inconfig(ADMN)

Synopsis

Description

inconfig reads a configuration file to obtain the list of kernel parameters and their values. This file is normally /etc/inet/inet.dfl, but a different file can be specified with the -f option. See ``Parameters'' for a description of the parameters.

For each parameter listed in the configuration file, inconfig initializes the parameter to the specified value.

The current value of a single parameter can be retrieved by specifying only the parameter name as an argument to inconfig.

If a ``parameter value'' pair is specified, the associated kernel parameter is modified. The configuration file is also updated so that the parameter will be correctly initialized the next time the system is restarted. The -n option causes the configuration file to remain unchanged. This is useful when turning on debugging messages that are not desired in normal operation.

Each configuration parameter has a minimum and a maximum allowable value enforced by the kernel. Attempts to set the parameter to a value outside of the allowable range will be disallowed.

inconfig goes to great lengths to preserve the current configuration in the event of an I/O error. Before the new configuration is generated, file is renamed to file.bak. If the configuration cannot be updated, inconfig will attempt to restore the old one. If the restore fails, the configuration is left in file.bak. If the new configuration is successfully saved, the backup file will be deleted. inconfig blocks SIGHUP, SIGINT, and SIGTERM while the configuration is being updated.

The -v option causes inconfig to display information about each parameter found in the configuration file as it is being processed.

If the -d option is used, neither the kernel nor the configuration file will be updated. Instead inconfig will display every change it would have made if the -d option had not been used.

The -s option displays the current configuration but does not attempt to modify it.

Only root may use this command.

Parameters

• ``Address Resolution Protocol (ARP) parameters''

• ``Internet Control Message Protocol Version 4 (ICMPv4) parameters''

• ``Internet Group Management Protocol Version 4 (IGMPv4) parameters''

• ``Internet Protocol Version 4 (IPv4) parameters''

• ``Transmission Control Protocol (TCP/IP) parameters''

• ``User Datagram Protocol (UDP) parameters''

• ``Socket parameters''

The default values of the parameters are configured to work efficiently in most situations.

Address Resolution Protocol (ARP) parameters

The following parameters control the behavior of the Address Resolution Protocol (ARP).

arpprintfs

Controls logging of warnings from the kernel ARP driver. These are displayed on the console. Logging is turned on if this parameter is set to 1. If set to 0 (the default), debugging information is not displayed.

arp_maxretries

Sets the maximum number of retries for the address resolution protocol (ARP) before it gives up. The default value is 5; the minimum and maximum configurable values are 1 and 128.

arpt_down

Sets the time to hold onto an incomplete ARP cache entry if ARP lookup fails. The default value is 20 seconds; the minimum and maximum configurable values are 1 and 600 seconds.

arpt_keep

Sets the time to keep a valid entry in the ARP cache. The default value is 1200 seconds; the minimum and maximum configurable values are 1 and 2400 seconds.

arpt_prune

Sets the interval between scanning the ARP table for stale entries. The default value is 300 seconds; the minimum and maximum configurable values are 1 and 1800 seconds.

Internet Control Message Protocol Version 4 (ICMPv4) parameters

icmp_answermask

If set to 1, the system will respond to ICMP subnet mask request messages. This parameter must be set to 1 to support certain hosts such as diskless workstations. The default value is 0, do not respond, as specified in RFC 1122.

icmp_quenchsz

Controls how many addresses to remember every 200ms when performing ICMP source quenching. If a host's address is remembered, this ensures that no more than five quench messages can be sent to it per second. The default value is 32. The minimum and maximum configurable values are 1 and 4096.

icmp_reply_broadcasts

If set to 1, the system will reply to ICMP requests that are directed to broadcast, multicast, or experimental addresses. If set to 0 (the default), the system will not reply to such requests.

icmpprintfs

Controls logging of warnings from the kernel ICMP driver. These are displayed on the console. Logging is turned on if this parameter is set to 1. If set to 0 (the default), debugging information is not displayed.

Internet Group Management Protocol Version 4 (IGMPv4) parameters

igmpprintfs

Controls logging of warnings from the kernel IGMP driver. These are displayed on the console. Logging is turned on if this parameter is set to 1. If set to 0 (the default), debugging information is not displayed.

