본문 바로가기
Research/Linux

Ipsysctl tutorial 1.0.4

by sunnyan 2005. 10. 24.
728x90
http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html

Ipsysctl tutorial 1.0.4

Oskar Andreasson

     oan@frozentux.net
    

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all sub-sections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License.

These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA



Dedications

This document is dedicated to all of you who send me reports of bugs and errors in what I have written, and to everyone else for that matter who reads this and other documentations in order to find errors and report them to the maintainers. This document is in other words dedicated to everyone who uses what others produce and release for free under the Free Licenses that are available.

I would also like to dedicate this to my family who has understood me when I didn't deserve it, who whacked my head off for being a bum when I deserved it, and for being a generally nice bunch of people with a lot of humour.

Table of Contents
Preface
1. Why this document
2. Intended audience & prerequisite knowledge
3. How to read
4. Conventions used in this document
5. Acknowledgements
1. Introduction
1.1. Virtual filesystems
1.2. The /proc filesystem
1.3. A brief /proc walkthrough
2. How to set variables
2.1. With the sysctl application
2.2. With /proc
3. IPv4 variable reference
3.1. IP Variables
3.1.1. ip_autoconfig
3.1.2. ip_default_ttl
3.1.3. ip_dynaddr
3.1.4. ip_forward
3.1.5. ip_local_port_range
3.1.6. ip_no_pmtu_disc
3.1.7. ip_nonlocal_bind
3.1.8. ipfrag_high_thresh
3.1.9. ipfrag_low_thresh
3.1.10. ipfrag_time
3.2. Inet peer storage
3.2.1. inet_peer_gc_maxtime
3.2.2. inet_peer_gc_mintime
3.2.3. inet_peer_maxttl
3.2.4. inet_peer_minttl
3.2.5. inet_peer_threshold
3.3. TCP Variables
3.3.1. tcp_abort_on_overflow
3.3.2. tcp_adv_win_scale
3.3.3. tcp_app_win
3.3.4. tcp_dsack
3.3.5. tcp_ecn
3.3.6. tcp_fack
3.3.7. tcp_fin_timeout
3.3.8. tcp_keepalive_intvl
3.3.9. tcp_keepalive_probes
3.3.10. tcp_keepalive_time
3.3.11. tcp_max_orphans
3.3.12. tcp_max_syn_backlog
3.3.13. tcp_max_tw_buckets
3.3.14. tcp_mem
3.3.15. tcp_orphan_retries
3.3.16. tcp_reordering
3.3.17. tcp_retrans_collapse
3.3.18. tcp_retries1
3.3.19. tcp_retries2
3.3.20. tcp_rfc1337
3.3.21. tcp_rmem
3.3.22. tcp_sack
3.3.23. tcp_stdurg
3.3.24. tcp_syn_retries
3.3.25. tcp_synack_retries
3.3.26. tcp_syncookies
3.3.27. tcp_timestamps
3.3.28. tcp_tw_recycle
3.3.29. tcp_window_scaling
3.3.30. tcp_wmem
3.4. ICMP Variables
3.4.1. icmp_echo_ignore_all
3.4.2. icmp_echo_ignore_broadcasts
3.4.3. icmp_ignore_bogus_error_responses
3.4.4. icmp_ratelimit
3.4.5. icmp_ratemask
3.4.6. igmp_max_memberships
3.5. The conf/ variables
3.5.1. conf/DEV/, conf/all/ and conf/default/ differences
3.5.2. accept_redirects
3.5.3. accept_source_route
3.5.4. arp_filter
3.5.5. bootp_relay
3.5.6. forwarding
3.5.7. log_martians
3.5.8. mc_forwarding
3.5.9. proxy_arp
3.5.10. rp_filter
3.5.11. secure_redirects
3.5.12. send_redirects
3.5.13. shared_media
3.6. Neigh reference
3.7. Netfilter reference
3.7.1. ip_ct_generic_timeout
3.7.2. ip_ct_icmp_timeout
3.7.3. ip_ct_tcp_be_liberal
3.7.4. ip_ct_tcp_log_invalid_scale
3.7.5. ip_ct_tcp_log_out_of_window
3.7.6. ip_ct_tcp_timeout_close
3.7.7. ip_ct_tcp_timeout_close_wait
3.7.8. ip_ct_tcp_timeout_established
3.7.9. ip_ct_tcp_timeout_fin_wait
3.7.10. ip_ct_tcp_timeout_last_ack
3.7.11. ip_ct_tcp_timeout_listen
3.7.12. ip_ct_tcp_timeout_none
3.7.13. ip_ct_tcp_timeout_syn_recv
3.7.14. ip_ct_tcp_timeout_syn_sent
3.7.15. ip_ct_tcp_timeout_time_wait
3.7.16. ip_ct_udp_timeout
3.7.17. ip_ct_udp_timeout_stream
3.8. Route reference
3.8.1. error_burst
3.8.2. error_cost
3.8.3. flush
3.8.4. gc_elasticity
3.8.5. gc_interval
3.8.6. gc_min_interval
3.8.7. gc_thresh
3.8.8. gc_timeout
3.8.9. max_delay
3.8.10. max_size
3.8.11. min_adv_mss
3.8.12. min_delay
3.8.13. min_pmtu
3.8.14. mtu_expires
3.8.15. redirect_load
3.8.16. redirect_number
3.8.17. redirect_silence
A. Measurements used in kernel
A.1. Jiffies
B. Other resources
C. History
D. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
E. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
List of Tables
A-1. Jiffies on different hardware

