authorPÁLI Gábor János <pali.gabor@gmail.com>2024-03-20 08:25:34 +0100
committerPÁLI Gábor János <pali.gabor@gmail.com>2024-03-24 14:50:37 +0100
commit1eed3cd2b7584460658bcda4697f3c0f46afee4b (patch)
treed9c79b5501def77ebc4f39753b9f72915d80f34a /etc/optional/ipv6/hostapd
parentc23f774936ce4ac1c3c7584a65c20c6a63db7069 (diff)
base-layout: expose sysctl configuration to the host
There are certain `sysctl` tunables that can influence the performance of the solution, and as such, it is worth making them accessible for fine-tuning. As part of this change, factor out the IPv6-related settings to make them conditional on the actual configuration settings. Also, adjust some of the default settings to reflect saner values. Suggested by: Anton Saietskii <vsasjason@gmail.com>
Diffstat (limited to 'etc/optional/ipv6/hostapd')
-rw-r--r--etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample10
1 files changed, 10 insertions, 0 deletions
diff --git a/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample
new file mode 100644
index 0000000..29bd382
--- /dev/null
+++ b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample
@@ -0,0 +1,10 @@
+# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041)
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2
+
+# Redirects can potentially be used to maliciously alter hosts routing
+# tables.
+net.ipv6.conf.all.accept_redirects = 0
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv6.conf.all.accept_source_route = 0
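Review bot: The redirect and source-route hardening is applied only to the `all` scope, while `use_tempaddr` at the top of the file sets both `all` and `default`. For IPv6 the Linux kernel does not reliably copy `conf.all` values into per-interface settings, so an interface created after this file is loaded (the wireless or bridge device, presumably) may still start from the `default` value and accept redirects. I would add `net.ipv6.conf.default.accept_redirects = 0` and `net.ipv6.conf.default.accept_source_route = 0` next to the existing lines, which also matches what common hardening baselines set. It would also help to check the effective per-interface values on a running guest with `sysctl net.ipv6.conf`, since the result depends on when the file is applied relative to interface creation.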