Make ICMP redirect processing depend on routing daemon.

Submitted by: lutz at donnerhacke.de Reviewed by: melifaro,rgrimes Differential Revision: https://reviews.freebsd.org/D23329
svn path=/head/; revision=359244
2020-03-23 15:27:10 +00:00 · 2020-03-23 15:27:10 +00:00 · 7119cdc225 · 2020-12-20 02:59:44 +00:00
commit 7119cdc225
parent 2ce22b06c0
4 changed files with 44 additions and 5 deletions
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@ -235,7 +235,7 @@ log_in_vain="0"			# >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
 tcp_drop_synfin="NO"		# Set to YES to drop TCP packets with SYN+FIN
 				# NOTE: this violates the TCP specification
-icmp_drop_redirect="NO" 	# Set to YES to ignore ICMP REDIRECT packets
+icmp_drop_redirect="auto" 	# Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO"		# Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"	# List of network interfaces (or "auto").
 cloned_interfaces=""		# List of cloned network interfaces to create.
--- a/libexec/rc/rc.d/routed
+++ b/libexec/rc/rc.d/routed
@ -3,7 +3,7 @@
 # $FreeBSD$
 #

-# PROVIDE: routed
+# PROVIDE: routed dynamicrouting
 # REQUIRE: netif routing
 # BEFORE: NETWORK
 # KEYWORD: nojailvnet
--- a/libexec/rc/rc.d/routing
+++ b/libexec/rc/rc.d/routing
@ -292,8 +292,29 @@ ropts_init()
 	fi
 }

+_check_dynamicrouting()
+{
+	local skip file name rcvar
+
+	# copied from /etc/rc
+	skip="-s nostart"
+	if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+		skip="$skip -s nojail"
+	fi
+	[ -n "$local_startup" ] && find_local_scripts_new
+	
+	for file in $( rcorder ${skip} /etc/rc.d/* ${local_rc} 2>/dev/null |
+		       xargs grep -lE '^# PROVIDE:.*\<dynamicrouting\>' ); do
+		(set -- enabled; . $file) && return 0;
+	done
+
+	return 1
+}
+
 options_inet()
 {
+	local _icmp_drop_redirect
+
 	_ropts_initdone=
 	if checkyesno icmp_bmcastecho; then
 		ropts_init inet
@ -303,7 +324,17 @@ options_inet()
 		${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null
 	fi

-	if checkyesno icmp_drop_redirect; then
+	_icmp_drop_redirect="${icmp_drop_redirect}"
+	case "${_icmp_drop_redirect}" in
+	[Aa][Uu][Tt][Oo] | "")
+		if _check_dynamicrouting; then
+			_icmp_drop_redirect="yes"
+		else
+			_icmp_drop_redirect="no"
+		fi
+		;;
+	esac
+	if checkyesno _icmp_drop_redirect; then
 		ropts_init inet
 		echo -n ' ignore ICMP redirect=YES'
 		${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -1182,11 +1182,19 @@ break some legitimate applications.
 .It Va icmp_drop_redirect
 .Pq Vt bool
 Set to
-.Dq Li NO
-by default.
+.Dq Li AUTO
+by default.  This setting will be identical to
+.Dq Li YES ,
+if a dynamicrouting daemon is enabled, because redirect processing may
+cause perfomance issues for large routing tables.  If no such service
+is enabled, this setting behaves like a
+.Dq Li NO .
 Setting to
 .Dq Li YES
 will cause the kernel to ignore ICMP REDIRECT packets.
+Setting to
+.Dq Li NO
+will cause the kernel to process ICMP REDIRECT packets.
 Refer to
 .Xr icmp 4
 for more information.