man*/: Improve timestamp documentation

[man-pages.git] / man7 / ip.7

'\" t
.\" SPDX-License-Identifier: Linux-man-pages-1-para
.\"
.\" This man page is Copyright (C) 1999 Andi Kleen <ak@muc.de>.
.\"
.\" $Id: ip.7,v 1.19 2000/12/20 18:10:31 ak Exp $
.\"
.\" FIXME The following socket options are yet to be documented
.\"
.\"     IP_XFRM_POLICY (2.5.48)
.\"         Needs CAP_NET_ADMIN
.\"
.\"     IP_IPSEC_POLICY (2.5.47)
.\"         Needs CAP_NET_ADMIN
.\"
.\"     IP_MINTTL (2.6.34)
.\"         commit d218d11133d888f9745802146a50255a4781d37a
.\"         Author: Stephen Hemminger <shemminger@vyatta.com>
.\"
.\"     MCAST_JOIN_GROUP (2.4.22 / 2.6)
.\"
.\"     MCAST_BLOCK_SOURCE (2.4.22 / 2.6)
.\"
.\"     MCAST_UNBLOCK_SOURCE (2.4.22 / 2.6)
.\"
.\"     MCAST_LEAVE_GROUP (2.4.22 / 2.6)
.\"
.\"     MCAST_JOIN_SOURCE_GROUP (2.4.22 / 2.6)
.\"
.\"     MCAST_LEAVE_SOURCE_GROUP (2.4.22 / 2.6)
.\"
.\"     MCAST_MSFILTER (2.4.22 / 2.6)
.\"
.\"     IP_UNICAST_IF (3.4)
.\"         commit 76e21053b5bf33a07c76f99d27a74238310e3c71
.\"         Author: Erich E. Hoover <ehoover@mines.edu>
.\"
.TH ip 7 (date) "Linux man-pages (unreleased)"
.SH NAME
ip \- Linux IPv4 protocol implementation
.SH SYNOPSIS
.nf
.B #include <sys/socket.h>
.\" .B #include <net/netinet.h> -- does not exist anymore
.\" .B #include <linux/errqueue.h> -- never include <linux/foo.h>
.B #include <netinet/in.h>
.B #include <netinet/ip.h>        \fR/* superset of previous */
.P
.IB tcp_socket " = socket(AF_INET, SOCK_STREAM, 0);"
.IB udp_socket " = socket(AF_INET, SOCK_DGRAM, 0);"
.IB raw_socket " = socket(AF_INET, SOCK_RAW, " protocol ");"
.fi
.SH DESCRIPTION
Linux implements the Internet Protocol, version 4,
described in RFC\ 791 and RFC\ 1122.
.B ip
contains a level 2 multicasting implementation conforming to RFC\ 1112.
It also contains an IP router including a packet filter.
.P
The programming interface is BSD-sockets compatible.
For more information on sockets, see
.BR socket (7).
.P
An IP socket is created using
.BR socket (2):
.P
.in +4n
.EX
socket(AF_INET, socket_type, protocol);
.EE
.in
.P
Valid socket types include
.B SOCK_STREAM
to open a stream socket,
.B SOCK_DGRAM
to open a datagram socket, and
.B SOCK_RAW
to open a
.BR raw (7)
socket to access the IP protocol directly.
.P
.I protocol
is the IP protocol in the IP header to be received or sent.
Valid values for
.I protocol
include:
.IP \[bu] 3
0 and
.B IPPROTO_TCP
for
.BR tcp (7)
stream sockets;
.IP \[bu]
0 and
.B IPPROTO_UDP
for
.BR udp (7)
datagram sockets;
.IP \[bu]
.B IPPROTO_SCTP
for
.BR sctp (7)
stream sockets; and
.IP \[bu]
.B IPPROTO_UDPLITE
for
.BR udplite (7)
datagram sockets.
.P
For
.B SOCK_RAW
you may specify a valid IANA IP protocol defined in
RFC\ 1700 assigned numbers.
.P
When a process wants to receive new incoming packets or connections, it
should bind a socket to a local interface address using
.BR bind (2).
In this case, only one IP socket may be bound to any given local
(address, port) pair.
When
.B INADDR_ANY
is specified in the bind call, the socket will be bound to
.I all
local interfaces.
When
.BR listen (2)
is called on an unbound socket, the socket is automatically bound
to a random free port with the local address set to
.BR INADDR_ANY .
When
.BR connect (2)
is called on an unbound socket, the socket is automatically bound
to a random free port or to a usable shared port with the local address
set to
.BR INADDR_ANY .
.P
A TCP local socket address that has been bound is unavailable for
some time after closing, unless the
.B SO_REUSEADDR
flag has been set.
Care should be taken when using this flag as it makes TCP less reliable.
.SS Address format
An IP socket address is defined as a combination of an IP interface
address and a 16-bit port number.
The basic IP protocol does not supply port numbers, they
are implemented by higher level protocols like
.BR udp (7)
and
.BR tcp (7).
On raw sockets
.I sin_port
is set to the IP protocol.
.P
.in +4n
.EX
struct sockaddr_in {
    sa_family_t    sin_family; /* address family: AF_INET */
    in_port_t      sin_port;   /* port in network byte order */
    struct in_addr sin_addr;   /* internet address */
};
\&
/* Internet address */
struct in_addr {
    uint32_t       s_addr;     /* address in network byte order */
};
.EE
.in
.P
.I sin_family
is always set to
.BR AF_INET .
This is required; in Linux 2.2 most networking functions return
.B EINVAL
when this setting is missing.
.I sin_port
contains the port in network byte order.
The port numbers below 1024 are called
.I privileged ports
(or sometimes:
.IR "reserved ports" ).
Only a privileged process
(on Linux: a process that has the
.B CAP_NET_BIND_SERVICE
capability in the user namespace governing its network namespace) may
.BR bind (2)
to these sockets.
