sysctl.conf
sysctl.conf 是位于 /etc/sysctl.conf 的配置文件,供 sysctl 使用,并在启动时配置内核参数。您可以使用以下命令加载配置文件:
sysctl -p
或者简单地重启。
本文并非详尽列表,但涵盖了一些要点。当然,您可能希望更改某些设置以适应您的环境。配置示例已进行了充分注释,应该提供您所需的所有信息。如果需要任何进一步的信息,请在此页面或“讨论”区域中注明。
下面示例中显示的一些选项可能在您的发行版中已是默认设置。请使用以下命令检查:
sysctl -a|grep <somestring>
以井号“#”开头的行是注释,因此在删除“#”之前不会被读取。
IPv6
虽然 IPv6 在 /etc/network/interfaces 中配置,但更高级的选项在 /etc/sysctl.conf 中配置。
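#### Turn off IPv6 routing ####
## If this host is not functioning as a router there is no need
## to accept ICMPv6 redirects or source-routed packets.
## Both "all" and "default" are set: "default" is what newly created
## interfaces inherit, and for IPv6 writing to "all" is not guaranteed to
## reach every per-interface setting (verify with: sysctl -a | grep accept_redirects).
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not a router.
net.ipv6.conf.default.router_solicitations = 2
## Router Advertisements can cause the system to assign a global
## unicast address to an interface (SLAAC).
## Turn on/off below (default is 1, on). autoconf only stops address
## assignment; to also ignore the routes and other options carried in
## Router Advertisements, set accept_ra = 0 as well.
#net.ipv6.conf.default.autoconf = 0
#net.ipv6.conf.default.accept_ra = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
## The key is max_addresses with an underscore; the procfs entry is
## /proc/sys/net/ipv6/conf/<if>/max_addresses, so "max-addresses" is rejected.
#net.ipv6.conf.all.max_addresses = 1
#net.ipv6.conf.default.max_addresses = 1
## Force IPv6 off entirely. Programs that bind to ::1 (the IPv6 loopback)
## stop working once "lo" is disabled, so check for such dependencies first.
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1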
通用网络和性能
除非您清楚自己在做什么,否则不要启用(取消注释)任何这些选项!!请做好彻底测试的准备,并预料到可能会弄坏某些东西!
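### Disable routing
## Send redirects (this is not a router, so disable it).
## "default" is set too so that newly created interfaces inherit the setting.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
## Log martian packets (packets whose source address could not have
## arrived on the receiving interface); useful for spotting spoofing.
#net.ipv4.conf.all.log_martians = 1
### Memory and buffer changes.
### See https://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php (link reported dead) for more information.
## Increase maximum amount of memory allocated to shm (bytes)
#kernel.shmmax = 1073741824
## Improve file system performance.
## vm.bdflush only exists on 2.4-era kernels; on current kernels this line is
## rejected and the vm.dirty_* settings further down are the replacement.
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
## This will increase the amount of memory available for socket input/output queues
## (tcp_rmem / tcp_wmem take three values: min default max, in bytes)
#net.ipv4.tcp_rmem = 4096 87380 524288
#net.core.rmem_max = 1048576
#net.core.rmem_default = 524288
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288
#net.core.optmem_max = 25165824
## Increase system file descriptor limit.
## Check the current value first (sysctl fs.file-max): modern kernels derive a
## default from RAM that is usually far above 65535, and this line would then
## LOWER the system-wide limit and cause "Too many open files".
fs.file-max = 65535
## Allow for more PIDs.
## Same caveat: 64-bit kernels and recent distributions may already use a much
## larger kernel.pid_max, in which case this line lowers it.
kernel.pid_max = 65536
## Swapping too much or not enough? Disks spinning up when you'd
## rather they didn't? Tweak these.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60
## Set small dirty bytes values (overcomes random short system freezes).
## If you uncomment the below, it is set to 4MB.
#vm.dirty_background_bytes = 4194304
#vm.dirty_bytes = 4194304
## Reuse time-wait sockets for new outgoing connections (often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1
## tcp_tw_recycle was removed in Linux 4.12: on current kernels "sysctl -p"
## fails on this line, and on older kernels it broke clients behind NAT because
## it dropped connections based on per-host TCP timestamps. Leave it disabled.
#net.ipv4.tcp_tw_recycle = 1
## Controls the number of syn retries (default is 6)
#net.ipv4.tcp_syn_retries = 3
## Controls the number of tcp syn-ack retries (default is 5)
#net.ipv4.tcp_synack_retries = 3
## Change the time default value for tcp_fin_timeout connection
## (i.e. time to hold socket in FIN-WAIT-2 if it was closed by us).
## Default is 60 seconds.
#net.ipv4.tcp_fin_timeout = 15
## Decrease the time default value for tcp_keepalive_time connection
## (i.e. how often to send TCP keepalive message).
## Default is 2 hours (7200); the value is in seconds.
#net.ipv4.tcp_keepalive_time = 360
## Turn on tcp_window_scaling
#net.ipv4.tcp_window_scaling = 1
## Turn on tcp_sack
#net.ipv4.tcp_sack = 1
## tcp_fack should be on because of sack
## (recent kernels keep this key only for compatibility; it no longer changes behaviour)
#net.ipv4.tcp_fack = 1
## Set the port range used for outgoing connections.
## A range this wide overlaps the ports of common local services; list those in
## net.ipv4.ip_local_reserved_ports so ephemeral ports never collide with them.
#net.ipv4.ip_local_port_range = 1200 65000
## The number of packets to queue on input when they arrive faster
## than they can be processed by the kernel (the socket queue)
#net.core.netdev_max_backlog = 3000
## Maximum number of remembered connection requests which have not
## received an ack from connecting client. Increases in proportion
## to available memory. Set it manually below.
#net.ipv4.tcp_max_syn_backlog = 1000
## Don't penalize programs for using split locks. Marginally speeds up the Steam
## and Google Chrome flatpaks.
## Trade-off: split-lock detection exists because an unprivileged process issuing
## split locks can stall every core on the machine (a local denial of service);
## 0 removes that mitigation. x86-only and recent kernels only; other kernels
## reject the key. Left commented out in line with the warning above this section.
#kernel.split_lock_mitigate = 0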
安全
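## Disable the magic SysRq key entirely (0). A bitmask keeps selected functions
## instead, e.g. 176 = sync (16) + remount read-only (32) + reboot (128).
kernel.sysrq = 0
## Restrict dmesg access to root
kernel.dmesg_restrict = 1
## Optionally, ignore all echo requests.
## This is NOT recommended, as it ignores echo requests on localhost as well.
#net.ipv4.icmp_echo_ignore_all = 1
## Don't expose kernel memory addresses in procfs (2 hides them even from root)
kernel.kptr_restrict = 2
## Restrict access to kernel performance events.
## 2 = no kernel profiling for unprivileged users; some distribution kernels
## also accept 3, which blocks unprivileged perf use entirely.
kernel.perf_event_paranoid = 2
## Restrict unprivileged access to eBPF. 1 cannot be reverted until reboot;
## kernels that support it also accept 2, which can be set back to 0 at runtime.
kernel.unprivileged_bpf_disabled = 1
## Enable JIT hardening techniques for eBPF (2 = for privileged users as well)
net.core.bpf_jit_harden = 2
## Disable core dumps: the kernel pipes every core to /bin/false, which discards it.
## Spacing normalised to "key = value" like the rest of the file.
kernel.core_pattern = |/bin/false
## Never dump set-uid/set-gid processes, even if core_pattern is changed later.
fs.suid_dumpable = 0
## Restrict access to the ptrace() syscall.
## 2 = only processes with CAP_SYS_PTRACE may attach;
## 3 disables ptrace() entirely and cannot be lowered again until reboot.
kernel.yama.ptrace_scope = 2
## Increase bits of entropy for ASLR.
## These are the x86_64 maxima; other architectures differ, and 32-bit x86
## caps mmap_rnd_bits at 16, so check your kernel's limits before applying.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
## Heavily restrict writing to FIFOs in sticky directories: no O_CREAT open on a
## FIFO we don't own in world-writable (1) or also group-writable (2) sticky
## directories, unless the FIFO is owned by the directory owner.
fs.protected_fifos = 2
## Same rule for regular files: no O_CREAT open on regular files we don't own in
## world- (1) or also group- (2) writable sticky directories, unless they are owned
## by the owner of the directory. Defends against file squatting in /tmp-style dirs.
fs.protected_regular = 2
## The classic companions (default 1 on most distributions, stated here so the
## file is self-contained): symlinks in world-writable sticky directories are only
## followed when the follower owns the symlink or the directory, and hard links
## may only be created to files the caller owns or can write.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1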