Linux 2.4 Advanced Routing HOWTO: Kernel network parameters

12. Kernel network parameters

The kernel has lots of parameters which can be tuned for different circumstances. While, as usual, the default parameters serve 99% of installations very well, we don't call this the Advanced HOWTO for the fun of it!

The interesting bits are in /proc/sys/net, take a look there. Not everything will be documented here initially, but we're working on it.

12.1 Reverse Path Filtering

By default, routers route everything, even packets which 'obviously' don't belong on your network. A common example is private IP space escaping onto the internet. If you have an interface with a route of 195.96.96.0/24 to it, you do not expect packets from 212.64.94.1 to arrive there.

Lots of people will want to turn this feature off, so the kernel hackers have made it easy. There are files in /proc where you can tell the kernel to do this for you. The method is called "Reverse Path Filtering". Basically, if the reply to this packet wouldn't go out the interface this packet came in, then this is a bogus packet and should be ignored.

The following fragment will turn this on for all current and future interfaces.


# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
>  echo 2 > $i 
> done

Going by the example above, if a packet arrived on the Linux router on eth1 claiming to come from the Office+ISP subnet, it would be dropped. Similarly, if a packet came from the Office subnet, claiming to be from somewhere outside your firewall, it would be dropped also.

The above is full reverse path filtering. The default is to only filter based on IPs that are on directly connected networks. This is because the full filtering breaks in the case of asymmetric routing (where packets come in one way and go out another, like satellite traffic, or if you have dynamic (bgp, ospf, rip) routes in your network. The data comes down through the satellite dish and replies go back through normal land-lines).

If this exception applies to you (and you'll probably know if it does) you can simply turn off the rp_filter on the interface where the satellite data comes in. If you want to see if any packets are being dropped, the log_martians file in the same directory will tell the kernel to log them to your syslog.


# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians

FIXME: is setting the conf/{default,all}/* files enough? - martijn

12.2 Obscure settings

Ok, there are a lot of parameters which can be modified. We try to list them all. Also documented (partly) in Documentation/ip-sysctl.txt.

Some of these settings have different defaults based on wether you answered 'Yes' to 'Configure as router and not host' while compiling your kernel.

Generic ipv4

As a generic note, most rate limiting features don't work on loopback, so don't test them locally.

/proc/sys/net/ipv4/icmp_destunreach_rate

FIXME: fill this in

/proc/sys/net/ipv4/icmp_echo_ignore_all

FIXME: fill this in

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]

If you ping the broadcast address of a network, all hosts are supposed to respond. This makes for a dandy denial-of-service tool. Set this to 1 to ignore these broadcast messages.

/proc/sys/net/ipv4/icmp_echoreply_rate

FIXME: fill this in

/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

FIXME: fill this in

/proc/sys/net/ipv4/icmp_paramprob_rate

FIXME: fill this in

/proc/sys/net/ipv4/icmp_timeexceed_rate

This the famous cause of the 'Solaris middle star' in traceroutes. Limits number of ICMP Time Exceeded messages sent. FIXME: Units of these rates - either I'm stupid, or this just doesn't work

/proc/sys/net/ipv4/igmp_max_memberships

FIXME: fill this in

/proc/sys/net/ipv4/inet_peer_gc_maxtime

FIXME: fill this in

/proc/sys/net/ipv4/inet_peer_gc_mintime

FIXME: fill this in

/proc/sys/net/ipv4/inet_peer_maxttl

FIXME: fill this in

/proc/sys/net/ipv4/inet_peer_minttl

FIXME: fill this in

/proc/sys/net/ipv4/inet_peer_threshold

FIXME: fill this in

/proc/sys/net/ipv4/ip_autoconfig

FIXME: fill this in

/proc/sys/net/ipv4/ip_default_ttl

Time To Live of packets. Set to a safe 64. Raise it if you have a huge network. Don't do so for fun - routing loops cause much more damage that way. You might even consider lowering it in some circumstances.

/proc/sys/net/ipv4/ip_dynaddr

You need to set this if you use dial-on-demand with a dynamic interface address. Once your demand interface comes up, any queued packets will be rebranded to have the right address. This solves the problem that the connection that brings up your interface itself does not work, but the second try does.

/proc/sys/net/ipv4/ip_forward

If the kernel should attempt to forward packets. Off by default for hosts, on by default when configured as a router.

/proc/sys/net/ipv4/ip_local_port_range

Range of local ports for outgoing connections. Actually quite small by default, 1024 to 4999.

/proc/sys/net/ipv4/ip_no_pmtu_disc

Set this if you want to disable Path MTU discovery - a technique to determince the largest Maximum Transfer Unit possible on you path.

