sysctl

/proc/sys目錄下存放着大多數內核參數，而且能夠在系統運行時進行更改，不太重新啓動機器就會失效。/etc/sysctl.conf是一個容許改變正在運行中的Linux系統的接口，它包含一些TCP/IP堆棧和虛擬內存系統的高級選項，修改內核參數永久生效。也就是說/proc/sys下內核文件與配置文件sysctl.conf中變量存在着對應關係。

設置或從新設置聯網功能: 如IP轉發、IP碎片去除以及源路由檢查、TCP/IP堆棧和虛擬內存

 sysctl [-n] [-e] -w variable=value

 sysctl [-n] [-e] -p <filename> (default /etc/sysctl.conf)

sysctl [-n] [-e] -a

    經常使用參數的意義：

    -w   臨時改變某個指定參數的值，如 sysctl -w net.ipv4.ip_forward=1

    -a   顯示全部的系統參數

    -p   從指定的文件加載系統參數，如不指定即從/etc/sysctl.conf中加載

    若是僅僅是想臨時改變某個系統參數的值，能夠用兩種方法來實現,例如想啓用IP路由轉發功能：

    1) #echo 1 > /proc/sys/net/ipv4/ip_forward

    2) #sysctl -w net.ipv4.ip_forward=1

    以上兩種方法均可能當即開啓路由功能，但若是系統重啓，或執行了

    # service network restart

 使用命令，所設置的值即會丟失，若是想永久保留配置，能夠修改/etc/sysctl.conf文件。將 net.ipv4.ip_forward=0改成net.ipv4.ip_forward=1

 

 etc/systcl:內核參數說明：

 

net.ipv4.ip_forward = 0 # 想啓用IP路由轉發功能

# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 0

 

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

 

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 1

  

# Disable netfilter on bridges.

#net.bridge.bridge-nf-call-ip6tables = 0

#net.bridge.bridge-nf-call-iptables = 0

#net.bridge.bridge-nf-call-arptables = 0

 

# Controls the default maxmimum size of a mesage queue

kernel.msgmnb = 65536

 

# Controls the maximum size of a message, in bytes

kernel.msgmax = 65536

 

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 68719476736

 

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 4294967296

 

vm.swappiness = 0

net.ipv4.neigh.default.gc_stale_time=120

net.ipv4.conf.all.rp_filter=1

net.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.arp_announce = 2

net.ipv4.conf.all.arp_announce=2

#容許TIME-WAIT套接字數量的最大值。超過些數字，TIME-WAIT套接字將馬上被清除同時打印警告信息。默認是180000，過多的TIME-WAIT套接字會使webserver變慢 

net.ipv4.tcp_max_tw_buckets = 5000

#UDP和TCP鏈接中本地端口（不包括鏈接的遠端）的取值範圍
net.ipv4.ip_local_port_range = 1024　　61000

#解決TCP的SYN攻擊。與性能無關

net.ipv4.tcp_syncookies = 1

#三次握手創建階段SYN請求隊列的最大長度，默認是1024。設置大一些能夠在繁忙時未來不及處理的請求放入隊列，而不至於丟失客戶端的請求

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_synack_retries = 1

net.ipv4.conf.lo.arp_announce=2

#表示進程（例如一個worker進程）可能同時打開的最大句柄數，直接限制最大併發鏈接數

fs.file-max=65535

#當keepalive啓用時，TCP發送keepalive消息的頻率。默認是2個小時。將其調小一些，能夠更快的清除無用的鏈接.
net.ipv4.tcp_keepalive_time = 600

fs.inotify.max_user_instances = 8192

#當服務器主動關閉連接時，socket保持FN-WAIT-2狀態的最大時間

net.ipv4.tcp_fin_timeout = 30

#1表明容許將狀態爲TIME-WAIT狀態的socket鏈接從新用於新的TCP鏈接。對於服務器來講有意義，由於有大量的TIME-WAIT狀態的鏈接

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.ip_local_port_range = 1024 65000

 

 

net.ipv4.route.gc_timeout = 100

net.ipv4.tcp_syn_retries = 1

net.core.somaxconn = 65535

 

#當網卡接收的數據包的速度大於內核處理的速度時，會有一個隊列保存這些數據包。這個參數就是這個隊列的最大值。

net.core.netdev_max_backlog = 262144

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_max_orphans = 262144

#net.netfilter.nf_conntrack_max = 1048576

#net.netfilter.nf_conntrack_tcp_timeout_established = 1200

 

 

######Edited by wangzizhe#########################

# Avoid a smurf attack

net.ipv4.icmp_echo_ignore_broadcasts = 1

 

# Turn on protection for bad icmp error messages

net.ipv4.icmp_ignore_bogus_error_responses = 1

 

 

# Turn on and log spoofed, source routed, and redirect packets

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.log_martians = 1

 

# No source routed packets here

net.ipv4.conf.all.accept_source_route = 0

#net.ipv4.conf.default.accept_source_route = 0

 

# Turn on reverse path filtering

#net.ipv4.conf.all.rp_filter = 1

#net.ipv4.conf.default.rp_filter = 1

 

# Make sure no one can alter the routing tables

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

 

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

 

# Don’t act as a router

#net.ipv4.ip_forward = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

 

# Turn on execshild

kernel.exec-shield = 1

kernel.randomize_va_space = 1

 

# Optimization for port usefor LBs

# Increase system file descriptor limit

#fs.file-max = 65535

 

# Allow for more PIDs (to reduce rollover problems); may break some programs 32768

kernel.pid_max = 65536

 

# Increase system IP port limits

#net.ipv4.ip_local_port_range = 2000 65000

 

#TCP接收/發送緩存（用於TCP接收滑動窗口）的最小值、默認值、最大值

net.ipv4.tcp_rmem = 4096 87380 8388608

net.ipv4.tcp_wmem = 4096 87380 8388608

 

# Increase Linux auto tuning TCP buffer limits

# min, default, and max number of bytes to use

# set max to at least 4MB, or higher if you use very high BDP paths

 

# Tcp Windows etc

 

#內核套接字接收/發送緩存區的最大值

net.core.rmem_max = 8388608

net.core.wmem_max = 8388608

#內核套接字接收/發送緩存區的默認值
net.core.rmem_default = 262144
net.core.wmem_default = 262144

#net.core.netdev_max_backlog = 5000

net.ipv4.tcp_window_scaling = 1