On Mon, Jun 08, 2009 at 04:26:35PM +0100, Stuart Henderson wrote:
> Prompted by an undeadly post [0]. What does anyone think about
> disabling acceptance of ICMP redirects by default? I had a look
> in a few relevant places and didn't notice any discussion about
> this before, but if my google/grep-fu is lacking, please point
> me in the right direction.

This may break parts of IPv6 Neighbor Discovery.
See RFC 2461: "Hosts use the advertised on-link prefixes to build and maintain a list that is used in deciding when a packet's destination is on-link or beyond a router. Note that a destination can be on-link even though it is not covered by any advertised on-link prefix. In such cases a router can send a Redirect informing the sender that the destination is a neighbor."

>
> [0] http://undeadly.org/cgi?action=article&sid=20090605213724&pid=30&mode=flat
>
>
> Index: etc/sysctl.conf > =================================================================== > RCS file: /cvs/src/etc/sysctl.conf,v > retrieving revision 1.46 > diff -u -p -r1.46 sysctl.conf > --- etc/sysctl.conf 5 Jan 2008 18:38:37 -0000 1.46 > +++ etc/sysctl.conf 8 Jun 2009 15:19:57 -0000 > @@ -7,6 +7,8 @@ > #net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets > #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 > multicast packets > #net.inet.ip.multipath=1 # 1=Enable IP multipath routing > +#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects > +#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects > #net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets > #net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 > multicast packets > #net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing > Index: sys/netinet/ip_icmp.c > =================================================================== > RCS file: /cvs/src/sys/netinet/ip_icmp.c,v > retrieving revision 1.83 > diff -u -p -r1.83 ip_icmp.c > --- sys/netinet/ip_icmp.c 5 Jun 2009 00:05:22 -0000 1.83 > +++ sys/netinet/ip_icmp.c 8 Jun 2009 15:19:57 -0000 
> @@ -113,7 +113,7 @@ int icmpprintfs = 0; > int icmperrppslim = 100; > int icmperrpps_count = 0; > struct timeval icmperrppslim_last; > -int icmp_rediraccept = 1; > +int icmp_rediraccept = 0; > int icmp_redirtimeout = 10 * 60; > static struct rttimer_queue *icmp_redirect_timeout_q = NULL; > struct icmpstat icmpstat; > Index: sys/netinet6/in6_proto.c > =================================================================== > RCS file: /cvs/src/sys/netinet6/in6_proto.c,v > retrieving revision 1.57 > diff -u -p -r1.57 in6_proto.c > --- sys/netinet6/in6_proto.c 25 Nov 2008 12:11:45 -0000 1.57 > +++ sys/netinet6/in6_proto.c 8 Jun 2009 15:19:57 -0000 > @@ -299,7 +299,7 @@ u_long rip6_sendspace = RIPV6SNDQ; > u_long rip6_recvspace = RIPV6RCVQ; > > /* ICMPV6 parameters */ > -int icmp6_rediraccept = 1; /* accept and process redirects */ > +int icmp6_rediraccept = 0; /* accept and process redirects */ > int icmp6_redirtimeout = 10 * 60; /* 10 minutes */ > struct timeval icmp6errratelim = { 0, 0 }; /* no ratelimit */ > int icmp6errppslim = 100; /* 100pps */
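Review bot: in the etc/sysctl.conf hunk, the two added lines `#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects` and `#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects` follow the file's convention of showing the non-default value commented out, which is only right together with the kernel half of this diff; if the sysctl.conf change lands without the kernel change, the file would present the existing default as an opt-in. Nothing in the diff touches the manual page that documents these sysctls, so if sysctl(3) still describes redirects as accepted by default, that text should change in the same commit.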
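Review bot: in the sys/netinet/ip_icmp.c hunk, `int icmp_rediraccept = 0;` carries no comment while its IPv6 counterpart in in6_proto.c has `/* accept and process redirects */`; add the same comment here so the two defaults read consistently. The hunk changes the compiled-in default for every system, not something conditional on net.inet.ip.forwarding, so the commit message should say the new default applies to hosts as well as routers. `icmp_redirtimeout` and `icmp_redirect_timeout_q` are untouched, so the redirect-route expiry path is still compiled in; it is worth testing that setting the sysctl back to 1 at runtime restores the pre-patch behaviour, since that code is outside this hunk.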
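Review bot: in the sys/netinet6/in6_proto.c hunk, `int icmp6_rediraccept = 0;` is where the Neighbor Discovery concern raised in the reply lands: by the RFC 2461 text quoted above, an on-link destination not covered by any advertised prefix is learned only through a Redirect, so with this default a host keeps sending such traffic via the router instead of directly to the neighbor. The commit message should state that this is the accepted trade-off and why RFC 2461's own validation rules for Redirects (for example that the source must be the current first-hop router for the destination) are considered insufficient, rather than leaving readers of the hunk to work that out.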
