Linux Kernel Settings

IP forwarding

For a Linux host to operate as an IP Router, IP forwarding must be enabled.

View IP Forwarding state

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

Turn on IP Forwarding

# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Turn on IP forwarding permanently / on system boot

# nano /etc/sysctl.conf
net.ipv4.ip_forward = 1

BGP / TCP Termination at scale

Some protocols (most notably BGPv4) and the Operation API rely on a TCP transport. The Linux kernel has two parameters to control how many TCP connections can simultaneously be formed.

tcp_max_syn_backlog: Max TCP connections waiting for final ACK (of the TCP three way handshake)

flock@flocknet:/proc/sys/net/ipv4$ cat tcp_max_syn_backlog

somaxconn: Max TCP connections with completed TCP three way handshake waiting for accept() to be called.

flock@flocknet:/proc/sys/net$ sudo cat core/somaxconn

If these limits are exceeded the Linux kernel decides it is under a SYN DoS attack and will prevent further connections. Under these conditions this message is logged in /var/log/messages

"TCP: request_sock_TCP: Possible SYN flooding on port 179. Sending cookies."

In a production network it is very unlikely these limits will be reached (unless the router is under a SYN DoS attack). Even with 1000's of BGP neighbors it is unlikely that there will be greater than 128 TCP connections waiting to be accepted. However in the lab using a traffic generator this limit can be hit.

By default the Flock Networks Routing Suite is configured to be able to handle up to 1024 simultaneous BGPv4 TCP connections. To reach this scale the Linux kernel defaults need to be updated to match.

flock@flocknet:~$ sudo sysctl -w net.ipv4.tcp_max_syn_backlog=1024
flock@flocknet:~$ sudo sysctl -w net.core.somaxconn=1024