2 .\" This man page is Copyright (C) 1999 Andi Kleen <ak@muc.de>.
4 .\" %%%LICENSE_START(VERBATIM_ONE_PARA)
5 .\" Permission is granted to distribute possibly modified copies
6 .\" of this page provided the header is included verbatim,
7 .\" and in case of nontrivial modification author and date
8 .\" of the modification is added to the header.
11 .\" $Id: ip.7,v 1.19 2000/12/20 18:10:31 ak Exp $
13 .\" FIXME The following socket options are yet to be documented
14 .\" IP_XFRM_POLICY (2.5.48)
15 .\" Needs CAP_NET_ADMIN
16 .\" IP_IPSEC_POLICY (2.5.47)
17 .\" Needs CAP_NET_ADMIN
18 .\" IP_PASSSEC (2.6.17)
20 .\" commit 2c7946a7bf45ae86736ab3b43d0085e43947945c
21 .\" Author: Catherine Zhang <cxzhang@watson.ibm.com>
22 .\" IP_MINTTL (2.6.34)
23 .\" commit d218d11133d888f9745802146a50255a4781d37a
24 .\" Author: Stephen Hemminger <shemminger@vyatta.com>
25 .\" MCAST_JOIN_GROUP (2.4.22 / 2.6)
26 .\" MCAST_BLOCK_SOURCE (2.4.22 / 2.6)
27 .\" MCAST_UNBLOCK_SOURCE (2.4.22 / 2.6)
28 .\" MCAST_LEAVE_GROUP (2.4.22 / 2.6)
29 .\" MCAST_JOIN_SOURCE_GROUP (2.4.22 / 2.6)
30 .\" MCAST_LEAVE_SOURCE_GROUP (2.4.22 / 2.6)
31 .\" MCAST_MSFILTER (2.4.22 / 2.6)
32 .\" IP_UNICAST_IF (3.4)
33 .\" commit 76e21053b5bf33a07c76f99d27a74238310e3c71
34 .\" Author: Erich E. Hoover <ehoover@mines.edu>
36 .TH IP 7 2016-10-08 "Linux" "Linux Programmer's Manual"
38 ip \- Linux IPv4 protocol implementation
40 .B #include <sys/socket.h>
42 .\" .B #include <net/netinet.h> -- does not exist anymore
43 .\" .B #include <linux/errqueue.h> -- never include <linux/foo.h>
44 .B #include <netinet/in.h>
46 .B #include <netinet/ip.h> \fR/* superset of previous */
48 .IB tcp_socket " = socket(AF_INET, SOCK_STREAM, 0);"
50 .IB udp_socket " = socket(AF_INET, SOCK_DGRAM, 0);"
52 .IB raw_socket " = socket(AF_INET, SOCK_RAW, " protocol ");"
54 Linux implements the Internet Protocol, version 4,
55 described in RFC\ 791 and RFC\ 1122.
57 contains a level 2 multicasting implementation conforming to RFC\ 1112.
58 It also contains an IP router including a packet filter.
59 .\" FIXME . has someone verified that 2.1 is really 1812 compliant?
61 The programming interface is BSD-sockets compatible.
62 For more information on sockets, see
65 An IP socket is created using
68 socket(AF_INET, socket_type, protocol);
70 Valid socket types are
82 socket to access the IP protocol directly.
84 is the IP protocol in the IP header to be received or sent.
85 The only valid values for
89 for TCP sockets, and 0 and
94 you may specify a valid IANA IP protocol defined in
95 RFC\ 1700 assigned numbers.
97 When a process wants to receive new incoming packets or connections, it
98 should bind a socket to a local interface address using
100 In this case, only one IP socket may be bound to any given local
101 (address, port) pair.
104 is specified in the bind call, the socket will be bound to
109 is called on an unbound socket, the socket is automatically bound
110 to a random free port with the local address set to
114 is called on an unbound socket, the socket is automatically bound
115 to a random free port or to a usable shared port with the local address
119 A TCP local socket address that has been bound is unavailable for
120 some time after closing, unless the
123 Care should be taken when using this flag as it makes TCP less reliable.
125 An IP socket address is defined as a combination of an IP interface
126 address and a 16-bit port number.
