From: Http://blog.51cto.com/lijichao/308509/proc/sys/net/ipv4/icmp_timeexceed_rate
This led to the famous "Solaris Middle Star" when traceroute. This file controls the rate at which ICMP Time Exceeded messages are sent.
/proc/sys/net/ipv4/igmp_max_memberships
The maximum number of IGMP (multicast) sockets on the host to listen to.
/proc/sys/net/ipv4/inet_peer_gc_maxtime
Help: Add A little explanation about the inet peer storage? Minimum interval between garbage collection passes. This interval are in effect under low (or absent) memory pressure on the pool. Measured in jiffies. /proc/sys/net/ipv4/inet_peer_gc_mintime
The minimum interval between fragments collected each time. When the memory pressure is larger, adjusting this interval is very effective. In Jiffies.
/proc/sys/net/ipv4/inet_peer_maxttl
Maximum lifetime of the entries. In the event that the pool has no memory pressure (for example, when the number of entries in the pool is small), unused entries expire over a period of time. In Jiffies.
/proc/sys/net/ipv4/inet_peer_minttl
Minimum lifetime of the entries. Should be no less than the lifetime of the aggregation end shard. This minimum lifetime must be guaranteed when the pool size is not greater than inet_peer_threshold. In Jiffies.
/proc/sys/net/ipv4/inet_peer_threshold
The approximate size of the INET peer storage. Starting from this threshold entries'll be thrown aggressively. This threshold also determines entries ' time-to-live and time intervals between garbage collection passes. More entries, less time-to-live, less GC interval. /proc/sys/net/ipv4/ip_autoconfig
This file contains a number that indicates whether the host obtains its IP configuration through RARP, BOOTP, DHCP, or other mechanisms. Otherwise it's 0.
/proc/sys/net/ipv4/ip_default_ttl
The lifetime of the packet. Setting to 64 is safe. Increase this value if your network is large. Do not do this for fun--that will create a harmful routing loop. In fact, in many cases you have to consider whether you can reduce this value.
/proc/sys/net/ipv4/ip_dynaddr/proc/sys/net/ipv4/icmp_destunreach_rate If you have an auto-dial interface with a dynamic address, you have to set it up. When your auto-dial interface is activated, all TCP sockets that are not answered locally are re-bound to the correct address. This resolves a problem that raises the dial-up socket itself and does not work again.
/proc/sys/net/ipv4/ip_forward
Whether the kernel forwards packets. Forbidden by default.
/proc/sys/net/ipv4/ip_local_port_range
The range of ports used for the outward connection. By default, it's actually small: 1024 to 4999.
/proc/sys/net/ipv4/ip_no_pmtu_disc
If you want to disable MTU discovery along the way, set it up. MTU Discovery along the way is a technique that detects the maximum possible MTU value on the transmission path. See the section on "MTU Discovery along the Way" in the cookbook chapter.
/proc/sys/net/ipv4/ipfrag_high_thresh
Maximum memory usage for IP shard aggregation. Once you have allocated so many bytes of memory, the Shard handler discards the Shard once it is exhausted. When Ipfrag_high_thresh bytes of memory are allocated for this purpose, the fragment handler would toss packets until Ipfrag _low_thresh is reached. /proc/sys/net/ipv4/ip_nonlocal_bind
Set this option if you want your application to be able to bind to an address that is not part of the local network card. If your machine does not have a dedicated connection (or even a dynamic connection) it is very useful, even if your connection is disconnected, your service can be started and tied to a specified address.
/proc/sys/net/ipv4/ipfrag_low_thresh
The minimum memory usage for IP shard aggregation.
/proc/sys/net/ipv4/ipfrag_time
The amount of time (in seconds) that IP shards are retained in memory.
/proc/sys/net/ipv4/tcp_abort_on_overflow
A Boolean type flag that controls the behavior of the kernel when there are many connection requests. If enabled, if the service is overloaded, the kernel will proactively send the RST package.
