1IP(7)                      Linux Programmer's Manual                     IP(7)


6       ip - Linux IPv4 protocol implementation


9       #include <sys/socket.h>
10       #include <netinet/in.h>
11       #include <netinet/ip.h> /* superset of previous */
13       tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
14       udp_socket = socket(AF_INET, SOCK_DGRAM, 0);
15       raw_socket = socket(AF_INET, SOCK_RAW, protocol);


18       Linux implements the Internet Protocol, version 4, described in RFC 791
19       and RFC 1122.  ip contains a level 2 multicasting  implementation  con‐
20       forming  to RFC 1112.  It also contains an IP router including a packet
21       filter.
23       The programming interface is BSD-sockets compatible.  For more informa‐
24       tion on sockets, see socket(7).
26       An IP socket is created using socket(2):
28           socket(AF_INET, socket_type, protocol);
30       Valid  socket  types  include  SOCK_STREAM  to  open  a  stream socket,
31       SOCK_DGRAM to open a datagram socket, and SOCK_RAW  to  open  a  raw(7)
32       socket to access the IP protocol directly.
34       protocol  is  the  IP protocol in the IP header to be received or sent.
35       Valid values for protocol include:
37       · 0 and IPPROTO_TCP for tcp(7) stream sockets;
39       · 0 and IPPROTO_UDP for udp(7) datagram sockets;
41       · IPPROTO_SCTP for sctp(7) stream sockets; and
43       · IPPROTO_UDPLITE for udplite(7) datagram sockets.
45       For SOCK_RAW you may specify  a  valid  IANA  IP  protocol  defined  in
46       RFC 1700 assigned numbers.
48       When a process wants to receive new incoming packets or connections, it
49       should bind a socket to a local interface address  using  bind(2).   In
50       this case, only one IP socket may be bound to any given local (address,
51       port) pair.  When INADDR_ANY is specified in the bind call, the  socket
52       will  be bound to all local interfaces.  When listen(2) is called on an
53       unbound socket, the socket is automatically bound to a random free port
54       with the local address set to INADDR_ANY.  When connect(2) is called on
55       an unbound socket, the socket is automatically bound to a  random  free
56       port  or  to  a  usable  shared  port  with  the  local  address set to
57       INADDR_ANY.
59       A TCP local socket address that has been bound is unavailable for  some
60       time  after  closing,  unless the SO_REUSEADDR flag has been set.  Care
61       should be taken when using this flag as it makes TCP less reliable.
63   Address format
64       An IP socket address is defined as a combination  of  an  IP  interface
65       address  and a 16-bit port number.  The basic IP protocol does not sup‐
66       ply port numbers, they are implemented by higher level  protocols  like
67       udp(7) and tcp(7).  On raw sockets sin_port is set to the IP protocol.
69           struct sockaddr_in {
70               sa_family_t    sin_family; /* address family: AF_INET */
71               in_port_t      sin_port;   /* port in network byte order */
72               struct in_addr sin_addr;   /* internet address */
73           };
75           /* Internet address. */
76           struct in_addr {
77               uint32_t       s_addr;     /* address in network byte order */
78           };
80       sin_family  is  always  set to AF_INET.  This is required; in Linux 2.2
81       most networking functions return EINVAL when this setting  is  missing.
82       sin_port  contains  the  port  in network byte order.  The port numbers
83       below 1024 are called privileged ports (or sometimes: reserved  ports).
84       Only   a   privileged  process  (on  Linux:  a  process  that  has  the
85       CAP_NET_BIND_SERVICE capability in the  user  namespace  governing  its
86       network  namespace)  may  bind(2)  to these sockets.  Note that the raw
87       IPv4 protocol as such has no concept of a port,  they  are  implemented
88       only by higher protocols like tcp(7) and udp(7).
90       sin_addr  is  the IP host address.  The s_addr member of struct in_addr
91       contains the host interface address in  network  byte  order.   in_addr
92       should  be  assigned one of the INADDR_* values (e.g., INADDR_LOOPBACK)
93       using  htonl(3)  or   set   using   the   inet_aton(3),   inet_addr(3),
94       inet_makeaddr(3)  library  functions or directly with the name resolver
95       (see gethostbyname(3)).
97       IPv4 addresses are  divided  into  unicast,  broadcast,  and  multicast
98       addresses.   Unicast  addresses  specify  a single interface of a host,
99       broadcast addresses specify all  hosts  on  a  network,  and  multicast
100       addresses  address all hosts in a multicast group.  Datagrams to broad‐
101       cast addresses can be sent  or  received  only  when  the  SO_BROADCAST
102       socket flag is set.  In the current implementation, connection-oriented
103       sockets are allowed to use only unicast addresses.
