Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)

From: Herbert Xu (herbert_at_gondor.apana.org.au)
Date: 06/13/05

Date: Mon, 13 Jun 2005 17:45:21 +1000
To: Willy Tarreau <willy@w.ods.org>

On Mon, Jun 13, 2005 at 08:17:48AM +0200, Willy Tarreau wrote:
>
> What's the problem with the sysctl? If you prefer, I can change the patch
> to keep the feature enabled by default so that only people aware of the
> problem have to fix it by hand. But I found it better the other way: people
> who need the feature enable it by hand.

Well that's exactly my problem :)

I reckon it should be off by default because the threat posed by
this problem is IMHO small compared to some of the other standard
threats that are applicable to TCP. Plus this is a well-documented
feature so we can't be sure that someone somewhere isn't depending
on it.

However, if it were off by default then there is very little value
in providing it at all since the same thing can be achieved easily
through netfilter.

Anyway, let's leave it to Dave to make the decision.

Cheers,

-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