/proc/sys/net/ipv4/tcp_fin_timeout
If the socket is closed by the local side, this parameter determines how long it remains in the fin-wait-2 state. The peer can make an error and never shut down the connection, or even accidentally become a machine. The default value is 60 seconds. 2.2 The normal value of the kernel is 180 seconds, you can press this setting, but remember that even if your machine is a light-load Web server, there is a large number of dead sockets and memory overflow risk, fin-wait-2 is less dangerous than fin-wait-1, Because it can only eat up to 1.5K of memory, but they have a longer lifetime. See Tcp_max_orphans. /proc/sys/net/ipv4/tcp_keepalive_time
When KeepAlive is employed, the frequency at which TCP sends keepalive messages. The default is 2 hours.
/proc/sys/net/ipv4/tcp_keepalive_intvl
When the probe is not confirmed, the frequency of the probe is resent. The default is 75 seconds.
/proc/sys/net/ipv4/tcp_keepalive_probes
How many TCP keepalive probe packets are sent before the connection is determined to fail. The default value is 9. This value, multiplied by TCP_KEEPALIVE_INTVL, determines how much time a connection can have without a response after sending a keepalive.
/proc/sys/net/ipv4/tcp_max_orphans
The maximum number of TCP sockets in the system are not associated with any one of the user file handles. If this number is exceeded, the orphan connection is immediately reset and a warning message is printed. This limitation is only to prevent a simple Dos attack, you must not rely too much on it or artificially reduce the value, it should increase this value (if the memory is increased). This limit exists-only to prevent-simple DoS attacks, you _must_ not rely on this or lower the limit artificially, but rat She increase it (probably, after increasing installed memory), if network conditions require more than default value, and Tune network services to linger and kill such states more aggressively. Let me remind you again that each orphan socket can eat up to 64K of non-exchangeable memory.
/proc/sys/net/ipv4/tcp_orphan_retries
How many retries are attempted before the local side attempts to close the TCP connection. The default value is 7, which is equivalent to 50 seconds ~16 minutes (depending on RTO). If your machine is an overloaded Web server, you should consider reducing this value because such a socket consumes a lot of important resources. See Tcp_max_orphans.
/proc/sys/net/ipv4/tcp_max_syn_backlog
Record the maximum number of connection requests that have not received the client acknowledgment information. For systems with 128M of memory, the default value is 1024, and the small memory system is 128. If the server is overwhelmed, try raising this value. Attention! If you set this value to be greater than 1024, it is best to adjust the tcp_synq_hsize in Include/net/tcp.h at the same time to ensure Tcp_synq_hsize*16≤tcp_max_syn_backlo and then recompile the kernel.
/proc/sys/net/ipv4/tcp_max_tw_buckets
The system maintains the maximum number of timewait sockets at the same time. If this number is exceeded, the time-wait socket is immediately cleared and a warning message is printed. This limitation is only to prevent a simple Dos attack, you must not rely too much on it or artificially reduce this value, if the network actually needs greater than the default value, it should increase this value (if the memory is increased).
/proc/sys/net/ipv4/tcp_retrans_collapse
The "will wrong" option is set for compatibility with some bad printers. When sending again, increase the packets to avoid some TCP protocol stack bugs. /proc/sys/net/ipv4/tcp_retries1
Retry many times before you identify an error and submit an error report to the network layer. The default setting is the minimum value of RFC: 3, which is equivalent to 3 seconds to minutes (depending on Rio).
/proc/sys/net/ipv4/tcp_retries2
How many times to retry before killing an active TCP connection. RFC 1122 stipulates that this limit should be longer than 100 seconds. This value is too small. The default value is 15, which is equivalent to 13-30 minutes (depending on Rio).
/proc/sys/net/ipv4/tcp_rfc1337
This switch can initiate a fix for the "TCP time-wait assassination crisis" described in RFC1337. When enabled, the kernel discards those RST packets destined for the time-wait state TCP socket. But the province is 0.
/proc/sys/net/ipv4/tcp_sack
Use selective ACK specifically for lost packets, which can help you recover quickly.
/proc/sys/net/ipv4/tcp_stdurg
Host demand interpretation using TCP emergency pointers. Because most hosts are BSD-interpreted, if you open it on Linux, it may affect normal communication with other machines. The default is False.
/proc/sys/net/ipv4/tcp_syn_retries
The number of SYN packets sent before the kernel abandons the connection.
/proc/sys/net/ipv4/tcp_synack_retries
In order to open the connection to the end, the kernel sends a SYN and comes with an ACK that responds to the previous syn. The second handshake in the so-called three-time handshake. This setting determines the number of Syn+ack packets sent before the kernel abandons the connection.
/proc/sys/net/ipv4/tcp_timestamps
Timestamps can prevent the winding of serial numbers. A 1Gbps link will definitely encounter a previously used serial number. Timestamps allow the kernel to accept this "exception" packet.
/proc/sys/net/ipv4/tcp_tw_recycle
Time-wait sockets can be recycled more quickly. The default value is 1. Modifications should not be made unless the advice and requirements of the technical experts are available.
/proc/sys/net/ipv4/tcp_window_scaling
In general, TCP/IP allows the window size to reach 65535 bytes. This value may still be too small for a network that is really high speed. This option allows you to set the size of the upper G-byte window for use in environments where bandwidth * latency is large.
Once the kernel considers that it cannot be contracted, it discards the package and sends ICMP notifications to the host.
/proc/sys/net/ipv4/icmp_echo_ignore_all
Do not respond to the echo package at all. Please do not set the default, it may be useful when you are being exploited as a springboard for DOS attacks.
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]
If you ping subnet addresses of subnets, all machines should respond. This can be a very useful denial of service attack tool. Set to ignore these subnet broadcast messages.
/proc/sys/net/ipv4/icmp_echoreply_rate
Sets the rate at which echo requests are responded to any host.
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
After you set it, you can ignore ICMP errors generated by hosts in the network that claim that the address is a broadcast address.
/proc/sys/net/ipv4/icmp_paramprob_rate
A relatively ambiguous ICMP message that responds to an exception packet that is corrupted by the IP header or TCP header. You can control the sending rate of messages through this file.
tcp_syn_retries: INTEGER
The default value is 5
For a new connection, the kernel will send a number of SYN connection requests before deciding to discard. should not be greater than 255, the default value is 5, which corresponds to about 180 seconds of time. (This value is high for networks with good physical communication for heavy loads and can be modified to 2.) This value is only for external connections, the connection to the incoming, is the
tcp_retries1Decision)
tcp_synack_retries: INTEGER
The default value is 5
For a remote connection request SYN, the kernel sends a SYN + ACK datagram to confirm receipt of the last SYN connection request packet. This is the second step of the so-called three-time handshake (threeway handshake) mechanism. This determines the number of syn+ack that the kernel sends before discarding the connection. should not be greater than 255, the default value is 5, which corresponds to about 180 seconds of time. (Can be based on the above
tcp_syn_retriesTo determine this value)
Tcp_keepalive_time: INTEGER
The default value is 7200 (2 hours)
The frequency at which TCP sends keepalive messages when KeepAlive is turned on. (as a result of the current cyber attacks, the attacks are very frequent,
once also has the CU friend mentioned, said if 2 side establishes the connection, then does not send any data or Rst/fin message, then the duration is is 2 hours, the empty connection attack?
