SBC Kernel Parameters

In order to give the capability to assign Real-time scheduling (SCHED_FIFO) to SWe_NP threads inside the pod, this value should be set to -1 (unlimited).

This setting removes the limits on the CPU capacity available to the Real-Time threads.

By default, RT tasks may consume 95%CPU/sec, leaving 5%CPU/sec or 0.05s to be used by SCHED_OTHER tasks.

The default value is 950000 (µs).

To handle high CPS and high throughput, the Socket Send Buffer size should be big enough.

The value set for this parameter is the max that the Socket can use when setting SO_SNDBUF.

To handle high CPS and high throughput, the Socket Send Buffer size should be big enough.

This is the default value for socket send buffer size.

It is helpful in cases where the Application has not explicitly set the send buffer size using SO_SNDBUF.

If the setting is at a lower value, it may impact the max throughput of applications not expressly setting the socket send buffer size (including third-party libraries that use sockets for communication).

To handle high CPS and throughput, the Socket Receive Buffer size should be big enough.

The value set for this parameter is the max that the Socket can use when setting SO_RCVBUF.

To handle high CPS and throughput, the Socket Send Buffer size should be big enough.

This is the default value for the socket send buffer size.

It is helpful in cases where the Application has not explicitly set the receive buffer size using SO_RCVBUF.

If the setting is at a lower value, it may impact the max throughput of applications that do not explicitly set socket receive buffer size (including third-party libraries that use sockets for communication).

Disable IPSEC encryption on this interface, whatever the policy.

This is the default value of IPsec in SBC. As IPsec is applied at the per-interface group level, it should be kept as 1.

Disable IPSEC policy (SPD) for this interface.

This is to change the default value to disable the IPsec policy in SBC. IPsec is applied at the per-interface group level and should be kept at 1

The kernel flusher threads periodically wake up and write old data out to disk. This tunable expresses the interval between those wakeups, in 100ths of a second.

Setting this to zero disables periodic writeback altogether.

Please keep it at default (500). A high value or disabling may leave stale data on the disk for longer, which is undesirable. Setting it to a low value may cause more frequent disk access by kernel threads.

(https://docs.kernel.org/admin-guide/sysctl/vm.html)

Defines when dirty data is old enough to be eligible for writeout by the kernel flusher threads. It is expressed in 100ths of a second. Data that is dirty in memory for longer than this interval will be written out the next time a flusher thread wakes up.

High values may leave stale data on the disk for longer, which is not desirable. Setting it to a low value may cause kernel threads to access disks more frequently. 

(https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-expire-centisecs)

(https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-background-bytes):

(https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-bytes)

Drop packets until the key manager resolves IPsec rules/SAs.

Use the Linux default value.

Minimum number of entries to keep. The garbage collector will not purge entries if fewer than this number exists.

The value is set to support the published limits.

Threshold when the garbage collector becomes more aggressive about purging entries. Entries older than 5 seconds will be cleared when over this number.

The value is set to support the published limits.

Maximum number of neighbor entries allowed. Increase this when using large numbers of interfaces and communicating with large numbers of directly connected peers.

The value is set to support the published limits.

Minimum number of entries to keep. The garbage collector will not purge entries if fewer than this number exists.

Default 128

The value is set to support the published limits.

Threshold when the garbage collector becomes more aggressive about purging entries. Entries older than 5 seconds will be cleared when over this number.

Default: 512

The value is set to support the published limits.

Maximum number of neighbor entries allowed. Increase this when using large numbers of interfaces and communicating with large numbers of directly connected peers.

Default: 1024

The value is set to support the published limits.

Send redirects, if router. send_redirects for the interface will be enabled if at least one of conf/{all, interface/send_redirects is set to TRUE; it will be disabled otherwise.

Default: TRUE

The SBC is not a router.

Send redirects, if router. send_redirects for the interface will be enabled if at least one of conf/{all, interface}/send_redirects is set to TRUE; it will be disabled otherwise.

Default: TRUE

The SBC is not a router.

Accept Redirects.

Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled.

The SBC is not a router.

Accept Redirects.

Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled.

The SBC is not a router.

Accept Redirects.

Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled.

The SBC is not a router.

Accept Redirects.

Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled.

The SBC is not a router.

Accept ICMP redirect messages only to gateways in the interface's current gateway list.

Even if disabled, RFC1122 redirect rules still apply.

Overridden by shared_media.

secure_redirects for the interface will be enabled if at least one of conf/{all, interface}/secure_redirects is set to TRUE; it will be disabled otherwise.

