# 网络桥接配置 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-arptables = 1 net.ipv4.ip_forward = 1 # 减少TIME_WAIT数量(高并发场景) net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_intvl = 15 # 提升连接数和吞吐量 net.core.somaxconn = 65535 net.core.netdev_max_backlog = 32768 # 加快TCP回收和重用 (适用于短连接服务) net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_tw_reuse = 1 # 减少TIME_WAIT数量(高并发场景) net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_intvl = 15 # 内存缓存优化 net.core.rmem_max = 16777216 # 接收窗口最大值 net.core.wmem_max = 16777216 # 发送窗口最大值 net.ipv4.tcp_rmem = 4096 87380 16777216 net.ipv4.tcp_wmem = 4096 16384 16777216 vm.swappiness = 0 # 降低交换分区使用倾向 vm.dirty_ratio = 20 # 系统级脏页占比阈值 vm.dirty_background_ratio = 10 # 后台回写脏页阈值 vm.dirty_expire_centisecs = 3000 # 脏页超时回写时间(单位:厘秒) # 防止资源耗尽 kernel.pid_max = 4194303 # 支持更多进程(容器场景需要) user.max_pid_namespaces = 14336 # 适应大量容器实例 fs.file-max = 1000000 # 最大文件句柄数 fs.protected_hardlinks = 1 # 禁止恶意硬链接操作 fs.protected_symlinks = 1 # 禁止恶意软链接操作 # 限制内核信息暴露(等保要求) kernel.kptr_restrict = 2 kernel.dmesg_restrict = 1 # 禁止ICMP重定向(防中间人攻击) net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 # 开启反向路径过滤(防IP欺骗) net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.core.netdev_budget = 600 # 增加单次NAPI处理数据包数量 net.ipv4.tcp_abort_on_overflow = 1 # 拒绝超过队列的请求(防雪崩) # 加速连接回收(短连接RPC场景) net.ipv4.tcp_fastopen = 3 # 开启TFO加速(需应用层支持) net.ipv4.tcp_slow_start_after_idle = 0 net.ipv4.tcp_adv_win_scale = 2 # 增加应用层缓冲区比例 net.ipv4.tcp_app_win = 64 # 保留最后64字节数据防重叠 # 防止SYN洪水 net.ipv4.tcp_syncookies = 1 # 开启SYN Cookie net.ipv4.tcp_max_syn_backlog = 8192 # 最大SYN队列长度 net.ipv4.tcp_synack_retries = 2 # SYN-ACK重试次数 net.ipv4.tcp_syn_retries = 2 # SYN重试次数