@mshafiee
Last active June 27, 2022 09:50
Customized sysctl for high network loads
###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# (hardlinks to files the caller cannot already read/write, symlinks in
# world-writable sticky directories such as /tmp).
# Debian kernels have both set to 1 (restricted). Both lines are left
# commented so the distribution default (1) stays in force; uncommenting
# them with =0 would re-open the classic /tmp link-race class of bugs.
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
#fs.protected_hardlinks=0
#fs.protected_symlinks=0
# Enable IPv4 forwarding: this host routes packets between its interfaces
# (needed for NAT, containers, VRRP/load-balancer roles). Keep it on only for
# hosts that are meant to route. Nothing in this file sets rp_filter or the
# accept_redirects / send_redirects knobs, and the firewall FORWARD policy
# decides what is actually relayed — review those together with this line.
net.ipv4.ip_forward=1
# Ports carved out of the ephemeral range below (e.g. a NodePort range);
# left commented.
#net.ipv4.ip_local_reserved_ports=30000-32767
# Pass bridged traffic through iptables/arptables/ip6tables. These keys only
# exist once br_netfilter is loaded, so sysctl reports them as unknown
# otherwise; left commented.
#net.bridge.bridge-nf-call-iptables=1
#net.bridge.bridge-nf-call-arptables=1
#net.bridge.bridge-nf-call-ip6tables=1
### KERNEL TUNING ###
# Increase size of file handles and inode cache.
# fs.file-max is the system-wide cap on open file handles; fs.nr_open is the
# ceiling a single process's RLIMIT_NOFILE can be raised to.
# NOTE(review): nr_open is set higher than file-max here; the system-wide cap
# still wins, but the per-process ceiling then no longer bounds anything.
fs.file-max = 2097152
fs.nr_open = 10000000
# Do less swapping
vm.swappiness = 10
# Percentage of memory that may hold dirty pages before a writer is throttled
# (dirty_ratio) and before background writeback starts (dirty_background_ratio).
# 60% is a large window of unflushed data to lose on a crash or power cut;
# appropriate only where that data is reproducible.
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
# Roughly, the time (ns) after a task last ran during which the scheduler
# still treats it as cache-hot and avoids migrating it to another core
kernel.sched_migration_cost_ns = 5000000
# Group tasks by TTY (kernel default kept; uncomment to disable autogrouping)
#kernel.sched_autogroup_enabled = 0
### GENERAL NETWORK SECURITY OPTIONS ###
# Number of times a SYN-ACK is retransmitted for a passive (server-side) TCP
# connection before the half-open entry is dropped; lower than the default 5
# so a SYN flood ties up queue slots for less time.
net.ipv4.tcp_synack_retries = 3
# Allowed local (ephemeral) port range. Starting at 1024 means an outbound
# connection can occupy a port that a service later tries to listen on; use
# ip_local_reserved_ports (commented above) to protect such ports.
#net.ipv4.ip_local_port_range = 2000 65535
net.ipv4.ip_local_port_range=1024 65535
# Set this to one to allow local processes to bind to an IP which is not yet
# present on the system. This is typically what happens with a shared VRRP
# address, where you want both master and backup to be started even though the
# IP is not yet present. Always leave it to 1. Default: 0
# Security note: this also lets any local process bind to addresses the host
# does not own at all. Fine on a dedicated VRRP/LB node; worth a second look
# on a multi-tenant host.
#
net.ipv4.ip_nonlocal_bind = 1
# Protect against TCP TIME-WAIT assassination (RFC 1337): RST segments
# received for a socket in TIME-WAIT are ignored
net.ipv4.tcp_rfc1337 = 1
# Enable SYN cookies so new connections are still accepted once the SYN
# backlog (tcp_max_syn_backlog below) is full during a SYN flood
net.ipv4.tcp_syncookies = 1
# Max TCP sockets not attached to any user file handle; beyond this, orphaned
# connections are reset immediately (a resource-exhaustion backstop)
net.ipv4.tcp_max_orphans = 262144
# Decrease the default tcp_fin_timeout: seconds an orphaned connection stays
# in FIN-WAIT-2 before the kernel drops it
net.ipv4.tcp_fin_timeout = 30
# Decrease the default keep-alive timings: first probe after 300 s idle, then
# 5 probes 15 s apart, so a dead peer is detected in ~6 minutes instead of
# ~2 hours
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
### TUNING NETWORK PERFORMANCE ###
# Default Socket Receive Buffer (bytes)
net.core.rmem_default = 31457280
# Maximum Socket Receive Buffer (bytes; upper bound for SO_RCVBUF)
net.core.rmem_max = 33554432
# Default Socket Send Buffer (bytes)
net.core.wmem_default = 31457280
# Maximum Socket Send Buffer (bytes; upper bound for SO_SNDBUF)
net.core.wmem_max = 33554432
# Increase number of incoming connections (cap on the listen() backlog).
# NOTE(review): on kernels older than 5.4 the accept backlog was a 16-bit
# field and values above 65535 were silently truncated — confirm the target
# kernel, or fall back to the 65535 variant kept below.
#net.core.somaxconn = 65535
net.core.somaxconn = 3240000
# Increase number of incoming connections backlog: packets queued per CPU when
# a NIC receives faster than the kernel drains them
#net.core.netdev_max_backlog = 65536
net.core.netdev_max_backlog = 100000
# Increase the maximum amount of option (ancillary) memory per socket, bytes
net.core.optmem_max = 25165824
# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes): low / pressure / high.
# NOTE(review): the tcp_mem high mark 26777216 pages (~100 GiB) looks like a
# typo for 16777216 — confirm against the RAM of the target host.
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.udp_mem = 65536 131072 262144
# Increase the read-buffer space allocatable (min / default / max, bytes)
net.ipv4.tcp_rmem = 8192 87380 33554432
net.ipv4.udp_rmem_min = 16384
# Increase the write-buffer-space allocatable (min / default / max, bytes)
net.ipv4.tcp_wmem = 8192 65536 33554432
net.ipv4.udp_wmem_min = 16384
# Increase the tcp-time-wait buckets pool size to prevent simple DoS attacks
# (above this number TIME-WAIT sockets are destroyed immediately and the
# kernel logs a warning)
net.ipv4.tcp_max_tw_buckets = 2440000
# Reuse TIME-WAIT sockets for new outgoing connections. This depends on TCP
# timestamps, so tcp_timestamps must stay enabled (see the commented line
# near the end of this file)
net.ipv4.tcp_tw_reuse = 1
# How many half-open connections for which the client has not yet sent an ACK
# response can be kept in the queue
net.ipv4.tcp_max_syn_backlog = 3240000
# CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (ARCH / 32)
# net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max;
# both keys only exist once nf_conntrack is loaded, so on a host without the
# module sysctl reports them as unknown at boot. NOTE(review): newer kernels
# may no longer expose the legacy name — confirm on the target kernel.
net.nf_conntrack_max=1000000
net.netfilter.nf_conntrack_max=1000000
# Conntrack entry lifetime (seconds) for TCP TIME-WAIT; shortened so table
# slots are freed faster under high connection churn
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
# Keep the congestion window after an idle period instead of restarting
# slow start
net.ipv4.tcp_slow_start_after_idle = 0
# Always allow memory overcommit (mode 1): allocations never fail for lack of
# memory, so the OOM killer becomes the only backstop — expect process kills
# under memory pressure rather than allocation errors
vm.overcommit_memory = 1
# Max packets processed per NET_RX softirq poll cycle
net.core.netdev_budget = 50000
# Disable IPv6 on all existing interfaces (all, lo) and on interfaces created
# later (default). With IPv6 off none of the ip6tables/IPv6 hardening applies,
# and anything that re-enables it (network managers, container runtimes)
# silently undoes this.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# based on this article https://medium.com/dataseries/why-are-linux-kernel-protocol-stacks-dropping-syn-packets-5ee5cab351a6
# The line stays commented, so timestamps remain at the default (on). Keep it
# that way: tcp_tw_reuse above relies on timestamps, and PAWS protection
# against wrapped sequence numbers is lost without them.
# net.ipv4.tcp_timestamps = 0
# Never core-dump setuid/privileged processes; a dump could expose memory
# that only the privileged process was allowed to read
fs.suid_dumpable = 0
# Fair-queue packet scheduler as the default qdisc; the pairing BBR expects
net.core.default_qdisc=fq
# BBR congestion control (tcp_bbr; loaded on demand when set here)
net.ipv4.tcp_congestion_control=bbr