From 36151dde5327885ca18e86dbb13e422a7aa9281c Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 1 Nov 2024 17:06:08 -0400
Subject: [PATCH] Set net.ipv4 sysctl flags via server metapackage
Instead of setting these via ansible, let's ship them in this package so it's easier to tweak them in the future without needing future ansible runs. This should be safe to ship even with these values in /etc/sysctld.conf since they're the same values for now; but we'll have the next server version remove them from that file now that they're owned by the kernel packaging. Refs .
---
 .../etc/sysctl.d/30-securedrop.conf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf b/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
index 05d116c..09e5a3e 100644
--- a/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
+++ b/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
@@ -1 +1,16 @@
 vm.heap_stack_gap=1048576
+
+net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
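Review bot: While the same keys also remain in /etc/sysctl.conf, any later tweak to the values added in this hunk will be silently overridden, because systemd-sysctl applies /etc/sysctl.d/*.conf in lexical order and on Debian /etc/sysctl.conf is read last through the 99-sysctl.conf symlink; the commit message acknowledges the duplication, but nothing in the file itself does. A header comment such as `# Owned by the securedrop-grsec package; duplicates in /etc/sysctl.conf take precedence until that file is cleaned up` would make that precedence visible to the next person editing it. The new lines use `key = value` while the existing `vm.heap_stack_gap=1048576` has no spaces; both forms parse, but one style throughout would be cleaner. If IPv6 is not disabled elsewhere on these hosts, the redirect and source-route settings have no `net.ipv6.conf.all.*` counterparts here, which may be intentional but is worth confirming.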