# sysctl(8) settings for a host that forwards / NATs IPv4 traffic (presumed
# from ip_forward=1 plus the nf_conntrack and fib_multipath keys below).
# Format: one key=value per line, full-line # comments only. sysctl does not
# strip trailing comments, so never put a note after a value.
# The net.netfilter.* keys only exist once the nf_conntrack module is loaded;
# if it is not loaded when this file is applied those lines fail with
# "No such file or directory" while the remaining keys are still applied.
# net.ipv4.conf.default.* keys apply to interfaces created afterwards; the
# .all.* keys apply to interfaces that already exist.

# Enable IPv4 forwarding (original comment: 开启转发). This makes the host a
# router for every interface, so FORWARD-chain filtering must be in place.
net.ipv4.ip_forward=1
# Allow bind() to IPv4 addresses not configured on this host (VIP / failover).
net.ipv4.ip_nonlocal_bind=1
# ICMP hardening (original comment: ddos)
# Ignore ICMP echo requests addressed to broadcast/multicast (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts=1
# Do not log ICMP error responses that violate RFC 1122.
net.ipv4.icmp_ignore_bogus_error_responses=1
# Reverse-path filtering: 2 = loose (RFC 3704), 1 = strict, 0 = off. Loose
# mode only requires the source to be reachable via some interface, so it is
# a weaker anti-spoofing control than strict; it is the usual choice when
# routing is asymmetric or multipath (see fib_multipath_* below). Prefer 1
# wherever return paths are symmetric.
net.ipv4.conf.all.rp_filter=2
net.ipv4.conf.default.rp_filter=2
# NOTE(review): a forwarding host commonly also sets
# net.ipv4.conf.all.accept_redirects=0, net.ipv4.conf.all.send_redirects=0,
# net.ipv4.conf.all.accept_source_route=0 and net.ipv4.conf.all.log_martians=1.
# None of them appear here, so they keep the kernel defaults -- confirm that
# is intended.
# ARP behaviour (original comment: arp)
# arp_announce=1: when sending ARP requests, avoid using a local source
# address that is not in the target's subnet.
net.ipv4.conf.all.arp_announce=1
net.ipv4.conf.default.arp_announce=1
# arp_ignore=2: answer an ARP request only if the target IP is configured on
# the incoming interface and the sender is in the same subnet. This stops the
# host answering for addresses held on other interfaces (common for VIP / LVS
# real-server setups) -- TODO confirm that is the intended use here.
net.ipv4.conf.all.arp_ignore=2
net.ipv4.conf.default.arp_ignore=2
# Neighbour (ARP) cache: seconds before an entry is rechecked for staleness,
# then the GC thresholds -- no GC below thresh1, soft limit thresh2, hard
# limit thresh3 (new entries are refused above it). Sized for a large L2 domain.
net.ipv4.neigh.default.gc_stale_time=60
net.ipv4.neigh.default.gc_thresh1=8192
net.ipv4.neigh.default.gc_thresh2=49152
net.ipv4.neigh.default.gc_thresh3=65536
# Disable IPv6 on existing interfaces, new interfaces, loopback and eth0
# (original comment: 禁用ipv6).
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
# Interface-specific: fails (non-fatally) on hosts without an interface named
# eth0; interfaces with other names rely on the all/default keys above.
net.ipv6.conf.eth0.disable_ipv6=1
# Conntrack timeouts in seconds, tuned for NAT
# (original comment: nat场景tcp和udp优化). All are shorter than the kernel
# defaults so that half-closed and idle entries release table slots sooner.
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=60
net.netfilter.nf_conntrack_tcp_timeout_time_wait=60
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=30
# Half-open (SYN_RECV) entries expire after 30 s, limiting how long a SYN
# flood can hold table slots.
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans=60
# 2 h instead of the kernel default of 5 days: idle NATed TCP sessions without
# keepalives lose their mapping after 2 h, which clients must tolerate.
net.netfilter.nf_conntrack_tcp_timeout_established=7200
net.netfilter.nf_conntrack_udp_timeout=15
net.netfilter.nf_conntrack_udp_timeout_stream=30
# Conntrack table size (original comment: 防火墙链接追踪).
# nf_conntrack_max / nf_conntrack_buckets = 4 entries per hash bucket. When the
# table is full the kernel drops new connections ("nf_conntrack: table full,
# dropping packet"), which is how a connection flood manifests, so monitor
# /proc/sys/net/netfilter/nf_conntrack_count against this limit. Each entry
# costs a few hundred bytes, i.e. several hundred MB at 2M entries -- confirm
# against the host's RAM.
net.netfilter.nf_conntrack_buckets=524288
net.netfilter.nf_conntrack_max=2097152
# ECMP: hash on the L4 5-tuple (1) rather than L3 only (0), and skip nexthops
# whose neighbour entry is not reachable (original comment: L4 Hash).
net.ipv4.fib_multipath_hash_policy=1
net.ipv4.fib_multipath_use_neigh=1
# UDP / receive-side buffers (original comment: UDP). Values are bytes except
# udp_mem, which is three page counts: min, pressure, max.
# Per-CPU queue of received packets awaiting processing.
net.core.netdev_max_backlog=4096
net.core.rmem_default=262144
# Upper bound a socket may request with SO_RCVBUF (64 MiB).
net.core.rmem_max=67108864
net.ipv4.udp_rmem_min=131072
net.ipv4.udp_mem=2097152 4194304 8388608
# RFS global flow table. The original sizing rule is value = cpu * 4096, so
# 32768 corresponds to 8 CPUs -- adjust when the CPU count differs. Per-queue
# rps_flow_cnt still has to be set in sysfs for RFS to take effect.
net.core.rps_sock_flow_entries=32768
# When an interface's primary IPv4 address is removed, promote a secondary
# address instead of deleting all secondaries with it
# (original comment: 防止删除主ip后,备ip也被删掉).
net.ipv4.conf.all.promote_secondaries=1
# Ignore routes whose outgoing link is down when doing route lookups
# (original comment: 配置物理网卡down后,忽略该链路上的路由).
net.ipv4.conf.all.ignore_routes_with_linkdown=1