<HTML>
<HEAD>
<TITLE>Obscure settings</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="Linux Advanced Routing & Traffic Control HOWTO" HREF="index.html">
<LINK REL="UP" TITLE="Kernel network parameters " HREF="lartc.kernel.html">
<LINK REL="PREVIOUS" TITLE="Reverse Path Filtering" HREF="lartc.kernel.rpf.html">
<LINK REL="NEXT" TITLE="Advanced & less common queueing disciplines" HREF="lartc.adv-qdisc.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux Advanced Routing & Traffic Control HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="lartc.kernel.rpf.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 13. Kernel network parameters</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="lartc.adv-qdisc.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="LARTC.KERNEL.OBSCURE"></A>13.2. Obscure settings</H1>
<P>There are a lot of parameters which can be modified. We try to list them all here. They are also (partly) documented in Documentation/networking/ip-sysctl.txt in the kernel source tree.</P>
<P>Some of these settings have different defaults depending on whether you answered 'Yes' to 'Configure as router and not host' when compiling your kernel.</P>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN1252"></A>13.2.1. Generic ipv4</H2>
<P>As a generic note, most rate limiting features don't work on loopback, so don't test them locally. The limits are supplied in 'jiffies', and are enforced using the token bucket filter mentioned earlier.</P>
<P>The kernel has an internal clock which runs at 'HZ' ticks (or 'jiffies') per second. On Intel, 'HZ' was mostly 100 when this was written; current kernels are commonly built with 250 or 1000, so check CONFIG_HZ before doing the arithmetic. With HZ=100, setting a *_rate file to, say, 50 would allow for 2 packets per second. The token bucket filter is also configured to allow a burst of at most 6 packets, if enough tokens have been earned.</P>
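<P>As an added example, not part of the HOWTO, the following POSIX shell script models the per-destination token bucket behind the *_rate knobs described above. The rules it encodes (one token earned per jiffy, bucket capped at 6 times the rate value, each message sent costing 'rate' tokens) are my reading of the 2.2/2.4-era icmp.c xrlim_allow() logic and are an assumption; so is the choice to start with a full bucket, which is what a destination sees on its first message. The arrival times are constructed.</P>

```shell
#!/bin/sh
# Added example (not LARTC's own code): simulate the kernel's per-destination
# ICMP rate limiter for a *_rate value given in jiffies.
#
# Model (assumed from the 2.2/2.4 xrlim_allow() logic):
#   tokens += now - last;  tokens = min(tokens, BURST * rate)
#   if tokens >= rate: tokens -= rate; send   else: drop
# The bucket is assumed to start full (first arrival sees BURST*rate tokens).

XRLIM_BURST_FACTOR=6

# xrlim_sim RATE T1 T2 ... : print 1 (sent) or 0 (dropped) per arrival,
# space separated, for arrivals at the given jiffy timestamps (ascending).
xrlim_sim() {
    rate=$1; shift
    cap=$((XRLIM_BURST_FACTOR * rate))
    tokens=$cap          # assumption: bucket starts full
    last=$1              # first arrival is the reference stamp
    out=""
    for now in "$@"; do
        tokens=$((tokens + now - last))   # earn one token per elapsed jiffy
        last=$now
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        if [ "$tokens" -ge "$rate" ]; then
            tokens=$((tokens - rate)); out="$out 1"   # reply sent
        else
            out="$out 0"                              # reply suppressed
        fi
    done
    echo "${out# }"
}

# xrlim_count RATE T1 T2 ... : number of arrivals that get a reply.
xrlim_count() {
    sent=0
    for r in $(xrlim_sim "$@"); do sent=$((sent + r)); done
    echo "$sent"
}

# Constructed scenario: HZ=100, icmp_echoreply_rate=50 (2 replies/s).
# Ten pings arrive 1 jiffy apart (a 100 ms burst), then two more ~1 s later.
burst="0 1 2 3 4 5 6 7 8 9"
xrlim_sim 50 $burst            # 1 1 1 1 1 1 0 0 0 0
xrlim_count 50 $burst 100 101  # 8
```

<P>With HZ=100 and a rate value of 50, the first six pings of a tight burst are answered and the rest are dropped; after a one-second pause enough tokens have accrued for the next two to be answered again. The same rate value on a kernel built with HZ=250 or HZ=1000 means 5 or 20 replies per second, which is why the HZ check above matters.</P>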
<P>Several entries in the following list have been copied from /usr/src/linux/Documentation/networking/ip-sysctl.txt, written by Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru&gt; and Andi Kleen &lt;ak@muc.de&gt;.
<P></P>
<DIV CLASS="VARIABLELIST">
<DL>
<DT>/proc/sys/net/ipv4/icmp_destunreach_rate</DT>
<DD><P>If the kernel decides that it can't deliver a packet, it will drop it and send the source of the packet an ICMP Destination Unreachable notice to this effect. This file limits the rate at which those notices are sent.</P></DD>
<DT>/proc/sys/net/ipv4/icmp_echo_ignore_all</DT>
<DD><P>Don't act on echo packets at all. Please don't set this by default, but if you are being used as a relay in a DoS attack, it may be useful.</P></DD>
<DT>/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]</DT>
<DD><P>If you ping the broadcast address of a network, all hosts are supposed to respond. This makes for a dandy denial-of-service tool (the 'smurf' attack, where a forged source address receives every reply). Set this to 1 to ignore these broadcast messages.</P></DD>
<DT>/proc/sys/net/ipv4/icmp_echoreply_rate</DT>
<DD><P>The rate at which echo replies are sent to any one destination.</P></DD>
<DT>/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</DT>
<DD><P>Set this to ignore ICMP errors caused by hosts in the network reacting badly to frames sent to what they perceive to be the broadcast address. With it unset, every such bogus error is logged as a kernel warning, which is mostly noise.</P></DD>
<DT>/proc/sys/net/ipv4/icmp_paramprob_rate</DT>
<DD><P>A relatively unknown ICMP message (Parameter Problem), which is sent in response to packets with broken IP or TCP headers. With this file you can control the rate at which it is sent.</P></DD>
<DT>/proc/sys/net/ipv4/icmp_timeexceed_rate</DT>
<DD><P>This is the famous cause of the 'Solaris middle star' in traceroutes. Limits the number of ICMP Time Exceeded messages sent.</P></DD>
<DT>/proc/sys/net/ipv4/igmp_max_memberships</DT>
<DD><P>Maximum number of multicast groups a single socket on the host may join (the kernel default is 20).</P></DD>
<DT>/proc/sys/net/ipv4/inet_peer_gc_maxtime</DT>
<DD><P>The inet peer storage keeps a small amount of per-destination state that has to survive across packets, most notably the IP ID counter. The following knobs tune how that pool is garbage collected.</P>
<P>Minimum interval between garbage collection passes. This interval is in effect under low (or absent) memory pressure on the pool. Measured in jiffies.</P></DD>
<DT>/proc/sys/net/ipv4/inet_peer_gc_mintime</DT>
<DD><P>Minimum interval between garbage collection passes. This interval is in effect under high memory pressure on the pool. Measured in jiffies.</P></DD>
<DT>/proc/sys/net/ipv4/inet_peer_maxttl</DT>
<DD><P>Maximum time-to-live of entries. Unused entries will expire after this period of time if there is no memory pressure on the pool (i.e. when the number of entries in the pool is very small). Measured in jiffies.</P></DD>
<DT>/proc/sys/net/ipv4/inet_peer_minttl</DT>
<DD><P>Minimum time-to-live of entries. Should be enough to cover fragment time-to-live on the reassembling side. This minimum time-to-live is guaranteed if the pool size is less than inet_peer_threshold. Measured in jiffies.</P></DD>
<DT>/proc/sys/net/ipv4/inet_peer_threshold</DT>
<DD><P>The approximate size of the INET peer storage. Starting from this threshold entries will be thrown out aggressively. This threshold also determines entries' time-to-live and the time intervals between garbage collection passes. More entries, less time-to-live, shorter GC interval.</P></DD>
<DT>/proc/sys/net/ipv4/ip_autoconfig</DT>
<DD><P>This file contains the number one if the host received its IP configuration by RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.</P></DD>
<DT>/proc/sys/net/ipv4/ip_default_ttl</DT>
<DD><P>Time To Live of packets. Set to a safe 64. Raise it if you have a huge network. Don't do so for fun - routing loops cause much more damage that way. You might even consider lowering it in some circumstances.</P></DD>
<DT>/proc/sys/net/ipv4/ip_dynaddr</DT>
<DD><P>You need to set this if you use dial-on-demand with a dynamic interface address. Once your demand interface comes up, any local TCP sockets which haven't seen replies will be rebound to have the right address. This solves the problem that the connection that brings up your interface itself does not work, but the second try does.</P></DD>
<DT>/proc/sys/net/ipv4/ip_forward</DT>
<DD><P>Whether the kernel should attempt to forward packets. Off by default. Writing to it also resets every per-interface conf/DEV/forwarding setting to the same value.</P></DD>
<DT>/proc/sys/net/ipv4/ip_local_port_range</DT>
<DD><P>Range of local ports for outgoing connections. Actually quite small by default on the kernels this document was written for, 1024 to 4999; current kernels default to 32768 to 60999.</P></DD>
<DT>/proc/sys/net/ipv4/ip_no_pmtu_disc</DT>
<DD><P>Set this if you want to disable Path MTU discovery - a technique to determine the largest Maximum Transfer Unit possible on your path. See also the section on Path MTU discovery in the <I CLASS="CITETITLE"><A HREF="lartc.cookbook.html">Cookbook</A></I> chapter.</P></DD>
<DT>/proc/sys/net/ipv4/ipfrag_high_thresh</DT>
<DD><P>Maximum memory used to reassemble IP fragments. When ipfrag_high_thresh bytes of memory is allocated for this purpose, the fragment handler will toss packets until ipfrag_low_thresh is reached.</P></DD>
<DT>/proc/sys/net/ipv4/ip_nonlocal_bind</DT>
<DD><P>Set this if you want your applications to be able to bind to an address which doesn't belong to a device on your system. This can be useful when your machine is on a non-permanent (or even dynamic) link, so your services are able to start up and bind to a specific address when your link is down.</P></DD>
<DT>/proc/sys/net/ipv4/ipfrag_low_thresh</DT>
<DD><P>Minimum memory used to reassemble IP fragments.</P></DD>
<DT>/proc/sys/net/ipv4/ipfrag_time</DT>
<DD><P>Time in seconds to keep an IP fragment in memory.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_abort_on_overflow</DT>
<DD><P>A boolean flag controlling the behaviour under lots of incoming connections. When enabled, the kernel answers with a RST instead of silently dropping the handshake when a listening service is too slow to accept and its backlog is full. Off by default, so that a short burst can recover through the client's retransmits; enable it only if the daemon really cannot be made to accept faster.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_fin_timeout</DT>
<DD><P>Time to hold a socket in state FIN-WAIT-2, if it was closed by our side. The peer can be broken and never close its side, or even have died unexpectedly. Default value is 60 sec. The usual value used in 2.2 was 180 seconds; you may restore it, but remember that if your machine is even an underloaded WEB server, you risk overflowing memory with kilotons of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, because they eat at most 1.5K of memory, but they tend to live longer. Cf. tcp_max_orphans.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_keepalive_time</DT>
<DD><P>How often TCP sends out keepalive messages when keepalive is enabled. Default: 2 hours.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_keepalive_intvl</DT>
<DD><P>How frequently probes are retransmitted when a probe isn't acknowledged. Default: 75 seconds.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_keepalive_probes</DT>
<DD><P>How many keepalive probes TCP will send until it decides that the connection is broken. Default value: 9. Multiplied with tcp_keepalive_intvl, this gives the time a link can be non-responsive after a keepalive has been sent.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_max_orphans</DT>
<DD><P>Maximal number of TCP sockets not attached to any user file handle, held by the system. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists only to prevent simple DoS attacks; you _must_ not rely on this or lower the limit artificially, but rather increase it (probably after increasing installed memory) if network conditions require more than the default value, and tune network services to linger and kill such states more aggressively. Let me remind you again: each orphan eats up to ~64K of unswappable memory.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_orphan_retries</DT>
<DD><P>How many times to retry before killing a TCP connection closed by our side. Default value 7 corresponds to ~50 sec to 16 min depending on RTO. If your machine is a loaded WEB server, you should think about lowering this value, as such sockets may consume significant resources. Cf. tcp_max_orphans.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_max_syn_backlog</DT>
<DD><P>Maximal number of remembered connection requests which still did not receive an acknowledgment from the connecting client. Default value is 1024 for systems with more than 128 MB of memory, and 128 for low memory machines. If the server suffers from overload, try to increase this number. Warning! If you make it greater than 1024, it would be better to change TCP_SYNQ_HSIZE in include/net/tcp.h to keep TCP_SYNQ_HSIZE*16&lt;=tcp_max_syn_backlog and to recompile the kernel. A bigger backlog only buys time against a SYN flood, since each half-open entry still costs memory until it times out; it is not a defence by itself.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_max_tw_buckets</DT>
<DD><P>Maximal number of timewait sockets held by the system simultaneously. If this number is exceeded, the time-wait socket is immediately destroyed and a warning is printed. This limit exists only to prevent simple DoS attacks; you _must_ not lower the limit artificially, but rather increase it (probably after increasing installed memory) if network conditions require more than the default value.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_retrans_collapse</DT>
<DD><P>Bug-to-bug compatibility with some broken printers. On retransmit, try to send bigger packets to work around bugs in certain TCP stacks.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_retries1</DT>
<DD><P>How many times to retry before deciding that something is wrong and it is necessary to report this suspicion to the network layer. The minimal RFC value is 3, which is the default; it corresponds to ~3 sec to 8 min depending on RTO.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_retries2</DT>
<DD><P>How many times to retry before killing an alive TCP connection. <A HREF="http://www.ietf.org/rfc/rfc1122.txt" TARGET="_top">RFC 1122</A> says that the limit should be longer than 100 sec. That is too small a number. Default value 15 corresponds to ~13 to 30 min depending on RTO.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_rfc1337</DT>
<DD><P>This boolean enables a fix for 'time-wait assassination hazards in TCP', described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state. Default: 0</P></DD>
<DT>/proc/sys/net/ipv4/tcp_sack</DT>
<DD><P>Use Selective ACK, which can be used to signify that specific packets are missing - therefore helping fast recovery.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_stdurg</DT>
<DD><P>Use the Host Requirements interpretation of the TCP urg pointer field. Most hosts use the older BSD interpretation, so if you turn this on Linux might not communicate correctly with them. Default: FALSE</P></DD>
<DT>/proc/sys/net/ipv4/tcp_syn_retries</DT>
<DD><P>Number of SYN packets the kernel will send before giving up on the new connection.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_synack_retries</DT>
<DD><P>To open the other side of the connection, the kernel sends a SYN with a piggybacked ACK on it, to acknowledge the earlier received SYN. This is part 2 of the three-way handshake. This setting determines the number of SYN+ACK packets sent before the kernel gives up on the connection. Each retransmission keeps a half-open entry in the SYN backlog alive longer, so lowering it shortens how long a SYN flood can occupy that backlog.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_timestamps</DT>
<DD><P>Timestamps are used, amongst other things, to protect against wrapping sequence numbers. A 1 gigabit link might conceivably re-encounter a previous sequence number with an out-of-line value, because it was of a previous generation. The timestamp will let it recognize this 'ancient packet'.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_tw_recycle</DT>
<DD><P>Enable fast recycling of TIME-WAIT sockets. The kernel default is 0 (off). It should not be changed without advice/request of technical experts: it relies on per-host timestamps, so it breaks connections from clients that share one address behind NAT, and it was removed from the kernel in 4.12.</P></DD>
<DT>/proc/sys/net/ipv4/tcp_window_scaling</DT>
<DD><P>TCP/IP normally allows windows up to 65535 bytes big. For really fast networks, this may not be enough. The window scaling option allows for almost gigabyte windows, which is good for high bandwidth*delay products.</P></DD>
</DL>
</DIV>
</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN1433"></A>13.2.2. Per device settings</H2>
<P>DEV can either stand for a real interface, or for 'all' or 'default'. 'default' also changes settings for interfaces yet to be created. Note that the kernel does not simply take the most specific value: for each knob the 'all' value is combined with the per-interface value (for some knobs with a logical AND, for others with a logical OR or the maximum), so a setting you rely on should be written under 'all', under 'default' and under the interface itself.
<P></P>
<DIV CLASS="VARIABLELIST">
<DL>
<DT>/proc/sys/net/ipv4/conf/DEV/accept_redirects</DT>
<DD><P>If a router decides that you are using it for a wrong purpose (i.e., it needs to resend your packet on the same interface it came in on), it will send us an ICMP Redirect. This is a security risk, however: anybody on the local link can forge such a redirect and thereby steer your traffic for a destination through a host of their choosing. So you may want to turn it off, or use secure redirects.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/accept_source_route</DT>
<DD><P>Not used very much anymore. You used to be able to give a packet a list of IP addresses it should visit on its way. Linux can be made to honor this IP option. Leave it off unless you need it: a source-routed packet can make you forward traffic along a path your filters and reverse path checks never anticipated.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/bootp_relay</DT>
<DD><P>Accept packets with source address 0.b.c.d with destinations not to this host as local ones. It is supposed that a BOOTP relay daemon will catch and forward such packets.</P>
<P>The default is 0, since this feature is not implemented yet (kernel version 2.2.12).</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/forwarding</DT>
<DD><P>Enable or disable IP forwarding on this interface.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/log_martians</DT>
<DD><P>See the section on <I CLASS="CITETITLE"><A HREF="lartc.kernel.rpf.html">Reverse Path Filtering</A></I>.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/mc_forwarding</DT>
<DD><P>Whether we do multicast forwarding on this interface.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/proxy_arp</DT>
<DD><P>If you set this to 1, this interface will respond to ARP requests for addresses the kernel has routes to. Can be very useful when building 'ip pseudo bridges'. Do take care that your netmasks are very correct before enabling this! Also be aware that the rp_filter, mentioned elsewhere, also operates on ARP queries!</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/rp_filter</DT>
<DD><P>See the section on <I CLASS="CITETITLE"><A HREF="lartc.kernel.rpf.html">Reverse Path Filtering</A></I>.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/secure_redirects</DT>
<DD><P>Accept ICMP redirect messages only from gateways listed in the default gateway list. Enabled by default. This only matters while accept_redirects is on, and it still trusts any packet claiming to come from one of those gateway addresses.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/send_redirects</DT>
<DD><P>Whether we send the redirects mentioned above.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/shared_media</DT>
<DD><P>If it is not set, the kernel does not assume that different subnets on this device can communicate directly. Default setting is 'yes'.</P></DD>
<DT>/proc/sys/net/ipv4/conf/DEV/tag</DT>
<DD><P>An arbitrary number you can store here for your own use; the kernel itself does not interpret it. Default 0.</P></DD>
</DL>
</DIV>
</P>
</DIV>
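<P>As an added example that is not part of the HOWTO, the script below audits the knobs from 13.2.1 and 13.2.2 that matter for abuse and spoofing against hardened values. It reads them from a /proc/sys-style directory tree, so it can be tried on a constructed tree first and pointed at the real /proc/sys afterwards. The wanted values are my recommendations, not the page's (the HOWTO only warns about some of them, and secure_redirects=0 goes further than the page); the per-interface check covers all, default and every real interface because the kernel merges the 'all' value with the per-interface one rather than taking the most specific. The sample tree is constructed, not captured from a real machine.</P>

```shell
#!/bin/sh
# Added example (not LARTC's own code): audit the security-relevant knobs
# from sections 13.2.1 and 13.2.2 against hardened values, reading a
# /proc/sys-style tree. ROOT is a directory; on a live box use /proc/sys.

# Global knobs: "relative path  wanted-value  why" (wanted values are mine).
GLOBAL_CHECKS='
net/ipv4/icmp_echo_ignore_broadcasts 1 broadcast-ping-amplification
net/ipv4/icmp_ignore_bogus_error_responses 1 silence-bogus-broadcast-errors
net/ipv4/tcp_rfc1337 1 time-wait-assassination
net/ipv4/icmp_echo_ignore_all 0 page-advises-against-ignoring-all-echo
'

# Per-device knobs: checked under conf/all, conf/default and each interface,
# because the kernel merges the "all" value with the per-interface one
# (AND, OR or max depending on the knob), so one of them alone may not hold.
DEV_CHECKS='
accept_redirects 0 on-link-attacker-can-rewrite-routes
secure_redirects 0 do-not-trust-redirects-even-from-gateways
send_redirects 0 do-not-advertise-topology
accept_source_route 0 source-routing-bypasses-path-filtering
rp_filter 1 reverse-path-anti-spoofing
log_martians 1 log-spoofed-sources
'

# read_knob ROOT RELPATH: print the knob's value, or "missing".
read_knob() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# check_list ROOT PREFIX LIST: one "WEAK path=have (want X: why)" per mismatch.
check_list() {
    root=$1; prefix=$2; list=$3
    printf '%s\n' "$list" | while read -r knob want why; do
        [ -n "$knob" ] || continue
        have=$(read_knob "$root" "$prefix$knob")
        if [ "$have" != "$want" ]; then
            echo "WEAK $prefix$knob=$have (want $want: $why)"
        fi
    done
}

# audit_tree ROOT: all findings, global knobs first, then each device dir.
audit_tree() {
    root=$1
    check_list "$root" "" "$GLOBAL_CHECKS"
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        dev=$(basename "$dir")
        if [ "$dev" = lo ]; then continue; fi   # loopback is not the exposure here
        check_list "$root" "net/ipv4/conf/$dev/" "$DEV_CHECKS"
    done
}

# audit_count ROOT: number of findings.
audit_count() {
    audit_tree "$1" | grep '^WEAK' | wc -l | tr -d ' '
}

# write_dev ROOT DEV accept_redirects secure_redirects send_redirects
#           accept_source_route rp_filter log_martians
write_dev() {
    d="$1/net/ipv4/conf/$2"; mkdir -p "$d"
    echo "$3" > "$d/accept_redirects";  echo "$4" > "$d/secure_redirects"
    echo "$5" > "$d/send_redirects";    echo "$6" > "$d/accept_source_route"
    echo "$7" > "$d/rp_filter";         echo "$8" > "$d/log_martians"
}

# Constructed sample tree (not a real system): an admin hardened conf/all
# but left conf/default and eth0 at the kernel's host defaults, and left
# a few global knobs alone.
make_sample_tree() {
    root=$1; mkdir -p "$root/net/ipv4"
    write_dev "$root" all     0 0 0 0 1 1
    write_dev "$root" default 1 1 1 0 0 0
    write_dev "$root" eth0    1 1 1 0 0 0
    write_dev "$root" lo      1 1 1 0 0 0
    echo 1 > "$root/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$root/net/ipv4/icmp_ignore_bogus_error_responses"
    echo 0 > "$root/net/ipv4/tcp_rfc1337"
    echo 0 > "$root/net/ipv4/icmp_echo_ignore_all"
}

# Usage on a live system:  AUDIT_ROOT=/proc/sys sh audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_tree "$AUDIT_ROOT"
fi
```

<P>On the constructed tree the script reports 12 findings: two global knobs at their defaults, and five weak values each under conf/default and conf/eth0 even though conf/all looks hardened. That last part is the point of checking every directory rather than just 'all'.</P>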
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN1490"></A>13.2.3. Neighbor policy</H2>
<P>DEV can either stand for a real interface, or for 'all' or 'default'. 'default' also changes settings for interfaces yet to be created.
<P></P>
<DIV CLASS="VARIABLELIST">
<DL>
<DT>/proc/sys/net/ipv4/neigh/DEV/anycast_delay</DT>
<DD><P>Maximum for random delay of answers to neighbor solicitation messages in jiffies (1/100 sec). Not yet implemented (Linux does not have anycast support yet).</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/app_solicit</DT>
<DD><P>Determines the number of requests to send to the user level ARP daemon. Use 0 to turn off.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/base_reachable_time</DT>
<DD><P>A base value used for computing the random reachable time value as specified in RFC 2461.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time</DT>
<DD><P>Delay for the first time probe if the neighbor is reachable. (see gc_stale_time)</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/gc_stale_time</DT>
<DD><P>Determines how often to check for stale ARP entries. After an ARP entry is stale it will be resolved again (which is useful when an IP address migrates to another machine). When ucast_solicit is greater than 0, it first tries to send an ARP packet directly to the known host. When that fails and mcast_solicit is greater than 0, an ARP request is broadcast.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/locktime</DT>
<DD><P>An ARP/neighbor entry is only replaced with a new one if the old one is at least locktime old. This prevents ARP cache thrashing.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/mcast_solicit</DT>
<DD><P>Maximum number of retries for multicast solicitation.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/proxy_delay</DT>
<DD><P>Maximum time (the real time is random in [0..proxy_delay]) before answering an ARP request for which we have a proxy ARP entry. In some cases, this is used to prevent network flooding.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/proxy_qlen</DT>
<DD><P>Maximum queue length of the delayed proxy arp timer. (see proxy_delay).</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/retrans_time</DT>
<DD><P>The time, expressed in jiffies (1/100 sec), between retransmitted Neighbor Solicitation messages. Used for address resolution and to determine if a neighbor is unreachable.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/ucast_solicit</DT>
<DD><P>Maximum number of retries for unicast solicitation.</P></DD>
<DT>/proc/sys/net/ipv4/neigh/DEV/unres_qlen</DT>
<DD><P>Maximum queue length for a pending arp request - the number of packets which are accepted from other layers while the ARP address is still being resolved.</P></DD>
</DL>
</DIV>
</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN1546"></A>13.2.4. Routing settings</H2>
<P>
<P></P>
<DIV CLASS="VARIABLELIST">
<DL>
<DT>/proc/sys/net/ipv4/route/error_burst</DT>
<DD><P>These parameters are used to limit the warning messages written to the kernel log from the routing code. The higher the error_cost factor is, the fewer messages will be written. error_burst controls when messages will be dropped. The default settings limit warning messages to one every five seconds.</P></DD>
<DT>/proc/sys/net/ipv4/route/error_cost</DT>
<DD><P>See /proc/sys/net/ipv4/route/error_burst.</P></DD>
<DT>/proc/sys/net/ipv4/route/flush</DT>
<DD><P>Writing to this file results in a flush of the routing cache.</P></DD>
<DT>/proc/sys/net/ipv4/route/gc_elasticity</DT>
<DD><P>Values to control the frequency and behavior of the garbage collection algorithm for the routing cache. This can be important when doing fail over. At least gc_timeout seconds will elapse before Linux will skip to another route because the previous one has died. By default set to 300; you may want to lower it if you want to have a speedy fail over.</P>
<P>Also see <A HREF="http://mailman.ds9a.nl/pipermail/lartc/2002q1/002667.html" TARGET="_top">this post</A> by Ard van Breemen.</P></DD>
<DT>/proc/sys/net/ipv4/route/gc_interval</DT>
<DD><P>See /proc/sys/net/ipv4/route/gc_elasticity.</P></DD>
<DT>/proc/sys/net/ipv4/route/gc_min_interval</DT>
<DD><P>See /proc/sys/net/ipv4/route/gc_elasticity.</P></DD>
<DT>/proc/sys/net/ipv4/route/gc_thresh</DT>
<DD><P>See /proc/sys/net/ipv4/route/gc_elasticity.</P></DD>
<DT>/proc/sys/net/ipv4/route/gc_timeout</DT>
<DD><P>See /proc/sys/net/ipv4/route/gc_elasticity.</P></DD>
<DT>/proc/sys/net/ipv4/route/max_delay</DT>
<DD><P>Delays for flushing the routing cache.</P></DD>
<DT>/proc/sys/net/ipv4/route/max_size</DT>
<DD><P>Maximum size of the routing cache. Old entries will be purged once the cache has reached this size.</P></DD>
<DT>/proc/sys/net/ipv4/route/min_adv_mss</DT>
<DD><P>Lower bound on the MSS we advertise. The advertised MSS depends on the MTU of the first-hop route, but will never be lower than this setting.</P></DD>
<DT>/proc/sys/net/ipv4/route/min_delay</DT>
<DD><P>Delays for flushing the routing cache.</P></DD>
<DT>/proc/sys/net/ipv4/route/min_pmtu</DT>
<DD><P>Lower bound on the Path MTU learned from ICMP Fragmentation Needed messages. Anything smaller is clamped to this value (kernel default 552), which keeps a forged ICMP message from forcing absurdly small packets.</P></DD>
<DT>/proc/sys/net/ipv4/route/mtu_expires</DT>
<DD><P>Time, in seconds, that a discovered Path MTU is cached before it is rechecked (kernel default 600).</P></DD>
<DT>/proc/sys/net/ipv4/route/redirect_load</DT>
<DD><P>Factors which determine if more ICMP redirects should be sent to a specific host. No redirects will be sent once the load limit or the maximum number of redirects has been reached.</P></DD>
<DT>/proc/sys/net/ipv4/route/redirect_number</DT>
<DD><P>See /proc/sys/net/ipv4/route/redirect_load.</P></DD>
<DT>/proc/sys/net/ipv4/route/redirect_silence</DT>
<DD><P>Timeout for redirects. After this period redirects will be sent again, even if this has been stopped because the load or number limit has been reached.</P></DD>
</DL>
</DIV>
</P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="lartc.kernel.rpf.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="lartc.adv-qdisc.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Reverse Path Filtering</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="lartc.kernel.html" ACCESSKEY="U">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Advanced & less common queueing disciplines</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>