La valeur par défaut est de 10 segments (paquets) avec FreeBSD 11.2, donc même valeur que sous Linux.
Exemple de sysctl optimisé par "Reks", qui modifie cette valeur en la portant à 44 avec :
net.inet.tcp.initcwnd_segments=44 # initial congestion window, in segments (default 10 on FreeBSD 11.2)
Le sysctl complet :
# Socket buffer limits and TCP buffer auto-sizing.
# The trailing "#reks N" notes look like the value in use before Reks' change;
# that reading is an assumption - TODO confirm with the author.
kern.ipc.maxsockbuf=16777216 # (wscale 9) 16 MiB cap on a single socket buffer
# NOTE(review): assuming the standard 2 KiB mbuf cluster, this ceiling allows
# roughly 32 GiB of cluster memory. Confirm it fits the host's RAM and watch
# "netstat -m" for denied or delayed mbuf requests.
kern.ipc.nmbclusters=16687532 #reks
net.inet.tcp.recvbuf_inc=4194304 # reks 65536 # (default 16384)
net.inet.tcp.recvbuf_max=16777216 #reks 4194304 # (default 2097152)
# NOTE(review): recvspace/sendspace are the starting buffer sizes of every TCP
# socket (4 MiB here, far above the stated defaults). Memory is only used as
# data queues, but many stalled connections can each hold up to this much, so
# treat these values as part of the host's connection-flood capacity planning.
net.inet.tcp.recvspace=4194304 #reks 65536 # (default 65536)
net.inet.tcp.sendbuf_inc=4194304 #reks 65536 # (default 8192)
net.inet.tcp.sendbuf_max=16777216 #reks 4194304 # (default 2097152)
net.inet.tcp.sendspace=4194304 #reks 65536 # (default 32768)
# NOTE(review): "reks to dodal" appears to be Polish for "reks added this".
# Setting this to 0 silences the kernel's "arp: ... moved from ... to ..." log
# lines, which are a cheap indicator of ARP spoofing on the local segment.
# Keep it enabled where those logs feed monitoring.
net.link.ether.inet.log_arp_movements=0 # added by reks (original note: "reks to dodal")
# Congestion control: CAIA Delay-Gradient (cdg).
# NOTE(review): presumably requires the cc_cdg module to be loaded before this
# file is applied; check "sysctl net.inet.tcp.cc.available" after boot.
net.inet.tcp.cc.algorithm=cdg # (default newreno)
net.inet.tcp.cc.cdg.alpha_inc=1 # (default 0, experimental mode disabled)
# Default MSS, and the floor applied to the MSS a peer offers.
# NOTE(review): a higher floor limits tiny-segment resource abuse, but 536
# presumably also affects paths with a very small MTU - verify before deploying.
net.inet.tcp.mssdflt=1448 #reks 1460 # Option 1 (default 536)
net.inet.tcp.minmss=536 # (default 216)
net.inet.tcp.cc.abe=1 # Alternative Backoff with ECN (default 0, disabled)
net.inet.tcp.rfc6675_pipe=1 # RFC 6675 pipe calculation during SACK recovery (default 0)
# SYN handling: never retransmit an unanswered SYN/ACK, so half-open entries are
# not kept alive by retries and the host sends fewer SYN/ACKs to spoofed sources.
net.inet.tcp.syncache.rexmtlimit=0 # (default 3)
# IP fragment reassembly. Per inet(4)/inet6(4), 0 means the host accepts no
# fragmented packets at all. That removes reassembly-queue exhaustion as a DoS
# vector, but legitimately fragmented traffic (large UDP replies, some tunnels)
# is silently dropped. This file also sets net.inet.tcp.path_mtu_discovery=0,
# so confirm nothing this host talks to depends on fragmentation.
net.inet.ip.maxfragpackets=0 # (default 63474)
net.inet.ip.maxfragsperpacket=0 # (default 16)
net.inet6.ip6.maxfragpackets=0 # (default 507715)
net.inet6.ip6.maxfrags=0 # (default 507715)
# NOTE(review): both comments below assume mssdflt=1460, but this file sets
# net.inet.tcp.mssdflt=1448; re-check the intended initial burst size.
net.inet.tcp.abc_l_var=44 # (default 2) if net.inet.tcp.mssdflt = 1460
net.inet.tcp.initcwnd_segments=44 # (default 10 for FreeBSD 11.2) if net.inet.tcp.mssdflt = 1460
# NOTE(review): with SYN cookies off, the syncache is the only buffer for
# half-open connections; once it is full during a SYN flood, new connections
# are presumably refused instead of falling back to cookies. Consider keeping
# the default (1) on Internet-facing hosts and watch the syncache counters in
# "netstat -s -p tcp".
net.inet.tcp.syncookies=0 # (default 1)
net.inet.tcp.isn_reseed_interval=4500 # reseed the initial-sequence-number secret every 4500 s (default 0, disabled)
net.inet.tcp.tso=0 # disable TCP segmentation offload (default 1)
# Intel igb(4) NIC settings; the dev.igb.N unit numbers are specific to this host.
# NOTE(review): flow control is disabled on igb0 only, while rx_budget is set on
# both ports - confirm igb1 is meant to keep the default flow-control mode.
dev.igb.0.fc=0 # disable Ethernet flow control (pause frames) (default 3)
dev.igb.0.iflib.rx_budget=65535 # (default 0, which is 16 frames)
dev.igb.1.iflib.rx_budget=65535 # (default 0, which is 16 frames)
# Entropy harvesting for the Fortuna CSPRNG.
kern.random.fortuna.minpoolsize=128 # (default 64)
# NOTE(review): the mask is a bitmap of entropy sources. 65887 clears bits 5 and
# 7 of the stated default 66047; those presumably correspond to Ethernet and
# interrupt harvesting - confirm with "sysctl kern.random.harvest.mask_symbolic".
# Fewer sources means less entropy input, which matters most on hosts without
# a hardware RNG (the stated default assumes Intel Secure Key).
kern.random.harvest.mask=65887 # (default 66047, FreeBSD 12 with Intel Secure Key RNG)
# Local hardening and kernel housekeeping.
hw.kbd.keymap_restrict_change=4 # disallow keymap changes for non-privileged users (default 0)
# NOTE(review): wired shared memory can never be swapped, so every segment
# permanently reduces the RAM left for everything else; check the SysV shm
# limits on hosts where untrusted users can create segments.
kern.ipc.shm_use_phys=1 # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
kern.msgbuf_show_timestamp=1 # display timestamp in msgbuf (default 0)
# PID randomization is obscurity only; it is not an access control.
kern.randompid=1 # calculate PIDs by the modulus of an integer, set to one(1) to auto random (default 0)
net.bpf.optimize_writers=1 # bpf is write-only unless program explicitly specifies the read filter (default 0)
# Network hardening: ignore redirects, randomize identifiers, stay silent on
# closed ports and shorten TCP teardown/keep-alive timers.
net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
# NOTE(review): portrange.last is not set in this file; if it keeps its default,
# raising "first" narrows the ephemeral range and so the pool of source ports.
net.inet.ip.portrange.first=32768 # use ports 32768 to portrange.last for outgoing connections (default 10000)
net.inet.ip.portrange.randomcps=9999 # use random port allocation if less than this many ports per second are allocated (default 10)
net.inet.ip.portrange.randomtime=1 # seconds to use sequential port allocation before switching back to random (default 45 secs)
net.inet.ip.random_id=1 # assign a random IP id to each packet leaving the system (default 0)
net.inet.ip.redirect=0 # do not send IP redirects (default 1)
# Blackholing closed ports slows scanning, but clients and monitoring probes
# also get no RST/ICMP answer and have to wait for their own timeouts.
net.inet.sctp.blackhole=2 # drop sctp packets destined for closed ports (default 0)
net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST (default 0)
net.inet.tcp.fastopen.client_enable=0 # disable TCP Fast Open client side, enforce three way TCP handshake (default 1, enabled)
net.inet.tcp.fastopen.server_enable=0 # disable TCP Fast Open server side, enforce three way TCP handshake (default 0)
net.inet.tcp.finwait2_timeout=1000 # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.keepcnt=2 # amount of tcp keep alive probe failures before socket is forced closed (default 8)
net.inet.tcp.keepidle=62000 # time before starting tcp keep alive probes on an idle, TCP connection (default 7200000, 7200 secs)
