The configuration method of Linux for 500,000 concurrent connections

Source: Internet
Author: User

- Hardware/kernel bits: AMD64 (Opterons)
- At least 8 GB of RAM
- A recent Linux kernel (2.6.x)

About tuning, I prefer not to disclose everything, because servers are the targets of many attacks, so it's better not to help hackers.

The most touchy thing is the IP route cache: you have to tune it or else the machine drops many packets (hint: rhash_entries= in the kernel boot append string).
Hints:
echo 1 >/proc/sys/net/ipv4/route/gc_interval
echo >/proc/sys/net/ipv4/route/gc_timeout
echo 2 >/proc/sys/net/ipv4/route/gc_elasticity

- Use of hugetlb pages
Hint:
echo XXX >/proc/sys/vm/nr_hugepages

Tune TCP:
echo "4096 49152 131072" >/proc/sys/net/ipv4/tcp_wmem
echo xxxx >/proc/sys/net/ipv4/tcp_max_syn_backlog
echo xxxx >/proc/sys/net/core/somaxconn
echo 1200000 >/proc/sys/net/ipv4/tcp_max_tw_buckets
echo 7 >/proc/sys/net/ipv4/tcp_retries2
echo "600000 650000 700000" >/proc/sys/net/ipv4/tcp_mem
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
echo 0 >/proc/sys/net/ipv4/tcp_sack
echo 330000 >/proc/sys/net/ipv4/tcp_max_orphans
echo "10000 62000" >/proc/sys/net/ipv4/ip_local_port_range


Others:
echo 1300000 >/proc/sys/fs/file-max

There are several ways to increase the maximum number of Linux threads:
1. sysctl -w kernel.threads-max=8167 (maximum number of threads)
2. echo 8167 >/proc/sys/kernel/threads-max

To keep the modified value across reboots, edit /etc/sysctl.conf and add:
kernel.threads-max = 8167

# sysctl -p makes it take effect immediately.
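As an added example (not part of the original page), the following POSIX shell script converts echo-style tuning lines like the ones above into sysctl.conf form and checks a system for drift from a saved configuration, so a setting that silently reverted after a reboot is noticed. The lines embedded in TUNING_LINES are a constructed subset of this page's hints, and the /proc/sys root is a parameter so the check can also be run against a copied tree.

```shell
#!/bin/sh
# Convert "echo VALUE > /proc/sys/a/b/c" tuning lines into "a.b.c = VALUE"
# sysctl.conf lines, and report drift between a saved configuration and the
# values actually present under a /proc/sys tree. Added example, not from
# the original page.

# Constructed input: a subset of the page's echo hints.
TUNING_LINES='echo 1 > /proc/sys/net/ipv4/route/gc_interval
echo 2 > /proc/sys/net/ipv4/route/gc_elasticity
echo "600000 650000 700000" > /proc/sys/net/ipv4/tcp_mem
echo 1200000 >/proc/sys/net/ipv4/tcp_max_tw_buckets
echo 1300000 > /proc/sys/fs/file-max'

# Collapse runs of whitespace (/proc prints tcp_mem tab-separated) and trim.
normalize() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# /proc/sys/net/ipv4/tcp_mem -> net.ipv4.tcp_mem
proc_to_key() {
    printf '%s\n' "$1" | sed -e 's|^/proc/sys/||' -e 's|/|.|g'
}

# net.ipv4.tcp_mem -> ROOT/net/ipv4/tcp_mem (keys whose leaf contains a dot,
# e.g. a VLAN interface named eth0.100, are not handled here)
key_to_file() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Read echo-style lines on stdin, print sysctl.conf lines on stdout.
echo_lines_to_sysctl_conf() {
    while read -r cmd rest; do
        case "$cmd" in echo|Echo) ;; *) continue ;; esac   # skip non-echo lines
        case "$rest" in *'>'*) ;; *) continue ;; esac       # no redirection, no setting
        value=$(printf '%s' "${rest%%>*}" | sed 's/^[[:space:]"]*//; s/[[:space:]"]*$//')
        path=$(normalize "${rest#*>}")
        [ -n "$value" ] || continue                         # "echo >file" has no value to save
        printf '%s = %s\n' "$(proc_to_key "$path")" "$value"
    done
}

# check_drift CONF [ROOT]: compare "key = value" lines in CONF with the files
# under ROOT (default /proc/sys); print one line per mismatch or missing key.
check_drift() {
    conf=$1; root=${2:-/proc/sys}
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(normalize "${line%%=*}")
        want=$(normalize "${line#*=}")
        file=$(key_to_file "$root" "$key")
        if [ -r "$file" ]; then
            have=$(normalize "$(cat "$file")")
        else
            have='<missing>'
        fi
        [ "$want" = "$have" ] || printf '%s: want %s, have %s\n' "$key" "$want" "$have"
    done < "$conf"
}

# Number of drifting keys (0 when everything matches).
drift_count() {
    check_drift "$@" | awk 'END { print NR }'
}

# Demo: the persistent sysctl.conf form of the constructed hints.
printf '%s\n' "$TUNING_LINES" | echo_lines_to_sysctl_conf
```

Run `check_drift /etc/sysctl.conf` on the live system after `sysctl -p` to confirm every key actually took effect.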

/proc/sys/net/ipv4/ parameter descriptions

Format of each entry:
Parameter name: parameter type
Parameter value (unless noted otherwise, memory values are in bytes and time values in seconds)
Official description (text in parentheses is Skylove's personal experience or additional notes on the parameter)

ip_forward: boolean
0 - off (default)
non-zero - IP forwarding on
Forwards datagrams between the local network interfaces. This parameter is special: changing it resets all other related configuration parameters to their default values (for hosts see RFC 1122, for routers see RFC 1812). (In other operating systems this parameter is not a boolean but an integer: 0 never forwards, 1 decides per interface whether to forward, 2 always forwards.)

ip_default_ttl: integer
The default value is 64
The time-to-live value of IP datagrams. Each hop on the network decrements it by 1, and the packet is discarded when the TTL reaches 0. The larger the value, the more routers a packet can cross, but a misrouted packet also wastes more of its lifetime. For normal Internet access today, 32 is sufficient.

ip_no_pmtu_disc: boolean
The default value is false (0)
Disables path MTU discovery. (The usual bottleneck principle: for a transmission to succeed, the effective MTU is that of the "narrowest" link on the path. If the IP layer has a datagram to send whose length exceeds the link-layer MTU, it must fragment the datagram into pieces that are each smaller than the MTU.)
MTU values of several common networks:

Hyperchannel                      65535
16 Mb/s token ring (IBM)          17914
4 Mb/s token ring (IEEE 802.5)     4464
FDDI                               4352
Ethernet                           1500
IEEE 802.3/802.2                   1492
X.25                                576
Point-to-point (low delay)          296

ipfrag_high_thresh: integer
The default value is 262144
The maximum amount of memory used to reassemble fragmented IP packets. Two files give the minimum and maximum memory for reassembling IP fragments: once the maximum is reached, further fragments are discarded until usage falls back to the minimum (ipfrag_low_thresh). (As I understand it, reaching the high mark "closes the door", and fragments are only admitted again once usage has dropped to the low mark. If the gap between high and low is too small, the limit is reached again quickly and packets are dropped again; if it is too large, packets are dropped for too long a period. The 3/4 ratio of the default minimum to maximum is therefore a reasonable guide. Also note that the kernel's memory units here are bytes. When a TCP packet transfer error occurs, reassembly begins; valid packets stay in memory while corrupted packets are forwarded. On my 1 GB NAT machine I set the minimum to 262144 and the maximum to 393216.)

ipfrag_low_thresh: integer
The default value is 196608
See ipfrag_high_thresh.

ipfrag_time: integer
The default value is 30
How long an IP fragment is kept in memory.

inet_peer_threshold: integer
The default value is 65664
An appropriate limit on the memory of the INET peer storage; entries are discarded once this threshold is exceeded. The threshold also determines the lifetime of entries and the interval between garbage-collection passes: the more entries, the shorter the survival period and the shorter the GC interval. (gc = garbage collection. How is the default 65664 = 65536 + 128 obtained? See struct inet_peer in include/net/inetpeer.h. This cache exists to speed up IP routing: it caches information about peer IPs, one record per peer. The value works together with
inet_peer_gc_maxtime
inet_peer_gc_mintime
inet_peer_maxttl
inet_peer_minttl
inet_peer_threshold
to control the size of the cache. The cache seems to consume quite a lot of memory: a friend on CU mentioned that on a 26 MB embedded Linux system it used more than 1 MB.)

inet_peer_minttl: integer
The default value is 120
Minimum lifetime of an entry. Enough fragment lifetime must be available at the reassembling end. This minimum lifetime must guarantee that the pool size stays below inet_peer_threshold. Measured in jiffies. (On each GC pass, IP entries younger than inet_peer_minttl are always kept, and entries older than inet_peer_maxttl are released.)

inet_peer_maxttl: integer
The default value is 600
Maximum lifetime of an entry. After this deadline, unused entries time out if the pool is not under pressure (for example, if the number of entries in the pool is very small). Measured in jiffies.

inet_peer_gc_mintime: integer
The default value is 10
Minimum interval between garbage-collection (GC) passes. This interval applies under high memory pressure in the pool. Measured in jiffies. (If GC runs too rarely, many entries accumulate; if it runs too often, it puts pressure on the system. This value sets the shortest GC cycle.)

inet_peer_gc_maxtime: integer
The default value is 120
Maximum interval between garbage-collection (GC) passes, which applies under low memory pressure in the pool. Measured in jiffies. (A jiffy is the kernel's internal time unit: 1/100 s on i386 and 1/1024 s on Alpha. HZ in /usr/include/asm/param.h defines the value for a particular system.)

==================== TCP parameters ====================

tcp_syn_retries: integer
The default value is 5
How many SYN requests the kernel sends for a new connection before giving up. Should not exceed 255; the default of 5 corresponds to about 180 seconds. (For a heavily loaded network with good physical connectivity this value is high and can be changed to 2.) This value only applies to outgoing connections; incoming connections are governed by tcp_retries1.

tcp_synack_retries: integer
The default value is 5
For an incoming SYN connection request, the kernel sends a SYN+ACK datagram to acknowledge the SYN; this is the second step of the three-way handshake. This value determines how many SYN+ACKs the kernel sends before abandoning the connection. Should not exceed 255; the default of 5 corresponds to about 180 seconds. (This value can be chosen in line with tcp_syn_retries above.)

tcp_keepalive_time: integer
The default value is 7200 (2 hours)
How often TCP sends keepalive messages when keepalive is enabled. (Because of today's network attacks, abuse of this is very frequent. A friend on CU mentioned that if two sides establish a connection and then send neither data nor RST/FIN messages, the connection lingers for 2 hours; the "empty connection" attack? tcp_keepalive_time is the only way to prevent it. When I run a NAT service I change this value to 1800 seconds.)

tcp_keepalive_probes: integer
The default value is 9
How many keepalive probes TCP sends before deciding the connection is broken. (Note: probes are only sent if the SO_KEEPALIVE socket option is set.) The default does not usually need changing, though it can be shortened as appropriate; 5 is a reasonable value.

tcp_keepalive_intvl: integer
The default value is 75
The interval between probe messages; multiplied by tcp_keepalive_probes, it gives the time to kill a connection that has not responded since probing started. The default of 75 seconds means an unresponsive connection is dropped after roughly 11 minutes. (For general applications this is somewhat large and can be reduced as needed; web servers in particular should change it, and 15 is a good value.)

tcp_retries1: integer
The default value is 3
How many retries before giving up responding to a TCP connection request? The RFC stipulates a minimum of 3, which is also the default; in terms of RTO this is about 3 seconds to 8 minutes. (Note: this value also governs incoming SYN connections.)

tcp_retries2: integer
The default value is 15
How many retries before dropping an active (established) TCP connection. The default of 15, based on the RTO, corresponds to 13-30 minutes (RFC 1122 requires more than 100 seconds). (This can be reduced according to the state of your network; on my network I changed it to 5.)

tcp_orphan_retries: integer
The default value is 7
How many retries before dropping a TCP connection that has been closed on our side? The default of 7 corresponds to 50 seconds to 16 minutes depending on the RTO. If your system is a heavily loaded web server you may want to lower this value, since such sockets can be expensive. See also tcp_max_orphans. (When doing NAT, lowering this value is also a significant benefit; in my own network environment I reduced it to 3.)

tcp_fin_timeout: integer
The default value is 60
How long TCP keeps a socket that was closed on our side in the FIN-WAIT-2 state. The other side may break, may never close the connection, or may die unexpectedly. The default is 60 seconds; it used to be 180 seconds in the 2.2 kernels. You can change this value, but be aware that on a heavily loaded web server you risk memory filling up with large numbers of stale datagrams. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 ones because they consume at most 1.5K of RAM, but they live longer. See also tcp_max_orphans. (When doing NAT, lowering this value is also a significant benefit; in my own network environment I reduced it to 30.)

tcp_max_tw_buckets: integer
The default value is 180000
The maximum number of TIME-WAIT sockets the system handles at the same time. If this number is exceeded, the TIME-WAIT socket is destroyed immediately and a warning is printed. This limit exists only to defend against simple DoS attacks; do not reduce it artificially. If network conditions require more than the default, raise it (and perhaps add memory). (When doing NAT it is best to raise this value.)

tcp_tw_recycle: boolean
The default value is 0
Enable fast recycling of TIME-WAIT sockets. Do not change this value unless advised or requested to by a technical expert. (When doing NAT, enabling it is recommended.)

tcp_tw_reuse: boolean
The default value is 0
Whether a socket in the TIME-WAIT state may be reused for a new TCP connection (very helpful for quickly restarting certain services, so the port is usable immediately after startup).

tcp_max_orphans: integer
The default value is 8192
The maximum number of TCP sockets not attached to any process that the system can handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists only to defend against simple DoS attacks; do not rely on it or reduce it artificially. (Red Hat AS sets this value to 32768, but many firewall tuning guides recommend changing it to 2000.)

tcp_abort_on_overflow: boolean
The default value is 0
When the daemon is too busy to accept new connections, send a reset instead. The default is false, meaning that if the overflow is caused by an accidental burst, the connection recovers. Only enable this when you are sure the daemon really cannot complete connection requests, since it affects clients. (For already loaded services such as Sendmail or Apache this quickly terminates client connections, giving the service a chance to handle its existing connections, which is why many firewall guides recommend enabling it.)

tcp_syncookies: boolean
The default value is 0
Only available when CONFIG_SYNCOOKIES is selected at kernel compile time. When the SYN wait queue overflows, syncookies are sent to the peer. The purpose is to defend against SYN flood attacks.
Note: this option must not be used on heavily loaded servers that are not under attack. If SYN flood messages appear in the log but investigation finds no SYN flood attack, only a high load of legitimate connections, then tune other parameters to improve server performance instead. See:
tcp_max_syn_backlog
tcp_synack_retries
tcp_abort_on_overflow
Syncookies seriously violate the TCP protocol and do not allow TCP extensions, which can severely hurt the performance of some services (such as SMTP relaying). (Note that this implementation, like the TCP proxy on BSD, violates the RFC three-way handshake for TCP connections, but it is genuinely useful for defending against SYN floods.)

tcp_stdurg: boolean
The default value is 0
Use the host-requirements RFC interpretation of the TCP URG pointer field. Most hosts use the old BSD interpretation, so enabling this on Linux may prevent correct communication with them.

tcp_max_syn_backlog: integer
The maximum number of connection requests not yet acknowledged by the client that are kept in the queue. For systems with more than 128 MB of memory the default is 1024; below 128 MB it is 128. If the server is often overloaded, try increasing this number. Warning: if you set this value above 1024, you should also change TCP_SYNQ_HSIZE in include/net/tcp.h to keep TCP_SYNQ_HSIZE*16 <= tcp_max_syn_backlog, and rebuild the kernel. (A SYN flood exploits the TCP handshake: it sends a large number of TCP SYNs with forged source IPs to the target, eventually exhausting the target's socket queue so that it cannot accept new connections. To cope with this, modern UNIX systems commonly use a two-queue approach to buffer (not resolve) the attack: a basic queue handles normal fully established connections (connect() and accept()), while half-open connections are stored separately in another queue. This dual-queue processing, together with other kernel measures such as syncookies/caches, can effectively mitigate small-scale SYN floods (below 1000 p/s, in practice). Increasing the SYN queue length accommodates more connections waiting to complete, so consider raising this value on servers.)

tcp_window_scaling: integer
The default value is 1
Whether the sliding window size of a TCP/IP session is variable. The value is boolean: 1 means variable, 0 means fixed. TCP/IP normally uses a window of at most 65535 bytes, which may be too small for a high-speed network; when enabled, the sliding window can grow by several orders of magnitude, increasing throughput (RFC 1323). (On an ordinary 100 Mb network, disabling it lowers overhead, so if the network is not high-speed consider setting it to 0.)

tcp_timestamps: boolean
The default value is 1
Timestamps, among other things, protect against forged sequence numbers. On a 1 Gb/s link an old sequence number with an out-of-window value may turn up (for example one left over from a previous incarnation of the connection); the timestamp lets the stack recognize it as an "old packet". (This file indicates whether RTT is computed by a method more precise than the retransmission timeout (RFC 1323); it should be enabled for better performance.)

tcp_sack: boolean
The default value is 1
Use selective ACK? It allows a specific missing datagram to be identified, helping quick recovery. This file indicates whether selective acknowledgment is enabled; by selectively acknowledging packets received out of order it lets the sender resend only the missing segments, improving performance. (This option should be enabled for WAN traffic, but it increases CPU usage.)

tcp_fack: boolean
The default value is 1
Enable FACK congestion avoidance and fast retransmission. (Note: when tcp_sack is 0 this value has no effect even if set to 1.)

tcp_dsack: boolean
The default value is 1
Allow TCP to send duplicate SACKs (D-SACK).

tcp_ecn: boolean
The default value is 0
Enable TCP explicit congestion notification.

tcp_reordering: integer
The default value is 3
The maximum number of reordered datagrams in a TCP stream. (Recommendations generally suggest raising this slightly, for example to 5.)

tcp_retrans_collapse: boolean
The default value is 1
Bug-to-bug compatibility with some broken printers. (This support is generally not needed and can be turned off.)

tcp_wmem (3 integers): min, default, max
Min: the minimum send-buffer memory reserved for each TCP socket; every TCP socket is guaranteed this much. The default value is 4096 (4K).

Default: the amount of send-buffer memory reserved for a TCP socket. It affects the net.core.wmem_default value used by other protocols and is normally below net.core.wmem_default. The default value is 16384 (16K).

Max: the maximum send-buffer memory for a TCP socket. It does not affect net.core.wmem_max, and the "static" option SO_SNDBUF is not affected by this value. The default value is 131072 (128K). (On servers, raising this parameter helps sending; in my network environment I use 51200 131072 204800.)

tcp_rmem (3 integers): min, default, max
Min: the receive-buffer memory reserved for each TCP socket; even under memory pressure, a TCP socket has at least this much receive buffer. The default value is 8K.

Default: the receive-buffer memory reserved for a TCP socket. It affects the net.core.wmem_default value used by other protocols. With the default values of tcp_adv_win_scale and tcp_app_win, and with tcp_app_win=0, this value gives a TCP window size of 65535. The default value is 87380.

Max: the maximum receive-buffer memory for a TCP socket. It does not affect net.core.wmem_max, and the "static" option SO_SNDBUF is not affected by this value. The default value is 128K, i.e. 87380*2 bytes. (As you can see, max is best set to twice the default; for NAT it is mostly a matter of raising it. My network uses 51200 131072 204800.)

tcp_mem (3 integers): low, pressure, high
Low: while TCP uses fewer pages of memory than this value, it does not consider freeing memory. (Ideally this value should match the 2nd value of tcp_wmem: that buffer size multiplied by the maximum number of concurrent requests and divided by the page size (131072 * 300 / 4096).)

Pressure: when TCP uses more pages than this value, it tries to stabilize its memory usage and enters "pressure" mode; it leaves the pressure state once consumption drops below the low value. (Ideally this should be the maximum total buffer size TCP can use (204800 * 300 / 4096).)

High: the number of pages all TCP sockets together may use for queued buffered datagrams. (If this value is exceeded, TCP connections are refused, which is why it should not be too conservative (512000 * 300 / 4096). In this case the value is very large, so it can handle many connections: it is expected to allow 2.5 times as many connections, or to let existing connections transfer 2.5 times the data. My network uses 192000 300000 732000.)

Typically these values are computed at system startup based on the amount of system memory.
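As an added example (not from the page), the following POSIX shell functions carry the tcp_mem rule of thumb above through: the three page counts are derived from a per-socket buffer size times the expected number of sockets, divided by the page size; a triplet is then checked for the ordering the kernel expects and converted back into mebibytes so the limit can be compared with installed RAM. The 300-socket figure and the 512000-byte ceiling are the page's own numbers; the 4096 fallback page size is an assumption for systems without getconf.

```shell
#!/bin/sh
# Derive and sanity-check net.ipv4.tcp_mem values following the page's rule:
#   pages = bytes_per_socket * expected_sockets / page_size
# tcp_mem is counted in pages while tcp_wmem/tcp_rmem are in bytes, which is
# the usual source of confusion when these are tuned by hand. Added example,
# not from the original page.

# Page size of the running system; 4096 is assumed when getconf is absent.
page_size() {
    getconf PAGESIZE 2>/dev/null || echo 4096
}

# buffer_pages BYTES SOCKETS PAGESIZE: pages needed when SOCKETS sockets each
# hold BYTES of buffer (integer division, as the kernel counts whole pages).
buffer_pages() {
    echo $(( $1 * $2 / $3 ))
}

# tcp_mem_triplet DEFAULT_BYTES MAX_BYTES CEILING_BYTES SOCKETS PAGESIZE
#   low      from the tcp_wmem/tcp_rmem default buffer size
#   pressure from the tcp_wmem/tcp_rmem max buffer size
#   high     from a hard per-socket ceiling (the page uses 512000)
tcp_mem_triplet() {
    low=$(buffer_pages "$1" "$4" "$5")
    pressure=$(buffer_pages "$2" "$4" "$5")
    high=$(buffer_pages "$3" "$4" "$5")
    echo "$low $pressure $high"
}

# tcp_mem_valid "LOW PRESSURE HIGH": the kernel expects low < pressure < high.
tcp_mem_valid() {
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" -lt "$2" ] && [ "$2" -lt "$3" ]
}

# pages_to_mib PAGES PAGESIZE: mebibytes a page count represents.
pages_to_mib() {
    echo $(( $1 * $2 / 1048576 ))
}

# tcp_mem_report "LOW PRESSURE HIGH" PAGESIZE: one human-readable line that
# shows how much RAM the high mark actually permits TCP to take.
tcp_mem_report() {
    set -- $1 "$2"
    printf 'tcp_mem = %s %s %s pages (high = %s MiB of TCP buffer memory)\n' \
        "$1" "$2" "$3" "$(pages_to_mib "$3" "$4")"
}

# Demo with the page's figures: 300 sockets and 4 KiB pages, then the
# "600000 650000 700000" setting from the tuning section on this system.
demo=$(tcp_mem_triplet 131072 204800 512000 300 4096)
tcp_mem_report "$demo" 4096
tcp_mem_report "600000 650000 700000" "$(page_size)"
```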

tcp_app_win: integer
The default value is 31
Reserve max(window/2^tcp_app_win, MSS) of the window for application buffering. 0 means no reservation.

tcp_adv_win_scale: integer
The default value is 2
Compute the buffering overhead as bytes/2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes - bytes/2^(-tcp_adv_win_scale) (if tcp_adv_win_scale <= 0).

tcp_rfc1337: boolean
The default value is 0
Enables the fix for the "TIME-WAIT assassination hazards" described in RFC 1337. When enabled, the kernel discards RST packets destined for sockets in the TIME-WAIT state.

tcp_low_latency: boolean
The default value is 0
Allow the TCP/IP stack to prefer low latency over high throughput; this option is normally disabled. (It is helpful to enable it when building a Beowulf cluster.)

tcp_westwood: boolean
The default value is 0
Enables a sender-side congestion control algorithm that maintains an estimate of throughput and tries to optimize overall bandwidth utilization; this option should be enabled for WAN traffic.

tcp_bic: boolean
The default value is 0
Enables Binary Increase Congestion control for fast long-distance networks, making better use of links operating at gigabit speeds; this option should be enabled for WAN traffic.

============== IP, ICMP ===========

ip_local_port_range: (two integers)
The local port range for TCP and UDP: the first number is the first port, the second is the last. The default depends on the amount of memory available on the system:
> 128 MB: 32768-61000
< 128 MB: 1024-4999 or even less.
This value determines the number of active connections, that is, how many connections the system can make. (When doing NAT I set it to 1024 65530 and it works fine.)

ip_nonlocal_bind: boolean
The default value is 0
Set this if you want an application to bind to an address that does not belong to the system. (Useful when the machine uses a non-fixed/dynamic network connection, or when debugging a program offline: the service can stay up, bound to a specific address, even while the line is down.)

ip_dynaddr: boolean
The default value is 0
If non-zero, dynamic addresses are supported. If the value is set > 1, a kernel message is emitted whenever the dynamic address is rewritten. (Set this if you want to use a dynamic interface address for dial-on-demand. Once the interface is brought up, all local TCP sockets that have not yet seen a reply are re-bound to the correct address. This solves the problem where the first connection attempt through the interface fails but a retry works.)

icmp_echo_ignore_all: boolean
icmp_echo_ignore_broadcasts: boolean
The default value is 0
If set to true (>0), the system ignores ICMP echo requests sent to its own addresses or to broadcast addresses, respectively. (Many viruses/Trojans on the network that launch infection attacks automatically use ICMP echo to determine whether a host is alive, so enabling this reduces such harassment. However, since the machine can then no longer be pinged, the network administrator cannot tell whether it is up, so consider using Netfilter/iptables instead for a more selective, targeted solution. icmp_echo_ignore_all ignores all ICMP echo requests, while icmp_echo_ignore_broadcasts ignores only those sent to broadcast addresses.)

icmp_ratelimit: integer
The default value is given in jiffies
Limits the maximum rate at which ICMP datagrams matching icmp_ratemask are sent to a specific target. 0 means no limit; otherwise the value is the number of jiffies between datagrams. (If the bit for Echo Request is set to 1 in icmp_ratemask, ping responses can easily be rate-limited.)

icmp_ratemask: integer
Selects which ICMP types are rate-limited by icmp_ratelimit.
Matching flag bits:  IHGFEDCBA9876543210
Default mask value:  0000001100000011000 (6168)
For the meaning of the bits, see include/linux/icmp.h in the kernel source.

Bit  ICMP type
0    Echo Reply
3    Destination Unreachable *
4    Source Quench *
5    Redirect
8    Echo Request
B    Time Exceeded *
C    Parameter Problem *
D    Timestamp Request
E    Timestamp Reply
F    Info Request
G    Info Reply
H    Address Mask Request
I    Address Mask Reply

* = rate-limited by the default mask (see the mask value above)
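The mask is a bit vector indexed by ICMP type number (bit B = type 11, C = 12, and so on). As an added example (not from the page), these POSIX shell functions decode a decimal icmp_ratemask into the type numbers it selects and build a mask from a list of types, using the table above for the names; the function names are my own.

```shell
#!/bin/sh
# Decode and build net.ipv4.icmp_ratemask values. Bit N of the mask selects
# ICMP type N for rate limiting by icmp_ratelimit. Added example, not part
# of the original page; type names follow the page's table.

# Name of an ICMP type number (hex letters in the table map to 11..18).
icmp_type_name() {
    case "$1" in
        0)  echo "Echo Reply" ;;
        3)  echo "Destination Unreachable" ;;
        4)  echo "Source Quench" ;;
        5)  echo "Redirect" ;;
        8)  echo "Echo Request" ;;
        11) echo "Time Exceeded" ;;
        12) echo "Parameter Problem" ;;
        13) echo "Timestamp Request" ;;
        14) echo "Timestamp Reply" ;;
        15) echo "Info Request" ;;
        16) echo "Info Reply" ;;
        17) echo "Address Mask Request" ;;
        18) echo "Address Mask Reply" ;;
        *)  echo "type $1" ;;
    esac
}

# ratemask_types MASK: print the ICMP type numbers selected by a decimal
# mask, one per line, lowest first (bits 0..18 as in the page's table).
ratemask_types() {
    mask=$1; t=0
    while [ "$t" -le 18 ]; do
        [ $(( (mask >> t) & 1 )) -eq 1 ] && echo "$t"
        t=$(( t + 1 ))
    done
    return 0
}

# ratemask_from_types TYPE...: build a decimal mask from type numbers.
ratemask_from_types() {
    mask=0
    for t in "$@"; do
        mask=$(( mask | (1 << t) ))
    done
    echo "$mask"
}

# ratemask_add_type MASK TYPE: the mask with one more type selected, e.g.
# adding Echo Request (8) to the default so that ping replies are limited.
ratemask_add_type() {
    echo $(( $1 | (1 << $2) ))
}

# ratemask_describe MASK: one "number  name" line per selected type.
ratemask_describe() {
    for t in $(ratemask_types "$1"); do
        printf '%2d  %s\n' "$t" "$(icmp_type_name "$t")"
    done
}

# Demo: the kernel default 6168 selects the four starred types of the table.
ratemask_describe 6168
```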

icmp_ignore_bogus_error_responses: boolean
The default value is 0
Some routers violate RFC 1122 by sending bogus responses to broadcast frames. Such violations are normally recorded in the system log as warnings. If this option is set to true, the kernel does not log these warnings. (I personally recommend setting it to 1.)

=========== Network interface (e.g. lo, eth0, eth1) parameters ===========

/proc/sys/net/ipv4/conf/{interface}/*:
Under /proc/sys/net/ipv4/conf/ you find directories named after network interfaces, such as all, eth0, eth1, default and lo; each file inside sets one option for that interface. (all/ is special and changes the setting for all interfaces; default/ holds the default settings; lo/ is the loopback interface; eth0/ is the first network card and eth1/ the second.) Note: some of the following parameters only take effect when both all/ and the interface's own entry are true, while others only need the interface's entry to be true; pay attention to the difference!

log_martians: boolean
Log packets with impossible (martian) source addresses to the kernel log. Takes effect when at least one of all/ or {interface}/ is true.

accept_redirects: boolean
Default: true for a host, false when used as a router
Send and receive ICMP redirect messages. Takes effect only when both all/ and {interface}/ are true.
(If you are unfamiliar with the structure of your network, it is recommended not to change this: when the network has more than one exit, for example two exit routers, a host by default knows only one gateway, and the exit routing policy may redirect it to the other router.)

forwarding: boolean
Enable forwarding on this interface. (Very practical with 3 or more network cards: sometimes you want only one card facing outside and another serving a service, and you can make the service card not forward traffic.)

mc_forwarding: boolean
Whether to perform multicast routing. Only valid when the kernel is compiled with CONFIG_MROUTE and a multicast routing daemon is running.

medium_id: integer
The default value is 0
Used to distinguish between different media. Two network devices can use different values so that broadcast packets are received on only one of them. The default 0 means the device is the only interface on its medium; -1 means the medium is unknown. Usually this parameter is used together with proxy_arp to implement proxy ARP between two different network media, so that ARP messages are forwarded between them. (Kernel documentation: "Integer value used to differentiate the devices by the medium they are attached to. Two devices can have different ID values when the broadcast packets are received only on one of them. The default value 0 means that the device is the only interface to its medium, the value of -1 means that medium is not known." I don't fully understand this; I will ask on CU and correct it later.)

proxy_arp: boolean
Enable the ARP proxy feature. Takes effect when at least one of all/ or {interface}/ is true.

shared_media: boolean
The default is true
Send (router) or accept (host) RFC 1620 shared-media redirects. Overrides the ip_secure_redirects value. Takes effect when at least one of all/ or {interface}/ is true.

secure_redirects: boolean
The default is true
Accept ICMP redirect messages only from gateways listed in the default gateway list; the default is true. Takes effect when at least one of all/ or {interface}/ is true. (Normally leave this alone: it effectively prevents malicious ICMP redirect attacks sent by non-gateway machines on the same network segment.)

send_redirects: boolean
The default is true
If acting as a router, allow sending redirect messages. Takes effect when at least one of all/ or {interface}/ is true. (Depending on the network: if you are doing NAT and this is the only gateway on the network, it can in fact be turned off. IP redirects were proposed early in TCP/IP's history as a way to deal with network connectivity; in practice the mechanism has proven not very useful and carries serious security risks, since it can lead to denial of service, man-in-the-middle attacks, session hijacking and so on, which is why many security guides recommend disabling it.)

bootp_relay: boolean
Default: false
Accept datagrams with source address 0.b.c.d and a non-local destination address. Intended to support a BOOTP relay daemon that captures and forwards such packets. Not yet implemented.

accept_source_route: boolean
Default: false for hosts, true when used as a router
Accept datagrams with the SRR (source routing) option. Takes effect only when both all/ and {interface}/ are true. (The IP source routing option is another early design flaw of TCP/IP: it lets the IP packet itself carry routing options, which allows attackers to bypass some security-checking gateways or to probe the network environment. On a corporate gateway it is strongly recommended to turn this off, or simply to discard packets carrying the IP source routing option. The feature is useful when debugging a network, but in real deployments it causes problems and danger.)

rp_filter:boolean
The default is false
1 - Validate the source address by reverse path lookup, as defined in RFC 1812. Recommended for single-homed hosts and stub network routers.
0 - No source address validation by reverse path lookup.
The default is 0, but some distributions turn it on at boot. The larger of all/ and {interface}/ takes effect. Kernels from 2.6.31 on also accept the value 2 (loose mode: a packet is dropped only if its source is unreachable via any interface), which is the safer choice on multi-homed hosts with asymmetric routing, where strict mode drops legitimate traffic. (By default the kernel routes everything, even packets that "obviously" do not belong on your network. A common example is private address space leaking onto the Internet. If you have an interface with a route to 195.96.96.0/24, you do not expect packets from 212.64.94.1 to arrive on it. Many people want to drop such packets, and the kernel developers made that easy: files under /proc let you tell the kernel to do it. The method is called "Reverse Path Filtering": if the reply to a packet would not leave through the interface the packet arrived on, the packet is considered bogus and is ignored.)
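The combining rules above (at least one of all/ and {interface}/ for secure_redirects and send_redirects, both for accept_source_route, the larger value for rp_filter) are easy to get wrong: writing 0 to all/send_redirects changes nothing while eth0/send_redirects still holds 1. The following script is an added example, not part of the original article, that reads both knobs, computes the value the kernel actually applies, and audits an interface against the hardened settings recommended above. ROOT, read_knob, effective, HARDENED and audit_iface are names chosen for this example; ROOT defaults to the live /proc tree and can be pointed at a copy for offline testing.

```shell
#!/bin/sh
# Added example, not from the original article: compute the effective
# per-interface value of a /proc/sys/net/ipv4/conf/ knob from the all/ and
# {interface}/ files, using the kernel's combining rule for that knob:
#   or  - enabled if all/ OR iface/ is non-zero
#         (send_redirects, secure_redirects, arp_filter)
#   and - enabled only if all/ AND iface/ are non-zero (accept_source_route)
#   max - the larger of the two wins (rp_filter, arp_announce, arp_ignore)
# ROOT defaults to the live tree; point it at a copy to test offline.
ROOT="${ROOT:-/proc/sys/net/ipv4/conf}"

read_knob() {   # read_knob <all|iface> <knob>  -> value, or 0 if unreadable
    if [ -r "$ROOT/$1/$2" ]; then cat "$ROOT/$1/$2"; else echo 0; fi
}

effective() {   # effective <or|and|max> <iface> <knob>  -> value in effect
    a=$(read_knob all "$3")
    i=$(read_knob "$2" "$3")
    case "$1" in
        or)  if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        and) if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        max) if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi ;;
        *)   echo "effective: unknown rule '$1'" >&2; return 2 ;;
    esac
}

# Hardened targets for a host that is not a router, as recommended above:
# no redirects sent, only secure redirects accepted, no source routing,
# strict rp_filter. Format: rule:knob:wanted. A policy that also accepts
# loose mode would compare rp_filter with -lt 1 instead of an exact match.
HARDENED="or:send_redirects:0 or:secure_redirects:1 and:accept_source_route:0 max:rp_filter:1"

audit_iface() {   # audit_iface <iface>  -> returns the number of deviations
    bad=0
    for spec in $HARDENED; do
        rule=${spec%%:*}; rest=${spec#*:}; knob=${rest%%:*}; want=${rest#*:}
        have=$(effective "$rule" "$1" "$knob")
        if [ "$have" -ne "$want" ]; then
            printf '%s/%s: effective=%s wanted=%s (all=%s %s=%s)\n' \
                "$1" "$knob" "$have" "$want" \
                "$(read_knob all "$knob")" "$1" "$(read_knob "$1" "$knob")"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Stand-alone use: AUDIT_IFACE=eth0 sh audit.sh
if [ -n "${AUDIT_IFACE:-}" ]; then
    audit_iface "$AUDIT_IFACE" && echo "$AUDIT_IFACE: all hardened settings in effect"
fi
```

When a deviation is reported, fix both files (or all/ and default/ before the interface comes up) rather than only all/, and persist the values in /etc/sysctl.conf as shown earlier in the article, since /proc writes do not survive a reboot.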

arp_filter:boolean
The default is false
1 - Allows several network interfaces to sit on the same subnet, with each interface answering an ARP query only if the kernel would route a packet from the queried address out through that interface (in other words, the decision is made by a route lookup on the source address). This lets you control which card, usually the first, answers ARP queries. (For load balancing you can consider
echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
to solve the problem; using
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
instead usually works better, because arp_announce and arp_ignore provide finer-grained control than arp_filter.)

0 - Default: the kernel answers ARP queries for any of its addresses on every interface. This looks wrong but is often useful, because it increases the chance that communication succeeds: on a Linux host IP addresses belong to the host, not to a particular interface. It only causes trouble in special setups such as load balancing.
Enabled for an interface if at least one of all/ or {interface}/ is true. (Put simply: if two cards in one Linux machine must for some reason be configured on the same segment, then by default one works and the other does not, or the kernel keeps logging errors; that is when this option needs to be turned on.)

arp_announce:integer
The default is 0
Defines how restrictive the kernel is in choosing the local source IP address it announces in ARP requests sent from an interface:

0 - (default) Use any local address, configured on any interface.
1 - Try to avoid local addresses that are not in the target's subnet for this interface. Useful when hosts reached through this interface require the source IP in the ARP request to belong to the logical network configured on their receiving interface. When generating the request the kernel checks all local subnets that include the target IP and keeps the source address if it belongs to one of them; if there is no such subnet, it selects the source address by the rules of level 2.
2 - Always use the best local address for the target. The source address of the IP packet is ignored and the kernel picks the local address it prefers for talking to the target: first a primary address of a subnet on the outgoing interface that includes the target IP; if none is found, the first local address on the outgoing interface or on any other interface, in the hope that the reply will still be received.

The larger of all/ and {interface}/ takes effect.

Increasing the restriction level raises the chance of receiving an answer from the resolved target, while a lower level announces more of the sender's valid information. (I did not translate the ARP proxy part of this section well; I will chew through Volume One of the TCP/IP bible and then translate it again.)

arp_ignore:integer
The default is 0
Defines the reply modes for ARP requests whose target IP is a local address:

0 - (default) Reply to any ARP request for any local IP address, on any interface (with eth0=192.168.0.1/24 and eth1=10.1.1.1/24, a request for 10.1.1.1 arriving on eth0 from 10.1.1.2 is answered even though the address belongs to eth1; the same request arriving on eth1 is of course answered as well).

1 - Reply only if the target IP is a local address configured on the receiving interface (with the same layout, a request for 10.1.1.1 arriving on eth0 from 10.1.1.2 is not answered, because 10.1.1.1 is configured on eth1, not eth0).
2 - Reply only if the target IP is configured on the receiving interface and the sender IP is within that interface's subnet (with the same layout, a request for 192.168.0.1 arriving on eth0 from 10.1.1.2 is ignored, while a request for 192.168.0.1 from 192.168.0.2 is answered).
3 - Do not reply for local addresses configured with scope host; only resolutions for global and link-scope addresses are answered. (This translation does not seem right; I will go and ask someone.)
4-7 - Reserved, unused
8 - Do not reply to any ARP request for any local address

The larger of all/ and {interface}/ takes effect.
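To make the arp_ignore modes concrete, here is an added example, not part of the original article, that models the reply decision for the two-interface layout used above (eth0=192.168.0.1/24, eth1=10.1.1.1/24) as a plain shell function, and goes slightly beyond the text by handling any sender and target address, not only the ones in the examples. The layout is constructed for the example; ip2int, in_subnet, iface_addr, is_local and arp_reply are names chosen here. Modes 3 to 7 are not modelled, because mode 3 depends on address scope, which this table does not capture.

```shell
#!/bin/sh
# Added example, not from the original article: model the arp_ignore reply
# decision for a two-NIC host. Interface layout is constructed for the example:
#   eth0 = 192.168.0.1/24, eth1 = 10.1.1.1/24
# Usage: arp_reply <mode> <receiving iface> <target ip> <sender ip>
#        prints "reply" or "ignore".

ip2int() {   # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {   # in_subnet <ip> <addr/len>  -> success if ip is inside the prefix
    net=${2%/*}; len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

iface_addr() {   # iface_addr <iface>  -> addr/len, fails for unknown interfaces
    case "$1" in
        eth0) echo 192.168.0.1/24 ;;
        eth1) echo 10.1.1.1/24 ;;
        *)    return 1 ;;
    esac
}

is_local() {   # is_local <ip>  -> success if ip is configured on any interface
    for i in eth0 eth1; do
        a=$(iface_addr "$i")
        [ "${a%/*}" = "$1" ] && return 0
    done
    return 1
}

arp_reply() {   # arp_reply <mode> <rx_iface> <target_ip> <sender_ip>
    rx=$(iface_addr "$2") || { echo "arp_reply: unknown interface $2" >&2; return 2; }
    rx_ip=${rx%/*}
    case "$1" in
        # 0: any local address, on any interface
        0) if is_local "$3"; then echo reply; else echo ignore; fi ;;
        # 1: target must be configured on the receiving interface
        1) if [ "$rx_ip" = "$3" ]; then echo reply; else echo ignore; fi ;;
        # 2: as 1, and the sender must be in the receiving interface's subnet
        2) if [ "$rx_ip" = "$3" ] && in_subnet "$4" "$rx"; then echo reply; else echo ignore; fi ;;
        # 8: never answer
        8) echo ignore ;;
        *) echo "arp_reply: mode $1 not modelled (3 needs address scope, 4-7 are reserved)" >&2; return 2 ;;
    esac
}
```

On a real host the recipe from the arp_filter section applies the restrictive behaviour: sysctl -w net.ipv4.conf.all.arp_ignore=1 and net.ipv4.conf.all.arp_announce=2, persisted in /etc/sysctl.conf as shown earlier in the article. Because the larger of all/ and {interface}/ wins, a per-interface value of 2 cannot be relaxed by writing 1 to all/.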

tag:integer
The default is 0
Lets you store an arbitrary number on the interface, to be used as required by your own scripts or policies.
