From ff8c4aacff4e26b6cea43beeec184412369c5085 Mon Sep 17 00:00:00 2001 
From: Christian Poessinger
Date: Thu, 27 May 2021 08:32:34 +0200
Subject: T3579: migrate sysctl settings to vyos-1x
---
.../system/conntrack/expect-table-size/node.def | 31 ----------------
templates-cfg/system/conntrack/hash-size/node.def | 18 ---------
templates-cfg/system/conntrack/node.def | 24 ------------
templates-cfg/system/conntrack/table-size/node.def | 32 ----------------
.../conntrack/tcp/half-open-connections/node.def | 13 -------
templates-cfg/system/conntrack/tcp/loose/node.def | 43 ----------------------
.../system/conntrack/tcp/max-retrans/node.def | 13 -------
templates-cfg/system/conntrack/tcp/node.def | 1 -
.../system/conntrack/timeout/icmp/node.def | 13 -------
templates-cfg/system/conntrack/timeout/node.def | 1 -
.../system/conntrack/timeout/other/node.def | 13 -------
.../conntrack/timeout/tcp/close-wait/node.def | 13 -------
.../system/conntrack/timeout/tcp/close/node.def | 13 -------
.../conntrack/timeout/tcp/established/node.def | 13 -------
.../system/conntrack/timeout/tcp/fin-wait/node.def | 13 -------
.../system/conntrack/timeout/tcp/last-ack/node.def | 13 -------
.../system/conntrack/timeout/tcp/node.def | 1 -
.../system/conntrack/timeout/tcp/syn-recv/node.def | 13 -------
.../system/conntrack/timeout/tcp/syn-sent/node.def | 13 -------
.../conntrack/timeout/tcp/time-wait/node.def | 13 -------
.../system/conntrack/timeout/udp/node.def | 1 -
.../system/conntrack/timeout/udp/other/node.def | 13 -------
.../system/conntrack/timeout/udp/stream/node.def | 13 -------
23 files changed, 334 deletions(-)
delete mode 100644 templates-cfg/system/conntrack/expect-table-size/node.def
delete mode 100644 templates-cfg/system/conntrack/hash-size/node.def
delete mode 100644 templates-cfg/system/conntrack/node.def
delete mode 100644 templates-cfg/system/conntrack/table-size/node.def
delete mode 100644 templates-cfg/system/conntrack/tcp/half-open-connections/node.def
delete mode 100644 templates-cfg/system/conntrack/tcp/loose/node.def
delete mode 100644
templates-cfg/system/conntrack/tcp/max-retrans/node.def
delete mode 100644 templates-cfg/system/conntrack/tcp/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/icmp/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/other/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/close/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/established/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/udp/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/udp/other/node.def
delete mode 100644 templates-cfg/system/conntrack/timeout/udp/stream/node.def
diff --git a/templates-cfg/system/conntrack/expect-table-size/node.def b/templates-cfg/system/conntrack/expect-table-size/node.def
deleted file mode 100644
index 9ff72c7..0000000
--- a/templates-cfg/system/conntrack/expect-table-size/node.def
+++ /dev/null
@@ -1,31 +0,0 @@ -# -# Config template for: system conntrack expect-table-size -# -# This is the table of expectations. Connection tracking expectations are -# the mechanism used to "expect" RELATED connections to existing ones. -# Expectations are generally used by "connection tracking helpers" (sometimes -# called application level gateways [ALGs]) for more complex protocols such as -# FTP, SIP, H.323. -# -# default value: 2048 -# - -type: u32 - -help: Size of connection tracking expect table - -default: 2048 - -val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000" - -update: - sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=$VAR(@) - - - - - - - diff --git a/templates-cfg/system/conntrack/hash-size/node.def b/templates-cfg/system/conntrack/hash-size/node.def deleted file mode 100644 index 8e702c7..0000000 --- a/templates-cfg/system/conntrack/hash-size/node.def +++ /dev/null @@ -1,18 +0,0 @@ -help: Hash size for connection tracking table -type: u32 - -default: 32768 - -val_help: u32:1-50000000; Size of hash to use for connection tracking table - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000" - -update: - if ! grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf - then - sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \ - /etc/modprobe.d/vyatta_nf_conntrack.conf" - sudo sh -c "echo options nf_conntrack hashsize=$VAR(@) nf_conntrack_helper=1 >> \ - /etc/modprobe.d/vyatta_nf_conntrack.conf" - echo "Updated conntrack hash size. This change will take affect when the system is rebooted." - fi diff --git a/templates-cfg/system/conntrack/node.def b/templates-cfg/system/conntrack/node.def deleted file mode 100644 index f66d77d..0000000 --- a/templates-cfg/system/conntrack/node.def +++ /dev/null 
