Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-08-03 03:56:12 -04:00
Code Issues Projects Releases Packages Wiki Activity
graphene-os-server-infrastr.../etc/sysctl.d/local.conf
Daniel Micay 39b5148808 switch back to CUBIC from BBRv1 and keep ECN off 
BBRv1 significantly improves throughput in some cases but it also
significantly reduces it in others. We've run into too many network
conditions it handles quite poorly. There's also a bad interaction
between BBR and synproxy where it will cripple the initial throughput
for connections established via synproxy. This means a basic SYN flood
attack could cripple initial TCP throughput for most connections.

Android doesn't enable ECN for outbound connections yet and we don't
want to deviate from that so it mainly only gets activated for macOS
and iOS clients. Linux kernel approach to ECN hasn't been modernized and
there are fierce debates about how it should work. It can cause issues
and it seems best to avoid it until Android enables it.
2025-04-25 13:34:33 -04:00

69 lines
1.6 KiB
Text
Raw Blame History

net.ipv6.bindv6only = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0
# enforced with nftables to handle both IPv4 and IPv6 in the same way
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.*.rp_filter = 0
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_shrink_window = 1
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_tw_reuse = 1
# 31s with initial 1s RTO
net.ipv4.tcp_syn_retries = 4
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 31
# 15s with initial 1s RTO
net.ipv4.tcp_synack_retries = 3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15
# 102.2s with minimum 0.2s RTO
net.ipv4.tcp_retries2 = 8
# 25.4s with minimum 0.2s RTO
net.ipv4.tcp_orphan_retries = 6
net.mptcp.enabled = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_udp_timeout = 15
net.netfilter.nf_conntrack_udp_timeout_stream = 15
net.netfilter.nf_conntrack_expect_max = 1
kernel.yama.ptrace_scope = 2
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
kernel.kptr_restrict = 2
kernel.unprivileged_userns_clone = 0
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.io_uring_disabled = 1
kernel.io_uring_group = 2000
kernel.kexec_load_disabled = 1
fs.protected_regular = 2
fs.protected_fifos = 2
kernel.panic = -1
kernel.panic_on_oops = 1
dev.tty.ldisc_autoload = 0
fs.binfmt_misc.status = 0
Reference in a new issue View git blame Copy permalink