F154560391
D45102.diff
D45102.diff
Index: libexec/rc/rc.conf
===================================================================
--- libexec/rc/rc.conf
+++ libexec/rc/rc.conf
@@ -262,7 +262,7 @@
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
# NOTE: this violates the TCP specification
-icmp_drop_redirect="auto" # Set to YES to ignore ICMP REDIRECT packets
+icmp_drop_redirect="YES" # Set to NO to process ICMP REDIRECT packets
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
cloned_interfaces="" # List of cloned network interfaces to create.
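Review bot: With `icmp_drop_redirect` now defaulting to `YES`, the adjacent `icmp_log_redirect="NO"` default means a host keeps no record of the redirects it receives, which is the one signal an operator would have for a misconfigured gateway or spoofed on-link redirects. Whether the logging path still runs for ignored redirects is decided in ip_icmp.c, outside this hunk, and should be confirmed. If it does, the comment could say so, e.g. `# Set to YES to log ICMP REDIRECT packets (also when ignored)`.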
Index: libexec/rc/rc.d/routing
===================================================================
--- libexec/rc/rc.d/routing
+++ libexec/rc/rc.d/routing
@@ -325,30 +325,8 @@
fi
}
-_check_dynamicrouting()
-{
- local skip file name rcvar
-
- # copied from /etc/rc
- skip="-s nostart"
- if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
- skip="$skip -s nojail"
- fi
- [ -n "$local_startup" ] && find_local_scripts_new
- [ -n "$system_rc" ] && find_system_scripts
-
- for file in $( rcorder ${skip} ${system_rc} ${local_rc} 2>/dev/null |
- xargs grep -lE '^# PROVIDE:.*\<dynamicrouting\>' ); do
- (set -- enabled; . $file) && return 0;
- done
-
- return 1
-}
-
options_inet()
{
- local _icmp_drop_redirect
-
_ropts_initdone=
if checkyesno icmp_bmcastecho; then
ropts_init inet
@@ -358,17 +336,12 @@
${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null
fi
- _icmp_drop_redirect="${icmp_drop_redirect}"
- case "${_icmp_drop_redirect}" in
+ case "${icmp_drop_redirect}" in
[Aa][Uu][Tt][Oo] | "")
- if _check_dynamicrouting; then
- _icmp_drop_redirect="yes"
- else
- _icmp_drop_redirect="no"
- fi
+ icmp_drop_redirect="yes"
;;
esac
- if checkyesno _icmp_drop_redirect; then
+ if checkyesno icmp_drop_redirect; then
ropts_init inet
echo -n ' ignore ICMP redirect=YES'
${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null
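Review bot: The `[Aa][Uu][Tt][Oo] | "")` arm now silently treats `auto` as yes and writes `icmp_drop_redirect="yes"` into the rc.conf variable itself, where the removed code worked on a `local` copy. A host that had `auto` set with no dynamic routing daemon used to process redirects and will stop doing so on upgrade without any notice. A comment in the arm such as `# "auto" is kept for backwards compatibility and now always means YES` would document this, and a one-line boot-time notice for the `auto` case could be considered. `options_inet` starts in the previous hunk and continues past the end of this one, so the NO branch is not visible here.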
Index: share/man/man5/rc.conf.5
===================================================================
--- share/man/man5/rc.conf.5
+++ share/man/man5/rc.conf.5
@@ -22,7 +22,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd May 4, 2024
+.Dd May 6, 2024
.Dt RC.CONF 5
.Os
.Sh NAME
@@ -1348,20 +1348,15 @@
.It Va icmp_drop_redirect
.Pq Vt bool
Set to
-.Dq Li AUTO
-by default.
-This setting will be identical to
-.Dq Li YES ,
-if a dynamic routing daemon is enabled, because redirect processing may
-cause performance issues for large routing tables.
-If no such service is enabled, this setting behaves like a
-.Dq Li NO .
-Setting to
.Dq Li YES
-will cause the kernel to ignore ICMP REDIRECT packets.
+by default, which causes the kernel to ignore ICMP REDIRECT packets.
Setting to
.Dq Li NO
will cause the kernel to process ICMP REDIRECT packets.
+For backwards compatibility
+.Dq Li AUTO
+is also accepted and is identical to
+.Dq Li YES .
Refer to
.Xr icmp 4
for more information.
Index: sys/netinet/ip_icmp.c
===================================================================
--- sys/netinet/ip_icmp.c
+++ sys/netinet/ip_icmp.c
@@ -125,7 +125,7 @@
&VNET_NAME(icmpmaskfake), 0,
"Fake reply to ICMP Address Mask Request packets");
-VNET_DEFINE(int, drop_redirect) = 0;
+VNET_DEFINE(int, drop_redirect) = 1;
#define V_drop_redirect VNET(drop_redirect)
SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(drop_redirect), 0,
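Review bot: Flipping the compiled-in default of `drop_redirect` to 1 changes behaviour for every vnet and for systems that never run rc.d/routing, yet the only documentation touched in this diff is rc.conf(5). A short comment above the definition would help, e.g. `/* Ignore ICMP redirects by default; set net.inet.icmp.drop_redirect=0 to process them. */`. An UPDATING or release-notes entry may also be warranted if it is not part of another change. The sysctl description string lies outside this hunk, so check that its wording still fits the new default.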
Attached To
Mode
D45102: Disable ICMP (v4) redirects by default