Kernel tuning parameters
- vm.swappiness = 10
- net.ipv4.tcp_sack = 1
- net.ipv4.tcp_window_scaling = 1
- net.ipv4.tcp_rmem = 4096 87380 4194304
- net.ipv4.tcp_wmem = 4096 16384 4194304
- net.ipv4.tcp_fin_timeout = 1
- net.ipv4.tcp_keepalive_time = 30
- net.ipv4.route.gc_timeout = 100
- net.ipv4.ip_local_port_range = 1024 65000
- net.ipv4.tcp_tw_reuse = 1
- net.ipv4.tcp_tw_recycle = 1
- net.ipv4.tcp_syn_retries = 1
- net.ipv4.tcp_synack_retries = 1
- net.ipv4.tcp_max_syn_backlog = 262144
- net.ipv4.tcp_max_orphans = 262144
- net.ipv4.tcp_max_tw_buckets = 6000
- net.core.somaxconn = 262144
- net.core.netdev_max_backlog = 262144
- net.core.wmem_default = 8388608
- net.core.rmem_default = 8388608
- net.core.rmem_max = 16777216
- net.core.wmem_max = 16777216
- net.ipv4.tcp_timestamps = 0
- net.ipv4.tcp_mem = 94500000 915000000 927000000
- net.ipv4.tcp_synack_retries = 2
- net.ipv4.tcp_max_tw_buckets = 50000
- # for iptables
- net.ipv4.ip_conntrack_max = 6553600
- net.ipv4.netfilter.ip_conntrack_max = 6553600
- net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300
- net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
- net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
- net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
- net.ipv4.neigh.default.gc_thresh1 = 10240
- net.ipv4.neigh.default.gc_thresh2 = 40960
- net.ipv4.neigh.default.gc_thresh3 = 81920
The swappiness value is closely tied to how the swap partition is used. swappiness=0 means use physical memory as much as possible before turning to swap; swappiness=100 means use the swap partition aggressively and move data from memory into swap promptly. Between these two extremes, the default on CentOS Linux 5 is 60; changing it to 10 is recommended.
net.ipv4.tcp_syncookies = 1
# Enable SYN cookies. When the SYN wait queue overflows, cookies are used to handle new connections, which defends against small-scale SYN attacks. Default is 0 (off).
net.ipv4.tcp_tw_reuse = 1
# Enable reuse: allow TIME-WAIT sockets to be reused for new TCP connections. Default is 0 (off).
net.ipv4.tcp_tw_recycle = 1
# Enable fast recycling of TIME-WAIT sockets in TCP connections. Default is 0 (off).
net.ipv4.tcp_fin_timeout = 30
# If the socket is closed by the local end, this parameter determines how long it stays in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200
# When keepalive is enabled, how often TCP sends keepalive messages. Default is 2 hours; changed to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000
# Port range used for outgoing connections. The default is small (32768 to 61000); changed to 1024 to 65000.
net.ipv4.tcp_max_tw_buckets = 5000
# Maximum number of TIME_WAIT sockets the system keeps at the same time. Above this number,
# TIME_WAIT sockets are cleared immediately and a warning is printed. Default is 180000; changed to 5000.
# For servers such as Apache and Nginx, the parameters above reduce the number of TIME_WAIT sockets well,
# but for Squid they have little effect. This parameter caps the number of TIME_WAIT sockets and keeps a Squid server from being dragged down by a flood of them.
- net.ipv4.conf.eth1.rp_filter = 1
- net.ipv4.conf.eth0.rp_filter = 1
- net.ipv4.conf.lo.rp_filter = 0
- net.ipv4.conf.default.rp_filter = 1
- net.ipv4.conf.all.rp_filter = 0
- The meaning of the rp_filter values, quoted from the kernel's ip-sysctl documentation:
- rp_filter - INTEGER
- 0 - No source validation.
- 1 - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
- 2 - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
- 0 means incoming packets are not checked at all, which carries the risk of DoS attacks.
- 1 means strict checking: a packet is dropped unless it arrived on the interface that is the best route back to its source.
- 2 means less strict checking: the packet is still accepted as long as this host has a route to the source address through any interface.
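Two details matter when reading the settings above. First, the kernel does not take `conf.all.rp_filter` on its own: the value used for source validation on an interface is the larger of `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.<iface>.rp_filter`, so the note's `all = 0` together with `eth0 = 1` still gives strict mode on eth0 (and `conf.default` is only what a newly created interface inherits). Second, the three modes differ in what they compare against the routing table. The script below is an added example, not part of the original note; it models both points with the note's settings and a constructed routing table (the interface names, prefixes and the rule that an unlisted interface inherits `conf.default` are assumptions made here).

```python
"""Model Linux reverse-path filtering (rp_filter) decisions.

Added example; not part of the original note. It computes the rp_filter mode
the kernel applies per interface (max of conf.all and conf.<iface>) and then
judges packets in modes 0/1/2 against a constructed forwarding table (FIB).
"""
import ipaddress

NONE, STRICT, LOOSE = 0, 1, 2

# Constructed from the note's rp_filter settings.
SETTINGS = {
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.eth0.rp_filter": "1",
    "net.ipv4.conf.eth1.rp_filter": "1",
    "net.ipv4.conf.lo.rp_filter": "0",
}

# Constructed FIB: (prefix, egress interface). Deliberately no default route,
# so that loose mode has unrouted sources to reject.
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth0"),
    (ipaddress.ip_network("10.1.0.0/16"), "eth1"),
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    (ipaddress.ip_network("127.0.0.0/8"), "lo"),
]


def effective_rp_filter(settings, iface):
    """Mode the kernel applies to iface: max(conf.all, conf.<iface>).

    An interface with no explicit entry is assumed (here) to carry the
    conf.default value, which is what a newly created interface inherits.
    """
    all_v = int(settings.get("net.ipv4.conf.all.rp_filter", "0"))
    default_v = settings.get("net.ipv4.conf.default.rp_filter", "0")
    if_v = int(settings.get(f"net.ipv4.conf.{iface}.rp_filter", default_v))
    return max(all_v, if_v)


def best_route(fib, src):
    """Longest-prefix match for src; returns the egress interface or None."""
    ip = ipaddress.ip_address(src)
    candidates = [(net.prefixlen, dev) for net, dev in fib if ip in net]
    return max(candidates)[1] if candidates else None


def rp_check(mode, fib, src, in_iface):
    """True if a packet from src arriving on in_iface passes the reverse-path test."""
    if mode == NONE:
        return True
    reverse_path = best_route(fib, src)
    if mode == STRICT:
        # The best route back to the source must leave via the ingress interface.
        return reverse_path == in_iface
    if mode == LOOSE:
        # Any route back to the source is enough.
        return reverse_path is not None
    raise ValueError(f"unknown rp_filter mode {mode}")


def accept(settings, fib, src, in_iface):
    """Apply the effective mode of in_iface to one packet."""
    return rp_check(effective_rp_filter(settings, in_iface), fib, src, in_iface)


if __name__ == "__main__":
    for src, dev in [("10.1.2.3", "eth0"), ("10.1.2.3", "eth1"),
                     ("203.0.113.5", "eth0"), ("203.0.113.5", "lo")]:
        mode = effective_rp_filter(SETTINGS, dev)
        print(f"src={src:<12} in={dev:<5} rp_filter={mode} accept={accept(SETTINGS, FIB, src, dev)}")
```

With the note's settings, a packet claiming source 10.1.2.3 that arrives on eth0 is dropped, because the best route back to 10.1.0.0/16 is eth1; the same packet on eth1 passes, and anything on lo passes because lo is in mode 0. Loose mode only rejects sources with no route at all, so on a host with a default route it rejects almost nothing; that is why strict mode is the usual choice on a single-homed server and loose mode is reserved for multi-homed hosts with asymmetric routing.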