
More Sysctls for everyone.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
parent
commit
bbd4ca381c
2 changed files with 45 additions and 43 deletions
  1. 45 0
      sysctl/global.conf
  2. 0 43
      sysctl/router.conf

+ 45 - 0
sysctl/global.conf

@@ -8,6 +8,19 @@ kernel.panic_on_oops = 1
 kernel.panic = 1
 
 
+#
+# If non-zero, the message will be sent with the primary address of
+# the interface that received the packet that caused the icmp error.
+# This is the behaviour network many administrators will expect from
+# a router. And it can make debugging complicated network layouts
+# much easier.
+#
+# Note that if no primary address exists for the interface selected,
+# then the primary address of the first non-loopback interface that
+# has one will be used regardless of this setting.
+net.ipv4.icmp_errors_use_inbound_ifaddr = 1
+
+
 #
 # Enables child sockets to inherit the L3 master device index.
 # Enabling this option allows a "global" listen socket to work
@@ -16,3 +29,35 @@ kernel.panic = 1
 # which the packets originated. Only valid when the kernel was
 # compiled with CONFIG_NET_L3_MASTER_DEV.
 net.ipv4.tcp_l3mdev_accept = 1
+
+
+#
+# Increase ARP garbage collector thresholds
+net.ipv4.neigh.default.gc_thresh1 = 1024
+net.ipv4.neigh.default.gc_thresh2 = 2048
+net.ipv4.neigh.default.gc_thresh3 = 4096
+
+net.ipv6.neigh.default.gc_thresh1 = 1024
+net.ipv6.neigh.default.gc_thresh2 = 2048
+net.ipv6.neigh.default.gc_thresh3 = 4096
+
+
+#
+# Increase conntrack table size (default 32k)
+net.netfilter.nf_conntrack_max = 16777216
+
+
+#
+# "Be conservative in what you do,
+#  be liberal in what you accept from others."
+#  If it's non-zero, we mark only out of window RST segments as INVALID.
+#  -- net/netfilter/nf_conntrack_proto_tcp.c
+#
+net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
+
+
+#
+# Don't filter packet passing a bridge and not being routed on this host.
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-arptables = 0
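Review bot: Promoting the three `net.bridge.bridge-nf-call-* = 0` lines and `ip_conntrack_tcp_be_liberal = 1` from router.conf into global.conf turns off iptables/ip6tables/arptables inspection of bridged frames and relaxes conntrack's TCP window tracking on every host this file reaches, not only on routers, so a host that bridges VM or container traffic silently loses that filtering with no per-role opt-in. `net.ipv4.netfilter.ip_conntrack_tcp_be_liberal` is also the legacy compatibility name; the current key is `net.netfilter.nf_conntrack_tcp_be_liberal = 1`, and it, like `net.netfilter.nf_conntrack_max`, only exists once the nf_conntrack module is loaded (the bridge keys likewise need br_netfilter), so a `sysctl --system` run before those modules load presumably reports them as missing. `nf_conntrack_max = 16777216` additionally raises the entry cap without a matching hash-table size increase, so lookups degrade into long bucket chains and the table can consume a large amount of kernel memory under flood. Consider keeping the bridge-nf and be_liberal lines in router.conf, or adding a comment above the bridge block stating why non-router hosts are meant to bypass bridged-frame filtering.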

+ 0 - 43
sysctl/router.conf

@@ -7,46 +7,3 @@
 # Activate IP Unicast Routing
 net.ipv4.ip_forward=1
 net.ipv6.conf.all.forwarding=1
-
-#
-# Increase ARP garbage collector thresholds
-net.ipv4.neigh.default.gc_thresh1 = 1024
-net.ipv4.neigh.default.gc_thresh2 = 2048
-net.ipv4.neigh.default.gc_thresh3 = 4096
-
-net.ipv6.neigh.default.gc_thresh1 = 1024
-net.ipv6.neigh.default.gc_thresh2 = 2048
-net.ipv6.neigh.default.gc_thresh3 = 4096
-
-
-#
-# If non-zero, the message will be sent with the primary address of
-# the interface that received the packet that caused the icmp error.
-# This is the behaviour network many administrators will expect from
-# a router. And it can make debugging complicated network layouts
-# much easier.
-#
-# Note that if no primary address exists for the interface selected,
-# then the primary address of the first non-loopback interface that
-# has one will be used regardless of this setting.
-net.ipv4.icmp_errors_use_inbound_ifaddr = 1
-
-
-#
-# "Be conservative in what you do,
-#  be liberal in what you accept from others."
-#  If it's non-zero, we mark only out of window RST segments as INVALID.
-#  -- net/netfilter/nf_conntrack_proto_tcp.c
-#
-net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
-
-#
-# Increase conntrack table size (default 32k)
-net.netfilter.nf_conntrack_max = 16777216
-
-
-#
-# Don't filter packet passing a bridge and not being routed on this host.
-net.bridge.bridge-nf-call-iptables = 0
-net.bridge.bridge-nf-call-ip6tables = 0
-net.bridge.bridge-nf-call-arptables = 0