1/proc/sys/net/ipv4/* Variables: 2 3ip_forward - BOOLEAN 4 0 - disabled (default) 5 not 0 - enabled 6 7 Forward Packets between interfaces. 8 9 This variable is special, its change resets all configuration 10 parameters to their default state (RFC1122 for hosts, RFC1812 11 for routers) 12 13ip_default_ttl - INTEGER 14 default 64 15 16ip_no_pmtu_disc - BOOLEAN 17 Disable Path MTU Discovery. 18 default FALSE 19 20min_pmtu - INTEGER 21 default 562 - minimum discovered Path MTU 22 23mtu_expires - INTEGER 24 Time, in seconds, that cached PMTU information is kept. 25 26min_adv_mss - INTEGER 27 The advertised MSS depends on the first hop route MTU, but will 28 never be lower than this setting. 29 30rt_cache_rebuild_count - INTEGER 31 The per net-namespace route cache emergency rebuild threshold. 32 Any net-namespace having its route cache rebuilt due to 33 a hash bucket chain being too long more than this many times 34 will have its route caching disabled 35 36IP Fragmentation: 37 38ipfrag_high_thresh - INTEGER 39 Maximum memory used to reassemble IP fragments. When 40 ipfrag_high_thresh bytes of memory is allocated for this purpose, 41 the fragment handler will toss packets until ipfrag_low_thresh 42 is reached. 43 44ipfrag_low_thresh - INTEGER 45 See ipfrag_high_thresh 46 47ipfrag_time - INTEGER 48 Time in seconds to keep an IP fragment in memory. 49 50ipfrag_secret_interval - INTEGER 51 Regeneration interval (in seconds) of the hash secret (or lifetime 52 for the hash secret) for IP fragments. 53 Default: 600 54 55ipfrag_max_dist - INTEGER 56 ipfrag_max_dist is a non-negative integer value which defines the 57 maximum "disorder" which is allowed among fragments which share a 58 common IP source address. Note that reordering of packets is 59 not unusual, but if a large number of fragments arrive from a source 60 IP address while a particular fragment queue remains incomplete, it 61 probably indicates that one or more fragments belonging to that queue 62 have been lost. When ipfrag_max_dist is positive, an additional check 63 is done on fragments before they are added to a reassembly queue - if 64 ipfrag_max_dist (or more) fragments have arrived from a particular IP 65 address between additions to any IP fragment queue using that source 66 address, it's presumed that one or more fragments in the queue are 67 lost. The existing fragment queue will be dropped, and a new one 68 started. An ipfrag_max_dist value of zero disables this check. 69 70 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can 71 result in unnecessarily dropping fragment queues when normal 72 reordering of packets occurs, which could lead to poor application 73 performance. Using a very large value, e.g. 50000, increases the 74 likelihood of incorrectly reassembling IP fragments that originate 75 from different IP datagrams, which could result in data corruption. 76 Default: 64 77 78INET peer storage: 79 80inet_peer_threshold - INTEGER 81 The approximate size of the storage. Starting from this threshold 82 entries will be thrown aggressively. This threshold also determines 83 entries' time-to-live and time intervals between garbage collection 84 passes. More entries, less time-to-live, less GC interval. 85 86inet_peer_minttl - INTEGER 87 Minimum time-to-live of entries. Should be enough to cover fragment 88 time-to-live on the reassembling side. This minimum time-to-live is 89 guaranteed if the pool size is less than inet_peer_threshold. 90 Measured in seconds. 91 92inet_peer_maxttl - INTEGER 93 Maximum time-to-live of entries. Unused entries will expire after 94 this period of time if there is no memory pressure on the pool (i.e. 95 when the number of entries in the pool is very small). 96 Measured in seconds. 97 98inet_peer_gc_mintime - INTEGER 99 Minimum interval between garbage collection passes. This interval is 100 in effect under high memory pressure on the pool. 101 Measured in seconds. 102 103inet_peer_gc_maxtime - INTEGER 104 Minimum interval between garbage collection passes. This interval is 105 in effect under low (or absent) memory pressure on the pool. 106 Measured in seconds. 107 108TCP variables: 109 110somaxconn - INTEGER 111 Limit of socket listen() backlog, known in userspace as SOMAXCONN. 112 Defaults to 128. See also tcp_max_syn_backlog for additional tuning 113 for TCP sockets. 114 115tcp_abc - INTEGER 116 Controls Appropriate Byte Count (ABC) defined in RFC3465. 117 ABC is a way of increasing congestion window (cwnd) more slowly 118 in response to partial acknowledgments. 119 Possible values are: 120 0 increase cwnd once per acknowledgment (no ABC) 121 1 increase cwnd once per acknowledgment of full sized segment 122 2 allow increase cwnd by two if acknowledgment is 123 of two segments to compensate for delayed acknowledgments. 124 Default: 0 (off) 125 126tcp_abort_on_overflow - BOOLEAN 127 If listening service is too slow to accept new connections, 128 reset them. Default state is FALSE. It means that if overflow 129 occurred due to a burst, connection will recover. Enable this 130 option _only_ if you are really sure that listening daemon 131 cannot be tuned to accept connections faster. Enabling this 132 option can harm clients of your server. 133 134tcp_adv_win_scale - INTEGER 135 Count buffering overhead as bytes/2^tcp_adv_win_scale 136 (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), 137 if it is <= 0. 138 Default: 2 139 140tcp_allowed_congestion_control - STRING 141 Show/set the congestion control choices available to non-privileged 142 processes. The list is a subset of those listed in 143 tcp_available_congestion_control. 144 Default is "reno" and the default setting (tcp_congestion_control). 145 146tcp_app_win - INTEGER 147 Reserve max(window/2^tcp_app_win, mss) of window for application 148 buffer. Value 0 is special, it means that nothing is reserved. 149 Default: 31 150 151tcp_available_congestion_control - STRING 152 Shows the available congestion control choices that are registered. 153 More congestion control algorithms may be available as modules, 154 but not loaded. 155 156tcp_base_mss - INTEGER 157 The initial value of search_low to be used by the packetization layer 158 Path MTU discovery (MTU probing). If MTU probing is enabled, 159 this is the initial MSS used by the connection. 160 161tcp_congestion_control - STRING 162 Set the congestion control algorithm to be used for new 163 connections. The algorithm "reno" is always available, but 164 additional choices may be available based on kernel configuration. 165 Default is set as part of kernel configuration. 166 167tcp_cookie_size - INTEGER 168 Default size of TCP Cookie Transactions (TCPCT) option, that may be 169 overridden on a per socket basis by the TCPCT socket option. 170 Values greater than the maximum (16) are interpreted as the maximum. 171 Values greater than zero and less than the minimum (8) are interpreted 172 as the minimum. Odd values are interpreted as the next even value. 173 Default: 0 (off). 174 175tcp_dsack - BOOLEAN 176 Allows TCP to send "duplicate" SACKs. 177 178tcp_ecn - BOOLEAN 179 Enable Explicit Congestion Notification (ECN) in TCP. ECN is only 180 used when both ends of the TCP flow support it. It is useful to 181 avoid losses due to congestion (when the bottleneck router supports 182 ECN). 183 Possible values are: 184 0 disable ECN 185 1 ECN enabled 186 2 Only server-side ECN enabled. If the other end does 187 not support ECN, behavior is like with ECN disabled. 188 Default: 2 189 190tcp_fack - BOOLEAN 191 Enable FACK congestion avoidance and fast retransmission. 192 The value is not used, if tcp_sack is not enabled. 193 194tcp_fin_timeout - INTEGER 195 Time to hold socket in state FIN-WAIT-2, if it was closed 196 by our side. Peer can be broken and never close its side, 197 or even died unexpectedly. Default value is 60sec. 198 Usual value used in 2.2 was 180 seconds, you may restore 199 it, but remember that if your machine is even underloaded WEB server, 200 you risk to overflow memory with kilotons of dead sockets, 201 FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, 202 because they eat maximum 1.5K of memory, but they tend 203 to live longer. Cf. tcp_max_orphans. 204 205tcp_frto - INTEGER 206 Enables Forward RTO-Recovery (F-RTO) defined in RFC4138. 207 F-RTO is an enhanced recovery algorithm for TCP retransmission 208 timeouts. It is particularly beneficial in wireless environments 209 where packet loss is typically due to random radio interference 210 rather than intermediate router congestion. F-RTO is sender-side 211 only modification. Therefore it does not require any support from 212 the peer. 213 214 If set to 1, basic version is enabled. 2 enables SACK enhanced 215 F-RTO if flow uses SACK. The basic version can be used also when 216 SACK is in use though scenario(s) with it exists where F-RTO 217 interacts badly with the packet counting of the SACK enabled TCP 218 flow. 219 220tcp_frto_response - INTEGER 221 When F-RTO has detected that a TCP retransmission timeout was 222 spurious (i.e, the timeout would have been avoided had TCP set a 223 longer retransmission timeout), TCP has several options what to do 224 next. Possible values are: 225 0 Rate halving based; a smooth and conservative response, 226 results in halved cwnd and ssthresh after one RTT 227 1 Very conservative response; not recommended because even 228 though being valid, it interacts poorly with the rest of 229 Linux TCP, halves cwnd and ssthresh immediately 230 2 Aggressive response; undoes congestion control measures 231 that are now known to be unnecessary (ignoring the 232 possibility of a lost retransmission that would require 233 TCP to be more cautious), cwnd and ssthresh are restored 234 to the values prior timeout 235 Default: 0 (rate halving based) 236 237tcp_keepalive_time - INTEGER 238 How often TCP sends out keepalive messages when keepalive is enabled. 239 Default: 2hours. 240 241tcp_keepalive_probes - INTEGER 242 How many keepalive probes TCP sends out, until it decides that the 243 connection is broken. Default value: 9. 244 245tcp_keepalive_intvl - INTEGER 246 How frequently the probes are send out. Multiplied by 247 tcp_keepalive_probes it is time to kill not responding connection, 248 after probes started. Default value: 75sec i.e. connection 249 will be aborted after ~11 minutes of retries. 250 251tcp_low_latency - BOOLEAN 252 If set, the TCP stack makes decisions that prefer lower 253 latency as opposed to higher throughput. By default, this 254 option is not set meaning that higher throughput is preferred. 255 An example of an application where this default should be 256 changed would be a Beowulf compute cluster. 257 Default: 0 258 259tcp_max_orphans - INTEGER 260 Maximal number of TCP sockets not attached to any user file handle, 261 held by system. If this number is exceeded orphaned connections are 262 reset immediately and warning is printed. This limit exists 263 only to prevent simple DoS attacks, you _must_ not rely on this 264 or lower the limit artificially, but rather increase it 265 (probably, after increasing installed memory), 266 if network conditions require more than default value, 267 and tune network services to linger and kill such states 268 more aggressively. Let me to remind again: each orphan eats 269 up to ~64K of unswappable memory. 270 271tcp_max_syn_backlog - INTEGER 272 Maximal number of remembered connection requests, which are 273 still did not receive an acknowledgment from connecting client. 274 Default value is 1024 for systems with more than 128Mb of memory, 275 and 128 for low memory machines. If server suffers of overload, 276 try to increase this number. 277 278tcp_max_tw_buckets - INTEGER 279 Maximal number of timewait sockets held by system simultaneously. 280 If this number is exceeded time-wait socket is immediately destroyed 281 and warning is printed. This limit exists only to prevent 282 simple DoS attacks, you _must_ not lower the limit artificially, 283 but rather increase it (probably, after increasing installed memory), 284 if network conditions require more than default value. 285 286tcp_mem - vector of 3 INTEGERs: min, pressure, max 287 min: below this number of pages TCP is not bothered about its 288 memory appetite. 289 290 pressure: when amount of memory allocated by TCP exceeds this number 291 of pages, TCP moderates its memory consumption and enters memory 292 pressure mode, which is exited when memory consumption falls 293 under "min". 294 295 max: number of pages allowed for queueing by all TCP sockets. 296 297 Defaults are calculated at boot time from amount of available 298 memory. 299 300tcp_moderate_rcvbuf - BOOLEAN 301 If set, TCP performs receive buffer auto-tuning, attempting to 302 automatically size the buffer (no greater than tcp_rmem[2]) to 303 match the size required by the path for full throughput. Enabled by 304 default. 305 306tcp_mtu_probing - INTEGER 307 Controls TCP Packetization-Layer Path MTU Discovery. Takes three 308 values: 309 0 - Disabled 310 1 - Disabled by default, enabled when an ICMP black hole detected 311 2 - Always enabled, use initial MSS of tcp_base_mss. 312 313tcp_no_metrics_save - BOOLEAN 314 By default, TCP saves various connection metrics in the route cache 315 when the connection closes, so that connections established in the 316 near future can use these to set initial conditions. Usually, this 317 increases overall performance, but may sometimes cause performance 318 degradation. If set, TCP will not cache metrics on closing 319 connections. 320 321tcp_orphan_retries - INTEGER 322 This value influences the timeout of a locally closed TCP connection, 323 when RTO retransmissions remain unacknowledged. 324 See tcp_retries2 for more details. 325 326 The default value is 7. 327 If your machine is a loaded WEB server, 328 you should think about lowering this value, such sockets 329 may consume significant resources. Cf. tcp_max_orphans. 330 331tcp_reordering - INTEGER 332 Maximal reordering of packets in a TCP stream. 333 Default: 3 334 335tcp_retrans_collapse - BOOLEAN 336 Bug-to-bug compatibility with some broken printers. 337 On retransmit try to send bigger packets to work around bugs in 338 certain TCP stacks. 339 340tcp_retries1 - INTEGER 341 This value influences the time, after which TCP decides, that 342 something is wrong due to unacknowledged RTO retransmissions, 343 and reports this suspicion to the network layer. 344 See tcp_retries2 for more details. 345 346 RFC 1122 recommends at least 3 retransmissions, which is the 347 default. 348 349tcp_retries2 - INTEGER 350 This value influences the timeout of an alive TCP connection, 351 when RTO retransmissions remain unacknowledged. 352 Given a value of N, a hypothetical TCP connection following 353 exponential backoff with an initial RTO of TCP_RTO_MIN would 354 retransmit N times before killing the connection at the (N+1)th RTO. 355 356 The default value of 15 yields a hypothetical timeout of 924.6 357 seconds and is a lower bound for the effective timeout. 358 TCP will effectively time out at the first RTO which exceeds the 359 hypothetical timeout. 360 361 RFC 1122 recommends at least 100 seconds for the timeout, 362 which corresponds to a value of at least 8. 363 364tcp_rfc1337 - BOOLEAN 365 If set, the TCP stack behaves conforming to RFC1337. If unset, 366 we are not conforming to RFC, but prevent TCP TIME_WAIT 367 assassination. 368 Default: 0 369 370tcp_rmem - vector of 3 INTEGERs: min, default, max 371 min: Minimal size of receive buffer used by TCP sockets. 372 It is guaranteed to each TCP socket, even under moderate memory 373 pressure. 374 Default: 8K 375 376 default: initial size of receive buffer used by TCP sockets. 377 This value overrides net.core.rmem_default used by other protocols. 378 Default: 87380 bytes. This value results in window of 65535 with 379 default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit 380 less for default tcp_app_win. See below about these variables. 381 382 max: maximal size of receive buffer allowed for automatically 383 selected receiver buffers for TCP socket. This value does not override 384 net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables 385 automatic tuning of that socket's receive buffer size, in which 386 case this value is ignored. 387 Default: between 87380B and 4MB, depending on RAM size. 388 389tcp_sack - BOOLEAN 390 Enable select acknowledgments (SACKS). 391 392tcp_slow_start_after_idle - BOOLEAN 393 If set, provide RFC2861 behavior and time out the congestion 394 window after an idle period. An idle period is defined at 395 the current RTO. If unset, the congestion window will not 396 be timed out after an idle period. 397 Default: 1 398 399tcp_stdurg - BOOLEAN 400 Use the Host requirements interpretation of the TCP urgent pointer field. 401 Most hosts use the older BSD interpretation, so if you turn this on 402 Linux might not communicate correctly with them. 403 Default: FALSE 404 405tcp_synack_retries - INTEGER 406 Number of times SYNACKs for a passive TCP connection attempt will 407 be retransmitted. Should not be higher than 255. Default value 408 is 5, which corresponds to ~180seconds. 409 410tcp_syncookies - BOOLEAN 411 Only valid when the kernel was compiled with CONFIG_SYNCOOKIES 412 Send out syncookies when the syn backlog queue of a socket 413 overflows. This is to prevent against the common 'SYN flood attack' 414 Default: FALSE 415 416 Note, that syncookies is fallback facility. 417 It MUST NOT be used to help highly loaded servers to stand 418 against legal connection rate. If you see SYN flood warnings 419 in your logs, but investigation shows that they occur 420 because of overload with legal connections, you should tune 421 another parameters until this warning disappear. 422 See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. 423 424 syncookies seriously violate TCP protocol, do not allow 425 to use TCP extensions, can result in serious degradation 426 of some services (f.e. SMTP relaying), visible not by you, 427 but your clients and relays, contacting you. While you see 428 SYN flood warnings in logs not being really flooded, your server 429 is seriously misconfigured. 430 431tcp_syn_retries - INTEGER 432 Number of times initial SYNs for an active TCP connection attempt 433 will be retransmitted. Should not be higher than 255. Default value 434 is 5, which corresponds to ~180seconds. 435 436tcp_timestamps - BOOLEAN 437 Enable timestamps as defined in RFC1323. 438 439tcp_tso_win_divisor - INTEGER 440 This allows control over what percentage of the congestion window 441 can be consumed by a single TSO frame. 442 The setting of this parameter is a choice between burstiness and 443 building larger TSO frames. 444 Default: 3 445 446tcp_tw_recycle - BOOLEAN 447 Enable fast recycling TIME-WAIT sockets. Default value is 0. 448 It should not be changed without advice/request of technical 449 experts. 450 451tcp_tw_reuse - BOOLEAN 452 Allow to reuse TIME-WAIT sockets for new connections when it is 453 safe from protocol viewpoint. Default value is 0. 454 It should not be changed without advice/request of technical 455 experts. 456 457tcp_window_scaling - BOOLEAN 458 Enable window scaling as defined in RFC1323. 459 460tcp_wmem - vector of 3 INTEGERs: min, default, max 461 min: Amount of memory reserved for send buffers for TCP sockets. 462 Each TCP socket has rights to use it due to fact of its birth. 463 Default: 4K 464 465 default: initial size of send buffer used by TCP sockets. This 466 value overrides net.core.wmem_default used by other protocols. 467 It is usually lower than net.core.wmem_default. 468 Default: 16K 469 470 max: Maximal amount of memory allowed for automatically tuned 471 send buffers for TCP sockets. This value does not override 472 net.core.wmem_max. Calling setsockopt() with SO_SNDBUF disables 473 automatic tuning of that socket's send buffer size, in which case 474 this value is ignored. 475 Default: between 64K and 4MB, depending on RAM size. 476 477tcp_workaround_signed_windows - BOOLEAN 478 If set, assume no receipt of a window scaling option means the 479 remote TCP is broken and treats the window as a signed quantity. 480 If unset, assume the remote TCP is not broken even if we do 481 not receive a window scaling option from them. 482 Default: 0 483 484tcp_dma_copybreak - INTEGER 485 Lower limit, in bytes, of the size of socket reads that will be 486 offloaded to a DMA copy engine, if one is present in the system 487 and CONFIG_NET_DMA is enabled. 488 Default: 4096 489 490tcp_thin_linear_timeouts - BOOLEAN 491 Enable dynamic triggering of linear timeouts for thin streams. 492 If set, a check is performed upon retransmission by timeout to 493 determine if the stream is thin (less than 4 packets in flight). 494 As long as the stream is found to be thin, up to 6 linear 495 timeouts may be performed before exponential backoff mode is 496 initiated. This improves retransmission latency for 497 non-aggressive thin streams, often found to be time-dependent. 498 For more information on thin streams, see 499 Documentation/networking/tcp-thin.txt 500 Default: 0 501 502tcp_thin_dupack - BOOLEAN 503 Enable dynamic triggering of retransmissions after one dupACK 504 for thin streams. If set, a check is performed upon reception 505 of a dupACK to determine if the stream is thin (less than 4 506 packets in flight). As long as the stream is found to be thin, 507 data is retransmitted on the first received dupACK. This 508 improves retransmission latency for non-aggressive thin 509 streams, often found to be time-dependent. 510 For more information on thin streams, see 511 Documentation/networking/tcp-thin.txt 512 Default: 0 513 514UDP variables: 515 516udp_mem - vector of 3 INTEGERs: min, pressure, max 517 Number of pages allowed for queueing by all UDP sockets. 518 519 min: Below this number of pages UDP is not bothered about its 520 memory appetite. When amount of memory allocated by UDP exceeds 521 this number, UDP starts to moderate memory usage. 522 523 pressure: This value was introduced to follow format of tcp_mem. 524 525 max: Number of pages allowed for queueing by all UDP sockets. 526 527 Default is calculated at boot time from amount of available memory. 528 529udp_rmem_min - INTEGER 530 Minimal size of receive buffer used by UDP sockets in moderation. 531 Each UDP socket is able to use the size for receiving data, even if 532 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 533 Default: 4096 534 535udp_wmem_min - INTEGER 536 Minimal size of send buffer used by UDP sockets in moderation. 537 Each UDP socket is able to use the size for sending data, even if 538 total pages of UDP sockets exceed udp_mem pressure. The unit is byte. 539 Default: 4096 540 541CIPSOv4 Variables: 542 543cipso_cache_enable - BOOLEAN 544 If set, enable additions to and lookups from the CIPSO label mapping 545 cache. If unset, additions are ignored and lookups always result in a 546 miss. However, regardless of the setting the cache is still 547 invalidated when required when means you can safely toggle this on and 548 off and the cache will always be "safe". 549 Default: 1 550 551cipso_cache_bucket_size - INTEGER 552 The CIPSO label cache consists of a fixed size hash table with each 553 hash bucket containing a number of cache entries. This variable limits 554 the number of entries in each hash bucket; the larger the value the 555 more CIPSO label mappings that can be cached. When the number of 556 entries in a given hash bucket reaches this limit adding new entries 557 causes the oldest entry in the bucket to be removed to make room. 558 Default: 10 559 560cipso_rbm_optfmt - BOOLEAN 561 Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of 562 the CIPSO draft specification (see Documentation/netlabel for details). 563 This means that when set the CIPSO tag will be padded with empty 564 categories in order to make the packet data 32-bit aligned. 565 Default: 0 566 567cipso_rbm_structvalid - BOOLEAN 568 If set, do a very strict check of the CIPSO option when 569 ip_options_compile() is called. If unset, relax the checks done during 570 ip_options_compile(). Either way is "safe" as errors are caught else 571 where in the CIPSO processing code but setting this to 0 (False) should 572 result in less work (i.e. it should be faster) but could cause problems 573 with other implementations that require strict checking. 574 Default: 0 575 576IP Variables: 577 578ip_local_port_range - 2 INTEGERS 579 Defines the local port range that is used by TCP and UDP to 580 choose the local port. The first number is the first, the 581 second the last local port number. Default value depends on 582 amount of memory available on the system: 583 > 128Mb 32768-61000 584 < 128Mb 1024-4999 or even less. 585 This number defines number of active connections, which this 586 system can issue simultaneously to systems not supporting 587 TCP extensions (timestamps). With tcp_tw_recycle enabled 588 (i.e. by default) range 1024-4999 is enough to issue up to 589 2000 connections per second to systems supporting timestamps. 590 591ip_nonlocal_bind - BOOLEAN 592 If set, allows processes to bind() to non-local IP addresses, 593 which can be quite useful - but may break some applications. 594 Default: 0 595 596ip_dynaddr - BOOLEAN 597 If set non-zero, enables support for dynamic addresses. 598 If set to a non-zero value larger than 1, a kernel log 599 message will be printed when dynamic address rewriting 600 occurs. 601 Default: 0 602 603icmp_echo_ignore_all - BOOLEAN 604 If set non-zero, then the kernel will ignore all ICMP ECHO 605 requests sent to it. 606 Default: 0 607 608icmp_echo_ignore_broadcasts - BOOLEAN 609 If set non-zero, then the kernel will ignore all ICMP ECHO and 610 TIMESTAMP requests sent to it via broadcast/multicast. 611 Default: 1 612 613icmp_ratelimit - INTEGER 614 Limit the maximal rates for sending ICMP packets whose type matches 615 icmp_ratemask (see below) to specific targets. 616 0 to disable any limiting, 617 otherwise the minimal space between responses in milliseconds. 618 Default: 1000 619 620icmp_ratemask - INTEGER 621 Mask made of ICMP types for which rates are being limited. 622 Significant bits: IHGFEDCBA9876543210 623 Default mask: 0000001100000011000 (6168) 624 625 Bit definitions (see include/linux/icmp.h): 626 0 Echo Reply 627 3 Destination Unreachable * 628 4 Source Quench * 629 5 Redirect 630 8 Echo Request 631 B Time Exceeded * 632 C Parameter Problem * 633 D Timestamp Request 634 E Timestamp Reply 635 F Info Request 636 G Info Reply 637 H Address Mask Request 638 I Address Mask Reply 639 640 * These are rate limited by default (see default mask above) 641 642icmp_ignore_bogus_error_responses - BOOLEAN 643 Some routers violate RFC1122 by sending bogus responses to broadcast 644 frames. Such violations are normally logged via a kernel warning. 645 If this is set to TRUE, the kernel will not give such warnings, which 646 will avoid log file clutter. 647 Default: FALSE 648 649icmp_errors_use_inbound_ifaddr - BOOLEAN 650 651 If zero, icmp error messages are sent with the primary address of 652 the exiting interface. 653 654 If non-zero, the message will be sent with the primary address of 655 the interface that received the packet that caused the icmp error. 656 This is the behaviour network many administrators will expect from 657 a router. And it can make debugging complicated network layouts 658 much easier. 659 660 Note that if no primary address exists for the interface selected, 661 then the primary address of the first non-loopback interface that 662 has one will be used regardless of this setting. 663 664 Default: 0 665 666igmp_max_memberships - INTEGER 667 Change the maximum number of multicast groups we can subscribe to. 668 Default: 20 669 670conf/interface/* changes special settings per interface (where "interface" is 671 the name of your network interface) 672conf/all/* is special, changes the settings for all interfaces 673 674 675log_martians - BOOLEAN 676 Log packets with impossible addresses to kernel log. 677 log_martians for the interface will be enabled if at least one of 678 conf/{all,interface}/log_martians is set to TRUE, 679 it will be disabled otherwise 680 681accept_redirects - BOOLEAN 682 Accept ICMP redirect messages. 683 accept_redirects for the interface will be enabled if: 684 - both conf/{all,interface}/accept_redirects are TRUE in the case 685 forwarding for the interface is enabled 686 or 687 - at least one of conf/{all,interface}/accept_redirects is TRUE in the 688 case forwarding for the interface is disabled 689 accept_redirects for the interface will be disabled otherwise 690 default TRUE (host) 691 FALSE (router) 692 693forwarding - BOOLEAN 694 Enable IP forwarding on this interface. 695 696mc_forwarding - BOOLEAN 697 Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE 698 and a multicast routing daemon is required. 699 conf/all/mc_forwarding must also be set to TRUE to enable multicast 700 routing for the interface 701 702medium_id - INTEGER 703 Integer value used to differentiate the devices by the medium they 704 are attached to. Two devices can have different id values when 705 the broadcast packets are received only on one of them. 706 The default value 0 means that the device is the only interface 707 to its medium, value of -1 means that medium is not known. 708 709 Currently, it is used to change the proxy_arp behavior: 710 the proxy_arp feature is enabled for packets forwarded between 711 two devices attached to different media. 712 713proxy_arp - BOOLEAN 714 Do proxy arp. 715 proxy_arp for the interface will be enabled if at least one of 716 conf/{all,interface}/proxy_arp is set to TRUE, 717 it will be disabled otherwise 718 719proxy_arp_pvlan - BOOLEAN 720 Private VLAN proxy arp. 721 Basically allow proxy arp replies back to the same interface 722 (from which the ARP request/solicitation was received). 723 724 This is done to support (ethernet) switch features, like RFC 725 3069, where the individual ports are NOT allowed to 726 communicate with each other, but they are allowed to talk to 727 the upstream router. As described in RFC 3069, it is possible 728 to allow these hosts to communicate through the upstream 729 router by proxy_arp'ing. Don't need to be used together with 730 proxy_arp. 731 732 This technology is known by different names: 733 In RFC 3069 it is called VLAN Aggregation. 734 Cisco and Allied Telesyn call it Private VLAN. 735 Hewlett-Packard call it Source-Port filtering or port-isolation. 736 Ericsson call it MAC-Forced Forwarding (RFC Draft). 737 738shared_media - BOOLEAN 739 Send(router) or accept(host) RFC1620 shared media redirects. 740 Overrides ip_secure_redirects. 741 shared_media for the interface will be enabled if at least one of 742 conf/{all,interface}/shared_media is set to TRUE, 743 it will be disabled otherwise 744 default TRUE 745 746secure_redirects - BOOLEAN 747 Accept ICMP redirect messages only for gateways, 748 listed in default gateway list. 749 secure_redirects for the interface will be enabled if at least one of 750 conf/{all,interface}/secure_redirects is set to TRUE, 751 it will be disabled otherwise 752 default TRUE 753 754send_redirects - BOOLEAN 755 Send redirects, if router. 756 send_redirects for the interface will be enabled if at least one of 757 conf/{all,interface}/send_redirects is set to TRUE, 758 it will be disabled otherwise 759 Default: TRUE 760 761bootp_relay - BOOLEAN 762 Accept packets with source address 0.b.c.d destined 763 not to this host as local ones. It is supposed, that 764 BOOTP relay daemon will catch and forward such packets. 765 conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay 766 for the interface 767 default FALSE 768 Not Implemented Yet. 769 770accept_source_route - BOOLEAN 771 Accept packets with SRR option. 772 conf/all/accept_source_route must also be set to TRUE to accept packets 773 with SRR option on the interface 774 default TRUE (router) 775 FALSE (host) 776 777accept_local - BOOLEAN 778 Accept packets with local source addresses. In combination with 779 suitable routing, this can be used to direct packets between two 780 local interfaces over the wire and have them accepted properly. 781 default FALSE 782 783rp_filter - INTEGER 784 0 - No source validation. 785 1 - Strict mode as defined in RFC3704 Strict Reverse Path 786 Each incoming packet is tested against the FIB and if the interface 787 is not the best reverse path the packet check will fail. 788 By default failed packets are discarded. 789 2 - Loose mode as defined in RFC3704 Loose Reverse Path 790 Each incoming packet's source address is also tested against the FIB 791 and if the source address is not reachable via any interface 792 the packet check will fail. 793 794 Current recommended practice in RFC3704 is to enable strict mode 795 to prevent IP spoofing from DDos attacks. If using asymmetric routing 796 or other complicated routing, then loose mode is recommended. 797 798 The max value from conf/{all,interface}/rp_filter is used 799 when doing source validation on the {interface}. 800 801 Default value is 0. Note that some distributions enable it 802 in startup scripts. 803 804arp_filter - BOOLEAN 805 1 - Allows you to have multiple network interfaces on the same 806 subnet, and have the ARPs for each interface be answered 807 based on whether or not the kernel would route a packet from 808 the ARP'd IP out that interface (therefore you must use source 809 based routing for this to work). In other words it allows control 810 of which cards (usually 1) will respond to an arp request. 811 812 0 - (default) The kernel can respond to arp requests with addresses 813 from other interfaces. This may seem wrong but it usually makes 814 sense, because it increases the chance of successful communication. 815 IP addresses are owned by the complete host on Linux, not by 816 particular interfaces. Only for more complex setups like load- 817 balancing, does this behaviour cause problems. 