Preface

1. Why this document

I started writing this documentation in the hopes that it would help people understand the IP options provided by Linux 2.4, and what you can do with these options. This is a plain text documentation, hoping to give the necessary understanding and help to configure your kernel on the fly, and to get it up and running in a way that suites you. A lot of these options can also be used to increase performance, as well as strengthen the security. We will not discuss all the different sections of the sysctl in this document, but instead focus on the network sections of the system control, or sysctl as it is called. Hopefully this documentation will fill a gap in the documentation, and if you're reading this, it probably has. Mainly, there are no really good documentations detailing the whole structure of all the ipsysctl from what I have seen that documents all the networking options, except the ip-sysctl.txt file in the linux kernel documentation, which is really really brief in explaining what the options could be used for.

I believe there is a lot of documentation out there detailing the usage of these options and variables, however, none of them brings them together and describes them in detail. If you found this document to be a good read, or interesting in general, feel free to donate, help out, translate, or whatever you feel like. The main thing of all however, send bugreports so I can update the document and see to it that there is no stale errors or problems due to changes in the kernel etcetera. If you find an sysctl command that has not been documented here, or is not listed, send me a mail and I will try to get it inserted as soon as possible.


2. Intended audience & prerequisite knowledge

This document is intended for evyerone with an intermediate through advanced understanding of TCP/IP as well as the Linux operating system. You should understand TCP/IP fairly well, as well as understand what a packet header is and what parts it consists of. You will also need a lot of understanding of routing and the core of TCP/IP networking.

In general, this document was not intended for the novice Linux user, but you may have some luck checking through this document if you are experiencing specific needs. Be absolutely 100% certain that you have understood the variables in question before you do change them though, since some of them may cause really interesting results.

This document should be readable by anyone who has a interest in computers and computer networks in specific, and prerequisite knowledge. It is aimed at giving a basic understanding of the different variables available through the ipsysctl, but also to make it easier to go even further in understanding what each specific variable do.


3. How to read

This documentation can be read any way you want. If there are specific sections you are interested in, read those. If you have never set a kernel variable in linux before in your life, read the first chapter after this and then read the sections you feel intrigued by. If you feel like reading it from top to bottom, do that. If you feel like reading it backwards to find hidden messages, do that. If you feel like reading in encrypted format, well, nothing is stopping you.

What I am trying to say is the following, read the sections that you want to read and that you think would be informative to you, and if there is something you do not understand, read the corresponding bits either here or in some other document. I will not tell you how to read this document since everyone will probably have bits and pieces they already know how they work.


4. Conventions used in this document

The following conventions are used in this document when it comes to commands, files and other specific information.

  • Code excerpts and commandoutputs are printed like this, with all output in fixed width font and userwritten commands in bold typeface:

    [blueflux@work1 neigh]$ ls
    default  eth0  lo
    [blueflux@work1 neigh]$
        
  • All commands and program names in the tutorial are shown in bold typeface.

  • All system items such as hardware, and also kernel internals or abstract system items such as the loopback interface are all shown in an italic typeface.

  • computeroutput is formatted in this way in the text.

  • filenames and paths in the filesystem are shown like /proc/sys/net.


5. Acknowledgements

This document is loosely based upon the documentation found in /usr/src/linux/Documentation/networking/ip-sysctl.txt. Before I say anything else, I would like to thank the people who took the time to write that document. People who read both documents will find that this document has borrowed some structure from it.

I would like to acknowledge the work done by all the people working on the networking stack and the timeconsuming job they are putting into the Linux operating system. I hope I can give something back by writing this, and other documents, to the community and by giving the coders a little relief by maintaining documentation for what they have written.

I would also like to acknowledge Fabrice Marie for the wonderful help and support with documentation standards and giving me a nudge in the right direction when there is something I did not get to work. Also, a huge thanks to all of the people at the netfilter mailing list for helping out with problems and questions, and the linuxsecurity people for listening to all of my rants and waiting for all of my excuses for not getting things published in time.

In other words, a huge thanks to everyone for helping me out when I have problems and questions.


