openwrt/package/base-files/files/etc/sysctl.conf

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
fix sysctl issues SVN-Revision: 768 19 years ago			`kernel.panic=3`
base-files: fix typo in core dump pattern sysctl entry (fixes #20489) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 46890 9 years ago			`kernel.core_pattern=/tmp/%e.%t.%p.%s.core`
basefiles: allow suid coredumps Set sysctl fs.suid_dumpable = 2 This allows suid processes to dump core according to kernel.core_pattern setting. LEDE typically uses suid to drop root priviledge rather than gain it but without this setting any suid process would be unable to produce coredumps (e.g. dnsmasq) Processes still need to set a non zero core file process limit ('ulimit -c unlimited' or if procd used 'procd_set_param limits core="unlimited"') in order to produce a core. This setting removes an obscure stumbling block along the way. >From https://www.kernel.org/doc/Documentation/sysctl/fs.txt suid_dumpable: This value can be used to query and set the core dump mode for setuid or otherwise protected/tainted binaries. The modes are 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped. 1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes. 2 - (suidsafe) - any binary which normally would not be dumped is dumped anyway, but only if the "core_pattern" kernel sysctl is set to either a pipe handler or a fully qualified path. (For more details on this limitation, see CVE-2006-2451.) This mode is appropriate when administrators are attempting to debug problems in a normal environment, and either have a core dump pipe handler that knows to treat privileged core dumps with care, or specific directory defined for catching core dumps. If a core dump happens without a pipe handler or fully qualifid path, a message will be emitted to syslog warning about the lack of a correct setting. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase] 7 years ago			`fs.suid_dumpable=2`
base-files: set kernel.core_pattern in sysctl.conf Move the pattern setting from netifd's service script to /etc/sysctl.conf. Put the timestamp component '%t' just after executable name '%e' for more natural order from output of ls command. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> SVN-Revision: 46867 9 years ago
sync the sysctls with whiterussian, and tune the conntrack timeouts SVN-Revision: 4133 18 years ago			`net.ipv4.conf.default.arp_ignore=1`
			`net.ipv4.conf.all.arp_ignore=1`
fix sysctl issues SVN-Revision: 768 19 years ago			`net.ipv4.ip_forward=1`
			`net.ipv4.icmp_echo_ignore_broadcasts=1`
			`net.ipv4.icmp_ignore_bogus_error_responses=1`
base-files: increase igmp_max_memberships to improve multicast-proxy handling SVN-Revision: 42227 10 years ago			`net.ipv4.igmp_max_memberships=100`
fix sysctl issues SVN-Revision: 768 19 years ago			`net.ipv4.tcp_fin_timeout=30`
			`net.ipv4.tcp_keepalive_time=120`
sync the sysctls with whiterussian, and tune the conntrack timeouts SVN-Revision: 4133 18 years ago			`net.ipv4.tcp_syncookies=1`
base-files: enable TCP timestamps, enable sack/dsack. (patch by Dave Täht) A year of testing in the cerowrt project shows not using timestamps to be a very bad idea in nearly any TCP at speeds above a few Mbit. Lastly sack/dsack help on recovery from larger amounts of packet loss. SVN-Revision: 32513 12 years ago			`net.ipv4.tcp_timestamps=1`
			`net.ipv4.tcp_sack=1`
			`net.ipv4.tcp_dsack=1`
base-files: update sysctl.conf for modern kernels SVN-Revision: 26204 13 years ago
base-files: set default IPv6 forwarding value to 1 SVN-Revision: 36918 11 years ago			`net.ipv6.conf.default.forwarding=1`
			`net.ipv6.conf.all.forwarding=1`
base-files: add support for ipv6-prefixes in connection with netifd SVN-Revision: 35168 12 years ago
base-files: enable conntrack accounting in sysctl. It used to be a compile time option which got deprecated SVN-Revision: 30805 12 years ago			`net.netfilter.nf_conntrack_acct=1`
base-files: update sysctl.conf for modern kernels SVN-Revision: 26204 13 years ago			`net.netfilter.nf_conntrack_checksum=0`
			`net.netfilter.nf_conntrack_max=16384`
base-files: adjust the default netfilter tcp established connection timeout as per RFC 5382 (#17098) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 41599 10 years ago			`net.netfilter.nf_conntrack_tcp_timeout_established=7440`
base-files: update sysctl.conf for modern kernels SVN-Revision: 26204 13 years ago			`net.netfilter.nf_conntrack_udp_timeout=60`
			`net.netfilter.nf_conntrack_udp_timeout_stream=180`

base-files: disable bridge firewalling by default SVN-Revision: 19214 15 years ago			`# disable bridge firewalling by default`
			`net.bridge.bridge-nf-call-arptables=0`
			`net.bridge.bridge-nf-call-ip6tables=0`
			`net.bridge.bridge-nf-call-iptables=0`