818 819 arp_filter for the interface will be enabled if at least one of 820 conf/{all,interface}/arp_filter is set to TRUE, 821 it will be disabled otherwise 822 823arp_announce - INTEGER 824 Define different restriction levels for announcing the local 825 source IP address from IP packets in ARP requests sent on 826 interface: 827 0 - (default) Use any local address, configured on any interface 828 1 - Try to avoid local addresses that are not in the target's 829 subnet for this interface. This mode is useful when target 830 hosts reachable via this interface require the source IP 831 address in ARP requests to be part of their logical network 832 configured on the receiving interface. When we generate the 833 request we will check all our subnets that include the 834 target IP and will preserve the source address if it is from 835 such subnet. If there is no such subnet we select source 836 address according to the rules for level 2. 837 2 - Always use the best local address for this target. 838 In this mode we ignore the source address in the IP packet 839 and try to select local address that we prefer for talks with 840 the target host. Such local address is selected by looking 841 for primary IP addresses on all our subnets on the outgoing 842 interface that include the target IP address. If no suitable 843 local address is found we select the first local address 844 we have on the outgoing interface or on all other interfaces, 845 with the hope we will receive reply for our request and 846 even sometimes no matter the source IP address we announce. 847 848 The max value from conf/{all,interface}/arp_announce is used. 849 850 Increasing the restriction level gives more chance for 851 receiving answer from the resolved target while decreasing 852 the level announces more valid sender's information. 853 854arp_ignore - INTEGER 855 Define different modes for sending replies in response to 856 received ARP requests that resolve local target IP addresses: 857 0 - (default): reply for any local target IP address, configured 858 on any interface 859 1 - reply only if the target IP address is local address 860 configured on the incoming interface 861 2 - reply only if the target IP address is local address 862 configured on the incoming interface and both with the 863 sender's IP address are part from same subnet on this interface 864 3 - do not reply for local addresses configured with scope host, 865 only resolutions for global and link addresses are replied 866 4-7 - reserved 867 8 - do not reply for all local addresses 868 869 The max value from conf/{all,interface}/arp_ignore is used 870 when ARP request is received on the {interface} 871 872arp_notify - BOOLEAN 873 Define mode for notification of address and device changes. 874 0 - (default): do nothing 875 1 - Generate gratuitous arp replies when device is brought up 876 or hardware address changes. 877 878arp_accept - BOOLEAN 879 Define behavior for gratuitous ARP frames who's IP is not 880 already present in the ARP table: 881 0 - don't create new entries in the ARP table 882 1 - create new entries in the ARP table 883 884 Both replies and requests type gratuitous arp will trigger the 885 ARP table to be updated, if this setting is on. 886 887 If the ARP table already contains the IP address of the 888 gratuitous arp frame, the arp table will be updated regardless 889 if this setting is on or off. 890 891 892app_solicit - INTEGER 893 The maximum number of probes to send to the user space ARP daemon 894 via netlink before dropping back to multicast probes (see 895 mcast_solicit). Defaults to 0. 896 897disable_policy - BOOLEAN 898 Disable IPSEC policy (SPD) for this interface 899 900disable_xfrm - BOOLEAN 901 Disable IPSEC encryption on this interface, whatever the policy 902 903 904 905tag - INTEGER 906 Allows you to write a number, which can be used as required. 907 Default value is 0. 908 909Alexey Kuznetsov. 910kuznet@ms2.inr.ac.ru 911 912Updated by: 913Andi Kleen 914ak@muc.de 915Nicolas Delon 916delon.nicolas@wanadoo.fr 917 918 919 920 921/proc/sys/net/ipv6/* Variables: 922 923IPv6 has no global variables such as tcp_*. tcp_* settings under ipv4/ also 924apply to IPv6 [XXX?]. 925 926bindv6only - BOOLEAN 927 Default value for IPV6_V6ONLY socket option, 928 which restricts use of the IPv6 socket to IPv6 communication 929 only. 930 TRUE: disable IPv4-mapped address feature 931 FALSE: enable IPv4-mapped address feature 932 933 Default: FALSE (as specified in RFC2553bis) 934 935IPv6 Fragmentation: 936 937ip6frag_high_thresh - INTEGER 938 Maximum memory used to reassemble IPv6 fragments. When 939 ip6frag_high_thresh bytes of memory is allocated for this purpose, 940 the fragment handler will toss packets until ip6frag_low_thresh 941 is reached. 942 943ip6frag_low_thresh - INTEGER 944 See ip6frag_high_thresh 945 946ip6frag_time - INTEGER 947 Time in seconds to keep an IPv6 fragment in memory. 948 949ip6frag_secret_interval - INTEGER 950 Regeneration interval (in seconds) of the hash secret (or lifetime 951 for the hash secret) for IPv6 fragments. 952 Default: 600 953 954conf/default/*: 955 Change the interface-specific default settings. 956 957 958conf/all/*: 959 Change all the interface-specific settings. 960 961 [XXX: Other special features than forwarding?] 962 963conf/all/forwarding - BOOLEAN 964 Enable global IPv6 forwarding between all interfaces. 965 966 IPv4 and IPv6 work differently here; e.g. netfilter must be used 967 to control which interfaces may forward packets and which not. 968 969 This also sets all interfaces' Host/Router setting 970 'forwarding' to the specified value. See below for details. 971 972 This referred to as global forwarding. 973 974proxy_ndp - BOOLEAN 975 Do proxy ndp. 976 977conf/interface/*: 978 Change special settings per interface. 979 980 The functional behaviour for certain settings is different 981 depending on whether local forwarding is enabled or not. 982 983accept_ra - BOOLEAN 984 Accept Router Advertisements; autoconfigure using them. 985 986 Functional default: enabled if local forwarding is disabled. 987 disabled if local forwarding is enabled. 988 989accept_ra_defrtr - BOOLEAN 990 Learn default router in Router Advertisement. 991 992 Functional default: enabled if accept_ra is enabled. 993 disabled if accept_ra is disabled. 994 995accept_ra_pinfo - BOOLEAN 996 Learn Prefix Information in Router Advertisement. 997 998 Functional default: enabled if accept_ra is enabled. 999 disabled if accept_ra is disabled. 1000
