美文网首页
/proc/sys/net/ipv4/* Variables:

/proc/sys/net/ipv4/* Variables:

作者: JSON_NULL | 来源:发表于2017-12-01 10:34 被阅读126次

    此文内容从网络收集,介绍了Linux系统 /proc/sys/net/ipv4/ 目录下所有内核参数的含义,由于简书每篇文章字数的限制,此文被分成了两个部分,这是第二部分。

    icmp_errors_use_inbound_ifaddr - BOOLEAN

    If zero, icmp error messages are sent with the primary address of
    the exiting interface.
    
    If non-zero, the message will be sent with the primary address of
    the interface that received the packet that caused the icmp error.
    This is the behaviour network many administrators will expect from
    a router. And it can make debugging complicated network layouts
    much easier.
    
    Note that if no primary address exists for the interface selected,
    then the primary address of the first non-loopback interface that
    has one will be used regardless of this setting.
    
    Default: 0
    

    igmp_max_memberships - INTEGER

    Change the maximum number of multicast groups we can subscribe to.
    Default: 20
    
    Theoretical maximum value is bounded by having to send a membership
    report in a single datagram (i.e. the report can't span multiple
    datagrams, or risk confusing the switch and leaving groups you don't
    intend to).
    
    The number of supported groups 'M' is bounded by the number of group
    report entries you can fit into a single datagram of 65535 bytes.
    
    M = 65536-sizeof (ip header)/(sizeof(Group record))
    
    Group records are variable length, with a minimum of 12 bytes.
    So net.ipv4.igmp_max_memberships should not be set higher than:
    
    (65536-24) / 12 = 5459
    
    The value 5459 assumes no IP header options, so in practice
    this number may be lower.
    

    igmp_max_msf - INTEGER

    Maximum number of addresses allowed in the source filter list for a
    multicast group.
    Default: 10
    

    igmp_qrv - INTEGER

    Controls the IGMP query robustness variable (see RFC2236 8.1).
    Default: 2 (as specified by RFC2236 8.1)
    Minimum: 1 (as specified by RFC6636 4.5)
    

    force_igmp_version - INTEGER

    0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback
        allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier
        Present timer expires.
    1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if
        receive IGMPv2/v3 query.
    2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive
        IGMPv1 query message. Will reply report if receive IGMPv3 query.
    3 - Enforce to use IGMP version 3. The same react with default 0.
    
    Note: this is not the same with force_mld_version because IGMPv3 RFC3376
    Security Considerations does not have clear description that we could
    ignore other version messages completely as MLDv2 RFC3810. So make
    this value as default 0 is recommended.
    

    conf/interface/* changes special settings per interface (where
    "interface" is the name of your network interface)

    conf/all/* is special, changes the settings for all interfaces

    log_martians - BOOLEAN

    Log packets with impossible addresses to kernel log.
    log_martians for the interface will be enabled if at least one of
    conf/{all,interface}/log_martians is set to TRUE,
    it will be disabled otherwise
    

    accept_redirects - BOOLEAN

    Accept ICMP redirect messages.
    accept_redirects for the interface will be enabled if:
    - both conf/{all,interface}/accept_redirects are TRUE in the case
      forwarding for the interface is enabled
    or
    - at least one of conf/{all,interface}/accept_redirects is TRUE in the
      case forwarding for the interface is disabled
    accept_redirects for the interface will be disabled otherwise
    default TRUE (host)
        FALSE (router)
    

    forwarding - BOOLEAN

    Enable IP forwarding on this interface.  This controls whether packets
    received _on_ this interface can be forwarded.
    

    mc_forwarding - BOOLEAN

    Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
    and a multicast routing daemon is required.
    conf/all/mc_forwarding must also be set to TRUE to enable multicast
    routing for the interface
    

    medium_id - INTEGER

    Integer value used to differentiate the devices by the medium they
    are attached to. Two devices can have different id values when
    the broadcast packets are received only on one of them.
    The default value 0 means that the device is the only interface
    to its medium, value of -1 means that medium is not known.
    
    Currently, it is used to change the proxy_arp behavior:
    the proxy_arp feature is enabled for packets forwarded between
    two devices attached to different media.
    

    proxy_arp - BOOLEAN

    Do proxy arp.
    proxy_arp for the interface will be enabled if at least one of
    conf/{all,interface}/proxy_arp is set to TRUE,
    it will be disabled otherwise
    

    proxy_arp_pvlan - BOOLEAN

    Private VLAN proxy arp.
    Basically allow proxy arp replies back to the same interface
    (from which the ARP request/solicitation was received).
    
    This is done to support (ethernet) switch features, like RFC
    3069, where the individual ports are NOT allowed to
    communicate with each other, but they are allowed to talk to
    the upstream router.  As described in RFC 3069, it is possible
    to allow these hosts to communicate through the upstream
    router by proxy_arp'ing. Don't need to be used together with
    proxy_arp.
    
