path: root/src/etc/sysctl.d
Age | Commit message | Author
2023-12-21 | srv6: T591: enable SR enabled packet processing on defined interfaces | Christian Breunig
The Linux Kernel needs to be told whether IPv6 SR enabled packets should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
Accept or drop SR-enabled IPv6 packets on this interface.
Relevant packets are those with SRH present and DA = local.
0 - disabled (default)
not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
(cherry picked from commit 774cc97eda61eb0b91df820797fb3c705d0073d5)
2023-12-21 | vrf: T591: define sysctl setting for net.vrf.strict_mode | Christian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers.
(cherry picked from commit 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e)
2023-11-20 | http: T5762: api: make API socket backend communication the one and only default | Christian Breunig
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests. While debugging those failing, it was uncovered, that uvicorn only listens on IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a UNIX domain socket, the best idea is to make this the default way of communication, as we never directly talk to the API server but rather use the NGINX reverse proxy.
(cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)
2023-10-08 | Change to BBR as TCP congestion control, or at least make it a config option | Apachez
(cherry picked from commit ac1bd7c2f69e058f54084decbfe6b6d329df6462)
2023-09-14 | T5575: ARP/NDP table-size isn't set properly | Apachez
(cherry picked from commit 9391fc273ce95ff92a6b40b2dee4a688d3048f9f)
2023-09-08 | T5489: Add sysctl TCP congestion control by default to BBR | Viacheslav Hletenko
Add by default sysctl TCP congestion control to BBR. Default value `cubic` is not optimal.
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
(cherry picked from commit b99ed37dd1cff3310437ff8ccf1a27cd20714c41)
2023-02-12 | T5001: Replace links to the phabricator site | Christian Breunig
Replace links to the phabricator site from https://phabricator.vyos.net to https://vyos.dev
2023-01-27 | sysctl: T4928: remove outdated conntrack_helper | Martin Böh
This sysctl has been removed from kernel 6.0.X onwards but its removal was skipped when upgrading the kernel.
See: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter?id=b118509076b39cc5e616c0680312b5caaca535fe
2022-09-26 | ethernet: T4689: support asymmetric RFS configuration on multiple interfaces | Christian Poessinger
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS (Receive Flow Steering)") always adjusted the global rps_sock_flow_entries configuration. So if RFS was enabled for one NIC but not the other - it did not work.
According to the documentation:
RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by default for SMP). The functionality remains disabled until explicitly configured. The number of entries in the global flow table is set through:
/proc/sys/net/core/rps_sock_flow_entries
The number of entries in the per-queue flow table are set through:
/sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt
Both of these need to be set before RFS is enabled for a receive queue. Values for both are rounded up to the nearest power of two. The suggested flow count depends on the expected number of active connections at any given time, which may be significantly less than the number of open connections. We have found that a value of 32768 for rps_sock_flow_entries works fairly well on a moderately loaded server.
This commit sets rps_sock_flow_entries via sysctl on bootup leaving the RFS configuration to the interface level.
2022-07-09 | ip: T4517: add option to enable directed broadcast forwarding | Yuxiang Zhu
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644. By default Linux kernel doesn't forward directed broadcast packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding` and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
2022-03-28 | Revert "openvpn: T4230: globally enable ip_nonlocal_bind" | Daniil Baturin
This reverts commit 1cbcbf40b7721849f9696c05fac65db010a66b7c.
2022-02-17 | openvpn: T4230: globally enable ip_nonlocal_bind | Christian Poessinger
2021-08-23 | container: T2216: increase sysctl inotify watchers | Christian Poessinger
2021-07-31 | sysctl: T3716: remove IPv4/6 routes from FIB when link goes down | Christian Poessinger
For more information see:
* https://programmersought.com/article/62242485344/
* https://www.spinics.net/lists/netdev/msg332453.html
* https://github.com/FRRouting/frr/blob/master/doc/user/Useful_Sysctl_Settings.md
2021-07-31 | sysctl: T671: add missing net.ipv6.route.skip_notify_on_dev_down setting | Christian Poessinger
Recommended by FRR best defaults https://github.com/FRRouting/frr/blob/master/doc/user/Useful_Sysctl_Settings.md
2021-01-20 | sysctl: as send_redirects is enabled for all interfaces, also add default | Christian Poessinger
2021-01-17 | sysctl: T671: import VyOS specific settings from vyatta-cfg-system | Christian Poessinger
2020-04-23 | interfaces: T2362: sysctl to not generate IPv6 link-local addresses by default | Jernej Jakob