Tcp_keepalive_timeis to prevent this from happening. I am personally in the NAT service when the change value is 1800 seconds)
Tcp_keepalive_probes
:INTEGER
The default value is 9
TCP sends a KeepAlive probe to determine the number of times that the connection has been disconnected. (Note: Keeping a connection is only sent if the so_keepalive socket option is turned on.) The number of times does not need to be modified by default, although this value can be shortened appropriately depending on the situation. Set to 5 more appropriate)
TCP_KEEPALIVE_INTVL: INTEGER
The default value is 75
The frequency at which the message is sent is multiplied by tcp_keepalive_probes to get the time to kill the connection that has not responded since the start of the probe. The default value is 75 seconds, which means that no active connections will be discarded after approximately 11 minutes. (For normal applications, this value is somewhat larger and can be changed as needed.) in particular, the Web Class Server needs to be smaller, 15 is a more appropriate value)
tcp_retries1: INTEGER
The default value is 3
How many retries are required before giving up a response to a TCP connection request. The RFC specifies that the lowest value is 3, which is also the default value, depending on the RTO value between 3 seconds-8 minutes. (Note: This value also determines the incoming SYN connection)
Tcp_retries2: INTEGER
The default value is 15
How many retries are required before a TCP connection that is activated (established communication state) is discarded. The default value is 15, which is determined by the RTO value, which is equivalent to 13-30 minutes (RFC1122, which must be greater than 100 seconds). (This value is based on the current network settings, can be appropriately changed to small, my network changes in order to 5)
tcp_orphan_retries: INTEGER
The default value is 7
How many retries to make before the near-end drops the TCP connection. The default value is 7, which is equivalent to 50 seconds-16 minutes, depending on the RTO. If your system is a heavily loaded Web server, you may need to lower this value, which can be a lot of resource-intensive sockets. The examination of other parameters
Tcp_max_orphans。 (In fact, when doing NAT, reducing this value is also a significant benefit, I myself in the network environment to reduce the value of 3)
Tcp_fin_timeout: INTEGER
The default value is 60
For a socket connection that is disconnected at this end, TCP remains in the Fin-wait-2 state for the time. The other person may be disconnected or have not ended the connection or the unpredictable process has died. The default value is 60 seconds. It used to be 180 seconds in the 2.2 version of the kernel. You can set this value, but be aware that if your machine is a heavily loaded Web server, you may be risking the risk of memory being filled with a large number of invalid datagrams,fin-wait-2 sockets is less dangerous than fin-wait-1, because they eat up to 1.5K of memory, But they exist for a longer period of time. Also reference
Tcp_max_orphans。 (In fact, when doing NAT, reducing this value is also a significant benefit, I myself in the network environment to reduce the value of 30)
tcp_max_tw_buckets: INTEGER
The default value is 180000
The maximum number of timewait sockets the system is processing at the same time. If this number is exceeded, the,time-wait socket is immediately removed and a warning message is displayed. The reason to set this limit is to protect against simple DoS attacks, but do not artificially reduce this limit, but if the network conditions need to be more than the default value, you can increase it (and perhaps increase the memory). (In fact, it is best to increase the value appropriately when doing NAT)
tcp_tw_recycle: BOOLEAN
The default value is 0
Turn on quick time-wait sockets recycling. Do not modify this value unless you are advised or requested by a technical expert. (It is recommended to open it when doing a NAT)
Tcp_tw_reuse: BOOLEAN
The default value is 0
This file indicates whether to allow the re-application of the socket in the time-wait state for a new TCP connection (this is very helpful in the case of a quick restart of some services and prompt port usage after startup)
Tcp_max_orphans: INTEGER
The default value is 8192
The maximum number of TCP sockets that the system can handle that is not part of any process. If this amount is exceeded, then the connection that is not part of any process is immediately reset and a warning message is displayed. The reason to set this limit, purely to protect against those simple DoS attacks, do not rely on this or artificially reduce this limit (this value Redhat as version is set to 32768, but many firewall modifications, it is recommended that the value modified to 2000)
Tcp_abort_on_overflow: BOOLEAN
The default value is 0
When the daemon is too busy to accept the new connection, as if the other party sends the reset message, the default value is False. This means that when the cause of the overflow is due to an accidental burst, then the connection will revert to the state. This option is only turned on when you are sure that the daemon is really unable to complete the connection request, which affects the customer's use. (when dealing with services such as a fully loaded Sendmail,apache, this allows the client to terminate the connection quickly, allowing the service program to handle the existing connection buffer, so many firewalls recommend opening it)
tcp_syncookies: BOOLEAN
The default value is 0
This will only occur if Config_syncookies is selected at kernel compile time. When the SYN wait queue appears overflow, the syncookies is sent like the other. The aim is to prevent SYN flood attacks.
Note: This option must not be used for high-load servers that do not receive an attack, if a Synflood message appears in the log, but the investigation finds that there is no synflood attack, but that the legitimate user's connection load is too high, you should adjust other parameters to improve server performance. Reference:
Tcp_max_syn_backlog
tcp_synack_retries
Tcp_abort_on_overflow
Syncookie serious breaches of the TCP protocol, which does not allow the use of TCP extensions, may cause serious performance impacts (such as SMTP forwarding) on some services. (Note that this implementation, like the TCP proxy used by BSD above, is a violation of the RfC's three-time handshake for TCP connections, but is really useful for defense syn-flood.)