    This technology is known by different names:
      In RFC 3069 it is called VLAN Aggregation.
      Cisco and Allied Telesyn call it Private VLAN.
      Hewlett-Packard call it Source-Port filtering or port-isolation.
      Ericsson call it MAC-Forced Forwarding (RFC Draft).
    

    shared_media - BOOLEAN

    Send(router) or accept(host) RFC1620 shared media redirects.
    Overrides secure_redirects.
    shared_media for the interface will be enabled if at least one of
    conf/{all,interface}/shared_media is set to TRUE,
    it will be disabled otherwise
    default TRUE
    

    secure_redirects - BOOLEAN

    Accept ICMP redirect messages only to gateways listed in the
    interface's current gateway list. Even if disabled, RFC1122 redirect
    rules still apply.
    Overridden by shared_media.
    secure_redirects for the interface will be enabled if at least one of
    conf/{all,interface}/secure_redirects is set to TRUE,
    it will be disabled otherwise
    default TRUE
    

    send_redirects - BOOLEAN

    Send redirects, if router.
    send_redirects for the interface will be enabled if at least one of
    conf/{all,interface}/send_redirects is set to TRUE,
    it will be disabled otherwise
    Default: TRUE
    

    bootp_relay - BOOLEAN

    Accept packets with source address 0.b.c.d destined
    not to this host as local ones. It is supposed, that
    BOOTP relay daemon will catch and forward such packets.
    conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
    for the interface
    default FALSE
    Not Implemented Yet.
    

    accept_source_route - BOOLEAN

    Accept packets with SRR option.
    conf/all/accept_source_route must also be set to TRUE to accept packets
    with SRR option on the interface
    default TRUE (router)
        FALSE (host)
    

    accept_local - BOOLEAN

    Accept packets with local source addresses. In combination with
    suitable routing, this can be used to direct packets between two
    local interfaces over the wire and have them accepted properly.
    default FALSE
    

    route_localnet - BOOLEAN

    Do not consider loopback addresses as martian source or destination
    while routing. This enables the use of 127/8 for local routing purposes.
    default FALSE
    

    rp_filter - INTEGER

    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface
        is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB
        and if the source address is not reachable via any interface
        the packet check will fail.
    
    Current recommended practice in RFC3704 is to enable strict mode
    to prevent IP spoofing from DDos attacks. If using asymmetric routing
    or other complicated routing, then loose mode is recommended.
    
    The max value from conf/{all,interface}/rp_filter is used
    when doing source validation on the {interface}.
    
    Default value is 0. Note that some distributions enable it
    in startup scripts.
    

    arp_filter - BOOLEAN

    1 - Allows you to have multiple network interfaces on the same
    subnet, and have the ARPs for each interface be answered
    based on whether or not the kernel would route a packet from
    the ARP'd IP out that interface (therefore you must use source
    based routing for this to work). In other words it allows control
    of which cards (usually 1) will respond to an arp request.
    
    0 - (default) The kernel can respond to arp requests with addresses
    from other interfaces. This may seem wrong but it usually makes
    sense, because it increases the chance of successful communication.
    IP addresses are owned by the complete host on Linux, not by
    particular interfaces. Only for more complex setups like load-
    balancing, does this behaviour cause problems.
    
    arp_filter for the interface will be enabled if at least one of
    conf/{all,interface}/arp_filter is set to TRUE,
    it will be disabled otherwise
    

    arp_announce - INTEGER

    Define different restriction levels for announcing the local
    source IP address from IP packets in ARP requests sent on
    interface:
    0 - (default) Use any local address, configured on any interface
    1 - Try to avoid local addresses that are not in the target's
    subnet for this interface. This mode is useful when target
    hosts reachable via this interface require the source IP
    address in ARP requests to be part of their logical network
    configured on the receiving interface. When we generate the
    request we will check all our subnets that include the
    target IP and will preserve the source address if it is from
    such subnet. If there is no such subnet we select source
    address according to the rules for level 2.
    2 - Always use the best local address for this target.
    In this mode we ignore the source address in the IP packet
    and try to select local address that we prefer for talks with
    the target host. Such local address is selected by looking
    for primary IP addresses on all our subnets on the outgoing
    interface that include the target IP address. If no suitable
    local address is found we select the first local address
    we have on the outgoing interface or on all other interfaces,
    with the hope we will receive reply for our request and
    even sometimes no matter the source IP address we announce.
    
    The max value from conf/{all,interface}/arp_announce is used.
    
    Increasing the restriction level gives more chance for
    receiving answer from the resolved target while decreasing
    the level announces more valid sender's information.
    

    arp_ignore - INTEGER

    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
    0 - (default): reply for any local target IP address, configured
    on any interface
    1 - reply only if the target IP address is local address
    configured on the incoming interface
    2 - reply only if the target IP address is local address
    configured on the incoming interface and both with the
    sender's IP address are part from same subnet on this interface
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved
    8 - do not reply for all local addresses
    
    The max value from conf/{all,interface}/arp_ignore is used
    when ARP request is received on the {interface}
    

    arp_notify - BOOLEAN

    Define mode for notification of address and device changes.
    0 - (default): do nothing
    1 - Generate gratuitous arp requests when device is brought up
        or hardware address changes.
    

    arp_accept - BOOLEAN

    Define behavior for gratuitous ARP frames who's IP is not
    already present in the ARP table:
    0 - don't create new entries in the ARP table
    1 - create new entries in the ARP table
    
    Both replies and requests type gratuitous arp will trigger the
    ARP table to be updated, if this setting is on.
    
