-rw-r--r-- | cf/conf/config.xml | 47 | ||||
-rw-r--r-- | conf.default/config.xml | 47 | ||||
-rw-r--r-- | etc/inc/system.inc | 14 | ||||
-rwxr-xr-x | usr/local/www/fbegin.inc | 1 | ||||
-rw-r--r-- | usr/local/www/firewall_system_tunables.php | 127 | ||||
-rw-r--r-- | usr/local/www/firewall_system_tunables_edit.php | 129 | ||||
-rwxr-xr-x | usr/local/www/guiconfig.inc | 1 |
7 files changed, 361 insertions, 5 deletions
diff --git a/cf/conf/config.xml b/cf/conf/config.xml
index e505c62..a44cb41 100644
--- a/cf/conf/config.xml
+++ b/cf/conf/config.xml
@@ -4,6 +4,53 @@
 <version>2.9</version>
 <lastchange></lastchange>
 <theme>nervecenter</theme>
+ <sysctl>
+ <item>
+ <desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
+ <tunable>net.inet.tcp.recvspace</tunable>
+ <value>65228</value>
+ </item>
+ <item>
+ <desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
+ <tunable>net.inet.tcp.sendspace</tunable>
+ <value>65228</value>
+ </item>
+ <item>
+ <desc>IP Fastforwarding</desc>
+ <tunable>net.inet.ip.fastforwarding</tunable>
+ <value>1</value>
+ </item>
+ <item>
+ <desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
+ <tunable>net.inet.tcp.delayed_ack</tunable>
+ <value>0</value>
+ </item>
+ <item>
+ <desc>Maximum outgoing UDP datagram size</desc>
+ <tunable>net.inet.udp.maxdgram</tunable>
+ <value>57344</value>
+ </item>
+ <item>
+ <desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
+ <tunable>net.link.bridge.pfil_onlyip</tunable>
+ <value>0</value>
+ </item>
+ <item>
+ <desc>Allow unprivileged access to tap(4) device nodes</desc>
+ <tunable>net.link.tap.user_open</tunable>
+ <value>1</value>
+ </item>
+ <item>
+ <desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
+ <tunable>kern.rndtest.verbose</tunable>
+ <value>0</value>
+ </item>
+ <item>
+ <desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
+ <tunable>kern.randompid</tunable>
+ <value>347</value>
+ </item>
+ </sysctl>
 <system>
 <optimization>normal</optimization>
 <schedulertype>priq</schedulertype>
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 822c19b..c866332 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -4,6 +4,53 @@
 <version>2.9</version>
 <lastchange></lastchange>
 <theme>nervecenter</theme>
+ <sysctl>
+ <item>
+ <desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
+ <tunable>net.inet.tcp.recvspace</tunable>
+ <value>65228</value>
+ </item>
+ <item>
+ <desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
+ <tunable>net.inet.tcp.sendspace</tunable>
+ <value>65228</value>
+ </item>
+ <item>
+ <desc>IP Fastforwarding</desc>
+ <tunable>net.inet.ip.fastforwarding</tunable>
+ <value>1</value>
+ </item>
+ <item>
+ <desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
+ <tunable>net.inet.tcp.delayed_ack</tunable>
+ <value>0</value>
+ </item>
+ <item>
+ <desc>Maximum outgoing UDP datagram size</desc>
+ <tunable>net.inet.udp.maxdgram</tunable>
+ <value>57344</value>
+ </item>
+ <item>
+ <desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
+ <tunable>net.link.bridge.pfil_onlyip</tunable>
+ <value>0</value>
+ </item>
+ <item>
+ <desc>Allow unprivileged access to tap(4) device nodes</desc>
+ <tunable>net.link.tap.user_open</tunable>
+ <value>1</value>
+ </item>
+ <item>
+ <desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
+ <tunable>kern.rndtest.verbose</tunable>
+ <value>0</value>
+ </item>
+ <item>
+ <desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
+ <tunable>kern.randompid</tunable>
+ <value>347</value>
+ </item>
+ </sysctl>
 <system>
 <optimization>normal</optimization>
 <hostname>pfSense</hostname>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 8545c06..b9aa8d4 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -32,6 +32,13 @@
 /* include all configuration functions */
 require_once("functions.inc");
+function activate_sysctls() {
+ global $config, $g;
+ foreach ($config['sysctl']['item'] as $tunable) {
+ mwexec("sysctl " . $tunable['tunable'] . "=\"" . $tunable['value'] . "\"");
+ }
+}
+
 function opcode_cache_configuration() {
 global $g;
 if($g['platform'] == "cdrom")
@@ -1202,11 +1209,8 @@ function system_setup_sysctl() {
 echo "system_setup_sysctl() being called $mt\n";
 }
- $sysctl = return_filename_as_array("/etc/sysctl.conf");
- foreach($sysctl as $sysc) {
- if($sysc <> "")
- mwexec("sysctl {$sysc} 2>/dev/null");
- }
+ activate_sysctls();
+
 if (isset($config['system']['sharednet'])) {
 system_disable_arp_wrong_if();
 }
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 160c598..83f511b 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -128,6 +128,7 @@ require_once("notices.inc");
 <?php endif; ?>
 <li><a href="/wizard.php?xml=setup_wizard.xml" class="navlnk">Setup wizard</a></li>
 <li><a href="/system_routes.php" class="navlnk">Static routes</a></li>
+ <li><a href="/firewall_system_tunables.php" class="navlnk">Tunables</a></li>
 <li><a href="/system_usermanager.php" class="navlnk">User Manager</a></li>
 </ul>
 </li>
diff --git a/usr/local/www/firewall_system_tunables.php b/usr/local/www/firewall_system_tunables.php
new file mode 100644
index 0000000..da2d886
--- /dev/null
+++ b/usr/local/www/firewall_system_tunables.php
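Review bot: `activate_sysctls()` builds the `sysctl` command line by concatenating `$tunable['tunable']` and `$tunable['value']` straight out of the config, and the new edit page stores both fields from `$_POST` without any validation, so whatever a GUI user types is handed to a root shell; pass the pair as one quoted argument instead, `mwexec("sysctl " . escapeshellarg($tunable['tunable'] . "=" . $tunable['value']) . " 2>/dev/null");`. The `foreach` also iterates `$config['sysctl']['item']` unguarded, so a config without a `<sysctl>` section (any install upgraded from before this commit) raises a warning on every boot; add `if (!is_array($config['sysctl']['item'])) return;` before the loop. The trailing ` 2>/dev/null` restores the stderr suppression the replaced loop in `system_setup_sysctl()` had. `$g` is pulled in by `global` but never used in this function.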
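Review bot: Replacing the `/etc/sysctl.conf` loop with `activate_sysctls()` drops every tunable that is not already in `$config['sysctl']['item']`, and nothing in this commit migrates existing installs: the `<sysctl>` defaults are added only to the two shipped `config.xml` files while `<version>2.9</version>` is left unchanged, so an upgraded system would apply no tunables at all after this change. Either bump the config version and seed the default `<sysctl>` items in the config upgrade code, or keep the `/etc/sysctl.conf` loop as a fallback when the config section is empty. `system_setup_sysctl()` starts before this hunk.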
@@ -0,0 +1,127 @@
+<?php
+/* $Id$ */
+/*
+ firewall_virtual_ip.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2004-2005 Scott Ullrich <geekgod@pfsense.com>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+$pgtitle = array(gettext("Firewall"),gettext("System Tunables"));
+
+require("guiconfig.inc");
+
+if (!is_array($config['sysctl']['item'])) {
+ $config['sysctl']['item'] = array();
+}
+$a_tunable = &$config['sysctl']['item'];
+
+if ($_POST) {
+ $pconfig = $_POST;
+
+ if ($_POST['apply']) {
+ $retval = 0;
+ $savemsg = get_std_save_message($retval);
+ unlink_if_exists($d_sysctldirty_path);
+ }
+}
+
+if ($_GET['act'] == "del") {
+ if ($a_tunable[$_GET['id']]) {
+ /* if this is an AJAX caller then handle via JSON */
+ if(isAjax() && is_array($input_errors)) {
+ input_errors2Ajax($input_errors);
+ exit;
+ }
+
+ if (!$input_errors) {
+ unset($a_tunable[$_GET['id']]);
+ write_config();
+ touch($d_sysctldirty_path);
+ pfSenseHeader("firewall_system_tunables.php");
+ exit;
+ }
+ }
+}
+
+include("head.inc");
+include("fbegin.inc");
+
+?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?= $jsevents["body"]["onload"] ?>">
+<?php include("fbegin.inc"); ?>
+<form action="firewall_virtual_ip.php" method="post">
+<div id="inputerrors"></div>
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php if (file_exists($d_sysctldirty_path)): ?><p>
+<?php print_info_box_np(gettext("The firewall tunables have changed. You must apply the configuration to take affect."));?><br />
+<?php endif; ?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="20%" class="listhdrr"><?=gettext("Tunable Name");?></td>
+ <td width="60%" class="listhdrr"><?=gettext("Description");?></td>
+ <td width="20%" class="listhdrr"><?=gettext("Value");?></td>
+ </tr>
+ <?php $i = 0; foreach ($config['sysctl']['item'] as $tunable): ?>
+ <tr>
+ <td class="listlr" ondblclick="document.location='firewall_system_tunables_edit.php?id=<?=$i;?>';">
+ <?php echo $tunable['tunable']; ?>
+ </td>
+ <td class="listlr" align="left" ondblclick="document.location='firewall_system_tunables_edit.php?id=<?=$i;?>';">
+ <?php echo $tunable['desc']; ?>
+ </td>
+ <td class="listlr" align="left" ondblclick="document.location='firewall_system_tunables_edit.php?id=<?=$i;?>';">
+ <?php echo $tunable['value']; ?>
+ </td>
+ <td class="list" nowrap>
+ <table border="0" cellspacing="0" cellpadding="1">
+ <tr>
+ <td valign="middle"><a href="firewall_system_tunables_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" alt="" /></a></td>
+ <td valign="middle"><a href="firewall_system_tunables.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="" /></a></td>
+ </tr>
+ </table>
+ </td>
+ <?php $i++; endforeach; ?>
+ <tr>
+ <td class="list" colspan="3"></td>
+ <td class="list">
+ <table border="0" cellspacing="0" cellpadding="1">
+ <tr>
+ <td valign="middle"><a href="firewall_system_tunables_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="" /></a></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </table>
+ </form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/usr/local/www/firewall_system_tunables_edit.php b/usr/local/www/firewall_system_tunables_edit.php
new file mode 100644
index 0000000..1d30083
--- /dev/null
+++ b/usr/local/www/firewall_system_tunables_edit.php
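Review bot: The apply handler in `firewall_system_tunables.php` never applies anything: on `$_POST['apply']` it sets `$retval = 0`, prints the save message and removes the dirty marker, but does not call `activate_sysctls()`, and the `<form>` posts to `firewall_virtual_ip.php` (a copy-paste leftover), so the Apply button that `print_info_box_np()` presumably renders inside this form would not even reach the handler; change it to `<form action="firewall_system_tunables.php" method="post">` and call `activate_sysctls();` (added to `system.inc` in this commit — confirm it is loaded via `guiconfig.inc`) before `get_std_save_message($retval)`. The list rows echo `$tunable['tunable']`, `$tunable['desc']` and `$tunable['value']` unescaped while the edit page stores them verbatim from `$_POST`, so each should go through `htmlspecialchars()`, e.g. `<?php echo htmlspecialchars($tunable['desc']); ?>`. `fbegin.inc` is included twice (before `?>` and again after `<body>`), each `<tr>` opened inside the `foreach` is never closed, and `$_GET['id']` is used to index `$a_tunable` in the `act=del` path without an `is_numeric` check.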
@@ -0,0 +1,129 @@
+<?php
+/* $Id$ */
+/*
+ firewall_virtual_ip_edit.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2004-2005 Scott Ullrich <geekgod@pfsense.com>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+$pgtitle = array(gettext("Firewall"),gettext("System Tunables"),gettext("Edit"));
+
+require("guiconfig.inc");
+if (!is_array($config['sysctl']['item'])) {
+ $config['sysctl']['item'] = array();
+}
+$a_tunable = &$config['sysctl']['item'];
+
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+else
+ $id = $_GET['id'];
+
+if (isset($id) && $a_tunable[$id]) {
+ $pconfig['tunable'] = $a_tunable[$id]['tunable'];
+ $pconfig['value'] = $a_tunable[$id]['value'];
+ $pconfig['desc'] = $a_tunable[$id]['desc'];
+}
+
+if ($_POST) {
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* if this is an AJAX caller then handle via JSON */
+ if(isAjax() && is_array($input_errors)) {
+ input_errors2Ajax($input_errors);
+ exit;
+ }
+
+ if (!$input_errors) {
+ $tunableent = array();
+
+ $tunableent['tunable'] = $_POST['tunable'];
+ $tunableent['value'] = $_POST['value'];
+ $tunableent['desc'] = $_POST['desc'];
+
+ if (isset($id) && $a_tunable[$id]) {
+ $a_tunable[$id] = $tunableent;
+ } else
+ $a_tunable[] = $tunableent;
+
+ touch($d_sysctldirty_path);
+
+ write_config();
+
+ pfSenseHeader("firewall_system_tunables.php");
+
+ exit;
+ }
+}
+
+include("head.inc");
+include("fbegin.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?= $jsevents["body"]["onload"] ?>">
+<?php include("fbegin.inc"); ?>
+<div id="inputerrors"></div>
+
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+
+ <form action="firewall_system_tunables_edit.php" method="post" name="iform" id="iform">
+ <?display_topbar()?>
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Tunable");?></td>
+ <td width="78%" class="vtable">
+ <input size="55" name="tunable" value="<?php echo $pconfig['tunable']; ?>">
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Description");?></td>
+ <td width="78%">
+ <textarea rows="3" cols="40" name="desc"><?php echo $pconfig['desc']; ?></textarea>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Value");?></td>
+ <td width="78%">
+ <input size="55" name="value" value="<?php echo $pconfig['value']; ?>">
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top"> </td>
+ <td width="78%">
+ <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
+ <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="history.back()" />
+ <?php if (isset($id) && $a_tunable[$id]): ?>
+ <input name="id" type="hidden" value="<?=$id;?>" />
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+</form>
+
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 061b228..8b96ef2 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -76,6 +76,7 @@ $d_passthrumacsdirty_path = $g['varrun_path'] . "/passthrumacs.dirty";
 $d_allowedipsdirty_path = $g['varrun_path'] . "/allowedips.dirty";
 $d_ovpnclidirty_path = $g['varrun_path'] . "/ovpnclient.dirty";
 $d_vipconfdirty_path = $g['varrun_path'] . "/vip.conf.dirty";
+$d_sysctldirty_path = $g['varrun_path'] . "/sysctl.conf.dirty";
 $d_vsconfdirty_path = $g['varrun_path'] . "/vs.conf.dirty";
 $d_shaperconfdirty_path = $g['varrun_path'] . "/shaper.conf.dirty";
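Review bot: `firewall_system_tunables_edit.php` stores `$_POST['tunable']`, `$_POST['value']` and `$_POST['desc']` into the config with no validation at all, and `activate_sysctls()` in `system.inc` later places the first two on a root shell command line, so the POST branch needs at least an allowlist on the name before `$tunableent` is built: `if (!preg_match('/^[a-zA-Z0-9._]+$/', $_POST['tunable'])) $input_errors[] = gettext("Invalid tunable name.");` plus a non-empty check on `$_POST['value']`, with `escapeshellarg()` applied at the point of use regardless. The `isAjax() && is_array($input_errors)` branch runs immediately after `unset($input_errors)`, so it can never fire; it belongs after the validation. The form echoes `$pconfig['tunable']`, `$pconfig['desc']` and `$pconfig['value']` into attribute and textarea content unescaped — stored values come straight from an earlier POST — so wrap each in `htmlspecialchars()`, e.g. `value="<?php echo htmlspecialchars($pconfig['tunable']); ?>"`. `$id` is taken from `$_POST`/`$_GET` and used as an array index without an `is_numeric` check.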