E.3.9.4. /proc/sys/net/
This directory contains subdirectories concerning various networking topics. Various configurations at the time of kernel compilation make different directories available here, such as ethernet/, ipv4/, ipx/, and ipv6/. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system.
Given the wide variety of possible networking options available with Linux, only the most common /proc/sys/net/ directories are discussed.
The /proc/sys/net/core/ directory contains a variety of settings that control the interaction between the kernel and networking layers. The most important of these files are:

message_burst — Sets the maximum number of new warning messages to be written to the kernel log in the time interval defined by message_cost. The default value of this file is 10. In combination with message_cost, this setting is used to enforce a rate limit on warning messages written to the kernel log from the networking code and mitigate Denial of Service (DoS) attacks. The idea of a DoS attack is to bombard the targeted system with requests that generate errors and either fill up disk partitions with log files or require all of the system's resources to handle the error logging. The settings in message_burst and message_cost are designed to be modified based on the system's acceptable risk versus the need for comprehensive logging. For example, by setting message_burst to 10 and message_cost to 5, you allow the system to write the maximum number of 10 messages every 5 seconds.
message_cost — Sets a cost on every warning message by defining a time interval for message_burst. The higher the value is, the more likely the warning message is ignored. The default value of this file is 5.
netdev_max_backlog — Sets the maximum number of packets allowed to queue when a particular interface receives packets faster than the kernel can process them. The default value for this file is 1000.
optmem_max — Configures the maximum ancillary buffer size allowed per socket.
rmem_default — Sets the receive socket buffer default size in bytes.
rmem_max — Sets the receive socket buffer maximum size in bytes.
wmem_default — Sets the send socket buffer default size in bytes.
wmem_max — Sets the send socket buffer maximum size in bytes.
The /proc/sys/net/ipv4/ directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router.
Warning
An erroneous change to these files may affect remote connectivity to the system.
The following is a list of some of the more important files within the /proc/sys/net/ipv4/ directory:

icmp_echo_ignore_all and icmp_echo_ignore_broadcasts — Allows the kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses, respectively. A value of 0 allows the kernel to respond, while a value of 1 ignores the packets.
ip_default_ttl — Sets the default Time To Live (TTL), which limits the number of hops a packet may make before reaching its destination. Increasing this value can diminish system performance.
ip_forward — Permits interfaces on the system to forward packets. By default, this file is set to 0. Setting this file to 1 enables network packet forwarding.
ip_local_port_range — Specifies the range of ports to be used by TCP or UDP when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port. Any systems that expect to require more ports than the default 1024 to 4999 should use a range from 32768 to 61000.
tcp_syn_retries — Provides a limit on the number of times the system re-transmits a SYN packet when attempting to make a connection.
tcp_retries1 — Sets the number of permitted re-transmissions attempting to answer an incoming connection. Default of 3.
tcp_retries2 — Sets the number of permitted re-transmissions of TCP packets. Default of 15.
The /usr/share/doc/kernel-doc-kernel_version/Documentation/networking/ip-sysctl.txt file contains a list of files and options available in the /proc/sys/net/ipv4/ and /proc/sys/net/ipv6/ directories. Use the sysctl -a command to list the parameters in the sysctl key format.
A number of other directories exist within the /proc/sys/net/ipv4/ directory and each covers a different aspect of the network stack. The /proc/sys/net/ipv4/conf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the /proc/sys/net/ipv4/conf/default/ subdirectory) and settings that override all special configurations (in the /proc/sys/net/ipv4/conf/all/ subdirectory).
Important
Red Hat Enterprise Linux 6 defaults to strict reverse path forwarding. Before changing the setting in the rp_filter file, see the entry on Reverse Path Forwarding in the Red Hat Enterprise Linux 6 Security Guide and The Red Hat Knowledgebase article about rp_filter.
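As an added example (not from the Red Hat guide), the following POSIX shell audit checks the core and ipv4 settings described above. It works on "sysctl -a" style output ("key = value" per line), so the constructed sample dump embedded here stands in for a live host; the expected values (forwarding off, broadcast ECHO ignored, strict rp_filter, default message_burst) are assumptions for a host that does not act as a router.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit the /proc/sys/net settings
# discussed above against the values a non-routing host is expected to keep.
# Input is "sysctl -a" style text ("key = value" per line), so the same audit
# runs against a live host (sysctl -a) or a saved dump from an incident.

# Constructed sample dump (not captured from a real host); two settings deviate.
SAMPLE_DUMP='net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_max_backlog = 1000
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_local_port_range = 32768 61000'

# value_from_dump DUMP KEY: print the value of KEY, or nothing if it is absent.
value_from_dump() {
    printf '%s\n' "$1" | awk -v k="$2" -F' = ' '$1 == k { print $2 }'
}

# proc_path KEY: translate a sysctl key into its /proc/sys file
# (dots become directory separators, as the text describes).
proc_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# audit_dump DUMP: compare the dump with the expected values below, print one
# line per deviation and return the number of deviations (0 means clean).
audit_dump() {
    dump=$1
    n=0
    while read -r key expected reason; do
        actual=$(value_from_dump "$dump" "$key")
        if [ "$actual" != "$expected" ]; then
            printf 'DEVIATION %s (%s) = %s, expected %s: %s\n' \
                "$key" "$(proc_path "$key")" "${actual:-<missing>}" "$expected" "$reason"
            n=$((n + 1))
        fi
    done <<EOF
net.ipv4.icmp_echo_ignore_broadcasts 1 do not answer broadcast ECHO requests
net.ipv4.ip_forward 0 forwarding stays off on a host that is not a router
net.ipv4.conf.all.rp_filter 1 keep strict reverse path filtering
net.core.message_burst 10 keep the warning-message rate limit
EOF
    return "$n"
}

# Run against the sample; on a live system use: audit_dump "$(sysctl -a 2>/dev/null)"
audit_dump "$SAMPLE_DUMP" || echo "$? setting(s) deviate"
```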
The /proc/sys/net/ipv4/neigh/ directory contains settings for communicating with a host directly connected to the system (called a network neighbor) and also contains different settings for systems more than one hop away.
Routing over IPv4 also has its own directory, /proc/sys/net/ipv4/route/. Unlike conf/ and neigh/, the /proc/sys/net/ipv4/route/ directory contains specifications that apply to routing with any interfaces on the system. Many of these settings, such as max_size, max_delay, and min_delay, relate to controlling the size of the routing cache. To clear the routing cache, write any value to the flush file.
Additional information about these directories and the possible values for their configuration files can be found in /usr/share/doc/kernel-doc-kernel_version/Documentation/filesystems/proc.txt