    If the ARP table already contains the IP address of the
    gratuitous arp frame, the arp table will be updated regardless
    if this setting is on or off.
    

    mcast_solicit - INTEGER

    The maximum number of multicast probes in INCOMPLETE state,
    when the associated hardware address is unknown.  Defaults
    to 3.
    

    ucast_solicit - INTEGER

    The maximum number of unicast probes in PROBE state, when
    the hardware address is being reconfirmed.  Defaults to 3.
    

    app_solicit - INTEGER

    The maximum number of probes to send to the user space ARP daemon
    via netlink before dropping back to multicast probes (see
    mcast_resolicit).  Defaults to 0.
    

    mcast_resolicit - INTEGER

    The maximum number of multicast probes after unicast and
    app probes in PROBE state.  Defaults to 0.
    

    disable_policy - BOOLEAN

    Disable IPSEC policy (SPD) for this interface
    

    disable_xfrm - BOOLEAN

    Disable IPSEC encryption on this interface, whatever the policy
    

    igmpv2_unsolicited_report_interval - INTEGER

    The interval in milliseconds in which the next unsolicited
    IGMPv1 or IGMPv2 report retransmit will take place.
    Default: 10000 (10 seconds)
    

    igmpv3_unsolicited_report_interval - INTEGER
    The interval in milliseconds in which the next unsolicited
    IGMPv3 report retransmit will take place.
    Default: 1000 (1 seconds)

    promote_secondaries - BOOLEAN

    When a primary IP address is removed from this interface
    promote a corresponding secondary IP address instead of
    removing all the corresponding secondary IP addresses.
    

    drop_unicast_in_l2_multicast - BOOLEAN

    Drop any unicast IP packets that are received in link-layer
    multicast (or broadcast) frames.
    This behavior (for multicast) is actually a SHOULD in RFC
    1122, but is disabled by default for compatibility reasons.
    Default: off (0)
    

    drop_gratuitous_arp - BOOLEAN

    Drop all gratuitous ARP frames, for example if there's a known
    good ARP proxy on the network and such frames need not be used
    (or in the case of 802.11, must not be used to prevent attacks.)
    Default: off (0)
    

    tag - INTEGER

    Allows you to write a number, which can be used as required.
    Default value is 0.
    

    xfrm4_gc_thresh - INTEGER

    The threshold at which we will start garbage collecting for IPv4
    destination cache entries.  At twice this value the system will
    refuse new allocations.
    

    igmp_link_local_mcast_reports - BOOLEAN

    Enable IGMP reports for link local multicast groups in the
    224.0.0.X range.
    Default TRUE
    

    Alexey Kuznetsov.
    kuznet@ms2.inr.ac.ru

    Updated by:
    Andi Kleen
    ak@muc.de
    Nicolas Delon
    delon.nicolas@wanadoo.fr

    /proc/sys/net/ipv6/* Variables:

    IPv6 has no global variables such as tcp_. tcp_ settings under ipv4/ also
    apply to IPv6 [XXX?].

    bindv6only - BOOLEAN

    Default value for IPV6_V6ONLY socket option,
    which restricts use of the IPv6 socket to IPv6 communication
    only.
        TRUE: disable IPv4-mapped address feature
        FALSE: enable IPv4-mapped address feature
    
    Default: FALSE (as specified in RFC3493)
    

    flowlabel_consistency - BOOLEAN

    Protect the consistency (and unicity) of flow label.
    You have to disable it to use IPV6_FL_F_REFLECT flag on the
    flow label manager.
    TRUE: enabled
    FALSE: disabled
    Default: TRUE
    

    auto_flowlabels - INTEGER

    Automatically generate flow labels based on a flow hash of the
    packet. This allows intermediate devices, such as routers, to
    identify packet flows for mechanisms like Equal Cost Multipath
    Routing (see RFC 6438).
    0: automatic flow labels are completely disabled
    1: automatic flow labels are enabled by default, they can be
       disabled on a per socket basis using the IPV6_AUTOFLOWLABEL
       socket option
    2: automatic flow labels are allowed, they may be enabled on a
       per socket basis using the IPV6_AUTOFLOWLABEL socket option
    3: automatic flow labels are enabled and enforced, they cannot
       be disabled by the socket option
    Default: 1
    

    flowlabel_state_ranges - BOOLEAN

    Split the flow label number space into two ranges. 0-0x7FFFF is
    reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF
    is reserved for stateless flow labels as described in RFC6437.
    TRUE: enabled
    FALSE: disabled
    Default: true
    

    flowlabel_reflect - BOOLEAN

    Automatically reflect the flow label. Needed for Path MTU
    Discovery to work with Equal Cost Multipath Routing in anycast
    environments. See RFC 7690 and:
    https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01
    TRUE: enabled
    FALSE: disabled
    Default: FALSE
    

    anycast_src_echo_reply - BOOLEAN

    Controls the use of anycast addresses as source addresses for ICMPv6
    echo reply
    TRUE:  enabled
    FALSE: disabled
    Default: FALSE
    

