Commit | Line | Data |
---|---|---|
8f27a221 KS |
1 | # This file is part of systemd. |
2 | # | |
3 | # systemd is free software; you can redistribute it and/or modify it | |
4 | # under the terms of the GNU Lesser General Public License as published by | |
5 | # the Free Software Foundation; either version 2.1 of the License, or | |
6 | # (at your option) any later version. | |
7 | ||
61233823 | 8 | # See sysctl.d(5) and core(5) for documentation. |
16b65d7f ZJS |
9 | |
10 | # To override settings in this file, create a local file in /etc | |
11 | # (e.g. /etc/sysctl.d/90-override.conf), and put any assignments | |
12 | # there. | |
8f27a221 | 13 | |
0f59fe51 | 14 | # System Request functionality of the kernel (16 = SYNC only) |
16b65d7f ZJS |
15 | # |
16 | # Use kernel.sysrq = 1 to allow all keys. | |
0e685823 | 17 | # See https://docs.kernel.org/admin-guide/sysrq.html for a list |
bd9bb4ca | 18 | # of values and keys. |
0f59fe51 KS |
19 | kernel.sysrq = 16 |
20 | ||
8f27a221 KS |
21 | # Append the PID to the core filename |
22 | kernel.core_uses_pid = 1 | |
23 | ||
24 | # Source route verification (reverse-path filtering; 2 = loose mode) | |
def94437 | 25 | net.ipv4.conf.default.rp_filter = 2 |
5d4fc0e6 ZJS |
26 | net.ipv4.conf.*.rp_filter = 2 |
27 | -net.ipv4.conf.all.rp_filter | |
8f27a221 KS |
28 | |
29 | # Do not accept source-routed packets | |
def94437 | 30 | net.ipv4.conf.default.accept_source_route = 0 |
5d4fc0e6 ZJS |
31 | net.ipv4.conf.*.accept_source_route = 0 |
32 | -net.ipv4.conf.all.accept_source_route | |
8f27a221 | 33 | |
ad8bc9ea | 34 | # Promote secondary addresses when the primary address is removed |
def94437 | 35 | net.ipv4.conf.default.promote_secondaries = 1 |
5d4fc0e6 ZJS |
36 | net.ipv4.conf.*.promote_secondaries = 1 |
37 | -net.ipv4.conf.all.promote_secondaries | |
ad8bc9ea | 38 | |
0338934f LP |
39 | # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW |
40 | # The upper limit is set to 2^31-1. Values greater than that get rejected by | |
41 | # the kernel because of this definition in linux/include/net/ping.h: | |
42 | # #define GID_T_MAX (((gid_t)~0U) >> 1) | |
43 | # That's not so bad because values between 2^31 and 2^32-1 are reserved on | |
1d10005b | 44 | # systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary |
000500c9 | 45 | -net.ipv4.ping_group_range = 0 2147483647 |
0338934f | 46 | |
e6c253e3 | 47 | # Fair Queue CoDel packet scheduler to fight bufferbloat |
fa98c99e | 48 | -net.core.default_qdisc = fq_codel |
e6c253e3 | 49 | |
8f27a221 KS |
50 | # Enable hard and soft link protection |
51 | fs.protected_hardlinks = 1 | |
52 | fs.protected_symlinks = 1 | |
27325875 LW |
53 | |
54 | # Enable regular file and FIFO protection | |
55 | fs.protected_regular = 1 | |
56 | fs.protected_fifos = 1 |