Chapter 1. Introduction

The /proc filesystem is a virtual filesystem, which means that it doesn't really exist except in the "head" of the Linux kernel. The /proc filesystem as described here is specific to the Linux kernel, even though it may very well be present in other operating systems as well, but with a different functionality and a different meaning.


1.1. Virtual filesystems

By virtual filesystem, we simply mean that there is no trace of it on top of any of your harddrives, which all filesystems would normally leave. Nothing that you ever do to a virtual filesystem will ever do any changes to the actual harddrives themselves, but only in the primary memory. Virtual filesystems are created "on the fly" by the kernel during bootup, and it is always updated every single time you enter the filesystem, or do anything within it.

Note

Virtual filesystems may take several other incarnations as well. One such is a simple RAM Harddrive, where you will be able to save files while the machine is running. On diskless Amigas this was often used to move files from one floppy to another floppy by first moving the original file to the RAM memory and then swap floppies and copy it to the new floppy. However, these files would disappear as soon as you reset or restarted the machine.


1.2. The /proc filesystem

The virtual filesystem that we call /proc contains loads and loads of different datastructures and information gathered from the kernel at runtime, and updated whenever you try to list or view the information. The information is all gathered and shown as a normal filesystem, and hence you can read files, traverse catalog structures, etcetera. Everything that you can do in a normal filesystem in other words. However, most of the files available through the /proc filesystem are only available read only, which means they can't be changed. This is because they only supply us with informational data.

One section is read-writable on the other hand, and that section is placed within the /proc/sys. All of the variables located in this directory and subdirectories are writable as well as readable.

This document will focus on the Internet Protocol version 4 (IPv4) section of the /proc located in /proc/sys/net/ipv4 which contains all the configurable settings for the IPv4 stack, including TCP, UDP, ICMP and ARP tunable settings


1.3. A brief /proc walkthrough

The /proc filesystem contains a few basic directories and entries, which we will describe a little bit closer in this section before we go on to the ipv4 system.

First of all, the filesystem contains a huge set of numbered directories that come and go. Each and one of these numbered directories contains information pertaining to all of the currently active processes on the machine. When a new process is started, a new directory is created in the /proc filesystem for it, and a lot of data is created within it regarding the process, such as the commandline with which the program was started with, a link to the "current working directory", environment variables, where the executable is located, and so on.

Except this, we also have quite a few files as well as directories in the root of the /proc filesystem. This is a complete listing of them all:

[blueflux@work1 ]$ ls -l /proc
total 0
....
-r--r--r--    1 root     root            0 Sep 19 18:09 apm
dr-xr-xr-x    4 root     root            0 Sep 19 10:52 bus
-r--r--r--    1 root     root            0 Sep 19 18:09 cmdline
-r--r--r--    1 root     root            0 Sep 19 18:09 cpuinfo
-r--r--r--    1 root     root            0 Sep 19 18:09 devices
-r--r--r--    1 root     root            0 Sep 19 18:09 dma
dr-xr-xr-x    4 root     root            0 Sep 19 18:09 driver
-r--r--r--    1 root     root            0 Sep 19 18:09 execdomains
-r--r--r--    1 root     root            0 Sep 19 18:09 fb
-r--r--r--    1 root     root            0 Sep 19 18:09 filesystems
dr-xr-xr-x    2 root     root            0 Sep 19 18:09 fs
dr-xr-xr-x    4 root     root            0 Sep 19 18:09 ide
-r--r--r--    1 root     root            0 Sep 19 18:09 interrupts
-r--r--r--    1 root     root            0 Sep 19 18:09 iomem
-r--r--r--    1 root     root            0 Sep 19 18:09 ioports
dr-xr-xr-x   18 root     root            0 Sep 19 18:09 irq
-r--------    1 root     root     268374016 Sep 19 18:09 kcore
-r--------    1 root     root            0 Sep 19 10:52 kmsg
-r--r--r--    1 root     root            0 Sep 19 18:09 ksyms
-r--r--r--    1 root     root            0 Sep 19 18:09 loadavg
-r--r--r--    1 root     root            0 Sep 19 18:09 locks
-r--r--r--    1 root     root            0 Sep 19 18:09 mdstat
-r--r--r--    1 root     root            0 Sep 19 18:09 meminfo
-r--r--r--    1 root     root            0 Sep 19 18:09 misc
-r--r--r--    1 root     root            0 Sep 19 18:09 modules
lrwxrwxrwx    1 root     root           11 Sep 19 18:09 mounts -> self/mounts
-rw-r--r--    1 root     root          208 Sep 19 11:02 mtrr
dr-xr-xr-x    3 root     root            0 Sep 19 18:09 net
dr-xr-xr-x    2 root     root            0 Sep 19 18:09 nv
-r--r--r--    1 root     root            0 Sep 19 18:09 partitions
-r--r--r--    1 root     root            0 Sep 19 18:09 pci
dr-xr-xr-x    3 root     root            0 Sep 19 18:09 scsi
lrwxrwxrwx    1 root     root           64 Sep 19 12:01 self -> 2864
-rw-r--r--    1 root     root            0 Sep 19 18:09 slabinfo
-r--r--r--    1 root     root            0 Sep 19 18:09 stat
-r--r--r--    1 root     root            0 Sep 19 18:09 swaps
dr-xr-xr-x   10 root     root            0 Sep 19 14:39 sys
dr-xr-xr-x    2 root     root            0 Sep 19 18:09 sysvipc
dr-xr-xr-x    4 root     root            0 Sep 19 18:09 tty
-r--r--r--    1 root     root            0 Sep 19 18:09 uptime
-r--r--r--    1 root     root            0 Sep 19 18:09 version
[blueflux@work1 proc]$
  