127 The basic IP protocol does not supply port numbers, they
128 are implemented by higher level protocols like
134 is set to the IP protocol.
139 sa_family_t sin_family; /* address family: AF_INET */
140 in_port_t sin_port; /* port in network byte order */
141 struct in_addr sin_addr; /* internet address */
144 /* Internet address. */
146 uint32_t s_addr; /* address in network byte order */
154 This is required; in Linux 2.2 most networking functions return
156 when this setting is missing.
158 contains the port in network byte order.
159 The port numbers below 1024 are called
160 .IR "privileged ports"
162 .IR "reserved ports" ).
163 Only a privileged process
164 (on Linux: a process that has the
165 .B CAP_NET_BIND_SERVICE
166 capability in the user namespace governing its network namespace) may
169 Note that the raw IPv4 protocol as such has no concept of a
170 port, they are implemented only by higher protocols like
176 is the IP host address.
181 contains the host interface address in network byte order.
183 should be assigned one of the
190 .BR inet_makeaddr (3)
191 library functions or directly with the name resolver (see
192 .BR gethostbyname (3)).
194 IPv4 addresses are divided into unicast, broadcast,
195 and multicast addresses.
196 Unicast addresses specify a single interface of a host,
197 broadcast addresses specify all hosts on a network, and multicast
198 addresses address all hosts in a multicast group.
199 Datagrams to broadcast addresses can be sent or received only when the
202 In the current implementation, connection-oriented sockets are allowed
203 to use only unicast addresses.
204 .\" Leave a loophole for XTP @)
206 Note that the address and the port are always stored in
208 In particular, this means that you need to call
210 on the number that is assigned to a port.
211 All address/port manipulation
212 functions in the standard library work in network byte order.
214 There are several special addresses:
217 always refers to the local host via the loopback device;
220 means any address for binding;
223 means any host and has the same effect on bind as
225 for historical reasons.
227 IP supports some protocol-specific socket options that can be set with
231 The socket option level for IP is
233 .\" or SOL_IP on Linux
234 A boolean integer flag is zero when it is false, otherwise true.
236 When an invalid socket option is specified,
243 .BR IP_ADD_MEMBERSHIP " (since Linux 1.2)"
244 Join a multicast group.
252 struct in_addr imr_multiaddr; /* IP multicast group
254 struct in_addr imr_address; /* IP address of local
256 int imr_ifindex; /* interface index */
262 contains the address of the multicast group the application
263 wants to join or leave.
264 It must be a valid multicast address
265 .\" (i.e., within the 224.0.0.0-239.255.255.255 range)
271 is the address of the local interface with which the system
272 should join the multicast group; if it is equal to
274 an appropriate interface is chosen by the system.
276 is the interface index of the interface that should join/leave the
278 group, or 0 to indicate any interface.
282 structure is available only since Linux 2.2.
283 For compatibility, the old
285 structure (present since Linux 1.2) is still supported;
288 only by not including the
291 (The kernel determines which structure is being passed based
292 on the size passed in
300 .BR IP_ADD_SOURCE_MEMBERSHIP " (since Linux 2.4.22 / 2.5.68)"
301 Join a multicast group and allow receiving data only
302 from a specified source.
309 struct ip_mreq_source {
310 struct in_addr imr_multiaddr; /* IP multicast group
312 struct in_addr imr_interface; /* IP address of local
314 struct in_addr imr_sourceaddr; /* IP address of
322 structure is similar to
325 .BR IP_ADD_MEMBERSIP .
328 field contains the address of the multicast group the application
329 wants to join or leave.
332 field is the address of the local interface with which
333 the system should join the multicast group.
336 field contains the address of the source the
337 application wants to receive data from.
339 This option can be used multiple times to allow
340 receiving data from more than one source.
342 .BR IP_BIND_ADDRESS_NO_PORT " (since Linux 4.2)"
343 .\" commit 90c337da1524863838658078ec34241f45d8394d
344 Inform the kernel to not reserve an ephemeral port when using
346 with a port number of 0.
347 The port will later be automatically chosen at
350 in a way that allows sharing a source port as long as the 4-tuple is unique.
