drop ICMP redirects if ipforwarding = 1

Claudio Jeker
Routers need to ignore ICMP redirects in any case so it would make sense to
disable ICMP redirects as soon as ipforwarding is set to 1.
The IPv6 counterpart already does this.

OK?
--
:wq Claudio

Index: netinet/ip_icmp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.92
diff -u -p -r1.92 ip_icmp.c
--- netinet/ip_icmp.c 13 Sep 2010 09:59:32 -0000 1.92
+++ netinet/ip_icmp.c 24 Mar 2011 10:39:46 -0000
@@ -313,6 +313,7 @@ icmp_input(struct mbuf *m, ...)
  void *(*ctlfunc)(int, struct sockaddr *, u_int, void *);
  int code;
  extern u_char ip_protox[];
+ extern int ipforwarding;
  int hlen;
  va_list ap;
  struct rtentry *rt;
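Review bot: the function-local `extern int ipforwarding;` follows the existing `extern u_char ip_protox[];` pattern just above it, but it is a second, independent declaration of a variable defined in another file; declaring it once in a shared netinet header instead would let the compiler catch a type mismatch if the definition ever changes, and it keeps the sysctl knobs icmp_input() depends on visible in one place.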
@@ -558,7 +559,7 @@ reflect:
  /* Free packet atttributes */
  if (m->m_flags & M_PKTHDR)
  m_tag_delete_chain(m);
- if (icmp_rediraccept == 0)
+ if (icmp_rediraccept == 0 || ipforwarding == 1)
  goto freeit;
  if (code > 3)
  goto badcode;
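Review bot: the new `ipforwarding == 1` test needs a comment explaining why it is not `ipforwarding != 0`. As raised in the thread, sysctl(3) lists `ipforwarding == 2` (forward only IPsec flows) as a valid setting, and the intent here is that such a host is not a full router and may still need redirects; without a comment the next reader will take `== 1` for an off-by-one and "fix" it. A one-liner above the `if`, e.g. `/* full routers (ipforwarding == 1) ignore redirects; IPsec-only forwarding (2) still accepts them */`, would record that decision next to the check.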

Re: drop ICMP redirects if ipforwarding = 1

Matthew Dempsky-3
On Mon, Apr 4, 2011 at 9:11 AM, Claudio Jeker <[hidden email]>
wrote:
> +               if (icmp_rediraccept == 0 || ipforwarding == 1)

Would "ipforwarding != 0" be more appropriate here?  According to
sysctl(3), ipforwarding == 2 is a legitimate configuration setting.

Re: drop ICMP redirects if ipforwarding = 1

Claudio Jeker
On Mon, Apr 04, 2011 at 10:10:49AM -0700, Matthew Dempsky wrote:
> On Mon, Apr 4, 2011 at 9:11 AM, Claudio Jeker <[hidden email]>
> wrote:
> > +               if (icmp_rediraccept == 0 || ipforwarding == 1)
>
> Would "ipforwarding != 0" be more appropriate here?  According to
> sysctl(3), ipforwarding == 2 is a legitimate configuration setting.
>

Yes, ipforwarding == 2 is legitimate but IMO it is not a full router when
forwarding is only done when an IPsec flow is used. I have the feeling
that IPsec may need some redirects. This is why I chose the == 1 check.

--
:wq Claudio

Re: drop ICMP redirects if ipforwarding = 1

Matthew Dempsky-3
On Mon, Apr 4, 2011 at 11:24 AM, Claudio Jeker <[hidden email]> wrote:
> Yes, ipforwarding == 2 is legitimate but IMO it is not a full router when
> forwarding is only done when an IPsec flow is used. I have the feeling
> that IPsec may need some redirects. This is why I chose the == 1 check.

Got it, makes sense to me then.  Thanks for clarifying. :)

Re: drop ICMP redirects if ipforwarding = 1

Thordur Bjornsson-2
On Mon, Apr 04, 2011 at 08:24:38PM +0200, Claudio Jeker wrote:

> On Mon, Apr 04, 2011 at 10:10:49AM -0700, Matthew Dempsky wrote:
> > On Mon, Apr 4, 2011 at 9:11 AM, Claudio Jeker <[hidden email]>
> > wrote:
> > > +               if (icmp_rediraccept == 0 || ipforwarding == 1)
> >
> > Would "ipforwarding != 0" be more appropriate here?  According to
> > sysctl(3), ipforwarding == 2 is a legitimate configuration setting.
> >
>
> Yes, ipforwarding == 2 is legitimate but IMO it is not a full router when
> forwarding is only done when an IPsec flow is used. I have the feeling
> that IPsec may need some redirects. This is why I chose the == 1 check.
Add a comment to that effect; I had the same thought as Matthew.