The kernel has lots of parameters which can be tuned for different
circumstances. While, as usual, the default parameters serve 99% of
installations very well, we don't call this the Advanced HOWTO for the fun
of it!
The interesting bits are in /proc/sys/net, take a look there. Not everything
will be documented here initially, but we're working on it.
By default, routers route everything, even packets which 'obviously' don't
belong on your network. A common example is private IP space escaping onto
the internet. If you have an interface with a route of 195.96.96.0/24 to it,
you do not expect packets from 212.64.94.1 to arrive there.
Lots of people will want to turn this feature off, so the kernel hackers
have made it easy. There are files in /proc where you can tell
the kernel to do this for you. The method is called "Reverse Path
Filtering". Basically, if the reply to this packet wouldn't go out the
interface this packet came in, then this is a bogus packet and should be
ignored.
The following fragment will turn this on for all current and future
interfaces.
# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
> echo 2 > $i
> done
Going by the example above, if a packet arrived on the Linux router on eth1
claiming to come from the Office+ISP subnet, it would be dropped. Similarly,
if a packet came from the Office subnet, claiming to be from somewhere
outside your firewall, it would be dropped also.
The above is full reverse path filtering. The default is to only filter
based on IPs that are on directly connected networks. This is because full
filtering breaks in the case of asymmetric routing, where packets come in
one way and go out another: satellite traffic, for instance, where the data
comes down through the satellite dish and the replies go back through normal
land-lines, or a network with dynamic (BGP, OSPF, RIP) routes.
If this exception applies to you (and you'll probably know if it does) you
can simply turn off the rp_filter on the interface where the
satellite data comes in. If you want to see if any packets are being
dropped, the log_martians file in the same directory will tell
the kernel to log them to your syslog.
# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians
FIXME: is setting the conf/{default,all}/* files enough? - martijn
OK, there are a lot of parameters which can be modified. We try to list them
all. They are also documented (partly) in Documentation/ip-sysctl.txt.
Some of these settings have different defaults based on whether you
answered 'Yes' to 'Configure as router and not host' while compiling your
kernel.
Generic ipv4
As a generic note, most rate limiting features don't work on loopback, so
don't test them locally. The limits are supplied in 'jiffies', and are
enforced using the token bucket filter mentioned earlier.
The kernel has an internal clock which runs at 'HZ' ticks (or 'jiffies') per
second. On Intel, 'HZ' is mostly 100. So setting a *_rate file to, say, 50
would allow 2 packets per second. The token bucket filter is also
configured to allow a burst of at most 6 packets, if enough tokens have
been earned.
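To make the jiffies arithmetic above concrete, here is a small model of that token bucket as an added example (not from the HOWTO and a simplification of the kernel's own code): one token is earned per elapsed jiffy, each ICMP message costs the value written to the *_rate file, and the bucket holds at most a burst of 6 messages' worth. The function name and the arrival times fed to it are constructed for illustration.

```sh
# Added example: model of the token bucket behind the icmp_*_rate files.
# RATE is the value written to the file (jiffies of credit one ICMP message
# costs), BURST is the burst of 6 described in the text, and the remaining
# arguments are the arrival times, in jiffies, of events that each want to
# send one ICMP message. Prints "<sent> <suppressed>".
icmp_rate_sim() {            # icmp_rate_sim <rate_jiffies> <burst> <t1> <t2> ...
    rate=$1 burst=$2; shift 2
    cap=$((rate * burst))    # the bucket never holds more than one full burst
    tokens=$cap last=0 sent=0 dropped=0
    for now in "$@"; do
        tokens=$((tokens + now - last)); last=$now   # one token per elapsed jiffy
        [ "$tokens" -gt "$cap" ] && tokens=$cap
        if [ "$tokens" -ge "$rate" ]; then
            tokens=$((tokens - rate)); sent=$((sent + 1))
        else
            dropped=$((dropped + 1))     # not enough credit: message suppressed
        fi
    done
    echo "$sent $dropped"
}

# HZ=100, rate file set to 50. Ten messages wanted in the same jiffy:
# the burst lets 6 out, 4 are suppressed.
icmp_rate_sim 50 6 0 0 0 0 0 0 0 0 0 0
# After the burst is spent, a steady two per second (one every 50 jiffies)
# all get through...
icmp_rate_sim 50 6 0 0 0 0 0 0 50 100 150 200
# ...while four per second (one every 25 jiffies) loses every other one.
icmp_rate_sim 50 6 0 0 0 0 0 0 25 50 75 100
```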
- /proc/sys/net/ipv4/icmp_destunreach_rate
If the kernel decides that it can't deliver a packet, it will drop it, and
send the source of the packet an ICMP notice to this effect.
- /proc/sys/net/ipv4/icmp_echo_ignore_all
Don't act on echo packets at all. Please don't set this by default, but if
you are used as a relay in a DoS attack, it may be useful.
- /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]
If you ping the broadcast address of a network, all hosts are supposed to
respond. This makes for a dandy denial-of-service tool. Set this to 1 to
ignore these broadcast messages.
- /proc/sys/net/ipv4/icmp_echoreply_rate
The rate at which echo replies are sent to any one destination.
- /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
FIXME: fill this in
- /proc/sys/net/ipv4/icmp_paramprob_rate
FIXME: fill this in
- /proc/sys/net/ipv4/icmp_timeexceed_rate
This is the famous cause of the 'Solaris middle star' in traceroutes. Limits
the number of ICMP Time Exceeded messages sent.
- /proc/sys/net/ipv4/igmp_max_memberships
FIXME: fill this in
- /proc/sys/net/ipv4/inet_peer_gc_maxtime
FIXME: fill this in
- /proc/sys/net/ipv4/inet_peer_gc_mintime
FIXME: fill this in
- /proc/sys/net/ipv4/inet_peer_maxttl
FIXME: fill this in
- /proc/sys/net/ipv4/inet_peer_minttl
FIXME: fill this in
- /proc/sys/net/ipv4/inet_peer_threshold
FIXME: fill this in
- /proc/sys/net/ipv4/ip_autoconfig
FIXME: fill this in
- /proc/sys/net/ipv4/ip_default_ttl
Time To Live of packets. Set to a safe 64. Raise it if you have a huge
network. Don't do so for fun - routing loops cause much more damage that
way. You might even consider lowering it in some circumstances.
- /proc/sys/net/ipv4/ip_dynaddr
You need to set this if you use dial-on-demand with a dynamic interface
address. Once your demand interface comes up, any local TCP sockets which
haven't seen replies will be rebound to have the right address. This solves
the problem that the connection that brings up your interface itself does
not work, but the second try does.
- /proc/sys/net/ipv4/ip_forward
If the kernel should attempt to forward packets. Off by default.
- /proc/sys/net/ipv4/ip_local_port_range
Range of local ports for outgoing connections. Actually quite small by
default, 1024 to 4999.
- /proc/sys/net/ipv4/ip_no_pmtu_disc
Set this if you want to disable Path MTU discovery - a technique to
determine the largest Maximum Transfer Unit possible on your path.
- /proc/sys/net/ipv4/ipfrag_high_thresh
FIXME: fill this in
- /proc/sys/net/ipv4/ipfrag_low_thresh
FIXME: fill this in
- /proc/sys/net/ipv4/ipfrag_time
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_abort_on_overflow
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_fin_timeout
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_keepalive_intvl
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_keepalive_probes
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_keepalive_time
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_max_orphans
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_max_syn_backlog
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_max_tw_buckets
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_orphan_retries
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_retrans_collapse
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_retries1
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_retries2
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_rfc1337
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_sack
Use Selective ACK which can be used to signify that specific packets are
missing - therefore helping fast recovery.
- /proc/sys/net/ipv4/tcp_stdurg
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_syn_retries
Number of SYN packets the kernel will send before giving up on the new
connection.
- /proc/sys/net/ipv4/tcp_synack_retries
To open the other side of the connection, the kernel sends a SYN with a
piggybacked ACK on it, to acknowledge the earlier received SYN. This is part
2 of the three-way handshake. This setting determines the number of SYN+ACK
packets sent before the kernel gives up on the connection.
- /proc/sys/net/ipv4/tcp_timestamps
Timestamps are used, amongst other things, to protect against wrapping
sequence numbers. A 1 gigabit link might conceivably re-encounter a previous
sequence number with an out-of-line value, because it was of a previous
generation. The timestamp will let it recognise this 'ancient packet'.
- /proc/sys/net/ipv4/tcp_tw_recycle
FIXME: fill this in
- /proc/sys/net/ipv4/tcp_window_scaling
TCP/IP normally allows windows of up to 65535 bytes. For really fast
networks, this may not be enough. The window scaling option allows for
almost gigabyte windows, which is good for high bandwidth*delay products.
Per device settings
DEV can either stand for a real interface, or for 'all' or 'default'.
Default also changes settings for interfaces yet to be created.
- /proc/sys/net/ipv4/conf/DEV/accept_redirects
If a router decides that you are using it for a wrong purpose (i.e. it needs
to resend your packet on the same interface), it will send us an ICMP
Redirect. This is a slight security risk however, so you may want to turn it
off, or use secure redirects.
- /proc/sys/net/ipv4/conf/DEV/accept_source_route
Not used very much anymore. You used to be able to give a packet a list of
IP addresses it should visit on its way. Linux can be made to honor this IP
option.
- /proc/sys/net/ipv4/conf/DEV/bootp_relay
FIXME: fill this in
- /proc/sys/net/ipv4/conf/DEV/forwarding
FIXME:
- /proc/sys/net/ipv4/conf/DEV/log_martians
See the section on reverse path filters.
- /proc/sys/net/ipv4/conf/DEV/mc_forwarding
If we do multicast forwarding on this interface.
- /proc/sys/net/ipv4/conf/DEV/proxy_arp
If you set this to 1, all other interfaces will respond to ARP queries
destined for addresses on this interface. Can be very useful when building 'ip
pseudo bridges'. Do take care that your netmasks are correct before
enabling this!
- /proc/sys/net/ipv4/conf/DEV/rp_filter
See the section on reverse path filters.
- /proc/sys/net/ipv4/conf/DEV/secure_redirects
FIXME: fill this in
- /proc/sys/net/ipv4/conf/DEV/send_redirects
If we send the above mentioned redirects.
- /proc/sys/net/ipv4/conf/DEV/shared_media
FIXME: fill this in
- /proc/sys/net/ipv4/conf/DEV/tag
FIXME: fill this in
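The reverse path filtering section above and the per-device settings just listed describe files that are worth checking on every interface of a router, not only the one you were editing. The following script, an added example that is not part of the HOWTO, reads those files under a given root and lists interfaces where rp_filter or log_martians is off, or where ICMP redirects or source-routed packets are accepted. The root is /proc on a live router; the script builds a constructed sample tree so it also runs offline. The function names are my own; the directory layout and the values flagged as weak come from this chapter.

```sh
# Added example, not from the HOWTO. Audits the per-interface files under
# <root>/sys/net/ipv4/conf for the settings this chapter calls out; <root>
# is /proc on a live router, a constructed tree below so it runs offline.
write_conf() {               # write_conf <root> <dev> <setting> <value>
    printf '%s\n' "$4" > "$1/sys/net/ipv4/conf/$2/$3"
}

# Constructed sample tree (not real data): eth0 hardened; eth1 is the
# asymmetric satellite-style link from the text (rp_filter off, martians
# still logged); eth2 left with permissive values.
make_sample_tree() {         # make_sample_tree <root>
    for dev in all default eth0 eth1 eth2; do
        mkdir -p "$1/sys/net/ipv4/conf/$dev"
        for s in rp_filter log_martians accept_redirects accept_source_route; do
            write_conf "$1" "$dev" "$s" 0
        done
    done
    write_conf "$1" eth0 rp_filter 1
    write_conf "$1" eth0 log_martians 1
    write_conf "$1" eth1 log_martians 1
    write_conf "$1" eth2 accept_redirects 1
    write_conf "$1" eth2 accept_source_route 1
}

# Print "<dev> <setting> <value>" for each real interface (the all/default
# pseudo-entries are skipped) whose file holds the weak value.
audit_conf() {               # audit_conf <root> <setting> <weak_value>
    for f in "$1"/sys/net/ipv4/conf/*/"$2"; do
        [ -f "$f" ] || continue
        dev=${f%/*}; dev=${dev##*/}
        case $dev in all|default) continue ;; esac
        read -r val < "$f"
        [ "$val" = "$3" ] && printf '%s %s %s\n' "$dev" "$2" "$val"
    done
    return 0
}

# One line per finding: rp_filter or log_martians off, ICMP redirects or
# source-routed packets accepted on a real interface.
audit_report() {             # audit_report <root>
    audit_conf "$1" rp_filter 0
    audit_conf "$1" log_martians 0
    audit_conf "$1" accept_redirects 1
    audit_conf "$1" accept_source_route 1
}
tmp=$(mktemp -d)
make_sample_tree "$tmp"
audit_report "$tmp"          # on a live router: audit_report /proc
rm -rf "$tmp"
```

An interface deliberately exempted from rp_filter because of asymmetric routing will still appear in the report; the useful check is that such an interface does not also show up with log_martians off.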
Neighbor policy
DEV can either stand for a real interface, or for 'all' or 'default'.
Default also changes settings for interfaces yet to be created.
- /proc/sys/net/ipv4/neigh/DEV/anycast_delay
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/app_solicit
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/base_reachable_time
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/gc_stale_time
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/locktime
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/mcast_solicit
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/proxy_delay
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/proxy_qlen
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/retrans_time
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/ucast_solicit
FIXME: fill this in
- /proc/sys/net/ipv4/neigh/DEV/unres_qlen
FIXME: fill this in
Routing settings
- /proc/sys/net/ipv4/route/error_burst
FIXME: fill this in
- /proc/sys/net/ipv4/route/error_cost
FIXME: fill this in
- /proc/sys/net/ipv4/route/flush
FIXME: fill this in
- /proc/sys/net/ipv4/route/gc_elasticity
FIXME: fill this in
- /proc/sys/net/ipv4/route/gc_interval
FIXME: fill this in
- /proc/sys/net/ipv4/route/gc_min_interval
FIXME: fill this in
- /proc/sys/net/ipv4/route/gc_thresh
FIXME: fill this in
- /proc/sys/net/ipv4/route/gc_timeout
FIXME: fill this in
- /proc/sys/net/ipv4/route/max_delay
FIXME: fill this in
- /proc/sys/net/ipv4/route/max_size
FIXME: fill this in
- /proc/sys/net/ipv4/route/min_adv_mss
FIXME: fill this in
- /proc/sys/net/ipv4/route/min_delay
FIXME: fill this in
- /proc/sys/net/ipv4/route/min_pmtu
FIXME: fill this in
- /proc/sys/net/ipv4/route/mtu_expires
FIXME: fill this in
- /proc/sys/net/ipv4/route/redirect_load
FIXME: fill this in
- /proc/sys/net/ipv4/route/redirect_number
FIXME: fill this in
- /proc/sys/net/ipv4/route/redirect_silence
FIXME: fill this in