    idgen_delay - INTEGER

    Controls the delay in seconds after which time to retry
    privacy stable address generation if a DAD conflict is
    detected.
    Default: 1 (as specified in RFC7217)
    

    idgen_retries - INTEGER

    Controls the number of retries to generate a stable privacy
    address if a DAD conflict is detected.
    Default: 3 (as specified in RFC7217)
    

    mld_qrv - INTEGER

    Controls the MLD query robustness variable (see RFC3810 9.1).
    Default: 2 (as specified by RFC3810 9.1)
    Minimum: 1 (as specified by RFC6636 4.5)
    

    max_dst_opts_cnt - INTEGER

    Maximum number of non-padding TLVs allowed in a Destination
    options extension header. If this value is less than zero
    then unknown options are disallowed and the number of known
    TLVs allowed is the absolute value of this number.
    Default: 8
    

    max_hbh_opts_cnt - INTEGER

    Maximum number of non-padding TLVs allowed in a Hop-by-Hop
    options extension header. If this value is less than zero
    then unknown options are disallowed and the number of known
    TLVs allowed is the absolute value of this number.
    Default: 8
    

    max dst_opts_len - INTEGER

    Maximum length allowed for a Destination options extension
    header.
    Default: INT_MAX (unlimited)
    

    max hbh_opts_len - INTEGER

    Maximum length allowed for a Hop-by-Hop options extension
    header.
    Default: INT_MAX (unlimited)
    

    IPv6 Fragmentation:

    ip6frag_high_thresh - INTEGER

    Maximum memory used to reassemble IPv6 fragments. When
    ip6frag_high_thresh bytes of memory is allocated for this purpose,
    the fragment handler will toss packets until ip6frag_low_thresh
    is reached.
    

    ip6frag_low_thresh - INTEGER

    See ip6frag_high_thresh
    

    ip6frag_time - INTEGER

    Time in seconds to keep an IPv6 fragment in memory.
    

    conf/default/*:

    Change the interface-specific default settings.
    

    conf/all/*:

    Change all the interface-specific settings.
    
    [XXX:  Other special features than forwarding?]
    

    conf/all/forwarding - BOOLEAN

    Enable global IPv6 forwarding between all interfaces.
    
    IPv4 and IPv6 work differently here; e.g. netfilter must be used
    to control which interfaces may forward packets and which not.
    
    This also sets all interfaces' Host/Router setting
    'forwarding' to the specified value.  See below for details.
    
    This referred to as global forwarding.
    

    proxy_ndp - BOOLEAN

    Do proxy ndp.
    

    fwmark_reflect - BOOLEAN

    Controls the fwmark of kernel-generated IPv6 reply packets that are not
    associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
    If unset, these packets have a fwmark of zero. If set, they have the
    fwmark of the packet they are replying to.
    Default: 0
    

    conf/interface/*:

    Change special settings per interface.
    
    The functional behaviour for certain settings is different
    depending on whether local forwarding is enabled or not.
    

    accept_ra - INTEGER

    Accept Router Advertisements; autoconfigure using them.
    
    It also determines whether or not to transmit Router
    Solicitations. If and only if the functional setting is to
    accept Router Advertisements, Router Solicitations will be
    transmitted.
    
    Possible values are:
        0 Do not accept Router Advertisements.
        1 Accept Router Advertisements if forwarding is disabled.
        2 Overrule forwarding behaviour. Accept Router Advertisements
          even if forwarding is enabled.
    
    Functional default: enabled if local forwarding is disabled.
                disabled if local forwarding is enabled.
    

    accept_ra_defrtr - BOOLEAN

    Learn default router in Router Advertisement.
    
    Functional default: enabled if accept_ra is enabled.
                disabled if accept_ra is disabled.
    

    accept_ra_from_local - BOOLEAN

    Accept RA with source-address that is found on local machine
        if the RA is otherwise proper and able to be accepted.
        Default is to NOT accept these as it may be an un-intended
        network loop.
    
    Functional default:
           enabled if accept_ra_from_local is enabled
               on a specific interface.
       disabled if accept_ra_from_local is disabled
               on a specific interface.
    

    accept_ra_min_hop_limit - INTEGER

    Minimum hop limit Information in Router Advertisement.
    
    Hop limit Information in Router Advertisement less than this
    variable shall be ignored.
    
    Default: 1
    

    accept_ra_pinfo - BOOLEAN

    Learn Prefix Information in Router Advertisement.
    
    Functional default: enabled if accept_ra is enabled.
                disabled if accept_ra is disabled.
    

    accept_ra_rt_info_min_plen - INTEGER

    Minimum prefix length of Route Information in RA.
    
    Route Information w/ prefix smaller than this variable shall
    be ignored.
    
    Functional default: 0 if accept_ra_rtr_pref is enabled.
                -1 if accept_ra_rtr_pref is disabled.
    

    accept_ra_rt_info_max_plen - INTEGER

    Maximum prefix length of Route Information in RA.
    
    Route Information w/ prefix larger than this variable shall
    be ignored.
    
    Functional default: 0 if accept_ra_rtr_pref is enabled.
                -1 if accept_ra_rtr_pref is disabled.
    

    accept_ra_rtr_pref - BOOLEAN

    Accept Router Preference in RA.
    
