1.. SPDX-License-Identifier: GPL-2.0
2
3=========
4IP Sysctl
5=========
6
7/proc/sys/net/ipv4/* Variables
8==============================
9
10ip_forward - BOOLEAN
11	- 0 - disabled (default)
12	- not 0 - enabled
13
14	Forward Packets between interfaces.
15
16	This variable is special, its change resets all configuration
17	parameters to their default state (RFC1122 for hosts, RFC1812
18	for routers)
19
20ip_default_ttl - INTEGER
21	Default value of TTL field (Time To Live) for outgoing (but not
22	forwarded) IP packets. Should be between 1 and 255 inclusive.
23	Default: 64 (as recommended by RFC1700)
24
25ip_no_pmtu_disc - INTEGER
26	Disable Path MTU Discovery. If enabled in mode 1 and a
27	fragmentation-required ICMP is received, the PMTU to this
28	destination will be set to min_pmtu (see below). You will need
29	to raise min_pmtu to the smallest interface MTU on your system
30	manually if you want to avoid locally generated fragments.
31
32	In mode 2 incoming Path MTU Discovery messages will be
33	discarded. Outgoing frames are handled the same as in mode 1,
34	implicitly setting IP_PMTUDISC_DONT on every created socket.
35
36	Mode 3 is a hardened pmtu discover mode. The kernel will only
37	accept fragmentation-needed errors if the underlying protocol
38	can verify them besides a plain socket lookup. Current
39	protocols for which pmtu events will be honored are TCP, SCTP
40	and DCCP as they verify e.g. the sequence number or the
41	association. This mode should not be enabled globally but is
42	only intended to secure e.g. name servers in namespaces where
43	TCP path mtu must still work but path MTU information of other
44	protocols should be discarded. If enabled globally this mode
45	could break other protocols.
46
47	Possible values: 0-3
48
49	Default: FALSE
50
51min_pmtu - INTEGER
52	default 552 - minimum discovered Path MTU
53
54ip_forward_use_pmtu - BOOLEAN
55	By default we don't trust protocol path MTUs while forwarding
56	because they could be easily forged and can lead to unwanted
57	fragmentation by the router.
58	You only need to enable this if you have user-space software
59	which tries to discover path mtus by itself and depends on the
60	kernel honoring this information. This is normally not the
61	case.
62
63	Default: 0 (disabled)
64
65	Possible values:
66
67	- 0 - disabled
68	- 1 - enabled
69
70fwmark_reflect - BOOLEAN
71	Controls the fwmark of kernel-generated IPv4 reply packets that are not
72	associated with a socket for example, TCP RSTs or ICMP echo replies).
73	If unset, these packets have a fwmark of zero. If set, they have the
74	fwmark of the packet they are replying to.
75
76	Default: 0
77
78fib_multipath_use_neigh - BOOLEAN
79	Use status of existing neighbor entry when determining nexthop for
80	multipath routes. If disabled, neighbor information is not used and
81	packets could be directed to a failed nexthop. Only valid for kernels
82	built with CONFIG_IP_ROUTE_MULTIPATH enabled.
83
84	Default: 0 (disabled)
85
86	Possible values:
87
88	- 0 - disabled
89	- 1 - enabled
90
91fib_multipath_hash_policy - INTEGER
92	Controls which hash policy to use for multipath routes. Only valid
93	for kernels built with CONFIG_IP_ROUTE_MULTIPATH enabled.
94
95	Default: 0 (Layer 3)
96
97	Possible values:
98
99	- 0 - Layer 3
100	- 1 - Layer 4
101	- 2 - Layer 3 or inner Layer 3 if present
102
103fib_sync_mem - UNSIGNED INTEGER
104	Amount of dirty memory from fib entries that can be backlogged before
105	synchronize_rcu is forced.
106
107	Default: 512kB   Minimum: 64kB   Maximum: 64MB
108
109ip_forward_update_priority - INTEGER
110	Whether to update SKB priority from "TOS" field in IPv4 header after it
111	is forwarded. The new SKB priority is mapped from TOS field value
112	according to an rt_tos2priority table (see e.g. man tc-prio).
113
114	Default: 1 (Update priority.)
115
116	Possible values:
117
118	- 0 - Do not update priority.
119	- 1 - Update priority.
120
121route/max_size - INTEGER
122	Maximum number of routes allowed in the kernel.  Increase
123	this when using large numbers of interfaces and/or routes.
124
125	From linux kernel 3.6 onwards, this is deprecated for ipv4
126	as route cache is no longer used.
127
128neigh/default/gc_thresh1 - INTEGER
129	Minimum number of entries to keep.  Garbage collector will not
130	purge entries if there are fewer than this number.
131
132	Default: 128
133
134neigh/default/gc_thresh2 - INTEGER
135	Threshold when garbage collector becomes more aggressive about
136	purging entries. Entries older than 5 seconds will be cleared
137	when over this number.
138
139	Default: 512
140
141neigh/default/gc_thresh3 - INTEGER
142	Maximum number of non-PERMANENT neighbor entries allowed.  Increase
143	this when using large numbers of interfaces and when communicating
144	with large numbers of directly-connected peers.
145
146	Default: 1024
147
148neigh/default/unres_qlen_bytes - INTEGER
149	The maximum number of bytes which may be used by packets
150	queued for each	unresolved address by other network layers.
151	(added in linux 3.3)
152
153	Setting negative value is meaningless and will return error.
154
155	Default: SK_WMEM_MAX, (same as net.core.wmem_default).
156
157		Exact value depends on architecture and kernel options,
158		but should be enough to allow queuing 256 packets
159		of medium size.
160
161neigh/default/unres_qlen - INTEGER
162	The maximum number of packets which may be queued for each
163	unresolved address by other network layers.
164
165	(deprecated in linux 3.3) : use unres_qlen_bytes instead.
166
167	Prior to linux 3.3, the default value is 3 which may cause
168	unexpected packet loss. The current default value is calculated
169	according to default value of unres_qlen_bytes and true size of
170	packet.
171
172	Default: 101
173
174mtu_expires - INTEGER
175	Time, in seconds, that cached PMTU information is kept.
176
177min_adv_mss - INTEGER
178	The advertised MSS depends on the first hop route MTU, but will
179	never be lower than this setting.
180
181IP Fragmentation:
182
183ipfrag_high_thresh - LONG INTEGER
184	Maximum memory used to reassemble IP fragments.
185
186ipfrag_low_thresh - LONG INTEGER
187	(Obsolete since linux-4.17)
188	Maximum memory used to reassemble IP fragments before the kernel
189	begins to remove incomplete fragment queues to free up resources.
190	The kernel still accepts new fragments for defragmentation.
191
192ipfrag_time - INTEGER
193	Time in seconds to keep an IP fragment in memory.
194
195ipfrag_max_dist - INTEGER
196	ipfrag_max_dist is a non-negative integer value which defines the
197	maximum "disorder" which is allowed among fragments which share a
198	common IP source address. Note that reordering of packets is
199	not unusual, but if a large number of fragments arrive from a source
200	IP address while a particular fragment queue remains incomplete, it
201	probably indicates that one or more fragments belonging to that queue
202	have been lost. When ipfrag_max_dist is positive, an additional check
203	is done on fragments before they are added to a reassembly queue - if
204	ipfrag_max_dist (or more) fragments have arrived from a particular IP
205	address between additions to any IP fragment queue using that source
206	address, it's presumed that one or more fragments in the queue are
207	lost. The existing fragment queue will be dropped, and a new one
208	started. An ipfrag_max_dist value of zero disables this check.
209
210	Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
211	result in unnecessarily dropping fragment queues when normal
212	reordering of packets occurs, which could lead to poor application
213	performance. Using a very large value, e.g. 50000, increases the
214	likelihood of incorrectly reassembling IP fragments that originate
215	from different IP datagrams, which could result in data corruption.
216	Default: 64
217
218INET peer storage
219=================
220
221inet_peer_threshold - INTEGER
222	The approximate size of the storage.  Starting from this threshold
223	entries will be thrown aggressively.  This threshold also determines
224	entries' time-to-live and time intervals between garbage collection
225	passes.  More entries, less time-to-live, less GC interval.
226
227inet_peer_minttl - INTEGER
228	Minimum time-to-live of entries.  Should be enough to cover fragment
229	time-to-live on the reassembling side.  This minimum time-to-live  is
230	guaranteed if the pool size is less than inet_peer_threshold.
231	Measured in seconds.
232
233inet_peer_maxttl - INTEGER
234	Maximum time-to-live of entries.  Unused entries will expire after
235	this period of time if there is no memory pressure on the pool (i.e.
236	when the number of entries in the pool is very small).
237	Measured in seconds.
238
239TCP variables
240=============
241
242somaxconn - INTEGER
243	Limit of socket listen() backlog, known in userspace as SOMAXCONN.
244	Defaults to 4096. (Was 128 before linux-5.4)
245	See also tcp_max_syn_backlog for additional tuning for TCP sockets.
246
247tcp_abort_on_overflow - BOOLEAN
248	If listening service is too slow to accept new connections,
249	reset them. Default state is FALSE. It means that if overflow
250	occurred due to a burst, connection will recover. Enable this
251	option _only_ if you are really sure that listening daemon
252	cannot be tuned to accept connections faster. Enabling this
253	option can harm clients of your server.
254
255tcp_adv_win_scale - INTEGER
256	Count buffering overhead as bytes/2^tcp_adv_win_scale
257	(if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
258	if it is <= 0.
259
260	Possible values are [-31, 31], inclusive.
261
262	Default: 1
263
264tcp_allowed_congestion_control - STRING
265	Show/set the congestion control choices available to non-privileged
266	processes. The list is a subset of those listed in
267	tcp_available_congestion_control.
268
269	Default is "reno" and the default setting (tcp_congestion_control).
270
271tcp_app_win - INTEGER
272	Reserve max(window/2^tcp_app_win, mss) of window for application
273	buffer. Value 0 is special, it means that nothing is reserved.
274
275	Default: 31
276
277tcp_autocorking - BOOLEAN
278	Enable TCP auto corking :
279	When applications do consecutive small write()/sendmsg() system calls,
280	we try to coalesce these small writes as much as possible, to lower
281	total amount of sent packets. This is done if at least one prior
282	packet for the flow is waiting in Qdisc queues or device transmit
283	queue. Applications can still use TCP_CORK for optimal behavior
284	when they know how/when to uncork their sockets.
285
286	Default : 1
287
288tcp_available_congestion_control - STRING
289	Shows the available congestion control choices that are registered.
290	More congestion control algorithms may be available as modules,
291	but not loaded.
292
293tcp_base_mss - INTEGER
294	The initial value of search_low to be used by the packetization layer
295	Path MTU discovery (MTU probing).  If MTU probing is enabled,
296	this is the initial MSS used by the connection.
297
298tcp_mtu_probe_floor - INTEGER
299	If MTU probing is enabled this caps the minimum MSS used for search_low
300	for the connection.
301
302	Default : 48
303
304tcp_min_snd_mss - INTEGER
305	TCP SYN and SYNACK messages usually advertise an ADVMSS option,
306	as described in RFC 1122 and RFC 6691.
307
308	If this ADVMSS option is smaller than tcp_min_snd_mss,
309	it is silently capped to tcp_min_snd_mss.
310
311	Default : 48 (at least 8 bytes of payload per segment)
312
313tcp_congestion_control - STRING
314	Set the congestion control algorithm to be used for new
315	connections. The algorithm "reno" is always available, but
316	additional choices may be available based on kernel configuration.
317	Default is set as part of kernel configuration.
318	For passive connections, the listener congestion control choice
319	is inherited.
320
321	[see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ]
322
323tcp_dsack - BOOLEAN
324	Allows TCP to send "duplicate" SACKs.
325
326tcp_early_retrans - INTEGER
327	Tail loss probe (TLP) converts RTOs occurring due to tail
328	losses into fast recovery (draft-ietf-tcpm-rack). Note that
329	TLP requires RACK to function properly (see tcp_recovery below)
330
331	Possible values:
332
333		- 0 disables TLP
334		- 3 or 4 enables TLP
335
336	Default: 3
337
338tcp_ecn - INTEGER
339	Control use of Explicit Congestion Notification (ECN) by TCP.
340	ECN is used only when both ends of the TCP connection indicate
341	support for it.  This feature is useful in avoiding losses due
342	to congestion by allowing supporting routers to signal
343	congestion before having to drop packets.
