From patchwork Sat Mar 3 17:11:32 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [v2,1/5] bsp/default: move network sysctl's to fff-network From: Tim Niemeyer X-Patchwork-Id: 798 Message-Id: <20180303171136.9423-1-tim@tn-x.org> To: franken-dev@freifunk.net Date: Sat, 3 Mar 2018 18:11:32 +0100 Signed-off-by: Tim Niemeyer Reviewed-by: Robert Langhgammer Reviewed-by: Christian Dresel Tested-by: Christian Dresel
---
Changes in v2: None
bsp/default/root_file_system/etc/sysctl.conf | 70 ----------------------
.../files/etc/sysctl.d/50-fff-network.conf | 70 ++++++++++++++++++++++
2 files changed, 70 insertions(+), 70 deletions(-)
create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
diff --git a/bsp/default/root_file_system/etc/sysctl.conf b/bsp/default/root_file_system/etc/sysctl.conf
index f6d85a7..34ce708 100644
--- a/bsp/default/root_file_system/etc/sysctl.conf
+++ b/bsp/default/root_file_system/etc/sysctl.conf
@@ -1,71 +1 @@
 kernel.panic=3
-net.ipv4.conf.default.arp_ignore=1
-net.ipv4.conf.all.arp_ignore=1
-net.ipv4.conf.all.forwarding=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.tcp_ecn=0
-net.ipv4.tcp_fin_timeout=30
-net.ipv4.tcp_keepalive_time=120
-net.ipv4.tcp_syncookies=1
-net.ipv4.tcp_timestamps=0
-net.ipv4.netfilter.ip_conntrack_checksum=0
-net.ipv4.netfilter.ip_conntrack_max=16384
-net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
-net.ipv4.netfilter.ip_conntrack_udp_timeout=60
-net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
-net.core.netdev_max_backlog=30
-net.netfilter.nf_conntrack_checksum=0
-
-#Controls source route verification
-net.ipv4.conf.default.rp_filter=1
-
-#Do not accept source routing
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.icmp_echo_ignore_broadcasts=1
-net.ipv4.icmp_ignore_bogus_error_responses=1
-net.ipv4.ip_forward=0
-# net.ipv6.conf.all.forwarding=1
-
-# disable bridge firewalling by default
-net.bridge.bridge-nf-call-arptables=0
-net.bridge.bridge-nf-call-ip6tables=0
-net.bridge.bridge-nf-call-iptables=0
-
-net.ipv6.conf.default.accept_dad=0
-net.ipv6.conf.default.accept_ra=0
-net.ipv6.conf.default.accept_redirects=0
-net.ipv6.conf.all.accept_dad=0
-net.ipv6.conf.all.accept_ra=1
-net.ipv6.conf.all.accept_redirects=0
-
-# Number of Router Solicitations to send until assuming no routers are present.
-# This is host and not router
-net.ipv6.conf.default.router_solicitations = 0
-net.ipv6.conf.all.router_solicitations = 0
-
-# Accept Router Preference in RA?
-net.ipv6.conf.default.accept_ra_rtr_pref = 0
-net.ipv6.conf.all.accept_ra_rtr_pref = 1
-
-# Learn Prefix Information in Router Advertisement
-net.ipv6.conf.default.accept_ra_pinfo = 0
-net.ipv6.conf.all.accept_ra_pinfo = 1
-
-# Setting controls whether the system will accept Hop Limit settings from a router advertisement
-net.ipv6.conf.default.accept_ra_defrtr = 0
-net.ipv6.conf.all.accept_ra_defrtr = 1
-
-#router advertisements can cause the system to assign a global unicast address to an interface
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.all.autoconf = 1
-
-#how many neighbor solicitations to send out per address?
-net.ipv6.conf.default.dad_transmits = 3
-net.ipv6.conf.all.dad_transmits = 3
-
-# How many global unicast IPv6 addresses can be assigned to each interface?
-net.ipv6.conf.default.max_addresses = 0
-net.ipv6.conf.all.max_addresses = 0
\ No newline at end of file
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
new file mode 100644
index 0000000..5c61a73
--- /dev/null
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -0,0 +1,70 @@
+net.ipv4.conf.default.arp_ignore=1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.conf.all.forwarding=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.tcp_ecn=0
+net.ipv4.tcp_fin_timeout=30
+net.ipv4.tcp_keepalive_time=120
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_timestamps=0
+net.ipv4.netfilter.ip_conntrack_checksum=0
+net.ipv4.netfilter.ip_conntrack_max=16384
+net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
+net.ipv4.netfilter.ip_conntrack_udp_timeout=60
+net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
+net.core.netdev_max_backlog=30
+net.netfilter.nf_conntrack_checksum=0
+
+#Controls source route verification
+net.ipv4.conf.default.rp_filter=1
+
+#Do not accept source routing
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.ip_forward=0
+# net.ipv6.conf.all.forwarding=1
+
+# disable bridge firewalling by default
+net.bridge.bridge-nf-call-arptables=0
+net.bridge.bridge-nf-call-ip6tables=0
+net.bridge.bridge-nf-call-iptables=0
+
+net.ipv6.conf.default.accept_dad=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.all.accept_dad=0
+net.ipv6.conf.all.accept_ra=1
+net.ipv6.conf.all.accept_redirects=0
+
+# Number of Router Solicitations to send until assuming no routers are present.
+# This is host and not router
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.all.router_solicitations = 0
+
+# Accept Router Preference in RA?
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.all.accept_ra_rtr_pref = 1
+
+# Learn Prefix Information in Router Advertisement
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.all.accept_ra_pinfo = 1
+
+# Setting controls whether the system will accept Hop Limit settings from a router advertisement
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.all.accept_ra_defrtr = 1
+
+#router advertisements can cause the system to assign a global unicast address to an interface
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.all.autoconf = 1
+
+#how many neighbor solicitations to send out per address?
+net.ipv6.conf.default.dad_transmits = 3
+net.ipv6.conf.all.dad_transmits = 3
+
+# How many global unicast IPv6 addresses can be assigned to each interface?
+net.ipv6.conf.default.max_addresses = 0
+net.ipv6.conf.all.max_addresses = 0
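Review bot: The conntrack table limit and timeouts near the top of the new file (`net.ipv4.netfilter.ip_conntrack_max=16384` and the three `ip_conntrack_*timeout*` lines) are given only under the legacy `net.ipv4.netfilter.ip_conntrack_*` compat names, whereas the checksum setting is additionally written as `net.netfilter.nf_conntrack_checksum=0`; on a kernel that no longer exposes the compat sysctls those four lines fail to apply and the table size and timeouts silently stay at kernel defaults, which is exactly what bounds conntrack memory under a connection flood. Adding the `net.netfilter.nf_conntrack_*` counterparts beside them, as is already done for checksum, keeps the intended values effective on either kind of kernel. Separately, `net.ipv6.conf.all.accept_ra=1` honours router advertisements only while IPv6 forwarding is off; if the commented-out `# net.ipv6.conf.all.forwarding=1` is ever enabled it would have to become 2, so a comment such as `# accept_ra=1 is ignored once forwarding is enabled; use 2 in that case` next to it would save a debugging round. Whether the target kernel still ships the compat names cannot be told from the patch alone.
```ini
# … unchanged: legacy net.ipv4.netfilter.ip_conntrack_* lines above …
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=3600
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
# … unchanged: rp_filter and the remainder of the file …
```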