Author: melifaro
Date: Mon Mar 23 15:27:10 2020
New Revision: 359244
URL: https://svnweb.freebsd.org/changeset/base/359244

Log:
  Make ICMP redirect processing depend on routing daemon.
  
  Submitted by:  lutz at donnerhacke.de
  Reviewed by:  melifaro,rgrimes
  Differential Revision:        https://reviews.freebsd.org/D23329

Modified:
  head/libexec/rc/rc.conf
  head/libexec/rc/rc.d/routed
  head/libexec/rc/rc.d/routing
  head/share/man/man5/rc.conf.5

Modified: head/libexec/rc/rc.conf
==============================================================================
--- head/libexec/rc/rc.conf     Mon Mar 23 14:53:55 2020        (r359243)
+++ head/libexec/rc/rc.conf     Mon Mar 23 15:27:10 2020        (r359244)
@@ -235,7 +235,7 @@ log_in_vain="0"                     # >=1 to log connects 
to ports w/o l
 tcp_keepalive="YES"            # Enable stale TCP connection timeout (or NO).
 tcp_drop_synfin="NO"           # Set to YES to drop TCP packets with SYN+FIN
                                # NOTE: this violates the TCP specification
-icmp_drop_redirect="NO"        # Set to YES to ignore ICMP REDIRECT packets
+icmp_drop_redirect="auto"      # Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO"         # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"      # List of network interfaces (or "auto").
 cloned_interfaces=""           # List of cloned network interfaces to create.
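Review bot: The trailing comment on the `icmp_drop_redirect` line still reads `# Set to YES to ignore ICMP REDIRECT packets`, which no longer describes the new default of `auto` or what that value resolves to; since rc.conf is the file admins copy settings from, the new value should be documented inline. I would change the line to `icmp_drop_redirect="auto"      # YES to ignore ICMP REDIRECT packets, NO to process them, auto = YES only if a dynamic routing daemon is enabled`. It is also worth saying there that `auto` falls back to NO (redirects accepted) when no such daemon is detected, so hosts that want redirects ignored for hardening reasons must set YES explicitly.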

Modified: head/libexec/rc/rc.d/routed
==============================================================================
--- head/libexec/rc/rc.d/routed Mon Mar 23 14:53:55 2020        (r359243)
+++ head/libexec/rc/rc.d/routed Mon Mar 23 15:27:10 2020        (r359244)
@@ -3,7 +3,7 @@
 # $FreeBSD$
 #
 
-# PROVIDE: routed
+# PROVIDE: routed dynamicrouting
 # REQUIRE: netif routing
 # BEFORE: NETWORK
 # KEYWORD: nojailvnet

Modified: head/libexec/rc/rc.d/routing
==============================================================================
--- head/libexec/rc/rc.d/routing        Mon Mar 23 14:53:55 2020        
(r359243)
+++ head/libexec/rc/rc.d/routing        Mon Mar 23 15:27:10 2020        
(r359244)
@@ -292,8 +292,29 @@ ropts_init()
        fi
 }
 
+_check_dynamicrouting()
+{
+       local skip file name rcvar
+
+       # copied from /etc/rc
+       skip="-s nostart"
+       if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+               skip="$skip -s nojail"
+       fi
+       [ -n "$local_startup" ] && find_local_scripts_new
+       
+       for file in $( rcorder ${skip} /etc/rc.d/* ${local_rc} 2>/dev/null |
+                      xargs grep -lE '^# PROVIDE:.*\<dynamicrouting\>' ); do
+               (set -- enabled; . $file) && return 0;
+       done
+
+       return 1
+}
+
 options_inet()
 {
+       local _icmp_drop_redirect
+
        _ropts_initdone=
        if checkyesno icmp_bmcastecho; then
                ropts_init inet
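Review bot: `_check_dynamicrouting` treats every failure of the discovery pipeline the same as "no daemon enabled": `rcorder ... 2>/dev/null` hides its errors, an empty `xargs grep -l` result and a script that fails to source inside `(set -- enabled; . $file)` all fall through to `return 1`, which the caller maps to the permissive setting where the kernel keeps accepting ICMP redirects. That fail-open direction deserves a comment, since an on-link host can use a redirect to change the next hop for a destination, e.g. `# Any error during discovery yields 1 ("no daemon"), which the caller maps to icmp_drop_redirect=NO (redirects accepted); set icmp_drop_redirect=YES explicitly if that fallback is not acceptable.` Detection also only sees scripts whose `# PROVIDE:` line carries the `dynamicrouting` token, and only `routed` is tagged by this commit, so presumably routing daemons from ports are not detected until their rc scripts add the token. Finally, `. $file` sources each matched script unquoted and runs its top-level code (in a subshell), so this relies on every tagged script being a plain `load_rc_config`/`run_rc_command` wrapper and on script paths without whitespace; quoting as `. "$file"` is cheap.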
@@ -303,7 +324,17 @@ options_inet()
                ${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null
        fi
 
-       if checkyesno icmp_drop_redirect; then
+       _icmp_drop_redirect="${icmp_drop_redirect}"
+       case "${_icmp_drop_redirect}" in
+       [Aa][Uu][Tt][Oo] | "")
+               if _check_dynamicrouting; then
+                       _icmp_drop_redirect="yes"
+               else
+                       _icmp_drop_redirect="no"
+               fi
+               ;;
+       esac
+       if checkyesno _icmp_drop_redirect; then
                ropts_init inet
                echo -n ' ignore ICMP redirect=YES'
                ${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null
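Review bot: The `case` silently folds an empty `icmp_drop_redirect` into `auto` via the `"")` pattern, whereas before this change `checkyesno` on an empty value would have warned and behaved as NO; that is a reasonable choice but should be stated, since a stray `icmp_drop_redirect=""` in rc.conf now enables detection rather than disabling the feature. I would add above the `case` the comment `# "auto" (or empty): resolved once here at startup from the enabled state of dynamicrouting scripts, not from whether a daemon is actually running; re-run "service routing restart" after changing that state.` The `if checkyesno _icmp_drop_redirect` block and the rest of `options_inet` continue outside the hunk, so the NO branch that presumably sets `drop_redirect=0` is not visible here.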

Modified: head/share/man/man5/rc.conf.5
==============================================================================
--- head/share/man/man5/rc.conf.5       Mon Mar 23 14:53:55 2020        
(r359243)
+++ head/share/man/man5/rc.conf.5       Mon Mar 23 15:27:10 2020        
(r359244)
@@ -1182,11 +1182,19 @@ break some legitimate applications.
 .It Va icmp_drop_redirect
 .Pq Vt bool
 Set to
-.Dq Li NO
-by default.
+.Dq Li AUTO
+by default.  This setting will be identical to
+.Dq Li YES ,
+if a dynamicrouting daemon is enabled, because redirect processing may
+cause perfomance issues for large routing tables.  If no such service
+is enabled, this setting behaves like a
+.Dq Li NO .
 Setting to
 .Dq Li YES
 will cause the kernel to ignore ICMP REDIRECT packets.
+Setting to
+.Dq Li NO
+will cause the kernel to process ICMP REDIRECT packets.
 Refer to
 .Xr icmp 4
 for more information.