proc.txt

ARM 嵌入式 系统 设计与实例开发 实验教材 二源码

-------------------------------------------------------

There are  only  two  files  in this subdirectory. They control the delays for
deleting and destroying socket descriptors.

2.8 /proc/sys/net/ipv4 - IPV4 settings
--------------------------------------

IP version  4  is  still the most used protocol in Unix networking. It will be
replaced by  IP version 6 in the next couple of years, but for the moment it's
the de  facto  standard  for  the  internet  and  is  used  in most networking
environments around  the  world.  Because  of the importance of this protocol,
we'll have a deeper look into the subtree controlling the behavior of the IPv4
subsystem of the Linux kernel.

Let's start with the entries in /proc/sys/net/ipv4.

ICMP settings
-------------

icmp_echo_ignore_all and icmp_echo_ignore_broadcasts
----------------------------------------------------

Turn on (1) or off (0), if the kernel should ignore all ICMP ECHO requests, or
just those to broadcast and multicast addresses.

Please note that if you accept ICMP echo requests with a broadcast/multi\-cast
destination address  your  network  may  be  used as an exploder for denial of
service packet flooding attacks to other hosts.

icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate and icmp_timeexeed_rate
---------------------------------------------------------------------------------------

Sets limits  for  sending  ICMP  packets  to specific targets. A value of zero
disables all  limiting.  Any  positive  value sets the maximum package rate in
hundredth of a second (on Intel systems).

IP settings
-----------

ip_autoconfig
-------------

This file contains the number one if the host received its IP configuration by
RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.

ip_default_ttl
--------------

TTL (Time  To  Live) for IPv4 interfaces. This is simply the maximum number of
hops a packet may travel.

ip_dynaddr
----------

Enable dynamic  socket  address rewriting on interface address change. This is
useful for dialup interface with changing IP addresses.

ip_forward
----------

Enable or  disable forwarding of IP packages between interfaces. Changing this
value resets  all other parameters to their default values. They differ if the
kernel is configured as host or router.

ip_local_port_range
-------------------

Range of  ports  used  by  TCP  and UDP to choose the local port. Contains two
numbers, the  first  number  is the lowest port, the second number the highest
local port.  Default  is  1024-4999.  Should  be  changed  to  32768-61000 for
high-usage systems.

ip_no_pmtu_disc
---------------

Global switch  to  turn  path  MTU  discovery off. It can also be set on a per
socket basis by the applications or on a per route basis.

ip_masq_debug
-------------

Enable/disable debugging of IP masquerading.

IP fragmentation settings
-------------------------

ipfrag_high_trash and ipfrag_low_trash
--------------------------------------

Maximum memory  used to reassemble IP fragments. When ipfrag_high_thresh bytes
of memory  is  allocated  for  this  purpose,  the  fragment handler will toss
packets until ipfrag_low_thresh is reached.

ipfrag_time
-----------

Time in seconds to keep an IP fragment in memory.

TCP settings
------------

tcp_ecn
-------

This file controls the use of the ECN bit in the IPv4 headers, this is a new
feature about Explicit Congestion Notification, but some routers and firewalls
block trafic that has this bit set, so it could be necessary to echo 0 to
/proc/sys/net/ipv4/tcp_ecn, if you want to talk to this sites. For more info
you could read RFC2481.

tcp_retrans_collapse
--------------------

Bug-to-bug compatibility with some broken printers. On retransmit, try to send
larger packets to work around bugs in certain TCP stacks. Can be turned off by
setting it to zero.

tcp_keepalive_probes
--------------------

Number of  keep  alive  probes  TCP  sends  out,  until  it  decides  that the
connection is broken.

tcp_keepalive_time
------------------

How often  TCP  sends out keep alive messages, when keep alive is enabled. The
default is 2 hours.

tcp_syn_retries
---------------

Number of  times  initial  SYNs  for  a  TCP  connection  attempt  will  be
retransmitted. Should  not  be  higher  than 255. This is only the timeout for
outgoing connections,  for  incoming  connections the number of retransmits is
defined by tcp_retries1.

tcp_sack
--------

Enable select acknowledgments after RFC2018.

tcp_timestamps
--------------

Enable timestamps as defined in RFC1323.

tcp_stdurg
----------

Enable the  strict  RFC793 interpretation of the TCP urgent pointer field. The
default is  to  use  the  BSD  compatible interpretation of the urgent pointer
pointing to the first byte after the urgent data. The RFC793 interpretation is
to have  it  point  to  the last byte of urgent data. Enabling this option may
lead to interoperatibility problems. Disabled by default.

tcp_syncookies
--------------

Only valid  when  the  kernel  was  compiled  with CONFIG_SYNCOOKIES. Send out
syncookies when  the  syn backlog queue of a socket overflows. This is to ward
off the common 'syn flood attack'. Disabled by default.

