1ip(7) Miscellaneous Information Manual ip(7)
2
6 ip - Linux IPv4 protocol implementation
7
9 #include <sys/socket.h>
10 #include <netinet/in.h>
11 #include <netinet/ip.h> /* superset of previous */
12 tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
14 udp_socket = socket(AF_INET, SOCK_DGRAM, 0);
15 raw_socket = socket(AF_INET, SOCK_RAW, protocol);
16
18 Linux implements the Internet Protocol, version 4, described in RFC 791
19 and RFC 1122. ip contains a level 2 multicasting implementation con‐
20 forming to RFC 1112. It also contains an IP router including a packet
21 filter.
22 The programming interface is BSD-sockets compatible. For more informa‐
24 tion on sockets, see socket(7).
25 An IP socket is created using socket(2):
27 socket(AF_INET, socket_type, protocol);
29 Valid socket types include SOCK_STREAM to open a stream socket,
31 SOCK_DGRAM to open a datagram socket, and SOCK_RAW to open a raw(7)
32 socket to access the IP protocol directly.
33 protocol is the IP protocol in the IP header to be received or sent.
35 Valid values for protocol include:
36 • 0 and IPPROTO_TCP for tcp(7) stream sockets;
38 • 0 and IPPROTO_UDP for udp(7) datagram sockets;
40 • IPPROTO_SCTP for sctp(7) stream sockets; and
42 • IPPROTO_UDPLITE for udplite(7) datagram sockets.
44 For SOCK_RAW you may specify a valid IANA IP protocol defined in
46 RFC 1700 assigned numbers.
47 When a process wants to receive new incoming packets or connections, it
49 should bind a socket to a local interface address using bind(2). In
50 this case, only one IP socket may be bound to any given local (address,
51 port) pair. When INADDR_ANY is specified in the bind call, the socket
52 will be bound to all local interfaces. When listen(2) is called on an
53 unbound socket, the socket is automatically bound to a random free port
54 with the local address set to INADDR_ANY. When connect(2) is called on
55 an unbound socket, the socket is automatically bound to a random free
56 port or to a usable shared port with the local address set to IN‐
57 ADDR_ANY.
58 A TCP local socket address that has been bound is unavailable for some
60 time after closing, unless the SO_REUSEADDR flag has been set. Care
61 should be taken when using this flag as it makes TCP less reliable.
62 Address format
64 An IP socket address is defined as a combination of an IP interface ad‐
65 dress and a 16-bit port number. The basic IP protocol does not supply
66 port numbers, they are implemented by higher level protocols like
67 udp(7) and tcp(7). On raw sockets sin_port is set to the IP protocol.
68 struct sockaddr_in {
70 sa_family_t sin_family; /* address family: AF_INET */
71 in_port_t sin_port; /* port in network byte order */
72 struct in_addr sin_addr; /* internet address */
73 };
74 /* Internet address */
76 struct in_addr {
77 uint32_t s_addr; /* address in network byte order */
78 };
79 sin_family is always set to AF_INET. This is required; in Linux 2.2
81 most networking functions return EINVAL when this setting is missing.
82 sin_port contains the port in network byte order. The port numbers be‐
83 low 1024 are called privileged ports (or sometimes: reserved ports).
84 Only a privileged process (on Linux: a process that has the
85 CAP_NET_BIND_SERVICE capability in the user namespace governing its
86 network namespace) may bind(2) to these sockets. Note that the raw
87 IPv4 protocol as such has no concept of a port, they are implemented
88 only by higher protocols like tcp(7) and udp(7).
89 sin_addr is the IP host address. The s_addr member of struct in_addr
91 contains the host interface address in network byte order. in_addr
92 should be assigned one of the INADDR_* values (e.g., INADDR_LOOPBACK)
93 using htonl(3) or set using the inet_aton(3), inet_addr(3),
94 inet_makeaddr(3) library functions or directly with the name resolver
95 (see gethostbyname(3)).
96 IPv4 addresses are divided into unicast, broadcast, and multicast ad‐
98 dresses. Unicast addresses specify a single interface of a host,
99 broadcast addresses specify all hosts on a network, and multicast ad‐
100 dresses address all hosts in a multicast group. Datagrams to broadcast
101 addresses can be sent or received only when the SO_BROADCAST socket
102 flag is set. In the current implementation, connection-oriented sock‐
103 ets are allowed to use only unicast addresses.
104 Note that the address and the port are always stored in network byte
106 order. In particular, this means that you need to call htons(3) on the
107 number that is assigned to a port. All address/port manipulation func‐
108 tions in the standard library work in network byte order.
109 Special and reserved addresses
111 There are several special addresses:
112 INADDR_LOOPBACK (127.0.0.1)
114 always refers to the local host via the loopback device;
115 INADDR_ANY (0.0.0.0)
117 means any address for socket binding;
118 INADDR_BROADCAST (255.255.255.255)
120 has the same effect on bind(2) as INADDR_ANY for historical rea‐
121 sons. A packet addressed to INADDR_BROADCAST through a socket
122 which has SO_BROADCAST set will be broadcast to all hosts on the
123 local network segment, as long as the link is broadcast-capable.