Most of the information in the files are rather "human readable", except a few of them. However, a few of them you should not touch, such as the kcore file. The kcore file contains debugging information regarding the kernel, and if you try to 'cat' it, your system may very well hang up and die. If you try to copy it to a real file on the harddrive, you will very soon have filled up your whole partition, and so on. What all of this tells you is to be very careful. Mostly, none of the variables or entries in the /proc filesystem is not dangerous to watch, but a few of them are. A brief walkthrough of the most important files:

  • cmdline - The command line issued when starting the kernel.

  • cpuinfo - Information about the Central Processing Unit, who made it, known bugs, flags etcetera.

  • dma - Contains information about all DMA channels available, and which driver is using it.

  • filesystems - Contains short information about every single filesystem that the kernel supports.

  • interrupts - Gives you a brief listing of all IRQ channels, how many interrupts they have seen and what driver is actually using it.

  • iomem - A brief file containing all IO memory mappings used by different drivers.

  • ioports - Contains a brief listing of all IO ports used by different drivers.

  • kcore - Contains a complete memory dump. Do not cat or anything like that, you may freeze your system. Mainly used to debug the system.

  • kmsg - Contains messages sent by kernel, is not and should not be readable by users since it may contain vital information. Main usage is to debug the system.

  • ksyms - This contains the kernel symbol table, which is mainly used to debug the kernel.

  • loadavg - Gives the load average of the system during the last 1, 5 and 15 minutes.

  • meminfo - Contains information about memory usage on the system.

  • modules - Contains information about all currently loaded modules in the kernel.

  • mounts - Symlink to another file in the /proc filesystem which contains information about all mounted filesystems.

  • partitions - Contains information about all partitions found on all drives in the system.

  • pci - Gives tons of hardware information about all PCI devices on the system, also includes AGP devices and built in devices which are connected to the PCI bus.

  • swaps - Contains information about all swap partitions mounted.

  • uptime - Gives you the uptime of the computer since it was last rebooted in seconds.

  • version - Gives the exact version string of the kernel currently running, including build date and gcc versions etcetera.

And here is a list of the main directories and what you can expect to find in there:

  • bus - Contains information about all the buses, hardware-wise, such as USB, PCI and ISA buses.

  • ide - Contains information about all of the IDE buses on systems that has IDE buses.

  • net - Some basic information and statistics about the different network systems compiled into the system.

  • scsi - This directory contains information about SCSI buses on SCSI systems.

  • sys - Contains lots of variables that may be changed, including the /proc/sys/net/ipv4 which will be deeply discussed in this document.

As you can see, there is literally hundreds of files in the /proc filesystem that may be read and checked for information, and we haven't looked at half of them here. As has already been said, we will only look closer on the ipv4 part and the variables that are tunable through the sysctl inside the /proc filesystem.


Chapter 2. How to set variables

The ipsysctl variables may be set in two different ways which entails two totally different methods. The first one is via the sysctl application provided with most distributions per default these days. The other way entails using the /proc filesystem, which should come with any linux installation as long as you have a kernel that has /proc filesystem turned on. In other words, any linux system you find should contain the /proc filesystem).

The sysctl command is a bit more complex than the /proc filesystem, depending on how you see things. Also, as already mentioned, if you use the sysctl application you need more than just the kernel which is almost all that is required via the /proc filesystem. One of the better things with the sysctl command is that it is much easier to maintain a larger listing of changes that we may want to do. All of the changes that we want to use on the system can then be saved into a special configuration file which contains all of the variables and their values. This way of doing things is in other words more suitable for setting variables that we want to use under all circumstances.

The /proc filesystem way of doing things is a little bit easier while tweaking around with settings. When we finally have figured out the proper setting, we may as well set it in the sysctl.conf file and see to it that sysctl is run upon boot, and we will always have our settings set to kernel. Command lines in a script which sets variables through the /proc filesystem will look much worse than sysctl commands and they are generally less readable. Therefore, if you are planning to implement a huge set of ipsysctl settings in a script or another, or if you figure out that you need to set a lot of them, then you should generally try to use the sysctl command instead.


2.1. With the sysctl application

The sysctl application can be used to either set variables through the command line, or to set a larger set of variables through a configuration file as previously described. sysctl may also set several variables through the command line at once if need be, and it may also be used to list all variables and their respective values. First of all, to list all variables possible you could issue the following command:

sysctl -a

This should list all the variables and their values separated by a "=" sign. The -a or -A sign will display all possible variables and their values. The -a option will list all variables separated from the values with a "=", while -A will show the variables and values in a table form. As of writing this, -A does not work, but should hopefully do so in the close future.

As you can see there are a lot of variables really, but most of them do not pertain to ipsysctl in specific. Also note the dotted notation of the variables. In sysctl, variables switch the "/" sign for the "." sign to separate different levels. sysctl will accept "/" instead of "." and there should be no problem really with this, but just as a note on how things look. If you would only like to read a specific variable, you would do the following:

sysctl net.ipv4.tcp_sack

If we would like to set a value with sysctl we would send the -w option to the command and then the variable we would like to write to and the new value separated by an equal sign. This would then look like this:

sysctl -w net.ipv4.tcp_sack=0

This will set the tcp_sack value to 0, then print the variable with its new value and exit. Nothing strange in other words. If we would instead like to load the configuration file as explained previously, we would run the following command:

sysctl -p

This will load all of the settings we have in the /etc/sysctl.conf file. If we would instead like to use another file than the default one, we would specify the file we would like to use after the -p option, like this:

sysctl -p /etc/testsysctl.conf

This would then load the testsysctl.conf configuration options instead of our default file. The sysctl.conf file is very basic and don't take a lot of settings. First of all, a line starting with a ; or # is a comment as usual, and all commands starts with the path to the variable, including the variable name, and then an equal sign followed by the value to set the variable to. The path to the variable is relative to /proc/sys as with all of these settings. An example sysctl.conf file would look like this:

# This is a comment
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 0
  

This file will set net.ipv4.ip_forward to 0, or in other words turn it off, which means that no IP packets will be forwarded between interfaces, if you want to share your internet connection to one or more other computers, this should be turned on. net.ipv4.conf.all.rp_filter will turn on routing policy filters. This setting tells the kernel to automatically filter packets based on their source address depending on where they come from.

Finally, kernel.sysrq does not have anything to do with networking really, it is a setting that turns off the sysrq key combination that can be used if the system has crashed. This value was added to show that there exist a lot of other settings than the ipsysctl settings in sysctl.


2.2. With /proc

The proc filesystem may very well be used to set all values in ipsysctl, however, this way of setting and reading variables should probably be more suitable for experimenting, and when we do not have access to the sysctl tool. This is also very good when we are dealing with certain variables that should not be turned on before a specific time in bootup. For example, it may be a very bad idea to turn on ip_forward before we have all the firewall rules and routes up and running.

All you need to use this method of reading and setting variables is the cat and echo commands as well as a standard shell such as bash. It is highly unlikely that you do not have any of these since all distributions carry these and should be more or less impossible to not install with the installation process.

First of all, all variables that may be used to change the default behaviour on your system resides in the /proc/sys/ directory. The settings that we are interested in during this tutorial are all placed within the /proc/sys/net/ipv4 directory. In other words, all you need to do to go there is the following command

cd /proc/sys/net/ipv4

To see all the variables available, issue the following command

ls

In other words, you should know about all of this already. If you don't, you are probably reading the wrong documentation. To see the setting in a specific variable, you would issue the cat ip_forward command. This would look something like this:

[blueflux@work1 ipv4]$ cat ip_forward
0
[blueflux@work1 ipv4]$
   

As you can see, these variables can be read by anyone who has an account on the machine in question. This could pose as a small security problem since anyone who gets on to your linux computer will be able to figure out all of your exact settings without too much hassle.

Caution

It is unfortunately impossible to block read access to the /proc filesystem as of writing this. The problem is that all read/write permissions are hardcoded within the /proc filesystem itself. and because of this, it is impossible to change the settings manually. If you really really need to change these settings, you can do it for the whole system from within the linux/fs/proc directory, which contains the source code for the Linux /proc filesystem.

If we would like to change the above setting we would use the echo command. The echo command will normally echo any line we provide it with back to us on the screen. However, this could be piped via pretty much any standard shell to the file that we would like to save it in. This could then look like the following in bash:

[root@work1 ipv4]# echo "1" > ip_forward
[root@work1 ipv4]#
   

As you can see, this time around we need to have root access to set the variable value. If we do not have root access, we would get the following error message:

[blueflux@work1 ipv4]$ echo "1" > ip_forward
bash: ip_forward: Permission denied
[blueflux@work1 ipv4]$
   

Do note that all the above examples takes into account that we are already within the the correct directory in the proc filesystem. This is the reason why we have not written the complete path to the variables.