1001accept_ra_rt_info_max_plen - INTEGER 1002 Maximum prefix length of Route Information in RA. 1003 1004 Route Information w/ prefix larger than or equal to this 1005 variable shall be ignored. 1006 1007 Functional default: 0 if accept_ra_rtr_pref is enabled. 1008 -1 if accept_ra_rtr_pref is disabled. 1009 1010accept_ra_rtr_pref - BOOLEAN 1011 Accept Router Preference in RA. 1012 1013 Functional default: enabled if accept_ra is enabled. 1014 disabled if accept_ra is disabled. 1015 1016accept_redirects - BOOLEAN 1017 Accept Redirects. 1018 1019 Functional default: enabled if local forwarding is disabled. 1020 disabled if local forwarding is enabled. 1021 1022accept_source_route - INTEGER 1023 Accept source routing (routing extension header). 1024 1025 >= 0: Accept only routing header type 2. 1026 < 0: Do not accept routing header. 1027 1028 Default: 0 1029 1030autoconf - BOOLEAN 1031 Autoconfigure addresses using Prefix Information in Router 1032 Advertisements. 1033 1034 Functional default: enabled if accept_ra_pinfo is enabled. 1035 disabled if accept_ra_pinfo is disabled. 1036 1037dad_transmits - INTEGER 1038 The amount of Duplicate Address Detection probes to send. 1039 Default: 1 1040 1041forwarding - BOOLEAN 1042 Configure interface-specific Host/Router behaviour. 1043 1044 Note: It is recommended to have the same setting on all 1045 interfaces; mixed router/host scenarios are rather uncommon. 1046 1047 FALSE: 1048 1049 By default, Host behaviour is assumed. This means: 1050 1051 1. IsRouter flag is not set in Neighbour Advertisements. 1052 2. Router Solicitations are being sent when necessary. 1053 3. If accept_ra is TRUE (default), accept Router 1054 Advertisements (and do autoconfiguration). 1055 4. If accept_redirects is TRUE (default), accept Redirects. 1056 1057 TRUE: 1058 1059 If local forwarding is enabled, Router behaviour is assumed. 1060 This means exactly the reverse from the above: 1061 1062 1. IsRouter flag is set in Neighbour Advertisements. 1063 2. Router Solicitations are not sent. 1064 3. Router Advertisements are ignored. 1065 4. Redirects are ignored. 1066 1067 Default: FALSE if global forwarding is disabled (default), 1068 otherwise TRUE. 1069 1070hop_limit - INTEGER 1071 Default Hop Limit to set. 1072 Default: 64 1073 1074mtu - INTEGER 1075 Default Maximum Transfer Unit 1076 Default: 1280 (IPv6 required minimum) 1077 1078router_probe_interval - INTEGER 1079 Minimum interval (in seconds) between Router Probing described 1080 in RFC4191. 1081 1082 Default: 60 1083 1084router_solicitation_delay - INTEGER 1085 Number of seconds to wait after interface is brought up 1086 before sending Router Solicitations. 1087 Default: 1 1088 1089router_solicitation_interval - INTEGER 1090 Number of seconds to wait between Router Solicitations. 1091 Default: 4 1092 1093router_solicitations - INTEGER 1094 Number of Router Solicitations to send until assuming no 1095 routers are present. 1096 Default: 3 1097 1098use_tempaddr - INTEGER 1099 Preference for Privacy Extensions (RFC3041). 1100 <= 0 : disable Privacy Extensions 1101 == 1 : enable Privacy Extensions, but prefer public 1102 addresses over temporary addresses. 1103 > 1 : enable Privacy Extensions and prefer temporary 1104 addresses over public addresses. 1105 Default: 0 (for most devices) 1106 -1 (for point-to-point devices and loopback devices) 1107 1108temp_valid_lft - INTEGER 1109 valid lifetime (in seconds) for temporary addresses. 1110 Default: 604800 (7 days) 1111 1112temp_prefered_lft - INTEGER 1113 Preferred lifetime (in seconds) for temporary addresses. 1114 Default: 86400 (1 day) 1115 1116max_desync_factor - INTEGER 1117 Maximum value for DESYNC_FACTOR, which is a random value 1118 that ensures that clients don't synchronize with each 1119 other and generate new addresses at exactly the same time. 1120 value is in seconds. 1121 Default: 600 1122 1123regen_max_retry - INTEGER 1124 Number of attempts before give up attempting to generate 1125 valid temporary addresses. 1126 Default: 5 1127 1128max_addresses - INTEGER 1129 Maximum number of autoconfigured addresses per interface. Setting 1130 to zero disables the limitation. It is not recommended to set this 1131 value too large (or to zero) because it would be an easy way to 1132 crash the kernel by allowing too many addresses to be created. 1133 Default: 16 1134 1135disable_ipv6 - BOOLEAN 1136 Disable IPv6 operation. If accept_dad is set to 2, this value 1137 will be dynamically set to TRUE if DAD fails for the link-local 1138 address. 1139 Default: FALSE (enable IPv6 operation) 1140 1141 When this value is changed from 1 to 0 (IPv6 is being enabled), 1142 it will dynamically create a link-local address on the given 1143 interface and start Duplicate Address Detection, if necessary. 1144 1145 When this value is changed from 0 to 1 (IPv6 is being disabled), 1146 it will dynamically delete all address on the given interface. 1147 1148accept_dad - INTEGER 1149 Whether to accept DAD (Duplicate Address Detection). 1150 0: Disable DAD 1151 1: Enable DAD (default) 1152 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate 1153 link-local address has been found. 1154 1155force_tllao - BOOLEAN 1156 Enable sending the target link-layer address option even when 1157 responding to a unicast neighbor solicitation. 1158 Default: FALSE 1159 1160 Quoting from RFC 2461, section 4.4, Target link-layer address: 1161 1162 "The option MUST be included for multicast solicitations in order to 1163 avoid infinite Neighbor Solicitation "recursion" when the peer node 1164 does not have a cache entry to return a Neighbor Advertisements 1165 message. When responding to unicast solicitations, the option can be 1166 omitted since the sender of the solicitation has the correct link- 1167 layer address; otherwise it would not have be able to send the unicast 1168 solicitation in the first place. However, including the link-layer 1169 address in this case adds little overhead and eliminates a potential 1170 race condition where the sender deletes the cached link-layer address 1171 prior to receiving a response to a previous solicitation." 1172 1173icmp/*: 1174ratelimit - INTEGER 1175 Limit the maximal rates for sending ICMPv6 packets. 1176 0 to disable any limiting, 1177 otherwise the minimal space between responses in milliseconds. 1178 Default: 1000 1179 1180 1181IPv6 Update by: 1182Pekka Savola <pekkas@netcore.fi> 1183YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org> 1184 1185 1186/proc/sys/net/bridge/* Variables: 1187 1188bridge-nf-call-arptables - BOOLEAN 1189 1 : pass bridged ARP traffic to arptables' FORWARD chain. 1190 0 : disable this. 1191 Default: 1 1192 1193bridge-nf-call-iptables - BOOLEAN 1194 1 : pass bridged IPv4 traffic to iptables' chains. 1195 0 : disable this. 1196 Default: 1 1197 1198bridge-nf-call-ip6tables - BOOLEAN 1199 1 : pass bridged IPv6 traffic to ip6tables' chains. 1200 0 : disable this. 1201 Default: 1 1202 1203bridge-nf-filter-vlan-tagged - BOOLEAN 1204 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. 1205 0 : disable this. 1206 Default: 1 1207 1208bridge-nf-filter-pppoe-tagged - BOOLEAN 1209 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. 1210 0 : disable this. 1211 Default: 1 1212 1213 1214proc/sys/net/sctp/* Variables: 1215 1216addip_enable - BOOLEAN 1217 Enable or disable extension of Dynamic Address Reconfiguration 1218 (ADD-IP) functionality specified in RFC5061. This extension provides 1219 the ability to dynamically add and remove new addresses for the SCTP 1220 associations. 1221 1222 1: Enable extension. 1223 1224 0: Disable extension. 1225 1226 Default: 0 1227 1228addip_noauth_enable - BOOLEAN 1229 Dynamic Address Reconfiguration (ADD-IP) requires the use of 1230 authentication to protect the operations of adding or removing new 1231 addresses. This requirement is mandated so that unauthorized hosts 1232 would not be able to hijack associations. However, older 1233 implementations may not have implemented this requirement while 1234 allowing the ADD-IP extension. For reasons of interoperability, 1235 we provide this variable to control the enforcement of the 1236 authentication requirement. 1237 1238 1: Allow ADD-IP extension to be used without authentication. This 1239 should only be set in a closed environment for interoperability 1240 with older implementations. 1241 1242 0: Enforce the authentication requirement 1243 1244 Default: 0 1245 1246auth_enable - BOOLEAN 1247 Enable or disable Authenticated Chunks extension. This extension 1248 provides the ability to send and receive authenticated chunks and is 1249 required for secure operation of Dynamic Address Reconfiguration 1250 (ADD-IP) extension. 1251 1252 1: Enable this extension. 1253 0: Disable this extension. 1254 1255 Default: 0 1256 1257prsctp_enable - BOOLEAN 1258 Enable or disable the Partial Reliability extension (RFC3758) which 1259 is used to notify peers that a given DATA should no longer be expected. 1260 1261 1: Enable extension 1262 0: Disable 1263 1264 Default: 1 1265 1266max_burst - INTEGER 1267 The limit of the number of new packets that can be initially sent. It 1268 controls how bursty the generated traffic can be. 1269 1270 Default: 4 1271 1272association_max_retrans - INTEGER 1273 Set the maximum number for retransmissions that an association can 1274 attempt deciding that the remote end is unreachable. If this value 1275 is exceeded, the association is terminated. 1276 1277 Default: 10 1278 1279max_init_retransmits - INTEGER 1280 The maximum number of retransmissions of INIT and COOKIE-ECHO chunks 1281 that an association will attempt before declaring the destination 1282 unreachable and terminating. 1283 1284 Default: 8 1285 1286path_max_retrans - INTEGER 1287 The maximum number of retransmissions that will be attempted on a given 1288 path. Once this threshold is exceeded, the path is considered 1289 unreachable, and new traffic will use a different path when the 1290 association is multihomed. 1291 1292 Default: 5 1293 1294rto_initial - INTEGER 1295 The initial round trip timeout value in milliseconds that will be used 1296 in calculating round trip times. This is the initial time interval 1297 for retransmissions. 1298 1299 Default: 3000 1300 1301rto_max - INTEGER 1302 The maximum value (in milliseconds) of the round trip timeout. This 1303 is the largest time interval that can elapse between retransmissions. 1304 1305 Default: 60000 1306 1307rto_min - INTEGER 1308 The minimum value (in milliseconds) of the round trip timeout. This 1309 is the smallest time interval the can elapse between retransmissions. 1310 1311 Default: 1000 1312 1313hb_interval - INTEGER 1314 The interval (in milliseconds) between HEARTBEAT chunks. These chunks 1315 are sent at the specified interval on idle paths to probe the state of 1316 a given path between 2 associations. 1317 1318 Default: 30000 1319 1320sack_timeout - INTEGER 1321 The amount of time (in milliseconds) that the implementation will wait 1322 to send a SACK. 1323 1324 Default: 200 1325 1326valid_cookie_life - INTEGER 1327 The default lifetime of the SCTP cookie (in milliseconds). The cookie 1328 is used during association establishment. 1329 1330 Default: 60000 1331 1332cookie_preserve_enable - BOOLEAN 1333 Enable or disable the ability to extend the lifetime of the SCTP cookie 1334 that is used during the establishment phase of SCTP association 1335 1336 1: Enable cookie lifetime extension. 1337 0: Disable 1338 1339 Default: 1 1340 1341rcvbuf_policy - INTEGER 1342 Determines if the receive buffer is attributed to the socket or to 1343 association. SCTP supports the capability to create multiple 1344 associations on a single socket. When using this capability, it is 1345 possible that a single stalled association that's buffering a lot 1346 of data may block other associations from delivering their data by 1347 consuming all of the receive buffer space. To work around this, 1348 the rcvbuf_policy could be set to attribute the receiver buffer space 1349 to each association instead of the socket. This prevents the described 1350 blocking. 1351 1352 1: rcvbuf space is per association 1353 0: recbuf space is per socket 1354 1355 Default: 0 1356 1357sndbuf_policy - INTEGER 1358 Similar to rcvbuf_policy above, this applies to send buffer space. 1359 1360 1: Send buffer is tracked per association 1361 0: Send buffer is tracked per socket. 1362 1363 Default: 0 1364 1365sctp_mem - vector of 3 INTEGERs: min, pressure, max 1366 Number of pages allowed for queueing by all SCTP sockets. 1367 1368 min: Below this number of pages SCTP is not bothered about its 1369 memory appetite. When amount of memory allocated by SCTP exceeds 1370 this number, SCTP starts to moderate memory usage. 1371 1372 pressure: This value was introduced to follow format of tcp_mem. 1373 1374 max: Number of pages allowed for queueing by all SCTP sockets. 1375 1376 Default is calculated at boot time from amount of available memory. 1377 1378sctp_rmem - vector of 3 INTEGERs: min, default, max 1379 See tcp_rmem for a description. 1380 1381sctp_wmem - vector of 3 INTEGERs: min, default, max 1382 See tcp_wmem for a description. 1383 1384addr_scope_policy - INTEGER 1385 Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 1386 1387 0 - Disable IPv4 address scoping 1388 1 - Enable IPv4 address scoping 1389 2 - Follow draft but allow IPv4 private addresses 1390 3 - Follow draft but allow IPv4 link local addresses 1391 1392 Default: 1 1393 1394 1395/proc/sys/net/core/* 1396dev_weight - INTEGER 1397 The maximum number of packets that kernel can handle on a NAPI 1398 interrupt, it's a Per-CPU variable. 1399 1400 Default: 64 1401 1402/proc/sys/net/unix/* 1403max_dgram_qlen - INTEGER 1404 The maximum length of dgram socket receive queue 1405 1406 Default: 10 1407 1408 1409UNDOCUMENTED: 1410 1411/proc/sys/net/irda/* 1412 fast_poll_increase FIXME 1413 warn_noreply_time FIXME 1414 discovery_slots FIXME 1415 slot_timeout FIXME 1416 max_baud_rate FIXME 1417 discovery_timeout FIXME 1418 lap_keepalive_time FIXME 1419 max_noreply_time FIXME 1420 max_tx_data_size FIXME 1421 max_tx_window FIXME 1422 min_tx_turn_time FIXME 1423