Note that the raw IPv4 protocol as such has no concept of a
port, they are implemented only by higher protocols like
.BR tcp (7)
and
.BR udp (7).
.P
.I sin_addr
is the IP host address.
The
.I s_addr
member of
.I struct in_addr
contains the host interface address in network byte order.
.I in_addr
should be assigned one of the
.B INADDR_*
values
(e.g.,
.BR INADDR_LOOPBACK )
using
.BR htonl (3)
or set using the
.BR inet_aton (3),
.BR inet_addr (3),
.BR inet_makeaddr (3)
library functions or directly with the name resolver (see
.BR gethostbyname (3)).
.P
IPv4 addresses are divided into unicast, broadcast,
and multicast addresses.
Unicast addresses specify a single interface of a host,
broadcast addresses specify all hosts on a network, and multicast
addresses address all hosts in a multicast group.
Datagrams to broadcast addresses can be sent or received only when the
.B SO_BROADCAST
socket flag is set.
In the current implementation, connection-oriented sockets are allowed
to use only unicast addresses.
.\" Leave a loophole for XTP @)
.P
Note that the address and the port are always stored in
network byte order.
In particular, this means that you need to call
.BR htons (3)
on the number that is assigned to a port.
All address/port manipulation
functions in the standard library work in network byte order.
.SS Special and reserved addresses
There are several special addresses:
.TP
.BR INADDR_LOOPBACK " (127.0.0.1)"
always refers to the local host via the loopback device;
.TP
.BR INADDR_ANY " (0.0.0.0)"
means any address for socket binding;
.TP
.BR INADDR_BROADCAST " (255.255.255.255)"
has the same effect on
.BR bind (2)
as
.B INADDR_ANY
for historical reasons.
A packet addressed to
.B INADDR_BROADCAST
through a socket which has
.B SO_BROADCAST
set will be broadcast to all hosts on the local network segment,
as long as the link is broadcast-capable.
.TP
Highest-numbered address
.TQ
Lowest-numbered address
On any locally-attached non-point-to-point IP subnet
with a link type that supports broadcasts,
the highest-numbered address
(e.g., the .255 address on a subnet with netmask 255.255.255.0)
is designated as a broadcast address.
It cannot usefully be assigned to an individual interface,
and can only be addressed with a socket on which the
.B SO_BROADCAST
option has been set.
Internet standards have historically
also reserved the lowest-numbered address
(e.g., the .0 address on a subnet with netmask 255.255.255.0)
for broadcast, though they call it "obsolete" for this purpose.
(Some sources also refer to this as the "network address.")
Since Linux 5.14,
.\" commit 58fee5fc83658aaacf60246aeab738946a9ba516
it is treated as an ordinary unicast address
and can be assigned to an interface.
.P
Internet standards have traditionally also reserved various addresses
for particular uses, though Linux no longer treats
some of these specially.
.TP
[0.0.0.1, 0.255.255.255]
.TQ
[240.0.0.0, 255.255.255.254]
Addresses in these ranges (0/8 and 240/4) are reserved globally.
Since Linux 5.3
.\" commit 96125bf9985a75db00496dd2bc9249b777d2b19b
and Linux 2.6.25,
.\" commit 1e637c74b0f84eaca02b914c0b8c6f67276e9697
respectively,
the 0/8 and 240/4 addresses, other than
.B INADDR_ANY
and
.BR INADDR_BROADCAST ,
are treated as ordinary unicast addresses.
Systems that follow the traditional behaviors may not
interoperate with these historically reserved addresses.
.TP
[127.0.0.1, 127.255.255.254]
Addresses in this range (127/8) are treated as loopback addresses
akin to the standardized local loopback address
.B INADDR_LOOPBACK
(127.0.0.1);
.TP
[224.0.0.0, 239.255.255.255]
Addresses in this range (224/4) are dedicated to multicast use.
.SS Socket options
IP supports some protocol-specific socket options that can be set with
.BR setsockopt (2)
and read with
.BR getsockopt (2).
The socket option level for IP is
.BR IPPROTO_IP .
.\" or SOL_IP on Linux
A boolean integer flag is zero when it is false, otherwise true.
.P
When an invalid socket option is specified,
.BR getsockopt (2)
and
.BR setsockopt (2)
fail with the error
.BR ENOPROTOOPT .
.TP
.BR IP_ADD_MEMBERSHIP " (since Linux 1.2)"
Join a multicast group.
Argument is an
.I ip_mreqn
structure.
.IP
.in +4n
.EX
struct ip_mreqn {
    struct in_addr imr_multiaddr; /* IP multicast group
                                     address */
    struct in_addr imr_address;   /* IP address of local
                                     interface */
    int            imr_ifindex;   /* interface index */
};
.EE
.in
.IP
.I imr_multiaddr
contains the address of the multicast group the application
wants to join or leave.
It must be a valid multicast address
.\" (i.e., within the 224.0.0.0-239.255.255.255 range)
(or
.BR setsockopt (2)
fails with the error
.BR EINVAL ).
.I imr_address
is the address of the local interface with which the system
should join the multicast group; if it is equal to
.BR INADDR_ANY ,
an appropriate interface is chosen by the system.
.I imr_ifindex
is the interface index of the interface that should join/leave the
.I imr_multiaddr
group, or 0 to indicate any interface.
.IP
The
.I ip_mreqn
structure is available only since Linux 2.2.
For compatibility, the old
.I ip_mreq
structure (present since Linux 1.2) is still supported;
it differs from
.I ip_mreqn
only by not including the
.I imr_ifindex
field.
(The kernel determines which structure is being passed based
on the size passed in
.IR optlen .)
.IP
.B IP_ADD_MEMBERSHIP
is valid only for
.BR setsockopt (2).
.\"
.TP
.BR IP_ADD_SOURCE_MEMBERSHIP " (since Linux 2.4.22 / Linux 2.5.68)"
Join a multicast group and allow receiving data only
from a specified source.
Argument is an
.I ip_mreq_source
structure.
.IP
.in +4n
.EX
struct ip_mreq_source {
    struct in_addr imr_multiaddr;  /* IP multicast group
                                      address */
    struct in_addr imr_interface;  /* IP address of local
                                      interface */
    struct in_addr imr_sourceaddr; /* IP address of
                                      multicast source */
};
.EE
.in
.IP
The
.I ip_mreq_source
structure is similar to
.I ip_mreqn
described under
.BR IP_ADD_MEMBERSHIP .
The
.I imr_multiaddr
field contains the address of the multicast group the application
wants to join or leave.
The
.I imr_interface
field is the address of the local interface with which
the system should join the multicast group.
Finally, the
.I imr_sourceaddr
field contains the address of the source the
application wants to receive data from.
.IP
This option can be used multiple times to allow
receiving data from more than one source.
.TP
.BR IP_BIND_ADDRESS_NO_PORT " (since Linux 4.2)"
.\" commit 90c337da1524863838658078ec34241f45d8394d
Inform the kernel to not reserve an ephemeral port when using
.BR bind (2)
with a port number of 0.
The port will later be automatically chosen at
.BR connect (2)
time,
in a way that allows sharing a source port as long as the 4-tuple is unique.
.TP
.BR IP_BLOCK_SOURCE " (since Linux 2.4.22 / 2.5.68)"
Stop receiving multicast data from a specific source in a given group.
This is valid only after the application has subscribed
to the multicast group using either
.B IP_ADD_MEMBERSHIP
or
.BR IP_ADD_SOURCE_MEMBERSHIP .
.IP
Argument is an
.I ip_mreq_source
structure as described under
.BR IP_ADD_SOURCE_MEMBERSHIP .
.TP
.BR IP_DROP_MEMBERSHIP " (since Linux 1.2)"
Leave a multicast group.
Argument is an
.I ip_mreqn
or
.I ip_mreq
structure similar to
.BR IP_ADD_MEMBERSHIP .
.TP
.BR IP_DROP_SOURCE_MEMBERSHIP " (since Linux 2.4.22 / 2.5.68)"
Leave a source-specific group\[em]that is, stop receiving data from
a given multicast group that come from a given source.
If the application has subscribed to multiple sources within
the same group, data from the remaining sources will still be delivered.
To stop receiving data from all sources at once, use
.BR IP_DROP_MEMBERSHIP .
.IP
Argument is an
.I ip_mreq_source
structure as described under
.BR IP_ADD_SOURCE_MEMBERSHIP .
.TP
.BR IP_FREEBIND " (since Linux 2.4)"
.\" Precisely: since Linux 2.4.0-test10
If enabled, this boolean option allows binding to an IP address
that is nonlocal or does not (yet) exist.
This permits listening on a socket,
without requiring the underlying network interface or the
specified dynamic IP address to be up at the time that
the application is trying to bind to it.
This option is the per-socket equivalent of the
.I ip_nonlocal_bind
.I /proc
interface described below.
.TP
.BR IP_HDRINCL " (since Linux 2.0)"
If enabled,
the user supplies an IP header in front of the user data.
Valid only for
.B SOCK_RAW
sockets; see
.BR raw (7)
for more information.
When this flag is enabled, the values set by
.BR IP_OPTIONS ,
.BR IP_TTL ,
and
.B IP_TOS
are ignored.
.TP
.BR IP_LOCAL_PORT_RANGE " (since Linux 6.3)"
Set or get the per-socket default local port range.
This option can be used to clamp down the global local port range,
defined by the
.I ip_local_port_range
.I /proc
interface described below, for a given socket.
.IP
The option takes an
.I uint32_t
value with
the high 16 bits set to the upper range bound,
and the low 16 bits set to the lower range bound.
Range bounds are inclusive.
The 16-bit values should be in host byte order.
.IP
The lower bound has to be less than the upper bound
when both bounds are not zero.
Otherwise, setting the option fails with EINVAL.
.IP
If either bound is outside of the global local port range, or is zero,
then that bound has no effect.
.IP
To reset the setting,
pass zero as both the upper and the lower bound.
.TP
.BR IP_MSFILTER " (since Linux 2.4.22 / 2.5.68)"
This option provides access to the advanced full-state filtering API.
Argument is an
.I ip_msfilter
structure.
.IP
.in +4n
.EX
struct ip_msfilter {
    struct in_addr imsf_multiaddr; /* IP multicast group
                                      address */
    struct in_addr imsf_interface; /* IP address of local
                                      interface */
    uint32_t       imsf_fmode;     /* Filter\-mode */
\&
    uint32_t       imsf_numsrc;    /* Number of sources in
                                      the following array */
    struct in_addr imsf_slist[1];  /* Array of source
                                      addresses */
};
.EE
.in
.IP
There are two macros,
.B MCAST_INCLUDE
and
.BR MCAST_EXCLUDE ,
which can be used to specify the filtering mode.
Additionally, the
.BR IP_MSFILTER_SIZE (n)
macro exists to determine how much memory is needed to store
.I ip_msfilter
structure with
.I n
sources in the source list.
.IP
For the full description of multicast source filtering
refer to RFC 3376.
.TP
.BR IP_MTU " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.124
Retrieve the current known path MTU of the current socket.
Returns an integer.
.IP
.B IP_MTU
is valid only for
.BR getsockopt (2)
and can be employed only when the socket has been connected.
.TP
.BR IP_MTU_DISCOVER " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.124
Set or receive the Path MTU Discovery setting for a socket.
When enabled, Linux will perform Path MTU Discovery
as defined in RFC\ 1191 on
.B SOCK_STREAM
sockets.
For
.RB non- SOCK_STREAM
sockets,
.B IP_PMTUDISC_DO
forces the don't-fragment flag to be set on all outgoing packets.
It is the user's responsibility to packetize the data
in MTU-sized chunks and to do the retransmits if necessary.
The kernel will reject (with
.BR EMSGSIZE )
datagrams that are bigger than the known path MTU.
.B IP_PMTUDISC_WANT
will fragment a datagram if needed according to the path MTU,
or will set the don't-fragment flag otherwise.
.IP
The system-wide default can be toggled between
.B IP_PMTUDISC_WANT
and
.B IP_PMTUDISC_DONT
by writing (respectively, zero and nonzero values) to the
.I /proc/sys/net/ipv4/ip_no_pmtu_disc
file.
.TS
tab(:);
c l
l l.
Path MTU discovery value:Meaning
IP_PMTUDISC_WANT:Use per-route settings.
IP_PMTUDISC_DONT:Never do Path MTU Discovery.
IP_PMTUDISC_DO:Always do Path MTU Discovery.
IP_PMTUDISC_PROBE:Set DF but ignore Path MTU.
.TE
.IP
When PMTU discovery is enabled, the kernel automatically keeps track of
the path MTU per destination host.
When it is connected to a specific peer with
.BR connect (2),
the currently known path MTU can be retrieved conveniently using the
.B IP_MTU
socket option (e.g., after an
.B EMSGSIZE
error occurred).
The path MTU may change over time.
For connectionless sockets with many destinations,
the new MTU for a given destination can also be accessed using the
error queue (see
.BR IP_RECVERR ).
A new error will be queued for every incoming MTU update.
.IP
While MTU discovery is in progress, initial packets from datagram sockets
may be dropped.
Applications using UDP should be aware of this and not
take it into account for their packet retransmit strategy.
.IP
To bootstrap the path MTU discovery process on unconnected sockets, it
is possible to start with a big datagram size
(headers up to 64 kilobytes long) and let it shrink by updates of the path MTU.
.IP
To get an initial estimate of the
path MTU, connect a datagram socket to the destination address using
.BR connect (2)
and retrieve the MTU by calling
.BR getsockopt (2)
with the
.B IP_MTU
option.
.IP
It is possible to implement RFC 4821 MTU probing with
.B SOCK_DGRAM
or
.B SOCK_RAW
sockets by setting a value of
.B IP_PMTUDISC_PROBE
(available since Linux 2.6.22).
This is also particularly useful for diagnostic tools such as
.BR tracepath (8)
that wish to deliberately send probe packets larger than
the observed Path MTU.
.TP
.BR IP_MULTICAST_ALL " (since Linux 2.6.31)"
This option can be used to modify the delivery policy of multicast messages.
The argument is a boolean integer (defaults to 1).
If set to 1,
the socket will receive messages from all the groups that have been joined
globally on the whole system.
Otherwise, it will deliver messages only from
the groups that have been explicitly joined (for example via the
.B IP_ADD_MEMBERSHIP
option) on this particular socket.
.TP
.BR IP_MULTICAST_IF " (since Linux 1.2)"
Set the local device for a multicast socket.
The argument for
.BR setsockopt (2)
is an
.I ip_mreqn
or
.\" net: IP_MULTICAST_IF setsockopt now recognizes struct mreq
.\" Commit: 3a084ddb4bf299a6e898a9a07c89f3917f0713f7
(since Linux 3.5)
.I ip_mreq
structure similar to
.BR IP_ADD_MEMBERSHIP ,
or an
.I in_addr
structure.
(The kernel determines which structure is being passed based
on the size passed in
.IR optlen .)
For
.BR getsockopt (2),
the argument is an
.I in_addr
structure.
.TP
.BR IP_MULTICAST_LOOP " (since Linux 1.2)"
Set or read a boolean integer argument that determines whether
sent multicast packets should be looped back to the local sockets.
.TP
.BR IP_MULTICAST_TTL " (since Linux 1.2)"
Set or read the time-to-live value of outgoing multicast packets for this
socket.
It is very important for multicast packets to set the smallest TTL possible.
The default is 1 which means that multicast packets don't leave the local
network unless the user program explicitly requests it.
Argument is an integer.
.TP
.BR IP_NODEFRAG " (since Linux 2.6.36)"
If enabled (argument is nonzero),
the reassembly of outgoing packets is disabled in the netfilter layer.
The argument is an integer.
.IP
This option is valid only for
.B SOCK_RAW
sockets.
.TP
.BR IP_OPTIONS " (since Linux 2.0)"
.\" Precisely: since Linux 1.3.30
Set or get the IP options to be sent with every packet from this socket.
The arguments are a pointer to a memory buffer containing the options
and the option length.
The
.BR setsockopt (2)
call sets the IP options associated with a socket.
The maximum option size for IPv4 is 40 bytes.
See RFC\ 791 for the allowed options.
When the initial connection request packet for a
.B SOCK_STREAM
socket contains IP options, the IP options will be set automatically
to the options from the initial packet with routing headers reversed.
Incoming packets are not allowed to change options after the connection
is established.
The processing of all incoming source routing options
is disabled by default and can be enabled by using the
.I accept_source_route
.I /proc
interface.
Other options like timestamps are still handled.
For datagram sockets, IP options can be set only by the local user.
Calling
.BR getsockopt (2)
with
.B IP_OPTIONS
puts the current IP options used for sending into the supplied buffer.
.TP
.BR IP_PASSSEC " (since Linux 2.6.17)"
.\" commit 2c7946a7bf45ae86736ab3b43d0085e43947945c
If labeled IPSEC or NetLabel is configured on the sending and receiving
hosts, this option enables receiving of the security context of the peer
socket in an ancillary message of type
.B SCM_SECURITY
retrieved using
.BR recvmsg (2).
This option is supported only for UDP sockets; for TCP or SCTP sockets,
see the description of the
.B SO_PEERSEC
option below.
.IP
The value given as an argument to
.BR setsockopt (2)
and returned as the result of
.BR getsockopt (2)
is an integer boolean flag.
.IP
The security context returned in the
.B SCM_SECURITY
ancillary message
is of the same format as the one described under the
.B SO_PEERSEC
option below.
