-rw-r--r--conf.default/config.xml52
-rw-r--r--etc/inc/sysctl.inc40
-rw-r--r--etc/inc/system.inc10
3 files changed, 73 insertions, 29 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 3a306a3..32b4d6f 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -8,132 +8,132 @@
<item>
<desc>Set the ephemeral port range to be lower.</desc>
<tunable>net.inet.ip.portrange.first</tunable>
- <value>1024</value>
+ <value>default</value>
</item>
<item>
<desc>Drop packets to closed TCP ports without returning a RST</desc>
<tunable>net.inet.tcp.blackhole</tunable>
- <value>2</value>
+ <value>default</value>
</item>
<item>
<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
<tunable>net.inet.udp.blackhole</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
<tunable>net.inet.ip.random_id</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
<tunable>net.inet.tcp.drop_synfin</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Enable sending IPv4 redirects</desc>
<tunable>net.inet.ip.redirect</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Enable sending IPv6 redirects</desc>
<tunable>net.inet6.ip6.redirect</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
<tunable>net.inet.tcp.syncookies</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
<tunable>net.inet.tcp.recvspace</tunable>
- <value>65228</value>
+ <value>default</value>
</item>
<item>
<desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
<tunable>net.inet.tcp.sendspace</tunable>
- <value>65228</value>
+ <value>default</value>
</item>
<item>
<desc>IP Fastforwarding</desc>
<tunable>net.inet.ip.fastforwarding</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
<tunable>net.inet.tcp.delayed_ack</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>Maximum outgoing UDP datagram size</desc>
<tunable>net.inet.udp.maxdgram</tunable>
- <value>57344</value>
+ <value>default</value>
</item>
<item>
<desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
<tunable>net.link.bridge.pfil_onlyip</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
<tunable>net.link.bridge.pfil_member</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Set to 1 to enable filtering on the bridge interface</desc>
<tunable>net.link.bridge.pfil_bridge</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>Allow unprivileged access to tap(4) device nodes</desc>
<tunable>net.link.tap.user_open</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
<tunable>kern.rndtest.verbose</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
<tunable>kern.randompid</tunable>
- <value>347</value>
+ <value>default</value>
</item>
<item>
<desc>Maximum size of the IP input queue</desc>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
- <value>1000</value>
+ <value>default</value>
</item>
<item>
<desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
<tunable>hw.syscons.kbd_reboot</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>Enable TCP Inflight mode</desc>
<tunable>net.inet.tcp.inflight.enable</tunable>
- <value>1</value>
+ <value>default</value>
</item>
<item>
<desc>Enable TCP extended debugging</desc>
<tunable>net.inet.tcp.log_debug</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>Set ICMP Limits</desc>
<tunable>net.inet.icmp.icmplim</tunable>
- <value>750</value>
+ <value>default</value>
</item>
<item>
<desc>TCP Offload Engine</desc>
<tunable>net.inet.tcp.tso</tunable>
- <value>0</value>
+ <value>default</value>
</item>
<item>
<desc>TCP Offload Engine - BCE</desc>
<tunable>hw.bce.tso_enable</tunable>
- <value>0</value>
+ <value>default</value>
</item>
</sysctl>
<system>
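Review bot: Every `<value>` in this hunk is now the opaque sentinel `default`, but the `<desc>` text still describes the hardened setting (e.g. "Drop packets to closed TCP ports without returning a RST", "Randomize the ID field in IP packets") without saying what `default` resolves to, so an administrator reading config.xml can no longer tell whether blackhole, random_id or drop_synfin are actually on. The resolved values live in a separate PHP table that duplicates this list, and the two can drift silently. I would add one XML comment at the top of the `<sysctl>` section, `<!-- "default" is resolved at boot from the table in etc/inc/sysctl.inc; a tunable missing there gets no value -->`, so the dependency is visible where the config is edited. The `<sysctl>` element opens before this hunk.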
diff --git a/etc/inc/sysctl.inc b/etc/inc/sysctl.inc
new file mode 100644
index 0000000..c90b074
--- /dev/null
+++ b/etc/inc/sysctl.inc
@@ -0,0 +1,40 @@
+<?php
+
+$sysctls = array("net.inet.ip.portrange.first" => "1024",
+ "net.inet.tcp.blackhole" => "2",
+ "net.inet.udp.blackhole" => "1",
+ "net.inet.ip.random_id" => "1",
+ "net.inet.tcp.drop_synfin" => "1",
+ "net.inet.ip.redirect" => "1",
+ "net.inet6.ip6.redirect" => "1",
+ "net.inet.tcp.syncookies" => "1",
+ "net.inet.tcp.recvspace" => "65228",
+ "net.inet.tcp.sendspace" => "65228",
+ "net.inet.ip.fastforwarding" => "1",
+ "net.inet.tcp.delayed_ack" => "0",
+ "net.inet.udp.maxdgram" => "57344",
+ "net.link.bridge.pfil_onlyip" => "0",
+ "net.link.bridge.pfil_member" => "1",
+ "net.link.bridge.pfil_bridge" => "0",
+ "net.link.tap.user_open" => "1",
+ "kern.rndtest.verbose" => "0",
+ "kern.randompid" => "347",
+ "net.inet.ip.intr_queue_maxlen" => "1000",
+ "hw.syscons.kbd_reboot" => "0",
+ "net.inet.tcp.inflight.enable" => "1",
+ "net.inet.tcp.log_debug" => "0",
+ "net.inet.icmp.icmplim" => "750",
+ "net.inet.tcp.tso" => "0",
+ "hw.bce.tso_enable" => "0"
+ );
+
+function get_default_sysctl_value($id) {
+ global $sysctls;
+ foreach($sysctls as $sysctl => $value) {
+ if($sysctl == $id)
+ return $value;
+ }
+}
+
+
+?> \ No newline at end of file
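Review bot: `get_default_sysctl_value` linearly scans the map with loose `==` and falls off the end for an unknown id, so a caller gets an implicit null and cannot distinguish "not in table" from a real value; since the file already has the tunable names as array keys, a direct lookup is both clearer and explicit about the miss: `return isset($sysctls[$id]) ? $sysctls[$id] : null;`. Because the helper reads `global $sysctls`, it only works if this file is included at file scope — if it is pulled in from inside a function, `$sysctls` becomes that function's local and the helper sees nothing; a one-line comment above the array, `// must be included at top level: get_default_sysctl_value() reads this via global`, would save the next person that debugging session. The closing `?>` with no trailing newline should be dropped in a PHP-only include, as stray output after it breaks header-sending callers.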
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index dd54527..e3611ea 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -50,16 +50,20 @@ function activate_powerd() {
function activate_sysctls() {
global $config, $g;
-
+ require("sysctl.inc");
exec("/sbin/sysctl net.enc.out.ipsec_bpf_mask=0x00000001");
exec("/sbin/sysctl net.enc.out.ipsec_filter_mask=0x00000001");
exec("/sbin/sysctl net.enc.in.ipsec_bpf_mask=0x00000002");
exec("/sbin/sysctl net.enc.in.ipsec_filter_mask=0x00000002");
- if (is_array($config['sysctl']))
- foreach ($config['sysctl']['item'] as $tunable)
+ if (is_array($config['sysctl'])) {
+ foreach ($config['sysctl']['item'] as $tunable) {
+ if($tunable['value'] == "default")
+ $tunable['value'] = get_default_sysctl_value($tunable['tunable']);
mwexec("sysctl " . $tunable['tunable'] . "=\""
. $tunable['value'] . "\"");
+ }
+ }
}
function system_resolvconf_generate($dynupdate = false) {
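Review bot: `require("sysctl.inc")` inside `activate_sysctls()` gives the included `$sysctls = array(...)` function-local scope, so `get_default_sysctl_value()`'s `global $sysctls` reads an unset variable unless the file is also included at top level elsewhere — as far as this diff shows it is not, so every `default` item would resolve to null and run `sysctl net.inet.tcp.blackhole=""`, silently dropping the blackhole, random_id and drop_synfin hardening the old literal values enforced. A second call to the function would also fatal on redeclaring the helper. Move the include to the file header as `require_once("sysctl.inc")` (outside this hunk), compare the sentinel strictly, and skip an item whose default cannot be resolved rather than passing an empty value to the shell. The function starts before this hunk's first line.
```php
	foreach ($config['sysctl']['item'] as $tunable) {
		$value = $tunable['value'];
		if ($value === "default") {
			$value = get_default_sysctl_value($tunable['tunable']);
			if ($value === null)
				continue; /* no known default: do not run sysctl name="" */
		}
		mwexec("sysctl " . $tunable['tunable'] . "=\"" . $value . "\"");
	}
```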