-rw-r--r-- | conf.default/config.xml | 52 | ||||
-rw-r--r-- | etc/inc/sysctl.inc | 40 | ||||
-rw-r--r-- | etc/inc/system.inc | 10 |
3 files changed, 73 insertions, 29 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 3a306a3..32b4d6f 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -8,132 +8,132 @@
 <item>
 <desc>Set the ephemeral port range to be lower.</desc>
 <tunable>net.inet.ip.portrange.first</tunable>
- <value>1024</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Drop packets to closed TCP ports without returning a RST</desc>
 <tunable>net.inet.tcp.blackhole</tunable>
- <value>2</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
 <tunable>net.inet.udp.blackhole</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
 <tunable>net.inet.ip.random_id</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
 <tunable>net.inet.tcp.drop_synfin</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Enable sending IPv4 redirects</desc>
 <tunable>net.inet.ip.redirect</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Enable sending IPv6 redirects</desc>
 <tunable>net.inet6.ip6.redirect</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
 <tunable>net.inet.tcp.syncookies</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
 <tunable>net.inet.tcp.recvspace</tunable>
- <value>65228</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
 <tunable>net.inet.tcp.sendspace</tunable>
- <value>65228</value>
+ <value>default</value>
 </item>
 <item>
 <desc>IP Fastforwarding</desc>
 <tunable>net.inet.ip.fastforwarding</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
 <tunable>net.inet.tcp.delayed_ack</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Maximum outgoing UDP datagram size</desc>
 <tunable>net.inet.udp.maxdgram</tunable>
- <value>57344</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
 <tunable>net.link.bridge.pfil_onlyip</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
 <tunable>net.link.bridge.pfil_member</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Set to 1 to enable filtering on the bridge interface</desc>
 <tunable>net.link.bridge.pfil_bridge</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Allow unprivileged access to tap(4) device nodes</desc>
 <tunable>net.link.tap.user_open</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
 <tunable>kern.rndtest.verbose</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
 <tunable>kern.randompid</tunable>
- <value>347</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Maximum size of the IP input queue</desc>
 <tunable>net.inet.ip.intr_queue_maxlen</tunable>
- <value>1000</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
 <tunable>hw.syscons.kbd_reboot</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Enable TCP Inflight mode</desc>
 <tunable>net.inet.tcp.inflight.enable</tunable>
- <value>1</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Enable TCP extended debugging</desc>
 <tunable>net.inet.tcp.log_debug</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>Set ICMP Limits</desc>
 <tunable>net.inet.icmp.icmplim</tunable>
- <value>750</value>
+ <value>default</value>
 </item>
 <item>
 <desc>TCP Offload Engine</desc>
 <tunable>net.inet.tcp.tso</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 <item>
 <desc>TCP Offload Engine - BCE</desc>
 <tunable>hw.bce.tso_enable</tunable>
- <value>0</value>
+ <value>default</value>
 </item>
 </sysctl>
 <system>
diff --git a/etc/inc/sysctl.inc b/etc/inc/sysctl.inc
new file mode 100644
index 0000000..c90b074
--- /dev/null
+++ b/etc/inc/sysctl.inc
@@ -0,0 +1,40 @@
+<?php
+
+$sysctls = array("net.inet.ip.portrange.first" => "1024",
+ "net.inet.tcp.blackhole" => "2",
+ "net.inet.udp.blackhole" => "1",
+ "net.inet.ip.random_id" => "1",
+ "net.inet.tcp.drop_synfin" => "1",
+ "net.inet.ip.redirect" => "1",
+ "net.inet6.ip6.redirect" => "1",
+ "net.inet.tcp.syncookies" => "1",
+ "net.inet.tcp.recvspace" => "65228",
+ "net.inet.tcp.sendspace" => "65228",
+ "net.inet.ip.fastforwarding" => "1",
+ "net.inet.tcp.delayed_ack" => "0",
+ "net.inet.udp.maxdgram" => "57344",
+ "net.link.bridge.pfil_onlyip" => "0",
+ "net.link.bridge.pfil_member" => "1",
+ "net.link.bridge.pfil_bridge" => "0",
+ "net.link.tap.user_open" => "1",
+ "kern.rndtest.verbose" => "0",
+ "kern.randompid" => "347",
+ "net.inet.ip.intr_queue_maxlen" => "1000",
+ "hw.syscons.kbd_reboot" => "0",
+ "net.inet.tcp.inflight.enable" => "1",
+ "net.inet.tcp.log_debug" => "0",
+ "net.inet.icmp.icmplim" => "750",
+ "net.inet.tcp.tso" => "0",
+ "hw.bce.tso_enable" => "0"
+ );
+
+function get_default_sysctl_value($id) {
+ global $sysctls;
+ foreach($sysctls as $sysctl => $value) {
+ if($sysctl == $id)
+ return $value;
+ }
+}
+
+
+?>
\ No newline at end of file
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index dd54527..e3611ea 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -50,16 +50,20 @@ function activate_powerd() {
 function activate_sysctls() {
 global $config, $g;
-
+ require("sysctl.inc");
 exec("/sbin/sysctl net.enc.out.ipsec_bpf_mask=0x00000001");
 exec("/sbin/sysctl net.enc.out.ipsec_filter_mask=0x00000001");
 exec("/sbin/sysctl net.enc.in.ipsec_bpf_mask=0x00000002");
 exec("/sbin/sysctl net.enc.in.ipsec_filter_mask=0x00000002");
- if (is_array($config['sysctl']))
- foreach ($config['sysctl']['item'] as $tunable)
+ if (is_array($config['sysctl'])) {
+ foreach ($config['sysctl']['item'] as $tunable) {
+ if($tunable['value'] == "default")
+ $tunable['value'] = get_default_sysctl_value($tunable['tunable']);
 mwexec("sysctl " . $tunable['tunable'] . "=\"" . $tunable['value'] . "\"");
+ }
+ }
 }
 
 function system_resolvconf_generate($dynupdate = false) {
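Review bot: `global $sysctls;` in get_default_sysctl_value only works if sysctl.inc is included at file scope, but the system.inc hunk in this same commit does `require("sysctl.inc")` inside activate_sysctls(), so `$sysctls` lands in that function's local scope and the global the lookup reads is never set; every "default" tunable then resolves to null. Either move the require to the top of system.inc or declare `global $sysctls;` in activate_sysctls() before the require. Independently, the function falls off the end with no return for an unknown `$id`, so callers get an implicit null with nothing to distinguish it from a missing table entry; a direct key lookup also replaces the linear scan: `return isset($sysctls[$id]) ? $sysctls[$id] : null;`. A short docblock stating that it returns the table value as a string, or null when the tunable has no default, would make that contract explicit for the caller.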
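Review bot: When get_default_sysctl_value() has no entry for the tunable, the new assignment sets `$tunable['value']` to null and the following mwexec call still runs, producing `sysctl name=""`, which tries to apply an empty value rather than leaving the kernel default alone; skip those entries with `if ($tunable['value'] === null) continue;` before the mwexec line. The `require("sysctl.inc")` is also a plain `require` inside the function, so if activate_sysctls() can be invoked more than once in the same process (I cannot tell from the hunk), the second call fails with a fatal "cannot redeclare function" error; `require_once` avoids that. The loose `==` against "default" is harmless here since both operands are strings, but `===` would make the intent clearer.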