Chapter 3. IPv4 variable reference

This chapter will go through each and one of the IPv4 variables possible to set via sysctl or the proc filesystem. You will be provided with a basic explanation on what behaviour the variable will change and how, as well as default behaviour, if possible, and what values the variable may be set to. We will not go into any deeper discussion about why each variable should be changed unless there are any very normal reasons to change the values. The structure used within this reference chapter will follow the same structure as the structure used within ipsysctl structure, as well as the default ipv4 directory being further structured due to its large size and mix of many different variables.


3.1. IP Variables

This list contains all of the variables available in a standard 2.4.x kernel that pertains to the IP settings. As you will see, there is a huge set of them, and some should be properly set from the beginning for you, and others may not be so properly set. Most of them should look quite proper, however, some do require some extra configuration depending on your needs, but most should be decently set for you as is.


3.1.2. ip_default_ttl

The ip_default_ttl variable tells the kernel what Time To Live to set as default on packets that leaves this host. This tells how long the packets may live on the internet before they are dropped. Each time the packet passes a router, firewall, computer, etcetera, the TTL is decremented with one step.

The default value for ip_default_ttl is 64, which is a fairly good TTL which will not cause too much trouble. It is very unlikely to time out in transit to the host in question. This variable takes an unsigned integer, but the actual TTL field is only 8 bit long. The value may in other words be as high as 255 and as low as 0, however 255 could be considered rude and 0 wouldn't leave your computer at all. 64 is a good value, unless you are trying to connect to computers extremely far away counted in hops or jumps. These would then time out. As it looks today, I have pretty much never seen a host that lives more than 30 hops away on the internet, so I don't think there is any need to make this value higher than the default value for now.

Setting the TTL to 255 would be considered rude since this would make a packet live an extremely long time on the internet. If there would be a glitch in 2 routers, this packet could bounce back and forth for a huge amount of time, eating away on the bandwidth without any reason at all. Normally, don't set this value higher than 100 or something alike.


3.1.3. ip_dynaddr

The ip_dynaddr variable is used to allow a few problems with dynamic addressing to be fixed. This allows diald oneshot connections to get established by dynamically changing packet source address, and sockets if local processes. This option was implemented for TCP diald-box connections and Masquerading connections. Masquerading will in other words work 100% with this option, letting Masquerading switch source adress of packets if the boxes own address change.

This option takes an integer, but only makes use of 3 possible states, 0, 1 or 2.

  • 0 means that this option is turned off, which is also the default behaviour.

  • 1 means that the option is enabled and running.

  • Any non 0 or 1 values means that we have turned on verbose mode, which in turn will add extra debugging messages that you may use to get things to work properly.

If this variable is turned on and forwarding interface changes, this is what may happen

  • Socket and packet source address is rewritten on retransmissions while in SYN_SENT state. This is the diald-box processes.

  • Outbound masqueraded source address changes on output, when internal host does retransmission, until a packet from the outside is received by the tunnel.

This is especially helpful for auto-dialup links (diald), where the actual outgoing address is unknown at the moment the link is going up. This enables the same, local and masqueraded, connection requests that brought the link up to actually establish their connections. This means that we will not have to first issue an connection request just to bring the connection up, and then have to issue the "real" connection request when we have actually established the connection.


3.1.4. ip_forward

The ip_forward variable is used to turn IP forwarding on or off. This means that we can turn off the functions for forwarding packets between interfaces, which lets the computer act as a firewall, or router. Note that this is an extremely important variable for Network Address Translation, firewalling, routing, masquerading, and all other things where we actually let packets through the box to another network, as you can understand.

This is an boolean variable. In other words, it will take a 1 or a 0. The default value for this variable is 0, or disabled. As you can understand, 0 means disabled and 1 means enabled.

Note that this is an very special variable since it will reset all configuration parameters to their default states if it is changed. For a complete list of the exact states, look closer at RFC1122 for hosts and RFC1812 for routers.


3.1.5. ip_local_port_range

The ip_local_port_range variable consists of two integers which tells the kernel which ports to use for client connections. This means, all connections going from our box to some other box and where we are the client. The first port is the lower bound and the second one is the upper bound.

The default value in this variable depends on how much memory you have. If you have more than 128 megabytes of physical memory, the lower bound will be 32768 and the upper bound will be 61000. If the computer has less than 128 megabytes of physical memory, the lower bound will be 1024 and the upper bound will be 4999, or even less.

This number defines the possible active connections which this system can issue simultaneously (ie, at the same time) to other systems that does not support the TCP extension timestamps.

