authorFlorian Obser <florian@cvs.openbsd.org>2014-08-27 14:04:17 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2014-08-27 14:04:17 +0000
commita37c10a70e5b52eda69a999d38df285e81554e69 (patch)
tree725f796a2533b7d6612855b9390a900f027b57f9
parente9646141ed76dc6df81a46a37d162cd4cd094752 (diff)
Nuke net.inet6.icmp6.rediraccept and allow redirects on interfaces
with autoconf enabled. If one is doing SLAAC one already trusts link-local ICMPv6, so the policy for ICMPv6 redirects should be the same. pointed out by & OK bluhm@; OK henning@
-rw-r--r--distrib/miniroot/install.sh5
-rw-r--r--etc/examples/sysctl.conf3
-rw-r--r--etc/rc.conf3
-rw-r--r--lib/libc/gen/sysctl.310
-rw-r--r--sbin/sysctl/sysctl.85
-rw-r--r--sys/netinet/icmp6.h7
-rw-r--r--sys/netinet6/icmp6.c4
-rw-r--r--sys/netinet6/in6_proto.c3
-rw-r--r--usr.sbin/rtsold/rtsold.89
-rw-r--r--usr.sbin/rtsold/rtsold.c10
10 files changed, 19 insertions, 40 deletions
diff --git a/distrib/miniroot/install.sh b/distrib/miniroot/install.sh
index bb8429f9cd0..8d126463ced 100644
--- a/distrib/miniroot/install.sh
+++ b/distrib/miniroot/install.sh
@@ -1,5 +1,5 @@
#!/bin/ksh
-# $OpenBSD: install.sh,v 1.256 2014/08/10 16:32:28 rpe Exp $
+# $OpenBSD: install.sh,v 1.257 2014/08/27 14:04:15 florian Exp $
# $NetBSD: install.sh,v 1.5.2.8 1996/08/27 18:15:05 gwr Exp $
#
# Copyright (c) 1997-2009 Todd Miller, Theo de Raadt, Ken Westerback
@@ -309,8 +309,5 @@ fi
print -r -- "$rootkey" >> /mnt/root/.ssh/authorized_keys
)
-grep -qs '^rtsol' /mnt/etc/hostname.* &&
- echo 'net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)' >>/mnt/etc/sysctl.conf
-
# Perform final steps common to both an install and an upgrade.
finish_up
diff --git a/etc/examples/sysctl.conf b/etc/examples/sysctl.conf
index b01a20ce96a..581de99bc1f 100644
--- a/etc/examples/sysctl.conf
+++ b/etc/examples/sysctl.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: sysctl.conf,v 1.2 2014/08/20 11:23:41 mikeb Exp $
+# $OpenBSD: sysctl.conf,v 1.3 2014/08/27 14:04:15 florian Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
@@ -8,7 +8,6 @@
#net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1 # 1=Enable IP multipath routing
#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
-#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing
diff --git a/etc/rc.conf b/etc/rc.conf
index 8a3806da333..c4af1a86b37 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.conf,v 1.197 2014/08/26 19:33:48 robert Exp $
+# $OpenBSD: rc.conf,v 1.198 2014/08/27 14:04:15 florian Exp $
# DO NOT EDIT THIS FILE!!
#
@@ -40,7 +40,6 @@ route6d_flags=NO # for normal use: ""
# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO # for normal use: interface
# be sure to set net.inet6.ip6.forwarding=0
- # be sure to set net.inet6.icmp6.rediraccept=1
lpd_flags=NO # for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO # for normal use: ""
hotplugd_flags=NO # for normal use: ""
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3
index eb226a7cbb3..9b181f1dc9d 100644
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.3,v 1.241 2014/08/20 11:23:41 mikeb Exp $
+.\" $OpenBSD: sysctl.3,v 1.242 2014/08/27 14:04:15 florian Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 20 2014 $
+.Dd $Mdocdate: August 27 2014 $
.Dt SYSCTL 3
.Os
.Sh NAME
@@ -1650,7 +1650,6 @@ The currently defined protocols and names are:
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
-.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
@@ -1741,11 +1740,6 @@ This variable specifies the
constant in IPv6 neighbor discovery specification
.Pq RFC 4861 .
.Pp
-.It Li icmp6.rediraccept
-If set to non-zero, the host will accept ICMPv6 redirect packets.
-Note that IPv6 routers will never accept ICMPv6 redirect packets,
-so the variable is only meaningful on IPv6 hosts, not on routers.
-.Pp
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by
incoming ICMPv6 redirects.
diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8
index 20f59696bd3..69a67762237 100644
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.8,v 1.183 2014/08/20 11:23:41 mikeb Exp $
+.\" $OpenBSD: sysctl.8,v 1.184 2014/08/27 14:04:15 florian Exp $
.\" $NetBSD: sysctl.8,v 1.4 1995/09/30 07:12:49 thorpej Exp $
.\"
.\" Copyright (c) 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)sysctl.8 8.2 (Berkeley) 5/9/95
.\"
-.Dd $Mdocdate: August 20 2014 $
+.Dd $Mdocdate: August 27 2014 $
.Dt SYSCTL 8
.Os
.Sh NAME
@@ -307,7 +307,6 @@ and a few require a kernel compiled with non-standard
.It net.inet6.ip6.maxdynroutes Ta integer Ta yes
.It net.inet6.ip6.dad_pending Ta integer Ta yes
.It net.inet6.ip6.mtudisctimeout Ta integer Ta yes
-.It net.inet6.icmp6.rediraccept Ta integer Ta yes
.It net.inet6.icmp6.redirtimeout Ta integer Ta yes
.It net.inet6.icmp6.nd6_prune Ta integer Ta yes
.It net.inet6.icmp6.nd6_delay Ta integer Ta yes
diff --git a/sys/netinet/icmp6.h b/sys/netinet/icmp6.h
index 68c82666ad9..f67e2480c62 100644
--- a/sys/netinet/icmp6.h
+++ b/sys/netinet/icmp6.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.h,v 1.40 2014/07/11 12:20:26 benno Exp $ */
+/* $OpenBSD: icmp6.h,v 1.41 2014/08/27 14:04:15 florian Exp $ */
/* $KAME: icmp6.h,v 1.84 2003/04/23 10:26:51 itojun Exp $ */
/*
@@ -542,7 +542,7 @@ struct icmp6stat {
#define ICMPV6CTL_NAMES { \
{ 0, 0 }, \
{ 0, 0 }, \
- { "rediraccept", CTLTYPE_INT }, \
+ { 0, 0 }, \
{ "redirtimeout", CTLTYPE_INT }, \
{ 0, 0 }, \
{ 0, 0 }, \
@@ -566,7 +566,7 @@ struct icmp6stat {
#define ICMPV6CTL_VARS { \
NULL, \
NULL, \
- &icmp6_rediraccept, \
+ NULL, \
&icmp6_redirtimeout, \
NULL, \
NULL, \
@@ -668,7 +668,6 @@ do { \
} \
} while (0)
-extern int icmp6_rediraccept; /* accept/process redirects */
extern int icmp6_redirtimeout; /* cache time for redirect routes */
#endif /* _KERNEL */
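Review bot: The rediraccept entries in ICMPV6CTL_NAMES and ICMPV6CTL_VARS are blanked to `{ 0, 0 }` / `NULL` rather than removed, which keeps the remaining sysctl indices (redirtimeout and the rest) stable, but nothing in the table records that slot 2 is retired, so a later edit could reuse it and silently give old userland binaries a different variable. A short marker would make the intent explicit: `{ 0, 0 },		/* was rediraccept, retired */` in ICMPV6CTL_NAMES and `NULL,		/* was rediraccept, retired */` in ICMPV6CTL_VARS. Whether the `ICMPV6CTL_REDIRACCEPT` define that the old rtsold.c used is also removed is not visible in this diff; if it stays, callers still compile and only fail at sysctl time, which is worth a line in the commit message or header.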
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 07b9a7beec7..c43857759d6 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.147 2014/07/22 11:06:10 mpi Exp $ */
+/* $OpenBSD: icmp6.c,v 1.148 2014/08/27 14:04:16 florian Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -1386,7 +1386,7 @@ icmp6_redirect_input(struct mbuf *m, int off)
/* XXX if we are router, we don't update route by icmp6 redirect */
if (ip6_forwarding)
goto freeit;
- if (!icmp6_rediraccept)
+ if (!(ifp->if_xflags & IFXF_AUTOCONF6))
goto freeit;
IP6_EXTHDR_GET(nd_rd, struct nd_redirect *, m, off, icmp6len);
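Review bot: The new check `if (!(ifp->if_xflags & IFXF_AUTOCONF6))` carries no comment, while the neighbouring forwarding check does, so the reason a redirect is dropped here is only recoverable from the commit message; a one-liner such as `/* only interfaces doing SLAAC already trust link-local ICMPv6 */` would keep the policy readable next to the code. `ifp` is not assigned inside the hunk; presumably it is the receiving interface set at the top of icmp6_redirect_input, whose head lies outside this hunk, so the reviewer should confirm it cannot be NULL at this point. Note that redirect acceptance is now gated by both the global ip6_forwarding knob and the per-interface flag, which is a sensible narrowing but is no longer visible or tunable through sysctl(8), so the sysctl.3 text for redirtimeout remains the only hint that redirects are processed at all.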
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index 04e0a530b54..bb0387fa0e4 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_proto.c,v 1.74 2014/08/19 12:28:03 mpi Exp $ */
+/* $OpenBSD: in6_proto.c,v 1.75 2014/08/27 14:04:16 florian Exp $ */
/* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */
/*
@@ -303,7 +303,6 @@ u_long rip6_sendspace = RIPV6SNDQ;
u_long rip6_recvspace = RIPV6RCVQ;
/* ICMPV6 parameters */
-int icmp6_rediraccept = 0; /* don't process redirects by default */
int icmp6_redirtimeout = 10 * 60; /* 10 minutes */
int icmp6errppslim = 100; /* 100pps */
int ip6_mtudisc_timeout = IPMTUDISCTIMEOUT;
diff --git a/usr.sbin/rtsold/rtsold.8 b/usr.sbin/rtsold/rtsold.8
index 41cbaecd884..0dd68bf83e8 100644
--- a/usr.sbin/rtsold/rtsold.8
+++ b/usr.sbin/rtsold/rtsold.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: rtsold.8,v 1.32 2014/07/11 16:44:13 henning Exp $
+.\" $OpenBSD: rtsold.8,v 1.33 2014/08/27 14:04:16 florian Exp $
.\" $KAME: rtsold.8,v 1.17 2001/07/09 22:30:37 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -28,7 +28,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 11 2014 $
+.Dd $Mdocdate: August 27 2014 $
.Dt RTSOLD 8
.Os
.\"
@@ -70,10 +70,7 @@ only.
The
.Va net.inet6.ip6.forwarding
.Xr sysctl 8
-should be set to zero and the
-.Va net.inet6.icmp6.rediraccept
-.Xr sysctl 8
-should be set to a non-zero value
+should be set to zero
(see also the
.Fl F
option below).
diff --git a/usr.sbin/rtsold/rtsold.c b/usr.sbin/rtsold/rtsold.c
index 534bbb73d73..7ed8fca84d1 100644
--- a/usr.sbin/rtsold/rtsold.c
+++ b/usr.sbin/rtsold/rtsold.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtsold.c,v 1.52 2014/07/11 16:44:13 henning Exp $ */
+/* $OpenBSD: rtsold.c,v 1.53 2014/08/27 14:04:16 florian Exp $ */
/* $KAME: rtsold.c,v 1.75 2004/01/03 00:00:07 itojun Exp $ */
/*
@@ -184,13 +184,9 @@ main(int argc, char *argv[])
}
#endif
- if (Fflag) {
- setinet6sysctl(IPPROTO_ICMPV6, ICMPV6CTL_REDIRACCEPT, 1);
+ if (Fflag)
setinet6sysctl(IPPROTO_IPV6, IPV6CTL_FORWARDING, 0);
- } else {
- /* warn if accepting redirects is off */
- if (!getinet6sysctl(IPPROTO_ICMPV6, ICMPV6CTL_REDIRACCEPT))
- warnx("kernel is configured not to accept redirects");
+ else {
/* warn if forwarding is up */
if (getinet6sysctl(IPPROTO_IPV6, IPV6CTL_FORWARDING))
warnx("kernel is configured as a router, not a host");
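Review bot: The rewritten branch mixes an unbraced `if (Fflag)` with a braced `else {` on its own line, which reads oddly against the surrounding KNF-style code; keeping braces on both arms, `if (Fflag) {` ... `} else {`, is the conventional shape and avoids a dangling-else surprise if another statement is ever added to the first arm. With the "kernel is configured not to accept redirects" warning gone, rtsold no longer tells the operator when redirects will be ignored; since the icmp6.c hunk in this commit ties acceptance to the interface's IFXF_AUTOCONF6 flag, a comment here such as `/* redirects are accepted per interface (autoconf flag), no sysctl to check */` would explain why the old check has no replacement. main() continues outside the hunk.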