Add net.inet.icmp.log_redirect and net.inet.icmp.drop_redirect, for

respectively logging and dropping ICMP REDIRECT packets. Note that there is no rate limiting on the log messages, so log_redirect should be used with caution (preferrably only for debugging purposes).
1999-08-10 09:45:33 +00:00 · 1999-08-10 09:45:33 +00:00 · 34ed1195f9
commit 34ed1195f9
parent 8a5bbef021
9 changed files with 108 additions and 11 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -9,7 +9,7 @@
 #
 # All arguments must be in double or single quotes.
 #
-#	$Id: rc.conf,v 1.23 1999/07/26 10:49:33 brian Exp $
+#	$Id: rc.conf,v 1.24 1999/08/03 10:11:02 eivind Exp $

 ##############################################################
 ###  Important initial Boot-time options  ####################
@ -48,6 +48,8 @@ natd_flags=""                   # Additional flags for natd.
 tcp_extensions="NO"		# Set to Yes to turn on RFC1323 extensions.
 log_in_vain="NO"		# Disallow bad connection logging (or YES).
 tcp_keepalive="YES"		# Kill dead TCP connections (or NO).
+icmp_drop_redirect="NO"		# Set to YES to ignore ICMP REDIRECT packets
+icmp_log_redirect="NO"		# Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"	# List of network interfaces (or "auto").
 ifconfig_lo0="inet 127.0.0.1"	# default loopback device configuration.
 #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
--- a/etc/network.subr
+++ b/etc/network.subr
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/etc/rc.network
+++ b/etc/rc.network
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $
+#	$Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $
 #	From: @(#)netstart	5.9 (Berkeley) 3/30/91

 # Note that almost all the user-configurable behavior is no longer in
@ -197,6 +197,16 @@ network_pass1() {
 	    echo -n ' broadcast ping responses=YES'
 	    sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
    fi
+    
+    if [ "X$icmp_drop_redirect" = X"YES" ]; then
+	    echo -n ' ignore ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
+    fi
+    
+    if [ "X$icmp_log_redirect" = X"YES" ]; then
+	    echo -n ' log ICMP redirect=YES'
+	    sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
+    fi

    if [ "X$gateway_enable" = X"YES" ]; then
 	    echo -n ' IP gateway=YES'
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)ip_icmp.c	8.2 (Berkeley) 1/4/94
- *	$Id: ip_icmp.c,v 1.33 1998/12/04 04:21:25 dillon Exp $
+ *	$Id: ip_icmp.c,v 1.34 1999/03/06 23:10:42 archie Exp $
 */

 #include <sys/param.h>
@ -69,6 +69,14 @@ static int	icmpmaskrepl = 0;
 SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
 	&icmpmaskrepl, 0, "");

+static int	log_redirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW, 
+	&log_redirect, 0, "");
+
+static int	drop_redirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, 
+	&drop_redirect, 0, "");
+
 #ifdef ICMP_BANDLIM 
 
 /*    
@ -92,8 +100,8 @@ SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RD,
 */

 static int	icmpbmcastecho = 0;
-SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
-	   0, "");
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW,
+	&icmpbmcastecho, 0, "");


 #ifdef ICMPPRINTFS
@ -462,6 +470,23 @@ icmp_input(m, hlen)
 		return;

 	case ICMP_REDIRECT:
+		if (log_redirect) {
+			u_long src, dst, gw;
+
+			src = ntohl(ip->ip_src.s_addr);
+			dst = ntohl(icp->icmp_ip.ip_dst.s_addr);
+			gw = ntohl(icp->icmp_gwaddr.s_addr);
+			printf("icmp redirect from %d.%d.%d.%d: "
+			       "%d.%d.%d.%d => %d.%d.%d.%d\n",
+			       (int)(src >> 24), (int)((src >> 16) & 0xff),
+			       (int)((src >> 8) & 0xff), (int)(src & 0xff),
+			       (int)(dst >> 24), (int)((dst >> 16) & 0xff),
+			       (int)((dst >> 8) & 0xff), (int)(dst & 0xff),
+			       (int)(gw >> 24), (int)((gw >> 16) & 0xff),
+			       (int)((gw >> 8) & 0xff), (int)(gw & 0xff));
+		}
+		if (drop_redirect)
+			break;
 		if (code > 3)
 			goto badcode;
 		if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||