    Functional default: enabled if accept_ra is enabled.
                disabled if accept_ra is disabled.
    

    accept_ra_mtu - BOOLEAN

    Apply the MTU value specified in RA option 5 (RFC4861). If
    disabled, the MTU specified in the RA will be ignored.
    
    Functional default: enabled if accept_ra is enabled.
                disabled if accept_ra is disabled.
    

    accept_redirects - BOOLEAN

    Accept Redirects.
    
    Functional default: enabled if local forwarding is disabled.
                disabled if local forwarding is enabled.
    

    accept_source_route - INTEGER

    Accept source routing (routing extension header).
    
    >= 0: Accept only routing header type 2.
    < 0: Do not accept routing header.
    
    Default: 0
    

    autoconf - BOOLEAN

    Autoconfigure addresses using Prefix Information in Router
    Advertisements.
    
    Functional default: enabled if accept_ra_pinfo is enabled.
                disabled if accept_ra_pinfo is disabled.
    

    dad_transmits - INTEGER

    The amount of Duplicate Address Detection probes to send.
    Default: 1
    

    forwarding - INTEGER

    Configure interface-specific Host/Router behaviour.
    
    Note: It is recommended to have the same setting on all
    interfaces; mixed router/host scenarios are rather uncommon.
    
    Possible values are:
        0 Forwarding disabled
        1 Forwarding enabled
    
    FALSE (0):
    
    By default, Host behaviour is assumed.  This means:
    
    1. IsRouter flag is not set in Neighbour Advertisements.
    2. If accept_ra is TRUE (default), transmit Router
       Solicitations.
    3. If accept_ra is TRUE (default), accept Router
       Advertisements (and do autoconfiguration).
    4. If accept_redirects is TRUE (default), accept Redirects.
    
    TRUE (1):
    
    If local forwarding is enabled, Router behaviour is assumed.
    This means exactly the reverse from the above:
    
    1. IsRouter flag is set in Neighbour Advertisements.
    2. Router Solicitations are not sent unless accept_ra is 2.
    3. Router Advertisements are ignored unless accept_ra is 2.
    4. Redirects are ignored.
    
    Default: 0 (disabled) if global forwarding is disabled (default),
         otherwise 1 (enabled).
    

    hop_limit - INTEGER

    Default Hop Limit to set.
    Default: 64
    

    mtu - INTEGER

    Default Maximum Transfer Unit
    Default: 1280 (IPv6 required minimum)
    

    ip_nonlocal_bind - BOOLEAN

    If set, allows processes to bind() to non-local IPv6 addresses,
    which can be quite useful - but may break some applications.
    Default: 0
    

    router_probe_interval - INTEGER

    Minimum interval (in seconds) between Router Probing described
    in RFC4191.
    
    Default: 60
    

    router_solicitation_delay - INTEGER

    Number of seconds to wait after interface is brought up
    before sending Router Solicitations.
    Default: 1
    

    router_solicitation_interval - INTEGER

    Number of seconds to wait between Router Solicitations.
    Default: 4
    

    router_solicitations - INTEGER

    Number of Router Solicitations to send until assuming no
    routers are present.
    Default: 3
    

    use_oif_addrs_only - BOOLEAN

    When enabled, the candidate source addresses for destinations
    routed via this interface are restricted to the set of addresses
    configured on this interface (vis. RFC 6724, section 4).
    
    Default: false
    

    use_tempaddr - INTEGER

    Preference for Privacy Extensions (RFC3041).
      <= 0 : disable Privacy Extensions
      == 1 : enable Privacy Extensions, but prefer public
             addresses over temporary addresses.
      >  1 : enable Privacy Extensions and prefer temporary
             addresses over public addresses.
    Default:  0 (for most devices)
         -1 (for point-to-point devices and loopback devices)
    

    temp_valid_lft - INTEGER

    valid lifetime (in seconds) for temporary addresses.
    Default: 604800 (7 days)
    

    temp_prefered_lft - INTEGER

    Preferred lifetime (in seconds) for temporary addresses.
    Default: 86400 (1 day)
    

    keep_addr_on_down - INTEGER

    Keep all IPv6 addresses on an interface down event. If set static
    global addresses with no expiration time are not flushed.
      >0 : enabled
       0 : system default
      <0 : disabled
    
    Default: 0 (addresses are removed)
    

    max_desync_factor - INTEGER

    Maximum value for DESYNC_FACTOR, which is a random value
    that ensures that clients don't synchronize with each
    other and generate new addresses at exactly the same time.
    value is in seconds.
    Default: 600
    

    regen_max_retry - INTEGER

    Number of attempts before give up attempting to generate
    valid temporary addresses.
    Default: 5
    

    max_addresses - INTEGER

    Maximum number of autoconfigured addresses per interface.  Setting
    to zero disables the limitation.  It is not recommended to set this
    value too large (or to zero) because it would be an easy way to
    crash the kernel by allowing too many addresses to be created.
    Default: 16
    

    disable_ipv6 - BOOLEAN

    Disable IPv6 operation.  If accept_dad is set to 2, this value
    will be dynamically set to TRUE if DAD fails for the link-local
    address.
    Default: FALSE (enable IPv6 operation)
    
    When this value is changed from 1 to 0 (IPv6 is being enabled),
    it will dynamically create a link-local address on the given
    interface and start Duplicate Address Detection, if necessary.
    
