Kernel tuning for dedicated linux server. /etc/sysctl.d/60-sysctl.conf
# /etc/sysctl.d/60-sysctl.conf
# Generic Web + DB Server Tuning
# Based on original by Kawin Viriyaprasooksook <[email protected]>
# Apply with: sysctl --system
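########################
# Kernel & Memory
########################
# Console log level 3 (errors and worse), default level 4 for printk() calls
# without an explicit level, minimum console level 1, boot-time console level 3.
# Reduces console noise; messages still reach the ring buffer / journal.
kernel.printk = 3 4 1 3
# How aggressively the kernel will swap memory pages.
# Lower values tell the kernel to prefer dropping caches over swapping.
# 10 is a good starting point for DBs and general servers.
vm.swappiness = 10
# Maximum percentage of total system memory that can hold dirty pages
# before processes are forced to write data synchronously.
# 15% is reasonable with moderately fast storage. Consider lower (e.g., 10%) for slower disks.
vm.dirty_ratio = 15
# Percentage of total system memory where background kernel flusher threads
# will start writing dirty data to disk.
vm.dirty_background_ratio = 5
# Time in centiseconds (1/100 sec) dirty data can stay in memory before being written.
# Default 3000 (30 seconds). 1500 (15 seconds) reduces write burst size.
vm.dirty_expire_centisecs = 1500
# Time in centiseconds between background writeback cycles.
# Default 500 (5 seconds). 250 (2.5 seconds) for more frequent, smaller writes.
vm.dirty_writeback_centisecs = 250
# '1' means the kernel will always approve memory requests, potentially overcommitting.
# Useful for applications that allocate large buffers upfront (Redis documents this value).
# It also means allocation failures surface as OOM kills rather than as malloc() errors;
# PostgreSQL's documentation recommends the opposite (overcommit_memory = 2) for that reason.
# Choose per workload and monitor for OOM killer activity if memory is tight.
vm.overcommit_memory = 1
# Percentage of RAM (plus swap) that forms the commit limit. NOTE: only consulted
# when overcommit_memory = 2 (strict accounting); with mode 1 above this line is
# inert. Kept so that switching to mode 2 yields a 200% limit instead of the 50% default.
vm.overcommit_ratio = 200
# System-wide limit for open file handles.
# 4,194,304 is very generous. 2,097,152 is also often sufficient.
# Good for web servers (many sockets) and DBs (many data files, connections).
# Per-process limits (ulimit -n / LimitNOFILE) are separate and are often the real bottleneck.
fs.file-max = 4194304
# Maximum PID value. Every thread consumes a PID, so this also caps the total
# number of tasks and must be at least kernel.threads-max below (the previous
# value of 131072 made threads-max unreachable). Kernel default is 32768;
# 4194304 is the 64-bit maximum and matches the other files in this gist.
kernel.pid_max = 4194304
# Maximum number of tasks (processes + threads) system-wide. The kernel default
# scales with installed RAM.
kernel.threads-max = 524288
# Minimum amount of free RAM (in KB) the system should maintain.
# Prevents system from running completely out of memory for critical operations.
# 128MB is a common value. Increase for systems with very large RAM (e.g. 256MB for 128GB+ RAM)
vm.min_free_kbytes = 131072
# Controls the tendency of the kernel to reclaim memory used for caching
# directory and inode objects. 100 is default, lower values keep more cache.
vm.vfs_cache_pressure = 75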
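########################
# Network Core, Buffers & Qdisc
########################
# Default queuing discipline. fq_codel is excellent for reducing bufferbloat and ensuring fairness.
# If using BBR for TCP congestion control, 'fq' is its canonical partner, but fq_codel is also very good.
# (Since Linux 4.13 BBR paces internally and works with any qdisc; older kernels need 'fq'.)
net.core.default_qdisc = fq_codel
# Maximum number of packets queued on the input side of a network interface
# when the interface receives packets faster than the kernel can process them.
# Increased for 10GbE+ NICs under high load.
net.core.netdev_max_backlog = 10000
# Maximum number of connection requests queued for a listening socket (listen() backlog).
# Increased for extremely busy web servers.
net.core.somaxconn = 8192
# Maximum ancillary (socket option) buffer per socket, in bytes.
net.core.optmem_max = 65536
# Maximum number of packets processed in one NAPI softirq run.
net.core.netdev_budget = 600
# Default socket receive/send buffer size: 256 KB.
# NOTE: sysctl.conf(5) / sysctl.d(5) only define whole-line comments; text after
# a value is handed to the kernel as part of the value, so the size annotations
# that used to trail these lines have been moved onto their own lines.
net.core.rmem_default = 262144
net.core.wmem_default = 262144
# Maximum receive/send buffer an application may request via SO_RCVBUF/SO_SNDBUF: 32 MB.
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432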
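########################
# TCP Tuning
########################
# Enable TCP SYN cookies to help protect against SYN flood attacks.
# Cookies are only used once the SYN backlog below is full; they are a fallback,
# not a replacement for a firewall or rate limit in front of the host.
net.ipv4.tcp_syncookies = 1
# Maximum number of remembered connection requests not yet acknowledged (SYN_RECV state).
# The effective value is also capped by the listen() backlog and net.core.somaxconn.
net.ipv4.tcp_max_syn_backlog = 8192
# Time to hold a socket in FIN-WAIT-2 state. Lowering helps free up socket resources faster.
net.ipv4.tcp_fin_timeout = 15
# Allow reusing sockets in TIME-WAIT state for new outgoing connections.
# Relies on TCP timestamps (enabled below). Kernels >= 4.19 default to 2
# (loopback only); 1 applies it to every destination.
net.ipv4.tcp_tw_reuse = 1
# Enable TCP Timestamps. Required for tcp_tw_reuse and helps with RTT estimation.
net.ipv4.tcp_timestamps = 1
# TCP Keepalive settings: detect dead connections.
# Send the first keepalive after 10 minutes of idleness.
net.ipv4.tcp_keepalive_time = 600
# Send subsequent probes every 30 seconds.
net.ipv4.tcp_keepalive_intvl = 30
# Declare the connection dead after 6 failed probes (~3 minutes after the first probe).
net.ipv4.tcp_keepalive_probes = 6
# Range of ephemeral ports for outgoing connections. Expands the available pool.
# CAUTION: this covers the registered-port space (1024-32767), so an outgoing
# connection may grab a port a local daemon (e.g. 3306, 5432, 6379, 8080) later
# wants to bind, making that daemon fail with EADDRINUSE on restart. Exclude such
# ports from ephemeral allocation (explicit bind() is unaffected), for example:
#   net.ipv4.ip_local_reserved_ports = 3306,5432,6379,8080
net.ipv4.ip_local_port_range = 1024 65535
# TCP receive and send buffer sizes (min, default, max in bytes). Max 32 MB.
# Autotuning uses these; net.core.rmem_max/wmem_max only cap explicit SO_*BUF requests.
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
# TCP congestion control algorithm. BBR often improves throughput and latency.
# Needs the tcp_bbr module (auto-loaded by modern kernels) and, before 4.13, the 'fq' qdisc.
net.ipv4.tcp_congestion_control = bbr
# Disable restarting TCP slow start after an idle period.
net.ipv4.tcp_slow_start_after_idle = 0
# Enable Path MTU discovery probing. '1' enables after ICMP black hole detection.
net.ipv4.tcp_mtu_probing = 1
# Do not save TCP metrics from closed connections.
net.ipv4.tcp_no_metrics_save = 1
# Enable TCP window scaling for high-bandwidth, high-latency networks.
net.ipv4.tcp_window_scaling = 1
# TCP Fast Open: 1 = client, 2 = server, 3 = both.
# The server bit only affects listeners that opt in with setsockopt(TCP_FASTOPEN).
# Data carried in a TFO SYN can be replayed (RFC 7413 section 6), so only enable
# server-side TFO for services whose first request is idempotent; use 1 if unsure.
net.ipv4.tcp_fastopen = 3
# Maximum number of TIME-WAIT sockets allowed. Default is 180k+ based on RAM.
net.ipv4.tcp_max_tw_buckets = 262144
# Maximum number of orphaned TCP sockets (not attached to any file descriptor).
net.ipv4.tcp_max_orphans = 65536
# Duplicate SACK: let the receiver report duplicate segments so the sender can
# tell spurious retransmissions from real loss.
net.ipv4.tcp_dsack = 1
# Enable Selective ACKs - allows receiver to inform sender about missing segments.
net.ipv4.tcp_sack = 1
# Number of TCP retransmissions before giving up. Default is 15.
net.ipv4.tcp_retries2 = 8
# Protect against TIME-WAIT assassination (RFC 1337): ignore RST segments received in TIME-WAIT.
net.ipv4.tcp_rfc1337 = 1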
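########################
# Conntrack (Netfilter Connection Tracking)
########################
# These keys only exist once the nf_conntrack module is loaded. At boot,
# sysctl --system can run before any firewall rule pulls the module in; the lines
# below then fail with "No such file or directory" and the kernel's RAM-derived
# defaults stay in effect. Load it explicitly, e.g.:
#   echo nf_conntrack > /etc/modules-load.d/nf_conntrack.conf
# Maximum tracked connections (the original estimate is ~300 MB at this size).
# Raising nf_conntrack_max does NOT grow the hash table: also set the hashsize
# module parameter (/sys/module/nf_conntrack/parameters/hashsize) or, on kernels
# where it is writable, net.netfilter.nf_conntrack_buckets, to about max/4.
net.netfilter.nf_conntrack_max = 1048576
# Idle timeout for ESTABLISHED TCP flows: 2 hours (kernel default 5 days).
# Keep it longer than the keepalive interval of long-lived application sessions.
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
# Must be >= net.ipv4.tcp_fin_timeout so the socket is gone before the flow entry.
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
# UDP: one-way flows vs. flows seen in both directions ("stream").
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.netfilter.nf_conntrack_icmp_timeout = 30
# Everything that is not TCP/UDP/ICMP (e.g. GRE, ESP without a helper).
net.netfilter.nf_conntrack_generic_timeout = 600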
########################
# Security & Misc
########################
# Strict reverse path filtering (1): drop packets whose source address would not
# be routed back out the interface they arrived on. Blocks spoofed sources but
# breaks asymmetric routing; use 2 (loose) on multi-homed hosts.
# The effective per-interface value is max(conf.all, conf.<if>).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept ICMP redirects (an on-link attacker could rewrite the routing
# table) and do not send them (this host is not a router).
# NOTE(review): on a non-forwarding host the kernel combines conf.all with the
# per-interface value using OR, so a network manager writing
# conf.eth0.accept_redirects = 1 re-enables it -- verify with `sysctl -a`.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable acceptance of source routed packets (lets a sender dictate the path).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Secure redirects: only accept ICMP redirects from gateways in the routing table.
# Has no effect while accept_redirects = 0 above; the other files in this gist pin it to 0.
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
# Log packets with impossible source addresses (martians). The kernel rate-limits
# these messages, but expect log volume during spoofed floods.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP echo sent to broadcast/multicast addresses (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses from broken routers.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# ARP/neighbour cache: entries are stale after gc_stale_time seconds; GC does not
# run below gc_thresh1 entries, starts at gc_thresh2 (soft limit) and new
# entries are refused beyond gc_thresh3 (hard limit).
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.neigh.default.gc_thresh1 = 512
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
########################
# IPv6 Security (when IPv6 is used)
########################
# Same redirect / source-route hardening as for IPv4. There is no IPv6 rp_filter
# sysctl; v6 anti-spoofing needs a firewall rule (e.g. an nftables fib check).
# If IPv6 is not used at all, disabling it (net.ipv6.conf.all.disable_ipv6 = 1)
# removes that attack surface entirely.
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
########################
# Inotify (file watching)
########################
# Maximum number of inotify instances per real UID. Default 128.
fs.inotify.max_user_instances = 1024
# Maximum number of watches per real UID (across all of that user's instances,
# not per instance). Default 8192. Each watch pins roughly 1 KB of unswappable
# kernel memory, so this lets one user hold on the order of 512 MB; lower it on
# multi-tenant hosts.
fs.inotify.max_user_watches = 524288
# Maximum number of queued events per instance. Default 16384.
fs.inotify.max_queued_events = 65536
########################
# Shared Memory (for databases)
########################
# NOTE: since Linux 3.16 the defaults for shmmax and shmall are effectively
# unlimited, so on a current kernel these values are a *cap*, not an increase.
# Keep them only if a bounded SysV shared-memory footprint is wanted
# (PostgreSQL >= 9.3 uses mmap and needs very little SysV shm).
# Maximum size of a single shared memory segment in bytes (16GB)
kernel.shmmax = 17179869184
# Total shared memory in pages (4194304 pages = 16GB with 4 KB pages; page size dependent)
kernel.shmall = 4194304
# Maximum number of shared memory segments
kernel.shmmni = 4096
# /etc/sysctl.d/60-sysctl.conf
# Enhanced Web + DB Server Tuning for CentOS 6 / RHEL 6 (kernel 2.6.32).
# NOTE: CentOS 6 / RHEL 6 reached end of life in November 2020 and receive no
# security fixes; treat this file as legacy-only and plan the migration.
# Apply with: sysctl -e -p /etc/sysctl.d/60-sysctl.conf (-e skips keys this kernel
# lacks instead of aborting). `sysctl --system` needs procps-ng and may be absent on
# the stock CentOS 6 procps; check `sysctl --help` before relying on it.
########################
# Kernel & Memory
########################
# Console log levels: current 3, default 4, minimum 1, boot-time 3 (quieter console)
kernel.printk = 3 4 1 3
# Maximum PID value; also caps the total number of threads (kernel default 32768)
kernel.pid_max = 65536
# Full ASLR (stack, mmap base, brk)
kernel.randomize_va_space = 2
# Restrict dmesg to privileged users; hide kernel pointers in /proc from unprivileged users.
# NOTE(review): both keys post-date 2.6.32 upstream and depend on the RHEL 6
# backport level; with `sysctl -e` a missing key is skipped rather than fatal.
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
########################
# Memory Management
########################
# Prefer dropping caches over swapping (0-100, kernel default 60)
vm.swappiness = 10
# Reclaim dentry/inode caches less eagerly than page cache (default 100)
vm.vfs_cache_pressure = 50
# Dirty page writeback: force synchronous writes at 15% of RAM, start background
# flushing at 5%; 30 s expiry and 5 s writeback interval (the latter two are kernel defaults)
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500
# Keep at least 64 MB free for atomic/critical allocations
vm.min_free_kbytes = 65536
# Always allow allocations (heuristic disabled); failures then arrive as OOM kills.
# overcommit_ratio is only consulted when overcommit_memory = 2, so it is inert here.
vm.overcommit_memory = 1
vm.overcommit_ratio = 100
########################
# File System
########################
# System-wide open file handles (per-process limits via ulimit -n are separate)
fs.file-max = 2097152
# Concurrent asynchronous I/O requests (io_setup); databases using AIO need this raised
fs.aio-max-nr = 1048576
# inotify: instances per real UID (default 128), watches per real UID (default 8192,
# roughly 1 KB of kernel memory each), queued events per instance (default 16384)
fs.inotify.max_user_instances = 256
fs.inotify.max_user_watches = 524288
fs.inotify.max_queued_events = 65536
########################
# Shared Memory (Databases)
########################
# Max segment size 16GB; total 4194304 pages (16GB with 4 KB pages); 4096 segments.
# Unlike modern kernels (effectively unlimited since 3.16), 2.6.32 defaults to a
# 32 MB shmmax, so here these values genuinely raise the limits.
kernel.shmmax = 17179869184
kernel.shmall = 4194304
kernel.shmmni = 4096
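########################
# CPU Scheduler (CFS)
########################
# Minimum time a task runs before it can be preempted (ns)
kernel.sched_min_granularity_ns = 1000000
# How far ahead a waking task must be before it preempts the running one (ns)
kernel.sched_wakeup_granularity_ns = 2000000
# Cost estimate used to decide whether a task is cache-hot and should not migrate (ns).
# NOTE(review): on some 2.6.32-era kernels this key is spelled
# kernel.sched_migration_cost (no _ns suffix); check `sysctl -a | grep sched_migration`.
kernel.sched_migration_cost_ns = 500000
# Real-time throttling: of every sched_rt_period_us, at most sched_rt_runtime_us
# may be consumed by SCHED_FIFO/SCHED_RR tasks, leaving the rest for normal tasks.
# The original file set the runtime to -1 (throttling off), which lets a single
# runaway real-time task -- anything holding RLIMIT_RTPRIO or CAP_SYS_NICE --
# starve the whole machine with no recovery path. The kernel default (95%) is kept.
kernel.sched_rt_period_us = 1000000
kernel.sched_rt_runtime_us = 950000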
########################
# Network Core
########################
# listen() backlog cap (also caps the effective tcp_max_syn_backlog)
net.core.somaxconn = 4096
# Per-CPU input queue for packets arriving faster than the kernel drains them
net.core.netdev_max_backlog = 5000
# Per-socket ancillary (socket option) buffer limit in bytes
net.core.optmem_max = 65536
# Default / maximum socket buffers: 256 KB / 16 MB. rmem_max/wmem_max cap what
# applications may request with SO_RCVBUF/SO_SNDBUF.
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
########################
# TCP/IP Stack
########################
# Ephemeral ports for outgoing connections. Overlaps the registered-port space
# (1024-32767): list ports local daemons bind in net.ipv4.ip_local_reserved_ports
# so an outgoing connection cannot occupy them first.
net.ipv4.ip_local_port_range = 1024 65535
# SYN cookies kick in once the SYN backlog (8192) is full
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
# Give up after 2 retransmissions: half-open connections are dropped after ~7 s
# (default ~63 s) and outgoing connect() fails after ~7 s (default ~127 s).
# The latter is aggressive on lossy paths; expect spurious connection failures.
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# FIN-WAIT-2 hold time in seconds (default 60)
net.ipv4.tcp_fin_timeout = 25
# Reuse TIME-WAIT sockets for outgoing connections; relies on timestamps (below)
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
# Caps on TIME-WAIT and orphaned sockets; beyond them sockets are reset/destroyed
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_max_orphans = 65536
# Keepalive: first probe after 10 min idle, then every 60 s, dead after 5 failed probes
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 5
# Data retransmissions before an established connection is abandoned (kernel default)
net.ipv4.tcp_retries2 = 15
# Receive / send buffers: min, default, max in bytes (max matches net.core.*mem_max)
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Window scaling, SACK, D-SACK, FACK (FACK was removed upstream in 4.15; fine on 2.6.32)
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_fack = 1
# Receive buffer autotuning
net.ipv4.tcp_moderate_rcvbuf = 1
# Keep cwnd across idle periods; do not cache per-destination metrics from closed connections
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
# Ignore RST segments while in TIME-WAIT (RFC 1337 TIME-WAIT assassination)
net.ipv4.tcp_rfc1337 = 1
########################
# Connection Tracking
########################
# Keys exist only after the nf_conntrack module is loaded; on CentOS 6 make sure
# the iptables service (or a modprobe in rc.local) runs before sysctl, otherwise
# these lines error out and the RAM-derived defaults stay in effect.
# The hash table does not follow nf_conntrack_max; set the hashsize module
# parameter (/sys/module/nf_conntrack/parameters/hashsize, ~max/4) as well.
net.netfilter.nf_conntrack_max = 262144
# TCP state timeouts in seconds (established: kernel default is 5 days)
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
# UDP: one-way flows vs. flows seen in both directions ("stream")
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
# Everything that is not TCP/UDP/ICMP (e.g. GRE, ESP without a helper)
net.netfilter.nf_conntrack_generic_timeout = 600
########################
# ARP Cache
########################
# Neighbour entries go stale after 120 s; GC does not run below 512 entries,
# starts at 1024 (soft limit) and new entries are refused beyond 2048 (hard limit).
# Raise the thresholds on hosts that talk to more than ~2000 on-link neighbours.
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.neigh.default.gc_thresh1 = 512
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
########################
# IPv4 Security
########################
# Strict reverse-path filtering (breaks asymmetric routing; use 2 for loose mode)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Neither accept nor send ICMP redirects (routing-table manipulation by on-link hosts).
# secure_redirects is moot while accept_redirects = 0 but is pinned to 0 for clarity.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Log packets with impossible source addresses (rate-limited; noisy under spoofed floods)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# This host is neither a BOOTP relay nor an ARP proxy
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
# Ignore broadcast pings (smurf); do not log bogus ICMP errors from broken routers
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
########################
# IPv6 Security
########################
# Same redirect / source-route hardening as IPv4 (there is no rp_filter for v6;
# use an ip6tables rule for anti-spoofing)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# To disable IPv6 entirely (smallest attack surface when it is unused), uncomment.
# Disabling it on lo can break software that binds ::1; test before rolling out.
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
# net.ipv6.conf.lo.disable_ipv6 = 1
# /etc/sysctl.d/80-k8s.conf
# Enhanced Kubernetes Node Network Tuning for kube-proxy nftables mode
# Based on original by Kawin Viriyaprasopsook <[email protected]>
# Apply with: sysctl --system
########################
# Kernel & Memory
########################
# Quieter console: current 3, default 4, minimum 1, boot-time 3
kernel.printk = 3 4 1 3
# Prefer dropping caches over swap. The kubelet refuses to start with swap enabled
# unless failSwapOn=false, so on most nodes this only matters if swap was enabled deliberately.
vm.swappiness = 10
# Always allow allocations; overcommit_ratio is only read in mode 2 and is inert here
vm.overcommit_memory = 1
vm.overcommit_ratio = 100
# System-wide open file handles
fs.file-max = 2097152
# 64-bit maximum; many small containers consume PIDs quickly. Pair with the
# kubelet's podPidsLimit so a single pod cannot exhaust them.
kernel.pid_max = 4194304
# Dirty page tuning for better I/O performance: force synchronous writes at 10% of RAM,
# background flush at 5%, 30 s expiry, 5 s writeback interval
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500
# Keep dentry/inode caches longer (many container filesystems)
vm.vfs_cache_pressure = 50
# 128 MB reserve for atomic/critical allocations
vm.min_free_kbytes = 131072
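########################
# TCP Performance
########################
# NOTE: many net.ipv4.tcp_* keys are per network namespace. Pods with their own
# namespace start from kernel defaults, not from this file; set them there via
# pod securityContext.sysctls (and the kubelet allowed-unsafe-sysctls list) if needed.
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 1
# TCP Fast Open: 3 = client + server. The server bit only affects listeners that
# opt in with TCP_FASTOPEN; data in a TFO SYN can be replayed (RFC 7413 section 6),
# so only idempotent services should use it. 1 (client only) if unsure.
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_syncookies = 1
# Give up on outgoing / half-open connections after 2 retransmissions (~7 s
# instead of the default ~127 s / ~63 s). Aggressive; expect spurious connect
# failures on lossy paths. syncookies above already protect the half-open queue.
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
# Ephemeral port range. It overlaps the default NodePort range (30000-32767) and
# the kubelet/kube-proxy ports (10250, 10256), so an outgoing connection from the
# node could occupy a port a service later needs to bind. Reserve them from
# ephemeral allocation (explicit bind() is unaffected); on control-plane nodes
# extend the list with 2379-2380, 6443, 10257 and 10259.
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_local_reserved_ports = 10250,10256,30000-32767
# BBR needs the tcp_bbr module (auto-loaded on modern kernels); fq qdisc set below
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_slow_start_after_idle = 0
# Probe the path MTU after an ICMP black hole is detected (overlay networks shrink the MTU)
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_no_metrics_save = 1
# Kernel default; coalesce small writes when the qdisc already holds data
net.ipv4.tcp_autocorking = 1
# Limit unsent data queued per socket so the write path stays responsive
net.ipv4.tcp_notsent_lowat = 16384
# FIN-WAIT-2 hold time in seconds (default 60)
net.ipv4.tcp_fin_timeout = 30
# Caps on TIME-WAIT and orphaned sockets
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_max_orphans = 262144
# Data retransmissions before an established connection is abandoned (default 15)
net.ipv4.tcp_retries2 = 8
# Ignore RST segments while in TIME-WAIT (RFC 1337)
net.ipv4.tcp_rfc1337 = 1
# listen() backlog cap
net.core.somaxconn = 65535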
########################
# Network Buffers & Qdisc
########################
# Per-CPU input queue for packets arriving faster than they are processed
net.core.netdev_max_backlog = 30000
# Default socket buffers of 1 MB apply to every non-TCP socket (UDP, raw, netlink)
# at creation, so memory use scales with socket count; TCP uses tcp_rmem/tcp_wmem instead.
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
# Upper bound for SO_RCVBUF/SO_SNDBUF requests: 16 MB
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Per-socket ancillary (socket option) buffer limit
net.core.optmem_max = 65536
# TCP autotuning bounds: min, initial, max (bytes)
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_moderate_rcvbuf = 1
# fq provides the pacing that BBR (set above) benefits from
net.core.default_qdisc = fq
########################
# IP Fragmentation
########################
# Memory for reassembling fragmented datagrams: start discarding at 4 MB, stop
# at 3 MB; incomplete datagrams are dropped after 30 s. These match the usual
# kernel defaults and are listed for explicitness only.
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv4.ipfrag_time = 30
########################
# TIME-WAIT & Keepalive
########################
# Reuse TIME-WAIT sockets for outgoing connections (relies on tcp_timestamps = 1, set above)
net.ipv4.tcp_tw_reuse = 1
# First probe after 10 min idle, then every 60 s; connection dead after 5 failed probes
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 5
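########################
# Security & ICMP
########################
# Neither accept nor send ICMP redirects; drop source-routed packets
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Strict reverse-path filtering. NOTE(review): CNIs differ on this -- some
# require or set 0/2 on their own interfaces, and the effective value is
# max(conf.all, conf.<if>), so conf.all = 1 forces strict mode everywhere.
# Check the CNI's documented requirement before enabling on a node.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible source addresses (rate-limited; noisy under spoofed floods)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore broadcast pings (smurf); do not log bogus ICMP errors from broken routers
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Minimum spacing in milliseconds between ICMP messages of the rate-limited types
# sent to one destination (kernel default 1000). 100 = at most ten per second per target.
net.ipv4.icmp_ratelimit = 100
# Bitmask of ICMP types subject to icmp_ratelimit (bit N = ICMP type N).
# 6168 = 0x1818 = types 3, 4, 11, 12 (destination unreachable, source quench,
# time exceeded, parameter problem) -- the kernel default. The previous value
# 8800 = 0x2260 selected types 5, 6, 9 and 13 (redirect, alternate host address,
# router advertisement, timestamp request) and left the error types this node
# actually emits -- the ones relevant to reflection/amplification -- unlimited.
# Add 1 (bit 0) to also limit echo replies.
net.ipv4.icmp_ratemask = 6168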
########################
# Routing & Bridge (Essential for K8s)
########################
# Forwarding is mandatory for pod traffic (kubeadm's preflight checks it)
net.ipv4.ip_forward = 1
# Make bridged pod traffic traverse the host's iptables/ip6tables/arptables so
# Service and NetworkPolicy rules also apply between pods on the same node.
# These keys exist only while the br_netfilter module is loaded -- add it to
# /etc/modules-load.d/ or `sysctl --system` fails on them at boot.
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-arptables = 1
# IPv6 forwarding for dual-stack clusters. With forwarding on, router
# advertisements are ignored unless accept_ra = 2.
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
# Redirect / source-route hardening for IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
########################
# Conntrack (nftables mode relies on nf_conntrack)
########################
# Keys exist only once nf_conntrack is loaded (add it to /etc/modules-load.d/).
# kube-proxy manages nf_conntrack_max itself by default (conntrack.maxPerCore /
# conntrack.min in its configuration) and overwrites this value when it starts;
# keep the two consistent or disable kube-proxy's management.
# The hash table does not grow with max; set nf_conntrack_buckets (~max/4) as well.
net.netfilter.nf_conntrack_max = 2097152
# ESTABLISHED idle timeout 24 h (kernel default 5 days). kube-proxy also sets this
# by default from conntrack.tcpEstablishedTimeout.
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
# UDP one-way / two-way ("stream") flow timeouts
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.netfilter.nf_conntrack_icmp_timeout = 30
# Everything that is not TCP/UDP/ICMP
net.netfilter.nf_conntrack_generic_timeout = 600
########################
# ARP Cache
########################
# Neighbour table sized for many pod/service endpoints: GC is skipped below 2048
# entries, starts at 4096 (soft limit) and new entries are refused beyond 8192
# (hard limit). Large clusters with many on-link nodes/pods may need more.
net.ipv4.neigh.default.gc_thresh1 = 2048
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
# Entries are considered stale after 120 s
net.ipv4.neigh.default.gc_stale_time = 120
########################
# Filesystem & Inotify
########################
# inotify limits are per real UID (per user namespace on newer kernels) and are
# shared by every container running as that UID, typically root: instances
# (default 128), watches (default 8192, ~1 KB kernel memory each), queued events
# per instance (default 16384)
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
fs.inotify.max_queued_events = 65536
# Concurrent async I/O requests for io_setup() users
fs.aio-max-nr = 1048576
########################
# Additional Performance Tunings
########################
# NAPI poll: up to 600 packets or 5 ms per softirq run
net.core.netdev_budget = 600
net.core.netdev_budget_usecs = 5000
# Early socket demux on receive (kernel defaults)
net.ipv4.tcp_early_demux = 1
net.ipv4.udp_early_demux = 1
# Cap on per-socket data queued below the qdisc (TCP small queues), in bytes
net.ipv4.tcp_limit_output_bytes = 262144
########################
# Kernel Hardening
########################
# Full ASLR (stack, mmap base, brk)
kernel.randomize_va_space = 2
# dmesg and kernel pointers hidden from unprivileged users (container escapes
# commonly start with a kernel address leak)
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
# YAMA: a process may only ptrace its descendants. Debuggers/profilers inside
# containers need CAP_SYS_PTRACE, and a container cannot relax this for itself
# (the key is not namespaced).
kernel.yama.ptrace_scope = 1
# Discard core dumps: the kernel pipes the dump to /bin/false (run as root in the
# initial namespaces) instead of writing a file. Prefer a pipe over a path such
# as /dev/null, which the dumper may unlink and replace with a regular file.
# Pair with fs.suid_dumpable = 0 (kernel default) so privileged processes never dump.
kernel.core_pattern = |/bin/false
########################
# Hugepages (configure if needed)
########################
# Number of pre-allocated default-size hugepages (2 MB on x86_64); 0 = none.
# Set only for workloads that request hugepages via a resource limit --
# pre-allocated pages are unusable by anything else.
vm.nr_hugepages = 0
# /etc/sysctl.d/80-pve.conf
# Enhanced Optimized Proxmox VE Host Tuning
# Based on original by Kawin Viriyaprasooksook <[email protected]>
# Apply with: sysctl --system
########################
# Memory & VM Caching
########################
# Quieter console: current 3, default 4, minimum 1, boot-time 3
kernel.printk = 3 4 1 3
# Strongly prefer dropping caches over swapping out application (VM) memory.
# This is a preference, not a guarantee: guest RAM still swaps under real
# pressure, so size the host (or use ballooning/KSM) so it does not get there.
vm.swappiness = 10
# Tend to keep dentry/inode caches longer, good for frequent file access (VM disks)
vm.vfs_cache_pressure = 50
# Max % of total memory for dirty pages before forcing synchronous writes
vm.dirty_ratio = 10
# % of total memory for dirty pages before background kernel flusher threads start writing
vm.dirty_background_ratio = 5
# Time in centiseconds (1/100 sec) after which dirty data is old enough to be written
vm.dirty_expire_centisecs = 3000
# Time in centiseconds between wakeups of the writeback threads
vm.dirty_writeback_centisecs = 500
# Minimum amount of free RAM (in KB) the system should maintain (512MB)
# Adjust based on total RAM: 128MB for 16GB, 256MB for 32GB, 512MB for 64GB+
vm.min_free_kbytes = 524288
# Maximum number of memory map areas a process can have (kernel default 65530)
# Increased for some containerized workloads (e.g., Elasticsearch) or complex applications
vm.max_map_count = 262144
########################
# File Handles & PIDs
########################
# System-wide limit for open file handles (per-process limits are separate;
# QEMU with many disks/vhost queues may need a raised LimitNOFILE)
fs.file-max = 2097152
# Maximum PID value (64-bit maximum); every thread in every VM/CT consumes one
kernel.pid_max = 4194304
# Maximum tasks system-wide (kernel default scales with RAM)
kernel.threads-max = 524288
# Inotify settings for containers and monitoring tools (limits are per real UID;
# containers running as the same UID share them)
fs.inotify.max_user_instances = 512
fs.inotify.max_user_watches = 524288
########################
# Networking (Bridges & Forwarding)
########################
# Enable IP forwarding for guest routing/NAT
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Pass bridged traffic through the host's iptables/ip6tables/arptables chains.
# REQUIRED if using Proxmox VE firewall for VMs on bridges. The keys exist only
# while the br_netfilter module is loaded; if it is not loaded yet at boot,
# `sysctl --system` reports them as missing.
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-arptables = 1
# If the PVE firewall is NOT used on any bridge, bridge netfilter can be turned
# off for a small throughput gain by changing the three values above to 0.
# Do not add a second assignment of the same key further down: sysctl applies
# lines in order, so the later one silently wins and the file becomes misleading.
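########################
# TCP & Socket Queues
########################
# Maximum number of connection requests queued for a listening socket
net.core.somaxconn = 8192
net.ipv4.tcp_max_syn_backlog = 8192
# Maximum number of packets queued on the input side of a network interface
net.core.netdev_max_backlog = 16384
# Default and maximum socket receive buffer size (bytes)
net.core.rmem_default = 262144
net.core.rmem_max = 33554432
# Default and maximum socket send buffer size (bytes)
net.core.wmem_default = 262144
net.core.wmem_max = 33554432
# TCP memory limits (low, pressure, high in 4 KB pages). The kernel auto-sizes
# these from installed RAM (roughly 3/32 of RAM for the high mark), and on the
# 64 GB+ hosts this file targets the fixed value below (high = 1 GB) is *lower*
# than the default, which would make TCP drop/stall under load ("TCP: out of
# memory"). Left unset so the auto-sized value applies; uncomment only with a
# value derived from this host's RAM.
# net.ipv4.tcp_mem = 65536 131072 262144
# Enable TCP SYN cookies to help protect against SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Time to hold a socket in FIN-WAIT-2 state (default is 60)
net.ipv4.tcp_fin_timeout = 15
# Allow reusing sockets in TIME-WAIT state for new outgoing connections
# (relies on tcp_timestamps = 1, set below)
net.ipv4.tcp_tw_reuse = 1
# Range of ephemeral ports for outgoing connections. It overlaps the
# registered-port space; reserve ports the host's own daemons bind (e.g. PVE's
# 8006, 3128, 5405-5412, 5900-5999 -- see the Proxmox firewall documentation for
# the full list) via net.ipv4.ip_local_reserved_ports so an outgoing connection
# cannot occupy them first.
net.ipv4.ip_local_port_range = 1024 65535
# TCP congestion control algorithm (tcp_bbr module) with its fq pacing qdisc
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
# TCP Fast Open: 1 = client, 2 = server, 3 = both. The server bit only affects
# listeners that opt in with TCP_FASTOPEN; data in a TFO SYN can be replayed
# (RFC 7413 section 6), so keep server-side TFO to idempotent services.
net.ipv4.tcp_fastopen = 3
# 0 disables the TFO blackhole back-off (TFO keeps being attempted after SYN+data
# is silently dropped by a middlebox). This is the kernel default on recent
# kernels; set a non-zero number of seconds to re-enable the detection.
net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0
# Disable TCP slow start after idle (better performance for long-lived connections)
net.ipv4.tcp_slow_start_after_idle = 0
# Enable Path MTU discovery probing after an ICMP black hole is detected
net.ipv4.tcp_mtu_probing = 1
# Reduce latency on write operations (buffer not sent before this amount)
net.ipv4.tcp_notsent_lowat = 16384
# TCP window scaling and timestamps (timestamps are required by tcp_tw_reuse)
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
# Enable BPF JIT compiler for eBPF performance (monitoring, Cilium, etc.)
net.core.bpf_jit_enable = 1
# 2 = constant blinding for all BPF users, including root, to make JIT spraying
# harder; costs some JIT performance. The stronger control is
# kernel.unprivileged_bpf_disabled = 1 (many distro kernels already default to 2).
net.core.bpf_jit_harden = 2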
########################
# Conntrack (Connection Tracking)
########################
# Keys exist only once nf_conntrack is loaded (the PVE firewall loads it; otherwise
# add it to /etc/modules-load.d/). Raising the max does not grow the hash table;
# set nf_conntrack_buckets / the hashsize module parameter (~max/4) as well.
# Each entry costs a few hundred bytes of unswappable kernel memory.
net.netfilter.nf_conntrack_max = 1048576
# Timeout for established TCP connections: 12 h (kernel default 5 days). Keep it
# longer than the keepalive interval of long-lived guest sessions.
net.netfilter.nf_conntrack_tcp_timeout_established = 43200
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
# UDP: one-way flows vs. flows seen in both directions ("stream")
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 120
# Non-TCP/UDP/ICMP flows (GRE, ESP, SCTP without a helper): 120 s (kernel default 600)
net.netfilter.nf_conntrack_generic_timeout = 120
# ICMP echo request/reply pairs
net.netfilter.nf_conntrack_icmp_timeout = 30
########################
# Security Hardening - IPv4
########################
# Strict reverse path filtering to prevent IP spoofing. On a host that forwards
# for guests (ip_forward = 1 above) strict mode can drop legitimate asymmetric
# traffic; use 2 (loose) if routed or multi-homed setups misbehave.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable acceptance of ICMP redirect messages
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disable acceptance of source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable sending of ICMP redirects (relevant because this host forwards)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log packets with impossible addresses (martians); rate-limited but noisy under spoofed floods
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Secure redirects (accept ICMP redirects only from known gateways) -- moot while
# accept_redirects = 0, pinned to 0 anyway
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore ICMP echo broadcasts (prevent smurf attacks); do not log bogus ICMP errors
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# RFC 1337: ignore RST segments while in TIME-WAIT (TIME-WAIT assassination).
# This is not a general defence against RST attacks on established connections.
net.ipv4.tcp_rfc1337 = 1
########################
# Security Hardening - IPv6
########################
# Apply similar hardening for IPv6 if actively used
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Privacy extensions (RFC 4941): 2 = generate temporary addresses and prefer them
# for outgoing connections. NOTE(review): on a hypervisor/server this makes the
# host's source address rotate daily, which breaks peer firewall allow-lists and
# log correlation; 0 or 1 is usually the better choice here. These keys also
# only affect SLAAC addresses, and with forwarding = 1 (set above) router
# advertisements are ignored unless accept_ra = 2 -- so on this host they are
# likely inert. Verify with `ip -6 addr` (look for "temporary").
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
# Preferred lifetime of each temporary address in seconds (24 h). This is not
# about "stable privacy" addresses, which are controlled by addr_gen_mode.
net.ipv6.conf.all.temp_prefered_lft = 86400
net.ipv6.conf.default.temp_prefered_lft = 86400
# Do not install a default route learned from router advertisements. This does
# not ignore RAs entirely (that is accept_ra = 0); prefix/MTU options still apply.
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
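########################
# Kernel Hardening
########################
# Hide kernel pointers in /proc and dmesg from unprivileged users
kernel.kptr_restrict = 1
# Restrict dmesg to only root
kernel.dmesg_restrict = 1
# Restrict perf events: 2 = unprivileged users get no kernel profiling at all
kernel.perf_event_paranoid = 2
# Enable full ASLR (stack, mmap base, brk)
kernel.randomize_va_space = 2
# Disable core dumps by piping them to a program that discards them.
# Do NOT use a plain path such as /dev/null here: on recent kernels the core
# dumper unlinks the target and re-creates it with O_EXCL, which can replace the
# /dev/null device node with an ordinary 0600 file owned by the crashing user
# after the first crash. A "|program" pattern never touches the filesystem
# (the 80-k8s.conf file in this gist already does it this way).
# This file sorts after systemd's 50-coredump.conf and therefore overrides it.
kernel.core_pattern = |/bin/false
# Never dump set-uid / otherwise privileged processes. This is the kernel default,
# stated explicitly because e.g. systemd's 50-coredump.conf raises it to 2.
fs.suid_dumpable = 0
# Restrict ptrace scope (YAMA ptrace scope - only child processes can be traced)
kernel.yama.ptrace_scope = 1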
########################
# System Performance
########################
# SysV shared memory: max segment 64 GB, total 4294967296 pages (16 TB with 4 KB
# pages). Since Linux 3.16 the defaults are effectively unlimited, so these only
# cap. QEMU guest memory is anonymous/hugetlb/memfd, not SysV shm.
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# Semaphore limits: SEMMSL SEMMNS SEMOPM SEMMNI. NOTE(review): the kernel defaults
# are 32000 1024000000 500 32000, so these 2.4-era numbers *lower* every limit;
# drop the line unless a workload has been shown to need exactly these.
kernel.sem = 250 32000 100 128
# Huge pages configuration (for VM memory performance).
# Set to a non-zero value only for VMs with static hugepage backing; pre-allocated
# pages are unusable by anything else.
vm.nr_hugepages = 0
# Disables the hard-lockup detector (the NMI-driven watchdog). Saves a little CPU,
# but a hard lockup then hangs silently instead of panicking/logging, which hurts
# post-mortem forensics on a hypervisor; keep 1 unless the overhead has been measured.
kernel.nmi_watchdog = 0
########################
# ZFS Tuning (if using ZFS storage)
########################
# The vfs.zfs.* names below are FreeBSD sysctls and do not exist on Linux;
# placing them in a sysctl.d file only produces "No such file or directory" errors.
# On Proxmox VE (ZFS on Linux) the ARC is bounded by module parameters instead,
# e.g. in /etc/modprobe.d/zfs.conf:
#   options zfs zfs_arc_max=10737418240
#   options zfs zfs_arc_min=1073741824
# (~10 GB / ~1 GB; adjust to the host's RAM). If the root filesystem is on ZFS,
# run update-initramfs -u afterwards; at runtime the values can also be written
# to /sys/module/zfs/parameters/zfs_arc_max. There is no Linux equivalent of
# vfs.zfs.zio.use_uma (FreeBSD's UMA allocator).