[[linux:sysctl]]
Trace: sysctl
Show pagesource
AdminRecent ChangesSitemap

This is an old revision of the document!

Linux sysctl options

linux as router

  1. The ARP behaviour can be fixed by using arp_ignore and arp_announce on the WAN interface:
  2. If you have multiple interfaces on the same subnet, you may also want to enable arp_filter
    • This prevents the ARP entry for an interface to fluctuate between two or more MAC addresses. However, you need to use source routing to make this work correctly. From the Documentation/networking/ip-sysctl-2.6.txt file in the kernel source
  3. The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface
    • change it so it's between 2 and 6 hours, and not 30 min as default.
  4. You may need to turn off the Reverse Path Filter (rp_filter) functionality on a Linux-based router to allow asymmetric routing, particularly on your WAN interface.

/etc/sysctl.conf 

 # These settings should be duplicated for all interfaces that are
 # on a peering LAN.
   
 ### Typical stuff you really want on a router
 
 # Fix the "promiscuous ARP" thing...
 net/ipv4/conf/ifname/arp_ignore=1
 net/ipv4/conf/ifname/arp_announce=1
 
 # Turn off RP filtering to allow asymmetric routing:
 net/ipv4/conf/ifname/rp_filter=0
 
 # Multiple (non-aggregated) interfaces on the same peering LAN.
 # READ THE MANUAL FIRST!
 #net/ipv4/conf/ifname/arp_filter=1
 
 ### Keep the AMS-IX ARP Police happy. :-)
 
 net/ipv4/neigh/ifname/base_reachable_time=14400
 net/ipv6/neigh/ifname/base_reachable_time=14400

2.6 net/ipv4 options

more detailed: /proc/net/ipv4 and Linux TCP tunning

Reboot on kernel panic

kernel.panic = 0
argv comment
0 won't reboot on kernel panic
n number of seconds to wait before reboot

Linux 2.6 has only 32Mb shared memory

kernel.shmmax = 67108864

ip_conntrack: maximum limit of XXX entries exceeded

If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size (at 64MB: 4096, 128MB: 8192, …).

You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory! Your kernel will crash for sure, althouh routing/forwarding should still be “working”.

To increase this limit to e.g. 8192, type: 

 echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

To optimize performance, please also raise the number of hash buckets by using the hashsize module loadtime parameter of the ip_conntrack.o module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice.

Example (with 1023 buckets): 

 modprobe ip_conntrack hashsize=1023

http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7

GrSecurity options

About GrSecurity see this page

TNT's default sysctl.conf

Download sysctl.conf

linux/sysctl.1161810091.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
Show pagesourceOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready