blob: 1f5d70f7adaa2dc6baee7581e6d74aed8d94a4e5 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
#!/bin/sh
case $BOXCONF_OS_VERSION in
13.*)
set_sysctl \
net.inet.ip.check_interface=1 \
net.inet.tcp.rfc6675_pipe=1
;;
*)
set_sysctl \
net.inet.ip.rfc1122_strong_es=1
;;
esac
load_kernel_module cc_htcp
set_sysctl \
net.inet.icmp.drop_redirect=1 \
net.inet.ip.process_options=0 \
net.inet.ip.random_id=1 \
net.inet.ip.redirect=0 \
net.inet.tcp.abc_l_var=44 \
net.inet.tcp.always_keepalive=0 \
net.inet.tcp.cc.abe=1 \
net.inet.tcp.cc.algorithm=htcp \
net.inet.tcp.cc.htcp.adaptive_backoff=1 \
net.inet.tcp.cc.htcp.rtt_scaling=1 \
net.inet.tcp.drop_synfin=1 \
net.inet.tcp.ecn.enable=1 \
net.inet.tcp.fastopen.server_enable=1 \
net.inet.tcp.icmp_may_rst=0 \
net.inet.tcp.initcwnd_segments=44 \
net.inet.tcp.minmss=536 \
net.inet.tcp.msl=2500 \
net.inet.tcp.mssdflt=1448 \
net.inet.tcp.nolocaltimewait=1 \
net.inet.tcp.path_mtu_discovery=1 \
net.inet.tcp.recvbuf_max="$tcp_buffer_size" \
net.inet.tcp.recvspace=65536 \
net.inet.tcp.sendbuf_inc=65536 \
net.inet.tcp.sendbuf_max="$tcp_buffer_size" \
net.inet.tcp.sendspace=65536 \
net.inet.tcp.syncookies=0 \
net.inet6.ip6.redirect=0 \
security.bsd.unprivileged_proc_debug="$allow_proc_debug"
# Some sysctls cannot be set within jails.
if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
set_sysctl \
hw.kbd.keymap_restrict_change=4 \
kern.coredump=0 \
kern.elf32.allow_wx="$allow_wx" \
kern.elf32.aslr.pie_enable=1 \
kern.elf64.allow_wx="$allow_wx" \
kern.ipc.maxsockbuf="$tcp_buffer_size" \
kern.ipc.shm_use_phys=1 \
kern.ipc.soacceptqueue=1024 \
kern.ipc.somaxconn=1024 \
kern.random.fortuna.minpoolsize=128 \
kern.randompid=1 \
net.inet.tcp.fast_finwait2_recycle=1 \
net.inet.tcp.finwait2_timeout=5000 \
net.inet.tcp.keepcnt=2 \
net.inet.tcp.keepidle=62000 \
net.inet.tcp.keepinit=5000 \
net.inet.tcp.minmss=536 \
net.inet.tcp.minmss=536 \
security.bsd.hardlink_check_gid=0 \
security.bsd.hardlink_check_uid=0 \
security.bsd.see_other_gids="$see_other_uids" \
security.bsd.see_other_uids="$see_other_uids" \
security.bsd.unprivileged_read_msgbuf=0 \
vfs.nfsd.enable_locallocks=1 \
vfs.nfsd.issue_delegations=0 \
vfs.zfs.min_auto_ashift=12
# FreeBSD automatically scales kern.maxfilesperproc with the amount of memory.
# On systems with large amounts of RAM, this can cause strange lags with some
# applications that attempt to close every possible file descriptor.
# Therefore, we arbitrarily cap this value at 65535.
[ "$(sysctl -n kern.maxfilesperproc)" -le 65535 ] || set_sysctl kern.maxfilesperproc=65535
fi
|