124 Highest-numbered address
126 Lowest-numbered address
127 On any locally-attached non-point-to-point IP subnet with a link
128 type that supports broadcasts, the highest-numbered address
129 (e.g., the .255 address on a subnet with netmask 255.255.255.0)
130 is designated as a broadcast address. It cannot usefully be as‐
131 signed to an individual interface, and can only be addressed
132 with a socket on which the SO_BROADCAST option has been set.
133 Internet standards have historically also reserved the lowest-
134 numbered address (e.g., the .0 address on a subnet with netmask
135 255.255.255.0) for broadcast, though they call it "obsolete" for
136 this purpose. (Some sources also refer to this as the "network
137 address.") Since Linux 5.14, it is treated as an ordinary uni‐
138 cast address and can be assigned to an interface.
139 Internet standards have traditionally also reserved various addresses
141 for particular uses, though Linux no longer treats some of these spe‐
142 cially.
143 [0.0.0.1, 0.255.255.255]
145 [240.0.0.0, 255.255.255.254]
146 Addresses in these ranges (0/8 and 240/4) are reserved globally.
147 Since Linux 5.3 and Linux 2.6.25, respectively, the 0/8 and
148 240/4 addresses, other than INADDR_ANY and INADDR_BROADCAST, are
149 treated as ordinary unicast addresses. Systems that follow the
150 traditional behaviors may not interoperate with these histori‐
151 cally reserved addresses.
152 [127.0.0.1, 127.255.255.254]
154 Addresses in this range (127/8) are treated as loopback ad‐
155 dresses akin to the standardized local loopback address IN‐
156 ADDR_LOOPBACK (127.0.0.1);
157 [224.0.0.0, 239.255.255.255]
159 Addresses in this range (224/4) are dedicated to multicast use.
160 Socket options
162 IP supports some protocol-specific socket options that can be set with
163 setsockopt(2) and read with getsockopt(2). The socket option level for
164 IP is IPPROTO_IP. A boolean integer flag is zero when it is false,
165 otherwise true.
166 When an invalid socket option is specified, getsockopt(2) and setsock‐
168 opt(2) fail with the error ENOPROTOOPT.
169 IP_ADD_MEMBERSHIP (since Linux 1.2)
171 Join a multicast group. Argument is an ip_mreqn structure.
172 struct ip_mreqn {
174 struct in_addr imr_multiaddr; /* IP multicast group
175 address */
176 struct in_addr imr_address; /* IP address of local
177 interface */
178 int imr_ifindex; /* interface index */
179 };
180 imr_multiaddr contains the address of the multicast group the
182 application wants to join or leave. It must be a valid multi‐
183 cast address (or setsockopt(2) fails with the error EINVAL).
184 imr_address is the address of the local interface with which the
185 system should join the multicast group; if it is equal to IN‐
186 ADDR_ANY, an appropriate interface is chosen by the system.
187 imr_ifindex is the interface index of the interface that should
188 join/leave the imr_multiaddr group, or 0 to indicate any inter‐
189 face.
190 The ip_mreqn structure is available only since Linux 2.2. For
192 compatibility, the old ip_mreq structure (present since Linux
193 1.2) is still supported; it differs from ip_mreqn only by not
194 including the imr_ifindex field. (The kernel determines which
195 structure is being passed based on the size passed in optlen.)
196 IP_ADD_MEMBERSHIP is valid only for setsockopt(2).
198 IP_ADD_SOURCE_MEMBERSHIP (since Linux 2.4.22 / Linux 2.5.68)
200 Join a multicast group and allow receiving data only from a
201 specified source. Argument is an ip_mreq_source structure.
202 struct ip_mreq_source {
204 struct in_addr imr_multiaddr; /* IP multicast group
205 address */
206 struct in_addr imr_interface; /* IP address of local
207 interface */
208 struct in_addr imr_sourceaddr; /* IP address of
209 multicast source */
210 };
211 The ip_mreq_source structure is similar to ip_mreqn described
213 under IP_ADD_MEMBERSHIP. The imr_multiaddr field contains the
214 address of the multicast group the application wants to join or
215 leave. The imr_interface field is the address of the local in‐
216 terface with which the system should join the multicast group.
217 Finally, the imr_sourceaddr field contains the address of the
218 source the application wants to receive data from.
219 This option can be used multiple times to allow receiving data
221 from more than one source.
222 IP_BIND_ADDRESS_NO_PORT (since Linux 4.2)
224 Inform the kernel to not reserve an ephemeral port when using
225 bind(2) with a port number of 0. The port will later be auto‐
226 matically chosen at connect(2) time, in a way that allows shar‐
227 ing a source port as long as the 4-tuple is unique.
228 IP_BLOCK_SOURCE (since Linux 2.4.22 / 2.5.68)
230 Stop receiving multicast data from a specific source in a given
231 group. This is valid only after the application has subscribed
232 to the multicast group using either IP_ADD_MEMBERSHIP or
233 IP_ADD_SOURCE_MEMBERSHIP.
234 Argument is an ip_mreq_source structure as described under
236 IP_ADD_SOURCE_MEMBERSHIP.
237 IP_DROP_MEMBERSHIP (since Linux 1.2)
239 Leave a multicast group. Argument is an ip_mreqn or ip_mreq
240 structure similar to IP_ADD_MEMBERSHIP.
241 IP_DROP_SOURCE_MEMBERSHIP (since Linux 2.4.22 / 2.5.68)
243 Leave a source-specific group—that is, stop receiving data from
244 a given multicast group that come from a given source. If the
245 application has subscribed to multiple sources within the same
246 group, data from the remaining sources will still be delivered.
247 To stop receiving data from all sources at once, use
248 IP_DROP_MEMBERSHIP.
249 Argument is an ip_mreq_source structure as described under
251 IP_ADD_SOURCE_MEMBERSHIP.
252 IP_FREEBIND (since Linux 2.4)
254 If enabled, this boolean option allows binding to an IP address
255 that is nonlocal or does not (yet) exist. This permits listen‐
256 ing on a socket, without requiring the underlying network inter‐
257 face or the specified dynamic IP address to be up at the time
258 that the application is trying to bind to it. This option is
259 the per-socket equivalent of the ip_nonlocal_bind /proc inter‐
260 face described below.
261 IP_HDRINCL (since Linux 2.0)
263 If enabled, the user supplies an IP header in front of the user
264 data. Valid only for SOCK_RAW sockets; see raw(7) for more in‐
265 formation. When this flag is enabled, the values set by IP_OP‐
266 TIONS, IP_TTL, and IP_TOS are ignored.
267 IP_LOCAL_PORT_RANGE (since Linux 6.3)
269 Set or get the per-socket default local port range. This option
270 can be used to clamp down the global local port range, defined
271 by the ip_local_port_range /proc interface described below, for
272 a given socket.
273 The option takes an uint32_t value with the high 16 bits set to
275 the upper range bound, and the low 16 bits set to the lower
276 range bound. Range bounds are inclusive. The 16-bit values
277 should be in host byte order.
278 The lower bound has to be less than the upper bound when both
280 bounds are not zero. Otherwise, setting the option fails with
281 EINVAL.
282 If either bound is outside of the global local port range, or is
284 zero, then that bound has no effect.
285 To reset the setting, pass zero as both the upper and the lower
287 bound.
288 IP_MSFILTER (since Linux 2.4.22 / 2.5.68)
290 This option provides access to the advanced full-state filtering
291 API. Argument is an ip_msfilter structure.
292 struct ip_msfilter {
294 struct in_addr imsf_multiaddr; /* IP multicast group
295 address */
296 struct in_addr imsf_interface; /* IP address of local
297 interface */
298 uint32_t imsf_fmode; /* Filter-mode */
299 uint32_t imsf_numsrc; /* Number of sources in
301 the following array */
302 struct in_addr imsf_slist[1]; /* Array of source
303 addresses */
304 };
305 There are two macros, MCAST_INCLUDE and MCAST_EXCLUDE, which can
307 be used to specify the filtering mode. Additionally, the IP_MS‐
308 FILTER_SIZE(n) macro exists to determine how much memory is
309 needed to store ip_msfilter structure with n sources in the
310 source list.
311 For the full description of multicast source filtering refer to
313 RFC 3376.
314 IP_MTU (since Linux 2.2)
316 Retrieve the current known path MTU of the current socket. Re‐
317 turns an integer.
318 IP_MTU is valid only for getsockopt(2) and can be employed only
320 when the socket has been connected.
321 IP_MTU_DISCOVER (since Linux 2.2)
323 Set or receive the Path MTU Discovery setting for a socket.
324 When enabled, Linux will perform Path MTU Discovery as defined
325 in RFC 1191 on SOCK_STREAM sockets. For non-SOCK_STREAM sock‐
326 ets, IP_PMTUDISC_DO forces the don't-fragment flag to be set on
327 all outgoing packets. It is the user's responsibility to packe‐
328 tize the data in MTU-sized chunks and to do the retransmits if
329 necessary. The kernel will reject (with EMSGSIZE) datagrams
330 that are bigger than the known path MTU. IP_PMTUDISC_WANT will
331 fragment a datagram if needed according to the path MTU, or will
332 set the don't-fragment flag otherwise.
333 The system-wide default can be toggled between IP_PMTUDISC_WANT
335 and IP_PMTUDISC_DONT by writing (respectively, zero and nonzero
336 values) to the /proc/sys/net/ipv4/ip_no_pmtu_disc file.
337 Path MTU discovery value Meaning
339 IP_PMTUDISC_WANT Use per-route settings.
340 IP_PMTUDISC_DONT Never do Path MTU Discovery.
341 IP_PMTUDISC_DO Always do Path MTU Discovery.
342 IP_PMTUDISC_PROBE Set DF but ignore Path MTU.
343 When PMTU discovery is enabled, the kernel automatically keeps
345 track of the path MTU per destination host. When it is con‐
346 nected to a specific peer with connect(2), the currently known
347 path MTU can be retrieved conveniently using the IP_MTU socket
348 option (e.g., after an EMSGSIZE error occurred). The path MTU
349 may change over time. For connectionless sockets with many des‐
350 tinations, the new MTU for a given destination can also be ac‐
351 cessed using the error queue (see IP_RECVERR). A new error will
352 be queued for every incoming MTU update.
353 While MTU discovery is in progress, initial packets from data‐
355 gram sockets may be dropped. Applications using UDP should be
356 aware of this and not take it into account for their packet re‐
357 transmit strategy.
358 To bootstrap the path MTU discovery process on unconnected sock‐
360 ets, it is possible to start with a big datagram size (headers
361 up to 64 kilobytes long) and let it shrink by updates of the
362 path MTU.
363 To get an initial estimate of the path MTU, connect a datagram
365 socket to the destination address using connect(2) and retrieve
366 the MTU by calling getsockopt(2) with the IP_MTU option.
367 It is possible to implement RFC 4821 MTU probing with SOCK_DGRAM
369 or SOCK_RAW sockets by setting a value of IP_PMTUDISC_PROBE
370 (available since Linux 2.6.22). This is also particularly use‐
371 ful for diagnostic tools such as tracepath(8) that wish to de‐
372 liberately send probe packets larger than the observed Path MTU.
373 IP_MULTICAST_ALL (since Linux 2.6.31)
375 This option can be used to modify the delivery policy of multi‐
376 cast messages. The argument is a boolean integer (defaults to
377 1). If set to 1, the socket will receive messages from all the
378 groups that have been joined globally on the whole system. Oth‐
379 erwise, it will deliver messages only from the groups that have
380 been explicitly joined (for example via the IP_ADD_MEMBERSHIP
381 option) on this particular socket.
382 IP_MULTICAST_IF (since Linux 1.2)
384 Set the local device for a multicast socket. The argument for
385 setsockopt(2) is an ip_mreqn or (since Linux 3.5) ip_mreq struc‐
386 ture similar to IP_ADD_MEMBERSHIP, or an in_addr structure.
387 (The kernel determines which structure is being passed based on
388 the size passed in optlen.) For getsockopt(2), the argument is
389 an in_addr structure.
390 IP_MULTICAST_LOOP (since Linux 1.2)
392 Set or read a boolean integer argument that determines whether
393 sent multicast packets should be looped back to the local sock‐
394 ets.
395 IP_MULTICAST_TTL (since Linux 1.2)
397 Set or read the time-to-live value of outgoing multicast packets
398 for this socket. It is very important for multicast packets to
399 set the smallest TTL possible. The default is 1 which means
400 that multicast packets don't leave the local network unless the
401 user program explicitly requests it. Argument is an integer.
402 IP_NODEFRAG (since Linux 2.6.36)
404 If enabled (argument is nonzero), the reassembly of outgoing
405 packets is disabled in the netfilter layer. The argument is an
406 integer.
407 This option is valid only for SOCK_RAW sockets.
409 IP_OPTIONS (since Linux 2.0)
411 Set or get the IP options to be sent with every packet from this
412 socket. The arguments are a pointer to a memory buffer contain‐
413 ing the options and the option length. The setsockopt(2) call
414 sets the IP options associated with a socket. The maximum op‐
415 tion size for IPv4 is 40 bytes. See RFC 791 for the allowed op‐
416 tions. When the initial connection request packet for a
417 SOCK_STREAM socket contains IP options, the IP options will be
418 set automatically to the options from the initial packet with
419 routing headers reversed. Incoming packets are not allowed to
420 change options after the connection is established. The pro‐
421 cessing of all incoming source routing options is disabled by
422 default and can be enabled by using the accept_source_route
423 /proc interface. Other options like timestamps are still han‐
424 dled. For datagram sockets, IP options can be set only by the
425 local user. Calling getsockopt(2) with IP_OPTIONS puts the cur‐
426 rent IP options used for sending into the supplied buffer.
427 IP_PASSSEC (since Linux 2.6.17)
429 If labeled IPSEC or NetLabel is configured on the sending and
430 receiving hosts, this option enables receiving of the security
431 context of the peer socket in an ancillary message of type
432 SCM_SECURITY retrieved using recvmsg(2). This option is sup‐
433 ported only for UDP sockets; for TCP or SCTP sockets, see the
434 description of the SO_PEERSEC option below.
435 The value given as an argument to setsockopt(2) and returned as
437 the result of getsockopt(2) is an integer boolean flag.
438 The security context returned in the SCM_SECURITY ancillary mes‐
440 sage is of the same format as the one described under the
441 SO_PEERSEC option below.
442 Note: the reuse of the SCM_SECURITY message type for the
444 IP_PASSSEC socket option was likely a mistake, since other IP
445 control messages use their own numbering scheme in the IP name‐
446 space and often use the socket option value as the message type.
447 There is no conflict currently since the IP option with the same
448 value as SCM_SECURITY is IP_HDRINCL and this is never used for a
449 control message type.
450 IP_PKTINFO (since Linux 2.2)
452 Pass an IP_PKTINFO ancillary message that contains a pktinfo
453 structure that supplies some information about the incoming
454 packet. This works only for datagram oriented sockets. The ar‐
455 gument is a flag that tells the socket whether the IP_PKTINFO
456 message should be passed or not. The message itself can be
457 sent/retrieved only as a control message with a packet using
458 recvmsg(2) or sendmsg(2).
459 struct in_pktinfo {
461 unsigned int ipi_ifindex; /* Interface index */
462 struct in_addr ipi_spec_dst; /* Local address */
463 struct in_addr ipi_addr; /* Header Destination
464 address */
465 };
466 ipi_ifindex is the unique index of the interface the packet was
468 received on. ipi_spec_dst is the local address of the packet
469 and ipi_addr is the destination address in the packet header.
470 If IP_PKTINFO is passed to sendmsg(2) and ipi_spec_dst is not
471 zero, then it is used as the local source address for the rout‐
472 ing table lookup and for setting up IP source route options.
473 When ipi_ifindex is not zero, the primary local address of the
474 interface specified by the index overwrites ipi_spec_dst for the
475 routing table lookup.
476 IP_RECVERR (since Linux 2.2)
478 Enable extended reliable error message passing. When enabled on
479 a datagram socket, all generated errors will be queued in a per-
480 socket error queue. When the user receives an error from a
481 socket operation, the errors can be received by calling
482 recvmsg(2) with the MSG_ERRQUEUE flag set. The sock_ex‐
483 tended_err structure describing the error will be passed in an
484 ancillary message with the type IP_RECVERR and the level IP‐
485 PROTO_IP. This is useful for reliable error handling on uncon‐
486 nected sockets. The received data portion of the error queue
487 contains the error packet.
488 The IP_RECVERR control message contains a sock_extended_err
490 structure:
491 #define SO_EE_ORIGIN_NONE 0
493 #define SO_EE_ORIGIN_LOCAL 1
494 #define SO_EE_ORIGIN_ICMP 2
495 #define SO_EE_ORIGIN_ICMP6 3
496 struct sock_extended_err {
498 uint32_t ee_errno; /* error number */
499 uint8_t ee_origin; /* where the error originated */
500 uint8_t ee_type; /* type */
501 uint8_t ee_code; /* code */
502 uint8_t ee_pad;
503 uint32_t ee_info; /* additional information */
504 uint32_t ee_data; /* other data */
505 /* More data may follow */
506 };
507 struct sockaddr *SO_EE_OFFENDER(struct sock_extended_err *);
509 ee_errno contains the errno number of the queued error. ee_ori‐
511 gin is the origin code of where the error originated. The other
512 fields are protocol-specific. The macro SO_EE_OFFENDER returns
513 a pointer to the address of the network object where the error
514 originated from given a pointer to the ancillary message. If
515 this address is not known, the sa_family member of the sockaddr
516 contains AF_UNSPEC and the other fields of the sockaddr are un‐
517 defined.
518 IP uses the sock_extended_err structure as follows: ee_origin is
520 set to SO_EE_ORIGIN_ICMP for errors received as an ICMP packet,
521 or SO_EE_ORIGIN_LOCAL for locally generated errors. Unknown
522 values should be ignored. ee_type and ee_code are set from the
523 type and code fields of the ICMP header. ee_info contains the
524 discovered MTU for EMSGSIZE errors. The message also contains
525 the sockaddr_in of the node caused the error, which can be ac‐
526 cessed with the SO_EE_OFFENDER macro. The sin_family field of
527 the SO_EE_OFFENDER address is AF_UNSPEC when the source was un‐
528 known. When the error originated from the network, all IP op‐
529 tions (IP_OPTIONS, IP_TTL, etc.) enabled on the socket and con‐
530 tained in the error packet are passed as control messages. The
531 payload of the packet causing the error is returned as normal
532 payload. Note that TCP has no error queue; MSG_ERRQUEUE is not
533 permitted on SOCK_STREAM sockets. IP_RECVERR is valid for TCP,
534 but all errors are returned by socket function return or SO_ER‐
535 ROR only.
536 For raw sockets, IP_RECVERR enables passing of all received ICMP
538 errors to the application, otherwise errors are reported only on
539 connected sockets
540 It sets or retrieves an integer boolean flag. IP_RECVERR de‐
542 faults to off.
543 IP_RECVOPTS (since Linux 2.2)
545 Pass all incoming IP options to the user in a IP_OPTIONS control
546 message. The routing header and other options are already
547 filled in for the local host. Not supported for SOCK_STREAM
548 sockets.
549 IP_RECVORIGDSTADDR (since Linux 2.6.29)
551 This boolean option enables the IP_ORIGDSTADDR ancillary message
552 in recvmsg(2), in which the kernel returns the original destina‐
553 tion address of the datagram being received. The ancillary mes‐
554 sage contains a struct sockaddr_in.
555 IP_RECVTOS (since Linux 2.2)
557 If enabled, the IP_TOS ancillary message is passed with incoming
558 packets. It contains a byte which specifies the Type of Ser‐
559 vice/Precedence field of the packet header. Expects a boolean
560 integer flag.
561 IP_RECVTTL (since Linux 2.2)
563 When this flag is set, pass a IP_TTL control message with the
564 time-to-live field of the received packet as a 32 bit integer.
565 Not supported for SOCK_STREAM sockets.
566 IP_RETOPTS (since Linux 2.2)
568 Identical to IP_RECVOPTS, but returns raw unprocessed options
569 with timestamp and route record options not filled in for this
570 hop.
571 IP_ROUTER_ALERT (since Linux 2.2)
573 Pass all to-be forwarded packets with the IP Router Alert option
574 set to this socket. Valid only for raw sockets. This is use‐
575 ful, for instance, for user-space RSVP daemons. The tapped
576 packets are not forwarded by the kernel; it is the user's re‐
577 sponsibility to send them out again. Socket binding is ignored,
578 such packets are filtered only by protocol. Expects an integer
579 flag.
580 IP_TOS (since Linux 1.0)
582 Set or receive the Type-Of-Service (TOS) field that is sent with
583 every IP packet originating from this socket. It is used to
584 prioritize packets on the network. TOS is a byte. There are
585 some standard TOS flags defined: IPTOS_LOWDELAY to minimize de‐
586 lays for interactive traffic, IPTOS_THROUGHPUT to optimize
587 throughput, IPTOS_RELIABILITY to optimize for reliability, IP‐
588 TOS_MINCOST should be used for "filler data" where slow trans‐
589 mission doesn't matter. At most one of these TOS values can be
590 specified. Other bits are invalid and shall be cleared. Linux
591 sends IPTOS_LOWDELAY datagrams first by default, but the exact
592 behavior depends on the configured queueing discipline. Some
593 high-priority levels may require superuser privileges (the
594 CAP_NET_ADMIN capability).
595 IP_TRANSPARENT (since Linux 2.6.24)
597 Setting this boolean option enables transparent proxying on this
598 socket. This socket option allows the calling application to
599 bind to a nonlocal IP address and operate both as a client and a
600 server with the foreign address as the local endpoint. NOTE:
601 this requires that routing be set up in a way that packets going
602 to the foreign address are routed through the TProxy box (i.e.,
603 the system hosting the application that employs the IP_TRANSPAR‐
604 ENT socket option). Enabling this socket option requires supe‐
605 ruser privileges (the CAP_NET_ADMIN capability).
606 TProxy redirection with the iptables TPROXY target also requires
608 that this option be set on the redirected socket.
609 IP_TTL (since Linux 1.0)
611 Set or retrieve the current time-to-live field that is used in
612 every packet sent from this socket.
613 IP_UNBLOCK_SOURCE (since Linux 2.4.22 / 2.5.68)
615 Unblock previously blocked multicast source. Returns EADDRNO‐
616 TAVAIL when given source is not being blocked.
617 Argument is an ip_mreq_source structure as described under
619 IP_ADD_SOURCE_MEMBERSHIP.
620 SO_PEERSEC (since Linux 2.6.17)
622 If labeled IPSEC or NetLabel is configured on both the sending
623 and receiving hosts, this read-only socket option returns the
624 security context of the peer socket connected to this socket.
625 By default, this will be the same as the security context of the
626 process that created the peer socket unless overridden by the
627 policy or by a process with the required permissions.
628 The argument to getsockopt(2) is a pointer to a buffer of the
630 specified length in bytes into which the security context string
631 will be copied. If the buffer length is less than the length of
632 the security context string, then getsockopt(2) returns -1, sets
633 errno to ERANGE, and returns the required length via optlen.
634 The caller should allocate at least NAME_MAX bytes for the buf‐
635 fer initially, although this is not guaranteed to be sufficient.
636 Resizing the buffer to the returned length and retrying may be
637 necessary.
638 The security context string may include a terminating null char‐
640 acter in the returned length, but is not guaranteed to do so: a
641 security context "foo" might be represented as either
642 {'f','o','o'} of length 3 or {'f','o','o','\0'} of length 4,
643 which are considered to be interchangeable. The string is
644 printable, does not contain non-terminating null characters, and
645 is in an unspecified encoding (in particular, it is not guaran‐
646 teed to be ASCII or UTF-8).
647 The use of this option for sockets in the AF_INET address family
649 is supported since Linux 2.6.17 for TCP sockets, and since Linux
650 4.17 for SCTP sockets.
651 For SELinux, NetLabel conveys only the MLS portion of the secu‐
653 rity context of the peer across the wire, defaulting the rest of
654 the security context to the values defined in the policy for the
655 netmsg initial security identifier (SID). However, NetLabel can
656 be configured to pass full security contexts over loopback. La‐
657 beled IPSEC always passes full security contexts as part of es‐
658 tablishing the security association (SA) and looks them up based
659 on the association for each packet.
660 /proc interfaces
662 The IP protocol supports a set of /proc interfaces to configure some
663 global parameters. The parameters can be accessed by reading or writ‐
664 ing files in the directory /proc/sys/net/ipv4/. Interfaces described
665 as Boolean take an integer value, with a nonzero value ("true") meaning
666 that the corresponding option is enabled, and a zero value ("false")
667 meaning that the option is disabled.
668 ip_always_defrag (Boolean; since Linux 2.2.13)
670 [New with Linux 2.2.13; in earlier kernel versions this feature
671 was controlled at compile time by the CONFIG_IP_ALWAYS_DEFRAG
672 option; this option is not present in Linux 2.4.x and later]
673 When this boolean flag is enabled (not equal 0), incoming frag‐
675 ments (parts of IP packets that arose when some host between
676 origin and destination decided that the packets were too large
677 and cut them into pieces) will be reassembled (defragmented) be‐
678 fore being processed, even if they are about to be forwarded.
679 Enable only if running either a firewall that is the sole link
681 to your network or a transparent proxy; never ever use it for a
682 normal router or host. Otherwise, fragmented communication can
683 be disturbed if the fragments travel over different links. De‐
684 fragmentation also has a large memory and CPU time cost.
685 This is automagically turned on when masquerading or transparent
687 proxying are configured.
688 ip_autoconfig (since Linux 2.2 to Linux 2.6.17)
690 Not documented.
691 ip_default_ttl (integer; default: 64; since Linux 2.2)
693 Set the default time-to-live value of outgoing packets. This
694 can be changed per socket with the IP_TTL option.
695 ip_dynaddr (Boolean; default: disabled; since Linux 2.0.31)
697 Enable dynamic socket address and masquerading entry rewriting
698 on interface address change. This is useful for dialup inter‐
699 face with changing IP addresses. 0 means no rewriting, 1 turns
700 it on and 2 enables verbose mode.
701 ip_forward (Boolean; default: disabled; since Linux 1.2)
703 Enable IP forwarding with a boolean flag. IP forwarding can be
704 also set on a per-interface basis.
705 ip_local_port_range (since Linux 2.2)
707 This file contains two integers that define the default local
708 port range allocated to sockets that are not explicitly bound to
709 a port number—that is, the range used for ephemeral ports. An
710 ephemeral port is allocated to a socket in the following circum‐
711 stances:
712 • the port number in a socket address is specified as 0 when
714 calling bind(2);
715 • listen(2) is called on a stream socket that was not previ‐
717 ously bound;
718 • connect(2) was called on a socket that was not previously
720 bound;
721 • sendto(2) is called on a datagram socket that was not previ‐
723 ously bound.
724 Allocation of ephemeral ports starts with the first number in
726 ip_local_port_range and ends with the second number. If the
727 range of ephemeral ports is exhausted, then the relevant system
728 call returns an error (but see BUGS).
729 Note that the port range in ip_local_port_range should not con‐
731 flict with the ports used by masquerading (although the case is
732 handled). Also, arbitrary choices may cause problems with some
733 firewall packet filters that make assumptions about the local
734 ports in use. The first number should be at least greater than
735 1024, or better, greater than 4096, to avoid clashes with well
736 known ports and to minimize firewall problems.
737 ip_no_pmtu_disc (Boolean; default: disabled; since Linux 2.2)
739 If enabled, don't do Path MTU Discovery for TCP sockets by de‐
740 fault. Path MTU discovery may fail if misconfigured firewalls
741 (that drop all ICMP packets) or misconfigured interfaces (e.g.,
742 a point-to-point link where the both ends don't agree on the
743 MTU) are on the path. It is better to fix the broken routers on
744 the path than to turn off Path MTU Discovery globally, because
745 not doing it incurs a high cost to the network.
746 ip_nonlocal_bind (Boolean; default: disabled; since Linux 2.4)
748 If set, allows processes to bind(2) to nonlocal IP addresses,
749 which can be quite useful, but may break some applications.
750 ip6frag_time (integer; default: 30)
752 Time in seconds to keep an IPv6 fragment in memory.
753 ip6frag_secret_interval (integer; default: 600)
755 Regeneration interval (in seconds) of the hash secret (or life‐
756 time for the hash secret) for IPv6 fragments.
757 ipfrag_high_thresh (integer), ipfrag_low_thresh (integer)
759 If the amount of queued IP fragments reaches ipfrag_high_thresh,
760 the queue is pruned down to ipfrag_low_thresh. Contains an in‐
761 teger with the number of bytes.
762 neigh/*
764 See arp(7).
765 Ioctls
767 All ioctls described in socket(7) apply to ip.
768 Ioctls to configure generic device parameters are described in netde‐
770 vice(7).
771
773 EACCES The user tried to execute an operation without the necessary
774 permissions. These include: sending a packet to a broadcast ad‐
775 dress without having the SO_BROADCAST flag set; sending a packet
776 via a prohibit route; modifying firewall settings without supe‐
777 ruser privileges (the CAP_NET_ADMIN capability); binding to a
778 privileged port without superuser privileges (the
779 CAP_NET_BIND_SERVICE capability).
780 EADDRINUSE
782 Tried to bind to an address already in use.
783 EADDRNOTAVAIL
785 A nonexistent interface was requested or the requested source
786 address was not local.
787 EAGAIN Operation on a nonblocking socket would block.
789 EALREADY
791 A connection operation on a nonblocking socket is already in
792 progress.
793 ECONNABORTED
795 A connection was closed during an accept(2).
796 EHOSTUNREACH
798 No valid routing table entry matches the destination address.
799 This error can be caused by an ICMP message from a remote router
800 or for the local routing table.
801 EINVAL Invalid argument passed. For send operations this can be caused
803 by sending to a blackhole route.
804 EISCONN
806 connect(2) was called on an already connected socket.
807 EMSGSIZE
809 Datagram is bigger than an MTU on the path and it cannot be
810 fragmented.
811 ENOBUFS, ENOMEM
813 Not enough free memory. This often means that the memory allo‐
814 cation is limited by the socket buffer limits, not by the system
815 memory, but this is not 100% consistent.
816 ENOENT SIOCGSTAMP was called on a socket where no packet arrived.
818 ENOPKG A kernel subsystem was not configured.
820 ENOPROTOOPT and EOPNOTSUPP
822 Invalid socket option passed.
823 ENOTCONN
825 The operation is defined only on a connected socket, but the
826 socket wasn't connected.
827 EPERM User doesn't have permission to set high priority, change con‐
829 figuration, or send signals to the requested process or group.
830 EPIPE The connection was unexpectedly closed or shut down by the other
832 end.
833 ESOCKTNOSUPPORT
835 The socket is not configured or an unknown socket type was re‐
836 quested.
837 Other errors may be generated by the overlaying protocols; see tcp(7),
839 raw(7), udp(7), and socket(7).
840
842 IP_FREEBIND, IP_MSFILTER, IP_MTU, IP_MTU_DISCOVER, IP_RECVORIGDSTADDR,
843 IP_PASSSEC, IP_PKTINFO, IP_RECVERR, IP_ROUTER_ALERT, and IP_TRANSPARENT
844 are Linux-specific.
845 Be very careful with the SO_BROADCAST option - it is not privileged in
847 Linux. It is easy to overload the network with careless broadcasts.
848 For new application protocols it is better to use a multicast group in‐
849 stead of broadcasting. Broadcasting is discouraged. See RFC 6762 for
850 an example of a protocol (mDNS) using the more modern multicast ap‐
851 proach to communicating with an open-ended group of hosts on the local
852 network.
853 Some other BSD sockets implementations provide IP_RCVDSTADDR and
855 IP_RECVIF socket options to get the destination address and the inter‐
856 face of received datagrams. Linux has the more general IP_PKTINFO for
857 the same task.
858 Some BSD sockets implementations also provide an IP_RECVTTL option, but
860 an ancillary message with type IP_RECVTTL is passed with the incoming
861 packet. This is different from the IP_TTL option used in Linux.
862 Using the SOL_IP socket options level isn't portable; BSD-based stacks
864 use the IPPROTO_IP level.
865 INADDR_ANY (0.0.0.0) and INADDR_BROADCAST (255.255.255.255) are byte-
867 order-neutral. This means htonl(3) has no effect on them.
868 Compatibility
870 For compatibility with Linux 2.0, the obsolete socket(AF_INET,
871 SOCK_PACKET, protocol) syntax is still supported to open a packet(7)
872 socket. This is deprecated and should be replaced by socket(AF_PACKET,
873 SOCK_RAW, protocol) instead. The main difference is the new sock‐
874 addr_ll address structure for generic link layer information instead of
875 the old sockaddr_pkt.
876
878 There are too many inconsistent error values.
879 The error used to diagnose exhaustion of the ephemeral port range dif‐
881 fers across the various system calls (connect(2), bind(2), listen(2),
882 sendto(2)) that can assign ephemeral ports.
883 The ioctls to configure IP-specific interface options and ARP tables
885 are not described.
886 Receiving the original destination address with MSG_ERRQUEUE in
888 msg_name by recvmsg(2) does not work in some Linux 2.2 kernels.
889
891 recvmsg(2), sendmsg(2), byteorder(3), capabilities(7), icmp(7),
892 ipv6(7), netdevice(7), netlink(7), raw(7), socket(7), tcp(7), udp(7),
893 ip(8)
894 The kernel source file Documentation/networking/ip-sysctl.txt.
896 RFC 791 for the original IP specification. RFC 1122 for the IPv4 host
898 requirements. RFC 1812 for the IPv4 router requirements.
899Linux man-pages 6.05 2023-07-15 ip(7)