[RFC PATCH 1/5] bsp/default: move network sysctl's to fff-network

robert rlanghammer at web.de
Mi Feb 14 11:05:18 CET 2018


Hallo Tim,

mir gefaellt das Patchset. Hier z.B. kommt zusammen, was zusammen gehoert.

Ein paar Anmerkungen zu 2 und 5 hab ich noch.

Robert


Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
> Signed-off-by: Tim Niemeyer <tim at tn-x.org>
> ---
>
>  bsp/default/root_file_system/etc/sysctl.conf       | 70 ----------------------
>  .../files/etc/sysctl.d/50-fff-network.conf         | 70 ++++++++++++++++++++++
>  2 files changed, 70 insertions(+), 70 deletions(-)
>  create mode 100644 src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>
> diff --git a/bsp/default/root_file_system/etc/sysctl.conf b/bsp/default/root_file_system/etc/sysctl.conf
> index f6d85a7..34ce708 100644
> --- a/bsp/default/root_file_system/etc/sysctl.conf
> +++ b/bsp/default/root_file_system/etc/sysctl.conf
> @@ -1,71 +1 @@
>  kernel.panic=3
> -net.ipv4.conf.default.arp_ignore=1
> -net.ipv4.conf.all.arp_ignore=1
> -net.ipv4.conf.all.forwarding=0
> -net.ipv4.conf.all.send_redirects=0
> -net.ipv4.tcp_ecn=0
> -net.ipv4.tcp_fin_timeout=30
> -net.ipv4.tcp_keepalive_time=120
> -net.ipv4.tcp_syncookies=1
> -net.ipv4.tcp_timestamps=0
> -net.ipv4.netfilter.ip_conntrack_checksum=0
> -net.ipv4.netfilter.ip_conntrack_max=16384
> -net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
> -net.ipv4.netfilter.ip_conntrack_udp_timeout=60
> -net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
> -net.core.netdev_max_backlog=30
> -net.netfilter.nf_conntrack_checksum=0
> -
> -#Controls source route verification
> -net.ipv4.conf.default.rp_filter=1
> -
> -#Do not accept source routing
> -net.ipv4.conf.all.accept_source_route=0
> -net.ipv4.conf.all.accept_redirects=0
> -net.ipv4.conf.default.accept_source_route=0
> -net.ipv4.conf.default.accept_redirects=0
> -net.ipv4.icmp_echo_ignore_broadcasts=1
> -net.ipv4.icmp_ignore_bogus_error_responses=1
> -net.ipv4.ip_forward=0
> -# net.ipv6.conf.all.forwarding=1
> -
> -# disable bridge firewalling by default
> -net.bridge.bridge-nf-call-arptables=0
> -net.bridge.bridge-nf-call-ip6tables=0
> -net.bridge.bridge-nf-call-iptables=0
> -
> -net.ipv6.conf.default.accept_dad=0
> -net.ipv6.conf.default.accept_ra=0
> -net.ipv6.conf.default.accept_redirects=0
> -net.ipv6.conf.all.accept_dad=0
> -net.ipv6.conf.all.accept_ra=1
> -net.ipv6.conf.all.accept_redirects=0
> -
> -# Number of Router Solicitations to send until assuming no routers are present.
> -# This is host and not router
> -net.ipv6.conf.default.router_solicitations = 0
> -net.ipv6.conf.all.router_solicitations = 0
> - 
> -# Accept Router Preference in RA?
> -net.ipv6.conf.default.accept_ra_rtr_pref = 0
> -net.ipv6.conf.all.accept_ra_rtr_pref = 1
> - 
> -# Learn Prefix Information in Router Advertisement
> -net.ipv6.conf.default.accept_ra_pinfo = 0
> -net.ipv6.conf.all.accept_ra_pinfo = 1
> - 
> -# Setting controls whether the system will accept Hop Limit settings from a router advertisement
> -net.ipv6.conf.default.accept_ra_defrtr = 0
> -net.ipv6.conf.all.accept_ra_defrtr = 1
> -
> -#router advertisements can cause the system to assign a global unicast address to an interface
> -net.ipv6.conf.default.autoconf = 0
> -net.ipv6.conf.all.autoconf = 1
> -
> -#how many neighbor solicitations to send out per address?
> -net.ipv6.conf.default.dad_transmits = 3
> -net.ipv6.conf.all.dad_transmits = 3
> -
> -# How many global unicast IPv6 addresses can be assigned to each interface?
> -net.ipv6.conf.default.max_addresses = 0
> -net.ipv6.conf.all.max_addresses = 0
> \ No newline at end of file
> diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> new file mode 100644
> index 0000000..5c61a73
> --- /dev/null
> +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> @@ -0,0 +1,70 @@
> +net.ipv4.conf.default.arp_ignore=1
> +net.ipv4.conf.all.arp_ignore=1
> +net.ipv4.conf.all.forwarding=0
> +net.ipv4.conf.all.send_redirects=0
> +net.ipv4.tcp_ecn=0
> +net.ipv4.tcp_fin_timeout=30
> +net.ipv4.tcp_keepalive_time=120
> +net.ipv4.tcp_syncookies=1
> +net.ipv4.tcp_timestamps=0
> +net.ipv4.netfilter.ip_conntrack_checksum=0
> +net.ipv4.netfilter.ip_conntrack_max=16384
> +net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
> +net.ipv4.netfilter.ip_conntrack_udp_timeout=60
> +net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
> +net.core.netdev_max_backlog=30
> +net.netfilter.nf_conntrack_checksum=0
> +
> +#Controls source route verification
> +net.ipv4.conf.default.rp_filter=1
> +
> +#Do not accept source routing
> +net.ipv4.conf.all.accept_source_route=0
> +net.ipv4.conf.all.accept_redirects=0
> +net.ipv4.conf.default.accept_source_route=0
> +net.ipv4.conf.default.accept_redirects=0
> +net.ipv4.icmp_echo_ignore_broadcasts=1
> +net.ipv4.icmp_ignore_bogus_error_responses=1
> +net.ipv4.ip_forward=0
> +# net.ipv6.conf.all.forwarding=1
> +
> +# disable bridge firewalling by default
> +net.bridge.bridge-nf-call-arptables=0
> +net.bridge.bridge-nf-call-ip6tables=0
> +net.bridge.bridge-nf-call-iptables=0
> +
> +net.ipv6.conf.default.accept_dad=0
> +net.ipv6.conf.default.accept_ra=0
> +net.ipv6.conf.default.accept_redirects=0
> +net.ipv6.conf.all.accept_dad=0
> +net.ipv6.conf.all.accept_ra=1
> +net.ipv6.conf.all.accept_redirects=0
> +
> +# Number of Router Solicitations to send until assuming no routers are present.
> +# This is host and not router
> +net.ipv6.conf.default.router_solicitations = 0
> +net.ipv6.conf.all.router_solicitations = 0
> + 
> +# Accept Router Preference in RA?
> +net.ipv6.conf.default.accept_ra_rtr_pref = 0
> +net.ipv6.conf.all.accept_ra_rtr_pref = 1
> + 
> +# Learn Prefix Information in Router Advertisement
> +net.ipv6.conf.default.accept_ra_pinfo = 0
> +net.ipv6.conf.all.accept_ra_pinfo = 1
> + 
> +# Setting controls whether the system will accept Hop Limit settings from a router advertisement
> +net.ipv6.conf.default.accept_ra_defrtr = 0
> +net.ipv6.conf.all.accept_ra_defrtr = 1
> +
> +#router advertisements can cause the system to assign a global unicast address to an interface
> +net.ipv6.conf.default.autoconf = 0
> +net.ipv6.conf.all.autoconf = 1
> +
> +#how many neighbor solicitations to send out per address?
> +net.ipv6.conf.default.dad_transmits = 3
> +net.ipv6.conf.all.dad_transmits = 3
> +
> +# How many global unicast IPv6 addresses can be assigned to each interface?
> +net.ipv6.conf.default.max_addresses = 0
> +net.ipv6.conf.all.max_addresses = 0
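Review bot: `net.ipv4.conf.default.rp_filter=1` in the new 50-fff-network.conf enables reverse-path filtering only for `default`, which the kernel copies to interfaces created after the value is written; interfaces that already exist when this sysctl.d file is applied keep their earlier setting, and nothing in this file sets `net.ipv4.conf.all.rp_filter`. Because source validation uses the higher of the `all` and per-interface values, adding `net.ipv4.conf.all.rp_filter=1` would cover every interface, provided strict filtering is compatible with the routing on these devices (not visible from this patch). Separately, the comment above `accept_ra_defrtr` talks about Hop Limit, but that key controls whether a default router is learned from Router Advertisements; I would reword it to `# Learn default router from Router Advertisements`. Both lines are carried over unchanged from the old sysctl.conf, so they could equally go into a follow-up patch.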