.IP
Note: the reuse of the
.B SCM_SECURITY
message type for the
.B IP_PASSSEC
socket option was likely a mistake, since other IP control messages use
their own numbering scheme in the IP namespace and often use the
socket option value as the message type.
There is no conflict currently since the IP option with the same value as
.B SCM_SECURITY
is
.B IP_HDRINCL
and this is never used for a control message type.
.TP
.BR IP_PKTINFO " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.68
Pass an
.B IP_PKTINFO
ancillary message that contains a
.I pktinfo
structure that supplies some information about the incoming packet.
This works only for datagram oriented sockets.
The argument is a flag that tells the socket whether the
.B IP_PKTINFO
message should be passed or not.
The message itself can be sent/retrieved
only as a control message with a packet using
.BR recvmsg (2)
or
.BR sendmsg (2).
.IP
.in +4n
.EX
struct in_pktinfo {
    unsigned int   ipi_ifindex;  /* Interface index */
    struct in_addr ipi_spec_dst; /* Local address */
    struct in_addr ipi_addr;     /* Header Destination
                                    address */
};
.EE
.in
.IP
.I ipi_ifindex
is the unique index of the interface the packet was received on.
.I ipi_spec_dst
is the local address of the packet and
.I ipi_addr
is the destination address in the packet header.
If
.B IP_PKTINFO
is passed to
.BR sendmsg (2)
and
.\" This field is grossly misnamed
.I ipi_spec_dst
is not zero, then it is used as the local source address for the routing
table lookup and for setting up IP source route options.
When
.I ipi_ifindex
is not zero, the primary local address of the interface specified by the
index overwrites
.I ipi_spec_dst
for the routing table lookup.
.TP
.BR IP_RECVERR " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.15
Enable extended reliable error message passing.
When enabled on a datagram socket, all
generated errors will be queued in a per-socket error queue.
When the user receives an error from a socket operation,
the errors can be received by calling
.BR recvmsg (2)
with the
.B MSG_ERRQUEUE
flag set.
The
.I sock_extended_err
structure describing the error will be passed in an ancillary message with
the type
.B IP_RECVERR
and the level
.BR IPPROTO_IP .
.\" or SOL_IP on Linux
This is useful for reliable error handling on unconnected sockets.
The received data portion of the error queue contains the error packet.
.IP
The
.B IP_RECVERR
control message contains a
.I sock_extended_err
structure:
.IP
.in +4n
.EX
#define SO_EE_ORIGIN_NONE    0
#define SO_EE_ORIGIN_LOCAL   1
#define SO_EE_ORIGIN_ICMP    2
#define SO_EE_ORIGIN_ICMP6   3
\&
struct sock_extended_err {
    uint32_t ee_errno;   /* error number */
    uint8_t  ee_origin;  /* where the error originated */
    uint8_t  ee_type;    /* type */
    uint8_t  ee_code;    /* code */
    uint8_t  ee_pad;
    uint32_t ee_info;    /* additional information */
    uint32_t ee_data;    /* other data */
    /* More data may follow */
};
\&
struct sockaddr *SO_EE_OFFENDER(struct sock_extended_err *);
.EE
.in
.IP
.I ee_errno
contains the
.I errno
number of the queued error.
.I ee_origin
is the origin code of where the error originated.
The other fields are protocol-specific.
The macro
.B SO_EE_OFFENDER
returns a pointer to the address of the network object
where the error originated from given a pointer to the ancillary message.
If this address is not known, the
.I sa_family
member of the
.I sockaddr
contains
.B AF_UNSPEC
and the other fields of the
.I sockaddr
are undefined.
.IP
IP uses the
.I sock_extended_err
structure as follows:
.I ee_origin
is set to
.B SO_EE_ORIGIN_ICMP
for errors received as an ICMP packet, or
.B SO_EE_ORIGIN_LOCAL
for locally generated errors.
Unknown values should be ignored.
.I ee_type
and
.I ee_code
are set from the type and code fields of the ICMP header.
.I ee_info
contains the discovered MTU for
.B EMSGSIZE
errors.
The message also contains the
.I sockaddr_in of the node
caused the error, which can be accessed with the
.B SO_EE_OFFENDER
macro.
The
.I sin_family
field of the
.B SO_EE_OFFENDER
address is
.B AF_UNSPEC
when the source was unknown.
When the error originated from the network, all IP options
.RB ( IP_OPTIONS ", " IP_TTL ,
etc.) enabled on the socket and contained in the
error packet are passed as control messages.
The payload of the packet causing the error is returned as normal payload.
.\" FIXME . Is it a good idea to document that? It is a dubious feature.
.\" On
.\" .B SOCK_STREAM
.\" sockets,
.\" .B IP_RECVERR
.\" has slightly different semantics. Instead of
.\" saving the errors for the next timeout, it passes all incoming
.\" errors immediately to the user.
.\" This might be useful for very short-lived TCP connections which
.\" need fast error handling. Use this option with care:
.\" it makes TCP unreliable
.\" by not allowing it to recover properly from routing
.\" shifts and other normal
.\" conditions and breaks the protocol specification.
Note that TCP has no error queue;
.B MSG_ERRQUEUE
is not permitted on
.B SOCK_STREAM
sockets.
.B IP_RECVERR
is valid for TCP, but all errors are returned by socket function return or
.B SO_ERROR
only.
.IP
For raw sockets,
.B IP_RECVERR
enables passing of all received ICMP errors to the
application, otherwise errors are reported only on connected sockets
.IP
It sets or retrieves an integer boolean flag.
.B IP_RECVERR
defaults to off.
.TP
.BR IP_RECVOPTS " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.15
Pass all incoming IP options to the user in a
.B IP_OPTIONS
control message.
The routing header and other options are already filled in
for the local host.
Not supported for
.B SOCK_STREAM
sockets.
.TP
.BR IP_RECVORIGDSTADDR " (since Linux 2.6.29)"
.\" commit e8b2dfe9b4501ed0047459b2756ba26e5a940a69
This boolean option enables the
.B IP_ORIGDSTADDR
ancillary message in
.BR recvmsg (2),
in which the kernel returns the original destination address
of the datagram being received.
The ancillary message contains a
.IR "struct sockaddr_in" .
.TP
.BR IP_RECVTOS " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.68
If enabled, the
.B IP_TOS
ancillary message is passed with incoming packets.
It contains a byte which specifies the Type of Service/Precedence
field of the packet header.
Expects a boolean integer flag.
.TP
.BR IP_RECVTTL " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.68
When this flag is set, pass a
.B IP_TTL
control message with the time-to-live
field of the received packet as a 32 bit integer.
Not supported for
.B SOCK_STREAM
sockets.
.TP
.BR IP_RETOPTS " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.15
Identical to
.BR IP_RECVOPTS ,
but returns raw unprocessed options with timestamp and route record
options not filled in for this hop.
.TP
.BR IP_ROUTER_ALERT " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.68
Pass all to-be forwarded packets with the
IP Router Alert option set to this socket.
Valid only for raw sockets.
This is useful, for instance, for user-space RSVP daemons.
The tapped packets are not forwarded by the kernel; it is
the user's responsibility to send them out again.
Socket binding is ignored,
such packets are filtered only by protocol.
Expects an integer flag.
.TP
.BR IP_TOS " (since Linux 1.0)"
Set or receive the Type-Of-Service (TOS) field that is sent
with every IP packet originating from this socket.
It is used to prioritize packets on the network.
TOS is a byte.
There are some standard TOS flags defined:
.B IPTOS_LOWDELAY
to minimize delays for interactive traffic,
.B IPTOS_THROUGHPUT
to optimize throughput,
.B IPTOS_RELIABILITY
to optimize for reliability,
.B IPTOS_MINCOST
should be used for "filler data" where slow transmission doesn't matter.
At most one of these TOS values can be specified.
Other bits are invalid and shall be cleared.
Linux sends
.B IPTOS_LOWDELAY
datagrams first by default,
but the exact behavior depends on the configured queueing discipline.
.\" FIXME elaborate on this
Some high-priority levels may require superuser privileges (the
.B CAP_NET_ADMIN
capability).
.\" The priority can also be set in a protocol-independent way by the
.\" .RB ( SOL_SOCKET ", " SO_PRIORITY )
.\" socket option (see
.\" .BR socket (7)).
.TP
.BR IP_TRANSPARENT " (since Linux 2.6.24)"
.\" commit f5715aea4564f233767ea1d944b2637a5fd7cd2e
.\"     This patch introduces the IP_TRANSPARENT socket option: enabling that
.\"     will make the IPv4 routing omit the non-local source address check on
.\"     output. Setting IP_TRANSPARENT requires NET_ADMIN capability.
.\" http://lwn.net/Articles/252545/
Setting this boolean option enables transparent proxying on this socket.
This socket option allows
the calling application to bind to a nonlocal IP address and operate
both as a client and a server with the foreign address as the local endpoint.
NOTE: this requires that routing be set up in a way that
packets going to the foreign address are routed through the TProxy box
(i.e., the system hosting the application that employs the
.B IP_TRANSPARENT
socket option).
Enabling this socket option requires superuser privileges
(the
.B CAP_NET_ADMIN
capability).
.IP
TProxy redirection with the iptables TPROXY target also requires that
this option be set on the redirected socket.
.TP
.BR IP_TTL " (since Linux 1.0)"
Set or retrieve the current time-to-live field that is used in every packet
sent from this socket.
.TP
.BR IP_UNBLOCK_SOURCE " (since Linux 2.4.22 / 2.5.68)"
Unblock previously blocked multicast source.
Returns
.B EADDRNOTAVAIL
when given source is not being blocked.
.IP
Argument is an
.I ip_mreq_source
structure as described under
.BR IP_ADD_SOURCE_MEMBERSHIP .
.TP
.BR SO_PEERSEC " (since Linux 2.6.17)"
If labeled IPSEC or NetLabel is configured on both the sending and
receiving hosts, this read-only socket option returns the security
context of the peer socket connected to this socket.
By default,
this will be the same as the security context of the process that created
the peer socket unless overridden by the policy or by a process with
the required permissions.
.IP
The argument to
.BR getsockopt (2)
is a pointer to a buffer of the specified length in bytes
into which the security context string will be copied.
If the buffer length is less than the length of the security
context string, then
.BR getsockopt (2)
returns \-1, sets
.I errno
to
.BR ERANGE ,
and returns the required length via
.IR optlen .
The caller should allocate at least
.B NAME_MAX
bytes for the buffer initially, although this is not guaranteed
to be sufficient.
Resizing the buffer to the returned length
and retrying may be necessary.
.IP
The security context string may include a terminating null character
in the returned length, but is not guaranteed to do so: a security
context "foo" might be represented as either {'f','o','o'} of length 3
or {'f','o','o','\\0'} of length 4, which are considered to be
interchangeable.
The string is printable, does not contain non-terminating null characters,
and is in an unspecified encoding (in particular, it
is not guaranteed to be ASCII or UTF-8).
.IP
The use of this option for sockets in the
.B AF_INET
address family is supported since Linux 2.6.17
.\" commit 2c7946a7bf45ae86736ab3b43d0085e43947945c
for TCP sockets, and since Linux 4.17
.\" commit d452930fd3b9031e59abfeddb2fa383f1403d61a
for SCTP sockets.
.IP
For SELinux, NetLabel conveys only the MLS portion of the security
context of the peer across the wire, defaulting the rest of the
security context to the values defined in the policy for the
netmsg initial security identifier (SID).
However, NetLabel can
be configured to pass full security contexts over loopback.
Labeled IPSEC always passes full security contexts as part of establishing
the security association (SA) and looks them up based on the association
for each packet.
