2 .\" This man page is Copyright (C) 1999 Andi Kleen <ak@muc.de>.
4 .\" %%%LICENSE_START(VERBATIM_ONE_PARA)
5 .\" Permission is granted to distribute possibly modified copies
6 .\" of this page provided the header is included verbatim,
7 .\" and in case of nontrivial modification author and date
8 .\" of the modification is added to the header.
11 .\" $Id: ip.7,v 1.19 2000/12/20 18:10:31 ak Exp $
13 .\" FIXME: The following socket options are yet to be documented
14 .\" IP_XFRM_POLICY (2.5.48)
15 .\" Needs CAP_NET_ADMIN
16 .\" IP_IPSEC_POLICY (2.5.47)
17 .\" Needs CAP_NET_ADMIN
18 .\" IP_PASSSEC (2.6.17)
20 .\" commit 2c7946a7bf45ae86736ab3b43d0085e43947945c
21 .\" Author: Catherine Zhang <cxzhang@watson.ibm.com>
22 .\" IP_MINTTL (2.6.34)
23 .\" commit d218d11133d888f9745802146a50255a4781d37a
24 .\" Author: Stephen Hemminger <shemminger@vyatta.com>
25 .\" MCAST_JOIN_GROUP (2.4.22 / 2.6)
26 .\" MCAST_BLOCK_SOURCE (2.4.22 / 2.6)
27 .\" MCAST_UNBLOCK_SOURCE (2.4.22 / 2.6)
28 .\" MCAST_LEAVE_GROUP (2.4.22 / 2.6)
29 .\" MCAST_JOIN_SOURCE_GROUP (2.4.22 / 2.6)
30 .\" MCAST_LEAVE_SOURCE_GROUP (2.4.22 / 2.6)
31 .\" MCAST_MSFILTER (2.4.22 / 2.6)
32 .\" IP_UNICAST_IF (3.4)
33 .\" commit 76e21053b5bf33a07c76f99d27a74238310e3c71
34 .\" Author: Erich E. Hoover <ehoover@mines.edu>
36 .TH IP 7 2013-09-17 "Linux" "Linux Programmer's Manual"
38 ip \- Linux IPv4 protocol implementation
40 .B #include <sys/socket.h>
42 .\" .B #include <net/netinet.h> -- does not exist anymore
43 .\" .B #include <linux/errqueue.h> -- never include <linux/foo.h>
44 .B #include <netinet/in.h>
46 .B #include <netinet/ip.h> \fR/* superset of previous */
48 .IB tcp_socket " = socket(AF_INET, SOCK_STREAM, 0);"
50 .IB udp_socket " = socket(AF_INET, SOCK_DGRAM, 0);"
52 .IB raw_socket " = socket(AF_INET, SOCK_RAW, " protocol ");"
54 Linux implements the Internet Protocol, version 4,
55 described in RFC\ 791 and RFC\ 1122.
57 contains a level 2 multicasting implementation conforming to RFC\ 1112.
58 It also contains an IP router including a packet filter.
59 .\" FIXME has someone verified that 2.1 is really 1812 compliant?
61 The programming interface is BSD-sockets compatible.
62 For more information on sockets, see
65 An IP socket is created by calling the
68 .BI "socket(AF_INET, " socket_type ", " protocol ) \fR.
69 Valid socket types are
81 socket to access the IP protocol directly.
83 is the IP protocol in the IP header to be received or sent.
84 The only valid values for
88 for TCP sockets, and 0 and
93 you may specify a valid IANA IP protocol defined in
94 RFC\ 1700 assigned numbers.
96 When a process wants to receive new incoming packets or connections, it
97 should bind a socket to a local interface address using
99 In this case, only one IP socket may be bound to any given local
100 (address, port) pair.
103 is specified in the bind call, the socket will be bound to
108 is called on an unbound socket, the socket is automatically bound
109 to a random free port with the local address set to
113 is called on an unbound socket, the socket is automatically bound
114 to a random free port or to a usable shared port with the local address
118 A TCP local socket address that has been bound is unavailable for
119 some time after closing, unless the
122 Care should be taken when using this flag as it makes TCP less reliable.
124 An IP socket address is defined as a combination of an IP interface
125 address and a 16-bit port number.
