Message ID | 20180213204041.17528-1-tim@tn-x.org |
---|---|
State | Superseded |
diff --git a/bsp/default/root_file_system/etc/sysctl.conf b/bsp/default/root_file_system/etc/sysctl.conf index f6d85a7..34ce708 100644 --- a/bsp/default/root_file_system/etc/sysctl.conf +++ b/bsp/default/root_file_system/etc/sysctl.conf 
@@ -1,71 +1 @@ kernel.panic=3 -net.ipv4.conf.default.arp_ignore=1 -net.ipv4.conf.all.arp_ignore=1 -net.ipv4.conf.all.forwarding=0 -net.ipv4.conf.all.send_redirects=0 -net.ipv4.tcp_ecn=0 -net.ipv4.tcp_fin_timeout=30 -net.ipv4.tcp_keepalive_time=120 -net.ipv4.tcp_syncookies=1 -net.ipv4.tcp_timestamps=0 -net.ipv4.netfilter.ip_conntrack_checksum=0 -net.ipv4.netfilter.ip_conntrack_max=16384 -net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600 -net.ipv4.netfilter.ip_conntrack_udp_timeout=60 -net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180 -net.core.netdev_max_backlog=30 -net.netfilter.nf_conntrack_checksum=0 - -#Controls source route verification -net.ipv4.conf.default.rp_filter=1 - -#Do not accept source routing -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.default.accept_source_route=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.icmp_echo_ignore_broadcasts=1 -net.ipv4.icmp_ignore_bogus_error_responses=1 -net.ipv4.ip_forward=0 -# net.ipv6.conf.all.forwarding=1 - -# disable bridge firewalling by default -net.bridge.bridge-nf-call-arptables=0 -net.bridge.bridge-nf-call-ip6tables=0 -net.bridge.bridge-nf-call-iptables=0 - -net.ipv6.conf.default.accept_dad=0 -net.ipv6.conf.default.accept_ra=0 -net.ipv6.conf.default.accept_redirects=0 -net.ipv6.conf.all.accept_dad=0 -net.ipv6.conf.all.accept_ra=1 -net.ipv6.conf.all.accept_redirects=0 - -# Number of Router Solicitations to send until assuming no routers are present. -# This is host and not router -net.ipv6.conf.default.router_solicitations = 0 -net.ipv6.conf.all.router_solicitations = 0 - -# Accept Router Preference in RA? 
-net.ipv6.conf.default.accept_ra_rtr_pref = 0 -net.ipv6.conf.all.accept_ra_rtr_pref = 1 - -# Learn Prefix Information in Router Advertisement -net.ipv6.conf.default.accept_ra_pinfo = 0 -net.ipv6.conf.all.accept_ra_pinfo = 1 - -# Setting controls whether the system will accept Hop Limit settings from a router advertisement -net.ipv6.conf.default.accept_ra_defrtr = 0 -net.ipv6.conf.all.accept_ra_defrtr = 1 - -#router advertisements can cause the system to assign a global unicast address to an interface -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.all.autoconf = 1 - -#how many neighbor solicitations to send out per address? -net.ipv6.conf.default.dad_transmits = 3 -net.ipv6.conf.all.dad_transmits = 3 - -# How many global unicast IPv6 addresses can be assigned to each interface? -net.ipv6.conf.default.max_addresses = 0 -net.ipv6.conf.all.max_addresses = 0 \ No newline at end of file diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf new file mode 100644 index 0000000..5c61a73 --- /dev/null +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf 
@@ -0,0 +1,70 @@ +net.ipv4.conf.default.arp_ignore=1 +net.ipv4.conf.all.arp_ignore=1 +net.ipv4.conf.all.forwarding=0 +net.ipv4.conf.all.send_redirects=0 +net.ipv4.tcp_ecn=0 +net.ipv4.tcp_fin_timeout=30 +net.ipv4.tcp_keepalive_time=120 +net.ipv4.tcp_syncookies=1 +net.ipv4.tcp_timestamps=0 +net.ipv4.netfilter.ip_conntrack_checksum=0 +net.ipv4.netfilter.ip_conntrack_max=16384 +net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600 +net.ipv4.netfilter.ip_conntrack_udp_timeout=60 +net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180 +net.core.netdev_max_backlog=30 +net.netfilter.nf_conntrack_checksum=0 + +#Controls source route verification +net.ipv4.conf.default.rp_filter=1 + +#Do not accept source routing +net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.all.accept_redirects=0 +net.ipv4.conf.default.accept_source_route=0 +net.ipv4.conf.default.accept_redirects=0 +net.ipv4.icmp_echo_ignore_broadcasts=1 +net.ipv4.icmp_ignore_bogus_error_responses=1 +net.ipv4.ip_forward=0 +# net.ipv6.conf.all.forwarding=1 + +# disable bridge firewalling by default +net.bridge.bridge-nf-call-arptables=0 +net.bridge.bridge-nf-call-ip6tables=0 +net.bridge.bridge-nf-call-iptables=0 + +net.ipv6.conf.default.accept_dad=0 +net.ipv6.conf.default.accept_ra=0 +net.ipv6.conf.default.accept_redirects=0 +net.ipv6.conf.all.accept_dad=0 +net.ipv6.conf.all.accept_ra=1 +net.ipv6.conf.all.accept_redirects=0 + +# Number of Router Solicitations to send until assuming no routers are present. +# This is host and not router +net.ipv6.conf.default.router_solicitations = 0 +net.ipv6.conf.all.router_solicitations = 0 + +# Accept Router Preference in RA? 
+net.ipv6.conf.default.accept_ra_rtr_pref = 0 +net.ipv6.conf.all.accept_ra_rtr_pref = 1 + +# Learn Prefix Information in Router Advertisement +net.ipv6.conf.default.accept_ra_pinfo = 0 +net.ipv6.conf.all.accept_ra_pinfo = 1 + +# Setting controls whether the system will accept Hop Limit settings from a router advertisement +net.ipv6.conf.default.accept_ra_defrtr = 0 +net.ipv6.conf.all.accept_ra_defrtr = 1 + +#router advertisements can cause the system to assign a global unicast address to an interface +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.all.autoconf = 1 + +#how many neighbor solicitations to send out per address? +net.ipv6.conf.default.dad_transmits = 3 +net.ipv6.conf.all.dad_transmits = 3 + +# How many global unicast IPv6 addresses can be assigned to each interface? +net.ipv6.conf.default.max_addresses = 0 +net.ipv6.conf.all.max_addresses = 0
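Review bot: The `@@ -1,71 +1 @@` hunk leaves bsp/default/root_file_system/etc/sysctl.conf holding only `kernel.panic=3`, but the commit message has no body beyond the subject and the Signed-off-by line, so it does not say that the bsp keeps shipping this file on purpose. Suggest adding a sentence stating that the bsp still overrides /etc/sysctl.conf and that the network settings now apply only when fff-network is installed and /etc/sysctl.d is read at boot. The removed last line carried "\ No newline at end of file"; it is worth checking that the remaining one-line file ends with a newline.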
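Review bot: In the new 50-fff-network.conf, `net.ipv4.conf.default.rp_filter=1` is set only for `default`, while the accept_source_route and accept_redirects entries right below it are set for both `all` and `default`. A verbatim move is fine for this patch, but a follow-up should either add `net.ipv4.conf.all.rp_filter=1` or say why it is left out. Three smaller points in the same hunk: the comment above `accept_ra_defrtr` talks about Hop Limit although that key controls whether a default router is learned from router advertisements; the `net.ipv4.netfilter.ip_conntrack_*` keys sit next to `net.netfilter.nf_conntrack_checksum`, so it is worth confirming the target kernel still exposes the older names; and the file mixes `key=value` with `key = value`, which a new file is a good occasion to unify.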
Hello Tim,

I like the patch set. Here, for example, things that belong together come together.

I still have a few comments on 2 and 5.

Robert

On 13.02.2018 at 21:40, Tim Niemeyer wrote:
> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> ---
>
> bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
> .../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
> 2 files changed, 70 insertions(+), 70 deletions(-)
> create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>
> diff --git a/bsp/default/root_file_system/etc/sysctl.conf b/bsp/default/root_file_system/etc/sysctl.conf > index f6d85a7..34ce708 100644 > --- a/bsp/default/root_file_system/etc/sysctl.conf > +++ b/bsp/default/root_file_system/etc/sysctl.conf 
> @@ -1,71 +1 @@ > kernel.panic=3 > -net.ipv4.conf.default.arp_ignore=1 > -net.ipv4.conf.all.arp_ignore=1 > -net.ipv4.conf.all.forwarding=0 > -net.ipv4.conf.all.send_redirects=0 > -net.ipv4.tcp_ecn=0 > -net.ipv4.tcp_fin_timeout=30 > -net.ipv4.tcp_keepalive_time=120 > -net.ipv4.tcp_syncookies=1 > -net.ipv4.tcp_timestamps=0 > -net.ipv4.netfilter.ip_conntrack_checksum=0 > -net.ipv4.netfilter.ip_conntrack_max=16384 > -net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600 > -net.ipv4.netfilter.ip_conntrack_udp_timeout=60 > -net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180 > -net.core.netdev_max_backlog=30 > -net.netfilter.nf_conntrack_checksum=0 > - > -#Controls source route verification > -net.ipv4.conf.default.rp_filter=1 > - > -#Do not accept source routing > -net.ipv4.conf.all.accept_source_route=0 > -net.ipv4.conf.all.accept_redirects=0 > -net.ipv4.conf.default.accept_source_route=0 > -net.ipv4.conf.default.accept_redirects=0 > -net.ipv4.icmp_echo_ignore_broadcasts=1 > -net.ipv4.icmp_ignore_bogus_error_responses=1 > -net.ipv4.ip_forward=0 > -# net.ipv6.conf.all.forwarding=1 > - > -# disable bridge firewalling by default > -net.bridge.bridge-nf-call-arptables=0 > -net.bridge.bridge-nf-call-ip6tables=0 > -net.bridge.bridge-nf-call-iptables=0 > - > -net.ipv6.conf.default.accept_dad=0 > -net.ipv6.conf.default.accept_ra=0 > -net.ipv6.conf.default.accept_redirects=0 > -net.ipv6.conf.all.accept_dad=0 > -net.ipv6.conf.all.accept_ra=1 > -net.ipv6.conf.all.accept_redirects=0 > - > -# Number of Router Solicitations to send until assuming no routers are present. > -# This is host and not router > -net.ipv6.conf.default.router_solicitations = 0 > -net.ipv6.conf.all.router_solicitations = 0 > - > -# Accept Router Preference in RA? 
> -net.ipv6.conf.default.accept_ra_rtr_pref = 0 > -net.ipv6.conf.all.accept_ra_rtr_pref = 1 > - > -# Learn Prefix Information in Router Advertisement > -net.ipv6.conf.default.accept_ra_pinfo = 0 > -net.ipv6.conf.all.accept_ra_pinfo = 1 > - > -# Setting controls whether the system will accept Hop Limit settings from a router advertisement > -net.ipv6.conf.default.accept_ra_defrtr = 0 > -net.ipv6.conf.all.accept_ra_defrtr = 1 > - > -#router advertisements can cause the system to assign a global unicast address to an interface > -net.ipv6.conf.default.autoconf = 0 > -net.ipv6.conf.all.autoconf = 1 > - > -#how many neighbor solicitations to send out per address? > -net.ipv6.conf.default.dad_transmits = 3 > -net.ipv6.conf.all.dad_transmits = 3 > - > -# How many global unicast IPv6 addresses can be assigned to each interface? > -net.ipv6.conf.default.max_addresses = 0 > -net.ipv6.conf.all.max_addresses = 0 > \ No newline at end of file > diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf > new file mode 100644 > index 0000000..5c61a73 > --- /dev/null > +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf 
> @@ -0,0 +1,70 @@ > +net.ipv4.conf.default.arp_ignore=1 > +net.ipv4.conf.all.arp_ignore=1 > +net.ipv4.conf.all.forwarding=0 > +net.ipv4.conf.all.send_redirects=0 > +net.ipv4.tcp_ecn=0 > +net.ipv4.tcp_fin_timeout=30 > +net.ipv4.tcp_keepalive_time=120 > +net.ipv4.tcp_syncookies=1 > +net.ipv4.tcp_timestamps=0 > +net.ipv4.netfilter.ip_conntrack_checksum=0 > +net.ipv4.netfilter.ip_conntrack_max=16384 > +net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600 > +net.ipv4.netfilter.ip_conntrack_udp_timeout=60 > +net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180 > +net.core.netdev_max_backlog=30 > +net.netfilter.nf_conntrack_checksum=0 > + > +#Controls source route verification > +net.ipv4.conf.default.rp_filter=1 > + > +#Do not accept source routing > +net.ipv4.conf.all.accept_source_route=0 > +net.ipv4.conf.all.accept_redirects=0 > +net.ipv4.conf.default.accept_source_route=0 > +net.ipv4.conf.default.accept_redirects=0 > +net.ipv4.icmp_echo_ignore_broadcasts=1 > +net.ipv4.icmp_ignore_bogus_error_responses=1 > +net.ipv4.ip_forward=0 > +# net.ipv6.conf.all.forwarding=1 > + > +# disable bridge firewalling by default > +net.bridge.bridge-nf-call-arptables=0 > +net.bridge.bridge-nf-call-ip6tables=0 > +net.bridge.bridge-nf-call-iptables=0 > + > +net.ipv6.conf.default.accept_dad=0 > +net.ipv6.conf.default.accept_ra=0 > +net.ipv6.conf.default.accept_redirects=0 > +net.ipv6.conf.all.accept_dad=0 > +net.ipv6.conf.all.accept_ra=1 > +net.ipv6.conf.all.accept_redirects=0 > + > +# Number of Router Solicitations to send until assuming no routers are present. > +# This is host and not router > +net.ipv6.conf.default.router_solicitations = 0 > +net.ipv6.conf.all.router_solicitations = 0 > + > +# Accept Router Preference in RA? 
> +net.ipv6.conf.default.accept_ra_rtr_pref = 0 > +net.ipv6.conf.all.accept_ra_rtr_pref = 1 > + > +# Learn Prefix Information in Router Advertisement > +net.ipv6.conf.default.accept_ra_pinfo = 0 > +net.ipv6.conf.all.accept_ra_pinfo = 1 > + > +# Setting controls whether the system will accept Hop Limit settings from a router advertisement > +net.ipv6.conf.default.accept_ra_defrtr = 0 > +net.ipv6.conf.all.accept_ra_defrtr = 1 > + > +#router advertisements can cause the system to assign a global unicast address to an interface > +net.ipv6.conf.default.autoconf = 0 > +net.ipv6.conf.all.autoconf = 1 > + > +#how many neighbor solicitations to send out per address? > +net.ipv6.conf.default.dad_transmits = 3 > +net.ipv6.conf.all.dad_transmits = 3 > + > +# How many global unicast IPv6 addresses can be assigned to each interface? > +net.ipv6.conf.default.max_addresses = 0 > +net.ipv6.conf.all.max_addresses = 0
Hello,

from my older patch I remember that sysctl.conf had to be overwritten via install-overlay, i.e. the file already exists in LEDE. If we no longer overwrite it now, someone should check what is in it, since that may then become active ...

Regards

Adrian

> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf Of robert
> Sent: Wednesday, 14 February 2018 11:05
> To: franken-dev@freifunk.net
> Subject: Re: [RFC PATCH 1/5] bsp/default: move network sysctl's to fff-network
>
> Hello Tim,
>
> I like the patch set. Here, for example, things that belong together come together.
>
> I still have a few comments on 2 and 5.
>
> Robert
>
>
> On 13.02.2018 at 21:40, Tim Niemeyer wrote:
> > Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> > ---
> >
> > bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
> > .../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
> > 2 files changed, 70 insertions(+), 70 deletions(-)
> > create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> >
[...]
Hi,

On 14.02.2018 at 11:45, Adrian Schmutzler wrote:
> Hello,
>
> from my older patch I remember that sysctl.conf had to be overwritten via
> install-overlay, i.e. the file already exists in LEDE. If we no longer
> overwrite it now, someone should check what is in it, since that may then
> become active ...

root@rola9:~# cat /etc/sysctl.conf
kernel.panic=3

So there is still a small remnant in the bsp

Robert

>
> Regards
>
> Adrian
>
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf Of robert
>> Sent: Wednesday, 14 February 2018 11:05
>> To: franken-dev@freifunk.net
>> Subject: Re: [RFC PATCH 1/5] bsp/default: move network sysctl's to fff-network
>>
>> Hello Tim,
>>
>> I like the patch set. Here, for example, things that belong together come together.
>>
>> I still have a few comments on 2 and 5.
>>
>> Robert
>>
>>
>> On 13.02.2018 at 21:40, Tim Niemeyer wrote:
>>> Signed-off-by: Tim Niemeyer <tim@tn-x.org>
>>> ---
>>>
>>> bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
>>> .../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
>>> 2 files changed, 70 insertions(+), 70 deletions(-)
>>> create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>>>
> [...]
>
Hi

On 14 February 2018 11:45:40 CET, Adrian Schmutzler <mail@adrianschmutzler.de> wrote:
>Hello,
>
>from my older patch I remember that sysctl.conf had to be overwritten via
>install-overlay, i.e. the file already exists in LEDE. If we no longer
>overwrite it now

It is not empty. We continue to overwrite it.

Tim

>, someone should check what is in it, since that may then become active ...
>Regards
>
>Adrian
>
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf Of robert
>> Sent: Wednesday, 14 February 2018 11:05
>> To: franken-dev@freifunk.net
>> Subject: Re: [RFC PATCH 1/5] bsp/default: move network sysctl's to fff-network
>>
>> Hello Tim,
>>
>> I like the patch set. Here, for example, things that belong together come together.
>>
>> I still have a few comments on 2 and 5.
>>
>> Robert
>>
>>
>> On 13.02.2018 at 21:40, Tim Niemeyer wrote:
>> > Signed-off-by: Tim Niemeyer <tim@tn-x.org>
>> > ---
>> >
>> > bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
>> > .../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
>> > 2 files changed, 70 insertions(+), 70 deletions(-)
>> > create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>> >
>
>[...]
Fact. I overlooked that ...

Sorry

Adrian

> -----Original Message-----
> From: Tim Niemeyer [mailto:tim@tn-x.org]
> Sent: Wednesday, 14 February 2018 12:10
> To: Adrian Schmutzler <mail@adrianschmutzler.de>; franken-dev@freifunk.net
> Subject: RE: [RFC PATCH 1/5] bsp/default: move network sysctl's to fff-network
>
> Hi
>
> On 14 February 2018 11:45:40 CET, Adrian Schmutzler <mail@adrianschmutzler.de> wrote:
> >Hello,
> >
> >from my older patch I remember that sysctl.conf had to be overwritten via
> >install-overlay, i.e. the file already exists in LEDE. If we no longer
> >overwrite it now
>
> It is not empty. We continue to overwrite it.
>
> Tim
>
> >, someone should check what is in it, since that may then become active ...
> >Regards
> >
> >Adrian
> >
> >> -----Original Message-----
> >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf Of robert
> >> Sent: Wednesday, 14 February 2018 11:05
> >> To: franken-dev@freifunk.net
> >> Subject: Re: [RFC PATCH 1/5] bsp/default: move network sysctl's to fff-network
> >>
> >> Hello Tim,
> >>
> >> I like the patch set. Here, for example, things that belong together come together.
> >>
> >> I still have a few comments on 2 and 5.
> >>
> >> Robert
> >>
> >>
> >> On 13.02.2018 at 21:40, Tim Niemeyer wrote:
> >> > Signed-off-by: Tim Niemeyer <tim@tn-x.org>
> >> > ---
> >> >
> >> > bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
> >> > .../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
> >> > 2 files changed, 70 insertions(+), 70 deletions(-)
> >> > create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> >> >
> >
> >[...]
Signed-off-by: Tim Niemeyer <tim@tn-x.org>
---
 bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
 .../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
 2 files changed, 70 insertions(+), 70 deletions(-)
 create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf