
 433
 434tcp_max_reordering - INTEGER
 435	Maximal reordering level of packets in a TCP stream.
 436	300 is a fairly conservative value, but you might increase it
 437	if paths are using per packet load balancing (like bonding rr mode)
 438	Default: 300
 439
 440tcp_retrans_collapse - BOOLEAN
 441	Bug-to-bug compatibility with some broken printers.
 442	On retransmit try to send bigger packets to work around bugs in
 443	certain TCP stacks.
 444
 445tcp_retries1 - INTEGER
 446	This value influences the time, after which TCP decides, that
 447	something is wrong due to unacknowledged RTO retransmissions,
 448	and reports this suspicion to the network layer.
 449	See tcp_retries2 for more details.
 450
 451	RFC 1122 recommends at least 3 retransmissions, which is the
 452	default.
 453
 454tcp_retries2 - INTEGER
 455	This value influences the timeout of an alive TCP connection,
 456	when RTO retransmissions remain unacknowledged.
 457	Given a value of N, a hypothetical TCP connection following
 458	exponential backoff with an initial RTO of TCP_RTO_MIN would
 459	retransmit N times before killing the connection at the (N+1)th RTO.
 460
 461	The default value of 15 yields a hypothetical timeout of 924.6
 462	seconds and is a lower bound for the effective timeout.
 463	TCP will effectively time out at the first RTO which exceeds the
 464	hypothetical timeout.
 465
 466	RFC 1122 recommends at least 100 seconds for the timeout,
 467	which corresponds to a value of at least 8.
 468
 469tcp_rfc1337 - BOOLEAN
 470	If set, the TCP stack behaves conforming to RFC1337. If unset,
 471	we are not conforming to RFC, but prevent TCP TIME_WAIT
 472	assassination.
 473	Default: 0
 474
 475tcp_rmem - vector of 3 INTEGERs: min, default, max
 476	min: Minimal size of receive buffer used by TCP sockets.
 477	It is guaranteed to each TCP socket, even under moderate memory
 478	pressure.
 479	Default: 1 page
 480
 481	default: initial size of receive buffer used by TCP sockets.
 482	This value overrides net.core.rmem_default used by other protocols.
 483	Default: 87380 bytes. This value results in window of 65535 with
 484	default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit
 485	less for default tcp_app_win. See below about these variables.
 486
 487	max: maximal size of receive buffer allowed for automatically
 488	selected receiver buffers for TCP socket. This value does not override
 489	net.core.rmem_max.  Calling setsockopt() with SO_RCVBUF disables
 490	automatic tuning of that socket's receive buffer size, in which
 491	case this value is ignored.
 492	Default: between 87380B and 6MB, depending on RAM size.
 493
 494tcp_sack - BOOLEAN
 495	Enable select acknowledgments (SACKS).
 496
 497tcp_slow_start_after_idle - BOOLEAN
 498	If set, provide RFC2861 behavior and time out the congestion
 499	window after an idle period.  An idle period is defined at
 500	the current RTO.  If unset, the congestion window will not
 501	be timed out after an idle period.
 502	Default: 1
 503
 504tcp_stdurg - BOOLEAN
 505	Use the Host requirements interpretation of the TCP urgent pointer field.
 506	Most hosts use the older BSD interpretation, so if you turn this on
 507	Linux might not communicate correctly with them.
 508	Default: FALSE
 509
 510tcp_synack_retries - INTEGER
 511	Number of times SYNACKs for a passive TCP connection attempt will
 512	be retransmitted. Should not be higher than 255. Default value
 513	is 5, which corresponds to 31seconds till the last retransmission
 514	with the current initial RTO of 1second. With this the final timeout
 515	for a passive TCP connection will happen after 63seconds.
 516
 517tcp_syncookies - BOOLEAN
 518	Only valid when the kernel was compiled with CONFIG_SYN_COOKIES
 519	Send out syncookies when the syn backlog queue of a socket
 520	overflows. This is to prevent against the common 'SYN flood attack'
 521	Default: 1
 522
 523	Note, that syncookies is fallback facility.
 524	It MUST NOT be used to help highly loaded servers to stand
 525	against legal connection rate. If you see SYN flood warnings
 526	in your logs, but investigation	shows that they occur
 527	because of overload with legal connections, you should tune
 528	another parameters until this warning disappear.
 529	See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
 530
 531	syncookies seriously violate TCP protocol, do not allow
 532	to use TCP extensions, can result in serious degradation
 533	of some services (f.e. SMTP relaying), visible not by you,
 534	but your clients and relays, contacting you. While you see
 535	SYN flood warnings in logs not being really flooded, your server
 536	is seriously misconfigured.
 537
 538	If you want to test which effects syncookies have to your
 539	network connections you can set this knob to 2 to enable
 540	unconditionally generation of syncookies.
 541
 542tcp_fastopen - INTEGER
 543	Enable TCP Fast Open feature (draft-ietf-tcpm-fastopen) to send data
 544	in the opening SYN packet. To use this feature, the client application
 545	must use sendmsg() or sendto() with MSG_FASTOPEN flag rather than
 546	connect() to perform a TCP handshake automatically.
 547
 548	The values (bitmap) are
 549	1: Enables sending data in the opening SYN on the client w/ MSG_FASTOPEN.
 550	2: Enables TCP Fast Open on the server side, i.e., allowing data in
 551	   a SYN packet to be accepted and passed to the application before
 552	   3-way hand shake finishes.
 553	4: Send data in the opening SYN regardless of cookie availability and
 554	   without a cookie option.
 555	0x100: Accept SYN data w/o validating the cookie.
 556	0x200: Accept data-in-SYN w/o any cookie option present.
 557	0x400/0x800: Enable Fast Open on all listeners regardless of the
 558	   TCP_FASTOPEN socket option. The two different flags designate two
 559	   different ways of setting max_qlen without the TCP_FASTOPEN socket
 560	   option.
 561
 562	Default: 1
 563
 564	Note that the client & server side Fast Open flags (1 and 2
 565	respectively) must be also enabled before the rest of flags can take
 566	effect.
 567
 568	See include/net/tcp.h and the code for more details.
 569
 570tcp_syn_retries - INTEGER
 571	Number of times initial SYNs for an active TCP connection attempt
 572	will be retransmitted. Should not be higher than 255. Default value
 573	is 6, which corresponds to 63seconds till the last retransmission
 574	with the current initial RTO of 1second. With this the final timeout
 575	for an active TCP connection attempt will happen after 127seconds.
 576
 577tcp_timestamps - BOOLEAN
 578	Enable timestamps as defined in RFC1323.
 579
 580tcp_min_tso_segs - INTEGER
 581	Minimal number of segments per TSO frame.
 582	Since linux-3.12, TCP does an automatic sizing of TSO frames,
 583	depending on flow rate, instead of filling 64Kbytes packets.
 584	For specific usages, it's possible to force TCP to build big
 585	TSO frames. Note that TCP stack might split too big TSO packets
 586	if available window is too small.
 587	Default: 2
 588
 589tcp_pacing_ss_ratio - INTEGER
 590	sk->sk_pacing_rate is set by TCP stack using a ratio applied
 591	to current rate. (current_rate = cwnd * mss / srtt)
 592	If TCP is in slow start, tcp_pacing_ss_ratio is applied
 593	to let TCP probe for bigger speeds, assuming cwnd can be
 594	doubled every other RTT.
 595	Default: 200
 596
 597tcp_pacing_ca_ratio - INTEGER
 598	sk->sk_pacing_rate is set by TCP stack using a ratio applied
 599	to current rate. (current_rate = cwnd * mss / srtt)
 600	If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio
 601	is applied to conservatively probe for bigger throughput.
 602	Default: 120
 603
 604tcp_tso_win_divisor - INTEGER
 605	This allows control over what percentage of the congestion window
 606	can be consumed by a single TSO frame.
 607	The setting of this parameter is a choice between burstiness and
 608	building larger TSO frames.
 609	Default: 3
 610
 611tcp_tw_recycle - BOOLEAN
 612	Enable fast recycling TIME-WAIT sockets. Default value is 0.
 613	It should not be changed without advice/request of technical
 614	experts.
 615
 616tcp_tw_reuse - BOOLEAN
 617	Allow to reuse TIME-WAIT sockets for new connections when it is
 618	safe from protocol viewpoint. Default value is 0.
 619	It should not be changed without advice/request of technical
 620	experts.
 621
 622tcp_window_scaling - BOOLEAN
 623	Enable window scaling as defined in RFC1323.
 624
 625tcp_wmem - vector of 3 INTEGERs: min, default, max
 626	min: Amount of memory reserved for send buffers for TCP sockets.
 627	Each TCP socket has rights to use it due to fact of its birth.
 628	Default: 1 page
 629
 630	default: initial size of send buffer used by TCP sockets.  This
 631	value overrides net.core.wmem_default used by other protocols.
 632	It is usually lower than net.core.wmem_default.
 633	Default: 16K
 634
 635	max: Maximal amount of memory allowed for automatically tuned
 636	send buffers for TCP sockets. This value does not override
 637	net.core.wmem_max.  Calling setsockopt() with SO_SNDBUF disables
 638	automatic tuning of that socket's send buffer size, in which case
 639	this value is ignored.
 640	Default: between 64K and 4MB, depending on RAM size.
 641
 642tcp_notsent_lowat - UNSIGNED INTEGER
 643	A TCP socket can control the amount of unsent bytes in its write queue,
 644	thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll()
 645	reports POLLOUT events if the amount of unsent bytes is below a per
 646	socket value, and if the write queue is not full. sendmsg() will
 647	also not add new buffers if the limit is hit.
 648
 649	This global variable controls the amount of unsent data for
 650	sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change
 651	to the global variable has immediate effect.
 652
 653	Default: UINT_MAX (0xFFFFFFFF)
 654
 655tcp_workaround_signed_windows - BOOLEAN
 656	If set, assume no receipt of a window scaling option means the
 657	remote TCP is broken and treats the window as a signed quantity.
 658	If unset, assume the remote TCP is not broken even if we do
 659	not receive a window scaling option from them.
 660	Default: 0
 661
 662tcp_thin_linear_timeouts - BOOLEAN
 663	Enable dynamic triggering of linear timeouts for thin streams.
 664	If set, a check is performed upon retransmission by timeout to
 665	determine if the stream is thin (less than 4 packets in flight).
 666	As long as the stream is found to be thin, up to 6 linear
 667	timeouts may be performed before exponential backoff mode is
 668	initiated. This improves retransmission latency for
 669	non-aggressive thin streams, often found to be time-dependent.
 670	For more information on thin streams, see
 671	Documentation/networking/tcp-thin.txt
 672	Default: 0
 673
 674tcp_thin_dupack - BOOLEAN
 675	Enable dynamic triggering of retransmissions after one dupACK
 676	for thin streams. If set, a check is performed upon reception
 677	of a dupACK to determine if the stream is thin (less than 4
 678	packets in flight). As long as the stream is found to be thin,
 679	data is retransmitted on the first received dupACK. This
 680	improves retransmission latency for non-aggressive thin
 681	streams, often found to be time-dependent.
 682	For more information on thin streams, see
 683	Documentation/networking/tcp-thin.txt
 684	Default: 0
 685
 686tcp_limit_output_bytes - INTEGER
 687	Controls TCP Small Queue limit per tcp socket.
 688	TCP bulk sender tends to increase packets in flight until it
 689	gets losses notifications. With SNDBUF autotuning, this can
 690	result in a large amount of packets queued in qdisc/device
 691	on the local machine, hurting latency of other flows, for
 692	typical pfifo_fast qdiscs.
 693	tcp_limit_output_bytes limits the number of bytes on qdisc
 694	or device to reduce artificial RTT/cwnd and reduce bufferbloat.
 695	Default: 131072
 696
 697tcp_challenge_ack_limit - INTEGER
 698	Limits number of Challenge ACK sent per second, as recommended
 699	in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
 700	Default: 100
 701
 702UDP variables:
 703
 704udp_mem - vector of 3 INTEGERs: min, pressure, max
 705	Number of pages allowed for queueing by all UDP sockets.
 706
 707	min: Below this number of pages UDP is not bothered about its
 708	memory appetite. When amount of memory allocated by UDP exceeds
 709	this number, UDP starts to moderate memory usage.
 710
 711	pressure: This value was introduced to follow format of tcp_mem.
 712
 713	max: Number of pages allowed for queueing by all UDP sockets.
 714
 715	Default is calculated at boot time from amount of available memory.
 716
 717udp_rmem_min - INTEGER
 718	Minimal size of receive buffer used by UDP sockets in moderation.
 719	Each UDP socket is able to use the size for receiving data, even if
 720	total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
 721	Default: 1 page
 722
 723udp_wmem_min - INTEGER
 724	Minimal size of send buffer used by UDP sockets in moderation.
 725	Each UDP socket is able to use the size for sending data, even if
 726	total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
 727	Default: 1 page
 728
 729CIPSOv4 Variables:
 730
 731cipso_cache_enable - BOOLEAN
 732	If set, enable additions to and lookups from the CIPSO label mapping
 733	cache.  If unset, additions are ignored and lookups always result in a
 734	miss.  However, regardless of the setting the cache is still
 735	invalidated when required when means you can safely toggle this on and
 736	off and the cache will always be "safe".
 737	Default: 1
 738
 739cipso_cache_bucket_size - INTEGER
 740	The CIPSO label cache consists of a fixed size hash table with each
 741	hash bucket containing a number of cache entries.  This variable limits
 742	the number of entries in each hash bucket; the larger the value the
 743	more CIPSO label mappings that can be cached.  When the number of
 744	entries in a given hash bucket reaches this limit adding new entries
 745	causes the oldest entry in the bucket to be removed to make room.
 746	Default: 10
 747
 748cipso_rbm_optfmt - BOOLEAN
 749	Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of
 750	the CIPSO draft specification (see Documentation/netlabel for details).
 751	This means that when set the CIPSO tag will be padded with empty
 752	categories in order to make the packet data 32-bit aligned.
 753	Default: 0
 754
 755cipso_rbm_structvalid - BOOLEAN
 756	If set, do a very strict check of the CIPSO option when
 757	ip_options_compile() is called.  If unset, relax the checks done during
 758	ip_options_compile().  Either way is "safe" as errors are caught else
 759	where in the CIPSO processing code but setting this to 0 (False) should
 760	result in less work (i.e. it should be faster) but could cause problems
 761	with other implementations that require strict checking.
 762	Default: 0
 763
 764IP Variables:
 765
 766ip_local_port_range - 2 INTEGERS
 767	Defines the local port range that is used by TCP and UDP to
 768	choose the local port. The first number is the first, the
 769	second the last local port number.
 770	If possible, it is better these numbers have different parity.
 771	(one even and one odd values)
 772	The default values are 32768 and 60999 respectively.
 773
 774ip_local_reserved_ports - list of comma separated ranges
 775	Specify the ports which are reserved for known third-party
 776	applications. These ports will not be used by automatic port
 777	assignments (e.g. when calling connect() or bind() with port
 778	number 0). Explicit port allocation behavior is unchanged.
 779
 780	The format used for both input and output is a comma separated
 781	list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
 782	10). Writing to the file will clear all previously reserved
 783	ports and update the current list with the one given in the
 784	input.
 785
 786	Note that ip_local_port_range and ip_local_reserved_ports
 787	settings are independent and both are considered by the kernel
 788	when determining which ports are available for automatic port
 789	assignments.
 790
 791	You can reserve ports which are not in the current
 792	ip_local_port_range, e.g.:
 793
 794	$ cat /proc/sys/net/ipv4/ip_local_port_range
 795	32000	60999
 796	$ cat /proc/sys/net/ipv4/ip_local_reserved_ports
 797	8080,9148
 798
 799	although this is redundant. However such a setting is useful
 800	if later the port range is changed to a value that will
 801	include the reserved ports.
 802
 803	Default: Empty
 804
 805ip_nonlocal_bind - BOOLEAN
 806	If set, allows processes to bind() to non-local IP addresses,
 807	which can be quite useful - but may break some applications.
 808	Default: 0
 809
 810ip_dynaddr - BOOLEAN
 811	If set non-zero, enables support for dynamic addresses.
 812	If set to a non-zero value larger than 1, a kernel log
 813	message will be printed when dynamic address rewriting
 814	occurs.
 815	Default: 0
 816
 817ip_early_demux - BOOLEAN
 818	Optimize input packet processing down to one demux for
 819	certain kinds of local sockets.  Currently we only do this
 820	for established TCP sockets.
 821
 822	It may add an additional cost for pure routing workloads that
 823	reduces overall throughput, in such case you should disable it.
 824	Default: 1
 825
 826icmp_echo_ignore_all - BOOLEAN
 827	If set non-zero, then the kernel will ignore all ICMP ECHO
 828	requests sent to it.
 829	Default: 0
 830
 831icmp_echo_ignore_broadcasts - BOOLEAN
 832	If set non-zero, then the kernel will ignore all ICMP ECHO and
 833	TIMESTAMP requests sent to it via broadcast/multicast.
 834	Default: 1
 835
 836icmp_ratelimit - INTEGER
 837	Limit the maximal rates for sending ICMP packets whose type matches
 838	icmp_ratemask (see below) to specific targets.
 839	0 to disable any limiting,
 840	otherwise the minimal space between responses in milliseconds.
 841	Note that another sysctl, icmp_msgs_per_sec limits the number
 842	of ICMP packets	sent on all targets.
 843	Default: 1000
 844
 845icmp_msgs_per_sec - INTEGER
 846	Limit maximal number of ICMP packets sent per second from this host.
 847	Only messages whose type matches icmp_ratemask (see below) are
 848	controlled by this limit.
 849	Default: 1000
 850
 851icmp_msgs_burst - INTEGER
 852	icmp_msgs_per_sec controls number of ICMP packets sent per second,
 853	while icmp_msgs_burst controls the burst size of these packets.
 854	Default: 50
 855
 856icmp_ratemask - INTEGER
 857	Mask made of ICMP types for which rates are being limited.
 858	Significant bits: IHGFEDCBA9876543210
 859	Default mask:     0000001100000011000 (6168)
 860
 861	Bit definitions (see include/linux/icmp.h):
 862		0 Echo Reply
 863		3 Destination Unreachable *
 864		4 Source Quench *
 865		5 Redirect
 866		8 Echo Request
 867		B Time Exceeded *
 868		C Parameter Problem *
 869		D Timestamp Request
 870		E Timestamp Reply
 871		F Info Request
 872		G Info Reply
 873		H Address Mask Request
 874		I Address Mask Reply
 875
 876	* These are rate limited by default (see default mask above)
 877
 878icmp_ignore_bogus_error_responses - BOOLEAN
 879	Some routers violate RFC1122 by sending bogus responses to broadcast
 880	frames.  Such violations are normally logged via a kernel warning.
 881	If this is set to TRUE, the kernel will not give such warnings, which
 882	will avoid log file clutter.
 883	Default: 1
 884
 885icmp_errors_use_inbound_ifaddr - BOOLEAN
 886
 887	If zero, icmp error messages are sent with the primary address of
 888	the exiting interface.
 889
 890	If non-zero, the message will be sent with the primary address of
 891	the interface that received the packet that caused the icmp error.
 892	This is the behaviour network many administrators will expect from
 893	a router. And it can make debugging complicated network layouts
 894	much easier.
 895
 896	Note that if no primary address exists for the interface selected,
 897	then the primary address of the first non-loopback interface that
 898	has one will be used regardless of this setting.
 899
 900	Default: 0
 901
 902igmp_max_memberships - INTEGER
 903	Change the maximum number of multicast groups we can subscribe to.
 904	Default: 20
 905
 906	Theoretical maximum value is bounded by having to send a membership
 907	report in a single datagram (i.e. the report can't span multiple
 908	datagrams, or risk confusing the switch and leaving groups you don't
 909	intend to).
 910
 911	The number of supported groups 'M' is bounded by the number of group
 912	report entries you can fit into a single datagram of 65535 bytes.
 913
 914	M = 65536-sizeof (ip header)/(sizeof(Group record))
 915
 916	Group records are variable length, with a minimum of 12 bytes.
 917	So net.ipv4.igmp_max_memberships should not be set higher than:
 918
 919	(65536-24) / 12 = 5459
 920
 921	The value 5459 assumes no IP header options, so in practice
 922	this number may be lower.
 923
 924	conf/interface/*  changes special settings per interface (where
 925	"interface" is the name of your network interface)
 926
 927	conf/all/*	  is special, changes the settings for all interfaces
 928
 929igmp_qrv - INTEGER
 930	 Controls the IGMP query robustness variable (see RFC2236 8.1).
 931	 Default: 2 (as specified by RFC2236 8.1)
 932	 Minimum: 1 (as specified by RFC6636 4.5)
 933
 934log_martians - BOOLEAN
 935	Log packets with impossible addresses to kernel log.
 936	log_martians for the interface will be enabled if at least one of
 937	conf/{all,interface}/log_martians is set to TRUE,
 938	it will be disabled otherwise
 939
 940accept_redirects - BOOLEAN
 941	Accept ICMP redirect messages.
 942	accept_redirects for the interface will be enabled if:
 943	- both conf/{all,interface}/accept_redirects are TRUE in the case
 944	  forwarding for the interface is enabled
 945	or
 946	- at least one of conf/{all,interface}/accept_redirects is TRUE in the
 947	  case forwarding for the interface is disabled
 948	accept_redirects for the interface will be disabled otherwise
 949	default TRUE (host)
 950		FALSE (router)
 951
 952forwarding - BOOLEAN
 953	Enable IP forwarding on this interface.
 954
 955mc_forwarding - BOOLEAN
 956	Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
 957	and a multicast routing daemon is required.
 958	conf/all/mc_forwarding must also be set to TRUE to enable multicast
 959	routing	for the interface
 960
 961medium_id - INTEGER
 962	Integer value used to differentiate the devices by the medium they
 963	are attached to. Two devices can have different id values when
 964	the broadcast packets are received only on one of them.
 965	The default value 0 means that the device is the only interface
 966	to its medium, value of -1 means that medium is not known.
 967
 968	Currently, it is used to change the proxy_arp behavior:
 969	the proxy_arp feature is enabled for packets forwarded between
 970	two devices attached to different media.
 971
 972proxy_arp - BOOLEAN
 973	Do proxy arp.
 974	proxy_arp for the interface will be enabled if at least one of
 975	conf/{all,interface}/proxy_arp is set to TRUE,
 976	it will be disabled otherwise
 977
 978proxy_arp_pvlan - BOOLEAN
 979	Private VLAN proxy arp.
 980	Basically allow proxy arp replies back to the same interface
 981	(from which the ARP request/solicitation was received).
 982
 983	This is done to support (ethernet) switch features, like RFC
 984	3069, where the individual ports are NOT allowed to
 985	communicate with each other, but they are allowed to talk to
 986	the upstream router.  As described in RFC 3069, it is possible
 987	to allow these hosts to communicate through the upstream
 988	router by proxy_arp'ing. Don't need to be used together with
 989	proxy_arp.
 990
 991	This technology is known by different names:
 992	  In RFC 3069 it is called VLAN Aggregation.
 993	  Cisco and Allied Telesyn call it Private VLAN.
 994	  Hewlett-Packard call it Source-Port filtering or port-isolation.
 995	  Ericsson call it MAC-Forced Forwarding (RFC Draft).
 996
 997shared_media - BOOLEAN
 998	Send(router) or accept(host) RFC1620 shared media redirects.
 999	Overrides ip_secure_redirects.
1000	shared_media for the interface will be enabled if at least one of
1001	conf/{all,interface}/shared_media is set to TRUE,
1002	it will be disabled otherwise
1003	default TRUE
1004
1005secure_redirects - BOOLEAN
1006	Accept ICMP redirect messages only for gateways,
1007	listed in default gateway list.
1008	secure_redirects for the interface will be enabled if at least one of
1009	conf/{all,interface}/secure_redirects is set to TRUE,
1010	it will be disabled otherwise
1011	default TRUE
1012
1013send_redirects - BOOLEAN
1014	Send redirects, if router.
1015	send_redirects for the interface will be enabled if at least one of
1016	conf/{all,interface}/send_redirects is set to TRUE,
1017	it will be disabled otherwise
1018	Default: TRUE
1019
1020bootp_relay - BOOLEAN
1021	Accept packets with source address 0.b.c.d destined
1022	not to this host as local ones. It is supposed, that
1023	BOOTP relay daemon will catch and forward such packets.
1024	conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
1025	for the interface
1026	default FALSE
1027	Not Implemented Yet.
1028
1029accept_source_route - BOOLEAN
1030	Accept packets with SRR option.
1031	conf/all/accept_source_route must also be set to TRUE to accept packets
1032	with SRR option on the interface
1033	default TRUE (router)
1034		FALSE (host)
1035
1036accept_local - BOOLEAN
1037	Accept packets with local source addresses. In combination with
1038	suitable routing, this can be used to direct packets between two
1039	local interfaces over the wire and have them accepted properly.
1040	default FALSE
1041
1042route_localnet - BOOLEAN
1043	Do not consider loopback addresses as martian source or destination
1044	while routing. This enables the use of 127/8 for local routing purposes.
1045	default FALSE
1046
1047rp_filter - INTEGER
1048	0 - No source validation.
1049	1 - Strict mode as defined in RFC3704 Strict Reverse Path
1050	    Each incoming packet is tested against the FIB and if the interface
1051	    is not the best reverse path the packet check will fail.
1052	    By default failed packets are discarded.
1053	2 - Loose mode as defined in RFC3704 Loose Reverse Path
1054	    Each incoming packet's source address is also tested against the FIB
1055	    and if the source address is not reachable via any interface
1056	    the packet check will fail.
1057
1058	Current recommended practice in RFC3704 is to enable strict mode
1059	to prevent IP spoofing from DDos attacks. If using asymmetric routing
1060	or other complicated routing, then loose mode is recommended.
1061
1062	The max value from conf/{all,interface}/rp_filter is used
1063	when doing source validation on the {interface}.
1064
1065	Default value is 0. Note that some distributions enable it
1066	in startup scripts.
1067
1068arp_filter - BOOLEAN
1069	1 - Allows you to have multiple network interfaces on the same
1070	subnet, and have the ARPs for each interface be answered
1071	based on whether or not the kernel would route a packet from
1072	the ARP'd IP out that interface (therefore you must use source
1073	based routing for this to work). In other words it allows control
1074	of which cards (usually 1) will respond to an arp request.
1075
1076	0 - (default) The kernel can respond to arp requests with addresses
1077	from other interfaces. This may seem wrong but it usually makes
1078	sense, because it increases the chance of successful communication.
1079	IP addresses are owned by the complete host on Linux, not by
1080	particular interfaces. Only for more complex setups like load-
1081	balancing, does this behaviour cause problems.
1082
1083	arp_filter for the interface will be enabled if at least one of
1084	conf/{all,interface}/arp_filter is set to TRUE,
1085	it will be disabled otherwise
1086
1087arp_announce - INTEGER
1088	Define different restriction levels for announcing the local
1089	source IP address from IP packets in ARP requests sent on
1090	interface:
1091	0 - (default) Use any local address, configured on any interface
1092	1 - Try to avoid local addresses that are not in the target's
1093	subnet for this interface. This mode is useful when target
1094	hosts reachable via this interface require the source IP
1095	address in ARP requests to be part of their logical network
1096	configured on the receiving interface. When we generate the
1097	request we will check all our subnets that include the
1098	target IP and will preserve the source address if it is from
1099	such subnet. If there is no such subnet we select source
1100	address according to the rules for level 2.
1101	2 - Always use the best local address for this target.
1102	In this mode we ignore the source address in the IP packet
1103	and try to select local address that we prefer for talks with
1104	the target host. Such local address is selected by looking
1105	for primary IP addresses on all our subnets on the outgoing
1106	interface that include the target IP address. If no suitable
1107	local address is found we select the first local address
1108	we have on the outgoing interface or on all other interfaces,
1109	with the hope we will receive reply for our request and
1110	even sometimes no matter the source IP address we announce.
1111
1112	The max value from conf/{all,interface}/arp_announce is used.
1113
1114	Increasing the restriction level gives more chance for
1115	receiving answer from the resolved target while decreasing
1116	the level announces more valid sender's information.
1117
1118arp_ignore - INTEGER
1119	Define different modes for sending replies in response to
1120	received ARP requests that resolve local target IP addresses:
1121	0 - (default): reply for any local target IP address, configured
1122	on any interface
1123	1 - reply only if the target IP address is local address
1124	configured on the incoming interface
1125	2 - reply only if the target IP address is local address
1126	configured on the incoming interface and both with the
1127	sender's IP address are part from same subnet on this interface
1128	3 - do not reply for local addresses configured with scope host,
1129	only resolutions for global and link addresses are replied
1130	4-7 - reserved
1131	8 - do not reply for all local addresses
1132
1133	The max value from conf/{all,interface}/arp_ignore is used
1134	when ARP request is received on the {interface}
1135
1136arp_notify - BOOLEAN
1137	Define mode for notification of address and device changes.
1138	0 - (default): do nothing
1139	1 - Generate gratuitous arp requests when device is brought up
1140	    or hardware address changes.
