Linux sysctl options
linux as router
- The "promiscuous ARP" behaviour (answering for and announcing addresses of other interfaces) can be fixed by setting arp_ignore and arp_announce on the WAN interface.
- If you have multiple interfaces on the same subnet, you may also want to enable arp_filter. This prevents the ARP entry for an interface from fluctuating between two or more MAC addresses. However, you need to use source routing to make this work correctly. See Documentation/networking/ip-sysctl-2.6.txt in the kernel source.
- The ARP cache timeout (base_reachable_time) on Linux-based routers should be raised from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface; set it somewhere between 2 and 6 hours rather than the kernel default of 30 seconds.
- You may need to turn off Reverse Path Filtering (rp_filter) on a Linux-based router to allow asymmetric routing, particularly on your WAN interface.
/etc/sysctl.conf
# These settings should be duplicated for all interfaces that are
# on a peering LAN. Replace "ifname" with the real interface name.

### Typical stuff you really want on a router

# Fix the "promiscuous ARP" thing...
net/ipv4/conf/ifname/arp_ignore=1
net/ipv4/conf/ifname/arp_announce=1

# Turn off RP filtering to allow asymmetric routing:
net/ipv4/conf/ifname/rp_filter=0

# Multiple (non-aggregated) interfaces on the same peering LAN.
# READ THE MANUAL FIRST!
#net/ipv4/conf/ifname/arp_filter=1

### Keep the AMS-IX ARP Police happy. :-)
# base_reachable_time is in seconds; 14400 = 4 hours
net/ipv4/neigh/ifname/base_reachable_time=14400
net/ipv6/neigh/ifname/base_reachable_time=14400
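The fragment above has to be repeated per interface, which is easy to get wrong by hand. The following script is an added example (not part of the original page or the AMS-IX guide): it renders the same settings for every peering-LAN interface given on the command line, in the dotted form sysctl(8) also accepts, and audits a running kernel against them by reading /proc/sys. The interface names (eth1, eth2) and the 4-hour timeout are assumptions for the demo; run the audit as root on the router itself.

```shell
#!/bin/sh
# Added example, not from the original page: render the per-interface router
# sysctls for several peering-LAN interfaces and check the live kernel values.
# Interface names used in the usage lines (eth1, eth2) are assumptions.

# Print the desired key=value pairs for one interface. Dotted keys are
# interchangeable with the slash form used in /etc/sysctl.conf above.
router_sysctls_for() {
    ifname="$1"
    printf '%s\n' \
        "net.ipv4.conf.$ifname.arp_ignore=1" \
        "net.ipv4.conf.$ifname.arp_announce=1" \
        "net.ipv4.conf.$ifname.rp_filter=0" \
        "net.ipv4.neigh.$ifname.base_reachable_time=14400" \
        "net.ipv6.neigh.$ifname.base_reachable_time=14400"
}

# Render a sysctl.conf fragment covering every interface given as argument.
render_router_sysctl() {
    for ifname in "$@"; do
        echo "# peering LAN interface $ifname"
        router_sysctls_for "$ifname"
    done
}

# Number of settings in the rendered fragment (comment lines excluded).
count_settings() {
    render_router_sysctl "$@" | grep -vc '^#'
}

# Compare one key=value with /proc/sys and print a line when it differs.
# Exit status: 0 match, 1 mismatch, 2 key absent (no such interface, or the
# kernel does not expose the setting, e.g. IPv6 built without it).
check_sysctl() {
    key="${1%%=*}"
    want="${1#*=}"
    path="/proc/sys/$(echo "$key" | tr . /)"
    [ -r "$path" ] || { echo "$key: not present ($path)"; return 2; }
    have="$(cat "$path")"
    if [ "$have" != "$want" ]; then
        echo "$key: have $have, want $want"
        return 1
    fi
    return 0
}

# Audit every rendered setting; the return value is the number of
# mismatches (absent keys are reported but not counted).
audit_router_sysctl() {
    mismatches=0
    for line in $(render_router_sysctl "$@" | grep -v '^#'); do
        check_sysctl "$line" && rc=0 || rc=$?
        [ "$rc" -eq 1 ] && mismatches=$((mismatches + 1))
    done
    return "$mismatches"
}

# Usage: ./router-sysctl.sh render eth1 eth2 > /etc/sysctl.d/peering.conf
#        ./router-sysctl.sh audit eth1 eth2   (as root, on the router)
case "${1:-}" in
    render) shift; render_router_sysctl "$@" ;;
    audit)  shift; audit_router_sysctl "$@" ;;
esac
```

The audit distinguishes a wrong value from a missing key so that a typo in an interface name is not silently reported as a mismatch. Note that base_reachable_time is expressed in seconds; newer kernels also expose base_reachable_time_ms, and either one may be set.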
2.6 net/ipv4 options
For more detail, see /proc/net/ipv4 and Linux TCP tuning.
Reboot on kernel panic
kernel.panic = 0
value | comment |
---|---|
0 | do not reboot on kernel panic (default) |
n | wait n seconds after a panic, then reboot |
Linux 2.6 defaults to only 32 MB for the largest shared memory segment (kernel.shmmax); raise it to 64 MB:
kernel.shmmax = 67108864
ip_conntrack: maximum limit of XXX entries exceeded
If you notice the above message in syslog, the conntrack table does not have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections; that number depends on your system's memory size (at 64MB: 4096, 128MB: 8192, …).
You can easily increase the maximum number of tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory. Set the limit higher than your RAM can hold and the kernel will crash, even though routing/forwarding may still appear to be "working" up to that point.
To increase this limit to e.g. 8192, type:
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
To optimize performance, also raise the number of hash buckets with the hashsize module load-time parameter of the ip_conntrack.o module. Note that, due to the nature of the hashing algorithm in that module, an even hash bucket count (and especially a power of two) is a bad choice. On kernels where ip_conntrack has been replaced by nf_conntrack, the equivalents are /proc/sys/net/netfilter/nf_conntrack_max and the hashsize parameter of the nf_conntrack module.
Example (with 1023 buckets):
modprobe ip_conntrack hashsize=1023
http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7
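The netfilter FAQ gives the figures but not the arithmetic. The script below is an added example (not from the FAQ or the original page): it pulls the exceeded limit out of the syslog line quoted above, proposes a doubled ip_conntrack_max with an odd hashsize, and estimates how much non-swappable memory the new limit can pin at the ~350 bytes per entry the FAQ quotes. The log lines are constructed for the demo, and the max/8 ratio for the hash size is an assumption taken from the old module's default of eight entries per bucket.

```shell
#!/bin/sh
# Added example, not from the netfilter FAQ or the original page.
# Sample syslog excerpt, constructed for the demo.
SAMPLE_LOG='Mar  3 10:12:01 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Mar  3 10:12:09 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Mar  3 10:13:44 gw kernel: nf_conntrack: table full, dropping packet'

# Read a log on stdin; print the highest limit reported by the
# "maximum limit of N entries exceeded" message, or nothing if absent.
conntrack_limit_from_log() {
    sed -n 's/.*ip_conntrack: maximum limit of \([0-9][0-9]*\) entries exceeded.*/\1/p' \
        | sort -n | tail -n 1
}

# How many times the limit was hit (each hit means dropped/untracked traffic).
count_limit_hits() {
    grep -c 'ip_conntrack: maximum limit of'
}

# Propose a new limit: double the one that overflowed.
propose_conntrack_max() {
    echo $(( $1 * 2 ))
}

# Non-swappable kernel memory a full table of that size can pin (350 B/entry).
conntrack_memory_bytes() {
    echo $(( $1 * 350 ))
}

# Pick a hashsize of about max/8 (assumed old default ratio), forced odd
# because the FAQ warns against even and power-of-two bucket counts.
propose_hashsize() {
    h=$(( $1 / 8 ))
    [ $(( h % 2 )) -eq 0 ] && h=$(( h - 1 ))
    echo "$h"
}

limit=$(printf '%s\n' "$SAMPLE_LOG" | conntrack_limit_from_log)
if [ -n "$limit" ]; then
    hits=$(printf '%s\n' "$SAMPLE_LOG" | count_limit_hits)
    new=$(propose_conntrack_max "$limit")
    kib=$(( $(conntrack_memory_bytes "$new") / 1024 ))
    echo "limit of $limit entries hit $hits times"
    echo "proposed ip_conntrack_max=$new (up to ${kib} KiB of kernel memory pinned)"
    echo "proposed hashsize=$(propose_hashsize "$new")"
    echo "apply with: echo $new > /proc/sys/net/ipv4/ip_conntrack_max"
    echo "and reload with: modprobe ip_conntrack hashsize=$(propose_hashsize "$new")"
fi
```

Before applying the proposal, compare the KiB figure with the memory actually free on the box; doubling blindly is exactly how the "kernel will crash" case above is reached. Feed real logs with, for example, `grep ip_conntrack /var/log/messages | conntrack_limit_from_log`.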
GrSecurity options
For the GrSecurity sysctl options, see this page.
TNT's default sysctl.conf
Download sysctl.conf