105       Note that the address and the port are always stored  in  network  byte
106       order.  In particular, this means that you need to call htons(3) on the
107       number that is assigned to a port.  All address/port manipulation func‐
108       tions in the standard library work in network byte order.
110       There are several special addresses: INADDR_LOOPBACK ( always
111       refers to the local host via the loopback device; INADDR_ANY  (
112       means any address for binding; INADDR_BROADCAST ( means
113       any host and has the same effect on bind as INADDR_ANY  for  historical
114       reasons.
116   Socket options
117       IP  supports some protocol-specific socket options that can be set with
118       setsockopt(2) and read with getsockopt(2).  The socket option level for
119       IP  is  IPPROTO_IP.   A  boolean integer flag is zero when it is false,
120       otherwise true.
122       When an invalid socket option is specified, getsockopt(2) and  setsock‐
123       opt(2) fail with the error ENOPROTOOPT.
125       IP_ADD_MEMBERSHIP (since Linux 1.2)
126              Join a multicast group.  Argument is an ip_mreqn structure.
128           struct ip_mreqn {
129               struct in_addr imr_multiaddr; /* IP multicast group
130                                                address */
131               struct in_addr imr_address;   /* IP address of local
132                                                interface */
133               int            imr_ifindex;   /* interface index */
134           };
136       imr_multiaddr  contains the address of the multicast group the applica‐
137       tion wants to join or leave.  It must be a valid multicast address  (or
138       setsockopt(2) fails with the error EINVAL).  imr_address is the address
139       of the local interface with which the system should join the  multicast
140       group; if it is equal to INADDR_ANY, an appropriate interface is chosen
141       by the system.  imr_ifindex is the interface  index  of  the  interface
142       that  should  join/leave  the imr_multiaddr group, or 0 to indicate any
143       interface.
145              The ip_mreqn structure is available only since Linux  2.2.   For
146              compatibility,  the  old  ip_mreq structure (present since Linux
147              1.2) is still supported; it differs from ip_mreqn  only  by  not
148              including  the  imr_ifindex field.  (The kernel determines which
149              structure is being passed based on the size passed in optlen.)
151              IP_ADD_MEMBERSHIP is valid only for setsockopt(2).
153       IP_ADD_SOURCE_MEMBERSHIP (since Linux 2.4.22 / 2.5.68)
154              Join a multicast group and allow  receiving  data  only  from  a
155              specified source.  Argument is an ip_mreq_source structure.
157           struct ip_mreq_source {
158               struct in_addr imr_multiaddr;  /* IP multicast group
159                                                 address */
160               struct in_addr imr_interface;  /* IP address of local
161                                                 interface */
162               struct in_addr imr_sourceaddr; /* IP address of
163                                                 multicast source */
164           };
166       The  ip_mreq_source  structure  is  similar to ip_mreqn described under
167       IP_ADD_MEMBERSHIP.  The imr_multiaddr field contains the address of the
168       multicast group the application wants to join or leave.  The imr_inter‐
169       face field is the address of the local interface with which the  system
170       should  join  the  multicast  group.  Finally, the imr_sourceaddr field
171       contains the address of the source the  application  wants  to  receive
172       data from.
174              This  option  can be used multiple times to allow receiving data
175              from more than one source.
177       IP_BIND_ADDRESS_NO_PORT (since Linux 4.2)
178              Inform the kernel to not reserve an ephemeral  port  when  using
179              bind(2)  with  a port number of 0.  The port will later be auto‐
180              matically chosen at connect(2) time, in a way that allows  shar‐
181              ing a source port as long as the 4-tuple is unique.
183       IP_BLOCK_SOURCE (since Linux 2.4.22 / 2.5.68)
184              Stop  receiving multicast data from a specific source in a given
185              group.  This is valid only after the application has  subscribed
186              to   the  multicast  group  using  either  IP_ADD_MEMBERSHIP  or
187              IP_ADD_SOURCE_MEMBERSHIP.
189              Argument is  an  ip_mreq_source  structure  as  described  under
190              IP_ADD_SOURCE_MEMBERSHIP.
192       IP_DROP_MEMBERSHIP (since Linux 1.2)
193              Leave  a  multicast  group.   Argument is an ip_mreqn or ip_mreq
194              structure similar to IP_ADD_MEMBERSHIP.
196       IP_DROP_SOURCE_MEMBERSHIP (since Linux 2.4.22 / 2.5.68)
197              Leave a source-specific group—that is, stop receiving data  from
198              a  given  multicast group that come from a given source.  If the
199              application has subscribed to multiple sources within  the  same
200              group,  data from the remaining sources will still be delivered.
201              To  stop  receiving  data  from  all  sources   at   once,   use
202              IP_DROP_MEMBERSHIP.
204              Argument  is  an  ip_mreq_source  structure  as  described under
205              IP_ADD_SOURCE_MEMBERSHIP.
207       IP_FREEBIND (since Linux 2.4)
208              If enabled, this boolean option allows binding to an IP  address
209              that  is nonlocal or does not (yet) exist.  This permits listen‐
210              ing on a socket, without requiring the underlying network inter‐
211              face  or  the  specified dynamic IP address to be up at the time
212              that the application is trying to bind to it.   This  option  is
213              the  per-socket  equivalent of the ip_nonlocal_bind /proc inter‐
214              face described below.
216       IP_HDRINCL (since Linux 2.0)
217              If enabled, the user supplies an IP header in front of the  user
218              data.   Valid  only  for  SOCK_RAW  sockets; see raw(7) for more
219              information.  When this flag  is  enabled,  the  values  set  by
220              IP_OPTIONS, IP_TTL, and IP_TOS are ignored.
222       IP_MSFILTER (since Linux 2.4.22 / 2.5.68)
223              This option provides access to the advanced full-state filtering
224              API.  Argument is an ip_msfilter structure.
226           struct ip_msfilter {
227               struct in_addr imsf_multiaddr; /* IP multicast group
228                                                 address */
229               struct in_addr imsf_interface; /* IP address of local
230                                                 interface */
231               uint32_t       imsf_fmode;     /* Filter-mode */
233               uint32_t       imsf_numsrc;    /* Number of sources in
234                                                 the following array */
235               struct in_addr imsf_slist[1];  /* Array of source
236                                                 addresses */
237           };
239       There are two macros, MCAST_INCLUDE and  MCAST_EXCLUDE,  which  can  be
240       used  to  specify  the  filtering  mode.   Additionally,  the IP_MSFIL‐
241       TER_SIZE(n) macro exists to determine how  much  memory  is  needed  to
242       store ip_msfilter structure with n sources in the source list.
244              For  the full description of multicast source filtering refer to
245              RFC 3376.
247       IP_MTU (since Linux 2.2)
248              Retrieve the current known  path  MTU  of  the  current  socket.
249              Returns an integer.
251              IP_MTU  is valid only for getsockopt(2) and can be employed only
252              when the socket has been connected.
254       IP_MTU_DISCOVER (since Linux 2.2)
255              Set or receive the Path MTU  Discovery  setting  for  a  socket.
256              When  enabled,  Linux will perform Path MTU Discovery as defined
257              in RFC 1191 on SOCK_STREAM sockets.  For  non-SOCK_STREAM  sock‐
258              ets,  IP_PMTUDISC_DO forces the don't-fragment flag to be set on
259              all outgoing packets.  It is the user's responsibility to packe‐
260              tize  the  data in MTU-sized chunks and to do the retransmits if
261              necessary.  The kernel will  reject  (with  EMSGSIZE)  datagrams
262              that  are bigger than the known path MTU.  IP_PMTUDISC_WANT will
263              fragment a datagram if needed according to the path MTU, or will
264              set the don't-fragment flag otherwise.
266              The  system-wide default can be toggled between IP_PMTUDISC_WANT
267              and IP_PMTUDISC_DONT by writing (respectively, zero and  nonzero
268              values) to the /proc/sys/net/ipv4/ip_no_pmtu_disc file.
270              Path MTU discovery value   Meaning
271              IP_PMTUDISC_WANT           Use per-route settings.
272              IP_PMTUDISC_DONT           Never do Path MTU Discovery.
273              IP_PMTUDISC_DO             Always do Path MTU Discovery.
274              IP_PMTUDISC_PROBE          Set DF but ignore Path MTU.
276              When  PMTU  discovery is enabled, the kernel automatically keeps
277              track of the path MTU per destination host.   When  it  is  con‐
278              nected  to  a specific peer with connect(2), the currently known
279              path MTU can be retrieved conveniently using the  IP_MTU  socket
280              option  (e.g.,  after an EMSGSIZE error occurred).  The path MTU
281              may change over time.  For connectionless sockets with many des‐
282              tinations,  the  new  MTU  for  a  given destination can also be
283              accessed using the error queue (see IP_RECVERR).   A  new  error
284              will be queued for every incoming MTU update.