Tcp_stdurg: BOOLEAN
The default value is 0
Use the host Request interpretation feature in the TCP Urg pointer field. Most hosts use an old BSD explanation, so if you open it on Linux, you may not be able to communicate with them correctly.
Tcp_max_syn_backlog: INTEGER
For connection requests that still do not have a client acknowledgement, the maximum number that needs to be saved in the queue. For systems that exceed 128Mb of memory, the default value is 1024, below 128Mb for 128. If the server is overloaded frequently, try increasing this number. Warning! If you set this value to greater than 1024,, it is best to modify
Include/net/tcp.hInside the
tcp_synq_hsize, to maintain
Tcp_synq_hsize*16<=tcp_max_syn_backlogand into the core. (SYN flood attack uses TCP protocol to spread the defect of handshake, fake source IP address to send a large number of Tcp-syn semi-open connection to the target system, eventually causing the target system socket queue resources exhausted and unable to accept the new connection. In order to deal with this attack, modern UNIX systems generally use multi-connection queue processing to buffer (rather than resolve) this attack, is to use a basic queue to handle the normal full-connected application (connect () and accept ()), is to use another queue to separate semi-open connections. This dual-queue approach, combined with some other system kernel measures (such as syn-cookies/caches), can be used to mitigate small-scale SYN flood attacks more effectively (facts prove <1000p/s) Increasing the SYN queue length can accommodate more network connections waiting for the connection, so you might consider increasing the value for the server.
tcp_window_scaling: INTEGER
The default value is 1
This file indicates whether the sliding window size of the TCP/IP session is set to variable. The value of the parameter is a Boolean value, 1 is variable, and 0 indicates immutable. TCP/IP typically uses a maximum of 65535 bytes of Windows, which may be too small for high-speed networks, which, if enabled, can increase the TCP/IP sliding window size by several orders of magnitude, thereby increasing the ability to transmit data (RFC 1323). (for the average hundred m network, the shutdown will reduce the overhead, so if it is not a high-speed network, you can consider setting it to 0)
Tcp_timestamps: BOOLEAN
The default value is 1
Timestamps is used in other things to guard against forged sequence numbers. A 1G broadband line may re-encounter the old sequence number with out-of-line value (if it was due to the last generation). Timestamp will let it know it's an ' old bag '. (This file indicates whether it is enabled to enable calculation of RTT in a more precise way than a time-out, RFC 1323); This option should be enabled for better performance. )
Tcp_sack: BOOLEAN
The default value is 1
Using selective ack, It can be used to find a specific missing datagram---so it helps to recover the status quickly. This file indicates whether a selective answer (selective acknowledgment) is enabled, which can improve performance by selectively answering packets received by a random order (which allows the sender to send only the missing segment). (This option should be enabled for WAN traffic, but this increases CPU usage.) )
Tcp_fack: BOOLEAN
The default value is 1
Open Fack congestion avoidance and fast retransmission function. (Note that when
Tcp_sackWhen set to 0, this value is not valid even if set to 1
Tcp_dsack: BOOLEAN
The default value is 1
Allow TCP to send "two identical" sack.
TCP_ECN: BOOLEAN
The default value is 0
Opens the TCP Direct congestion notification feature.
tcp_reordering: INTEGER
The default value is 3
The maximum number of reordered datagrams in the TCP stream. (It is generally recommended to adjust this value slightly larger, such as 5)
Tcp_retrans_collapse: BOOLEAN
The default value is 1
For some bugs, the printer provides compatibility for its bugs. (This support is generally not required, you can close it)
Tcp_wmem(3 integer variables):
min,
default,
Max
Min: reserves the minimum amount of memory used to send buffers for the TCP socket. Each TCP socket can be used after it is recommended. The default value is 4096 (4K).
default: The amount of memory reserved for a TCP socket for sending buffers, which, by default, affects the use of other protocols
Net.core.wmem_defaultValues, which are generally lower than
Net.core.wmem_defaultThe value. The default value is 16384 (16K).
