This chapter discusses various important aspects of networking-related kernel configurations on which we will rely heavily as we advance throughout this book. Some of these features need to be enabled at kernel compile time, some utilize loadable kernel modules, and others require user-space configuration tools and utilities such as the firewall or virtual local-area network (VLAN) configuration tasks. In the context of kernel parameters, the sysctl utility is introduced and thoroughly discussed.
This chapter does not cover physical interfaces; Chapter 5, "Ethernet and VLANs," covers them in detail. Essentially, all topics covered here are discussed in greater detail in later chapters. They are presented in this chapter in abbreviated form because you will require this information to prepare your kernel for the labs to come.
The kernel configurations discussed in this chapter represent only some network-relevant parameters and settings. Full configurations for OpenBSD, FreeBSD, NetBSD, and Linux are provided in Appendix A, "UNIX Kernel Configuration Files." I strongly recommend reading this chapter in parallel with Appendix A.
The sysctl Facility
The sysctl utility retrieves and allows modification of fine-grained kernel parameters on running systems. Parameters can be placed in /etc/sysctl.conf to be set at boot time. Consult the manual page sysctl(8) for further details.
Example 3-1 shows sample sysctl output and how to alter a variable (assign it a value). As the man pages reveal, sysctl works only slightly differently on BSD systems than on Linux.
Example 3-1. UNIX sysctl Utility
[root@castor:#] sysctl -a | grep ipsec
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 1
net.inet.ipsec.esp_randpad: -1
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.esp_randpad: -1
[root@castor:~#] sysctl net.inet.ipsec.dfbit=0
net.inet.ipsec.dfbit: 0 -> 0
[root@callisto:~#] sysctl -w net.ipv4.ip_forward=1
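As an added example (not from the book), the following POSIX sh script checks a sysctl dump in the "key: value" format of Example 3-1 against a baseline written in the key=value style of /etc/sysctl.conf and reports every parameter that is missing or has drifted. The sample dump, the baseline keys and all values are constructed for illustration; on a live host the dump would come from sysctl -a.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` output in the BSD "key: value" style
# shown in Example 3-1 (values chosen for illustration, not from any host).
SAMPLE_SYSCTL='net.inet.ipsec.def_policy: 1
net.inet.ipsec.dfbit: 0
net.inet.ipsec.debug: 1
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1'

# Constructed baseline in /etc/sysctl.conf "key=value" style: the values a
# site expects on a hardened host. Keys are assumed for this example.
BASELINE='net.inet.ip.forwarding=0
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ipsec.debug=0
net.inet.ipsec.dfbit=0'

# lookup KEY DUMP: print KEY's current value from DUMP, accepting both the
# BSD "key: value" and the Linux "key = value" output styles; empty if absent.
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" -F'[:=]' '
        $1 ~ "^" k " *$" { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# audit DUMP BASELINE: print one line per baseline entry that is missing from
# DUMP or differs from it; return status is the deviation count (0 = compliant).
audit() {
    dump=$1; baseline=$2; drift=0
    while IFS='=' read -r key want; do
        case $key in ''|\#*) continue ;; esac   # skip blank and comment lines
        have=$(lookup "$key" "$dump")
        if [ -z "$have" ]; then
            echo "MISSING  $key (baseline $want)"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT    $key = $have (baseline $want)"
            drift=$((drift + 1))
        fi
    done <<EOF
$baseline
EOF
    return $drift
}

# On a live system replace SAMPLE_SYSCTL with "$(sysctl -a 2>/dev/null)".
audit "$SAMPLE_SYSCTL" "$BASELINE" || echo "$? deviation(s) from baseline"
```

Placing the same key=value lines in /etc/sysctl.conf, as described above, makes the baseline take effect at boot, so the audit doubles as a check that the boot-time settings have not been changed at run time.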