344
345	Possible values are:
346
347		=  =====================================================
348		0  Disable ECN.  Neither initiate nor accept ECN.
349		1  Enable ECN when requested by incoming connections and
350		   also request ECN on outgoing connection attempts.
351		2  Enable ECN when requested by incoming connections
352		   but do not request ECN on outgoing connections.
353		=  =====================================================
354
355	Default: 2
356
357tcp_ecn_fallback - BOOLEAN
358	If the kernel detects that ECN connection misbehaves, enable fall
359	back to non-ECN. Currently, this knob implements the fallback
360	from RFC3168, section 6.1.1.1., but we reserve that in future,
361	additional detection mechanisms could be implemented under this
362	knob. The value	is not used, if tcp_ecn or per route (or congestion
363	control) ECN settings are disabled.
364
365	Default: 1 (fallback enabled)
366
367tcp_fack - BOOLEAN
368	This is a legacy option, it has no effect anymore.
369
370tcp_fin_timeout - INTEGER
371	The length of time an orphaned (no longer referenced by any
372	application) connection will remain in the FIN_WAIT_2 state
373	before it is aborted at the local end.  While a perfectly
374	valid "receive only" state for an un-orphaned connection, an
375	orphaned connection in FIN_WAIT_2 state could otherwise wait
376	forever for the remote to close its end of the connection.
377
378	Cf. tcp_max_orphans
379
380	Default: 60 seconds
381
382tcp_frto - INTEGER
383	Enables Forward RTO-Recovery (F-RTO) defined in RFC5682.
384	F-RTO is an enhanced recovery algorithm for TCP retransmission
385	timeouts.  It is particularly beneficial in networks where the
386	RTT fluctuates (e.g., wireless). F-RTO is sender-side only
387	modification. It does not require any support from the peer.
388
389	By default it's enabled with a non-zero value. 0 disables F-RTO.
390
391tcp_fwmark_accept - BOOLEAN
392	If set, incoming connections to listening sockets that do not have a
393	socket mark will set the mark of the accepting socket to the fwmark of
394	the incoming SYN packet. This will cause all packets on that connection
395	(starting from the first SYNACK) to be sent with that fwmark. The
396	listening socket's mark is unchanged. Listening sockets that already
397	have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are
398	unaffected.
399
400	Default: 0
401
402tcp_invalid_ratelimit - INTEGER
403	Limit the maximal rate for sending duplicate acknowledgments
404	in response to incoming TCP packets that are for an existing
405	connection but that are invalid due to any of these reasons:
406
407	  (a) out-of-window sequence number,
408	  (b) out-of-window acknowledgment number, or
409	  (c) PAWS (Protection Against Wrapped Sequence numbers) check failure
410
411	This can help mitigate simple "ack loop" DoS attacks, wherein
412	a buggy or malicious middlebox or man-in-the-middle can
413	rewrite TCP header fields in manner that causes each endpoint
414	to think that the other is sending invalid TCP segments, thus
415	causing each side to send an unterminating stream of duplicate
416	acknowledgments for invalid segments.
417
418	Using 0 disables rate-limiting of dupacks in response to
419	invalid segments; otherwise this value specifies the minimal
420	space between sending such dupacks, in milliseconds.
421
422	Default: 500 (milliseconds).
423
424tcp_keepalive_time - INTEGER
425	How often TCP sends out keepalive messages when keepalive is enabled.
426	Default: 2hours.
427
428tcp_keepalive_probes - INTEGER
429	How many keepalive probes TCP sends out, until it decides that the
430	connection is broken. Default value: 9.
431
432tcp_keepalive_intvl - INTEGER
433	How frequently the probes are send out. Multiplied by
434	tcp_keepalive_probes it is time to kill not responding connection,
435	after probes started. Default value: 75sec i.e. connection
436	will be aborted after ~11 minutes of retries.
437
438tcp_l3mdev_accept - BOOLEAN
439	Enables child sockets to inherit the L3 master device index.
440	Enabling this option allows a "global" listen socket to work
441	across L3 master domains (e.g., VRFs) with connected sockets
442	derived from the listen socket to be bound to the L3 domain in
443	which the packets originated. Only valid when the kernel was
444	compiled with CONFIG_NET_L3_MASTER_DEV.
445
446	Default: 0 (disabled)
447
448tcp_low_latency - BOOLEAN
449	This is a legacy option, it has no effect anymore.
450
451tcp_max_orphans - INTEGER
452	Maximal number of TCP sockets not attached to any user file handle,
453	held by system.	If this number is exceeded orphaned connections are
454	reset immediately and warning is printed. This limit exists
455	only to prevent simple DoS attacks, you _must_ not rely on this
456	or lower the limit artificially, but rather increase it
457	(probably, after increasing installed memory),
458	if network conditions require more than default value,
459	and tune network services to linger and kill such states
460	more aggressively. Let me to remind again: each orphan eats
461	up to ~64K of unswappable memory.
462
463tcp_max_syn_backlog - INTEGER
464	Maximal number of remembered connection requests (SYN_RECV),
465	which have not received an acknowledgment from connecting client.
466
467	This is a per-listener limit.
468
469	The minimal value is 128 for low memory machines, and it will
470	increase in proportion to the memory of machine.
471
472	If server suffers from overload, try increasing this number.
473
474	Remember to also check /proc/sys/net/core/somaxconn
475	A SYN_RECV request socket consumes about 304 bytes of memory.
476
477tcp_max_tw_buckets - INTEGER
478	Maximal number of timewait sockets held by system simultaneously.
479	If this number is exceeded time-wait socket is immediately destroyed
480	and warning is printed. This limit exists only to prevent
481	simple DoS attacks, you _must_ not lower the limit artificially,
482	but rather increase it (probably, after increasing installed memory),
483	if network conditions require more than default value.
484
485tcp_mem - vector of 3 INTEGERs: min, pressure, max
486	min: below this number of pages TCP is not bothered about its
487	memory appetite.
488
489	pressure: when amount of memory allocated by TCP exceeds this number
490	of pages, TCP moderates its memory consumption and enters memory
491	pressure mode, which is exited when memory consumption falls
492	under "min".
493
494	max: number of pages allowed for queueing by all TCP sockets.
495
496	Defaults are calculated at boot time from amount of available
497	memory.
498
499tcp_min_rtt_wlen - INTEGER
500	The window length of the windowed min filter to track the minimum RTT.
501	A shorter window lets a flow more quickly pick up new (higher)
502	minimum RTT when it is moved to a longer path (e.g., due to traffic
503	engineering). A longer window makes the filter more resistant to RTT
504	inflations such as transient congestion. The unit is seconds.
505
506	Possible values: 0 - 86400 (1 day)
507
508	Default: 300
509
510tcp_moderate_rcvbuf - BOOLEAN
511	If set, TCP performs receive buffer auto-tuning, attempting to
512	automatically size the buffer (no greater than tcp_rmem[2]) to
513	match the size required by the path for full throughput.  Enabled by
514	default.
515
516tcp_mtu_probing - INTEGER
517	Controls TCP Packetization-Layer Path MTU Discovery.  Takes three
518	values:
519
520	- 0 - Disabled
521	- 1 - Disabled by default, enabled when an ICMP black hole detected
522	- 2 - Always enabled, use initial MSS of tcp_base_mss.
523
524tcp_probe_interval - UNSIGNED INTEGER
525	Controls how often to start TCP Packetization-Layer Path MTU
526	Discovery reprobe. The default is reprobing every 10 minutes as
527	per RFC4821.
528
529tcp_probe_threshold - INTEGER
530	Controls when TCP Packetization-Layer Path MTU Discovery probing
531	will stop in respect to the width of search range in bytes. Default
532	is 8 bytes.
533
534tcp_no_metrics_save - BOOLEAN
535	By default, TCP saves various connection metrics in the route cache
536	when the connection closes, so that connections established in the
537	near future can use these to set initial conditions.  Usually, this
538	increases overall performance, but may sometimes cause performance
539	degradation.  If set, TCP will not cache metrics on closing
540	connections.
541
542tcp_no_ssthresh_metrics_save - BOOLEAN
543	Controls whether TCP saves ssthresh metrics in the route cache.
544
545	Default is 1, which disables ssthresh metrics.
546
547tcp_orphan_retries - INTEGER
548	This value influences the timeout of a locally closed TCP connection,
549	when RTO retransmissions remain unacknowledged.
550	See tcp_retries2 for more details.
551
552	The default value is 8.
553
554	If your machine is a loaded WEB server,
555	you should think about lowering this value, such sockets
556	may consume significant resources. Cf. tcp_max_orphans.
557
558tcp_recovery - INTEGER
559	This value is a bitmap to enable various experimental loss recovery
560	features.
561
562	=========   =============================================================
563	RACK: 0x1   enables the RACK loss detection for fast detection of lost
564		    retransmissions and tail drops. It also subsumes and disables
565		    RFC6675 recovery for SACK connections.
566
567	RACK: 0x2   makes RACK's reordering window static (min_rtt/4).
568
569	RACK: 0x4   disables RACK's DUPACK threshold heuristic
570	=========   =============================================================
571
572	Default: 0x1
573
574tcp_reordering - INTEGER
575	Initial reordering level of packets in a TCP stream.
576	TCP stack can then dynamically adjust flow reordering level
577	between this initial value and tcp_max_reordering
578
579	Default: 3
580
581tcp_max_reordering - INTEGER
582	Maximal reordering level of packets in a TCP stream.
583	300 is a fairly conservative value, but you might increase it
584	if paths are using per packet load balancing (like bonding rr mode)
585
586	Default: 300
587
588tcp_retrans_collapse - BOOLEAN
589	Bug-to-bug compatibility with some broken printers.
590	On retransmit try to send bigger packets to work around bugs in
591	certain TCP stacks.
592
593tcp_retries1 - INTEGER
594	This value influences the time, after which TCP decides, that
595	something is wrong due to unacknowledged RTO retransmissions,
596	and reports this suspicion to the network layer.
597	See tcp_retries2 for more details.
598
599	RFC 1122 recommends at least 3 retransmissions, which is the
600	default.
601
602tcp_retries2 - INTEGER
603	This value influences the timeout of an alive TCP connection,
604	when RTO retransmissions remain unacknowledged.
605	Given a value of N, a hypothetical TCP connection following
606	exponential backoff with an initial RTO of TCP_RTO_MIN would
607	retransmit N times before killing the connection at the (N+1)th RTO.
608
609	The default value of 15 yields a hypothetical timeout of 924.6
610	seconds and is a lower bound for the effective timeout.
611	TCP will effectively time out at the first RTO which exceeds the
612	hypothetical timeout.
613
614	RFC 1122 recommends at least 100 seconds for the timeout,
615	which corresponds to a value of at least 8.
616
617tcp_rfc1337 - BOOLEAN
618	If set, the TCP stack behaves conforming to RFC1337. If unset,
619	we are not conforming to RFC, but prevent TCP TIME_WAIT
620	assassination.
621
622	Default: 0
623
624tcp_rmem - vector of 3 INTEGERs: min, default, max
625	min: Minimal size of receive buffer used by TCP sockets.
626	It is guaranteed to each TCP socket, even under moderate memory
627	pressure.
628
629	Default: 4K
630
631	default: initial size of receive buffer used by TCP sockets.
632	This value overrides net.core.rmem_default used by other protocols.
633	Default: 87380 bytes. This value results in window of 65535 with
634	default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit
635	less for default tcp_app_win. See below about these variables.
636
637	max: maximal size of receive buffer allowed for automatically
638	selected receiver buffers for TCP socket. This value does not override
639	net.core.rmem_max.  Calling setsockopt() with SO_RCVBUF disables
640	automatic tuning of that socket's receive buffer size, in which
641	case this value is ignored.
642	Default: between 87380B and 6MB, depending on RAM size.
643
644tcp_sack - BOOLEAN
645	Enable select acknowledgments (SACKS).
646
647tcp_comp_sack_delay_ns - LONG INTEGER
648	TCP tries to reduce number of SACK sent, using a timer
649	based on 5% of SRTT, capped by this sysctl, in nano seconds.
