icmp - Linux IPv4 ICMP kernel module.
This kernel protocol module implements the Internet Control Message Protocol
defined in RFC 792. It is used to signal error conditions and for
diagnosis. The user doesn't interact directly with this module; instead it
communicates with the other protocols in the kernel and these pass the ICMP
errors to the application layers. The kernel ICMP module also answers ICMP
A user protocol may receive ICMP packets for all local sockets by opening a raw
socket with the protocol IPPROTO_ICMP
. See raw
(7) for more
information. The types of ICMP packets passed to the socket can be filtered
using the ICMP_FILTER
socket option. ICMP packets are always processed
by the kernel too, even when passed to a user socket.
Linux limits the rate of ICMP error packets to each destination.
are also limited by the
destination route of the incoming packets.
ICMP supports a set of /proc
interfaces to configure some global IP
parameters. The parameters can be accessed by reading or writing files in the
. Most of these parameters are rate
limitations for specific ICMP types. Linux 2.2 uses a token bucket filter to
limit ICMPs. The value is the timeout in jiffies until the token bucket filter
is cleared after a burst. A jiffy is a system dependent unit, usually 10ms on
i386 and about 1ms on alpha and ia64.
- icmp_destunreach_rate (Linux 2.2 to 2.4.9)
- Maximum rate to send ICMP Destination Unreachable packets. This limits the
rate at which packets are sent to any individual route or destination. The
limit does not affect sending of ICMP_FRAG_NEEDED packets needed
for path MTU discovery.
- icmp_echo_ignore_all (since Linux 2.2)
- If this value is nonzero, Linux will ignore all ICMP_ECHO
- icmp_echo_ignore_broadcasts (since Linux 2.2)
- If this value is nonzero, Linux will ignore all ICMP_ECHO packets
sent to broadcast addresses.
- icmp_echoreply_rate (Linux 2.2 to 2.4.9)
- Maximum rate for sending ICMP_ECHOREPLY packets in response to
- icmp_errors_use_inbound_ifaddr (Boolean; default: disabled; since
- If disabled, ICMP error messages are sent with the primary address of the
- If enabled, the message will be sent with the primary address of the
interface that received the packet that caused the ICMP error. This is the
behavior that many network administrators will expect from a router. And
it can make debugging complicated network layouts much easier.
- Note that if no primary address exists for the interface selected, then
the primary address of the first non-loopback interface that has one will
be used regardless of this setting.
- icmp_ignore_bogus_error_responses (Boolean; default: disabled;
since Linux 2.2)
- Some routers violate RFC1122 by sending bogus responses to broadcast
frames. Such violations are normally logged via a kernel warning. If this
parameter is enabled, the kernel will not give such warnings, which will
avoid log file clutter.
- icmp_paramprob_rate (Linux 2.2 to 2.4.9)
- Maximum rate for sending ICMP_PARAMETERPROB packets. These packets
are sent when a packet arrives with an invalid IP header.
- icmp_ratelimit (integer; default: 1000; since Linux 2.4.10)
- Limit the maximum rates for sending ICMP packets whose type matches
icmp_ratemask (see below) to specific targets. 0 to disable any
limiting, otherwise the minimum space between responses in
- icmp_ratemask (integer; default: see below; since Linux
- Mask made of ICMP types for which rates are being limited.
- Significant bits: IHGFEDCBA9876543210
Default mask: 0000001100000011000 (0x1818)
- Bit definitions (see the Linux kernel source file
|0 Echo Reply
|3 Destination Unreachable *
|4 Source Quench *
|8 Echo Request
|B Time Exceeded *
|C Parameter Problem *
|D Timestamp Request
|E Timestamp Reply
|F Info Request
|G Info Reply
|H Address Mask Request
|I Address Mask Reply
The bits marked with an asterisk are rate limited by default (see the default
- icmp_timeexceed_rate (Linux 2.2 to 2.4.9)
- Maximum rate for sending ICMP_TIME_EXCEEDED packets. These packets
are sent to prevent loops when a packet has crossed too many hops.
- ping_group_range (two integers; default: see below; since Linux
- Range of the group IDs (minimum and maximum group IDs, inclusive) that are
allowed to create ICMP Echo sockets. The default is "1 0", which
means no group is allowed to create ICMP Echo sockets.
Support for the ICMP_ADDRESS
request was removed in 2.2.
Support for ICMP_SOURCE_QUENCH
was removed in Linux 2.2.
As many other implementations don't support IPPROTO_ICMP
this feature should not be relied on in portable programs.
packets are not sent when Linux is not acting as a router.
They are also accepted only from the old gateway defined in the routing table
and the redirect routes are expired after some time.
The 64-bit timestamp returned by ICMP_TIMESTAMP
is in milliseconds since
the Epoch, 1970-01-01 00:00:00 +0000 (UTC).
Linux ICMP internally uses a raw socket to send ICMPs. This raw socket may
appear in netstat
(8) output with a zero inode.
RFC 792 for a description of the ICMP protocol.