@@ -1,24 +0,0 @@ -help: Connection tracking engine options - -priority: 218 # before NAT and conntrack-sync are configured - -delete: # set conntrack table size to standard 262144 entries if conntrack settings are removed - sudo sysctl -q -w net/nf_conntrack_max=262144 - - # set conntrack expect table size to standard 2048 entries if conntrack settings are removed - sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048 - - # set conntrack hash size to standard 32768 - if ! grep -q "nf_conntrack hashsize=32768$" /etc/modprobe.d/vyatta_nf_conntrack.conf - then - sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \ - /etc/modprobe.d/vyatta_nf_conntrack.conf" - sudo sh -c "echo options nf_conntrack hashsize=32768 nf_conntrack_helper=1 >> \ - /etc/modprobe.d/vyatta_nf_conntrack.conf" - echo "Conntrack hash size set to default 32768. This change will take effect when the system is rebooted." - fi - - # need to restart conntrackd with updated conntrack table size - if cli-shell-api existsActive service conntrack-sync; then - /usr/libexec/vyos/conf_mode/conntrack_sync.py - fi diff --git a/templates-cfg/system/conntrack/table-size/node.def b/templates-cfg/system/conntrack/table-size/node.def deleted file mode 100644 index 9f4da3f..0000000 --- a/templates-cfg/system/conntrack/table-size/node.def +++ /dev/null 
@@ -1,32 +0,0 @@ -# -# Config template for: system conntrack table-size -# -# Sets the size of the TCP connection tracking table in the netfilter -# nf_conntrack module, which is used by firewall and NAT. The size of -# this table determines how many TCP connections can be simultaneously -# tracked. If new connections arrive and the table is full, older -# connections will be dropped out of the table. System administrators -# must set the connection tracking table size based on the number of -# connections they expect their system to track. The connection -# tracking table consumes kernel memory, so the size selected should -# be no larger than necessary. -# -# default value: 16384 -# - -type: u32 - -help: Size of connection tracking table - -default: 262144 - -val_help: u32:1-50000000; Number of entries allowed in connection tracking table - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000" - -update: - sudo sysctl -q -w net/nf_conntrack_max=$VAR(@) - # need to restart conntrackd with updated conntrack table size - if cli-shell-api existsActive service conntrack-sync; then - /usr/libexec/vyos/conf_mode/conntrack_sync.py - fi diff --git a/templates-cfg/system/conntrack/tcp/half-open-connections/node.def b/templates-cfg/system/conntrack/tcp/half-open-connections/node.def deleted file mode 100644 index 9474463..0000000 --- a/templates-cfg/system/conntrack/tcp/half-open-connections/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: Maximum number of TCP half-open connections - -default: 512 - -val_help: u32:1-2147483647; Generic connection timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647" - -update: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=$VAR(@) - -delete: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=512 
diff --git a/templates-cfg/system/conntrack/tcp/loose/node.def b/templates-cfg/system/conntrack/tcp/loose/node.def deleted file mode 100644 index f84b786..0000000 --- a/templates-cfg/system/conntrack/tcp/loose/node.def +++ /dev/null @@ -1,43 +0,0 @@ -# -# This parameter directs the netfilter TCP connection tracking modules -# (nf_conntrack, and others) to either allow or disallow the tracking -# of TCP connections which are "previously established". This -# includes all cases where the three-way connection opening handshake -# was not seen by this machine. That includes the case the connection -# was opened before this machine booted. It also includes cases where -# the packets comprising the three-way handshake were routed via some -# other router. -# -# If this parameter is set to "enable", tracking such connections is -# allowed. If disabled, such tracking is disabled. -# default value - 1 - -type: txt - -help: Policy to track previously established connections - -val_help: enable; Allow tracking of previously established connections -val_help: disable; Do not allow tracking of previously established connections - -default: "enable" - -syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable" - -update: - if [ ! -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then - sudo modprobe nf_conntrack_ipv4 - fi - if [ "$VAR(@)" = "enable" ]; then - sudo sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=1 - elif [ "$VAR(@)" = "disable" ]; then - sudo sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=0 - else - echo "Invalid parameter: $VAR(@)" - exit 1 - fi - -delete: - if [ ! -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then - sudo modprobe nf_conntrack_ipv4 - fi - sudo sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=1 diff --git a/templates-cfg/system/conntrack/tcp/max-retrans/node.def b/templates-cfg/system/conntrack/tcp/max-retrans/node.def deleted file mode 100644 index bf56f1f..0000000 
