settings
ip/settings
Type: Settings Directory
This menu allows you to configure various IPv4 and IPv6-related kernel and system-wide network parameters. These settings control how the operating system handles IP traffic and network communications.

| Argument | Type | Description |
|---|---|---|
| ip-forward | bool | Enable or disable packet forwarding between interfaces. Resets all configuration parameters to defaults according to RFC 1812 for routers. |
| send-redirects | bool | Send ICMP redirects. Enable this on routers. |
| accept-source-route | bool | Accept packets with the SRR option. Enable this on routers. |
| accept-redirects | bool | Accept ICMP redirect messages. Enable on hosts and disable on routers. |
| secure-redirects | bool | Accept ICMP redirect messages only for gateways listed in the default gateway list. |
| rp-filter | enum (no \| strict \| loose) | Enable or disable source validation. RFC 3704 recommends enabling strict mode to prevent the IP spoofing used in DDoS attacks. If you use asymmetric routing, complex routing, or VRRP, enable loose mode instead. Warning: Strict mode does not work with routing tables. |
| ipv4-multipath-hash-policy | enum (l3 \| l4 \| l3-inner) | IPv4 hash policy used for ECMP routing. |
| tcp-syncookies | bool | Send syncookies when the SYN backlog queue of a socket overflows. This helps prevent SYN flood attacks. However, syncookies violate the TCP protocol and prevent the use of TCP extensions, which can degrade some services (for example, SMTP relaying). This degradation may be visible to your clients and relays contacting you. |
| tcp-timestamps | enum (disabled \| random-offset \| enabled) | Enable or disable TCP timestamps, or add a random offset to TCP timestamps (default behavior). Disabling timestamps can help reduce performance drop spikes. |
| max-neighbor-entries | num | Sets Linux
The ARP cache stores ARP entries, and if some of these entries are incomplete, they can stay in the cache for an indefinite period of time. This will only happen if the number of entries in the cache is less than one-fourth of the maximum number allowed. The reason for this is to prevent the unnecessary running of the garbage-collector when the ARP table is not close to being full. |
| arp-timeout | time | Sets Linux base_reachable_time (base_reachable_time_ms) on all interfaces that use ARP. The initial validity of an ARP entry is picked from the interval [timeout/2 - 3\*timeout/2] (by default, 15s to 45s) after the neighbor is found. The value can take the postfix ms, s, m, h, or d for milliseconds, seconds, minutes, hours, or days; if no postfix is given, seconds (s) are used. The parameter defines how long a valid ARP record is considered complete if no one communicates with the specific MAC/IP during that time. It does not represent the time at which an ARP entry is removed from the ARP cache (see the max-neighbor-entries setting). |
| icmp-rate-limit | num | Limit the maximum rate for sending ICMP packets whose type matches icmp-rate-mask to specific targets. A value of 0 disables limiting; other values set the minimum interval between responses in milliseconds. |
| icmp-rate-mask | num | Mask of ICMP types for which rates are limited. For more information, see the Linux man pages. |
| icmp-errors-use-inbound-interface-address | bool | When enabled, send ICMP error message replies with a source address equal to the primary address of the receiving interface that caused the error. Use this for complex network debugging. |
| ipv4-high-fragment-thresh | num | |
| ipv4-fragment-time | num | |
| allow-fast-path | bool | Allows Fast Path |

| Read-only Argument | Type | Description |
|---|---|---|
| ipv4-fast-path-active | bool | Indicates whether fast-path is active. |
| ipv4-fast-path-packets | num | Amount of fast-pathed packets. |
| ipv4-fast-path-bytes | num | Amount of fast-pathed bytes. |
| ipv4-fasttrack-active | bool | Indicates whether fasttrack is active. |
| ipv4-fasttrack-packets | num | Amount of fasttracked packets. |
| ipv4-fasttrack-bytes | num | Amount of fasttracked bytes. |
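
One way to check a device against the guidance in the tables above, as an added example that is not part of the original documentation. The dump format (whitespace-separated name=value tokens, bools written as yes/no), the `role` and `asymmetric_routing` parameters and all function names are assumptions; the bit-to-type reading of icmp-rate-mask follows Linux's icmp_ratemask.

```python
# Added example, not vendor code. Assumed input: whitespace-separated
# name=value tokens, with bool settings written as yes/no.

def parse_settings(text):
    """Turn name=value tokens into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def rate_limited_types(mask):
    """ICMP type numbers selected by icmp-rate-mask (Linux: bit n = type n)."""
    return [bit for bit in range(mask.bit_length()) if (mask >> bit) & 1]

def audit(settings, role="router", asymmetric_routing=False):
    """Return (setting, finding) pairs; settings missing from the dump are skipped.

    asymmetric_routing (hypothetical flag) covers the asymmetric-routing,
    complex-routing and VRRP cases the rp-filter row names.
    """
    findings = []
    rp = settings.get("rp-filter")
    if rp == "no":
        findings.append(("rp-filter", "source validation is disabled"))
    elif rp == "strict" and asymmetric_routing:
        findings.append(("rp-filter", "strict mode with asymmetric routing; use loose"))
    elif rp == "loose" and not asymmetric_routing:
        findings.append(("rp-filter", "loose mode without asymmetric routing; use strict"))
    accepts = settings.get("accept-redirects") == "yes"
    if accepts and role == "router":
        findings.append(("accept-redirects", "routers should not accept ICMP redirects"))
    if accepts and settings.get("secure-redirects") == "no":
        findings.append(("secure-redirects", "redirects are not limited to default gateways"))
    if settings.get("tcp-syncookies") == "no":
        findings.append(("tcp-syncookies", "no syncookies when the SYN backlog overflows"))
    limit, mask = settings.get("icmp-rate-limit"), settings.get("icmp-rate-mask")
    if limit is not None and int(limit, 0) == 0:
        findings.append(("icmp-rate-limit", "0 disables ICMP rate limiting"))
    elif limit is not None and mask is not None and not rate_limited_types(int(mask, 0)):
        findings.append(("icmp-rate-mask", "mask selects no ICMP types to limit"))
    return findings

# Constructed sample dump for a router with symmetric routing.
SAMPLE = """rp-filter=no accept-redirects=yes secure-redirects=no
tcp-syncookies=no icmp-rate-limit=10 icmp-rate-mask=0"""

if __name__ == "__main__":
    for name, finding in audit(parse_settings(SAMPLE)):
        print(f"{name}: {finding}")
```

Settings the table gives no guidance for (for example the fragment thresholds) are deliberately not checked.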