    When this value is changed from 0 to 1 (IPv6 is being disabled),
    it will dynamically delete all address on the given interface.
    

    accept_dad - INTEGER

    Whether to accept DAD (Duplicate Address Detection).
    0: Disable DAD
    1: Enable DAD (default)
    2: Enable DAD, and disable IPv6 operation if MAC-based duplicate
       link-local address has been found.
    
    DAD operation and mode on a given interface will be selected according
    to the maximum value of conf/{all,interface}/accept_dad.
    

    force_tllao - BOOLEAN

    Enable sending the target link-layer address option even when
    responding to a unicast neighbor solicitation.
    Default: FALSE
    
    Quoting from RFC 2461, section 4.4, Target link-layer address:
    
    "The option MUST be included for multicast solicitations in order to
    avoid infinite Neighbor Solicitation "recursion" when the peer node
    does not have a cache entry to return a Neighbor Advertisements
    message.  When responding to unicast solicitations, the option can be
    omitted since the sender of the solicitation has the correct link-
    layer address; otherwise it would not have be able to send the unicast
    solicitation in the first place. However, including the link-layer
    address in this case adds little overhead and eliminates a potential
    race condition where the sender deletes the cached link-layer address
    prior to receiving a response to a previous solicitation."
    

    ndisc_notify - BOOLEAN

    Define mode for notification of address and device changes.
    0 - (default): do nothing
    1 - Generate unsolicited neighbour advertisements when device is brought
        up or hardware address changes.
    

    ndisc_tclass - INTEGER

    The IPv6 Traffic Class to use by default when sending IPv6 Neighbor
    Discovery (Router Solicitation, Router Advertisement, Neighbor
    Solicitation, Neighbor Advertisement, Redirect) messages.
    These 8 bits can be interpreted as 6 high order bits holding the DSCP
    value and 2 low order bits representing ECN (which you probably want
    to leave cleared).
    0 - (default)
    

    mldv1_unsolicited_report_interval - INTEGER

    The interval in milliseconds in which the next unsolicited
    MLDv1 report retransmit will take place.
    Default: 10000 (10 seconds)
    

    mldv2_unsolicited_report_interval - INTEGER

    The interval in milliseconds in which the next unsolicited
    MLDv2 report retransmit will take place.
    Default: 1000 (1 second)
    

    force_mld_version - INTEGER

    0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed
    1 - Enforce to use MLD version 1
    2 - Enforce to use MLD version 2
    

    suppress_frag_ndisc - INTEGER

    Control RFC 6980 (Security Implications of IPv6 Fragmentation
    with IPv6 Neighbor Discovery) behavior:
    1 - (default) discard fragmented neighbor discovery packets
    0 - allow fragmented neighbor discovery packets
    

    optimistic_dad - BOOLEAN

    Whether to perform Optimistic Duplicate Address Detection (RFC 4429).
    0: disabled (default)
    1: enabled
    
    Optimistic Duplicate Address Detection for the interface will be enabled
    if at least one of conf/{all,interface}/optimistic_dad is set to 1,
    it will be disabled otherwise.
    

    use_optimistic - BOOLEAN

    If enabled, do not classify optimistic addresses as deprecated during
    source address selection.  Preferred addresses will still be chosen
    before optimistic addresses, subject to other ranking in the source
    address selection algorithm.
    0: disabled (default)
    1: enabled
    
    This will be enabled if at least one of
    conf/{all,interface}/use_optimistic is set to 1, disabled otherwise.
    

    stable_secret - IPv6 address

    This IPv6 address will be used as a secret to generate IPv6
    addresses for link-local addresses and autoconfigured
    ones. All addresses generated after setting this secret will
    be stable privacy ones by default. This can be changed via the
    addrgenmode ip-link. conf/default/stable_secret is used as the
    secret for the namespace, the interface specific ones can
    overwrite that. Writes to conf/all/stable_secret are refused.
    
    It is recommended to generate this secret during installation
    of a system and keep it stable after that.
    
    By default the stable secret is unset.
    

    drop_unicast_in_l2_multicast - BOOLEAN

    Drop any unicast IPv6 packets that are received in link-layer
    multicast (or broadcast) frames.
    
    By default this is turned off.
    

    drop_unsolicited_na - BOOLEAN

    Drop all unsolicited neighbor advertisements, for example if there's
    a known good NA proxy on the network and such frames need not be used
    (or in the case of 802.11, must not be used to prevent attacks.)
    
    By default this is turned off.
    

    enhanced_dad - BOOLEAN

    Include a nonce option in the IPv6 neighbor solicitation messages used for
    duplicate address detection per RFC7527. A received DAD NS will only signal
    a duplicate address if the nonce is different. This avoids any false
    detection of duplicates due to loopback of the NS messages that we send.
    The nonce option will be sent on an interface unless both of
    conf/{all,interface}/enhanced_dad are set to FALSE.
    Default: TRUE
    

    icmp/*:
    ratelimit - INTEGER

    Limit the maximal rates for sending ICMPv6 packets.
    0 to disable any limiting,
    otherwise the minimal space between responses in milliseconds.
    Default: 1000
    

    xfrm6_gc_thresh - INTEGER

    The threshold at which we will start garbage collecting for IPv6
    destination cache entries.  At twice this value the system will
    refuse new allocations.
    

    IPv6 Update by:
    Pekka Savola pekkas@netcore.fi
    YOSHIFUJI Hideaki / USAGI Project yoshfuji@linux-ipv6.org

    /proc/sys/net/bridge/* Variables:

    bridge-nf-call-arptables - BOOLEAN

    1 : pass bridged ARP traffic to arptables' FORWARD chain.
    0 : disable this.
    Default: 1
    

    bridge-nf-call-iptables - BOOLEAN

    1 : pass bridged IPv4 traffic to iptables' chains.
    0 : disable this.
    Default: 1
    

    bridge-nf-call-ip6tables - BOOLEAN

    1 : pass bridged IPv6 traffic to ip6tables' chains.
    0 : disable this.
    Default: 1
    

    bridge-nf-filter-vlan-tagged - BOOLEAN

    1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
    0 : disable this.
    Default: 0
    

    bridge-nf-filter-pppoe-tagged - BOOLEAN

    1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
    0 : disable this.
    Default: 0
    

    bridge-nf-pass-vlan-input-dev - BOOLEAN

    1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
    interface on the bridge and set the netfilter input device to the vlan.
    This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT
    target work with vlan-on-top-of-bridge interfaces.  When no matching
    vlan interface is found, or this switch is off, the input device is
    set to the bridge interface.
    0: disable bridge netfilter vlan interface lookup.
    Default: 0
    

    proc/sys/net/sctp/* Variables:

    addip_enable - BOOLEAN

    Enable or disable extension of  Dynamic Address Reconfiguration
    (ADD-IP) functionality specified in RFC5061.  This extension provides
    the ability to dynamically add and remove new addresses for the SCTP
    associations.
    
    1: Enable extension.
    
    0: Disable extension.
    
    Default: 0
    

    pf_enable - INTEGER

    Enable or disable pf (pf is short for potentially failed) state. A value
    of pf_retrans > path_max_retrans also disables pf state. That is, one of
    both pf_enable and pf_retrans > path_max_retrans can disable pf state.
    Since pf_retrans and path_max_retrans can be changed by userspace
    application, sometimes user expects to disable pf state by the value of
    pf_retrans > path_max_retrans, but occasionally the value of pf_retrans
    or path_max_retrans is changed by the user application, this pf state is
    enabled. As such, it is necessary to add this to dynamically enable
    and disable pf state. See:
    https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for
    details.
    
    1: Enable pf.
    
    0: Disable pf.
    
    Default: 1
    

    addip_noauth_enable - BOOLEAN

    Dynamic Address Reconfiguration (ADD-IP) requires the use of
    authentication to protect the operations of adding or removing new
    addresses.  This requirement is mandated so that unauthorized hosts
    would not be able to hijack associations.  However, older
    implementations may not have implemented this requirement while
    allowing the ADD-IP extension.  For reasons of interoperability,
    we provide this variable to control the enforcement of the
    authentication requirement.
    
    1: Allow ADD-IP extension to be used without authentication.  This
       should only be set in a closed environment for interoperability
       with older implementations.
    
    0: Enforce the authentication requirement
    
    Default: 0
    

    auth_enable - BOOLEAN

    Enable or disable Authenticated Chunks extension.  This extension
    provides the ability to send and receive authenticated chunks and is
    required for secure operation of Dynamic Address Reconfiguration
    (ADD-IP) extension.
    
    1: Enable this extension.
    0: Disable this extension.
    
    Default: 0
    

    prsctp_enable - BOOLEAN

    Enable or disable the Partial Reliability extension (RFC3758) which
    is used to notify peers that a given DATA should no longer be expected.
    
    1: Enable extension
    0: Disable
    
    Default: 1
    

    max_burst - INTEGER

    The limit of the number of new packets that can be initially sent.  It
    controls how bursty the generated traffic can be.
    
    Default: 4
    

    association_max_retrans - INTEGER

    Set the maximum number for retransmissions that an association can
    attempt deciding that the remote end is unreachable.  If this value
    is exceeded, the association is terminated.
    
    Default: 10
    

    max_init_retransmits - INTEGER

    The maximum number of retransmissions of INIT and COOKIE-ECHO chunks
    that an association will attempt before declaring the destination
    unreachable and terminating.
    
    Default: 8
    

    path_max_retrans - INTEGER

    The maximum number of retransmissions that will be attempted on a given
    path.  Once this threshold is exceeded, the path is considered
    unreachable, and new traffic will use a different path when the
    association is multihomed.
    