# NOTE(review): per tcp(4), keepinit is the timeout for new, not yet established
# connections; 5 s may be too short for high-latency or lossy peers.
net.inet.tcp.keepinit=5000 # timeout for completing the handshake of a new connection (default 75000, 75 secs)
net.inet.tcp.msl=2500 # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
# NOTE(review): with path MTU discovery off, a hop with a smaller MTU has to
# fragment this host's segments. Peers that drop fragments (as this file does
# for inbound traffic with net.inet.ip.maxfragpackets=0) would then stall.
net.inet.tcp.path_mtu_discovery=0 # disable for mtu=1500 as most hosts drop ICMP type 3 packets, but keep enabled for mtu=9000 (default 1)
net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)
# Restrictions on unprivileged users: hard links, process visibility, debugging
# and access to the kernel message buffer.
security.bsd.hardlink_check_gid=1 # unprivileged processes may not create hard links to files owned by other groups, DISABLE for mailman (default 0)
security.bsd.hardlink_check_uid=1 # unprivileged processes may not create hard links to files owned by other users, DISABLE for mailman (default 0)
security.bsd.see_other_gids=0 # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids=0 # users only see their own processes. root can see all (default 1)
# The guard page makes a stack that grows into an adjacent mapping fault instead
# of overwriting it. This is separate from compiler stack-smashing protection
# (SSP canaries), which this sysctl does not provide.
security.bsd.stack_guard_page=1 # insert a stack guard page ahead of growable segments (default 0)
security.bsd.unprivileged_proc_debug=0 # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf=0 # unprivileged processes may not read the kernel message buffer (default 1)
# Do not process IP options in incoming packets (default 1, per the
# commented-out net.inet.ip.process_options entry later in this file).
net.inet.ip.process_options=0
# ZFS write-path tuning sized for a large-memory host.
# NOTE(review): with txg.timeout=90 and a dirty-data ceiling near 12 GiB, that
# much asynchronous write data may exist only in RAM; a crash or power loss
# discards it (synchronous writes are presumably still covered by the ZIL -
# verify). Confirm the host has the RAM and the power protection this assumes.
vfs.zfs.delay_min_dirty_percent=96 # write throttle when dirty "modified" data reaches 96% of dirty_data_max (default 60%)
vfs.zfs.dirty_data_max=12884901888 # dirty_data can use up to 12GB RAM, equal to dirty_data_max_max (default, 10% of RAM or up to 4GB)
vfs.zfs.dirty_data_sync=12348030976 # force commit Transaction Group (TXG) if dirty_data reaches 11.5GB (default 67108864, 64MB)
# min_auto_ashift only applies to newly created pools and vdevs.
vfs.zfs.min_auto_ashift=12 # newly created pool ashift, set to 12 for 4K and 13 for 8k alignment, zdb (default 9, 512 byte, ashift=9)
vfs.zfs.top_maxinflight=128 # max number of outstanding I/Os per top-level vdev (default 32)
vfs.zfs.trim.txg_delay=2 # delay TRIMs by up to this many TXGs, trim.txg_delay * txg.timeout ~= 180 secs (default 32, 32*5secs=160 secs)
vfs.zfs.txg.timeout=90 # force commit Transaction Group (TXG) at 90 secs, increase to aggregated more data (default 5 sec)
vfs.zfs.vdev.aggregation_limit=1048576 # aggregated eight(8) TXGs into a single sequential TXG, make divisible by largest pool recordsize (default 131072, 128KB)
vfs.zfs.vdev.write_gap_limit=0 # max gap between any two aggregated writes, 0 to minimize frags (default 4096, 4KB)
#hw.hn.enable_udp4cs=1 # Offload UDP/IPv4 checksum to network card (default 1)
#hw.hn.enable_udp6cs=1 # Offload UDP/IPv6 checksum to network card (default 1)
#hw.ixl.enable_tx_fc_filter=1 # filter out Ethertype 0x8808, flow control frames (default 1)
#net.bpf.optimize_writers=0 # bpf are write-only unless program explicitly specifies the read filter (default 0)
#net.bpf.zerocopy_enable=0 # zero-copy BPF buffers, breaks dhcpd ! (default 0)
#net.inet.icmp.bmcastecho=0 # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
#net.inet.icmp.log_redirect=0 # do not log redirected ICMP packet attempts (default 0)
#net.inet.icmp.maskfake=0 # do not fake reply to ICMP Address Mask Request packets (default 0)
#net.inet.icmp.maskrepl=0 # replies are not sent for ICMP address mask requests (default 0)
#net.inet.ip.accept_sourceroute=0 # drop source routed packets since they can not be trusted (default 0)
#net.inet.ip.portrange.randomized=1 # randomize outgoing upper ports (default 1)
#net.inet.ip.process_options=1 # process IP options in the incoming packets (default 1)
#net.inet.ip.sourceroute=0 # if source routed packets are accepted the route data is ignored (default 0)
#net.inet.ip.stealth=0 # do not reduce the TTL by one(1) when a packets goes through the firewall (default 0)
#net.inet.tcp.always_keepalive=1 # tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
#net.inet.tcp.ecn.enable=1 # Explicit Congestion Notification (ECN) allowed for incoming and outgoing connections (default 2)
#net.inet.tcp.keepintvl=75000 # time between tcp.keepcnt keep alive probes (default 75000, 75 secs)
#net.inet.tcp.maxtcptw=50000 # max number of tcp time_wait states for closing connections (default ~27767)
#net.inet.tcp.nolocaltimewait=0 # remove TIME_WAIT states for the loopback interface (default 0)
#net.inet.tcp.reass.maxqueuelen=100 # Max number of TCP Segments per Reassembly Queue (default 100)
#net.inet.tcp.rexmit_min=30 # reduce unnecessary TCP retransmissions by increasing timeout, min+slop (default 30 ms)
#net.inet.tcp.rexmit_slop=200 # reduce the TCP retransmit timer, min+slop (default 200ms)
#net.inet.udp.maxdgram=16384 # Maximum outgoing UDP datagram size to match MTU of localhost (default 9216)
#net.inet.udp.recvspace=262144 # UDP recieve space, HTTP/3 webserver, "netstat -sn -p udp" and increase if full socket buffers (default 42080)
#net.inet.tcp.functions_default=rack # (default freebsd)
#net.inet.tcp.rack.tlpmethod=3 # (default 2, 0=no-de-ack-comp, 1=ID, 2=2.1, 3=2.2)
#net.inet.tcp.rack.data_after_close=0 # (default 1)
#net.inet.tcp.cc.algorithm=htcp # (default newreno)
#net.inet.tcp.cc.htcp.adaptive_backoff=1 # (default 0 ; disabled)
#net.inet.tcp.cc.htcp.rtt_scaling=1 # (default 0 ; disabled)
#net.inet.tcp.cc.algorithm=cubic # (default newreno)
#net.inet.ip.forwarding=1 # (default 0)
#net.inet.ip.fastforwarding=1 # (default 0) FreeBSD 11 enabled fastforwarding by default
#net.inet6.ip6.forwarding=1 # (default 0)
#net.inet.raw.maxdgram=16384 # (default 9216)
#net.inet.raw.recvspace=16384 # (default 9216)
#net.local.stream.sendspace=16384 # (default 8192)
#net.local.stream.recvspace=16384 # (default 8192)
# net.inet.tcp.persmax=60000 # (default 60000)
# net.inet.tcp.persmin=5000 # (default 5000)
# net.inet.tcp.rexmit_drop_options=0 # (default 0)
# net.inet.tcp.do_tcpdrain=1 # (default 1)
#hw.mxge.max_slices="1" # (default 1, which uses a single cpu core)
#hw.mxge.rss_hash_type="4" # (default 4)
#hw.mxge.flow_control_enabled=0 # (default 1, enabled)
# Input queue depths for IP and routing messages, raised from 256 to 2048.
# NOTE(review): deeper queues absorb bursts but hold more packets in memory
# during a flood; check "netstat -Q" for queue drops before raising further.
net.inet.ip.intr_queue_maxlen=2048 #reks ## # (default 256)
net.route.netisr_maxqlen=2048 #reks ## # (default 256)
#dev.igb.0.rx_processing_limit=-1 # (default 100)
#dev.igb.1.rx_processing_limit=-1 # (default 100)
#dev.igb.0.eee_disabled=1 # (default 0, enabled)
#dev.igb.1.eee_disabled=1 # (default 0, enabled)
#net.inet.ip.rtexpire=10 # (default 3600)
#net.inet.ip.rtminexpire=10 # (default 10 )
#net.inet.ip.rtmaxcache=128 # (default 128 )
# Upper bound on a listening socket's accept backlog.
# NOTE(review): "#reks 1024" presumably records another value that was tried.
# On busy listeners, check "netstat -Lan" for queue overflows at this size.
kern.ipc.soacceptqueue=256 #reks 1024 # (default 128 ; same as kern.ipc.somaxconn)
#net.inet.tcp.rfc1323=1 # (default 1)
#net.inet.tcp.rfc3042=1 # (default 1)
#net.inet.tcp.rfc3390=1 # (default 1)
#net.inet.icmp.icmplim=1 # (default 200)
#net.inet.icmp.icmplim_output=0 # (default 1)
#net.inet.tcp.sack.enable=1 # (default 1)
#net.inet.tcp.hostcache.expire=3900 # (default 3600)
# Delayed ACKs left at the stated default; "#reks 0" presumably records a value
# that was tried earlier - TODO confirm.
net.inet.tcp.delayed_ack=1 #reks 0 # (default 1)
#net.inet.tcp.delacktime=20 # (default 100)
#security.jail.allow_raw_sockets=1 # (default 0)
#security.jail.enforce_statfs=2 # (default 2)
#security.jail.set_hostname_allowed=0 # (default 1)
#security.jail.socket_unixiproute_only=1 # (default 1)
#security.jail.sysvipc_allowed=0 # (default 0)
#security.jail.chflags_allowed=0 # (default 0)
#kern.sched.interact=5 # (default 30)
#kern.sched.slice=3 # (default 12)
#kern.threads.max_threads_per_proc=9000
#kern.coredump=1 # (default 1)
# NOTE(review): if the next two entries are ever enabled together, core dumps of
# setuid/setgid processes - which can contain credentials and key material -
# would be written to world-writable /tmp. Leave sugid_coredump at 0, or point
# kern.corefile at a directory only root can read.
#kern.sugid_coredump=1 # (default 0)
#kern.corefile="/tmp/%N.core" # (default %N.core)
#net.inet.tcp.keepidle=10000 # (default 7200000 )
#net.inet.tcp.keepintvl=5000 # (default 75000 )
#net.inet.tcp.always_keepalive=1 # (default 1)
#vfs.read_max=128
#kern.ipc.maxsockets = 25600
#net.inet.tcp.per_cpu_timers = 0
#kern.random.yarrow.gengateinterval=10 # default 10 [4..64]
#kern.random.yarrow.bins=10 # default 10 [2..16]
#kern.random.yarrow.fastthresh=192 # default 192 [64..256]
#kern.random.yarrow.slowthresh=256 # default 256 [64..256]
#kern.random.yarrow.slowoverthresh=2 # default 2 [1..5]
#kern.random.sys.seeded=1 # default 1
#kern.random.sys.harvest.ethernet=1 # default 1
#kern.random.sys.harvest.point_to_point=1 # default 1
#kern.random.sys.harvest.interrupt=1 # default 1
#kern.random.sys.harvest.swi=0 # default 0 and actually does nothing when enabled
#net.inet6.icmp6.nodeinfo=0
#net.inet6.ip6.use_tempaddr=1
#net.inet6.ip6.prefer_tempaddr=1
#net.inet6.icmp6.rediraccept=0
##net.inet6.ip6.accept_rtadv=0
##net.inet6.ip6.auto_linklocal=0