Index: libexec/rc/rc.conf
===================================================================
--- libexec/rc/rc.conf
+++ libexec/rc/rc.conf
@@ -262,7 +262,7 @@
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
 tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
 # NOTE: this violates the TCP specification
-icmp_drop_redirect="auto" # Set to YES to ignore ICMP REDIRECT packets
+icmp_drop_redirect="YES" # Set to NO to process ICMP REDIRECT packets
 icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto" # List of network interfaces (or "auto").
 cloned_interfaces="" # List of cloned network interfaces to create.
Index: libexec/rc/rc.d/routing
===================================================================
--- libexec/rc/rc.d/routing
+++ libexec/rc/rc.d/routing
@@ -325,30 +325,8 @@
 fi
 }
 
-_check_dynamicrouting()
-{
- local skip file name rcvar
-
- # copied from /etc/rc
- skip="-s nostart"
- if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
- skip="$skip -s nojail"
- fi
- [ -n "$local_startup" ] && find_local_scripts_new
- [ -n "$system_rc" ] && find_system_scripts
-
- for file in $( rcorder ${skip} ${system_rc} ${local_rc} 2>/dev/null |
- xargs grep -lE '^# PROVIDE:.*\' ); do
- (set -- enabled; . $file) && return 0;
- done
-
- return 1
-}
-
 options_inet()
 {
- local _icmp_drop_redirect
-
 _ropts_initdone=
 if checkyesno icmp_bmcastecho; then
 ropts_init inet
@@ -358,17 +336,12 @@
 ${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null
 fi
 
- _icmp_drop_redirect="${icmp_drop_redirect}"
- case "${_icmp_drop_redirect}" in
+ case "${icmp_drop_redirect}" in
 [Aa][Uu][Tt][Oo] | "")
- if _check_dynamicrouting; then
- _icmp_drop_redirect="yes"
- else
- _icmp_drop_redirect="no"
- fi
+ icmp_drop_redirect="yes"
 ;;
 esac
- if checkyesno _icmp_drop_redirect; then
+ if checkyesno icmp_drop_redirect; then
 ropts_init inet
 echo -n ' ignore ICMP redirect=YES'
 ${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null
Index: share/man/man5/rc.conf.5
===================================================================
--- share/man/man5/rc.conf.5
+++ share/man/man5/rc.conf.5
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd May 4, 2024
+.Dd May 6, 2024
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -1348,20 +1348,15 @@
 .It Va icmp_drop_redirect
 .Pq Vt bool
 Set to
-.Dq Li AUTO
-by default.
-This setting will be identical to
-.Dq Li YES ,
-if a dynamic routing daemon is enabled, because redirect processing may
-cause performance issues for large routing tables.
-If no such service is enabled, this setting behaves like a
-.Dq Li NO .
-Setting to
 .Dq Li YES
-will cause the kernel to ignore ICMP REDIRECT packets.
+by default, which causes the kernel to ignore ICMP REDIRECT packets.
 Setting to
 .Dq Li NO
 will cause the kernel to process ICMP REDIRECT packets.
+For backwards compatibility
+.Dq Li AUTO
+is also accepted and is identical to
+.Dq Li YES .
 Refer to
 .Xr icmp 4
 for more information.
Index: sys/netinet/ip_icmp.c
===================================================================
--- sys/netinet/ip_icmp.c
+++ sys/netinet/ip_icmp.c
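Review bot: The AUTO/"" arm now writes the normalised value back into the rc.conf variable `icmp_drop_redirect` itself instead of the removed local, so any later code in this script that reads the variable will see `yes` rather than what the administrator configured; that is harmless if nothing else reads it, but a one-line comment above the case, `# AUTO and "" are legacy spellings of YES; normalise before checkyesno`, would record why a configuration variable is rewritten in place. Separately, because this same diff flips the kernel default of net.inet.icmp.drop_redirect to 1, the YES path shown here is now a no-op on a fresh boot and the NO path is the one that changes behaviour; that else branch lies past the hunk, so please confirm it explicitly runs `${SYSCTL} net.inet.icmp.drop_redirect=0`, otherwise `icmp_drop_redirect="NO"` would be silently ignored. options_inet starts before this hunk and continues after it.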
@@ -125,7 +125,7 @@
 &VNET_NAME(icmpmaskfake), 0,
 "Fake reply to ICMP Address Mask Request packets");
 
-VNET_DEFINE(int, drop_redirect) = 0;
+VNET_DEFINE(int, drop_redirect) = 1;
 #define V_drop_redirect VNET(drop_redirect)
 SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_VNET | CTLFLAG_RW,
 &VNET_NAME(drop_redirect), 0,
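Review bot: Flipping the VNET default of drop_redirect to 1 changes runtime behaviour on every host, yet the sysctl description string that follows `&VNET_NAME(drop_redirect), 0,` and icmp(4), which the rc.conf.5 hunk in this diff still points readers to, are not touched here; if either describes the old default of 0 it will now be wrong and should be updated in the same commit. Ignoring REDIRECTs by default removes a classic way for an on-link sender to alter a host's next-hop, so the direction is sound, but hosts that relied on redirects to reach some destinations via a second router will now route everything through the default gateway, which deserves a sentence in the commit message or release notes. Since `icmp_log_redirect` remains available in rc.conf, it is worth stating in icmp(4) whether logging still fires when packets are dropped, so operators can detect unexpected REDIRECTs on the wire; I cannot confirm that from this hunk. The SYSCTL_INT declaration continues past the hunk.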