| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/C/Linux/Documentation/networking/ (Open Source Betriebssystem Version 6.17.9©) Datei vom 24.10.2025 mit Größe 118 kB |
|
Quelle ip-sysctl.rst Sprache: unbekannt |
|
|
.. SPDX-License-Identifier: GPL-2.0
========= IP Sysctl ========= /proc/sys/net/ipv4/* Variables ============================== ip_forward - BOOLEAN Forward Packets between interfaces. This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers) Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) ip_default_ttl - INTEGER Default value of TTL field (Time To Live) for outgoing (but not forwarded) IP packets. Should be between 1 and 255 inclusive. Default: 64 (as recommended by RFC1700) ip_no_pmtu_disc - INTEGER Disable Path MTU Discovery. If enabled in mode 1 and a fragmentation-required ICMP is received, the PMTU to this destination will be set to the smallest of the old MTU to this destination and min_pmtu (see below). You will need to raise min_pmtu to the smallest interface MTU on your system manually if you want to avoid locally generated fragments. In mode 2 incoming Path MTU Discovery messages will be discarded. Outgoing frames are handled the same as in mode 1, implicitly setting IP_PMTUDISC_DONT on every created socket. Mode 3 is a hardened pmtu discover mode. The kernel will only accept fragmentation-needed errors if the underlying protocol can verify them besides a plain socket lookup. Current protocols for which pmtu events will be honored are TCP and SCTP as they verify e.g. the sequence number or the association. This mode should not be enabled globally but is only intended to secure e.g. name servers in namespaces where TCP path mtu must still work but path MTU information of other protocols should be discarded. If enabled globally this mode could break other protocols. Possible values: 0-3 Default: FALSE min_pmtu - INTEGER default 552 - minimum Path MTU. Unless this is changed manually, each cached pmtu will never be lower than this setting. ip_forward_use_pmtu - BOOLEAN By default we don't trust protocol path MTUs while forwarding because they could be easily forged and can lead to unwanted fragmentation by the router. You only need to enable this if you have user-space software which tries to discover path mtus by itself and depends on the kernel honoring this information. This is normally not the case. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) fwmark_reflect - BOOLEAN Controls the fwmark of kernel-generated IPv4 reply packets that are not associated with a socket for example, TCP RSTs or ICMP echo replies). If disabled, these packets have a fwmark of zero. If enabled, they have the fwmark of the packet they are replying to. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) fib_multipath_use_neigh - BOOLEAN Use status of existing neighbor entry when determining nexthop for multipath routes. If disabled, neighbor information is not used and packets could be directed to a failed nexthop. Only valid for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) fib_multipath_hash_policy - INTEGER Controls which hash policy to use for multipath routes. Only valid for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. Default: 0 (Layer 3) Possible values: - 0 - Layer 3 - 1 - Layer 4 - 2 - Layer 3 or inner Layer 3 if present - 3 - Custom multipath hash. Fields used for multipath hash calculation are determined by fib_multipath_hash_fields sysctl fib_multipath_hash_fields - UNSIGNED INTEGER When fib_multipath_hash_policy is set to 3 (custom multipath hash), the fields used for multipath hash calculation are determined by this sysctl. This value is a bitmask which enables various fields for multipath hash calculation. Possible fields are: ====== ============================ 0x0001 Source IP address 0x0002 Destination IP address 0x0004 IP protocol 0x0008 Unused (Flow Label) 0x0010 Source port 0x0020 Destination port 0x0040 Inner source IP address 0x0080 Inner destination IP address 0x0100 Inner IP protocol 0x0200 Inner Flow Label 0x0400 Inner source port 0x0800 Inner destination port ====== ============================ Default: 0x0007 (source IP, destination IP and IP protocol) fib_multipath_hash_seed - UNSIGNED INTEGER The seed value used when calculating hash for multipath routes. Applies to both IPv4 and IPv6 datapath. Only present for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled. When set to 0, the seed value used for multipath routing defaults to an internal random-generated one. The actual hashing algorithm is not specified -- there is no guarantee that a next hop distribution effected by a given seed will keep stable across kernel versions. Default: 0 (random) fib_sync_mem - UNSIGNED INTEGER Amount of dirty memory from fib entries that can be backlogged before synchronize_rcu is forced. Default: 512kB Minimum: 64kB Maximum: 64MB ip_forward_update_priority - INTEGER Whether to update SKB priority from "TOS" field in IPv4 header after it is forwarded. The new SKB priority is mapped from TOS field value according to an rt_tos2priority table (see e.g. man tc-prio). Default: 1 (Update priority.) Possible values: - 0 - Do not update priority. - 1 - Update priority. route/max_size - INTEGER Maximum number of routes allowed in the kernel. Increase this when using large numbers of interfaces and/or routes. From linux kernel 3.6 onwards, this is deprecated for ipv4 as route cache is no longer used. From linux kernel 6.3 onwards, this is deprecated for ipv6 as garbage collection manages cached route entries. neigh/default/gc_thresh1 - INTEGER Minimum number of entries to keep. Garbage collector will not purge entries if there are fewer than this number. Default: 128 neigh/default/gc_thresh2 - INTEGER Threshold when garbage collector becomes more aggressive about purging entries. Entries older than 5 seconds will be cleared when over this number. Default: 512 neigh/default/gc_thresh3 - INTEGER Maximum number of non-PERMANENT neighbor entries allowed. Increase this when using large numbers of interfaces and when communicating with large numbers of directly-connected peers. Default: 1024 neigh/default/unres_qlen_bytes - INTEGER The maximum number of bytes which may be used by packets queued for each unresolved address by other network layers. (added in linux 3.3) Setting negative value is meaningless and will return error. Default: SK_WMEM_MAX, (same as net.core.wmem_default). Exact value depends on architecture and kernel options, but should be enough to allow queuing 256 packets of medium size. neigh/default/unres_qlen - INTEGER The maximum number of packets which may be queued for each unresolved address by other network layers. (deprecated in linux 3.3) : use unres_qlen_bytes instead. Prior to linux 3.3, the default value is 3 which may cause unexpected packet loss. The current default value is calculated according to default value of unres_qlen_bytes and true size of packet. Default: 101 neigh/default/interval_probe_time_ms - INTEGER The probe interval for neighbor entries with NTF_MANAGED flag, the min value is 1. Default: 5000 mtu_expires - INTEGER Time, in seconds, that cached PMTU information is kept. min_adv_mss - INTEGER The advertised MSS depends on the first hop route MTU, but will never be lower than this setting. fib_notify_on_flag_change - INTEGER Whether to emit RTM_NEWROUTE notifications whenever RTM_F_OFFLOAD/ RTM_F_TRAP/RTM_F_OFFLOAD_FAILED flags are changed. After installing a route to the kernel, user space receives an acknowledgment, which means the route was installed in the kernel, but not necessarily in hardware. It is also possible for a route already installed in hardware to change its action and