352 .BR IP_BLOCK_SOURCE " (since Linux 2.4.22 / 2.5.68)"
353 Stop receiving multicast data from a specific source in a given group.
354 This is valid only after the application has subscribed
355 to the multicast group using either
356 .BR IP_ADD_MEMBERSHIP
358 .BR IP_ADD_SOURCE_MEMBERSHIP .
362 structure as described under
363 .BR IP_ADD_SOURCE_MEMBERSHIP .
365 .BR IP_DROP_MEMBERSHIP " (since Linux 1.2)"
366 Leave a multicast group.
372 .BR IP_ADD_MEMBERSHIP .
374 .BR IP_DROP_SOURCE_MEMBERSHIP " (since Linux 2.4.22 / 2.5.68)"
375 Leave a source-specific group\(emthat is, stop receiving data from
376 a given multicast group that come from a given source.
377 If the application has subscribed to multiple sources within
378 the same group, data from the remaining sources will still be delivered.
379 To stop receiving data from all sources at once, use
380 .BR IP_DROP_MEMBERSHIP .
384 structure as described under
385 .BR IP_ADD_SOURCE_MEMBERSHIP .
387 .BR IP_FREEBIND " (since Linux 2.4)"
388 .\" Precisely: 2.4.0-test10
389 If enabled, this boolean option allows binding to an IP address
390 that is nonlocal or does not (yet) exist.
391 This permits listening on a socket,
392 without requiring the underlying network interface or the
393 specified dynamic IP address to be up at the time that
394 the application is trying to bind to it.
395 This option is the per-socket equivalent of the
398 interface described below.
400 .BR IP_HDRINCL " (since Linux 2.0)"
402 the user supplies an IP header in front of the user data.
407 for more information.
408 When this flag is enabled, the values set by
415 .BR IP_MSFILTER " (since Linux 2.4.22 / 2.5.68)"
416 This option provides access to the advanced full-state filtering API.
424 struct in_addr imsf_multiaddr; /* IP multicast group
426 struct in_addr imsf_interface; /* IP address of local
428 uint32_t imsf_fmode; /* Filter-mode */
430 uint32_t imsf_numsrc; /* Number of sources in
431 the following array */
432 struct in_addr imsf_slist[1]; /* Array of source
438 There are two macros,
442 which can be used to specify the filtering mode.
444 .BR IP_MSFILTER_SIZE (n)
445 macro exists to determine how much memory is needed to store
449 sources in the source list.
451 For the full description of multicast source filtering
454 .BR IP_MTU " (since Linux 2.2)"
455 .\" Precisely: 2.1.124
456 Retrieve the current known path MTU of the current socket.
462 and can be employed only when the socket has been connected.
464 .BR IP_MTU_DISCOVER " (since Linux 2.2)"
465 .\" Precisely: 2.1.124
466 Set or receive the Path MTU Discovery setting for a socket.
467 When enabled, Linux will perform Path MTU Discovery
468 as defined in RFC\ 1191 on
475 forces the don't-fragment flag to be set on all outgoing packets.
476 It is the user's responsibility to packetize the data
477 in MTU-sized chunks and to do the retransmits if necessary.
478 The kernel will reject (with
480 datagrams that are bigger than the known path MTU.
482 will fragment a datagram if needed according to the path MTU,
483 or will set the don't-fragment flag otherwise.
485 The system-wide default can be toggled between
489 by writing (respectively, zero and nonzero values) to the
490 .I /proc/sys/net/ipv4/ip_no_pmtu_disc
496 Path MTU discovery value:Meaning
497 IP_PMTUDISC_WANT:Use per-route settings.
498 IP_PMTUDISC_DONT:Never do Path MTU Discovery.
499 IP_PMTUDISC_DO:Always do Path MTU Discovery.
500 IP_PMTUDISC_PROBE:Set DF but ignore Path MTU.
503 When PMTU discovery is enabled, the kernel automatically keeps track of
504 the path MTU per destination host.
505 When it is connected to a specific peer with
507 the currently known path MTU can be retrieved conveniently using the
509 socket option (e.g., after an
512 The path MTU may change over time.
513 For connectionless sockets with many destinations,
514 the new MTU for a given destination can also be accessed using the
517 A new error will be queued for every incoming MTU update.
519 While MTU discovery is in progress, initial packets from datagram sockets
521 Applications using UDP should be aware of this and not
522 take it into account for their packet retransmit strategy.
524 To bootstrap the path MTU discovery process on unconnected sockets, it
525 is possible to start with a big datagram size
526 (up to 64K-headers bytes long) and let it shrink by updates of the path MTU.
527 .\" FIXME . this is an ugly hack
529 To get an initial estimate of the
530 path MTU, connect a datagram socket to the destination address using
532 and retrieve the MTU by calling
538 It is possible to implement RFC 4821 MTU probing with
542 sockets by setting a value of
543 .BR IP_PMTUDISC_PROBE
544 (available since Linux 2.6.22).
545 This is also particularly useful for diagnostic tools such as
547 that wish to deliberately send probe packets larger than
548 the observed Path MTU.
550 .BR IP_MULTICAST_ALL " (since Linux 2.6.31)"
551 This option can be used to modify the delivery policy of multicast messages
552 to sockets bound to the wildcard
555 The argument is a boolean integer (defaults to 1).
557 the socket will receive messages from all the groups that have been joined
558 globally on the whole system.
559 Otherwise, it will deliver messages only from
560 the groups that have been explicitly joined (for example via the
562 option) on this particular socket.
564 .BR IP_MULTICAST_IF " (since Linux 1.2)"
565 Set the local device for a multicast socket.
571 .\" net: IP_MULTICAST_IF setsockopt now recognizes struct mreq
572 .\" Commit: 3a084ddb4bf299a6e898a9a07c89f3917f0713f7
576 .BR IP_ADD_MEMBERSHIP ,
580 (The kernel determines which structure is being passed based
581 on the size passed in
589 .BR IP_MULTICAST_LOOP " (since Linux 1.2)"
590 Set or read a boolean integer argument that determines whether
591 sent multicast packets should be looped back to the local sockets.
593 .BR IP_MULTICAST_TTL " (since Linux 1.2)"
594 Set or read the time-to-live value of outgoing multicast packets for this
596 It is very important for multicast packets to set the smallest TTL possible.
597 The default is 1 which means that multicast packets don't leave the local
598 network unless the user program explicitly requests it.
599 Argument is an integer.
601 .BR IP_NODEFRAG " (since Linux 2.6.36)"
602 If enabled (argument is nonzero),
603 the reassembly of outgoing packets is disabled in the netfilter layer.
604 The argument is an integer.
606 This option is valid only for
610 .BR IP_OPTIONS " (since Linux 2.0)"
611 .\" Precisely: 1.3.30
612 Set or get the IP options to be sent with every packet from this socket.
613 The arguments are a pointer to a memory buffer containing the options
614 and the option length.
617 call sets the IP options associated with a socket.
618 The maximum option size for IPv4 is 40 bytes.
619 See RFC\ 791 for the allowed options.
620 When the initial connection request packet for a
622 socket contains IP options, the IP options will be set automatically
623 to the options from the initial packet with routing headers reversed.
624 Incoming packets are not allowed to change options after the connection
626 The processing of all incoming source routing options
627 is disabled by default and can be enabled by using the
628 .I accept_source_route
631 Other options like timestamps are still handled.
632 For datagram sockets, IP options can be only set by the local user.
637 puts the current IP options used for sending into the supplied buffer.
639 .BR IP_PKTINFO " (since Linux 2.2)"
640 .\" Precisely: 2.1.68
643 ancillary message that contains a
645 structure that supplies some information about the incoming packet.
646 This only works for datagram oriented sockets.
647 The argument is a flag that tells the socket whether the
649 message should be passed or not.
650 The message itself can only be sent/retrieved
651 as control message with a packet using
659 unsigned int ipi_ifindex; /* Interface index */
660 struct in_addr ipi_spec_dst; /* Local address */
661 struct in_addr ipi_addr; /* Header Destination
667 .\" FIXME . elaborate on that.
669 is the unique index of the interface the packet was received on.
671 is the local address of the packet and
673 is the destination address in the packet header.
679 .\" This field is grossly misnamed
681 is not zero, then it is used as the local source address for the routing
682 table lookup and for setting up IP source route options.
685 is not zero, the primary local address of the interface specified by the
688 for the routing table lookup.
690 .BR IP_RECVERR " (since Linux 2.2)"
691 .\" Precisely: 2.1.15
692 Enable extended reliable error message passing.
693 When enabled on a datagram socket, all
694 generated errors will be queued in a per-socket error queue.
695 When the user receives an error from a socket operation,
696 the errors can be received by calling
703 structure describing the error will be passed in an ancillary message with
708 .\" or SOL_IP on Linux
709 This is useful for reliable error handling on unconnected sockets.
710 The received data portion of the error queue contains the error packet.
714 control message contains a
721 #define SO_EE_ORIGIN_NONE 0
722 #define SO_EE_ORIGIN_LOCAL 1
723 #define SO_EE_ORIGIN_ICMP 2
724 #define SO_EE_ORIGIN_ICMP6 3
726 struct sock_extended_err {
727 uint32_t ee_errno; /* error number */
728 uint8_t ee_origin; /* where the error originated */
729 uint8_t ee_type; /* type */
730 uint8_t ee_code; /* code */
732 uint32_t ee_info; /* additional information */
733 uint32_t ee_data; /* other data */
734 /* More data may follow */
737 struct sockaddr *SO_EE_OFFENDER(struct sock_extended_err *);
744 number of the queued error.
746 is the origin code of where the error originated.
747 The other fields are protocol-specific.
750 returns a pointer to the address of the network object
751 where the error originated from given a pointer to the ancillary message.
752 If this address is not known, the
758 and the other fields of the
764 structure as follows:
768 for errors received as an ICMP packet, or
769 .B SO_EE_ORIGIN_LOCAL
770 for locally generated errors.
771 Unknown values should be ignored.
775 are set from the type and code fields of the ICMP header.
777 contains the discovered MTU for
780 The message also contains the
781 .I sockaddr_in of the node
782 caused the error, which can be accessed with the
791 when the source was unknown.
792 When the error originated from the network, all IP options
793 .RB ( IP_OPTIONS ", " IP_TTL ", "
794 etc.) enabled on the socket and contained in the
795 error packet are passed as control messages.
796 The payload of the packet causing the error is returned as normal payload.
797 .\" FIXME . Is it a good idea to document that? It is a dubious feature.
802 .\" has slightly different semantics. Instead of
803 .\" saving the errors for the next timeout, it passes all incoming
804 .\" errors immediately to the user.
805 .\" This might be useful for very short-lived TCP connections which
806 .\" need fast error handling. Use this option with care:
807 .\" it makes TCP unreliable
808 .\" by not allowing it to recover properly from routing
809 .\" shifts and other normal
810 .\" conditions and breaks the protocol specification.
811 Note that TCP has no error queue;
817 is valid for TCP, but all errors are returned by socket function return or
823 enables passing of all received ICMP errors to the
824 application, otherwise errors are only reported on connected sockets
826 It sets or retrieves an integer boolean flag.
830 .BR IP_RECVOPTS " (since Linux 2.2)"
831 .\" Precisely: 2.1.15
832 Pass all incoming IP options to the user in a
835 The routing header and other options are already filled in
841 .BR IP_RECVORIGDSTADDR " (since Linux 2.6.29)"
842 .\" commit e8b2dfe9b4501ed0047459b2756ba26e5a940a69
843 This boolean option enables the
847 in which the kernel returns the original destination address
848 of the datagram being received.
849 The ancillary message contains a
850 .IR "struct sockaddr_in" .
852 .BR IP_RECVTOS " (since Linux 2.2)"
853 .\" Precisely: 2.1.68
856 ancillary message is passed with incoming packets.
857 It contains a byte which specifies the Type of Service/Precedence
858 field of the packet header.
859 Expects a boolean integer flag.
861 .BR IP_RECVTTL " (since Linux 2.2)"
862 .\" Precisely: 2.1.68
863 When this flag is set, pass a
865 control message with the time-to-live
866 field of the received packet as a byte.
