From owner-svn-src-head@freebsd.org Mon Mar 23 15:27:12 2020
Message-Id: <202003231527.02NFRBso033162@repo.freebsd.org>
From: "Alexander V. Chernikov"
Date: Mon, 23 Mar 2020 15:27:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r359244 - in head: libexec/rc libexec/rc/rc.d share/man/man5

Author: melifaro
Date: Mon Mar 23 15:27:10 2020
New Revision: 359244
URL: https://svnweb.freebsd.org/changeset/base/359244

Log:
  Make ICMP redirect processing depend on routing daemon.

  Submitted by:	lutz at donnerhacke.de
  Reviewed by:	melifaro,rgrimes
  Differential Revision:	https://reviews.freebsd.org/D23329

Modified:
  head/libexec/rc/rc.conf
  head/libexec/rc/rc.d/routed
  head/libexec/rc/rc.d/routing
  head/share/man/man5/rc.conf.5

Modified: head/libexec/rc/rc.conf
==============================================================================
--- head/libexec/rc/rc.conf	Mon Mar 23 14:53:55 2020	(r359243)
+++ head/libexec/rc/rc.conf	Mon Mar 23 15:27:10 2020	(r359244)
@@ -235,7 +235,7 @@ log_in_vain="0" # >=1 to log connects to ports w/o l tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN # NOTE: this violates the TCP specification -icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets +icmp_drop_redirect="auto" # Set to YES to ignore ICMP REDIRECT packets icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="auto" # List of network interfaces (or "auto"). cloned_interfaces="" # List of cloned network interfaces to create. Modified: head/libexec/rc/rc.d/routed ============================================================================== --- head/libexec/rc/rc.d/routed Mon Mar 23 14:53:55 2020 (r359243) +++ head/libexec/rc/rc.d/routed Mon Mar 23 15:27:10 2020 (r359244) @@ -3,7 +3,7 @@ # $FreeBSD$ # -# PROVIDE: routed +# PROVIDE: routed dynamicrouting # REQUIRE: netif routing # BEFORE: NETWORK # KEYWORD: nojailvnet Modified: head/libexec/rc/rc.d/routing ============================================================================== --- head/libexec/rc/rc.d/routing Mon Mar 23 14:53:55 2020 (r359243) +++ head/libexec/rc/rc.d/routing Mon Mar 23 15:27:10 2020 (r359244) @@ -292,8 +292,29 @@ ropts_init() fi } +_check_dynamicrouting() +{ + local skip file name rcvar + + # copied from /etc/rc + skip="-s nostart" + if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then + skip="$skip -s nojail" + fi + [ -n "$local_startup" ] && find_local_scripts_new + + for file in $( rcorder ${skip} /etc/rc.d/* ${local_rc} 2>/dev/null | + xargs grep -lE '^# PROVIDE:.*\' ); do + (set -- enabled; . $file) && return 0; + done + + return 1 +} + options_inet() { + local _icmp_drop_redirect + _ropts_initdone= if checkyesno icmp_bmcastecho; then ropts_init inet 
@@ -303,7 +324,17 @@ options_inet() ${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null fi - if checkyesno icmp_drop_redirect; then + _icmp_drop_redirect="${icmp_drop_redirect}" + case "${_icmp_drop_redirect}" in + [Aa][Uu][Tt][Oo] | "") + if _check_dynamicrouting; then + _icmp_drop_redirect="yes" + else + _icmp_drop_redirect="no" + fi + ;; + esac + if checkyesno _icmp_drop_redirect; then ropts_init inet echo -n ' ignore ICMP redirect=YES' ${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null Modified: head/share/man/man5/rc.conf.5 ============================================================================== --- head/share/man/man5/rc.conf.5 Mon Mar 23 14:53:55 2020 (r359243) +++ head/share/man/man5/rc.conf.5 Mon Mar 23 15:27:10 2020 (r359244) @@ -1182,11 +1182,19 @@ break some legitimate applications. .It Va icmp_drop_redirect .Pq Vt bool Set to -.Dq Li NO -by default. +.Dq Li AUTO +by default. This setting will be identical to +.Dq Li YES , +if a dynamicrouting daemon is enabled, because redirect processing may +cause perfomance issues for large routing tables. If no such service +is enabled, this setting behaves like a +.Dq Li NO . Setting to .Dq Li YES will cause the kernel to ignore ICMP REDIRECT packets. +Setting to +.Dq Li NO +will cause the kernel to process ICMP REDIRECT packets. Refer to .Xr icmp 4 for more information.
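Review bot: in the rc.conf hunk the trailing comment on the changed line still reads `# Set to YES to ignore ICMP REDIRECT packets`, so rc.conf itself no longer documents what the new `"auto"` default does. Suggest extending the comment in the same style, for example `# YES, NO or auto; auto ignores redirects when a dynamic routing daemon is enabled`, so an administrator reading rc.conf learns that with the default the kernel starts discarding redirects as soon as routed is enabled.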
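Review bot: in the rc.d/routed hunk, `routed` is the only script that gains the `dynamicrouting` keyword, yet `_check_dynamicrouting` and the rc.conf.5 text treat that keyword as the general signal that a dynamic routing daemon is enabled. Please document the convention, at least in a comment beside the `# PROVIDE: routed dynamicrouting` line, so that other routing-daemon scripts, including ones under `$local_startup` which the check also scans via `${local_rc}`, know to add `dynamicrouting` to their own `# PROVIDE:` line; otherwise `auto` resolves to `no` for those setups and redirects keep being processed.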
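Review bot: in the first rc.d/routing hunk the grep pattern in `_check_dynamicrouting`, `'^# PROVIDE:.*\'`, ends in a bare backslash as shown, which is not a valid extended regular expression; the intended word-boundary match for the `dynamicrouting` keyword appears to have been lost, so please verify that the committed pattern anchors on the full keyword rather than matching any PROVIDE line. Two smaller points in the same hunk: the function calls `/sbin/sysctl` directly while the rest of this file uses `${SYSCTL}`, and, as the `# copied from /etc/rc` comment admits, it duplicates the rcorder/skip logic from /etc/rc while discarding rcorder errors with `2>/dev/null`, so a malformed rc script makes the check quietly fall through to `return 1` (redirects processed) instead of reporting the problem. Quoting `. "$file"` would also be safer than the unquoted `. $file`.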
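Review bot: in the second rc.d/routing hunk the value chosen by the `auto` arm is decided silently: as far as the visible lines show, the status line `echo -n ' ignore ICMP redirect=YES'` is printed only when the resolved value is yes, so an operator cannot tell from boot output whether redirects are being processed because of an explicit `NO` or because no `dynamicrouting` script was found. Suggest printing the resolved value in the auto case (for example `echo -n ' ignore ICMP redirect=AUTO(no)'`). The `[Aa][Uu][Tt][Oo] | "")` arm also makes an empty value select auto rather than reaching `checkyesno`'s warning for an unrecognised value; that is reasonable but deserves a one-line comment, since `checkyesno _icmp_drop_redirect` is what still handles the YES/NO spellings.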
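Review bot: in the rc.conf.5 hunk the added text has a typo, `perfomance` for `performance`, and `dynamicrouting daemon` should read `dynamic routing daemon` unless the keyword itself is meant; the `.Pq Vt bool` line above is no longer accurate now that `AUTO` is accepted alongside `YES` and `NO`, and `behaves like a .Dq Li NO .` should drop the article. More importantly the paragraph says `if a dynamicrouting daemon is enabled` without saying how that is determined; suggest stating that an enabled rc script listing `dynamicrouting` in its `# PROVIDE:` line (as routed does after this change) counts as such a daemon, so readers can make their own routing daemon participate in the auto setting.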