Note that  the  concept  of a socket backlog is abandoned. This means the peer
may not  receive  reliable  error  messages  from  an  over loaded server with
syncookies enabled.

tcp_window_scaling
------------------

Enable window scaling as defined in RFC1323.

tcp_fin_timeout
---------------

The length  of  time  in  seconds  it  takes to receive a final FIN before the
socket is  always  closed.  This  is  strictly  a  violation  of  the  TCP
specification, but required to prevent denial-of-service attacks.

tcp_max_ka_probes
-----------------

Indicates how  many  keep alive probes are sent per slow timer run. Should not
be set too high to prevent bursts.

tcp_max_syn_backlog
-------------------

Length of  the per socket backlog queue. Since Linux 2.2 the backlog specified
in listen(2)  only  specifies  the  length  of  the  backlog  queue of already
established sockets. When more connection requests arrive Linux starts to drop
packets. When  syncookies  are  enabled the packets are still answered and the
maximum queue is effectively ignored.

tcp_retries1
------------

Defines how  often  an  answer  to  a  TCP connection request is retransmitted
before giving up.

tcp_retries2
------------

Defines how often a TCP packet is retransmitted before giving up.

Interface specific settings
---------------------------

In the directory /proc/sys/net/ipv4/conf you'll find one subdirectory for each
interface the  system  knows about and one directory calls all. Changes in the
all subdirectory  affect  all  interfaces,  whereas  changes  in  the  other
subdirectories affect  only  one  interface.  All  directories  have  the same
entries:

accept_redirects
----------------

This switch  decides  if the kernel accepts ICMP redirect messages or not. The
default is 'yes' if the kernel is configured for a regular host and 'no' for a
router configuration.

accept_source_route
-------------------

Should source  routed  packages  be  accepted  or  declined.  The  default  is
dependent on  the  kernel  configuration.  It's 'yes' for routers and 'no' for
hosts.

bootp_relay
~~~~~~~~~~~

Accept packets  with source address 0.b.c.d with destinations not to this host
as local ones. It is supposed that a BOOTP relay daemon will catch and forward
such packets.

The default  is  0,  since this feature is not implemented yet (kernel version
2.2.12).

forwarding
----------

Enable or disable IP forwarding on this interface.

log_martians
------------

Log packets with source addresses with no known route to kernel log.

mc_forwarding
-------------

Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE and a
multicast routing daemon is required.

proxy_arp
---------

Does (1) or does not (0) perform proxy ARP.

rp_filter
---------

Integer value determines if a source validation should be made. 1 means yes, 0
means no.  Disabled by default, but local/broadcast address spoofing is always
on.

If you  set this to 1 on a router that is the only connection for a network to
the net,  it  will  prevent  spoofing  attacks  against your internal networks
(external addresses  can  still  be  spoofed), without the need for additional
firewall rules.

secure_redirects
----------------

Accept ICMP  redirect  messages  only  for gateways, listed in default gateway
list. Enabled by default.

shared_media
------------

If it  is  not  set  the kernel does not assume that different subnets on this
device can communicate directly. Default setting is 'yes'.

send_redirects
--------------

Determines whether to send ICMP redirects to other hosts.

Routing settings
----------------

The directory  /proc/sys/net/ipv4/route  contains  several  file  to  control
routing issues.

error_burst and error_cost
--------------------------

These parameters  are used to limit the warning messages written to the kernel
log from  the  routing  code.  The  higher the error_cost factor is, the fewer
messages will  be written. Error_burst controls when messages will be dropped.
The default settings limit warning messages to one every five seconds.

flush
-----

Writing to this file results in a flush of the routing cache.

gc_elastic, gc_interval, gc_min_interval, gc_tresh, gc_timeout
--------------------------------------------------------------

Values to  control  the  frequency  and  behavior  of  the  garbage collection
algorithm for the routing cache.

max_size
--------

Maximum size  of  the routing cache. Old entries will be purged once the cache
reached has this size.

max_delay, min_delay
--------------------

Delays for flushing the routing cache.