1141
1142arp_accept - BOOLEAN
1143	Define behavior for gratuitous ARP frames who's IP is not
1144	already present in the ARP table:
1145	0 - don't create new entries in the ARP table
1146	1 - create new entries in the ARP table
1147
1148	Both replies and requests type gratuitous arp will trigger the
1149	ARP table to be updated, if this setting is on.
1150
1151	If the ARP table already contains the IP address of the
1152	gratuitous arp frame, the arp table will be updated regardless
1153	if this setting is on or off.
1154
1155mcast_solicit - INTEGER
1156	The maximum number of multicast probes in INCOMPLETE state,
1157	when the associated hardware address is unknown.  Defaults
1158	to 3.
1159
1160ucast_solicit - INTEGER
1161	The maximum number of unicast probes in PROBE state, when
1162	the hardware address is being reconfirmed.  Defaults to 3.
1163
1164app_solicit - INTEGER
1165	The maximum number of probes to send to the user space ARP daemon
1166	via netlink before dropping back to multicast probes (see
1167	mcast_resolicit).  Defaults to 0.
1168
1169mcast_resolicit - INTEGER
1170	The maximum number of multicast probes after unicast and
1171	app probes in PROBE state.  Defaults to 0.
1172
1173disable_policy - BOOLEAN
1174	Disable IPSEC policy (SPD) for this interface
1175
1176disable_xfrm - BOOLEAN
1177	Disable IPSEC encryption on this interface, whatever the policy
1178
1179igmpv2_unsolicited_report_interval - INTEGER
1180	The interval in milliseconds in which the next unsolicited
1181	IGMPv1 or IGMPv2 report retransmit will take place.
1182	Default: 10000 (10 seconds)
1183
1184igmpv3_unsolicited_report_interval - INTEGER
1185	The interval in milliseconds in which the next unsolicited
1186	IGMPv3 report retransmit will take place.
1187	Default: 1000 (1 seconds)
1188
1189promote_secondaries - BOOLEAN
1190	When a primary IP address is removed from this interface
1191	promote a corresponding secondary IP address instead of
1192	removing all the corresponding secondary IP addresses.
1193
1194
1195tag - INTEGER
1196	Allows you to write a number, which can be used as required.
1197	Default value is 0.
1198
1199xfrm4_gc_thresh - INTEGER
1200	The threshold at which we will start garbage collecting for IPv4
1201	destination cache entries.  At twice this value the system will
1202	refuse new allocations.
1203
1204igmp_link_local_mcast_reports - BOOLEAN
1205	Enable IGMP reports for link local multicast groups in the
1206	224.0.0.X range.
1207	Default TRUE
1208
1209Alexey Kuznetsov.
1210kuznet@ms2.inr.ac.ru
1211
1212Updated by:
1213Andi Kleen
1214ak@muc.de
1215Nicolas Delon
1216delon.nicolas@wanadoo.fr
1217
1218
1219
1220
1221/proc/sys/net/ipv6/* Variables:
1222
1223IPv6 has no global variables such as tcp_*.  tcp_* settings under ipv4/ also
1224apply to IPv6 [XXX?].
1225
1226bindv6only - BOOLEAN
1227	Default value for IPV6_V6ONLY socket option,
1228	which restricts use of the IPv6 socket to IPv6 communication
1229	only.
1230		TRUE: disable IPv4-mapped address feature
1231		FALSE: enable IPv4-mapped address feature
1232
1233	Default: FALSE (as specified in RFC3493)
1234
1235flowlabel_consistency - BOOLEAN
1236	Protect the consistency (and unicity) of flow label.
1237	You have to disable it to use IPV6_FL_F_REFLECT flag on the
1238	flow label manager.
1239	TRUE: enabled
1240	FALSE: disabled
1241	Default: TRUE
1242
1243auto_flowlabels - INTEGER
1244	Automatically generate flow labels based on a flow hash of the
1245	packet. This allows intermediate devices, such as routers, to
1246	identify packet flows for mechanisms like Equal Cost Multipath
1247	Routing (see RFC 6438).
1248	0: automatic flow labels are completely disabled
1249	1: automatic flow labels are enabled by default, they can be
1250	   disabled on a per socket basis using the IPV6_AUTOFLOWLABEL
1251	   socket option
1252	2: automatic flow labels are allowed, they may be enabled on a
1253	   per socket basis using the IPV6_AUTOFLOWLABEL socket option
1254	3: automatic flow labels are enabled and enforced, they cannot
1255	   be disabled by the socket option
1256	Default: 1
1257
1258flowlabel_state_ranges - BOOLEAN
1259	Split the flow label number space into two ranges. 0-0x7FFFF is
1260	reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF
1261	is reserved for stateless flow labels as described in RFC6437.
1262	TRUE: enabled
1263	FALSE: disabled
1264	Default: true
1265
1266anycast_src_echo_reply - BOOLEAN
1267	Controls the use of anycast addresses as source addresses for ICMPv6
1268	echo reply
1269	TRUE:  enabled
1270	FALSE: disabled
1271	Default: FALSE
1272
1273idgen_delay - INTEGER
1274	Controls the delay in seconds after which time to retry
1275	privacy stable address generation if a DAD conflict is
1276	detected.
1277	Default: 1 (as specified in RFC7217)
1278
1279idgen_retries - INTEGER
1280	Controls the number of retries to generate a stable privacy
1281	address if a DAD conflict is detected.
1282	Default: 3 (as specified in RFC7217)
1283
1284mld_qrv - INTEGER
1285	Controls the MLD query robustness variable (see RFC3810 9.1).
1286	Default: 2 (as specified by RFC3810 9.1)
1287	Minimum: 1 (as specified by RFC6636 4.5)
1288
1289IPv6 Fragmentation:
1290
1291ip6frag_high_thresh - INTEGER
1292	Maximum memory used to reassemble IPv6 fragments. When
1293	ip6frag_high_thresh bytes of memory is allocated for this purpose,
1294	the fragment handler will toss packets until ip6frag_low_thresh
1295	is reached.
1296
1297ip6frag_low_thresh - INTEGER
1298	See ip6frag_high_thresh
1299
1300ip6frag_time - INTEGER
1301	Time in seconds to keep an IPv6 fragment in memory.
1302
1303conf/default/*:
1304	Change the interface-specific default settings.
1305
1306
1307conf/all/*:
1308	Change all the interface-specific settings.
1309
1310	[XXX:  Other special features than forwarding?]
1311
1312conf/all/forwarding - BOOLEAN
1313	Enable global IPv6 forwarding between all interfaces.
1314
1315	IPv4 and IPv6 work differently here; e.g. netfilter must be used
1316	to control which interfaces may forward packets and which not.
1317
1318	This also sets all interfaces' Host/Router setting
1319	'forwarding' to the specified value.  See below for details.
1320
1321	This referred to as global forwarding.
1322
1323proxy_ndp - BOOLEAN
1324	Do proxy ndp.
1325
1326fwmark_reflect - BOOLEAN
1327	Controls the fwmark of kernel-generated IPv6 reply packets that are not
1328	associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
1329	If unset, these packets have a fwmark of zero. If set, they have the
1330	fwmark of the packet they are replying to.
1331	Default: 0
1332
1333conf/interface/*:
1334	Change special settings per interface.
1335
1336	The functional behaviour for certain settings is different
1337	depending on whether local forwarding is enabled or not.
1338
1339accept_ra - INTEGER
1340	Accept Router Advertisements; autoconfigure using them.
1341
1342	It also determines whether or not to transmit Router
1343	Solicitations. If and only if the functional setting is to
1344	accept Router Advertisements, Router Solicitations will be
1345	transmitted.
1346
1347	Possible values are:
1348		0 Do not accept Router Advertisements.
1349		1 Accept Router Advertisements if forwarding is disabled.
1350		2 Overrule forwarding behaviour. Accept Router Advertisements
1351		  even if forwarding is enabled.
1352
1353	Functional default: enabled if local forwarding is disabled.
1354			    disabled if local forwarding is enabled.
1355
1356accept_ra_defrtr - BOOLEAN
1357	Learn default router in Router Advertisement.
1358
1359	Functional default: enabled if accept_ra is enabled.
1360			    disabled if accept_ra is disabled.
1361
1362accept_ra_from_local - BOOLEAN
1363	Accept RA with source-address that is found on local machine
1364        if the RA is otherwise proper and able to be accepted.
1365        Default is to NOT accept these as it may be an un-intended
1366        network loop.
1367
1368	Functional default:
1369           enabled if accept_ra_from_local is enabled
1370               on a specific interface.
1371	   disabled if accept_ra_from_local is disabled
1372               on a specific interface.
1373
1374accept_ra_min_hop_limit - INTEGER
1375	Minimum hop limit Information in Router Advertisement.
1376
1377	Hop limit Information in Router Advertisement less than this
1378	variable shall be ignored.
1379
1380	Default: 1
1381
1382accept_ra_pinfo - BOOLEAN
1383	Learn Prefix Information in Router Advertisement.
1384
1385	Functional default: enabled if accept_ra is enabled.
1386			    disabled if accept_ra is disabled.
1387
1388accept_ra_rt_info_max_plen - INTEGER
1389	Maximum prefix length of Route Information in RA.
1390
1391	Route Information w/ prefix larger than or equal to this
1392	variable shall be ignored.
1393
1394	Functional default: 0 if accept_ra_rtr_pref is enabled.
1395			    -1 if accept_ra_rtr_pref is disabled.
1396
1397accept_ra_rtr_pref - BOOLEAN
1398	Accept Router Preference in RA.
1399
1400	Functional default: enabled if accept_ra is enabled.
1401			    disabled if accept_ra is disabled.
1402
1403accept_ra_mtu - BOOLEAN
1404	Apply the MTU value specified in RA option 5 (RFC4861). If
1405	disabled, the MTU specified in the RA will be ignored.
1406
1407	Functional default: enabled if accept_ra is enabled.
1408			    disabled if accept_ra is disabled.
1409
1410accept_redirects - BOOLEAN
1411	Accept Redirects.
1412
1413	Functional default: enabled if local forwarding is disabled.
1414			    disabled if local forwarding is enabled.
1415
1416accept_source_route - INTEGER
1417	Accept source routing (routing extension header).
1418
1419	>= 0: Accept only routing header type 2.
1420	< 0: Do not accept routing header.
1421
1422	Default: 0
1423
1424autoconf - BOOLEAN
1425	Autoconfigure addresses using Prefix Information in Router
1426	Advertisements.
1427
1428	Functional default: enabled if accept_ra_pinfo is enabled.
1429			    disabled if accept_ra_pinfo is disabled.
1430
1431dad_transmits - INTEGER
1432	The amount of Duplicate Address Detection probes to send.
1433	Default: 1
1434
1435forwarding - INTEGER
1436	Configure interface-specific Host/Router behaviour.
1437
1438	Note: It is recommended to have the same setting on all
1439	interfaces; mixed router/host scenarios are rather uncommon.
1440
1441	Possible values are:
1442		0 Forwarding disabled
1443		1 Forwarding enabled
1444
1445	FALSE (0):
1446
1447	By default, Host behaviour is assumed.  This means:
1448
1449	1. IsRouter flag is not set in Neighbour Advertisements.
1450	2. If accept_ra is TRUE (default), transmit Router
1451	   Solicitations.
1452	3. If accept_ra is TRUE (default), accept Router
1453	   Advertisements (and do autoconfiguration).
1454	4. If accept_redirects is TRUE (default), accept Redirects.
1455
1456	TRUE (1):
1457
1458	If local forwarding is enabled, Router behaviour is assumed.
1459	This means exactly the reverse from the above:
1460
1461	1. IsRouter flag is set in Neighbour Advertisements.
1462	2. Router Solicitations are not sent unless accept_ra is 2.
1463	3. Router Advertisements are ignored unless accept_ra is 2.
1464	4. Redirects are ignored.
1465
1466	Default: 0 (disabled) if global forwarding is disabled (default),
1467		 otherwise 1 (enabled).
1468
1469hop_limit - INTEGER
1470	Default Hop Limit to set.
1471	Default: 64
1472
1473mtu - INTEGER
1474	Default Maximum Transfer Unit
1475	Default: 1280 (IPv6 required minimum)
1476
1477ip_nonlocal_bind - BOOLEAN
1478	If set, allows processes to bind() to non-local IPv6 addresses,
1479	which can be quite useful - but may break some applications.
1480	Default: 0
1481
1482router_probe_interval - INTEGER
1483	Minimum interval (in seconds) between Router Probing described
1484	in RFC4191.
1485
1486	Default: 60
1487
1488router_solicitation_delay - INTEGER
1489	Number of seconds to wait after interface is brought up
1490	before sending Router Solicitations.
1491	Default: 1
1492
1493router_solicitation_interval - INTEGER
1494	Number of seconds to wait between Router Solicitations.
1495	Default: 4
1496
1497router_solicitations - INTEGER
1498	Number of Router Solicitations to send until assuming no
1499	routers are present.
1500	Default: 3
1501
1502use_oif_addrs_only - BOOLEAN
1503	When enabled, the candidate source addresses for destinations
1504	routed via this interface are restricted to the set of addresses
1505	configured on this interface (vis. RFC 6724, section 4).
1506
1507	Default: false
1508
1509use_tempaddr - INTEGER
1510	Preference for Privacy Extensions (RFC3041).
1511	  <= 0 : disable Privacy Extensions
1512	  == 1 : enable Privacy Extensions, but prefer public
1513	         addresses over temporary addresses.
1514	  >  1 : enable Privacy Extensions and prefer temporary
1515	         addresses over public addresses.
1516	Default:  0 (for most devices)
1517		 -1 (for point-to-point devices and loopback devices)
1518
1519temp_valid_lft - INTEGER
1520	valid lifetime (in seconds) for temporary addresses.
1521	Default: 604800 (7 days)
1522
1523temp_prefered_lft - INTEGER
1524	Preferred lifetime (in seconds) for temporary addresses.
1525	Default: 86400 (1 day)
1526
1527max_desync_factor - INTEGER
1528	Maximum value for DESYNC_FACTOR, which is a random value
1529	that ensures that clients don't synchronize with each
1530	other and generate new addresses at exactly the same time.
1531	value is in seconds.