therefore its flags. For example, a host route that is trapping packets can be "promoted" to perform decapsulation following the installation of an IPinIP/VXLAN tunnel. The notifications will indicate to user-space the state of the route. Default: 0 (Do not emit notifications.) Possible values: - 0 - Do not emit notifications. - 1 - Emit notifications. - 2 - Emit notifications only for RTM_F_OFFLOAD_FAILED flag change. IP Fragmentation: ipfrag_high_thresh - LONG INTEGER Maximum memory used to reassemble IP fragments. ipfrag_low_thresh - LONG INTEGER (Obsolete since linux-4.17) Maximum memory used to reassemble IP fragments before the kernel begins to remove incomplete fragment queues to free up resources. The kernel still accepts new fragments for defragmentation. ipfrag_time - INTEGER Time in seconds to keep an IP fragment in memory. ipfrag_max_dist - INTEGER ipfrag_max_dist is a non-negative integer value which defines the maximum "disorder" which is allowed among fragments which share a common IP source address. Note that reordering of packets is not unusual, but if a large number of fragments arrive from a source IP address while a particular fragment queue remains incomplete, it probably indicates that one or more fragments belonging to that queue have been lost. When ipfrag_max_dist is positive, an additional check is done on fragments before they are added to a reassembly queue - if ipfrag_max_dist (or more) fragments have arrived from a particular IP address between additions to any IP fragment queue using that source address, it's presumed that one or more fragments in the queue are lost. The existing fragment queue will be dropped, and a new one started. An ipfrag_max_dist value of zero disables this check. Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can result in unnecessarily dropping fragment queues when normal reordering of packets occurs, which could lead to poor application performance. Using a very large value, e.g. 50000, increases the likelihood of incorrectly reassembling IP fragments that originate from different IP datagrams, which could result in data corruption. Default: 64 bc_forwarding - INTEGER bc_forwarding enables the feature described in rfc1812#section-5.3.5.2 and rfc2644. It allows the router to forward directed broadcast. To enable this feature, the 'all' entry and the input interface entry should be set to 1. Default: 0 INET peer storage ================= inet_peer_threshold - INTEGER The approximate size of the storage. Starting from this threshold entries will be thrown aggressively. This threshold also determines entries' time-to-live and time intervals between garbage collection passes. More entries, less time-to-live, less GC interval. inet_peer_minttl - INTEGER Minimum time-to-live of entries. Should be enough to cover fragment time-to-live on the reassembling side. This minimum time-to-live is guaranteed if the pool size is less than inet_peer_threshold. Measured in seconds. inet_peer_maxttl - INTEGER Maximum time-to-live of entries. Unused entries will expire after this period of time if there is no memory pressure on the pool (i.e. when the number of entries in the pool is very small). Measured in seconds. TCP variables ============= somaxconn - INTEGER Limit of socket listen() backlog, known in userspace as SOMAXCONN. Defaults to 4096. (Was 128 before linux-5.4) See also tcp_max_syn_backlog for additional tuning for TCP sockets. tcp_abort_on_overflow - BOOLEAN If listening service is too slow to accept new connections, reset them. Default state is FALSE. It means that if overflow occurred due to a burst, connection will recover. Enable this option _only_ if you are really sure that listening daemon cannot be tuned to accept connections faster. Enabling this option can harm clients of your server. tcp_adv_win_scale - INTEGER Obsolete since linux-6.6 Count buffering overhead as bytes/2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), if it is <= 0. Possible values are [-31, 31], inclusive. Default: 1 tcp_allowed_congestion_control - STRING Show/set the congestion control choices available to non-privileged processes. The list is a subset of those listed in tcp_available_congestion_control. Default is "reno" and the default setting (tcp_congestion_control). tcp_app_win - INTEGER Reserve max(window/2^tcp_app_win, mss) of window for application buffer. Value 0 is special, it means that nothing is reserved. Possible values are [0, 31], inclusive. Default: 31 tcp_autocorking - BOOLEAN Enable TCP auto corking : When applications do consecutive small write()/sendmsg() system calls, we try to coalesce these small writes as much as possible, to lower total amount of sent packets. This is done if at least one prior packet for the flow is waiting in Qdisc queues or device transmit queue. Applications can still use TCP_CORK for optimal behavior when they know how/when to uncork their sockets. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_available_congestion_control - STRING Shows the available congestion control choices that are registered. More congestion control algorithms may be available as modules, but not loaded. tcp_base_mss - INTEGER The initial value of search_low to be used by the packetization layer Path MTU discovery (MTU probing). If MTU probing is enabled, this is the initial MSS used by the connection. tcp_mtu_probe_floor - INTEGER If MTU probing is enabled this caps the minimum MSS used for search_low for the connection. Default : 48 tcp_min_snd_mss - INTEGER TCP SYN and SYNACK messages usually advertise an ADVMSS option, as described in RFC 1122 and RFC 6691. If this ADVMSS option is smaller than tcp_min_snd_mss, it is silently capped to tcp_min_snd_mss. Default : 48 (at least 8 bytes of payload per segment) tcp_congestion_control - STRING Set the congestion control algorithm to be used for new connections. The algorithm "reno" is always available, but additional choices may be available based on kernel configuration. Default is set as part of kernel configuration. For passive connections, the listener congestion control choice is inherited. [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ] tcp_dsack - BOOLEAN Allows TCP to send "duplicate" SACKs. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_early_retrans - INTEGER Tail loss probe (TLP) converts RTOs occurring due to tail losses into fast recovery (RFC8985). Note that TLP requires RACK to function properly (see tcp_recovery below) Possible values: - 0 disables TLP - 3 or 4 enables TLP Default: 3 tcp_ecn - INTEGER Control use of Explicit Congestion Notification (ECN) by TCP. ECN is used only when both ends of the TCP connection indicate support for it. This feature is useful in avoiding losses due to congestion by allowing supporting routers to signal congestion before having to drop packets. Possible values are: = ===================================================== 0 Disable ECN. Neither initiate nor accept ECN. 1 Enable ECN when requested by incoming connections and also request ECN on outgoing connection attempts. 2 Enable ECN when requested by incoming connections but do not request ECN on outgoing connections. = ===================================================== Default: 2 tcp_ecn_fallback - BOOLEAN If the kernel detects that ECN connection misbehaves, enable fall back to non-ECN. Currently, this knob implements the fallback from RFC3168, section 6.1.1.1., but we reserve that in future, additional detection mechanisms could be implemented under this knob. The value is not used, if tcp_ecn or per route (or congestion control) ECN settings are disabled. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_fack - BOOLEAN This is a legacy option, it has no effect anymore. tcp_fin_timeout - INTEGER The length of time an orphaned (no longer referenced by any application) connection will remain in the FIN_WAIT_2 state before it is aborted at the local end. While a perfectly valid "receive only" state for an un-orphaned connection, an orphaned connection in FIN_WAIT_2 state could otherwise wait forever for the remote to close its end of the connection. Cf. tcp_max_orphans Default: 60 seconds tcp_frto - INTEGER Enables Forward RTO-Recovery (F-RTO) defined in RFC5682. F-RTO is an enhanced recovery algorithm for TCP retransmission timeouts. It is particularly beneficial in networks where the RTT fluctuates (e.g., wireless). F-RTO is sender-side only modification. It does not require any support from the peer. By default it's enabled with a non-zero value. 0 disables F-RTO. tcp_fwmark_accept - BOOLEAN If enabled, incoming connections to listening sockets that do not have a socket mark will set the mark of the accepting socket to the fwmark of the incoming SYN packet. This will cause all packets on that connection (starting from the first SYNACK) to be sent with that fwmark. The listening socket's mark is unchanged. Listening sockets that already have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are unaffected. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_invalid_ratelimit - INTEGER Limit the maximal rate for sending duplicate acknowledgments in response to incoming TCP packets that are for an existing connection but that are invalid due to any of these reasons: (a) out-of-window sequence number, (b) out-of-window acknowledgment number, or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure This can help mitigate simple "ack loop" DoS attacks, wherein a buggy or malicious middlebox or man-in-the-middle can rewrite TCP header fields in manner that causes each endpoint to think that the other is sending invalid TCP segments, thus causing each side to send an unterminating stream of duplicate acknowledgments for invalid segments. Using 0 disables rate-limiting of dupacks in response to invalid segments; otherwise this value specifies the minimal space between sending such dupacks, in milliseconds. Default: 500 (milliseconds). tcp_keepalive_time - INTEGER How often TCP sends out keepalive messages when keepalive is enabled. Default: 2hours. tcp_keepalive_probes - INTEGER How many keepalive probes TCP sends out, until it decides that the connection is broken. Default value: 9. tcp_keepalive_intvl - INTEGER How frequently the probes are send out. Multiplied by tcp_keepalive_probes it is time to kill not responding connection, after probes started. Default value: 75sec i.e. connection will be aborted after ~11 minutes of retries. tcp_l3mdev_accept - BOOLEAN Enables child sockets to inherit the L3 master device index. Enabling this option allows a "global" listen socket to work across L3 master domains (e.g., VRFs) with connected sockets derived from the listen socket to be bound to the L3 domain in which the packets originated. Only valid when the kernel was compiled with CONFIG_NET_L3_MASTER_DEV. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_low_latency - BOOLEAN This is a legacy option, it has no effect anymore. tcp_max_orphans - INTEGER Maximal number of TCP sockets not attached to any user file handle, held by system. If this number is exceeded orphaned connections are reset immediately and warning is printed. This limit exists only to prevent simple DoS attacks, you _must_ not rely on this or lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than default value, and tune network services to linger and kill such states more aggressively. Let me to remind again: each orphan eats up to ~64K of unswappable memory. tcp_max_syn_backlog - INTEGER Maximal number of remembered connection requests (SYN_RECV), which have not received an acknowledgment from connecting client. This is a per-listener limit. The minimal value is 128 for low memory machines, and it will increase in proportion to the memory of machine. If server suffers from overload, try increasing this number. Remember to also check /proc/sys/net/core/somaxconn A SYN_RECV request socket consumes about 304 bytes of memory. tcp_max_tw_buckets - INTEGER Maximal number of timewait sockets held by system simultaneously. If this number is exceeded time-wait socket is immediately destroyed and warning is printed. This limit exists only to prevent simple DoS attacks, you _must_ not lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than default value. tcp_mem - vector of 3 INTEGERs: min, pressure, max min: below this number of pages TCP is not bothered about its memory appetite. pressure: when amount of memory allocated by TCP exceeds this number of pages, TCP moderates its memory consumption and enters memory pressure mode, which is exited when memory consumption falls under "min". max: number of pages allowed for queueing by all TCP sockets. Defaults are calculated at boot time from amount of available memory. tcp_min_rtt_wlen - INTEGER The window length of the windowed min filter to track the minimum RTT. A shorter window lets a flow more quickly pick up new (higher) minimum RTT when it is moved to a longer path (e.g., due to traffic engineering). A longer window makes the filter more resistant to RTT inflations such as transient congestion. The unit is seconds. Possible values: 0 - 86400 (1 day) Default: 300 tcp_moderate_rcvbuf - BOOLEAN If enabled, TCP performs receive buffer auto-tuning, attempting to automatically size the buffer (no greater than tcp_rmem[2]) to match the size required by the path for full throughput. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_mtu_probing - INTEGER Controls TCP Packetization-Layer Path MTU Discovery. Takes three values: - 0 - Disabled - 1 - Disabled by default, enabled when an ICMP black hole detected - 2 - Always enabled, use initial MSS of tcp_base_mss. tcp_probe_interval - UNSIGNED INTEGER Controls how often to start TCP Packetization-Layer Path MTU Discovery reprobe. The default is reprobing every 10 minutes as per RFC4821. tcp_probe_threshold - INTEGER Controls when TCP Packetization-Layer Path MTU Discovery probing will stop in respect to the width of search range in bytes. Default is 8 bytes. tcp_no_metrics_save - BOOLEAN By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the near future can use these to set initial conditions. Usually, this increases overall performance, but may sometimes cause performance degradation. If enabled, TCP will not cache metrics on closing connections. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_no_ssthresh_metrics_save - BOOLEAN Controls whether TCP saves ssthresh metrics in the route cache. If enabled, ssthresh metrics are disabled. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_orphan_retries - INTEGER This value influences the timeout of a locally closed TCP connection, when RTO retransmissions remain unacknowledged. See tcp_retries2 for more details. The default value is 8. If your machine is a loaded WEB server, you should think about lowering this value, such sockets may consume significant resources. Cf. tcp_max_orphans. tcp_recovery - INTEGER This value is a bitmap to enable various experimental loss recovery features. ========= ============================================================= RACK: 0x1 enables RACK loss detection, for fast detection of lost retransmissions and tail drops, and resilience to reordering. currently, setting this bit to 0 has no effect, since RACK is the only supported loss detection algorithm. RACK: 0x2 makes RACK's reordering window static (min_rtt/4). RACK: 0x4 disables RACK's DUPACK threshold heuristic ========= ============================================================= Default: 0x1 tcp_reflect_tos - BOOLEAN For listening sockets, reuse the DSCP value of the initial SYN message for outgoing packets. This allows to have both directions of a TCP stream to use the same DSCP value, assuming DSCP remains unchanged for the lifetime of the connection. This options affects both IPv4 and IPv6. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_reordering - INTEGER Initial reordering level of packets in a TCP stream. TCP stack can then dynamically adjust flow reordering level between this initial value and tcp_max_reordering Default: 3 tcp_max_reordering - INTEGER Maximal reordering level of packets in a TCP stream. 300 is a fairly conservative value, but you might increase it if paths are using per packet load balancing (like bonding rr mode) Default: 300 tcp_retrans_collapse - BOOLEAN Bug-to-bug compatibility with some broken printers. On retransmit try to send bigger packets to work around bugs in certain TCP stacks. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_retries1 - INTEGER This value influences the time, after which TCP decides, that something is wrong due to unacknowledged RTO retransmissions, and reports this suspicion to the network layer. See tcp_retries2 for more details. RFC 1122 recommends at least 3 retransmissions, which is the default. tcp_retries2 - INTEGER This value influences the timeout of an alive TCP connection, when RTO retransmissions remain unacknowledged. Given a value of N, a hypothetical TCP connection following exponential backoff with an initial RTO of TCP_RTO_MIN would retransmit N times before killing the connection at the (N+1)th RTO. The default value of 15 yields a hypothetical timeout of 924.6 seconds and is a lower bound for the effective timeout. TCP will effectively time out at the first RTO which exceeds the hypothetical timeout. If tcp_rto_max_ms is decreased, it is recommended to also change tcp_retries2. RFC 1122 recommends at least 100 seconds for the timeout, which corresponds to a value of at least 8. tcp_rfc1337 - BOOLEAN If enabled, the TCP stack behaves conforming to RFC1337. If unset, we are not conforming to RFC, but prevent TCP TIME_WAIT assassination. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_rmem - vector of 3 INTEGERs: min, default, max min: Minimal size of receive buffer used by TCP sockets. It is guaranteed to each TCP socket, even under moderate memory pressure. Default: 4K default: initial size of receive buffer used by TCP sockets. This value overrides net.core.rmem_default used by other protocols. Default: 131072 bytes. This value results in initial window of 65535. max: maximal size of receive buffer allowed for automatically selected receiver buffers for TCP socket. This value does not override net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables automatic tuning of that socket's receive buffer size, in which case this value is ignored. Default: between 131072 and 32MB, depending on RAM size. tcp_sack - BOOLEAN Enable select acknowledgments (SACKS). Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_comp_sack_delay_ns - LONG INTEGER TCP tries to reduce number of SACK sent, using a timer based on 5% of SRTT, capped by this sysctl, in nano seconds. The default is 1ms, based on TSO autosizing period. Default : 1,000,000 ns (1 ms) tcp_comp_sack_slack_ns - LONG INTEGER This sysctl control the slack used when arming the timer used by SACK compression. This gives extra time for small RTT flows, and reduces system overhead by allowing opportunistic reduction of timer interrupts. Default : 100,000 ns (100 us) tcp_comp_sack_nr - INTEGER Max number of SACK that can be compressed. Using 0 disables SACK compression. Default : 44 tcp_backlog_ack_defer - BOOLEAN If enabled, user thread processing socket backlog tries sending one ACK for the whole queue. This helps to avoid potential long latencies at end of a TCP socket syscall. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_slow_start_after_idle - BOOLEAN If enabled, provide RFC2861 behavior and time out the congestion window after an idle period. An idle period is defined at the current RTO. If unset, the congestion window will not be timed out after an idle period. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_stdurg - BOOLEAN Use the Host requirements interpretation of the TCP urgent pointer field. Most hosts use the older BSD interpretation, so if enabled, Linux might not communicate correctly with them. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_synack_retries - INTEGER Number of times SYNACKs for a passive TCP connection attempt will be retransmitted. Should not be higher than 255. Default value is 5, which corresponds to 31seconds till the last retransmission with the current initial RTO of 1second. With this the final timeout for a passive TCP connection will happen after 63seconds. tcp_syncookies - INTEGER Only valid when the kernel was compiled with CONFIG_SYN_COOKIES Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack' Default: 1 Note, that syncookies is fallback facility. It MUST NOT be used to help highly loaded servers to stand against legal connection rate. If you see SYN flood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune another parameters until this warning disappear. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you. While you see SYN flood warnings in logs not being really flooded, your server is seriously misconfigured. If you want to test which effects syncookies have to your network connections you can set this knob to 2 to enable unconditionally generation of syncookies. tcp_migrate_req - BOOLEAN The incoming connection is tied to a specific listening socket when the initial SYN packet is received during the three-way handshake. When a listener is closed, in-flight request sockets during the handshake and established sockets in the accept queue are aborted. If the listener has SO_REUSEPORT enabled, other listeners on the same port should have been able to accept such connections. This option makes it possible to migrate such child sockets to another listener after close() or shutdown(). The BPF_SK_REUSEPORT_SELECT_OR_MIGRATE type of eBPF program should usually be used to define the policy to pick an alive listener. Otherwise, the kernel will randomly pick an alive listener only if this option is enabled. Note that migration between listeners with different settings may crash applications. Let's say migration happens from listener A to B, and only B has TCP_SAVE_SYN enabled. B cannot read SYN data from the requests migrated from A. To avoid such a situation, cancel migration by returning SK_DROP in the type of eBPF program, or disable this option. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_fastopen - INTEGER Enable TCP Fast Open (RFC7413) to send and accept data in the opening SYN packet. The client support is enabled by flag 0x1 (on by default). The client then must use sendmsg() or sendto() with the MSG_FASTOPEN flag, rather than connect() to send data in SYN. The server support is enabled by flag 0x2 (off by default). Then either enable for all listeners with another flag (0x400) or enable individual listeners via TCP_FASTOPEN socket option with the option value being the length of the syn-data backlog. The values (bitmap) are ===== ======== ====================================================== 0x1 (client) enables sending data in the opening SYN on the client. 0x2 (server) enables the server support, i.e., allowing data in a SYN packet to be accepted and passed to the application before 3-way handshake finishes. 0x4 (client) send data in the opening SYN regardless of cookie availability and without a cookie option. 0x200 (server) accept data-in-SYN w/o any cookie option present. 0x400 (server) enable all listeners to support Fast Open by default without explicit TCP_FASTOPEN socket option. ===== ======== ====================================================== Default: 0x1 Note that additional client or server features are only effective if the basic support (0x1 and 0x2) are enabled respectively. tcp_fastopen_blackhole_timeout_sec - INTEGER Initial time period in second to disable Fastopen on active TCP sockets when a TFO firewall blackhole issue happens. This time period will grow exponentially when more blackhole issues get detected right after Fastopen is re-enabled and will reset to initial value when the blackhole issue goes away. 0 to disable the blackhole detection. By default, it is set to 0 (feature is disabled). tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs The list consists of a primary key and an optional backup key. The primary key is used for both creating and validating cookies, while the optional backup key is only used for validating cookies. The purpose of the backup key is to maximize TFO validation when keys are rotated. A randomly chosen primary key may be configured by the kernel if the tcp_fastopen sysctl is set to 0x400 (see above), or if the TCP_FASTOPEN setsockopt() optname is set and a key has not been previously configured via sysctl. If keys are configured via setsockopt() by using the TCP_FASTOPEN_KEY optname, then those per-socket keys will be used instead of any keys that are specified via sysctl. A key is specified as 4 8-digit hexadecimal integers which are separated by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be omitted. A primary and a backup key may be specified by separating them by a comma. If only one key is specified, it becomes the primary key and any previously configured backup keys are removed. tcp_syn_retries - INTEGER Number of times initial SYNs for an active TCP connection attempt will be retransmitted. Should not be higher than 127. Default value is 6, which corresponds to 67seconds (with tcp_syn_linear_timeouts = 4) till the last retransmission with the current initial RTO of 1second. With this the final timeout for an active TCP connection attempt will happen after 131seconds. tcp_timestamps - INTEGER Enable timestamps as defined in RFC1323. - 0: Disabled. - 1: Enable timestamps as defined in RFC1323 and use random offset for each connection rather than only using the current time. - 2: Like 1, but without random offsets. Default: 1 tcp_min_tso_segs - INTEGER Minimal number of segments per TSO frame. Since linux-3.12, TCP does an automatic sizing of TSO frames, depending on flow rate, instead of filling 64Kbytes packets. For specific usages, it's possible to force TCP to build big TSO frames. Note that TCP stack might split too big TSO packets if available window is too small. Default: 2 tcp_tso_rtt_log - INTEGER Adjustment of TSO packet sizes based on min_rtt Starting from linux-5.18, TCP autosizing can be tweaked for flows having small RTT. Old autosizing was splitting the pacing budget to send 1024 TSO per second. tso_packet_size = sk->sk_pacing_rate / 1024; With the new mechanism, we increase this TSO sizing using: distance = min_rtt_usec / (2^tcp_tso_rtt_log) tso_packet_size += gso_max_size >> distance; This means that flows between very close hosts can use bigger TSO packets, reducing their cpu costs. If you want to use the old autosizing, set this sysctl to 0. Default: 9 (2^9 = 512 usec) tcp_pacing_ss_ratio - INTEGER sk->sk_pacing_rate is set by TCP stack using a ratio applied to current rate. (current_rate = cwnd * mss / srtt) If TCP is in slow start, tcp_pacing_ss_ratio is applied to let TCP probe for bigger speeds, assuming cwnd can be doubled every other RTT. Default: 200 tcp_pacing_ca_ratio - INTEGER sk->sk_pacing_rate is set by TCP stack using a ratio applied to current rate. (current_rate = cwnd * mss / srtt) If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio is applied to conservatively probe for bigger throughput. Default: 120 tcp_syn_linear_timeouts - INTEGER The number of times for an active TCP connection to retransmit SYNs with a linear backoff timeout before defaulting to an exponential backoff timeout. This has no effect on SYNACK at the passive TCP side. With an initial RTO of 1 and tcp_syn_linear_timeouts = 4 we would expect SYN RTOs to be: 1, 1, 1, 1, 1, 2, 4, ... (4 linear timeouts, and the first exponential backoff using 2^0 * initial_RTO). Default: 4 tcp_tso_win_divisor - INTEGER This allows control over what percentage of the congestion window can be consumed by a single TSO frame. The setting of this parameter is a choice between burstiness and building larger TSO frames. Default: 3 tcp_tw_reuse - INTEGER Enable reuse of TIME-WAIT sockets for new connections when it is safe from protocol viewpoint. - 0 - disable - 1 - global enable - 2 - enable for loopback traffic only It should not be changed without advice/request of technical experts. Default: 2 tcp_tw_reuse_delay - UNSIGNED INTEGER The delay in milliseconds before a TIME-WAIT socket can be reused by a new connection, if TIME-WAIT socket reuse is enabled. The actual reuse threshold is within [N, N+1] range, where N is the requested delay in milliseconds, to ensure the delay interval is never shorter than the configured value. This setting contains an assumption about the other TCP timestamp clock tick interval. It should not be set to a value lower than the peer's clock tick for PAWS (Protection Against Wrapped Sequence numbers) mechanism work correctly for the reused connection. Default: 1000 (milliseconds) tcp_window_scaling - BOOLEAN Enable window scaling as defined in RFC1323. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) tcp_shrink_window - BOOLEAN This changes how the TCP receive window is calculated. RFC 7323, section 2.4, says there are instances when a retracted window can be offered, and that TCP implementations MUST ensure that they handle a shrinking window, as specified in RFC 1122. Possible values: - 0 (disabled) - The window is never shrunk. - 1 (enabled) - The window is shrunk when necessary to remain within the memory limit set by autotuning (sk_rcvbuf). This only occurs if a non-zero receive window scaling factor is also in effect. Default: 0 (disabled) tcp_wmem - vector of 3 INTEGERs: min, default, max min: Amount of memory reserved for send buffers for TCP sockets. Each TCP socket has rights to use it due to fact of its birth. Default: 4K default: initial size of send buffer used by TCP sockets. This value overrides net.core.wmem_default used by other protocols. It is usually lower than net.core.wmem_default. Default: 16K max: Maximal amount of memory allowed for automatically tuned send buffers for TCP sockets. This value does not override net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables automatic tuning of that socket's send buffer size, in which case this value is ignored. Default: between 64K and 4MB, depending on RAM size. tcp_notsent_lowat - UNSIGNED INTEGER A TCP socket can control the amount of unsent bytes in its write queue, thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll() reports POLLOUT events if the amount of unsent bytes is below a per socket value, and if the write queue is not full. sendmsg() will also not add new buffers if the limit is hit. This global variable controls the amount of unsent data for sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change to the global variable has immediate effect. Default: UINT_MAX (0xFFFFFFFF) tcp_workaround_signed_windows - BOOLEAN If enabled, assume no receipt of a window scaling option means the remote TCP is broken and treats the window as a signed quantity. If disabled, assume the remote TCP is not broken even if we do not receive a window scaling option from them. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_thin_linear_timeouts - BOOLEAN Enable dynamic triggering of linear timeouts for thin streams. If enabled, a check is performed upon retransmission by timeout to determine if the stream is thin (less than 4 packets in flight). As long as the stream is found to be thin, up to 6 linear timeouts may be performed before exponential backoff mode is initiated. This improves retransmission latency for non-aggressive thin streams, often found to be time-dependent. For more information on thin streams, see Documentation/networking/tcp-thin.rst Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_limit_output_bytes - INTEGER Controls TCP Small Queue limit per tcp socket. TCP bulk sender tends to increase packets in flight until it gets losses notifications. With SNDBUF autotuning, this can result in a large amount of packets queued on the local machine (e.g.: qdiscs, CPU backlog, or device) hurting latency of other flows, for typical pfifo_fast qdiscs. tcp_limit_output_bytes limits the number of bytes on qdisc or device to reduce artificial RTT/cwnd and reduce bufferbloat. Default: 4194304 (4 MB) tcp_challenge_ack_limit - INTEGER Limits number of Challenge ACK sent per second, as recommended in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) Note that this per netns rate limit can allow some side channel attacks and probably should not be enabled. TCP stack implements per TCP socket limits anyway. Default: INT_MAX (unlimited) tcp_ehash_entries - INTEGER Show the number of hash buckets for TCP sockets in the current networking namespace. A negative value means the networking namespace does not own its hash buckets and shares the initial networking namespace's one. tcp_child_ehash_entries - INTEGER Control the number of hash buckets for TCP sockets in the child networking namespace, which must be set before clone() or unshare(). If the value is not 0, the kernel uses a value rounded up to 2^n as the actual hash bucket size. 0 is a special value, meaning the child networking namespace will share the initial networking namespace's hash buckets. Note that the child will use the global one in case the kernel fails to allocate enough memory. In addition, the global hash buckets are spread over available NUMA nodes, but the allocation of the child hash table depends on the current process's NUMA policy, which could result in performance differences. Note also that the default value of tcp_max_tw_buckets and tcp_max_syn_backlog depend on the hash bucket size. Possible values: 0, 2^n (n: 0 - 24 (16Mi)) Default: 0 tcp_plb_enabled - BOOLEAN If enabled and the underlying congestion control (e.g. DCTCP) supports and enables PLB feature, TCP PLB (Protective Load Balancing) is enabled. PLB is described in the following paper: https://doi.org/10.1145/3544216.3544226. Based on PLB parameters, upon sensing sustained congestion, TCP triggers a change in flow label field for outgoing IPv6 packets. A change in flow label field potentially changes the path of outgoing packets for switches that use ECMP/WCMP for routing. PLB changes socket txhash which results in a change in IPv6 Flow Label field, and currently no-op for IPv4 headers. It is possible to apply PLB for IPv4 with other network header fields (e.g. TCP or IPv4 options) or using encapsulation where outer header is used by switches to determine next hop. In either case, further host and switch side changes will be needed. If enabled, PLB assumes that congestion signal (e.g. ECN) is made available and used by congestion control module to estimate a congestion measure (e.g. ce_ratio). PLB needs a congestion measure to make repathing decisions. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) tcp_plb_idle_rehash_rounds - INTEGER Number of consecutive congested rounds (RTT) seen after which a rehash can be performed, given there are no packets in flight. This is referred to as M in PLB paper: https://doi.org/10.1145/3544216.3544226. Possible Values: 0 - 31 Default: 3 tcp_plb_rehash_rounds - INTEGER Number of consecutive congested rounds (RTT) seen after which a forced rehash can be performed. Be careful when setting this parameter, as a small value increases the risk of retransmissions. This is referred to as N in PLB paper: https://doi.org/10.1145/3544216.3544226. Possible Values: 0 - 31 Default: 12 tcp_plb_suspend_rto_sec - INTEGER Time, in seconds, to suspend PLB in event of an RTO. In order to avoid having PLB repath onto a connectivity "black hole", after an RTO a TCP connection suspends PLB repathing for a random duration between 1x and 2x of this parameter. Randomness is added to avoid concurrent rehashing of multiple TCP connections. This should be set corresponding to the amount of time it takes to repair a failed link. Possible Values: 0 - 255 Default: 60 tcp_plb_cong_thresh - INTEGER Fraction of packets marked with congestion over a round (RTT) to tag that round as congested. This is referred to as K in the PLB paper: https://doi.org/10.1145/3544216.3544226. The 0-1 fraction range is mapped to 0-256 range to avoid floating point operations. For example, 128 means that if at least 50% of the packets in a round were marked as congested then the round will be tagged as congested. Setting threshold to 0 means that PLB repaths every RTT regardless of congestion. This is not intended behavior for PLB and should be used only for experimentation purpose. Possible Values: 0 - 256 Default: 128 tcp_pingpong_thresh - INTEGER The number of estimated data replies sent for estimated incoming data requests that must happen before TCP considers that a connection is a "ping-pong" (request-response) connection for which delayed acknowledgments can provide benefits. This threshold is 1 by default, but some applications may need a higher threshold for optimal performance. Possible Values: 1 - 255 Default: 1 tcp_rto_min_us - INTEGER Minimal TCP retransmission timeout (in microseconds). Note that the rto_min route option has the highest precedence for configuring this setting, followed by the TCP_BPF_RTO_MIN and TCP_RTO_MIN_US socket options, followed by this tcp_rto_min_us sysctl. The recommended practice is to use a value less or equal to 200000 microseconds. Possible Values: 1 - INT_MAX Default: 200000 tcp_rto_max_ms - INTEGER Maximal TCP retransmission timeout (in ms). Note that TCP_RTO_MAX_MS socket option has higher precedence. When changing tcp_rto_max_ms, it is important to understand that tcp_retries2 might need a change. Possible Values: 1000 - 120,000 Default: 120,000 UDP variables ============= udp_l3mdev_accept - BOOLEAN Enabling this option allows a "global" bound socket to work across L3 master domains (e.g., VRFs) with packets capable of being received regardless of the L3 domain in which they originated. Only valid when the kernel was compiled with CONFIG_NET_L3_MASTER_DEV. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) udp_mem - vector of 3 INTEGERs: min, pressure, max Number of pages allowed for queueing by all UDP sockets. min: Number of pages allowed for queueing by all UDP sockets. pressure: This value was introduced to follow format of tcp_mem. max: This value was introduced to follow format of tcp_mem. Default is calculated at boot time from amount of available memory. udp_rmem_min - INTEGER Minimal size of receive buffer used by UDP sockets in moderation. Each UDP socket is able to use the size for receiving data, even if total pages of UDP sockets exceed udp_mem pressure. The unit is byte. Default: 4K udp_wmem_min - INTEGER UDP does not have tx memory accounting and this tunable has no effect. udp_hash_entries - INTEGER Show the number of hash buckets for UDP sockets in the current networking namespace. A negative value means the networking namespace does not own its hash buckets and shares the initial networking namespace's one. udp_child_hash_entries - INTEGER Control the number of hash buckets for UDP sockets in the child networking namespace, which must be set before clone() or unshare(). If the value is not 0, the kernel uses a value rounded up to 2^n as the actual hash bucket size. 0 is a special value, meaning the child networking namespace will share the initial networking namespace's hash buckets. Note that the child will use the global one in case the kernel fails to allocate enough memory. In addition, the global hash buckets are spread over available NUMA nodes, but the allocation of the child hash table depends on the current process's NUMA policy, which could result in performance differences. Possible values: 0, 2^n (n: 7 (128) - 16 (64K)) Default: 0 RAW variables ============= raw_l3mdev_accept - BOOLEAN Enabling this option allows a "global" bound socket to work across L3 master domains (e.g., VRFs) with packets capable of being received regardless of the L3 domain in which they originated. Only valid when the kernel was compiled with CONFIG_NET_L3_MASTER_DEV. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) CIPSOv4 Variables ================= cipso_cache_enable - BOOLEAN If enabled, enable additions to and lookups from the CIPSO label mapping cache. If disabled, additions are ignored and lookups always result in a miss. However, regardless of the setting the cache is still invalidated when required when means you can safely toggle this on and off and the cache will always be "safe". Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) cipso_cache_bucket_size - INTEGER The CIPSO label cache consists of a fixed size hash table with each hash bucket containing a number of cache entries. This variable limits the number of entries in each hash bucket; the larger the value is, the more CIPSO label mappings that can be cached. When the number of entries in a given hash bucket reaches this limit adding new entries causes the oldest entry in the bucket to be removed to make room. Default: 10 cipso_rbm_optfmt - BOOLEAN Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of the CIPSO draft specification (see Documentation/netlabel for details). This means that when set the CIPSO tag will be padded with empty categories in order to make the packet data 32-bit aligned. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) cipso_rbm_strictvalid - BOOLEAN If enabled, do a very strict check of the CIPSO option when ip_options_compile() is called. If disabled, relax the checks done during ip_options_compile(). Either way is "safe" as errors are caught else where in the CIPSO processing code but setting this to 0 (False) should result in less work (i.e. it should be faster) but could cause problems with other implementations that require strict checking. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) IP Variables ============ ip_local_port_range - 2 INTEGERS Defines the local port range that is used by TCP and UDP to choose the local port. The first number is the first, the second the last local port number. If possible, it is better these numbers have different parity (one even and one odd value). Must be greater than or equal to ip_unprivileged_port_start. The default values are 32768 and 60999 respectively. ip_local_reserved_ports - list of comma separated ranges Specify the ports which are reserved for known third-party applications. These ports will not be used by automatic port assignments (e.g. when calling connect() or bind() with port number 0). Explicit port allocation behavior is unchanged. The format used for both input and output is a comma separated list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and 10). Writing to the file will clear all previously reserved ports and update the current list with the one given in the input. Note that ip_local_port_range and ip_local_reserved_ports settings are independent and both are considered by the kernel when determining which ports are available for automatic port assignments. You can reserve ports which are not in the current ip_local_port_range, e.g.:: $ cat /proc/sys/net/ipv4/ip_local_port_range 32000 60999 $ cat /proc/sys/net/ipv4/ip_local_reserved_ports 8080,9148 although this is redundant. However such a setting is useful if later the port range is changed to a value that will include the reserved ports. Also keep in mind, that overlapping of these ranges may affect probability of selecting ephemeral ports which are right after block of reserved ports. Default: Empty ip_unprivileged_port_start - INTEGER This is a per-namespace sysctl. It defines the first unprivileged port in the network namespace. Privileged ports require root or CAP_NET_BIND_SERVICE in order to bind to them. To disable all privileged ports, set this to 0. They must not overlap with the ip_local_port_range. Default: 1024 ip_nonlocal_bind - BOOLEAN If enabled, allows processes to bind() to non-local IP addresses, which can be quite useful - but may break some applications. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) ip_autobind_reuse - BOOLEAN By default, bind() does not select the ports automatically even if the new socket and all sockets bound to the port have SO_REUSEADDR. ip_autobind_reuse allows bind() to reuse the port and this is useful when you use bind()+connect(), but may break some applications. The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this option should only be set by experts. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) ip_dynaddr - INTEGER If set non-zero, enables support for dynamic addresses. If set to a non-zero value larger than 1, a kernel log message will be printed when dynamic address rewriting occurs. Default: 0 ip_early_demux - BOOLEAN Optimize input packet processing down to one demux for certain kinds of local sockets. Currently we only do this for established TCP and connected UDP sockets. It may add an additional cost for pure routing workloads that reduces overall throughput, in such case you should disable it. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) ping_group_range - 2 INTEGERS Restrict ICMP_PROTO datagram sockets to users in the group range. The default is "1 0", meaning, that nobody (not even root) may create ping sockets. Setting it to "100 100" would grant permissions to the single group. "0 4294967294" would enable it for the world, "100 4294967294" would enable it for the users, but not daemons. tcp_early_demux - BOOLEAN Enable early demux for established TCP sockets. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) udp_early_demux - BOOLEAN Enable early demux for connected UDP sockets. Disable this if your system could experience more unconnected load. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) icmp_echo_ignore_all - BOOLEAN If enabled, then the kernel will ignore all ICMP ECHO requests sent to it. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) icmp_echo_enable_probe - BOOLEAN If enabled, then the kernel will respond to RFC 8335 PROBE requests sent to it. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) icmp_echo_ignore_broadcasts - BOOLEAN If enabled, then the kernel will ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) icmp_ratelimit - INTEGER Limit the maximal rates for sending ICMP packets whose type matches icmp_ratemask (see below) to specific targets. 