Difference between revisions of "Sysctl"

From ArchWiki
m (Configuration: changed the "Package Official" link from kernel26-docs to linux-docs)
Line 108: Line 108:
 
net.ipv4.conf.all.secure_redirects = 1
 
net.ipv4.conf.all.secure_redirects = 1
 
</pre>
 
</pre>
 +
 +
== Troubleshooting ==
 +
=== Small periodical freezes ===
 +
 +
Set dirty bytes to small enough value (for example 4M)
 +
 +
  vm.dirty_background_bytes = 4194304
 +
  vm.dirty_bytes = 4194304
  
 
== See also ==
 
== See also ==
 
* The sysctl(8) and sysctl.conf(5) man pages
 
* The sysctl(8) and sysctl.conf(5) man pages
 
* Linux kernel documentation ({{filename|&lt;kernel source dir&gt;/Documentation/sysctl/}})
 
* Linux kernel documentation ({{filename|&lt;kernel source dir&gt;/Documentation/sysctl/}})
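Review bot: the added Troubleshooting subsection gives no reason why lowering vm.dirty_background_bytes and vm.dirty_bytes relieves the freezes and does not say where the two lines belong; one sentence of rationale plus a pointer to the sysctl.conf file described under Configuration (and to the vm section of the kernel documentation already listed under See also) would make it usable. The "4M" in the prose and the 4194304 in the settings should also be tied together explicitly, e.g. "4M (4194304 bytes)", so readers who convert the number themselves do not introduce a typo.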

Revision as of 21:05, 18 November 2011

sysctl is a tool (in the [core] package Template:Package Official) for examining and changing kernel parameters at runtime. It is implemented in procfs, the virtual process file system, under /proc/sys/.

Configuration

The sysctl preload/configuration file is located at /etc/sysctl.conf.


The parameters available are those listed under /proc/sys/. For example, the Template:Codeline parameter refers to the file Template:Filename on the file system. The Template:Codeline command can be used to display all values currently available.

Note: If you have the kernel documentation installed (linux-docs), you can find detailed information about sysctl settings in <kernel source dir>/Documentation/sysctl/. It is highly recommended reading before changing sysctl settings.

Settings can be changed through file manipulation or using the sysctl utility. For example, to temporarily enable the magic sysrq key:

# sysctl kernel.sysrq=1

or:

# echo "1" > /proc/sys/kernel/sysrq

To preserve changes between reboots, add or modify the appropriate lines in /etc/sysctl.conf.

Tip: After changing settings in /etc/sysctl.conf, you can load them with
# sysctl -p
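The mapping between a sysctl key and its file under /proc/sys, and the difference between a temporary change and one loaded from sysctl.conf, is easiest to see in code. The script below is an added example and not ArchWiki's or the sysctl tool's own code: it resolves a key to its procfs path and audits a sysctl.conf-style file against the values the kernel is actually running, which is the check a hardening change needs after a reboot, a package upgrade or a stray `sysctl -w`. The fake /proc/sys tree and the hardening.conf it reads are constructed for the demo; the key-separator rule it implements is the one documented for systemd's sysctl.d(5) and is assumed here to match sysctl(8).

```shell
#!/bin/sh
# Audit a sysctl.conf-style file against the values a kernel is running.
# Added example, not ArchWiki's own code. It builds a constructed fake
# /proc/sys tree so it runs offline; pass /proc/sys as the root to audit
# a real host.

# Map a sysctl key to its file under the procfs root. Separator rule as
# documented for systemd's sysctl.d(5) (assumed to match sysctl(8)): if the
# first separator is '/', the key is used as-is; otherwise '.' and '/' are
# swapped, so an interface name containing a dot, e.g. eth0.200, can be
# written net.ipv4.conf.eth0/200.rp_filter.
sysctl_key_to_path() {
    first_sep=$(printf '%s' "$1" | tr -cd './' | cut -c1)
    if [ "$first_sep" = / ]; then
        rel=$1
    else
        rel=$(printf '%s' "$1" | tr './' '/.')
    fi
    printf '%s/%s\n' "$2" "$rel"
}

# Print the running value of one key, or fail if the kernel does not expose
# it. Tabs become single spaces so multi-value keys such as
# ip_local_port_range compare cleanly; the command substitution drops the
# trailing newline that every /proc/sys file carries.
sysctl_running_value() {
    path=$(sysctl_key_to_path "$1" "$2")
    [ -r "$path" ] || return 1
    printf '%s\n' "$(tr '\t' ' ' < "$path" | tr -s ' ')"
}

# Compare every "key = value" line of a sysctl.conf-style file ($1) with the
# running value under root $2. Prints "KEY configured=X running=Y" per
# drifted key, "KEY missing" for keys the kernel lacks, nothing when all
# agree. Comments ('#' or ';') and blank lines are skipped as in sysctl.conf(5).
sysctl_audit() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1" |
    while IFS='=' read -r k v; do
        k=$(printf '%s' "$k" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        v=$(printf '%s' "$v" | tr '\t' ' ' | tr -s ' ' | sed 's/^ *//; s/ *$//')
        if running=$(sysctl_running_value "$k" "$2"); then
            [ "$running" = "$v" ] ||
                printf '%s configured=%s running=%s\n' "$k" "$v" "$running"
        else
            printf '%s missing\n' "$k"
        fi
    done
}

# --- constructed demo: a fake /proc/sys tree and a small hardening file ----
FAKE_ROOT=$(mktemp -d)
trap 'rm -rf "$FAKE_ROOT"' EXIT
mkdir -p "$FAKE_ROOT/net/ipv4/conf/all" "$FAKE_ROOT/kernel"
echo 0 > "$FAKE_ROOT/net/ipv4/tcp_syncookies"       # drifted: file wants 1
echo 1 > "$FAKE_ROOT/net/ipv4/conf/all/rp_filter"   # matches
echo 1 > "$FAKE_ROOT/net/ipv4/ip_forward"           # drifted: file wants 0
echo 0 > "$FAKE_ROOT/kernel/sysrq"                  # matches
printf '32768\t60999\n' > "$FAKE_ROOT/net/ipv4/ip_local_port_range"  # matches

DEMO_CONF=$FAKE_ROOT/hardening.conf
cat > "$DEMO_CONF" <<'EOF'
# a few of the hardening values from the page, plus one the fake tree lacks
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
kernel.sysrq=0
net.ipv4.ip_local_port_range = 32768 60999
net.ipv4.conf.all.log_martians = 1   ; not in the fake tree, reported missing
EOF

sysctl_audit "$DEMO_CONF" "$FAKE_ROOT"
# prints:
# net.ipv4.tcp_syncookies configured=1 running=0
# net.ipv4.ip_forward configured=0 running=1
# net.ipv4.conf.all.log_martians missing
```

To audit a real host, replace the constructed tree with `sysctl_audit /etc/sysctl.conf /proc/sys`. An empty report means the file and the kernel agree; a `missing` line usually means a typo in the key or a kernel built without that feature, which is worth knowing before trusting that a hardening setting is in effect.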

systemd

If you have systemd installed, you will find /etc/sysctl.d/, which is "a drop-in directory for kernel sysctl parameters, extending what you can already do with /etc/sysctl.conf." See The New Configuration Files and more specifically systemd's sysctl.d man page for more information.

Networking

Improving Performance

Warning: This may cause dropped frames with load balancing and NAT; only use it on a server that communicates only over your local network.
# reuse/recycle time-wait sockets
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

TCP/IP stack hardening

#### ipv4 networking ####

## TCP SYN cookie protection
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1

## source address verification (sanity checking)
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1

## disable ALL packet forwarding (not a router, disable it)
net.ipv4.ip_forward = 0

## log martian packets
net.ipv4.conf.all.log_martians = 1

## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

## optionally, ignore all echo requests
#net.ipv4.icmp_echo_ignore_all = 1

## ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

## IP source routing (insecure, disable it)
net.ipv4.conf.all.accept_source_route = 0

## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## ICMP routing redirects (only secure)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
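Enabling log_martians only helps if someone reads the resulting kernel messages. The script below is an added example, not part of the ArchWiki page: it tallies "martian source" lines from the kernel log per interface and claimed source address, so that a spoofed or misrouted sender shows up as a count rather than as scattered dmesg lines. The log lines are constructed for the demo in the shape of the kernel's martian-source message ("martian source DST from SRC, on dev DEV"); the "ll header" dump that follows each one in a real log is ignored, and the parser does not depend on the "IPv4:" prefix newer kernels add.

```shell
#!/bin/sh
# Summarise "martian source" kernel log lines produced when
# net.ipv4.conf.all.log_martians = 1. Added example, not ArchWiki's code.

# Usage: martian_summary [MIN_COUNT] < kernel-log
# Prints "DEV SRC COUNT" for every (interface, claimed source) pair seen at
# least MIN_COUNT times (default 1), sorted, so repeat offenders stand out.
martian_summary() {
    min=${1:-1}
    awk -v min="$min" '
        /martian source/ {
            src = ""; dev = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
                if ($i == "dev")  { dev = $(i + 1) }
            }
            if (src != "" && dev != "") n[dev " " src]++
        }
        END { for (k in n) if (n[k] >= min) print k, n[k] }
    ' | LC_ALL=C sort
}

# Constructed sample in dmesg form (timestamps, addresses and MAC bytes are
# made up); the "ll header" lines are what the kernel prints after each hit.
SAMPLE_LOG='[  123.456789] IPv4: martian source 10.0.0.5 from 192.168.1.99, on dev eth0
[  123.456790] ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
[  130.000001] IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
[  131.000001] IPv4: martian source 10.0.0.5 from 192.168.1.99, on dev eth0
[  131.000002] ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
[  140.000001] IPv4: martian source 10.0.0.7 from 0.0.0.0, on dev eth1'

printf '%s\n' "$SAMPLE_LOG" | martian_summary
# prints:
# eth0 127.0.0.1 1
# eth0 192.168.1.99 2
# eth1 0.0.0.0 1
```

On a real host feed it the kernel ring buffer, `dmesg | martian_summary 5`; the threshold hides one-off noise such as a single misconfigured client, while a source that keeps appearing with an address that cannot legitimately arrive on that interface is the case rp_filter and log_martians exist to surface.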

Troubleshooting

Small periodical freezes

Set the dirty-page limits to a small enough value, for example 4M (4194304 bytes):

 vm.dirty_background_bytes = 4194304
 vm.dirty_bytes = 4194304

See also

  • The sysctl(8) and sysctl.conf(5) man pages
  • Linux kernel documentation (<kernel source dir>/Documentation/sysctl/)