author | Ermal <eri@pfsense.org> | 2014-11-10 21:47:14 +0100 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-11-10 21:47:14 +0100 |
commit | d87fcac96b45958bd777c7ac38cc0665dbde6062 (patch) | |
tree | 599a680c39d7db4a859595b17fe65b948def3dc9 | |
parent | 24d728bb4feb848b10d42a81df0e0a92dd599764 (diff) | |
Do not require the default sysctl items to be set in config.xml; instead, extract the definitions from the sysctl tree. This also reduces the config.xml size.
-rw-r--r-- | conf.default/config.xml | 152 | ||||
-rw-r--r-- | etc/inc/system.inc | 39 | ||||
-rw-r--r-- | etc/inc/unbound.inc | 18 | ||||
-rw-r--r-- | usr/local/www/system_advanced_sysctl.php | 33 |
4 files changed, 69 insertions, 173 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 01b2d59..68c361a 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -4,158 +4,6 @@
 <version>9.9</version>
 <lastchange></lastchange>
 <theme>pfsense_ng</theme>
- <sysctl>
- <item>
- <descr><![CDATA[Disable the pf ftp proxy handler.]]></descr>
- <tunable>debug.pfftpproxy</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr>
- <tunable>vfs.read_max</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
- <tunable>net.inet.ip.portrange.first</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
- <tunable>net.inet.tcp.blackhole</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
- <tunable>net.inet.udp.blackhole</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr>
- <tunable>net.inet.ip.random_id</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
- <tunable>net.inet.tcp.drop_synfin</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable sending IPv4 redirects]]></descr>
- <tunable>net.inet.ip.redirect</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable sending IPv6 redirects]]></descr>
- <tunable>net.inet6.ip6.redirect</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
- <tunable>net.inet6.ip6.use_tempaddr</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
- <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
- <tunable>net.inet.tcp.syncookies</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr>
- <tunable>net.inet.tcp.recvspace</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr>
- <tunable>net.inet.tcp.sendspace</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[IP Fastforwarding]]></descr>
- <tunable>net.inet.ip.fastforwarding</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>
- <tunable>net.inet.tcp.delayed_ack</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
- <tunable>net.inet.udp.maxdgram</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
- <tunable>net.link.bridge.pfil_onlyip</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
- <tunable>net.link.bridge.pfil_member</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
- <tunable>net.link.bridge.pfil_bridge</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
- <tunable>net.link.tap.user_open</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
- <tunable>kern.randompid</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum size of the IP input queue]]></descr>
- <tunable>net.inet.ip.intr_queue_maxlen</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
- <tunable>hw.syscons.kbd_reboot</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable TCP extended debugging]]></descr>
- <tunable>net.inet.tcp.log_debug</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set ICMP Limits]]></descr>
- <tunable>net.inet.icmp.icmplim</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[TCP Offload Engine]]></descr>
- <tunable>net.inet.tcp.tso</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[UDP Checksums]]></descr>
- <tunable>net.inet.udp.checksum</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum socket buffer size]]></descr>
- <tunable>kern.ipc.maxsockbuf</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Reply ICMP from source interface]]></descr>
- <tunable>net.inet.icmp.reply_from_interface</tunable>
- <value>default</value>
- </item>
- </sysctl>
 <system>
 <optimization>normal</optimization>
 <hostname>pfSense</hostname>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 273b5a2..87bbdb2 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -72,13 +72,50 @@ function get_default_sysctl_value($id) {
 return $sysctls[$id];
 }
 
+function get_sysctl_descr($sysctl) {
+ unset($output);
+ $_gb = exec("/sbin/sysctl -nd {$sysctl}", $output);
+
+ return $output[0];
+}
+
+function system_get_sysctls() {
+ global $config, $sysctls;
+
+ $disp_sysctl = array();
+ $disp_cache = array();
+ if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
+ foreach($config['sysctl']['item'] as $id => $tunable) {
+ if ($tunable['value'] == "default")
+ $value = get_default_sysctl_value($tunable['tunable']);
+ else
+ $value = $tunable['value'];
+
+ $disp_sysctl[$id] = $tunable;
+ $disp_sysctl[$id]['modified'] = true;
+ $disp_cache[$tunable['tunable']] = 'set';
+ }
+ }
+
+ foreach ($sysctls as $sysctl => $value) {
+ if (isset($disp_cache[$sysctl]))
+ continue;
+
+ $disp_sysctl[$sysctl] = array('tunable' => $sysctl, 'value' => $value, 'descr' => get_sysctl_descr($sysctl));
+
+
+ }
+ unset($disp_cache);
+ return $disp_sysctl;
+}
+
 function activate_sysctls() {
 global $config, $g, $sysctls;
 
 if ($g['platform'] == 'jail')
 return;
 
- if (is_array($config['sysctl'])) {
+ if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
 foreach($config['sysctl']['item'] as $tunable) {
 if($tunable['value'] == "default")
 $value = get_default_sysctl_value($tunable['tunable']);
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index 4088035..b047346 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
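Review bot: `get_sysctl_descr()` interpolates `$sysctl` straight into the shell string handed to `exec()`; its only caller in this hunk passes keys of the built-in `$sysctls` table, so the input is trusted today, but the function is global and accepts any string, so the argument should be quoted: `$_gb = exec("/sbin/sysctl -nd " . escapeshellarg($sysctl), $output);`. It also returns `$output[0]` unconditionally, which is undefined when the kernel does not know the tunable and `exec()` yields no output; `return isset($output[0]) ? $output[0] : '';` keeps the `descr` field a string. In `system_get_sysctls()` the `$value` resolved through `get_default_sysctl_value()` in the first loop is never stored, so config entries whose value is the literal `default` come back with that string rather than the effective value — together with the removal of the `(default)` display in system_advanced_sysctl.php this presumably leaves the page showing no effective value for them. `activate_sysctls()` continues past the end of the hunk.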
@@ -79,14 +79,16 @@ function unbound_optimization() {
 * Larger socket buffer for busy servers
 * Check that it is set to 4MB (by default the OS has it configured to 4MB)
 */
- foreach ($config['sysctl']['item'] as $tunable) {
- if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') {
- $so = floor(($tunable['value']/1024/1024)-1);
- // Check to ensure that the number is not a negative
- if ($so > 0)
- $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m";
- else
- unset($optimization['so_rcvbuf']);
+ if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
+ foreach ($config['sysctl']['item'] as $tunable) {
+ if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') {
+ $so = floor(($tunable['value']/1024/1024)-1);
+ // Check to ensure that the number is not a negative
+ if ($so > 0)
+ $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m";
+ else
+ unset($optimization['so_rcvbuf']);
+ }
 }
 }
 // Safety check in case kern.ipc.maxsockbuf is not available.
diff --git a/usr/local/www/system_advanced_sysctl.php b/usr/local/www/system_advanced_sysctl.php
index 7dcf3df..51e1bf0 100644
--- a/usr/local/www/system_advanced_sysctl.php
+++ b/usr/local/www/system_advanced_sysctl.php
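Review bot: The re-wrapped loop still divides `$tunable['value']` as-is, but a config entry for `kern.ipc.maxsockbuf` can carry the literal value `default` (the shape the removed config.xml items used, and the case `activate_sysctls()` handles explicitly), which PHP 5 arithmetic evaluates as 0 so the `unset()` branch is always taken, and newer PHP rejects outright. Resolve it first: `$bufsize = ($tunable['value'] == "default") ? get_default_sysctl_value($tunable['tunable']) : $tunable['value'];` and then `$so = floor(($bufsize/1024/1024)-1);`. Since this commit removes the default items from config.xml, an unmodified install will no longer match any entry here and relies entirely on the safety check that follows the hunk. `unbound_optimization()` continues outside the hunk.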
@@ -47,25 +47,32 @@ require("guiconfig.inc");
 
 $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_advanced_sysctl.php');
 
+if (!is_array($config['sysctl']))
+ $config['sysctl'] = array();
 if (!is_array($config['sysctl']['item']))
 $config['sysctl']['item'] = array();
 
 $a_tunable = &$config['sysctl']['item'];
+$tunables = system_get_sysctls();
 
-if (is_numericint($_GET['id']))
- $id = $_GET['id'];
-if (isset($_POST['id']) && is_numericint($_POST['id']))
- $id = $_POST['id'];
+if (isset($_GET['id']))
+ $id = htmlspecialchars_decode($_GET['id']);
+if (isset($_POST['id']))
+ $id = htmlspecialchars_decode($_POST['id']);
 
 $act = $_GET['act'];
 if (isset($_POST['act']))
 $act = $_POST['act'];
 
 if ($act == "edit") {
- if ($a_tunable[$id]) {
+ if (isset($a_tunable[$id])) {
 $pconfig['tunable'] = $a_tunable[$id]['tunable'];
 $pconfig['value'] = $a_tunable[$id]['value'];
 $pconfig['descr'] = $a_tunable[$id]['descr'];
+ } else if (isset($tunables[$id])) {
+ $pconfig['tunable'] = $tunables[$id]['tunable'];
+ $pconfig['value'] = $tunables[$id]['value'];
+ $pconfig['descr'] = $tunables[$id]['descr'];
 }
 }
 
@@ -111,7 +118,7 @@ if ($_POST) {
 $tunableent['value'] = $_POST['value'];
 $tunableent['descr'] = $_POST['descr'];
 
- if (isset($id) && $a_tunable[$id])
+ if (isset($id) && isset($a_tunable[$id]))
 $a_tunable[$id] = $tunableent;
 else
 $a_tunable[] = $tunableent;
@@ -175,7 +182,11 @@ include("head.inc");
 <td width="60%" class="listhdrr"><?=gettext("Description"); ?></td>
 <td width="20%" class="listhdrr"><?=gettext("Value"); ?></td>
 </tr>
- <?php $i = 0; foreach ($config['sysctl']['item'] as $tunable): ?>
+ <?php foreach ($tunables as $i => $tunable):
+
+ if (!isset($tunable['modified']))
+ $i = $tunable['tunable'];
+ ?>
 <tr>
 <td class="listlr" ondblclick="document.location='system_advanced_sysctl.php?act=edit&id=<?=$i;?>';">
 <?php echo $tunable['tunable']; ?>
@@ -185,10 +196,6 @@ include("head.inc");
 </td>
 <td class="listr" align="left" ondblclick="document.location='system_advanced_sysctl.php?act=edit&id=<?=$i;?>';">
 <?php echo $tunable['value']; ?>
- <?php
- if($tunable['value'] == "default")
- echo "(" . get_default_sysctl_value($tunable['tunable']) . ")";
- ?>
 </td>
 <td class="list nowrap">
 <table border="0" cellspacing="0" cellpadding="1" summary="edit delete">
@@ -198,16 +205,18 @@ include("head.inc");
 <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" alt="" />
 </a>
 </td>
+ <?php if (isset($tunable['modified'])): ?>
 <td valign="middle">
 <a href="system_advanced_sysctl.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?"); ?>')">
 <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="" />
 </a>
 </td>
+ <?php endif; ?>
 </tr>
 </table>
 </td>
 </tr>
- <?php $i++; endforeach; ?>
+ <?php endforeach; unset($tunables); ?>
 <tr>
 <td class="list" colspan="3"> </td> |
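Review bot: Replacing `is_numericint()` with `htmlspecialchars_decode()` in the first hunk drops input validation on `$id`: it is now an arbitrary string from the query string or POST body, and decoding entities on input un-escapes it rather than sanitising it. Inside the hunk `$id` is only used as an array key in `isset($a_tunable[$id])` and `isset($tunables[$id])`, which is safe, but the other consumers of `$id` in this file (the `del` action and the edit form, outside the hunk) should be checked for unescaped output of the value. Restricting `$id` to what the page can actually address is cheap, since `$tunables` is assigned a few lines above: `if (isset($_GET['id']) && (is_numericint($_GET['id']) || isset($tunables[$_GET['id']]))) $id = $_GET['id'];` with the same shape for `$_POST['id']`. Separately, `system_get_sysctls()` spawns one `sysctl` process per built-in tunable on every request of this page; presumably acceptable for an admin page, but worth a comment at the `$tunables = system_get_sysctls();` line.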