123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 |
- #
- # Sysctls for all FFHO machines (Salt managed)
- #
- #
- # After kernel oops wait 1 sec, than reset system
- kernel.panic_on_oops = 1
- kernel.panic = 1
- #
- # If non-zero, the message will be sent with the primary address of
- # the interface that received the packet that caused the icmp error.
- # This is the behaviour network many administrators will expect from
- # a router. And it can make debugging complicated network layouts
- # much easier.
- #
- # Note that if no primary address exists for the interface selected,
- # then the primary address of the first non-loopback interface that
- # has one will be used regardless of this setting.
- net.ipv4.icmp_errors_use_inbound_ifaddr = 1
- #
- # Enables child sockets to inherit the L3 master device index.
- # Enabling this option allows a "global" listen socket to work
- # across L3 master domains (e.g., VRFs) with connected sockets
- # derived from the listen socket to be bound to the L3 domain in
- # which the packets originated. Only valid when the kernel was
- # compiled with CONFIG_NET_L3_MASTER_DEV.
- net.ipv4.tcp_l3mdev_accept = 1
- #
- # Increase ARP garbage collector thresholds
- net.ipv4.neigh.default.gc_thresh1 = 1024
- net.ipv4.neigh.default.gc_thresh2 = 2048
- net.ipv4.neigh.default.gc_thresh3 = 4096
- net.ipv6.neigh.default.gc_thresh1 = 1024
- net.ipv6.neigh.default.gc_thresh2 = 2048
- net.ipv6.neigh.default.gc_thresh3 = 4096
- #
- # Increase conntrack table size (default 32k)
- net.netfilter.nf_conntrack_max = 16777216
- #
- # "Be conservative in what you do,
- # be liberal in what you accept from others."
- # If it's non-zero, we mark only out of window RST segments as INVALID.
- # -- net/netfilter/nf_conntrack_proto_tcp.c
- #
- net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
- #
- # Don't filter packet passing a bridge and not being routed on this host.
- net.bridge.bridge-nf-call-iptables = 0
- net.bridge.bridge-nf-call-ip6tables = 0
- net.bridge.bridge-nf-call-arptables = 0
|