If you have tcp_tw_recycle enabled (the default behaviour) range 1024-4999 is enough to issue up to 2000 connections per second to systems supporting timestamps. In other words, this should be more than enough for most of us.


3.1.6. ip_no_pmtu_disc

The ip_no_pmtu_disc disables PMTU (Path Maximum Transfer Unit) discovery if enabled. In most cases this is good, so it is per default set to FALSE (ie, Path Maximum Transfer Unit is used). However, in some cases this is bad and may lead to broken connectivity. If you are experiencing problems like this, you should turn this option off and set your MTU to a reasonable value yourself.

Do note that MTU and PMTU are two different things. MTU tells the kernel the maximum transfer unit for our connection, but not over the whole connection to the other end. PMTU discovery tries to discover the maximum transfer unit to specific hosts, including all the intermediate hops on the way there.

The default value is that the ip_no_pmtu_disc is FALSE, as already stated. If this is set to TRUE, PMTU discovery is turned off. The ip_no_pmtu_disc takes a boolean value, in other words either an 1 or a 0, where 1 is on and 0 is off.


3.1.7. ip_nonlocal_bind

The ip_nonlocal_bind variable allows us to set if local processes should be able to bind to non-local IP addresses. This could be quite useful, in such cases where we want specific programs or applications to be able to listen to non-local IP adresses, such as sniffing for traffic to a specific host which may commit bad things, etcetera. The variable may, however, break some applications and they will no longer work.

The ip_nonlocal_bind variable takes a boolean value which can be set to 1 or 0. If the variable is set to 0, this option is turned off and if it is set to 1 it is turned on. The default value is to turn this option off, or 0 in other words.


3.1.8. ipfrag_high_thresh

The ipfrag_high_thresh tells the kernel the maximum amount of memory to use to reassemble IP fragments. When and if the high threshold is reached, the fragment handler will toss all packets until the memory usage reaches ipfrag_low_thresh instead. This means that all fragments that reached us during this time will have to be retransmitted.

Packets are fragmented if they are too large to pass through a certain pipe. If they are to large, the box that is trying to transmit them breaks them down into smaller pieces and send each piece one by one. When these fragments reaches their destination, they need to be defragmented (ie, put together again) to be read properly. Note that IP Fragmentation are in general a good thing, but there are a lot of people that do bad things with them since fragments are inherently a security problem.

The ipfrag_high_thresh variable takes an integer value, which would mean 0 through 2147483647 bytes can be assigned to be the upper limit of this function. The default value is 262144 bytes, or 256 kilobytes, which should work well in even the most extreme cases.


3.1.9. ipfrag_low_thresh

This option has a lot to do with the ipfrag_high_thresh option. The ipfrag_low_thresh is the lower limit at which packets should start being assembled again. What this means, all in all, is that our fragmentation handler has an queue that grows larger the more packets are waiting in the queue to be defragmentized, when this queue grows to ipfrag_high_thresh byte size, the fragmentation handler queue will stop queueing any further fragments until we reach the ipfrag_low_thresh again. This stops our system from being overloaded with fragmentized packets and may stop certain Denial of Service attacks.

This variable takes an integer value between 0 and 2147483647, and refers to the amount of bytes used at which the fragmentation handler should resume the receiving of IP fragments again. Per default it is set to 196608 bytes, or 192 kilobytes which should be a reasonable amount of memory set aside for this task even in the hardest of attacks. This value should be lower than ipfrag_high_thresh, or else it will be invalid.


3.1.10. ipfrag_time

The ipfrag_time variable tells the IP fragmentation handler how long to keep an IP fragment in memory, counted in seconds. This only refers to fragments that has been impossible to reassemble since fragments that has been assembled most probably has already been sent on to either the next layer, or to the next host.

The ipfrag_time variable takes an integer as its input and the value is counted as seconds. In other words, if you input 5 to this variable, it counts as 5 seconds.


3.2. Inet peer storage

The inet peer storage contains information pertaining to specific peers, or nodes on the Internet. However, it only contains information with a long life expectancy, and information that is not dependant upon routes. For the moment, this means that it only contains information about the ID field for the next outgoing packet. There are a few variables that changes the behaviour of the inet peer storage today, mainly how often garbage collecting is done, as well as how long time to live each peer has in the storage.


3.2.1. inet_peer_gc_maxtime

The inet_peer_gc_maxtime variable tells the garbage collector how often to pass over the inet peer storage memory pool during low, or absent, memory pressure. This value is in effect under the reversed conditions of the inet_peer_gc_mintime in other words. It works exactly the same as the inet_peer_gc_mintime, except for the fact that it will be in effect under different system loads. This variable is also measured in jiffies, which is explained closer in appendix A.

The inet_peer_gc_maxtime variable takes an integer value and has a default value of 120 jiffies. 120 jiffies should be a good value for most workstations and servers.


3.2.2. inet_peer_gc_mintime

The inet_peer_gc_mintime variable sets the minimum time between garbage collections (gc) passes in the inet peer storage under heavy memory pressure. If the system is under heavy utilization and there is a lot of constraints on the memory pool, this timer is used to tell the garbage collector how often to pass over the memory pool used by the inet peer storage, in jiffies. For a complete explanation of jiffies, see appendix A.

The inet_peer_gc_mintime variable takes an integer value and has a default value of 10 jiffies. This should be a fairly good value for most users and servers.


3.2.3. inet_peer_maxttl

This is the maximum time to live for the inet peer entries. Unused entries will expire after this period of time if there is no memory pressure on the pool. This would in other words mean when the number of entries in the pool is very small, and likely situations.

The inet_peer_maxttl variable takes an integer value, and is measured in jiffies. For a complete explanation of jiffies, see appendix A.


3.2.4. inet_peer_minttl

This is the minimum time to live for inet peer entries. This should be set to an high enough value to cover fragment time to live in the reassembling side of fragmented packets. The minimum time to live is guaranteed if the pool size is less than inet_peer_threshold.

The inet_peer_minttl variable takes an integer value, and is measured in jiffies. For a complete explanation of jiffies, see appendix A.


3.2.5. inet_peer_threshold

The inet_peer_threshold variable tells the approximate size of the inet peer storage. When this limit is reached, peer entries will be thrown away agressively, using the inet_peer_gc_mintime timeout. This threshold will also determine how long an entry may "live" in the peer storage, in other word it is one of the parts which decides the entries time to live. To put it simple, the higher this value is, the longer the time to live within your system.

This variable takes an integer and defaults to the value 65664 bytes.


3.3. TCP Variables

This section will take a brief look at the variables that changes the behaviour of the TCP variables. These variables are normally set to a pretty good value per default and most of them should never ever be touched, except when asked by authoritative developers! They are mainly described here, only for those who are curious about their basic meaning.


3.3.1. tcp_abort_on_overflow

The tcp_abort_on_overflow variable tells the kernel to reset new connections if the system is currently overflowed with new connection attempts that the daemon(s) can not handle. What this means, is that if the system is overflowed with 1000 large requests in a burst, connections may be reset since we can not handle them if this variable is turned on. If it is not set, the system will try to recover and handle all requests.

This variable takes an boolean value (ie, 1 or 0) and is per default set to 0 or FALSE. Avoid enabling this option except as a last resort since it most definitely harm your clients. Before considering using this variable you should try to tune up your daemons to accept connections faster.


3.3.2. tcp_adv_win_scale

This variable is used to tell the kernel how much of the socket buffer space should be used for TCP window size, and how much to save for an application buffer. If tcp_adv_win_scale is negative, the following equation is used to calculate the buffer overhead for window scaling:

Where bytes are the amount of bytes in the window. If the tcp_adv_win_scale value is positive, the following equation is used to calculate the buffer overhead:

The tcp_adv_win_scale variable takes an integer value and is per default set to 2. This in turn means that the application buffer is 1/4th of the total buffer space specified in the tcp_rmem variable.


3.3.3. tcp_app_win

This variable tells the kernel how many bytes to reserve for a specific TCP window in the TCP sockets memory buffer where the specific TCP window is transfered in. This value is used in a calculation that specifies how much of the buffer space to reserve that looks as the following:

As you may understand from the above calculation, the larger this value gets, the smaller will the buffer space be for the specific window. The only exception to this calculation is 0, which tells the kernel to reserve no space for this specific connection. The default value for this variable is 31 and should in general be a good value. Do not change this value unless you know what you are doing.


3.3.4. tcp_dsack

This option is required to send duplicate SACKs which was briefly described in the tcp_sack variable explanation. This is described in detail within the RFC 2883. This RFC document explains in detail how to handle situations where a packet is received twice or out of order. D-SACK is an extension to standard SACK and is used to tell the sender when a packet was received twice (ie, it was duplicated). The D-SACK data can then be used by the transmitter to improve network settings and so on. This should be 100% backwards compatible with older implementations as long as the previous implementors have not tried to implement this into the old SACK option in their own fashion. This is extremely rare and should not be a problem for anyone.

The tcp_dsack variable uses a boolean value and is per default set to 1, or turned on. Of course, this behaviour is only used if tcp_sack is turned on since tcp_dsack is heavily dependant upon tcp_sack. In almost all cases this should be a good idea to have turned on.


3.3.5. tcp_ecn

The tcp_ecn variable turns on Explicit Congestion Notification in TCP connections. This is used to automatically tell the host when there are congestions in a route to a specific host or a network. This can be used to throttle the transmitters to send packets in a slower rate over that specific router or firewall. Explicit Congestion Notification (ECN) is explained in detail in the

728x90