From 9be0327a4975e219957d5108b3753a7640c4a9e0 Mon Sep 17 00:00:00 2001
From: Florian Klink <flokli@flokli.de>
Date: Sun, 11 Aug 2019 13:32:24 +0200
Subject: nixos/systemd: install sysctl snippets

systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.

These enable:
 - Loose reverse path filtering
 - Source route filtering
 - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`.

Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
---
 nixos/modules/virtualisation/google-compute-config.nix | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

(limited to 'nixos/modules/virtualisation')

diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 5c59188b68b2..79766970c757 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -159,12 +159,6 @@ in
     # functionality/features (e.g. TCP Window scaling).
     "net.ipv4.tcp_syncookies" = mkDefault "1";
 
-    # ignores source-routed packets
-    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
-    # ignores source-routed packets
-    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
     # ignores ICMP redirects
     "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
 
@@ -186,10 +180,10 @@ in
     # don't allow traffic between networks or act as a router
     "net.ipv4.conf.default.send_redirects" = mkDefault "0";
 
-    # reverse path filtering - IP spoofing protection
+    # strict reverse path filtering - IP spoofing protection
     "net.ipv4.conf.all.rp_filter" = mkDefault "1";
 
-    # reverse path filtering - IP spoofing protection
+    # strict path filtering - IP spoofing protection
     "net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
     # ignores ICMP broadcasts to avoid participating in Smurf attacks
-- 
cgit 1.4.1