Index: libexec/rc/rc.conf
===================================================================
--- libexec/rc/rc.conf
+++ libexec/rc/rc.conf
@@ -234,7 +234,7 @@
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
 tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
 # NOTE: this violates the TCP specification
-icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
+icmp_drop_redirect="auto" # Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto" # List of network interfaces (or "auto").
 cloned_interfaces="" # List of cloned network interfaces to create.
Index: libexec/rc/rc.d/routed
===================================================================
--- libexec/rc/rc.d/routed
+++ libexec/rc/rc.d/routed
@@ -3,7 +3,7 @@
 # $FreeBSD$
 #
-# PROVIDE: routed
+# PROVIDE: routed dynamicrouting
 # REQUIRE: netif routing
 # BEFORE: NETWORK
 # KEYWORD: nojailvnet
Index: libexec/rc/rc.d/routing
===================================================================
--- libexec/rc/rc.d/routing
+++ libexec/rc/rc.d/routing
@@ -292,6 +292,34 @@
 fi
 }
+_search_dynamicrouting()
+{
+ _dynamicrouting=$( # do not pollute the environment, use a subshell
+ # copied from /etc/rc
+ skip="-s nostart"
+ if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+ skip="$skip -s nojail"
+ fi
+ [ -n "$local_startup" ] && find_local_scripts_new
+ files=`rcorder ${skip} /etc/rc.d/* ${local_rc} 2>/dev/null`
+ for file in $files; do
+ if grep -q ^rcvar $file; then
+ eval `grep ^name= $file`
+ eval `grep ^rcvar $file`
+ if [ -n "$rcvar" ]; then
+ load_rc_config_var ${name} ${rcvar}
+ fi
+ checkyesno $rcvar 2>/dev/null || continue;
+ if grep -qE '^# PROVIDE:.*\' $file; then
+ echo $file
+ break
+ fi
+ fi
+ done
+ )
+}
 options_inet()
 {
 _ropts_initdone=
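Review bot: The trailing comment on `+icmp_drop_redirect="auto"` still reads `# Set to YES to ignore ICMP REDIRECT packets`, so the new default value is unexplained in the one place most administrators read it. Suggest `icmp_drop_redirect="auto" # YES ignores ICMP REDIRECT, NO honours it, "auto" ignores only when a dynamic-routing daemon is enabled`. The security consequence is worth stating as well: when "auto" resolves to NO on an ordinary host, an on-link sender can still rewrite that host's routes with forged redirects, so hosts that do not depend on redirects should set YES explicitly rather than assume the new default hardens them; the man-page text in this change justifies AUTO on routing-table performance alone.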
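Review bot: The pattern in `+ if grep -qE '^# PROVIDE:.*\' $file; then` is unterminated as rendered here, a trailing backslash directly before the closing quote, so either the copy shown has lost the keyword (presumably a `\<dynamicrouting\>` word match swallowed as markup) or the committed grep does not match what it is meant to; please confirm the committed line anchors on the word `dynamicrouting`, and quote `$file` while there. The `# copied from /etc/rc` block re-implements rc's rcorder keyword filtering (`-s nostart`, `-s nojail`) instead of sharing it, so any later change to the skip set in /etc/rc silently changes which scripts this search considers; a comment such as `# keep this skip list in sync with /etc/rc` or a shared helper in rc.subr would prevent that drift. The loop also `eval`s whatever `name=`/`rcvar=` lines it greps out of every rcorder'd script and calls `load_rc_config_var` for each, which is acceptable only because rc.d scripts are root-owned and should be said in a comment, and it runs on every `routing` start, not just at boot. Because `grep ^rcvar $file` returns every line starting with `rcvar`, a script with more than one such line has all of them evaluated, which is inherited from /etc/rc but worth knowing when reading this copy.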
@@ -303,7 +331,18 @@
 ${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null
 fi
- if checkyesno icmp_drop_redirect; then
+ _icmp_drop_redirect="${icmp_drop_redirect}"
+ case "${_icmp_drop_redirect}" in
+ [Aa][Uu][Tt][Oo] | "")
+ _search_dynamicrouting
+ if [ -n "$_dynamicrouting" ]; then
+ _icmp_drop_redirect="yes"
+ else
+ _icmp_drop_redirect="no"
+ fi
+ ;;
+ esac
+ if checkyesno _icmp_drop_redirect; then
 ropts_init inet
 echo -n ' ignore ICMP redirect=YES'
 ${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null
Index: share/man/man5/rc.conf.5
===================================================================
--- share/man/man5/rc.conf.5
+++ share/man/man5/rc.conf.5
@@ -1182,11 +1182,19 @@
 .It Va icmp_drop_redirect
 .Pq Vt bool
 Set to
-.Dq Li NO
-by default.
+.Dq Li AUTO
+by default. This setting will be identical to
+.Dq Li YES ,
+if a dynamicrouting daemon is enabled, because redirect processing may
+cause perfomance issues for large routing tables. If no such service
+is enabled, this setting behaves like a
+.Dq Li NO .
 Setting to
 .Dq Li YES
 will cause the kernel to ignore ICMP REDIRECT packets.
+Setting to
+.Dq Li NO
+will cause the kernel to process ICMP REDIRECT packets.
 Refer to
 .Xr icmp 4
 for more information.
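Review bot: The `auto` branch resolves `_icmp_drop_redirect` once, from whichever scripts happen to be enabled when `routing` starts, and when it resolves to `no` nothing is echoed, so an administrator cannot tell from the boot output whether redirects are being honoured. Enabling routed later (or running a routing daemon whose script does not carry `PROVIDE: dynamicrouting`) does not revisit `net.inet.icmp.drop_redirect` until `routing` is restarted, and the `[Aa][Uu][Tt][Oo] | ""` case means an unset or empty variable now silently receives the same treatment. Suggest a comment on the `case` line, `# "auto"/unset: drop redirects only if an enabled rc.d script PROVIDEs dynamicrouting; evaluated at routing start only`, and printing the resolved value on the `no` path as well so it is visible. The `if checkyesno _icmp_drop_redirect` block continues past the end of this hunk, so I cannot see whether an explicit `drop_redirect=0` is applied when the answer is no.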