126 The basic IP protocol does not supply port numbers, they
127 are implemented by higher level protocols like
133 is set to the IP protocol.
138 sa_family_t sin_family; /* address family: AF_INET */
139 in_port_t sin_port; /* port in network byte order */
140 struct in_addr sin_addr; /* internet address */
143 /* Internet address. */
145 uint32_t s_addr; /* address in network byte order */
153 This is required; in Linux 2.2 most networking functions return
155 when this setting is missing.
157 contains the port in network byte order.
158 The port numbers below 1024 are called
159 .IR "privileged ports"
161 .IR "reserved ports" ).
162 Only privileged processes (i.e., those having the
163 .B CAP_NET_BIND_SERVICE
167 Note that the raw IPv4 protocol as such has no concept of a
168 port, they are implemented only by higher protocols like
174 is the IP host address.
179 contains the host interface address in network byte order.
181 should be assigned one of the
188 .BR inet_makeaddr (3)
189 library functions or directly with the name resolver (see
190 .BR gethostbyname (3)).
192 IPv4 addresses are divided into unicast, broadcast
193 and multicast addresses.
194 Unicast addresses specify a single interface of a host,
195 broadcast addresses specify all hosts on a network and multicast
196 addresses address all hosts in a multicast group.
197 Datagrams to broadcast addresses can be sent or received only when the
200 In the current implementation, connection-oriented sockets are allowed
201 to use only unicast addresses.
202 .\" Leave a loophole for XTP @)
204 Note that the address and the port are always stored in
206 In particular, this means that you need to call
208 on the number that is assigned to a port.
209 All address/port manipulation
210 functions in the standard library work in network byte order.
212 There are several special addresses:
215 always refers to the local host via the loopback device;
218 means any address for binding;
221 means any host and has the same effect on bind as
223 for historical reasons.
225 IP supports some protocol-specific socket options that can be set with
229 The socket option level for IP is
231 .\" or SOL_IP on Linux
232 A boolean integer flag is zero when it is false, otherwise true.
234 .BR IP_ADD_MEMBERSHIP " (since Linux 1.2)"
235 Join a multicast group.
243 struct in_addr imr_multiaddr; /* IP multicast group
245 struct in_addr imr_address; /* IP address of local
247 int imr_ifindex; /* interface index */
253 contains the address of the multicast group the application
254 wants to join or leave.
255 It must be a valid multicast address
256 .\" (i.e., within the 224.0.0.0-239.255.255.255 range)
262 is the address of the local interface with which the system
263 should join the multicast group; if it is equal to
265 an appropriate interface is chosen by the system.
267 is the interface index of the interface that should join/leave the
269 group, or 0 to indicate any interface.
273 structure is available only since Linux 2.2.
274 For compatibility, the old
276 structure (present since Linux 1.2) is still supported;
279 only by not including the
286 .BR IP_ADD_SOURCE_MEMBERSHIP " (since Linux 2.4.22 / 2.5.68)"
287 Join a multicast group and allow receiving data only
288 from a specified source.
295 struct ip_mreq_source {
296 struct in_addr imr_multiaddr; /* IP multicast group
298 struct in_addr imr_interface; /* IP address of local
300 struct in_addr imr_sourceaddr; /* IP address of
308 structure is similar to
311 .BR IP_ADD_MEMBERSIP .
314 field contains the address of the multicast group the application
315 wants to join or leave.
318 field is the address of the local interface with which
319 the system should join the multicast group.
322 field contains the address of the source the
323 application wants to receive data from.
325 This option can be used multiple times to allow
326 receiving data from more than one source.
328 .BR IP_BLOCK_SOURCE " (since Linux 2.4.22 / 2.5.68)"
329 Stop receiving multicast data from a specific source in a given group.
330 This is valid only after the application has subscribed
331 to the multicast group using either
332 .BR IP_ADD_MEMBERSHIP
334 .BR IP_ADD_SOURCE_MEMBERSHIP .
338 structure as described under
339 .BR IP_ADD_SOURCE_MEMBERSHIP .
341 .BR IP_DROP_MEMBERSHIP " (since Linux 1.2)"
342 Leave a multicast group.
348 .BR IP_ADD_MEMBERSHIP .
350 .BR IP_DROP_SOURCE_MEMBERSHIP " (since Linux 2.4.22 / 2.5.68)"
351 Leave a source-specific group\(emthat is, stop receiving data from
352 a given multicast group that come from a given source.
353 If the application has subscribed to multiple sources within
354 the same group, data from the remaining sources will still be delivered.
355 To stop receiving data from all sources at once, use
360 structure as described under
361 .BR IP_ADD_SOURCE_MEMBERSHIP .
363 .BR IP_FREEBIND " (since Linux 2.4)"
364 .\" Precisely: 2.4.0-test10
365 If enabled, this boolean option allows binding to an IP address
366 that is nonlocal or does not (yet) exist.
367 This permits listening on a socket,
368 without requiring the underlying network interface or the
369 specified dynamic IP address to be up at the time that
370 the application is trying to bind to it.
371 This option is the per-socket equivalent of the
374 interface described below.
376 .BR IP_HDRINCL " (since Linux 2.0)"
378 the user supplies an IP header in front of the user data.
384 for more information.
385 When this flag is enabled the values set by
392 .BR IP_MSFILTER " (since Linux 2.4.22 / 2.5.68)"
393 This option provides access to the advanced full-state filtering API.
401 struct in_addr imsf_multiaddr; /* IP multicast group
403 struct in_addr imsf_interface; /* IP address of local
405 uint32_t imsf_fmode; /* Filter-mode */
407 uint32_t imsf_numsrc; /* Number of sources in
408 the following array */
409 struct in_addr imsf_slist[1]; /* Array of source
415 There are two macros,
419 which can be used to specify the filtering mode.
421 .BR IP_MSFILTER_SIZE (n)
422 macro exists to determine how much memory is needed to store
426 sources in the source list.
428 For the full description of multicast source filtering
431 .BR IP_MTU " (since Linux 2.2)"
432 .\" Precisely: 2.1.124
433 Retrieve the current known path MTU of the current socket.
434 Valid only when the socket has been connected.
439 .BR IP_MTU_DISCOVER " (since Linux 2.2)"
440 .\" Precisely: 2.1.124
441 Set or receive the Path MTU Discovery setting for a socket.
442 When enabled, Linux will perform Path MTU Discovery
443 as defined in RFC\ 1191 on
450 forces the don't-fragment flag to be set on all outgoing packets.
451 It is the user's responsibility to packetize the data
452 in MTU-sized chunks and to do the retransmits if necessary.
453 The kernel will reject (with
455 datagrams that are bigger than the known path MTU.
457 will fragment a datagram if needed according to the path MTU,
458 or will set the don't-fragment flag otherwise.
460 The system-wide default can be toggled between
464 by writing (respectively, zero and nonzero values) to the
465 .I /proc/sys/net/ipv4/ip_no_pmtu_disc
471 Path MTU discovery value:Meaning
472 IP_PMTUDISC_WANT:Use per-route settings.
473 IP_PMTUDISC_DONT:Never do Path MTU Discovery.
474 IP_PMTUDISC_DO:Always do Path MTU Discovery.
475 IP_PMTUDISC_PROBE:Set DF but ignore Path MTU.
478 When PMTU discovery is enabled, the kernel automatically keeps track of
479 the path MTU per destination host.
480 When it is connected to a specific peer with
482 the currently known path MTU can be retrieved conveniently using the
484 socket option (e.g., after an
487 The path MTU may change over time.
488 For connectionless sockets with many destinations,
489 the new MTU for a given destination can also be accessed using the
492 A new error will be queued for every incoming MTU update.
494 While MTU discovery is in progress, initial packets from datagram sockets
496 Applications using UDP should be aware of this and not
497 take it into account for their packet retransmit strategy.
