3.64. NDSettings

Description

ND (IPv6 Neighbor Discovery) Settings

Properties

NDMaxSolicitation
Maximum number of address resolution queries, per second and interface. (Default: 1000)
NDMaxUnreachProbe
Maximum number of Unreachability probes, per second and interface. (Default: 300)
NDMaxUnreachHost
Maximum number of replies to Unreachability probes, per host and second. (Default: 3)
NDMaxUnreachReply
Maximum number of replies to Unreachability probes, per second and interface. (Default: 300)
NDMaxResolvReply
Maximum number of replies to address resolution queries, per second and interface. (Default: 100)
NDMaxDupReply
Maximum number of replies to Duplicate Address probes, per second and interface. (Default: 1000)
NDCacheSizeEther
Maximum number of Ethernet ND entries in cache, total. (Default: 512)
NDMaxMulticastSolicit
Maximum number of Neighbor Solicitation messages before giving up address resolution. (Default: 3)
NDMaxUnicastSolicit
Maximum number of Unreachability probes before giving up on a stale ND entry. (Default: 3)
MaxAnycastDelayTime
Randomized time (0.5 - 1.5) in milliseconds to delay proxied and anycast advertisements. (Default: 100)
DelayFirstProbeTime
Time to wait (for a response), in hundredths of a second, after any message is sent to a stale ND entry address, before it is subject to Dead Peer detection. (Default: 100)
NDBaseReachableTime
Basically the lifetime of an ND entry, in seconds. More precisely: this value is multiplied by a random factor (0.5 - 1.5), yielding the number of seconds before an ND entry is considered stale. (Default: 30)
NDZombieTime
Maximum number of seconds before a stale ND entry is subject to Dead Peer detection. (Default: 3600)
NDRetransTimer
Tenths of a second between each Neighbor Solicitation during address resolution and Dead Peer detection. (Default: 10)
NDVerifyTimer
Time in seconds after a seemingly successful address resolution, during which the system will treat later incoming and conflicting advertisements differently. The system will randomly decide whether to trust the first or the later information. In both cases the IP will be logged as suspicious. Outside of this time, conflicting advertisements will be accepted in accordance with NDChanges. (Default: 1)
NDNoiseThreshold
Directly after a seemingly successful address resolution, and for the duration of the Verify Timer: treat more than this number of advertisements for the same IP as suspicious (not counting those with the override flag cleared), even if they provide the same information. (Default: 2)
NDMatchL2Sender
The hardware Sender address matching the hardware address in the ND Source/Target 'Link-layer Address' Options. (Default: DropLog)
NDValidation
What to do when a severely broken ND packet arrives. (Default: DropLog)
StaticNDChanges
ND packets that would cause static entries to be changed. (Default: DropLog)
NDChanges
ND packets that would cause an entry to be changed. (Default: FavourOldLog)
NDSenderIP
The IP Source address in ND packets. (Default: Validate)
NDDupFlavor
Send replies to Duplicate Address probes to this destination (DAD probes do not contain a source address to which replies can be sent, and the RFC does not clearly specify where to send replies). (Default: AllNodes)
NDMulticastFlavor
How to resolve IPv6 multicast into L2 multicast (note that the default is the only RFC-compliant alternative). (Default: RFC2460)
NDClearOFlag
Clear the Override Flag on proxy and anycast ND advertisements (as required by the RFC). (Default: Yes)
NDLogRatelimitDelay
Whether to log when the rate limit settings prevent outgoing ND messages from being sent. (Default: Yes)
NDLogOutOfEntries
Whether to log when there are not enough neighbor entries in the firewall to perform IP address resolution (this will cause old entries to be recycled). (Default: Yes)
NDLogResolveFailure
Log when address resolution fails. (Default: Yes)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
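The NDVerifyTimer and NDNoiseThreshold descriptions above can be read as a detection rule; the following is an added example that models that rule over constructed advertisements, and is not code from the product. The `Advert` record, the function name, the choice to count only advertisements arriving after the first one, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

ND_VERIFY_TIMER = 1.0     # seconds, NDVerifyTimer default from this page
ND_NOISE_THRESHOLD = 2    # NDNoiseThreshold default from this page

@dataclass
class Advert:             # hypothetical record of one Neighbor Advertisement
    t: float              # arrival time in seconds
    ip: str               # advertised IPv6 address
    mac: str              # link-layer address it claims
    override: bool        # Override flag

def suspicious_ips(adverts, verify_timer=ND_VERIFY_TIMER,
                   noise_threshold=ND_NOISE_THRESHOLD):
    """Return {ip: set of reasons} for IPs that would be marked suspicious."""
    first, counted, flagged = {}, {}, {}
    for a in sorted(adverts, key=lambda a: a.t):
        if a.ip not in first:
            # Assumption: the first advertisement is the "seemingly
            # successful" resolution and starts the verify window.
            first[a.ip], counted[a.ip] = (a.t, a.mac), 0
            continue
        t0, mac0 = first[a.ip]
        if a.t - t0 > verify_timer:
            continue      # outside the window NDChanges decides; not modelled
        if a.mac != mac0:
            # Conflicting information inside the window: suspicious whichever
            # answer the system ends up trusting (random choice not modelled).
            flagged.setdefault(a.ip, set()).add("conflict")
        if a.override:    # adverts with the flag cleared are not counted
            counted[a.ip] += 1
            if counted[a.ip] > noise_threshold:
                flagged.setdefault(a.ip, set()).add("noise")
    return flagged

# Constructed sample traffic (documentation prefix 2001:db8::/32).
SAMPLE = (
    [Advert(0.0, "2001:db8::1", "aa", True), Advert(0.2, "2001:db8::1", "bb", True)]
    + [Advert(0.1 * i, "2001:db8::2", "cc", True) for i in range(4)]
    + [Advert(0.1 * i, "2001:db8::3", "dd", False) for i in range(4)]
    + [Advert(5.0, "2001:db8::3", "ee", True)]
)

if __name__ == "__main__":
    print(suspicious_ips(SAMPLE))
```

With the defaults, `2001:db8::1` is flagged for a conflicting address inside the window and `2001:db8::2` for exceeding the noise threshold with identical information, while `2001:db8::3` is not flagged because its repeats have the override flag cleared and its conflicting advertisement arrives after the window.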