650	The default is 1ms, based on TSO autosizing period.
651
652	Default : 1,000,000 ns (1 ms)
653
654tcp_comp_sack_slack_ns - LONG INTEGER
655	This sysctl control the slack used when arming the
656	timer used by SACK compression. This gives extra time
657	for small RTT flows, and reduces system overhead by allowing
658	opportunistic reduction of timer interrupts.
659
660	Default : 100,000 ns (100 us)
661
662tcp_comp_sack_nr - INTEGER
663	Max number of SACK that can be compressed.
664	Using 0 disables SACK compression.
665
666	Default : 44
667
668tcp_slow_start_after_idle - BOOLEAN
669	If set, provide RFC2861 behavior and time out the congestion
670	window after an idle period.  An idle period is defined at
671	the current RTO.  If unset, the congestion window will not
672	be timed out after an idle period.
673
674	Default: 1
675
676tcp_stdurg - BOOLEAN
677	Use the Host requirements interpretation of the TCP urgent pointer field.
678	Most hosts use the older BSD interpretation, so if you turn this on
679	Linux might not communicate correctly with them.
680
681	Default: FALSE
682
683tcp_synack_retries - INTEGER
684	Number of times SYNACKs for a passive TCP connection attempt will
685	be retransmitted. Should not be higher than 255. Default value
686	is 5, which corresponds to 31seconds till the last retransmission
687	with the current initial RTO of 1second. With this the final timeout
688	for a passive TCP connection will happen after 63seconds.
689
690tcp_syncookies - INTEGER
691	Only valid when the kernel was compiled with CONFIG_SYN_COOKIES
692	Send out syncookies when the syn backlog queue of a socket
693	overflows. This is to prevent against the common 'SYN flood attack'
694	Default: 1
695
696	Note, that syncookies is fallback facility.
697	It MUST NOT be used to help highly loaded servers to stand
698	against legal connection rate. If you see SYN flood warnings
699	in your logs, but investigation	shows that they occur
700	because of overload with legal connections, you should tune
701	another parameters until this warning disappear.
702	See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
703
704	syncookies seriously violate TCP protocol, do not allow
705	to use TCP extensions, can result in serious degradation
706	of some services (f.e. SMTP relaying), visible not by you,
707	but your clients and relays, contacting you. While you see
708	SYN flood warnings in logs not being really flooded, your server
709	is seriously misconfigured.
710
711	If you want to test which effects syncookies have to your
712	network connections you can set this knob to 2 to enable
713	unconditionally generation of syncookies.
714
715tcp_fastopen - INTEGER
716	Enable TCP Fast Open (RFC7413) to send and accept data in the opening
717	SYN packet.
718
719	The client support is enabled by flag 0x1 (on by default). The client
720	then must use sendmsg() or sendto() with the MSG_FASTOPEN flag,
721	rather than connect() to send data in SYN.
722
723	The server support is enabled by flag 0x2 (off by default). Then
724	either enable for all listeners with another flag (0x400) or
725	enable individual listeners via TCP_FASTOPEN socket option with
726	the option value being the length of the syn-data backlog.
727
728	The values (bitmap) are
729
730	=====  ======== ======================================================
731	  0x1  (client) enables sending data in the opening SYN on the client.
732	  0x2  (server) enables the server support, i.e., allowing data in
733			a SYN packet to be accepted and passed to the
734			application before 3-way handshake finishes.
735	  0x4  (client) send data in the opening SYN regardless of cookie
736			availability and without a cookie option.
737	0x200  (server) accept data-in-SYN w/o any cookie option present.
738	0x400  (server) enable all listeners to support Fast Open by
739			default without explicit TCP_FASTOPEN socket option.
740	=====  ======== ======================================================
741
742	Default: 0x1
743
744	Note that additional client or server features are only
745	effective if the basic support (0x1 and 0x2) are enabled respectively.
746
747tcp_fastopen_blackhole_timeout_sec - INTEGER
748	Initial time period in second to disable Fastopen on active TCP sockets
749	when a TFO firewall blackhole issue happens.
750	This time period will grow exponentially when more blackhole issues
751	get detected right after Fastopen is re-enabled and will reset to
752	initial value when the blackhole issue goes away.
753	0 to disable the blackhole detection.
754
755	By default, it is set to 1hr.
756
757tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
758	The list consists of a primary key and an optional backup key. The
759	primary key is used for both creating and validating cookies, while the
760	optional backup key is only used for validating cookies. The purpose of
761	the backup key is to maximize TFO validation when keys are rotated.
762
763	A randomly chosen primary key may be configured by the kernel if
764	the tcp_fastopen sysctl is set to 0x400 (see above), or if the
765	TCP_FASTOPEN setsockopt() optname is set and a key has not been
766	previously configured via sysctl. If keys are configured via
767	setsockopt() by using the TCP_FASTOPEN_KEY optname, then those
768	per-socket keys will be used instead of any keys that are specified via
769	sysctl.
770
771	A key is specified as 4 8-digit hexadecimal integers which are separated
772	by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be
773	omitted. A primary and a backup key may be specified by separating them
774	by a comma. If only one key is specified, it becomes the primary key and
775	any previously configured backup keys are removed.
776
777tcp_syn_retries - INTEGER
778	Number of times initial SYNs for an active TCP connection attempt
779	will be retransmitted. Should not be higher than 127. Default value
780	is 6, which corresponds to 63seconds till the last retransmission
781	with the current initial RTO of 1second. With this the final timeout
782	for an active TCP connection attempt will happen after 127seconds.
783
784tcp_timestamps - INTEGER
785	Enable timestamps as defined in RFC1323.
786
787	- 0: Disabled.
788	- 1: Enable timestamps as defined in RFC1323 and use random offset for
789	  each connection rather than only using the current time.
790	- 2: Like 1, but without random offsets.
791
792	Default: 1
793
794tcp_min_tso_segs - INTEGER
795	Minimal number of segments per TSO frame.
796
797	Since linux-3.12, TCP does an automatic sizing of TSO frames,
798	depending on flow rate, instead of filling 64Kbytes packets.
799	For specific usages, it's possible to force TCP to build big
800	TSO frames. Note that TCP stack might split too big TSO packets
801	if available window is too small.
802
803	Default: 2
804
805tcp_pacing_ss_ratio - INTEGER
806	sk->sk_pacing_rate is set by TCP stack using a ratio applied
807	to current rate. (current_rate = cwnd * mss / srtt)
808	If TCP is in slow start, tcp_pacing_ss_ratio is applied
809	to let TCP probe for bigger speeds, assuming cwnd can be
810	doubled every other RTT.
811
812	Default: 200
813
814tcp_pacing_ca_ratio - INTEGER
815	sk->sk_pacing_rate is set by TCP stack using a ratio applied
816	to current rate. (current_rate = cwnd * mss / srtt)
817	If TCP is in congestion avoidance phase, tcp_pacing_ca_ratio
818	is applied to conservatively probe for bigger throughput.
819
820	Default: 120
821
822tcp_tso_win_divisor - INTEGER
823	This allows control over what percentage of the congestion window
824	can be consumed by a single TSO frame.
825	The setting of this parameter is a choice between burstiness and
826	building larger TSO frames.
827
828	Default: 3
829
830tcp_tw_reuse - INTEGER
831	Enable reuse of TIME-WAIT sockets for new connections when it is
832	safe from protocol viewpoint.
833
834	- 0 - disable
835	- 1 - global enable
836	- 2 - enable for loopback traffic only
837
838	It should not be changed without advice/request of technical
839	experts.
840
841	Default: 2
842
843tcp_window_scaling - BOOLEAN
844	Enable window scaling as defined in RFC1323.
845
846tcp_wmem - vector of 3 INTEGERs: min, default, max
847	min: Amount of memory reserved for send buffers for TCP sockets.
848	Each TCP socket has rights to use it due to fact of its birth.
849
850	Default: 4K
851
852	default: initial size of send buffer used by TCP sockets.  This
853	value overrides net.core.wmem_default used by other protocols.
854
855	It is usually lower than net.core.wmem_default.
856
857	Default: 16K
858
859	max: Maximal amount of memory allowed for automatically tuned
860	send buffers for TCP sockets. This value does not override
861	net.core.wmem_max.  Calling setsockopt() with SO_SNDBUF disables
862	automatic tuning of that socket's send buffer size, in which case
863	this value is ignored.
864
865	Default: between 64K and 4MB, depending on RAM size.
866
867tcp_notsent_lowat - UNSIGNED INTEGER
868	A TCP socket can control the amount of unsent bytes in its write queue,
869	thanks to TCP_NOTSENT_LOWAT socket option. poll()/select()/epoll()
870	reports POLLOUT events if the amount of unsent bytes is below a per
871	socket value, and if the write queue is not full. sendmsg() will
872	also not add new buffers if the limit is hit.
873
874	This global variable controls the amount of unsent data for
875	sockets not using TCP_NOTSENT_LOWAT. For these sockets, a change
876	to the global variable has immediate effect.
877
878	Default: UINT_MAX (0xFFFFFFFF)
879
880tcp_workaround_signed_windows - BOOLEAN
881	If set, assume no receipt of a window scaling option means the
882	remote TCP is broken and treats the window as a signed quantity.
883	If unset, assume the remote TCP is not broken even if we do
884	not receive a window scaling option from them.
885
886	Default: 0
887
888tcp_thin_linear_timeouts - BOOLEAN
889	Enable dynamic triggering of linear timeouts for thin streams.
890	If set, a check is performed upon retransmission by timeout to
891	determine if the stream is thin (less than 4 packets in flight).
892	As long as the stream is found to be thin, up to 6 linear
893	timeouts may be performed before exponential backoff mode is
894	initiated. This improves retransmission latency for
895	non-aggressive thin streams, often found to be time-dependent.
896	For more information on thin streams, see
897	Documentation/networking/tcp-thin.rst
898
899	Default: 0
900
901tcp_limit_output_bytes - INTEGER
902	Controls TCP Small Queue limit per tcp socket.
903	TCP bulk sender tends to increase packets in flight until it
904	gets losses notifications. With SNDBUF autotuning, this can
905	result in a large amount of packets queued on the local machine
906	(e.g.: qdiscs, CPU backlog, or device) hurting latency of other
907	flows, for typical pfifo_fast qdiscs.  tcp_limit_output_bytes
908	limits the number of bytes on qdisc or device to reduce artificial
909	RTT/cwnd and reduce bufferbloat.
910
911	Default: 1048576 (16 * 65536)
912
913tcp_challenge_ack_limit - INTEGER
914	Limits number of Challenge ACK sent per second, as recommended
915	in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
916	Default: 1000
917
918tcp_rx_skb_cache - BOOLEAN
919	Controls a per TCP socket cache of one skb, that might help
920	performance of some workloads. This might be dangerous
921	on systems with a lot of TCP sockets, since it increases
922	memory usage.
923
924	Default: 0 (disabled)
925
926UDP variables
927=============
928
929udp_l3mdev_accept - BOOLEAN
930	Enabling this option allows a "global" bound socket to work
931	across L3 master domains (e.g., VRFs) with packets capable of
932	being received regardless of the L3 domain in which they
933	originated. Only valid when the kernel was compiled with
934	CONFIG_NET_L3_MASTER_DEV.
935
936	Default: 0 (disabled)
937
938udp_mem - vector of 3 INTEGERs: min, pressure, max
939	Number of pages allowed for queueing by all UDP sockets.
940
941	min: Below this number of pages UDP is not bothered about its
942	memory appetite. When amount of memory allocated by UDP exceeds
943	this number, UDP starts to moderate memory usage.
944
945	pressure: This value was introduced to follow format of tcp_mem.
946
947	max: Number of pages allowed for queueing by all UDP sockets.
948
949	Default is calculated at boot time from amount of available memory.
950
951udp_rmem_min - INTEGER
952	Minimal size of receive buffer used by UDP sockets in moderation.
953	Each UDP socket is able to use the size for receiving data, even if
954	total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
955
956	Default: 4K
957
958udp_wmem_min - INTEGER
959	Minimal size of send buffer used by UDP sockets in moderation.
960	Each UDP socket is able to use the size for sending data, even if
961	total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
962
963	Default: 4K
964
965RAW variables
966=============
967
968raw_l3mdev_accept - BOOLEAN
969	Enabling this option allows a "global" bound socket to work
970	across L3 master domains (e.g., VRFs) with packets capable of
971	being received regardless of the L3 domain in which they
972	originated. Only valid when the kernel was compiled with
973	CONFIG_NET_L3_MASTER_DEV.
974
975	Default: 1 (enabled)
976
977CIPSOv4 Variables
978=================
979
980cipso_cache_enable - BOOLEAN
981	If set, enable additions to and lookups from the CIPSO label mapping
982	cache.  If unset, additions are ignored and lookups always result in a
983	miss.  However, regardless of the setting the cache is still
984	invalidated when required when means you can safely toggle this on and
985	off and the cache will always be "safe".
986
987	Default: 1
988
989cipso_cache_bucket_size - INTEGER
990	The CIPSO label cache consists of a fixed size hash table with each
991	hash bucket containing a number of cache entries.  This variable limits
992	the number of entries in each hash bucket; the larger the value the
993	more CIPSO label mappings that can be cached.  When the number of
994	entries in a given hash bucket reaches this limit adding new entries
995	causes the oldest entry in the bucket to be removed to make room.
996
997	Default: 10
998
999cipso_rbm_optfmt - BOOLEAN
1000	Enable the "Optimized Tag 1 Format" as defined in section 3.4.2.6 of
1001	the CIPSO draft specification (see Documentation/netlabel for details).
1002	This means that when set the CIPSO tag will be padded with empty
1003	categories in order to make the packet data 32-bit aligned.
1004
1005	Default: 0
1006
1007cipso_rbm_structvalid - BOOLEAN
1008	If set, do a very strict check of the CIPSO option when
1009	ip_options_compile() is called.  If unset, relax the checks done during
1010	ip_options_compile().  Either way is "safe" as errors are caught else
1011	where in the CIPSO processing code but setting this to 0 (False) should
1012	result in less work (i.e. it should be faster) but could cause problems
1013	with other implementations that require strict checking.
1014
1015	Default: 0
1016
1017IP Variables
1018============
1019
1020ip_local_port_range - 2 INTEGERS
1021	Defines the local port range that is used by TCP and UDP to
1022	choose the local port. The first number is the first, the
1023	second the last local port number.
1024	If possible, it is better these numbers have different parity
1025	(one even and one odd value).
1026	Must be greater than or equal to ip_unprivileged_port_start.
1027	The default values are 32768 and 60999 respectively.
1028
1029ip_local_reserved_ports - list of comma separated ranges
1030	Specify the ports which are reserved for known third-party
1031	applications. These ports will not be used by automatic port
1032	assignments (e.g. when calling connect() or bind() with port
1033	number 0). Explicit port allocation behavior is unchanged.
1034
1035	The format used for both input and output is a comma separated
1036	list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
1037	10). Writing to the file will clear all previously reserved
1038	ports and update the current list with the one given in the
1039	input.
1040
1041	Note that ip_local_port_range and ip_local_reserved_ports
1042	settings are independent and both are considered by the kernel
1043	when determining which ports are available for automatic port
1044	assignments.
1045
1046	You can reserve ports which are not in the current
1047	ip_local_port_range, e.g.::
1048
1049	    $ cat /proc/sys/net/ipv4/ip_local_port_range
1050	    32000	60999
1051	    $ cat /proc/sys/net/ipv4/ip_local_reserved_ports
1052	    8080,9148
1053
1054	although this is redundant. However such a setting is useful
1055	if later the port range is changed to a value that will
1056	include the reserved ports.
1057
1058	Default: Empty
1059
1060ip_unprivileged_port_start - INTEGER
1061	This is a per-namespace sysctl.  It defines the first
1062	unprivileged port in the network namespace.  Privileged ports
1063	require root or CAP_NET_BIND_SERVICE in order to bind to them.
1064	To disable all privileged ports, set this to 0.  They must not
1065	overlap with the ip_local_port_range.
1066
1067	Default: 1024
1068
1069ip_nonlocal_bind - BOOLEAN
1070	If set, allows processes to bind() to non-local IP addresses,
1071	which can be quite useful - but may break some applications.
1072
1073	Default: 0
1074
1075ip_autobind_reuse - BOOLEAN
1076	By default, bind() does not select the ports automatically even if
1077	the new socket and all sockets bound to the port have SO_REUSEADDR.
1078	ip_autobind_reuse allows bind() to reuse the port and this is useful
1079	when you use bind()+connect(), but may break some applications.
1080	The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this
1081	option should only be set by experts.
1082	Default: 0
1083
1084ip_dynaddr - BOOLEAN
1085	If set non-zero, enables support for dynamic addresses.
1086	If set to a non-zero value larger than 1, a kernel log
1087	message will be printed when dynamic address rewriting
1088	occurs.
1089
1090	Default: 0
1091
1092ip_early_demux - BOOLEAN
1093	Optimize input packet processing down to one demux for
1094	certain kinds of local sockets.  Currently we only do this
1095	for established TCP and connected UDP sockets.
1096
1097	It may add an additional cost for pure routing workloads that
1098	reduces overall throughput, in such case you should disable it.
1099
1100	Default: 1
1101
1102ping_group_range - 2 INTEGERS
1103	Restrict ICMP_PROTO datagram sockets to users in the group range.
1104	The default is "1 0", meaning, that nobody (not even root) may
1105	create ping sockets.  Setting it to "100 100" would grant permissions
1106	to the single group. "0 4294967295" would enable it for the world, "100
1107	4294967295" would enable it for the users, but not daemons.
1108
1109tcp_early_demux - BOOLEAN
1110	Enable early demux for established TCP sockets.
1111
1112	Default: 1
1113
1114udp_early_demux - BOOLEAN
1115	Enable early demux for connected UDP sockets. Disable this if
1116	your system could experience more unconnected load.
1117
1118	Default: 1
1119
1120icmp_echo_ignore_all - BOOLEAN
1121	If set non-zero, then the kernel will ignore all ICMP ECHO
1122	requests sent to it.
1123
1124	Default: 0
1125
1126icmp_echo_ignore_broadcasts - BOOLEAN
1127	If set non-zero, then the kernel will ignore all ICMP ECHO and
1128	TIMESTAMP requests sent to it via broadcast/multicast.
1129
1130	Default: 1
1131
1132icmp_ratelimit - INTEGER
1133	Limit the maximal rates for sending ICMP packets whose type matches
1134	icmp_ratemask (see below) to specific targets.
1135	0 to disable any limiting,
1136	otherwise the minimal space between responses in milliseconds.
1137	Note that another sysctl, icmp_msgs_per_sec limits the number
1138	of ICMP packets	sent on all targets.
1139
1140	Default: 1000
1141
1142icmp_msgs_per_sec - INTEGER
1143	Limit maximal number of ICMP packets sent per second from this host.
1144	Only messages whose type matches icmp_ratemask (see below) are
1145	controlled by this limit.
1146
1147	Default: 1000
1148
1149icmp_msgs_burst - INTEGER
1150	icmp_msgs_per_sec controls number of ICMP packets sent per second,
1151	while icmp_msgs_burst controls the burst size of these packets.
1152
1153	Default: 50
1154
1155icmp_ratemask - INTEGER
1156	Mask made of ICMP types for which rates are being limited.
1157
1158	Significant bits: IHGFEDCBA9876543210
1159
1160	Default mask:     0000001100000011000 (6168)
1161
1162	Bit definitions (see include/linux/icmp.h):
1163
1164		= =========================
1165		0 Echo Reply
1166		3 Destination Unreachable [1]_
1167		4 Source Quench [1]_
1168		5 Redirect
1169		8 Echo Request
1170		B Time Exceeded [1]_
1171		C Parameter Problem [1]_
1172		D Timestamp Request
1173		E Timestamp Reply
1174		F Info Request
1175		G Info Reply
1176		H Address Mask Request
1177		I Address Mask Reply
1178		= =========================
1179
1180	.. [1] These are rate limited by default (see default mask above)
1181
1182icmp_ignore_bogus_error_responses - BOOLEAN
1183	Some routers violate RFC1122 by sending bogus responses to broadcast
1184	frames.  Such violations are normally logged via a kernel warning.
1185	If this is set to TRUE, the kernel will not give such warnings, which
1186	will avoid log file clutter.
1187
1188	Default: 1
1189
1190icmp_errors_use_inbound_ifaddr - BOOLEAN
1191
1192	If zero, icmp error messages are sent with the primary address of
1193	the exiting interface.
1194
1195	If non-zero, the message will be sent with the primary address of
1196	the interface that received the packet that caused the icmp error.
1197	This is the behaviour network many administrators will expect from
1198	a router. And it can make debugging complicated network layouts
1199	much easier.
1200
1201	Note that if no primary address exists for the interface selected,
1202	then the primary address of the first non-loopback interface that
1203	has one will be used regardless of this setting.
1204
1205	Default: 0
1206
1207igmp_max_memberships - INTEGER
1208	Change the maximum number of multicast groups we can subscribe to.
1209	Default: 20
1210
1211	Theoretical maximum value is bounded by having to send a membership
1212	report in a single datagram (i.e. the report can't span multiple
1213	datagrams, or risk confusing the switch and leaving groups you don't
1214	intend to).
1215
1216	The number of supported groups 'M' is bounded by the number of group
1217	report entries you can fit into a single datagram of 65535 bytes.
1218
1219	M = 65536-sizeof (ip header)/(sizeof(Group record))
1220
1221	Group records are variable length, with a minimum of 12 bytes.
1222	So net.ipv4.igmp_max_memberships should not be set higher than:
1223
1224	(65536-24) / 12 = 5459
1225
1226	The value 5459 assumes no IP header options, so in practice
1227	this number may be lower.
1228
1229igmp_max_msf - INTEGER
1230	Maximum number of addresses allowed in the source filter list for a
1231	multicast group.
1232
1233	Default: 10
1234
1235igmp_qrv - INTEGER
1236	Controls the IGMP query robustness variable (see RFC2236 8.1).
1237
1238	Default: 2 (as specified by RFC2236 8.1)
1239
1240	Minimum: 1 (as specified by RFC6636 4.5)
1241
1242force_igmp_version - INTEGER
1243	- 0 - (default) No enforcement of a IGMP version, IGMPv1/v2 fallback
1244	  allowed. Will back to IGMPv3 mode again if all IGMPv1/v2 Querier
1245	  Present timer expires.
1246	- 1 - Enforce to use IGMP version 1. Will also reply IGMPv1 report if
1247	  receive IGMPv2/v3 query.
1248	- 2 - Enforce to use IGMP version 2. Will fallback to IGMPv1 if receive
1249	  IGMPv1 query message. Will reply report if receive IGMPv3 query.
1250	- 3 - Enforce to use IGMP version 3. The same react with default 0.
1251
1252	.. note::
1253
1254	   this is not the same with force_mld_version because IGMPv3 RFC3376
1255	   Security Considerations does not have clear description that we could
1256	   ignore other version messages completely as MLDv2 RFC3810. So make
1257	   this value as default 0 is recommended.
1258
1259``conf/interface/*``
1260	changes special settings per interface (where
1261	interface" is the name of your network interface)
1262
1263``conf/all/*``
1264	  is special, changes the settings for all interfaces
1265
1266log_martians - BOOLEAN
1267	Log packets with impossible addresses to kernel log.
1268	log_martians for the interface will be enabled if at least one of
1269	conf/{all,interface}/log_martians is set to TRUE,
1270	it will be disabled otherwise
1271
1272accept_redirects - BOOLEAN
1273	Accept ICMP redirect messages.
1274	accept_redirects for the interface will be enabled if:
1275
1276	- both conf/{all,interface}/accept_redirects are TRUE in the case
1277	  forwarding for the interface is enabled
1278
1279	or
1280
1281	- at least one of conf/{all,interface}/accept_redirects is TRUE in the
1282	  case forwarding for the interface is disabled
1283
1284	accept_redirects for the interface will be disabled otherwise
1285
1286	default:
1287
1288		- TRUE (host)
1289		- FALSE (router)
1290
1291forwarding - BOOLEAN
1292	Enable IP forwarding on this interface.  This controls whether packets
1293	received _on_ this interface can be forwarded.
1294
1295mc_forwarding - BOOLEAN
1296	Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
1297	and a multicast routing daemon is required.
1298	conf/all/mc_forwarding must also be set to TRUE to enable multicast
1299	routing	for the interface
1300
1301medium_id - INTEGER
1302	Integer value used to differentiate the devices by the medium they
1303	are attached to. Two devices can have different id values when
1304	the broadcast packets are received only on one of them.
1305	The default value 0 means that the device is the only interface
1306	to its medium, value of -1 means that medium is not known.
1307
1308	Currently, it is used to change the proxy_arp behavior:
1309	the proxy_arp feature is enabled for packets forwarded between
1310	two devices attached to different media.
1311
1312proxy_arp - BOOLEAN
1313	Do proxy arp.
1314
1315	proxy_arp for the interface will be enabled if at least one of
1316	conf/{all,interface}/proxy_arp is set to TRUE,
1317	it will be disabled otherwise
1318
1319proxy_arp_pvlan - BOOLEAN
1320	Private VLAN proxy arp.
1321
1322	Basically allow proxy arp replies back to the same interface
1323	(from which the ARP request/solicitation was received).
1324
1325	This is done to support (ethernet) switch features, like RFC
1326	3069, where the individual ports are NOT allowed to
1327	communicate with each other, but they are allowed to talk to
1328	the upstream router.  As described in RFC 3069, it is possible
1329	to allow these hosts to communicate through the upstream
1330	router by proxy_arp'ing. Don't need to be used together with
1331	proxy_arp.
1332
1333	This technology is known by different names:
1334
1335	  In RFC 3069 it is called VLAN Aggregation.
1336	  Cisco and Allied Telesyn call it Private VLAN.
1337	  Hewlett-Packard call it Source-Port filtering or port-isolation.
1338	  Ericsson call it MAC-Forced Forwarding (RFC Draft).
1339
1340shared_media - BOOLEAN
1341	Send(router) or accept(host) RFC1620 shared media redirects.
1342	Overrides secure_redirects.
1343
1344	shared_media for the interface will be enabled if at least one of
1345	conf/{all,interface}/shared_media is set to TRUE,
1346	it will be disabled otherwise
1347
1348	default TRUE
1349
1350secure_redirects - BOOLEAN
1351	Accept ICMP redirect messages only to gateways listed in the
1352	interface's current gateway list. Even if disabled, RFC1122 redirect
1353	rules still apply.
1354
1355	Overridden by shared_media.
1356
1357	secure_redirects for the interface will be enabled if at least one of
1358	conf/{all,interface}/secure_redirects is set to TRUE,
1359	it will be disabled otherwise
1360
1361	default TRUE
1362
1363send_redirects - BOOLEAN
1364	Send redirects, if router.
1365
1366	send_redirects for the interface will be enabled if at least one of
1367	conf/{all,interface}/send_redirects is set to TRUE,
1368	it will be disabled otherwise
1369
1370	Default: TRUE
1371
1372bootp_relay - BOOLEAN
1373	Accept packets with source address 0.b.c.d destined
1374	not to this host as local ones. It is supposed, that
1375	BOOTP relay daemon will catch and forward such packets.
1376	conf/all/bootp_relay must also be set to TRUE to enable BOOTP relay
1377	for the interface
1378
1379	default FALSE
1380
1381	Not Implemented Yet.
1382
1383accept_source_route - BOOLEAN
1384	Accept packets with SRR option.
1385	conf/all/accept_source_route must also be set to TRUE to accept packets
1386	with SRR option on the interface
1387
1388	default
1389
1390		- TRUE (router)
1391		- FALSE (host)
1392
1393accept_local - BOOLEAN
1394	Accept packets with local source addresses. In combination with
1395	suitable routing, this can be used to direct packets between two
1396	local interfaces over the wire and have them accepted properly.
1397	default FALSE
1398
1399route_localnet - BOOLEAN
1400	Do not consider loopback addresses as martian source or destination
1401	while routing. This enables the use of 127/8 for local routing purposes.
1402
1403	default FALSE
1404
1405rp_filter - INTEGER
1406	- 0 - No source validation.
1407	- 1 - Strict mode as defined in RFC3704 Strict Reverse Path
1408	  Each incoming packet is tested against the FIB and if the interface
1409	  is not the best reverse path the packet check will fail.
1410	  By default failed packets are discarded.
1411	- 2 - Loose mode as defined in RFC3704 Loose Reverse Path
1412	  Each incoming packet's source address is also tested against the FIB
1413	  and if the source address is not reachable via any interface
1414	  the packet check will fail.
1415
1416	Current recommended practice in RFC3704 is to enable strict mode
1417	to prevent IP spoofing from DDos attacks. If using asymmetric routing
1418	or other complicated routing, then loose mode is recommended.
1419
1420	The max value from conf/{all,interface}/rp_filter is used
1421	when doing source validation on the {interface}.
1422
1423	Default value is 0. Note that some distributions enable it
1424	in startup scripts.
1425
1426arp_filter - BOOLEAN
1427	- 1 - Allows you to have multiple network interfaces on the same
1428	  subnet, and have the ARPs for each interface be answered
1429	  based on whether or not the kernel would route a packet from
1430	  the ARP'd IP out that interface (therefore you must use source
1431	  based routing for this to work). In other words it allows control
1432	  of which cards (usually 1) will respond to an arp request.
1433
1434	- 0 - (default) The kernel can respond to arp requests with addresses
1435	  from other interfaces. This may seem wrong but it usually makes
1436	  sense, because it increases the chance of successful communication.
1437	  IP addresses are owned by the complete host on Linux, not by
1438	  particular interfaces. Only for more complex setups like load-
1439	  balancing, does this behaviour cause problems.
1440
1441	arp_filter for the interface will be enabled if at least one of
1442	conf/{all,interface}/arp_filter is set to TRUE,
1443	it will be disabled otherwise
1444
1445arp_announce - INTEGER
1446	Define different restriction levels for announcing the local
1447	source IP address from IP packets in ARP requests sent on
1448	interface:
1449
1450	- 0 - (default) Use any local address, configured on any interface
1451	- 1 - Try to avoid local addresses that are not in the target's
1452	  subnet for this interface. This mode is useful when target
1453	  hosts reachable via this interface require the source IP
1454	  address in ARP requests to be part of their logical network
1455	  configured on the receiving interface. When we generate the
1456	  request we will check all our subnets that include the
1457	  target IP and will preserve the source address if it is from
1458	  such subnet. If there is no such subnet we select source
1459	  address according to the rules for level 2.
1460	- 2 - Always use the best local address for this target.
1461	  In this mode we ignore the source address in the IP packet
1462	  and try to select local address that we prefer for talks with
1463	  the target host. Such local address is selected by looking
1464	  for primary IP addresses on all our subnets on the outgoing
1465	  interface that include the target IP address. If no suitable
1466	  local address is found we select the first local address
1467	  we have on the outgoing interface or on all other interfaces,
1468	  with the hope we will receive reply for our request and
1469	  even sometimes no matter the source IP address we announce.
1470
1471	The max value from conf/{all,interface}/arp_announce is used.
1472
1473	Increasing the restriction level gives more chance for
1474	receiving answer from the resolved target while decreasing
1475	the level announces more valid sender's information.
1476
1477arp_ignore - INTEGER
1478	Define different modes for sending replies in response to
1479	received ARP requests that resolve local target IP addresses:
1480
1481	- 0 - (default): reply for any local target IP address, configured
1482	  on any interface
1483	- 1 - reply only if the target IP address is local address
1484	  configured on the incoming interface
1485	- 2 - reply only if the target IP address is local address
1486	  configured on the incoming interface and both with the
1487	  sender's IP address are part from same subnet on this interface
1488	- 3 - do not reply for local addresses configured with scope host,
1489	  only resolutions for global and link addresses are replied
1490	- 4-7 - reserved
1491	- 8 - do not reply for all local addresses
1492
1493	The max value from conf/{all,interface}/arp_ignore is used
1494	when ARP request is received on the {interface}
1495
1496arp_notify - BOOLEAN
1497	Define mode for notification of address and device changes.
1498
1499	 ==  ==========================================================
1500	  0  (default): do nothing
1501	  1  Generate gratuitous arp requests when device is brought up
1502	     or hardware address changes.
1503	 ==  ==========================================================
1504
1505arp_accept - BOOLEAN
1506	Define behavior for gratuitous ARP frames who's IP is not
1507	already present in the ARP table:
1508
1509	- 0 - don't create new entries in the ARP table
1510	- 1 - create new entries in the ARP table
1511
1512	Both replies and requests type gratuitous arp will trigger the
1513	ARP table to be updated, if this setting is on.
1514
1515	If the ARP table already contains the IP address of the
1516	gratuitous arp frame, the arp table will be updated regardless
1517	if this setting is on or off.
1518
1519mcast_solicit - INTEGER
1520	The maximum number of multicast probes in INCOMPLETE state,
1521	when the associated hardware address is unknown.  Defaults
1522	to 3.
1523
1524ucast_solicit - INTEGER
1525	The maximum number of unicast probes in PROBE state, when
1526	the hardware address is being reconfirmed.  Defaults to 3.
1527
1528app_solicit - INTEGER
1529	The maximum number of probes to send to the user space ARP daemon
1530	via netlink before dropping back to multicast probes (see
1531	mcast_resolicit).  Defaults to 0.
1532
1533mcast_resolicit - INTEGER
1534	The maximum number of multicast probes after unicast and
1535	app probes in PROBE state.  Defaults to 0.
1536
1537disable_policy - BOOLEAN
1538	Disable IPSEC policy (SPD) for this interface
1539
1540disable_xfrm - BOOLEAN
1541	Disable IPSEC encryption on this interface, whatever the policy
1542
1543igmpv2_unsolicited_report_interval - INTEGER
1544	The interval in milliseconds in which the next unsolicited
1545	IGMPv1 or IGMPv2 report retransmit will take place.
1546
1547	Default: 10000 (10 seconds)
1548
1549igmpv3_unsolicited_report_interval - INTEGER
1550	The interval in milliseconds in which the next unsolicited
1551	IGMPv3 report retransmit will take place.
1552
1553	Default: 1000 (1 seconds)
1554
1555promote_secondaries - BOOLEAN
1556	When a primary IP address is removed from this interface
1557	promote a corresponding secondary IP address instead of
1558	removing all the corresponding secondary IP addresses.
1559
1560drop_unicast_in_l2_multicast - BOOLEAN
1561	Drop any unicast IP packets that are received in link-layer
1562	multicast (or broadcast) frames.
1563
1564	This behavior (for multicast) is actually a SHOULD in RFC
1565	1122, but is disabled by default for compatibility reasons.
1566
1567	Default: off (0)
1568
1569drop_gratuitous_arp - BOOLEAN
1570	Drop all gratuitous ARP frames, for example if there's a known
1571	good ARP proxy on the network and such frames need not be used
1572	(or in the case of 802.11, must not be used to prevent attacks.)
1573
1574	Default: off (0)
1575
1576
1577tag - INTEGER
1578	Allows you to write a number, which can be used as required.
1579
1580	Default value is 0.
1581
1582xfrm4_gc_thresh - INTEGER
1583	(Obsolete since linux-4.14)
1584	The threshold at which we will start garbage collecting for IPv4
1585	destination cache entries.  At twice this value the system will
1586	refuse new allocations.
1587
1588igmp_link_local_mcast_reports - BOOLEAN
1589	Enable IGMP reports for link local multicast groups in the
1590	224.0.0.X range.
1591
1592	Default TRUE
1593
1594Alexey Kuznetsov.
1595kuznet@ms2.inr.ac.ru
1596
1597Updated by:
1598
1599- Andi Kleen
1600  ak@muc.de
1601- Nicolas Delon
1602  delon.nicolas@wanadoo.fr
1603
1604
1605
1606
1607/proc/sys/net/ipv6/* Variables
1608==============================
1609
1610IPv6 has no global variables such as tcp_*.  tcp_* settings under ipv4/ also
1611apply to IPv6 [XXX?].
1612
1613bindv6only - BOOLEAN
1614	Default value for IPV6_V6ONLY socket option,
1615	which restricts use of the IPv6 socket to IPv6 communication
1616	only.
1617
1618		- TRUE: disable IPv4-mapped address feature
1619		- FALSE: enable IPv4-mapped address feature
1620
1621	Default: FALSE (as specified in RFC3493)
1622
1623flowlabel_consistency - BOOLEAN
1624	Protect the consistency (and unicity) of flow label.
1625	You have to disable it to use IPV6_FL_F_REFLECT flag on the
1626	flow label manager.
