#
# Sysctls for FFHO router nodes (Salt managed)
#
# One "key = value" pair per line; comments are full lines starting with '#'.
#

#
# Activate IP unicast routing for IPv4 and IPv6.
# Once forwarding is on, only the firewall's forward rules decide what may
# transit this host, so review those rules together with this file.
# Side effect on IPv6: with forwarding enabled, interfaces left at the default
# accept_ra=1 no longer accept Router Advertisements.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

#
# Increase the neighbour table (IPv4 ARP and IPv6 ND) garbage collector
# thresholds. gc_thresh1 is the floor below which nothing is collected,
# gc_thresh2 the soft limit and gc_thresh3 the hard limit on entries.
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv6.neigh.default.gc_thresh1 = 1024
net.ipv6.neigh.default.gc_thresh2 = 2048
net.ipv6.neigh.default.gc_thresh3 = 4096

#
# If non-zero, ICMP error messages are sent with the primary address of
# the interface that received the packet that caused the ICMP error.
# This is the behaviour many network administrators will expect from
# a router, and it can make debugging complicated network layouts
# much easier.
#
# Note that if no primary address exists for the interface selected,
# then the primary address of the first non-loopback interface that
# has one will be used regardless of this setting.
net.ipv4.icmp_errors_use_inbound_ifaddr = 1

#
# "Be conservative in what you do,
#  be liberal in what you accept from others."
# If it's non-zero, we mark only out of window RST segments as INVALID.
#  -- net/netfilter/nf_conntrack_proto_tcp.c
#
# NOTE(review): in this copy the setting below is preceded by '#', so it is
# kept disabled here -- confirm against the deployed file. If it is enabled,
# firewall rules that drop conntrack state INVALID match fewer packets.
# The net.ipv4.netfilter.* name is the legacy conntrack path; on current
# kernels the key is net.netfilter.nf_conntrack_tcp_be_liberal.
# net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1

#
# Increase conntrack table size (default 32k).
# This raises only the entry limit: every tracked flow consumes kernel memory,
# and the hash table (nf_conntrack_buckets / hashsize) is not resized by it.
# The key exists only while the nf_conntrack module is loaded.
net.netfilter.nf_conntrack_max = 16777216

#
# Don't filter packets passing a bridge and not being routed on this host.
# With these set to 0, bridged frames are not handed to iptables, ip6tables
# or arptables, so any filtering of bridged traffic has to be done at the
# bridge layer instead. The keys are provided by the bridge netfilter code
# and are absent until it is loaded.
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0