[Kernel tuning] Kernel parameter description

The files under /proc/sys correspond one-to-one to the variables in the configuration file sysctl.conf: a dotted parameter name maps to a path (net.ipv4.tcp_syncookies is /proc/sys/net/ipv4/tcp_syncookies).
Configuration instructions (each line gives parameter=value followed by its description):

Kernel parameter    Description
net.inet.tcp.sendspace=65536 Maximum TCP send buffer space
net.inet.tcp.recvspace=65536 Maximum TCP receive buffer space
net.inet.udp.sendspace=65535 Maximum UDP send buffer size
net.inet.udp.maxdgram=65535 Maximum size of a UDP datagram that can be sent
net.local.stream.sendspace=65535 Send buffer space for local (Unix domain) stream sockets
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1 Enable these TCP protocol extensions (RFC 1323, 1644, 3042 and 3390) to improve network performance
kern.ipc.maxsockbuf=2097152 Maximum socket buffer size
kern.maxfiles=65536 Maximum number of open files allowed system-wide
kern.maxfilesperproc=32768 Maximum number of files a single process can have open at the same time
net.inet.tcp.delayed_ack=0 When a peer initiates a TCP connection, the system answers with an ACK. This option sets whether that ACK is delayed so it can be sent together with the next packet carrying data. On a fast, lightly loaded network this slightly improves performance, but on a poor network connection the other side may not get a response in time and keeps retrying its connection request, which reduces performance.
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0 Disable ICMP redirect handling (incoming redirects are dropped and logged; none are sent for IPv4 or IPv6)
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0 Prevent ICMP broadcast storms (no replies to broadcast echo or address-mask requests)
net.inet.icmp.icmplim=100 Limit the rate at which the system sends ICMP responses
net.inet.icmp.icmplim_output=0 Do not log when that ICMP rate limit is hit
net.inet.tcp.drop_synfin=1 Security parameter: drop TCP packets that have both SYN and FIN set; it only takes effect when the kernel is compiled with options TCP_DROP_SYNFIN.
net.inet.tcp.always_keepalive=1 Setting this to 1 helps the system clear TCP connections that were not closed properly. It costs a little extra network bandwidth, but dead connections are eventually detected and removed. Dead TCP connections are a particular problem on systems used by dial-up users, who often hang up the modem without correctly closing active connections.
net.inet.ip.intr_queue_maxlen=1000 If net.inet.ip.intr_queue_drops keeps increasing, raise net.inet.ip.intr_queue_maxlen; ideally net.inet.ip.intr_queue_drops stays at 0.
net.inet.tcp.msl=7500 Helps resist DoS attacks; the default is 30000.
net.inet.tcp.blackhole=2 Silently drop every packet arriving at a closed TCP port instead of replying; when set to 1, only TCP SYN packets are dropped.
net.inet.udp.blackhole=1 Silently drop all UDP packets arriving at a closed port.
net.inet.tcp.inflight.enable=1 Provide buffering for network data connections (TCP inflight bandwidth limiting).
net.inet.ip.fastforwarding=0 If enabled, once a destination has been forwarded successfully its data is recorded in the routing table and ARP table, saving route-lookup time, but this requires a large amount of kernel memory to hold the routing table.
kern.polling.enable=1 Requires a kernel compiled with the POLLING option; using polling together with SMP under high load is not recommended.
kern.ipc.somaxconn=32768 Maximum listen backlog (queued incoming connections); the default is 128 and the recommended range is 1024-4096. The larger the value, the more memory is used.
security.bsd.see_other_uids=0 Prevent users from seeing other users' processes
kern.securelevel=0 Kernel security level
net.inet.tcp.log_in_vain=1 Log any TCP connection attempt (including those to ports with no listener)
net.inet.udp.log_in_vain=1 Log any UDP connection attempt (including those to ports with no listener)
net.inet.udp.checksum=1 Verify UDP checksums to guard against malformed UDP packets
net.inet.tcp.syncookies=1 Enable SYN cookies to resist DoS (SYN flood) attacks
kern.ipc.shm_use_phys=1 Only provide physical memory backing for threads; requires more than 256 MB of memory
kern.ipc.shmmax=67108864 Maximum shared memory a thread can use
kern.ipc.shmall=32768 Maximum number of threads
kern.coredump=0 Do not write a core dump when a program crashes
net.local.stream.recvspace=65536
net.local.dgram.maxdgram=16384
net.local.dgram.recvspace=65536 Receive and send space for local (Unix domain) stream and datagram sockets
net.inet.tcp.mssdflt=1460 Default TCP maximum segment size (MSS); use 1452 for ADSL.
net.inet.tcp.minmss=1460 Minimum TCP segment size; use 1452 for ADSL.
net.inet.raw.maxdgram=65536 Maximum raw socket datagram size
net.inet.raw.recvspace=65536 Raw socket receive buffer space
net.inet.ip.fw.dyn_max=65535 Number of dynamic ipfw firewall rules; the default is 4096. Raising it prevents malware that opens a very large number of TCP connections from filling the table so that legitimate connections can no longer be established.
net.inet.ipf.fr_tcpidletimeout=864000 Idle timeout for ipf firewall TCP state entries; the default is 8640000 (120 hours).
net.ipv4.tcp_syncookies = 1 Enable SYN cookies: when the SYN backlog overflows, cookies are used instead, which defends against small-scale SYN flood attacks. The default is 0 (disabled).
net.ipv4.tcp_tw_reuse = 1 Allow TIME-WAIT sockets to be reused for new outgoing TCP connections. The default is 0 (disabled).
net.ipv4.tcp_tw_recycle = 1 Enable fast recycling of TIME-WAIT sockets. The default is 0 (disabled). Note that this option breaks connections from clients behind NAT when timestamps are enabled, and it was removed from the kernel in Linux 4.12.
net.ipv4.tcp_fin_timeout = 30 If a socket is closed by the local side, this sets how long (in seconds) it stays in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200 How often (in seconds) TCP sends keepalive probes when keepalive is enabled. The default is 2 hours; changed here to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000 Port range used for outgoing connections. The default (32768 to 61000) is quite small; changed here to 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192 Length of the SYN queue; the default is 1024. Raising it to 8192 accommodates more half-open connections waiting to be completed.
net.ipv4.tcp_max_tw_buckets = 5000 Maximum number of TIME_WAIT sockets the system keeps at the same time. Beyond this number, TIME_WAIT sockets are cleared immediately and a warning is logged. The default is 180000; changed here to 5000. For servers such as Apache and Nginx the preceding parameters already reduce the number of TIME_WAIT sockets, but for Squid they help little; this parameter caps the number of TIME_WAIT sockets so a Squid server is not dragged down by huge numbers of them.
net.ipv4.tcp_timestamps Enable TCP timestamps
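An added example, not from the original post: a POSIX sh audit that checks a sysctl.conf fragment against the live values the kernel exposes under /proc/sys, so a setting written to the file but never loaded (sysctl -p not run), or one the running kernel no longer has (tcp_tw_recycle on Linux 4.12 and later), is reported instead of silently doing nothing. The demo_audit function is a constructed, offline run over a fake /proc/sys tree holding the Linux settings listed above; audit_sysctl with a real file and no second argument audits a live Linux system (the net.inet.* BSD entries have no /proc/sys equivalent).

```shell
#!/bin/sh
# Added example, not from the original post. audit_sysctl CONF [ROOT] compares
# each key=value line of a sysctl.conf fragment with the file the kernel exposes
# under ROOT (default /proc/sys) and returns the number of findings: DRIFT when
# the running value differs, MISSING when the tunable does not exist on this
# kernel (net.ipv4.tcp_tw_recycle on Linux 4.12+). A constructed ROOT runs offline.
audit_sysctl() {
    conf="$1"; root="${2:-/proc/sys}"; findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                            # drop comments
        case "$line" in *=*) ;; *) continue ;; esac   # skip blank / non key=value lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:blank:]')
        want=$(printf '%s' "${line#*=}" | tr -s '[:blank:]' ' ' | sed 's/^ //;s/ $//')
        path="$root/$(printf '%s' "$key" | tr . /)"    # net.ipv4.x -> ROOT/net/ipv4/x
        if [ ! -f "$path" ]; then
            echo "MISSING $key (no such tunable on this kernel)"
            findings=$((findings + 1)); continue
        fi
        have=$(tr -s '[:blank:]' ' ' < "$path" | sed 's/ $//')   # kernel uses tabs
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key: running=$have file=$want"
            findings=$((findings + 1))
        fi
    done < "$conf"
    return "$findings"    # 0 means the file and the running kernel agree
}

# Offline demo: a constructed /proc/sys tree plus a fragment of the Linux settings
# from this post, chosen so that OK, DRIFT and MISSING each appear.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/net/ipv4"
    printf '1\n'           > "$tmp/sys/net/ipv4/tcp_syncookies"       # matches
    printf '0\n'           > "$tmp/sys/net/ipv4/tcp_tw_reuse"         # drift
    printf '1024\t65000\n' > "$tmp/sys/net/ipv4/ip_local_port_range"  # matches
    cat > "$tmp/sysctl.conf" <<'EOF'
# constructed fragment (values as listed in this post)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
EOF
    audit_sysctl "$tmp/sysctl.conf" "$tmp/sys"; rc=$?
    rm -rf "$tmp"
    return "$rc"          # 2 here: one DRIFT, one MISSING
}
```

Run demo_audit to see the three outcomes; the non-zero return count makes the audit usable as a failing step in a configuration check job.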

Origin blog.csdn.net/qq_30566629/article/details/109738151