1627
1628	- TRUE: enabled
1629	- FALSE: disabled
1630
1631	Default: TRUE
1632
1633auto_flowlabels - INTEGER
1634	Automatically generate flow labels based on a flow hash of the
1635	packet. This allows intermediate devices, such as routers, to
1636	identify packet flows for mechanisms like Equal Cost Multipath
1637	Routing (see RFC 6438).
1638
1639	=  ===========================================================
1640	0  automatic flow labels are completely disabled
1641	1  automatic flow labels are enabled by default, they can be
1642	   disabled on a per socket basis using the IPV6_AUTOFLOWLABEL
1643	   socket option
1644	2  automatic flow labels are allowed, they may be enabled on a
1645	   per socket basis using the IPV6_AUTOFLOWLABEL socket option
1646	3  automatic flow labels are enabled and enforced, they cannot
1647	   be disabled by the socket option
1648	=  ===========================================================
1649
1650	Default: 1
1651
1652flowlabel_state_ranges - BOOLEAN
1653	Split the flow label number space into two ranges. 0-0x7FFFF is
1654	reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF
1655	is reserved for stateless flow labels as described in RFC6437.
1656
1657	- TRUE: enabled
1658	- FALSE: disabled
1659
1660	Default: true
1661
1662flowlabel_reflect - INTEGER
1663	Control flow label reflection. Needed for Path MTU
1664	Discovery to work with Equal Cost Multipath Routing in anycast
1665	environments. See RFC 7690 and:
1666	https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01
1667
1668	This is a bitmask.
1669
1670	- 1: enabled for established flows
1671
1672	  Note that this prevents automatic flowlabel changes, as done
1673	  in "tcp: change IPv6 flow-label upon receiving spurious retransmission"
1674	  and "tcp: Change txhash on every SYN and RTO retransmit"
1675
1676	- 2: enabled for TCP RESET packets (no active listener)
1677	  If set, a RST packet sent in response to a SYN packet on a closed
1678	  port will reflect the incoming flow label.
1679
1680	- 4: enabled for ICMPv6 echo reply messages.
1681
1682	Default: 0
1683
1684fib_multipath_hash_policy - INTEGER
1685	Controls which hash policy to use for multipath routes.
1686
1687	Default: 0 (Layer 3)
1688
1689	Possible values:
1690
1691	- 0 - Layer 3 (source and destination addresses plus flow label)
1692	- 1 - Layer 4 (standard 5-tuple)
1693	- 2 - Layer 3 or inner Layer 3 if present
1694
1695anycast_src_echo_reply - BOOLEAN
1696	Controls the use of anycast addresses as source addresses for ICMPv6
1697	echo reply
1698
1699	- TRUE:  enabled
1700	- FALSE: disabled
1701
1702	Default: FALSE
1703
1704idgen_delay - INTEGER
1705	Controls the delay in seconds after which time to retry
1706	privacy stable address generation if a DAD conflict is
1707	detected.
1708
1709	Default: 1 (as specified in RFC7217)
1710
1711idgen_retries - INTEGER
1712	Controls the number of retries to generate a stable privacy
1713	address if a DAD conflict is detected.
1714
1715	Default: 3 (as specified in RFC7217)
1716
1717mld_qrv - INTEGER
1718	Controls the MLD query robustness variable (see RFC3810 9.1).
1719
1720	Default: 2 (as specified by RFC3810 9.1)
1721
1722	Minimum: 1 (as specified by RFC6636 4.5)
1723
1724max_dst_opts_number - INTEGER
1725	Maximum number of non-padding TLVs allowed in a Destination
1726	options extension header. If this value is less than zero
1727	then unknown options are disallowed and the number of known
1728	TLVs allowed is the absolute value of this number.
1729
1730	Default: 8
1731
1732max_hbh_opts_number - INTEGER
1733	Maximum number of non-padding TLVs allowed in a Hop-by-Hop
1734	options extension header. If this value is less than zero
1735	then unknown options are disallowed and the number of known
1736	TLVs allowed is the absolute value of this number.
1737
1738	Default: 8
1739
1740max_dst_opts_length - INTEGER
1741	Maximum length allowed for a Destination options extension
1742	header.
1743
1744	Default: INT_MAX (unlimited)
1745
1746max_hbh_length - INTEGER
1747	Maximum length allowed for a Hop-by-Hop options extension
1748	header.
1749
1750	Default: INT_MAX (unlimited)
1751
1752skip_notify_on_dev_down - BOOLEAN
1753	Controls whether an RTM_DELROUTE message is generated for routes
1754	removed when a device is taken down or deleted. IPv4 does not
1755	generate this message; IPv6 does by default. Setting this sysctl
1756	to true skips the message, making IPv4 and IPv6 on par in relying
1757	on userspace caches to track link events and evict routes.
1758
1759	Default: false (generate message)
1760
1761nexthop_compat_mode - BOOLEAN
1762	New nexthop API provides a means for managing nexthops independent of
1763	prefixes. Backwards compatibilty with old route format is enabled by
1764	default which means route dumps and notifications contain the new
1765	nexthop attribute but also the full, expanded nexthop definition.
1766	Further, updates or deletes of a nexthop configuration generate route
1767	notifications for each fib entry using the nexthop. Once a system
1768	understands the new API, this sysctl can be disabled to achieve full
1769	performance benefits of the new API by disabling the nexthop expansion
1770	and extraneous notifications.
1771	Default: true (backward compat mode)
1772
1773IPv6 Fragmentation:
1774
1775ip6frag_high_thresh - INTEGER
1776	Maximum memory used to reassemble IPv6 fragments. When
1777	ip6frag_high_thresh bytes of memory is allocated for this purpose,
1778	the fragment handler will toss packets until ip6frag_low_thresh
1779	is reached.
1780
1781ip6frag_low_thresh - INTEGER
1782	See ip6frag_high_thresh
1783
1784ip6frag_time - INTEGER
1785	Time in seconds to keep an IPv6 fragment in memory.
1786
1787IPv6 Segment Routing:
1788
1789seg6_flowlabel - INTEGER
1790	Controls the behaviour of computing the flowlabel of outer
1791	IPv6 header in case of SR T.encaps
1792
1793	 == =======================================================
1794	 -1  set flowlabel to zero.
1795	  0  copy flowlabel from Inner packet in case of Inner IPv6
1796	     (Set flowlabel to 0 in case IPv4/L2)
1797	  1  Compute the flowlabel using seg6_make_flowlabel()
1798	 == =======================================================
1799
1800	Default is 0.
1801
1802``conf/default/*``:
1803	Change the interface-specific default settings.
1804
1805
1806``conf/all/*``:
1807	Change all the interface-specific settings.
1808
1809	[XXX:  Other special features than forwarding?]
1810
1811conf/all/forwarding - BOOLEAN
1812	Enable global IPv6 forwarding between all interfaces.
1813
1814	IPv4 and IPv6 work differently here; e.g. netfilter must be used
1815	to control which interfaces may forward packets and which not.
1816
1817	This also sets all interfaces' Host/Router setting
1818	'forwarding' to the specified value.  See below for details.
1819
1820	This referred to as global forwarding.
1821
1822proxy_ndp - BOOLEAN
1823	Do proxy ndp.
1824
1825fwmark_reflect - BOOLEAN
1826	Controls the fwmark of kernel-generated IPv6 reply packets that are not
1827	associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
1828	If unset, these packets have a fwmark of zero. If set, they have the
1829	fwmark of the packet they are replying to.
1830
1831	Default: 0
1832
1833``conf/interface/*``:
1834	Change special settings per interface.
1835
1836	The functional behaviour for certain settings is different
1837	depending on whether local forwarding is enabled or not.
1838
1839accept_ra - INTEGER
1840	Accept Router Advertisements; autoconfigure using them.
1841
1842	It also determines whether or not to transmit Router
1843	Solicitations. If and only if the functional setting is to
1844	accept Router Advertisements, Router Solicitations will be
1845	transmitted.
1846
1847	Possible values are:
1848
1849		==  ===========================================================
1850		 0  Do not accept Router Advertisements.
1851		 1  Accept Router Advertisements if forwarding is disabled.
1852		 2  Overrule forwarding behaviour. Accept Router Advertisements
1853		    even if forwarding is enabled.
1854		==  ===========================================================
1855
1856	Functional default:
1857
1858		- enabled if local forwarding is disabled.
1859		- disabled if local forwarding is enabled.
1860
1861accept_ra_defrtr - BOOLEAN
1862	Learn default router in Router Advertisement.
1863
1864	Functional default:
1865
1866		- enabled if accept_ra is enabled.
1867		- disabled if accept_ra is disabled.
1868
1869accept_ra_from_local - BOOLEAN
1870	Accept RA with source-address that is found on local machine
1871	if the RA is otherwise proper and able to be accepted.
1872
1873	Default is to NOT accept these as it may be an un-intended
1874	network loop.
1875
1876	Functional default:
1877
1878	   - enabled if accept_ra_from_local is enabled
1879	     on a specific interface.
1880	   - disabled if accept_ra_from_local is disabled
1881	     on a specific interface.
1882
1883accept_ra_min_hop_limit - INTEGER
1884	Minimum hop limit Information in Router Advertisement.
1885
1886	Hop limit Information in Router Advertisement less than this
1887	variable shall be ignored.
1888
1889	Default: 1
1890
1891accept_ra_pinfo - BOOLEAN
1892	Learn Prefix Information in Router Advertisement.
1893
1894	Functional default:
1895
1896		- enabled if accept_ra is enabled.
1897		- disabled if accept_ra is disabled.
1898
1899accept_ra_rt_info_min_plen - INTEGER
1900	Minimum prefix length of Route Information in RA.
1901
1902	Route Information w/ prefix smaller than this variable shall
1903	be ignored.
1904
1905	Functional default:
1906
1907		* 0 if accept_ra_rtr_pref is enabled.
1908		* -1 if accept_ra_rtr_pref is disabled.
1909
1910accept_ra_rt_info_max_plen - INTEGER
1911	Maximum prefix length of Route Information in RA.
1912
1913	Route Information w/ prefix larger than this variable shall
1914	be ignored.
1915
1916	Functional default:
1917
1918		* 0 if accept_ra_rtr_pref is enabled.
1919		* -1 if accept_ra_rtr_pref is disabled.
1920
1921accept_ra_rtr_pref - BOOLEAN
1922	Accept Router Preference in RA.
1923
1924	Functional default:
1925
1926		- enabled if accept_ra is enabled.
1927		- disabled if accept_ra is disabled.
1928
1929accept_ra_mtu - BOOLEAN
1930	Apply the MTU value specified in RA option 5 (RFC4861). If
1931	disabled, the MTU specified in the RA will be ignored.
1932
1933	Functional default:
1934
1935		- enabled if accept_ra is enabled.
1936		- disabled if accept_ra is disabled.
1937
1938accept_redirects - BOOLEAN
1939	Accept Redirects.
1940
1941	Functional default:
1942
1943		- enabled if local forwarding is disabled.
1944		- disabled if local forwarding is enabled.
1945
1946accept_source_route - INTEGER
1947	Accept source routing (routing extension header).
1948
1949	- >= 0: Accept only routing header type 2.
1950	- < 0: Do not accept routing header.
1951
1952	Default: 0
1953
1954autoconf - BOOLEAN
1955	Autoconfigure addresses using Prefix Information in Router
1956	Advertisements.
1957
1958	Functional default:
1959
1960		- enabled if accept_ra_pinfo is enabled.
1961		- disabled if accept_ra_pinfo is disabled.
1962
1963dad_transmits - INTEGER
1964	The amount of Duplicate Address Detection probes to send.
1965
1966	Default: 1
1967
1968forwarding - INTEGER
1969	Configure interface-specific Host/Router behaviour.
1970
1971	.. note::
1972
1973	   It is recommended to have the same setting on all
1974	   interfaces; mixed router/host scenarios are rather uncommon.
1975
1976	Possible values are:
1977
1978		- 0 Forwarding disabled
1979		- 1 Forwarding enabled
1980
1981	**FALSE (0)**:
1982
1983	By default, Host behaviour is assumed.  This means:
1984
1985	1. IsRouter flag is not set in Neighbour Advertisements.
1986	2. If accept_ra is TRUE (default), transmit Router
1987	   Solicitations.
1988	3. If accept_ra is TRUE (default), accept Router
1989	   Advertisements (and do autoconfiguration).
1990	4. If accept_redirects is TRUE (default), accept Redirects.
1991
1992	**TRUE (1)**:
1993
1994	If local forwarding is enabled, Router behaviour is assumed.
1995	This means exactly the reverse from the above:
1996
1997	1. IsRouter flag is set in Neighbour Advertisements.
1998	2. Router Solicitations are not sent unless accept_ra is 2.
1999	3. Router Advertisements are ignored unless accept_ra is 2.
2000	4. Redirects are ignored.
2001
2002	Default: 0 (disabled) if global forwarding is disabled (default),
2003	otherwise 1 (enabled).
2004
2005hop_limit - INTEGER
2006	Default Hop Limit to set.
2007
2008	Default: 64
2009
2010mtu - INTEGER
2011	Default Maximum Transfer Unit
2012
2013	Default: 1280 (IPv6 required minimum)
2014
2015ip_nonlocal_bind - BOOLEAN
2016	If set, allows processes to bind() to non-local IPv6 addresses,
2017	which can be quite useful - but may break some applications.
2018
2019	Default: 0
2020
2021router_probe_interval - INTEGER
2022	Minimum interval (in seconds) between Router Probing described
2023	in RFC4191.
2024
2025	Default: 60
2026
2027router_solicitation_delay - INTEGER
2028	Number of seconds to wait after interface is brought up
2029	before sending Router Solicitations.
2030
2031	Default: 1
2032
2033router_solicitation_interval - INTEGER
2034	Number of seconds to wait between Router Solicitations.
2035
2036	Default: 4
2037
2038router_solicitations - INTEGER
2039	Number of Router Solicitations to send until assuming no
2040	routers are present.
2041
2042	Default: 3
2043
2044use_oif_addrs_only - BOOLEAN
2045	When enabled, the candidate source addresses for destinations
2046	routed via this interface are restricted to the set of addresses
2047	configured on this interface (vis. RFC 6724, section 4).
2048
2049	Default: false
2050
2051use_tempaddr - INTEGER
2052	Preference for Privacy Extensions (RFC3041).
2053
2054	  * <= 0 : disable Privacy Extensions
2055	  * == 1 : enable Privacy Extensions, but prefer public
2056	    addresses over temporary addresses.
2057	  * >  1 : enable Privacy Extensions and prefer temporary
2058	    addresses over public addresses.
2059
2060	Default:
2061
2062		* 0 (for most devices)
2063		* -1 (for point-to-point devices and loopback devices)
2064
2065temp_valid_lft - INTEGER
2066	valid lifetime (in seconds) for temporary addresses.
2067
2068	Default: 172800 (2 days)
2069
2070temp_prefered_lft - INTEGER
2071	Preferred lifetime (in seconds) for temporary addresses.
2072
2073	Default: 86400 (1 day)
2074
2075keep_addr_on_down - INTEGER
2076	Keep all IPv6 addresses on an interface down event. If set static
2077	global addresses with no expiration time are not flushed.
2078
2079	*   >0 : enabled
2080	*    0 : system default
2081	*   <0 : disabled
2082
2083	Default: 0 (addresses are removed)
2084
2085max_desync_factor - INTEGER
2086	Maximum value for DESYNC_FACTOR, which is a random value
2087	that ensures that clients don't synchronize with each
2088	other and generate new addresses at exactly the same time.
2089	value is in seconds.
2090
2091	Default: 600
2092
2093regen_max_retry - INTEGER
2094	Number of attempts before give up attempting to generate
2095	valid temporary addresses.
2096
2097	Default: 5
2098
2099max_addresses - INTEGER
2100	Maximum number of autoconfigured addresses per interface.  Setting
2101	to zero disables the limitation.  It is not recommended to set this
2102	value too large (or to zero) because it would be an easy way to
2103	crash the kernel by allowing too many addresses to be created.
2104
2105	Default: 16
2106
2107disable_ipv6 - BOOLEAN
2108	Disable IPv6 operation.  If accept_dad is set to 2, this value
2109	will be dynamically set to TRUE if DAD fails for the link-local
2110	address.
2111
2112	Default: FALSE (enable IPv6 operation)
2113
2114	When this value is changed from 1 to 0 (IPv6 is being enabled),
2115	it will dynamically create a link-local address on the given
2116	interface and start Duplicate Address Detection, if necessary.
2117
2118	When this value is changed from 0 to 1 (IPv6 is being disabled),
2119	it will dynamically delete all addresses and routes on the given
2120	interface. From now on it will not possible to add addresses/routes
2121	to the selected interface.
2122
2123accept_dad - INTEGER
2124	Whether to accept DAD (Duplicate Address Detection).
2125
2126	 == ==============================================================
2127	  0  Disable DAD
2128	  1  Enable DAD (default)
2129	  2  Enable DAD, and disable IPv6 operation if MAC-based duplicate
2130	     link-local address has been found.
2131	 == ==============================================================
2132
2133	DAD operation and mode on a given interface will be selected according
2134	to the maximum value of conf/{all,interface}/accept_dad.
2135
2136force_tllao - BOOLEAN
2137	Enable sending the target link-layer address option even when
2138	responding to a unicast neighbor solicitation.
2139
2140	Default: FALSE
2141
2142	Quoting from RFC 2461, section 4.4, Target link-layer address:
2143
2144	"The option MUST be included for multicast solicitations in order to
2145	avoid infinite Neighbor Solicitation "recursion" when the peer node
2146	does not have a cache entry to return a Neighbor Advertisements
2147	message.  When responding to unicast solicitations, the option can be
2148	omitted since the sender of the solicitation has the correct link-
2149	layer address; otherwise it would not have be able to send the unicast
2150	solicitation in the first place. However, including the link-layer
2151	address in this case adds little overhead and eliminates a potential
2152	race condition where the sender deletes the cached link-layer address
2153	prior to receiving a response to a previous solicitation."
2154
2155ndisc_notify - BOOLEAN
2156	Define mode for notification of address and device changes.
2157
2158	* 0 - (default): do nothing
2159	* 1 - Generate unsolicited neighbour advertisements when device is brought
2160	  up or hardware address changes.
2161
2162ndisc_tclass - INTEGER
2163	The IPv6 Traffic Class to use by default when sending IPv6 Neighbor
2164	Discovery (Router Solicitation, Router Advertisement, Neighbor
2165	Solicitation, Neighbor Advertisement, Redirect) messages.
2166	These 8 bits can be interpreted as 6 high order bits holding the DSCP
2167	value and 2 low order bits representing ECN (which you probably want
2168	to leave cleared).
2169
2170	* 0 - (default)
2171
2172mldv1_unsolicited_report_interval - INTEGER
2173	The interval in milliseconds in which the next unsolicited
2174	MLDv1 report retransmit will take place.
2175
2176	Default: 10000 (10 seconds)
2177
2178mldv2_unsolicited_report_interval - INTEGER
2179	The interval in milliseconds in which the next unsolicited
2180	MLDv2 report retransmit will take place.
2181
2182	Default: 1000 (1 second)
2183
2184force_mld_version - INTEGER
2185	* 0 - (default) No enforcement of a MLD version, MLDv1 fallback allowed
2186	* 1 - Enforce to use MLD version 1
2187	* 2 - Enforce to use MLD version 2
2188
2189suppress_frag_ndisc - INTEGER
2190	Control RFC 6980 (Security Implications of IPv6 Fragmentation
2191	with IPv6 Neighbor Discovery) behavior:
2192
2193	* 1 - (default) discard fragmented neighbor discovery packets
2194	* 0 - allow fragmented neighbor discovery packets
2195
2196optimistic_dad - BOOLEAN
2197	Whether to perform Optimistic Duplicate Address Detection (RFC 4429).
2198
2199	* 0: disabled (default)
2200	* 1: enabled
2201
2202	Optimistic Duplicate Address Detection for the interface will be enabled
2203	if at least one of conf/{all,interface}/optimistic_dad is set to 1,
2204	it will be disabled otherwise.
2205
2206use_optimistic - BOOLEAN
2207	If enabled, do not classify optimistic addresses as deprecated during
2208	source address selection.  Preferred addresses will still be chosen
2209	before optimistic addresses, subject to other ranking in the source
2210	address selection algorithm.
2211
2212	* 0: disabled (default)
2213	* 1: enabled
2214
2215	This will be enabled if at least one of
2216	conf/{all,interface}/use_optimistic is set to 1, disabled otherwise.
2217
2218stable_secret - IPv6 address
2219	This IPv6 address will be used as a secret to generate IPv6
2220	addresses for link-local addresses and autoconfigured
2221	ones. All addresses generated after setting this secret will
2222	be stable privacy ones by default. This can be changed via the
2223	addrgenmode ip-link. conf/default/stable_secret is used as the
2224	secret for the namespace, the interface specific ones can
2225	overwrite that. Writes to conf/all/stable_secret are refused.
2226
2227	It is recommended to generate this secret during installation
2228	of a system and keep it stable after that.
2229
2230	By default the stable secret is unset.
2231
2232addr_gen_mode - INTEGER
2233	Defines how link-local and autoconf addresses are generated.
2234
2235	=  =================================================================
2236	0  generate address based on EUI64 (default)
2237	1  do no generate a link-local address, use EUI64 for addresses
2238	   generated from autoconf
2239	2  generate stable privacy addresses, using the secret from
2240	   stable_secret (RFC7217)
2241	3  generate stable privacy addresses, using a random secret if unset
2242	=  =================================================================
2243
2244drop_unicast_in_l2_multicast - BOOLEAN
2245	Drop any unicast IPv6 packets that are received in link-layer
2246	multicast (or broadcast) frames.
2247
2248	By default this is turned off.
2249
2250drop_unsolicited_na - BOOLEAN
2251	Drop all unsolicited neighbor advertisements, for example if there's
2252	a known good NA proxy on the network and such frames need not be used
2253	(or in the case of 802.11, must not be used to prevent attacks.)
2254
2255	By default this is turned off.
2256
2257enhanced_dad - BOOLEAN
2258	Include a nonce option in the IPv6 neighbor solicitation messages used for
2259	duplicate address detection per RFC7527. A received DAD NS will only signal
2260	a duplicate address if the nonce is different. This avoids any false
2261	detection of duplicates due to loopback of the NS messages that we send.
2262	The nonce option will be sent on an interface unless both of
2263	conf/{all,interface}/enhanced_dad are set to FALSE.
2264
2265	Default: TRUE
2266
2267``icmp/*``:
2268===========
2269
2270ratelimit - INTEGER
2271	Limit the maximal rates for sending ICMPv6 messages.
2272
2273	0 to disable any limiting,
2274	otherwise the minimal space between responses in milliseconds.
2275
2276	Default: 1000
2277
2278ratemask - list of comma separated ranges
2279	For ICMPv6 message types matching the ranges in the ratemask, limit
2280	the sending of the message according to ratelimit parameter.
2281
2282	The format used for both input and output is a comma separated
2283	list of ranges (e.g. "0-127,129" for ICMPv6 message type 0 to 127 and
2284	129). Writing to the file will clear all previous ranges of ICMPv6
2285	message types and update the current list with the input.
2286
2287	Refer to: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
2288	for numerical values of ICMPv6 message types, e.g. echo request is 128
2289	and echo reply is 129.
2290
2291	Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)
2292
2293echo_ignore_all - BOOLEAN
2294	If set non-zero, then the kernel will ignore all ICMP ECHO
2295	requests sent to it over the IPv6 protocol.
2296
2297	Default: 0
2298
2299echo_ignore_multicast - BOOLEAN
2300	If set non-zero, then the kernel will ignore all ICMP ECHO
2301	requests sent to it over the IPv6 protocol via multicast.
2302
2303	Default: 0
2304
2305echo_ignore_anycast - BOOLEAN
2306	If set non-zero, then the kernel will ignore all ICMP ECHO
2307	requests sent to it over the IPv6 protocol destined to anycast address.
2308
2309	Default: 0
2310
2311xfrm6_gc_thresh - INTEGER
2312	(Obsolete since linux-4.14)
2313	The threshold at which we will start garbage collecting for IPv6
2314	destination cache entries.  At twice this value the system will
2315	refuse new allocations.
2316
2317
2318IPv6 Update by:
2319Pekka Savola <pekkas@netcore.fi>
2320YOSHIFUJI Hideaki / USAGI Project <yoshfuji@linux-ipv6.org>
2321
2322
2323/proc/sys/net/bridge/* Variables:
2324=================================
2325
2326bridge-nf-call-arptables - BOOLEAN
2327	- 1 : pass bridged ARP traffic to arptables' FORWARD chain.
