svn commit: r359244 - in head: libexec/rc libexec/rc/rc.d share/man/man5

Alexander V. Chernikov melifaro at FreeBSD.org
Mon Mar 23 15:27:12 UTC 2020


Author: melifaro
Date: Mon Mar 23 15:27:10 2020
New Revision: 359244
URL: https://svnweb.freebsd.org/changeset/base/359244

Log:
  Make ICMP redirect processing depend on whether a dynamic routing daemon is enabled.
  
  Submitted by:	 lutz at donnerhacke.de
  Reviewed by:	melifaro,rgrimes
  Differential Revision:	https://reviews.freebsd.org/D23329

Modified:
  head/libexec/rc/rc.conf
  head/libexec/rc/rc.d/routed
  head/libexec/rc/rc.d/routing
  head/share/man/man5/rc.conf.5

Modified: head/libexec/rc/rc.conf
==============================================================================
--- head/libexec/rc/rc.conf	Mon Mar 23 14:53:55 2020	(r359243)
+++ head/libexec/rc/rc.conf	Mon Mar 23 15:27:10 2020	(r359244)
@@ -235,7 +235,7 @@ log_in_vain="0"			# >=1 to log connects to ports w/o l
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
 tcp_drop_synfin="NO"		# Set to YES to drop TCP packets with SYN+FIN
 				# NOTE: this violates the TCP specification
-icmp_drop_redirect="NO" 	# Set to YES to ignore ICMP REDIRECT packets
+icmp_drop_redirect="auto" 	# Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO"		# Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"	# List of network interfaces (or "auto").
 cloned_interfaces=""		# List of cloned network interfaces to create.
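Review bot: The trailing comment on the changed line still reads `# Set to YES to ignore ICMP REDIRECT packets`, which no longer describes the new default `auto`, and /etc/defaults/rc.conf is the first place an administrator looks before reading rc.conf(5). The two-line comment style used for tcp_drop_synfin just above fits here: `icmp_drop_redirect="auto"	# YES ignores ICMP REDIRECTs, NO processes them,` followed by `				# auto = YES if a dynamic routing daemon is enabled`. That also makes it visible that `auto` leaves redirects accepted on an ordinary host, which is the security-relevant half of the setting.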

Modified: head/libexec/rc/rc.d/routed
==============================================================================
--- head/libexec/rc/rc.d/routed	Mon Mar 23 14:53:55 2020	(r359243)
+++ head/libexec/rc/rc.d/routed	Mon Mar 23 15:27:10 2020	(r359244)
@@ -3,7 +3,7 @@
 # $FreeBSD$
 #
 
-# PROVIDE: routed
+# PROVIDE: routed dynamicrouting
 # REQUIRE: netif routing
 # BEFORE: NETWORK
 # KEYWORD: nojailvnet

Modified: head/libexec/rc/rc.d/routing
==============================================================================
--- head/libexec/rc/rc.d/routing	Mon Mar 23 14:53:55 2020	(r359243)
+++ head/libexec/rc/rc.d/routing	Mon Mar 23 15:27:10 2020	(r359244)
@@ -292,8 +292,29 @@ ropts_init()
 	fi
 }
 
+_check_dynamicrouting()
+{
+	local skip file name rcvar
+
+	# copied from /etc/rc
+	skip="-s nostart"
+	if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+		skip="$skip -s nojail"
+	fi
+	[ -n "$local_startup" ] && find_local_scripts_new
+	
+	for file in $( rcorder ${skip} /etc/rc.d/* ${local_rc} 2>/dev/null |
+		       xargs grep -lE '^# PROVIDE:.*\<dynamicrouting\>' ); do
+		(set -- enabled; . $file) && return 0;
+	done
+
+	return 1
+}
+
 options_inet()
 {
+	local _icmp_drop_redirect
+
 	_ropts_initdone=
 	if checkyesno icmp_bmcastecho; then
 		ropts_init inet
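Review bot: `_check_dynamicrouting` sources every rc.d script whose PROVIDE line contains `dynamicrouting`, including scripts found under `$local_startup`, and does so from inside the routing script under `set -- enabled`, i.e. before those scripts' own REQUIRE ordering is satisfied; rc.subr's `enabled` command should only evaluate the rcvar, but any top-level code such a script runs outside `run_rc_command` executes at that point, and the `2>/dev/null` on rcorder hides ordering errors from them. The detection is also purely a naming convention that, within this commit, only `routed` follows, so a routing daemon installed from ports that does not add the keyword leaves `auto` behaving as `NO` and the host still honouring ICMP redirects; that deserves a comment above the function, `# A routing daemon opts in to auto-mode redirect dropping by listing dynamicrouting in its PROVIDE line.` Smaller points on the new lines: `name` and `rcvar` in the `local` list are unused, `$file` is word-split by `xargs` and unquoted in `. $file` (a local_startup path with whitespace breaks both), and a failing `sysctl -n security.jail.jailed` turns the `-eq 1` test into a shell error instead of a non-jailed default.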
@@ -303,7 +324,17 @@ options_inet()
 		${SYSCTL} net.inet.icmp.bmcastecho=0 > /dev/null
 	fi
 
-	if checkyesno icmp_drop_redirect; then
+	_icmp_drop_redirect="${icmp_drop_redirect}"
+	case "${_icmp_drop_redirect}" in
+	[Aa][Uu][Tt][Oo] | "")
+		if _check_dynamicrouting; then
+			_icmp_drop_redirect="yes"
+		else
+			_icmp_drop_redirect="no"
+		fi
+		;;
+	esac
+	if checkyesno _icmp_drop_redirect; then
 		ropts_init inet
 		echo -n ' ignore ICMP redirect=YES'
 		${SYSCTL} net.inet.icmp.drop_redirect=1 > /dev/null
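Review bot: In `auto` mode the only input is whether a `dynamicrouting` provider is enabled, so a forwarding host with `gateway_enable=YES` and static routes keeps processing ICMP redirects; RFC 1122 §3.2.2.2 expects a router not to honour redirects, and accepting them on a forwarding box lets any on-link peer rewrite next hops for transit traffic. Unless the kernel already ignores redirects when net.inet.ip.forwarding is set (not visible here), consider `if _check_dynamicrouting || checkyesno gateway_enable; then` in the auto branch, since gateway_enable is the rc.conf knob this script family already uses for forwarding. The resolution logic itself has no comment; `# auto: YES when a dynamic routing daemon is enabled (rc.conf(5)), otherwise the historical NO; empty means auto` above the `case` would record the intent, including that an empty override from a defaults file is treated as auto rather than rejected by checkyesno.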

Modified: head/share/man/man5/rc.conf.5
==============================================================================
--- head/share/man/man5/rc.conf.5	Mon Mar 23 14:53:55 2020	(r359243)
+++ head/share/man/man5/rc.conf.5	Mon Mar 23 15:27:10 2020	(r359244)
@@ -1182,11 +1182,19 @@ break some legitimate applications.
 .It Va icmp_drop_redirect
 .Pq Vt bool
 Set to
-.Dq Li NO
-by default.
+.Dq Li AUTO
+by default.  This setting will be identical to
+.Dq Li YES ,
+if a dynamicrouting daemon is enabled, because redirect processing may
+cause perfomance issues for large routing tables.  If no such service
+is enabled, this setting behaves like a
+.Dq Li NO .
 Setting to
 .Dq Li YES
 will cause the kernel to ignore ICMP REDIRECT packets.
+Setting to
+.Dq Li NO
+will cause the kernel to process ICMP REDIRECT packets.
 Refer to
 .Xr icmp 4
 for more information.

