|
@@ -0,0 +1,52 @@
|
|
|
+#
|
|
|
+# Sysctls for FFHO router nodes (Salt managed)
|
|
|
+#
|
|
|
+
|
|
|
+
|
|
|
+#
|
|
|
+# Activate IP Unicast Routing
|
|
|
+net.ipv4.ip_forward=1
|
|
|
+net.ipv6.conf.all.forwarding=1
|
|
|
+
|
|
|
+#
|
|
|
+# Increase ARP garbage collector thresholds
|
|
|
+net.ipv4.neigh.default.gc_thresh1 = 1024
|
|
|
+net.ipv4.neigh.default.gc_thresh2 = 2048
|
|
|
+net.ipv4.neigh.default.gc_thresh3 = 4096
|
|
|
+
|
|
|
+net.ipv6.neigh.default.gc_thresh1 = 1024
|
|
|
+net.ipv6.neigh.default.gc_thresh2 = 2048
|
|
|
+net.ipv6.neigh.default.gc_thresh3 = 4096
|
|
|
+
|
|
|
+
|
|
|
+#
|
|
|
+# If non-zero, the message will be sent with the primary address of
|
|
|
+# the interface that received the packet that caused the icmp error.
|
|
|
+# This is the behaviour network many administrators will expect from
|
|
|
+# a router. And it can make debugging complicated network layouts
|
|
|
+# much easier.
|
|
|
+#
|
|
|
+# Note that if no primary address exists for the interface selected,
|
|
|
+# then the primary address of the first non-loopback interface that
|
|
|
+# has one will be used regardless of this setting.
|
|
|
+net.ipv4.icmp_errors_use_inbound_ifaddr = 1
|
|
|
+
|
|
|
+
|
|
|
+#
|
|
|
+# "Be conservative in what you do,
|
|
|
+# be liberal in what you accept from others."
|
|
|
+# If it's non-zero, we mark only out of window RST segments as INVALID.
|
|
|
+# -- net/netfilter/nf_conntrack_proto_tcp.c
|
|
|
+#
|
|
|
+net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
|
|
|
+
|
|
|
+#
|
|
|
+# Increase conntrack table size (default 32k)
|
|
|
+net.ipv4.netfilter.ip_conntrack_max = 16777216
|
|
|
+
|
|
|
+
|
|
|
+#
|
|
|
+# Don't filter packet passing a bridge and not being routed on this host.
|
|
|
+net.bridge.bridge-nf-call-iptables = 0
|
|
|
+net.bridge.bridge-nf-call-ip6tables = 0
|
|
|
+net.bridge.bridge-nf-call-arptables = 0
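Review bot: The two conntrack keys (`net.ipv4.netfilter.ip_conntrack_tcp_be_liberal` and `net.ipv4.netfilter.ip_conntrack_max`) use the legacy compatibility names; on kernels that no longer expose them these two settings fail to apply (sysctl reports the key as missing) while the rest of the file still loads, so the liberal-window behaviour and the table size can silently stay at their defaults on exactly the routers where they were meant to matter. The current names are `net.netfilter.nf_conntrack_tcp_be_liberal = 1` and `net.netfilter.nf_conntrack_max = 16777216`; I would switch rather than list both spellings, since duplicating only helps if the loader tolerates unknown keys. The three `net.bridge.bridge-nf-call-*` keys likewise exist only once `br_netfilter` is loaded, so if the module is loaded after this file is applied the assignment is lost and the kernel's default of filtering bridged traffic through iptables comes back — the opposite of what the comment intends — so the Salt state should ensure the module is loaded (or listed for boot) before the sysctls are applied. A 16777216-entry conntrack table is a sizeable kernel memory reservation and the "default 32k" remark reflects older kernels, which now derive the default from RAM; a short comment stating the expected memory budget for this value would help the next maintainer.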
|