.\"
.SS /proc interfaces
The IP protocol
supports a set of
.I /proc
interfaces to configure some global parameters.
The parameters can be accessed by reading or writing files in the directory
.IR /proc/sys/net/ipv4/ .
.\" FIXME As at 2.6.12, 14 Jun 2005, the following are undocumented:
.\"  ip_queue_maxlen
.\"  ip_conntrack_max
Interfaces described as
.I Boolean
take an integer value, with a nonzero value ("true") meaning that
the corresponding option is enabled, and a zero value ("false")
meaning that the option is disabled.
.\"
.TP
.IR ip_always_defrag " (Boolean; since Linux 2.2.13)"
[New with Linux 2.2.13; in earlier kernel versions this feature
was controlled at compile time by the
.B CONFIG_IP_ALWAYS_DEFRAG
option; this option is not present in Linux 2.4.x and later]
.IP
When this boolean flag is enabled (not equal 0), incoming fragments
(parts of IP packets
that arose when some host between origin and destination decided
that the packets were too large and cut them into pieces) will be
reassembled (defragmented) before being processed, even if they are
about to be forwarded.
.IP
Enable only if running either a firewall that is the sole link
to your network or a transparent proxy; never ever use it for a
normal router or host.
Otherwise, fragmented communication can be disturbed
if the fragments travel over different links.
Defragmentation also has a large memory and CPU time cost.
.IP
This is automagically turned on when masquerading or transparent
proxying are configured.
.\"
.TP
.IR ip_autoconfig " (since Linux 2.2 to Linux 2.6.17)"
.\" Precisely: since Linux 2.1.68
.\" FIXME document ip_autoconfig
Not documented.
.\"
.TP
.IR ip_default_ttl " (integer; default: 64; since Linux 2.2)"
.\" Precisely: since Linux 2.1.15
Set the default time-to-live value of outgoing packets.
This can be changed per socket with the
.B IP_TTL
option.
.\"
.TP
.IR ip_dynaddr " (Boolean; default: disabled; since Linux 2.0.31)"
Enable dynamic socket address and masquerading entry rewriting on interface
address change.
This is useful for dialup interface with changing IP addresses.
0 means no rewriting, 1 turns it on and 2 enables verbose mode.
.\"
.TP
.IR ip_forward " (Boolean; default: disabled; since Linux 1.2)"
Enable IP forwarding with a boolean flag.
IP forwarding can be also set on a per-interface basis.
.\"
.TP
.IR ip_local_port_range " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.68
This file contains two integers that define the default local port range
allocated to sockets that are not explicitly bound to a port number\[em]that
is, the range used for
.IR "ephemeral ports" .
An ephemeral port is allocated to a socket in the following circumstances:
.RS
.IP \[bu] 3
the port number in a socket address is specified as 0 when calling
.BR bind (2);
.IP \[bu]
.BR listen (2)
is called on a stream socket that was not previously bound;
.IP \[bu]
.BR connect (2)
was called on a socket that was not previously bound;
.IP \[bu]
.BR sendto (2)
is called on a datagram socket that was not previously bound.
.RE
.IP
Allocation of ephemeral ports starts with the first number in
.I ip_local_port_range
and ends with the second number.
If the range of ephemeral ports is exhausted,
then the relevant system call returns an error (but see BUGS).
.IP
Note that the port range in
.I ip_local_port_range
should not conflict with the ports used by masquerading
(although the case is handled).
Also, arbitrary choices may cause problems with some firewall packet
filters that make assumptions about the local ports in use.
The first number should be at least greater than 1024,
or better, greater than 4096, to avoid clashes
with well known ports and to minimize firewall problems.
.\"
.TP
.IR ip_no_pmtu_disc " (Boolean; default: disabled; since Linux 2.2)"
.\" Precisely: 2.1.15
If enabled, don't do Path MTU Discovery for TCP sockets by default.
Path MTU discovery may fail if misconfigured firewalls (that drop
all ICMP packets) or misconfigured interfaces (e.g., a point-to-point
link where the both ends don't agree on the MTU) are on the path.
It is better to fix the broken routers on the path than to turn off
Path MTU Discovery globally, because not doing it incurs a high cost
to the network.
.\"
.\" The following is from Linux 2.6.12: Documentation/networking/ip-sysctl.txt
.TP
.IR ip_nonlocal_bind " (Boolean; default: disabled; since Linux 2.4)"
.\" Precisely: patch-2.4.0-test10
If set, allows processes to
.BR bind (2)
to nonlocal IP addresses,
which can be quite useful, but may break some applications.
.\"
.\" The following is from Linux 2.6.12: Documentation/networking/ip-sysctl.txt
.TP
.IR ip6frag_time " (integer; default: 30)"
Time in seconds to keep an IPv6 fragment in memory.
.\"
.\" The following is from Linux 2.6.12: Documentation/networking/ip-sysctl.txt
.TP
.IR ip6frag_secret_interval " (integer; default: 600)"
Regeneration interval (in seconds) of the hash secret (or lifetime
for the hash secret) for IPv6 fragments.
.TP
.IR ipfrag_high_thresh " (integer)"
.TQ
.IR ipfrag_low_thresh " (integer)"
If the amount of queued IP fragments reaches
.IR ipfrag_high_thresh ,
the queue is pruned down to
.IR ipfrag_low_thresh .
Contains an integer with the number of bytes.
.TP
.I neigh/*
See
.BR arp (7).
.\" FIXME Document the conf/*/* interfaces
.\"
.\" FIXME Document the route/* interfaces
.SS Ioctls
All ioctls described in
.BR socket (7)
apply to
.BR ip .
.P
Ioctls to configure generic device parameters are described in
.BR netdevice (7).
.\" FIXME Add a discussion of multicasting
.SH ERRORS
.\" FIXME document all errors.
.\"     We should really fix the kernels to give more uniform
.\"     error returns (ENOMEM vs ENOBUFS, EPERM vs EACCES etc.)
