From d0b461f524df02aa8766f88dde23c5f4996d8553 Mon Sep 17 00:00:00 2001
From: sullrich <sullrich@pfsense.org>
Date: Sun, 6 Dec 2009 00:48:32 -0500
Subject: Add lookup table for sysctl tunable (sysctl.inc).  Make config.xml
 values default to value 'default' Ticket #71

---
 conf.default/config.xml | 52 ++++++++++++++++++++++++-------------------------
 etc/inc/sysctl.inc      | 40 +++++++++++++++++++++++++++++++++++++
 etc/inc/system.inc      | 10 +++++++---
 3 files changed, 73 insertions(+), 29 deletions(-)
 create mode 100644 etc/inc/sysctl.inc

diff --git a/conf.default/config.xml b/conf.default/config.xml
index 3a306a3..32b4d6f 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -8,132 +8,132 @@
 		<item>
 			<desc>Set the ephemeral port range to be lower.</desc>
 			<tunable>net.inet.ip.portrange.first</tunable>
-			<value>1024</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Drop packets to closed TCP ports without returning a RST</desc>
 			<tunable>net.inet.tcp.blackhole</tunable>
-			<value>2</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
 			<tunable>net.inet.udp.blackhole</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
 			<tunable>net.inet.ip.random_id</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
 			<tunable>net.inet.tcp.drop_synfin</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Enable sending IPv4 redirects</desc>
 			<tunable>net.inet.ip.redirect</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Enable sending IPv6 redirects</desc>
 			<tunable>net.inet6.ip6.redirect</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
 			<tunable>net.inet.tcp.syncookies</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
 			<tunable>net.inet.tcp.recvspace</tunable>
-			<value>65228</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
 			<tunable>net.inet.tcp.sendspace</tunable>
-			<value>65228</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>IP Fastforwarding</desc>
 			<tunable>net.inet.ip.fastforwarding</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
 			<tunable>net.inet.tcp.delayed_ack</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Maximum outgoing UDP datagram size</desc>
 			<tunable>net.inet.udp.maxdgram</tunable>
-			<value>57344</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
 			<tunable>net.link.bridge.pfil_onlyip</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 		<item>
 		        <desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
 		        <tunable>net.link.bridge.pfil_member</tunable>
-		        <value>1</value>
+		        <value>default</value>
 		</item>
 		<item>
 		        <desc>Set to 1 to enable filtering on the bridge interface</desc>
 		        <tunable>net.link.bridge.pfil_bridge</tunable>
-		        <value>0</value>
+		        <value>default</value>
 		</item>
 		<item>
 			<desc>Allow unprivileged access to tap(4) device nodes</desc>
 			<tunable>net.link.tap.user_open</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
 			<tunable>kern.rndtest.verbose</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
 			<tunable>kern.randompid</tunable>
-			<value>347</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Maximum size of the IP input queue</desc>
 			<tunable>net.inet.ip.intr_queue_maxlen</tunable>
-			<value>1000</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
 			<tunable>hw.syscons.kbd_reboot</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Enable TCP Inflight mode</desc>
 			<tunable>net.inet.tcp.inflight.enable</tunable>
-			<value>1</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Enable TCP extended debugging</desc>
 			<tunable>net.inet.tcp.log_debug</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>Set ICMP Limits</desc>
 			<tunable>net.inet.icmp.icmplim</tunable>
-			<value>750</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>TCP Offload Engine</desc>
 			<tunable>net.inet.tcp.tso</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 		<item>
 			<desc>TCP Offload Engine - BCE</desc>
 			<tunable>hw.bce.tso_enable</tunable>
-			<value>0</value>
+			<value>default</value>
 		</item>
 	</sysctl>
 	<system>
diff --git a/etc/inc/sysctl.inc b/etc/inc/sysctl.inc
new file mode 100644
index 0000000..c90b074
--- /dev/null
+++ b/etc/inc/sysctl.inc
@@ -0,0 +1,40 @@
+<?php
+
+$sysctls = array("net.inet.ip.portrange.first" => "1024", 
+				 "net.inet.tcp.blackhole" => "2", 
+				 "net.inet.udp.blackhole" => "1", 
+				 "net.inet.ip.random_id" => "1", 
+				 "net.inet.tcp.drop_synfin" => "1", 
+				 "net.inet.ip.redirect" => "1", 
+				 "net.inet6.ip6.redirect" => "1", 
+				 "net.inet.tcp.syncookies" => "1", 
+				 "net.inet.tcp.recvspace" => "65228", 
+				 "net.inet.tcp.sendspace" => "65228", 
+				 "net.inet.ip.fastforwarding" => "1", 
+				 "net.inet.tcp.delayed_ack" => "0", 
+				 "net.inet.udp.maxdgram" => "57344", 
+				 "net.link.bridge.pfil_onlyip" => "0", 
+				 "net.link.bridge.pfil_member" => "1", 
+				 "net.link.bridge.pfil_bridge" => "0", 
+				 "net.link.tap.user_open" => "1", 
+				 "kern.rndtest.verbose" => "0", 
+				 "kern.randompid" => "347", 
+				 "net.inet.ip.intr_queue_maxlen" => "1000", 
+				 "hw.syscons.kbd_reboot" => "0", 
+				 "net.inet.tcp.inflight.enable" => "1", 
+				 "net.inet.tcp.log_debug" => "0", 
+				 "net.inet.icmp.icmplim" => "750", 
+				 "net.inet.tcp.tso" => "0", 
+				 "hw.bce.tso_enable" => "0"
+				  );
+
+function get_default_sysctl_value($id) {
+	global $sysctls;
+	foreach($sysctls as $sysctl => $value) {
+		if($sysctl == $id)
+			return $value;
+	}
+}
+
+
+?>
\ No newline at end of file
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index dd54527..e3611ea 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -50,16 +50,20 @@ function activate_powerd() {
 
 function activate_sysctls() {
 	global $config, $g;
-	
+	require("sysctl.inc");
 	exec("/sbin/sysctl net.enc.out.ipsec_bpf_mask=0x00000001");
 	exec("/sbin/sysctl net.enc.out.ipsec_filter_mask=0x00000001");
 	exec("/sbin/sysctl net.enc.in.ipsec_bpf_mask=0x00000002");
 	exec("/sbin/sysctl net.enc.in.ipsec_filter_mask=0x00000002");
 
-	if (is_array($config['sysctl'])) 
-		foreach ($config['sysctl']['item'] as $tunable) 
+	if (is_array($config['sysctl'])) {
+		foreach ($config['sysctl']['item'] as $tunable) {
+			if($tunable['value'] == "default")
+				$tunable['value'] = get_default_sysctl_value($tunable['tunable']);
 			mwexec("sysctl " . $tunable['tunable'] . "=\"" 
 				. $tunable['value'] .  "\"");
+		}
+	}
 }
 
 function system_resolvconf_generate($dynupdate = false) {
-- 
cgit v1.1