Hello!

- do we need to walk all tos values for ip_rt_redirect in the same
way as for ip_rt_frag_needed,

Well, it is just the same thing (except for one thing, that ignored
redirects are harmless)

- from another thread: whether ICMP redirects modify only
routes via gateway when shared_media is ON:

http://marc.theaimsgroup.com/?l=linux-netdev&m=107109827516060&w=2

"message but we are sure we hit the target IP directly"

You cannot be sure, actually. This happens and resolves the situation
when the things sort ip route add default dev eth0 are used i.e. host
does not know real prefixes.

If this is a security issue (I do not see actually, the things on link
can be screwed via proxy arp et all in any case), make it a separate option
or even better use IN_DEV_SEC_REDIRECTS(in_dev) like similar paranoid case
for !shared_media case.

Alexey