--- a/templates-cfg/system/conntrack/tcp/max-retrans/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP maximum retransmit attempts - -default: 3 - -val_help: u32:1-2147483647; Generic connection timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=3 diff --git a/templates-cfg/system/conntrack/tcp/node.def b/templates-cfg/system/conntrack/tcp/node.def deleted file mode 100644 index c04af19..0000000 --- a/templates-cfg/system/conntrack/tcp/node.def +++ /dev/null @@ -1 +0,0 @@ -help: TCP options diff --git a/templates-cfg/system/conntrack/timeout/icmp/node.def b/templates-cfg/system/conntrack/timeout/icmp/node.def deleted file mode 100644 index 952178e..0000000 --- a/templates-cfg/system/conntrack/timeout/icmp/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: ICMP timeout in seconds - -default: 30 - -val_help: u32:1-21474836; ICMP timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=30 diff --git a/templates-cfg/system/conntrack/timeout/node.def b/templates-cfg/system/conntrack/timeout/node.def deleted file mode 100644 index 8696247..0000000 --- a/templates-cfg/system/conntrack/timeout/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Connection timeout options diff --git a/templates-cfg/system/conntrack/timeout/other/node.def b/templates-cfg/system/conntrack/timeout/other/node.def deleted file mode 100644 index a794bb7..0000000 --- a/templates-cfg/system/conntrack/timeout/other/node.def +++ /dev/null 
@@ -1,13 +0,0 @@ -type: u32 - -help: Generic connection timeout in seconds - -default: 600 - -val_help: u32:1-21474836; Generic connection timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=600 diff --git a/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def deleted file mode 100644 index 0491b68..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP CLOSE-WAIT timeout in seconds - -default: 60 - -val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60 diff --git a/templates-cfg/system/conntrack/timeout/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/tcp/close/node.def deleted file mode 100644 index 38317d5..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/close/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP CLOSE timeout in seconds - -default: 10 - -val_help: u32:1-21474836; TCP CLOSE timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10 diff --git a/templates-cfg/system/conntrack/timeout/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/tcp/established/node.def deleted file mode 100644 index 9e47f1e..0000000 
--- a/templates-cfg/system/conntrack/timeout/tcp/established/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP ESTABLISHED timeout in seconds - -default: 432000 - -val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000 diff --git a/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def deleted file mode 100644 index 985a6a4..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP FIN-WAIT timeout in seconds - -default: 120 - -val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120 diff --git a/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def deleted file mode 100644 index 3e07fe4..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP LAST-ACK timeout in seconds - -default: 30 - -val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30 
diff --git a/templates-cfg/system/conntrack/timeout/tcp/node.def b/templates-cfg/system/conntrack/timeout/tcp/node.def deleted file mode 100644 index fd1c34f..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/node.def +++ /dev/null @@ -1 +0,0 @@ -help: TCP connection timeout options diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def deleted file mode 100644 index 50c5512..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP SYN-RECEIVED timeout in seconds - -default: 60 - -val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60 diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def deleted file mode 100644 index 5856ba7..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: TCP SYN-SENT timeout in seconds - -default: 120 - -val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120 diff --git a/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def deleted file mode 100644 index f6bd1c8..0000000 --- a/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def +++ /dev/null 
@@ -1,13 +0,0 @@ -type: u32 - -help: TCP TIME-WAIT timeout in seconds - -default: 120 - -val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120 diff --git a/templates-cfg/system/conntrack/timeout/udp/node.def b/templates-cfg/system/conntrack/timeout/udp/node.def deleted file mode 100644 index c6586b7..0000000 --- a/templates-cfg/system/conntrack/timeout/udp/node.def +++ /dev/null @@ -1 +0,0 @@ -help: UDP timeout diff --git a/templates-cfg/system/conntrack/timeout/udp/other/node.def b/templates-cfg/system/conntrack/timeout/udp/other/node.def deleted file mode 100644 index 0018f1c..0000000 --- a/templates-cfg/system/conntrack/timeout/udp/other/node.def +++ /dev/null @@ -1,13 +0,0 @@ -type: u32 - -help: UDP generic timeout in seconds - -default: 30 - -val_help: u32:1-21474836; UDP generic timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=30 diff --git a/templates-cfg/system/conntrack/timeout/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/udp/stream/node.def deleted file mode 100644 index d86e683..0000000 --- a/templates-cfg/system/conntrack/timeout/udp/stream/node.def +++ /dev/null 
@@ -1,13 +0,0 @@ -type: u32 - -help: UDP stream timeout in seconds - -default: 180 - -val_help: u32:1-21474836; UDP stream timeout in seconds - -syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=$VAR(@) - -delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=180 -- cgit v1.2.3