From 6eb5483bb5bba3cb4efcc8d306724840c80ccb33 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 19 Jan 2010 16:47:21 -0800
Subject: Change how IPV4/IPV6 configuration values are done

1. Move vyatta-sysctl.conf from rl-system.init to procps
   This makes configuration happen early (before networking)
2. Do IPV6 configuration for address_flush in rl-system.init
   (after IPV6 is loaded)
3. Cleanup shell code for ipv6_params:
   * no sudo needed in startup scripts
   * use cleaner iteration
---
 debian/vyatta-cfg-system.postinst.in |  2 ++
 scripts/rl-system.init               | 30 ++++++++++--------------------
 sysconf/vyatta-sysctl.conf           | 26 ++++++++++----------------
 3 files changed, 22 insertions(+), 36 deletions(-)

diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index c2b374c8..1e77d69d 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -129,6 +129,8 @@ EOF
 
     # Install pamradius config (should come with radius client eventually)
     cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
+
+    cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
 fi
 
 if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index ee113ff6..d37e651c 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
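Review bot: The new `cp` into `/etc/sysctl.d/` leaves the copied file outside dpkg's bookkeeping: it is not a conffile of this package, so it is not removed on purge and any local edit is silently overwritten on every reconfigure, and `$sysconfdir` is unquoted like the `pam_radius.cfg` line above it. If procps is meant to own the application of these values, as the commit message says, installing the file from the package's install list as `/etc/sysctl.d/30-vyatta-router.conf` would let dpkg track it; at minimum quote the path, `cp -- "$sysconfdir/vyatta-sysctl.conf" /etc/sysctl.d/30-vyatta-router.conf`. The copy also assumes `/etc/sysctl.d` already exists, which presumably comes from a procps dependency that is not visible in this diff. The enclosing `if` block starts outside the hunk.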
@@ -137,29 +137,19 @@ create_ssh_host_keys () {
 
 
 set_ipv6_params () {
-    # default values for ipv6 parameters do not take effect for interfaces at
-    # boot time, so copy over default values to their interface specific
-    # parameter
-
+    # diffcult to set new default values for IPV6 earlier
     if [ ! -d /proc/sys/net/ipv6 ]; then
         # Skip it if IPv6 is not loaded
         return
     fi
 
-    ipv6_params=(accept_source_route accept_redirects)
-    num_ipv6_params=${#ipv6_params[*]}
-    i=0
-    while [ $i -lt $num_ipv6_params ]; do
-        default_val=`cat /proc/sys/net/ipv6/conf/default/${ipv6_params[$i]}`
-        array=(`ls /proc/sys/net/ipv6/conf/`)
-        array_len=${#array[*]}
-        j=0
-        while [ $j -lt $array_len ]; do
-            sudo sh -c "echo $default_val > \
-                /proc/sys/net/ipv6/conf/${array[$j]}/${ipv6_params[$i]}"
-            let j++
-        done
-        let i++
+    # These values all should be disabled
+    for p in accept_source_route accept_redirects address_flush
+    do
+        for d in /proc/sys/net/ipv6/conf/*
+        do
+            echo 0 > $d/$p
+        done
     done
 }
 
@@ -188,10 +178,10 @@ start () {
     setup_ntp_config_file
     add_new_serial_if || \
         log_failure_msg "can\'t add serial interfaces"
-    sysctl -q -e -p /opt/vyatta/etc/vyatta-sysctl.conf ||
-        log_failure_msg "can\'t configure kernel settings"
+    set_ipv6_params
     pam_reset
 
+
     update_version_info
 
     ## Clear out apt config file--it will be filled in by rtrmgr
diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf
index 01d2f390..928cd6fb 100644
--- a/sysconf/vyatta-sysctl.conf
+++ b/sysconf/vyatta-sysctl.conf
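Review bot: Writing `0` to `accept_source_route` is not equivalent to the `-1` that the removed `net.ipv6.conf.default.accept_source_route=-1` line in vyatta-sysctl.conf used to set: per the kernel's ip-sysctl documentation, for IPv6 a negative value rejects routing headers entirely while `0` still accepts routing header type 2, so this hunk quietly relaxes that setting. If `-1` was intended, the loop needs a per-parameter value, e.g. `for spec in accept_source_route=-1 accept_redirects=0 address_flush=0` with `echo "${spec#*=}" > "$d/${spec%%=*}"` in the inner loop. Unlike the removed `sysctl -e` path, a knob that does not exist on the running kernel (`address_flush` looks like a non-mainline key) now yields a bare redirect error on the boot console with no `log_failure_msg`; a guard such as `[ -w "$d/$p" ] || continue` keeps boot output clean. The same "IPv6 not loaded yet" reasoning presumably applies to `net.ipv6.conf.all.forwarding=1`, which stays in vyatta-sysctl.conf. The comment `# diffcult` should read `# difficult`.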
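Review bot: The removed `sysctl -p` call reported failure through `log_failure_msg`, but its replacement `set_ipv6_params` is called with no status check, so a failed write inside it is neither logged nor visible to `start`'s caller. Pairing it the same way, `set_ipv6_params || log_failure_msg "can\'t configure IPv6 settings"`, keeps the previous reporting style; since that only sees the status of the last `echo` in the loop, having the function record a failure flag and return it would be more reliable. The start function begins and ends outside this hunk.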
@@ -9,12 +9,13 @@ kernel.panic_on_oops=1
 # Timeout before rebooting on panic
 kernel.panic=60
 
-# Only answer ARP requests on same subnet
-net.ipv4.conf.default.arp_filter=1
-net.ipv4.conf.default.arp_ignore=1
-
-# avoid local addresses that are not in the target's subnet for this interface
-net.ipv4.conf.default.arp_announce=1
+# ARP configuration
+# arp_filter - allow multiple network interfaces on same subnet
+# arp_announce - avoid local addresses no on target's subnet
+# arp_ignore - reply only if target IP is local_address on the interface
+net.ipv4.conf.all.arp_filter=1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.conf.all.arp_announce=1
 
 # Enable packet forwarding for IPv4
 net.ipv4.ip_forward=1
@@ -40,6 +41,7 @@ net.ipv4.icmp_echo_ignore_all=0
 
 # Disable source validation by default
 net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
 
 # Enable tcp syn-cookies by default
 net.ipv4.tcp_syncookies=1
@@ -48,10 +50,12 @@ net.ipv4.tcp_syncookies=1
 net.ipv4.conf.all.accept_redirects=0
 
 # Disable accept_redirects by default for any interface
+net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
 
 # Disable accept_source_route by default
 net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
 
 # Enable send_redirects by default
 net.ipv4.conf.all.send_redirects=1
@@ -60,13 +64,3 @@ net.ipv4.conf.all.send_redirects=1
 
 # Enable packet forwarding for IPv6
 net.ipv6.conf.all.forwarding=1
-
-# Disable ipv6 accept_source_route by default
-net.ipv6.conf.default.accept_source_route=-1
-
-# Disable ipv6 accept_redirects by default
-net.ipv6.conf.default.accept_redirects=0
-
-# Keep address when interface goes down
-net.ipv6.conf.default.address_flush=0
-
-- 
cgit v1.2.3
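Review bot: The new comment line `# arp_announce - avoid local addresses no on target's subnet` has a typo (`no` should be `not`), and the block would benefit from saying why `all.` now replaces `default.`. The kernel combines the `all` and per-interface values for these three knobs (maximum for arp_ignore and arp_announce, logical OR for arp_filter), so `conf.all` reaches interfaces that already exist when this file is applied as well as later ones; a line such as `# set under conf.all so existing and future interfaces are both covered` would save the next reader the lookup.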
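Review bot: The added `net.ipv4.conf.default.rp_filter=0` only takes effect if this file is applied after whatever sets the distribution default, because sysctl.d files are processed in lexical order; the `30-` prefix chosen for the install name is presumably meant to sort after a lower-numbered distribution file that enables rp_filter, and that dependency deserves a comment here, e.g. `# must sort after the distribution's sysctl.d defaults to take effect`. Since rp_filter is a basic anti-spoofing check, a short note that asymmetric routing is why it is disabled for a router, and that source-address filtering is expected to come from the firewall configuration, would also help the next maintainer.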
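Review bot: The added `net.ipv4.conf.all.accept_redirects=0` duplicates the identical line three lines above it (the hunk's first context line), so it should be dropped; the existing `default.` line below already pairs with that earlier `all.` setting. The `net.ipv4.conf.default.accept_source_route=0` addition is fine as written, and the two adjacent comments could be merged into one `# Disable accept_redirects and accept_source_route for all and new interfaces` once the duplicate is gone.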