871 .BR IP_RETOPTS " (since Linux 2.2)"
872 .\" Precisely: 2.1.15
875 but returns raw unprocessed options with timestamp and route record
876 options not filled in for this hop.
878 .BR IP_ROUTER_ALERT " (since Linux 2.2)"
879 .\" Precisely: 2.1.68
880 Pass all to-be forwarded packets with the
881 IP Router Alert option set to this socket.
882 Valid only for raw sockets.
883 This is useful, for instance, for user-space RSVP daemons.
884 The tapped packets are not forwarded by the kernel; it is
885 the user's responsibility to send them out again.
886 Socket binding is ignored,
887 such packets are only filtered by protocol.
888 Expects an integer flag.
890 .BR IP_TOS " (since Linux 1.0)"
891 Set or receive the Type-Of-Service (TOS) field that is sent
892 with every IP packet originating from this socket.
893 It is used to prioritize packets on the network.
895 There are some standard TOS flags defined:
897 to minimize delays for interactive traffic,
899 to optimize throughput,
901 to optimize for reliability,
903 should be used for "filler data" where slow transmission doesn't matter.
904 At most one of these TOS values can be specified.
905 Other bits are invalid and shall be cleared.
908 datagrams first by default,
909 but the exact behavior depends on the configured queueing discipline.
910 .\" FIXME elaborate on this
911 Some high-priority levels may require superuser privileges (the
914 .\" The priority can also be set in a protocol-independent way by the
915 .\" .RB ( SOL_SOCKET ", " SO_PRIORITY )
916 .\" socket option (see
919 .BR IP_TRANSPARENT " (since Linux 2.6.24)"
920 .\" commit f5715aea4564f233767ea1d944b2637a5fd7cd2e
921 .\" This patch introduces the IP_TRANSPARENT socket option: enabling that
922 .\" will make the IPv4 routing omit the non-local source address check on
923 .\" output. Setting IP_TRANSPARENT requires NET_ADMIN capability.
924 .\" http://lwn.net/Articles/252545/
925 Setting this boolean option enables transparent proxying on this socket.
926 This socket option allows
927 the calling application to bind to a nonlocal IP address and operate
928 both as a client and a server with the foreign address as the local endpoint.
929 NOTE: this requires that routing be set up in a way that
930 packets going to the foreign address are routed through the TProxy box
931 (i.e., the system hosting the application that employs the
934 Enabling this socket option requires superuser privileges
939 TProxy redirection with the iptables TPROXY target also requires that
940 this option be set on the redirected socket.
942 .BR IP_TTL " (since Linux 1.0)"
943 Set or retrieve the current time-to-live field that is used in every packet
944 sent from this socket.
946 .BR IP_UNBLOCK_SOURCE " (since Linux 2.4.22 / 2.5.68)"
947 Unblock previously blocked multicast source.
950 when given source is not being blocked.
954 structure as described under
955 .BR IP_ADD_SOURCE_MEMBERSHIP .
960 interfaces to configure some global parameters.
961 The parameters can be accessed by reading or writing files in the directory
962 .IR /proc/sys/net/ipv4/ .
963 .\" FIXME As at 2.6.12, 14 Jun 2005, the following are undocumented:
966 Interfaces described as
968 take an integer value, with a nonzero value ("true") meaning that
969 the corresponding option is enabled, and a zero value ("false")
970 meaning that the option is disabled.
973 .IR ip_always_defrag " (Boolean; since Linux 2.2.13)"
974 [New with kernel 2.2.13; in earlier kernel versions this feature
975 was controlled at compile time by the
976 .B CONFIG_IP_ALWAYS_DEFRAG
977 option; this option is not present in 2.4.x and later]
979 When this boolean flag is enabled (not equal 0), incoming fragments
981 that arose when some host between origin and destination decided
982 that the packets were too large and cut them into pieces) will be
983 reassembled (defragmented) before being processed, even if they are
984 about to be forwarded.
986 Only enable if running either a firewall that is the sole link
987 to your network or a transparent proxy; never ever use it for a
988 normal router or host.
989 Otherwise, fragmented communication can be disturbed
990 if the fragments travel over different links.
991 Defragmentation also has a large memory and CPU time cost.
993 This is automagically turned on when masquerading or transparent
994 proxying are configured.
997 .IR ip_autoconfig " (since Linux 2.2 to 2.6.17)"
998 .\" Precisely: since 2.1.68
999 .\" FIXME document ip_autoconfig
1003 .IR ip_default_ttl " (integer; default: 64; since Linux 2.2)"
1004 .\" Precisely: 2.1.15
1005 Set the default time-to-live value of outgoing packets.
1006 This can be changed per socket with the
1011 .IR ip_dynaddr " (Boolean; default: disabled; since Linux 2.0.31)"
1012 Enable dynamic socket address and masquerading entry rewriting on interface
1014 This is useful for dialup interface with changing IP addresses.
1015 0 means no rewriting, 1 turns it on and 2 enables verbose mode.
1018 .IR ip_forward " (Boolean; default: disabled; since Linux 1.2)"
1019 Enable IP forwarding with a boolean flag.
1020 IP forwarding can be also set on a per-interface basis.
1023 .IR ip_local_port_range " (since Linux 2.2)"
1024 .\" Precisely: since 2.1.68
1025 This file contains two integers that define the default local port range
1026 allocated to sockets that are not explicitly bound to a port number\(emthat
1027 is, the range used for
1028 .IR "ephemeral ports" .
1029 An ephemeral port is allocated to a socket in the following circumstances:
1032 the port number in a socket address is specified as 0 when calling
1036 is called on a stream socket that was not previously bound;
1039 was called on a socket that was not previously bound;
1042 is called on a datagram socket that was not previously bound.
1045 Allocation of ephemeral ports starts with the first number in
1046 .IR ip_local_port_range
1047 and ends with the second number.
1048 If the range of ephemeral ports is exhausted,
1049 then the relevant system call returns an error (but see BUGS).
1051 Note that the port range in
1052 .IR ip_local_port_range
1053 should not conflict with the ports used by masquerading
1054 (although the case is handled).
1055 Also, arbitrary choices may cause problems with some firewall packet
1056 filters that make assumptions about the local ports in use.
1057 The first number should be at least greater than 1024,
1058 or better, greater than 4096, to avoid clashes
1059 with well known ports and to minimize firewall problems.
1062 .IR ip_no_pmtu_disc " (Boolean; default: disabled; since Linux 2.2)"
1063 .\" Precisely: 2.1.15
1064 If enabled, don't do Path MTU Discovery for TCP sockets by default.
1065 Path MTU discovery may fail if misconfigured firewalls (that drop
1066 all ICMP packets) or misconfigured interfaces (e.g., a point-to-point
1067 link where the both ends don't agree on the MTU) are on the path.
1068 It is better to fix the broken routers on the path than to turn off
1069 Path MTU Discovery globally, because not doing it incurs a high cost
1072 .\" The following is from 2.6.12: Documentation/networking/ip-sysctl.txt
1074 .IR ip_nonlocal_bind " (Boolean; default: disabled; since Linux 2.4)"
1075 .\" Precisely: patch-2.4.0-test10
1076 If set, allows processes to
1078 to nonlocal IP addresses,
1079 which can be quite useful, but may break some applications.
1081 .\" The following is from 2.6.12: Documentation/networking/ip-sysctl.txt
1083 .IR ip6frag_time " (integer; default: 30)"
1084 Time in seconds to keep an IPv6 fragment in memory.
1086 .\" The following is from 2.6.12: Documentation/networking/ip-sysctl.txt
1088 .IR ip6frag_secret_interval " (integer; default: 600)"
1089 Regeneration interval (in seconds) of the hash secret (or lifetime
1090 for the hash secret) for IPv6 fragments.
1092 .IR ipfrag_high_thresh " (integer), " ipfrag_low_thresh " (integer)"
1093 If the amount of queued IP fragments reaches
1094 .IR ipfrag_high_thresh ,
1095 the queue is pruned down to
1096 .IR ipfrag_low_thresh .
