nixos/systemd: install sysctl snippets

systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.

These enable:
 - Loose reverse path filtering
 - Source route filtering
 - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`.

Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.

nixos/doc/manual/release-notes/rl-1909.xml

@@ -444,6 +444,30 @@
       two-digit number and a dash to simplify the ordering of the files.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      We now install the sysctl snippets shipped with systemd.
+    <itemizedlist>
+     <para>This enables:</para>
+     <listitem>
+      <para>Loose reverse path filtering</para>
+     </listitem>
+     <listitem>
+      <para>Source route filtering</para>
+     </listitem>
+     <listitem>
+      <para>
+       <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+      </para>
+     </listitem>
+    </itemizedlist>
+
+     This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
+     These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
+     and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+     (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 </section>

nixos/modules/config/sysctl.nix

@@ -52,12 +52,6 @@ in
         restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
       };
 
-    # Enable hardlink and symlink restrictions.  See
-    # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
-    # for details.
-    boot.kernel.sysctl."fs.protected_hardlinks" = true;
-    boot.kernel.sysctl."fs.protected_symlinks" = true;
-
     # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
     # users as these make it easier to exploit kernel vulnerabilities.
     boot.kernel.sysctl."kernel.kptr_restrict" = 1;

nixos/modules/profiles/hardened.nix

@@ -95,23 +95,17 @@ with lib;
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
 
-  # Enable reverse path filtering (that is, do not attempt to route packets
-  # that "obviously" do not belong to the iface's network; dropped packets are
-  # logged as martians).
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
   boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
   boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
   # Ignore broadcast ICMP (mitigate SMURF)
   boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
 
-  # Ignore route information from sender
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
-
   # Ignore incoming ICMP redirects (note: default is needed to ensure that the
   # setting is applied to interfaces added after the sysctls are set)
   boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;

nixos/modules/system/boot/systemd.nix

@@ -831,6 +831,10 @@ in
         [Sleep]
       '';
 
+      # install provided sysctl snippets
+      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
       "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
       "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
 

nixos/modules/virtualisation/google-compute-config.nix

@@ -159,12 +159,6 @@ in
     # functionality/features (e.g. TCP Window scaling).
     "net.ipv4.tcp_syncookies" = mkDefault "1";
 
-    # ignores source-routed packets
-    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
-    # ignores source-routed packets
-    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
     # ignores ICMP redirects
     "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
 
@@ -186,10 +180,10 @@ in
     # don't allow traffic between networks or act as a router
     "net.ipv4.conf.default.send_redirects" = mkDefault "0";
 
-    # reverse path filtering - IP spoofing protection
+    # strict reverse path filtering - IP spoofing protection
     "net.ipv4.conf.all.rp_filter" = mkDefault "1";
 
-    # reverse path filtering - IP spoofing protection
+    # strict path filtering - IP spoofing protection
     "net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
     # ignores ICMP broadcasts to avoid participating in Smurf attacks