Merge pull request #13 from kinvolk/kai/baselayout-sysctl-order

sysctl.d: Add prefix 60 to baselayout.conf and set rp_filter values
flatcar · Dec 15, 2020 · 69ed7c7 · 69ed7c7
2 parents b989f2c + d5a9775
commit 69ed7c7
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 16 deletions.
diff --git a/sysctl.d/60-baselayout.conf b/sysctl.d/60-baselayout.conf
@@ -0,0 +1,21 @@
+# sysctl defaults for Flatcar
+
+# Enable IPv4 forwarding to support NAT in containers
+net.ipv4.ip_forward = 1
+
+# Disable source route verification (reverse path filtering) due to Cilium
+# https://github.com/cilium/cilium/issues/10645
+# For future interfaces:
+net.ipv4.conf.default.rp_filter = 0
+# and for all existing interfaces:
+net.ipv4.conf.all.rp_filter = 0
+# (for varying settings per interface: match existing interfaces by a glob, excluding the special "all" name)
+net.ipv4.conf.*.rp_filter = 0
+-net.ipv4.conf.all.rp_filter
+
+# Disable kernel address visibility to non-root users.
+kernel.kptr_restrict = 1
+
+# Disable regular file and FIFO protection for compatibility.
+fs.protected_regular = 0
+fs.protected_fifos = 0
diff --git a/sysctl.d/baselayout.conf b/sysctl.d/baselayout.conf