system: and another one for opnsense#7440
fichtner committed Feb 14, 2025
1 parent 6cae0ba commit 6a48c7f
Showing 3 changed files with 11 additions and 121 deletions.
55 changes: 0 additions & 55 deletions src/etc/config.xml.sample
Expand Up @@ -3,11 +3,6 @@
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
<tunable>net.inet.tcp.syncookies</tunable>
Expand All @@ -28,66 +23,16 @@
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 1 to additionally filter on the physical interface for locally destined packets]]></descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Enable TCP extended debugging]]></descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set ICMP Limits]]></descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[TCP Offload Engine]]></descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[UDP Checksums]]></descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum socket buffer size]]></descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Page Table Isolation (Meltdown mitigation, requires reboot.)]]></descr>
<tunable>vm.pmap.pti</tunable>
22 changes: 11 additions & 11 deletions src/etc/inc/system.inc
Expand Up @@ -73,18 +73,18 @@ function system_sysctl_defaults()
'debug.kassert.warn_only' => [ 'default' => '1', 'description' => 'KASSERT triggers a panic (0) or just a warning (1)', 'type' => 'w' ],
'hw.ibrs_disable' => [ 'default' => '0', 'optional' => true ],
'hw.ixl.enable_head_writeback' => [ 'default' => '0' ],
'hw.syscons.kbd_reboot' => [ 'default' => '0', 'optional' => true ],
'hw.syscons.kbd_reboot' => [ 'default' => '0' ],
'hw.uart.console' => [ 'default' => 'io:0x3f8,br:' . system_console_speed(), 'type' => 't', 'optional' => true ], /* XXX support comconsole_port if needed */
'hw.vtnet.csum_disable' => [ 'default' => '1' ],
'kern.coredump' => [ 'default' => '0' ],
'kern.ipc.maxsockbuf' => [ 'default' => '4262144', 'optional' => true ],
'kern.randompid' => [ 'default' => '1', 'optional' => true ],
'kern.ipc.maxsockbuf' => [ 'default' => '4262144' ],
'kern.randompid' => [ 'default' => '1' ],
'net.enc.in.ipsec_bpf_mask' => [ 'default' => '2' ], /* after processing */
'net.enc.in.ipsec_filter_mask' => [ 'default' => '2' ], /* after processing */
'net.enc.out.ipsec_bpf_mask' => [ 'default' => '1' ], /* before processing */
'net.enc.out.ipsec_filter_mask' => [ 'default' => '1' ], /* before processing */
'net.inet.icmp.drop_redirect' => [ 'default' => '1' ],
'net.inet.icmp.icmplim' => [ 'default' => '0', 'optional' => true ],
'net.inet.icmp.icmplim' => [ 'default' => '0' ],
'net.inet.icmp.log_redirect' => [ 'default' => '0' ],
'net.inet.icmp.reply_from_interface' => [ 'default' => '1' ],
'net.inet.ip.accept_sourceroute' => [ 'default' => '0' ],
Expand All @@ -96,14 +96,14 @@ function system_sysctl_defaults()
'net.inet.ip.sourceroute' => [ 'default' => '0' ],
'net.inet.tcp.blackhole' => [ 'default' => '2' ],
'net.inet.tcp.delayed_ack' => [ 'default' => '0', 'optional' => true ],
'net.inet.tcp.drop_synfin' => [ 'default' => '1', 'optional' => true ],
'net.inet.tcp.drop_synfin' => [ 'default' => '1' ],
'net.inet.tcp.log_debug' => [ 'default' => '0', 'optional' => true ],
'net.inet.tcp.recvspace' => [ 'default' => '65228', 'optional' => true ],
'net.inet.tcp.sendspace' => [ 'default' => '65228' , 'optional' => true],
'net.inet.tcp.syncookies' => [ 'default' => '1', 'optional' => true ],
'net.inet.tcp.tso' => [ 'default' => '1', 'optional' => true ],
'net.inet.udp.blackhole' => [ 'default' => '1' ],
'net.inet.udp.checksum' => [ 'default' => 1, 'optional' => true ],
'net.inet.udp.checksum' => [ 'default' => 1 ],
'net.inet.udp.maxdgram' => [ 'default' => '57344' ],
'net.inet6.ip6.accept_rtadv' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0' ],
'net.inet6.ip6.forwarding' => [ 'default' => '1' ],
Expand All @@ -113,13 +113,13 @@ function system_sysctl_defaults()
'net.inet6.ip6.redirect' => [ 'default' => '0' ],
'net.inet6.ip6.rfc6204w3' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0' ],
'net.inet6.ip6.use_tempaddr' => [ 'default' => '0' ],
'net.link.bridge.pfil_bridge' => [ 'default' => '0', 'optional' => true ],
'net.link.bridge.pfil_local_phys' => [ 'default' => '0', 'optional' => true ],
'net.link.bridge.pfil_member' => [ 'default' => '1', 'optional' => true ],
'net.link.bridge.pfil_onlyip' => [ 'default' => '0', 'optional' => true ],
'net.link.bridge.pfil_bridge' => [ 'default' => '0' ],
'net.link.bridge.pfil_local_phys' => [ 'default' => '0' ],
'net.link.bridge.pfil_member' => [ 'default' => '1' ],
'net.link.bridge.pfil_onlyip' => [ 'default' => '0' ],
'net.link.ether.inet.log_arp_movements' => [ 'default' => isset($config['system']['sharednet']) ? '0' : '1' ],
'net.link.ether.inet.log_arp_wrong_iface' => [ 'default' => isset($config['system']['sharednet']) ? '0' : '1' ],
'net.link.tap.user_open' => [ 'default' => '1', 'optional' => true ],
'net.link.tap.user_open' => [ 'default' => '1' ],
'net.link.vlan.mtag_pcp' => [ 'default' => '1' ],
'net.local.dgram.maxdgram' => [ 'default' => '8192' ],
'net.pf.share_forward' => [ 'default' => !empty($config['system']['pf_share_forward']) ? '1' : '0' ],
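Review bot: The rewritten `net.inet.udp.checksum` entry in the second hunk keeps a bare integer default, `'default' => 1`, while every other default in these hunks is a string; for consistency with its neighbours and with any string comparison the consumer performs against the live sysctl value it should read `'net.inet.udp.checksum' => [ 'default' => '1' ],`. If dropping `'optional' => true` means the default is now applied even when config.xml carries no matching sysctl item (inferred from the matching removals in config.xml.sample), the eleven tunables touched here (hw.syscons.kbd_reboot, kern.ipc.maxsockbuf, kern.randompid, net.inet.icmp.icmplim, net.inet.tcp.drop_synfin, net.inet.udp.checksum, the four net.link.bridge.pfil_* keys and net.link.tap.user_open) become enforced on every boot, a hardening change worth stating in the commit description because operators who deliberately removed one of those items will see the value reapplied. net.inet.tcp.log_debug and net.inet.tcp.tso remain optional in the second hunk, which matches their items surviving in config.xml.sample. system_sysctl_defaults() begins before the first hunk and continues past the last.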
Expand Up @@ -3,11 +3,6 @@
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
<tunable>net.inet.tcp.syncookies</tunable>
Expand All @@ -28,66 +23,16 @@
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 1 to additionally filter on the physical interface for locally destined packets]]></descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Enable TCP extended debugging]]></descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set ICMP Limits]]></descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[TCP Offload Engine]]></descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[UDP Checksums]]></descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum socket buffer size]]></descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Page Table Isolation (Meltdown mitigation, requires reboot.)]]></descr>
<tunable>vm.pmap.pti</tunable>