499 To bootstrap the path MTU discovery process on unconnected sockets, it
500 is possible to start with a big datagram size
501 (up to 64K-headers bytes long) and let it shrink by updates of the path MTU.
502 .\" FIXME this is an ugly hack
504 To get an initial estimate of the
505 path MTU, connect a datagram socket to the destination address using
507 and retrieve the MTU by calling
513 It is possible to implement RFC 4821 MTU probing with
517 sockets by setting a value of
518 .BR IP_PMTUDISC_PROBE
519 (available since Linux 2.6.22).
520 This is also particularly useful for diagnostic tools such as
522 that wish to deliberately send probe packets larger than
523 the observed Path MTU.
525 .BR IP_MULTICAST_ALL " (since Linux 2.6.31)"
526 This option can be used to modify the delivery policy of multicast messages
527 to sockets bound to the wildcard
530 The argument is a boolean integer (defaults to 1).
532 the socket will receive messages from all the groups that have been joined
533 globally on the whole system.
534 Otherwise, it will deliver messages only from
535 the groups that have been explicitly joined (for example via the
537 option) on this particular socket.
539 .BR IP_MULTICAST_IF " (since Linux 1.2)"
540 Set the local device for a multicast socket.
545 .\" net: IP_MULTICAST_IF setsockopt now recognizes struct mreq
546 .\" Commit: 3a084ddb4bf299a6e898a9a07c89f3917f0713f7
549 .BR IP_ADD_MEMBERSHIP .
551 When an invalid socket option is passed,
555 .BR IP_MULTICAST_LOOP " (since Linux 1.2)"
556 Set or read a boolean integer argument that determines whether
557 sent multicast packets should be looped back to the local sockets.
559 .BR IP_MULTICAST_TTL " (since Linux 1.2)"
560 Set or read the time-to-live value of outgoing multicast packets for this
562 It is very important for multicast packets to set the smallest TTL possible.
563 The default is 1 which means that multicast packets don't leave the local
564 network unless the user program explicitly requests it.
565 Argument is an integer.
567 .BR IP_NODEFRAG " (since Linux 2.6.36)"
568 If enabled (argument is nonzero),
569 the reassembly of outgoing packets is disabled in the netfilter layer.
570 This option is valid only for
573 The argument is an integer.
575 .BR IP_OPTIONS " (since Linux 2.0)"
576 .\" Precisely: 1.3.30
577 Set or get the IP options to be sent with every packet from this socket.
578 The arguments are a pointer to a memory buffer containing the options
579 and the option length.
582 call sets the IP options associated with a socket.
583 The maximum option size for IPv4 is 40 bytes.
584 See RFC\ 791 for the allowed options.
585 When the initial connection request packet for a
587 socket contains IP options, the IP options will be set automatically
588 to the options from the initial packet with routing headers reversed.
589 Incoming packets are not allowed to change options after the connection
591 The processing of all incoming source routing options
592 is disabled by default and can be enabled by using the
593 .I accept_source_route
596 Other options like timestamps are still handled.
597 For datagram sockets, IP options can be only set by the local user.
602 puts the current IP options used for sending into the supplied buffer.
604 .BR IP_PKTINFO " (since Linux 2.2)"
605 .\" Precisely: 2.1.68
608 ancillary message that contains a
610 structure that supplies some information about the incoming packet.
611 This only works for datagram oriented sockets.
612 The argument is a flag that tells the socket whether the
614 message should be passed or not.
615 The message itself can only be sent/retrieved
616 as control message with a packet using
624 unsigned int ipi_ifindex; /* Interface index */
625 struct in_addr ipi_spec_dst; /* Local address */
626 struct in_addr ipi_addr; /* Header Destination
632 .\" FIXME elaborate on that.
634 is the unique index of the interface the packet was received on.
636 is the local address of the packet and
638 is the destination address in the packet header.
644 .\" This field is grossly misnamed
646 is not zero, then it is used as the local source address for the routing
647 table lookup and for setting up IP source route options.
650 is not zero, the primary local address of the interface specified by the
653 for the routing table lookup.
655 .BR IP_RECVERR " (since Linux 2.2)"
656 .\" Precisely: 2.1.15
657 Enable extended reliable error message passing.
658 When enabled on a datagram socket, all
659 generated errors will be queued in a per-socket error queue.
660 When the user receives an error from a socket operation,
661 the errors can be received by calling
668 structure describing the error will be passed in an ancillary message with
673 .\" or SOL_IP on Linux
674 This is useful for reliable error handling on unconnected sockets.
675 The received data portion of the error queue contains the error packet.
679 control message contains a
686 #define SO_EE_ORIGIN_NONE 0
687 #define SO_EE_ORIGIN_LOCAL 1
688 #define SO_EE_ORIGIN_ICMP 2
689 #define SO_EE_ORIGIN_ICMP6 3
691 struct sock_extended_err {
692 uint32_t ee_errno; /* error number */
693 uint8_t ee_origin; /* where the error originated */
694 uint8_t ee_type; /* type */
695 uint8_t ee_code; /* code */
697 uint32_t ee_info; /* additional information */
698 uint32_t ee_data; /* other data */
699 /* More data may follow */
702 struct sockaddr *SO_EE_OFFENDER(struct sock_extended_err *);
709 number of the queued error.
711 is the origin code of where the error originated.
712 The other fields are protocol-specific.
715 returns a pointer to the address of the network object
716 where the error originated from given a pointer to the ancillary message.
717 If this address is not known, the
723 and the other fields of the
729 structure as follows:
733 for errors received as an ICMP packet, or
734 .B SO_EE_ORIGIN_LOCAL
735 for locally generated errors.
736 Unknown values should be ignored.
740 are set from the type and code fields of the ICMP header.
742 contains the discovered MTU for
745 The message also contains the
746 .I sockaddr_in of the node
747 caused the error, which can be accessed with the
756 when the source was unknown.
757 When the error originated from the network, all IP options
758 .RB ( IP_OPTIONS ", " IP_TTL ", "
759 etc.) enabled on the socket and contained in the
760 error packet are passed as control messages.
761 The payload of the packet causing the error is returned as normal payload.
762 .\" FIXME . Is it a good idea to document that? It is a dubious feature.
767 .\" has slightly different semantics. Instead of
768 .\" saving the errors for the next timeout, it passes all incoming
769 .\" errors immediately to the user.
770 .\" This might be useful for very short-lived TCP connections which
771 .\" need fast error handling. Use this option with care:
772 .\" it makes TCP unreliable
773 .\" by not allowing it to recover properly from routing
774 .\" shifts and other normal
775 .\" conditions and breaks the protocol specification.
776 Note that TCP has no error queue;
782 is valid for TCP, but all errors are returned by socket function return or
788 enables passing of all received ICMP errors to the
789 application, otherwise errors are only reported on connected sockets
791 It sets or retrieves an integer boolean flag.
795 .BR IP_RECVOPTS " (since Linux 2.2)"
796 .\" Precisely: 2.1.15
797 Pass all incoming IP options to the user in a
800 The routing header and other options are already filled in
806 .BR IP_RECVORIGDSTADDR " (since Linux 2.6.29)"
807 .\" commit e8b2dfe9b4501ed0047459b2756ba26e5a940a69
808 This boolean option enables the
812 in which the kernel returns the original destination address
813 of the datagram being received.
814 The ancillary message contains a
815 .IR "struct sockaddr_in" .
817 .BR IP_RECVTOS " (since Linux 2.2)"
818 .\" Precisely: 2.1.68
821 ancillary message is passed with incoming packets.
822 It contains a byte which specifies the Type of Service/Precedence
823 field of the packet header.
824 Expects a boolean integer flag.
826 .BR IP_RECVTTL " (since Linux 2.2)"
827 .\" Precisely: 2.1.68
828 When this flag is set, pass a
830 control message with the time to live
831 field of the received packet as a byte.
836 .BR IP_RETOPTS " (since Linux 2.2)"
837 .\" Precisely: 2.1.15
840 but returns raw unprocessed options with timestamp and route record
841 options not filled in for this hop.
843 .BR IP_ROUTER_ALERT " (since Linux 2.2)"
844 .\" Precisely: 2.1.68
845 Pass all to-be forwarded packets with the
846 IP Router Alert option set to this socket.
847 Only valid for raw sockets.
848 This is useful, for instance, for user-space RSVP daemons.
849 The tapped packets are not forwarded by the kernel; it is
850 the user's responsibility to send them out again.
851 Socket binding is ignored,
852 such packets are only filtered by protocol.
853 Expects an integer flag.
855 .BR IP_TOS " (since Linux 1.0)"
856 Set or receive the Type-Of-Service (TOS) field that is sent
857 with every IP packet originating from this socket.
858 It is used to prioritize packets on the network.
860 There are some standard TOS flags defined:
862 to minimize delays for interactive traffic,
864 to optimize throughput,
866 to optimize for reliability,
868 should be used for "filler data" where slow transmission doesn't matter.
869 At most one of these TOS values can be specified.
870 Other bits are invalid and shall be cleared.
873 datagrams first by default,
874 but the exact behavior depends on the configured queueing discipline.
875 .\" FIXME elaborate on this
876 Some high priority levels may require superuser privileges (the
879 The priority can also be set in a protocol independent way by the
880 .RB ( SOL_SOCKET ", " SO_PRIORITY )
883 .\" Needs CAP_NET_ADMIN
885 .\" Since Linux 2.6.27
886 .\" Author: KOVACS Krisztian <hidden@sch.bme.hu>
887 .\" http://lwn.net/Articles/252545/
889 .BR IP_TRANSPARENT " (since Linux 2.6.24)"
890 .\" commit f5715aea4564f233767ea1d944b2637a5fd7cd2e
891 .\" This patch introduces the IP_TRANSPARENT socket option: enabling that
892 .\" will make the IPv4 routing omit the non-local source address check on
893 .\" output. Setting IP_TRANSPARENT requires NET_ADMIN capability.
894 .\" http://lwn.net/Articles/252545/
895 Setting this boolean option enables transparent proxying on this socket.
896 This socket option allows
897 the calling application to bind to a nonlocal IP address and operate
898 both as a client and a server with the foreign address as the local endpoint.
899 NOTE: this requires that routing be set up in a way that
900 packets going to the foreign address are routed through the TProxy box.
901 Enabling this socket option requires superuser privileges
906 TProxy redirection with the iptables TPROXY target also requires that
907 this option be set on the redirected socket.
909 .BR IP_TTL " (since Linux 1.0)"
910 Set or retrieve the current time-to-live field that is used in every packet
911 sent from this socket.
913 .BR IP_UNBLOCK_SOURCE " (since Linux 2.4.22 / 2.5.68)"
914 Unblock previously blocked multicast source.
917 when given source is not being blocked.
921 structure as described under
922 .BR IP_ADD_SOURCE_MEMBERSHIP .
927 interfaces to configure some global parameters.
928 The parameters can be accessed by reading or writing files in the directory
929 .IR /proc/sys/net/ipv4/ .
930 .\" FIXME As at 2.6.12, 14 Jun 2005, the following are undocumented:
933 Interfaces described as
935 take an integer value, with a nonzero value ("true") meaning that
936 the corresponding option is enabled, and a zero value ("false")
937 meaning that the option is disabled.
940 .IR ip_always_defrag " (Boolean; since Linux 2.2.13)"
941 [New with kernel 2.2.13; in earlier kernel versions this feature
942 was controlled at compile time by the
943 .B CONFIG_IP_ALWAYS_DEFRAG
944 option; this option is not present in 2.4.x and later]
946 When this boolean flag is enabled (not equal 0), incoming fragments
948 that arose when some host between origin and destination decided
949 that the packets were too large and cut them into pieces) will be
950 reassembled (defragmented) before being processed, even if they are
951 about to be forwarded.
953 Only enable if running either a firewall that is the sole link
954 to your network or a transparent proxy; never ever use it for a
955 normal router or host.
956 Otherwise fragmented communication can be disturbed
957 if the fragments travel over different links.
958 Defragmentation also has a large memory and CPU time cost.
960 This is automagically turned on when masquerading or transparent
961 proxying are configured.
964 .IR ip_autoconfig " (since Linux 2.2 to 2.6.17)"
965 .\" Precisely: since 2.1.68
966 .\" FIXME document ip_autoconfig
970 .IR ip_default_ttl " (integer; default: 64; since Linux 2.2)"
971 .\" Precisely: 2.1.15
972 Set the default time-to-live value of outgoing packets.
973 This can be changed per socket with the
978 .IR ip_dynaddr " (Boolean; default: disabled; since Linux 2.0.31)"
979 Enable dynamic socket address and masquerading entry rewriting on interface
981 This is useful for dialup interface with changing IP addresses.
982 0 means no rewriting, 1 turns it on and 2 enables verbose mode.
985 .IR ip_forward " (Boolean; default: disabled; since Linux 1.2)"
986 Enable IP forwarding with a boolean flag.
987 IP forwarding can be also set on a per-interface basis.
990 .IR ip_local_port_range " (since Linux 2.2)"
991 .\" Precisely: since 2.1.68
992 Contains two integers that define the default local port range
993 allocated to sockets.
994 Allocation starts with the first number and ends with the second number.
995 Note that these should not conflict with the ports used by masquerading
996 (although the case is handled).
997 Also arbitrary choices may cause problems with some firewall packet
998 filters that make assumptions about the local ports in use.
999 First number should be at least greater than 1024,
1000 or better, greater than 4096, to avoid clashes
1001 with well known ports and to minimize firewall problems.
1004 .IR ip_no_pmtu_disc " (Boolean; default: disabled; since Linux 2.2)"
1005 .\" Precisely: 2.1.15
1006 If enabled, don't do Path MTU Discovery for TCP sockets by default.
1007 Path MTU discovery may fail if misconfigured firewalls (that drop
1008 all ICMP packets) or misconfigured interfaces (e.g., a point-to-point
1009 link where the both ends don't agree on the MTU) are on the path.
1010 It is better to fix the broken routers on the path than to turn off
1011 Path MTU Discovery globally, because not doing it incurs a high cost
1014 .\" The following is from 2.6.12: Documentation/networking/ip-sysctl.txt
1016 .IR ip_nonlocal_bind " (Boolean; default: disabled; since Linux 2.4)"
1017 .\" Precisely: patch-2.4.0-test10
1018 If set, allows processes to
1020 to nonlocal IP addresses,
1021 which can be quite useful, but may break some applications.
1023 .\" The following is from 2.6.12: Documentation/networking/ip-sysctl.txt
1025 .IR ip6frag_time " (integer; default: 30)"
1026 Time in seconds to keep an IPv6 fragment in memory.
1028 .\" The following is from 2.6.12: Documentation/networking/ip-sysctl.txt
1030 .IR ip6frag_secret_interval " (integer; default: 600)"
1031 Regeneration interval (in seconds) of the hash secret (or lifetime
1032 for the hash secret) for IPv6 fragments.
1034 .IR ipfrag_high_thresh " (integer), " ipfrag_low_thresh " (integer)"
1035 If the amount of queued IP fragments reaches
1036 .IR ipfrag_high_thresh ,
1037 the queue is pruned down to
1038 .IR ipfrag_low_thresh .
1039 Contains an integer with the number of bytes.
1044 .\" FIXME Document the conf/*/* interfaces
1045 .\" FIXME Document the route/* interfaces
1046 .\" FIXME document them all
1048 All ioctls described in
1053 .\" commented out the following because ipchains is obsolete
1055 .\" The ioctls to configure firewalling are documented in
1061 Ioctls to configure generic device parameters are described in
1063 .\" FIXME Add a discussion of multicasting
1065 .\" FIXME document all errors.
1066 .\" We should really fix the kernels to give more uniform
1067 .\" error returns (ENOMEM vs ENOBUFS, EPERM vs EACCES etc.)
1070 The user tried to execute an operation without the necessary permissions.
1072 sending a packet to a broadcast address without having the
1075 sending a packet via a
1078 modifying firewall settings without superuser privileges (the
1081 binding to a privileged port without superuser privileges (the
1082 .B CAP_NET_BIND_SERVICE
1086 Tried to bind to an address already in use.
1089 A nonexistent interface was requested or the requested source
1090 address was not local.
1093 Operation on a nonblocking socket would block.
1096 An connection operation on a nonblocking socket is already in progress.
1099 A connection was closed during an
1103 No valid routing table entry matches the destination address.
1104 This error can be caused by a ICMP message from a remote router or
1105 for the local routing table.
1108 Invalid argument passed.
1109 For send operations this can be caused by sending to a
1115 was called on an already connected socket.
1118 Datagram is bigger than an MTU on the path and it cannot be fragmented.
1120 .BR ENOBUFS ", " ENOMEM
1121 Not enough free memory.
1122 This often means that the memory allocation is limited by the socket
1123 buffer limits, not by the system memory, but this is not 100% consistent.
1127 was called on a socket where no packet arrived.
1130 A kernel subsystem was not configured.
1132 .BR ENOPROTOOPT " and " EOPNOTSUPP
1133 Invalid socket option passed.
1136 The operation is defined only on a connected socket, but the socket wasn't
1140 User doesn't have permission to set high priority, change configuration,
1141 or send signals to the requested process or group.
1144 The connection was unexpectedly closed or shut down by the other end.
1147 The socket is not configured or an unknown socket type was requested.
1149 Other errors may be generated by the overlaying protocols; see
1159 .BR IP_MTU_DISCOVER ,
1160 .BR IP_RECVORIGDSTADDR ,
1163 .BR IP_ROUTER_ALERT ,
1167 .\" IP_PASSSEC is Linux-specific
1168 .\" IP_XFRM_POLICY is Linux-specific
1169 .\" IP_IPSEC_POLICY is a nonstandard extension, also present on some BSDs
1171 Be very careful with the
1173 option \- it is not privileged in Linux.
1174 It is easy to overload the network
1175 with careless broadcasts.
1176 For new application protocols
1177 it is better to use a multicast group instead of broadcasting.
1178 Broadcasting is discouraged.
1180 Some other BSD sockets implementations provide
1184 socket options to get the destination address and the interface of
1186 Linux has the more general
1190 Some BSD sockets implementations also provide an
1192 option, but an ancillary message with type
1194 is passed with the incoming packet.
1195 This is different from the
1197 option used in Linux.
1201 socket options level isn't portable, BSD-based stacks use
1205 For compatibility with Linux 2.0, the obsolete
1206 .BI "socket(AF_INET, SOCK_PACKET, " protocol )
1207 syntax is still supported to open a
1210 This is deprecated and should be replaced by
1211 .BI "socket(AF_PACKET, SOCK_RAW, " protocol )
1213 The main difference is the new
1215 address structure for generic link layer information instead of the old
1218 There are too many inconsistent error values.
1220 The ioctls to configure IP-specific interface options and ARP tables are
1223 Some versions of glibc forget to declare
1225 Workaround currently is to copy it into your program from this man page.
1227 Receiving the original destination address with
1233 does not work in some 2.2 kernels.
1235 .\" This man page was written by Andi Kleen.
1241 .BR capabilities (7),
1250 RFC\ 791 for the original IP specification.
1251 RFC\ 1122 for the IPv4 host requirements.
1252 RFC\ 1812 for the IPv4 router requirements.
1253 .\" FIXME autobind INADDR REUSEADDR
1255 This page is part of release 3.64 of the Linux
1258 A description of the project,
1259 and information about reporting bugs,
1261 \%http://www.kernel.org/doc/man\-pages/.