Paths

Table of Contentst

Disable ICMP (v4) redirects by default
Needs ReviewPublic
Actions

Authored by emaste on May 6 2024, 3:14 PM.

Details

Reviewers

philip
gordon
melifaro
donner

Summary

Relnotes: Yes

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

emaste created this revision.May 6 2024, 3:14 PM

Herald added subscribers: glebius, melifaro. · View Herald TranscriptMay 6 2024, 3:14 PM

emaste requested review of this revision.May 6 2024, 3:14 PM

Based on discussion on a recent secteam call. After putting this together I discovered D23329, which provides an rc.conf setting defaulting to AUTO which is set to yes (drop) if a routing daemon is enabled, and no if not - so if we do want to make this change we'll want to update rc.d/routing as well.

CC @donner and @melifaro.

I agree that this default is a long due to be changed. Needs to be mentioned in Release Notes, though.

switch userland default as well

emaste added inline comments.May 6 2024, 7:43 PM

libexec/rc/rc.d/routing
341 ↗	(On Diff #138186)	I don't think there's an issue with just changing the var itself from AUTO to YES (i.e., avoiding the underscore-prefixed dance)

emaste added reviewers: melifaro, donner.May 6 2024, 7:44 PM

emaste added a subscriber: network.May 6 2024, 11:13 PM

ceri added a subscriber: ceri.May 7 2024, 7:41 AM

ceri added inline comments.

libexec/rc/rc.d/routing
340 ↗	(On Diff #138186)	Is the \|”” still appropriate? It seems to have the wrong default behaviour if this is somehow unset.

emaste added inline comments.May 7 2024, 12:29 PM

libexec/rc/rc.d/routing
340 ↗	(On Diff #138186)	Default is now yes, so choosing yes if unset seems appropriate?

ceri added inline comments.May 7 2024, 12:53 PM

libexec/rc/rc.d/routing
340 ↗	(On Diff #138186)	A very fine point; was reading backwards.

rgrimes added a subscriber: rgrimes.May 7 2024, 3:02 PM

rgrimes added inline comments.

libexec/rc/rc.d/routing
341 ↗	(On Diff #138186)	For systems doing "updates" just switching auto to yes may break some installations.

gordon added inline comments.May 7 2024, 5:08 PM

libexec/rc/rc.d/routing
341 ↗	(On Diff #138186)	That's kind of the point here. At some point we have to break some eggs. We will doing this for 15 and not intending to MFC. It will be a release note item.
346 ↗	(On Diff #138186)	Should we print this on the yes case given it is now the default?

emaste added inline comments.May 7 2024, 5:33 PM

libexec/rc/rc.d/routing
346 ↗	(On Diff #138186)	Hrm, good question. This is one of the unfortunate side effects of negative-sense sysctls; we print a message in all of the "= 1" cases so there's some argument for keeping that for consistency. We could instead print `ignore ICMP redirect=NO` in the no case I suppose.

We probably need a similar change for IPv6 redirects.

emaste added inline comments.Jun 13 2024, 1:22 AM

libexec/rc/rc.d/routing
341 ↗	(On Diff #138186)	Also note that redirects are a performance optimization, if a system changes to yes after upgrade it won't "break" in the sense of network unreachability.

ICMP6:

VNET_DEFINE_STATIC(int, icmp6_rediraccept) = 1;
#define V_icmp6_rediraccept     VNET(icmp6_rediraccept)
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, rediraccept,
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmp6_rediraccept), 0,
    "Accept ICMPv6 redirect messages");

It appears there's no rc.conf machinery to configure this though?

Herald added a subscriber: ziaee. · View Herald TranscriptAug 19 2025, 1:14 PM

A long long time ago ( I was a student then ), I enabled drop_redirect on one of my VM, but the router ( out of my control ) keep sending ICMP redirects. That confused me for quite a long time until I figured out that is perfect legitimate for routers to do that.

I meant, if the industry encourage disabling sending ICMP redirects on routers, then it is good time to drop ICMP redirects on a host, for security reason.

Revision Contents
Changeset List

Path

Size

sys/

netinet/

ip_icmp.c

2 lines

Diff 138163

View Options

Disable ICMP (v4) redirects by defaultNeeds ReviewPublicActions