Accept ICMP redirect messages only to gateways in the interface's current gateway list.

Even if disabled, RFC1122 redirect rules still apply.

Overridden by shared_media.

secure_redirects for the interface will be enabled if at least one of conf/{all, interface}/secure_redirects is set to TRUE; it will be disabled otherwise.

The SBC is not a router.

Accept packets with local source addresses. With suitable routing, packets can be directed between two local interfaces over the wire and accepted properly.

Default FALSE.

Use the Linux default value.

Accept packets with local source addresses. With suitable routing, packets can be directed between two local interfaces over the wire and accepted properly.

Default FALSE.

Using the Linux default value.

Accept packets with local source addresses. With suitable routing, packets can be directed between two local interfaces over the wire and accepted properly.

Default FALSE.

Using the Linux default value.

Unlikely to be useful for SBC functionality.

It should be left to the discretion of the container host admin.

Unlikely to be useful for SBC functionality.

It should be left to the discretion of the container host admin.

If set  to non-zero, the kernel will ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast.

Using the Linux default value.

Some routers violate RFC1122 by sending bogus responses to broadcast frames. Such violations are typically logged via a kernel warning. If this is set to TRUE, the kernel will not give such warnings, avoiding log file clutter.

Using the Linux default value.

Send out syncookies when the syn backlog queue of a socket overflows.
This is to prevent the common SYN flood attack.

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state.

Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, enabling the system to continue servicing valid connection requests.

Default value: 1

• 0: No source validation. (default)
• 1: Strict mode as defined in RFC3704 Strict Reverse Path
  Each incoming packet is tested against the FIB, and if the interface is not the best reverse path, the packet check will fail.
  By default, failed packets are discarded.
• 2: Loose mode as defined in RFC3704 Loose Reverse Path
  Each incoming packet's source address is also tested against the FIB; the packet check will fail if the source address is not reachable via any interface.

The recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. Loose mode is recommended if using asymmetric routing or other complicated routing.

The SBC uses interface group routing and can use asymmetric routing. Thus, Loose mode is required.

• 0: No source validation. (default)
• 1: Strict mode as defined in RFC3704 Strict Reverse Path
  Each incoming packet is tested against the FIB, and if the interface is not the best reverse path, the packet check will fail.
  By default, failed packets are discarded.
• 2: Loose mode as defined in RFC3704 Loose Reverse Path

Each incoming packet's source address is also tested against the FIB, and if the source address is not reachable via any interface, the packet check will fail.

The recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. Loose mode is recommended if using asymmetric routing or other complicated routing.

The SBC uses interface group routing and can use asymmetric routing. Thus, Loose mode is required.

sk->sk_pacing_rate is set by the TCP stack using a ratio applied to the current rate. (current_rate = cwnd * mss / srtt)

If the TCP is in slow start, tcp_pacing_ss_ratio is applied to let the TCP probe for bigger speeds, assuming cwnd can be doubled every other RTT.

Default: 200

Forward Packets between interfaces.

• 0: disabled (default)
• not 0: enabled

The SBC is not a router.

Value 0 is primarily intended for H/W & SWe SBCs).

Disabling timer_migration helps prevent timers from migrating in real-time systems with multiple sockets.

Enabling timer_migration allows timers to be migrated to busy CPUs, which are the CPUs running the DPDK threads.

This causes interruptions to DPDK threads.

Default value is 1

SHMMAX is a kernel parameter that defines the maximum size of a single shared memory segment a Linux process can allocate.

Default: 32MB

Ribbon sets this value to 265MB.

Defines the local port range that TCP and UDP use to choose the local port. The first number is the first, and the second is the last local port number.
These numbers should have different parity. (one even and one odd value)

The default values are 32768 and 60999, respectively.

Use a wider port range to support the published session limits.

Only valid when the kernel was compiled with CONFIG_SYN_COOKIES

Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent the common SYN flood attack.

Use the Linux default value.

Autoconfigure addresses using Prefix Information in Router Advertisements.

The value must be set to 0 since SBC uses static IPv6 configuration.

Autoconfigure addresses using Prefix Information in Router Advertisements.

The value must be set to 0 since the SBC uses a static IPv6 configuration.

Autoconfigure addresses using Prefix Information in Router Advertisements.

The value must be set to 0 since the SBC uses a static IPv6 configuration.

Autoconfigure addresses using Prefix Information in Router Advertisements.

The value must be set to 0 since the SBC uses a static IPv6 configuration.