1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
/proc/sys/net/ipv4/* variables:
ip_forwarding - "SNMP" BOOLEAN
2 - disabled (default)
1 - enabled
This variable is special, its change resets all configuration
parameters to their default state (RFC1122 for hosts, RFC1812
for routers)
ip_default_ttl - INTEGER
default 64
ip_log_martians - BOOLEAN
log packets with strange or impossible addresses.
default TRUE (router)
FALSE (host)
ip_accept_redirects - BOOLEAN
Accept ICMP redirect messages.
default TRUE (host)
FALSE (router)
ip_secure_redirects - BOOLEAN
Accept ICMP redirect messages only for gateways,
listed in default gateway list.
default TRUE
ip_addrmask_agent - BOOLEAN
Reply to ICMP ADDRESS MASK requests.
default TRUE (router)
FALSE (host)
ip_rfc1620_redirects - BOOLEAN
Send(router) or accept(host) RFC1620 shared media redirects.
Overrides ip_secure_redirects.
default TRUE (should be FALSE for distributed version,
but I use it...)
ip_bootp_agent - BOOLEAN
Accept packets with source address of sort 0.b.c.d
and destined to this host, broadcast or multicast.
Such packets are silently ignored otherwise.
default FALSE
ip_bootp_relay - BOOLEAN
Accept packets with source address 0.b.c.d destined
not to this host as local ones. It is supposed, that
BOOTP relay deamon will catch and forward such packets.
default FASLE
Not Implemented Yet.
ip_source_route - BOOLEAN
Accept packets with SRR option.
default TRUE (router)
FALSE (host)
ip_no_pmtu_disc - BOOLEAN
Disable Path MTU Discovery.
default FALSE
ip_rfc1812_filter - INTEGER
2 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.
1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
that look as sourced at a directly connected interface, but
were input from another interface.
0 - No source validation.
NOTE: do not disable this option! All BSD derived routing software
(sort of gated, routed etc. etc.) is confused by such packets,
even if they are valid.
NOTE: this option is turned on per default only when ip_forwarding
is on. For non-forwarding hosts it doesn't make much sense and
makes some legal multihoming configurations impossible.
ip_fib_model - INTEGER
0 - (DEFAULT) Standard model. All routes are in class MAIN.
1 - default routes go to class DEFAULT. This mode should
be very convenient for small ISPs making policy routing.
2 - RFC1812 compliant model.
Interface routes are in class MAIN.
Gateway routes are in class DEFAULT.
IP Fragmentation:
ipfrag_high_thresh - INTEGER
Maximum memory used to reassemble IP fragments. When
ipfrag_high_thresh bytes of memory is allocated for this purpose,
the fragment handler will toss packets until ipfrag_low_thresh
is reached.
ipfrag_low_thresh - INTEGER
See ipfrag_high_thresh
ipfrag_time - INTEGER
Time in seconds to keep an IP fragment in memory.
TCP variables:
tcp_syn_retries - INTEGER
Number of times initial SYNs for an TCP connection attempt will
be retransmitted. Should not be higher that 255.
tcp_keepalive_time - INTEGER
How often TCP sends out keepalive messages when keepalive is enabled.
Default: 2hours.
tcp_keepalive_probes - INTEGER
How many keepalive probes TCP sends out, until it decides that the
connection is broken.
tcp_retries1 - INTEGER
tcp_retries2 - INTEGER
tcp_max_delay_acks - INTEGER
tcp_fin_timeout - INTEGER
tcp_max_ka_probes - INTEGER
Undocumented for now.
tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE
tcp_stdurg - BOOLEAN
Use the Host requirements interpretation of the TCP urg pointer field.
Most hosts use the older BSD interpretation, so if you turn this on
Linux might not communicate correctly with them.
Default: FALSE
tcp_syn_taildrop - BOOLEAN
tcp_max_syn_backlog - INTEGER
Undocumented (work in progress)
ip_local_port_range - 2 INTEGERS
Defines the local port range that is used by TCP and UDP to
choose the local port. The first number is the first, the
second the last local port number. For high-usage systems
change this to 32768-61000.
icmp_echo_ignore_all - BOOLEAN
icmp_echo_ignore_broadcasts - BOOLEAN
If either is set to true, then the kernel will ignore either all
ICMP ECHO requests sent to it or just those to broadcast/multicast
addresses, respectively.
Alexey Kuznetsov.
kuznet@ms2.inr.ac.ru
Updated by:
Andi Kleen
ak@muc.de
$Id: ip-sysctl.txt,v 1.5 1997/10/17 03:58:23 tdyas Exp $
|