Internet Protocol Version 4 (IPv4) parameters

in_fullsize

Controls the systemwide default TCP/IP behavior for attempting to negotiate the use of full-sized segments. If set to 1 (the default), TCP/IP attempts to use a segment size equal to the interface MTU minus the size of the TCP/IP headers. If set to 0, TCP/IP rounds the segment size down to the nearest multiple of 1KB.

in_loglimit

Controls how many bytes of the error packet to display when debugging. Note that the appropriate xxxprintfs parameter (such as tcpprintfs) must be set to a non-zero value to enable logging. The default value is 64. The minimum and maximum configurable values are 1 and 255.

in_recvspace

Sets the systemwide default size of the TCP/IP receive window in bytes. (This can be overridden by using setsockopt(SSC) to set SO_RCVBUF.) The default value is 4096 bytes. The minimum and maximum configurable values are 2048 and 65535 bytes.

in_sendspace

Sets the systemwide default size of the TCP/IP send window in bytes. This should be at least as large as the loopback MTU. (This can be overridden by using setsockopt(SSC) to set SO_SNDBUF.) The default value is 8192 bytes. The minimum and maximum configurable values are 2048 and 65535 bytes.

ip_checkbroadaddr

Controls whether IP checks whether unicast packets specify a broadcast address. If set to 1 (the default as specified in RFC 1122), IP discards non-broadcast packets sent to a link-level broadcast address. In the unlikely event that a data-link driver does not support this, packets may be discarded erroneously. If netstat -s -p ip shows that many packets cannot be forwarded, set this parameter to 0 to turn off checking.

ip_dirbroadcast

If set to 1 (the default), allows receipt of broadcast packets only if they match one of the broadcast addresses configured for the interface upon which the packet was received. If set to 0, allows receipt of broadcast packets that match any configured broadcast address.

ip_forward_broadcasts

If set to 1, received broadcast packets addressed to the broadcast address of an attached interface are forwarded for broadcasting on the interface. If set to 0 (the default), rebroadcasting is not permitted.

ip_perform_pmtu

IP performs Path Maximum Transmission Unit (Path MTU or PMTU) discovery as specified in RFC 1191 if set to 1 (the default). This causes IP to send packets with the ``do not fragment'' bit set so that routers will generate ``Fragmentation Required'' messages if they cannot forward the whole packet. Retransmission with a smaller packet size allows the minimum MTU in the path to the destination to be established. If you experience interoperability problems because intermediate routers do not support this feature, a value of 0 disables PMTU.

If you disable PMTU, you should also set tcp_offer_big_mss (described in ``Transmission Control Protocol (TCP/IP) parameters'') to 0.

ip_pmtu_decrease_age

Controls how many seconds IP will wait (while performing PMTU) after decreasing an MTU estimate before it starts raising it. The default value is 600 seconds. The maximum configurable value is 32667. If set to 0xffffffff, the estimate is never raised; this is useful if there is only one path out of your local network and its MTU is known to be constant.

ip_pmtu_increase_age

Sets the number of seconds between increasing the MTU estimate for a destination once it starts to increase. The default value is 120 seconds. The minimum and maximum configurable values are 0 and 600 seconds.

ip_settos

If set to 1 (the default), IP sets type-of service TOS information (as specified in RFC 1122) in packets that it sends down to the data-link layer. Set this to 0 if your network card link-level driver cannot handle this.

ip_subnetsarelocal

The default value of 1 specifies that other subnets of the network are to be considered as local -- that is, directly connected. TCP/IP assumes them to be connected via high-MSS paths and adjusts its idea of the MSS to be negotiated. Otherwise, TCP/IP uses the default MSS specified by tcp_mssdflt (described in ``Transmission Control Protocol (TCP/IP) parameters'') -- this is typically 512 bytes in accordance with RFC 793 and RFC 1122. By default, the parameter tcp_offer_big_mss is set to 1 so that Path MTU discovery can be used to provide the maximum benefit. If the value of tcp_offer_big_mss is set to 0, setting the value of ip_subnetsarelocal to 1 allows for good local performance even though PMTU discovery is not used.

The message ``ICMP Host Unreachable'' is generated for local subnet routing failures. When this value is set to 0, the packet size is set to 576 bytes, as specified in RFC 1122.

The default value of 1 enables this feature; if set to 0, it is disabled.

ip_ttl

Sets the time to live (TTL) of an IP packet as a number of hops. This value is used by all kernel drivers that need it (including TCP/IP). The default value is 64 as recommended by RFC 1340. The minimum and maximum configurable values are 1 and 255.

ipforwarding

ipsendredirects

If you want to use your machine as a unicast or multicast router, set both these parameters to 1.

ipforwarding controls whether the system will forward packets sent to it which are destined for another system (that is, act as a router). The default value is 0 (off) as defined by RFC 1122. A system acting as a host will still forward source-routed datagrams unless ipnonlocalsrcroute is set to 0.

ipsendredirects controls whether IP will send an ICMP redirect error message to a host when forwarding a packet out of the same interface on which it was received. The message informs the sending host which is the correct router to use in the future. This allows the sending host to adjust its routing table appropriately. This should be set to 1 if ipforwarding is set to 1.

ipnonlocalsrcroute

Controls whether source-routed datagrams will be forwarded if they are not destined for the local system. On hosts, the default value is 0 (off). If your machine is acting as a router (ipforwarding is set to 1), set the value of ipnonlocalsrcroute to 1 unless you are concerned that this may open a security hole.

ipport_reserved_high

ipport_reserved_low

ipport_userreserved_high

ipport_userreserved_low

These four parameters control the allocation and verification of reserved and ephemeral port numbers.

ipport_reserved_low (default value 512) and ipport_reserved_high (default value 1023) set the bottom and top values of the port range which the kernel considers privileged.

A process requires super user privileges to assign itself a reserved port whose number is less than or equal to ipport_reserved_high.

---

WARNING: Ports whose numbers are less than or equal to ipport_reserved_high are also assumed to be privileged when they are used by processes on remote systems.

Setting ipport_reserved_high to a value higher than the default will expose your system to attack from systems on which ports with numbers greater than 1023 and less than ipport_reserved_high are not privileged. For example, remote rlogin(TC) clients must demonstrate to the server that they have bound themselves to a reserved port as part of the authentication process. If the local value of ipport_reserved_high is set to a value greater than the default, a remote process without super user privileges, masquerading as an rlogin client, could gain access to a local user account which has a .rhosts entry that allows a remote user to log in without specifying a password. Similar attacks are also possible using bogus versions of rcp(TC) and rsh(TC).

---

ipport_userreserved_low (default value 32768) and ipport_userreserved_high (default value 65535) set the bottom and top values of the port range from which ephemeral ports will be allocated. In previous releases, these values were fixed at 1024 and 5000 respectively.

ipprintfs

Controls logging of warnings from the kernel IP driver. These are displayed on the console. Logging is turned on if this parameter is set to 1. If set to 0 (the default), debugging information is not displayed.

Transmission Control Protocol (TCP/IP) parameters

tcp_2msl

Sets the time in seconds that a TCP/IP connection will remain in the TIME_WAIT state waiting for a FIN from the remote side before being moved to the CLOSED state. The default time period is 240 seconds as defined by RFC 793. The minimum and maximum configurable values are 30 and 240 seconds.

tcp_delay_acks

Selects TCP/IP delayed acknowledgements (ACKs) if set to 1 (default), and selects immediate ACKs if set to 0. If delayed ACKs are set, TCP/IP does not send an ACK immediately on receiving data. TCP/IP normally delays sending an ACK to improve the chance that it can bundle it with transmitted data.

tcp_do_rfc1323

Control system-wide implementation of TCP/IP performance extensions including timestamps and large window scaling (as defined in RFC 1323). These features provide more efficient and reliable usage of high-bandwidth, high-latency links. If set to 1 (the default), negotiation is turned on and will permit a TCP/IP receive window size as large as 1,073,725,440 bytes (just under 1GB). If set to 0, negotiation is disabled and the largest possible window size is 65,535 bytes (64KB-1).

Window size negotiation may be disabled on a per-interface basis by specifying the -rfc1323 option to ifconfig(ADMN). This is necessary for PPP and SLIP interfaces that allow header compression.

tcp_initial_timeout

Sets the TCP/IP retransmit time for an initial SYN segment when establishing a connection. (See also the description of tcp_q0limit.) The default value is 180 seconds as defined by RFC 1122. The minimum and maximum configurable values are 1 and 7200 seconds.

tcp_keepalive_port

Selects a local TCP/IP server port for which incoming TCP/IP connections will automatically set the SO_KEEPALIVE option (see setsockopt(SSC)) to enable TCP/IP keepalives.

If keepalives are not enabled for a TCP/IP connection, the socket will not be closed should the client hang or reboot. This can lead to the number of bogus ``established'' connections building up over time on the server. These bogus connections consume system resources, and may eventually prevent new connections from being established until the system is rebooted.

If keepalives are enabled, the server will detect broken connections and close the associated sockets. See also the descriptions of tcp_keepidle, tcp_keepintvl and tcp_nkeep.

The minimum and maximum values are 0 and 65535 (0xffff). The default value of 0 means that TCP/IP keepalives are not automatically enabled for any local server port. A value of 65535 automatically enables keepalives for TCP/IP connections to all local server ports. A value from 1 to 65534 selects a single server port on which keepalives are automatically enabled.

---

NOTE: The settings of this parameter are not cumulative; it can only be used to set automatic TCP/IP keepalives on none, one, or all of the server ports. Automatic keepalives will be disabled on a server port if subsequently enabled for a different port.

A server process can call setsockopt to set SO_KEEPALIVE.

---

tcp_keepidle

Sets the idle time before TCP/IP keepalives are sent (if enabled). The default value is 7200 seconds. The minimum and maximum configurable values are 300 and 86400 seconds.

tcp_keepintvl

Sets the TCP/IP keepalive interval between keepalive packets once they start being sent. The default value is 75 seconds. The minimum and maximum configurable values are 1 and 43200 seconds.

tcp_mss_sw_threshold

Defines the small window threshold for interface MTUs. If the MTU of an interface is small enough to force TCP/IP to use an MSS smaller than this threshold, then TCP/IP will use the receive window size specified by tcp_small_recvspace. This is an optimization to avoid buffering too much data on low-speed links such as SLIP and PPP. The default value is 1024 bytes. The minimum and maximum configurable values are 512 and 4096 bytes.

tcp_mssdflt

Sets the default TCP/IP segment size to use on interfaces for which MSS and Path MTU information is not available. The default and minimum value is 512 bytes. The maximum configurable value is 32768. You should keep the value of this parameter small if possible.

tcp_nkeep

Sets the number of TCP/IP keepalives that will be sent before giving up. The default value is 8. The minimum and maximum configurable values are 1 and 256.

tcp_offer_big_mss

In order to get the maximum benefit out of Path MTU (PMTU) discovery, TCP/IP normally offers an MSS that is derived from the local interface MTU (after subtracting the packet header sizes). This allows the remote system to send the biggest segments that the network can handle. Set this parameter to 0 for systems that cannot handle this, or that do not implement PMTU discovery. This causes TCP/IP to offer a smaller MTU for non-local connections (see ip_subnetsarelocal in ``Internet Protocol Version 4 (IPv4) parameters''). The default value of 1 (offer it) allows maximum benefit to be gained from PMTU discovery; a value of 0 disables this.

tcp_q0limit

Sets the maximum length of the pending (3-way handshake incomplete) connection queue for a TCP endpoint. This protects a server against SYN flood attacks. When the pending connection queue is full and a new connection request arrives, the kernel will randomly drop an outstanding partial connection from the pending queue and add the new connection to the queue.

Setting tcp_q0limit modifies the system behavior as follows:

• The backlog parameter to listen(SSC) specifies the maximum number of established (3-way handshake complete) connections that the kernel will queue for a given socket while accept(SSC) is processing them. In previous releases, backlog specified the maximum length of both the pending and established queues for a socket.

• If a pending connection is dropped, the connection is terminated (by sending RST) and the client will receive an appropriate error (usually ECONNRESET).

• At least 800 bytes of memory are allocated to each partial connection. This implies that each listening port could potentially use tcp_q0limit800 bytes.

The default value of 0 provides the same behavior as in previous releases. The minimum and maximum configurable values are 1 and 65535. If you set tcp_q0limit to a non-zero value, it should be greater than 1. The value must be high enough to cope with peak demand by incoming connection requests. You should also set the value even higher if most of the physical links are low speed and/or high latency.

Use netstat -s -p tcp to display statistics of partial connections that have been dropped.

tcp_qlimit_scale

If set to 1 (the default), increase the listen(SSC) backlog limit for incoming connections by 50%. If set to 0, the backlog limit is not scaled as required for UNIX 95 conformance.

tcp_secret

tcp_seqbits

To protect against IP address spoofing attacks, a random element is introduced into how TCP/IP chooses the initial send sequence number and its increment.

tcp_secret seeds the random number sequence. Its value can be set to any integer from 0 through 2147483647.

tcp_seqbits selects the number of bits of tcp_secret that are used to seed the sequence number increment value. The default value of tcp_seqbits is 21; its minimum and maximum values are 16 and 26. The default value represents a compromise between security and the uniqueness of the sequence number. If the value of tcp_seqbits is small, this increases the possibility that an attacker can guess the random number. A large value for tcp_seqbits decreases the time before a given sequence number occurs again.

tcp_small_recvspace

If the MTU is less than the small window threshold, tcp_mss_sw_threshold, sets the receive window size to use on interfaces that require small windows. The default value is 4096 bytes. The minimum and maximum configurable values are 1024 and 16384 bytes.

tcp_urgbehavior

Controls how TCP/IP interprets urgent data. If set to 0, it interprets it in RFC 1122 mode; if set to 1 (the default), it interprets it in BSD mode.

tcpalldebug

If set to 1, captures trace information for all connections. The default value is 0 which causes TCP/IP to trace only those connections that set the SO_DEBUG option. This information can be retrieved using the trpt(ADMN) command, or displayed on the console if tcpconsdebug is set.

tcpconsdebug

Directs TCP/IP connection trace output to the console if set to 1 (see also tcpalldebug). The default value is 0.

tcpprintfs

Controls logging of warnings from the kernel TCP/IP driver. These are displayed on the console. Logging is turned on if this parameter is set to 1. If set to 0 (the default), debugging information is not displayed.

User Datagram Protocol (UDP) parameters

udpprintfs

Controls logging of warnings from the kernel UDP driver. These are displayed on the console. Logging is turned on if this parameter is set to 1. If set to 0 (the default), debugging information is not displayed.

Socket parameters

ss_connafunixndelay

Determines how a non-blocking connect(SSC) on a unix domain (AF_UNIX) socket will behave.

If set to 0 (default), connect returns -1 and sets EINPROGRESS in errno. However, the connection request is not aborted, and the connection is established asynchronously. Subsequent connect calls to the socket will fail if a connection has not yet been set up, and will return EALREADY in errno.

If set to 1, connect returns 0 and does not set a value in errno. The connection will complete synchronously and without appreciable delay. This ensures compatibility for applications which have been developed on operating systems where EINPROGRESS is not set.

ss_selectrdband

Determines how select(S) will behave when a socket, for which an exception descriptor set has been defined, is shut down or closed for read operations. If set to 0 (default), exception bits are not set. If set to 1, exception bits are set.

ss_uw7_compat

The value of this parameter controls how newly created sockets handle asynchronous errors and events (see sock(ADMP)):

0

Sockets created by all binaries exhibit new behavior.

1 (default)

Sockets created by binaries that have been compiled on a UnixWare^® 7 release 7.1.1 or later system exhibit new behavior. Sockets created by older binaries behave as in previous releases.

2

Sockets created by all binaries behave as in previous releases.

Files

/etc/inet/inet.dfl

configuration file

References

RFC 793, RFC 1122, RFC 1191, RFC 1323, RFC 1340