authorCullum Smith <cullum@sacredheartsc.com>2024-07-12 15:20:54 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-07-12 15:20:54 -0400
commit241833b7f320e7fca84ba226f1ecbb0c963534f7 (patch)
treeee9839af8bee6ec9c5cac08306e3167634babcec /scripts/os/freebsd/10-sysctls
parent8ec6df0afeb4ef69fa64de5516d16f4be48e0549 (diff)
downloadinfrastructure-241833b7f320e7fca84ba226f1ecbb0c963534f7.tar.gz
initial commit of hypervisor configs
Diffstat (limited to 'scripts/os/freebsd/10-sysctls')
-rw-r--r--scripts/os/freebsd/10-sysctls80
1 files changed, 80 insertions, 0 deletions
diff --git a/scripts/os/freebsd/10-sysctls b/scripts/os/freebsd/10-sysctls
new file mode 100644
index 0000000..a59d54f
--- /dev/null
+++ b/scripts/os/freebsd/10-sysctls
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+case $BOXCONF_OS_VERSION in
+ 13.*)
+ set_sysctl \
+ net.inet.ip.check_interface=1 \
+ net.inet.tcp.rfc6675_pipe=1
+ ;;
+ *)
+ set_sysctl \
+ net.inet.ip.rfc1122_strong_es=1
+ ;;
+esac
+
+load_kernel_module cc_htcp
+
+set_sysctl \
+ net.inet.icmp.drop_redirect=1 \
+ net.inet.ip.process_options=0 \
+ net.inet.ip.random_id=1 \
+ net.inet.ip.redirect=0 \
+ net.inet.tcp.abc_l_var=44 \
+ net.inet.tcp.always_keepalive=0 \
+ net.inet.tcp.cc.abe=1 \
+ net.inet.tcp.cc.algorithm=htcp \
+ net.inet.tcp.cc.htcp.adaptive_backoff=1 \
+ net.inet.tcp.cc.htcp.rtt_scaling=1 \
+ net.inet.tcp.drop_synfin=1 \
+ net.inet.tcp.ecn.enable=1 \
+ net.inet.tcp.fastopen.server_enable=1 \
+ net.inet.tcp.icmp_may_rst=0 \
+ net.inet.tcp.initcwnd_segments=44 \
+ net.inet.tcp.minmss=536 \
+ net.inet.tcp.msl=2500 \
+ net.inet.tcp.mssdflt=1448 \
+ net.inet.tcp.nolocaltimewait=1 \
+ net.inet.tcp.path_mtu_discovery=0 \
+ net.inet.tcp.recvbuf_max="$tcp_buffer_size" \
+ net.inet.tcp.recvspace=65536 \
+ net.inet.tcp.sendbuf_inc=65536 \
+ net.inet.tcp.sendbuf_max="$tcp_buffer_size" \
+ net.inet.tcp.sendspace=65536 \
+ net.inet.tcp.syncookies=0 \
+ net.inet6.ip6.redirect=0 \
+ security.bsd.unprivileged_proc_debug="$allow_proc_debug"
+
+# Some sysctls cannot be set within jails.
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
+ set_sysctl \
+ hw.kbd.keymap_restrict_change=4 \
+ kern.coredump=0 \
+ kern.elf32.allow_wx="$allow_wx" \
+ kern.elf32.aslr.pie_enable=1 \
+ kern.elf64.allow_wx="$allow_wx" \
+ kern.ipc.maxsockbuf="$tcp_buffer_size" \
+ kern.ipc.shm_use_phys=1 \
+ kern.ipc.soacceptqueue=1024 \
+ kern.ipc.somaxconn=1024 \
+ kern.random.fortuna.minpoolsize=128 \
+ kern.randompid=1 \
+ net.inet.tcp.fast_finwait2_recycle=1 \
+ net.inet.tcp.finwait2_timeout=5000 \
+ net.inet.tcp.keepcnt=2 \
+ net.inet.tcp.keepidle=62000 \
+ net.inet.tcp.keepinit=5000 \
+ net.inet.tcp.minmss=536 \
+ net.inet.tcp.minmss=536 \
+ security.bsd.hardlink_check_gid=0 \
+ security.bsd.hardlink_check_uid=0 \
+ security.bsd.see_other_gids=0 \
+ security.bsd.see_other_uids=0 \
+ security.bsd.unprivileged_read_msgbuf=0 \
+ vfs.zfs.min_auto_ashift=12
+
+ # FreeBSD automatically scales kern.maxfilesperproc with the amount of memory.
+ # On systems with large amounts of RAM, this can cause strange lags with some
+ # applications that attempt to close every possible file descriptor.
+ # Therefore, we arbitrarily cap this value at 65535.
+ [ "$(sysctl -n kern.maxfilesperproc)" -le 65535 ] || set_sysctl kern.maxfilesperproc=65535
+fi
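Review bot: `net.inet.tcp.minmss=536` is listed twice in a row in the non-jail `set_sysctl` call (the two identical lines after `net.inet.tcp.keepinit=5000`), and the same key is already set unconditionally in the earlier block, so one of the repeated lines is either dead or a copy-paste slip standing in for a different sysctl that was meant here; drop the duplicate or replace it with the intended key. Separately, `net.inet.tcp.syncookies=0` turns off the kernel's SYN-cookie fallback for a saturated listen queue, which is a deliberate-looking hardening trade-off that deserves a one-line comment such as `# SYN cookies disabled on purpose: <reason>` so a later reader does not revert it. The closing `[ "$(sysctl -n kern.maxfilesperproc)" -le 65535 ]` test has no guard for an empty result, so a failing `sysctl` read makes the comparison itself error rather than skip the cap; `set_sysctl`, `load_kernel_module` and the `$tcp_buffer_size`/`$allow_*` variables appear to be supplied by the surrounding framework outside this file, so their defaults cannot be checked from this hunk.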