286              While  MTU  discovery is in progress, initial packets from data‐
287              gram sockets may be dropped.  Applications using UDP  should  be
288              aware  of  this  and  not  take it into account for their packet
289              retransmit strategy.
291              To bootstrap the path MTU discovery process on unconnected sock‐
292              ets,  it  is possible to start with a big datagram size (headers
293              up to 64 kilobytes long) and let it shrink  by  updates  of  the
294              path MTU.
296              To  get  an initial estimate of the path MTU, connect a datagram
297              socket to the destination address using connect(2) and  retrieve
298              the MTU by calling getsockopt(2) with the IP_MTU option.
300              It is possible to implement RFC 4821 MTU probing with SOCK_DGRAM
301              or SOCK_RAW sockets by  setting  a  value  of  IP_PMTUDISC_PROBE
302              (available  since Linux 2.6.22).  This is also particularly use‐
303              ful for diagnostic tools  such  as  tracepath(8)  that  wish  to
304              deliberately  send  probe  packets larger than the observed Path
305              MTU.
307       IP_MULTICAST_ALL (since Linux 2.6.31)
308              This option can be used to modify the delivery policy of  multi‐
309              cast  messages  to  sockets  bound  to  the  wildcard INADDR_ANY
310              address.  The argument is a boolean integer (defaults to 1).  If
311              set  to  1, the socket will receive messages from all the groups
312              that have been joined globally on the whole system.   Otherwise,
313              it  will  deliver  messages  only from the groups that have been
314              explicitly joined (for example via the IP_ADD_MEMBERSHIP option)
315              on this particular socket.
317       IP_MULTICAST_IF (since Linux 1.2)
318              Set  the  local device for a multicast socket.  The argument for
319              setsockopt(2) is an ip_mreqn or (since Linux 3.5) ip_mreq struc‐
320              ture  similar  to  IP_ADD_MEMBERSHIP,  or  an in_addr structure.
321              (The kernel determines which structure is being passed based  on
322              the  size passed in optlen.)  For getsockopt(2), the argument is
323              an in_addr structure.
325       IP_MULTICAST_LOOP (since Linux 1.2)
326              Set or read a boolean integer argument that  determines  whether
327              sent  multicast packets should be looped back to the local sock‐
328              ets.
330       IP_MULTICAST_TTL (since Linux 1.2)
331              Set or read the time-to-live value of outgoing multicast packets
332              for  this socket.  It is very important for multicast packets to
333              set the smallest TTL possible.  The default  is  1  which  means
334              that  multicast packets don't leave the local network unless the
335              user program explicitly requests it.  Argument is an integer.
337       IP_NODEFRAG (since Linux 2.6.36)
338              If enabled (argument is nonzero),  the  reassembly  of  outgoing
339              packets  is disabled in the netfilter layer.  The argument is an
340              integer.
342              This option is valid only for SOCK_RAW sockets.
344       IP_OPTIONS (since Linux 2.0)
345              Set or get the IP options to be sent with every packet from this
346              socket.  The arguments are a pointer to a memory buffer contain‐
347              ing the options and the option length.  The  setsockopt(2)  call
348              sets  the  IP  options  associated  with  a socket.  The maximum
349              option size for IPv4 is 40 bytes.  See RFC 791 for  the  allowed
350              options.   When  the  initial  connection  request  packet for a
351              SOCK_STREAM socket contains IP options, the IP options  will  be
352              set  automatically  to  the options from the initial packet with
353              routing headers reversed.  Incoming packets are not  allowed  to
354              change  options  after  the connection is established.  The pro‐
355              cessing of all incoming source routing options  is  disabled  by
356              default  and  can  be  enabled  by using the accept_source_route
357              /proc interface.  Other options like timestamps are  still  han‐
358              dled.   For  datagram sockets, IP options can be only set by the
359              local user.  Calling getsockopt(2) with IP_OPTIONS puts the cur‐
360              rent IP options used for sending into the supplied buffer.
362       IP_PKTINFO (since Linux 2.2)
363              Pass  an  IP_PKTINFO  ancillary  message that contains a pktinfo
364              structure that supplies  some  information  about  the  incoming
365              packet.   This  only  works  for datagram oriented sockets.  The
366              argument is a flag that tells the socket whether the  IP_PKTINFO
367              message should be passed or not.  The message itself can only be
368              sent/retrieved as control message with a packet using recvmsg(2)
369              or sendmsg(2).
371                  struct in_pktinfo {
372                      unsigned int   ipi_ifindex;  /* Interface index */
373                      struct in_addr ipi_spec_dst; /* Local address */
374                      struct in_addr ipi_addr;     /* Header Destination
375                                                      address */
376                  };
378              ipi_ifindex  is the unique index of the interface the packet was
379              received on.  ipi_spec_dst is the local address  of  the  packet
380              and  ipi_addr  is  the destination address in the packet header.
381              If IP_PKTINFO is passed to sendmsg(2) and  ipi_spec_dst  is  not
382              zero,  then it is used as the local source address for the rout‐
383              ing table lookup and for setting up  IP  source  route  options.
384              When  ipi_ifindex  is not zero, the primary local address of the
385              interface specified by the index overwrites ipi_spec_dst for the
386              routing table lookup.
388       IP_RECVERR (since Linux 2.2)
389              Enable extended reliable error message passing.  When enabled on
390              a datagram socket, all generated errors will be queued in a per-
391              socket  error  queue.   When  the  user receives an error from a
392              socket  operation,  the  errors  can  be  received  by   calling
393              recvmsg(2)    with    the    MSG_ERRQUEUE    flag    set.    The
394              sock_extended_err structure describing the error will be  passed
395              in  an  ancillary message with the type IP_RECVERR and the level
396              IPPROTO_IP.  This is  useful  for  reliable  error  handling  on
397              unconnected  sockets.   The  received  data portion of the error
398              queue contains the error packet.
400              The IP_RECVERR  control  message  contains  a  sock_extended_err
401              structure:
403                  #define SO_EE_ORIGIN_NONE    0
404                  #define SO_EE_ORIGIN_LOCAL   1
405                  #define SO_EE_ORIGIN_ICMP    2
406                  #define SO_EE_ORIGIN_ICMP6   3
408                  struct sock_extended_err {
409                      uint32_t ee_errno;   /* error number */
410                      uint8_t  ee_origin;  /* where the error originated */
411                      uint8_t  ee_type;    /* type */
412                      uint8_t  ee_code;    /* code */
413                      uint8_t  ee_pad;
414                      uint32_t ee_info;    /* additional information */
415                      uint32_t ee_data;    /* other data */
416                      /* More data may follow */
417                  };
419                  struct sockaddr *SO_EE_OFFENDER(struct sock_extended_err *);
421              ee_errno contains the errno number of the queued error.  ee_ori‐
422              gin is the origin code of where the error originated.  The other
423              fields  are protocol-specific.  The macro SO_EE_OFFENDER returns
424              a pointer to the address of the network object where  the  error
425              originated  from  given  a pointer to the ancillary message.  If
426              this address is not known, the sa_family member of the  sockaddr
427              contains  AF_UNSPEC  and  the  other  fields of the sockaddr are
428              undefined.
430              IP uses the sock_extended_err structure as follows: ee_origin is
431              set  to SO_EE_ORIGIN_ICMP for errors received as an ICMP packet,
432              or SO_EE_ORIGIN_LOCAL for  locally  generated  errors.   Unknown
433              values  should be ignored.  ee_type and ee_code are set from the
434              type and code fields of the ICMP header.  ee_info  contains  the
435              discovered  MTU  for EMSGSIZE errors.  The message also contains
436              the sockaddr_in of the node  caused  the  error,  which  can  be
437              accessed with the SO_EE_OFFENDER macro.  The sin_family field of
438              the SO_EE_OFFENDER address is  AF_UNSPEC  when  the  source  was
439              unknown.   When  the  error  originated from the network, all IP
440              options (IP_OPTIONS, IP_TTL, etc.) enabled  on  the  socket  and
441              contained  in  the  error packet are passed as control messages.
442              The payload of the packet causing the error is returned as  nor‐
443              mal  payload.  Note that TCP has no error queue; MSG_ERRQUEUE is
444              not permitted on SOCK_STREAM sockets.  IP_RECVERR is  valid  for
445              TCP,  but  all  errors are returned by socket function return or
446              SO_ERROR only.
448              For raw sockets, IP_RECVERR enables passing of all received ICMP
449              errors to the application, otherwise errors are only reported on
450              connected sockets
452              It sets  or  retrieves  an  integer  boolean  flag.   IP_RECVERR
453              defaults to off.
455       IP_RECVOPTS (since Linux 2.2)
456              Pass all incoming IP options to the user in a IP_OPTIONS control
457              message.  The routing  header  and  other  options  are  already
458              filled  in  for  the  local host.  Not supported for SOCK_STREAM
459              sockets.
461       IP_RECVORIGDSTADDR (since Linux 2.6.29)
462              This boolean option enables the IP_ORIGDSTADDR ancillary message
463              in recvmsg(2), in which the kernel returns the original destina‐
464              tion address of the datagram being received.  The ancillary mes‐
465              sage contains a struct sockaddr_in.
467       IP_RECVTOS (since Linux 2.2)
468              If enabled, the IP_TOS ancillary message is passed with incoming
469              packets.  It contains a byte which specifies the  Type  of  Ser‐
470              vice/Precedence  field  of the packet header.  Expects a boolean
471              integer flag.
473       IP_RECVTTL (since Linux 2.2)
474              When this flag is set, pass a IP_TTL control  message  with  the
475              time-to-live  field  of the received packet as a 32 bit integer.
476              Not supported for SOCK_STREAM sockets.
478       IP_RETOPTS (since Linux 2.2)
479              Identical to IP_RECVOPTS, but returns  raw  unprocessed  options
480              with  timestamp  and route record options not filled in for this
481              hop.
483       IP_ROUTER_ALERT (since Linux 2.2)
484              Pass all to-be forwarded packets with the IP Router Alert option
485              set  to  this socket.  Valid only for raw sockets.  This is use‐
486              ful, for instance, for  user-space  RSVP  daemons.   The  tapped
487              packets  are  not  forwarded  by  the  kernel;  it is the user's
488              responsibility to  send  them  out  again.   Socket  binding  is
489              ignored, such packets are only filtered by protocol.  Expects an
490              integer flag.
492       IP_TOS (since Linux 1.0)
493              Set or receive the Type-Of-Service (TOS) field that is sent with
494              every  IP  packet  originating  from this socket.  It is used to
495              prioritize packets on the network.  TOS is a  byte.   There  are
496              some  standard  TOS  flags  defined:  IPTOS_LOWDELAY to minimize
497              delays for interactive  traffic,  IPTOS_THROUGHPUT  to  optimize
498              throughput,   IPTOS_RELIABILITY  to  optimize  for  reliability,
499              IPTOS_MINCOST should be used for "filler data" where slow trans‐
500              mission  doesn't matter.  At most one of these TOS values can be
501              specified.  Other bits are invalid and shall be cleared.   Linux
502              sends  IPTOS_LOWDELAY  datagrams first by default, but the exact
503              behavior depends on the configured  queueing  discipline.   Some
504              high-priority  levels  may  require  superuser  privileges  (the
505              CAP_NET_ADMIN capability).
507       IP_TRANSPARENT (since Linux 2.6.24)
508              Setting this boolean option enables transparent proxying on this
509              socket.   This  socket  option allows the calling application to
510              bind to a nonlocal IP address and operate both as a client and a
511              server  with  the  foreign address as the local endpoint.  NOTE:
512              this requires that routing be set up in a way that packets going
513              to  the foreign address are routed through the TProxy box (i.e.,
514              the system hosting the application that employs the IP_TRANSPAR‐
515              ENT  socket option).  Enabling this socket option requires supe‐
516              ruser privileges (the CAP_NET_ADMIN capability).
518              TProxy redirection with the iptables TPROXY target also requires
519              that this option be set on the redirected socket.
521       IP_TTL (since Linux 1.0)
522              Set  or  retrieve the current time-to-live field that is used in
523              every packet sent from this socket.
525       IP_UNBLOCK_SOURCE (since Linux 2.4.22 / 2.5.68)
526              Unblock previously blocked multicast source.   Returns  EADDRNO‐
527              TAVAIL when given source is not being blocked.
529              Argument  is  an  ip_mreq_source  structure  as  described under
530              IP_ADD_SOURCE_MEMBERSHIP.
532   /proc interfaces
533       The IP protocol supports a set of /proc interfaces  to  configure  some
534       global  parameters.  The parameters can be accessed by reading or writ‐
535       ing files in the directory /proc/sys/net/ipv4/.   Interfaces  described
536       as Boolean take an integer value, with a nonzero value ("true") meaning
537       that the corresponding option is enabled, and a  zero  value  ("false")
538       meaning that the option is disabled.
540       ip_always_defrag (Boolean; since Linux 2.2.13)
541              [New with kernel 2.2.13; in earlier kernel versions this feature
542              was controlled at compile time  by  the  CONFIG_IP_ALWAYS_DEFRAG
543              option; this option is not present in 2.4.x and later]
545              When  this boolean flag is enabled (not equal 0), incoming frag‐
546              ments (parts of IP packets that arose  when  some  host  between
547              origin  and  destination decided that the packets were too large
548              and cut them into pieces)  will  be  reassembled  (defragmented)
549              before being processed, even if they are about to be forwarded.
551              Enable  only  if running either a firewall that is the sole link
552              to your network or a transparent proxy; never ever use it for  a
553              normal  router or host.  Otherwise, fragmented communication can
554              be disturbed if  the  fragments  travel  over  different  links.
555              Defragmentation also has a large memory and CPU time cost.
557              This is automagically turned on when masquerading or transparent
558              proxying are configured.
560       ip_autoconfig (since Linux 2.2 to 2.6.17)
561              Not documented.
563       ip_default_ttl (integer; default: 64; since Linux 2.2)
564              Set the default time-to-live value of  outgoing  packets.   This
565              can be changed per socket with the IP_TTL option.
567       ip_dynaddr (Boolean; default: disabled; since Linux 2.0.31)
568              Enable  dynamic  socket address and masquerading entry rewriting
569              on interface address change.  This is useful for  dialup  inter‐
570              face  with changing IP addresses.  0 means no rewriting, 1 turns
571              it on and 2 enables verbose mode.
573       ip_forward (Boolean; default: disabled; since Linux 1.2)
574              Enable IP forwarding with a boolean flag.  IP forwarding can  be
575              also set on a per-interface basis.
577       ip_local_port_range (since Linux 2.2)
578              This  file  contains  two integers that define the default local
579              port range allocated to sockets that are not explicitly bound to
580              a  port  number—that is, the range used for ephemeral ports.  An
581              ephemeral port is allocated to a socket in the following circum‐
582              stances:
584              *  the  port  number  in a socket address is specified as 0 when
585                 calling bind(2);
587              *  listen(2) is called on a stream socket that  was  not  previ‐
588                 ously bound;
590              *  connect(2)  was  called  on  a socket that was not previously
591                 bound;
593              *  sendto(2) is called on a datagram socket that was not  previ‐
594                 ously bound.
596              Allocation  of  ephemeral  ports starts with the first number in
597              ip_local_port_range and ends with the  second  number.   If  the
598              range  of ephemeral ports is exhausted, then the relevant system
599              call returns an error (but see BUGS).
601              Note that the port range in ip_local_port_range should not  con‐
602              flict  with the ports used by masquerading (although the case is
603              handled).  Also, arbitrary choices may cause problems with  some
604              firewall  packet  filters  that make assumptions about the local
605              ports in use.  The first number should be at least greater  than
606              1024,  or  better, greater than 4096, to avoid clashes with well
607              known ports and to minimize firewall problems.
609       ip_no_pmtu_disc (Boolean; default: disabled; since Linux 2.2)
610              If enabled, don't do Path  MTU  Discovery  for  TCP  sockets  by
611              default.  Path MTU discovery may fail if misconfigured firewalls
612              (that drop all ICMP packets) or misconfigured interfaces  (e.g.,
613              a  point-to-point  link  where  the both ends don't agree on the
614              MTU) are on the path.  It is better to fix the broken routers on
615              the  path  than to turn off Path MTU Discovery globally, because
616              not doing it incurs a high cost to the network.
618       ip_nonlocal_bind (Boolean; default: disabled; since Linux 2.4)
619              If set, allows processes to bind(2) to  nonlocal  IP  addresses,
620              which can be quite useful, but may break some applications.
622       ip6frag_time (integer; default: 30)
623              Time in seconds to keep an IPv6 fragment in memory.
625       ip6frag_secret_interval (integer; default: 600)
626              Regeneration  interval (in seconds) of the hash secret (or life‐
627              time for the hash secret) for IPv6 fragments.
629       ipfrag_high_thresh (integer), ipfrag_low_thresh (integer)
630              If the amount of queued IP fragments reaches ipfrag_high_thresh,
631              the  queue  is  pruned  down  to ipfrag_low_thresh.  Contains an
632              integer with the number of bytes.
634       neigh/*
635              See arp(7).
637   Ioctls
638       All ioctls described in socket(7) apply to ip.
640       Ioctls to configure generic device parameters are described  in  netde‐
641       vice(7).


644       EACCES The  user  tried  to  execute an operation without the necessary
645              permissions.  These include: sending a  packet  to  a  broadcast
646              address  without  having  the  SO_BROADCAST  flag set; sending a
647              packet via a prohibit route; modifying firewall settings without
648              superuser  privileges (the CAP_NET_ADMIN capability); binding to
649              a   privileged   port   without   superuser   privileges    (the
650              CAP_NET_BIND_SERVICE capability).
652       EADDRINUSE
653              Tried to bind to an address already in use.
656              A  nonexistent  interface  was requested or the requested source
657              address was not local.
659       EAGAIN Operation on a nonblocking socket would block.
661       EALREADY
662              A connection operation on a nonblocking  socket  is  already  in
663              progress.
666              A connection was closed during an accept(2).
669              No  valid  routing  table entry matches the destination address.
670              This error can be caused by an ICMP message from a remote router
671              or for the local routing table.
673       EINVAL Invalid argument passed.  For send operations this can be caused
674              by sending to a blackhole route.
676       EISCONN
677              connect(2) was called on an already connected socket.
679       EMSGSIZE
680              Datagram is bigger than an MTU on the  path  and  it  cannot  be
681              fragmented.
684              Not  enough free memory.  This often means that the memory allo‐
685              cation is limited by the socket buffer limits, not by the system
686              memory, but this is not 100% consistent.
688       ENOENT SIOCGSTAMP was called on a socket where no packet arrived.
690       ENOPKG A kernel subsystem was not configured.
693              Invalid socket option passed.
695       ENOTCONN
696              The  operation  is  defined  only on a connected socket, but the
697              socket wasn't connected.
699       EPERM  User doesn't have permission to set high priority,  change  con‐
700              figuration, or send signals to the requested process or group.
702       EPIPE  The connection was unexpectedly closed or shut down by the other
703              end.
706              The socket is not configured  or  an  unknown  socket  type  was
707              requested.
709       Other  errors may be generated by the overlaying protocols; see tcp(7),
710       raw(7), udp(7), and socket(7).


715       specific.
717       Be very careful with the SO_BROADCAST option - it is not privileged  in
718       Linux.   It  is  easy to overload the network with careless broadcasts.
719       For new application protocols it is better to  use  a  multicast  group
720       instead of broadcasting.  Broadcasting is discouraged.
722       Some  other  BSD  sockets  implementations  provide  IP_RCVDSTADDR  and
723       IP_RECVIF socket options to get the destination address and the  inter‐
724       face  of received datagrams.  Linux has the more general IP_PKTINFO for
725       the same task.
727       Some BSD sockets implementations also provide an IP_RECVTTL option, but
728       an  ancillary  message with type IP_RECVTTL is passed with the incoming
729       packet.  This is different from the IP_TTL option used in Linux.
731       Using the SOL_IP socket options level isn't portable; BSD-based  stacks
732       use the IPPROTO_IP level.
734       INADDR_ANY  (  and INADDR_BROADCAST ( are byte-
735       order-neutral.
736        This means htonl(3) has no effect on them.
738   Compatibility
739       For  compatibility  with  Linux  2.0,  the   obsolete   socket(AF_INET,
740       SOCK_PACKET,  protocol)  syntax  is still supported to open a packet(7)
741       socket.  This is deprecated and should be replaced by socket(AF_PACKET,
742       SOCK_RAW,  protocol)  instead.   The  main  difference is the new sock‐
743       addr_ll address structure for generic link layer information instead of
744       the old sockaddr_pkt.


747       There are too many inconsistent error values.
749       The  error used to diagnose exhaustion of the ephemeral port range dif‐
750       fers across the various system calls (connect(2),  bind(2),  listen(2),
751       sendto(2)) that can assign ephemeral ports.
753       The  ioctls  to  configure IP-specific interface options and ARP tables
754       are not described.
756       Receiving  the  original  destination  address  with  MSG_ERRQUEUE   in
757       msg_name by recvmsg(2) does not work in some 2.2 kernels.


760       recvmsg(2),   sendmsg(2),   byteorder(3),   ipfw(4),   capabilities(7),
761       icmp(7), ipv6(7), netdevice(7), netlink(7), raw(7), socket(7),  tcp(7),
762       udp(7), ip(8)
764       The kernel source file Documentation/networking/ip-sysctl.txt.
766       RFC 791  for the original IP specification.  RFC 1122 for the IPv4 host
767       requirements.  RFC 1812 for the IPv4 router requirements.


770       This page is part of release 5.07 of the Linux  man-pages  project.   A
771       description  of  the project, information about reporting bugs, and the
772       latest    version    of    this    page,    can     be     found     at
773       https://www.kernel.org/doc/man-pages/.
777Linux                             2020-06-09                             IP(7)