author | PÁLI Gábor János <pali.gabor@gmail.com> | 2024-03-20 08:25:34 +0100 |
---|---|---|
committer | PÁLI Gábor János <pali.gabor@gmail.com> | 2024-03-24 14:50:37 +0100 |
commit | 1eed3cd2b7584460658bcda4697f3c0f46afee4b (patch) | |
tree | d9c79b5501def77ebc4f39753b9f72915d80f34a /etc/optional/ipv6 | |
parent | c23f774936ce4ac1c3c7584a65c20c6a63db7069 (diff) | |
download | freebsd-wifibox-alpine-1eed3cd2b7584460658bcda4697f3c0f46afee4b.zip |
base-layout: expose sysctl configuration to the host
There are certain `sysctl` tunables that can influence the
performance of the solution, and as such, it is worth making them
accessible for fine-tuning.
As part of this change, factor out the IPV6-related settings to
make it conditional on the actual configuration settings. Also,
adjust some of the default settings to reflect saner values.
Suggested by: Anton Saietskii <vsasjason@gmail.com>
Diffstat (limited to 'etc/optional/ipv6')
-rw-r--r-- | etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample | 10 | ||||
-rw-r--r-- | etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample | 10 |
2 files changed, 20 insertions, 0 deletions
diff --git a/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample new file mode 100644 index 0000000..29bd382 --- /dev/null +++ b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample @@ -0,0 +1,10 @@ +# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041) +net.ipv6.conf.all.use_tempaddr = 2 +net.ipv6.conf.default.use_tempaddr = 2 + +# Redirects can potentially be used to maliciously alter hosts routing +# tables. +net.ipv6.conf.all.accept_redirects = 0 + +# The source routing feature includes some known vulnerabilities. +net.ipv6.conf.all.accept_source_route = 0 diff --git a/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample new file mode 100644 index 0000000..29bd382 --- /dev/null +++ b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample @@ -0,0 +1,10 @@ +# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041) +net.ipv6.conf.all.use_tempaddr = 2 +net.ipv6.conf.default.use_tempaddr = 2 + +# Redirects can potentially be used to maliciously alter hosts routing +# tables. +net.ipv6.conf.all.accept_redirects = 0 + +# The source routing feature includes some known vulnerabilities. +net.ipv6.conf.all.accept_source_route = 0 |
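Review bot: In etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample, `accept_redirects` and `accept_source_route` are set only under `net.ipv6.conf.all`, while `use_tempaddr` is set under both `all` and `default`. Interfaces that appear after the sysctl files are applied take their initial values from `default`, so the redirect and source-route hardening may not reach them. Consider adding `net.ipv6.conf.default.accept_redirects = 0` and `net.ipv6.conf.default.accept_source_route = 0` next to the `all` lines, matching the pattern already used for `use_tempaddr`. Minor: the comment should read "hosts' routing tables".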
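Review bot: In etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample (and the identical hostapd copy), the comment on `net.ipv6.conf.all.accept_source_route = 0` reads as if the value turns source routing off, but for the Linux IPv6 stack `0` is already the default and still accepts routing header type 2; only a negative value rejects routing headers entirely. If the intent is to refuse source routing outright, use `-1`; otherwise reword the comment to say that the line pins the default. The RFC reference in the first comment could also mention RFC 8981, which obsoletes RFC 4941.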