summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorErmal <eri@pfsense.org>2014-11-10 20:47:14 (GMT)
committerErmal <eri@pfsense.org>2014-11-10 20:47:14 (GMT)
commitd87fcac96b45958bd777c7ac38cc0665dbde6062 (patch)
tree599a680c39d7db4a859595b17fe65b948def3dc9
parent24d728bb4feb848b10d42a81df0e0a92dd599764 (diff)
downloadunivnautes-d87fcac96b45958bd777c7ac38cc0665dbde6062.zip
univnautes-d87fcac96b45958bd777c7ac38cc0665dbde6062.tar.gz
univnautes-d87fcac96b45958bd777c7ac38cc0665dbde6062.tar.bz2
Do not require the default sysctl items to be set on the config.xml but rather extract the definitions from the sysctl tree. Also to reduce config.xml size
-rw-r--r--conf.default/config.xml152
-rw-r--r--etc/inc/system.inc39
-rw-r--r--etc/inc/unbound.inc18
-rw-r--r--usr/local/www/system_advanced_sysctl.php33
4 files changed, 69 insertions, 173 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 01b2d59..68c361a 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -4,158 +4,6 @@
<version>9.9</version>
<lastchange></lastchange>
<theme>pfsense_ng</theme>
- <sysctl>
- <item>
- <descr><![CDATA[Disable the pf ftp proxy handler.]]></descr>
- <tunable>debug.pfftpproxy</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr>
- <tunable>vfs.read_max</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
- <tunable>net.inet.ip.portrange.first</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
- <tunable>net.inet.tcp.blackhole</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
- <tunable>net.inet.udp.blackhole</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr>
- <tunable>net.inet.ip.random_id</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
- <tunable>net.inet.tcp.drop_synfin</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable sending IPv4 redirects]]></descr>
- <tunable>net.inet.ip.redirect</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable sending IPv6 redirects]]></descr>
- <tunable>net.inet6.ip6.redirect</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
- <tunable>net.inet6.ip6.use_tempaddr</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
- <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
- <tunable>net.inet.tcp.syncookies</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr>
- <tunable>net.inet.tcp.recvspace</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr>
- <tunable>net.inet.tcp.sendspace</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[IP Fastforwarding]]></descr>
- <tunable>net.inet.ip.fastforwarding</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>
- <tunable>net.inet.tcp.delayed_ack</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
- <tunable>net.inet.udp.maxdgram</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
- <tunable>net.link.bridge.pfil_onlyip</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
- <tunable>net.link.bridge.pfil_member</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
- <tunable>net.link.bridge.pfil_bridge</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
- <tunable>net.link.tap.user_open</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
- <tunable>kern.randompid</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum size of the IP input queue]]></descr>
- <tunable>net.inet.ip.intr_queue_maxlen</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
- <tunable>hw.syscons.kbd_reboot</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Enable TCP extended debugging]]></descr>
- <tunable>net.inet.tcp.log_debug</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Set ICMP Limits]]></descr>
- <tunable>net.inet.icmp.icmplim</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[TCP Offload Engine]]></descr>
- <tunable>net.inet.tcp.tso</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[UDP Checksums]]></descr>
- <tunable>net.inet.udp.checksum</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Maximum socket buffer size]]></descr>
- <tunable>kern.ipc.maxsockbuf</tunable>
- <value>default</value>
- </item>
- <item>
- <descr><![CDATA[Reply ICMP from source interface]]></descr>
- <tunable>net.inet.icmp.reply_from_interface</tunable>
- <value>default</value>
- </item>
- </sysctl>
<system>
<optimization>normal</optimization>
<hostname>pfSense</hostname>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 273b5a2..87bbdb2 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -72,13 +72,50 @@ function get_default_sysctl_value($id) {
return $sysctls[$id];
}
+function get_sysctl_descr($sysctl) {
+ unset($output);
+ $_gb = exec("/sbin/sysctl -nd {$sysctl}", $output);
+
+ return $output[0];
+}
+
+function system_get_sysctls() {
+ global $config, $sysctls;
+
+ $disp_sysctl = array();
+ $disp_cache = array();
+ if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
+ foreach($config['sysctl']['item'] as $id => $tunable) {
+ if ($tunable['value'] == "default")
+ $value = get_default_sysctl_value($tunable['tunable']);
+ else
+ $value = $tunable['value'];
+
+ $disp_sysctl[$id] = $tunable;
+ $disp_sysctl[$id]['modified'] = true;
+ $disp_cache[$tunable['tunable']] = 'set';
+ }
+ }
+
+ foreach ($sysctls as $sysctl => $value) {
+ if (isset($disp_cache[$sysctl]))
+ continue;
+
+ $disp_sysctl[$sysctl] = array('tunable' => $sysctl, 'value' => $value, 'descr' => get_sysctl_descr($sysctl));
+
+
+ }
+ unset($disp_cache);
+ return $disp_sysctl;
+}
+
function activate_sysctls() {
global $config, $g, $sysctls;
if ($g['platform'] == 'jail')
return;
- if (is_array($config['sysctl'])) {
+ if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
foreach($config['sysctl']['item'] as $tunable) {
if($tunable['value'] == "default")
$value = get_default_sysctl_value($tunable['tunable']);
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index 4088035..b047346 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -79,14 +79,16 @@ function unbound_optimization() {
* Larger socket buffer for busy servers
* Check that it is set to 4MB (by default the OS has it configured to 4MB)
*/
- foreach ($config['sysctl']['item'] as $tunable) {
- if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') {
- $so = floor(($tunable['value']/1024/1024)-1);
- // Check to ensure that the number is not a negative
- if ($so > 0)
- $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m";
- else
- unset($optimization['so_rcvbuf']);
+ if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
+ foreach ($config['sysctl']['item'] as $tunable) {
+ if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') {
+ $so = floor(($tunable['value']/1024/1024)-1);
+ // Check to ensure that the number is not a negative
+ if ($so > 0)
+ $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m";
+ else
+ unset($optimization['so_rcvbuf']);
+ }
}
}
// Safety check in case kern.ipc.maxsockbuf is not available.
diff --git a/usr/local/www/system_advanced_sysctl.php b/usr/local/www/system_advanced_sysctl.php
index 7dcf3df..51e1bf0 100644
--- a/usr/local/www/system_advanced_sysctl.php
+++ b/usr/local/www/system_advanced_sysctl.php
@@ -47,25 +47,32 @@ require("guiconfig.inc");
$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_advanced_sysctl.php');
+if (!is_array($config['sysctl']))
+ $config['sysctl'] = array();
if (!is_array($config['sysctl']['item']))
$config['sysctl']['item'] = array();
$a_tunable = &$config['sysctl']['item'];
+$tunables = system_get_sysctls();
-if (is_numericint($_GET['id']))
- $id = $_GET['id'];
-if (isset($_POST['id']) && is_numericint($_POST['id']))
- $id = $_POST['id'];
+if (isset($_GET['id']))
+ $id = htmlspecialchars_decode($_GET['id']);
+if (isset($_POST['id']))
+ $id = htmlspecialchars_decode($_POST['id']);
$act = $_GET['act'];
if (isset($_POST['act']))
$act = $_POST['act'];
if ($act == "edit") {
- if ($a_tunable[$id]) {
+ if (isset($a_tunable[$id])) {
$pconfig['tunable'] = $a_tunable[$id]['tunable'];
$pconfig['value'] = $a_tunable[$id]['value'];
$pconfig['descr'] = $a_tunable[$id]['descr'];
+ } else if (isset($tunables[$id])) {
+ $pconfig['tunable'] = $tunables[$id]['tunable'];
+ $pconfig['value'] = $tunables[$id]['value'];
+ $pconfig['descr'] = $tunables[$id]['descr'];
}
}
@@ -111,7 +118,7 @@ if ($_POST) {
$tunableent['value'] = $_POST['value'];
$tunableent['descr'] = $_POST['descr'];
- if (isset($id) && $a_tunable[$id])
+ if (isset($id) && isset($a_tunable[$id]))
$a_tunable[$id] = $tunableent;
else
$a_tunable[] = $tunableent;
@@ -175,7 +182,11 @@ include("head.inc");
<td width="60%" class="listhdrr"><?=gettext("Description"); ?></td>
<td width="20%" class="listhdrr"><?=gettext("Value"); ?></td>
</tr>
- <?php $i = 0; foreach ($config['sysctl']['item'] as $tunable): ?>
+ <?php foreach ($tunables as $i => $tunable):
+
+ if (!isset($tunable['modified']))
+ $i = $tunable['tunable'];
+ ?>
<tr>
<td class="listlr" ondblclick="document.location='system_advanced_sysctl.php?act=edit&amp;id=<?=$i;?>';">
<?php echo $tunable['tunable']; ?>
@@ -185,10 +196,6 @@ include("head.inc");
</td>
<td class="listr" align="left" ondblclick="document.location='system_advanced_sysctl.php?act=edit&amp;id=<?=$i;?>';">
<?php echo $tunable['value']; ?>
- <?php
- if($tunable['value'] == "default")
- echo "(" . get_default_sysctl_value($tunable['tunable']) . ")";
- ?>
</td>
<td class="list nowrap">
<table border="0" cellspacing="0" cellpadding="1" summary="edit delete">
@@ -198,16 +205,18 @@ include("head.inc");
<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" alt="" />
</a>
</td>
+ <?php if (isset($tunable['modified'])): ?>
<td valign="middle">
<a href="system_advanced_sysctl.php?act=del&amp;id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?"); ?>')">
<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="" />
</a>
</td>
+ <?php endif; ?>
</tr>
</table>
</td>
</tr>
- <?php $i++; endforeach; ?>
+ <?php endforeach; unset($tunables); ?>
<tr>
<td class="list" colspan="3">
</td>