patch-2.3.41 linux/Documentation/networking/ip-sysctl.txt


diff -u --recursive --new-file v2.3.40/linux/Documentation/networking/ip-sysctl.txt linux/Documentation/networking/ip-sysctl.txt
@@ -64,8 +64,14 @@
 TCP variables: 
 
 tcp_syn_retries - INTEGER
-	Number of times initial SYNs for an TCP connection attempt will
-	be retransmitted. Should not be higher than 255.
+	Number of times initial SYNs for an active TCP connection attempt
+	will be retransmitted. Should not be higher than 255. Default value
+	is 5, which corresponds to ~180seconds.
+
+tcp_synack_retries - INTEGER
+	Number of times SYNACKs for a passive TCP connection attempt will
+	be retransmitted. Should not be higher than 255. Default value
+	is 5, which corresponds to ~180seconds.
 
 tcp_keepalive_time - INTEGER
 	How often TCP sends out keepalive messages when keepalive is enabled.
@@ -73,15 +79,76 @@
 
 tcp_keepalive_probes - INTEGER
 	How many keepalive probes TCP sends out, until it decides that the
-	connection is broken.
+	connection is broken. Default value: 9.
+
+tcp_keepalive_interval - INTEGER
+	How frequently the probes are send out. Multiplied by
+	tcp_keepalive_probes it is time to kill not responding connection,
+	after probes started. Default value: 75sec i.e. connection
+	will be aborted after ~11 minutes of retries.
 
 tcp_retries1 - INTEGER
+	How many times to retry before deciding that somethig is wrong
+	and it is necessary to report this suspection to network layer.
+	Minimal RFC value is 3, it is default, which corresponds
+	to ~3sec-8min depending on RTO.
+
 tcp_retries2 - INTEGER
-tcp_max_delay_acks - INTEGER
+	How may times to retry before killing alive TCP connection.
+	RFC1122 says that the limit should be longer than 100 sec.
+	It is too small number.	Default value 15 corresponds to ~13-30min
+	depending on RTO.
+
+tcp_orphan_retries - INTEGER
+	How may times to retry before killing TCP connection, closed
+	by our side. Default value 7 corresponds to ~50sec-16min
+	depending on RTO. If you machine is loaded WEB server,
+	you should think about lowering this value, such sockets
+	may consume significant resources. Cf. tcp_max_orphans.
+
 tcp_fin_timeout - INTEGER
-tcp_max_ka_probes - INTEGER
-tcp_hoe_retransmits - INTEGER
-	Undocumented for now.
+	Time to hold socket in state FIN-WAIT-2, if it was closed
+	by our side. Peer can be broken and never close its side,
+	or even died unexpectedly. Default value is 60sec.
+	Usual value used in 2.2 was 180 seconds, you may restore
+	it, but remember that if your machine is even underloaded WEB server,
+	you risk to overflow memory with kilotons of dead sockets,
+	FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
+	because they eat maximum 1.5K of memory, but they tend
+	to live longer.	Cf. tcp_max_orphans.
+
+tcp_max_tw_buckets - INTEGER
+	Maximal number of timewait sockets held by system simultaneously.
+	If this number is exceeded time-wait socket is immediately destroyed
+	and warning is printed. This limit exists only to prevent
+	simple DoS attacks, you _must_ not lower the limit artificially,
+	but rather increase it (probably, after increasing installed memory),
+	if network conditions require more than default value.
+
+tcp_tw_recycle - BOOLEAN
+	Enable fast recycling TIME-WAIT sockets. Default value is 1.
+	It should not be changed without advice/request of technical
+	experts.
+
+tcp_max_orphans - INTEGER
+	Maximal number of TCP sockets not attached to any user file handle,
+	held by system.	If this number is exceeded orphaned connections are
+	reset immediately and warning is printed. This limit exists
+	only to prevent simple DoS attacks, you _must_ not rely on this
+	or lower the limit artificially, but rather increase it
+	(probably, after increasing installed memory),
+	if network conditions require more than default value,
+	and tune network services to linger and kill such states
+	more aggressivley. Let me to remind again: each orphan eats
+	up to ~64K of unswappable memory.
+
+tcp_abort_on_overflow - BOOLEAN
+	If listening service is too slow to accept new connections,
+	reset them. Default state is FALSE. It means that if overflow
+	occured due to a burst, connection will recover. Enable this
+	option _only_ if you are really sure that listening daemon
+	cannot be tuned to accept connections faster. Enabling this
+	option can harm clients of your server.
 
 tcp_syncookies - BOOLEAN
 	Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
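Review bot: the tcp_tw_recycle entry tells the reader not to touch it (`It should not be changed without advice/request of technical experts.`) without saying why, while the ip_local_port_range text further down in this patch reveals the mechanism, namely that fast recycling depends on peer timestamps; move that fact up here so the entry explains what is being traded away. Please also check the sysctl name `tcp_keepalive_interval` against the name registered in the kernel's sysctl table before this lands; I remember it as `tcp_keepalive_intvl`, and a doc entry that does not match what appears under /proc/sys/net/ipv4 is worse than none. Three entries (`tcp_max_delay_acks`, `tcp_max_ka_probes`, `tcp_hoe_retransmits`) are dropped without comment; if the sysctls are gone from the kernel that is fine, but if any still exists it now has no documentation at all. Spelling in the added text: `somethig`, `suspection`, `How may times` (twice), `occured`, `aggressivley`, `probes are send out` (sent), `If you machine` (your), and `Let me to remind again` reads better as `Let me remind you again`.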
@@ -89,15 +156,36 @@
 	overflows. This is to prevent against the common 'syn flood attack'
 	Default: FALSE
 
+	Note, that syncookies is fallback facility.
+	It MUST NOT be used to help highly loaded servers to stand
+	against legal connection rate. If you see synflood warnings
+	in your logs, but investigation	shows that they occur
+	because of overload with legal connections, you should tune
+	another parameters until this warning disappear.
+	See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
+
+	syncookies seriously violate TCP protocol, do not allow
+	to use TCP extensions, can result in serious degradation
+	of some services (f.e. SMTP relaying), visible not by you,
+	but your clients and relays, contacting you. While you see
+	synflood warnings in logs not being really flooded, your server
+	is seriously misconfigured.
+
 tcp_stdurg - BOOLEAN
 	Use the Host requirements interpretation of the TCP urg pointer field.
 	Most hosts use the older BSD interpretation, so if you turn this on
 	Linux might not communicate correctly with them.	
 	Default: FALSE 
 	
-tcp_syn_taildrop  - BOOLEAN
 tcp_max_syn_backlog - INTEGER
-	Undocumented (work in progress)
+	Maximal number of remembered connection requests, which are
+	still did not receive an acknowldgement from connecting client.
+	Default value is 1024 for systems with more than 128Mb of memory,
+	and 128 for low memory machines. If server suffers of overload,
+	try to increase this number. Warning! If you make it greater
+	than 1024, it would be better to change TCP_SYNQ_HSIZE in
+	include/net/tcp.h to keep TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog
+	and to recompile kernel.
 
 tcp_window_scaling - BOOLEAN
 	Enable window scaling as defined in RFC1323.
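Review bot: `tcp_syn_taildrop - BOOLEAN` is removed from the list with no replacement text; confirm the sysctl itself was removed, otherwise it has just lost its only doc line. The tcp_max_syn_backlog entry tells the reader to keep `TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog` and recompile, but not what goes wrong if the ratio is exceeded; say it, because an administrator raising the backlog in response to a SYN flood is exactly the person who needs to know that the hash table is sized from that constant. The syncookies paragraph would be clearer if it stated plainly that cookies only engage once the SYN queue has overflowed, which is what `fallback facility` is trying to say, so that the degradation described (`f.e. SMTP relaying`, better `e.g.`) is understood to hit connections accepted during overflow rather than all traffic. Wording: `another parameters until this warning disappear` should read `other parameters until these warnings disappear`; `which are still did not receive an acknowldgement` should read `which have not yet received an acknowledgement`; `suffers of overload` should be `suffers from overload`.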
@@ -116,8 +204,15 @@
 ip_local_port_range - 2 INTEGERS
 	Defines the local port range that is used by TCP and UDP to
 	choose the local port. The first number is the first, the 
-	second the last local port number. For high-usage systems
-	change this to 32768-61000.
+	second the last local port number. Default value depends on
+	amount of memory available on the system:
+	> 128Mb 32768-61000
+	< 128Mb 1024-4999 or even less.
+	This number defines number of active connections, which this
+	system can issue simultaneously to systems not supporting
+	TCP extensions (timestamps). With tcp_tw_recycle enabled
+	(i.e. by default) range 1024-4999 is enough to issue up to
+	2000 connections per second to systems supporting timestamps.
 
 icmp_echo_ignore_all - BOOLEAN
 icmp_echo_ignore_broadcasts - BOOLEAN
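Review bot: the low-memory default `1024-4999` lies inside the registered-port range, so the entry should warn that any local service that listens on a port in that range can collide with an ephemeral port the kernel hands out, and that the range should be chosen to avoid ports of local listeners; that caveat matters more to an operator than the memory-based default. `This number defines number of active connections` describes a range, not a number; `This range bounds how many outgoing connections this system can have open simultaneously to ...` reads correctly. The `2000 connections per second` figure is conditioned on tcp_tw_recycle being on `(i.e. by default)`, which rests on the `Default value is 1` stated earlier in this patch; if that default ever changes, this sentence goes stale, so it is worth phrasing as `if tcp_tw_recycle is enabled`. `or even less` should be `or fewer`.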
@@ -201,7 +296,7 @@
 
 	0 - No source validation. 
 
-	Default value is 0. Note that some distribution enable it
+	Default value is 0. Note that some distributions enable it
 	in startip scripts.
 
 Alexey Kuznetsov.
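Review bot: the trailing context line `in startip scripts.` still carries a typo (`startup scripts`); since the sentence is being edited for `distributions` anyway, fix both in the same hunk.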
@@ -210,4 +305,4 @@
 Updated by:
 Andi Kleen
 ak@muc.de
-$Id: ip-sysctl.txt,v 1.11 2000/01/08 20:32:41 davem Exp $
+$Id: ip-sysctl.txt,v 1.13 2000/01/18 08:24:09 davem Exp $

FUNET's LINUX-ADM group, linux-adm@nic.funet.fi
TCL-scripts by Sam Shen (who was at: slshen@lbl.gov)