/proc/sys/net/ipv4/ipfrag_high_thresh

FIXME: fill this in

/proc/sys/net/ipv4/ipfrag_low_thresh

FIXME: fill this in

/proc/sys/net/ipv4/ipfrag_time

FIXME: fill this in

/proc/sys/net/ipv4/tcp_abort_on_overflow

FIXME: fill this in

/proc/sys/net/ipv4/tcp_fin_timeout

FIXME: fill this in

/proc/sys/net/ipv4/tcp_keepalive_intvl

FIXME: fill this in

/proc/sys/net/ipv4/tcp_keepalive_probes

FIXME: fill this in

/proc/sys/net/ipv4/tcp_keepalive_time

FIXME: fill this in

/proc/sys/net/ipv4/tcp_max_orphans

FIXME: fill this in

/proc/sys/net/ipv4/tcp_max_syn_backlog

FIXME: fill this in

/proc/sys/net/ipv4/tcp_max_tw_buckets

FIXME: fill this in

/proc/sys/net/ipv4/tcp_orphan_retries

FIXME: fill this in

/proc/sys/net/ipv4/tcp_retrans_collapse

FIXME: fill this in

/proc/sys/net/ipv4/tcp_retries1

FIXME: fill this in

/proc/sys/net/ipv4/tcp_retries2

FIXME: fill this in

/proc/sys/net/ipv4/tcp_rfc1337

FIXME: fill this in

/proc/sys/net/ipv4/tcp_sack

Use Selective ACK which can be used to signify that only a single packet is missing - therefore helping fast recovery.

/proc/sys/net/ipv4/tcp_stdurg

FIXME: fill this in

/proc/sys/net/ipv4/tcp_syn_retries

FIXME: fill this in

/proc/sys/net/ipv4/tcp_synack_retries

FIXME: fill this in

/proc/sys/net/ipv4/tcp_timestamps

FIXME: fill this in

/proc/sys/net/ipv4/tcp_tw_recycle

FIXME: fill this in

/proc/sys/net/ipv4/tcp_window_scaling

TCP/IP normally allows windows up to 65535 bytes big. For really fast networks, this may not be enough. The window scaling options allows for almost gigabyte windows, which is good for high bandwidth*delay products.

Per device settings

DEV can either stand for a real interface, or for 'all' or 'default'. Default also changes settings for interfaces yet to be created.

/proc/sys/net/ipv4/conf/DEV/accept_redirects

If a router decides that you are using it for a wrong purpose (ie, it needs to resend your packet on the same interface), it will send us a ICMP Redirect. This is a slight security risk however, so you may want to turn it off, or use secure redirects.

/proc/sys/net/ipv4/conf/DEV/accept_source_route

Not used very much anymore. You used to be able to give a packet a list of IP addresses it should visit on its way. Linux can be made to honor this IP option.

/proc/sys/net/ipv4/conf/DEV/bootp_relay

FIXME: fill this in

/proc/sys/net/ipv4/conf/DEV/forwarding

FIXME:

/proc/sys/net/ipv4/conf/DEV/log_martians

See the section on reverse path filters.

/proc/sys/net/ipv4/conf/DEV/mc_forwarding

If we do multicast forwarding on this interface

/proc/sys/net/ipv4/conf/DEV/proxy_arp

FIXME: fill this in

/proc/sys/net/ipv4/conf/DEV/rp_filter

See the section on reverse path filters.

/proc/sys/net/ipv4/conf/DEV/secure_redirects

FIXME: fill this in

/proc/sys/net/ipv4/conf/DEV/send_redirects

If we send the above mentioned redirects.

/proc/sys/net/ipv4/conf/DEV/shared_media

FIXME: fill this in

/proc/sys/net/ipv4/conf/DEV/tag

FIXME: fill this in

Neighbor pollicy

Dev can either stand for a real interface, or for 'all' or 'default'. Default also changes settings for interfaces yet to be created.

/proc/sys/net/ipv4/neigh/DEV/anycast_delay

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/app_solicit

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/base_reachable_time

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/gc_stale_time

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/locktime

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/mcast_solicit

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/proxy_delay

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/proxy_qlen

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/retrans_time

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/ucast_solicit

FIXME: fill this in

/proc/sys/net/ipv4/neigh/DEV/unres_qlen

FIXME: fill this in

Routing settings

/proc/sys/net/ipv4/route/error_burst: FIXME: fill this in
/proc/sys/net/ipv4/route/error_cost: FIXME: fill this in
/proc/sys/net/ipv4/route/flush: FIXME: fill this in
/proc/sys/net/ipv4/route/gc_elasticity: FIXME: fill this in
/proc/sys/net/ipv4/route/gc_interval: FIXME: fill this in
/proc/sys/net/ipv4/route/gc_min_interval: FIXME: fill this in
/proc/sys/net/ipv4/route/gc_thresh: FIXME: fill this in
/proc/sys/net/ipv4/route/gc_timeout: FIXME: fill this in
/proc/sys/net/ipv4/route/max_delay: FIXME: fill this in
/proc/sys/net/ipv4/route/max_size: FIXME: fill this in
/proc/sys/net/ipv4/route/min_adv_mss: FIXME: fill this in
/proc/sys/net/ipv4/route/min_delay: FIXME: fill this in
/proc/sys/net/ipv4/route/min_pmtu: FIXME: fill this in
/proc/sys/net/ipv4/route/mtu_expires: FIXME: fill this in
/proc/sys/net/ipv4/route/redirect_load: FIXME: fill this in
/proc/sys/net/ipv4/route/redirect_number: FIXME: fill this in
/proc/sys/net/ipv4/route/redirect_silence: FIXME: fill this in

Next Previous Contents