# # Vyatta router specific sysctl settings. # See sysctl.conf (5) for information. # # Panic on OOPS kernel.panic_on_oops=1 # Timeout before rebooting on panic kernel.panic=60 # Send all core files to /var/core/core.program.pid.time kernel.core_pattern=/var/core/core-%e-%p-%t # ARP configuration # arp_filter - allow multiple network interfaces on same subnet # arp_announce - avoid local addresses no on target's subnet # arp_ignore - reply only if target IP is local_address on the interface # arp_filter defaults to 1 so set all to 0 so vrrp interfaces can override it. net.ipv4.conf.all.arp_filter=0 # https://phabricator.vyos.net/T300 net.ipv4.conf.all.arp_ignore=0 net.ipv4.conf.all.arp_announce=2 # Enable packet forwarding for IPv4 net.ipv4.ip_forward=1 # if a primary address is removed from an interface promote the # secondary address if available net.ipv4.conf.all.promote_secondaries=1 # Ignore ICMP broadcasts sent to broadcast/multicast net.ipv4.icmp_echo_ignore_broadcasts=1 # Ignore bogus ICMP errors net.ipv4.icmp_ignore_bogus_error_responses=1 # Send ICMP responses with primary address of exiting interface net.ipv4.icmp_errors_use_inbound_ifaddr=1 # Log packets with impossible addresses to kernel log net.ipv4.conf.all.log_martians=1 # Do not ignore all ICMP ECHO requests by default net.ipv4.icmp_echo_ignore_all=0 # Disable source validation by default net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 # Enable tcp syn-cookies by default net.ipv4.tcp_syncookies=1 # Disable accept_redirects for all net.ipv4.conf.all.accept_redirects=0 # Disable accept_redirects by default for any interface net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 # Disable accept_source_route by default net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 # Enable send_redirects by default net.ipv4.conf.all.send_redirects=1 # Increase size of buffer for netlink net.core.rmem_max=2097152 # Do not forget IPv6 addresses when a link goes down net.ipv6.conf.default.keep_addr_on_down=1 net.ipv6.conf.all.keep_addr_on_down=1 # Default value of 20 seems to interfere with larger OSPF and VRRP setups net.ipv4.igmp_max_memberships = 512 # Enable conntrack helper by default net.netfilter.nf_conntrack_helper=1 # Increase default garbage collection thresholds net.ipv4.neigh.default.gc_thresh1 = 1024 net.ipv4.neigh.default.gc_thresh2 = 4096 net.ipv4.neigh.default.gc_thresh3 = 8192 # net.ipv6.neigh.default.gc_thresh1 = 1024 net.ipv6.neigh.default.gc_thresh2 = 4096 net.ipv6.neigh.default.gc_thresh3 = 8192