[IPV4]: Update icmp sysctl docs and disable broadcast ECHO/TIMESTAMP by default

It's not a good idea to be smurf'able by default.
The few people who need this can turn it on.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ab65714d95fcec32b6103c384f05bd06ab84c506..b433c8a27e2d16728c69d39ec8ebcbc43a6d84f1 100644 (file)
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -355,10 +355,14 @@ ip_dynaddr - BOOLEAN
        Default: 0
 
 icmp_echo_ignore_all - BOOLEAN
+       If set non-zero, then the kernel will ignore all ICMP ECHO
+       requests sent to it.
+       Default: 0
+
 icmp_echo_ignore_broadcasts - BOOLEAN
-       If either is set to true, then the kernel will ignore either all
-       ICMP ECHO requests sent to it or just those to broadcast/multicast
-       addresses, respectively.
+       If set non-zero, then the kernel will ignore all ICMP ECHO and
+       TIMESTAMP requests sent to it via broadcast/multicast.
+       Default: 1
 
 icmp_ratelimit - INTEGER
        Limit the maximal rates for sending ICMP packets whose type matches

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 24eb56ae1b5ac4e5d4f6235654a899ea676e4039..90dca711ac9f3061d8b247d1e9f1b50e40419e40 100644 (file)
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -188,7 +188,7 @@ struct icmp_err icmp_err_convert[] = {
 
 /* Control parameters for ECHO replies. */
 int sysctl_icmp_echo_ignore_all;
-int sysctl_icmp_echo_ignore_broadcasts;
+int sysctl_icmp_echo_ignore_broadcasts = 1;
 
 /* Control parameter - ignore bogus broadcast responses? */
 int sysctl_icmp_ignore_bogus_error_responses;