1532	Default: 600
1533
1534regen_max_retry - INTEGER
1535	Number of attempts before give up attempting to generate
1536	valid temporary addresses.
1537	Default: 5
1538
1539max_addresses - INTEGER
1540	Maximum number of autoconfigured addresses per interface.  Setting
1541	to zero disables the limitation.  It is not recommended to set this
1542	value too large (or to zero) because it would be an easy way to
1543	crash the kernel by allowing too many addresses to be created.
1544	Default: 16
1545
1546disable_ipv6 - BOOLEAN
1547	Disable IPv6 operation.  If accept_dad is set to 2, this value
1548	will be dynamically set to TRUE if DAD fails for the link-local
1549	address.
1550	Default: FALSE (enable IPv6 operation)
1551
1552	When this value is changed from 1 to 0 (IPv6 is being enabled),
1553	it will dynamically create a link-local address on the given
1554	interface and start Duplicate Address Detection, if necessary.
1555
1556	When this value is changed from 0 to 1 (IPv6 is being disabled),
1557	it will dynamically delete all address on the given interface.
1558
1559accept_dad - INTEGER
1560	Whether to accept DAD (Duplicate Address Detection).
1561	0: Disable DAD
1562	1: Enable DAD (default)
1563	2: Enable DAD, and disable IPv6 operation if MAC-based duplicate
1564	   link-local address has been found.
1565
1566force_tllao - BOOLEAN
1567	Enable sending the target link-layer address option even when
1568	responding to a unicast neighbor solicitation.
1569	Default: FALSE
1570
1571	Quoting from RFC 2461, section 4.4, Target link-layer address:
1572
1573	"The option MUST be included for multicast solicitations in order to
1574	avoid infinite Neighbor Solicitation "recursion" when the peer node
1575	does not have a cache entry to return a Neighbor Advertisements
1576	message.  When responding to unicast solicitations, the option can be
1577	omitted since the sender of the solicitation has the correct link-
1578	layer address; otherwise it would not have be able to send the unicast
1579	solicitation in the first place. However, including the link-layer
1580	address in this case adds little overhead and eliminates a potential
1581	race condition where the sender deletes the cached link-layer address
1582	prior to receiving a response to a previous solicitation."
1583
1584ndisc_notify - BOOLEAN
1585	Define mode for notification of address and device changes.
1586	0 - (default): do nothing
1587	1 - Generate unsolicited neighbour advertisements when device is brought
1588	    up or hardware address changes.
1589
1590mldv1_unsolicited_report_interval - INTEGER
1591	The interval in milliseconds in which the next unsolicited
1592	MLDv1 report retransmit will take place.
1593	Default: 10000 (10 seconds)
1594
1595mldv2_unsolicited_report_interval - INTEGER
1596	The interval in milliseconds in which the next unsolicited
1597	MLDv2 report retransmit will take place.
1598	Default: 1000 (1 second)
1599
1600force_mld_version - INTEGER
1601	0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed
1602	1 - Enforce to use MLD version 1
1603	2 - Enforce to use MLD version 2
1604
1605suppress_frag_ndisc - INTEGER
1606	Control RFC 6980 (Security Implications of IPv6 Fragmentation
1607	with IPv6 Neighbor Discovery) behavior:
1608	1 - (default) discard fragmented neighbor discovery packets
1609	0 - allow fragmented neighbor discovery packets
1610
1611optimistic_dad - BOOLEAN
1612	Whether to perform Optimistic Duplicate Address Detection (RFC 4429).
1613		0: disabled (default)
1614		1: enabled
1615
1616use_optimistic - BOOLEAN
1617	If enabled, do not classify optimistic addresses as deprecated during
1618	source address selection.  Preferred addresses will still be chosen
1619	before optimistic addresses, subject to other ranking in the source
1620	address selection algorithm.
1621		0: disabled (default)
1622		1: enabled
1623
1624stable_secret - IPv6 address
1625	This IPv6 address will be used as a secret to generate IPv6
1626	addresses for link-local addresses and autoconfigured
1627	ones. All addresses generated after setting this secret will
1628	be stable privacy ones by default. This can be changed via the
1629	addrgenmode ip-link. conf/default/stable_secret is used as the
1630	secret for the namespace, the interface specific ones can
1631	overwrite that. Writes to conf/all/stable_secret are refused.
1632
1633	It is recommended to generate this secret during installation
1634	of a system and keep it stable after that.
1635
1636	By default the stable secret is unset.
1637
1638icmp/*:
1639ratelimit - INTEGER
1640	Limit the maximal rates for sending ICMPv6 packets.
1641	0 to disable any limiting,
1642	otherwise the minimal space between responses in milliseconds.
1643	Default: 1000
1644
1645xfrm6_gc_thresh - INTEGER
1646	The threshold at which we will start garbage collecting for IPv6
1647	destination cache entries.  At twice this value the system will
1648	refuse new allocations.
1649
1650
1651IPv6 Update by:
1652Pekka Savola <pekkas@netcore.fi>
1653YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org>
1654
1655
1656/proc/sys/net/bridge/* Variables:
1657
1658bridge-nf-call-arptables - BOOLEAN
1659	1 : pass bridged ARP traffic to arptables' FORWARD chain.
1660	0 : disable this.
1661	Default: 1
1662
1663bridge-nf-call-iptables - BOOLEAN
1664	1 : pass bridged IPv4 traffic to iptables' chains.
1665	0 : disable this.
1666	Default: 1
1667
1668bridge-nf-call-ip6tables - BOOLEAN
1669	1 : pass bridged IPv6 traffic to ip6tables' chains.
1670	0 : disable this.
1671	Default: 1
1672
1673bridge-nf-filter-vlan-tagged - BOOLEAN
1674	1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
1675	0 : disable this.
1676	Default: 0
1677
1678bridge-nf-filter-pppoe-tagged - BOOLEAN
1679	1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
1680	0 : disable this.
1681	Default: 0
1682
1683bridge-nf-pass-vlan-input-dev - BOOLEAN
1684	1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
1685	interface on the bridge and set the netfilter input device to the vlan.
1686	This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT
1687	target work with vlan-on-top-of-bridge interfaces.  When no matching
1688	vlan interface is found, or this switch is off, the input device is
1689	set to the bridge interface.
1690	0: disable bridge netfilter vlan interface lookup.
1691	Default: 0
1692
1693proc/sys/net/sctp/* Variables:
1694
1695addip_enable - BOOLEAN
1696	Enable or disable extension of  Dynamic Address Reconfiguration
1697	(ADD-IP) functionality specified in RFC5061.  This extension provides
1698	the ability to dynamically add and remove new addresses for the SCTP
1699	associations.
1700
1701	1: Enable extension.
1702
1703	0: Disable extension.
1704
1705	Default: 0
1706
1707addip_noauth_enable - BOOLEAN
1708	Dynamic Address Reconfiguration (ADD-IP) requires the use of
1709	authentication to protect the operations of adding or removing new
1710	addresses.  This requirement is mandated so that unauthorized hosts
1711	would not be able to hijack associations.  However, older
1712	implementations may not have implemented this requirement while
1713	allowing the ADD-IP extension.  For reasons of interoperability,
1714	we provide this variable to control the enforcement of the
1715	authentication requirement.
1716
1717	1: Allow ADD-IP extension to be used without authentication.  This
1718	   should only be set in a closed environment for interoperability
1719	   with older implementations.
1720
1721	0: Enforce the authentication requirement
1722
1723	Default: 0
1724
1725auth_enable - BOOLEAN
1726	Enable or disable Authenticated Chunks extension.  This extension
1727	provides the ability to send and receive authenticated chunks and is
1728	required for secure operation of Dynamic Address Reconfiguration
1729	(ADD-IP) extension.
1730
1731	1: Enable this extension.
1732	0: Disable this extension.
1733
1734	Default: 0
1735
1736prsctp_enable - BOOLEAN
1737	Enable or disable the Partial Reliability extension (RFC3758) which
1738	is used to notify peers that a given DATA should no longer be expected.
1739
1740	1: Enable extension
1741	0: Disable
1742
1743	Default: 1
1744
1745max_burst - INTEGER
1746	The limit of the number of new packets that can be initially sent.  It
1747	controls how bursty the generated traffic can be.
1748
1749	Default: 4
1750
1751association_max_retrans - INTEGER
1752	Set the maximum number for retransmissions that an association can
1753	attempt deciding that the remote end is unreachable.  If this value
1754	is exceeded, the association is terminated.
1755
1756	Default: 10
1757
1758max_init_retransmits - INTEGER
1759	The maximum number of retransmissions of INIT and COOKIE-ECHO chunks
1760	that an association will attempt before declaring the destination
1761	unreachable and terminating.
1762
1763	Default: 8
1764
1765path_max_retrans - INTEGER
1766	The maximum number of retransmissions that will be attempted on a given
1767	path.  Once this threshold is exceeded, the path is considered
1768	unreachable, and new traffic will use a different path when the
1769	association is multihomed.
1770
1771	Default: 5
1772
1773pf_retrans - INTEGER
1774	The number of retransmissions that will be attempted on a given path
1775	before traffic is redirected to an alternate transport (should one
1776	exist).  Note this is distinct from path_max_retrans, as a path that
1777	passes the pf_retrans threshold can still be used.  Its only
1778	deprioritized when a transmission path is selected by the stack.  This
1779	setting is primarily used to enable fast failover mechanisms without
1780	having to reduce path_max_retrans to a very low value.  See:
1781	http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt
1782	for details.  Note also that a value of pf_retrans > path_max_retrans
1783	disables this feature
1784
1785	Default: 0
1786
1787rto_initial - INTEGER
1788	The initial round trip timeout value in milliseconds that will be used
1789	in calculating round trip times.  This is the initial time interval
1790	for retransmissions.
1791
1792	Default: 3000
1793
1794rto_max - INTEGER
1795	The maximum value (in milliseconds) of the round trip timeout.  This
1796	is the largest time interval that can elapse between retransmissions.
1797
1798	Default: 60000
1799
1800rto_min - INTEGER
1801	The minimum value (in milliseconds) of the round trip timeout.  This
1802	is the smallest time interval the can elapse between retransmissions.
1803
1804	Default: 1000
1805
1806hb_interval - INTEGER
1807	The interval (in milliseconds) between HEARTBEAT chunks.  These chunks
1808	are sent at the specified interval on idle paths to probe the state of
1809	a given path between 2 associations.
1810
1811	Default: 30000
1812
1813sack_timeout - INTEGER
1814	The amount of time (in milliseconds) that the implementation will wait
1815	to send a SACK.
1816
1817	Default: 200
1818
1819valid_cookie_life - INTEGER
1820	The default lifetime of the SCTP cookie (in milliseconds).  The cookie
1821	is used during association establishment.
1822
1823	Default: 60000
1824
1825cookie_preserve_enable - BOOLEAN
1826	Enable or disable the ability to extend the lifetime of the SCTP cookie
1827	that is used during the establishment phase of SCTP association
1828
1829	1: Enable cookie lifetime extension.
1830	0: Disable
1831
1832	Default: 1
1833
1834cookie_hmac_alg - STRING
1835	Select the hmac algorithm used when generating the cookie value sent by
1836	a listening sctp socket to a connecting client in the INIT-ACK chunk.
1837	Valid values are:
1838	* md5
1839	* sha1
1840	* none
1841	Ability to assign md5 or sha1 as the selected alg is predicated on the
1842	configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and
1843	CONFIG_CRYPTO_SHA1).
1844
1845	Default: Dependent on configuration.  MD5 if available, else SHA1 if
1846	available, else none.
1847
1848rcvbuf_policy - INTEGER
1849	Determines if the receive buffer is attributed to the socket or to
1850	association.   SCTP supports the capability to create multiple
1851	associations on a single socket.  When using this capability, it is
1852	possible that a single stalled association that's buffering a lot
1853	of data may block other associations from delivering their data by
1854	consuming all of the receive buffer space.  To work around this,
1855	the rcvbuf_policy could be set to attribute the receiver buffer space
1856	to each association instead of the socket.  This prevents the described
1857	blocking.
1858
1859	1: rcvbuf space is per association
1860	0: rcvbuf space is per socket
1861
1862	Default: 0
1863
1864sndbuf_policy - INTEGER
1865	Similar to rcvbuf_policy above, this applies to send buffer space.
1866
1867	1: Send buffer is tracked per association
1868	0: Send buffer is tracked per socket.
1869
1870	Default: 0
1871
1872sctp_mem - vector of 3 INTEGERs: min, pressure, max
1873	Number of pages allowed for queueing by all SCTP sockets.
1874
1875	min: Below this number of pages SCTP is not bothered about its
1876	memory appetite. When amount of memory allocated by SCTP exceeds
1877	this number, SCTP starts to moderate memory usage.
1878
1879	pressure: This value was introduced to follow format of tcp_mem.
1880
1881	max: Number of pages allowed for queueing by all SCTP sockets.
1882
1883	Default is calculated at boot time from amount of available memory.
1884
1885sctp_rmem - vector of 3 INTEGERs: min, default, max
1886	Only the first value ("min") is used, "default" and "max" are
1887	ignored.
1888
1889	min: Minimal size of receive buffer used by SCTP socket.
1890	It is guaranteed to each SCTP socket (but not association) even
1891	under moderate memory pressure.
1892
1893	Default: 1 page
1894
1895sctp_wmem  - vector of 3 INTEGERs: min, default, max
1896	Currently this tunable has no effect.
1897
1898addr_scope_policy - INTEGER
1899	Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00
1900
1901	0   - Disable IPv4 address scoping
1902	1   - Enable IPv4 address scoping
1903	2   - Follow draft but allow IPv4 private addresses
1904	3   - Follow draft but allow IPv4 link local addresses
1905
1906	Default: 1
1907
1908
1909/proc/sys/net/core/*
1910	Please see: Documentation/sysctl/net.txt for descriptions of these entries.
1911
1912
1913/proc/sys/net/unix/*
1914max_dgram_qlen - INTEGER
1915	The maximum length of dgram socket receive queue
1916
1917	Default: 10
1918
1919
1920UNDOCUMENTED:
1921
1922/proc/sys/net/irda/*
1923	fast_poll_increase FIXME
1924	warn_noreply_time FIXME
1925	discovery_slots FIXME
1926	slot_timeout FIXME
1927	max_baud_rate FIXME
1928	discovery_timeout FIXME
1929	lap_keepalive_time FIXME
1930	max_noreply_time FIXME
1931	max_tx_data_size FIXME
1932	max_tx_window FIXME
1933	min_tx_turn_time FIXME