Message-ID: <aFfRw_bpP4ZNU6Pf@archie.me>
Date: Sun, 22 Jun 2025 16:49:55 +0700
From: Bagas Sanjaya <bagasdotme@...il.com>
To: Abdelrahman Fekry <abdelrahmanfekry375@...il.com>, corbet@....net,
	davem@...emloft.net, edumazet@...gle.com, horms@...nel.org,
	kuba@...nel.org, pabeni@...hat.com
Cc: linux-doc@...r.kernel.org, linux-kernel-mentees@...ts.linux.dev,
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
	skhan@...uxfoundation.com, jacob.e.keller@...el.com,
	alok.a.tiwari@...cle.com
Subject: Re: [PATCH net-next v5] docs: net: sysctl documentation cleanup

On Sun, Jun 22, 2025 at 12:07:20PM +0300, Abdelrahman Fekry wrote:
> diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
> index 466bc3f5186e..c47c506c0e17 100644
> --- a/Documentation/networking/ip-sysctl.rst
> +++ b/Documentation/networking/ip-sysctl.rst
> @@ -8,15 +8,19 @@ IP Sysctl
>  ==============================
>  
>  ip_forward - BOOLEAN
> -	- 0 - disabled (default)
> -	- not 0 - enabled
> -
>  	Forward Packets between interfaces.
>  
>  	This variable is special, its change resets all configuration
>  	parameters to their default state (RFC1122 for hosts, RFC1812
>  	for routers)
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  ip_default_ttl - INTEGER
>  	Default value of TTL field (Time To Live) for outgoing (but not
>  	forwarded) IP packets. Should be between 1 and 255 inclusive.
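
Review bot: In ip_forward, replacing "not 0 - enabled" with "1 (enabled)" narrows what the documentation says is accepted. If any non-zero value still enables forwarding, keep that in the list (for example "- non-zero (enabled)"), or state in the commit message that the accepted range was checked.
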
> @@ -62,20 +66,25 @@ ip_forward_use_pmtu - BOOLEAN
>  	kernel honoring this information. This is normally not the
>  	case.
>  
> -	Default: 0 (disabled)
> -
>  	Possible values:
>  
> -	- 0 - disabled
> -	- 1 - enabled
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  fwmark_reflect - BOOLEAN
>  	Controls the fwmark of kernel-generated IPv4 reply packets that are not
>  	associated with a socket for example, TCP RSTs or ICMP echo replies).
> -	If unset, these packets have a fwmark of zero. If set, they have the
> +	If disabled, these packets have a fwmark of zero. If enabled, they have the
>  	fwmark of the packet they are replying to.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  fib_multipath_use_neigh - BOOLEAN
>  	Use status of existing neighbor entry when determining nexthop for
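
Review bot: The fwmark_reflect description still reads "associated with a socket for example, TCP RSTs or ICMP echo replies)", a closing parenthesis with no opening one. Since this hunk rewrites the very next sentence, add the missing "(" before "for example" in the same pass.
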
> @@ -83,12 +92,12 @@ fib_multipath_use_neigh - BOOLEAN
>  	packets could be directed to a failed nexthop. Only valid for kernels
>  	built with CONFIG_IP_ROUTE_MULTIPATH enabled.
>  
> -	Default: 0 (disabled)
> -
>  	Possible values:
>  
> -	- 0 - disabled
> -	- 1 - enabled
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  fib_multipath_hash_policy - INTEGER
>  	Controls which hash policy to use for multipath routes. Only valid
> @@ -368,7 +377,12 @@ tcp_autocorking - BOOLEAN
>  	queue. Applications can still use TCP_CORK for optimal behavior
>  	when they know how/when to uncork their sockets.
>  
> -	Default : 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  tcp_available_congestion_control - STRING
>  	Shows the available congestion control choices that are registered.
> @@ -408,6 +422,13 @@ tcp_congestion_control - STRING
>  tcp_dsack - BOOLEAN
>  	Allows TCP to send "duplicate" SACKs.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
> +
>  tcp_early_retrans - INTEGER
>  	Tail loss probe (TLP) converts RTOs occurring due to tail
>  	losses into fast recovery (draft-ietf-tcpm-rack). Note that
> @@ -447,7 +468,12 @@ tcp_ecn_fallback - BOOLEAN
>  	knob. The value	is not used, if tcp_ecn or per route (or congestion
>  	control) ECN settings are disabled.
>  
> -	Default: 1 (fallback enabled)
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  tcp_fack - BOOLEAN
>  	This is a legacy option, it has no effect anymore.
> @@ -474,7 +500,7 @@ tcp_frto - INTEGER
>  	By default it's enabled with a non-zero value. 0 disables F-RTO.
>  
>  tcp_fwmark_accept - BOOLEAN
> -	If set, incoming connections to listening sockets that do not have a
> +	If enabled, incoming connections to listening sockets that do not have a
>  	socket mark will set the mark of the accepting socket to the fwmark of
>  	the incoming SYN packet. This will cause all packets on that connection
>  	(starting from the first SYNACK) to be sent with that fwmark. The
> @@ -482,7 +508,12 @@ tcp_fwmark_accept - BOOLEAN
>  	have a fwmark set via setsockopt(SOL_SOCKET, SO_MARK, ...) are
>  	unaffected.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_invalid_ratelimit - INTEGER
>  	Limit the maximal rate for sending duplicate acknowledgments
> @@ -528,6 +559,11 @@ tcp_l3mdev_accept - BOOLEAN
>  	which the packets originated. Only valid when the kernel was
>  	compiled with CONFIG_NET_L3_MASTER_DEV.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
>  	Default: 0 (disabled)
>  
>  tcp_low_latency - BOOLEAN
> @@ -593,10 +629,16 @@ tcp_min_rtt_wlen - INTEGER
>  	Default: 300
>  
>  tcp_moderate_rcvbuf - BOOLEAN
> -	If set, TCP performs receive buffer auto-tuning, attempting to
> +	If enabled, TCP performs receive buffer auto-tuning, attempting to
>  	automatically size the buffer (no greater than tcp_rmem[2]) to
> -	match the size required by the path for full throughput.  Enabled by
> -	default.
> +	match the size required by the path for full throughput.
> +
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_mtu_probing - INTEGER
>  	Controls TCP Packetization-Layer Path MTU Discovery.  Takes three
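
Review bot: For tcp_moderate_rcvbuf the removed text says "Enabled by default." but the added line says "Default: 0 (disabled)". A formatting cleanup should not flip the documented default; this should read "Default: 1 (enabled)" unless the old text was wrong, in which case say so in the commit message.
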
> @@ -621,13 +663,26 @@ tcp_no_metrics_save - BOOLEAN
>  	when the connection closes, so that connections established in the
>  	near future can use these to set initial conditions.  Usually, this
>  	increases overall performance, but may sometimes cause performance
> -	degradation.  If set, TCP will not cache metrics on closing
> +	degradation.  If enabled, TCP will not cache metrics on closing
>  	connections.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  tcp_no_ssthresh_metrics_save - BOOLEAN
>  	Controls whether TCP saves ssthresh metrics in the route cache.
> +	If enabled, ssthresh metrics are disabled.
> +
> +	Possible values:
>  
> -	Default is 1, which disables ssthresh metrics.
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  tcp_orphan_retries - INTEGER
>  	This value influences the timeout of a locally closed TCP connection,
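
Review bot: "If enabled, ssthresh metrics are disabled." in tcp_no_ssthresh_metrics_save is hard to parse, because enabling the knob disables the feature. Wording that follows the entry's first sentence, such as "If enabled, TCP does not save ssthresh metrics in the route cache.", would be clearer.
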
> @@ -666,6 +721,11 @@ tcp_reflect_tos - BOOLEAN
>  
>  	This options affects both IPv4 and IPv6.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
>  	Default: 0 (disabled)
>  
>  tcp_reordering - INTEGER
> @@ -687,6 +747,13 @@ tcp_retrans_collapse - BOOLEAN
>  	On retransmit try to send bigger packets to work around bugs in
>  	certain TCP stacks.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
> +
>  tcp_retries1 - INTEGER
>  	This value influences the time, after which TCP decides, that
>  	something is wrong due to unacknowledged RTO retransmissions,
> @@ -714,11 +781,16 @@ tcp_retries2 - INTEGER
>  	which corresponds to a value of at least 8.
>  
>  tcp_rfc1337 - BOOLEAN
> -	If set, the TCP stack behaves conforming to RFC1337. If unset,
> +	If enabled, the TCP stack behaves conforming to RFC1337. If unset,
>  	we are not conforming to RFC, but prevent TCP TIME_WAIT
>  	assassination.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_rmem - vector of 3 INTEGERs: min, default, max
>  	min: Minimal size of receive buffer used by TCP sockets.
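
Review bot: tcp_rfc1337 now mixes both vocabularies in one line: "If enabled, the TCP stack behaves conforming to RFC1337. If unset,". Change "If unset" to "If disabled" to match the rest of the patch.
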
> @@ -742,6 +814,13 @@ tcp_rmem - vector of 3 INTEGERs: min, default, max
>  tcp_sack - BOOLEAN
>  	Enable select acknowledgments (SACKS).
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
> +
>  tcp_comp_sack_delay_ns - LONG INTEGER
>  	TCP tries to reduce number of SACK sent, using a timer
>  	based on 5% of SRTT, capped by this sysctl, in nano seconds.
> @@ -764,26 +843,41 @@ tcp_comp_sack_nr - INTEGER
>  	Default : 44
>  
>  tcp_backlog_ack_defer - BOOLEAN
> -	If set, user thread processing socket backlog tries sending
> +	If enabled, user thread processing socket backlog tries sending
>  	one ACK for the whole queue. This helps to avoid potential
>  	long latencies at end of a TCP socket syscall.
>  
> -	Default : true
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  tcp_slow_start_after_idle - BOOLEAN
> -	If set, provide RFC2861 behavior and time out the congestion
> +	If enabled, provide RFC2861 behavior and time out the congestion
>  	window after an idle period.  An idle period is defined at
>  	the current RTO.  If unset, the congestion window will not
>  	be timed out after an idle period.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  tcp_stdurg - BOOLEAN
>  	Use the Host requirements interpretation of the TCP urgent pointer field.
> -	Most hosts use the older BSD interpretation, so if you turn this on
> +	Most hosts use the older BSD interpretation, so if enabled,
>  	Linux might not communicate correctly with them.
>  
> -	Default: FALSE
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_synack_retries - INTEGER
>  	Number of times SYNACKs for a passive TCP connection attempt will
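
Review bot: In tcp_slow_start_after_idle the first sentence becomes "If enabled", but the context line "the current RTO.  If unset, the congestion window will not" keeps the old term. Convert it to "If disabled" so the entry is consistent.
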
> @@ -840,7 +934,12 @@ tcp_migrate_req - BOOLEAN
>  	migration by returning SK_DROP in the type of eBPF program, or
>  	disable this option.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_fastopen - INTEGER
>  	Enable TCP Fast Open (RFC7413) to send and accept data in the opening
> @@ -1021,6 +1120,13 @@ tcp_tw_reuse_delay - UNSIGNED INTEGER
>  tcp_window_scaling - BOOLEAN
>  	Enable window scaling as defined in RFC1323.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
> +
>  tcp_shrink_window - BOOLEAN
>  	This changes how the TCP receive window is calculated.
>  
> @@ -1028,13 +1134,15 @@ tcp_shrink_window - BOOLEAN
>  	window can be offered, and that TCP implementations MUST ensure
>  	that they handle a shrinking window, as specified in RFC 1122.
>  
> -	- 0 - Disabled.	The window is never shrunk.
> -	- 1 - Enabled.	The window is shrunk when necessary to remain within
> -			the memory limit set by autotuning (sk_rcvbuf).
> -			This only occurs if a non-zero receive window
> -			scaling factor is also in effect.
> +	Possible values:
>  
> -	Default: 0
> +	- 0 (disabled) - The window is never shrunk.
> +	- 1 (enabled)  - The window is shrunk when necessary to remain within
> +	  the memory limit set by autotuning (sk_rcvbuf).
> +	  This only occurs if a non-zero receive window
> +	  scaling factor is also in effect.
> +
> +	Default: 0 (disabled)
>  
>  tcp_wmem - vector of 3 INTEGERs: min, default, max
>  	min: Amount of memory reserved for send buffers for TCP sockets.
> @@ -1071,16 +1179,21 @@ tcp_notsent_lowat - UNSIGNED INTEGER
>  	Default: UINT_MAX (0xFFFFFFFF)
>  
>  tcp_workaround_signed_windows - BOOLEAN
> -	If set, assume no receipt of a window scaling option means the
> +	If enabled, assume no receipt of a window scaling option means the
>  	remote TCP is broken and treats the window as a signed quantity.
> -	If unset, assume the remote TCP is not broken even if we do
> +	If disabled, assume the remote TCP is not broken even if we do
>  	not receive a window scaling option from them.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_thin_linear_timeouts - BOOLEAN
>  	Enable dynamic triggering of linear timeouts for thin streams.
> -	If set, a check is performed upon retransmission by timeout to
> +	If enabled, a check is performed upon retransmission by timeout to
>  	determine if the stream is thin (less than 4 packets in flight).
>  	As long as the stream is found to be thin, up to 6 linear
>  	timeouts may be performed before exponential backoff mode is
> @@ -1089,7 +1202,12 @@ tcp_thin_linear_timeouts - BOOLEAN
>  	For more information on thin streams, see
>  	Documentation/networking/tcp-thin.rst
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_limit_output_bytes - INTEGER
>  	Controls TCP Small Queue limit per tcp socket.
> @@ -1141,7 +1259,7 @@ tcp_child_ehash_entries - INTEGER
>  	Default: 0
>  
>  tcp_plb_enabled - BOOLEAN
> -	If set and the underlying congestion control (e.g. DCTCP) supports
> +	If enabled and the underlying congestion control (e.g. DCTCP) supports
>  	and enables PLB feature, TCP PLB (Protective Load Balancing) is
>  	enabled. PLB is described in the following paper:
>  	https://doi.org/10.1145/3544216.3544226. Based on PLB parameters,
> @@ -1157,12 +1275,17 @@ tcp_plb_enabled - BOOLEAN
>  	by switches to determine next hop. In either case, further host
>  	and switch side changes will be needed.
>  
> -	When set, PLB assumes that congestion signal (e.g. ECN) is made
> +	If enabled, PLB assumes that congestion signal (e.g. ECN) is made
>  	available and used by congestion control module to estimate a
>  	congestion measure (e.g. ce_ratio). PLB needs a congestion measure to
>  	make repathing decisions.
>  
> -	Default: FALSE
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  tcp_plb_idle_rehash_rounds - INTEGER
>  	Number of consecutive congested rounds (RTT) seen after which
> @@ -1262,6 +1385,11 @@ udp_l3mdev_accept - BOOLEAN
>  	originated. Only valid when the kernel was compiled with
>  	CONFIG_NET_L3_MASTER_DEV.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
>  	Default: 0 (disabled)
>  
>  udp_mem - vector of 3 INTEGERs: min, pressure, max
> @@ -1322,19 +1450,29 @@ raw_l3mdev_accept - BOOLEAN
>  	originated. Only valid when the kernel was compiled with
>  	CONFIG_NET_L3_MASTER_DEV.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
>  	Default: 1 (enabled)
>  
>  CIPSOv4 Variables
>  =================
>  
>  cipso_cache_enable - BOOLEAN
> -	If set, enable additions to and lookups from the CIPSO label mapping
> -	cache.  If unset, additions are ignored and lookups always result in a
> +	If enabled, enable additions to and lookups from the CIPSO label mapping
> +	cache.  If disabled, additions are ignored and lookups always result in a
>  	miss.  However, regardless of the setting the cache is still
>  	invalidated when required when means you can safely toggle this on and
>  	off and the cache will always be "safe".
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  cipso_cache_bucket_size - INTEGER
>  	The CIPSO label cache consists of a fixed size hash table with each
> @@ -1352,17 +1490,27 @@ cipso_rbm_optfmt - BOOLEAN
>  	This means that when set the CIPSO tag will be padded with empty
>  	categories in order to make the packet data 32-bit aligned.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
> -cipso_rbm_structvalid - BOOLEAN
> -	If set, do a very strict check of the CIPSO option when
> -	ip_options_compile() is called.  If unset, relax the checks done during
> +cipso_rbm_strictvalid - BOOLEAN
> +	If enabled, do a very strict check of the CIPSO option when
> +	ip_options_compile() is called.  If disabled, relax the checks done during
>  	ip_options_compile().  Either way is "safe" as errors are caught else
>  	where in the CIPSO processing code but setting this to 0 (False) should
>  	result in less work (i.e. it should be faster) but could cause problems
>  	with other implementations that require strict checking.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  IP Variables
>  ============
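
Review bot: The heading changes from cipso_rbm_structvalid to cipso_rbm_strictvalid, which renames the documented sysctl rather than reformatting it. Mention the rename in the commit message, or split it into its own patch, so it is not lost in the cleanup. The same entry still says "setting this to 0 (False)" and cipso_rbm_optfmt still says "when set", neither of which matches the new enabled/disabled wording.
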
> @@ -1419,10 +1567,15 @@ ip_unprivileged_port_start - INTEGER
>  	Default: 1024
>  
>  ip_nonlocal_bind - BOOLEAN
> -	If set, allows processes to bind() to non-local IP addresses,
> +	If enabled, allows processes to bind() to non-local IP addresses,
>  	which can be quite useful - but may break some applications.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  ip_autobind_reuse - BOOLEAN
>  	By default, bind() does not select the ports automatically even if
> @@ -1431,7 +1584,13 @@ ip_autobind_reuse - BOOLEAN
>  	when you use bind()+connect(), but may break some applications.
>  	The preferred solution is to use IP_BIND_ADDRESS_NO_PORT and this
>  	option should only be set by experts.
> -	Default: 0
> +
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  ip_dynaddr - INTEGER
>  	If set non-zero, enables support for dynamic addresses.
> @@ -1449,7 +1608,12 @@ ip_early_demux - BOOLEAN
>  	It may add an additional cost for pure routing workloads that
>  	reduces overall throughput, in such case you should disable it.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  ping_group_range - 2 INTEGERS
>  	Restrict ICMP_PROTO datagram sockets to users in the group range.
> @@ -1461,31 +1625,56 @@ ping_group_range - 2 INTEGERS
>  tcp_early_demux - BOOLEAN
>  	Enable early demux for established TCP sockets.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  udp_early_demux - BOOLEAN
>  	Enable early demux for connected UDP sockets. Disable this if
>  	your system could experience more unconnected load.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  icmp_echo_ignore_all - BOOLEAN
> -	If set non-zero, then the kernel will ignore all ICMP ECHO
> +	If enabled, then the kernel will ignore all ICMP ECHO
>  	requests sent to it.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  icmp_echo_enable_probe - BOOLEAN
> -        If set to one, then the kernel will respond to RFC 8335 PROBE
> +        If enabled, then the kernel will respond to RFC 8335 PROBE
>          requests sent to it.
>  
> -        Default: 0
> +        Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  icmp_echo_ignore_broadcasts - BOOLEAN
> -	If set non-zero, then the kernel will ignore all ICMP ECHO and
> +	If enabled, then the kernel will ignore all ICMP ECHO and
>  	TIMESTAMP requests sent to it via broadcast/multicast.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  icmp_ratelimit - INTEGER
>  	Limit the maximal rates for sending ICMP packets whose type matches
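
Review bot: icmp_echo_ignore_broadcasts goes from "Default: 1" to "Default: 0 (disabled)", which changes the documented default instead of reformatting it. Keep it as "Default: 1 (enabled)" unless the old value was wrong, and if so call that out in the commit message. The lines added under icmp_echo_enable_probe also mix a space-indented "Possible values:" with tab-indented list items.
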
> @@ -1542,17 +1731,22 @@ icmp_ratemask - INTEGER
>  icmp_ignore_bogus_error_responses - BOOLEAN
>  	Some routers violate RFC1122 by sending bogus responses to broadcast
>  	frames.  Such violations are normally logged via a kernel warning.
> -	If this is set to TRUE, the kernel will not give such warnings, which
> +	If enabled, the kernel will not give such warnings, which
>  	will avoid log file clutter.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  icmp_errors_use_inbound_ifaddr - BOOLEAN
>  
> -	If zero, icmp error messages are sent with the primary address of
> +	If disabled, icmp error messages are sent with the primary address of
>  	the exiting interface.
>  
> -	If non-zero, the message will be sent with the primary address of
> +	If enabled, the message will be sent with the primary address of
>  	the interface that received the packet that caused the icmp error.
>  	This is the behaviour many network administrators will expect from
>  	a router. And it can make debugging complicated network layouts
> @@ -1562,7 +1756,12 @@ icmp_errors_use_inbound_ifaddr - BOOLEAN
>  	then the primary address of the first non-loopback interface that
>  	has one will be used regardless of this setting.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  igmp_max_memberships - INTEGER
>  	Change the maximum number of multicast groups we can subscribe to.
> @@ -1912,8 +2111,12 @@ arp_evict_nocarrier - BOOLEAN
>  	between access points on the same network. In most cases this should
>  	remain as the default (1).
>  
> -	- 1 - (default): Clear the ARP cache on NOCARRIER events
> -	- 0 - Do not clear ARP cache on NOCARRIER events
> +	Possible values:
> +
> +	- 0 (disabled) - Do not clear ARP cache on NOCARRIER events
> +	- 1 (enabled)  - Clear the ARP cache on NOCARRIER events
> +
> +	Default: 1 (enabled)
>  
>  mcast_solicit - INTEGER
>  	The maximum number of multicast probes in INCOMPLETE state,
> @@ -1936,9 +2139,23 @@ mcast_resolicit - INTEGER
>  disable_policy - BOOLEAN
>  	Disable IPSEC policy (SPD) for this interface
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  disable_xfrm - BOOLEAN
>  	Disable IPSEC encryption on this interface, whatever the policy
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  igmpv2_unsolicited_report_interval - INTEGER
>  	The interval in milliseconds in which the next unsolicited
>  	IGMPv1 or IGMPv2 report retransmit will take place.
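
Review bot: For disable_policy and disable_xfrm, "0 (disabled)" is ambiguous because the knob itself disables something, so a reader cannot tell whether 0 means the policy is off or the knob is off. Annotate the values the way this patch does for bindv6only, for example "- 1 (enabled) - IPSEC policy is not applied on this interface". The "Default: 0 (disabled)" lines are also new information, since the old text stated no default.
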
> @@ -1954,11 +2171,25 @@ igmpv3_unsolicited_report_interval - INTEGER
>  ignore_routes_with_linkdown - BOOLEAN
>          Ignore routes whose link is down when performing a FIB lookup.
>  
> +        Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  promote_secondaries - BOOLEAN
>  	When a primary IP address is removed from this interface
>  	promote a corresponding secondary IP address instead of
>  	removing all the corresponding secondary IP addresses.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  drop_unicast_in_l2_multicast - BOOLEAN
>  	Drop any unicast IP packets that are received in link-layer
>  	multicast (or broadcast) frames.
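
Review bot: The lines added under ignore_routes_with_linkdown indent "Possible values:" with spaces but the list items and "Default:" with a tab. Use one form throughout the entry. This hunk also states "Default: 0 (disabled)" for ignore_routes_with_linkdown and promote_secondaries where the old text gave no default; say in the commit message where those values come from.
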
> @@ -1966,14 +2197,24 @@ drop_unicast_in_l2_multicast - BOOLEAN
>  	This behavior (for multicast) is actually a SHOULD in RFC
>  	1122, but is disabled by default for compatibility reasons.
>  
> -	Default: off (0)
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  drop_gratuitous_arp - BOOLEAN
>  	Drop all gratuitous ARP frames, for example if there's a known
>  	good ARP proxy on the network and such frames need not be used
>  	(or in the case of 802.11, must not be used to prevent attacks.)
>  
> -	Default: off (0)
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  
>  tag - INTEGER
> @@ -2017,20 +2258,24 @@ bindv6only - BOOLEAN
>  	which restricts use of the IPv6 socket to IPv6 communication
>  	only.
>  
> -		- TRUE: disable IPv4-mapped address feature
> -		- FALSE: enable IPv4-mapped address feature
> +	Possible values:
>  
> -	Default: FALSE (as specified in RFC3493)
> +	- 0 (disabled) - enable IPv4-mapped address feature
> +	- 1 (enabled)  - disable IPv4-mapped address feature
> +
> +	Default: 0 (disabled)
>  
>  flowlabel_consistency - BOOLEAN
>  	Protect the consistency (and unicity) of flow label.
>  	You have to disable it to use IPV6_FL_F_REFLECT flag on the
>  	flow label manager.
>  
> -	- TRUE: enabled
> -	- FALSE: disabled
> +	Possible values:
>  
> -	Default: TRUE
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  auto_flowlabels - INTEGER
>  	Automatically generate flow labels based on a flow hash of the
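
Review bot: bindv6only loses its RFC reference when "Default: FALSE (as specified in RFC3493)" becomes "Default: 0 (disabled)". Keep it, for example "Default: 0 (disabled, as specified in RFC3493)".
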
> @@ -2056,10 +2301,13 @@ flowlabel_state_ranges - BOOLEAN
>  	reserved for the IPv6 flow manager facility, 0x80000-0xFFFFF
>  	is reserved for stateless flow labels as described in RFC6437.
>  
> -	- TRUE: enabled
> -	- FALSE: disabled
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
> -	Default: true
>  
>  flowlabel_reflect - INTEGER
>  	Control flow label reflection. Needed for Path MTU
> @@ -2127,10 +2375,13 @@ anycast_src_echo_reply - BOOLEAN
>  	Controls the use of anycast addresses as source addresses for ICMPv6
>  	echo reply
>  
> -	- TRUE:  enabled
> -	- FALSE: disabled
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
> -	Default: FALSE
>  
>  idgen_delay - INTEGER
>  	Controls the delay in seconds after which time to retry
> @@ -2187,7 +2438,12 @@ skip_notify_on_dev_down - BOOLEAN
>  	to true skips the message, making IPv4 and IPv6 on par in relying
>  	on userspace caches to track link events and evict routes.
>  
> -	Default: false (generate message)
> +	Possible values:
> +
> +	- 0 (disabled) - generate the message
> +	- 1 (enabled)  - skip generating the message
> +
> +	Default: 0 (disabled)
>  
>  nexthop_compat_mode - BOOLEAN
>  	New nexthop API provides a means for managing nexthops independent of
> @@ -2294,13 +2550,26 @@ conf/all/forwarding - BOOLEAN
>  proxy_ndp - BOOLEAN
>  	Do proxy ndp.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
> +
>  fwmark_reflect - BOOLEAN
>  	Controls the fwmark of kernel-generated IPv6 reply packets that are not
>  	associated with a socket for example, TCP RSTs or ICMPv6 echo replies).
> -	If unset, these packets have a fwmark of zero. If set, they have the
> +	If disabled, these packets have a fwmark of zero. If enabled, they have the
>  	fwmark of the packet they are replying to.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  ``conf/interface/*``:
>  	Change special settings per interface.
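
Review bot: The block added for proxy_ndp ends with two "+" blank lines before fwmark_reflect. Drop one of them so the entries are separated by a single blank line.
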
> @@ -2391,9 +2660,11 @@ ra_honor_pio_life - BOOLEAN
>  	lifetime of an address matching a prefix sent in a Router
>  	Advertisement Prefix Information Option.
>  
> -	- If enabled, the PIO valid lifetime will always be honored.
> -	- If disabled, RFC4862 section 5.5.3e is used to determine
> +	Possible values:
> +
> +	- 0 (disabled) - RFC4862 section 5.5.3e is used to determine
>  	  the valid lifetime of the address.
> +	- 1 (enabled)  - the PIO valid lifetime will always be honored.
>  
>  	Default: 0 (disabled)
>  
> @@ -2405,8 +2676,10 @@ ra_honor_pio_pflag - BOOLEAN
>  	P-flag suppresses any effects of the A-flag within the same
>  	PIO. For a given PIO, P=1 and A=1 is treated as A=0.
>  
> -	- If disabled, the P-flag is ignored.
> -	- If enabled, the P-flag will disable SLAAC autoconfiguration
> +	Possible values:
> +
> +	- 0 (disabled) - the P-flag is ignored.
> +	- 1 (enabled)  - the P-flag will disable SLAAC autoconfiguration
>  	  for the given Prefix Information Option.
>  
>  	Default: 0 (disabled)
> @@ -2528,10 +2801,15 @@ mtu - INTEGER
>  	Default: 1280 (IPv6 required minimum)
>  
>  ip_nonlocal_bind - BOOLEAN
> -	If set, allows processes to bind() to non-local IPv6 addresses,
> +	If enabled, allows processes to bind() to non-local IPv6 addresses,
>  	which can be quite useful - but may break some applications.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  router_probe_interval - INTEGER
>  	Minimum interval (in seconds) between Router Probing described
> @@ -2561,7 +2839,12 @@ use_oif_addrs_only - BOOLEAN
>  	routed via this interface are restricted to the set of addresses
>  	configured on this interface (vis. RFC 6724, section 4).
>  
> -	Default: false
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  use_tempaddr - INTEGER
>  	Preference for Privacy Extensions (RFC3041).
> @@ -2686,10 +2969,14 @@ force_tllao - BOOLEAN
>  ndisc_notify - BOOLEAN
>  	Define mode for notification of address and device changes.
>  
> -	* 0 - (default): do nothing
> -	* 1 - Generate unsolicited neighbour advertisements when device is brought
> +	Possible values:
> +
> +	- 0 (disabled) - do nothing
> +	- 1 (enabled)  - Generate unsolicited neighbour advertisements when device is brought
>  	  up or hardware address changes.
>  
> +	Default: 0 (disabled)
> +
>  ndisc_tclass - INTEGER
>  	The IPv6 Traffic Class to use by default when sending IPv6 Neighbor
>  	Discovery (Router Solicitation, Router Advertisement, Neighbor
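
Review bot: The added line "- 1 (enabled)  - Generate unsolicited neighbour advertisements when device is brought" in ndisc_notify runs past 80 columns once the leading tab is counted. Rewrap it so more of the sentence moves to the continuation line, as the tcp_shrink_window list item in this patch does.
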
> @@ -2706,8 +2993,12 @@ ndisc_evict_nocarrier - BOOLEAN
>  	not be cleared when roaming between access points on the same network.
>  	In most cases this should remain as the default (1).
>  
> -	- 1 - (default): Clear neighbor discover cache on NOCARRIER events.
> -	- 0 - Do not clear neighbor discovery cache on NOCARRIER events.
> +	Possible values:
> +
> +	- 0 (disabled) - Do not clear neighbor discovery cache on NOCARRIER events.
> +	- 1 (enabled)  - Clear neighbor discover cache on NOCARRIER events.
> +
> +	Default: 1 (enabled)
>  
>  mldv1_unsolicited_report_interval - INTEGER
>  	The interval in milliseconds in which the next unsolicited
> @@ -2736,25 +3027,34 @@ suppress_frag_ndisc - INTEGER
>  optimistic_dad - BOOLEAN
>  	Whether to perform Optimistic Duplicate Address Detection (RFC 4429).
>  
> -	* 0: disabled (default)
> -	* 1: enabled
> -
>  	Optimistic Duplicate Address Detection for the interface will be enabled
>  	if at least one of conf/{all,interface}/optimistic_dad is set to 1,
>  	it will be disabled otherwise.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
> +
>  use_optimistic - BOOLEAN
>  	If enabled, do not classify optimistic addresses as deprecated during
>  	source address selection.  Preferred addresses will still be chosen
>  	before optimistic addresses, subject to other ranking in the source
>  	address selection algorithm.
>  
> -	* 0: disabled (default)
> -	* 1: enabled
> -
>  	This will be enabled if at least one of
>  	conf/{all,interface}/use_optimistic is set to 1, disabled otherwise.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
> +
>  stable_secret - IPv6 address
>  	This IPv6 address will be used as a secret to generate IPv6
>  	addresses for link-local addresses and autoconfigured
> @@ -2785,14 +3085,24 @@ drop_unicast_in_l2_multicast - BOOLEAN
>  	Drop any unicast IPv6 packets that are received in link-layer
>  	multicast (or broadcast) frames.
>  
> -	By default this is turned off.
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  drop_unsolicited_na - BOOLEAN
>  	Drop all unsolicited neighbor advertisements, for example if there's
>  	a known good NA proxy on the network and such frames need not be used
>  	(or in the case of 802.11, must not be used to prevent attacks.)
>  
> -	By default this is turned off.
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled).
>  
>  accept_untracked_na - INTEGER
>  	Define behavior for accepting neighbor advertisements from devices that
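
Review bot: The drop_unsolicited_na entry ends with "Default: 0 (disabled)." with a trailing period, while drop_unicast_in_l2_multicast just above it uses "Default: 0 (disabled)" without one. Remove the period so the Default lines are identical in form.
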
> @@ -2833,7 +3143,12 @@ enhanced_dad - BOOLEAN
>  	The nonce option will be sent on an interface unless both of
>  	conf/{all,interface}/enhanced_dad are set to FALSE.
>  
> -	Default: TRUE
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 1 (enabled)
>  
>  ``icmp/*``:
>  ===========
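
Review bot: In enhanced_dad, the unchanged description still reads "unless both of conf/{all,interface}/enhanced_dad are set to FALSE", but the new value list and Default line use 0 and 1. Consider changing "set to FALSE" to "set to 0" in the same patch so the description and the value list use one notation.
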
> @@ -2862,29 +3177,49 @@ ratemask - list of comma separated ranges
>  	Default: 0-1,3-127 (rate limit ICMPv6 errors except Packet Too Big)
>  
>  echo_ignore_all - BOOLEAN
> -	If set non-zero, then the kernel will ignore all ICMP ECHO
> +	If enabled, then the kernel will ignore all ICMP ECHO
>  	requests sent to it over the IPv6 protocol.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  echo_ignore_multicast - BOOLEAN
> -	If set non-zero, then the kernel will ignore all ICMP ECHO
> +	If enabled, then the kernel will ignore all ICMP ECHO
>  	requests sent to it over the IPv6 protocol via multicast.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  echo_ignore_anycast - BOOLEAN
> -	If set non-zero, then the kernel will ignore all ICMP ECHO
> +	If enabled, then the kernel will ignore all ICMP ECHO
>  	requests sent to it over the IPv6 protocol destined to anycast address.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  error_anycast_as_unicast - BOOLEAN
> -	If set to 1, then the kernel will respond with ICMP Errors
> +	If enabled, then the kernel will respond with ICMP Errors
>  	resulting from requests sent to it over the IPv6 protocol destined
>  	to anycast address essentially treating anycast as unicast.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
> +	Default: 0 (disabled)
>  
>  xfrm6_gc_thresh - INTEGER
>  	(Obsolete since linux-4.14)
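
Review bot: For echo_ignore_all, echo_ignore_multicast and echo_ignore_anycast, the old wording "If set non-zero" told the reader that any non-zero value enables the behaviour, and the new text lists only 0 and 1. If these sysctls still accept values other than 0 and 1, the documentation now hides that; either say so in the entry or note in the commit message that only 0 and 1 are valid.
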
> @@ -2902,34 +3237,49 @@ YOSHIFUJI Hideaki / USAGI Project <yoshfuji@...ux-ipv6.org>
>  =================================
>  
>  bridge-nf-call-arptables - BOOLEAN
> -	- 1 : pass bridged ARP traffic to arptables' FORWARD chain.
> -	- 0 : disable this.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled) - disable this.
> +	- 1 (enabled)  - pass bridged ARP traffic to arptables' FORWARD chain.
> +
> +	Default: 1 (enabled)
>  
>  bridge-nf-call-iptables - BOOLEAN
> -	- 1 : pass bridged IPv4 traffic to iptables' chains.
> -	- 0 : disable this.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled) - disable this.
> +	- 1 (enabled)  - pass bridged IPv4 traffic to iptables' chains.
> +
> +	Default: 1 (enabled)
>  
>  bridge-nf-call-ip6tables - BOOLEAN
> -	- 1 : pass bridged IPv6 traffic to ip6tables' chains.
> -	- 0 : disable this.
>  
> -	Default: 1
> +	Possible values:
> +
> +	- 0 (disabled) - disable this.
> +	- 1 (enabled)  - pass bridged IPv6 traffic to ip6tables' chains.
> +
> +	Default: 1 (enabled)
>  
>  bridge-nf-filter-vlan-tagged - BOOLEAN
> -	- 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
> -	- 0 : disable this.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled) - disable this.
> +	- 1 (enabled)  - pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables
> +
> +	Default: 0 (disabled)
>  
>  bridge-nf-filter-pppoe-tagged - BOOLEAN
> -	- 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
> -	- 0 : disable this.
>  
> -	Default: 0
> +	Possible values:
> +
> +	- 0 (disabled) - disable this.
> +	- 1 (enabled)  - pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
> +
> +	Default: 0 (disabled)
>  
>  bridge-nf-pass-vlan-input-dev - BOOLEAN
>  	- 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
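
Review bot: In all five bridge-nf-* entries, removing the old value lines leaves the blank context line directly after the "name - BOOLEAN" term, so "Possible values:" no longer follows the term immediately. In reStructuredText a definition has to follow its term with no blank line in between; with the blank line the indented body is parsed as a block quote instead of the definition. Remove that blank line in each entry. Separately, the "1 (enabled)" item of bridge-nf-filter-vlan-tagged lost the final period its siblings keep.
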
> @@ -2952,11 +3302,12 @@ addip_enable - BOOLEAN
>  	the ability to dynamically add and remove new addresses for the SCTP
>  	associations.
>  
> -	1: Enable extension.
> +	Possible values:
>  
> -	0: Disable extension.
> +	- 0 (disabled) - disable extension.
> +	- 1 (enabled)  - enable extension
>  
> -	Default: 0
> +	Default: 0 (disabled)
>  
>  pf_enable - INTEGER
>  	Enable or disable pf (pf is short for potentially failed) state. A value
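
Review bot: In addip_enable, the two list items are punctuated differently: "disable extension." ends with a period and "enable extension" does not. Pick one form for both items.
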
> @@ -3025,19 +3376,23 @@ auth_enable - BOOLEAN
>  	required for secure operation of Dynamic Address Reconfiguration
>  	(ADD-IP) extension.
>  
> -	- 1: Enable this extension.
> -	- 0: Disable this extension.
> +	Possible values:
>  
> -	Default: 0
> +	- 0 (disabled) - disable extension.
> +	- 1 (enabled)  - enable extension
> +
> +	Default: 0 (disabled)
>  
>  prsctp_enable - BOOLEAN
>  	Enable or disable the Partial Reliability extension (RFC3758) which
>  	is used to notify peers that a given DATA should no longer be expected.
>  
> -	- 1: Enable extension
> -	- 0: Disable
> +	Possible values:
>  
> -	Default: 1
> +	- 0 (disabled) - disable extension.
> +	- 1 (enabled)  - enable extension
> +
> +	Default: 1 (enabled)
>  
>  max_burst - INTEGER
>  	The limit of the number of new packets that can be initially sent.  It
> @@ -3137,10 +3492,12 @@ cookie_preserve_enable - BOOLEAN
>  	Enable or disable the ability to extend the lifetime of the SCTP cookie
>  	that is used during the establishment phase of SCTP association
>  
> -	- 1: Enable cookie lifetime extension.
> -	- 0: Disable
> +	Possible values:
> +
> +	- 0 (disabled) - disable.
> +	- 1 (enabled)  - enable cookie lifetime extension.
>  
> -	Default: 1
> +	Default: 1 (enabled)
>  
>  cookie_hmac_alg - STRING
>  	Select the hmac algorithm used when generating the cookie value sent by
> @@ -3274,10 +3631,12 @@ reconf_enable - BOOLEAN
>          a stream, and it includes the Parameters of "Outgoing/Incoming SSN
>          Reset", "SSN/TSN Reset" and "Add Outgoing/Incoming Streams".
>  
> -	- 1: Enable extension.
> -	- 0: Disable extension.
> +	Possible values:
>  
> -	Default: 0
> +	- 0 (disabled) - Disable extension.
> +	- 1 (enabled) - Enable extension.
> +
> +	Default: 0 (disabled)
>  
>  intl_enable - BOOLEAN
>          Enable or disable extension of User Message Interleaving functionality
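
Review bot: The reconf_enable items are written "Disable extension." and "Enable extension." with a capital letter and a single space before the dash, while the SCTP entries earlier in this patch use lower case and pad "(enabled)  -" so the dashes line up. Since the patch is a consistency cleanup, use one style for the item text across the SCTP section.
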
> @@ -3288,10 +3647,12 @@ intl_enable - BOOLEAN
>          to 1 and also needs to set socket options SCTP_FRAGMENT_INTERLEAVE to 2
>          and SCTP_INTERLEAVING_SUPPORTED to 1.
>  
> -	- 1: Enable extension.
> -	- 0: Disable extension.
> +	Possible values:
>  
> -	Default: 0
> +	- 0 (disabled) - Disable extension.
> +	- 1 (enabled) - Enable extension.
> +
> +	Default: 0 (disabled)
>  
>  ecn_enable - BOOLEAN
>          Control use of Explicit Congestion Notification (ECN) by SCTP.
> @@ -3300,10 +3661,12 @@ ecn_enable - BOOLEAN
>          due to congestion by allowing supporting routers to signal congestion
>          before having to drop packets.
>  
> -        1: Enable ecn.
> -        0: Disable ecn.
> +        Possible values:
>  
> -        Default: 1
> +	- 0 (disabled) - Disable ecn.
> +	- 1 (enabled) - Enable ecn.
> +
> +	Default: 1 (enabled)
>  
>  l3mdev_accept - BOOLEAN
>  	Enabling this option allows a "global" bound socket to work
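
Review bot: In ecn_enable, the added "Possible values:" line is indented with eight spaces, but the added list items and the "Default: 1 (enabled)" line below it are indented with a tab. The untouched description lines of this entry use spaces, so the entry now mixes both. Indent all added lines of the entry the same way.
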
> @@ -3312,6 +3675,11 @@ l3mdev_accept - BOOLEAN
>  	originated. Only valid when the kernel was compiled with
>  	CONFIG_NET_L3_MASTER_DEV.
>  
> +	Possible values:
> +
> +	- 0 (disabled)
> +	- 1 (enabled)
> +
>  	Default: 1 (enabled)
>  
>  

LGTM, thanks!

Reviewed-by: Bagas Sanjaya <bagasdotme@...il.com>

-- 
An old man doll... just what I always wanted! - Clara
