/proc/sys目錄下存放着大多數內核參數,而且能夠在系統運行時進行更改,不過重新啓動機器後就會失效。/etc/sysctl.conf是一個允許改變正在運行中的Linux系統的接口,它包含一些TCP/IP堆棧和虛擬內存系統的高級選項,在其中修改內核參數可永久生效。也就是說/proc/sys下的內核文件與配置文件sysctl.conf中的變量存在着對應關係。
設置或從新設置聯網功能: 如IP轉發、IP碎片去除以及源路由檢查、TCP/IP堆棧和虛擬內存緩存
sysctl [-n] [-e] -w variable=value
sysctl [-n] [-e] -p <filename> (default /etc/sysctl.conf)
sysctl [-n] [-e] -a
常用參數的意義:
-w 臨時改變某個指定參數的值,如 sysctl -w net.ipv4.ip_forward=1
-a 顯示全部的系統參數
-p 從指定的文件加載系統參數,如不指定即從/etc/sysctl.conf中加載
如果只是想臨時改變某個系統參數的值,可以用兩種方法來實現,例如想啓用IP路由轉發功能:
1) #echo 1 > /proc/sys/net/ipv4/ip_forward
2) #sysctl -w net.ipv4.ip_forward=1
以上兩種方法均可立即開啓路由功能,但如果系統重啓,或執行了
# service network restart
命令,所設置的值即會丟失;如果想永久保留配置,可以修改/etc/sysctl.conf文件,將 net.ipv4.ip_forward=0 改成 net.ipv4.ip_forward=1。
/etc/sysctl.conf 內核參數說明:
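# /etc/sysctl.conf -- read by "sysctl -p" / "sysctl --system".
# Only full-line "#" comments are supported here: text after a value is
# passed to the kernel as part of the value, so no trailing comments.
# Each key appears exactly once; the file is applied top to bottom, so a
# repeated key would silently make the earlier value dead.

# IP forwarding. 0 = this host does not route between interfaces.
# Set to 1 only on a host that is meant to forward packets.
net.ipv4.ip_forward = 0

# Do not accept source-routed packets (existing and newly created interfaces)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Disable netfilter on bridges.
# These keys only exist while the br_netfilter module is loaded; with the
# module absent, "sysctl -p" reports them as missing. Kept disabled.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue, in bytes
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum total amount of shared memory, in pages
kernel.shmall = 4294967296

# Swap preference. 0 = avoid swapping as long as possible; on kernels
# 3.5 and later this means "swap only to avoid OOM", use 1 for "rarely".
vm.swappiness = 0

# Seconds before a stale neighbour (ARP) cache entry is re-validated
net.ipv4.neigh.default.gc_stale_time = 120

# Reverse path filtering, strict mode (1): drop packets whose source
# address would not be routed back via the receiving interface.
# Use 2 (loose) instead if this host sees asymmetric routing.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# arp_announce = 2: use the best local address for the target as the
# ARP source address, never an address from another subnet
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2

# Maximum number of TIME-WAIT sockets held at once. Above this limit the
# kernel destroys TIME-WAIT sockets immediately and logs a warning.
# Default is 180000; 5000 is very low for a busy web server and will
# produce "time wait bucket table overflow" log noise under load.
net.ipv4.tcp_max_tw_buckets = 5000

# Local (ephemeral) port range for outgoing TCP/UDP connections.
# The original file set this key twice (1024 61000, then 1024 65000);
# the later line was the effective one and is kept here once.
net.ipv4.ip_local_port_range = 1024 65000

# SYN cookies: mitigate SYN-flood; only engaged once the SYN backlog is full
net.ipv4.tcp_syncookies = 1
# Maximum length of the SYN (half-open) queue. The kernel default is
# already 1024, so this line keeps the default; raise it on busy hosts
# so that bursts of new connections are queued rather than dropped.
net.ipv4.tcp_max_syn_backlog = 1024
# SYN-ACK retransmissions for passive (server-side) connections.
# The original file set 2 and then 1; the last value was the effective one.
net.ipv4.tcp_synack_retries = 1
# SYN retransmissions for active (client-side) connections.
# 1 gives up after roughly 3 seconds; very aggressive for lossy links.
net.ipv4.tcp_syn_retries = 1

# System-wide limit on open file handles. This is NOT the per-process
# limit (that is the "nofile" ulimit / limits.conf). The kernel default
# is derived from RAM and is usually far above 65535, so this line
# typically lowers the limit rather than raising it.
fs.file-max = 65535
fs.inotify.max_user_instances = 8192

# Seconds an idle connection waits before the first keepalive probe
# (default 7200). A lower value detects dead peers sooner.
net.ipv4.tcp_keepalive_time = 600

# Seconds a socket stays in FIN-WAIT-2 after this side closes it
net.ipv4.tcp_fin_timeout = 30

# Reuse TIME-WAIT sockets for new outgoing connections when it is safe
# from the protocol viewpoint. Only works while TCP timestamps are on.
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle was removed from the kernel in 4.12; on older kernels it
# silently dropped connections from clients behind NAT (same public
# address, non-monotonic timestamps). Kept disabled.
#net.ipv4.tcp_tw_recycle = 1
# TCP timestamps (RFC 7323) are required by tcp_tw_reuse above and by
# PAWS. The original file set this to 0, which made tcp_tw_reuse a no-op.
net.ipv4.tcp_timestamps = 1

# Route cache garbage-collection timeout, seconds
net.ipv4.route.gc_timeout = 100
# Upper bound on the listen() backlog any socket may ask for
net.core.somaxconn = 65535
# Maximum packets queued on the input side when the NIC receives faster
# than the kernel can process them
net.core.netdev_max_backlog = 262144
# Maximum TCP sockets not attached to any process (orphans)
net.ipv4.tcp_max_orphans = 262144

# Connection-tracking table size and established timeout. These keys
# only exist once nf_conntrack is loaded; enable them together with it.
#net.netfilter.nf_conntrack_max = 1048576
#net.netfilter.nf_conntrack_tcp_timeout_established = 1200

######Edited by wangzizhe#########################
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed, source routed, and redirect packets ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router (net.ipv4.ip_forward is 0 at the top of this file)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on Exec-Shield. This key exists only on older Red Hat kernels
# (RHEL 5/6); elsewhere "sysctl -p" reports it as missing (use -e to ignore).
kernel.exec-shield = 1
# ASLR: 2 = full randomisation (stack, mmap, VDSO and heap/brk).
# The original value 1 left the heap base unrandomised.
kernel.randomize_va_space = 2
# Allow for more PIDs (to reduce rollover problems); may break programs
# that assume the old 32768 maximum
kernel.pid_max = 65536

# TCP receive/send buffer per socket: min, default, max bytes.
# The kernel autotunes within these bounds; set max to at least 4 MB,
# higher on very high bandwidth-delay-product paths.
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Largest socket receive/send buffer a process may request via setsockopt
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
# Default socket receive/send buffer size
net.core.rmem_default = 262144
net.core.wmem_default = 262144
# TCP window scaling (needed for receive windows above 64 KiB)
net.ipv4.tcp_window_scaling = 1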