.TP
.B EACCES
The user tried to execute an operation without the necessary permissions.
These include:
sending a packet to a broadcast address without having the
.B SO_BROADCAST
flag set;
sending a packet via a
.I prohibit
route;
modifying firewall settings without superuser privileges (the
.B CAP_NET_ADMIN
capability);
binding to a privileged port without superuser privileges (the
.B CAP_NET_BIND_SERVICE
capability).
.TP
.B EADDRINUSE
Tried to bind to an address already in use.
.TP
.B EADDRNOTAVAIL
A nonexistent interface was requested or the requested source
address was not local.
.TP
.B EAGAIN
Operation on a nonblocking socket would block.
.TP
.B EALREADY
A connection operation on a nonblocking socket is already in progress.
.TP
.B ECONNABORTED
A connection was closed during an
.BR accept (2).
.TP
.B EHOSTUNREACH
No valid routing table entry matches the destination address.
This error can be caused by an ICMP message from a remote router or
for the local routing table.
.TP
.B EINVAL
Invalid argument passed.
For send operations this can be caused by sending to a
.I blackhole
route.
.TP
.B EISCONN
.BR connect (2)
was called on an already connected socket.
.TP
.B EMSGSIZE
Datagram is bigger than an MTU on the path and it cannot be fragmented.
.TP
.B ENOBUFS
.TQ
.B ENOMEM
Not enough free memory.
This often means that the memory allocation is limited by the socket
buffer limits, not by the system memory, but this is not 100% consistent.
.TP
.B ENOENT
.B SIOCGSTAMP
was called on a socket where no packet arrived.
.TP
.B ENOPKG
A kernel subsystem was not configured.
.TP
.BR ENOPROTOOPT " and " EOPNOTSUPP
Invalid socket option passed.
.TP
.B ENOTCONN
The operation is defined only on a connected socket, but the socket wasn't
connected.
.TP
.B EPERM
User doesn't have permission to set high priority, change configuration,
or send signals to the requested process or group.
.TP
.B EPIPE
The connection was unexpectedly closed or shut down by the other end.
.TP
.B ESOCKTNOSUPPORT
The socket is not configured or an unknown socket type was requested.
.P
Other errors may be generated by the overlaying protocols; see
.BR tcp (7),
.BR raw (7),
.BR udp (7),
and
.BR socket (7).
.SH NOTES
.BR IP_FREEBIND ,
.BR IP_MSFILTER ,
.BR IP_MTU ,
.BR IP_MTU_DISCOVER ,
.BR IP_RECVORIGDSTADDR ,
.BR IP_PASSSEC ,
.BR IP_PKTINFO ,
.BR IP_RECVERR ,
.BR IP_ROUTER_ALERT ,
and
.B IP_TRANSPARENT
are Linux-specific.
.\" IP_XFRM_POLICY is Linux-specific
.\" IP_IPSEC_POLICY is a nonstandard extension, also present on some BSDs
.P
Be very careful with the
.B SO_BROADCAST
option \- it is not privileged in Linux.
It is easy to overload the network
with careless broadcasts.
For new application protocols
it is better to use a multicast group instead of broadcasting.
Broadcasting is discouraged.
See RFC 6762 for an example of a protocol (mDNS)
using the more modern multicast approach
to communicating with an open-ended
group of hosts on the local network.
.P
Some other BSD sockets implementations provide
.B IP_RCVDSTADDR
and
.B IP_RECVIF
socket options to get the destination address and the interface of
received datagrams.
Linux has the more general
.B IP_PKTINFO
for the same task.
.P
Some BSD sockets implementations also provide an
.B IP_RECVTTL
option, but an ancillary message with type
.B IP_RECVTTL
is passed with the incoming packet.
This is different from the
.B IP_TTL
option used in Linux.
.P
Using the
.B SOL_IP
socket options level isn't portable; BSD-based stacks use the
.B IPPROTO_IP
level.
.P
.B INADDR_ANY
(0.0.0.0) and
.B INADDR_BROADCAST
(255.255.255.255) are byte-order-neutral.
This means
.BR htonl (3)
has no effect on them.
.SS Compatibility
For compatibility with Linux 2.0, the obsolete
.BI "socket(AF_INET, SOCK_PACKET, " protocol )
syntax is still supported to open a
.BR packet (7)
socket.
This is deprecated and should be replaced by
.BI "socket(AF_PACKET, SOCK_RAW, " protocol )
instead.
The main difference is the new
.I sockaddr_ll
address structure for generic link layer information instead of the old
.BR sockaddr_pkt .
.SH BUGS
There are too many inconsistent error values.
.P
The error used to diagnose exhaustion of the ephemeral port range differs
across the various system calls
.RB ( connect (2),
.BR bind (2),
.BR listen (2),
.BR sendto (2))
that can assign ephemeral ports.
.P
The ioctls to configure IP-specific interface options and ARP tables are
not described.
.\" .P
.\" Some versions of glibc forget to declare
.\" .IR in_pktinfo .
.\" Workaround currently is to copy it into your program from this man page.
.P
Receiving the original destination address with
.B MSG_ERRQUEUE
in
.I msg_name
by
.BR recvmsg (2)
does not work in some Linux 2.2 kernels.
.\" .SH AUTHORS
.\" This man page was written by Andi Kleen.
.SH SEE ALSO
.BR recvmsg (2),
.BR sendmsg (2),
.BR byteorder (3),
.BR capabilities (7),
.BR icmp (7),
.BR ipv6 (7),
.BR netdevice (7),
.BR netlink (7),
.BR raw (7),
.BR socket (7),
.BR tcp (7),
.BR udp (7),
.BR ip (8)
.P
The kernel source file
.IR Documentation/networking/ip\-sysctl.txt .
.P
RFC\ 791 for the original IP specification.
RFC\ 1122 for the IPv4 host requirements.
RFC\ 1812 for the IPv4 router requirements.