From 241833b7f320e7fca84ba226f1ecbb0c963534f7 Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Fri, 12 Jul 2024 15:20:54 -0400 Subject: initial commit of hypervisor configs --- scripts/os/freebsd/10-sysctls | 80 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 scripts/os/freebsd/10-sysctls (limited to 'scripts/os/freebsd/10-sysctls') diff --git a/scripts/os/freebsd/10-sysctls b/scripts/os/freebsd/10-sysctls new file mode 100644 index 0000000..a59d54f --- /dev/null +++ b/scripts/os/freebsd/10-sysctls @@ -0,0 +1,80 @@ +#!/bin/sh + +case $BOXCONF_OS_VERSION in + 13.*) + set_sysctl \ + net.inet.ip.check_interface=1 \ + net.inet.tcp.rfc6675_pipe=1 + ;; + *) + set_sysctl \ + net.inet.ip.rfc1122_strong_es=1 + ;; +esac + +load_kernel_module cc_htcp + +set_sysctl \ + net.inet.icmp.drop_redirect=1 \ + net.inet.ip.process_options=0 \ + net.inet.ip.random_id=1 \ + net.inet.ip.redirect=0 \ + net.inet.tcp.abc_l_var=44 \ + net.inet.tcp.always_keepalive=0 \ + net.inet.tcp.cc.abe=1 \ + net.inet.tcp.cc.algorithm=htcp \ + net.inet.tcp.cc.htcp.adaptive_backoff=1 \ + net.inet.tcp.cc.htcp.rtt_scaling=1 \ + net.inet.tcp.drop_synfin=1 \ + net.inet.tcp.ecn.enable=1 \ + net.inet.tcp.fastopen.server_enable=1 \ + net.inet.tcp.icmp_may_rst=0 \ + net.inet.tcp.initcwnd_segments=44 \ + net.inet.tcp.minmss=536 \ + net.inet.tcp.msl=2500 \ + net.inet.tcp.mssdflt=1448 \ + net.inet.tcp.nolocaltimewait=1 \ + net.inet.tcp.path_mtu_discovery=0 \ + net.inet.tcp.recvbuf_max="$tcp_buffer_size" \ + net.inet.tcp.recvspace=65536 \ + net.inet.tcp.sendbuf_inc=65536 \ + net.inet.tcp.sendbuf_max="$tcp_buffer_size" \ + net.inet.tcp.sendspace=65536 \ + net.inet.tcp.syncookies=0 \ + net.inet6.ip6.redirect=0 \ + security.bsd.unprivileged_proc_debug="$allow_proc_debug" + +# Some sysctls cannot be set within jails. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then + set_sysctl \ + hw.kbd.keymap_restrict_change=4 \ + kern.coredump=0 \ + kern.elf32.allow_wx="$allow_wx" \ + kern.elf32.aslr.pie_enable=1 \ + kern.elf64.allow_wx="$allow_wx" \ + kern.ipc.maxsockbuf="$tcp_buffer_size" \ + kern.ipc.shm_use_phys=1 \ + kern.ipc.soacceptqueue=1024 \ + kern.ipc.somaxconn=1024 \ + kern.random.fortuna.minpoolsize=128 \ + kern.randompid=1 \ + net.inet.tcp.fast_finwait2_recycle=1 \ + net.inet.tcp.finwait2_timeout=5000 \ + net.inet.tcp.keepcnt=2 \ + net.inet.tcp.keepidle=62000 \ + net.inet.tcp.keepinit=5000 \ + net.inet.tcp.minmss=536 \ + net.inet.tcp.minmss=536 \ + security.bsd.hardlink_check_gid=0 \ + security.bsd.hardlink_check_uid=0 \ + security.bsd.see_other_gids=0 \ + security.bsd.see_other_uids=0 \ + security.bsd.unprivileged_read_msgbuf=0 \ + vfs.zfs.min_auto_ashift=12 + + # FreeBSD automatically scales kern.maxfilesperproc with the amount of memory. + # On systems with large amounts of RAM, this can cause strange lags with some + # applications that attempt to close every possible file descriptor. + # Therefore, we arbitrarily cap this value at 65535. + [ "$(sysctl -n kern.maxfilesperproc)" -le 65535 ] || set_sysctl kern.maxfilesperproc=65535 +fi -- cgit v1.2.3