Skip to content

Instantly share code, notes, and snippets.

@flxxyz
Forked from chenshaoju/sysctl.conf
Last active October 9, 2022 03:39
Show Gist options
  • Save flxxyz/7085ac7c292b11aabf8f42243e2c4b6a to your computer and use it in GitHub Desktop.
Save flxxyz/7085ac7c292b11aabf8f42243e2c4b6a to your computer and use it in GitHub Desktop.
sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# This line below add by user.
# 设定最大打开文件句柄数为 200000
fs.file-max = 200000
# 设定最大数据接收发送缓冲为 32MB 。
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
# 设定默认据接收发送缓冲为 256KB 。
net.core.rmem_default = 262144
net.core.wmem_default = 262144
# 将最大队列长度设定为 65535 。
net.core.netdev_max_backlog = 65535
# 将监听队列长度增加到 4096 。
net.core.somaxconn = 4096
# 设定 TCP 接收发送缓存最小、平均和最大分别为 32KB 、 256KB 、 32MB 。
net.ipv4.tcp_rmem = 32768 262144 33554432
net.ipv4.tcp_wmem = 32768 262144 33554432
# 自动检测网络是否支持巨帧包,如果已知支持请设定为 2 ;自动检测为 1 ;不支持请设定为为 0 。
net.ipv4.tcp_mtu_probing = 1
# 使用 bbr 拥塞控制算法。
# 请注意:请使用 sysctl net.ipv4.tcp_available_congestion_control 命令检查是否支持 bbr 拥塞控制算法。
# 若未出现在列表中,请使用 modprobe tcp_bbr 命令加载该模块。
# 若加载失败,说明可能需要将该模块 ( CONFIG_TCP_CONG_BBR=y ) 加入内核源码并重新编译。
# 若无法编译,可考虑使用 hybla 拥塞控制算法,请参考以上步骤确定 hybla 支持情况,然后将下行的 bbr 部分替换为 hybla 。
net.ipv4.tcp_congestion_control = bbr
# 表示开启 SYN Cookies。当出现 SYN 等待队列溢出时,启用 cookies 来处理,可防范少量 SYN 攻击,默认为 0,表示关闭。
net.ipv4.tcp_syncookies = 1
# 表示开启重用。允许将 TIME-WAIT sockets 重新用于新的 TCP 连接,默认为 0,表示关闭。
net.ipv4.tcp_tw_reuse = 1
# [在4.12内核中被移除] 此功能和处于 NAT 环境下的 Android 系统冲突,必须禁用。
#net.ipv4.tcp_tw_recycle = 0
# 修改系統默认的 TIMEOUT 时间。
net.ipv4.tcp_fin_timeout = 30
# 表示当 keepalive 启用的时候,TCP 发送 keepalive 消息的频度。缺省是 2 小时,改为 20 分钟。
net.ipv4.tcp_keepalive_time = 1200
# 表示 SYN 队列的长度,默认为 1024,加大队列长度为 8192,可以容纳更多等待连接的网络连接数。
net.ipv4.tcp_max_syn_backlog = 8192
# 启用 TCP Fast Open ,可简化 TCP 的三次握手。
# 注意,请使用 sysctl -w net.ipv4.tcp_fastopen=3 命令,如果提示 No such file or directory ,则说明内核不支持,请勿取消下面开头的 # 符号。
# 如果执行后提示 net.ipv4.tcp_fastopen = 3 ,则说明没有问题,可以取消下行的 # 号以启用 TCP Fast Open 。
#net.ipv4.tcp_fastopen = 3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment