refactor: split sysctl file

2024-02-04 12:52:08 -05:00 · 2024-02-04 12:52:08 -05:00 · 1b98ea698d
commit 1b98ea698d
parent f0d2e555ac
13 changed files with 346 additions and 127 deletions
--- a/common/nixos/sysctl/networking/default.nix
+++ b/common/nixos/sysctl/networking/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./ipv4.nix
+    ./ipv6.nix
+    ./net.nix
+  ];
+}
--- a/common/nixos/sysctl/networking/ipv4.nix
+++ b/common/nixos/sysctl/networking/ipv4.nix
@ -0,0 +1,114 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl = {
+    # enable BBR congestion control
+    "net.ipv4.tcp_congestion_control" = "bbr";
+
+    # disallow IPv4 packet forwarding
+    "net.ipv4.ip_forward" = 0;
+
+    # enable SYN cookies for SYN flooding protection
+    "net.ipv4.tcp_syncookies" = 1;
+
+    # number of times SYNACKs for a passive TCP connection attempt will be retransmitted
+    "net.ipv4.tcp_synack_retries" = 5;
+
+    # do not send redirects
+    "net.ipv4.conf.default.send_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+
+    # do not accept packets with SRR option
+    "net.ipv4.conf.default.accept_source_route" = 0;
+    "net.ipv4.conf.all.accept_source_route" = 0;
+
+    # enable reverse path source validation (BCP38)
+    # refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+
+    # log packets with impossible addresses to kernel log
+    "net.ipv4.conf.default.log_martians" = 1;
+    "net.ipv4.conf.all.log_martians" = 1;
+
+    # do not accept ICMP redirect messages
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+
+    # disable sending and receiving of shared media redirects
+    # this setting overwrites net.ipv4.conf.all.secure_redirects
+    # refer to RFC1620
+    "net.ipv4.conf.default.shared_media" = 0;
+    "net.ipv4.conf.all.shared_media" = 0;
+
+    # always use the best local address for announcing local IP via ARP
+    "net.ipv4.conf.default.arp_announce" = 2;
+    "net.ipv4.conf.all.arp_announce" = 2;
+
+    # reply only if the target IP address is local address configured on the incoming interface
+    "net.ipv4.conf.default.arp_ignore" = 1;
+    "net.ipv4.conf.all.arp_ignore" = 1;
+
+    # drop Gratuitous ARP frames to prevent ARP poisoning
+    # this can cause issues when ARP proxies are used in the network
+    "net.ipv4.conf.default.drop_gratuitous_arp" = 1;
+    "net.ipv4.conf.all.drop_gratuitous_arp" = 1;
+
+    # ignore all ICMP echo requests
+    #net.ipv4.icmp_echo_ignore_all = 1
+
+    # ignore all ICMP echo and timestamp requests sent to broadcast/multicast
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+
+    # ignore bad ICMP errors
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+
+    # mitigate TIME-WAIT Assassination hazards in TCP
+    # refer to RFC1337
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    # disable TCP window scaling
+    # this makes the host less susceptible to TCP RST DoS attacks
+    # could drastically reduce throughput if latency is high
+    #net.ipv4.tcp_window_scaling = 0
+
+    # increase system IP port limits
+    "net.ipv4.ip_local_port_range" = "1024 65535";
+
+    # TCP timestamps could provide protection against wrapped sequence numbers,
+    #   but the host's uptime can be calculated precisely from its timestamps
+    # it is also possible to differentiate operating systems based on their use of timestamps
+    # - 0: disable TCP timestamps
+    # - 1: enable timestamps as defined in RFC1323 and use random offset for
+    #        each connection rather than only using the current time
+    # - 2: enable timestamps without random offsets
+    "net.ipv4.tcp_timestamps" = 0;
+
+    # enabling SACK can increase the throughput
+    # but SACK is commonly exploited and rarely used
+    "net.ipv4.tcp_sack" = 0;
+    "net.ipv4.tcp_dsack" = 0;
+    "net.ipv4.tcp_fack" = 0;
+
+    # divide socket buffer evenly between TCP window size and application
+    "net.ipv4.tcp_adv_win_scale" = 1;
+
+    # SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
+    #   but it could be helpful on a variable-speed network (e.g., LTE)
+    # uncomment this if you are on a fixed-speed network
+    "net.ipv4.tcp_slow_start_after_idle" = 0;
+
+    # enabling MTU probing helps mitigating PMTU blackhole issues
+    # this may not be desirable on congested networks
+    "net.ipv4.tcp_mtu_probing" = 1;
+    "net.ipv4.tcp_base_mss" = 1024;
+
+    # increase memory thresholds to prevent packet dropping
+    "net.ipv4.tcp_rmem" = "4096 87380 8388608";
+    "net.ipv4.tcp_wmem" = "4096 87380 8388608";
+  };
+}
--- a/common/nixos/sysctl/networking/ipv6.nix
+++ b/common/nixos/sysctl/networking/ipv6.nix
@ -0,0 +1,56 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl = {
+    # disallow IPv6 packet forwarding
+    "net.ipv6.conf.default.forwarding" = 0;
+    "net.ipv6.conf.all.forwarding" = 0;
+
+    # number of Router Solicitations to send until assuming no routers are present
+    "net.ipv6.conf.default.router_solicitations" = 0;
+    "net.ipv6.conf.all.router_solicitations" = 0;
+
+    # do not accept Router Preference from RA
+    "net.ipv6.conf.default.accept_ra_rtr_pref" = 0;
+    "net.ipv6.conf.all.accept_ra_rtr_pref" = 0;
+
+    # learn prefix information in router advertisement
+    "net.ipv6.conf.default.accept_ra_pinfo" = 0;
+    "net.ipv6.conf.all.accept_ra_pinfo" = 0;
+
+    # setting controls whether the system will accept Hop Limit settings from a router advertisement
+    "net.ipv6.conf.default.accept_ra_defrtr" = 0;
+    "net.ipv6.conf.all.accept_ra_defrtr" = 0;
+
+    # router advertisements can cause the system to assign a global unicast address to an interface
+    "net.ipv6.conf.default.autoconf" = 0;
+    "net.ipv6.conf.all.autoconf" = 0;
+
+    # number of neighbor solicitations to send out per address
+    "net.ipv6.conf.default.dad_transmits" = 0;
+    "net.ipv6.conf.all.dad_transmits" = 0;
+
+    # number of global unicast IPv6 addresses can be assigned to each interface
+    "net.ipv6.conf.default.max_addresses" = 1;
+    "net.ipv6.conf.all.max_addresses" = 1;
+
+    # enable IPv6 Privacy Extensions (RFC30;41) and prefer the temporary address
+    #"net.ipv6.conf.default.use_tempaddr" = 2; # Nix sets by default
+    "net.ipv6.conf.all.use_tempaddr" = 2;
+
+    # ignore IPv6 ICMP redirect messages
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+
+    # do not accept packets with SRR option
+    "net.ipv6.conf.default.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+
+    # ignore all ICMPv6 echo requests
+    #net.ipv6.icmp.echo_ignore_all = 1
+    #net.ipv6.icmp.echo_ignore_anycast = 1
+    #net.ipv6.icmp.echo_ignore_multicast = 1
+  };
+}
--- a/common/nixos/sysctl/networking/net.nix
+++ b/common/nixos/sysctl/networking/net.nix
@ -0,0 +1,21 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl = {
+    # increase the maximum length of processor input queues
+    "net.core.netdev_max_backlog" = 250000;
+
+    # enable BPF JIT hardening for all users
+    # this trades off performance, but can mitigate JIT spraying
+    "net.core.bpf_jit_harden" = 2;
+
+    # increase TCP max buffer size setable using setsockopt()
+    "net.core.rmem_max" = 8388608;
+    "net.core.wmem_max" = 8388608;
+    "net.core.rmem_default" = 8388608;
+    "net.core.wmem_default" = 8388608;
+    #net.core.optmem_max = 40960
+  };
+}