diff options
| author | Florian Klink <flokli@flokli.de> | 2019-08-11 13:32:24 +0200 |
|---|---|---|
| committer | Florian Klink <flokli@flokli.de> | 2019-08-18 17:54:26 +0200 |
| commit | 9be0327a4975e219957d5108b3753a7640c4a9e0 (patch) | |
| tree | f264e6c231f25fcf660af8997e665e78704fc3cb /nixos/modules/virtualisation | |
| parent | e5965bd4897310d1f99ad75f51ef99f1f0e2c274 (diff) | |
| download | nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.gz nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.bz2 nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.lz nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.xz nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.zst nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.zip | |
nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
Diffstat (limited to 'nixos/modules/virtualisation')
| -rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 5c59188b68b2..79766970c757 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -159,12 +159,6 @@ in # functionality/features (e.g. TCP Window scaling). "net.ipv4.tcp_syncookies" = mkDefault "1"; - # ignores source-routed packets - "net.ipv4.conf.all.accept_source_route" = mkDefault "0"; - - # ignores source-routed packets - "net.ipv4.conf.default.accept_source_route" = mkDefault "0"; - # ignores ICMP redirects "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; @@ -186,10 +180,10 @@ in # don't allow traffic between networks or act as a router "net.ipv4.conf.default.send_redirects" = mkDefault "0"; - # reverse path filtering - IP spoofing protection + # strict reverse path filtering - IP spoofing protection "net.ipv4.conf.all.rp_filter" = mkDefault "1"; - # reverse path filtering - IP spoofing protection + # strict path filtering - IP spoofing protection "net.ipv4.conf.default.rp_filter" = mkDefault "1"; # ignores ICMP broadcasts to avoid participating in Smurf attacks |