tunables: default net.inet.icmp.reply_from_interface to 1.

The helpt text (man icmp) suggests this is a better default in our usecase: ----------- (boolean) Use the IP address of the interface the packet came through in for responses to packets which are not directly addressed to us. If enabled, this rule is processed before all others. By default, continue with normal source selection. Enabling this option is particularly useful on routers because it makes external traceroutes show the actual path a packet has taken instead of the possibly different return path. ----------- ref https://github.com/opnsense/core/issues/4094
2026-03-17 18:14:42 +00:00 · 2020-05-17 11:22:02 +02:00 · 2020-05-17 11:22:02 +02:00 · a95f943965
commit a95f943965
parent 2d052a9bde
1 changed files with 3 additions and 1 deletions
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@ -84,6 +84,7 @@ function get_default_sysctl_value($id)
        'net.inet.icmp.drop_redirect' => '0',
        'net.inet.icmp.icmplim' => '0',
        'net.inet.icmp.log_redirect' => '0',
+        'net.inet.icmp.reply_from_interface' => '1',
        'net.inet.ip.accept_sourceroute' => '0',
        'net.inet.ip.intr_queue_maxlen' => '1000',
        'net.inet.ip.portrange.first' => '1024',
@ -132,7 +133,8 @@ function system_sysctl_get()
        'net.enc.in.ipsec_filter_mask' => 'default',
        'net.enc.out.ipsec_bpf_mask' => 'default',
        'net.enc.out.ipsec_filter_mask' => 'default',
-        'net.local.dgram.maxdgram' => 'default',
+        'net.inet.icmp.reply_from_interface' => 'default',
+        'net.local.dgram.maxdgram' => 'default'
    );

    foreach (config_read_array('sysctl', 'item') as $tunable) {