| 1 | +Many of the defaults here are are taken from the Frr recommendations [1]. |
| 2 | +Below are relevant excerpts from the kernel documentation. |
| 3 | + |
| 4 | + |
| 5 | +accept_ra, accept Router Advertisements; autoconfigure using them, also |
| 6 | + determines whether or not to transmit Router Solicitations. |
| 7 | + If and only if the functional setting is to accept Router |
| 8 | + Advertisements, Router Solicitations will be transmitted. |
| 9 | + |
| 10 | + 0 - Do not accept Router Advertisements. |
| 11 | + |
| 12 | + 1 - Accept Router Advertisements if forwarding is disabled. |
| 13 | + |
| 14 | + 2 - Overrule forwarding behaviour. Accept Router Advertisements even |
| 15 | + if forwarding is enabled. |
| 16 | + |
| 17 | + Default: |
| 18 | + - enabled if local forwarding is disabled |
| 19 | + - disabled if local forwarding is enabled |
| 20 | + |
| 21 | + |
| 22 | +accept_ra_pinfo, learn Prefix Information in Router Advertisement. |
| 23 | + |
| 24 | + Default: |
| 25 | + - enabled if accept_ra is enabled |
| 26 | + - disabled if accept_ra is disabled |
| 27 | + |
| 28 | + |
| 29 | +autoconf, autoconfigure IPv6 addresses using Prefix Information in |
| 30 | + Router Advertisements. |
| 31 | + |
| 32 | + Default: |
| 33 | + - enabled if accept_ra_pinfo is enabled |
| 34 | + - disabled if accept_ra_pinfo is disabled |
| 35 | + |
| 36 | + |
| 37 | +arp_announce, define restriction level for announcing the local source |
| 38 | + address from IP packets in ARP requests sent on interface: |
| 39 | + |
| 40 | + 0 - (default) Use any local address, configured on any interface |
| 41 | + |
| 42 | + 1 - Try to avoid local addresses that are not in the target’s subnet |
| 43 | + for this interface. Useful when target hosts reachable via this |
| 44 | + interface require the source IP address in ARP requests to be part |
| 45 | + of their logical network configured on the receiving interface. |
| 46 | + When we generate the request we will check all our subnets that |
| 47 | + include the target IP and will preserve the source address if it |
| 48 | + is from such subnet. If there is no such subnet we select source |
| 49 | + address according to the rules for level 2. |
| 50 | + |
| 51 | + 2 - Always use the best local address for this target. In this mode we |
| 52 | + ignore the source address in the IP packet and try to select local |
| 53 | + address that we prefer for talks with the target host. Such local |
| 54 | + address is selected by looking for primary IP addresses on all our |
| 55 | + subnets on the outgoing interface that include the target address. |
| 56 | + If no suitable local address is found we select the first local |
| 57 | + address we have on the outgoing interface or on all other |
| 58 | + interfaces, with the hope we will receive reply for our request |
| 59 | + and even sometimes no matter the source IP address we announce. |
| 60 | + |
| 61 | + |
| 62 | +arp_notify, define mode for notification of address and device changes. |
| 63 | + |
| 64 | + 0 - (default): do nothing |
| 65 | + 1 - generate gratuitous arp requests when device is brought up or |
| 66 | + hardware address changes. |
| 67 | + |
| 68 | + |
| 69 | +arp_ignore, define different modes for sending replies in response to |
| 70 | + received ARP requests that resolve local target addresses: |
| 71 | + |
| 72 | + 0 - (default): reply for any local target IP address, configured on |
| 73 | + any interface |
| 74 | + |
| 75 | + 1 - reply only if the target IP address is a local address configured |
| 76 | + on the incoming interface |
| 77 | + |
| 78 | + 2 - reply only if the target IP address is local address configured on |
| 79 | + the incoming interface and both with the sender’s IP address are part |
| 80 | + from same subnet on this interface |
| 81 | + |
| 82 | + 3 - do not reply for local addresses configured with scope host, only |
| 83 | + resolutions for global and link addresses are replied |
| 84 | + |
| 85 | + 4-7 - reserved |
| 86 | + |
| 87 | + 8 - do not reply for all local addresses |
| 88 | + |
| 89 | + |
| 90 | +arp_accept, define behavior for accepting gratuitous ARP (garp) frames |
| 91 | + from devices that are not already present in the ARP table: |
| 92 | + |
| 93 | + 0 - don’t create new entries in the ARP table |
| 94 | + |
| 95 | + 1 - create new entries in the ARP table |
| 96 | + |
| 97 | + 2 - create new entries only if the source IP address is in the same |
| 98 | + subnet as an address configured on the interface that received |
| 99 | + the garp message. |
| 100 | + |
| 101 | + Both replies and requests type gratuitous arp will trigger the ARP |
| 102 | + table to be updated, if this setting is on. If the ARP table already |
| 103 | + contains the IP address of the gratuitous arp frame, the arp table |
| 104 | + will be updated regardless if this setting is on or off. |
| 105 | + |
| 106 | + |
| 107 | +icmp_errors_use_inbound_ifaddr |
| 108 | + |
| 109 | + 0 - (default): icmp error messages are sent with the primary address |
| 110 | + of the exiting interface. |
| 111 | + |
| 112 | + 1 - the message will be sent with the primary address of the interface |
| 113 | + that received the packet that caused the icmp error. This is the |
| 114 | + behaviour many network administrators will expect from a router. |
| 115 | + And it can make debugging complicated network layouts much easier. |
| 116 | + |
| 117 | + Note, if no primary address exists for the interface selected, then |
| 118 | + the primary address of the first non-loopback interface that has one |
| 119 | + will be used regardless of this setting. |
| 120 | + |
| 121 | + |
| 122 | +rp_filter, reverse path source filtering: |
| 123 | + |
| 124 | + 0 - (default): no source validation. |
| 125 | + |
| 126 | + 1 - Strict mode as defined in RFC3704, 'Strict Reverse Path'. Each |
| 127 | + incoming packet is tested against the FIB and if the interface is |
| 128 | + not the best reverse path the packet check will fail. By default |
| 129 | + failed packets are discarded. |
| 130 | + |
| 131 | + 2 - Loose mode as defined in RFC3704, 'Loose Reverse Path'. Each |
| 132 | + incoming packet’s source address is also tested against the FIB |
| 133 | + and if the source address is not reachable via any interface the |
| 134 | + packet check will fail. |
| 135 | + |
| 136 | + Current recommended practice in RFC3704 is to enable strict mode to |
| 137 | + prevent IP spoofing from DDos attacks. If using asymmetric routing or |
| 138 | + other complicated routing, then loose mode is recommended. |
| 139 | + |
| 140 | + The max value from conf/{all,interface}/rp_filter is used when doing |
| 141 | + source validation on the {interface}. |
| 142 | + |
| 143 | + |
| 144 | + |
| 145 | +[1]: https://github.com/FRRouting/frr/blob/master/doc/user/Useful_Sysctl_Settings.md |
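Review bot: the intro on line 1 says the defaults are "taken from the Frr recommendations" but the file never states which values the project actually sets, so a reader cannot tell from this doc whether rp_filter is 1 or 2, which arp_ignore level is used, or what accept_ra is set to on a forwarding box; add a "Set to: N" line (or a short table) beside each excerpt, and fix the doubled "are are" and the project name "FRR" on that line. Copy points in the pasted excerpts: "DDos" on line 137 should be "DDoS"; the arp_notify block (lines 64-66) lacks the blank line between its 0 and 1 entries that every other block uses; and the curly apostrophes in "target's", "sender's" and "don't" (lines 42, 79, 93) should be plain ASCII in a plain-text file. The rp_filter excerpt's own caveat (lines 136-138) is the one reviewers should check against the chosen value: strict mode drops legitimate traffic under asymmetric routing, which is common on a router running FRR, so whichever mode is picked should be justified next to it, along with the note that conf/all and the per-interface value combine by taking the maximum (lines 140-141), so setting only one of them is not enough to loosen it.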