Network tuning under Linux is a very broad topic. In this series of articles we first introduce the network tuning and test tools and what they can do, then describe the network configuration files under Linux, and finally present some network performance tuning methods. Along the way we also cover the settings that improve the security and stability of a Linux system, so that system administrators can further harden their systems.
Tuning Linux network performance

Tuning Linux network performance: debugging tools
This first article on the network performance of a Linux system introduces the use of three network tuning and test tools, route, netstat and tcpdump, and what they can do.

Tuning Linux network performance: network configuration files in detail
After learning how to use route, netstat and tcpdump, this article focuses on the contents of the network configuration files and helps you read them.

Tuning Linux network performance: tuning methods overview
After covering the tools and the network configuration files, this article introduces network performance tuning from a hands-on perspective.
Tuning Linux network performance: debugging tools

This is the first article on tuning the network performance of a Linux system. It introduces the use of three network tuning and test tools, route, netstat and tcpdump, and what they can do.

route

When you configure the network, you want to specify the path that packets take to reach a given machine. Linux provides the route command, which sets static routes for the network cards configured with the ifconfig command. These settings are usually placed in /etc/rc.d/rc.inet1 and applied when the system boots. We use several examples to explain how to use the route command:
route add -net 127.0.0.0
This command adds a route to the routing table for the specified address or network. Note that 127.0.0.0 is a Class A network, so the mask is set to 255.0.0.0, and the new entry is attached to the lo device.
route add -net xxx.xxx.xxx.xxx netmask 255.255.255.0 dev eth0
This command adds a route for the network xxx.xxx.xxx.xxx with the network mask 255.255.255.0 via eth0.
route del -net xxx.xxx.xxx.xxx
This command deletes the route for xxx.xxx.xxx.xxx. The route command makes it easy to manage the routing information of the whole network; run without arguments, it prints the routing table, as follows:
----------------------------------------------------------------
[root@lee /root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.8.224     *               255.255.255.255 UH    0      0        0 eth0
10.10.8.0       *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         dgc8.njupt.edu  0.0.0.0         UG    0      0        0 eth0
default         dgc8.njupt.edu  0.0.0.0         UG    1      0        0 eth0
[root@lee /root]#
----------------------------------------------------------------
The meaning of each field in the output is:
· Destination is the destination IP address of the route.
· Gateway is the host name or IP address of the gateway; "*" in the output above means there is no gateway.
· Genmask is the network mask of the route. Before comparing a packet's destination with the route's destination address, the kernel ANDs the packet's IP address with Genmask.
· Flags are the route's flags. Their meanings are: U, the route is up; H, the target is a host; G, the route uses a gateway; R, reinstate the route for dynamic routing; D, the route was installed dynamically; M, the route was modified; !, the route rejects packets.
· Metric is the cost of the route.
· Ref is the number of references to this route.
· Use is the number of times this routing table entry has been looked up.
· Iface is the interface through which packets matching this route are sent.
By reading this output we can easily manage the network's routing table.

netstat

The netstat command is a very useful tool for monitoring a TCP/IP network. It can display the routing table, the actual network connections, and status information for each network interface device. Running netstat on your computer gives output like the following:
----------------------------------------------------------------
[root@lee /root]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  5      [ ]         DGRAM                    460    /dev/log
unix  0      [ ]         STREAM     CONNECTED     173    @00000014
unix  0      [ ]         DGRAM                    662
unix  0      [ ]         DGRAM                    631
unix  0      [ ]         DGRAM                    544
unix  0      [ ]         DGRAM                    484
unix  0      [ ]         DGRAM                    470
[root@lee /root]#
----------------------------------------------------------------
Overall, netstat's output is divided into two parts. The first part, Active Internet connections, lists active TCP connections; in the output above there are none. The second part, Active UNIX domain sockets, lists active UNIX domain sockets. The columns of the UNIX domain socket listing are:
· Proto shows the protocol in use.
· RefCnt is the number of processes attached to this socket.
· Type shows the type of socket.
· State shows the current state of the socket.
· Path is the path name that other processes use to connect to the socket.
You can use netstat -a to view the status of all sockets, which is very useful when debugging network programs. netstat -r displays the contents of the routing table; it is usually combined with the "-n" option, which prints addresses in numeric form instead of resolving names such as that of the default router. netstat -i displays information about all network interfaces. netstat can also show the current network status and the topology of the network, which is very useful in practice.

tcpdump

The tcpdump command monitors TCP/IP connections by reading packets directly from the data link layer. You can specify which packets to monitor and which fields to display. For example, to monitor all traffic on the Ethernet, run the following command:
tcpdump -i eth0
Even on a relatively quiet network there is a lot of traffic, so we usually only want the packets we are interested in. Normally the TCP/IP stack only receives packets addressed to the local host and ignores packets addressed to other computers on the network (unless you are using a router). When the tcpdump command runs, it puts the interface into promiscuous mode, which receives all packets and makes them available. If we only care about the traffic of our local host, one method is to use the "-p" option to disable promiscuous mode; another is to specify the host name:
tcpdump -i eth0 host hostname
Now the system only monitors packets exchanged with the host named hostname. The host name can be the local host or any computer on the network. The following command reads all the packets sent by host hostname:
tcpdump -i eth0 src host hostname
The following command monitors all packets sent to host hostname:
tcpdump -i eth0 dst host hostname
We can also monitor packets by specifying a gateway:
tcpdump -i eth0 gateway gatewayname
If you also want to restrict monitoring to TCP or UDP packets addressed to a particular port, run a command like:
tcpdump -i eth0 host hostname and port 80
This command displays the header of every packet exchanged between host hostname and port 80. Port 80 is the default port of the HTTP service. If we only want the packets sent to port 80, use dst port; if we only want the packets returned from port 80, use src port.

Summary

In this article we introduced the use of the network tuning and test tools and what they can do. In the next article we will go through the network configuration files, to learn what they contain and how to modify them.

Tuning Linux network performance: network configuration files in detail

In "Tuning Linux network performance: debugging tools" we introduced the use of the three network tuning and test tools route, netstat and tcpdump and what they can do. This article focuses on the contents of the network configuration files and helps you read them.

/etc/modules.conf

This configuration file defines the parameters of the modules to be loaded at startup; here we focus on the configuration of the NIC. To reduce problems that may occur at startup, the Linux kernel does not automatically detect multiple network cards. On systems where the NIC driver is not compiled into the kernel but loaded dynamically as a module, if you need to install more than one card you must configure them in "modules.conf". If the device driver is compiled as a module: for PCI devices, the module automatically detects all such devices installed in the system; for ISA cards, you must tell the module where to look for the card, which is done in "/etc/conf.modules". For example, if we have two ISA bus 3C509 cards, one at I/O address 0x300 and the other at 0x320, edit "modules.conf" as follows:
alias eth0 3c509
alias eth1 3c509
options 3c509 io=0x300,0x320
For PCI cards only the alias directive is needed, to associate ethN with the appropriate driver module name; the I/O address of a PCI card is detected automatically. For PCI cards, edit "modules.conf" as follows:
alias eth0 3c905
alias eth1 3c905
If the driver is compiled into the kernel: the PCI probe at system start automatically finds all related network cards. ISA cards can usually be detected automatically as well, but in some cases an ISA card still needs the following configuration: add the parameters to "/etc/lilo.conf", so that the LILO boot loader passes them to the kernel as boot parameters. For ISA cards, edit "lilo.conf" and add the following line:
append="ether=0,0,eth0 ether=0,0,eth1"
/etc/sysconfig/network-scripts/ifcfg-ethN

In Red Hat the configuration files of the system's network devices are kept in the "/etc/sysconfig/network-scripts" directory: ifcfg-eth0 holds the configuration of the first network card, ifcfg-eth1 that of the second, and so on. If you want to change a network address by hand or add a new network interface, edit the corresponding file (ifcfg-ethN) or create a new one. The keys are:
DEVICE=name      name is the name of the physical device
IPADDR=addr      addr is the IP address assigned to the card
NETMASK=mask     mask is the network mask
NETWORK=addr     addr is the network address
BROADCAST=addr   addr is the broadcast address
ONBOOT=yes/no    whether to bring the interface up at startup
BOOTPROTO=none/bootp/dhcp   none: no boot protocol; bootp: use the BOOTP protocol; dhcp: use the DHCP protocol
USERCTL=yes/no   whether non-root users are allowed to control the device

/etc/resolv.conf

This file is the configuration file of the resolver, the library that resolves host names to IP addresses. Its contents look like this:
search domainname.com
nameserver 208.164.186.1
nameserver 208.164.186.2
"search domainname.com" means that when a host name is given without a full domain name, the suffix domainname.com is appended to it; "nameserver" names the host at the given address as a domain name server. The domain name servers are queried in the order in which they appear in the file.

/etc/host.conf

This file specifies how host names are resolved. Linux obtains the IP address corresponding to a host name through the resolver library. Here is an example of "/etc/host.conf":
order bind,hosts
multi on
nospoof on
"order bind,hosts" specifies the host name lookup order: DNS is used first to resolve the name, then the "/etc/hosts" file is consulted (or the other way round). "multi on" specifies whether a host listed in "/etc/hosts" may have several addresses; a host with several IP addresses is usually called a multi-homed host. "nospoof on" means that IP spoofing is not permitted. IP spoofing is a means of attacking system security in which an attacker impersonates the IP address of another computer in order to gain the trust that the other computer enjoys.

/etc/hosts

When the machine boots it needs to resolve some host names to IP addresses before it can query DNS; these mappings are stored in the /etc/hosts file. Without a domain name server, all network programs on the system resolve the IP address of a host name by consulting this file. Here is an example of an "/etc/hosts" file:
IP address      host name            alias
127.0.0.1       localhost            gate.openarch.com
208.164.186.1   gate.openarch.com    gate
...
The left column is the host's IP address, the middle one is the host name, and any further columns are aliases of the host. Once the machine's network configuration files have been changed, restart the network so that the changes take effect, with the following command: /etc/rc.d/init.d/network restart.

/etc/inetd.conf

It is well known that the more service ports a server has open, the harder it is to guarantee the system's security and stability. A server that provides a specific service should therefore only open the ports essential to that service and close all services unrelated to it; for example, a machine serving as a WWW and FTP server should only open ports 80 and 25 and close unrelated services such as finger and auth, to reduce the system's vulnerabilities. inetd, also called the "super server", is the daemon that listens for network requests and starts the corresponding service process to handle each connection request. inetd.conf is inetd's configuration file: it tells inetd which network ports to listen on and which service to start for each port. Whenever a Linux system is used in a network environment, the first thing to do is to understand which services the server needs to provide. Unneeded services should be disabled, and ideally uninstalled, so that attackers have fewer opportunities to attack the system. Look through "/etc/inetd.conf" to find out which services inetd offers, disable every unneeded service by commenting out its line (adding a "#" at the start of the line), and then send a SIGHUP signal to the inetd process:
· Step 1: change the file's permissions to 600.
[root@deep]# chmod 600 /etc/inetd.conf
· Step 2: make sure the owner of the file is root.
[root@deep]# stat /etc/inetd.conf
· Step 3: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable all unneeded services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. If you consider some of these services useful, you need not disable them.
· Step 4: after changing the "inetd.conf" file, don't forget to send a SIGHUP signal to the inetd process (killall -HUP inetd).
[root@deep /root]# killall -HUP inetd
· Step 5: to protect the "inetd.conf" file, you can make it immutable with the chattr command. To make the file immutable, run:
[root@deep]# chattr +i /etc/inetd.conf
A file with the "i" attribute cannot be changed: it cannot be deleted or renamed, no link to it can be created, and no data can be written to it. Only the system administrator can set and clear this attribute. If you later want to change inetd.conf, you must first clear the immutable flag:
[root@deep]# chattr -i /etc/inetd.conf
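The steps above can be scripted. The following is an added example, not code from the original article: it comments out a given list of services in an inetd.conf-style file, lists what is still enabled, and restricts the file to mode 600, working on a constructed sample file so it can be tried without touching the real /etc/inetd.conf. The file name and the service lines in the sample are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): script the inetd.conf hardening
# steps above. make_sample_inetd_conf writes a constructed sample so the functions
# can be tried on a scratch file instead of the real /etc/inetd.conf.

# make_sample_inetd_conf FILE: write a constructed inetd.conf fragment (not a real host's file).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# inetd.conf sample, constructed for this example
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
time    stream  tcp     nowait  root    internal
EOF
}

# disable_inetd_services FILE SERVICE...
# Comment out (prefix with "#") every active line whose first field is one of
# the named services, as step 3 does by hand. Prints how many lines were disabled.
disable_inetd_services() {
    file=$1; shift
    tmp="$file.tmp.$$"
    count=0
    for svc in "$@"; do
        # grep -c exits 1 when nothing matches but still prints 0, so keep going
        n=$(grep -c "^$svc[[:space:]]" "$file" || true)
        count=$((count + n))
        sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$tmp" && mv "$tmp" "$file"
    done
    echo "$count"
}

# active_inetd_services FILE: list the services that are still enabled (first
# field of every non-comment, non-blank line), to check the result of step 3.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        while read -r name _; do echo "$name"; done
}

# lock_down_inetd_conf FILE: step 1, restrict the file to its owner (mode 600),
# and print the resulting mode string. Step 5 (chattr +i) needs root and an
# ext2/ext3 file system, so it is left to be run by hand on the real file.
lock_down_inetd_conf() {
    chmod 600 "$1" && ls -l "$1" | cut -c1-10
}

# Stand-alone use on the real file (as root, after reviewing the service list):
#   disable_inetd_services /etc/inetd.conf ftp telnet finger auth pop-3
#   lock_down_inetd_conf /etc/inetd.conf
#   killall -HUP inetd
```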
Services such as sendmail, named and WWW, however, are not started by the inetd daemon the way finger or telnet are; they run as daemons started when the system boots. Red Hat Linux provides the linuxconf command, which lets you choose in a graphical interface which services run at startup. You can also enable a service at startup with a command such as: [root@deep]# chkconfig --level 35 named on

/etc/hosts.allow

For telnet, FTP and similar services, simply turning them off is very inconvenient for an administrator who needs remote management. Linux provides a more flexible and effective way of restricting which users may request a service, so that trusted users can use the services while security is preserved: a program called TCP Wrapper, which is installed by default in most distributions. With TCP Wrapper you can restrict the services mentioned earlier, and TCP Wrapper's log files record every attempt to access your system. By reviewing the program's log with the last command, the administrator can find out who has connected or tried to connect to the system. In /etc there are two files, hosts.deny and hosts.allow, in which you specify which machines may use these services and which may not.

/etc/services

The correspondence between port numbers and standard services is defined in detail in RFC 1700 "Assigned Numbers". The "/etc/services" file, present on every host, lets server and client programs convert the name of a service to its port number. Only the "root" user has permission to modify this file, and it normally does not need modification, because it already contains the port numbers of the common services. To improve security we can protect this file against unauthorized deletion and changes.
To protect the file, use the following command: [root@deep]# chattr +i /etc/services
/etc/securetty

The "/etc/securetty" file specifies from which TTY devices the "root" user may log in. The login program (usually "/bin/login") reads the "/etc/securetty" file. Its format is one TTY device per line: the listed devices allow root login, and devices that are commented out or absent from the file do not.

/etc/inittab

Commenting out one line in this file disables shutting down the computer with Control-Alt-Delete. This is very important if the server is not kept in a safe place. Edit the inittab file (vi /etc/inittab) and change this line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then run the following command to make the change take effect:
[root@deep]# /sbin/init q
/etc/rc.d/init.d/

The scripts under /etc/rc.d/init.d/ are mainly the scripts that start services. Ordinary users have no need to read them, so you should change the permissions of these script files:
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
Now only root can read, write and execute the scripts in this directory.

Summary

Here we have analyzed 11 network configuration files in detail. With the above, do you now fully understand these files and feel confident working with them? In the next article we will describe the network performance tuning methods in detail.

Tuning Linux network performance: tuning methods overview
In "Tuning Linux network performance: debugging tools" and "Tuning Linux network performance: network configuration files in detail" we introduced the use of the three network tuning and test tools route, netstat and tcpdump, what they can do, and the network configuration files. This article introduces network performance tuning methods from a hands-on angle.
Below we first introduce the first network performance tuning method: choosing the service mode.

Service mode
Because a network server serves many clients at once, it must use some form of multitasking service mode. Usually there are three to choose from: the multi-process mode, the multi-threaded mode and the asynchronous mode. In the multi-process mode the server uses one process per client; because creating a process in the operating system carries extra overhead, such as copying the process memory, the number of clients that can be served decreases. To avoid the overhead of process creation, the multi-threaded or asynchronous mode can be used. In the multi-threaded mode several threads are used within one process, and since threads are cheap, performance increases. The asynchronous mode needs no additional processes or threads at all: it communicates with each client in a non-blocking way, and the server uses a single process to poll them. In the asynchronous mode the scheduling between tasks is done by the server program itself, and once something goes wrong in one place the whole server is affected; this is outside the scope of this discussion.

Increasing the number of system threads: many factors limit the number of threads, chiefly the limit on the number of processes, the size of memory, and the limits on mutexes, semaphores, shared memory and IPC. In general, first increase the maximum number of processes, then expand memory, then increase the maximum number of threads. Increasing the maximum number of threads is simple: change two values in glibc, the maximum number of threads and the size of the thread stack area. Raising the maximum number of threads costs asynchronous I/O performance, so the two must be balanced.
Useful settings in the configuration files

1. For databases, increasing the number of shared memory segments and semaphores is important for raising data transfer efficiency.
Method: simply edit the files linux/include/linux/sem.h and linux/include/asm-i386/shmparam.h.
2. First increase the maximum number of processes, then expand memory, then increase the maximum number of threads. Increasing the maximum number of threads is simple: change two values in glibc, the maximum number of threads and the size of the thread stack area.
3. Commenting out one line in the "/etc/inittab" file disables shutting down the computer with Control-Alt-Delete. This is very important if the server is not kept in a safe place.
Edit the inittab file (vi /etc/inittab) and change this line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then run the following command to make the change take effect:
[root@deep]# /sbin/init q
4. The /etc/host.conf file specifies how host names are resolved. Linux obtains the IP address corresponding to a host name through the resolver library. Below is an example of "/etc/host.conf": order bind,hosts specifies the host name lookup order: DNS is used first to resolve the name, then the "/etc/hosts" file is consulted (or the other way round).
You can add the following two lines to this file:
multi on: a listed host may have several addresses; a host with several IP addresses is usually called a multi-homed host.
nospoof on: IP spoofing is not permitted, which improves the security of the server. IP spoofing is a means of attacking system security in which an attacker impersonates the IP address of another computer in order to gain the trust that the other computer enjoys.
Tunable Linux kernel network parameters

ICMP-related kernel parameters

Overview: ICMP packets are usually used to probe whether other protocols on a host (such as TCP and UDP) are available. For example, ICMP packets carrying "destination unreachable" are the most common ICMP packets.
(1) icmp_destunreach_rate: sets the rate at which "Destination Unreachable" ICMP packets are sent in response. The value is an integer.
Application example: suppose there are two hosts, A and B. First we add the following ipchains rule on host A:
ipchains -A input -p icmp -j REJECT
REJECT differs from DENY: DENY silently drops a matching packet as if it had never been received, while REJECT drops the packet and sends a "Destination Unreachable" ICMP packet back to the requesting host.
Then we ping host A from host B and find that the "Destination Unreachable" ICMP packets come back very promptly. Next we run on host A:
echo "1000" > /proc/sys/net/ipv4/icmp_destunreach_rate
That is, respond with a "Destination Unreachable" ICMP packet only every 10 seconds.
This time I found that the "Destination Unreachable" ICMP packets came back much more slowly; curious, I measured it and found that the interval was exactly 10 seconds.
(2) icmp_echo_ignore_broadcasts: sets whether the system responds to ICMP echo requests sent to a broadcast address; 0 means respond to broadcast ICMP echo requests, 1 means ignore them.
Note: Windows systems do not respond to broadcast ICMP echo requests.
Application example:
On my Red Hat 6.x and Red Hat 7 systems this value defaults to 0, so when a user pings the broadcast address of the network segment where my server sits, all the Linux servers respond and the user can learn the IP address of my server. I can run
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
to turn this behaviour off, which also prevents ICMP storms from congesting the network.
(3) icmp_echoreply_rate: sets the rate at which the system responds to ICMP echo requests. The value is an integer.
Application example:
Suppose there are two hosts, A and B. First we ping host A from host B and see that the responses are normal. Then on host A we run echo "1000" > /proc/sys/net/ipv4/icmp_echoreply_rate
That is, respond to an ICMP echo request only every 10 seconds. Pinging host A again, we see that the response interval has become 10 seconds.
It is best to adjust this parameter to prevent ICMP storms.
(4) icmp_echo_ignore_all: sets whether the system ignores all ICMP echo requests; if a non-zero value is set, the system ignores all ICMP echo requests. This is in effect the extreme case of icmp_echoreply_rate. The value is a Boolean: 1 means ignore, 0 means respond.
(5) icmp_paramprob_rate: when the system receives a datagram with a corrupted IP or TCP header, it sends an ICMP packet carrying the error message back to the source. This parameter sets the rate at which such ICMP packets are sent to the source. Of course, corrupted IP or TCP headers are rare in practice. The value is an integer.
(6) icmp_timeexceed_rate: as a datagram travels across the network its Time To Live field keeps decreasing. When the time to live reaches 0, the router handling the datagram drops it and sends a "Time to Live Exceeded" ICMP packet to the source host. This parameter sets the rate at which such ICMP packets are sent. Of course, this is usually only relevant to a Linux host acting as a router.
IP-related kernel parameters

The IP parameters among the Linux kernel network parameters are usually used to define or adjust certain properties of IP packets and to define some network features of the system.
(1) ip_default_ttl: sets the time to live of IP packets sent from this machine. The value is an integer in the range 0~128; the default is 64. On a Windows system the time to live of IP packets is usually 128. If your system receives "Time to Live Exceeded" ICMP responses you can increase this value, but not by too much, because if your routing is bad it will lengthen the time the system spends on errors.
(2) ip_dynaddr: this parameter is usually used with dial-up connections. It lets the system immediately change the source address of IP packets to the new IP address, break off the existing TCP conversation and re-issue a SYN request packet from the new address to start a new TCP conversation. When using IP masquerading, this parameter makes the masqueraded address change immediately to the new IP address. The parameter can take these values:
1: enable this feature
2: enable this feature in verbose mode
0: disable this feature
Application example: when using ipchains to configure IP masquerading so that a LAN shares a PPP connection, sometimes a connection to a site fails, and only refreshing gets the connection. In this case set this parameter to 1, so that the masqueraded address changes to the new IP address, which solves such problems. The command is:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
(3) ip_forward: this parameter enables packet forwarding so that the system acts as a router. When the value is 1, IP forwarding is enabled; when 0, IP forwarding is disabled. Note that IP forwarding can be done with a single network card or with two network cards. Application example:
Suppose we use a Linux host with two network cards as a firewall; we must run the following command to turn on IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
(4) ip_local_port_range: sets the range of local ports used when the local system initiates a TCP or UDP connection. The value is two integers; the default is "1024 4999".
Application example:
echo "1450 6000" > /proc/sys/net/ipv4/ip_local_port_range
TCP-related kernel parameters

The TCP parameters control all aspects of a TCP session.
(1) tcp_fin_timeout: during a TCP session, A first sends a FIN packet to B; after receiving B's ACK, A enters the FIN_WAIT2 state and waits for B's FIN packet, which it then acknowledges with an ACK. This parameter sets how long a host in the FIN_WAIT2 state waits for the other side's FIN packet; if no FIN packet arrives within that time, the session is released. The value is an integer in seconds; the default is 180 seconds.
(2) tcp_syn_retries: sets how many times the SYN connection request packet is retransmitted when establishing a TCP session. The value is less than 255; the default is 10. If your connection is very fast you can consider reducing this value to improve the system's response time; even for users with slow connections the default setting is more than enough.
(3) tcp_window_scaling: sets whether the sliding window size of a TCP/IP session can vary. The value is a Boolean: 1 means variable, 0 means not. TCP/IP normally uses a window of at most 65535 bytes, which may be too small for high-speed networks; if this feature is enabled, the TCP/IP sliding window can grow by several orders of magnitude, increasing the data transfer capacity.
The kernel network parameters for each network interface can specify the kernel network parameters such as Eth0, Eth1, etc., for each network interface. Note: / PROC / SYS / NET / IPv4 / Conf / ALL / under parameters will be applied to all network interfaces.
(1) accept_redirects: This parameter is located in / proc / sys / net / ipv4 / conf / dev / accept_redirects (dev / accept_redirects (DEV represents a specific network interface), if you have two routers in the network segment where your host is located, you will set it one It became the default gateway, but the gateway found that the IP package must pass another router when receiving your IP package. At this time, the router will send you a so-called "redirection" ICMP package, tell the IP package Forward to another router. The parameter value is a Boolean value, 1 indicates that this type of redirect ICMP information is received, and 0 is ignored. Default value on the Linux host acting as a router is 0, and the default value on the general Linux host is 1. It is recommended to change it to 0, or use "safe redirection" (see below) to eliminate security hidden dangers.
(2) log_martians: Log packets whose source or destination address is impossible on the receiving interface ("martians", for instance a packet with a private or loopback source address arriving on an external interface, or a packet rejected by reverse path filtering) to the kernel log. The parameter value is a Boolean: 1 logs, 0 does not.
Applications:
Reverse path filtering (rp_filter) was covered above; to see which packets it rejects, enable martian logging on all interfaces:
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
The offending packets are then written to the kernel log and reach /var/log/messages through syslog. Keep an eye on the log volume: an attacker can generate martians at will.
(3) forwarding: Enables IP forwarding on a specific network interface. The parameter value is a Boolean: 1 enables forwarding, 0 disables it. Writing to /proc/sys/net/ipv4/conf/all/forwarding changes the setting on every interface (equivalent to /proc/sys/net/ipv4/ip_forward). Leave forwarding off on hosts that are not routers.
Applications:
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
(4) accept_source_route: Whether to accept IP packets carrying the source routing option (strict or loose source routing). The parameter value is a Boolean: 1 accepts them, 0 drops them. The default is 1 on a Linux host acting as a gateway and 0 on an ordinary Linux host. Source-routed packets let the sender dictate the path a packet takes and can be used to bypass address-based filtering, so from a security standpoint it is recommended to disable this feature.
(5) secure_redirects: The "secure redirection" mentioned above means accepting ICMP redirect messages only when they come from a gateway that is already in the host's default gateway list. This parameter enables that check. The parameter value is a Boolean: 1 enables it, 0 disables it; the default is 1. It only matters while accept_redirects is 1; if redirects are disabled altogether this setting is irrelevant.
(6) proxy_arp: Whether the host answers ARP requests on this interface for addresses that are not its own but that it can route to (proxy ARP). The parameter value is a Boolean: 1 enables it, 0 disables it; the default is 0. This is normally only useful on a Linux host acting as a router; enabling it elsewhere lets the host silently attract traffic destined for other addresses.
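The script below is an added example, not code from the original article: it audits the per-interface parameters above (plus tcp_window_scaling) against a hardened baseline, applies the baseline, and prints the equivalent /etc/sysctl.conf lines so the settings survive a reboot. The SYSCTL_ROOT variable, the function names and the baseline values are this example's own choices; by default it reads the real /proc/sys, and applying it there requires root.

```shell
#!/bin/sh
# Added example (not from the original article): audit/apply a hardened
# baseline for the per-interface ipv4 parameters discussed above.
# SYSCTL_ROOT lets the script be pointed at a copy of /proc/sys for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Baseline chosen for this example: disable ICMP redirects and source routing,
# log martians, enable reverse path filtering, keep proxy ARP off on hosts,
# and keep TCP window scaling on. Keys are paths relative to $SYSCTL_ROOT.
hardened_settings() {
    cat <<'EOF'
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/secure_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/default/accept_source_route=0
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/proxy_arp=0
net/ipv4/tcp_window_scaling=1
EOF
}

# audit_settings: print one line per baseline entry (OK / BAD / SKIP) and
# return non-zero if any present parameter deviates from the baseline.
audit_settings() {
    bad=0
    for entry in $(hardened_settings); do
        key=${entry%%=*}
        want=${entry#*=}
        file="$SYSCTL_ROOT/$key"
        if [ ! -r "$file" ]; then
            printf 'SKIP %s (not present)\n' "$key"
            continue
        fi
        read -r have < "$file"
        if [ "$have" = "$want" ]; then
            printf 'OK   %s=%s\n' "$key" "$have"
        else
            printf 'BAD  %s=%s (want %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# apply_settings: write the baseline into every writable parameter file
# (needs root against the real /proc/sys); unwritable ones are reported.
apply_settings() {
    for entry in $(hardened_settings); do
        key=${entry%%=*}
        want=${entry#*=}
        file="$SYSCTL_ROOT/$key"
        if [ -w "$file" ]; then
            printf '%s\n' "$want" > "$file"
        else
            printf 'SKIP %s (not writable)\n' "$key" >&2
        fi
    done
}

# to_sysctl_conf: the same baseline in /etc/sysctl.conf syntax
# (net.ipv4.conf.all.accept_redirects = 0), loaded at boot by sysctl -p.
to_sysctl_conf() {
    hardened_settings | sed 's#/#.#g; s#=# = #'
}

# Usage: ./harden-ipv4.sh audit | apply | conf
case "${1:-}" in
    audit) audit_settings ;;
    apply) apply_settings ;;
    conf)  to_sysctl_conf ;;
esac
```

Run the audit first and review the BAD lines before applying: on a router, for example, forwarding is intentional and rp_filter may need to stay at 0 on asymmetric paths, so the baseline is a starting point rather than a rule.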
Changing the kernel's default resource limits
1. _SHM_ID_BITS: defined in the /usr/src/linux/include/asm/shmparam.h file;
Role: the number of bits in a shared memory segment identifier, which bounds how many shared memory segments the system can have; the default is 7, i.e. 128 segments;
Tuning: raise this value to 9 (512 segments) and recompile the kernel. On 2.4 and later kernels this limit is the runtime parameter /proc/sys/kernel/shmmni (kernel.shmmni) instead, so no recompile is needed.
2. msgmni: this value is exposed in the /proc/sys/kernel/msgmni file;
Role: the maximum number of System V message queue identifiers system-wide; for DB2 (version 7.1) to run normally, the minimum is 128;
for high-load DB2 servers, raise it to >= 1024;
Tuning: on the 2.4.6 kernel the default is 16; it can be changed in any of the following three ways.
(1) bash# sysctl -w kernel.msgmni=128
(2) bash# echo 128 > /proc/sys/kernel/msgmni
(3) To have the value set at boot, add the following lines to /etc/sysctl.conf (loaded by sysctl -p during startup):
# Sets maximum number of message queues to 128
# Set this to 1024 or higher on production systems
kernel.msgmni = 128
(Use the ipcs -l command to see the current values of the IPC limits.)
3. NR_TASKS: defined in the /usr/src/linux/include/linux/tasks.h file;
MAX_TASKS_PER_USER is defined as NR_TASKS / 2. Linux treats each DB2 instance as a user, and each connection normally uses one process, so the maximum number of connections per instance is limited to NR_TASKS / 2. Although 2.4 kernels no longer impose this compile-time limit, the default per-user process limit on some Linux systems is still 512; tuning: raise it to >= 1024 (on 2.2 kernels this means recompiling the kernel; on 2.4 and later raise the per-user limit with ulimit -u or limits.conf instead).
4. SEMMNI: defined in the /usr/src/linux/include/linux/sem.h file;
Role: the maximum number of semaphore set identifiers Linux can support;
Tuning: the default is 128; raise it to 1024. On 2.4 and later kernels SEMMNI is the fourth field of /proc/sys/kernel/sem (kernel.sem = SEMMSL SEMMNS SEMOPM SEMMNI) and can be changed with sysctl without recompiling.
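As an added example (not from the original article), the script below checks the runtime IPC limits above against the targets the article gives for high-load DB2 servers (msgmni >= 1024 and SEMMNI >= 1024) and prints the /etc/sysctl.conf lines needed to reach them. It assumes the 2.4-and-later sysctl interface, where SEMMNI is the fourth field of kernel.sem; SYSCTL_ROOT, the function names and the threshold constants are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): compare the System V IPC
# limits discussed above with the DB2 targets the article gives and print the
# sysctl.conf lines required. SYSCTL_ROOT can point at a copy of /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
MIN_MSGMNI=1024   # article: >= 1024 for high-load DB2 servers
MIN_SEMMNI=1024   # article: raise SEMMNI from 128 to 1024

# read_sysctl kernel/msgmni: print the value; fail if the file is absent.
read_sysctl() {
    f="$SYSCTL_ROOT/$1"
    [ -r "$f" ] || return 1
    read -r v < "$f"
    printf '%s\n' "$v"
}

# current_semmni: SEMMNI is the fourth field of kernel.sem
# ("SEMMSL SEMMNS SEMOPM SEMMNI"), so changing it means rewriting all four.
current_semmni() {
    sem=$(read_sysctl kernel/sem) || return 1
    set -- $sem
    [ $# -ge 4 ] || return 1
    printf '%s\n' "$4"
}

# check_ipc_limits: print the /etc/sysctl.conf lines required to reach the
# targets; return 0 when nothing needs to change.
check_ipc_limits() {
    needed=0
    msgmni=$(read_sysctl kernel/msgmni)
    if [ -n "$msgmni" ] && [ "$msgmni" -lt "$MIN_MSGMNI" ]; then
        printf 'kernel.msgmni = %s\n' "$MIN_MSGMNI"
        needed=1
    fi
    sem=$(read_sysctl kernel/sem)
    if [ -n "$sem" ]; then
        set -- $sem
        if [ "${4:-0}" -lt "$MIN_SEMMNI" ]; then
            # keep SEMMSL, SEMMNS and SEMOPM as they are; raise only SEMMNI
            printf 'kernel.sem = %s %s %s %s\n' "$1" "$2" "$3" "$MIN_SEMMNI"
            needed=1
        fi
    fi
    [ "$needed" -eq 0 ]
}

# Usage: ./check-ipc.sh check   (review the output, append it to
# /etc/sysctl.conf, run sysctl -p, then confirm with ipcs -l)
case "${1:-}" in
    check) check_ipc_limits ;;
esac
```

The script deliberately rewrites kernel.sem with the existing first three fields: setting only SEMMNI through sysctl is not possible, and copying the four numbers from another machine silently changes SEMMSL and SEMMNS as well.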
Transition from IPv4 to IPv6
Although IPv6 is a significant advance over IPv4, it is impossible to upgrade every system on the Internet and in enterprise networks to IPv6 in a short time. As part of its IPv6 work, the IETF therefore defined a transition plan from IPv4 to IPv6 with three mechanisms: IPv4-compatible IPv6 addresses, dual IP protocol stacks, and IPv6-over-IPv4 tunnels.
An IPv4-compatible IPv6 address is a special IPv6 unicast address that lets an IPv6 node communicate with IPv4 nodes across an IPv4 network. It consists of 96 zero bits followed by the node's 32-bit IPv4 address; for example, if a node's IPv4 address is 192.56.1.1, its IPv4-compatible IPv6 address is:
0:0:0:0:0:0:C038:101 (written ::192.56.1.1 or ::c038:101 in compressed notation).
Note that IPv4-compatible addresses were later deprecated (RFC 4291); current stacks represent IPv4 peers with the IPv4-mapped form ::ffff:192.56.1.1 instead.
A dual IP protocol stack system (a host or a router) runs both the IPv4 and the IPv6 stack. Such a system has both an IPv4 address and an IPv6 address and can send and receive both IPv4 and IPv6 datagrams, using IPv4 when it talks to IPv4 nodes and IPv6 when it talks to IPv6 nodes. Keep in mind that a dual-stack host has two attack surfaces: filtering rules written only for IPv4 (iptables) leave the IPv6 side (ip6tables) open.
Compared with dual stacks, IPv6-over-IPv4 tunneling is a more complex technique: IPv6 datagrams are carried inside IPv4 datagrams so that IPv6 nodes can communicate across an existing IPv4 network (such as the Internet). It involves three steps: encapsulation, decapsulation, and tunnel management. Encapsulation means the tunnel start point creates an IPv4 header and places the IPv6 datagram inside the new IPv4 datagram as its payload. Decapsulation means the tunnel endpoint removes the IPv4 header and restores the original IPv6 datagram. Tunnel management means the tunnel start point maintains the tunnel's configuration information. There are four tunnel configurations: router-to-router, host-to-router, host-to-host, and router-to-host.
When both communicating hosts have IPv4-compatible IPv6 addresses, the sending host creates a host-to-host tunnel. The tunnel start point (the sending host) treats the receiving host as the tunnel endpoint and takes the endpoint's IPv4 address directly from the low-order 32 bits of its IPv6 address; this kind of tunnel is called automatic tunneling. Because any IPv4 host can send such an encapsulated packet, a tunnel endpoint should filter the decapsulated IPv6 traffic just as strictly as native traffic.
Dual stacks and IPv6-over-IPv4 tunnels allow IPv4 networks to migrate to IPv6 at a controlled pace. Before starting the transition you must set up a DNS server that serves both IPv4 (A) and IPv6 (AAAA) records. For configuration details and more on IPv6, see the IPv6 related websites; here we give only a brief theoretical overview of using IPv6 under Linux.
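The following shell functions are an added example, not code from the original article: they build the IPv4-compatible address described above from a dotted-quad IPv4 address, perform the reverse extraction an automatic tunnel does to find its IPv4 endpoint (rejecting addresses whose upper 96 bits are not zero), and emit the IPv4-mapped form that replaced the deprecated compatible form. The function names are this example's own; the 192.56.1.1 sample is the article's.

```shell
#!/bin/sh
# Added example (not from the original article): IPv4-compatible IPv6
# addresses (::a.b.c.d, 96 zero bits + 32-bit IPv4) and the automatic-tunnel
# endpoint extraction described above, in portable POSIX sh.

# valid_ipv4 A.B.C.D: succeed only for four decimal octets in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# ipv4_to_compat6 192.56.1.1 -> ::c038:101 (the article's 0:0:0:0:0:0:C038:101)
ipv4_to_compat6() {
    valid_ipv4 "$1" || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '::%x:%x\n' "$(( $1 * 256 + $2 ))" "$(( $3 * 256 + $4 ))"
}

# ipv4_to_mapped6 192.56.1.1 -> ::ffff:192.56.1.1 (the non-deprecated form)
ipv4_to_mapped6() {
    valid_ipv4 "$1" || return 1
    printf '::ffff:%s\n' "$1"
}

# compat6_to_ipv4 ADDR: what an automatic tunnel start point does to find the
# IPv4 endpoint: take the low 32 bits, but only if the top 96 bits are zero.
# Accepts either "::c038:101" or "0:0:0:0:0:0:C038:101".
compat6_to_ipv4() {
    addr=$1
    lo=${addr##*:}           # last 16-bit group
    rest=${addr%:*}
    hi=${rest##*:}           # second-to-last group
    prefix=${rest%:*}        # everything before the last two groups
    [ -n "$hi" ] && [ -n "$lo" ] || return 1
    case "$hi$lo" in *[!0-9a-fA-F]*) return 1 ;; esac
    case "$prefix" in *[!0:]*) return 1 ;; esac   # not an IPv4-compatible address
    hi=$((0x$hi)); lo=$((0x$lo))
    printf '%d.%d.%d.%d\n' $((hi / 256)) $((hi % 256)) $((lo / 256)) $((lo % 256))
}

# Usage: ./compat6.sh 192.56.1.1
if [ -n "${1:-}" ]; then
    ipv4_to_compat6 "$1" && ipv4_to_mapped6 "$1"
fi
```

The prefix check in compat6_to_ipv4 is the part worth copying: a tunnel endpoint that blindly takes the low 32 bits of any destination would happily treat a global IPv6 address as a tunnel target.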