Optimized tuning of TCP/IP and kernel parameters

Source: Internet
Author: User
Tags: rfc

There are many ways to tune TCP/IP and kernel parameters under Linux. Adjusting these parameters can greatly improve system performance, and they can also be tuned for specific scenarios, such as large numbers of TIME_WAIT sockets or DDoS attacks.
The following settings go in /etc/sysctl.conf and are applied with `sysctl -p`.
The parameters are for reference only; the actual values need finer adjustment based on machine performance, the application scenario and other practical conditions.

net.core.netdev_max_backlog = 400000
# Maximum number of packets allowed to queue when a network interface receives packets faster than the kernel can process them.

net.core.optmem_max = 10000000
# Maximum ancillary (option) buffer size allowed per socket.

net.core.rmem_default = 10000000
# Default size of the receive socket buffer (in bytes).

net.core.rmem_max = 10000000
# Maximum size of the receive socket buffer (in bytes).

net.core.somaxconn = 100000
# Upper limit of the backlog (accept queue) for listening sockets.

net.core.wmem_default = 11059200
# Default send window size; should be larger for a larger BDP (bandwidth-delay product).

net.core.wmem_max = 11059200
# Maximum send window size; should be larger for a larger BDP.

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Reverse-path filtering: 1 = strict mode (recommended), 2 = loose mode, 0 = disabled.

net.ipv4.tcp_congestion_control = bic
# The default recommended setting is htcp.

net.ipv4.tcp_window_scaling = 0
# 0 disables window scaling (as defined in RFC 1323).
# Window scaling must be enabled (1) to support windows larger than 64 KB.

net.ipv4.tcp_ecn = 0
# Turn TCP Explicit Congestion Notification (ECN) off.

net.ipv4.tcp_sack = 1
# Enable tcp_sack (selective acknowledgment).
# Improves performance by selectively acknowledging out-of-order segments, so the sender only retransmits the missing segments.
# Should be enabled for WAN communication, but it increases CPU usage.

net.ipv4.tcp_max_tw_buckets = 10000
# Maximum number of TIME_WAIT sockets the system keeps at the same time.

net.ipv4.tcp_max_syn_backlog = 8192
# Length of the SYN queue; the default of 1024 is raised to 8192 to hold more connections waiting to complete the handshake.

net.ipv4.tcp_syncookies = 1
# Enable SYN cookies. When the SYN wait queue overflows, cookies are used to defend against a small number of SYN flood attacks. Default is 0 (disabled).

net.ipv4.tcp_timestamps = 1
# Enable TCP timestamps.
# Allows RTT to be calculated more precisely than from retransmission timeouts (see RFC 1323); should be enabled for better performance.

net.ipv4.tcp_tw_reuse = 1
# Enable reuse: allows TIME_WAIT sockets to be reused for new outgoing TCP connections. Default is 0 (disabled).

net.ipv4.tcp_tw_recycle = 1
# Enable fast recycling of TIME_WAIT sockets. Default is 0 (disabled).
# Caveat: this key was removed in Linux 4.12; on older kernels it drops connections from clients behind NAT when timestamps are enabled.

net.ipv4.tcp_fin_timeout = 10
# If the socket is closed by the local end, this determines how long it stays in the FIN-WAIT-2 state.

net.ipv4.tcp_keepalive_time = 1800
# When keepalive is enabled, how often (in seconds) TCP sends keepalive messages. The default of 2 hours is changed to 30 minutes.

net.ipv4.tcp_keepalive_probes = 3
# Number of keepalive probes sent if the peer does not respond.

net.ipv4.tcp_keepalive_intvl = 15
# Interval (in seconds) between keepalive probes.

net.ipv4.tcp_mem
# (No value is given here; three values are expected, each in memory pages, usually 4 KB.)
# Determines how the TCP stack responds to memory usage.
# The first value is the lower bound of memory usage.
# The second value is the bound at which memory-pressure mode starts to apply pressure to buffer usage.
# The third value is the memory ceiling; at this level packets may be discarded to reduce memory use. For a larger BDP you can raise these values (remember the unit is pages, not bytes).

net.ipv4.tcp_rmem
# (No value is given here.) Similar to tcp_wmem, but holds the receive buffer values used for auto-tuning.

net.ipv4.tcp_wmem = 30000000 30000000 30000000
# Defines the per-socket memory used for auto-tuning.
# The first value is the minimum number of bytes allocated for the socket's send buffer.
# The second value is the default (overridden by wmem_default); the buffer can grow to this value when the system is not under heavy load.
# The third value is the maximum number of bytes of send buffer space (overridden by wmem_max).

net.ipv4.ip_local_port_range = 1024 65000
# Port range used for outgoing connections. The default of 32768 to 61000 is small; changed to 1024 to 65000.

net.ipv4.netfilter.ip_conntrack_max = 204800
# Limit on the maximum number of tracked connections.
# Note: this is the legacy key name; on current kernels the key is net.netfilter.nf_conntrack_max.

net.ipv4.tcp_slow_start_after_idle = 0
# Disable slow start after idle, i.e. do not reinitialise the congestion window after a connection has been idle for a while.

net.ipv4.route.gc_timeout = 100
# Route cache garbage-collection timeout: how long after a route fails before switching to another route. Default is 300.

net.ipv4.tcp_syn_retries = 1
# Number of SYN packets sent before the kernel gives up establishing a connection.

net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore ICMP echo requests sent to broadcast addresses, to avoid amplification attacks.

net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable protection against bogus (malicious) ICMP error responses.

net.inet.udp.checksum=1
# Intended to prevent attacks using malformed UDP packets.
# Note: net.inet.* is a BSD/macOS sysctl name; Linux has no such key and `sysctl -p` will report it as unknown.

net.ipv4.conf.default.accept_source_route = 0
# Whether to accept IP packets carrying source-route information. Boolean: 1 = accept, 0 = reject.
# The default is 1 on a Linux host acting as a gateway and 0 on an ordinary Linux host.
# From a security standpoint it is recommended to turn this feature off.
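Before running `sysctl -p`, it is worth linting a fragment like the one above: Linux sysctl keys are case-sensitive and lowercase, some keys in circulating tuning lists belong to other operating systems or are legacy names, and a few values weaken hardening or cause outages. The script below is an added example written for this page, not the original author's; the verdict names (ok, notlinux, legacy, risky) and the `sample_conf` fragment are this script's own constructed conventions.

```shell
#!/bin/sh
# sysctl_lint.sh: pre-flight check for a sysctl.conf fragment before `sysctl -p`.
# Hypothetical helper written for this page; verdict names are its own convention.

# Linux sysctl keys are case-sensitive and always lowercase; "Net.core.somaxconn"
# is rejected by sysctl. Normalise the key before classifying it.
normalize_key() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Print a one-word verdict for a key/value pair:
#   ok        nothing to flag
#   notlinux  key belongs to another OS (BSD/macOS net.inet.*)
#   legacy    superseded key name; current kernels expose a different path
#   risky     value known to cause outages or weaken hardening
check_setting() {
    key=$(normalize_key "$1")
    val=$2
    case "$key" in
        net.inet.*)
            echo notlinux ;;
        net.ipv4.netfilter.ip_conntrack_max)
            echo legacy ;;   # replaced by net.netfilter.nf_conntrack_max
        net.ipv4.tcp_tw_recycle)
            # removed in Linux 4.12; before that it broke clients behind NAT
            [ "$val" = "1" ] && echo risky || echo ok ;;
        net.ipv4.conf.*.rp_filter)
            # 0 disables reverse-path filtering (spoofed-source packets accepted)
            [ "$val" = "0" ] && echo risky || echo ok ;;
        net.ipv4.conf.*.accept_source_route)
            [ "$val" = "1" ] && echo risky || echo ok ;;
        net.ipv4.tcp_syncookies)
            [ "$val" = "0" ] && echo risky || echo ok ;;
        *)
            echo ok ;;
    esac
}

# Read "key = value" lines from stdin (comments and blank lines ignored), print
# "verdict key=value" for each, and return the number of flagged settings.
lint_conf() {
    flagged=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # drop trailing comment
        case "$line" in *=*) ;; *) continue ;; esac        # skip lines without '='
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        verdict=$(check_setting "$key" "$val")
        echo "$verdict $(normalize_key "$key")=$val"
        [ "$verdict" = ok ] || flagged=$((flagged + 1))
    done
    return "$flagged"
}

# Constructed sample fragment reproducing mistakes that appear in tuning lists.
sample_conf() {
    cat <<'EOF'
Net.core.somaxconn = 100000
net.ipv4.tcp_tw_recycle = 1
Net.inet.udp.checksum=1
net.ipv4.netfilter.ip_conntrack_max=204800
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1   # keep SYN cookies on
EOF
}

# Lint the sample; the non-zero exit status of lint_conf is the flagged count (3 here).
sample_conf | lint_conf || echo "flagged settings: $?"
```

To check a real file, replace `sample_conf` with `cat /etc/sysctl.conf` (or a file under /etc/sysctl.d/). The `risky` rules are deliberately few and value-dependent, so that a reviewer sees the setting that matters rather than a wall of warnings.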
