Переглянути джерело

Rework, unify and simplify sysctl config. Add tcp_l3mdev_accept and icmp_errors_use_inbound_ifaddr.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 8 роки тому
батько
коміт
00d9f8847b

+ 0 - 12
sysctl/NAT.conf

@@ -1,12 +0,0 @@
-#
-# /etc/sysctl.d/NAT.conf (Salt managed)
-#
-# "Be conservative in what you do,
-#  be liberal in what you accept from others."
-#  If it's non-zero, we mark only out of window RST segments as INVALID.
-#  -- net/netfilter/nf_conntrack_proto_tcp.c
-#
-net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
-
-# Increase conntrack table size (default 32k)
-net.ipv4.netfilter.ip_conntrack_max = 16777216

+ 0 - 7
sysctl/arp_caches.conf

@@ -1,7 +0,0 @@
-net.ipv4.neigh.default.gc_thresh1 = 1024
-net.ipv4.neigh.default.gc_thresh2 = 2048
-net.ipv4.neigh.default.gc_thresh3 = 4096
-
-net.ipv6.neigh.default.gc_thresh1 = 1024
-net.ipv6.neigh.default.gc_thresh2 = 2048
-net.ipv6.neigh.default.gc_thresh3 = 4096

+ 18 - 0
sysctl/global.conf

@@ -0,0 +1,18 @@
+#
+# Sysctls for all FFHO machines (Salt managed)
+#
+
+#
+# After kernel oops wait 1 sec, than reset system
+kernel.panic_on_oops = 1
+kernel.panic = 1
+
+
+#
+# Enables child sockets to inherit the L3 master device index.
+# Enabling this option allows a "global" listen socket to work
+# across L3 master domains (e.g., VRFs) with connected sockets
+# derived from the listen socket to be bound to the L3 domain in
+# which the packets originated. Only valid when the kernel was
+# compiled with CONFIG_NET_L3_MASTER_DEV.
+net.ipv4.tcp_l3mdev_accept = 1

+ 17 - 0
sysctl/init.sls

@@ -1,6 +1,7 @@
 #
 # sysctl
 #
+{%- set roles = salt['pillar.get']('roles', []) %}
 
 # Define command to reload sysctl settings here without dependencies
 # and define inverse dependencies where useful (see sysctl.conf)
@@ -15,3 +16,19 @@ reload-sysctl:
     - source: salt://sysctl/sysctl.conf
     - watch_in:
       - cmd: reload-sysctl
+
+
+/etc/sysctl.d/global.conf:
+  file.managed:
+    - source: salt://sysctl/global.conf
+    - watch_in:
+      - cmd: reload-sysctl
+
+
+{%- if router in roles %}
+/etc/sysctl.d/global.conf:
+  file.managed:
+    - source: salt://sysctl/router.conf
+    - watch_in:
+      - cmd: reload-sysctl
+{%- endif %}

+ 0 - 2
sysctl/ip_forward.conf

@@ -1,2 +0,0 @@
-net.ipv4.ip_forward=1
-net.ipv6.conf.all.forwarding=1

+ 0 - 3
sysctl/kernel.conf

@@ -1,3 +0,0 @@
-# after kernel oops wait 1 sec, than reset system
-kernel.panic_on_oops = 1
-kernel.panic = 1

+ 0 - 4
sysctl/nf-ignore-bridge.conf

@@ -1,4 +0,0 @@
-# Don't filter packet passing a bridge and not being routed on this host.
-net.bridge.bridge-nf-call-iptables = 0
-net.bridge.bridge-nf-call-ip6tables = 0
-net.bridge.bridge-nf-call-arptables = 0

+ 52 - 0
sysctl/router.conf

@@ -0,0 +1,52 @@
+#
+# Sysctls for FFHO router nodes (Salt managed)
+#
+
+
+#
+# Activate IP Unicast Routing
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+
+#
+# Increase ARP garbage collector thresholds
+net.ipv4.neigh.default.gc_thresh1 = 1024
+net.ipv4.neigh.default.gc_thresh2 = 2048
+net.ipv4.neigh.default.gc_thresh3 = 4096
+
+net.ipv6.neigh.default.gc_thresh1 = 1024
+net.ipv6.neigh.default.gc_thresh2 = 2048
+net.ipv6.neigh.default.gc_thresh3 = 4096
+
+
+#
+# If non-zero, the message will be sent with the primary address of
+# the interface that received the packet that caused the icmp error.
+# This is the behaviour network many administrators will expect from
+# a router. And it can make debugging complicated network layouts
+# much easier.
+#
+# Note that if no primary address exists for the interface selected,
+# then the primary address of the first non-loopback interface that
+# has one will be used regardless of this setting.
+net.ipv4.icmp_errors_use_inbound_ifaddr = 1
+
+
+#
+# "Be conservative in what you do,
+#  be liberal in what you accept from others."
+#  If it's non-zero, we mark only out of window RST segments as INVALID.
+#  -- net/netfilter/nf_conntrack_proto_tcp.c
+#
+net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
+
+#
+# Increase conntrack table size (default 32k)
+net.ipv4.netfilter.ip_conntrack_max = 16777216
+
+
+#
+# Don't filter packet passing a bridge and not being routed on this host.
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-arptables = 0

+ 0 - 36
sysctl/router.sls

@@ -1,36 +0,0 @@
-#
-# Sysctl stuff for routers
-#
-
-include:
-  - sysctl
-
-/etc/sysctl.d/20-arp_caches.conf:
-  file.managed:
-    - source: salt://sysctl/arp_caches.conf
-    - watch_in:
-      - cmd: reload-sysctl
-
-/etc/sysctl.d/21-ip_forward.conf:
-  file.managed:
-    - source: salt://sysctl/ip_forward.conf
-    - watch_in:
-      - cmd: reload-sysctl
-
-/etc/sysctl.d/22-kernel.conf:
-  file.managed:
-    - source: salt://sysctl/kernel.conf
-    - watch_in:
-      - cmd: reload-sysctl
-
-/etc/sysctl.d/NAT.conf:
-  file.managed:
-    - source: salt://sysctl/NAT.conf
-    - watch_in:
-      - cmd: reload-sysctl
-
-/etc/sysctl.d/nf-ignore-bridge.conf:
-  file.managed:
-    - source: salt://sysctl/nf-ignore-bridge.conf
-    - watch_in:
-      - cmd: reload-sysctl