Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

docs: networking: convert ip-sysctl.txt to ReST

- add SPDX header;
- adjust titles and chapters, adding proper markups;
- mark code blocks and literals as such;
- mark lists as such;
- mark tables as such;
- use footnote markup;
- adjust indentation, whitespaces and blank lines;
- add to networking/index.rst.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Mauro Carvalho Chehab and committed by David S. Miller
1cec2cac 355e656e

+559 -283
+1 -1
Documentation/admin-guide/kernel-parameters.txt
··· 4910 4910 Set the number of tcp_metrics_hash slots. 4911 4911 Default value is 8192 or 16384 depending on total 4912 4912 ram pages. This is used to specify the TCP metrics 4913 - cache size. See Documentation/networking/ip-sysctl.txt 4913 + cache size. See Documentation/networking/ip-sysctl.rst 4914 4914 "tcp_no_metrics_save" section for more details. 4915 4915 4916 4916 tdfx= [HW,DRM]
+1 -1
Documentation/admin-guide/sysctl/net.rst
··· 353 353 354 354 3. /proc/sys/net/ipv4 - IPV4 settings 355 355 ------------------------------------- 356 - Please see: Documentation/networking/ip-sysctl.txt and ipvs-sysctl.txt for 356 + Please see: Documentation/networking/ip-sysctl.rst and ipvs-sysctl.txt for 357 357 descriptions of these entries. 358 358 359 359
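Review bot: the same sentence still points at `ipvs-sysctl.txt` right next to the updated `ip-sysctl.rst` reference; if `ipvs-sysctl.txt` is converted in the same series, the patch doing that conversion needs to touch this line again, so it may be worth noting the dependency in the cover letter or converting both references together.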
+1
Documentation/networking/index.rst
··· 69 69 ip_dynaddr 70 70 iphase 71 71 ipsec 72 + ip-sysctl 72 73 73 74 .. only:: subproject and html 74 75
+552 -277
Documentation/networking/ip-sysctl.txt -> Documentation/networking/ip-sysctl.rst (renamed)
··· 1 - /proc/sys/net/ipv4/* Variables: 1 + .. SPDX-License-Identifier: GPL-2.0 2 + 3 + ========= 4 + IP Sysctl 5 + ========= 6 + 7 + /proc/sys/net/ipv4/* Variables 8 + ============================== 2 9 3 10 ip_forward - BOOLEAN 4 - 0 - disabled (default) 5 - not 0 - enabled 11 + - 0 - disabled (default) 12 + - not 0 - enabled 6 13 7 14 Forward Packets between interfaces. 8 15 ··· 45 38 could break other protocols. 46 39 47 40 Possible values: 0-3 41 + 48 42 Default: FALSE 49 43 50 44 min_pmtu - INTEGER ··· 59 51 which tries to discover path mtus by itself and depends on the 60 52 kernel honoring this information. This is normally not the 61 53 case. 54 + 62 55 Default: 0 (disabled) 56 + 63 57 Possible values: 64 - 0 - disabled 65 - 1 - enabled 58 + 59 + - 0 - disabled 60 + - 1 - enabled 66 61 67 62 fwmark_reflect - BOOLEAN 68 63 Controls the fwmark of kernel-generated IPv4 reply packets that are not 69 64 associated with a socket for example, TCP RSTs or ICMP echo replies). 70 65 If unset, these packets have a fwmark of zero. If set, they have the 71 66 fwmark of the packet they are replying to. 67 + 72 68 Default: 0 73 69 74 70 fib_multipath_use_neigh - BOOLEAN ··· 80 68 multipath routes. If disabled, neighbor information is not used and 81 69 packets could be directed to a failed nexthop. Only valid for kernels 82 70 built with CONFIG_IP_ROUTE_MULTIPATH enabled. 71 + 83 72 Default: 0 (disabled) 73 + 84 74 Possible values: 85 - 0 - disabled 86 - 1 - enabled 75 + 76 + - 0 - disabled 77 + - 1 - enabled 87 78 88 79 fib_multipath_hash_policy - INTEGER 89 80 Controls which hash policy to use for multipath routes. Only valid 90 81 for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. 
82 + 91 83 Default: 0 (Layer 3) 84 + 92 85 Possible values: 93 - 0 - Layer 3 94 - 1 - Layer 4 95 - 2 - Layer 3 or inner Layer 3 if present 86 + 87 + - 0 - Layer 3 88 + - 1 - Layer 4 89 + - 2 - Layer 3 or inner Layer 3 if present 96 90 97 91 fib_sync_mem - UNSIGNED INTEGER 98 92 Amount of dirty memory from fib entries that can be backlogged before 99 93 synchronize_rcu is forced. 100 - Default: 512kB Minimum: 64kB Maximum: 64MB 94 + 95 + Default: 512kB Minimum: 64kB Maximum: 64MB 101 96 102 97 ip_forward_update_priority - INTEGER 103 98 Whether to update SKB priority from "TOS" field in IPv4 header after it 104 99 is forwarded. The new SKB priority is mapped from TOS field value 105 100 according to an rt_tos2priority table (see e.g. man tc-prio). 101 + 106 102 Default: 1 (Update priority.) 103 + 107 104 Possible values: 108 - 0 - Do not update priority. 109 - 1 - Update priority. 105 + 106 + - 0 - Do not update priority. 107 + - 1 - Update priority. 110 108 111 109 route/max_size - INTEGER 112 110 Maximum number of routes allowed in the kernel. Increase 113 111 this when using large numbers of interfaces and/or routes. 112 + 114 113 From linux kernel 3.6 onwards, this is deprecated for ipv4 115 114 as route cache is no longer used. 116 115 117 116 neigh/default/gc_thresh1 - INTEGER 118 117 Minimum number of entries to keep. Garbage collector will not 119 118 purge entries if there are fewer than this number. 119 + 120 120 Default: 128 121 121 122 122 neigh/default/gc_thresh2 - INTEGER 123 123 Threshold when garbage collector becomes more aggressive about 124 124 purging entries. Entries older than 5 seconds will be cleared 125 125 when over this number. 126 + 126 127 Default: 512 127 128 128 129 neigh/default/gc_thresh3 - INTEGER 129 130 Maximum number of non-PERMANENT neighbor entries allowed. Increase 130 131 this when using large numbers of interfaces and when communicating 131 132 with large numbers of directly-connected peers. 
133 + 132 134 Default: 1024 133 135 134 136 neigh/default/unres_qlen_bytes - INTEGER 135 137 The maximum number of bytes which may be used by packets 136 138 queued for each unresolved address by other network layers. 137 139 (added in linux 3.3) 140 + 138 141 Setting negative value is meaningless and will return error. 142 + 139 143 Default: SK_WMEM_MAX, (same as net.core.wmem_default). 144 + 140 145 Exact value depends on architecture and kernel options, 141 146 but should be enough to allow queuing 256 packets 142 147 of medium size. ··· 161 132 neigh/default/unres_qlen - INTEGER 162 133 The maximum number of packets which may be queued for each 163 134 unresolved address by other network layers. 135 + 164 136 (deprecated in linux 3.3) : use unres_qlen_bytes instead. 137 + 165 138 Prior to linux 3.3, the default value is 3 which may cause 166 139 unexpected packet loss. The current default value is calculated 167 140 according to default value of unres_qlen_bytes and true size of 168 141 packet. 142 + 169 143 Default: 101 170 144 171 145 mtu_expires - INTEGER ··· 215 183 from different IP datagrams, which could result in data corruption. 216 184 Default: 64 217 185 218 - INET peer storage: 186 + INET peer storage 187 + ================= 219 188 220 189 inet_peer_threshold - INTEGER 221 190 The approximate size of the storage. Starting from this threshold ··· 236 203 when the number of entries in the pool is very small). 237 204 Measured in seconds. 238 205 239 - TCP variables: 206 + TCP variables 207 + ============= 240 208 241 209 somaxconn - INTEGER 242 210 Limit of socket listen() backlog, known in userspace as SOMAXCONN. ··· 256 222 Count buffering overhead as bytes/2^tcp_adv_win_scale 257 223 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), 258 224 if it is <= 0. 225 + 259 226 Possible values are [-31, 31], inclusive. 
227 + 260 228 Default: 1 261 229 262 230 tcp_allowed_congestion_control - STRING 263 231 Show/set the congestion control choices available to non-privileged 264 232 processes. The list is a subset of those listed in 265 233 tcp_available_congestion_control. 234 + 266 235 Default is "reno" and the default setting (tcp_congestion_control). 267 236 268 237 tcp_app_win - INTEGER 269 238 Reserve max(window/2^tcp_app_win, mss) of window for application 270 239 buffer. Value 0 is special, it means that nothing is reserved. 240 + 271 241 Default: 31 272 242 273 243 tcp_autocorking - BOOLEAN ··· 282 244 packet for the flow is waiting in Qdisc queues or device transmit 283 245 queue. Applications can still use TCP_CORK for optimal behavior 284 246 when they know how/when to uncork their sockets. 247 + 285 248 Default : 1 286 249 287 250 tcp_available_congestion_control - STRING ··· 304 265 tcp_min_snd_mss - INTEGER 305 266 TCP SYN and SYNACK messages usually advertise an ADVMSS option, 306 267 as described in RFC 1122 and RFC 6691. 268 + 307 269 If this ADVMSS option is smaller than tcp_min_snd_mss, 308 270 it is silently capped to tcp_min_snd_mss. 309 271 ··· 317 277 Default is set as part of kernel configuration. 318 278 For passive connections, the listener congestion control choice 319 279 is inherited. 280 + 320 281 [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] 321 282 322 283 tcp_dsack - BOOLEAN ··· 327 286 Tail loss probe (TLP) converts RTOs occurring due to tail 328 287 losses into fast recovery (draft-ietf-tcpm-rack). Note that 329 288 TLP requires RACK to function properly (see tcp_recovery below) 289 + 330 290 Possible values: 331 - 0 disables TLP 332 - 3 or 4 enables TLP 291 + 292 + - 0 disables TLP 293 + - 3 or 4 enables TLP 294 + 333 295 Default: 3 334 296 335 297 tcp_ecn - INTEGER ··· 341 297 support for it. 
This feature is useful in avoiding losses due 342 298 to congestion by allowing supporting routers to signal 343 299 congestion before having to drop packets. 300 + 344 301 Possible values are: 345 - 0 Disable ECN. Neither initiate nor accept ECN. 346 - 1 Enable ECN when requested by incoming connections and 347 - also request ECN on outgoing connection attempts. 348 - 2 Enable ECN when requested by incoming connections 349 - but do not request ECN on outgoing connections. 302 + 303 + = ===================================================== 304 + 0 Disable ECN. Neither initiate nor accept ECN. 305 + 1 Enable ECN when requested by incoming connections and 306 + also request ECN on outgoing connection attempts. 307 + 2 Enable ECN when requested by incoming connections 308 + but do not request ECN on outgoing connections. 309 + = ===================================================== 310 + 350 311 Default: 2 351 312 352 313 tcp_ecn_fallback - BOOLEAN ··· 361 312 additional detection mechanisms could be implemented under this 362 313 knob. The value is not used, if tcp_ecn or per route (or congestion 363 314 control) ECN settings are disabled. 315 + 364 316 Default: 1 (fallback enabled) 365 317 366 318 tcp_fack - BOOLEAN ··· 374 324 valid "receive only" state for an un-orphaned connection, an 375 325 orphaned connection in FIN_WAIT_2 state could otherwise wait 376 326 forever for the remote to close its end of the connection. 327 + 377 328 Cf. tcp_max_orphans 329 + 378 330 Default: 60 seconds 379 331 380 332 tcp_frto - INTEGER ··· 442 390 derived from the listen socket to be bound to the L3 domain in 443 391 which the packets originated. Only valid when the kernel was 444 392 compiled with CONFIG_NET_L3_MASTER_DEV. 445 - Default: 0 (disabled) 393 + 394 + Default: 0 (disabled) 446 395 447 396 tcp_low_latency - BOOLEAN 448 397 This is a legacy option, it has no effect anymore. 
··· 463 410 tcp_max_syn_backlog - INTEGER 464 411 Maximal number of remembered connection requests (SYN_RECV), 465 412 which have not received an acknowledgment from connecting client. 413 + 466 414 This is a per-listener limit. 415 + 467 416 The minimal value is 128 for low memory machines, and it will 468 417 increase in proportion to the memory of machine. 418 + 469 419 If server suffers from overload, try increasing this number. 420 + 470 421 Remember to also check /proc/sys/net/core/somaxconn 471 422 A SYN_RECV request socket consumes about 304 bytes of memory. 472 423 ··· 502 445 minimum RTT when it is moved to a longer path (e.g., due to traffic 503 446 engineering). A longer window makes the filter more resistant to RTT 504 447 inflations such as transient congestion. The unit is seconds. 448 + 505 449 Possible values: 0 - 86400 (1 day) 450 + 506 451 Default: 300 507 452 508 453 tcp_moderate_rcvbuf - BOOLEAN ··· 516 457 tcp_mtu_probing - INTEGER 517 458 Controls TCP Packetization-Layer Path MTU Discovery. Takes three 518 459 values: 519 - 0 - Disabled 520 - 1 - Disabled by default, enabled when an ICMP black hole detected 521 - 2 - Always enabled, use initial MSS of tcp_base_mss. 460 + 461 + - 0 - Disabled 462 + - 1 - Disabled by default, enabled when an ICMP black hole detected 463 + - 2 - Always enabled, use initial MSS of tcp_base_mss. 522 464 523 465 tcp_probe_interval - UNSIGNED INTEGER 524 466 Controls how often to start TCP Packetization-Layer Path MTU ··· 541 481 542 482 tcp_no_ssthresh_metrics_save - BOOLEAN 543 483 Controls whether TCP saves ssthresh metrics in the route cache. 484 + 544 485 Default is 1, which disables ssthresh metrics. 545 486 546 487 tcp_orphan_retries - INTEGER ··· 550 489 See tcp_retries2 for more details. 551 490 552 491 The default value is 8. 492 + 553 493 If your machine is a loaded WEB server, 554 494 you should think about lowering this value, such sockets 555 495 may consume significant resources. Cf. tcp_max_orphans. 
··· 559 497 This value is a bitmap to enable various experimental loss recovery 560 498 features. 561 499 562 - RACK: 0x1 enables the RACK loss detection for fast detection of lost 563 - retransmissions and tail drops. It also subsumes and disables 564 - RFC6675 recovery for SACK connections. 565 - RACK: 0x2 makes RACK's reordering window static (min_rtt/4). 566 - RACK: 0x4 disables RACK's DUPACK threshold heuristic 500 + ========= ============================================================= 501 + RACK: 0x1 enables the RACK loss detection for fast detection of lost 502 + retransmissions and tail drops. It also subsumes and disables 503 + RFC6675 recovery for SACK connections. 504 + 505 + RACK: 0x2 makes RACK's reordering window static (min_rtt/4). 506 + 507 + RACK: 0x4 disables RACK's DUPACK threshold heuristic 508 + ========= ============================================================= 567 509 568 510 Default: 0x1 569 511 ··· 575 509 Initial reordering level of packets in a TCP stream. 576 510 TCP stack can then dynamically adjust flow reordering level 577 511 between this initial value and tcp_max_reordering 512 + 578 513 Default: 3 579 514 580 515 tcp_max_reordering - INTEGER 581 516 Maximal reordering level of packets in a TCP stream. 582 517 300 is a fairly conservative value, but you might increase it 583 518 if paths are using per packet load balancing (like bonding rr mode) 519 + 584 520 Default: 300 585 521 586 522 tcp_retrans_collapse - BOOLEAN ··· 618 550 If set, the TCP stack behaves conforming to RFC1337. If unset, 619 551 we are not conforming to RFC, but prevent TCP TIME_WAIT 620 552 assassination. 553 + 621 554 Default: 0 622 555 623 556 tcp_rmem - vector of 3 INTEGERs: min, default, max 624 557 min: Minimal size of receive buffer used by TCP sockets. 625 558 It is guaranteed to each TCP socket, even under moderate memory 626 559 pressure. 560 + 627 561 Default: 4K 628 562 629 563 default: initial size of receive buffer used by TCP sockets. 
··· 662 592 window after an idle period. An idle period is defined at 663 593 the current RTO. If unset, the congestion window will not 664 594 be timed out after an idle period. 595 + 665 596 Default: 1 666 597 667 598 tcp_stdurg - BOOLEAN 668 599 Use the Host requirements interpretation of the TCP urgent pointer field. 669 600 Most hosts use the older BSD interpretation, so if you turn this on 670 601 Linux might not communicate correctly with them. 602 + 671 603 Default: FALSE 672 604 673 605 tcp_synack_retries - INTEGER ··· 718 646 the option value being the length of the syn-data backlog. 719 647 720 648 The values (bitmap) are 721 - 0x1: (client) enables sending data in the opening SYN on the client. 722 - 0x2: (server) enables the server support, i.e., allowing data in 649 + 650 + ===== ======== ====================================================== 651 + 0x1 (client) enables sending data in the opening SYN on the client. 652 + 0x2 (server) enables the server support, i.e., allowing data in 723 653 a SYN packet to be accepted and passed to the 724 654 application before 3-way handshake finishes. 725 - 0x4: (client) send data in the opening SYN regardless of cookie 655 + 0x4 (client) send data in the opening SYN regardless of cookie 726 656 availability and without a cookie option. 727 - 0x200: (server) accept data-in-SYN w/o any cookie option present. 728 - 0x400: (server) enable all listeners to support Fast Open by 657 + 0x200 (server) accept data-in-SYN w/o any cookie option present. 658 + 0x400 (server) enable all listeners to support Fast Open by 729 659 default without explicit TCP_FASTOPEN socket option. 660 + ===== ======== ====================================================== 730 661 731 662 Default: 0x1 732 663 ··· 743 668 get detected right after Fastopen is re-enabled and will reset to 744 669 initial value when the blackhole issue goes away. 745 670 0 to disable the blackhole detection. 671 + 746 672 By default, it is set to 1hr. 
747 673 748 674 tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs ··· 774 698 for an active TCP connection attempt will happen after 127seconds. 775 699 776 700 tcp_timestamps - INTEGER 777 - Enable timestamps as defined in RFC1323. 778 - 0: Disabled. 779 - 1: Enable timestamps as defined in RFC1323 and use random offset for 780 - each connection rather than only using the current time. 781 - 2: Like 1, but without random offsets. 701 + Enable timestamps as defined in RFC1323. 702 + 703 + - 0: Disabled. 704 + - 1: Enable timestamps as defined in RFC1323 and use random offset for 705 + each connection rather than only using the current time. 706 + - 2: Like 1, but without random offsets. 707 + 782 708 Default: 1 783 709 784 710 tcp_min_tso_segs - INTEGER 785 711 Minimal number of segments per TSO frame. 712 + 786 713 Since linux-3.12, TCP does an automatic sizing of TSO frames, 787 714 depending on flow rate, instead of filling 64Kbytes packets. 788 715 For specific usages, it's possible to force TCP to build big 789 716 TSO frames. Note that TCP stack might split too big TSO packets 790 717 if available window is too small. 718 + 791 719 Default: 2 792 720 793 721 tcp_pacing_ss_ratio - INTEGER ··· 800 720 If TCP is in slow start, tcp_pacing_ss_ratio is applied 801 721 to let TCP probe for bigger speeds, assuming cwnd can be 802 722 doubled every other RTT. 723 + 803 724 Default: 200 804 725 805 726 tcp_pacing_ca_ratio - INTEGER ··· 808 727 to current rate. (current_rate = cwnd * mss / srtt) 809 728 If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio 810 729 is applied to conservatively probe for bigger throughput. 730 + 811 731 Default: 120 812 732 813 733 tcp_tso_win_divisor - INTEGER ··· 816 734 can be consumed by a single TSO frame. 817 735 The setting of this parameter is a choice between burstiness and 818 736 building larger TSO frames. 
737 + 819 738 Default: 3 820 739 821 740 tcp_tw_reuse - INTEGER 822 741 Enable reuse of TIME-WAIT sockets for new connections when it is 823 742 safe from protocol viewpoint. 824 - 0 - disable 825 - 1 - global enable 826 - 2 - enable for loopback traffic only 743 + 744 + - 0 - disable 745 + - 1 - global enable 746 + - 2 - enable for loopback traffic only 747 + 827 748 It should not be changed without advice/request of technical 828 749 experts. 750 + 829 751 Default: 2 830 752 831 753 tcp_window_scaling - BOOLEAN ··· 838 752 tcp_wmem - vector of 3 INTEGERs: min, default, max 839 753 min: Amount of memory reserved for send buffers for TCP sockets. 840 754 Each TCP socket has rights to use it due to fact of its birth. 755 + 841 756 Default: 4K 842 757 843 758 default: initial size of send buffer used by TCP sockets. This 844 759 value overrides net.core.wmem_default used by other protocols. 760 + 845 761 It is usually lower than net.core.wmem_default. 762 + 846 763 Default: 16K 847 764 848 765 max: Maximal amount of memory allowed for automatically tuned ··· 853 764 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables 854 765 automatic tuning of that socket's send buffer size, in which case 855 766 this value is ignored. 767 + 856 768 Default: between 64K and 4MB, depending on RAM size. 857 769 858 770 tcp_notsent_lowat - UNSIGNED INTEGER ··· 874 784 remote TCP is broken and treats the window as a signed quantity. 875 785 If unset, assume the remote TCP is not broken even if we do 876 786 not receive a window scaling option from them. 787 + 877 788 Default: 0 878 789 879 790 tcp_thin_linear_timeouts - BOOLEAN ··· 887 796 non-aggressive thin streams, often found to be time-dependent. 888 797 For more information on thin streams, see 889 798 Documentation/networking/tcp-thin.txt 799 + 890 800 Default: 0 891 801 892 802 tcp_limit_output_bytes - INTEGER ··· 899 807 flows, for typical pfifo_fast qdiscs. 
tcp_limit_output_bytes 900 808 limits the number of bytes on qdisc or device to reduce artificial 901 809 RTT/cwnd and reduce bufferbloat. 810 + 902 811 Default: 1048576 (16 * 65536) 903 812 904 813 tcp_challenge_ack_limit - INTEGER ··· 915 822 916 823 Default: 0 (disabled) 917 824 918 - UDP variables: 825 + UDP variables 826 + ============= 919 827 920 828 udp_l3mdev_accept - BOOLEAN 921 829 Enabling this option allows a "global" bound socket to work ··· 924 830 being received regardless of the L3 domain in which they 925 831 originated. Only valid when the kernel was compiled with 926 832 CONFIG_NET_L3_MASTER_DEV. 927 - Default: 0 (disabled) 833 + 834 + Default: 0 (disabled) 928 835 929 836 udp_mem - vector of 3 INTEGERs: min, pressure, max 930 837 Number of pages allowed for queueing by all UDP sockets. ··· 944 849 Minimal size of receive buffer used by UDP sockets in moderation. 945 850 Each UDP socket is able to use the size for receiving data, even if 946 851 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 852 + 947 853 Default: 4K 948 854 949 855 udp_wmem_min - INTEGER 950 856 Minimal size of send buffer used by UDP sockets in moderation. 951 857 Each UDP socket is able to use the size for sending data, even if 952 858 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 859 + 953 860 Default: 4K 954 861 955 - RAW variables: 862 + RAW variables 863 + ============= 956 864 957 865 raw_l3mdev_accept - BOOLEAN 958 866 Enabling this option allows a "global" bound socket to work ··· 963 865 being received regardless of the L3 domain in which they 964 866 originated. Only valid when the kernel was compiled with 965 867 CONFIG_NET_L3_MASTER_DEV. 868 + 966 869 Default: 1 (enabled) 967 870 968 - CIPSOv4 Variables: 871 + CIPSOv4 Variables 872 + ================= 969 873 970 874 cipso_cache_enable - BOOLEAN 971 875 If set, enable additions to and lookups from the CIPSO label mapping ··· 975 875 miss. 
However, regardless of the setting the cache is still 976 876 invalidated when required when means you can safely toggle this on and 977 877 off and the cache will always be "safe". 878 + 978 879 Default: 1 979 880 980 881 cipso_cache_bucket_size - INTEGER ··· 985 884 more CIPSO label mappings that can be cached. When the number of 986 885 entries in a given hash bucket reaches this limit adding new entries 987 886 causes the oldest entry in the bucket to be removed to make room. 887 + 988 888 Default: 10 989 889 990 890 cipso_rbm_optfmt - BOOLEAN ··· 993 891 the CIPSO draft specification (see Documentation/netlabel for details). 994 892 This means that when set the CIPSO tag will be padded with empty 995 893 categories in order to make the packet data 32-bit aligned. 894 + 996 895 Default: 0 997 896 998 897 cipso_rbm_structvalid - BOOLEAN ··· 1003 900 where in the CIPSO processing code but setting this to 0 (False) should 1004 901 result in less work (i.e. it should be faster) but could cause problems 1005 902 with other implementations that require strict checking. 903 + 1006 904 Default: 0 1007 905 1008 - IP Variables: 906 + IP Variables 907 + ============ 1009 908 1010 909 ip_local_port_range - 2 INTEGERS 1011 910 Defines the local port range that is used by TCP and UDP to ··· 1036 931 assignments. 1037 932 1038 933 You can reserve ports which are not in the current 1039 - ip_local_port_range, e.g.: 934 + ip_local_port_range, e.g.:: 1040 935 1041 - $ cat /proc/sys/net/ipv4/ip_local_port_range 1042 - 32000 60999 1043 - $ cat /proc/sys/net/ipv4/ip_local_reserved_ports 1044 - 8080,9148 936 + $ cat /proc/sys/net/ipv4/ip_local_port_range 937 + 32000 60999 938 + $ cat /proc/sys/net/ipv4/ip_local_reserved_ports 939 + 8080,9148 1045 940 1046 941 although this is redundant. 
However such a setting is useful 1047 942 if later the port range is changed to a value that will ··· 1061 956 ip_nonlocal_bind - BOOLEAN 1062 957 If set, allows processes to bind() to non-local IP addresses, 1063 958 which can be quite useful - but may break some applications. 959 + 1064 960 Default: 0 1065 961 1066 962 ip_autobind_reuse - BOOLEAN ··· 1078 972 If set to a non-zero value larger than 1, a kernel log 1079 973 message will be printed when dynamic address rewriting 1080 974 occurs. 975 + 1081 976 Default: 0 1082 977 1083 978 ip_early_demux - BOOLEAN ··· 1088 981 1089 982 It may add an additional cost for pure routing workloads that 1090 983 reduces overall throughput, in such case you should disable it. 984 + 1091 985 Default: 1 1092 986 1093 987 ping_group_range - 2 INTEGERS ··· 1100 992 1101 993 tcp_early_demux - BOOLEAN 1102 994 Enable early demux for established TCP sockets. 995 + 1103 996 Default: 1 1104 997 1105 998 udp_early_demux - BOOLEAN 1106 999 Enable early demux for connected UDP sockets. Disable this if 1107 1000 your system could experience more unconnected load. 1001 + 1108 1002 Default: 1 1109 1003 1110 1004 icmp_echo_ignore_all - BOOLEAN 1111 1005 If set non-zero, then the kernel will ignore all ICMP ECHO 1112 1006 requests sent to it. 1007 + 1113 1008 Default: 0 1114 1009 1115 1010 icmp_echo_ignore_broadcasts - BOOLEAN 1116 1011 If set non-zero, then the kernel will ignore all ICMP ECHO and 1117 1012 TIMESTAMP requests sent to it via broadcast/multicast. 1013 + 1118 1014 Default: 1 1119 1015 1120 1016 icmp_ratelimit - INTEGER ··· 1128 1016 otherwise the minimal space between responses in milliseconds. 1129 1017 Note that another sysctl, icmp_msgs_per_sec limits the number 1130 1018 of ICMP packets sent on all targets. 1019 + 1131 1020 Default: 1000 1132 1021 1133 1022 icmp_msgs_per_sec - INTEGER 1134 1023 Limit maximal number of ICMP packets sent per second from this host. 
1135 1024 Only messages whose type matches icmp_ratemask (see below) are 1136 1025 controlled by this limit. 1026 + 1137 1027 Default: 1000 1138 1028 1139 1029 icmp_msgs_burst - INTEGER 1140 1030 icmp_msgs_per_sec controls number of ICMP packets sent per second, 1141 1031 while icmp_msgs_burst controls the burst size of these packets. 1032 + 1142 1033 Default: 50 1143 1034 1144 1035 icmp_ratemask - INTEGER 1145 1036 Mask made of ICMP types for which rates are being limited. 1037 + 1146 1038 Significant bits: IHGFEDCBA9876543210 1039 + 1147 1040 Default mask: 0000001100000011000 (6168) 1148 1041 1149 1042 Bit definitions (see include/linux/icmp.h): 1043 + 1044 + = ========================= 1150 1045 0 Echo Reply 1151 - 3 Destination Unreachable * 1152 - 4 Source Quench * 1046 + 3 Destination Unreachable [1]_ 1047 + 4 Source Quench [1]_ 1153 1048 5 Redirect 1154 1049 8 Echo Request 1155 - B Time Exceeded * 1156 - C Parameter Problem * 1050 + B Time Exceeded [1]_ 1051 + C Parameter Problem [1]_ 1157 1052 D Timestamp Request 1158 1053 E Timestamp Reply 1159 1054 F Info Request 1160 1055 G Info Reply 1161 1056 H Address Mask Request 1162 1057 I Address Mask Reply 1058 + = ========================= 1163 1059 1164 - * These are rate limited by default (see default mask above) 1060 + .. [1] These are rate limited by default (see default mask above) 1165 1061 1166 1062 icmp_ignore_bogus_error_responses - BOOLEAN 1167 1063 Some routers violate RFC1122 by sending bogus responses to broadcast 1168 1064 frames. Such violations are normally logged via a kernel warning. 1169 1065 If this is set to TRUE, the kernel will not give such warnings, which 1170 1066 will avoid log file clutter. 1067 + 1171 1068 Default: 1 1172 1069 1173 1070 icmp_errors_use_inbound_ifaddr - BOOLEAN ··· 1221 1100 igmp_max_msf - INTEGER 1222 1101 Maximum number of addresses allowed in the source filter list for a 1223 1102 multicast group. 
1103 + 1224 1104 Default: 10 1225 1105 1226 1106 igmp_qrv - INTEGER 1227 1107 Controls the IGMP query robustness variable (see RFC2236 8.1). 1108 + 1228 1109 Default: 2 (as specified by RFC2236 8.1) 1110 + 1229 1111 Minimum: 1 (as specified by RFC6636 4.5) 1230 1112 1231 1113 force_igmp_version - INTEGER 1232 - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback 1233 - allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier 1234 - Present timer expires. 1235 - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if 1236 - receive IGMPv2/v3 query. 1237 - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive 1238 - IGMPv1 query message. Will reply report if receive IGMPv3 query. 1239 - 3 - Enforce to use IGMP version 3. The same react with default 0. 1114 + - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback 1115 + allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier 1116 + Present timer expires. 1117 + - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if 1118 + receive IGMPv2/v3 query. 1119 + - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive 1120 + IGMPv1 query message. Will reply report if receive IGMPv3 query. 1121 + - 3 - Enforce to use IGMP version 3. The same react with default 0. 1240 1122 1241 - Note: this is not the same with force_mld_version because IGMPv3 RFC3376 1242 - Security Considerations does not have clear description that we could 1243 - ignore other version messages completely as MLDv2 RFC3810. So make 1244 - this value as default 0 is recommended. 1123 + .. note:: 1245 1124 1246 - conf/interface/* changes special settings per interface (where 1247 - "interface" is the name of your network interface) 1125 + this is not the same with force_mld_version because IGMPv3 RFC3376 1126 + Security Considerations does not have clear description that we could 1127 + ignore other version messages completely as MLDv2 RFC3810. 
So make 1128 + this value as default 0 is recommended. 1248 1129 1249 - conf/all/* is special, changes the settings for all interfaces 1130 + ``conf/interface/*`` 1131 + changes special settings per interface (where 1132 + interface" is the name of your network interface) 1133 + 1134 + ``conf/all/*`` 1135 + is special, changes the settings for all interfaces 1250 1136 1251 1137 log_martians - BOOLEAN 1252 1138 Log packets with impossible addresses to kernel log. ··· 1264 1136 accept_redirects - BOOLEAN 1265 1137 Accept ICMP redirect messages. 1266 1138 accept_redirects for the interface will be enabled if: 1139 + 1267 1140 - both conf/{all,interface}/accept_redirects are TRUE in the case 1268 1141 forwarding for the interface is enabled 1142 + 1269 1143 or 1144 + 1270 1145 - at least one of conf/{all,interface}/accept_redirects is TRUE in the 1271 1146 case forwarding for the interface is disabled 1147 + 1272 1148 accept_redirects for the interface will be disabled otherwise 1273 - default TRUE (host) 1274 - FALSE (router) 1149 + 1150 + default: 1151 + 1152 + - TRUE (host) 1153 + - FALSE (router) 1275 1154 1276 1155 forwarding - BOOLEAN 1277 1156 Enable IP forwarding on this interface. This controls whether packets ··· 1303 1168 1304 1169 proxy_arp - BOOLEAN 1305 1170 Do proxy arp. 1171 + 1306 1172 proxy_arp for the interface will be enabled if at least one of 1307 1173 conf/{all,interface}/proxy_arp is set to TRUE, 1308 1174 it will be disabled otherwise 1309 1175 1310 1176 proxy_arp_pvlan - BOOLEAN 1311 1177 Private VLAN proxy arp. 1178 + 1312 1179 Basically allow proxy arp replies back to the same interface 1313 1180 (from which the ARP request/solicitation was received). 1314 1181 ··· 1323 1186 proxy_arp. 1324 1187 1325 1188 This technology is known by different names: 1189 + 1326 1190 In RFC 3069 it is called VLAN Aggregation. 1327 1191 Cisco and Allied Telesyn call it Private VLAN. 1328 1192 Hewlett-Packard call it Source-Port filtering or port-isolation. 
··· 1332 1194 shared_media - BOOLEAN 1333 1195 Send(router) or accept(host) RFC1620 shared media redirects. 1334 1196 Overrides secure_redirects. 1197 + 1335 1198 shared_media for the interface will be enabled if at least one of 1336 1199 conf/{all,interface}/shared_media is set to TRUE, 1337 1200 it will be disabled otherwise 1201 + 1338 1202 default TRUE 1339 1203 1340 1204 secure_redirects - BOOLEAN 1341 1205 Accept ICMP redirect messages only to gateways listed in the 1342 1206 interface's current gateway list. Even if disabled, RFC1122 redirect 1343 1207 rules still apply. 1208 + 1344 1209 Overridden by shared_media. 1210 + 1345 1211 secure_redirects for the interface will be enabled if at least one of 1346 1212 conf/{all,interface}/secure_redirects is set to TRUE, 1347 1213 it will be disabled otherwise 1214 + 1348 1215 default TRUE 1349 1216 1350 1217 send_redirects - BOOLEAN 1351 1218 Send redirects, if router. 1219 + 1352 1220 send_redirects for the interface will be enabled if at least one of 1353 1221 conf/{all,interface}/send_redirects is set to TRUE, 1354 1222 it will be disabled otherwise 1223 + 1355 1224 Default: TRUE 1356 1225 1357 1226 bootp_relay - BOOLEAN ··· 1367 1222 BOOTP relay daemon will catch and forward such packets. 1368 1223 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay 1369 1224 for the interface 1225 + 1370 1226 default FALSE 1227 + 1371 1228 Not Implemented Yet. 1372 1229 1373 1230 accept_source_route - BOOLEAN 1374 1231 Accept packets with SRR option. 1375 1232 conf/all/accept_source_route must also be set to TRUE to accept packets 1376 1233 with SRR option on the interface 1377 - default TRUE (router) 1378 - FALSE (host) 1234 + 1235 + default 1236 + 1237 + - TRUE (router) 1238 + - FALSE (host) 1379 1239 1380 1240 accept_local - BOOLEAN 1381 1241 Accept packets with local source addresses. 
In combination with ··· 1391 1241 route_localnet - BOOLEAN 1392 1242 Do not consider loopback addresses as martian source or destination 1393 1243 while routing. This enables the use of 127/8 for local routing purposes. 1244 + 1394 1245 default FALSE 1395 1246 1396 1247 rp_filter - INTEGER 1397 - 0 - No source validation. 1398 - 1 - Strict mode as defined in RFC3704 Strict Reverse Path 1399 - Each incoming packet is tested against the FIB and if the interface 1400 - is not the best reverse path the packet check will fail. 1401 - By default failed packets are discarded. 1402 - 2 - Loose mode as defined in RFC3704 Loose Reverse Path 1403 - Each incoming packet's source address is also tested against the FIB 1404 - and if the source address is not reachable via any interface 1405 - the packet check will fail. 1248 + - 0 - No source validation. 1249 + - 1 - Strict mode as defined in RFC3704 Strict Reverse Path 1250 + Each incoming packet is tested against the FIB and if the interface 1251 + is not the best reverse path the packet check will fail. 1252 + By default failed packets are discarded. 1253 + - 2 - Loose mode as defined in RFC3704 Loose Reverse Path 1254 + Each incoming packet's source address is also tested against the FIB 1255 + and if the source address is not reachable via any interface 1256 + the packet check will fail. 1406 1257 1407 1258 Current recommended practice in RFC3704 is to enable strict mode 1408 1259 to prevent IP spoofing from DDos attacks. If using asymmetric routing ··· 1416 1265 in startup scripts. 1417 1266 1418 1267 arp_filter - BOOLEAN 1419 - 1 - Allows you to have multiple network interfaces on the same 1420 - subnet, and have the ARPs for each interface be answered 1421 - based on whether or not the kernel would route a packet from 1422 - the ARP'd IP out that interface (therefore you must use source 1423 - based routing for this to work). 
In other words it allows control 1424 - of which cards (usually 1) will respond to an arp request. 1268 + - 1 - Allows you to have multiple network interfaces on the same 1269 + subnet, and have the ARPs for each interface be answered 1270 + based on whether or not the kernel would route a packet from 1271 + the ARP'd IP out that interface (therefore you must use source 1272 + based routing for this to work). In other words it allows control 1273 + of which cards (usually 1) will respond to an arp request. 1425 1274 1426 - 0 - (default) The kernel can respond to arp requests with addresses 1427 - from other interfaces. This may seem wrong but it usually makes 1428 - sense, because it increases the chance of successful communication. 1429 - IP addresses are owned by the complete host on Linux, not by 1430 - particular interfaces. Only for more complex setups like load- 1431 - balancing, does this behaviour cause problems. 1275 + - 0 - (default) The kernel can respond to arp requests with addresses 1276 + from other interfaces. This may seem wrong but it usually makes 1277 + sense, because it increases the chance of successful communication. 1278 + IP addresses are owned by the complete host on Linux, not by 1279 + particular interfaces. Only for more complex setups like load- 1280 + balancing, does this behaviour cause problems. 1432 1281 1433 1282 arp_filter for the interface will be enabled if at least one of 1434 1283 conf/{all,interface}/arp_filter is set to TRUE, ··· 1438 1287 Define different restriction levels for announcing the local 1439 1288 source IP address from IP packets in ARP requests sent on 1440 1289 interface: 1441 - 0 - (default) Use any local address, configured on any interface 1442 - 1 - Try to avoid local addresses that are not in the target's 1443 - subnet for this interface. 
This mode is useful when target 1444 - hosts reachable via this interface require the source IP 1445 - address in ARP requests to be part of their logical network 1446 - configured on the receiving interface. When we generate the 1447 - request we will check all our subnets that include the 1448 - target IP and will preserve the source address if it is from 1449 - such subnet. If there is no such subnet we select source 1450 - address according to the rules for level 2. 1451 - 2 - Always use the best local address for this target. 1452 - In this mode we ignore the source address in the IP packet 1453 - and try to select local address that we prefer for talks with 1454 - the target host. Such local address is selected by looking 1455 - for primary IP addresses on all our subnets on the outgoing 1456 - interface that include the target IP address. If no suitable 1457 - local address is found we select the first local address 1458 - we have on the outgoing interface or on all other interfaces, 1459 - with the hope we will receive reply for our request and 1460 - even sometimes no matter the source IP address we announce. 1290 + 1291 + - 0 - (default) Use any local address, configured on any interface 1292 + - 1 - Try to avoid local addresses that are not in the target's 1293 + subnet for this interface. This mode is useful when target 1294 + hosts reachable via this interface require the source IP 1295 + address in ARP requests to be part of their logical network 1296 + configured on the receiving interface. When we generate the 1297 + request we will check all our subnets that include the 1298 + target IP and will preserve the source address if it is from 1299 + such subnet. If there is no such subnet we select source 1300 + address according to the rules for level 2. 1301 + - 2 - Always use the best local address for this target. 
1302 + In this mode we ignore the source address in the IP packet 1303 + and try to select local address that we prefer for talks with 1304 + the target host. Such local address is selected by looking 1305 + for primary IP addresses on all our subnets on the outgoing 1306 + interface that include the target IP address. If no suitable 1307 + local address is found we select the first local address 1308 + we have on the outgoing interface or on all other interfaces, 1309 + with the hope we will receive reply for our request and 1310 + even sometimes no matter the source IP address we announce. 1461 1311 1462 1312 The max value from conf/{all,interface}/arp_announce is used. 1463 1313 ··· 1469 1317 arp_ignore - INTEGER 1470 1318 Define different modes for sending replies in response to 1471 1319 received ARP requests that resolve local target IP addresses: 1472 - 0 - (default): reply for any local target IP address, configured 1473 - on any interface 1474 - 1 - reply only if the target IP address is local address 1475 - configured on the incoming interface 1476 - 2 - reply only if the target IP address is local address 1477 - configured on the incoming interface and both with the 1478 - sender's IP address are part from same subnet on this interface 1479 - 3 - do not reply for local addresses configured with scope host, 1480 - only resolutions for global and link addresses are replied 1481 - 4-7 - reserved 1482 - 8 - do not reply for all local addresses 1320 + 1321 + - 0 - (default): reply for any local target IP address, configured 1322 + on any interface 1323 + - 1 - reply only if the target IP address is local address 1324 + configured on the incoming interface 1325 + - 2 - reply only if the target IP address is local address 1326 + configured on the incoming interface and both with the 1327 + sender's IP address are part from same subnet on this interface 1328 + - 3 - do not reply for local addresses configured with scope host, 1329 + only resolutions for global 
and link addresses are replied 1330 + - 4-7 - reserved 1331 + - 8 - do not reply for all local addresses 1483 1332 1484 1333 The max value from conf/{all,interface}/arp_ignore is used 1485 1334 when ARP request is received on the {interface} 1486 1335 1487 1336 arp_notify - BOOLEAN 1488 1337 Define mode for notification of address and device changes. 1489 - 0 - (default): do nothing 1490 - 1 - Generate gratuitous arp requests when device is brought up 1491 - or hardware address changes. 1338 + 1339 + == ========================================================== 1340 + 0 (default): do nothing 1341 + 1 Generate gratuitous arp requests when device is brought up 1342 + or hardware address changes. 1343 + == ========================================================== 1492 1344 1493 1345 arp_accept - BOOLEAN 1494 1346 Define behavior for gratuitous ARP frames who's IP is not 1495 1347 already present in the ARP table: 1496 - 0 - don't create new entries in the ARP table 1497 - 1 - create new entries in the ARP table 1348 + 1349 + - 0 - don't create new entries in the ARP table 1350 + - 1 - create new entries in the ARP table 1498 1351 1499 1352 Both replies and requests type gratuitous arp will trigger the 1500 1353 ARP table to be updated, if this setting is on. ··· 1535 1378 igmpv2_unsolicited_report_interval - INTEGER 1536 1379 The interval in milliseconds in which the next unsolicited 1537 1380 IGMPv1 or IGMPv2 report retransmit will take place. 1381 + 1538 1382 Default: 10000 (10 seconds) 1539 1383 1540 1384 igmpv3_unsolicited_report_interval - INTEGER 1541 1385 The interval in milliseconds in which the next unsolicited 1542 1386 IGMPv3 report retransmit will take place. 1387 + 1543 1388 Default: 1000 (1 seconds) 1544 1389 1545 1390 promote_secondaries - BOOLEAN ··· 1552 1393 drop_unicast_in_l2_multicast - BOOLEAN 1553 1394 Drop any unicast IP packets that are received in link-layer 1554 1395 multicast (or broadcast) frames. 
1396 + 1555 1397 This behavior (for multicast) is actually a SHOULD in RFC 1556 1398 1122, but is disabled by default for compatibility reasons. 1399 + 1557 1400 Default: off (0) 1558 1401 1559 1402 drop_gratuitous_arp - BOOLEAN 1560 1403 Drop all gratuitous ARP frames, for example if there's a known 1561 1404 good ARP proxy on the network and such frames need not be used 1562 1405 (or in the case of 802.11, must not be used to prevent attacks.) 1406 + 1563 1407 Default: off (0) 1564 1408 1565 1409 1566 1410 tag - INTEGER 1567 1411 Allows you to write a number, which can be used as required. 1412 + 1568 1413 Default value is 0. 1569 1414 1570 1415 xfrm4_gc_thresh - INTEGER ··· 1580 1417 igmp_link_local_mcast_reports - BOOLEAN 1581 1418 Enable IGMP reports for link local multicast groups in the 1582 1419 224.0.0.X range. 1420 + 1583 1421 Default TRUE 1584 1422 1585 1423 Alexey Kuznetsov. 1586 1424 kuznet@ms2.inr.ac.ru 1587 1425 1588 1426 Updated by: 1589 - Andi Kleen 1590 - ak@muc.de 1591 - Nicolas Delon 1592 - delon.nicolas@wanadoo.fr 1427 + 1428 + - Andi Kleen 1429 + ak@muc.de 1430 + - Nicolas Delon 1431 + delon.nicolas@wanadoo.fr 1593 1432 1594 1433 1595 1434 1596 1435 1597 - /proc/sys/net/ipv6/* Variables: 1436 + /proc/sys/net/ipv6/* Variables 1437 + ============================== 1598 1438 1599 1439 IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also 1600 1440 apply to IPv6 [XXX?]. ··· 1606 1440 Default value for IPV6_V6ONLY socket option, 1607 1441 which restricts use of the IPv6 socket to IPv6 communication 1608 1442 only. 1609 - TRUE: disable IPv4-mapped address feature 1610 - FALSE: enable IPv4-mapped address feature 1443 + 1444 + - TRUE: disable IPv4-mapped address feature 1445 + - FALSE: enable IPv4-mapped address feature 1611 1446 1612 1447 Default: FALSE (as specified in RFC3493) 1613 1448 ··· 1616 1449 Protect the consistency (and unicity) of flow label. 
1617 1450 You have to disable it to use IPV6_FL_F_REFLECT flag on the 1618 1451 flow label manager. 1619 - TRUE: enabled 1620 - FALSE: disabled 1452 + 1453 + - TRUE: enabled 1454 + - FALSE: disabled 1455 + 1621 1456 Default: TRUE 1622 1457 1623 1458 auto_flowlabels - INTEGER ··· 1627 1458 packet. This allows intermediate devices, such as routers, to 1628 1459 identify packet flows for mechanisms like Equal Cost Multipath 1629 1460 Routing (see RFC 6438). 1630 - 0: automatic flow labels are completely disabled 1631 - 1: automatic flow labels are enabled by default, they can be 1461 + 1462 + = =========================================================== 1463 + 0 automatic flow labels are completely disabled 1464 + 1 automatic flow labels are enabled by default, they can be 1632 1465 disabled on a per socket basis using the IPV6_AUTOFLOWLABEL 1633 1466 socket option 1634 - 2: automatic flow labels are allowed, they may be enabled on a 1467 + 2 automatic flow labels are allowed, they may be enabled on a 1635 1468 per socket basis using the IPV6_AUTOFLOWLABEL socket option 1636 - 3: automatic flow labels are enabled and enforced, they cannot 1469 + 3 automatic flow labels are enabled and enforced, they cannot 1637 1470 be disabled by the socket option 1471 + = =========================================================== 1472 + 1638 1473 Default: 1 1639 1474 1640 1475 flowlabel_state_ranges - BOOLEAN 1641 1476 Split the flow label number space into two ranges. 0-0x7FFFF is 1642 1477 reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF 1643 1478 is reserved for stateless flow labels as described in RFC6437. 1644 - TRUE: enabled 1645 - FALSE: disabled 1479 + 1480 + - TRUE: enabled 1481 + - FALSE: disabled 1482 + 1646 1483 Default: true 1647 1484 1648 1485 flowlabel_reflect - INTEGER ··· 1658 1483 https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01 1659 1484 1660 1485 This is a bitmask. 
1661 - 1: enabled for established flows 1662 1486 1663 - Note that this prevents automatic flowlabel changes, as done 1664 - in "tcp: change IPv6 flow-label upon receiving spurious retransmission" 1665 - and "tcp: Change txhash on every SYN and RTO retransmit" 1487 + - 1: enabled for established flows 1666 1488 1667 - 2: enabled for TCP RESET packets (no active listener) 1668 - If set, a RST packet sent in response to a SYN packet on a closed 1669 - port will reflect the incoming flow label. 1489 + Note that this prevents automatic flowlabel changes, as done 1490 + in "tcp: change IPv6 flow-label upon receiving spurious retransmission" 1491 + and "tcp: Change txhash on every SYN and RTO retransmit" 1670 1492 1671 - 4: enabled for ICMPv6 echo reply messages. 1493 + - 2: enabled for TCP RESET packets (no active listener) 1494 + If set, a RST packet sent in response to a SYN packet on a closed 1495 + port will reflect the incoming flow label. 1496 + 1497 + - 4: enabled for ICMPv6 echo reply messages. 1672 1498 1673 1499 Default: 0 1674 1500 1675 1501 fib_multipath_hash_policy - INTEGER 1676 1502 Controls which hash policy to use for multipath routes. 
1503 + 1677 1504 Default: 0 (Layer 3) 1505 + 1678 1506 Possible values: 1679 - 0 - Layer 3 (source and destination addresses plus flow label) 1680 - 1 - Layer 4 (standard 5-tuple) 1681 - 2 - Layer 3 or inner Layer 3 if present 1507 + 1508 + - 0 - Layer 3 (source and destination addresses plus flow label) 1509 + - 1 - Layer 4 (standard 5-tuple) 1510 + - 2 - Layer 3 or inner Layer 3 if present 1682 1511 1683 1512 anycast_src_echo_reply - BOOLEAN 1684 1513 Controls the use of anycast addresses as source addresses for ICMPv6 1685 1514 echo reply 1686 - TRUE: enabled 1687 - FALSE: disabled 1515 + 1516 + - TRUE: enabled 1517 + - FALSE: disabled 1518 + 1688 1519 Default: FALSE 1689 1520 1690 1521 idgen_delay - INTEGER 1691 1522 Controls the delay in seconds after which time to retry 1692 1523 privacy stable address generation if a DAD conflict is 1693 1524 detected. 1525 + 1694 1526 Default: 1 (as specified in RFC7217) 1695 1527 1696 1528 idgen_retries - INTEGER 1697 1529 Controls the number of retries to generate a stable privacy 1698 1530 address if a DAD conflict is detected. 1531 + 1699 1532 Default: 3 (as specified in RFC7217) 1700 1533 1701 1534 mld_qrv - INTEGER 1702 1535 Controls the MLD query robustness variable (see RFC3810 9.1). 1536 + 1703 1537 Default: 2 (as specified by RFC3810 9.1) 1538 + 1704 1539 Minimum: 1 (as specified by RFC6636 4.5) 1705 1540 1706 1541 max_dst_opts_number - INTEGER ··· 1718 1533 options extension header. If this value is less than zero 1719 1534 then unknown options are disallowed and the number of known 1720 1535 TLVs allowed is the absolute value of this number. 1536 + 1721 1537 Default: 8 1722 1538 1723 1539 max_hbh_opts_number - INTEGER ··· 1726 1540 options extension header. If this value is less than zero 1727 1541 then unknown options are disallowed and the number of known 1728 1542 TLVs allowed is the absolute value of this number. 
1543 + 1729 1544 Default: 8 1730 1545 1731 1546 max_dst_opts_length - INTEGER 1732 1547 Maximum length allowed for a Destination options extension 1733 1548 header. 1549 + 1734 1550 Default: INT_MAX (unlimited) 1735 1551 1736 1552 max_hbh_length - INTEGER 1737 1553 Maximum length allowed for a Hop-by-Hop options extension 1738 1554 header. 1555 + 1739 1556 Default: INT_MAX (unlimited) 1740 1557 1741 1558 skip_notify_on_dev_down - BOOLEAN ··· 1747 1558 generate this message; IPv6 does by default. Setting this sysctl 1748 1559 to true skips the message, making IPv4 and IPv6 on par in relying 1749 1560 on userspace caches to track link events and evict routes. 1561 + 1750 1562 Default: false (generate message) 1751 1563 1752 1564 nexthop_compat_mode - BOOLEAN ··· 1782 1592 Controls the behaviour of computing the flowlabel of outer 1783 1593 IPv6 header in case of SR T.encaps 1784 1594 1785 - -1 set flowlabel to zero. 1786 - 0 copy flowlabel from Inner packet in case of Inner IPv6 1787 - (Set flowlabel to 0 in case IPv4/L2) 1788 - 1 Compute the flowlabel using seg6_make_flowlabel() 1595 + == ======================================================= 1596 + -1 set flowlabel to zero. 1597 + 0 copy flowlabel from Inner packet in case of Inner IPv6 1598 + (Set flowlabel to 0 in case IPv4/L2) 1599 + 1 Compute the flowlabel using seg6_make_flowlabel() 1600 + == ======================================================= 1789 1601 1790 1602 Default is 0. 1791 1603 1792 - conf/default/*: 1604 + ``conf/default/*``: 1793 1605 Change the interface-specific default settings. 1794 1606 1795 1607 1796 - conf/all/*: 1608 + ``conf/all/*``: 1797 1609 Change all the interface-specific settings. 1798 1610 1799 1611 [XXX: Other special features than forwarding?] ··· 1819 1627 associated with a socket for example, TCP RSTs or ICMPv6 echo replies). 1820 1628 If unset, these packets have a fwmark of zero. If set, they have the 1821 1629 fwmark of the packet they are replying to. 
1630 + 1822 1631 Default: 0 1823 1632 1824 - conf/interface/*: 1633 + ``conf/interface/*``: 1825 1634 Change special settings per interface. 1826 1635 1827 1636 The functional behaviour for certain settings is different ··· 1837 1644 transmitted. 1838 1645 1839 1646 Possible values are: 1840 - 0 Do not accept Router Advertisements. 1841 - 1 Accept Router Advertisements if forwarding is disabled. 1842 - 2 Overrule forwarding behaviour. Accept Router Advertisements 1843 - even if forwarding is enabled. 1844 1647 1845 - Functional default: enabled if local forwarding is disabled. 1846 - disabled if local forwarding is enabled. 1648 + == =========================================================== 1649 + 0 Do not accept Router Advertisements. 1650 + 1 Accept Router Advertisements if forwarding is disabled. 1651 + 2 Overrule forwarding behaviour. Accept Router Advertisements 1652 + even if forwarding is enabled. 1653 + == =========================================================== 1654 + 1655 + Functional default: 1656 + 1657 + - enabled if local forwarding is disabled. 1658 + - disabled if local forwarding is enabled. 1847 1659 1848 1660 accept_ra_defrtr - BOOLEAN 1849 1661 Learn default router in Router Advertisement. 1850 1662 1851 - Functional default: enabled if accept_ra is enabled. 1852 - disabled if accept_ra is disabled. 1663 + Functional default: 1664 + 1665 + - enabled if accept_ra is enabled. 1666 + - disabled if accept_ra is disabled. 1853 1667 1854 1668 accept_ra_from_local - BOOLEAN 1855 1669 Accept RA with source-address that is found on local machine 1856 - if the RA is otherwise proper and able to be accepted. 1857 - Default is to NOT accept these as it may be an un-intended 1858 - network loop. 1670 + if the RA is otherwise proper and able to be accepted. 1671 + 1672 + Default is to NOT accept these as it may be an un-intended 1673 + network loop. 
1859 1674 1860 1675 Functional default: 1861 - enabled if accept_ra_from_local is enabled 1862 - on a specific interface. 1863 - disabled if accept_ra_from_local is disabled 1864 - on a specific interface. 1676 + 1677 + - enabled if accept_ra_from_local is enabled 1678 + on a specific interface. 1679 + - disabled if accept_ra_from_local is disabled 1680 + on a specific interface. 1865 1681 1866 1682 accept_ra_min_hop_limit - INTEGER 1867 1683 Minimum hop limit Information in Router Advertisement. ··· 1883 1681 accept_ra_pinfo - BOOLEAN 1884 1682 Learn Prefix Information in Router Advertisement. 1885 1683 1886 - Functional default: enabled if accept_ra is enabled. 1887 - disabled if accept_ra is disabled. 1684 + Functional default: 1685 + 1686 + - enabled if accept_ra is enabled. 1687 + - disabled if accept_ra is disabled. 1888 1688 1889 1689 accept_ra_rt_info_min_plen - INTEGER 1890 1690 Minimum prefix length of Route Information in RA. ··· 1894 1690 Route Information w/ prefix smaller than this variable shall 1895 1691 be ignored. 1896 1692 1897 - Functional default: 0 if accept_ra_rtr_pref is enabled. 1898 - -1 if accept_ra_rtr_pref is disabled. 1693 + Functional default: 1694 + 1695 + * 0 if accept_ra_rtr_pref is enabled. 1696 + * -1 if accept_ra_rtr_pref is disabled. 1899 1697 1900 1698 accept_ra_rt_info_max_plen - INTEGER 1901 1699 Maximum prefix length of Route Information in RA. ··· 1905 1699 Route Information w/ prefix larger than this variable shall 1906 1700 be ignored. 1907 1701 1908 - Functional default: 0 if accept_ra_rtr_pref is enabled. 1909 - -1 if accept_ra_rtr_pref is disabled. 1702 + Functional default: 1703 + 1704 + * 0 if accept_ra_rtr_pref is enabled. 1705 + * -1 if accept_ra_rtr_pref is disabled. 1910 1706 1911 1707 accept_ra_rtr_pref - BOOLEAN 1912 1708 Accept Router Preference in RA. 1913 1709 1914 - Functional default: enabled if accept_ra is enabled. 1915 - disabled if accept_ra is disabled. 
1710 + Functional default: 1711 + 1712 + - enabled if accept_ra is enabled. 1713 + - disabled if accept_ra is disabled. 1916 1714 1917 1715 accept_ra_mtu - BOOLEAN 1918 1716 Apply the MTU value specified in RA option 5 (RFC4861). If 1919 1717 disabled, the MTU specified in the RA will be ignored. 1920 1718 1921 - Functional default: enabled if accept_ra is enabled. 1922 - disabled if accept_ra is disabled. 1719 + Functional default: 1720 + 1721 + - enabled if accept_ra is enabled. 1722 + - disabled if accept_ra is disabled. 1923 1723 1924 1724 accept_redirects - BOOLEAN 1925 1725 Accept Redirects. 1926 1726 1927 - Functional default: enabled if local forwarding is disabled. 1928 - disabled if local forwarding is enabled. 1727 + Functional default: 1728 + 1729 + - enabled if local forwarding is disabled. 1730 + - disabled if local forwarding is enabled. 1929 1731 1930 1732 accept_source_route - INTEGER 1931 1733 Accept source routing (routing extension header). 1932 1734 1933 - >= 0: Accept only routing header type 2. 1934 - < 0: Do not accept routing header. 1735 + - >= 0: Accept only routing header type 2. 1736 + - < 0: Do not accept routing header. 1935 1737 1936 1738 Default: 0 1937 1739 ··· 1947 1733 Autoconfigure addresses using Prefix Information in Router 1948 1734 Advertisements. 1949 1735 1950 - Functional default: enabled if accept_ra_pinfo is enabled. 1951 - disabled if accept_ra_pinfo is disabled. 1736 + Functional default: 1737 + 1738 + - enabled if accept_ra_pinfo is enabled. 1739 + - disabled if accept_ra_pinfo is disabled. 1952 1740 1953 1741 dad_transmits - INTEGER 1954 1742 The amount of Duplicate Address Detection probes to send. 1743 + 1955 1744 Default: 1 1956 1745 1957 1746 forwarding - INTEGER 1958 1747 Configure interface-specific Host/Router behaviour. 1959 1748 1960 - Note: It is recommended to have the same setting on all 1961 - interfaces; mixed router/host scenarios are rather uncommon. 1749 + .. 
note:: 1750 + 1751 + It is recommended to have the same setting on all 1752 + interfaces; mixed router/host scenarios are rather uncommon. 1962 1753 1963 1754 Possible values are: 1964 - 0 Forwarding disabled 1965 - 1 Forwarding enabled 1966 1755 1967 - FALSE (0): 1756 + - 0 Forwarding disabled 1757 + - 1 Forwarding enabled 1758 + 1759 + **FALSE (0)**: 1968 1760 1969 1761 By default, Host behaviour is assumed. This means: 1970 1762 ··· 1981 1761 Advertisements (and do autoconfiguration). 1982 1762 4. If accept_redirects is TRUE (default), accept Redirects. 1983 1763 1984 - TRUE (1): 1764 + **TRUE (1)**: 1985 1765 1986 1766 If local forwarding is enabled, Router behaviour is assumed. 1987 1767 This means exactly the reverse from the above: ··· 1992 1772 4. Redirects are ignored. 1993 1773 1994 1774 Default: 0 (disabled) if global forwarding is disabled (default), 1995 - otherwise 1 (enabled). 1775 + otherwise 1 (enabled). 1996 1776 1997 1777 hop_limit - INTEGER 1998 1778 Default Hop Limit to set. 1779 + 1999 1780 Default: 64 2000 1781 2001 1782 mtu - INTEGER 2002 1783 Default Maximum Transfer Unit 1784 + 2003 1785 Default: 1280 (IPv6 required minimum) 2004 1786 2005 1787 ip_nonlocal_bind - BOOLEAN 2006 1788 If set, allows processes to bind() to non-local IPv6 addresses, 2007 1789 which can be quite useful - but may break some applications. 1790 + 2008 1791 Default: 0 2009 1792 2010 1793 router_probe_interval - INTEGER ··· 2019 1796 router_solicitation_delay - INTEGER 2020 1797 Number of seconds to wait after interface is brought up 2021 1798 before sending Router Solicitations. 1799 + 2022 1800 Default: 1 2023 1801 2024 1802 router_solicitation_interval - INTEGER 2025 1803 Number of seconds to wait between Router Solicitations. 1804 + 2026 1805 Default: 4 2027 1806 2028 1807 router_solicitations - INTEGER 2029 1808 Number of Router Solicitations to send until assuming no 2030 1809 routers are present. 
1810 + 2031 1811 Default: 3 2032 1812 2033 1813 use_oif_addrs_only - BOOLEAN ··· 2042 1816 2043 1817 use_tempaddr - INTEGER 2044 1818 Preference for Privacy Extensions (RFC3041). 2045 - <= 0 : disable Privacy Extensions 2046 - == 1 : enable Privacy Extensions, but prefer public 2047 - addresses over temporary addresses. 2048 - > 1 : enable Privacy Extensions and prefer temporary 2049 - addresses over public addresses. 2050 - Default: 0 (for most devices) 2051 - -1 (for point-to-point devices and loopback devices) 1819 + 1820 + * <= 0 : disable Privacy Extensions 1821 + * == 1 : enable Privacy Extensions, but prefer public 1822 + addresses over temporary addresses. 1823 + * > 1 : enable Privacy Extensions and prefer temporary 1824 + addresses over public addresses. 1825 + 1826 + Default: 1827 + 1828 + * 0 (for most devices) 1829 + * -1 (for point-to-point devices and loopback devices) 2052 1830 2053 1831 temp_valid_lft - INTEGER 2054 1832 valid lifetime (in seconds) for temporary addresses. 1833 + 2055 1834 Default: 604800 (7 days) 2056 1835 2057 1836 temp_prefered_lft - INTEGER 2058 1837 Preferred lifetime (in seconds) for temporary addresses. 1838 + 2059 1839 Default: 86400 (1 day) 2060 1840 2061 1841 keep_addr_on_down - INTEGER 2062 1842 Keep all IPv6 addresses on an interface down event. If set static 2063 1843 global addresses with no expiration time are not flushed. 2064 - >0 : enabled 2065 - 0 : system default 2066 - <0 : disabled 1844 + 1845 + * >0 : enabled 1846 + * 0 : system default 1847 + * <0 : disabled 2067 1848 2068 1849 Default: 0 (addresses are removed) 2069 1850 ··· 2079 1846 that ensures that clients don't synchronize with each 2080 1847 other and generate new addresses at exactly the same time. 2081 1848 value is in seconds. 1849 + 2082 1850 Default: 600 2083 1851 2084 1852 regen_max_retry - INTEGER 2085 1853 Number of attempts before give up attempting to generate 2086 1854 valid temporary addresses. 
1855 + 2087 1856 Default: 5 2088 1857 2089 1858 max_addresses - INTEGER ··· 2093 1858 to zero disables the limitation. It is not recommended to set this 2094 1859 value too large (or to zero) because it would be an easy way to 2095 1860 crash the kernel by allowing too many addresses to be created. 1861 + 2096 1862 Default: 16 2097 1863 2098 1864 disable_ipv6 - BOOLEAN 2099 1865 Disable IPv6 operation. If accept_dad is set to 2, this value 2100 1866 will be dynamically set to TRUE if DAD fails for the link-local 2101 1867 address. 1868 + 2102 1869 Default: FALSE (enable IPv6 operation) 2103 1870 2104 1871 When this value is changed from 1 to 0 (IPv6 is being enabled), ··· 2114 1877 2115 1878 accept_dad - INTEGER 2116 1879 Whether to accept DAD (Duplicate Address Detection). 2117 - 0: Disable DAD 2118 - 1: Enable DAD (default) 2119 - 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate 2120 - link-local address has been found. 1880 + 1881 + == ============================================================== 1882 + 0 Disable DAD 1883 + 1 Enable DAD (default) 1884 + 2 Enable DAD, and disable IPv6 operation if MAC-based duplicate 1885 + link-local address has been found. 1886 + == ============================================================== 2121 1887 2122 1888 DAD operation and mode on a given interface will be selected according 2123 1889 to the maximum value of conf/{all,interface}/accept_dad. ··· 2128 1888 force_tllao - BOOLEAN 2129 1889 Enable sending the target link-layer address option even when 2130 1890 responding to a unicast neighbor solicitation. 1891 + 2131 1892 Default: FALSE 2132 1893 2133 1894 Quoting from RFC 2461, section 4.4, Target link-layer address: ··· 2146 1905 2147 1906 ndisc_notify - BOOLEAN 2148 1907 Define mode for notification of address and device changes. 2149 - 0 - (default): do nothing 2150 - 1 - Generate unsolicited neighbour advertisements when device is brought 2151 - up or hardware address changes. 
1908 + 1909 + * 0 - (default): do nothing 1910 + * 1 - Generate unsolicited neighbour advertisements when device is brought 1911 + up or hardware address changes. 2152 1912 2153 1913 ndisc_tclass - INTEGER 2154 1914 The IPv6 Traffic Class to use by default when sending IPv6 Neighbor ··· 2158 1916 These 8 bits can be interpreted as 6 high order bits holding the DSCP 2159 1917 value and 2 low order bits representing ECN (which you probably want 2160 1918 to leave cleared). 2161 - 0 - (default) 1919 + 1920 + * 0 - (default) 2162 1921 2163 1922 mldv1_unsolicited_report_interval - INTEGER 2164 1923 The interval in milliseconds in which the next unsolicited 2165 1924 MLDv1 report retransmit will take place. 1925 + 2166 1926 Default: 10000 (10 seconds) 2167 1927 2168 1928 mldv2_unsolicited_report_interval - INTEGER 2169 1929 The interval in milliseconds in which the next unsolicited 2170 1930 MLDv2 report retransmit will take place. 1931 + 2171 1932 Default: 1000 (1 second) 2172 1933 2173 1934 force_mld_version - INTEGER 2174 - 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed 2175 - 1 - Enforce to use MLD version 1 2176 - 2 - Enforce to use MLD version 2 1935 + * 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed 1936 + * 1 - Enforce to use MLD version 1 1937 + * 2 - Enforce to use MLD version 2 2177 1938 2178 1939 suppress_frag_ndisc - INTEGER 2179 1940 Control RFC 6980 (Security Implications of IPv6 Fragmentation 2180 1941 with IPv6 Neighbor Discovery) behavior: 2181 - 1 - (default) discard fragmented neighbor discovery packets 2182 - 0 - allow fragmented neighbor discovery packets 1942 + 1943 + * 1 - (default) discard fragmented neighbor discovery packets 1944 + * 0 - allow fragmented neighbor discovery packets 2183 1945 2184 1946 optimistic_dad - BOOLEAN 2185 1947 Whether to perform Optimistic Duplicate Address Detection (RFC 4429). 
2186 - 0: disabled (default) 2187 - 1: enabled 1948 + 1949 + * 0: disabled (default) 1950 + * 1: enabled 2188 1951 2189 1952 Optimistic Duplicate Address Detection for the interface will be enabled 2190 1953 if at least one of conf/{all,interface}/optimistic_dad is set to 1, ··· 2200 1953 source address selection. Preferred addresses will still be chosen 2201 1954 before optimistic addresses, subject to other ranking in the source 2202 1955 address selection algorithm. 2203 - 0: disabled (default) 2204 - 1: enabled 1956 + 1957 + * 0: disabled (default) 1958 + * 1: enabled 2205 1959 2206 1960 This will be enabled if at least one of 2207 1961 conf/{all,interface}/use_optimistic is set to 1, disabled otherwise. ··· 2224 1976 addr_gen_mode - INTEGER 2225 1977 Defines how link-local and autoconf addresses are generated. 2226 1978 2227 - 0: generate address based on EUI64 (default) 2228 - 1: do no generate a link-local address, use EUI64 for addresses generated 2229 - from autoconf 2230 - 2: generate stable privacy addresses, using the secret from 1979 + = ================================================================= 1980 + 0 generate address based on EUI64 (default) 1981 + 1 do no generate a link-local address, use EUI64 for addresses 1982 + generated from autoconf 1983 + 2 generate stable privacy addresses, using the secret from 2231 1984 stable_secret (RFC7217) 2232 - 3: generate stable privacy addresses, using a random secret if unset 1985 + 3 generate stable privacy addresses, using a random secret if unset 1986 + = ================================================================= 2233 1987 2234 1988 drop_unicast_in_l2_multicast - BOOLEAN 2235 1989 Drop any unicast IPv6 packets that are received in link-layer ··· 2253 2003 detection of duplicates due to loopback of the NS messages that we send. 2254 2004 The nonce option will be sent on an interface unless both of 2255 2005 conf/{all,interface}/enhanced_dad are set to FALSE. 
2006 + 2256 2007 Default: TRUE 2257 2008 2258 - icmp/*: 2009 + ``icmp/*``: 2010 + =========== 2011 + 2259 2012 ratelimit - INTEGER 2260 2013 Limit the maximal rates for sending ICMPv6 messages. 2014 + 2261 2015 0 to disable any limiting, 2262 2016 otherwise the minimal space between responses in milliseconds. 2017 + 2263 2018 Default: 1000 2264 2019 2265 2020 ratemask - list of comma separated ranges ··· 2285 2030 echo_ignore_all - BOOLEAN 2286 2031 If set non-zero, then the kernel will ignore all ICMP ECHO 2287 2032 requests sent to it over the IPv6 protocol. 2033 + 2288 2034 Default: 0 2289 2035 2290 2036 echo_ignore_multicast - BOOLEAN 2291 2037 If set non-zero, then the kernel will ignore all ICMP ECHO 2292 2038 requests sent to it over the IPv6 protocol via multicast. 2039 + 2293 2040 Default: 0 2294 2041 2295 2042 echo_ignore_anycast - BOOLEAN 2296 2043 If set non-zero, then the kernel will ignore all ICMP ECHO 2297 2044 requests sent to it over the IPv6 protocol destined to anycast address. 2045 + 2298 2046 Default: 0 2299 2047 2300 2048 xfrm6_gc_thresh - INTEGER ··· 2313 2055 2314 2056 2315 2057 /proc/sys/net/bridge/* Variables: 2058 + ================================= 2316 2059 2317 2060 bridge-nf-call-arptables - BOOLEAN 2318 - 1 : pass bridged ARP traffic to arptables' FORWARD chain. 2319 - 0 : disable this. 2061 + - 1 : pass bridged ARP traffic to arptables' FORWARD chain. 2062 + - 0 : disable this. 2063 + 2320 2064 Default: 1 2321 2065 2322 2066 bridge-nf-call-iptables - BOOLEAN 2323 - 1 : pass bridged IPv4 traffic to iptables' chains. 2324 - 0 : disable this. 2067 + - 1 : pass bridged IPv4 traffic to iptables' chains. 2068 + - 0 : disable this. 2069 + 2325 2070 Default: 1 2326 2071 2327 2072 bridge-nf-call-ip6tables - BOOLEAN 2328 - 1 : pass bridged IPv6 traffic to ip6tables' chains. 2329 - 0 : disable this. 2073 + - 1 : pass bridged IPv6 traffic to ip6tables' chains. 2074 + - 0 : disable this. 
2075 + 2330 2076 Default: 1 2331 2077 2332 2078 bridge-nf-filter-vlan-tagged - BOOLEAN 2333 - 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. 2334 - 0 : disable this. 2079 + - 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. 2080 + - 0 : disable this. 2081 + 2335 2082 Default: 0 2336 2083 2337 2084 bridge-nf-filter-pppoe-tagged - BOOLEAN 2338 - 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. 2339 - 0 : disable this. 2085 + - 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. 2086 + - 0 : disable this. 2087 + 2340 2088 Default: 0 2341 2089 2342 2090 bridge-nf-pass-vlan-input-dev - BOOLEAN 2343 - 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan 2344 - interface on the bridge and set the netfilter input device to the vlan. 2345 - This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT 2346 - target work with vlan-on-top-of-bridge interfaces. When no matching 2347 - vlan interface is found, or this switch is off, the input device is 2348 - set to the bridge interface. 2349 - 0: disable bridge netfilter vlan interface lookup. 2091 + - 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan 2092 + interface on the bridge and set the netfilter input device to the 2093 + vlan. This allows use of e.g. "iptables -i br0.1" and makes the 2094 + REDIRECT target work with vlan-on-top-of-bridge interfaces. When no 2095 + matching vlan interface is found, or this switch is off, the input 2096 + device is set to the bridge interface. 2097 + 2098 + - 0: disable bridge netfilter vlan interface lookup. 
2099 + 2350 2100 Default: 0 2351 2101 2352 - proc/sys/net/sctp/* Variables: 2102 + ``proc/sys/net/sctp/*`` Variables: 2103 + ================================== 2353 2104 2354 2105 addip_enable - BOOLEAN 2355 2106 Enable or disable extension of Dynamic Address Reconfiguration ··· 2423 2156 we provide this variable to control the enforcement of the 2424 2157 authentication requirement. 2425 2158 2426 - 1: Allow ADD-IP extension to be used without authentication. This 2159 + == =============================================================== 2160 + 1 Allow ADD-IP extension to be used without authentication. This 2427 2161 should only be set in a closed environment for interoperability 2428 2162 with older implementations. 2429 2163 2430 - 0: Enforce the authentication requirement 2164 + 0 Enforce the authentication requirement 2165 + == =============================================================== 2431 2166 2432 2167 Default: 0 2433 2168 ··· 2439 2170 required for secure operation of Dynamic Address Reconfiguration 2440 2171 (ADD-IP) extension. 2441 2172 2442 - 1: Enable this extension. 2443 - 0: Disable this extension. 2173 + - 1: Enable this extension. 2174 + - 0: Disable this extension. 2444 2175 2445 2176 Default: 0 2446 2177 ··· 2448 2179 Enable or disable the Partial Reliability extension (RFC3758) which 2449 2180 is used to notify peers that a given DATA should no longer be expected. 2450 2181 2451 - 1: Enable extension 2452 - 0: Disable 2182 + - 1: Enable extension 2183 + - 0: Disable 2453 2184 2454 2185 Default: 1 2455 2186 ··· 2551 2282 Enable or disable the ability to extend the lifetime of the SCTP cookie 2552 2283 that is used during the establishment phase of SCTP association 2553 2284 2554 - 1: Enable cookie lifetime extension. 2555 - 0: Disable 2285 + - 1: Enable cookie lifetime extension. 
2286 + - 0: Disable 2556 2287 2557 2288 Default: 1 2558 2289 ··· 2560 2291 Select the hmac algorithm used when generating the cookie value sent by 2561 2292 a listening sctp socket to a connecting client in the INIT-ACK chunk. 2562 2293 Valid values are: 2294 + 2563 2295 * md5 2564 2296 * sha1 2565 2297 * none 2298 + 2566 2299 Ability to assign md5 or sha1 as the selected alg is predicated on the 2567 2300 configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and 2568 2301 CONFIG_CRYPTO_SHA1). ··· 2583 2312 to each association instead of the socket. This prevents the described 2584 2313 blocking. 2585 2314 2586 - 1: rcvbuf space is per association 2587 - 0: rcvbuf space is per socket 2315 + - 1: rcvbuf space is per association 2316 + - 0: rcvbuf space is per socket 2588 2317 2589 2318 Default: 0 2590 2319 2591 2320 sndbuf_policy - INTEGER 2592 2321 Similar to rcvbuf_policy above, this applies to send buffer space. 2593 2322 2594 - 1: Send buffer is tracked per association 2595 - 0: Send buffer is tracked per socket. 2323 + - 1: Send buffer is tracked per association 2324 + - 0: Send buffer is tracked per socket. 2596 2325 2597 2326 Default: 0 2598 2327 ··· 2625 2354 addr_scope_policy - INTEGER 2626 2355 Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 2627 2356 2628 - 0 - Disable IPv4 address scoping 2629 - 1 - Enable IPv4 address scoping 2630 - 2 - Follow draft but allow IPv4 private addresses 2631 - 3 - Follow draft but allow IPv4 link local addresses 2357 + - 0 - Disable IPv4 address scoping 2358 + - 1 - Enable IPv4 address scoping 2359 + - 2 - Follow draft but allow IPv4 private addresses 2360 + - 3 - Follow draft but allow IPv4 link local addresses 2632 2361 2633 2362 Default: 1 2634 2363 2635 2364 2636 - /proc/sys/net/core/* 2365 + ``/proc/sys/net/core/*`` 2366 + ======================== 2367 + 2637 2368 Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries. 
2638 2369 2639 2370 2640 - /proc/sys/net/unix/* 2371 + ``/proc/sys/net/unix/*`` 2372 + ======================== 2373 + 2641 2374 max_dgram_qlen - INTEGER 2642 2375 The maximum length of dgram socket receive queue 2643 2376
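Review bot: the new section titles are inconsistent and keep trailing colons. ``icmp/*``: and ``proc/sys/net/sctp/*`` Variables: wrap the path in literal markup, while /proc/sys/net/bridge/* Variables: is left bare, and the sctp title still lacks its leading slash. Suggest one form for all four, e.g. "``/proc/sys/net/bridge/*`` Variables" and "``/proc/sys/net/sctp/*`` Variables", without the colon, and re-check each underline length after the change so it is not shorter than the title.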
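Review bot: the rewrapped addr_gen_mode table row still carries the old typo, "1 do no generate a link-local address"; since the line is rewritten anyway, make it "do not generate".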
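Review bot: the force_mld_version bullet list starts directly under the "force_mld_version - INTEGER" term with no blank line, whereas suppress_frag_ndisc and the other converted entries gained one; add the blank line for consistency. In the same region, ndisc_tclass ends up with a one-item list "* 0 - (default)", which would read better as "Default: 0" like the neighbouring entries.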
+1 -1
Documentation/networking/snmp_counter.rst
··· 792 792 would only be skipped if the received packet is either a SYN packet or 793 793 it has no data. 794 794 795 - .. _sysctl document: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt 795 + .. _sysctl document: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst 796 796 797 797 * TcpExtTCPACKSkippedSynRecv 798 798
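Review bot: now that ip-sysctl is part of the Sphinx tree (it is added to networking/index.rst in this series), the external hyperlink target pointing at https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst could be replaced by a document cross-reference such as :doc:`ip-sysctl`, so the link is resolved and checked at build time instead of depending on the raw-file URL layout.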
+1 -1
net/Kconfig
··· 86 86 "Sysctl support" below, you can change various aspects of the 87 87 behavior of the TCP/IP code by writing to the (virtual) files in 88 88 /proc/sys/net/ipv4/*; the options are explained in the file 89 - <file:Documentation/networking/ip-sysctl.txt>. 89 + <file:Documentation/networking/ip-sysctl.rst>. 90 90 91 91 Short answer: say Y. 92 92
+1 -1
net/ipv4/Kconfig
··· 49 49 50 50 Note that some distributions enable it in startup scripts. 51 51 For details about rp_filter strict and loose mode read 52 - <file:Documentation/networking/ip-sysctl.txt>. 52 + <file:Documentation/networking/ip-sysctl.rst>. 53 53 54 54 If unsure, say N here. 55 55
+1 -1
net/ipv4/icmp.c
··· 853 853 case ICMP_FRAG_NEEDED: 854 854 /* for documentation of the ip_no_pmtu_disc 855 855 * values please see 856 - * Documentation/networking/ip-sysctl.txt 856 + * Documentation/networking/ip-sysctl.rst 857 857 */ 858 858 switch (net->ipv4.sysctl_ip_no_pmtu_disc) { 859 859 default: