Linux kernel settings can be read using sysctl and written using sysctl -w. They can be made permanent (configured on boot) by adding an entry to /etc/sysctl.conf.

For a Linux host to operate as an IP router, IP forwarding must be enabled:

/etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
By default a Linux host operates as an IPv4/IPv6 dual-stack node (see RFC 4038, section 4.2, "IPv6 Applications in a Dual-Stack Node"). This means that when flockd binds to an IPv6 socket, IPv4 requests will also be serviced. To restrict IPv6 sockets to servicing only IPv6 requests, the IPV6_V6ONLY socket option needs to be set; the following sysctl makes that the default for all IPv6 sockets:

/etc/sysctl.conf
    net.ipv6.bindv6only = 1
Some protocols (most notably BGPv4) and the Operation API rely on a TCP transport. The Linux kernel has two parameters that control how many TCP connections can be formed simultaneously.

tcp_max_syn_backlog: maximum number of TCP connections waiting for the final ACK of the TCP three-way handshake.

flock@flocknet:/proc/sys/net/ipv4$ cat tcp_max_syn_backlog
256

somaxconn: maximum number of TCP connections that have completed the TCP three-way handshake and are waiting for accept() to be called.

flock@flocknet:/proc/sys/net$ sudo cat core/somaxconn
128
If these limits are exceeded the Linux kernel decides it is under a SYN DoS attack and will prevent further connections. Under these conditions the kernel logs this message:

"TCP: request_sock_TCP: Possible SYN flooding on port 179. Sending cookies."

In a production network it is very unlikely these limits will be reached (unless the router is under a SYN DoS attack). Even with thousands of BGP neighbors it is unlikely that there will be more than 128 TCP connections waiting to be accepted. However, in the lab using a traffic generator this limit can be hit.
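Because the same message appears whether the cause is a lab traffic generator or a real SYN flood, it is worth watching for it on a router. The following shell snippet is an added example, not part of the Flock Networks documentation: it runs over a few constructed kernel log lines, extracts the port from each "Possible SYN flooding" message and counts how often each port was flagged, so that a hit on the BGP port (179) stands out from noise on other ports. The function names and the sample log are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Flock Networks documentation. SAMPLE_KERNEL_LOG
# is constructed for this example in the usual syslog/kernel line format.
SAMPLE_KERNEL_LOG='Jan 10 09:00:01 flocknet kernel: [ 4521.101] TCP: request_sock_TCP: Possible SYN flooding on port 179. Sending cookies.
Jan 10 09:00:02 flocknet kernel: [ 4522.204] eth0: link up
Jan 10 09:00:07 flocknet kernel: [ 4527.311] TCP: request_sock_TCP: Possible SYN flooding on port 179. Sending cookies.
Jan 10 09:00:09 flocknet kernel: [ 4529.412] TCP: request_sock_TCP: Possible SYN flooding on port 22. Sending cookies.'

# syn_flood_ports: read log text on stdin and print "port count" lines,
# one per TCP port that the kernel reported SYN flooding on, sorted by port.
syn_flood_ports() {
    sed -n 's/.*Possible SYN flooding on port \([0-9][0-9]*\)\..*/\1/p' \
        | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# flagged_port: read the "port count" summary on stdin; exit 0 if the port
# given as $1 appears in it, 1 otherwise.
flagged_port() {
    awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Usage: summarise the sample and call out the BGP port if it was flagged.
printf '%s\n' "$SAMPLE_KERNEL_LOG" | syn_flood_ports
if printf '%s\n' "$SAMPLE_KERNEL_LOG" | syn_flood_ports | flagged_port 179; then
    echo "BGP port 179 was flagged: check backlog limits or for an attack"
fi
```

On a live router the same pipeline reads the kernel log instead of the sample, for example by feeding the output of dmesg into syn_flood_ports.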
By default the Flock Networks Routing Suite is configured to handle up to 1024 simultaneous BGPv4 TCP connections. To reach this scale the Linux kernel defaults need to be updated to match:

/etc/sysctl.conf
    net.ipv4.tcp_max_syn_backlog=1024
    net.core.somaxconn=1024
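A host that is missing any of the sysctl entries on this page (forwarding, bindv6only, or the enlarged backlogs) will fail quietly: routing stops or BGP sessions are dropped only under load. The following shell script is an added example, not part of the Flock Networks documentation: it parses sysctl.conf-style text (or the output of sysctl -a), compares it with the values this page asks for, and reports each key as OK, MISSING or WRONG. The required list, the sample input and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Flock Networks documentation: audit sysctl
# settings against the values this page configures. FLOCKD_REQUIRED and
# SAMPLE_DEFAULTS are constructed for the example.

# Key/value pairs this page adds to /etc/sysctl.conf.
FLOCKD_REQUIRED='net.ipv4.ip_forward 1
net.ipv6.conf.all.forwarding 1
net.ipv6.bindv6only 1
net.ipv4.tcp_max_syn_backlog 1024
net.core.somaxconn 1024'

# Constructed sample: a host still on the kernel defaults shown above.
SAMPLE_DEFAULTS='# sysctl.conf on a fresh host
net.ipv4.ip_forward = 0
net.ipv4.tcp_max_syn_backlog=256
net.core.somaxconn = 128'

# normalize_sysctl: turn sysctl.conf text (or "sysctl -a" output) on stdin
# into "key value" lines: strip comments, blank lines and the "=" separator.
normalize_sysctl() {
    sed -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# check_sysctl_text: compare the sysctl text in $1 with FLOCKD_REQUIRED.
# Prints one OK / MISSING / WRONG line per required key and returns 0 only
# when every key is present with the required value. As with sysctl itself,
# the last assignment of a key wins (single-token values only).
check_sysctl_text() {
    actual=$(printf '%s\n' "$1" | normalize_sysctl)
    failures=0
    # The here-document (rather than a pipe) keeps $failures in this shell.
    while read -r key want; do
        have=$(printf '%s\n' "$actual" |
            awk -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key have $have want $want"
            failures=$((failures + 1))
        else
            echo "OK      $key $want"
        fi
    done <<EOF
$FLOCKD_REQUIRED
EOF
    [ "$failures" -eq 0 ]
}

# check_live_host: the same audit against the running kernel (needs sysctl).
check_live_host() {
    check_sysctl_text "$(sysctl -e -a 2>/dev/null)"
}

# Usage: audit the constructed sample; on a router call check_live_host.
if check_sysctl_text "$SAMPLE_DEFAULTS"; then
    echo "all flockd sysctl settings present"
else
    echo "some settings need updating before flockd runs at scale"
fi
```

Running check_live_host after editing /etc/sysctl.conf and applying it (sysctl -p) confirms that the values in the file actually reached the kernel, which is the step most often skipped.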