From f3fd1226e05c806dd4ad4552abf56bcac12efe5e Mon Sep 17 00:00:00 2001
From: Greg Hackmann <ghackmann@google.com>
Date: Wed, 3 Dec 2014 09:57:00 -0800
Subject: [PATCH] init.rc: disable ICMP redirects

Bug: 18604139

Change-Id: I4bf22d0029f8b03b0ef4329b7b8632d8e116c8e1
Signed-off-by: Greg Hackmann <ghackmann@google.com>
---
 rootdir/init.rc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 9f444c19a..c0efeb176 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -114,6 +114,10 @@ on init
     # set fwmark on accepted sockets
     write /proc/sys/net/ipv4/tcp_fwmark_accept 1
 
+    # disable icmp redirects
+    write /proc/sys/net/ipv4/conf/all/accept_redirects 0
+    write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+
     # Create cgroup mount points for process groups
     mkdir /dev/cpuctl
     mount cgroup none /dev/cpuctl cpu