Sysctl: Difference between revisions
From dankwiki
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
User-supplied sysctls are best provided via files dropped into <tt>/etc/sysctl.d</tt> (these files must have a <tt>conf</tt> extension). Each has a corresponding entry in <tt>/proc/sys</tt>, assuming [[procfs]] is mounted. | User-supplied sysctls are best provided via files dropped into <tt>/etc/sysctl.d</tt> (these files must have a <tt>conf</tt> extension). Each has a corresponding entry in <tt>/proc/sys</tt>, assuming [[procfs]] is mounted. With or without a mounted procfs, the <tt>sysctl</tt> command line tool. | ||
There is a sysctl system call, but it has been deprecated since Linux 2.6.24, and its usage is discouraged. FreeBSD supports the system call. Supported sysctls can be enumerated using <tt>sysctl -a</tt>. | |||
==Some favorite sysctls== | ==Some favorite sysctls== | ||
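Review bot: the sentence added at the end of the first paragraph, "With or without a mounted procfs, the sysctl command line tool.", has no verb and never says what the tool does in that case; finish the sentence before saving. In the new second paragraph, "its usage is discouraged" is stated without a reference, so a link to the source of the deprecation would make the claim checkable.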
Line 11: | Line 13: | ||
* <tt>net.ipv4.tcp_syncookies=1</tt> enable TCP syncookies (see http://lwn.net/Articles/277146/) | * <tt>net.ipv4.tcp_syncookies=1</tt> enable TCP syncookies (see http://lwn.net/Articles/277146/) | ||
* <tt>net.ipv4.conf.default.rp_filter=1</tt>, <tt>net.ipv4.conf.all.rp_filter=1</tt> enable reverse path filter | * <tt>net.ipv4.conf.default.rp_filter=1</tt>, <tt>net.ipv4.conf.all.rp_filter=1</tt> enable reverse path filter | ||
* <tt>net.core.bpf_jit_enable=1</tt> enables [[EBPF|eBPF]] JIT |
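Review bot: the new net.core.bpf_jit_enable=1 entry uses "enables" while the two entries directly above it use "enable"; pick one verb form for the whole list. Unlike the tcp_syncookies entry, it also gives no reference or reason for the setting, so a few words on why it belongs among the favorites would help readers decide whether to copy it.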
Latest revision as of 03:21, 23 September 2019
User-supplied sysctls are best provided via files dropped into /etc/sysctl.d (these files must have a conf extension). Each has a corresponding entry in /proc/sys, assuming procfs is mounted. With or without a mounted procfs, the sysctl command line tool.
There is a sysctl system call, but it has been deprecated since Linux 2.6.24, and its usage is discouraged. FreeBSD supports the system call. Supported sysctls can be enumerated using sysctl -a.
Some favorite sysctls
- kernel.dmesg_restrict=0 allows regular users to see dmesg output
- kernel.nmi_watchdog=0 disables the NMI watchdog, freeing up a performance counter
- kernel.perf_event_paranoid=-1 allows unprivileged access to performance counters
- net.ipv4.ip_forward=1 enables IPv4 packet forwarding
- net.ipv6.conf.all.forwarding=1 enables IPv6 packet forwarding
- net.netfilter.nf_conntrack_acct=1 turns on packet/byte stats in conntrack table
- net.netfilter.nf_conntrack_timestamp=1 turns on timestamps in conntrack table
- net.ipv4.tcp_syncookies=1 enables TCP syncookies (see http://lwn.net/Articles/277146/)
- net.ipv4.conf.default.rp_filter=1, net.ipv4.conf.all.rp_filter=1 enable the reverse path filter
- net.core.bpf_jit_enable=1 enables eBPF JIT
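
The correspondence between entries in /etc/sysctl.d files and files under /proc/sys can be used to check that the running kernel matches what was configured. The following is an added example, not part of the original wiki page: the function names, the sample file contents and the interface name eth0.100 are constructed for illustration, and the separator handling assumes the rule documented in sysctl.d(5).

```python
import os

# Constructed sample in /etc/sysctl.d/*.conf syntax, using settings from the list above.
SAMPLE_CONF = """\
# lines starting with '#' or ';' are comments
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter = 1
-kernel.dmesg_restrict=0
net/ipv4/conf/eth0.100/rp_filter=1
"""

def key_to_path(key, proc_root="/proc/sys"):
    """Map a sysctl name to its procfs file using the sysctl.d(5) separator rule."""
    first = next((c for c in key if c in "./"), ".")
    if first == ".":
        # Dot-separated name: dots become path separators (and '/' a literal dot).
        key = key.translate(str.maketrans("./", "/."))
    # Slash-separated name: left intact, so dotted interface names survive.
    return os.path.join(proc_root, key)

def parse_conf(text):
    """Return {key: value}; a later assignment to the same key wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # A leading '-' only means "ignore errors when setting"; drop it.
            settings[key.strip().lstrip("-").strip()] = value.strip()
    return settings

def drift(conf_text, proc_root="/proc/sys"):
    """List (key, wanted, live) where the live value differs; live is None if unreadable."""
    out = []
    for key, wanted in parse_conf(conf_text).items():
        try:
            with open(key_to_path(key, proc_root)) as fh:
                live = " ".join(fh.read().split())  # multi-valued sysctls use tabs
        except OSError:
            live = None
        if live != " ".join(wanted.split()):
            out.append((key, wanted, live))
    return out

if __name__ == "__main__":
    for row in drift(SAMPLE_CONF):  # read-only comparison against this host
        print(row)
```

Passing a different `proc_root` lets the same check run against a copied or mocked tree instead of the live kernel.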