The kernel has lots of parameters which can be tuned for different circumstances. While, as usual, the default parameters serve 99% of installations very well, we don't call this the Advanced HOWTO for the fun of it!
The interesting bits are in /proc/sys/net, take a look there. Not everything will be documented here initially, but we're working on it.
By default, routers route everything, even packets which 'obviously' don't belong on your network. A common example is private IP space escaping onto the internet. If you have an interface with a route of 195.96.96.0/24 to it, you do not expect packets from 212.64.94.1 to arrive there.
Lots of people will want to turn this feature off, so the kernel hackers have made it easy. There are files in /proc where you can tell the kernel to do this for you. The method is called "Reverse Path Filtering". Basically, if the reply to this packet wouldn't go out the interface this packet came in, then this is a bogus packet and should be ignored.
The following fragment will turn this on for all current and future interfaces.
# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
> echo 2 > $i
> done
Going by the example above, if a packet arrived on the Linux router on eth1 claiming to come from the Office+ISP subnet, it would be dropped. Similarly, if a packet came from the Office subnet, claiming to be from somewhere outside your firewall, it would be dropped also.
The above is full reverse path filtering. The default is to only filter based on IPs that are on directly connected networks. This is because the full filtering breaks in the case of asymmetric routing (where packets come in one way and go out another, like satellite traffic, or if you have dynamic (bgp, ospf, rip) routes in your network. The data comes down through the satellite dish and replies go back through normal land-lines).
If this exception applies to you (and you'll probably know if it does) you can simply turn off the rp_filter on the interface where the satellite data comes in. If you want to see if any packets are being dropped, the log_martians file in the same directory will tell the kernel to log them to your syslog.
# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians
FIXME: is setting the conf/{default,all}/* files enough? - martijn
Ok, there are a lot of parameters which can be modified. We try to list them all. Also documented (partly) in Documentation/ip-sysctl.txt.
Some of these settings have different defaults based on wether you answered 'Yes' to 'Configure as router and not host' while compiling your kernel.
As a generic note, most rate limiting features don't work on loopback, so don't test them locally. The limits are supplied in 'jiffies', and are enforced using the earlier mentioned token bucket filter.
The kernel has an internal clock which runs at 'HZ' ticks (or 'jiffies') per second. On intel, 'HZ' is mostly 100. So setting a *_rate file to, say 50, would allow for 2 packets per second. The token bucket filter is also configured to allow for a burst of at most 6 packets, if enough tokens have been earned.
If the kernel decides that it can't deliver a packet, it will drop it, and send the source of the packet an ICMP notice to this effect.
Don't act on echo packets at all. Please don't set this by default, but if you are used as a relay in a DoS attack, it may be useful.
If you ping the broadcast address of a network, all hosts are supposed to respond. This makes for a dandy denial-of-service tool. Set this to 1 to ignore these broadcast messages.
The rate at which echo replies are sent to any one destination.
FIXME: fill this in
FIXME: fill this in
This the famous cause of the 'Solaris middle star' in traceroutes. Limits number of ICMP Time Exceeded messages sent.
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
Time To Live of packets. Set to a safe 64. Raise it if you have a huge network. Don't do so for fun - routing loops cause much more damage that way. You might even consider lowering it in some circumstances.
You need to set this if you use dial-on-demand with a dynamic interface address. Once your demand interface comes up, any local TCP sockets which haven't seen replies will be rebound to have the right address. This solves the problem that the connection that brings up your interface itself does not work, but the second try does.
If the kernel should attempt to forward packets. Off by default.
Range of local ports for outgoing connections. Actually quite small by default, 1024 to 4999.
Set this if you want to disable Path MTU discovery - a technique to determine the largest Maximum Transfer Unit possible on your path.
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
Use Selective ACK which can be used to signify that specific packets are missing - therefore helping fast recovery.
FIXME: fill this in
Number of SYN packets the kernel will send before giving up on the new connection.
To open the other side of the connection, the kernel sends a SYN with a piggybacked ACK on it, to acknowledge the earlier received SYN. This is part 2 of the threeway handshake. This setting determines the number of SYN+ACK packets send before the kernel gives up on the connection.
Timestamps are used, amongst other things, to protect against wrapping sequence numbers. A 1 gigabit link might conceivably re-encounter a previous sequence number with an out-of-line value, because if was of a previous generation. The timestamp will let it recognise this 'ancient packet'.
FIXME: fill this in
TCP/IP normally allows windows up to 65535 bytes big. For really fast networks, this may not be enough. The window scaling options allows for almost gigabyte windows, which is good for high bandwidth*delay products.
DEV can either stand for a real interface, or for 'all' or 'default'. Default also changes settings for interfaces yet to be created.
If a router decides that you are using it for a wrong purpose (ie, it needs to resend your packet on the same interface), it will send us a ICMP Redirect. This is a slight security risk however, so you may want to turn it off, or use secure redirects.
Not used very much anymore. You used to be able to give a packet a list of IP addresses it should visit on its way. Linux can be made to honor this IP option.
FIXME: fill this in
FIXME:
See the section on reverse path filters.
If we do multicast forwarding on this interface
If you set this to 1, all other interfaces will respond to arp queries destined for addresses on this interface. Can be very useful when building 'ip pseudo bridges'. Do take care that your netmasks are very correct before enabling this!
See the section on reverse path filters.
FIXME: fill this in
If we send the above mentioned redirects.
FIXME: fill this in
FIXME: fill this in
Dev can either stand for a real interface, or for 'all' or 'default'. Default also changes settings for interfaces yet to be created.
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in
FIXME: fill this in