feat: 完整TCP调优 - buffer/connection/keepalive/timeout/performance/security

2026-02-14 21:27:59 +08:00
parent 4a4ad8b821
commit cbd108d899
1 changed files with 58 additions and 3 deletions
--- a/ss-rust.sh
+++ b/ss-rust.sh
@@ -434,22 +434,77 @@ setup_bbr() {
    sed -i '/# === BBR Blast/,/# === END BBR/d' /etc/sysctl.conf 2>/dev/null || true
    cat >> /etc/sysctl.conf <<SYSCTL

-# === BBR Blast Smooth v2 (Profile: $profile) ===
+# === BBR Blast Smooth v2 + TCP Tuning (Profile: $profile) ===
+# BBR
 net.core.default_qdisc=fq
 net.ipv4.tcp_congestion_control=bbr
+
+# Buffer
 net.core.rmem_max=$rmem
 net.core.wmem_max=$wmem
+net.core.rmem_default=$((rmem/4))
+net.core.wmem_default=$((wmem/4))
 net.ipv4.tcp_rmem=$tcp_rmem
 net.ipv4.tcp_wmem=$tcp_wmem
+net.core.optmem_max=65536
+net.core.netdev_max_backlog=16384
+net.core.netdev_budget=600
+net.core.netdev_budget_usecs=20000
+
+# Connection
+net.core.somaxconn=65535
+net.ipv4.tcp_max_syn_backlog=65535
+net.ipv4.tcp_max_tw_buckets=2000000
+net.ipv4.tcp_max_orphans=65535
+net.ipv4.ip_local_port_range=1024 65535
+
+# Keepalive
+net.ipv4.tcp_keepalive_time=600
+net.ipv4.tcp_keepalive_intvl=30
+net.ipv4.tcp_keepalive_probes=5
+
+# Timeout & Reuse
 net.ipv4.tcp_fin_timeout=8
 net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_syn_retries=3
+net.ipv4.tcp_synack_retries=3
+net.ipv4.tcp_retries2=8
+net.ipv4.tcp_orphan_retries=2
+
+# Performance
 net.ipv4.tcp_window_scaling=1
 net.ipv4.tcp_timestamps=1
 net.ipv4.tcp_sack=1
+net.ipv4.tcp_dsack=1
+net.ipv4.tcp_fack=1
 net.ipv4.tcp_no_metrics_save=1
-net.core.somaxconn=65535
-net.ipv4.tcp_max_syn_backlog=65535
 net.ipv4.tcp_fastopen=3
+net.ipv4.tcp_slow_start_after_idle=0
+net.ipv4.tcp_mtu_probing=1
+net.ipv4.tcp_ecn=0
+net.ipv4.tcp_adv_win_scale=2
+
+# Security
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+
+# IPv6 (disable if not needed)
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# File descriptors
+fs.file-max=2097152
+fs.nr_open=2097152
 # === END BBR ===
 SYSCTL