Getting familiar with the TCP parameters in the Linux kernel
/proc/sys/net/ipv4/
This directory holds the files for the TCP parameters. Its entries are used to add network settings; many of them can be used to block attacks on the system, and others configure the system's routing functions.
Query command:
[root@localhost ~]# ls /proc/sys/net/ipv4/
cipso_cache_bucket_size igmp_qrv ip_no_pmtu_disc tcp_fastopen tcp_moderate_rcvbuf tcp_thin_dupack
cipso_cache_enable inet_peer_maxttl neigh tcp_fastopen_key tcp_mtu_probing tcp_thin_linear_timeouts
cipso_rbm_optfmt inet_peer_minttl ping_group_range tcp_fin_timeout tcp_no_metrics_save tcp_timestamps
cipso_rbm_strictvalid inet_peer_threshold route tcp_frto tcp_notsent_lowat tcp_tso_win_divisor
conf ip_default_ttl tcp_abort_on_overflow tcp_invalid_ratelimit tcp_orphan_retries tcp_tw_recycle
fib_multipath_hash_policy ip_dynaddr tcp_adv_win_scale tcp_keepalive_intvl tcp_reordering tcp_tw_reuse
fwmark_reflect ip_early_demux tcp_allowed_congestion_control tcp_keepalive_probes tcp_retrans_collapse tcp_window_scaling
icmp_echo_ignore_all ip_forward tcp_app_win tcp_keepalive_time tcp_retries1 tcp_wmem
icmp_echo_ignore_broadcasts ip_forward_use_pmtu tcp_autocorking tcp_limit_output_bytes tcp_retries2 tcp_workaround_signed_windows
icmp_errors_use_inbound_ifaddr ipfrag_high_thresh tcp_available_congestion_control tcp_low_latency tcp_rfc1337 udp_mem
icmp_ignore_bogus_error_responses ipfrag_low_thresh tcp_base_mss tcp_max_orphans tcp_rmem udp_rmem_min
icmp_msgs_burst ipfrag_max_dist tcp_challenge_ack_limit tcp_max_ssthresh tcp_sack udp_wmem_min
icmp_msgs_per_sec ipfrag_secret_interval tcp_congestion_control tcp_max_syn_backlog tcp_slow_start_after_idle xfrm4_gc_thresh
icmp_ratelimit ipfrag_time tcp_dsack tcp_max_tw_buckets tcp_stdurg
icmp_ratemask ip_local_port_range tcp_early_retrans tcp_mem tcp_synack_retries
igmp_max_memberships ip_local_reserved_ports tcp_ecn tcp_min_snd_mss tcp_syncookies
igmp_max_msf ip_nonlocal_bind tcp_fack tcp_min_tso_segs tcp_syn_retries
tcp_syn_retries
The number of times the client retransmits its initial SYN when a connection attempt times out.
Query command:
[root@localhost ~]# cat /proc/sys/net/ipv4/tcp_syn_retries
6
sysctl net.ipv4.tcp_syn_retries=6
Change this parameter to 3 and test it.
Set command:
[root@localhost ~]# sysctl net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_syn_retries = 3
[root@localhost ~]# cat /proc/sys/net/ipv4/tcp_syn_retries
3
You can test this with ssh, which is also TCP-based, and capture the packets with Wireshark: the capture shows three retransmissions, or four SYNs sent in total if you count the first one.
Command to install Wireshark on CentOS:
yum install wireshark -y
Capture command:
[root@oyyds ~]# tshark -i eth0 -f "tcp dst port 22" | grep Retransmission
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
39 15 4.210090309 10.0.12.12 → 10.16.2.164 TCP 74 [TCP Retransmission] 56122 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1610823063 TSecr=0 WS=128
20 6.258085882 10.0.12.12 → 10.16.2.164 TCP 74 [TCP Retransmission] 56122 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1610825111 TSecr=0 WS=128
32 10.290094426 10.0.12.12 → 10.16.2.164 TCP 74 [TCP Retransmission] 56122 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1610829143 TSecr=0 WS=128
Test command:
[root@oyyds ~]# ssh 10.16.2.164
ssh: connect to host 10.16.2.164 port 22: Connection timed out
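To tie the configured retry count to what the capture shows, here is an added example (not code from the original post) that computes the expected give-up time from tcp_syn_retries and counts the SYN retransmissions in tshark output. It assumes the kernel's initial SYN RTO of 1 s and the doubling backoff visible above (+1 s, +2 s, +4 s between SYNs); the sample capture lines are constructed from the ones in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: relate the configured
# net.ipv4.tcp_syn_retries to what the tshark capture should show.
# Assumes the kernel's initial SYN RTO of 1 s and the doubling backoff
# visible in the capture above (+1 s, +2 s, +4 s between SYNs).

# Reads the configured retry count. $1 optionally names the file to read;
# the default is the live kernel setting.
read_syn_retries() {
    cat "${1:-/proc/sys/net/ipv4/tcp_syn_retries}"
}

# Seconds until connect() gives up with "Connection timed out":
# the initial SYN plus $1 retransmissions spaced 1, 2, 4, ... seconds apart,
# which sums to 2^(retries+1) - 1 (15 s for 3 retries, 127 s for the default 6).
syn_timeout_seconds() {
    echo $(( (1 << ($1 + 1)) - 1 ))
}

# Counts SYN retransmissions in tshark one-line output read from stdin.
# For a single failed connection attempt this should equal tcp_syn_retries.
count_syn_retransmissions() {
    grep -c 'TCP Retransmission.*\[SYN\]' || true
}

# Constructed sample modelled on the capture in the post (three SYN retransmissions).
SAMPLE_CAPTURE='15 4.210090309 10.0.12.12 → 10.16.2.164 TCP 74 [TCP Retransmission] 56122 → 22 [SYN] Seq=0 Win=29200 Len=0
20 6.258085882 10.0.12.12 → 10.16.2.164 TCP 74 [TCP Retransmission] 56122 → 22 [SYN] Seq=0 Win=29200 Len=0
32 10.290094426 10.0.12.12 → 10.16.2.164 TCP 74 [TCP Retransmission] 56122 → 22 [SYN] Seq=0 Win=29200 Len=0'

# check_syn_retries [RETRIES_FILE] CAPTURE_TEXT
# Prints a one-line summary and returns 0 when the observed retransmissions
# match the configured count, 1 otherwise.
check_syn_retries() {
    retries=$(read_syn_retries "$1")
    seen=$(printf '%s\n' "$2" | count_syn_retransmissions)
    echo "configured=$retries observed=$seen timeout=~$(syn_timeout_seconds "$retries")s"
    [ "$retries" -eq "$seen" ]
}

# Stand-alone use against the live kernel with a saved tshark capture:
# check_syn_retries "" "$(cat syn_capture.txt)"
```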
net.ipv4.tcp_window_scaling
Enables or disables the TCP window scaling option.
Query command:
[root@oyyds ~]# cat /proc/sys/net/ipv4/tcp_window_scaling
1
net.ipv4.tcp_sack
Enables or disables the Selective Acknowledgement (SACK) option.
Query command:
[root@oyyds ~]# cat /proc/sys/net/ipv4/tcp_sack
1
/proc/sys/net/core/
This directory contains many settings that control how the Linux kernel interacts with the network layer, i.e. how the kernel responds when something happens on the network.
Query command:
[root@oyyds ~]# ls /proc/sys/net/core/
bpf_jit_enable busy_read fb_tunnels_only_for_init_net message_cost netdev_tstamp_prequeue somaxconn xfrm_acq_expires
bpf_jit_harden default_qdisc flow_limit_cpu_bitmap netdev_budget optmem_max tstamp_allow_data xfrm_aevent_etime
bpf_jit_kallsyms dev_weight flow_limit_table_len netdev_budget_usecs rmem_default warnings xfrm_aevent_rseqth
bpf_jit_limit dev_weight_rx_bias max_skb_frags netdev_max_backlog rmem_max wmem_default xfrm_larval_drop
busy_poll dev_weight_tx_bias message_burst netdev_rss_key rps_sock_flow_entries wmem_max
/proc/sys/net/netfilter/
The settings in this directory belong to the main framework in the Linux kernel that implements packet filtering, connection tracking (conntrack), network address translation (NAT) and related functions.
Query command:
[root@oyyds ~]# ls /proc/sys/net/netfilter/
nf_conntrack_acct nf_conntrack_expect_max nf_conntrack_sctp_timeout_established nf_conntrack_tcp_timeout_last_ack
nf_conntrack_buckets nf_conntrack_frag6_high_thresh nf_conntrack_sctp_timeout_heartbeat_acked nf_conntrack_tcp_timeout_max_retrans
nf_conntrack_checksum nf_conntrack_frag6_low_thresh nf_conntrack_sctp_timeout_heartbeat_sent nf_conntrack_tcp_timeout_syn_recv
nf_conntrack_count nf_conntrack_frag6_timeout nf_conntrack_sctp_timeout_shutdown_ack_sent nf_conntrack_tcp_timeout_syn_sent
nf_conntrack_dccp_loose nf_conntrack_generic_timeout nf_conntrack_sctp_timeout_shutdown_recd nf_conntrack_tcp_timeout_time_wait
nf_conntrack_dccp_timeout_closereq nf_conntrack_helper nf_conntrack_sctp_timeout_shutdown_sent nf_conntrack_tcp_timeout_unacknowledged
nf_conntrack_dccp_timeout_closing nf_conntrack_icmp_timeout nf_conntrack_tcp_be_liberal nf_conntrack_timestamp
nf_conntrack_dccp_timeout_open nf_conntrack_icmpv6_timeout nf_conntrack_tcp_loose nf_conntrack_udp_timeout
nf_conntrack_dccp_timeout_partopen nf_conntrack_log_invalid nf_conntrack_tcp_max_retrans nf_conntrack_udp_timeout_stream
nf_conntrack_dccp_timeout_request nf_conntrack_max nf_conntrack_tcp_timeout_close nf_flowtable_tcp_timeout
nf_conntrack_dccp_timeout_respond nf_conntrack_sctp_timeout_closed nf_conntrack_tcp_timeout_close_wait nf_flowtable_udp_timeout
nf_conntrack_dccp_timeout_timewait nf_conntrack_sctp_timeout_cookie_echoed nf_conntrack_tcp_timeout_established nf_log
nf_conntrack_events nf_conntrack_sctp_timeout_cookie_wait nf_conntrack_tcp_timeout_fin_wait nf_log_all_netns
Note:
- Add the parameter to /etc/sysctl.conf and then run sysctl -p to apply it. Settings made this way are permanent.
- Change it with the sysctl command, for example to change the SYN retransmission count: sysctl net.ipv4.tcp_syn_retries=n (this takes effect immediately but does not persist across a reboot).
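As an added example (not code from the original post), the script below audits a handful of the /proc/sys/net/ipv4 parameters listed above against values chosen here, and prints the lines to append to /etc/sysctl.conf for any mismatch so they can be applied with sysctl -p. The expected values are this example's own choices (tcp_syn_retries=3 matches the experiment above); the optional directory argument exists only so the function can be tested on a constructed directory.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a handful of the
# /proc/sys/net/ipv4 parameters listed above against the values this
# example expects, and print the lines to add to /etc/sysctl.conf for any
# mismatch (apply them with `sysctl -p`, as the note above describes).
# The expected values are this example's choices, not the post's.

# name=expected pairs, one per line. tcp_syncookies keeps the listen queue
# usable during a SYN flood; icmp_echo_ignore_broadcasts stops the host
# answering broadcast pings; icmp_ignore_bogus_error_responses silences log
# spam from bogus ICMP errors; tcp_rfc1337 keeps TIME_WAIT sockets from being
# killed by stray RSTs; tcp_syn_retries=3 is the value set in the experiment.
EXPECTED='tcp_syncookies=1
icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1
tcp_rfc1337=1
tcp_syn_retries=3'

# audit_ipv4_sysctls [DIR]
# DIR defaults to /proc/sys/net/ipv4; tests pass a constructed directory.
# Prints one "net.ipv4.<name> = <value>" line per mismatch, in
# /etc/sysctl.conf syntax, and returns the number of mismatches (0 = all good).
audit_ipv4_sysctls() {
    dir=${1:-/proc/sys/net/ipv4}
    bad=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=${pair#*=}
        if [ ! -r "$dir/$name" ]; then
            echo "# $name: not present on this kernel, skipped" >&2
            continue
        fi
        have=$(cat "$dir/$name")
        if [ "$have" != "$want" ]; then
            echo "net.ipv4.$name = $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use on a live system (reading /proc/sys does not need root):
# audit_ipv4_sysctls > /tmp/sysctl-fixes.conf || echo "$? setting(s) differ"
```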
Viewing Linux system statistics
View command:
[root@oyyds ~]# ls /sys/class/net/eth0/statistics/
collisions rx_compressed rx_errors rx_length_errors rx_over_errors tx_bytes tx_dropped tx_heartbeat_errors
multicast rx_crc_errors rx_fifo_errors rx_missed_errors rx_packets tx_carrier_errors tx_errors tx_packets
rx_bytes rx_dropped rx_frame_errors rx_nohandler tx_aborted_errors tx_compressed tx_fifo_errors tx_window_errors
/sys/class/net/eth0/statistics/rx_packets  number of packets received
/sys/class/net/eth0/statistics/tx_packets  number of packets transmitted
/sys/class/net/eth0/statistics/rx_bytes  number of bytes received
/sys/class/net/eth0/statistics/tx_bytes  number of bytes transmitted
/sys/class/net/eth0/statistics/rx_dropped  packets dropped while receiving
/sys/class/net/eth0/statistics/tx_dropped  packets dropped while transmitting
The parameters of a Linux network interface can be viewed under /sys/class/net/ by entering the directory of the corresponding interface, for example the NIC's MAC address (address), speed and MTU.
View command:
[root@oyyds ~]# ls /sys/class/net/eth0/
addr_assign_type carrier device duplex ifindex name_assign_type phys_port_id proto_down subsystem type
address carrier_changes dev_id flags iflink napi_defer_hard_irqs phys_port_name queues testing uevent
addr_len carrier_down_count dev_port gro_flush_timeout link_mode netdev_group phys_switch_id speed threaded
broadcast carrier_up_count dormant ifalias mtu operstate power statistics tx_queue_len
References
Linux kernel documentation: https://www.kernel.org/doc/html/latest/networking/nf_conntrack-sysctl.html
Detailed table of the kernel parameters in the /proc/sys/net/ipv4/, /proc/sys/net/ipv4/netfilter/ and /proc/sys/net/core/ directories: