
What is the proc/sys/net directory in Linux

2025-01-18 Update. From: SLTechnology News&Howtos, Servers


Shulou (Shulou.com) 05/31 Report

This article explains what the /proc/sys/net directory in Linux is. The content is easy to understand and clearly laid out, and I hope it helps resolve your doubts; let the editor lead you through "what is the /proc/sys/net directory in Linux".

Linux has developed rapidly in recent years and many distributions have appeared, a dazzling choice. Yet every Linux distribution has a /proc/ directory, the Linux system directory, which some also call the proc file system. Network administrators in particular must master this directory.

This directory contains special files that not only reflect the current state of the kernel and expose hardware information, but also let users modify their contents to adjust the kernel's current working state; the files in the /proc/sys/ subdirectory are an example.

Unlike the other directories under /proc/, the files in /proc/sys/ not only provide information about the system but also let users immediately turn kernel features on or off. Its /proc/sys/net/ subdirectory is closely related to networking: by setting files in this directory we can enable special features needed by network applications, and we can also protect the security of our network. Therefore a Linux network administrator needs a detailed understanding of the functions and settings of the files in /proc/sys/net/ so that they can be put to good use.

I. /proc/sys/net/ directory description

The /proc/sys/net/ directory contains several network-related subdirectories, such as appletalk/, ethernet/, ipv4/, ipx/ and ipv6/. By changing the files in these directories, a network administrator can adjust network parameters while the system is running. Although Linux offers many ways to configure the network, being familiar with the contents of this directory is very helpful for network applications.

Two directories under /proc/sys/net/ are closely tied to the operation of the current IPv4 network, and adjusting the parameters of certain files in them can deliver surprisingly good results for network applications. These are /proc/sys/net/core/ and /proc/sys/net/ipv4/. Below, the author describes the important files in these two directories in detail.

1. /proc/sys/net/core/ directory

This directory contains settings that control how the Linux kernel interacts with the network layer, that is, how the kernel reacts to network traffic.

Among them, the important files are as follows:

(1) message_burst: sets the number of warning messages that may be written every ten seconds; this setting can be used to prevent DoS attacks. The default is 50.

(2) message_cost: sets the cost of each warning. The default is 5; set it to 0 when it is used to prevent DoS attacks.

(3) netdev_max_backlog: sets the maximum number of packets that may be queued when an interface receives packets faster than the kernel can process them. The default is 300.

(4) optmem_max: sets the maximum ancillary buffer size allowed per socket.

(5) rmem_default: sets the default receive buffer size of a socket (in bytes).

(6) rmem_max: sets the maximum receive buffer size of a socket (in bytes).

(7) wmem_default: sets the default send buffer size of a socket (in bytes).

(8) wmem_max: sets the maximum send buffer size of a socket (in bytes).

2. /proc/sys/net/ipv4/ directory

The contents of this directory are used to add network settings, many of which can be used to block attacks on the system or to configure the system's routing function.

Among them, the important files are as follows:

(1) icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate, icmp_timeexceed_rate: set the maximum rate at which the corresponding ICMP packets are sent in response; preferably not 0.

(2) icmp_echo_ignore_all and icmp_echo_ignore_broadcasts: tell the kernel not to answer ICMP echo packets, or those sent to the specified broadcast address. A value of 0 allows responses and a value of 1 disables them.

(3) ip_default_ttl: sets the default time to live (TTL) of IP packets. Increasing its value can reduce system overhead.

(4) ip_forward: sets whether the kernel forwards packets. The default is 0; setting it to 1 allows the network stack to forward packets.

(5) ip_local_port_range: specifies the range of TCP or UDP ports used when a local port is needed. The first number is the low port, the second the high port.

(6) tcp_syn_retries: limits the number of times a SYN packet is retransmitted when establishing a connection.

(7) tcp_retries1: sets the number of times a connection's packets are retransmitted before an error is reported. The default is 3.

(8) tcp_retries2: sets the number of times TCP packets may be retransmitted. The default is 15.

II. How to set the files in the /proc/sys/net/ directory

Having covered the meaning and function of the important files in /proc/sys/net/core/ and /proc/sys/net/ipv4/, let's look at how to set these files so that they work for us.

Readers should understand that in a Linux system, the working state and functions of a service or device are changed mainly in two ways: by running commands, or by directly editing its configuration files. The values in the files of these two directories can likewise be modified in either of these ways to make them behave as we intend.

Before starting, note that when you decide to change the current value of a file, make sure the format and the value of the command you enter are correct, because a wrong setting can make the kernel unstable, and if that happens you will have to reboot the system. In the explanation below, the author will point out the places that need special care.

First, let's look at how to modify the files in these two directories with commands. They can be modified with the echo and sysctl commands; the author lists the usage of each below.

1. The sysctl command is purpose-built for setting the files in these two directories and is installed in /sbin/ by default. It can both display and set the contents of the files under /proc/sys/net/. For example, /sbin/sysctl -a displays the configuration of every file in this directory, and /sbin/sysctl -w modifies the value of a specified file; for instance, /sbin/sysctl -w net.ipv4.ip_forward="1" enables IP packet forwarding. The other options can be listed with /sbin/sysctl -h and are not repeated here. Note that this command requires administrator privileges; if you are not logged in as root, use the su command to obtain them before running it.

2. The files in /proc/sys/net/ can also be modified with the echo command. For example, echo 1 > /proc/sys/net/ipv4/ip_forward enables IP packet forwarding, and echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all stops the host from responding to ICMP ECHO packets. When using echo, pay particular attention to the input format: there must be a space between the echo command and the value, between the value and the redirection symbol (>), and between the symbol and the path of the file to be modified. Also, some files in these two directories hold more than one value; if you want to pass several values at once, make sure each value is separated by a space.

Note also that values set this way revert to their defaults after a reboot. If you want a setting to be permanent, you can add the command directly to /etc/rc.d/rc.local (this path applies to the author's distribution; readers of other distributions should check where their equivalent file lives). If there are many commands, you can also put them in a script, make it executable, and call it from this file, so that it runs automatically at boot according to the settings in /etc/rc.d/rc.local. If you would rather not modify /etc/rc.d/rc.local, I recommend using the /sbin/sysctl command.

Setting the files in /proc/sys/net/ by command is easy, but some readers prefer to edit the configuration file directly because it is more intuitive; that approach is better suited to users who know the system well.

Unlike other services or devices, the Linux system provides only one configuration file for the /proc/sys/net/ directory: /etc/sysctl.conf. Users can edit /etc/sysctl.conf directly to modify or add the values of the variables corresponding to the files under /proc/sys/net/; at startup the system reads this file and applies the corresponding settings. Editing it with vi is very easy, and the format of its entries is clear and readable, for example: net.ipv4.ip_forward=0. Change the value to 1 to turn on IP packet forwarding. Setting a value with the /sbin/sysctl command has the same effect as editing the corresponding entry in /etc/sysctl.conf directly, so for safety it is recommended that users give priority to the /sbin/sysctl command.
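As an added example (not code from the original article), the following shell script wraps the methods just described: reading and writing a /proc/sys/net file the echo way, the same write through sysctl, and recording the setting in sysctl.conf form so it survives a reboot. The PROC_ROOT variable, the function names and the default conf path are assumptions; PROC_ROOT lets the functions be exercised against a scratch copy of the /proc tree without root.

```shell
#!/bin/sh
# Added example, not from the article: read, set and persist /proc/sys/net
# values using the echo and sysctl methods described above.
# PROC_ROOT (an assumption) is empty for the real /proc tree; point it at a
# scratch directory to try the functions without root.
PROC_ROOT="${PROC_ROOT:-}"

# Map a sysctl-style key (net.ipv4.ip_forward) to its /proc/sys path.
proc_path() {
    printf '%s/proc/sys/%s\n' "$PROC_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print the current value; returns 1 silently if the file does not exist,
# since not every kernel version provides every file.
proc_get() {
    f=$(proc_path "$1")
    [ -r "$f" ] || return 1
    cat "$f"
}

# Write a value the "echo" way. Only integers are accepted (several may be
# given, space separated, as for ip_local_port_range), because a malformed
# write can leave the kernel misconfigured until it is corrected or rebooted.
proc_set() {
    key=$1; val=$2
    printf '%s' "$val" | grep -Eq '^[0-9]+( [0-9]+)*$' \
        || { echo "refusing non-numeric value '$val' for $key" >&2; return 2; }
    f=$(proc_path "$key")
    [ -w "$f" ] || { echo "$f is not writable (are you root?)" >&2; return 1; }
    old=$(cat "$f")
    printf '%s\n' "$val" > "$f" || return 1
    echo "$key: $old -> $val"
}

# The same change through the sysctl utility, which the article prefers.
sysctl_set() {
    /sbin/sysctl -w "$1=$2"
}

# Record the setting in sysctl.conf form so it is reapplied at boot.
# Any existing line for the key is replaced, so repeated calls do not
# accumulate duplicates. The default path is an assumption.
persist_set() {
    key=$1; val=$2; conf=${3:-/etc/sysctl.conf}
    tmp="$conf.tmp.$$"
    {
        if [ -f "$conf" ]; then
            grep -v "^[[:space:]]*$key[[:space:]]*=" "$conf" || true
        fi
        printf '%s = %s\n' "$key" "$val"
    } > "$tmp" && mv "$tmp" "$conf"
}

# Walk-through of the article's ip_forward example when run as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "ip_forward is currently $(proc_get net.ipv4.ip_forward)"
    proc_set net.ipv4.ip_forward 1
    persist_set net.ipv4.ip_forward 1
fi
```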

At this point the reader should have a reasonable understanding of the two directories /proc/sys/net/core/ and /proc/sys/net/ipv4/ under /proc/sys/net/. These two were singled out only to highlight the role of the /proc/ directory for IPv4 networking. In fact, /proc/ contains many more files; although most cannot be set by the user the way the files in these two directories can, they can be used to learn details of the system and its current operating state, and readers can find detailed descriptions of this directory online.

Addendum:

/proc/sys/net/ipv4/icmp_timeexceed_rate

This file controls the rate at which ICMP Time Exceeded messages are sent. It is also what causes the famous "Solaris middle star" in traceroute.

/proc/sys/net/ipv4/igmp_max_memberships

The maximum number of (multicast) IGMP sockets listening on this host.

/proc/sys/net/ipv4/inet_peer_gc_maxtime

Help wanted: a short explanation of the inet peer storage. Minimum interval between garbage collection passes. This interval is in effect under low (or absent) memory pressure on the pool. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_gc_mintime

Minimum interval between garbage collection passes. This interval is in effect under high memory pressure on the pool. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_maxttl

The maximum time-to-live of entries. When there is no memory pressure on the pool (for example, when the number of entries in the pool is small), unused entries expire after this time. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_minttl

The minimum time-to-live of entries. It should be enough to cover the fragment time-to-live on the reassembling side. This minimum time-to-live is guaranteed as long as the pool size is not larger than inet_peer_threshold. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_threshold

The approximate size of the INET peer storage. Starting from this threshold, entries are discarded aggressively. The threshold also determines the entries' time-to-live and the intervals between garbage collection passes: more entries, shorter time-to-live, shorter GC interval.

/proc/sys/net/ipv4/ip_autoconfig

This file contains the number 1 if the host obtained its IP configuration through RARP, BOOTP, DHCP or a similar mechanism; otherwise it is zero.

/proc/sys/net/ipv4/ip_default_ttl

The time-to-live of packets. A setting of 64 is safe. Increase this value if your network is very large. Don't do this for fun: it can create harmful routing loops. In fact, in many cases you should consider whether you can reduce this value.

/proc/sys/net/ipv4/ip_dynaddr

You need to set this if you use dial-on-demand with a dynamic interface address. Once your dial-on-demand interface comes up, any local TCP sockets that have not yet seen a reply are rebound to the correct address. This solves the problem that the connection which brought the interface up does not itself work, although a second attempt does.

/proc/sys/net/ipv4/ip_forward

Whether the kernel forwards packets. Disabled by default.

/proc/sys/net/ipv4/ip_local_port_range

The range of ports used for outgoing connections. The default is actually quite small: 1024 to 4999.

/proc/sys/net/ipv4/ip_no_pmtu_disc

Set this if you want to disable Path MTU discovery, a technique that determines the largest possible MTU on the transmission path. See the section on Path MTU discovery in the Cookbook chapter.

/proc/sys/net/ipv4/ipfrag_high_thresh

The maximum amount of memory used to reassemble IP fragments. Once this many bytes have been allocated for that purpose, the fragment handler drops fragments until ipfrag_low_thresh is reached.

/proc/sys/net/ipv4/ip_nonlocal_bind

Set this if you want your applications to be able to bind to an address that does not belong to a device on your system. This is useful when your machine is on a non-permanent (or even dynamic) link, so that your services can start up and bind to a specific address even while the link is down.

/proc/sys/net/ipv4/ipfrag_low_thresh

The minimum amount of memory used to reassemble IP fragments.

/proc/sys/net/ipv4/ipfrag_time

How long (in seconds) IP fragments are kept in memory.

/proc/sys/net/ipv4/tcp_abort_on_overflow

A boolean flag that controls the kernel's behaviour when it receives many connection requests. If enabled, the kernel actively sends RST packets when a service is overloaded.

/proc/sys/net/ipv4/tcp_fin_timeout

If the socket is closed by the local side, this parameter determines how long it stays in the FIN-WAIT-2 state. The peer may misbehave and never close its side, or even crash unexpectedly. The default is 60 seconds. The usual value in 2.2 kernels was 180 seconds; you may restore it, but remember that even on a lightly loaded web server you risk running out of memory due to a large number of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 because they consume at most 1.5K of memory each, but they tend to live longer. See tcp_max_orphans.

/proc/sys/net/ipv4/tcp_keepalive_time

How often TCP sends keepalive messages when keepalive is enabled. The default is 2 hours.

/proc/sys/net/ipv4/tcp_keepalive_intvl

How often a probe is retransmitted when it is not acknowledged. The default is 75 seconds.

/proc/sys/net/ipv4/tcp_keepalive_probes

How many TCP keepalive probes are sent before the connection is considered failed. The default is 9. Multiplying this value by tcp_keepalive_intvl gives how long a connection may go without responding after a keepalive is sent.

/proc/sys/net/ipv4/tcp_max_orphans

The maximum number of TCP sockets in the system that are not attached to any user file handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists only to prevent simple DoS attacks; you must not rely on it or lower it artificially, but rather increase it (probably after adding memory) if network conditions require more than the default, and tune your network services to linger and kill such states more aggressively. Let me remind you again: each orphan socket can eat up to 64K of unswappable memory.

/proc/sys/net/ipv4/tcp_orphan_retries

How many times the local side retries before closing the TCP connection. The default is 7, which corresponds to 50 seconds to 16 minutes (depending on RTO). If your machine is an overloaded web server, consider reducing this value, because such sockets consume a lot of important resources. See tcp_max_orphans.

/proc/sys/net/ipv4/tcp_max_syn_backlog

The maximum number of recorded connection requests for which the client's acknowledgement has not yet been received. The default is 1024 for systems with 128 MB of memory and 128 for systems with little memory. If the server is overwhelmed, try increasing this value. Be careful: if you set it above 1024, it is best to also adjust TCP_SYNQ_HSIZE in include/net/tcp.h so that TCP_SYNQ_HSIZE*16 ≤ tcp_max_syn_backlog, and then recompile the kernel.

/proc/sys/net/ipv4/tcp_max_tw_buckets

The maximum number of TIME-WAIT sockets the system maintains. If this number is exceeded, TIME-WAIT sockets are cleared immediately and a warning is printed. This limit exists only to prevent simple DoS attacks; you must not rely on it or lower it artificially, but if the network genuinely needs more than the default, increase this value (after adding memory).

/proc/sys/net/ipv4/tcp_retrans_collapse

A bug-to-bug compatibility option for some broken printers. On retransmission, larger packets are sent to work around bugs in certain TCP stacks.

/proc/sys/net/ipv4/tcp_retries1

How many times to retry before identifying an error and reporting it to the network layer. The default is the minimum specified by the RFC: 3, which corresponds to 3 seconds to 8 minutes (depending on RTO).

/proc/sys/net/ipv4/tcp_retries2

How many times to retry before killing an active TCP connection. RFC 1122 specifies that this limit should be longer than 100 seconds, which is too small. The default is 15, which corresponds to 13 to 30 minutes (depending on RTO).

/proc/sys/net/ipv4/tcp_rfc1337

This switch enables a fix for the "TIME-WAIT assassination hazards in TCP" problem described in RFC 1337. When enabled, the kernel discards RST packets destined for TCP sockets in the TIME-WAIT state. Default: 0.

/proc/sys/net/ipv4/tcp_sack

Use selective ACK to signal exactly which packets were lost, which helps fast recovery.

/proc/sys/net/ipv4/tcp_stdurg

Use the Host Requirements interpretation of the TCP urgent pointer field. Most hosts use the older BSD interpretation, so enabling this on Linux may break communication with them. The default is FALSE.

/proc/sys/net/ipv4/tcp_syn_retries

The number of SYN packets sent before the kernel gives up establishing a connection.

/proc/sys/net/ipv4/tcp_synack_retries

To open the other side of a connection, the kernel sends a SYN with a piggybacked ACK that acknowledges the SYN received earlier. This is the second step of the so-called three-way handshake. This setting determines the number of SYN+ACK packets the kernel sends before giving up on the connection.

/proc/sys/net/ipv4/tcp_timestamps

Timestamps protect against sequence number wrap-around. On a 1 Gbps link it is quite possible to encounter a sequence number that has been used before. Timestamps let the kernel recognise such out-of-date packets.

/proc/sys/net/ipv4/tcp_tw_recycle

Enables faster recycling of TIME-WAIT sockets. The default is 1. It should not be changed without the advice or request of technical experts.

/proc/sys/net/ipv4/tcp_window_scaling

Generally speaking, TCP/IP allows the window size to reach 65535 bytes. That may still be too small for a really high-speed network. This option allows window sizes in the gigabyte range, which is useful in environments with a high bandwidth*delay product.

/proc/sys/net/ipv4/icmp_destunreach_rate

If the kernel decides it cannot deliver a packet, it drops the packet and sends an ICMP notification to the host that sent it.

/proc/sys/net/ipv4/icmp_echo_ignore_all

Do not respond to echo packets at all. Don't set this by default, but it can be useful if your host is being used as a relay in a DoS attack.

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]

If you ping the broadcast address of a subnet, all machines on it should respond. This can be abused as a denial-of-service tool, so set this to 1 to ignore such subnet broadcast messages.

/proc/sys/net/ipv4/icmp_echoreply_rate

Sets the rate at which echo requests from any host are answered.

/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Once set, ICMP errors caused by hosts on the network reacting badly to frames sent to what they consider the broadcast address are ignored.

/proc/sys/net/ipv4/icmp_paramprob_rate

A fairly obscure ICMP message, sent in response to malformed packets with a damaged IP or TCP header. You can control the rate at which it is sent through this file.
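As an added example (not code from the original article), this read-only audit compares a host's live /proc/sys/net/ipv4 values with the guidance collected above: broadcast echo requests ignored, forwarding off on a non-router, TTL 64, FIN-WAIT-2 timeout no longer than the 60-second default, and ICMP rate limits not zero. The rule format, function names and PROC_ROOT variable are assumptions; files a kernel does not provide are reported as absent rather than counted as failures.

```shell
#!/bin/sh
# Added example, not from the article: audit live /proc/sys/net values
# against the guidance given above. PROC_ROOT (an assumption) lets the
# check run against a scratch copy of the tree; empty means the real /proc.
PROC_ROOT="${PROC_ROOT:-}"

# Baseline built from the article's statements, one rule per line:
#   key  check  argument
# eq      -> value must equal the argument
# max     -> value must not exceed the argument
# nonzero -> value must not be 0 (the ICMP rate files: "preferably not 0")
# ip_forward=0 applies to hosts that are not meant to route.
BASELINE='
net.ipv4.icmp_echo_ignore_broadcasts eq 1
net.ipv4.ip_forward eq 0
net.ipv4.ip_default_ttl eq 64
net.ipv4.tcp_fin_timeout max 60
net.ipv4.icmp_destunreach_rate nonzero -
net.ipv4.icmp_echoreply_rate nonzero -
net.ipv4.icmp_paramprob_rate nonzero -
net.ipv4.icmp_timeexceed_rate nonzero -
'

# Check one key; prints "OK", "FAIL" or "ABSENT" followed by key and value.
# ABSENT is reported rather than treated as a failure, because a given
# kernel may simply not provide that file.
audit_key() {
    key=$1; check=$2; arg=$3
    f="$PROC_ROOT/proc/sys/$(printf '%s' "$key" | tr . /)"
    [ -r "$f" ] || { echo "ABSENT $key"; return 0; }
    val=$(cat "$f")
    case "$check" in
        eq)      [ "$val" = "$arg" ] && r=OK || r=FAIL ;;
        max)     [ "$val" -le "$arg" ] 2>/dev/null && r=OK || r=FAIL ;;
        nonzero) [ "$val" -ne 0 ] 2>/dev/null && r=OK || r=FAIL ;;
        *)       echo "unknown check '$check' for $key" >&2; return 2 ;;
    esac
    echo "$r $key $val"
}

# Run every rule in the baseline, one result line per rule.
audit_all() {
    echo "$BASELINE" | while read -r key check arg; do
        if [ -n "$key" ]; then audit_key "$key" "$check" "$arg"; fi
    done
}

# Number of failing rules; handy as an exit code for a cron job.
audit_failures() {
    audit_all | grep -c '^FAIL' || true
}
```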

That is the whole of the article "What is the /proc/sys/net directory in Linux?". Thank you for reading! I hope the content shared here has helped you; if you want to learn more, you are welcome to follow the industry information channel.
