From 75d7af83ce415f7831da99c9cda7e9c51dce09b9 Mon Sep 17 00:00:00 2001
From: Knut Ahlers <knut@ahlers.me>
Date: Wed, 28 Aug 2024 18:41:29 +0200
Subject: [PATCH] Resolve cnspec warnings for ICMP redirects

Signed-off-by: Knut Ahlers <knut@ahlers.me>
---
 PKGBUILD                                            |  2 +-
 base/usr/share/luzifer/base-setup/files/sysctl.conf | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/PKGBUILD b/PKGBUILD
index 456a5b7..8db5646 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@ pkgname=(
   luzifer-gui
   luzifer-lenovo-gui
 )
-pkgver=0.11.0
+pkgver=0.11.1
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)
diff --git a/base/usr/share/luzifer/base-setup/files/sysctl.conf b/base/usr/share/luzifer/base-setup/files/sysctl.conf
index f186889..0c5830a 100644
--- a/base/usr/share/luzifer/base-setup/files/sysctl.conf
+++ b/base/usr/share/luzifer/base-setup/files/sysctl.conf
@@ -8,3 +8,13 @@ net.ipv4.conf.default.rp_filter = 1
 
 # CNSPEC: Ensure core dumps are restricted
 fs.suid_dumpable = 0
+
+# CNSPEC: Ensure ICMP redirects are not accepted
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# CNSPEC: Ensure secure ICMP redirects are not accepted
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0