Development environment: Linux network service parameter configuration instructions (/proc/sys/net/ipv4/*)

The runtime parameters covered by this article live under /proc/sys/net/ipv4/*. Mastering these parameters greatly improves your ability to troubleshoot and tune Linux network services; it is essential knowledge for a system expert.

There are two ways to temporarily change the value of a system parameter. For example, if you want to enable the IP routing and forwarding function:

echo 1 > /proc/sys/net/ipv4/ip_forward

or

sysctl -w net.ipv4.ip_forward=1

Both of the above methods enable routing and forwarding instantly, but the value is lost if the system restarts or the "service network restart" command is executed. To keep the setting permanently, modify:

/etc/sysctl.conf: change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1 and execute sysctl -p.
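As an added example (not from the original article), the following Python helper performs both steps just described: the temporary change by writing the /proc/sys file (what echo or sysctl -w does) and the permanent change by rewriting the key in a sysctl.conf-style file, which sysctl -p then reloads. The root and conf_path parameters, and all function names, are assumptions made for this example so it can be exercised against a scratch directory; run it as root with the defaults to change the live system.

```python
import os
import re
import tempfile
from pathlib import Path


def proc_path(key, root="/"):
    """Map a dotted sysctl key to its /proc/sys file, e.g.
    net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward.
    `root` is an example-only prefix for testing against a scratch tree."""
    return os.path.join(root, "proc", "sys", *key.split("."))


def read_runtime(key, root="/"):
    """Current value, as `cat /proc/sys/...` or `sysctl key` would show it."""
    with open(proc_path(key, root)) as f:
        return f.read().strip()


def write_runtime(key, value, root="/"):
    """Temporary change: same effect as `echo VALUE > /proc/sys/...` or
    `sysctl -w key=value`; lost on reboot or `service network restart`."""
    with open(proc_path(key, root), "w") as f:
        f.write(f"{value}\n")
    return read_runtime(key, root)


def parse_sysctl_conf(text):
    """Read `key = value` lines the way `sysctl -p` does: `#` and `;` start
    comments, blank lines are skipped, the first `=` separates key and value."""
    settings = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def set_persistent(key, value, conf_path="/etc/sysctl.conf"):
    """Permanent change: replace an existing (possibly commented-out) line for
    `key`, drop duplicates, or append if absent. Returns the parsed file.
    Run `sysctl -p conf_path` afterwards to apply it to the running kernel."""
    path = Path(conf_path)
    lines = path.read_text().splitlines() if path.exists() else []
    key_line = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s*=")
    new_line = f"{key} = {value}"
    out, replaced = [], False
    for line in lines:
        if key_line.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue                      # drop duplicate lines for the key
        out.append(line)
    if not replaced:
        out.append(new_line)
    path.write_text("\n".join(out) + "\n")
    return parse_sysctl_conf(path.read_text())


def demo_in_scratch_dir():
    """Exercise both paths against a constructed scratch tree (no root needed)."""
    root = tempfile.mkdtemp()
    key = "net.ipv4.ip_forward"
    os.makedirs(os.path.dirname(proc_path(key, root)))
    with open(proc_path(key, root), "w") as f:
        f.write("0\n")                    # constructed: forwarding currently off
    conf = os.path.join(root, "sysctl.conf")
    Path(conf).write_text("# constructed sample\nnet.ipv4.ip_forward = 0\n")
    before = read_runtime(key, root)
    after = write_runtime(key, 1, root)
    persisted = set_persistent(key, 1, conf)
    return {"before": before, "after": after, "conf": persisted}


if __name__ == "__main__":
    print(demo_in_scratch_dir())
```

The runtime write is deliberately separate from the persistent one: a change that is only written to /proc disappears on the next reboot, while a change that is only written to the file does nothing until sysctl -p runs, so a hardening script should do both and then read the /proc value back to confirm.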

Common options of the sysctl command:

-w Temporarily change the value of the specified parameter.
-a Display all system parameters.
-p Load parameters from the specified file (/etc/sysctl.conf by default).

ICMP related service parameter configuration

ICMP packets are commonly used to detect whether other protocols (such as TCP and UDP) are reachable on a target host. The ICMP "destination unreachable" message is the most common example.

icmp_destunreach_rate

    INTEGER. The rate at which "Destination Unreachable" ICMP packets are sent, as an integer number of jiffies.

    For example, assume two hosts A and B. First execute the following ipchains rule on host A: "ipchains -A input -p icmp -j REJECT". REJECT differs from DENY: DENY silently drops matching packets as if they had never arrived, while REJECT drops the packet and also sends a "Destination Unreachable" ICMP message back to the requesting host. Now ping host A from host B; the "Destination Unreachable" replies arrive promptly. Then execute on host A: echo 1000 > /proc/sys/net/ipv4/icmp_destunreach_rate, i.e. respond with at most one "Destination Unreachable" ICMP packet every 10 seconds. Pinging host A from host B again, the "Destination Unreachable" replies now arrive noticeably slower, exactly one every 10 seconds.

icmp_echo_ignore_all

    BOOLEAN. Whether the system ignores all ICMP Echo requests. A non-zero value makes the system ignore all ICMP Echo requests; in effect this is the extreme case of icmp_echoreply_rate. 1: ignore, 0: respond.

    The Ping command sends an ICMP Echo request message to the computer and monitors the return of the response message to verify the connection with the remote computer or the local computer.

    Setting it to 1 may prevent your host from being used as a springboard for DoS attacks.

icmp_echo_ignore_broadcasts

    BOOLEAN. Whether to respond to ICMP echo request broadcasts: 0 means respond, 1 means ignore.

    This can be a very useful tool to prevent denial of service attacks. Set to 1 to ignore these subnet broadcast messages.

    Note: Windows systems do not respond to ICMP echo request broadcasts.

    Example: On Red Hat 6.x and Red Hat 7 the value defaults to 0, so when a user pings the network (subnet) address of the segment where the servers are located, every Linux server responds, which also lets the user discover the servers' IP addresses. Execute echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts to turn this off, preventing ICMP storms and network congestion.

icmp_echoreply_rate

    INTEGER. The rate at which ICMP echo replies are sent in response to ICMP echo requests.

    Example: Assume two hosts A and B. First ping host A from host B and observe that replies arrive normally. Then execute echo 1000 > /proc/sys/net/ipv4/icmp_echoreply_rate on host A, i.e. respond to one ICMP echo request every 10 seconds. Ping host A again and the reply interval becomes 10 seconds.

    Adjusting this parameter sensibly helps prevent ICMP storms.

icmp_ignore_bogus_error_responses

    BOOLEAN. When set, ignore ICMP errors generated by hosts in the network that claim the response address is a broadcast address.

icmp_paramprob_rate

    INTEGER. When the system receives a datagram with a damaged IP or TCP header, it sends an ICMP packet carrying the error information back to the source. This parameter sets the rate at which such ICMP packets are sent. Under normal circumstances IP or TCP header errors are rare.

icmp_timeexceed_rate

    INTEGER. As a datagram travels through the network its time-to-live field is decremented at each hop. When it reaches 0, the router processing the datagram discards it and sends a "time to live exceeded" ICMP packet to the source host. This parameter sets the rate at which that ICMP packet is sent; it matters mainly when the Linux host acts as a router.

    This rate limit is what causes the famous "Solaris middle star" seen in traceroute output.

IP related service parameter configuration

ip_autoconfig

    BOOLEAN. Indicates whether the host (1) or not (0) obtains its IP configuration through RARP, BOOTP, DHCP or other mechanisms.

ip_default_ttl

    INTEGER. The default value is 64. The time to live of outgoing packets. 64 is a safe setting; if your network is large, increase it. Do not raise it casually, because that creates harmful routing loops. In many cases you should instead consider whether the value can be reduced.

    TTL is a field in the IP packet header that tells the network whether a packet has been circulating too long and should be discarded. There are many reasons a packet may fail to reach its destination within a reasonable time; the remedy is to discard it after a while and notify the sender, which then decides whether to resend. The initial TTL is usually the system default, stored in an 8-bit header field. The original idea of TTL was a time limit after which the packet is discarded. Since every router must decrement the field by at least one, TTL in practice gives the maximum number of routers a packet may traverse before being discarded. When the count reaches 0 the router discards the packet and sends an ICMP message to the original sender.

ip_dynaddr

    Enumeration: 0, 1 or 2. This parameter is mainly used with dial-up connections. It lets the system rewrite the source address of outgoing IP packets to the new interface address as soon as the address changes, abort the original TCP conversation and resend a SYN with the new address to start a new one. With IP masquerading (called IP spoofing in the original text), this lets the host switch to the new IP address immediately. Values: 1 enables the function; 2 enables it in verbose mode; 0 disables it.

    Application example: when ipchains is used to masquerade a LAN so it can share one PPP connection to the Internet, a site sometimes fails to connect on the first attempt and succeeds after a refresh. Setting this parameter to 1 solves the problem by immediately switching the masqueraded address to the new IP address. The command is: echo 1 > /proc/sys/net/ipv4/ip_dynaddr.

ip_forward

    BOOLEAN. The default value is 0. Whether the kernel forwards packets. Disabled (0) by default; enabling it (1) lets the system act as a router. IP forwarding works on hosts with either one or two network cards.

    Example: Suppose a Linux host with two network cards is used as a firewall. The following command enables IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward.

ip_local_port_range

    INTEGER. The local port range used for outgoing connections. Default: 1024 to 4999 (quite small).

ip_no_pmtu_disc

    BOOLEAN. The default value is 0. Set it to disable Path MTU Discovery.

    Path MTU Discovery is a technique for detecting the largest MTU (Maximum Transmission Unit) usable along a transmission path.

ipfrag_high_thresh

    INTEGER. The maximum memory used for IP fragment reassembly. Once this many bytes are in use, the fragment handler discards further fragments.

ipfrag_low_thresh

    INTEGER. The minimum memory used for IP fragment reassembly.

ipfrag_time

    INTEGER. The retention time (in seconds) of IP fragments in memory.

ip_nonlocal_bind

    BOOLEAN. The default value is 0. Set this option if an application must bind to an address that does not belong to a local network card. This is useful when the machine has no dedicated line (or only a dynamic connection): the service can start and bind to the specified address even while the link is down.

TCP related service parameter configuration

In the TCP/IP protocol suite, TCP provides a reliable connection service and uses a three-way handshake to establish a connection.

First handshake: the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server to confirm.

Second handshake: the server receives the SYN, confirms the client's SYN (ack=j+1) and at the same time sends its own SYN (syn=k), i.e. a SYN+ACK packet; the server enters the SYN_RECV state.

Third handshake: the client receives the SYN+ACK and sends an ACK (ack=k+1) to the server. Once this packet is sent, both client and server enter the ESTABLISHED state; the three-way handshake is complete and data transfer begins.

tcp_abort_on_overflow

    BOOLEAN. The default value is 0. When the listening daemon is too busy to accept new connections, reset them (send an RST packet to the peer). With the option off, an overflow caused by an occasional burst lets the connection recover. Enable this option only when you are sure the daemon cannot be tuned to accept connections faster; it can harm the server's clients.

    For services such as sendmail and apache that are already fully loaded, enabling it terminates client connections quickly and gives the service a chance to handle its existing connections, so many firewall guides recommend enabling it.

    RST (reset the connection): used to reset a TCP connection that has become erroneous for some reason, and also to reject illegal data and requests. Receiving an RST usually indicates that some error has occurred.

tcp_fin_timeout

    INTEGER. The default value is 60. For a connection closed by the local end, this parameter determines how long the socket stays in the FIN-WAIT-2 state. The peer may misbehave and never close the connection, or even crash unexpectedly. The default is 60 seconds; the usual value in Linux 2.2 kernels was 180 seconds. You can lower this setting, but remember that even a lightly loaded web server risks memory exhaustion from a large number of dead sockets. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because each such socket eats at most 1.5K of memory, but they live longer. See tcp_max_orphans.

    Lowering the value is also significant when doing NAT; consider reducing it to 30.

    Note: TCP termination is achieved by a four-way handshake between the two parties. The party that initiates termination performs an active close; the responding party performs a passive close.
    The initiator changes state to FIN_WAIT_1, the application closes, and a TCP FIN segment is sent.
    The receiver gets the FIN, returns an ACK with the acknowledgment sequence number, delivers an end-of-file (EOF) to its process and changes state to CLOSE_WAIT; on receiving the ACK the initiator changes state to FIN_WAIT_2.
    The receiver's application closes, the receiver changes state to LAST_ACK and sends a TCP FIN segment to the other party.
    On receiving the FIN the initiator changes state to TIME_WAIT and sends an ACK for that FIN. After the ACK is delivered (within 2MSL), both sides end in the CLOSED state.
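As an added example (not from the original article), the following Python models both exchanges described above: the three-way handshake with its syn=j / ack=j+1 / syn=k / ack=k+1 numbers, and the four-way close through FIN_WAIT_1, CLOSE_WAIT, FIN_WAIT_2, LAST_ACK and TIME_WAIT. The Segment and Endpoint names and the j and k values are assumptions chosen for this example; the state names are the ones the text uses. It also shows the check a real stack makes in the third handshake: a SYN+ACK that acknowledges the wrong number is answered with an RST rather than accepted.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    flags: str                 # "SYN", "SYN+ACK", "ACK", "FIN" or "RST"
    seq: int
    ack: Optional[int] = None


class Endpoint:
    def __init__(self, name, isn):
        self.name, self.isn = name, isn
        self.state = "CLOSED"
        self.snd_nxt = isn     # next sequence number this side will send
        self.rcv_nxt = None    # next sequence number expected from the peer
        self.trace = []        # every state entered, in order

    def _enter(self, state):
        self.state = state
        self.trace.append(state)

    # -- three-way handshake ------------------------------------------------
    def listen(self):
        self._enter("LISTEN")

    def connect(self):
        """First handshake: send SYN (syn=j), enter SYN_SENT."""
        self._enter("SYN_SENT")
        self.snd_nxt = self.isn + 1            # a SYN consumes one sequence number
        return Segment("SYN", self.isn)

    def on_syn(self, seg):
        """Second handshake: ack j+1 and send own SYN (syn=k), enter SYN_RECV."""
        assert self.state == "LISTEN" and seg.flags == "SYN"
        self.rcv_nxt = seg.seq + 1
        self.snd_nxt = self.isn + 1
        self._enter("SYN_RECV")
        return Segment("SYN+ACK", self.isn, self.rcv_nxt)

    def on_syn_ack(self, seg):
        """Third handshake: require ack == j+1, reply ACK k+1, enter ESTABLISHED.
        A SYN+ACK that acknowledges the wrong number is answered with RST."""
        assert self.state == "SYN_SENT" and seg.flags == "SYN+ACK"
        if seg.ack != self.snd_nxt:
            return Segment("RST", seg.ack)
        self.rcv_nxt = seg.seq + 1
        self._enter("ESTABLISHED")
        return Segment("ACK", self.snd_nxt, self.rcv_nxt)

    def on_ack(self, seg):
        """An ACK completes the handshake (SYN_RECV) or one half of the close."""
        assert seg.flags == "ACK"
        if seg.ack != self.snd_nxt:
            return                              # stale or bogus ack: ignore
        next_state = {"SYN_RECV": "ESTABLISHED", "FIN_WAIT_1": "FIN_WAIT_2",
                      "LAST_ACK": "CLOSED"}.get(self.state)
        if next_state:
            self._enter(next_state)

    # -- four-way close -----------------------------------------------------
    def close(self):
        """Active close: ESTABLISHED -> FIN_WAIT_1. Passive close (after the
        application has seen EOF): CLOSE_WAIT -> LAST_ACK. Both send a FIN."""
        self._enter("FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK")
        fin = Segment("FIN", self.snd_nxt, self.rcv_nxt)
        self.snd_nxt += 1                       # a FIN consumes one sequence number
        return fin

    def on_fin(self, seg):
        """Peer's FIN: ESTABLISHED -> CLOSE_WAIT (EOF to the application), or
        FIN_WAIT_2 -> TIME_WAIT for the active closer. The FIN is acked."""
        assert seg.flags == "FIN"
        self.rcv_nxt = seg.seq + 1
        self._enter("CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT")
        return Segment("ACK", self.snd_nxt, self.rcv_nxt)

    def time_wait_expired(self):
        """After 2MSL the active closer leaves TIME_WAIT."""
        assert self.state == "TIME_WAIT"
        self._enter("CLOSED")


def run_connection(j=1000, k=5000):
    """Full handshake, then an active close by the client; returns both traces."""
    client, server = Endpoint("client", j), Endpoint("server", k)
    server.listen()
    syn_ack = server.on_syn(client.connect())          # handshakes 1 and 2
    ack = client.on_syn_ack(syn_ack)                   # handshake 3
    server.on_ack(ack)
    assert (syn_ack.ack, ack.ack) == (j + 1, k + 1)
    client.on_ack(server.on_fin(client.close()))       # FIN, ACK: FIN_WAIT_2 / CLOSE_WAIT
    server.on_ack(client.on_fin(server.close()))       # FIN, ACK: TIME_WAIT / CLOSED
    client.time_wait_expired()                         # 2MSL later
    return client.trace, server.trace


def bogus_syn_ack_is_reset(j=1000, k=5000):
    """A SYN+ACK carrying the wrong acknowledgment number gets an RST."""
    client = Endpoint("client", j)
    client.connect()
    reply = client.on_syn_ack(Segment("SYN+ACK", k, j + 99))
    return reply.flags, client.state
```

The traces returned by run_connection() are exactly the state sequences the text lists for each side, and the side that closes first is the one that ends up in TIME_WAIT, which is why tcp_fin_timeout and the TIME-WAIT parameters further down matter on a server that actively closes many connections.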

tcp_keepalive_time

    INTEGER. The default value is 7200 seconds (2 hours). When keepalive is enabled, how often TCP sends keepalive messages.

    Because of the prevalence of network attacks, this behaviour is frequently exploited: if two sides establish a connection and then send no data and no RST/FIN, the connection lingers for 2 hours, which increases the risk of idle-connection attacks. tcp_keepalive_time is meant to limit this. When running a NAT service, this value is generally changed to 1800 seconds.

tcp_keepalive_intvl

    INTEGER. The default value is 75 seconds. How often a probe is resent when a keepalive probe is not acknowledged. The default of 75 seconds multiplied by tcp_keepalive_probes gives the time after which a connection that has not responded since probing started is killed: inactive connections are dropped after about 11 minutes.

    For ordinary applications this value is somewhat large and can be reduced as needed, especially on web servers; 15 seconds may be more appropriate.

tcp_keepalive_probes

    INTEGER. The default value is 9. How many TCP keepalive probes are sent before the connection is declared invalid/disconnected. The default of 9 multiplied by tcp_keepalive_intvl determines how long a connection may go without response after keepalive probing starts (see above).

    Note: keepalives are only sent when the SO_KEEPALIVE socket option is enabled. The parameter normally does not need to be modified, but it can be shortened as circumstances require; 5 may be more appropriate.
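As an added example (not from the original article) covering the three keepalive parameters above, the following Python computes how long a silent peer survives before being dropped and shows that the sysctl values are only defaults: a program that sets SO_KEEPALIVE can override them per socket with the Linux options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT. The helper names are assumptions chosen here; the 1800/15/5 values are the ones the text suggests.

```python
import socket


def dead_peer_detection_time(keepalive_time, keepalive_intvl, keepalive_probes):
    """Seconds from the last data on an idle connection until a silent peer is
    declared dead: the idle period, then `probes` unanswered probes sent every
    `intvl` seconds. With the kernel defaults that is 7200 + 9 * 75 = 7875 s;
    the 9 * 75 = 675 s tail is the "about 11 minutes" the text mentions."""
    return keepalive_time + keepalive_intvl * keepalive_probes


def enable_keepalive(sock, idle, intvl, cnt):
    """Turn on SO_KEEPALIVE for one socket and override the three sysctl
    defaults for that socket only (Linux TCP_KEEPIDLE / TCP_KEEPINTVL /
    TCP_KEEPCNT). Keepalives are never sent unless SO_KEEPALIVE is on.
    Returns the values the kernel reports back; on platforms without the
    Linux-specific options only SO_KEEPALIVE is set."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    wanted = {"TCP_KEEPIDLE": idle, "TCP_KEEPINTVL": intvl, "TCP_KEEPCNT": cnt}
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in wanted.items():
        opt = getattr(socket, name, None)      # absent on non-Linux platforms
        if opt is None:
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo():
    """The NAT-friendly values the text suggests (1800 s idle, 15 s interval,
    5 probes) applied to a fresh TCP socket; no connection is needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        applied = enable_keepalive(s, idle=1800, intvl=15, cnt=5)
    applied["dead_after_s"] = dead_peer_detection_time(1800, 15, 5)
    return applied


if __name__ == "__main__":
    print(demo())
```

With the suggested values a dead peer is detected after 1800 + 5 * 15 = 1875 seconds instead of 7875, and because the override is per socket, a long-lived management connection can keep the conservative defaults while a NAT-facing service uses the short ones.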

tcp_max_orphans

    INTEGER. The default value is 8192. The maximum number of TCP sockets the system will handle that are not attached to any process. If this number is exceeded, such connections are reset immediately and a warning is printed. This limit exists purely to resist simple DoS attacks; do not rely on it too much or lower it artificially. Rather increase it (when you add memory).

    Note: Each "orphan socket" can eat up to 64K of your non-swappable memory.

    Red Hat AS sets this value to 32768, while many firewall tuning guides recommend 2000.

tcp_orphan_retries

    INTEGER. The default value is 7. How many retries are performed before the local end discards a TCP connection. The default of 7 corresponds to 50 seconds to 16 minutes, depending on the RTO. On a heavily loaded web server you may need to lower this value, because such sockets can consume many resources. See also tcp_max_orphans.

    Lowering the value is also significant when doing NAT; try reducing it to 3 or less.

tcp_max_syn_backlog

    INTEGER. The maximum number of connection requests that have not yet received the client's acknowledgment that can be held in the queue. The default is 1024 on systems with more than 128MB of memory and 128 on systems with less. If the server is frequently overloaded, try increasing this number.

    Warning: if you set this value above 1024, you should also modify TCP_SYNQ_HSIZE in include/net/tcp.h so that TCP_SYNQ_HSIZE*16 <= tcp_max_syn_backlog, and recompile the kernel.

    A SYN flood attack exploits a weakness of the TCP three-way handshake: the attacker forges source IP addresses and sends a large number of TCP SYN half-open connections to the target, eventually exhausting the target's socket queue resources so that it can no longer accept new connections. To cope with this, modern Unix systems commonly use two connection queues to buffer (rather than solve) the attack: one queue handles normal fully established connections (connect() and accept()), and a separate queue stores half-open connections. Combined with other kernel measures (such as SYN cookies/caches), this two-queue design effectively mitigates small-scale SYN floods (in practice, under 1000 packets/s). Increasing the SYN queue length accommodates more pending connections, so consider raising this value on servers.

tcp_max_tw_buckets

    INTEGER. The default value is 180000. The maximum number of TIME-WAIT sockets the system handles at the same time. If this number is exceeded, TIME-WAIT sockets are destroyed immediately and a warning is printed. This limit exists purely to defend against simple DoS attacks; do not lower it artificially. If network conditions require more than the default, increase it along with memory.

    It is best to increase this value appropriately when doing NAT.

tcp_retrans_collapse

    BOOLEAN. The default value is 1. Bug-to-bug compatibility with some broken printers: on retransmit, try to send larger packets to work around bugs in certain TCP stacks.

    General web servers do not need this support, you can turn it off.

tcp_retries1

    INTEGER. The default value is 3. How many retries before giving up on a TCP connection request (that is, recognising an error and reporting it to the network layer). The RFC specifies a minimum of 3, which is also the default, corresponding to 3 seconds to 8 minutes depending on the RTO.

    Note: this value also governs incoming SYN connections.

tcp_retries2

    INTEGER. How many retries before an active (established) TCP connection is discarded. The default is 15, corresponding to 13 to 30 minutes depending on the RTO (RFC 1122 requires at least 100 seconds).

    This value can be reduced to suit the network, for example 5 on a web service network.

tcp_rfc1337

    BOOLEAN. The default value is 0. Enables the fix for the TCP "time-wait assassination hazards" described in RFC 1337. When enabled, the kernel discards RST packets sent to sockets in the TIME-WAIT state.

tcp_sack

    BOOLEAN. The default value is 1. Whether to enable Selective Acknowledgment (SACK), which identifies exactly which packets are missing and so helps the connection recover quickly. Acknowledging segments received out of order selectively lets the sender retransmit only the missing segments, improving performance.

    For WAN communication this option should be enabled, although it increases CPU usage.

tcp_fack

    BOOLEAN. The default value is 1. Enable FACK congestion avoidance and fast retransmission functions.

    Note: when tcp_sack is 0, this value has no effect even if set to 1.

tcp_dsack

    BOOLEAN. The default value is 1. Allow TCP to send duplicate SACKs (D-SACK).

tcp_stdurg

    BOOLEAN. The default value is 0. Use the Host Requirements RFC interpretation of the TCP urgent pointer. Most hosts use the BSD interpretation, so enabling this on Linux may break normal communication with other machines.

tcp_syn_retries

    INTEGER. For a new connection, how many SYN requests the kernel sends before giving up. Should not exceed 255; the default is 5, corresponding to about 180 seconds.

    On a heavily loaded network with good physical connectivity this value is too high and can be changed to 2. It applies only to outgoing connections; incoming connections are governed by tcp_retries1.

tcp_synack_retries

    INTEGER. The default value is 5. In response to a remote SYN, the kernel sends a SYN+ACK to acknowledge the SYN; this is the second step of the three-way handshake. This parameter determines how many SYN+ACKs the kernel sends before giving up on the connection. Should not exceed 255; the default of 5 corresponds to about 180 seconds.

    This value can be set in line with tcp_syn_retries above.

tcp_timestamps

    BOOLEAN. The default value is 1. Timestamps protect against sequence-number wraparound and against forged sequence numbers. On a 1 Gbit/s link an old sequence number from a previous wrap may reappear; the timestamp lets the receiver recognise it as an "old packet".

    This setting enables RTT calculation by a more accurate method (RFC 1323) than retransmission timeouts. For better performance this option should be enabled.

tcp_tw_recycle

    BOOLEAN. The default value is 0. Enables fast recycling of TIME-WAIT sockets. Do not change this value unless advised or required by experts.

    When doing NAT, it is recommended to turn it on. (Caveat: recycling relies on per-peer timestamps, so clients that share one NAT address can have their connections dropped; the option was removed in Linux 4.12.)

tcp_tw_reuse

    BOOLEAN. The default value is 0. Whether sockets in the TIME-WAIT state may be reused for new TCP connections.

    This helps when a service such as a web application is restarted quickly and reports that the port is already in use.

tcp_window_scaling

    BOOLEAN. The default value is 1. Whether the sliding window size of a TCP/IP session is variable: 1 means variable, 0 means fixed. The normal TCP/IP window is at most 65535 bytes, which may be too small for high-speed networks; enabling this function lets the sliding window grow by several orders of magnitude, improving throughput (RFC 1323).

    On an ordinary 100M network, turning it off reduces overhead, so if you are not on a high-speed network you may consider setting it to 0.

    Once the kernel decides it cannot send a packet, it discards the packet and sends an ICMP notification to the host that sent it.

tcp_syncookies

    BOOLEAN. The default value is 0. Only effective if CONFIG_SYNCOOKIES was selected when the kernel was compiled. When the SYN wait queue overflows, send SYN cookies to the peer. The purpose is to defend against SYN flood attacks.

    Note: this option must not be used on heavily loaded servers that are not under attack. If SYN flood messages appear in the log but investigation shows no SYN flood, the cause is excessive load from legitimate users, and you should tune other parameters to improve server performance instead. See: tcp_max_syn_backlog / tcp_synack_retries / tcp_abort_on_overflow.

    SYN cookies seriously violate the TCP protocol and do not allow TCP extensions, which can severely affect some services (such as SMTP relaying). The implementation resembles the TCP proxy used on BSD and deviates from the RFC three-way handshake, but it is genuinely useful for defending against SYN floods.
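As an added example (not from the original article) for the tcp_max_syn_backlog and tcp_syncookies passages, the following Python reads the SYN-queue and accept-queue counters out of two netstat -s snapshots and the kernel's "Possible SYN flooding on port" log line, then applies the distinction the text draws: cookies being sent while the accept queue is not overflowing points at the half-open queue filling with unanswered handshakes (a SYN flood or an undersized backlog), whereas accept-queue overflows point at a daemon that cannot accept() fast enough, which is the legitimate-overload case where other parameters should be tuned instead. The sample counters and log lines are constructed, the rate thresholds in classify() are assumptions, and the function names are mine.

```python
import re

# Constructed samples (not real captures): the TcpExt part of `netstat -s`
# taken 60 seconds apart, plus two kernel log lines of the kind the text
# calls "synflood messages".
NETSTAT_T0 = """\
TcpExt:
    12 SYN cookies sent
    0 SYN cookies received
    3 times the listen queue of a socket overflowed
    3 SYNs to LISTEN sockets dropped
"""
NETSTAT_T1 = """\
TcpExt:
    9012 SYN cookies sent
    14 SYN cookies received
    3 times the listen queue of a socket overflowed
    9003 SYNs to LISTEN sockets dropped
"""
KERNEL_LOG = """\
TCP: Possible SYN flooding on port 80. Sending cookies.
TCP: Possible SYN flooding on port 443. Sending cookies.
"""

# counter name -> label as printed by `netstat -s`
COUNTERS = {
    "syncookies_sent": "SYN cookies sent",
    "listen_overflows": "times the listen queue of a socket overflowed",
    "listen_drops": "SYNs to LISTEN sockets dropped",
}


def parse_netstat_tcpext(text):
    """Pick the counters we care about out of `netstat -s` style output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if not m:
            continue
        for key, label in COUNTERS.items():
            if m.group(2) == label:
                found[key] = int(m.group(1))
    return found


def flooded_ports(log_text):
    """Ports named in kernel 'Possible SYN flooding' messages, sorted."""
    return sorted({int(p) for p in
                   re.findall(r"Possible SYN flooding on port (\d+)", log_text)})


def classify(before, after, seconds):
    """Per-second rates between two snapshots and a coarse verdict.
    Thresholds (10 cookies/s, 1 overflow/s) are assumptions for this example."""
    rate = {k: (after.get(k, 0) - before.get(k, 0)) / seconds for k in COUNTERS}
    if rate["syncookies_sent"] > 10 and rate["listen_overflows"] < 1:
        verdict = "syn_flood_or_small_backlog"       # half-open queue full
    elif rate["listen_overflows"] >= 1:
        verdict = "application_too_slow_to_accept"   # accept queue full
    elif rate["syncookies_sent"] > 0:
        verdict = "occasional_syn_queue_pressure"
    else:
        verdict = "ok"
    return verdict, rate


def demo():
    before = parse_netstat_tcpext(NETSTAT_T0)
    after = parse_netstat_tcpext(NETSTAT_T1)
    verdict, rate = classify(before, after, 60)
    return verdict, rate, flooded_ports(KERNEL_LOG)


if __name__ == "__main__":
    print(demo())
```

On the constructed snapshots the cookie counter rises by 150 per second while the listen-queue overflow counter does not move at all, so the verdict is the SYN-queue case, and the log lines name ports 80 and 443; had the overflow counter been climbing instead, the same code would have pointed at tcp_max_syn_backlog, tcp_synack_retries and tcp_abort_on_overflow as the parameters to look at, as the note above suggests.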

tcp_ecn

    BOOLEAN. The default value is 0. Enable TCP Explicit Congestion Notification (ECN).

tcp_reordering

    INTEGER. The default value is 3. The maximum number of reordered datagrams in a TCP stream.

    It is recommended to adjust this value slightly larger, such as 5.

tcp_wmem

    Three INTEGER values: min default max.

    min: The minimum memory reserved for sending buffers for TCP sockets. The default value is 4K (4096 bytes).
    default: The default amount of memory reserved for sending buffers for TCP sockets. This value will affect the net.core.wmem_default value used by other protocols, and is generally lower than the net.core.wmem_default value. The default value is 16K (16384 bytes).
    max: The maximum memory used for the send buffer of a TCP socket. This value does not affect net.core.wmem_max, and the "static" socket option SO_SNDBUF is not limited by it. The default value is 128K (131072 bytes). On a server, increasing this parameter helps greatly when sending data. For example, in a web service environment with 8G of memory, set it to "4096 16384 4194304".

tcp_rmem

    Three INTEGER values: min default max.

    min: The minimum memory reserved for the receive buffer of a TCP socket. Even under memory pressure, a TCP socket gets at least this much receive buffer. The default value is 8K.
    default: The default amount of memory reserved for the receive buffer of a TCP socket. This value overrides the net.core.rmem_default value used by other protocols. With the default tcp_adv_win_scale and tcp_app_win = 0, it yields a TCP window of 65535. The default value is 87380.
    max: The maximum memory used for the receive buffer of a TCP socket. This value does not affect net.core.rmem_max, and the "static" socket option SO_RCVBUF is not limited by it. The default value is 128K. The max setting is generally twice the default; it should be increased for NAT applications. For example, in a web service environment with 8G of memory, set it to "4096 87380 4194304".

tcp_mem

    Three INTEGER values: low pressure high.

    low: When the number of memory pages used by TCP is below this value, TCP does not consider releasing memory. Ideally this should match the third value of tcp_wmem: that maximum buffer size multiplied by the maximum number of concurrent requests, divided by the page size: 131072 * 300 / 4096.
    pressure: When the number of memory pages used by TCP exceeds this value, TCP enters "pressure" mode and tries to stabilise its memory usage; it leaves pressure mode once consumption drops below the low value. Ideally this should be the maximum total buffer size TCP may use: 204800 * 300 / 4096.
    high: The number of memory pages all TCP sockets together may use for queuing and buffering datagrams. Above this value new TCP connections are rejected, which is why it should not be too conservative. Raising it pays off: the system can handle many more connections, 2.5 times the expected number, or let existing connections transfer 2.5 times the data. These values are normally calculated from the amount of system memory at boot. For example, in a web service environment with 8G of memory, set it to "196608 262144 393216".

tcp_app_win

    INTEGER. The default value is 31. Reserve max(window/2^tcp_app_win, mss) bytes of the window for application buffering. 0 means no reservation.

tcp_adv_win_scale

    INTEGER. The default value is 2. The buffer overhead is computed as bytes/2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes - bytes/2^(-tcp_adv_win_scale) (if tcp_adv_win_scale <= 0).
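As an added example (not from the original article) tying together tcp_rmem, tcp_mem, tcp_app_win and tcp_adv_win_scale, the following Python carries the formulas above through with the page's own numbers: it derives the window from a receive buffer using the tcp_adv_win_scale rule (which is why the 87380-byte default yields a 65535-byte window), applies the tcp_app_win reservation, converts tcp_mem pages to bytes, and computes the tcp_mem sizing the text gives (131072 * 300 / 4096). The function names are assumptions chosen here; tcp_win_from_space is named after the kernel helper that applies the same rule, but this is a stand-alone reimplementation.

```python
import resource


def tcp_win_from_space(space, adv_win_scale=2):
    """Usable receive window from a receive buffer of `space` bytes, applying
    the tcp_adv_win_scale rule from the text: overhead = space/2^scale when
    scale > 0, otherwise space - space/2^(-scale)."""
    if adv_win_scale > 0:
        return space - (space >> adv_win_scale)
    return space >> (-adv_win_scale)


def app_window_reserve(window, mss, app_win=31):
    """Bytes of window held back for the application per tcp_app_win:
    max(window / 2^tcp_app_win, mss), or nothing when tcp_app_win is 0."""
    if app_win == 0:
        return 0
    return max(window >> app_win, mss)


def check_triplet(name, values):
    """tcp_rmem/tcp_wmem are 'min default max', tcp_mem is 'low pressure high';
    either way the three must be non-decreasing. Returns a list of problems."""
    if len(values) != 3:
        return [f"{name}: expected three values, got {values}"]
    lo, mid, hi = values
    if not lo <= mid <= hi:
        return [f"{name}: values must be non-decreasing: {values}"]
    return []


def tcp_mem_from_buffers(buf_max_bytes, connections, page_size=None):
    """The sizing rule the text gives for tcp_mem: maximum per-socket buffer
    times the expected concurrent connections, divided by the page size."""
    page_size = page_size or resource.getpagesize()
    return buf_max_bytes * connections // page_size


def pages_to_bytes(pages, page_size=None):
    """tcp_mem counts pages, not bytes; convert to compare with tcp_rmem/wmem."""
    page_size = page_size or resource.getpagesize()
    return pages * page_size


def demo():
    """Constructed inputs: the defaults quoted in the text and its 8G examples."""
    rmem_default = 87380
    window = tcp_win_from_space(rmem_default, 2)
    return {
        "window_from_default_rmem": window,
        "app_reserve_default": app_window_reserve(window, 1460, 31),
        "tcp_mem_low_pages": tcp_mem_from_buffers(131072, 300, 4096),
        "tcp_mem_pressure_pages": tcp_mem_from_buffers(204800, 300, 4096),
        "high_bytes_8g_example": pages_to_bytes(393216, 4096),
        "problems": check_triplet("tcp_rmem", [4096, 87380, 4194304])
                    + check_triplet("tcp_mem", [196608, 262144, 393216]),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the output: with tcp_adv_win_scale = 2 a quarter of every receive buffer is bookkeeping overhead, so a "4096 87380 4194304" setting advertises at most about 3 MB, not 4; and the 8G example's high value of 393216 pages is 1.5 GB on 4K pages, which is the figure to compare against physical memory before copying that triplet onto a smaller machine.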

tcp_low_latency

    BOOLEAN. The default value is 0. Allow the TCP/IP stack to adapt to high throughput and low latency; this option is generally disabled, but it is helpful to enable it when building a Beowulf cluster.

tcp_westwood

    BOOLEAN. The default value is 0. Enable the Westwood congestion control algorithm on the sender side, which keeps an estimate of throughput and tries to optimise overall bandwidth use; enable this option for WAN communication.

tcp_bic

    BOOLEAN. The default value is 0. Enable "Binary Increase Congestion" control for fast, long-distance networks, making better use of links running at gigabit speed; enable this option for WAN communication.

IGMP related service parameter configuration

The Internet Group Management Protocol (IGMP) is a communication protocol for managing membership of IP multicast groups. IP hosts and neighbouring routers use IGMP to establish multicast group membership. Like ICMP for unicast, IGMP is an integral part of the IP multicast specification.

igmp_max_memberships

    INTEGER. The maximum number of multicast groups (IGMP memberships) the host can subscribe to.

INET related service parameter configuration

inet_peer_gc_maxtime

    INTEGER. The default value is 120. How often the garbage collector (GC) passes over the inet peer storage pool under low (or no) memory pressure.

inet_peer_gc_mintime

    INTEGER. The default value is 10, in jiffies (one jiffy is about 10 ms on x86 Linux). The minimum interval between garbage collector passes. When the server load is heavy (high memory pressure), adjusting this interval is very effective.

inet_peer_maxttl

    INTEGER. The default value is 600, in jiffies. The maximum lifetime of an inet peer entry. When the pool is under no memory pressure (for example, when it holds few entries), unused entries expire after this time.

inet_peer_minttl

    INTEGER. The default value is 120, in jiffies. The minimum lifetime of an inet peer entry. This must be less than the net.ipv4.inet_peer_threshold parameter.

inet_peer_threshold

    INTEGER. The default value is 65644. The approximate size of the inet peer storage. When this limit is reached, entries are discarded; net.ipv4.inet_peer_gc_mintime limits how aggressively they time out.
 

Origin: blog.csdn.net/Ivan804638781/article/details/98846883