Diffstat (limited to 'templates')
16 files changed, 41 insertions, 35 deletions
diff --git a/templates/system/conntrack/expect-table-size/node.def b/templates/system/conntrack/expect-table-size/node.def
index 889dbdbc..a62b635e 100644
--- a/templates/system/conntrack/expect-table-size/node.def
+++ b/templates/system/conntrack/expect-table-size/node.def
@@ -22,8 +22,7 @@ val_help: u32: 1-50000000; Number of entries allowed in connection tracking expe
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000"
 update:
- sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_expect_max"
+ sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=$VAR(@)
diff --git a/templates/system/conntrack/node.def b/templates/system/conntrack/node.def
index 8a5cf317..eb933bc5 100644
--- a/templates/system/conntrack/node.def
+++ b/templates/system/conntrack/node.def
@@ -1 +1,24 @@
-help: Connection tracking engine options
\ No newline at end of file
+help: Connection tracking engine options
+
+priority: 218 # before NAT and conntrack-sync are configured
+
+delete: # set conntrack table size to standard 16384 entries if fw disabled
+ sudo sysctl -q -w net/nf_conntrack_max=16384
+
+ # set conntrack expect table size to standard 2048 entries if fw disabled
+ sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048
+
+ # set conntrack hash size to standard 4096
+ if ! grep -q "nf_conntrack hashsize=4096$" /etc/modprobe.d/vyatta_nf_conntrack.conf
+ then
+ sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ sudo sh -c "echo options nf_conntrack hashsize=4096 >> \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ echo "Conntrack hash size set to default 4096. This change will take affect when the system is rebooted."
+ fi
+
+ # need to restart conntrackd with updated conntrack table size
+ if cli-shell-api existsActive service conntrack-sync; then
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ fi
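Review bot: In the new `delete:` block the two `sudo sysctl -q -w …` writes and the `sed -i`/`echo >>` pair run with no exit-status check, and because the block ends with the conntrack-sync `if … fi`, the action's overall status is that of the final `if` (zero when conntrack-sync is not active) rather than of the commands that change kernel state; if nf_conntrack is not loaded the sysctl writes fail on stderr yet the delete still reports success, assuming the commit checks the action's exit status. The same pattern is in `update:` of templates/system/conntrack/table-size/node.def, where the sysctl is immediately followed by the conntrack-sync `if`. Appending `|| exit 1` to each `sudo sysctl …` line would surface the failure, and tcp-loose/node.def's `modprobe nf_conntrack_ipv4` guard shows the alternative of ensuring the module is present before writing. The user-facing message also has a typo: `take affect` should read `take effect`.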
\ No newline at end of file
diff --git a/templates/system/conntrack/table-size/node.def b/templates/system/conntrack/table-size/node.def
index 310b995f..16d1d45a 100644
--- a/templates/system/conntrack/table-size/node.def
+++ b/templates/system/conntrack/table-size/node.def
@@ -26,8 +26,7 @@ val_help: u32:1-50000000; Number of entries allowed in connection tracking table
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000"
 update:
- sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/nf_conntrack_max"
+ sudo sysctl -q -w net/nf_conntrack_max=$VAR(@)
 # need to restart conntrackd with updated conntrack table size
 if cli-shell-api existsActive service conntrack-sync; then
 sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
diff --git a/templates/system/conntrack/tcp-loose/node.def b/templates/system/conntrack/tcp-loose/node.def
index 86489b72..06706a24 100644
--- a/templates/system/conntrack/tcp-loose/node.def
+++ b/templates/system/conntrack/tcp-loose/node.def
@@ -28,11 +28,9 @@ update:
 sudo modprobe nf_conntrack_ipv4
 fi
 if [ "$VAR(@)" = "enable" ]; then
- sudo sh -c "echo 1 > \
- /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1
 elif [ "$VAR(@)" = "disable" ]; then
- sudo sh -c "echo 0 > \
- /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=0
 else
 echo "Invalid parameter: $VAR(@)"
 exit 1
@@ -42,8 +40,7 @@ delete:
 if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
 sudo modprobe nf_conntrack_ipv4
 fi
- sudo sh -c "echo 1 > \
- /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1
diff --git a/templates/system/conntrack/timeout/generic/node.def b/templates/system/conntrack/timeout/generic/node.def
index 570fbbba..52e28d56 100644
--- a/templates/system/conntrack/timeout/generic/node.def
+++ b/templates/system/conntrack/timeout/generic/node.def
@@ -4,5 +4,4 @@ help: Generic connection timeout in seconds
 default: 600
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_generic_timeout"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/icmp/node.def b/templates/system/conntrack/timeout/icmp/node.def
index 4d0c025e..1e01bec2 100644
--- a/templates/system/conntrack/timeout/icmp/node.def
+++ b/templates/system/conntrack/timeout/icmp/node.def
@@ -4,5 +4,4 @@ help: ICMP timeout in seconds
 default: 30
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_icmp_timeout"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/close-wait/node.def b/templates/system/conntrack/timeout/tcp/close-wait/node.def
index 1c819170..8d637a80 100644
--- a/templates/system/conntrack/timeout/tcp/close-wait/node.def
+++ b/templates/system/conntrack/timeout/tcp/close-wait/node.def
@@ -4,5 +4,4 @@ help: TCP close wait timeout in seconds
 default: 60
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/close/node.def b/templates/system/conntrack/timeout/tcp/close/node.def
index 30ffad0c..06153d53 100644
--- a/templates/system/conntrack/timeout/tcp/close/node.def
+++ b/templates/system/conntrack/timeout/tcp/close/node.def
@@ -4,5 +4,4 @@ help: TCP close timeout in seconds
 default: 10
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/established/node.def b/templates/system/conntrack/timeout/tcp/established/node.def
index 6b0c80fa..b1e503bc 100644
--- a/templates/system/conntrack/timeout/tcp/established/node.def
+++ b/templates/system/conntrack/timeout/tcp/established/node.def
@@ -4,5 +4,4 @@ help: TCP established timeout in seconds
 default: 432000
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/fin-wait/node.def b/templates/system/conntrack/timeout/tcp/fin-wait/node.def
index 33966170..159f6dc8 100644
--- a/templates/system/conntrack/timeout/tcp/fin-wait/node.def
+++ b/templates/system/conntrack/timeout/tcp/fin-wait/node.def
@@ -4,5 +4,4 @@ help: TCP FIN wait timeout in seconds
 default: 120
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/last-ack/node.def b/templates/system/conntrack/timeout/tcp/last-ack/node.def
index 767f80e7..661b26b9 100644
--- a/templates/system/conntrack/timeout/tcp/last-ack/node.def
+++ b/templates/system/conntrack/timeout/tcp/last-ack/node.def
@@ -4,5 +4,4 @@ help: TCP last ACK timeout
 default: 30
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_last_ack"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/syn-recv/node.def b/templates/system/conntrack/timeout/tcp/syn-recv/node.def
index 70fe4306..0eda71e6 100644
--- a/templates/system/conntrack/timeout/tcp/syn-recv/node.def
+++ b/templates/system/conntrack/timeout/tcp/syn-recv/node.def
@@ -4,5 +4,4 @@ help: TCP SYN received timeout in seconds
 default: 60
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/syn-sent/node.def b/templates/system/conntrack/timeout/tcp/syn-sent/node.def
index 5ca64627..9cee773f 100644
--- a/templates/system/conntrack/timeout/tcp/syn-sent/node.def
+++ b/templates/system/conntrack/timeout/tcp/syn-sent/node.def
@@ -4,5 +4,4 @@ help: TCP SYN received timeout in seconds
 default: 120
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/tcp/time-wait/node.def b/templates/system/conntrack/timeout/tcp/time-wait/node.def
index d439ac6e..436553c2 100644
--- a/templates/system/conntrack/timeout/tcp/time-wait/node.def
+++ b/templates/system/conntrack/timeout/tcp/time-wait/node.def
@@ -4,5 +4,4 @@ help: TCP time wait
 default: 120
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/ net/netfilter/nf_conntrack_tcp_timeout_time_wait"
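Review bot: The hunk header for templates/system/conntrack/timeout/tcp/syn-sent/node.def shows `help: TCP SYN received timeout in seconds`, which is the same help text as timeout/tcp/syn-recv/node.def, while the key this node now writes is nf_conntrack_tcp_timeout_syn_sent. That help line is outside the changed lines, but it is the node's user-facing description and appears to be a copy-paste leftover. Suggest `help: TCP SYN sent timeout in seconds`.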
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/udp/generic/node.def b/templates/system/conntrack/timeout/udp/generic/node.def
index b15bc39e..f539899f 100644
--- a/templates/system/conntrack/timeout/udp/generic/node.def
+++ b/templates/system/conntrack/timeout/udp/generic/node.def
@@ -4,5 +4,4 @@ help: UDP generic timeout in seconds
 default: 30
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_udp_timeout"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=$VAR(@)
\ No newline at end of file
diff --git a/templates/system/conntrack/timeout/udp/stream/node.def b/templates/system/conntrack/timeout/udp/stream/node.def
index 96c67ed5..fdd62c0a 100644
--- a/templates/system/conntrack/timeout/udp/stream/node.def
+++ b/templates/system/conntrack/timeout/udp/stream/node.def
@@ -4,5 +4,4 @@ help: UDP stream timeout in seconds
 default: 180
-update: sudo sh -c "echo $VAR(@) > \
- /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream"
\ No newline at end of file
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=$VAR(@)
\ No newline at end of file |