Max: The maximum amount of memory used for the TCP socket send buffer. This value does not affect
Net.core.wmem_max, the "static" selection parameter so_sndbuf is not affected by this value. The default value is 131072 (128K). (for the server, increasing the value of this parameter is helpful for sending data in my network environment, modified in order to 51200 131072 204800)
Tcp_rmem(3 integer variables):
min,
default,
Max
min: The amount of memory reserved for the TCP socket to receive buffering, even if the TCP socket has at least so much memory to receive buffering in case of memory tension, the default value is 8K.
default: The amount of memory reserved for a TCP socket to receive buffering, which, by default, affects the use of other protocols
Net.core.wmem_defaultValue. This value determines the
Tcp_adv_win_scale、
Tcp_app_winAnd
Tcp_app_win=0 The default value, the TCP window size is 65535. The default value is 87380
Max: The maximum amount of memory used for the TCP socket receive buffer. This value does not affect Net.core.wmem_max, and the "static" selection parameter so_sndbuf is not affected by this value. The default value is 128K. The default value is 87380*2 bytes. (as you can see, the. Max setting is preferably twice times the default, which is the main increase for NAT, 51200 131072 204800 in My network)
Tcp_mem(3 integer variables):
Low,
pressure,
High
Low: TCP does not consider freeing memory when TCP uses a number of memory pages that are below this value. (Ideally, this value should match the 2nd value assigned to TCP_WMEM-this 2nd value indicates that the maximum page size is multiplied by the maximum number of concurrent requests divided by the page size (131072 * 300/4096).) )
pressure: When TCP uses more memory pages than this value, TCP attempts to stabilize its memory usage, enters pressure mode, and exits the pressure state when memory consumption falls below the low value. (Ideally this value should be the maximum amount of total buffer size that TCP can use (204800 * 300/4096).) )
High: Allows all TCP sockets the amount of pages used to queue buffered datagrams. (If this value is exceeded, the TCP connection will be rejected, which is why you should not make it too conservative (512000 * 300/4096).) In this case, the value provided is very large, it can handle many connections, is expected 2.5 times times, or so that the existing connection can transmit 2.5 times times the data. On my network is 192000 300000 732000)
In general, these values are calculated based on the amount of system memory at system startup.
Tcp_app_win: INTEGER
The default value is 31
Keep Max (Window/2^tcp_app_win, MSS) number of Windows due to application buffering. When 0 indicates that no buffering is required.
Tcp_adv_win_scale: INTEGER
The default value is 2
Calculate the buffering overhead bytes/2^tcp_adv_win_scale (if Tcp_adv_win_scale > 0) or bytes-bytes/2^ (-tcp_adv_win_scale) (If Tcp_adv_win_ Scale <= 0).
tcp_rfc1337: BOOLEAN
The default value is 0
This switch can initiate a fix for the "TCP time-wait assassination crisis" described in RFC1337. When enabled, the kernel discards those RST packets destined for the time-wait state TCP socket.
tcp_low_latency: BOOLEAN
The default value is 0
Allow TCP/IP stacks to accommodate low latency in high throughput situations; This option is disabled for general scenarios. (but it's helpful to open it when building a Beowulf cluster)
Tcp_westwood: BOOLEAN
The default value is 0
Enables the sender-side congestion control algorithm, which maintains the evaluation of throughput and attempts to optimize the overall utilization of bandwidth, which should be enabled for WAN traffic.
Tcp_bic: BOOLEAN
The default value is 0
Enables Binary increase congestion for fast, long-distance networks, which makes better use of links that operate at GB speed, which should be enabled for WAN traffic.
$/proc/sys/net/core/wmem_max
Maximum socket write buffer, with reference to the optimized value: 873200
$/proc/sys/net/core/rmem_max
maximum socket read buffer, with reference to optimized values: 873200
$/proc/sys/net/ipv4/tcp_wmem
TCP Write buffer, reference to optimized values: 8192 436600 873200
$/proc/sys/net/ipv4/tcp_rmem
TCP Read buffer, reference to optimized values: 32768 436600 873200
$/proc/sys/net/ipv4/tcp_mem
There are also 3 values, meaning:
NET.IPV4.TCP_MEM[0]: Below this value, TCP has no memory pressure.