0 to disable any limiting, otherwise the minimal space between responses in milliseconds. Note that another sysctl, icmp_msgs_per_sec limits the number of ICMP packets sent on all targets. Default: 1000 icmp_msgs_per_sec - INTEGER Limit maximal number of ICMP packets sent per second from this host. Only messages whose type matches icmp_ratemask (see below) are controlled by this limit. For security reasons, the precise count of messages per second is randomized. Default: 1000 icmp_msgs_burst - INTEGER icmp_msgs_per_sec controls number of ICMP packets sent per second, while icmp_msgs_burst controls the burst size of these packets. For security reasons, the precise burst size is randomized. Default: 50 icmp_ratemask - INTEGER Mask made of ICMP types for which rates are being limited. Significant bits: IHGFEDCBA9876543210 Default mask: 0000001100000011000 (6168) Bit definitions (see include/linux/icmp.h): = ========================= 0 Echo Reply 3 Destination Unreachable [1]_ 4 Source Quench [1]_ 5 Redirect 8 Echo Request B Time Exceeded [1]_ C Parameter Problem [1]_ D Timestamp Request E Timestamp Reply F Info Request G Info Reply H Address Mask Request I Address Mask Reply = ========================= .. [1] These are rate limited by default (see default mask above) icmp_ignore_bogus_error_responses - BOOLEAN Some routers violate RFC1122 by sending bogus responses to broadcast frames. Such violations are normally logged via a kernel warning. If enabled, the kernel will not give such warnings, which will avoid log file clutter. Possible values: - 0 (disabled) - 1 (enabled) Default: 1 (enabled) icmp_errors_use_inbound_ifaddr - BOOLEAN If disabled, icmp error messages are sent with the primary address of the exiting interface. If enabled, the message will be sent with the primary address of the interface that received the packet that caused the icmp error. This is the behaviour many network administrators will expect from a router. And it can make debugging complicated network layouts much easier. Note that if no primary address exists for the interface selected, then the primary address of the first non-loopback interface that has one will be used regardless of this setting. Possible values: - 0 (disabled) - 1 (enabled) Default: 0 (disabled) igmp_max_memberships - INTEGER Change the maximum number of multicast groups we can subscribe to. Default: 20 Theoretical maximum value is bounded by having to send a membership report in a single datagram (i.e. the report can't span multiple datagrams, or risk confusing the switch and leaving groups you don't intend to). The number of supported groups 'M' is bounded by the number of group report entries you can fit into a single datagram of 65535 bytes. M = 65536-sizeof (ip header)/(sizeof(Group record)) Group records are variable length, with a minimum of 12 bytes. So net.ipv4.igmp_max_memberships should not be set higher than: (65536-24) / 12 = 5459 The value 5459 assumes no IP header options, so in practice this number may be lower. igmp_max_msf - INTEGER Maximum number of addresses allowed in the source filter list for a multicast group. Default: 10 igmp_qrv - INTEGER Controls the IGMP query robustness variable (see RFC2236 8.1). Default: 2 (as specified by RFC2236 8.1) Minimum: 1 (as specified by RFC6636 4.5) force_igmp_version - INTEGER - 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier Present timer expires. - 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if receive IGMPv2/v3 query. - 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive IGMPv1 query message. Will reply report if receive IGMPv3 query. - 3 - Enforce to use IGMP version 3. The same react with default 0. .. note:: this is not the same with force_mld_version because IGMPv3 RFC3376 Security Considerations does not have clear description that we could ignore other version messages completely as MLDv2 RFC3810. So make this value as default 0 is recommended. ``conf/interface/*`` changes special settings per interface (where interface" is the name of your network interface) ``conf/all/*`` is special, changes the settings for all interfaces log_martians - BOOLEAN Log packets with impossible addresses to kernel log. log_martians for the interface will be enabled if at least one of conf/{all,interface}/log_martians is set to TRUE, it will be disabled otherwise accept_redirects - BOOLEAN Accept ICMP redirect messages. accept_redirects for the interface will be enabled if: - both conf/{all,interface}/accept_redirects are TRUE in the case forwarding for the interface is enabled or - at least one of conf/{all,interface}/accept_redirects is TRUE in the case forwarding for the interface is disabled accept_redirects for the interface will be disabled otherwise default: - TRUE (host) - FALSE (router) forwarding - BOOLEAN Enable IP forwarding on this interface. This controls whether packets received _on_ this interface can be forwarded. mc_forwarding - BOOLEAN Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE and a multicast routing daemon is required. conf/all/mc_forwarding must also be set to TRUE to enable multicast routing for the interface medium_id - INTEGER Integer value used to differentiate the devices by the medium they are attached to. Two devices can have different id values when the broadcast packets are received only on one of them. The default value 0 means that the device is the only interface to its medium, value of -1 means that medium is not known. Currently, it is used to change the proxy_arp behavior: the proxy_arp feature is enabled for packets forwarded between two devices attached to different media. proxy_arp - BOOLEAN Do proxy arp. proxy_arp for the interface will be enabled if at least one of conf/{all,interface}/proxy_arp is set to TRUE, it will be disabled otherwise proxy_arp_pvlan - BOOLEAN Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received). This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp'ing. Don't need to be used together with proxy_arp. This technology is known by different names: - In RFC 3069 it is called VLAN Aggregation. - Cisco and Allied Telesyn call it Private VLAN. - Hewlett-Packard call it Source-Port filtering or port-isolation. - Ericsson call it MAC-Forced Forwarding (RFC Draft). proxy_delay - INTEGER Delay proxy response. Delay response to a neighbor solicitation when proxy_arp or proxy_ndp is enabled. A random value between [0, proxy_delay) will be chosen, setting to zero means reply with no delay. Value in jiffies. Defaults to 80. shared_media - BOOLEAN Send(router) or accept(host) RFC1620 shared media redirects. Overrides secure_redirects. shared_media for the interface will be enabled if at least one of conf/{all,interface}/shared_media is set to TRUE, it will be disabled otherwise default TRUE secure_redirects - BOOLEAN Accept ICMP redirect messages only to gateways listed in the interface's current gateway list. Even if disabled, RFC1122 redirect rules still apply. Overridden by shared_media. secure_redirects for the interface will be enabled if at least one of conf/{all,interface}/secure_redirects is set to TRUE, it will be disabled otherwise default TRUE send_redirects - BOOLEAN Send redirects, if router. send_redirects for the interface will be enabled if at least one of conf/{all,interface}/send_redirects is set to TRUE, it will be disabled otherwise Default: TRUE bootp_relay - BOOLEAN Accept packets with source address 0.b.c.d destined not to this host as local ones. It is supposed, that BOOTP relay daemon will catch and forward such packets. --> -------------------- --> maximum size reached --> -------------------- [ Dauer der Verarbeitung: 0.20 Sekunden (vorverarbeitet) ] |
2026-04-04