这篇是纯配置篇,解释都在配置里了,是生产服务器 sysctl.conf 的配置
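### KERNEL ###

# Reboot 10 seconds after a kernel panic instead of hanging.
kernel.panic = 10

### KERNEL HARDENING (added in review) ###
# Widely recommended baseline settings; several are already distro
# defaults. Confirm each against your distribution's own sysctl.d
# fragments before rolling out.

# Full address-space randomization (stack, mmap and brk).
kernel.randomize_va_space = 2

# Hide kernel pointers in /proc (e.g. kallsyms) from unprivileged users.
kernel.kptr_restrict = 1

# Only privileged users may read the kernel log (dmesg).
kernel.dmesg_restrict = 1

# Never write core dumps for setuid programs.
fs.suid_dumpable = 0

# Restrict following symlinks / creating hardlinks in world-writable
# directories (kernel >= 3.6).
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

### IMPROVE SYSTEM MEMORY MANAGEMENT ###

# Raise the system-wide limit on open file handles.
fs.file-max = 2097152

# Minimum free memory (kB) the VM keeps in reserve.
# NOTE(review): the kernel auto-sizes this from RAM; on a server with
# several GB the computed default is usually larger than 8192, so this
# line most likely *lowers* the reserve. Compare with
# `sysctl vm.min_free_kbytes` on a fresh boot before keeping it.
vm.min_free_kbytes = 8192

# Prefer dropping page cache over swapping anonymous memory, and start
# writeback of dirty pages early (values are percent of available memory).
vm.swappiness = 10
vm.dirty_ratio = 10
vm.dirty_background_ratio = 2


### GENERAL NETWORK SECURITY OPTIONS ###

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not log bogus ICMP error responses from broken routers.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# SYN cookies mitigate SYN floods once the SYN backlog below is full.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192

# TCP timestamps (RFC 7323). Kept on: tcp_tw_reuse below requires them,
# and they provide PAWS and better RTT estimation.
# NOTE(review): kernels before roughly 4.10 expose host uptime through the
# timestamp value; newer kernels randomize the offset per destination.
net.ipv4.tcp_timestamps = 1

# Log packets with impossible (spoofed / source-routed) source addresses.
# The kernel rate-limits these messages, but expect log noise during a
# spoofing flood.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Refuse source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Strict reverse-path filtering: drop packets whose source address is not
# reachable through the interface they arrived on.
# NOTE(review): strict mode (1) breaks asymmetric / multi-homed routing;
# use 2 (loose) on such hosts.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects so a peer on the LAN cannot rewrite our routes.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Same for IPv6: harmless while IPv6 is disabled below, and keeps the host
# protected if IPv6 is ever re-enabled.
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# This host is not a router: no forwarding, no sending of redirects.
# NOTE(review): Docker and Kubernetes nodes need ip_forward = 1; the
# runtime sets it, but a later `sysctl -p` of this file turns it off again.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# SYN-ACK retransmissions for passive (incoming) connections. With 2, a
# half-open connection is dropped after about 7 s instead of the default
# ~63 s, limiting what a SYN flood can hold open.
net.ipv4.tcp_synack_retries = 2

# Ephemeral (outgoing) port range.
# NOTE(review): starting at 1024 overlaps the ports many services listen on
# (3306, 6379, 8080, ...); an outgoing connection can grab such a port
# before the service starts. Reserve them with
# net.ipv4.ip_local_reserved_ports or raise the lower bound (e.g. 10000).
net.ipv4.ip_local_port_range = 1024 65000

# RFC 1337: ignore RST segments for sockets in TIME_WAIT
# (TIME-WAIT assassination protection).
net.ipv4.tcp_rfc1337 = 1

# Seconds an orphaned socket stays in FIN_WAIT_2 before the kernel aborts it.
net.ipv4.tcp_fin_timeout = 15

# Keepalive: first probe after 300 s of idle, then one every 15 s; after
# 5 unanswered probes (75 s) the connection is marked broken.
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

### TUNING NETWORK PERFORMANCE ###

# Disable IPv6 on all current and future interfaces, including loopback.
# NOTE(review): this is policy, not tuning. Services binding to :: and
# container / K8S networking may need IPv6. If the ipv6 module is
# blacklisted instead, these keys do not exist and sysctl reports an
# error for them.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Socket receive/send buffers (bytes) for sockets the kernel does not
# autotune, e.g. UDP.
# FIX: the original set *_default (30 MiB) above *_max (12 MiB), and *_max
# was also below the last tcp_rmem/tcp_wmem value (16 MiB), so an
# application calling setsockopt(SO_RCVBUF/SO_SNDBUF) could never reach
# the TCP ceiling. Both maxima are raised to 30 MiB so default <= max.
net.core.rmem_default = 31457280
net.core.rmem_max = 31457280
net.core.wmem_default = 31457280
net.core.wmem_max = 31457280

# Ceiling for listen() backlogs, and the per-CPU queue for packets received
# faster than the kernel drains them.
net.core.somaxconn = 5000
net.core.netdev_max_backlog = 65536

# TCP window scaling (required for windows larger than 64 KiB).
net.ipv4.tcp_window_scaling = 1

# Maximum ancillary (option) buffer per socket, in bytes.
net.core.optmem_max = 25165824

# Global TCP/UDP memory limits: min / pressure / max, in pages
# (4 KiB on x86; 262144 pages = 1 GiB).
# NOTE(review): the kernel computes these from RAM at boot; on a
# large-memory host these values may be *lower* than the automatic ones.
# Compare with the boot-time values before applying.
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Per-socket TCP receive/send buffers: min / default / max (bytes); the
# kernel autotunes between min and max.
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384

# Maximum TIME_WAIT sockets; above this they are destroyed immediately
# (with a "time wait bucket table overflow" warning). A high cap avoids
# that during connection bursts; it is a resource limit, not a DoS defense.
net.ipv4.tcp_max_tw_buckets = 1800000

# Reuse TIME_WAIT sockets for *outgoing* connections when the timestamp
# allows it (requires tcp_timestamps = 1 above).
# Do NOT add net.ipv4.tcp_tw_recycle = 1: it drops connections from hosts
# behind NAT (including K8S pods) and was removed from the kernel in 4.12.
net.ipv4.tcp_tw_reuse = 1

# Path-MTU probing; enable when jumbo frames or ICMP-blackholed paths are
# in play.
#net.ipv4.tcp_mtu_probing = 1

# Keep the congestion window after an idle period instead of slow-starting
# again, and enable early retransmit (RFC 5827).
# NOTE(review): tcp_early_retrans was removed from recent kernels
# (superseded by RACK); sysctl prints an "unknown key" error for it there
# and continues. Drop the line once every host runs such a kernel.
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_early_retrans = 1

# Connection tracking. These keys only exist once nf_conntrack is loaded;
# applied earlier, sysctl reports an error for them. Set them from a
# sysctl.d fragment ordered after the module loads (or via modprobe.d).
# 288 bytes x 131072 entries ~= 38 MB maximum table memory.
#net.netfilter.nf_conntrack_max = 131072
#net.netfilter.nf_conntrack_tcp_loose = 1

# Disable TCP Explicit Congestion Notification.
net.ipv4.tcp_ecn = 0

# Route garbage-collection timeout (seconds): how long after a route fails
# before switching to another; kernel default 300.
# NOTE(review): the IPv4 route cache was removed in 3.6; the key still
# exists but has little effect on modern kernels.
net.ipv4.route.gc_timeout = 100

# Maximum TCP sockets not attached to any user file handle (orphans);
# beyond this they are reset immediately. Per the kernel docs each orphan
# can pin up to ~64 KB of unswappable memory, so 655360 permits ~40 GB:
# raising it *relaxes* the DoS cap so legitimate bursts are not reset.
# Size it to the host's RAM rather than copying this value.
net.ipv4.tcp_max_orphans = 655360

# 10GbE tuning from the Intel ixgb driver README -- enable only if the NIC
# supports it. The README turns off SACK *and* timestamps; the original
# file wrote "tcp_timestamps = 1" here, contradicting that comment. Note
# that turning timestamps off also disables tcp_tw_reuse above.
#net.ipv4.tcp_sack = 0
#net.ipv4.tcp_timestamps = 0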
** 注意,net.ipv4.tcp_tw_recycle 不要打开:它在 NAT 环境中会丢弃来自同一公网地址的连接,在 K8S 中也会因 NAT 导致 pod 出错;而且从 Linux 4.12 起该参数已被内核移除,切记!!!**