Advanced Linux Routing and Traffic Control: Kernel network parameters

The kernel has many parameters that can be adjusted in different environments. Typically, the default defaults can meet 99% of the environmental requirements, we don ' t call the http://www.aliyun.com/zixun/aggregation/3415.html ' >advanced HOWTO for the Fun of it!

There is a very interesting place:/proc/sys/net, you should see. It didn't get all the content in the first place, but we're trying to do it.

Sometimes you need to look at Linux's kernel source code and read Documentation/filesystems/proc.txt. Most of the features are explained there.

1. Reverse Path filtering

By default, routers route all packets, even though some packets "obviously" do not belong to your network. A simple example is a private IP space overflow onto the internet. If you have a network card with a route to 195.96.96.0/24, you will not expect to receive packets from 212.64.94.1 from here.
A lot of people want to turn this off, so the kernel writers are doing it. You can use some of the files in/proc to configure whether the kernel uses this feature. This method is called "Reverse path Filtering". Basically, if a packet's response packet is not sent out from its network card, it is considered a fake packet and should be discarded.

The following fragment will enable this feature on all (including future) network adapters:

# for I in/proc/sys/net/ipv4/conf/*/rp_filter; Do
> Echo 2 > $i
> Done

According to the example above, if a source address is a packet from the Office+isp subnet and arrives from the eth1 port of the Linux router, it is discarded. Similarly, if a packet from an office subnet declares that it came from somewhere outside the firewall, it is discarded as well.

It says full reverse path filtering. But the province situation is only based on the network interface directly with the subnet address filtering. This is because complete reverse path filtering destroys asymmetric routing (that is, the packet is moving from one path to the other)-for example, you are using dynamic routing in the Network (BGP, OSPF, RIP, or satellite communications, data from the satellite down to the router, uplink data is transmitted through the ground line. )。

If you have these conditions, you can simply turn off the satellite downlink data to enter the Rp_filter of the network card. If you want to see which packages are discarded, you can notify the kernel to write logs to your syslog via the Log_martians file in the same directory.

# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians

2. Deep setting

There are many parameters that can be modified. We hope to be able to list them all. There are also some records in Documentation/ip-sysctl.txt.

Some of the defaults in these settings depend on whether you selected the Configure as router and not host when the kernel was configured.

Oskar Andreasson also has a page that is more detailed than the one we discussed: http://ipsysctl-tutorial.frozentux.net/