1097 Contains an integer with the number of bytes.
1102 .\" FIXME Document the conf/*/* interfaces
1104 .\" FIXME Document the route/* interfaces
1106 All ioctls described in
1111 .\" commented out the following because ipchains is obsolete
1113 .\" The ioctls to configure firewalling are documented in
1119 Ioctls to configure generic device parameters are described in
1121 .\" FIXME Add a discussion of multicasting
1123 .\" FIXME document all errors.
1124 .\" We should really fix the kernels to give more uniform
1125 .\" error returns (ENOMEM vs ENOBUFS, EPERM vs EACCES etc.)
1128 The user tried to execute an operation without the necessary permissions.
1130 sending a packet to a broadcast address without having the
1133 sending a packet via a
1136 modifying firewall settings without superuser privileges (the
1139 binding to a privileged port without superuser privileges (the
1140 .B CAP_NET_BIND_SERVICE
1144 Tried to bind to an address already in use.
1147 A nonexistent interface was requested or the requested source
1148 address was not local.
1151 Operation on a nonblocking socket would block.
1154 A connection operation on a nonblocking socket is already in progress.
1157 A connection was closed during an
1161 No valid routing table entry matches the destination address.
1162 This error can be caused by a ICMP message from a remote router or
1163 for the local routing table.
1166 Invalid argument passed.
1167 For send operations this can be caused by sending to a
1173 was called on an already connected socket.
1176 Datagram is bigger than an MTU on the path and it cannot be fragmented.
1178 .BR ENOBUFS ", " ENOMEM
1179 Not enough free memory.
1180 This often means that the memory allocation is limited by the socket
1181 buffer limits, not by the system memory, but this is not 100% consistent.
1185 was called on a socket where no packet arrived.
1188 A kernel subsystem was not configured.
1190 .BR ENOPROTOOPT " and " EOPNOTSUPP
1191 Invalid socket option passed.
1194 The operation is defined only on a connected socket, but the socket wasn't
1198 User doesn't have permission to set high priority, change configuration,
1199 or send signals to the requested process or group.
1202 The connection was unexpectedly closed or shut down by the other end.
1205 The socket is not configured or an unknown socket type was requested.
1207 Other errors may be generated by the overlaying protocols; see
1217 .BR IP_MTU_DISCOVER ,
1218 .BR IP_RECVORIGDSTADDR ,
1221 .BR IP_ROUTER_ALERT ,
1225 .\" IP_PASSSEC is Linux-specific
1226 .\" IP_XFRM_POLICY is Linux-specific
1227 .\" IP_IPSEC_POLICY is a nonstandard extension, also present on some BSDs
1229 Be very careful with the
1231 option \- it is not privileged in Linux.
1232 It is easy to overload the network
1233 with careless broadcasts.
1234 For new application protocols
1235 it is better to use a multicast group instead of broadcasting.
1236 Broadcasting is discouraged.
1238 Some other BSD sockets implementations provide
1242 socket options to get the destination address and the interface of
1244 Linux has the more general
1248 Some BSD sockets implementations also provide an
1250 option, but an ancillary message with type
1252 is passed with the incoming packet.
1253 This is different from the
1255 option used in Linux.
1259 socket options level isn't portable; BSD-based stacks use the
1263 For compatibility with Linux 2.0, the obsolete
1264 .BI "socket(AF_INET, SOCK_PACKET, " protocol )
1265 syntax is still supported to open a
1268 This is deprecated and should be replaced by
1269 .BI "socket(AF_PACKET, SOCK_RAW, " protocol )
1271 The main difference is the new
1273 address structure for generic link layer information instead of the old
1276 There are too many inconsistent error values.
1278 The error used to diagnose exhaustion of the ephemeral port range differs
1279 across the various system calls
1284 that can assign ephemeral ports.
1286 The ioctls to configure IP-specific interface options and ARP tables are
1289 .\" Some versions of glibc forget to declare
1290 .\" .IR in_pktinfo .
1291 .\" Workaround currently is to copy it into your program from this man page.
1293 Receiving the original destination address with
1299 does not work in some 2.2 kernels.
1301 .\" This man page was written by Andi Kleen.
1307 .BR capabilities (7),
1316 RFC\ 791 for the original IP specification.
1317 RFC\ 1122 for the IPv4 host requirements.
1318 RFC\ 1812 for the IPv4 router requirements.