From acaf4b2d17636edc6abcac0ed0395e35e83a1070 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 13 Aug 2025 13:38:52 +0200
Subject: [PATCH] testing: Move sysctl settings to sysctl.d and add some memory settings

Debian trixie doesn't provide a 99-sysctl.conf symlink in that directory anymore. The memory settings are also useful there as the default of one changed and overbooking helps when forking a process with large memory footprint (e.g. the IKE daemon).
---
testing/hosts/default/etc/sysctl.conf | 62 -------------------
.../default/etc/sysctl.d/99-strongswan.conf | 16 +++++
2 files changed, 16 insertions(+), 62 deletions(-)
delete mode 100644 testing/hosts/default/etc/sysctl.conf
create mode 100644 testing/hosts/default/etc/sysctl.d/99-strongswan.conf

diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf
deleted file mode 100644
index 364b64ad61..0000000000
--- a/testing/hosts/default/etc/sysctl.conf
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-# Enabling this option disables Stateless Address Autoconfiguration
-# based on Router Advertisements for this host
-net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-
-# Enable coredump for suid binaries
-fs.suid_dumpable = 1
diff --git a/testing/hosts/default/etc/sysctl.d/99-strongswan.conf b/testing/hosts/default/etc/sysctl.d/99-strongswan.conf
new file mode 100644
index 0000000000..c21ce4195e
--- /dev/null
+++ b/testing/hosts/default/etc/sysctl.d/99-strongswan.conf
@@ -0,0 +1,16 @@
+# Enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+# Enable coredump for suid binaries
+fs.suid_dumpable = 1
+
+# As we run with very little memory, use the old default to reduce overhead
+vm.max_map_count = 65530
+
+# Allow overcommitting, in particular for forks
+vm.overcommit_memory = 1
--
2.47.3
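Review bot: `fs.suid_dumpable = 1` in the new 99-strongswan.conf carries over a one-line comment that does not say why a setuid process is allowed to dump core at all; value 1 is the kernel's "debug" mode, in which the dump is owned by the dumping process's filesystem user and no further restriction is applied, so the setting is only defensible on these throw-away test hosts. I would extend the comment to `# Enable coredump for suid binaries (kernel "debug" mode, no restrictions on the dump; acceptable only on disposable test hosts)`. The same file mixes the `key=value` and `key = value` spellings across its five settings; sysctl accepts both, but one consistent form reads better. `vm.overcommit_memory = 1` presumably turns a fork() that would have failed with ENOMEM into a later OOM kill under the memory pressure the comment itself describes; a word about that in the comment would keep anyone debugging a killed daemon from chasing a non-existent bug.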