NET.IPV4.TCP_MEM[1]: Under this value, enter the memory pressure phase.
NET.IPV4.TCP_MEM[2]: Above this value, TCP refuses to allocate the socket.
The above-mentioned memory units are pages, not bytes. A reference to the optimized value is: 786432 1048576 1572864
$/proc/sys/net/core/netdev_max_backlog
Enter the maximum device queue for the package. The default is 300, which is too low for heavy-duty servers to be adjusted to.
$/proc/sys/net/core/somaxconn
The default parameter of Listen (), the maximum number of pending requests. The default is 128. For busy servers, increasing this value helps network performance. Can be adjusted to the peak.
$/proc/sys/net/core/optmem_max
The maximum initialization value for socket buffer, default 10K.
$/proc/sys/net/ipv4/tcp_max_syn_backlog
Enter the maximum request queue for the SYN packet. Default 1024. For heavy-duty servers, it is obviously beneficial to increase this value. Adjustable to 2048.
$/proc/sys/net/ipv4/tcp_retries2
TCP failed retransmission, the default value of 15, meaning to focus on 15 times to completely discard. Reduce to 5 to release kernel resources as early as possible .
$/proc/sys/net/ipv4/tcp_keepalive_time
$/PROC/SYS/NET/IPV4/TCP_KEEPALIVE_INTVL
$/proc/sys/net/ipv4/tcp_keepalive_probes
These 3 parameters are related to TCP keepalive. The default value is:tcp_keepalive_time = 7200 seconds (2 hours)
Tcp_keepalive_probes = 9
TCP_KEEPALIVE_INTVL = SecondsThis means that if a TCP connection has been idle for 2 hours, the kernel will not initiate probe. If probe 9 times (75 seconds each) is unsuccessful, the kernel simply abandons it and considers the connection to be invalid. The above values are obviously too large for the server. Adjustable to:/proc/sys/net/ipv4/tcp_keepalive_time 1800
/PROC/SYS/NET/IPV4/TCP_KEEPALIVE_INTVL 30
/proc/sys/net/ipv4/tcp_keepalive_probes 3
$ proc/sys/net/ipv4/ip_local_port_range
Specifies a configuration for the port range, which defaults to 32768 61000, which is large enough.
Net.ipv4.tcp_syncookies = 1
Indicates that SYN Cookies are turned on. When there is a SYN wait queue overflow, cookies are enabled to protect against a small number of SYN attacks, the default is 0, which means close;
net.ipv4.tcp_tw_reuse = 1
means to turn on reuse. Allows time-wait sockets to be re-used for new TCP connections, which defaults to 0, which means shutdown;
net.ipv4.tcp_tw_recycle = 1
Represents a quick recycle of time-wait sockets on a TCP connection, which defaults to 0 and 1 for shutdown.
net.ipv4.tcp_fin_timeout = 30
Indicates that if the socket is closed by a local requirement, this parameter determines when it remains in the fin-wait-2 state.
net.ipv4.tcp_keepalive_time = 1200
Indicates the frequency at which TCP sends keepalive messages when KeepAlive is employed. The default is 2 hours, which is changed to 20 minutes.
Net.ipv4.ip_local_port_range = 1024 65000
Represents the range of ports used for an outward connection. Small by default: 32768 to 61000, 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192
Represents the length of the SYN queue, which defaults to 1024, and a larger queue length of 8192, which can accommodate more network connections waiting to be connected.
net.ipv4.tcp_max_tw_buckets = 5000
indicates that the system maintains the maximum number of time_wait sockets at the same time, and if this number is exceeded, the time_wait socket is immediately cleared and a warning message is printed. The default is 180000, which changes to 5000. For Apache, Nginx and other servers, the parameters of the last few lines can be a good way to reduce the number of time_wait sockets, but for squid, the effect is not small. This parameter controls the maximum number of time_wait sockets, preventing squid servers from being dragged to death by a large number of time_wait sockets.
The meaning of the proc/sys/net/ipv4/