2328	- 0 : disable this.
2329
2330	Default: 1
2331
2332bridge-nf-call-iptables - BOOLEAN
2333	- 1 : pass bridged IPv4 traffic to iptables' chains.
2334	- 0 : disable this.
2335
2336	Default: 1
2337
2338bridge-nf-call-ip6tables - BOOLEAN
2339	- 1 : pass bridged IPv6 traffic to ip6tables' chains.
2340	- 0 : disable this.
2341
2342	Default: 1
2343
2344bridge-nf-filter-vlan-tagged - BOOLEAN
2345	- 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
2346	- 0 : disable this.
2347
2348	Default: 0
2349
2350bridge-nf-filter-pppoe-tagged - BOOLEAN
2351	- 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
2352	- 0 : disable this.
2353
2354	Default: 0
2355
2356bridge-nf-pass-vlan-input-dev - BOOLEAN
2357	- 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
2358	  interface on the bridge and set the netfilter input device to the
2359	  vlan. This allows use of e.g. "iptables -i br0.1" and makes the
2360	  REDIRECT target work with vlan-on-top-of-bridge interfaces.  When no
2361	  matching vlan interface is found, or this switch is off, the input
2362	  device is set to the bridge interface.
2363
2364	- 0: disable bridge netfilter vlan interface lookup.
2365
2366	Default: 0
2367
2368``proc/sys/net/sctp/*`` Variables:
2369==================================
2370
2371addip_enable - BOOLEAN
2372	Enable or disable extension of  Dynamic Address Reconfiguration
2373	(ADD-IP) functionality specified in RFC5061.  This extension provides
2374	the ability to dynamically add and remove new addresses for the SCTP
2375	associations.
2376
2377	1: Enable extension.
2378
2379	0: Disable extension.
2380
2381	Default: 0
2382
2383pf_enable - INTEGER
2384	Enable or disable pf (pf is short for potentially failed) state. A value
2385	of pf_retrans > path_max_retrans also disables pf state. That is, one of
2386	both pf_enable and pf_retrans > path_max_retrans can disable pf state.
2387	Since pf_retrans and path_max_retrans can be changed by userspace
2388	application, sometimes user expects to disable pf state by the value of
2389	pf_retrans > path_max_retrans, but occasionally the value of pf_retrans
2390	or path_max_retrans is changed by the user application, this pf state is
2391	enabled. As such, it is necessary to add this to dynamically enable
2392	and disable pf state. See:
2393	https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-failover for
2394	details.
2395
2396	1: Enable pf.
2397
2398	0: Disable pf.
2399
2400	Default: 1
2401
2402pf_expose - INTEGER
2403	Unset or enable/disable pf (pf is short for potentially failed) state
2404	exposure.  Applications can control the exposure of the PF path state
2405	in the SCTP_PEER_ADDR_CHANGE event and the SCTP_GET_PEER_ADDR_INFO
2406	sockopt.   When it's unset, no SCTP_PEER_ADDR_CHANGE event with
2407	SCTP_ADDR_PF state will be sent and a SCTP_PF-state transport info
2408	can be got via SCTP_GET_PEER_ADDR_INFO sockopt;  When it's enabled,
2409	a SCTP_PEER_ADDR_CHANGE event will be sent for a transport becoming
2410	SCTP_PF state and a SCTP_PF-state transport info can be got via
2411	SCTP_GET_PEER_ADDR_INFO sockopt;  When it's diabled, no
2412	SCTP_PEER_ADDR_CHANGE event will be sent and it returns -EACCES when
2413	trying to get a SCTP_PF-state transport info via SCTP_GET_PEER_ADDR_INFO
2414	sockopt.
2415
2416	0: Unset pf state exposure, Compatible with old applications.
2417
2418	1: Disable pf state exposure.
2419
2420	2: Enable pf state exposure.
2421
2422	Default: 0
2423
2424addip_noauth_enable - BOOLEAN
2425	Dynamic Address Reconfiguration (ADD-IP) requires the use of
2426	authentication to protect the operations of adding or removing new
2427	addresses.  This requirement is mandated so that unauthorized hosts
2428	would not be able to hijack associations.  However, older
2429	implementations may not have implemented this requirement while
2430	allowing the ADD-IP extension.  For reasons of interoperability,
2431	we provide this variable to control the enforcement of the
2432	authentication requirement.
2433
2434	== ===============================================================
2435	1  Allow ADD-IP extension to be used without authentication.  This
2436	   should only be set in a closed environment for interoperability
2437	   with older implementations.
2438
2439	0  Enforce the authentication requirement
2440	== ===============================================================
2441
2442	Default: 0
2443
2444auth_enable - BOOLEAN
2445	Enable or disable Authenticated Chunks extension.  This extension
2446	provides the ability to send and receive authenticated chunks and is
2447	required for secure operation of Dynamic Address Reconfiguration
2448	(ADD-IP) extension.
2449
2450	- 1: Enable this extension.
2451	- 0: Disable this extension.
2452
2453	Default: 0
2454
2455prsctp_enable - BOOLEAN
2456	Enable or disable the Partial Reliability extension (RFC3758) which
2457	is used to notify peers that a given DATA should no longer be expected.
2458
2459	- 1: Enable extension
2460	- 0: Disable
2461
2462	Default: 1
2463
2464max_burst - INTEGER
2465	The limit of the number of new packets that can be initially sent.  It
2466	controls how bursty the generated traffic can be.
2467
2468	Default: 4
2469
2470association_max_retrans - INTEGER
2471	Set the maximum number for retransmissions that an association can
2472	attempt deciding that the remote end is unreachable.  If this value
2473	is exceeded, the association is terminated.
2474
2475	Default: 10
2476
2477max_init_retransmits - INTEGER
2478	The maximum number of retransmissions of INIT and COOKIE-ECHO chunks
2479	that an association will attempt before declaring the destination
2480	unreachable and terminating.
2481
2482	Default: 8
2483
2484path_max_retrans - INTEGER
2485	The maximum number of retransmissions that will be attempted on a given
2486	path.  Once this threshold is exceeded, the path is considered
2487	unreachable, and new traffic will use a different path when the
2488	association is multihomed.
2489
2490	Default: 5
2491
2492pf_retrans - INTEGER
2493	The number of retransmissions that will be attempted on a given path
2494	before traffic is redirected to an alternate transport (should one
2495	exist).  Note this is distinct from path_max_retrans, as a path that
2496	passes the pf_retrans threshold can still be used.  Its only
2497	deprioritized when a transmission path is selected by the stack.  This
2498	setting is primarily used to enable fast failover mechanisms without
2499	having to reduce path_max_retrans to a very low value.  See:
2500	http://www.ietf.org/id/draft-nishida-tsvwg-sctp-failover-05.txt
2501	for details.  Note also that a value of pf_retrans > path_max_retrans
2502	disables this feature. Since both pf_retrans and path_max_retrans can
2503	be changed by userspace application, a variable pf_enable is used to
2504	disable pf state.
2505
2506	Default: 0
2507
2508ps_retrans - INTEGER
2509	Primary.Switchover.Max.Retrans (PSMR), it's a tunable parameter coming
2510	from section-5 "Primary Path Switchover" in rfc7829.  The primary path
2511	will be changed to another active path when the path error counter on
2512	the old primary path exceeds PSMR, so that "the SCTP sender is allowed
2513	to continue data transmission on a new working path even when the old
2514	primary destination address becomes active again".   Note this feature
2515	is disabled by initializing 'ps_retrans' per netns as 0xffff by default,
2516	and its value can't be less than 'pf_retrans' when changing by sysctl.
2517
2518	Default: 0xffff
2519
2520rto_initial - INTEGER
2521	The initial round trip timeout value in milliseconds that will be used
2522	in calculating round trip times.  This is the initial time interval
2523	for retransmissions.
2524
2525	Default: 3000
2526
2527rto_max - INTEGER
2528	The maximum value (in milliseconds) of the round trip timeout.  This
2529	is the largest time interval that can elapse between retransmissions.
2530
2531	Default: 60000
2532
2533rto_min - INTEGER
2534	The minimum value (in milliseconds) of the round trip timeout.  This
2535	is the smallest time interval the can elapse between retransmissions.
2536
2537	Default: 1000
2538
2539hb_interval - INTEGER
2540	The interval (in milliseconds) between HEARTBEAT chunks.  These chunks
2541	are sent at the specified interval on idle paths to probe the state of
2542	a given path between 2 associations.
2543
2544	Default: 30000
2545
2546sack_timeout - INTEGER
2547	The amount of time (in milliseconds) that the implementation will wait
2548	to send a SACK.
2549
2550	Default: 200
2551
2552valid_cookie_life - INTEGER
2553	The default lifetime of the SCTP cookie (in milliseconds).  The cookie
2554	is used during association establishment.
2555
2556	Default: 60000
2557
2558cookie_preserve_enable - BOOLEAN
2559	Enable or disable the ability to extend the lifetime of the SCTP cookie
2560	that is used during the establishment phase of SCTP association
2561
2562	- 1: Enable cookie lifetime extension.
2563	- 0: Disable
2564
2565	Default: 1
2566
2567cookie_hmac_alg - STRING
2568	Select the hmac algorithm used when generating the cookie value sent by
2569	a listening sctp socket to a connecting client in the INIT-ACK chunk.
2570	Valid values are:
2571
2572	* md5
2573	* sha1
2574	* none
2575
2576	Ability to assign md5 or sha1 as the selected alg is predicated on the
2577	configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and
2578	CONFIG_CRYPTO_SHA1).
2579
2580	Default: Dependent on configuration.  MD5 if available, else SHA1 if
2581	available, else none.
2582
2583rcvbuf_policy - INTEGER
2584	Determines if the receive buffer is attributed to the socket or to
2585	association.   SCTP supports the capability to create multiple
2586	associations on a single socket.  When using this capability, it is
2587	possible that a single stalled association that's buffering a lot
2588	of data may block other associations from delivering their data by
2589	consuming all of the receive buffer space.  To work around this,
2590	the rcvbuf_policy could be set to attribute the receiver buffer space
2591	to each association instead of the socket.  This prevents the described
2592	blocking.
2593
2594	- 1: rcvbuf space is per association
2595	- 0: rcvbuf space is per socket
2596
2597	Default: 0
2598
2599sndbuf_policy - INTEGER
2600	Similar to rcvbuf_policy above, this applies to send buffer space.
2601
2602	- 1: Send buffer is tracked per association
2603	- 0: Send buffer is tracked per socket.
2604
2605	Default: 0
2606
2607sctp_mem - vector of 3 INTEGERs: min, pressure, max
2608	Number of pages allowed for queueing by all SCTP sockets.
2609
2610	min: Below this number of pages SCTP is not bothered about its
2611	memory appetite. When amount of memory allocated by SCTP exceeds
2612	this number, SCTP starts to moderate memory usage.
2613
2614	pressure: This value was introduced to follow format of tcp_mem.
2615
2616	max: Number of pages allowed for queueing by all SCTP sockets.
2617
2618	Default is calculated at boot time from amount of available memory.
2619
2620sctp_rmem - vector of 3 INTEGERs: min, default, max
2621	Only the first value ("min") is used, "default" and "max" are
2622	ignored.
2623
2624	min: Minimal size of receive buffer used by SCTP socket.
2625	It is guaranteed to each SCTP socket (but not association) even
2626	under moderate memory pressure.
2627
2628	Default: 4K
2629
2630sctp_wmem  - vector of 3 INTEGERs: min, default, max
2631	Currently this tunable has no effect.
2632
2633addr_scope_policy - INTEGER
2634	Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00
2635
2636	- 0   - Disable IPv4 address scoping
2637	- 1   - Enable IPv4 address scoping
2638	- 2   - Follow draft but allow IPv4 private addresses
2639	- 3   - Follow draft but allow IPv4 link local addresses
2640
2641	Default: 1
2642
2643
2644``/proc/sys/net/core/*``
2645========================
2646
2647	Please see: Documentation/admin-guide/sysctl/net.rst for descriptions of these entries.
2648
2649
2650``/proc/sys/net/unix/*``
2651========================
2652
2653max_dgram_qlen - INTEGER
2654	The maximum length of dgram socket receive queue
2655
2656	Default: 10
2657
2658