Linux sysctl command parameters explained

    The Linux kernel exports kernel information to user space through the /proc virtual file system, and users can also configure the kernel dynamically through /proc or with the sysctl command. For example, to enable NAT, besides loading the modules and configuring the firewall, you also have to enable the kernel's IP forwarding. There are three ways to do this:

    1. Write to the /proc file system directly:
       # echo 1 > /proc/sys/net/ipv4/ip_forward

    2. Use the sysctl command:
       # sysctl -w net.ipv4.ip_forward=1
       (sysctl -a lists every variable the kernel exports)

    3. Edit /etc/sysctl.conf and add the following line, so that the variable is 1 after every boot:
       net.ipv4.ip_forward = 1

    sysctl is a command from the procps package, which also provides w, ps, vmstat, pgrep, pkill, top, slabtop and other commands.

    sysctl configures and displays the kernel parameters under /proc/sys. It can be used to set or reset networking features such as IP forwarding, IP fragment handling and source-route checking. Editing /etc/sysctl.conf is all it takes to apply the functions controlled by sysctl, either by hand or automatically.

    Command syntax:
        sysctl [-n] [-e] -w variable=value
        sysctl [-n] [-e] -p <filename>   (default /etc/sysctl.conf)
        sysctl [-n] [-e] -a

    Common options:
        -w   temporarily change the value of a given parameter, e.g.
             sysctl -w net.ipv4.ip_forward=1
        -a   display all system parameters
        -p   load parameters from the given file; if no file is given, load /etc/sysctl.conf

    If you only want to change a parameter temporarily, there are two ways. For example, to enable IP forwarding:
        1) # echo 1 > /proc/sys/net/ipv4/ip_forward
        2) # sysctl -w net.ipv4.ip_forward=1
    Both enable forwarding immediately, but the value is lost when the system reboots or when you run
        # service network restart
    To keep the setting permanently, edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.

    sysctl is an interface that lets you change a running Linux system. It covers advanced options of the TCP/IP stack and the virtual memory system, with which an experienced administrator can obtain noticeable performance gains. sysctl can read and set more than five hundred system variables. Accordingly, sysctl(8) provides two functions: reading and modifying system settings.

    List all readable variables:
        % sysctl -a
    Read one variable, e.g. kern.maxproc:
        % sysctl kern.maxproc
        kern.maxproc: 1044
    Set a variable with the variable=value syntax:
        # sysctl kern.maxfiles=5000
        kern.maxfiles: 2088 -> 5000

    You can change system variables with sysctl, or by editing the sysctl.conf file. sysctl.conf looks much like rc.conf: it sets values in variable=value form. The values are applied after the system enters multi-user mode, and not every variable can be set in that mode. sysctl variables are usually strings, numbers or booleans (a boolean uses 1 for 'yes' and 0 for 'no').

    sysctl -w kernel.sysrq=0
    sysctl -w kernel.core_uses_pid=1
    sysctl -w net.ipv4.conf.default.accept_redirects=0
    sysctl -w net.ipv4.conf.default.accept_source_route=0
    sysctl -w net.ipv4.conf.default.rp_filter=1
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=2048
    sysctl -w net.ipv4.tcp_fin_timeout=30
    sysctl -w net.ipv4.tcp_synack_retries=2
    sysctl -w net.ipv4.tcp_keepalive_time=3600
    sysctl -w net.ipv4.tcp_window_scaling=1
    sysctl -w net.ipv4.tcp_sack=1

    Configuring sysctl

    Edit this file:

    vi /etc/sysctl.conf

    If the file is empty, enter the following; otherwise adjust it to your situation:

    # Controls source route verification
    # Default should work for all interfaces
    net.ipv4.conf.default.rp_filter = 1
    # net.ipv4.conf.all.rp_filter = 1
    # net.ipv4.conf.lo.rp_filter = 1
    # net.ipv4.conf.eth0.rp_filter = 1

    # Disables IP source routing
    # Default should work for all interfaces
    net.ipv4.conf.default.accept_source_route = 0
    # net.ipv4.conf.all.accept_source_route = 0
    # net.ipv4.conf.lo.accept_source_route = 0
    # net.ipv4.conf.eth0.accept_source_route = 0

    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0

    # Controls whether core dumps will append the PID to the core filename.
    # Useful for debugging multi-threaded applications.
    kernel.core_uses_pid = 1

    # Increase maximum amount of memory allocated to shm
    # Only uncomment if needed!
    # kernel.shmmax = 67108864

    # Disable ICMP Redirect Acceptance
    # Default should work for all interfaces
    net.ipv4.conf.default.accept_redirects = 0
    # net.ipv4.conf.all.accept_redirects = 0
    # net.ipv4.conf.lo.accept_redirects = 0
    # net.ipv4.conf.eth0.accept_redirects = 0

    # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
    # Default should work for all interfaces
    net.ipv4.conf.default.log_martians = 1
    # net.ipv4.conf.all.log_martians = 1
    # net.ipv4.conf.lo.log_martians = 1
    # net.ipv4.conf.eth0.log_martians = 1

    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 25

    # Decrease the time default value for tcp_keepalive_time connection
    net.ipv4.tcp_keepalive_time = 1200

    # Turn on the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 1

    # Turn on the tcp_sack
    net.ipv4.tcp_sack = 1

    # tcp_fack should be on because of sack
    net.ipv4.tcp_fack = 1

    # Turn on the tcp_timestamps
    net.ipv4.tcp_timestamps = 1

    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

    # Enable ignoring broadcasts request
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    # Enable bad error message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    # Make more local ports available
    # net.ipv4.ip_local_port_range = 1024 65000

    # Set TCP Re-Ordering value in kernel to '5'
    net.ipv4.tcp_reordering = 5

    # Lower syn retry rates
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_syn_retries = 3

    # Set Max SYN Backlog to '2048'
    net.ipv4.tcp_max_syn_backlog = 2048

    # Various Settings
    net.core.netdev_max_backlog = 1024

    # Increase the maximum number of skb-heads to be cached
    net.core.hot_list_length = 256

    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 360000

    # This will increase the amount of memory available for socket input/output queues
    net.core.rmem_default = 65535
    net.core.rmem_max = 8388608
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.core.wmem_default = 65535
    net.core.wmem_max = 8388608
    net.ipv4.tcp_wmem = 4096 65535 8388608
    net.ipv4.tcp_mem = 8388608 8388608 8388608
    net.core.optmem_max = 40960

    If you want to stop other hosts from pinging your machine, add the following:

    # Disable ping requests
    net.ipv4.icmp_echo_ignore_all = 1

    After editing, run the following commands so the changes take effect immediately:

    /sbin/sysctl -p
    /sbin/sysctl -w net.ipv4.route.flush=1
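    A mistake in /etc/sysctl.conf only shows up when `sysctl -p` runs, typically at boot: a misspelled key prints an error and is skipped, and a value that silently differs from what is running is easy to miss. The script below is an added example (it is not part of the original article and not part of procps): it dry-runs a sysctl.conf file before `sysctl -p`, mapping each dotted key to its /proc/sys path, checking that the path exists, and reporting whether the running value already matches, for the three-method ip_forward case above as well as the hardening file just shown. It assumes a POSIX shell with sed and awk; the SYS_ROOT variable is an assumption of this example that redirects the lookup from /proc/sys to a constructed directory tree so it can be tested offline.

```shell
#!/bin/sh
# Added example (not part of the original article): dry-run a sysctl.conf
# before `sysctl -p`. For each "key = value" line it maps the dotted key to
# its /proc/sys path, checks that the path exists (an unknown key makes
# `sysctl -p` print an error) and reports whether the running value already
# matches. SYS_ROOT (an assumed variable for this example) defaults to
# /proc/sys; point it at a constructed directory tree to test offline.

# net.ipv4.ip_forward -> net/ipv4/ip_forward
key_to_path() {
    printf '%s\n' "$1" | tr . /
}

# Parse a sysctl.conf: strip '#' and ';' comments and blank lines, skip lines
# without '=', and print "key<TAB>value". Values keep their inner spaces
# (e.g. "4096 87380 8388608").
parse_sysctl_conf() {
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1" |
    awk 'index($0, "=") == 0 { next }
         {
             key = substr($0, 1, index($0, "=") - 1)
             val = substr($0, index($0, "=") + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", key)
             gsub(/^[ \t]+|[ \t]+$/, "", val)
             printf "%s\t%s\n", key, val
         }'
}

# Compare one key with the running kernel (or SYS_ROOT). Prints one line:
#   MISSING <key>                  -> sysctl -p would fail on this key
#   MATCH   <key> = <value>        -> already in effect
#   CHANGE  <key>: <old> -> <new>  -> sysctl -p would change it
check_key() {
    key=$1
    want=$2
    f="${SYS_ROOT:-/proc/sys}/$(key_to_path "$key")"
    if [ ! -f "$f" ]; then
        printf 'MISSING %s\n' "$key"
        return 1
    fi
    # /proc/sys separates multi-value entries with tabs; normalise to spaces
    have=$(tr -s '\t' ' ' < "$f")
    if [ "$have" = "$want" ]; then
        printf 'MATCH   %s = %s\n' "$key" "$want"
    else
        printf 'CHANGE  %s: %s -> %s\n' "$key" "$have" "$want"
    fi
}

# Dry-run a whole file. Prints the report and returns 1 if any key is
# missing, so it can gate a configuration deployment.
dry_run_sysctl_conf() {
    tab=$(printf '\t')
    report=$(parse_sysctl_conf "$1" | while IFS="$tab" read -r key val; do
        check_key "$key" "$val" || true
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISSING'
}

# Usage: sh sysctl-dryrun.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    dry_run_sysctl_conf "$1"
fi
```

    Running it against the article's file before `sysctl -p` shows exactly which values will change; a MISSING line means the key does not exist on this kernel (for instance, net.core.hot_list_length from the list above is not present on current kernels), so `sysctl -p` would log an error for it.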

    On Linux we often set kernel parameters by hand under /proc/sys, or echo a specific value into one of the virtual files under /proc to enable a particular feature. A common example is enabling IP forwarding at boot:
        echo "1" > /proc/sys/net/ipv4/ip_forward

    In fact, on Linux the sysctl command lets us view, set or automatically configure particular kernel settings just as easily. Type "sysctl -a" at the shell prompt; an excerpt of the output follows:

    abi.defhandler_coff = 117440515

    dev.raid.speed_limit_max = 100000
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.default.secure_redirects = 1
    net.ipv4.conf.default.accept_redirects = 1
    net.ipv4.conf.default.mc_forwarding = 0
    net.ipv4.neigh.lo.delay_first_probe_time = 5
    net.ipv4.neigh.lo.base_reachable_time = 30
    net.ipv4.icmp_ratelimit = 100
    net.ipv4.inet_peer_gc_mintime = 10
    net.ipv4.igmp_max_memberships = 20
    net.ipv4.ip_no_pmtu_disc = 0
    net.core.no_cong_thresh = 20
    net.core.netdev_max_backlog = 300
    net.core.rmem_default = 65535
    net.core.wmem_max = 65535
    vm.kswapd = 512 32 8
    vm.overcommit_memory = 0
    vm.bdflush = 30 64 64 256 500 3000 60 0 0
    vm.freepages = 351 702 1053
    kernel.sem = 250 32000 32 128
    kernel.panic = 0
    kernel.domainname = (none)
    kernel.hostname = pc02.shinewave.com.tw
    kernel.version = #1 Tue Oct 30 20:11:04 EST 2001
    kernel.osrelease = 2.4.9-13
    kernel.ostype = Linux
    fs.dentry-state = 1611 969 45 0 0 0
    fs.file-nr = 1121 73 8192
    fs.inode-state = 1333 523 0 0 0 0 0
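    The excerpt above already shows why `sysctl -a` output is worth auditing rather than just reading: net.ipv4.conf.default.accept_redirects = 1 contradicts the accept_redirects = 0 the article's sysctl.conf sets. The following is an added example, not part of the original article: it parses a `sysctl -a` listing and checks the keys of the article's hardening baseline against their expected values, so the check can run on a saved listing from any host. It assumes a POSIX shell with awk; SAMPLE_LISTING is constructed from the excerpt above plus the baseline keys with deliberately weak values, and BASELINE holds the article's own values.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a `sysctl -a`
# listing against the hardening values the article's sysctl.conf sets. The
# listing is plain "key = value" text as sysctl prints it; SAMPLE_LISTING is
# constructed from the excerpt above plus a few keys the baseline covers.

# Baseline ("key value" per line), copied from the article's sysctl.conf.
BASELINE='net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
kernel.sysrq 0'

# Constructed sample listing (not a real host): a subset of the excerpt above
# plus the baseline keys with deliberately weak values.
SAMPLE_LISTING='net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.sysrq = 1
kernel.ostype = Linux
vm.bdflush = 30 64 64 256 500 3000 60 0 0'

# Print the value of one key from a listing on stdin (nothing if absent).
# The field separator is the literal " = " so multi-value settings survive.
lookup_sysctl() {
    awk -v k="$1" -F' = ' '$1 == k { print $2; exit }'
}

# Audit the listing in file $1 against BASELINE. One line per baseline key:
#   PASS   key = value
#   FAIL   key = value (want expected)
#   ABSENT key (want expected)
# Returns 1 if any key failed or is absent, so the audit can gate a build.
audit_sysctl_listing() {
    listing=$1
    status=0
    while read -r key want; do
        have=$(lookup_sysctl "$key" < "$listing" | tr -s '\t' ' ')
        if [ -z "$have" ]; then
            printf 'ABSENT %s (want %s)\n' "$key" "$want"
            status=1
        elif [ "$have" = "$want" ]; then
            printf 'PASS   %s = %s\n' "$key" "$have"
        else
            printf 'FAIL   %s = %s (want %s)\n' "$key" "$have" "$want"
            status=1
        fi
    done <<EOF
$BASELINE
EOF
    return $status
}

# Run the audit over the constructed sample; returns the audit's status.
run_sample_audit() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LISTING" > "$tmp"
    rc=0
    audit_sysctl_listing "$tmp" || rc=1
    rm -f "$tmp"
    return $rc
}

# Usage on a live host: sysctl -a > /tmp/sysctl.txt; sh audit.sh /tmp/sysctl.txt
if [ "$#" -gt 0 ]; then
    audit_sysctl_listing "$1"
fi
```

    On the constructed sample the audit reports five FAIL lines (rp_filter, accept_source_route, accept_redirects, log_martians and kernel.sysrq) and three PASS lines; an ABSENT line means the kernel does not expose that key, which also deserves a look, since `sysctl -p` will not be able to set it either.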

    Original article: https://www.cnblogs.com/kabi/p/7182101.html