From 1eed3cd2b7584460658bcda4697f3c0f46afee4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=81LI=20G=C3=A1bor=20J=C3=A1nos?=
Date: Wed, 20 Mar 2024 08:25:34 +0100
Subject: base-layout: expose sysctl configuration to the host

There are certain `sysctl` tunables that can influence the peformance of the solution, and as such, it is worth to make them accessible for fine-tuning. As part of this change, factor out the IPV6-related settings to make it conditional on the actual configuration settings. Also, adjust some of the default settings to reflect saner values.
Suggested by: Anton Saietskii
---
.../ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample
(limited to 'etc/optional/ipv6/wpa_supplicant')

diff --git a/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample
new file mode 100644
index 0000000..29bd382
--- /dev/null
+++ b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample
@@ -0,0 +1,10 @@
+# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041)
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2
+
+# Redirects can potentially be used to maliciously alter hosts routing
+# tables.
+net.ipv6.conf.all.accept_redirects = 0
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv6.conf.all.accept_source_route = 0
-- cgit v1.2.3
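Review bot: The `accept_redirects` and `accept_source_route` assignments at the end of the hunk are set for `all` only, while `use_tempaddr` above them is set for both `all` and `default`; the file is inconsistent with itself, and interfaces that appear after this file is applied (the wireless interface wpa_supplicant brings up is the obvious candidate) would presumably pick up the kernel's `default` values rather than these. On Linux, many `net.ipv6.conf.all.*` keys are also not propagated to already-existing per-interface settings, so `all` alone may leave existing interfaces unhardened — verify against the target kernel. Adding `net.ipv6.conf.default.accept_redirects = 0` and `net.ipv6.conf.default.accept_source_route = 0` next to their `all` counterparts closes both gaps and matches the pattern used for `use_tempaddr`. A one-line comment above the file, e.g. `# Both "all" and "default" are set so that existing and future interfaces get the same values`, would make the intent clear to whoever tunes this sample later.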