    Default: 5
    

    pf_retrans - INTEGER

    The number of retransmissions that will be attempted on a given path
    before traffic is redirected to an alternate transport (should one
    exist).  Note this is distinct from path_max_retrans, as a path that
    passes the pf_retrans threshold can still be used.  Its only
    deprioritized when a transmission path is selected by the stack.  This
    setting is primarily used to enable fast failover mechanisms without
    having to reduce path_max_retrans to a very low value.  See:
    http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt
    for details.  Note also that a value of pf_retrans > path_max_retrans
    disables this feature. Since both pf_retrans and path_max_retrans can
    be changed by userspace application, a variable pf_enable is used to
    disable pf state.
    
    Default: 0
    

    rto_initial - INTEGER

    The initial round trip timeout value in milliseconds that will be used
    in calculating round trip times.  This is the initial time interval
    for retransmissions.
    
    Default: 3000
    

    rto_max - INTEGER

    The maximum value (in milliseconds) of the round trip timeout.  This
    is the largest time interval that can elapse between retransmissions.
    
    Default: 60000
    

    rto_min - INTEGER

    The minimum value (in milliseconds) of the round trip timeout.  This
    is the smallest time interval the can elapse between retransmissions.
    
    Default: 1000
    

    hb_interval - INTEGER

    The interval (in milliseconds) between HEARTBEAT chunks.  These chunks
    are sent at the specified interval on idle paths to probe the state of
    a given path between 2 associations.
    
    Default: 30000
    

    sack_timeout - INTEGER

    The amount of time (in milliseconds) that the implementation will wait
    to send a SACK.
    
    Default: 200
    

    valid_cookie_life - INTEGER

    The default lifetime of the SCTP cookie (in milliseconds).  The cookie
    is used during association establishment.
    
    Default: 60000
    

    cookie_preserve_enable - BOOLEAN

    Enable or disable the ability to extend the lifetime of the SCTP cookie
    that is used during the establishment phase of SCTP association
    
    1: Enable cookie lifetime extension.
    0: Disable
    
    Default: 1
    

    cookie_hmac_alg - STRING

    Select the hmac algorithm used when generating the cookie value sent by
    a listening sctp socket to a connecting client in the INIT-ACK chunk.
    Valid values are:
    * md5
    * sha1
    * none
    Ability to assign md5 or sha1 as the selected alg is predicated on the
    configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and
    CONFIG_CRYPTO_SHA1).
    
    Default: Dependent on configuration.  MD5 if available, else SHA1 if
    available, else none.
    

    rcvbuf_policy - INTEGER

    Determines if the receive buffer is attributed to the socket or to
    association.   SCTP supports the capability to create multiple
    associations on a single socket.  When using this capability, it is
    possible that a single stalled association that's buffering a lot
    of data may block other associations from delivering their data by
    consuming all of the receive buffer space.  To work around this,
    the rcvbuf_policy could be set to attribute the receiver buffer space
    to each association instead of the socket.  This prevents the described
    blocking.
    
    1: rcvbuf space is per association
    0: rcvbuf space is per socket
    
    Default: 0
    

    sndbuf_policy - INTEGER

    Similar to rcvbuf_policy above, this applies to send buffer space.
    
    1: Send buffer is tracked per association
    0: Send buffer is tracked per socket.
    
    Default: 0
    

    sctp_mem - vector of 3 INTEGERs: min, pressure, max

    Number of pages allowed for queueing by all SCTP sockets.
    
    min: Below this number of pages SCTP is not bothered about its
    memory appetite. When amount of memory allocated by SCTP exceeds
    this number, SCTP starts to moderate memory usage.
    
    pressure: This value was introduced to follow format of tcp_mem.
    
    max: Number of pages allowed for queueing by all SCTP sockets.
    
    Default is calculated at boot time from amount of available memory.
    

    sctp_rmem - vector of 3 INTEGERs: min, default, max

    Only the first value ("min") is used, "default" and "max" are
    ignored.
    
    min: Minimal size of receive buffer used by SCTP socket.
    It is guaranteed to each SCTP socket (but not association) even
    under moderate memory pressure.
    
    Default: 1 page
    

    sctp_wmem - vector of 3 INTEGERs: min, default, max
    Currently this tunable has no effect.

    addr_scope_policy - INTEGER

    Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00
    
    0   - Disable IPv4 address scoping
    1   - Enable IPv4 address scoping
    2   - Follow draft but allow IPv4 private addresses
    3   - Follow draft but allow IPv4 link local addresses
    
    Default: 1
    

    /proc/sys/net/core/*
    Please see: Documentation/sysctl/net.txt for descriptions of these entries.

    /proc/sys/net/unix/*
    max_dgram_qlen - INTEGER

    The maximum length of dgram socket receive queue
    
    Default: 10
    

    UNDOCUMENTED:

    /proc/sys/net/irda/*

    fast_poll_increase FIXME
    warn_noreply_time FIXME
    discovery_slots FIXME
    slot_timeout FIXME
    max_baud_rate FIXME
    discovery_timeout FIXME
    lap_keepalive_time FIXME
    max_noreply_time FIXME
    max_tx_data_size FIXME
    max_tx_window FIXME
    min_tx_turn_time FIXME

    相关文章

      网友评论

          本文标题:/proc/sys/net/ipv4/* Variables:

          本文链接:https://www.haomeiwen.com/subject/gqmibxtx.html