This article introduces the common parameters in the sysctl.conf file on Linux. Each parameter is explained below, and we hope it helps you.
I recently found that I could not remember many of the kernel optimization parameters, so I wrote this article to record them for later reference.
Edit the /etc/sysctl.conf file and add the following content to it (with comments):
# Maximum buffer space for sending TCP data
net.inet.tcp.sendspace = 65536
# Maximum buffer space for receiving TCP data
net.inet.tcp.recvspace = 65536
# Maximum UDP receive buffer size
net.inet.udp.sendspace = 65535
# Maximum buffer size for sending UDP datagrams
net.inet.udp.maxdgram = 65535
# Send buffer space for local (Unix domain) stream sockets
net.local.stream.sendspace = 65535
# TCP extensions (RFC 1323, 1644, 3042, 3390) that improve network performance
net.inet.tcp.rfc1323 = 1
net.inet.tcp.rfc1644 = 1
net.inet.tcp.rfc3042 = 1
net.inet.tcp.rfc3390 = 1
# Maximum socket buffer size
kern.ipc.maxsockbuf = 2097152
# Maximum number of open files allowed system-wide
kern.maxfiles = 65536
# Maximum number of files each process may have open at the same time
kern.maxfilesperproc = 32768
# When a host receives a TCP segment it replies with an ACK. This option controls whether the ACK is delayed
# so that it can be sent together with a data segment. On a fast, lightly loaded network this slightly improves
# performance, but on a poor connection the peer, seeing no reply, keeps retransmitting, which lowers performance.
net.inet.tcp.delayed_ack = 0
# Block ICMP redirects
net.inet.icmp.drop_redirect = 1
net.inet.icmp.log_redirect = 1
net.inet.ip.redirect = 0
net.inet6.ip6.redirect = 0
# Prevent ICMP broadcast storms
net.inet.icmp.bmcastecho = 0
net.inet.icmp.maskrepl = 0
# Limit the rate at which the system sends ICMP messages
net.inet.icmp.icmplim = 100
net.inet.icmp.icmplim_output = 0
# Security parameter; requires the kernel to be built with "options TCP_DROP_SYNFIN"
net.inet.tcp.drop_synfin = 1
# Setting this to 1 helps the system clear TCP connections that were not closed normally. It uses a little more
# network bandwidth, but dead connections can be identified and cleared. Dead TCP connections are a particular
# problem on systems accessed by dial-up users, who often disconnect the modem without properly closing active connections.
net.inet.tcp.always_keepalive = 1
# If net.inet.ip.intr_queue_drops keeps increasing, raise net.inet.ip.intr_queue_maxlen; ideally the drop counter stays at 0.
net.inet.ip.intr_queue_maxlen = 1000
# Mitigate DoS attacks. The default value is 30000.
net.inet.tcp.msl = 7500
# Drop all packets that arrive at a closed port without replying. If set to 1, only TCP packets are affected.
net.inet.tcp.blackhole = 2
# Silently drop all UDP packets sent to a closed port
net.inet.udp.blackhole = 1
# Provide buffering for network data connections
net.inet.tcp.inflight.enable = 1
# If enabled, the route for each destination address is cached in the routing table and ARP table once a packet
# has been forwarded successfully, saving route computation time but requiring a large amount of kernel memory
# for the routing table
net.inet.ip.fastforwarding = 0
# Requires the kernel to be built with "options POLLING". Intended for high-load scenarios; SMP and polling are not recommended together.
# kern.polling.enable = 1
# Number of concurrent connections. The default value is 128. The recommended value is between and. The larger the number, the more memory is used.
kern.ipc.somaxconn = 32768
# Prevent users from seeing other users' processes
security.bsd.see_other_uids = 0
# Set the kernel security level
kern.securelevel = 0
# Log TCP connection attempts
net.inet.tcp.log_in_vain = 1
# Log UDP connection attempts
net.inet.udp.log_in_vain = 1
# Protect against malformed UDP packet attacks
net.inet.udp.checksum = 1
# Mitigate DoS attacks
net.inet.tcp.syncookies = 1
# Back shared memory with physical memory; requires more than 256 MB of RAM
kern.ipc.shm_use_phys = 1
# Maximum size of a shared memory segment
kern.ipc.shmmax = 67108864
# Maximum total shared memory (in pages)
kern.ipc.shmall = 32768
# Do not write a core dump when a program crashes
kern.coredump = 0
# Receive and send buffer space for local (Unix domain) sockets
net.local.stream.recvspace = 65536
net.local.dgram.maxdgram = 16384
net.local.dgram.recvspace = 65536
# Default TCP maximum segment size (MSS). Use 1452 for ADSL.
net.inet.tcp.mssdflt = 1460
# Provide buffering for network data connections
net.inet.tcp.inflight_enable = 1
# Minimum TCP segment size. Use 1452 for ADSL.
net.inet.tcp.minmss = 1460
# Maximum raw-socket datagram size
net.inet.raw.maxdgram = 65536
# Raw-socket receive buffer space
net.inet.raw.recvspace = 65536
# Number of dynamic rules in the ipfw firewall. The default is 4096. Raising it helps when a virus sends a large number
# of TCP connections, which would otherwise prevent normal connections from being established.
net.inet.ip.fw.dyn_max = 65535
# Idle timeout for TCP connections tracked by the ipf firewall. The default value is 8640000 (120 hours).
net.inet.ipf.fr_tcpidletimeout = 864000
/proc/sys/net/core/wmem_max
Maximum socket write (send) buffer. Reference value for tuning: 873200
/proc/sys/net/core/rmem_max
Maximum socket read (receive) buffer. Reference value for tuning: 873200
/proc/sys/net/ipv4/tcp_wmem
TCP write buffer. Reference values for tuning: 8192 436600 873200
/proc/sys/net/ipv4/tcp_rmem
TCP read buffer. Reference values for tuning: 32768 436600 873200
/proc/sys/net/ipv4/tcp_mem
This also holds three values, meaning:
net.ipv4.tcp_mem[0]: below this value, TCP is under no memory pressure.
net.ipv4.tcp_mem[1]: above this value, TCP enters the memory-pressure stage.
net.ipv4.tcp_mem[2]: above this value, TCP refuses to allocate sockets.
The unit of the values above is pages, not bytes. The recommended values are 786432 1048576 1572864.
/proc/sys/net/core/netdev_max_backlog
Maximum length of the input packet queue per device. The default value is 300, which is too low for heavily loaded servers; it can be raised to 1000.
/proc/sys/net/core/somaxconn
The default backlog parameter for listen(): the maximum number of pending connection requests. The default value is 128. Raising it on busy servers helps network performance; it can be set to 256.
/proc/sys/net/core/optmem_max
Maximum initial size of the socket option buffer. The default value is 10 K.
/proc/sys/net/ipv4/tcp_max_syn_backlog
Maximum length of the queue for incoming SYN packets. The default value is 1024. Raising it is beneficial on heavily loaded servers; it can be set to 2048.
/proc/sys/net/ipv4/tcp_retries2
Number of TCP retransmissions before giving up. The default value is 15, meaning the request is abandoned only after 15 retransmissions. It can be lowered to 5 to release kernel resources sooner.
/proc/sys/net/ipv4/tcp_keepalive_time
/proc/sys/net/ipv4/tcp_keepalive_intvl
/proc/sys/net/ipv4/tcp_keepalive_probes
These three parameters control TCP keepalive. The defaults are:
tcp_keepalive_time = 7200 seconds (2 hours)
tcp_keepalive_probes = 9
tcp_keepalive_intvl = 75 seconds
This means that once a TCP connection has been idle for two hours, the kernel starts sending probes; if 9 probes in a row fail (75 seconds apart), the kernel gives up and considers the connection dead. These values are clearly too large for a server and can be adjusted to:
/proc/sys/net/ipv4/tcp_keepalive_time 1800
/proc/sys/net/ipv4/tcp_keepalive_intvl 30
/proc/sys/net/ipv4/tcp_keepalive_probes 3
/proc/sys/net/ipv4/ip_local_port_range
Specifies the local port range. The default value is 32768, which is large enough.
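Two calculations the text above leaves implicit, as an added example that is not code from the original article: converting the tcp_mem thresholds from pages to bytes, and working out how long an unresponsive peer is kept alive under the default keepalive values versus the tuned ones. SAMPLE_TCP_MEM is a constructed string in the format /proc/sys/net/ipv4/tcp_mem uses; the 4096-byte page size is an assumption (pass the real value from os.sysconf("SC_PAGE_SIZE") on other platforms); read_keepalive is a hypothetical helper that returns None wherever /proc is not readable.

```python
"""Derived quantities for the tcp_mem and keepalive sysctls (added example)."""
from __future__ import annotations

import os

# Constructed sample: the article's recommended tcp_mem triple, written the way
# the kernel prints it in /proc/sys/net/ipv4/tcp_mem (whitespace-separated, in pages).
SAMPLE_TCP_MEM = "786432\t1048576\t1572864\n"


def parse_tcp_mem(text: str) -> tuple[int, int, int]:
    """Parse the three tcp_mem thresholds (in pages) and check their ordering.

    The kernel treats them as low / pressure / high watermarks, so a triple that
    is not non-decreasing is a configuration error, not a valid tuning.
    """
    fields = text.split()
    if len(fields) != 3:
        raise ValueError(f"tcp_mem needs exactly three fields, got {fields!r}")
    low, pressure, high = (int(f) for f in fields)
    if not low <= pressure <= high:
        raise ValueError(f"tcp_mem thresholds must be non-decreasing: {fields!r}")
    return low, pressure, high


def tcp_mem_bytes(text: str, page_size: int = 4096) -> dict[str, int]:
    """Convert the page-denominated thresholds to bytes.

    page_size defaults to 4096 (assumption: x86-64 style 4 KiB pages); pass
    os.sysconf("SC_PAGE_SIZE") to use the running system's real value.
    """
    low, pressure, high = parse_tcp_mem(text)
    return {
        "no_pressure_below": low * page_size,
        "pressure_above": pressure * page_size,
        "reject_above": high * page_size,
    }


def keepalive_dead_after(time_s: int, intvl_s: int, probes: int) -> int:
    """Seconds from the last data exchange until a silent peer is declared dead.

    The connection idles for tcp_keepalive_time, then the kernel sends
    tcp_keepalive_probes probes spaced tcp_keepalive_intvl apart; after the
    last unanswered probe interval it resets the connection.
    """
    if min(time_s, intvl_s, probes) <= 0:
        raise ValueError("keepalive parameters must be positive")
    return time_s + probes * intvl_s


def read_keepalive(base: str = "/proc/sys/net/ipv4") -> dict[str, int] | None:
    """Hypothetical helper: read the live keepalive values, or None when /proc
    is not readable (containers, non-Linux hosts)."""
    names = ("tcp_keepalive_time", "tcp_keepalive_intvl", "tcp_keepalive_probes")
    try:
        values = {}
        for name in names:
            with open(os.path.join(base, name)) as handle:
                values[name] = int(handle.read())
        return values
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("tcp_mem in bytes:", tcp_mem_bytes(SAMPLE_TCP_MEM))
    print("dead peer after (defaults):", keepalive_dead_after(7200, 75, 9), "s")
    print("dead peer after (tuned):   ", keepalive_dead_after(1800, 30, 3), "s")
    live = read_keepalive()
    if live:
        print("dead peer after (this host):",
              keepalive_dead_after(live["tcp_keepalive_time"],
                                   live["tcp_keepalive_intvl"],
                                   live["tcp_keepalive_probes"]), "s")
```

With the article's defaults a silent peer is only declared dead after 7875 seconds, and after 1890 seconds with the tuned values; the recommended tcp_mem triple corresponds to 3 GiB, 4 GiB and 6 GiB with 4 KiB pages, which is worth knowing before copying it onto a small host.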
net.ipv4.tcp_syncookies = 1
Enables SYN cookies: when the SYN wait queue overflows, cookies are used to defend against small-scale SYN flood attacks. The default value is 0, meaning disabled.
net.ipv4.tcp_tw_reuse = 1
Enables reuse: allows TIME-WAIT sockets to be reused for new TCP connections. The default value is 0, meaning disabled.
net.ipv4.tcp_tw_recycle = 1
Enables fast recycling of TIME-WAIT sockets. The default value is 0, meaning disabled.
net.ipv4.tcp_fin_timeout = 30
If the socket is closed by the local end, this parameter determines how long it remains in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200
How often TCP sends keepalive messages when keepalive is enabled. The default is 2 hours; here it is changed to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000
The port range used for outbound connections. The default range is small, 32768 to 61000; here it is changed to 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192
Length of the SYN queue. The default value is 1024; raising it to 8192 accommodates more connections waiting to be established.
net.ipv4.tcp_max_tw_buckets = 5000
Maximum number of TIME_WAIT sockets the system keeps at the same time. If this number is exceeded, TIME_WAIT sockets are cleared immediately and a warning is printed. The default value is 180000; here it is changed to 5000. For servers such as Apache and Nginx the parameters in the preceding lines already greatly reduce the number of TIME_WAIT sockets, but they have little effect on Squid. This parameter caps the number of TIME_WAIT sockets and prevents a Squid server from being dragged down by a large number of them.
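A small audit script for the settings discussed on this page, both the FreeBSD-style sysctl.conf fragment at the top (net.inet.*) and the Linux settings just above (net.ipv4.*), as an added example that is not code from the original article. It parses a sysctl.conf fragment the way sysctl -p reads it (comments skipped, last duplicate wins), maps dotted Linux keys to their /proc/sys paths, and reports keys whose value differs from the security-relevant values the article recommends. SAMPLE_CONF is a constructed input; the EXPECTATIONS and FLAGGED tables are my own selection from the page, and live_value is a hypothetical helper that returns None where /proc is not readable. One caveat the script encodes that the article does not mention: net.ipv4.tcp_tw_recycle breaks connections from clients behind NAT and was removed from Linux in kernel 4.12, so it is flagged whenever it is set to a non-zero value.

```python
"""Audit a sysctl.conf fragment against the hardening-relevant values on this
page (added example). Handles both net.inet.* (FreeBSD) and net.ipv4.* keys."""
from __future__ import annotations

import re

# Constructed sample in the article's two notations, including a spacing
# variant, a duplicate-free Linux block and one malformed line.
SAMPLE_CONF = """
# Mitigate DoS attacks
net.inet.tcp.syncookies = 1
net.inet.icmp.drop_redirect = 1
net.inet.tcp.blackhole=2

net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
this line is malformed
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Security-relevant values the article recommends: key -> (expected, reason).
EXPECTATIONS = {
    "net.inet.tcp.syncookies": ("1", "SYN cookies mitigate SYN floods"),
    "net.inet.icmp.drop_redirect": ("1", "ignore ICMP redirects"),
    "net.inet.ip.redirect": ("0", "do not emit ICMP redirects"),
    "net.inet.tcp.blackhole": ("2", "drop segments to closed ports silently"),
    "net.ipv4.tcp_syncookies": ("1", "SYN cookies mitigate SYN floods"),
}

# Keys the article sets that deserve a warning whenever they are enabled.
FLAGGED = {
    "net.ipv4.tcp_tw_recycle": "breaks clients behind NAT; removed in Linux 4.12",
}


def parse_sysctl_conf(text: str) -> tuple[dict[str, str], list[str]]:
    """Return ({key: value}, [rejected lines]). Blank and comment lines are
    skipped; a key repeated later overrides the earlier value, as sysctl -p
    applies lines in order."""
    settings: dict[str, str] = {}
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = LINE_RE.match(line)
        if not match:
            rejected.append(line)
            continue
        settings[match.group(1)] = match.group(2)
    return settings, rejected


def proc_path(key: str) -> str:
    """Map a dotted Linux key to its /proc/sys path (the page lists both forms).
    Limitation: interface names containing dots (VLAN devices) are not handled."""
    return "/proc/sys/" + key.replace(".", "/")


def audit(settings: dict[str, str]) -> list[str]:
    """Compare parsed settings with EXPECTATIONS/FLAGGED and validate the port range."""
    findings: list[str] = []
    for key, (want, why) in EXPECTATIONS.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"MISSING {key}: expected {want} ({why})")
        elif got != want:
            findings.append(f"MISMATCH {key}: got {got}, expected {want} ({why})")
    for key, note in FLAGGED.items():
        if settings.get(key, "0") != "0":
            findings.append(f"WARN {key}={settings[key]}: {note}")
    port_range = settings.get("net.ipv4.ip_local_port_range")
    if port_range is not None:
        # Two integers; the article's 1024 65000 keeps clear of privileged ports.
        low, high = (int(x) for x in port_range.split())
        if not 1024 <= low < high <= 65535:
            findings.append(f"BAD net.ipv4.ip_local_port_range={port_range}")
    return findings


def live_value(key: str) -> str | None:
    """Hypothetical helper: the running kernel's value via /proc, or None when
    the file is not readable (containers, non-Linux hosts)."""
    try:
        with open(proc_path(key)) as handle:
            return " ".join(handle.read().split())
    except OSError:
        return None


if __name__ == "__main__":
    parsed, bad = parse_sysctl_conf(SAMPLE_CONF)
    for line in bad:
        print("rejected:", line)
    for finding in audit(parsed):
        print(finding)
    for key in EXPECTATIONS:
        if key.startswith("net.ipv4."):
            print(key, "live:", live_value(key))
```

Run against the sample it rejects the malformed line, reports the Linux syncookies mismatch, the BSD keys the fragment does not set, and the tcp_tw_recycle warning; pointing parse_sysctl_conf at a real /etc/sysctl.conf and comparing with live_value shows whether sysctl -p was ever applied.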