diff options
author | Stig Thormodsrud <stig@vyatta.com> | 2010-01-19 17:01:49 -0800 |
---|---|---|
committer | Stig Thormodsrud <stig@vyatta.com> | 2010-01-19 17:01:49 -0800 |
commit | 87f79c9d17a9295e8a890576cb0d8442a3711546 (patch) | |
tree | 57d31e77e2e0a9e544b6a2c6a014667f4318cd73 | |
parent | dfcecc70a00da8d70f9e4b7d365385a9b5212070 (diff) | |
parent | 6feb00807447d77299236a758f76c134f2b30f5b (diff) | |
download | vyatta-cfg-system-87f79c9d17a9295e8a890576cb0d8442a3711546.tar.gz vyatta-cfg-system-87f79c9d17a9295e8a890576cb0d8442a3711546.zip |
Merge branch 'kenwood' of http://git.vyatta.com/vyatta-cfg-system into kenwood
-rw-r--r-- | debian/changelog | 13 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 2 | ||||
-rwxr-xr-x | scripts/rl-system.init | 30 | ||||
-rw-r--r-- | sysconf/vyatta-sysctl.conf | 26 |
4 files changed, 35 insertions, 36 deletions
diff --git a/debian/changelog b/debian/changelog index ffabf34f..fff93718 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +vyatta-cfg-system (0.16.18) unstable; urgency=low + + [ Stephen Hemminger ] + * Restrict radius-server timeout value + + [ Robert Bays ] + * fix bug 5226: Hostname does not allow number as first char + + [ Stephen Hemminger ] + * Change how IPV4/IPV6 configuration values are done + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Tue, 19 Jan 2010 17:00:39 -0800 + vyatta-cfg-system (0.16.17) unstable; urgency=low * Fix snmp trap-source diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index c2b374c8..1e77d69d 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -129,6 +129,8 @@ EOF # Install pamradius config (should come with radius client eventually) cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius + + cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf fi if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then diff --git a/scripts/rl-system.init b/scripts/rl-system.init index ee113ff6..d37e651c 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -137,29 +137,19 @@ create_ssh_host_keys () { set_ipv6_params () { - # default values for ipv6 parameters do not take effect for interfaces at - # boot time, so copy over default values to their interface specific - # parameter - + # diffcult to set new default values for IPV6 earlier if [ ! -d /proc/sys/net/ipv6 ]; then # Skip it if IPv6 is not loaded return fi - ipv6_params=(accept_source_route accept_redirects) - num_ipv6_params=${#ipv6_params[*]} - i=0 - while [ $i -lt $num_ipv6_params ]; do - default_val=`cat /proc/sys/net/ipv6/conf/default/${ipv6_params[$i]}` - array=(`ls /proc/sys/net/ipv6/conf/`) - array_len=${#array[*]} - j=0 - while [ $j -lt $array_len ]; do - sudo sh -c "echo $default_val > \ - /proc/sys/net/ipv6/conf/${array[$j]}/${ipv6_params[$i]}" - let j++ - done - let i++ + # These values all should be disabled + for p in accept_source_route accept_redirects address_flush + do + for d in /proc/sys/net/ipv6/conf/* + do + echo 0 > $d/$p + done done } @@ -188,10 +178,10 @@ start () { setup_ntp_config_file add_new_serial_if || \ log_failure_msg "can\'t add serial interfaces" - sysctl -q -e -p /opt/vyatta/etc/vyatta-sysctl.conf || - log_failure_msg "can\'t configure kernel settings" + set_ipv6_params pam_reset + update_version_info ## Clear out apt config file--it will be filled in by rtrmgr diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf index 01d2f390..928cd6fb 100644 --- a/sysconf/vyatta-sysctl.conf +++ b/sysconf/vyatta-sysctl.conf @@ -9,12 +9,13 @@ kernel.panic_on_oops=1 # Timeout before rebooting on panic kernel.panic=60 -# Only answer ARP requests on same subnet -net.ipv4.conf.default.arp_filter=1 -net.ipv4.conf.default.arp_ignore=1 - -# avoid local addresses that are not in the target's subnet for this interface -net.ipv4.conf.default.arp_announce=1 +# ARP configuration +# arp_filter - allow multiple network interfaces on same subnet +# arp_announce - avoid local addresses no on target's subnet +# arp_ignore - reply only if target IP is local_address on the interface +net.ipv4.conf.all.arp_filter=1 +net.ipv4.conf.all.arp_ignore=1 +net.ipv4.conf.all.arp_announce=1 # Enable packet forwarding for IPv4 net.ipv4.ip_forward=1 @@ -40,6 +41,7 @@ net.ipv4.icmp_echo_ignore_all=0 # Disable source validation by default net.ipv4.conf.all.rp_filter=0 +net.ipv4.conf.default.rp_filter=0 # Enable tcp syn-cookies by default net.ipv4.tcp_syncookies=1 @@ -48,10 +50,12 @@ net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.accept_redirects=0 # Disable accept_redirects by default for any interface +net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 # Disable accept_source_route by default net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.default.accept_source_route=0 # Enable send_redirects by default net.ipv4.conf.all.send_redirects=1 @@ -60,13 +64,3 @@ net.ipv4.conf.all.send_redirects=1 # Enable packet forwarding for IPv6 net.ipv6.conf.all.forwarding=1 - -# Disable ipv6 accept_source_route by default -net.ipv6.conf.default.accept_source_route=-1 - -# Disable ipv6 accept_redirects by default -net.ipv6.conf.default.accept_redirects=0 - -# Keep address when interface goes down -net.ipv6.conf.default.address_flush=0 - |